diff --git a/0001-add-support-for-sw_64-architecture.patch b/0001-add-support-for-sw_64-architecture.patch index 50455ad2cdf50a197c3ec0d6fc92832dab1ce435..5ab50967dba330f2baf6478ba95f0204b622b771 100755 --- a/0001-add-support-for-sw_64-architecture.patch +++ b/0001-add-support-for-sw_64-architecture.patch @@ -1,7 +1,7 @@ -From d0640e594ea3a135519f77bfd4fcb334a77c2831 Mon Sep 17 00:00:00 2001 +From a2978c91647f00491a743044bc84794a7b3a55ad Mon Sep 17 00:00:00 2001 From: funlei Date: Thu, 3 Apr 2025 11:08:31 +0800 -Subject: [PATCH 1/1] add support for sw_64 architecture +Subject: [PATCH 6/8] add support for sw_64 architecture --- Configurations/10-main.conf | 7 + @@ -28,10 +28,10 @@ Subject: [PATCH 1/1] add support for sw_64 architecture create mode 100644 crypto/sw_64cpuid.pl diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf -index 280a75b..ae2bba5 100644 +index de3a815..9c25fb7 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf -@@ -976,6 +976,13 @@ my %targets = ( +@@ -999,6 +999,13 @@ my %targets = ( asm_arch => 'alpha', perlasm_scheme => "void", }, @@ -46,7 +46,7 @@ index 280a75b..ae2bba5 100644 inherit_from => [ "BASE_unix" ], # TI_CGT_C6000_7.3.x is a requirement diff --git a/apps/lib/vms_term_sock.c b/apps/lib/vms_term_sock.c -index 97fb394..8a8b0b3 100644 +index 219a978..7347258 100644 --- a/apps/lib/vms_term_sock.c +++ b/apps/lib/vms_term_sock.c @@ -36,7 +36,7 @@ @@ -414,10 +414,10 @@ index 0000000..3ed821e +print $code; +close STDOUT; diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h -index 50e9d26..a6275c1 100644 +index b5be37b..d296b89 100644 --- a/crypto/bn/bn_local.h +++ b/crypto/bn/bn_local.h -@@ -387,7 +387,7 @@ struct bn_gencb_st { +@@ -390,7 +390,7 @@ struct bn_gencb_st { # define BN_UMULT_LOHI(low,high,a,b) ({ \ uint128_t ret=(uint128_t)(a)*(b); \ (high)=ret>>64; (low)=ret; }) 
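Review bot: The regenerated header in this hunk (`+From a2978c91647f00491a743044bc84794a7b3a55ad`, `+Subject: [PATCH 6/8]`) shows the patch was re-exported from a different base and series, but nothing in the patch records which upstream release it now applies to; the shifted inner offsets further down (`@@ -976` to `@@ -999` in 10-main.conf, `@@ -61` to `@@ -75` in fips.module.sources) are consistent with a base-version bump. The same diff deletes the Backport-Add-NULL-checks (CVE-2024-0727) and Backport-CVE-2024-4741 patches, so the new base is presumably one that already carries those upstream fixes (commits d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c and 704f725b96aa373ee45ecfb23f6abfe8be8d9177 per the deleted headers); that should be confirmed against the new tarball before the backports go, and the target version stated in the commit message. The `6/8` numbering also implies seven sibling patches that are not part of this change; if the file is applied standalone, exporting it with `--no-numbered` avoids the misleading series index.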
@@ -427,10 +427,10 @@ index 50e9d26..a6275c1 100644 # include # define BN_UMULT_HIGH(a,b) (BN_ULONG)asm("umulh %a0,%a1,%v0",(a),(b)) diff --git a/crypto/bn/build.info b/crypto/bn/build.info -index c4ba51b..9eab5d8 100644 +index a822711..2f9a414 100644 --- a/crypto/bn/build.info +++ b/crypto/bn/build.info -@@ -50,6 +50,9 @@ IF[{- !$disabled{asm} -}] +@@ -51,6 +51,9 @@ IF[{- !$disabled{asm} -}] $BNASM_alpha=bn_asm.c alpha-mont.S $BNDEF_alpha=OPENSSL_BN_ASM_MONT @@ -440,7 +440,7 @@ index c4ba51b..9eab5d8 100644 $BNASM_mips32=bn-mips.S mips-mont.S $BNDEF_mips32=OPENSSL_BN_ASM_MONT $BNASM_mips64=$BNASM_mips32 -@@ -169,6 +172,8 @@ GENERATE[ppc64-mont.s]=asm/ppc64-mont.pl +@@ -176,6 +179,8 @@ GENERATE[ppc64-mont-fixed.s]=asm/ppc64-mont-fixed.pl GENERATE[alpha-mont.S]=asm/alpha-mont.pl @@ -450,7 +450,7 @@ index c4ba51b..9eab5d8 100644 INCLUDE[armv4-mont.o]=.. GENERATE[armv4-gf2m.S]=asm/armv4-gf2m.pl diff --git a/crypto/build.info b/crypto/build.info -index c04db55..070ef08 100644 +index aee5c46..bf7edbc 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -37,6 +37,8 @@ IF[{- !$disabled{asm} && $config{processor} ne '386' -}] @@ -462,7 +462,7 @@ index c04db55..070ef08 100644 $CPUIDASM_s390x=s390xcap.c s390xcpuid.S $CPUIDASM_armv4=armcap.c armv4cpuid.S -@@ -124,6 +126,7 @@ GENERATE[ia64cpuid.s]=ia64cpuid.S +@@ -130,6 +132,7 @@ GENERATE[ia64cpuid.s]=ia64cpuid.S GENERATE[ppccpuid.s]=ppccpuid.pl GENERATE[pariscid.s]=pariscid.pl GENERATE[alphacpuid.s]=alphacpuid.pl @@ -944,7 +944,7 @@ index 0000000..42838a8 +close STDOUT; + diff --git a/crypto/modes/build.info b/crypto/modes/build.info -index f3558fa..d642539 100644 +index 52d2df1..3a03e6e 100644 --- a/crypto/modes/build.info +++ b/crypto/modes/build.info @@ -19,6 +19,9 @@ IF[{- !$disabled{asm} -}] 
@@ -957,14 +957,14 @@ index f3558fa..d642539 100644 $MODESASM_s390x=ghash-s390x.S $MODESDEF_s390x=GHASH_ASM -@@ -69,6 +72,7 @@ GENERATE[aesni-gcm-x86_64.s]=asm/aesni-gcm-x86_64.pl +@@ -76,6 +79,7 @@ GENERATE[aes-gcm-avx512.s]=asm/aes-gcm-avx512.pl GENERATE[ghash-sparcv9.S]=asm/ghash-sparcv9.pl INCLUDE[ghash-sparcv9.o]=.. GENERATE[ghash-alpha.S]=asm/ghash-alpha.pl +GENERATE[ghash-sw_64.S]=asm/ghash-sw_64.pl GENERATE[ghash-parisc.s]=asm/ghash-parisc.pl GENERATE[ghashp8-ppc.s]=asm/ghashp8-ppc.pl - GENERATE[ghash-armv4.S]=asm/ghash-armv4.pl + GENERATE[aes-gcm-ppc.s]=asm/aes-gcm-ppc.pl diff --git a/crypto/sha/asm/sha1-sw_64.pl b/crypto/sha/asm/sha1-sw_64.pl new file mode 100644 index 0000000..08b9150 @@ -1301,7 +1301,7 @@ index 0000000..08b9150 +print $code; +close STDOUT; diff --git a/crypto/sha/build.info b/crypto/sha/build.info -index d61f7de..b6a031b 100644 +index 9a3d44f..6323e31 100644 --- a/crypto/sha/build.info +++ b/crypto/sha/build.info @@ -18,6 +18,9 @@ IF[{- !$disabled{asm} -}] @@ -1314,7 +1314,7 @@ index d61f7de..b6a031b 100644 $SHA1ASM_mips32=sha1-mips.S sha256-mips.S $SHA1DEF_mips32=SHA1_ASM SHA256_ASM $SHA1ASM_mips64=$SHA1ASM_mips32 sha512-mips.S -@@ -104,6 +107,8 @@ GENERATE[sha512-ia64.s]=asm/sha512-ia64.pl +@@ -107,6 +110,8 @@ GENERATE[sha512-ia64.s]=asm/sha512-ia64.pl GENERATE[sha1-alpha.S]=asm/sha1-alpha.pl @@ -1502,23 +1502,23 @@ index 0000000..791b530 + \ No newline at end of file diff --git a/include/crypto/md32_common.h b/include/crypto/md32_common.h -index 3b16f1b..84dc45a 100644 +index 46214f3..7355645 100644 --- a/include/crypto/md32_common.h 
+++ b/include/crypto/md32_common.h -@@ -226,7 +226,7 @@ int HASH_FINAL(unsigned char *md, HASH_CTX *c) +@@ -252,7 +252,7 @@ int HASH_FINAL(unsigned char *md, HASH_CTX *c) } - #ifndef MD32_REG_T --# if defined(__alpha) || defined(__sparcv9) || defined(__mips) -+# if defined(__alpha) || defined(__sw_64) || defined(__sparcv9) || defined(__mips) - # define MD32_REG_T long + # ifndef MD32_REG_T +-# if defined(__alpha) || defined(__sparcv9) || defined(__mips) ++# if defined(__alpha) || defined(__sw_64) || defined(__sparcv9) || defined(__mips) + # define MD32_REG_T long /* * This comment was originally written for MD5, which is why it diff --git a/providers/fips.module.sources b/providers/fips.module.sources -index 88e9188..8ab4683 100644 +index 03b97bf..43d45b7 100644 --- a/providers/fips.module.sources +++ b/providers/fips.module.sources -@@ -61,6 +61,7 @@ crypto/bn/asm/sparcv8plus.S +@@ -75,6 +75,7 @@ crypto/bn/asm/sparcv8plus.S crypto/bn/asm/sparcv9-gf2m.pl crypto/bn/asm/sparcv9-mont.pl crypto/bn/asm/sparcv9a-mont.pl @@ -1526,15 +1526,15 @@ index 88e9188..8ab4683 100644 crypto/bn/asm/via-mont.pl crypto/bn/asm/vis3-mont.pl crypto/bn/asm/x86-gf2m.pl -@@ -237,6 +238,7 @@ crypto/modes/asm/ghash-ia64.pl - crypto/modes/asm/ghash-parisc.pl +@@ -280,6 +281,7 @@ crypto/modes/asm/ghash-riscv64-zvkg.pl + crypto/modes/asm/ghash-riscv64.pl crypto/modes/asm/ghash-s390x.pl crypto/modes/asm/ghash-sparcv9.pl +crypto/modes/asm/ghash-sw_64.pl crypto/modes/asm/ghash-x86.pl crypto/modes/asm/ghash-x86_64.pl crypto/modes/asm/ghashp8-ppc.pl -@@ -314,6 +316,7 @@ crypto/sha/asm/sha1-ppc.pl +@@ -363,6 +365,7 @@ crypto/sha/asm/sha1-ppc.pl crypto/sha/asm/sha1-s390x.pl crypto/sha/asm/sha1-sparcv9.pl crypto/sha/asm/sha1-sparcv9a.pl 
@@ -1542,19 +1542,19 @@ index 88e9188..8ab4683 100644 crypto/sha/asm/sha1-thumb.pl crypto/sha/asm/sha1-x86_64.pl crypto/sha/asm/sha256-586.pl -@@ -342,6 +345,7 @@ crypto/sparccpuid.S - crypto/sparcv9cap.c - crypto/sparse_array.c - crypto/stack/stack.c -+crypto/sw_64cpuid.pl - crypto/threads_lib.c - crypto/threads_none.c +@@ -419,6 +422,7 @@ crypto/threads_none.c crypto/threads_pthread.c + crypto/threads_win.c + crypto/time.c ++crypto/sw_64cpuid.pl + crypto/x86_64cpuid.pl + crypto/x86cpuid.pl + include/crypto/aes_platform.h diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c -index 750afca..e894e97 100644 +index c3a5d8b..3d411de 100644 --- a/providers/implementations/rands/seeding/rand_unix.c +++ b/providers/implementations/rands/seeding/rand_unix.c -@@ -304,7 +304,7 @@ static ssize_t sysctl_random(char *buf, size_t buflen) +@@ -303,7 +303,7 @@ static ssize_t sysctl_random(char *buf, size_t buflen) # define __NR_getrandom 347 # elif defined(__ia64__) # define __NR_getrandom 1339 @@ -1564,10 +1564,10 @@ index 750afca..e894e97 100644 # elif defined(__sh__) # if defined(__SH5__) diff --git a/util/perl/OpenSSL/config.pm b/util/perl/OpenSSL/config.pm -index 1aa6768..6540fcd 100755 +index 04aef06..471272b 100755 --- a/util/perl/OpenSSL/config.pm +++ b/util/perl/OpenSSL/config.pm -@@ -570,6 +570,7 @@ EOF +@@ -579,6 +579,7 @@ EOF %config }; } ], @@ -1576,5 +1576,5 @@ index 1aa6768..6540fcd 100755 sub { my $KERNEL_BITS = $ENV{KERNEL_BITS} // ''; -- -2.33.0 +2.50.1 diff --git a/Backport-Add-NULL-checks-where-ContentInfo-data-can-be-NULL.patch b/Backport-Add-NULL-checks-where-ContentInfo-data-can-be-NULL.patch deleted file mode 100644 index a5c37689eec2968ab25d72ecd8508b91b8a1afc1..0000000000000000000000000000000000000000 --- a/Backport-Add-NULL-checks-where-ContentInfo-data-can-be-NULL.patch +++ /dev/null 
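Review bot: The relocated `++crypto/sw_64cpuid.pl` entry in the fips.module.sources hunk (`@@ -419,6 +422,7 @@`) now sits between `crypto/time.c` and `crypto/x86_64cpuid.pl`, which breaks the alphabetical order the rest of the list follows; the old placement after `crypto/stack/stack.c` and before `crypto/threads_lib.c` was correct, and the `ghash-sw_64.pl` entry earlier in the same file keeps sorted order. Putting the line back as `crypto/stack/stack.c` / `+crypto/sw_64cpuid.pl` / `crypto/threads_lib.c` restores consistency, with the context lines taken from the new base. Separately, since this list defines what is compiled into the FIPS provider, listing the sw_64 assembly here means the module built on that platform contains code outside any validated build; that is not introduced by this rebase, but it deserves a sentence in the patch description.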
@@ -1,123 +0,0 @@ -From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 19 Jan 2024 11:28:58 +0000 -Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL - -PKCS12 structures contain PKCS7 ContentInfo fields. These fields are -optional and can be NULL even if the "type" is a valid value. OpenSSL -was not properly accounting for this and a NULL dereference can occur -causing a crash. - -CVE-2024-0727 - -Reviewed-by: Tomas Mraz -Reviewed-by: Hugo Landau -Reviewed-by: Neil Horman -(Merged from https://github.com/openssl/openssl/pull/23362) - -(cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c) ---- - crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++ - crypto/pkcs12/p12_mutl.c | 5 +++++ - crypto/pkcs12/p12_npas.c | 5 +++-- - crypto/pkcs7/pk7_mime.c | 7 +++++-- - 4 files changed, 31 insertions(+), 4 deletions(-) - -diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c -index 6fd4184af5..80ce31b3bc 100644 ---- a/crypto/pkcs12/p12_add.c -+++ b/crypto/pkcs12/p12_add.c -@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7) - ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); - return NULL; - } -+ -+ if (p7->d.data == NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ return NULL; -+ } -+ - return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); - } - -@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, - { - if (!PKCS7_type_is_encrypted(p7)) - return NULL; -+ -+ if (p7->d.encrypted == NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ return NULL; -+ } -+ - return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm, - ASN1_ITEM_rptr(PKCS12_SAFEBAGS), - pass, passlen, -@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12) - ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); - return NULL; - } -+ -+ if (p12->authsafes->d.data 
== NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ return NULL; -+ } -+ - p7s = ASN1_item_unpack(p12->authsafes->d.data, - ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); - if (p7s != NULL) { -diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c -index 67a885a45f..68ff54d0e9 100644 ---- a/crypto/pkcs12/p12_mutl.c -+++ b/crypto/pkcs12/p12_mutl.c -@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, - return 0; - } - -+ if (p12->authsafes->d.data == NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ return 0; -+ } -+ - salt = p12->mac->salt->data; - saltlen = p12->mac->salt->length; - if (p12->mac->iter == NULL) -diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c -index 62230bc618..1e5b549599 100644 ---- a/crypto/pkcs12/p12_npas.c -+++ b/crypto/pkcs12/p12_npas.c -@@ -77,8 +77,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass) - bags = PKCS12_unpack_p7data(p7); - } else if (bagnid == NID_pkcs7_encrypted) { - bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); -- if (!alg_get(p7->d.encrypted->enc_data->algorithm, -- &pbe_nid, &pbe_iter, &pbe_saltlen)) -+ if (p7->d.encrypted == NULL -+ || !alg_get(p7->d.encrypted->enc_data->algorithm, -+ &pbe_nid, &pbe_iter, &pbe_saltlen)) - goto err; - } else { - continue; -diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c -index 49a0da5f81..8228315eea 100644 ---- a/crypto/pkcs7/pk7_mime.c -+++ b/crypto/pkcs7/pk7_mime.c -@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) - int ctype_nid = OBJ_obj2nid(p7->type); - const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7); - -- if (ctype_nid == NID_pkcs7_signed) -+ if (ctype_nid == NID_pkcs7_signed) { -+ if (p7->d.sign == NULL) -+ return 0; - mdalgs = p7->d.sign->md_algs; -- else -+ } else { - mdalgs = NULL; -+ } - - flags ^= SMIME_OLDMIME; - --- -2.36.1 - 
diff --git a/Backport-Add-a-test-for-late-loading-of-an-ENGINE-in-TLS.patch b/Backport-Add-a-test-for-late-loading-of-an-ENGINE-in-TLS.patch
deleted file mode 100644
index 61e622a7096f113f697501e655ab6818caf63e2a..0000000000000000000000000000000000000000
--- a/Backport-Add-a-test-for-late-loading-of-an-ENGINE-in-TLS.patch
+++ /dev/null
@@ -1,126 +0,0 @@ -From 9ffd4a34681feb9968719905b366276e7425e2a2 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Wed, 29 Nov 2023 11:30:07 +0000 -Subject: [PATCH] Add a test for late loading of an ENGINE in TLS - -Confirm that using an ENGINE works as expected with TLS even if it is -loaded late (after construction of the SSL_CTX). - -(cherry picked from commit a9c97da4910648790387d035afb12963158778fb) - -Reviewed-by: Tomas Mraz -Reviewed-by: Todd Short -(Merged from https://github.com/openssl/openssl/pull/22865) - -(cherry picked from commit dda9208cef52670e6c832cbadaa3e08ad535ac30) ---- - test/sslapitest.c | 56 +++++++++++++++++++++++++++++++++++------------ - 1 file changed, 42 insertions(+), 14 deletions(-) - -diff --git a/test/sslapitest.c b/test/sslapitest.c -index 2191b297d0..e0274f12f7 100644 ---- a/test/sslapitest.c -+++ b/test/sslapitest.c -@@ -10128,6 +10128,27 @@ end: - } - - #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) -+ -+static ENGINE *load_dasync(void) -+{ -+ ENGINE *e; -+ -+ if (!TEST_ptr(e = ENGINE_by_id("dasync"))) -+ return NULL; -+ -+ if (!TEST_true(ENGINE_init(e))) { -+ ENGINE_free(e); -+ return NULL; -+ } -+ -+ if (!TEST_true(ENGINE_register_ciphers(e))) { -+ ENGINE_free(e); -+ return NULL; -+ } -+ -+ return e; -+} -+ - /* - * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not - * support this yet. 
The only pipeline capable cipher that we have is in the -@@ -10143,6 +10164,8 @@ end: - * Test 4: Client has pipelining enabled, server does not: more data than all - * the available pipelines can take - * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline -+ * Test 6: Repeat of test 0, but the engine is loaded late (after the SSL_CTX -+ * is created) - */ - static int test_pipelining(int idx) - { -@@ -10155,25 +10178,28 @@ static int test_pipelining(int idx) - size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5; - size_t expectedreads; - unsigned char *buf = NULL; -- ENGINE *e; -- -- if (!TEST_ptr(e = ENGINE_by_id("dasync"))) -- return 0; -+ ENGINE *e = NULL; - -- if (!TEST_true(ENGINE_init(e))) { -- ENGINE_free(e); -- return 0; -+ if (idx != 6) { -+ e = load_dasync(); -+ if (e == NULL) -+ return 0; - } - -- if (!TEST_true(ENGINE_register_ciphers(e))) -- goto end; -- - if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), - TLS_client_method(), 0, - TLS1_2_VERSION, &sctx, &cctx, cert, - privkey))) - goto end; - -+ if (idx == 6) { -+ e = load_dasync(); -+ if (e == NULL) -+ goto end; -+ /* Now act like test 0 */ -+ idx = 0; -+ } -+ - if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, - &clientssl, NULL, NULL))) - goto end; -@@ -10309,9 +10335,11 @@ end: - SSL_free(clientssl); - SSL_CTX_free(sctx); - SSL_CTX_free(cctx); -- ENGINE_unregister_ciphers(e); -- ENGINE_finish(e); -- ENGINE_free(e); -+ if (e != NULL) { -+ ENGINE_unregister_ciphers(e); -+ ENGINE_finish(e); -+ ENGINE_free(e); -+ } - OPENSSL_free(buf); - if (fragsize == SSL3_RT_MAX_PLAIN_LENGTH) - OPENSSL_free(msg); -@@ -10684,7 +10712,7 @@ int setup_tests(void) - ADD_ALL_TESTS(test_serverinfo_custom, 4); - #endif - #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) -- ADD_ALL_TESTS(test_pipelining, 6); -+ ADD_ALL_TESTS(test_pipelining, 7); - #endif - ADD_ALL_TESTS(test_handshake_retry, 16); - ADD_ALL_TESTS(test_multi_resume, 5); 
---
-2.33.0
-
diff --git a/Backport-Apply-SM4-optimization-patch-to-Kunpeng-920.patch b/Backport-Apply-SM4-optimization-patch-to-Kunpeng-920.patch
deleted file mode 100644
index 6536ed596ec0c1ce4d8a2a9b7b44eda6a92eae22..0000000000000000000000000000000000000000
--- a/Backport-Apply-SM4-optimization-patch-to-Kunpeng-920.patch
+++ /dev/null
@@ -1,74 +0,0 @@ -From 06f13f85ee86cd7fbc546060fbe2d077176b0be4 Mon Sep 17 00:00:00 2001 -From: Xu Yizhou -Date: Mon, 31 Oct 2022 11:28:15 +0800 -Subject: [PATCH 11/13] Apply SM4 optimization patch to Kunpeng-920 - -In the ideal scenario, performance can reach up to 2.2X. -But in single block input or CFB/OFB mode, CBC encryption, -performance could drop about 50%. - -Perf data on Kunpeng-920 2.6GHz hardware, before and after optimization: - -Before: -type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes -SM4-CTR 75318.96k 79089.62k 79736.15k 79934.12k 80325.44k 80068.61k -SM4-ECB 80211.39k 84998.36k 86472.28k 87024.93k 87144.80k 86862.51k -SM4-GCM 72156.19k 82012.08k 83848.02k 84322.65k 85103.65k 84896.43k -SM4-CBC 77956.13k 80638.81k 81976.17k 81606.31k 82078.91k 81750.70k -SM4-CFB 78078.20k 81054.87k 81841.07k 82396.38k 82203.99k 82236.76k -SM4-OFB 78282.76k 82074.03k 82765.74k 82989.06k 83200.68k 83487.17k - -After: -type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes -SM4-CTR 35678.07k 120687.25k 176632.27k 177192.62k 177586.18k 178295.18k -SM4-ECB 35540.32k 122628.07k 175067.90k 178007.84k 178298.88k 178328.92k -SM4-GCM 34215.75k 116720.50k 170275.16k 171770.88k 172714.21k 172272.30k -SM4-CBC 35645.60k 36544.86k 36515.50k 36732.15k 36618.24k 36629.16k -SM4-CFB 35528.14k 35690.99k 35954.86k 35843.42k 35809.18k 35809.96k -SM4-OFB 35563.55k 35853.56k 35963.05k 36203.52k 36233.85k 36307.82k - -Signed-off-by: Xu Yizhou - -Reviewed-by: Hugo Landau -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/19547) ---- - crypto/arm_arch.h | 4 ++++ - include/crypto/sm4_platform.h | 3 ++- - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/crypto/arm_arch.h b/crypto/arm_arch.h -index 5b5af31d92..c10748e5f8 100644 ---- a/crypto/arm_arch.h -+++ b/crypto/arm_arch.h -@@ -98,9 +98,13 @@ extern unsigned int OPENSSL_armv8_rsa_neonized; - */ - - # define ARM_CPU_IMP_ARM 0x41 -+# define HISI_CPU_IMP 0x48 - - # define 
ARM_CPU_PART_CORTEX_A72 0xD08 - # define ARM_CPU_PART_N1 0xD0C -+# define ARM_CPU_PART_V1 0xD40 -+# define ARM_CPU_PART_N2 0xD49 -+# define HISI_CPU_PART_KP920 0xD01 - - # define MIDR_PARTNUM_SHIFT 4 - # define MIDR_PARTNUM_MASK (0xfffU << MIDR_PARTNUM_SHIFT) -diff --git a/include/crypto/sm4_platform.h b/include/crypto/sm4_platform.h -index 11f9b9d88b..15d8abbcb1 100644 ---- a/include/crypto/sm4_platform.h -+++ b/include/crypto/sm4_platform.h -@@ -20,7 +20,8 @@ static inline int vpsm4_capable(void) - { - return (OPENSSL_armcap_P & ARMV8_CPUID) && - (MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_V1) || -- MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_N1)); -+ MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_N1) || -+ MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, HISI_CPU_IMP, HISI_CPU_PART_KP920)); - } - # if defined(VPSM4_ASM) - # define VPSM4_CAPABLE vpsm4_capable() --- -2.37.3.windows.1 - diff --git a/Backport-CVE-2024-4741-Extend-the-SSL_free_buffers-testing.patch b/Backport-CVE-2024-4741-Extend-the-SSL_free_buffers-testing.patch deleted file mode 100644 index 752625ad32a71e168b290bfa7d32e0c6c11382c7..0000000000000000000000000000000000000000 --- a/Backport-CVE-2024-4741-Extend-the-SSL_free_buffers-testing.patch +++ /dev/null 
@@ -1,133 +0,0 @@ -From 6fef334f914abfcd988e53a32d19f01d84529f74 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Thu, 25 Apr 2024 09:34:16 +0100 -Subject: [PATCH 3/5] Extend the SSL_free_buffers testing - -Test that attempting to free the buffers at points where they should not -be freed works as expected. - -Follow on from CVE-2024-4741 - -Reviewed-by: Tomas Mraz -Reviewed-by: Neil Horman -(Merged from https://github.com/openssl/openssl/pull/24395) - -(cherry picked from commit 4238abc17d44383592f92d6254d89dac806ee76b) ---- - test/sslbuffertest.c | 93 ++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 93 insertions(+) - -diff --git a/test/sslbuffertest.c b/test/sslbuffertest.c -index 3c3e69d61d..133fdb13ee 100644 ---- a/test/sslbuffertest.c -+++ b/test/sslbuffertest.c -@@ -150,6 +150,98 @@ static int test_func(int test) - return result; - } - -+/* -+ * Test that attempting to free the buffers at points where they cannot be freed -+ * works as expected -+ * Test 0: Attempt to free buffers after a full record has been processed, but -+ * the application has only performed a partial read -+ * Test 1: Attempt to free buffers after only a partial record header has been -+ * received -+ * Test 2: Attempt to free buffers after a full record header but no record body -+ * Test 3: Attempt to free buffers after a full record hedaer and partial record -+ * body -+ */ -+static int test_free_buffers(int test) -+{ -+ int result = 0; -+ SSL *serverssl = NULL, *clientssl = NULL; -+ const char testdata[] = "Test data"; -+ char buf[40]; -+ size_t written, readbytes; -+ -+ if (!TEST_true(create_ssl_objects(serverctx, clientctx, &serverssl, -+ &clientssl, NULL, NULL))) -+ goto end; -+ -+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, -+ SSL_ERROR_NONE))) -+ goto end; -+ -+ -+ if (!TEST_true(SSL_write_ex(clientssl, testdata, sizeof(testdata), -+ &written))) -+ goto end; -+ -+ if (test == 0) { -+ /* -+ * Deliberately only read the first byte - so the 
remaining bytes are -+ * still buffered -+ */ -+ if (!TEST_true(SSL_read_ex(serverssl, buf, 1, &readbytes))) -+ goto end; -+ } else { -+ BIO *tmp; -+ size_t partial_len; -+ -+ /* Remove all the data that is pending for read by the server */ -+ tmp = SSL_get_rbio(serverssl); -+ if (!TEST_true(BIO_read_ex(tmp, buf, sizeof(buf), &readbytes)) -+ || !TEST_size_t_lt(readbytes, sizeof(buf)) -+ || !TEST_size_t_gt(readbytes, SSL3_RT_HEADER_LENGTH)) -+ goto end; -+ -+ switch(test) { -+ case 1: -+ partial_len = SSL3_RT_HEADER_LENGTH - 1; -+ break; -+ case 2: -+ partial_len = SSL3_RT_HEADER_LENGTH; -+ break; -+ case 3: -+ partial_len = readbytes - 1; -+ break; -+ default: -+ TEST_error("Invalid test index"); -+ goto end; -+ } -+ -+ /* Put back just the partial record */ -+ if (!TEST_true(BIO_write_ex(tmp, buf, partial_len, &written))) -+ goto end; -+ -+ /* -+ * Attempt a read. This should fail because only a partial record is -+ * available. -+ */ -+ if (!TEST_false(SSL_read_ex(serverssl, buf, 1, &readbytes))) -+ goto end; -+ } -+ -+ /* -+ * Attempting to free the buffers at this point should fail because they are -+ * still in use -+ */ -+ if (!TEST_false(SSL_free_buffers(serverssl))) -+ goto end; -+ -+ result = 1; -+ end: -+ SSL_free(clientssl); -+ SSL_free(serverssl); -+ -+ return result; -+} -+ - OPT_TEST_DECLARE_USAGE("certfile privkeyfile\n") - - int setup_tests(void) -@@ -173,6 +265,7 @@ int setup_tests(void) - } - - ADD_ALL_TESTS(test_func, 9); -+ ADD_ALL_TESTS(test_free_buffers, 4); - return 1; - } - --- -2.33.0 - diff --git a/Backport-CVE-2024-4741-Further-extend-the-SSL_free_buffers-testing.patch b/Backport-CVE-2024-4741-Further-extend-the-SSL_free_buffers-testing.patch deleted file mode 100644 index e8d186c26e9eda73ab9ecfdf3c174b8cca19af13..0000000000000000000000000000000000000000 --- a/Backport-CVE-2024-4741-Further-extend-the-SSL_free_buffers-testing.patch +++ /dev/null 
@@ -1,201 +0,0 @@ -From d095674320c84b8ed1250715b1dd5ce05f9f267b Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 26 Apr 2024 13:58:29 +0100 -Subject: [PATCH 5/5] Further extend the SSL_free_buffers testing - -We extend the testing to test what happens when pipelining is in use. - -Follow on from CVE-2024-4741 - -Reviewed-by: Tomas Mraz -Reviewed-by: Neil Horman -(Merged from https://github.com/openssl/openssl/pull/24395) - -(cherry picked from commit 6972d5ace1275faf404e7a53e806861962f4121c) ---- - test/sslbuffertest.c | 113 +++++++++++++++++++++++++++++++++++++------ - 1 file changed, 97 insertions(+), 16 deletions(-) - -diff --git a/test/sslbuffertest.c b/test/sslbuffertest.c -index 133fdb13ee..7079d04e15 100644 ---- a/test/sslbuffertest.c -+++ b/test/sslbuffertest.c -@@ -8,10 +8,19 @@ - * or in the file LICENSE in the source distribution. - */ - -+/* -+ * We need access to the deprecated low level Engine APIs for legacy purposes -+ * when the deprecated calls are not hidden -+ */ -+#ifndef OPENSSL_NO_DEPRECATED_3_0 -+# define OPENSSL_SUPPRESS_DEPRECATED -+#endif -+ - #include - #include - #include - #include -+#include - - #include "internal/packet.h" - -@@ -160,34 +169,65 @@ static int test_func(int test) - * Test 2: Attempt to free buffers after a full record header but no record body - * Test 3: Attempt to free buffers after a full record hedaer and partial record - * body -+ * Test 4-7: We repeat tests 0-3 but including data from a second pipelined -+ * record - */ - static int test_free_buffers(int test) - { - int result = 0; - SSL *serverssl = NULL, *clientssl = NULL; - const char testdata[] = "Test data"; -- char buf[40]; -+ char buf[120]; - size_t written, readbytes; -+ int i, pipeline = test > 3; -+ ENGINE *e = NULL; -+ -+ if (pipeline) { -+ e = load_dasync(); -+ if (e == NULL) -+ goto end; -+ test -= 4; -+ } - - if (!TEST_true(create_ssl_objects(serverctx, clientctx, &serverssl, - &clientssl, NULL, NULL))) - goto end; - -+ if (pipeline) { -+ 
if (!TEST_true(SSL_set_cipher_list(serverssl, "AES128-SHA")) -+ || !TEST_true(SSL_set_max_proto_version(serverssl, -+ TLS1_2_VERSION)) -+ || !TEST_true(SSL_set_max_pipelines(serverssl, 2))) -+ goto end; -+ } -+ - if (!TEST_true(create_ssl_connection(serverssl, clientssl, - SSL_ERROR_NONE))) - goto end; - -- -- if (!TEST_true(SSL_write_ex(clientssl, testdata, sizeof(testdata), -- &written))) -- goto end; -+ /* -+ * For the non-pipeline case we write one record. For pipelining we write -+ * two records. -+ */ -+ for (i = 0; i <= pipeline; i++) { -+ if (!TEST_true(SSL_write_ex(clientssl, testdata, strlen(testdata), -+ &written))) -+ goto end; -+ } - - if (test == 0) { -+ size_t readlen = 1; -+ - /* -- * Deliberately only read the first byte - so the remaining bytes are -- * still buffered -- */ -- if (!TEST_true(SSL_read_ex(serverssl, buf, 1, &readbytes))) -+ * Deliberately only read the first byte - so the remaining bytes are -+ * still buffered. In the pipelining case we read as far as the first -+ * byte from the second record. -+ */ -+ if (pipeline) -+ readlen += strlen(testdata); -+ -+ if (!TEST_true(SSL_read_ex(serverssl, buf, readlen, &readbytes)) -+ || !TEST_size_t_eq(readlen, readbytes)) - goto end; - } else { - BIO *tmp; -@@ -215,16 +255,47 @@ static int test_free_buffers(int test) - goto end; - } - -- /* Put back just the partial record */ -- if (!TEST_true(BIO_write_ex(tmp, buf, partial_len, &written))) -- goto end; -+ if (pipeline) { -+ /* We happen to know the first record is 57 bytes long */ -+ const size_t first_rec_len = 57; -+ -+ if (test != 3) -+ partial_len += first_rec_len; -+ -+ /* -+ * Sanity check. If we got the record len right then this should -+ * never fail. -+ */ -+ if (!TEST_int_eq(buf[first_rec_len], SSL3_RT_APPLICATION_DATA)) -+ goto end; -+ } - - /* -- * Attempt a read. This should fail because only a partial record is -- * available. 
-+ * Put back just the partial record (plus the whole initial record in -+ * the pipelining case) - */ -- if (!TEST_false(SSL_read_ex(serverssl, buf, 1, &readbytes))) -+ if (!TEST_true(BIO_write_ex(tmp, buf, partial_len, &written))) - goto end; -+ -+ if (pipeline) { -+ /* -+ * Attempt a read. This should pass but only return data from the -+ * first record. Only a partial record is available for the second -+ * record. -+ */ -+ if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), -+ &readbytes)) -+ || !TEST_size_t_eq(readbytes, strlen(testdata))) -+ goto end; -+ } else { -+ /* -+ * Attempt a read. This should fail because only a partial record is -+ * available. -+ */ -+ if (!TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), -+ &readbytes))) -+ goto end; -+ } - } - - /* -@@ -238,7 +309,13 @@ static int test_free_buffers(int test) - end: - SSL_free(clientssl); - SSL_free(serverssl); -- -+#ifndef OPENSSL_NO_DYNAMIC_ENGINE -+ if (e != NULL) { -+ ENGINE_unregister_ciphers(e); -+ ENGINE_finish(e); -+ ENGINE_free(e); -+ } -+#endif - return result; - } - -@@ -265,7 +342,11 @@ int setup_tests(void) - } - - ADD_ALL_TESTS(test_func, 9); -+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) -+ ADD_ALL_TESTS(test_free_buffers, 8); -+#else - ADD_ALL_TESTS(test_free_buffers, 4); -+#endif - return 1; - } - --- -2.33.0 - diff --git a/Backport-CVE-2024-4741-Move-the-ability-to-load-the-dasync-engine-into-sslt.patch b/Backport-CVE-2024-4741-Move-the-ability-to-load-the-dasync-engine-into-sslt.patch deleted file mode 100644 index 6c4dc8e52798d8cdd16e388a928c5e73bd964c60..0000000000000000000000000000000000000000 --- a/Backport-CVE-2024-4741-Move-the-ability-to-load-the-dasync-engine-into-sslt.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From 1359c00e683840154760b7ba9204bad1b13dc074 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 26 Apr 2024 11:05:52 +0100 -Subject: [PATCH] Move the ability to load the dasync engine into ssltestlib.c - -The sslapitest has a helper function to load the dasync engine which is -useful for testing pipelining. We would like to have the same facility -from sslbuffertest, so we move the function to the common location -ssltestlib.c - -Follow on from CVE-2024-4741 - -Reviewed-by: Tomas Mraz -Reviewed-by: Neil Horman -(Merged from https://github.com/openssl/openssl/pull/24395) - -(cherry picked from commit 0544c21a22f4d787e6f31d35e8f980402ac90a6d) ---- - test/helpers/ssltestlib.c | 33 +++++++++++++++++++++++++++++++++ - test/helpers/ssltestlib.h | 1 + - test/sslapitest.c | 21 --------------------- - 3 files changed, 34 insertions(+), 21 deletions(-) - -diff --git a/test/helpers/ssltestlib.c b/test/helpers/ssltestlib.c -index ef4a6177aa7dd..da14f6697db16 100644 ---- a/test/helpers/ssltestlib.c -+++ b/test/helpers/ssltestlib.c -@@ -7,8 +7,17 @@ - * https://www.openssl.org/source/license.html - */ - -+/* -+ * We need access to the deprecated low level ENGINE APIs for legacy purposes -+ * when the deprecated calls are not hidden -+ */ -+#ifndef OPENSSL_NO_DEPRECATED_3_0 -+# define OPENSSL_SUPPRESS_DEPRECATED -+#endif -+ - #include - -+#include - #include "internal/nelem.h" - #include "ssltestlib.h" - #include "../testutil.h" -@@ -1182,3 +1191,27 @@ void shutdown_ssl_connection(SSL *serverssl, SSL *clientssl) - SSL_free(serverssl); - SSL_free(clientssl); - } -+ -+ENGINE *load_dasync(void) -+{ -+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) -+ ENGINE *e; -+ -+ if (!TEST_ptr(e = ENGINE_by_id("dasync"))) -+ return NULL; -+ -+ if (!TEST_true(ENGINE_init(e))) { -+ ENGINE_free(e); -+ return NULL; -+ } -+ -+ if (!TEST_true(ENGINE_register_ciphers(e))) { -+ ENGINE_free(e); -+ return NULL; -+ } -+ -+ return e; -+#else -+ return NULL; 
-+#endif -+} -diff --git a/test/helpers/ssltestlib.h b/test/helpers/ssltestlib.h -index 8e9daa5601d3e..2777fb3047bef 100644 ---- a/test/helpers/ssltestlib.h -+++ b/test/helpers/ssltestlib.h -@@ -59,4 +59,5 @@ typedef struct mempacket_st MEMPACKET; - - DEFINE_STACK_OF(MEMPACKET) - -+ENGINE *load_dasync(void); - #endif /* OSSL_TEST_SSLTESTLIB_H */ -diff --git a/test/sslapitest.c b/test/sslapitest.c -index 28bc94d672fa7..c2ff727513294 100644 ---- a/test/sslapitest.c -+++ b/test/sslapitest.c -@@ -10299,27 +10299,6 @@ static int test_load_dhfile(void) - } - - #if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) -- --static ENGINE *load_dasync(void) --{ -- ENGINE *e; -- -- if (!TEST_ptr(e = ENGINE_by_id("dasync"))) -- return NULL; -- -- if (!TEST_true(ENGINE_init(e))) { -- ENGINE_free(e); -- return NULL; -- } -- -- if (!TEST_true(ENGINE_register_ciphers(e))) { -- ENGINE_free(e); -- return NULL; -- } -- -- return e; --} -- - /* - * Test TLSv1.2 with a pipeline capable cipher. TLSv1.3 and DTLS do not - * support this yet. The only pipeline capable cipher that we have is in the diff --git a/Backport-CVE-2024-4741-Only-free-the-read-buffers-if-we-re-not-using-them.patch b/Backport-CVE-2024-4741-Only-free-the-read-buffers-if-we-re-not-using-them.patch deleted file mode 100644 index 596b871a64666caac54e02d076d8fd1aaa69f659..0000000000000000000000000000000000000000 --- a/Backport-CVE-2024-4741-Only-free-the-read-buffers-if-we-re-not-using-them.patch +++ /dev/null 
@@ -1,72 +0,0 @@
-From b3f0eb0a295f58f16ba43ba99dad70d4ee5c437d Mon Sep 17 00:00:00 2001
-From: Watson Ladd
-Date: Wed, 24 Apr 2024 11:26:56 +0100
-Subject: [PATCH 1/5] Only free the read buffers if we're not using them
-
-If we're part way through processing a record, or the application has
-not released all the records then we should not free our buffer because
-they are still needed.
-
-CVE-2024-4741
-
-Reviewed-by: Tomas Mraz
-Reviewed-by: Neil Horman
-Reviewed-by: Matt Caswell
-(Merged from https://github.com/openssl/openssl/pull/24395)
-
-(cherry picked from commit 704f725b96aa373ee45ecfb23f6abfe8be8d9177)
----
- ssl/record/rec_layer_s3.c | 9 +++++++++
- ssl/record/record.h | 1 +
- ssl/ssl_lib.c | 3 +++
- 3 files changed, 13 insertions(+)
-
-diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
-index 4bcffcc41e..1569997bea 100644
---- a/ssl/record/rec_layer_s3.c
-+++ b/ssl/record/rec_layer_s3.c
-@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
- return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
- }
-
-+int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
-+{
-+ if (rl->rstate == SSL_ST_READ_BODY)
-+ return 1;
-+ if (RECORD_LAYER_processed_read_pending(rl))
-+ return 1;
-+ return 0;
-+}
-+
- /* Checks if we have decrypted unread record data pending */
- int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
- {
-diff --git a/ssl/record/record.h b/ssl/record/record.h
-index 234656bf93..b60f71c8cb 100644
---- a/ssl/record/record.h
-+++ b/ssl/record/record.h
-@@ -205,6 +205,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
- int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
- int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
- int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
-+int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
- void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
- void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
- int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index eed649c6fd..d14c55ae55 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -5492,6 +5492,9 @@ int SSL_free_buffers(SSL *ssl)
- if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
- return 0;
-
-+ if (RECORD_LAYER_data_present(rl))
-+ return 0;
-+
- RECORD_LAYER_release(rl);
- return 1;
- }
---
-2.33.0
-
diff --git a/Backport-CVE-2024-4741-Set-rlayer.packet-to-NULL-after-we-ve-finished-using.patch b/Backport-CVE-2024-4741-Set-rlayer.packet-to-NULL-after-we-ve-finished-using.patch
deleted file mode 100644
index 3514fc8ddc815c3a587e4228136d18f777bc8041..0000000000000000000000000000000000000000
--- a/Backport-CVE-2024-4741-Set-rlayer.packet-to-NULL-after-we-ve-finished-using.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 2d05959073c4bf8803401668b9df85931a08e020 Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Wed, 24 Apr 2024 11:33:41 +0100
-Subject: [PATCH 2/5] Set rlayer.packet to NULL after we've finished using it
-
-In order to ensure we do not have a UAF we reset the rlayer.packet pointer
-to NULL after we free it.
-
-CVE-2024-4741
-
-Reviewed-by: Tomas Mraz
-Reviewed-by: Neil Horman
-(Merged from https://github.com/openssl/openssl/pull/24395)
-
-(cherry picked from commit d146349171101dec3a876c13eb7a6dea32ba62ba)
----
- ssl/record/rec_layer_s3.c | 6 ++++++
- ssl/record/ssl3_buffer.c | 2 ++
- 2 files changed, 8 insertions(+)
-
-diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
-index 1569997bea..779e998bb6 100644
---- a/ssl/record/rec_layer_s3.c
-+++ b/ssl/record/rec_layer_s3.c
-@@ -230,6 +230,12 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold,
- /* ... now we can act as if 'extend' was set */
- }
-
-+ if (!ossl_assert(s->rlayer.packet != NULL)) {
-+ /* does not happen */
-+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
-+ return -1;
-+ }
-+
- len = s->rlayer.packet_length;
- pkt = rb->buf + align;
- /*
-diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c
-index 97b0c26ced..1a10a7c0b8 100644
---- a/ssl/record/ssl3_buffer.c
-+++ b/ssl/record/ssl3_buffer.c
-@@ -191,5 +191,7 @@ int ssl3_release_read_buffer(SSL *s)
- OPENSSL_cleanse(b->buf, b->len);
- OPENSSL_free(b->buf);
- b->buf = NULL;
-+ s->rlayer.packet = NULL;
-+ s->rlayer.packet_length = 0;
- return 1;
- }
---
-2.33.0
-
diff --git a/Backport-CVE-2024-5535-Add-a-test-for-ALPN-and-NPN.patch b/Backport-CVE-2024-5535-Add-a-test-for-ALPN-and-NPN.patch
deleted file mode 100644
index e283af2e5e30bde0fab8d925b9e335ecf2dc2e25..0000000000000000000000000000000000000000
--- a/Backport-CVE-2024-5535-Add-a-test-for-ALPN-and-NPN.patch
+++ /dev/null
@@ -1,1848 +0,0 @@ -From c3ac0d22f1924113e6bea60d6961501d7a36e13d Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 31 May 2024 16:35:16 +0100 -Subject: [PATCH] Add a test for ALPN and NPN - ---- - doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +- - ssl/statem/extensions_clnt.c | 27 +- - ssl/statem/extensions_srvr.c | 3 +- - test/helpers/handshake.c | 6 + - test/recipes/70-test_npn.t | 73 ++++ - test/ssl-tests/08-npn.cnf | 553 +++++++++++++----------- - test/ssl-tests/08-npn.cnf.in | 35 ++ - test/ssl-tests/09-alpn.cnf | 66 ++- - test/ssl-tests/09-alpn.cnf.in | 33 ++ - test/sslapitest.c | 362 ++++++++++++++++ - util/perl/TLSProxy/Message.pm | 9 + - util/perl/TLSProxy/NextProto.pm | 54 +++ - util/perl/TLSProxy/Proxy.pm | 1 + - 13 files changed, 994 insertions(+), 254 deletions(-) - create mode 100644 test/recipes/70-test_npn.t - create mode 100644 util/perl/TLSProxy/NextProto.pm - -diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod -index 102e657..a29557d 100644 ---- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod -+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod -@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated - SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to - set the list of protocols available to be negotiated. The B must be in - protocol-list format, described below. The length of B is specified in --B. -+B. Setting B to 0 clears any existing list of ALPN -+protocols and no ALPN extension will be sent to the server. - - SSL_CTX_set_alpn_select_cb() sets the application callback B used by a - server to select which protocol to use for the incoming connection. When B -@@ -73,9 +74,16 @@ B and B, B must be in the protocol-list format - described below. The first item in the B, B list that - matches an item in the B, B list is selected, and returned - in B, B. The B value will point into either B or --B, so it should be copied immediately. 
If no match is found, the first --item in B, B is returned in B, B. This --function can also be used in the NPN callback. -+B, so it should be copied immediately. The client list must include at -+least one valid (nonempty) protocol entry in the list. -+ -+The SSL_select_next_proto() helper function can be useful from either the ALPN -+callback or the NPN callback (described below). If no match is found, the first -+item in B, B is returned in B, B and -+B is returned. This can be useful when implementating -+the NPN callback. In the ALPN case, the value returned in B and B -+must be ignored if B has been returned from -+SSL_select_next_proto(). - - SSL_CTX_set_next_proto_select_cb() sets a callback B that is called when a - client needs to select a protocol from the server's provided list, and a -@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B). - The length of the protocol name must be written into B. The - server's advertised protocols are provided in B and B. The - callback can assume that B is syntactically valid. The client must --select a protocol. It is fatal to the connection if this callback returns --a value other than B. The B parameter is the pointer --set via SSL_CTX_set_next_proto_select_cb(). -+select a protocol (although it may be an empty, zero length protocol). It is -+fatal to the connection if this callback returns a value other than -+B or if the zero length protocol is selected. The B -+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb(). - - SSL_CTX_set_next_protos_advertised_cb() sets a callback B that is called - when a TLS server needs a list of supported protocols for Next Protocol -@@ -149,7 +158,8 @@ A match was found and is returned in B, B. - =item OPENSSL_NPN_NO_OVERLAP - - No match was found. The first item in B, B is returned in --B, B. -+B, B (or B and 0 in the case where the first entry in -+B is invalid). 
- - =back - -diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c -index 842be07..b21ccf9 100644 ---- a/ssl/statem/extensions_clnt.c -+++ b/ssl/statem/extensions_clnt.c -@@ -1536,7 +1536,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, - PACKET_data(pkt), - PACKET_remaining(pkt), - s->ctx->ext.npn_select_cb_arg) != -- SSL_TLSEXT_ERR_OK) { -+ SSL_TLSEXT_ERR_OK -+ || selected_len == 0) { - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); - return 0; - } -@@ -1565,6 +1566,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, - size_t chainidx) - { - size_t len; -+ PACKET confpkt, protpkt; -+ int valid = 0; - - /* We must have requested it. */ - if (!s->s3.alpn_sent) { -@@ -1583,6 +1586,28 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, - SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); - return 0; - } -+ -+ /* It must be a protocol that we sent */ -+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) { -+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); -+ return 0; -+ } -+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) { -+ if (PACKET_remaining(&protpkt) != len) -+ continue; -+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) { -+ /* Valid protocol found */ -+ valid = 1; -+ break; -+ } -+ } -+ -+ if (!valid) { -+ /* The protocol sent from the server does not match one we advertised */ -+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); -+ return 0; -+ } -+ - OPENSSL_free(s->s3.alpn_selected); - s->s3.alpn_selected = OPENSSL_malloc(len); - if (s->s3.alpn_selected == NULL) { -diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c -index 1fab5a3..51ea74b 100644 ---- a/ssl/statem/extensions_srvr.c -+++ b/ssl/statem/extensions_srvr.c -@@ -1471,9 +1471,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, - return EXT_RETURN_FAIL; - } - s->s3.npn_seen = 1; -+ 
return EXT_RETURN_SENT; - } - -- return EXT_RETURN_SENT; -+ return EXT_RETURN_NOT_SENT; - } - #endif - -diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c -index 285391b..dd5a6d9 100644 ---- a/test/helpers/handshake.c -+++ b/test/helpers/handshake.c -@@ -348,6 +348,12 @@ static int parse_protos(const char *protos, unsigned char **out, size_t *outlen) - - len = strlen(protos); - -+ if (len == 0) { -+ *out = NULL; -+ *outlen = 0; -+ return 1; -+ } -+ - /* Should never have reuse. */ - if (!TEST_ptr_null(*out) - /* Test values are small, so we omit length limit checks. */ -diff --git a/test/recipes/70-test_npn.t b/test/recipes/70-test_npn.t -new file mode 100644 -index 0000000..f82e71a ---- /dev/null -+++ b/test/recipes/70-test_npn.t -@@ -0,0 +1,73 @@ -+#! /usr/bin/env perl -+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+use strict; -+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/; -+use OpenSSL::Test::Utils; -+ -+use TLSProxy::Proxy; -+ -+my $test_name = "test_npn"; -+setup($test_name); -+ -+plan skip_all => "TLSProxy isn't usable on $^O" -+ if $^O =~ /^(VMS)$/; -+ -+plan skip_all => "$test_name needs the dynamic engine feature enabled" -+ if disabled("engine") || disabled("dynamic-engine"); -+ -+plan skip_all => "$test_name needs the sock feature enabled" -+ if disabled("sock"); -+ -+plan skip_all => "$test_name needs NPN enabled" -+ if disabled("nextprotoneg"); -+ -+plan skip_all => "$test_name needs TLSv1.2 enabled" -+ if disabled("tls1_2"); -+ -+my $proxy = TLSProxy::Proxy->new( -+ undef, -+ cmdstr(app(["openssl"]), display => 1), -+ srctop_file("apps", "server.pem"), -+ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) -+); -+ -+$proxy->start() or plan skip_all => 
"Unable to start up Proxy for tests"; -+plan tests => 1; -+ -+my $npnseen = 0; -+ -+# Test 1: Check sending an empty NextProto message from the client works. This is -+# valid as per the spec, but OpenSSL does not allow you to send it. -+# Therefore we must be prepared to receive such a message but we cannot -+# generate it except via TLSProxy -+$proxy->clear(); -+$proxy->filter(\&npn_filter); -+$proxy->clientflags("-nextprotoneg foo -no_tls1_3"); -+$proxy->serverflags("-nextprotoneg foo"); -+$proxy->start(); -+ok($npnseen && TLSProxy::Message->success(), "Empty NPN message"); -+ -+sub npn_filter -+{ -+ my $proxy = shift; -+ my $message; -+ -+ # The NextProto message always appears in flight 2 -+ return if $proxy->flight != 2; -+ -+ foreach my $message (@{$proxy->message_list}) { -+ if ($message->mt == TLSProxy::Message::MT_NEXT_PROTO) { -+ # Our TLSproxy NextProto message support doesn't support parsing of -+ # the message. If we repack it just creates an empty NextProto -+ # message - which is exactly the scenario we want to test here. 
-+ $message->repack(); -+ $npnseen = 1; -+ } -+ } -+} -diff --git a/test/ssl-tests/08-npn.cnf b/test/ssl-tests/08-npn.cnf -index f38b3f6..1931d02 100644 ---- a/test/ssl-tests/08-npn.cnf -+++ b/test/ssl-tests/08-npn.cnf -@@ -1,6 +1,6 @@ - # Generated with generate_ssl_tests.pl - --num_tests = 20 -+num_tests = 22 - - test-0 = 0-npn-simple - test-1 = 1-npn-client-finds-match -@@ -8,20 +8,22 @@ test-2 = 2-npn-client-honours-server-pref - test-3 = 3-npn-client-first-pref-on-mismatch - test-4 = 4-npn-no-server-support - test-5 = 5-npn-no-client-support --test-6 = 6-npn-with-sni-no-context-switch --test-7 = 7-npn-with-sni-context-switch --test-8 = 8-npn-selected-sni-server-supports-npn --test-9 = 9-npn-selected-sni-server-does-not-support-npn --test-10 = 10-alpn-preferred-over-npn --test-11 = 11-sni-npn-preferred-over-alpn --test-12 = 12-npn-simple-resumption --test-13 = 13-npn-server-switch-resumption --test-14 = 14-npn-client-switch-resumption --test-15 = 15-npn-client-first-pref-on-mismatch-resumption --test-16 = 16-npn-no-server-support-resumption --test-17 = 17-npn-no-client-support-resumption --test-18 = 18-alpn-preferred-over-npn-resumption --test-19 = 19-npn-used-if-alpn-not-supported-resumption -+test-6 = 6-npn-empty-client-list -+test-7 = 7-npn-empty-server-list -+test-8 = 8-npn-with-sni-no-context-switch -+test-9 = 9-npn-with-sni-context-switch -+test-10 = 10-npn-selected-sni-server-supports-npn -+test-11 = 11-npn-selected-sni-server-does-not-support-npn -+test-12 = 12-alpn-preferred-over-npn -+test-13 = 13-sni-npn-preferred-over-alpn -+test-14 = 14-npn-simple-resumption -+test-15 = 15-npn-server-switch-resumption -+test-16 = 16-npn-client-switch-resumption -+test-17 = 17-npn-client-first-pref-on-mismatch-resumption -+test-18 = 18-npn-no-server-support-resumption -+test-19 = 19-npn-no-client-support-resumption -+test-20 = 20-alpn-preferred-over-npn-resumption -+test-21 = 21-npn-used-if-alpn-not-supported-resumption - # 
=========================================================== - - [0-npn-simple] -@@ -206,253 +208,318 @@ NPNProtocols = foo - - # =========================================================== - --[6-npn-with-sni-no-context-switch] --ssl_conf = 6-npn-with-sni-no-context-switch-ssl -+[6-npn-empty-client-list] -+ssl_conf = 6-npn-empty-client-list-ssl - --[6-npn-with-sni-no-context-switch-ssl] --server = 6-npn-with-sni-no-context-switch-server --client = 6-npn-with-sni-no-context-switch-client --server2 = 6-npn-with-sni-no-context-switch-server2 -+[6-npn-empty-client-list-ssl] -+server = 6-npn-empty-client-list-server -+client = 6-npn-empty-client-list-client - --[6-npn-with-sni-no-context-switch-server] -+[6-npn-empty-client-list-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[6-npn-with-sni-no-context-switch-server2] -+[6-npn-empty-client-list-client] -+CipherString = DEFAULT -+MaxProtocol = TLSv1.2 -+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -+VerifyMode = Peer -+ -+[test-6] -+ExpectedClientAlert = HandshakeFailure -+ExpectedResult = ClientFail -+server = 6-npn-empty-client-list-server-extra -+client = 6-npn-empty-client-list-client-extra -+ -+[6-npn-empty-client-list-server-extra] -+NPNProtocols = foo -+ -+[6-npn-empty-client-list-client-extra] -+NPNProtocols = -+ -+ -+# =========================================================== -+ -+[7-npn-empty-server-list] -+ssl_conf = 7-npn-empty-server-list-ssl -+ -+[7-npn-empty-server-list-ssl] -+server = 7-npn-empty-server-list-server -+client = 7-npn-empty-server-list-client -+ -+[7-npn-empty-server-list-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[6-npn-with-sni-no-context-switch-client] -+[7-npn-empty-server-list-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - 
VerifyMode = Peer - --[test-6] -+[test-7] -+ExpectedNPNProtocol = foo -+server = 7-npn-empty-server-list-server-extra -+client = 7-npn-empty-server-list-client-extra -+ -+[7-npn-empty-server-list-server-extra] -+NPNProtocols = -+ -+[7-npn-empty-server-list-client-extra] -+NPNProtocols = foo -+ -+ -+# =========================================================== -+ -+[8-npn-with-sni-no-context-switch] -+ssl_conf = 8-npn-with-sni-no-context-switch-ssl -+ -+[8-npn-with-sni-no-context-switch-ssl] -+server = 8-npn-with-sni-no-context-switch-server -+client = 8-npn-with-sni-no-context-switch-client -+server2 = 8-npn-with-sni-no-context-switch-server2 -+ -+[8-npn-with-sni-no-context-switch-server] -+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -+CipherString = DEFAULT -+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -+ -+[8-npn-with-sni-no-context-switch-server2] -+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -+CipherString = DEFAULT -+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -+ -+[8-npn-with-sni-no-context-switch-client] -+CipherString = DEFAULT -+MaxProtocol = TLSv1.2 -+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -+VerifyMode = Peer -+ -+[test-8] - ExpectedNPNProtocol = foo - ExpectedServerName = server1 --server = 6-npn-with-sni-no-context-switch-server-extra --server2 = 6-npn-with-sni-no-context-switch-server2-extra --client = 6-npn-with-sni-no-context-switch-client-extra -+server = 8-npn-with-sni-no-context-switch-server-extra -+server2 = 8-npn-with-sni-no-context-switch-server2-extra -+client = 8-npn-with-sni-no-context-switch-client-extra - --[6-npn-with-sni-no-context-switch-server-extra] -+[8-npn-with-sni-no-context-switch-server-extra] - NPNProtocols = foo - ServerNameCallback = IgnoreMismatch - --[6-npn-with-sni-no-context-switch-server2-extra] -+[8-npn-with-sni-no-context-switch-server2-extra] - NPNProtocols = bar - --[6-npn-with-sni-no-context-switch-client-extra] -+[8-npn-with-sni-no-context-switch-client-extra] - NPNProtocols 
= foo,bar - ServerName = server1 - - - # =========================================================== - --[7-npn-with-sni-context-switch] --ssl_conf = 7-npn-with-sni-context-switch-ssl -+[9-npn-with-sni-context-switch] -+ssl_conf = 9-npn-with-sni-context-switch-ssl - --[7-npn-with-sni-context-switch-ssl] --server = 7-npn-with-sni-context-switch-server --client = 7-npn-with-sni-context-switch-client --server2 = 7-npn-with-sni-context-switch-server2 -+[9-npn-with-sni-context-switch-ssl] -+server = 9-npn-with-sni-context-switch-server -+client = 9-npn-with-sni-context-switch-client -+server2 = 9-npn-with-sni-context-switch-server2 - --[7-npn-with-sni-context-switch-server] -+[9-npn-with-sni-context-switch-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[7-npn-with-sni-context-switch-server2] -+[9-npn-with-sni-context-switch-server2] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[7-npn-with-sni-context-switch-client] -+[9-npn-with-sni-context-switch-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-7] -+[test-9] - ExpectedNPNProtocol = bar - ExpectedServerName = server2 --server = 7-npn-with-sni-context-switch-server-extra --server2 = 7-npn-with-sni-context-switch-server2-extra --client = 7-npn-with-sni-context-switch-client-extra -+server = 9-npn-with-sni-context-switch-server-extra -+server2 = 9-npn-with-sni-context-switch-server2-extra -+client = 9-npn-with-sni-context-switch-client-extra - --[7-npn-with-sni-context-switch-server-extra] -+[9-npn-with-sni-context-switch-server-extra] - NPNProtocols = foo - ServerNameCallback = IgnoreMismatch - --[7-npn-with-sni-context-switch-server2-extra] -+[9-npn-with-sni-context-switch-server2-extra] - NPNProtocols = bar - 
--[7-npn-with-sni-context-switch-client-extra] -+[9-npn-with-sni-context-switch-client-extra] - NPNProtocols = foo,bar - ServerName = server2 - - - # =========================================================== - --[8-npn-selected-sni-server-supports-npn] --ssl_conf = 8-npn-selected-sni-server-supports-npn-ssl -+[10-npn-selected-sni-server-supports-npn] -+ssl_conf = 10-npn-selected-sni-server-supports-npn-ssl - --[8-npn-selected-sni-server-supports-npn-ssl] --server = 8-npn-selected-sni-server-supports-npn-server --client = 8-npn-selected-sni-server-supports-npn-client --server2 = 8-npn-selected-sni-server-supports-npn-server2 -+[10-npn-selected-sni-server-supports-npn-ssl] -+server = 10-npn-selected-sni-server-supports-npn-server -+client = 10-npn-selected-sni-server-supports-npn-client -+server2 = 10-npn-selected-sni-server-supports-npn-server2 - --[8-npn-selected-sni-server-supports-npn-server] -+[10-npn-selected-sni-server-supports-npn-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[8-npn-selected-sni-server-supports-npn-server2] -+[10-npn-selected-sni-server-supports-npn-server2] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[8-npn-selected-sni-server-supports-npn-client] -+[10-npn-selected-sni-server-supports-npn-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-8] -+[test-10] - ExpectedNPNProtocol = bar - ExpectedServerName = server2 --server = 8-npn-selected-sni-server-supports-npn-server-extra --server2 = 8-npn-selected-sni-server-supports-npn-server2-extra --client = 8-npn-selected-sni-server-supports-npn-client-extra -+server = 10-npn-selected-sni-server-supports-npn-server-extra -+server2 = 10-npn-selected-sni-server-supports-npn-server2-extra -+client = 
10-npn-selected-sni-server-supports-npn-client-extra - --[8-npn-selected-sni-server-supports-npn-server-extra] -+[10-npn-selected-sni-server-supports-npn-server-extra] - ServerNameCallback = IgnoreMismatch - --[8-npn-selected-sni-server-supports-npn-server2-extra] -+[10-npn-selected-sni-server-supports-npn-server2-extra] - NPNProtocols = bar - --[8-npn-selected-sni-server-supports-npn-client-extra] -+[10-npn-selected-sni-server-supports-npn-client-extra] - NPNProtocols = foo,bar - ServerName = server2 - - - # =========================================================== - --[9-npn-selected-sni-server-does-not-support-npn] --ssl_conf = 9-npn-selected-sni-server-does-not-support-npn-ssl -+[11-npn-selected-sni-server-does-not-support-npn] -+ssl_conf = 11-npn-selected-sni-server-does-not-support-npn-ssl - --[9-npn-selected-sni-server-does-not-support-npn-ssl] --server = 9-npn-selected-sni-server-does-not-support-npn-server --client = 9-npn-selected-sni-server-does-not-support-npn-client --server2 = 9-npn-selected-sni-server-does-not-support-npn-server2 -+[11-npn-selected-sni-server-does-not-support-npn-ssl] -+server = 11-npn-selected-sni-server-does-not-support-npn-server -+client = 11-npn-selected-sni-server-does-not-support-npn-client -+server2 = 11-npn-selected-sni-server-does-not-support-npn-server2 - --[9-npn-selected-sni-server-does-not-support-npn-server] -+[11-npn-selected-sni-server-does-not-support-npn-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[9-npn-selected-sni-server-does-not-support-npn-server2] -+[11-npn-selected-sni-server-does-not-support-npn-server2] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[9-npn-selected-sni-server-does-not-support-npn-client] -+[11-npn-selected-sni-server-does-not-support-npn-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - 
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-9] -+[test-11] - ExpectedServerName = server2 --server = 9-npn-selected-sni-server-does-not-support-npn-server-extra --client = 9-npn-selected-sni-server-does-not-support-npn-client-extra -+server = 11-npn-selected-sni-server-does-not-support-npn-server-extra -+client = 11-npn-selected-sni-server-does-not-support-npn-client-extra - --[9-npn-selected-sni-server-does-not-support-npn-server-extra] -+[11-npn-selected-sni-server-does-not-support-npn-server-extra] - NPNProtocols = bar - ServerNameCallback = IgnoreMismatch - --[9-npn-selected-sni-server-does-not-support-npn-client-extra] -+[11-npn-selected-sni-server-does-not-support-npn-client-extra] - NPNProtocols = foo,bar - ServerName = server2 - - - # =========================================================== - --[10-alpn-preferred-over-npn] --ssl_conf = 10-alpn-preferred-over-npn-ssl -+[12-alpn-preferred-over-npn] -+ssl_conf = 12-alpn-preferred-over-npn-ssl - --[10-alpn-preferred-over-npn-ssl] --server = 10-alpn-preferred-over-npn-server --client = 10-alpn-preferred-over-npn-client -+[12-alpn-preferred-over-npn-ssl] -+server = 12-alpn-preferred-over-npn-server -+client = 12-alpn-preferred-over-npn-client - --[10-alpn-preferred-over-npn-server] -+[12-alpn-preferred-over-npn-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[10-alpn-preferred-over-npn-client] -+[12-alpn-preferred-over-npn-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-10] -+[test-12] - ExpectedALPNProtocol = foo --server = 10-alpn-preferred-over-npn-server-extra --client = 10-alpn-preferred-over-npn-client-extra -+server = 12-alpn-preferred-over-npn-server-extra -+client = 12-alpn-preferred-over-npn-client-extra - --[10-alpn-preferred-over-npn-server-extra] 
-+[12-alpn-preferred-over-npn-server-extra] - ALPNProtocols = foo - NPNProtocols = bar - --[10-alpn-preferred-over-npn-client-extra] -+[12-alpn-preferred-over-npn-client-extra] - ALPNProtocols = foo - NPNProtocols = bar - - - # =========================================================== - --[11-sni-npn-preferred-over-alpn] --ssl_conf = 11-sni-npn-preferred-over-alpn-ssl -+[13-sni-npn-preferred-over-alpn] -+ssl_conf = 13-sni-npn-preferred-over-alpn-ssl - --[11-sni-npn-preferred-over-alpn-ssl] --server = 11-sni-npn-preferred-over-alpn-server --client = 11-sni-npn-preferred-over-alpn-client --server2 = 11-sni-npn-preferred-over-alpn-server2 -+[13-sni-npn-preferred-over-alpn-ssl] -+server = 13-sni-npn-preferred-over-alpn-server -+client = 13-sni-npn-preferred-over-alpn-client -+server2 = 13-sni-npn-preferred-over-alpn-server2 - --[11-sni-npn-preferred-over-alpn-server] -+[13-sni-npn-preferred-over-alpn-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[11-sni-npn-preferred-over-alpn-server2] -+[13-sni-npn-preferred-over-alpn-server2] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[11-sni-npn-preferred-over-alpn-client] -+[13-sni-npn-preferred-over-alpn-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-11] -+[test-13] - ExpectedNPNProtocol = bar - ExpectedServerName = server2 --server = 11-sni-npn-preferred-over-alpn-server-extra --server2 = 11-sni-npn-preferred-over-alpn-server2-extra --client = 11-sni-npn-preferred-over-alpn-client-extra -+server = 13-sni-npn-preferred-over-alpn-server-extra -+server2 = 13-sni-npn-preferred-over-alpn-server2-extra -+client = 13-sni-npn-preferred-over-alpn-client-extra - --[11-sni-npn-preferred-over-alpn-server-extra] -+[13-sni-npn-preferred-over-alpn-server-extra] - 
ALPNProtocols = foo - ServerNameCallback = IgnoreMismatch - --[11-sni-npn-preferred-over-alpn-server2-extra] -+[13-sni-npn-preferred-over-alpn-server2-extra] - NPNProtocols = bar - --[11-sni-npn-preferred-over-alpn-client-extra] -+[13-sni-npn-preferred-over-alpn-client-extra] - ALPNProtocols = foo - NPNProtocols = bar - ServerName = server2 -@@ -460,356 +527,356 @@ ServerName = server2 - - # =========================================================== - --[12-npn-simple-resumption] --ssl_conf = 12-npn-simple-resumption-ssl -+[14-npn-simple-resumption] -+ssl_conf = 14-npn-simple-resumption-ssl - --[12-npn-simple-resumption-ssl] --server = 12-npn-simple-resumption-server --client = 12-npn-simple-resumption-client --resume-server = 12-npn-simple-resumption-server --resume-client = 12-npn-simple-resumption-client -+[14-npn-simple-resumption-ssl] -+server = 14-npn-simple-resumption-server -+client = 14-npn-simple-resumption-client -+resume-server = 14-npn-simple-resumption-server -+resume-client = 14-npn-simple-resumption-client - --[12-npn-simple-resumption-server] -+[14-npn-simple-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[12-npn-simple-resumption-client] -+[14-npn-simple-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-12] -+[test-14] - ExpectedNPNProtocol = foo - HandshakeMode = Resume - ResumptionExpected = Yes --server = 12-npn-simple-resumption-server-extra --resume-server = 12-npn-simple-resumption-server-extra --client = 12-npn-simple-resumption-client-extra --resume-client = 12-npn-simple-resumption-client-extra -+server = 14-npn-simple-resumption-server-extra -+resume-server = 14-npn-simple-resumption-server-extra -+client = 14-npn-simple-resumption-client-extra -+resume-client = 14-npn-simple-resumption-client-extra - 
--[12-npn-simple-resumption-server-extra] -+[14-npn-simple-resumption-server-extra] - NPNProtocols = foo - --[12-npn-simple-resumption-client-extra] -+[14-npn-simple-resumption-client-extra] - NPNProtocols = foo - - - # =========================================================== - --[13-npn-server-switch-resumption] --ssl_conf = 13-npn-server-switch-resumption-ssl -+[15-npn-server-switch-resumption] -+ssl_conf = 15-npn-server-switch-resumption-ssl - --[13-npn-server-switch-resumption-ssl] --server = 13-npn-server-switch-resumption-server --client = 13-npn-server-switch-resumption-client --resume-server = 13-npn-server-switch-resumption-resume-server --resume-client = 13-npn-server-switch-resumption-client -+[15-npn-server-switch-resumption-ssl] -+server = 15-npn-server-switch-resumption-server -+client = 15-npn-server-switch-resumption-client -+resume-server = 15-npn-server-switch-resumption-resume-server -+resume-client = 15-npn-server-switch-resumption-client - --[13-npn-server-switch-resumption-server] -+[15-npn-server-switch-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[13-npn-server-switch-resumption-resume-server] -+[15-npn-server-switch-resumption-resume-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[13-npn-server-switch-resumption-client] -+[15-npn-server-switch-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-13] -+[test-15] - ExpectedNPNProtocol = baz - HandshakeMode = Resume - ResumptionExpected = Yes --server = 13-npn-server-switch-resumption-server-extra --resume-server = 13-npn-server-switch-resumption-resume-server-extra --client = 13-npn-server-switch-resumption-client-extra --resume-client = 13-npn-server-switch-resumption-client-extra -+server = 
15-npn-server-switch-resumption-server-extra -+resume-server = 15-npn-server-switch-resumption-resume-server-extra -+client = 15-npn-server-switch-resumption-client-extra -+resume-client = 15-npn-server-switch-resumption-client-extra - --[13-npn-server-switch-resumption-server-extra] -+[15-npn-server-switch-resumption-server-extra] - NPNProtocols = bar,foo - --[13-npn-server-switch-resumption-resume-server-extra] -+[15-npn-server-switch-resumption-resume-server-extra] - NPNProtocols = baz,foo - --[13-npn-server-switch-resumption-client-extra] -+[15-npn-server-switch-resumption-client-extra] - NPNProtocols = foo,bar,baz - - - # =========================================================== - --[14-npn-client-switch-resumption] --ssl_conf = 14-npn-client-switch-resumption-ssl -+[16-npn-client-switch-resumption] -+ssl_conf = 16-npn-client-switch-resumption-ssl - --[14-npn-client-switch-resumption-ssl] --server = 14-npn-client-switch-resumption-server --client = 14-npn-client-switch-resumption-client --resume-server = 14-npn-client-switch-resumption-server --resume-client = 14-npn-client-switch-resumption-resume-client -+[16-npn-client-switch-resumption-ssl] -+server = 16-npn-client-switch-resumption-server -+client = 16-npn-client-switch-resumption-client -+resume-server = 16-npn-client-switch-resumption-server -+resume-client = 16-npn-client-switch-resumption-resume-client - --[14-npn-client-switch-resumption-server] -+[16-npn-client-switch-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[14-npn-client-switch-resumption-client] -+[16-npn-client-switch-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[14-npn-client-switch-resumption-resume-client] -+[16-npn-client-switch-resumption-resume-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-14] -+[test-16] - ExpectedNPNProtocol = bar - HandshakeMode = Resume - ResumptionExpected = Yes --server = 14-npn-client-switch-resumption-server-extra --resume-server = 14-npn-client-switch-resumption-server-extra --client = 14-npn-client-switch-resumption-client-extra --resume-client = 14-npn-client-switch-resumption-resume-client-extra -+server = 16-npn-client-switch-resumption-server-extra -+resume-server = 16-npn-client-switch-resumption-server-extra -+client = 16-npn-client-switch-resumption-client-extra -+resume-client = 16-npn-client-switch-resumption-resume-client-extra - --[14-npn-client-switch-resumption-server-extra] -+[16-npn-client-switch-resumption-server-extra] - NPNProtocols = foo,bar,baz - --[14-npn-client-switch-resumption-client-extra] -+[16-npn-client-switch-resumption-client-extra] - NPNProtocols = foo,baz - --[14-npn-client-switch-resumption-resume-client-extra] -+[16-npn-client-switch-resumption-resume-client-extra] - NPNProtocols = bar,baz - - - # =========================================================== - --[15-npn-client-first-pref-on-mismatch-resumption] --ssl_conf = 15-npn-client-first-pref-on-mismatch-resumption-ssl -+[17-npn-client-first-pref-on-mismatch-resumption] -+ssl_conf = 17-npn-client-first-pref-on-mismatch-resumption-ssl - --[15-npn-client-first-pref-on-mismatch-resumption-ssl] --server = 15-npn-client-first-pref-on-mismatch-resumption-server --client = 15-npn-client-first-pref-on-mismatch-resumption-client --resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server --resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client -+[17-npn-client-first-pref-on-mismatch-resumption-ssl] -+server = 17-npn-client-first-pref-on-mismatch-resumption-server -+client = 17-npn-client-first-pref-on-mismatch-resumption-client -+resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server -+resume-client = 
17-npn-client-first-pref-on-mismatch-resumption-client - --[15-npn-client-first-pref-on-mismatch-resumption-server] -+[17-npn-client-first-pref-on-mismatch-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[15-npn-client-first-pref-on-mismatch-resumption-resume-server] -+[17-npn-client-first-pref-on-mismatch-resumption-resume-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[15-npn-client-first-pref-on-mismatch-resumption-client] -+[17-npn-client-first-pref-on-mismatch-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-15] -+[test-17] - ExpectedNPNProtocol = foo - HandshakeMode = Resume - ResumptionExpected = Yes --server = 15-npn-client-first-pref-on-mismatch-resumption-server-extra --resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra --client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra --resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra -+server = 17-npn-client-first-pref-on-mismatch-resumption-server-extra -+resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra -+client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra -+resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra - --[15-npn-client-first-pref-on-mismatch-resumption-server-extra] -+[17-npn-client-first-pref-on-mismatch-resumption-server-extra] - NPNProtocols = bar - --[15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra] -+[17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra] - NPNProtocols = baz - --[15-npn-client-first-pref-on-mismatch-resumption-client-extra] -+[17-npn-client-first-pref-on-mismatch-resumption-client-extra] - 
NPNProtocols = foo,bar - - - # =========================================================== - --[16-npn-no-server-support-resumption] --ssl_conf = 16-npn-no-server-support-resumption-ssl -+[18-npn-no-server-support-resumption] -+ssl_conf = 18-npn-no-server-support-resumption-ssl - --[16-npn-no-server-support-resumption-ssl] --server = 16-npn-no-server-support-resumption-server --client = 16-npn-no-server-support-resumption-client --resume-server = 16-npn-no-server-support-resumption-resume-server --resume-client = 16-npn-no-server-support-resumption-client -+[18-npn-no-server-support-resumption-ssl] -+server = 18-npn-no-server-support-resumption-server -+client = 18-npn-no-server-support-resumption-client -+resume-server = 18-npn-no-server-support-resumption-resume-server -+resume-client = 18-npn-no-server-support-resumption-client - --[16-npn-no-server-support-resumption-server] -+[18-npn-no-server-support-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[16-npn-no-server-support-resumption-resume-server] -+[18-npn-no-server-support-resumption-resume-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[16-npn-no-server-support-resumption-client] -+[18-npn-no-server-support-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-16] -+[test-18] - HandshakeMode = Resume - ResumptionExpected = Yes --server = 16-npn-no-server-support-resumption-server-extra --client = 16-npn-no-server-support-resumption-client-extra --resume-client = 16-npn-no-server-support-resumption-client-extra -+server = 18-npn-no-server-support-resumption-server-extra -+client = 18-npn-no-server-support-resumption-client-extra -+resume-client = 18-npn-no-server-support-resumption-client-extra - 
--[16-npn-no-server-support-resumption-server-extra] -+[18-npn-no-server-support-resumption-server-extra] - NPNProtocols = foo - --[16-npn-no-server-support-resumption-client-extra] -+[18-npn-no-server-support-resumption-client-extra] - NPNProtocols = foo - - - # =========================================================== - --[17-npn-no-client-support-resumption] --ssl_conf = 17-npn-no-client-support-resumption-ssl -+[19-npn-no-client-support-resumption] -+ssl_conf = 19-npn-no-client-support-resumption-ssl - --[17-npn-no-client-support-resumption-ssl] --server = 17-npn-no-client-support-resumption-server --client = 17-npn-no-client-support-resumption-client --resume-server = 17-npn-no-client-support-resumption-server --resume-client = 17-npn-no-client-support-resumption-resume-client -+[19-npn-no-client-support-resumption-ssl] -+server = 19-npn-no-client-support-resumption-server -+client = 19-npn-no-client-support-resumption-client -+resume-server = 19-npn-no-client-support-resumption-server -+resume-client = 19-npn-no-client-support-resumption-resume-client - --[17-npn-no-client-support-resumption-server] -+[19-npn-no-client-support-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[17-npn-no-client-support-resumption-client] -+[19-npn-no-client-support-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[17-npn-no-client-support-resumption-resume-client] -+[19-npn-no-client-support-resumption-resume-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-17] -+[test-19] - HandshakeMode = Resume - ResumptionExpected = Yes --server = 17-npn-no-client-support-resumption-server-extra --resume-server = 17-npn-no-client-support-resumption-server-extra --client = 
17-npn-no-client-support-resumption-client-extra -+server = 19-npn-no-client-support-resumption-server-extra -+resume-server = 19-npn-no-client-support-resumption-server-extra -+client = 19-npn-no-client-support-resumption-client-extra - --[17-npn-no-client-support-resumption-server-extra] -+[19-npn-no-client-support-resumption-server-extra] - NPNProtocols = foo - --[17-npn-no-client-support-resumption-client-extra] -+[19-npn-no-client-support-resumption-client-extra] - NPNProtocols = foo - - - # =========================================================== - --[18-alpn-preferred-over-npn-resumption] --ssl_conf = 18-alpn-preferred-over-npn-resumption-ssl -+[20-alpn-preferred-over-npn-resumption] -+ssl_conf = 20-alpn-preferred-over-npn-resumption-ssl - --[18-alpn-preferred-over-npn-resumption-ssl] --server = 18-alpn-preferred-over-npn-resumption-server --client = 18-alpn-preferred-over-npn-resumption-client --resume-server = 18-alpn-preferred-over-npn-resumption-resume-server --resume-client = 18-alpn-preferred-over-npn-resumption-client -+[20-alpn-preferred-over-npn-resumption-ssl] -+server = 20-alpn-preferred-over-npn-resumption-server -+client = 20-alpn-preferred-over-npn-resumption-client -+resume-server = 20-alpn-preferred-over-npn-resumption-resume-server -+resume-client = 20-alpn-preferred-over-npn-resumption-client - --[18-alpn-preferred-over-npn-resumption-server] -+[20-alpn-preferred-over-npn-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[18-alpn-preferred-over-npn-resumption-resume-server] -+[20-alpn-preferred-over-npn-resumption-resume-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[18-alpn-preferred-over-npn-resumption-client] -+[20-alpn-preferred-over-npn-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-18] -+[test-20] - ExpectedALPNProtocol = foo - HandshakeMode = Resume - ResumptionExpected = Yes --server = 18-alpn-preferred-over-npn-resumption-server-extra --resume-server = 18-alpn-preferred-over-npn-resumption-resume-server-extra --client = 18-alpn-preferred-over-npn-resumption-client-extra --resume-client = 18-alpn-preferred-over-npn-resumption-client-extra -+server = 20-alpn-preferred-over-npn-resumption-server-extra -+resume-server = 20-alpn-preferred-over-npn-resumption-resume-server-extra -+client = 20-alpn-preferred-over-npn-resumption-client-extra -+resume-client = 20-alpn-preferred-over-npn-resumption-client-extra - --[18-alpn-preferred-over-npn-resumption-server-extra] -+[20-alpn-preferred-over-npn-resumption-server-extra] - NPNProtocols = bar - --[18-alpn-preferred-over-npn-resumption-resume-server-extra] -+[20-alpn-preferred-over-npn-resumption-resume-server-extra] - ALPNProtocols = foo - NPNProtocols = baz - --[18-alpn-preferred-over-npn-resumption-client-extra] -+[20-alpn-preferred-over-npn-resumption-client-extra] - ALPNProtocols = foo - NPNProtocols = bar,baz - - - # =========================================================== - --[19-npn-used-if-alpn-not-supported-resumption] --ssl_conf = 19-npn-used-if-alpn-not-supported-resumption-ssl -+[21-npn-used-if-alpn-not-supported-resumption] -+ssl_conf = 21-npn-used-if-alpn-not-supported-resumption-ssl - --[19-npn-used-if-alpn-not-supported-resumption-ssl] --server = 19-npn-used-if-alpn-not-supported-resumption-server --client = 19-npn-used-if-alpn-not-supported-resumption-client --resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server --resume-client = 19-npn-used-if-alpn-not-supported-resumption-client -+[21-npn-used-if-alpn-not-supported-resumption-ssl] -+server = 21-npn-used-if-alpn-not-supported-resumption-server -+client = 21-npn-used-if-alpn-not-supported-resumption-client -+resume-server = 
21-npn-used-if-alpn-not-supported-resumption-resume-server -+resume-client = 21-npn-used-if-alpn-not-supported-resumption-client - --[19-npn-used-if-alpn-not-supported-resumption-server] -+[21-npn-used-if-alpn-not-supported-resumption-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[19-npn-used-if-alpn-not-supported-resumption-resume-server] -+[21-npn-used-if-alpn-not-supported-resumption-resume-server] - Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem - CipherString = DEFAULT - PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem - --[19-npn-used-if-alpn-not-supported-resumption-client] -+[21-npn-used-if-alpn-not-supported-resumption-client] - CipherString = DEFAULT - MaxProtocol = TLSv1.2 - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - --[test-19] -+[test-21] - ExpectedNPNProtocol = baz - HandshakeMode = Resume - ResumptionExpected = Yes --server = 19-npn-used-if-alpn-not-supported-resumption-server-extra --resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server-extra --client = 19-npn-used-if-alpn-not-supported-resumption-client-extra --resume-client = 19-npn-used-if-alpn-not-supported-resumption-client-extra -+server = 21-npn-used-if-alpn-not-supported-resumption-server-extra -+resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server-extra -+client = 21-npn-used-if-alpn-not-supported-resumption-client-extra -+resume-client = 21-npn-used-if-alpn-not-supported-resumption-client-extra - --[19-npn-used-if-alpn-not-supported-resumption-server-extra] -+[21-npn-used-if-alpn-not-supported-resumption-server-extra] - ALPNProtocols = foo - NPNProtocols = bar - --[19-npn-used-if-alpn-not-supported-resumption-resume-server-extra] -+[21-npn-used-if-alpn-not-supported-resumption-resume-server-extra] - NPNProtocols = baz - --[19-npn-used-if-alpn-not-supported-resumption-client-extra] 
-+[21-npn-used-if-alpn-not-supported-resumption-client-extra] - ALPNProtocols = foo - NPNProtocols = bar,baz - -diff --git a/test/ssl-tests/08-npn.cnf.in b/test/ssl-tests/08-npn.cnf.in -index 30783e4..1dc2704 100644 ---- a/test/ssl-tests/08-npn.cnf.in -+++ b/test/ssl-tests/08-npn.cnf.in -@@ -110,6 +110,41 @@ our @tests = ( - "ExpectedNPNProtocol" => undef, - }, - }, -+ { -+ name => "npn-empty-client-list", -+ server => { -+ extra => { -+ "NPNProtocols" => "foo", -+ }, -+ }, -+ client => { -+ extra => { -+ "NPNProtocols" => "", -+ }, -+ "MaxProtocol" => "TLSv1.2" -+ }, -+ test => { -+ "ExpectedResult" => "ClientFail", -+ "ExpectedClientAlert" => "HandshakeFailure" -+ }, -+ }, -+ { -+ name => "npn-empty-server-list", -+ server => { -+ extra => { -+ "NPNProtocols" => "", -+ }, -+ }, -+ client => { -+ extra => { -+ "NPNProtocols" => "foo", -+ }, -+ "MaxProtocol" => "TLSv1.2" -+ }, -+ test => { -+ "ExpectedNPNProtocol" => "foo" -+ }, -+ }, - { - name => "npn-with-sni-no-context-switch", - server => { -diff --git a/test/ssl-tests/09-alpn.cnf b/test/ssl-tests/09-alpn.cnf -index e7e6cb9..dd66873 100644 ---- a/test/ssl-tests/09-alpn.cnf -+++ b/test/ssl-tests/09-alpn.cnf -@@ -1,6 +1,6 @@ - # Generated with generate_ssl_tests.pl - --num_tests = 16 -+num_tests = 18 - - test-0 = 0-alpn-simple - test-1 = 1-alpn-server-finds-match -@@ -18,6 +18,8 @@ test-12 = 12-alpn-client-switch-resumption - test-13 = 13-alpn-alert-on-mismatch-resumption - test-14 = 14-alpn-no-server-support-resumption - test-15 = 15-alpn-no-client-support-resumption -+test-16 = 16-alpn-empty-client-list -+test-17 = 17-alpn-empty-server-list - # =========================================================== - - [0-alpn-simple] -@@ -617,3 +619,65 @@ ALPNProtocols = foo - ALPNProtocols = foo - - -+# =========================================================== -+ -+[16-alpn-empty-client-list] -+ssl_conf = 16-alpn-empty-client-list-ssl -+ -+[16-alpn-empty-client-list-ssl] -+server = 16-alpn-empty-client-list-server 
-+client = 16-alpn-empty-client-list-client -+ -+[16-alpn-empty-client-list-server] -+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -+CipherString = DEFAULT -+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -+ -+[16-alpn-empty-client-list-client] -+CipherString = DEFAULT -+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -+VerifyMode = Peer -+ -+[test-16] -+server = 16-alpn-empty-client-list-server-extra -+client = 16-alpn-empty-client-list-client-extra -+ -+[16-alpn-empty-client-list-server-extra] -+ALPNProtocols = foo -+ -+[16-alpn-empty-client-list-client-extra] -+ALPNProtocols = -+ -+ -+# =========================================================== -+ -+[17-alpn-empty-server-list] -+ssl_conf = 17-alpn-empty-server-list-ssl -+ -+[17-alpn-empty-server-list-ssl] -+server = 17-alpn-empty-server-list-server -+client = 17-alpn-empty-server-list-client -+ -+[17-alpn-empty-server-list-server] -+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -+CipherString = DEFAULT -+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem -+ -+[17-alpn-empty-server-list-client] -+CipherString = DEFAULT -+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -+VerifyMode = Peer -+ -+[test-17] -+ExpectedResult = ServerFail -+ExpectedServerAlert = NoApplicationProtocol -+server = 17-alpn-empty-server-list-server-extra -+client = 17-alpn-empty-server-list-client-extra -+ -+[17-alpn-empty-server-list-server-extra] -+ALPNProtocols = -+ -+[17-alpn-empty-server-list-client-extra] -+ALPNProtocols = foo -+ -+ -diff --git a/test/ssl-tests/09-alpn.cnf.in b/test/ssl-tests/09-alpn.cnf.in -index 8133075..322b709 100644 ---- a/test/ssl-tests/09-alpn.cnf.in -+++ b/test/ssl-tests/09-alpn.cnf.in -@@ -322,4 +322,37 @@ our @tests = ( - "ExpectedALPNProtocol" => undef, - }, - }, -+ { -+ name => "alpn-empty-client-list", -+ server => { -+ extra => { -+ "ALPNProtocols" => "foo", -+ }, -+ }, -+ client => { -+ extra => { -+ "ALPNProtocols" => "", -+ }, -+ }, -+ test => { -+ "ExpectedALPNProtocol" => undef, 
-+ }, -+ }, -+ { -+ name => "alpn-empty-server-list", -+ server => { -+ extra => { -+ "ALPNProtocols" => "", -+ }, -+ }, -+ client => { -+ extra => { -+ "ALPNProtocols" => "foo", -+ }, -+ }, -+ test => { -+ "ExpectedResult" => "ServerFail", -+ "ExpectedServerAlert" => "NoApplicationProtocol", -+ }, -+ }, - ); -diff --git a/test/sslapitest.c b/test/sslapitest.c -index e8d105e..e14a93b 100644 ---- a/test/sslapitest.c -+++ b/test/sslapitest.c -@@ -10713,6 +10713,363 @@ static int test_multi_resume(int idx) - return testresult; - } - -+static struct next_proto_st { -+ int serverlen; -+ unsigned char server[40]; -+ int clientlen; -+ unsigned char client[40]; -+ int expected_ret; -+ size_t selectedlen; -+ unsigned char selected[40]; -+} next_proto_tests[] = { -+ { -+ 4, { 3, 'a', 'b', 'c' }, -+ 4, { 3, 'a', 'b', 'c' }, -+ OPENSSL_NPN_NEGOTIATED, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' }, -+ 4, { 3, 'a', 'b', 'c' }, -+ OPENSSL_NPN_NEGOTIATED, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', }, -+ 4, { 3, 'a', 'b', 'c' }, -+ OPENSSL_NPN_NEGOTIATED, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 4, { 3, 'a', 'b', 'c' }, -+ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', }, -+ OPENSSL_NPN_NEGOTIATED, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 4, { 3, 'a', 'b', 'c' }, -+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'}, -+ OPENSSL_NPN_NEGOTIATED, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' }, -+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'}, -+ OPENSSL_NPN_NEGOTIATED, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' }, -+ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'}, -+ OPENSSL_NPN_NEGOTIATED, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 4, { 3, 'b', 'c', 'd' }, -+ 4, { 3, 'a', 'b', 'c' }, -+ OPENSSL_NPN_NO_OVERLAP, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 0, { 0 }, -+ 4, { 3, 'a', 'b', 'c' }, -+ OPENSSL_NPN_NO_OVERLAP, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ -1, { 0 }, -+ 4, { 3, 'a', 'b', 'c' }, -+ 
OPENSSL_NPN_NO_OVERLAP, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 4, { 3, 'a', 'b', 'c' }, -+ 0, { 0 }, -+ OPENSSL_NPN_NO_OVERLAP, -+ 0, { 0 } -+ }, -+ { -+ 4, { 3, 'a', 'b', 'c' }, -+ -1, { 0 }, -+ OPENSSL_NPN_NO_OVERLAP, -+ 0, { 0 } -+ }, -+ { -+ 3, { 3, 'a', 'b', 'c' }, -+ 4, { 3, 'a', 'b', 'c' }, -+ OPENSSL_NPN_NO_OVERLAP, -+ 3, { 'a', 'b', 'c' } -+ }, -+ { -+ 4, { 3, 'a', 'b', 'c' }, -+ 3, { 3, 'a', 'b', 'c' }, -+ OPENSSL_NPN_NO_OVERLAP, -+ 0, { 0 } -+ } -+}; -+ -+static int test_select_next_proto(int idx) -+{ -+ struct next_proto_st *np = &next_proto_tests[idx]; -+ int ret = 0; -+ unsigned char *out, *client, *server; -+ unsigned char outlen; -+ unsigned int clientlen, serverlen; -+ -+ if (np->clientlen == -1) { -+ client = NULL; -+ clientlen = 0; -+ } else { -+ client = np->client; -+ clientlen = (unsigned int)np->clientlen; -+ } -+ if (np->serverlen == -1) { -+ server = NULL; -+ serverlen = 0; -+ } else { -+ server = np->server; -+ serverlen = (unsigned int)np->serverlen; -+ } -+ -+ if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen, -+ client, clientlen), -+ np->expected_ret)) -+ goto err; -+ -+ if (np->selectedlen == 0) { -+ if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0)) -+ goto err; -+ } else { -+ if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen)) -+ goto err; -+ } -+ -+ ret = 1; -+ err: -+ return ret; -+} -+ -+static const unsigned char fooprot[] = {3, 'f', 'o', 'o' }; -+static const unsigned char barprot[] = {3, 'b', 'a', 'r' }; -+ -+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) -+static int npn_advert_cb(SSL *ssl, const unsigned char **out, -+ unsigned int *outlen, void *arg) -+{ -+ int *idx = (int *)arg; -+ -+ switch (*idx) { -+ default: -+ case 0: -+ *out = fooprot; -+ *outlen = sizeof(fooprot); -+ return SSL_TLSEXT_ERR_OK; -+ -+ case 1: -+ *outlen = 0; -+ return SSL_TLSEXT_ERR_OK; -+ -+ case 2: -+ return SSL_TLSEXT_ERR_NOACK; -+ } -+} -+ -+static int npn_select_cb(SSL *s, unsigned char 
**out, unsigned char *outlen, -+ const unsigned char *in, unsigned int inlen, void *arg) -+{ -+ int *idx = (int *)arg; -+ -+ switch (*idx) { -+ case 0: -+ case 1: -+ *out = (unsigned char *)(fooprot + 1); -+ *outlen = *fooprot; -+ return SSL_TLSEXT_ERR_OK; -+ -+ case 3: -+ *out = (unsigned char *)(barprot + 1); -+ *outlen = *barprot; -+ return SSL_TLSEXT_ERR_OK; -+ -+ case 4: -+ *outlen = 0; -+ return SSL_TLSEXT_ERR_OK; -+ -+ default: -+ case 2: -+ return SSL_TLSEXT_ERR_ALERT_FATAL; -+ } -+} -+ -+/* -+ * Test the NPN callbacks -+ * Test 0: advert = foo, select = foo -+ * Test 1: advert = , select = foo -+ * Test 2: no advert -+ * Test 3: advert = foo, select = bar -+ * Test 4: advert = foo, select = (should fail) -+ */ -+static int test_npn(int idx) -+{ -+ SSL_CTX *sctx = NULL, *cctx = NULL; -+ SSL *serverssl = NULL, *clientssl = NULL; -+ int testresult = 0; -+ -+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), -+ TLS_client_method(), 0, TLS1_2_VERSION, -+ &sctx, &cctx, cert, privkey))) -+ goto end; -+ -+ SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx); -+ SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx); -+ -+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, -+ NULL))) -+ goto end; -+ -+ if (idx == 4) { -+ /* We don't allow empty selection of NPN, so this should fail */ -+ if (!TEST_false(create_ssl_connection(serverssl, clientssl, -+ SSL_ERROR_NONE))) -+ goto end; -+ } else { -+ const unsigned char *prot; -+ unsigned int protlen; -+ -+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, -+ SSL_ERROR_NONE))) -+ goto end; -+ -+ SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen); -+ switch (idx) { -+ case 0: -+ case 1: -+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot)) -+ goto end; -+ break; -+ case 2: -+ if (!TEST_uint_eq(protlen, 0)) -+ goto end; -+ break; -+ case 3: -+ if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot)) -+ goto end; -+ break; -+ default: -+ 
TEST_error("Should not get here"); -+ goto end; -+ } -+ } -+ -+ testresult = 1; -+ end: -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ -+ return testresult; -+} -+#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */ -+ -+static int alpn_select_cb2(SSL *ssl, const unsigned char **out, -+ unsigned char *outlen, const unsigned char *in, -+ unsigned int inlen, void *arg) -+{ -+ int *idx = (int *)arg; -+ -+ switch (*idx) { -+ case 0: -+ *out = (unsigned char *)(fooprot + 1); -+ *outlen = *fooprot; -+ return SSL_TLSEXT_ERR_OK; -+ -+ case 2: -+ *out = (unsigned char *)(barprot + 1); -+ *outlen = *barprot; -+ return SSL_TLSEXT_ERR_OK; -+ -+ case 3: -+ *outlen = 0; -+ return SSL_TLSEXT_ERR_OK; -+ -+ default: -+ case 1: -+ return SSL_TLSEXT_ERR_ALERT_FATAL; -+ } -+ return 0; -+} -+ -+/* -+ * Test the ALPN callbacks -+ * Test 0: client = foo, select = foo -+ * Test 1: client = , select = none -+ * Test 2: client = foo, select = bar (should fail) -+ * Test 3: client = foo, select = (should fail) -+ */ -+static int test_alpn(int idx) -+{ -+ SSL_CTX *sctx = NULL, *cctx = NULL; -+ SSL *serverssl = NULL, *clientssl = NULL; -+ int testresult = 0; -+ const unsigned char *prots = fooprot; -+ unsigned int protslen = sizeof(fooprot); -+ -+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), -+ TLS_client_method(), 0, 0, -+ &sctx, &cctx, cert, privkey))) -+ goto end; -+ -+ SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx); -+ -+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, -+ NULL))) -+ goto end; -+ -+ if (idx == 1) { -+ prots = NULL; -+ protslen = 0; -+ } -+ -+ /* SSL_set_alpn_protos returns 0 for success! 
*/ -+ if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen))) -+ goto end; -+ -+ if (idx == 2 || idx == 3) { -+ /* We don't allow empty selection of NPN, so this should fail */ -+ if (!TEST_false(create_ssl_connection(serverssl, clientssl, -+ SSL_ERROR_NONE))) -+ goto end; -+ } else { -+ const unsigned char *prot; -+ unsigned int protlen; -+ -+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, -+ SSL_ERROR_NONE))) -+ goto end; -+ -+ SSL_get0_alpn_selected(clientssl, &prot, &protlen); -+ switch (idx) { -+ case 0: -+ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot)) -+ goto end; -+ break; -+ case 1: -+ if (!TEST_uint_eq(protlen, 0)) -+ goto end; -+ break; -+ default: -+ TEST_error("Should not get here"); -+ goto end; -+ } -+ } -+ -+ testresult = 1; -+ end: -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ -+ return testresult; -+} -+ - OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n") - - int setup_tests(void) -@@ -10989,6 +11346,11 @@ int setup_tests(void) - #endif - ADD_ALL_TESTS(test_handshake_retry, 16); - ADD_ALL_TESTS(test_multi_resume, 5); -+ ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests)); -+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) -+ ADD_ALL_TESTS(test_npn, 5); -+#endif -+ ADD_ALL_TESTS(test_alpn, 4); - return 1; - - err: -diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm -index 2c1bdb3..eb350de 100644 ---- a/util/perl/TLSProxy/Message.pm -+++ b/util/perl/TLSProxy/Message.pm -@@ -379,6 +379,15 @@ sub create_message - [@message_frag_lens] - ); - $message->parse(); -+ } elsif ($mt == MT_NEXT_PROTO) { -+ $message = TLSProxy::NextProto->new( -+ $server, -+ $data, -+ [@message_rec_list], -+ $startoffset, -+ [@message_frag_lens] -+ ); -+ $message->parse(); - } else { - #Unknown message type - $message = TLSProxy::Message->new( -diff --git a/util/perl/TLSProxy/NextProto.pm b/util/perl/TLSProxy/NextProto.pm -new file mode 100644 
-index 0000000..3f7af72
---- /dev/null
-+++ b/util/perl/TLSProxy/NextProto.pm
-@@ -0,0 +1,54 @@
-+# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License"). You may not use
-+# this file except in compliance with the License. You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+use strict;
-+
-+package TLSProxy::NextProto;
-+
-+use vars '@ISA';
-+push @ISA, 'TLSProxy::Message';
-+
-+sub new
-+{
-+ my $class = shift;
-+ my ($server,
-+ $data,
-+ $records,
-+ $startoffset,
-+ $message_frag_lens) = @_;
-+
-+ my $self = $class->SUPER::new(
-+ $server,
-+ TLSProxy::Message::MT_NEXT_PROTO,
-+ $data,
-+ $records,
-+ $startoffset,
-+ $message_frag_lens);
-+
-+ return $self;
-+}
-+
-+sub parse
-+{
-+ #We don't support parsing at the moment
-+}
-+
-+# This is supposed to reconstruct the on-the-wire message data following changes.
-+# For now though since we don't support parsing we just create an empty NextProto
-+# message - this capability is used in test_npn
-+sub set_message_contents
-+{
-+ my $self = shift;
-+ my $data;
-+
-+ $data = pack("C32", 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00);
-+ $self->data($data);
-+}
-+1;
-diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
-index 3de10ec..b707722 100644
---- a/util/perl/TLSProxy/Proxy.pm
-+++ b/util/perl/TLSProxy/Proxy.pm
-@@ -23,6 +23,7 @@ use TLSProxy::CertificateRequest;
- use TLSProxy::CertificateVerify;
- use TLSProxy::ServerKeyExchange;
- use TLSProxy::NewSessionTicket;
-+use TLSProxy::NextProto;
-
- my $have_IPv6;
- my $IP_factory;
---
-2.41.0
-
diff --git a/Backport-CVE-2024-5535-Fix-SSL_select_next_proto.patch b/Backport-CVE-2024-5535-Fix-SSL_select_next_proto.patch
deleted file mode 100644
index fb7fb7f3733452dee8f15950fb8f889c9f7eddf4..0000000000000000000000000000000000000000
--- a/Backport-CVE-2024-5535-Fix-SSL_select_next_proto.patch
+++ /dev/null
@@ -1,112 +0,0 @@ -From e86ac436f0bd54d4517745483e2315650fae7b2c Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 31 May 2024 11:14:33 +0100 -Subject: [PATCH] Fix SSL_select_next_proto - -Ensure that the provided client list is non-NULL and starts with a valid -entry. When called from the ALPN callback the client list should already -have been validated by OpenSSL so this should not cause a problem. When -called from the NPN callback the client list is locally configured and -will not have already been validated. Therefore SSL_select_next_proto -should not assume that it is correctly formatted. - -We implement stricter checking of the client protocol list. We also do the -same for the server list while we are about it. - -CVE-2024-5535 - -Reviewed-by: Tomas Mraz -Reviewed-by: Neil Horman -(Merged from https://github.com/openssl/openssl/pull/24716) - -(cherry picked from commit 2ebbe2d7ca8551c4cb5fbb391ab9af411708090e) - ---- - ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++------------------- - 1 file changed, 40 insertions(+), 23 deletions(-) - -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index 846c55a..316556c 100644 ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -2933,37 +2933,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, - unsigned int server_len, - const unsigned char *client, unsigned int client_len) - { -- unsigned int i, j; -- const unsigned char *result; -- int status = OPENSSL_NPN_UNSUPPORTED; -+ PACKET cpkt, csubpkt, spkt, ssubpkt; -+ -+ if (!PACKET_buf_init(&cpkt, client, client_len) -+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt) -+ || PACKET_remaining(&csubpkt) == 0) { -+ *out = NULL; -+ *outlen = 0; -+ return OPENSSL_NPN_NO_OVERLAP; -+ } -+ -+ /* -+ * Set the default opportunistic protocol. Will be overwritten if we find -+ * a match. 
-+ */ -+ *out = (unsigned char *)PACKET_data(&csubpkt); -+ *outlen = (unsigned char)PACKET_remaining(&csubpkt); - - /* - * For each protocol in server preference order, see if we support it. - */ -- for (i = 0; i < server_len;) { -- for (j = 0; j < client_len;) { -- if (server[i] == client[j] && -- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { -- /* We found a match */ -- result = &server[i]; -- status = OPENSSL_NPN_NEGOTIATED; -- goto found; -+ if (PACKET_buf_init(&spkt, server, server_len)) { -+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) { -+ if (PACKET_remaining(&ssubpkt) == 0) -+ continue; /* Invalid - ignore it */ -+ if (PACKET_buf_init(&cpkt, client, client_len)) { -+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) { -+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt), -+ PACKET_remaining(&ssubpkt))) { -+ /* We found a match */ -+ *out = (unsigned char *)PACKET_data(&ssubpkt); -+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt); -+ return OPENSSL_NPN_NEGOTIATED; -+ } -+ } -+ /* Ignore spurious trailing bytes in the client list */ -+ } else { -+ /* This should never happen */ -+ return OPENSSL_NPN_NO_OVERLAP; - } -- j += client[j]; -- j++; - } -- i += server[i]; -- i++; -+ /* Ignore spurious trailing bytes in the server list */ - } - -- /* There's no overlap between our protocols and the server's list. */ -- result = client; -- status = OPENSSL_NPN_NO_OVERLAP; -- -- found: -- *out = (unsigned char *)result + 1; -- *outlen = result[0]; -- return status; -+ /* -+ * There's no overlap between our protocols and the server's list. We use -+ * the default opportunistic protocol selected earlier -+ */ -+ return OPENSSL_NPN_NO_OVERLAP; - } - - #ifndef OPENSSL_NO_NEXTPROTONEG --- -2.41.0 - 
diff --git a/Backport-CVE-2024-6119-Avoid-type-errors-in-EAI-related-name-check-logic.patch b/Backport-CVE-2024-6119-Avoid-type-errors-in-EAI-related-name-check-logic.patch
deleted file mode 100644
index c0096093b73698e3f116bff6679cc33f6d29c715..0000000000000000000000000000000000000000
--- a/Backport-CVE-2024-6119-Avoid-type-errors-in-EAI-related-name-check-logic.patch
+++ /dev/null
@@ -1,269 +0,0 @@ -From 06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6 Mon Sep 17 00:00:00 2001 -From: Viktor Dukhovni -Date: Wed, 19 Jun 2024 21:04:11 +1000 -Subject: [PATCH] Avoid type errors in EAI-related name check logic. - -The incorrectly typed data is read only, used in a compare operation, so -neither remote code execution, nor memory content disclosure were possible. -However, applications performing certificate name checks were vulnerable to -denial of service. - -The GENERAL_TYPE data type is a union, and we must take care to access the -correct member, based on `gen->type`, not all the member fields have the same -structure, and a segfault is possible if the wrong member field is read. - -The code in question was lightly refactored with the intent to make it more -obviously correct. - -Fixes CVE-2024-6119 - -Reviewed-by: Richard Levitte -Reviewed-by: Tomas Mraz -(cherry picked from commit 0890cd13d40fbc98f655f3974f466769caa83680) ---- - crypto/x509/v3_utl.c | 78 +++++++++++++------ - test/recipes/25-test_eai_data.t | 12 ++- - test/recipes/25-test_eai_data/kdc-cert.pem | 21 +++++ - .../25-test_eai_data/kdc-root-cert.pem | 16 ++++ - test/recipes/25-test_eai_data/kdc.sh | 41 ++++++++++ - 5 files changed, 142 insertions(+), 26 deletions(-) - create mode 100644 test/recipes/25-test_eai_data/kdc-cert.pem - create mode 100644 test/recipes/25-test_eai_data/kdc-root-cert.pem - create mode 100644 test/recipes/25-test_eai_data/kdc.sh - -diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c -index 6e4ef26..304463d 100644 ---- a/crypto/x509/v3_utl.c -+++ b/crypto/x509/v3_utl.c -@@ -916,36 +916,64 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, - ASN1_STRING *cstr; - - gen = sk_GENERAL_NAME_value(gens, i); -- if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) { -- if (OBJ_obj2nid(gen->d.otherName->type_id) == -- NID_id_on_SmtpUTF8Mailbox) { -- san_present = 1; -- -- /* -- * If it is not a UTF8String then that is unexpected and we -- * 
treat it as no match -- */ -- if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) { -- cstr = gen->d.otherName->value->value.utf8string; -- -- /* Positive on success, negative on error! */ -- if ((rv = do_check_string(cstr, 0, equal, flags, -- chk, chklen, peername)) != 0) -- break; -- } -- } else -+ switch (gen->type) { -+ default: -+ continue; -+ case GEN_OTHERNAME: -+ switch (OBJ_obj2nid(gen->d.otherName->type_id)) { -+ default: - continue; -- } else { -- if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME)) -+ case NID_id_on_SmtpUTF8Mailbox: -+ /*- -+ * https://datatracker.ietf.org/doc/html/rfc8398#section-3 -+ * -+ * Due to name constraint compatibility reasons described -+ * in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT -+ * be used unless the local-part of the email address -+ * contains non-ASCII characters. When the local-part is -+ * ASCII, rfc822Name subjectAltName MUST be used instead -+ * of SmtpUTF8Mailbox. This is compatible with legacy -+ * software that supports only rfc822Name (and not -+ * SmtpUTF8Mailbox). [...] -+ * -+ * SmtpUTF8Mailbox is encoded as UTF8String. -+ * -+ * If it is not a UTF8String then that is unexpected, and -+ * we ignore the invalid SAN (neither set san_present nor -+ * consider it a candidate for equality). This does mean -+ * that the subject CN may be considered, as would be the -+ * case when the malformed SmtpUtf8Mailbox SAN is instead -+ * simply absent. -+ * -+ * When CN-ID matching is not desirable, applications can -+ * choose to turn it off, doing so is at this time a best -+ * practice. 
-+ */ -+ if (check_type != GEN_EMAIL -+ || gen->d.otherName->value->type != V_ASN1_UTF8STRING) -+ continue; -+ alt_type = 0; -+ cstr = gen->d.otherName->value->value.utf8string; -+ break; -+ } -+ break; -+ case GEN_EMAIL: -+ if (check_type != GEN_EMAIL) - continue; -- } -- san_present = 1; -- if (check_type == GEN_EMAIL) - cstr = gen->d.rfc822Name; -- else if (check_type == GEN_DNS) -+ break; -+ case GEN_DNS: -+ if (check_type != GEN_DNS) -+ continue; - cstr = gen->d.dNSName; -- else -+ break; -+ case GEN_IPADD: -+ if (check_type != GEN_IPADD) -+ continue; - cstr = gen->d.iPAddress; -+ break; -+ } -+ san_present = 1; - /* Positive on success, negative on error! */ - if ((rv = do_check_string(cstr, alt_type, equal, flags, - chk, chklen, peername)) != 0) -diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t -index 522982d..e18735d 100644 ---- a/test/recipes/25-test_eai_data.t -+++ b/test/recipes/25-test_eai_data.t -@@ -21,16 +21,18 @@ setup("test_eai_data"); - #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem - #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem - --plan tests => 12; -+plan tests => 16; - - require_ok(srctop_file('test','recipes','tconversion.pl')); - my $folder = "test/recipes/25-test_eai_data"; - - my $ascii_pem = srctop_file($folder, "ascii_leaf.pem"); - my $utf8_pem = srctop_file($folder, "utf8_leaf.pem"); -+my $kdc_pem = srctop_file($folder, "kdc-cert.pem"); - - my $ascii_chain_pem = srctop_file($folder, "ascii_chain.pem"); - my $utf8_chain_pem = srctop_file($folder, "utf8_chain.pem"); -+my $kdc_chain_pem = srctop_file($folder, "kdc-root-cert.pem"); - - my $out; - my $outcnt = 0; -@@ -56,10 +58,18 @@ SKIP: { - - ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", 
$ascii_chain_pem, $ascii_pem]))); - ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem]))); -+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem]))); - - ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem]))); - ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $ascii_pem]))); - -+# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated). -+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem, $kdc_pem]))); -+# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated). -+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'joe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem]))); -+# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String. 
-+ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'moe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem]))); -+ - #Check that we get the expected failure return code - with({ exit_checker => sub { return shift == 2; } }, - sub { -diff --git a/test/recipes/25-test_eai_data/kdc-cert.pem b/test/recipes/25-test_eai_data/kdc-cert.pem -new file mode 100644 -index 0000000..e8a2c6f ---- /dev/null -+++ b/test/recipes/25-test_eai_data/kdc-cert.pem -@@ -0,0 +1,21 @@ -+-----BEGIN CERTIFICATE----- -+MIIDbDCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290 -+MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAXMRUwEwYDVQQDDAxU -+RVNULkVYQU1QTEUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6wfP+ -+6go79dkpo/dGLMlPZ7Gw/Q6gUYrCWZWUEgEeRVHCrqOlgUEyA+PcWas/XDPUxXry -+BQlJHLvlqamAQn8gs4QPBARFYWKNiTVGyaRkgNA1N5gqyZdrP9UE+ZJmdqxRAAe8 -+vvpGZWSgevPhLUiSCFYDiD0Rtji2Hm3rGUrReQFBQDEw2pNGwz9zIaxUs08kQZcx -+Yzyiplz5Oau+R/6sAgUwDlrD9xOlUxx/tA/MSDIfkK8qioU11uUZtO5VjkNQy/bT -+7zQMmXxWgm2MIgOs1u4YN7YGOtgqHE9v9iPHHfgrkbQDtVDGQsa8AQEhkUDSCtW9 -+3VFAKx6dGNXYzFwfAgMBAAGjgcgwgcUwHQYDVR0OBBYEFFR5tZycW19DmtbL4Zqj -+te1c2vZLMAkGA1UdIwQCMAAwCQYDVR0TBAIwADCBjQYDVR0RBIGFMIGCoD8GBisG -+AQUCAqA1MDOgDhsMVEVTVC5FWEFNUExFoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxU -+RVNULkVYQU1QTEWgHQYIKwYBBQUHCAmgERYPbW9lQGV4YW1wbGUuY29tgQ9qb2VA -+ZXhhbXBsZS5jb22CD214MS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA -+T0xzVtVpRtaOzIhgzw7XQUdzWD5UEGSJJ1cBCOmKUWwDLTAouCYLFB4TbEE7MMUb -+iuMy60bjmVtvfJIXorGUgSadRe5RWJ5DamJWvPA0Q9x7blnEcXqEF+9Td+ypevgU -+UYHFmg83OYwxOsFXZ5cRuXMk3WCsDHQIBi6D1L6oDDZ2pfArs5mqm3thQKVlqyl1 -+El3XRYEdqAz/5eCOFNfwxF0ALxjxVr/Z50StUZU8I7Zfev6+kHhyrR7dqzYJImv9 -+0fTCOBEMjIETDsrA70OxAMu4V16nrWZdJdvzblS2qrt97Omkj+2kiPAJFB76RpwI -+oDQ9fKfUOAmUFth2/R/eGA== -+-----END CERTIFICATE----- -diff --git a/test/recipes/25-test_eai_data/kdc-root-cert.pem b/test/recipes/25-test_eai_data/kdc-root-cert.pem -new file mode 100644 -index 0000000..a74c96b ---- /dev/null -+++ 
b/test/recipes/25-test_eai_data/kdc-root-cert.pem -@@ -0,0 +1,16 @@ -+-----BEGIN CERTIFICATE----- -+MIICnDCCAYQCCQCBswYcrlZSHjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARS -+b290MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAPMQ0wCwYDVQQD -+DARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRj8S4kBbIUj -+61kZfi6nE35Q38U140+qt4uAiwAhKumfVHlBM0zQ98WFt5zMHIBQwIb3yjc2zj+0 -+qzUnQfwm1r/RfcMmBPEti9Ge+aEMSsds2gMXziOFM8wd2aAFPy7UVE0XpEWofsRK -+MGi61MKVdPSbGIxBwY9VW38/7D/wf1HtJe7y0xpuecR7GB2XAs+qST59NjuF+7wS -+dLM8Hb3TATgeYbXXWsRJgwz+SPzExg5WmLnU+7y4brZ32dHtdSmkRVSgSlaIf7Xj -+3Tc6Zi7I+W/JYk7hy1zUexVdWCak4PHcoWrXe0gNNN/t8VfLfMExt5z/HIylXnU7 -+pGUyqZlTGQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAHpLF1UCRy7b6Hk0rLokxI -+lgwiH9BU9mktigAGASvkbllpt+YbUbWnuYAvpHBGiP1qZtfX2r96UrSJaGO9BEzT -+Gp9ThnSjoj4Srul0+s/NArU22irFLmDzbalgevAmm9gMGkdqkiIm/mXbwrPj0ncl -+KGicevXryVpvaP62eZ8cc3C4p97frMmXxRX8sTdQpD/gRI7prdEILRSKveqT+AEW -+7rFGM5AOevb4U8ddop8A3D/kX0wcCAIBF6jCNk3uEJ57jVcagL04kPnVfdRiedTS -+vfq1DRNcD29d1H/9u0fHdSn1/+8Ep3X+afQ3C6//5NvOEaXcIGO4QSwkprQydfv8 -+-----END CERTIFICATE----- -diff --git a/test/recipes/25-test_eai_data/kdc.sh b/test/recipes/25-test_eai_data/kdc.sh -new file mode 100644 -index 0000000..7a8dbc7 ---- /dev/null -+++ b/test/recipes/25-test_eai_data/kdc.sh -@@ -0,0 +1,41 @@ -+#! /usr/bin/env bash -+ -+# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and -+# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS -+# name SAN. In the vulnerable EAI code, the KDC principal `otherName` should -+# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox` -+# should likewise lead to ASAN issues with email name checks. 
-+ -+rm -f root-key.pem root-cert.pem -+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \ -+ -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem -+ -+exts=$( -+ printf "%s\n%s\n%s\n%s = " \ -+ "subjectKeyIdentifier = hash" \ -+ "authorityKeyIdentifier = keyid" \ -+ "basicConstraints = CA:false" \ -+ "subjectAltName" -+ printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name" -+ printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com" -+ printf "%s, " "email:joe@example.com" -+ printf "%s\n" "DNS:mx1.example.com" -+ printf "[kdc_princ_name]\n" -+ printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n" -+ printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n" -+ printf "[kdc_principal_seq]\n" -+ printf "name_type = EXP:0, INTEGER:1\n" -+ printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n" -+ printf "[kdc_principal_components]\n" -+ printf "princ1 = GeneralString:krbtgt\n" -+ printf "princ2 = GeneralString:TEST.EXAMPLE\n" -+ ) -+ -+printf "%s\n" "$exts" -+ -+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \ -+ -subj "/CN=TEST.EXAMPLE" | -+ openssl x509 -req -out kdc-cert.pem \ -+ -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \ -+ -set_serial 2 -days 36524 \ -+ -extfile <(printf "%s\n" "$exts") --- -2.43.0 - diff --git a/Backport-Don-t-attempt-to-set-provider-params-on-an-ENGINE-ba.patch b/Backport-Don-t-attempt-to-set-provider-params-on-an-ENGINE-ba.patch deleted file mode 100644 index 0ea04a132e33071c83be076799b4120e9f9fbda4..0000000000000000000000000000000000000000 --- a/Backport-Don-t-attempt-to-set-provider-params-on-an-ENGINE-ba.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From 4f41e1b1d0cd545278017099b4ba062ab7a0f470 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Wed, 29 Nov 2023 11:45:12 +0000 -Subject: [PATCH] Don't attempt to set provider params on an ENGINE based - cipher - -If an ENGINE has been loaded after the SSL_CTX has been created then -the cipher we have cached might be provider based, but the cipher we -actually end up using might not be. Don't try to set provider params on -a cipher that is actually ENGINE based. - -Reviewed-by: Tomas Mraz -Reviewed-by: Todd Short -(Merged from https://github.com/openssl/openssl/pull/22865) - -(cherry picked from commit ed5f9ce63e98da2e7fddd55040c8e9e03f3af975) ---- - ssl/s3_enc.c | 6 +++++- - ssl/t1_enc.c | 7 ++++++- - 2 files changed, 11 insertions(+), 2 deletions(-) - -diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c -index 2ca3f74ae7..ee4f58e75e 100644 ---- a/ssl/s3_enc.c -+++ b/ssl/s3_enc.c -@@ -225,7 +225,11 @@ int ssl3_change_cipher_state(SSL *s, int which) - goto err; - } - -- if (EVP_CIPHER_get0_provider(c) != NULL -+ /* -+ * The cipher we actually ended up using in the EVP_CIPHER_CTX may be -+ * different to that in c if we have an ENGINE in use -+ */ -+ if (EVP_CIPHER_get0_provider(EVP_CIPHER_CTX_get0_cipher(dd)) != NULL - && !tls_provider_set_tls_params(s, dd, c, m)) { - /* SSLfatal already called */ - goto err; -diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c -index 91238e6457..6cb7baaf7c 100644 ---- a/ssl/t1_enc.c -+++ b/ssl/t1_enc.c -@@ -427,7 +427,12 @@ int tls1_change_cipher_state(SSL *s, int which) - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - goto err; - } -- if (EVP_CIPHER_get0_provider(c) != NULL -+ -+ /* -+ * The cipher we actually ended up using in the EVP_CIPHER_CTX may be -+ * different to that in c if we have an ENGINE in use -+ */ -+ if (EVP_CIPHER_get0_provider(EVP_CIPHER_CTX_get0_cipher(dd)) != NULL - && !tls_provider_set_tls_params(s, dd, c, m)) { - /* SSLfatal already called */ - goto err; --- -2.33.0 - 
diff --git a/Backport-Fix-SM4-CBC-regression-on-Armv8.patch b/Backport-Fix-SM4-CBC-regression-on-Armv8.patch
deleted file mode 100644
index 2176932d73ab2ce9682b53094cffd257cc30ddb4..0000000000000000000000000000000000000000
--- a/Backport-Fix-SM4-CBC-regression-on-Armv8.patch
+++ /dev/null
@@ -1,60 +0,0 @@ -From d7d5490d7201dcfb1f3811ad1bfc57ed9b2c0b77 Mon Sep 17 00:00:00 2001 -From: "fangming.fang" -Date: Thu, 8 Dec 2022 10:46:27 +0000 -Subject: [PATCH 09/13] Fix SM4-CBC regression on Armv8 - -Fixes #19858 - -During decryption, the last ciphertext is not fed to next block -correctly when the number of input blocks is exactly 4. Fix this -and add the corresponding test cases. - -Thanks xu-yi-zhou for reporting this issue and proposing the fix. - -Reviewed-by: Tomas Mraz -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/19872) ---- - crypto/sm4/asm/vpsm4-armv8.pl | 2 +- - test/recipes/30-test_evp_data/evpciph_sm4.txt | 12 ++++++++++++ - 2 files changed, 13 insertions(+), 1 deletion(-) - -diff --git a/crypto/sm4/asm/vpsm4-armv8.pl b/crypto/sm4/asm/vpsm4-armv8.pl -index 095d9dae64..c842ef61d5 100755 ---- a/crypto/sm4/asm/vpsm4-armv8.pl -+++ b/crypto/sm4/asm/vpsm4-armv8.pl -@@ -880,7 +880,7 @@ $code.=<<___; - subs $blocks,$blocks,#4 - b.gt .Lcbc_4_blocks_dec - // save back IV -- st1 {@vtmp[3].16b}, [$ivp] -+ st1 {@data[3].16b}, [$ivp] - b 100f - 1: // last block - subs $blocks,$blocks,#1 -diff --git a/test/recipes/30-test_evp_data/evpciph_sm4.txt b/test/recipes/30-test_evp_data/evpciph_sm4.txt -index 9fb16ca15c..e9a98c9898 100644 ---- a/test/recipes/30-test_evp_data/evpciph_sm4.txt -+++ b/test/recipes/30-test_evp_data/evpciph_sm4.txt -@@ -19,6 +19,18 @@ IV = 0123456789ABCDEFFEDCBA9876543210 - Plaintext = 0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210 - Ciphertext = 2677F46B09C122CC975533105BD4A22AF6125F7275CE552C3A2BBCF533DE8A3B - -+Cipher = SM4-CBC -+Key = 0123456789ABCDEFFEDCBA9876543210 -+IV = 0123456789ABCDEFFEDCBA9876543210 -+Plaintext = 0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210 -+Ciphertext = 
2677F46B09C122CC975533105BD4A22AF6125F7275CE552C3A2BBCF533DE8A3BFFF5A4F208092C0901BA02D5772977369915E3FA2356C9F4EB6460ECC457E7f8E3CFA3DEEBFE9883E3A48BCF7C4A11AA3EC9E0D317C5D319BE72A5CDDDEC640C -+ -+Cipher = SM4-CBC -+Key = 0123456789ABCDEFFEDCBA9876543210 -+IV = 0123456789ABCDEFFEDCBA9876543210 -+Plaintext = 0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210 -+Ciphertext = 2677f46b09c122cc975533105bd4a22af6125f7275ce552c3a2bbcf533de8a3bfff5a4f208092c0901ba02d5772977369915e3fa2356c9f4eb6460ecc457e7f8e3cfa3deebfe9883e3a48bcf7c4a11aa3ec9e0d317c5d319be72a5cdddec640c6fc70bfa3ddaafffdd7c09b2774dcb2cec29f0c6f0b6773e985b3e395e924238505a8f120d9ca84de5c3cf7e45f097b14b3a46c5b1068669982a5c1f5f61be291b984f331d44ffb2758f771672448fc957fa1416c446427a41e25d5524a2418b9d96b2f17582f0f1aa9c204c6807f54f7b6833c5f00856659ddabc245936868c -+ - Cipher = SM4-OFB - Key = 0123456789ABCDEFFEDCBA9876543210 - IV = 0123456789ABCDEFFEDCBA9876543210 --- -2.37.3.windows.1 - diff --git a/Backport-Fix-SM4-XTS-aarch64-assembly-implementation-bug.patch b/Backport-Fix-SM4-XTS-aarch64-assembly-implementation-bug.patch deleted file mode 100644 index e0ecafdc3ecc45b4d0e780831f863b73d94cd671..0000000000000000000000000000000000000000 --- a/Backport-Fix-SM4-XTS-aarch64-assembly-implementation-bug.patch +++ /dev/null 
@@ -1,129 +0,0 @@ -From de6d5b002f8deffe39d3596e88e380eed1a3d6a4 Mon Sep 17 00:00:00 2001 -From: Xu Yizhou -Date: Thu, 18 Jan 2024 17:35:11 +0800 -Subject: [PATCH] Fix SM4-XTS aarch64 assembly implementation bug - -When macro VPSM4_CAPABLE or VPSM4_EX_CAPABLE is enabled, -the GB variant of the SM4-XTS algorithm will encounter errors when -encrypting or decrypting messages with a length greater than 16 -bytes but less than 32 bytes. - -The OpenSSL has similar issue, the corresponding -solutions can be found in this [PR] -(https://github.com/openssl/openssl/pull/23317). - -Signed-off-by: Xu Yizhou ---- - crypto/sm4/asm/vpsm4-armv8.pl | 12 ++++++------ - crypto/sm4/asm/vpsm4_ex-armv8.pl | 12 ++++++------ - 2 files changed, 12 insertions(+), 12 deletions(-) - -diff --git a/crypto/sm4/asm/vpsm4-armv8.pl b/crypto/sm4/asm/vpsm4-armv8.pl -index d30e78f..2bacf9c 100755 ---- a/crypto/sm4/asm/vpsm4-armv8.pl -+++ b/crypto/sm4/asm/vpsm4-armv8.pl -@@ -1477,7 +1477,7 @@ $code.=<<___; - cmp $remain,0 - b.eq .return${std} - --// This brance calculates the last two tweaks, -+// This brance calculates the last two tweaks, - // while the encryption/decryption length is larger than 32 - .last_2blks_tweak${std}: - ld1 {@tweak[0].4s},[$ivp] -@@ -1489,13 +1489,13 @@ $code.=<<___; - b .check_dec${std} - - --// This brance calculates the last two tweaks, -+// This brance calculates the last two tweaks, - // while the encryption/decryption length is equal to 32, who only need two tweaks - .only_2blks_tweak${std}: - mov @tweak[1].16b,@tweak[0].16b - ___ - &rev32_armeb(@tweak[1],@tweak[1]); -- &compute_tweak_vec(@tweak[1],@tweak[2]); -+ &compute_tweak_vec(@tweak[1],@tweak[2],$std); - $code.=<<___; - b .check_dec${std} - -@@ -1505,12 +1505,12 @@ $code.=<<___; - .check_dec${std}: - // encryption:1 decryption:0 - cmp $enc,1 -- b.eq .prcess_last_2blks${std} -+ b.eq .process_last_2blks${std} - mov @vtmp[0].16B,@tweak[1].16b - mov @tweak[1].16B,@tweak[2].16b - mov @tweak[2].16B,@vtmp[0].16b - 
--.prcess_last_2blks${std}: -+.process_last_2blks${std}: - ___ - &rev32_armeb(@tweak[1],@tweak[1]); - &rev32_armeb(@tweak[2],@tweak[2]); -@@ -1532,7 +1532,7 @@ $code.=<<___; - strb $wtmp1,[$lastBlk,$remain] - strb $wtmp0,[$outp,$remain] - b.gt .loop${std} -- ld1 {@data[0].4s}, [$lastBlk] -+ ld1 {@data[0].4s}, [$lastBlk] - eor @data[0].16b, @data[0].16b, @tweak[2].16b - ___ - &rev32(@data[0],@data[0]); -diff --git a/crypto/sm4/asm/vpsm4_ex-armv8.pl b/crypto/sm4/asm/vpsm4_ex-armv8.pl -index f2d5b6d..727e0f2 100644 ---- a/crypto/sm4/asm/vpsm4_ex-armv8.pl -+++ b/crypto/sm4/asm/vpsm4_ex-armv8.pl -@@ -1452,7 +1452,7 @@ $code.=<<___; - cmp $remain,0 - b.eq .return${std} - --// This brance calculates the last two tweaks, -+// This brance calculates the last two tweaks, - // while the encryption/decryption length is larger than 32 - .last_2blks_tweak${std}: - ___ -@@ -1463,13 +1463,13 @@ $code.=<<___; - b .check_dec${std} - - --// This brance calculates the last two tweaks, -+// This brance calculates the last two tweaks, - // while the encryption/decryption length is equal to 32, who only need two tweaks - .only_2blks_tweak${std}: - mov @tweak[1].16b,@tweak[0].16b - ___ - &rev32_armeb(@tweak[1],@tweak[1]); -- &compute_tweak_vec(@tweak[1],@tweak[2]); -+ &compute_tweak_vec(@tweak[1],@tweak[2],$std); - $code.=<<___; - b .check_dec${std} - -@@ -1479,12 +1479,12 @@ $code.=<<___; - .check_dec${std}: - // encryption:1 decryption:0 - cmp $enc,1 -- b.eq .prcess_last_2blks${std} -+ b.eq .process_last_2blks${std} - mov @vtmp[0].16B,@tweak[1].16b - mov @tweak[1].16B,@tweak[2].16b - mov @tweak[2].16B,@vtmp[0].16b - --.prcess_last_2blks${std}: -+.process_last_2blks${std}: - ___ - &rev32_armeb(@tweak[1],@tweak[1]); - &rev32_armeb(@tweak[2],@tweak[2]); -@@ -1506,7 +1506,7 @@ $code.=<<___; - strb $wtmp1,[$lastBlk,$remain] - strb $wtmp0,[$outp,$remain] - b.gt .loop${std} -- ld1 {@data[0].4s}, [$lastBlk] -+ ld1 {@data[0].4s}, [$lastBlk] - eor @data[0].16b, @data[0].16b, @tweak[2].16b - ___ - 
&rev32(@data[0],@data[0]); --- -2.27.0 - diff --git a/Backport-Fix-SM4-XTS-build-failure-on-Mac-mini-M1.patch b/Backport-Fix-SM4-XTS-build-failure-on-Mac-mini-M1.patch deleted file mode 100644 index 5bfd186e8736f99e895a609b54b48ff4402edcce..0000000000000000000000000000000000000000 --- a/Backport-Fix-SM4-XTS-build-failure-on-Mac-mini-M1.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From 6df7707fb22e8bd1c7d778a2041c1403f9852060 Mon Sep 17 00:00:00 2001 -From: Xu Yizhou -Date: Fri, 3 Feb 2023 15:59:59 +0800 -Subject: [PATCH 13/13] Fix SM4-XTS build failure on Mac mini M1 - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz -Reviewed-by: Richard Levitte -(Merged from https://github.com/openssl/openssl/pull/20202) ---- - crypto/sm4/asm/vpsm4-armv8.pl | 4 +++- - crypto/sm4/asm/vpsm4_ex-armv8.pl | 23 ++++++++++++++++------- - 2 files changed, 19 insertions(+), 8 deletions(-) - -diff --git a/crypto/sm4/asm/vpsm4-armv8.pl b/crypto/sm4/asm/vpsm4-armv8.pl -index e19de30901..d30e78f3ce 100755 ---- a/crypto/sm4/asm/vpsm4-armv8.pl -+++ b/crypto/sm4/asm/vpsm4-armv8.pl -@@ -524,7 +524,7 @@ sub compute_tweak_vec() { - my $std = shift; - &rbit(@vtmp[2],$src,$std); - $code.=<<___; -- ldr @qtmp[0], =0x01010101010101010101010101010187 -+ ldr @qtmp[0], .Lxts_magic - shl $des.16b, @vtmp[2].16b, #1 - ext @vtmp[1].16b, @vtmp[2].16b, @vtmp[2].16b,#15 - ushr @vtmp[1].16b, @vtmp[1].16b, #7 -@@ -572,6 +572,8 @@ _vpsm4_consts: - .dword 0x56aa3350a3b1bac6,0xb27022dc677d9197 - .Lshuffles: - .dword 0x0B0A090807060504,0x030201000F0E0D0C -+.Lxts_magic: -+ .dword 0x0101010101010187,0x0101010101010101 - - .size _vpsm4_consts,.-_vpsm4_consts - ___ -diff --git a/crypto/sm4/asm/vpsm4_ex-armv8.pl b/crypto/sm4/asm/vpsm4_ex-armv8.pl -index 3d094aa535..f2d5b6debf 100644 ---- a/crypto/sm4/asm/vpsm4_ex-armv8.pl -+++ b/crypto/sm4/asm/vpsm4_ex-armv8.pl -@@ -475,12 +475,12 @@ sub load_sbox () { - my $data = shift; - - $code.=<<___; -- ldr $MaskQ, =0x0306090c0f0205080b0e0104070a0d00 -- ldr $TAHMatQ, =0x22581a6002783a4062185a2042387a00 -- ldr $TALMatQ, =0xc10bb67c4a803df715df62a89e54e923 -- ldr $ATAHMatQ, =0x1407c6d56c7fbeadb9aa6b78c1d21300 -- ldr $ATALMatQ, =0xe383c1a1fe9edcbc6404462679195b3b -- ldr $ANDMaskQ, =0x0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f -+ ldr $MaskQ, .Lsbox_magic -+ ldr $TAHMatQ, .Lsbox_magic+16 -+ ldr $TALMatQ, .Lsbox_magic+32 -+ ldr $ATAHMatQ, .Lsbox_magic+48 -+ 
ldr $ATALMatQ, .Lsbox_magic+64 -+ ldr $ANDMaskQ, .Lsbox_magic+80 - ___ - } - -@@ -525,7 +525,7 @@ sub compute_tweak_vec() { - my $std = shift; - &rbit(@vtmp[2],$src,$std); - $code.=<<___; -- ldr @qtmp[0], =0x01010101010101010101010101010187 -+ ldr @qtmp[0], .Lxts_magic - shl $des.16b, @vtmp[2].16b, #1 - ext @vtmp[1].16b, @vtmp[2].16b, @vtmp[2].16b,#15 - ushr @vtmp[1].16b, @vtmp[1].16b, #7 -@@ -556,6 +556,15 @@ _${prefix}_consts: - .dword 0x56aa3350a3b1bac6,0xb27022dc677d9197 - .Lshuffles: - .dword 0x0B0A090807060504,0x030201000F0E0D0C -+.Lxts_magic: -+ .dword 0x0101010101010187,0x0101010101010101 -+.Lsbox_magic: -+ .dword 0x0b0e0104070a0d00,0x0306090c0f020508 -+ .dword 0x62185a2042387a00,0x22581a6002783a40 -+ .dword 0x15df62a89e54e923,0xc10bb67c4a803df7 -+ .dword 0xb9aa6b78c1d21300,0x1407c6d56c7fbead -+ .dword 0x6404462679195b3b,0xe383c1a1fe9edcbc -+ .dword 0x0f0f0f0f0f0f0f0f,0x0f0f0f0f0f0f0f0f - - .size _${prefix}_consts,.-_${prefix}_consts - ___ --- -2.37.3.windows.1 - diff --git a/Backport-Fix-SM4-test-failures-on-big-endian-ARM-processors.patch b/Backport-Fix-SM4-test-failures-on-big-endian-ARM-processors.patch deleted file mode 100644 index 485fd654cbdc4d594fabf17d1fdb54f4e9af2b69..0000000000000000000000000000000000000000 --- a/Backport-Fix-SM4-test-failures-on-big-endian-ARM-processors.patch +++ /dev/null 
@@ -1,207 +0,0 @@ -From b8f24cb95dbe70cbeef08b41f35018141b6ce994 Mon Sep 17 00:00:00 2001 -From: Xu Yizhou -Date: Thu, 15 Dec 2022 10:21:07 +0800 -Subject: [PATCH 10/13] Fix SM4 test failures on big-endian ARM processors - -Signed-off-by: Xu Yizhou - -Reviewed-by: Paul Yang -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/19910) ---- - crypto/sm4/asm/vpsm4-armv8.pl | 52 +++++++++++++++++------------------ - 1 file changed, 26 insertions(+), 26 deletions(-) - -diff --git a/crypto/sm4/asm/vpsm4-armv8.pl b/crypto/sm4/asm/vpsm4-armv8.pl -index c842ef61d5..73797af582 100755 ---- a/crypto/sm4/asm/vpsm4-armv8.pl -+++ b/crypto/sm4/asm/vpsm4-armv8.pl -@@ -45,7 +45,7 @@ sub rev32() { - - if ($src and ("$src" ne "$dst")) { - $code.=<<___; --#ifndef __ARMEB__ -+#ifndef __AARCH64EB__ - rev32 $dst.16b,$src.16b - #else - mov $dst.16b,$src.16b -@@ -53,7 +53,7 @@ $code.=<<___; - ___ - } else { - $code.=<<___; --#ifndef __ARMEB__ -+#ifndef __AARCH64EB__ - rev32 $dst.16b,$dst.16b - #endif - ___ -@@ -428,10 +428,10 @@ sub load_sbox () { - - $code.=<<___; - adr $ptr,.Lsbox -- ld1 {@sbox[0].4s,@sbox[1].4s,@sbox[2].4s,@sbox[3].4s},[$ptr],#64 -- ld1 {@sbox[4].4s,@sbox[5].4s,@sbox[6].4s,@sbox[7].4s},[$ptr],#64 -- ld1 {@sbox[8].4s,@sbox[9].4s,@sbox[10].4s,@sbox[11].4s},[$ptr],#64 -- ld1 {@sbox[12].4s,@sbox[13].4s,@sbox[14].4s,@sbox[15].4s},[$ptr] -+ ld1 {@sbox[0].16b,@sbox[1].16b,@sbox[2].16b,@sbox[3].16b},[$ptr],#64 -+ ld1 {@sbox[4].16b,@sbox[5].16b,@sbox[6].16b,@sbox[7].16b},[$ptr],#64 -+ ld1 {@sbox[8].16b,@sbox[9].16b,@sbox[10].16b,@sbox[11].16b},[$ptr],#64 -+ ld1 {@sbox[12].16b,@sbox[13].16b,@sbox[14].16b,@sbox[15].16b},[$ptr] - ___ - } - -@@ -492,9 +492,9 @@ ___ - &rev32($vkey,$vkey); - $code.=<<___; - adr $pointer,.Lshuffles -- ld1 {$vmap.4s},[$pointer] -+ ld1 {$vmap.2d},[$pointer] - adr $pointer,.Lfk -- ld1 {$vfk.4s},[$pointer] -+ ld1 {$vfk.2d},[$pointer] - eor $vkey.16b,$vkey.16b,$vfk.16b - mov $schedules,#32 - adr $pointer,.Lck -@@ -615,7 +615,7 @@ 
$code.=<<___; - .align 5 - ${prefix}_${dir}crypt: - AARCH64_VALID_CALL_TARGET -- ld1 {@data[0].16b},[$inp] -+ ld1 {@data[0].4s},[$inp] - ___ - &load_sbox(); - &rev32(@data[0],@data[0]); -@@ -624,7 +624,7 @@ $code.=<<___; - ___ - &encrypt_1blk(@data[0]); - $code.=<<___; -- st1 {@data[0].16b},[$outp] -+ st1 {@data[0].4s},[$outp] - ret - .size ${prefix}_${dir}crypt,.-${prefix}_${dir}crypt - ___ -@@ -692,12 +692,12 @@ $code.=<<___; - cmp $blocks,#1 - b.lt 100f - b.gt 1f -- ld1 {@data[0].16b},[$inp] -+ ld1 {@data[0].4s},[$inp] - ___ - &rev32(@data[0],@data[0]); - &encrypt_1blk(@data[0]); - $code.=<<___; -- st1 {@data[0].16b},[$outp] -+ st1 {@data[0].4s},[$outp] - b 100f - 1: // process last 2 blocks - ld4 {@data[0].s,@data[1].s,@data[2].s,@data[3].s}[0],[$inp],#16 -@@ -798,11 +798,11 @@ ___ - &rev32($ivec0,$ivec0); - &encrypt_1blk($ivec0); - $code.=<<___; -- st1 {$ivec0.16b},[$outp],#16 -+ st1 {$ivec0.4s},[$outp],#16 - b 1b - 2: - // save back IV -- st1 {$ivec0.16b},[$ivp] -+ st1 {$ivec0.4s},[$ivp] - ret - - .Ldec: -@@ -834,7 +834,7 @@ ___ - &transpose(@vtmp,@datax); - &transpose(@data,@datax); - $code.=<<___; -- ld1 {$ivec1.16b},[$ivp] -+ ld1 {$ivec1.4s},[$ivp] - ld1 {@datax[0].4s,@datax[1].4s,@datax[2].4s,@datax[3].4s},[$inp],#64 - // note ivec1 and vtmpx[3] are resuing the same register - // care needs to be taken to avoid conflict -@@ -844,7 +844,7 @@ $code.=<<___; - eor @vtmp[2].16b,@vtmp[2].16b,@datax[1].16b - eor @vtmp[3].16b,$vtmp[3].16b,@datax[2].16b - // save back IV -- st1 {$vtmpx[3].16b}, [$ivp] -+ st1 {$vtmpx[3].4s}, [$ivp] - eor @data[0].16b,@data[0].16b,$datax[3].16b - eor @data[1].16b,@data[1].16b,@vtmpx[0].16b - eor @data[2].16b,@data[2].16b,@vtmpx[1].16b -@@ -855,7 +855,7 @@ $code.=<<___; - b.gt .Lcbc_8_blocks_dec - b.eq 100f - 1: -- ld1 {$ivec1.16b},[$ivp] -+ ld1 {$ivec1.4s},[$ivp] - .Lcbc_4_blocks_dec: - cmp $blocks,#4 - b.lt 1f -@@ -880,7 +880,7 @@ $code.=<<___; - subs $blocks,$blocks,#4 - b.gt .Lcbc_4_blocks_dec - // save back IV -- st1 
{@data[3].16b}, [$ivp] -+ st1 {@data[3].4s}, [$ivp] - b 100f - 1: // last block - subs $blocks,$blocks,#1 -@@ -888,13 +888,13 @@ $code.=<<___; - b.gt 1f - ld1 {@data[0].4s},[$inp],#16 - // save back IV -- st1 {$data[0].16b}, [$ivp] -+ st1 {$data[0].4s}, [$ivp] - ___ - &rev32(@datax[0],@data[0]); - &encrypt_1blk(@datax[0]); - $code.=<<___; - eor @datax[0].16b,@datax[0].16b,$ivec1.16b -- st1 {@datax[0].16b},[$outp],#16 -+ st1 {@datax[0].4s},[$outp],#16 - b 100f - 1: // last two blocks - ld4 {@data[0].s,@data[1].s,@data[2].s,@data[3].s}[0],[$inp] -@@ -917,7 +917,7 @@ $code.=<<___; - eor @vtmp[1].16b,@vtmp[1].16b,@data[0].16b - st1 {@vtmp[0].4s,@vtmp[1].4s},[$outp],#32 - // save back IV -- st1 {@data[1].16b}, [$ivp] -+ st1 {@data[1].4s}, [$ivp] - b 100f - 1: // last 3 blocks - ld4 {@data[0].s,@data[1].s,@data[2].s,@data[3].s}[2],[$ptr] -@@ -937,7 +937,7 @@ $code.=<<___; - eor @vtmp[2].16b,@vtmp[2].16b,@data[1].16b - st1 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s},[$outp],#48 - // save back IV -- st1 {@data[2].16b}, [$ivp] -+ st1 {@data[2].4s}, [$ivp] - 100: - ldp d10,d11,[sp,#16] - ldp d12,d13,[sp,#32] -@@ -973,9 +973,9 @@ $code.=<<___; - ___ - &encrypt_1blk($ivec); - $code.=<<___; -- ld1 {@data[0].16b},[$inp] -+ ld1 {@data[0].4s},[$inp] - eor @data[0].16b,@data[0].16b,$ivec.16b -- st1 {@data[0].16b},[$outp] -+ st1 {@data[0].4s},[$outp] - ret - 1: - AARCH64_SIGN_LINK_REGISTER -@@ -1053,9 +1053,9 @@ $code.=<<___; - ___ - &encrypt_1blk($ivec); - $code.=<<___; -- ld1 {@data[0].16b},[$inp] -+ ld1 {@data[0].4s},[$inp] - eor @data[0].16b,@data[0].16b,$ivec.16b -- st1 {@data[0].16b},[$outp] -+ st1 {@data[0].4s},[$outp] - b 100f - 1: // last 2 blocks processing - dup @data[0].4s,$word0 --- -2.37.3.windows.1 - diff --git a/Backport-Fix-sm3ss1-translation-issue-in-sm3-armv8.pl.patch b/Backport-Fix-sm3ss1-translation-issue-in-sm3-armv8.pl.patch deleted file mode 100644 index 3ecb59c0e2d0c760fec290fc436c1b181c106cd2..0000000000000000000000000000000000000000 
--- a/Backport-Fix-sm3ss1-translation-issue-in-sm3-armv8.pl.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 8746fff8f096fa35c7157199917100aa7b547d7a Mon Sep 17 00:00:00 2001 -From: "fangming.fang" -Date: Tue, 18 Jan 2022 02:58:08 +0000 -Subject: [PATCH 03/13] Fix sm3ss1 translation issue in sm3-armv8.pl - -Reviewed-by: Tomas Mraz -Reviewed-by: Matt Caswell -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/17542) ---- - crypto/sm3/asm/sm3-armv8.pl | 15 +++++++-------- - 1 file changed, 7 insertions(+), 8 deletions(-) - -diff --git a/crypto/sm3/asm/sm3-armv8.pl b/crypto/sm3/asm/sm3-armv8.pl -index bb71b2eade..f0555fd3f2 100644 ---- a/crypto/sm3/asm/sm3-armv8.pl -+++ b/crypto/sm3/asm/sm3-armv8.pl -@@ -109,7 +109,7 @@ ___ - - $code=<<___; - #include "arm_arch.h" --.arch armv8.2-a+sm4 -+.arch armv8.2-a - .text - ___ - -@@ -222,8 +222,8 @@ my %sm3partopcode = ( - "sm3partw1" => 0xce60C000, - "sm3partw2" => 0xce60C400); - --my %sm3sslopcode = ( -- "sm3ssl" => 0xce400000); -+my %sm3ss1opcode = ( -+ "sm3ss1" => 0xce400000); - - my %sm3ttopcode = ( - "sm3tt1a" => 0xce408000, -@@ -241,14 +241,13 @@ sub unsm3part { - $mnemonic,$arg; - } - --sub unsm3ssl { -+sub unsm3ss1 { - my ($mnemonic,$arg)=@_; - -- $arg=~ m/[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*, -- \s*[qv](\d+)/o -+ $arg=~ m/[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)/o - && - sprintf ".inst\t0x%08x\t//%s %s", -- $sm3sslopcode{$mnemonic}|$1|($2<<5)|($3<<16)|($4<<10), -+ $sm3ss1opcode{$mnemonic}|$1|($2<<5)|($3<<16)|($4<<10), - $mnemonic,$arg; - } - -@@ -274,7 +273,7 @@ foreach(split("\n",$code)) { - s/\`([^\`]*)\`/eval($1)/ge; - - s/\b(sm3partw[1-2])\s+([qv].*)/unsm3part($1,$2)/ge; -- s/\b(sm3ssl)\s+([qv].*)/unsm3ssl($1,$2)/ge; -+ s/\b(sm3ss1)\s+([qv].*)/unsm3ss1($1,$2)/ge; - s/\b(sm3tt[1-2][a-b])\s+([qv].*)/unsm3tt($1,$2)/ge; - print $_,"\n"; - } --- -2.37.3.windows.1 - 
diff --git a/Backport-Further-acceleration-for-SM4-GCM-on-ARM.patch b/Backport-Further-acceleration-for-SM4-GCM-on-ARM.patch
deleted file mode 100644
index 11129d99e4b6fcfae8381981e01cd6d735e31703..0000000000000000000000000000000000000000
--- a/Backport-Further-acceleration-for-SM4-GCM-on-ARM.patch
+++ /dev/null
@@ -1,73 +0,0 @@ -From 98da8a58f964e279decc1bbbe8f07d807de05f7f Mon Sep 17 00:00:00 2001 -From: Daniel Hu -Date: Wed, 2 Mar 2022 12:55:39 +0000 -Subject: [PATCH 06/13] Further acceleration for SM4-GCM on ARM - -This patch will allow the SM4-GCM function to leverage the SM4 -high-performance CTR crypto interface already implemented for ARM, -which is faster than current single block cipher routine used -for GCM - -It does not address the acceleration of GHASH function of GCM, -which can be a future task, still we can see immediate uplift of -performance (up to 4X) - -Before this patch: -type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes -SM4-GCM 186432.92k 394234.05k 587916.46k 639365.12k 648486.91k 652924.25k - -After the patch: -SM4-GCM 193924.87k 860940.35k 1696083.71k 2302548.31k 2580411.73k 2607398.91k - -Signed-off-by: Daniel Hu - -Reviewed-by: Tomas Mraz -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/17814) ---- - .../ciphers/cipher_sm4_gcm_hw.c | 25 ++++++++++++++++++- - 1 file changed, 24 insertions(+), 1 deletion(-) - -diff --git a/providers/implementations/ciphers/cipher_sm4_gcm_hw.c b/providers/implementations/ciphers/cipher_sm4_gcm_hw.c -index c0c9b22bd3..b9633f83ed 100644 ---- a/providers/implementations/ciphers/cipher_sm4_gcm_hw.c -+++ b/providers/implementations/ciphers/cipher_sm4_gcm_hw.c -@@ -42,11 +42,34 @@ static int sm4_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key, - return 1; - } - -+static int hw_gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in, -+ size_t len, unsigned char *out) -+{ -+ if (ctx->enc) { -+ if (ctx->ctr != NULL) { -+ if (CRYPTO_gcm128_encrypt_ctr32(&ctx->gcm, in, out, len, ctx->ctr)) -+ return 0; -+ } else { -+ if (CRYPTO_gcm128_encrypt(&ctx->gcm, in, out, len)) -+ return 0; -+ } -+ } else { -+ if (ctx->ctr != NULL) { -+ if (CRYPTO_gcm128_decrypt_ctr32(&ctx->gcm, in, out, len, ctx->ctr)) -+ return 0; -+ } else { -+ if (CRYPTO_gcm128_decrypt(&ctx->gcm, in, out, 
len)) -+ return 0; -+ } -+ } -+ return 1; -+} -+ - static const PROV_GCM_HW sm4_gcm = { - sm4_gcm_initkey, - ossl_gcm_setiv, - ossl_gcm_aad_update, -- ossl_gcm_cipher_update, -+ hw_gcm_cipher_update, - ossl_gcm_cipher_final, - ossl_gcm_one_shot - }; --- -2.37.3.windows.1 - diff --git a/Backport-Limit-the-execution-time-of-RSA-public-key-check.patch b/Backport-Limit-the-execution-time-of-RSA-public-key-check.patch deleted file mode 100644 index 904aed5579e7d07f62d8ef391283dc3233595e73..0000000000000000000000000000000000000000 --- a/Backport-Limit-the-execution-time-of-RSA-public-key-check.patch +++ /dev/null 
@@ -1,125 +0,0 @@ -From 18c02492138d1eb8b6548cb26e7b625fb2414a2a Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Fri, 22 Dec 2023 16:25:56 +0100 -Subject: [PATCH] Limit the execution time of RSA public key check - -Fixes CVE-2023-6237 - -If a large and incorrect RSA public key is checked with -EVP_PKEY_public_check() the computation could take very long time -due to no limit being applied to the RSA public key size and -unnecessarily high number of Miller-Rabin algorithm rounds -used for non-primality check of the modulus. - -Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS) -will fail the check with RSA_R_MODULUS_TOO_LARGE error reason. -Also the number of Miller-Rabin rounds was set to 5. - -Reviewed-by: Neil Horman -Reviewed-by: Matt Caswell -(Merged from https://github.com/openssl/openssl/pull/23243) - -(cherry picked from commit e09fc1d746a4fd15bb5c3d7bbbab950aadd005db) ---- - crypto/rsa/rsa_sp800_56b_check.c | 8 +++- - test/recipes/91-test_pkey_check.t | 2 +- - .../91-test_pkey_check_data/rsapub_17k.pem | 48 +++++++++++++++++++ - 3 files changed, 56 insertions(+), 2 deletions(-) - create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem - -diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c -index fc8f19b487..bcbdd24fb8 100644 ---- a/crypto/rsa/rsa_sp800_56b_check.c -+++ b/crypto/rsa/rsa_sp800_56b_check.c -@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) - return 0; - - nbits = BN_num_bits(rsa->n); -+ if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE); -+ return 0; -+ } -+ - #ifdef FIPS_MODULE - /* - * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1) -@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) - goto err; - } - -- ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status); -+ /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */ -+ ret = 
ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status); - #ifdef FIPS_MODULE - if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) { - #else -diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t -index dc7cc64533..f8088df14d 100644 ---- a/test/recipes/91-test_pkey_check.t -+++ b/test/recipes/91-test_pkey_check.t -@@ -70,7 +70,7 @@ push(@positive_tests, ( - "dhpkey.pem" - )) unless disabled("dh"); - --my @negative_pubtests = (); -+my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key - - push(@negative_pubtests, ( - "dsapub_noparam.der" -diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem -new file mode 100644 -index 0000000000..9a2eaedaf1 ---- /dev/null -+++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem -@@ -0,0 +1,48 @@ -+-----BEGIN PUBLIC KEY----- -+MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR -+B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph -+gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2 -+GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/ -+XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj -+b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2 -+gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq -+TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1 -+vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0 -+V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j -+/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH -+SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa -+PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y -+Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu -+C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J -+xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo 
-+F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id -+aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB -+nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi -+R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7 -+kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN -+mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux -+AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O -+f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi -+ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH -+UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx -+wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP -+fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4 -+y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS -+Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL -+HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ -+eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ -+EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz -+chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq -+4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW -+gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC -+A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK -+FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys -+26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC -+xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J -+pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+ -+k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa -+2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q -+Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb -+77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID -+AQAB -+-----END PUBLIC KEY----- --- -2.36.1 - 
diff --git a/Backport-Make-DH_check_pub_key-and-DH_generate_key-safer-yet.patch b/Backport-Make-DH_check_pub_key-and-DH_generate_key-safer-yet.patch
deleted file mode 100644
index b06abc727f1810e8a9fbcb1854f425ab86cdb589..0000000000000000000000000000000000000000
--- a/Backport-Make-DH_check_pub_key-and-DH_generate_key-safer-yet.patch
+++ /dev/null
@@ -1,177 +0,0 @@ -From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001 -From: Richard Levitte -Date: Fri, 20 Oct 2023 09:18:19 +0200 -Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet - -We already check for an excessively large P in DH_generate_key(), but not in -DH_check_pub_key(), and none of them check for an excessively large Q. - -This change adds all the missing excessive size checks of P and Q. - -It's to be noted that behaviours surrounding excessively sized P and Q -differ. DH_check() raises an error on the excessively sized P, but only -sets a flag for the excessively sized Q. This behaviour is mimicked in -DH_check_pub_key(). - -Reviewed-by: Tomas Mraz -Reviewed-by: Matt Caswell -Reviewed-by: Hugo Landau -(Merged from https://github.com/openssl/openssl/pull/22518) - -(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6) ---- - crypto/dh/dh_check.c | 12 ++++++++++++ - crypto/dh/dh_err.c | 3 ++- - crypto/dh/dh_key.c | 12 ++++++++++++ - crypto/err/openssl.txt | 1 + - include/crypto/dherr.h | 2 +- - include/openssl/dh.h | 6 +++--- - include/openssl/dherr.h | 3 ++- - 7 files changed, 33 insertions(+), 6 deletions(-) - -diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c -index 7ba2beae7f..e20eb62081 100644 ---- a/crypto/dh/dh_check.c -+++ b/crypto/dh/dh_check.c -@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key) - */ - int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) - { -+ /* Don't do any checks at all with an excessively large modulus */ -+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); -+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID; -+ return 0; -+ } -+ -+ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) { -+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID; -+ return 1; -+ } -+ - return ossl_ffc_validate_public_key(&dh->params, 
pub_key, ret); - } - -diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c -index 4152397426..f76ac0dd14 100644 ---- a/crypto/dh/dh_err.c -+++ b/crypto/dh/dh_err.c -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = { - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), - "parameter encoding error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, -+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR), - "unable to check generator"}, -diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index d84ea99241..afc49f5cdc 100644 ---- a/crypto/dh/dh_key.c -+++ b/crypto/dh/dh_key.c -@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) - goto err; - } - -+ if (dh->params.q != NULL -+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); -+ goto err; -+ } -+ - if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); - return 0; -@@ -267,6 +273,12 @@ static int generate_key(DH *dh) - return 0; - } - -+ if (dh->params.q != NULL -+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); -+ return 0; -+ } -+ - if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); - return 0; -diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt -index e51504b7ab..36de321b74 100644 ---- a/crypto/err/openssl.txt 
-+++ b/crypto/err/openssl.txt -@@ -500,6 +500,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set - DH_R_NO_PRIVATE_VALUE:100:no private value - DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error - DH_R_PEER_KEY_ERROR:111:peer key error -+DH_R_Q_TOO_LARGE:130:q too large - DH_R_SHARED_INFO_ERROR:113:shared info error - DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator - DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters -diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h -index bb24d131eb..519327f795 100644 ---- a/include/crypto/dherr.h -+++ b/include/crypto/dherr.h -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -diff --git a/include/openssl/dh.h b/include/openssl/dh.h -index 6533260f20..50e0cf54be 100644 ---- a/include/openssl/dh.h -+++ b/include/openssl/dh.h -@@ -141,7 +141,7 @@ DECLARE_ASN1_ITEM(DHparams) - # define DH_GENERATOR_3 3 - # define DH_GENERATOR_5 5 - --/* DH_check error codes */ -+/* DH_check error codes, some of them shared with DH_check_pub_key */ - /* - * NB: These values must align with the equivalently named macros in - * internal/ffc.h. 
-@@ -151,10 +151,10 @@ DECLARE_ASN1_ITEM(DHparams) - # define DH_UNABLE_TO_CHECK_GENERATOR 0x04 - # define DH_NOT_SUITABLE_GENERATOR 0x08 - # define DH_CHECK_Q_NOT_PRIME 0x10 --# define DH_CHECK_INVALID_Q_VALUE 0x20 -+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */ - # define DH_CHECK_INVALID_J_VALUE 0x40 - # define DH_MODULUS_TOO_SMALL 0x80 --# define DH_MODULUS_TOO_LARGE 0x100 -+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */ - - /* DH_check_pub_key error codes */ - # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 -diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h -index 5d2a762a96..074a70145f 100644 ---- a/include/openssl/dherr.h -+++ b/include/openssl/dherr.h -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -50,6 +50,7 @@ - # define DH_R_NO_PRIVATE_VALUE 100 - # define DH_R_PARAMETER_ENCODING_ERROR 105 - # define DH_R_PEER_KEY_ERROR 111 -+# define DH_R_Q_TOO_LARGE 130 - # define DH_R_SHARED_INFO_ERROR 113 - # define DH_R_UNABLE_TO_CHECK_GENERATOR 121 - --- -2.36.1 - diff --git a/Backport-SM3-acceleration-with-SM3-hardware-instruction-on-aa.patch b/Backport-SM3-acceleration-with-SM3-hardware-instruction-on-aa.patch deleted file mode 100644 index 0467d78eff23a2a82c89a28bc8f3113f6ece8861..0000000000000000000000000000000000000000 --- a/Backport-SM3-acceleration-with-SM3-hardware-instruction-on-aa.patch +++ /dev/null 
@@ -1,457 +0,0 @@ -From 8a83d735057dde1f727eb0921446e4ca8b085267 Mon Sep 17 00:00:00 2001 -From: "fangming.fang" -Date: Fri, 24 Dec 2021 08:29:04 +0000 -Subject: [PATCH 02/13] SM3 acceleration with SM3 hardware instruction on - aarch64 - -SM3 hardware instruction is optional feature of crypto extension for -aarch64. This implementation accelerates SM3 via SM3 instructions. For -the platform not supporting SM3 instruction, the original C -implementation still works. Thanks to AliBaba for testing and reporting -the following perf numbers for Yitian710: - -Benchmark on T-Head Yitian-710 2.75GHz: - -Before: -type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes -sm3 49297.82k 121062.63k 223106.05k 283371.52k 307574.10k 309400.92k - -After (33% - 74% faster): -type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes -sm3 65640.01k 179121.79k 359854.59k 481448.96k 534055.59k 538274.47k - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/17454) ---- - crypto/arm64cpuid.pl | 8 + - crypto/arm_arch.h | 2 + - crypto/armcap.c | 10 ++ - crypto/sm3/asm/sm3-armv8.pl | 282 ++++++++++++++++++++++++++++++++++++ - crypto/sm3/build.info | 21 ++- - crypto/sm3/sm3_local.h | 16 +- - 6 files changed, 336 insertions(+), 3 deletions(-) - create mode 100644 crypto/sm3/asm/sm3-armv8.pl - -diff --git a/crypto/arm64cpuid.pl b/crypto/arm64cpuid.pl -index 11f0e50279..10d267b7ad 100755 ---- a/crypto/arm64cpuid.pl -+++ b/crypto/arm64cpuid.pl -@@ -96,6 +96,14 @@ _armv8_cpuid_probe: - ret - .size _armv8_cpuid_probe,.-_armv8_cpuid_probe - -+.globl _armv8_sm3_probe -+.type _armv8_sm3_probe,%function -+_armv8_sm3_probe: -+ AARCH64_VALID_CALL_TARGET -+ .long 0xce63c004 // sm3partw1 v4.4s, v0.4s, v3.4s -+ ret -+.size _armv8_sm3_probe,.-_armv8_sm3_probe -+ - .globl OPENSSL_cleanse - .type OPENSSL_cleanse,%function - .align 5 -diff --git a/crypto/arm_arch.h b/crypto/arm_arch.h -index a815a5c72b..c8b501f34c 100644 ---- 
a/crypto/arm_arch.h -+++ b/crypto/arm_arch.h -@@ -83,6 +83,8 @@ extern unsigned int OPENSSL_armv8_rsa_neonized; - # define ARMV8_PMULL (1<<5) - # define ARMV8_SHA512 (1<<6) - # define ARMV8_CPUID (1<<7) -+# define ARMV8_RNG (1<<8) -+# define ARMV8_SM3 (1<<9) - - /* - * MIDR_EL1 system register -diff --git a/crypto/armcap.c b/crypto/armcap.c -index c021330e32..365a48df45 100644 ---- a/crypto/armcap.c -+++ b/crypto/armcap.c -@@ -52,6 +52,7 @@ void _armv8_sha1_probe(void); - void _armv8_sha256_probe(void); - void _armv8_pmull_probe(void); - # ifdef __aarch64__ -+void _armv8_sm3_probe(void); - void _armv8_sha512_probe(void); - unsigned int _armv8_cpuid_probe(void); - # endif -@@ -137,6 +138,7 @@ static unsigned long getauxval(unsigned long key) - # define HWCAP_CE_SHA1 (1 << 5) - # define HWCAP_CE_SHA256 (1 << 6) - # define HWCAP_CPUID (1 << 11) -+# define HWCAP_CE_SM3 (1 << 18) - # define HWCAP_CE_SHA512 (1 << 21) - # endif - -@@ -210,6 +212,9 @@ void OPENSSL_cpuid_setup(void) - - if (hwcap & HWCAP_CPUID) - OPENSSL_armcap_P |= ARMV8_CPUID; -+ -+ if (hwcap & HWCAP_CE_SM3) -+ OPENSSL_armcap_P |= ARMV8_SM3; - # endif - } - # endif -@@ -253,6 +258,11 @@ void OPENSSL_cpuid_setup(void) - _armv8_sha512_probe(); - OPENSSL_armcap_P |= ARMV8_SHA512; - } -+ -+ if (sigsetjmp(ill_jmp, 1) == 0) { -+ _armv8_sm3_probe(); -+ OPENSSL_armcap_P |= ARMV8_SM3; -+ } - # endif - } - # endif -diff --git a/crypto/sm3/asm/sm3-armv8.pl b/crypto/sm3/asm/sm3-armv8.pl -new file mode 100644 -index 0000000000..bb71b2eade ---- /dev/null -+++ b/crypto/sm3/asm/sm3-armv8.pl -@@ -0,0 +1,282 @@ -+#! /usr/bin/env perl -+# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. 
You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+# -+# This module implements support for Armv8 SM3 instructions -+ -+# $output is the last argument if it looks like a file (it has an extension) -+# $flavour is the first argument if it doesn't look like a file -+$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; -+$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; -+ -+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or -+( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or -+die "can't locate arm-xlate.pl"; -+ -+open OUT,"| \"$^X\" $xlate $flavour \"$output\"" -+ or die "can't call $xlate: $!"; -+*STDOUT=*OUT; -+ -+# Message expanding: -+# Wj <- P1(W[j-16]^W[j-9]^(W[j-3]<<<15))^(W[j-13]<<<7)^W[j-6] -+# Input: s0, s1, s2, s3 -+# s0 = w0 | w1 | w2 | w3 -+# s1 = w4 | w5 | w6 | w7 -+# s2 = w8 | w9 | w10 | w11 -+# s3 = w12 | w13 | w14 | w15 -+# Output: s4 -+sub msg_exp () { -+my $s0 = shift; -+my $s1 = shift; -+my $s2 = shift; -+my $s3 = shift; -+my $s4 = shift; -+my $vtmp1 = shift; -+my $vtmp2 = shift; -+$code.=<<___; -+ // s4 = w7 | w8 | w9 | w10 -+ ext $s4.16b, $s1.16b, $s2.16b, #12 -+ // vtmp1 = w3 | w4 | w5 | w6 -+ ext $vtmp1.16b, $s0.16b, $s1.16b, #12 -+ // vtmp2 = w10 | w11 | w12 | w13 -+ ext $vtmp2.16b, $s2.16b, $s3.16b, #8 -+ sm3partw1 $s4.4s, $s0.4s, $s3.4s -+ sm3partw2 $s4.4s, $vtmp2.4s, $vtmp1.4s -+___ -+} -+ -+# A round of compresson function -+# Input: -+# ab - choose instruction among sm3tt1a, sm3tt1b, sm3tt2a, sm3tt2b -+# vstate0 - vstate1, store digest status(A - H) -+# vconst0 - vconst1, interleaved used to store Tj <<< j -+# vtmp - temporary register -+# vw - for sm3tt1ab, vw = s0 eor s1 -+# s0 - for sm3tt2ab, just be s0 -+# i, choose wj' or wj from vw -+sub round () { -+my $ab = shift; -+my $vstate0 = shift; -+my $vstate1 = shift; -+my $vconst0 = shift; -+my $vconst1 = shift; -+my $vtmp = shift; 
-+my $vw = shift; -+my $s0 = shift; -+my $i = shift; -+$code.=<<___; -+ sm3ss1 $vtmp.4s, $vstate0.4s, $vconst0.4s, $vstate1.4s -+ shl $vconst1.4s, $vconst0.4s, #1 -+ sri $vconst1.4s, $vconst0.4s, #31 -+ sm3tt1$ab $vstate0.4s, $vtmp.4s, $vw.4s[$i] -+ sm3tt2$ab $vstate1.4s, $vtmp.4s, $s0.4s[$i] -+___ -+} -+ -+sub qround () { -+my $ab = shift; -+my $vstate0 = shift; -+my $vstate1 = shift; -+my $vconst0 = shift; -+my $vconst1 = shift; -+my $vtmp1 = shift; -+my $vtmp2 = shift; -+my $s0 = shift; -+my $s1 = shift; -+my $s2 = shift; -+my $s3 = shift; -+my $s4 = shift; -+ if($s4) { -+ &msg_exp($s0, $s1, $s2, $s3, $s4, $vtmp1, $vtmp2); -+ } -+$code.=<<___; -+ eor $vtmp1.16b, $s0.16b, $s1.16b -+___ -+ &round($ab, $vstate0, $vstate1, $vconst0, $vconst1, $vtmp2, -+ $vtmp1, $s0, 0); -+ &round($ab, $vstate0, $vstate1, $vconst1, $vconst0, $vtmp2, -+ $vtmp1, $s0, 1); -+ &round($ab, $vstate0, $vstate1, $vconst0, $vconst1, $vtmp2, -+ $vtmp1, $s0, 2); -+ &round($ab, $vstate0, $vstate1, $vconst1, $vconst0, $vtmp2, -+ $vtmp1, $s0, 3); -+} -+ -+$code=<<___; -+#include "arm_arch.h" -+.arch armv8.2-a+sm4 -+.text -+___ -+ -+{{{ -+my ($pstate,$pdata,$num)=("x0","x1","w2"); -+my ($state1,$state2)=("v5","v6"); -+my ($sconst1, $sconst2)=("s16","s17"); -+my ($vconst1, $vconst2)=("v16","v17"); -+my ($s0,$s1,$s2,$s3,$s4)=map("v$_",(0..4)); -+my ($bkstate1,$bkstate2)=("v18","v19"); -+my ($vconst_tmp1,$vconst_tmp2)=("v20","v21"); -+my ($vtmp1,$vtmp2)=("v22","v23"); -+my $constaddr="x8"; -+# void ossl_hwsm3_block_data_order(SM3_CTX *c, const void *p, size_t num) -+$code.=<<___; -+.globl ossl_hwsm3_block_data_order -+.type ossl_hwsm3_block_data_order,%function -+.align 5 -+ossl_hwsm3_block_data_order: -+ AARCH64_VALID_CALL_TARGET -+ // load state -+ ld1 {$state1.4s-$state2.4s}, [$pstate] -+ rev64 $state1.4s, $state1.4s -+ rev64 $state2.4s, $state2.4s -+ ext $state1.16b, $state1.16b, $state1.16b, #8 -+ ext $state2.16b, $state2.16b, $state2.16b, #8 -+ -+ adr $constaddr, .Tj -+ ldp $sconst1, $sconst2, 
[$constaddr] -+ -+.Loop: -+ // load input -+ ld1 {$s0.16b-$s3.16b}, [$pdata], #64 -+ sub $num, $num, #1 -+ -+ mov $bkstate1.16b, $state1.16b -+ mov $bkstate2.16b, $state2.16b -+ -+#ifndef __ARMEB__ -+ rev32 $s0.16b, $s0.16b -+ rev32 $s1.16b, $s1.16b -+ rev32 $s2.16b, $s2.16b -+ rev32 $s3.16b, $s3.16b -+#endif -+ -+ ext $vconst_tmp1.16b, $vconst1.16b, $vconst1.16b, #4 -+___ -+ &qround("a",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, -+ $s0,$s1,$s2,$s3,$s4); -+ &qround("a",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, -+ $s1,$s2,$s3,$s4,$s0); -+ &qround("a",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, -+ $s2,$s3,$s4,$s0,$s1); -+ &qround("a",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, -+ $s3,$s4,$s0,$s1,$s2); -+ -+$code.=<<___; -+ ext $vconst_tmp1.16b, $vconst2.16b, $vconst2.16b, #4 -+___ -+ -+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, -+ $s4,$s0,$s1,$s2,$s3); -+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, -+ $s0,$s1,$s2,$s3,$s4); -+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, -+ $s1,$s2,$s3,$s4,$s0); -+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, -+ $s2,$s3,$s4,$s0,$s1); -+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, -+ $s3,$s4,$s0,$s1,$s2); -+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, -+ $s4,$s0,$s1,$s2,$s3); -+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, -+ $s0,$s1,$s2,$s3,$s4); -+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, -+ $s1,$s2,$s3,$s4,$s0); -+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, -+ $s2,$s3,$s4,$s0,$s1); -+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, -+ $s3,$s4); -+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, -+ $s4,$s0); -+ &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, -+ $s0,$s1); -+ -+$code.=<<___; -+ 
eor $state1.16b, $state1.16b, $bkstate1.16b -+ eor $state2.16b, $state2.16b, $bkstate2.16b -+ -+ // any remained blocks? -+ cbnz $num, .Loop -+ -+ // save state -+ rev64 $state1.4s, $state1.4s -+ rev64 $state2.4s, $state2.4s -+ ext $state1.16b, $state1.16b, $state1.16b, #8 -+ ext $state2.16b, $state2.16b, $state2.16b, #8 -+ st1 {$state1.4s-$state2.4s}, [$pstate] -+ ret -+.size ossl_hwsm3_block_data_order,.-ossl_hwsm3_block_data_order -+ -+.align 3 -+.Tj: -+.word 0x79cc4519, 0x9d8a7a87 -+___ -+}}} -+ -+######################################### -+my %sm3partopcode = ( -+ "sm3partw1" => 0xce60C000, -+ "sm3partw2" => 0xce60C400); -+ -+my %sm3sslopcode = ( -+ "sm3ssl" => 0xce400000); -+ -+my %sm3ttopcode = ( -+ "sm3tt1a" => 0xce408000, -+ "sm3tt1b" => 0xce408400, -+ "sm3tt2a" => 0xce408800, -+ "sm3tt2b" => 0xce408C00); -+ -+sub unsm3part { -+ my ($mnemonic,$arg)=@_; -+ -+ $arg=~ m/[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)/o -+ && -+ sprintf ".inst\t0x%08x\t//%s %s", -+ $sm3partopcode{$mnemonic}|$1|($2<<5)|($3<<16), -+ $mnemonic,$arg; -+} -+ -+sub unsm3ssl { -+ my ($mnemonic,$arg)=@_; -+ -+ $arg=~ m/[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*, -+ \s*[qv](\d+)/o -+ && -+ sprintf ".inst\t0x%08x\t//%s %s", -+ $sm3sslopcode{$mnemonic}|$1|($2<<5)|($3<<16)|($4<<10), -+ $mnemonic,$arg; -+} -+ -+sub unsm3tt { -+ my ($mnemonic,$arg)=@_; -+ -+ $arg=~ m/[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*\[([0-3])\]/o -+ && -+ sprintf ".inst\t0x%08x\t//%s %s", -+ $sm3ttopcode{$mnemonic}|$1|($2<<5)|($3<<16)|($4<<12), -+ $mnemonic,$arg; -+} -+ -+open SELF,$0; -+while() { -+ next if (/^#!/); -+ last if (!s/^#/\/\// and !/^$/); -+ print; -+} -+close SELF; -+ -+foreach(split("\n",$code)) { -+ s/\`([^\`]*)\`/eval($1)/ge; -+ -+ s/\b(sm3partw[1-2])\s+([qv].*)/unsm3part($1,$2)/ge; -+ s/\b(sm3ssl)\s+([qv].*)/unsm3ssl($1,$2)/ge; -+ s/\b(sm3tt[1-2][a-b])\s+([qv].*)/unsm3tt($1,$2)/ge; -+ print $_,"\n"; -+} -+ -+close STDOUT or die "error closing STDOUT: $!"; -diff --git 
a/crypto/sm3/build.info b/crypto/sm3/build.info -index eca68216f2..2fa54a4a8b 100644 ---- a/crypto/sm3/build.info -+++ b/crypto/sm3/build.info -@@ -1,5 +1,22 @@ - LIBS=../../libcrypto - - IF[{- !$disabled{sm3} -}] -- SOURCE[../../libcrypto]=sm3.c legacy_sm3.c --ENDIF -\ No newline at end of file -+ IF[{- !$disabled{asm} -}] -+ $SM3ASM_aarch64=sm3-armv8.S -+ $SM3DEF_aarch64=OPENSSL_SM3_ASM -+ -+ # Now that we have defined all the arch specific variables, use the -+ # appropriate ones, and define the appropriate macros -+ IF[$SM3ASM_{- $target{asm_arch} -}] -+ $SM3ASM=$SM3ASM_{- $target{asm_arch} -} -+ $SM3DEF=$SM3DEF_{- $target{asm_arch} -} -+ ENDIF -+ ENDIF -+ -+ SOURCE[../../libcrypto]=sm3.c legacy_sm3.c $SM3ASM -+ DEFINE[../../libcrypto]=$SM3DEF -+ -+ GENERATE[sm3-armv8.S]=asm/sm3-armv8.pl -+ INCLUDE[sm3-armv8.o]=.. -+ENDIF -+ -diff --git a/crypto/sm3/sm3_local.h b/crypto/sm3/sm3_local.h -index 6daeb878a8..ac8a2bf768 100644 ---- a/crypto/sm3/sm3_local.h -+++ b/crypto/sm3/sm3_local.h -@@ -32,7 +32,21 @@ - ll=(c)->G; (void)HOST_l2c(ll, (s)); \ - ll=(c)->H; (void)HOST_l2c(ll, (s)); \ - } while (0) --#define HASH_BLOCK_DATA_ORDER ossl_sm3_block_data_order -+ -+#if defined(OPENSSL_SM3_ASM) -+# if defined(__aarch64__) -+# include "crypto/arm_arch.h" -+# define HWSM3_CAPABLE (OPENSSL_armcap_P & ARMV8_SM3) -+void ossl_hwsm3_block_data_order(SM3_CTX *c, const void *p, size_t num); -+# endif -+#endif -+ -+#if defined(HWSM3_CAPABLE) -+# define HASH_BLOCK_DATA_ORDER (HWSM3_CAPABLE ? ossl_hwsm3_block_data_order \ -+ : ossl_sm3_block_data_order) -+#else -+# define HASH_BLOCK_DATA_ORDER ossl_sm3_block_data_order -+#endif - - void ossl_sm3_block_data_order(SM3_CTX *c, const void *p, size_t num); - void ossl_sm3_transform(SM3_CTX *c, const unsigned char *data); --- -2.37.3.windows.1 - 
diff --git a/Backport-SM4-AESE-optimization-for-ARMv8.patch b/Backport-SM4-AESE-optimization-for-ARMv8.patch
deleted file mode 100644
index 086626293f09a5c21b38ebe04f5b4c2826df11f3..0000000000000000000000000000000000000000
--- a/Backport-SM4-AESE-optimization-for-ARMv8.patch
+++ /dev/null
@@ -1,2322 +0,0 @@ -From 730387aebda57a1bb0af5a74747d4dadc5e033f7 Mon Sep 17 00:00:00 2001 -From: Xu Yizhou -Date: Wed, 18 Jan 2023 09:55:02 +0800 -Subject: [PATCH 12/13] SM4 AESE optimization for ARMv8 - -Signed-off-by: Xu Yizhou - -Reviewed-by: Tomas Mraz -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/19914) ---- - crypto/sm4/asm/vpsm4-armv8.pl | 458 +++++ - crypto/sm4/asm/vpsm4_ex-armv8.pl | 1544 +++++++++++++++++ - crypto/sm4/build.info | 4 +- - include/crypto/sm4_platform.h | 41 +- - .../implementations/ciphers/cipher_sm4_hw.c | 26 +- - .../implementations/ciphers/cipher_sm4_xts.c | 4 +- - .../implementations/ciphers/cipher_sm4_xts.h | 2 +- - .../ciphers/cipher_sm4_xts_hw.c | 33 +- - 8 files changed, 2090 insertions(+), 22 deletions(-) - create mode 100644 crypto/sm4/asm/vpsm4_ex-armv8.pl - -diff --git a/crypto/sm4/asm/vpsm4-armv8.pl b/crypto/sm4/asm/vpsm4-armv8.pl -index 73797af582..e19de30901 100755 ---- a/crypto/sm4/asm/vpsm4-armv8.pl -+++ b/crypto/sm4/asm/vpsm4-armv8.pl -@@ -28,6 +28,7 @@ open OUT,"| \"$^X\" $xlate $flavour \"$output\"" - - $prefix="vpsm4"; - my @vtmp=map("v$_",(0..3)); -+my @qtmp=map("q$_",(0..3)); - my @data=map("v$_",(4..7)); - my @datax=map("v$_",(8..11)); - my ($rk0,$rk1)=("v12","v13"); -@@ -36,6 +37,7 @@ my @vtmpx=map("v$_",(12..15)); - my @sbox=map("v$_",(16..31)); - my ($inp,$outp,$blocks,$rks)=("x0","x1","w2","x3"); - my ($tmpw,$tmp,$wtmp0,$wtmp1,$wtmp2)=("w6","x6","w7","w8","w9"); -+my ($xtmp1,$xtmp2)=("x8","x9"); - my ($ptr,$counter)=("x10","w11"); - my ($word0,$word1,$word2,$word3)=("w12","w13","w14","w15"); - -@@ -60,6 +62,51 @@ ___ - } - } - -+sub rev32_armeb() { -+ my $dst = shift; -+ my $src = shift; -+ -+ if ($src and ("$src" ne "$dst")) { -+$code.=<<___; -+#ifdef __AARCH64EB__ -+ rev32 $dst.16b,$src.16b -+#else -+ mov $dst.16b,$src.16b -+#endif -+___ -+ } else { -+$code.=<<___; -+#ifdef __AARCH64EB__ -+ rev32 $dst.16b,$dst.16b -+#endif -+___ -+ } -+} -+ -+sub rbit() { -+ my $dst = shift; -+ 
my $src = shift; -+ my $std = shift; -+ -+ if ($src and ("$src" ne "$dst")) { -+ if ($std eq "_gb") { -+$code.=<<___; -+ rbit $dst.16b,$src.16b -+___ -+ } else { -+$code.=<<___; -+ mov $dst.16b,$src.16b -+___ -+ } -+ } else { -+ if ($std eq "_gb") { -+$code.=<<___; -+ rbit $dst.16b,$src.16b -+___ -+ } -+ } -+} -+ - sub transpose() { - my ($dat0,$dat1,$dat2,$dat3,$vt0,$vt1,$vt2,$vt3) = @_; - -@@ -435,6 +482,58 @@ $code.=<<___; - ___ - } - -+ -+sub mov_reg_to_vec() { -+ my $src0 = shift; -+ my $src1 = shift; -+ my $desv = shift; -+$code.=<<___; -+ mov $desv.d[0],$src0 -+ mov $desv.d[1],$src1 -+___ -+ &rev32_armeb($desv,$desv); -+} -+ -+sub mov_vec_to_reg() { -+ my $srcv = shift; -+ my $des0 = shift; -+ my $des1 = shift; -+$code.=<<___; -+ mov $des0,$srcv.d[0] -+ mov $des1,$srcv.d[1] -+___ -+} -+ -+sub compute_tweak() { -+ my $src0 = shift; -+ my $src1 = shift; -+ my $des0 = shift; -+ my $des1 = shift; -+$code.=<<___; -+ mov $wtmp0,0x87 -+ extr $xtmp2,$src1,$src1,#32 -+ extr $des1,$src1,$src0,#63 -+ and $wtmp1,$wtmp0,$wtmp2,asr#31 -+ eor $des0,$xtmp1,$src0,lsl#1 -+___ -+} -+ -+sub compute_tweak_vec() { -+ my $src = shift; -+ my $des = shift; -+ my $std = shift; -+ &rbit(@vtmp[2],$src,$std); -+$code.=<<___; -+ ldr @qtmp[0], =0x01010101010101010101010101010187 -+ shl $des.16b, @vtmp[2].16b, #1 -+ ext @vtmp[1].16b, @vtmp[2].16b, @vtmp[2].16b,#15 -+ ushr @vtmp[1].16b, @vtmp[1].16b, #7 -+ mul @vtmp[1].16b, @vtmp[1].16b, @vtmp[0].16b -+ eor $des.16b, $des.16b, @vtmp[1].16b -+___ -+ &rbit($des,$des,$std); -+} -+ - $code=<<___; - #include "arm_arch.h" - .arch armv8-a -@@ -1101,6 +1200,365 @@ $code.=<<___; - .size ${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks - ___ - }}} -+ -+{{{ -+my ($blocks,$len)=("x2","x2"); -+my $ivp=("x5"); -+my @twx=map("x$_",(12..27)); -+my ($rks1,$rks2)=("x26","x27"); -+my $lastBlk=("x26"); -+my $enc=("w28"); -+my $remain=("x29"); -+ -+my @tweak=@datax; -+ -+sub gen_xts_cipher() { -+ my $std = shift; -+$code.=<<___; -+.globl 
${prefix}_xts_encrypt${std} -+.type ${prefix}_xts_encrypt${std},%function -+.align 5 -+${prefix}_xts_encrypt${std}: -+ AARCH64_SIGN_LINK_REGISTER -+ stp x15, x16, [sp, #-0x10]! -+ stp x17, x18, [sp, #-0x10]! -+ stp x19, x20, [sp, #-0x10]! -+ stp x21, x22, [sp, #-0x10]! -+ stp x23, x24, [sp, #-0x10]! -+ stp x25, x26, [sp, #-0x10]! -+ stp x27, x28, [sp, #-0x10]! -+ stp x29, x30, [sp, #-0x10]! -+ stp d8, d9, [sp, #-0x10]! -+ stp d10, d11, [sp, #-0x10]! -+ stp d12, d13, [sp, #-0x10]! -+ stp d14, d15, [sp, #-0x10]! -+ mov $rks1,x3 -+ mov $rks2,x4 -+ mov $enc,w6 -+ ld1 {@tweak[0].4s}, [$ivp] -+ mov $rks,$rks2 -+___ -+ &load_sbox(); -+ &rev32(@tweak[0],@tweak[0]); -+ &encrypt_1blk(@tweak[0]); -+$code.=<<___; -+ mov $rks,$rks1 -+ and $remain,$len,#0x0F -+ // convert length into blocks -+ lsr $blocks,$len,4 -+ cmp $blocks,#1 -+ b.lt .return${std} -+ -+ cmp $remain,0 -+ // If the encryption/decryption Length is N times of 16, -+ // the all blocks are encrypted/decrypted in .xts_encrypt_blocks${std} -+ b.eq .xts_encrypt_blocks${std} -+ -+ // If the encryption/decryption length is not N times of 16, -+ // the last two blocks are encrypted/decrypted in .last_2blks_tweak${std} or .only_2blks_tweak${std} -+ // the other blocks are encrypted/decrypted in .xts_encrypt_blocks${std} -+ subs $blocks,$blocks,#1 -+ b.eq .only_2blks_tweak${std} -+.xts_encrypt_blocks${std}: -+___ -+ &rbit(@tweak[0],@tweak[0],$std); -+ &rev32_armeb(@tweak[0],@tweak[0]); -+ &mov_vec_to_reg(@tweak[0],@twx[0],@twx[1]); -+ &compute_tweak(@twx[0],@twx[1],@twx[2],@twx[3]); -+ &compute_tweak(@twx[2],@twx[3],@twx[4],@twx[5]); -+ &compute_tweak(@twx[4],@twx[5],@twx[6],@twx[7]); -+ &compute_tweak(@twx[6],@twx[7],@twx[8],@twx[9]); -+ &compute_tweak(@twx[8],@twx[9],@twx[10],@twx[11]); -+ &compute_tweak(@twx[10],@twx[11],@twx[12],@twx[13]); -+ &compute_tweak(@twx[12],@twx[13],@twx[14],@twx[15]); -+$code.=<<___; -+.Lxts_8_blocks_process${std}: -+ cmp $blocks,#8 -+ b.lt .Lxts_4_blocks_process${std} -+___ -+ 
&mov_reg_to_vec(@twx[0],@twx[1],@vtmp[0]); -+ &mov_reg_to_vec(@twx[2],@twx[3],@vtmp[1]); -+ &mov_reg_to_vec(@twx[4],@twx[5],@vtmp[2]); -+ &mov_reg_to_vec(@twx[6],@twx[7],@vtmp[3]); -+ &mov_reg_to_vec(@twx[8],@twx[9],@vtmpx[0]); -+ &mov_reg_to_vec(@twx[10],@twx[11],@vtmpx[1]); -+ &mov_reg_to_vec(@twx[12],@twx[13],@vtmpx[2]); -+ &mov_reg_to_vec(@twx[14],@twx[15],@vtmpx[3]); -+$code.=<<___; -+ ld1 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64 -+___ -+ &rbit(@vtmp[0],@vtmp[0],$std); -+ &rbit(@vtmp[1],@vtmp[1],$std); -+ &rbit(@vtmp[2],@vtmp[2],$std); -+ &rbit(@vtmp[3],@vtmp[3],$std); -+$code.=<<___; -+ eor @data[0].16b, @data[0].16b, @vtmp[0].16b -+ eor @data[1].16b, @data[1].16b, @vtmp[1].16b -+ eor @data[2].16b, @data[2].16b, @vtmp[2].16b -+ eor @data[3].16b, @data[3].16b, @vtmp[3].16b -+ ld1 {@datax[0].4s,$datax[1].4s,@datax[2].4s,@datax[3].4s},[$inp],#64 -+___ -+ &rbit(@vtmpx[0],@vtmpx[0],$std); -+ &rbit(@vtmpx[1],@vtmpx[1],$std); -+ &rbit(@vtmpx[2],@vtmpx[2],$std); -+ &rbit(@vtmpx[3],@vtmpx[3],$std); -+$code.=<<___; -+ eor @datax[0].16b, @datax[0].16b, @vtmpx[0].16b -+ eor @datax[1].16b, @datax[1].16b, @vtmpx[1].16b -+ eor @datax[2].16b, @datax[2].16b, @vtmpx[2].16b -+ eor @datax[3].16b, @datax[3].16b, @vtmpx[3].16b -+___ -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],@data[3]); -+ &rev32(@datax[0],@datax[0]); -+ &rev32(@datax[1],@datax[1]); -+ &rev32(@datax[2],@datax[2]); -+ &rev32(@datax[3],@datax[3]); -+ &transpose(@data,@vtmp); -+ &transpose(@datax,@vtmp); -+$code.=<<___; -+ bl _${prefix}_enc_8blks -+___ -+ &transpose(@vtmp,@datax); -+ &transpose(@data,@datax); -+ -+ &mov_reg_to_vec(@twx[0],@twx[1],@vtmpx[0]); -+ &compute_tweak(@twx[14],@twx[15],@twx[0],@twx[1]); -+ &mov_reg_to_vec(@twx[2],@twx[3],@vtmpx[1]); -+ &compute_tweak(@twx[0],@twx[1],@twx[2],@twx[3]); -+ &mov_reg_to_vec(@twx[4],@twx[5],@vtmpx[2]); -+ &compute_tweak(@twx[2],@twx[3],@twx[4],@twx[5]); -+ 
&mov_reg_to_vec(@twx[6],@twx[7],@vtmpx[3]); -+ &compute_tweak(@twx[4],@twx[5],@twx[6],@twx[7]); -+ &mov_reg_to_vec(@twx[8],@twx[9],@tweak[0]); -+ &compute_tweak(@twx[6],@twx[7],@twx[8],@twx[9]); -+ &mov_reg_to_vec(@twx[10],@twx[11],@tweak[1]); -+ &compute_tweak(@twx[8],@twx[9],@twx[10],@twx[11]); -+ &mov_reg_to_vec(@twx[12],@twx[13],@tweak[2]); -+ &compute_tweak(@twx[10],@twx[11],@twx[12],@twx[13]); -+ &mov_reg_to_vec(@twx[14],@twx[15],@tweak[3]); -+ &compute_tweak(@twx[12],@twx[13],@twx[14],@twx[15]); -+$code.=<<___; -+ eor @vtmp[0].16b, @vtmp[0].16b, @vtmpx[0].16b -+ eor @vtmp[1].16b, @vtmp[1].16b, @vtmpx[1].16b -+ eor @vtmp[2].16b, @vtmp[2].16b, @vtmpx[2].16b -+ eor @vtmp[3].16b, @vtmp[3].16b, @vtmpx[3].16b -+ eor @data[0].16b, @data[0].16b, @tweak[0].16b -+ eor @data[1].16b, @data[1].16b, @tweak[1].16b -+ eor @data[2].16b, @data[2].16b, @tweak[2].16b -+ eor @data[3].16b, @data[3].16b, @tweak[3].16b -+ -+ // save the last tweak -+ st1 {@tweak[3].4s},[$ivp] -+ st1 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 -+ st1 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$outp],#64 -+ subs $blocks,$blocks,#8 -+ b.gt .Lxts_8_blocks_process${std} -+ b 100f -+.Lxts_4_blocks_process${std}: -+___ -+ &mov_reg_to_vec(@twx[0],@twx[1],@tweak[0]); -+ &mov_reg_to_vec(@twx[2],@twx[3],@tweak[1]); -+ &mov_reg_to_vec(@twx[4],@twx[5],@tweak[2]); -+ &mov_reg_to_vec(@twx[6],@twx[7],@tweak[3]); -+$code.=<<___; -+ cmp $blocks,#4 -+ b.lt 1f -+ ld1 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64 -+___ -+ &rbit(@tweak[0],@tweak[0],$std); -+ &rbit(@tweak[1],@tweak[1],$std); -+ &rbit(@tweak[2],@tweak[2],$std); -+ &rbit(@tweak[3],@tweak[3],$std); -+$code.=<<___; -+ eor @data[0].16b, @data[0].16b, @tweak[0].16b -+ eor @data[1].16b, @data[1].16b, @tweak[1].16b -+ eor @data[2].16b, @data[2].16b, @tweak[2].16b -+ eor @data[3].16b, @data[3].16b, @tweak[3].16b -+___ -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[2],@data[2]); -+ 
&rev32(@data[3],@data[3]); -+ &transpose(@data,@vtmp); -+$code.=<<___; -+ bl _${prefix}_enc_4blks -+___ -+ &transpose(@vtmp,@data); -+$code.=<<___; -+ eor @vtmp[0].16b, @vtmp[0].16b, @tweak[0].16b -+ eor @vtmp[1].16b, @vtmp[1].16b, @tweak[1].16b -+ eor @vtmp[2].16b, @vtmp[2].16b, @tweak[2].16b -+ eor @vtmp[3].16b, @vtmp[3].16b, @tweak[3].16b -+ st1 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 -+ sub $blocks,$blocks,#4 -+___ -+ &mov_reg_to_vec(@twx[8],@twx[9],@tweak[0]); -+ &mov_reg_to_vec(@twx[10],@twx[11],@tweak[1]); -+ &mov_reg_to_vec(@twx[12],@twx[13],@tweak[2]); -+$code.=<<___; -+ // save the last tweak -+ st1 {@tweak[3].4s},[$ivp] -+1: -+ // process last block -+ cmp $blocks,#1 -+ b.lt 100f -+ b.gt 1f -+ ld1 {@data[0].4s},[$inp],#16 -+___ -+ &rbit(@tweak[0],@tweak[0],$std); -+$code.=<<___; -+ eor @data[0].16b, @data[0].16b, @tweak[0].16b -+___ -+ &rev32(@data[0],@data[0]); -+ &encrypt_1blk(@data[0]); -+$code.=<<___; -+ eor @data[0].16b, @data[0].16b, @tweak[0].16b -+ st1 {@data[0].4s},[$outp],#16 -+ // save the last tweak -+ st1 {@tweak[0].4s},[$ivp] -+ b 100f -+1: // process last 2 blocks -+ cmp $blocks,#2 -+ b.gt 1f -+ ld1 {@data[0].4s,@data[1].4s},[$inp],#32 -+___ -+ &rbit(@tweak[0],@tweak[0],$std); -+ &rbit(@tweak[1],@tweak[1],$std); -+$code.=<<___; -+ eor @data[0].16b, @data[0].16b, @tweak[0].16b -+ eor @data[1].16b, @data[1].16b, @tweak[1].16b -+___ -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &transpose(@data,@vtmp); -+$code.=<<___; -+ bl _${prefix}_enc_4blks -+___ -+ &transpose(@vtmp,@data); -+$code.=<<___; -+ eor @vtmp[0].16b, @vtmp[0].16b, @tweak[0].16b -+ eor @vtmp[1].16b, @vtmp[1].16b, @tweak[1].16b -+ st1 {@vtmp[0].4s,@vtmp[1].4s},[$outp],#32 -+ // save the last tweak -+ st1 {@tweak[1].4s},[$ivp] -+ b 100f -+1: // process last 3 blocks -+ ld1 {@data[0].4s,@data[1].4s,@data[2].4s},[$inp],#48 -+___ -+ &rbit(@tweak[0],@tweak[0],$std); -+ &rbit(@tweak[1],@tweak[1],$std); -+ &rbit(@tweak[2],@tweak[2],$std); 
-+$code.=<<___; -+ eor @data[0].16b, @data[0].16b, @tweak[0].16b -+ eor @data[1].16b, @data[1].16b, @tweak[1].16b -+ eor @data[2].16b, @data[2].16b, @tweak[2].16b -+___ -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[2],@data[2]); -+ &transpose(@data,@vtmp); -+$code.=<<___; -+ bl _${prefix}_enc_4blks -+___ -+ &transpose(@vtmp,@data); -+$code.=<<___; -+ eor @vtmp[0].16b, @vtmp[0].16b, @tweak[0].16b -+ eor @vtmp[1].16b, @vtmp[1].16b, @tweak[1].16b -+ eor @vtmp[2].16b, @vtmp[2].16b, @tweak[2].16b -+ st1 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s},[$outp],#48 -+ // save the last tweak -+ st1 {@tweak[2].4s},[$ivp] -+100: -+ cmp $remain,0 -+ b.eq .return${std} -+ -+// This brance calculates the last two tweaks, -+// while the encryption/decryption length is larger than 32 -+.last_2blks_tweak${std}: -+ ld1 {@tweak[0].4s},[$ivp] -+___ -+ &rev32_armeb(@tweak[0],@tweak[0]); -+ &compute_tweak_vec(@tweak[0],@tweak[1],$std); -+ &compute_tweak_vec(@tweak[1],@tweak[2],$std); -+$code.=<<___; -+ b .check_dec${std} -+ -+ -+// This brance calculates the last two tweaks, -+// while the encryption/decryption length is equal to 32, who only need two tweaks -+.only_2blks_tweak${std}: -+ mov @tweak[1].16b,@tweak[0].16b -+___ -+ &rev32_armeb(@tweak[1],@tweak[1]); -+ &compute_tweak_vec(@tweak[1],@tweak[2]); -+$code.=<<___; -+ b .check_dec${std} -+ -+ -+// Determine whether encryption or decryption is required. -+// The last two tweaks need to be swapped for decryption. 
-+.check_dec${std}: -+ // encryption:1 decryption:0 -+ cmp $enc,1 -+ b.eq .prcess_last_2blks${std} -+ mov @vtmp[0].16B,@tweak[1].16b -+ mov @tweak[1].16B,@tweak[2].16b -+ mov @tweak[2].16B,@vtmp[0].16b -+ -+.prcess_last_2blks${std}: -+___ -+ &rev32_armeb(@tweak[1],@tweak[1]); -+ &rev32_armeb(@tweak[2],@tweak[2]); -+$code.=<<___; -+ ld1 {@data[0].4s},[$inp],#16 -+ eor @data[0].16b, @data[0].16b, @tweak[1].16b -+___ -+ &rev32(@data[0],@data[0]); -+ &encrypt_1blk(@data[0]); -+$code.=<<___; -+ eor @data[0].16b, @data[0].16b, @tweak[1].16b -+ st1 {@data[0].4s},[$outp],#16 -+ -+ sub $lastBlk,$outp,16 -+ .loop${std}: -+ subs $remain,$remain,1 -+ ldrb $wtmp0,[$lastBlk,$remain] -+ ldrb $wtmp1,[$inp,$remain] -+ strb $wtmp1,[$lastBlk,$remain] -+ strb $wtmp0,[$outp,$remain] -+ b.gt .loop${std} -+ ld1 {@data[0].4s}, [$lastBlk] -+ eor @data[0].16b, @data[0].16b, @tweak[2].16b -+___ -+ &rev32(@data[0],@data[0]); -+ &encrypt_1blk(@data[0]); -+$code.=<<___; -+ eor @data[0].16b, @data[0].16b, @tweak[2].16b -+ st1 {@data[0].4s}, [$lastBlk] -+.return${std}: -+ ldp d14, d15, [sp], #0x10 -+ ldp d12, d13, [sp], #0x10 -+ ldp d10, d11, [sp], #0x10 -+ ldp d8, d9, [sp], #0x10 -+ ldp x29, x30, [sp], #0x10 -+ ldp x27, x28, [sp], #0x10 -+ ldp x25, x26, [sp], #0x10 -+ ldp x23, x24, [sp], #0x10 -+ ldp x21, x22, [sp], #0x10 -+ ldp x19, x20, [sp], #0x10 -+ ldp x17, x18, [sp], #0x10 -+ ldp x15, x16, [sp], #0x10 -+ AARCH64_VALIDATE_LINK_REGISTER -+ ret -+.size ${prefix}_xts_encrypt${std},.-${prefix}_xts_encrypt${std} -+___ -+} # end of gen_xts_cipher -+&gen_xts_cipher("_gb"); -+&gen_xts_cipher(""); -+}}} - ######################################## - open SELF,$0; - while() { -diff --git a/crypto/sm4/asm/vpsm4_ex-armv8.pl b/crypto/sm4/asm/vpsm4_ex-armv8.pl -new file mode 100644 -index 0000000000..3d094aa535 ---- /dev/null -+++ b/crypto/sm4/asm/vpsm4_ex-armv8.pl -@@ -0,0 +1,1544 @@ -+#! /usr/bin/env perl -+# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. 
-+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+# -+# This module implements SM4 with ASIMD and AESE on AARCH64 -+# -+# Dec 2022 -+# -+ -+# $output is the last argument if it looks like a file (it has an extension) -+# $flavour is the first argument if it doesn't look like a file -+$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; -+$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; -+ -+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or -+( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or -+die "can't locate arm-xlate.pl"; -+ -+open OUT,"| \"$^X\" $xlate $flavour \"$output\"" -+ or die "can't call $xlate: $!"; -+*STDOUT=*OUT; -+ -+$prefix="vpsm4_ex"; -+my @vtmp=map("v$_",(0..3)); -+my @qtmp=map("q$_",(0..3)); -+my @data=map("v$_",(4..7)); -+my @datax=map("v$_",(8..11)); -+my ($rk0,$rk1)=("v12","v13"); -+my ($rka,$rkb)=("v14","v15"); -+my @vtmpx=map("v$_",(12..15)); -+my ($vtmp4,$vtmp5)=("v24","v25"); -+my ($MaskV,$TAHMatV,$TALMatV,$ATAHMatV,$ATALMatV,$ANDMaskV)=("v26","v27","v28","v29","v30","v31"); -+my ($MaskQ,$TAHMatQ,$TALMatQ,$ATAHMatQ,$ATALMatQ,$ANDMaskQ)=("q26","q27","q28","q29","q30","q31"); -+ -+my ($inp,$outp,$blocks,$rks)=("x0","x1","w2","x3"); -+my ($tmpw,$tmp,$wtmp0,$wtmp1,$wtmp2)=("w6","x6","w7","w8","w9"); -+my ($xtmp1,$xtmp2)=("x8","x9"); -+my ($ptr,$counter)=("x10","w11"); -+my ($word0,$word1,$word2,$word3)=("w12","w13","w14","w15"); -+ -+sub rev32() { -+ my $dst = shift; -+ my $src = shift; -+ -+ if ($src and ("$src" ne "$dst")) { -+$code.=<<___; -+#ifndef __AARCH64EB__ -+ rev32 $dst.16b,$src.16b -+#else -+ mov $dst.16b,$src.16b -+#endif -+___ -+ } else { -+$code.=<<___; -+#ifndef __AARCH64EB__ -+ rev32 $dst.16b,$dst.16b -+#endif -+___ -+ } -+} -+ -+sub 
rev32_armeb() { -+ my $dst = shift; -+ my $src = shift; -+ -+ if ($src and ("$src" ne "$dst")) { -+$code.=<<___; -+#ifdef __AARCH64EB__ -+ rev32 $dst.16b,$src.16b -+#else -+ mov $dst.16b,$src.16b -+#endif -+___ -+ } else { -+$code.=<<___; -+#ifdef __AARCH64EB__ -+ rev32 $dst.16b,$dst.16b -+#endif -+___ -+ } -+} -+ -+sub rbit() { -+ my $dst = shift; -+ my $src = shift; -+ my $std = shift; -+ -+ if ($src and ("$src" ne "$dst")) { -+ if ($std eq "_gb") { -+$code.=<<___; -+ rbit $dst.16b,$src.16b -+___ -+ } else { -+$code.=<<___; -+ mov $dst.16b,$src.16b -+___ -+ } -+ } else { -+ if ($std eq "_gb") { -+$code.=<<___; -+ rbit $dst.16b,$src.16b -+___ -+ } -+ } -+} -+ -+sub transpose() { -+ my ($dat0,$dat1,$dat2,$dat3,$vt0,$vt1,$vt2,$vt3) = @_; -+ -+$code.=<<___; -+ zip1 $vt0.4s,$dat0.4s,$dat1.4s -+ zip2 $vt1.4s,$dat0.4s,$dat1.4s -+ zip1 $vt2.4s,$dat2.4s,$dat3.4s -+ zip2 $vt3.4s,$dat2.4s,$dat3.4s -+ zip1 $dat0.2d,$vt0.2d,$vt2.2d -+ zip2 $dat1.2d,$vt0.2d,$vt2.2d -+ zip1 $dat2.2d,$vt1.2d,$vt3.2d -+ zip2 $dat3.2d,$vt1.2d,$vt3.2d -+___ -+} -+ -+# matrix multiplication Mat*x = (lowerMat*x) ^ (higherMat*x) -+sub mul_matrix() { -+ my $x = shift; -+ my $higherMat = shift; -+ my $lowerMat = shift; -+ my $tmp = shift; -+$code.=<<___; -+ ushr $tmp.16b, $x.16b, 4 -+ and $x.16b, $x.16b, $ANDMaskV.16b -+ tbl $x.16b, {$lowerMat.16b}, $x.16b -+ tbl $tmp.16b, {$higherMat.16b}, $tmp.16b -+ eor $x.16b, $x.16b, $tmp.16b -+___ -+} -+ -+# sbox operations for 4-lane of words -+# sbox operation for 4-lane of words -+sub sbox() { -+ my $dat = shift; -+ -+$code.=<<___; -+ // optimize sbox using AESE instruction -+ tbl @vtmp[0].16b, {$dat.16b}, $MaskV.16b -+___ -+ &mul_matrix(@vtmp[0], $TAHMatV, $TALMatV, $vtmp4); -+$code.=<<___; -+ eor @vtmp[1].16b, @vtmp[1].16b, @vtmp[1].16b -+ aese @vtmp[0].16b,@vtmp[1].16b -+___ -+ &mul_matrix(@vtmp[0], $ATAHMatV, $ATALMatV, $vtmp4); -+$code.=<<___; -+ mov $dat.16b,@vtmp[0].16b -+ -+ // linear transformation -+ ushr @vtmp[0].4s,$dat.4s,32-2 -+ ushr 
@vtmp[1].4s,$dat.4s,32-10 -+ ushr @vtmp[2].4s,$dat.4s,32-18 -+ ushr @vtmp[3].4s,$dat.4s,32-24 -+ sli @vtmp[0].4s,$dat.4s,2 -+ sli @vtmp[1].4s,$dat.4s,10 -+ sli @vtmp[2].4s,$dat.4s,18 -+ sli @vtmp[3].4s,$dat.4s,24 -+ eor $vtmp4.16b,@vtmp[0].16b,$dat.16b -+ eor $vtmp4.16b,$vtmp4.16b,$vtmp[1].16b -+ eor $dat.16b,@vtmp[2].16b,@vtmp[3].16b -+ eor $dat.16b,$dat.16b,$vtmp4.16b -+___ -+} -+ -+# sbox operation for 8-lane of words -+sub sbox_double() { -+ my $dat = shift; -+ my $datx = shift; -+ -+$code.=<<___; -+ // optimize sbox using AESE instruction -+ tbl @vtmp[0].16b, {$dat.16b}, $MaskV.16b -+ tbl @vtmp[1].16b, {$datx.16b}, $MaskV.16b -+___ -+ &mul_matrix(@vtmp[0], $TAHMatV, $TALMatV, $vtmp4); -+ &mul_matrix(@vtmp[1], $TAHMatV, $TALMatV, $vtmp4); -+$code.=<<___; -+ eor $vtmp5.16b, $vtmp5.16b, $vtmp5.16b -+ aese @vtmp[0].16b,$vtmp5.16b -+ aese @vtmp[1].16b,$vtmp5.16b -+___ -+ &mul_matrix(@vtmp[0], $ATAHMatV, $ATALMatV,$vtmp4); -+ &mul_matrix(@vtmp[1], $ATAHMatV, $ATALMatV,$vtmp4); -+$code.=<<___; -+ mov $dat.16b,@vtmp[0].16b -+ mov $datx.16b,@vtmp[1].16b -+ -+ // linear transformation -+ ushr @vtmp[0].4s,$dat.4s,32-2 -+ ushr $vtmp5.4s,$datx.4s,32-2 -+ ushr @vtmp[1].4s,$dat.4s,32-10 -+ ushr @vtmp[2].4s,$dat.4s,32-18 -+ ushr @vtmp[3].4s,$dat.4s,32-24 -+ sli @vtmp[0].4s,$dat.4s,2 -+ sli $vtmp5.4s,$datx.4s,2 -+ sli @vtmp[1].4s,$dat.4s,10 -+ sli @vtmp[2].4s,$dat.4s,18 -+ sli @vtmp[3].4s,$dat.4s,24 -+ eor $vtmp4.16b,@vtmp[0].16b,$dat.16b -+ eor $vtmp4.16b,$vtmp4.16b,@vtmp[1].16b -+ eor $dat.16b,@vtmp[2].16b,@vtmp[3].16b -+ eor $dat.16b,$dat.16b,$vtmp4.16b -+ ushr @vtmp[1].4s,$datx.4s,32-10 -+ ushr @vtmp[2].4s,$datx.4s,32-18 -+ ushr @vtmp[3].4s,$datx.4s,32-24 -+ sli @vtmp[1].4s,$datx.4s,10 -+ sli @vtmp[2].4s,$datx.4s,18 -+ sli @vtmp[3].4s,$datx.4s,24 -+ eor $vtmp4.16b,$vtmp5.16b,$datx.16b -+ eor $vtmp4.16b,$vtmp4.16b,@vtmp[1].16b -+ eor $datx.16b,@vtmp[2].16b,@vtmp[3].16b -+ eor $datx.16b,$datx.16b,$vtmp4.16b -+___ -+} -+ -+# sbox operation for one single word -+sub sbox_1word 
() { -+ my $word = shift; -+ -+$code.=<<___; -+ mov @vtmp[3].s[0],$word -+ // optimize sbox using AESE instruction -+ tbl @vtmp[0].16b, {@vtmp[3].16b}, $MaskV.16b -+___ -+ &mul_matrix(@vtmp[0], $TAHMatV, $TALMatV, @vtmp[2]); -+$code.=<<___; -+ eor @vtmp[1].16b, @vtmp[1].16b, @vtmp[1].16b -+ aese @vtmp[0].16b,@vtmp[1].16b -+___ -+ &mul_matrix(@vtmp[0], $ATAHMatV, $ATALMatV, @vtmp[2]); -+$code.=<<___; -+ -+ mov $wtmp0,@vtmp[0].s[0] -+ eor $word,$wtmp0,$wtmp0,ror #32-2 -+ eor $word,$word,$wtmp0,ror #32-10 -+ eor $word,$word,$wtmp0,ror #32-18 -+ eor $word,$word,$wtmp0,ror #32-24 -+___ -+} -+ -+# sm4 for one block of data, in scalar registers word0/word1/word2/word3 -+sub sm4_1blk () { -+ my $kptr = shift; -+ -+$code.=<<___; -+ ldp $wtmp0,$wtmp1,[$kptr],8 -+ // B0 ^= SBOX(B1 ^ B2 ^ B3 ^ RK0) -+ eor $tmpw,$word2,$word3 -+ eor $wtmp2,$wtmp0,$word1 -+ eor $tmpw,$tmpw,$wtmp2 -+___ -+ &sbox_1word($tmpw); -+$code.=<<___; -+ eor $word0,$word0,$tmpw -+ // B1 ^= SBOX(B0 ^ B2 ^ B3 ^ RK1) -+ eor $tmpw,$word2,$word3 -+ eor $wtmp2,$word0,$wtmp1 -+ eor $tmpw,$tmpw,$wtmp2 -+___ -+ &sbox_1word($tmpw); -+$code.=<<___; -+ ldp $wtmp0,$wtmp1,[$kptr],8 -+ eor $word1,$word1,$tmpw -+ // B2 ^= SBOX(B0 ^ B1 ^ B3 ^ RK2) -+ eor $tmpw,$word0,$word1 -+ eor $wtmp2,$wtmp0,$word3 -+ eor $tmpw,$tmpw,$wtmp2 -+___ -+ &sbox_1word($tmpw); -+$code.=<<___; -+ eor $word2,$word2,$tmpw -+ // B3 ^= SBOX(B0 ^ B1 ^ B2 ^ RK3) -+ eor $tmpw,$word0,$word1 -+ eor $wtmp2,$word2,$wtmp1 -+ eor $tmpw,$tmpw,$wtmp2 -+___ -+ &sbox_1word($tmpw); -+$code.=<<___; -+ eor $word3,$word3,$tmpw -+___ -+} -+ -+# sm4 for 4-lanes of data, in neon registers data0/data1/data2/data3 -+sub sm4_4blks () { -+ my $kptr = shift; -+ -+$code.=<<___; -+ ldp $wtmp0,$wtmp1,[$kptr],8 -+ dup $rk0.4s,$wtmp0 -+ dup $rk1.4s,$wtmp1 -+ -+ // B0 ^= SBOX(B1 ^ B2 ^ B3 ^ RK0) -+ eor $rka.16b,@data[2].16b,@data[3].16b -+ eor $rk0.16b,@data[1].16b,$rk0.16b -+ eor $rk0.16b,$rka.16b,$rk0.16b -+___ -+ &sbox($rk0); -+$code.=<<___; -+ eor 
@data[0].16b,@data[0].16b,$rk0.16b -+ -+ // B1 ^= SBOX(B0 ^ B2 ^ B3 ^ RK1) -+ eor $rka.16b,$rka.16b,@data[0].16b -+ eor $rk1.16b,$rka.16b,$rk1.16b -+___ -+ &sbox($rk1); -+$code.=<<___; -+ ldp $wtmp0,$wtmp1,[$kptr],8 -+ eor @data[1].16b,@data[1].16b,$rk1.16b -+ -+ dup $rk0.4s,$wtmp0 -+ dup $rk1.4s,$wtmp1 -+ -+ // B2 ^= SBOX(B0 ^ B1 ^ B3 ^ RK2) -+ eor $rka.16b,@data[0].16b,@data[1].16b -+ eor $rk0.16b,@data[3].16b,$rk0.16b -+ eor $rk0.16b,$rka.16b,$rk0.16b -+___ -+ &sbox($rk0); -+$code.=<<___; -+ eor @data[2].16b,@data[2].16b,$rk0.16b -+ -+ // B3 ^= SBOX(B0 ^ B1 ^ B2 ^ RK3) -+ eor $rka.16b,$rka.16b,@data[2].16b -+ eor $rk1.16b,$rka.16b,$rk1.16b -+___ -+ &sbox($rk1); -+$code.=<<___; -+ eor @data[3].16b,@data[3].16b,$rk1.16b -+___ -+} -+ -+# sm4 for 8 lanes of data, in neon registers -+# data0/data1/data2/data3 datax0/datax1/datax2/datax3 -+sub sm4_8blks () { -+ my $kptr = shift; -+ -+$code.=<<___; -+ ldp $wtmp0,$wtmp1,[$kptr],8 -+ // B0 ^= SBOX(B1 ^ B2 ^ B3 ^ RK0) -+ dup $rk0.4s,$wtmp0 -+ eor $rka.16b,@data[2].16b,@data[3].16b -+ eor $rkb.16b,@datax[2].16b,@datax[3].16b -+ eor @vtmp[0].16b,@data[1].16b,$rk0.16b -+ eor @vtmp[1].16b,@datax[1].16b,$rk0.16b -+ eor $rk0.16b,$rka.16b,@vtmp[0].16b -+ eor $rk1.16b,$rkb.16b,@vtmp[1].16b -+___ -+ &sbox_double($rk0,$rk1); -+$code.=<<___; -+ eor @data[0].16b,@data[0].16b,$rk0.16b -+ eor @datax[0].16b,@datax[0].16b,$rk1.16b -+ -+ // B1 ^= SBOX(B0 ^ B2 ^ B3 ^ RK1) -+ dup $rk1.4s,$wtmp1 -+ eor $rka.16b,$rka.16b,@data[0].16b -+ eor $rkb.16b,$rkb.16b,@datax[0].16b -+ eor $rk0.16b,$rka.16b,$rk1.16b -+ eor $rk1.16b,$rkb.16b,$rk1.16b -+___ -+ &sbox_double($rk0,$rk1); -+$code.=<<___; -+ ldp $wtmp0,$wtmp1,[$kptr],8 -+ eor @data[1].16b,@data[1].16b,$rk0.16b -+ eor @datax[1].16b,@datax[1].16b,$rk1.16b -+ -+ // B2 ^= SBOX(B0 ^ B1 ^ B3 ^ RK2) -+ dup $rk0.4s,$wtmp0 -+ eor $rka.16b,@data[0].16b,@data[1].16b -+ eor $rkb.16b,@datax[0].16b,@datax[1].16b -+ eor @vtmp[0].16b,@data[3].16b,$rk0.16b -+ eor @vtmp[1].16b,@datax[3].16b,$rk0.16b -+ eor 
$rk0.16b,$rka.16b,@vtmp[0].16b
-+ eor $rk1.16b,$rkb.16b,@vtmp[1].16b
-+___
-+ &sbox_double($rk0,$rk1);
-+$code.=<<___;
-+ eor @data[2].16b,@data[2].16b,$rk0.16b
-+ eor @datax[2].16b,@datax[2].16b,$rk1.16b
-+
-+ // B3 ^= SBOX(B0 ^ B1 ^ B2 ^ RK3)
-+ dup $rk1.4s,$wtmp1
-+ eor $rka.16b,$rka.16b,@data[2].16b
-+ eor $rkb.16b,$rkb.16b,@datax[2].16b
-+ eor $rk0.16b,$rka.16b,$rk1.16b
-+ eor $rk1.16b,$rkb.16b,$rk1.16b
-+___
-+ &sbox_double($rk0,$rk1);
-+$code.=<<___;
-+ eor @data[3].16b,@data[3].16b,$rk0.16b
-+ eor @datax[3].16b,@datax[3].16b,$rk1.16b
-+___
-+}
-+
-+sub encrypt_1blk_norev() {
-+ my $dat = shift;
-+
-+$code.=<<___;
-+ mov $ptr,$rks
-+ mov $counter,#8
-+ mov $word0,$dat.s[0]
-+ mov $word1,$dat.s[1]
-+ mov $word2,$dat.s[2]
-+ mov $word3,$dat.s[3]
-+10:
-+___
-+ &sm4_1blk($ptr);
-+$code.=<<___;
-+ subs $counter,$counter,#1
-+ b.ne 10b
-+ mov $dat.s[0],$word3
-+ mov $dat.s[1],$word2
-+ mov $dat.s[2],$word1
-+ mov $dat.s[3],$word0
-+___
-+}
-+
-+sub encrypt_1blk() {
-+ my $dat = shift;
-+
-+ &encrypt_1blk_norev($dat);
-+ &rev32($dat,$dat);
-+}
-+
-+sub encrypt_4blks() {
-+$code.=<<___;
-+ mov $ptr,$rks
-+ mov $counter,#8
-+10:
-+___
-+ &sm4_4blks($ptr);
-+$code.=<<___;
-+ subs $counter,$counter,#1
-+ b.ne 10b
-+___
-+ &rev32(@vtmp[3],@data[0]);
-+ &rev32(@vtmp[2],@data[1]);
-+ &rev32(@vtmp[1],@data[2]);
-+ &rev32(@vtmp[0],@data[3]);
-+}
-+
-+sub encrypt_8blks() {
-+$code.=<<___;
-+ mov $ptr,$rks
-+ mov $counter,#8
-+10:
-+___
-+ &sm4_8blks($ptr);
-+$code.=<<___;
-+ subs $counter,$counter,#1
-+ b.ne 10b
-+___
-+ &rev32(@vtmp[3],@data[0]);
-+ &rev32(@vtmp[2],@data[1]);
-+ &rev32(@vtmp[1],@data[2]);
-+ &rev32(@vtmp[0],@data[3]);
-+ &rev32(@data[3],@datax[0]);
-+ &rev32(@data[2],@datax[1]);
-+ &rev32(@data[1],@datax[2]);
-+ &rev32(@data[0],@datax[3]);
-+}
-+
-+sub load_sbox () {
-+ my $data = shift;
-+
-+$code.=<<___;
-+ ldr $MaskQ, =0x0306090c0f0205080b0e0104070a0d00
-+ ldr $TAHMatQ, =0x22581a6002783a4062185a2042387a00
-+ ldr $TALMatQ,
=0xc10bb67c4a803df715df62a89e54e923
-+ ldr $ATAHMatQ, =0x1407c6d56c7fbeadb9aa6b78c1d21300
-+ ldr $ATALMatQ, =0xe383c1a1fe9edcbc6404462679195b3b
-+ ldr $ANDMaskQ, =0x0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f
-+___
-+}
-+
-+sub mov_reg_to_vec() {
-+ my $src0 = shift;
-+ my $src1 = shift;
-+ my $desv = shift;
-+$code.=<<___;
-+ mov $desv.d[0],$src0
-+ mov $desv.d[1],$src1
-+___
-+ &rev32_armeb($desv,$desv);
-+}
-+
-+sub mov_vec_to_reg() {
-+ my $srcv = shift;
-+ my $des0 = shift;
-+ my $des1 = shift;
-+$code.=<<___;
-+ mov $des0,$srcv.d[0]
-+ mov $des1,$srcv.d[1]
-+___
-+}
-+
-+sub compute_tweak() {
-+ my $src0 = shift;
-+ my $src1 = shift;
-+ my $des0 = shift;
-+ my $des1 = shift;
-+$code.=<<___;
-+ mov $wtmp0,0x87
-+ extr $xtmp2,$src1,$src1,#32
-+ extr $des1,$src1,$src0,#63
-+ and $wtmp1,$wtmp0,$wtmp2,asr#31
-+ eor $des0,$xtmp1,$src0,lsl#1
-+___
-+}
-+
-+sub compute_tweak_vec() {
-+ my $src = shift;
-+ my $des = shift;
-+ my $std = shift;
-+ &rbit(@vtmp[2],$src,$std);
-+$code.=<<___;
-+ ldr @qtmp[0], =0x01010101010101010101010101010187
-+ shl $des.16b, @vtmp[2].16b, #1
-+ ext @vtmp[1].16b, @vtmp[2].16b, @vtmp[2].16b,#15
-+ ushr @vtmp[1].16b, @vtmp[1].16b, #7
-+ mul @vtmp[1].16b, @vtmp[1].16b, @vtmp[0].16b
-+ eor $des.16b, $des.16b, @vtmp[1].16b
-+___
-+ &rbit($des,$des,$std);
-+}
-+
-+$code=<<___;
-+#include "arm_arch.h"
-+.arch armv8-a+crypto
-+.text
-+
-+.type _${prefix}_consts,%object
-+.align 7
-+_${prefix}_consts:
-+.Lck:
-+ .long 0x00070E15, 0x1C232A31, 0x383F464D, 0x545B6269
-+ .long 0x70777E85, 0x8C939AA1, 0xA8AFB6BD, 0xC4CBD2D9
-+ .long 0xE0E7EEF5, 0xFC030A11, 0x181F262D, 0x343B4249
-+ .long 0x50575E65, 0x6C737A81, 0x888F969D, 0xA4ABB2B9
-+ .long 0xC0C7CED5, 0xDCE3EAF1, 0xF8FF060D, 0x141B2229
-+ .long 0x30373E45, 0x4C535A61, 0x686F767D, 0x848B9299
-+ .long 0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209
-+ .long 0x10171E25, 0x2C333A41, 0x484F565D, 0x646B7279
-+.Lfk:
-+ .dword 0x56aa3350a3b1bac6,0xb27022dc677d9197
-+.Lshuffles:
-+ .dword
0x0B0A090807060504,0x030201000F0E0D0C
-+
-+.size _${prefix}_consts,.-_${prefix}_consts
-+___
-+
-+{{{
-+my ($key,$keys,$enc)=("x0","x1","w2");
-+my ($pointer,$schedules,$wtmp,$roundkey)=("x5","x6","w7","w8");
-+my ($vkey,$vfk,$vmap)=("v5","v6","v7");
-+$code.=<<___;
-+.type _${prefix}_set_key,%function
-+.align 4
-+_${prefix}_set_key:
-+ AARCH64_VALID_CALL_TARGET
-+ ld1 {$vkey.4s},[$key]
-+___
-+ &load_sbox();
-+ &rev32($vkey,$vkey);
-+$code.=<<___;
-+ adr $pointer,.Lshuffles
-+ ld1 {$vmap.2d},[$pointer]
-+ adr $pointer,.Lfk
-+ ld1 {$vfk.2d},[$pointer]
-+ eor $vkey.16b,$vkey.16b,$vfk.16b
-+ mov $schedules,#32
-+ adr $pointer,.Lck
-+ movi @vtmp[0].16b,#64
-+ cbnz $enc,1f
-+ add $keys,$keys,124
-+1:
-+ mov $wtmp,$vkey.s[1]
-+ ldr $roundkey,[$pointer],#4
-+ eor $roundkey,$roundkey,$wtmp
-+ mov $wtmp,$vkey.s[2]
-+ eor $roundkey,$roundkey,$wtmp
-+ mov $wtmp,$vkey.s[3]
-+ eor $roundkey,$roundkey,$wtmp
-+ // optimize sbox using AESE instruction
-+ mov @data[0].s[0],$roundkey
-+ tbl @vtmp[0].16b, {@data[0].16b}, $MaskV.16b
-+___
-+ &mul_matrix(@vtmp[0], $TAHMatV, $TALMatV, @vtmp[2]);
-+$code.=<<___;
-+ eor @vtmp[1].16b, @vtmp[1].16b, @vtmp[1].16b
-+ aese @vtmp[0].16b,@vtmp[1].16b
-+___
-+ &mul_matrix(@vtmp[0], $ATAHMatV, $ATALMatV, @vtmp[2]);
-+$code.=<<___;
-+ mov $wtmp,@vtmp[0].s[0]
-+ eor $roundkey,$wtmp,$wtmp,ror #19
-+ eor $roundkey,$roundkey,$wtmp,ror #9
-+ mov $wtmp,$vkey.s[0]
-+ eor $roundkey,$roundkey,$wtmp
-+ mov $vkey.s[0],$roundkey
-+ cbz $enc,2f
-+ str $roundkey,[$keys],#4
-+ b 3f
-+2:
-+ str $roundkey,[$keys],#-4
-+3:
-+ tbl $vkey.16b,{$vkey.16b},$vmap.16b
-+ subs $schedules,$schedules,#1
-+ b.ne 1b
-+ ret
-+.size _${prefix}_set_key,.-_${prefix}_set_key
-+___
-+}}}
-+
-+
-+{{{
-+$code.=<<___;
-+.type _${prefix}_enc_4blks,%function
-+.align 4
-+_${prefix}_enc_4blks:
-+ AARCH64_VALID_CALL_TARGET
-+___
-+ &encrypt_4blks();
-+$code.=<<___;
-+ ret
-+.size _${prefix}_enc_4blks,.-_${prefix}_enc_4blks
-+___
-+}}}
-+
-+{{{
-+$code.=<<___;
-+.type
_${prefix}_enc_8blks,%function
-+.align 4
-+_${prefix}_enc_8blks:
-+ AARCH64_VALID_CALL_TARGET
-+___
-+ &encrypt_8blks();
-+$code.=<<___;
-+ ret
-+.size _${prefix}_enc_8blks,.-_${prefix}_enc_8blks
-+___
-+}}}
-+
-+
-+{{{
-+my ($key,$keys)=("x0","x1");
-+$code.=<<___;
-+.globl ${prefix}_set_encrypt_key
-+.type ${prefix}_set_encrypt_key,%function
-+.align 5
-+${prefix}_set_encrypt_key:
-+ AARCH64_SIGN_LINK_REGISTER
-+ stp x29,x30,[sp,#-16]!
-+ mov w2,1
-+ bl _${prefix}_set_key
-+ ldp x29,x30,[sp],#16
-+ AARCH64_VALIDATE_LINK_REGISTER
-+ ret
-+.size ${prefix}_set_encrypt_key,.-${prefix}_set_encrypt_key
-+___
-+}}}
-+
-+{{{
-+my ($key,$keys)=("x0","x1");
-+$code.=<<___;
-+.globl ${prefix}_set_decrypt_key
-+.type ${prefix}_set_decrypt_key,%function
-+.align 5
-+${prefix}_set_decrypt_key:
-+ AARCH64_SIGN_LINK_REGISTER
-+ stp x29,x30,[sp,#-16]!
-+ mov w2,0
-+ bl _${prefix}_set_key
-+ ldp x29,x30,[sp],#16
-+ AARCH64_VALIDATE_LINK_REGISTER
-+ ret
-+.size ${prefix}_set_decrypt_key,.-${prefix}_set_decrypt_key
-+___
-+}}}
-+
-+{{{
-+sub gen_block () {
-+ my $dir = shift;
-+ my ($inp,$outp,$rk)=map("x$_",(0..2));
-+
-+$code.=<<___;
-+.globl ${prefix}_${dir}crypt
-+.type ${prefix}_${dir}crypt,%function
-+.align 5
-+${prefix}_${dir}crypt:
-+ AARCH64_VALID_CALL_TARGET
-+ ld1 {@data[0].4s},[$inp]
-+___
-+ &load_sbox();
-+ &rev32(@data[0],@data[0]);
-+$code.=<<___;
-+ mov $rks,$rk
-+___
-+ &encrypt_1blk(@data[0]);
-+$code.=<<___;
-+ st1 {@data[0].4s},[$outp]
-+ ret
-+.size ${prefix}_${dir}crypt,.-${prefix}_${dir}crypt
-+___
-+}
-+&gen_block("en");
-+&gen_block("de");
-+}}}
-+
-+{{{
-+$code.=<<___;
-+.globl ${prefix}_ecb_encrypt
-+.type ${prefix}_ecb_encrypt,%function
-+.align 5
-+${prefix}_ecb_encrypt:
-+ AARCH64_SIGN_LINK_REGISTER
-+ // convert length into blocks
-+ lsr x2,x2,4
-+ stp d8,d9,[sp,#-80]!
-+ stp d10,d11,[sp,#16] -+ stp d12,d13,[sp,#32] -+ stp d14,d15,[sp,#48] -+ stp x29,x30,[sp,#64] -+___ -+ &load_sbox(); -+$code.=<<___; -+.Lecb_8_blocks_process: -+ cmp $blocks,#8 -+ b.lt .Lecb_4_blocks_process -+ ld4 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64 -+ ld4 {@datax[0].4s,$datax[1].4s,@datax[2].4s,@datax[3].4s},[$inp],#64 -+___ -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],@data[3]); -+ &rev32(@datax[0],@datax[0]); -+ &rev32(@datax[1],@datax[1]); -+ &rev32(@datax[2],@datax[2]); -+ &rev32(@datax[3],@datax[3]); -+$code.=<<___; -+ bl _${prefix}_enc_8blks -+ st4 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 -+ st4 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$outp],#64 -+ subs $blocks,$blocks,#8 -+ b.gt .Lecb_8_blocks_process -+ b 100f -+.Lecb_4_blocks_process: -+ cmp $blocks,#4 -+ b.lt 1f -+ ld4 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64 -+___ -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],@data[3]); -+$code.=<<___; -+ bl _${prefix}_enc_4blks -+ st4 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 -+ sub $blocks,$blocks,#4 -+1: -+ // process last block -+ cmp $blocks,#1 -+ b.lt 100f -+ b.gt 1f -+ ld1 {@data[0].4s},[$inp] -+___ -+ &rev32(@data[0],@data[0]); -+ &encrypt_1blk(@data[0]); -+$code.=<<___; -+ st1 {@data[0].4s},[$outp] -+ b 100f -+1: // process last 2 blocks -+ ld4 {@data[0].s,@data[1].s,@data[2].s,@data[3].s}[0],[$inp],#16 -+ ld4 {@data[0].s,@data[1].s,@data[2].s,@data[3].s}[1],[$inp],#16 -+ cmp $blocks,#2 -+ b.gt 1f -+___ -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],@data[3]); -+$code.=<<___; -+ bl _${prefix}_enc_4blks -+ st4 {@vtmp[0].s-@vtmp[3].s}[0],[$outp],#16 -+ st4 {@vtmp[0].s-@vtmp[3].s}[1],[$outp] -+ b 100f -+1: // process last 3 blocks -+ ld4 
{@data[0].s,@data[1].s,@data[2].s,@data[3].s}[2],[$inp],#16 -+___ -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],@data[3]); -+$code.=<<___; -+ bl _${prefix}_enc_4blks -+ st4 {@vtmp[0].s-@vtmp[3].s}[0],[$outp],#16 -+ st4 {@vtmp[0].s-@vtmp[3].s}[1],[$outp],#16 -+ st4 {@vtmp[0].s-@vtmp[3].s}[2],[$outp] -+100: -+ ldp d10,d11,[sp,#16] -+ ldp d12,d13,[sp,#32] -+ ldp d14,d15,[sp,#48] -+ ldp x29,x30,[sp,#64] -+ ldp d8,d9,[sp],#80 -+ AARCH64_VALIDATE_LINK_REGISTER -+ ret -+.size ${prefix}_ecb_encrypt,.-${prefix}_ecb_encrypt -+___ -+}}} -+ -+{{{ -+my ($len,$ivp,$enc)=("x2","x4","w5"); -+my $ivec0=("v3"); -+my $ivec1=("v15"); -+ -+$code.=<<___; -+.globl ${prefix}_cbc_encrypt -+.type ${prefix}_cbc_encrypt,%function -+.align 5 -+${prefix}_cbc_encrypt: -+ AARCH64_VALID_CALL_TARGET -+ lsr $len,$len,4 -+___ -+ &load_sbox(); -+$code.=<<___; -+ cbz $enc,.Ldec -+ ld1 {$ivec0.4s},[$ivp] -+.Lcbc_4_blocks_enc: -+ cmp $blocks,#4 -+ b.lt 1f -+ ld1 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64 -+ eor @data[0].16b,@data[0].16b,$ivec0.16b -+___ -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],@data[3]); -+ &encrypt_1blk_norev(@data[0]); -+$code.=<<___; -+ eor @data[1].16b,@data[1].16b,@data[0].16b -+___ -+ &encrypt_1blk_norev(@data[1]); -+ &rev32(@data[0],@data[0]); -+ -+$code.=<<___; -+ eor @data[2].16b,@data[2].16b,@data[1].16b -+___ -+ &encrypt_1blk_norev(@data[2]); -+ &rev32(@data[1],@data[1]); -+$code.=<<___; -+ eor @data[3].16b,@data[3].16b,@data[2].16b -+___ -+ &encrypt_1blk_norev(@data[3]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],@data[3]); -+$code.=<<___; -+ orr $ivec0.16b,@data[3].16b,@data[3].16b -+ st1 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$outp],#64 -+ subs $blocks,$blocks,#4 -+ b.ne .Lcbc_4_blocks_enc -+ b 2f -+1: -+ subs $blocks,$blocks,#1 -+ b.lt 2f -+ ld1 {@data[0].4s},[$inp],#16 -+ eor 
$ivec0.16b,$ivec0.16b,@data[0].16b -+___ -+ &rev32($ivec0,$ivec0); -+ &encrypt_1blk($ivec0); -+$code.=<<___; -+ st1 {$ivec0.4s},[$outp],#16 -+ b 1b -+2: -+ // save back IV -+ st1 {$ivec0.4s},[$ivp] -+ ret -+ -+.Ldec: -+ // decryption mode starts -+ AARCH64_SIGN_LINK_REGISTER -+ stp d8,d9,[sp,#-80]! -+ stp d10,d11,[sp,#16] -+ stp d12,d13,[sp,#32] -+ stp d14,d15,[sp,#48] -+ stp x29,x30,[sp,#64] -+.Lcbc_8_blocks_dec: -+ cmp $blocks,#8 -+ b.lt 1f -+ ld4 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp] -+ add $ptr,$inp,#64 -+ ld4 {@datax[0].4s,@datax[1].4s,@datax[2].4s,@datax[3].4s},[$ptr] -+___ -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],$data[3]); -+ &rev32(@datax[0],@datax[0]); -+ &rev32(@datax[1],@datax[1]); -+ &rev32(@datax[2],@datax[2]); -+ &rev32(@datax[3],$datax[3]); -+$code.=<<___; -+ bl _${prefix}_enc_8blks -+___ -+ &transpose(@vtmp,@datax); -+ &transpose(@data,@datax); -+$code.=<<___; -+ ld1 {$ivec1.4s},[$ivp] -+ ld1 {@datax[0].4s,@datax[1].4s,@datax[2].4s,@datax[3].4s},[$inp],#64 -+ // note ivec1 and vtmpx[3] are resuing the same register -+ // care needs to be taken to avoid conflict -+ eor @vtmp[0].16b,@vtmp[0].16b,$ivec1.16b -+ ld1 {@vtmpx[0].4s,@vtmpx[1].4s,@vtmpx[2].4s,@vtmpx[3].4s},[$inp],#64 -+ eor @vtmp[1].16b,@vtmp[1].16b,@datax[0].16b -+ eor @vtmp[2].16b,@vtmp[2].16b,@datax[1].16b -+ eor @vtmp[3].16b,$vtmp[3].16b,@datax[2].16b -+ // save back IV -+ st1 {$vtmpx[3].4s}, [$ivp] -+ eor @data[0].16b,@data[0].16b,$datax[3].16b -+ eor @data[1].16b,@data[1].16b,@vtmpx[0].16b -+ eor @data[2].16b,@data[2].16b,@vtmpx[1].16b -+ eor @data[3].16b,$data[3].16b,@vtmpx[2].16b -+ st1 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 -+ st1 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$outp],#64 -+ subs $blocks,$blocks,#8 -+ b.gt .Lcbc_8_blocks_dec -+ b.eq 100f -+1: -+ ld1 {$ivec1.4s},[$ivp] -+.Lcbc_4_blocks_dec: -+ cmp $blocks,#4 -+ b.lt 1f -+ ld4 
{@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp] -+___ -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],$data[3]); -+$code.=<<___; -+ bl _${prefix}_enc_4blks -+ ld1 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64 -+___ -+ &transpose(@vtmp,@datax); -+$code.=<<___; -+ eor @vtmp[0].16b,@vtmp[0].16b,$ivec1.16b -+ eor @vtmp[1].16b,@vtmp[1].16b,@data[0].16b -+ orr $ivec1.16b,@data[3].16b,@data[3].16b -+ eor @vtmp[2].16b,@vtmp[2].16b,@data[1].16b -+ eor @vtmp[3].16b,$vtmp[3].16b,@data[2].16b -+ st1 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 -+ subs $blocks,$blocks,#4 -+ b.gt .Lcbc_4_blocks_dec -+ // save back IV -+ st1 {@data[3].4s}, [$ivp] -+ b 100f -+1: // last block -+ subs $blocks,$blocks,#1 -+ b.lt 100f -+ b.gt 1f -+ ld1 {@data[0].4s},[$inp],#16 -+ // save back IV -+ st1 {$data[0].4s}, [$ivp] -+___ -+ &rev32(@datax[0],@data[0]); -+ &encrypt_1blk(@datax[0]); -+$code.=<<___; -+ eor @datax[0].16b,@datax[0].16b,$ivec1.16b -+ st1 {@datax[0].4s},[$outp],#16 -+ b 100f -+1: // last two blocks -+ ld4 {@data[0].s,@data[1].s,@data[2].s,@data[3].s}[0],[$inp] -+ add $ptr,$inp,#16 -+ ld4 {@data[0].s,@data[1].s,@data[2].s,@data[3].s}[1],[$ptr],#16 -+ subs $blocks,$blocks,1 -+ b.gt 1f -+___ -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],@data[3]); -+$code.=<<___; -+ bl _${prefix}_enc_4blks -+ ld1 {@data[0].4s,@data[1].4s},[$inp],#32 -+___ -+ &transpose(@vtmp,@datax); -+$code.=<<___; -+ eor @vtmp[0].16b,@vtmp[0].16b,$ivec1.16b -+ eor @vtmp[1].16b,@vtmp[1].16b,@data[0].16b -+ st1 {@vtmp[0].4s,@vtmp[1].4s},[$outp],#32 -+ // save back IV -+ st1 {@data[1].4s}, [$ivp] -+ b 100f -+1: // last 3 blocks -+ ld4 {@data[0].s,@data[1].s,@data[2].s,@data[3].s}[2],[$ptr] -+___ -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],@data[3]); -+$code.=<<___; -+ bl _${prefix}_enc_4blks -+ 
ld1 {@data[0].4s,@data[1].4s,@data[2].4s},[$inp],#48 -+___ -+ &transpose(@vtmp,@datax); -+$code.=<<___; -+ eor @vtmp[0].16b,@vtmp[0].16b,$ivec1.16b -+ eor @vtmp[1].16b,@vtmp[1].16b,@data[0].16b -+ eor @vtmp[2].16b,@vtmp[2].16b,@data[1].16b -+ st1 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s},[$outp],#48 -+ // save back IV -+ st1 {@data[2].4s}, [$ivp] -+100: -+ ldp d10,d11,[sp,#16] -+ ldp d12,d13,[sp,#32] -+ ldp d14,d15,[sp,#48] -+ ldp x29,x30,[sp,#64] -+ ldp d8,d9,[sp],#80 -+ AARCH64_VALIDATE_LINK_REGISTER -+ ret -+.size ${prefix}_cbc_encrypt,.-${prefix}_cbc_encrypt -+___ -+}}} -+ -+{{{ -+my ($ivp)=("x4"); -+my ($ctr)=("w5"); -+my $ivec=("v3"); -+ -+$code.=<<___; -+.globl ${prefix}_ctr32_encrypt_blocks -+.type ${prefix}_ctr32_encrypt_blocks,%function -+.align 5 -+${prefix}_ctr32_encrypt_blocks: -+ AARCH64_VALID_CALL_TARGET -+ ld1 {$ivec.4s},[$ivp] -+___ -+ &rev32($ivec,$ivec); -+ &load_sbox(); -+$code.=<<___; -+ cmp $blocks,#1 -+ b.ne 1f -+ // fast processing for one single block without -+ // context saving overhead -+___ -+ &encrypt_1blk($ivec); -+$code.=<<___; -+ ld1 {@data[0].4s},[$inp] -+ eor @data[0].16b,@data[0].16b,$ivec.16b -+ st1 {@data[0].4s},[$outp] -+ ret -+1: -+ AARCH64_SIGN_LINK_REGISTER -+ stp d8,d9,[sp,#-80]! 
-+ stp d10,d11,[sp,#16] -+ stp d12,d13,[sp,#32] -+ stp d14,d15,[sp,#48] -+ stp x29,x30,[sp,#64] -+ mov $word0,$ivec.s[0] -+ mov $word1,$ivec.s[1] -+ mov $word2,$ivec.s[2] -+ mov $ctr,$ivec.s[3] -+.Lctr32_4_blocks_process: -+ cmp $blocks,#4 -+ b.lt 1f -+ dup @data[0].4s,$word0 -+ dup @data[1].4s,$word1 -+ dup @data[2].4s,$word2 -+ mov @data[3].s[0],$ctr -+ add $ctr,$ctr,#1 -+ mov $data[3].s[1],$ctr -+ add $ctr,$ctr,#1 -+ mov @data[3].s[2],$ctr -+ add $ctr,$ctr,#1 -+ mov @data[3].s[3],$ctr -+ add $ctr,$ctr,#1 -+ cmp $blocks,#8 -+ b.ge .Lctr32_8_blocks_process -+ bl _${prefix}_enc_4blks -+ ld4 {@vtmpx[0].4s,@vtmpx[1].4s,@vtmpx[2].4s,@vtmpx[3].4s},[$inp],#64 -+ eor @vtmp[0].16b,@vtmp[0].16b,@vtmpx[0].16b -+ eor @vtmp[1].16b,@vtmp[1].16b,@vtmpx[1].16b -+ eor @vtmp[2].16b,@vtmp[2].16b,@vtmpx[2].16b -+ eor @vtmp[3].16b,@vtmp[3].16b,@vtmpx[3].16b -+ st4 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 -+ subs $blocks,$blocks,#4 -+ b.ne .Lctr32_4_blocks_process -+ b 100f -+.Lctr32_8_blocks_process: -+ dup @datax[0].4s,$word0 -+ dup @datax[1].4s,$word1 -+ dup @datax[2].4s,$word2 -+ mov @datax[3].s[0],$ctr -+ add $ctr,$ctr,#1 -+ mov $datax[3].s[1],$ctr -+ add $ctr,$ctr,#1 -+ mov @datax[3].s[2],$ctr -+ add $ctr,$ctr,#1 -+ mov @datax[3].s[3],$ctr -+ add $ctr,$ctr,#1 -+ bl _${prefix}_enc_8blks -+ ld4 {@vtmpx[0].4s,@vtmpx[1].4s,@vtmpx[2].4s,@vtmpx[3].4s},[$inp],#64 -+ ld4 {@datax[0].4s,@datax[1].4s,@datax[2].4s,@datax[3].4s},[$inp],#64 -+ eor @vtmp[0].16b,@vtmp[0].16b,@vtmpx[0].16b -+ eor @vtmp[1].16b,@vtmp[1].16b,@vtmpx[1].16b -+ eor @vtmp[2].16b,@vtmp[2].16b,@vtmpx[2].16b -+ eor @vtmp[3].16b,@vtmp[3].16b,@vtmpx[3].16b -+ eor @data[0].16b,@data[0].16b,@datax[0].16b -+ eor @data[1].16b,@data[1].16b,@datax[1].16b -+ eor @data[2].16b,@data[2].16b,@datax[2].16b -+ eor @data[3].16b,@data[3].16b,@datax[3].16b -+ st4 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 -+ st4 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$outp],#64 -+ subs $blocks,$blocks,#8 
-+ b.ne .Lctr32_4_blocks_process -+ b 100f -+1: // last block processing -+ subs $blocks,$blocks,#1 -+ b.lt 100f -+ b.gt 1f -+ mov $ivec.s[0],$word0 -+ mov $ivec.s[1],$word1 -+ mov $ivec.s[2],$word2 -+ mov $ivec.s[3],$ctr -+___ -+ &encrypt_1blk($ivec); -+$code.=<<___; -+ ld1 {@data[0].4s},[$inp] -+ eor @data[0].16b,@data[0].16b,$ivec.16b -+ st1 {@data[0].4s},[$outp] -+ b 100f -+1: // last 2 blocks processing -+ dup @data[0].4s,$word0 -+ dup @data[1].4s,$word1 -+ dup @data[2].4s,$word2 -+ mov @data[3].s[0],$ctr -+ add $ctr,$ctr,#1 -+ mov @data[3].s[1],$ctr -+ subs $blocks,$blocks,#1 -+ b.ne 1f -+ bl _${prefix}_enc_4blks -+ ld4 {@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[0],[$inp],#16 -+ ld4 {@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[1],[$inp],#16 -+ eor @vtmp[0].16b,@vtmp[0].16b,@vtmpx[0].16b -+ eor @vtmp[1].16b,@vtmp[1].16b,@vtmpx[1].16b -+ eor @vtmp[2].16b,@vtmp[2].16b,@vtmpx[2].16b -+ eor @vtmp[3].16b,@vtmp[3].16b,@vtmpx[3].16b -+ st4 {@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[0],[$outp],#16 -+ st4 {@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[1],[$outp],#16 -+ b 100f -+1: // last 3 blocks processing -+ add $ctr,$ctr,#1 -+ mov @data[3].s[2],$ctr -+ bl _${prefix}_enc_4blks -+ ld4 {@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[0],[$inp],#16 -+ ld4 {@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[1],[$inp],#16 -+ ld4 {@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[2],[$inp],#16 -+ eor @vtmp[0].16b,@vtmp[0].16b,@vtmpx[0].16b -+ eor @vtmp[1].16b,@vtmp[1].16b,@vtmpx[1].16b -+ eor @vtmp[2].16b,@vtmp[2].16b,@vtmpx[2].16b -+ eor @vtmp[3].16b,@vtmp[3].16b,@vtmpx[3].16b -+ st4 {@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[0],[$outp],#16 -+ st4 {@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[1],[$outp],#16 -+ st4 {@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[2],[$outp],#16 -+100: -+ ldp d10,d11,[sp,#16] -+ ldp d12,d13,[sp,#32] -+ ldp d14,d15,[sp,#48] -+ ldp x29,x30,[sp,#64] -+ ldp d8,d9,[sp],#80 -+ AARCH64_VALIDATE_LINK_REGISTER -+ ret -+.size 
${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks -+___ -+}}} -+ -+ -+{{{ -+my ($blocks,$len)=("x2","x2"); -+my $ivp=("x5"); -+my @twx=map("x$_",(12..27)); -+my ($rks1,$rks2)=("x26","x27"); -+my $lastBlk=("x26"); -+my $enc=("w28"); -+my $remain=("x29"); -+ -+my @tweak=map("v$_",(16..23)); -+my $lastTweak=("v25"); -+ -+sub gen_xts_cipher() { -+ my $std = shift; -+$code.=<<___; -+.globl ${prefix}_xts_encrypt${std} -+.type ${prefix}_xts_encrypt${std},%function -+.align 5 -+${prefix}_xts_encrypt${std}: -+ AARCH64_SIGN_LINK_REGISTER -+ stp x15, x16, [sp, #-0x10]! -+ stp x17, x18, [sp, #-0x10]! -+ stp x19, x20, [sp, #-0x10]! -+ stp x21, x22, [sp, #-0x10]! -+ stp x23, x24, [sp, #-0x10]! -+ stp x25, x26, [sp, #-0x10]! -+ stp x27, x28, [sp, #-0x10]! -+ stp x29, x30, [sp, #-0x10]! -+ stp d8, d9, [sp, #-0x10]! -+ stp d10, d11, [sp, #-0x10]! -+ stp d12, d13, [sp, #-0x10]! -+ stp d14, d15, [sp, #-0x10]! -+ mov $rks1,x3 -+ mov $rks2,x4 -+ mov $enc,w6 -+ ld1 {@tweak[0].4s}, [$ivp] -+ mov $rks,$rks2 -+___ -+ &load_sbox(); -+ &rev32(@tweak[0],@tweak[0]); -+ &encrypt_1blk(@tweak[0]); -+$code.=<<___; -+ mov $rks,$rks1 -+ and $remain,$len,#0x0F -+ // convert length into blocks -+ lsr $blocks,$len,4 -+ cmp $blocks,#1 -+ b.lt .return${std} -+ -+ cmp $remain,0 -+ // If the encryption/decryption Length is N times of 16, -+ // the all blocks are encrypted/decrypted in .xts_encrypt_blocks${std} -+ b.eq .xts_encrypt_blocks${std} -+ -+ // If the encryption/decryption length is not N times of 16, -+ // the last two blocks are encrypted/decrypted in .last_2blks_tweak${std} or .only_2blks_tweak${std} -+ // the other blocks are encrypted/decrypted in .xts_encrypt_blocks${std} -+ subs $blocks,$blocks,#1 -+ b.eq .only_2blks_tweak${std} -+.xts_encrypt_blocks${std}: -+___ -+ &rbit(@tweak[0],@tweak[0],$std); -+ &rev32_armeb(@tweak[0],@tweak[0]); -+ &mov_vec_to_reg(@tweak[0],@twx[0],@twx[1]); -+ &compute_tweak(@twx[0],@twx[1],@twx[2],@twx[3]); -+ 
&compute_tweak(@twx[2],@twx[3],@twx[4],@twx[5]);
-+ &compute_tweak(@twx[4],@twx[5],@twx[6],@twx[7]);
-+ &compute_tweak(@twx[6],@twx[7],@twx[8],@twx[9]);
-+ &compute_tweak(@twx[8],@twx[9],@twx[10],@twx[11]);
-+ &compute_tweak(@twx[10],@twx[11],@twx[12],@twx[13]);
-+ &compute_tweak(@twx[12],@twx[13],@twx[14],@twx[15]);
-+$code.=<<___;
-+.Lxts_8_blocks_process${std}:
-+ cmp $blocks,#8
-+___
-+ &mov_reg_to_vec(@twx[0],@twx[1],@tweak[0]);
-+ &compute_tweak(@twx[14],@twx[15],@twx[0],@twx[1]);
-+ &mov_reg_to_vec(@twx[2],@twx[3],@tweak[1]);
-+ &compute_tweak(@twx[0],@twx[1],@twx[2],@twx[3]);
-+ &mov_reg_to_vec(@twx[4],@twx[5],@tweak[2]);
-+ &compute_tweak(@twx[2],@twx[3],@twx[4],@twx[5]);
-+ &mov_reg_to_vec(@twx[6],@twx[7],@tweak[3]);
-+ &compute_tweak(@twx[4],@twx[5],@twx[6],@twx[7]);
-+ &mov_reg_to_vec(@twx[8],@twx[9],@tweak[4]);
-+ &compute_tweak(@twx[6],@twx[7],@twx[8],@twx[9]);
-+ &mov_reg_to_vec(@twx[10],@twx[11],@tweak[5]);
-+ &compute_tweak(@twx[8],@twx[9],@twx[10],@twx[11]);
-+ &mov_reg_to_vec(@twx[12],@twx[13],@tweak[6]);
-+ &compute_tweak(@twx[10],@twx[11],@twx[12],@twx[13]);
-+ &mov_reg_to_vec(@twx[14],@twx[15],@tweak[7]);
-+ &compute_tweak(@twx[12],@twx[13],@twx[14],@twx[15]);
-+$code.=<<___;
-+ b.lt .Lxts_4_blocks_process${std}
-+ ld1 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64
-+___
-+ &rbit(@tweak[0],@tweak[0],$std);
-+ &rbit(@tweak[1],@tweak[1],$std);
-+ &rbit(@tweak[2],@tweak[2],$std);
-+ &rbit(@tweak[3],@tweak[3],$std);
-+$code.=<<___;
-+ eor @data[0].16b, @data[0].16b, @tweak[0].16b
-+ eor @data[1].16b, @data[1].16b, @tweak[1].16b
-+ eor @data[2].16b, @data[2].16b, @tweak[2].16b
-+ eor @data[3].16b, @data[3].16b, @tweak[3].16b
-+ ld1 {@datax[0].4s,$datax[1].4s,@datax[2].4s,@datax[3].4s},[$inp],#64
-+___
-+ &rbit(@tweak[4],@tweak[4],$std);
-+ &rbit(@tweak[5],@tweak[5],$std);
-+ &rbit(@tweak[6],@tweak[6],$std);
-+ &rbit(@tweak[7],@tweak[7],$std);
-+$code.=<<___;
-+ eor @datax[0].16b, @datax[0].16b, @tweak[4].16b
-+ eor @datax[1].16b, @datax[1].16b, @tweak[5].16b
-+ eor @datax[2].16b, @datax[2].16b, @tweak[6].16b
-+ eor @datax[3].16b, @datax[3].16b, @tweak[7].16b
-+___
-+ &rev32(@data[0],@data[0]);
-+ &rev32(@data[1],@data[1]);
-+ &rev32(@data[2],@data[2]);
-+ &rev32(@data[3],@data[3]);
-+ &rev32(@datax[0],@datax[0]);
-+ &rev32(@datax[1],@datax[1]);
-+ &rev32(@datax[2],@datax[2]);
-+ &rev32(@datax[3],@datax[3]);
-+ &transpose(@data,@vtmp);
-+ &transpose(@datax,@vtmp);
-+$code.=<<___;
-+ bl _${prefix}_enc_8blks
-+___
-+ &transpose(@vtmp,@datax);
-+ &transpose(@data,@datax);
-+$code.=<<___;
-+ eor @vtmp[0].16b, @vtmp[0].16b, @tweak[0].16b
-+ eor @vtmp[1].16b, @vtmp[1].16b, @tweak[1].16b
-+ eor @vtmp[2].16b, @vtmp[2].16b, @tweak[2].16b
-+ eor @vtmp[3].16b, @vtmp[3].16b, @tweak[3].16b
-+ eor @data[0].16b, @data[0].16b, @tweak[4].16b
-+ eor @data[1].16b, @data[1].16b, @tweak[5].16b
-+ eor @data[2].16b, @data[2].16b, @tweak[6].16b
-+ eor @data[3].16b, @data[3].16b, @tweak[7].16b
-+
-+ // save the last tweak
-+ mov $lastTweak.16b,@tweak[7].16b
-+ st1 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64
-+ st1 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$outp],#64
-+ subs $blocks,$blocks,#8
-+ b.gt .Lxts_8_blocks_process${std}
-+ b 100f
-+.Lxts_4_blocks_process${std}:
-+ cmp $blocks,#4
-+ b.lt 1f
-+ ld1 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64
-+___
-+ &rbit(@tweak[0],@tweak[0],$std);
-+ &rbit(@tweak[1],@tweak[1],$std);
-+ &rbit(@tweak[2],@tweak[2],$std);
-+ &rbit(@tweak[3],@tweak[3],$std);
-+$code.=<<___;
-+ eor @data[0].16b, @data[0].16b, @tweak[0].16b
-+ eor @data[1].16b, @data[1].16b, @tweak[1].16b
-+ eor @data[2].16b, @data[2].16b, @tweak[2].16b
-+ eor @data[3].16b, @data[3].16b, @tweak[3].16b
-+___
-+ &rev32(@data[0],@data[0]);
-+ &rev32(@data[1],@data[1]);
-+ &rev32(@data[2],@data[2]);
-+ &rev32(@data[3],@data[3]);
-+ &transpose(@data,@vtmp);
-+$code.=<<___;
-+ bl _${prefix}_enc_4blks
-+___
-+ &transpose(@vtmp,@data);
-+$code.=<<___;
-+ eor @vtmp[0].16b, @vtmp[0].16b, @tweak[0].16b
-+ eor @vtmp[1].16b, @vtmp[1].16b, @tweak[1].16b
-+ eor @vtmp[2].16b, @vtmp[2].16b, @tweak[2].16b
-+ eor @vtmp[3].16b, @vtmp[3].16b, @tweak[3].16b
-+ st1 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64
-+ sub $blocks,$blocks,#4
-+ mov @tweak[0].16b,@tweak[4].16b
-+ mov @tweak[1].16b,@tweak[5].16b
-+ mov @tweak[2].16b,@tweak[6].16b
-+ // save the last tweak
-+ mov $lastTweak.16b,@tweak[3].16b
-+1:
-+ // process last block
-+ cmp $blocks,#1
-+ b.lt 100f
-+ b.gt 1f
-+ ld1 {@data[0].4s},[$inp],#16
-+___
-+ &rbit(@tweak[0],@tweak[0],$std);
-+$code.=<<___;
-+ eor @data[0].16b, @data[0].16b, @tweak[0].16b
-+___
-+ &rev32(@data[0],@data[0]);
-+ &encrypt_1blk(@data[0]);
-+$code.=<<___;
-+ eor @data[0].16b, @data[0].16b, @tweak[0].16b
-+ st1 {@data[0].4s},[$outp],#16
-+ // save the last tweak
-+ mov $lastTweak.16b,@tweak[0].16b
-+ b 100f
-+1: // process last 2 blocks
-+ cmp $blocks,#2
-+ b.gt 1f
-+ ld1 {@data[0].4s,@data[1].4s},[$inp],#32
-+___
-+ &rbit(@tweak[0],@tweak[0],$std);
-+ &rbit(@tweak[1],@tweak[1],$std);
-+$code.=<<___;
-+ eor @data[0].16b, @data[0].16b, @tweak[0].16b
-+ eor @data[1].16b, @data[1].16b, @tweak[1].16b
-+___
-+ &rev32(@data[0],@data[0]);
-+ &rev32(@data[1],@data[1]);
-+ &transpose(@data,@vtmp);
-+$code.=<<___;
-+ bl _${prefix}_enc_4blks
-+___
-+ &transpose(@vtmp,@data);
-+$code.=<<___;
-+ eor @vtmp[0].16b, @vtmp[0].16b, @tweak[0].16b
-+ eor @vtmp[1].16b, @vtmp[1].16b, @tweak[1].16b
-+ st1 {@vtmp[0].4s,@vtmp[1].4s},[$outp],#32
-+ // save the last tweak
-+ mov $lastTweak.16b,@tweak[1].16b
-+ b 100f
-+1: // process last 3 blocks
-+ ld1 {@data[0].4s,@data[1].4s,@data[2].4s},[$inp],#48
-+___
-+ &rbit(@tweak[0],@tweak[0],$std);
-+ &rbit(@tweak[1],@tweak[1],$std);
-+ &rbit(@tweak[2],@tweak[2],$std);
-+$code.=<<___;
-+ eor @data[0].16b, @data[0].16b, @tweak[0].16b
-+ eor @data[1].16b, @data[1].16b, @tweak[1].16b
-+ eor @data[2].16b, @data[2].16b, @tweak[2].16b
-+___
-+ &rev32(@data[0],@data[0]);
-+ &rev32(@data[1],@data[1]);
-+ &rev32(@data[2],@data[2]);
-+ &transpose(@data,@vtmp);
-+$code.=<<___;
-+ bl _${prefix}_enc_4blks
-+___
-+ &transpose(@vtmp,@data);
-+$code.=<<___;
-+ eor @vtmp[0].16b, @vtmp[0].16b, @tweak[0].16b
-+ eor @vtmp[1].16b, @vtmp[1].16b, @tweak[1].16b
-+ eor @vtmp[2].16b, @vtmp[2].16b, @tweak[2].16b
-+ st1 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s},[$outp],#48
-+ // save the last tweak
-+ mov $lastTweak.16b,@tweak[2].16b
-+100:
-+ cmp $remain,0
-+ b.eq .return${std}
-+
-+// This brance calculates the last two tweaks,
-+// while the encryption/decryption length is larger than 32
-+.last_2blks_tweak${std}:
-+___
-+ &rev32_armeb($lastTweak,$lastTweak);
-+ &compute_tweak_vec($lastTweak,@tweak[1],$std);
-+ &compute_tweak_vec(@tweak[1],@tweak[2],$std);
-+$code.=<<___;
-+ b .check_dec${std}
-+
-+
-+// This brance calculates the last two tweaks,
-+// while the encryption/decryption length is equal to 32, who only need two tweaks
-+.only_2blks_tweak${std}:
-+ mov @tweak[1].16b,@tweak[0].16b
-+___
-+ &rev32_armeb(@tweak[1],@tweak[1]);
-+ &compute_tweak_vec(@tweak[1],@tweak[2]);
-+$code.=<<___;
-+ b .check_dec${std}
-+
-+
-+// Determine whether encryption or decryption is required.
-+// The last two tweaks need to be swapped for decryption.
-+.check_dec${std}:
-+ // encryption:1 decryption:0
-+ cmp $enc,1
-+ b.eq .prcess_last_2blks${std}
-+ mov @vtmp[0].16B,@tweak[1].16b
-+ mov @tweak[1].16B,@tweak[2].16b
-+ mov @tweak[2].16B,@vtmp[0].16b
-+
-+.prcess_last_2blks${std}:
-+___
-+ &rev32_armeb(@tweak[1],@tweak[1]);
-+ &rev32_armeb(@tweak[2],@tweak[2]);
-+$code.=<<___;
-+ ld1 {@data[0].4s},[$inp],#16
-+ eor @data[0].16b, @data[0].16b, @tweak[1].16b
-+___
-+ &rev32(@data[0],@data[0]);
-+ &encrypt_1blk(@data[0]);
-+$code.=<<___;
-+ eor @data[0].16b, @data[0].16b, @tweak[1].16b
-+ st1 {@data[0].4s},[$outp],#16
-+
-+ sub $lastBlk,$outp,16
-+ .loop${std}:
-+ subs $remain,$remain,1
-+ ldrb $wtmp0,[$lastBlk,$remain]
-+ ldrb $wtmp1,[$inp,$remain]
-+ strb $wtmp1,[$lastBlk,$remain]
-+ strb $wtmp0,[$outp,$remain]
-+ b.gt .loop${std}
-+ ld1 {@data[0].4s}, [$lastBlk]
-+ eor @data[0].16b, @data[0].16b, @tweak[2].16b
-+___
-+ &rev32(@data[0],@data[0]);
-+ &encrypt_1blk(@data[0]);
-+$code.=<<___;
-+ eor @data[0].16b, @data[0].16b, @tweak[2].16b
-+ st1 {@data[0].4s}, [$lastBlk]
-+.return${std}:
-+ ldp d14, d15, [sp], #0x10
-+ ldp d12, d13, [sp], #0x10
-+ ldp d10, d11, [sp], #0x10
-+ ldp d8, d9, [sp], #0x10
-+ ldp x29, x30, [sp], #0x10
-+ ldp x27, x28, [sp], #0x10
-+ ldp x25, x26, [sp], #0x10
-+ ldp x23, x24, [sp], #0x10
-+ ldp x21, x22, [sp], #0x10
-+ ldp x19, x20, [sp], #0x10
-+ ldp x17, x18, [sp], #0x10
-+ ldp x15, x16, [sp], #0x10
-+ AARCH64_VALIDATE_LINK_REGISTER
-+ ret
-+.size ${prefix}_xts_encrypt${std},.-${prefix}_xts_encrypt${std}
-+___
-+} # end of gen_xts_cipher
-+&gen_xts_cipher("_gb");
-+&gen_xts_cipher("");
-+}}}
-+
-+########################################
-+open SELF,$0;
-+while() {
-+ next if (/^#!/);
-+ last if (!s/^#/\/\// and !/^$/);
-+ print;
-+}
-+close SELF;
-+
-+foreach(split("\n",$code)) {
-+ s/\`([^\`]*)\`/eval($1)/ge;
-+ print $_,"\n";
-+}
-+
-+close STDOUT or die "error closing STDOUT: $!";
-diff --git a/crypto/sm4/build.info b/crypto/sm4/build.info
-index 75a215ab80..73ffe5ea09 100644
---- a/crypto/sm4/build.info
-+++ b/crypto/sm4/build.info
-@@ -2,7 +2,7 @@ LIBS=../../libcrypto
-
- IF[{- !$disabled{asm} -}]
- $SM4DEF_aarch64=SM4_ASM VPSM4_ASM
-- $SM4ASM_aarch64=sm4-armv8.S vpsm4-armv8.S
-+ $SM4ASM_aarch64=sm4-armv8.S vpsm4-armv8.S vpsm4_ex-armv8.S
-
- # Now that we have defined all the arch specific variables, use the
- # appropriate one, and define the appropriate macros
-@@ -30,5 +30,7 @@ ENDIF
-
- GENERATE[sm4-armv8.S]=asm/sm4-armv8.pl
- GENERATE[vpsm4-armv8.S]=asm/vpsm4-armv8.pl
-+GENERATE[vpsm4_ex-armv8.S]=asm/vpsm4_ex-armv8.pl
- INCLUDE[sm4-armv8.o]=..
- INCLUDE[vpsm4-armv8.o]=..
-+INCLUDE[vpsm4_ex-armv8.o]=..
-diff --git a/include/crypto/sm4_platform.h b/include/crypto/sm4_platform.h
-index 15d8abbcb1..8b9cd10f97 100644
---- a/include/crypto/sm4_platform.h
-+++ b/include/crypto/sm4_platform.h
-@@ -20,11 +20,16 @@ static inline int vpsm4_capable(void)
- {
- return (OPENSSL_armcap_P & ARMV8_CPUID) &&
- (MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_V1) ||
-- MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_N1) ||
-- MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, HISI_CPU_IMP, HISI_CPU_PART_KP920));
-+ MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_N1));
-+}
-+static inline int vpsm4_ex_capable(void)
-+{
-+ return (OPENSSL_armcap_P & ARMV8_CPUID) &&
-+ (MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, HISI_CPU_IMP, HISI_CPU_PART_KP920));
- }
- # if defined(VPSM4_ASM)
- # define VPSM4_CAPABLE vpsm4_capable()
-+# define VPSM4_EX_CAPABLE vpsm4_ex_capable()
- # endif
- # define HWSM4_CAPABLE (OPENSSL_armcap_P & ARMV8_SM4)
- # define HWSM4_set_encrypt_key sm4_v8_set_encrypt_key
-@@ -56,7 +61,7 @@ void HWSM4_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
- const unsigned char ivec[16]);
- # endif /* HWSM4_CAPABLE */
-
--#ifdef VPSM4_CAPABLE
-+# ifdef VPSM4_CAPABLE
- int vpsm4_set_encrypt_key(const unsigned char *userKey, SM4_KEY *key);
- int vpsm4_set_decrypt_key(const unsigned char *userKey, SM4_KEY *key);
- void vpsm4_encrypt(const unsigned char *in, unsigned char *out,
-@@ -72,7 +77,37 @@ void vpsm4_ecb_encrypt(const unsigned char *in, unsigned char *out,
- void vpsm4_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
- size_t len, const void *key,
- const unsigned char ivec[16]);
-+void vpsm4_xts_encrypt(const unsigned char *in, unsigned char *out,
-+ size_t len, const SM4_KEY *key1, const SM4_KEY *key2,
-+ const unsigned char ivec[16], const int enc);
-+void vpsm4_xts_encrypt_gb(const unsigned char *in, unsigned char *out,
-+ size_t len, const SM4_KEY *key1, const SM4_KEY *key2,
-+ const unsigned char ivec[16], const int enc);
- # endif /* VPSM4_CAPABLE */
-
-+# ifdef VPSM4_EX_CAPABLE
-+int vpsm4_ex_set_encrypt_key(const unsigned char *userKey, SM4_KEY *key);
-+int vpsm4_ex_set_decrypt_key(const unsigned char *userKey, SM4_KEY *key);
-+void vpsm4_ex_encrypt(const unsigned char *in, unsigned char *out,
-+ const SM4_KEY *key);
-+void vpsm4_ex_decrypt(const unsigned char *in, unsigned char *out,
-+ const SM4_KEY *key);
-+void vpsm4_ex_cbc_encrypt(const unsigned char *in, unsigned char *out,
-+ size_t length, const SM4_KEY *key,
-+ unsigned char *ivec, const int enc);
-+void vpsm4_ex_ecb_encrypt(const unsigned char *in, unsigned char *out,
-+ size_t length, const SM4_KEY *key,
-+ const int enc);
-+void vpsm4_ex_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
-+ size_t len, const void *key,
-+ const unsigned char ivec[16]);
-+void vpsm4_ex_xts_encrypt(const unsigned char *in, unsigned char *out,
-+ size_t len, const SM4_KEY *key1, const SM4_KEY *key2,
-+ const unsigned char ivec[16], const int enc);
-+void vpsm4_ex_xts_encrypt_gb(const unsigned char *in, unsigned char *out,
-+ size_t len, const SM4_KEY *key1,
-+ const SM4_KEY *key2, const unsigned char ivec[16],
-+ const int enc);
-+# endif /* VPSM4_EX_CAPABLE */
-
- #endif /* OSSL_SM4_PLATFORM_H */
-diff --git a/providers/implementations/ciphers/cipher_sm4_hw.c b/providers/implementations/ciphers/cipher_sm4_hw.c
-index 9a2e99f67c..8cabd78266 100644
---- a/providers/implementations/ciphers/cipher_sm4_hw.c
-+++ b/providers/implementations/ciphers/cipher_sm4_hw.c
-@@ -42,6 +42,19 @@ static int cipher_hw_sm4_initkey(PROV_CIPHER_CTX *ctx,
- (void)0; /* terminate potentially open 'else' */
- } else
- #endif
-+#ifdef VPSM4_EX_CAPABLE
-+ if (VPSM4_EX_CAPABLE) {
-+ vpsm4_ex_set_encrypt_key(key, ks);
-+ ctx->block = (block128_f)vpsm4_ex_encrypt;
-+ ctx->stream.cbc = NULL;
-+ if (ctx->mode == EVP_CIPH_CBC_MODE)
-+ ctx->stream.cbc = (cbc128_f)vpsm4_ex_cbc_encrypt;
-+ else if (ctx->mode == EVP_CIPH_ECB_MODE)
-+ ctx->stream.ecb = (ecb128_f)vpsm4_ex_ecb_encrypt;
-+ else if (ctx->mode == EVP_CIPH_CTR_MODE)
-+ ctx->stream.ctr = (ctr128_f)vpsm4_ex_ctr32_encrypt_blocks;
-+ } else
-+#endif
- #ifdef VPSM4_CAPABLE
- if (VPSM4_CAPABLE) {
- vpsm4_set_encrypt_key(key, ks);
-@@ -75,6 +88,17 @@ static int cipher_hw_sm4_initkey(PROV_CIPHER_CTX *ctx,
- #endif
- } else
- #endif
-+#ifdef VPSM4_EX_CAPABLE
-+ if (VPSM4_EX_CAPABLE) {
-+ vpsm4_ex_set_decrypt_key(key, ks);
-+ ctx->block = (block128_f)vpsm4_ex_decrypt;
-+ ctx->stream.cbc = NULL;
-+ if (ctx->mode == EVP_CIPH_CBC_MODE)
-+ ctx->stream.cbc = (cbc128_f)vpsm4_ex_cbc_encrypt;
-+ else if (ctx->mode == EVP_CIPH_ECB_MODE)
-+ ctx->stream.ecb = (ecb128_f)vpsm4_ex_ecb_encrypt;
-+ } else
-+#endif
- #ifdef VPSM4_CAPABLE
- if (VPSM4_CAPABLE) {
- vpsm4_set_decrypt_key(key, ks);
-@@ -82,7 +106,7 @@ static int cipher_hw_sm4_initkey(PROV_CIPHER_CTX *ctx,
- ctx->stream.cbc = NULL;
- if (ctx->mode == EVP_CIPH_CBC_MODE)
- ctx->stream.cbc = (cbc128_f)vpsm4_cbc_encrypt;
-- else if (ctx->mode == EVP_CIPH_ECB_MODE)
-+ else if (ctx->mode == EVP_CIPH_ECB_MODE)
- ctx->stream.ecb = (ecb128_f)vpsm4_ecb_encrypt;
- } else
- #endif
-diff --git a/providers/implementations/ciphers/cipher_sm4_xts.c b/providers/implementations/ciphers/cipher_sm4_xts.c
-index 3c568d4d18..037055fce8 100644
---- a/providers/implementations/ciphers/cipher_sm4_xts.c
-+++ b/providers/implementations/ciphers/cipher_sm4_xts.c
-@@ -145,14 +145,14 @@ static int sm4_xts_cipher(void *vctx, unsigned char *out, size_t *outl,
- if (ctx->xts_standard) {
- if (ctx->stream != NULL)
- (*ctx->stream)(in, out, inl, ctx->xts.key1, ctx->xts.key2,
-- ctx->base.iv);
-+ ctx->base.iv, ctx->base.enc);
- else if (CRYPTO_xts128_encrypt(&ctx->xts, ctx->base.iv, in, out, inl,
- ctx->base.enc))
- return 0;
- } else {
- if (ctx->stream_gb != NULL)
- (*ctx->stream_gb)(in, out, inl, ctx->xts.key1, ctx->xts.key2,
-- ctx->base.iv);
-+ ctx->base.iv, ctx->base.enc);
- else if (ossl_crypto_xts128gb_encrypt(&ctx->xts, ctx->base.iv, in, out,
- inl, ctx->base.enc))
- return 0;
-diff --git a/providers/implementations/ciphers/cipher_sm4_xts.h b/providers/implementations/ciphers/cipher_sm4_xts.h
-index 4c369183e2..cfca596979 100644
---- a/providers/implementations/ciphers/cipher_sm4_xts.h
-+++ b/providers/implementations/ciphers/cipher_sm4_xts.h
-@@ -14,7 +14,7 @@
- PROV_CIPHER_FUNC(void, xts_stream,
- (const unsigned char *in, unsigned char *out, size_t len,
- const SM4_KEY *key1, const SM4_KEY *key2,
-- const unsigned char iv[16]));
-+ const unsigned char iv[16], const int enc));
-
- typedef struct prov_sm4_xts_ctx_st {
- /* Must be first */
-diff --git a/providers/implementations/ciphers/cipher_sm4_xts_hw.c b/providers/implementations/ciphers/cipher_sm4_xts_hw.c
-index 403eb879b1..67a9923d94 100644
---- a/providers/implementations/ciphers/cipher_sm4_xts_hw.c
-+++ b/providers/implementations/ciphers/cipher_sm4_xts_hw.c
-@@ -11,8 +11,7 @@
-
- #define XTS_SET_KEY_FN(fn_set_enc_key, fn_set_dec_key, \
- fn_block_enc, fn_block_dec, \
-- fn_stream_enc, fn_stream_dec, \
-- fn_stream_gb_enc, fn_stream_gb_dec) { \
-+ fn_stream, fn_stream_gb) { \
- size_t bytes = keylen / 2; \
- \
- if (ctx->enc) { \
-@@ -26,8 +25,8 @@
- xctx->xts.block2 = (block128_f)fn_block_enc; \
- xctx->xts.key1 = &xctx->ks1; \
- xctx->xts.key2 = &xctx->ks2; \
-- xctx->stream = ctx->enc ? fn_stream_enc : fn_stream_dec; \
-- xctx->stream_gb = ctx->enc ? fn_stream_gb_enc : fn_stream_gb_dec; \
-+ xctx->stream = fn_stream; \
-+ xctx->stream_gb = fn_stream_gb; \
- }
-
- static int cipher_hw_sm4_xts_generic_initkey(PROV_CIPHER_CTX *ctx,
-@@ -35,23 +34,30 @@ static int cipher_hw_sm4_xts_generic_initkey(PROV_CIPHER_CTX *ctx,
- size_t keylen)
- {
- PROV_SM4_XTS_CTX *xctx = (PROV_SM4_XTS_CTX *)ctx;
-- OSSL_xts_stream_fn stream_enc = NULL;
-- OSSL_xts_stream_fn stream_dec = NULL;
-- OSSL_xts_stream_fn stream_gb_enc = NULL;
-- OSSL_xts_stream_fn stream_gb_dec = NULL;
-+ OSSL_xts_stream_fn stream = NULL;
-+ OSSL_xts_stream_fn stream_gb = NULL;
- #ifdef HWSM4_CAPABLE
- if (HWSM4_CAPABLE) {
- XTS_SET_KEY_FN(HWSM4_set_encrypt_key, HWSM4_set_decrypt_key,
-- HWSM4_encrypt, HWSM4_decrypt, stream_enc, stream_dec,
-- stream_gb_enc, stream_gb_dec);
-+ HWSM4_encrypt, HWSM4_decrypt, stream, stream_gb);
- return 1;
- } else
- #endif /* HWSM4_CAPABLE */
-+#ifdef VPSM4_EX_CAPABLE
-+ if (VPSM4_EX_CAPABLE) {
-+ stream = vpsm4_ex_xts_encrypt;
-+ stream_gb = vpsm4_ex_xts_encrypt_gb;
-+ XTS_SET_KEY_FN(vpsm4_ex_set_encrypt_key, vpsm4_ex_set_decrypt_key,
-+ vpsm4_ex_encrypt, vpsm4_ex_decrypt, stream, stream_gb);
-+ return 1;
-+ } else
-+#endif /* VPSM4_EX_CAPABLE */
- #ifdef VPSM4_CAPABLE
- if (VPSM4_CAPABLE) {
-+ stream = vpsm4_xts_encrypt;
-+ stream_gb = vpsm4_xts_encrypt_gb;
- XTS_SET_KEY_FN(vpsm4_set_encrypt_key, vpsm4_set_decrypt_key,
-- vpsm4_encrypt, vpsm4_decrypt, stream_enc, stream_dec,
-- stream_gb_enc, stream_gb_dec);
-+ vpsm4_encrypt, vpsm4_decrypt, stream, stream_gb);
- return 1;
- } else
- #endif /* VPSM4_CAPABLE */
-@@ -60,8 +66,7 @@ static int cipher_hw_sm4_xts_generic_initkey(PROV_CIPHER_CTX *ctx,
- }
- {
- XTS_SET_KEY_FN(ossl_sm4_set_key, ossl_sm4_set_key, ossl_sm4_encrypt,
-- ossl_sm4_decrypt, stream_enc, stream_dec, stream_gb_enc,
-- stream_gb_dec);
-+ ossl_sm4_decrypt, stream, stream_gb);
- }
- return 1;
- }
--- 
-2.37.3.windows.1
-
diff --git a/Backport-SM4-optimization-for-ARM-by-ASIMD.patch b/Backport-SM4-optimization-for-ARM-by-ASIMD.patch
deleted file mode 100644
index 5d58d16f2022fd46de3b978ad41afce59f8a248a..0000000000000000000000000000000000000000
--- a/Backport-SM4-optimization-for-ARM-by-ASIMD.patch
+++ /dev/null
@@ -1,1334 +0,0 @@
-From ca0b08e39bb619b6e62ef58c80edc784e8f20966 Mon Sep 17 00:00:00 2001
-From: Daniel Hu
-Date: Mon, 14 Feb 2022 14:36:34 +0000
-Subject: [PATCH 07/13] SM4 optimization for ARM by ASIMD
-
-This patch optimizes SM4 for ARM processor using ASIMD instruction
-
-It will improve performance if both of following conditions are met:
-1) Input data equal to or more than 4 blocks
-2) Cipher mode allows parallelism, including ECB,CTR,GCM or CBC decryption
-
-This patch implements SM4 SBOX lookup in vector registers, with the
-benefit of constant processing time over existing C implementation.
-
-It is only enabled for micro-architecture N1/V1. In the ideal scenario,
-performance can reach up to 2.7X
-
-When either of above two conditions is not met, e.g. single block input
-or CFB/OFB mode, CBC encryption, performance could drop about 50%.
-
-The assembly code has been reviewed internally by ARM engineer
-Fangming.Fang@arm.com
-
-Signed-off-by: Daniel Hu
-
-Reviewed-by: Paul Dale
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/17951)
----
- crypto/evp/e_sm4.c | 24 +
- crypto/sm4/asm/vpsm4-armv8.pl | 1118 +++++++++++++++++
- crypto/sm4/build.info | 6 +-
- include/crypto/sm4_platform.h | 29 +
- .../ciphers/cipher_sm4_gcm_hw.c | 7 +
- .../implementations/ciphers/cipher_sm4_hw.c | 24 +
- 6 files changed, 1206 insertions(+), 2 deletions(-)
- create mode 100755 crypto/sm4/asm/vpsm4-armv8.pl
-
-diff --git a/crypto/evp/e_sm4.c b/crypto/evp/e_sm4.c
-index bff79ff197..c8e8cfe9c9 100644
---- a/crypto/evp/e_sm4.c
-+++ b/crypto/evp/e_sm4.c
-@@ -76,6 +76,17 @@ static int sm4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- dat->stream.ecb = (ecb128_f) HWSM4_ecb_encrypt;
- # endif
- } else
-+#endif
-+#ifdef VPSM4_CAPABLE
-+ if (VPSM4_CAPABLE) {
-+ vpsm4_set_decrypt_key(key, &dat->ks.ks);
-+ dat->block = (block128_f) vpsm4_decrypt;
-+ dat->stream.cbc = NULL;
-+ if (mode == EVP_CIPH_CBC_MODE)
-+ dat->stream.cbc = (cbc128_f) vpsm4_cbc_encrypt;
-+ else if (mode == EVP_CIPH_ECB_MODE)
-+ dat->stream.ecb = (ecb128_f) vpsm4_ecb_encrypt;
-+ } else
- #endif
- {
- dat->block = (block128_f) ossl_sm4_decrypt;
-@@ -104,6 +115,19 @@ static int sm4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- # endif
- (void)0; /* terminate potentially open 'else' */
- } else
-+#endif
-+#ifdef VPSM4_CAPABLE
-+ if (VPSM4_CAPABLE) {
-+ vpsm4_set_encrypt_key(key, &dat->ks.ks);
-+ dat->block = (block128_f) vpsm4_encrypt;
-+ dat->stream.cbc = NULL;
-+ if (mode == EVP_CIPH_CBC_MODE)
-+ dat->stream.cbc = (cbc128_f) vpsm4_cbc_encrypt;
-+ else if (mode == EVP_CIPH_ECB_MODE)
-+ dat->stream.ecb = (ecb128_f) vpsm4_ecb_encrypt;
-+ else if (mode == EVP_CIPH_CTR_MODE)
-+ dat->stream.ctr = (ctr128_f) vpsm4_ctr32_encrypt_blocks;
-+ } else
- #endif
- {
- dat->block = (block128_f) ossl_sm4_encrypt;
-diff --git a/crypto/sm4/asm/vpsm4-armv8.pl b/crypto/sm4/asm/vpsm4-armv8.pl
-new file mode 100755
-index 0000000000..095d9dae64
---- /dev/null
-+++ b/crypto/sm4/asm/vpsm4-armv8.pl
-@@ -0,0 +1,1118 @@
-+#! /usr/bin/env perl
-+# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License"). You may not use
-+# this file except in compliance with the License. You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+#
-+# This module implements SM4 with ASIMD on aarch64
-+#
-+# Feb 2022
-+#
-+
-+# $output is the last argument if it looks like a file (it has an extension)
-+# $flavour is the first argument if it doesn't look like a file
-+$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
-+$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
-+
-+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
-+( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
-+die "can't locate arm-xlate.pl";
-+
-+open OUT,"| \"$^X\" $xlate $flavour \"$output\""
-+ or die "can't call $xlate: $!";
-+*STDOUT=*OUT;
-+
-+$prefix="vpsm4";
-+my @vtmp=map("v$_",(0..3));
-+my @data=map("v$_",(4..7));
-+my @datax=map("v$_",(8..11));
-+my ($rk0,$rk1)=("v12","v13");
-+my ($rka,$rkb)=("v14","v15");
-+my @vtmpx=map("v$_",(12..15));
-+my @sbox=map("v$_",(16..31));
-+my ($inp,$outp,$blocks,$rks)=("x0","x1","w2","x3");
-+my ($tmpw,$tmp,$wtmp0,$wtmp1,$wtmp2)=("w6","x6","w7","w8","w9");
-+my ($ptr,$counter)=("x10","w11");
-+my ($word0,$word1,$word2,$word3)=("w12","w13","w14","w15");
-+
-+sub rev32() {
-+ my $dst = shift;
-+ my $src = shift;
-+
-+ if ($src and ("$src" ne "$dst")) {
-+$code.=<<___;
-+#ifndef __ARMEB__
-+ rev32 $dst.16b,$src.16b
-+#else
-+ mov $dst.16b,$src.16b
-+#endif
-+___
-+ } else {
-+$code.=<<___;
-+#ifndef __ARMEB__
-+ rev32 $dst.16b,$dst.16b
-+#endif
-+___
-+ }
-+}
-+
-+sub transpose() {
-+ my ($dat0,$dat1,$dat2,$dat3,$vt0,$vt1,$vt2,$vt3) = @_;
-+
-+$code.=<<___;
-+ zip1 $vt0.4s,$dat0.4s,$dat1.4s
-+ zip2 $vt1.4s,$dat0.4s,$dat1.4s
-+ zip1 $vt2.4s,$dat2.4s,$dat3.4s
-+ zip2 $vt3.4s,$dat2.4s,$dat3.4s
-+ zip1 $dat0.2d,$vt0.2d,$vt2.2d
-+ zip2 $dat1.2d,$vt0.2d,$vt2.2d
-+ zip1 $dat2.2d,$vt1.2d,$vt3.2d
-+ zip2 $dat3.2d,$vt1.2d,$vt3.2d
-+___
-+}
-+
-+# sbox operations for 4-lane of words
-+sub sbox() {
-+ my $dat = shift;
-+
-+$code.=<<___;
-+ movi @vtmp[0].16b,#64
-+ movi @vtmp[1].16b,#128
-+ movi @vtmp[2].16b,#192
-+ sub @vtmp[0].16b,$dat.16b,@vtmp[0].16b
-+ sub @vtmp[1].16b,$dat.16b,@vtmp[1].16b
-+ sub @vtmp[2].16b,$dat.16b,@vtmp[2].16b
-+ tbl $dat.16b,{@sbox[0].16b,@sbox[1].16b,@sbox[2].16b,@sbox[3].16b},$dat.16b
-+ tbl @vtmp[0].16b,{@sbox[4].16b,@sbox[5].16b,@sbox[6].16b,@sbox[7].16b},@vtmp[0].16b
-+ tbl @vtmp[1].16b,{@sbox[8].16b,@sbox[9].16b,@sbox[10].16b,@sbox[11].16b},@vtmp[1].16b
-+ tbl @vtmp[2].16b,{@sbox[12].16b,@sbox[13].16b,@sbox[14].16b,@sbox[15].16b},@vtmp[2].16b
-+ add @vtmp[0].2d,@vtmp[0].2d,@vtmp[1].2d
-+ add @vtmp[2].2d,@vtmp[2].2d,$dat.2d
-+ add $dat.2d,@vtmp[0].2d,@vtmp[2].2d
-+
-+ ushr @vtmp[0].4s,$dat.4s,32-2
-+ sli @vtmp[0].4s,$dat.4s,2
-+ ushr @vtmp[2].4s,$dat.4s,32-10
-+ eor @vtmp[1].16b,@vtmp[0].16b,$dat.16b
-+ sli @vtmp[2].4s,$dat.4s,10
-+ eor @vtmp[1].16b,@vtmp[2].16b,$vtmp[1].16b
-+ ushr @vtmp[0].4s,$dat.4s,32-18
-+ sli @vtmp[0].4s,$dat.4s,18
-+ ushr @vtmp[2].4s,$dat.4s,32-24
-+ eor @vtmp[1].16b,@vtmp[0].16b,$vtmp[1].16b
-+ sli @vtmp[2].4s,$dat.4s,24
-+ eor $dat.16b,@vtmp[2].16b,@vtmp[1].16b
-+___
-+}
-+
-+# sbox operation for 8-lane of words
-+sub sbox_double() {
-+ my $dat = shift;
-+ my $datx = shift;
-+
-+$code.=<<___;
-+ movi @vtmp[3].16b,#64
-+ sub @vtmp[0].16b,$dat.16b,@vtmp[3].16b
-+ sub @vtmp[1].16b,@vtmp[0].16b,@vtmp[3].16b
-+ sub @vtmp[2].16b,@vtmp[1].16b,@vtmp[3].16b
-+ tbl $dat.16b,{@sbox[0].16b,@sbox[1].16b,@sbox[2].16b,@sbox[3].16b},$dat.16b
-+ tbl @vtmp[0].16b,{@sbox[4].16b,@sbox[5].16b,@sbox[6].16b,@sbox[7].16b},@vtmp[0].16b
-+ tbl @vtmp[1].16b,{@sbox[8].16b,@sbox[9].16b,@sbox[10].16b,@sbox[11].16b},@vtmp[1].16b
-+ tbl @vtmp[2].16b,{@sbox[12].16b,@sbox[13].16b,@sbox[14].16b,@sbox[15].16b},@vtmp[2].16b
-+ add @vtmp[1].2d,@vtmp[0].2d,@vtmp[1].2d
-+ add $dat.2d,@vtmp[2].2d,$dat.2d
-+ add $dat.2d,@vtmp[1].2d,$dat.2d
-+
-+ sub @vtmp[0].16b,$datx.16b,@vtmp[3].16b
-+ sub @vtmp[1].16b,@vtmp[0].16b,@vtmp[3].16b
-+ sub @vtmp[2].16b,@vtmp[1].16b,@vtmp[3].16b
-+ tbl $datx.16b,{@sbox[0].16b,@sbox[1].16b,@sbox[2].16b,@sbox[3].16b},$datx.16b
-+ tbl @vtmp[0].16b,{@sbox[4].16b,@sbox[5].16b,@sbox[6].16b,@sbox[7].16b},@vtmp[0].16b
-+ tbl @vtmp[1].16b,{@sbox[8].16b,@sbox[9].16b,@sbox[10].16b,@sbox[11].16b},@vtmp[1].16b
-+ tbl @vtmp[2].16b,{@sbox[12].16b,@sbox[13].16b,@sbox[14].16b,@sbox[15].16b},@vtmp[2].16b
-+ add @vtmp[1].2d,@vtmp[0].2d,@vtmp[1].2d
-+ add $datx.2d,@vtmp[2].2d,$datx.2d
-+ add $datx.2d,@vtmp[1].2d,$datx.2d
-+
-+ ushr @vtmp[0].4s,$dat.4s,32-2
-+ sli @vtmp[0].4s,$dat.4s,2
-+ ushr @vtmp[2].4s,$datx.4s,32-2
-+ eor @vtmp[1].16b,@vtmp[0].16b,$dat.16b
-+ sli @vtmp[2].4s,$datx.4s,2
-+
-+ ushr @vtmp[0].4s,$dat.4s,32-10
-+ eor @vtmp[3].16b,@vtmp[2].16b,$datx.16b
-+ sli @vtmp[0].4s,$dat.4s,10
-+ ushr @vtmp[2].4s,$datx.4s,32-10
-+ eor @vtmp[1].16b,@vtmp[0].16b,$vtmp[1].16b
-+ sli @vtmp[2].4s,$datx.4s,10
-+
-+ ushr @vtmp[0].4s,$dat.4s,32-18
-+ eor @vtmp[3].16b,@vtmp[2].16b,$vtmp[3].16b
-+ sli @vtmp[0].4s,$dat.4s,18
-+ ushr @vtmp[2].4s,$datx.4s,32-18
-+ eor @vtmp[1].16b,@vtmp[0].16b,$vtmp[1].16b
-+ sli @vtmp[2].4s,$datx.4s,18
-+
-+ ushr @vtmp[0].4s,$dat.4s,32-24
-+ eor @vtmp[3].16b,@vtmp[2].16b,$vtmp[3].16b
-+ sli @vtmp[0].4s,$dat.4s,24
-+ ushr @vtmp[2].4s,$datx.4s,32-24
-+ eor $dat.16b,@vtmp[0].16b,@vtmp[1].16b
-+ sli @vtmp[2].4s,$datx.4s,24
-+ eor $datx.16b,@vtmp[2].16b,@vtmp[3].16b
-+___
-+}
-+
-+# sbox operation for one single word
-+sub sbox_1word () {
-+ my $word = shift;
-+
-+$code.=<<___;
-+ movi @vtmp[1].16b,#64
-+ movi @vtmp[2].16b,#128
-+ movi @vtmp[3].16b,#192
-+ mov @vtmp[0].s[0],$word
-+
-+ sub @vtmp[1].16b,@vtmp[0].16b,@vtmp[1].16b
-+ sub @vtmp[2].16b,@vtmp[0].16b,@vtmp[2].16b
-+ sub @vtmp[3].16b,@vtmp[0].16b,@vtmp[3].16b
-+
-+ tbl @vtmp[0].16b,{@sbox[0].16b,@sbox[1].16b,@sbox[2].16b,@sbox[3].16b},@vtmp[0].16b
-+ tbl @vtmp[1].16b,{@sbox[4].16b,@sbox[5].16b,@sbox[6].16b,@sbox[7].16b},@vtmp[1].16b
-+ tbl @vtmp[2].16b,{@sbox[8].16b,@sbox[9].16b,@sbox[10].16b,@sbox[11].16b},@vtmp[2].16b
-+ tbl @vtmp[3].16b,{@sbox[12].16b,@sbox[13].16b,@sbox[14].16b,@sbox[15].16b},@vtmp[3].16b
-+
-+ mov $word,@vtmp[0].s[0]
-+ mov $wtmp0,@vtmp[1].s[0]
-+ mov $wtmp2,@vtmp[2].s[0]
-+ add $wtmp0,$word,$wtmp0
-+ mov $word,@vtmp[3].s[0]
-+ add $wtmp0,$wtmp0,$wtmp2
-+ add $wtmp0,$wtmp0,$word
-+
-+ eor $word,$wtmp0,$wtmp0,ror #32-2
-+ eor $word,$word,$wtmp0,ror #32-10
-+ eor $word,$word,$wtmp0,ror #32-18
-+ eor $word,$word,$wtmp0,ror #32-24
-+___
-+}
-+
-+# sm4 for one block of data, in scalar registers word0/word1/word2/word3
-+sub sm4_1blk () {
-+ my $kptr = shift;
-+
-+$code.=<<___;
-+ ldp $wtmp0,$wtmp1,[$kptr],8
-+ // B0 ^= SBOX(B1 ^ B2 ^ B3 ^ RK0)
-+ eor $tmpw,$word2,$word3
-+ eor $wtmp2,$wtmp0,$word1
-+ eor $tmpw,$tmpw,$wtmp2
-+___
-+ &sbox_1word($tmpw);
-+$code.=<<___;
-+ eor $word0,$word0,$tmpw
-+ // B1 ^= SBOX(B0 ^ B2 ^ B3 ^ RK1)
-+ eor $tmpw,$word2,$word3
-+ eor $wtmp2,$word0,$wtmp1
-+ eor $tmpw,$tmpw,$wtmp2
-+___
-+ &sbox_1word($tmpw);
-+$code.=<<___;
-+ ldp $wtmp0,$wtmp1,[$kptr],8
-+ eor $word1,$word1,$tmpw
-+ // B2 ^= SBOX(B0 ^ B1 ^ B3 ^ RK2)
-+ eor $tmpw,$word0,$word1
-+ eor $wtmp2,$wtmp0,$word3
-+ eor $tmpw,$tmpw,$wtmp2
-+___
-+ &sbox_1word($tmpw);
-+$code.=<<___;
-+ eor $word2,$word2,$tmpw
-+ // B3 ^= SBOX(B0 ^ B1 ^ B2 ^ RK3)
-+ eor $tmpw,$word0,$word1
-+ eor $wtmp2,$word2,$wtmp1
-+ eor $tmpw,$tmpw,$wtmp2
-+___
-+ &sbox_1word($tmpw);
-+$code.=<<___;
-+ eor $word3,$word3,$tmpw
-+___
-+}
-+
-+# sm4 for 4-lanes of data, in neon registers data0/data1/data2/data3
-+sub sm4_4blks () {
-+ my $kptr = shift;
-+
-+$code.=<<___;
-+ ldp $wtmp0,$wtmp1,[$kptr],8
-+ dup $rk0.4s,$wtmp0
-+ dup $rk1.4s,$wtmp1
-+
-+ // B0 ^= SBOX(B1 ^ B2 ^ B3 ^ RK0)
-+ eor $rka.16b,@data[2].16b,@data[3].16b
-+ eor $rk0.16b,@data[1].16b,$rk0.16b
-+ eor $rk0.16b,$rka.16b,$rk0.16b
-+___
-+ &sbox($rk0);
-+$code.=<<___;
-+ eor @data[0].16b,@data[0].16b,$rk0.16b
-+
-+ // B1 ^= SBOX(B0 ^ B2 ^ B3 ^ RK1)
-+ eor $rka.16b,$rka.16b,@data[0].16b
-+ eor $rk1.16b,$rka.16b,$rk1.16b
-+___
-+ &sbox($rk1);
-+$code.=<<___;
-+ ldp $wtmp0,$wtmp1,[$kptr],8
-+ eor @data[1].16b,@data[1].16b,$rk1.16b
-+
-+ dup $rk0.4s,$wtmp0
-+ dup $rk1.4s,$wtmp1
-+
-+ // B2 ^= SBOX(B0 ^ B1 ^ B3 ^ RK2)
-+ eor $rka.16b,@data[0].16b,@data[1].16b
-+ eor $rk0.16b,@data[3].16b,$rk0.16b
-+ eor $rk0.16b,$rka.16b,$rk0.16b
-+___
-+ &sbox($rk0);
-+$code.=<<___;
-+ eor @data[2].16b,@data[2].16b,$rk0.16b
-+
-+ // B3 ^= SBOX(B0 ^ B1 ^ B2 ^ RK3)
-+ eor $rka.16b,$rka.16b,@data[2].16b
-+ eor $rk1.16b,$rka.16b,$rk1.16b
-+___
-+ &sbox($rk1);
-+$code.=<<___;
-+ eor @data[3].16b,@data[3].16b,$rk1.16b
-+___
-+}
-+
-+# sm4 for 8 lanes of data, in neon registers
-+# data0/data1/data2/data3 datax0/datax1/datax2/datax3
-+sub sm4_8blks () {
-+ my $kptr = shift;
-+
-+$code.=<<___;
-+ ldp $wtmp0,$wtmp1,[$kptr],8
-+ // B0 ^= SBOX(B1 ^ B2 ^ B3 ^ RK0)
-+ dup $rk0.4s,$wtmp0
-+ eor $rka.16b,@data[2].16b,@data[3].16b
-+ eor $rkb.16b,@datax[2].16b,@datax[3].16b
-+ eor @vtmp[0].16b,@data[1].16b,$rk0.16b
-+ eor @vtmp[1].16b,@datax[1].16b,$rk0.16b
-+ eor $rk0.16b,$rka.16b,@vtmp[0].16b
-+ eor $rk1.16b,$rkb.16b,@vtmp[1].16b
-+___
-+ &sbox_double($rk0,$rk1);
-+$code.=<<___;
-+ eor @data[0].16b,@data[0].16b,$rk0.16b
-+ eor @datax[0].16b,@datax[0].16b,$rk1.16b
-+
-+ // B1 ^= SBOX(B0 ^ B2 ^ B3 ^ RK1)
-+ dup $rk1.4s,$wtmp1
-+ eor $rka.16b,$rka.16b,@data[0].16b
-+ eor $rkb.16b,$rkb.16b,@datax[0].16b
-+ eor $rk0.16b,$rka.16b,$rk1.16b
-+ eor $rk1.16b,$rkb.16b,$rk1.16b
-+___
-+ &sbox_double($rk0,$rk1);
-+$code.=<<___;
-+ ldp $wtmp0,$wtmp1,[$kptr],8
-+ eor @data[1].16b,@data[1].16b,$rk0.16b
-+ eor @datax[1].16b,@datax[1].16b,$rk1.16b
-+
-+ // B2 ^= SBOX(B0 ^ B1 ^ B3 ^ RK2)
-+ dup $rk0.4s,$wtmp0
-+ eor $rka.16b,@data[0].16b,@data[1].16b
-+ eor $rkb.16b,@datax[0].16b,@datax[1].16b
-+ eor @vtmp[0].16b,@data[3].16b,$rk0.16b
-+ eor @vtmp[1].16b,@datax[3].16b,$rk0.16b
-+ eor $rk0.16b,$rka.16b,@vtmp[0].16b
-+ eor $rk1.16b,$rkb.16b,@vtmp[1].16b
-+___
-+ &sbox_double($rk0,$rk1);
-+$code.=<<___;
-+ eor @data[2].16b,@data[2].16b,$rk0.16b
-+ eor @datax[2].16b,@datax[2].16b,$rk1.16b
-+
-+ // B3 ^= SBOX(B0 ^ B1 ^ B2 ^ RK3)
-+ dup $rk1.4s,$wtmp1
-+ eor $rka.16b,$rka.16b,@data[2].16b
-+ eor $rkb.16b,$rkb.16b,@datax[2].16b
-+ eor $rk0.16b,$rka.16b,$rk1.16b
-+ eor $rk1.16b,$rkb.16b,$rk1.16b
-+___
-+ &sbox_double($rk0,$rk1);
-+$code.=<<___;
-+ eor @data[3].16b,@data[3].16b,$rk0.16b
-+ eor @datax[3].16b,@datax[3].16b,$rk1.16b
-+___
-+}
-+
-+sub encrypt_1blk_norev() {
-+ my $dat = shift;
-+
-+$code.=<<___;
-+ mov $ptr,$rks
-+ mov $counter,#8
-+ mov $word0,$dat.s[0]
-+ mov $word1,$dat.s[1]
-+ mov $word2,$dat.s[2]
-+ mov $word3,$dat.s[3]
-+10:
-+___
-+ &sm4_1blk($pt
r);
-+$code.=<<___;
-+ subs $counter,$counter,#1
-+ b.ne 10b
-+ mov $dat.s[0],$word3
-+ mov $dat.s[1],$word2
-+ mov $dat.s[2],$word1
-+ mov $dat.s[3],$word0
-+___
-+}
-+
-+sub encrypt_1blk() {
-+ my $dat = shift;
-+
-+ &encrypt_1blk_norev($dat);
-+ &rev32($dat,$dat);
-+}
-+
-+sub encrypt_4blks() {
-+$code.=<<___;
-+ mov $ptr,$rks
-+ mov $counter,#8
-+10:
-+___
-+ &sm4_4blks($ptr);
-+$code.=<<___;
-+ subs $counter,$counter,#1
-+ b.ne 10b
-+___
-+ &rev32(@vtmp[3],@data[0]);
-+ &rev32(@vtmp[2],@data[1]);
-+ &rev32(@vtmp[1],@data[2]);
-+ &rev32(@vtmp[0],@data[3]);
-+}
-+
-+sub encrypt_8blks() {
-+$code.=<<___;
-+ mov $ptr,$rks
-+ mov $counter,#8
-+10:
-+___
-+ &sm4_8blks($ptr);
-+$code.=<<___;
-+ subs $counter,$counter,#1
-+ b.ne 10b
-+___
-+ &rev32(@vtmp[3],@data[0]);
-+ &rev32(@vtmp[2],@data[1]);
-+ &rev32(@vtmp[1],@data[2]);
-+ &rev32(@vtmp[0],@data[3]);
-+ &rev32(@data[3],@datax[0]);
-+ &rev32(@data[2],@datax[1]);
-+ &rev32(@data[1],@datax[2]);
-+ &rev32(@data[0],@datax[3]);
-+}
-+
-+sub load_sbox () {
-+ my $data = shift;
-+
-+$code.=<<___;
-+ adr $ptr,.Lsbox
-+ ld1 {@sbox[0].4s,@sbox[1].4s,@sbox[2].4s,@sbox[3].4s},[$ptr],#64
-+ ld1 {@sbox[4].4s,@sbox[5].4s,@sbox[6].4s,@sbox[7].4s},[$ptr],#64
-+ ld1 {@sbox[8].4s,@sbox[9].4s,@sbox[10].4s,@sbox[11].4s},[$ptr],#64
-+ ld1 {@sbox[12].4s,@sbox[13].4s,@sbox[14].4s,@sbox[15].4s},[$ptr]
-+___
-+}
-+
-+$code=<<___;
-+#include "arm_arch.h"
-+.arch armv8-a
-+.text
-+
-+.type _vpsm4_consts,%object
-+.align 7
-+_vpsm4_consts:
-+.Lsbox:
-+ .byte 0xD6,0x90,0xE9,0xFE,0xCC,0xE1,0x3D,0xB7,0x16,0xB6,0x14,0xC2,0x28,0xFB,0x2C,0x05
-+ .byte 0x2B,0x67,0x9A,0x76,0x2A,0xBE,0x04,0xC3,0xAA,0x44,0x13,0x26,0x49,0x86,0x06,0x99
-+ .byte 0x9C,0x42,0x50,0xF4,0x91,0xEF,0x98,0x7A,0x33,0x54,0x0B,0x43,0xED,0xCF,0xAC,0x62
-+ .byte 0xE4,0xB3,0x1C,0xA9,0xC9,0x08,0xE8,0x95,0x80,0xDF,0x94,0xFA,0x75,0x8F,0x3F,0xA6
-+ .byte 0x47,0x07,0xA7,0xFC,0xF3,0x73,0x17,0xBA,0x83,0x59,0x3C,0x19,0xE6,0x85,0x4F,0xA8
-+ .byte 0x68,0x6B,0x81,0xB2,0x71,0x64,0xDA,0x8B,0xF8,0xEB,0x0F,0x4B,0x70,0x56,0x9D,0x35
-+ .byte 0x1E,0x24,0x0E,0x5E,0x63,0x58,0xD1,0xA2,0x25,0x22,0x7C,0x3B,0x01,0x21,0x78,0x87
-+ .byte 0xD4,0x00,0x46,0x57,0x9F,0xD3,0x27,0x52,0x4C,0x36,0x02,0xE7,0xA0,0xC4,0xC8,0x9E
-+ .byte 0xEA,0xBF,0x8A,0xD2,0x40,0xC7,0x38,0xB5,0xA3,0xF7,0xF2,0xCE,0xF9,0x61,0x15,0xA1
-+ .byte 0xE0,0xAE,0x5D,0xA4,0x9B,0x34,0x1A,0x55,0xAD,0x93,0x32,0x30,0xF5,0x8C,0xB1,0xE3
-+ .byte 0x1D,0xF6,0xE2,0x2E,0x82,0x66,0xCA,0x60,0xC0,0x29,0x23,0xAB,0x0D,0x53,0x4E,0x6F
-+ .byte 0xD5,0xDB,0x37,0x45,0xDE,0xFD,0x8E,0x2F,0x03,0xFF,0x6A,0x72,0x6D,0x6C,0x5B,0x51
-+ .byte 0x8D,0x1B,0xAF,0x92,0xBB,0xDD,0xBC,0x7F,0x11,0xD9,0x5C,0x41,0x1F,0x10,0x5A,0xD8
-+ .byte 0x0A,0xC1,0x31,0x88,0xA5,0xCD,0x7B,0xBD,0x2D,0x74,0xD0,0x12,0xB8,0xE5,0xB4,0xB0
-+ .byte 0x89,0x69,0x97,0x4A,0x0C,0x96,0x77,0x7E,0x65,0xB9,0xF1,0x09,0xC5,0x6E,0xC6,0x84
-+ .byte 0x18,0xF0,0x7D,0xEC,0x3A,0xDC,0x4D,0x20,0x79,0xEE,0x5F,0x3E,0xD7,0xCB,0x39,0x48
-+.Lck:
-+ .long 0x00070E15, 0x1C232A31, 0x383F464D, 0x545B6269
-+ .long 0x70777E85, 0x8C939AA1, 0xA8AFB6BD, 0xC4CBD2D9
-+ .long 0xE0E7EEF5, 0xFC030A11, 0x181F262D, 0x343B4249
-+ .long 0x50575E65, 0x6C737A81, 0x888F969D, 0xA4ABB2B9
-+ .long 0xC0C7CED5, 0xDCE3EAF1, 0xF8FF060D, 0x141B2229
-+ .long 0x30373E45, 0x4C535A61, 0x686F767D, 0x848B9299
-+ .long 0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209
-+ .long 0x10171E25, 0x2C333A41, 0x484F565D, 0x646B7279
-+.Lfk:
-+ .dword 0x56aa3350a3b1bac6,0xb27022dc677d9197
-+.Lshuffles:
-+ .dword 0x0B0A090807060504,0x030201000F0E0D0C
-+
-+.size _vpsm4_consts,.-_vpsm4_consts
-+___
-+
-+{{{
-+my ($key,$keys,$enc)=("x0","x1","w2");
-+my ($pointer,$schedules,$wtmp,$roundkey)=("x5","x6","w7","w8");
-+my 
($vkey,$vfk,$vmap)=("v5","v6","v7"); -+$code.=<<___; -+.type _vpsm4_set_key,%function -+.align 4 -+_vpsm4_set_key: -+ AARCH64_VALID_CALL_TARGET -+ ld1 {$vkey.4s},[$key] -+___ -+ &load_sbox(); -+ &rev32($vkey,$vkey); -+$code.=<<___; -+ adr $pointer,.Lshuffles -+ ld1 {$vmap.4s},[$pointer] -+ adr $pointer,.Lfk -+ ld1 {$vfk.4s},[$pointer] -+ eor $vkey.16b,$vkey.16b,$vfk.16b -+ mov $schedules,#32 -+ adr $pointer,.Lck -+ movi @vtmp[0].16b,#64 -+ cbnz $enc,1f -+ add $keys,$keys,124 -+1: -+ mov $wtmp,$vkey.s[1] -+ ldr $roundkey,[$pointer],#4 -+ eor $roundkey,$roundkey,$wtmp -+ mov $wtmp,$vkey.s[2] -+ eor $roundkey,$roundkey,$wtmp -+ mov $wtmp,$vkey.s[3] -+ eor $roundkey,$roundkey,$wtmp -+ // sbox lookup -+ mov @data[0].s[0],$roundkey -+ tbl @vtmp[1].16b,{@sbox[0].16b,@sbox[1].16b,@sbox[2].16b,@sbox[3].16b},@data[0].16b -+ sub @data[0].16b,@data[0].16b,@vtmp[0].16b -+ tbx @vtmp[1].16b,{@sbox[4].16b,@sbox[5].16b,@sbox[6].16b,@sbox[7].16b},@data[0].16b -+ sub @data[0].16b,@data[0].16b,@vtmp[0].16b -+ tbx @vtmp[1].16b,{@sbox[8].16b,@sbox[9].16b,@sbox[10].16b,@sbox[11].16b},@data[0].16b -+ sub @data[0].16b,@data[0].16b,@vtmp[0].16b -+ tbx @vtmp[1].16b,{@sbox[12].16b,@sbox[13].16b,@sbox[14].16b,@sbox[15].16b},@data[0].16b -+ mov $wtmp,@vtmp[1].s[0] -+ eor $roundkey,$wtmp,$wtmp,ror #19 -+ eor $roundkey,$roundkey,$wtmp,ror #9 -+ mov $wtmp,$vkey.s[0] -+ eor $roundkey,$roundkey,$wtmp -+ mov $vkey.s[0],$roundkey -+ cbz $enc,2f -+ str $roundkey,[$keys],#4 -+ b 3f -+2: -+ str $roundkey,[$keys],#-4 -+3: -+ tbl $vkey.16b,{$vkey.16b},$vmap.16b -+ subs $schedules,$schedules,#1 -+ b.ne 1b -+ ret -+.size _vpsm4_set_key,.-_vpsm4_set_key -+___ -+}}} -+ -+ -+{{{ -+$code.=<<___; -+.type _vpsm4_enc_4blks,%function -+.align 4 -+_vpsm4_enc_4blks: -+ AARCH64_VALID_CALL_TARGET -+___ -+ &encrypt_4blks(); -+$code.=<<___; -+ ret -+.size _vpsm4_enc_4blks,.-_vpsm4_enc_4blks -+___ -+}}} -+ -+{{{ -+$code.=<<___; -+.type _vpsm4_enc_8blks,%function -+.align 4 -+_vpsm4_enc_8blks: -+ AARCH64_VALID_CALL_TARGET 
-+___ -+ &encrypt_8blks(); -+$code.=<<___; -+ ret -+.size _vpsm4_enc_8blks,.-_vpsm4_enc_8blks -+___ -+}}} -+ -+ -+{{{ -+my ($key,$keys)=("x0","x1"); -+$code.=<<___; -+.globl ${prefix}_set_encrypt_key -+.type ${prefix}_set_encrypt_key,%function -+.align 5 -+${prefix}_set_encrypt_key: -+ AARCH64_SIGN_LINK_REGISTER -+ stp x29,x30,[sp,#-16]! -+ mov w2,1 -+ bl _vpsm4_set_key -+ ldp x29,x30,[sp],#16 -+ AARCH64_VALIDATE_LINK_REGISTER -+ ret -+.size ${prefix}_set_encrypt_key,.-${prefix}_set_encrypt_key -+___ -+}}} -+ -+{{{ -+my ($key,$keys)=("x0","x1"); -+$code.=<<___; -+.globl ${prefix}_set_decrypt_key -+.type ${prefix}_set_decrypt_key,%function -+.align 5 -+${prefix}_set_decrypt_key: -+ AARCH64_SIGN_LINK_REGISTER -+ stp x29,x30,[sp,#-16]! -+ mov w2,0 -+ bl _vpsm4_set_key -+ ldp x29,x30,[sp],#16 -+ AARCH64_VALIDATE_LINK_REGISTER -+ ret -+.size ${prefix}_set_decrypt_key,.-${prefix}_set_decrypt_key -+___ -+}}} -+ -+{{{ -+sub gen_block () { -+ my $dir = shift; -+ my ($inp,$outp,$rk)=map("x$_",(0..2)); -+ -+$code.=<<___; -+.globl ${prefix}_${dir}crypt -+.type ${prefix}_${dir}crypt,%function -+.align 5 -+${prefix}_${dir}crypt: -+ AARCH64_VALID_CALL_TARGET -+ ld1 {@data[0].16b},[$inp] -+___ -+ &load_sbox(); -+ &rev32(@data[0],@data[0]); -+$code.=<<___; -+ mov $rks,x2 -+___ -+ &encrypt_1blk(@data[0]); -+$code.=<<___; -+ st1 {@data[0].16b},[$outp] -+ ret -+.size ${prefix}_${dir}crypt,.-${prefix}_${dir}crypt -+___ -+} -+&gen_block("en"); -+&gen_block("de"); -+}}} -+ -+{{{ -+my ($enc) = ("w4"); -+my @dat=map("v$_",(16..23)); -+ -+$code.=<<___; -+.globl ${prefix}_ecb_encrypt -+.type ${prefix}_ecb_encrypt,%function -+.align 5 -+${prefix}_ecb_encrypt: -+ AARCH64_SIGN_LINK_REGISTER -+ // convert length into blocks -+ lsr x2,x2,4 -+ stp d8,d9,[sp,#-80]! 
-+ stp d10,d11,[sp,#16] -+ stp d12,d13,[sp,#32] -+ stp d14,d15,[sp,#48] -+ stp x29,x30,[sp,#64] -+___ -+ &load_sbox(); -+$code.=<<___; -+.Lecb_8_blocks_process: -+ cmp $blocks,#8 -+ b.lt .Lecb_4_blocks_process -+ ld4 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64 -+ ld4 {@datax[0].4s,$datax[1].4s,@datax[2].4s,@datax[3].4s},[$inp],#64 -+___ -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],@data[3]); -+ &rev32(@datax[0],@datax[0]); -+ &rev32(@datax[1],@datax[1]); -+ &rev32(@datax[2],@datax[2]); -+ &rev32(@datax[3],@datax[3]); -+$code.=<<___; -+ bl _vpsm4_enc_8blks -+ st4 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 -+ st4 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$outp],#64 -+ subs $blocks,$blocks,#8 -+ b.gt .Lecb_8_blocks_process -+ b 100f -+.Lecb_4_blocks_process: -+ cmp $blocks,#4 -+ b.lt 1f -+ ld4 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64 -+___ -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],@data[3]); -+$code.=<<___; -+ bl _vpsm4_enc_4blks -+ st4 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 -+ sub $blocks,$blocks,#4 -+1: -+ // process last block -+ cmp $blocks,#1 -+ b.lt 100f -+ b.gt 1f -+ ld1 {@data[0].16b},[$inp] -+___ -+ &rev32(@data[0],@data[0]); -+ &encrypt_1blk(@data[0]); -+$code.=<<___; -+ st1 {@data[0].16b},[$outp] -+ b 100f -+1: // process last 2 blocks -+ ld4 {@data[0].s,@data[1].s,@data[2].s,@data[3].s}[0],[$inp],#16 -+ ld4 {@data[0].s,@data[1].s,@data[2].s,@data[3].s}[1],[$inp],#16 -+ cmp $blocks,#2 -+ b.gt 1f -+___ -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],@data[3]); -+$code.=<<___; -+ bl _vpsm4_enc_4blks -+ st4 {@vtmp[0].s-@vtmp[3].s}[0],[$outp],#16 -+ st4 {@vtmp[0].s-@vtmp[3].s}[1],[$outp] -+ b 100f -+1: // process last 3 blocks -+ ld4 
{@data[0].s,@data[1].s,@data[2].s,@data[3].s}[2],[$inp],#16 -+___ -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],@data[3]); -+$code.=<<___; -+ bl _vpsm4_enc_4blks -+ st4 {@vtmp[0].s-@vtmp[3].s}[0],[$outp],#16 -+ st4 {@vtmp[0].s-@vtmp[3].s}[1],[$outp],#16 -+ st4 {@vtmp[0].s-@vtmp[3].s}[2],[$outp] -+100: -+ ldp d10,d11,[sp,#16] -+ ldp d12,d13,[sp,#32] -+ ldp d14,d15,[sp,#48] -+ ldp x29,x30,[sp,#64] -+ ldp d8,d9,[sp],#80 -+ AARCH64_VALIDATE_LINK_REGISTER -+ ret -+.size ${prefix}_ecb_encrypt,.-${prefix}_ecb_encrypt -+___ -+}}} -+ -+{{{ -+my ($len,$ivp,$enc)=("x2","x4","w5"); -+my $ivec0=("v3"); -+my $ivec1=("v15"); -+ -+$code.=<<___; -+.globl ${prefix}_cbc_encrypt -+.type ${prefix}_cbc_encrypt,%function -+.align 5 -+${prefix}_cbc_encrypt: -+ AARCH64_VALID_CALL_TARGET -+ lsr $len,$len,4 -+___ -+ &load_sbox(); -+$code.=<<___; -+ cbz $enc,.Ldec -+ ld1 {$ivec0.4s},[$ivp] -+.Lcbc_4_blocks_enc: -+ cmp $blocks,#4 -+ b.lt 1f -+ ld1 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64 -+ eor @data[0].16b,@data[0].16b,$ivec0.16b -+___ -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],@data[3]); -+ &encrypt_1blk_norev(@data[0]); -+$code.=<<___; -+ eor @data[1].16b,@data[1].16b,@data[0].16b -+___ -+ &encrypt_1blk_norev(@data[1]); -+ &rev32(@data[0],@data[0]); -+ -+$code.=<<___; -+ eor @data[2].16b,@data[2].16b,@data[1].16b -+___ -+ &encrypt_1blk_norev(@data[2]); -+ &rev32(@data[1],@data[1]); -+$code.=<<___; -+ eor @data[3].16b,@data[3].16b,@data[2].16b -+___ -+ &encrypt_1blk_norev(@data[3]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],@data[3]); -+$code.=<<___; -+ orr $ivec0.16b,@data[3].16b,@data[3].16b -+ st1 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$outp],#64 -+ subs $blocks,$blocks,#4 -+ b.ne .Lcbc_4_blocks_enc -+ b 2f -+1: -+ subs $blocks,$blocks,#1 -+ b.lt 2f -+ ld1 {@data[0].4s},[$inp],#16 -+ eor $ivec0.16b,$ivec0.16b,@data[0].16b 
-+___ -+ &rev32($ivec0,$ivec0); -+ &encrypt_1blk($ivec0); -+$code.=<<___; -+ st1 {$ivec0.16b},[$outp],#16 -+ b 1b -+2: -+ // save back IV -+ st1 {$ivec0.16b},[$ivp] -+ ret -+ -+.Ldec: -+ // decryption mode starts -+ AARCH64_SIGN_LINK_REGISTER -+ stp d8,d9,[sp,#-80]! -+ stp d10,d11,[sp,#16] -+ stp d12,d13,[sp,#32] -+ stp d14,d15,[sp,#48] -+ stp x29,x30,[sp,#64] -+.Lcbc_8_blocks_dec: -+ cmp $blocks,#8 -+ b.lt 1f -+ ld4 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp] -+ add $ptr,$inp,#64 -+ ld4 {@datax[0].4s,@datax[1].4s,@datax[2].4s,@datax[3].4s},[$ptr] -+___ -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],$data[3]); -+ &rev32(@datax[0],@datax[0]); -+ &rev32(@datax[1],@datax[1]); -+ &rev32(@datax[2],@datax[2]); -+ &rev32(@datax[3],$datax[3]); -+$code.=<<___; -+ bl _vpsm4_enc_8blks -+___ -+ &transpose(@vtmp,@datax); -+ &transpose(@data,@datax); -+$code.=<<___; -+ ld1 {$ivec1.16b},[$ivp] -+ ld1 {@datax[0].4s,@datax[1].4s,@datax[2].4s,@datax[3].4s},[$inp],#64 -+ // note ivec1 and vtmpx[3] are resuing the same register -+ // care needs to be taken to avoid conflict -+ eor @vtmp[0].16b,@vtmp[0].16b,$ivec1.16b -+ ld1 {@vtmpx[0].4s,@vtmpx[1].4s,@vtmpx[2].4s,@vtmpx[3].4s},[$inp],#64 -+ eor @vtmp[1].16b,@vtmp[1].16b,@datax[0].16b -+ eor @vtmp[2].16b,@vtmp[2].16b,@datax[1].16b -+ eor @vtmp[3].16b,$vtmp[3].16b,@datax[2].16b -+ // save back IV -+ st1 {$vtmpx[3].16b}, [$ivp] -+ eor @data[0].16b,@data[0].16b,$datax[3].16b -+ eor @data[1].16b,@data[1].16b,@vtmpx[0].16b -+ eor @data[2].16b,@data[2].16b,@vtmpx[1].16b -+ eor @data[3].16b,$data[3].16b,@vtmpx[2].16b -+ st1 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 -+ st1 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$outp],#64 -+ subs $blocks,$blocks,#8 -+ b.gt .Lcbc_8_blocks_dec -+ b.eq 100f -+1: -+ ld1 {$ivec1.16b},[$ivp] -+.Lcbc_4_blocks_dec: -+ cmp $blocks,#4 -+ b.lt 1f -+ ld4 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp] -+___ 
-+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],$data[3]); -+$code.=<<___; -+ bl _vpsm4_enc_4blks -+ ld1 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64 -+___ -+ &transpose(@vtmp,@datax); -+$code.=<<___; -+ eor @vtmp[0].16b,@vtmp[0].16b,$ivec1.16b -+ eor @vtmp[1].16b,@vtmp[1].16b,@data[0].16b -+ orr $ivec1.16b,@data[3].16b,@data[3].16b -+ eor @vtmp[2].16b,@vtmp[2].16b,@data[1].16b -+ eor @vtmp[3].16b,$vtmp[3].16b,@data[2].16b -+ st1 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 -+ subs $blocks,$blocks,#4 -+ b.gt .Lcbc_4_blocks_dec -+ // save back IV -+ st1 {@vtmp[3].16b}, [$ivp] -+ b 100f -+1: // last block -+ subs $blocks,$blocks,#1 -+ b.lt 100f -+ b.gt 1f -+ ld1 {@data[0].4s},[$inp],#16 -+ // save back IV -+ st1 {$data[0].16b}, [$ivp] -+___ -+ &rev32(@datax[0],@data[0]); -+ &encrypt_1blk(@datax[0]); -+$code.=<<___; -+ eor @datax[0].16b,@datax[0].16b,$ivec1.16b -+ st1 {@datax[0].16b},[$outp],#16 -+ b 100f -+1: // last two blocks -+ ld4 {@data[0].s,@data[1].s,@data[2].s,@data[3].s}[0],[$inp] -+ add $ptr,$inp,#16 -+ ld4 {@data[0].s,@data[1].s,@data[2].s,@data[3].s}[1],[$ptr],#16 -+ subs $blocks,$blocks,1 -+ b.gt 1f -+___ -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],@data[3]); -+$code.=<<___; -+ bl _vpsm4_enc_4blks -+ ld1 {@data[0].4s,@data[1].4s},[$inp],#32 -+___ -+ &transpose(@vtmp,@datax); -+$code.=<<___; -+ eor @vtmp[0].16b,@vtmp[0].16b,$ivec1.16b -+ eor @vtmp[1].16b,@vtmp[1].16b,@data[0].16b -+ st1 {@vtmp[0].4s,@vtmp[1].4s},[$outp],#32 -+ // save back IV -+ st1 {@data[1].16b}, [$ivp] -+ b 100f -+1: // last 3 blocks -+ ld4 {@data[0].s,@data[1].s,@data[2].s,@data[3].s}[2],[$ptr] -+___ -+ &rev32(@data[0],@data[0]); -+ &rev32(@data[1],@data[1]); -+ &rev32(@data[2],@data[2]); -+ &rev32(@data[3],@data[3]); -+$code.=<<___; -+ bl _vpsm4_enc_4blks -+ ld1 {@data[0].4s,@data[1].4s,@data[2].4s},[$inp],#48 -+___ -+ 
&transpose(@vtmp,@datax); -+$code.=<<___; -+ eor @vtmp[0].16b,@vtmp[0].16b,$ivec1.16b -+ eor @vtmp[1].16b,@vtmp[1].16b,@data[0].16b -+ eor @vtmp[2].16b,@vtmp[2].16b,@data[1].16b -+ st1 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s},[$outp],#48 -+ // save back IV -+ st1 {@data[2].16b}, [$ivp] -+100: -+ ldp d10,d11,[sp,#16] -+ ldp d12,d13,[sp,#32] -+ ldp d14,d15,[sp,#48] -+ ldp x29,x30,[sp,#64] -+ ldp d8,d9,[sp],#80 -+ AARCH64_VALIDATE_LINK_REGISTER -+ ret -+.size ${prefix}_cbc_encrypt,.-${prefix}_cbc_encrypt -+___ -+}}} -+ -+{{{ -+my ($ivp)=("x4"); -+my ($ctr)=("w5"); -+my $ivec=("v3"); -+ -+$code.=<<___; -+.globl ${prefix}_ctr32_encrypt_blocks -+.type ${prefix}_ctr32_encrypt_blocks,%function -+.align 5 -+${prefix}_ctr32_encrypt_blocks: -+ AARCH64_VALID_CALL_TARGET -+ ld1 {$ivec.4s},[$ivp] -+___ -+ &rev32($ivec,$ivec); -+ &load_sbox(); -+$code.=<<___; -+ cmp $blocks,#1 -+ b.ne 1f -+ // fast processing for one single block without -+ // context saving overhead -+___ -+ &encrypt_1blk($ivec); -+$code.=<<___; -+ ld1 {@data[0].16b},[$inp] -+ eor @data[0].16b,@data[0].16b,$ivec.16b -+ st1 {@data[0].16b},[$outp] -+ ret -+1: -+ AARCH64_SIGN_LINK_REGISTER -+ stp d8,d9,[sp,#-80]! 
-+ stp d10,d11,[sp,#16] -+ stp d12,d13,[sp,#32] -+ stp d14,d15,[sp,#48] -+ stp x29,x30,[sp,#64] -+ mov $word0,$ivec.s[0] -+ mov $word1,$ivec.s[1] -+ mov $word2,$ivec.s[2] -+ mov $ctr,$ivec.s[3] -+.Lctr32_4_blocks_process: -+ cmp $blocks,#4 -+ b.lt 1f -+ dup @data[0].4s,$word0 -+ dup @data[1].4s,$word1 -+ dup @data[2].4s,$word2 -+ mov @data[3].s[0],$ctr -+ add $ctr,$ctr,#1 -+ mov $data[3].s[1],$ctr -+ add $ctr,$ctr,#1 -+ mov @data[3].s[2],$ctr -+ add $ctr,$ctr,#1 -+ mov @data[3].s[3],$ctr -+ add $ctr,$ctr,#1 -+ cmp $blocks,#8 -+ b.ge .Lctr32_8_blocks_process -+ bl _vpsm4_enc_4blks -+ ld4 {@vtmpx[0].4s,@vtmpx[1].4s,@vtmpx[2].4s,@vtmpx[3].4s},[$inp],#64 -+ eor @vtmp[0].16b,@vtmp[0].16b,@vtmpx[0].16b -+ eor @vtmp[1].16b,@vtmp[1].16b,@vtmpx[1].16b -+ eor @vtmp[2].16b,@vtmp[2].16b,@vtmpx[2].16b -+ eor @vtmp[3].16b,@vtmp[3].16b,@vtmpx[3].16b -+ st4 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 -+ subs $blocks,$blocks,#4 -+ b.ne .Lctr32_4_blocks_process -+ b 100f -+.Lctr32_8_blocks_process: -+ dup @datax[0].4s,$word0 -+ dup @datax[1].4s,$word1 -+ dup @datax[2].4s,$word2 -+ mov @datax[3].s[0],$ctr -+ add $ctr,$ctr,#1 -+ mov $datax[3].s[1],$ctr -+ add $ctr,$ctr,#1 -+ mov @datax[3].s[2],$ctr -+ add $ctr,$ctr,#1 -+ mov @datax[3].s[3],$ctr -+ add $ctr,$ctr,#1 -+ bl _vpsm4_enc_8blks -+ ld4 {@vtmpx[0].4s,@vtmpx[1].4s,@vtmpx[2].4s,@vtmpx[3].4s},[$inp],#64 -+ ld4 {@datax[0].4s,@datax[1].4s,@datax[2].4s,@datax[3].4s},[$inp],#64 -+ eor @vtmp[0].16b,@vtmp[0].16b,@vtmpx[0].16b -+ eor @vtmp[1].16b,@vtmp[1].16b,@vtmpx[1].16b -+ eor @vtmp[2].16b,@vtmp[2].16b,@vtmpx[2].16b -+ eor @vtmp[3].16b,@vtmp[3].16b,@vtmpx[3].16b -+ eor @data[0].16b,@data[0].16b,@datax[0].16b -+ eor @data[1].16b,@data[1].16b,@datax[1].16b -+ eor @data[2].16b,@data[2].16b,@datax[2].16b -+ eor @data[3].16b,@data[3].16b,@datax[3].16b -+ st4 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 -+ st4 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$outp],#64 -+ subs $blocks,$blocks,#8 -+ b.ne 
.Lctr32_4_blocks_process -+ b 100f -+1: // last block processing -+ subs $blocks,$blocks,#1 -+ b.lt 100f -+ b.gt 1f -+ mov $ivec.s[0],$word0 -+ mov $ivec.s[1],$word1 -+ mov $ivec.s[2],$word2 -+ mov $ivec.s[3],$ctr -+___ -+ &encrypt_1blk($ivec); -+$code.=<<___; -+ ld1 {@data[0].16b},[$inp] -+ eor @data[0].16b,@data[0].16b,$ivec.16b -+ st1 {@data[0].16b},[$outp] -+ b 100f -+1: // last 2 blocks processing -+ dup @data[0].4s,$word0 -+ dup @data[1].4s,$word1 -+ dup @data[2].4s,$word2 -+ mov @data[3].s[0],$ctr -+ add $ctr,$ctr,#1 -+ mov @data[3].s[1],$ctr -+ subs $blocks,$blocks,#1 -+ b.ne 1f -+ bl _vpsm4_enc_4blks -+ ld4 {@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[0],[$inp],#16 -+ ld4 {@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[1],[$inp],#16 -+ eor @vtmp[0].16b,@vtmp[0].16b,@vtmpx[0].16b -+ eor @vtmp[1].16b,@vtmp[1].16b,@vtmpx[1].16b -+ eor @vtmp[2].16b,@vtmp[2].16b,@vtmpx[2].16b -+ eor @vtmp[3].16b,@vtmp[3].16b,@vtmpx[3].16b -+ st4 {@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[0],[$outp],#16 -+ st4 {@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[1],[$outp],#16 -+ b 100f -+1: // last 3 blocks processing -+ add $ctr,$ctr,#1 -+ mov @data[3].s[2],$ctr -+ bl _vpsm4_enc_4blks -+ ld4 {@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[0],[$inp],#16 -+ ld4 {@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[1],[$inp],#16 -+ ld4 {@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[2],[$inp],#16 -+ eor @vtmp[0].16b,@vtmp[0].16b,@vtmpx[0].16b -+ eor @vtmp[1].16b,@vtmp[1].16b,@vtmpx[1].16b -+ eor @vtmp[2].16b,@vtmp[2].16b,@vtmpx[2].16b -+ eor @vtmp[3].16b,@vtmp[3].16b,@vtmpx[3].16b -+ st4 {@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[0],[$outp],#16 -+ st4 {@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[1],[$outp],#16 -+ st4 {@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[2],[$outp],#16 -+100: -+ ldp d10,d11,[sp,#16] -+ ldp d12,d13,[sp,#32] -+ ldp d14,d15,[sp,#48] -+ ldp x29,x30,[sp,#64] -+ ldp d8,d9,[sp],#80 -+ AARCH64_VALIDATE_LINK_REGISTER -+ ret -+.size 
${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks
-+___
-+}}}
-+########################################
-+open SELF,$0;
-+while() {
-+ next if (/^#!/);
-+ last if (!s/^#/\/\// and !/^$/);
-+ print;
-+}
-+close SELF;
-+
-+foreach(split("\n",$code)) {
-+ s/\`([^\`]*)\`/eval($1)/ge;
-+ print $_,"\n";
-+}
-+
-+close STDOUT or die "error closing STDOUT: $!";
-diff --git a/crypto/sm4/build.info b/crypto/sm4/build.info
-index e27aa49e67..75a215ab80 100644
---- a/crypto/sm4/build.info
-+++ b/crypto/sm4/build.info
-@@ -1,8 +1,8 @@
- LIBS=../../libcrypto
-
- IF[{- !$disabled{asm} -}]
-- $SM4DEF_aarch64=SM4_ASM
-- $SM4ASM_aarch64=sm4-armv8.S
-+ $SM4DEF_aarch64=SM4_ASM VPSM4_ASM
-+ $SM4ASM_aarch64=sm4-armv8.S vpsm4-armv8.S
-
- # Now that we have defined all the arch specific variables, use the
- # appropriate one, and define the appropriate macros
-@@ -29,4 +29,6 @@ IF[{- !$disabled{module} && !$disabled{shared} -}]
- ENDIF
-
- GENERATE[sm4-armv8.S]=asm/sm4-armv8.pl
-+GENERATE[vpsm4-armv8.S]=asm/vpsm4-armv8.pl
- INCLUDE[sm4-armv8.o]=..
-+INCLUDE[vpsm4-armv8.o]=..
-diff --git a/include/crypto/sm4_platform.h b/include/crypto/sm4_platform.h
-index 42c8b44a43..11f9b9d88b 100644
---- a/include/crypto/sm4_platform.h
-+++ b/include/crypto/sm4_platform.h
-@@ -15,6 +15,16 @@
- # if (defined(__arm__) || defined(__arm) || defined(__aarch64__))
- # include "arm_arch.h"
- # if __ARM_MAX_ARCH__>=8
-+extern unsigned int OPENSSL_arm_midr;
-+static inline int vpsm4_capable(void)
-+{
-+ return (OPENSSL_armcap_P & ARMV8_CPUID) &&
-+ (MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_V1) ||
-+ MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_N1));
-+}
-+# if defined(VPSM4_ASM)
-+# define VPSM4_CAPABLE vpsm4_capable()
-+# endif
- # define HWSM4_CAPABLE (OPENSSL_armcap_P & ARMV8_SM4)
- # define HWSM4_set_encrypt_key sm4_v8_set_encrypt_key
- # define HWSM4_set_decrypt_key sm4_v8_set_decrypt_key
-@@ -45,4 +55,23 @@ void HWSM4_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
- const unsigned char ivec[16]);
- # endif /* HWSM4_CAPABLE */
-
-+#ifdef VPSM4_CAPABLE
-+int vpsm4_set_encrypt_key(const unsigned char *userKey, SM4_KEY *key);
-+int vpsm4_set_decrypt_key(const unsigned char *userKey, SM4_KEY *key);
-+void vpsm4_encrypt(const unsigned char *in, unsigned char *out,
-+ const SM4_KEY *key);
-+void vpsm4_decrypt(const unsigned char *in, unsigned char *out,
-+ const SM4_KEY *key);
-+void vpsm4_cbc_encrypt(const unsigned char *in, unsigned char *out,
-+ size_t length, const SM4_KEY *key,
-+ unsigned char *ivec, const int enc);
-+void vpsm4_ecb_encrypt(const unsigned char *in, unsigned char *out,
-+ size_t length, const SM4_KEY *key,
-+ const int enc);
-+void vpsm4_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
-+ size_t len, const void *key,
-+ const unsigned char ivec[16]);
-+# endif /* VPSM4_CAPABLE */
-+
-+
- #endif /* OSSL_SM4_PLATFORM_H */
-diff --git a/providers/implementations/ciphers/cipher_sm4_gcm_hw.c b/providers/implementations/ciphers/cipher_sm4_gcm_hw.c
-index
b9633f83ed..db7fe0fe2f 100644
---- a/providers/implementations/ciphers/cipher_sm4_gcm_hw.c
-+++ b/providers/implementations/ciphers/cipher_sm4_gcm_hw.c
-@@ -32,6 +32,13 @@ static int sm4_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key,
- # endif
- } else
- # endif /* HWSM4_CAPABLE */
-+# ifdef VPSM4_CAPABLE
-+ if (VPSM4_CAPABLE) {
-+ vpsm4_set_encrypt_key(key, ks);
-+ CRYPTO_gcm128_init(&ctx->gcm, ks, (block128_f) vpsm4_encrypt);
-+ ctx->ctr = (ctr128_f) vpsm4_ctr32_encrypt_blocks;
-+ } else
-+# endif /* VPSM4_CAPABLE */
- {
- ossl_sm4_set_key(key, ks);
- CRYPTO_gcm128_init(&ctx->gcm, ks, (block128_f)ossl_sm4_encrypt);
-diff --git a/providers/implementations/ciphers/cipher_sm4_hw.c b/providers/implementations/ciphers/cipher_sm4_hw.c
-index 4cd3d3d669..9a2e99f67c 100644
---- a/providers/implementations/ciphers/cipher_sm4_hw.c
-+++ b/providers/implementations/ciphers/cipher_sm4_hw.c
-@@ -41,6 +41,19 @@ static int cipher_hw_sm4_initkey(PROV_CIPHER_CTX *ctx,
- #endif
- (void)0; /* terminate potentially open 'else' */
- } else
-+#endif
-+#ifdef VPSM4_CAPABLE
-+ if (VPSM4_CAPABLE) {
-+ vpsm4_set_encrypt_key(key, ks);
-+ ctx->block = (block128_f)vpsm4_encrypt;
-+ ctx->stream.cbc = NULL;
-+ if (ctx->mode == EVP_CIPH_CBC_MODE)
-+ ctx->stream.cbc = (cbc128_f)vpsm4_cbc_encrypt;
-+ else if (ctx->mode == EVP_CIPH_ECB_MODE)
-+ ctx->stream.ecb = (ecb128_f)vpsm4_ecb_encrypt;
-+ else if (ctx->mode == EVP_CIPH_CTR_MODE)
-+ ctx->stream.ctr = (ctr128_f)vpsm4_ctr32_encrypt_blocks;
-+ } else
- #endif
- {
- ossl_sm4_set_key(key, ks);
-@@ -61,6 +74,17 @@ static int cipher_hw_sm4_initkey(PROV_CIPHER_CTX *ctx,
- ctx->stream.ecb = (ecb128_f)HWSM4_ecb_encrypt;
- #endif
- } else
-+#endif
-+#ifdef VPSM4_CAPABLE
-+ if (VPSM4_CAPABLE) {
-+ vpsm4_set_decrypt_key(key, ks);
-+ ctx->block = (block128_f)vpsm4_decrypt;
-+ ctx->stream.cbc = NULL;
-+ if (ctx->mode == EVP_CIPH_CBC_MODE)
-+ ctx->stream.cbc = (cbc128_f)vpsm4_cbc_encrypt;
-+ else if (ctx->mode == EVP_CIPH_ECB_MODE)
-+ ctx->stream.ecb
= (ecb128_f)vpsm4_ecb_encrypt;
-+ } else
- #endif
- {
- ossl_sm4_set_key(key, ks);
---
-2.37.3.windows.1
-
diff --git a/Backport-SM4-optimization-for-ARM-by-HW-instruction.patch b/Backport-SM4-optimization-for-ARM-by-HW-instruction.patch
deleted file mode 100644
index c68f1a0187318de83b0702397a32ce56eb268b83..0000000000000000000000000000000000000000
--- a/Backport-SM4-optimization-for-ARM-by-HW-instruction.patch
+++ /dev/null
@@ -1,1228 +0,0 @@ -From 1cd480c10b8bbaa6f72d503494ff2973672ec0e4 Mon Sep 17 00:00:00 2001 -From: Daniel Hu -Date: Tue, 19 Oct 2021 22:49:05 +0100 -Subject: [PATCH 05/13] SM4 optimization for ARM by HW instruction - -This patch implements the SM4 optimization for ARM processor, -using SM4 HW instruction, which is an optional feature of -crypto extension for aarch64 V8. - -Tested on some modern ARM micro-architectures with SM4 support, the -performance uplift can be observed around 8X~40X over existing -C implementation in openssl. Algorithms that can be parallelized -(like CTR, ECB, CBC decryption) are on higher end, with algorithm -like CBC encryption on lower end (due to inter-block dependency) - -Perf data on Yitian-710 2.75GHz hardware, before and after optimization: - -Before: - type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes - SM4-CTR 105787.80k 107837.87k 108380.84k 108462.08k 108549.46k 108554.92k - SM4-ECB 111924.58k 118173.76k 119776.00k 120093.70k 120264.02k 120274.94k - SM4-CBC 106428.09k 109190.98k 109674.33k 109774.51k 109827.41k 109827.41k - -After (7.4x - 36.6x faster): - type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes - SM4-CTR 781979.02k 2432994.28k 3437753.86k 3834177.88k 3963715.58k 3974556.33k - SM4-ECB 937590.69k 2941689.02k 3945751.81k 4328655.87k 4459181.40k 4468692.31k - SM4-CBC 890639.88k 1027746.58k 1050621.78k 1056696.66k 1058613.93k 1058701.31k - -Signed-off-by: Daniel Hu - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/17455) ---- - crypto/arm64cpuid.pl | 8 + - crypto/arm_arch.h | 1 + - crypto/armcap.c | 10 + - crypto/evp/e_sm4.c | 193 ++++-- - crypto/sm4/asm/sm4-armv8.pl | 635 ++++++++++++++++++ - crypto/sm4/build.info | 32 +- - include/crypto/sm4_platform.h | 48 ++ - .../implementations/ciphers/cipher_sm4.h | 1 + - .../ciphers/cipher_sm4_gcm_hw.c | 20 +- - .../implementations/ciphers/cipher_sm4_hw.c | 57 +- - 10 files changed, 945 
insertions(+), 60 deletions(-) - create mode 100755 crypto/sm4/asm/sm4-armv8.pl - create mode 100644 include/crypto/sm4_platform.h - -diff --git a/crypto/arm64cpuid.pl b/crypto/arm64cpuid.pl -index 10d267b7ad..36af3e075b 100755 ---- a/crypto/arm64cpuid.pl -+++ b/crypto/arm64cpuid.pl -@@ -80,6 +80,14 @@ _armv8_pmull_probe: - ret - .size _armv8_pmull_probe,.-_armv8_pmull_probe - -+.globl _armv8_sm4_probe -+.type _armv8_sm4_probe,%function -+_armv8_sm4_probe: -+ AARCH64_VALID_CALL_TARGET -+ .long 0xcec08400 // sm4e v0.4s, v0.4s -+ ret -+.size _armv8_sm4_probe,.-_armv8_sm4_probe -+ - .globl _armv8_sha512_probe - .type _armv8_sha512_probe,%function - _armv8_sha512_probe: -diff --git a/crypto/arm_arch.h b/crypto/arm_arch.h -index c8b501f34c..5b5af31d92 100644 ---- a/crypto/arm_arch.h -+++ b/crypto/arm_arch.h -@@ -85,6 +85,7 @@ extern unsigned int OPENSSL_armv8_rsa_neonized; - # define ARMV8_CPUID (1<<7) - # define ARMV8_RNG (1<<8) - # define ARMV8_SM3 (1<<9) -+# define ARMV8_SM4 (1<<10) - - /* - * MIDR_EL1 system register -diff --git a/crypto/armcap.c b/crypto/armcap.c -index 365a48df45..c5aa062767 100644 ---- a/crypto/armcap.c -+++ b/crypto/armcap.c -@@ -53,6 +53,7 @@ void _armv8_sha256_probe(void); - void _armv8_pmull_probe(void); - # ifdef __aarch64__ - void _armv8_sm3_probe(void); -+void _armv8_sm4_probe(void); - void _armv8_sha512_probe(void); - unsigned int _armv8_cpuid_probe(void); - # endif -@@ -139,6 +140,7 @@ static unsigned long getauxval(unsigned long key) - # define HWCAP_CE_SHA256 (1 << 6) - # define HWCAP_CPUID (1 << 11) - # define HWCAP_CE_SM3 (1 << 18) -+# define HWCAP_CE_SM4 (1 << 19) - # define HWCAP_CE_SHA512 (1 << 21) - # endif - -@@ -207,6 +209,9 @@ void OPENSSL_cpuid_setup(void) - OPENSSL_armcap_P |= ARMV8_SHA256; - - # ifdef __aarch64__ -+ if (hwcap & HWCAP_CE_SM4) -+ OPENSSL_armcap_P |= ARMV8_SM4; -+ - if (hwcap & HWCAP_CE_SHA512) - OPENSSL_armcap_P |= ARMV8_SHA512; - -@@ -254,6 +259,11 @@ void OPENSSL_cpuid_setup(void) - OPENSSL_armcap_P |= 
ARMV8_SHA256; - } - # if defined(__aarch64__) && !defined(__APPLE__) -+ if (sigsetjmp(ill_jmp, 1) == 0) { -+ _armv8_sm4_probe(); -+ OPENSSL_armcap_P |= ARMV8_SM4; -+ } -+ - if (sigsetjmp(ill_jmp, 1) == 0) { - _armv8_sha512_probe(); - OPENSSL_armcap_P |= ARMV8_SHA512; -diff --git a/crypto/evp/e_sm4.c b/crypto/evp/e_sm4.c -index abd603015c..bff79ff197 100644 ---- a/crypto/evp/e_sm4.c -+++ b/crypto/evp/e_sm4.c -@@ -17,92 +17,187 @@ - # include - # include "crypto/sm4.h" - # include "crypto/evp.h" -+# include "crypto/sm4_platform.h" - # include "evp_local.h" - - typedef struct { -- SM4_KEY ks; -+ union { -+ OSSL_UNION_ALIGN; -+ SM4_KEY ks; -+ } ks; -+ block128_f block; -+ union { -+ ecb128_f ecb; -+ cbc128_f cbc; -+ ctr128_f ctr; -+ } stream; - } EVP_SM4_KEY; - -+# define BLOCK_CIPHER_generic(nid,blocksize,ivlen,nmode,mode,MODE,flags) \ -+static const EVP_CIPHER sm4_##mode = { \ -+ nid##_##nmode,blocksize,128/8,ivlen, \ -+ flags|EVP_CIPH_##MODE##_MODE, \ -+ EVP_ORIG_GLOBAL, \ -+ sm4_init_key, \ -+ sm4_##mode##_cipher, \ -+ NULL, \ -+ sizeof(EVP_SM4_KEY), \ -+ NULL,NULL,NULL,NULL }; \ -+const EVP_CIPHER *EVP_sm4_##mode(void) \ -+{ return &sm4_##mode; } -+ -+#define DEFINE_BLOCK_CIPHERS(nid,flags) \ -+ BLOCK_CIPHER_generic(nid,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ -+ BLOCK_CIPHER_generic(nid,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ -+ BLOCK_CIPHER_generic(nid,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ -+ BLOCK_CIPHER_generic(nid,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ -+ BLOCK_CIPHER_generic(nid,1,16,ctr,ctr,CTR,flags) -+ - static int sm4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc) - { -- ossl_sm4_set_key(key, EVP_CIPHER_CTX_get_cipher_data(ctx)); -+ int mode; -+ EVP_SM4_KEY *dat = EVP_C_DATA(EVP_SM4_KEY,ctx); -+ -+ mode = EVP_CIPHER_CTX_get_mode(ctx); -+ if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) -+ && !enc) { -+#ifdef HWSM4_CAPABLE -+ if 
(HWSM4_CAPABLE) { -+ HWSM4_set_decrypt_key(key, &dat->ks.ks); -+ dat->block = (block128_f) HWSM4_decrypt; -+ dat->stream.cbc = NULL; -+# ifdef HWSM4_cbc_encrypt -+ if (mode == EVP_CIPH_CBC_MODE) -+ dat->stream.cbc = (cbc128_f) HWSM4_cbc_encrypt; -+# endif -+# ifdef HWSM4_ecb_encrypt -+ if (mode == EVP_CIPH_ECB_MODE) -+ dat->stream.ecb = (ecb128_f) HWSM4_ecb_encrypt; -+# endif -+ } else -+#endif -+ { -+ dat->block = (block128_f) ossl_sm4_decrypt; -+ ossl_sm4_set_key(key, EVP_CIPHER_CTX_get_cipher_data(ctx)); -+ } -+ } else -+#ifdef HWSM4_CAPABLE -+ if (HWSM4_CAPABLE) { -+ HWSM4_set_encrypt_key(key, &dat->ks.ks); -+ dat->block = (block128_f) HWSM4_encrypt; -+ dat->stream.cbc = NULL; -+# ifdef HWSM4_cbc_encrypt -+ if (mode == EVP_CIPH_CBC_MODE) -+ dat->stream.cbc = (cbc128_f) HWSM4_cbc_encrypt; -+ else -+# endif -+# ifdef HWSM4_ecb_encrypt -+ if (mode == EVP_CIPH_ECB_MODE) -+ dat->stream.ecb = (ecb128_f) HWSM4_ecb_encrypt; -+ else -+# endif -+# ifdef HWSM4_ctr32_encrypt_blocks -+ if (mode == EVP_CIPH_CTR_MODE) -+ dat->stream.ctr = (ctr128_f) HWSM4_ctr32_encrypt_blocks; -+ else -+# endif -+ (void)0; /* terminate potentially open 'else' */ -+ } else -+#endif -+ { -+ dat->block = (block128_f) ossl_sm4_encrypt; -+ ossl_sm4_set_key(key, EVP_CIPHER_CTX_get_cipher_data(ctx)); -+ } - return 1; - } - --static void sm4_cbc_encrypt(const unsigned char *in, unsigned char *out, -- size_t len, const SM4_KEY *key, -- unsigned char *ivec, const int enc) -+static int sm4_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -+ const unsigned char *in, size_t len) - { -- if (enc) -- CRYPTO_cbc128_encrypt(in, out, len, key, ivec, -- (block128_f)ossl_sm4_encrypt); -+ EVP_SM4_KEY *dat = EVP_C_DATA(EVP_SM4_KEY,ctx); -+ -+ if (dat->stream.cbc) -+ (*dat->stream.cbc) (in, out, len, &dat->ks.ks, ctx->iv, -+ EVP_CIPHER_CTX_is_encrypting(ctx)); -+ else if (EVP_CIPHER_CTX_is_encrypting(ctx)) -+ CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv, -+ dat->block); - else -- 
CRYPTO_cbc128_decrypt(in, out, len, key, ivec, -- (block128_f)ossl_sm4_decrypt); -+ CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, -+ ctx->iv, dat->block); -+ return 1; - } - --static void sm4_cfb128_encrypt(const unsigned char *in, unsigned char *out, -- size_t length, const SM4_KEY *key, -- unsigned char *ivec, int *num, const int enc) -+static int sm4_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -+ const unsigned char *in, size_t len) - { -- CRYPTO_cfb128_encrypt(in, out, length, key, ivec, num, enc, -- (block128_f)ossl_sm4_encrypt); -+ EVP_SM4_KEY *dat = EVP_C_DATA(EVP_SM4_KEY,ctx); -+ int num = EVP_CIPHER_CTX_get_num(ctx); -+ -+ CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, -+ ctx->iv, &num, -+ EVP_CIPHER_CTX_is_encrypting(ctx), dat->block); -+ EVP_CIPHER_CTX_set_num(ctx, num); -+ return 1; - } - --static void sm4_ecb_encrypt(const unsigned char *in, unsigned char *out, -- const SM4_KEY *key, const int enc) -+static int sm4_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -+ const unsigned char *in, size_t len) - { -- if (enc) -- ossl_sm4_encrypt(in, out, key); -+ size_t bl = EVP_CIPHER_CTX_get_block_size(ctx); -+ size_t i; -+ EVP_SM4_KEY *dat = EVP_C_DATA(EVP_SM4_KEY,ctx); -+ -+ if (len < bl) -+ return 1; -+ -+ if (dat->stream.ecb != NULL) -+ (*dat->stream.ecb) (in, out, len, &dat->ks.ks, -+ EVP_CIPHER_CTX_is_encrypting(ctx)); - else -- ossl_sm4_decrypt(in, out, key); -+ for (i = 0, len -= bl; i <= len; i += bl) -+ (*dat->block) (in + i, out + i, &dat->ks); -+ -+ return 1; - } - --static void sm4_ofb128_encrypt(const unsigned char *in, unsigned char *out, -- size_t length, const SM4_KEY *key, -- unsigned char *ivec, int *num) -+static int sm4_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -+ const unsigned char *in, size_t len) - { -- CRYPTO_ofb128_encrypt(in, out, length, key, ivec, num, -- (block128_f)ossl_sm4_encrypt); --} -+ EVP_SM4_KEY *dat = EVP_C_DATA(EVP_SM4_KEY,ctx); -+ int num = EVP_CIPHER_CTX_get_num(ctx); - 
--IMPLEMENT_BLOCK_CIPHER(sm4, ks, sm4, EVP_SM4_KEY, NID_sm4, -- 16, 16, 16, 128, EVP_CIPH_FLAG_DEFAULT_ASN1, -- sm4_init_key, 0, 0, 0, 0) -+ CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, -+ ctx->iv, &num, dat->block); -+ EVP_CIPHER_CTX_set_num(ctx, num); -+ return 1; -+} - - static int sm4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t len) - { - int n = EVP_CIPHER_CTX_get_num(ctx); - unsigned int num; -- EVP_SM4_KEY *dat = EVP_C_DATA(EVP_SM4_KEY, ctx); -+ EVP_SM4_KEY *dat = EVP_C_DATA(EVP_SM4_KEY,ctx); - - if (n < 0) - return 0; - num = (unsigned int)n; - -- CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, ctx->iv, -- EVP_CIPHER_CTX_buf_noconst(ctx), &num, -- (block128_f)ossl_sm4_encrypt); -+ if (dat->stream.ctr) -+ CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks, -+ ctx->iv, -+ EVP_CIPHER_CTX_buf_noconst(ctx), -+ &num, dat->stream.ctr); -+ else -+ CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, -+ ctx->iv, -+ EVP_CIPHER_CTX_buf_noconst(ctx), &num, -+ dat->block); - EVP_CIPHER_CTX_set_num(ctx, num); - return 1; - } - --static const EVP_CIPHER sm4_ctr_mode = { -- NID_sm4_ctr, 1, 16, 16, -- EVP_CIPH_CTR_MODE, -- EVP_ORIG_GLOBAL, -- sm4_init_key, -- sm4_ctr_cipher, -- NULL, -- sizeof(EVP_SM4_KEY), -- NULL, NULL, NULL, NULL --}; -- --const EVP_CIPHER *EVP_sm4_ctr(void) --{ -- return &sm4_ctr_mode; --} -- -+DEFINE_BLOCK_CIPHERS(NID_sm4, 0) - #endif -diff --git a/crypto/sm4/asm/sm4-armv8.pl b/crypto/sm4/asm/sm4-armv8.pl -new file mode 100755 -index 0000000000..7358a6e6a2 ---- /dev/null -+++ b/crypto/sm4/asm/sm4-armv8.pl -@@ -0,0 +1,635 @@ -+#! /usr/bin/env perl -+# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. 
You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+# -+# This module implements support for SM4 hw support on aarch64 -+# Oct 2021 -+# -+ -+# $output is the last argument if it looks like a file (it has an extension) -+# $flavour is the first argument if it doesn't look like a file -+$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; -+$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; -+ -+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or -+( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or -+die "can't locate arm-xlate.pl"; -+ -+open OUT,"| \"$^X\" $xlate $flavour \"$output\"" -+ or die "can't call $xlate: $!"; -+*STDOUT=*OUT; -+ -+$prefix="sm4_v8"; -+my @rks=map("v$_",(0..7)); -+ -+sub rev32() { -+my $dst = shift; -+my $src = shift; -+$code.=<<___; -+#ifndef __ARMEB__ -+ rev32 $dst.16b,$src.16b -+#endif -+___ -+} -+ -+sub enc_blk () { -+my $data = shift; -+$code.=<<___; -+ sm4e $data.4s,@rks[0].4s -+ sm4e $data.4s,@rks[1].4s -+ sm4e $data.4s,@rks[2].4s -+ sm4e $data.4s,@rks[3].4s -+ sm4e $data.4s,@rks[4].4s -+ sm4e $data.4s,@rks[5].4s -+ sm4e $data.4s,@rks[6].4s -+ sm4e $data.4s,@rks[7].4s -+ rev64 $data.4S,$data.4S -+ ext $data.16b,$data.16b,$data.16b,#8 -+___ -+} -+ -+sub enc_4blks () { -+my $data0 = shift; -+my $data1 = shift; -+my $data2 = shift; -+my $data3 = shift; -+$code.=<<___; -+ sm4e $data0.4s,@rks[0].4s -+ sm4e $data1.4s,@rks[0].4s -+ sm4e $data2.4s,@rks[0].4s -+ sm4e $data3.4s,@rks[0].4s -+ -+ sm4e $data0.4s,@rks[1].4s -+ sm4e $data1.4s,@rks[1].4s -+ sm4e $data2.4s,@rks[1].4s -+ sm4e $data3.4s,@rks[1].4s -+ -+ sm4e $data0.4s,@rks[2].4s -+ sm4e $data1.4s,@rks[2].4s -+ sm4e $data2.4s,@rks[2].4s -+ sm4e $data3.4s,@rks[2].4s -+ -+ sm4e $data0.4s,@rks[3].4s -+ sm4e $data1.4s,@rks[3].4s -+ sm4e $data2.4s,@rks[3].4s -+ sm4e $data3.4s,@rks[3].4s -+ -+ sm4e $data0.4s,@rks[4].4s -+ sm4e 
$data1.4s,@rks[4].4s -+ sm4e $data2.4s,@rks[4].4s -+ sm4e $data3.4s,@rks[4].4s -+ -+ sm4e $data0.4s,@rks[5].4s -+ sm4e $data1.4s,@rks[5].4s -+ sm4e $data2.4s,@rks[5].4s -+ sm4e $data3.4s,@rks[5].4s -+ -+ sm4e $data0.4s,@rks[6].4s -+ sm4e $data1.4s,@rks[6].4s -+ sm4e $data2.4s,@rks[6].4s -+ sm4e $data3.4s,@rks[6].4s -+ -+ sm4e $data0.4s,@rks[7].4s -+ rev64 $data0.4S,$data0.4S -+ sm4e $data1.4s,@rks[7].4s -+ ext $data0.16b,$data0.16b,$data0.16b,#8 -+ rev64 $data1.4S,$data1.4S -+ sm4e $data2.4s,@rks[7].4s -+ ext $data1.16b,$data1.16b,$data1.16b,#8 -+ rev64 $data2.4S,$data2.4S -+ sm4e $data3.4s,@rks[7].4s -+ ext $data2.16b,$data2.16b,$data2.16b,#8 -+ rev64 $data3.4S,$data3.4S -+ ext $data3.16b,$data3.16b,$data3.16b,#8 -+___ -+} -+ -+$code=<<___; -+#include "arm_arch.h" -+.arch armv8-a+crypto -+.text -+___ -+ -+{{{ -+$code.=<<___; -+.align 6 -+.Lck: -+ .long 0x00070E15, 0x1C232A31, 0x383F464D, 0x545B6269 -+ .long 0x70777E85, 0x8C939AA1, 0xA8AFB6BD, 0xC4CBD2D9 -+ .long 0xE0E7EEF5, 0xFC030A11, 0x181F262D, 0x343B4249 -+ .long 0x50575E65, 0x6C737A81, 0x888F969D, 0xA4ABB2B9 -+ .long 0xC0C7CED5, 0xDCE3EAF1, 0xF8FF060D, 0x141B2229 -+ .long 0x30373E45, 0x4C535A61, 0x686F767D, 0x848B9299 -+ .long 0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209 -+ .long 0x10171E25, 0x2C333A41, 0x484F565D, 0x646B7279 -+.Lfk: -+ .long 0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc -+___ -+}}} -+ -+{{{ -+my ($key,$keys)=("x0","x1"); -+my ($tmp)=("x2"); -+my ($key0,$key1,$key2,$key3,$key4,$key5,$key6,$key7)=map("v$_",(0..7)); -+my ($const0,$const1,$const2,$const3,$const4,$const5,$const6,$const7)=map("v$_",(16..23)); -+my ($fkconst) = ("v24"); -+$code.=<<___; -+.globl ${prefix}_set_encrypt_key -+.type ${prefix}_set_encrypt_key,%function -+.align 5 -+${prefix}_set_encrypt_key: -+ AARCH64_VALID_CALL_TARGET -+ ld1 {$key0.4s},[$key] -+ adr $tmp,.Lfk -+ ld1 {$fkconst.4s},[$tmp] -+ adr $tmp,.Lck -+ ld1 {$const0.4s,$const1.4s,$const2.4s,$const3.4s},[$tmp],64 -+___ -+ &rev32($key0, $key0); -+$code.=<<___; -+ 
ld1 {$const4.4s,$const5.4s,$const6.4s,$const7.4s},[$tmp] -+ eor $key0.16b,$key0.16b,$fkconst.16b; -+ sm4ekey $key0.4S,$key0.4S,$const0.4S -+ sm4ekey $key1.4S,$key0.4S,$const1.4S -+ sm4ekey $key2.4S,$key1.4S,$const2.4S -+ sm4ekey $key3.4S,$key2.4S,$const3.4S -+ sm4ekey $key4.4S,$key3.4S,$const4.4S -+ st1 {$key0.4s,$key1.4s,$key2.4s,$key3.4s},[$keys],64 -+ sm4ekey $key5.4S,$key4.4S,$const5.4S -+ sm4ekey $key6.4S,$key5.4S,$const6.4S -+ sm4ekey $key7.4S,$key6.4S,$const7.4S -+ st1 {$key4.4s,$key5.4s,$key6.4s,$key7.4s},[$keys] -+ ret -+.size ${prefix}_set_encrypt_key,.-${prefix}_set_encrypt_key -+___ -+}}} -+ -+{{{ -+my ($key,$keys)=("x0","x1"); -+my ($tmp)=("x2"); -+my ($key7,$key6,$key5,$key4,$key3,$key2,$key1,$key0)=map("v$_",(0..7)); -+my ($const0,$const1,$const2,$const3,$const4,$const5,$const6,$const7)=map("v$_",(16..23)); -+my ($fkconst) = ("v24"); -+$code.=<<___; -+.globl ${prefix}_set_decrypt_key -+.type ${prefix}_set_decrypt_key,%function -+.align 5 -+${prefix}_set_decrypt_key: -+ AARCH64_VALID_CALL_TARGET -+ ld1 {$key0.4s},[$key] -+ adr $tmp,.Lfk -+ ld1 {$fkconst.4s},[$tmp] -+ adr $tmp, .Lck -+ ld1 {$const0.4s,$const1.4s,$const2.4s,$const3.4s},[$tmp],64 -+___ -+ &rev32($key0, $key0); -+$code.=<<___; -+ ld1 {$const4.4s,$const5.4s,$const6.4s,$const7.4s},[$tmp] -+ eor $key0.16b, $key0.16b,$fkconst.16b; -+ sm4ekey $key0.4S,$key0.4S,$const0.4S -+ sm4ekey $key1.4S,$key0.4S,$const1.4S -+ sm4ekey $key2.4S,$key1.4S,$const2.4S -+ rev64 $key0.4s,$key0.4s -+ rev64 $key1.4s,$key1.4s -+ ext $key0.16b,$key0.16b,$key0.16b,#8 -+ ext $key1.16b,$key1.16b,$key1.16b,#8 -+ sm4ekey $key3.4S,$key2.4S,$const3.4S -+ sm4ekey $key4.4S,$key3.4S,$const4.4S -+ rev64 $key2.4s,$key2.4s -+ rev64 $key3.4s,$key3.4s -+ ext $key2.16b,$key2.16b,$key2.16b,#8 -+ ext $key3.16b,$key3.16b,$key3.16b,#8 -+ sm4ekey $key5.4S,$key4.4S,$const5.4S -+ sm4ekey $key6.4S,$key5.4S,$const6.4S -+ rev64 $key4.4s,$key4.4s -+ rev64 $key5.4s,$key5.4s -+ ext $key4.16b,$key4.16b,$key4.16b,#8 -+ ext 
$key5.16b,$key5.16b,$key5.16b,#8 -+ sm4ekey $key7.4S,$key6.4S,$const7.4S -+ rev64 $key6.4s, $key6.4s -+ rev64 $key7.4s, $key7.4s -+ ext $key6.16b,$key6.16b,$key6.16b,#8 -+ ext $key7.16b,$key7.16b,$key7.16b,#8 -+ st1 {$key7.4s,$key6.4s,$key5.4s,$key4.4s},[$keys],64 -+ st1 {$key3.4s,$key2.4s,$key1.4s,$key0.4s},[$keys] -+ ret -+.size ${prefix}_set_decrypt_key,.-${prefix}_set_decrypt_key -+___ -+}}} -+ -+{{{ -+sub gen_block () { -+my $dir = shift; -+my ($inp,$out,$rk)=map("x$_",(0..2)); -+my ($data)=("v16"); -+$code.=<<___; -+.globl ${prefix}_${dir}crypt -+.type ${prefix}_${dir}crypt,%function -+.align 5 -+${prefix}_${dir}crypt: -+ AARCH64_VALID_CALL_TARGET -+ ld1 {$data.4s},[$inp] -+ ld1 {@rks[0].4s,@rks[1].4s,@rks[2].4s,@rks[3].4s},[$rk],64 -+ ld1 {@rks[4].4s,@rks[5].4s,@rks[6].4s,@rks[7].4s},[$rk] -+___ -+ &rev32($data,$data); -+ &enc_blk($data); -+ &rev32($data,$data); -+$code.=<<___; -+ st1 {$data.4s},[$out] -+ ret -+.size ${prefix}_${dir}crypt,.-${prefix}_${dir}crypt -+___ -+} -+ -+&gen_block("en"); -+&gen_block("de"); -+}}} -+ -+{{{ -+my ($inp,$out,$len,$rk)=map("x$_",(0..3)); -+my ($enc) = ("w4"); -+my @dat=map("v$_",(16..23)); -+$code.=<<___; -+.globl ${prefix}_ecb_encrypt -+.type ${prefix}_ecb_encrypt,%function -+.align 5 -+${prefix}_ecb_encrypt: -+ AARCH64_VALID_CALL_TARGET -+ ld1 {@rks[0].4s,@rks[1].4s,@rks[2].4s,@rks[3].4s},[$rk],#64 -+ ld1 {@rks[4].4s,@rks[5].4s,@rks[6].4s,@rks[7].4s},[$rk] -+1: -+ cmp $len,#64 -+ b.lt 1f -+ ld1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$inp],#64 -+ cmp $len,#128 -+ b.lt 2f -+ ld1 {@dat[4].4s,@dat[5].4s,@dat[6].4s,@dat[7].4s},[$inp],#64 -+ // 8 blocks -+___ -+ &rev32(@dat[0],@dat[0]); -+ &rev32(@dat[1],@dat[1]); -+ &rev32(@dat[2],@dat[2]); -+ &rev32(@dat[3],@dat[3]); -+ &rev32(@dat[4],@dat[4]); -+ &rev32(@dat[5],@dat[5]); -+ &rev32(@dat[6],@dat[6]); -+ &rev32(@dat[7],@dat[7]); -+ &enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]); -+ &enc_4blks(@dat[4],@dat[5],@dat[6],@dat[7]); -+ &rev32(@dat[0],@dat[0]); -+ 
&rev32(@dat[1],@dat[1]); -+ &rev32(@dat[2],@dat[2]); -+ &rev32(@dat[3],@dat[3]); -+ &rev32(@dat[4],@dat[4]); -+ &rev32(@dat[5],@dat[5]); -+$code.=<<___; -+ st1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64 -+___ -+ &rev32(@dat[6],@dat[6]); -+ &rev32(@dat[7],@dat[7]); -+$code.=<<___; -+ st1 {@dat[4].4s,@dat[5].4s,@dat[6].4s,@dat[7].4s},[$out],#64 -+ subs $len,$len,#128 -+ b.gt 1b -+ ret -+ // 4 blocks -+2: -+___ -+ &rev32(@dat[0],@dat[0]); -+ &rev32(@dat[1],@dat[1]); -+ &rev32(@dat[2],@dat[2]); -+ &rev32(@dat[3],@dat[3]); -+ &enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]); -+ &rev32(@dat[0],@dat[0]); -+ &rev32(@dat[1],@dat[1]); -+ &rev32(@dat[2],@dat[2]); -+ &rev32(@dat[3],@dat[3]); -+$code.=<<___; -+ st1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64 -+ subs $len,$len,#64 -+ b.gt 1b -+1: -+ subs $len,$len,#16 -+ b.lt 1f -+ ld1 {@dat[0].4s},[$inp],#16 -+___ -+ &rev32(@dat[0],@dat[0]); -+ &enc_blk(@dat[0]); -+ &rev32(@dat[0],@dat[0]); -+$code.=<<___; -+ st1 {@dat[0].4s},[$out],#16 -+ b.ne 1b -+1: -+ ret -+.size ${prefix}_ecb_encrypt,.-${prefix}_ecb_encrypt -+___ -+}}} -+ -+{{{ -+my ($inp,$out,$len,$rk,$ivp)=map("x$_",(0..4)); -+my ($enc) = ("w5"); -+my @dat=map("v$_",(16..23)); -+my @in=map("v$_",(24..31)); -+my ($ivec) = ("v8"); -+$code.=<<___; -+.globl ${prefix}_cbc_encrypt -+.type ${prefix}_cbc_encrypt,%function -+.align 5 -+${prefix}_cbc_encrypt: -+ AARCH64_VALID_CALL_TARGET -+ stp d8,d9,[sp, #-16]! 
-+ -+ ld1 {@rks[0].4s,@rks[1].4s,@rks[2].4s,@rks[3].4s},[$rk],#64 -+ ld1 {@rks[4].4s,@rks[5].4s,@rks[6].4s,@rks[7].4s},[$rk] -+ ld1 {$ivec.4s},[$ivp] -+ cmp $enc,#0 -+ b.eq .Ldec -+1: -+ cmp $len, #64 -+ b.lt 1f -+ ld1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$inp],#64 -+ eor @dat[0].16b,@dat[0].16b,$ivec.16b -+___ -+ &rev32(@dat[1],@dat[1]); -+ &rev32(@dat[0],@dat[0]); -+ &rev32(@dat[2],@dat[2]); -+ &rev32(@dat[3],@dat[3]); -+ &enc_blk(@dat[0]); -+$code.=<<___; -+ eor @dat[1].16b,@dat[1].16b,@dat[0].16b -+___ -+ &enc_blk(@dat[1]); -+ &rev32(@dat[0],@dat[0]); -+$code.=<<___; -+ eor @dat[2].16b,@dat[2].16b,@dat[1].16b -+___ -+ &enc_blk(@dat[2]); -+ &rev32(@dat[1],@dat[1]); -+$code.=<<___; -+ eor @dat[3].16b,@dat[3].16b,@dat[2].16b -+___ -+ &enc_blk(@dat[3]); -+ &rev32(@dat[2],@dat[2]); -+ &rev32(@dat[3],@dat[3]); -+$code.=<<___; -+ mov $ivec.16b,@dat[3].16b -+ st1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64 -+ subs $len,$len,#64 -+ b.ne 1b -+1: -+ subs $len,$len,#16 -+ b.lt 3f -+ ld1 {@dat[0].4s},[$inp],#16 -+ eor $ivec.16b,$ivec.16b,@dat[0].16b -+___ -+ &rev32($ivec,$ivec); -+ &enc_blk($ivec); -+ &rev32($ivec,$ivec); -+$code.=<<___; -+ st1 {$ivec.16b},[$out],#16 -+ b.ne 1b -+ b 3f -+.Ldec: -+1: -+ cmp $len, #64 -+ b.lt 1f -+ ld1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$inp] -+ ld1 {@in[0].4s,@in[1].4s,@in[2].4s,@in[3].4s},[$inp],#64 -+ cmp $len,#128 -+ b.lt 2f -+ // 8 blocks mode -+ ld1 {@dat[4].4s,@dat[5].4s,@dat[6].4s,@dat[7].4s},[$inp] -+ ld1 {@in[4].4s,@in[5].4s,@in[6].4s,@in[7].4s},[$inp],#64 -+___ -+ &rev32(@dat[0],@dat[0]); -+ &rev32(@dat[1],@dat[1]); -+ &rev32(@dat[2],@dat[2]); -+ &rev32(@dat[3],$dat[3]); -+ &rev32(@dat[4],@dat[4]); -+ &rev32(@dat[5],@dat[5]); -+ &rev32(@dat[6],@dat[6]); -+ &rev32(@dat[7],$dat[7]); -+ &enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]); -+ &enc_4blks(@dat[4],@dat[5],@dat[6],@dat[7]); -+ &rev32(@dat[0],@dat[0]); -+ &rev32(@dat[1],@dat[1]); -+ &rev32(@dat[2],@dat[2]); -+ &rev32(@dat[3],@dat[3]); -+ 
&rev32(@dat[4],@dat[4]); -+ &rev32(@dat[5],@dat[5]); -+ &rev32(@dat[6],@dat[6]); -+ &rev32(@dat[7],@dat[7]); -+$code.=<<___; -+ eor @dat[0].16b,@dat[0].16b,$ivec.16b -+ eor @dat[1].16b,@dat[1].16b,@in[0].16b -+ eor @dat[2].16b,@dat[2].16b,@in[1].16b -+ mov $ivec.16b,@in[7].16b -+ eor @dat[3].16b,$dat[3].16b,@in[2].16b -+ eor @dat[4].16b,$dat[4].16b,@in[3].16b -+ eor @dat[5].16b,$dat[5].16b,@in[4].16b -+ eor @dat[6].16b,$dat[6].16b,@in[5].16b -+ eor @dat[7].16b,$dat[7].16b,@in[6].16b -+ st1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64 -+ st1 {@dat[4].4s,@dat[5].4s,@dat[6].4s,@dat[7].4s},[$out],#64 -+ subs $len,$len,128 -+ b.gt 1b -+ b 3f -+ // 4 blocks mode -+2: -+___ -+ &rev32(@dat[0],@dat[0]); -+ &rev32(@dat[1],@dat[1]); -+ &rev32(@dat[2],@dat[2]); -+ &rev32(@dat[3],$dat[3]); -+ &enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]); -+ &rev32(@dat[0],@dat[0]); -+ &rev32(@dat[1],@dat[1]); -+ &rev32(@dat[2],@dat[2]); -+ &rev32(@dat[3],@dat[3]); -+$code.=<<___; -+ eor @dat[0].16b,@dat[0].16b,$ivec.16b -+ eor @dat[1].16b,@dat[1].16b,@in[0].16b -+ mov $ivec.16b,@in[3].16b -+ eor @dat[2].16b,@dat[2].16b,@in[1].16b -+ eor @dat[3].16b,$dat[3].16b,@in[2].16b -+ st1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64 -+ subs $len,$len,#64 -+ b.gt 1b -+1: -+ subs $len,$len,#16 -+ b.lt 3f -+ ld1 {@dat[0].4s},[$inp],#16 -+ mov @in[0].16b,@dat[0].16b -+___ -+ &rev32(@dat[0],@dat[0]); -+ &enc_blk(@dat[0]); -+ &rev32(@dat[0],@dat[0]); -+$code.=<<___; -+ eor @dat[0].16b,@dat[0].16b,$ivec.16b -+ mov $ivec.16b,@in[0].16b -+ st1 {@dat[0].16b},[$out],#16 -+ b.ne 1b -+3: -+ // save back IV -+ st1 {$ivec.16b},[$ivp] -+ ldp d8,d9,[sp],#16 -+ ret -+.size ${prefix}_cbc_encrypt,.-${prefix}_cbc_encrypt -+___ -+}}} -+ -+{{{ -+my ($inp,$out,$len,$rk,$ivp)=map("x$_",(0..4)); -+my ($ctr)=("w5"); -+my @dat=map("v$_",(16..23)); -+my @in=map("v$_",(24..31)); -+my ($ivec)=("v8"); -+$code.=<<___; -+.globl ${prefix}_ctr32_encrypt_blocks -+.type ${prefix}_ctr32_encrypt_blocks,%function -+.align 
5 -+${prefix}_ctr32_encrypt_blocks: -+ AARCH64_VALID_CALL_TARGET -+ stp d8,d9,[sp, #-16]! -+ -+ ld1 {$ivec.4s},[$ivp] -+ ld1 {@rks[0].4s,@rks[1].4s,@rks[2].4s,@rks[3].4s},[$rk],64 -+ ld1 {@rks[4].4s,@rks[5].4s,@rks[6].4s,@rks[7].4s},[$rk] -+___ -+ &rev32($ivec,$ivec); -+$code.=<<___; -+ mov $ctr,$ivec.s[3] -+1: -+ cmp $len,#4 -+ b.lt 1f -+ ld1 {@in[0].4s,@in[1].4s,@in[2].4s,@in[3].4s},[$inp],#64 -+ mov @dat[0].16b,$ivec.16b -+ mov @dat[1].16b,$ivec.16b -+ mov @dat[2].16b,$ivec.16b -+ mov @dat[3].16b,$ivec.16b -+ add $ctr,$ctr,#1 -+ mov $dat[1].s[3],$ctr -+ add $ctr,$ctr,#1 -+ mov @dat[2].s[3],$ctr -+ add $ctr,$ctr,#1 -+ mov @dat[3].s[3],$ctr -+ cmp $len,#8 -+ b.lt 2f -+ ld1 {@in[4].4s,@in[5].4s,@in[6].4s,@in[7].4s},[$inp],#64 -+ mov @dat[4].16b,$ivec.16b -+ mov @dat[5].16b,$ivec.16b -+ mov @dat[6].16b,$ivec.16b -+ mov @dat[7].16b,$ivec.16b -+ add $ctr,$ctr,#1 -+ mov $dat[4].s[3],$ctr -+ add $ctr,$ctr,#1 -+ mov @dat[5].s[3],$ctr -+ add $ctr,$ctr,#1 -+ mov @dat[6].s[3],$ctr -+ add $ctr,$ctr,#1 -+ mov @dat[7].s[3],$ctr -+___ -+ &enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]); -+ &enc_4blks(@dat[4],@dat[5],@dat[6],@dat[7]); -+ &rev32(@dat[0],@dat[0]); -+ &rev32(@dat[1],@dat[1]); -+ &rev32(@dat[2],@dat[2]); -+ &rev32(@dat[3],@dat[3]); -+ &rev32(@dat[4],@dat[4]); -+ &rev32(@dat[5],@dat[5]); -+ &rev32(@dat[6],@dat[6]); -+ &rev32(@dat[7],@dat[7]); -+$code.=<<___; -+ eor @dat[0].16b,@dat[0].16b,@in[0].16b -+ eor @dat[1].16b,@dat[1].16b,@in[1].16b -+ eor @dat[2].16b,@dat[2].16b,@in[2].16b -+ eor @dat[3].16b,@dat[3].16b,@in[3].16b -+ eor @dat[4].16b,@dat[4].16b,@in[4].16b -+ eor @dat[5].16b,@dat[5].16b,@in[5].16b -+ eor @dat[6].16b,@dat[6].16b,@in[6].16b -+ eor @dat[7].16b,@dat[7].16b,@in[7].16b -+ st1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64 -+ st1 {@dat[4].4s,@dat[5].4s,@dat[6].4s,@dat[7].4s},[$out],#64 -+ subs $len,$len,#8 -+ b.eq 3f -+ add $ctr,$ctr,#1 -+ mov $ivec.s[3],$ctr -+ b 1b -+2: -+___ -+ &enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]); -+ 
&rev32(@dat[0],@dat[0]); -+ &rev32(@dat[1],@dat[1]); -+ &rev32(@dat[2],@dat[2]); -+ &rev32(@dat[3],@dat[3]); -+$code.=<<___; -+ eor @dat[0].16b,@dat[0].16b,@in[0].16b -+ eor @dat[1].16b,@dat[1].16b,@in[1].16b -+ eor @dat[2].16b,@dat[2].16b,@in[2].16b -+ eor @dat[3].16b,@dat[3].16b,@in[3].16b -+ st1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64 -+ subs $len,$len,#4 -+ b.eq 3f -+ add $ctr,$ctr,#1 -+ mov $ivec.s[3],$ctr -+ b 1b -+1: -+ subs $len,$len,#1 -+ b.lt 3f -+ mov $dat[0].16b,$ivec.16b -+ ld1 {@in[0].4s},[$inp],#16 -+___ -+ &enc_blk(@dat[0]); -+ &rev32(@dat[0],@dat[0]); -+$code.=<<___; -+ eor $dat[0].16b,$dat[0].16b,@in[0].16b -+ st1 {$dat[0].4s},[$out],#16 -+ b.eq 3f -+ add $ctr,$ctr,#1 -+ mov $ivec.s[3],$ctr -+ b 1b -+3: -+ ldp d8,d9,[sp],#16 -+ ret -+.size ${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks -+___ -+}}} -+######################################## -+{ my %opcode = ( -+ "sm4e" => 0xcec08400, -+ "sm4ekey" => 0xce60c800); -+ -+ sub unsm4 { -+ my ($mnemonic,$arg)=@_; -+ -+ $arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)[^,]*(?:,\s*[qv]([0-9]+))?/o -+ && -+ sprintf ".inst\t0x%08x\t//%s %s", -+ $opcode{$mnemonic}|$1|($2<<5)|($3<<16), -+ $mnemonic,$arg; -+ } -+} -+ -+open SELF,$0; -+while() { -+ next if (/^#!/); -+ last if (!s/^#/\/\// and !/^$/); -+ print; -+} -+close SELF; -+ -+foreach(split("\n",$code)) { -+ s/\`([^\`]*)\`/eval($1)/ge; -+ -+ s/\b(sm4\w+)\s+([qv].*)/unsm4($1,$2)/ge; -+ print $_,"\n"; -+} -+ -+close STDOUT or die "error closing STDOUT: $!"; -diff --git a/crypto/sm4/build.info b/crypto/sm4/build.info -index b65a7d149e..e27aa49e67 100644 ---- a/crypto/sm4/build.info -+++ b/crypto/sm4/build.info -@@ -1,4 +1,32 @@ - LIBS=../../libcrypto --SOURCE[../../libcrypto]=\ -- sm4.c - -+IF[{- !$disabled{asm} -}] -+ $SM4DEF_aarch64=SM4_ASM -+ $SM4ASM_aarch64=sm4-armv8.S -+ -+ # Now that we have defined all the arch specific variables, use the -+ # appropriate one, and define the appropriate macros -+ IF[$SM4ASM_{- 
$target{asm_arch} -}] -+ $SM4ASM=$SM4ASM_{- $target{asm_arch} -} -+ $SM4DEF=$SM4DEF_{- $target{asm_arch} -} -+ ENDIF -+ENDIF -+ -+SOURCE[../../libcrypto]= $SM4ASM sm4.c -+ -+ -+# Implementations are now spread across several libraries, so the defines -+# need to be applied to all affected libraries and modules. -+DEFINE[../../libcrypto]=$SM4DEF -+DEFINE[../../providers/libfips.a]=$SM4DEF -+DEFINE[../../providers/libdefault.a]=$SM4DEF -+# We only need to include the SM4DEF stuff in the legacy provider when it's a -+# separate module and it's dynamically linked with libcrypto. Otherwise, it -+# already gets everything that the static libcrypto.a has, and doesn't need it -+# added again. -+IF[{- !$disabled{module} && !$disabled{shared} -}] -+ DEFINE[../providers/liblegacy.a]=$SM4DEF -+ENDIF -+ -+GENERATE[sm4-armv8.S]=asm/sm4-armv8.pl -+INCLUDE[sm4-armv8.o]=.. -diff --git a/include/crypto/sm4_platform.h b/include/crypto/sm4_platform.h -new file mode 100644 -index 0000000000..42c8b44a43 ---- /dev/null -+++ b/include/crypto/sm4_platform.h -@@ -0,0 +1,48 @@ -+/* -+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. 
You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#ifndef OSSL_SM4_PLATFORM_H -+# define OSSL_SM4_PLATFORM_H -+# pragma once -+ -+# if defined(OPENSSL_CPUID_OBJ) -+# if (defined(__arm__) || defined(__arm) || defined(__aarch64__)) -+# include "arm_arch.h" -+# if __ARM_MAX_ARCH__>=8 -+# define HWSM4_CAPABLE (OPENSSL_armcap_P & ARMV8_SM4) -+# define HWSM4_set_encrypt_key sm4_v8_set_encrypt_key -+# define HWSM4_set_decrypt_key sm4_v8_set_decrypt_key -+# define HWSM4_encrypt sm4_v8_encrypt -+# define HWSM4_decrypt sm4_v8_decrypt -+# define HWSM4_cbc_encrypt sm4_v8_cbc_encrypt -+# define HWSM4_ecb_encrypt sm4_v8_ecb_encrypt -+# define HWSM4_ctr32_encrypt_blocks sm4_v8_ctr32_encrypt_blocks -+# endif -+# endif -+# endif /* OPENSSL_CPUID_OBJ */ -+ -+# if defined(HWSM4_CAPABLE) -+int HWSM4_set_encrypt_key(const unsigned char *userKey, SM4_KEY *key); -+int HWSM4_set_decrypt_key(const unsigned char *userKey, SM4_KEY *key); -+void HWSM4_encrypt(const unsigned char *in, unsigned char *out, -+ const SM4_KEY *key); -+void HWSM4_decrypt(const unsigned char *in, unsigned char *out, -+ const SM4_KEY *key); -+void HWSM4_cbc_encrypt(const unsigned char *in, unsigned char *out, -+ size_t length, const SM4_KEY *key, -+ unsigned char *ivec, const int enc); -+void HWSM4_ecb_encrypt(const unsigned char *in, unsigned char *out, -+ size_t length, const SM4_KEY *key, -+ const int enc); -+void HWSM4_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, -+ size_t len, const void *key, -+ const unsigned char ivec[16]); -+# endif /* HWSM4_CAPABLE */ -+ -+#endif /* OSSL_SM4_PLATFORM_H */ -diff --git a/providers/implementations/ciphers/cipher_sm4.h b/providers/implementations/ciphers/cipher_sm4.h -index f7f833fcb4..01a031a74d 100644 ---- a/providers/implementations/ciphers/cipher_sm4.h -+++ b/providers/implementations/ciphers/cipher_sm4.h -@@ -9,6 +9,7 @@ - - #include "prov/ciphercommon.h" - 
#include "crypto/sm4.h" -+#include "crypto/sm4_platform.h" - - typedef struct prov_cast_ctx_st { - PROV_CIPHER_CTX base; /* Must be first */ -diff --git a/providers/implementations/ciphers/cipher_sm4_gcm_hw.c b/providers/implementations/ciphers/cipher_sm4_gcm_hw.c -index 6bcd1ec406..c0c9b22bd3 100644 ---- a/providers/implementations/ciphers/cipher_sm4_gcm_hw.c -+++ b/providers/implementations/ciphers/cipher_sm4_gcm_hw.c -@@ -12,6 +12,7 @@ - */ - - #include "cipher_sm4_gcm.h" -+#include "crypto/sm4_platform.h" - - static int sm4_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key, - size_t keylen) -@@ -20,9 +21,22 @@ static int sm4_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key, - SM4_KEY *ks = &actx->ks.ks; - - ctx->ks = ks; -- ossl_sm4_set_key(key, ks); -- CRYPTO_gcm128_init(&ctx->gcm, ks, (block128_f)ossl_sm4_encrypt); -- ctx->ctr = (ctr128_f)NULL; -+# ifdef HWSM4_CAPABLE -+ if (HWSM4_CAPABLE) { -+ HWSM4_set_encrypt_key(key, ks); -+ CRYPTO_gcm128_init(&ctx->gcm, ks, (block128_f) HWSM4_encrypt); -+# ifdef HWSM4_ctr32_encrypt_blocks -+ ctx->ctr = (ctr128_f) HWSM4_ctr32_encrypt_blocks; -+# else /* HWSM4_ctr32_encrypt_blocks */ -+ ctx->ctr = (ctr128_f)NULL; -+# endif -+ } else -+# endif /* HWSM4_CAPABLE */ -+ { -+ ossl_sm4_set_key(key, ks); -+ CRYPTO_gcm128_init(&ctx->gcm, ks, (block128_f)ossl_sm4_encrypt); -+ ctx->ctr = (ctr128_f)NULL; -+ } - ctx->key_set = 1; - - return 1; -diff --git a/providers/implementations/ciphers/cipher_sm4_hw.c b/providers/implementations/ciphers/cipher_sm4_hw.c -index 0db04b1a74..4cd3d3d669 100644 ---- a/providers/implementations/ciphers/cipher_sm4_hw.c -+++ b/providers/implementations/ciphers/cipher_sm4_hw.c -@@ -15,14 +15,59 @@ static int cipher_hw_sm4_initkey(PROV_CIPHER_CTX *ctx, - PROV_SM4_CTX *sctx = (PROV_SM4_CTX *)ctx; - SM4_KEY *ks = &sctx->ks.ks; - -- ossl_sm4_set_key(key, ks); - ctx->ks = ks; - if (ctx->enc - || (ctx->mode != EVP_CIPH_ECB_MODE -- && ctx->mode != EVP_CIPH_CBC_MODE)) -- ctx->block = 
(block128_f)ossl_sm4_encrypt; -- else -- ctx->block = (block128_f)ossl_sm4_decrypt; -+ && ctx->mode != EVP_CIPH_CBC_MODE)) { -+#ifdef HWSM4_CAPABLE -+ if (HWSM4_CAPABLE) { -+ HWSM4_set_encrypt_key(key, ks); -+ ctx->block = (block128_f)HWSM4_encrypt; -+ ctx->stream.cbc = NULL; -+#ifdef HWSM4_cbc_encrypt -+ if (ctx->mode == EVP_CIPH_CBC_MODE) -+ ctx->stream.cbc = (cbc128_f)HWSM4_cbc_encrypt; -+ else -+#endif -+#ifdef HWSM4_ecb_encrypt -+ if (ctx->mode == EVP_CIPH_ECB_MODE) -+ ctx->stream.ecb = (ecb128_f)HWSM4_ecb_encrypt; -+ else -+#endif -+#ifdef HWSM4_ctr32_encrypt_blocks -+ if (ctx->mode == EVP_CIPH_CTR_MODE) -+ ctx->stream.ctr = (ctr128_f)HWSM4_ctr32_encrypt_blocks; -+ else -+#endif -+ (void)0; /* terminate potentially open 'else' */ -+ } else -+#endif -+ { -+ ossl_sm4_set_key(key, ks); -+ ctx->block = (block128_f)ossl_sm4_encrypt; -+ } -+ } else { -+#ifdef HWSM4_CAPABLE -+ if (HWSM4_CAPABLE) { -+ HWSM4_set_decrypt_key(key, ks); -+ ctx->block = (block128_f)HWSM4_decrypt; -+ ctx->stream.cbc = NULL; -+#ifdef HWSM4_cbc_encrypt -+ if (ctx->mode == EVP_CIPH_CBC_MODE) -+ ctx->stream.cbc = (cbc128_f)HWSM4_cbc_encrypt; -+#endif -+#ifdef HWSM4_ecb_encrypt -+ if (ctx->mode == EVP_CIPH_ECB_MODE) -+ ctx->stream.ecb = (ecb128_f)HWSM4_ecb_encrypt; -+#endif -+ } else -+#endif -+ { -+ ossl_sm4_set_key(key, ks); -+ ctx->block = (block128_f)ossl_sm4_decrypt; -+ } -+ } -+ - return 1; - } - -@@ -31,7 +76,7 @@ IMPLEMENT_CIPHER_HW_COPYCTX(cipher_hw_sm4_copyctx, PROV_SM4_CTX) - # define PROV_CIPHER_HW_sm4_mode(mode) \ - static const PROV_CIPHER_HW sm4_##mode = { \ - cipher_hw_sm4_initkey, \ -- ossl_cipher_hw_chunked_##mode, \ -+ ossl_cipher_hw_generic_##mode, \ - cipher_hw_sm4_copyctx \ - }; \ - const PROV_CIPHER_HW *ossl_prov_cipher_hw_sm4_##mode(size_t keybits) \ --- -2.37.3.windows.1 - 
diff --git a/Backport-aarch64-support-BTI-and-pointer-authentication-in-as.patch b/Backport-aarch64-support-BTI-and-pointer-authentication-in-as.patch
deleted file mode 100644
index 31852cb93573e787d35c6fd6ebc5582b81bb11c8..0000000000000000000000000000000000000000
--- a/Backport-aarch64-support-BTI-and-pointer-authentication-in-as.patch
+++ /dev/null
@@ -1,1521 +0,0 @@ -From 44b6e3d07ae5b09255710986e61035c862ec68aa Mon Sep 17 00:00:00 2001 -From: Russ Butler -Date: Sat, 28 Aug 2021 13:57:09 -0500 -Subject: [PATCH 01/13] aarch64: support BTI and pointer authentication in - assembly - -This change adds optional support for -- Armv8.3-A Pointer Authentication (PAuth) and -- Armv8.5-A Branch Target Identification (BTI) -features to the perl scripts. - -Both features can be enabled with additional compiler flags. -Unless any of these are enabled explicitly there is no code change at -all. - -The extensions are briefly described below. Please read the appropriate -chapters of the Arm Architecture Reference Manual for the complete -specification. - -Scope ------ - -This change only affects generated assembly code. - -Armv8.3-A Pointer Authentication --------------------------------- - -Pointer Authentication extension supports the authentication of the -contents of registers before they are used for indirect branching -or load. - -PAuth provides a probabilistic method to detect corruption of register -values. PAuth signing instructions generate a Pointer Authentication -Code (PAC) based on the value of a register, a seed and a key. -The generated PAC is inserted into the original value in the register. -A PAuth authentication instruction recomputes the PAC, and if it matches -the PAC in the register, restores its original value. In case of a -mismatch, an architecturally unmapped address is generated instead. - -With PAuth, mitigation against ROP (Return-oriented Programming) attacks -can be implemented. This is achieved by signing the contents of the -link-register (LR) before it is pushed to stack. Once LR is popped, -it is authenticated. This way a stack corruption which overwrites the -LR on the stack is detectable. - -The PAuth extension adds several new instructions, some of which are not -recognized by older hardware. 
To support a single codebase for both pre -Armv8.3-A targets and newer ones, only NOP-space instructions are added -by this patch. These instructions are treated as NOPs on hardware -which does not support Armv8.3-A. Furthermore, this patch only considers -cases where LR is saved to the stack and then restored before branching -to its content. There are cases in the code where LR is pushed to stack -but it is not used later. We do not address these cases as they are not -affected by PAuth. - -There are two keys available to sign an instruction address: A and B. -PACIASP and PACIBSP only differ in the used keys: A and B, respectively. -The keys are typically managed by the operating system. - -To enable generating code for PAuth compile with --mbranch-protection=: - -- standard or pac-ret: add PACIASP and AUTIASP, also enables BTI - (read below) -- pac-ret+b-key: add PACIBSP and AUTIBSP - -Armv8.5-A Branch Target Identification --------------------------------------- - -Branch Target Identification features some new instructions which -protect the execution of instructions on guarded pages which are not -intended branch targets. - -If Armv8.5-A is supported by the hardware, execution of an instruction -changes the value of PSTATE.BTYPE field. If an indirect branch -lands on a guarded page the target instruction must be one of the -BTI flavors, or in case of a direct call or jump it can be any -other instruction. If the target instruction is not compatible with the -value of PSTATE.BTYPE a Branch Target Exception is generated. - -In short, indirect jumps are compatible with BTI and while -indirect calls are compatible with BTI and . Please refer to the -specification for the details. - -Armv8.3-A PACIASP and PACIBSP are implicit branch target -identification instructions which are equivalent with BTI c or BTI jc -depending on system register configuration. 
- -BTI is used to mitigate JOP (Jump-oriented Programming) attacks by -limiting the set of instructions which can be jumped to. - -BTI requires active linker support to mark the pages with BTI-enabled -code as guarded. For ELF64 files BTI compatibility is recorded in the -.note.gnu.property section. For a shared object or static binary it is -required that all linked units support BTI. This means that even a -single assembly file without the required note section turns-off BTI -for the whole binary or shared object. - -The new BTI instructions are treated as NOPs on hardware which does -not support Armv8.5-A or on pages which are not guarded. - -To insert this new and optional instruction compile with --mbranch-protection=standard (also enables PAuth) or +bti. - -When targeting a guarded page from a non-guarded page, weaker -compatibility restrictions apply to maintain compatibility between -legacy and new code. For detailed rules please refer to the Arm ARM. - -Compiler support ----------------- - -Compiler support requires understanding '-mbranch-protection=' -and emitting the appropriate feature macros (__ARM_FEATURE_BTI_DEFAULT -and __ARM_FEATURE_PAC_DEFAULT). The current state is the following: - -------------------------------------------------------- -| Compiler | -mbranch-protection | Feature macros | -+----------+---------------------+--------------------+ -| clang | 9.0.0 | 11.0.0 | -+----------+---------------------+--------------------+ -| gcc | 9 | expected in 10.1+ | -------------------------------------------------------- - -Available Platforms ------------------- - -Arm Fast Model and QEMU support both extensions. - -https://developer.arm.com/tools-and-software/simulation-models/fast-models -https://www.qemu.org/ - -Implementation Notes --------------------- - -This change adds BTI landing pads even to assembly functions which are -likely to be directly called only. 
In these cases, landing pads might -be superfluous depending on what code the linker generates. -Code size and performance impact for these cases would be negligible. - -Interaction with C code ------------------------ - -Pointer Authentication is a per-frame protection while Branch Target -Identification can be turned on and off only for all code pages of a -whole shared object or static binary. Because of these properties if -C/C++ code is compiled without any of the above features but assembly -files support any of them unconditionally there is no incompatibility -between the two. - -Useful Links ------------- - -To fully understand the details of both PAuth and BTI it is advised to -read the related chapters of the Arm Architecture Reference Manual -(Arm ARM): -https://developer.arm.com/documentation/ddi0487/latest/ - -Additional materials: - -"Providing protection for complex software" -https://developer.arm.com/architectures/learn-the-architecture/providing-protection-for-complex-software - -Arm Compiler Reference Guide Version 6.14: -mbranch-protection -https://developer.arm.com/documentation/101754/0614/armclang-Reference/armclang-Command-line-Options/-mbranch-protection?lang=en - -Arm C Language Extensions (ACLE) -https://developer.arm.com/docs/101028/latest - -Addional Notes --------------- - -This patch is a copy of the work done by Tamas Petz in boringssl. 
It -contains the changes from the following commits: - -aarch64: support BTI and pointer authentication in assembly - Change-Id: I4335f92e2ccc8e209c7d68a0a79f1acdf3aeb791 - URL: https://boringssl-review.googlesource.com/c/boringssl/+/42084 -aarch64: Improve conditional compilation - Change-Id: I14902a64e5f403c2b6a117bc9f5fb1a4f4611ebf - URL: https://boringssl-review.googlesource.com/c/boringssl/+/43524 -aarch64: Fix name of gnu property note section - Change-Id: I6c432d1c852129e9c273f6469a8b60e3983671ec - URL: https://boringssl-review.googlesource.com/c/boringssl/+/44024 - -Change-Id: I2d95ebc5e4aeb5610d3b226f9754ee80cf74a9af - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/16674) ---- - crypto/aes/asm/aesv8-armx.pl | 18 +++++++- - crypto/aes/asm/vpaes-armv8.pl | 39 ++++++++-------- - crypto/aes/build.info | 1 + - crypto/arm64cpuid.pl | 10 +++++ - crypto/arm_arch.h | 58 ++++++++++++++++++++++++ - crypto/bn/asm/armv8-mont.pl | 19 +++++--- - crypto/chacha/asm/chacha-armv8.pl | 18 ++++---- - crypto/ec/asm/ecp_nistz256-armv8.pl | 64 ++++++++++++++++----------- - crypto/modes/asm/aes-gcm-armv8_64.pl | 6 +++ - crypto/modes/asm/ghashv8-armx.pl | 11 +++++ - crypto/poly1305/asm/poly1305-armv8.pl | 17 ++++++- - crypto/sha/asm/keccak1600-armv8.pl | 30 +++++++------ - crypto/sha/asm/sha1-armv8.pl | 5 ++- - crypto/sha/asm/sha512-armv8.pl | 11 +++-- - crypto/sha/build.info | 1 + - 15 files changed, 228 insertions(+), 80 deletions(-) - -diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl -index 6a7bf05d1b..ed5ae4207c 100755 ---- a/crypto/aes/asm/aesv8-armx.pl -+++ b/crypto/aes/asm/aesv8-armx.pl -@@ -120,6 +120,8 @@ ${prefix}_set_encrypt_key: - .Lenc_key: - ___ - $code.=<<___ if ($flavour =~ /64/); -+ AARCH64_VALID_CALL_TARGET -+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. - stp x29,x30,[sp,#-16]! 
- add x29,sp,#0 - ___ -@@ -295,7 +297,7 @@ $code.=<<___; - ${prefix}_set_decrypt_key: - ___ - $code.=<<___ if ($flavour =~ /64/); -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - ___ -@@ -339,7 +341,7 @@ $code.=<<___ if ($flavour !~ /64/); - ___ - $code.=<<___ if ($flavour =~ /64/); - ldp x29,x30,[sp],#16 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - ___ - $code.=<<___; -@@ -359,6 +361,11 @@ $code.=<<___; - .type ${prefix}_${dir}crypt,%function - .align 5 - ${prefix}_${dir}crypt: -+___ -+$code.=<<___ if ($flavour =~ /64/); -+ AARCH64_VALID_CALL_TARGET -+___ -+$code.=<<___; - ldr $rounds,[$key,#240] - vld1.32 {$rndkey0},[$key],#16 - vld1.8 {$inout},[$inp] -@@ -442,6 +449,7 @@ $code.=<<___; - ${prefix}_ecb_encrypt: - ___ - $code.=<<___ if ($flavour =~ /64/); -+ AARCH64_VALID_CALL_TARGET - subs $len,$len,#16 - // Original input data size bigger than 16, jump to big size processing. - b.ne .Lecb_big_size -@@ -1236,6 +1244,8 @@ $code.=<<___; - ${prefix}_cbc_encrypt: - ___ - $code.=<<___ if ($flavour =~ /64/); -+ AARCH64_VALID_CALL_TARGET -+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - ___ -@@ -1764,6 +1774,8 @@ $code.=<<___; - ${prefix}_ctr32_encrypt_blocks: - ___ - $code.=<<___ if ($flavour =~ /64/); -+ AARCH64_VALID_CALL_TARGET -+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - ___ -@@ -2256,6 +2268,7 @@ $code.=<<___ if ($flavour =~ /64/); - ${prefix}_xts_encrypt: - ___ - $code.=<<___ if ($flavour =~ /64/); -+ AARCH64_VALID_CALL_TARGET - cmp $len,#16 - // Original input data size bigger than 16, jump to big size processing. 
- b.ne .Lxts_enc_big_size -@@ -2930,6 +2943,7 @@ $code.=<<___ if ($flavour =~ /64/); - .type ${prefix}_xts_decrypt,%function - .align 5 - ${prefix}_xts_decrypt: -+ AARCH64_VALID_CALL_TARGET - ___ - $code.=<<___ if ($flavour =~ /64/); - cmp $len,#16 -diff --git a/crypto/aes/asm/vpaes-armv8.pl b/crypto/aes/asm/vpaes-armv8.pl -index dcd5065e68..49988e9c2b 100755 ---- a/crypto/aes/asm/vpaes-armv8.pl -+++ b/crypto/aes/asm/vpaes-armv8.pl -@@ -53,6 +53,8 @@ open OUT,"| \"$^X\" $xlate $flavour \"$output\"" - *STDOUT=*OUT; - - $code.=<<___; -+#include "arm_arch.h" -+ - .text - - .type _vpaes_consts,%object -@@ -259,7 +261,7 @@ _vpaes_encrypt_core: - .type vpaes_encrypt,%function - .align 4 - vpaes_encrypt: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - -@@ -269,7 +271,7 @@ vpaes_encrypt: - st1 {v0.16b}, [$out] - - ldp x29,x30,[sp],#16 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size vpaes_encrypt,.-vpaes_encrypt - -@@ -492,7 +494,7 @@ _vpaes_decrypt_core: - .type vpaes_decrypt,%function - .align 4 - vpaes_decrypt: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - -@@ -502,7 +504,7 @@ vpaes_decrypt: - st1 {v0.16b}, [$out] - - ldp x29,x30,[sp],#16 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size vpaes_decrypt,.-vpaes_decrypt - -@@ -673,7 +675,7 @@ _vpaes_key_preheat: - .type _vpaes_schedule_core,%function - .align 4 - _vpaes_schedule_core: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29, x30, [sp,#-16]! 
- add x29,sp,#0 - -@@ -838,7 +840,7 @@ _vpaes_schedule_core: - eor v6.16b, v6.16b, v6.16b // vpxor %xmm6, %xmm6, %xmm6 - eor v7.16b, v7.16b, v7.16b // vpxor %xmm7, %xmm7, %xmm7 - ldp x29, x30, [sp],#16 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size _vpaes_schedule_core,.-_vpaes_schedule_core - -@@ -1051,7 +1053,7 @@ _vpaes_schedule_mangle: - .type vpaes_set_encrypt_key,%function - .align 4 - vpaes_set_encrypt_key: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - stp d8,d9,[sp,#-16]! // ABI spec says so -@@ -1067,7 +1069,7 @@ vpaes_set_encrypt_key: - - ldp d8,d9,[sp],#16 - ldp x29,x30,[sp],#16 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size vpaes_set_encrypt_key,.-vpaes_set_encrypt_key - -@@ -1075,7 +1077,7 @@ vpaes_set_encrypt_key: - .type vpaes_set_decrypt_key,%function - .align 4 - vpaes_set_decrypt_key: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - stp d8,d9,[sp,#-16]! // ABI spec says so -@@ -1095,7 +1097,7 @@ vpaes_set_decrypt_key: - - ldp d8,d9,[sp],#16 - ldp x29,x30,[sp],#16 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size vpaes_set_decrypt_key,.-vpaes_set_decrypt_key - ___ -@@ -1108,11 +1110,11 @@ $code.=<<___; - .type vpaes_cbc_encrypt,%function - .align 4 - vpaes_cbc_encrypt: -+ AARCH64_SIGN_LINK_REGISTER - cbz $len, .Lcbc_abort - cmp w5, #0 // check direction - b.eq vpaes_cbc_decrypt - -- .inst 0xd503233f // paciasp - stp x29,x30,[sp,#-16]! 
- add x29,sp,#0 - -@@ -1135,15 +1137,16 @@ vpaes_cbc_encrypt: - st1 {v0.16b}, [$ivec] // write ivec - - ldp x29,x30,[sp],#16 -- .inst 0xd50323bf // autiasp - .Lcbc_abort: -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size vpaes_cbc_encrypt,.-vpaes_cbc_encrypt - - .type vpaes_cbc_decrypt,%function - .align 4 - vpaes_cbc_decrypt: -- .inst 0xd503233f // paciasp -+ // Not adding AARCH64_SIGN_LINK_REGISTER here because vpaes_cbc_decrypt is jumped to -+ // only from vpaes_cbc_encrypt which has already signed the return address. - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - stp d8,d9,[sp,#-16]! // ABI spec says so -@@ -1185,7 +1188,7 @@ vpaes_cbc_decrypt: - ldp d10,d11,[sp],#16 - ldp d8,d9,[sp],#16 - ldp x29,x30,[sp],#16 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size vpaes_cbc_decrypt,.-vpaes_cbc_decrypt - ___ -@@ -1195,7 +1198,7 @@ $code.=<<___; - .type vpaes_ecb_encrypt,%function - .align 4 - vpaes_ecb_encrypt: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - stp d8,d9,[sp,#-16]! // ABI spec says so -@@ -1229,7 +1232,7 @@ vpaes_ecb_encrypt: - ldp d10,d11,[sp],#16 - ldp d8,d9,[sp],#16 - ldp x29,x30,[sp],#16 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size vpaes_ecb_encrypt,.-vpaes_ecb_encrypt - -@@ -1237,7 +1240,7 @@ vpaes_ecb_encrypt: - .type vpaes_ecb_decrypt,%function - .align 4 - vpaes_ecb_decrypt: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - stp d8,d9,[sp,#-16]! 
// ABI spec says so -@@ -1271,7 +1274,7 @@ vpaes_ecb_decrypt: - ldp d10,d11,[sp],#16 - ldp d8,d9,[sp],#16 - ldp x29,x30,[sp],#16 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size vpaes_ecb_decrypt,.-vpaes_ecb_decrypt - ___ -diff --git a/crypto/aes/build.info b/crypto/aes/build.info -index b250903fa6..47f99fdf33 100644 ---- a/crypto/aes/build.info -+++ b/crypto/aes/build.info -@@ -116,6 +116,7 @@ INCLUDE[aes-mips.o]=.. - GENERATE[aesv8-armx.S]=asm/aesv8-armx.pl - INCLUDE[aesv8-armx.o]=.. - GENERATE[vpaes-armv8.S]=asm/vpaes-armv8.pl -+INCLUDE[vpaes-armv8.o]=.. - - GENERATE[aes-armv4.S]=asm/aes-armv4.pl - INCLUDE[aes-armv4.o]=.. -diff --git a/crypto/arm64cpuid.pl b/crypto/arm64cpuid.pl -index ac76dd449f..11f0e50279 100755 ---- a/crypto/arm64cpuid.pl -+++ b/crypto/arm64cpuid.pl -@@ -31,6 +31,7 @@ $code.=<<___; - .globl _armv7_neon_probe - .type _armv7_neon_probe,%function - _armv7_neon_probe: -+ AARCH64_VALID_CALL_TARGET - orr v15.16b, v15.16b, v15.16b - ret - .size _armv7_neon_probe,.-_armv7_neon_probe -@@ -38,6 +39,7 @@ _armv7_neon_probe: - .globl _armv7_tick - .type _armv7_tick,%function - _armv7_tick: -+ AARCH64_VALID_CALL_TARGET - #ifdef __APPLE__ - mrs x0, CNTPCT_EL0 - #else -@@ -49,6 +51,7 @@ _armv7_tick: - .globl _armv8_aes_probe - .type _armv8_aes_probe,%function - _armv8_aes_probe: -+ AARCH64_VALID_CALL_TARGET - aese v0.16b, v0.16b - ret - .size _armv8_aes_probe,.-_armv8_aes_probe -@@ -56,6 +59,7 @@ _armv8_aes_probe: - .globl _armv8_sha1_probe - .type _armv8_sha1_probe,%function - _armv8_sha1_probe: -+ AARCH64_VALID_CALL_TARGET - sha1h s0, s0 - ret - .size _armv8_sha1_probe,.-_armv8_sha1_probe -@@ -63,6 +67,7 @@ _armv8_sha1_probe: - .globl _armv8_sha256_probe - .type _armv8_sha256_probe,%function - _armv8_sha256_probe: -+ AARCH64_VALID_CALL_TARGET - sha256su0 v0.4s, v0.4s - ret - .size _armv8_sha256_probe,.-_armv8_sha256_probe -@@ -70,6 +75,7 @@ _armv8_sha256_probe: - .globl _armv8_pmull_probe - .type _armv8_pmull_probe,%function 
- _armv8_pmull_probe: -+ AARCH64_VALID_CALL_TARGET - pmull v0.1q, v0.1d, v0.1d - ret - .size _armv8_pmull_probe,.-_armv8_pmull_probe -@@ -77,6 +83,7 @@ _armv8_pmull_probe: - .globl _armv8_sha512_probe - .type _armv8_sha512_probe,%function - _armv8_sha512_probe: -+ AARCH64_VALID_CALL_TARGET - .long 0xcec08000 // sha512su0 v0.2d,v0.2d - ret - .size _armv8_sha512_probe,.-_armv8_sha512_probe -@@ -84,6 +91,7 @@ _armv8_sha512_probe: - .globl _armv8_cpuid_probe - .type _armv8_cpuid_probe,%function - _armv8_cpuid_probe: -+ AARCH64_VALID_CALL_TARGET - mrs x0, midr_el1 - ret - .size _armv8_cpuid_probe,.-_armv8_cpuid_probe -@@ -92,6 +100,7 @@ _armv8_cpuid_probe: - .type OPENSSL_cleanse,%function - .align 5 - OPENSSL_cleanse: -+ AARCH64_VALID_CALL_TARGET - cbz x1,.Lret // len==0? - cmp x1,#15 - b.hi .Lot // len>15 -@@ -123,6 +132,7 @@ OPENSSL_cleanse: - .type CRYPTO_memcmp,%function - .align 4 - CRYPTO_memcmp: -+ AARCH64_VALID_CALL_TARGET - eor w3,w3,w3 - cbz x2,.Lno_data // len==0? - cmp x2,#16 -diff --git a/crypto/arm_arch.h b/crypto/arm_arch.h -index 45d7e15564..a815a5c72b 100644 ---- a/crypto/arm_arch.h -+++ b/crypto/arm_arch.h -@@ -126,4 +126,62 @@ extern unsigned int OPENSSL_armv8_rsa_neonized; - - # define MIDR_IS_CPU_MODEL(midr, imp, partnum) \ - (((midr) & MIDR_CPU_MODEL_MASK) == MIDR_CPU_MODEL(imp, partnum)) -+ -+#if defined(__ASSEMBLER__) -+ -+ /* -+ * Support macros for -+ * - Armv8.3-A Pointer Authentication and -+ * - Armv8.5-A Branch Target Identification -+ * features which require emitting a .note.gnu.property section with the -+ * appropriate architecture-dependent feature bits set. 
-+ * Read more: "ELF for the Arm® 64-bit Architecture" -+ */ -+ -+# if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1 -+# define GNU_PROPERTY_AARCH64_BTI (1 << 0) /* Has Branch Target Identification */ -+# define AARCH64_VALID_CALL_TARGET hint #34 /* BTI 'c' */ -+# else -+# define GNU_PROPERTY_AARCH64_BTI 0 /* No Branch Target Identification */ -+# define AARCH64_VALID_CALL_TARGET -+# endif -+ -+# if defined(__ARM_FEATURE_PAC_DEFAULT) && \ -+ (__ARM_FEATURE_PAC_DEFAULT & 1) == 1 /* Signed with A-key */ -+# define GNU_PROPERTY_AARCH64_POINTER_AUTH \ -+ (1 << 1) /* Has Pointer Authentication */ -+# define AARCH64_SIGN_LINK_REGISTER hint #25 /* PACIASP */ -+# define AARCH64_VALIDATE_LINK_REGISTER hint #29 /* AUTIASP */ -+# elif defined(__ARM_FEATURE_PAC_DEFAULT) && \ -+ (__ARM_FEATURE_PAC_DEFAULT & 2) == 2 /* Signed with B-key */ -+# define GNU_PROPERTY_AARCH64_POINTER_AUTH \ -+ (1 << 1) /* Has Pointer Authentication */ -+# define AARCH64_SIGN_LINK_REGISTER hint #27 /* PACIBSP */ -+# define AARCH64_VALIDATE_LINK_REGISTER hint #31 /* AUTIBSP */ -+# else -+# define GNU_PROPERTY_AARCH64_POINTER_AUTH 0 /* No Pointer Authentication */ -+# if GNU_PROPERTY_AARCH64_BTI != 0 -+# define AARCH64_SIGN_LINK_REGISTER AARCH64_VALID_CALL_TARGET -+# else -+# define AARCH64_SIGN_LINK_REGISTER -+# endif -+# define AARCH64_VALIDATE_LINK_REGISTER -+# endif -+ -+# if GNU_PROPERTY_AARCH64_POINTER_AUTH != 0 || GNU_PROPERTY_AARCH64_BTI != 0 -+ .pushsection .note.gnu.property, "a"; -+ .balign 8; -+ .long 4; -+ .long 0x10; -+ .long 0x5; -+ .asciz "GNU"; -+ .long 0xc0000000; /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */ -+ .long 4; -+ .long (GNU_PROPERTY_AARCH64_POINTER_AUTH | GNU_PROPERTY_AARCH64_BTI); -+ .long 0; -+ .popsection; -+# endif -+ -+# endif /* defined __ASSEMBLER__ */ -+ - #endif -diff --git a/crypto/bn/asm/armv8-mont.pl b/crypto/bn/asm/armv8-mont.pl -index 54d2e8245f..21ab12bdf0 100755 ---- a/crypto/bn/asm/armv8-mont.pl -+++ b/crypto/bn/asm/armv8-mont.pl -@@ -67,8 
+67,8 @@ $n0="x4"; # const BN_ULONG *n0, - $num="x5"; # int num); - - $code.=<<___; -+#include "arm_arch.h" - #ifndef __KERNEL__ --# include "arm_arch.h" - .extern OPENSSL_armv8_rsa_neonized - .hidden OPENSSL_armv8_rsa_neonized - #endif -@@ -78,6 +78,7 @@ $code.=<<___; - .type bn_mul_mont,%function - .align 5 - bn_mul_mont: -+ AARCH64_SIGN_LINK_REGISTER - .Lbn_mul_mont: - tst $num,#3 - b.ne .Lmul_mont -@@ -288,6 +289,7 @@ bn_mul_mont: - mov x0,#1 - ldp x23,x24,[x29,#48] - ldr x29,[sp],#64 -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size bn_mul_mont,.-bn_mul_mont - ___ -@@ -309,6 +311,8 @@ $code.=<<___; - .type bn_mul8x_mont_neon,%function - .align 5 - bn_mul8x_mont_neon: -+ // Not adding AARCH64_SIGN_LINK_REGISTER here because bn_mul8x_mont_neon is jumped to -+ // only from bn_mul_mont which has already signed the return address. - stp x29,x30,[sp,#-80]! - mov x16,sp - stp d8,d9,[sp,#16] -@@ -649,6 +653,7 @@ $code.=<<___; - ldp d10,d11,[sp,#32] - ldp d8,d9,[sp,#16] - ldr x29,[sp],#80 -+ AARCH64_VALIDATE_LINK_REGISTER - ret // bx lr - - .size bn_mul8x_mont_neon,.-bn_mul8x_mont_neon -@@ -671,7 +676,8 @@ __bn_sqr8x_mont: - cmp $ap,$bp - b.ne __bn_mul4x_mont - .Lsqr8x_mont: -- .inst 0xd503233f // paciasp -+ // Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_sqr8x_mont is jumped to -+ // only from bn_mul_mont which has already signed the return address. - stp x29,x30,[sp,#-128]! 
- add x29,sp,#0 - stp x19,x20,[sp,#16] -@@ -1425,7 +1431,8 @@ $code.=<<___; - ldp x25,x26,[x29,#64] - ldp x27,x28,[x29,#80] - ldr x29,[sp],#128 -- .inst 0xd50323bf // autiasp -+ // x30 is loaded earlier -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size __bn_sqr8x_mont,.-__bn_sqr8x_mont - ___ -@@ -1449,7 +1456,8 @@ $code.=<<___; - .type __bn_mul4x_mont,%function - .align 5 - __bn_mul4x_mont: -- .inst 0xd503233f // paciasp -+ // Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_mul4x_mont is jumped to -+ // only from bn_mul_mont (or __bn_sqr8x_mont from bn_mul_mont) which has already signed the return address. - stp x29,x30,[sp,#-128]! - add x29,sp,#0 - stp x19,x20,[sp,#16] -@@ -1883,7 +1891,8 @@ __bn_mul4x_mont: - ldp x25,x26,[x29,#64] - ldp x27,x28,[x29,#80] - ldr x29,[sp],#128 -- .inst 0xd50323bf // autiasp -+ // x30 loaded earlier -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size __bn_mul4x_mont,.-__bn_mul4x_mont - ___ -diff --git a/crypto/chacha/asm/chacha-armv8.pl b/crypto/chacha/asm/chacha-armv8.pl -index dcdc4a04e3..e1a8b81594 100755 ---- a/crypto/chacha/asm/chacha-armv8.pl -+++ b/crypto/chacha/asm/chacha-armv8.pl -@@ -132,8 +132,8 @@ my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2)); - } - - $code.=<<___; -+#include "arm_arch.h" - #ifndef __KERNEL__ --# include "arm_arch.h" - .extern OPENSSL_armcap_P - .hidden OPENSSL_armcap_P - #endif -@@ -153,6 +153,7 @@ $code.=<<___; - .type ChaCha20_ctr32,%function - .align 5 - ChaCha20_ctr32: -+ AARCH64_SIGN_LINK_REGISTER - cbz $len,.Labort - cmp $len,#192 - b.lo .Lshort -@@ -165,7 +166,6 @@ ChaCha20_ctr32: - #endif - - .Lshort: -- .inst 0xd503233f // paciasp - stp x29,x30,[sp,#-96]! 
- add x29,sp,#0 - -@@ -285,8 +285,8 @@ $code.=<<___; - ldp x25,x26,[x29,#64] - ldp x27,x28,[x29,#80] - ldp x29,x30,[sp],#96 -- .inst 0xd50323bf // autiasp - .Labort: -+ AARCH64_VALIDATE_LINK_REGISTER - ret - - .align 4 -@@ -342,7 +342,7 @@ $code.=<<___; - ldp x25,x26,[x29,#64] - ldp x27,x28,[x29,#80] - ldp x29,x30,[sp],#96 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size ChaCha20_ctr32,.-ChaCha20_ctr32 - ___ -@@ -432,8 +432,8 @@ $code.=<<___; - .type ChaCha20_neon,%function - .align 5 - ChaCha20_neon: -+ AARCH64_SIGN_LINK_REGISTER - .LChaCha20_neon: -- .inst 0xd503233f // paciasp - stp x29,x30,[sp,#-96]! - add x29,sp,#0 - -@@ -667,7 +667,7 @@ $code.=<<___; - ldp x25,x26,[x29,#64] - ldp x27,x28,[x29,#80] - ldp x29,x30,[sp],#96 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - - .align 4 -@@ -799,7 +799,7 @@ $code.=<<___; - ldp x25,x26,[x29,#64] - ldp x27,x28,[x29,#80] - ldp x29,x30,[sp],#96 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size ChaCha20_neon,.-ChaCha20_neon - ___ -@@ -844,7 +844,7 @@ $code.=<<___; - .type ChaCha20_512_neon,%function - .align 5 - ChaCha20_512_neon: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-96]! - add x29,sp,#0 - -@@ -1268,7 +1268,7 @@ $code.=<<___; - ldp x25,x26,[x29,#64] - ldp x27,x28,[x29,#80] - ldp x29,x30,[sp],#96 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size ChaCha20_512_neon,.-ChaCha20_512_neon - ___ -diff --git a/crypto/ec/asm/ecp_nistz256-armv8.pl b/crypto/ec/asm/ecp_nistz256-armv8.pl -index 81ee3947d7..6c5d0e8b3c 100644 ---- a/crypto/ec/asm/ecp_nistz256-armv8.pl -+++ b/crypto/ec/asm/ecp_nistz256-armv8.pl -@@ -122,7 +122,7 @@ $code.=<<___; - .type ecp_nistz256_to_mont,%function - .align 6 - ecp_nistz256_to_mont: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-32]! 
- add x29,sp,#0 - stp x19,x20,[sp,#16] -@@ -138,7 +138,7 @@ ecp_nistz256_to_mont: - - ldp x19,x20,[sp,#16] - ldp x29,x30,[sp],#32 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size ecp_nistz256_to_mont,.-ecp_nistz256_to_mont - -@@ -147,7 +147,7 @@ ecp_nistz256_to_mont: - .type ecp_nistz256_from_mont,%function - .align 4 - ecp_nistz256_from_mont: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-32]! - add x29,sp,#0 - stp x19,x20,[sp,#16] -@@ -163,7 +163,7 @@ ecp_nistz256_from_mont: - - ldp x19,x20,[sp,#16] - ldp x29,x30,[sp],#32 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size ecp_nistz256_from_mont,.-ecp_nistz256_from_mont - -@@ -173,7 +173,7 @@ ecp_nistz256_from_mont: - .type ecp_nistz256_mul_mont,%function - .align 4 - ecp_nistz256_mul_mont: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-32]! - add x29,sp,#0 - stp x19,x20,[sp,#16] -@@ -188,7 +188,7 @@ ecp_nistz256_mul_mont: - - ldp x19,x20,[sp,#16] - ldp x29,x30,[sp],#32 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont - -@@ -197,7 +197,7 @@ ecp_nistz256_mul_mont: - .type ecp_nistz256_sqr_mont,%function - .align 4 - ecp_nistz256_sqr_mont: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-32]! - add x29,sp,#0 - stp x19,x20,[sp,#16] -@@ -211,7 +211,7 @@ ecp_nistz256_sqr_mont: - - ldp x19,x20,[sp,#16] - ldp x29,x30,[sp],#32 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont - -@@ -221,7 +221,7 @@ ecp_nistz256_sqr_mont: - .type ecp_nistz256_add,%function - .align 4 - ecp_nistz256_add: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! 
- add x29,sp,#0 - -@@ -235,7 +235,7 @@ ecp_nistz256_add: - bl __ecp_nistz256_add - - ldp x29,x30,[sp],#16 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size ecp_nistz256_add,.-ecp_nistz256_add - -@@ -244,7 +244,7 @@ ecp_nistz256_add: - .type ecp_nistz256_div_by_2,%function - .align 4 - ecp_nistz256_div_by_2: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - -@@ -256,7 +256,7 @@ ecp_nistz256_div_by_2: - bl __ecp_nistz256_div_by_2 - - ldp x29,x30,[sp],#16 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size ecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2 - -@@ -265,7 +265,7 @@ ecp_nistz256_div_by_2: - .type ecp_nistz256_mul_by_2,%function - .align 4 - ecp_nistz256_mul_by_2: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - -@@ -281,7 +281,7 @@ ecp_nistz256_mul_by_2: - bl __ecp_nistz256_add // ret = a+a // 2*a - - ldp x29,x30,[sp],#16 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size ecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2 - -@@ -290,7 +290,7 @@ ecp_nistz256_mul_by_2: - .type ecp_nistz256_mul_by_3,%function - .align 4 - ecp_nistz256_mul_by_3: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - -@@ -317,7 +317,7 @@ ecp_nistz256_mul_by_3: - bl __ecp_nistz256_add // ret += a // 2*a+a=3*a - - ldp x29,x30,[sp],#16 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size ecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3 - -@@ -327,7 +327,7 @@ ecp_nistz256_mul_by_3: - .type ecp_nistz256_sub,%function - .align 4 - ecp_nistz256_sub: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! 
- add x29,sp,#0 - -@@ -339,7 +339,7 @@ ecp_nistz256_sub: - bl __ecp_nistz256_sub_from - - ldp x29,x30,[sp],#16 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size ecp_nistz256_sub,.-ecp_nistz256_sub - -@@ -348,7 +348,7 @@ ecp_nistz256_sub: - .type ecp_nistz256_neg,%function - .align 4 - ecp_nistz256_neg: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - -@@ -363,7 +363,7 @@ ecp_nistz256_neg: - bl __ecp_nistz256_sub_from - - ldp x29,x30,[sp],#16 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size ecp_nistz256_neg,.-ecp_nistz256_neg - -@@ -724,7 +724,7 @@ $code.=<<___; - .type ecp_nistz256_point_double,%function - .align 5 - ecp_nistz256_point_double: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-96]! - add x29,sp,#0 - stp x19,x20,[sp,#16] -@@ -859,7 +859,7 @@ ecp_nistz256_point_double: - ldp x19,x20,[x29,#16] - ldp x21,x22,[x29,#32] - ldp x29,x30,[sp],#96 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size ecp_nistz256_point_double,.-ecp_nistz256_point_double - ___ -@@ -882,7 +882,7 @@ $code.=<<___; - .type ecp_nistz256_point_add,%function - .align 5 - ecp_nistz256_point_add: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-96]! - add x29,sp,#0 - stp x19,x20,[sp,#16] -@@ -1117,7 +1117,7 @@ $code.=<<___; - ldp x25,x26,[x29,#64] - ldp x27,x28,[x29,#80] - ldp x29,x30,[sp],#96 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size ecp_nistz256_point_add,.-ecp_nistz256_point_add - ___ -@@ -1139,7 +1139,7 @@ $code.=<<___; - .type ecp_nistz256_point_add_affine,%function - .align 5 - ecp_nistz256_point_add_affine: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-80]! 
- add x29,sp,#0 - stp x19,x20,[sp,#16] -@@ -1328,7 +1328,7 @@ $code.=<<___; - ldp x23,x24,[x29,#48] - ldp x25,x26,[x29,#64] - ldp x29,x30,[sp],#80 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine - ___ -@@ -1346,6 +1346,8 @@ $code.=<<___; - .type ecp_nistz256_ord_mul_mont,%function - .align 4 - ecp_nistz256_ord_mul_mont: -+ AARCH64_VALID_CALL_TARGET -+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. - stp x29,x30,[sp,#-64]! - add x29,sp,#0 - stp x19,x20,[sp,#16] -@@ -1487,6 +1489,8 @@ $code.=<<___; - .type ecp_nistz256_ord_sqr_mont,%function - .align 4 - ecp_nistz256_ord_sqr_mont: -+ AARCH64_VALID_CALL_TARGET -+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. - stp x29,x30,[sp,#-64]! - add x29,sp,#0 - stp x19,x20,[sp,#16] -@@ -1641,6 +1645,8 @@ $code.=<<___; - .type ecp_nistz256_scatter_w5,%function - .align 4 - ecp_nistz256_scatter_w5: -+ AARCH64_VALID_CALL_TARGET -+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - -@@ -1703,6 +1709,8 @@ ecp_nistz256_scatter_w5: - .type ecp_nistz256_gather_w5,%function - .align 4 - ecp_nistz256_gather_w5: -+ AARCH64_VALID_CALL_TARGET -+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - -@@ -1780,6 +1788,8 @@ ecp_nistz256_gather_w5: - .type ecp_nistz256_scatter_w7,%function - .align 4 - ecp_nistz256_scatter_w7: -+ AARCH64_VALID_CALL_TARGET -+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - -@@ -1824,6 +1834,8 @@ ecp_nistz256_scatter_w7: - .type ecp_nistz256_gather_w7,%function - .align 4 - ecp_nistz256_gather_w7: -+ AARCH64_VALID_CALL_TARGET -+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. - stp x29,x30,[sp,#-16]! 
- add x29,sp,#0 - -diff --git a/crypto/modes/asm/aes-gcm-armv8_64.pl b/crypto/modes/asm/aes-gcm-armv8_64.pl -index 3b9d5b6511..ff5809ec22 100755 ---- a/crypto/modes/asm/aes-gcm-armv8_64.pl -+++ b/crypto/modes/asm/aes-gcm-armv8_64.pl -@@ -256,6 +256,7 @@ $code.=<<___; - .type aes_gcm_enc_128_kernel,%function - .align 4 - aes_gcm_enc_128_kernel: -+ AARCH64_VALID_CALL_TARGET - cbz x1, .L128_enc_ret - stp x19, x20, [sp, #-112]! - mov x16, x4 -@@ -1089,6 +1090,7 @@ $code.=<<___; - .type aes_gcm_dec_128_kernel,%function - .align 4 - aes_gcm_dec_128_kernel: -+ AARCH64_VALID_CALL_TARGET - cbz x1, .L128_dec_ret - stp x19, x20, [sp, #-112]! - mov x16, x4 -@@ -1973,6 +1975,7 @@ $code.=<<___; - .type aes_gcm_enc_192_kernel,%function - .align 4 - aes_gcm_enc_192_kernel: -+ AARCH64_VALID_CALL_TARGET - cbz x1, .L192_enc_ret - stp x19, x20, [sp, #-112]! - mov x16, x4 -@@ -2858,6 +2861,7 @@ $code.=<<___; - .type aes_gcm_dec_192_kernel,%function - .align 4 - aes_gcm_dec_192_kernel: -+ AARCH64_VALID_CALL_TARGET - cbz x1, .L192_dec_ret - stp x19, x20, [sp, #-112]! - mov x16, x4 -@@ -3797,6 +3801,7 @@ $code.=<<___; - .type aes_gcm_enc_256_kernel,%function - .align 4 - aes_gcm_enc_256_kernel: -+ AARCH64_VALID_CALL_TARGET - cbz x1, .L256_enc_ret - stp x19, x20, [sp, #-112]! - mov x16, x4 -@@ -4729,6 +4734,7 @@ $code.=<<___; - .type aes_gcm_dec_256_kernel,%function - .align 4 - aes_gcm_dec_256_kernel: -+ AARCH64_VALID_CALL_TARGET - cbz x1, .L256_dec_ret - stp x19, x20, [sp, #-112]! 
- mov x16, x4 -diff --git a/crypto/modes/asm/ghashv8-armx.pl b/crypto/modes/asm/ghashv8-armx.pl -index b1d35d25b5..57f893e77c 100644 ---- a/crypto/modes/asm/ghashv8-armx.pl -+++ b/crypto/modes/asm/ghashv8-armx.pl -@@ -107,6 +107,11 @@ $code.=<<___; - .type gcm_init_v8,%function - .align 4 - gcm_init_v8: -+___ -+$code.=<<___ if ($flavour =~ /64/); -+ AARCH64_VALID_CALL_TARGET -+___ -+$code.=<<___; - vld1.64 {$t1},[x1] @ load input H - vmov.i8 $xC2,#0xe1 - vshl.i64 $xC2,$xC2,#57 @ 0xc2.0 -@@ -214,6 +219,11 @@ $code.=<<___; - .type gcm_gmult_v8,%function - .align 4 - gcm_gmult_v8: -+___ -+$code.=<<___ if ($flavour =~ /64/); -+ AARCH64_VALID_CALL_TARGET -+___ -+$code.=<<___; - vld1.64 {$t1},[$Xi] @ load Xi - vmov.i8 $xC2,#0xe1 - vld1.64 {$H-$Hhl},[$Htbl] @ load twisted H, ... -@@ -268,6 +278,7 @@ $code.=<<___; - gcm_ghash_v8: - ___ - $code.=<<___ if ($flavour =~ /64/); -+ AARCH64_VALID_CALL_TARGET - cmp $len,#64 - b.hs .Lgcm_ghash_v8_4x - ___ -diff --git a/crypto/poly1305/asm/poly1305-armv8.pl b/crypto/poly1305/asm/poly1305-armv8.pl -index 113a2151b6..20816c4283 100755 ---- a/crypto/poly1305/asm/poly1305-armv8.pl -+++ b/crypto/poly1305/asm/poly1305-armv8.pl -@@ -72,6 +72,7 @@ $code.=<<___; - .type poly1305_init,%function - .align 5 - poly1305_init: -+ AARCH64_VALID_CALL_TARGET - cmp $inp,xzr - stp xzr,xzr,[$ctx] // zero hash value - stp xzr,xzr,[$ctx,#16] // [along with is_base2_26] -@@ -119,6 +120,9 @@ poly1305_init: - .align 5 - poly1305_blocks: - .Lpoly1305_blocks: -+ // The symbol .Lpoly1305_blocks is not a .globl symbol -+ // but a pointer to it is returned by poly1305_init -+ AARCH64_VALID_CALL_TARGET - ands $len,$len,#-16 - b.eq .Lno_data - -@@ -184,6 +188,9 @@ poly1305_blocks: - .align 5 - poly1305_emit: - .Lpoly1305_emit: -+ // The symbol .poly1305_emit is not a .globl symbol -+ // but a pointer to it is returned by poly1305_init -+ AARCH64_VALID_CALL_TARGET - ldp $h0,$h1,[$ctx] // load hash base 2^64 - ldr $h2,[$ctx,#16] - ldp $t0,$t1,[$nonce] // load nonce 
-@@ -291,13 +298,16 @@ poly1305_splat: - .align 5 - poly1305_blocks_neon: - .Lpoly1305_blocks_neon: -+ // The symbol .Lpoly1305_blocks_neon is not a .globl symbol -+ // but a pointer to it is returned by poly1305_init -+ AARCH64_VALID_CALL_TARGET - ldr $is_base2_26,[$ctx,#24] - cmp $len,#128 - b.hs .Lblocks_neon - cbz $is_base2_26,.Lpoly1305_blocks - - .Lblocks_neon: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-80]! - add x29,sp,#0 - -@@ -867,7 +877,7 @@ poly1305_blocks_neon: - - .Lno_data_neon: - ldr x29,[sp],#80 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size poly1305_blocks_neon,.-poly1305_blocks_neon - -@@ -875,6 +885,9 @@ poly1305_blocks_neon: - .align 5 - poly1305_emit_neon: - .Lpoly1305_emit_neon: -+ // The symbol .Lpoly1305_emit_neon is not a .globl symbol -+ // but a pointer to it is returned by poly1305_init -+ AARCH64_VALID_CALL_TARGET - ldr $is_base2_26,[$ctx,#24] - cbz $is_base2_26,poly1305_emit - -diff --git a/crypto/sha/asm/keccak1600-armv8.pl b/crypto/sha/asm/keccak1600-armv8.pl -index 65102e7c29..cf54b62c63 100755 ---- a/crypto/sha/asm/keccak1600-armv8.pl -+++ b/crypto/sha/asm/keccak1600-armv8.pl -@@ -80,6 +80,8 @@ my @rhotates = ([ 0, 1, 62, 28, 27 ], - [ 18, 2, 61, 56, 14 ]); - - $code.=<<___; -+#include "arm_arch.h" -+ - .text - - .align 8 // strategic alignment and padding that allows to use -@@ -125,7 +127,7 @@ $code.=<<___; - .align 5 - KeccakF1600_int: - adr $C[2],iotas -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp $C[2],x30,[sp,#16] // 32 bytes on top are mine - b .Loop - .align 4 -@@ -297,14 +299,14 @@ $code.=<<___; - bne .Loop - - ldr x30,[sp,#24] -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size KeccakF1600_int,.-KeccakF1600_int - - .type KeccakF1600,%function - .align 5 - KeccakF1600: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-128]! 
- add x29,sp,#0 - stp x19,x20,[sp,#16] -@@ -354,7 +356,7 @@ KeccakF1600: - ldp x25,x26,[x29,#64] - ldp x27,x28,[x29,#80] - ldp x29,x30,[sp],#128 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size KeccakF1600,.-KeccakF1600 - -@@ -362,7 +364,7 @@ KeccakF1600: - .type SHA3_absorb,%function - .align 5 - SHA3_absorb: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-128]! - add x29,sp,#0 - stp x19,x20,[sp,#16] -@@ -460,7 +462,7 @@ $code.=<<___; - ldp x25,x26,[x29,#64] - ldp x27,x28,[x29,#80] - ldp x29,x30,[sp],#128 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size SHA3_absorb,.-SHA3_absorb - ___ -@@ -471,7 +473,7 @@ $code.=<<___; - .type SHA3_squeeze,%function - .align 5 - SHA3_squeeze: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-48]! - add x29,sp,#0 - stp x19,x20,[sp,#16] -@@ -534,7 +536,7 @@ SHA3_squeeze: - ldp x19,x20,[sp,#16] - ldp x21,x22,[sp,#32] - ldp x29,x30,[sp],#48 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size SHA3_squeeze,.-SHA3_squeeze - ___ -@@ -653,7 +655,7 @@ KeccakF1600_ce: - .type KeccakF1600_cext,%function - .align 5 - KeccakF1600_cext: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-80]! - add x29,sp,#0 - stp d8,d9,[sp,#16] // per ABI requirement -@@ -686,7 +688,7 @@ $code.=<<___; - ldp d12,d13,[sp,#48] - ldp d14,d15,[sp,#64] - ldr x29,[sp],#80 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size KeccakF1600_cext,.-KeccakF1600_cext - ___ -@@ -699,7 +701,7 @@ $code.=<<___; - .type SHA3_absorb_cext,%function - .align 5 - SHA3_absorb_cext: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-80]! 
- add x29,sp,#0 - stp d8,d9,[sp,#16] // per ABI requirement -@@ -771,7 +773,7 @@ $code.=<<___; - ldp d12,d13,[sp,#48] - ldp d14,d15,[sp,#64] - ldp x29,x30,[sp],#80 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size SHA3_absorb_cext,.-SHA3_absorb_cext - ___ -@@ -783,7 +785,7 @@ $code.=<<___; - .type SHA3_squeeze_cext,%function - .align 5 - SHA3_squeeze_cext: -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - mov x9,$ctx -@@ -839,7 +841,7 @@ SHA3_squeeze_cext: - - .Lsqueeze_done_ce: - ldr x29,[sp],#16 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size SHA3_squeeze_cext,.-SHA3_squeeze_cext - ___ -diff --git a/crypto/sha/asm/sha1-armv8.pl b/crypto/sha/asm/sha1-armv8.pl -index cdea8845af..5f23a20c1a 100644 ---- a/crypto/sha/asm/sha1-armv8.pl -+++ b/crypto/sha/asm/sha1-armv8.pl -@@ -175,8 +175,8 @@ ___ - } - - $code.=<<___; -+#include "arm_arch.h" - #ifndef __KERNEL__ --# include "arm_arch.h" - .extern OPENSSL_armcap_P - .hidden OPENSSL_armcap_P - #endif -@@ -187,11 +187,13 @@ $code.=<<___; - .type sha1_block_data_order,%function - .align 6 - sha1_block_data_order: -+ AARCH64_VALID_CALL_TARGET - adrp x16,OPENSSL_armcap_P - ldr w16,[x16,#:lo12:OPENSSL_armcap_P] - tst w16,#ARMV8_SHA1 - b.ne .Lv8_entry - -+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. - stp x29,x30,[sp,#-96]! - add x29,sp,#0 - stp x19,x20,[sp,#16] -@@ -253,6 +255,7 @@ $code.=<<___; - .align 6 - sha1_block_armv8: - .Lv8_entry: -+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. - stp x29,x30,[sp,#-16]! 
- add x29,sp,#0 - -diff --git a/crypto/sha/asm/sha512-armv8.pl b/crypto/sha/asm/sha512-armv8.pl -index 6bcff0b7d3..f900882fee 100644 ---- a/crypto/sha/asm/sha512-armv8.pl -+++ b/crypto/sha/asm/sha512-armv8.pl -@@ -190,8 +190,8 @@ ___ - } - - $code.=<<___; -+#include "arm_arch.h" - #ifndef __KERNEL__ --# include "arm_arch.h" - .extern OPENSSL_armcap_P - .hidden OPENSSL_armcap_P - #endif -@@ -202,6 +202,7 @@ $code.=<<___; - .type $func,%function - .align 6 - $func: -+ AARCH64_VALID_CALL_TARGET - #ifndef __KERNEL__ - adrp x16,OPENSSL_armcap_P - ldr w16,[x16,#:lo12:OPENSSL_armcap_P] -@@ -218,7 +219,7 @@ $code.=<<___ if ($SZ==8); - ___ - $code.=<<___; - #endif -- .inst 0xd503233f // paciasp -+ AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-128]! - add x29,sp,#0 - -@@ -280,7 +281,7 @@ $code.=<<___; - ldp x25,x26,[x29,#64] - ldp x27,x28,[x29,#80] - ldp x29,x30,[sp],#128 -- .inst 0xd50323bf // autiasp -+ AARCH64_VALIDATE_LINK_REGISTER - ret - .size $func,.-$func - -@@ -370,6 +371,7 @@ $code.=<<___; - .align 6 - sha256_block_armv8: - .Lv8_entry: -+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - -@@ -632,7 +634,9 @@ $code.=<<___; - .type sha256_block_neon,%function - .align 4 - sha256_block_neon: -+ AARCH64_VALID_CALL_TARGET - .Lneon_entry: -+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later - stp x29, x30, [sp, #-16]! - mov x29, sp - sub sp,sp,#16*4 -@@ -743,6 +747,7 @@ $code.=<<___; - .align 6 - sha512_block_armv8: - .Lv8_entry: -+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - -diff --git a/crypto/sha/build.info b/crypto/sha/build.info -index d61f7de9b6..556a658d8b 100644 ---- a/crypto/sha/build.info -+++ b/crypto/sha/build.info -@@ -153,6 +153,7 @@ INCLUDE[sha256-armv8.o]=.. - GENERATE[sha512-armv8.S]=asm/sha512-armv8.pl - INCLUDE[sha512-armv8.o]=.. 
- GENERATE[keccak1600-armv8.S]=asm/keccak1600-armv8.pl -+INCLUDE[keccak1600-armv8.o]=.. - - GENERATE[sha1-s390x.S]=asm/sha1-s390x.pl - INCLUDE[sha1-s390x.o]=.. --- -2.37.3.windows.1 - diff --git a/Backport-bn-Properly-error-out-if-aliasing-return-value-with-.patch b/Backport-bn-Properly-error-out-if-aliasing-return-value-with-.patch deleted file mode 100644 index 50ffa62b003fc855a851eeffd0711ca705a5a0c6..0000000000000000000000000000000000000000 --- a/Backport-bn-Properly-error-out-if-aliasing-return-value-with-.patch +++ /dev/null 
@@ -1,255 +0,0 @@
-From 5cf554ee9d127a5cf81c09a6dbfe090e86c022b4 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Wed, 18 Oct 2023 15:50:30 +0200
-Subject: [PATCH] bn: Properly error out if aliasing return value with modulus
-
-Test case amended from code initially written by Bernd Edlinger.
-
-Fixes #21110
-
-Reviewed-by: Dmitry Belyavskiy
-Reviewed-by: Paul Dale
-Reviewed-by: Hugo Landau
-(Merged from https://github.com/openssl/openssl/pull/22421)
-
-(cherry picked from commit af0025fc40779cc98c06db7e29936f9d5de8cc9e)
----
- crypto/bn/bn_exp.c | 21 ++++++++
- crypto/bn/bn_mod.c | 10 ++++
- doc/man3/BN_add.pod | 5 ++
- doc/man3/BN_mod_inverse.pod | 6 ++-
- test/bntest.c | 104 ++++++++++++++++++++++++++++++++++++
- 5 files changed, 145 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
-index 4e169ae1f9..598a592ca1 100644
---- a/crypto/bn/bn_exp.c
-+++ b/crypto/bn/bn_exp.c
-@@ -243,6 +243,14 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- wstart = bits - 1; /* The top bit of the window */
- wend = 0; /* The bottom bit of the window */
-
-+ if (r == p) {
-+ BIGNUM *p_dup = BN_CTX_get(ctx);
-+
-+ if (p_dup == NULL || BN_copy(p_dup, p) == NULL)
-+ goto err;
-+ p = p_dup;
-+ }
-+
- if (!BN_one(r))
- goto err;
-
-@@ -1317,6 +1325,11 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- return 0;
- }
-
-+ if (r == m) {
-+ ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT);
-+ return 0;
-+ }
-+
- bits = BN_num_bits(p);
- if (bits == 0) {
- /* x**0 mod 1, or x**0 mod -1 is still zero.
*/
-@@ -1362,6 +1375,14 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- wstart = bits - 1; /* The top bit of the window */
- wend = 0; /* The bottom bit of the window */
-
-+ if (r == p) {
-+ BIGNUM *p_dup = BN_CTX_get(ctx);
-+
-+ if (p_dup == NULL || BN_copy(p_dup, p) == NULL)
-+ goto err;
-+ p = p_dup;
-+ }
-+
- if (!BN_one(r))
- goto err;
-
-diff --git a/crypto/bn/bn_mod.c b/crypto/bn/bn_mod.c
-index 7f5afa25ec..2dda2e3442 100644
---- a/crypto/bn/bn_mod.c
-+++ b/crypto/bn/bn_mod.c
-@@ -17,6 +17,11 @@ int BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx)
- * always holds)
- */
-
-+ if (r == d) {
-+ ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT);
-+ return 0;
-+ }
-+
- if (!(BN_mod(r, m, d, ctx)))
- return 0;
- if (!r->neg)
-@@ -186,6 +191,11 @@ int bn_mod_sub_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
- int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
- const BIGNUM *m)
- {
-+ if (r == m) {
-+ ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT);
-+ return 0;
-+ }
-+
- if (!BN_sub(r, a, b))
- return 0;
- if (r->neg)
-diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod
-index 9561d55431..35cfdd1495 100644
---- a/doc/man3/BN_add.pod
-+++ b/doc/man3/BN_add.pod
-@@ -114,6 +114,11 @@ temporary variables; see L.
- Unless noted otherwise, the result B must be different from
- the arguments.
-
-+=head1 NOTES
-+
-+For modular operations such as BN_nnmod() or BN_mod_exp() it is an error
-+to use the same B object for the modulus as for the output.
-+
- =head1 RETURN VALUES
-
- The BN_mod_sqrt() returns the result (possibly incorrect if I

is -diff --git a/doc/man3/BN_mod_inverse.pod b/doc/man3/BN_mod_inverse.pod -index 5dbb5c3cc2..f88e0e63fa 100644 ---- a/doc/man3/BN_mod_inverse.pod -+++ b/doc/man3/BN_mod_inverse.pod -@@ -18,7 +18,11 @@ places the result in B (C<(a*r)%n==1>). If B is NULL, - a new B is created. - - B is a previously allocated B used for temporary --variables. B may be the same B as B or B. -+variables. B may be the same B as B. -+ -+=head1 NOTES -+ -+It is an error to use the same B as B. - - =head1 RETURN VALUES - -diff --git a/test/bntest.c b/test/bntest.c -index c5894c157b..ee8b692618 100644 ---- a/test/bntest.c -+++ b/test/bntest.c -@@ -2927,6 +2927,108 @@ err: - return res; - } - -+static int test_mod_inverse(void) -+{ -+ int res = 0; -+ char *str = NULL; -+ BIGNUM *a = NULL; -+ BIGNUM *b = NULL; -+ BIGNUM *r = NULL; -+ -+ if (!TEST_true(BN_dec2bn(&a, "5193817943"))) -+ goto err; -+ if (!TEST_true(BN_dec2bn(&b, "3259122431"))) -+ goto err; -+ if (!TEST_ptr(r = BN_new())) -+ goto err; -+ if (!TEST_ptr_eq(BN_mod_inverse(r, a, b, ctx), r)) -+ goto err; -+ if (!TEST_ptr_ne(str = BN_bn2dec(r), NULL)) -+ goto err; -+ if (!TEST_int_eq(strcmp(str, "2609653924"), 0)) -+ goto err; -+ -+ /* Note that this aliases the result with the modulus. */ -+ if (!TEST_ptr_null(BN_mod_inverse(b, a, b, ctx))) -+ goto err; -+ -+ res = 1; -+ -+err: -+ BN_free(a); -+ BN_free(b); -+ BN_free(r); -+ OPENSSL_free(str); -+ return res; -+} -+ -+static int test_mod_exp_alias(int idx) -+{ -+ int res = 0; -+ char *str = NULL; -+ BIGNUM *a = NULL; -+ BIGNUM *b = NULL; -+ BIGNUM *c = NULL; -+ BIGNUM *r = NULL; -+ -+ if (!TEST_true(BN_dec2bn(&a, "15"))) -+ goto err; -+ if (!TEST_true(BN_dec2bn(&b, "10"))) -+ goto err; -+ if (!TEST_true(BN_dec2bn(&c, "39"))) -+ goto err; -+ if (!TEST_ptr(r = BN_new())) -+ goto err; -+ -+ if (!TEST_int_eq((idx == 0 ? 
BN_mod_exp_simple -+ : BN_mod_exp_recp)(r, a, b, c, ctx), 1)) -+ goto err; -+ if (!TEST_ptr_ne(str = BN_bn2dec(r), NULL)) -+ goto err; -+ if (!TEST_str_eq(str, "36")) -+ goto err; -+ -+ OPENSSL_free(str); -+ str = NULL; -+ -+ BN_copy(r, b); -+ -+ /* Aliasing with exponent must work. */ -+ if (!TEST_int_eq((idx == 0 ? BN_mod_exp_simple -+ : BN_mod_exp_recp)(r, a, r, c, ctx), 1)) -+ goto err; -+ if (!TEST_ptr_ne(str = BN_bn2dec(r), NULL)) -+ goto err; -+ if (!TEST_str_eq(str, "36")) -+ goto err; -+ -+ OPENSSL_free(str); -+ str = NULL; -+ -+ /* Aliasing with modulus should return failure for the simple call. */ -+ if (idx == 0) { -+ if (!TEST_int_eq(BN_mod_exp_simple(c, a, b, c, ctx), 0)) -+ goto err; -+ } else { -+ if (!TEST_int_eq(BN_mod_exp_recp(c, a, b, c, ctx), 1)) -+ goto err; -+ if (!TEST_ptr_ne(str = BN_bn2dec(c), NULL)) -+ goto err; -+ if (!TEST_str_eq(str, "36")) -+ goto err; -+ } -+ -+ res = 1; -+ -+err: -+ BN_free(a); -+ BN_free(b); -+ BN_free(c); -+ BN_free(r); -+ OPENSSL_free(str); -+ return res; -+} -+ - static int file_test_run(STANZA *s) - { - static const FILETEST filetests[] = { -@@ -3036,6 +3138,8 @@ int setup_tests(void) - ADD_ALL_TESTS(test_signed_mod_replace_ab, OSSL_NELEM(signed_mod_tests)); - ADD_ALL_TESTS(test_signed_mod_replace_ba, OSSL_NELEM(signed_mod_tests)); - ADD_TEST(test_mod); -+ ADD_TEST(test_mod_inverse); -+ ADD_ALL_TESTS(test_mod_exp_alias, 2); - ADD_TEST(test_modexp_mont5); - ADD_TEST(test_kronecker); - ADD_TEST(test_rand); --- -2.33.0 - diff --git a/Backport-poly1305-ppc.pl-Fix-vector-register-clobbering.patch b/Backport-poly1305-ppc.pl-Fix-vector-register-clobbering.patch deleted file mode 100644 index 1890c2f3c8f941cbd8456ed7aa5311af4fd817e6..0000000000000000000000000000000000000000 --- a/Backport-poly1305-ppc.pl-Fix-vector-register-clobbering.patch +++ /dev/null 
@@ -1,112 +0,0 @@
-From 050d26383d4e264966fb83428e72d5d48f402d35 Mon Sep 17 00:00:00 2001
-From: Rohan McLure
-Date: Thu, 4 Jan 2024 10:25:50 +0100
-Subject: [PATCH] poly1305-ppc.pl: Fix vector register clobbering
-
-Fixes CVE-2023-6129
-
-The POLY1305 MAC (message authentication code) implementation in OpenSSL for
-PowerPC CPUs saves the the contents of vector registers in different order
-than they are restored. Thus the contents of some of these vector registers
-is corrupted when returning to the caller. The vulnerable code is used only
-on newer PowerPC processors supporting the PowerISA 2.07 instructions.
-
-Reviewed-by: Matt Caswell
-Reviewed-by: Richard Levitte
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/23200)
-
-(cherry picked from commit 8d847a3ffd4f0b17ee33962cf69c36224925b34f)
----
- crypto/poly1305/asm/poly1305-ppc.pl | 42 ++++++++++++++---------------
- 1 file changed, 21 insertions(+), 21 deletions(-)
-
-diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl
-index 9f86134d92..2e601bb9c2 100755
---- a/crypto/poly1305/asm/poly1305-ppc.pl
-+++ b/crypto/poly1305/asm/poly1305-ppc.pl
-@@ -744,7 +744,7 @@ ___
- my $LOCALS= 6*$SIZE_T;
- my $VSXFRAME = $LOCALS + 6*$SIZE_T;
- $VSXFRAME += 128; # local variables
-- $VSXFRAME += 13*16; # v20-v31 offload
-+ $VSXFRAME += 12*16; # v20-v31 offload
-
- my $BIG_ENDIAN = ($flavour !~ /le/) ?
4 : 0;
-
-@@ -919,12 +919,12 @@ __poly1305_blocks_vsx:
- addi r11,r11,32
- stvx v22,r10,$sp
- addi r10,r10,32
-- stvx v23,r10,$sp
-- addi r10,r10,32
-- stvx v24,r11,$sp
-+ stvx v23,r11,$sp
- addi r11,r11,32
-- stvx v25,r10,$sp
-+ stvx v24,r10,$sp
- addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
- stvx v26,r10,$sp
- addi r10,r10,32
- stvx v27,r11,$sp
-@@ -1153,12 +1153,12 @@ __poly1305_blocks_vsx:
- addi r11,r11,32
- stvx v22,r10,$sp
- addi r10,r10,32
-- stvx v23,r10,$sp
-- addi r10,r10,32
-- stvx v24,r11,$sp
-+ stvx v23,r11,$sp
- addi r11,r11,32
-- stvx v25,r10,$sp
-+ stvx v24,r10,$sp
- addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
- stvx v26,r10,$sp
- addi r10,r10,32
- stvx v27,r11,$sp
-@@ -1899,26 +1899,26 @@ Ldone_vsx:
- mtspr 256,r12 # restore vrsave
- lvx v20,r10,$sp
- addi r10,r10,32
-- lvx v21,r10,$sp
-- addi r10,r10,32
-- lvx v22,r11,$sp
-+ lvx v21,r11,$sp
- addi r11,r11,32
-- lvx v23,r10,$sp
-+ lvx v22,r10,$sp
- addi r10,r10,32
-- lvx v24,r11,$sp
-+ lvx v23,r11,$sp
- addi r11,r11,32
-- lvx v25,r10,$sp
-+ lvx v24,r10,$sp
- addi r10,r10,32
-- lvx v26,r11,$sp
-+ lvx v25,r11,$sp
- addi r11,r11,32
-- lvx v27,r10,$sp
-+ lvx v26,r10,$sp
- addi r10,r10,32
-- lvx v28,r11,$sp
-+ lvx v27,r11,$sp
- addi r11,r11,32
-- lvx v29,r10,$sp
-+ lvx v28,r10,$sp
- addi r10,r10,32
-- lvx v30,r11,$sp
-- lvx v31,r10,$sp
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
- $POP r27,`$VSXFRAME-$SIZE_T*5`($sp)
- $POP r28,`$VSXFRAME-$SIZE_T*4`($sp)
- $POP r29,`$VSXFRAME-$SIZE_T*3`($sp)
---
-2.36.1
-
diff --git a/Backport-providers-Add-SM4-GCM-implementation.patch b/Backport-providers-Add-SM4-GCM-implementation.patch
deleted file mode 100644
index 3e2ee2324cb29e21406c8c0729da2faa867a472f..0000000000000000000000000000000000000000
--- a/Backport-providers-Add-SM4-GCM-implementation.patch
+++ /dev/null
@@ -1,360 +0,0 @@
-From 2f1c0b5f1b585a307f21a70ef3ae652643c25f6d Mon Sep 17 00:00:00 2001
-From: Tianjia Zhang
-Date: Wed, 1 Sep 2021 16:54:15 +0800
-Subject: [PATCH 04/13] providers: Add SM4 GCM implementation
-
-The GCM mode of the SM4 algorithm is specifieded by RFC8998.
-
-Signed-off-by: Tianjia Zhang
-
-Reviewed-by: Paul Yang
-Reviewed-by: Paul Dale
-(Merged from https://github.com/openssl/openssl/pull/16491)
----
- providers/defltprov.c | 2 +
- providers/implementations/ciphers/build.info | 4 +-
- .../implementations/ciphers/cipher_sm4_ccm.c | 39 +++++++++++++++++
- .../implementations/ciphers/cipher_sm4_ccm.h | 22 ++++++++++
- .../ciphers/cipher_sm4_ccm_hw.c | 41 ++++++++++++++++++
- .../implementations/ciphers/cipher_sm4_gcm.c | 40 +++++++++++++++++
- .../implementations/ciphers/cipher_sm4_gcm.h | 22 ++++++++++
- .../ciphers/cipher_sm4_gcm_hw.c | 43 +++++++++++++++++++
- .../include/prov/implementations.h | 2 +
- .../implementations/include/prov/names.h | 2 +
- test/recipes/30-test_evp_data/evpciph_sm4.txt | 20 +++++++++
- 11 files changed, 236 insertions(+), 1 deletion(-)
- create mode 100644 providers/implementations/ciphers/cipher_sm4_ccm.c
- create mode 100644 providers/implementations/ciphers/cipher_sm4_ccm.h
- create mode 100644 providers/implementations/ciphers/cipher_sm4_ccm_hw.c
- create mode 100644 providers/implementations/ciphers/cipher_sm4_gcm.c
- create mode 100644 providers/implementations/ciphers/cipher_sm4_gcm.h
- create mode 100644 providers/implementations/ciphers/cipher_sm4_gcm_hw.c
-
-diff --git a/providers/defltprov.c b/providers/defltprov.c
-index ed3f4799e7..cc0b0c3b62 100644
---- a/providers/defltprov.c
-+++ b/providers/defltprov.c
-@@ -289,6 +289,8 @@ static const OSSL_ALGORITHM_CAPABLE deflt_ciphers[] = {
- ALG(PROV_NAMES_DES_EDE_CFB, ossl_tdes_ede2_cfb_functions),
- #endif /* OPENSSL_NO_DES */
- #ifndef OPENSSL_NO_SM4
-+ ALG(PROV_NAMES_SM4_GCM, ossl_sm4128gcm_functions),
-+ ALG(PROV_NAMES_SM4_CCM, ossl_sm4128ccm_functions),
-
ALG(PROV_NAMES_SM4_ECB, ossl_sm4128ecb_functions),
- ALG(PROV_NAMES_SM4_CBC, ossl_sm4128cbc_functions),
- ALG(PROV_NAMES_SM4_CTR, ossl_sm4128ctr_functions),
-diff --git a/providers/implementations/ciphers/build.info b/providers/implementations/ciphers/build.info
-index e4c5f4f051..b5d9d4f6c1 100644
---- a/providers/implementations/ciphers/build.info
-+++ b/providers/implementations/ciphers/build.info
-@@ -105,7 +105,9 @@ ENDIF
-
- IF[{- !$disabled{sm4} -}]
- SOURCE[$SM4_GOAL]=\
-- cipher_sm4.c cipher_sm4_hw.c
-+ cipher_sm4.c cipher_sm4_hw.c \
-+ cipher_sm4_gcm.c cipher_sm4_gcm_hw.c \
-+ cipher_sm4_ccm.c cipher_sm4_ccm_hw.c
- ENDIF
-
- IF[{- !$disabled{ocb} -}]
-diff --git a/providers/implementations/ciphers/cipher_sm4_ccm.c b/providers/implementations/ciphers/cipher_sm4_ccm.c
-new file mode 100644
-index 0000000000..f0295a5ca2
---- /dev/null
-+++ b/providers/implementations/ciphers/cipher_sm4_ccm.c
-@@ -0,0 +1,39 @@
-+/*
-+ * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
-+ *
-+ * Licensed under the Apache License 2.0 (the "License"). You may not use
-+ * this file except in compliance with the License.
You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+/* Dispatch functions for SM4 CCM mode */ -+ -+#include "cipher_sm4_ccm.h" -+#include "prov/implementations.h" -+#include "prov/providercommon.h" -+ -+static OSSL_FUNC_cipher_freectx_fn sm4_ccm_freectx; -+ -+static void *sm4_ccm_newctx(void *provctx, size_t keybits) -+{ -+ PROV_SM4_CCM_CTX *ctx; -+ -+ if (!ossl_prov_is_running()) -+ return NULL; -+ -+ ctx = OPENSSL_zalloc(sizeof(*ctx)); -+ if (ctx != NULL) -+ ossl_ccm_initctx(&ctx->base, keybits, ossl_prov_sm4_hw_ccm(keybits)); -+ return ctx; -+} -+ -+static void sm4_ccm_freectx(void *vctx) -+{ -+ PROV_SM4_CCM_CTX *ctx = (PROV_SM4_CCM_CTX *)vctx; -+ -+ OPENSSL_clear_free(ctx, sizeof(*ctx)); -+} -+ -+/* sm4128ccm functions */ -+IMPLEMENT_aead_cipher(sm4, ccm, CCM, AEAD_FLAGS, 128, 8, 96); -diff --git a/providers/implementations/ciphers/cipher_sm4_ccm.h b/providers/implementations/ciphers/cipher_sm4_ccm.h -new file mode 100644 -index 0000000000..189e71e9e4 ---- /dev/null -+++ b/providers/implementations/ciphers/cipher_sm4_ccm.h -@@ -0,0 +1,22 @@ -+/* -+ * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. 
You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#include "crypto/sm4.h" -+#include "prov/ciphercommon.h" -+#include "prov/ciphercommon_ccm.h" -+ -+typedef struct prov_sm4_ccm_ctx_st { -+ PROV_CCM_CTX base; /* Must be first */ -+ union { -+ OSSL_UNION_ALIGN; -+ SM4_KEY ks; -+ } ks; /* SM4 key schedule to use */ -+} PROV_SM4_CCM_CTX; -+ -+const PROV_CCM_HW *ossl_prov_sm4_hw_ccm(size_t keylen); -diff --git a/providers/implementations/ciphers/cipher_sm4_ccm_hw.c b/providers/implementations/ciphers/cipher_sm4_ccm_hw.c -new file mode 100644 -index 0000000000..791daf3e46 ---- /dev/null -+++ b/providers/implementations/ciphers/cipher_sm4_ccm_hw.c -@@ -0,0 +1,41 @@ -+/* -+ * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+/*- -+ * Generic support for SM4 CCM. 
-+ */ -+ -+#include "cipher_sm4_ccm.h" -+ -+static int ccm_sm4_initkey(PROV_CCM_CTX *ctx, -+ const unsigned char *key, size_t keylen) -+{ -+ PROV_SM4_CCM_CTX *actx = (PROV_SM4_CCM_CTX *)ctx; -+ -+ ossl_sm4_set_key(key, &actx->ks.ks); -+ CRYPTO_ccm128_init(&ctx->ccm_ctx, ctx->m, ctx->l, &actx->ks.ks, -+ (block128_f)ossl_sm4_encrypt); -+ ctx->str = NULL; -+ ctx->key_set = 1; -+ return 1; -+} -+ -+static const PROV_CCM_HW ccm_sm4 = { -+ ccm_sm4_initkey, -+ ossl_ccm_generic_setiv, -+ ossl_ccm_generic_setaad, -+ ossl_ccm_generic_auth_encrypt, -+ ossl_ccm_generic_auth_decrypt, -+ ossl_ccm_generic_gettag -+}; -+ -+const PROV_CCM_HW *ossl_prov_sm4_hw_ccm(size_t keybits) -+{ -+ return &ccm_sm4; -+} -diff --git a/providers/implementations/ciphers/cipher_sm4_gcm.c b/providers/implementations/ciphers/cipher_sm4_gcm.c -new file mode 100644 -index 0000000000..7a936f00ee ---- /dev/null -+++ b/providers/implementations/ciphers/cipher_sm4_gcm.c -@@ -0,0 +1,40 @@ -+/* -+ * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. 
You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+/* Dispatch functions for SM4 GCM mode */ -+ -+#include "cipher_sm4_gcm.h" -+#include "prov/implementations.h" -+#include "prov/providercommon.h" -+ -+static OSSL_FUNC_cipher_freectx_fn sm4_gcm_freectx; -+ -+static void *sm4_gcm_newctx(void *provctx, size_t keybits) -+{ -+ PROV_SM4_GCM_CTX *ctx; -+ -+ if (!ossl_prov_is_running()) -+ return NULL; -+ -+ ctx = OPENSSL_zalloc(sizeof(*ctx)); -+ if (ctx != NULL) -+ ossl_gcm_initctx(provctx, &ctx->base, keybits, -+ ossl_prov_sm4_hw_gcm(keybits)); -+ return ctx; -+} -+ -+static void sm4_gcm_freectx(void *vctx) -+{ -+ PROV_SM4_GCM_CTX *ctx = (PROV_SM4_GCM_CTX *)vctx; -+ -+ OPENSSL_clear_free(ctx, sizeof(*ctx)); -+} -+ -+/* ossl_sm4128gcm_functions */ -+IMPLEMENT_aead_cipher(sm4, gcm, GCM, AEAD_FLAGS, 128, 8, 96); -diff --git a/providers/implementations/ciphers/cipher_sm4_gcm.h b/providers/implementations/ciphers/cipher_sm4_gcm.h -new file mode 100644 -index 0000000000..2b6b5f3ece ---- /dev/null -+++ b/providers/implementations/ciphers/cipher_sm4_gcm.h -@@ -0,0 +1,22 @@ -+/* -+ * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. 
You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#include "crypto/sm4.h" -+#include "prov/ciphercommon.h" -+#include "prov/ciphercommon_gcm.h" -+ -+typedef struct prov_sm4_gcm_ctx_st { -+ PROV_GCM_CTX base; /* must be first entry in struct */ -+ union { -+ OSSL_UNION_ALIGN; -+ SM4_KEY ks; -+ } ks; -+} PROV_SM4_GCM_CTX; -+ -+const PROV_GCM_HW *ossl_prov_sm4_hw_gcm(size_t keybits); -diff --git a/providers/implementations/ciphers/cipher_sm4_gcm_hw.c b/providers/implementations/ciphers/cipher_sm4_gcm_hw.c -new file mode 100644 -index 0000000000..6bcd1ec406 ---- /dev/null -+++ b/providers/implementations/ciphers/cipher_sm4_gcm_hw.c -@@ -0,0 +1,43 @@ -+/* -+ * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+/*- -+ * Generic support for SM4 GCM. 
-+ */ -+ -+#include "cipher_sm4_gcm.h" -+ -+static int sm4_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key, -+ size_t keylen) -+{ -+ PROV_SM4_GCM_CTX *actx = (PROV_SM4_GCM_CTX *)ctx; -+ SM4_KEY *ks = &actx->ks.ks; -+ -+ ctx->ks = ks; -+ ossl_sm4_set_key(key, ks); -+ CRYPTO_gcm128_init(&ctx->gcm, ks, (block128_f)ossl_sm4_encrypt); -+ ctx->ctr = (ctr128_f)NULL; -+ ctx->key_set = 1; -+ -+ return 1; -+} -+ -+static const PROV_GCM_HW sm4_gcm = { -+ sm4_gcm_initkey, -+ ossl_gcm_setiv, -+ ossl_gcm_aad_update, -+ ossl_gcm_cipher_update, -+ ossl_gcm_cipher_final, -+ ossl_gcm_one_shot -+}; -+ -+const PROV_GCM_HW *ossl_prov_sm4_hw_gcm(size_t keybits) -+{ -+ return &sm4_gcm; -+} -diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h -index 3f6dd7ee16..498eab4ad4 100644 ---- a/providers/implementations/include/prov/implementations.h -+++ b/providers/implementations/include/prov/implementations.h -@@ -174,6 +174,8 @@ extern const OSSL_DISPATCH ossl_seed128ofb128_functions[]; - extern const OSSL_DISPATCH ossl_seed128cfb128_functions[]; - #endif /* OPENSSL_NO_SEED */ - #ifndef OPENSSL_NO_SM4 -+extern const OSSL_DISPATCH ossl_sm4128gcm_functions[]; -+extern const OSSL_DISPATCH ossl_sm4128ccm_functions[]; - extern const OSSL_DISPATCH ossl_sm4128ecb_functions[]; - extern const OSSL_DISPATCH ossl_sm4128cbc_functions[]; - extern const OSSL_DISPATCH ossl_sm4128ctr_functions[]; -diff --git a/providers/implementations/include/prov/names.h b/providers/implementations/include/prov/names.h -index e0dbb69a9d..0fac23a850 100644 ---- a/providers/implementations/include/prov/names.h -+++ b/providers/implementations/include/prov/names.h -@@ -162,6 +162,8 @@ - #define PROV_NAMES_SM4_CTR "SM4-CTR:1.2.156.10197.1.104.7" - #define PROV_NAMES_SM4_OFB "SM4-OFB:SM4-OFB128:1.2.156.10197.1.104.3" - #define PROV_NAMES_SM4_CFB "SM4-CFB:SM4-CFB128:1.2.156.10197.1.104.4" -+#define PROV_NAMES_SM4_GCM 
"SM4-GCM:1.2.156.10197.1.104.8"
-+#define PROV_NAMES_SM4_CCM "SM4-CCM:1.2.156.10197.1.104.9"
- #define PROV_NAMES_ChaCha20 "ChaCha20"
- #define PROV_NAMES_ChaCha20_Poly1305 "ChaCha20-Poly1305"
- #define PROV_NAMES_CAST5_ECB "CAST5-ECB"
-diff --git a/test/recipes/30-test_evp_data/evpciph_sm4.txt b/test/recipes/30-test_evp_data/evpciph_sm4.txt
-index ec8a45bd3f..9fb16ca15c 100644
---- a/test/recipes/30-test_evp_data/evpciph_sm4.txt
-+++ b/test/recipes/30-test_evp_data/evpciph_sm4.txt
-@@ -36,3 +36,23 @@ Key = 0123456789ABCDEFFEDCBA9876543210
- IV = 0123456789ABCDEFFEDCBA9876543210
- Plaintext = AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFEEEEEEEEEEEEEEEEAAAAAAAAAAAAAAAA
- Ciphertext = C2B4759E78AC3CF43D0852F4E8D5F9FD7256E8A5FCB65A350EE00630912E44492A0B17E1B85B060D0FBA612D8A95831638B361FD5FFACD942F081485A83CA35D
-+
-+Title = SM4 GCM test vectors from RFC8998
-+
-+Cipher = SM4-GCM
-+Key = 0123456789abcdeffedcba9876543210
-+IV = 00001234567800000000abcd
-+AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2
-+Tag = 83de3541e4c2b58177e065a9bf7b62ec
-+Plaintext = aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbccccccccccccccccddddddddddddddddeeeeeeeeeeeeeeeeffffffffffffffffeeeeeeeeeeeeeeeeaaaaaaaaaaaaaaaa
-+Ciphertext = 17f399f08c67d5ee19d0dc9969c4bb7d5fd46fd3756489069157b282bb200735d82710ca5c22f0ccfa7cbf93d496ac15a56834cbcf98c397b4024a2691233b8d
-+
-+Title = SM4 CCM test vectors from RFC8998
-+
-+Cipher = SM4-CCM
-+Key = 0123456789abcdeffedcba9876543210
-+IV = 00001234567800000000abcd
-+AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2
-+Tag = 16842d4fa186f56ab33256971fa110f4
-+Plaintext = aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbccccccccccccccccddddddddddddddddeeeeeeeeeeeeeeeeffffffffffffffffeeeeeeeeeeeeeeeeaaaaaaaaaaaaaaaa
-+Ciphertext = 48af93501fa62adbcd414cce6034d895dda1bf8f132f042098661572e7483094fd12e518ce062c98acee28d95df4416bed31a2f04476c18bb40c84a74b97dc5b
---
-2.37.3.windows.1
-
diff --git a/Backport-providers-Add-SM4-XTS-implementation.patch b/Backport-providers-Add-SM4-XTS-implementation.patch
deleted file mode 100644
index 51362365c7c72e4b663def97392dedd37522297b..0000000000000000000000000000000000000000
--- a/Backport-providers-Add-SM4-XTS-implementation.patch
+++ /dev/null
@@ -1,763 +0,0 @@ -From 57c854480481bd6b0900984d17db17426c44aa40 Mon Sep 17 00:00:00 2001 -From: Xu Yizhou -Date: Fri, 25 Nov 2022 13:52:49 +0800 -Subject: [PATCH 08/13] providers: Add SM4 XTS implementation - -Signed-off-by: Xu Yizhou - -Reviewed-by: Hugo Landau -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/19619) ---- - crypto/modes/build.info | 2 +- - crypto/modes/xts128gb.c | 199 +++++++++++++ - include/crypto/modes.h | 6 + - include/openssl/core_names.h | 1 + - providers/defltprov.c | 1 + - providers/implementations/ciphers/build.info | 4 +- - .../implementations/ciphers/cipher_sm4_xts.c | 281 ++++++++++++++++++ - .../implementations/ciphers/cipher_sm4_xts.h | 46 +++ - .../ciphers/cipher_sm4_xts_hw.c | 89 ++++++ - .../include/prov/implementations.h | 1 + - .../implementations/include/prov/names.h | 1 + - 11 files changed, 629 insertions(+), 2 deletions(-) - create mode 100644 crypto/modes/xts128gb.c - create mode 100644 providers/implementations/ciphers/cipher_sm4_xts.c - create mode 100644 providers/implementations/ciphers/cipher_sm4_xts.h - create mode 100644 providers/implementations/ciphers/cipher_sm4_xts_hw.c - -diff --git a/crypto/modes/build.info b/crypto/modes/build.info -index f3558fa1a4..0ee297ced8 100644 ---- a/crypto/modes/build.info -+++ b/crypto/modes/build.info -@@ -49,7 +49,7 @@ IF[{- !$disabled{asm} -}] - ENDIF - - $COMMON=cbc128.c ctr128.c cfb128.c ofb128.c gcm128.c ccm128.c xts128.c \ -- wrap128.c $MODESASM -+ wrap128.c xts128gb.c $MODESASM - SOURCE[../../libcrypto]=$COMMON \ - cts128.c ocb128.c siv128.c - SOURCE[../../providers/libfips.a]=$COMMON -diff --git a/crypto/modes/xts128gb.c b/crypto/modes/xts128gb.c -new file mode 100644 -index 0000000000..021c0597e4 ---- /dev/null -+++ b/crypto/modes/xts128gb.c -@@ -0,0 +1,199 @@ -+/* -+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). 
You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#include -+#include -+#include "internal/endian.h" -+#include "crypto/modes.h" -+ -+#ifndef STRICT_ALIGNMENT -+# ifdef __GNUC__ -+typedef u64 u64_a1 __attribute((__aligned__(1))); -+# else -+typedef u64 u64_a1; -+# endif -+#endif -+ -+int ossl_crypto_xts128gb_encrypt(const XTS128_CONTEXT *ctx, -+ const unsigned char iv[16], -+ const unsigned char *inp, unsigned char *out, -+ size_t len, int enc) -+{ -+ DECLARE_IS_ENDIAN; -+ union { -+ u64 u[2]; -+ u32 d[4]; -+ u8 c[16]; -+ } tweak, scratch; -+ unsigned int i; -+ -+ if (len < 16) -+ return -1; -+ -+ memcpy(tweak.c, iv, 16); -+ -+ (*ctx->block2) (tweak.c, tweak.c, ctx->key2); -+ -+ if (!enc && (len % 16)) -+ len -= 16; -+ -+ while (len >= 16) { -+#if defined(STRICT_ALIGNMENT) -+ memcpy(scratch.c, inp, 16); -+ scratch.u[0] ^= tweak.u[0]; -+ scratch.u[1] ^= tweak.u[1]; -+#else -+ scratch.u[0] = ((u64_a1 *)inp)[0] ^ tweak.u[0]; -+ scratch.u[1] = ((u64_a1 *)inp)[1] ^ tweak.u[1]; -+#endif -+ (*ctx->block1) (scratch.c, scratch.c, ctx->key1); -+#if defined(STRICT_ALIGNMENT) -+ scratch.u[0] ^= tweak.u[0]; -+ scratch.u[1] ^= tweak.u[1]; -+ memcpy(out, scratch.c, 16); -+#else -+ ((u64_a1 *)out)[0] = scratch.u[0] ^= tweak.u[0]; -+ ((u64_a1 *)out)[1] = scratch.u[1] ^= tweak.u[1]; -+#endif -+ inp += 16; -+ out += 16; -+ len -= 16; -+ -+ if (len == 0) -+ return 0; -+ -+ if (IS_LITTLE_ENDIAN) { -+ u8 res; -+ u64 hi, lo; -+#ifdef BSWAP8 -+ hi = BSWAP8(tweak.u[0]); -+ lo = BSWAP8(tweak.u[1]); -+#else -+ u8 *p = tweak.c; -+ -+ hi = (u64)GETU32(p) << 32 | GETU32(p + 4); -+ lo = (u64)GETU32(p + 8) << 32 | GETU32(p + 12); -+#endif -+ res = (u8)lo & 1; -+ tweak.u[0] = (lo >> 1) | (hi << 63); -+ tweak.u[1] = hi >> 1; -+ if (res) -+ tweak.c[15] ^= 0xe1; -+#ifdef BSWAP8 -+ hi = BSWAP8(tweak.u[0]); -+ lo = BSWAP8(tweak.u[1]); -+#else -+ 
p = tweak.c; -+ -+ hi = (u64)GETU32(p) << 32 | GETU32(p + 4); -+ lo = (u64)GETU32(p + 8) << 32 | GETU32(p + 12); -+#endif -+ tweak.u[0] = lo; -+ tweak.u[1] = hi; -+ } else { -+ u8 carry, res; -+ carry = 0; -+ for (i = 0; i < 16; ++i) { -+ res = (tweak.c[i] << 7) & 0x80; -+ tweak.c[i] = ((tweak.c[i] >> 1) + carry) & 0xff; -+ carry = res; -+ } -+ if (res) -+ tweak.c[0] ^= 0xe1; -+ } -+ } -+ if (enc) { -+ for (i = 0; i < len; ++i) { -+ u8 c = inp[i]; -+ out[i] = scratch.c[i]; -+ scratch.c[i] = c; -+ } -+ scratch.u[0] ^= tweak.u[0]; -+ scratch.u[1] ^= tweak.u[1]; -+ (*ctx->block1) (scratch.c, scratch.c, ctx->key1); -+ scratch.u[0] ^= tweak.u[0]; -+ scratch.u[1] ^= tweak.u[1]; -+ memcpy(out - 16, scratch.c, 16); -+ } else { -+ union { -+ u64 u[2]; -+ u8 c[16]; -+ } tweak1; -+ -+ if (IS_LITTLE_ENDIAN) { -+ u8 res; -+ u64 hi, lo; -+#ifdef BSWAP8 -+ hi = BSWAP8(tweak.u[0]); -+ lo = BSWAP8(tweak.u[1]); -+#else -+ u8 *p = tweak.c; -+ -+ hi = (u64)GETU32(p) << 32 | GETU32(p + 4); -+ lo = (u64)GETU32(p + 8) << 32 | GETU32(p + 12); -+#endif -+ res = (u8)lo & 1; -+ tweak1.u[0] = (lo >> 1) | (hi << 63); -+ tweak1.u[1] = hi >> 1; -+ if (res) -+ tweak1.c[15] ^= 0xe1; -+#ifdef BSWAP8 -+ hi = BSWAP8(tweak1.u[0]); -+ lo = BSWAP8(tweak1.u[1]); -+#else -+ p = tweak1.c; -+ -+ hi = (u64)GETU32(p) << 32 | GETU32(p + 4); -+ lo = (u64)GETU32(p + 8) << 32 | GETU32(p + 12); -+#endif -+ tweak1.u[0] = lo; -+ tweak1.u[1] = hi; -+ } else { -+ u8 carry, res; -+ carry = 0; -+ for (i = 0; i < 16; ++i) { -+ res = (tweak.c[i] << 7) & 0x80; -+ tweak1.c[i] = ((tweak.c[i] >> 1) + carry) & 0xff; -+ carry = res; -+ } -+ if (res) -+ tweak1.c[0] ^= 0xe1; -+ } -+#if defined(STRICT_ALIGNMENT) -+ memcpy(scratch.c, inp, 16); -+ scratch.u[0] ^= tweak1.u[0]; -+ scratch.u[1] ^= tweak1.u[1]; -+#else -+ scratch.u[0] = ((u64_a1 *)inp)[0] ^ tweak1.u[0]; -+ scratch.u[1] = ((u64_a1 *)inp)[1] ^ tweak1.u[1]; -+#endif -+ (*ctx->block1) (scratch.c, scratch.c, ctx->key1); -+ scratch.u[0] ^= tweak1.u[0]; -+ scratch.u[1] ^= 
tweak1.u[1]; -+ -+ for (i = 0; i < len; ++i) { -+ u8 c = inp[16 + i]; -+ out[16 + i] = scratch.c[i]; -+ scratch.c[i] = c; -+ } -+ scratch.u[0] ^= tweak.u[0]; -+ scratch.u[1] ^= tweak.u[1]; -+ (*ctx->block1) (scratch.c, scratch.c, ctx->key1); -+#if defined(STRICT_ALIGNMENT) -+ scratch.u[0] ^= tweak.u[0]; -+ scratch.u[1] ^= tweak.u[1]; -+ memcpy(out, scratch.c, 16); -+#else -+ ((u64_a1 *)out)[0] = scratch.u[0] ^ tweak.u[0]; -+ ((u64_a1 *)out)[1] = scratch.u[1] ^ tweak.u[1]; -+#endif -+ } -+ -+ return 0; -+} -diff --git a/include/crypto/modes.h b/include/crypto/modes.h -index 19f9d85959..475b77f925 100644 ---- a/include/crypto/modes.h -+++ b/include/crypto/modes.h -@@ -148,6 +148,12 @@ struct xts128_context { - block128_f block1, block2; - }; - -+/* XTS mode for SM4 algorithm specified by GB/T 17964-2021 */ -+int ossl_crypto_xts128gb_encrypt(const XTS128_CONTEXT *ctx, -+ const unsigned char iv[16], -+ const unsigned char *inp, unsigned char *out, -+ size_t len, int enc); -+ - struct ccm128_context { - union { - u64 u[2]; -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index 6bed5a8a67..a90971099d 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -97,6 +97,7 @@ extern "C" { - #define OSSL_CIPHER_PARAM_CTS_MODE "cts_mode" /* utf8_string */ - /* For passing the AlgorithmIdentifier parameter in DER form */ - #define OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS "alg_id_param" /* octet_string */ -+#define OSSL_CIPHER_PARAM_XTS_STANDARD "xts_standard" /* utf8_string */ - - #define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT \ - "tls1multi_maxsndfrag" /* uint */ -diff --git a/providers/defltprov.c b/providers/defltprov.c -index cc0b0c3b62..ab898d3f44 100644 ---- a/providers/defltprov.c -+++ b/providers/defltprov.c -@@ -296,6 +296,7 @@ static const OSSL_ALGORITHM_CAPABLE deflt_ciphers[] = { - ALG(PROV_NAMES_SM4_CTR, ossl_sm4128ctr_functions), - ALG(PROV_NAMES_SM4_OFB, ossl_sm4128ofb128_functions), - 
ALG(PROV_NAMES_SM4_CFB, ossl_sm4128cfb128_functions), -+ ALG(PROV_NAMES_SM4_XTS, ossl_sm4128xts_functions), - #endif /* OPENSSL_NO_SM4 */ - #ifndef OPENSSL_NO_CHACHA - ALG(PROV_NAMES_ChaCha20, ossl_chacha20_functions), -diff --git a/providers/implementations/ciphers/build.info b/providers/implementations/ciphers/build.info -index b5d9d4f6c1..9f6eacf5e3 100644 ---- a/providers/implementations/ciphers/build.info -+++ b/providers/implementations/ciphers/build.info -@@ -107,7 +107,9 @@ IF[{- !$disabled{sm4} -}] - SOURCE[$SM4_GOAL]=\ - cipher_sm4.c cipher_sm4_hw.c \ - cipher_sm4_gcm.c cipher_sm4_gcm_hw.c \ -- cipher_sm4_ccm.c cipher_sm4_ccm_hw.c -+ cipher_sm4_ccm.c cipher_sm4_ccm_hw.c \ -+ cipher_sm4_xts.c cipher_sm4_xts_hw.c -+ - ENDIF - - IF[{- !$disabled{ocb} -}] -diff --git a/providers/implementations/ciphers/cipher_sm4_xts.c b/providers/implementations/ciphers/cipher_sm4_xts.c -new file mode 100644 -index 0000000000..3c568d4d18 ---- /dev/null -+++ b/providers/implementations/ciphers/cipher_sm4_xts.c -@@ -0,0 +1,281 @@ -+ -+/* -+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. 
You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+/* Dispatch functions for SM4 XTS mode */ -+ -+#include -+#include "cipher_sm4_xts.h" -+#include "prov/implementations.h" -+#include "prov/providercommon.h" -+ -+#define SM4_XTS_FLAGS PROV_CIPHER_FLAG_CUSTOM_IV -+#define SM4_XTS_IV_BITS 128 -+#define SM4_XTS_BLOCK_BITS 8 -+ -+/* forward declarations */ -+static OSSL_FUNC_cipher_encrypt_init_fn sm4_xts_einit; -+static OSSL_FUNC_cipher_decrypt_init_fn sm4_xts_dinit; -+static OSSL_FUNC_cipher_update_fn sm4_xts_stream_update; -+static OSSL_FUNC_cipher_final_fn sm4_xts_stream_final; -+static OSSL_FUNC_cipher_cipher_fn sm4_xts_cipher; -+static OSSL_FUNC_cipher_freectx_fn sm4_xts_freectx; -+static OSSL_FUNC_cipher_dupctx_fn sm4_xts_dupctx; -+static OSSL_FUNC_cipher_set_ctx_params_fn sm4_xts_set_ctx_params; -+static OSSL_FUNC_cipher_settable_ctx_params_fn sm4_xts_settable_ctx_params; -+ -+/*- -+ * Provider dispatch functions -+ */ -+static int sm4_xts_init(void *vctx, const unsigned char *key, size_t keylen, -+ const unsigned char *iv, size_t ivlen, -+ const OSSL_PARAM params[], int enc) -+{ -+ PROV_SM4_XTS_CTX *xctx = (PROV_SM4_XTS_CTX *)vctx; -+ PROV_CIPHER_CTX *ctx = &xctx->base; -+ -+ if (!ossl_prov_is_running()) -+ return 0; -+ -+ ctx->enc = enc; -+ -+ if (iv != NULL) { -+ if (!ossl_cipher_generic_initiv(vctx, iv, ivlen)) -+ return 0; -+ } -+ if (key != NULL) { -+ if (keylen != ctx->keylen) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); -+ return 0; -+ } -+ if (!ctx->hw->init(ctx, key, keylen)) -+ return 0; -+ } -+ return sm4_xts_set_ctx_params(xctx, params); -+} -+ -+static int sm4_xts_einit(void *vctx, const unsigned char *key, size_t keylen, -+ const unsigned char *iv, size_t ivlen, -+ const OSSL_PARAM params[]) -+{ -+ return sm4_xts_init(vctx, key, keylen, iv, ivlen, params, 1); -+} -+ -+static int sm4_xts_dinit(void *vctx, const unsigned char *key, size_t keylen, -+ 
const unsigned char *iv, size_t ivlen, -+ const OSSL_PARAM params[]) -+{ -+ return sm4_xts_init(vctx, key, keylen, iv, ivlen, params, 0); -+} -+ -+static void *sm4_xts_newctx(void *provctx, unsigned int mode, uint64_t flags, -+ size_t kbits, size_t blkbits, size_t ivbits) -+{ -+ PROV_SM4_XTS_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); -+ -+ if (ctx != NULL) { -+ ossl_cipher_generic_initkey(&ctx->base, kbits, blkbits, ivbits, mode, -+ flags, ossl_prov_cipher_hw_sm4_xts(kbits), -+ NULL); -+ } -+ return ctx; -+} -+ -+static void sm4_xts_freectx(void *vctx) -+{ -+ PROV_SM4_XTS_CTX *ctx = (PROV_SM4_XTS_CTX *)vctx; -+ -+ ossl_cipher_generic_reset_ctx((PROV_CIPHER_CTX *)vctx); -+ OPENSSL_clear_free(ctx, sizeof(*ctx)); -+} -+ -+static void *sm4_xts_dupctx(void *vctx) -+{ -+ PROV_SM4_XTS_CTX *in = (PROV_SM4_XTS_CTX *)vctx; -+ PROV_SM4_XTS_CTX *ret = NULL; -+ -+ if (!ossl_prov_is_running()) -+ return NULL; -+ -+ if (in->xts.key1 != NULL) { -+ if (in->xts.key1 != &in->ks1) -+ return NULL; -+ } -+ if (in->xts.key2 != NULL) { -+ if (in->xts.key2 != &in->ks2) -+ return NULL; -+ } -+ ret = OPENSSL_malloc(sizeof(*ret)); -+ if (ret == NULL) -+ return NULL; -+ in->base.hw->copyctx(&ret->base, &in->base); -+ return ret; -+} -+ -+static int sm4_xts_cipher(void *vctx, unsigned char *out, size_t *outl, -+ size_t outsize, const unsigned char *in, size_t inl) -+{ -+ PROV_SM4_XTS_CTX *ctx = (PROV_SM4_XTS_CTX *)vctx; -+ -+ if (!ossl_prov_is_running() -+ || ctx->xts.key1 == NULL -+ || ctx->xts.key2 == NULL -+ || !ctx->base.iv_set -+ || out == NULL -+ || in == NULL -+ || inl < SM4_BLOCK_SIZE) -+ return 0; -+ -+ /* -+ * Impose a limit of 2^20 blocks per data unit as specified by -+ * IEEE Std 1619-2018. The earlier and obsolete IEEE Std 1619-2007 -+ * indicated that this was a SHOULD NOT rather than a MUST NOT. -+ * NIST SP 800-38E mandates the same limit. 
-+ */ -+ if (inl > XTS_MAX_BLOCKS_PER_DATA_UNIT * SM4_BLOCK_SIZE) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_XTS_DATA_UNIT_IS_TOO_LARGE); -+ return 0; -+ } -+ if (ctx->xts_standard) { -+ if (ctx->stream != NULL) -+ (*ctx->stream)(in, out, inl, ctx->xts.key1, ctx->xts.key2, -+ ctx->base.iv); -+ else if (CRYPTO_xts128_encrypt(&ctx->xts, ctx->base.iv, in, out, inl, -+ ctx->base.enc)) -+ return 0; -+ } else { -+ if (ctx->stream_gb != NULL) -+ (*ctx->stream_gb)(in, out, inl, ctx->xts.key1, ctx->xts.key2, -+ ctx->base.iv); -+ else if (ossl_crypto_xts128gb_encrypt(&ctx->xts, ctx->base.iv, in, out, -+ inl, ctx->base.enc)) -+ return 0; -+ } -+ *outl = inl; -+ return 1; -+} -+ -+static int sm4_xts_stream_update(void *vctx, unsigned char *out, size_t *outl, -+ size_t outsize, const unsigned char *in, -+ size_t inl) -+{ -+ PROV_SM4_XTS_CTX *ctx = (PROV_SM4_XTS_CTX *)vctx; -+ -+ if (outsize < inl) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); -+ return 0; -+ } -+ -+ if (!sm4_xts_cipher(ctx, out, outl, outsize, in, inl)) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED); -+ return 0; -+ } -+ -+ return 1; -+} -+ -+static int sm4_xts_stream_final(void *vctx, unsigned char *out, size_t *outl, -+ size_t outsize) -+{ -+ if (!ossl_prov_is_running()) -+ return 0; -+ *outl = 0; -+ return 1; -+} -+ -+static const OSSL_PARAM sm4_xts_known_settable_ctx_params[] = { -+ OSSL_PARAM_utf8_string(OSSL_CIPHER_PARAM_XTS_STANDARD, NULL, 0), -+ OSSL_PARAM_END -+}; -+ -+static const OSSL_PARAM *sm4_xts_settable_ctx_params(ossl_unused void *cctx, -+ ossl_unused void *provctx) -+{ -+ return sm4_xts_known_settable_ctx_params; -+} -+ -+static int sm4_xts_set_ctx_params(void *vxctx, const OSSL_PARAM params[]) -+{ -+ PROV_SM4_XTS_CTX *xctx = (PROV_SM4_XTS_CTX *)vxctx; -+ const OSSL_PARAM *p; -+ -+ if (params == NULL) -+ return 1; -+ -+ /*- -+ * Sets the XTS standard to use with SM4-XTS algorithm. 
-+ * -+ * Must be utf8 string "GB" or "IEEE", -+ * "GB" means the GB/T 17964-2021 standard -+ * "IEEE" means the IEEE Std 1619-2007 standard -+ */ -+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_XTS_STANDARD); -+ -+ if (p != NULL) { -+ const char *xts_standard = NULL; -+ -+ if (p->data_type != OSSL_PARAM_UTF8_STRING) -+ return 0; -+ -+ if (!OSSL_PARAM_get_utf8_string_ptr(p, &xts_standard)) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); -+ return 0; -+ } -+ if (OPENSSL_strcasecmp(xts_standard, "GB") == 0) { -+ xctx->xts_standard = 0; -+ } else if (OPENSSL_strcasecmp(xts_standard, "IEEE") == 0) { -+ xctx->xts_standard = 1; -+ } else { -+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); -+ return 0; -+ } -+ } -+ -+ return 1; -+} -+ -+#define IMPLEMENT_cipher(lcmode, UCMODE, kbits, flags) \ -+static OSSL_FUNC_cipher_get_params_fn sm4_##kbits##_##lcmode##_get_params; \ -+static int sm4_##kbits##_##lcmode##_get_params(OSSL_PARAM params[]) \ -+{ \ -+ return ossl_cipher_generic_get_params(params, EVP_CIPH_##UCMODE##_MODE, \ -+ flags, 2 * kbits, SM4_XTS_BLOCK_BITS,\ -+ SM4_XTS_IV_BITS); \ -+} \ -+static OSSL_FUNC_cipher_newctx_fn sm4_##kbits##_xts_newctx; \ -+static void *sm4_##kbits##_xts_newctx(void *provctx) \ -+{ \ -+ return sm4_xts_newctx(provctx, EVP_CIPH_##UCMODE##_MODE, flags, 2 * kbits, \ -+ SM4_XTS_BLOCK_BITS, SM4_XTS_IV_BITS); \ -+} \ -+const OSSL_DISPATCH ossl_sm4##kbits##xts_functions[] = { \ -+ { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))sm4_##kbits##_xts_newctx }, \ -+ { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void))sm4_xts_einit }, \ -+ { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void))sm4_xts_dinit }, \ -+ { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))sm4_xts_stream_update }, \ -+ { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))sm4_xts_stream_final }, \ -+ { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))sm4_xts_cipher }, \ -+ { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))sm4_xts_freectx }, \ -+ { OSSL_FUNC_CIPHER_DUPCTX, (void 
(*)(void))sm4_xts_dupctx }, \ -+ { OSSL_FUNC_CIPHER_GET_PARAMS, \ -+ (void (*)(void))sm4_##kbits##_##lcmode##_get_params }, \ -+ { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \ -+ (void (*)(void))ossl_cipher_generic_gettable_params }, \ -+ { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, \ -+ (void (*)(void))ossl_cipher_generic_get_ctx_params }, \ -+ { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \ -+ (void (*)(void))ossl_cipher_generic_gettable_ctx_params }, \ -+ { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \ -+ (void (*)(void))sm4_xts_set_ctx_params }, \ -+ { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \ -+ (void (*)(void))sm4_xts_settable_ctx_params }, \ -+ { 0, NULL } \ -+} -+/* ossl_sm4128xts_functions */ -+IMPLEMENT_cipher(xts, XTS, 128, SM4_XTS_FLAGS); -diff --git a/providers/implementations/ciphers/cipher_sm4_xts.h b/providers/implementations/ciphers/cipher_sm4_xts.h -new file mode 100644 -index 0000000000..4c369183e2 ---- /dev/null -+++ b/providers/implementations/ciphers/cipher_sm4_xts.h -@@ -0,0 +1,46 @@ -+/* -+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. 
You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#include -+#include "prov/ciphercommon.h" -+#include "crypto/sm4_platform.h" -+ -+PROV_CIPHER_FUNC(void, xts_stream, -+ (const unsigned char *in, unsigned char *out, size_t len, -+ const SM4_KEY *key1, const SM4_KEY *key2, -+ const unsigned char iv[16])); -+ -+typedef struct prov_sm4_xts_ctx_st { -+ /* Must be first */ -+ PROV_CIPHER_CTX base; -+ -+ /* SM4 key schedules to use */ -+ union { -+ OSSL_UNION_ALIGN; -+ SM4_KEY ks; -+ } ks1, ks2; -+ -+ /*- -+ * XTS standard to use with SM4-XTS algorithm -+ * -+ * Must be 0 or 1, -+ * 0 for XTS mode specified by GB/T 17964-2021 -+ * 1 for XTS mode specified by IEEE Std 1619-2007 -+ */ -+ int xts_standard; -+ -+ XTS128_CONTEXT xts; -+ -+ /* Stream function for XTS mode specified by GB/T 17964-2021 */ -+ OSSL_xts_stream_fn stream_gb; -+ /* Stream function for XTS mode specified by IEEE Std 1619-2007 */ -+ OSSL_xts_stream_fn stream; -+} PROV_SM4_XTS_CTX; -+ -+const PROV_CIPHER_HW *ossl_prov_cipher_hw_sm4_xts(size_t keybits); -diff --git a/providers/implementations/ciphers/cipher_sm4_xts_hw.c b/providers/implementations/ciphers/cipher_sm4_xts_hw.c -new file mode 100644 -index 0000000000..403eb879b1 ---- /dev/null -+++ b/providers/implementations/ciphers/cipher_sm4_xts_hw.c -@@ -0,0 +1,89 @@ -+/* -+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. 
You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#include "cipher_sm4_xts.h" -+ -+#define XTS_SET_KEY_FN(fn_set_enc_key, fn_set_dec_key, \ -+ fn_block_enc, fn_block_dec, \ -+ fn_stream_enc, fn_stream_dec, \ -+ fn_stream_gb_enc, fn_stream_gb_dec) { \ -+ size_t bytes = keylen / 2; \ -+ \ -+ if (ctx->enc) { \ -+ fn_set_enc_key(key, &xctx->ks1.ks); \ -+ xctx->xts.block1 = (block128_f)fn_block_enc; \ -+ } else { \ -+ fn_set_dec_key(key, &xctx->ks1.ks); \ -+ xctx->xts.block1 = (block128_f)fn_block_dec; \ -+ } \ -+ fn_set_enc_key(key + bytes, &xctx->ks2.ks); \ -+ xctx->xts.block2 = (block128_f)fn_block_enc; \ -+ xctx->xts.key1 = &xctx->ks1; \ -+ xctx->xts.key2 = &xctx->ks2; \ -+ xctx->stream = ctx->enc ? fn_stream_enc : fn_stream_dec; \ -+ xctx->stream_gb = ctx->enc ? fn_stream_gb_enc : fn_stream_gb_dec; \ -+} -+ -+static int cipher_hw_sm4_xts_generic_initkey(PROV_CIPHER_CTX *ctx, -+ const unsigned char *key, -+ size_t keylen) -+{ -+ PROV_SM4_XTS_CTX *xctx = (PROV_SM4_XTS_CTX *)ctx; -+ OSSL_xts_stream_fn stream_enc = NULL; -+ OSSL_xts_stream_fn stream_dec = NULL; -+ OSSL_xts_stream_fn stream_gb_enc = NULL; -+ OSSL_xts_stream_fn stream_gb_dec = NULL; -+#ifdef HWSM4_CAPABLE -+ if (HWSM4_CAPABLE) { -+ XTS_SET_KEY_FN(HWSM4_set_encrypt_key, HWSM4_set_decrypt_key, -+ HWSM4_encrypt, HWSM4_decrypt, stream_enc, stream_dec, -+ stream_gb_enc, stream_gb_dec); -+ return 1; -+ } else -+#endif /* HWSM4_CAPABLE */ -+#ifdef VPSM4_CAPABLE -+ if (VPSM4_CAPABLE) { -+ XTS_SET_KEY_FN(vpsm4_set_encrypt_key, vpsm4_set_decrypt_key, -+ vpsm4_encrypt, vpsm4_decrypt, stream_enc, stream_dec, -+ stream_gb_enc, stream_gb_dec); -+ return 1; -+ } else -+#endif /* VPSM4_CAPABLE */ -+ { -+ (void)0; -+ } -+ { -+ XTS_SET_KEY_FN(ossl_sm4_set_key, ossl_sm4_set_key, ossl_sm4_encrypt, -+ ossl_sm4_decrypt, stream_enc, stream_dec, stream_gb_enc, -+ stream_gb_dec); -+ } -+ return 1; -+} -+ -+static void 
cipher_hw_sm4_xts_copyctx(PROV_CIPHER_CTX *dst, -+ const PROV_CIPHER_CTX *src) -+{ -+ PROV_SM4_XTS_CTX *sctx = (PROV_SM4_XTS_CTX *)src; -+ PROV_SM4_XTS_CTX *dctx = (PROV_SM4_XTS_CTX *)dst; -+ -+ *dctx = *sctx; -+ dctx->xts.key1 = &dctx->ks1.ks; -+ dctx->xts.key2 = &dctx->ks2.ks; -+} -+ -+ -+static const PROV_CIPHER_HW sm4_generic_xts = { -+ cipher_hw_sm4_xts_generic_initkey, -+ NULL, -+ cipher_hw_sm4_xts_copyctx -+}; -+const PROV_CIPHER_HW *ossl_prov_cipher_hw_sm4_xts(size_t keybits) -+{ -+ return &sm4_generic_xts; -+} -diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h -index 498eab4ad4..cfa32ea3ca 100644 ---- a/providers/implementations/include/prov/implementations.h -+++ b/providers/implementations/include/prov/implementations.h -@@ -181,6 +181,7 @@ extern const OSSL_DISPATCH ossl_sm4128cbc_functions[]; - extern const OSSL_DISPATCH ossl_sm4128ctr_functions[]; - extern const OSSL_DISPATCH ossl_sm4128ofb128_functions[]; - extern const OSSL_DISPATCH ossl_sm4128cfb128_functions[]; -+extern const OSSL_DISPATCH ossl_sm4128xts_functions[]; - #endif /* OPENSSL_NO_SM4 */ - #ifndef OPENSSL_NO_RC5 - extern const OSSL_DISPATCH ossl_rc5128ecb_functions[]; -diff --git a/providers/implementations/include/prov/names.h b/providers/implementations/include/prov/names.h -index 0fac23a850..5192f4f471 100644 ---- a/providers/implementations/include/prov/names.h -+++ b/providers/implementations/include/prov/names.h -@@ -164,6 +164,7 @@ - #define PROV_NAMES_SM4_CFB "SM4-CFB:SM4-CFB128:1.2.156.10197.1.104.4" - #define PROV_NAMES_SM4_GCM "SM4-GCM:1.2.156.10197.1.104.8" - #define PROV_NAMES_SM4_CCM "SM4-CCM:1.2.156.10197.1.104.9" -+#define PROV_NAMES_SM4_XTS "SM4-XTS:1.2.156.10197.1.104.10" - #define PROV_NAMES_ChaCha20 "ChaCha20" - #define PROV_NAMES_ChaCha20_Poly1305 "ChaCha20-Poly1305" - #define PROV_NAMES_CAST5_ECB "CAST5-ECB" --- -2.37.3.windows.1 - 
diff --git a/Backport-support-decode-SM2-parameters.patch b/Backport-support-decode-SM2-parameters.patch
deleted file mode 100644
index 7f4ea20db62b98b758ddc95d6df4c75c3e0f636b..0000000000000000000000000000000000000000
--- a/Backport-support-decode-SM2-parameters.patch
+++ /dev/null
@@ -1,175 +0,0 @@ -From 08ae9fa627e858b9f8e96e0c6d3cf84422a11d75 Mon Sep 17 00:00:00 2001 -From: K1 -Date: Tue, 19 Jul 2022 01:18:12 +0800 -Subject: [PATCH] Support decode SM2 parameters - -Reviewed-by: Hugo Landau -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/18819) - -Signed-off-by: Huaxin Lu ---- - apps/ecparam.c | 12 ++++++++++-- - include/openssl/pem.h | 1 + - providers/decoders.inc | 1 + - .../implementations/encode_decode/decode_der2key.c | 1 + - .../implementations/encode_decode/decode_pem2der.c | 1 + - .../implementations/encode_decode/encode_key2text.c | 8 +++++--- - .../implementations/include/prov/implementations.h | 1 + - test/recipes/15-test_ecparam.t | 4 ++++ - .../15-test_ecparam_data/valid/sm2-explicit.pem | 7 +++++++ - .../recipes/15-test_ecparam_data/valid/sm2-named.pem | 3 +++ - 10 files changed, 34 insertions(+), 5 deletions(-) - create mode 100644 test/recipes/15-test_ecparam_data/valid/sm2-explicit.pem - create mode 100644 test/recipes/15-test_ecparam_data/valid/sm2-named.pem - -diff --git a/apps/ecparam.c b/apps/ecparam.c -index 5d66b65569..71f93c4ca5 100644 ---- a/apps/ecparam.c -+++ b/apps/ecparam.c -@@ -242,9 +242,17 @@ int ecparam_main(int argc, char **argv) - goto end; - } - } else { -- params_key = load_keyparams(infile, informat, 1, "EC", "EC parameters"); -- if (params_key == NULL || !EVP_PKEY_is_a(params_key, "EC")) -+ params_key = load_keyparams_suppress(infile, informat, 1, "EC", -+ "EC parameters", 1); -+ if (params_key == NULL) -+ params_key = load_keyparams_suppress(infile, informat, 1, "SM2", -+ "SM2 parameters", 1); -+ -+ if (params_key == NULL) { -+ BIO_printf(bio_err, "Unable to load parameters from %s\n", infile); - goto end; -+ } -+ - if (point_format - && !EVP_PKEY_set_utf8_string_param( - params_key, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT, -diff --git a/include/openssl/pem.h b/include/openssl/pem.h -index ed50f081fa..0446c77019 100644 ---- a/include/openssl/pem.h -+++ 
b/include/openssl/pem.h -@@ -57,6 +57,7 @@ extern "C" { - # define PEM_STRING_ECPRIVATEKEY "EC PRIVATE KEY" - # define PEM_STRING_PARAMETERS "PARAMETERS" - # define PEM_STRING_CMS "CMS" -+# define PEM_STRING_SM2PARAMETERS "SM2 PARAMETERS" - - # define PEM_TYPE_ENCRYPTED 10 - # define PEM_TYPE_MIC_ONLY 20 -diff --git a/providers/decoders.inc b/providers/decoders.inc -index 2772aad05d..edca39ea36 100644 ---- a/providers/decoders.inc -+++ b/providers/decoders.inc -@@ -69,6 +69,7 @@ DECODER_w_structure("X448", der, SubjectPublicKeyInfo, x448, yes), - # ifndef OPENSSL_NO_SM2 - DECODER_w_structure("SM2", der, PrivateKeyInfo, sm2, no), - DECODER_w_structure("SM2", der, SubjectPublicKeyInfo, sm2, no), -+DECODER_w_structure("SM2", der, type_specific_no_pub, sm2, no), - # endif - #endif - DECODER_w_structure("RSA", der, PrivateKeyInfo, rsa, yes), -diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c -index ebc2d24833..d4d3731460 100644 ---- a/providers/implementations/encode_decode/decode_der2key.c -+++ b/providers/implementations/encode_decode/decode_der2key.c -@@ -783,6 +783,7 @@ MAKE_DECODER("ED448", ed448, ecx, SubjectPublicKeyInfo); - # ifndef OPENSSL_NO_SM2 - MAKE_DECODER("SM2", sm2, ec, PrivateKeyInfo); - MAKE_DECODER("SM2", sm2, ec, SubjectPublicKeyInfo); -+MAKE_DECODER("SM2", sm2, sm2, type_specific_no_pub); - # endif - #endif - MAKE_DECODER("RSA", rsa, rsa, PrivateKeyInfo); -diff --git a/providers/implementations/encode_decode/decode_pem2der.c b/providers/implementations/encode_decode/decode_pem2der.c -index bc937ffb9d..648ecd4584 100644 ---- a/providers/implementations/encode_decode/decode_pem2der.c -+++ b/providers/implementations/encode_decode/decode_pem2der.c -@@ -119,6 +119,7 @@ static int pem2der_decode(void *vctx, OSSL_CORE_BIO *cin, int selection, - { PEM_STRING_DSAPARAMS, OSSL_OBJECT_PKEY, "DSA", "type-specific" }, - { PEM_STRING_ECPRIVATEKEY, OSSL_OBJECT_PKEY, "EC", 
"type-specific" }, - { PEM_STRING_ECPARAMETERS, OSSL_OBJECT_PKEY, "EC", "type-specific" }, -+ { PEM_STRING_SM2PARAMETERS, OSSL_OBJECT_PKEY, "SM2", "type-specific" }, - { PEM_STRING_RSA, OSSL_OBJECT_PKEY, "RSA", "type-specific" }, - { PEM_STRING_RSA_PUBLIC, OSSL_OBJECT_PKEY, "RSA", "type-specific" }, - -diff --git a/providers/implementations/encode_decode/encode_key2text.c b/providers/implementations/encode_decode/encode_key2text.c -index 7d983f5e51..a92e04a89d 100644 ---- a/providers/implementations/encode_decode/encode_key2text.c -+++ b/providers/implementations/encode_decode/encode_key2text.c -@@ -512,7 +512,8 @@ static int ec_to_text(BIO *out, const void *key, int selection) - else if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) - type_label = "Public-Key"; - else if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) -- type_label = "EC-Parameters"; -+ if (EC_GROUP_get_curve_name(group) != NID_sm2) -+ type_label = "EC-Parameters"; - - if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { - const BIGNUM *priv_key = EC_KEY_get0_private_key(ec); -@@ -538,8 +539,9 @@ static int ec_to_text(BIO *out, const void *key, int selection) - goto err; - } - -- if (BIO_printf(out, "%s: (%d bit)\n", type_label, -- EC_GROUP_order_bits(group)) <= 0) -+ if (type_label != NULL -+ && BIO_printf(out, "%s: (%d bit)\n", type_label, -+ EC_GROUP_order_bits(group)) <= 0) - goto err; - if (priv != NULL - && !print_labeled_buf(out, "priv:", priv, priv_len)) -diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h -index 03ce43719e..288808bb6f 100644 ---- a/providers/implementations/include/prov/implementations.h -+++ b/providers/implementations/include/prov/implementations.h -@@ -508,6 +508,7 @@ extern const OSSL_DISPATCH ossl_SubjectPublicKeyInfo_der_to_ed448_decoder_functi - #ifndef OPENSSL_NO_SM2 - extern const OSSL_DISPATCH ossl_PrivateKeyInfo_der_to_sm2_decoder_functions[]; - extern const 
OSSL_DISPATCH ossl_SubjectPublicKeyInfo_der_to_sm2_decoder_functions[]; -+extern const OSSL_DISPATCH ossl_type_specific_no_pub_der_to_sm2_decoder_functions[]; - #endif - - extern const OSSL_DISPATCH ossl_PrivateKeyInfo_der_to_rsa_decoder_functions[]; -diff --git a/test/recipes/15-test_ecparam.t b/test/recipes/15-test_ecparam.t -index 37bf620f35..5dba866378 100644 ---- a/test/recipes/15-test_ecparam.t -+++ b/test/recipes/15-test_ecparam.t -@@ -25,6 +25,10 @@ my @valid = glob(data_file("valid", "*.pem")); - my @noncanon = glob(data_file("noncanon", "*.pem")); - my @invalid = glob(data_file("invalid", "*.pem")); - -+if (disabled("sm2")) { -+ @valid = grep { !/sm2-.*\.pem/} @valid; -+} -+ - plan tests => 12; - - sub checkload { -diff --git a/test/recipes/15-test_ecparam_data/valid/sm2-explicit.pem b/test/recipes/15-test_ecparam_data/valid/sm2-explicit.pem -new file mode 100644 -index 0000000000..bd07654ea4 ---- /dev/null -+++ b/test/recipes/15-test_ecparam_data/valid/sm2-explicit.pem -@@ -0,0 +1,7 @@ -+-----BEGIN SM2 PARAMETERS----- -+MIHgAgEBMCwGByqGSM49AQECIQD////+/////////////////////wAAAAD///// -+/////zBEBCD////+/////////////////////wAAAAD//////////AQgKOn6np2f -+XjRNWp5Lz2UJp/OXifUVq4+S3by9QU2UDpMEQQQyxK4sHxmBGV+ZBEZqOcmUj+ML -+v/JmC+FxWkWJM0x0x7w3NqL09necWb3O42tpIVPQqYd8xipHQALfMuUhOfCgAiEA -+/////v///////////////3ID32shxgUrU7v0CTnVQSMCAQE= -+-----END SM2 PARAMETERS----- -diff --git a/test/recipes/15-test_ecparam_data/valid/sm2-named.pem b/test/recipes/15-test_ecparam_data/valid/sm2-named.pem -new file mode 100644 -index 0000000000..d6e280f6c2 ---- /dev/null -+++ b/test/recipes/15-test_ecparam_data/valid/sm2-named.pem -@@ -0,0 +1,3 @@ -+-----BEGIN SM2 PARAMETERS----- -+BggqgRzPVQGCLQ== -+-----END SM2 PARAMETERS----- --- -2.33.0 - diff --git a/Feature-support-SM2-CMS-signature.patch b/Feature-support-SM2-CMS-signature.patch index 5c87cc78c9f8737e08b9bb1c0fdffa77912246cf..aaa3b460e826d6adc4584f5ba8a167bb5d4f7cb8 100644 --- a/Feature-support-SM2-CMS-signature.patch 
+++ b/Feature-support-SM2-CMS-signature.patch @@ -1,7 +1,7 @@ -From e7f35b6f10599a574acb3bcca40845eeccfdc63b Mon Sep 17 00:00:00 2001 +From 3c61595d2b18dc1dcaa05c7069da5aa5d15d6343 Mon Sep 17 00:00:00 2001 From: Huaxin Lu Date: Fri, 1 Sep 2023 20:08:46 +0800 -Subject: [PATCH] Support SM2 CMS signature +Subject: [PATCH 2/8] Support SM2 CMS signature Signed-off-by: Huaxin Lu --- @@ -10,23 +10,23 @@ Signed-off-by: Huaxin Lu 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c -index 2093657..083edd2 100644 +index 9d5b860..e0cdff3 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c -@@ -232,7 +232,7 @@ static int cms_sd_asn1_ctrl(CMS_SignerInfo *si, int cmd) +@@ -271,7 +271,7 @@ static int cms_sd_asn1_ctrl(CMS_SignerInfo *si, int cmd) EVP_PKEY *pkey = si->pkey; int i; - if (EVP_PKEY_is_a(pkey, "DSA") || EVP_PKEY_is_a(pkey, "EC")) + if (EVP_PKEY_is_a(pkey, "DSA") || EVP_PKEY_is_a(pkey, "EC") || EVP_PKEY_is_a(pkey, "SM2")) - return ossl_cms_ecdsa_dsa_sign(si, cmd) > 0; + return cms_generic_sign(si, cmd) > 0; else if (EVP_PKEY_is_a(pkey, "RSA") || EVP_PKEY_is_a(pkey, "RSA-PSS")) return ossl_cms_rsa_sign(si, cmd) > 0; diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c -index f6acb5b..9567bb0 100644 +index 7f45081..2637351 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c -@@ -982,6 +982,9 @@ int EVP_PKEY_type(int type) +@@ -1035,6 +1035,9 @@ int EVP_PKEY_type(int type) int EVP_PKEY_get_id(const EVP_PKEY *pkey) { @@ -37,5 +37,5 @@ index f6acb5b..9567bb0 100644 } -- -2.33.0 +2.50.1 diff --git a/Feature-use-default-id-if-SM2-id-is-not-set.patch b/Feature-use-default-id-if-SM2-id-is-not-set.patch index ee6f2d814756f65aaa2d74ce946fc7c92a36e862..ccebde3c51ca19cda3e4a594c3a03cb76be994c5 100644 --- a/Feature-use-default-id-if-SM2-id-is-not-set.patch +++ b/Feature-use-default-id-if-SM2-id-is-not-set.patch 
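Review bot: The rebased context line `return cms_generic_sign(si, cmd) > 0;` means the SM2 branch this patch adds to `cms_sd_asn1_ctrl` now runs through a different helper than the `ossl_cms_ecdsa_dsa_sign` it was written and presumably tested against, and nothing in the rebased patch confirms that the generic path fills in the SignerInfo's signature algorithm identifier correctly for an SM2 key. A CMS sign-then-verify round trip with an SM2 key should accompany the rebase (the patch's diffstat still lists no test file), and the patch description should mention the retarget so the next rebase does not treat it as a pure offset change. The enclosing `cms_sd_asn1_ctrl` starts and ends outside the hunk.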
@@ -1,7 +1,7 @@ -From 12f6ee3806c1f04a682b4c31aeb510a2dca602ef Mon Sep 17 00:00:00 2001 +From 9c6c4837534b7a5b13d71dd764a1781504aaaf53 Mon Sep 17 00:00:00 2001 From: Huaxin Lu Date: Fri, 1 Sep 2023 20:27:45 +0800 -Subject: [PATCH] use default id if SM2 id is not set +Subject: [PATCH 3/8] use default id if SM2 id is not set Signed-off-by: Huaxin Lu --- @@ -9,7 +9,7 @@ Signed-off-by: Huaxin Lu 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/crypto/sm2/sm2_sign.c b/crypto/sm2/sm2_sign.c -index ff5be9b..33d3a73 100644 +index 28cf95c..370c1ed 100644 --- a/crypto/sm2/sm2_sign.c +++ b/crypto/sm2/sm2_sign.c @@ -42,6 +42,8 @@ int ossl_sm2_compute_z_digest(uint8_t *out, @@ -19,9 +19,9 @@ index ff5be9b..33d3a73 100644 + const uint8_t *f_id = id; + size_t f_id_len = id_len; - hash = EVP_MD_CTX_new(); - ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(key)); -@@ -68,15 +70,21 @@ int ossl_sm2_compute_z_digest(uint8_t *out, + /* SM2 Signatures require a public key, check for it */ + if (pubkey == NULL) { +@@ -78,15 +80,21 @@ int ossl_sm2_compute_z_digest(uint8_t *out, goto done; } @@ -45,7 +45,7 @@ index ff5be9b..33d3a73 100644 e_byte = entl >> 8; if (!EVP_DigestUpdate(hash, &e_byte, 1)) { -@@ -89,7 +97,7 @@ int ossl_sm2_compute_z_digest(uint8_t *out, +@@ -99,7 +107,7 @@ int ossl_sm2_compute_z_digest(uint8_t *out, goto done; } @@ -55,5 +55,5 @@ index ff5be9b..33d3a73 100644 goto done; } -- -2.33.0 +2.50.1 diff --git a/Fix-build-error-for-ppc64le.patch b/Fix-build-error-for-ppc64le.patch index a6b1b12fc6603dd64768b4f962892ef877e87ed6..9a8ee8b3a3b52d1dc07f599a504c8bf0be9de215 100644 --- a/Fix-build-error-for-ppc64le.patch +++ b/Fix-build-error-for-ppc64le.patch @@ -1,17 +1,17 @@ -From 4d2ed81fcc1f21aa651fb5cc4555ea21cfd3d232 Mon Sep 17 00:00:00 2001 +From 95f94607b6a726cbc7c01eb08a3acd0df242b505 Mon Sep 17 00:00:00 2001 
From: peng_zou Date: Tue, 25 Jun 2024 10:33:28 +0800 -Subject: [PATCH] Fix build error for ppc64le +Subject: [PATCH 8/8] Fix build error for ppc64le --- Configurations/10-main.conf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf -index 915e7dd..27433ce 100644 +index 9c25fb7..fa5a892 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf -@@ -734,6 +734,14 @@ my %targets = ( +@@ -727,6 +727,14 @@ my %targets = ( asm_arch => 'ppc64', perlasm_scheme => "linux64le", }, @@ -27,5 +27,5 @@ index 915e7dd..27433ce 100644 "linux-armv4" => { ################################################################ -- -2.43.0 +2.50.1 diff --git a/add-FIPS_mode_set-support.patch b/add-FIPS_mode_set-support.patch index 6608341d160067d7275b0ee5fdaa40cf2825e03a..1ecd07640cc5960ca3018897a6635f5ed6226c51 100644 --- a/add-FIPS_mode_set-support.patch +++ b/add-FIPS_mode_set-support.patch @@ -1,14 +1,14 @@ -From 9ffb8af6f00224c93caa8d738414502b7483a2a0 Mon Sep 17 00:00:00 2001 +From b61d0dc0a782e59168ea90ce14641538604c05f5 Mon Sep 17 00:00:00 2001 From: jinlun Date: Wed, 14 Aug 2024 15:24:31 +0800 -Subject: [PATCH] add FIPS_mode_set support +Subject: [PATCH 7/8] add FIPS_mode_set support --- - include/openssl/fips.h | 1 + - 1 files changed, 1 insertions(+) + include/openssl/fips.h | 1 + + 1 file changed, 1 insertion(+) diff --git a/include/openssl/fips.h b/include/openssl/fips.h -index 4162cbf..5e89003 100644 +index 4162cbf..c9b4ff4 100644 --- a/include/openssl/fips.h +++ b/include/openssl/fips.h @@ -19,6 +19,7 @@ extern "C" { @@ -20,5 +20,5 @@ index 4162cbf..5e89003 100644 # ifdef __cplusplus } -- -2.27.0 +2.50.1 diff --git a/backport-01-Improve-FIPS-RSA-keygen-performance.patch b/backport-01-Improve-FIPS-RSA-keygen-performance.patch deleted file mode 100644 index 816c0f7ceeb3da5d6af86bc4a1864949588d183e..0000000000000000000000000000000000000000 
--- a/backport-01-Improve-FIPS-RSA-keygen-performance.patch
+++ /dev/null
@@ -1,265 +0,0 @@ -From dd1d7bcb69994d81662e709b0ad838880b943870 Mon Sep 17 00:00:00 2001 -From: slontis -Date: Wed, 2 Nov 2022 12:01:34 +1000 -Subject: [PATCH] Improve FIPS RSA keygen performance. - -FIPS 186-4 has 5 different algorithms for key generation, -and all of them rely on testing GCD(a,n) == 1 many times. - -Cachegrind was showing that during a RSA keygen operation, -the function BN_gcd() was taking a considerable percentage -of the total cycles. - -The default provider uses multiprime keygen, which seemed to -be much faster. This is because it uses BN_mod_inverse() -instead. - -For a 4096 bit key, the entropy of a key that was taking a -long time to generate was recorded and fed back into subsequent -runs. Roughly 40% of the cycle time was BN_gcd() with most of the -remainder in the prime testing. Changing to use the inverse -resulted in the cycle count being 96% in the prime testing. - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/19578) ---- - crypto/bn/bn_gcd.c | 31 +++++++++++++++++++++++++++++++ - crypto/bn/bn_rsa_fips186_4.c | 24 +++++++++++++++--------- - doc/man3/BN_cmp.pod | 14 +++++++++++++- - include/openssl/bn.h | 1 + - test/bntest.c | 26 ++++++++++++++++++++++++-- - util/libcrypto.num | 1 + - 6 files changed, 85 insertions(+), 12 deletions(-) - -diff --git a/crypto/bn/bn_gcd.c b/crypto/bn/bn_gcd.c -index 91ad76a161..519bb4e951 100644 ---- a/crypto/bn/bn_gcd.c -+++ b/crypto/bn/bn_gcd.c -@@ -534,6 +534,37 @@ BIGNUM *BN_mod_inverse(BIGNUM *in, - return rv; - } - -+/* -+ * The numbers a and b are coprime if the only positive integer that is a -+ * divisor of both of them is 1. -+ * i.e. gcd(a,b) = 1. -+ * -+ * Coprimes have the property: b has a multiplicative inverse modulo a -+ * i.e there is some value x such that bx = 1 (mod a). -+ * -+ * Testing the modulo inverse is currently much faster than the constant -+ * time version of BN_gcd(). 
-+ */ -+int BN_are_coprime(BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) -+{ -+ int ret = 0; -+ BIGNUM *tmp; -+ -+ BN_CTX_start(ctx); -+ tmp = BN_CTX_get(ctx); -+ if (tmp == NULL) -+ goto end; -+ -+ ERR_set_mark(); -+ BN_set_flags(a, BN_FLG_CONSTTIME); -+ ret = (BN_mod_inverse(tmp, a, b, ctx) != NULL); -+ /* Clear any errors (an error is returned if there is no inverse) */ -+ ERR_pop_to_mark(); -+end: -+ BN_CTX_end(ctx); -+ return ret; -+} -+ - /*- - * This function is based on the constant-time GCD work by Bernstein and Yang: - * https://eprint.iacr.org/2019/266 -diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_4.c -index 770ae4d1fa..e3a2ad76af 100644 ---- a/crypto/bn/bn_rsa_fips186_4.c -+++ b/crypto/bn/bn_rsa_fips186_4.c -@@ -286,14 +286,20 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, - goto err; - } - -+ /* -+ * (Step 1) GCD(2r1, r2) = 1. -+ * Note: This algorithm was doing a gcd(2r1, r2)=1 test before doing an -+ * mod_inverse(2r1, r2) which are effectively the same operation. -+ * (The algorithm assumed that the gcd test would be faster). Since the -+ * mod_inverse is currently faster than calling the constant time -+ * BN_gcd(), the call to BN_gcd() has been omitted. The inverse result -+ * is used further down. -+ */ - if (!(BN_lshift1(r1x2, r1) -- /* (Step 1) GCD(2r1, r2) = 1 */ -- && BN_gcd(tmp, r1x2, r2, ctx) -- && BN_is_one(tmp) -+ && (BN_mod_inverse(tmp, r1x2, r2, ctx) != NULL) - /* (Step 2) R = ((r2^-1 mod 2r1) * r2) - ((2r1^-1 mod r2)*2r1) */ -- && BN_mod_inverse(R, r2, r1x2, ctx) -+ && (BN_mod_inverse(R, r2, r1x2, ctx) != NULL) - && BN_mul(R, R, r2, ctx) /* R = (r2^-1 mod 2r1) * r2 */ -- && BN_mod_inverse(tmp, r1x2, r2, ctx) - && BN_mul(tmp, tmp, r1x2, ctx) /* tmp = (2r1^-1 mod r2)*2r1 */ - && BN_sub(R, R, tmp) - /* Calculate 2r1r2 */ -@@ -305,7 +311,8 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, - - /* - * In FIPS 186-4 imax was set to 5 * nlen/2. 
-- * Analysis by Allen Roginsky (See https://csrc.nist.gov/CSRC/media/Publications/fips/186/4/final/documents/comments-received-fips186-4-december-2015.pdf -+ * Analysis by Allen Roginsky -+ * (See https://csrc.nist.gov/CSRC/media/Publications/fips/186/4/final/documents/comments-received-fips186-4-december-2015.pdf - * page 68) indicates this has a 1 in 2 million chance of failure. - * The number has been updated to 20 * nlen/2 as used in - * FIPS186-5 Appendix B.9 Step 9. -@@ -337,10 +344,9 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, - - /* (Step 7) If GCD(Y-1) == 1 & Y is probably prime then return Y */ - if (BN_copy(y1, Y) == NULL -- || !BN_sub_word(y1, 1) -- || !BN_gcd(tmp, y1, e, ctx)) -+ || !BN_sub_word(y1, 1)) - goto err; -- if (BN_is_one(tmp)) { -+ if (BN_are_coprime(y1, e, ctx)) { - int rv = BN_check_prime(Y, ctx, cb); - - if (rv > 0) -diff --git a/doc/man3/BN_cmp.pod b/doc/man3/BN_cmp.pod -index f302818f21..e9ddf8fa2d 100644 ---- a/doc/man3/BN_cmp.pod -+++ b/doc/man3/BN_cmp.pod -@@ -2,7 +2,8 @@ - - =head1 NAME - --BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_abs_is_word, BN_is_odd - BIGNUM comparison and test functions -+BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_abs_is_word, BN_is_odd, BN_are_coprime -+- BIGNUM comparison and test functions - - =head1 SYNOPSIS - -@@ -17,6 +18,8 @@ BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_abs_is_word, BN_is_odd - - int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w); - int BN_is_odd(const BIGNUM *a); - -+ int BN_are_coprime(BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -+ - =head1 DESCRIPTION - - BN_cmp() compares the numbers I and I. BN_ucmp() compares their -@@ -26,6 +29,10 @@ BN_is_zero(), BN_is_one(), BN_is_word() and BN_abs_is_word() test if - I equals 0, 1, I, or EIE respectively. - BN_is_odd() tests if I is odd. - -+BN_are_coprime() determines if B and B are coprime. -+B is used internally for storing temporary variables. 
-+The values of B and B and B must not be NULL. -+ - =head1 RETURN VALUES - - BN_cmp() returns -1 if I E I, 0 if I == I and 1 if -@@ -35,11 +42,16 @@ of I and I. - BN_is_zero(), BN_is_one() BN_is_word(), BN_abs_is_word() and - BN_is_odd() return 1 if the condition is true, 0 otherwise. - -+BN_are_coprime() returns 1 if the B's are coprime, otherwise it -+returns 0. -+ - =head1 HISTORY - - Prior to OpenSSL 1.1.0, BN_is_zero(), BN_is_one(), BN_is_word(), - BN_abs_is_word() and BN_is_odd() were macros. - -+The function BN_are_coprime() was added in OpenSSL 3.1. -+ - =head1 COPYRIGHT - - Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. -diff --git a/include/openssl/bn.h b/include/openssl/bn.h -index 333e201eae..ea706dca7f 100644 ---- a/include/openssl/bn.h -+++ b/include/openssl/bn.h -@@ -350,6 +350,7 @@ int BN_gcd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); - int BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); /* returns - * -2 for - * error */ -+int BN_are_coprime(BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); - BIGNUM *BN_mod_inverse(BIGNUM *ret, - const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx); - BIGNUM *BN_mod_sqrt(BIGNUM *ret, -diff --git a/test/bntest.c b/test/bntest.c -index 85445b701b..b35b53df7e 100644 ---- a/test/bntest.c -+++ b/test/bntest.c -@@ -41,6 +41,7 @@ typedef struct mpitest_st { - - static const int NUM0 = 100; /* number of tests */ - static const int NUM1 = 50; /* additional tests for some functions */ -+static const int NUM_PRIME_TESTS = 20; - static BN_CTX *ctx; - - /* -@@ -2722,6 +2723,25 @@ static int test_ctx_consttime_flag(void) - return st; - } - -+static int test_coprime(void) -+{ -+ BIGNUM *a = NULL, *b = NULL; -+ int ret = 0; -+ -+ ret = TEST_ptr(a = BN_new()) -+ && TEST_ptr(b = BN_new()) -+ && TEST_true(BN_set_word(a, 66)) -+ && TEST_true(BN_set_word(b, 99)) -+ && TEST_int_eq(BN_are_coprime(a, b, ctx), 0) -+ && TEST_int_eq(BN_are_coprime(b, a, ctx), 0) -+ && TEST_true(BN_set_word(a, 67)) -+ && 
TEST_int_eq(BN_are_coprime(a, b, ctx), 1) -+ && TEST_int_eq(BN_are_coprime(b, a, ctx), 1); -+ BN_free(a); -+ BN_free(b); -+ return ret; -+} -+ - static int test_gcd_prime(void) - { - BIGNUM *a = NULL, *b = NULL, *gcd = NULL; -@@ -2734,11 +2754,12 @@ static int test_gcd_prime(void) - - if (!TEST_true(BN_generate_prime_ex(a, 1024, 0, NULL, NULL, NULL))) - goto err; -- for (i = 0; i < NUM0; i++) { -+ for (i = 0; i < NUM_PRIME_TESTS; i++) { - if (!TEST_true(BN_generate_prime_ex(b, 1024, 0, - NULL, NULL, NULL)) - || !TEST_true(BN_gcd(gcd, a, b, ctx)) -- || !TEST_true(BN_is_one(gcd))) -+ || !TEST_true(BN_is_one(gcd)) -+ || !TEST_true(BN_are_coprime(a, b, ctx))) - goto err; - } - -@@ -3216,6 +3237,7 @@ int setup_tests(void) - ADD_ALL_TESTS(test_is_prime, (int)OSSL_NELEM(primes)); - ADD_ALL_TESTS(test_not_prime, (int)OSSL_NELEM(not_primes)); - ADD_TEST(test_gcd_prime); -+ ADD_TEST(test_coprime); - ADD_ALL_TESTS(test_mod_exp, (int)OSSL_NELEM(ModExpTests)); - ADD_ALL_TESTS(test_mod_exp_consttime, (int)OSSL_NELEM(ModExpTests)); - ADD_TEST(test_mod_exp2_mont); -diff --git a/util/libcrypto.num b/util/libcrypto.num -index 0f6f30b..4a20709 100644 ---- a/util/libcrypto.num -+++ b/util/libcrypto.num -@@ -5429,3 +5429,4 @@ OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: - OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: - OSSL_CMP_CTX_reset_geninfo_ITAVs 5558 3_0_8 EXIST::FUNCTION:CMP - OSSL_CMP_MSG_update_recipNonce 5559 3_0_9 EXIST::FUNCTION:CMP -+BN_are_coprime 5560 3_0_12 EXIST::FUNCTION: --- -2.33.0 - diff --git a/backport-02-Improve-FIPS-RSA-keygen-performance.patch b/backport-02-Improve-FIPS-RSA-keygen-performance.patch deleted file mode 100644 index 5ce670b283af12c54b7f328e9fd14aeab8060def..0000000000000000000000000000000000000000 --- a/backport-02-Improve-FIPS-RSA-keygen-performance.patch +++ /dev/null 
@@ -1,179 +0,0 @@ -From d2f6e66d2837bff1f5f7636bb2118e3a45c9df61 Mon Sep 17 00:00:00 2001 -From: slontis -Date: Wed, 2 Nov 2022 13:20:55 +1000 -Subject: [PATCH] Improve FIPS RSA keygen performance. - -Reduce the Miller Rabin counts to the values specified by FIPS 186-5. -The old code was using a fixed value of 64. - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/19579) ---- - crypto/bn/bn_prime.c | 11 ++++++++ - crypto/bn/bn_rsa_fips186_4.c | 49 ++++++++++++++++++++++++++++++------ - include/crypto/bn.h | 2 ++ - 3 files changed, 54 insertions(+), 8 deletions(-) - -diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c -index 560855542f..96eb1b3c34 100644 ---- a/crypto/bn/bn_prime.c -+++ b/crypto/bn/bn_prime.c -@@ -250,6 +250,17 @@ int ossl_bn_check_prime(const BIGNUM *w, int checks, BN_CTX *ctx, - return bn_is_prime_int(w, checks, ctx, do_trial_division, cb); - } - -+/* -+ * Use this only for key generation. -+ * It always uses trial division. The number of checks -+ * (MR rounds) passed in is used without being clamped to a minimum value. -+ */ -+int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx, -+ BN_GENCB *cb) -+{ -+ return bn_is_prime_int(w, checks, ctx, 1, cb); -+} -+ - int BN_check_prime(const BIGNUM *p, BN_CTX *ctx, BN_GENCB *cb) - { - return ossl_bn_check_prime(p, 0, ctx, 1, cb); -diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_4.c -index e3a2ad76af..765ee250e7 100644 ---- a/crypto/bn/bn_rsa_fips186_4.c -+++ b/crypto/bn/bn_rsa_fips186_4.c -@@ -48,6 +48,34 @@ const BIGNUM ossl_bn_inv_sqrt_2 = { - BN_FLG_STATIC_DATA - }; - -+/* -+ * Refer to FIPS 186-5 Table B.1 for minimum rounds of Miller Rabin -+ * required for generation of RSA aux primes (p1, p2, q1 and q2). 
-+ */ -+static int bn_rsa_fips186_5_aux_prime_MR_rounds(int nbits) -+{ -+ if (nbits >= 4096) -+ return 44; -+ if (nbits >= 3072) -+ return 41; -+ if (nbits >= 2048) -+ return 38; -+ return 0; /* Error */ -+} -+ -+/* -+ * Refer to FIPS 186-5 Table B.1 for minimum rounds of Miller Rabin -+ * required for generation of RSA primes (p and q) -+ */ -+static int bn_rsa_fips186_5_prime_MR_rounds(int nbits) -+{ -+ if (nbits >= 3072) -+ return 4; -+ if (nbits >= 2048) -+ return 5; -+ return 0; /* Error */ -+} -+ - /* - * FIPS 186-5 Table A.1. "Min length of auxiliary primes p1, p2, q1, q2". - * (FIPS 186-5 has an entry for >= 4096 bits). -@@ -97,11 +125,13 @@ static int bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(int nbits) - * Xp1 The passed in starting point to find a probably prime. - * p1 The returned probable prime (first odd integer >= Xp1) - * ctx A BN_CTX object. -+ * rounds The number of Miller Rabin rounds - * cb An optional BIGNUM callback. - * Returns: 1 on success otherwise it returns 0. 
- */ - static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1, - BIGNUM *p1, BN_CTX *ctx, -+ int rounds, - BN_GENCB *cb) - { - int ret = 0; -@@ -117,7 +147,7 @@ static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1, - i++; - BN_GENCB_call(cb, 0, i); - /* MR test with trial division */ -- tmp = BN_check_prime(p1, ctx, cb); -+ tmp = ossl_bn_check_generated_prime(p1, rounds, ctx, cb); - if (tmp > 0) - break; - if (tmp < 0) -@@ -160,7 +190,7 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, - { - int ret = 0; - BIGNUM *p1i = NULL, *p2i = NULL, *Xp1i = NULL, *Xp2i = NULL; -- int bitlen; -+ int bitlen, rounds; - - if (p == NULL || Xpout == NULL) - return 0; -@@ -177,6 +207,7 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, - bitlen = bn_rsa_fips186_5_aux_prime_min_size(nlen); - if (bitlen == 0) - goto err; -+ rounds = bn_rsa_fips186_5_aux_prime_MR_rounds(nlen); - - /* (Steps 4.1/5.1): Randomly generate Xp1 if it is not passed in */ - if (Xp1 == NULL) { -@@ -194,8 +225,8 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, - } - - /* (Steps 4.2/5.2) - find first auxiliary probable primes */ -- if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, cb) -- || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, cb)) -+ if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, rounds, cb) -+ || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, rounds, cb)) - goto err; - /* (Table B.1) auxiliary prime Max length check */ - if ((BN_num_bits(p1i) + BN_num_bits(p2i)) >= -@@ -243,11 +274,11 @@ err: - */ - int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, - const BIGNUM *r1, const BIGNUM *r2, -- int nlen, const BIGNUM *e, BN_CTX *ctx, -- BN_GENCB *cb) -+ int nlen, const BIGNUM *e, -+ BN_CTX *ctx, BN_GENCB *cb) - { - int ret = 0; -- int i, imax; -+ int i, imax, rounds; - int bits = nlen >> 1; - BIGNUM *tmp, *R, *r1r2x2, *y1, *r1x2; - BIGNUM *base, *range; -@@ 
-317,6 +348,7 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, - * The number has been updated to 20 * nlen/2 as used in - * FIPS186-5 Appendix B.9 Step 9. - */ -+ rounds = bn_rsa_fips186_5_prime_MR_rounds(nlen); - imax = 20 * bits; /* max = 20/2 * nbits */ - for (;;) { - if (Xin == NULL) { -@@ -346,8 +378,9 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, - if (BN_copy(y1, Y) == NULL - || !BN_sub_word(y1, 1)) - goto err; -+ - if (BN_are_coprime(y1, e, ctx)) { -- int rv = BN_check_prime(Y, ctx, cb); -+ int rv = ossl_bn_check_generated_prime(Y, rounds, ctx, cb); - - if (rv > 0) - goto end; -diff --git a/include/crypto/bn.h b/include/crypto/bn.h -index cf69bea848..4d11e0e4b1 100644 ---- a/include/crypto/bn.h -+++ b/include/crypto/bn.h -@@ -95,6 +95,8 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, - - int ossl_bn_miller_rabin_is_prime(const BIGNUM *w, int iterations, BN_CTX *ctx, - BN_GENCB *cb, int enhanced, int *status); -+int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx, -+ BN_GENCB *cb); - - const BIGNUM *ossl_bn_get0_small_factors(void); - --- -2.33.0 - diff --git a/backport-Add-CTX-copy-function-for-EVP_MD-to-optimize-the-per.patch b/backport-Add-CTX-copy-function-for-EVP_MD-to-optimize-the-per.patch deleted file mode 100644 index 92a3238fe5ed27841055e5f9d29cf83774436484..0000000000000000000000000000000000000000 --- a/backport-Add-CTX-copy-function-for-EVP_MD-to-optimize-the-per.patch +++ /dev/null 
@@ -1,306 +0,0 @@ -From 4c41aa4b338ca181a394483c8bb6aeb6366c6f96 Mon Sep 17 00:00:00 2001 -From: wangcheng -Date: Sat, 26 Oct 2024 17:10:38 +0800 -Subject: [PATCH] Add CTX copy function for EVP_MD to optimize the performance - of EVP_MD_CTX_copy_ex. - -1. Add OSSL_FUNC_digest_copyctx_fn function for EVP_MD, which is used to copy algctx from the old EVP_MD_CTX to the new one. - -2. Add implementation of OSSL_FUNC_digest_copyctx_fn function for default providers. - -3. Modify EVP_MD_CTX_copy_ex: When the fetched digest is the same in in and out contexts, use the copy function to copy the members in EVP_MD_CTX if the OSSL_FUNC_digest_copyctx_fn function exists. Otherwise, use the previous method to copy. - -4. Add documentation for OSSL_FUNC_digest_copyctx function in doc/man7/provider-digest.pod. - -5. Add testcase. - -Fixes #25703 - -Signed-off-by: wangcheng - -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/25726) ---- - crypto/evp/digest.c | 47 +++++++++++++------ - doc/man7/provider-digest.pod | 11 +++++ - include/crypto/evp.h | 1 + - include/openssl/core_dispatch.h | 2 + - providers/implementations/digests/sha3_prov.c | 10 ++++ - .../include/prov/digestcommon.h | 7 +++ - test/evp_extra_test2.c | 43 +++++++++++++++++ - 7 files changed, 106 insertions(+), 15 deletions(-) - -diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c -index eefed52..f5c44b1 100644 ---- a/crypto/evp/digest.c -+++ b/crypto/evp/digest.c -@@ -548,23 +548,35 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) - return 0; - } - -- evp_md_ctx_reset_ex(out, 1); -- digest_change = (out->fetched_digest != in->fetched_digest); -- if (digest_change && out->fetched_digest != NULL) -- EVP_MD_free(out->fetched_digest); -- *out = *in; -- /* NULL out pointers in case of error */ -- out->pctx = NULL; -- out->algctx = NULL; -+ if (out->digest == in->digest && in->digest->copyctx != NULL) { - -- if (digest_change && 
in->fetched_digest != NULL) -- EVP_MD_up_ref(in->fetched_digest); -+ in->digest->copyctx(out->algctx, in->algctx); - -- if (in->algctx != NULL) { -- out->algctx = in->digest->dupctx(in->algctx); -- if (out->algctx == NULL) { -- ERR_raise(ERR_LIB_EVP, EVP_R_NOT_ABLE_TO_COPY_CTX); -- return 0; -+ EVP_PKEY_CTX_free(out->pctx); -+ out->pctx = NULL; -+ cleanup_old_md_data(out, 0); -+ -+ out->flags = in->flags; -+ out->update = in->update; -+ } else { -+ evp_md_ctx_reset_ex(out, 1); -+ digest_change = (out->fetched_digest != in->fetched_digest); -+ if (digest_change && out->fetched_digest != NULL) -+ EVP_MD_free(out->fetched_digest); -+ *out = *in; -+ /* NULL out pointers in case of error */ -+ out->pctx = NULL; -+ out->algctx = NULL; -+ -+ if (digest_change && in->fetched_digest != NULL) -+ EVP_MD_up_ref(in->fetched_digest); -+ -+ if (in->algctx != NULL) { -+ out->algctx = in->digest->dupctx(in->algctx); -+ if (out->algctx == NULL) { -+ ERR_raise(ERR_LIB_EVP, EVP_R_NOT_ABLE_TO_COPY_CTX); -+ return 0; -+ } - } - } - -@@ -1029,6 +1041,11 @@ static void *evp_md_from_algorithm(int name_id, - md->gettable_ctx_params = - OSSL_FUNC_digest_gettable_ctx_params(fns); - break; -+ case OSSL_FUNC_DIGEST_COPYCTX: -+ if (md->copyctx == NULL) -+ md->copyctx = -+ OSSL_FUNC_digest_copyctx(fns); -+ break; - } - } - if ((fncnt != 0 && fncnt != 5) -diff --git a/doc/man7/provider-digest.pod b/doc/man7/provider-digest.pod -index cac53ac..0ed0d3b 100644 ---- a/doc/man7/provider-digest.pod -+++ b/doc/man7/provider-digest.pod -@@ -20,6 +20,7 @@ provider-digest - The digest library E-E provider functions - void *OSSL_FUNC_digest_newctx(void *provctx); - void OSSL_FUNC_digest_freectx(void *dctx); - void *OSSL_FUNC_digest_dupctx(void *dctx); -+ void OSSL_FUNC_digest_copyctx(void *voutctx, void *vinctx); - - /* Digest generation */ - int OSSL_FUNC_digest_init(void *dctx, const OSSL_PARAM params[]); -@@ -76,6 +77,7 @@ macros in L, as follows: - OSSL_FUNC_digest_newctx OSSL_FUNC_DIGEST_NEWCTX - 
OSSL_FUNC_digest_freectx OSSL_FUNC_DIGEST_FREECTX - OSSL_FUNC_digest_dupctx OSSL_FUNC_DIGEST_DUPCTX -+ OSSL_FUNC_digest_copyctx OSSL_FUNC_DIGEST_COPYCTX - - OSSL_FUNC_digest_init OSSL_FUNC_DIGEST_INIT - OSSL_FUNC_digest_update OSSL_FUNC_DIGEST_UPDATE -@@ -111,6 +113,14 @@ This function should free any resources associated with that context. - OSSL_FUNC_digest_dupctx() should duplicate the provider side digest context in the - I parameter and return the duplicate copy. - -+OSSL_FUNC_digest_copyctx() should copy the provider side digest context in the -+I parameter to the I parameter which is the another provider side -+context. -+The OSSL_FUNC_digest_copyctx function is used in the EVP_MD_CTX_copy_ex function to -+speed up HMAC operations in the PBKDF2. -+This function is optional, and dupctx will be used if there is no EVP_MD_CTX_copy_ex -+function. -+ - =head2 Digest Generation Functions - - OSSL_FUNC_digest_init() initialises a digest operation given a newly created -@@ -274,6 +284,7 @@ L, L - =head1 HISTORY - - The provider DIGEST interface was introduced in OpenSSL 3.0. -+OSSL_FUNC_digest_copyctx() was added in 3.5 version. 
- - =head1 COPYRIGHT - -diff --git a/include/crypto/evp.h b/include/crypto/evp.h -index e70d8e9..f17b569 100644 ---- a/include/crypto/evp.h -+++ b/include/crypto/evp.h -@@ -277,6 +277,7 @@ struct evp_md_st { - OSSL_FUNC_digest_final_fn *dfinal; - OSSL_FUNC_digest_digest_fn *digest; - OSSL_FUNC_digest_freectx_fn *freectx; -+ OSSL_FUNC_digest_copyctx_fn *copyctx; - OSSL_FUNC_digest_dupctx_fn *dupctx; - OSSL_FUNC_digest_get_params_fn *get_params; - OSSL_FUNC_digest_set_ctx_params_fn *set_ctx_params; -diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h -index 99fcda0..e6fa38d 100644 ---- a/include/openssl/core_dispatch.h -+++ b/include/openssl/core_dispatch.h -@@ -283,6 +283,7 @@ OSSL_CORE_MAKE_FUNC(int, provider_self_test, (void *provctx)) - # define OSSL_FUNC_DIGEST_GETTABLE_PARAMS 11 - # define OSSL_FUNC_DIGEST_SETTABLE_CTX_PARAMS 12 - # define OSSL_FUNC_DIGEST_GETTABLE_CTX_PARAMS 13 -+# define OSSL_FUNC_DIGEST_COPYCTX 14 - - OSSL_CORE_MAKE_FUNC(void *, digest_newctx, (void *provctx)) - OSSL_CORE_MAKE_FUNC(int, digest_init, (void *dctx, const OSSL_PARAM params[])) -@@ -297,6 +298,7 @@ OSSL_CORE_MAKE_FUNC(int, digest_digest, - - OSSL_CORE_MAKE_FUNC(void, digest_freectx, (void *dctx)) - OSSL_CORE_MAKE_FUNC(void *, digest_dupctx, (void *dctx)) -+OSSL_CORE_MAKE_FUNC(void, digest_copyctx, (void *outctx, void *inctx)) - - OSSL_CORE_MAKE_FUNC(int, digest_get_params, (OSSL_PARAM params[])) - OSSL_CORE_MAKE_FUNC(int, digest_set_ctx_params, -diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c -index 168825d..3929f97 100644 ---- a/providers/implementations/digests/sha3_prov.c -+++ b/providers/implementations/digests/sha3_prov.c -@@ -32,6 +32,7 @@ static OSSL_FUNC_digest_init_fn keccak_init_params; - static OSSL_FUNC_digest_update_fn keccak_update; - static OSSL_FUNC_digest_final_fn keccak_final; - static OSSL_FUNC_digest_freectx_fn keccak_freectx; -+static OSSL_FUNC_digest_copyctx_fn 
keccak_copyctx; - static OSSL_FUNC_digest_dupctx_fn keccak_dupctx; - static OSSL_FUNC_digest_set_ctx_params_fn shake_set_ctx_params; - static OSSL_FUNC_digest_settable_ctx_params_fn shake_settable_ctx_params; -@@ -236,6 +237,7 @@ const OSSL_DISPATCH ossl_##name##_functions[] = { \ - { OSSL_FUNC_DIGEST_FINAL, (void (*)(void))keccak_final }, \ - { OSSL_FUNC_DIGEST_FREECTX, (void (*)(void))keccak_freectx }, \ - { OSSL_FUNC_DIGEST_DUPCTX, (void (*)(void))keccak_dupctx }, \ -+ { OSSL_FUNC_DIGEST_COPYCTX, (void (*)(void))keccak_copyctx }, \ - PROV_DISPATCH_FUNC_DIGEST_GET_PARAMS(name) - - #define PROV_FUNC_SHA3_DIGEST(name, bitlen, blksize, dgstsize, flags) \ -@@ -258,6 +260,14 @@ static void keccak_freectx(void *vctx) - OPENSSL_clear_free(ctx, sizeof(*ctx)); - } - -+static void keccak_copyctx(void *voutctx, void *vinctx) -+{ -+ KECCAK1600_CTX *outctx = (KECCAK1600_CTX *)voutctx; -+ KECCAK1600_CTX *inctx = (KECCAK1600_CTX *)vinctx; -+ -+ *outctx = *inctx; -+} -+ - static void *keccak_dupctx(void *ctx) - { - KECCAK1600_CTX *in = (KECCAK1600_CTX *)ctx; -diff --git a/providers/implementations/include/prov/digestcommon.h b/providers/implementations/include/prov/digestcommon.h -index abdb8bb..332d473 100644 ---- a/providers/implementations/include/prov/digestcommon.h -+++ b/providers/implementations/include/prov/digestcommon.h -@@ -70,6 +70,12 @@ static void *name##_dupctx(void *ctx) \ - *ret = *in; \ - return ret; \ - } \ -+static void name##_copyctx(void *voutctx, void *vinctx) \ -+{ \ -+ CTX *outctx = (CTX *)voutctx; \ -+ CTX *inctx = (CTX *)vinctx; \ -+ *outctx = *inctx; \ -+} \ - PROV_FUNC_DIGEST_FINAL(name, dgstsize, fin) \ - PROV_FUNC_DIGEST_GET_PARAM(name, blksize, dgstsize, flags) \ - const OSSL_DISPATCH ossl_##name##_functions[] = { \ -@@ -78,6 +84,7 @@ const OSSL_DISPATCH ossl_##name##_functions[] = { \ - { OSSL_FUNC_DIGEST_FINAL, (void (*)(void))name##_internal_final }, \ - { OSSL_FUNC_DIGEST_FREECTX, (void (*)(void))name##_freectx }, \ - { 
OSSL_FUNC_DIGEST_DUPCTX, (void (*)(void))name##_dupctx }, \ -+ { OSSL_FUNC_DIGEST_COPYCTX, (void (*)(void))name##_copyctx }, \ - PROV_DISPATCH_FUNC_DIGEST_GET_PARAMS(name) - - # define PROV_DISPATCH_FUNC_DIGEST_CONSTRUCT_END \ -diff --git a/test/evp_extra_test2.c b/test/evp_extra_test2.c -index 68329b0..be7db00 100644 ---- a/test/evp_extra_test2.c -+++ b/test/evp_extra_test2.c -@@ -27,6 +27,8 @@ - - #include "testutil.h" - #include "internal/nelem.h" -+#include "crypto/evp.h" -+#include "../crypto/evp/evp_local.h" - - static OSSL_LIB_CTX *mainctx = NULL; - static OSSL_PROVIDER *nullprov = NULL; -@@ -1193,6 +1195,46 @@ static int test_evp_md_ctx_copy(void) - return ret; - } - -+static int test_evp_md_ctx_copy2(void) -+{ -+ int ret = 0; -+ EVP_MD *md = NULL; -+ OSSL_LIB_CTX *ctx = NULL; -+ EVP_MD_CTX *inctx = NULL, *outctx = NULL; -+ void *origin_algctx = NULL; -+ -+ if (!TEST_ptr(ctx = OSSL_LIB_CTX_new()) -+ || !TEST_ptr(md = EVP_MD_fetch(ctx, "sha256", NULL))) -+ goto end; -+ -+ inctx = EVP_MD_CTX_new(); -+ outctx = EVP_MD_CTX_new(); -+ -+ if (!TEST_ptr(inctx) || !TEST_ptr(outctx)) -+ goto end; -+ -+ /* init inctx and outctx, now the contexts are from same providers */ -+ if (!TEST_true(EVP_DigestInit_ex2(inctx, md, NULL))) -+ goto end; -+ if (!TEST_true(EVP_DigestInit_ex2(outctx, md, NULL))) -+ goto end; -+ -+ /* -+ * Test the EVP_MD_CTX_copy_ex function. After copying, -+ * outctx->algctx should be the same as the original. 
-+ */ -+ origin_algctx = outctx->algctx; -+ ret = TEST_true(EVP_MD_CTX_copy_ex(outctx, inctx)) -+ && TEST_true(outctx->algctx == origin_algctx); -+ -+end: -+ EVP_MD_free(md); -+ EVP_MD_CTX_free(inctx); -+ EVP_MD_CTX_free(outctx); -+ OSSL_LIB_CTX_free(ctx); -+ return ret; -+} -+ - #if !defined OPENSSL_NO_DES && !defined OPENSSL_NO_MD5 - static int test_evp_pbe_alg_add(void) - { -@@ -1262,6 +1304,7 @@ int setup_tests(void) - ADD_ALL_TESTS(test_PEM_read_bio_negative_wrong_password, 2); - ADD_TEST(test_rsa_pss_sign); - ADD_TEST(test_evp_md_ctx_copy); -+ ADD_TEST(test_evp_md_ctx_copy2); - ADD_ALL_TESTS(test_provider_unload_effective, 2); - #if !defined OPENSSL_NO_DES && !defined OPENSSL_NO_MD5 - ADD_TEST(test_evp_pbe_alg_add); --- -2.33.0 - diff --git a/backport-Add-FIPS_mode-compatibility-macro.patch b/backport-Add-FIPS_mode-compatibility-macro.patch index e3d0ee0eff52d9036a1659eeb93f18dbdc1ccab0..0c9b9460e26a45a70335ebd3bded81142d8d505e 100644 --- a/backport-Add-FIPS_mode-compatibility-macro.patch +++ b/backport-Add-FIPS_mode-compatibility-macro.patch @@ -1,22 +1,21 @@ -From 5b2ec9a54037d7b007324bf53e067e73511cdfe4 Mon Sep 17 00:00:00 2001 +From 2486060fbbe07fa8c56bac4fa202a3c7c4812984 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 26 Nov 2020 14:00:16 +0100 -Subject: Add FIPS_mode() compatibility macro +Subject: [PATCH 5/8] Add FIPS_mode() compatibility macro Reference:https://src.fedoraproject.org/rpms/openssl/blob/f38/f/0008-Add-FIPS_mode-compatibility-macro.patch Conflict:NA The macro calls EVP_default_properties_is_fips_enabled() on the default context. --- - include/openssl/crypto.h.in | 1 + - include/openssl/fips.h | 25 +++++++++++++++++++++++++ - test/property_test.c | 13 +++++++++++++ - 3 files changed, 39 insertions(+) + include/openssl/fips.h | 26 ++++++++++++++++++++++++++ + test/property_test.c | 14 ++++++++++++++ + 2 files changed, 40 insertions(+) create mode 100644 include/openssl/fips.h 
diff --git a/include/openssl/fips.h b/include/openssl/fips.h new file mode 100644 -index 0000000000..c64f0f8e8f +index 0000000..4162cbf --- /dev/null +++ b/include/openssl/fips.h @@ -0,0 +1,26 @@ @@ -46,13 +45,14 @@ index 0000000000..c64f0f8e8f +} +# endif +#endif -diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1/test/property_test.c ---- openssl-3.0.0-beta1/test/property_test.c.fips-macro 2021-06-29 12:14:58.851557698 +0200 -+++ openssl-3.0.0-beta1/test/property_test.c 2021-06-29 12:17:14.630143832 +0200 -@@ -488,6 +488,19 @@ static int test_property_list_to_string( +diff --git a/test/property_test.c b/test/property_test.c +index 18f8cc8..6864b1a 100644 +--- a/test/property_test.c ++++ b/test/property_test.c +@@ -687,6 +687,19 @@ static int test_property_list_to_string(int i) return ret; } - + +#include +static int test_downstream_FIPS_mode(void) +{ @@ -69,7 +69,7 @@ diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1 int setup_tests(void) { ADD_TEST(test_property_string); -@@ -500,6 +512,7 @@ int setup_tests(void) +@@ -700,6 +713,7 @@ int setup_tests(void) ADD_TEST(test_property); ADD_TEST(test_query_cache_stochastic); ADD_TEST(test_fips_mode); @@ -77,3 +77,6 @@ diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1 ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests)); return 1; } +-- +2.50.1 + diff --git a/backport-Add-a-test-for-session-cache-handling.patch b/backport-Add-a-test-for-session-cache-handling.patch deleted file mode 100644 index da9674f705e0f6976be0cb32e305f709cb662427..0000000000000000000000000000000000000000 --- a/backport-Add-a-test-for-session-cache-handling.patch +++ /dev/null 
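Review bot: The rebased patch description at the top of this hunk still says only that FIPS_mode() calls EVP_default_properties_is_fips_enabled() on the default context, and nothing in the patch (the fips.h body is collapsed out of this chunk) warns that this reports whether the default property query asks for fips=yes, not whether the FIPS provider is actually loaded and has passed its self-tests; 1.x code that gates compliance on FIPS_mode() can therefore get a true answer with no FIPS module present. Since this is a compatibility shim, a comment beside the macro in include/openssl/fips.h would close that gap: `/* Reflects the default property query only; pair with OSSL_PROVIDER_available(NULL, "fips") to confirm the FIPS provider is actually loaded. */`. Please confirm the macro definition matches the description before adopting that wording.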
@@ -1,132 +0,0 @@ -From 2af85c2b8fd6799924a56eb5907cc6110b450467 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Mon, 4 Mar 2024 13:45:23 +0000 -Subject: [PATCH] Add a test for session cache handling - -Repeatedly create sessions to be added to the cache and ensure we never -exceed the expected size. - -Related to CVE-2024-2511 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24044) - -(cherry picked from commit 5f5b9e1ca1fad0215f623b8bd4955a2e8101f306) ---- - test/sslapitest.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 92 insertions(+) - -diff --git a/test/sslapitest.c b/test/sslapitest.c -index 231f498199..56229e51b9 100644 ---- a/test/sslapitest.c -+++ b/test/sslapitest.c -@@ -10436,6 +10436,97 @@ end: - return testresult; - } - -+/* -+ * Test multiple resumptions and cache size handling -+ * Test 0: TLSv1.3 (max_early_data set) -+ * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set) -+ * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set) -+ * Test 3: TLSv1.2 -+ */ -+static int test_multi_resume(int idx) -+{ -+ SSL_CTX *sctx = NULL, *cctx = NULL; -+ SSL *serverssl = NULL, *clientssl = NULL; -+ SSL_SESSION *sess = NULL; -+ int max_version = TLS1_3_VERSION; -+ int i, testresult = 0; -+ -+ if (idx == 3) -+ max_version = TLS1_2_VERSION; -+ -+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), -+ TLS_client_method(), TLS1_VERSION, -+ max_version, &sctx, &cctx, cert, -+ privkey))) -+ goto end; -+ -+ /* -+ * TLSv1.3 only uses a session cache if either max_early_data > 0 (used for -+ * replay protection), or if SSL_OP_NO_TICKET is in use -+ */ -+ if (idx == 0 || idx == 2) { -+ if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024))) -+ goto end; -+ } -+ if (idx == 1 || idx == 2) -+ SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET); -+ -+ SSL_CTX_sess_set_cache_size(sctx, 5); -+ -+ for (i = 0; i < 30; i++) { -+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, 
-+ NULL, NULL)) -+ || !TEST_true(SSL_set_session(clientssl, sess))) -+ goto end; -+ -+ /* -+ * Recreate a bug where dynamically changing the max_early_data value -+ * can cause sessions in the session cache which cannot be deleted. -+ */ -+ if ((idx == 0 || idx == 2) && (i % 3) == 2) -+ SSL_set_max_early_data(serverssl, 0); -+ -+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) -+ goto end; -+ -+ if (sess == NULL || (idx == 0 && (i % 3) == 2)) { -+ if (!TEST_false(SSL_session_reused(clientssl))) -+ goto end; -+ } else { -+ if (!TEST_true(SSL_session_reused(clientssl))) -+ goto end; -+ } -+ SSL_SESSION_free(sess); -+ -+ /* Do a full handshake, followed by two resumptions */ -+ if ((i % 3) == 2) { -+ sess = NULL; -+ } else { -+ if (!TEST_ptr((sess = SSL_get1_session(clientssl)))) -+ goto end; -+ } -+ -+ SSL_shutdown(clientssl); -+ SSL_shutdown(serverssl); -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ serverssl = clientssl = NULL; -+ } -+ -+ /* We should never exceed the session cache size limit */ -+ if (!TEST_long_le(SSL_CTX_sess_number(sctx), 5)) -+ goto end; -+ -+ testresult = 1; -+ end: -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ SSL_CTX_free(sctx); -+ SSL_CTX_free(cctx); -+ SSL_SESSION_free(sess); -+ return testresult; -+} -+ - OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n") - - int setup_tests(void) -@@ -10708,6 +10799,7 @@ int setup_tests(void) - ADD_ALL_TESTS(test_pipelining, 6); - #endif - ADD_ALL_TESTS(test_handshake_retry, 16); -+ ADD_ALL_TESTS(test_multi_resume, 4); - return 1; - - err: --- -2.33.0 - diff --git a/backport-Add-a-test-for-session-cache-overflow.patch b/backport-Add-a-test-for-session-cache-overflow.patch deleted file mode 100644 index 519438437aa8ea6e745d4edfb57031fa9ca38ee1..0000000000000000000000000000000000000000 --- a/backport-Add-a-test-for-session-cache-overflow.patch +++ /dev/null 
@@ -1,171 +0,0 @@ -From ea821878c0cc04d292c1f8d1ff3c5e112da91f08 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 15 Jul 2022 13:26:33 +0100 -Subject: [PATCH] Add a test for session cache overflow - -Test sessions behave as we expect even in the case that an overflow -occurs when adding a new session into the session cache. - -Related to CVE-2024-2511 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24044) - -(cherry picked from commit ddead0935d77ba9b771d632ace61b145d7153f18) ---- - test/sslapitest.c | 124 +++++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 123 insertions(+), 1 deletion(-) - -diff --git a/test/sslapitest.c b/test/sslapitest.c -index 24fb95e4b6..cb098a46f5 100644 ---- a/test/sslapitest.c -+++ b/test/sslapitest.c -@@ -2402,7 +2402,6 @@ static int test_session_wo_ca_names(void) - #endif - } - -- - #ifndef OSSL_NO_USABLE_TLS1_3 - static SSL_SESSION *sesscache[6]; - static int do_cache; -@@ -8954,6 +8953,126 @@ static int test_session_timeout(int test) - return testresult; - } - -+/* -+ * Test that a session cache overflow works as expected -+ * Test 0: TLSv1.3, timeout on new session later than old session -+ * Test 1: TLSv1.2, timeout on new session later than old session -+ * Test 2: TLSv1.3, timeout on new session earlier than old session -+ * Test 3: TLSv1.2, timeout on new session earlier than old session -+ */ -+#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) -+static int test_session_cache_overflow(int idx) -+{ -+ SSL_CTX *sctx = NULL, *cctx = NULL; -+ SSL *serverssl = NULL, *clientssl = NULL; -+ int testresult = 0; -+ SSL_SESSION *sess = NULL; -+ -+#ifdef OSSL_NO_USABLE_TLS1_3 -+ /* If no TLSv1.3 available then do nothing in this case */ -+ if (idx % 2 == 0) -+ return TEST_skip("No TLSv1.3 available"); -+#endif -+#ifdef OPENSSL_NO_TLS1_2 -+ /* If no TLSv1.2 available then do nothing in this case */ -+ if (idx % 2 == 1) -+ return TEST_skip("No 
TLSv1.2 available"); -+#endif -+ -+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), -+ TLS_client_method(), TLS1_VERSION, -+ (idx % 2 == 0) ? TLS1_3_VERSION -+ : TLS1_2_VERSION, -+ &sctx, &cctx, cert, privkey)) -+ || !TEST_true(SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET))) -+ goto end; -+ -+ SSL_CTX_sess_set_get_cb(sctx, get_session_cb); -+ get_sess_val = NULL; -+ -+ SSL_CTX_sess_set_cache_size(sctx, 1); -+ -+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, -+ NULL, NULL))) -+ goto end; -+ -+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) -+ goto end; -+ -+ if (idx > 1) { -+ sess = SSL_get_session(serverssl); -+ if (!TEST_ptr(sess)) -+ goto end; -+ -+ /* -+ * Cause this session to have a longer timeout than the next session to -+ * be added. -+ */ -+ if (!TEST_true(SSL_SESSION_set_timeout(sess, LONG_MAX / 2))) { -+ sess = NULL; -+ goto end; -+ } -+ sess = NULL; -+ } -+ -+ SSL_shutdown(serverssl); -+ SSL_shutdown(clientssl); -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ serverssl = clientssl = NULL; -+ -+ /* -+ * Session cache size is 1 and we already populated the cache with a session -+ * so the next connection should cause an overflow. -+ */ -+ -+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, -+ NULL, NULL))) -+ goto end; -+ -+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) -+ goto end; -+ -+ /* -+ * The session we just negotiated may have been already removed from the -+ * internal cache - but we will return it anyway from our external cache. 
-+ */ -+ get_sess_val = SSL_get_session(serverssl); -+ if (!TEST_ptr(get_sess_val)) -+ goto end; -+ sess = SSL_get1_session(clientssl); -+ if (!TEST_ptr(sess)) -+ goto end; -+ -+ SSL_shutdown(serverssl); -+ SSL_shutdown(clientssl); -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ serverssl = clientssl = NULL; -+ -+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, -+ NULL, NULL))) -+ goto end; -+ -+ if (!TEST_true(SSL_set_session(clientssl, sess))) -+ goto end; -+ -+ if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) -+ goto end; -+ -+ testresult = 1; -+ -+ end: -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ SSL_CTX_free(sctx); -+ SSL_CTX_free(cctx); -+ SSL_SESSION_free(sess); -+ -+ return testresult; -+} -+#endif /* !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) */ -+ - /* - * Test 0: Client sets servername and server acknowledges it (TLSv1.2) - * Test 1: Client sets servername and server does not acknowledge it (TLSv1.2) -@@ -10872,6 +10991,9 @@ int setup_tests(void) - ADD_TEST(test_set_verify_cert_store_ssl_ctx); - ADD_TEST(test_set_verify_cert_store_ssl); - ADD_ALL_TESTS(test_session_timeout, 1); -+#if !defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2) -+ ADD_ALL_TESTS(test_session_cache_overflow, 4); -+#endif - ADD_TEST(test_load_dhfile); - #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3) - ADD_ALL_TESTS(test_serverinfo_custom, 4); --- -2.33.0 - diff --git a/backport-Avoid-an-unneccessary-lock-if-we-didn-t-add-anything.patch b/backport-Avoid-an-unneccessary-lock-if-we-didn-t-add-anything.patch deleted file mode 100644 index 4091f1595933058768b5e2e2891cca0247fcf5a2..0000000000000000000000000000000000000000 --- a/backport-Avoid-an-unneccessary-lock-if-we-didn-t-add-anything.patch +++ /dev/null 
@@ -1,47 +0,0 @@
-From 00bea959ab580c78e00eb56780fec8d53dab054d Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Fri, 12 May 2023 15:52:07 +0100
-Subject: [PATCH] Avoid an unneccessary lock if we didn't add anything to the
- store
-
-Partially fixes #20286
-
-Reviewed-by: Tomas Mraz
-Reviewed-by: Paul Dale
-(Merged from https://github.com/openssl/openssl/pull/20952)
-
-(cherry picked from commit 50001e0e15d4a96213c2eea7c56f80087afa89fd)
----
- crypto/x509/by_dir.c | 14 +++++++++-----
- 1 file changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
-index 1bc397a847..97e6ea0ee1 100644
---- a/crypto/x509/by_dir.c
-+++ b/crypto/x509/by_dir.c
-@@ -348,12 +348,16 @@ static int get_cert_by_subject_ex(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
- /*
- * we have added it to the cache so now pull it out again
- */
-- if (!X509_STORE_lock(xl->store_ctx))
-- goto finish;
-- j = sk_X509_OBJECT_find(xl->store_ctx->objs, &stmp);
-- tmp = sk_X509_OBJECT_value(xl->store_ctx->objs, j);
-- X509_STORE_unlock(xl->store_ctx);
--
-+ if (k > 0) {
-+ if (!X509_STORE_lock(xl->store_ctx))
-+ goto finish;
-+ j = sk_X509_OBJECT_find(xl->store_ctx->objs, &stmp);
-+ tmp = sk_X509_OBJECT_value(xl->store_ctx->objs, j);
-+ X509_STORE_unlock(xl->store_ctx);
-+ } else {
-+ j = -1;
-+ tmp = NULL;
-+ }
- /*
- * If a CRL, update the last file suffix added for this.
- * We don't need to add an entry if k is 0 as this is the initial value.
---
-2.33.0
-
diff --git a/backport-Avoid-calling-into-provider-with-the-same-iv_len-or-.patch b/backport-Avoid-calling-into-provider-with-the-same-iv_len-or-.patch
deleted file mode 100644
index 85a08ffdbb6063c4f5d471df4427d8442386d807..0000000000000000000000000000000000000000
--- a/backport-Avoid-calling-into-provider-with-the-same-iv_len-or-.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 6f8002014dda3f45aa864b38b92c2df7611af52e Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Fri, 31 Mar 2023 15:46:15 +0200
-Subject: [PATCH] Avoid calling into provider with the same iv_len or key_len
-
-Fixes #20625
-
-Reviewed-by: Matt Caswell
-Reviewed-by: Dmitry Belyavskiy
-Reviewed-by: Paul Dale
-(Merged from https://github.com/openssl/openssl/pull/20664)
-
-(cherry picked from commit eb52450f5151e8e78743ab05de21a344823316f5)
----
- crypto/evp/evp_enc.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
-index e6af8b1c7b..231be1adf4 100644
---- a/crypto/evp/evp_enc.c
-+++ b/crypto/evp/evp_enc.c
-@@ -1078,6 +1078,11 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
-
- switch (type) {
- case EVP_CTRL_SET_KEY_LENGTH:
-+ if (arg < 0)
-+ return 0;
-+ if (ctx->key_len == arg)
-+ /* Skip calling into provider if unchanged. */
-+ return 1;
- params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, &sz);
- ctx->key_len = -1;
- break;
-@@ -1103,6 +1108,9 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
- case EVP_CTRL_AEAD_SET_IVLEN:
- if (arg < 0)
- return 0;
-+ if (ctx->iv_len == arg)
-+ /* Skip calling into provider if unchanged. */
-+ return 1;
- params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_IVLEN, &sz);
- ctx->iv_len = -1;
- break;
---
-2.33.0
-
diff --git a/backport-CVE-2024-13176-Fix-timing-side-channel.patch b/backport-CVE-2024-13176-Fix-timing-side-channel.patch
deleted file mode 100644
index 330a8f15930e2c149867b688b213dfbc6285f490..0000000000000000000000000000000000000000
--- a/backport-CVE-2024-13176-Fix-timing-side-channel.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From 2af62e74fb59bc469506bc37eb2990ea408d9467 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Wed, 15 Jan 2025 18:27:02 +0100
-Subject: [PATCH] Fix timing side-channel in ECDSA signature computation
-
-There is a timing signal of around 300 nanoseconds when the top word of
-the inverted ECDSA nonce value is zero. This can happen with significant
-probability only for some of the supported elliptic curves. In particular
-the NIST P-521 curve is affected. To be able to measure this leak, the
-attacker process must either be located in the same physical computer or
-must have a very fast network connection with low latency.
-
-Attacks on ECDSA nonce are also known as Minerva attack.
-
-Fixes CVE-2024-13176
-
-Reviewed-by: Tim Hudson
-Reviewed-by: Neil Horman
-Reviewed-by: Paul Dale
-(Merged from https://github.com/openssl/openssl/pull/26429)
-
-(cherry picked from commit 63c40a66c5dc287485705d06122d3a6e74a6a203)
----
- crypto/bn/bn_exp.c | 21 +++++++++++++++------
- crypto/ec/ec_lib.c | 7 ++++---
- include/crypto/bn.h | 3 +++
- 3 files changed, 22 insertions(+), 9 deletions(-)
-
-diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
-index 8700a25a14..9466e53bef 100644
---- a/crypto/bn/bn_exp.c
-+++ b/crypto/bn/bn_exp.c
-@@ -606,7 +606,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
- * out by Colin Percival,
- * http://www.daemonology.net/hyperthreading-considered-harmful/)
- */
--int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
-+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx,
- BN_MONT_CTX *in_mont)
- {
-@@ -623,10 +623,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
- unsigned int t4 = 0;
- #endif
-
-- bn_check_top(a);
-- bn_check_top(p);
-- bn_check_top(m);
--
- if (!BN_is_odd(m)) {
- ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS);
- return 0;
-@@ -1146,7 +1142,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
- goto err;
- } else
- #endif
-- if (!BN_from_montgomery(rr, &tmp, mont, ctx))
-+ if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
- goto err;
- ret = 1;
- err:
-@@ -1160,6 +1156,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
- return ret;
- }
-
-+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
-+ const BIGNUM *m, BN_CTX *ctx,
-+ BN_MONT_CTX *in_mont)
-+{
-+ bn_check_top(a);
-+ bn_check_top(p);
-+ bn_check_top(m);
-+ if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
-+ return 0;
-+ bn_correct_top(rr);
-+ return 1;
-+}
-+
- int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
- {
-diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
-index a84e088c19..eda5c83e55 100644
---- a/crypto/ec/ec_lib.c
-+++ b/crypto/ec/ec_lib.c
-@@ -20,6 +20,7 @@
- #include
- #include
- #include "crypto/ec.h"
-+#include "crypto/bn.h"
- #include "internal/nelem.h"
- #include "ec_local.h"
-
-@@ -1262,10 +1263,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
- if (!BN_sub(e, group->order, e))
- goto err;
- /*-
-- * Exponent e is public.
-- * No need for scatter-gather or BN_FLG_CONSTTIME.
-+ * Although the exponent is public we want the result to be
-+ * fixed top.
- */
-- if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
-+ if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
- goto err;
-
- ret = 1;
-diff --git a/include/crypto/bn.h b/include/crypto/bn.h
-index f8855d8463..34244bdf1a 100644
---- a/include/crypto/bn.h
-+++ b/include/crypto/bn.h
-@@ -73,6 +73,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
- */
- int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
- BN_MONT_CTX *mont, BN_CTX *ctx);
-+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
-+ const BIGNUM *m, BN_CTX *ctx,
-+ BN_MONT_CTX *in_mont);
- int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
- BN_CTX *ctx);
- int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
---
-2.33.0
-
diff --git a/backport-CVE-2024-2511-Fix-unconstrained-session-cache-growth-in-TLSv1.3.patch b/backport-CVE-2024-2511-Fix-unconstrained-session-cache-growth-in-TLSv1.3.patch
deleted file mode 100644
index 01236131b444469adfb756d5aa8c2acf977b82f6..0000000000000000000000000000000000000000
--- a/backport-CVE-2024-2511-Fix-unconstrained-session-cache-growth-in-TLSv1.3.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-From b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Tue, 5 Mar 2024 15:43:53 +0000
-Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
-
-In TLSv1.3 we create a new session object for each ticket that we send.
-We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
-use then the new session will be added to the session cache. However, if
-early data is not in use (and therefore anti-replay protection is being
-used), then multiple threads could be resuming from the same session
-simultaneously. If this happens and a problem occurs on one of the threads,
-then the original session object could be marked as not_resumable. When we
-duplicate the session object this not_resumable status gets copied into the
-new session object. The new session object is then added to the session
-cache even though it is not_resumable.
-
-Subsequently, another bug means that the session_id_length is set to 0 for
-sessions that are marked as not_resumable - even though that session is
-still in the cache. Once this happens the session can never be removed from
-the cache. When that object gets to be the session cache tail object the
-cache never shrinks again and grows indefinitely.
-
-CVE-2024-2511
-
-Reviewed-by: Neil Horman
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/24044)
-
-(cherry picked from commit 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce)
----
- ssl/ssl_lib.c | 5 +++--
- ssl/ssl_sess.c | 28 ++++++++++++++++++++++------
- ssl/statem/statem_srvr.c | 5 ++---
- 3 files changed, 27 insertions(+), 11 deletions(-)
-
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 2c8479eb5f..eed649c6fd 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -3736,9 +3736,10 @@ void ssl_update_cache(SSL *s, int mode)
-
- /*
- * If the session_id_length is 0, we are not supposed to cache it, and it
-- * would be rather hard to do anyway :-)
-+ * would be rather hard to do anyway :-). Also if the session has already
-+ * been marked as not_resumable we should not cache it for later reuse.
- */
-- if (s->session->session_id_length == 0)
-+ if (s->session->session_id_length == 0 || s->session->not_resumable)
- return;
-
- /*
-diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
-index d836b33ed0..75adbd9e52 100644
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -152,16 +152,11 @@ SSL_SESSION *SSL_SESSION_new(void)
- return ss;
- }
-
--SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
--{
-- return ssl_session_dup(src, 1);
--}
--
- /*
- * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
- * ticket == 0 then no ticket information is duplicated, otherwise it is.
- */
--SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
- {
- SSL_SESSION *dest;
-
-@@ -285,6 +280,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
- return NULL;
- }
-
-+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
-+{
-+ return ssl_session_dup_intern(src, 1);
-+}
-+
-+/*
-+ * Used internally when duplicating a session which might be already shared.
-+ * We will have resumed the original session.
Subsequently we might have marked
-+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
-+ * resume from.
-+ */
-+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-+{
-+ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
-+
-+ if (sess != NULL)
-+ sess->not_resumable = 0;
-+
-+ return sess;
-+}
-+
- const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
- {
- if (len)
-diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
-index a9e67f9d32..6c942e6bce 100644
---- a/ssl/statem/statem_srvr.c
-+++ b/ssl/statem/statem_srvr.c
-@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
- * so the following won't overwrite an ID that we're supposed
- * to send back.
- */
-- if (s->session->not_resumable ||
-- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
-- && !s->hit))
-+ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
-+ && !s->hit)
- s->session->session_id_length = 0;
-
- if (usetls13) {
---
-2.33.0
-
diff --git a/backport-CVE-2024-4603-Check-DSA-parameters-for-exce.patch b/backport-CVE-2024-4603-Check-DSA-parameters-for-exce.patch
deleted file mode 100644
index d1fe90007f82dd4a74feb501a400b285b7718c64..0000000000000000000000000000000000000000
--- a/backport-CVE-2024-4603-Check-DSA-parameters-for-exce.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-From 85ccbab216da245cf9a6503dd327072f21950d9b Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Fri, 17 May 2024 09:21:27 +0800
-Subject: [PATCH] Check DSA parameters for excessive sizes before validating
-
-This avoids overly long computation of various validation
-checks.
-
-Fixes CVE-2024-4603
-
-Reviewed-by: Paul Dale
-Reviewed-by: Matt Caswell
-Reviewed-by: Neil Horman
-Reviewed-by: Shane Lontis
-(Merged from https://github.com/openssl/openssl/pull/24346)
----
- crypto/dsa/dsa_check.c | 44 ++++++++++++--
- .../invalid/p10240_q256_too_big.pem | 57 +++++++++++++++++++
- 2 files changed, 97 insertions(+), 4 deletions(-)
- create mode 100644 test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
-
-diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c
-index fb0e912..122449a 100644
---- a/crypto/dsa/dsa_check.c
-+++ b/crypto/dsa/dsa_check.c
-@@ -19,8 +19,34 @@
- #include "dsa_local.h"
- #include "crypto/dsa.h"
-
-+static int dsa_precheck_params(const DSA *dsa, int *ret)
-+{
-+ if (dsa->params.p == NULL || dsa->params.q == NULL) {
-+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
-+ *ret = FFC_CHECK_INVALID_PQ;
-+ return 0;
-+ }
-+
-+ if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
-+ ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
-+ *ret = FFC_CHECK_INVALID_PQ;
-+ return 0;
-+ }
-+
-+ if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
-+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
-+ *ret = FFC_CHECK_INVALID_PQ;
-+ return 0;
-+ }
-+
-+ return 1;
-+}
-+
- int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
- {
-+ if (!dsa_precheck_params(ds, ret))
-+ return 0;
-+
- if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
- return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params,
- FFC_PARAM_TYPE_DSA, ret);
-@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
- */
- int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
-
{
-+ if (!dsa_precheck_params(dsa, ret))
-+ return 0;
-+
- return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret)
- && *ret == 0;
- }
-@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
- */
- int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret)
- {
-+ if (!dsa_precheck_params(dsa, ret))
-+ return 0;
-+
- return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret)
- && *ret == 0;
- }
-@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret)
- {
- *ret = 0;
-
-- return (dsa->params.q != NULL
-- && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
-+ if (!dsa_precheck_params(dsa, ret))
-+ return 0;
-+
-+ return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
- }
-
- /*
-@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *dsa)
- BN_CTX *ctx = NULL;
- BIGNUM *pub_key = NULL;
-
-- if (dsa->params.p == NULL
-- || dsa->params.g == NULL
-+ if (!dsa_precheck_params(dsa, &ret))
-+ return 0;
-+
-+ if (dsa->params.g == NULL
- || dsa->priv_key == NULL
- || dsa->pub_key == NULL)
- return 0;
-diff --git a/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
-new file mode 100644
-index 0000000..e85e295
---- /dev/null
-+++ b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
-@@ -0,0 +1,57 @@
-+-----BEGIN DSA PARAMETERS-----
-+MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja
-+p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil
-+XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF
-+x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk
-+oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW
-+dAntpffy4LwOxfbuEhISvKjjQoBwIvYE4TBPqL0Q6bC6HgQ4+tqd9b44pQjdIQjb
-+Xcjc6azheITSnPEex3OdKtKoQeRq01qCeLBpMXu1c+CTf4ApKArZvT3vZSg0hM1O
-+pR71bRZrEEegDj0LH2HCgI5W6H3blOS9A0kUTddCoQXr2lsVdiPtRbPKH1gcd9FQ -+P8cGrvbakpTiC0dCczOMDaCteM1QNILlkM7ZoV6VghsKvDnFPxFsiIr5GgjasXP5 -+hhbn3g7sDoq1LiTEo+IKQY28pBWx7etSOSRuXW/spnvCkivZla7lSEGljoy9QlQ2 -+UZmsEQI9G3YyzgpxHvKZBK1CiZVTywdYKTZ4TYCxvqzhYhjv2bqbpjI12HRFLojB -+koyEmMSp53lldCzp158PrIanqSp2rksMR8SmmCL3FwfAp2OjqFMEglG9DT8x0WaN -+TLSkjGC6t2csMte7WyU1ekNoFDKfMjDSAz0+xIx21DEmZtYqFOg1DNPK1xYLS0pl -+RSMRRkJVN2mk/G7/1oxlB8Wb9wgi3GKUqqCYT11SnBjzq0NdoJ3E4GMedp5Lx3AZ -+4mFuRPUd4iV86tE0XDSHSFE7Y3ZkrOjD7Q/26/L53L/UH5z4HW6CHP5os7QERJjg -+c1S3x87wXWo9QXbB9b2xmf+c+aWwAAr1cviw38tru58jF3/IGyduj9H8claKQqBG -+cIOUF4aNe1hK2K3ArAOApUxr4KE+tCvrltRfiTmVFip0g9Jt1CPY3Zu7Bd4Z2ZkE -+DtSztpwa49HrWF5E9xpquvBL2U8jQ68E7Xd8Wp4orI/TIChriamBmdkgRz3H2LvN -+Ozb6+hsnEGrz3sp2RVAToSqA9ysa6nHZdfufPNtMEbQdO/k1ehmGRb0ljBRsO6b2 -+rsG2eYuC8tg8eCrIkua0TGRI7g6a4K32AJdzaX6NsISaaIW+OYJuoDSscvD3oOg8 -+PPEhU+zM7xJskTA+jxvPlikKx8V7MNHOCQECldJlUBwzJvqp40JvwfnDsF+8VYwd -+UaiieR3pzMzyTjpReXRmZbnRPusRcsVzxb2OhB79wmuy4UPjjQBX+7eD0rs8xxvW -+5a5q1Cjq4AvbwmmcA/wDrHDOjcbD/zodad2O1QtBWa/R4xyWea4zKsflgACE1zY9 -+wW2br7+YQFekcrXkkkEzgxd6zxv8KVEDpXRZjmAM1cI5LvkoN64To4GedN8Qe/G7 -+R9SZh9gnS17PTP64hK+aYqhFafMdu87q/+qLfxaSux727qE5hiW01u4nnWhACf9s -+xuOozowKqxZxkolMIyZv6Lddwy1Zv5qjCyd0DvM/1skpXWkb9kfabYC+OhjsjVhs -+0Ktfs6a5B3eixiw5x94hhIcTEcS4hmvhGUL72FiTca6ZeSERTKmNBy8CIQC9/ZUN -+uU/V5JTcnYyUGHzm7+XcZBjyGBagBj9rCmW3SQKCBQAJ/k9rb39f1cO+/3XDEMjy -+9bIEXSuS48g5RAc1UGd5nrrBQwuDxGWFyz0yvAY7LgyidZuJS21+MAp9EY7AOMmx -+TDttifNaBJYt4GZ8of166PcqTKkHQwq5uBpxeSDv/ZE8YbYfaCtLTcUC8KlO+l36 -+gjJHSkdkflSsGy1yObSNDQDfVAAwQs//TjDMnuEtvlNXZllsTvFFBceXVETn10K2 -+ZMmdSIJNfLnjReUKEN6PfeGqv7F4xoyGwUybEfRE4u5RmXrqCODaIjY3SNMrOq8B -+R3Ata/cCozsM1jIdIW2z+OybDJH+BYsYm2nkSZQjZS6javTYClLrntEKG/hAQwL8 -+F16YLOQXpHhgiAaWnTZzANtLppB2+5qCVy5ElzKongOwT8JTjTFXOaRnqe/ngm9W -+SSbrxfDaoWUOyK9XD8Cydzpv3n4Y8nWNGayi7/yAFCU36Ri040ufgv/TZLuKacnl -++3ga3ZUpRlSigzx0kb1+KjTSWeQ8vE/psdWjvBukVEbzdUauMLyRLo/6znSVvvPX 
-+UGhviThE5uhrsUg+wEPFINriSHfF7JDKVhDcJnLBdaXvfN52pkF/naLBF5Rt3Gvq -+fjCxjx0Sy9Lag1hDN4dor7dzuO7wmwOS01DJW1PtNLuuH0Bbqh1kYSaQkmyXBZWX -+qo8K3nkoDM0niOtJJubOhTNrGmSaZpNXkK3Mcy9rBbdvEs5O0Jmqaax/eOdU0Yot -+B3lX+3ddOseT2ZEFjzObqTtkWuFBeBxuYNcRTsu3qMdIBsEb8URQdsTtjoIja2fK -+hreVgjK36GW70KXEl8V/vq5qjQulmqkBEjmilcDuiREKqQuyeagUOnhQaBplqVco -+4xznh5DMBMRbpGb5lHxKv4cPNi+uNAJ5i98zWUM1JRt6aXnRCuWcll1z8fRZ+5kD -+vK9FaZU3VRMK/eknEG49cGr8OuJ6ZRSaC+tKwV1y+amkSZpKPWnk2bUnQI3ApJv3 -+k1e1EToeECpMUkLMDgNbpKBoz4nqMEvAAlYgw9xKNbLlQlahqTVEAmaJHh4yDMDy -+i7IZ9Wrn47IGoR7s3cvhDHUpRPeW4nsmgzj+tf5EAxemI61STZJTTWo0iaPGJxct -+9nhOOhw1I38Mvm4vkAbFH7YJ0B6QrjjYL2MbOTp5JiIh4vdOeWwNo9/y4ffyaN5+ -+ADpxuuIAmcbdr6GPOhkOFFixRJa0B2eP1i032HESlLs8RB9oYtdTXdXQotnIgJGd -+Y8tSKOa1zjzeLHn3AVpRZTUW++/BxmApV3GKIeG8fsUjg/df0QRrBcdC/1uccdaG -+KKlAOwlywVn5jUlwHkTmDiTM9w5AqVVGHZ2b+4ZgQW8jnPKN0SrKf6U555D+zp7E -+x4uXoE8ojN9y8m8UKf0cTLnujH2XgZorjPfuMOt5VZEhQFMS2QaljSeni5CJJ8gk -+XtztNqfBlAtWR4V5iAHeQOfIB2YaOy8GESda89tyKraKeaez41VblpTVHTeq9IIF -+YB4cQA2PfuNaGVRGLMAgT3Dvl+mxxxeJyxnGAiUcETU/jJJt9QombiuszBlYGQ5d -+ELOSm/eQSRARV9zNSt5jaQlMSjMBqenIEM09BzYqa7jDwqoztFxNdO8bcuQPuKwa -+4z3bBZ1yYm63WFdNbQqqGEwc0OYmqg1raJ0zltgHyjFyw8IGu4g/wETs+nVQcH7D -+vKuje86bePD6kD/LH3wmkA== -+-----END DSA PARAMETERS----- --- -2.33.0 - diff --git a/backport-CVE-2024-9143-Harden-BN_GF2m_poly2arr-against-misuse.patch b/backport-CVE-2024-9143-Harden-BN_GF2m_poly2arr-against-misuse.patch deleted file mode 100644 index cc3c363c8f57a5569c9b2f328a21580accd89e12..0000000000000000000000000000000000000000 --- a/backport-CVE-2024-9143-Harden-BN_GF2m_poly2arr-against-misuse.patch +++ /dev/null 
@@ -1,201 +0,0 @@
-From 72ae83ad214d2eef262461365a1975707f862712 Mon Sep 17 00:00:00 2001
-From: Viktor Dukhovni
-Date: Thu, 19 Sep 2024 01:02:40 +1000
-Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
-
-The BN_GF2m_poly2arr() function converts characteristic-2 field
-(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
-to a compact array with just the exponents of the non-zero terms.
-
-These polynomials are then used in BN_GF2m_mod_arr() to perform modular
-reduction. A precondition of calling BN_GF2m_mod_arr() is that the
-polynomial must have a non-zero constant term (i.e. the array has `0` as
-its final element).
-
-Internally, callers of BN_GF2m_poly2arr() did not verify that
-precondition, and binary EC curve parameters with an invalid polynomial
-could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
-
-The precondition is always true for polynomials that arise from the
-standard form of EC parameters for characteristic-two fields (X9.62).
-See the "Finite Field Identification" section of:
-
- https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
-
-The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
-basis X9.62 forms.
-
-This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
-the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
-
-Additionally, the return value is made unambiguous when there is not
-enough space to also pad the array with a final `-1` sentinel value.
-The return value is now always the number of elements (including the
-final `-1`) that would be filled when the output array is sufficiently
-large. Previously the same count was returned both when the array has
-just enough room for the final `-1` and when it had only enough space
-for non-sentinel values.
-
-Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
-degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
-CPU exhausition attacks via excessively large inputs.
-
-The above issues do not arise in processing X.509 certificates. These
-generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
-disallows explicit EC parameters. The TLS code in OpenSSL enforces this
-constraint only after the certificate is decoded, but, even if explicit
-parameters are specified, they are in X9.62 form, which cannot represent
-problem values as noted above.
-
-Initially reported as oss-fuzz issue 71623.
-
-A closely related issue was earlier reported in
-.
-
-Severity: Low, CVE-2024-9143
-
-Reviewed-by: Matt Caswell
-Reviewed-by: Bernd Edlinger
-Reviewed-by: Paul Dale
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/25639)
-
-(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
----
- crypto/bn/bn_gf2m.c | 28 +++++++++++++++-------
- test/ec_internal_test.c | 51 +++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 71 insertions(+), 8 deletions(-)
-
-diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
-index c811ae82d6..bcc66613cc 100644
---- a/crypto/bn/bn_gf2m.c
-+++ b/crypto/bn/bn_gf2m.c
-@@ -15,6 +15,7 @@
- #include "bn_local.h"
-
- #ifndef OPENSSL_NO_EC2M
-+# include
-
- /*
- * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
-@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- /*
- * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
- * x^i) into an array of integers corresponding to the bits with non-zero
-- * coefficient. Array is terminated with -1. Up to max elements of the array
-- * will be filled. Return value is total number of array elements that would
-- * be filled if array was large enough.
-+ * coefficient.
The array is intended to be suitable for use with
-+ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
-+ * zero. This translates to a requirement that the input BIGNUM `a` is odd.
-+ *
-+ * Given sufficient room, the array is terminated with -1. Up to max elements
-+ * of the array will be filled.
-+ *
-+ * The return value is total number of array elements that would be filled if
-+ * array was large enough, including the terminating `-1`. It is `0` when `a`
-+ * is not odd or the constant term is zero contrary to requirement.
-+ *
-+ * The return value is also `0` when the leading exponent exceeds
-+ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
- */
- int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
- {
- int i, j, k = 0;
- BN_ULONG mask;
-
-- if (BN_is_zero(a))
-+ if (!BN_is_odd(a))
- return 0;
-
- for (i = a->top - 1; i >= 0; i--) {
-@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
- }
- }
-
-- if (k < max) {
-+ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
-+ return 0;
-+
-+ if (k < max)
- p[k] = -1;
-- k++;
-- }
-
-- return k;
-+ return k + 1;
- }
-
- /*
-diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
-index 8c2cd05631..02cfd4e9d8 100644
---- a/test/ec_internal_test.c
-+++ b/test/ec_internal_test.c
-@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
- }
-
- #ifndef OPENSSL_NO_EC2M
-+/* Test that decoding of invalid GF2m field parameters fails.
*/
-+static int ec2m_field_sanity(void)
-+{
-+ int ret = 0;
-+ BN_CTX *ctx = BN_CTX_new();
-+ BIGNUM *p, *a, *b;
-+ EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
-+
-+ TEST_info("Testing GF2m hardening\n");
-+
-+ BN_CTX_start(ctx);
-+ p = BN_CTX_get(ctx);
-+ a = BN_CTX_get(ctx);
-+ if (!TEST_ptr(b = BN_CTX_get(ctx))
-+ || !TEST_true(BN_one(a))
-+ || !TEST_true(BN_one(b)))
-+ goto out;
-+
-+ /* Even pentanomial value should be rejected */
-+ if (!TEST_true(BN_set_word(p, 0xf2)))
-+ goto out;
-+ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
-+ TEST_error("Zero constant term accepted in GF2m polynomial");
-+
-+ /* Odd hexanomial should also be rejected */
-+ if (!TEST_true(BN_set_word(p, 0xf3)))
-+ goto out;
-+ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
-+ TEST_error("Hexanomial accepted as GF2m polynomial");
-+
-+ /* Excessive polynomial degree should also be rejected */
-+ if (!TEST_true(BN_set_word(p, 0x71))
-+ || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
-+ goto out;
-+ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
-+ TEST_error("GF2m polynomial degree > %d accepted",
-+ OPENSSL_ECC_MAX_FIELD_BITS);
-+
-+ ret = group1 == NULL && group2 == NULL && group3 == NULL;
-+
-+ out:
-+ EC_GROUP_free(group1);
-+ EC_GROUP_free(group2);
-+ EC_GROUP_free(group3);
-+ BN_CTX_end(ctx);
-+ BN_CTX_free(ctx);
-+
-+ return ret;
-+}
-+
- /* test EC_GF2m_simple_method directly */
- static int field_tests_ec2_simple(void)
- {
-@@ -443,6 +493,7 @@ int setup_tests(void)
- ADD_TEST(field_tests_ecp_simple);
- ADD_TEST(field_tests_ecp_mont);
- #ifndef OPENSSL_NO_EC2M
-+ ADD_TEST(ec2m_field_sanity);
- ADD_TEST(field_tests_ec2_simple);
- #endif
- ADD_ALL_TESTS(field_tests_default, crv_len);
---
-2.43.0.windows.1
-
diff --git a/backport-Decoder-resolution-performance-optimizations.patch b/backport-Decoder-resolution-performance-optimizations.patch
deleted file mode 100644
index 6932936280c6ead7a9df22cd5d3359be94e89dcc..0000000000000000000000000000000000000000
--- a/backport-Decoder-resolution-performance-optimizations.patch
+++ /dev/null
@@ -1,566 +0,0 @@
-From 4a1108eb5906cd3cf47a3f70bd58722dbe2023a4 Mon Sep 17 00:00:00 2001
-From: Hugo Landau
-Date: Thu, 17 Mar 2022 17:29:22 +0000
-Subject: [PATCH] Decoder resolution performance optimizations
-
-This refactors decoder functionality to reduce calls to
-OSSL_DECODER_is_a / EVP_KEYMGMT_is_a, which are substantial bottlenecks
-in the performance of repeated decode operations (see #15199).
-
-Reviewed-by: Matt Caswell
-Reviewed-by: Richard Levitte
-Reviewed-by: Paul Dale
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/17921)
-
-(cherry picked from commit 247554458435eaab175cdc9d36878158b9eb6f6e)
----
- crypto/encode_decode/decoder_lib.c | 20 +-
- crypto/encode_decode/decoder_meth.c | 18 ++
- crypto/encode_decode/decoder_pkey.c | 323 +++++++++++++++------------
- crypto/encode_decode/encoder_local.h | 4 +
- 4 files changed, 222 insertions(+), 143 deletions(-)
-
-diff --git a/crypto/encode_decode/decoder_lib.c b/crypto/encode_decode/decoder_lib.c
-index 817f335453..8863c316d6 100644
---- a/crypto/encode_decode/decoder_lib.c
-+++ b/crypto/encode_decode/decoder_lib.c
-@@ -18,6 +18,7 @@
- #include
- #include "internal/bio.h"
- #include "internal/provider.h"
-+#include "internal/namemap.h"
- #include "crypto/decoder.h"
- #include "encoder_local.h"
- #include "e_os.h"
-@@ -241,6 +242,7 @@ OSSL_DECODER_INSTANCE *ossl_decoder_instance_new(OSSL_DECODER *decoder,
- /* The "input" property is mandatory */
- prop = ossl_property_find_property(props, libctx, "input");
- decoder_inst->input_type = ossl_property_get_string_value(libctx, prop);
-+ decoder_inst->input_type_id = 0;
- if (decoder_inst->input_type == NULL) {
- ERR_raise_data(ERR_LIB_OSSL_DECODER, ERR_R_INVALID_PROPERTY_DEFINITION,
- "the mandatory 'input' property is missing "
-@@ -343,6 +345,8 @@ int OSSL_DECODER_CTX_add_decoder(OSSL_DECODER_CTX *ctx, OSSL_DECODER *decoder)
- struct collect_extra_decoder_data_st {
- OSSL_DECODER_CTX *ctx;
- const char *output_type;
-+ int
output_type_id;
-+
- /*
- * 0 to check that the decoder's input type is the same as the decoder name
- * 1 to check that the decoder's input type differs from the decoder name
-@@ -370,7 +374,7 @@ static void collect_extra_decoder(OSSL_DECODER *decoder, void *arg)
- const OSSL_PROVIDER *prov = OSSL_DECODER_get0_provider(decoder);
- void *provctx = OSSL_PROVIDER_get0_provider_ctx(prov);
-
-- if (OSSL_DECODER_is_a(decoder, data->output_type)) {
-+ if (ossl_decoder_fast_is_a(decoder, data->output_type, &data->output_type_id)) {
- void *decoderctx = NULL;
- OSSL_DECODER_INSTANCE *di = NULL;
-
-@@ -413,8 +417,9 @@ static void collect_extra_decoder(OSSL_DECODER *decoder, void *arg)
- switch (data->type_check) {
- case IS_SAME:
- /* If it differs, this is not a decoder to add for now. */
-- if (!OSSL_DECODER_is_a(decoder,
-- OSSL_DECODER_INSTANCE_get_input_type(di))) {
-+ if (!ossl_decoder_fast_is_a(decoder,
-+ OSSL_DECODER_INSTANCE_get_input_type(di),
-+ &di->input_type_id)) {
- ossl_decoder_instance_free(di);
- OSSL_TRACE_BEGIN(DECODER) {
- BIO_printf(trc_out,
-@@ -425,8 +430,9 @@ static void collect_extra_decoder(OSSL_DECODER *decoder, void *arg)
- break;
- case IS_DIFFERENT:
- /* If it's the same, this is not a decoder to add for now.
*/
-- if (OSSL_DECODER_is_a(decoder,
-- OSSL_DECODER_INSTANCE_get_input_type(di))) {
-+ if (ossl_decoder_fast_is_a(decoder,
-+ OSSL_DECODER_INSTANCE_get_input_type(di),
-+ &di->input_type_id)) {
- ossl_decoder_instance_free(di);
- OSSL_TRACE_BEGIN(DECODER) {
- BIO_printf(trc_out,
-@@ -534,6 +540,7 @@ int OSSL_DECODER_CTX_add_extra(OSSL_DECODER_CTX *ctx,
- data.output_type
- = OSSL_DECODER_INSTANCE_get_input_type(decoder_inst);
-
-+ data.output_type_id = 0;
-
- for (j = 0; j < numdecoders; j++)
- collect_extra_decoder(sk_OSSL_DECODER_value(skdecoders, j),
-@@ -867,7 +874,8 @@ static int decoder_process(const OSSL_PARAM params[], void *arg)
- * |new_input_type| holds the value of the "input-type" parameter
- * for the decoder we're currently considering.
- */
-- if (decoder != NULL && !OSSL_DECODER_is_a(decoder, new_input_type)) {
-+ if (decoder != NULL && !ossl_decoder_fast_is_a(decoder, new_input_type,
-+ &new_decoder_inst->input_type_id)) {
- OSSL_TRACE_BEGIN(DECODER) {
- BIO_printf(trc_out,
- "(ctx %p) %s [%u] the input type doesn't match the name of the previous decoder (%p), skipping...\n",
-diff --git a/crypto/encode_decode/decoder_meth.c b/crypto/encode_decode/decoder_meth.c
-index 56899a9269..496fbe3320 100644
---- a/crypto/encode_decode/decoder_meth.c
-+++ b/crypto/encode_decode/decoder_meth.c
-@@ -558,6 +558,24 @@ int OSSL_DECODER_is_a(const OSSL_DECODER *decoder, const char *name)
- return 0;
- }
-
-+static int resolve_name(OSSL_DECODER *decoder, const char *name)
-+{
-+ OSSL_LIB_CTX *libctx = ossl_provider_libctx(decoder->base.prov);
-+ OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx);
-+
-+ return ossl_namemap_name2num(namemap, name);
-+}
-+
-+int ossl_decoder_fast_is_a(OSSL_DECODER *decoder, const char *name, int *id_cache)
-+{
-+ int id = *id_cache;
-+
-+ if (id <= 0)
-+ *id_cache = id = resolve_name(decoder, name);
-+
-+ return id > 0 && ossl_decoder_get_number(decoder) == id;
-+}
-+
- struct do_one_data_st {
- void (*user_fn)(OSSL_DECODER
*decoder, void *arg);
- void *user_arg;
-diff --git a/crypto/encode_decode/decoder_pkey.c b/crypto/encode_decode/decoder_pkey.c
-index ed10bb1cee..00d3d48420 100644
---- a/crypto/encode_decode/decoder_pkey.c
-+++ b/crypto/encode_decode/decoder_pkey.c
-@@ -17,7 +17,9 @@
- #include
- #include "crypto/evp.h"
- #include "crypto/decoder.h"
-+#include "crypto/evp/evp_local.h"
- #include "encoder_local.h"
-+#include "internal/namemap.h"
-
- int OSSL_DECODER_CTX_set_passphrase(OSSL_DECODER_CTX *ctx,
- const unsigned char *kstr,
-@@ -195,53 +197,83 @@ static void decoder_clean_pkey_construct_arg(void *construct_data)
- }
- }
-
--static void collect_name(const char *name, void *arg)
--{
-- STACK_OF(OPENSSL_CSTRING) *names = arg;
-+struct collect_data_st {
-+ OSSL_LIB_CTX *libctx;
-+ OSSL_DECODER_CTX *ctx;
-
-- sk_OPENSSL_CSTRING_push(names, name);
--}
-+ const char *keytype; /* the keytype requested, if any */
-+ int keytype_id; /* if keytype_resolved is set, keymgmt name_id; else 0 */
-+ int sm2_id; /* if keytype_resolved is set and EC, SM2 name_id; else 0 */
-+ int total; /* number of matching results */
-+ char error_occurred;
-+ char keytype_resolved;
-
--static void collect_keymgmt(EVP_KEYMGMT *keymgmt, void *arg)
-+ STACK_OF(EVP_KEYMGMT) *keymgmts;
-+};
-+
-+static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder,
-+ void *provctx, struct collect_data_st *data)
- {
-- STACK_OF(EVP_KEYMGMT) *keymgmts = arg;
-+ void *decoderctx = NULL;
-+ OSSL_DECODER_INSTANCE *di = NULL;
-+
-+ /*
-+ * We already checked the EVP_KEYMGMT is applicable in check_keymgmt so we
-+ * don't check it again here.
-+ */
-
-- if (!EVP_KEYMGMT_up_ref(keymgmt) /* ref++ */)
-+ if (keymgmt->name_id != decoder->base.id)
-+ /* Mismatch is not an error, continue.
*/
- return;
-- if (sk_EVP_KEYMGMT_push(keymgmts, keymgmt) <= 0) {
-- EVP_KEYMGMT_free(keymgmt); /* ref-- */
-+
-+ if ((decoderctx = decoder->newctx(provctx)) == NULL) {
-+ data->error_occurred = 1;
- return;
- }
--}
-
--struct collect_decoder_data_st {
-- STACK_OF(OPENSSL_CSTRING) *names;
-- OSSL_DECODER_CTX *ctx;
-+ if ((di = ossl_decoder_instance_new(decoder, decoderctx)) == NULL) {
-+ decoder->freectx(decoderctx);
-+ data->error_occurred = 1;
-+ return;
-+ }
-
-- int total;
-- unsigned int error_occurred:1;
--};
-+ OSSL_TRACE_BEGIN(DECODER) {
-+ BIO_printf(trc_out,
-+ "(ctx %p) Checking out decoder %p:\n"
-+ " %s with %s\n",
-+ (void *)data->ctx, (void *)decoder,
-+ OSSL_DECODER_get0_name(decoder),
-+ OSSL_DECODER_get0_properties(decoder));
-+ } OSSL_TRACE_END(DECODER);
-+
-+ if (!ossl_decoder_ctx_add_decoder_inst(data->ctx, di)) {
-+ ossl_decoder_instance_free(di);
-+ data->error_occurred = 1;
-+ return;
-+ }
-+
-+ ++data->total;
-+}
-
- static void collect_decoder(OSSL_DECODER *decoder, void *arg)
- {
-- struct collect_decoder_data_st *data = arg;
-+ struct collect_data_st *data = arg;
-+ STACK_OF(EVP_KEYMGMT) *keymgmts = data->keymgmts;
- size_t i, end_i;
-- const OSSL_PROVIDER *prov = OSSL_DECODER_get0_provider(decoder);
-- void *provctx = OSSL_PROVIDER_get0_provider_ctx(prov);
-+ EVP_KEYMGMT *keymgmt;
-+ const OSSL_PROVIDER *prov;
-+ void *provctx;
-
- if (data->error_occurred)
- return;
-
-- if (data->names == NULL) {
-- data->error_occurred = 1;
-- return;
-- }
-+ prov = OSSL_DECODER_get0_provider(decoder);
-+ provctx = OSSL_PROVIDER_get0_provider_ctx(prov);
-
- /*
-- * Either the caller didn't give a selection, or if they did,
-- * the decoder must tell us if it supports that selection to
-- * be accepted. If the decoder doesn't have |does_selection|,
-- * it's seen as taking anything.
-+ * Either the caller didn't give us a selection, or if they did, the decoder
-+ * must tell us if it supports that selection to be accepted.
If the decoder
-+ * doesn't have |does_selection|, it's seen as taking anything.
- */
- if (decoder->does_selection != NULL
- && !decoder->does_selection(provctx, data->ctx->selection))
-@@ -256,68 +288,101 @@ static void collect_decoder(OSSL_DECODER *decoder, void *arg)
- OSSL_DECODER_get0_properties(decoder));
- } OSSL_TRACE_END(DECODER);
-
-- end_i = sk_OPENSSL_CSTRING_num(data->names);
-- for (i = 0; i < end_i; i++) {
-- const char *name = sk_OPENSSL_CSTRING_value(data->names, i);
--
-- if (OSSL_DECODER_is_a(decoder, name)) {
-- void *decoderctx = NULL;
-- OSSL_DECODER_INSTANCE *di = NULL;
--
-- if ((decoderctx = decoder->newctx(provctx)) == NULL) {
-- data->error_occurred = 1;
-- return;
-- }
-- if ((di = ossl_decoder_instance_new(decoder, decoderctx)) == NULL) {
-- decoder->freectx(decoderctx);
-- data->error_occurred = 1;
-- return;
-- }
--
-- OSSL_TRACE_BEGIN(DECODER) {
-- BIO_printf(trc_out,
-- "(ctx %p) Checking out decoder %p:\n"
-- " %s with %s\n",
-- (void *)data->ctx, (void *)decoder,
-- OSSL_DECODER_get0_name(decoder),
-- OSSL_DECODER_get0_properties(decoder));
-- } OSSL_TRACE_END(DECODER);
--
-- if (!ossl_decoder_ctx_add_decoder_inst(data->ctx, di)) {
-- ossl_decoder_instance_free(di);
-- data->error_occurred = 1;
-- return;
-- }
-- data->total++;
--
-- /* Success */
-+ end_i = sk_EVP_KEYMGMT_num(keymgmts);
-+ for (i = 0; i < end_i; ++i) {
-+ keymgmt = sk_EVP_KEYMGMT_value(keymgmts, i);
-+
-+ collect_decoder_keymgmt(keymgmt, decoder, provctx, data);
-+ if (data->error_occurred)
- return;
-- }
-+ }
-+}
-+
-+/*
-+ * Is this EVP_KEYMGMT applicable given the key type given in the call to
-+ * ossl_decoder_ctx_setup_for_pkey (if any)?
-+ */
-+static int check_keymgmt(EVP_KEYMGMT *keymgmt, struct collect_data_st *data)
-+{
-+ /* If no keytype was specified, everything matches. */
-+ if (data->keytype == NULL)
-+ return 1;
-+
-+ if (!data->keytype_resolved) {
-+ /* We haven't cached the IDs from the keytype string yet.
*/
-+ OSSL_NAMEMAP *namemap = ossl_namemap_stored(data->libctx);
-+ data->keytype_id = ossl_namemap_name2num(namemap, data->keytype);
-+
-+ /*
-+ * If keytype is a value ambiguously used for both EC and SM2,
-+ * collect the ID for SM2 as well.
-+ */
-+ if (data->keytype_id != 0
-+ && (strcmp(data->keytype, "id-ecPublicKey") == 0
-+ || strcmp(data->keytype, "1.2.840.10045.2.1") == 0))
-+ data->sm2_id = ossl_namemap_name2num(namemap, "SM2");
-+
-+ /*
-+ * If keytype_id is zero the name was not found, but we still
-+ * set keytype_resolved to avoid trying all this again.
-+ */
-+ data->keytype_resolved = 1;
- }
-
-- /* Decoder not suitable - but not a fatal error */
-+ /* Specified keytype could not be resolved, so nothing matches. */
-+ if (data->keytype_id == 0)
-+ return 0;
-+
-+ /* Does not match the keytype specified, so skip. */
-+ if (keymgmt->name_id != data->keytype_id
-+ && keymgmt->name_id != data->sm2_id)
-+ return 0;
-+
-+ return 1;
- }
-
-+static void collect_keymgmt(EVP_KEYMGMT *keymgmt, void *arg)
-+{
-+ struct collect_data_st *data = arg;
-+
-+ if (!check_keymgmt(keymgmt, data))
-+ return;
-+
-+ /*
-+ * We have to ref EVP_KEYMGMT here because in the success case,
-+ * data->keymgmts is referenced by the constructor we register in the
-+ * OSSL_DECODER_CTX. The registered cleanup function
-+ * (decoder_clean_pkey_construct_arg) unrefs every element of the stack and
-+ * frees it.
-+ */
-+ if (!EVP_KEYMGMT_up_ref(keymgmt))
-+ return;
-+
-+ if (sk_EVP_KEYMGMT_push(data->keymgmts, keymgmt) <= 0) {
-+ EVP_KEYMGMT_free(keymgmt);
-+ data->error_occurred = 1;
-+ }
-+}
-+
-+/*
-+ * This function does the actual binding of decoders to the OSSL_DECODER_CTX. It
-+ * searches for decoders matching 'keytype', which is a string like "RSA", "DH",
-+ * etc. If 'keytype' is NULL, decoders for all keytypes are bound.
-+ */ - int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, - EVP_PKEY **pkey, const char *keytype, - OSSL_LIB_CTX *libctx, - const char *propquery) - { -- struct decoder_pkey_data_st *process_data = NULL; -- STACK_OF(OPENSSL_CSTRING) *names = NULL; -- const char *input_type = ctx->start_input_type; -- const char *input_structure = ctx->input_structure; - int ok = 0; -- int isecoid = 0; -- int i, end; -- -- if (keytype != NULL -- && (strcmp(keytype, "id-ecPublicKey") == 0 -- || strcmp(keytype, "1.2.840.10045.2.1") == 0)) -- isecoid = 1; -+ struct decoder_pkey_data_st *process_data = NULL; -+ struct collect_data_st collect_data = { NULL }; -+ STACK_OF(EVP_KEYMGMT) *keymgmts = NULL; - - OSSL_TRACE_BEGIN(DECODER) { -+ const char *input_type = ctx->start_input_type; -+ const char *input_structure = ctx->input_structure; -+ - BIO_printf(trc_out, - "(ctx %p) Looking for decoders producing %s%s%s%s%s%s\n", - (void *)ctx, -@@ -329,81 +394,67 @@ int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, - input_structure != NULL ? input_structure : ""); - } OSSL_TRACE_END(DECODER); - -+ /* Allocate data. */ - if ((process_data = OPENSSL_zalloc(sizeof(*process_data))) == NULL - || (propquery != NULL -- && (process_data->propq = OPENSSL_strdup(propquery)) == NULL) -- || (process_data->keymgmts = sk_EVP_KEYMGMT_new_null()) == NULL -- || (names = sk_OPENSSL_CSTRING_new_null()) == NULL) { -+ && (process_data->propq = OPENSSL_strdup(propquery)) == NULL)) { - ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE); - goto err; - } - -- process_data->object = (void **)pkey; -- process_data->libctx = libctx; -+ /* Allocate our list of EVP_KEYMGMTs. 
*/ -+ keymgmts = sk_EVP_KEYMGMT_new_null(); -+ if (keymgmts == NULL) { -+ ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE); -+ goto err; -+ } -+ -+ process_data->object = (void **)pkey; -+ process_data->libctx = libctx; - process_data->selection = ctx->selection; -+ process_data->keymgmts = keymgmts; - -- /* First, find all keymgmts to form goals */ -- EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, -- process_data->keymgmts); -+ /* -+ * Enumerate all keymgmts into a stack. -+ * -+ * We could nest EVP_KEYMGMT_do_all_provided inside -+ * OSSL_DECODER_do_all_provided or vice versa but these functions become -+ * bottlenecks if called repeatedly, which is why we collect the -+ * EVP_KEYMGMTs into a stack here and call both functions only once. -+ * -+ * We resolve the keytype string to a name ID so we don't have to resolve it -+ * multiple times, avoiding repeated calls to EVP_KEYMGMT_is_a, which is a -+ * performance bottleneck. However, we do this lazily on the first call to -+ * collect_keymgmt made by EVP_KEYMGMT_do_all_provided, rather than do it -+ * upfront, as this ensures that the names for all loaded providers have -+ * been registered by the time we try to resolve the keytype string. -+ */ -+ collect_data.ctx = ctx; -+ collect_data.libctx = libctx; -+ collect_data.keymgmts = keymgmts; -+ collect_data.keytype = keytype; -+ EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, &collect_data); - -- /* Then, we collect all the keymgmt names */ -- end = sk_EVP_KEYMGMT_num(process_data->keymgmts); -- for (i = 0; i < end; i++) { -- EVP_KEYMGMT *keymgmt = sk_EVP_KEYMGMT_value(process_data->keymgmts, i); -+ if (collect_data.error_occurred) -+ goto err; - -- /* -- * If the key type is given by the caller, we only use the matching -- * KEYMGMTs, otherwise we use them all. -- * We have to special case SM2 here because of its abuse of the EC OID. 
-- * The EC OID can be used to identify an EC key or an SM2 key - so if -- * we have seen that OID we try both key types -- */ -- if (keytype == NULL -- || EVP_KEYMGMT_is_a(keymgmt, keytype) -- || (isecoid && EVP_KEYMGMT_is_a(keymgmt, "SM2"))) { -- if (!EVP_KEYMGMT_names_do_all(keymgmt, collect_name, names)) { -- ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_INTERNAL_ERROR); -- goto err; -- } -- } -- } -+ /* Enumerate all matching decoders. */ -+ OSSL_DECODER_do_all_provided(libctx, collect_decoder, &collect_data); -+ -+ if (collect_data.error_occurred) -+ goto err; - - OSSL_TRACE_BEGIN(DECODER) { -- end = sk_OPENSSL_CSTRING_num(names); - BIO_printf(trc_out, -- " Found %d keytypes (possibly with duplicates)", -- end); -- for (i = 0; i < end; i++) -- BIO_printf(trc_out, "%s%s", -- i == 0 ? ": " : ", ", -- sk_OPENSSL_CSTRING_value(names, i)); -- BIO_printf(trc_out, "\n"); -+ "(ctx %p) Got %d decoders producing keys\n", -+ (void *)ctx, collect_data.total); - } OSSL_TRACE_END(DECODER); - - /* -- * Finally, find all decoders that have any keymgmt of the collected -- * keymgmt names -+ * Finish initializing the decoder context. If one or more decoders matched -+ * above then the number of decoders attached to the OSSL_DECODER_CTX will -+ * be nonzero. Else nothing was found and we do nothing. 
- */ -- { -- struct collect_decoder_data_st collect_decoder_data = { NULL, }; -- -- collect_decoder_data.names = names; -- collect_decoder_data.ctx = ctx; -- OSSL_DECODER_do_all_provided(libctx, -- collect_decoder, &collect_decoder_data); -- sk_OPENSSL_CSTRING_free(names); -- names = NULL; -- -- if (collect_decoder_data.error_occurred) -- goto err; -- -- OSSL_TRACE_BEGIN(DECODER) { -- BIO_printf(trc_out, -- "(ctx %p) Got %d decoders producing keys\n", -- (void *)ctx, collect_decoder_data.total); -- } OSSL_TRACE_END(DECODER); -- } -- - if (OSSL_DECODER_CTX_get_num_decoders(ctx) != 0) { - if (!OSSL_DECODER_CTX_set_construct(ctx, decoder_construct_pkey) - || !OSSL_DECODER_CTX_set_construct_data(ctx, process_data) -@@ -417,8 +468,6 @@ int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, - ok = 1; - err: - decoder_clean_pkey_construct_arg(process_data); -- sk_OPENSSL_CSTRING_free(names); -- - return ok; - } - -diff --git a/crypto/encode_decode/encoder_local.h b/crypto/encode_decode/encoder_local.h -index c1885ffc77..939e831727 100644 ---- a/crypto/encode_decode/encoder_local.h -+++ b/crypto/encode_decode/encoder_local.h -@@ -108,6 +108,7 @@ struct ossl_decoder_instance_st { - void *decoderctx; /* Never NULL */ - const char *input_type; /* Never NULL */ - const char *input_structure; /* May be NULL */ -+ int input_type_id; - - unsigned int flag_input_structure_was_set : 1; - }; -@@ -162,3 +163,6 @@ const OSSL_PROPERTY_LIST * - ossl_decoder_parsed_properties(const OSSL_DECODER *decoder); - const OSSL_PROPERTY_LIST * - ossl_encoder_parsed_properties(const OSSL_ENCODER *encoder); -+ -+int ossl_decoder_fast_is_a(OSSL_DECODER *decoder, -+ const char *name, int *id_cache); --- -2.33.0 - diff --git a/backport-Don-t-take-a-write-lock-to-retrieve-a-value-from-a-s.patch b/backport-Don-t-take-a-write-lock-to-retrieve-a-value-from-a-s.patch deleted file mode 100644 index b6508426561bc803e025d81637c510858b78d516..0000000000000000000000000000000000000000 
--- a/backport-Don-t-take-a-write-lock-to-retrieve-a-value-from-a-s.patch
+++ /dev/null
@@ -1,102 +0,0 @@ -From d6e07491ab2838c74e7070bd3247073cb1222e36 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 12 May 2023 16:15:21 +0100 -Subject: [PATCH] Don't take a write lock to retrieve a value from a stack - -ossl_x509_store_ctx_get_by_subject() was taking a write lock for the -store, but was only (usually) retrieving a value from the stack of -objects. We take a read lock instead. - -Partially fixes #20286 - -Reviewed-by: Tomas Mraz -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/20952) - -(cherry picked from commit 80935bf5ad309bf6c03591acf1d48fe1db57b78f) ---- - crypto/x509/x509_lu.c | 34 +++++++++++++++++++++++++--------- - 1 file changed, 25 insertions(+), 9 deletions(-) - -diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c -index d8927bda07..1fb46586f0 100644 ---- a/crypto/x509/x509_lu.c -+++ b/crypto/x509/x509_lu.c -@@ -41,14 +41,19 @@ void X509_LOOKUP_free(X509_LOOKUP *ctx) - OPENSSL_free(ctx); - } - --int X509_STORE_lock(X509_STORE *s) -+int X509_STORE_lock(X509_STORE *xs) - { -- return CRYPTO_THREAD_write_lock(s->lock); -+ return CRYPTO_THREAD_write_lock(xs->lock); - } - --int X509_STORE_unlock(X509_STORE *s) -+static int x509_store_read_lock(X509_STORE *xs) - { -- return CRYPTO_THREAD_unlock(s->lock); -+ return CRYPTO_THREAD_read_lock(xs->lock); -+} -+ -+int X509_STORE_unlock(X509_STORE *xs) -+{ -+ return CRYPTO_THREAD_unlock(xs->lock); - } - - int X509_LOOKUP_init(X509_LOOKUP *ctx) -@@ -321,9 +326,19 @@ int X509_STORE_CTX_get_by_subject(const X509_STORE_CTX *vs, - stmp.type = X509_LU_NONE; - stmp.data.ptr = NULL; - -- if (!X509_STORE_lock(store)) -+ if (!x509_store_read_lock(store)) - return 0; -- -+ /* Should already be sorted...but just in case */ -+ if (!sk_X509_OBJECT_is_sorted(store->objs)) { -+ X509_STORE_unlock(store); -+ /* Take a write lock instead of a read lock */ -+ X509_STORE_lock(store); -+ /* -+ * Another thread might have sorted it in the meantime. 
But if so, -+ * sk_X509_OBJECT_sort() exits early. -+ */ -+ sk_X509_OBJECT_sort(store->objs); -+ } - tmp = X509_OBJECT_retrieve_by_subject(store->objs, type, name); - X509_STORE_unlock(store); - -@@ -505,7 +520,6 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type, - X509_OBJECT stmp; - X509 x509_s; - X509_CRL crl_s; -- int idx; - - stmp.type = type; - switch (type) { -@@ -522,16 +536,18 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type, - return -1; - } - -- idx = sk_X509_OBJECT_find_all(h, &stmp, pnmatch); -- return idx; -+ /* Assumes h is locked for read if applicable */ -+ return sk_X509_OBJECT_find_all(h, &stmp, pnmatch); - } - -+/* Assumes h is locked for read if applicable */ - int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type, - const X509_NAME *name) - { - return x509_object_idx_cnt(h, type, name, NULL); - } - -+/* Assumes h is locked for read if applicable */ - X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, - X509_LOOKUP_TYPE type, - const X509_NAME *name) --- -2.33.0 - diff --git a/backport-Drop-ossl_namemap_add_name_n-and-simplify-ossl_namem.patch b/backport-Drop-ossl_namemap_add_name_n-and-simplify-ossl_namem.patch deleted file mode 100644 index cde3676258fdf933c7e87900efe64639b8e45200..0000000000000000000000000000000000000000 --- a/backport-Drop-ossl_namemap_add_name_n-and-simplify-ossl_namem.patch +++ /dev/null 
@@ -1,275 +0,0 @@ -From fca5d6a2b76d0c1f20e63cec5ac1b927eeba7b43 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Thu, 19 May 2022 11:38:23 +0200 -Subject: [PATCH] Drop ossl_namemap_add_name_n() and simplify - ossl_namemap_add_names() - -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/18341) - -(cherry picked from commit b00cf0e790661636e1df1026554f712cc513592d) ---- - crypto/core_namemap.c | 96 +++++++++++--------------- - doc/internal/man3/ossl_namemap_new.pod | 15 ++-- - include/internal/namemap.h | 2 - - 3 files changed, 48 insertions(+), 65 deletions(-) - -diff --git a/crypto/core_namemap.c b/crypto/core_namemap.c -index 4c1ca05308..380f4da9c2 100644 ---- a/crypto/core_namemap.c -+++ b/crypto/core_namemap.c -@@ -166,6 +166,7 @@ int ossl_namemap_doall_names(const OSSL_NAMEMAP *namemap, int number, - return 1; - } - -+/* This function is not thread safe, the namemap must be locked */ - static int namemap_name2num(const OSSL_NAMEMAP *namemap, - const char *name) - { -@@ -239,25 +240,22 @@ const char *ossl_namemap_num2name(const OSSL_NAMEMAP *namemap, int number, - return data.name; - } - --static int namemap_add_name_n(OSSL_NAMEMAP *namemap, int number, -- const char *name, size_t name_len) -+/* This function is not thread safe, the namemap must be locked */ -+static int namemap_add_name(OSSL_NAMEMAP *namemap, int number, -+ const char *name) - { - NAMENUM_ENTRY *namenum = NULL; - int tmp_number; -- char *tmp = OPENSSL_strndup(name, name_len); -- -- if (tmp == NULL) -- return 0; - - /* If it already exists, we don't add it */ -- if ((tmp_number = namemap_name2num(namemap, tmp)) != 0) { -- OPENSSL_free(tmp); -+ if ((tmp_number = namemap_name2num(namemap, name)) != 0) - return tmp_number; -- } - - if ((namenum = OPENSSL_zalloc(sizeof(*namenum))) == NULL) -+ return 0; -+ -+ if ((namenum->name = OPENSSL_strdup(name)) == NULL) - goto err; -- namenum->name = tmp; - - /* The tsan_counter use here is safe 
since we're under lock */ - namenum->number = -@@ -269,13 +267,12 @@ static int namemap_add_name_n(OSSL_NAMEMAP *namemap, int number, - return namenum->number; - - err: -- OPENSSL_free(tmp); -- OPENSSL_free(namenum); -+ namenum_free(namenum); - return 0; - } - --int ossl_namemap_add_name_n(OSSL_NAMEMAP *namemap, int number, -- const char *name, size_t name_len) -+int ossl_namemap_add_name(OSSL_NAMEMAP *namemap, int number, -+ const char *name) - { - int tmp_number; - -@@ -284,29 +281,20 @@ int ossl_namemap_add_name_n(OSSL_NAMEMAP *namemap, int number, - namemap = ossl_namemap_stored(NULL); - #endif - -- if (name == NULL || name_len == 0 || namemap == NULL) -+ if (name == NULL || *name == 0 || namemap == NULL) - return 0; - - if (!CRYPTO_THREAD_write_lock(namemap->lock)) - return 0; -- tmp_number = namemap_add_name_n(namemap, number, name, name_len); -+ tmp_number = namemap_add_name(namemap, number, name); - CRYPTO_THREAD_unlock(namemap->lock); - return tmp_number; - } - --int ossl_namemap_add_name(OSSL_NAMEMAP *namemap, int number, const char *name) --{ -- if (name == NULL) -- return 0; -- -- return ossl_namemap_add_name_n(namemap, number, name, strlen(name)); --} -- - int ossl_namemap_add_names(OSSL_NAMEMAP *namemap, int number, - const char *names, const char separator) - { -- const char *p, *q; -- size_t l; -+ char *tmp, *p, *q, *endp; - - /* Check that we have a namemap */ - if (!ossl_assert(namemap != NULL)) { -@@ -314,71 +302,71 @@ int ossl_namemap_add_names(OSSL_NAMEMAP *namemap, int number, - return 0; - } - -- if (!CRYPTO_THREAD_write_lock(namemap->lock)) -+ if ((tmp = OPENSSL_strdup(names)) == NULL) - return 0; -+ -+ if (!CRYPTO_THREAD_write_lock(namemap->lock)) { -+ OPENSSL_free(tmp); -+ return 0; -+ } - /* - * Check that no name is an empty string, and that all names have at - * most one numeric identity together. - */ -- for (p = names; *p != '\0'; p = (q == NULL ? 
p + l : q + 1)) { -+ for (p = tmp; *p != '\0'; p = q) { - int this_number; -- char *allocated; -- const char *tmp; -+ size_t l; - - if ((q = strchr(p, separator)) == NULL) { - l = strlen(p); /* offset to \0 */ -- tmp = p; -- allocated = NULL; -+ q = p + l; - } else { - l = q - p; /* offset to the next separator */ -- tmp = allocated = OPENSSL_strndup(p, l); -- if (tmp == NULL) -- goto err; -+ *q++ = '\0'; - } - -- this_number = namemap_name2num(namemap, tmp); -- OPENSSL_free(allocated); -- -- if (*p == '\0' || *p == separator) { -+ if (*p == '\0') { - ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_BAD_ALGORITHM_NAME); -- goto err; -+ number = 0; -+ goto end; - } -+ -+ this_number = namemap_name2num(namemap, p); -+ - if (number == 0) { - number = this_number; - } else if (this_number != 0 && this_number != number) { - ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_CONFLICTING_NAMES, -- "\"%.*s\" has an existing different identity %d (from \"%s\")", -- l, p, this_number, names); -- goto err; -+ "\"%s\" has an existing different identity %d (from \"%s\")", -+ p, this_number, names); -+ number = 0; -+ goto end; - } - } -+ endp = p; - - /* Now that we have checked, register all names */ -- for (p = names; *p != '\0'; p = (q == NULL ? 
p + l : q + 1)) { -+ for (p = tmp; p < endp; p = q) { - int this_number; - -- if ((q = strchr(p, separator)) == NULL) -- l = strlen(p); /* offset to \0 */ -- else -- l = q - p; /* offset to the next separator */ -+ q = p + strlen(p) + 1; - -- this_number = namemap_add_name_n(namemap, number, p, l); -+ this_number = namemap_add_name(namemap, number, p); - if (number == 0) { - number = this_number; - } else if (this_number != number) { - ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR, - "Got number %d when expecting %d", - this_number, number); -- goto err; -+ number = 0; -+ goto end; - } - } - -+ end: - CRYPTO_THREAD_unlock(namemap->lock); -+ OPENSSL_free(tmp); - return number; -- -- err: -- CRYPTO_THREAD_unlock(namemap->lock); -- return 0; - } - - /*- -diff --git a/doc/internal/man3/ossl_namemap_new.pod b/doc/internal/man3/ossl_namemap_new.pod -index ff247e87b0..7f4940fc93 100644 ---- a/doc/internal/man3/ossl_namemap_new.pod -+++ b/doc/internal/man3/ossl_namemap_new.pod -@@ -3,7 +3,7 @@ - =head1 NAME - - ossl_namemap_new, ossl_namemap_free, ossl_namemap_stored, ossl_namemap_empty, --ossl_namemap_add_name, ossl_namemap_add_name_n, ossl_namemap_add_names, -+ossl_namemap_add_name, ossl_namemap_add_names, - ossl_namemap_name2num, ossl_namemap_name2num_n, - ossl_namemap_doall_names - - internal number E-E name map -@@ -19,8 +19,6 @@ ossl_namemap_doall_names - int ossl_namemap_empty(OSSL_NAMEMAP *namemap); - - int ossl_namemap_add_name(OSSL_NAMEMAP *namemap, int number, const char *name); -- int ossl_namemap_add_name_n(OSSL_NAMEMAP *namemap, int number, -- const char *name, size_t name_len); - - int ossl_namemap_name2num(const OSSL_NAMEMAP *namemap, const char *name); - int ossl_namemap_name2num_n(const OSSL_NAMEMAP *namemap, -@@ -62,10 +60,9 @@ names already associated with that number. - ossl_namemap_name2num() finds the number corresponding to the given - I. 
- --ossl_namemap_add_name_n() and ossl_namemap_name2num_n() do the same thing --as ossl_namemap_add_name() and ossl_namemap_name2num(), but take a string --length I as well, allowing the caller to use a fragment of --a string as a name. -+ossl_namemap_name2num_n() does the same thing as -+ossl_namemap_name2num(), but takes a string length I as well, -+allowing the caller to use a fragment of a string as a name. - - ossl_namemap_doall_names() walks through all names associated with - I in the given I and calls the function I for -@@ -88,8 +85,8 @@ ossl_namemap_empty() returns 1 if the B is NULL or - empty, 0 if it's not empty, or -1 on internal error (such as inability - to lock). - --ossl_namemap_add_name() and ossl_namemap_add_name_n() return the number --associated with the added string, or zero on error. -+ossl_namemap_add_name() returns the number associated with the added -+string, or zero on error. - - ossl_namemap_num2names() returns a pointer to a NULL-terminated list of - pointers to the names corresponding to the given number, or NULL if -diff --git a/include/internal/namemap.h b/include/internal/namemap.h -index a4c60ae695..6c42a9cd7c 100644 ---- a/include/internal/namemap.h -+++ b/include/internal/namemap.h -@@ -18,8 +18,6 @@ void ossl_namemap_free(OSSL_NAMEMAP *namemap); - int ossl_namemap_empty(OSSL_NAMEMAP *namemap); - - int ossl_namemap_add_name(OSSL_NAMEMAP *namemap, int number, const char *name); --int ossl_namemap_add_name_n(OSSL_NAMEMAP *namemap, int number, -- const char *name, size_t name_len); - - /* - * The number<->name relationship is 1<->many --- -2.33.0 - diff --git a/backport-Extend-the-multi_resume-test-for-simultaneous-resump.patch b/backport-Extend-the-multi_resume-test-for-simultaneous-resump.patch deleted file mode 100644 index 5cbbc3bab2ee167c642549fd7f348f16ded9fb74..0000000000000000000000000000000000000000 --- a/backport-Extend-the-multi_resume-test-for-simultaneous-resump.patch +++ /dev/null 
@@ -1,160 +0,0 @@ -From c1e462ee4bd61867ee391fc13110ca41e4889535 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Tue, 5 Mar 2024 15:35:51 +0000 -Subject: [PATCH] Extend the multi_resume test for simultaneous resumptions - -Test what happens if the same session gets resumed multiple times at the -same time - and one of them gets marked as not_resumable. - -Related to CVE-2024-2511 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24044) - -(cherry picked from commit 031b11a4054c972a5e2f07dfa81ce1842453253e) ---- - test/sslapitest.c | 89 ++++++++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 85 insertions(+), 4 deletions(-) - -diff --git a/test/sslapitest.c b/test/sslapitest.c -index 56229e51b9..24fb95e4b6 100644 ---- a/test/sslapitest.c -+++ b/test/sslapitest.c -@@ -10436,12 +10436,63 @@ end: - return testresult; - } - -+struct resume_servername_cb_data { -+ int i; -+ SSL_CTX *cctx; -+ SSL_CTX *sctx; -+ SSL_SESSION *sess; -+ int recurse; -+}; -+ -+/* -+ * Servername callback. We use it here to run another complete handshake using -+ * the same session - and mark the session as not_resuamble at the end -+ */ -+static int resume_servername_cb(SSL *s, int *ad, void *arg) -+{ -+ struct resume_servername_cb_data *cbdata = arg; -+ SSL *serverssl = NULL, *clientssl = NULL; -+ int ret = SSL_TLSEXT_ERR_ALERT_FATAL; -+ -+ if (cbdata->recurse) -+ return SSL_TLSEXT_ERR_ALERT_FATAL; -+ -+ if ((cbdata->i % 3) != 1) -+ return SSL_TLSEXT_ERR_OK; -+ -+ cbdata->recurse = 1; -+ -+ if (!TEST_true(create_ssl_objects(cbdata->sctx, cbdata->cctx, &serverssl, -+ &clientssl, NULL, NULL)) -+ || !TEST_true(SSL_set_session(clientssl, cbdata->sess))) -+ goto end; -+ -+ ERR_set_mark(); -+ /* -+ * We expect this to fail - because the servername cb will fail. This will -+ * mark the session as not_resumable. 
-+ */ -+ if (!TEST_false(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) { -+ ERR_clear_last_mark(); -+ goto end; -+ } -+ ERR_pop_to_mark(); -+ -+ ret = SSL_TLSEXT_ERR_OK; -+ end: -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ cbdata->recurse = 0; -+ return ret; -+} -+ - /* - * Test multiple resumptions and cache size handling - * Test 0: TLSv1.3 (max_early_data set) - * Test 1: TLSv1.3 (SSL_OP_NO_TICKET set) - * Test 2: TLSv1.3 (max_early_data and SSL_OP_NO_TICKET set) -- * Test 3: TLSv1.2 -+ * Test 3: TLSv1.3 (SSL_OP_NO_TICKET, simultaneous resumes) -+ * Test 4: TLSv1.2 - */ - static int test_multi_resume(int idx) - { -@@ -10450,9 +10501,19 @@ static int test_multi_resume(int idx) - SSL_SESSION *sess = NULL; - int max_version = TLS1_3_VERSION; - int i, testresult = 0; -+ struct resume_servername_cb_data cbdata; - -- if (idx == 3) -+#if defined(OPENSSL_NO_TLS1_2) -+ if (idx == 4) -+ return TEST_skip("TLSv1.2 is disabled in this build"); -+#else -+ if (idx == 4) - max_version = TLS1_2_VERSION; -+#endif -+#if defined(OSSL_NO_USABLE_TLS1_3) -+ if (idx != 4) -+ return TEST_skip("No usable TLSv1.3 in this build"); -+#endif - - if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), - TLS_client_method(), TLS1_VERSION, -@@ -10468,17 +10529,37 @@ static int test_multi_resume(int idx) - if (!TEST_true(SSL_CTX_set_max_early_data(sctx, 1024))) - goto end; - } -- if (idx == 1 || idx == 2) -+ if (idx == 1 || idx == 2 || idx == 3) - SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET); - - SSL_CTX_sess_set_cache_size(sctx, 5); - -+ if (idx == 3) { -+ SSL_CTX_set_tlsext_servername_callback(sctx, resume_servername_cb); -+ SSL_CTX_set_tlsext_servername_arg(sctx, &cbdata); -+ cbdata.cctx = cctx; -+ cbdata.sctx = sctx; -+ cbdata.recurse = 0; -+ } -+ - for (i = 0; i < 30; i++) { - if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, - NULL, NULL)) - || !TEST_true(SSL_set_session(clientssl, sess))) - goto end; - -+ /* -+ * Check simultaneous resumes. 
We pause the connection part way through -+ * the handshake by (mis)using the servername_cb. The pause occurs after -+ * session resumption has already occurred, but before any session -+ * tickets have been issued. While paused we run another complete -+ * handshake resuming the same session. -+ */ -+ if (idx == 3) { -+ cbdata.i = i; -+ cbdata.sess = sess; -+ } -+ - /* - * Recreate a bug where dynamically changing the max_early_data value - * can cause sessions in the session cache which cannot be deleted. -@@ -10799,7 +10880,7 @@ int setup_tests(void) - ADD_ALL_TESTS(test_pipelining, 6); - #endif - ADD_ALL_TESTS(test_handshake_retry, 16); -- ADD_ALL_TESTS(test_multi_resume, 4); -+ ADD_ALL_TESTS(test_multi_resume, 5); - return 1; - - err: --- -2.33.0 - diff --git a/backport-Hardening-around-not_resumable-sessions.patch b/backport-Hardening-around-not_resumable-sessions.patch deleted file mode 100644 index 1b43920a9a81c865c09f9f4279fe4bbc53a83996..0000000000000000000000000000000000000000 --- a/backport-Hardening-around-not_resumable-sessions.patch +++ /dev/null 
@@ -1,38 +0,0 @@
-From cc9ece9118eeacccc3571c2ee852f8ba067d0607 Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Fri, 15 Mar 2024 17:58:42 +0000
-Subject: [PATCH] Hardening around not_resumable sessions
-
-Make sure we can't inadvertently use a not_resumable session
-
-Related to CVE-2024-2511
-
-Reviewed-by: Neil Horman
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/24044)
-
-(cherry picked from commit c342f4b8bd2d0b375b0e22337057c2eab47d9b96)
----
- ssl/ssl_sess.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
-index 75adbd9e52..d0b72b7880 100644
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -531,6 +531,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
- ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, ©);
-
- if (ret != NULL) {
-+ if (ret->not_resumable) {
-+ /* If its not resumable then ignore this session */
-+ if (!copy)
-+ SSL_SESSION_free(ret);
-+ return NULL;
-+ }
- ssl_tsan_counter(s->session_ctx,
- &s->session_ctx->stats.sess_cb_hit);
-
-
---
-2.33.0
-
diff --git a/backport-Improve-performance-of-the-encoder-collection.patch b/backport-Improve-performance-of-the-encoder-collection.patch
deleted file mode 100644
index 301921e1038b3e22be51cec08eabdfa9eb6d8026..0000000000000000000000000000000000000000
--- a/backport-Improve-performance-of-the-encoder-collection.patch
+++ /dev/null
@@ -1,153 +0,0 @@ -From 762473f53a0cf319e511895556a6df0e3fbb3f9e Mon Sep 17 00:00:00 2001 -From: slontis -Date: Wed, 5 Oct 2022 09:57:51 +1000 -Subject: [PATCH] Improve performance of the encoder collection - -Reviewed-by: Richard Levitte -Reviewed-by: Tomas Mraz -Reviewed-by: Paul Dale -Reviewed-by: Hugo Landau -(Merged from https://github.com/openssl/openssl/pull/19344) - -(cherry picked from commit c3b46409559c18f103ebb2221c6f8af3cd7db00d) ---- - crypto/encode_decode/encoder_pkey.c | 80 ++++++++++++++++++----------- - 1 file changed, 51 insertions(+), 29 deletions(-) - -diff --git a/crypto/encode_decode/encoder_pkey.c b/crypto/encode_decode/encoder_pkey.c -index 3a24317cf4..f8a5a45acc 100644 ---- a/crypto/encode_decode/encoder_pkey.c -+++ b/crypto/encode_decode/encoder_pkey.c -@@ -17,6 +17,7 @@ - #include - #include "internal/provider.h" - #include "internal/property.h" -+#include "internal/namemap.h" - #include "crypto/evp.h" - #include "encoder_local.h" - -@@ -72,6 +73,7 @@ int OSSL_ENCODER_CTX_set_passphrase_cb(OSSL_ENCODER_CTX *ctx, - - struct collected_encoder_st { - STACK_OF(OPENSSL_CSTRING) *names; -+ int *id_names; - const char *output_structure; - const char *output_type; - -@@ -85,41 +87,41 @@ struct collected_encoder_st { - static void collect_encoder(OSSL_ENCODER *encoder, void *arg) - { - struct collected_encoder_st *data = arg; -- size_t i, end_i; -+ const OSSL_PROVIDER *prov; - - if (data->error_occurred) - return; - - data->error_occurred = 1; /* Assume the worst */ - -- if (data->names == NULL) -- return; -- -- end_i = sk_OPENSSL_CSTRING_num(data->names); -- for (i = 0; i < end_i; i++) { -- const char *name = sk_OPENSSL_CSTRING_value(data->names, i); -- const OSSL_PROVIDER *prov = OSSL_ENCODER_get0_provider(encoder); -+ prov = OSSL_ENCODER_get0_provider(encoder); -+ /* -+ * collect_encoder() is called in two passes, one where the encoders -+ * from the same provider as the keymgmt are looked up, and one where -+ * the other encoders are looked 
up. |data->flag_find_same_provider| -+ * tells us which pass we're in. -+ */ -+ if ((data->keymgmt_prov == prov) == data->flag_find_same_provider) { - void *provctx = OSSL_PROVIDER_get0_provider_ctx(prov); -- -- /* -- * collect_encoder() is called in two passes, one where the encoders -- * from the same provider as the keymgmt are looked up, and one where -- * the other encoders are looked up. |data->flag_find_same_provider| -- * tells us which pass we're in. -- */ -- if ((data->keymgmt_prov == prov) != data->flag_find_same_provider) -- continue; -- -- if (!OSSL_ENCODER_is_a(encoder, name) -- || (encoder->does_selection != NULL -- && !encoder->does_selection(provctx, data->ctx->selection)) -- || (data->keymgmt_prov != prov -- && encoder->import_object == NULL)) -- continue; -- -- /* Only add each encoder implementation once */ -- if (OSSL_ENCODER_CTX_add_encoder(data->ctx, encoder)) -- break; -+ size_t i, end_i = sk_OPENSSL_CSTRING_num(data->names); -+ int match; -+ -+ for (i = 0; i < end_i; i++) { -+ if (data->flag_find_same_provider) -+ match = (data->id_names[i] == encoder->base.id); -+ else -+ match = OSSL_ENCODER_is_a(encoder, sk_OPENSSL_CSTRING_value(data->names, i)); -+ if (!match -+ || (encoder->does_selection != NULL -+ && !encoder->does_selection(provctx, data->ctx->selection)) -+ || (data->keymgmt_prov != prov -+ && encoder->import_object == NULL)) -+ continue; -+ -+ /* Only add each encoder implementation once */ -+ if (OSSL_ENCODER_CTX_add_encoder(data->ctx, encoder)) -+ break; -+ } - } - - data->error_occurred = 0; /* All is good now */ -@@ -227,7 +229,8 @@ static int ossl_encoder_ctx_setup_for_pkey(OSSL_ENCODER_CTX *ctx, - struct construct_data_st *data = NULL; - const OSSL_PROVIDER *prov = NULL; - OSSL_LIB_CTX *libctx = NULL; -- int ok = 0; -+ int ok = 0, i, end; -+ OSSL_NAMEMAP *namemap; - - if (!ossl_assert(ctx != NULL) || !ossl_assert(pkey != NULL)) { - ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_PASSED_NULL_PARAMETER); -@@ -271,7 +274,25 @@ static int 
ossl_encoder_ctx_setup_for_pkey(OSSL_ENCODER_CTX *ctx, - encoder_data.error_occurred = 0; - encoder_data.keymgmt_prov = prov; - encoder_data.ctx = ctx; -+ encoder_data.id_names = NULL; - -+ /* -+ * collect_encoder() is called many times, and for every call it converts all encoder_data.names -+ * into namemap ids if it calls OSSL_ENCODER_is_a(). We cache the ids here instead, -+ * and can use them for encoders with the same provider as the keymgmt. -+ */ -+ namemap = ossl_namemap_stored(libctx); -+ end = sk_OPENSSL_CSTRING_num(encoder_data.names); -+ if (end > 0) { -+ encoder_data.id_names = OPENSSL_malloc(end * sizeof(int)); -+ if (encoder_data.id_names == NULL) -+ goto err; -+ for (i = 0; i < end; ++i) { -+ const char *name = sk_OPENSSL_CSTRING_value(keymgmt_data.names, i); -+ -+ encoder_data.id_names[i] = ossl_namemap_name2num(namemap, name); -+ } -+ } - /* - * Place the encoders with the a different provider as the keymgmt - * last (the chain is processed in reverse order) -@@ -286,6 +307,7 @@ static int ossl_encoder_ctx_setup_for_pkey(OSSL_ENCODER_CTX *ctx, - encoder_data.flag_find_same_provider = 1; - OSSL_ENCODER_do_all_provided(libctx, collect_encoder, &encoder_data); - -+ OPENSSL_free(encoder_data.id_names); - sk_OPENSSL_CSTRING_free(keymgmt_data.names); - if (encoder_data.error_occurred) { - ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_MALLOC_FAILURE); --- -2.33.0 - diff --git a/backport-Make-IV-buf-in-prov_cipher_ctx_st-aligned.patch b/backport-Make-IV-buf-in-prov_cipher_ctx_st-aligned.patch deleted file mode 100644 index 2291107bb57de545b56e1dae08e35de2f59649dd..0000000000000000000000000000000000000000 --- a/backport-Make-IV-buf-in-prov_cipher_ctx_st-aligned.patch +++ /dev/null 
@@ -1,62 +0,0 @@
-From a91c268853c4bda825a505629a873e21685490bf Mon Sep 17 00:00:00 2001
-From: "Hongren (Zenithal) Zheng"
-Date: Mon, 9 May 2022 19:42:39 +0800
-Subject: [PATCH] Make IV/buf in prov_cipher_ctx_st aligned
-
-Make IV/buf aligned will drastically improve performance
-as some architecture performs badly on misaligned memory
-access.
-
-Ref to
-https://gist.github.com/ZenithalHourlyRate/7b5175734f87acb73d0bbc53391d7140#file-2-openssl-long-md
-Ref to
-openssl#18197
-
-Signed-off-by: Hongren (Zenithal) Zheng
-
-Reviewed-by: Paul Dale
-Reviewed-by: Tomas Mraz
-
-(cherry picked from commit 2787a709c984d3884e1726383c2f2afca428d795)
-
-Reviewed-by: Neil Horman
-Reviewed-by: Matt Caswell
-(Merged from https://github.com/openssl/openssl/pull/23463)
----
- .../implementations/include/prov/ciphercommon.h | 13 +++++++------
- 1 file changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/providers/implementations/include/prov/ciphercommon.h b/providers/implementations/include/prov/ciphercommon.h
-index 383b759304..7f9a4a3bf2 100644
---- a/providers/implementations/include/prov/ciphercommon.h
-+++ b/providers/implementations/include/prov/ciphercommon.h
-@@ -42,6 +42,13 @@ typedef int (PROV_CIPHER_HW_FN)(PROV_CIPHER_CTX *dat, unsigned char *out,
- #define PROV_CIPHER_FLAG_INVERSE_CIPHER 0x0200
-
- struct prov_cipher_ctx_st {
-+ /* place buffer at the beginning for memory alignment */
-+ /* The original value of the iv */
-+ unsigned char oiv[GENERIC_BLOCK_SIZE];
-+ /* Buffer of partial blocks processed via update calls */
-+ unsigned char buf[GENERIC_BLOCK_SIZE];
-+ unsigned char iv[GENERIC_BLOCK_SIZE];
-+
- block128_f block;
- union {
- cbc128_f cbc;
-@@ -83,12 +90,6 @@ struct prov_cipher_ctx_st {
- * manage partial blocks themselves.
- */
- unsigned int num;
--
-- /* The original value of the iv */
-- unsigned char oiv[GENERIC_BLOCK_SIZE];
-- /* Buffer of partial blocks processed via update calls */
-- unsigned char buf[GENERIC_BLOCK_SIZE];
-- unsigned char iv[GENERIC_BLOCK_SIZE];
- const PROV_CIPHER_HW *hw; /* hardware specific functions */
- const void *ks; /* Pointer to algorithm specific key data */
- OSSL_LIB_CTX *libctx;
---
-2.33.0
-
diff --git a/backport-Refactor-OSSL_LIB_CTX-to-avoid-using-CRYPTO_EX_DATA.patch b/backport-Refactor-OSSL_LIB_CTX-to-avoid-using-CRYPTO_EX_DATA.patch
deleted file mode 100644
index 808b60c416f2aa877cc5b9793c17b8cec62f46e4..0000000000000000000000000000000000000000
--- a/backport-Refactor-OSSL_LIB_CTX-to-avoid-using-CRYPTO_EX_DATA.patch
+++ /dev/null
@@ -1,1969 +0,0 @@
-From 8436ef8bdb96c0a977a15ec707d28404d97c3a6c Mon Sep 17 00:00:00 2001
-From: Hugo Landau
-Date: Mon, 14 Mar 2022 08:13:12 +0000
-Subject: [PATCH] Refactor OSSL_LIB_CTX to avoid using CRYPTO_EX_DATA
-
-This refactors OSSL_LIB_CTX to avoid using CRYPTO_EX_DATA. The assorted
-objects to be managed by OSSL_LIB_CTX are hardcoded and are initialized
-eagerly rather than lazily, which avoids the need for locking on access
-in most cases.
-
-Fixes #17116.
-
-Reviewed-by: Matt Caswell
-Reviewed-by: Paul Dale
-(Merged from https://github.com/openssl/openssl/pull/17881)
-
-(cherry picked from commit 927d0566ded0dff9d6c5abc8a40bb84068446b76)
---
- crypto/bio/bss_core.c | 14 +-
- crypto/context.c | 441 ++++++++++++++------
- crypto/core_namemap.c | 14 +-
- crypto/encode_decode/decoder_meth.c | 23 +-
- crypto/encode_decode/encoder_meth.c | 23 +-
- crypto/evp/evp_fetch.c | 21 +-
- crypto/initthread.c | 17 +-
- crypto/property/defn_cache.c | 17 +-
- crypto/property/property.c | 20 +-
- crypto/property/property_string.c | 19 +-
- crypto/provider_child.c | 32 +-
- crypto/provider_conf.c | 15 +-
- crypto/provider_core.c | 17 +-
- crypto/rand/rand_lib.c | 14 +-
- crypto/self_test_core.c | 14 +-
- crypto/store/store_meth.c | 23 +-
- doc/internal/man3/ossl_lib_ctx_get_data.pod | 81 +---
- include/crypto/context.h | 40 ++
- include/internal/cryptlib.h | 14 +-
- providers/fips/fipsprov.c | 27 +-
- providers/implementations/rands/crngt.c | 14 +-
- providers/implementations/rands/drbg.c | 14 +-
- test/context_internal_test.c | 92 +---
- 23 files changed, 445 insertions(+), 561 deletions(-)
- create mode 100644 include/crypto/context.h
-
-diff --git a/crypto/bio/bss_core.c b/crypto/bio/bss_core.c
-index 7a84b20460..b9a8eff346 100644
---- a/crypto/bio/bss_core.c
-+++ b/crypto/bio/bss_core.c
-@@ -10,6 +10,7 @@
- #include
- #include "bio_local.h"
- #include "internal/cryptlib.h"
-+#include "crypto/context.h"
-
- typedef struct {
- OSSL_FUNC_BIO_read_ex_fn *c_bio_read_ex;
-@@ -21,26 +22,19 @@ typedef struct { - OSSL_FUNC_BIO_free_fn *c_bio_free; - } BIO_CORE_GLOBALS; - --static void bio_core_globals_free(void *vbcg) -+void ossl_bio_core_globals_free(void *vbcg) - { - OPENSSL_free(vbcg); - } - --static void *bio_core_globals_new(OSSL_LIB_CTX *ctx) -+void *ossl_bio_core_globals_new(OSSL_LIB_CTX *ctx) - { - return OPENSSL_zalloc(sizeof(BIO_CORE_GLOBALS)); - } - --static const OSSL_LIB_CTX_METHOD bio_core_globals_method = { -- OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, -- bio_core_globals_new, -- bio_core_globals_free, --}; -- - static ossl_inline BIO_CORE_GLOBALS *get_globals(OSSL_LIB_CTX *libctx) - { -- return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_BIO_CORE_INDEX, -- &bio_core_globals_method); -+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_BIO_CORE_INDEX); - } - - static int bio_core_read_ex(BIO *bio, char *data, size_t data_len, -diff --git a/crypto/context.c b/crypto/context.c -index 1647371bb7..c9f976c68c 100644 ---- a/crypto/context.c -+++ b/crypto/context.c -@@ -14,7 +14,7 @@ - #include "internal/core.h" - #include "internal/bio.h" - #include "internal/provider.h" --#include "crypto/ctype.h" -+#include "crypto/context.h" - - struct ossl_lib_ctx_onfree_list_st { - ossl_lib_ctx_onfree_fn *fn; -@@ -22,20 +22,31 @@ struct ossl_lib_ctx_onfree_list_st { - }; - - struct ossl_lib_ctx_st { -- CRYPTO_RWLOCK *lock; -- CRYPTO_EX_DATA data; -- -- /* -- * For most data in the OSSL_LIB_CTX we just use ex_data to store it. But -- * that doesn't work for ex_data itself - so we store that directly. 
-- */ -+ CRYPTO_RWLOCK *lock, *rand_crngt_lock; - OSSL_EX_DATA_GLOBAL global; - -- /* Map internal static indexes to dynamically created indexes */ -- int dyn_indexes[OSSL_LIB_CTX_MAX_INDEXES]; -- -- /* Keep a separate lock for each index */ -- CRYPTO_RWLOCK *index_locks[OSSL_LIB_CTX_MAX_INDEXES]; -+ void *property_string_data; -+ void *evp_method_store; -+ void *provider_store; -+ void *namemap; -+ void *property_defns; -+ void *global_properties; -+ void *drbg; -+ void *drbg_nonce; -+#ifndef FIPS_MODULE -+ void *provider_conf; -+ void *bio_core; -+ void *child_provider; -+ OSSL_METHOD_STORE *decoder_store; -+ OSSL_METHOD_STORE *encoder_store; -+ OSSL_METHOD_STORE *store_loader_store; -+ void *self_test_cb; -+#endif -+ void *rand_crngt; -+#ifdef FIPS_MODULE -+ void *thread_event_handler; -+ void *fips_prov; -+#endif - - CRYPTO_RWLOCK *oncelock; - int run_once_done[OSSL_LIB_CTX_MAX_RUN_ONCE]; -@@ -68,9 +79,10 @@ int ossl_lib_ctx_is_child(OSSL_LIB_CTX *ctx) - return ctx->ischild; - } - -+static void context_deinit_objs(OSSL_LIB_CTX *ctx); -+ - static int context_init(OSSL_LIB_CTX *ctx) - { -- size_t i; - int exdata_done = 0; - - ctx->lock = CRYPTO_THREAD_lock_new(); -@@ -81,48 +93,246 @@ static int context_init(OSSL_LIB_CTX *ctx) - if (ctx->oncelock == NULL) - goto err; - -- for (i = 0; i < OSSL_LIB_CTX_MAX_INDEXES; i++) { -- ctx->index_locks[i] = CRYPTO_THREAD_lock_new(); -- ctx->dyn_indexes[i] = -1; -- if (ctx->index_locks[i] == NULL) -- goto err; -- } -+ ctx->rand_crngt_lock = CRYPTO_THREAD_lock_new(); -+ if (ctx->rand_crngt_lock == NULL) -+ goto err; - -- /* OSSL_LIB_CTX is built on top of ex_data so we initialise that directly */ -+ /* Initialize ex_data. */ - if (!ossl_do_ex_data_init(ctx)) - goto err; - exdata_done = 1; - -- if (!ossl_crypto_new_ex_data_ex(ctx, CRYPTO_EX_INDEX_OSSL_LIB_CTX, NULL, -- &ctx->data)) -+ /* P2. 
We want evp_method_store to be cleaned up before the provider store */ -+ ctx->evp_method_store = ossl_method_store_new(ctx); -+ if (ctx->evp_method_store == NULL) -+ goto err; -+ -+#ifndef FIPS_MODULE -+ /* P2. Must be freed before the provider store is freed */ -+ ctx->provider_conf = ossl_prov_conf_ctx_new(ctx); -+ if (ctx->provider_conf == NULL) -+ goto err; -+#endif -+ -+ /* P2. */ -+ ctx->drbg = ossl_rand_ctx_new(ctx); -+ if (ctx->drbg == NULL) -+ goto err; -+ -+#ifndef FIPS_MODULE -+ /* P2. We want decoder_store to be cleaned up before the provider store */ -+ ctx->decoder_store = ossl_method_store_new(ctx); -+ if (ctx->decoder_store == NULL) -+ goto err; -+ -+ /* P2. We want encoder_store to be cleaned up before the provider store */ -+ ctx->encoder_store = ossl_method_store_new(ctx); -+ if (ctx->encoder_store == NULL) -+ goto err; -+ -+ /* P2. We want loader_store to be cleaned up before the provider store */ -+ ctx->store_loader_store = ossl_method_store_new(ctx); -+ if (ctx->store_loader_store == NULL) -+ goto err; -+#endif -+ -+ /* P1. Needs to be freed before the child provider data is freed */ -+ ctx->provider_store = ossl_provider_store_new(ctx); -+ if (ctx->provider_store == NULL) -+ goto err; -+ -+ /* Default priority. 
*/ -+ ctx->property_string_data = ossl_property_string_data_new(ctx); -+ if (ctx->property_string_data == NULL) - goto err; - -+ ctx->namemap = ossl_stored_namemap_new(ctx); -+ if (ctx->namemap == NULL) -+ goto err; -+ -+ ctx->property_defns = ossl_property_defns_new(ctx); -+ if (ctx->property_defns == NULL) -+ goto err; -+ -+ ctx->global_properties = ossl_ctx_global_properties_new(ctx); -+ if (ctx->global_properties == NULL) -+ goto err; -+ -+#ifndef FIPS_MODULE -+ ctx->bio_core = ossl_bio_core_globals_new(ctx); -+ if (ctx->bio_core == NULL) -+ goto err; -+#endif -+ -+ ctx->drbg_nonce = ossl_prov_drbg_nonce_ctx_new(ctx); -+ if (ctx->drbg_nonce == NULL) -+ goto err; -+ -+#ifndef FIPS_MODULE -+ ctx->self_test_cb = ossl_self_test_set_callback_new(ctx); -+ if (ctx->self_test_cb == NULL) -+ goto err; -+#endif -+ -+#ifdef FIPS_MODULE -+ ctx->thread_event_handler = ossl_thread_event_ctx_new(ctx); -+ if (ctx->thread_event_handler == NULL) -+ goto err; -+ -+ ctx->fips_prov = ossl_fips_prov_ossl_ctx_new(ctx); -+ if (ctx->fips_prov == NULL) -+ goto err; -+#endif -+ -+ /* Low priority. */ -+#ifndef FIPS_MODULE -+ ctx->child_provider = ossl_child_prov_ctx_new(ctx); -+ if (ctx->child_provider == NULL) -+ goto err; -+#endif -+ - /* Everything depends on properties, so we also pre-initialise that */ - if (!ossl_property_parse_init(ctx)) - goto err; - - return 1; -+ - err: -+ context_deinit_objs(ctx); -+ - if (exdata_done) - ossl_crypto_cleanup_all_ex_data_int(ctx); -- for (i = 0; i < OSSL_LIB_CTX_MAX_INDEXES; i++) -- CRYPTO_THREAD_lock_free(ctx->index_locks[i]); -+ -+ CRYPTO_THREAD_lock_free(ctx->rand_crngt_lock); - CRYPTO_THREAD_lock_free(ctx->oncelock); - CRYPTO_THREAD_lock_free(ctx->lock); - memset(ctx, '\0', sizeof(*ctx)); - return 0; - } - -+static void context_deinit_objs(OSSL_LIB_CTX *ctx) -+{ -+ /* P2. 
We want evp_method_store to be cleaned up before the provider store */ -+ if (ctx->evp_method_store != NULL) { -+ ossl_method_store_free(ctx->evp_method_store); -+ ctx->evp_method_store = NULL; -+ } -+ -+ /* P2. */ -+ if (ctx->drbg != NULL) { -+ ossl_rand_ctx_free(ctx->drbg); -+ ctx->drbg = NULL; -+ } -+ -+#ifndef FIPS_MODULE -+ /* P2. */ -+ if (ctx->provider_conf != NULL) { -+ ossl_prov_conf_ctx_free(ctx->provider_conf); -+ ctx->provider_conf = NULL; -+ } -+ -+ /* P2. We want decoder_store to be cleaned up before the provider store */ -+ if (ctx->decoder_store != NULL) { -+ ossl_method_store_free(ctx->decoder_store); -+ ctx->decoder_store = NULL; -+ } -+ -+ /* P2. We want encoder_store to be cleaned up before the provider store */ -+ if (ctx->encoder_store != NULL) { -+ ossl_method_store_free(ctx->encoder_store); -+ ctx->encoder_store = NULL; -+ } -+ -+ /* P2. We want loader_store to be cleaned up before the provider store */ -+ if (ctx->store_loader_store != NULL) { -+ ossl_method_store_free(ctx->store_loader_store); -+ ctx->store_loader_store = NULL; -+ } -+#endif -+ -+ /* P1. Needs to be freed before the child provider data is freed */ -+ if (ctx->provider_store != NULL) { -+ ossl_provider_store_free(ctx->provider_store); -+ ctx->provider_store = NULL; -+ } -+ -+ /* Default priority. 
*/ -+ if (ctx->property_string_data != NULL) { -+ ossl_property_string_data_free(ctx->property_string_data); -+ ctx->property_string_data = NULL; -+ } -+ -+ if (ctx->namemap != NULL) { -+ ossl_stored_namemap_free(ctx->namemap); -+ ctx->namemap = NULL; -+ } -+ -+ if (ctx->property_defns != NULL) { -+ ossl_property_defns_free(ctx->property_defns); -+ ctx->property_defns = NULL; -+ } -+ -+ if (ctx->global_properties != NULL) { -+ ossl_ctx_global_properties_free(ctx->global_properties); -+ ctx->global_properties = NULL; -+ } -+ -+#ifndef FIPS_MODULE -+ if (ctx->bio_core != NULL) { -+ ossl_bio_core_globals_free(ctx->bio_core); -+ ctx->bio_core = NULL; -+ } -+#endif -+ -+ if (ctx->drbg_nonce != NULL) { -+ ossl_prov_drbg_nonce_ctx_free(ctx->drbg_nonce); -+ ctx->drbg_nonce = NULL; -+ } -+ -+#ifndef FIPS_MODULE -+ if (ctx->self_test_cb != NULL) { -+ ossl_self_test_set_callback_free(ctx->self_test_cb); -+ ctx->self_test_cb = NULL; -+ } -+#endif -+ -+ if (ctx->rand_crngt != NULL) { -+ ossl_rand_crng_ctx_free(ctx->rand_crngt); -+ ctx->rand_crngt = NULL; -+ } -+ -+#ifdef FIPS_MODULE -+ if (ctx->thread_event_handler != NULL) { -+ ossl_thread_event_ctx_free(ctx->thread_event_handler); -+ ctx->thread_event_handler = NULL; -+ } -+ -+ if (ctx->fips_prov != NULL) { -+ ossl_fips_prov_ossl_ctx_free(ctx->fips_prov); -+ ctx->fips_prov = NULL; -+ } -+#endif -+ -+ /* Low priority. 
*/ -+#ifndef FIPS_MODULE -+ if (ctx->child_provider != NULL) { -+ ossl_child_prov_ctx_free(ctx->child_provider); -+ ctx->child_provider = NULL; -+ } -+#endif -+} -+ - static int context_deinit(OSSL_LIB_CTX *ctx) - { - struct ossl_lib_ctx_onfree_list_st *tmp, *onfree; -- int i; - - if (ctx == NULL) - return 1; - - ossl_ctx_thread_stop(ctx); - -+ context_deinit_objs(ctx); -+ - onfree = ctx->onfreelist; - while (onfree != NULL) { - onfree->fn(ctx); -@@ -130,13 +340,14 @@ static int context_deinit(OSSL_LIB_CTX *ctx) - onfree = onfree->next; - OPENSSL_free(tmp); - } -- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_OSSL_LIB_CTX, NULL, &ctx->data); -+ - ossl_crypto_cleanup_all_ex_data_int(ctx); -- for (i = 0; i < OSSL_LIB_CTX_MAX_INDEXES; i++) -- CRYPTO_THREAD_lock_free(ctx->index_locks[i]); - -+ CRYPTO_THREAD_lock_free(ctx->rand_crngt_lock); - CRYPTO_THREAD_lock_free(ctx->oncelock); - CRYPTO_THREAD_lock_free(ctx->lock); -+ ctx->rand_crngt_lock = NULL; -+ ctx->oncelock = NULL; - ctx->lock = NULL; - return 1; - } -@@ -300,127 +511,89 @@ int ossl_lib_ctx_is_global_default(OSSL_LIB_CTX *ctx) - return 0; - } - --static void ossl_lib_ctx_generic_new(void *parent_ign, void *ptr_ign, -- CRYPTO_EX_DATA *ad, int index, -- long argl_ign, void *argp) -+void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index) - { -- const OSSL_LIB_CTX_METHOD *meth = argp; -- OSSL_LIB_CTX *ctx = ossl_crypto_ex_data_get_ossl_lib_ctx(ad); -- void *ptr = meth->new_func(ctx); -- -- if (ptr != NULL) { -- if (!CRYPTO_THREAD_write_lock(ctx->lock)) -- /* -- * Can't return something, so best to hope that something will -- * fail later. 
:( -- */ -- return; -- CRYPTO_set_ex_data(ad, index, ptr); -- CRYPTO_THREAD_unlock(ctx->lock); -- } --} --static void ossl_lib_ctx_generic_free(void *parent_ign, void *ptr, -- CRYPTO_EX_DATA *ad, int index, -- long argl_ign, void *argp) --{ -- const OSSL_LIB_CTX_METHOD *meth = argp; -- -- meth->free_func(ptr); --} -- --static int ossl_lib_ctx_init_index(OSSL_LIB_CTX *ctx, int static_index, -- const OSSL_LIB_CTX_METHOD *meth) --{ -- int idx; -+ void *p; - - ctx = ossl_lib_ctx_get_concrete(ctx); - if (ctx == NULL) -- return 0; -+ return NULL; - -- idx = ossl_crypto_get_ex_new_index_ex(ctx, CRYPTO_EX_INDEX_OSSL_LIB_CTX, 0, -- (void *)meth, -- ossl_lib_ctx_generic_new, -- NULL, ossl_lib_ctx_generic_free, -- meth->priority); -- if (idx < 0) -- return 0; -+ switch (index) { -+ case OSSL_LIB_CTX_PROPERTY_STRING_INDEX: -+ return ctx->property_string_data; -+ case OSSL_LIB_CTX_EVP_METHOD_STORE_INDEX: -+ return ctx->evp_method_store; -+ case OSSL_LIB_CTX_PROVIDER_STORE_INDEX: -+ return ctx->provider_store; -+ case OSSL_LIB_CTX_NAMEMAP_INDEX: -+ return ctx->namemap; -+ case OSSL_LIB_CTX_PROPERTY_DEFN_INDEX: -+ return ctx->property_defns; -+ case OSSL_LIB_CTX_GLOBAL_PROPERTIES: -+ return ctx->global_properties; -+ case OSSL_LIB_CTX_DRBG_INDEX: -+ return ctx->drbg; -+ case OSSL_LIB_CTX_DRBG_NONCE_INDEX: -+ return ctx->drbg_nonce; -+#ifndef FIPS_MODULE -+ case OSSL_LIB_CTX_PROVIDER_CONF_INDEX: -+ return ctx->provider_conf; -+ case OSSL_LIB_CTX_BIO_CORE_INDEX: -+ return ctx->bio_core; -+ case OSSL_LIB_CTX_CHILD_PROVIDER_INDEX: -+ return ctx->child_provider; -+ case OSSL_LIB_CTX_DECODER_STORE_INDEX: -+ return ctx->decoder_store; -+ case OSSL_LIB_CTX_ENCODER_STORE_INDEX: -+ return ctx->encoder_store; -+ case OSSL_LIB_CTX_STORE_LOADER_STORE_INDEX: -+ return ctx->store_loader_store; -+ case OSSL_LIB_CTX_SELF_TEST_CB_INDEX: -+ return ctx->self_test_cb; -+#endif - -- ctx->dyn_indexes[static_index] = idx; -- return 1; --} -+ case OSSL_LIB_CTX_RAND_CRNGT_INDEX: { -+ -+ /* -+ * rand_crngt 
must be lazily initialized because it calls into -+ * libctx, so must not be called from context_init, else a deadlock -+ * will occur. -+ * -+ * We use a separate lock because code called by the instantiation -+ * of rand_crngt is liable to try and take the libctx lock. -+ */ -+ if (CRYPTO_THREAD_read_lock(ctx->rand_crngt_lock) != 1) -+ return NULL; - --void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index, -- const OSSL_LIB_CTX_METHOD *meth) --{ -- void *data = NULL; -- int dynidx; -+ if (ctx->rand_crngt == NULL) { -+ CRYPTO_THREAD_unlock(ctx->rand_crngt_lock); - -- ctx = ossl_lib_ctx_get_concrete(ctx); -- if (ctx == NULL) -- return NULL; -- -- if (!CRYPTO_THREAD_read_lock(ctx->lock)) -- return NULL; -- dynidx = ctx->dyn_indexes[index]; -- CRYPTO_THREAD_unlock(ctx->lock); -+ if (CRYPTO_THREAD_write_lock(ctx->rand_crngt_lock) != 1) -+ return NULL; - -- if (dynidx != -1) { -- if (!CRYPTO_THREAD_read_lock(ctx->index_locks[index])) -- return NULL; -- if (!CRYPTO_THREAD_read_lock(ctx->lock)) { -- CRYPTO_THREAD_unlock(ctx->index_locks[index]); -- return NULL; -+ if (ctx->rand_crngt == NULL) -+ ctx->rand_crngt = ossl_rand_crng_ctx_new(ctx); - } -- data = CRYPTO_get_ex_data(&ctx->data, dynidx); -- CRYPTO_THREAD_unlock(ctx->lock); -- CRYPTO_THREAD_unlock(ctx->index_locks[index]); -- return data; -- } - -- if (!CRYPTO_THREAD_write_lock(ctx->index_locks[index])) -- return NULL; -- if (!CRYPTO_THREAD_write_lock(ctx->lock)) { -- CRYPTO_THREAD_unlock(ctx->index_locks[index]); -- return NULL; -- } -+ p = ctx->rand_crngt; - -- dynidx = ctx->dyn_indexes[index]; -- if (dynidx != -1) { -- data = CRYPTO_get_ex_data(&ctx->data, dynidx); -- CRYPTO_THREAD_unlock(ctx->lock); -- CRYPTO_THREAD_unlock(ctx->index_locks[index]); -- return data; -- } -+ CRYPTO_THREAD_unlock(ctx->rand_crngt_lock); - -- if (!ossl_lib_ctx_init_index(ctx, index, meth)) { -- CRYPTO_THREAD_unlock(ctx->lock); -- CRYPTO_THREAD_unlock(ctx->index_locks[index]); -- return NULL; -+ return p; - } - -- 
CRYPTO_THREAD_unlock(ctx->lock); -- -- /* -- * The alloc call ensures there's a value there. We release the ctx->lock -- * for this, because the allocation itself may recursively call -- * ossl_lib_ctx_get_data for other indexes (never this one). The allocation -- * will itself aquire the ctx->lock when it actually comes to store the -- * allocated data (see ossl_lib_ctx_generic_new() above). We call -- * ossl_crypto_alloc_ex_data_intern() here instead of CRYPTO_alloc_ex_data(). -- * They do the same thing except that the latter calls CRYPTO_get_ex_data() -- * as well - which we must not do without holding the ctx->lock. -- */ -- if (ossl_crypto_alloc_ex_data_intern(CRYPTO_EX_INDEX_OSSL_LIB_CTX, NULL, -- &ctx->data, ctx->dyn_indexes[index])) { -- if (!CRYPTO_THREAD_read_lock(ctx->lock)) -- goto end; -- data = CRYPTO_get_ex_data(&ctx->data, ctx->dyn_indexes[index]); -- CRYPTO_THREAD_unlock(ctx->lock); -- } -+#ifdef FIPS_MODULE -+ case OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX: -+ return ctx->thread_event_handler; - --end: -- CRYPTO_THREAD_unlock(ctx->index_locks[index]); -- return data; -+ case OSSL_LIB_CTX_FIPS_PROV_INDEX: -+ return ctx->fips_prov; -+#endif -+ -+ default: -+ return NULL; -+ } - } - - OSSL_EX_DATA_GLOBAL *ossl_lib_ctx_get_ex_data_global(OSSL_LIB_CTX *ctx) -diff --git a/crypto/core_namemap.c b/crypto/core_namemap.c -index 7e11ab1c88..554524a5c4 100644 ---- a/crypto/core_namemap.c -+++ b/crypto/core_namemap.c -@@ -12,6 +12,7 @@ - #include "crypto/lhash.h" /* ossl_lh_strcasehash */ - #include "internal/tsan_assist.h" - #include "internal/sizes.h" -+#include "crypto/context.h" - - /*- - * The namenum entry -@@ -60,7 +61,7 @@ static void namenum_free(NAMENUM_ENTRY *n) - - /* OSSL_LIB_CTX_METHOD functions for a namemap stored in a library context */ - --static void *stored_namemap_new(OSSL_LIB_CTX *libctx) -+void *ossl_stored_namemap_new(OSSL_LIB_CTX *libctx) - { - OSSL_NAMEMAP *namemap = ossl_namemap_new(); - -@@ -70,7 +71,7 @@ static void 
*stored_namemap_new(OSSL_LIB_CTX *libctx) - return namemap; - } - --static void stored_namemap_free(void *vnamemap) -+void ossl_stored_namemap_free(void *vnamemap) - { - OSSL_NAMEMAP *namemap = vnamemap; - -@@ -81,12 +82,6 @@ static void stored_namemap_free(void *vnamemap) - } - } - --static const OSSL_LIB_CTX_METHOD stored_namemap_method = { -- OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, -- stored_namemap_new, -- stored_namemap_free, --}; -- - /*- - * API functions - * ============= -@@ -468,8 +463,7 @@ OSSL_NAMEMAP *ossl_namemap_stored(OSSL_LIB_CTX *libctx) - int nms; - #endif - OSSL_NAMEMAP *namemap = -- ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_NAMEMAP_INDEX, -- &stored_namemap_method); -+ ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_NAMEMAP_INDEX); - - if (namemap == NULL) - return NULL; -diff --git a/crypto/encode_decode/decoder_meth.c b/crypto/encode_decode/decoder_meth.c -index 496fbe3320..62e30ccb1a 100644 ---- a/crypto/encode_decode/decoder_meth.c -+++ b/crypto/encode_decode/decoder_meth.c -@@ -17,6 +17,7 @@ - #include "internal/provider.h" - #include "crypto/decoder.h" - #include "encoder_local.h" -+#include "crypto/context.h" - - /* - * Decoder can have multiple names, separated with colons in a name string -@@ -65,25 +66,6 @@ void OSSL_DECODER_free(OSSL_DECODER *decoder) - OPENSSL_free(decoder); - } - --/* Permanent decoder method store, constructor and destructor */ --static void decoder_store_free(void *vstore) --{ -- ossl_method_store_free(vstore); --} -- --static void *decoder_store_new(OSSL_LIB_CTX *ctx) --{ -- return ossl_method_store_new(ctx); --} -- -- --static const OSSL_LIB_CTX_METHOD decoder_store_method = { -- /* We want decoder_store to be cleaned up before the provider store */ -- OSSL_LIB_CTX_METHOD_PRIORITY_2, -- decoder_store_new, -- decoder_store_free, --}; -- - /* Data to be passed through ossl_method_construct() */ - struct decoder_data_st { - OSSL_LIB_CTX *libctx; -@@ -120,8 +102,7 @@ static void dealloc_tmp_decoder_store(void *store) - 
/* Get the permanent decoder store */ - static OSSL_METHOD_STORE *get_decoder_store(OSSL_LIB_CTX *libctx) - { -- return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DECODER_STORE_INDEX, -- &decoder_store_method); -+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DECODER_STORE_INDEX); - } - - static int reserve_decoder_store(void *store, void *data) -diff --git a/crypto/encode_decode/encoder_meth.c b/crypto/encode_decode/encoder_meth.c -index 89e7b6abf8..f91d349587 100644 ---- a/crypto/encode_decode/encoder_meth.c -+++ b/crypto/encode_decode/encoder_meth.c -@@ -17,6 +17,7 @@ - #include "internal/provider.h" - #include "crypto/encoder.h" - #include "encoder_local.h" -+#include "crypto/context.h" - - /* - * Encoder can have multiple names, separated with colons in a name string -@@ -65,25 +66,6 @@ void OSSL_ENCODER_free(OSSL_ENCODER *encoder) - OPENSSL_free(encoder); - } - --/* Permanent encoder method store, constructor and destructor */ --static void encoder_store_free(void *vstore) --{ -- ossl_method_store_free(vstore); --} -- --static void *encoder_store_new(OSSL_LIB_CTX *ctx) --{ -- return ossl_method_store_new(ctx); --} -- -- --static const OSSL_LIB_CTX_METHOD encoder_store_method = { -- /* We want encoder_store to be cleaned up before the provider store */ -- OSSL_LIB_CTX_METHOD_PRIORITY_2, -- encoder_store_new, -- encoder_store_free, --}; -- - /* Data to be passed through ossl_method_construct() */ - struct encoder_data_st { - OSSL_LIB_CTX *libctx; -@@ -120,8 +102,7 @@ static void dealloc_tmp_encoder_store(void *store) - /* Get the permanent encoder store */ - static OSSL_METHOD_STORE *get_encoder_store(OSSL_LIB_CTX *libctx) - { -- return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_ENCODER_STORE_INDEX, -- &encoder_store_method); -+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_ENCODER_STORE_INDEX); - } - - static int reserve_encoder_store(void *store, void *data) -diff --git a/crypto/evp/evp_fetch.c b/crypto/evp/evp_fetch.c -index aafd927e63..b9ef0200bb 
100644 ---- a/crypto/evp/evp_fetch.c -+++ b/crypto/evp/evp_fetch.c -@@ -23,24 +23,6 @@ - - #define NAME_SEPARATOR ':' - --static void evp_method_store_free(void *vstore) --{ -- ossl_method_store_free(vstore); --} -- --static void *evp_method_store_new(OSSL_LIB_CTX *ctx) --{ -- return ossl_method_store_new(ctx); --} -- -- --static const OSSL_LIB_CTX_METHOD evp_method_store_method = { -- /* We want evp_method_store to be cleaned up before the provider store */ -- OSSL_LIB_CTX_METHOD_PRIORITY_2, -- evp_method_store_new, -- evp_method_store_free, --}; -- - /* Data to be passed through ossl_method_construct() */ - struct evp_method_data_st { - OSSL_LIB_CTX *libctx; -@@ -79,8 +61,7 @@ static void *get_tmp_evp_method_store(void *data) - - static OSSL_METHOD_STORE *get_evp_method_store(OSSL_LIB_CTX *libctx) - { -- return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_EVP_METHOD_STORE_INDEX, -- &evp_method_store_method); -+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_EVP_METHOD_STORE_INDEX); - } - - static int reserve_evp_method_store(void *store, void *data) -diff --git a/crypto/initthread.c b/crypto/initthread.c -index 1bdaeda9fc..ee57d14466 100644 ---- a/crypto/initthread.c -+++ b/crypto/initthread.c -@@ -12,6 +12,7 @@ - #include "crypto/cryptlib.h" - #include "prov/providercommon.h" - #include "internal/thread_once.h" -+#include "crypto/context.h" - - #ifdef FIPS_MODULE - #include "prov/provider_ctx.h" -@@ -248,7 +249,7 @@ void ossl_ctx_thread_stop(OSSL_LIB_CTX *ctx) - - #else - --static void *thread_event_ossl_ctx_new(OSSL_LIB_CTX *libctx) -+void *ossl_thread_event_ctx_new(OSSL_LIB_CTX *libctx) - { - THREAD_EVENT_HANDLER **hands = NULL; - CRYPTO_THREAD_LOCAL *tlocal = OPENSSL_zalloc(sizeof(*tlocal)); -@@ -274,17 +275,11 @@ static void *thread_event_ossl_ctx_new(OSSL_LIB_CTX *libctx) - return NULL; - } - --static void thread_event_ossl_ctx_free(void *tlocal) -+void ossl_thread_event_ctx_free(void *tlocal) - { - OPENSSL_free(tlocal); - } - --static const 
OSSL_LIB_CTX_METHOD thread_event_ossl_ctx_method = { -- OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, -- thread_event_ossl_ctx_new, -- thread_event_ossl_ctx_free, --}; -- - static void ossl_arg_thread_stop(void *arg) - { - ossl_ctx_thread_stop((OSSL_LIB_CTX *)arg); -@@ -294,8 +289,7 @@ void ossl_ctx_thread_stop(OSSL_LIB_CTX *ctx) - { - THREAD_EVENT_HANDLER **hands; - CRYPTO_THREAD_LOCAL *local -- = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX, -- &thread_event_ossl_ctx_method); -+ = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX); - - if (local == NULL) - return; -@@ -363,8 +357,7 @@ int ossl_init_thread_start(const void *index, void *arg, - * OSSL_LIB_CTX gets informed about thread stop events individually. - */ - CRYPTO_THREAD_LOCAL *local -- = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX, -- &thread_event_ossl_ctx_method); -+ = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX); - #else - /* - * Outside of FIPS mode the list of THREAD_EVENT_HANDLERs is unique per -diff --git a/crypto/property/defn_cache.c b/crypto/property/defn_cache.c -index b4cd67c990..c697e6f474 100644 ---- a/crypto/property/defn_cache.c -+++ b/crypto/property/defn_cache.c -@@ -15,6 +15,7 @@ - #include "internal/property.h" - #include "internal/core.h" - #include "property_local.h" -+#include "crypto/context.h" - - /* - * Implement a property definition cache. 
-@@ -47,7 +48,7 @@ static void property_defn_free(PROPERTY_DEFN_ELEM *elem) - OPENSSL_free(elem); - } - --static void property_defns_free(void *vproperty_defns) -+void ossl_property_defns_free(void *vproperty_defns) - { - LHASH_OF(PROPERTY_DEFN_ELEM) *property_defns = vproperty_defns; - -@@ -58,24 +59,17 @@ static void property_defns_free(void *vproperty_defns) - } - } - --static void *property_defns_new(OSSL_LIB_CTX *ctx) { -+void *ossl_property_defns_new(OSSL_LIB_CTX *ctx) { - return lh_PROPERTY_DEFN_ELEM_new(&property_defn_hash, &property_defn_cmp); - } - --static const OSSL_LIB_CTX_METHOD property_defns_method = { -- OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, -- property_defns_new, -- property_defns_free, --}; -- - OSSL_PROPERTY_LIST *ossl_prop_defn_get(OSSL_LIB_CTX *ctx, const char *prop) - { - PROPERTY_DEFN_ELEM elem, *r; - LHASH_OF(PROPERTY_DEFN_ELEM) *property_defns; - - property_defns = ossl_lib_ctx_get_data(ctx, -- OSSL_LIB_CTX_PROPERTY_DEFN_INDEX, -- &property_defns_method); -+ OSSL_LIB_CTX_PROPERTY_DEFN_INDEX); - if (property_defns == NULL || !ossl_lib_ctx_read_lock(ctx)) - return NULL; - -@@ -99,8 +93,7 @@ int ossl_prop_defn_set(OSSL_LIB_CTX *ctx, const char *prop, - int res = 1; - - property_defns = ossl_lib_ctx_get_data(ctx, -- OSSL_LIB_CTX_PROPERTY_DEFN_INDEX, -- &property_defns_method); -+ OSSL_LIB_CTX_PROPERTY_DEFN_INDEX); - if (property_defns == NULL) - return 0; - -diff --git a/crypto/property/property.c b/crypto/property/property.c -index 2c92cb5e50..fe00815cbe 100644 ---- a/crypto/property/property.c -+++ b/crypto/property/property.c -@@ -23,6 +23,7 @@ - #include "crypto/lhash.h" - #include "crypto/sparse_array.h" - #include "property_local.h" -+#include "crypto/context.h" - - /* - * The number of elements in the query cache before we initiate a flush. 
-@@ -107,7 +108,7 @@ static void ossl_method_cache_flush_alg(OSSL_METHOD_STORE *store, - static void ossl_method_cache_flush(OSSL_METHOD_STORE *store, int nid); - - /* Global properties are stored per library context */ --static void ossl_ctx_global_properties_free(void *vglobp) -+void ossl_ctx_global_properties_free(void *vglobp) - { - OSSL_GLOBAL_PROPERTIES *globp = vglobp; - -@@ -117,17 +118,11 @@ static void ossl_ctx_global_properties_free(void *vglobp) - } - } - --static void *ossl_ctx_global_properties_new(OSSL_LIB_CTX *ctx) -+void *ossl_ctx_global_properties_new(OSSL_LIB_CTX *ctx) - { - return OPENSSL_zalloc(sizeof(OSSL_GLOBAL_PROPERTIES)); - } - --static const OSSL_LIB_CTX_METHOD ossl_ctx_global_properties_method = { -- OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, -- ossl_ctx_global_properties_new, -- ossl_ctx_global_properties_free, --}; -- - OSSL_PROPERTY_LIST **ossl_ctx_global_properties(OSSL_LIB_CTX *libctx, - ossl_unused int loadconfig) - { -@@ -137,8 +132,7 @@ OSSL_PROPERTY_LIST **ossl_ctx_global_properties(OSSL_LIB_CTX *libctx, - if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) - return NULL; - #endif -- globp = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_GLOBAL_PROPERTIES, -- &ossl_ctx_global_properties_method); -+ globp = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_GLOBAL_PROPERTIES); - - return globp != NULL ? &globp->list : NULL; - } -@@ -147,8 +141,7 @@ OSSL_PROPERTY_LIST **ossl_ctx_global_properties(OSSL_LIB_CTX *libctx, - int ossl_global_properties_no_mirrored(OSSL_LIB_CTX *libctx) - { - OSSL_GLOBAL_PROPERTIES *globp -- = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_GLOBAL_PROPERTIES, -- &ossl_ctx_global_properties_method); -+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_GLOBAL_PROPERTIES); - - return globp != NULL && globp->no_mirrored ? 
1 : 0; - } -@@ -156,8 +149,7 @@ int ossl_global_properties_no_mirrored(OSSL_LIB_CTX *libctx) - void ossl_global_properties_stop_mirroring(OSSL_LIB_CTX *libctx) - { - OSSL_GLOBAL_PROPERTIES *globp -- = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_GLOBAL_PROPERTIES, -- &ossl_ctx_global_properties_method); -+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_GLOBAL_PROPERTIES); - - if (globp != NULL) - globp->no_mirrored = 1; -diff --git a/crypto/property/property_string.c b/crypto/property/property_string.c -index 5a1f5cd2dc..3f978c06a3 100644 ---- a/crypto/property/property_string.c -+++ b/crypto/property/property_string.c -@@ -13,6 +13,7 @@ - #include - #include "crypto/lhash.h" - #include "property_local.h" -+#include "crypto/context.h" - - /* - * Property strings are a consolidation of all strings seen by the property -@@ -72,7 +73,7 @@ static void property_table_free(PROP_TABLE **pt) - } - } - --static void property_string_data_free(void *vpropdata) -+void ossl_property_string_data_free(void *vpropdata) - { - PROPERTY_STRING_DATA *propdata = vpropdata; - -@@ -92,7 +93,7 @@ static void property_string_data_free(void *vpropdata) - OPENSSL_free(propdata); - } - --static void *property_string_data_new(OSSL_LIB_CTX *ctx) { -+void *ossl_property_string_data_new(OSSL_LIB_CTX *ctx) { - PROPERTY_STRING_DATA *propdata = OPENSSL_zalloc(sizeof(*propdata)); - - if (propdata == NULL) -@@ -114,18 +115,12 @@ static void *property_string_data_new(OSSL_LIB_CTX *ctx) { - || propdata->prop_values == NULL - || propdata->prop_namelist == NULL - || propdata->prop_valuelist == NULL) { -- property_string_data_free(propdata); -+ ossl_property_string_data_free(propdata); - return NULL; - } - return propdata; - } - --static const OSSL_LIB_CTX_METHOD property_string_data_method = { -- OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, -- property_string_data_new, -- property_string_data_free, --}; -- - static PROPERTY_STRING *new_property_string(const char *s, - OSSL_PROPERTY_IDX *pidx) - { -@@ -151,8 +146,7 
@@ static OSSL_PROPERTY_IDX ossl_property_string(OSSL_LIB_CTX *ctx, int name, - STACK_OF(OPENSSL_CSTRING) *slist; - OSSL_PROPERTY_IDX *pidx; - PROPERTY_STRING_DATA *propdata -- = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_PROPERTY_STRING_INDEX, -- &property_string_data_method); -+ = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_PROPERTY_STRING_INDEX); - - if (propdata == NULL) - return 0; -@@ -224,8 +218,7 @@ static const char *ossl_property_str(int name, OSSL_LIB_CTX *ctx, - { - const char *r; - PROPERTY_STRING_DATA *propdata -- = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_PROPERTY_STRING_INDEX, -- &property_string_data_method); -+ = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_PROPERTY_STRING_INDEX); - - if (propdata == NULL) - return NULL; -diff --git a/crypto/provider_child.c b/crypto/provider_child.c -index 16728f9c12..b1eadd5b19 100644 ---- a/crypto/provider_child.c -+++ b/crypto/provider_child.c -@@ -16,6 +16,7 @@ - #include "internal/provider.h" - #include "internal/cryptlib.h" - #include "crypto/evp.h" -+#include "crypto/context.h" - - DEFINE_STACK_OF(OSSL_PROVIDER) - -@@ -33,12 +34,12 @@ struct child_prov_globals { - OSSL_FUNC_provider_free_fn *c_prov_free; - }; - --static void *child_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) -+void *ossl_child_prov_ctx_new(OSSL_LIB_CTX *libctx) - { - return OPENSSL_zalloc(sizeof(struct child_prov_globals)); - } - --static void child_prov_ossl_ctx_free(void *vgbl) -+void ossl_child_prov_ctx_free(void *vgbl) - { - struct child_prov_globals *gbl = vgbl; - -@@ -46,12 +47,6 @@ static void child_prov_ossl_ctx_free(void *vgbl) - OPENSSL_free(gbl); - } - --static const OSSL_LIB_CTX_METHOD child_prov_ossl_ctx_method = { -- OSSL_LIB_CTX_METHOD_LOW_PRIORITY, -- child_prov_ossl_ctx_new, -- child_prov_ossl_ctx_free, --}; -- - static OSSL_provider_init_fn ossl_child_provider_init; - - static int ossl_child_provider_init(const OSSL_CORE_HANDLE *handle, -@@ -84,8 +79,7 @@ static int ossl_child_provider_init(const OSSL_CORE_HANDLE *handle, - */ - ctx = 
(OSSL_LIB_CTX *)c_get_libctx(handle); - -- gbl = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX, -- &child_prov_ossl_ctx_method); -+ gbl = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX); - if (gbl == NULL) - return 0; - -@@ -103,8 +97,7 @@ static int provider_create_child_cb(const OSSL_CORE_HANDLE *prov, void *cbdata) - OSSL_PROVIDER *cprov; - int ret = 0; - -- gbl = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX, -- &child_prov_ossl_ctx_method); -+ gbl = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX); - if (gbl == NULL) - return 0; - -@@ -166,8 +159,7 @@ static int provider_remove_child_cb(const OSSL_CORE_HANDLE *prov, void *cbdata) - const char *provname; - OSSL_PROVIDER *cprov; - -- gbl = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX, -- &child_prov_ossl_ctx_method); -+ gbl = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX); - if (gbl == NULL) - return 0; - -@@ -203,8 +195,7 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx, - if (ctx == NULL) - return 0; - -- gbl = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX, -- &child_prov_ossl_ctx_method); -+ gbl = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX); - if (gbl == NULL) - return 0; - -@@ -271,8 +262,7 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx, - void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx) - { - struct child_prov_globals *gbl -- = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX, -- &child_prov_ossl_ctx_method); -+ = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX); - if (gbl == NULL) - return; - -@@ -297,8 +287,7 @@ int ossl_provider_up_ref_parent(OSSL_PROVIDER *prov, int activate) - const OSSL_CORE_HANDLE *parent_handle; - - gbl = ossl_lib_ctx_get_data(ossl_provider_libctx(prov), -- OSSL_LIB_CTX_CHILD_PROVIDER_INDEX, -- &child_prov_ossl_ctx_method); -+ OSSL_LIB_CTX_CHILD_PROVIDER_INDEX); - if (gbl == NULL) - return 0; - -@@ -314,8 +303,7 @@ int 
ossl_provider_free_parent(OSSL_PROVIDER *prov, int deactivate) - const OSSL_CORE_HANDLE *parent_handle; - - gbl = ossl_lib_ctx_get_data(ossl_provider_libctx(prov), -- OSSL_LIB_CTX_CHILD_PROVIDER_INDEX, -- &child_prov_ossl_ctx_method); -+ OSSL_LIB_CTX_CHILD_PROVIDER_INDEX); - if (gbl == NULL) - return 0; - -diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c -index 6a62f0df60..e3b576d6c2 100644 ---- a/crypto/provider_conf.c -+++ b/crypto/provider_conf.c -@@ -16,6 +16,7 @@ - #include "internal/provider.h" - #include "internal/cryptlib.h" - #include "provider_local.h" -+#include "crypto/context.h" - - DEFINE_STACK_OF(OSSL_PROVIDER) - -@@ -26,7 +27,7 @@ typedef struct { - STACK_OF(OSSL_PROVIDER) *activated_providers; - } PROVIDER_CONF_GLOBAL; - --static void *prov_conf_ossl_ctx_new(OSSL_LIB_CTX *libctx) -+void *ossl_prov_conf_ctx_new(OSSL_LIB_CTX *libctx) - { - PROVIDER_CONF_GLOBAL *pcgbl = OPENSSL_zalloc(sizeof(*pcgbl)); - -@@ -42,7 +43,7 @@ static void *prov_conf_ossl_ctx_new(OSSL_LIB_CTX *libctx) - return pcgbl; - } - --static void prov_conf_ossl_ctx_free(void *vpcgbl) -+void ossl_prov_conf_ctx_free(void *vpcgbl) - { - PROVIDER_CONF_GLOBAL *pcgbl = vpcgbl; - -@@ -54,13 +55,6 @@ static void prov_conf_ossl_ctx_free(void *vpcgbl) - OPENSSL_free(pcgbl); - } - --static const OSSL_LIB_CTX_METHOD provider_conf_ossl_ctx_method = { -- /* Must be freed before the provider store is freed */ -- OSSL_LIB_CTX_METHOD_PRIORITY_2, -- prov_conf_ossl_ctx_new, -- prov_conf_ossl_ctx_free, --}; -- - static const char *skip_dot(const char *name) - { - const char *p = strchr(name, '.'); -@@ -141,8 +135,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name, - int soft, const CONF *cnf) - { - PROVIDER_CONF_GLOBAL *pcgbl -- = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, -- &provider_conf_ossl_ctx_method); -+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX); - OSSL_PROVIDER *prov = NULL, *actual = NULL; - int ok = 0; - -diff 
--git a/crypto/provider_core.c b/crypto/provider_core.c -index 25583868db..c6925b4028 100644 ---- a/crypto/provider_core.c -+++ b/crypto/provider_core.c -@@ -29,6 +29,7 @@ - #include "internal/bio.h" - #include "internal/core.h" - #include "provider_local.h" -+#include "crypto/context.h" - #ifndef FIPS_MODULE - # include - #endif -@@ -282,7 +283,7 @@ void ossl_provider_info_clear(OSSL_PROVIDER_INFO *info) - sk_INFOPAIR_pop_free(info->parameters, infopair_free); - } - --static void provider_store_free(void *vstore) -+void ossl_provider_store_free(void *vstore) - { - struct provider_store_st *store = vstore; - size_t i; -@@ -304,7 +305,7 @@ static void provider_store_free(void *vstore) - OPENSSL_free(store); - } - --static void *provider_store_new(OSSL_LIB_CTX *ctx) -+void *ossl_provider_store_new(OSSL_LIB_CTX *ctx) - { - struct provider_store_st *store = OPENSSL_zalloc(sizeof(*store)); - -@@ -315,7 +316,7 @@ static void *provider_store_new(OSSL_LIB_CTX *ctx) - || (store->child_cbs = sk_OSSL_PROVIDER_CHILD_CB_new_null()) == NULL - #endif - || (store->lock = CRYPTO_THREAD_lock_new()) == NULL) { -- provider_store_free(store); -+ ossl_provider_store_free(store); - return NULL; - } - store->libctx = ctx; -@@ -324,19 +325,11 @@ static void *provider_store_new(OSSL_LIB_CTX *ctx) - return store; - } - --static const OSSL_LIB_CTX_METHOD provider_store_method = { -- /* Needs to be freed before the child provider data is freed */ -- OSSL_LIB_CTX_METHOD_PRIORITY_1, -- provider_store_new, -- provider_store_free, --}; -- - static struct provider_store_st *get_provider_store(OSSL_LIB_CTX *libctx) - { - struct provider_store_st *store = NULL; - -- store = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_STORE_INDEX, -- &provider_store_method); -+ store = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_STORE_INDEX); - if (store == NULL) - ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); - return store; -diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c -index 
caedbca204..3f04ec171e 100644 ---- a/crypto/rand/rand_lib.c -+++ b/crypto/rand/rand_lib.c -@@ -18,6 +18,7 @@ - #include "crypto/rand.h" - #include "crypto/cryptlib.h" - #include "rand_local.h" -+#include "crypto/context.h" - - #ifndef FIPS_MODULE - # include -@@ -434,7 +435,7 @@ typedef struct rand_global_st { - * Initialize the OSSL_LIB_CTX global DRBGs on first use. - * Returns the allocated global data on success or NULL on failure. - */ --static void *rand_ossl_ctx_new(OSSL_LIB_CTX *libctx) -+void *ossl_rand_ctx_new(OSSL_LIB_CTX *libctx) - { - RAND_GLOBAL *dgbl = OPENSSL_zalloc(sizeof(*dgbl)); - -@@ -469,7 +470,7 @@ static void *rand_ossl_ctx_new(OSSL_LIB_CTX *libctx) - return NULL; - } - --static void rand_ossl_ctx_free(void *vdgbl) -+void ossl_rand_ctx_free(void *vdgbl) - { - RAND_GLOBAL *dgbl = vdgbl; - -@@ -491,16 +492,9 @@ static void rand_ossl_ctx_free(void *vdgbl) - OPENSSL_free(dgbl); - } - --static const OSSL_LIB_CTX_METHOD rand_drbg_ossl_ctx_method = { -- OSSL_LIB_CTX_METHOD_PRIORITY_2, -- rand_ossl_ctx_new, -- rand_ossl_ctx_free, --}; -- - static RAND_GLOBAL *rand_get_global(OSSL_LIB_CTX *libctx) - { -- return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DRBG_INDEX, -- &rand_drbg_ossl_ctx_method); -+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DRBG_INDEX); - } - - static void rand_delete_thread_state(void *arg) -diff --git a/crypto/self_test_core.c b/crypto/self_test_core.c -index dad4be208a..e0999fb05f 100644 ---- a/crypto/self_test_core.c -+++ b/crypto/self_test_core.c -@@ -11,6 +11,7 @@ - #include - #include - #include "internal/cryptlib.h" -+#include "crypto/context.h" - - typedef struct self_test_cb_st - { -@@ -32,7 +33,7 @@ struct ossl_self_test_st - }; - - #ifndef FIPS_MODULE --static void *self_test_set_callback_new(OSSL_LIB_CTX *ctx) -+void *ossl_self_test_set_callback_new(OSSL_LIB_CTX *ctx) - { - SELF_TEST_CB *stcb; - -@@ -40,21 +41,14 @@ static void *self_test_set_callback_new(OSSL_LIB_CTX *ctx) - return stcb; - } - --static void 
self_test_set_callback_free(void *stcb) -+void ossl_self_test_set_callback_free(void *stcb) - { - OPENSSL_free(stcb); - } - --static const OSSL_LIB_CTX_METHOD self_test_set_callback_method = { -- OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, -- self_test_set_callback_new, -- self_test_set_callback_free, --}; -- - static SELF_TEST_CB *get_self_test_callback(OSSL_LIB_CTX *libctx) - { -- return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_SELF_TEST_CB_INDEX, -- &self_test_set_callback_method); -+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_SELF_TEST_CB_INDEX); - } - - void OSSL_SELF_TEST_set_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK *cb, -diff --git a/crypto/store/store_meth.c b/crypto/store/store_meth.c -index a5b0d1b095..42848b799a 100644 ---- a/crypto/store/store_meth.c -+++ b/crypto/store/store_meth.c -@@ -14,6 +14,7 @@ - #include "internal/property.h" - #include "internal/provider.h" - #include "store_local.h" -+#include "crypto/context.h" - - int OSSL_STORE_LOADER_up_ref(OSSL_STORE_LOADER *loader) - { -@@ -68,25 +69,6 @@ static void free_loader(void *method) - OSSL_STORE_LOADER_free(method); - } - --/* Permanent loader method store, constructor and destructor */ --static void loader_store_free(void *vstore) --{ -- ossl_method_store_free(vstore); --} -- --static void *loader_store_new(OSSL_LIB_CTX *ctx) --{ -- return ossl_method_store_new(ctx); --} -- -- --static const OSSL_LIB_CTX_METHOD loader_store_method = { -- /* We want loader_store to be cleaned up before the provider store */ -- OSSL_LIB_CTX_METHOD_PRIORITY_2, -- loader_store_new, -- loader_store_free, --}; -- - /* Data to be passed through ossl_method_construct() */ - struct loader_data_st { - OSSL_LIB_CTX *libctx; -@@ -123,8 +105,7 @@ static void *get_tmp_loader_store(void *data) - /* Get the permanent loader store */ - static OSSL_METHOD_STORE *get_loader_store(OSSL_LIB_CTX *libctx) - { -- return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_STORE_LOADER_STORE_INDEX, -- &loader_store_method); -+ return 
ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_STORE_LOADER_STORE_INDEX); - } - - static int reserve_loader_store(void *store, void *data) -diff --git a/doc/internal/man3/ossl_lib_ctx_get_data.pod b/doc/internal/man3/ossl_lib_ctx_get_data.pod -index faedf7275f..2ffd000da1 100644 ---- a/doc/internal/man3/ossl_lib_ctx_get_data.pod -+++ b/doc/internal/man3/ossl_lib_ctx_get_data.pod -@@ -11,14 +11,7 @@ ossl_lib_ctx_is_child - #include - #include "internal/cryptlib.h" - -- typedef struct ossl_lib_ctx_method { -- int priority; -- void *(*new_func)(OSSL_LIB_CTX *ctx); -- void (*free_func)(void *); -- } OSSL_LIB_CTX_METHOD; -- -- void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index, -- const OSSL_LIB_CTX_METHOD *meth); -+ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index); - - int ossl_lib_ctx_run_once(OSSL_LIB_CTX *ctx, unsigned int idx, - ossl_lib_ctx_run_once_fn run_once_fn); -@@ -28,38 +21,24 @@ ossl_lib_ctx_is_child - - =head1 DESCRIPTION - --Internally, the OpenSSL library context B is implemented --as a B, which allows data from diverse parts of the --library to be added and removed dynamically. --Each such data item must have a corresponding CRYPTO_EX_DATA index --associated with it. Unlike normal CRYPTO_EX_DATA objects we use static indexes --to identify data items. These are mapped transparently to CRYPTO_EX_DATA dynamic --indexes internally to the implementation. --See the example further down to see how that's done. -- --ossl_lib_ctx_get_data() is used to retrieve a pointer to the data in --the library context I associated with the given I. An --OSSL_LIB_CTX_METHOD must be defined and given in the I parameter. The index --for it should be defined in cryptlib.h. The functions through the method are --used to create or free items that are stored at that index whenever a library --context is created or freed, meaning that the code that use a data item of that --index doesn't have to worry about that, just use the data available. 
-- --Deallocation of an index happens automatically when the library --context is freed. -- --ossl_lib_ctx_run_once is used to run some initialisation routine I -+ossl_lib_ctx_run_once() is used to run some initialisation routine I - exactly once per library context I object. Each initialisation routine - should be allocate a unique run once index in cryptlib.h. - - Any resources allocated via a run once initialisation routine can be cleaned up --using ossl_lib_ctx_onfree. This associates an "on free" routine I with -+using ossl_lib_ctx_onfree(). This associates an "on free" routine I with - the library context I. When I is freed all associated "on free" - routines are called. - - ossl_lib_ctx_is_child() returns 1 if this library context is a child and 0 - otherwise. - -+ossl_lib_ctx_get_data() allows different parts of the library to retrieve -+pointers to structures used in diverse parts of the library. The lifetime of -+these structures is managed by B. The different objects which can -+be retrieved are specified with the given argument I. The valid values of -+I are specified in cryptlib.h. -+ - =head1 RETURN VALUES - - ossl_lib_ctx_get_data() returns a pointer on success, or NULL on -@@ -67,51 +46,15 @@ failure. - - =head1 EXAMPLES - --=head2 Initialization -- --For a type C that should end up in the OpenSSL library context, a --small bit of initialization is needed, i.e. to associate a constructor --and a destructor to an index. 
-- -- typedef struct foo_st { -- int i; -- void *data; -- } FOO; -- -- static void *foo_new(OSSL_LIB_CTX *ctx) -- { -- FOO *ptr = OPENSSL_zalloc(sizeof(*foo)); -- if (ptr != NULL) -- ptr->i = 42; -- return ptr; -- } -- static void foo_free(void *ptr) -- { -- OPENSSL_free(ptr); -- } -- -- /* -- * Include a reference to this in the methods table in context.c -- * OSSL_LIB_CTX_FOO_INDEX should be added to internal/cryptlib.h -- * Priorities can be OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, -- * OSSL_LIB_CTX_METHOD_PRIORITY_1, OSSL_LIB_CTX_METHOD_PRIORITY_2, etc. -- * Default priority is low (0). The higher the priority the earlier the -- * method's destructor will be called when the library context is cleaned up. -- */ -- const OSSL_LIB_CTX_METHOD foo_method = { -- OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, -- foo_new, -- foo_free -- }; -- - =head2 Usage - --To get and use the data stored in the library context, simply do this: -+To obtain a pointer for an object managed by the library context, simply do -+this: - - /* - * ctx is received from a caller, - */ -- FOO *data = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_FOO_INDEX, &foo_method); -+ FOO *data = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_FOO_INDEX); - - =head2 Run Once - -diff --git a/include/crypto/context.h b/include/crypto/context.h -new file mode 100644 -index 0000000000..143f6d6b6d ---- /dev/null -+++ b/include/crypto/context.h -@@ -0,0 +1,40 @@ -+/* -+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. 
You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#include -+ -+void *ossl_provider_store_new(OSSL_LIB_CTX *); -+void *ossl_property_string_data_new(OSSL_LIB_CTX *); -+void *ossl_stored_namemap_new(OSSL_LIB_CTX *); -+void *ossl_property_defns_new(OSSL_LIB_CTX *); -+void *ossl_ctx_global_properties_new(OSSL_LIB_CTX *); -+void *ossl_rand_ctx_new(OSSL_LIB_CTX *); -+void *ossl_prov_conf_ctx_new(OSSL_LIB_CTX *); -+void *ossl_bio_core_globals_new(OSSL_LIB_CTX *); -+void *ossl_child_prov_ctx_new(OSSL_LIB_CTX *); -+void *ossl_prov_drbg_nonce_ctx_new(OSSL_LIB_CTX *); -+void *ossl_self_test_set_callback_new(OSSL_LIB_CTX *); -+void *ossl_rand_crng_ctx_new(OSSL_LIB_CTX *); -+void *ossl_thread_event_ctx_new(OSSL_LIB_CTX *); -+void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *); -+ -+void ossl_provider_store_free(void *); -+void ossl_property_string_data_free(void *); -+void ossl_stored_namemap_free(void *); -+void ossl_property_defns_free(void *); -+void ossl_ctx_global_properties_free(void *); -+void ossl_rand_ctx_free(void *); -+void ossl_prov_conf_ctx_free(void *); -+void ossl_bio_core_globals_free(void *); -+void ossl_child_prov_ctx_free(void *); -+void ossl_prov_drbg_nonce_ctx_free(void *); -+void ossl_self_test_set_callback_free(void *); -+void ossl_rand_crng_ctx_free(void *); -+void ossl_thread_event_ctx_free(void *); -+void ossl_fips_prov_ossl_ctx_free(void *); -diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h -index 1291299b6e..ce1a5093ac 100644 ---- a/include/internal/cryptlib.h -+++ b/include/internal/cryptlib.h -@@ -170,24 +170,12 @@ typedef struct ossl_ex_data_global_st { - # define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18 - # define OSSL_LIB_CTX_MAX_INDEXES 19 - --# define OSSL_LIB_CTX_METHOD_LOW_PRIORITY -1 --# define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY 0 --# define OSSL_LIB_CTX_METHOD_PRIORITY_1 1 --# define OSSL_LIB_CTX_METHOD_PRIORITY_2 2 -- --typedef 
struct ossl_lib_ctx_method { -- int priority; -- void *(*new_func)(OSSL_LIB_CTX *ctx); -- void (*free_func)(void *); --} OSSL_LIB_CTX_METHOD; -- - OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx); - int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx); - int ossl_lib_ctx_is_global_default(OSSL_LIB_CTX *ctx); - - /* Functions to retrieve pointers to data by index */ --void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *, int /* index */, -- const OSSL_LIB_CTX_METHOD * ctx); -+void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *, int /* index */); - - void ossl_lib_ctx_default_deinit(void); - OSSL_EX_DATA_GLOBAL *ossl_lib_ctx_get_ex_data_global(OSSL_LIB_CTX *ctx); -diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c -index 9e0fcf084d..533d9d1598 100644 ---- a/providers/fips/fipsprov.c -+++ b/providers/fips/fipsprov.c -@@ -22,6 +22,7 @@ - #include "prov/provider_util.h" - #include "prov/seeding.h" - #include "self_test.h" -+#include "crypto/context.h" - #include "internal/core.h" - - static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes"; -@@ -83,7 +84,7 @@ typedef struct fips_global_st { - const char *fips_security_check_option; - } FIPS_GLOBAL; - --static void *fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) -+void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) - { - FIPS_GLOBAL *fgbl = OPENSSL_zalloc(sizeof(*fgbl)); - -@@ -95,18 +96,11 @@ static void *fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) - return fgbl; - } - --static void fips_prov_ossl_ctx_free(void *fgbl) -+void ossl_fips_prov_ossl_ctx_free(void *fgbl) - { - OPENSSL_free(fgbl); - } - --static const OSSL_LIB_CTX_METHOD fips_prov_ossl_ctx_method = { -- OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, -- fips_prov_ossl_ctx_new, -- fips_prov_ossl_ctx_free, --}; -- -- - /* Parameters we provide to the core */ - static const OSSL_PARAM fips_param_types[] = { - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0), -@@ -175,8 +169,7 @@ static int fips_get_params(void *provctx, OSSL_PARAM 
params[]) - { - OSSL_PARAM *p; - FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx), -- OSSL_LIB_CTX_FIPS_PROV_INDEX, -- &fips_prov_ossl_ctx_method); -+ OSSL_LIB_CTX_FIPS_PROV_INDEX); - - p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); - if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider")) -@@ -213,8 +206,7 @@ static void set_self_test_cb(FIPS_GLOBAL *fgbl) - static int fips_self_test(void *provctx) - { - FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx), -- OSSL_LIB_CTX_FIPS_PROV_INDEX, -- &fips_prov_ossl_ctx_method); -+ OSSL_LIB_CTX_FIPS_PROV_INDEX); - - set_self_test_cb(fgbl); - return SELF_TEST_post(&fgbl->selftest_params, 1) ? 1 : 0; -@@ -671,8 +663,7 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle, - goto err; - } - -- if ((fgbl = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_FIPS_PROV_INDEX, -- &fips_prov_ossl_ctx_method)) == NULL) -+ if ((fgbl = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_FIPS_PROV_INDEX)) == NULL) - goto err; - - fgbl->handle = handle; -@@ -817,8 +808,7 @@ int ERR_pop_to_mark(void) - const OSSL_CORE_HANDLE *FIPS_get_core_handle(OSSL_LIB_CTX *libctx) - { - FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx, -- OSSL_LIB_CTX_FIPS_PROV_INDEX, -- &fips_prov_ossl_ctx_method); -+ OSSL_LIB_CTX_FIPS_PROV_INDEX); - - if (fgbl == NULL) - return NULL; -@@ -896,8 +886,7 @@ int BIO_snprintf(char *buf, size_t n, const char *format, ...) 
- int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx) - { - FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx, -- OSSL_LIB_CTX_FIPS_PROV_INDEX, -- &fips_prov_ossl_ctx_method); -+ OSSL_LIB_CTX_FIPS_PROV_INDEX); - - return fgbl->fips_security_checks; - } -diff --git a/providers/implementations/rands/crngt.c b/providers/implementations/rands/crngt.c -index 4095994bda..50d4a429da 100644 ---- a/providers/implementations/rands/crngt.c -+++ b/providers/implementations/rands/crngt.c -@@ -23,6 +23,7 @@ - #include "crypto/rand_pool.h" - #include "drbg_local.h" - #include "prov/seeding.h" -+#include "crypto/context.h" - - typedef struct crng_test_global_st { - unsigned char crngt_prev[EVP_MAX_MD_SIZE]; -@@ -52,7 +53,7 @@ static int crngt_get_entropy(PROV_CTX *provctx, const EVP_MD *digest, - return 0; - } - --static void rand_crng_ossl_ctx_free(void *vcrngt_glob) -+void ossl_rand_crng_ctx_free(void *vcrngt_glob) - { - CRNG_TEST_GLOBAL *crngt_glob = vcrngt_glob; - -@@ -61,7 +62,7 @@ static void rand_crng_ossl_ctx_free(void *vcrngt_glob) - OPENSSL_free(crngt_glob); - } - --static void *rand_crng_ossl_ctx_new(OSSL_LIB_CTX *ctx) -+void *ossl_rand_crng_ctx_new(OSSL_LIB_CTX *ctx) - { - CRNG_TEST_GLOBAL *crngt_glob = OPENSSL_zalloc(sizeof(*crngt_glob)); - -@@ -82,12 +83,6 @@ static void *rand_crng_ossl_ctx_new(OSSL_LIB_CTX *ctx) - return crngt_glob; - } - --static const OSSL_LIB_CTX_METHOD rand_crng_ossl_ctx_method = { -- OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, -- rand_crng_ossl_ctx_new, -- rand_crng_ossl_ctx_free, --}; -- - static int prov_crngt_compare_previous(const unsigned char *prev, - const unsigned char *cur, - size_t sz) -@@ -113,8 +108,7 @@ size_t ossl_crngt_get_entropy(PROV_DRBG *drbg, - int crng_test_pass = 1; - OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(drbg->provctx); - CRNG_TEST_GLOBAL *crngt_glob -- = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_RAND_CRNGT_INDEX, -- &rand_crng_ossl_ctx_method); -+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_RAND_CRNGT_INDEX); - 
OSSL_CALLBACK *stcb = NULL; - void *stcbarg = NULL; - OSSL_SELF_TEST *st = NULL; -diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c -index c8fe66aa57..007a181c89 100644 ---- a/providers/implementations/rands/drbg.c -+++ b/providers/implementations/rands/drbg.c -@@ -21,6 +21,7 @@ - #include "crypto/rand_pool.h" - #include "prov/provider_ctx.h" - #include "prov/providercommon.h" -+#include "crypto/context.h" - - /* - * Support framework for NIST SP 800-90A DRBG -@@ -274,7 +275,7 @@ typedef struct prov_drbg_nonce_global_st { - * to be in a different global data object. Otherwise we will go into an - * infinite recursion loop. - */ --static void *prov_drbg_nonce_ossl_ctx_new(OSSL_LIB_CTX *libctx) -+void *ossl_prov_drbg_nonce_ctx_new(OSSL_LIB_CTX *libctx) - { - PROV_DRBG_NONCE_GLOBAL *dngbl = OPENSSL_zalloc(sizeof(*dngbl)); - -@@ -290,7 +291,7 @@ static void *prov_drbg_nonce_ossl_ctx_new(OSSL_LIB_CTX *libctx) - return dngbl; - } - --static void prov_drbg_nonce_ossl_ctx_free(void *vdngbl) -+void ossl_prov_drbg_nonce_ctx_free(void *vdngbl) - { - PROV_DRBG_NONCE_GLOBAL *dngbl = vdngbl; - -@@ -302,12 +303,6 @@ static void prov_drbg_nonce_ossl_ctx_free(void *vdngbl) - OPENSSL_free(dngbl); - } - --static const OSSL_LIB_CTX_METHOD drbg_nonce_ossl_ctx_method = { -- OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, -- prov_drbg_nonce_ossl_ctx_new, -- prov_drbg_nonce_ossl_ctx_free, --}; -- - /* Get a nonce from the operating system */ - static size_t prov_drbg_get_nonce(PROV_DRBG *drbg, unsigned char **pout, - size_t min_len, size_t max_len) -@@ -316,8 +311,7 @@ static size_t prov_drbg_get_nonce(PROV_DRBG *drbg, unsigned char **pout, - unsigned char *buf = NULL; - OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(drbg->provctx); - PROV_DRBG_NONCE_GLOBAL *dngbl -- = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DRBG_NONCE_INDEX, -- &drbg_nonce_ossl_ctx_method); -+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DRBG_NONCE_INDEX); - struct { - void *drbg; - 
int count; -diff --git a/test/context_internal_test.c b/test/context_internal_test.c -index 4c02f601cc..fd7518c020 100644 ---- a/test/context_internal_test.c -+++ b/test/context_internal_test.c -@@ -12,103 +12,25 @@ - #include "internal/cryptlib.h" - #include "testutil.h" - --/* -- * Everything between BEGIN EXAMPLE and END EXAMPLE is copied from -- * doc/internal/man3/ossl_lib_ctx_get_data.pod -- */ -- --/* -- * ====================================================================== -- * BEGIN EXAMPLE -- */ -- --typedef struct foo_st { -- int i; -- void *data; --} FOO; -- --static void *foo_new(OSSL_LIB_CTX *ctx) --{ -- FOO *ptr = OPENSSL_zalloc(sizeof(*ptr)); -- if (ptr != NULL) -- ptr->i = 42; -- return ptr; --} --static void foo_free(void *ptr) --{ -- OPENSSL_free(ptr); --} --static const OSSL_LIB_CTX_METHOD foo_method = { -- OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, -- foo_new, -- foo_free --}; -- --/* -- * END EXAMPLE -- * ====================================================================== -- */ -- --static int test_context(OSSL_LIB_CTX *ctx) --{ -- FOO *data = NULL; -- -- return TEST_ptr(data = ossl_lib_ctx_get_data(ctx, 0, &foo_method)) -- /* OPENSSL_zalloc in foo_new() initialized it to zero */ -- && TEST_int_eq(data->i, 42); --} -- --static int test_app_context(void) --{ -- OSSL_LIB_CTX *ctx = NULL; -- int result = -- TEST_ptr(ctx = OSSL_LIB_CTX_new()) -- && test_context(ctx); -- -- OSSL_LIB_CTX_free(ctx); -- return result; --} -- --static int test_def_context(void) --{ -- return test_context(NULL); --} -- - static int test_set0_default(void) - { - OSSL_LIB_CTX *global = OSSL_LIB_CTX_get0_global_default(); - OSSL_LIB_CTX *local = OSSL_LIB_CTX_new(); - OSSL_LIB_CTX *prev; - int testresult = 0; -- FOO *data = NULL; - - if (!TEST_ptr(global) - || !TEST_ptr(local) -- || !TEST_ptr_eq(global, OSSL_LIB_CTX_set0_default(NULL)) -- || !TEST_ptr(data = ossl_lib_ctx_get_data(local, 0, &foo_method))) -- goto err; -- -- /* Set local "i" value to 43. 
Global "i" should be 42 */ -- data->i++; -- if (!TEST_int_eq(data->i, 43)) -- goto err; -- -- /* The default context should still be the "global" default */ -- if (!TEST_ptr(data = ossl_lib_ctx_get_data(NULL, 0, &foo_method)) -- || !TEST_int_eq(data->i, 42)) -+ || !TEST_ptr_eq(global, OSSL_LIB_CTX_set0_default(NULL))) - goto err; - - /* Check we can change the local default context */ - if (!TEST_ptr(prev = OSSL_LIB_CTX_set0_default(local)) -- || !TEST_ptr_eq(global, prev) -- || !TEST_ptr(data = ossl_lib_ctx_get_data(NULL, 0, &foo_method)) -- || !TEST_int_eq(data->i, 43)) -+ || !TEST_ptr_eq(global, prev)) - goto err; - - /* Calling OSSL_LIB_CTX_set0_default() with a NULL should be a no-op */ -- if (!TEST_ptr_eq(local, OSSL_LIB_CTX_set0_default(NULL)) -- || !TEST_ptr(data = ossl_lib_ctx_get_data(NULL, 0, &foo_method)) -- || !TEST_int_eq(data->i, 43)) -+ if (!TEST_ptr_eq(local, OSSL_LIB_CTX_set0_default(NULL))) - goto err; - - /* Global default should be unchanged */ -@@ -116,10 +38,8 @@ static int test_set0_default(void) - goto err; - - /* Check we can swap back to the global default */ -- if (!TEST_ptr(prev = OSSL_LIB_CTX_set0_default(global)) -- || !TEST_ptr_eq(local, prev) -- || !TEST_ptr(data = ossl_lib_ctx_get_data(NULL, 0, &foo_method)) -- || !TEST_int_eq(data->i, 42)) -+ if (!TEST_ptr(prev = OSSL_LIB_CTX_set0_default(global)) -+ || !TEST_ptr_eq(local, prev)) - goto err; - - testresult = 1; -@@ -130,8 +50,6 @@ static int test_set0_default(void) - - int setup_tests(void) - { -- ADD_TEST(test_app_context); -- ADD_TEST(test_def_context); - ADD_TEST(test_set0_default); - return 1; - } --- -2.33.0 - diff --git a/backport-Refactor-a-separate-func-for-provider-activation-fro.patch b/backport-Refactor-a-separate-func-for-provider-activation-fro.patch deleted file mode 100644 index 3cbd4f3c9f6162524a662e02c3d77a9ac1abf658..0000000000000000000000000000000000000000 --- a/backport-Refactor-a-separate-func-for-provider-activation-fro.patch +++ /dev/null 
@@ -1,181 +0,0 @@
-From ee246234bf591cd2a9779a4ad3a2ee3c53848213 Mon Sep 17 00:00:00 2001
-From: Dmitry Belyavskiy
-Date: Mon, 22 Nov 2021 10:14:27 +0100
-Subject: [PATCH] Refactor: a separate func for provider activation from config
-
-Reviewed-by: Matt Caswell
-Reviewed-by: Paul Dale
-(Merged from https://github.com/openssl/openssl/pull/17099)
-
-(cherry picked from commit 07ba69483a7d8005a53284cbde55b9dac8c5c554)
----
- crypto/provider_conf.c | 140 ++++++++++++++++++++++-------------
- 1 file changed, 75 insertions(+), 65 deletions(-)
-
-diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c
-index c13c887c3d..6a62f0df60 100644
---- a/crypto/provider_conf.c
-+++ b/crypto/provider_conf.c
-@@ -136,13 +136,86 @@ static int prov_already_activated(const char *name,
- return 0;
- }
-
-+static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name,
-+ const char *value, const char *path,
-+ int soft, const CONF *cnf)
-+{
-+ PROVIDER_CONF_GLOBAL *pcgbl
-+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
-+ &provider_conf_ossl_ctx_method);
-+ OSSL_PROVIDER *prov = NULL, *actual = NULL;
-+ int ok = 0;
-+
-+ if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
-+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
-+ return 0;
-+ }
-+ if (!prov_already_activated(name, pcgbl->activated_providers)) {
-+ /*
-+ * There is an attempt to activate a provider, so we should disable
-+ * loading of fallbacks. Otherwise a misconfiguration could mean the
-+ * intended provider does not get loaded. Subsequent fetches could
-+ * then fallback to the default provider - which may be the wrong
-+ * thing.
-+ */
-+ if (!ossl_provider_disable_fallback_loading(libctx)) {
-+ CRYPTO_THREAD_unlock(pcgbl->lock);
-+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
-+ return 0;
-+ }
-+ prov = ossl_provider_find(libctx, name, 1);
-+ if (prov == NULL)
-+ prov = ossl_provider_new(libctx, name, NULL, 1);
-+ if (prov == NULL) {
-+ CRYPTO_THREAD_unlock(pcgbl->lock);
-+ if (soft)
-+ ERR_clear_error();
-+ return 0;
-+ }
-+
-+ if (path != NULL)
-+ ossl_provider_set_module_path(prov, path);
-+
-+ ok = provider_conf_params(prov, NULL, NULL, value, cnf);
-+
-+ if (ok) {
-+ if (!ossl_provider_activate(prov, 1, 0)) {
-+ ok = 0;
-+ } else if (!ossl_provider_add_to_store(prov, &actual, 0)) {
-+ ossl_provider_deactivate(prov, 1);
-+ ok = 0;
-+ } else if (actual != prov
-+ && !ossl_provider_activate(actual, 1, 0)) {
-+ ossl_provider_free(actual);
-+ ok = 0;
-+ } else {
-+ if (pcgbl->activated_providers == NULL)
-+ pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null();
-+ if (pcgbl->activated_providers == NULL
-+ || !sk_OSSL_PROVIDER_push(pcgbl->activated_providers,
-+ actual)) {
-+ ossl_provider_deactivate(actual, 1);
-+ ossl_provider_free(actual);
-+ ok = 0;
-+ } else {
-+ ok = 1;
-+ }
-+ }
-+ }
-+ if (!ok)
-+ ossl_provider_free(prov);
-+ }
-+ CRYPTO_THREAD_unlock(pcgbl->lock);
-+
-+ return ok;
-+}
-+
- static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
- const char *value, const CONF *cnf)
- {
- int i;
- STACK_OF(CONF_VALUE) *ecmds;
- int soft = 0;
-- OSSL_PROVIDER *prov = NULL, *actual = NULL;
- const char *path = NULL;
- long activate = 0;
- int ok = 0;
-@@ -182,70 +255,7 @@ static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
- }
-
- if (activate) {
-- PROVIDER_CONF_GLOBAL *pcgbl
-- = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
-- &provider_conf_ossl_ctx_method);
--
-- if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
-- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
-- return 0;
-- }
-- if
(!prov_already_activated(name, pcgbl->activated_providers)) {
-- /*
-- * There is an attempt to activate a provider, so we should disable
-- * loading of fallbacks. Otherwise a misconfiguration could mean the
-- * intended provider does not get loaded. Subsequent fetches could
-- * then fallback to the default provider - which may be the wrong
-- * thing.
-- */
-- if (!ossl_provider_disable_fallback_loading(libctx)) {
-- CRYPTO_THREAD_unlock(pcgbl->lock);
-- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
-- return 0;
-- }
-- prov = ossl_provider_find(libctx, name, 1);
-- if (prov == NULL)
-- prov = ossl_provider_new(libctx, name, NULL, 1);
-- if (prov == NULL) {
-- CRYPTO_THREAD_unlock(pcgbl->lock);
-- if (soft)
-- ERR_clear_error();
-- return 0;
-- }
--
-- if (path != NULL)
-- ossl_provider_set_module_path(prov, path);
--
-- ok = provider_conf_params(prov, NULL, NULL, value, cnf);
--
-- if (ok) {
-- if (!ossl_provider_activate(prov, 1, 0)) {
-- ok = 0;
-- } else if (!ossl_provider_add_to_store(prov, &actual, 0)) {
-- ossl_provider_deactivate(prov, 1);
-- ok = 0;
-- } else if (actual != prov
-- && !ossl_provider_activate(actual, 1, 0)) {
-- ossl_provider_free(actual);
-- ok = 0;
-- } else {
-- if (pcgbl->activated_providers == NULL)
-- pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null();
-- if (pcgbl->activated_providers == NULL
-- || !sk_OSSL_PROVIDER_push(pcgbl->activated_providers,
-- actual)) {
-- ossl_provider_deactivate(actual, 1);
-- ossl_provider_free(actual);
-- ok = 0;
-- } else {
-- ok = 1;
-- }
-- }
-- }
-- if (!ok)
-- ossl_provider_free(prov);
-- }
-- CRYPTO_THREAD_unlock(pcgbl->lock);
-+ ok = provider_conf_activate(libctx, name, value, path, soft, cnf);
- } else {
- OSSL_PROVIDER_INFO entry;
-
---
-2.33.0
-
diff --git a/backport-Release-the-drbg-in-the-global-default-context-befor.patch b/backport-Release-the-drbg-in-the-global-default-context-befor.patch
deleted file mode 100644
index b11cc234dbaf42e1f392219ea79d9a0324fc18b0..0000000000000000000000000000000000000000
--- a/backport-Release-the-drbg-in-the-global-default-context-befor.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From d5c02e2de86a28ab2c06e866f0db858c43d00355 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Tue, 11 Oct 2022 17:26:23 +0200
-Subject: [PATCH] Release the drbg in the global default context before engines
-
-Fixes #17995
-Fixes #18578
-
-Reviewed-by: Paul Dale
-Reviewed-by: Bernd Edlinger
-(Merged from https://github.com/openssl/openssl/pull/19386)
-
-(cherry picked from commit a88e97fcace01ecf557b207f04328a72df5110df)
----
- crypto/context.c | 9 +++++++++
- crypto/rand/rand_lib.c | 1 +
- include/crypto/context.h | 1 +
- 3 files changed, 11 insertions(+)
-
-diff --git a/crypto/context.c b/crypto/context.c
-index aec9ecd4ac..c6358afc81 100644
---- a/crypto/context.c
-+++ b/crypto/context.c
-@@ -456,6 +456,15 @@ OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *libctx)
-
- return NULL;
- }
-+
-+void ossl_release_default_drbg_ctx(void)
-+{
-+ /* early release of the DRBG in global default libctx */
-+ if (default_context_int.drbg != NULL) {
-+ ossl_rand_ctx_free(default_context_int.drbg);
-+ default_context_int.drbg = NULL;
-+ }
-+}
- #endif
-
- OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx)
-diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
-index 3f04ec171e..b186ec7f27 100644
---- a/crypto/rand/rand_lib.c
-+++ b/crypto/rand/rand_lib.c
-@@ -97,6 +97,7 @@ void ossl_rand_cleanup_int(void)
- CRYPTO_THREAD_lock_free(rand_meth_lock);
- rand_meth_lock = NULL;
- # endif
-+ ossl_release_default_drbg_ctx();
- rand_inited = 0;
- }
-
-diff --git a/include/crypto/context.h b/include/crypto/context.h
-index 143f6d6b6d..cc06c71be8 100644
---- a/include/crypto/context.h
-+++ b/include/crypto/context.h
-@@ -38,3 +38,4 @@ void ossl_self_test_set_callback_free(void *);
- void ossl_rand_crng_ctx_free(void *);
- void ossl_thread_event_ctx_free(void *);
- void ossl_fips_prov_ossl_ctx_free(void *);
-+void ossl_release_default_drbg_ctx(void);
---
-2.33.0
-
diff --git a/backport-Remove-the-_fetch_by_number-functions.patch b/backport-Remove-the-_fetch_by_number-functions.patch
deleted file mode 100644
index 73cd4dddbb12b01a13e5aecc6e2d8ba0aaca72ce..0000000000000000000000000000000000000000
--- a/backport-Remove-the-_fetch_by_number-functions.patch
+++ /dev/null
@@ -1,509 +0,0 @@ -From 4a929c7c5cb06dcf1952691ee8732007cc1a41d4 Mon Sep 17 00:00:00 2001 -From: Pauli -Date: Wed, 4 May 2022 14:54:13 +1000 -Subject: [PATCH] Remove the _fetch_by_number functions - -These functions are unused and untested. They are also implemented rather -inefficiently. If we ever needed them in the future, they'd almost surely -need to be rewritten more efficiently. - -Fixes #18227 - -Reviewed-by: Matt Caswell -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/18237) - -(cherry picked from commit 16ff70a58cfb5c40197e6a940cf4666226f31b79) ---- - crypto/encode_decode/decoder_meth.c | 36 +++------------- - crypto/encode_decode/encoder_meth.c | 36 +++------------- - crypto/evp/evp_fetch.c | 55 ++++--------------------- - crypto/evp/evp_local.h | 7 ---- - crypto/evp/keymgmt_meth.c | 10 ----- - crypto/store/store_local.h | 3 -- - crypto/store/store_meth.c | 37 +++-------------- - doc/internal/man3/evp_generic_fetch.pod | 19 +-------- - include/crypto/decoder.h | 4 -- - include/crypto/encoder.h | 2 - - 10 files changed, 27 insertions(+), 182 deletions(-) - -diff --git a/crypto/encode_decode/decoder_meth.c b/crypto/encode_decode/decoder_meth.c -index 62e30ccb1a..74c86a8fe8 100644 ---- a/crypto/encode_decode/decoder_meth.c -+++ b/crypto/encode_decode/decoder_meth.c -@@ -340,38 +340,27 @@ static void free_decoder(void *method) - - /* Fetching support. Can fetch by numeric identity or by name */ - static OSSL_DECODER * --inner_ossl_decoder_fetch(struct decoder_data_st *methdata, int id, -+inner_ossl_decoder_fetch(struct decoder_data_st *methdata, - const char *name, const char *properties) - { - OSSL_METHOD_STORE *store = get_decoder_store(methdata->libctx); - OSSL_NAMEMAP *namemap = ossl_namemap_stored(methdata->libctx); - const char *const propq = properties != NULL ? 
properties : ""; - void *method = NULL; -- int unsupported = 0; -+ int unsupported, id; - - if (store == NULL || namemap == NULL) { - ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_PASSED_INVALID_ARGUMENT); - return NULL; - } - -- /* -- * If we have been passed both an id and a name, we have an -- * internal programming error. -- */ -- if (!ossl_assert(id == 0 || name == NULL)) { -- ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_INTERNAL_ERROR); -- return NULL; -- } -- -- if (id == 0 && name != NULL) -- id = ossl_namemap_name2num(namemap, name); -+ id = name != NULL ? ossl_namemap_name2num(namemap, name) : 0; - - /* - * If we haven't found the name yet, chances are that the algorithm to - * be fetched is unsupported. - */ -- if (id == 0) -- unsupported = 1; -+ unsupported = id == 0; - - if (id == 0 - || !ossl_method_store_cache_get(store, NULL, id, propq, &method)) { -@@ -436,20 +425,7 @@ OSSL_DECODER *OSSL_DECODER_fetch(OSSL_LIB_CTX *libctx, const char *name, - - methdata.libctx = libctx; - methdata.tmp_store = NULL; -- method = inner_ossl_decoder_fetch(&methdata, 0, name, properties); -- dealloc_tmp_decoder_store(methdata.tmp_store); -- return method; --} -- --OSSL_DECODER *ossl_decoder_fetch_by_number(OSSL_LIB_CTX *libctx, int id, -- const char *properties) --{ -- struct decoder_data_st methdata; -- void *method; -- -- methdata.libctx = libctx; -- methdata.tmp_store = NULL; -- method = inner_ossl_decoder_fetch(&methdata, id, NULL, properties); -+ method = inner_ossl_decoder_fetch(&methdata, name, properties); - dealloc_tmp_decoder_store(methdata.tmp_store); - return method; - } -@@ -579,7 +555,7 @@ void OSSL_DECODER_do_all_provided(OSSL_LIB_CTX *libctx, - - methdata.libctx = libctx; - methdata.tmp_store = NULL; -- (void)inner_ossl_decoder_fetch(&methdata, 0, NULL, NULL /* properties */); -+ (void)inner_ossl_decoder_fetch(&methdata, NULL, NULL /* properties */); - - data.user_fn = user_fn; - data.user_arg = user_arg; -diff --git a/crypto/encode_decode/encoder_meth.c 
b/crypto/encode_decode/encoder_meth.c -index f91d349587..7092ba7ef8 100644 ---- a/crypto/encode_decode/encoder_meth.c -+++ b/crypto/encode_decode/encoder_meth.c -@@ -350,38 +350,27 @@ static void free_encoder(void *method) - - /* Fetching support. Can fetch by numeric identity or by name */ - static OSSL_ENCODER * --inner_ossl_encoder_fetch(struct encoder_data_st *methdata, int id, -+inner_ossl_encoder_fetch(struct encoder_data_st *methdata, - const char *name, const char *properties) - { - OSSL_METHOD_STORE *store = get_encoder_store(methdata->libctx); - OSSL_NAMEMAP *namemap = ossl_namemap_stored(methdata->libctx); - const char *const propq = properties != NULL ? properties : ""; - void *method = NULL; -- int unsupported = 0; -+ int unsupported, id; - - if (store == NULL || namemap == NULL) { - ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_PASSED_INVALID_ARGUMENT); - return NULL; - } - -- /* -- * If we have been passed both an id and a name, we have an -- * internal programming error. -- */ -- if (!ossl_assert(id == 0 || name == NULL)) { -- ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_INTERNAL_ERROR); -- return NULL; -- } -- -- if (id == 0) -- id = ossl_namemap_name2num(namemap, name); -+ id = name != NULL ? ossl_namemap_name2num(namemap, name) : 0; - - /* - * If we haven't found the name yet, chances are that the algorithm to - * be fetched is unsupported. 
- */ -- if (id == 0) -- unsupported = 1; -+ unsupported = id == 0; - - if (id == 0 - || !ossl_method_store_cache_get(store, NULL, id, propq, &method)) { -@@ -445,20 +434,7 @@ OSSL_ENCODER *OSSL_ENCODER_fetch(OSSL_LIB_CTX *libctx, const char *name, - - methdata.libctx = libctx; - methdata.tmp_store = NULL; -- method = inner_ossl_encoder_fetch(&methdata, 0, name, properties); -- dealloc_tmp_encoder_store(methdata.tmp_store); -- return method; --} -- --OSSL_ENCODER *ossl_encoder_fetch_by_number(OSSL_LIB_CTX *libctx, int id, -- const char *properties) --{ -- struct encoder_data_st methdata; -- void *method; -- -- methdata.libctx = libctx; -- methdata.tmp_store = NULL; -- method = inner_ossl_encoder_fetch(&methdata, id, NULL, properties); -+ method = inner_ossl_encoder_fetch(&methdata, name, properties); - dealloc_tmp_encoder_store(methdata.tmp_store); - return method; - } -@@ -570,7 +546,7 @@ void OSSL_ENCODER_do_all_provided(OSSL_LIB_CTX *libctx, - - methdata.libctx = libctx; - methdata.tmp_store = NULL; -- (void)inner_ossl_encoder_fetch(&methdata, 0, NULL, NULL /* properties */); -+ (void)inner_ossl_encoder_fetch(&methdata, NULL, NULL /* properties */); - - data.user_fn = user_fn; - data.user_arg = user_arg; -diff --git a/crypto/evp/evp_fetch.c b/crypto/evp/evp_fetch.c -index 26ed5edcaf..4908f6cfee 100644 ---- a/crypto/evp/evp_fetch.c -+++ b/crypto/evp/evp_fetch.c -@@ -122,7 +122,7 @@ static void *get_evp_method_from_store(void *store, const OSSL_PROVIDER **prov, - { - struct evp_method_data_st *methdata = data; - void *method = NULL; -- int name_id = 0; -+ int name_id; - uint32_t meth_id; - - /* -@@ -239,8 +239,7 @@ static void destruct_evp_method(void *method, void *data) - static void * - inner_evp_generic_fetch(struct evp_method_data_st *methdata, - OSSL_PROVIDER *prov, int operation_id, -- int name_id, const char *name, -- const char *properties, -+ const char *name, const char *properties, - void *(*new_method)(int name_id, - const OSSL_ALGORITHM *algodef, - 
OSSL_PROVIDER *prov), -@@ -252,7 +251,7 @@ inner_evp_generic_fetch(struct evp_method_data_st *methdata, - const char *const propq = properties != NULL ? properties : ""; - uint32_t meth_id = 0; - void *method = NULL; -- int unsupported = 0; -+ int unsupported, name_id; - - if (store == NULL || namemap == NULL) { - ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_INVALID_ARGUMENT); -@@ -268,18 +267,8 @@ inner_evp_generic_fetch(struct evp_method_data_st *methdata, - return NULL; - } - -- /* -- * If we have been passed both a name_id and a name, we have an -- * internal programming error. -- */ -- if (!ossl_assert(name_id == 0 || name == NULL)) { -- ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); -- return NULL; -- } -- - /* If we haven't received a name id yet, try to get one for the name */ -- if (name_id == 0 && name != NULL) -- name_id = ossl_namemap_name2num(namemap, name); -+ name_id = name != NULL ? ossl_namemap_name2num(namemap, name) : 0; - - /* - * If we have a name id, calculate a method id with evp_method_id(). -@@ -298,8 +287,7 @@ inner_evp_generic_fetch(struct evp_method_data_st *methdata, - * If we haven't found the name yet, chances are that the algorithm to - * be fetched is unsupported. - */ -- if (name_id == 0) -- unsupported = 1; -+ unsupported = name_id == 0; - - if (meth_id == 0 - || !ossl_method_store_cache_get(store, prov, meth_id, propq, &method)) { -@@ -374,34 +362,7 @@ void *evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id, - methdata.libctx = libctx; - methdata.tmp_store = NULL; - method = inner_evp_generic_fetch(&methdata, NULL, operation_id, -- 0, name, properties, -- new_method, up_ref_method, free_method); -- dealloc_tmp_evp_method_store(methdata.tmp_store); -- return method; --} -- --/* -- * evp_generic_fetch_by_number() is special, and only returns methods for -- * already known names, i.e. it refuses to work if no name_id can be found -- * (it's considered an internal programming error). 
-- * This is meant to be used when one method needs to fetch an associated -- * method. -- */ --void *evp_generic_fetch_by_number(OSSL_LIB_CTX *libctx, int operation_id, -- int name_id, const char *properties, -- void *(*new_method)(int name_id, -- const OSSL_ALGORITHM *algodef, -- OSSL_PROVIDER *prov), -- int (*up_ref_method)(void *), -- void (*free_method)(void *)) --{ -- struct evp_method_data_st methdata; -- void *method; -- -- methdata.libctx = libctx; -- methdata.tmp_store = NULL; -- method = inner_evp_generic_fetch(&methdata, NULL, operation_id, -- name_id, NULL, properties, -+ name, properties, - new_method, up_ref_method, free_method); - dealloc_tmp_evp_method_store(methdata.tmp_store); - return method; -@@ -427,7 +388,7 @@ void *evp_generic_fetch_from_prov(OSSL_PROVIDER *prov, int operation_id, - methdata.libctx = ossl_provider_libctx(prov); - methdata.tmp_store = NULL; - method = inner_evp_generic_fetch(&methdata, prov, operation_id, -- 0, name, properties, -+ name, properties, - new_method, up_ref_method, free_method); - dealloc_tmp_evp_method_store(methdata.tmp_store); - return method; -@@ -631,7 +592,7 @@ void evp_generic_do_all(OSSL_LIB_CTX *libctx, int operation_id, - - methdata.libctx = libctx; - methdata.tmp_store = NULL; -- (void)inner_evp_generic_fetch(&methdata, NULL, operation_id, 0, NULL, NULL, -+ (void)inner_evp_generic_fetch(&methdata, NULL, operation_id, NULL, NULL, - new_method, up_ref_method, free_method); - - data.operation_id = operation_id; -diff --git a/crypto/evp/evp_local.h b/crypto/evp/evp_local.h -index 3ccfaeb37c..a853174452 100644 ---- a/crypto/evp/evp_local.h -+++ b/crypto/evp/evp_local.h -@@ -270,13 +270,6 @@ void *evp_generic_fetch(OSSL_LIB_CTX *ctx, int operation_id, - OSSL_PROVIDER *prov), - int (*up_ref_method)(void *), - void (*free_method)(void *)); --void *evp_generic_fetch_by_number(OSSL_LIB_CTX *ctx, int operation_id, -- int name_id, const char *properties, -- void *(*new_method)(int name_id, -- const OSSL_ALGORITHM 
*algodef, -- OSSL_PROVIDER *prov), -- int (*up_ref_method)(void *), -- void (*free_method)(void *)); - void *evp_generic_fetch_from_prov(OSSL_PROVIDER *prov, int operation_id, - const char *name, const char *properties, - void *(*new_method)(int name_id, -diff --git a/crypto/evp/keymgmt_meth.c b/crypto/evp/keymgmt_meth.c -index 90fd8068dc..5fab4a7639 100644 ---- a/crypto/evp/keymgmt_meth.c -+++ b/crypto/evp/keymgmt_meth.c -@@ -203,16 +203,6 @@ static void *keymgmt_from_algorithm(int name_id, - return keymgmt; - } - --EVP_KEYMGMT *evp_keymgmt_fetch_by_number(OSSL_LIB_CTX *ctx, int name_id, -- const char *properties) --{ -- return evp_generic_fetch_by_number(ctx, -- OSSL_OP_KEYMGMT, name_id, properties, -- keymgmt_from_algorithm, -- (int (*)(void *))EVP_KEYMGMT_up_ref, -- (void (*)(void *))EVP_KEYMGMT_free); --} -- - EVP_KEYMGMT *evp_keymgmt_fetch_from_prov(OSSL_PROVIDER *prov, - const char *name, - const char *properties) -diff --git a/crypto/store/store_local.h b/crypto/store/store_local.h -index 8f817fd514..f73bce32b9 100644 ---- a/crypto/store/store_local.h -+++ b/crypto/store/store_local.h -@@ -168,9 +168,6 @@ int ossl_store_file_detach_pem_bio_int(OSSL_STORE_LOADER_CTX *ctx); - OSSL_STORE_LOADER *ossl_store_loader_fetch(OSSL_LIB_CTX *libctx, - const char *scheme, - const char *properties); --OSSL_STORE_LOADER *ossl_store_loader_fetch_by_number(OSSL_LIB_CTX *libctx, -- int scheme_id, -- const char *properties); - - /* Standard function to handle the result from OSSL_FUNC_store_load() */ - struct ossl_load_result_data_st { -diff --git a/crypto/store/store_meth.c b/crypto/store/store_meth.c -index 42848b799a..ab1016853e 100644 ---- a/crypto/store/store_meth.c -+++ b/crypto/store/store_meth.c -@@ -278,39 +278,28 @@ static void destruct_loader(void *method, void *data) - - /* Fetching support. 
Can fetch by numeric identity or by scheme */ - static OSSL_STORE_LOADER * --inner_loader_fetch(struct loader_data_st *methdata, int id, -+inner_loader_fetch(struct loader_data_st *methdata, - const char *scheme, const char *properties) - { - OSSL_METHOD_STORE *store = get_loader_store(methdata->libctx); - OSSL_NAMEMAP *namemap = ossl_namemap_stored(methdata->libctx); - const char *const propq = properties != NULL ? properties : ""; - void *method = NULL; -- int unsupported = 0; -+ int unsupported, id; - - if (store == NULL || namemap == NULL) { - ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_PASSED_INVALID_ARGUMENT); - return NULL; - } - -- /* -- * If we have been passed both an id and a scheme, we have an -- * internal programming error. -- */ -- if (!ossl_assert(id == 0 || scheme == NULL)) { -- ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_INTERNAL_ERROR); -- return NULL; -- } -- - /* If we haven't received a name id yet, try to get one for the name */ -- if (id == 0 && scheme != NULL) -- id = ossl_namemap_name2num(namemap, scheme); -+ id = scheme != NULL ? ossl_namemap_name2num(namemap, scheme) : 0; - - /* - * If we haven't found the name yet, chances are that the algorithm to - * be fetched is unsupported. 
- */ -- if (id == 0) -- unsupported = 1; -+ unsupported = id == 0; - - if (id == 0 - || !ossl_method_store_cache_get(store, NULL, id, propq, &method)) { -@@ -381,21 +370,7 @@ OSSL_STORE_LOADER *OSSL_STORE_LOADER_fetch(OSSL_LIB_CTX *libctx, - - methdata.libctx = libctx; - methdata.tmp_store = NULL; -- method = inner_loader_fetch(&methdata, 0, scheme, properties); -- dealloc_tmp_loader_store(methdata.tmp_store); -- return method; --} -- --OSSL_STORE_LOADER *ossl_store_loader_fetch_by_number(OSSL_LIB_CTX *libctx, -- int scheme_id, -- const char *properties) --{ -- struct loader_data_st methdata; -- void *method; -- -- methdata.libctx = libctx; -- methdata.tmp_store = NULL; -- method = inner_loader_fetch(&methdata, scheme_id, NULL, properties); -+ method = inner_loader_fetch(&methdata, scheme, properties); - dealloc_tmp_loader_store(methdata.tmp_store); - return method; - } -@@ -491,7 +466,7 @@ void OSSL_STORE_LOADER_do_all_provided(OSSL_LIB_CTX *libctx, - - methdata.libctx = libctx; - methdata.tmp_store = NULL; -- (void)inner_loader_fetch(&methdata, 0, NULL, NULL /* properties */); -+ (void)inner_loader_fetch(&methdata, NULL, NULL /* properties */); - - data.user_fn = user_fn; - data.user_arg = user_arg; -diff --git a/doc/internal/man3/evp_generic_fetch.pod b/doc/internal/man3/evp_generic_fetch.pod -index b23d2ec0ea..ce75ffbfc8 100644 ---- a/doc/internal/man3/evp_generic_fetch.pod -+++ b/doc/internal/man3/evp_generic_fetch.pod -@@ -2,7 +2,7 @@ - - =head1 NAME - --evp_generic_fetch, evp_generic_fetch_by_number, evp_generic_fetch_from_prov -+evp_generic_fetch, evp_generic_fetch_from_prov - - generic algorithm fetchers and method creators for EVP - - =head1 SYNOPSIS -@@ -20,15 +20,6 @@ evp_generic_fetch, evp_generic_fetch_by_number, evp_generic_fetch_from_prov - int (*up_ref_method)(void *), - void (*free_method)(void *)); - -- void *evp_generic_fetch_by_number(OSSL_LIB_CTX *ctx, int operation_id, -- int name_id, const char *properties, -- void *(*new_method)(int 
name_id, -- const OSSL_DISPATCH *fns, -- OSSL_PROVIDER *prov, -- void *method_data), -- void *method_data, -- int (*up_ref_method)(void *), -- void (*free_method)(void *)); - void *evp_generic_fetch_from_prov(OSSL_PROVIDER *prov, int operation_id, - int name_id, const char *properties, - void *(*new_method)(int name_id, -@@ -46,14 +37,6 @@ I, I, I, and I and uses - it to create an EVP method with the help of the functions - I, I, and I. - --evp_generic_fetch_by_number() does the same thing as evp_generic_fetch(), --but takes a numeric I instead of a name. --I must always be nonzero; as a matter of fact, it being zero --is considered a programming error. --This is meant to be used when one method needs to fetch an associated --method, and is typically called from inside the given function --I. -- - evp_generic_fetch_from_prov() does the same thing as evp_generic_fetch(), - but limits the search of methods to the provider given with I. - This is meant to be used when one method needs to fetch an associated -diff --git a/include/crypto/decoder.h b/include/crypto/decoder.h -index 107a7b502a..6b5ee56ac6 100644 ---- a/include/crypto/decoder.h -+++ b/include/crypto/decoder.h -@@ -13,10 +13,6 @@ - - # include - --OSSL_DECODER *ossl_decoder_fetch_by_number(OSSL_LIB_CTX *libctx, -- int id, -- const char *properties); -- - /* - * These are specially made for the 'file:' provider-native loader, which - * uses this to install a DER to anything decoder, which doesn't do much -diff --git a/include/crypto/encoder.h b/include/crypto/encoder.h -index 562081ad41..5c53bbea39 100644 ---- a/include/crypto/encoder.h -+++ b/include/crypto/encoder.h -@@ -13,8 +13,6 @@ - - # include - --OSSL_ENCODER *ossl_encoder_fetch_by_number(OSSL_LIB_CTX *libctx, int id, -- const char *properties); - int ossl_encoder_get_number(const OSSL_ENCODER *encoder); - int ossl_encoder_store_cache_flush(OSSL_LIB_CTX *libctx); - int ossl_encoder_store_remove_all_provided(const OSSL_PROVIDER *prov); --- -2.33.0 - 
diff --git a/backport-Revert-Release-the-drbg-in-the-global-default-contex.patch b/backport-Revert-Release-the-drbg-in-the-global-default-contex.patch
deleted file mode 100644
index d579ab65b82af123cb74828c70c38fa2a2dae6b4..0000000000000000000000000000000000000000
--- a/backport-Revert-Release-the-drbg-in-the-global-default-contex.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From 9a12f01f6e784c8cf714442014573d010266182d Mon Sep 17 00:00:00 2001
-From: hzero1996
-Date: Fri, 31 May 2024 16:55:10 +0800
-Subject: [PATCH] Revert "Release the drbg in the global default context before
- engines"
-
-This reverts commit d0f8056c47f7aea40a34815fe459404f14501e81.
-
-
-The fix patch for 3.1 will be merged later: d5c02e2de86a28ab2c06e866f0db858c43d00355
----
- crypto/context.c | 15 ---------------
- crypto/rand/rand_lib.c | 5 ++---
- include/crypto/rand.h | 1 -
- include/internal/cryptlib.h | 2 --
- 4 files changed, 2 insertions(+), 21 deletions(-)
-
-diff --git a/crypto/context.c b/crypto/context.c
-index 548665fba2..bdfc4d02a3 100644
---- a/crypto/context.c
-+++ b/crypto/context.c
-@@ -15,7 +15,6 @@
- #include "internal/bio.h"
- #include "internal/provider.h"
- #include "crypto/ctype.h"
--#include "crypto/rand.h"
-
- struct ossl_lib_ctx_onfree_list_st {
- ossl_lib_ctx_onfree_fn *fn;
-@@ -272,20 +271,6 @@ OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *libctx)
-
- return NULL;
- }
--
--void ossl_release_default_drbg_ctx(void)
--{
-- int dynidx = default_context_int.dyn_indexes[OSSL_LIB_CTX_DRBG_INDEX];
--
-- /* early release of the DRBG in global default libctx, no locking */
-- if (dynidx != -1) {
-- void *data;
--
-- data = CRYPTO_get_ex_data(&default_context_int.data, dynidx);
-- ossl_rand_ctx_free(data);
-- CRYPTO_set_ex_data(&default_context_int.data, dynidx, NULL);
-- }
--}
- #endif
-
- OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx)
-diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
-index 5fde214448..edfae865b6 100644
---- a/crypto/rand/rand_lib.c
-+++ b/crypto/rand/rand_lib.c
-@@ -96,7 +96,6 @@ void ossl_rand_cleanup_int(void)
- CRYPTO_THREAD_lock_free(rand_meth_lock);
- rand_meth_lock = NULL;
- # endif
-- ossl_release_default_drbg_ctx();
- rand_inited = 0;
- }
-
-@@ -476,7 +475,7 @@ static void *rand_ossl_ctx_new(OSSL_LIB_CTX *libctx)
- return NULL;
- }
-
--void ossl_rand_ctx_free(void
*vdgbl)
-+static void rand_ossl_ctx_free(void *vdgbl)
- {
- RAND_GLOBAL *dgbl = vdgbl;
-
-@@ -501,7 +500,7 @@ void ossl_rand_ctx_free(void *vdgbl)
- static const OSSL_LIB_CTX_METHOD rand_drbg_ossl_ctx_method = {
- OSSL_LIB_CTX_METHOD_PRIORITY_2,
- rand_ossl_ctx_new,
-- ossl_rand_ctx_free,
-+ rand_ossl_ctx_free,
- };
-
- static RAND_GLOBAL *rand_get_global(OSSL_LIB_CTX *libctx)
-diff --git a/include/crypto/rand.h b/include/crypto/rand.h
-index 165deaf95c..6a71a339c8 100644
---- a/include/crypto/rand.h
-+++ b/include/crypto/rand.h
-@@ -125,5 +125,4 @@ void ossl_rand_cleanup_nonce(ossl_unused const OSSL_CORE_HANDLE *handle,
- size_t ossl_pool_acquire_entropy(RAND_POOL *pool);
- int ossl_pool_add_nonce_data(RAND_POOL *pool);
-
--void ossl_rand_ctx_free(void *vdgbl);
- #endif
-diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
-index 934d4b089c..1291299b6e 100644
---- a/include/internal/cryptlib.h
-+++ b/include/internal/cryptlib.h
-@@ -199,8 +199,6 @@ int ossl_lib_ctx_run_once(OSSL_LIB_CTX *ctx, unsigned int idx,
- int ossl_lib_ctx_onfree(OSSL_LIB_CTX *ctx, ossl_lib_ctx_onfree_fn onfreefn);
- const char *ossl_lib_ctx_get_descriptor(OSSL_LIB_CTX *libctx);
-
--void ossl_release_default_drbg_ctx(void);
--
- OSSL_LIB_CTX *ossl_crypto_ex_data_get_ossl_lib_ctx(const CRYPTO_EX_DATA *ad);
- int ossl_crypto_new_ex_data_ex(OSSL_LIB_CTX *ctx, int class_index, void *obj,
- CRYPTO_EX_DATA *ad);
---
-2.33.0
-
diff --git a/backport-When-we-re-just-reading-EX_CALLBACK-data-just-get-a-.patch b/backport-When-we-re-just-reading-EX_CALLBACK-data-just-get-a-.patch
deleted file mode 100644
index cf0a7a105009319635124368df8ae14ab4c271c4..0000000000000000000000000000000000000000
--- a/backport-When-we-re-just-reading-EX_CALLBACK-data-just-get-a-.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From f56744fe1e47ca153f487eb383e62aac0e8b0545 Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Thu, 11 May 2023 11:25:07 +0100
-Subject: [PATCH] When we're just reading EX_CALLBACK data just get a read lock
-
-The crypto_ex_data code was always obtaining a write lock in all functions
-regardless of whether we were only reading EX_CALLBACK data or actually
-changing it. Changes to the EX_CALLBACK data are rare, with many reads so
-we should change to a read lock where we can.
-
-We hit this every time we create or free any object that can have ex_data
-associated with it (e.g. BIOs, SSL, etc)
-
-Partially fixes #20286
-
-Reviewed-by: Tomas Mraz
-Reviewed-by: Hugo Landau
-Reviewed-by: Paul Dale
-(Merged from https://github.com/openssl/openssl/pull/20943)
-
-(cherry picked from commit 6d15357aeb893c6e8b4c7a8188c18f4db54c0612)
----
- crypto/ex_data.c | 26 +++++++++++++++++---------
- 1 file changed, 17 insertions(+), 9 deletions(-)
-
-diff --git a/crypto/ex_data.c b/crypto/ex_data.c
-index 40223f06e4..33c35da7d0 100644
---- a/crypto/ex_data.c
-+++ b/crypto/ex_data.c
-@@ -26,8 +26,10 @@ int ossl_do_ex_data_init(OSSL_LIB_CTX *ctx)
- * Return the EX_CALLBACKS from the |ex_data| array that corresponds to
- * a given class. On success, *holds the lock.*
- * The |global| parameter is assumed to be non null (checked by the caller).
-+ * If |read| is 1 then a read lock is obtained. Otherwise it is a write lock.
- */
--static EX_CALLBACKS *get_and_lock(OSSL_EX_DATA_GLOBAL *global, int class_index)
-+static EX_CALLBACKS *get_and_lock(OSSL_EX_DATA_GLOBAL *global, int class_index,
-+ int read)
- {
- EX_CALLBACKS *ip;
-
-@@ -44,8 +46,14 @@ static EX_CALLBACKS *get_and_lock(OSSL_EX_DATA_GLOBAL *global, int class_index)
- return NULL;
- }
-
-- if (!CRYPTO_THREAD_write_lock(global->ex_data_lock))
-- return NULL;
-+ if (read) {
-+ if (!CRYPTO_THREAD_read_lock(global->ex_data_lock))
-+ return NULL;
-+ } else {
-+ if (!CRYPTO_THREAD_write_lock(global->ex_data_lock))
-+ return NULL;
-+ }
-+
- ip = &global->ex_data[class_index];
- return ip;
- }
-@@ -112,7 +120,7 @@ int ossl_crypto_free_ex_index_ex(OSSL_LIB_CTX *ctx, int class_index, int idx)
- if (global == NULL)
- return 0;
-
-- ip = get_and_lock(global, class_index);
-+ ip = get_and_lock(global, class_index, 0);
- if (ip == NULL)
- return 0;
-
-@@ -153,7 +161,7 @@ int ossl_crypto_get_ex_new_index_ex(OSSL_LIB_CTX *ctx, int class_index,
- if (global == NULL)
- return -1;
-
-- ip = get_and_lock(global, class_index);
-+ ip = get_and_lock(global, class_index, 0);
- if (ip == NULL)
- return -1;
-
-@@ -221,7 +229,7 @@ int ossl_crypto_new_ex_data_ex(OSSL_LIB_CTX *ctx, int class_index, void *obj,
- if (global == NULL)
- return 0;
-
-- ip = get_and_lock(global, class_index);
-+ ip = get_and_lock(global, class_index, 1);
- if (ip == NULL)
- return 0;
-
-@@ -284,7 +292,7 @@ int CRYPTO_dup_ex_data(int class_index, CRYPTO_EX_DATA *to,
- if (global == NULL)
- return 0;
-
-- ip = get_and_lock(global, class_index);
-+ ip = get_and_lock(global, class_index, 1);
- if (ip == NULL)
- return 0;
-
-@@ -373,7 +381,7 @@ void CRYPTO_free_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad)
- if (global == NULL)
- goto err;
-
-- ip = get_and_lock(global, class_index);
-+ ip = get_and_lock(global, class_index, 1);
- if (ip == NULL)
- goto err;
-
-@@ -440,7 +448,7 @@ int ossl_crypto_alloc_ex_data_intern(int class_index, void *obj,
- if (global == NULL)
-
return 0;
-
-- ip = get_and_lock(global, class_index);
-+ ip = get_and_lock(global, class_index, 1);
- if (ip == NULL)
- return 0;
- f = sk_EX_CALLBACK_value(ip->meth, idx);
---
-2.33.0
-
diff --git a/backport-aes-avoid-accessing-key-length-field-directly.patch b/backport-aes-avoid-accessing-key-length-field-directly.patch
deleted file mode 100644
index e4e2eca64df2805dbe000f10f399a26860315360..0000000000000000000000000000000000000000
--- a/backport-aes-avoid-accessing-key-length-field-directly.patch
+++ /dev/null
@@ -1,711 +0,0 @@
-From 071f5f874bb4cd7f04cf9d75be8b094b0bbc9179 Mon Sep 17 00:00:00 2001
-From: Pauli
-Date: Thu, 27 Jan 2022 12:51:13 +1100
-Subject: [PATCH] aes: avoid accessing key length field directly
-
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/17543)
-
-(cherry picked from commit 80ce874a093087b919e1c722427df30f81f5dad5)
-Reviewed-by: Hugo Landau
----
- crypto/evp/e_aes.c | 305 +++++++++++++++++++++----------
- crypto/evp/e_aes_cbc_hmac_sha1.c | 23 ++-
- 2 files changed, 224 insertions(+), 104 deletions(-)
-
-diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
-index 52b9e87c1e..d8aca6e525 100644
---- a/crypto/evp/e_aes.c
-+++ b/crypto/evp/e_aes.c
-@@ -146,20 +146,21 @@ static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- {
- int ret, mode;
- EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
-+ const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
-
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
- mode = EVP_CIPHER_CTX_get_mode(ctx);
- if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
- && !enc) {
-- ret = aesni_set_decrypt_key(key,
-- EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &dat->ks.ks);
-+ ret = aesni_set_decrypt_key(key, keylen, &dat->ks.ks);
- dat->block = (block128_f) aesni_decrypt;
- dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
- (cbc128_f) aesni_cbc_encrypt : NULL;
- } else {
-- ret = aesni_set_encrypt_key(key,
-- EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &dat->ks.ks);
-+ ret = aesni_set_encrypt_key(key, keylen, &dat->ks.ks);
- dat->block = (block128_f) aesni_encrypt;
- if (mode == EVP_CIPH_CBC_MODE)
- dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt;
-@@ -223,12 +224,19 @@ static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
- static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv, int enc)
- {
-- EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
-- if (!iv && !key)
-+ EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX, ctx);
-+
-+ if (iv == NULL && key == NULL)
- return 1;
-+
- if (key) {
-- aesni_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &gctx->ks.ks);
-+ const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
-+
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
-+ aesni_set_encrypt_key(key, keylen, &gctx->ks.ks);
- CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) aesni_encrypt);
- gctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
- /*
-@@ -262,14 +270,19 @@ static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- {
- EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
-
-- if (!iv && !key)
-+ if (iv == NULL && key == NULL)
- return 1;
-
- if (key) {
- /* The key is two half length keys in reality */
-- const int bytes = EVP_CIPHER_CTX_get_key_length(ctx) / 2;
-+ const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
-+ const int bytes = keylen / 2;
- const int bits = bytes * 8;
-
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
- /*
- * Verify that the two keys are different.
- *
-@@ -315,11 +328,18 @@ static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv, int enc)
- {
- EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
-- if (!iv && !key)
-+
-+ if (iv == NULL && key == NULL)
- return 1;
-- if (key) {
-- aesni_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &cctx->ks.ks);
-+
-+ if (key != NULL) {
-+ const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
-+
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
-+ aesni_set_encrypt_key(key, keylen, &cctx->ks.ks);
- CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
- &cctx->ks, (block128_f) aesni_encrypt);
- cctx->str = enc ? (ccm128_f) aesni_ccm64_encrypt_blocks :
-@@ -342,19 +362,25 @@ static int aesni_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv, int enc)
- {
- EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
-- if (!iv && !key)
-+
-+ if (iv == NULL && key == NULL)
- return 1;
-- if (key) {
-+
-+ if (key != NULL) {
-+ const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
-+
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
- do {
- /*
- * We set both the encrypt and decrypt key here because decrypt
- * needs both. We could possibly optimise to remove setting the
- * decrypt for an encryption operation.
- */
-- aesni_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &octx->ksenc.ks);
-- aesni_set_decrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &octx->ksdec.ks);
-+ aesni_set_encrypt_key(key, keylen, &octx->ksenc.ks);
-+ aesni_set_decrypt_key(key, keylen, &octx->ksdec.ks);
- if (!CRYPTO_ocb128_init(&octx->ocb,
- &octx->ksenc.ks, &octx->ksdec.ks,
- (block128_f) aesni_encrypt,
-@@ -452,6 +478,10 @@ static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-
- mode = EVP_CIPHER_CTX_get_mode(ctx);
- bits = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
-+ if (bits <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
- if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
- && !enc) {
- ret = 0;
-@@ -547,10 +577,16 @@ static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv, int enc)
- {
- EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
-- if (!iv && !key)
-+
-+ if (iv == NULL && key == NULL)
- return 1;
- if (key) {
-- int bits = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
-+ const int bits = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
-+
-+ if (bits <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
- aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks);
- CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
- (block128_f) aes_t4_encrypt);
-@@ -603,9 +639,14 @@ static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-
- if (key) {
- /* The key is two half length keys in reality */
-- const int bytes = EVP_CIPHER_CTX_get_key_length(ctx) / 2;
-+ const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
-+ const int bytes = keylen / 2;
- const int bits = bytes * 8;
-
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
- /*
- * Verify that the two keys are different.
- *
-@@ -670,10 +711,17 @@ static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv, int enc)
- {
- EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
-- if (!iv && !key)
-+
-+ if (iv == NULL && key == NULL)
- return 1;
-- if (key) {
-- int bits = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
-+
-+ if (key != NULL) {
-+ const int bits = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
-+
-+ if (bits <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
- aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks);
- CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
- &cctx->ks, (block128_f) aes_t4_encrypt);
-@@ -696,19 +744,25 @@ static int aes_t4_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv, int enc)
- {
- EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
-- if (!iv && !key)
-+
-+ if (iv == NULL && key == NULL)
- return 1;
-- if (key) {
-+
-+ if (key != NULL) {
-+ const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
-+
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
- do {
- /*
- * We set both the encrypt and decrypt key here because decrypt
- * needs both. We could possibly optimise to remove setting the
- * decrypt for an encryption operation.
- */
-- aes_t4_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &octx->ksenc.ks);
-- aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &octx->ksdec.ks);
-+ aes_t4_set_encrypt_key(key, keylen, &octx->ksenc.ks);
-+ aes_t4_set_decrypt_key(key, keylen, &octx->ksdec.ks);
- if (!CRYPTO_ocb128_init(&octx->ocb,
- &octx->ksenc.ks, &octx->ksdec.ks,
- (block128_f) aes_t4_encrypt,
-@@ -973,6 +1027,10 @@ static int s390x_aes_ecb_init_key(EVP_CIPHER_CTX *ctx,
- S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx);
- const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
-
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
- cctx->fc = S390X_AES_FC(keylen);
- if (!enc)
- cctx->fc |= S390X_DECRYPT;
-@@ -999,6 +1057,14 @@ static int s390x_aes_ofb_init_key(EVP_CIPHER_CTX *ctx,
- const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
- const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
-
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
-+ if (ivlen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
-+ return 0;
-+ }
- memcpy(cctx->kmo.param.cv, iv, ivlen);
- memcpy(cctx->kmo.param.k, key, keylen);
- cctx->fc = S390X_AES_FC(keylen);
-@@ -1058,6 +1124,14 @@ static int s390x_aes_cfb_init_key(EVP_CIPHER_CTX *ctx,
- const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
- const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
-
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
-+ if (ivlen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
-+ return 0;
-+ }
- cctx->fc = S390X_AES_FC(keylen);
- cctx->fc |= 16 << 24; /* 16 bytes cipher feedback */
- if (!enc)
-@@ -1081,6 +1155,14 @@ static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
- int rem;
- unsigned char tmp;
-
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
-+ if (ivlen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
-+ return 0;
-+ }
- memcpy(cctx->kmf.param.cv, iv, ivlen);
- while (n && len) {
- tmp = *in;
-@@ -1128,6 +1210,14 @@ static int s390x_aes_cfb8_init_key(EVP_CIPHER_CTX *ctx,
- const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
- const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx);
-
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
-+ if (ivlen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH);
-+ return 0;
-+ }
- cctx->fc = S390X_AES_FC(keylen);
- cctx->fc |= 1 << 24; /* 1 byte cipher feedback */
- if (!enc)
-@@ -1533,6 +1623,11 @@ static int s390x_aes_gcm_init_key(EVP_CIPHER_CTX *ctx,
-
- if (key != NULL) {
- keylen = EVP_CIPHER_CTX_get_key_length(ctx);
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
-+
- memcpy(&gctx->kma.param.k, key, keylen);
-
- gctx->fc = S390X_AES_FC(keylen);
-@@ -1939,6 +2034,11 @@ static int s390x_aes_ccm_init_key(EVP_CIPHER_CTX *ctx,
-
- if (key != NULL) {
- keylen = EVP_CIPHER_CTX_get_key_length(ctx);
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
-+
- cctx->aes.ccm.fc = S390X_AES_FC(keylen);
- memcpy(cctx->aes.ccm.kmac_param.k, key, keylen);
-
-@@ -2315,15 +2415,19 @@ static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- {
- int ret, mode;
- EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
-+ const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
-+
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
-
- mode = EVP_CIPHER_CTX_get_mode(ctx);
- if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE)
- && !enc) {
- #ifdef HWAES_CAPABLE
- if (HWAES_CAPABLE) {
-- ret = HWAES_set_decrypt_key(key,
-- EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &dat->ks.ks);
-+ ret = HWAES_set_decrypt_key(key, keylen, &dat->ks.ks);
- dat->block = (block128_f) HWAES_decrypt;
- dat->stream.cbc = NULL;
- # ifdef HWAES_cbc_encrypt
-@@ -2334,27 +2438,21 @@ static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- #endif
- #ifdef BSAES_CAPABLE
- if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
-- ret = AES_set_decrypt_key(key,
-- EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &dat->ks.ks);
-+ ret = AES_set_decrypt_key(key, keylen, &dat->ks.ks);
- dat->block = (block128_f) AES_decrypt;
- dat->stream.cbc = (cbc128_f) ossl_bsaes_cbc_encrypt;
- } else
- #endif
- #ifdef VPAES_CAPABLE
- if (VPAES_CAPABLE) {
-- ret = vpaes_set_decrypt_key(key,
-- EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &dat->ks.ks);
-+ ret = vpaes_set_decrypt_key(key, keylen, &dat->ks.ks);
- dat->block = (block128_f) vpaes_decrypt;
- dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
- (cbc128_f) vpaes_cbc_encrypt : NULL;
- } else
- #endif
- {
-- ret = AES_set_decrypt_key(key,
-- EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &dat->ks.ks);
-+ ret = AES_set_decrypt_key(key, keylen, &dat->ks.ks);
- dat->block = (block128_f) AES_decrypt;
- dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
- (cbc128_f) AES_cbc_encrypt : NULL;
-@@ -2362,9 +2460,7 @@ static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- } else
- #ifdef HWAES_CAPABLE
- if (HWAES_CAPABLE) {
-- ret = HWAES_set_encrypt_key(key,
-- EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &dat->ks.ks);
-+ ret = HWAES_set_encrypt_key(key, keylen, &dat->ks.ks);
- dat->block = (block128_f) HWAES_encrypt;
- dat->stream.cbc = NULL;
- # ifdef HWAES_cbc_encrypt
-@@ -2382,25 +2478,21 @@ static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- #endif
- #ifdef BSAES_CAPABLE
- if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
-- ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &dat->ks.ks);
-+ ret = AES_set_encrypt_key(key, keylen, &dat->ks.ks);
- dat->block = (block128_f) AES_encrypt;
- dat->stream.ctr = (ctr128_f) ossl_bsaes_ctr32_encrypt_blocks;
- } else
- #endif
- #ifdef VPAES_CAPABLE
- if (VPAES_CAPABLE) {
-- ret = vpaes_set_encrypt_key(key,
-- EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &dat->ks.ks);
-+ ret = vpaes_set_encrypt_key(key, keylen, &dat->ks.ks);
- dat->block = (block128_f) vpaes_encrypt;
- dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
- (cbc128_f) vpaes_cbc_encrypt : NULL;
- } else
- #endif
- {
-- ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &dat->ks.ks);
-+ ret = AES_set_encrypt_key(key, keylen, &dat->ks.ks);
- dat->block = (block128_f) AES_encrypt;
- dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
- (cbc128_f) AES_cbc_encrypt : NULL;
-@@ -2711,13 +2803,21 @@ static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv, int enc)
- {
- EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx);
-- if (!iv && !key)
-+
-+ if (iv == NULL && key == NULL)
- return 1;
-- if (key) {
-+
-+ if (key != NULL) {
-+ const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
-+
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
- do {
- #ifdef HWAES_CAPABLE
- if (HWAES_CAPABLE) {
-- HWAES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
-+ HWAES_set_encrypt_key(key, keylen, &gctx->ks.ks);
- CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
- (block128_f) HWAES_encrypt);
- # ifdef HWAES_ctr32_encrypt_blocks
-@@ -2730,7 +2830,7 @@ static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- #endif
- #ifdef BSAES_CAPABLE
- if (BSAES_CAPABLE) {
-- AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
-+ AES_set_encrypt_key(key, keylen, &gctx->ks.ks);
- CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
- (block128_f) AES_encrypt);
- gctx->ctr = (ctr128_f) ossl_bsaes_ctr32_encrypt_blocks;
-@@ -2739,7 +2839,7 @@ static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- #endif
- #ifdef VPAES_CAPABLE
- if (VPAES_CAPABLE) {
-- vpaes_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
-+ vpaes_set_encrypt_key(key, keylen, &gctx->ks.ks);
- CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
- (block128_f) vpaes_encrypt);
- gctx->ctr = NULL;
-@@ -2748,7 +2848,7 @@ static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- #endif
- (void)0; /* terminate potentially open 'else' */
-
-- AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
-+ AES_set_encrypt_key(key, keylen, &gctx->ks.ks);
- CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
- (block128_f) AES_encrypt);
- #ifdef AES_CTR_ASM
-@@ -3128,15 +3228,20 @@ static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- {
- EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx);
-
-- if (!iv && !key)
-+ if (iv == NULL && key == NULL)
- return 1;
-
-- if (key) {
-+ if (key != NULL) {
- do {
- /* The key is two half length keys in reality */
-- const int bytes = EVP_CIPHER_CTX_get_key_length(ctx) / 2;
-+ const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
-+ const int bytes = keylen / 2;
- const int bits = bytes * 8;
-
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
- /*
- * Verify that the two keys are different.
- *
-@@ -3382,15 +3487,21 @@ static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv, int enc)
- {
- EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx);
-- if (!iv && !key)
-+
-+ if (iv == NULL && key == NULL)
- return 1;
-- if (key)
-+
-+ if (key != NULL) {
-+ const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
-+
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
- do {
- #ifdef HWAES_CAPABLE
- if (HWAES_CAPABLE) {
-- HWAES_set_encrypt_key(key,
-- EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &cctx->ks.ks);
-+ HWAES_set_encrypt_key(key, keylen, &cctx->ks.ks);
-
- CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
- &cctx->ks, (block128_f) HWAES_encrypt);
-@@ -3401,9 +3512,7 @@ static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- #endif
- #ifdef VPAES_CAPABLE
- if (VPAES_CAPABLE) {
-- vpaes_set_encrypt_key(key,
-- EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &cctx->ks.ks);
-+ vpaes_set_encrypt_key(key, keylen, &cctx->ks.ks);
- CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
- &cctx->ks, (block128_f) vpaes_encrypt);
- cctx->str = NULL;
-@@ -3411,14 +3520,14 @@ static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- break;
- }
- #endif
-- AES_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &cctx->ks.ks);
-+ AES_set_encrypt_key(key, keylen, &cctx->ks.ks);
- CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
- &cctx->ks, (block128_f) AES_encrypt);
- cctx->str = NULL;
- cctx->key_set = 1;
- } while (0);
-- if (iv) {
-+ }
-+ if (iv != NULL) {
- memcpy(ctx->iv, iv, 15 - cctx->L);
- cctx->iv_set = 1;
- }
-@@ -3573,12 +3682,16 @@ static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- if (iv == NULL && key == NULL)
- return 1;
- if (key != NULL) {
-+ const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
-+
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
- if (EVP_CIPHER_CTX_is_encrypting(ctx))
-- AES_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &wctx->ks.ks);
-+ AES_set_encrypt_key(key, keylen, &wctx->ks.ks);
- else
-- AES_set_decrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &wctx->ks.ks);
-+ AES_set_decrypt_key(key, keylen, &wctx->ks.ks);
- if (iv == NULL)
- wctx->iv = NULL;
- }
-@@ -3806,9 +3919,17 @@ static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv, int enc)
- {
- EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx);
-- if (!iv && !key)
-+
-+ if (iv == NULL && key == NULL)
- return 1;
-- if (key) {
-+
-+ if (key != NULL) {
-+ const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
-+
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
- do {
- /*
- * We set both the encrypt and decrypt key here because decrypt
-@@ -3817,10 +3938,8 @@ static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- */
- # ifdef HWAES_CAPABLE
- if (HWAES_CAPABLE) {
-- HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &octx->ksenc.ks);
-- HWAES_set_decrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &octx->ksdec.ks);
-+ HWAES_set_encrypt_key(key, keylen, &octx->ksenc.ks);
-+ HWAES_set_decrypt_key(key, keylen, &octx->ksdec.ks);
- if (!CRYPTO_ocb128_init(&octx->ocb,
- &octx->ksenc.ks, &octx->ksdec.ks,
- (block128_f) HWAES_encrypt,
-@@ -3833,12 +3952,8 @@ static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- # endif
- # ifdef VPAES_CAPABLE
- if (VPAES_CAPABLE) {
-- vpaes_set_encrypt_key(key,
-- EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &octx->ksenc.ks);
-- vpaes_set_decrypt_key(key,
-- EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &octx->ksdec.ks);
-+ vpaes_set_encrypt_key(key, keylen, &octx->ksenc.ks);
-+ vpaes_set_decrypt_key(key, keylen, &octx->ksdec.ks);
- if (!CRYPTO_ocb128_init(&octx->ocb,
- &octx->ksenc.ks, &octx->ksdec.ks,
- (block128_f) vpaes_encrypt,
-@@ -3848,10 +3963,8 @@ static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- break;
- }
- # endif
-- AES_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &octx->ksenc.ks);
-- AES_set_decrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &octx->ksdec.ks);
-+ AES_set_encrypt_key(key, keylen, &octx->ksenc.ks);
-+ AES_set_decrypt_key(key, keylen, &octx->ksdec.ks);
- if (!CRYPTO_ocb128_init(&octx->ocb,
- &octx->ksenc.ks, &octx->ksdec.ks,
- (block128_f) AES_encrypt,
-diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
-index 4941f98e64..5f25cda0ec 100644
---- a/crypto/evp/e_aes_cbc_hmac_sha1.c
-+++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
-@@ -72,15 +72,16 @@ static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
- {
- EVP_AES_HMAC_SHA1 *key = data(ctx);
- int ret;
-+ const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8;
-
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
- if (enc)
-- ret = aesni_set_encrypt_key(inkey,
-- EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &key->ks);
-+ ret = aesni_set_encrypt_key(inkey, keylen, &key->ks);
- else
-- ret = aesni_set_decrypt_key(inkey,
-- EVP_CIPHER_CTX_get_key_length(ctx) * 8,
-- &key->ks);
-+ ret = aesni_set_decrypt_key(inkey, keylen, &key->ks);
-
- SHA1_Init(&key->head); /* handy when benchmarking */
- key->tail = key->head;
-@@ -496,6 +497,12 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
- # if defined(STITCHED_DECRYPT_CALL)
- unsigned char tail_iv[AES_BLOCK_SIZE];
- int stitch = 0;
-+ const int keylen = EVP_CIPHER_CTX_get_key_length(ctx);
-+
-+ if (keylen <= 0) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH);
-+ return 0;
-+ }
- # endif
-
- if ((key->aux.tls_aad[plen - 4] << 8 | key->aux.tls_aad[plen - 3])
-@@ -513,7 +520,7 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
- return 0;
-
- # if defined(STITCHED_DECRYPT_CALL)
-- if (len >= 1024 && ctx->key_len == 32) {
-+ if (len >= 1024 && keylen == 32) {
- /* decrypt last block */
- memcpy(tail_iv, in + len - 2 * AES_BLOCK_SIZE,
- AES_BLOCK_SIZE);
-@@ -734,7 +741,7 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
- return ret;
- } else {
- # if defined(STITCHED_DECRYPT_CALL)
-- if (len >= 1024 && ctx->key_len == 32) {
-+ if (len >= 1024 && keylen == 32) {
- if (sha_off %= SHA_CBLOCK)
- blocks = (len - 3 * SHA_CBLOCK) / SHA_CBLOCK;
- else
---
-2.33.0
-
diff --git a/backport-evp-enc-cache-cipher-key-length.patch b/backport-evp-enc-cache-cipher-key-length.patch
deleted file mode 100644
index d0619ede2dec34b645e3a7190b1bc74448ff2b2c..0000000000000000000000000000000000000000
--- a/backport-evp-enc-cache-cipher-key-length.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-From bbbccd795940114cb18722fc6fffe2b25ce3c436 Mon Sep 17 00:00:00 2001
-From: Pauli
-Date: Thu, 27 Jan 2022 13:33:36 +1100
-Subject: [PATCH] evp enc: cache cipher key length
-
-Instead of doing a heavy params based query every time a context is
-asked for its key length, this value is cached in the context and only
-queried if it could have been modified.
-
-Fixes #17064
-
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/17543)
-
-(cherry picked from commit 70f39a487d3f7d976a01e0ee7ae98a82ceeea7a0)
-Reviewed-by: Hugo Landau
----
- crypto/evp/evp_enc.c | 31 ++++++++++++++++++++++++-------
- crypto/evp/evp_lib.c | 26 ++++++++++++++++++++------
- 2 files changed, 44 insertions(+), 13 deletions(-)
-
-diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
-index 921d24dd3d..a6468f6767 100644
---- a/crypto/evp/evp_enc.c
-+++ b/crypto/evp/evp_enc.c
-@@ -62,7 +62,7 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx)
- ENGINE_finish(ctx->engine);
- #endif
- memset(ctx, 0, sizeof(*ctx));
-- ctx->iv_len = -1;
-+ ctx->iv_len = 0;
- return 1;
- }
-
-@@ -994,7 +994,7 @@ int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, int keylen)
- if (c->cipher->prov != NULL) {
- int ok;
- OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
-- size_t len = keylen;
-+ size_t len;
-
- if (EVP_CIPHER_CTX_get_key_length(c) == keylen)
- return 1;
-@@ -1007,9 +1007,13 @@ int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, int keylen)
- }
-
- params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, &len);
-+ if (!OSSL_PARAM_set_int(params, keylen))
-+ return 0;
- ok = evp_do_ciph_ctx_setparams(c->cipher, c->algctx, params);
--
-- return ok > 0 ? 1 : 0;
-+ if (ok <= 0)
-+ return 0;
-+ c->key_len = keylen;
-+ return 1;
- }
-
- /* Code below to be removed when legacy support is dropped. */
-@@ -1070,6 +1074,7 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
- switch (type) {
- case EVP_CTRL_SET_KEY_LENGTH:
- params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, &sz);
-+ ctx->key_len = -1;
- break;
- case EVP_CTRL_RAND_KEY: /* Used by DES */
- set_params = 0;
-@@ -1265,11 +1270,23 @@ int EVP_CIPHER_get_params(EVP_CIPHER *cipher, OSSL_PARAM params[])
-
- int EVP_CIPHER_CTX_set_params(EVP_CIPHER_CTX *ctx, const OSSL_PARAM params[])
- {
-+ int r = 0;
-+ const OSSL_PARAM *p;
-+
- if (ctx->cipher != NULL && ctx->cipher->set_ctx_params != NULL) {
-- ctx->iv_len = -1;
-- return ctx->cipher->set_ctx_params(ctx->algctx, params);
-+ r = ctx->cipher->set_ctx_params(ctx->algctx, params);
-+ if (r > 0) {
-+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
-+ if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->key_len))
-+ r = 0;
-+ }
-+ if (r > 0) {
-+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN);
-+ if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->iv_len))
-+ r = 0;
-+ }
- }
-- return 0;
-+ return r;
- }
-
- int EVP_CIPHER_CTX_get_params(EVP_CIPHER_CTX *ctx, OSSL_PARAM params[])
-diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
-index d88066d0a2..98bb25655d 100644
---- a/crypto/evp/evp_lib.c
-+++ b/crypto/evp/evp_lib.c
-@@ -652,14 +652,28 @@ int EVP_CIPHER_get_key_length(const EVP_CIPHER *cipher)
-
- int EVP_CIPHER_CTX_get_key_length(const EVP_CIPHER_CTX *ctx)
- {
-- int ok;
-- size_t v = ctx->key_len;
-- OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
-+ if (ctx->key_len <= 0 && ctx->cipher->prov != NULL) {
-+ int ok;
-+ OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
-+ size_t len;
-
-- params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, &v);
-- ok = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params);
-+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, &len);
-+ ok = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params);
-+ if (ok <= 0)
-+ return EVP_CTRL_RET_UNSUPPORTED;
-
-- return ok != 0 ? (int)v : EVP_CTRL_RET_UNSUPPORTED;
-+ /*-
-+ * The if branch should never be taken since EVP_MAX_KEY_LENGTH is
-+ * less than INT_MAX but best to be safe.
-+ *
-+ * Casting away the const is annoying but required here. We need to
-+ * cache the result for performance reasons.
-+ */
-+ if (!OSSL_PARAM_get_int(params, &((EVP_CIPHER_CTX *)ctx)->key_len))
-+ return -1;
-+ ((EVP_CIPHER_CTX *)ctx)->key_len = (int)len;
-+ }
-+ return ctx->key_len;
- }
-
- int EVP_CIPHER_get_nid(const EVP_CIPHER *cipher)
---
-2.33.0
-
diff --git a/backport-evp_md_init_internal-Avoid-reallocating-algctx-if-di.patch b/backport-evp_md_init_internal-Avoid-reallocating-algctx-if-di.patch
deleted file mode 100644
index 72101aafa55bc63c55dbad6b37a2f874f2a67dae..0000000000000000000000000000000000000000
--- a/backport-evp_md_init_internal-Avoid-reallocating-algctx-if-di.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From 708bf3dde8f53446cccded5dadafb853e7e9d38b Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Wed, 13 Apr 2022 16:26:18 +0200
-Subject: [PATCH] evp_md_init_internal: Avoid reallocating algctx if digest
- unchanged
-
-Fixes #16947
-
-Also refactor out algctx freeing into a separate function.
-
-Reviewed-by: Dmitry Belyavskiy
-Reviewed-by: Ben Kaduk
-Reviewed-by: Paul Dale
-(Merged from https://github.com/openssl/openssl/pull/18105)
-
-(cherry picked from commit fe5c5cb85197aec7d68ab095b866ed22076850d0)
----
- crypto/evp/digest.c | 35 ++++++++++++++++++++---------------
- crypto/evp/m_sigver.c | 11 ++---------
- include/crypto/evp.h | 2 ++
- 3 files changed, 24 insertions(+), 24 deletions(-)
-
-diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
-index b93e079b15..7a8e15241f 100644
---- a/crypto/evp/digest.c
-+++ b/crypto/evp/digest.c
-@@ -141,6 +141,20 @@ void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
- OPENSSL_free(ctx);
- }
-
-+int evp_md_ctx_free_algctx(EVP_MD_CTX *ctx)
-+{
-+ if (ctx->algctx != NULL) {
-+ if (!ossl_assert(ctx->digest != NULL)) {
-+ ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
-+ return 0;
-+ }
-+ if (ctx->digest->freectx != NULL)
-+ ctx->digest->freectx(ctx->algctx);
-+ ctx->algctx = NULL;
-+ }
-+ return 1;
-+}
-+
- static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type,
- const OSSL_PARAM params[], ENGINE *impl)
- {
-@@ -169,16 +183,6 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type,
-
- EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
-
-- if (ctx->algctx != NULL) {
-- if (!ossl_assert(ctx->digest != NULL)) {
-- ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
-- return 0;
-- }
-- if (ctx->digest->freectx != NULL)
-- ctx->digest->freectx(ctx->algctx);
-- ctx->algctx = NULL;
-- }
--
- if (type != NULL) {
- ctx->reqdigest = type;
- } else {
-@@ -229,6 +233,10 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type,
- || (type != NULL && type->origin == EVP_ORIG_METH)
- || (type == NULL && ctx->digest != NULL
- && ctx->digest->origin == EVP_ORIG_METH)) {
-+ /* If we were using provided hash before, cleanup algctx */
-+ if (!evp_md_ctx_free_algctx(ctx))
-+ return 0;
-+
- if (ctx->digest == ctx->fetched_digest)
- ctx->digest = NULL;
- EVP_MD_free(ctx->fetched_digest);
-@@ -239,6 +247,8 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type,
- cleanup_old_md_data(ctx, 1);
-
- /* Start of non-legacy code below */
-+ if (ctx->digest != type && !evp_md_ctx_free_algctx(ctx))
-+ return 0;
-
- if (type->prov == NULL) {
- #ifdef FIPS_MODULE
-@@ -261,11 +271,6 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type,
- #endif
- }
-
-- if (ctx->algctx != NULL && ctx->digest != NULL && ctx->digest != type) {
-- if (ctx->digest->freectx != NULL)
-- ctx->digest->freectx(ctx->algctx);
-- ctx->algctx = NULL;
-- }
- if (type->prov != NULL && ctx->fetched_digest != type) {
- if (!EVP_MD_up_ref((EVP_MD *)type)) {
- ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
-diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
-index fc087d2cb6..630d339c35 100644
---- a/crypto/evp/m_sigver.c
-+++ b/crypto/evp/m_sigver.c
-@@ -51,15 +51,8 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
- void *provkey = NULL;
- int ret, iter, reinit = 1;
-
-- if (ctx->algctx != NULL) {
-- if (!ossl_assert(ctx->digest != NULL)) {
-- ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
-- return 0;
-- }
-- if (ctx->digest->freectx != NULL)
-- ctx->digest->freectx(ctx->algctx);
-- ctx->algctx = NULL;
-- }
-+ if (!evp_md_ctx_free_algctx(ctx))
-+ return 0;
-
- if (ctx->pctx == NULL) {
- reinit = 0;
-diff --git a/include/crypto/evp.h b/include/crypto/evp.h
-index e70d8e9e84..dbbdcccbda 100644
---- a/include/crypto/evp.h
-+++ b/include/crypto/evp.h
-@@ -909,6 +909,8 @@ int evp_set_default_properties_int(OSSL_LIB_CTX *libctx, const char *propq,
- char *evp_get_global_properties_str(OSSL_LIB_CTX *libctx, int loadconfig);
-
- void evp_md_ctx_clear_digest(EVP_MD_CTX *ctx, int force, int keep_digest);
-+/* just free the algctx if set, returns 0 on inconsistent state of ctx */
-+int evp_md_ctx_free_algctx(EVP_MD_CTX *ctx);
-
- /* Three possible states: */
- # define EVP_PKEY_STATE_UNKNOWN 0
---
-2.33.0
-
diff --git a/backport-ossl_namemap_name2_num-Avoid-unnecessary-OPENSSL_str.patch b/backport-ossl_namemap_name2_num-Avoid-unnecessary-OPENSSL_str.patch
deleted file mode 100644
index 88f97d15ee86db16d1ba22924bf543681f1492d2..0000000000000000000000000000000000000000
--- a/backport-ossl_namemap_name2_num-Avoid-unnecessary-OPENSSL_str.patch
+++ /dev/null
@@ -1,137 +0,0 @@ -From 8af5c6c4d340961dcb853a6126831ebc5a86b311 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Wed, 18 May 2022 16:45:20 +0200 -Subject: [PATCH] ossl_namemap_name2_num: Avoid unnecessary OPENSSL_strndup(). - -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/18341) - -(cherry picked from commit dab5098eacb9e264c32a33332ba047f234a3de68) ---- - crypto/core_namemap.c | 55 +++++++++++++++++++++++++++++-------------- - 1 file changed, 37 insertions(+), 18 deletions(-) - -diff --git a/crypto/core_namemap.c b/crypto/core_namemap.c -index 554524a5c4..4c1ca05308 100644 ---- a/crypto/core_namemap.c -+++ b/crypto/core_namemap.c -@@ -166,22 +166,19 @@ int ossl_namemap_doall_names(const OSSL_NAMEMAP *namemap, int number, - return 1; - } - --static int namemap_name2num_n(const OSSL_NAMEMAP *namemap, -- const char *name, size_t name_len) -+static int namemap_name2num(const OSSL_NAMEMAP *namemap, -+ const char *name) - { - NAMENUM_ENTRY *namenum_entry, namenum_tmpl; - -- if ((namenum_tmpl.name = OPENSSL_strndup(name, name_len)) == NULL) -- return 0; -+ namenum_tmpl.name = (char *)name; - namenum_tmpl.number = 0; - namenum_entry = - lh_NAMENUM_ENTRY_retrieve(namemap->namenum, &namenum_tmpl); -- OPENSSL_free(namenum_tmpl.name); - return namenum_entry != NULL ? 
namenum_entry->number : 0; - } - --int ossl_namemap_name2num_n(const OSSL_NAMEMAP *namemap, -- const char *name, size_t name_len) -+int ossl_namemap_name2num(const OSSL_NAMEMAP *namemap, const char *name) - { - int number; - -@@ -195,18 +192,24 @@ int ossl_namemap_name2num_n(const OSSL_NAMEMAP *namemap, - - if (!CRYPTO_THREAD_read_lock(namemap->lock)) - return 0; -- number = namemap_name2num_n(namemap, name, name_len); -+ number = namemap_name2num(namemap, name); - CRYPTO_THREAD_unlock(namemap->lock); - - return number; - } - --int ossl_namemap_name2num(const OSSL_NAMEMAP *namemap, const char *name) -+int ossl_namemap_name2num_n(const OSSL_NAMEMAP *namemap, -+ const char *name, size_t name_len) - { -- if (name == NULL) -+ char *tmp; -+ int ret; -+ -+ if (name == NULL || (tmp = OPENSSL_strndup(name, name_len)) == NULL) - return 0; - -- return ossl_namemap_name2num_n(namemap, name, strlen(name)); -+ ret = ossl_namemap_name2num(namemap, tmp); -+ OPENSSL_free(tmp); -+ return ret; - } - - struct num2name_data_st { -@@ -241,14 +244,20 @@ static int namemap_add_name_n(OSSL_NAMEMAP *namemap, int number, - { - NAMENUM_ENTRY *namenum = NULL; - int tmp_number; -+ char *tmp = OPENSSL_strndup(name, name_len); -+ -+ if (tmp == NULL) -+ return 0; - - /* If it already exists, we don't add it */ -- if ((tmp_number = namemap_name2num_n(namemap, name, name_len)) != 0) -+ if ((tmp_number = namemap_name2num(namemap, tmp)) != 0) { -+ OPENSSL_free(tmp); - return tmp_number; -+ } - -- if ((namenum = OPENSSL_zalloc(sizeof(*namenum))) == NULL -- || (namenum->name = OPENSSL_strndup(name, name_len)) == NULL) -+ if ((namenum = OPENSSL_zalloc(sizeof(*namenum))) == NULL) - goto err; -+ namenum->name = tmp; - - /* The tsan_counter use here is safe since we're under lock */ - namenum->number = -@@ -260,7 +269,8 @@ static int namemap_add_name_n(OSSL_NAMEMAP *namemap, int number, - return namenum->number; - - err: -- namenum_free(namenum); -+ OPENSSL_free(tmp); -+ OPENSSL_free(namenum); - return 0; 
- } - -@@ -312,13 +322,22 @@ int ossl_namemap_add_names(OSSL_NAMEMAP *namemap, int number, - */ - for (p = names; *p != '\0'; p = (q == NULL ? p + l : q + 1)) { - int this_number; -+ char *allocated; -+ const char *tmp; - -- if ((q = strchr(p, separator)) == NULL) -+ if ((q = strchr(p, separator)) == NULL) { - l = strlen(p); /* offset to \0 */ -- else -+ tmp = p; -+ allocated = NULL; -+ } else { - l = q - p; /* offset to the next separator */ -+ tmp = allocated = OPENSSL_strndup(p, l); -+ if (tmp == NULL) -+ goto err; -+ } - -- this_number = namemap_name2num_n(namemap, p, l); -+ this_number = namemap_name2num(namemap, tmp); -+ OPENSSL_free(allocated); - - if (*p == '\0' || *p == separator) { - ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_BAD_ALGORITHM_NAME); --- -2.33.0 - diff --git a/backport-params-provide-a-faster-TRIE-based-param-lookup.patch b/backport-params-provide-a-faster-TRIE-based-param-lookup.patch deleted file mode 100644 index 4940c36ed59bb319c4ad5d2b7ecf2e44ec2e8b4e..0000000000000000000000000000000000000000 --- a/backport-params-provide-a-faster-TRIE-based-param-lookup.patch +++ /dev/null 
@@ -1,1686 +0,0 @@ -From ed34eddc7e458dd013f7a7228f707ee2095909c5 Mon Sep 17 00:00:00 2001 -From: wangcheng -Date: Wed, 25 Sep 2024 16:52:03 +0800 -Subject: [PATCH] 2 - ---- - build.info | 11 +- - crypto/build.info | 2 +- - crypto/params_idx.c.in | 21 + - include/internal/e_os.h | 432 +++++++++++ - include/internal/param_names.h.in | 18 + - include/openssl/core_names.h.in | 118 +++ - .../ciphers/ciphercommon_gcm.c | 288 ++++---- - util/perl/OpenSSL/paramnames.pm | 673 ++++++++++++++++++ - 8 files changed, 1426 insertions(+), 137 deletions(-) - create mode 100644 crypto/params_idx.c.in - create mode 100644 include/internal/e_os.h - create mode 100644 include/internal/param_names.h.in - create mode 100644 include/openssl/core_names.h.in - create mode 100644 util/perl/OpenSSL/paramnames.pm - -diff --git a/build.info b/build.info -index 5a84216..630696c 100644 ---- a/build.info -+++ b/build.info -@@ -22,6 +22,7 @@ DEPEND[]=include/openssl/asn1.h \ - include/openssl/cmp.h \ - include/openssl/cms.h \ - include/openssl/conf.h \ -+ include/openssl/core_names.h \ - include/openssl/crmf.h \ - include/openssl/crypto.h \ - include/openssl/ct.h \ -@@ -40,7 +41,8 @@ DEPEND[]=include/openssl/asn1.h \ - include/openssl/x509.h \ - include/openssl/x509v3.h \ - include/openssl/x509_vfy.h \ -- include/crypto/bn_conf.h include/crypto/dso_conf.h -+ include/crypto/bn_conf.h include/crypto/dso_conf.h \ -+ include/internal/param_names.h crypto/params_idx.c - - GENERATE[include/openssl/asn1.h]=include/openssl/asn1.h.in - GENERATE[include/openssl/asn1t.h]=include/openssl/asn1t.h.in -@@ -73,6 +75,13 @@ GENERATE[include/openssl/x509_vfy.h]=include/openssl/x509_vfy.h.in - GENERATE[include/crypto/bn_conf.h]=include/crypto/bn_conf.h.in - GENERATE[include/crypto/dso_conf.h]=include/crypto/dso_conf.h.in - -+DEPEND[crypto/params_idx.c \ -+ include/internal/param_names.h \ -+ include/openssl/core_names.h]=util/perl/OpenSSL/paramnames.pm -+GENERATE[crypto/params_idx.c]=crypto/params_idx.c.in 
-+GENERATE[include/internal/param_names.h]=include/internal/param_names.h.in -+GENERATE[include/openssl/core_names.h]=include/openssl/core_names.h.in -+ - IF[{- defined $target{shared_defflag} -}] - SHARED_SOURCE[libcrypto]=libcrypto.ld - SHARED_SOURCE[libssl]=libssl.ld -diff --git a/crypto/build.info b/crypto/build.info -index c04db55..d7afe47 100644 ---- a/crypto/build.info -+++ b/crypto/build.info -@@ -95,7 +95,7 @@ $UTIL_COMMON=\ - cryptlib.c params.c params_from_text.c bsearch.c ex_data.c o_str.c \ - threads_pthread.c threads_win.c threads_none.c initthread.c \ - context.c sparse_array.c asn1_dsa.c packet.c param_build.c \ -- param_build_set.c der_writer.c threads_lib.c params_dup.c -+ param_build_set.c der_writer.c threads_lib.c params_dup.c params_idx.c - - SOURCE[../libcrypto]=$UTIL_COMMON \ - mem.c mem_sec.c \ -diff --git a/crypto/params_idx.c.in b/crypto/params_idx.c.in -new file mode 100644 -index 0000000..f04939b ---- /dev/null -+++ b/crypto/params_idx.c.in -@@ -0,0 +1,21 @@ -+/* -+ * {- join("\n * ", @autowarntext) -} -+ * -+ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+{- -+use OpenSSL::paramnames qw(produce_decoder); -+-} -+ -+#include "internal/e_os.h" -+#include "internal/param_names.h" -+#include -+ -+/* Machine generated TRIE -- generated by util/perl/OpenSSL/paramnames.pm */ -+{- produce_decoder(); -} -+/* End of TRIE */ -diff --git a/include/internal/e_os.h b/include/internal/e_os.h -new file mode 100644 -index 0000000..db05b7f ---- /dev/null -+++ b/include/internal/e_os.h -@@ -0,0 +1,432 @@ -+/* -+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). 
You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#ifndef OSSL_E_OS_H -+# define OSSL_E_OS_H -+ -+# include -+# include -+ -+# include -+# include -+# include "internal/nelem.h" -+ -+/* -+ * contains what we can justify to make visible to the -+ * outside; this file e_os.h is not part of the exported interface. -+ */ -+ -+# if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI) -+# define NO_CHMOD -+# define NO_SYSLOG -+# endif -+ -+# define get_last_sys_error() errno -+# define clear_sys_error() errno=0 -+# define set_sys_error(e) errno=(e) -+ -+/******************************************************************** -+ The Microsoft section -+ ********************************************************************/ -+# if defined(OPENSSL_SYS_WIN32) && !defined(WIN32) -+# define WIN32 -+# endif -+# if defined(OPENSSL_SYS_WINDOWS) && !defined(WINDOWS) -+# define WINDOWS -+# endif -+# if defined(OPENSSL_SYS_MSDOS) && !defined(MSDOS) -+# define MSDOS -+# endif -+ -+# ifdef WIN32 -+# undef get_last_sys_error -+# undef clear_sys_error -+# undef set_sys_error -+# define get_last_sys_error() GetLastError() -+# define clear_sys_error() SetLastError(0) -+# define set_sys_error(e) SetLastError(e) -+# if !defined(WINNT) -+# define WIN_CONSOLE_BUG -+# endif -+# else -+# endif -+ -+# if (defined(WINDOWS) || defined(MSDOS)) -+ -+# ifdef __DJGPP__ -+# include -+# include -+# define _setmode setmode -+# define _O_TEXT O_TEXT -+# define _O_BINARY O_BINARY -+# undef DEVRANDOM_EGD /* Neither MS-DOS nor FreeDOS provide 'egd' sockets. 
*/ -+# undef DEVRANDOM -+# define DEVRANDOM "/dev/urandom\x24" -+# endif /* __DJGPP__ */ -+ -+# ifndef S_IFDIR -+# define S_IFDIR _S_IFDIR -+# endif -+ -+# ifndef S_IFMT -+# define S_IFMT _S_IFMT -+# endif -+ -+# if !defined(WINNT) && !defined(__DJGPP__) -+# define NO_SYSLOG -+# endif -+ -+# ifdef WINDOWS -+# if !defined(_WIN32_WCE) && !defined(_WIN32_WINNT) -+ /* -+ * Defining _WIN32_WINNT here in e_os.h implies certain "discipline." -+ * Most notably we ought to check for availability of each specific -+ * routine that was introduced after denoted _WIN32_WINNT with -+ * GetProcAddress(). Normally newer functions are masked with higher -+ * _WIN32_WINNT in SDK headers. So that if you wish to use them in -+ * some module, you'd need to override _WIN32_WINNT definition in -+ * the target module in order to "reach for" prototypes, but replace -+ * calls to new functions with indirect calls. Alternatively it -+ * might be possible to achieve the goal by /DELAYLOAD-ing .DLLs -+ * and check for current OS version instead. -+ */ -+# define _WIN32_WINNT 0x0501 -+# endif -+# if defined(_WIN32_WINNT) || defined(_WIN32_WCE) -+ /* -+ * Just like defining _WIN32_WINNT including winsock2.h implies -+ * certain "discipline" for maintaining [broad] binary compatibility. -+ * As long as structures are invariant among Winsock versions, -+ * it's sufficient to check for specific Winsock2 API availability -+ * at run-time [DSO_global_lookup is recommended]... -+ */ -+# include -+# include -+ /* -+ * Clang-based C++Builder 10.3.3 toolchains cannot find C inline -+ * definitions at link-time. This header defines WspiapiLoad() as an -+ * __inline function. 
https://quality.embarcadero.com/browse/RSP-33806 -+ */ -+# if !defined(__BORLANDC__) || !defined(__clang__) -+# include -+# endif -+ /* yes, they have to be #included prior to */ -+# endif -+# include -+# include -+# include -+# include -+# if defined(_WIN32_WCE) && !defined(EACCES) -+# define EACCES 13 -+# endif -+# include -+# ifdef _WIN64 -+# define strlen(s) _strlen31(s) -+/* cut strings to 2GB */ -+static __inline unsigned int _strlen31(const char *str) -+{ -+ unsigned int len = 0; -+ while (*str && len < 0x80000000U) -+ str++, len++; -+ return len & 0x7FFFFFFF; -+} -+# endif -+# include -+# if defined(_MSC_VER) && !defined(_WIN32_WCE) && !defined(_DLL) && defined(stdin) -+# if _MSC_VER>=1300 && _MSC_VER<1600 -+# undef stdin -+# undef stdout -+# undef stderr -+FILE *__iob_func(); -+# define stdin (&__iob_func()[0]) -+# define stdout (&__iob_func()[1]) -+# define stderr (&__iob_func()[2]) -+# endif -+# endif -+# endif -+# include -+# include -+ -+# ifdef OPENSSL_SYS_WINCE -+# define OPENSSL_NO_POSIX_IO -+# endif -+ -+# define EXIT(n) exit(n) -+# define LIST_SEPARATOR_CHAR ';' -+# ifndef W_OK -+# define W_OK 2 -+# endif -+# ifndef R_OK -+# define R_OK 4 -+# endif -+# ifdef OPENSSL_SYS_WINCE -+# define DEFAULT_HOME "" -+# else -+# define DEFAULT_HOME "C:" -+# endif -+ -+/* Avoid Visual Studio 13 GetVersion deprecated problems */ -+# if defined(_MSC_VER) && _MSC_VER>=1800 -+# define check_winnt() (1) -+# define check_win_minplat(x) (1) -+# else -+# define check_winnt() (GetVersion() < 0x80000000) -+# define check_win_minplat(x) (LOBYTE(LOWORD(GetVersion())) >= (x)) -+# endif -+ -+# else /* The non-microsoft world */ -+ -+# if defined(OPENSSL_SYS_VXWORKS) -+# include -+# else -+# include -+# endif -+ -+# ifdef OPENSSL_SYS_VMS -+# define VMS 1 -+ /* -+ * some programs don't include stdlib, so exit() and others give implicit -+ * function warnings -+ */ -+# include -+# if defined(__DECC) -+# include -+# else -+# include -+# endif -+# define LIST_SEPARATOR_CHAR ',' -+ 
/* We don't have any well-defined random devices on VMS, yet... */ -+# undef DEVRANDOM -+ /*- -+ We need to do this since VMS has the following coding on status codes: -+ -+ Bits 0-2: status type: 0 = warning, 1 = success, 2 = error, 3 = info ... -+ The important thing to know is that odd numbers are considered -+ good, while even ones are considered errors. -+ Bits 3-15: actual status number -+ Bits 16-27: facility number. 0 is considered "unknown" -+ Bits 28-31: control bits. If bit 28 is set, the shell won't try to -+ output the message (which, for random codes, just looks ugly) -+ -+ So, what we do here is to change 0 to 1 to get the default success status, -+ and everything else is shifted up to fit into the status number field, and -+ the status is tagged as an error, which is what is wanted here. -+ -+ Finally, we add the VMS C facility code 0x35a000, because there are some -+ programs, such as Perl, that will reinterpret the code back to something -+ POSIX. 'man perlvms' explains it further. -+ -+ NOTE: the perlvms manual wants to turn all codes 2 to 255 into success -+ codes (status type = 1). I couldn't disagree more. Fortunately, the -+ status type doesn't seem to bother Perl. -+ -- Richard Levitte -+ */ -+# define EXIT(n) exit((n) ? 
(((n) << 3) | 2 | 0x10000000 | 0x35a000) : 1) -+ -+# define DEFAULT_HOME "SYS$LOGIN:" -+ -+# else -+ /* !defined VMS */ -+# include -+# include -+# ifdef OPENSSL_SYS_WIN32_CYGWIN -+# include -+# include -+# endif -+ -+# define LIST_SEPARATOR_CHAR ':' -+# define EXIT(n) exit(n) -+# endif -+ -+# endif -+ -+/***********************************************/ -+ -+# if defined(OPENSSL_SYS_WINDOWS) -+# if (_MSC_VER >= 1310) && !defined(_WIN32_WCE) -+# define open _open -+# define fdopen _fdopen -+# define close _close -+# ifndef strdup -+# define strdup _strdup -+# endif -+# define unlink _unlink -+# define fileno _fileno -+# endif -+# else -+# include -+# endif -+ -+/* vxworks */ -+# if defined(OPENSSL_SYS_VXWORKS) -+# include -+# include -+# include -+# include -+# include -+# include -+ -+# define TTY_STRUCT int -+# define sleep(a) taskDelay((a) * sysClkRateGet()) -+ -+/* -+ * NOTE: these are implemented by helpers in database app! if the database is -+ * not linked, we need to implement them elsewhere -+ */ -+struct hostent *gethostbyname(const char *name); -+struct hostent *gethostbyaddr(const char *addr, int length, int type); -+struct servent *getservbyname(const char *name, const char *proto); -+ -+# endif -+/* end vxworks */ -+ -+/* system-specific variants defining ossl_sleep() */ -+#if defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) -+# include -+static ossl_inline void ossl_sleep(unsigned long millis) -+{ -+# ifdef OPENSSL_SYS_VXWORKS -+ struct timespec ts; -+ ts.tv_sec = (long int) (millis / 1000); -+ ts.tv_nsec = (long int) (millis % 1000) * 1000000ul; -+ nanosleep(&ts, NULL); -+# elif defined(__TANDEM) -+# if !defined(_REENTRANT) -+# include -+ /* HPNS does not support usleep for non threaded apps */ -+ PROCESS_DELAY_(millis * 1000); -+# elif defined(_SPT_MODEL_) -+# include -+# include -+ usleep(millis * 1000); -+# else -+ usleep(millis * 1000); -+# endif -+# else -+ usleep(millis * 1000); -+# endif -+} -+#elif defined(_WIN32) -+# include -+static 
ossl_inline void ossl_sleep(unsigned long millis) -+{ -+ Sleep(millis); -+} -+#else -+/* Fallback to a busy wait */ -+static ossl_inline void ossl_sleep(unsigned long millis) -+{ -+ struct timeval start, now; -+ unsigned long elapsedms; -+ -+ gettimeofday(&start, NULL); -+ do { -+ gettimeofday(&now, NULL); -+ elapsedms = (((now.tv_sec - start.tv_sec) * 1000000) -+ + now.tv_usec - start.tv_usec) / 1000; -+ } while (elapsedms < millis); -+} -+#endif /* defined OPENSSL_SYS_UNIX */ -+ -+/* ----------------------------- HP NonStop -------------------------------- */ -+/* Required to support platform variant without getpid() and pid_t. */ -+# if defined(__TANDEM) && defined(_GUARDIAN_TARGET) -+# include -+# include -+# define getservbyname(name,proto) getservbyname((char*)name,proto) -+# define gethostbyname(name) gethostbyname((char*)name) -+# define ioctlsocket(a,b,c) ioctl(a,b,c) -+# ifdef NO_GETPID -+inline int nssgetpid(); -+# ifndef NSSGETPID_MACRO -+# define NSSGETPID_MACRO -+# include -+# include -+ inline int nssgetpid() -+ { -+ short phandle[10]={0}; -+ union pseudo_pid { -+ struct { -+ short cpu; -+ short pin; -+ } cpu_pin ; -+ int ppid; -+ } ppid = { 0 }; -+ PROCESSHANDLE_GETMINE_(phandle); -+ PROCESSHANDLE_DECOMPOSE_(phandle, &ppid.cpu_pin.cpu, &ppid.cpu_pin.pin); -+ return ppid.ppid; -+ } -+# define getpid(a) nssgetpid(a) -+# endif /* NSSGETPID_MACRO */ -+# endif /* NO_GETPID */ -+/*# define setsockopt(a,b,c,d,f) setsockopt(a,b,c,(char*)d,f)*/ -+/*# define getsockopt(a,b,c,d,f) getsockopt(a,b,c,(char*)d,f)*/ -+/*# define connect(a,b,c) connect(a,(struct sockaddr *)b,c)*/ -+/*# define bind(a,b,c) bind(a,(struct sockaddr *)b,c)*/ -+/*# define sendto(a,b,c,d,e,f) sendto(a,(char*)b,c,d,(struct sockaddr *)e,f)*/ -+# if defined(OPENSSL_THREADS) && !defined(_PUT_MODEL_) -+ /* -+ * HPNS SPT threads -+ */ -+# define SPT_THREAD_SIGNAL 1 -+# define SPT_THREAD_AWARE 1 -+# include -+# undef close -+# define close spt_close -+/* -+# define get_last_socket_error() errno 
-+# define clear_socket_error() errno=0 -+# define ioctlsocket(a,b,c) ioctl(a,b,c) -+# define closesocket(s) close(s) -+# define readsocket(s,b,n) read((s),(char*)(b),(n)) -+# define writesocket(s,b,n) write((s),(char*)(b),(n) -+*/ -+# define accept(a,b,c) accept(a,(struct sockaddr *)b,c) -+# define recvfrom(a,b,c,d,e,f) recvfrom(a,b,(socklen_t)c,d,e,f) -+# endif -+# endif -+ -+# ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -+# define CRYPTO_memcmp memcmp -+# endif -+ -+# ifndef OPENSSL_NO_SECURE_MEMORY -+ /* unistd.h defines _POSIX_VERSION */ -+# if (defined(OPENSSL_SYS_UNIX) \ -+ && ( (defined(_POSIX_VERSION) && _POSIX_VERSION >= 200112L) \ -+ || defined(__sun) || defined(__hpux) || defined(__sgi) \ -+ || defined(__osf__) )) \ -+ || defined(_WIN32) -+ /* secure memory is implemented */ -+# else -+# define OPENSSL_NO_SECURE_MEMORY -+# endif -+# endif -+ -+/* -+ * str[n]casecmp_l is defined in POSIX 2008-01. Value is taken accordingly -+ * https://www.gnu.org/software/libc/manual/html_node/Feature-Test-Macros.html -+ * There are also equivalent functions on Windows. -+ * There is no locale_t on NONSTOP. -+ */ -+# if defined(OPENSSL_SYS_WINDOWS) -+# define locale_t _locale_t -+# define freelocale _free_locale -+# define strcasecmp_l _stricmp_l -+# define strncasecmp_l _strnicmp_l -+# define strcasecmp _stricmp -+# define strncasecmp _strnicmp -+# elif !defined(_POSIX_C_SOURCE) || _POSIX_C_SOURCE < 200809L \ -+ || defined(OPENSSL_SYS_TANDEM) -+# ifndef OPENSSL_NO_LOCALE -+# define OPENSSL_NO_LOCALE -+# endif -+# endif -+ -+#endif -diff --git a/include/internal/param_names.h.in b/include/internal/param_names.h.in -new file mode 100644 -index 0000000..f34db21 ---- /dev/null -+++ b/include/internal/param_names.h.in -@@ -0,0 +1,18 @@ -+/* -+ * {- join("\n * ", @autowarntext) -} -+ * -+ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). 
You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+{- -+use OpenSSL::paramnames qw(generate_internal_macros); -+-} -+ -+int ossl_param_find_pidx(const char *s); -+ -+/* Parameter name definitions - generated by util/perl/OpenSSL/paramnames.pm */ -+{- generate_internal_macros(); -} -diff --git a/include/openssl/core_names.h.in b/include/openssl/core_names.h.in -new file mode 100644 -index 0000000..133f783 ---- /dev/null -+++ b/include/openssl/core_names.h.in -@@ -0,0 +1,118 @@ -+/* -+ * {- join("\n * ", @autowarntext) -} -+ * -+ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+{- -+use OpenSSL::paramnames qw(generate_public_macros); -+-} -+ -+#ifndef OPENSSL_CORE_NAMES_H -+# define OPENSSL_CORE_NAMES_H -+# pragma once -+ -+# ifdef __cplusplus -+extern "C" { -+# endif -+ -+/* OSSL_CIPHER_PARAM_CTS_MODE Values */ -+# define OSSL_CIPHER_CTS_MODE_CS1 "CS1" -+# define OSSL_CIPHER_CTS_MODE_CS2 "CS2" -+# define OSSL_CIPHER_CTS_MODE_CS3 "CS3" -+ -+/* Known CIPHER names (not a complete list) */ -+# define OSSL_CIPHER_NAME_AES_128_GCM_SIV "AES-128-GCM-SIV" -+# define OSSL_CIPHER_NAME_AES_192_GCM_SIV "AES-192-GCM-SIV" -+# define OSSL_CIPHER_NAME_AES_256_GCM_SIV "AES-256-GCM-SIV" -+ -+/* Known DIGEST names (not a complete list) */ -+# define OSSL_DIGEST_NAME_MD5 "MD5" -+# define OSSL_DIGEST_NAME_MD5_SHA1 "MD5-SHA1" -+# define OSSL_DIGEST_NAME_SHA1 "SHA1" -+# define OSSL_DIGEST_NAME_SHA2_224 "SHA2-224" -+# define OSSL_DIGEST_NAME_SHA2_256 "SHA2-256" -+# define OSSL_DIGEST_NAME_SHA2_384 "SHA2-384" -+# define OSSL_DIGEST_NAME_SHA2_512 
"SHA2-512" -+# define OSSL_DIGEST_NAME_SHA2_512_224 "SHA2-512/224" -+# define OSSL_DIGEST_NAME_SHA2_512_256 "SHA2-512/256" -+# define OSSL_DIGEST_NAME_MD2 "MD2" -+# define OSSL_DIGEST_NAME_MD4 "MD4" -+# define OSSL_DIGEST_NAME_MDC2 "MDC2" -+# define OSSL_DIGEST_NAME_RIPEMD160 "RIPEMD160" -+# define OSSL_DIGEST_NAME_SHA3_224 "SHA3-224" -+# define OSSL_DIGEST_NAME_SHA3_256 "SHA3-256" -+# define OSSL_DIGEST_NAME_SHA3_384 "SHA3-384" -+# define OSSL_DIGEST_NAME_SHA3_512 "SHA3-512" -+# define OSSL_DIGEST_NAME_KECCAK_KMAC128 "KECCAK-KMAC-128" -+# define OSSL_DIGEST_NAME_KECCAK_KMAC256 "KECCAK-KMAC-256" -+# define OSSL_DIGEST_NAME_SM3 "SM3" -+ -+/* Known MAC names */ -+# define OSSL_MAC_NAME_BLAKE2BMAC "BLAKE2BMAC" -+# define OSSL_MAC_NAME_BLAKE2SMAC "BLAKE2SMAC" -+# define OSSL_MAC_NAME_CMAC "CMAC" -+# define OSSL_MAC_NAME_GMAC "GMAC" -+# define OSSL_MAC_NAME_HMAC "HMAC" -+# define OSSL_MAC_NAME_KMAC128 "KMAC128" -+# define OSSL_MAC_NAME_KMAC256 "KMAC256" -+# define OSSL_MAC_NAME_POLY1305 "POLY1305" -+# define OSSL_MAC_NAME_SIPHASH "SIPHASH" -+ -+/* Known KDF names */ -+# define OSSL_KDF_NAME_HKDF "HKDF" -+# define OSSL_KDF_NAME_TLS1_3_KDF "TLS13-KDF" -+# define OSSL_KDF_NAME_PBKDF1 "PBKDF1" -+# define OSSL_KDF_NAME_PBKDF2 "PBKDF2" -+# define OSSL_KDF_NAME_SCRYPT "SCRYPT" -+# define OSSL_KDF_NAME_SSHKDF "SSHKDF" -+# define OSSL_KDF_NAME_SSKDF "SSKDF" -+# define OSSL_KDF_NAME_TLS1_PRF "TLS1-PRF" -+# define OSSL_KDF_NAME_X942KDF_ASN1 "X942KDF-ASN1" -+# define OSSL_KDF_NAME_X942KDF_CONCAT "X942KDF-CONCAT" -+# define OSSL_KDF_NAME_X963KDF "X963KDF" -+# define OSSL_KDF_NAME_KBKDF "KBKDF" -+# define OSSL_KDF_NAME_KRB5KDF "KRB5KDF" -+# define OSSL_KDF_NAME_HMACDRBGKDF "HMAC-DRBG-KDF" -+ -+/* RSA padding modes */ -+# define OSSL_PKEY_RSA_PAD_MODE_NONE "none" -+# define OSSL_PKEY_RSA_PAD_MODE_PKCSV15 "pkcs1" -+# define OSSL_PKEY_RSA_PAD_MODE_OAEP "oaep" -+# define OSSL_PKEY_RSA_PAD_MODE_X931 "x931" -+# define OSSL_PKEY_RSA_PAD_MODE_PSS "pss" -+ -+/* RSA pss padding salt length */ 
-+# define OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST "digest" -+# define OSSL_PKEY_RSA_PSS_SALT_LEN_MAX "max" -+# define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO "auto" -+# define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX "auto-digestmax" -+ -+/* OSSL_PKEY_PARAM_EC_ENCODING values */ -+# define OSSL_PKEY_EC_ENCODING_EXPLICIT "explicit" -+# define OSSL_PKEY_EC_ENCODING_GROUP "named_curve" -+ -+# define OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_UNCOMPRESSED "uncompressed" -+# define OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_COMPRESSED "compressed" -+# define OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_HYBRID "hybrid" -+ -+# define OSSL_PKEY_EC_GROUP_CHECK_DEFAULT "default" -+# define OSSL_PKEY_EC_GROUP_CHECK_NAMED "named" -+# define OSSL_PKEY_EC_GROUP_CHECK_NAMED_NIST "named-nist" -+ -+/* OSSL_KEM_PARAM_OPERATION values */ -+#define OSSL_KEM_PARAM_OPERATION_RSASVE "RSASVE" -+#define OSSL_KEM_PARAM_OPERATION_DHKEM "DHKEM" -+ -+/* Parameter name definitions - generated by util/perl/OpenSSL/paramnames.pm */ -+{- generate_public_macros(); -} -+ -+# ifdef __cplusplus -+} -+# endif -+ -+#endif -diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c -index ed95c97..455924f 100644 ---- a/providers/implementations/ciphers/ciphercommon_gcm.c -+++ b/providers/implementations/ciphers/ciphercommon_gcm.c -@@ -15,6 +15,7 @@ - #include "prov/ciphercommon_gcm.h" - #include "prov/providercommon.h" - #include "prov/provider_ctx.h" -+#include "internal/param_names.h" - - static int gcm_tls_init(PROV_GCM_CTX *dat, unsigned char *aad, size_t aad_len); - static int gcm_tls_iv_set_fixed(PROV_GCM_CTX *ctx, unsigned char *iv, -@@ -145,84 +146,97 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[]) - PROV_GCM_CTX *ctx = (PROV_GCM_CTX *)vctx; - OSSL_PARAM *p; - size_t sz; -- -- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IVLEN); -- if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->ivlen)) { -- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); 
-- return 0; -- } -- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_KEYLEN); -- if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->keylen)) { -- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); -- return 0; -- } -- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAGLEN); -- if (p != NULL) { -- size_t taglen = (ctx->taglen != UNINITIALISED_SIZET) ? ctx->taglen : -- GCM_TAG_MAX_SIZE; -- -- if (!OSSL_PARAM_set_size_t(p, taglen)) { -- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); -- return 0; -- } -- } -- -- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_IV); -- if (p != NULL) { -- if (ctx->iv_state == IV_STATE_UNINITIALISED) -- return 0; -- if (ctx->ivlen > p->data_size) { -- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); -- return 0; -- } -- if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen) -- && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) { -- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); -- return 0; -- } -- } -- -- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_UPDATED_IV); -- if (p != NULL) { -- if (ctx->iv_state == IV_STATE_UNINITIALISED) -- return 0; -- if (ctx->ivlen > p->data_size) { -- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); -- return 0; -- } -- if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen) -- && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) { -- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); -- return 0; -- } -- } -- -- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD); -- if (p != NULL && !OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) { -- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); -- return 0; -- } -- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TAG); -- if (p != NULL) { -- sz = p->data_size; -- if (sz == 0 -- || sz > EVP_GCM_TLS_TAG_LEN -- || !ctx->enc -- || ctx->taglen == UNINITIALISED_SIZET) { -- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG); -- return 0; -+ int type; -+ -+ for (p = params; p->key != NULL; p++) { -+ type = 
ossl_param_find_pidx(p->key); -+ switch (type) { -+ default: -+ break; -+ -+ case PIDX_CIPHER_PARAM_IVLEN: -+ if (!OSSL_PARAM_set_size_t(p, ctx->ivlen)) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); -+ return 0; -+ } -+ break; -+ -+ case PIDX_CIPHER_PARAM_KEYLEN: -+ if (!OSSL_PARAM_set_size_t(p, ctx->keylen)) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); -+ return 0; -+ } -+ break; -+ -+ case PIDX_CIPHER_PARAM_AEAD_TAGLEN: -+ { -+ size_t taglen = (ctx->taglen != UNINITIALISED_SIZET) ? ctx->taglen : -+ GCM_TAG_MAX_SIZE; -+ -+ if (!OSSL_PARAM_set_size_t(p, taglen)) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); -+ return 0; -+ } -+ } -+ break; -+ -+ case PIDX_CIPHER_PARAM_IV: -+ if (ctx->iv_state == IV_STATE_UNINITIALISED) -+ return 0; -+ if (ctx->ivlen > p->data_size) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); -+ return 0; -+ } -+ if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen) -+ && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); -+ return 0; -+ } -+ break; -+ -+ case PIDX_CIPHER_PARAM_UPDATED_IV: -+ if (ctx->iv_state == IV_STATE_UNINITIALISED) -+ return 0; -+ if (ctx->ivlen > p->data_size) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); -+ return 0; -+ } -+ if (!OSSL_PARAM_set_octet_string(p, ctx->iv, ctx->ivlen) -+ && !OSSL_PARAM_set_octet_ptr(p, &ctx->iv, ctx->ivlen)) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); -+ return 0; -+ } -+ break; -+ -+ case PIDX_CIPHER_PARAM_AEAD_TLS1_AAD_PAD: -+ if (!OSSL_PARAM_set_size_t(p, ctx->tls_aad_pad_sz)) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); -+ return 0; -+ } -+ break; -+ -+ case PIDX_CIPHER_PARAM_AEAD_TAG: -+ sz = p->data_size; -+ if (sz == 0 -+ || sz > EVP_GCM_TLS_TAG_LEN -+ || !ctx->enc -+ || ctx->taglen == UNINITIALISED_SIZET) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG); -+ return 0; -+ } -+ if (!OSSL_PARAM_set_octet_string(p, ctx->buf, 
sz)) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); -+ return 0; -+ } -+ break; -+ -+ case PIDX_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN: -+ if (p->data == NULL -+ || p->data_type != OSSL_PARAM_OCTET_STRING -+ || !getivgen(ctx, p->data, p->data_size)) -+ return 0; -+ break; - } -- if (!OSSL_PARAM_set_octet_string(p, ctx->buf, sz)) { -- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); -- return 0; -- } -- } -- p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN); -- if (p != NULL) { -- if (p->data == NULL -- || p->data_type != OSSL_PARAM_OCTET_STRING -- || !getivgen(ctx, p->data, p->data_size)) -- return 0; - } - return 1; - } -@@ -233,71 +247,75 @@ int ossl_gcm_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - const OSSL_PARAM *p; - size_t sz; - void *vp; -+ int type; - - if (params == NULL) - return 1; - -- p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TAG); -- if (p != NULL) { -- vp = ctx->buf; -- if (!OSSL_PARAM_get_octet_string(p, &vp, EVP_GCM_TLS_TAG_LEN, &sz)) { -- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); -- return 0; -- } -- if (sz == 0 || ctx->enc) { -- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG); -- return 0; -+ for (p = params; p->key != NULL; p++) { -+ type = ossl_param_find_pidx(p->key); -+ switch (type) { -+ default: -+ break; -+ -+ case PIDX_CIPHER_PARAM_AEAD_TAG: -+ vp = ctx->buf; -+ if (!OSSL_PARAM_get_octet_string(p, &vp, EVP_GCM_TLS_TAG_LEN, &sz)) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); -+ return 0; -+ } -+ if (sz == 0 || ctx->enc) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_TAG); -+ return 0; -+ } -+ ctx->taglen = sz; -+ break; -+ -+ case PIDX_CIPHER_PARAM_AEAD_IVLEN: -+ if (!OSSL_PARAM_get_size_t(p, &sz)) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); -+ return 0; -+ } -+ if (sz == 0 || sz > sizeof(ctx->iv)) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); -+ return 0; -+ } -+ ctx->ivlen = sz; -+ break; -+ -+ case 
PIDX_CIPHER_PARAM_AEAD_TLS1_AAD:
-+ if (p->data_type != OSSL_PARAM_OCTET_STRING) {
-+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-+ return 0;
-+ }
-+ sz = gcm_tls_init(ctx, p->data, p->data_size);
-+ if (sz == 0) {
-+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_AAD);
-+ return 0;
-+ }
-+ ctx->tls_aad_pad_sz = sz;
-+ break;
-+
-+ case PIDX_CIPHER_PARAM_AEAD_TLS1_IV_FIXED:
-+ if (p->data_type != OSSL_PARAM_OCTET_STRING) {
-+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-+ return 0;
-+ }
-+ if (gcm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
-+ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-+ return 0;
-+ }
-+ break;
-+
-+ case PIDX_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV:
-+ if (p->data == NULL
-+ || p->data_type != OSSL_PARAM_OCTET_STRING
-+ || !setivinv(ctx, p->data, p->data_size))
-+ return 0;
-+ break;
- }
-- ctx->taglen = sz;
- }
-
-- p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_IVLEN);
-- if (p != NULL) {
-- if (!OSSL_PARAM_get_size_t(p, &sz)) {
-- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-- return 0;
-- }
-- if (sz == 0 || sz > sizeof(ctx->iv)) {
-- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH);
-- return 0;
-- }
-- ctx->ivlen = sz;
-- }
--
-- p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_AAD);
-- if (p != NULL) {
-- if (p->data_type != OSSL_PARAM_OCTET_STRING) {
-- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-- return 0;
-- }
-- sz = gcm_tls_init(ctx, p->data, p->data_size);
-- if (sz == 0) {
-- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_AAD);
-- return 0;
-- }
-- ctx->tls_aad_pad_sz = sz;
-- }
--
-- p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED);
-- if (p != NULL) {
-- if (p->data_type != OSSL_PARAM_OCTET_STRING) {
-- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-- return 0;
-- }
-- if (gcm_tls_iv_set_fixed(ctx, p->data, p->data_size) == 0) {
-- ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
-- return 0;
-- }
-- }
-- p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV);
-- if (p != NULL) {
-- if (p->data == NULL
-- || p->data_type != OSSL_PARAM_OCTET_STRING
-- || !setivinv(ctx, p->data, p->data_size))
-- return 0;
-- }
--
--
- return 1;
- }
-
-diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm
-new file mode 100644
-index 0000000..66c6fdd
---- /dev/null
-+++ b/util/perl/OpenSSL/paramnames.pm
-@@ -0,0 +1,673 @@
-+#! /usr/bin/env perl
-+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License"). You may not use
-+# this file except in compliance with the License. You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+package OpenSSL::paramnames;
-+
-+use strict;
-+use warnings;
-+
-+require Exporter;
-+our @ISA = qw(Exporter);
-+our @EXPORT_OK = qw(generate_public_macros
-+ generate_internal_macros
-+ produce_decoder);
-+
-+my $case_sensitive = 1;
-+
-+my %params = (
-+# Well known parameter names that core passes to providers
-+ 'PROV_PARAM_CORE_VERSION' => "openssl-version",# utf8_ptr
-+ 'PROV_PARAM_CORE_PROV_NAME' => "provider-name", # utf8_ptr
-+ 'PROV_PARAM_CORE_MODULE_FILENAME' => "module-filename",# utf8_ptr
-+
-+# Well known parameter names that Providers can define
-+ 'PROV_PARAM_NAME' => "name", # utf8_ptr
-+ 'PROV_PARAM_VERSION' => "version", # utf8_ptr
-+ 'PROV_PARAM_BUILDINFO' => "buildinfo", # utf8_ptr
-+ 'PROV_PARAM_STATUS' => "status", # uint
-+ 'PROV_PARAM_SECURITY_CHECKS' => "security-checks", # uint
-+ 'PROV_PARAM_TLS1_PRF_EMS_CHECK' => "tls1-prf-ems-check", # uint
-+ 'PROV_PARAM_DRBG_TRUNC_DIGEST' => "drbg-no-trunc-md", # uint
-+
-+# Self test callback parameters
-+ 'PROV_PARAM_SELF_TEST_PHASE' => "st-phase",# utf8_string
-+ 'PROV_PARAM_SELF_TEST_TYPE' => "st-type", # utf8_string
-+ 'PROV_PARAM_SELF_TEST_DESC' => "st-desc", # utf8_string
-+
-+# Provider-native
object abstractions
-+#
-+# These are used when a provider wants to pass object data or an object
-+# reference back to libcrypto. This is only useful for provider functions
-+# that take a callback to which an PARAM array with these parameters
-+# can be passed.
-+#
-+# This set of parameter names is explained in detail in provider-object(7)
-+# (doc/man7/provider-object.pod)
-+
-+ 'OBJECT_PARAM_TYPE' => "type", # INTEGER
-+ 'OBJECT_PARAM_DATA_TYPE' => "data-type",# UTF8_STRING
-+ 'OBJECT_PARAM_DATA_STRUCTURE' => "data-structure",# UTF8_STRING
-+ 'OBJECT_PARAM_REFERENCE' => "reference",# OCTET_STRING
-+ 'OBJECT_PARAM_DATA' => "data",# OCTET_STRING or UTF8_STRING
-+ 'OBJECT_PARAM_DESC' => "desc", # UTF8_STRING
-+
-+# Algorithm parameters
-+# If "engine",or "properties",are specified, they should always be paired
-+# with the algorithm type.
-+# Note these are common names that are shared by many types (such as kdf, mac,
-+# and pkey) e.g: see MAC_PARAM_DIGEST below.
-+
-+ 'ALG_PARAM_DIGEST' => "digest", # utf8_string
-+ 'ALG_PARAM_CIPHER' => "cipher", # utf8_string
-+ 'ALG_PARAM_ENGINE' => "engine", # utf8_string
-+ 'ALG_PARAM_MAC' => "mac", # utf8_string
-+ 'ALG_PARAM_PROPERTIES' => "properties", # utf8_string
-+
-+# cipher parameters
-+ 'CIPHER_PARAM_PADDING' => "padding", # uint
-+ 'CIPHER_PARAM_USE_BITS' => "use-bits", # uint
-+ 'CIPHER_PARAM_TLS_VERSION' => "tls-version", # uint
-+ 'CIPHER_PARAM_TLS_MAC' => "tls-mac", # octet_ptr
-+ 'CIPHER_PARAM_TLS_MAC_SIZE' => "tls-mac-size",# size_t
-+ 'CIPHER_PARAM_MODE' => "mode", # uint
-+ 'CIPHER_PARAM_BLOCK_SIZE' => "blocksize", # size_t
-+ 'CIPHER_PARAM_AEAD' => "aead", # int, 0 or 1
-+ 'CIPHER_PARAM_CUSTOM_IV' => "custom-iv", # int, 0 or 1
-+ 'CIPHER_PARAM_CTS' => "cts", # int, 0 or 1
-+ 'CIPHER_PARAM_TLS1_MULTIBLOCK' => "tls-multi", # int, 0 or 1
-+ 'CIPHER_PARAM_HAS_RAND_KEY' => "has-randkey", # int, 0 or 1
-+ 'CIPHER_PARAM_KEYLEN' => "keylen", # size_t
-+ 'CIPHER_PARAM_IVLEN' => "ivlen", # size_t
-+
'CIPHER_PARAM_IV' => "iv", # octet_string OR octet_ptr
-+ 'CIPHER_PARAM_UPDATED_IV' => "updated-iv", # octet_string OR octet_ptr
-+ 'CIPHER_PARAM_NUM' => "num", # uint
-+ 'CIPHER_PARAM_ROUNDS' => "rounds", # uint
-+ 'CIPHER_PARAM_AEAD_TAG' => "tag", # octet_string
-+ 'CIPHER_PARAM_AEAD_TLS1_AAD' => "tlsaad", # octet_string
-+ 'CIPHER_PARAM_AEAD_TLS1_AAD_PAD' => "tlsaadpad", # size_t
-+ 'CIPHER_PARAM_AEAD_TLS1_IV_FIXED' => "tlsivfixed", # octet_string
-+ 'CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN' => "tlsivgen", # octet_string
-+ 'CIPHER_PARAM_AEAD_TLS1_SET_IV_INV' => "tlsivinv", # octet_string
-+ 'CIPHER_PARAM_AEAD_IVLEN' => '*CIPHER_PARAM_IVLEN',
-+ 'CIPHER_PARAM_AEAD_TAGLEN' => "taglen", # size_t
-+ 'CIPHER_PARAM_AEAD_MAC_KEY' => "mackey", # octet_string
-+ 'CIPHER_PARAM_RANDOM_KEY' => "randkey", # octet_string
-+ 'CIPHER_PARAM_RC2_KEYBITS' => "keybits", # size_t
-+ 'CIPHER_PARAM_SPEED' => "speed", # uint
-+ 'CIPHER_PARAM_CTS_MODE' => "cts_mode", # utf8_string
-+# For passing the AlgorithmIdentifier parameter in DER form
-+ 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string
-+ 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string
-+
-+ 'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' => "tls1multi_maxsndfrag",# uint
-+ 'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE' => "tls1multi_maxbufsz", # size_t
-+ 'CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE' => "tls1multi_interleave",# uint
-+ 'CIPHER_PARAM_TLS1_MULTIBLOCK_AAD' => "tls1multi_aad", # octet_string
-+ 'CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN' => "tls1multi_aadpacklen",# uint
-+ 'CIPHER_PARAM_TLS1_MULTIBLOCK_ENC' => "tls1multi_enc", # octet_string
-+ 'CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN' => "tls1multi_encin", # octet_string
-+ 'CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN' => "tls1multi_enclen", # size_t
-+
-+# digest parameters
-+ 'DIGEST_PARAM_XOFLEN' => "xoflen", # size_t
-+ 'DIGEST_PARAM_SSL3_MS' => "ssl3-ms", # octet string
-+ 'DIGEST_PARAM_PAD_TYPE' => "pad-type", # uint
-+ 'DIGEST_PARAM_MICALG' =>
"micalg", # utf8 string
-+ 'DIGEST_PARAM_BLOCK_SIZE' => "blocksize", # size_t
-+ 'DIGEST_PARAM_SIZE' => "size", # size_t
-+ 'DIGEST_PARAM_XOF' => "xof", # int, 0 or 1
-+ 'DIGEST_PARAM_ALGID_ABSENT' => "algid-absent", # int, 0 or 1
-+
-+# MAC parameters
-+ 'MAC_PARAM_KEY' => "key", # octet string
-+ 'MAC_PARAM_IV' => "iv", # octet string
-+ 'MAC_PARAM_CUSTOM' => "custom", # utf8 string
-+ 'MAC_PARAM_SALT' => "salt", # octet string
-+ 'MAC_PARAM_XOF' => "xof", # int, 0 or 1
-+ 'MAC_PARAM_DIGEST_NOINIT' => "digest-noinit", # int, 0 or 1
-+ 'MAC_PARAM_DIGEST_ONESHOT' => "digest-oneshot",# int, 0 or 1
-+ 'MAC_PARAM_C_ROUNDS' => "c-rounds", # unsigned int
-+ 'MAC_PARAM_D_ROUNDS' => "d-rounds", # unsigned int
-+
-+# If "engine",or "properties",are specified, they should always be paired
-+# with "cipher",or "digest".
-+
-+ 'MAC_PARAM_CIPHER' => '*ALG_PARAM_CIPHER', # utf8 string
-+ 'MAC_PARAM_DIGEST' => '*ALG_PARAM_DIGEST', # utf8 string
-+ 'MAC_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES', # utf8 string
-+ 'MAC_PARAM_SIZE' => "size", # size_t
-+ 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t
-+ 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t
-+
-+# KDF / PRF parameters
-+ 'KDF_PARAM_SECRET' => "secret", # octet string
-+ 'KDF_PARAM_KEY' => "key", # octet string
-+ 'KDF_PARAM_SALT' => "salt", # octet string
-+ 'KDF_PARAM_PASSWORD' => "pass", # octet string
-+ 'KDF_PARAM_PREFIX' => "prefix", # octet string
-+ 'KDF_PARAM_LABEL' => "label", # octet string
-+ 'KDF_PARAM_DATA' => "data", # octet string
-+ 'KDF_PARAM_DIGEST' => '*ALG_PARAM_DIGEST', # utf8 string
-+ 'KDF_PARAM_CIPHER' => '*ALG_PARAM_CIPHER', # utf8 string
-+ 'KDF_PARAM_MAC' => '*ALG_PARAM_MAC', # utf8 string
-+ 'KDF_PARAM_MAC_SIZE' => "maclen", # size_t
-+ 'KDF_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES', # utf8 string
-+ 'KDF_PARAM_ITER' => "iter", # unsigned int
-+ 'KDF_PARAM_MODE' => "mode", # utf8 string or int
-+ 'KDF_PARAM_PKCS5' => "pkcs5", # int
-+ 'KDF_PARAM_UKM' => "ukm", # octet string
-+
'KDF_PARAM_CEK_ALG' => "cekalg", # utf8 string
-+ 'KDF_PARAM_SCRYPT_N' => "n", # uint64_t
-+ 'KDF_PARAM_SCRYPT_R' => "r", # uint32_t
-+ 'KDF_PARAM_SCRYPT_P' => "p", # uint32_t
-+ 'KDF_PARAM_SCRYPT_MAXMEM' => "maxmem_bytes", # uint64_t
-+ 'KDF_PARAM_INFO' => "info", # octet string
-+ 'KDF_PARAM_SEED' => "seed", # octet string
-+ 'KDF_PARAM_SSHKDF_XCGHASH' => "xcghash", # octet string
-+ 'KDF_PARAM_SSHKDF_SESSION_ID' => "session_id", # octet string
-+ 'KDF_PARAM_SSHKDF_TYPE' => "type", # int
-+ 'KDF_PARAM_SIZE' => "size", # size_t
-+ 'KDF_PARAM_CONSTANT' => "constant", # octet string
-+ 'KDF_PARAM_PKCS12_ID' => "id", # int
-+ 'KDF_PARAM_KBKDF_USE_L' => "use-l", # int
-+ 'KDF_PARAM_KBKDF_USE_SEPARATOR' => "use-separator", # int
-+ 'KDF_PARAM_KBKDF_R' => "r", # int
-+ 'KDF_PARAM_X942_ACVPINFO' => "acvp-info",
-+ 'KDF_PARAM_X942_PARTYUINFO' => "partyu-info",
-+ 'KDF_PARAM_X942_PARTYVINFO' => "partyv-info",
-+ 'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo",
-+ 'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo",
-+ 'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits",
-+ 'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy",
-+ 'KDF_PARAM_HMACDRBG_NONCE' => "nonce",
-+ 'KDF_PARAM_THREADS' => "threads", # uint32_t
-+ 'KDF_PARAM_EARLY_CLEAN' => "early_clean", # uint32_t
-+ 'KDF_PARAM_ARGON2_AD' => "ad", # octet string
-+ 'KDF_PARAM_ARGON2_LANES' => "lanes", # uint32_t
-+ 'KDF_PARAM_ARGON2_MEMCOST' => "memcost", # uint32_t
-+ 'KDF_PARAM_ARGON2_VERSION' => "version", # uint32_t
-+
-+# Known RAND names
-+ 'RAND_PARAM_STATE' => "state",
-+ 'RAND_PARAM_STRENGTH' => "strength",
-+ 'RAND_PARAM_MAX_REQUEST' => "max_request",
-+ 'RAND_PARAM_TEST_ENTROPY' => "test_entropy",
-+ 'RAND_PARAM_TEST_NONCE' => "test_nonce",
-+
-+# RAND/DRBG names
-+ 'DRBG_PARAM_RESEED_REQUESTS' => "reseed_requests",
-+ 'DRBG_PARAM_RESEED_TIME_INTERVAL' => "reseed_time_interval",
-+ 'DRBG_PARAM_MIN_ENTROPYLEN' => "min_entropylen",
-+ 'DRBG_PARAM_MAX_ENTROPYLEN' => "max_entropylen",
-+ 'DRBG_PARAM_MIN_NONCELEN' =>
"min_noncelen",
-+ 'DRBG_PARAM_MAX_NONCELEN' => "max_noncelen",
-+ 'DRBG_PARAM_MAX_PERSLEN' => "max_perslen",
-+ 'DRBG_PARAM_MAX_ADINLEN' => "max_adinlen",
-+ 'DRBG_PARAM_RESEED_COUNTER' => "reseed_counter",
-+ 'DRBG_PARAM_RESEED_TIME' => "reseed_time",
-+ 'DRBG_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES',
-+ 'DRBG_PARAM_DIGEST' => '*ALG_PARAM_DIGEST',
-+ 'DRBG_PARAM_CIPHER' => '*ALG_PARAM_CIPHER',
-+ 'DRBG_PARAM_MAC' => '*ALG_PARAM_MAC',
-+ 'DRBG_PARAM_USE_DF' => "use_derivation_function",
-+
-+# DRBG call back parameters
-+ 'DRBG_PARAM_ENTROPY_REQUIRED' => "entropy_required",
-+ 'DRBG_PARAM_PREDICTION_RESISTANCE' => "prediction_resistance",
-+ 'DRBG_PARAM_MIN_LENGTH' => "minium_length",
-+ 'DRBG_PARAM_MAX_LENGTH' => "maxium_length",
-+ 'DRBG_PARAM_RANDOM_DATA' => "random_data",
-+ 'DRBG_PARAM_SIZE' => "size",
-+
-+# PKEY parameters
-+# Common PKEY parameters
-+ 'PKEY_PARAM_BITS' => "bits",# integer
-+ 'PKEY_PARAM_MAX_SIZE' => "max-size",# integer
-+ 'PKEY_PARAM_SECURITY_BITS' => "security-bits",# integer
-+ 'PKEY_PARAM_DIGEST' => '*ALG_PARAM_DIGEST',
-+ 'PKEY_PARAM_CIPHER' => '*ALG_PARAM_CIPHER', # utf8 string
-+ 'PKEY_PARAM_ENGINE' => '*ALG_PARAM_ENGINE', # utf8 string
-+ 'PKEY_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES',
-+ 'PKEY_PARAM_DEFAULT_DIGEST' => "default-digest",# utf8 string
-+ 'PKEY_PARAM_MANDATORY_DIGEST' => "mandatory-digest",# utf8 string
-+ 'PKEY_PARAM_PAD_MODE' => "pad-mode",
-+ 'PKEY_PARAM_DIGEST_SIZE' => "digest-size",
-+ 'PKEY_PARAM_MASKGENFUNC' => "mgf",
-+ 'PKEY_PARAM_MGF1_DIGEST' => "mgf1-digest",
-+ 'PKEY_PARAM_MGF1_PROPERTIES' => "mgf1-properties",
-+ 'PKEY_PARAM_ENCODED_PUBLIC_KEY' => "encoded-pub-key",
-+ 'PKEY_PARAM_GROUP_NAME' => "group",
-+ 'PKEY_PARAM_DIST_ID' => "distid",
-+ 'PKEY_PARAM_PUB_KEY' => "pub",
-+ 'PKEY_PARAM_PRIV_KEY' => "priv",
-+ 'PKEY_PARAM_IMPLICIT_REJECTION' => "implicit-rejection",
-+
-+# Diffie-Hellman/DSA Parameters
-+ 'PKEY_PARAM_FFC_P' => "p",
-+ 'PKEY_PARAM_FFC_G' => "g",
-+ 'PKEY_PARAM_FFC_Q' => "q",
-+
'PKEY_PARAM_FFC_GINDEX' => "gindex",
-+ 'PKEY_PARAM_FFC_PCOUNTER' => "pcounter",
-+ 'PKEY_PARAM_FFC_SEED' => "seed",
-+ 'PKEY_PARAM_FFC_COFACTOR' => "j",
-+ 'PKEY_PARAM_FFC_H' => "hindex",
-+ 'PKEY_PARAM_FFC_VALIDATE_PQ' => "validate-pq",
-+ 'PKEY_PARAM_FFC_VALIDATE_G' => "validate-g",
-+ 'PKEY_PARAM_FFC_VALIDATE_LEGACY' => "validate-legacy",
-+
-+# Diffie-Hellman params
-+ 'PKEY_PARAM_DH_GENERATOR' => "safeprime-generator",
-+ 'PKEY_PARAM_DH_PRIV_LEN' => "priv_len",
-+
-+# Elliptic Curve Domain Parameters
-+ 'PKEY_PARAM_EC_PUB_X' => "qx",
-+ 'PKEY_PARAM_EC_PUB_Y' => "qy",
-+
-+# Elliptic Curve Explicit Domain Parameters
-+ 'PKEY_PARAM_EC_FIELD_TYPE' => "field-type",
-+ 'PKEY_PARAM_EC_P' => "p",
-+ 'PKEY_PARAM_EC_A' => "a",
-+ 'PKEY_PARAM_EC_B' => "b",
-+ 'PKEY_PARAM_EC_GENERATOR' => "generator",
-+ 'PKEY_PARAM_EC_ORDER' => "order",
-+ 'PKEY_PARAM_EC_COFACTOR' => "cofactor",
-+ 'PKEY_PARAM_EC_SEED' => "seed",
-+ 'PKEY_PARAM_EC_CHAR2_M' => "m",
-+ 'PKEY_PARAM_EC_CHAR2_TYPE' => "basis-type",
-+ 'PKEY_PARAM_EC_CHAR2_TP_BASIS' => "tp",
-+ 'PKEY_PARAM_EC_CHAR2_PP_K1' => "k1",
-+ 'PKEY_PARAM_EC_CHAR2_PP_K2' => "k2",
-+ 'PKEY_PARAM_EC_CHAR2_PP_K3' => "k3",
-+ 'PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS' => "decoded-from-explicit",
-+
-+# Elliptic Curve Key Parameters
-+ 'PKEY_PARAM_USE_COFACTOR_FLAG' => "use-cofactor-flag",
-+ 'PKEY_PARAM_USE_COFACTOR_ECDH' => '*PKEY_PARAM_USE_COFACTOR_FLAG',
-+
-+# RSA Keys
-+#
-+# n, e, d are the usual public and private key components
-+#
-+# rsa-num is the number of factors, including p and q
-+# rsa-factor is used for each factor: p, q, r_i (i = 3, ...)
-+# rsa-exponent is used for each exponent: dP, dQ, d_i (i = 3, ...)
-+# rsa-coefficient is used for each coefficient: qInv, t_i (i = 3, ...)
-+#
-+# The number of rsa-factor items must be equal to the number of rsa-exponent
-+# items, and the number of rsa-coefficients must be one less.
-+# (the base i for the coefficients is 2, not 1, at least as implied by
-+# RFC 8017)
-+
-+ 'PKEY_PARAM_RSA_N' => "n",
-+ 'PKEY_PARAM_RSA_E' => "e",
-+ 'PKEY_PARAM_RSA_D' => "d",
-+ 'PKEY_PARAM_RSA_FACTOR' => "rsa-factor",
-+ 'PKEY_PARAM_RSA_EXPONENT' => "rsa-exponent",
-+ 'PKEY_PARAM_RSA_COEFFICIENT' => "rsa-coefficient",
-+ 'PKEY_PARAM_RSA_FACTOR1' => "rsa-factor1",
-+ 'PKEY_PARAM_RSA_FACTOR2' => "rsa-factor2",
-+ 'PKEY_PARAM_RSA_FACTOR3' => "rsa-factor3",
-+ 'PKEY_PARAM_RSA_FACTOR4' => "rsa-factor4",
-+ 'PKEY_PARAM_RSA_FACTOR5' => "rsa-factor5",
-+ 'PKEY_PARAM_RSA_FACTOR6' => "rsa-factor6",
-+ 'PKEY_PARAM_RSA_FACTOR7' => "rsa-factor7",
-+ 'PKEY_PARAM_RSA_FACTOR8' => "rsa-factor8",
-+ 'PKEY_PARAM_RSA_FACTOR9' => "rsa-factor9",
-+ 'PKEY_PARAM_RSA_FACTOR10' => "rsa-factor10",
-+ 'PKEY_PARAM_RSA_EXPONENT1' => "rsa-exponent1",
-+ 'PKEY_PARAM_RSA_EXPONENT2' => "rsa-exponent2",
-+ 'PKEY_PARAM_RSA_EXPONENT3' => "rsa-exponent3",
-+ 'PKEY_PARAM_RSA_EXPONENT4' => "rsa-exponent4",
-+ 'PKEY_PARAM_RSA_EXPONENT5' => "rsa-exponent5",
-+ 'PKEY_PARAM_RSA_EXPONENT6' => "rsa-exponent6",
-+ 'PKEY_PARAM_RSA_EXPONENT7' => "rsa-exponent7",
-+ 'PKEY_PARAM_RSA_EXPONENT8' => "rsa-exponent8",
-+ 'PKEY_PARAM_RSA_EXPONENT9' => "rsa-exponent9",
-+ 'PKEY_PARAM_RSA_EXPONENT10' => "rsa-exponent10",
-+ 'PKEY_PARAM_RSA_COEFFICIENT1' => "rsa-coefficient1",
-+ 'PKEY_PARAM_RSA_COEFFICIENT2' => "rsa-coefficient2",
-+ 'PKEY_PARAM_RSA_COEFFICIENT3' => "rsa-coefficient3",
-+ 'PKEY_PARAM_RSA_COEFFICIENT4' => "rsa-coefficient4",
-+ 'PKEY_PARAM_RSA_COEFFICIENT5' => "rsa-coefficient5",
-+ 'PKEY_PARAM_RSA_COEFFICIENT6' => "rsa-coefficient6",
-+ 'PKEY_PARAM_RSA_COEFFICIENT7' => "rsa-coefficient7",
-+ 'PKEY_PARAM_RSA_COEFFICIENT8' => "rsa-coefficient8",
-+ 'PKEY_PARAM_RSA_COEFFICIENT9' => "rsa-coefficient9",
-+
-+# Key generation parameters
-+ 'PKEY_PARAM_RSA_BITS' => '*PKEY_PARAM_BITS',
-+ 'PKEY_PARAM_RSA_PRIMES' => "primes",
-+ 'PKEY_PARAM_RSA_DIGEST' => '*PKEY_PARAM_DIGEST',
-+ 'PKEY_PARAM_RSA_DIGEST_PROPS'
=> '*PKEY_PARAM_PROPERTIES',
-+ 'PKEY_PARAM_RSA_MASKGENFUNC' => '*PKEY_PARAM_MASKGENFUNC',
-+ 'PKEY_PARAM_RSA_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
-+ 'PKEY_PARAM_RSA_PSS_SALTLEN' => "saltlen",
-+
-+# EC, X25519 and X448 Key generation parameters
-+ 'PKEY_PARAM_DHKEM_IKM' => "dhkem-ikm",
-+
-+# Key generation parameters
-+ 'PKEY_PARAM_FFC_TYPE' => "type",
-+ 'PKEY_PARAM_FFC_PBITS' => "pbits",
-+ 'PKEY_PARAM_FFC_QBITS' => "qbits",
-+ 'PKEY_PARAM_FFC_DIGEST' => '*PKEY_PARAM_DIGEST',
-+ 'PKEY_PARAM_FFC_DIGEST_PROPS' => '*PKEY_PARAM_PROPERTIES',
-+
-+ 'PKEY_PARAM_EC_ENCODING' => "encoding",# utf8_string
-+ 'PKEY_PARAM_EC_POINT_CONVERSION_FORMAT' => "point-format",
-+ 'PKEY_PARAM_EC_GROUP_CHECK_TYPE' => "group-check",
-+ 'PKEY_PARAM_EC_INCLUDE_PUBLIC' => "include-public",
-+
-+# Key Exchange parameters
-+ 'EXCHANGE_PARAM_PAD' => "pad",# uint
-+ 'EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE' => "ecdh-cofactor-mode",# int
-+ 'EXCHANGE_PARAM_KDF_TYPE' => "kdf-type",# utf8_string
-+ 'EXCHANGE_PARAM_KDF_DIGEST' => "kdf-digest",# utf8_string
-+ 'EXCHANGE_PARAM_KDF_DIGEST_PROPS' => "kdf-digest-props",# utf8_string
-+ 'EXCHANGE_PARAM_KDF_OUTLEN' => "kdf-outlen",# size_t
-+# The following parameter is an octet_string on set and an octet_ptr on get
-+ 'EXCHANGE_PARAM_KDF_UKM' => "kdf-ukm",
-+
-+# Signature parameters
-+ 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id",
-+ 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE',
-+ 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST',
-+ 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES',
-+ 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen",
-+ 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
-+ 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES',
-+ 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE',
-+ 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type",
-+ 'SIGNATURE_PARAM_INSTANCE' => "instance",
-+ 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string",
-+
-+# Asym cipher parameters
-+ 'ASYM_CIPHER_PARAM_DIGEST'
=> '*PKEY_PARAM_DIGEST',
-+ 'ASYM_CIPHER_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES',
-+ 'ASYM_CIPHER_PARAM_ENGINE' => '*PKEY_PARAM_ENGINE',
-+ 'ASYM_CIPHER_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE',
-+ 'ASYM_CIPHER_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST',
-+ 'ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS' => '*PKEY_PARAM_MGF1_PROPERTIES',
-+ 'ASYM_CIPHER_PARAM_OAEP_DIGEST' => '*ALG_PARAM_DIGEST',
-+ 'ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS' => "digest-props",
-+# The following parameter is an octet_string on set and an octet_ptr on get
-+ 'ASYM_CIPHER_PARAM_OAEP_LABEL' => "oaep-label",
-+ 'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' => "tls-client-version",
-+ 'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version",
-+ 'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection",
-+
-+# Encoder / decoder parameters
-+
-+ 'ENCODER_PARAM_CIPHER' => '*ALG_PARAM_CIPHER',
-+ 'ENCODER_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES',
-+# Currently PVK only, but reusable for others as needed
-+ 'ENCODER_PARAM_ENCRYPT_LEVEL' => "encrypt-level",
-+ 'ENCODER_PARAM_SAVE_PARAMETERS' => "save-parameters",# integer
-+
-+ 'DECODER_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES',
-+
-+# Passphrase callback parameters
-+ 'PASSPHRASE_PARAM_INFO' => "info",
-+
-+# Keygen callback parameters, from provider to libcrypto
-+ 'GEN_PARAM_POTENTIAL' => "potential",# integer
-+ 'GEN_PARAM_ITERATION' => "iteration",# integer
-+
-+# ACVP Test parameters : These should not be used normally
-+ 'PKEY_PARAM_RSA_TEST_XP1' => "xp1",
-+ 'PKEY_PARAM_RSA_TEST_XP2' => "xp2",
-+ 'PKEY_PARAM_RSA_TEST_XP' => "xp",
-+ 'PKEY_PARAM_RSA_TEST_XQ1' => "xq1",
-+ 'PKEY_PARAM_RSA_TEST_XQ2' => "xq2",
-+ 'PKEY_PARAM_RSA_TEST_XQ' => "xq",
-+ 'PKEY_PARAM_RSA_TEST_P1' => "p1",
-+ 'PKEY_PARAM_RSA_TEST_P2' => "p2",
-+ 'PKEY_PARAM_RSA_TEST_Q1' => "q1",
-+ 'PKEY_PARAM_RSA_TEST_Q2' => "q2",
-+ 'SIGNATURE_PARAM_KAT' => "kat",
-+
-+# KEM parameters
-+ 'KEM_PARAM_OPERATION' => "operation",
-+ 'KEM_PARAM_IKME' => "ikme",
-+
-+#
Capabilities
-+
-+# TLS-GROUP Capability
-+ 'CAPABILITY_TLS_GROUP_NAME' => "tls-group-name",
-+ 'CAPABILITY_TLS_GROUP_NAME_INTERNAL' => "tls-group-name-internal",
-+ 'CAPABILITY_TLS_GROUP_ID' => "tls-group-id",
-+ 'CAPABILITY_TLS_GROUP_ALG' => "tls-group-alg",
-+ 'CAPABILITY_TLS_GROUP_SECURITY_BITS' => "tls-group-sec-bits",
-+ 'CAPABILITY_TLS_GROUP_IS_KEM' => "tls-group-is-kem",
-+ 'CAPABILITY_TLS_GROUP_MIN_TLS' => "tls-min-tls",
-+ 'CAPABILITY_TLS_GROUP_MAX_TLS' => "tls-max-tls",
-+ 'CAPABILITY_TLS_GROUP_MIN_DTLS' => "tls-min-dtls",
-+ 'CAPABILITY_TLS_GROUP_MAX_DTLS' => "tls-max-dtls",
-+
-+# TLS-SIGALG Capability
-+ 'CAPABILITY_TLS_SIGALG_IANA_NAME' => "tls-sigalg-iana-name",
-+ 'CAPABILITY_TLS_SIGALG_CODE_POINT' => "tls-sigalg-code-point",
-+ 'CAPABILITY_TLS_SIGALG_NAME' => "tls-sigalg-name",
-+ 'CAPABILITY_TLS_SIGALG_OID' => "tls-sigalg-oid",
-+ 'CAPABILITY_TLS_SIGALG_SIG_NAME' => "tls-sigalg-sig-name",
-+ 'CAPABILITY_TLS_SIGALG_SIG_OID' => "tls-sigalg-sig-oid",
-+ 'CAPABILITY_TLS_SIGALG_HASH_NAME' => "tls-sigalg-hash-name",
-+ 'CAPABILITY_TLS_SIGALG_HASH_OID' => "tls-sigalg-hash-oid",
-+ 'CAPABILITY_TLS_SIGALG_KEYTYPE' => "tls-sigalg-keytype",
-+ 'CAPABILITY_TLS_SIGALG_KEYTYPE_OID' => "tls-sigalg-keytype-oid",
-+ 'CAPABILITY_TLS_SIGALG_SECURITY_BITS' => "tls-sigalg-sec-bits",
-+ 'CAPABILITY_TLS_SIGALG_MIN_TLS' => "tls-min-tls",
-+ 'CAPABILITY_TLS_SIGALG_MAX_TLS' => "tls-max-tls",
-+
-+# storemgmt parameters
-+
-+
-+# Used by storemgmt_ctx_set_params():
-+#
-+# - STORE_PARAM_EXPECT is an INTEGER, and the value is any of the
-+# STORE_INFO numbers. This is used to set the expected type of
-+# object loaded.
-+#
-+# - STORE_PARAM_SUBJECT, STORE_PARAM_ISSUER,
-+# STORE_PARAM_SERIAL, STORE_PARAM_FINGERPRINT,
-+# STORE_PARAM_DIGEST, STORE_PARAM_ALIAS
-+# are used as search criteria.
-+# (STORE_PARAM_DIGEST is used with STORE_PARAM_FINGERPRINT)
-+
-+ 'STORE_PARAM_EXPECT' => "expect", # INTEGER
-+ 'STORE_PARAM_SUBJECT' => "subject", # DER blob => OCTET_STRING
-+ 'STORE_PARAM_ISSUER' => "name", # DER blob => OCTET_STRING
-+ 'STORE_PARAM_SERIAL' => "serial", # INTEGER
-+ 'STORE_PARAM_DIGEST' => "digest", # UTF8_STRING
-+ 'STORE_PARAM_FINGERPRINT' => "fingerprint", # OCTET_STRING
-+ 'STORE_PARAM_ALIAS' => "alias", # UTF8_STRING
-+
-+# You may want to pass properties for the provider implementation to use
-+ 'STORE_PARAM_PROPERTIES' => "properties", # utf8_string
-+# DECODER input type if a decoder is used by the store
-+ 'STORE_PARAM_INPUT_TYPE' => "input-type", # UTF8_STRING
-+
-+
-+# Libssl record layer
-+ 'LIBSSL_RECORD_LAYER_PARAM_OPTIONS' => "options",
-+ 'LIBSSL_RECORD_LAYER_PARAM_MODE' => "mode",
-+ 'LIBSSL_RECORD_LAYER_PARAM_READ_AHEAD' => "read_ahead",
-+ 'LIBSSL_RECORD_LAYER_READ_BUFFER_LEN' => "read_buffer_len",
-+ 'LIBSSL_RECORD_LAYER_PARAM_USE_ETM' => "use_etm",
-+ 'LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC' => "stream_mac",
-+ 'LIBSSL_RECORD_LAYER_PARAM_TLSTREE' => "tlstree",
-+ 'LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN' => "max_frag_len",
-+ 'LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA' => "max_early_data",
-+ 'LIBSSL_RECORD_LAYER_PARAM_BLOCK_PADDING' => "block_padding",
-+);
-+
-+# Generate string based macros for public consumption
-+sub generate_public_macros {
-+ my @macros = ();
-+
-+ foreach my $name (keys %params) {
-+ my $val = $params{$name};
-+ my $def = '# define OSSL_' . $name . ' ';
-+
-+ if (substr($val, 0, 1) eq '*') {
-+ $def .= 'OSSL_' . substr($val, 1);
-+ } else {
-+ $def .= '"' . $val .
'"';
-+ }
-+ push(@macros, $def)
-+ }
-+ return join("\n", sort @macros);
-+}
-+
-+# Generate number based macros for internal use
-+# The numbers are unique per string
-+sub generate_internal_macros {
-+ my @macros = ();
-+ my $count = 0;
-+ my %reverse;
-+
-+ # Determine the number for each unique string
-+ # Sort the names to improve the chance of cache coherency
-+ foreach my $name (sort keys %params) {
-+ my $val = $params{$name};
-+
-+ if (substr($val, 0, 1) ne '*' and not defined $reverse{$val}) {
-+ $reverse{$val} = $count++;
-+ }
-+ }
-+
-+ # Output the defines
-+ foreach my $name (keys %params) {
-+ my $val = $params{$name};
-+ my $def = '#define PIDX_' . $name . ' ';
-+
-+ if (substr($val, 0, 1) eq '*') {
-+ $def .= 'PIDX_' . substr($val, 1);
-+ } else {
-+ $def .= $reverse{$val};
-+ }
-+ push(@macros, $def)
-+ }
-+ return "#define NUM_PIDX $count\n\n" . join("\n", sort @macros);
-+}
-+
-+sub generate_trie {
-+ my %trie;
-+ my $nodes = 0;
-+ my $chars = 0;
-+
-+ foreach my $name (keys %params) {
-+ my $val = $params{$name};
-+ if (substr($val, 0, 1) ne '*') {
-+ my $cursor = \%trie;
-+
-+ $chars += length($val);
-+ for my $i (0 .. length($val) - 1) {
-+ my $c = substr($val, $i, 1);
-+
-+ if (not $case_sensitive) {
-+ $c = '_' if $c eq '-';
-+ $c = lc $c;
-+ }
-+
-+ if (not defined $$cursor{$c}) {
-+ $$cursor{$c} = {};
-+ $nodes++;
-+ }
-+ $cursor = %$cursor{$c};
-+ }
-+ $$cursor{'val'} = $name;
-+ }
-+ }
-+ #print "\n\n/* $nodes nodes for $chars letters*/\n\n";
-+ return %trie;
-+}
-+
-+sub generate_code_from_trie {
-+ my $n = shift;
-+ my $trieref = shift;
-+ my $idt = " ";
-+ my $indent0 = $idt x ($n + 1);
-+ my $indent1 = $indent0 . $idt;
-+ my $strcmp = $case_sensitive ?
'strcmp' : 'strcasecmp';
-+
-+ print "int ossl_param_find_pidx(const char *s)\n{\n" if $n == 0;
-+
-+ if ($trieref->{'suffix'}) {
-+ my $suf = $trieref->{'suffix'};
-+
-+ printf "%sif ($strcmp(\"$suf\", s + $n) == 0", $indent0;
-+ if (not $case_sensitive) {
-+ $suf =~ tr/_/-/;
-+ print " || $strcmp(\"$suf\", s + $n) == 0"
-+ if ($suf ne $trieref->{'suffix'});
-+ }
-+ printf ")\n%sreturn PIDX_%s;\n", $indent1, $trieref->{'name'};
-+ #printf "%sbreak;\n", $indent0;
-+ return;
-+ }
-+
-+ printf "%sswitch(s\[%d\]) {\n", $indent0, $n;
-+ printf "%sdefault:\n", $indent0;
-+ for my $l (sort keys %$trieref) {
-+ if ($l eq 'val') {
-+ printf "%sbreak;\n", $indent1;
-+ printf "%scase '\\0':\n", $indent0;
-+ printf "%sreturn PIDX_%s;\n", $indent1, $trieref->{'val'};
-+ } else {
-+ printf "%sbreak;\n", $indent1;
-+ printf "%scase '%s':", $indent0, $l;
-+ if (not $case_sensitive) {
-+ print " case '-':" if ($l eq '_');
-+ printf " case '%s':", uc $l if ($l =~ /[a-z]/);
-+ }
-+ print "\n";
-+ generate_code_from_trie($n + 1, $trieref->{$l});
-+ }
-+ }
-+ printf "%s}\n", $indent0;
-+ print " return -1;\n}\n" if $n == 0;
-+ return "";
-+}
-+
-+# Find long endings and cache what they resolve to
-+sub locate_long_endings {
-+ my $trieref = shift;
-+ my @names = keys %$trieref;
-+ my $num = @names;
-+
-+ return (1, '', $trieref->{$names[0]}) if ($num == 1 and $names[0] eq 'val');
-+
-+ if ($num == 1) {
-+ my ($res, $suffix, $name) = locate_long_endings($trieref->{$names[0]});
-+ my $e = $names[0] . $suffix;
-+ if ($res) {
-+ $trieref->{'suffix'} = $e;
-+ $trieref->{'name'} = $name;
-+ }
-+ return $res, $e, $name;
-+ }
-+
-+ for my $l (@names) {
-+ if ($l ne 'val') {
-+ my ($res, $suffix, $name) = locate_long_endings($trieref->{$l});
-+ }
-+ }
-+ return 0, '';
-+}
-+
-+sub produce_decoder {
-+ my %t = generate_trie();
-+ my $s;
-+
-+ locate_long_endings(\%t);
-+
-+ open local *STDOUT, '>', \$s;
-+ generate_code_from_trie(0, \%t);
-+ return $s;
-+}
---
-2.33.0
-
diff --git a/backport-performance-improve-ossl_lh_strcasehash.patch b/backport-performance-improve-ossl_lh_strcasehash.patch
deleted file mode 100644
index 2e73d8724e1050372bfce65f0cec58d23aecd6ee..0000000000000000000000000000000000000000
--- a/backport-performance-improve-ossl_lh_strcasehash.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From d295e4b1da6d223242eb43bfae10479616c5236d Mon Sep 17 00:00:00 2001
-From: Pauli
-Date: Fri, 20 May 2022 10:15:55 +1000
-Subject: [PATCH] performance: improve ossl_lh_strcasehash
-
-This improvement seems to roughly halve the time it takes to run the
-ossl_lh_strcasehash function.
-
-It should have no impact on the strings we hash and search for often (algorithm
-names, property strings).
-
-Reviewed-by: Dmitry Belyavskiy
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/18354)
-
-(cherry picked from commit a4e21d18d5b7cb4fef66c10f13b1b3b55945439f)
----
- crypto/lhash/lhash.c | 21 ++++++++++++++++++++-
- 1 file changed, 20 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c
-index 1cd988f01f..c319a44c7b 100644
---- a/crypto/lhash/lhash.c
-+++ b/crypto/lhash/lhash.c
-@@ -344,18 +344,37 @@ unsigned long OPENSSL_LH_strhash(const char *c)
- return (ret >> 16) ^ ret;
- }
-
-+/*
-+ * Case insensitive string hashing.
-+ *
-+ * The lower/upper case bit is masked out (forcing all letters to be capitals).
-+ * The major side effect on non-alpha characters is mapping the symbols and
-+ * digits into the control character range (which should be harmless).
-+ * The duplication (with respect to the hash value) of printable characters
-+ * are that '`', '{', '|', '}' and '~' map to '@', '[', '\', ']' and '^'
-+ * respectively (which seems tolerable).
-+ *
-+ * For EBCDIC, the alpha mapping is to lower case, most symbols go to control
-+ * characters. The only duplication is '0' mapping to '^', which is better
-+ * than for ASCII.
-+ */
- unsigned long ossl_lh_strcasehash(const char *c)
- {
- unsigned long ret = 0;
- long n;
- unsigned long v;
- int r;
-+#if defined(CHARSET_EBCDIC) && !defined(CHARSET_EBCDIC_TEST)
-+ const long int case_adjust = ~0x40;
-+#else
-+ const long int case_adjust = ~0x20;
-+#endif
-
- if (c == NULL || *c == '\0')
- return ret;
-
- for (n = 0x100; *c != '\0'; n += 0x100) {
-- v = n | ossl_tolower(*c);
-+ v = n | (case_adjust & *c);
- r = (int)((v >> 2) ^ v) & 0x0f;
- /* cast to uint64_t to avoid 32 bit shift of 32 bit value */
- ret = (ret << r) | (unsigned long)((uint64_t)ret >> (32 - r));
---
-2.33.0
-
diff --git a/backport-property-use-a-stack-to-efficiently-convert-index-to.patch b/backport-property-use-a-stack-to-efficiently-convert-index-to.patch
deleted file mode 100644
index 197246eb8de1b6ec80a25dce34243f76ad718df7..0000000000000000000000000000000000000000
--- a/backport-property-use-a-stack-to-efficiently-convert-index-to.patch
+++ /dev/null
@@ -1,225 +0,0 @@ -From b1b4806a8caf92f32d18b52985fe4b14a6a694bd Mon Sep 17 00:00:00 2001 -From: Pauli -Date: Tue, 21 Dec 2021 11:44:31 +1100 -Subject: [PATCH] property: use a stack to efficiently convert index to string - -The existing code does this conversion by searching the hash table for the -appropriate index which is slow and expensive. - -Fixes #15867 - -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/17325) - -(cherry picked from commit 2e3c59356f847a76a90f9f837d4983428df6eb19) -Reviewed-by: Hugo Landau ---- - crypto/property/property_string.c | 114 ++++++++++++++---------------- - 1 file changed, 52 insertions(+), 62 deletions(-) - -diff --git a/crypto/property/property_string.c b/crypto/property/property_string.c -index ef87a6a782..3288c6ede8 100644 ---- a/crypto/property/property_string.c -+++ b/crypto/property/property_string.c -@@ -40,6 +40,8 @@ typedef struct { - PROP_TABLE *prop_values; - OSSL_PROPERTY_IDX prop_name_idx; - OSSL_PROPERTY_IDX prop_value_idx; -+ STACK_OF(OPENSSL_CSTRING) *prop_namelist; -+ STACK_OF(OPENSSL_CSTRING) *prop_valuelist; - } PROPERTY_STRING_DATA; - - static unsigned long property_hash(const PROPERTY_STRING *a) -@@ -78,6 +80,9 @@ static void property_string_data_free(void *vpropdata) - CRYPTO_THREAD_lock_free(propdata->lock); - property_table_free(&propdata->prop_names); - property_table_free(&propdata->prop_values); -+ sk_OPENSSL_CSTRING_free(propdata->prop_namelist); -+ sk_OPENSSL_CSTRING_free(propdata->prop_valuelist); -+ propdata->prop_namelist = propdata->prop_valuelist = NULL; - propdata->prop_name_idx = propdata->prop_value_idx = 0; - - OPENSSL_free(propdata); -@@ -90,24 +95,21 @@ static void *property_string_data_new(OSSL_LIB_CTX *ctx) { - return NULL; - - propdata->lock = CRYPTO_THREAD_lock_new(); -- if (propdata->lock == NULL) -- goto err; -- - propdata->prop_names = lh_PROPERTY_STRING_new(&property_hash, - &property_cmp); -- if (propdata->prop_names == NULL) -- goto err; -- - 
propdata->prop_values = lh_PROPERTY_STRING_new(&property_hash, - &property_cmp); -- if (propdata->prop_values == NULL) -- goto err; -- -+ propdata->prop_namelist = sk_OPENSSL_CSTRING_new_null(); -+ propdata->prop_valuelist = sk_OPENSSL_CSTRING_new_null(); -+ if (propdata->lock == NULL -+ || propdata->prop_names == NULL -+ || propdata->prop_values == NULL -+ || propdata->prop_namelist == NULL -+ || propdata->prop_valuelist == NULL) { -+ property_string_data_free(propdata); -+ return NULL; -+ } - return propdata; -- --err: -- property_string_data_free(propdata); -- return NULL; - } - - static const OSSL_LIB_CTX_METHOD property_string_data_method = { -@@ -134,57 +136,65 @@ static PROPERTY_STRING *new_property_string(const char *s, - return ps; - } - --static OSSL_PROPERTY_IDX ossl_property_string(CRYPTO_RWLOCK *lock, -- PROP_TABLE *t, -- OSSL_PROPERTY_IDX *pidx, -- const char *s) -+static OSSL_PROPERTY_IDX ossl_property_string(OSSL_LIB_CTX *ctx, int name, -+ int create, const char *s) - { - PROPERTY_STRING p, *ps, *ps_new; -+ PROP_TABLE *t; -+ STACK_OF(OPENSSL_CSTRING) *slist; -+ OSSL_PROPERTY_IDX *pidx; -+ PROPERTY_STRING_DATA *propdata -+ = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_PROPERTY_STRING_INDEX, -+ &property_string_data_method); - -+ if (propdata == NULL) -+ return 0; -+ -+ t = name ? propdata->prop_names : propdata->prop_values; - p.s = s; -- if (!CRYPTO_THREAD_read_lock(lock)) { -+ if (!CRYPTO_THREAD_read_lock(propdata->lock)) { - ERR_raise(ERR_LIB_CRYPTO, ERR_R_UNABLE_TO_GET_READ_LOCK); - return 0; - } - ps = lh_PROPERTY_STRING_retrieve(t, &p); -- if (ps == NULL && pidx != NULL) { -- CRYPTO_THREAD_unlock(lock); -- if (!CRYPTO_THREAD_write_lock(lock)) { -+ if (ps == NULL && create) { -+ CRYPTO_THREAD_unlock(propdata->lock); -+ if (!CRYPTO_THREAD_write_lock(propdata->lock)) { - ERR_raise(ERR_LIB_CRYPTO, ERR_R_UNABLE_TO_GET_WRITE_LOCK); - return 0; - } -+ pidx = name ? 
&propdata->prop_name_idx : &propdata->prop_value_idx; - ps = lh_PROPERTY_STRING_retrieve(t, &p); - if (ps == NULL && (ps_new = new_property_string(s, pidx)) != NULL) { -+ slist = name ? propdata->prop_namelist : propdata->prop_valuelist; -+ if (sk_OPENSSL_CSTRING_push(slist, ps_new->s) <= 0) { -+ property_free(ps_new); -+ CRYPTO_THREAD_unlock(propdata->lock); -+ return 0; -+ } - lh_PROPERTY_STRING_insert(t, ps_new); - if (lh_PROPERTY_STRING_error(t)) { -+ /*- -+ * Undo the previous push which means also decrementing the -+ * index and freeing the allocated storage. -+ */ -+ sk_OPENSSL_CSTRING_pop(slist); - property_free(ps_new); -- CRYPTO_THREAD_unlock(lock); -+ --*pidx; -+ CRYPTO_THREAD_unlock(propdata->lock); - return 0; - } - ps = ps_new; - } - } -- CRYPTO_THREAD_unlock(lock); -+ CRYPTO_THREAD_unlock(propdata->lock); - return ps != NULL ? ps->idx : 0; - } - --struct find_str_st { -- const char *str; -- OSSL_PROPERTY_IDX idx; --}; -- --static void find_str_fn(PROPERTY_STRING *prop, void *vfindstr) --{ -- struct find_str_st *findstr = vfindstr; -- -- if (prop->idx == findstr->idx) -- findstr->str = prop->s; --} -- - static const char *ossl_property_str(int name, OSSL_LIB_CTX *ctx, - OSSL_PROPERTY_IDX idx) - { -- struct find_str_st findstr; -+ const char *r; - PROPERTY_STRING_DATA *propdata - = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_PROPERTY_STRING_INDEX, - &property_string_data_method); -@@ -192,33 +202,21 @@ static const char *ossl_property_str(int name, OSSL_LIB_CTX *ctx, - if (propdata == NULL) - return NULL; - -- findstr.str = NULL; -- findstr.idx = idx; -- - if (!CRYPTO_THREAD_read_lock(propdata->lock)) { - ERR_raise(ERR_LIB_CRYPTO, ERR_R_UNABLE_TO_GET_READ_LOCK); - return NULL; - } -- lh_PROPERTY_STRING_doall_arg(name ? propdata->prop_names -- : propdata->prop_values, -- find_str_fn, &findstr); -+ r = sk_OPENSSL_CSTRING_value(name ? 
propdata->prop_namelist -+ : propdata->prop_valuelist, idx - 1); - CRYPTO_THREAD_unlock(propdata->lock); - -- return findstr.str; -+ return r; - } - - OSSL_PROPERTY_IDX ossl_property_name(OSSL_LIB_CTX *ctx, const char *s, - int create) - { -- PROPERTY_STRING_DATA *propdata -- = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_PROPERTY_STRING_INDEX, -- &property_string_data_method); -- -- if (propdata == NULL) -- return 0; -- return ossl_property_string(propdata->lock, propdata->prop_names, -- create ? &propdata->prop_name_idx : NULL, -- s); -+ return ossl_property_string(ctx, 1, create, s); - } - - const char *ossl_property_name_str(OSSL_LIB_CTX *ctx, OSSL_PROPERTY_IDX idx) -@@ -229,15 +227,7 @@ const char *ossl_property_name_str(OSSL_LIB_CTX *ctx, OSSL_PROPERTY_IDX idx) - OSSL_PROPERTY_IDX ossl_property_value(OSSL_LIB_CTX *ctx, const char *s, - int create) - { -- PROPERTY_STRING_DATA *propdata -- = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_PROPERTY_STRING_INDEX, -- &property_string_data_method); -- -- if (propdata == NULL) -- return 0; -- return ossl_property_string(propdata->lock, propdata->prop_values, -- create ? &propdata->prop_value_idx : NULL, -- s); -+ return ossl_property_string(ctx, 0, create, s); - } - - const char *ossl_property_value_str(OSSL_LIB_CTX *ctx, OSSL_PROPERTY_IDX idx) --- -2.33.0 - diff --git a/backport-use-__builtin_expect-to-improve-EVP_EncryptUpdate-pe.patch b/backport-use-__builtin_expect-to-improve-EVP_EncryptUpdate-pe.patch deleted file mode 100644 index 3b4c471ed23e96f1475a8955089e57c0a32109c6..0000000000000000000000000000000000000000 --- a/backport-use-__builtin_expect-to-improve-EVP_EncryptUpdate-pe.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -From ed6dfd1e3694b3438249f3d0117bc314afa6b240 Mon Sep 17 00:00:00 2001 -From: Liu-ErMeng -Date: Tue, 11 Jul 2023 16:22:53 +0800 -Subject: [PATCH] use '__builtin_expect' to improve EVP_EncryptUpdate - performance for gcc/clang. - -Signed-off-by: Liu-ErMeng - -Reviewed-by: Tomas Mraz -Reviewed-by: Tom Cosgrove -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/21425) ---- - crypto/evp/evp_enc.c | 24 ++++++++++++------------ - include/internal/common.h | 8 ++++++++ - 2 files changed, 20 insertions(+), 12 deletions(-) - -diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c -index 6b6d65163f..8dddcc0bb5 100644 ---- a/crypto/evp/evp_enc.c -+++ b/crypto/evp/evp_enc.c -@@ -27,6 +27,14 @@ - #include "crypto/evp.h" - #include "evp_local.h" - -+#if defined(__GNUC__) || defined(__clang__) -+ #define likely(x) __builtin_expect(!!(x), 1) -+ #define unlikely(x) __builtin_expect(!!(x), 0) -+#else -+ #define likely(x) x -+ #define unlikely(x) x -+#endif -+ - int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx) - { - if (ctx == NULL) -@@ -621,7 +621,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, - size_t soutl, inl_ = (size_t)inl; - int blocksize; - -- if (outl != NULL) { -+ if (likely(outl != NULL)) { - *outl = 0; - } else { - ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER); -@@ -629,22 +629,22 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, - } - - /* Prevent accidental use of decryption context when encrypting */ -- if (!ctx->encrypt) { -+ if (unlikely(!ctx->encrypt)) { - ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION); - return 0; - } - -- if (ctx->cipher == NULL) { -+ if (unlikely(ctx->cipher == NULL)) { - ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET); - return 0; - } - -- if (ctx->cipher->prov == NULL) -+ if (unlikely(ctx->cipher->prov == NULL)) - goto legacy; - - blocksize = ctx->cipher->block_size; - -- if (ctx->cipher->cupdate == NULL || blocksize < 1) { -+ if 
(unlikely(ctx->cipher->cupdate == NULL || blocksize < 1)) { - ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR); - return 0; - } -@@ -653,7 +653,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, - inl_ + (size_t)(blocksize == 1 ? 0 : blocksize), - in, inl_); - -- if (ret) { -+ if (likely(ret)) { - if (soutl > INT_MAX) { - ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR); - return 0; -@@ -770,7 +770,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, - size_t soutl, inl_ = (size_t)inl; - int blocksize; - -- if (outl != NULL) { -+ if (likely(outl != NULL)) { - *outl = 0; - } else { - ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER); -@@ -778,21 +778,21 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, - } - - /* Prevent accidental use of encryption context when decrypting */ -- if (ctx->encrypt) { -+ if (unlikely(ctx->encrypt)) { - ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION); - return 0; - } - -- if (ctx->cipher == NULL) { -+ if (unlikely(ctx->cipher == NULL)) { - ERR_raise(ERR_LIB_EVP, EVP_R_NO_CIPHER_SET); - return 0; - } -- if (ctx->cipher->prov == NULL) -+ if (unlikely(ctx->cipher->prov == NULL)) - goto legacy; - - blocksize = EVP_CIPHER_CTX_get_block_size(ctx); - -- if (ctx->cipher->cupdate == NULL || blocksize < 1) { -+ if (unlikely(ctx->cipher->cupdate == NULL || blocksize < 1)) { - ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR); - return 0; - } -@@ -800,7 +800,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, - inl_ + (size_t)(blocksize == 1 ? 0 : blocksize), - in, inl_); - -- if (ret) { -+ if (likely(ret)) { - if (soutl > INT_MAX) { - ERR_raise(ERR_LIB_EVP, EVP_R_UPDATE_ERROR); - return 0; --- -2.33.0 - diff --git a/fix-add-loongarch64-target.patch b/fix-add-loongarch64-target.patch index 9999e971d1c20b7d93460ee53c1548342a61dfce..0df21b27f9cce46a6005d0b2aee7488aa8e3ac24 100644 --- a/fix-add-loongarch64-target.patch +++ b/fix-add-loongarch64-target.patch 
@@ -1,31 +1,32 @@ -From 5fd4cc31c0eba0813a005d3559afc1b42df8ee32 Mon Sep 17 00:00:00 2001 +From 155ae43afd86cd682e758f93dc7937dc3bcd6e20 Mon Sep 17 00:00:00 2001 From: Shi Pujin Date: Wed, 16 Feb 2022 10:53:56 +0800 -Subject: [PATCH] Add loongarch64 target +Subject: [PATCH 4/8] Add loongarch64 target --- - Configurations/10-main.conf | 7 +++++++ - 1 file changed, 7 insertions(+) + Configurations/10-main.conf | 9 +++++++++ + 1 file changed, 9 insertions(+) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf -index 61c6689..7102c95 100644 +index 2dc62e0..de3a815 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf -@@ -761,6 +761,13 @@ my %targets = ( - perlasm_scheme => "linux64", +@@ -838,6 +838,15 @@ my %targets = ( + lib_cppflags => add("-DL_ENDIAN"), }, + # loongarch64 below refers to contemporary LOONGARCH Architecture + # specifications, + "linux-loongarch64" => { + inherit_from => [ "linux-generic64"], ++ asm_arch => 'loongarch64', + perlasm_scheme => "linux64", ++ lib_cppflags => add("-DL_ENDIAN"), + }, + #### IA-32 targets... #### These two targets are a bit aged and are to be used on older Linux #### machines where gcc doesn't understand -m32 and -m64 -- -2.27.0 - +2.50.1 diff --git a/openssl-3.0.12.tar.gz b/openssl-3.0.12.tar.gz deleted file mode 100644 index 4fb7c5f6e5f63dc609156763733126550081dd7e..0000000000000000000000000000000000000000 Binary files a/openssl-3.0.12.tar.gz and /dev/null differ diff --git a/openssl-3.0-build.patch b/openssl-3.5-build.patch similarity index 63% rename from openssl-3.0-build.patch rename to openssl-3.5-build.patch index b8f9c5aaf62c081728782e7e44d23d11100e0816..ec382124c1e2ee460c7bf4d51fe7abb98895f059 100644 --- a/openssl-3.0-build.patch +++ b/openssl-3.5-build.patch @@ -1,7 +1,7 @@ -From 262bff1615d4461120327c5a9fe904ad1c6ce813 Mon Sep 17 00:00:00 2001 +From eb31b00cf1d2288fcb9af37f2942561ce0a38834 Mon Sep 17 00:00:00 2001 
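Review bot: The new `asm_arch => 'loongarch64'` line switches this target from the portable C implementations to the loongarch64 assembly for every primitive that has an asm backend, but neither the patch header nor the spec records how that was validated, and the spec's `%check` runs `make test || :`, so an assembler or cpuid regression would not fail the build. Upstream 3.x appears to already ship a `linux64-loongarch64` target with the same `inherit_from`/`perlasm_scheme`/`asm_arch` settings (not verifiable from this diff); if the build can configure with that name, this patch could be dropped rather than carried as a divergent near-duplicate, otherwise the patch header should say why a separate `linux-loongarch64` name is needed. `lib_cppflags => add("-DL_ENDIAN")` hard-codes the byte order; a one-line comment such as `# Linux loongarch64 is little-endian only` next to it would make that deliberate. The enclosing `%targets` hash starts and ends outside the hunk.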
From: hzero1996 Date: Sun, 29 Jan 2023 14:53:03 +0800 -Subject: [PATCH] openssl-3.0-build +Subject: [PATCH 1/8] openssl-3.0-build --- Configurations/10-main.conf | 1 + @@ -9,10 +9,10 @@ Subject: [PATCH] openssl-3.0-build 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf -index b578a3c..1ad81c3 100644 +index cba57b4..2dc62e0 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf -@@ -772,6 +772,7 @@ my %targets = ( +@@ -768,6 +768,7 @@ my %targets = ( inherit_from => [ "linux-generic64" ], asm_arch => 'aarch64', perlasm_scheme => "linux64", @@ -21,18 +21,18 @@ index b578a3c..1ad81c3 100644 "linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32 inherit_from => [ "linux-generic32" ], diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl -index a48fae5..56b4292 100644 +index a6f6669..784e66e 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl -@@ -611,7 +611,7 @@ install_sw: install_dev install_engines install_modules install_runtime +@@ -658,7 +658,7 @@ install_sw: install_dev install_engines install_modules install_runtime ## Insta - uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev + uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev ## Uninstall the software and libraries --install_docs: install_man_docs install_html_docs +-install_docs: install_man_docs install_html_docs ## Install manpages and HTML documentation +install_docs: install_man_docs - uninstall_docs: uninstall_man_docs uninstall_html_docs + uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation $(RM) -r "$(DESTDIR)$(DOCDIR)" -- -2.27.0 +2.50.1 
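Review bot: The file is renamed to `openssl-3.5-build.patch`, but the patch's own `Subject:` still reads `[PATCH 1/8] openssl-3.0-build` and the body below it is empty, so nothing records that this is a rebase onto 3.5.1 or what the two inner changes are for; update it to `Subject: [PATCH 1/8] openssl-3.5-build` and add one line describing the extra `linux-aarch64` setting and the `install_docs` trimming. The aarch64 line the inner hunk adds falls outside the three context lines shown here, so its content cannot be reviewed from this diff. The inner `install_docs` change removes `install_html_docs` while `uninstall_docs` still lists `uninstall_html_docs`; that is harmless at uninstall time but worth a sentence in the patch header so the asymmetry is not mistaken for an oversight later.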
diff --git a/openssl-3.5.1.tar.gz b/openssl-3.5.1.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..7f0f1d918968acbcdfaf46bd0cada88eb9f9bea9 Binary files /dev/null and b/openssl-3.5.1.tar.gz differ diff --git a/openssl.spec b/openssl.spec index 0846e8915154a53e8251a859a648142af3a809dc..8d3552edc65e1a71a4ee11ad791b7c6955e0bb32 100755 --- a/openssl.spec +++ b/openssl.spec 
@@ -1,87 +1,23 @@ %define soversion 3 Name: openssl Epoch: 1 -Version: 3.0.12 -Release: 17 +Version: 3.5.1 +Release: 1 Summary: Cryptography and SSL/TLS Toolkit License: OpenSSL and SSLeay URL: https://www.openssl.org/ Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz Source1: Makefile.certificate -Patch1: openssl-3.0-build.patch -Patch2: Backport-aarch64-support-BTI-and-pointer-authentication-in-as.patch -Patch3: Backport-SM3-acceleration-with-SM3-hardware-instruction-on-aa.patch -Patch4: Backport-Fix-sm3ss1-translation-issue-in-sm3-armv8.pl.patch -Patch5: Backport-providers-Add-SM4-GCM-implementation.patch -Patch6: Backport-SM4-optimization-for-ARM-by-HW-instruction.patch -Patch7: Backport-Further-acceleration-for-SM4-GCM-on-ARM.patch -Patch8: Backport-SM4-optimization-for-ARM-by-ASIMD.patch -Patch9: Backport-providers-Add-SM4-XTS-implementation.patch -Patch10: Backport-Fix-SM4-CBC-regression-on-Armv8.patch -Patch11: Backport-Fix-SM4-test-failures-on-big-endian-ARM-processors.patch -Patch12: Backport-Apply-SM4-optimization-patch-to-Kunpeng-920.patch -Patch13: Backport-SM4-AESE-optimization-for-ARMv8.patch -Patch14: Backport-Fix-SM4-XTS-build-failure-on-Mac-mini-M1.patch -Patch15: Backport-support-decode-SM2-parameters.patch -Patch16: Feature-support-SM2-CMS-signature.patch -Patch17: Feature-use-default-id-if-SM2-id-is-not-set.patch -Patch18: Backport-Make-DH_check_pub_key-and-DH_generate_key-safer-yet.patch -Patch19: Backport-poly1305-ppc.pl-Fix-vector-register-clobbering.patch -Patch20: Backport-Limit-the-execution-time-of-RSA-public-key-check.patch -Patch21: Backport-Add-NULL-checks-where-ContentInfo-data-can-be-NULL.patch -Patch22: Backport-Fix-SM4-XTS-aarch64-assembly-implementation-bug.patch -Patch23: fix-add-loongarch64-target.patch -Patch24: backport-CVE-2024-2511-Fix-unconstrained-session-cache-growth-in-TLSv1.3.patch -Patch25: backport-Add-a-test-for-session-cache-handling.patch -Patch26: 
backport-Extend-the-multi_resume-test-for-simultaneous-resump.patch -Patch27: backport-Hardening-around-not_resumable-sessions.patch -Patch28: backport-Add-a-test-for-session-cache-overflow.patch -Patch29: backport-CVE-2024-4603-Check-DSA-parameters-for-exce.patch -Patch30: Backport-Add-a-test-for-late-loading-of-an-ENGINE-in-TLS.patch -Patch31: Backport-Don-t-attempt-to-set-provider-params-on-an-ENGINE-ba.patch -Patch32: Backport-CVE-2024-4741-Only-free-the-read-buffers-if-we-re-not-using-them.patch -Patch33: Backport-CVE-2024-4741-Set-rlayer.packet-to-NULL-after-we-ve-finished-using.patch -Patch34: Backport-CVE-2024-4741-Extend-the-SSL_free_buffers-testing.patch -Patch35: Backport-CVE-2024-4741-Move-the-ability-to-load-the-dasync-engine-into-sslt.patch -Patch36: Backport-CVE-2024-4741-Further-extend-the-SSL_free_buffers-testing.patch -Patch37: Backport-bn-Properly-error-out-if-aliasing-return-value-with-.patch -Patch38: Backport-CVE-2024-5535-Fix-SSL_select_next_proto.patch -Patch39: Backport-CVE-2024-5535-Add-a-test-for-ALPN-and-NPN.patch -Patch40: backport-Add-FIPS_mode-compatibility-macro.patch -Patch41: Backport-CVE-2024-6119-Avoid-type-errors-in-EAI-related-name-check-logic.patch - -Patch42: backport-Add-CTX-copy-function-for-EVP_MD-to-optimize-the-per.patch -Patch43: backport-Decoder-resolution-performance-optimizations.patch -Patch44: backport-Improve-performance-of-the-encoder-collection.patch -Patch45: backport-evp_md_init_internal-Avoid-reallocating-algctx-if-di.patch -Patch46: backport-Remove-the-_fetch_by_number-functions.patch -Patch47: backport-Make-IV-buf-in-prov_cipher_ctx_st-aligned.patch -Patch48: backport-ossl_namemap_name2_num-Avoid-unnecessary-OPENSSL_str.patch -Patch49: backport-performance-improve-ossl_lh_strcasehash.patch -Patch50: backport-01-Improve-FIPS-RSA-keygen-performance.patch -Patch51: backport-02-Improve-FIPS-RSA-keygen-performance.patch -Patch52: backport-When-we-re-just-reading-EX_CALLBACK-data-just-get-a-.patch -Patch53: 
backport-Avoid-an-unneccessary-lock-if-we-didn-t-add-anything.patch -Patch54: backport-use-__builtin_expect-to-improve-EVP_EncryptUpdate-pe.patch -Patch55: backport-Drop-ossl_namemap_add_name_n-and-simplify-ossl_namem.patch -Patch56: backport-Don-t-take-a-write-lock-to-retrieve-a-value-from-a-s.patch -Patch57: backport-aes-avoid-accessing-key-length-field-directly.patch -Patch58: backport-evp-enc-cache-cipher-key-length.patch -Patch59: backport-Avoid-calling-into-provider-with-the-same-iv_len-or-.patch -Patch60: backport-property-use-a-stack-to-efficiently-convert-index-to.patch -Patch61: backport-Revert-Release-the-drbg-in-the-global-default-contex.patch -Patch62: backport-Refactor-a-separate-func-for-provider-activation-fro.patch -Patch63: backport-Refactor-OSSL_LIB_CTX-to-avoid-using-CRYPTO_EX_DATA.patch -Patch64: backport-Release-the-drbg-in-the-global-default-context-befor.patch -Patch65: backport-params-provide-a-faster-TRIE-based-param-lookup.patch -Patch66: backport-CVE-2024-13176-Fix-timing-side-channel.patch - -Patch67: 0001-add-support-for-sw_64-architecture.patch +Patch1: openssl-3.5-build.patch +Patch2: Feature-support-SM2-CMS-signature.patch +Patch3: Feature-use-default-id-if-SM2-id-is-not-set.patch +Patch4: fix-add-loongarch64-target.patch +Patch5: backport-Add-FIPS_mode-compatibility-macro.patch +Patch6: 0001-add-support-for-sw_64-architecture.patch Patch9000: add-FIPS_mode_set-support.patch -Patch9001: backport-CVE-2024-9143-Harden-BN_GF2m_poly2arr-against-misuse.patch -Patch9002: Fix-build-error-for-ppc64le.patch +Patch9001: Fix-build-error-for-ppc64le.patch BuildRequires: gcc gcc-c++ perl make lksctp-tools-devel coreutils util-linux zlib-devel Requires: coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} @@ -257,6 +193,7 @@ make test || : %{_libdir}/*.a %{_mandir}/man3/* %{_libdir}/pkgconfig/*.pc +%{_libdir}/cmake/OpenSSL/*.cmake %files help 
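Review bot: The upstream tarball is consumed without any integrity check visible in the spec: `Source0` points at the release URL and `openssl-3.5.1.tar.gz` arrives as an opaque binary, with no `.asc` or checksum source and no verification step in this hunk; unless the build pipeline verifies Source0 elsewhere, add `Source2: https://www.openssl.org/source/%{name}-%{version}.tar.gz.asc` and check it in `%prep` against the OpenSSL release key. Dropping the 3.0.12 CVE backports (CVE-2024-2511 through CVE-2024-13176) looks right, as those fixes predate 3.5.1 upstream as far as I can tell, but the patches carried across the 3.0 to 3.5 jump (`add-FIPS_mode_set-support.patch`, `backport-Add-FIPS_mode-compatibility-macro.patch`, the two SM2 feature patches) are reapplied with no note that they were re-validated against the reworked 3.5 provider and FIPS code, so a one-line statement to that effect in the commit message would help the next reviewer. Restarting at `Release: 1` while the entire previous `%changelog` is removed also loses the only record of which locally carried patches were dropped and why; keeping a short "dropped as upstreamed" list would preserve that. The `%prep` and `%check` sections are outside the hunk.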
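Review bot: `%{_libdir}/cmake/OpenSSL/*.cmake` packages the new 3.5 cmake config files but leaves the `%{_libdir}/cmake/OpenSSL` directory itself unowned (and `%{_libdir}/cmake` too, unless another installed package owns it); listing the directory instead, `%{_libdir}/cmake/OpenSSL/`, makes rpm own it and remove it cleanly on uninstall. Separately, the hunk header shows `%check` still runs `make test || :`, which discards every test result; with a 3.0.12 to 3.5.1 jump plus locally carried FIPS, SM2, loongarch64 and sw_64 patches, a failing `make test` is the main signal that those patches still work, so failures should be fatal, or at minimum the known-failing tests should be excluded explicitly rather than the whole suite ignored. The `%check` section starts outside the hunk.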
@@ -282,108 +219,5 @@ make test || : %ldconfig_scriptlets libs %changelog -* Thu Apr 3 2025 swcompiler - 1:3.0.12-17 -- add support for sw_64 architecture - -* Sat Feb 8 2025 jinlun - 1:3.0.12-16 -- fix CVE-2024-13176 - -* Wed Nov 27 2024 peng.zou - 1:3.0.12-15 -- Fix build error for ppc64le - -* Tue Nov 26 2024 steven - 1:3.0.12-14 -- backport patch for performance improvements - -* Fri Nov 22 2024 zhujianwei - 1:3.0.12-13 -- backport patch for performance improvements - -* Tue Nov 19 2024 wangjinchao - 1:3.0.12-12 -- fix broken link - -* Thu Oct 17 2024 liningjie - 1:3.0.12-11 -- fix CVE-2024-9143 - -* Tue Sep 03 2024 yinyongkang - 1:3.0.12-10 -- fix CVE-2024-6119 - -* Wed Aug 21 2024 fuanan - 1:3.0.12-9 -- add fips feature - -* Fri Jun 28 2024 yinyongkang - 1:3.0.12-8 -- fix CVE-2024-5535 - -* Mon Jun 24 2024 steven - 1:3.0.12-7 -- backport patch - -* Mon Jun 3 2024 wangcheng - 1:3.0.12-6 -- fix CVE-2024-4741 - -* Fri May 17 2024 cenhuilin - 1:3.0.12-5 -- fix CVE-2024-4603 - -* Sun Apr 28 2024 wangcheng - 1:3.0.12-4 -- fix CVE-2024-2511 - -* Wed Mar 6 2024 Wenlong Zhang - 1:3.0.12-3 -- Fix build error for loongarch64 - -* Thu Jan 18 2024 Xu Yizhou - 1:3.0.12-2 -- Fix SM4-XTS aarch64 assembly implementation bug - -* Thu Jan 04 2024 wangcheng - 1:3.0.12-1 -- Upgrade to 3.0.12 - Resolves: CVE-2023-0464 - Resolves: CVE-2023-0465 - Resolves: CVE-2023-0466 - Resolves: CVE-2023-1255 - Resolves: CVE-2023-2650 - Resolves: CVE-2023-5363 - Resolves: CVE-2023-6237 - Resolves: CVE-2023-6129 - Resolves: CVE-2023-5678 - Resolves: CVE-2024-0727 - -* Fri Sep 22 2023 dongyuzhen - 1:3.0.9-5 -- Backport some upstream patches - -* Wed Sep 13 2023 luhuaxin - 1:3.0.9-4 -- Support decode SM2 parameters - -* Wed Sep 13 2023 luhuaxin - 1:3.0.9-3 -- Support SM2 CMS signature and use SM2 default id - -* Tue Aug 08 2023 zhujianwei - 1:3.0.9-2 -- fix CVE-2023-2975 CVE-2023-3446 CVE-2023-3816 - -* Sat Jul 22 2023 wangcheng - 1:3.0.9-1 -- upgrade to 3.0.9 - -* Mon Jun 12 2023 steven - 
1:3.0.8-7 -- fix CVE-2023-2650 - -* Wed Apr 26 2023 zcwei - 1:3.0.8-6 -- fix CVE-2023-1255 - -* Tue Apr 4 2023 wangcheng - 1:3.0.8-5 -- fix some CVEs - -* Mon Mar 27 2023 xuraoqing - 1:3.0.8-4 -- fix CVE-2023-0464 and add test cases - -* Fri Mar 17 2023 wangjunqiang - 1:3.0.8-3 -- fix sslarch and libdir for riscv64 - -* Thu Mar 16 2023 Xu Yizhou - 1:3.0.8-2 -- backport SM4 GCM/CCM/XTS implementation -- backport SM3/SM4 optimization - -* Tue Feb 7 2023 wangcheng - 1:3.0.8-1 -- upgrade to 3.0.8 for fixing CVEs - -* Tue Feb 7 2023 wangcheng - 1:3.0.7-2 -- disable sctp in openssl building - -* Thu Jan 19 2023 wangcheng - 1:3.0.7-1 +* Wed Jul 30 2025 Julian Zhu - 1:3.5.1-1 - Package init - -