diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cd3248d37..c32f15624 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -280,6 +280,10 @@ jobs: run: make test TESTS="test_external_gost_engine" - name: test external krb5 run: make test TESTS="test_external_krb5" + - name: test external_tlsfuzzer + run: make test TESTS="test_external_tlsfuzzer" + - name: test external oqs-provider + run: make test TESTS="test_external_oqsprovider" external-test-pyca: runs-on: ubuntu-latest diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml index 31b6cbd3f..51dc58a23 100644 --- a/.github/workflows/cross-compiles.yml +++ b/.github/workflows/cross-compiles.yml @@ -1,4 +1,4 @@ -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -30,8 +30,24 @@ jobs: # to never run the tests, otherwise its value is passed to # the "make test" command to allow selective disabling of # tests. + # qemucpu: optional; string that describes CPU properties. + # The string will be used to set the QEMU_CPU variable. + # opensslcapsname: optional; string that describes the postfix of the + # OpenSSL environment variable that defines CPU + # capabilities. E.g. "foo" will result in an + # environment variable with the name OPENSSL_foo. + # opensslcaps: optional; if opensslcapsname (see above) is set, then + # this string will be used as content for the OpenSSL + # capabilities variable. + # ppa: Launchpad PPA repository to download packages from. platform: [ { + arch: i386-pc-msdosdjgpp, + libs: libc-djgpp-dev libwatt-djgpp-dev djgpp-utils, + target: no-threads 386 DJGPP, + tests: none, + ppa: jwt27/djgpp-toolchain + }, { arch: aarch64-linux-gnu, libs: libc6-dev-arm64-cross, target: linux-aarch64 
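Review bot: The step name `test external_tlsfuzzer` breaks the `test external <name>` form of the neighbouring steps (`test external krb5`, `test external oqs-provider`); `- name: test external tlsfuzzer` matches them. The tlsfuzzer target presumably needs the tlsfuzzer, tlslite-ng and python-ecdsa submodules that this commit adds to .gitmodules to be present in the job's checkout; the job's checkout step is outside the hunk, so confirm it fetches those submodules. The enclosing job starts before this hunk.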
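Review bot: The new matrix documentation describes `ppa` without the `optional;` marker that every other optional key in the block carries, even though only the DJGPP entry sets it; `# ppa: optional; Launchpad PPA repository to download packages from.` keeps the comment block consistent. It is also worth stating in that comment that packages from a `ppa:` value are installed with root rights from a third-party Launchpad repository outside the project's control, so a later matrix addition that sets the key is reviewed as a supply-chain decision rather than a plain option. The `platform:` list continues past the end of this hunk.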
@@ -80,7 +96,10 @@ jobs: }, { arch: powerpc64le-linux-gnu, libs: libc6-dev-ppc64el-cross, - target: linux-ppc64le + # The default compiler for this platform on Ubuntu 20.04 seems + # buggy and causes test failures. Dropping the optimisation level + # resolves it. + target: -O2 linux-ppc64le }, { arch: riscv64-linux-gnu, libs: libc6-dev-riscv64-cross, @@ -131,6 +150,10 @@ jobs: ] runs-on: ubuntu-latest steps: + - name: install package repository + if: matrix.platform.ppa != '' + run: | + sudo add-apt-repository ppa:${{ matrix.platform.ppa }} - name: install packages run: | sudo apt-get update @@ -161,14 +184,24 @@ jobs: if: github.event_name == 'push' && matrix.platform.tests != 'none' run: sudo apt-get -yq --force-yes install qemu-user + - name: Set QEMU environment + if: github.event_name == 'push' && matrix.platform.qemucpu != '' + run: echo "QEMU_CPU=${{ matrix.platform.qemucpu }}" >> $GITHUB_ENV + + - name: Set OpenSSL caps environment + if: github.event_name == 'push' && matrix.platform.opensslcapsname != '' + run: echo "OPENSSL_${{ matrix.platform.opensslcapsname }}=\ + ${{ matrix.platform.opensslcaps }}" >> $GITHUB_ENV + - name: make all tests if: github.event_name == 'push' && matrix.platform.tests == '' run: | make test HARNESS_JOBS=${HARNESS_JOBS:-4} \ + TESTS="-test_afalg" \ QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }} - name: make some tests if: github.event_name == 'push' && matrix.platform.tests != 'none' && matrix.platform.tests != '' run: | make test HARNESS_JOBS=${HARNESS_JOBS:-4} \ - TESTS="${{ matrix.platform.tests }}" \ + TESTS="${{ matrix.platform.tests }} -test_afalg" \ QEMU_LD_PREFIX=/usr/${{ matrix.platform.arch }} diff --git a/.github/workflows/fips-provider.yml b/.github/workflows/fips-provider.yml new file mode 100644 index 000000000..18af712b6 --- /dev/null +++ b/.github/workflows/fips-provider.yml 
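Review bot: `sudo add-apt-repository ppa:${{ matrix.platform.ppa }}` in the new `install package repository` step runs without `-y`, and add-apt-repository asks for confirmation before adding a repository; on a non-interactive runner that presumably reads EOF or waits on stdin, so `run: sudo add-apt-repository -y ppa:${{ matrix.platform.ppa }}` makes the intent explicit. Expanding `${{ }}` straight into the shell line is acceptable here only because `ppa` comes from the matrix in this file and not from event data; if the matrix is ever fed from elsewhere, pass the value through `env:` instead. The `apt-get update` in the following step does refresh the lists after the repository is added.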
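Review bot: The `run:` value of the new `Set OpenSSL caps environment` step is a plain multi-line scalar, and YAML folds its line break into a single space, so the trailing `\` is handed to the shell inside the double quotes; as far as I can tell from the hunk, the line appended to `$GITHUB_ENV` then reads `OPENSSL_<name>=\ <caps>` rather than `OPENSSL_<name>=<caps>`. Keeping the command on one line, `run: echo "OPENSSL_${{ matrix.platform.opensslcapsname }}=${{ matrix.platform.opensslcaps }}" >> $GITHUB_ENV`, removes the stray backslash; a `>-` block scalar is the alternative if line length matters. None of the platform entries visible in this diff sets `opensslcapsname`, so the step has not been exercised by this change and the defect would only surface once one does.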
@@ -0,0 +1,94 @@ +# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +name: Provider compat +on: [push] + +jobs: + fips-provider-30: + runs-on: ubuntu-latest + steps: + - name: create build dirs + run: | + mkdir ./build + mkdir ./build-3.0 + mkdir ./source + mkdir ./source-3.0 + - uses: actions/checkout@v2 + with: + path: source + - name: config current + run: ../source/config enable-shared enable-fips + working-directory: ./build + - name: config dump + run: ./configdata.pm --dump + working-directory: ./build + - name: make + run: make -s -j4 + working-directory: ./build + - uses: actions/checkout@v2 + with: + repository: openssl/openssl + ref: openssl-3.0 + path: source-3.0 + - name: config 3.0 + run: ../source-3.0/config enable-shared enable-fips + working-directory: ./build-3.0 + - name: config 3.0 dump + run: ./configdata.pm --dump + working-directory: ./build-3.0 + - name: make fips provider + run: make -s -j4 build_modules + working-directory: ./build-3.0 + - name: copy the provider + run: | + cp -a build-3.0/providers/fips.so build/providers/fips.so + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + working-directory: ./build + + fips-provider-master: + runs-on: ubuntu-latest + steps: + - name: create build dirs + run: | + mkdir ./build + mkdir ./build-3.0 + mkdir ./source + mkdir ./source-3.0 + - uses: actions/checkout@v2 + with: + repository: openssl/openssl + ref: openssl-3.0 + path: source-3.0 + - name: config 3.0 + run: ../source-3.0/config enable-shared enable-fips + working-directory: ./build-3.0 + - name: config 3.0 dump + run: ./configdata.pm --dump + working-directory: ./build-3.0 + - name: make 3.0 + run: make -s -j4 + working-directory: ./build-3.0 + - uses: 
actions/checkout@v2 + with: + path: source + - name: config current + run: ../source/config enable-shared enable-fips + working-directory: ./build + - name: config dump + run: ./configdata.pm --dump + working-directory: ./build + - name: make fips provider + run: make -s -j4 build_modules + working-directory: ./build + - name: copy the provider + run: | + cp -a build/providers/fips.so build-3.0/providers/fips.so + - name: make test 3.0 + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + working-directory: ./build-3.0 diff --git a/.gitignore b/.gitignore index 4f5857df8..ae3b0ac58 100644 --- a/.gitignore +++ b/.gitignore @@ -102,6 +102,7 @@ providers/common/include/prov/der_sm2.h /test/evp_extra_test2 /test/evp_pkey_ctx_new_from_name /test/threadstest_fips +/test/timing_load_creds # Certain files that get created by tests on the fly /test-runs diff --git a/.gitmodules b/.gitmodules index 35f803a99..6531705b2 100644 --- a/.gitmodules +++ b/.gitmodules @@ -13,3 +13,15 @@ [submodule "wycheproof"] path = wycheproof url = https://github.com/google/wycheproof +[submodule "tlsfuzzer"] + path = tlsfuzzer + url = https://github.com/tlsfuzzer/tlsfuzzer +[submodule "python-ecdsa"] + path = python-ecdsa + url = https://github.com/tlsfuzzer/python-ecdsa +[submodule "tlslite-ng"] + path = tlslite-ng + url = https://github.com/tlsfuzzer/tlslite-ng +[submodule "oqs-provider"] + path = oqs-provider + url = https://github.com/open-quantum-safe/oqs-provider.git diff --git a/ACKNOWLEDGEMENTS.md b/ACKNOWLEDGEMENTS.md index a4dab0c4f..10178d7ca 100644 --- a/ACKNOWLEDGEMENTS.md +++ b/ACKNOWLEDGEMENTS.md @@ -1,5 +1,5 @@ -Acknowlegements -=============== +Acknowledgements +================ Please see our [Thanks!][] page for the current acknowledgements. diff --git a/CHANGES.md b/CHANGES.md index 7cdd9d974..762f42e2c 100644 --- a/CHANGES.md +++ b/CHANGES.md 
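Review bot: The new workflow declares no `permissions:` block, so both jobs run with the repository's default GITHUB_TOKEN scope although they only read the checkout; adding `permissions:` with `  contents: read` after `on: [push]` limits what a compromised step could do with the token. Every `uses: actions/checkout@v2` reference points at a movable tag; pinning to a full commit SHA, with the tag in a trailing comment, makes the fetched action reproducible. The copyright header says 2022 while the sibling workflow touched by this commit is bumped to 2023. The two jobs also mirror each other step for step with `build` and `build-3.0` swapped, which a matrix over the two directions would express once; that is a style choice rather than a defect.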
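Review bot: The `oqs-provider` entry gives its URL with a `.git` suffix while the three tlsfuzzer entries added alongside it and the existing wycheproof entry omit it; `url = https://github.com/open-quantum-safe/oqs-provider` keeps the new entries uniform. Which commit each new submodule is pinned to is recorded in the gitlink entries rather than in this file, so the pins cannot be reviewed from this hunk.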
@@ -10,6 +10,7 @@ pick the appropriate release branch. OpenSSL Releases ---------------- + - [OpenSSL 3.1](#openssl-31) - [OpenSSL 3.0](#openssl-30) - [OpenSSL 1.1.1](#openssl-111) - [OpenSSL 1.1.0](#openssl-110) 
@@ -18,6 +19,87 @@ OpenSSL Releases - [OpenSSL 1.0.0](#openssl-100) - [OpenSSL 0.9.x](#openssl-09x) +OpenSSL 3.1 +----------- + +### Changes between 3.0 and 3.1.0 [14 Mar 2023] + + * Add FIPS provider configuration option to enforce the + Extended Master Secret (EMS) check during the TLS1_PRF KDF. + The option '-ems-check' can optionally be supplied to + 'openssl fipsinstall'. + + *Shane Lontis* + + * The FIPS provider includes a few non-approved algorithms for + backward compatibility purposes and the "fips=yes" property query + must be used for all algorithm fetches to ensure FIPS compliance. + + The algorithms that are included but not approved are Triple DES ECB, + Triple DES CBC and EdDSA. + + *Paul Dale* + + * Added support for KMAC in KBKDF. + + *Shane Lontis* + + * RNDR and RNDRRS support in provider functions to provide + random number generation for Arm CPUs (aarch64). + + *Orr Toledano* + + * s_client and s_server apps now explicitly say when the TLS version + does not include the renegotiation mechanism. This avoids confusion + between that scenario versus when the TLS version includes secure + renegotiation but the peer lacks support for it. + + *Felipe Gasper* + + * AES-GCM enabled with AVX512 vAES and vPCLMULQDQ. + + *Tomasz Kantecki, Andrey Matyukov* + + * The various OBJ_* functions have been made thread safe. + + *Paul Dale* + + * Parallel dual-prime 1536/2048-bit modular exponentiation for + AVX512_IFMA capable processors. + + *Sergey Kirillov, Andrey Matyukov (Intel Corp)* + + * The functions `OPENSSL_LH_stats`, `OPENSSL_LH_node_stats`, + `OPENSSL_LH_node_usage_stats`, `OPENSSL_LH_stats_bio`, + `OPENSSL_LH_node_stats_bio` and `OPENSSL_LH_node_usage_stats_bio` are now + marked deprecated from OpenSSL 3.1 onwards and can be disabled by defining + `OPENSSL_NO_DEPRECATED_3_1`. 
+ + The macro `DEFINE_LHASH_OF` is now deprecated in favour of the macro + `DEFINE_LHASH_OF_EX`, which omits the corresponding type-specific function + definitions for these functions regardless of whether + `OPENSSL_NO_DEPRECATED_3_1` is defined. + + Users of `DEFINE_LHASH_OF` may start receiving deprecation warnings for these + functions regardless of whether they are using them. It is recommended that + users transition to the new macro, `DEFINE_LHASH_OF_EX`. + + *Hugo Landau* + + * When generating safe-prime DH parameters set the recommended private key + length equivalent to minimum key lengths as in RFC 7919. + + *Tomáš Mráz* + + * Change the default salt length for PKCS#1 RSASSA-PSS signatures to the + maximum size that is smaller or equal to the digest length to comply with + FIPS 186-4 section 5. This is implemented by a new option + `OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX` ("auto-digestmax") for the + `rsa_pss_saltlen` parameter, which is now the default. Signature + verification is not affected by this change and continues to work as before. + + *Clemens Lang* + OpenSSL 3.0 ----------- 
@@ -191,6 +273,24 @@ breaking changes, and mappings for the large list of deprecated functions. *Nicola Tuveri* + * Fixed a type confusion vulnerability relating to X.400 address processing + inside an X.509 GeneralName. X.400 addresses were parsed as an `ASN1_STRING` + but subsequently interpreted by `GENERAL_NAME_cmp` as an `ASN1_TYPE`. This + vulnerability may allow an attacker who can provide a certificate chain and + CRL (neither of which need have a valid signature) to pass arbitrary pointers + to a `memcmp` call, creating a possible read primitive, subject to some + constraints. Refer to the advisory for more information. Thanks to David + Benjamin for discovering this issue. ([CVE-2023-0286]) + + This issue has been fixed by changing the public header file definition of + `GENERAL_NAME` so that `x400Address` reflects the implementation. It was not + possible for any existing application to successfully use the existing + definition; however, if any application references the `x400Address` field + (e.g. in dead code), note that the type of this field has changed. There is + no ABI change. + + *Hugo Landau* + ### Changes between 3.0.6 and 3.0.7 [1 Nov 2022] * Fixed two buffer overflows in punycode decoding functions. @@ -497,7 +597,7 @@ breaking changes, and mappings for the large list of deprecated functions. *Matt Caswell* * Fix a bug in the OPENSSL_LH_flush() function that breaks reuse of the memory - occuppied by the removed hash table entries. + occupied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will 
@@ -694,7 +794,7 @@ breaking changes, and mappings for the large list of deprecated functions. * The EVP_get_cipherbyname() function will return NULL for algorithms such as "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were - previously only accessible via low level interfaces. Use EVP_CIPHER_fetch() + previously only accessible via low-level interfaces. Use EVP_CIPHER_fetch() instead to retrieve these algorithms from a provider. *Shane Lontis* @@ -1041,7 +1141,7 @@ breaking changes, and mappings for the large list of deprecated functions. *David von Oheimb* - * All of the low level EC_KEY functions have been deprecated. + * All of the low-level EC_KEY functions have been deprecated. *Shane Lontis, Paul Dale, Richard Levitte, and Tomáš Mráz* @@ -1322,7 +1422,7 @@ breaking changes, and mappings for the large list of deprecated functions. *David von Oheimb* - * All of the low level RSA functions have been deprecated. + * All of the low-level RSA functions have been deprecated. *Paul Dale* @@ -1347,11 +1447,11 @@ breaking changes, and mappings for the large list of deprecated functions. *Paul Dale* - * All of the low level DH functions have been deprecated. + * All of the low-level DH functions have been deprecated. *Paul Dale and Matt Caswell* - * All of the low level DSA functions have been deprecated. + * All of the low-level DSA functions have been deprecated. *Paul Dale* @@ -1360,7 +1460,7 @@ breaking changes, and mappings for the large list of deprecated functions. *Richard Levitte* - * Deprecated low level ECDH and ECDSA functions. + * Deprecated low-level ECDH and ECDSA functions. *Paul Dale* @@ -1379,7 +1479,7 @@ breaking changes, and mappings for the large list of deprecated functions. *Paul Dale* - * All of the low level HMAC functions have been deprecated. + * All of the low-level HMAC functions have been deprecated. *Paul Dale and David von Oheimb* 
@@ -1395,7 +1495,7 @@ breaking changes, and mappings for the large list of deprecated functions. *Rich Salz* - * All of the low level CMAC functions have been deprecated. + * All of the low-level CMAC functions have been deprecated. *Paul Dale* @@ -1414,7 +1514,7 @@ breaking changes, and mappings for the large list of deprecated functions. *Richard Levitte* - * All of the low level cipher functions have been deprecated. + * All of the low-level cipher functions have been deprecated. *Matt Caswell and Paul Dale* @@ -1684,7 +1784,7 @@ breaking changes, and mappings for the large list of deprecated functions. used and the recipient will not notice the attack. As a work around for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the - certifiate is not given and all recipientInfo are tried out. + certificate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. @@ -1704,7 +1804,7 @@ breaking changes, and mappings for the large list of deprecated functions. when primes for RSA keys are computed. Since we previously always generated primes == 2 (mod 3) for RSA keys, the 2-prime and 3-prime RSA modules were easy to distinguish, since - `N = p*q = 1 (mod 3)`, but `N = p*q*r = 2 (mod 3)`. Therefore fingerprinting + `N = p*q = 1 (mod 3)`, but `N = p*q*r = 2 (mod 3)`. Therefore, fingerprinting 2-prime vs. 3-prime RSA keys was possible by computing N mod 3. This avoids possible fingerprinting of newly generated RSA modules. 
@@ -2123,7 +2223,7 @@ OpenSSL 1.1.1 ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which - are repesented as a buffer for the string data which is terminated + are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using @@ -2211,7 +2311,7 @@ OpenSSL 1.1.1 * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data - contained within an X509 certificate. However it was failing to correctly + contained within an X509 certificate. However, it was failing to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of @@ -2229,7 +2329,7 @@ OpenSSL 1.1.1 Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some - cases where the input length is close to the maximum permissable length for + cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. 
@@ -2331,7 +2431,7 @@ OpenSSL 1.1.1 when primes for RSA keys are computed. Since we previously always generated primes == 2 (mod 3) for RSA keys, the 2-prime and 3-prime RSA modules were easy to distinguish, since - N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting + N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore, fingerprinting 2-prime vs. 3-prime RSA keys was possible by computing N mod 3. This avoids possible fingerprinting of newly generated RSA modules. @@ -2390,7 +2490,7 @@ OpenSSL 1.1.1 * Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child - processes did not share the same RNG state. However this protection was not + processes did not share the same RNG state. However, this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high @@ -2432,7 +2532,7 @@ OpenSSL 1.1.1 used and the recipient will not notice the attack. As a work around for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the - certifiate is not given and all recipientInfo are tried out. + certificate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. ([CVE-2019-1563]) @@ -3202,7 +3302,7 @@ OpenSSL 1.1.0 used and the recipient will not notice the attack. As a work around for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the - certifiate is not given and all recipientInfo are tried out. + certificate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. ([CVE-2019-1563]) 
@@ -3437,7 +3537,7 @@ OpenSSL 1.1.0 OpenSSL 1.0.2 and below had the ability to disable renegotiation using the (undocumented) SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. Due to the opacity - changes this is no longer possible in 1.1.0. Therefore the new + changes this is no longer possible in 1.1.0. Therefore, the new SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to 1.1.0 to provide equivalent functionality. @@ -3528,7 +3628,7 @@ OpenSSL 1.1.0 During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then - this can cause OpenSSL to crash (dependant on ciphersuite). Both clients + this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected. This issue was reported to OpenSSL by Joe Orton (Red Hat). @@ -3700,7 +3800,7 @@ OpenSSL 1.1.0 place, and this would cause the connection to immediately fail. Assuming that the application calls SSL_free() on the failed connection in a timely manner then the 21Mb of allocated memory will then be immediately freed - again. Therefore the excessive memory allocation will be transitory in + again. Therefore, the excessive memory allocation will be transitory in nature. This then means that there is only a security impact if: 1) The application does not call SSL_free() in a timely manner in the event @@ -4467,7 +4567,7 @@ OpenSSL 1.1.0 * Given the pervasive nature of TLS extensions it is inadvisable to run OpenSSL without support for them. It also means that maintaining the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably - not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed. + not well tested). Therefore, the OPENSSL_NO_TLSEXT option has been removed. *Matt Caswell* 
@@ -4545,7 +4645,7 @@ OpenSSL 1.1.0 *Matt Caswell* - * SSLv2 support has been removed. It still supports receiving a SSLv2 + * SSLv2 support has been removed. It still supports receiving an SSLv2 compatible client hello. *Kurt Roeckx* @@ -4999,7 +5099,7 @@ OpenSSL 1.0.2 used and the recipient will not notice the attack. As a work around for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the - certifiate is not given and all recipientInfo are tried out. + certificate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. ([CVE-2019-1563]) @@ -5475,8 +5575,8 @@ OpenSSL 1.0.2 has been completed. An attacker could force up to approx. 15 messages to remain in the buffer when they are no longer required. These messages will be cleared when the DTLS connection is closed. The default maximum size for - a message is 100k. Therefore the attacker could force an additional 1500k - to be consumed per connection. By opening many simulataneous connections an + a message is 100k. Therefore, the attacker could force an additional 1500k + to be consumed per connection. By opening many simultaneous connections an attacker could cause a DoS attack through memory exhaustion. This issue was reported to OpenSSL by Quan Luo. @@ -6640,7 +6740,7 @@ OpenSSL 1.0.1 message). The rules of C pointer arithmetic are such that "p + len" is only well - defined where len <= SIZE. Therefore the above idiom is actually + defined where len <= SIZE. Therefore, the above idiom is actually undefined behaviour. For example this could cause problems if some malloc implementation 
@@ -6676,8 +6776,8 @@ OpenSSL 1.0.1 has been completed. An attacker could force up to approx. 15 messages to remain in the buffer when they are no longer required. These messages will be cleared when the DTLS connection is closed. The default maximum size for - a message is 100k. Therefore the attacker could force an additional 1500k - to be consumed per connection. By opening many simulataneous connections an + a message is 100k. Therefore, the attacker could force an additional 1500k + to be consumed per connection. By opening many simultaneous connections an attacker could cause a DoS attack through memory exhaustion. This issue was reported to OpenSSL by Quan Luo. @@ -6743,7 +6843,7 @@ OpenSSL 1.0.1 amounts of input data then a length check can overflow resulting in a heap corruption. - Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by + Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by the `PEM_write_bio*` family of functions. These are mainly used within the OpenSSL command line applications, so any application which processes data from an untrusted source and outputs it as a PEM file should be considered @@ -7409,7 +7509,7 @@ OpenSSL 1.0.1 * Build option no-ssl3 is incomplete. When OpenSSL is configured with "no-ssl3" as a build option, servers - could accept and complete a SSL 3.0 handshake, and clients could be + could accept and complete an SSL 3.0 handshake, and clients could be configured to send them. ([CVE-2014-3568]) @@ -8426,7 +8526,7 @@ OpenSSL 1.0.0 * Build option no-ssl3 is incomplete. When OpenSSL is configured with "no-ssl3" as a build option, servers - could accept and complete a SSL 3.0 handshake, and clients could be + could accept and complete an SSL 3.0 handshake, and clients could be configured to send them. ([CVE-2014-3568]) 
@@ -9675,7 +9775,7 @@ OpenSSL 1.0.1.] * Add initial support for TLS extensions, specifically for the server_name extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now - have new members for a host name. The SSL data structure has an + have new members for a hostname. The SSL data structure has an additional member `SSL_CTX *initial_ctx` so that new sessions can be stored in that context to allow for session resumption, even after the SSL has been switched to a new SSL_CTX in reaction to a client's @@ -9699,7 +9799,7 @@ OpenSSL 1.0.1.] openssl s_server has new options '-servername_host ...', '-cert2 ...', '-key2 ...', '-servername_fatal' (subject to change). This allows - testing the HostName extension for a specific single host name ('-cert' + testing the HostName extension for a specific single hostname ('-cert' and '-key' remain fallbacks for handshakes without HostName negotiation). If the unrecognized_name alert has to be sent, this by default is a warning; it becomes fatal with the '-servername_fatal' @@ -10202,7 +10302,7 @@ OpenSSL 0.9.x The OpenSSL project does not recommend any specific CA and does not have any policy with respect to including or excluding any CA. - Therefore it does not make any sense to ship an arbitrary selection + Therefore, it does not make any sense to ship an arbitrary selection of root CA certificates with the OpenSSL software. *Lutz Jaenicke* @@ -10382,7 +10482,7 @@ OpenSSL 0.9.x * Add initial support for TLS extensions, specifically for the server_name extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now - have new members for a host name. The SSL data structure has an + have new members for a hostname. The SSL data structure has an additional member `SSL_CTX *initial_ctx` so that new sessions can be stored in that context to allow for session resumption, even after the SSL has been switched to a new SSL_CTX in reaction to a client's 
@@ -10406,7 +10506,7 @@ OpenSSL 0.9.x openssl s_server has new options '-servername_host ...', '-cert2 ...', '-key2 ...', '-servername_fatal' (subject to change). This allows - testing the HostName extension for a specific single host name ('-cert' + testing the HostName extension for a specific single hostname ('-cert' and '-key' remain fallbacks for handshakes without HostName negotiation). If the unrecognized_name alert has to be sent, this by default is a warning; it becomes fatal with the '-servername_fatal' @@ -19588,7 +19688,7 @@ ndif [CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203 [CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 -[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 +[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097 [CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971 [CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967 [CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563 diff --git a/CODE-OF-CONDUCT.md b/CODE-OF-CONDUCT.md new file mode 100644 index 000000000..a5ba2ae6d --- /dev/null +++ b/CODE-OF-CONDUCT.md @@ -0,0 +1,6 @@ +Code of Conduct +=============== + +The OpenSSL [Code of Conduct] is published on the project's website. + +[Code of Conduct]: https://www.openssl.org/community/conduct.html diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index efb4be871..13a5d6369 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -14,7 +14,7 @@ To request new features or report bugs, please open an issue on GitHub To submit a patch, please open a pull request on GitHub. If you are thinking of making a large contribution, open an issue for it before starting work, to get comments from the community. Someone may be already working on -the same thing or there may be reasons why that feature isn't implemented. +the same thing, or there may be reasons why that feature isn't implemented. To make it easier to review and accept your pull request, please follow these guidelines: @@ -54,7 +54,7 @@ guidelines: (usually by rebasing) before it will be acceptable. 4. Patches should follow our [coding style] and compile without warnings. - Where `gcc` or `clang` is available you should use the + Where `gcc` or `clang` is available, you should use the `--strict-warnings` `Configure` option. OpenSSL compiles on many varied platforms: try to ensure you only use portable features. Clean builds via GitHub Actions and AppVeyor are required, and they are started automatically diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index b578a3c2a..8f8ac3228 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -317,7 +317,7 @@ my %targets = ( ex_libs => add(threads("-pthread")), bn_ops => "BN_LLONG RC4_CHAR", shared_cflag => "-fPIC", - shared_ldflag => add_before("-shared"), + shared_ldflag => add_before("-shared -static-libgcc"), }, "solaris-sparcv8-gcc" => { inherit_from => [ "solaris-sparcv7-gcc" ], 
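Review bot: `-static-libgcc` is added to `shared_ldflag` of a solaris gcc target without a comment on why its shared libraries should stop depending on libgcc_s, and `solaris-sparcv8-gcc` (plus anything else inheriting from it) picks the flag up silently; a one-line comment above the key, e.g. `# -static-libgcc: <reason this target needs it — fill in>`, would record the motivation next to the flag. The target's opening line is before this hunk.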
@@ -811,11 +811,18 @@ my %targets = ( multilib => "64", }, - # riscv64 below refers to contemporary RISCV Architecture + # riscv below refers to contemporary RISCV Architecture # specifications, "linux64-riscv64" => { inherit_from => [ "linux-generic64"], perlasm_scheme => "linux64", + asm_arch => 'riscv64', + }, + + "linux32-riscv32" => { + inherit_from => [ "linux-generic32"], + perlasm_scheme => "linux32", + asm_arch => 'riscv32', }, # loongarch64 below refers to contemporary LoongArch Architecture @@ -823,6 +830,7 @@ my %targets = ( "linux64-loongarch64" => { inherit_from => [ "linux-generic64"], perlasm_scheme => "linux64", + asm_arch => 'loongarch64', }, #### IA-32 targets... 
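Review bot: The new `linux32-riscv32` entry writes `inherit_from => [ "linux-generic32"],` with no space before the closing bracket, copied from the existing riscv64 entry, whereas the other targets in this file (including the `BSD-ppc*` entries this commit adds) write `[ "linux-generic32" ]`; `inherit_from => [ "linux-generic32" ],` matches the file. The same spacing is carried into `BSD-riscv64` and `BSD-riscv32` in the later hunk of this file.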
@@ -1077,11 +1085,80 @@ my %targets = ( perlasm_scheme => "linux64", }, - # riscv64 below refers to contemporary RISCV Architecture + "BSD-ppc" => { + inherit_from => [ "BSD-generic32" ], + asm_arch => 'ppc32', + perlasm_scheme => "linux32", + lib_cppflags => add("-DB_ENDIAN"), + }, + + "BSD-ppc64" => { + inherit_from => [ "BSD-generic64" ], + cflags => add("-m64"), + cxxflags => add("-m64"), + lib_cppflags => add("-DB_ENDIAN"), + asm_arch => 'ppc64', + perlasm_scheme => "linux64", + }, + + "BSD-ppc64le" => { + inherit_from => [ "BSD-generic64" ], + cflags => add("-m64"), + cxxflags => add("-m64"), + lib_cppflags => add("-DL_ENDIAN"), + asm_arch => 'ppc64', + perlasm_scheme => "linux64le", + }, + + # riscv below refers to contemporary RISCV Architecture # specifications, "BSD-riscv64" => { inherit_from => [ "BSD-generic64"], perlasm_scheme => "linux64", + asm_arch => 'riscv64', + }, + + "BSD-riscv32" => { + inherit_from => [ "BSD-generic32"], + perlasm_scheme => "linux32", + asm_arch => 'riscv32', + }, + + "BSD-armv4" => { + ################################################################ + # Note that -march is not among compiler options in linux-armv4 + # target description. Not specifying one is intentional to give + # you choice to: + # + # a) rely on your compiler default by not specifying one; + # b) specify your target platform explicitly for optimal + # performance, e.g. -march=armv6 or -march=armv7-a; + # c) build "universal" binary that targets *range* of platforms + # by specifying minimum and maximum supported architecture; + # + # As for c) option. It actually makes no sense to specify + # maximum to be less than ARMv7, because it's the least + # requirement for run-time switch between platform-specific + # code paths. And without run-time switch performance would be + # equivalent to one for minimum. Secondly, there are some + # natural limitations that you'd have to accept and respect. 
+ # Most notably you can *not* build "universal" binary for + # big-endian platform. This is because ARMv7 processor always + # picks instructions in little-endian order. Another similar + # limitation is that -mthumb can't "cross" -march=armv6t2 + # boundary, because that's where it became Thumb-2. Well, this + # limitation is a bit artificial, because it's not really + # impossible, but it's deemed too tricky to support. And of + # course you have to be sure that your binutils are actually + # up to the task of handling maximum target platform. With all + # this in mind here is an example of how to configure + # "universal" build: + # + # ./Configure BSD-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8 + # + inherit_from => [ "BSD-generic32" ], + asm_arch => 'armv4', + perlasm_scheme => "linux32", }, "bsdi-elf-gcc" => { diff --git a/Configurations/50-nonstop.conf b/Configurations/50-nonstop.conf index ed3fe828b..50c37f3de 100644 --- a/Configurations/50-nonstop.conf +++ b/Configurations/50-nonstop.conf @@ -58,7 +58,7 @@ # Itanium + guardian: 'nonstop-archenv-itanium-guardian' => { template => 1, - defines => ['NO_GETPID', '_TANDEM_ARCH=2'], + defines => ['NO_GETPID'], cflags => '-Wtarget=tns/e -Wsystype=guardian', lflags => '-Weld="-set systype guardian"', shared_ldflag => '-Wshared -Weld="-soname $(@:lib%.so=%)"', @@ -69,7 +69,7 @@ # x86 + guardian: 'nonstop-archenv-x86_64-guardian' => { template => 1, - defines => ['NO_GETPID', '_TANDEM_ARCH=3'], + defines => ['NO_GETPID'], cflags => '-Wtarget=tns/x -Wsystype=guardian', lflags => '-Wxld="-set systype guardian"', shared_ldflag => '-Wshared -Wxld="-soname $(@:lib%.so=%)"', @@ -89,7 +89,6 @@ # Itanium + oss: 'nonstop-archenv-itanium-oss' => { template => 1, - defines => ['_TANDEM_ARCH=2'], cflags => '-Wtarget=tns/e -Wsystype=oss', lflags => '-Weld="-set systype oss"', shared_ldflag => '-Wshared', 
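Review bot: The long explanatory comment added to the new BSD-armv4 entry is the linux-armv4 text copied verbatim, so it tells the reader that `-march is not among compiler options in linux-armv4 target description` while they are looking at BSD-armv4; only the example `./Configure BSD-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8` was adapted. Suggest rewording the opening sentence to `# Note that -march is not among compiler options in this BSD-armv4 target (same as linux-armv4).`, or replacing the duplicated block with a one-line pointer to the linux-armv4 comment so the two copies cannot drift apart silently. The same applies to any future edits of the ARMv7 / __ARM_MAX_ARCH__ guidance, which now lives in two places. The surrounding %targets hash begins and ends outside this hunk.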
@@ -99,7 +98,6 @@
 # x86_64 + oss:
 'nonstop-archenv-x86_64-oss' => {
 template => 1,
- defines => ['_TANDEM_ARCH=3'],
 cflags => '-Wtarget=tns/x -Wsystype=oss',
 lflags => '-Wxld="-set systype oss"',
 shared_ldflag => '-Wshared',
diff --git a/Configurations/50-win-clang-cl.conf b/Configurations/50-win-clang-cl.conf
new file mode 100644
index 000000000..cfc96ef15
--- /dev/null
+++ b/Configurations/50-win-clang-cl.conf
@@ -0,0 +1,35 @@
+## -*- mode: perl; -*-
+# Windows on Arm clang-cl targets.
+#
+
+my %targets = (
+ "VC-WIN64-CLANGASM-ARM" => {
+ inherit_from => [ "VC-noCE-common" ],
+ defines => add("_ARM_WINAPI_PARTITION_DESKTOP_SDK_AVAILABLE",
+ "OPENSSL_SYS_WIN_CORE"),
+ bn_ops => "SIXTY_FOUR_BIT RC4_CHAR",
+ multilib => "-arm64",
+ asm_arch => "aarch64",
+ AS => "clang-cl.exe",
+ ASFLAGS => "/nologo /Zi",
+ asflags => "/c",
+ asoutflag => "/Fo",
+ perlasm_scheme => "win64",
+ uplink_arch => 'armv8',
+ },
+ "VC-CLANG-WIN64-CLANGASM-ARM" => {
+ CC => "clang-cl",
+ inherit_from => [ "VC-noCE-common" ],
+ defines => add("_ARM_WINAPI_PARTITION_DESKTOP_SDK_AVAILABLE",
+ "OPENSSL_SYS_WIN_CORE"),
+ bn_ops => "SIXTY_FOUR_BIT RC4_CHAR",
+ multilib => "-arm64",
+ asm_arch => "aarch64",
+ AS => "clang-cl.exe",
+ ASFLAGS => "/nologo /Zi",
+ asflags => "/c",
+ asoutflag => "/Fo",
+ perlasm_scheme => "win64",
+ uplink_arch => 'armv8',
+ },
+);
diff --git a/Configurations/90-team.norelease.conf b/Configurations/90-team.norelease.conf
deleted file mode 100644
index c0a14328c..000000000
--- a/Configurations/90-team.norelease.conf
+++ /dev/null
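Review bot: VC-CLANG-WIN64-CLANGASM-ARM in the new 50-win-clang-cl.conf repeats every key of VC-WIN64-CLANGASM-ARM and differs only in `CC => "clang-cl"`, so the two entries will drift the next time a define, bn_ops or assembler flag is touched in one of them. The file already uses inherit_from for VC-noCE-common, and this tree inherits from concrete targets elsewhere (solaris-sparcv8-gcc inherits solaris-sparcv7-gcc), so the second entry can shrink to `inherit_from => [ "VC-WIN64-CLANGASM-ARM" ],` followed by `CC => "clang-cl",` and nothing else. A short comment that the first target only assembles with clang-cl while compiling with the default cl, and the second uses clang-cl for both, would also help, since the header line says no more than "clang-cl targets".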
@@ -1,94 +0,0 @@ -## -*- mode: perl; -*- -## Build configuration targets for openssl-team members - -my %targets = ( - "purify" => { - inherit_from => [ 'BASE_unix' ], - cc => "purify gcc", - CFLAGS => "-g -Wall", - thread_scheme => "(unknown)", - ex_libs => add(" ","-lsocket -lnsl"), - }, - "debug" => { - inherit_from => [ 'BASE_unix' ], - cc => "gcc", - cflags => combine(join(' ', @gcc_devteam_warn), - "-DOPENSSL_NO_ASM -ggdb -g2" - . " -DBN_DEBUG -DBN_RAND_DEBUG" - ), - thread_scheme => "(unknown)", - }, - "debug-erbridge" => { - inherit_from => [ 'BASE_unix', "x86_64_asm" ], - cc => "gcc", - cflags => combine(join(' ', @gcc_devteam_warn), - "-m64 -DL_ENDIAN -DTERMIO -g", - threads("-D_REENTRANT")), - ex_libs => add(" ","-ldl"), - bn_ops => "SIXTY_FOUR_BIT_LONG", - thread_scheme => "pthreads", - asm_arch => 'x86_64', - perlasm_scheme => "elf", - dso_scheme => "dlfcn", - shared_target => "linux-shared", - shared_cflag => "-fPIC", - shared_ldflag => "-m64", - multilib => "64", - }, - "debug-linux-pentium" => { - inherit_from => [ 'BASE_unix', "x86_elf_asm" ], - cc => "gcc", - cflags => combine("-DL_ENDIAN -g -mcpu=pentium -Wall", - threads("-D_REENTRANT")), - ex_libs => add(" ","-ldl"), - bn_ops => "BN_LLONG", - asm_arch => 'x86', - perlasm_scheme => 'elf', - thread_scheme => "pthreads", - dso_scheme => "dlfcn", - }, - "debug-linux-ppro" => { - inherit_from => [ 'BASE_unix', "x86_elf_asm" ], - cc => "gcc", - cflags => combine("-DL_ENDIAN -g -mcpu=pentiumpro -Wall", - threads("-D_REENTRANT")), - ex_libs => add(" ","-ldl"), - bn_ops => "BN_LLONG", - asm_arch => 'x86', - perlasm_scheme => 'elf', - thread_scheme => "pthreads", - dso_scheme => "dlfcn", - }, - "debug-test-64-clang" => { - inherit_from => [ 'BASE_unix', "x86_64_asm" ], - cc => "clang", - cflags => combine(join(' ', @gcc_devteam_warn), - "-Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -g3 
-O3 -pipe", - threads("${BSDthreads}")), - bn_ops => "SIXTY_FOUR_BIT_LONG", - thread_scheme => "pthreads", - asm_arch => 'x86_64', - perlasm_scheme => "elf", - dso_scheme => "dlfcn", - shared_target => "bsd-gcc-shared", - shared_cflag => "-fPIC", - }, - "darwin64-debug-test-64-clang" => { - inherit_from => [ 'BASE_unix', "x86_64_asm" ], - cc => "clang", - cflags => combine("-arch x86_64 -DL_ENDIAN", - join(' ', @gcc_devteam_warn), - "-Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -g3 -O3 -pipe", - threads("${BSDthreads}")), - sys_id => "MACOSX", - bn_ops => "SIXTY_FOUR_BIT_LONG", - thread_scheme => "pthreads", - asm_arch => 'x86_64', - perlasm_scheme => "macosx", - dso_scheme => "dlfcn", - shared_target => "darwin-shared", - shared_cflag => "-fPIC -fno-common", - shared_ldflag => "-arch x86_64 -dynamiclib", - shared_extension => ".\$(SHLIB_VERSION_NUMBER).dylib", - }, -); diff --git a/Configurations/README.md b/Configurations/README.md index be8c394d0..53f2277f8 100644 --- a/Configurations/README.md +++ b/Configurations/README.md @@ -145,7 +145,7 @@ In each table entry, the following keys are significant: would then be 'OPENSSL_ABC_' rather than the default 'OPENSSL_'. The string inserted into symbol versions is obtained by mapping all - letters in the "variant" identifier to upper case + letters in the "variant" identifier to uppercase and all non-alphanumeric characters to '_'. thread_scheme => The type of threads is used on the @@ -555,7 +555,7 @@ They are all expected to return a string with the lines they produce. obj2lib(lib => "PATH/TO/libfile", objs => [ "PATH/TO/objectfile", ... ]); - 'lib' has the intended library file name *without* + 'lib' has the intended library filename *without* extension, obj2lib is expected to add that. 'objs' has the list of object files to build this library. 
@@ -578,7 +578,7 @@ They are all expected to return a string with the lines they produce. objs => [ "PATH/TO/objectfile", ... ], deps => [ "PATH/TO/otherlibfile", ... ]); - 'lib' has the base (static) library ffile name + 'lib' has the base (static) library filename *without* extension. This is useful in case supporting files are needed (such as import libraries on Windows). @@ -611,7 +611,7 @@ They are all expected to return a string with the lines they produce. objs => [ "PATH/TO/objectfile", ... ], deps => [ "PATH/TO/libfile", ... ]); - 'bin' has the intended executable file name + 'bin' has the intended executable filename *without* extension, obj2bin is expected to add that. 'objs' has the list of object files to build this library. 'deps' has the list of library files @@ -626,7 +626,7 @@ They are all expected to return a string with the lines they produce. in2script(script => "PATH/TO/scriptfile", sources => [ "PATH/TO/infile", ... ]); - 'script' has the intended script file name. + 'script' has the intended script filename. 'sources' has the list of source files to build the resulting script from. diff --git a/Configurations/descrip.mms.tmpl b/Configurations/descrip.mms.tmpl index d4a1792ec..ed8646e9f 100644 --- a/Configurations/descrip.mms.tmpl +++ b/Configurations/descrip.mms.tmpl 
@@ -1242,16 +1242,28 @@ EOF # previous line's file spec as default, so if no directory spec # is present in the current line and the previous line has one that # doesn't apply, you're in for a surprise. + # Furthermore, we collect all object files and static libraries in + # an explicit cluster, to make it clear to the linker that these files + # shall be processed before shareable images. + # The shareable images are used with /SELECTIVE, to avoid warnings of + # multiply defined symbols when the module object files override some + # symbols that are present in the shareable image. my $write_opt1 = - join(",-\"\n\t", map { my $x = $_ =~ /\[/ ? $_ : "[]".$_; - "WRITE OPT_FILE \"$x" } @objs). - "\""; + join(",-\"\n\t", + "\@ WRITE OPT_FILE \"CLUSTER=_,,", + (map { my $x = $_ =~ /\[/ ? $_ : "[]".$_; + "\@ WRITE OPT_FILE \"$x" } @objs), + (map { my $x = ($_->{lib} =~ /\[/) ? $_->{lib} : "[]".$_->{lib}; + "\@ WRITE OPT_FILE \"$x/LIB" } + grep { $_->{lib} =~ m|\.OLB$| } + @deps)) + ."\""; my $write_opt2 = - join("\n\t", map { my $x = $_->{lib} =~ /\[/ - ? $_->{lib} : "[]".$_->{lib}; - $x =~ s|(\.EXE)|$1/SHARE|; - $x =~ s|(\.OLB)|$1/LIB|; - "WRITE OPT_FILE \"$x\"" } @deps) + join("\n\t", + (map { my $x = ($_->{lib} =~ /\[/) ? $_->{lib} : "[]".$_->{lib}; + "\@ WRITE OPT_FILE \"$x/SHARE/SELECTIVE\"" } + grep { $_->{lib} =~ m|\.EXE$| } + @deps)) || "\@ !"; return <<"EOF" $dso : $deps 
@@ -1306,30 +1318,30 @@ EOF # is present in the current line and the previous line has one that # doesn't apply, you're in for a surprise. my $write_opt1 = - join(",-\"\n\t", map { my $x = $_ =~ /\[/ ? $_ : "[]".$_; - "\@ WRITE OPT_FILE \"$x" } @objs). - "\""; + "\@ WRITE OPT_FILE \"CASE_SENSITIVE=YES\"\n\t" + .join(",-\"\n\t", + "\@ WRITE OPT_FILE \"CLUSTER=_,,", + (map { my $x = $_ =~ /\[/ ? $_ : "[]".$_; + "\@ WRITE OPT_FILE \"$x" } @objs), + (map { my $x = ($_->{lib} =~ /\[/) ? $_->{lib} : "[]".$_->{lib}; + # Special hack to include the MAIN object module + # explicitly, if it's known that there is one. + # |incmain| is defined in the rule generation further + # down, with the necessary /INCLUDE=main option unless + # the program has been determined to have a main function + # already. + $_->{attrs}->{has_main} + ? "\@ WRITE OPT_FILE \"$x/LIB''incmain'" + : "\@ WRITE OPT_FILE \"$x/LIB" } + grep { $_->{lib} =~ m|\.OLB$| } + @deps)) + ."\""; my $write_opt2 = - join("\n\t", "WRITE OPT_FILE \"CASE_SENSITIVE=YES\"", - map { my @lines = (); - use Data::Dumper; - my $x = $_->{lib} =~ /\[/ - ? $_->{lib} : "[]".$_->{lib}; - if ($x =~ m|\.EXE$|) { - push @lines, "\@ WRITE OPT_FILE \"$x/SHARE\""; - } elsif ($x =~ m|\.OLB$|) { - # Special hack to include the MAIN object - # module explicitly. This will only be done - # if there isn't a 'main' in the program's - # object modules already. - my $main = $_->{attrs}->{has_main} - ? '/INCLUDE=main' : ''; - push @lines, - "\@ IF nomain THEN WRITE OPT_FILE \"$x/LIB$main\"", - "\@ IF .NOT. nomain THEN WRITE OPT_FILE \"$x/LIB\"" - } - @lines - } @deps) + join("\n\t", + (map { my $x = $_->{lib} =~ /\[/ ? $_->{lib} : "[]".$_->{lib}; + "\@ WRITE OPT_FILE \"$x/SHARE/SELECTIVE\"" } + grep { $_->{lib} =~ m|\.EXE$| } + @deps)) || "\@ !"; # The linking commands looks a bit complex, but it's for good reason. # When you link, say, foo.obj, bar.obj and libsomething.exe/share, and 
@@ -1352,6 +1364,8 @@ EOF return <<"EOF" $bin : $deps $analyse_objs + @ incmain = "/INCLUDE=main" + @ IF .NOT. nomain THEN incmain = "" @ OPEN/WRITE/SHARE=READ OPT_FILE $binname.OPT $write_opt1 $write_opt2 diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index 5d41af41b..f9c58eae9 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl @@ -780,7 +780,7 @@ EOF } return <<"EOF"; $target: "$gen0" $deps - \$(CPP) $incs $cppflags $defs "$gen0" > \$@.i + \$(CPP) /D__ASSEMBLER__ $incs $cppflags $defs "$gen0" > \$@.i move /Y \$@.i \$@ EOF } elsif ($gen0 =~ m|^.*\.in$|) { diff --git a/Configure b/Configure index 5ac4b5222..ab57c2073 100755 --- a/Configure +++ b/Configure @@ -603,7 +603,7 @@ my @disable_cascades = ( # Without shared libraries, dynamic engines aren't possible. # This is due to them having to link with libcrypto and register features # using the ENGINE functionality, and since that relies on global tables, - # those *have* to be exacty the same as the ones accessed from the app, + # those *have* to be exactly the same as the ones accessed from the app, # which cannot be guaranteed if shared libraries aren't present. # (note that even with shared libraries, both the app and dynamic engines # must be linked with the same library) @@ -1547,7 +1547,7 @@ my %predefined_CXX = $config{CXX} unless ($disabled{asm}) { # big endian systems can use ELFv2 ABI - if ($target eq "linux-ppc64") { + if ($target eq "linux-ppc64" || $target eq "BSD-ppc64") { $target{perlasm_scheme} = "linux64v2" if ($predefined_C{_CALL_ELF} == 2); } } 
@@ -1678,20 +1678,7 @@ $config{CFLAGS} = [ map { $_ eq '--ossl-strict-warnings' unless ($disabled{afalgeng}) { $config{afalgeng}=""; if (grep { $_ eq 'afalgeng' } @{$target{enable}}) { - my $minver = 4*10000 + 1*100 + 0; - if ($config{CROSS_COMPILE} eq "") { - my $verstr = `uname -r`; - my ($ma, $mi1, $mi2) = split("\\.", $verstr); - ($mi2) = $mi2 =~ /(\d+)/; - my $ver = $ma*10000 + $mi1*100 + $mi2; - if ($ver < $minver) { - disable('too-old-kernel', 'afalgeng'); - } else { - push @{$config{engdirs}}, "afalg"; - } - } else { - disable('cross-compiling', 'afalgeng'); - } + push @{$config{engdirs}}, "afalg"; } else { disable('not-linux', 'afalgeng'); } @@ -1791,7 +1778,7 @@ my %skipdir = (); my %disabled_info = (); # For configdata.pm foreach my $what (sort keys %disabled) { # There are deprecated disablables that translate to themselves. - # They cause disabling cascades, but should otherwise not regiter. + # They cause disabling cascades, but should otherwise not register. next if $deprecated_disablables{$what}; # The generated $disabled{"deprecated-x.y"} entries are special # and treated properly elsewhere diff --git a/HACKING.md b/HACKING.md index 6375450c2..9a1f7b9f5 100644 --- a/HACKING.md +++ b/HACKING.md @@ -9,7 +9,7 @@ This document describes the way to add custom modifications to OpenSSL sources. [Configurations/unix-Makefile.tmpl](Configurations/unix-Makefile.tmpl) to pick up that file. - After that perform the following steps: + After that, perform the following steps: ./Configure -Werror --strict-warnings [your-options] make update 
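Review bot: Dropping the `uname -r` probe removes the only configure-time guard that afalgeng requires a kernel with AF_ALG (the old threshold was 4.1.0) and also removes the `disable('cross-compiling', 'afalgeng')` path, so the engine is now built whenever the target lists afalgeng, cross-compiles included. Probing the build host's kernel never said anything reliable about the deployment kernel, so the direction is right, but correctness now rests entirely on the engine's own runtime check refusing to bind on a kernel without AF_ALG support; please confirm that check exists in the afalg engine source (not visible here) and note the behaviour change in CHANGES.md. Any documentation that still mentions the "too-old-kernel" or "cross-compiling" disable reasons should be updated in the same commit. The surrounding unless/else block is fully inside this hunk.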
@@ -27,7 +27,7 @@ This document describes the way to add custom modifications to OpenSSL sources. `make update` also generates files related to OIDs (in the `crypto/objects/` folder) and errors. - If a merge error occurs in one of these generated files then the + If a merge error occurs in one of these generated files, then the generated files need to be removed and regenerated using `make update`. - To aid in this process the generated files can be committed separately + To aid in this process, the generated files can be committed separately so they can be removed easily. diff --git a/INSTALL.md b/INSTALL.md index 84e8a7d54..a0194d493 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -455,7 +455,8 @@ This source is ignored by the FIPS provider. ### rdcpu -Use the `RDSEED` or `RDRAND` command if provided by the CPU. +Use the `RDSEED` or `RDRAND` command on x86 or `RNDRRS` command on aarch64 +if provided by the CPU. ### librandom @@ -1019,7 +1020,7 @@ below and how these flags interact with those variables. Additional options that are not otherwise recognised are passed through as they are to the compiler as well. Unix-style options beginning with a -`-` or `+` and Windows-style options beginning with a `/` are recognized. +`-` or `+` and Windows-style options beginning with a `/` are recognised. Again, consult your compiler documentation. If the option contains arguments separated by spaces, then the URL-style @@ -1612,7 +1613,7 @@ working incorrectly. If you think you encountered a bug, please Along with a short description of the bug, please provide the complete configure command line and the relevant output including the error message. -Note: To make the output readable, pleace add a 'code fence' (three backquotes +Note: To make the output readable, please add a 'code fence' (three backquotes ` ``` ` on a separate line) before and after your output: ``` diff --git a/NEWS.md b/NEWS.md index 36dbfa72f..784691967 100644 --- a/NEWS.md +++ b/NEWS.md 
@@ -7,6 +7,7 @@ release. For more details please read the CHANGES file. OpenSSL Releases ---------------- + - [OpenSSL 3.1](#openssl-31) - [OpenSSL 3.0](#openssl-30) - [OpenSSL 1.1.1](#openssl-111) - [OpenSSL 1.1.0](#openssl-110) @@ -15,6 +16,17 @@ OpenSSL Releases - [OpenSSL 1.0.0](#openssl-100) - [OpenSSL 0.9.x](#openssl-09x) +OpenSSL 3.1 +----------- + +### Major changes between OpenSSL 3.0 and OpenSSL 3.1.0 [14 Mar 2023] + + * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0. + * Performance enhancements and new platform support including new + assembler code algorithm implementations. + * Deprecated LHASH statistics functions. + * FIPS 140-3 compliance changes. + OpenSSL 3.0 ----------- @@ -83,7 +95,7 @@ OpenSSL 3.0 * Enhanced 'openssl list' with many new options. * Added migration guide to man7. * Implemented support for fully "pluggable" TLSv1.3 groups. - * Added suport for Kernel TLS (KTLS). + * Added support for Kernel TLS (KTLS). * Changed the license to the Apache License v2.0. * Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2, RC4, RC5, and DES to the legacy provider. @@ -126,7 +138,7 @@ OpenSSL 3.0 * Deprecated ERR_put_error(), ERR_get_error_line(), ERR_get_error_line_data(), ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and ERR_func_error_string(). - * Added OSSL_PROVIDER_available(), to check provider availibility. + * Added OSSL_PROVIDER_available(), to check provider availability. * Added 'openssl mac' that uses the EVP_MAC API. * Added 'openssl kdf' that uses the EVP_KDF API. * Add OPENSSL_info() and 'openssl info' to get built-in data. 
@@ -1440,7 +1452,7 @@ OpenSSL 0.9.x [CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203 [CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 -[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274 +[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097 [CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971 [CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967 [CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563 diff --git a/NOTES-ANDROID.md b/NOTES-ANDROID.md index eebf03a4c..c79b2212d 100644 --- a/NOTES-ANDROID.md +++ b/NOTES-ANDROID.md @@ -4,7 +4,7 @@ Notes for Android platforms Requirement details ------------------- - Beside basic tools like perl and make you'll need to download the Android + Beside basic tools like perl and make, you'll need to download the Android NDK. It's available for Linux, macOS and Windows, but only Linux version was actually tested. There is no reason to believe that macOS wouldn't work. And as for Windows, it's unclear which "shell" would be 
@@ -26,13 +26,13 @@ Notes for Android platforms invoke `$(CROSS_COMPILE)clang` [`*gcc` on NDK 19 and lower] and company. (`./Configure` will fail and give you a hint if you get it wrong.) - Apart from `PATH` adjustment you need to set `ANDROID_NDK_ROOT` environment + Apart from `PATH` adjustment, you need to set `ANDROID_NDK_ROOT` environment to point at the `NDK` directory. If you're using a side-by-side NDK the path will look something like `/some/where/android-sdk/ndk/`, and for a standalone NDK the path will be something like `/some/where/android-ndk-`. Both variables are significant at both configuration and compilation times. The NDK customarily supports multiple Android API levels, e.g. `android-14`, - `android-21`, etc. By default latest API level is chosen. If you need to target + `android-21`, etc. By default, latest API level is chosen. If you need to target an older platform pass the argument `-D__ANDROID_API__=N` to `Configure`, with `N` being the numerical value of the target platform version. For example, to compile for Android 10 arm64 with a side-by-side NDK r20.0.5594570 @@ -59,7 +59,7 @@ Notes for Android platforms conflict, and mixing the two is therefore not supported. Migration to `CROSS_SYSROOT`-less setup is recommended. - One can engage clang by adjusting PATH to cover same NDK's clang. Just + One can engage clang by adjusting PATH to cover the same NDK's clang. Just keep in mind that if you miss it, Configure will try to use gcc... Also, PATH would need even further adjustment to cover unprefixed, yet target-specific, ar and ranlib. It's possible that you don't need to 
@@ -67,7 +67,7 @@ Notes for Android platforms Another option is to create so called "standalone toolchain" tailored for single specific platform including Android API level, and assign its - location to `ANDROID_NDK_ROOT`. In such case you have to pass matching + location to `ANDROID_NDK_ROOT`. In such case, you have to pass matching target name to Configure and shouldn't use `-D__ANDROID_API__=N`. `PATH` adjustment becomes simpler, `$ANDROID_NDK_ROOT/bin:$PATH` suffices. diff --git a/NOTES-NONSTOP.md b/NOTES-NONSTOP.md index 627843bab..68438b998 100644 --- a/NOTES-NONSTOP.md +++ b/NOTES-NONSTOP.md @@ -44,6 +44,20 @@ instead of `nsx` in the set above. You cannot build for TNS/E for FIPS, so you must specify the `no-fips` option to `./Configure`. +Linking and Loading Considerations +---------------------------------- + +Because of how the NonStop Common Runtime Environment (CRE) works, there are +restrictions on how programs can link and load with OpenSSL libraries. +On current NonStop platforms, programs cannot both statically link OpenSSL +libraries and dynamically load OpenSSL shared libraries concurrently. If this +is done, there is a high probability of encountering a SIGSEGV condition +relating to `atexit()` processing when a shared library is unloaded and when +the program terminates. This limitation applies to all OpenSSL shared library +components. + +A resolution to this situation is under investigation. + About Prefix and OpenSSLDir --------------------------- diff --git a/NOTES-PERL.md b/NOTES-PERL.md index b7fc83fc7..3a91f09c2 100644 --- a/NOTES-PERL.md +++ b/NOTES-PERL.md 
@@ -33,12 +33,12 @@ Perl on Windows --------------- There are a number of build targets that can be viewed as "Windows". -Indeed, there are `VC-*` configs targeting VisualStudio C, as well as +Indeed, there are `VC-*` configs targeting Visual Studio C, as well as MinGW and Cygwin. The key recommendation is to use a Perl installation that matches the build environment. For example, if you will build on Cygwin be sure to use the Cygwin package manager to install Perl. For MSYS builds use the MSYS provided Perl. -For VC-* builds we recommend Strawberry Perl, from . +For VC-* builds, we recommend Strawberry Perl, from . An alternative is ActiveState Perl, from for which you may need to explicitly select the Perl module Win32/Console.pm available via . @@ -117,7 +117,7 @@ descriptions below, `Text::Template` will serve as an example. $ cpan -f -i Text::Template - Note: on VMS, you must quote any argument that contains upper case + Note: on VMS, you must quote any argument that contains uppercase characters, so the lines above would be: $ cpan -i "Text::Template" diff --git a/NOTES-UNIX.md b/NOTES-UNIX.md index 293793b60..fa52de68a 100644 --- a/NOTES-UNIX.md +++ b/NOTES-UNIX.md 
@@ -101,14 +101,14 @@ Notes for UNIX-like platforms shared library face exactly the same problem with non-default locations. The OpenSSL config options mentioned above might or might not have bearing on linking of the target application. "Might" means that under some - circumstances it would be sufficient to link with OpenSSL shared library + circumstances, it would be sufficient to link with OpenSSL shared library "naturally", i.e. with `-L/whatever/path -lssl -lcrypto`. But there are also cases when you'd have to explicitly specify runtime search path when linking your application. Consult your system documentation and use above section as inspiration... Shared OpenSSL builds also install static libraries. Linking with the - latter is likely to require special care, because linkers usually look + latter is likely to require special care because linkers usually look for shared libraries first and tend to remain "blind" to static OpenSSL libraries. Referring to system documentation would suffice, if not for a corner case. On AIX static libraries (in shared build) are named diff --git a/NOTES-WINDOWS.md b/NOTES-WINDOWS.md index b1d6c4fe1..63264b573 100644 --- a/NOTES-WINDOWS.md +++ b/NOTES-WINDOWS.md @@ -23,7 +23,7 @@ or "Hosted" OpenSSL relies on an external POSIX compatibility layer for building (using GNU/Unix shell, compiler, and tools) and at run time. -For this option you can use Cygwin. +For this option, you can use Cygwin. Native builds using Visual C++ ============================== @@ -212,7 +212,7 @@ Linking native applications This section applies to all native builds. -If you link with static OpenSSL libraries then you're expected to +If you link with static OpenSSL libraries, then you're expected to additionally link your application with `WS2_32.LIB`, `GDI32.LIB`, `ADVAPI32.LIB`, `CRYPT32.LIB` and `USER32.LIB`. Those developing non-interactive service applications might feel concerned about 
@@ -220,7 +220,7 @@ linking with `GDI32.LIB` and `USER32.LIB`, as they are justly associated with interactive desktop, which is not available to service processes. The toolkit is designed to detect in which context it's currently executed, GUI, console app or service, and act accordingly, -namely whether or not to actually make GUI calls. Additionally those +namely whether to actually make GUI calls. Additionally, those who wish to `/DELAYLOAD:GDI32.DLL` and `/DELAYLOAD:USER32.DLL` and actually keep them off service process should consider implementing and exporting from .exe image in question own `_OPENSSL_isservice` not @@ -261,5 +261,5 @@ Apart from that, follow the Unix / Linux instructions in INSTALL.md. NOTE: `make test` and normal file operations may fail in directories mounted as text (i.e. `mount -t c:\somewhere /home`) due to Cygwin -stripping of carriage returns. To avoid this ensure that a binary +stripping of carriage returns. To avoid this, ensure that a binary mount is used, e.g. `mount -b c:\somewhere /home`. diff --git a/README-ENGINES.md b/README-ENGINES.md index 9874276f1..24ec748fe 100644 --- a/README-ENGINES.md +++ b/README-ENGINES.md @@ -8,7 +8,7 @@ The ENGINE API was introduced in OpenSSL version 0.9.6 as a low level interface for adding alternative implementations of cryptographic primitives, most notably for integrating hardware crypto devices. -The ENGINE interface has its limitations and it has been superseeded +The ENGINE interface has its limitations and it has been superseded by the [PROVIDER API](README-PROVIDERS.md), it is deprecated in OpenSSL version 3.0. The following documentation is retained as an aid for users who need to maintain or support existing ENGINE implementations. 
@@ -22,9 +22,9 @@ Built-in ENGINE implementations There are currently built-in ENGINE implementations for the following crypto devices: - * Microsoft CryptoAPI - * VIA Padlock - * nCipher CHIL +- Microsoft CryptoAPI +- VIA Padlock +- nCipher CHIL In addition, dynamic binding to external ENGINE implementations is now provided by a special ENGINE called "dynamic". See the "DYNAMIC ENGINE" @@ -32,9 +32,9 @@ section below for details. At this stage, a number of things are still needed and are being worked on: - 1. Integration of EVP support. - 2. Configuration support. - 3. Documentation! +1. Integration of EVP support. +2. Configuration support. +3. Documentation! Integration of EVP support -------------------------- @@ -87,17 +87,17 @@ devices from common OpenSSL-based applications. Bugs and/or inexplicable behaviour in using a specific ENGINE implementation should be sent to the author of that implementation (if it is mentioned in the corresponding C file), and in the case of implementations for commercial hardware -devices, also through whatever vendor support channels are available. If +devices, also through whatever vendor support channels are available. If none of this is possible, or the problem seems to be something about the ENGINE API itself (ie. not necessarily specific to a particular ENGINE implementation) then you should mail complete details to the relevant OpenSSL mailing list. For a definition of "complete details", refer to the OpenSSL "README" file. As for which list to send it to: - * openssl-users: if you are *using* the ENGINE abstraction, either in an - pre-compiled application or in your own application code. +- openssl-users: if you are *using* the ENGINE abstraction, either in an + pre-compiled application or in your own application code. - * openssl-dev: if you are discussing problems with OpenSSL source code. +- openssl-dev: if you are discussing problems with OpenSSL source code. USAGE ===== 
@@ -185,7 +185,7 @@ the shared-library ENGINE implementation. If this command succeeds, the (copy of the) 'dynamic' ENGINE will magically morph into the ENGINE that has been loaded from the shared-library. As such, any control commands supported by the loaded ENGINE could then be executed as per -normal. Eg. if ENGINE "foo" is implemented in the shared-library +normal. For instance, if ENGINE "foo" is implemented in the shared-library "libfoo.so" and it supports some special control command "CMD_FOO", the following code would load and use it (NB: obviously this code has no error checking); 
@@ -270,35 +270,36 @@ This example will show building the "atalla" ENGINE in the crypto/engine/ directory as a shared-library for use via the "dynamic" ENGINE. - 1. "cd" to the crypto/engine/ directory of a pre-compiled OpenSSL - source tree. +1. "cd" to the crypto/engine/ directory of a pre-compiled OpenSSL + source tree. - 2. Recompile at least one source file so you can see all the compiler - flags (and syntax) being used to build normally. Eg; +2. Recompile at least one source file so you can see all the compiler + flags (and syntax) being used to build normally. Eg; - touch hw_atalla.c ; make + touch hw_atalla.c ; make - will rebuild "hw_atalla.o" using all such flags. + will rebuild "hw_atalla.o" using all such flags. - 3. Manually enter the same compilation line to compile the - "hw_atalla.c" file but with the following two changes; - * add "-DENGINE_DYNAMIC_SUPPORT" to the command line switches, - * change the output file from "hw_atalla.o" to something new, - eg. "tmp_atalla.o" +3. Manually enter the same compilation line to compile the + "hw_atalla.c" file but with the following two changes; - 4. Link "tmp_atalla.o" into a shared-library using the top-level - OpenSSL libraries to resolve any dependencies. The syntax for doing - this depends heavily on your system/compiler and is a nightmare - known well to anyone who has worked with shared-library portability - before. 'gcc' on Linux, for example, would use the following syntax; + - add "-DENGINE_DYNAMIC_SUPPORT" to the command line switches, + - change the output file from "hw_atalla.o" to something new, + eg. "tmp_atalla.o" - gcc -shared -o dyn_atalla.so tmp_atalla.o -L../.. -lcrypto +4. Link "tmp_atalla.o" into a shared-library using the top-level + OpenSSL libraries to resolve any dependencies. The syntax for doing + this depends heavily on your system/compiler and is a nightmare + known well to anyone who has worked with shared-library portability + before. 
'gcc' on Linux, for example, would use the following syntax; - 5. Test your shared library using "openssl engine" as explained in the - previous section. Eg. from the top-level directory, you might try + gcc -shared -o dyn_atalla.so tmp_atalla.o -L../.. -lcrypto - apps/openssl engine -vvvv dynamic \ - -pre SO_PATH:./crypto/engine/dyn_atalla.so -pre LOAD +5. Test your shared library using "openssl engine" as explained in the + previous section. Eg. from the top-level directory, you might try + + apps/openssl engine -vvvv dynamic \ + -pre SO_PATH:./crypto/engine/dyn_atalla.so -pre LOAD If the shared-library loads successfully, you will see both "-pre" commands marked as "SUCCESS" and the list of control commands diff --git a/README-FIPS.md b/README-FIPS.md index ba88ff2c4..f365d13c3 100644 --- a/README-FIPS.md +++ b/README-FIPS.md @@ -69,7 +69,7 @@ The FIPS module must have the self tests run, and the FIPS module config file output generated on every machine that it is to be used on. You must not copy the FIPS module config file output data from one machine to another. -On Unix the `openssl fipsinstall` command will be invoked as follows by default: +On Unix, the `openssl fipsinstall` command will be invoked as follows by default: $ openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so diff --git a/README-PROVIDERS.md b/README-PROVIDERS.md index 25e49c861..96cacfe03 100644 --- a/README-PROVIDERS.md +++ b/README-PROVIDERS.md 
@@ -15,7 +15,7 @@ Standard Providers Providers are containers for algorithm implementations. Whenever a cryptographic algorithm is used via the high level APIs a provider is selected. It is that provider implementation that actually does the required work. There are five -providers distributed with OpenSSL. In the future we expect third parties to +providers distributed with OpenSSL. In the future, we expect third parties to distribute their own providers which can be added to OpenSSL dynamically. Documentation about writing providers is available on the [provider(7)] manual page. @@ -31,10 +31,10 @@ explicitly (e.g. in the application or via config), then this is the provider that will be used. It is loaded automatically the first time that we try to get an algorithm from a provider if no other provider has been loaded yet. If another provider has already been loaded then it won't be loaded -automatically. Therefore if you want to use it in conjunction with other -providers then you must load it explicitly. +automatically. Therefore, if you want to use it in conjunction with other +providers, then you must load it explicitly. -This is a "built-in" provider which means that it is compiled and linked +This is a "built-in" provider, which means that it is compiled and linked into the libcrypto library and does not exist as a separate standalone module. The Legacy Provider @@ -58,7 +58,7 @@ The FIPS provider contains a sub-set of the algorithm implementations available from the default provider, consisting of algorithms conforming to FIPS standards. It is intended that this provider will be FIPS140-2 validated. -In some cases there may be minor behavioural differences between algorithm +In some cases, there may be minor behavioural differences between algorithm implementations in this provider compared to the equivalent algorithm in the default provider. This is typically in order to conform to FIPS standards. 
diff --git a/README.md b/README.md index f2f4fd39a..f542b722d 100644 --- a/README.md +++ b/README.md @@ -63,8 +63,8 @@ Source code tarballs of the official releases can be downloaded from The OpenSSL project does not distribute the toolkit in binary form. However, for a large variety of operating systems precompiled versions -of the OpenSSL toolkit are available. In particular on Linux and other -Unix operating systems it is normally recommended to link against the +of the OpenSSL toolkit are available. In particular, on Linux and other +Unix operating systems, it is normally recommended to link against the precompiled shared libraries provided by the distributor or vendor. For Testing and Development @@ -94,7 +94,7 @@ GitHub and clone your public fork instead. git clone https://github.com/yourname/openssl.git -This is necessary, because all development of OpenSSL nowadays is done via +This is necessary because all development of OpenSSL nowadays is done via GitHub pull requests. For more details, see [Contributing](#contributing). Build and Install @@ -133,7 +133,7 @@ Wiki ---- There is a Wiki at [wiki.openssl.org] which is currently not very active. -It contains a lot of useful information, not all of which is up to date. +It contains a lot of useful information, not all of which is up-to-date. License ======= @@ -148,7 +148,7 @@ Support ======= There are various ways to get in touch. The correct channel depends on -your requirement. see the [SUPPORT](SUPPORT.md) file for more details. +your requirement. See the [SUPPORT](SUPPORT.md) file for more details. Contributing ============ @@ -160,7 +160,7 @@ Legalities ========== A number of nations restrict the use or export of cryptography. If you are -potentially subject to such restrictions you should seek legal advice before +potentially subject to such restrictions, you should seek legal advice before attempting to develop or distribute cryptographic code. Copyright 
diff --git a/VERSION.dat b/VERSION.dat index 375a0de7e..5befb23f7 100644 --- a/VERSION.dat +++ b/VERSION.dat @@ -1,7 +1,7 @@ MAJOR=3 -MINOR=0 -PATCH=8 +MINOR=1 +PATCH=0 PRE_RELEASE_TAG= BUILD_METADATA= -RELEASE_DATE="7 Feb 2023" +RELEASE_DATE="14 Mar 2023" SHLIB_VERSION=3 diff --git a/apps/cmp.c b/apps/cmp.c index 9b9e405bb..4c4919392 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -1101,7 +1101,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) if (opt_grant_implicitconf) (void)OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(srv_ctx, 1); - if (opt_failure != INT_MIN) { /* option has been set explicity */ + if (opt_failure != INT_MIN) { /* option has been set explicitly */ if (opt_failure < 0 || OSSL_CMP_PKIFAILUREINFO_MAX < opt_failure) { CMP_err1("-failure out of range, should be >= 0 and <= %d", OSSL_CMP_PKIFAILUREINFO_MAX); @@ -1283,7 +1283,9 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const char *host, /* disable any cert status/revocation checking etc. */ X509_VERIFY_PARAM_clear_flags(tls_vpm, ~(X509_V_FLAG_USE_CHECK_TIME - | X509_V_FLAG_NO_CHECK_TIME)); + | X509_V_FLAG_NO_CHECK_TIME + | X509_V_FLAG_PARTIAL_CHAIN + | X509_V_FLAG_POLICY_CHECK)); } CMP_debug("trying to build cert chain for own TLS cert"); if (SSL_CTX_build_cert_chain(ssl_ctx, diff --git a/apps/demoSRP/srp_verifier.txt b/apps/demoSRP/srp_verifier.txt index c2d5c6033..50a52c152 100644 --- a/apps/demoSRP/srp_verifier.txt +++ b/apps/demoSRP/srp_verifier.txt 
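Review bot: The comment `/* disable any cert status/revocation checking etc. */` above the `X509_VERIFY_PARAM_clear_flags` call in `setup_ssl_ctx` no longer describes what the call does, since it now preserves four flags instead of the two check-time ones. Suggest `/* clear all verify flags except the check-time, partial-chain and policy-check settings, i.e. disable any cert status/revocation checking etc. */` so a reader can see at a glance which settings survive into the TLS verification. Why `X509_V_FLAG_POLICY_CHECK` should be kept for the TLS connection is not evident from the hunk and deserves a sentence in the comment or commit message. `setup_ssl_ctx` continues outside the hunk.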
@@ -1,6 +1,6 @@ # This is a file that will be filled by the openssl srp routine. # You can initialize the file with additional groups, these are -# records starting with a I followed by the g and N values and the id. +# records starting with an I followed by the g and N values and the id. # The exact values ... you have to dig this out from the source of srp.c # or srp_vfy.c # The last value of an I is used as the default group for new users. diff --git a/apps/dhparam.c b/apps/dhparam.c index 43906cea5..66b0bd655 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -272,7 +272,7 @@ int dhparam_main(int argc, char **argv) * because, unlike PEM, there is no header to declare what * the contents of the DER file are. The decoders just try * and guess. Unfortunately with DHX key types they may guess - * wrong and think we have a DSA keytype. Therefore we try + * wrong and think we have a DSA keytype. Therefore, we try * both DH and DHX sequentially. */ keytype = "DHX"; @@ -354,7 +354,7 @@ int dhparam_main(int argc, char **argv) } /* - * Historically we had the low level call DSA_dup_DH() to do this. + * Historically we had the low-level call DSA_dup_DH() to do this. * That is now deprecated with no replacement. Since we still need to do this * for backwards compatibility reasons, we do it "manually". */ diff --git a/apps/engine.c b/apps/engine.c index 1b0f64309..f9dce6e4b 100644 --- a/apps/engine.c +++ b/apps/engine.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -347,7 +347,7 @@ int engine_main(int argc, char **argv) break; case OPT_TT: test_avail_noise++; - /* fall thru */ + /* fall through */ case OPT_T: test_avail++; break; 
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c index d0efdf764..fb237bc73 100644 --- a/apps/fipsinstall.c +++ b/apps/fipsinstall.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -39,7 +39,8 @@ typedef enum OPTION_choice { OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG, OPT_NO_CONDITIONAL_ERRORS, OPT_NO_SECURITY_CHECKS, - OPT_SELF_TEST_ONLOAD + OPT_TLS_PRF_EMS_CHECK, + OPT_SELF_TEST_ONLOAD, OPT_SELF_TEST_ONINSTALL } OPTION_CHOICE; const OPTIONS fipsinstall_options[] = { @@ -51,13 +52,17 @@ const OPTIONS fipsinstall_options[] = { {"provider_name", OPT_PROV_NAME, 's', "FIPS provider name"}, {"section_name", OPT_SECTION_NAME, 's', "FIPS Provider config section name (optional)"}, - {"no_conditional_errors", OPT_NO_CONDITIONAL_ERRORS, '-', - "Disable the ability of the fips module to enter an error state if" - " any conditional self tests fail"}, + {"no_conditional_errors", OPT_NO_CONDITIONAL_ERRORS, '-', + "Disable the ability of the fips module to enter an error state if" + " any conditional self tests fail"}, {"no_security_checks", OPT_NO_SECURITY_CHECKS, '-', "Disable the run-time FIPS security checks in the module"}, {"self_test_onload", OPT_SELF_TEST_ONLOAD, '-', "Forces self tests to always run on module load"}, + {"self_test_oninstall", OPT_SELF_TEST_ONINSTALL, '-', + "Forces self tests to run once on module installation"}, + {"ems_check", OPT_TLS_PRF_EMS_CHECK, '-', + "Enable the run-time FIPS check for EMS during TLS1_PRF"}, OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input config file, used when verifying"}, 
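Review bot: The help text `"Forces self tests to always run on module load"` for `-self_test_onload` now describes the default rather than an opt-in, because the `fipsinstall_main` hunk further down initialises `self_test_onload = 1`, and nothing tells the user that `-self_test_onload` and `-self_test_oninstall` write the same variable so the last one on the command line silently wins. Suggest `"Forces self tests to always run on module load (default)"` and `"Forces self tests to run once on module installation (overrides -self_test_onload)"`, or alternatively reject the combination in the option loop. The same stale-default issue applies to the `OPT_SELF_TEST_ONINSTALL` case added in the later hunk, which is the only switch that changes behaviour now.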
@@ -101,12 +106,33 @@ static int load_fips_prov_and_run_self_test(const char *prov_name) { int ret = 0; OSSL_PROVIDER *prov = NULL; + OSSL_PARAM params[4], *p = params; + char *name = "", *vers = "", *build = ""; prov = OSSL_PROVIDER_load(NULL, prov_name); if (prov == NULL) { BIO_printf(bio_err, "Failed to load FIPS module\n"); goto end; } + if (!quiet) { + *p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_NAME, + &name, sizeof(name)); + *p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_VERSION, + &vers, sizeof(vers)); + *p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_BUILDINFO, + &build, sizeof(build)); + *p = OSSL_PARAM_construct_end(); + if (!OSSL_PROVIDER_get_params(prov, params)) { + BIO_printf(bio_err, "Failed to query FIPS module parameters\n"); + goto end; + } + if (OSSL_PARAM_modified(params)) + BIO_printf(bio_err, "\t%-10s\t%s\n", "name:", name); + if (OSSL_PARAM_modified(params + 1)) + BIO_printf(bio_err, "\t%-10s\t%s\n", "version:", vers); + if (OSSL_PARAM_modified(params + 2)) + BIO_printf(bio_err, "\t%-10s\t%s\n", "build:", build); + } ret = 1; end: OSSL_PROVIDER_unload(prov); @@ -149,6 +175,7 @@ static int write_config_fips_section(BIO *out, const char *section, size_t module_mac_len, int conditional_errors, int security_checks, + int ems_check, unsigned char *install_mac, size_t install_mac_len) { @@ -162,6 +189,8 @@ static int write_config_fips_section(BIO *out, const char *section, conditional_errors ? "1" : "0") <= 0 || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS, security_checks ? "1" : "0") <= 0 + || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK, + ems_check ? "1" : "0") <= 0 || !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac, module_mac_len)) goto end; 
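Review bot: In `load_fips_prov_and_run_self_test`, a failed `OSSL_PROVIDER_get_params` call jumps to `end` with `ret` still 0, so a module that loaded successfully (and, judging by the function name, passed its self tests) fails installation merely because the informational name/version/build query did not succeed. If that output is only cosmetic, replace the `goto end;` with a warning and fall through to `ret = 1;`; if the parameters are genuinely required, the message `"Failed to query FIPS module parameters\n"` should say that installation is aborted for that reason. Note also that the whole block is gated on `!quiet`, so the same module installs fine with `-quiet`, which makes the failure mode inconsistent. The function's closing lines are outside the hunk.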
@@ -183,7 +212,8 @@ static CONF *generate_config_and_load(const char *prov_name, unsigned char *module_mac, size_t module_mac_len, int conditional_errors, - int security_checks) + int security_checks, + int ems_check) { BIO *mem_bio = NULL; CONF *conf = NULL; @@ -196,6 +226,7 @@ static CONF *generate_config_and_load(const char *prov_name, module_mac, module_mac_len, conditional_errors, security_checks, + ems_check, NULL, 0)) goto end; @@ -291,8 +322,9 @@ static int verify_config(const char *infile, const char *section, int fipsinstall_main(int argc, char **argv) { - int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, self_test_onload = 0; + int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, self_test_onload = 1; int enable_conditional_errors = 1, enable_security_checks = 1; + int enable_tls_prf_ems_check = 0; /* This is off by default */ const char *section_name = "fips_sect"; const char *mac_name = "HMAC"; const char *prov_name = "fips"; @@ -338,6 +370,9 @@ int fipsinstall_main(int argc, char **argv) case OPT_NO_SECURITY_CHECKS: enable_security_checks = 0; break; + case OPT_TLS_PRF_EMS_CHECK: + enable_tls_prf_ems_check = 1; + break; case OPT_QUIET: quiet = 1; /* FALLTHROUGH */ @@ -379,6 +414,9 @@ int fipsinstall_main(int argc, char **argv) case OPT_SELF_TEST_ONLOAD: self_test_onload = 1; break; + case OPT_SELF_TEST_ONINSTALL: + self_test_onload = 0; + break; } } @@ -391,9 +429,10 @@ int fipsinstall_main(int argc, char **argv) /* Test that a parent config can load the module */ if (verify_module_load(parent_config)) { ret = OSSL_PROVIDER_available(NULL, prov_name) ? 0 : 1; - if (!quiet) + if (!quiet) { BIO_printf(bio_err, "FIPS provider is %s\n", ret == 0 ? "available" : " not available"); + } } goto end; } 
@@ -494,7 +533,8 @@ int fipsinstall_main(int argc, char **argv) conf = generate_config_and_load(prov_name, section_name, module_mac, module_mac_len, enable_conditional_errors, - enable_security_checks); + enable_security_checks, + enable_tls_prf_ems_check); if (conf == NULL) goto end; if (!load_fips_prov_and_run_self_test(prov_name)) @@ -511,6 +551,7 @@ int fipsinstall_main(int argc, char **argv) module_mac, module_mac_len, enable_conditional_errors, enable_security_checks, + enable_tls_prf_ems_check, install_mac, install_mac_len)) goto end; if (!quiet) diff --git a/apps/include/apps.h b/apps/include/apps.h index baacd0025..8b96fa723 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h @@ -10,7 +10,7 @@ #ifndef OSSL_APPS_H # define OSSL_APPS_H -# include "e_os.h" /* struct timeval for DTLS */ +# include "internal/e_os.h" /* struct timeval for DTLS */ # include "internal/nelem.h" # include "internal/sockets.h" /* for openssl_fdset() */ # include "internal/cryptlib.h" /* ossl_assert() */ diff --git a/apps/include/function.h b/apps/include/function.h index 14e8dd388..c45a8f21f 100644 --- a/apps/include/function.h +++ b/apps/include/function.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -29,7 +29,7 @@ typedef struct function_st { const char *deprecated_version; } FUNCTION; -DEFINE_LHASH_OF(FUNCTION); +DEFINE_LHASH_OF_EX(FUNCTION); /* Structure to hold the number of columns to be displayed and the * field width used to display them. diff --git a/apps/include/http_server.h b/apps/include/http_server.h index 8c339660a..3a259038b 100644 --- a/apps/include/http_server.h +++ b/apps/include/http_server.h 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -93,7 +93,7 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq, * Send an ASN.1-formatted HTTP response * cbio: destination BIO (typically as returned by http_server_get_asn1_req()) * note: cbio should not do an encoding that changes the output length - * keep_alive: grant persistent connnection + * keep_alive: grant persistent connection * content_type: string identifying the type of the response * it: the response ASN.1 type * resp: the response to send diff --git a/apps/include/s_apps.h b/apps/include/s_apps.h index d610df40b..a86106ce2 100644 --- a/apps/include/s_apps.h +++ b/apps/include/s_apps.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -15,6 +15,9 @@ #define PORT "4433" #define PROTOCOL "tcp" +#define SSL_VERSION_ALLOWS_RENEGOTIATION(s) \ + (SSL_is_dtls(s) || (SSL_version(s) < TLS1_3_VERSION)) + typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context); int report_server_accept(BIO *out, int asock, int with_address, int with_pid); int do_server(int *accept_sock, const char *host, const char *port, 
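Review bot: `SSL_VERSION_ALLOWS_RENEGOTIATION` deserves a comment explaining why `SSL_is_dtls(s)` is tested first: the DTLS version constants (`DTLS1_VERSION`, `DTLS1_2_VERSION`) are numerically greater than `TLS1_3_VERSION`, so the `<` comparison on its own would report every DTLS connection as forbidding renegotiation. Suggest `/* Renegotiation exists in all DTLS versions and in TLS up to 1.2; DTLS version numbers sort above TLS1_3_VERSION, hence the explicit DTLS test. */` above the `#define`. The macro evaluates `s` twice, which is harmless for the plain pointer it receives in `s_cb.c` but worth remembering if it is ever passed an expression with side effects.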
@@ -79,6 +82,7 @@ int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath, void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose); int set_keylog_file(SSL_CTX *ctx, const char *keylog_file); void print_ca_names(BIO *bio, SSL *s); +void ssl_print_secure_renegotiation_notes(BIO *bio, SSL *s); #ifndef OPENSSL_NO_SRP /* The client side SRP context that we pass to all SRP related callbacks */ diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 0d7a20b52..9a53a1093 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -44,7 +44,6 @@ #include #include #include -#include #include #include "s_apps.h" #include "apps.h" @@ -79,15 +78,6 @@ static int set_table_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL * in_tbl); static int set_multi_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL * in_tbl); -static -int load_key_certs_crls_suppress(const char *uri, int format, int maybe_stdin, - const char *pass, const char *desc, - EVP_PKEY **ppkey, EVP_PKEY **ppubkey, - EVP_PKEY **pparams, - X509 **pcert, STACK_OF(X509) **pcerts, - X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls, - int suppress_decode_errors); - int app_init(long mesgwin); int chopup_args(ARGS *arg, char *buf) @@ -469,16 +459,17 @@ X509 *load_cert_pass(const char *uri, int format, int maybe_stdin, if (desc == NULL) desc = "certificate"; - if (IS_HTTPS(uri)) + if (IS_HTTPS(uri)) { BIO_printf(bio_err, "Loading %s over HTTPS is unsupported\n", desc); - else if (IS_HTTP(uri)) + } else if (IS_HTTP(uri)) { cert = X509_load_http(uri, NULL, NULL, 0 /* timeout */); - else + if (cert == NULL) { + ERR_print_errors(bio_err); + BIO_printf(bio_err, "Unable to load %s from %s\n", desc, uri); + } + } else { (void)load_key_certs_crls(uri, format, maybe_stdin, pass, desc, NULL, NULL, NULL, &cert, NULL, NULL, NULL); - if (cert == NULL) { - BIO_printf(bio_err, "Unable to load %s\n", desc); - ERR_print_errors(bio_err); } return cert; } 
@@ -490,16 +481,17 @@ X509_CRL *load_crl(const char *uri, int format, int maybe_stdin, if (desc == NULL) desc = "CRL"; - if (IS_HTTPS(uri)) + if (IS_HTTPS(uri)) { BIO_printf(bio_err, "Loading %s over HTTPS is unsupported\n", desc); - else if (IS_HTTP(uri)) + } else if (IS_HTTP(uri)) { crl = X509_CRL_load_http(uri, NULL, NULL, 0 /* timeout */); - else + if (crl == NULL) { + ERR_print_errors(bio_err); + BIO_printf(bio_err, "Unable to load %s from %s\n", desc, uri); + } + } else { (void)load_key_certs_crls(uri, format, maybe_stdin, NULL, desc, NULL, NULL, NULL, NULL, NULL, &crl, NULL); - if (crl == NULL) { - BIO_printf(bio_err, "Unable to load %s\n", desc); - ERR_print_errors(bio_err); } return crl; } @@ -526,8 +518,8 @@ X509_REQ *load_csr(const char *file, int format, const char *desc) end: if (req == NULL) { - BIO_printf(bio_err, "Unable to load %s\n", desc); ERR_print_errors(bio_err); + BIO_printf(bio_err, "Unable to load %s\n", desc); } BIO_free(in); return req; @@ -588,23 +580,23 @@ EVP_PKEY *load_keyparams_suppress(const char *uri, int format, int maybe_stdin, int suppress_decode_errors) { EVP_PKEY *params = NULL; + BIO *bio_bak = bio_err; if (desc == NULL) desc = "key parameters"; - - (void)load_key_certs_crls_suppress(uri, format, maybe_stdin, NULL, desc, - NULL, NULL, ¶ms, NULL, NULL, NULL, - NULL, suppress_decode_errors); + if (suppress_decode_errors) + bio_err = NULL; + (void)load_key_certs_crls(uri, format, maybe_stdin, NULL, desc, + NULL, NULL, ¶ms, NULL, NULL, NULL, NULL); if (params != NULL && keytype != NULL && !EVP_PKEY_is_a(params, keytype)) { - if (!suppress_decode_errors) { - BIO_printf(bio_err, - "Unable to load %s from %s (unexpected parameters type)\n", - desc, uri); - ERR_print_errors(bio_err); - } + ERR_print_errors(bio_err); + BIO_printf(bio_err, + "Unable to load %s from %s (unexpected parameters type)\n", + desc, uri); EVP_PKEY_free(params); params = NULL; } + bio_err = bio_bak; return params; } 
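Review bot: `load_keyparams_suppress` now suppresses diagnostics by assigning the global `bio_err = NULL` around the `load_key_certs_crls` call, and the restore `bio_err = bio_bak;` sits only at the very end, so any future early return inserted between the two lines would leave the whole application silently discarding error output. The `ERR_print_errors(bio_err)` and `BIO_printf(bio_err, ...)` in the wrong-keytype branch also execute with `bio_err == NULL` when suppression is on and rely on the BIO functions tolerating a NULL BIO. Suggest a comment such as `/* bio_err is temporarily NULL'ed to suppress output; BIO_printf/ERR_print_errors are NULL-safe, and load_key_certs_crls treats bio_err == NULL as "pop suppressed errors" */`, and consider restoring `bio_err` immediately after the call rather than after the type check.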
@@ -689,6 +681,8 @@ int load_cert_certs(const char *uri, int ret = 0; char *pass_string; + if (desc == NULL) + desc = pcerts == NULL ? "certificate" : "certificates"; if (exclude_http && (OPENSSL_strncasecmp(uri, "http://", 7) == 0 || OPENSSL_strncasecmp(uri, "https://", 8) == 0)) { BIO_printf(bio_err, "error: HTTP retrieval not allowed for %s\n", desc); @@ -696,8 +690,7 @@ int load_cert_certs(const char *uri, } pass_string = get_passwd(pass, desc); ret = load_key_certs_crls(uri, FORMAT_UNDEF, 0, pass_string, desc, - NULL, NULL, NULL, - pcert, pcerts, NULL, NULL); + NULL, NULL, NULL, pcert, pcerts, NULL, NULL); clear_free(pass_string); if (ret) { @@ -800,10 +793,12 @@ X509_STORE *load_certstore(char *input, const char *pass, const char *desc, int load_certs(const char *uri, int maybe_stdin, STACK_OF(X509) **certs, const char *pass, const char *desc) { - int was_NULL = *certs == NULL; - int ret = load_key_certs_crls(uri, FORMAT_UNDEF, maybe_stdin, - pass, desc, NULL, NULL, - NULL, NULL, certs, NULL, NULL); + int ret, was_NULL = *certs == NULL; + + if (desc == NULL) + desc = "certificates"; + ret = load_key_certs_crls(uri, FORMAT_UNDEF, maybe_stdin, pass, desc, + NULL, NULL, NULL, NULL, certs, NULL, NULL); if (!ret && was_NULL) { sk_X509_pop_free(*certs, X509_free); @@ -819,10 +814,12 @@ int load_certs(const char *uri, int maybe_stdin, STACK_OF(X509) **certs, int load_crls(const char *uri, STACK_OF(X509_CRL) **crls, const char *pass, const char *desc) { - int was_NULL = *crls == NULL; - int ret = load_key_certs_crls(uri, FORMAT_UNDEF, 0, pass, desc, - NULL, NULL, NULL, - NULL, NULL, NULL, crls); + int ret, was_NULL = *crls == NULL; + + if (desc == NULL) + desc = "CRLs"; + ret = load_key_certs_crls(uri, FORMAT_UNDEF, 0, pass, desc, + NULL, NULL, NULL, NULL, NULL, NULL, crls); if (!ret && was_NULL) { sk_X509_CRL_pop_free(*crls, X509_CRL_free); 
@@ -857,14 +854,12 @@ static const char *format2string(int format) * In any case (also on error) the caller is responsible for freeing all members * of *pcerts and *pcrls (as far as they are not NULL). */ -static -int load_key_certs_crls_suppress(const char *uri, int format, int maybe_stdin, - const char *pass, const char *desc, - EVP_PKEY **ppkey, EVP_PKEY **ppubkey, - EVP_PKEY **pparams, - X509 **pcert, STACK_OF(X509) **pcerts, - X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls, - int suppress_decode_errors) +int load_key_certs_crls(const char *uri, int format, int maybe_stdin, + const char *pass, const char *desc, + EVP_PKEY **ppkey, EVP_PKEY **ppubkey, + EVP_PKEY **pparams, + X509 **pcert, STACK_OF(X509) **pcerts, + X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls) { PW_CB_DATA uidata; OSSL_STORE_CTX *ctx = NULL; @@ -883,6 +878,7 @@ int load_key_certs_crls_suppress(const char *uri, int format, int maybe_stdin, OSSL_PARAM itp[2]; const OSSL_PARAM *params = NULL; + ERR_set_mark(); if (ppkey != NULL) { *ppkey = NULL; cnt_expectations++; @@ -925,9 +921,9 @@ int load_key_certs_crls_suppress(const char *uri, int format, int maybe_stdin, SET_EXPECT(expect, OSSL_STORE_INFO_CRL); } if (cnt_expectations == 0) { - BIO_printf(bio_err, "Internal error: nothing to load from %s\n", - uri != NULL ? uri : ""); - return 0; + BIO_printf(bio_err, "Internal error: no expectation to load"); + failed = "anything"; + goto end; } uidata.password = pass; 
@@ -1063,14 +1059,14 @@ int load_key_certs_crls_suppress(const char *uri, int format, int maybe_stdin, any = 1; failed = "CRL"; } - if (!suppress_decode_errors) { - if (failed != NULL) - BIO_printf(bio_err, "Could not read"); - if (any) - BIO_printf(bio_err, " any"); - } + if (failed != NULL) + BIO_printf(bio_err, "Could not read"); + if (any) + BIO_printf(bio_err, " any"); } - if (!suppress_decode_errors && failed != NULL) { + if (failed != NULL) { + unsigned long err = ERR_peek_last_error(); + if (desc != NULL && strstr(desc, failed) != NULL) { BIO_printf(bio_err, " %s", desc); } else { @@ -1080,27 +1076,23 @@ int load_key_certs_crls_suppress(const char *uri, int format, int maybe_stdin, } if (uri != NULL) BIO_printf(bio_err, " from %s", uri); + if (ERR_SYSTEM_ERROR(err)) { + /* provide more readable diagnostic output */ + BIO_printf(bio_err, ": %s", strerror(ERR_GET_REASON(err))); + ERR_pop_to_mark(); + ERR_set_mark(); + } BIO_printf(bio_err, "\n"); ERR_print_errors(bio_err); } - if (suppress_decode_errors || failed == NULL) - /* clear any spurious errors */ - ERR_clear_error(); + if (bio_err == NULL || failed == NULL) + /* clear any suppressed or spurious errors */ + ERR_pop_to_mark(); + else + ERR_clear_last_mark(); return failed == NULL; } -int load_key_certs_crls(const char *uri, int format, int maybe_stdin, - const char *pass, const char *desc, - EVP_PKEY **ppkey, EVP_PKEY **ppubkey, - EVP_PKEY **pparams, - X509 **pcert, STACK_OF(X509) **pcerts, - X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls) -{ - return load_key_certs_crls_suppress(uri, format, maybe_stdin, pass, desc, - ppkey, ppubkey, pparams, pcert, pcerts, - pcrl, pcrls, 0); -} - #define X509V3_EXT_UNKNOWN_MASK (0xfL << 16) /* Return error for unknown extensions */ #define X509V3_EXT_DEFAULT 0 diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c index b37f3dd3d..0cbd65df3 100644 --- a/apps/lib/cmp_mock_srv.c +++ b/apps/lib/cmp_mock_srv.c 
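Review bot: The `ERR_pop_to_mark(); ERR_set_mark();` pair inside the `ERR_SYSTEM_ERROR(err)` branch is not explained by the existing `/* provide more readable diagnostic output */` comment; presumably it drops the errno-derived entry that was just printed via `strerror` so the following `ERR_print_errors(bio_err)` does not repeat it, while re-establishing a mark so the `ERR_pop_to_mark`/`ERR_clear_last_mark` cleanup at the end of `load_key_certs_crls` stays balanced. Suggest extending the comment to `/* print the system error in readable form, then drop it from the queue (re-marking so the cleanup below stays balanced) */`. Every exit path of the function must now reach that final pop/clear because of the `ERR_set_mark()` added near the top in the earlier hunk; the `goto end` that replaced `return 0` in the `cnt_expectations == 0` hunk respects this, and a short comment next to that `ERR_set_mark()` stating the invariant would protect it against future early returns. The function body extends beyond the shown hunks.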
@@ -1,5 +1,5 @@ /* - * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright Siemens AG 2018-2020 * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c index f2ddd94c3..b27518c76 100644 --- a/apps/lib/s_cb.c +++ b/apps/lib/s_cb.c @@ -7,7 +7,10 @@ * https://www.openssl.org/source/license.html */ -/* callback functions used by s_client, s_server, and s_time */ +/* + * callback functions used by s_client, s_server, and s_time, + * as well as other common logic for those apps + */ #include #include #include /* for memcpy() and strcmp() */ @@ -1567,3 +1570,13 @@ void print_ca_names(BIO *bio, SSL *s) BIO_write(bio, "\n", 1); } } + +void ssl_print_secure_renegotiation_notes(BIO *bio, SSL *s) +{ + if (SSL_VERSION_ALLOWS_RENEGOTIATION(s)) { + BIO_printf(bio, "Secure Renegotiation IS%s supported\n", + SSL_get_secure_renegotiation_support(s) ? "" : " NOT"); + } else { + BIO_printf(bio, "This TLS version forbids renegotiation.\n"); + } +} diff --git a/apps/lib/s_socket.c b/apps/lib/s_socket.c index 059afe47b..452714ea0 100644 --- a/apps/lib/s_socket.c +++ b/apps/lib/s_socket.c @@ -56,7 +56,7 @@ BIO_ADDR *ourpeer = NULL; /* * init_client - helper routine to set up socket communication * @sock: pointer to storage of resulting socket. - * @host: the host name or path (for AF_UNIX) to connect to. + * @host: the hostname or path (for AF_UNIX) to connect to. * @port: the port to connect to (ignored for AF_UNIX). * @bindhost: source host or path (for AF_UNIX). * @bindport: source port (ignored for AF_UNIX). 
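Review bot: The new `ssl_print_secure_renegotiation_notes` has no header comment, although it is now a shared helper declared in `s_apps.h` and called from `s_client.c` in place of the former inline `BIO_printf`. Suggest `/* Report whether the peer supports secure renegotiation (RFC 5746), or that the negotiated protocol version forbids renegotiation entirely (TLS 1.3). */` above the definition, matching the updated file header that now advertises "other common logic for those apps". The DTLS handling comes entirely from `SSL_VERSION_ALLOWS_RENEGOTIATION`, so the comment can simply refer to that macro rather than restating the version logic.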
@@ -239,7 +239,7 @@ int report_server_accept(BIO *out, int asock, int with_address, int with_pid) /* * do_server - helper routine to perform a server operation * @accept_sock: pointer to storage of resulting socket. - * @host: the host name or path (for AF_UNIX) to connect to. + * @host: the hostname or path (for AF_UNIX) to connect to. * @port: the port to connect to (ignored for AF_UNIX). * @family: desired socket family, may be AF_INET, AF_INET6, AF_UNIX or * AF_UNSPEC diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf index 59c6776a1..c141010e8 100644 --- a/apps/openssl-vms.cnf +++ b/apps/openssl-vms.cnf @@ -13,7 +13,7 @@ # defined. HOME = . - # Use this in order to automatically load providers. +# Use this in order to automatically load providers. openssl_conf = openssl_init # Comment out the next line to ignore configuration errors @@ -92,7 +92,7 @@ serial = $dir]serial. # The current serial number crlnumber = $dir]crlnumber. # the current crl number # must be commented out to leave a V1 CRL crl = $dir]crl.pem # The current CRL -private_key = $dir.private]cakey.pem# The private key +private_key = $dir.private]cakey.pem # The private key x509_extensions = usr_cert # The extensions to add to the cert diff --git a/apps/openssl.cnf b/apps/openssl.cnf index 03330e012..1933f9ebe 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -13,7 +13,7 @@ # defined. HOME = . - # Use this in order to automatically load providers. +# Use this in order to automatically load providers. openssl_conf = openssl_init # Comment out the next line to ignore configuration errors @@ -92,7 +92,7 @@ serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL -private_key = $dir/private/cakey.pem# The private key +private_key = $dir/private/cakey.pem # The private key x509_extensions = usr_cert # The extensions to add to the cert 
diff --git a/apps/rsautl.c b/apps/rsautl.c index df29069bc..a61f21f86 100644 --- a/apps/rsautl.c +++ b/apps/rsautl.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/s_client.c b/apps/s_client.c index a91423864..f056adb68 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -8,13 +8,14 @@ * https://www.openssl.org/source/license.html */ -#include "e_os.h" +#include "internal/e_os.h" #include #include #include #include #include #include +#include "internal/nelem.h" #ifndef OPENSSL_NO_SOCK @@ -3244,8 +3245,9 @@ static void print_stuff(BIO *bio, SSL *s, int full) BIO_printf(bio, "Server public key is %d bit\n", EVP_PKEY_get_bits(pktmp)); } - BIO_printf(bio, "Secure Renegotiation IS%s supported\n", - SSL_get_secure_renegotiation_support(s) ? "" : " NOT"); + + ssl_print_secure_renegotiation_notes(bio, s); + #ifndef OPENSSL_NO_COMP comp = SSL_get_current_compression(s); expansion = SSL_get_current_expansion(s); diff --git a/apps/s_server.c b/apps/s_server.c index 2b0b6ba38..476089335 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -42,7 +42,6 @@ typedef unsigned int u_int; #include #include #include -#include #include #include #ifndef OPENSSL_NO_DH 
@@ -229,6 +228,7 @@ static int psk_find_session_cb(SSL *ssl, const unsigned char *identity, || !SSL_SESSION_set_cipher(tmpsess, cipher) || !SSL_SESSION_set_protocol_version(tmpsess, SSL_version(ssl))) { OPENSSL_free(key); + SSL_SESSION_free(tmpsess); return 0; } OPENSSL_free(key); @@ -2995,8 +2995,9 @@ static void print_connection_info(SSL *con) #endif if (SSL_session_reused(con)) BIO_printf(bio_s_out, "Reused session-id\n"); - BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n", - SSL_get_secure_renegotiation_support(con) ? "" : " NOT"); + + ssl_print_secure_renegotiation_notes(bio_s_out, con); + if ((SSL_get_options(con) & SSL_OP_NO_RENEGOTIATION)) BIO_printf(bio_s_out, "Renegotiation is DISABLED\n"); @@ -3230,10 +3231,7 @@ static int www_body(int s, int stype, int prot, unsigned char *context) } BIO_puts(io, "\n"); - BIO_printf(io, - "Secure Renegotiation IS%s supported\n", - SSL_get_secure_renegotiation_support(con) ? - "" : " NOT"); + ssl_print_secure_renegotiation_notes(io, con); /* * The following is evil and should not really be done diff --git a/apps/speed.c b/apps/speed.c index addf7e321..cace25eda 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -49,6 +49,21 @@ #if defined(_WIN32) # include +/* + * While VirtualLock is available under the app partition (e.g. UWP), + * the headers do not define the API. Define it ourselves instead. + */ +WINBASEAPI +BOOL +WINAPI +VirtualLock( + _In_ LPVOID lpAddress, + _In_ SIZE_T dwSize + ); +#endif + +#if defined(OPENSSL_SYS_LINUX) +# include #endif #include @@ -111,6 +126,8 @@ static void print_result(int alg, int run_no, int count, double time_used); static int do_multi(int multi, int size_num); #endif +static int domlock = 0; + static const int lengths_list[] = { 16, 64, 256, 1024, 8 * 1024, 16 * 1024 }; 
@@ -211,8 +228,8 @@ static int opt_found(const char *name, unsigned int *result, typedef enum OPTION_choice { OPT_COMMON, OPT_ELAPSED, OPT_EVP, OPT_HMAC, OPT_DECRYPT, OPT_ENGINE, OPT_MULTI, - OPT_MR, OPT_MB, OPT_MISALIGN, OPT_ASYNCJOBS, OPT_R_ENUM, OPT_PROV_ENUM, - OPT_PRIMES, OPT_SECONDS, OPT_BYTES, OPT_AEAD, OPT_CMAC + OPT_MR, OPT_MB, OPT_MISALIGN, OPT_ASYNCJOBS, OPT_R_ENUM, OPT_PROV_ENUM, OPT_CONFIG, + OPT_PRIMES, OPT_SECONDS, OPT_BYTES, OPT_AEAD, OPT_CMAC, OPT_MLOCK } OPTION_CHOICE; const OPTIONS speed_options[] = { @@ -234,6 +251,8 @@ const OPTIONS speed_options[] = { {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif {"primes", OPT_PRIMES, 'p', "Specify number of primes (for RSA only)"}, + {"mlock", OPT_MLOCK, '-', "Lock memory for better result determinism"}, + OPT_CONFIG_OPTION, OPT_SECTION("Selection"), {"evp", OPT_EVP, 's', "Use EVP-named cipher or digest"}, @@ -1342,6 +1361,7 @@ static EVP_PKEY *get_ecdsa(const EC_CURVE *curve) int speed_main(int argc, char **argv) { + CONF *conf = NULL; ENGINE *e = NULL; loopargs_t *loopargs = NULL; const char *prog; @@ -1467,7 +1487,7 @@ int speed_main(int argc, char **argv) uint8_t ecdh_doit[EC_NUM] = { 0 }; uint8_t eddsa_doit[EdDSA_NUM] = { 0 }; - /* checks declarated curves against choices list. */ + /* checks declared curves against choices list. */ OPENSSL_assert(ed_curves[EdDSA_NUM - 1].nid == NID_ED448); OPENSSL_assert(strcmp(eddsa_choices[EdDSA_NUM - 1].name, "ed448") == 0); @@ -1598,6 +1618,11 @@ int speed_main(int argc, char **argv) if (!opt_provider(o)) goto end; break; + case OPT_CONFIG: + conf = app_load_config_modules(opt_arg()); + if (conf == NULL) + goto end; + break; case OPT_PRIMES: primes = opt_int_arg(); break; 
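Review bot: The help text for the new `-mlock` option in the `@@ -234,6 +251,8 @@` hunk does not say that it is only honoured on Linux and Windows, while the `case OPT_MLOCK` handler added later in this file aborts with "-mlock not supported on this platform" everywhere else. Suggest `{"mlock", OPT_MLOCK, '-', "Lock memory for better result determinism (Linux and Windows only)"}` so the restriction shows up in `-help` rather than as a failed run.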
@@ -1614,6 +1639,15 @@ int speed_main(int argc, char **argv) case OPT_AEAD: aead = 1; break; + case OPT_MLOCK: + domlock = 1; +#if !defined(_WIN32) && !defined(OPENSSL_SYS_LINUX) + BIO_printf(bio_err, + "%s: -mlock not supported on this platform\n", + prog); + goto end; +#endif + break; } } @@ -1767,6 +1801,14 @@ int speed_main(int argc, char **argv) app_malloc(loopargs_len * sizeof(loopargs_t), "array of loopargs"); memset(loopargs, 0, loopargs_len * sizeof(loopargs_t)); + buflen = lengths[size_num - 1]; + if (buflen < 36) /* size of random vector in RSA benchmark */ + buflen = 36; + if (INT_MAX - (MAX_MISALIGNMENT + 1) < buflen) { + BIO_printf(bio_err, "Error: buffer size too large\n"); + goto end; + } + buflen += MAX_MISALIGNMENT + 1; for (i = 0; i < loopargs_len; i++) { if (async_jobs > 0) { loopargs[i].wait_ctx = ASYNC_WAIT_CTX_new(); @@ -1776,18 +1818,8 @@ int speed_main(int argc, char **argv) } } - buflen = lengths[size_num - 1]; - if (buflen < 36) /* size of random vector in RSA benchmark */ - buflen = 36; - if (INT_MAX - (MAX_MISALIGNMENT + 1) < buflen) { - BIO_printf(bio_err, "Error: buffer size too large\n"); - goto end; - } - buflen += MAX_MISALIGNMENT + 1; loopargs[i].buf_malloc = app_malloc(buflen, "input buffer"); loopargs[i].buf2_malloc = app_malloc(buflen, "input buffer"); - memset(loopargs[i].buf_malloc, 0, buflen); - memset(loopargs[i].buf2_malloc, 0, buflen); /* Align the start of buffers on a 64 byte boundary */ loopargs[i].buf = loopargs[i].buf_malloc + misalign; 
@@ -1807,6 +1839,20 @@ int speed_main(int argc, char **argv) goto show_res; #endif + for (i = 0; i < loopargs_len; ++i) { + if (domlock) { +#if defined(_WIN32) + (void)VirtualLock(loopargs[i].buf_malloc, buflen); + (void)VirtualLock(loopargs[i].buf2_malloc, buflen); +#elif defined(OPENSSL_SYS_LINUX) + (void)mlock(loopargs[i].buf_malloc, buflen); + (void)mlock(loopargs[i].buf_malloc, buflen); +#endif + } + memset(loopargs[i].buf_malloc, 0, buflen); + memset(loopargs[i].buf2_malloc, 0, buflen); + } + /* Initialize the engine after the fork */ e = setup_engine(engine_id, 0); @@ -3350,6 +3396,7 @@ int speed_main(int argc, char **argv) release_engine(e); EVP_CIPHER_free(evp_cipher); EVP_MAC_free(mac); + NCONF_free(conf); return ret; } diff --git a/apps/storeutl.c b/apps/storeutl.c index 30c9915de..cb237de0a 100644 --- a/apps/storeutl.c +++ b/apps/storeutl.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/apps/verify.c b/apps/verify.c index 3aae931f6..22b8eb94b 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -352,7 +352,7 @@ static int cb(int ok, X509_STORE_CTX *ctx) switch (cert_error) { case X509_V_ERR_NO_EXPLICIT_POLICY: policies_print(ctx); - /* fall thru */ + /* fall through */ case X509_V_ERR_CERT_HAS_EXPIRED: /* Continue even if the leaf is a self-signed cert */ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: diff --git a/configdata.pm.in b/configdata.pm.in index 04b901144..68439ae93 100644 --- a/configdata.pm.in +++ b/configdata.pm.in 
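Review bot: The Linux branch of the new locking loop calls `mlock()` on `loopargs[i].buf_malloc` twice and never locks `buf2_malloc`, unlike the `_WIN32` branch just above it which locks both buffers; the second call should read `(void)mlock(loopargs[i].buf2_malloc, buflen);`. Both `mlock()` and `VirtualLock()` have their return values discarded, so when the lock fails (typically `RLIMIT_MEMLOCK` or the process working-set limit) a user who explicitly asked for `-mlock` gets an unlocked benchmark with no indication; consider printing a warning to `bio_err` on a non-zero return instead of casting it to `(void)`. `speed_main()` starts and ends outside this hunk.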
@@ -20,7 +20,7 @@ # Unix form /VOLUME/DIR1/DIR2/FILE, which is what VMS perl supports # for 'use lib'. - # Start with spliting the native path + # Start with splitting the native path (my $vol, my $dirs, my $file) = File::Spec->splitpath($path); my @dirs = File::Spec->splitdir($dirs); @@ -89,7 +89,7 @@ unless (caller) { if (scalar @ARGV == 0) { # With no arguments, re-create the build file # We do that in two steps, where the first step emits perl - # snipets. + # snippets. my $buildfile = $config{build_file}; my $buildfile_template = "$buildfile.in"; diff --git a/crypto/aes/asm/aes-riscv32-zkn.pl b/crypto/aes/asm/aes-riscv32-zkn.pl new file mode 100644 index 000000000..7a20f66e5 --- /dev/null +++ b/crypto/aes/asm/aes-riscv32-zkn.pl 
@@ -0,0 +1,1061 @@ +#! /usr/bin/env perl +# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# $output is the last argument if it looks like a file (it has an extension) +# $flavour is the first argument if it doesn't look like a file +$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; +$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; + +$output and open STDOUT,">$output"; + +################################################################################ +# Utility functions to help with keeping track of which registers to stack/ +# unstack when entering / exiting routines. +################################################################################ +{ + # Callee-saved registers + my @callee_saved = map("x$_",(2,8,9,18..27)); + # Caller-saved registers + my @caller_saved = map("x$_",(1,5..7,10..17,28..31)); + my @must_save; + sub use_reg { + my $reg = shift; + if (grep(/^$reg$/, @callee_saved)) { + push(@must_save, $reg); + } elsif (!grep(/^$reg$/, @caller_saved)) { + # Register is not usable! 
+ die("Unusable register ".$reg); + } + return $reg; + } + sub use_regs { + return map(use_reg("x$_"), @_); + } + sub save_regs { + my $ret = ''; + my $stack_reservation = ($#must_save + 1) * 8; + my $stack_offset = $stack_reservation; + if ($stack_reservation % 16) { + $stack_reservation += 8; + } + $ret.=" addi sp,sp,-$stack_reservation\n"; + foreach (@must_save) { + $stack_offset -= 8; + $ret.=" sw $_,$stack_offset(sp)\n"; + } + return $ret; + } + sub load_regs { + my $ret = ''; + my $stack_reservation = ($#must_save + 1) * 8; + my $stack_offset = $stack_reservation; + if ($stack_reservation % 16) { + $stack_reservation += 8; + } + foreach (@must_save) { + $stack_offset -= 8; + $ret.=" lw $_,$stack_offset(sp)\n"; + } + $ret.=" addi sp,sp,$stack_reservation\n"; + return $ret; + } + sub clear_regs { + @must_save = (); + } +} + +################################################################################ +# util for encoding scalar crypto extension instructions +################################################################################ + +my @regs = map("x$_",(0..31)); +my %reglookup; +@reglookup{@regs} = @regs; + +# Takes a register name, possibly an alias, and converts it to a register index +# from 0 to 31 +sub read_reg { + my $reg = lc shift; + if (!exists($reglookup{$reg})) { + die("Unknown register ".$reg); + } + my $regstr = $reglookup{$reg}; + if (!($regstr =~ /^x([0-9]+)$/)) { + die("Could not process register ".$reg); + } + return $1; +} + +sub aes32dsi { + # Encoding for aes32dsi rd, rs1, rs2, bs instruction on RV32 + # bs_XXXXX_ rs2 _ rs1 _XXX_ rd _XXXXXXX + my $template = 0b00_10101_00000_00000_000_00000_0110011; + my $rd = read_reg shift; + my $rs1 = read_reg shift; + my $rs2 = read_reg shift; + my $bs = shift; + + return ".word ".($template | ($bs << 30) | ($rs2 << 20) | ($rs1 << 15) | ($rd << 7)); +} + +sub aes32dsmi { + # Encoding for aes32dsmi rd, rs1, rs2, bs instruction on RV32 + # bs_XXXXX_ rs2 _ rs1 _XXX_ rd _XXXXXXX + my $template = 
0b00_10111_00000_00000_000_00000_0110011; + my $rd = read_reg shift; + my $rs1 = read_reg shift; + my $rs2 = read_reg shift; + my $bs = shift; + + return ".word ".($template | ($bs << 30) | ($rs2 << 20) | ($rs1 << 15) | ($rd << 7)); +} + +sub aes32esi { + # Encoding for aes32esi rd, rs1, rs2, bs instruction on RV32 + # bs_XXXXX_ rs2 _ rs1 _XXX_ rd _XXXXXXX + my $template = 0b00_10001_00000_00000_000_00000_0110011; + my $rd = read_reg shift; + my $rs1 = read_reg shift; + my $rs2 = read_reg shift; + my $bs = shift; + + return ".word ".($template | ($bs << 30) | ($rs2 << 20) | ($rs1 << 15) | ($rd << 7)); +} + +sub aes32esmi { + # Encoding for aes32esmi rd, rs1, rs2, bs instruction on RV32 + # bs_XXXXX_ rs2 _ rs1 _XXX_ rd _XXXXXXX + my $template = 0b00_10011_00000_00000_000_00000_0110011; + my $rd = read_reg shift; + my $rs1 = read_reg shift; + my $rs2 = read_reg shift; + my $bs = shift; + + return ".word ".($template | ($bs << 30) | ($rs2 << 20) | ($rs1 << 15) | ($rd << 7)); +} + +sub rori { + # Encoding for ror rd, rs1, imm instruction on RV64 + # XXXXXXX_shamt_ rs1 _XXX_ rd _XXXXXXX + my $template = 0b0110000_00000_00000_101_00000_0010011; + my $rd = read_reg shift; + my $rs1 = read_reg shift; + my $shamt = shift; + + return ".word ".($template | ($shamt << 20) | ($rs1 << 15) | ($rd << 7)); +} + +################################################################################ +# Register assignment for rv32i_zkne_encrypt and rv32i_zknd_decrypt +################################################################################ + +# Registers initially to hold AES state (called s0-s3 or y0-y3 elsewhere) +my ($Q0,$Q1,$Q2,$Q3) = use_regs(6..9); + +# Function arguments (x10-x12 are a0-a2 in the ABI) +# Input block pointer, output block pointer, key pointer +my ($INP,$OUTP,$KEYP) = use_regs(10..12); + +# Registers initially to hold Key +my ($T0,$T1,$T2,$T3) = use_regs(13..16); + +# Loop counter +my ($loopcntr) = use_regs(30); + 
+################################################################################ +# Utility for rv32i_zkne_encrypt and rv32i_zknd_decrypt +################################################################################ + +# outer product of whole state into one column of key +sub outer { + my $inst = shift; + my $key = shift; + # state 0 to 3 + my $s0 = shift; + my $s1 = shift; + my $s2 = shift; + my $s3 = shift; + my $ret = ''; +$ret .= <<___; + @{[$inst->($key,$key,$s0,0)]} + @{[$inst->($key,$key,$s1,1)]} + @{[$inst->($key,$key,$s2,2)]} + @{[$inst->($key,$key,$s3,3)]} +___ + return $ret; +} + +sub aes32esmi4 { + return outer(\&aes32esmi, @_) +} + +sub aes32esi4 { + return outer(\&aes32esi, @_) +} + +sub aes32dsmi4 { + return outer(\&aes32dsmi, @_) +} + +sub aes32dsi4 { + return outer(\&aes32dsi, @_) +} + +################################################################################ +# void rv32i_zkne_encrypt(const unsigned char *in, unsigned char *out, +# const AES_KEY *key); +################################################################################ +my $code .= <<___; +.text +.balign 16 +.globl rv32i_zkne_encrypt +.type rv32i_zkne_encrypt,\@function +rv32i_zkne_encrypt: +___ + +$code .= save_regs(); + +$code .= <<___; + # Load input to block cipher + lw $Q0,0($INP) + lw $Q1,4($INP) + lw $Q2,8($INP) + lw $Q3,12($INP) + + # Load key + lw $T0,0($KEYP) + lw $T1,4($KEYP) + lw $T2,8($KEYP) + lw $T3,12($KEYP) + + # Load number of rounds + lw $loopcntr,240($KEYP) + + # initial transformation + xor $Q0,$Q0,$T0 + xor $Q1,$Q1,$T1 + xor $Q2,$Q2,$T2 + xor $Q3,$Q3,$T3 + + # The main loop only executes the first N-2 rounds, each loop consumes two rounds + add $loopcntr,$loopcntr,-2 + srli $loopcntr,$loopcntr,1 +1: + # Grab next key in schedule + add $KEYP,$KEYP,16 + lw $T0,0($KEYP) + lw $T1,4($KEYP) + lw $T2,8($KEYP) + lw $T3,12($KEYP) + + @{[aes32esmi4 $T0,$Q0,$Q1,$Q2,$Q3]} + @{[aes32esmi4 $T1,$Q1,$Q2,$Q3,$Q0]} + @{[aes32esmi4 $T2,$Q2,$Q3,$Q0,$Q1]} + @{[aes32esmi4 
$T3,$Q3,$Q0,$Q1,$Q2]} + # now T0~T3 hold the new state + + # Grab next key in schedule + add $KEYP,$KEYP,16 + lw $Q0,0($KEYP) + lw $Q1,4($KEYP) + lw $Q2,8($KEYP) + lw $Q3,12($KEYP) + + @{[aes32esmi4 $Q0,$T0,$T1,$T2,$T3]} + @{[aes32esmi4 $Q1,$T1,$T2,$T3,$T0]} + @{[aes32esmi4 $Q2,$T2,$T3,$T0,$T1]} + @{[aes32esmi4 $Q3,$T3,$T0,$T1,$T2]} + # now Q0~Q3 hold the new state + + add $loopcntr,$loopcntr,-1 + bgtz $loopcntr,1b + +# final two rounds + # Grab next key in schedule + add $KEYP,$KEYP,16 + lw $T0,0($KEYP) + lw $T1,4($KEYP) + lw $T2,8($KEYP) + lw $T3,12($KEYP) + + @{[aes32esmi4 $T0,$Q0,$Q1,$Q2,$Q3]} + @{[aes32esmi4 $T1,$Q1,$Q2,$Q3,$Q0]} + @{[aes32esmi4 $T2,$Q2,$Q3,$Q0,$Q1]} + @{[aes32esmi4 $T3,$Q3,$Q0,$Q1,$Q2]} + # now T0~T3 hold the new state + + # Grab next key in schedule + add $KEYP,$KEYP,16 + lw $Q0,0($KEYP) + lw $Q1,4($KEYP) + lw $Q2,8($KEYP) + lw $Q3,12($KEYP) + + # no mix column now + @{[aes32esi4 $Q0,$T0,$T1,$T2,$T3]} + @{[aes32esi4 $Q1,$T1,$T2,$T3,$T0]} + @{[aes32esi4 $Q2,$T2,$T3,$T0,$T1]} + @{[aes32esi4 $Q3,$T3,$T0,$T1,$T2]} + # now Q0~Q3 hold the new state + + sw $Q0,0($OUTP) + sw $Q1,4($OUTP) + sw $Q2,8($OUTP) + sw $Q3,12($OUTP) + + # Pop registers and return +___ + +$code .= load_regs(); + +$code .= <<___; + ret +___ + +################################################################################ +# void rv32i_zknd_decrypt(const unsigned char *in, unsigned char *out, +# const AES_KEY *key); +################################################################################ +$code .= <<___; +.text +.balign 16 +.globl rv32i_zknd_decrypt +.type rv32i_zknd_decrypt,\@function +rv32i_zknd_decrypt: +___ + +$code .= save_regs(); + +$code .= <<___; + # Load input to block cipher + lw $Q0,0($INP) + lw $Q1,4($INP) + lw $Q2,8($INP) + lw $Q3,12($INP) + + # Load number of rounds + lw $loopcntr,240($KEYP) + + # Load the last key + # use T0 as temporary now + slli $T0,$loopcntr,4 + add $KEYP,$KEYP,$T0 + # Load key + lw $T0,0($KEYP) + lw $T1,4($KEYP) + lw $T2,8($KEYP) 
+ lw $T3,12($KEYP) + + # initial transformation + xor $Q0,$Q0,$T0 + xor $Q1,$Q1,$T1 + xor $Q2,$Q2,$T2 + xor $Q3,$Q3,$T3 + + # The main loop only executes the first N-2 rounds, each loop consumes two rounds + add $loopcntr,$loopcntr,-2 + srli $loopcntr,$loopcntr,1 +1: + # Grab next key in schedule + add $KEYP,$KEYP,-16 + lw $T0,0($KEYP) + lw $T1,4($KEYP) + lw $T2,8($KEYP) + lw $T3,12($KEYP) + + @{[aes32dsmi4 $T0,$Q0,$Q3,$Q2,$Q1]} + @{[aes32dsmi4 $T1,$Q1,$Q0,$Q3,$Q2]} + @{[aes32dsmi4 $T2,$Q2,$Q1,$Q0,$Q3]} + @{[aes32dsmi4 $T3,$Q3,$Q2,$Q1,$Q0]} + # now T0~T3 hold the new state + + # Grab next key in schedule + add $KEYP,$KEYP,-16 + lw $Q0,0($KEYP) + lw $Q1,4($KEYP) + lw $Q2,8($KEYP) + lw $Q3,12($KEYP) + + @{[aes32dsmi4 $Q0,$T0,$T3,$T2,$T1]} + @{[aes32dsmi4 $Q1,$T1,$T0,$T3,$T2]} + @{[aes32dsmi4 $Q2,$T2,$T1,$T0,$T3]} + @{[aes32dsmi4 $Q3,$T3,$T2,$T1,$T0]} + # now Q0~Q3 hold the new state + + add $loopcntr,$loopcntr,-1 + bgtz $loopcntr,1b + +# final two rounds + # Grab next key in schedule + add $KEYP,$KEYP,-16 + lw $T0,0($KEYP) + lw $T1,4($KEYP) + lw $T2,8($KEYP) + lw $T3,12($KEYP) + + @{[aes32dsmi4 $T0,$Q0,$Q3,$Q2,$Q1]} + @{[aes32dsmi4 $T1,$Q1,$Q0,$Q3,$Q2]} + @{[aes32dsmi4 $T2,$Q2,$Q1,$Q0,$Q3]} + @{[aes32dsmi4 $T3,$Q3,$Q2,$Q1,$Q0]} + # now T0~T3 hold the new state + + # Grab next key in schedule + add $KEYP,$KEYP,-16 + lw $Q0,0($KEYP) + lw $Q1,4($KEYP) + lw $Q2,8($KEYP) + lw $Q3,12($KEYP) + + # no mix column now + @{[aes32dsi4 $Q0,$T0,$T3,$T2,$T1]} + @{[aes32dsi4 $Q1,$T1,$T0,$T3,$T2]} + @{[aes32dsi4 $Q2,$T2,$T1,$T0,$T3]} + @{[aes32dsi4 $Q3,$T3,$T2,$T1,$T0]} + # now Q0~Q3 hold the new state + + sw $Q0,0($OUTP) + sw $Q1,4($OUTP) + sw $Q2,8($OUTP) + sw $Q3,12($OUTP) + + # Pop registers and return +___ + +$code .= load_regs(); + +$code .= <<___; + ret +___ + +clear_regs(); + +################################################################################ +# Register assignment for rv32i_zkn[e/d]_set_[en/de]crypt 
+################################################################################ + +# Function arguments (x10-x12 are a0-a2 in the ABI) +# Pointer to user key, number of bits in key, key pointer +my ($UKEY,$BITS,$KEYP) = use_regs(10..12); + +# Temporaries +my ($T0,$T1,$T2,$T3,$T4,$T5,$T6,$T7,$T8) = use_regs(13..17,28..31); + +################################################################################ +# utility functions for rv32i_zkne_set_encrypt_key +################################################################################ + +my @rcon = (0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36); + +# do 4 sbox on 4 bytes of rs, (possibly mix), then xor with rd +sub sbox4 { + my $inst = shift; + my $rd = shift; + my $rs = shift; + my $ret = <<___; + @{[$inst->($rd,$rd,$rs,0)]} + @{[$inst->($rd,$rd,$rs,1)]} + @{[$inst->($rd,$rd,$rs,2)]} + @{[$inst->($rd,$rd,$rs,3)]} +___ + return $ret; +} + +sub fwdsbox4 { + return sbox4(\&aes32esi, @_); +} + +sub ke128enc { + my $zbkb = shift; + my $rnum = 0; + my $ret = ''; +$ret .= <<___; + lw $T0,0($UKEY) + lw $T1,4($UKEY) + lw $T2,8($UKEY) + lw $T3,12($UKEY) + + sw $T0,0($KEYP) + sw $T1,4($KEYP) + sw $T2,8($KEYP) + sw $T3,12($KEYP) +___ + while($rnum < 10) { +$ret .= <<___; + # use T4 to store rcon + li $T4,$rcon[$rnum] + # as xor is associative and commutative + # we fist xor T0 with RCON, then use T0 to + # xor the result of each SBOX result of T3 + xor $T0,$T0,$T4 + # use T4 to store rotated T3 +___ + # right rotate by 8 + if ($zbkb) { +$ret .= <<___; + @{[rori $T4,$T3,8]} +___ + } else { +$ret .= <<___; + srli $T4,$T3,8 + slli $T5,$T3,24 + or $T4,$T4,$T5 +___ + } +$ret .= <<___; + # update T0 + @{[fwdsbox4 $T0,$T4]} + + # update new T1~T3 + xor $T1,$T1,$T0 + xor $T2,$T2,$T1 + xor $T3,$T3,$T2 + + add $KEYP,$KEYP,16 + sw $T0,0($KEYP) + sw $T1,4($KEYP) + sw $T2,8($KEYP) + sw $T3,12($KEYP) +___ + $rnum++; + } + return $ret; +} + +sub ke192enc { + my $zbkb = shift; + my $rnum = 0; + my $ret = ''; +$ret .= <<___; 
+ lw $T0,0($UKEY) + lw $T1,4($UKEY) + lw $T2,8($UKEY) + lw $T3,12($UKEY) + lw $T4,16($UKEY) + lw $T5,20($UKEY) + + sw $T0,0($KEYP) + sw $T1,4($KEYP) + sw $T2,8($KEYP) + sw $T3,12($KEYP) + sw $T4,16($KEYP) + sw $T5,20($KEYP) +___ + while($rnum < 8) { +$ret .= <<___; + # see the comment in ke128enc + li $T6,$rcon[$rnum] + xor $T0,$T0,$T6 +___ + # right rotate by 8 + if ($zbkb) { +$ret .= <<___; + @{[rori $T6,$T5,8]} +___ + } else { +$ret .= <<___; + srli $T6,$T5,8 + slli $T7,$T5,24 + or $T6,$T6,$T7 +___ + } +$ret .= <<___; + @{[fwdsbox4 $T0,$T6]} + xor $T1,$T1,$T0 + xor $T2,$T2,$T1 + xor $T3,$T3,$T2 +___ + if ($rnum != 7) { + # note that (8+1)*24 = 216, (12+1)*16 = 208 + # thus the last 8 bytes can be dropped +$ret .= <<___; + xor $T4,$T4,$T3 + xor $T5,$T5,$T4 +___ + } +$ret .= <<___; + add $KEYP,$KEYP,24 + sw $T0,0($KEYP) + sw $T1,4($KEYP) + sw $T2,8($KEYP) + sw $T3,12($KEYP) +___ + if ($rnum != 7) { +$ret .= <<___; + sw $T4,16($KEYP) + sw $T5,20($KEYP) +___ + } + $rnum++; + } + return $ret; +} + +sub ke256enc { + my $zbkb = shift; + my $rnum = 0; + my $ret = ''; +$ret .= <<___; + lw $T0,0($UKEY) + lw $T1,4($UKEY) + lw $T2,8($UKEY) + lw $T3,12($UKEY) + lw $T4,16($UKEY) + lw $T5,20($UKEY) + lw $T6,24($UKEY) + lw $T7,28($UKEY) + + sw $T0,0($KEYP) + sw $T1,4($KEYP) + sw $T2,8($KEYP) + sw $T3,12($KEYP) + sw $T4,16($KEYP) + sw $T5,20($KEYP) + sw $T6,24($KEYP) + sw $T7,28($KEYP) +___ + while($rnum < 7) { +$ret .= <<___; + # see the comment in ke128enc + li $T8,$rcon[$rnum] + xor $T0,$T0,$T8 +___ + # right rotate by 8 + if ($zbkb) { +$ret .= <<___; + @{[rori $T8,$T7,8]} +___ + } else { +$ret .= <<___; + srli $T8,$T7,8 + slli $BITS,$T7,24 + or $T8,$T8,$BITS +___ + } +$ret .= <<___; + @{[fwdsbox4 $T0,$T8]} + xor $T1,$T1,$T0 + xor $T2,$T2,$T1 + xor $T3,$T3,$T2 + + add $KEYP,$KEYP,32 + sw $T0,0($KEYP) + sw $T1,4($KEYP) + sw $T2,8($KEYP) + sw $T3,12($KEYP) +___ + if ($rnum != 6) { + # note that (7+1)*32 = 256, (14+1)*16 = 240 + # thus the last 16 bytes can be dropped +$ret .= 
<<___; + # for aes256, T3->T4 needs 4sbox but no rotate/rcon + @{[fwdsbox4 $T4,$T3]} + xor $T5,$T5,$T4 + xor $T6,$T6,$T5 + xor $T7,$T7,$T6 + sw $T4,16($KEYP) + sw $T5,20($KEYP) + sw $T6,24($KEYP) + sw $T7,28($KEYP) +___ + } + $rnum++; + } + return $ret; +} + +################################################################################ +# void rv32i_zkne_set_encrypt_key(const unsigned char *userKey, const int bits, +# AES_KEY *key) +################################################################################ +sub AES_set_common { + my ($ke128, $ke192, $ke256) = @_; + my $ret = ''; +$ret .= <<___; + bnez $UKEY,1f # if (!userKey || !key) return -1; + bnez $KEYP,1f + li a0,-1 + ret +1: + # Determine number of rounds from key size in bits + li $T0,128 + bne $BITS,$T0,1f + li $T1,10 # key->rounds = 10 if bits == 128 + sw $T1,240($KEYP) # store key->rounds +$ke128 + j 4f +1: + li $T0,192 + bne $BITS,$T0,2f + li $T1,12 # key->rounds = 12 if bits == 192 + sw $T1,240($KEYP) # store key->rounds +$ke192 + j 4f +2: + li $T1,14 # key->rounds = 14 if bits == 256 + li $T0,256 + beq $BITS,$T0,3f + li a0,-2 # If bits != 128, 192, or 256, return -2 + j 5f +3: + sw $T1,240($KEYP) # store key->rounds +$ke256 +4: # return 0 + li a0,0 +5: # return a0 +___ + return $ret; +} +$code .= <<___; +.text +.balign 16 +.globl rv32i_zkne_set_encrypt_key +.type rv32i_zkne_set_encrypt_key,\@function +rv32i_zkne_set_encrypt_key: +___ + +$code .= save_regs(); +$code .= AES_set_common(ke128enc(0), ke192enc(0),ke256enc(0)); +$code .= load_regs(); +$code .= <<___; + ret +___ + +################################################################################ +# void rv32i_zbkb_zkne_set_encrypt_key(const unsigned char *userKey, +# const int bits, AES_KEY *key) +################################################################################ +$code .= <<___; +.text +.balign 16 +.globl rv32i_zbkb_zkne_set_encrypt_key +.type rv32i_zbkb_zkne_set_encrypt_key,\@function +rv32i_zbkb_zkne_set_encrypt_key: 
+___ + +$code .= save_regs(); +$code .= AES_set_common(ke128enc(1), ke192enc(1),ke256enc(1)); +$code .= load_regs(); +$code .= <<___; + ret +___ + +################################################################################ +# utility functions for rv32i_zknd_zkne_set_decrypt_key +################################################################################ + +sub invm4 { + # fwd sbox then inv sbox then mix column + # the result is only mix column + # this simulates aes64im T0 + my $rd = shift; + my $tmp = shift; + my $rs = shift; + my $ret = <<___; + li $tmp,0 + li $rd,0 + @{[fwdsbox4 $tmp,$rs]} + @{[sbox4(\&aes32dsmi, $rd,$tmp)]} +___ + return $ret; +} + +sub ke128dec { + my $zbkb = shift; + my $rnum = 0; + my $ret = ''; +$ret .= <<___; + lw $T0,0($UKEY) + lw $T1,4($UKEY) + lw $T2,8($UKEY) + lw $T3,12($UKEY) + + sw $T0,0($KEYP) + sw $T1,4($KEYP) + sw $T2,8($KEYP) + sw $T3,12($KEYP) +___ + while($rnum < 10) { +$ret .= <<___; + # see comments in ke128enc + li $T4,$rcon[$rnum] + xor $T0,$T0,$T4 +___ + # right rotate by 8 + if ($zbkb) { +$ret .= <<___; + @{[rori $T4,$T3,8]} +___ + } else { +$ret .= <<___; + srli $T4,$T3,8 + slli $T5,$T3,24 + or $T4,$T4,$T5 +___ + } +$ret .= <<___; + @{[fwdsbox4 $T0,$T4]} + xor $T1,$T1,$T0 + xor $T2,$T2,$T1 + xor $T3,$T3,$T2 + add $KEYP,$KEYP,16 +___ + # need to mixcolumn only for [1:N-1] round keys + # this is from the fact that aes32dsmi subwords first then mix column + # intuitively decryption needs to first mix column then subwords + # however, for merging datapaths (encryption first subwords then mix column) + # aes32dsmi chooses to inverse the order of them, thus + # transform should then be done on the round key + if ($rnum < 9) { +$ret .= <<___; + # T4 and T5 are temp variables + @{[invm4 $T5,$T4,$T0]} + sw $T5,0($KEYP) + @{[invm4 $T5,$T4,$T1]} + sw $T5,4($KEYP) + @{[invm4 $T5,$T4,$T2]} + sw $T5,8($KEYP) + @{[invm4 $T5,$T4,$T3]} + sw $T5,12($KEYP) +___ + } else { +$ret .= <<___; + sw $T0,0($KEYP) + sw $T1,4($KEYP) + sw 
$T2,8($KEYP) + sw $T3,12($KEYP) +___ + } + $rnum++; + } + return $ret; +} + +sub ke192dec { + my $zbkb = shift; + my $rnum = 0; + my $ret = ''; +$ret .= <<___; + lw $T0,0($UKEY) + lw $T1,4($UKEY) + lw $T2,8($UKEY) + lw $T3,12($UKEY) + lw $T4,16($UKEY) + lw $T5,20($UKEY) + + sw $T0,0($KEYP) + sw $T1,4($KEYP) + sw $T2,8($KEYP) + sw $T3,12($KEYP) + # see the comment in ke128dec + # T7 and T6 are temp variables + @{[invm4 $T7,$T6,$T4]} + sw $T7,16($KEYP) + @{[invm4 $T7,$T6,$T5]} + sw $T7,20($KEYP) +___ + while($rnum < 8) { +$ret .= <<___; + # see the comment in ke128enc + li $T6,$rcon[$rnum] + xor $T0,$T0,$T6 +___ + # right rotate by 8 + if ($zbkb) { +$ret .= <<___; + @{[rori $T6,$T5,8]} +___ + } else { +$ret .= <<___; + srli $T6,$T5,8 + slli $T7,$T5,24 + or $T6,$T6,$T7 +___ + } +$ret .= <<___; + @{[fwdsbox4 $T0,$T6]} + xor $T1,$T1,$T0 + xor $T2,$T2,$T1 + xor $T3,$T3,$T2 + + add $KEYP,$KEYP,24 +___ + if ($rnum < 7) { +$ret .= <<___; + xor $T4,$T4,$T3 + xor $T5,$T5,$T4 + + # see the comment in ke128dec + # T7 and T6 are temp variables + @{[invm4 $T7,$T6,$T0]} + sw $T7,0($KEYP) + @{[invm4 $T7,$T6,$T1]} + sw $T7,4($KEYP) + @{[invm4 $T7,$T6,$T2]} + sw $T7,8($KEYP) + @{[invm4 $T7,$T6,$T3]} + sw $T7,12($KEYP) + @{[invm4 $T7,$T6,$T4]} + sw $T7,16($KEYP) + @{[invm4 $T7,$T6,$T5]} + sw $T7,20($KEYP) +___ + } else { # rnum == 7 +$ret .= <<___; + # the reason for dropping T4/T5 is in ke192enc + # the reason for not invm4 is in ke128dec + sw $T0,0($KEYP) + sw $T1,4($KEYP) + sw $T2,8($KEYP) + sw $T3,12($KEYP) +___ + } + $rnum++; + } + return $ret; +} + +sub ke256dec { + my $zbkb = shift; + my $rnum = 0; + my $ret = ''; +$ret .= <<___; + lw $T0,0($UKEY) + lw $T1,4($UKEY) + lw $T2,8($UKEY) + lw $T3,12($UKEY) + lw $T4,16($UKEY) + lw $T5,20($UKEY) + lw $T6,24($UKEY) + lw $T7,28($UKEY) + + sw $T0,0($KEYP) + sw $T1,4($KEYP) + sw $T2,8($KEYP) + sw $T3,12($KEYP) + # see the comment in ke128dec + # BITS and T8 are temp variables + # BITS are not used anymore + @{[invm4 $T8,$BITS,$T4]} + sw 
$T8,16($KEYP) + @{[invm4 $T8,$BITS,$T5]} + sw $T8,20($KEYP) + @{[invm4 $T8,$BITS,$T6]} + sw $T8,24($KEYP) + @{[invm4 $T8,$BITS,$T7]} + sw $T8,28($KEYP) +___ + while($rnum < 7) { +$ret .= <<___; + # see the comment in ke128enc + li $T8,$rcon[$rnum] + xor $T0,$T0,$T8 +___ + # right rotate by 8 + if ($zbkb) { +$ret .= <<___; + @{[rori $T8,$T7,8]} +___ + } else { +$ret .= <<___; + srli $T8,$T7,8 + slli $BITS,$T7,24 + or $T8,$T8,$BITS +___ + } +$ret .= <<___; + @{[fwdsbox4 $T0,$T8]} + xor $T1,$T1,$T0 + xor $T2,$T2,$T1 + xor $T3,$T3,$T2 + + add $KEYP,$KEYP,32 +___ + if ($rnum < 6) { +$ret .= <<___; + # for aes256, T3->T4 needs 4sbox but no rotate/rcon + @{[fwdsbox4 $T4,$T3]} + xor $T5,$T5,$T4 + xor $T6,$T6,$T5 + xor $T7,$T7,$T6 + + # see the comment in ke128dec + # T8 and BITS are temp variables + @{[invm4 $T8,$BITS,$T0]} + sw $T8,0($KEYP) + @{[invm4 $T8,$BITS,$T1]} + sw $T8,4($KEYP) + @{[invm4 $T8,$BITS,$T2]} + sw $T8,8($KEYP) + @{[invm4 $T8,$BITS,$T3]} + sw $T8,12($KEYP) + @{[invm4 $T8,$BITS,$T4]} + sw $T8,16($KEYP) + @{[invm4 $T8,$BITS,$T5]} + sw $T8,20($KEYP) + @{[invm4 $T8,$BITS,$T6]} + sw $T8,24($KEYP) + @{[invm4 $T8,$BITS,$T7]} + sw $T8,28($KEYP) +___ + } else { +$ret .= <<___; + sw $T0,0($KEYP) + sw $T1,4($KEYP) + sw $T2,8($KEYP) + sw $T3,12($KEYP) + # last 16 bytes are dropped + # see the comment in ke256enc +___ + } + $rnum++; + } + return $ret; +} + +################################################################################ +# void rv32i_zknd_zkne_set_decrypt_key(const unsigned char *userKey, const int bits, +# AES_KEY *key) +################################################################################ +# a note on naming: set_decrypt_key needs aes32esi thus add zkne on name +$code .= <<___; +.text +.balign 16 +.globl rv32i_zknd_zkne_set_decrypt_key +.type rv32i_zknd_zkne_set_decrypt_key,\@function +rv32i_zknd_zkne_set_decrypt_key: +___ +$code .= save_regs(); +$code .= AES_set_common(ke128dec(0), ke192dec(0),ke256dec(0)); +$code .= load_regs(); +$code 
.= <<___; + ret +___ + +################################################################################ +# void rv32i_zbkb_zknd_zkne_set_decrypt_key(const unsigned char *userKey, +# const int bits, AES_KEY *key) +################################################################################ +$code .= <<___; +.text +.balign 16 +.globl rv32i_zbkb_zknd_zkne_set_decrypt_key +.type rv32i_zbkb_zknd_zkne_set_decrypt_key,\@function +rv32i_zbkb_zknd_zkne_set_decrypt_key: +___ + +$code .= save_regs(); +$code .= AES_set_common(ke128dec(1), ke192dec(1),ke256dec(1)); +$code .= load_regs(); +$code .= <<___; + ret +___ + + + +print $code; +close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/aes/asm/aes-riscv64-zkn.pl b/crypto/aes/asm/aes-riscv64-zkn.pl new file mode 100644 index 000000000..fe4d26eac --- /dev/null +++ b/crypto/aes/asm/aes-riscv64-zkn.pl 
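Review bot: The NULL-pointer guard emitted by `AES_set_common` (`bnez $UKEY,1f` / `bnez $KEYP,1f` / `li a0,-1` / `ret`) returns -1 only when both `userKey` and `key` are NULL; a NULL in either one alone jumps to `1:` and proceeds to the loads from `$UKEY` and the `sw ... 240($KEYP)` stores, whereas the comment `# if (!userKey || !key) return -1;` describes the intended check. The early `ret` also bypasses the `load_regs()` epilogue that every caller appends after `AES_set_common`; that is harmless today because the key-setup routines only claim caller-saved registers (so `save_regs()` reserves no stack), but leaving through the shared `5:` exit is more robust if a callee-saved register is ever added. The rewrite below uses `beqz` for the guard and routes the error return through `5f`. Separately, the `rori` helper's comment says `ror ... on RV64` although this is the RV32 file and `$shamt << 20` fills the 5-bit RV32 immediate; the comment should say RV32 so nobody passes a 6-bit shift amount.
```perl
sub AES_set_common {
    my ($ke128, $ke192, $ke256) = @_;
    my $ret = '';
$ret .= <<___;
    beqz    $UKEY,0f        # if (!userKey || !key) return -1;
    beqz    $KEYP,0f
    j       1f
0:
    li      a0,-1
    j       5f              # leave via the common exit so the callers' load_regs() runs
1:
    # ... unchanged: rounds dispatch, $ke128/$ke192/$ke256 expansion, labels 2..5 ...
```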
@@ -0,0 +1,655 @@
+#! /usr/bin/env perl
+# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+# $output is the last argument if it looks like a file (it has an extension)
+# $flavour is the first argument if it doesn't look like a file
+$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
+$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
+
+$output and open STDOUT,">$output";
+
+################################################################################
+# Utility functions to help with keeping track of which registers to stack/
+# unstack when entering / exiting routines.
+################################################################################
+{
+ # Callee-saved registers
+ my @callee_saved = map("x$_",(2,8,9,18..27));
+ # Caller-saved registers
+ my @caller_saved = map("x$_",(1,5..7,10..17,28..31));
+ my @must_save;
+ sub use_reg {
+ my $reg = shift;
+ if (grep(/^$reg$/, @callee_saved)) {
+ push(@must_save, $reg);
+ } elsif (!grep(/^$reg$/, @caller_saved)) {
+ # Register is not usable!
+ die("Unusable register ".$reg);
+ }
+ return $reg;
+ }
+ sub use_regs {
+ return map(use_reg("x$_"), @_);
+ }
+ sub save_regs {
+ my $ret = '';
+ my $stack_reservation = ($#must_save + 1) * 8;
+ my $stack_offset = $stack_reservation;
+ if ($stack_reservation % 16) {
+ $stack_reservation += 8;
+ }
+ $ret.=" addi sp,sp,-$stack_reservation\n";
+ foreach (@must_save) {
+ $stack_offset -= 8;
+ $ret.=" sd $_,$stack_offset(sp)\n";
+ }
+ return $ret;
+ }
+ sub load_regs {
+ my $ret = '';
+ my $stack_reservation = ($#must_save + 1) * 8;
+ my $stack_offset = $stack_reservation;
+ if ($stack_reservation % 16) {
+ $stack_reservation += 8;
+ }
+ foreach (@must_save) {
+ $stack_offset -= 8;
+ $ret.=" ld $_,$stack_offset(sp)\n";
+ }
+ $ret.=" addi sp,sp,$stack_reservation\n";
+ return $ret;
+ }
+ sub clear_regs {
+ @must_save = ();
+ }
+}
+
+################################################################################
+# util for encoding scalar crypto extension instructions
+################################################################################
+
+my @regs = map("x$_",(0..31));
+my %reglookup;
+@reglookup{@regs} = @regs;
+
+# Takes a register name, possibly an alias, and converts it to a register index
+# from 0 to 31
+sub read_reg {
+ my $reg = lc shift;
+ if (!exists($reglookup{$reg})) {
+ die("Unknown register ".$reg);
+ }
+ my $regstr = $reglookup{$reg};
+ if (!($regstr =~ /^x([0-9]+)$/)) {
+ die("Could not process register ".$reg);
+ }
+ return $1;
+}
+
+sub rv64_aes64ds {
+ # Encoding for aes64ds rd, rs1, rs2 instruction on RV64
+ # XXXXXXX_ rs2 _ rs1 _XXX_ rd _XXXXXXX
+ my $template = 0b0011101_00000_00000_000_00000_0110011;
+ my $rd = read_reg shift;
+ my $rs1 = read_reg shift;
+ my $rs2 = read_reg shift;
+
+ return ".word ".($template | ($rs2 << 20) | ($rs1 << 15) | ($rd << 7));
+}
+
+sub rv64_aes64dsm {
+ # Encoding for aes64dsm rd, rs1, rs2 instruction on RV64
+ # XXXXXXX_ rs2 _ rs1 _XXX_ rd _XXXXXXX
+ my $template = 0b0011111_00000_00000_000_00000_0110011;
+ my $rd = read_reg shift;
+ my $rs1 = read_reg shift;
+ my $rs2 = read_reg shift;
+
+ return ".word ".($template | ($rs2 << 20) | ($rs1 << 15) | ($rd << 7));
+}
+
+sub rv64_aes64es {
+ # Encoding for aes64es rd, rs1, rs2 instruction on RV64
+ # XXXXXXX_ rs2 _ rs1 _XXX_ rd _XXXXXXX
+ my $template = 0b0011001_00000_00000_000_00000_0110011;
+ my $rd = read_reg shift;
+ my $rs1 = read_reg shift;
+ my $rs2 = read_reg shift;
+
+ return ".word ".($template | ($rs2 << 20) | ($rs1 << 15) | ($rd << 7));
+}
+
+sub rv64_aes64esm {
+ # Encoding for aes64esm rd, rs1, rs2 instruction on RV64
+ # XXXXXXX_ rs2 _ rs1 _XXX_ rd _XXXXXXX
+ my $template = 0b0011011_00000_00000_000_00000_0110011;
+ my $rd = read_reg shift;
+ my $rs1 = read_reg shift;
+ my $rs2 = read_reg shift;
+
+ return ".word ".($template | ($rs2 << 20) | ($rs1 << 15) | ($rd << 7));
+}
+
+sub rv64_aes64im {
+ # Encoding for aes64im rd, rs1 instruction on RV64
+ # XXXXXXXXXXXX_ rs1 _XXX_ rd _XXXXXXX
+ my $template = 0b001100000000_00000_001_00000_0010011;
+ my $rd = read_reg shift;
+ my $rs1 = read_reg shift;
+
+ return ".word ".($template | ($rs1 << 15) | ($rd << 7));
+}
+
+sub rv64_aes64ks1i {
+ # Encoding for aes64ks1i rd, rs1, rnum instruction on RV64
+ # XXXXXXXX_rnum_ rs1 _XXX_ rd _XXXXXXX
+ my $template = 0b00110001_0000_00000_001_00000_0010011;
+ my $rd = read_reg shift;
+ my $rs1 = read_reg shift;
+ my $rnum = shift;
+
+ return ".word ".($template | ($rnum << 20) | ($rs1 << 15) | ($rd << 7));
+}
+
+sub rv64_aes64ks2 {
+ # Encoding for aes64ks2 rd, rs1, rs2 instruction on RV64
+ # XXXXXXX_ rs2 _ rs1 _XXX_ rd _XXXXXXX
+ my $template = 0b0111111_00000_00000_000_00000_0110011;
+ my $rd = read_reg shift;
+ my $rs1 = read_reg shift;
+ my $rs2 = read_reg shift;
+
+ return ".word ".($template | ($rs2 << 20) | ($rs1 << 15) | ($rd << 7));
+}
+################################################################################
+# Register assignment for rv64i_zkne_encrypt and rv64i_zknd_decrypt
+################################################################################
+
+# Registers to hold AES state (called s0-s3 or y0-y3 elsewhere)
+my ($Q0,$Q1,$Q2,$Q3) = use_regs(6..9);
+
+# Function arguments (x10-x12 are a0-a2 in the ABI)
+# Input block pointer, output block pointer, key pointer
+my ($INP,$OUTP,$KEYP) = use_regs(10..12);
+
+# Temporaries
+my ($T0,$T1) = use_regs(13..14);
+
+# Loop counter
+my ($loopcntr) = use_regs(30);
+
+################################################################################
+# void rv64i_zkne_encrypt(const unsigned char *in, unsigned char *out,
+# const AES_KEY *key);
+################################################################################
+my $code .= <<___;
+.text
+.balign 16
+.globl rv64i_zkne_encrypt
+.type rv64i_zkne_encrypt,\@function
+rv64i_zkne_encrypt:
+___
+
+$code .= save_regs();
+
+$code .= <<___;
+
+ # Load input to block cipher
+ ld $Q0,0($INP)
+ ld $Q1,8($INP)
+
+ # Load key
+ ld $T0,0($KEYP)
+ ld $T1,8($KEYP)
+
+ # Load number of rounds
+ lwu $loopcntr,240($KEYP)
+
+ # initial transformation
+ xor $Q0,$Q0,$T0
+ xor $Q1,$Q1,$T1
+
+ # The main loop only executes the first N-1 rounds.
+ add $loopcntr,$loopcntr,-1
+
+ # Do Nr - 1 rounds (final round is special)
+1:
+ @{[rv64_aes64esm $Q2,$Q0,$Q1]}
+ @{[rv64_aes64esm $Q3,$Q1,$Q0]}
+
+ # Update key ptr to point to next key in schedule
+ add $KEYP,$KEYP,16
+
+ # Grab next key in schedule
+ ld $T0,0($KEYP)
+ ld $T1,8($KEYP)
+ xor $Q0,$Q2,$T0
+ xor $Q1,$Q3,$T1
+
+ add $loopcntr,$loopcntr,-1
+ bgtz $loopcntr,1b
+
+ # final round
+ @{[rv64_aes64es $Q2,$Q0,$Q1]}
+ @{[rv64_aes64es $Q3,$Q1,$Q0]}
+
+ # since not added 16 before
+ ld $T0,16($KEYP)
+ ld $T1,24($KEYP)
+ xor $Q0,$Q2,$T0
+ xor $Q1,$Q3,$T1
+
+ sd $Q0,0($OUTP)
+ sd $Q1,8($OUTP)
+
+ # Pop registers and return
+___
+
+$code .= load_regs();
+
+$code .= <<___;
+ ret
+___
+
+################################################################################
+# void rv64i_zknd_decrypt(const unsigned char *in, unsigned char *out,
+# const AES_KEY *key);
+################################################################################
+$code .= <<___;
+.text
+.balign 16
+.globl rv64i_zknd_decrypt
+.type rv64i_zknd_decrypt,\@function
+rv64i_zknd_decrypt:
+___
+
+$code .= save_regs();
+
+$code .= <<___;
+
+ # Load input to block cipher
+ ld $Q0,0($INP)
+ ld $Q1,8($INP)
+
+ # Load number of rounds
+ lwu $loopcntr,240($KEYP)
+
+ # Load the last key
+ slli $T0,$loopcntr,4
+ add $KEYP,$KEYP,$T0
+ ld $T0,0($KEYP)
+ ld $T1,8($KEYP)
+
+ xor $Q0,$Q0,$T0
+ xor $Q1,$Q1,$T1
+
+ # The main loop only executes the first N-1 rounds.
+ add $loopcntr,$loopcntr,-1
+
+ # Do Nr - 1 rounds (final round is special)
+1:
+ @{[rv64_aes64dsm $Q2,$Q0,$Q1]}
+ @{[rv64_aes64dsm $Q3,$Q1,$Q0]}
+
+ # Update key ptr to point to next key in schedule
+ add $KEYP,$KEYP,-16
+
+ # Grab next key in schedule
+ ld $T0,0($KEYP)
+ ld $T1,8($KEYP)
+ xor $Q0,$Q2,$T0
+ xor $Q1,$Q3,$T1
+
+ add $loopcntr,$loopcntr,-1
+ bgtz $loopcntr,1b
+
+ # final round
+ @{[rv64_aes64ds $Q2,$Q0,$Q1]}
+ @{[rv64_aes64ds $Q3,$Q1,$Q0]}
+
+ add $KEYP,$KEYP,-16
+ ld $T0,0($KEYP)
+ ld $T1,8($KEYP)
+ xor $Q0,$Q2,$T0
+ xor $Q1,$Q3,$T1
+
+ sd $Q0,0($OUTP)
+ sd $Q1,8($OUTP)
+ # Pop registers and return
+___
+
+$code .= load_regs();
+
+$code .= <<___;
+ ret
+___
+
+clear_regs();
+
+################################################################################
+# Register assignment for rv64i_zkn[e/d]_set_[en/de]crypt_key
+################################################################################
+
+# Function arguments (x10-x12 are a0-a2 in the ABI)
+# Pointer to user key, number of bits in key, key pointer
+my ($UKEY,$BITS,$KEYP) = use_regs(10..12);
+
+# Temporaries
+my ($T0,$T1,$T2,$T3,$T4) = use_regs(6..8,13..14);
+
+################################################################################
+# utility functions for rv64i_zkne_set_encrypt_key
+################################################################################
+sub ke128enc {
+ my $rnum = 0;
+ my $ret = '';
+$ret .= <<___;
+ ld $T0,0($UKEY)
+ ld $T1,8($UKEY)
+ sd $T0,0($KEYP)
+ sd $T1,8($KEYP)
+___
+ while($rnum < 10) {
+$ret .= <<___;
+ @{[rv64_aes64ks1i $T2,$T1,$rnum]}
+ @{[rv64_aes64ks2 $T0,$T2,$T0]}
+ @{[rv64_aes64ks2 $T1,$T0,$T1]}
+ add $KEYP,$KEYP,16
+ sd $T0,0($KEYP)
+ sd $T1,8($KEYP)
+___
+ $rnum++;
+ }
+ return $ret;
+}
+
+sub ke192enc {
+ my $rnum = 0;
+ my $ret = '';
+$ret .= <<___;
+ ld $T0,0($UKEY)
+ ld $T1,8($UKEY)
+ ld $T2,16($UKEY)
+ sd $T0,0($KEYP)
+ sd $T1,8($KEYP)
+ sd $T2,16($KEYP)
+___
+ while($rnum < 8) {
+$ret .= <<___;
+ @{[rv64_aes64ks1i $T3,$T2,$rnum]}
+ @{[rv64_aes64ks2 $T0,$T3,$T0]}
+ @{[rv64_aes64ks2 $T1,$T0,$T1]}
+___
+ if ($rnum != 7) {
+ # note that (8+1)*24 = 216, (12+1)*16 = 208
+ # thus the last 8 bytes can be dropped
+$ret .= <<___;
+ @{[rv64_aes64ks2 $T2,$T1,$T2]}
+___
+ }
+$ret .= <<___;
+ add $KEYP,$KEYP,24
+ sd $T0,0($KEYP)
+ sd $T1,8($KEYP)
+___
+ if ($rnum != 7) {
+$ret .= <<___;
+ sd $T2,16($KEYP)
+___
+ }
+ $rnum++;
+ }
+ return $ret;
+}
+
+sub ke256enc {
+ my $rnum = 0;
+ my $ret = '';
+$ret .= <<___;
+ ld $T0,0($UKEY)
+ ld $T1,8($UKEY)
+ ld $T2,16($UKEY)
+ ld $T3,24($UKEY)
+ sd $T0,0($KEYP)
+ sd $T1,8($KEYP)
+ sd $T2,16($KEYP)
+ sd $T3,24($KEYP)
+___
+ while($rnum < 7) {
+$ret .= <<___;
+ @{[rv64_aes64ks1i $T4,$T3,$rnum]}
+ @{[rv64_aes64ks2 $T0,$T4,$T0]}
+ @{[rv64_aes64ks2 $T1,$T0,$T1]}
+ add $KEYP,$KEYP,32
+ sd $T0,0($KEYP)
+ sd $T1,8($KEYP)
+___
+ if ($rnum != 6) {
+ # note that (7+1)*32 = 256, (14+1)*16 = 240
+ # thus the last 16 bytes can be dropped
+$ret .= <<___;
+ @{[rv64_aes64ks1i $T4,$T1,0xA]}
+ @{[rv64_aes64ks2 $T2,$T4,$T2]}
+ @{[rv64_aes64ks2 $T3,$T2,$T3]}
+ sd $T2,16($KEYP)
+ sd $T3,24($KEYP)
+___
+ }
+ $rnum++;
+ }
+ return $ret;
+}
+
+################################################################################
+# void rv64i_zkne_set_encrypt_key(const unsigned char *userKey, const int bits,
+# AES_KEY *key)
+################################################################################
+sub AES_set_common {
+ my ($ke128, $ke192, $ke256) = @_;
+ my $ret = '';
+$ret .= <<___;
+ bnez $UKEY,1f # if (!userKey || !key) return -1;
+ bnez $KEYP,1f
+ li a0,-1
+ ret
+1:
+ # Determine number of rounds from key size in bits
+ li $T0,128
+ bne $BITS,$T0,1f
+ li $T1,10 # key->rounds = 10 if bits == 128
+ sw $T1,240($KEYP) # store key->rounds
+$ke128
+ j 4f
+1:
+ li $T0,192
+ bne $BITS,$T0,2f
+ li $T1,12 # key->rounds = 12 if bits == 192
+ sw $T1,240($KEYP) # store key->rounds
+$ke192
+ j 4f
+2:
+ li $T1,14 # key->rounds = 14 if bits == 256
+ li $T0,256
+ beq $BITS,$T0,3f
+ li a0,-2 # If bits != 128, 192, or 256, return -2
+ j 5f
+3:
+ sw $T1,240($KEYP) # store key->rounds
+$ke256
+4: # return 0
+ li a0,0
+5: # return a0
+___
+ return $ret;
+}
+$code .= <<___;
+.text
+.balign 16
+.globl rv64i_zkne_set_encrypt_key
+.type rv64i_zkne_set_encrypt_key,\@function
+rv64i_zkne_set_encrypt_key:
+___
+$code .= save_regs();
+$code .= AES_set_common(ke128enc(), ke192enc(),ke256enc());
+$code .= load_regs();
+$code .= <<___;
+ ret
+___
+
+################################################################################
+# utility functions for rv64i_zknd_set_decrypt_key
+################################################################################
+sub ke128dec {
+ my $rnum = 0;
+ my $ret = '';
+$ret .= <<___;
+ ld $T0,0($UKEY)
+ ld $T1,8($UKEY)
+ sd $T0,0($KEYP)
+ sd $T1,8($KEYP)
+___
+ while($rnum < 10) {
+$ret .= <<___;
+ @{[rv64_aes64ks1i $T2,$T1,$rnum]}
+ @{[rv64_aes64ks2 $T0,$T2,$T0]}
+ @{[rv64_aes64ks2 $T1,$T0,$T1]}
+ add $KEYP,$KEYP,16
+___
+ # need to aes64im for [1:N-1] round keys
+ # this is from the fact that aes64dsm subwords first then mix column
+ # intuitively decryption needs to first mix column then subwords
+ # however, for merging datapaths (encryption first subwords then mix column)
+ # aes64dsm chooses to inverse the order of them, thus
+ # transform should then be done on the round key
+ if ($rnum < 9) {
+$ret .= <<___;
+ @{[rv64_aes64im $T2,$T0]}
+ sd $T2,0($KEYP)
+ @{[rv64_aes64im $T2,$T1]}
+ sd $T2,8($KEYP)
+___
+ } else {
+$ret .= <<___;
+ sd $T0,0($KEYP)
+ sd $T1,8($KEYP)
+___
+ }
+ $rnum++;
+ }
+ return $ret;
+}
+
+sub ke192dec {
+ my $rnum = 0;
+ my $ret = '';
+$ret .= <<___;
+ ld $T0,0($UKEY)
+ ld $T1,8($UKEY)
+ ld $T2,16($UKEY)
+ sd $T0,0($KEYP)
+ sd $T1,8($KEYP)
+ @{[rv64_aes64im $T3,$T2]}
+ sd $T3,16($KEYP)
+___
+ while($rnum < 8) {
+$ret .= <<___;
+ @{[rv64_aes64ks1i $T3,$T2,$rnum]}
+ @{[rv64_aes64ks2 $T0,$T3,$T0]}
+ @{[rv64_aes64ks2 $T1,$T0,$T1]}
+ add $KEYP,$KEYP,24
+___
+ if ($rnum < 7) {
+$ret .= <<___;
+ @{[rv64_aes64im $T3,$T0]}
+ sd $T3,0($KEYP)
+ @{[rv64_aes64im $T3,$T1]}
+ sd $T3,8($KEYP)
+ # the reason is in ke192enc
+ @{[rv64_aes64ks2 $T2,$T1,$T2]}
+ @{[rv64_aes64im $T3,$T2]}
+ sd $T3,16($KEYP)
+___
+ } else { # rnum == 7
+$ret .= <<___;
+ sd $T0,0($KEYP)
+ sd $T1,8($KEYP)
+___
+ }
+ $rnum++;
+ }
+ return $ret;
+}
+
+sub ke256dec {
+ my $rnum = 0;
+ my $ret = '';
+$ret .= <<___;
+ ld $T0,0($UKEY)
+ ld $T1,8($UKEY)
+ ld $T2,16($UKEY)
+ ld $T3,24($UKEY)
+ sd $T0,0($KEYP)
+ sd $T1,8($KEYP)
+ @{[rv64_aes64im $T4,$T2]}
+ sd $T4,16($KEYP)
+ @{[rv64_aes64im $T4,$T3]}
+ sd $T4,24($KEYP)
+___
+ while($rnum < 7) {
+$ret .= <<___;
+ @{[rv64_aes64ks1i $T4,$T3,$rnum]}
+ @{[rv64_aes64ks2 $T0,$T4,$T0]}
+ @{[rv64_aes64ks2 $T1,$T0,$T1]}
+ add $KEYP,$KEYP,32
+___
+ if ($rnum < 6) {
+$ret .= <<___;
+ @{[rv64_aes64ks1i $T4,$T1,0xA]}
+ @{[rv64_aes64ks2 $T2,$T4,$T2]}
+ @{[rv64_aes64ks2 $T3,$T2,$T3]}
+ @{[rv64_aes64im $T4,$T0]}
+ sd $T4,0($KEYP)
+ @{[rv64_aes64im $T4,$T1]}
+ sd $T4,8($KEYP)
+ @{[rv64_aes64im $T4,$T2]}
+ sd $T4,16($KEYP)
+ @{[rv64_aes64im $T4,$T3]}
+ sd $T4,24($KEYP)
+___
+ } else {
+$ret .= <<___;
+ sd $T0,0($KEYP)
+ sd $T1,8($KEYP)
+ # last two one dropped
+___
+ }
+ $rnum++;
+ }
+ return $ret;
+}
+
+################################################################################
+# void rv64i_zknd_set_decrypt_key(const unsigned char *userKey, const int bits,
+# AES_KEY *key)
+################################################################################
+$code .= <<___;
+.text
+.balign 16
+.globl rv64i_zknd_set_decrypt_key
+.type rv64i_zknd_set_decrypt_key,\@function
+rv64i_zknd_set_decrypt_key:
+___
+$code .= save_regs();
+$code .= AES_set_common(ke128dec(), ke192dec(),ke256dec());
+$code .= load_regs();
+$code .= <<___;
+ ret
+___
+
+print $code;
+close STDOUT or die "error closing STDOUT: $!";
diff --git a/crypto/aes/asm/aes-riscv64.pl b/crypto/aes/asm/aes-riscv64.pl
new file mode 100644
index 000000000..525eba4b4
--- /dev/null
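Review bot: The `!userKey || !key` path in AES_set_common returns with the stack still adjusted: both rv64i_zkne_set_encrypt_key and rv64i_zknd_set_decrypt_key emit save_regs() before the AES_set_common body and load_regs() only after it, and since use_regs(6..8,13..14) puts the callee-saved x8 on must_save, the prologue is a real `addi sp,sp,-16` plus a store, so the early `ret` hands the caller an sp that is off by 16. Routing that case through the shared epilogue fixes it: replace the `ret` after `li a0,-1` with `j 5f`, so it falls through to the load_regs() restore and the final `ret` exactly as the `-2` path already does. The same early `ret` after save_regs() appears in AES_set_encrypt_key in the aes-riscv64.pl hunk that follows (where must_save also holds x9 and x18-x20), and the rv32 file's AES_set_common, whose definition is not in view, is worth checking for the same pattern. Separately, rv64_aes64ks1i shifts rnum straight into the encoding; a `die("Invalid rnum ".$rnum) if $rnum > 0xA;` would turn a bad round-constant index into a generation-time error instead of a reserved instruction word.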
+++ b/crypto/aes/asm/aes-riscv64.pl 
@@ -0,0 +1,1709 @@
+#! /usr/bin/env perl
+# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+# $output is the last argument if it looks like a file (it has an extension)
+# $flavour is the first argument if it doesn't look like a file
+$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
+$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
+
+$output and open STDOUT,">$output";
+
+################################################################################
+# Utility functions to help with keeping track of which registers to stack/
+# unstack when entering / exiting routines.
+################################################################################
+{
+ # Callee-saved registers
+ my @callee_saved = map("x$_",(2,8,9,18..27));
+ # Caller-saved registers
+ my @caller_saved = map("x$_",(1,5..7,10..17,28..31));
+ my @must_save;
+ sub use_reg {
+ my $reg = shift;
+ if (grep(/^$reg$/, @callee_saved)) {
+ push(@must_save, $reg);
+ } elsif (!grep(/^$reg$/, @caller_saved)) {
+ # Register is not usable!
+ die("Unusable register ".$reg);
+ }
+ return $reg;
+ }
+ sub use_regs {
+ return map(use_reg("x$_"), @_);
+ }
+ sub save_regs {
+ my $ret = '';
+ my $stack_reservation = ($#must_save + 1) * 8;
+ my $stack_offset = $stack_reservation;
+ if ($stack_reservation % 16) {
+ $stack_reservation += 8;
+ }
+ $ret.=" addi sp,sp,-$stack_reservation\n";
+ foreach (@must_save) {
+ $stack_offset -= 8;
+ $ret.=" sd $_,$stack_offset(sp)\n";
+ }
+ return $ret;
+ }
+ sub load_regs {
+ my $ret = '';
+ my $stack_reservation = ($#must_save + 1) * 8;
+ my $stack_offset = $stack_reservation;
+ if ($stack_reservation % 16) {
+ $stack_reservation += 8;
+ }
+ foreach (@must_save) {
+ $stack_offset -= 8;
+ $ret.=" ld $_,$stack_offset(sp)\n";
+ }
+ $ret.=" addi sp,sp,$stack_reservation\n";
+ return $ret;
+ }
+ sub clear_regs {
+ @must_save = ();
+ }
+}
+
+################################################################################
+# Register assignment for AES_encrypt and AES_decrypt
+################################################################################
+
+# Registers to hold AES state (called s0-s3 or y0-y3 elsewhere)
+my ($Q0,$Q1,$Q2,$Q3) = use_regs(6..9);
+
+# Function arguments (x10-x12 are a0-a2 in the ABI)
+# Input block pointer, output block pointer, key pointer
+my ($INP,$OUTP,$KEYP) = use_regs(10..12);
+
+# Temporaries
+my ($T0,$T1,$T2,$T3) = use_regs(13..16);
+my ($T4,$T5,$T6,$T7,$T8,$T9,$T10,$T11) = use_regs(17..24);
+my ($T12,$T13,$T14,$T15) = use_regs(25..28);
+
+# Register to hold table offset
+my ($I0) = use_regs(29);
+
+# Loop counter
+my ($loopcntr) = use_regs(30);
+
+# Lookup table address register
+my ($TBL) = use_regs(31);
+
+# Lookup table mask register
+my ($MSK) = use_regs(5);
+
+# Aliases for readability
+my $K0 = $loopcntr;
+my $K1 = $KEYP;
+
+################################################################################
+# Table lookup utility functions for AES_encrypt and AES_decrypt
+################################################################################
+
+# do_lookup([destination regs], [state regs], [temporary regs], shamt)
+# do_lookup loads four entries from an AES encryption/decryption table
+# and stores the result in the specified destination register set
+# Ds->[0] = Table[Qs->[0] >> shamt]
+# Ds->[1] = Table[Qs->[1] >> shamt]
+# Ds->[2] = Table[Qs->[2] >> shamt]
+# Ds->[3] = Table[Qs->[3] >> shamt]
+# Four temporary regs are used to generate these lookups. The temporary regs
+# can be equal to the destination regs, but only if they appear in the same
+# order. I.e. do_lookup([A,B,C,D],[...],[A,B,C,D],...) is OK
+sub do_lookup {
+ # (destination regs, state regs, temporary regs, shift amount)
+ my ($Ds, $Qs, $Ts, $shamt) = @_;
+
+ my $ret = '';
+
+ # AES encryption/decryption table entries have word-sized (4-byte) entries.
+ # To convert the table index into a byte offset, we compute
+ # ((Qs->[i] >> shamt) & 0xFF) << 2
+ # However, to save work, we compute the equivalent expression
+ # (Qs->[i] >> (shamt-2)) & 0x3FC
+ if ($shamt < 2) {
+$ret .= <<___;
+
+ slli $Ts->[0],$Qs->[0],$shamt+2
+ slli $Ts->[1],$Qs->[1],$shamt+2
+ slli $Ts->[2],$Qs->[2],$shamt+2
+ slli $Ts->[3],$Qs->[3],$shamt+2
+___
+ } else {
+$ret .= <<___;
+
+ srli $Ts->[0],$Qs->[0],$shamt-2
+ srli $Ts->[1],$Qs->[1],$shamt-2
+ srli $Ts->[2],$Qs->[2],$shamt-2
+ srli $Ts->[3],$Qs->[3],$shamt-2
+___
+ }
+
+$ret .= <<___;
+
+ andi $Ts->[0],$Ts->[0],0x3FC
+ andi $Ts->[1],$Ts->[1],0x3FC
+ andi $Ts->[2],$Ts->[2],0x3FC
+ andi $Ts->[3],$Ts->[3],0x3FC
+
+ # Index into table.
+ add $I0,$TBL,$Ts->[0]
+ lwu $Ds->[0],0($I0)
+ add $I0,$TBL,$Ts->[1]
+ lwu $Ds->[1],0($I0)
+ add $I0,$TBL,$Ts->[2]
+ lwu $Ds->[2],0($I0)
+ add $I0,$TBL,$Ts->[3]
+ lwu $Ds->[3],0($I0)
+
+___
+
+ return $ret;
+}
+
+# Identical to do_lookup(), but loads only a single byte into each destination
+# register (replaces lwu with lbu). Used in the final round of AES_encrypt.
+sub do_lookup_byte {
+ my $ret = do_lookup(@_);
+ $ret =~ s/lwu/lbu/g;
+ return $ret;
+}
+
+# do_lookup_Td4([destination regs], [state regs], [temporary regs])
+# Used in final phase of AES_decrypt
+# Ds->[0] = Table[(Qs->[0]) &0xFF]
+# Ds->[1] = Table[(Qs->[1] >> 8 )&0xFF]
+# Ds->[2] = Table[(Qs->[2] >> 16)&0xFF]
+# Ds->[3] = Table[(Qs->[3] >> 24)&0xFF]
+# Four temporary regs are used to generate these lookups. The temporary regs
+# can be equal to the destination regs, but only if they appear in the same
+# order. I.e. do_lookup([A,B,C,D],[...],[A,B,C,D],...) is OK
+sub do_lookup_Td4 {
+ my ($Ds, $Qs, $Ts) = @_;
+
+ my $ret = '';
+
+$ret .= <<___;
+ srli $Ts->[1],$Qs->[1],8
+ srli $Ts->[2],$Qs->[2],16
+ srli $Ts->[3],$Qs->[3],24
+
+ andi $Ts->[0],$Qs->[0],0xFF
+ andi $Ts->[1],$Ts->[1],0xFF
+ andi $Ts->[2],$Ts->[2],0xFF
+ andi $Ts->[3],$Ts->[3],0xFF
+
+ add $I0,$TBL,$Ts->[0]
+ lbu $Ds->[0],0($I0)
+ add $I0,$TBL,$Ts->[1]
+ lbu $Ds->[1],0($I0)
+ add $I0,$TBL,$Ts->[2]
+ lbu $Ds->[2],0($I0)
+ add $I0,$TBL,$Ts->[3]
+ lbu $Ds->[3],0($I0)
+
+___
+
+ return $ret;
+}
+
+################################################################################
+# void AES_encrypt(const unsigned char *in, unsigned char *out,
+# const AES_KEY *key);
+################################################################################
+my $code .= <<___;
+.text
+.balign 16
+.globl AES_encrypt
+.type AES_encrypt,\@function
+AES_encrypt:
+___
+
+$code .= save_regs();
+
+$code .= <<___;
+
+ # Load input to block cipher
+ ld $Q0,0($INP)
+ ld $Q2,8($INP)
+
+
+ # Load key
+ ld $T0,0($KEYP)
+ ld $T2,8($KEYP)
+
+
+ # Load number of rounds
+ lwu $loopcntr,240($KEYP)
+
+ # Load address of substitution table and wrap-around mask
+ la $TBL,AES_Te0
+ li $MSK,~0xFFF
+
+ # y = n xor k, stored in Q0-Q3
+
+ xor $Q0,$Q0,$T0
+ xor $Q2,$Q2,$T2
+ srli $Q1,$Q0,32
+ srli $Q3,$Q2,32
+
+ # The main loop only executes the first N-1 rounds.
+ add $loopcntr,$loopcntr,-1
+
+ # Do Nr - 1 rounds (final round is special)
+
+1:
+___
+
+# Lookup in table Te0
+$code .= do_lookup(
+ [$T4,$T5,$T6,$T7], # Destination registers
+ [$Q0,$Q1,$Q2,$Q3], # State registers
+ [$T0,$T1,$T2,$T3], # Temporaries
+ 0 # Shift amount
+);
+
+$code .= <<___;
+ add $TBL,$TBL,1024
+___
+
+# Lookup in table Te1
+$code .= do_lookup(
+ [$T8,$T9,$T10,$T11],
+ [$Q1,$Q2,$Q3,$Q0],
+ [$T0,$T1,$T2,$T3],
+ 8
+);
+
+$code .= <<___;
+ add $TBL,$TBL,1024
+___
+
+# Lookup in table Te2
+$code .= do_lookup(
+ [$T12,$T13,$T14,$T15],
+ [$Q2,$Q3,$Q0,$Q1],
+ [$T0,$T1,$T2,$T3],
+ 16
+);
+
+$code .= <<___;
+ add $TBL,$TBL,1024
+___
+
+# Lookup in table Te3
+$code .= do_lookup(
+ [$T0,$T1,$T2,$T3],
+ [$Q3,$Q0,$Q1,$Q2],
+ [$T0,$T1,$T2,$T3],
+ 24
+);
+
+$code .= <<___;
+
+ # Combine table lookups
+ xor $T4,$T4,$T8
+ xor $T5,$T5,$T9
+ xor $T6,$T6,$T10
+ xor $T7,$T7,$T11
+
+ xor $T4,$T4,$T12
+ xor $T5,$T5,$T13
+ xor $T6,$T6,$T14
+ xor $T7,$T7,$T15
+
+ xor $T0,$T0,$T4
+ xor $T1,$T1,$T5
+ xor $T2,$T2,$T6
+ xor $T3,$T3,$T7
+
+ # Update key ptr to point to next key in schedule
+ add $KEYP,$KEYP,16
+
+ # Grab next key in schedule
+ ld $T4,0($KEYP)
+ ld $T6,8($KEYP)
+
+ # Round TBL back to 4k boundary
+ and $TBL,$TBL,$MSK
+
+ add $loopcntr,$loopcntr,-1
+
+ xor $Q0,$T0,$T4
+ xor $Q2,$T2,$T6
+ srli $T5,$T4,32
+ xor $Q1,$T1,$T5
+ srli $T7,$T6,32
+ xor $Q3,$T3,$T7
+
+ bgtz $loopcntr,1b
+
+#================================FINAL ROUND====================================
+
+# In the final round, all lookup table accesses would appear as follows:
+#
+# ... compute index I0
+# add I0,TBL,T0
+# lbu T0,1(I0)
+#
+# Instead of indexing with a 1 offset, we can add 1 to the TBL pointer, and use
+# a 0 offset when indexing in the following code. This enables some instruction
+# fusion opportunities.
+
+ add $TBL,$TBL,1
+
+ ld $K0,16($KEYP)
+ ld $K1,24($KEYP)
+___
+
+$code .= do_lookup_byte(
+ [$T4,$T5,$T6,$T7],
+ [$Q0,$Q1,$Q2,$Q3],
+ [$T0,$T1,$T2,$T3],
+ 0
+);
+
+$code .= do_lookup_byte(
+ [$T8,$T9,$T10,$T11],
+ [$Q1,$Q2,$Q3,$Q0],
+ [$T0,$T1,$T2,$T3],
+ 8
+);
+
+$code .= do_lookup_byte(
+ [$T12,$T13,$T14,$T15],
+ [$Q2,$Q3,$Q0,$Q1],
+ [$T0,$T1,$T2,$T3],
+ 16
+);
+
+$code .= do_lookup_byte(
+ [$T0,$T1,$T2,$T3],
+ [$Q3,$Q0,$Q1,$Q2],
+ [$T0,$T1,$T2,$T3],
+ 24
+);
+
+$code .= <<___;
+
+ # Combine table lookups into T0 and T2
+
+ slli $T5,$T5,32
+ slli $T7,$T7,32
+ slli $T8,$T8,8
+ slli $T9,$T9,8+32
+ slli $T10,$T10,8
+ slli $T11,$T11,8+32
+ slli $T12,$T12,16
+ slli $T13,$T13,16+32
+ slli $T14,$T14,16
+ slli $T15,$T15,16+32
+
+ slli $T0,$T0,24
+ slli $T1,$T1,24+32
+ slli $T2,$T2,24
+ slli $T3,$T3,24+32
+
+ xor $T4,$T4,$T0
+ xor $T5,$T5,$T1
+ xor $T6,$T6,$T2
+ xor $T7,$T7,$T3
+
+ xor $T8,$T8,$T12
+ xor $T9,$T9,$T13
+ xor $T10,$T10,$T14
+ xor $T11,$T11,$T15
+
+ xor $T0,$T4,$T8
+ xor $T1,$T5,$T9
+ xor $T2,$T6,$T10
+ xor $T3,$T7,$T11
+
+
+ xor $T0,$T0,$T1
+ # T0 = [T1 T13 T9 T5 T0 T12 T8 T4]
+ xor $T0,$T0,$K0 # XOR in key
+
+ xor $T2,$T2,$T3
+ # T2 = [T3 T15 T11 T7 T2 T14 T10 T6]
+ xor $T2,$T2,$K1 # XOR in key
+
+ sd $T0,0($OUTP)
+ sd $T2,8($OUTP)
+
+ # Pop registers and return
+2:
+___
+
+$code .= load_regs();
+
+$code .= <<___;
+ ret
+___
+
+################################################################################
+# void AES_decrypt(const unsigned char *in, unsigned char *out,
+# const AES_KEY *key);
+################################################################################
+$code .= <<___;
+.text
+.balign 16
+.globl AES_decrypt
+.type AES_decrypt,\@function
+AES_decrypt:
+___
+
+$code .= save_regs();
+
+$code .= <<___;
+
+ # Load input to block cipher
+ ld $Q0,0($INP)
+ ld $Q2,8($INP)
+
+ # Load key
+ # Note that key is assumed in BE byte order
+ # (This routine was written against a key scheduling implementation that
+ # placed keys in BE byte order.)
+ ld $T0,0($KEYP)
+ ld $T2,8($KEYP)
+
+ # Load number of rounds
+ lwu $loopcntr,240($KEYP)
+
+ # Load address of substitution table and wrap-around mask
+ la $TBL,AES_Td0
+ li $MSK,~0xFFF
+
+ xor $Q0,$Q0,$T0
+ xor $Q2,$Q2,$T2
+ srli $Q1,$Q0,32
+ srli $Q3,$Q2,32
+
+ # The main loop only executes the first N-1 rounds.
+ add $loopcntr,$loopcntr,-1
+
+ # Do Nr - 1 rounds (final round is special)
+1:
+___
+
+# Lookup in Td0
+$code .= do_lookup(
+ [$T4,$T5,$T6,$T7], # Destination registers
+ [$Q0,$Q1,$Q2,$Q3], # State registers
+ [$T0,$T1,$T2,$T3], # Temporaries
+ 0 # Shift amount
+);
+
+$code .= <<___;
+ add $TBL,$TBL,1024
+___
+
+# Lookup in Td1
+$code .= do_lookup(
+ [$T8,$T9,$T10,$T11],
+ [$Q3,$Q0,$Q1,$Q2],
+ [$T0,$T1,$T2,$T3],
+ 8
+);
+
+$code .= <<___;
+ add $TBL,$TBL,1024
+___
+
+# Lookup in Td2
+$code .= do_lookup(
+ [$T12,$T13,$T14,$T15],
+ [$Q2,$Q3,$Q0,$Q1],
+ [$T0,$T1,$T2,$T3],
+ 16
+);
+
+$code .= <<___;
+ add $TBL,$TBL,1024
+___
+
+# Lookup in Td3
+$code .= do_lookup(
+ [$T0,$T1,$T2,$T3],
+ [$Q1,$Q2,$Q3,$Q0],
+ [$T0,$T1,$T2,$T3],
+ 24
+);
+
+$code .= <<___;
+ xor $T4,$T4,$T8
+ xor $T5,$T5,$T9
+ xor $T6,$T6,$T10
+ xor $T7,$T7,$T11
+
+ xor $T4,$T4,$T12
+ xor $T5,$T5,$T13
+ xor $T6,$T6,$T14
+ xor $T7,$T7,$T15
+
+ xor $T0,$T0,$T4
+ xor $T1,$T1,$T5
+ xor $T2,$T2,$T6
+ xor $T3,$T3,$T7
+
+ # Update key ptr to point to next key in schedule
+ add $KEYP,$KEYP,16
+
+ # Grab next key in schedule
+ ld $T4,0($KEYP)
+ ld $T6,8($KEYP)
+
+ # Round TBL back to 4k boundary
+ and $TBL,$TBL,$MSK
+
+ add $loopcntr,$loopcntr,-1
+
+ xor $Q0,$T0,$T4
+ xor $Q2,$T2,$T6
+ srli $T5,$T4,32
+ xor $Q1,$T1,$T5
+ srli $T7,$T6,32
+ xor $Q3,$T3,$T7
+
+ bgtz $loopcntr,1b
+
+#================================FINAL ROUND====================================
+
+ la $TBL,AES_Td4
+
+ # K0,K1 are aliases for loopcntr,KEYP
+ # As these registers will no longer be used after these loads, reuse them
+ # to store the final key in the schedule.
+ ld $K0,16($KEYP)
+ ld $K1,24($KEYP)
+___
+
+$code .= do_lookup_Td4(
+ [$T4,$T5,$T6,$T7],
+ [$Q0,$Q3,$Q2,$Q1],
+ [$T0,$T1,$T2,$T3]
+);
+
+$code .= do_lookup_Td4(
+ [$T8,$T9,$T10,$T11],
+ [$Q1,$Q0,$Q3,$Q2],
+ [$T0,$T1,$T2,$T3]
+);
+
+$code .= do_lookup_Td4(
+ [$T12,$T13,$T14,$T15],
+ [$Q2,$Q1,$Q0,$Q3],
+ [$T0,$T1,$T2,$T3]
+);
+
+$code .= do_lookup_Td4(
+ [$T0,$T1,$T2,$T3],
+ [$Q3,$Q2,$Q1,$Q0],
+ [$T0,$T1,$T2,$T3]
+);
+
+$code .= <<___;
+
+ # T0-T15 now contain the decrypted block, minus xoring with the final round
+ # key. We pack T0-T15 into the two 64-bit registers T0 and T4, then xor
+ # in the key and store.
+
+ slli $T5,$T5,8
+ slli $T6,$T6,16
+ slli $T7,$T7,24
+ slli $T8,$T8,32
+ slli $T9,$T9,8+32
+ slli $T10,$T10,16+32
+ slli $T11,$T11,32+24
+ slli $T13,$T13,8
+ slli $T14,$T14,16
+ slli $T15,$T15,24
+ slli $T0,$T0,32
+ slli $T1,$T1,8+32
+ slli $T2,$T2,16+32
+ slli $T3,$T3,24+32
+
+ xor $T4,$T4,$T5
+ xor $T6,$T6,$T7
+ xor $T8,$T8,$T9
+ xor $T10,$T10,$T11
+
+ xor $T12,$T12,$T13
+ xor $T14,$T14,$T15
+ xor $T0,$T0,$T1
+ xor $T2,$T2,$T3
+
+ xor $T4,$T4,$T6
+ xor $T8,$T8,$T10
+ xor $T12,$T12,$T14
+ xor $T0,$T0,$T2
+
+ xor $T4,$T4,$T8
+ # T4 = [T11 T10 T9 T8 T7 T6 T5 T4]
+ xor $T4,$T4,$K0 # xor in key
+
+ xor $T0,$T0,$T12
+ # T0 = [T3 T2 T1 T0 T15 T14 T13 T12]
+ xor $T0,$T0,$K1 # xor in key
+
+ sd $T4,0($OUTP)
+ sd $T0,8($OUTP)
+
+ # Pop registers and return
+___
+
+$code .= load_regs();
+
+$code .= <<___;
+ ret
+___
+
+clear_regs();
+
+################################################################################
+# Register assignment for AES_set_encrypt_key
+################################################################################
+
+# Function arguments (x10-x12 are a0-a2 in the ABI)
+# Pointer to user key, number of bits in key, key pointer
+my ($UKEY,$BITS,$KEYP) = use_regs(10..12);
+
+# Temporaries
+my ($T0,$T1,$T2,$T3) = use_regs(6..8,13);
+my ($T4,$T5,$T6,$T7,$T8,$T9,$T10,$T11) = use_regs(14..17,28..31);
+
+# Pointer into rcon table
+my ($RCON) = use_regs(9);
+
+# Register to hold table offset and used as a temporary
+my ($I0) = use_regs(18);
+
+# Loop counter
+my ($loopcntr) = use_regs(19);
+
+# Lookup table address register
+my ($TBL) = use_regs(20);
+
+# Calculates dest = [
+# S[(in>>shifts[3])&0xFF],
+# S[(in>>shifts[2])&0xFF],
+# S[(in>>shifts[1])&0xFF],
+# S[(in>>shifts[0])&0xFF]
+# ]
+# This routine spreads accesses across Te0-Te3 to help bring those tables
+# into cache, in anticipation of running AES_[en/de]crypt.
+sub do_enc_lookup {
+ # (destination reg, input reg, shifts array, temporary regs)
+ my ($dest, $in, $shifts, $Ts) = @_;
+
+ my $ret = '';
+
+$ret .= <<___;
+
+ # Round TBL back to 4k boundary
+ srli $TBL,$TBL,12
+ slli $TBL,$TBL,12
+
+ # Offset by 1 byte, since Te0[x] = S[x].[03, 01, 01, 02]
+ # So that, later on, a 0-offset lbu yields S[x].01 == S[x]
+ addi $TBL,$TBL,1
+___
+
+ for ($i = 0; $i < 4; $i++) {
+ if ($shifts->[$i] < 2) {
+ $ret .= " slli $Ts->[$i],$in,2-$shifts->[$i]\n";
+ } else {
+ $ret .= " srli $Ts->[$i],$in,$shifts->[$i]-2\n";
+ }
+ }
+
+$ret .= <<___;
+
+ andi $Ts->[0],$Ts->[0],0x3FC
+ andi $Ts->[1],$Ts->[1],0x3FC
+ andi $Ts->[2],$Ts->[2],0x3FC
+ andi $Ts->[3],$Ts->[3],0x3FC
+
+ # Index into tables Te0-Te3 (spread access across tables to help bring
+ # them into cache for later)
+
+ add $I0,$TBL,$Ts->[0]
+ lbu $Ts->[0],0($I0)
+
+ add $TBL,$TBL,1025 # yes, 1025
+ add $I0,$TBL,$Ts->[1]
+ lbu $Ts->[1],0($I0)
+
+ add $TBL,$TBL,1025
+ add $I0,$TBL,$Ts->[2]
+ lbu $Ts->[2],0($I0)
+
+ add $TBL,$TBL,1022
+ add $I0,$TBL,$Ts->[3]
+ lbu $Ts->[3],0($I0)
+
+ slli $Ts->[1],$Ts->[1],8
+ slli $Ts->[2],$Ts->[2],16
+ slli $Ts->[3],$Ts->[3],24
+
+ xor $Ts->[0],$Ts->[0],$Ts->[1]
+ xor $Ts->[2],$Ts->[2],$Ts->[3]
+ xor $dest,$Ts->[0],$Ts->[2]
+___
+
+ return $ret;
+}
+
+################################################################################
+# void AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+# AES_KEY *key)
+################################################################################ +$code .= <<___; +.text +.balign 16 +.globl AES_set_encrypt_key +.type AES_set_encrypt_key,\@function +AES_set_encrypt_key: +___ +$code .= save_regs(); +$code .= <<___; + bnez $UKEY,1f # if (!userKey || !key) return -1; + bnez $KEYP,1f + li a0,-1 + ret +1: + la $RCON,AES_rcon + la $TBL,AES_Te0 + li $T8,128 + li $T9,192 + li $T10,256 + + # Determine number of rounds from key size in bits + bne $BITS,$T8,1f + li $T3,10 # key->rounds = 10 if bits == 128 + j 3f +1: + bne $BITS,$T9,2f + li $T3,12 # key->rounds = 12 if bits == 192 + j 3f +2: + li $T3,14 # key->rounds = 14 if bits == 256 + beq $BITS,$T10,3f + li a0,-2 # If bits != 128, 192, or 256, return -2 + j 5f +3: + ld $T0,0($UKEY) + ld $T2,8($UKEY) + + sw $T3,240($KEYP) + + li $loopcntr,0 # == i*4 + + srli $T1,$T0,32 + srli $T3,$T2,32 + + sd $T0,0($KEYP) + sd $T2,8($KEYP) + + # if bits == 128 + # jump into loop + beq $BITS,$T8,1f + + ld $T4,16($UKEY) + srli $T5,$T4,32 + sd $T4,16($KEYP) + + # if bits == 192 + # jump into loop + beq $BITS,$T9,2f + + ld $T6,24($UKEY) + srli $T7,$T6,32 + sd $T6,24($KEYP) + + # bits == 256 + j 3f +___ + +$code .= <<___; +1: + addi $KEYP,$KEYP,16 +1: +___ +$code .= do_enc_lookup($T4,$T3,[8,16,24,0],[$T4,$T5,$T6,$T7]); + +$code .= <<___; + add $T5,$RCON,$loopcntr # rcon[i] (i increments by 4 so it can double as + # a word offset) + lwu $T5,0($T5) + + addi $loopcntr,$loopcntr,4 + li $I0,10*4 + + xor $T0,$T0,$T4 + xor $T0,$T0,$T5 + xor $T1,$T1,$T0 + xor $T2,$T2,$T1 + xor $T3,$T3,$T2 + + sw $T0,0($KEYP) + sw $T1,4($KEYP) + sw $T2,8($KEYP) + sw $T3,12($KEYP) + + addi $KEYP,$KEYP,16 + + + bne $loopcntr,$I0,1b + j 4f +___ +$code .= <<___; +2: + addi $KEYP,$KEYP,24 +2: +___ +$code .= do_enc_lookup($T6,$T5,[8,16,24,0],[$T6,$T7,$T8,$T9]); + +$code .= <<___; + add $T7,$RCON,$loopcntr # rcon[i] (i increments by 4 so it can double as + # a word offset) + lwu $T7,0($T7) + + addi $loopcntr,$loopcntr,4 + li $I0,8*4 + + xor 
$T0,$T0,$T6 + xor $T0,$T0,$T7 + xor $T1,$T1,$T0 + xor $T2,$T2,$T1 + xor $T3,$T3,$T2 + + sw $T0,0($KEYP) + sw $T1,4($KEYP) + sw $T2,8($KEYP) + sw $T3,12($KEYP) + + beq $loopcntr,$I0,4f + + xor $T4,$T4,$T3 + xor $T5,$T5,$T4 + sw $T4,16($KEYP) + sw $T5,20($KEYP) + + addi $KEYP,$KEYP,24 + j 2b +___ +$code .= <<___; +3: + addi $KEYP,$KEYP,32 +3: +___ +$code .= do_enc_lookup($T8,$T7,[8,16,24,0],[$T8,$T9,$T10,$T11]); + +$code .= <<___; + add $T9,$RCON,$loopcntr # rcon[i] (i increments by 4 so it can double as + # a word offset) + lwu $T9,0($T9) + + addi $loopcntr,$loopcntr,4 + li $I0,7*4 + + xor $T0,$T0,$T8 + xor $T0,$T0,$T9 + xor $T1,$T1,$T0 + xor $T2,$T2,$T1 + xor $T3,$T3,$T2 + + sw $T0,0($KEYP) + sw $T1,4($KEYP) + sw $T2,8($KEYP) + sw $T3,12($KEYP) + + beq $loopcntr,$I0,4f +___ +$code .= do_enc_lookup($T8,$T3,[0,8,16,24],[$T8,$T9,$T10,$T11]); +$code .= <<___; + xor $T4,$T4,$T8 + xor $T5,$T5,$T4 + xor $T6,$T6,$T5 + xor $T7,$T7,$T6 + sw $T4,16($KEYP) + sw $T5,20($KEYP) + sw $T6,24($KEYP) + sw $T7,28($KEYP) + + addi $KEYP,$KEYP,32 + j 3b + +4: # return 0 + li a0,0 +5: # return a0 +___ +$code .= load_regs(); +$code .= <<___; + ret +___ + +clear_regs(); + +################################################################################ +# Register assignment for AES_set_decrypt_key +################################################################################ + +# Function arguments (x10-x12 are a0-a2 in the ABI) +# Pointer to user key, number of bits in key, key pointer +my ($UKEY,$BITS,$KEYP) = use_regs(10..12); + +# Temporaries +my ($T0,$T1,$T2,$T3) = use_regs(6..8,9); +my ($T4,$T5,$T6,$T7,$T8) = use_regs(13..17); + +my ($I1) = use_regs(18); + +# Register to hold table offset and used as a temporary +my ($I0) = use_regs(19); + +# Loop counter +my ($loopcntr) = use_regs(20); + +# Lookup table address register +my ($TBL) = use_regs(21); + +# Calculates dest = [ +# Td0[Te1[(in >> 24) & 0xff] & 0xff] ^ +# Td1[Te1[(in >> 16) & 0xff] & 0xff] ^ +# Td2[Te1[(in >> 8) & 0xff] & 
0xff] ^ +# Td3[Te1[(in ) & 0xff] & 0xff] +# ] +sub do_dec_lookup { + # (destination reg, input reg, temporary regs) + my ($dest, $in, $Ts) = @_; + + my $ret = ''; + +$ret .= <<___; + + la $TBL,AES_Te2 + + slli $Ts->[0],$in,2 + srli $Ts->[1],$in,8-2 + srli $Ts->[2],$in,16-2 + srli $Ts->[3],$in,24-2 + + andi $Ts->[0],$Ts->[0],0x3FC + andi $Ts->[1],$Ts->[1],0x3FC + andi $Ts->[2],$Ts->[2],0x3FC + andi $Ts->[3],$Ts->[3],0x3FC + + # Index into table Te2 + + add $I0,$TBL,$Ts->[0] + lwu $Ts->[0],0($I0) + + add $I0,$TBL,$Ts->[1] + lwu $Ts->[1],0($I0) + + add $I0,$TBL,$Ts->[2] + lwu $Ts->[2],0($I0) + + add $I0,$TBL,$Ts->[3] + lwu $Ts->[3],0($I0) + + andi $Ts->[0],$Ts->[0],0xFF + andi $Ts->[1],$Ts->[1],0xFF + andi $Ts->[2],$Ts->[2],0xFF + andi $Ts->[3],$Ts->[3],0xFF + + slli $Ts->[0],$Ts->[0],2 + slli $Ts->[1],$Ts->[1],2 + slli $Ts->[2],$Ts->[2],2 + slli $Ts->[3],$Ts->[3],2 + + la $TBL,AES_Td0 + + # Lookup in Td0-Td3 + + add $I0,$TBL,$Ts->[0] + lwu $Ts->[0],0($I0) + + add $TBL,$TBL,1024 + add $I0,$TBL,$Ts->[1] + lwu $Ts->[1],0($I0) + + add $TBL,$TBL,1024 + add $I0,$TBL,$Ts->[2] + lwu $Ts->[2],0($I0) + + add $TBL,$TBL,1024 + add $I0,$TBL,$Ts->[3] + lwu $Ts->[3],0($I0) + + xor $Ts->[0],$Ts->[0],$Ts->[1] + xor $Ts->[2],$Ts->[2],$Ts->[3] + xor $dest,$Ts->[0],$Ts->[2] +___ + + return $ret; +} + +################################################################################ +# void AES_set_decrypt_key(const unsigned char *userKey, const int bits, +# AES_KEY *key) +################################################################################ +$code .= <<___; +.text +.balign 16 +.globl AES_set_decrypt_key +.type AES_set_decrypt_key,\@function +AES_set_decrypt_key: + # Call AES_set_encrypt_key first + addi sp,sp,-16 + sd $KEYP,0(sp) # We need to hold onto this! 
+ sd ra,8(sp) + jal ra,AES_set_encrypt_key + ld $KEYP,0(sp) + ld ra,8(sp) + addi sp,sp,16 + bgez a0,1f # If error, return error + ret +1: +___ +$code .= save_regs(); +$code .= <<___; + + li $T4,0 + lwu $T8,240($KEYP) + slli $T5,$T8,4 + # Invert order of round keys +1: + add $I0,$KEYP,$T4 + ld $T0,0($I0) + ld $T1,8($I0) + add $I1,$KEYP,$T5 + ld $T2,0($I1) + ld $T3,8($I1) + addi $T4,$T4,16 + addi $T5,$T5,-16 + sd $T0,0($I1) + sd $T1,8($I1) + sd $T2,0($I0) + sd $T3,8($I0) + blt $T4,$T5,1b + + li $loopcntr,1 + +1: + addi $KEYP,$KEYP,16 + lwu $T0,0($KEYP) + lwu $T1,4($KEYP) + lwu $T2,8($KEYP) + lwu $T3,12($KEYP) +___ +$code .= do_dec_lookup($T0,$T0,[$T4,$T5,$T6,$T7]); +$code .= do_dec_lookup($T1,$T1,[$T4,$T5,$T6,$T7]); +$code .= do_dec_lookup($T2,$T2,[$T4,$T5,$T6,$T7]); +$code .= do_dec_lookup($T3,$T3,[$T4,$T5,$T6,$T7]); +$code .= <<___; + sw $T0,0($KEYP) + sw $T1,4($KEYP) + sw $T2,8($KEYP) + sw $T3,12($KEYP) + addi $loopcntr,$loopcntr,1 + blt $loopcntr,$T8,1b +___ +$code .= load_regs(); +$code .= <<___; + li a0,0 + ret +___ +$code .= <<___; + +.section .rodata +.p2align 12 +.type AES_Te0,\@object +AES_Te0: +.word 0xa56363c6U, 0x847c7cf8U, 0x997777eeU, 0x8d7b7bf6U +.word 0x0df2f2ffU, 0xbd6b6bd6U, 0xb16f6fdeU, 0x54c5c591U +.word 0x50303060U, 0x03010102U, 0xa96767ceU, 0x7d2b2b56U +.word 0x19fefee7U, 0x62d7d7b5U, 0xe6abab4dU, 0x9a7676ecU +.word 0x45caca8fU, 0x9d82821fU, 0x40c9c989U, 0x877d7dfaU +.word 0x15fafaefU, 0xeb5959b2U, 0xc947478eU, 0x0bf0f0fbU +.word 0xecadad41U, 0x67d4d4b3U, 0xfda2a25fU, 0xeaafaf45U +.word 0xbf9c9c23U, 0xf7a4a453U, 0x967272e4U, 0x5bc0c09bU +.word 0xc2b7b775U, 0x1cfdfde1U, 0xae93933dU, 0x6a26264cU +.word 0x5a36366cU, 0x413f3f7eU, 0x02f7f7f5U, 0x4fcccc83U +.word 0x5c343468U, 0xf4a5a551U, 0x34e5e5d1U, 0x08f1f1f9U +.word 0x937171e2U, 0x73d8d8abU, 0x53313162U, 0x3f15152aU +.word 0x0c040408U, 0x52c7c795U, 0x65232346U, 0x5ec3c39dU +.word 0x28181830U, 0xa1969637U, 0x0f05050aU, 0xb59a9a2fU +.word 0x0907070eU, 0x36121224U, 0x9b80801bU, 0x3de2e2dfU +.word 
0x26ebebcdU, 0x6927274eU, 0xcdb2b27fU, 0x9f7575eaU +.word 0x1b090912U, 0x9e83831dU, 0x742c2c58U, 0x2e1a1a34U +.word 0x2d1b1b36U, 0xb26e6edcU, 0xee5a5ab4U, 0xfba0a05bU +.word 0xf65252a4U, 0x4d3b3b76U, 0x61d6d6b7U, 0xceb3b37dU +.word 0x7b292952U, 0x3ee3e3ddU, 0x712f2f5eU, 0x97848413U +.word 0xf55353a6U, 0x68d1d1b9U, 0x00000000U, 0x2cededc1U +.word 0x60202040U, 0x1ffcfce3U, 0xc8b1b179U, 0xed5b5bb6U +.word 0xbe6a6ad4U, 0x46cbcb8dU, 0xd9bebe67U, 0x4b393972U +.word 0xde4a4a94U, 0xd44c4c98U, 0xe85858b0U, 0x4acfcf85U +.word 0x6bd0d0bbU, 0x2aefefc5U, 0xe5aaaa4fU, 0x16fbfbedU +.word 0xc5434386U, 0xd74d4d9aU, 0x55333366U, 0x94858511U +.word 0xcf45458aU, 0x10f9f9e9U, 0x06020204U, 0x817f7ffeU +.word 0xf05050a0U, 0x443c3c78U, 0xba9f9f25U, 0xe3a8a84bU +.word 0xf35151a2U, 0xfea3a35dU, 0xc0404080U, 0x8a8f8f05U +.word 0xad92923fU, 0xbc9d9d21U, 0x48383870U, 0x04f5f5f1U +.word 0xdfbcbc63U, 0xc1b6b677U, 0x75dadaafU, 0x63212142U +.word 0x30101020U, 0x1affffe5U, 0x0ef3f3fdU, 0x6dd2d2bfU +.word 0x4ccdcd81U, 0x140c0c18U, 0x35131326U, 0x2fececc3U +.word 0xe15f5fbeU, 0xa2979735U, 0xcc444488U, 0x3917172eU +.word 0x57c4c493U, 0xf2a7a755U, 0x827e7efcU, 0x473d3d7aU +.word 0xac6464c8U, 0xe75d5dbaU, 0x2b191932U, 0x957373e6U +.word 0xa06060c0U, 0x98818119U, 0xd14f4f9eU, 0x7fdcdca3U +.word 0x66222244U, 0x7e2a2a54U, 0xab90903bU, 0x8388880bU +.word 0xca46468cU, 0x29eeeec7U, 0xd3b8b86bU, 0x3c141428U +.word 0x79dedea7U, 0xe25e5ebcU, 0x1d0b0b16U, 0x76dbdbadU +.word 0x3be0e0dbU, 0x56323264U, 0x4e3a3a74U, 0x1e0a0a14U +.word 0xdb494992U, 0x0a06060cU, 0x6c242448U, 0xe45c5cb8U +.word 0x5dc2c29fU, 0x6ed3d3bdU, 0xefacac43U, 0xa66262c4U +.word 0xa8919139U, 0xa4959531U, 0x37e4e4d3U, 0x8b7979f2U +.word 0x32e7e7d5U, 0x43c8c88bU, 0x5937376eU, 0xb76d6ddaU +.word 0x8c8d8d01U, 0x64d5d5b1U, 0xd24e4e9cU, 0xe0a9a949U +.word 0xb46c6cd8U, 0xfa5656acU, 0x07f4f4f3U, 0x25eaeacfU +.word 0xaf6565caU, 0x8e7a7af4U, 0xe9aeae47U, 0x18080810U +.word 0xd5baba6fU, 0x887878f0U, 0x6f25254aU, 0x722e2e5cU +.word 0x241c1c38U, 0xf1a6a657U, 
0xc7b4b473U, 0x51c6c697U +.word 0x23e8e8cbU, 0x7cdddda1U, 0x9c7474e8U, 0x211f1f3eU +.word 0xdd4b4b96U, 0xdcbdbd61U, 0x868b8b0dU, 0x858a8a0fU +.word 0x907070e0U, 0x423e3e7cU, 0xc4b5b571U, 0xaa6666ccU +.word 0xd8484890U, 0x05030306U, 0x01f6f6f7U, 0x120e0e1cU +.word 0xa36161c2U, 0x5f35356aU, 0xf95757aeU, 0xd0b9b969U +.word 0x91868617U, 0x58c1c199U, 0x271d1d3aU, 0xb99e9e27U +.word 0x38e1e1d9U, 0x13f8f8ebU, 0xb398982bU, 0x33111122U +.word 0xbb6969d2U, 0x70d9d9a9U, 0x898e8e07U, 0xa7949433U +.word 0xb69b9b2dU, 0x221e1e3cU, 0x92878715U, 0x20e9e9c9U +.word 0x49cece87U, 0xff5555aaU, 0x78282850U, 0x7adfdfa5U +.word 0x8f8c8c03U, 0xf8a1a159U, 0x80898909U, 0x170d0d1aU +.word 0xdabfbf65U, 0x31e6e6d7U, 0xc6424284U, 0xb86868d0U +.word 0xc3414182U, 0xb0999929U, 0x772d2d5aU, 0x110f0f1eU +.word 0xcbb0b07bU, 0xfc5454a8U, 0xd6bbbb6dU, 0x3a16162cU + +.type AES_Te1,\@object +AES_Te1: +.word 0x6363c6a5U, 0x7c7cf884U, 0x7777ee99U, 0x7b7bf68dU +.word 0xf2f2ff0dU, 0x6b6bd6bdU, 0x6f6fdeb1U, 0xc5c59154U +.word 0x30306050U, 0x01010203U, 0x6767cea9U, 0x2b2b567dU +.word 0xfefee719U, 0xd7d7b562U, 0xabab4de6U, 0x7676ec9aU +.word 0xcaca8f45U, 0x82821f9dU, 0xc9c98940U, 0x7d7dfa87U +.word 0xfafaef15U, 0x5959b2ebU, 0x47478ec9U, 0xf0f0fb0bU +.word 0xadad41ecU, 0xd4d4b367U, 0xa2a25ffdU, 0xafaf45eaU +.word 0x9c9c23bfU, 0xa4a453f7U, 0x7272e496U, 0xc0c09b5bU +.word 0xb7b775c2U, 0xfdfde11cU, 0x93933daeU, 0x26264c6aU +.word 0x36366c5aU, 0x3f3f7e41U, 0xf7f7f502U, 0xcccc834fU +.word 0x3434685cU, 0xa5a551f4U, 0xe5e5d134U, 0xf1f1f908U +.word 0x7171e293U, 0xd8d8ab73U, 0x31316253U, 0x15152a3fU +.word 0x0404080cU, 0xc7c79552U, 0x23234665U, 0xc3c39d5eU +.word 0x18183028U, 0x969637a1U, 0x05050a0fU, 0x9a9a2fb5U +.word 0x07070e09U, 0x12122436U, 0x80801b9bU, 0xe2e2df3dU +.word 0xebebcd26U, 0x27274e69U, 0xb2b27fcdU, 0x7575ea9fU +.word 0x0909121bU, 0x83831d9eU, 0x2c2c5874U, 0x1a1a342eU +.word 0x1b1b362dU, 0x6e6edcb2U, 0x5a5ab4eeU, 0xa0a05bfbU +.word 0x5252a4f6U, 0x3b3b764dU, 0xd6d6b761U, 0xb3b37dceU +.word 0x2929527bU, 
0xe3e3dd3eU, 0x2f2f5e71U, 0x84841397U +.word 0x5353a6f5U, 0xd1d1b968U, 0x00000000U, 0xededc12cU +.word 0x20204060U, 0xfcfce31fU, 0xb1b179c8U, 0x5b5bb6edU +.word 0x6a6ad4beU, 0xcbcb8d46U, 0xbebe67d9U, 0x3939724bU +.word 0x4a4a94deU, 0x4c4c98d4U, 0x5858b0e8U, 0xcfcf854aU +.word 0xd0d0bb6bU, 0xefefc52aU, 0xaaaa4fe5U, 0xfbfbed16U +.word 0x434386c5U, 0x4d4d9ad7U, 0x33336655U, 0x85851194U +.word 0x45458acfU, 0xf9f9e910U, 0x02020406U, 0x7f7ffe81U +.word 0x5050a0f0U, 0x3c3c7844U, 0x9f9f25baU, 0xa8a84be3U +.word 0x5151a2f3U, 0xa3a35dfeU, 0x404080c0U, 0x8f8f058aU +.word 0x92923fadU, 0x9d9d21bcU, 0x38387048U, 0xf5f5f104U +.word 0xbcbc63dfU, 0xb6b677c1U, 0xdadaaf75U, 0x21214263U +.word 0x10102030U, 0xffffe51aU, 0xf3f3fd0eU, 0xd2d2bf6dU +.word 0xcdcd814cU, 0x0c0c1814U, 0x13132635U, 0xececc32fU +.word 0x5f5fbee1U, 0x979735a2U, 0x444488ccU, 0x17172e39U +.word 0xc4c49357U, 0xa7a755f2U, 0x7e7efc82U, 0x3d3d7a47U +.word 0x6464c8acU, 0x5d5dbae7U, 0x1919322bU, 0x7373e695U +.word 0x6060c0a0U, 0x81811998U, 0x4f4f9ed1U, 0xdcdca37fU +.word 0x22224466U, 0x2a2a547eU, 0x90903babU, 0x88880b83U +.word 0x46468ccaU, 0xeeeec729U, 0xb8b86bd3U, 0x1414283cU +.word 0xdedea779U, 0x5e5ebce2U, 0x0b0b161dU, 0xdbdbad76U +.word 0xe0e0db3bU, 0x32326456U, 0x3a3a744eU, 0x0a0a141eU +.word 0x494992dbU, 0x06060c0aU, 0x2424486cU, 0x5c5cb8e4U +.word 0xc2c29f5dU, 0xd3d3bd6eU, 0xacac43efU, 0x6262c4a6U +.word 0x919139a8U, 0x959531a4U, 0xe4e4d337U, 0x7979f28bU +.word 0xe7e7d532U, 0xc8c88b43U, 0x37376e59U, 0x6d6ddab7U +.word 0x8d8d018cU, 0xd5d5b164U, 0x4e4e9cd2U, 0xa9a949e0U +.word 0x6c6cd8b4U, 0x5656acfaU, 0xf4f4f307U, 0xeaeacf25U +.word 0x6565caafU, 0x7a7af48eU, 0xaeae47e9U, 0x08081018U +.word 0xbaba6fd5U, 0x7878f088U, 0x25254a6fU, 0x2e2e5c72U +.word 0x1c1c3824U, 0xa6a657f1U, 0xb4b473c7U, 0xc6c69751U +.word 0xe8e8cb23U, 0xdddda17cU, 0x7474e89cU, 0x1f1f3e21U +.word 0x4b4b96ddU, 0xbdbd61dcU, 0x8b8b0d86U, 0x8a8a0f85U +.word 0x7070e090U, 0x3e3e7c42U, 0xb5b571c4U, 0x6666ccaaU +.word 0x484890d8U, 0x03030605U, 0xf6f6f701U, 
0x0e0e1c12U +.word 0x6161c2a3U, 0x35356a5fU, 0x5757aef9U, 0xb9b969d0U +.word 0x86861791U, 0xc1c19958U, 0x1d1d3a27U, 0x9e9e27b9U +.word 0xe1e1d938U, 0xf8f8eb13U, 0x98982bb3U, 0x11112233U +.word 0x6969d2bbU, 0xd9d9a970U, 0x8e8e0789U, 0x949433a7U +.word 0x9b9b2db6U, 0x1e1e3c22U, 0x87871592U, 0xe9e9c920U +.word 0xcece8749U, 0x5555aaffU, 0x28285078U, 0xdfdfa57aU +.word 0x8c8c038fU, 0xa1a159f8U, 0x89890980U, 0x0d0d1a17U +.word 0xbfbf65daU, 0xe6e6d731U, 0x424284c6U, 0x6868d0b8U +.word 0x414182c3U, 0x999929b0U, 0x2d2d5a77U, 0x0f0f1e11U +.word 0xb0b07bcbU, 0x5454a8fcU, 0xbbbb6dd6U, 0x16162c3aU + +.type AES_Te2,\@object +AES_Te2: +.word 0x63c6a563U, 0x7cf8847cU, 0x77ee9977U, 0x7bf68d7bU +.word 0xf2ff0df2U, 0x6bd6bd6bU, 0x6fdeb16fU, 0xc59154c5U +.word 0x30605030U, 0x01020301U, 0x67cea967U, 0x2b567d2bU +.word 0xfee719feU, 0xd7b562d7U, 0xab4de6abU, 0x76ec9a76U +.word 0xca8f45caU, 0x821f9d82U, 0xc98940c9U, 0x7dfa877dU +.word 0xfaef15faU, 0x59b2eb59U, 0x478ec947U, 0xf0fb0bf0U +.word 0xad41ecadU, 0xd4b367d4U, 0xa25ffda2U, 0xaf45eaafU +.word 0x9c23bf9cU, 0xa453f7a4U, 0x72e49672U, 0xc09b5bc0U +.word 0xb775c2b7U, 0xfde11cfdU, 0x933dae93U, 0x264c6a26U +.word 0x366c5a36U, 0x3f7e413fU, 0xf7f502f7U, 0xcc834fccU +.word 0x34685c34U, 0xa551f4a5U, 0xe5d134e5U, 0xf1f908f1U +.word 0x71e29371U, 0xd8ab73d8U, 0x31625331U, 0x152a3f15U +.word 0x04080c04U, 0xc79552c7U, 0x23466523U, 0xc39d5ec3U +.word 0x18302818U, 0x9637a196U, 0x050a0f05U, 0x9a2fb59aU +.word 0x070e0907U, 0x12243612U, 0x801b9b80U, 0xe2df3de2U +.word 0xebcd26ebU, 0x274e6927U, 0xb27fcdb2U, 0x75ea9f75U +.word 0x09121b09U, 0x831d9e83U, 0x2c58742cU, 0x1a342e1aU +.word 0x1b362d1bU, 0x6edcb26eU, 0x5ab4ee5aU, 0xa05bfba0U +.word 0x52a4f652U, 0x3b764d3bU, 0xd6b761d6U, 0xb37dceb3U +.word 0x29527b29U, 0xe3dd3ee3U, 0x2f5e712fU, 0x84139784U +.word 0x53a6f553U, 0xd1b968d1U, 0x00000000U, 0xedc12cedU +.word 0x20406020U, 0xfce31ffcU, 0xb179c8b1U, 0x5bb6ed5bU +.word 0x6ad4be6aU, 0xcb8d46cbU, 0xbe67d9beU, 0x39724b39U +.word 0x4a94de4aU, 0x4c98d44cU, 
0x58b0e858U, 0xcf854acfU +.word 0xd0bb6bd0U, 0xefc52aefU, 0xaa4fe5aaU, 0xfbed16fbU +.word 0x4386c543U, 0x4d9ad74dU, 0x33665533U, 0x85119485U +.word 0x458acf45U, 0xf9e910f9U, 0x02040602U, 0x7ffe817fU +.word 0x50a0f050U, 0x3c78443cU, 0x9f25ba9fU, 0xa84be3a8U +.word 0x51a2f351U, 0xa35dfea3U, 0x4080c040U, 0x8f058a8fU +.word 0x923fad92U, 0x9d21bc9dU, 0x38704838U, 0xf5f104f5U +.word 0xbc63dfbcU, 0xb677c1b6U, 0xdaaf75daU, 0x21426321U +.word 0x10203010U, 0xffe51affU, 0xf3fd0ef3U, 0xd2bf6dd2U +.word 0xcd814ccdU, 0x0c18140cU, 0x13263513U, 0xecc32fecU +.word 0x5fbee15fU, 0x9735a297U, 0x4488cc44U, 0x172e3917U +.word 0xc49357c4U, 0xa755f2a7U, 0x7efc827eU, 0x3d7a473dU +.word 0x64c8ac64U, 0x5dbae75dU, 0x19322b19U, 0x73e69573U +.word 0x60c0a060U, 0x81199881U, 0x4f9ed14fU, 0xdca37fdcU +.word 0x22446622U, 0x2a547e2aU, 0x903bab90U, 0x880b8388U +.word 0x468cca46U, 0xeec729eeU, 0xb86bd3b8U, 0x14283c14U +.word 0xdea779deU, 0x5ebce25eU, 0x0b161d0bU, 0xdbad76dbU +.word 0xe0db3be0U, 0x32645632U, 0x3a744e3aU, 0x0a141e0aU +.word 0x4992db49U, 0x060c0a06U, 0x24486c24U, 0x5cb8e45cU +.word 0xc29f5dc2U, 0xd3bd6ed3U, 0xac43efacU, 0x62c4a662U +.word 0x9139a891U, 0x9531a495U, 0xe4d337e4U, 0x79f28b79U +.word 0xe7d532e7U, 0xc88b43c8U, 0x376e5937U, 0x6ddab76dU +.word 0x8d018c8dU, 0xd5b164d5U, 0x4e9cd24eU, 0xa949e0a9U +.word 0x6cd8b46cU, 0x56acfa56U, 0xf4f307f4U, 0xeacf25eaU +.word 0x65caaf65U, 0x7af48e7aU, 0xae47e9aeU, 0x08101808U +.word 0xba6fd5baU, 0x78f08878U, 0x254a6f25U, 0x2e5c722eU +.word 0x1c38241cU, 0xa657f1a6U, 0xb473c7b4U, 0xc69751c6U +.word 0xe8cb23e8U, 0xdda17cddU, 0x74e89c74U, 0x1f3e211fU +.word 0x4b96dd4bU, 0xbd61dcbdU, 0x8b0d868bU, 0x8a0f858aU +.word 0x70e09070U, 0x3e7c423eU, 0xb571c4b5U, 0x66ccaa66U +.word 0x4890d848U, 0x03060503U, 0xf6f701f6U, 0x0e1c120eU +.word 0x61c2a361U, 0x356a5f35U, 0x57aef957U, 0xb969d0b9U +.word 0x86179186U, 0xc19958c1U, 0x1d3a271dU, 0x9e27b99eU +.word 0xe1d938e1U, 0xf8eb13f8U, 0x982bb398U, 0x11223311U +.word 0x69d2bb69U, 0xd9a970d9U, 0x8e07898eU, 0x9433a794U 
+.word 0x9b2db69bU, 0x1e3c221eU, 0x87159287U, 0xe9c920e9U +.word 0xce8749ceU, 0x55aaff55U, 0x28507828U, 0xdfa57adfU +.word 0x8c038f8cU, 0xa159f8a1U, 0x89098089U, 0x0d1a170dU +.word 0xbf65dabfU, 0xe6d731e6U, 0x4284c642U, 0x68d0b868U +.word 0x4182c341U, 0x9929b099U, 0x2d5a772dU, 0x0f1e110fU +.word 0xb07bcbb0U, 0x54a8fc54U, 0xbb6dd6bbU, 0x162c3a16U + +.type AES_Te3,\@object +AES_Te3: +.word 0xc6a56363U, 0xf8847c7cU, 0xee997777U, 0xf68d7b7bU +.word 0xff0df2f2U, 0xd6bd6b6bU, 0xdeb16f6fU, 0x9154c5c5U +.word 0x60503030U, 0x02030101U, 0xcea96767U, 0x567d2b2bU +.word 0xe719fefeU, 0xb562d7d7U, 0x4de6ababU, 0xec9a7676U +.word 0x8f45cacaU, 0x1f9d8282U, 0x8940c9c9U, 0xfa877d7dU +.word 0xef15fafaU, 0xb2eb5959U, 0x8ec94747U, 0xfb0bf0f0U +.word 0x41ecadadU, 0xb367d4d4U, 0x5ffda2a2U, 0x45eaafafU +.word 0x23bf9c9cU, 0x53f7a4a4U, 0xe4967272U, 0x9b5bc0c0U +.word 0x75c2b7b7U, 0xe11cfdfdU, 0x3dae9393U, 0x4c6a2626U +.word 0x6c5a3636U, 0x7e413f3fU, 0xf502f7f7U, 0x834fccccU +.word 0x685c3434U, 0x51f4a5a5U, 0xd134e5e5U, 0xf908f1f1U +.word 0xe2937171U, 0xab73d8d8U, 0x62533131U, 0x2a3f1515U +.word 0x080c0404U, 0x9552c7c7U, 0x46652323U, 0x9d5ec3c3U +.word 0x30281818U, 0x37a19696U, 0x0a0f0505U, 0x2fb59a9aU +.word 0x0e090707U, 0x24361212U, 0x1b9b8080U, 0xdf3de2e2U +.word 0xcd26ebebU, 0x4e692727U, 0x7fcdb2b2U, 0xea9f7575U +.word 0x121b0909U, 0x1d9e8383U, 0x58742c2cU, 0x342e1a1aU +.word 0x362d1b1bU, 0xdcb26e6eU, 0xb4ee5a5aU, 0x5bfba0a0U +.word 0xa4f65252U, 0x764d3b3bU, 0xb761d6d6U, 0x7dceb3b3U +.word 0x527b2929U, 0xdd3ee3e3U, 0x5e712f2fU, 0x13978484U +.word 0xa6f55353U, 0xb968d1d1U, 0x00000000U, 0xc12cededU +.word 0x40602020U, 0xe31ffcfcU, 0x79c8b1b1U, 0xb6ed5b5bU +.word 0xd4be6a6aU, 0x8d46cbcbU, 0x67d9bebeU, 0x724b3939U +.word 0x94de4a4aU, 0x98d44c4cU, 0xb0e85858U, 0x854acfcfU +.word 0xbb6bd0d0U, 0xc52aefefU, 0x4fe5aaaaU, 0xed16fbfbU +.word 0x86c54343U, 0x9ad74d4dU, 0x66553333U, 0x11948585U +.word 0x8acf4545U, 0xe910f9f9U, 0x04060202U, 0xfe817f7fU +.word 0xa0f05050U, 0x78443c3cU, 0x25ba9f9fU, 
0x4be3a8a8U +.word 0xa2f35151U, 0x5dfea3a3U, 0x80c04040U, 0x058a8f8fU +.word 0x3fad9292U, 0x21bc9d9dU, 0x70483838U, 0xf104f5f5U +.word 0x63dfbcbcU, 0x77c1b6b6U, 0xaf75dadaU, 0x42632121U +.word 0x20301010U, 0xe51affffU, 0xfd0ef3f3U, 0xbf6dd2d2U +.word 0x814ccdcdU, 0x18140c0cU, 0x26351313U, 0xc32fececU +.word 0xbee15f5fU, 0x35a29797U, 0x88cc4444U, 0x2e391717U +.word 0x9357c4c4U, 0x55f2a7a7U, 0xfc827e7eU, 0x7a473d3dU +.word 0xc8ac6464U, 0xbae75d5dU, 0x322b1919U, 0xe6957373U +.word 0xc0a06060U, 0x19988181U, 0x9ed14f4fU, 0xa37fdcdcU +.word 0x44662222U, 0x547e2a2aU, 0x3bab9090U, 0x0b838888U +.word 0x8cca4646U, 0xc729eeeeU, 0x6bd3b8b8U, 0x283c1414U +.word 0xa779dedeU, 0xbce25e5eU, 0x161d0b0bU, 0xad76dbdbU +.word 0xdb3be0e0U, 0x64563232U, 0x744e3a3aU, 0x141e0a0aU +.word 0x92db4949U, 0x0c0a0606U, 0x486c2424U, 0xb8e45c5cU +.word 0x9f5dc2c2U, 0xbd6ed3d3U, 0x43efacacU, 0xc4a66262U +.word 0x39a89191U, 0x31a49595U, 0xd337e4e4U, 0xf28b7979U +.word 0xd532e7e7U, 0x8b43c8c8U, 0x6e593737U, 0xdab76d6dU +.word 0x018c8d8dU, 0xb164d5d5U, 0x9cd24e4eU, 0x49e0a9a9U +.word 0xd8b46c6cU, 0xacfa5656U, 0xf307f4f4U, 0xcf25eaeaU +.word 0xcaaf6565U, 0xf48e7a7aU, 0x47e9aeaeU, 0x10180808U +.word 0x6fd5babaU, 0xf0887878U, 0x4a6f2525U, 0x5c722e2eU +.word 0x38241c1cU, 0x57f1a6a6U, 0x73c7b4b4U, 0x9751c6c6U +.word 0xcb23e8e8U, 0xa17cddddU, 0xe89c7474U, 0x3e211f1fU +.word 0x96dd4b4bU, 0x61dcbdbdU, 0x0d868b8bU, 0x0f858a8aU +.word 0xe0907070U, 0x7c423e3eU, 0x71c4b5b5U, 0xccaa6666U +.word 0x90d84848U, 0x06050303U, 0xf701f6f6U, 0x1c120e0eU +.word 0xc2a36161U, 0x6a5f3535U, 0xaef95757U, 0x69d0b9b9U +.word 0x17918686U, 0x9958c1c1U, 0x3a271d1dU, 0x27b99e9eU +.word 0xd938e1e1U, 0xeb13f8f8U, 0x2bb39898U, 0x22331111U +.word 0xd2bb6969U, 0xa970d9d9U, 0x07898e8eU, 0x33a79494U +.word 0x2db69b9bU, 0x3c221e1eU, 0x15928787U, 0xc920e9e9U +.word 0x8749ceceU, 0xaaff5555U, 0x50782828U, 0xa57adfdfU +.word 0x038f8c8cU, 0x59f8a1a1U, 0x09808989U, 0x1a170d0dU +.word 0x65dabfbfU, 0xd731e6e6U, 0x84c64242U, 0xd0b86868U +.word 
0x82c34141U, 0x29b09999U, 0x5a772d2dU, 0x1e110f0fU +.word 0x7bcbb0b0U, 0xa8fc5454U, 0x6dd6bbbbU, 0x2c3a1616U + +.p2align 12 +.type AES_Td0,\@object +AES_Td0: +.word 0x50a7f451U, 0x5365417eU, 0xc3a4171aU, 0x965e273aU +.word 0xcb6bab3bU, 0xf1459d1fU, 0xab58faacU, 0x9303e34bU +.word 0x55fa3020U, 0xf66d76adU, 0x9176cc88U, 0x254c02f5U +.word 0xfcd7e54fU, 0xd7cb2ac5U, 0x80443526U, 0x8fa362b5U +.word 0x495ab1deU, 0x671bba25U, 0x980eea45U, 0xe1c0fe5dU +.word 0x02752fc3U, 0x12f04c81U, 0xa397468dU, 0xc6f9d36bU +.word 0xe75f8f03U, 0x959c9215U, 0xeb7a6dbfU, 0xda595295U +.word 0x2d83bed4U, 0xd3217458U, 0x2969e049U, 0x44c8c98eU +.word 0x6a89c275U, 0x78798ef4U, 0x6b3e5899U, 0xdd71b927U +.word 0xb64fe1beU, 0x17ad88f0U, 0x66ac20c9U, 0xb43ace7dU +.word 0x184adf63U, 0x82311ae5U, 0x60335197U, 0x457f5362U +.word 0xe07764b1U, 0x84ae6bbbU, 0x1ca081feU, 0x942b08f9U +.word 0x58684870U, 0x19fd458fU, 0x876cde94U, 0xb7f87b52U +.word 0x23d373abU, 0xe2024b72U, 0x578f1fe3U, 0x2aab5566U +.word 0x0728ebb2U, 0x03c2b52fU, 0x9a7bc586U, 0xa50837d3U +.word 0xf2872830U, 0xb2a5bf23U, 0xba6a0302U, 0x5c8216edU +.word 0x2b1ccf8aU, 0x92b479a7U, 0xf0f207f3U, 0xa1e2694eU +.word 0xcdf4da65U, 0xd5be0506U, 0x1f6234d1U, 0x8afea6c4U +.word 0x9d532e34U, 0xa055f3a2U, 0x32e18a05U, 0x75ebf6a4U +.word 0x39ec830bU, 0xaaef6040U, 0x069f715eU, 0x51106ebdU +.word 0xf98a213eU, 0x3d06dd96U, 0xae053eddU, 0x46bde64dU +.word 0xb58d5491U, 0x055dc471U, 0x6fd40604U, 0xff155060U +.word 0x24fb9819U, 0x97e9bdd6U, 0xcc434089U, 0x779ed967U +.word 0xbd42e8b0U, 0x888b8907U, 0x385b19e7U, 0xdbeec879U +.word 0x470a7ca1U, 0xe90f427cU, 0xc91e84f8U, 0x00000000U +.word 0x83868009U, 0x48ed2b32U, 0xac70111eU, 0x4e725a6cU +.word 0xfbff0efdU, 0x5638850fU, 0x1ed5ae3dU, 0x27392d36U +.word 0x64d90f0aU, 0x21a65c68U, 0xd1545b9bU, 0x3a2e3624U +.word 0xb1670a0cU, 0x0fe75793U, 0xd296eeb4U, 0x9e919b1bU +.word 0x4fc5c080U, 0xa220dc61U, 0x694b775aU, 0x161a121cU +.word 0x0aba93e2U, 0xe52aa0c0U, 0x43e0223cU, 0x1d171b12U +.word 0x0b0d090eU, 0xadc78bf2U, 
0xb9a8b62dU, 0xc8a91e14U +.word 0x8519f157U, 0x4c0775afU, 0xbbdd99eeU, 0xfd607fa3U +.word 0x9f2601f7U, 0xbcf5725cU, 0xc53b6644U, 0x347efb5bU +.word 0x7629438bU, 0xdcc623cbU, 0x68fcedb6U, 0x63f1e4b8U +.word 0xcadc31d7U, 0x10856342U, 0x40229713U, 0x2011c684U +.word 0x7d244a85U, 0xf83dbbd2U, 0x1132f9aeU, 0x6da129c7U +.word 0x4b2f9e1dU, 0xf330b2dcU, 0xec52860dU, 0xd0e3c177U +.word 0x6c16b32bU, 0x99b970a9U, 0xfa489411U, 0x2264e947U +.word 0xc48cfca8U, 0x1a3ff0a0U, 0xd82c7d56U, 0xef903322U +.word 0xc74e4987U, 0xc1d138d9U, 0xfea2ca8cU, 0x360bd498U +.word 0xcf81f5a6U, 0x28de7aa5U, 0x268eb7daU, 0xa4bfad3fU +.word 0xe49d3a2cU, 0x0d927850U, 0x9bcc5f6aU, 0x62467e54U +.word 0xc2138df6U, 0xe8b8d890U, 0x5ef7392eU, 0xf5afc382U +.word 0xbe805d9fU, 0x7c93d069U, 0xa92dd56fU, 0xb31225cfU +.word 0x3b99acc8U, 0xa77d1810U, 0x6e639ce8U, 0x7bbb3bdbU +.word 0x097826cdU, 0xf418596eU, 0x01b79aecU, 0xa89a4f83U +.word 0x656e95e6U, 0x7ee6ffaaU, 0x08cfbc21U, 0xe6e815efU +.word 0xd99be7baU, 0xce366f4aU, 0xd4099feaU, 0xd67cb029U +.word 0xafb2a431U, 0x31233f2aU, 0x3094a5c6U, 0xc066a235U +.word 0x37bc4e74U, 0xa6ca82fcU, 0xb0d090e0U, 0x15d8a733U +.word 0x4a9804f1U, 0xf7daec41U, 0x0e50cd7fU, 0x2ff69117U +.word 0x8dd64d76U, 0x4db0ef43U, 0x544daaccU, 0xdf0496e4U +.word 0xe3b5d19eU, 0x1b886a4cU, 0xb81f2cc1U, 0x7f516546U +.word 0x04ea5e9dU, 0x5d358c01U, 0x737487faU, 0x2e410bfbU +.word 0x5a1d67b3U, 0x52d2db92U, 0x335610e9U, 0x1347d66dU +.word 0x8c61d79aU, 0x7a0ca137U, 0x8e14f859U, 0x893c13ebU +.word 0xee27a9ceU, 0x35c961b7U, 0xede51ce1U, 0x3cb1477aU +.word 0x59dfd29cU, 0x3f73f255U, 0x79ce1418U, 0xbf37c773U +.word 0xeacdf753U, 0x5baafd5fU, 0x146f3ddfU, 0x86db4478U +.word 0x81f3afcaU, 0x3ec468b9U, 0x2c342438U, 0x5f40a3c2U +.word 0x72c31d16U, 0x0c25e2bcU, 0x8b493c28U, 0x41950dffU +.word 0x7101a839U, 0xdeb30c08U, 0x9ce4b4d8U, 0x90c15664U +.word 0x6184cb7bU, 0x70b632d5U, 0x745c6c48U, 0x4257b8d0U + +.type AES_Td1,\@object +AES_Td1: +.word 0xa7f45150U, 0x65417e53U, 0xa4171ac3U, 0x5e273a96U +.word 0x6bab3bcbU, 
0x459d1ff1U, 0x58faacabU, 0x03e34b93U +.word 0xfa302055U, 0x6d76adf6U, 0x76cc8891U, 0x4c02f525U +.word 0xd7e54ffcU, 0xcb2ac5d7U, 0x44352680U, 0xa362b58fU +.word 0x5ab1de49U, 0x1bba2567U, 0x0eea4598U, 0xc0fe5de1U +.word 0x752fc302U, 0xf04c8112U, 0x97468da3U, 0xf9d36bc6U +.word 0x5f8f03e7U, 0x9c921595U, 0x7a6dbfebU, 0x595295daU +.word 0x83bed42dU, 0x217458d3U, 0x69e04929U, 0xc8c98e44U +.word 0x89c2756aU, 0x798ef478U, 0x3e58996bU, 0x71b927ddU +.word 0x4fe1beb6U, 0xad88f017U, 0xac20c966U, 0x3ace7db4U +.word 0x4adf6318U, 0x311ae582U, 0x33519760U, 0x7f536245U +.word 0x7764b1e0U, 0xae6bbb84U, 0xa081fe1cU, 0x2b08f994U +.word 0x68487058U, 0xfd458f19U, 0x6cde9487U, 0xf87b52b7U +.word 0xd373ab23U, 0x024b72e2U, 0x8f1fe357U, 0xab55662aU +.word 0x28ebb207U, 0xc2b52f03U, 0x7bc5869aU, 0x0837d3a5U +.word 0x872830f2U, 0xa5bf23b2U, 0x6a0302baU, 0x8216ed5cU +.word 0x1ccf8a2bU, 0xb479a792U, 0xf207f3f0U, 0xe2694ea1U +.word 0xf4da65cdU, 0xbe0506d5U, 0x6234d11fU, 0xfea6c48aU +.word 0x532e349dU, 0x55f3a2a0U, 0xe18a0532U, 0xebf6a475U +.word 0xec830b39U, 0xef6040aaU, 0x9f715e06U, 0x106ebd51U +.word 0x8a213ef9U, 0x06dd963dU, 0x053eddaeU, 0xbde64d46U +.word 0x8d5491b5U, 0x5dc47105U, 0xd406046fU, 0x155060ffU +.word 0xfb981924U, 0xe9bdd697U, 0x434089ccU, 0x9ed96777U +.word 0x42e8b0bdU, 0x8b890788U, 0x5b19e738U, 0xeec879dbU +.word 0x0a7ca147U, 0x0f427ce9U, 0x1e84f8c9U, 0x00000000U +.word 0x86800983U, 0xed2b3248U, 0x70111eacU, 0x725a6c4eU +.word 0xff0efdfbU, 0x38850f56U, 0xd5ae3d1eU, 0x392d3627U +.word 0xd90f0a64U, 0xa65c6821U, 0x545b9bd1U, 0x2e36243aU +.word 0x670a0cb1U, 0xe757930fU, 0x96eeb4d2U, 0x919b1b9eU +.word 0xc5c0804fU, 0x20dc61a2U, 0x4b775a69U, 0x1a121c16U +.word 0xba93e20aU, 0x2aa0c0e5U, 0xe0223c43U, 0x171b121dU +.word 0x0d090e0bU, 0xc78bf2adU, 0xa8b62db9U, 0xa91e14c8U +.word 0x19f15785U, 0x0775af4cU, 0xdd99eebbU, 0x607fa3fdU +.word 0x2601f79fU, 0xf5725cbcU, 0x3b6644c5U, 0x7efb5b34U +.word 0x29438b76U, 0xc623cbdcU, 0xfcedb668U, 0xf1e4b863U +.word 0xdc31d7caU, 0x85634210U, 0x22971340U, 
0x11c68420U +.word 0x244a857dU, 0x3dbbd2f8U, 0x32f9ae11U, 0xa129c76dU +.word 0x2f9e1d4bU, 0x30b2dcf3U, 0x52860decU, 0xe3c177d0U +.word 0x16b32b6cU, 0xb970a999U, 0x489411faU, 0x64e94722U +.word 0x8cfca8c4U, 0x3ff0a01aU, 0x2c7d56d8U, 0x903322efU +.word 0x4e4987c7U, 0xd138d9c1U, 0xa2ca8cfeU, 0x0bd49836U +.word 0x81f5a6cfU, 0xde7aa528U, 0x8eb7da26U, 0xbfad3fa4U +.word 0x9d3a2ce4U, 0x9278500dU, 0xcc5f6a9bU, 0x467e5462U +.word 0x138df6c2U, 0xb8d890e8U, 0xf7392e5eU, 0xafc382f5U +.word 0x805d9fbeU, 0x93d0697cU, 0x2dd56fa9U, 0x1225cfb3U +.word 0x99acc83bU, 0x7d1810a7U, 0x639ce86eU, 0xbb3bdb7bU +.word 0x7826cd09U, 0x18596ef4U, 0xb79aec01U, 0x9a4f83a8U +.word 0x6e95e665U, 0xe6ffaa7eU, 0xcfbc2108U, 0xe815efe6U +.word 0x9be7bad9U, 0x366f4aceU, 0x099fead4U, 0x7cb029d6U +.word 0xb2a431afU, 0x233f2a31U, 0x94a5c630U, 0x66a235c0U +.word 0xbc4e7437U, 0xca82fca6U, 0xd090e0b0U, 0xd8a73315U +.word 0x9804f14aU, 0xdaec41f7U, 0x50cd7f0eU, 0xf691172fU +.word 0xd64d768dU, 0xb0ef434dU, 0x4daacc54U, 0x0496e4dfU +.word 0xb5d19ee3U, 0x886a4c1bU, 0x1f2cc1b8U, 0x5165467fU +.word 0xea5e9d04U, 0x358c015dU, 0x7487fa73U, 0x410bfb2eU +.word 0x1d67b35aU, 0xd2db9252U, 0x5610e933U, 0x47d66d13U +.word 0x61d79a8cU, 0x0ca1377aU, 0x14f8598eU, 0x3c13eb89U +.word 0x27a9ceeeU, 0xc961b735U, 0xe51ce1edU, 0xb1477a3cU +.word 0xdfd29c59U, 0x73f2553fU, 0xce141879U, 0x37c773bfU +.word 0xcdf753eaU, 0xaafd5f5bU, 0x6f3ddf14U, 0xdb447886U +.word 0xf3afca81U, 0xc468b93eU, 0x3424382cU, 0x40a3c25fU +.word 0xc31d1672U, 0x25e2bc0cU, 0x493c288bU, 0x950dff41U +.word 0x01a83971U, 0xb30c08deU, 0xe4b4d89cU, 0xc1566490U +.word 0x84cb7b61U, 0xb632d570U, 0x5c6c4874U, 0x57b8d042U + +.type AES_Td2,\@object +AES_Td2: +.word 0xf45150a7U, 0x417e5365U, 0x171ac3a4U, 0x273a965eU +.word 0xab3bcb6bU, 0x9d1ff145U, 0xfaacab58U, 0xe34b9303U +.word 0x302055faU, 0x76adf66dU, 0xcc889176U, 0x02f5254cU +.word 0xe54ffcd7U, 0x2ac5d7cbU, 0x35268044U, 0x62b58fa3U +.word 0xb1de495aU, 0xba25671bU, 0xea45980eU, 0xfe5de1c0U +.word 0x2fc30275U, 0x4c8112f0U, 
0x468da397U, 0xd36bc6f9U +.word 0x8f03e75fU, 0x9215959cU, 0x6dbfeb7aU, 0x5295da59U +.word 0xbed42d83U, 0x7458d321U, 0xe0492969U, 0xc98e44c8U +.word 0xc2756a89U, 0x8ef47879U, 0x58996b3eU, 0xb927dd71U +.word 0xe1beb64fU, 0x88f017adU, 0x20c966acU, 0xce7db43aU +.word 0xdf63184aU, 0x1ae58231U, 0x51976033U, 0x5362457fU +.word 0x64b1e077U, 0x6bbb84aeU, 0x81fe1ca0U, 0x08f9942bU +.word 0x48705868U, 0x458f19fdU, 0xde94876cU, 0x7b52b7f8U +.word 0x73ab23d3U, 0x4b72e202U, 0x1fe3578fU, 0x55662aabU +.word 0xebb20728U, 0xb52f03c2U, 0xc5869a7bU, 0x37d3a508U +.word 0x2830f287U, 0xbf23b2a5U, 0x0302ba6aU, 0x16ed5c82U +.word 0xcf8a2b1cU, 0x79a792b4U, 0x07f3f0f2U, 0x694ea1e2U +.word 0xda65cdf4U, 0x0506d5beU, 0x34d11f62U, 0xa6c48afeU +.word 0x2e349d53U, 0xf3a2a055U, 0x8a0532e1U, 0xf6a475ebU +.word 0x830b39ecU, 0x6040aaefU, 0x715e069fU, 0x6ebd5110U +.word 0x213ef98aU, 0xdd963d06U, 0x3eddae05U, 0xe64d46bdU +.word 0x5491b58dU, 0xc471055dU, 0x06046fd4U, 0x5060ff15U +.word 0x981924fbU, 0xbdd697e9U, 0x4089cc43U, 0xd967779eU +.word 0xe8b0bd42U, 0x8907888bU, 0x19e7385bU, 0xc879dbeeU +.word 0x7ca1470aU, 0x427ce90fU, 0x84f8c91eU, 0x00000000U +.word 0x80098386U, 0x2b3248edU, 0x111eac70U, 0x5a6c4e72U +.word 0x0efdfbffU, 0x850f5638U, 0xae3d1ed5U, 0x2d362739U +.word 0x0f0a64d9U, 0x5c6821a6U, 0x5b9bd154U, 0x36243a2eU +.word 0x0a0cb167U, 0x57930fe7U, 0xeeb4d296U, 0x9b1b9e91U +.word 0xc0804fc5U, 0xdc61a220U, 0x775a694bU, 0x121c161aU +.word 0x93e20abaU, 0xa0c0e52aU, 0x223c43e0U, 0x1b121d17U +.word 0x090e0b0dU, 0x8bf2adc7U, 0xb62db9a8U, 0x1e14c8a9U +.word 0xf1578519U, 0x75af4c07U, 0x99eebbddU, 0x7fa3fd60U +.word 0x01f79f26U, 0x725cbcf5U, 0x6644c53bU, 0xfb5b347eU +.word 0x438b7629U, 0x23cbdcc6U, 0xedb668fcU, 0xe4b863f1U +.word 0x31d7cadcU, 0x63421085U, 0x97134022U, 0xc6842011U +.word 0x4a857d24U, 0xbbd2f83dU, 0xf9ae1132U, 0x29c76da1U +.word 0x9e1d4b2fU, 0xb2dcf330U, 0x860dec52U, 0xc177d0e3U +.word 0xb32b6c16U, 0x70a999b9U, 0x9411fa48U, 0xe9472264U +.word 0xfca8c48cU, 0xf0a01a3fU, 0x7d56d82cU, 0x3322ef90U 
+.word 0x4987c74eU, 0x38d9c1d1U, 0xca8cfea2U, 0xd498360bU +.word 0xf5a6cf81U, 0x7aa528deU, 0xb7da268eU, 0xad3fa4bfU +.word 0x3a2ce49dU, 0x78500d92U, 0x5f6a9bccU, 0x7e546246U +.word 0x8df6c213U, 0xd890e8b8U, 0x392e5ef7U, 0xc382f5afU +.word 0x5d9fbe80U, 0xd0697c93U, 0xd56fa92dU, 0x25cfb312U +.word 0xacc83b99U, 0x1810a77dU, 0x9ce86e63U, 0x3bdb7bbbU +.word 0x26cd0978U, 0x596ef418U, 0x9aec01b7U, 0x4f83a89aU +.word 0x95e6656eU, 0xffaa7ee6U, 0xbc2108cfU, 0x15efe6e8U +.word 0xe7bad99bU, 0x6f4ace36U, 0x9fead409U, 0xb029d67cU +.word 0xa431afb2U, 0x3f2a3123U, 0xa5c63094U, 0xa235c066U +.word 0x4e7437bcU, 0x82fca6caU, 0x90e0b0d0U, 0xa73315d8U +.word 0x04f14a98U, 0xec41f7daU, 0xcd7f0e50U, 0x91172ff6U +.word 0x4d768dd6U, 0xef434db0U, 0xaacc544dU, 0x96e4df04U +.word 0xd19ee3b5U, 0x6a4c1b88U, 0x2cc1b81fU, 0x65467f51U +.word 0x5e9d04eaU, 0x8c015d35U, 0x87fa7374U, 0x0bfb2e41U +.word 0x67b35a1dU, 0xdb9252d2U, 0x10e93356U, 0xd66d1347U +.word 0xd79a8c61U, 0xa1377a0cU, 0xf8598e14U, 0x13eb893cU +.word 0xa9ceee27U, 0x61b735c9U, 0x1ce1ede5U, 0x477a3cb1U +.word 0xd29c59dfU, 0xf2553f73U, 0x141879ceU, 0xc773bf37U +.word 0xf753eacdU, 0xfd5f5baaU, 0x3ddf146fU, 0x447886dbU +.word 0xafca81f3U, 0x68b93ec4U, 0x24382c34U, 0xa3c25f40U +.word 0x1d1672c3U, 0xe2bc0c25U, 0x3c288b49U, 0x0dff4195U +.word 0xa8397101U, 0x0c08deb3U, 0xb4d89ce4U, 0x566490c1U +.word 0xcb7b6184U, 0x32d570b6U, 0x6c48745cU, 0xb8d04257U + +.type AES_Td3,\@object +AES_Td3: +.word 0x5150a7f4U, 0x7e536541U, 0x1ac3a417U, 0x3a965e27U +.word 0x3bcb6babU, 0x1ff1459dU, 0xacab58faU, 0x4b9303e3U +.word 0x2055fa30U, 0xadf66d76U, 0x889176ccU, 0xf5254c02U +.word 0x4ffcd7e5U, 0xc5d7cb2aU, 0x26804435U, 0xb58fa362U +.word 0xde495ab1U, 0x25671bbaU, 0x45980eeaU, 0x5de1c0feU +.word 0xc302752fU, 0x8112f04cU, 0x8da39746U, 0x6bc6f9d3U +.word 0x03e75f8fU, 0x15959c92U, 0xbfeb7a6dU, 0x95da5952U +.word 0xd42d83beU, 0x58d32174U, 0x492969e0U, 0x8e44c8c9U +.word 0x756a89c2U, 0xf478798eU, 0x996b3e58U, 0x27dd71b9U +.word 0xbeb64fe1U, 0xf017ad88U, 0xc966ac20U, 
0x7db43aceU +.word 0x63184adfU, 0xe582311aU, 0x97603351U, 0x62457f53U +.word 0xb1e07764U, 0xbb84ae6bU, 0xfe1ca081U, 0xf9942b08U +.word 0x70586848U, 0x8f19fd45U, 0x94876cdeU, 0x52b7f87bU +.word 0xab23d373U, 0x72e2024bU, 0xe3578f1fU, 0x662aab55U +.word 0xb20728ebU, 0x2f03c2b5U, 0x869a7bc5U, 0xd3a50837U +.word 0x30f28728U, 0x23b2a5bfU, 0x02ba6a03U, 0xed5c8216U +.word 0x8a2b1ccfU, 0xa792b479U, 0xf3f0f207U, 0x4ea1e269U +.word 0x65cdf4daU, 0x06d5be05U, 0xd11f6234U, 0xc48afea6U +.word 0x349d532eU, 0xa2a055f3U, 0x0532e18aU, 0xa475ebf6U +.word 0x0b39ec83U, 0x40aaef60U, 0x5e069f71U, 0xbd51106eU +.word 0x3ef98a21U, 0x963d06ddU, 0xddae053eU, 0x4d46bde6U +.word 0x91b58d54U, 0x71055dc4U, 0x046fd406U, 0x60ff1550U +.word 0x1924fb98U, 0xd697e9bdU, 0x89cc4340U, 0x67779ed9U +.word 0xb0bd42e8U, 0x07888b89U, 0xe7385b19U, 0x79dbeec8U +.word 0xa1470a7cU, 0x7ce90f42U, 0xf8c91e84U, 0x00000000U +.word 0x09838680U, 0x3248ed2bU, 0x1eac7011U, 0x6c4e725aU +.word 0xfdfbff0eU, 0x0f563885U, 0x3d1ed5aeU, 0x3627392dU +.word 0x0a64d90fU, 0x6821a65cU, 0x9bd1545bU, 0x243a2e36U +.word 0x0cb1670aU, 0x930fe757U, 0xb4d296eeU, 0x1b9e919bU +.word 0x804fc5c0U, 0x61a220dcU, 0x5a694b77U, 0x1c161a12U +.word 0xe20aba93U, 0xc0e52aa0U, 0x3c43e022U, 0x121d171bU +.word 0x0e0b0d09U, 0xf2adc78bU, 0x2db9a8b6U, 0x14c8a91eU +.word 0x578519f1U, 0xaf4c0775U, 0xeebbdd99U, 0xa3fd607fU +.word 0xf79f2601U, 0x5cbcf572U, 0x44c53b66U, 0x5b347efbU +.word 0x8b762943U, 0xcbdcc623U, 0xb668fcedU, 0xb863f1e4U +.word 0xd7cadc31U, 0x42108563U, 0x13402297U, 0x842011c6U +.word 0x857d244aU, 0xd2f83dbbU, 0xae1132f9U, 0xc76da129U +.word 0x1d4b2f9eU, 0xdcf330b2U, 0x0dec5286U, 0x77d0e3c1U +.word 0x2b6c16b3U, 0xa999b970U, 0x11fa4894U, 0x472264e9U +.word 0xa8c48cfcU, 0xa01a3ff0U, 0x56d82c7dU, 0x22ef9033U +.word 0x87c74e49U, 0xd9c1d138U, 0x8cfea2caU, 0x98360bd4U +.word 0xa6cf81f5U, 0xa528de7aU, 0xda268eb7U, 0x3fa4bfadU +.word 0x2ce49d3aU, 0x500d9278U, 0x6a9bcc5fU, 0x5462467eU +.word 0xf6c2138dU, 0x90e8b8d8U, 0x2e5ef739U, 0x82f5afc3U +.word 
0x9fbe805dU, 0x697c93d0U, 0x6fa92dd5U, 0xcfb31225U +.word 0xc83b99acU, 0x10a77d18U, 0xe86e639cU, 0xdb7bbb3bU +.word 0xcd097826U, 0x6ef41859U, 0xec01b79aU, 0x83a89a4fU +.word 0xe6656e95U, 0xaa7ee6ffU, 0x2108cfbcU, 0xefe6e815U +.word 0xbad99be7U, 0x4ace366fU, 0xead4099fU, 0x29d67cb0U +.word 0x31afb2a4U, 0x2a31233fU, 0xc63094a5U, 0x35c066a2U +.word 0x7437bc4eU, 0xfca6ca82U, 0xe0b0d090U, 0x3315d8a7U +.word 0xf14a9804U, 0x41f7daecU, 0x7f0e50cdU, 0x172ff691U +.word 0x768dd64dU, 0x434db0efU, 0xcc544daaU, 0xe4df0496U +.word 0x9ee3b5d1U, 0x4c1b886aU, 0xc1b81f2cU, 0x467f5165U +.word 0x9d04ea5eU, 0x015d358cU, 0xfa737487U, 0xfb2e410bU +.word 0xb35a1d67U, 0x9252d2dbU, 0xe9335610U, 0x6d1347d6U +.word 0x9a8c61d7U, 0x377a0ca1U, 0x598e14f8U, 0xeb893c13U +.word 0xceee27a9U, 0xb735c961U, 0xe1ede51cU, 0x7a3cb147U +.word 0x9c59dfd2U, 0x553f73f2U, 0x1879ce14U, 0x73bf37c7U +.word 0x53eacdf7U, 0x5f5baafdU, 0xdf146f3dU, 0x7886db44U +.word 0xca81f3afU, 0xb93ec468U, 0x382c3424U, 0xc25f40a3U +.word 0x1672c31dU, 0xbc0c25e2U, 0x288b493cU, 0xff41950dU +.word 0x397101a8U, 0x08deb30cU, 0xd89ce4b4U, 0x6490c156U +.word 0x7b6184cbU, 0xd570b632U, 0x48745c6cU, 0xd04257b8U + +.type AES_Td4,\@object +AES_Td4: +.byte 0x52U, 0x09U, 0x6aU, 0xd5U, 0x30U, 0x36U, 0xa5U, 0x38U +.byte 0xbfU, 0x40U, 0xa3U, 0x9eU, 0x81U, 0xf3U, 0xd7U, 0xfbU +.byte 0x7cU, 0xe3U, 0x39U, 0x82U, 0x9bU, 0x2fU, 0xffU, 0x87U +.byte 0x34U, 0x8eU, 0x43U, 0x44U, 0xc4U, 0xdeU, 0xe9U, 0xcbU +.byte 0x54U, 0x7bU, 0x94U, 0x32U, 0xa6U, 0xc2U, 0x23U, 0x3dU +.byte 0xeeU, 0x4cU, 0x95U, 0x0bU, 0x42U, 0xfaU, 0xc3U, 0x4eU +.byte 0x08U, 0x2eU, 0xa1U, 0x66U, 0x28U, 0xd9U, 0x24U, 0xb2U +.byte 0x76U, 0x5bU, 0xa2U, 0x49U, 0x6dU, 0x8bU, 0xd1U, 0x25U +.byte 0x72U, 0xf8U, 0xf6U, 0x64U, 0x86U, 0x68U, 0x98U, 0x16U +.byte 0xd4U, 0xa4U, 0x5cU, 0xccU, 0x5dU, 0x65U, 0xb6U, 0x92U +.byte 0x6cU, 0x70U, 0x48U, 0x50U, 0xfdU, 0xedU, 0xb9U, 0xdaU +.byte 0x5eU, 0x15U, 0x46U, 0x57U, 0xa7U, 0x8dU, 0x9dU, 0x84U +.byte 0x90U, 0xd8U, 0xabU, 0x00U, 0x8cU, 0xbcU, 0xd3U, 0x0aU 
+.byte 0xf7U, 0xe4U, 0x58U, 0x05U, 0xb8U, 0xb3U, 0x45U, 0x06U
+.byte 0xd0U, 0x2cU, 0x1eU, 0x8fU, 0xcaU, 0x3fU, 0x0fU, 0x02U
+.byte 0xc1U, 0xafU, 0xbdU, 0x03U, 0x01U, 0x13U, 0x8aU, 0x6bU
+.byte 0x3aU, 0x91U, 0x11U, 0x41U, 0x4fU, 0x67U, 0xdcU, 0xeaU
+.byte 0x97U, 0xf2U, 0xcfU, 0xceU, 0xf0U, 0xb4U, 0xe6U, 0x73U
+.byte 0x96U, 0xacU, 0x74U, 0x22U, 0xe7U, 0xadU, 0x35U, 0x85U
+.byte 0xe2U, 0xf9U, 0x37U, 0xe8U, 0x1cU, 0x75U, 0xdfU, 0x6eU
+.byte 0x47U, 0xf1U, 0x1aU, 0x71U, 0x1dU, 0x29U, 0xc5U, 0x89U
+.byte 0x6fU, 0xb7U, 0x62U, 0x0eU, 0xaaU, 0x18U, 0xbeU, 0x1bU
+.byte 0xfcU, 0x56U, 0x3eU, 0x4bU, 0xc6U, 0xd2U, 0x79U, 0x20U
+.byte 0x9aU, 0xdbU, 0xc0U, 0xfeU, 0x78U, 0xcdU, 0x5aU, 0xf4U
+.byte 0x1fU, 0xddU, 0xa8U, 0x33U, 0x88U, 0x07U, 0xc7U, 0x31U
+.byte 0xb1U, 0x12U, 0x10U, 0x59U, 0x27U, 0x80U, 0xecU, 0x5fU
+.byte 0x60U, 0x51U, 0x7fU, 0xa9U, 0x19U, 0xb5U, 0x4aU, 0x0dU
+.byte 0x2dU, 0xe5U, 0x7aU, 0x9fU, 0x93U, 0xc9U, 0x9cU, 0xefU
+.byte 0xa0U, 0xe0U, 0x3bU, 0x4dU, 0xaeU, 0x2aU, 0xf5U, 0xb0U
+.byte 0xc8U, 0xebU, 0xbbU, 0x3cU, 0x83U, 0x53U, 0x99U, 0x61U
+.byte 0x17U, 0x2bU, 0x04U, 0x7eU, 0xbaU, 0x77U, 0xd6U, 0x26U
+.byte 0xe1U, 0x69U, 0x14U, 0x63U, 0x55U, 0x21U, 0x0cU, 0x7dU
+
+.type AES_rcon,\@object
+AES_rcon:
+.word 0x00000001U, 0x00000002U, 0x00000004U, 0x00000008U
+.word 0x00000010U, 0x00000020U, 0x00000040U, 0x00000080U
+.word 0x0000001BU, 0x00000036U
+___
+
+print $code;
+close STDOUT or die "error closing STDOUT: $!";
diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl
index 6a7bf05d1..ea7421731 100755
--- a/crypto/aes/asm/aesv8-armx.pl
+++ b/crypto/aes/asm/aesv8-armx.pl
@@ -120,6 +120,8 @@
.Lenc_key:
___
$code.=<<___ if ($flavour =~ /64/);
+ AARCH64_VALID_CALL_TARGET
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
stp x29,x30,[sp,#-16]!
add x29,sp,#0
___
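Review bot: The comment added above the `stp` in `.Lenc_key` says x30 is pushed but never popped without stating why that matters for the macro choice, and the same wording is added in the `${prefix}_cbc_encrypt` and `${prefix}_ctr32_encrypt_blocks` hunks. If, as the comment says, x30 is never restored from the stack, the consequence a reader needs is that the return address cannot be altered through memory, so only a BTI landing pad is emitted and no SIGN/VALIDATE pair is required; I would write it as `// Armv8.3-A PAuth: x30 is pushed here but never reloaded from the stack, so only a BTI landing pad (AARCH64_VALID_CALL_TARGET) is needed, not a SIGN/VALIDATE pair.` The rest of the function body is outside the hunk, so whether x30 is truly never reloaded cannot be confirmed from here.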
@@ -295,7 +297,7 @@
${prefix}_set_decrypt_key:
___
$code.=<<___ if ($flavour =~ /64/);
- .inst 0xd503233f // paciasp
+ AARCH64_SIGN_LINK_REGISTER
stp x29,x30,[sp,#-16]!
add x29,sp,#0
___
@@ -339,7 +341,7 @@
___
$code.=<<___ if ($flavour =~ /64/);
ldp x29,x30,[sp],#16
- .inst 0xd50323bf // autiasp
+ AARCH64_VALIDATE_LINK_REGISTER
ret
___
$code.=<<___;
@@ -359,6 +361,11 @@ ()
.type ${prefix}_${dir}crypt,%function
.align 5
${prefix}_${dir}crypt:
+___
+$code.=<<___ if ($flavour =~ /64/);
+ AARCH64_VALID_CALL_TARGET
+___
+$code.=<<___;
ldr $rounds,[$key,#240]
vld1.32 {$rndkey0},[$key],#16
vld1.8 {$inout},[$inp]
@@ -410,7 +417,7 @@ ()
# If lsize < 3*16 bytes, treat them as the tail, interleave the
# two blocks AES instructions.
# There is one special case, if the original input data size dsize
-# = 16 bytes, we will treat it seperately to improve the
+# = 16 bytes, we will treat it separately to improve the
# performance: one independent code block without LR, FP load and
# store, just looks like what the original ECB implementation does.
@@ -442,6 +449,7 @@ ()
${prefix}_ecb_encrypt:
___
$code.=<<___ if ($flavour =~ /64/);
+ AARCH64_VALID_CALL_TARGET
subs $len,$len,#16
// Original input data size bigger than 16, jump to big size processing.
b.ne .Lecb_big_size
@@ -1236,6 +1244,8 @@ ()
${prefix}_cbc_encrypt:
___
$code.=<<___ if ($flavour =~ /64/);
+ AARCH64_VALID_CALL_TARGET
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
stp x29,x30,[sp,#-16]!
add x29,sp,#0
___
@@ -1764,6 +1774,8 @@ ()
${prefix}_ctr32_encrypt_blocks:
___
$code.=<<___ if ($flavour =~ /64/);
+ AARCH64_VALID_CALL_TARGET
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
stp x29,x30,[sp,#-16]!
add x29,sp,#0
___
@@ -2210,7 +2222,7 @@ ()
# will be processed specially, which be integrated into the 5*16 bytes
# loop to improve the efficiency.
# There is one special case, if the original input data size dsize
-# = 16 bytes, we will treat it seperately to improve the
+# = 16 bytes, we will treat it separately to improve the
# performance: one independent code block without LR, FP load and
# store.
# Encryption will process the (length -tailcnt) bytes as mentioned
@@ -2256,6 +2268,7 @@ ()
${prefix}_xts_encrypt:
___
$code.=<<___ if ($flavour =~ /64/);
+ AARCH64_VALID_CALL_TARGET
cmp $len,#16
// Original input data size bigger than 16, jump to big size processing.
b.ne .Lxts_enc_big_size
@@ -2930,6 +2943,7 @@ ()
.type ${prefix}_xts_decrypt,%function
.align 5
${prefix}_xts_decrypt:
+ AARCH64_VALID_CALL_TARGET
___
$code.=<<___ if ($flavour =~ /64/);
cmp $len,#16
@@ -3541,7 +3555,7 @@ ()
cbnz x2,.Lxts_dec_1st_done
vld1.32 {$dat0},[$inp],#16
- // Decrypt the last secod block to get the last plain text block
+ // Decrypt the last second block to get the last plain text block
.Lxts_dec_1st_done:
eor $tmpin,$dat0,$iv1
ldr $rounds,[$key1,#240]
@@ -3659,6 +3673,9 @@ ()
s/\.[ui]?64//o and s/\.16b/\.2d/go;
s/\.[42]([sd])\[([0-3])\]/\.$1\[$2\]/o;
+ # Switch preprocessor checks to aarch64 versions.
+ s/__ARME([BL])__/__AARCH64E$1__/go;
+
print $_,"\n";
}
} else { ######## 32-bit code
diff --git a/crypto/aes/asm/bsaes-armv8.pl b/crypto/aes/asm/bsaes-armv8.pl
new file mode 100644
index 000000000..3c2e8bdc9
--- /dev/null
+++ b/crypto/aes/asm/bsaes-armv8.pl
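Review bot: In the `${prefix}_xts_decrypt` hunk the `AARCH64_VALID_CALL_TARGET` line is emitted before the `___` that closes the heredoc containing the label, whereas every other entry point touched by this commit (`${prefix}_xts_encrypt`, `${prefix}_ecb_encrypt`, `${prefix}_cbc_encrypt`, `${prefix}_ctr32_encrypt_blocks`) places it inside the following `$code.=<<___ if ($flavour =~ /64/);` block. The opener of the heredoc that holds the label is outside the hunk; if that heredoc is unconditional the macro would also reach the 32-bit output, and if it is already guarded by `$flavour =~ /64/` the placement is only inconsistent with its siblings. Moving the line to just after `$code.=<<___ if ($flavour =~ /64/);` and before `cmp $len,#16` matches the other hunks and removes the doubt either way.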
@@ -0,0 +1,2378 @@
+#!/usr/bin/env perl
+# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+
+my $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
+my $flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
+my $xlate;
+
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; my $dir=$1;
+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate ) or
+die "can't locate arm-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
+
+my $code = data();
+print $code;
+
+close STDOUT or die "error closing STDOUT: $!"; # enforce flush
+
+sub data
+{
+ local $/;
+ return ;
+}
+
+__END__
+// Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
+//
+// Licensed under the OpenSSL license (the "License"). You may not use
+// this file except in compliance with the License. You can obtain a copy
+// in the file LICENSE in the source distribution or at
+// https://www.openssl.org/source/license.html
+//
+// ====================================================================
+// Written by Ben Avison for the OpenSSL
+// project. Rights for redistribution and usage in source and binary
+// forms are granted according to the OpenSSL license.
+// ====================================================================
+//
+// This implementation is a translation of bsaes-armv7 for AArch64.
+// No attempt has been made to carry across the build switches for
+// kernel targets, since the Linux kernel crypto support has moved on
+// from when it was based on OpenSSL.
+
+// A lot of hand-scheduling has been performed.
Consequently, this code +// doesn't factor out neatly into macros in the same way that the +// AArch32 version did, and there is little to be gained by wrapping it +// up in Perl, and it is presented as pure assembly. + + +#include "crypto/arm_arch.h" + +.text + +.extern AES_cbc_encrypt +.extern AES_encrypt +.extern AES_decrypt + +.type _bsaes_decrypt8,%function +.align 4 +// On entry: +// x9 -> key (previously expanded using _bsaes_key_convert) +// x10 = number of rounds +// v0-v7 input data +// On exit: +// x9-x11 corrupted +// other general-purpose registers preserved +// v0-v7 output data +// v11-v15 preserved +// other SIMD registers corrupted +_bsaes_decrypt8: + ldr q8, [x9], #16 + adr x11, .LM0ISR + movi v9.16b, #0x55 + ldr q10, [x11], #16 + movi v16.16b, #0x33 + movi v17.16b, #0x0f + sub x10, x10, #1 + eor v0.16b, v0.16b, v8.16b + eor v1.16b, v1.16b, v8.16b + eor v2.16b, v2.16b, v8.16b + eor v4.16b, v4.16b, v8.16b + eor v3.16b, v3.16b, v8.16b + eor v5.16b, v5.16b, v8.16b + tbl v0.16b, {v0.16b}, v10.16b + tbl v1.16b, {v1.16b}, v10.16b + tbl v2.16b, {v2.16b}, v10.16b + tbl v4.16b, {v4.16b}, v10.16b + eor v6.16b, v6.16b, v8.16b + eor v7.16b, v7.16b, v8.16b + tbl v3.16b, {v3.16b}, v10.16b + tbl v5.16b, {v5.16b}, v10.16b + tbl v6.16b, {v6.16b}, v10.16b + ushr v8.2d, v0.2d, #1 + tbl v7.16b, {v7.16b}, v10.16b + ushr v10.2d, v4.2d, #1 + ushr v18.2d, v2.2d, #1 + eor v8.16b, v8.16b, v1.16b + ushr v19.2d, v6.2d, #1 + eor v10.16b, v10.16b, v5.16b + eor v18.16b, v18.16b, v3.16b + and v8.16b, v8.16b, v9.16b + eor v19.16b, v19.16b, v7.16b + and v10.16b, v10.16b, v9.16b + and v18.16b, v18.16b, v9.16b + eor v1.16b, v1.16b, v8.16b + shl v8.2d, v8.2d, #1 + and v9.16b, v19.16b, v9.16b + eor v5.16b, v5.16b, v10.16b + shl v10.2d, v10.2d, #1 + eor v3.16b, v3.16b, v18.16b + shl v18.2d, v18.2d, #1 + eor v0.16b, v0.16b, v8.16b + shl v8.2d, v9.2d, #1 + eor v7.16b, v7.16b, v9.16b + eor v4.16b, v4.16b, v10.16b + eor v2.16b, v2.16b, v18.16b + ushr v9.2d, v1.2d, #2 + eor v6.16b, v6.16b, 
v8.16b + ushr v8.2d, v0.2d, #2 + ushr v10.2d, v5.2d, #2 + ushr v18.2d, v4.2d, #2 + eor v9.16b, v9.16b, v3.16b + eor v8.16b, v8.16b, v2.16b + eor v10.16b, v10.16b, v7.16b + eor v18.16b, v18.16b, v6.16b + and v9.16b, v9.16b, v16.16b + and v8.16b, v8.16b, v16.16b + and v10.16b, v10.16b, v16.16b + and v16.16b, v18.16b, v16.16b + eor v3.16b, v3.16b, v9.16b + shl v9.2d, v9.2d, #2 + eor v2.16b, v2.16b, v8.16b + shl v8.2d, v8.2d, #2 + eor v7.16b, v7.16b, v10.16b + shl v10.2d, v10.2d, #2 + eor v6.16b, v6.16b, v16.16b + shl v16.2d, v16.2d, #2 + eor v1.16b, v1.16b, v9.16b + eor v0.16b, v0.16b, v8.16b + eor v5.16b, v5.16b, v10.16b + eor v4.16b, v4.16b, v16.16b + ushr v8.2d, v3.2d, #4 + ushr v9.2d, v2.2d, #4 + ushr v10.2d, v1.2d, #4 + ushr v16.2d, v0.2d, #4 + eor v8.16b, v8.16b, v7.16b + eor v9.16b, v9.16b, v6.16b + eor v10.16b, v10.16b, v5.16b + eor v16.16b, v16.16b, v4.16b + and v8.16b, v8.16b, v17.16b + and v9.16b, v9.16b, v17.16b + and v10.16b, v10.16b, v17.16b + and v16.16b, v16.16b, v17.16b + eor v7.16b, v7.16b, v8.16b + shl v8.2d, v8.2d, #4 + eor v6.16b, v6.16b, v9.16b + shl v9.2d, v9.2d, #4 + eor v5.16b, v5.16b, v10.16b + shl v10.2d, v10.2d, #4 + eor v4.16b, v4.16b, v16.16b + shl v16.2d, v16.2d, #4 + eor v3.16b, v3.16b, v8.16b + eor v2.16b, v2.16b, v9.16b + eor v1.16b, v1.16b, v10.16b + eor v0.16b, v0.16b, v16.16b + b .Ldec_sbox +.align 4 +.Ldec_loop: + ld1 {v16.16b, v17.16b, v18.16b, v19.16b}, [x9], #64 + ldp q8, q9, [x9], #32 + eor v0.16b, v16.16b, v0.16b + ldr q10, [x9], #16 + eor v1.16b, v17.16b, v1.16b + ldr q16, [x9], #16 + eor v2.16b, v18.16b, v2.16b + eor v3.16b, v19.16b, v3.16b + eor v4.16b, v8.16b, v4.16b + eor v5.16b, v9.16b, v5.16b + eor v6.16b, v10.16b, v6.16b + eor v7.16b, v16.16b, v7.16b + tbl v0.16b, {v0.16b}, v28.16b + tbl v1.16b, {v1.16b}, v28.16b + tbl v2.16b, {v2.16b}, v28.16b + tbl v3.16b, {v3.16b}, v28.16b + tbl v4.16b, {v4.16b}, v28.16b + tbl v5.16b, {v5.16b}, v28.16b + tbl v6.16b, {v6.16b}, v28.16b + tbl v7.16b, {v7.16b}, v28.16b +.Ldec_sbox: + 
eor v1.16b, v1.16b, v4.16b + eor v3.16b, v3.16b, v4.16b + subs x10, x10, #1 + eor v4.16b, v4.16b, v7.16b + eor v2.16b, v2.16b, v7.16b + eor v1.16b, v1.16b, v6.16b + eor v6.16b, v6.16b, v4.16b + eor v2.16b, v2.16b, v5.16b + eor v0.16b, v0.16b, v1.16b + eor v7.16b, v7.16b, v6.16b + eor v8.16b, v6.16b, v2.16b + and v9.16b, v4.16b, v6.16b + eor v10.16b, v2.16b, v6.16b + eor v3.16b, v3.16b, v0.16b + eor v5.16b, v5.16b, v0.16b + eor v16.16b, v7.16b, v4.16b + eor v17.16b, v4.16b, v0.16b + and v18.16b, v0.16b, v2.16b + eor v19.16b, v7.16b, v4.16b + eor v1.16b, v1.16b, v3.16b + eor v20.16b, v3.16b, v0.16b + eor v21.16b, v5.16b, v2.16b + eor v22.16b, v3.16b, v7.16b + and v8.16b, v17.16b, v8.16b + orr v17.16b, v3.16b, v5.16b + eor v23.16b, v1.16b, v6.16b + eor v24.16b, v20.16b, v16.16b + eor v25.16b, v1.16b, v5.16b + orr v26.16b, v20.16b, v21.16b + and v20.16b, v20.16b, v21.16b + and v27.16b, v7.16b, v1.16b + eor v21.16b, v21.16b, v23.16b + orr v28.16b, v16.16b, v23.16b + orr v29.16b, v22.16b, v25.16b + eor v26.16b, v26.16b, v8.16b + and v16.16b, v16.16b, v23.16b + and v22.16b, v22.16b, v25.16b + and v21.16b, v24.16b, v21.16b + eor v8.16b, v28.16b, v8.16b + eor v23.16b, v5.16b, v2.16b + eor v24.16b, v1.16b, v6.16b + eor v16.16b, v16.16b, v22.16b + eor v22.16b, v3.16b, v0.16b + eor v25.16b, v29.16b, v21.16b + eor v21.16b, v26.16b, v21.16b + eor v8.16b, v8.16b, v20.16b + eor v26.16b, v23.16b, v24.16b + eor v16.16b, v16.16b, v20.16b + eor v28.16b, v22.16b, v19.16b + eor v20.16b, v25.16b, v20.16b + eor v9.16b, v21.16b, v9.16b + eor v8.16b, v8.16b, v18.16b + eor v18.16b, v5.16b, v1.16b + eor v21.16b, v16.16b, v17.16b + eor v16.16b, v16.16b, v17.16b + eor v17.16b, v20.16b, v27.16b + eor v20.16b, v3.16b, v7.16b + eor v25.16b, v9.16b, v8.16b + eor v27.16b, v0.16b, v4.16b + and v29.16b, v9.16b, v17.16b + eor v30.16b, v8.16b, v29.16b + eor v31.16b, v21.16b, v29.16b + eor v29.16b, v21.16b, v29.16b + bsl v30.16b, v17.16b, v21.16b + bsl v31.16b, v9.16b, v8.16b + bsl v16.16b, v30.16b, 
v29.16b + bsl v21.16b, v29.16b, v30.16b + eor v8.16b, v31.16b, v30.16b + and v1.16b, v1.16b, v31.16b + and v9.16b, v16.16b, v31.16b + and v6.16b, v6.16b, v30.16b + eor v16.16b, v17.16b, v21.16b + and v4.16b, v4.16b, v30.16b + eor v17.16b, v8.16b, v30.16b + and v21.16b, v24.16b, v8.16b + eor v9.16b, v9.16b, v25.16b + and v19.16b, v19.16b, v8.16b + eor v24.16b, v30.16b, v16.16b + eor v25.16b, v30.16b, v16.16b + and v7.16b, v7.16b, v17.16b + and v10.16b, v10.16b, v16.16b + eor v29.16b, v9.16b, v16.16b + eor v30.16b, v31.16b, v9.16b + and v0.16b, v24.16b, v0.16b + and v9.16b, v18.16b, v9.16b + and v2.16b, v25.16b, v2.16b + eor v10.16b, v10.16b, v6.16b + eor v18.16b, v29.16b, v16.16b + and v5.16b, v30.16b, v5.16b + eor v24.16b, v8.16b, v29.16b + and v25.16b, v26.16b, v29.16b + and v26.16b, v28.16b, v29.16b + eor v8.16b, v8.16b, v29.16b + eor v17.16b, v17.16b, v18.16b + eor v5.16b, v1.16b, v5.16b + and v23.16b, v24.16b, v23.16b + eor v21.16b, v21.16b, v25.16b + eor v19.16b, v19.16b, v26.16b + eor v0.16b, v4.16b, v0.16b + and v3.16b, v17.16b, v3.16b + eor v1.16b, v9.16b, v1.16b + eor v9.16b, v25.16b, v23.16b + eor v5.16b, v5.16b, v21.16b + eor v2.16b, v6.16b, v2.16b + and v6.16b, v8.16b, v22.16b + eor v3.16b, v7.16b, v3.16b + and v8.16b, v20.16b, v18.16b + eor v10.16b, v10.16b, v9.16b + eor v0.16b, v0.16b, v19.16b + eor v9.16b, v1.16b, v9.16b + eor v1.16b, v2.16b, v21.16b + eor v3.16b, v3.16b, v19.16b + and v16.16b, v27.16b, v16.16b + eor v17.16b, v26.16b, v6.16b + eor v6.16b, v8.16b, v7.16b + eor v7.16b, v1.16b, v9.16b + eor v1.16b, v5.16b, v3.16b + eor v2.16b, v10.16b, v3.16b + eor v4.16b, v16.16b, v4.16b + eor v8.16b, v6.16b, v17.16b + eor v5.16b, v9.16b, v3.16b + eor v9.16b, v0.16b, v1.16b + eor v6.16b, v7.16b, v1.16b + eor v0.16b, v4.16b, v17.16b + eor v4.16b, v8.16b, v7.16b + eor v7.16b, v9.16b, v2.16b + eor v8.16b, v3.16b, v0.16b + eor v7.16b, v7.16b, v5.16b + eor v3.16b, v4.16b, v7.16b + eor v4.16b, v7.16b, v0.16b + eor v7.16b, v8.16b, v3.16b + bcc .Ldec_done + 
ext v8.16b, v0.16b, v0.16b, #8 + ext v9.16b, v1.16b, v1.16b, #8 + ldr q28, [x11] // load from .LISR in common case (x10 > 0) + ext v10.16b, v6.16b, v6.16b, #8 + ext v16.16b, v3.16b, v3.16b, #8 + ext v17.16b, v5.16b, v5.16b, #8 + ext v18.16b, v4.16b, v4.16b, #8 + eor v8.16b, v8.16b, v0.16b + eor v9.16b, v9.16b, v1.16b + eor v10.16b, v10.16b, v6.16b + eor v16.16b, v16.16b, v3.16b + eor v17.16b, v17.16b, v5.16b + ext v19.16b, v2.16b, v2.16b, #8 + ext v20.16b, v7.16b, v7.16b, #8 + eor v18.16b, v18.16b, v4.16b + eor v6.16b, v6.16b, v8.16b + eor v8.16b, v2.16b, v10.16b + eor v4.16b, v4.16b, v9.16b + eor v2.16b, v19.16b, v2.16b + eor v9.16b, v20.16b, v7.16b + eor v0.16b, v0.16b, v16.16b + eor v1.16b, v1.16b, v16.16b + eor v6.16b, v6.16b, v17.16b + eor v8.16b, v8.16b, v16.16b + eor v7.16b, v7.16b, v18.16b + eor v4.16b, v4.16b, v16.16b + eor v2.16b, v3.16b, v2.16b + eor v1.16b, v1.16b, v17.16b + eor v3.16b, v5.16b, v9.16b + eor v5.16b, v8.16b, v17.16b + eor v7.16b, v7.16b, v17.16b + ext v8.16b, v0.16b, v0.16b, #12 + ext v9.16b, v6.16b, v6.16b, #12 + ext v10.16b, v4.16b, v4.16b, #12 + ext v16.16b, v1.16b, v1.16b, #12 + ext v17.16b, v5.16b, v5.16b, #12 + ext v18.16b, v7.16b, v7.16b, #12 + eor v0.16b, v0.16b, v8.16b + eor v6.16b, v6.16b, v9.16b + eor v4.16b, v4.16b, v10.16b + ext v19.16b, v2.16b, v2.16b, #12 + ext v20.16b, v3.16b, v3.16b, #12 + eor v1.16b, v1.16b, v16.16b + eor v5.16b, v5.16b, v17.16b + eor v7.16b, v7.16b, v18.16b + eor v2.16b, v2.16b, v19.16b + eor v16.16b, v16.16b, v0.16b + eor v3.16b, v3.16b, v20.16b + eor v17.16b, v17.16b, v4.16b + eor v10.16b, v10.16b, v6.16b + ext v0.16b, v0.16b, v0.16b, #8 + eor v9.16b, v9.16b, v1.16b + ext v1.16b, v1.16b, v1.16b, #8 + eor v8.16b, v8.16b, v3.16b + eor v16.16b, v16.16b, v3.16b + eor v18.16b, v18.16b, v5.16b + eor v19.16b, v19.16b, v7.16b + ext v21.16b, v5.16b, v5.16b, #8 + ext v5.16b, v7.16b, v7.16b, #8 + eor v7.16b, v20.16b, v2.16b + ext v4.16b, v4.16b, v4.16b, #8 + ext v20.16b, v3.16b, v3.16b, #8 + eor v17.16b, 
v17.16b, v3.16b + ext v2.16b, v2.16b, v2.16b, #8 + eor v3.16b, v10.16b, v3.16b + ext v10.16b, v6.16b, v6.16b, #8 + eor v0.16b, v0.16b, v8.16b + eor v1.16b, v1.16b, v16.16b + eor v5.16b, v5.16b, v18.16b + eor v3.16b, v3.16b, v4.16b + eor v7.16b, v20.16b, v7.16b + eor v6.16b, v2.16b, v19.16b + eor v4.16b, v21.16b, v17.16b + eor v2.16b, v10.16b, v9.16b + bne .Ldec_loop + ldr q28, [x11, #16]! // load from .LISRM0 on last round (x10 == 0) + b .Ldec_loop +.align 4 +.Ldec_done: + ushr v8.2d, v0.2d, #1 + movi v9.16b, #0x55 + ldr q10, [x9] + ushr v16.2d, v2.2d, #1 + movi v17.16b, #0x33 + ushr v18.2d, v6.2d, #1 + movi v19.16b, #0x0f + eor v8.16b, v8.16b, v1.16b + ushr v20.2d, v3.2d, #1 + eor v16.16b, v16.16b, v7.16b + eor v18.16b, v18.16b, v4.16b + and v8.16b, v8.16b, v9.16b + eor v20.16b, v20.16b, v5.16b + and v16.16b, v16.16b, v9.16b + and v18.16b, v18.16b, v9.16b + shl v21.2d, v8.2d, #1 + eor v1.16b, v1.16b, v8.16b + and v8.16b, v20.16b, v9.16b + eor v7.16b, v7.16b, v16.16b + shl v9.2d, v16.2d, #1 + eor v4.16b, v4.16b, v18.16b + shl v16.2d, v18.2d, #1 + eor v0.16b, v0.16b, v21.16b + shl v18.2d, v8.2d, #1 + eor v5.16b, v5.16b, v8.16b + eor v2.16b, v2.16b, v9.16b + eor v6.16b, v6.16b, v16.16b + ushr v8.2d, v1.2d, #2 + eor v3.16b, v3.16b, v18.16b + ushr v9.2d, v0.2d, #2 + ushr v16.2d, v7.2d, #2 + ushr v18.2d, v2.2d, #2 + eor v8.16b, v8.16b, v4.16b + eor v9.16b, v9.16b, v6.16b + eor v16.16b, v16.16b, v5.16b + eor v18.16b, v18.16b, v3.16b + and v8.16b, v8.16b, v17.16b + and v9.16b, v9.16b, v17.16b + and v16.16b, v16.16b, v17.16b + and v17.16b, v18.16b, v17.16b + eor v4.16b, v4.16b, v8.16b + shl v8.2d, v8.2d, #2 + eor v6.16b, v6.16b, v9.16b + shl v9.2d, v9.2d, #2 + eor v5.16b, v5.16b, v16.16b + shl v16.2d, v16.2d, #2 + eor v3.16b, v3.16b, v17.16b + shl v17.2d, v17.2d, #2 + eor v1.16b, v1.16b, v8.16b + eor v0.16b, v0.16b, v9.16b + eor v7.16b, v7.16b, v16.16b + eor v2.16b, v2.16b, v17.16b + ushr v8.2d, v4.2d, #4 + ushr v9.2d, v6.2d, #4 + ushr v16.2d, v1.2d, #4 + ushr v17.2d, 
v0.2d, #4 + eor v8.16b, v8.16b, v5.16b + eor v9.16b, v9.16b, v3.16b + eor v16.16b, v16.16b, v7.16b + eor v17.16b, v17.16b, v2.16b + and v8.16b, v8.16b, v19.16b + and v9.16b, v9.16b, v19.16b + and v16.16b, v16.16b, v19.16b + and v17.16b, v17.16b, v19.16b + eor v5.16b, v5.16b, v8.16b + shl v8.2d, v8.2d, #4 + eor v3.16b, v3.16b, v9.16b + shl v9.2d, v9.2d, #4 + eor v7.16b, v7.16b, v16.16b + shl v16.2d, v16.2d, #4 + eor v2.16b, v2.16b, v17.16b + shl v17.2d, v17.2d, #4 + eor v4.16b, v4.16b, v8.16b + eor v6.16b, v6.16b, v9.16b + eor v7.16b, v7.16b, v10.16b + eor v1.16b, v1.16b, v16.16b + eor v2.16b, v2.16b, v10.16b + eor v0.16b, v0.16b, v17.16b + eor v4.16b, v4.16b, v10.16b + eor v6.16b, v6.16b, v10.16b + eor v3.16b, v3.16b, v10.16b + eor v5.16b, v5.16b, v10.16b + eor v1.16b, v1.16b, v10.16b + eor v0.16b, v0.16b, v10.16b + ret +.size _bsaes_decrypt8,.-_bsaes_decrypt8 + +.type _bsaes_const,%object +.align 6 +_bsaes_const: +// InvShiftRows constants +// Used in _bsaes_decrypt8, which assumes contiguity +// .LM0ISR used with round 0 key +// .LISR used with middle round keys +// .LISRM0 used with final round key +.LM0ISR: +.quad 0x0a0e0206070b0f03, 0x0004080c0d010509 +.LISR: +.quad 0x0504070602010003, 0x0f0e0d0c080b0a09 +.LISRM0: +.quad 0x01040b0e0205080f, 0x0306090c00070a0d + +// ShiftRows constants +// Used in _bsaes_encrypt8, which assumes contiguity +// .LM0SR used with round 0 key +// .LSR used with middle round keys +// .LSRM0 used with final round key +.LM0SR: +.quad 0x0a0e02060f03070b, 0x0004080c05090d01 +.LSR: +.quad 0x0504070600030201, 0x0f0e0d0c0a09080b +.LSRM0: +.quad 0x0304090e00050a0f, 0x01060b0c0207080d + +.LM0_bigendian: +.quad 0x02060a0e03070b0f, 0x0004080c0105090d +.LM0_littleendian: +.quad 0x0105090d0004080c, 0x03070b0f02060a0e + +// Used in ossl_bsaes_ctr32_encrypt_blocks, prior to dropping into +// _bsaes_encrypt8_alt, for round 0 key in place of .LM0SR +.LREVM0SR: +.quad 0x090d01050c000408, 0x03070b0f060a0e02 + +.align 6 +.size 
_bsaes_const,.-_bsaes_const + +.type _bsaes_encrypt8,%function +.align 4 +// On entry: +// x9 -> key (previously expanded using _bsaes_key_convert) +// x10 = number of rounds +// v0-v7 input data +// On exit: +// x9-x11 corrupted +// other general-purpose registers preserved +// v0-v7 output data +// v11-v15 preserved +// other SIMD registers corrupted +_bsaes_encrypt8: + ldr q8, [x9], #16 + adr x11, .LM0SR + ldr q9, [x11], #16 +_bsaes_encrypt8_alt: + eor v0.16b, v0.16b, v8.16b + eor v1.16b, v1.16b, v8.16b + sub x10, x10, #1 + eor v2.16b, v2.16b, v8.16b + eor v4.16b, v4.16b, v8.16b + eor v3.16b, v3.16b, v8.16b + eor v5.16b, v5.16b, v8.16b + tbl v0.16b, {v0.16b}, v9.16b + tbl v1.16b, {v1.16b}, v9.16b + tbl v2.16b, {v2.16b}, v9.16b + tbl v4.16b, {v4.16b}, v9.16b + eor v6.16b, v6.16b, v8.16b + eor v7.16b, v7.16b, v8.16b + tbl v3.16b, {v3.16b}, v9.16b + tbl v5.16b, {v5.16b}, v9.16b + tbl v6.16b, {v6.16b}, v9.16b + ushr v8.2d, v0.2d, #1 + movi v10.16b, #0x55 + tbl v7.16b, {v7.16b}, v9.16b + ushr v9.2d, v4.2d, #1 + movi v16.16b, #0x33 + ushr v17.2d, v2.2d, #1 + eor v8.16b, v8.16b, v1.16b + movi v18.16b, #0x0f + ushr v19.2d, v6.2d, #1 + eor v9.16b, v9.16b, v5.16b + eor v17.16b, v17.16b, v3.16b + and v8.16b, v8.16b, v10.16b + eor v19.16b, v19.16b, v7.16b + and v9.16b, v9.16b, v10.16b + and v17.16b, v17.16b, v10.16b + eor v1.16b, v1.16b, v8.16b + shl v8.2d, v8.2d, #1 + and v10.16b, v19.16b, v10.16b + eor v5.16b, v5.16b, v9.16b + shl v9.2d, v9.2d, #1 + eor v3.16b, v3.16b, v17.16b + shl v17.2d, v17.2d, #1 + eor v0.16b, v0.16b, v8.16b + shl v8.2d, v10.2d, #1 + eor v7.16b, v7.16b, v10.16b + eor v4.16b, v4.16b, v9.16b + eor v2.16b, v2.16b, v17.16b + ushr v9.2d, v1.2d, #2 + eor v6.16b, v6.16b, v8.16b + ushr v8.2d, v0.2d, #2 + ushr v10.2d, v5.2d, #2 + ushr v17.2d, v4.2d, #2 + eor v9.16b, v9.16b, v3.16b + eor v8.16b, v8.16b, v2.16b + eor v10.16b, v10.16b, v7.16b + eor v17.16b, v17.16b, v6.16b + and v9.16b, v9.16b, v16.16b + and v8.16b, v8.16b, v16.16b + and v10.16b, v10.16b, 
v16.16b + and v16.16b, v17.16b, v16.16b + eor v3.16b, v3.16b, v9.16b + shl v9.2d, v9.2d, #2 + eor v2.16b, v2.16b, v8.16b + shl v8.2d, v8.2d, #2 + eor v7.16b, v7.16b, v10.16b + shl v10.2d, v10.2d, #2 + eor v6.16b, v6.16b, v16.16b + shl v16.2d, v16.2d, #2 + eor v1.16b, v1.16b, v9.16b + eor v0.16b, v0.16b, v8.16b + eor v5.16b, v5.16b, v10.16b + eor v4.16b, v4.16b, v16.16b + ushr v8.2d, v3.2d, #4 + ushr v9.2d, v2.2d, #4 + ushr v10.2d, v1.2d, #4 + ushr v16.2d, v0.2d, #4 + eor v8.16b, v8.16b, v7.16b + eor v9.16b, v9.16b, v6.16b + eor v10.16b, v10.16b, v5.16b + eor v16.16b, v16.16b, v4.16b + and v8.16b, v8.16b, v18.16b + and v9.16b, v9.16b, v18.16b + and v10.16b, v10.16b, v18.16b + and v16.16b, v16.16b, v18.16b + eor v7.16b, v7.16b, v8.16b + shl v8.2d, v8.2d, #4 + eor v6.16b, v6.16b, v9.16b + shl v9.2d, v9.2d, #4 + eor v5.16b, v5.16b, v10.16b + shl v10.2d, v10.2d, #4 + eor v4.16b, v4.16b, v16.16b + shl v16.2d, v16.2d, #4 + eor v3.16b, v3.16b, v8.16b + eor v2.16b, v2.16b, v9.16b + eor v1.16b, v1.16b, v10.16b + eor v0.16b, v0.16b, v16.16b + b .Lenc_sbox +.align 4 +.Lenc_loop: + ld1 {v16.16b, v17.16b, v18.16b, v19.16b}, [x9], #64 + ldp q8, q9, [x9], #32 + eor v0.16b, v16.16b, v0.16b + ldr q10, [x9], #16 + eor v1.16b, v17.16b, v1.16b + ldr q16, [x9], #16 + eor v2.16b, v18.16b, v2.16b + eor v3.16b, v19.16b, v3.16b + eor v4.16b, v8.16b, v4.16b + eor v5.16b, v9.16b, v5.16b + eor v6.16b, v10.16b, v6.16b + eor v7.16b, v16.16b, v7.16b + tbl v0.16b, {v0.16b}, v28.16b + tbl v1.16b, {v1.16b}, v28.16b + tbl v2.16b, {v2.16b}, v28.16b + tbl v3.16b, {v3.16b}, v28.16b + tbl v4.16b, {v4.16b}, v28.16b + tbl v5.16b, {v5.16b}, v28.16b + tbl v6.16b, {v6.16b}, v28.16b + tbl v7.16b, {v7.16b}, v28.16b +.Lenc_sbox: + eor v5.16b, v5.16b, v6.16b + eor v3.16b, v3.16b, v0.16b + subs x10, x10, #1 + eor v2.16b, v2.16b, v1.16b + eor v5.16b, v5.16b, v0.16b + eor v8.16b, v3.16b, v7.16b + eor v6.16b, v6.16b, v2.16b + eor v7.16b, v7.16b, v5.16b + eor v8.16b, v8.16b, v4.16b + eor v3.16b, v6.16b, v3.16b + eor 
v4.16b, v4.16b, v5.16b + eor v6.16b, v1.16b, v5.16b + eor v2.16b, v2.16b, v7.16b + eor v1.16b, v8.16b, v1.16b + eor v8.16b, v7.16b, v4.16b + eor v9.16b, v3.16b, v0.16b + eor v10.16b, v7.16b, v6.16b + eor v16.16b, v5.16b, v3.16b + eor v17.16b, v6.16b, v2.16b + eor v18.16b, v5.16b, v1.16b + eor v19.16b, v2.16b, v4.16b + eor v20.16b, v1.16b, v0.16b + orr v21.16b, v8.16b, v9.16b + orr v22.16b, v10.16b, v16.16b + eor v23.16b, v8.16b, v17.16b + eor v24.16b, v9.16b, v18.16b + and v19.16b, v19.16b, v20.16b + orr v20.16b, v17.16b, v18.16b + and v8.16b, v8.16b, v9.16b + and v9.16b, v17.16b, v18.16b + and v17.16b, v23.16b, v24.16b + and v10.16b, v10.16b, v16.16b + eor v16.16b, v21.16b, v19.16b + eor v18.16b, v20.16b, v19.16b + and v19.16b, v2.16b, v1.16b + and v20.16b, v6.16b, v5.16b + eor v21.16b, v22.16b, v17.16b + eor v9.16b, v9.16b, v10.16b + eor v10.16b, v16.16b, v17.16b + eor v16.16b, v18.16b, v8.16b + and v17.16b, v4.16b, v0.16b + orr v18.16b, v7.16b, v3.16b + eor v21.16b, v21.16b, v8.16b + eor v8.16b, v9.16b, v8.16b + eor v9.16b, v10.16b, v19.16b + eor v10.16b, v3.16b, v0.16b + eor v16.16b, v16.16b, v17.16b + eor v17.16b, v5.16b, v1.16b + eor v19.16b, v21.16b, v20.16b + eor v20.16b, v8.16b, v18.16b + eor v8.16b, v8.16b, v18.16b + eor v18.16b, v7.16b, v4.16b + eor v21.16b, v9.16b, v16.16b + eor v22.16b, v6.16b, v2.16b + and v23.16b, v9.16b, v19.16b + eor v24.16b, v10.16b, v17.16b + eor v25.16b, v0.16b, v1.16b + eor v26.16b, v7.16b, v6.16b + eor v27.16b, v18.16b, v22.16b + eor v28.16b, v3.16b, v5.16b + eor v29.16b, v16.16b, v23.16b + eor v30.16b, v20.16b, v23.16b + eor v23.16b, v20.16b, v23.16b + eor v31.16b, v4.16b, v2.16b + bsl v29.16b, v19.16b, v20.16b + bsl v30.16b, v9.16b, v16.16b + bsl v8.16b, v29.16b, v23.16b + bsl v20.16b, v23.16b, v29.16b + eor v9.16b, v30.16b, v29.16b + and v5.16b, v5.16b, v30.16b + and v8.16b, v8.16b, v30.16b + and v1.16b, v1.16b, v29.16b + eor v16.16b, v19.16b, v20.16b + and v2.16b, v2.16b, v29.16b + eor v19.16b, v9.16b, v29.16b + and 
v17.16b, v17.16b, v9.16b
+ eor v8.16b, v8.16b, v21.16b
+ and v20.16b, v22.16b, v9.16b
+ eor v21.16b, v29.16b, v16.16b
+ eor v22.16b, v29.16b, v16.16b
+ and v23.16b, v25.16b, v16.16b
+ and v6.16b, v6.16b, v19.16b
+ eor v25.16b, v8.16b, v16.16b
+ eor v29.16b, v30.16b, v8.16b
+ and v4.16b, v21.16b, v4.16b
+ and v8.16b, v28.16b, v8.16b
+ and v0.16b, v22.16b, v0.16b
+ eor v21.16b, v23.16b, v1.16b
+ eor v22.16b, v9.16b, v25.16b
+ eor v9.16b, v9.16b, v25.16b
+ eor v23.16b, v25.16b, v16.16b
+ and v3.16b, v29.16b, v3.16b
+ and v24.16b, v24.16b, v25.16b
+ and v25.16b, v27.16b, v25.16b
+ and v10.16b, v22.16b, v10.16b
+ and v9.16b, v9.16b, v18.16b
+ eor v18.16b, v19.16b, v23.16b
+ and v19.16b, v26.16b, v23.16b
+ eor v3.16b, v5.16b, v3.16b
+ eor v17.16b, v17.16b, v24.16b
+ eor v10.16b, v24.16b, v10.16b
+ and v16.16b, v31.16b, v16.16b
+ eor v20.16b, v20.16b, v25.16b
+ eor v9.16b, v25.16b, v9.16b
+ eor v4.16b, v2.16b, v4.16b
+ and v7.16b, v18.16b, v7.16b
+ eor v18.16b, v19.16b, v6.16b
+ eor v5.16b, v8.16b, v5.16b
+ eor v0.16b, v1.16b, v0.16b
+ eor v1.16b, v21.16b, v10.16b
+ eor v8.16b, v3.16b, v17.16b
+ eor v2.16b, v16.16b, v2.16b
+ eor v3.16b, v6.16b, v7.16b
+ eor v6.16b, v18.16b, v9.16b
+ eor v4.16b, v4.16b, v20.16b
+ eor v10.16b, v5.16b, v10.16b
+ eor v0.16b, v0.16b, v17.16b
+ eor v9.16b, v2.16b, v9.16b
+ eor v3.16b, v3.16b, v20.16b
+ eor v7.16b, v6.16b, v1.16b
+ eor v5.16b, v8.16b, v4.16b
+ eor v6.16b, v10.16b, v1.16b
+ eor v2.16b, v4.16b, v0.16b
+ eor v4.16b, v3.16b, v10.16b
+ eor v9.16b, v9.16b, v7.16b
+ eor v3.16b, v0.16b, v5.16b
+ eor v0.16b, v1.16b, v4.16b
+ eor v1.16b, v4.16b, v8.16b
+ eor v4.16b, v9.16b, v5.16b
+ eor v6.16b, v6.16b, v3.16b
+ bcc .Lenc_done
+ ext v8.16b, v0.16b, v0.16b, #12
+ ext v9.16b, v4.16b, v4.16b, #12
+ ldr q28, [x11]
+ ext v10.16b, v6.16b, v6.16b, #12
+ ext v16.16b, v1.16b, v1.16b, #12
+ ext v17.16b, v3.16b, v3.16b, #12
+ ext v18.16b, v7.16b, v7.16b, #12
+ eor v0.16b, v0.16b, v8.16b
+ eor v4.16b, v4.16b, v9.16b
+ eor v6.16b, v6.16b, v10.16b
+ ext v19.16b, v2.16b, v2.16b, #12
+ ext v20.16b, v5.16b, v5.16b, #12
+ eor v1.16b, v1.16b, v16.16b
+ eor v3.16b, v3.16b, v17.16b
+ eor v7.16b, v7.16b, v18.16b
+ eor v2.16b, v2.16b, v19.16b
+ eor v16.16b, v16.16b, v0.16b
+ eor v5.16b, v5.16b, v20.16b
+ eor v17.16b, v17.16b, v6.16b
+ eor v10.16b, v10.16b, v4.16b
+ ext v0.16b, v0.16b, v0.16b, #8
+ eor v9.16b, v9.16b, v1.16b
+ ext v1.16b, v1.16b, v1.16b, #8
+ eor v8.16b, v8.16b, v5.16b
+ eor v16.16b, v16.16b, v5.16b
+ eor v18.16b, v18.16b, v3.16b
+ eor v19.16b, v19.16b, v7.16b
+ ext v3.16b, v3.16b, v3.16b, #8
+ ext v7.16b, v7.16b, v7.16b, #8
+ eor v20.16b, v20.16b, v2.16b
+ ext v6.16b, v6.16b, v6.16b, #8
+ ext v21.16b, v5.16b, v5.16b, #8
+ eor v17.16b, v17.16b, v5.16b
+ ext v2.16b, v2.16b, v2.16b, #8
+ eor v10.16b, v10.16b, v5.16b
+ ext v22.16b, v4.16b, v4.16b, #8
+ eor v0.16b, v0.16b, v8.16b
+ eor v1.16b, v1.16b, v16.16b
+ eor v5.16b, v7.16b, v18.16b
+ eor v4.16b, v3.16b, v17.16b
+ eor v3.16b, v6.16b, v10.16b
+ eor v7.16b, v21.16b, v20.16b
+ eor v6.16b, v2.16b, v19.16b
+ eor v2.16b, v22.16b, v9.16b
+ bne .Lenc_loop
+ ldr q28, [x11, #16]! // load from .LSRM0 on last round (x10 == 0)
+ b .Lenc_loop
+.align 4
+.Lenc_done:
+ ushr v8.2d, v0.2d, #1
+ movi v9.16b, #0x55
+ ldr q10, [x9]
+ ushr v16.2d, v3.2d, #1
+ movi v17.16b, #0x33
+ ushr v18.2d, v4.2d, #1
+ movi v19.16b, #0x0f
+ eor v8.16b, v8.16b, v1.16b
+ ushr v20.2d, v2.2d, #1
+ eor v16.16b, v16.16b, v7.16b
+ eor v18.16b, v18.16b, v6.16b
+ and v8.16b, v8.16b, v9.16b
+ eor v20.16b, v20.16b, v5.16b
+ and v16.16b, v16.16b, v9.16b
+ and v18.16b, v18.16b, v9.16b
+ shl v21.2d, v8.2d, #1
+ eor v1.16b, v1.16b, v8.16b
+ and v8.16b, v20.16b, v9.16b
+ eor v7.16b, v7.16b, v16.16b
+ shl v9.2d, v16.2d, #1
+ eor v6.16b, v6.16b, v18.16b
+ shl v16.2d, v18.2d, #1
+ eor v0.16b, v0.16b, v21.16b
+ shl v18.2d, v8.2d, #1
+ eor v5.16b, v5.16b, v8.16b
+ eor v3.16b, v3.16b, v9.16b
+ eor v4.16b, v4.16b, v16.16b
+ ushr v8.2d, v1.2d, #2
+ eor v2.16b, v2.16b, v18.16b
+ ushr v9.2d, v0.2d, #2
+ ushr v16.2d, v7.2d, #2
+ ushr v18.2d, v3.2d, #2
+ eor v8.16b, v8.16b, v6.16b
+ eor v9.16b, v9.16b, v4.16b
+ eor v16.16b, v16.16b, v5.16b
+ eor v18.16b, v18.16b, v2.16b
+ and v8.16b, v8.16b, v17.16b
+ and v9.16b, v9.16b, v17.16b
+ and v16.16b, v16.16b, v17.16b
+ and v17.16b, v18.16b, v17.16b
+ eor v6.16b, v6.16b, v8.16b
+ shl v8.2d, v8.2d, #2
+ eor v4.16b, v4.16b, v9.16b
+ shl v9.2d, v9.2d, #2
+ eor v5.16b, v5.16b, v16.16b
+ shl v16.2d, v16.2d, #2
+ eor v2.16b, v2.16b, v17.16b
+ shl v17.2d, v17.2d, #2
+ eor v1.16b, v1.16b, v8.16b
+ eor v0.16b, v0.16b, v9.16b
+ eor v7.16b, v7.16b, v16.16b
+ eor v3.16b, v3.16b, v17.16b
+ ushr v8.2d, v6.2d, #4
+ ushr v9.2d, v4.2d, #4
+ ushr v16.2d, v1.2d, #4
+ ushr v17.2d, v0.2d, #4
+ eor v8.16b, v8.16b, v5.16b
+ eor v9.16b, v9.16b, v2.16b
+ eor v16.16b, v16.16b, v7.16b
+ eor v17.16b, v17.16b, v3.16b
+ and v8.16b, v8.16b, v19.16b
+ and v9.16b, v9.16b, v19.16b
+ and v16.16b, v16.16b, v19.16b
+ and v17.16b, v17.16b, v19.16b
+ eor v5.16b, v5.16b, v8.16b
+ shl v8.2d, v8.2d, #4
+ eor v2.16b, v2.16b, v9.16b
+ shl v9.2d, v9.2d, #4
+ eor v7.16b, v7.16b, v16.16b
+ shl v16.2d, v16.2d, #4
+ eor v3.16b, v3.16b, v17.16b
+ shl v17.2d, v17.2d, #4
+ eor v6.16b, v6.16b, v8.16b
+ eor v4.16b, v4.16b, v9.16b
+ eor v7.16b, v7.16b, v10.16b
+ eor v1.16b, v1.16b, v16.16b
+ eor v3.16b, v3.16b, v10.16b
+ eor v0.16b, v0.16b, v17.16b
+ eor v6.16b, v6.16b, v10.16b
+ eor v4.16b, v4.16b, v10.16b
+ eor v2.16b, v2.16b, v10.16b
+ eor v5.16b, v5.16b, v10.16b
+ eor v1.16b, v1.16b, v10.16b
+ eor v0.16b, v0.16b, v10.16b
+ ret
+.size _bsaes_encrypt8,.-_bsaes_encrypt8
+
+.type _bsaes_key_convert,%function
+.align 4
+// On entry:
+// x9 -> input key (big-endian)
+// x10 = number of rounds
+// x17 -> output key (native endianness)
+// On exit:
+// x9, x10 corrupted
+// x11 -> .LM0_bigendian
+// x17 -> last quadword of output key
+// other general-purpose registers preserved
+// v2-v6 preserved
+// v7.16b[] = 0x63
+// v8-v14 preserved
+// v15 = last round key (converted to native endianness)
+// other SIMD registers corrupted
+_bsaes_key_convert:
+#ifdef __AARCH64EL__
+ adr x11, .LM0_littleendian
+#else
+ adr x11, .LM0_bigendian
+#endif
+ ldr q0, [x9], #16 // load round 0 key
+ ldr q1, [x11] // .LM0
+ ldr q15, [x9], #16 // load round 1 key
+
+ movi v7.16b, #0x63 // compose .L63
+ movi v16.16b, #0x01 // bit masks
+ movi v17.16b, #0x02
+ movi v18.16b, #0x04
+ movi v19.16b, #0x08
+ movi v20.16b, #0x10
+ movi v21.16b, #0x20
+ movi v22.16b, #0x40
+ movi v23.16b, #0x80
+
+#ifdef __AARCH64EL__
+ rev32 v0.16b, v0.16b
+#endif
+ sub x10, x10, #1
+ str q0, [x17], #16 // save round 0 key
+
+.align 4
+.Lkey_loop:
+ tbl v0.16b, {v15.16b}, v1.16b
+ ldr q15, [x9], #16 // load next round key
+
+ eor v0.16b, v0.16b, v7.16b
+ cmtst v24.16b, v0.16b, v16.16b
+ cmtst v25.16b, v0.16b, v17.16b
+ cmtst v26.16b, v0.16b, v18.16b
+ cmtst v27.16b, v0.16b, v19.16b
+ cmtst v28.16b, v0.16b, v20.16b
+ cmtst v29.16b, v0.16b, v21.16b
+ cmtst v30.16b, v0.16b, v22.16b
+ cmtst v31.16b, v0.16b, v23.16b
+ sub x10, x10, #1
+ st1 {v24.16b-v27.16b}, [x17], #64 // write bit-sliced round key
+ st1 {v28.16b-v31.16b}, [x17], #64
+ cbnz x10, .Lkey_loop
+
+ // don't save last round key
+#ifdef __AARCH64EL__
+ rev32 v15.16b, v15.16b
+ adr x11, .LM0_bigendian
+#endif
+ ret
+.size _bsaes_key_convert,.-_bsaes_key_convert
+
+.globl ossl_bsaes_cbc_encrypt
+.type ossl_bsaes_cbc_encrypt,%function
+.align 4
+// On entry:
+// x0 -> input ciphertext
+// x1 -> output plaintext
+// x2 = size of ciphertext and plaintext in bytes (assumed a multiple of 16)
+// x3 -> key
+// x4 -> 128-bit initialisation vector (or preceding 128-bit block of ciphertext if continuing after an earlier call)
+// w5 must be == 0
+// On exit:
+// Output plaintext filled in
+// Initialisation vector overwritten with last quadword of ciphertext
+// No output registers, usual AAPCS64 register preservation
+ossl_bsaes_cbc_encrypt:
+ cmp x2, #128
+ bhs .Lcbc_do_bsaes
+ b AES_cbc_encrypt
+.Lcbc_do_bsaes:
+
+ // it is up to the caller to make sure we are called with enc == 0
+
+ stp x29, x30, [sp, #-48]!
+ stp d8, d9, [sp, #16]
+ stp d10, d15, [sp, #32]
+ lsr x2, x2, #4 // len in 16 byte blocks
+
+ ldr w15, [x3, #240] // get # of rounds
+ mov x14, sp
+
+ // allocate the key schedule on the stack
+ add x17, sp, #96
+ sub x17, x17, x15, lsl #7 // 128 bytes per inner round key, less 96 bytes
+
+ // populate the key schedule
+ mov x9, x3 // pass key
+ mov x10, x15 // pass # of rounds
+ mov sp, x17 // sp is sp
+ bl _bsaes_key_convert
+ ldr q6, [sp]
+ str q15, [x17] // save last round key
+ eor v6.16b, v6.16b, v7.16b // fix up round 0 key (by XORing with 0x63)
+ str q6, [sp]
+
+ ldr q15, [x4] // load IV
+ b .Lcbc_dec_loop
+
+.align 4
+.Lcbc_dec_loop:
+ subs x2, x2, #0x8
+ bmi .Lcbc_dec_loop_finish
+
+ ldr q0, [x0], #16 // load input
+ mov x9, sp // pass the key
+ ldr q1, [x0], #16
+ mov x10, x15
+ ldr q2, [x0], #16
+ ldr q3, [x0], #16
+ ldr q4, [x0], #16
+ ldr q5, [x0], #16
+ ldr q6, [x0], #16
+ ldr q7, [x0], #-7*16
+
+ bl _bsaes_decrypt8
+
+ ldr q16, [x0], #16 // reload input
+ eor v0.16b, v0.16b, v15.16b // ^= IV
+ eor v1.16b, v1.16b, v16.16b
+ str q0, [x1], #16 // write output
+ ldr q0, [x0], #16
+ str q1, [x1], #16
+ ldr q1, [x0], #16
+ eor v1.16b, v4.16b, v1.16b
+ ldr q4, [x0], #16
+ eor v2.16b, v2.16b, v4.16b
+ eor v0.16b, v6.16b, v0.16b
+ ldr q4, [x0], #16
+ str q0, [x1], #16
+ str q1, [x1], #16
+ eor v0.16b, v7.16b, v4.16b
+ ldr q1, [x0], #16
+ str q2, [x1], #16
+ ldr q2, [x0], #16
+ ldr q15, [x0], #16
+ str q0, [x1], #16
+ eor v0.16b, v5.16b, v2.16b
+ eor v1.16b, v3.16b, v1.16b
+ str q1, [x1], #16
+ str q0, [x1], #16
+
+ b .Lcbc_dec_loop
+
+.Lcbc_dec_loop_finish:
+ adds x2, x2, #8
+ beq .Lcbc_dec_done
+
+ ldr q0, [x0], #16 // load input
+ cmp x2, #2
+ blo .Lcbc_dec_one
+ ldr q1, [x0], #16
+ mov x9, sp // pass the key
+ mov x10, x15
+ beq .Lcbc_dec_two
+ ldr q2, [x0], #16
+ cmp x2, #4
+ blo .Lcbc_dec_three
+ ldr q3, [x0], #16
+ beq .Lcbc_dec_four
+ ldr q4, [x0], #16
+ cmp x2, #6
+ blo .Lcbc_dec_five
+ ldr q5, [x0], #16
+ beq .Lcbc_dec_six
+ ldr q6, [x0], #-6*16
+
+ bl _bsaes_decrypt8
+
+ ldr q5, [x0], #16 // reload input
+ eor v0.16b, v0.16b, v15.16b // ^= IV
+ ldr q8, [x0], #16
+ ldr q9, [x0], #16
+ ldr q10, [x0], #16
+ str q0, [x1], #16 // write output
+ ldr q0, [x0], #16
+ eor v1.16b, v1.16b, v5.16b
+ ldr q5, [x0], #16
+ eor v6.16b, v6.16b, v8.16b
+ ldr q15, [x0]
+ eor v4.16b, v4.16b, v9.16b
+ eor v2.16b, v2.16b, v10.16b
+ str q1, [x1], #16
+ eor v0.16b, v7.16b, v0.16b
+ str q6, [x1], #16
+ eor v1.16b, v3.16b, v5.16b
+ str q4, [x1], #16
+ str q2, [x1], #16
+ str q0, [x1], #16
+ str q1, [x1]
+ b .Lcbc_dec_done
+.align 4
+.Lcbc_dec_six:
+ sub x0, x0, #0x60
+ bl _bsaes_decrypt8
+ ldr q3, [x0], #16 // reload input
+ eor v0.16b, v0.16b, v15.16b // ^= IV
+ ldr q5, [x0], #16
+ ldr q8, [x0], #16
+ ldr q9, [x0], #16
+ str q0, [x1], #16 // write output
+ ldr q0, [x0], #16
+ eor v1.16b, v1.16b, v3.16b
+ ldr q15, [x0]
+ eor v3.16b, v6.16b, v5.16b
+ eor v4.16b, v4.16b, v8.16b
+ eor v2.16b, v2.16b, v9.16b
+ str q1, [x1], #16
+ eor v0.16b, v7.16b, v0.16b
+ str q3, [x1], #16
+ str q4, [x1], #16
+ str q2, [x1], #16
+ str q0, [x1]
+ b .Lcbc_dec_done
+.align 4
+.Lcbc_dec_five:
+ sub x0, x0, #0x50
+ bl _bsaes_decrypt8
+ ldr q3, [x0], #16 // reload input
+ eor v0.16b, v0.16b, v15.16b // ^= IV
+ ldr q5, [x0], #16
+ ldr q7, [x0], #16
+ ldr q8, [x0], #16
+ str q0, [x1], #16 // write output
+ ldr q15, [x0]
+ eor v0.16b, v1.16b, v3.16b
+ eor v1.16b, v6.16b, v5.16b
+ eor v3.16b, v4.16b, v7.16b
+ str q0, [x1], #16
+ eor v0.16b, v2.16b, v8.16b
+ str q1, [x1], #16
+ str q3, [x1], #16
+ str q0, [x1]
+ b .Lcbc_dec_done
+.align 4
+.Lcbc_dec_four:
+ sub x0, x0, #0x40
+ bl _bsaes_decrypt8
+ ldr q2, [x0], #16 // reload input
+ eor v0.16b, v0.16b, v15.16b // ^= IV
+ ldr q3, [x0], #16
+ ldr q5, [x0], #16
+ str q0, [x1], #16 // write output
+ ldr q15, [x0]
+ eor v0.16b, v1.16b, v2.16b
+ eor v1.16b, v6.16b, v3.16b
+ eor v2.16b, v4.16b, v5.16b
+ str q0, [x1], #16
+ str q1, [x1], #16
+ str q2, [x1]
+ b .Lcbc_dec_done
+.align 4
+.Lcbc_dec_three:
+ sub x0, x0, #0x30
+ bl _bsaes_decrypt8
+ ldr q2, [x0], #16 // reload input
+ eor v0.16b, v0.16b, v15.16b // ^= IV
+ ldr q3, [x0], #16
+ ldr q15, [x0]
+ str q0, [x1], #16 // write output
+ eor v0.16b, v1.16b, v2.16b
+ eor v1.16b, v6.16b, v3.16b
+ str q0, [x1], #16
+ str q1, [x1]
+ b .Lcbc_dec_done
+.align 4
+.Lcbc_dec_two:
+ sub x0, x0, #0x20
+ bl _bsaes_decrypt8
+ ldr q2, [x0], #16 // reload input
+ eor v0.16b, v0.16b, v15.16b // ^= IV
+ ldr q15, [x0]
+ str q0, [x1], #16 // write output
+ eor v0.16b, v1.16b, v2.16b
+ str q0, [x1]
+ b .Lcbc_dec_done
+.align 4
+.Lcbc_dec_one:
+ sub x0, x0, #0x10
+ stp x1, x4, [sp, #-32]!
+ str x14, [sp, #16]
+ mov v8.16b, v15.16b
+ mov v15.16b, v0.16b
+ mov x2, x3
+ bl AES_decrypt
+ ldr x14, [sp, #16]
+ ldp x1, x4, [sp], #32
+ ldr q0, [x1] // load result
+ eor v0.16b, v0.16b, v8.16b // ^= IV
+ str q0, [x1] // write output
+
+.align 4
+.Lcbc_dec_done:
+ movi v0.16b, #0
+ movi v1.16b, #0
+.Lcbc_dec_bzero:// wipe key schedule [if any]
+ stp q0, q1, [sp], #32
+ cmp sp, x14
+ bne .Lcbc_dec_bzero
+ str q15, [x4] // return IV
+ ldp d8, d9, [sp, #16]
+ ldp d10, d15, [sp, #32]
+ ldp x29, x30, [sp], #48
+ ret
+.size ossl_bsaes_cbc_encrypt,.-ossl_bsaes_cbc_encrypt
+
+.globl ossl_bsaes_ctr32_encrypt_blocks
+.type ossl_bsaes_ctr32_encrypt_blocks,%function
+.align 4
+// On entry:
+// x0 -> input text (whole 16-byte blocks)
+// x1 -> output text (whole 16-byte blocks)
+// x2 = number of 16-byte blocks to encrypt/decrypt (> 0)
+// x3 -> key
+// x4 -> initial value of 128-bit counter (stored big-endian) which increments, modulo 2^32, for each block
+// On exit:
+// Output text filled in
+// No output registers, usual AAPCS64 register preservation
+ossl_bsaes_ctr32_encrypt_blocks:
+
+ cmp x2, #8 // use plain AES for
+ blo .Lctr_enc_short // small sizes
+
+ stp x29, x30, [sp, #-80]!
+ stp d8, d9, [sp, #16]
+ stp d10, d11, [sp, #32]
+ stp d12, d13, [sp, #48]
+ stp d14, d15, [sp, #64]
+
+ ldr w15, [x3, #240] // get # of rounds
+ mov x14, sp
+
+ // allocate the key schedule on the stack
+ add x17, sp, #96
+ sub x17, x17, x15, lsl #7 // 128 bytes per inner round key, less 96 bytes
+
+ // populate the key schedule
+ mov x9, x3 // pass key
+ mov x10, x15 // pass # of rounds
+ mov sp, x17 // sp is sp
+ bl _bsaes_key_convert
+ eor v7.16b, v7.16b, v15.16b // fix up last round key
+ str q7, [x17] // save last round key
+
+ ldr q0, [x4] // load counter
+ add x13, x11, #.LREVM0SR-.LM0_bigendian
+ ldr q4, [sp] // load round0 key
+
+ movi v8.4s, #1 // compose 1<<96
+ movi v9.16b, #0
+ rev32 v15.16b, v0.16b
+ rev32 v0.16b, v0.16b
+ ext v11.16b, v9.16b, v8.16b, #4
+ rev32 v4.16b, v4.16b
+ add v12.4s, v11.4s, v11.4s // compose 2<<96
+ str q4, [sp] // save adjusted round0 key
+ add v13.4s, v11.4s, v12.4s // compose 3<<96
+ add v14.4s, v12.4s, v12.4s // compose 4<<96
+ b .Lctr_enc_loop
+
+.align 4
+.Lctr_enc_loop:
+ // Intermix prologue from _bsaes_encrypt8 to use the opportunity
+ // to flip byte order in 32-bit counter
+
+ add v1.4s, v15.4s, v11.4s // +1
+ add x9, sp, #0x10 // pass next round key
+ add v2.4s, v15.4s, v12.4s // +2
+ ldr q9, [x13] // .LREVM0SR
+ ldr q8, [sp] // load round0 key
+ add v3.4s, v15.4s, v13.4s // +3
+ mov x10, x15 // pass rounds
+ sub x11, x13, #.LREVM0SR-.LSR // pass constants
+ add v6.4s, v2.4s, v14.4s
+ add v4.4s, v15.4s, v14.4s // +4
+ add v7.4s, v3.4s, v14.4s
+ add v15.4s, v4.4s, v14.4s // next counter
+ add v5.4s, v1.4s, v14.4s
+
+ bl _bsaes_encrypt8_alt
+
+ subs x2, x2, #8
+ blo .Lctr_enc_loop_done
+
+ ldr q16, [x0], #16
+ ldr q17, [x0], #16
+ eor v1.16b, v1.16b, v17.16b
+ ldr q17, [x0], #16
+ eor v0.16b, v0.16b, v16.16b
+ eor v4.16b, v4.16b, v17.16b
+ str q0, [x1], #16
+ ldr q16, [x0], #16
+ str q1, [x1], #16
+ mov v0.16b, v15.16b
+ str q4, [x1], #16
+ ldr q1, [x0], #16
+ eor v4.16b, v6.16b, v16.16b
+ eor v1.16b, v3.16b, v1.16b
+ ldr q3, [x0], #16
+ eor v3.16b, v7.16b, v3.16b
+ ldr q6, [x0], #16
+ eor v2.16b, v2.16b, v6.16b
+ ldr q6, [x0], #16
+ eor v5.16b, v5.16b, v6.16b
+ str q4, [x1], #16
+ str q1, [x1], #16
+ str q3, [x1], #16
+ str q2, [x1], #16
+ str q5, [x1], #16
+
+ bne .Lctr_enc_loop
+ b .Lctr_enc_done
+
+.align 4
+.Lctr_enc_loop_done:
+ add x2, x2, #8
+ ldr q16, [x0], #16 // load input
+ eor v0.16b, v0.16b, v16.16b
+ str q0, [x1], #16 // write output
+ cmp x2, #2
+ blo .Lctr_enc_done
+ ldr q17, [x0], #16
+ eor v1.16b, v1.16b, v17.16b
+ str q1, [x1], #16
+ beq .Lctr_enc_done
+ ldr q18, [x0], #16
+ eor v4.16b, v4.16b, v18.16b
+ str q4, [x1], #16
+ cmp x2, #4
+ blo .Lctr_enc_done
+ ldr q19, [x0], #16
+ eor v6.16b, v6.16b, v19.16b
+ str q6, [x1], #16
+ beq .Lctr_enc_done
+ ldr q20, [x0], #16
+ eor v3.16b, v3.16b, v20.16b
+ str q3, [x1], #16
+ cmp x2, #6
+ blo .Lctr_enc_done
+ ldr q21, [x0], #16
+ eor v7.16b, v7.16b, v21.16b
+ str q7, [x1], #16
+ beq .Lctr_enc_done
+ ldr q22, [x0]
+ eor v2.16b, v2.16b, v22.16b
+ str q2, [x1], #16
+
+.Lctr_enc_done:
+ movi v0.16b, #0
+ movi v1.16b, #0
+.Lctr_enc_bzero: // wipe key schedule [if any]
+ stp q0, q1, [sp], #32
+ cmp sp, x14
+ bne .Lctr_enc_bzero
+
+ ldp d8, d9, [sp, #16]
+ ldp d10, d11, [sp, #32]
+ ldp d12, d13, [sp, #48]
+ ldp d14, d15, [sp, #64]
+ ldp x29, x30, [sp], #80
+ ret
+
+.Lctr_enc_short:
+ stp x29, x30, [sp, #-96]!
+ stp x19, x20, [sp, #16]
+ stp x21, x22, [sp, #32]
+ str x23, [sp, #48]
+
+ mov x19, x0 // copy arguments
+ mov x20, x1
+ mov x21, x2
+ mov x22, x3
+ ldr w23, [x4, #12] // load counter .LSW
+ ldr q1, [x4] // load whole counter value
+#ifdef __AARCH64EL__
+ rev w23, w23
+#endif
+ str q1, [sp, #80] // copy counter value
+
+.Lctr_enc_short_loop:
+ add x0, sp, #80 // input counter value
+ add x1, sp, #64 // output on the stack
+ mov x2, x22 // key
+
+ bl AES_encrypt
+
+ ldr q0, [x19], #16 // load input
+ ldr q1, [sp, #64] // load encrypted counter
+ add x23, x23, #1
+#ifdef __AARCH64EL__
+ rev w0, w23
+ str w0, [sp, #80+12] // next counter value
+#else
+ str w23, [sp, #80+12] // next counter value
+#endif
+ eor v0.16b, v0.16b, v1.16b
+ str q0, [x20], #16 // store output
+ subs x21, x21, #1
+ bne .Lctr_enc_short_loop
+
+ movi v0.16b, #0
+ movi v1.16b, #0
+ stp q0, q1, [sp, #64]
+
+ ldr x23, [sp, #48]
+ ldp x21, x22, [sp, #32]
+ ldp x19, x20, [sp, #16]
+ ldp x29, x30, [sp], #96
+ ret
+.size ossl_bsaes_ctr32_encrypt_blocks,.-ossl_bsaes_ctr32_encrypt_blocks
+
+.globl ossl_bsaes_xts_encrypt
+.type ossl_bsaes_xts_encrypt,%function
+.align 4
+// On entry:
+// x0 -> input plaintext
+// x1 -> output ciphertext
+// x2 -> length of text in bytes (must be at least 16)
+// x3 -> key1 (used to encrypt the XORed plaintext blocks)
+// x4 -> key2 (used to encrypt the initial vector to yield the initial tweak)
+// x5 -> 16-byte initial vector (typically, sector number)
+// On exit:
+// Output ciphertext filled in
+// No output registers, usual AAPCS64 register preservation
+ossl_bsaes_xts_encrypt:
+ // Stack layout:
+ // sp ->
+ // nrounds*128-96 bytes: key schedule
+ // x19 ->
+ // 16 bytes: frame record
+ // 4*16 bytes: tweak storage across _bsaes_encrypt8
+ // 6*8 bytes: storage for 5 callee-saved general-purpose registers
+ // 8*8 bytes: storage for 8 callee-saved SIMD registers
+ stp x29, x30, [sp, #-192]!
+ stp x19, x20, [sp, #80]
+ stp x21, x22, [sp, #96]
+ str x23, [sp, #112]
+ stp d8, d9, [sp, #128]
+ stp d10, d11, [sp, #144]
+ stp d12, d13, [sp, #160]
+ stp d14, d15, [sp, #176]
+
+ mov x19, sp
+ mov x20, x0
+ mov x21, x1
+ mov x22, x2
+ mov x23, x3
+
+ // generate initial tweak
+ sub sp, sp, #16
+ mov x0, x5 // iv[]
+ mov x1, sp
+ mov x2, x4 // key2
+ bl AES_encrypt
+ ldr q11, [sp], #16
+
+ ldr w1, [x23, #240] // get # of rounds
+ // allocate the key schedule on the stack
+ add x17, sp, #96
+ sub x17, x17, x1, lsl #7 // 128 bytes per inner round key, less 96 bytes
+
+ // populate the key schedule
+ mov x9, x23 // pass key
+ mov x10, x1 // pass # of rounds
+ mov sp, x17
+ bl _bsaes_key_convert
+ eor v15.16b, v15.16b, v7.16b // fix up last round key
+ str q15, [x17] // save last round key
+
+ subs x22, x22, #0x80
+ blo .Lxts_enc_short
+ b .Lxts_enc_loop
+
+.align 4
+.Lxts_enc_loop:
+ ldr q8, .Lxts_magic
+ mov x10, x1 // pass rounds
+ add x2, x19, #16
+ ldr q0, [x20], #16
+ sshr v1.2d, v11.2d, #63
+ mov x9, sp // pass key schedule
+ ldr q6, .Lxts_magic+16
+ add v2.2d, v11.2d, v11.2d
+ cmtst v3.2d, v11.2d, v6.2d
+ and v1.16b, v1.16b, v8.16b
+ ext v1.16b, v1.16b, v1.16b, #8
+ and v3.16b, v3.16b, v8.16b
+ ldr q4, [x20], #16
+ eor v12.16b, v2.16b, v1.16b
+ eor v1.16b, v4.16b, v12.16b
+ eor v0.16b, v0.16b, v11.16b
+ cmtst v2.2d, v12.2d, v6.2d
+ add v4.2d, v12.2d, v12.2d
+ add x0, x19, #16
+ ext v3.16b, v3.16b, v3.16b, #8
+ and v2.16b, v2.16b, v8.16b
+ eor v13.16b, v4.16b, v3.16b
+ ldr q3, [x20], #16
+ ext v4.16b, v2.16b, v2.16b, #8
+ eor v2.16b, v3.16b, v13.16b
+ ldr q3, [x20], #16
+ add v5.2d, v13.2d, v13.2d
+ cmtst v7.2d, v13.2d, v6.2d
+ and v7.16b, v7.16b, v8.16b
+ ldr q9, [x20], #16
+ ext v7.16b, v7.16b, v7.16b, #8
+ ldr q10, [x20], #16
+ eor v14.16b, v5.16b, v4.16b
+ ldr q16, [x20], #16
+ add v4.2d, v14.2d, v14.2d
+ eor v3.16b, v3.16b, v14.16b
+ eor v15.16b, v4.16b, v7.16b
+ add v5.2d, v15.2d, v15.2d
+ ldr q7, [x20], #16
+ cmtst v4.2d, v14.2d, v6.2d
+ and v17.16b, v4.16b, v8.16b
+ cmtst v18.2d, v15.2d, v6.2d
+ eor v4.16b, v9.16b, v15.16b
+ ext v9.16b, v17.16b, v17.16b, #8
+ eor v9.16b, v5.16b, v9.16b
+ add v17.2d, v9.2d, v9.2d
+ and v18.16b, v18.16b, v8.16b
+ eor v5.16b, v10.16b, v9.16b
+ str q9, [x2], #16
+ ext v10.16b, v18.16b, v18.16b, #8
+ cmtst v9.2d, v9.2d, v6.2d
+ and v9.16b, v9.16b, v8.16b
+ eor v10.16b, v17.16b, v10.16b
+ cmtst v17.2d, v10.2d, v6.2d
+ eor v6.16b, v16.16b, v10.16b
+ str q10, [x2], #16
+ ext v9.16b, v9.16b, v9.16b, #8
+ add v10.2d, v10.2d, v10.2d
+ eor v9.16b, v10.16b, v9.16b
+ str q9, [x2], #16
+ eor v7.16b, v7.16b, v9.16b
+ add v9.2d, v9.2d, v9.2d
+ and v8.16b, v17.16b, v8.16b
+ ext v8.16b, v8.16b, v8.16b, #8
+ eor v8.16b, v9.16b, v8.16b
+ str q8, [x2] // next round tweak
+
+ bl _bsaes_encrypt8
+
+ ldr q8, [x0], #16
+ eor v0.16b, v0.16b, v11.16b
+ eor v1.16b, v1.16b, v12.16b
+ ldr q9, [x0], #16
+ eor v4.16b, v4.16b, v13.16b
+ eor v6.16b, v6.16b, v14.16b
+ ldr q10, [x0], #16
+ eor v3.16b, v3.16b, v15.16b
+ subs x22, x22, #0x80
+ str q0, [x21], #16
+ ldr q11, [x0] // next round tweak
+ str q1, [x21], #16
+ eor v0.16b, v7.16b, v8.16b
+ eor v1.16b, v2.16b, v9.16b
+ str q4, [x21], #16
+ eor v2.16b, v5.16b, v10.16b
+ str q6, [x21], #16
+ str q3, [x21], #16
+ str q0, [x21], #16
+ str q1, [x21], #16
+ str q2, [x21], #16
+ bpl .Lxts_enc_loop
+
+.Lxts_enc_short:
+ adds x22, x22, #0x70
+ bmi .Lxts_enc_done
+
+ ldr q8, .Lxts_magic
+ sshr v1.2d, v11.2d, #63
+ add v2.2d, v11.2d, v11.2d
+ ldr q9, .Lxts_magic+16
+ subs x22, x22, #0x10
+ ldr q0, [x20], #16
+ and v1.16b, v1.16b, v8.16b
+ cmtst v3.2d, v11.2d, v9.2d
+ ext v1.16b, v1.16b, v1.16b, #8
+ and v3.16b, v3.16b, v8.16b
+ eor v12.16b, v2.16b, v1.16b
+ ext v1.16b, v3.16b, v3.16b, #8
+ add v2.2d, v12.2d, v12.2d
+ cmtst v3.2d, v12.2d, v9.2d
+ eor v13.16b, v2.16b, v1.16b
+ and v22.16b, v3.16b, v8.16b
+ bmi .Lxts_enc_1
+
+ ext v2.16b, v22.16b, v22.16b, #8
+ add v3.2d, v13.2d, v13.2d
+ ldr q1, [x20], #16
+ cmtst v4.2d, v13.2d, v9.2d
+ subs x22, x22, #0x10
+ eor v14.16b, v3.16b, v2.16b
+ and v23.16b, v4.16b, v8.16b
+ bmi .Lxts_enc_2
+
+ ext v3.16b, v23.16b, v23.16b, #8
+ add v4.2d, v14.2d, v14.2d
+ ldr q2, [x20], #16
+ cmtst v5.2d, v14.2d, v9.2d
+ eor v0.16b, v0.16b, v11.16b
+ subs x22, x22, #0x10
+ eor v15.16b, v4.16b, v3.16b
+ and v24.16b, v5.16b, v8.16b
+ bmi .Lxts_enc_3
+
+ ext v4.16b, v24.16b, v24.16b, #8
+ add v5.2d, v15.2d, v15.2d
+ ldr q3, [x20], #16
+ cmtst v6.2d, v15.2d, v9.2d
+ eor v1.16b, v1.16b, v12.16b
+ subs x22, x22, #0x10
+ eor v16.16b, v5.16b, v4.16b
+ and v25.16b, v6.16b, v8.16b
+ bmi .Lxts_enc_4
+
+ ext v5.16b, v25.16b, v25.16b, #8
+ add v6.2d, v16.2d, v16.2d
+ add x0, x19, #16
+ cmtst v7.2d, v16.2d, v9.2d
+ ldr q4, [x20], #16
+ eor v2.16b, v2.16b, v13.16b
+ str q16, [x0], #16
+ subs x22, x22, #0x10
+ eor v17.16b, v6.16b, v5.16b
+ and v26.16b, v7.16b, v8.16b
+ bmi .Lxts_enc_5
+
+ ext v7.16b, v26.16b, v26.16b, #8
+ add v18.2d, v17.2d, v17.2d
+ ldr q5, [x20], #16
+ eor v3.16b, v3.16b, v14.16b
+ str q17, [x0], #16
+ subs x22, x22, #0x10
+ eor v18.16b, v18.16b, v7.16b
+ bmi .Lxts_enc_6
+
+ ldr q6, [x20], #16
+ eor v4.16b, v4.16b, v15.16b
+ eor v5.16b, v5.16b, v16.16b
+ str q18, [x0] // next round tweak
+ mov x9, sp // pass key schedule
+ mov x10, x1
+ add x0, x19, #16
+ sub x22, x22, #0x10
+ eor v6.16b, v6.16b, v17.16b
+
+ bl _bsaes_encrypt8
+
+ ldr q16, [x0], #16
+ eor v0.16b, v0.16b, v11.16b
+ eor v1.16b, v1.16b, v12.16b
+ ldr q17, [x0], #16
+ eor v4.16b, v4.16b, v13.16b
+ eor v6.16b, v6.16b, v14.16b
+ eor v3.16b, v3.16b, v15.16b
+ ldr q11, [x0] // next round tweak
+ str q0, [x21], #16
+ str q1, [x21], #16
+ eor v0.16b, v7.16b, v16.16b
+ eor v1.16b, v2.16b, v17.16b
+ str q4, [x21], #16
+ str q6, [x21], #16
+ str q3, [x21], #16
+ str q0, [x21], #16
+ str q1, [x21], #16
+ b .Lxts_enc_done
+
+.align 4
+.Lxts_enc_6:
+ eor v4.16b, v4.16b, v15.16b
+ eor v5.16b, v5.16b, v16.16b
+ mov x9, sp // pass key schedule
+ mov x10, x1 // pass rounds
+ add x0, x19, #16
+
+ bl _bsaes_encrypt8
+
+ ldr q16, [x0], #16
+ eor v0.16b, v0.16b, v11.16b
+ eor v1.16b, v1.16b, v12.16b
+ eor v4.16b, v4.16b, v13.16b
+ eor v6.16b, v6.16b, v14.16b
+ ldr q11, [x0] // next round tweak
+ eor v3.16b, v3.16b, v15.16b
+ str q0, [x21], #16
+ str q1, [x21], #16
+ eor v0.16b, v7.16b, v16.16b
+ str q4, [x21], #16
+ str q6, [x21], #16
+ str q3, [x21], #16
+ str q0, [x21], #16
+ b .Lxts_enc_done
+
+.align 4
+.Lxts_enc_5:
+ eor v3.16b, v3.16b, v14.16b
+ eor v4.16b, v4.16b, v15.16b
+ mov x9, sp // pass key schedule
+ mov x10, x1 // pass rounds
+ add x0, x19, #16
+
+ bl _bsaes_encrypt8
+
+ eor v0.16b, v0.16b, v11.16b
+ eor v1.16b, v1.16b, v12.16b
+ ldr q11, [x0] // next round tweak
+ eor v4.16b, v4.16b, v13.16b
+ eor v6.16b, v6.16b, v14.16b
+ eor v3.16b, v3.16b, v15.16b
+ str q0, [x21], #16
+ str q1, [x21], #16
+ str q4, [x21], #16
+ str q6, [x21], #16
+ str q3, [x21], #16
+ b .Lxts_enc_done
+
+.align 4
+.Lxts_enc_4:
+ eor v2.16b, v2.16b, v13.16b
+ eor v3.16b, v3.16b, v14.16b
+ mov x9, sp // pass key schedule
+ mov x10, x1 // pass rounds
+ add x0, x19, #16
+
+ bl _bsaes_encrypt8
+
+ eor v0.16b, v0.16b, v11.16b
+ eor v1.16b, v1.16b, v12.16b
+ eor v4.16b, v4.16b, v13.16b
+ eor v6.16b, v6.16b, v14.16b
+ mov v11.16b, v15.16b // next round tweak
+ str q0, [x21], #16
+ str q1, [x21], #16
+ str q4, [x21], #16
+ str q6, [x21], #16
+ b .Lxts_enc_done
+
+.align 4
+.Lxts_enc_3:
+ eor v1.16b, v1.16b, v12.16b
+ eor v2.16b, v2.16b, v13.16b
+ mov x9, sp // pass key schedule
+ mov x10, x1 // pass rounds
+ add x0, x19, #16
+
+ bl _bsaes_encrypt8
+
+ eor v0.16b, v0.16b, v11.16b
+ eor v1.16b, v1.16b, v12.16b
+ eor v4.16b, v4.16b, v13.16b
+ mov v11.16b, v14.16b // next round tweak
+ str q0, [x21], #16
+ str q1, [x21], #16
+ str q4, [x21], #16
+ b .Lxts_enc_done
+
+.align 4
+.Lxts_enc_2:
+ eor v0.16b, v0.16b, v11.16b
+ eor v1.16b, v1.16b, v12.16b
+ mov x9, sp // pass key schedule
+ mov x10, x1 // pass rounds
+ add x0, x19, #16
+
+ bl _bsaes_encrypt8
+
+ eor v0.16b, v0.16b, v11.16b
+ eor v1.16b, v1.16b, v12.16b
+ mov v11.16b, v13.16b // next round tweak
+ str q0, [x21], #16
+ str q1, [x21], #16
+ b .Lxts_enc_done
+
+.align 4
+.Lxts_enc_1:
+ eor v0.16b, v0.16b, v11.16b
+ sub x0, sp, #16
+ sub x1, sp, #16
+ mov x2, x23
+ mov v13.d[0], v11.d[1] // just in case AES_encrypt corrupts top half of callee-saved SIMD registers
+ mov v14.d[0], v12.d[1]
+ str q0, [sp, #-16]!
+
+ bl AES_encrypt
+
+ ldr q0, [sp], #16
+ trn1 v13.2d, v11.2d, v13.2d
+ trn1 v11.2d, v12.2d, v14.2d // next round tweak
+ eor v0.16b, v0.16b, v13.16b
+ str q0, [x21], #16
+
+.Lxts_enc_done:
+ adds x22, x22, #0x10
+ beq .Lxts_enc_ret
+
+ sub x6, x21, #0x10
+ // Penultimate plaintext block produces final ciphertext part-block
+ // plus remaining part of final plaintext block. Move ciphertext part
+ // to final position and re-use penultimate ciphertext block buffer to
+ // construct final plaintext block
+.Lxts_enc_steal:
+ ldrb w0, [x20], #1
+ ldrb w1, [x21, #-0x10]
+ strb w0, [x21, #-0x10]
+ strb w1, [x21], #1
+
+ subs x22, x22, #1
+ bhi .Lxts_enc_steal
+
+ // Finally encrypt the penultimate ciphertext block using the
+ // last tweak
+ ldr q0, [x6]
+ eor v0.16b, v0.16b, v11.16b
+ str q0, [sp, #-16]!
+ mov x0, sp
+ mov x1, sp
+ mov x2, x23
+ mov x21, x6
+ mov v13.d[0], v11.d[1] // just in case AES_encrypt corrupts top half of callee-saved SIMD registers
+
+ bl AES_encrypt
+
+ trn1 v11.2d, v11.2d, v13.2d
+ ldr q0, [sp], #16
+ eor v0.16b, v0.16b, v11.16b
+ str q0, [x21]
+
+.Lxts_enc_ret:
+
+ movi v0.16b, #0
+ movi v1.16b, #0
+.Lxts_enc_bzero: // wipe key schedule
+ stp q0, q1, [sp], #32
+ cmp sp, x19
+ bne .Lxts_enc_bzero
+
+ ldp x19, x20, [sp, #80]
+ ldp x21, x22, [sp, #96]
+ ldr x23, [sp, #112]
+ ldp d8, d9, [sp, #128]
+ ldp d10, d11, [sp, #144]
+ ldp d12, d13, [sp, #160]
+ ldp d14, d15, [sp, #176]
+ ldp x29, x30, [sp], #192
+ ret
+.size ossl_bsaes_xts_encrypt,.-ossl_bsaes_xts_encrypt
+
+// The assembler doesn't seem capable of de-duplicating these when expressed
+// using `ldr qd,=` syntax, so assign a symbolic address
+.align 5
+.Lxts_magic:
+.quad 1, 0x87, 0x4000000000000000, 0x4000000000000000
+
+.globl ossl_bsaes_xts_decrypt
+.type ossl_bsaes_xts_decrypt,%function
+.align 4
+// On entry:
+// x0 -> input ciphertext
+// x1 -> output plaintext
+// x2 -> length of text in bytes (must be at least 16)
+// x3 -> key1 (used to decrypt the XORed ciphertext blocks)
+// x4 -> key2 (used to encrypt the initial vector to yield the initial tweak)
+// x5 -> 16-byte initial vector (typically, sector number)
+// On exit:
+// Output plaintext filled in
+// No output registers, usual AAPCS64 register preservation
+ossl_bsaes_xts_decrypt:
+ // Stack layout:
+ // sp ->
+ // nrounds*128-96 bytes: key schedule
+ // x19 ->
+ // 16 bytes: frame record
+ // 4*16 bytes: tweak storage across _bsaes_decrypt8
+ // 6*8 bytes: storage for 5 callee-saved general-purpose registers
+ // 8*8 bytes: storage for 8 callee-saved SIMD registers
+ stp x29, x30, [sp, #-192]!
+ stp x19, x20, [sp, #80]
+ stp x21, x22, [sp, #96]
+ str x23, [sp, #112]
+ stp d8, d9, [sp, #128]
+ stp d10, d11, [sp, #144]
+ stp d12, d13, [sp, #160]
+ stp d14, d15, [sp, #176]
+
+ mov x19, sp
+ mov x20, x0
+ mov x21, x1
+ mov x22, x2
+ mov x23, x3
+
+ // generate initial tweak
+ sub sp, sp, #16
+ mov x0, x5 // iv[]
+ mov x1, sp
+ mov x2, x4 // key2
+ bl AES_encrypt
+ ldr q11, [sp], #16
+
+ ldr w1, [x23, #240] // get # of rounds
+ // allocate the key schedule on the stack
+ add x17, sp, #96
+ sub x17, x17, x1, lsl #7 // 128 bytes per inner round key, less 96 bytes
+
+ // populate the key schedule
+ mov x9, x23 // pass key
+ mov x10, x1 // pass # of rounds
+ mov sp, x17
+ bl _bsaes_key_convert
+ ldr q6, [sp]
+ str q15, [x17] // save last round key
+ eor v6.16b, v6.16b, v7.16b // fix up round 0 key (by XORing with 0x63)
+ str q6, [sp]
+
+ sub x30, x22, #0x10
+ tst x22, #0xf // if not multiple of 16
+ csel x22, x30, x22, ne // subtract another 16 bytes
+ subs x22, x22, #0x80
+
+ blo .Lxts_dec_short
+ b .Lxts_dec_loop
+
+.align 4
+.Lxts_dec_loop:
+ ldr q8, .Lxts_magic
+ mov x10, x1 // pass rounds
+ add x2, x19, #16
+ ldr q0, [x20], #16
+ sshr v1.2d, v11.2d, #63
+ mov x9, sp // pass key schedule
+ ldr q6, .Lxts_magic+16
+ add v2.2d, v11.2d, v11.2d
+ cmtst v3.2d, v11.2d, v6.2d
+ and v1.16b, v1.16b, v8.16b
+ ext v1.16b, v1.16b, v1.16b, #8
+ and v3.16b, v3.16b, v8.16b
+ ldr q4, [x20], #16
+ eor v12.16b, v2.16b, v1.16b
+ eor v1.16b, v4.16b, v12.16b
+ eor v0.16b, v0.16b, v11.16b
+ cmtst v2.2d, v12.2d, v6.2d
+ add v4.2d, v12.2d, v12.2d
+ add x0, x19, #16
+ ext v3.16b, v3.16b, v3.16b, #8
+ and v2.16b, v2.16b, v8.16b
+ eor v13.16b, v4.16b, v3.16b
+ ldr q3, [x20], #16
+ ext v4.16b, v2.16b, v2.16b, #8
+ eor v2.16b, v3.16b, v13.16b
+ ldr q3, [x20], #16
+ add v5.2d, v13.2d, v13.2d
+ cmtst v7.2d, v13.2d, v6.2d
+ and v7.16b, v7.16b, v8.16b
+ ldr q9, [x20], #16
+ ext v7.16b, v7.16b, v7.16b, #8
+ ldr q10, [x20], #16
+ eor v14.16b, v5.16b, v4.16b
+ ldr q16, [x20], #16
+ add v4.2d, v14.2d, v14.2d
+ eor v3.16b, v3.16b, v14.16b
+ eor v15.16b, v4.16b, v7.16b
+ add v5.2d, v15.2d, v15.2d
+ ldr q7, [x20], #16
+ cmtst v4.2d, v14.2d, v6.2d
+ and v17.16b, v4.16b, v8.16b
+ cmtst v18.2d, v15.2d, v6.2d
+ eor v4.16b, v9.16b, v15.16b
+ ext v9.16b, v17.16b, v17.16b, #8
+ eor v9.16b, v5.16b, v9.16b
+ add v17.2d, v9.2d, v9.2d
+ and v18.16b, v18.16b, v8.16b
+ eor v5.16b, v10.16b, v9.16b
+ str q9, [x2], #16
+ ext v10.16b, v18.16b, v18.16b, #8
+ cmtst v9.2d, v9.2d, v6.2d
+ and v9.16b, v9.16b, v8.16b
+ eor v10.16b, v17.16b, v10.16b
+ cmtst v17.2d, v10.2d, v6.2d
+ eor v6.16b, v16.16b, v10.16b
+ str q10, [x2], #16
+ ext v9.16b, v9.16b, v9.16b, #8
+ add v10.2d, v10.2d, v10.2d
+ eor v9.16b, v10.16b, v9.16b
+ str q9, [x2], #16
+ eor v7.16b, v7.16b, v9.16b
+ add v9.2d, v9.2d, v9.2d
+ and v8.16b, v17.16b, v8.16b
+ ext v8.16b, v8.16b, v8.16b, #8
+ eor v8.16b, v9.16b, v8.16b
+ str q8, [x2] // next round tweak
+
+ bl _bsaes_decrypt8
+
+ eor v6.16b, v6.16b, v13.16b
+ eor v0.16b, v0.16b, v11.16b
+ ldr q8, [x0], #16
+ eor v7.16b, v7.16b, v8.16b
+ str q0, [x21], #16
+ eor v0.16b, v1.16b, v12.16b
+ ldr q1, [x0], #16
+ eor v1.16b, v3.16b, v1.16b
+ subs x22, x22, #0x80
+ eor v2.16b, v2.16b, v15.16b
+ eor v3.16b, v4.16b, v14.16b
+ ldr q4, [x0], #16
+ str q0, [x21], #16
+ ldr q11, [x0] // next round tweak
+ eor v0.16b, v5.16b, v4.16b
+ str q6, [x21], #16
+ str q3, [x21], #16
+ str q2, [x21], #16
+ str q7, [x21], #16
+ str q1, [x21], #16
+ str q0, [x21], #16
+ bpl .Lxts_dec_loop
+
+.Lxts_dec_short:
+ adds x22, x22, #0x70
+ bmi .Lxts_dec_done
+
+ ldr q8, .Lxts_magic
+ sshr v1.2d, v11.2d, #63
+ add v2.2d, v11.2d, v11.2d
+ ldr q9, .Lxts_magic+16
+ subs x22, x22, #0x10
+ ldr q0, [x20], #16
+ and v1.16b, v1.16b, v8.16b
+ cmtst v3.2d, v11.2d, v9.2d
+ ext v1.16b, v1.16b, v1.16b, #8
+ and v3.16b, v3.16b, v8.16b
+ eor v12.16b, v2.16b, v1.16b
+ ext v1.16b, v3.16b, v3.16b, #8
+ add v2.2d, v12.2d, v12.2d
+ cmtst v3.2d, v12.2d, v9.2d
+ eor v13.16b, v2.16b, v1.16b
+ and v22.16b, v3.16b, v8.16b
+ bmi .Lxts_dec_1
+
+ ext v2.16b, v22.16b, v22.16b, #8
+ add v3.2d, v13.2d, v13.2d
+ ldr q1, [x20], #16
+ cmtst v4.2d, v13.2d, v9.2d
+ subs x22, x22, #0x10
+ eor v14.16b, v3.16b, v2.16b
+ and v23.16b, v4.16b, v8.16b
+ bmi .Lxts_dec_2
+
+ ext v3.16b, v23.16b, v23.16b, #8
+ add v4.2d, v14.2d, v14.2d
+ ldr q2, [x20], #16
+ cmtst v5.2d, v14.2d, v9.2d
+ eor v0.16b, v0.16b, v11.16b
+ subs x22, x22, #0x10
+ eor v15.16b, v4.16b, v3.16b
+ and v24.16b, v5.16b, v8.16b
+ bmi .Lxts_dec_3
+
+ ext v4.16b, v24.16b, v24.16b, #8
+ add v5.2d, v15.2d, v15.2d
+ ldr q3, [x20], #16
+ cmtst v6.2d, v15.2d, v9.2d
+ eor v1.16b, v1.16b, v12.16b
+ subs x22, x22, #0x10
+ eor v16.16b, v5.16b, v4.16b
+ and v25.16b, v6.16b, v8.16b
+ bmi .Lxts_dec_4
+
+ ext v5.16b, v25.16b, v25.16b, #8
+ add v6.2d, v16.2d, v16.2d
+ add x0, x19, #16
+ cmtst v7.2d, v16.2d, v9.2d
+ ldr q4, [x20], #16
+ eor v2.16b, v2.16b, v13.16b
+ str q16, [x0], #16
+ subs x22, x22, #0x10
+ eor v17.16b, v6.16b, v5.16b
+ and v26.16b, v7.16b, v8.16b
+ bmi .Lxts_dec_5
+
+ ext v7.16b, v26.16b, v26.16b, #8
+ add v18.2d, v17.2d, v17.2d
+ ldr q5, [x20], #16
+ eor v3.16b, v3.16b, v14.16b
+ str q17, [x0], #16
+ subs x22, x22, #0x10
+ eor v18.16b, v18.16b, v7.16b
+ bmi .Lxts_dec_6
+
+ ldr q6, [x20], #16
+ eor v4.16b, v4.16b, v15.16b
+ eor v5.16b, v5.16b, v16.16b
+ str q18, [x0] // next round tweak
+ mov x9, sp // pass key schedule
+ mov x10, x1
+ add x0, x19, #16
+ sub x22, x22, #0x10
+ eor v6.16b, v6.16b, v17.16b
+
+ bl _bsaes_decrypt8
+
+ ldr q16, [x0], #16
+ eor v0.16b, v0.16b, v11.16b
+ eor v1.16b, v1.16b, v12.16b
+ ldr q17, [x0], #16
+ eor v6.16b, v6.16b, v13.16b
+ eor v4.16b, v4.16b, v14.16b
+ eor v2.16b, v2.16b, v15.16b
+ ldr q11, [x0] // next round tweak
+ str q0, [x21], #16
+ str q1, [x21], #16
+ eor v0.16b, v7.16b, v16.16b
+ eor v1.16b, v3.16b, v17.16b
+ str q6, [x21], #16
+ str q4, [x21], #16
+ str q2, [x21], #16
+ str q0, [x21], #16
+ str q1, [x21], #16
+ b .Lxts_dec_done
+
+.align 4
+.Lxts_dec_6:
+ eor v4.16b, v4.16b, v15.16b
+ eor v5.16b, v5.16b, v16.16b
+ mov x9, sp // pass key schedule
+ mov x10, x1 // pass rounds
+ add x0, x19, #16
+
+ bl _bsaes_decrypt8
+
+ ldr q16, [x0], #16
+ eor v0.16b, v0.16b, v11.16b
+ eor v1.16b, v1.16b, v12.16b
+ eor v6.16b, v6.16b, v13.16b
+ eor v4.16b, v4.16b, v14.16b
+ ldr q11, [x0] // next round tweak
+ eor v2.16b, v2.16b, v15.16b
+ str q0, [x21], #16
+ str q1, [x21], #16
+ eor v0.16b, v7.16b, v16.16b
+ str q6, [x21], #16
+ str q4, [x21], #16
+ str q2, [x21], #16
+ str q0, [x21], #16
+ b .Lxts_dec_done
+
+.align 4
+.Lxts_dec_5:
+ eor v3.16b, v3.16b, v14.16b
+ eor v4.16b, v4.16b, v15.16b
+ mov x9, sp // pass key schedule
+ mov x10, x1 // pass rounds
+ add x0, x19, #16
+
+ bl _bsaes_decrypt8
+
+ eor v0.16b, v0.16b, v11.16b
+ eor v1.16b, v1.16b, v12.16b
+ ldr q11, [x0] // next round tweak
+ eor v6.16b, v6.16b, v13.16b
+ eor v4.16b, v4.16b, v14.16b
+ eor v2.16b, v2.16b, v15.16b
+ str q0, [x21], #16
+ str q1, [x21], #16
+ str q6, [x21], #16
+ str q4, [x21], #16
+ str q2, [x21], #16
+ b .Lxts_dec_done
+
+.align 4
+.Lxts_dec_4:
+ eor v2.16b, v2.16b, v13.16b
+ eor v3.16b, v3.16b, v14.16b
+ mov x9, sp // pass key schedule
+ mov x10, x1 // pass rounds
+ add x0, x19, #16
+
+ bl _bsaes_decrypt8
+
+ eor v0.16b, v0.16b, v11.16b
+ eor v1.16b, v1.16b, v12.16b
+ eor v6.16b, v6.16b, v13.16b
+ eor v4.16b, v4.16b, v14.16b
+ mov v11.16b, v15.16b // next round tweak
+ str q0, [x21], #16
+ str q1, [x21], #16
+ str q6, [x21], #16
+ str q4, [x21], #16
+ b .Lxts_dec_done
+
+.align 4
+.Lxts_dec_3:
+ eor v1.16b, v1.16b, v12.16b
+ eor v2.16b, v2.16b, v13.16b
+ mov x9, sp // pass key schedule
+ mov x10, x1 // pass rounds
+ add x0, x19, #16
+
+ bl _bsaes_decrypt8
+
+ eor v0.16b, v0.16b, v11.16b
+ eor v1.16b, v1.16b, v12.16b
+ eor v6.16b, v6.16b, v13.16b
+ mov v11.16b, v14.16b // next round tweak
+ str q0, [x21], #16
+ str q1, [x21], #16
+ str q6, [x21], #16
+ b .Lxts_dec_done
+
+.align 4
+.Lxts_dec_2:
+ eor v0.16b, v0.16b, v11.16b
+ eor v1.16b, v1.16b, v12.16b
+ mov x9, sp // pass key schedule
+ mov x10, x1 // pass rounds
+ add x0, x19, #16
+
+ bl _bsaes_decrypt8
+
+ eor v0.16b, v0.16b, v11.16b
+ eor v1.16b, v1.16b, v12.16b
+ mov v11.16b, v13.16b // next round tweak
+ str q0, [x21], #16
+ str q1, [x21], #16
+ b .Lxts_dec_done
+
+.align 4
+.Lxts_dec_1:
+ eor v0.16b, v0.16b, v11.16b
+ sub x0, sp, #16
+ sub x1, sp, #16
+ mov x2, x23
+ mov v13.d[0], v11.d[1] // just in case AES_decrypt corrupts top half of callee-saved SIMD registers
+ mov v14.d[0], v12.d[1]
+ str q0, [sp, #-16]!
+
+ bl AES_decrypt
+
+ ldr q0, [sp], #16
+ trn1 v13.2d, v11.2d, v13.2d
+ trn1 v11.2d, v12.2d, v14.2d // next round tweak
+ eor v0.16b, v0.16b, v13.16b
+ str q0, [x21], #16
+
+.Lxts_dec_done:
+ adds x22, x22, #0x10
+ beq .Lxts_dec_ret
+
+ // calculate one round of extra tweak for the stolen ciphertext
+ ldr q8, .Lxts_magic
+ sshr v6.2d, v11.2d, #63
+ and v6.16b, v6.16b, v8.16b
+ add v12.2d, v11.2d, v11.2d
+ ext v6.16b, v6.16b, v6.16b, #8
+ eor v12.16b, v12.16b, v6.16b
+
+ // perform the final decryption with the last tweak value
+ ldr q0, [x20], #16
+ eor v0.16b, v0.16b, v12.16b
+ str q0, [sp, #-16]!
+ mov x0, sp
+ mov x1, sp
+ mov x2, x23
+ mov v13.d[0], v11.d[1] // just in case AES_decrypt corrupts top half of callee-saved SIMD registers
+ mov v14.d[0], v12.d[1]
+
+ bl AES_decrypt
+
+ trn1 v12.2d, v12.2d, v14.2d
+ trn1 v11.2d, v11.2d, v13.2d
+ ldr q0, [sp], #16
+ eor v0.16b, v0.16b, v12.16b
+ str q0, [x21]
+
+ mov x6, x21
+ // Penultimate ciphertext block produces final plaintext part-block
+ // plus remaining part of final ciphertext block. Move plaintext part
+ // to final position and re-use penultimate plaintext block buffer to
+ // construct final ciphertext block
+.Lxts_dec_steal:
+ ldrb w1, [x21]
+ ldrb w0, [x20], #1
+ strb w1, [x21, #0x10]
+ strb w0, [x21], #1
+
+ subs x22, x22, #1
+ bhi .Lxts_dec_steal
+
+ // Finally decrypt the penultimate plaintext block using the
+ // penultimate tweak
+ ldr q0, [x6]
+ eor v0.16b, v0.16b, v11.16b
+ str q0, [sp, #-16]!
+ mov x0, sp + mov x1, sp + mov x2, x23 + mov x21, x6 + + bl AES_decrypt + + trn1 v11.2d, v11.2d, v13.2d + ldr q0, [sp], #16 + eor v0.16b, v0.16b, v11.16b + str q0, [x21] + +.Lxts_dec_ret: + + movi v0.16b, #0 + movi v1.16b, #0 +.Lxts_dec_bzero: // wipe key schedule + stp q0, q1, [sp], #32 + cmp sp, x19 + bne .Lxts_dec_bzero + + ldp x19, x20, [sp, #80] + ldp x21, x22, [sp, #96] + ldr x23, [sp, #112] + ldp d8, d9, [sp, #128] + ldp d10, d11, [sp, #144] + ldp d12, d13, [sp, #160] + ldp d14, d15, [sp, #176] + ldp x29, x30, [sp], #192 + ret +.size ossl_bsaes_xts_decrypt,.-ossl_bsaes_xts_decrypt diff --git a/crypto/aes/asm/vpaes-armv8.pl b/crypto/aes/asm/vpaes-armv8.pl index dcd5065e6..6b85324f8 100755 --- a/crypto/aes/asm/vpaes-armv8.pl +++ b/crypto/aes/asm/vpaes-armv8.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -53,6 +53,8 @@ *STDOUT=*OUT; $code.=<<___; +#include "arm_arch.h" + .text .type _vpaes_consts,%object @@ -259,7 +261,7 @@ .type vpaes_encrypt,%function .align 4 vpaes_encrypt: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -269,7 +271,7 @@ st1 {v0.16b}, [$out] ldp x29,x30,[sp],#16 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size vpaes_encrypt,.-vpaes_encrypt @@ -492,7 +494,7 @@ .type vpaes_decrypt,%function .align 4 vpaes_decrypt: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -502,7 +504,7 @@ st1 {v0.16b}, [$out] ldp x29,x30,[sp],#16 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size vpaes_decrypt,.-vpaes_decrypt 
@@ -673,7 +675,7 @@ .type _vpaes_schedule_core,%function .align 4 _vpaes_schedule_core: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29, x30, [sp,#-16]! add x29,sp,#0 @@ -838,7 +840,7 @@ eor v6.16b, v6.16b, v6.16b // vpxor %xmm6, %xmm6, %xmm6 eor v7.16b, v7.16b, v7.16b // vpxor %xmm7, %xmm7, %xmm7 ldp x29, x30, [sp],#16 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size _vpaes_schedule_core,.-_vpaes_schedule_core @@ -1051,7 +1053,7 @@ .type vpaes_set_encrypt_key,%function .align 4 vpaes_set_encrypt_key: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-16]! add x29,sp,#0 stp d8,d9,[sp,#-16]! // ABI spec says so @@ -1067,7 +1069,7 @@ ldp d8,d9,[sp],#16 ldp x29,x30,[sp],#16 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size vpaes_set_encrypt_key,.-vpaes_set_encrypt_key @@ -1075,7 +1077,7 @@ .type vpaes_set_decrypt_key,%function .align 4 vpaes_set_decrypt_key: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-16]! add x29,sp,#0 stp d8,d9,[sp,#-16]! // ABI spec says so @@ -1095,7 +1097,7 @@ ldp d8,d9,[sp],#16 ldp x29,x30,[sp],#16 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size vpaes_set_decrypt_key,.-vpaes_set_decrypt_key ___ @@ -1108,11 +1110,11 @@ .type vpaes_cbc_encrypt,%function .align 4 vpaes_cbc_encrypt: + AARCH64_SIGN_LINK_REGISTER cbz $len, .Lcbc_abort cmp w5, #0 // check direction b.eq vpaes_cbc_decrypt - .inst 0xd503233f // paciasp stp x29,x30,[sp,#-16]! add x29,sp,#0 
@@ -1135,15 +1137,16 @@ st1 {v0.16b}, [$ivec] // write ivec ldp x29,x30,[sp],#16 - .inst 0xd50323bf // autiasp .Lcbc_abort: + AARCH64_VALIDATE_LINK_REGISTER ret .size vpaes_cbc_encrypt,.-vpaes_cbc_encrypt .type vpaes_cbc_decrypt,%function .align 4 vpaes_cbc_decrypt: - .inst 0xd503233f // paciasp + // Not adding AARCH64_SIGN_LINK_REGISTER here because vpaes_cbc_decrypt is jumped to + // only from vpaes_cbc_encrypt which has already signed the return address. stp x29,x30,[sp,#-16]! add x29,sp,#0 stp d8,d9,[sp,#-16]! // ABI spec says so @@ -1185,7 +1188,7 @@ ldp d10,d11,[sp],#16 ldp d8,d9,[sp],#16 ldp x29,x30,[sp],#16 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size vpaes_cbc_decrypt,.-vpaes_cbc_decrypt ___ @@ -1195,7 +1198,7 @@ .type vpaes_ecb_encrypt,%function .align 4 vpaes_ecb_encrypt: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-16]! add x29,sp,#0 stp d8,d9,[sp,#-16]! // ABI spec says so @@ -1229,7 +1232,7 @@ ldp d10,d11,[sp],#16 ldp d8,d9,[sp],#16 ldp x29,x30,[sp],#16 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size vpaes_ecb_encrypt,.-vpaes_ecb_encrypt @@ -1237,7 +1240,7 @@ .type vpaes_ecb_decrypt,%function .align 4 vpaes_ecb_decrypt: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-16]! add x29,sp,#0 stp d8,d9,[sp,#-16]! // ABI spec says so @@ -1271,7 +1274,7 @@ ldp d10,d11,[sp],#16 ldp d8,d9,[sp],#16 ldp x29,x30,[sp],#16 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size vpaes_ecb_decrypt,.-vpaes_ecb_decrypt ___ diff --git a/crypto/aes/asm/vpaes-loongarch64.pl b/crypto/aes/asm/vpaes-loongarch64.pl new file mode 100644 index 000000000..286adc25f --- /dev/null +++ b/crypto/aes/asm/vpaes-loongarch64.pl 
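Review bot: The comment added above `vpaes_cbc_decrypt` records why there is no sign, but not the two conditions that keep the unsigned entry safe: `vpaes_cbc_encrypt` must reach it via `b.eq vpaes_cbc_decrypt` before it moves `sp` (the sign/authenticate pair uses `sp` as the modifier, so the `AARCH64_SIGN_LINK_REGISTER` at the top of `vpaes_cbc_encrypt` and the `AARCH64_VALIDATE_LINK_REGISTER` at the end of `vpaes_cbc_decrypt` only match while both observe the same `sp`), and `vpaes_cbc_decrypt` must stay a non-`.globl` symbol, since a direct external call would fault in the validate under PAC and an indirect call would have no landing pad if the sign macro is what provides it elsewhere in this tree. I would extend the comment to: `// Invariants: the b.eq from vpaes_cbc_encrypt happens before any sp adjustment there, and this symbol must remain local (no .globl); otherwise an unsigned LR reaches AARCH64_VALIDATE_LINK_REGISTER below.` Moving the validate under `.Lcbc_abort:` looks right, since both the `cbz $len` early exit and the normal encrypt path now authenticate exactly once before `ret`.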
@@ -0,0 +1,1003 @@ +#! /usr/bin/env perl +# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +###################################################################### +## Constant-time SSSE3 AES core implementation. +## version 0.1 +## +## By Mike Hamburg (Stanford University), 2009 +## Public domain. +## +## For details see http://shiftleft.org/papers/vector_aes/ and +## http://crypto.stanford.edu/vpaes/. +## +###################################################################### + +# Loongarch64 LSX adaptation by , +# and +# + +($zero,$ra,$tp,$sp)=map("\$r$_",(0..3)); +($a0,$a1,$a2,$a3,$a4,$a5,$a6,$a7)=map("\$r$_",(4..11)); +($t0,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9)=map("\$r$_",(12..21)); +($s0,$s1,$s2,$s3,$s4,$s5,$s6,$s7)=map("\$r$_",(23..30)); +($vr0,$vr1,$vr2,$vr3,$vr4,$vr5,$vr6,$vr7,$vr8,$vr9,$vr10,$vr11,$vr12,$vr13,$vr14,$vr15,$vr16,$vr17,$vr18,$vr19)=map("\$vr$_",(0..19)); +($fp)=map("\$r$_",(22)); + +for (@ARGV) { $output=$_ if (/\w[\w\-]*\.\w+$/); } +open STDOUT,">$output"; +while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} +open STDOUT,">$output"; + +$PREFIX="vpaes"; + +$code.=<<___; + +## +## _aes_encrypt_core +## +## AES-encrypt %vr0. 
+## +## Inputs: +## %vr0 = input +## %vr9-%vr15 as in _vpaes_preheat +## (%a2) = scheduled keys +## +## Output in %vr0 +## Clobbers %vr1-%vr5, %r9, %r10, %r11, %t5 +## Preserves %vr6 - %vr8 so you get some local vectors +## +## +##.type _vpaes_encrypt_core +.align 4 +_vpaes_encrypt_core: +.cfi_startproc + move $a5,$a2 + li.d $a7,0x10 + ld.w $t5,$a2,240 + vori.b $vr1,$vr9,0 + la.local $t0,Lk_ipt + vld $vr2,$t0,0 # iptlo + vandn.v $vr1,$vr1,$vr0 + vld $vr5,$a5,0 # round0 key + vsrli.w $vr1,$vr1,4 + vand.v $vr0,$vr0,$vr9 + vshuf.b $vr2,$vr0,$vr2,$vr0 + vld $vr0,$t0,16 # ipthi + vshuf.b $vr0,$vr1,$vr0,$vr1 + vxor.v $vr2,$vr2,$vr5 + addi.d $a5,$a5,16 + vxor.v $vr0,$vr0,$vr2 + la.local $a6,Lk_mc_backward + b .Lenc_entry + +.align 4 +.Lenc_loop: + # middle of middle round + vori.b $vr4,$vr13,0 # 4 : sb1u + vori.b $vr0,$vr12,0 # 0 : sb1t + vshuf.b $vr4,$vr2,$vr4,$vr2 # 4 = sb1u + vshuf.b $vr0,$vr3,$vr0,$vr3 # 0 = sb1t + vxor.v $vr4,$vr4,$vr5 # 4 = sb1u + k + vori.b $vr5,$vr15,0 # 4 : sb2u + vxor.v $vr0,$vr0,$vr4 # 0 = A + add.d $t0,$a7,$a6 # Lk_mc_forward[] + vld $vr1,$t0,-0x40 + vshuf.b $vr5,$vr2,$vr5,$vr2 # 4 = sb2u + vld $vr4,$t0,0 # Lk_mc_backward[] + vori.b $vr2,$vr14,0 # 2 : sb2t + vshuf.b $vr2,$vr3,$vr2,$vr3 # 2 = sb2t + vori.b $vr3,$vr0,0 # 3 = A + vxor.v $vr2,$vr5,$vr2 # 2 = 2A + vshuf.b $vr0,$vr1,$vr0,$vr1 # 0 = B + addi.d $a5,$a5,16 # next key + vxor.v $vr0,$vr0,$vr2 # 0 = 2A+B + vshuf.b $vr3,$vr4,$vr3,$vr4 # 3 = D + addi.d $a7,$a7,16 # next mc + vxor.v $vr3,$vr3,$vr0 # 3 = 2A+B+D + vshuf.b $vr0,$vr1,$vr0,$vr1 # 0 = 2B+C + andi $a7,$a7,0x30 # ... 
mod 4 + addi.d $t5,$t5,-1 # nr-- + vxor.v $vr0,$vr0,$vr3 # 0 = 2A+3B+C+D + +.Lenc_entry: + # top of round + vori.b $vr1,$vr9,0 # 1 : i + vori.b $vr5,$vr11,0 # 2 : a/k + vandn.v $vr1,$vr1,$vr0 # 1 = i<<4 + vsrli.w $vr1,$vr1,4 # 1 = i + vand.v $vr0,$vr0,$vr9 # 0 = k + vshuf.b $vr5,$vr0,$vr5,$vr0 # 2 = a/k + vori.b $vr3,$vr10,0 # 3 : 1/i + vxor.v $vr0,$vr0,$vr1 # 0 = j + vshuf.b $vr3,$vr1,$vr3,$vr1 # 3 = 1/i + vori.b $vr4,$vr10,0 # 4 : 1/j + vxor.v $vr3,$vr3,$vr5 # 3 = iak = 1/i + a/k + vshuf.b $vr4,$vr0,$vr4,$vr0 # 4 = 1/j + vori.b $vr2,$vr10,0 # 2 : 1/iak + vxor.v $vr4,$vr4,$vr5 # 4 = jak = 1/j + a/k + vshuf.b $vr2,$vr3,$vr2,$vr3 # 2 = 1/iak + vori.b $vr3,$vr10,0 # 3 : 1/jak + vxor.v $vr2,$vr2,$vr0 # 2 = io + vshuf.b $vr3,$vr4,$vr3,$vr4 # 3 = 1/jak + vld $vr5,$a5, 0 + vxor.v $vr3,$vr3,$vr1 # 3 = jo + bnez $t5,.Lenc_loop + + # middle of last round + vld $vr4,$a6, -0x60 # 3 : sbou Lk_sbo + vld $vr0,$a6, -0x50 # 0 : sbot Lk_sbo+16 + vshuf.b $vr4,$vr2,$vr4,$vr2 # 4 = sbou + vxor.v $vr4,$vr4,$vr5 # 4 = sb1u + k + vshuf.b $vr0,$vr3,$vr0,$vr3 # 0 = sb1t + add.d $t0,$a7,$a6 # Lk_sr[] + vld $vr1,$t0, 0x40 + vxor.v $vr0,$vr0,$vr4 # 0 = A + vshuf.b $vr0,$vr1,$vr0,$vr1 + jr $ra +.cfi_endproc +.size _vpaes_encrypt_core,.-_vpaes_encrypt_core + +## +## Decryption core +## +## Same API as encryption core. 
+## +#.type _vpaes_decrypt_core,\@abi-omnipotent +.align 4 +_vpaes_decrypt_core: +.cfi_startproc + move $a5,$a2 # load key + ld.w $t5,$a2,240 + vori.b $vr1,$vr9,0 + la.local $t0,Lk_dipt + vld $vr2,$t0,0 # iptlo + vandn.v $vr1,$vr1,$vr0 + move $a7,$t5 + vsrli.w $vr1,$vr1,4 + vld $vr5,$a5,0 # round0 key + slli.d $a7,$a7,4 + vand.v $vr0,$vr9,$vr0 + vshuf.b $vr2,$vr0,$vr2,$vr0 + vld $vr0,$t0,16 # ipthi + xori $a7,$a7,0x30 + la.local $a6,Lk_dsbd + vshuf.b $vr0,$vr1,$vr0,$vr1 + andi $a7,$a7,0x30 + vxor.v $vr2,$vr2,$vr5 + la.local $t0,Lk_mc_forward + vld $vr5,$t0,48 + vxor.v $vr0,$vr0,$vr2 + addi.d $a5,$a5,16 + add.d $a7,$a7,$a6 + b .Ldec_entry + +.align 4 +.Ldec_loop: +## +## Inverse mix columns +## + vld $vr4,$a6,-0x20 # 4 : sb9u + vld $vr1,$a6,-0x10 # 0 : sb9t + vshuf.b $vr4,$vr2,$vr4,$vr2 # 4 = sb9u + vshuf.b $vr1,$vr3,$vr1,$vr3 # 0 = sb9t + vxor.v $vr0,$vr0,$vr4 + vld $vr4,$a6,0x0 # 4 : sbdu + vxor.v $vr0,$vr0,$vr1 # 0 = ch + vld $vr1,$a6,0x10 # 0 : sbdt + vshuf.b $vr4,$vr2,$vr4,$vr2 # 4 = sbdu + vshuf.b $vr0,$vr5,$vr0,$vr5 # MC ch + vshuf.b $vr1,$vr3,$vr1,$vr3 # 0 = sbdt + vxor.v $vr0,$vr0,$vr4 # 4 = ch + vld $vr4,$a6,0x20 # 4 : sbbu + vxor.v $vr0,$vr0,$vr1 # 0 = ch + vld $vr1,$a6,0x30 # 0 : sbbt + vshuf.b $vr4,$vr2,$vr4,$vr2 # 4 = sbbu + vshuf.b $vr0,$vr5,$vr0,$vr5 # MC ch + vshuf.b $vr1,$vr3,$vr1,$vr3 # 0 = sbbt + vxor.v $vr0,$vr0,$vr4 # 4 = ch + vld $vr4,$a6,0x40 # 4 : sbeu + vxor.v $vr0,$vr0,$vr1 # 0 = ch + vld $vr1,$a6,0x50 # 0 : sbet + vshuf.b $vr4,$vr2,$vr4,$vr2 # 4 = sbeu + vshuf.b $vr0,$vr5,$vr0,$vr5 # MC ch + vshuf.b $vr1,$vr3,$vr1,$vr3 # 0 = sbet + vxor.v $vr0,$vr0,$vr4 # 4 = ch + addi.d $a5,$a5, 16 # next round key + vbsrl.v $vr16,$vr5,0xc + vbsll.v $vr5,$vr5,0x4 + vor.v $vr5,$vr5,$vr16 + vxor.v $vr0,$vr0,$vr1 # 0 = ch + addi.d $t5,$t5,-1 # nr-- + +.Ldec_entry: + # top of round + vori.b $vr1,$vr9,0 # 1 : i + vandn.v $vr1,$vr1,$vr0 # 1 = i<<4 + vori.b $vr2,$vr11,0 # 2 : a/k + vsrli.w $vr1,$vr1,4 # 1 = i + vand.v $vr0,$vr0,$vr9 # 0 = k + vshuf.b 
$vr2,$vr0,$vr2,$vr0 # 2 = a/k + vori.b $vr3,$vr10,0 # 3 : 1/i + vxor.v $vr0,$vr0,$vr1 # 0 = j + vshuf.b $vr3,$vr1,$vr3,$vr1 # 3 = 1/i + vori.b $vr4,$vr10,0 # 4 : 1/j + vxor.v $vr3,$vr3,$vr2 # 3 = iak = 1/i + a/k + vshuf.b $vr4,$vr0,$vr4,$vr0 # 4 = 1/j + vxor.v $vr4,$vr4,$vr2 # 4 = jak = 1/j + a/k + vori.b $vr2,$vr10,0 # 2 : 1/iak + vshuf.b $vr2,$vr3,$vr2,$vr3 # 2 = 1/iak + vori.b $vr3,$vr10,0 # 3 : 1/jak + vxor.v $vr2,$vr2,$vr0 # 2 = io + vshuf.b $vr3,$vr4,$vr3,$vr4 # 3 = 1/jak + vld $vr0,$a5,0 + vxor.v $vr3,$vr3,$vr1 # 3 = jo + bnez $t5,.Ldec_loop + + # middle of last round + vld $vr4,$a6,0x60 # 3 : sbou + vshuf.b $vr4,$vr2,$vr4,$vr2 # 4 = sbou + vxor.v $vr4,$vr4,$vr0 # 4 = sb1u + k + vld $vr0,$a6,0x70 # 0 : sbot + vld $vr2,$a7,-0x160 # Lk_sr-.Lk_dsbd=-0x160 + vshuf.b $vr0,$vr3,$vr0,$vr3 # 0 = sb1t + vxor.v $vr0,$vr0,$vr4 # 0 = A + vshuf.b $vr0,$vr2,$vr0,$vr2 + jr $ra +.cfi_endproc +.size _vpaes_decrypt_core,.-_vpaes_decrypt_core + +######################################################## +## ## +## AES key schedule ## +## ## +######################################################## +#.type _vpaes_schedule_core,\@abi-omnipotent +.align 4 +_vpaes_schedule_core: +.cfi_startproc + # a0 = key + # a1 = size in bits + # a2 = buffer + # a3 = direction. 
0=encrypt, 1=decrypt + + addi.d $sp,$sp,-48 + st.d $ra,$sp,40 + st.d $fp,$sp,32 + + bl _vpaes_preheat # load the tables + la.local $t0,Lk_rcon + vld $vr8,$t0,0 # load rcon + vld $vr0,$a0,0 # load key (unaligned) + + # input transform + vori.b $vr3,$vr0,0 + la.local $a7,Lk_ipt + bl _vpaes_schedule_transform + vori.b $vr7,$vr0,0 + + la.local $a6,Lk_sr + bnez $a3,.Lschedule_am_decrypting + + # encrypting, output zeroth round key after transform + vst $vr0,$a2,0 + b .Lschedule_go + +.Lschedule_am_decrypting: + # decrypting, output zeroth round key after shiftrows + add.d $t2,$a4,$a6 + vld $vr1,$t2,0 + vshuf.b $vr3,$vr1,$vr3,$vr1 + vst $vr3,$a2,0 + xori $a4,$a4,0x30 + +.Lschedule_go: + li.d $t6,192 + bltu $t6,$a1,.Lschedule_256 + beq $t6,$a1,.Lschedule_192 + # 128: fall though + +## +## .schedule_128 +## +## 128-bit specific part of key schedule. +## +## This schedule is really simple, because all its parts +## are accomplished by the subroutines. +## +.Lschedule_128: + li.w $a1,10 + +.Loop_schedule_128: + bl _vpaes_schedule_round + addi.w $a1,$a1,-1 + beqz $a1,.Lschedule_mangle_last + bl _vpaes_schedule_mangle + b .Loop_schedule_128 + +## +## .aes_schedule_192 +## +## 192-bit specific part of key schedule. +## +## The main body of this schedule is the same as the 128-bit +## schedule, but with more smearing. The long, high side is +## stored in %vr7 as before, and the short, low side is in +## the high bits of %vr6. +## +## This schedule is somewhat nastier, however, because each +## round produces 192 bits of key material, or 1.5 round keys. +## Therefore, on each cycle we do 2 rounds and produce 3 round +## keys. 
+## +.align 4 +.Lschedule_192: + vld $vr0,$a0,8 #load key part 2 + bl _vpaes_schedule_transform #input transform + vaddi.du $vr6,$vr0,0x0 #save short part + vxor.v $vr4,$vr4,$vr4 #clear 4 + vpackod.d $vr6,$vr6,$vr4 #clobber low side with zeros + li.w $a1,4 + +.Loop_schedule_192: + bl _vpaes_schedule_round + vbsrl.v $vr16,$vr6,0x8 + vbsll.v $vr0,$vr0,0x8 + vor.v $vr0,$vr0,$vr16 + + bl _vpaes_schedule_mangle # save key n + bl _vpaes_schedule_192_smear + bl _vpaes_schedule_mangle # save key n+1 + bl _vpaes_schedule_round + addi.w $a1,$a1,-1 + beqz $a1,.Lschedule_mangle_last + bl _vpaes_schedule_mangle # save key n+2 + bl _vpaes_schedule_192_smear + b .Loop_schedule_192 + +## +## .aes_schedule_256 +## +## 256-bit specific part of key schedule. +## +## The structure here is very similar to the 128-bit +## schedule, but with an additional "low side" in +## %vr6. The low side's rounds are the same as the +## high side's, except no rcon and no rotation. +## +.align 4 +.Lschedule_256: + vld $vr0,$a0,16 # load key part 2 (unaligned) + bl _vpaes_schedule_transform # input transform + addi.w $a1,$zero,7 + +.Loop_schedule_256: + bl _vpaes_schedule_mangle # output low result + vori.b $vr6,$vr0,0 # save cur_lo in vr6 + + # high round + bl _vpaes_schedule_round + addi.d $a1,$a1,-1 + beqz $a1,.Lschedule_mangle_last + bl _vpaes_schedule_mangle + + # low round. swap vr7 and vr6 + vshuf4i.w $vr0,$vr0,0xFF + vori.b $vr5,$vr7,0 + vori.b $vr7,$vr6,0 + bl _vpaes_schedule_low_round + vori.b $vr7,$vr5,0 + + b .Loop_schedule_256 + + +## +## .aes_schedule_mangle_last +## +## Mangler for last round of key schedule +## Mangles %vr0 +## when encrypting, outputs out(%vr0) ^ 63 +## when decrypting, outputs unskew(%vr0) +## +## Always called right before return... 
jumps to cleanup and exits +## +.align 4 +.Lschedule_mangle_last: + # schedule last round key from vr0 + la.local $a7,Lk_deskew # prepare to deskew + bnez $a3,.Lschedule_mangle_last_dec + + # encrypting + add.d $t0,$a4,$a6 + vld $vr1,$t0,0 + vshuf.b $vr0,$vr1,$vr0,$vr1 # output permute + la.local $a7,Lk_opt # prepare to output transform + addi.d $a2,$a2,32 + +.Lschedule_mangle_last_dec: + addi.d $a2,$a2,-16 + la.local $t0,Lk_s63 + vld $vr16,$t0,0 + vxor.v $vr0,$vr0,$vr16 + bl _vpaes_schedule_transform # output transform + vst $vr0,$a2,0 # save last key + + # cleanup + vxor.v $vr0,$vr0,$vr0 + vxor.v $vr1,$vr1,$vr1 + vxor.v $vr2,$vr2,$vr2 + vxor.v $vr3,$vr3,$vr3 + vxor.v $vr4,$vr4,$vr4 + vxor.v $vr5,$vr5,$vr5 + vxor.v $vr6,$vr6,$vr6 + vxor.v $vr7,$vr7,$vr7 + ld.d $ra,$sp,40 + ld.d $fp,$sp,32 + addi.d $sp,$sp,48 + jr $ra +.cfi_endproc +.size _vpaes_schedule_core,.-_vpaes_schedule_core + +## +## .aes_schedule_192_smear +## +## Smear the short, low side in the 192-bit key schedule. +## +## Inputs: +## %vr7: high side, b a x y +## %vr6: low side, d c 0 0 +## %vr13: 0 +## +## Outputs: +## %vr6: b+c+d b+c 0 0 +## %vr0: b+c+d b+c b a +## +#.type _vpaes_schedule_192_smear,\@abi-omnipotent +.align 4 +_vpaes_schedule_192_smear: +.cfi_startproc + vshuf4i.w $vr1,$vr6,0x80 # d c 0 0 -> c 0 0 0 + vshuf4i.w $vr0,$vr7,0xFE # b a _ _ -> b b b a + vxor.v $vr6,$vr6,$vr1 # -> c+d c 0 0 + vxor.v $vr1,$vr1,$vr1 + vxor.v $vr6,$vr6,$vr0 # -> b+c+d b+c b a + vori.b $vr0,$vr6,0 + vilvh.d $vr6,$vr6,$vr1 # clobber low side with zeros + jr $ra +.cfi_endproc +.size _vpaes_schedule_192_smear,.-_vpaes_schedule_192_smear + +## +## .aes_schedule_round +## +## Runs one main round of the key schedule on %vr0, %vr7 +## +## Specifically, runs subbytes on the high dword of %vr0 +## then rotates it by one byte and xors into the low dword of +## %vr7. +## +## Adds rcon from low byte of %vr8, then rotates %vr8 for +## next rcon. 
+## +## Smears the dwords of %vr7 by xoring the low into the +## second low, result into third, result into highest. +## +## Returns results in %vr7 = %vr0. +## Clobbers %vr1-%vr4, %a7. +## +#.type _vpaes_schedule_round,\@abi-omnipotent +.align 4 +_vpaes_schedule_round: +.cfi_startproc + # extract rcon from vr8 + vxor.v $vr1,$vr1,$vr1 + vbsrl.v $vr16,$vr8,0xf + vbsll.v $vr1,$vr1,0x1 + vor.v $vr1,$vr1,$vr16 + vbsrl.v $vr16,$vr8,0xf + vbsll.v $vr8,$vr8,0x1 + vor.v $vr8,$vr8,$vr16 + + vxor.v $vr7,$vr7,$vr1 + + # rotate + vshuf4i.w $vr0,$vr0,0xff #put $vr0 lowest 32 bit to each words + vbsrl.v $vr16,$vr0,0x1 + vbsll.v $vr0,$vr0,0xf + vor.v $vr0,$vr0,$vr16 + + # fall through... + + # low round: same as high round, but no rotation and no rcon. +_vpaes_schedule_low_round: + # smear vr7 + vaddi.du $vr1,$vr7,0x0 + vbsll.v $vr7,$vr7,0x4 + vxor.v $vr7,$vr7,$vr1 + vaddi.du $vr1,$vr7,0x0 + vbsll.v $vr7,$vr7,0x8 + vxor.v $vr7,$vr7,$vr1 + vxori.b $vr7,$vr7,0x5B + + # subbytes + vaddi.du $vr1,$vr9,0x0 + vandn.v $vr1,$vr1,$vr0 + vsrli.w $vr1,$vr1,0x4 # 1 = i + vand.v $vr0,$vr0,$vr9 # 0 = k + vaddi.du $vr2,$vr11,0x0 # 2 : a/k + vshuf.b $vr2,$vr0,$vr2,$vr0 # 2 = a/k + vxor.v $vr0,$vr0,$vr1 # 0 = j + vaddi.du $vr3,$vr10,0x0 # 3 : 1/i + vshuf.b $vr3,$vr1,$vr3,$vr1 # 3 = 1/i + vxor.v $vr3,$vr3,$vr2 # 3 = iak = 1/i + a/k + vaddi.du $vr4,$vr10,0x0 # 4 : 1/j + vshuf.b $vr4,$vr0,$vr4,$vr0 # 4 = 1/j + vxor.v $vr4,$vr4,$vr2 # 4 = jak = 1/j + a/k + vaddi.du $vr2,$vr10,0x0 # 2 : 1/iak + vshuf.b $vr2,$vr3,$vr2,$vr3 # 2 = 1/iak + vxor.v $vr2,$vr2,$vr0 # 2 = io + vaddi.du $vr3,$vr10,0x0 # 3 : 1/jak + vshuf.b $vr3,$vr4,$vr3,$vr4 # 3 = 1/jak + vxor.v $vr3,$vr3,$vr1 # 3 = jo + vaddi.du $vr4,$vr13,0x0 # 4 : sbou + vshuf.b $vr4,$vr2,$vr4,$vr2 # 4 = sbou + vaddi.du $vr0,$vr12,0x0 # 0 : sbot + vshuf.b $vr0,$vr3,$vr0,$vr3 # 0 = sb1t + vxor.v $vr0,$vr0,$vr4 # 0 = sbox output + + # add in smeared stuff + vxor.v $vr0,$vr0,$vr7 + vaddi.du $vr7,$vr0,0x0 + jr $ra +.cfi_endproc +.size 
_vpaes_schedule_round,.-_vpaes_schedule_round + +## +## .aes_schedule_transform +## +## Linear-transform %vr0 according to tables at (%r11) +## +## Requires that %vr9 = 0x0F0F... as in preheat +## Output in %vr0 +## Clobbers %vr1, %vr2 +## +#.type _vpaes_schedule_transform,\@abi-omnipotent +.align 4 +_vpaes_schedule_transform: +.cfi_startproc + vori.b $vr1,$vr9,0 + vandn.v $vr1,$vr1,$vr0 + vsrli.w $vr1,$vr1,4 + vand.v $vr0,$vr0,$vr9 + vld $vr2,$a7,0 # lo + vshuf.b $vr2,$vr0,$vr2,$vr0 + vld $vr0,$a7,16 # hi + vshuf.b $vr0,$vr1,$vr0,$vr1 + vxor.v $vr0,$vr0,$vr2 + jr $ra +.cfi_endproc +.size _vpaes_schedule_transform,.-_vpaes_schedule_transform + +## +## .aes_schedule_mangle +## +## Mangle vr0 from (basis-transformed) standard version +## to our version. +## +## On encrypt, +## xor with 0x63 +## multiply by circulant 0,1,1,1 +## apply shiftrows transform +## +## On decrypt, +## xor with 0x63 +## multiply by "inverse mixcolumns" circulant E,B,D,9 +## deskew +## apply shiftrows transform +## +## +## Writes out to (%a2), and increments or decrements it +## Keeps track of round number mod 4 in %a4 +## Preserves vr0 +## Clobbers vr1-vr5 +## +#.type _vpaes_schedule_mangle,\@abi-omnipotent +.align 4 +_vpaes_schedule_mangle: +.cfi_startproc + vori.b $vr4,$vr0,0 # save vr0 for later + la.local $t0,Lk_mc_forward + vld $vr5,$t0,0 + bnez $a3,.Lschedule_mangle_dec + + # encrypting + addi.d $a2,$a2,16 + la.local $t0,Lk_s63 + vld $vr16,$t0,0 + vxor.v $vr4,$vr4,$vr16 + vshuf.b $vr4,$vr5,$vr4,$vr5 + vori.b $vr3,$vr4,0 + vshuf.b $vr4,$vr5,$vr4,$vr5 + vxor.v $vr3,$vr3,$vr4 + vshuf.b $vr4,$vr5,$vr4,$vr5 + vxor.v $vr3,$vr3,$vr4 + + b .Lschedule_mangle_both +.align 4 +.Lschedule_mangle_dec: + # inverse mix columns + la.local $a7,Lk_dksd + vori.b $vr1,$vr9,0 + vandn.v $vr1,$vr1,$vr4 + vsrli.w $vr1,$vr1,4 # 1 = hi + vand.v $vr4,$vr4,$vr9 # 4 = lo + + vld $vr2,$a7,0 + vshuf.b $vr2,$vr4,$vr2,$vr4 + vld $vr3,$a7,0x10 + vshuf.b $vr3,$vr1,$vr3,$vr1 + vxor.v $vr3,$vr3,$vr2 + vshuf.b 
$vr3,$vr5,$vr3,$vr5 + + vld $vr2,$a7,0x20 + vshuf.b $vr2,$vr4,$vr2,$vr4 + vxor.v $vr2,$vr2,$vr3 + vld $vr3,$a7,0x30 + vshuf.b $vr3,$vr1,$vr3,$vr1 + vxor.v $vr3,$vr3,$vr2 + vshuf.b $vr3,$vr5,$vr3,$vr5 + + vld $vr2,$a7,0x40 + vshuf.b $vr2,$vr4,$vr2,$vr4 + vxor.v $vr2,$vr2,$vr3 + vld $vr3,$a7,0x50 + vshuf.b $vr3,$vr1,$vr3,$vr1 + vxor.v $vr3,$vr3,$vr2 + vshuf.b $vr3,$vr5,$vr3,$vr5 + + vld $vr2,$a7,0x60 + vshuf.b $vr2,$vr4,$vr2,$vr4 + vxor.v $vr2,$vr2,$vr3 + vld $vr3,$a7,0x70 + vshuf.b $vr3,$vr1,$vr3,$vr1 + vxor.v $vr3,$vr3,$vr2 + + addi.d $a2,$a2,-16 + +.Lschedule_mangle_both: + add.d $t2,$a4,$a6 + vld $vr1,$t2,0 + vshuf.b $vr3,$vr1,$vr3,$vr1 + addi.d $a4,$a4,-16 + andi $a4,$a4,0x30 + vst $vr3,$a2,0 + jirl $zero,$ra,0 +.cfi_endproc +.size _vpaes_schedule_mangle,.-_vpaes_schedule_mangle + +# +# Interface to OpenSSL +# +.globl ${PREFIX}_set_encrypt_key +#.type ${PREFIX}_set_encrypt_key,\@function,3 +.align 4 +${PREFIX}_set_encrypt_key: +.cfi_startproc +___ +$code.=<<___; + addi.d $sp,$sp,-48 + st.d $ra,$sp,40 + st.d $fp,$sp,32 + move $t5,$a1 + srli.w $t5,$t5,0x5 + addi.w $t5,$t5,0x5 + st.w $t5,$a2,240 # AES_KEY->rounds = nbits/32+5; + + move $a3,$zero + li.d $a4,0x30 + bl _vpaes_schedule_core +___ +$code.=<<___; + xor $a0,$a0,$a0 + ld.d $ra,$sp,40 + ld.d $fp,$sp,32 + addi.d $sp,$sp,48 + jirl $zero,$ra,0 +.cfi_endproc +.size ${PREFIX}_set_encrypt_key,.-${PREFIX}_set_encrypt_key + +.globl ${PREFIX}_set_decrypt_key +#.type ${PREFIX}_set_decrypt_key,\@function,3 +.align 4 +${PREFIX}_set_decrypt_key: +.cfi_startproc + +.Ldec_key_body: +___ +$code.=<<___; + addi.d $sp,$sp,-48 + st.d $ra,$sp,40 + st.d $fp,$sp,32 + + move $t5,$a1 + srli.w $t5,$t5,5 + addi.w $t5,$t5,5 + st.w $t5,$a2,240 # AES_KEY->rounds = nbits/32+5; + slli.w $t5,$t5,4 + add.d $t0,$a2,$t5 + addi.d $a2,$t0,16 + + li.d $a3,0x1 + move $a4,$a1 + srli.w $a4,$a4,1 + andi $a4,$a4,32 + xori $a4,$a4,32 # nbits==192?0:32 + bl _vpaes_schedule_core + +.Ldec_key_epilogue: +___ +$code.=<<___; + xor $a0,$a0,$a0 + ld.d 
$ra,$sp,40 + ld.d $fp,$sp,32 + addi.d $sp,$sp,48 + jirl $zero,$ra,0 +.cfi_endproc +.size ${PREFIX}_set_decrypt_key,.-${PREFIX}_set_decrypt_key + +.globl ${PREFIX}_encrypt +#.type ${PREFIX}_encrypt,\@function,3 +.align 4 +${PREFIX}_encrypt: +.cfi_startproc +.Lenc_body: +___ +$code.=<<___; + addi.d $sp,$sp,-48 + st.d $ra,$sp,40 + st.d $fp,$sp,32 + vld $vr0,$a0,0x0 + bl _vpaes_preheat + bl _vpaes_encrypt_core + vst $vr0,$a1,0x0 +.Lenc_epilogue: +___ +$code.=<<___; + ld.d $ra,$sp,40 + ld.d $fp,$sp,32 + addi.d $sp,$sp,48 + jirl $zero,$ra,0 +.cfi_endproc +.size ${PREFIX}_encrypt,.-${PREFIX}_encrypt + +.globl ${PREFIX}_decrypt +#.type ${PREFIX}_decrypt,\@function,3 +.align 4 +${PREFIX}_decrypt: +.cfi_startproc +___ +$code.=<<___; + addi.d $sp,$sp,-48 + st.d $ra,$sp,40 + st.d $fp,$sp,32 + vld $vr0,$a0,0x0 + bl _vpaes_preheat + bl _vpaes_decrypt_core + vst $vr0,$a1,0x0 +___ +$code.=<<___; + ld.d $ra,$sp,40 + ld.d $fp,$sp,32 + addi.d $sp,$sp,48 + jirl $zero,$ra,0 +.cfi_endproc +.size ${PREFIX}_decrypt,.-${PREFIX}_decrypt +___ +{ +my ($inp,$out,$len,$key,$ivp,$enc)=("$a0","$a1","$a2","$a3","$a4","$a5"); +# void AES_cbc_encrypt (const void char *inp, unsigned char *out, +# size_t length, const AES_KEY *key, +# unsigned char *ivp,const int enc); +$code.=<<___; +.globl ${PREFIX}_cbc_encrypt +#.type ${PREFIX}_cbc_encrypt,\@function,6 +.align 4 +${PREFIX}_cbc_encrypt: +.cfi_startproc + addi.d $sp,$sp,-48 + st.d $ra,$sp,40 + st.d $fp,$sp,32 + + ori $t0,$len,0 + ori $len,$key,0 + ori $key,$t0,0 +___ +($len,$key)=($key,$len); +$code.=<<___; + addi.d $len,$len,-16 + blt $len,$zero,.Lcbc_abort +___ +$code.=<<___; + vld $vr6,$ivp,0 # load IV + sub.d $out,$out,$inp + bl _vpaes_preheat + beqz $a5,.Lcbc_dec_loop + b .Lcbc_enc_loop +.align 4 +.Lcbc_enc_loop: + vld $vr0,$inp,0 + vxor.v $vr0,$vr0,$vr6 + bl _vpaes_encrypt_core + vori.b $vr6,$vr0,0 + add.d $t0,$out,$inp + vst $vr0,$t0,0 + addi.d $inp,$inp,16 + addi.d $len,$len,-16 + bge $len,$zero,.Lcbc_enc_loop + b .Lcbc_done +.align 4 
+.Lcbc_dec_loop: + vld $vr0,$inp,0 + vori.b $vr7,$vr0,0 + bl _vpaes_decrypt_core + vxor.v $vr0,$vr0,$vr6 + vori.b $vr6,$vr7,0 + add.d $t0,$out,$inp + vst $vr0,$t0,0 + addi.d $inp,$inp,16 + addi.d $len,$len,-16 + bge $len,$zero,.Lcbc_dec_loop +.Lcbc_done: + vst $vr6,$ivp,0 # save IV +___ +$code.=<<___; +.Lcbc_abort: + ld.d $ra,$sp,40 + ld.d $fp,$sp,32 + addi.d $sp,$sp,48 + jirl $zero,$ra,0 +.cfi_endproc +.size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt +___ +} +{ +$code.=<<___; +## +## _aes_preheat +## +## Fills register %a6 -> .aes_consts (so you can -fPIC) +## and %vr9-%vr15 as specified below. +## +#.type _vpaes_preheat,\@abi-omnipotent +.align 4 +_vpaes_preheat: +.cfi_startproc + la.local $a6,Lk_s0F + vld $vr10,$a6,-0x20 # Lk_inv + vld $vr11,$a6,-0x10 # Lk_inv+16 + vld $vr9,$a6,0 # Lk_s0F + vld $vr13,$a6,0x30 # Lk_sb1 + vld $vr12,$a6,0x40 # Lk_sb1+16 + vld $vr15,$a6,0x50 # Lk_sb2 + vld $vr14,$a6,0x60 # Lk_sb2+16 + jirl $zero,$ra,0 +.cfi_endproc +.size _vpaes_preheat,.-_vpaes_preheat +___ +} +######################################################## +## ## +## Constants ## +## ## +######################################################## +$code.=<<___; +.section .rodata +.align 6 +Lk_inv: # inv, inva + .quad 0x0E05060F0D080180, 0x040703090A0B0C02 + .quad 0x01040A060F0B0780, 0x030D0E0C02050809 + +Lk_s0F: # s0F + .quad 0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F + +Lk_ipt: # input transform (lo, hi) + .quad 0xC2B2E8985A2A7000, 0xCABAE09052227808 + .quad 0x4C01307D317C4D00, 0xCD80B1FCB0FDCC81 + +Lk_sb1: # sb1u, sb1t + .quad 0xB19BE18FCB503E00, 0xA5DF7A6E142AF544 + .quad 0x3618D415FAE22300, 0x3BF7CCC10D2ED9EF +Lk_sb2: # sb2u, sb2t + .quad 0xE27A93C60B712400, 0x5EB7E955BC982FCD + .quad 0x69EB88400AE12900, 0xC2A163C8AB82234A +Lk_sbo: # sbou, sbot + .quad 0xD0D26D176FBDC700, 0x15AABF7AC502A878 + .quad 0xCFE474A55FBB6A00, 0x8E1E90D1412B35FA + +Lk_mc_forward: # mc_forward + .quad 0x0407060500030201, 0x0C0F0E0D080B0A09 + .quad 0x080B0A0904070605, 0x000302010C0F0E0D + .quad 
0x0C0F0E0D080B0A09, 0x0407060500030201 + .quad 0x000302010C0F0E0D, 0x080B0A0904070605 + +Lk_mc_backward:# mc_backward + .quad 0x0605040702010003, 0x0E0D0C0F0A09080B + .quad 0x020100030E0D0C0F, 0x0A09080B06050407 + .quad 0x0E0D0C0F0A09080B, 0x0605040702010003 + .quad 0x0A09080B06050407, 0x020100030E0D0C0F + +Lk_sr: # sr + .quad 0x0706050403020100, 0x0F0E0D0C0B0A0908 + .quad 0x030E09040F0A0500, 0x0B06010C07020D08 + .quad 0x0F060D040B020900, 0x070E050C030A0108 + .quad 0x0B0E0104070A0D00, 0x0306090C0F020508 + +Lk_rcon: # rcon + .quad 0x1F8391B9AF9DEEB6, 0x702A98084D7C7D81 + +Lk_s63: # s63: all equal to 0x63 transformed + .quad 0x5B5B5B5B5B5B5B5B, 0x5B5B5B5B5B5B5B5B + +Lk_opt: # output transform + .quad 0xFF9F4929D6B66000, 0xF7974121DEBE6808 + .quad 0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0 + +Lk_deskew: # deskew tables: inverts the sbox's "skew" + .quad 0x07E4A34047A4E300, 0x1DFEB95A5DBEF91A + .quad 0x5F36B5DC83EA6900, 0x2841C2ABF49D1E77 + +## +## Decryption stuff +## Key schedule constants +## +Lk_dksd: # decryption key schedule: invskew x*D + .quad 0xFEB91A5DA3E44700, 0x0740E3A45A1DBEF9 + .quad 0x41C277F4B5368300, 0x5FDC69EAAB289D1E +Lk_dksb: # decryption key schedule: invskew x*B + .quad 0x9A4FCA1F8550D500, 0x03D653861CC94C99 + .quad 0x115BEDA7B6FC4A00, 0xD993256F7E3482C8 +Lk_dkse: # decryption key schedule: invskew x*E + 0x63 + .quad 0xD5031CCA1FC9D600, 0x53859A4C994F5086 + .quad 0xA23196054FDC7BE8, 0xCD5EF96A20B31487 +Lk_dks9: # decryption key schedule: invskew x*9 + .quad 0xB6116FC87ED9A700, 0x4AED933482255BFC + .quad 0x4576516227143300, 0x8BB89FACE9DAFDCE + +## +## Decryption stuff +## Round function constants +## +Lk_dipt: # decryption input transform + .quad 0x0F505B040B545F00, 0x154A411E114E451A + .quad 0x86E383E660056500, 0x12771772F491F194 + +Lk_dsb9: # decryption sbox output *9*u, *9*t + .quad 0x851C03539A86D600, 0xCAD51F504F994CC9 + .quad 0xC03B1789ECD74900, 0x725E2C9EB2FBA565 +Lk_dsbd: # decryption sbox output *D*u, *D*t + .quad 0x7D57CCDFE6B1A200, 
0xF56E9B13882A4439 + .quad 0x3CE2FAF724C6CB00, 0x2931180D15DEEFD3 +Lk_dsbb: # decryption sbox output *B*u, *B*t + .quad 0xD022649296B44200, 0x602646F6B0F2D404 + .quad 0xC19498A6CD596700, 0xF3FF0C3E3255AA6B +Lk_dsbe: # decryption sbox output *E*u, *E*t + .quad 0x46F2929626D4D000, 0x2242600464B4F6B0 + .quad 0x0C55A6CDFFAAC100, 0x9467F36B98593E32 +Lk_dsbo: # decryption sbox final output + .quad 0x1387EA537EF94000, 0xC7AA6DB9D4943E2D + .quad 0x12D7560F93441D00, 0xCA4B8159D8C58E9C +.asciz "Vector Permutation AES for loongarch64/lsx, Mike Hamburg (Stanford University)" +.align 6 +___ + + +$code =~ s/\`([^\`]*)\`/eval($1)/gem; + +print $code; + +close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/aes/build.info b/crypto/aes/build.info index b250903fa..aff318b34 100644 --- a/crypto/aes/build.info +++ b/crypto/aes/build.info @@ -30,8 +30,8 @@ IF[{- !$disabled{asm} -}] $AESASM_armv4=aes_cbc.c aes-armv4.S bsaes-armv7.S aesv8-armx.S $AESDEF_armv4=AES_ASM BSAES_ASM - $AESASM_aarch64=aes_core.c aes_cbc.c aesv8-armx.S vpaes-armv8.S - $AESDEF_aarch64=VPAES_ASM + $AESASM_aarch64=aes_core.c aes_cbc.c aesv8-armx.S bsaes-armv8.S vpaes-armv8.S + $AESDEF_aarch64=BSAES_ASM VPAES_ASM $AESASM_parisc11=aes_core.c aes_cbc.c aes-parisc.s $AESDEF_parisc11=AES_ASM @@ -47,6 +47,13 @@ IF[{- !$disabled{asm} -}] # aes-c64xplus.s implements AES_ctr32_encrypt $AESDEF_c64xplus=AES_ASM AES_CTR_ASM + $AESASM_riscv64=aes_cbc.c aes-riscv64.s aes-riscv64-zkn.s + $AESDEF_riscv64=AES_ASM + $AESASM_riscv32=aes_core.c aes_cbc.c aes-riscv32-zkn.s + + $AESASM_loongarch64=aes_core.c aes_cbc.c vpaes-loongarch64.S + $AESDEF_loongarch64=VPAES_ASM + # Now that we have defined all the arch specific variables, use the # appropriate one, and define the appropriate macros IF[$AESASM_{- $target{asm_arch} -}] 
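Review bot: Every frame-allocating function in the new file (`_vpaes_schedule_core`, `${PREFIX}_set_encrypt_key`, `${PREFIX}_set_decrypt_key`, `${PREFIX}_encrypt`, `${PREFIX}_decrypt`, `${PREFIX}_cbc_encrypt`) brackets its body with `.cfi_startproc`/`.cfi_endproc` but emits no CFA or register-save annotations after `addi.d $sp,$sp,-48` / `st.d $ra,$sp,40` / `st.d $fp,$sp,32`, so an unwinder sees an empty FDE and recovers a wrong return address from anywhere inside these bodies, including from the leaf helpers they `bl` into, where `$ra` only lives at the caller's stack slot. That breaks crash backtraces, sanitizer reports and profilers through this code; the prologue and epilogue of each of those functions should be annotated as sketched below (on LoongArch the DWARF register numbers follow the GPR index, so `$ra` is 1 and `$fp` is 22 — worth confirming against the psABI). Separately, the generator opens `STDOUT` twice at the top (`for (@ARGV) { ... } open STDOUT,">$output";` followed by `while (($output=shift) ...) {} open STDOUT,">$output";`); the first pair is redundant and neither `open` checks for failure, so I would keep only the second and write `open STDOUT,">$output" or die "can't open $output: $!";`, mirroring the `close STDOUT or die` already at the bottom of the file.
```perl
${PREFIX}_encrypt:
.cfi_startproc
	addi.d	$sp,$sp,-48
	.cfi_def_cfa_offset 48
	st.d	$ra,$sp,40
	.cfi_offset 1, -8
	st.d	$fp,$sp,32
	.cfi_offset 22, -16
	# ... unchanged: vld, _vpaes_preheat, _vpaes_encrypt_core, vst ...
	ld.d	$ra,$sp,40
	.cfi_restore 1
	ld.d	$fp,$sp,32
	.cfi_restore 22
	addi.d	$sp,$sp,48
	.cfi_def_cfa_offset 0
	jirl	$zero,$ra,0
.cfi_endproc
```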
@@ -80,6 +87,7 @@ IF[{- !$disabled{module} && !$disabled{shared} -}] ENDIF GENERATE[aes-ia64.s]=asm/aes-ia64.S +GENERATE[bsaes-armv8.S]=asm/bsaes-armv8.pl GENERATE[aes-586.S]=asm/aes-586.pl DEPEND[aes-586.S]=../perlasm/x86asm.pl @@ -113,9 +121,14 @@ GENERATE[aes-parisc.s]=asm/aes-parisc.pl GENERATE[aes-mips.S]=asm/aes-mips.pl INCLUDE[aes-mips.o]=.. +GENERATE[aes-riscv64.s]=asm/aes-riscv64.pl +GENERATE[aes-riscv64-zkn.s]=asm/aes-riscv64-zkn.pl +GENERATE[aes-riscv32-zkn.s]=asm/aes-riscv32-zkn.pl + GENERATE[aesv8-armx.S]=asm/aesv8-armx.pl INCLUDE[aesv8-armx.o]=.. GENERATE[vpaes-armv8.S]=asm/vpaes-armv8.pl +INCLUDE[vpaes-armv8.o]=.. GENERATE[aes-armv4.S]=asm/aes-armv4.pl INCLUDE[aes-armv4.o]=.. @@ -126,3 +139,6 @@ GENERATE[aes-s390x.S]=asm/aes-s390x.pl INCLUDE[aes-s390x.o]=.. GENERATE[aes-c64xplus.S]=asm/aes-c64xplus.pl + +GENERATE[vpaes-loongarch64.S]=asm/vpaes-loongarch64.pl +INCLUDE[vpaes-loongarch64.o]=.. diff --git a/crypto/arm64cpuid.pl b/crypto/arm64cpuid.pl index ac76dd449..8dc06dd52 100755 --- a/crypto/arm64cpuid.pl +++ b/crypto/arm64cpuid.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -31,6 +31,7 @@ .globl _armv7_neon_probe .type _armv7_neon_probe,%function _armv7_neon_probe: + AARCH64_VALID_CALL_TARGET orr v15.16b, v15.16b, v15.16b ret .size _armv7_neon_probe,.-_armv7_neon_probe @@ -38,6 +39,7 @@ .globl _armv7_tick .type _armv7_tick,%function _armv7_tick: + AARCH64_VALID_CALL_TARGET #ifdef __APPLE__ mrs x0, CNTPCT_EL0 #else @@ -49,6 +51,7 @@ .globl _armv8_aes_probe .type _armv8_aes_probe,%function _armv8_aes_probe: + AARCH64_VALID_CALL_TARGET aese v0.16b, v0.16b ret .size _armv8_aes_probe,.-_armv8_aes_probe 
@@ -56,6 +59,7 @@ .globl _armv8_sha1_probe .type _armv8_sha1_probe,%function _armv8_sha1_probe: + AARCH64_VALID_CALL_TARGET sha1h s0, s0 ret .size _armv8_sha1_probe,.-_armv8_sha1_probe @@ -63,6 +67,7 @@ .globl _armv8_sha256_probe .type _armv8_sha256_probe,%function _armv8_sha256_probe: + AARCH64_VALID_CALL_TARGET sha256su0 v0.4s, v0.4s ret .size _armv8_sha256_probe,.-_armv8_sha256_probe 
@@ -70,28 +75,72 @@ .globl _armv8_pmull_probe .type _armv8_pmull_probe,%function _armv8_pmull_probe: + AARCH64_VALID_CALL_TARGET pmull v0.1q, v0.1d, v0.1d ret .size _armv8_pmull_probe,.-_armv8_pmull_probe +.globl _armv8_sm4_probe +.type _armv8_sm4_probe,%function +_armv8_sm4_probe: + AARCH64_VALID_CALL_TARGET + .inst 0xcec08400 // sm4e v0.4s, v0.4s + ret +.size _armv8_sm4_probe,.-_armv8_sm4_probe + .globl _armv8_sha512_probe .type _armv8_sha512_probe,%function _armv8_sha512_probe: - .long 0xcec08000 // sha512su0 v0.2d,v0.2d + AARCH64_VALID_CALL_TARGET + .inst 0xcec08000 // sha512su0 v0.2d,v0.2d ret .size _armv8_sha512_probe,.-_armv8_sha512_probe +.globl _armv8_eor3_probe +.type _armv8_eor3_probe,%function +_armv8_eor3_probe: + AARCH64_VALID_CALL_TARGET + .inst 0xce010800 // eor3 v0.16b, v0.16b, v1.16b, v2.16b + ret +.size _armv8_eor3_probe,.-_armv8_eor3_probe + +.globl _armv8_sve_probe +.type _armv8_sve_probe,%function +_armv8_sve_probe: + AARCH64_VALID_CALL_TARGET + .inst 0x04a03000 // eor z0.d,z0.d,z0.d + ret +.size _armv8_sve_probe,.-_armv8_sve_probe + +.globl _armv8_sve2_probe +.type _armv8_sve2_probe,%function +_armv8_sve2_probe: + AARCH64_VALID_CALL_TARGET + .inst 0x04e03400 // xar z0.d,z0.d,z0.d + ret +.size _armv8_sve2_probe,.-_armv8_sve2_probe + .globl _armv8_cpuid_probe .type _armv8_cpuid_probe,%function _armv8_cpuid_probe: + AARCH64_VALID_CALL_TARGET mrs x0, midr_el1 ret .size _armv8_cpuid_probe,.-_armv8_cpuid_probe +.globl _armv8_sm3_probe +.type _armv8_sm3_probe,%function +_armv8_sm3_probe: + AARCH64_VALID_CALL_TARGET + .inst 0xce63c004 // sm3partw1 v4.4s, v0.4s, v3.4s + ret +.size _armv8_sm3_probe,.-_armv8_sm3_probe + .globl OPENSSL_cleanse .type OPENSSL_cleanse,%function .align 5 OPENSSL_cleanse: + AARCH64_VALID_CALL_TARGET cbz x1,.Lret // len==0? cmp x1,#15 b.hi .Lot // len>15 @@ -123,6 +172,7 @@ .type CRYPTO_memcmp,%function .align 4 CRYPTO_memcmp: + AARCH64_VALID_CALL_TARGET eor w3,w3,w3 cbz x2,.Lno_data // len==0? cmp x2,#16 
@@ -151,7 +201,70 @@ lsr w0,w0,#31 ret .size CRYPTO_memcmp,.-CRYPTO_memcmp + +.globl _armv8_rng_probe +.type _armv8_rng_probe,%function +_armv8_rng_probe: + AARCH64_VALID_CALL_TARGET + mrs x0, s3_3_c2_c4_0 // rndr + mrs x0, s3_3_c2_c4_1 // rndrrs + ret +.size _armv8_rng_probe,.-_armv8_rng_probe ___ +sub gen_random { +my $rdop = shift; +my $rand_reg = $rdop eq "rndr" ? "s3_3_c2_c4_0" : "s3_3_c2_c4_1"; + +return <<___; +// Fill buffer with Randomly Generated Bytes +// inputs: char * in x0 - Pointer to buffer +// size_t in x1 - Number of bytes to write to buffer +// outputs: size_t in x0 - Number of bytes successfully written to buffer +.globl OPENSSL_${rdop}_asm +.type OPENSSL_${rdop}_asm,%function +.align 4 +OPENSSL_${rdop}_asm: + AARCH64_VALID_CALL_TARGET + mov x2,xzr + mov x3,xzr + +.align 4 +.Loop_${rdop}: + cmp x1,#0 + b.eq .${rdop}_done + mov x3,xzr + mrs x3,$rand_reg + b.eq .${rdop}_done + + cmp x1,#8 + b.lt .Loop_single_byte_${rdop} + + str x3,[x0] + add x0,x0,#8 + add x2,x2,#8 + subs x1,x1,#8 + b.ge .Loop_${rdop} + +.align 4 +.Loop_single_byte_${rdop}: + strb w3,[x0] + lsr x3,x3,#8 + add x2,x2,#1 + add x0,x0,#1 + subs x1,x1,#1 + b.gt .Loop_single_byte_${rdop} + +.align 4 +.${rdop}_done: + mov x0,x2 + ret +.size OPENSSL_${rdop}_asm,.-OPENSSL_${rdop}_asm +___ +} + +$code .= gen_random("rndr"); +$code .= gen_random("rndrrs"); + print $code; close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/arm_arch.h b/crypto/arm_arch.h index 45d7e1556..da8fb5eeb 100644 --- a/crypto/arm_arch.h +++ b/crypto/arm_arch.h @@ -21,11 +21,6 @@ # elif defined(__GNUC__) # if defined(__aarch64__) # define __ARM_ARCH__ 8 -# if __BYTE_ORDER__==__ORDER_BIG_ENDIAN__ -# define __ARMEB__ -# else -# define __ARMEL__ -# endif /* * Why doesn't gcc define __ARM_ARCH__? Instead it defines * bunch of below macros. See all_architectures[] table in 
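Review bot: The `.${rdop}_done` label emitted by gen_random lacks the `.L` local-label prefix that `.Loop_${rdop}` and `.Loop_single_byte_${rdop}` carry, so `.rndr_done`/`.rndrrs_done` end up in the object's symbol table instead of being assembler-local; rename it to `.L${rdop}_done` at the label and in both `b.eq` targets. The `mov x3,xzr` immediately before `mrs x3,$rand_reg` is overwritten by the mrs whichever way it goes, so either drop it or comment why it is there. The second `b.eq .${rdop}_done` relies on the condition flags produced by the RNDR/RNDRRS read itself (Z set when no random value was available), not on the earlier `cmp`; a one-line comment such as `// Z set by the mrs when the RNG failed` would spare readers from assuming a missing compare.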
@@ -83,6 +78,13 @@ extern unsigned int OPENSSL_armv8_rsa_neonized; # define ARMV8_PMULL (1<<5) # define ARMV8_SHA512 (1<<6) # define ARMV8_CPUID (1<<7) +# define ARMV8_RNG (1<<8) +# define ARMV8_SM3 (1<<9) +# define ARMV8_SM4 (1<<10) +# define ARMV8_SHA3 (1<<11) +# define ARMV8_UNROLL8_EOR3 (1<<12) +# define ARMV8_SVE (1<<13) +# define ARMV8_SVE2 (1<<14) /* * MIDR_EL1 system register @@ -98,6 +100,8 @@ extern unsigned int OPENSSL_armv8_rsa_neonized; # define ARM_CPU_PART_CORTEX_A72 0xD08 # define ARM_CPU_PART_N1 0xD0C +# define ARM_CPU_PART_V1 0xD40 +# define ARM_CPU_PART_N2 0xD49 # define MIDR_PARTNUM_SHIFT 4 # define MIDR_PARTNUM_MASK (0xfffU << MIDR_PARTNUM_SHIFT) 
@@ -126,4 +130,65 @@ extern unsigned int OPENSSL_armv8_rsa_neonized; # define MIDR_IS_CPU_MODEL(midr, imp, partnum) \ (((midr) & MIDR_CPU_MODEL_MASK) == MIDR_CPU_MODEL(imp, partnum)) + +#if defined(__ASSEMBLER__) + + /* + * Support macros for + * - Armv8.3-A Pointer Authentication and + * - Armv8.5-A Branch Target Identification + * features which require emitting a .note.gnu.property section with the + * appropriate architecture-dependent feature bits set. + * Read more: "ELF for the Arm® 64-bit Architecture" + */ + +# if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1 +# define GNU_PROPERTY_AARCH64_BTI (1 << 0) /* Has Branch Target Identification */ +# define AARCH64_VALID_CALL_TARGET hint #34 /* BTI 'c' */ +# else +# define GNU_PROPERTY_AARCH64_BTI 0 /* No Branch Target Identification */ +# define AARCH64_VALID_CALL_TARGET +# endif + +# if defined(__ARM_FEATURE_PAC_DEFAULT) && \ + (__ARM_FEATURE_PAC_DEFAULT & 1) == 1 /* Signed with A-key */ +# define GNU_PROPERTY_AARCH64_POINTER_AUTH \ + (1 << 1) /* Has Pointer Authentication */ +# define AARCH64_SIGN_LINK_REGISTER hint #25 /* PACIASP */ +# define AARCH64_VALIDATE_LINK_REGISTER hint #29 /* AUTIASP */ +# elif defined(__ARM_FEATURE_PAC_DEFAULT) && \ + (__ARM_FEATURE_PAC_DEFAULT & 2) == 2 /* Signed with B-key */ +# define GNU_PROPERTY_AARCH64_POINTER_AUTH \ + (1 << 1) /* Has Pointer Authentication */ +# define AARCH64_SIGN_LINK_REGISTER hint #27 /* PACIBSP */ +# define AARCH64_VALIDATE_LINK_REGISTER hint #31 /* AUTIBSP */ +# else +# define GNU_PROPERTY_AARCH64_POINTER_AUTH 0 /* No Pointer Authentication */ +# if GNU_PROPERTY_AARCH64_BTI != 0 +# define AARCH64_SIGN_LINK_REGISTER AARCH64_VALID_CALL_TARGET +# else +# define AARCH64_SIGN_LINK_REGISTER +# endif +# define AARCH64_VALIDATE_LINK_REGISTER +# endif + +# if GNU_PROPERTY_AARCH64_POINTER_AUTH != 0 || GNU_PROPERTY_AARCH64_BTI != 0 + .pushsection .note.gnu.property, "a"; + .balign 8; + .long 4; + .long 0x10; + .long 0x5; + .asciz "GNU"; + 
.long 0xc0000000; /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */ + .long 4; + .long (GNU_PROPERTY_AARCH64_POINTER_AUTH | GNU_PROPERTY_AARCH64_BTI); + .long 0; + .popsection; +# endif + +# endif /* defined __ASSEMBLER__ */ + +# define IS_CPU_SUPPORT_UNROLL8_EOR3() \ + (OPENSSL_armcap_P & ARMV8_UNROLL8_EOR3) + #endif diff --git a/crypto/armcap.c b/crypto/armcap.c index c021330e3..71296786c 100644 --- a/crypto/armcap.c +++ b/crypto/armcap.c @@ -17,14 +17,36 @@ #include #endif #include "internal/cryptlib.h" - +#ifndef _WIN32 +#include +#else +#include +#endif #include "arm_arch.h" unsigned int OPENSSL_armcap_P = 0; unsigned int OPENSSL_arm_midr = 0; unsigned int OPENSSL_armv8_rsa_neonized = 0; -#if __ARM_MAX_ARCH__<7 +#ifdef _WIN32 +void OPENSSL_cpuid_setup(void) +{ + OPENSSL_armcap_P |= ARMV7_NEON; + OPENSSL_armv8_rsa_neonized = 1; + if (IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE)) { + // These are all covered by one call in Windows + OPENSSL_armcap_P |= ARMV8_AES; + OPENSSL_armcap_P |= ARMV8_PMULL; + OPENSSL_armcap_P |= ARMV8_SHA1; + OPENSSL_armcap_P |= ARMV8_SHA256; + } +} + +uint32_t OPENSSL_rdtsc(void) +{ + return 0; +} +#elif __ARM_MAX_ARCH__<7 void OPENSSL_cpuid_setup(void) { } 
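Review bot: The preprocessor nesting in the new assembler-only section is inconsistent: it opens with `#if defined(__ASSEMBLER__)` at column 0 but closes with `# endif /* defined __ASSEMBLER__ */`, the same indent as the nested `# if GNU_PROPERTY_AARCH64_POINTER_AUTH != 0 || GNU_PROPERTY_AARCH64_BTI != 0` it contains, so the trailing `# endif`s read as siblings; indent the inner directives one level deeper or open with `# if defined(__ASSEMBLER__)`. The `.pushsection .note.gnu.property` run would also benefit from a comment naming the layout it hand-assembles, e.g. `/* NT_GNU_PROPERTY_TYPE_0 note carrying a 4-byte GNU_PROPERTY_AARCH64_FEATURE_1_AND bitmask */`, since the bare `.long 4; .long 0x10; .long 0x5` sequence is opaque. Note that the property is only emitted when the compiler defines `__ARM_FEATURE_BTI_DEFAULT`/`__ARM_FEATURE_PAC_DEFAULT`, so objects built without branch protection will presumably mark the final link as non-BTI/non-PAC; worth a sentence in the header comment.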
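Review bot: The new `_WIN32` `OPENSSL_cpuid_setup` uses a C++-style comment, `// These are all covered by one call in Windows`, whereas the rest of this diff and the file use `/* */` (see `/* 5000 microseconds (5 milliseconds) */` a few hunks down); change it to `/* These are all covered by one call in Windows */`. The Windows `OPENSSL_rdtsc` returns a constant 0 with no explanation; add a comment stating that no cycle counter is exposed on this path and that a constant is acceptable there, so nobody later mistakes it for a stub left unfinished.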
@@ -52,8 +74,44 @@ void _armv8_sha1_probe(void); void _armv8_sha256_probe(void); void _armv8_pmull_probe(void); # ifdef __aarch64__ +void _armv8_sm3_probe(void); +void _armv8_sm4_probe(void); +void _armv8_eor3_probe(void); void _armv8_sha512_probe(void); unsigned int _armv8_cpuid_probe(void); +void _armv8_sve_probe(void); +void _armv8_sve2_probe(void); +void _armv8_rng_probe(void); + +size_t OPENSSL_rndr_asm(unsigned char *buf, size_t len); +size_t OPENSSL_rndrrs_asm(unsigned char *buf, size_t len); + +size_t OPENSSL_rndr_bytes(unsigned char *buf, size_t len); +size_t OPENSSL_rndrrs_bytes(unsigned char *buf, size_t len); + +static size_t OPENSSL_rndr_wrapper(size_t (*func)(unsigned char *, size_t), unsigned char *buf, size_t len) +{ + size_t buffer_size = 0; + int i; + + for (i = 0; i < 8; i++) { + buffer_size = func(buf, len); + if (buffer_size == len) + break; + usleep(5000); /* 5000 microseconds (5 milliseconds) */ + } + return buffer_size; +} + +size_t OPENSSL_rndr_bytes(unsigned char *buf, size_t len) +{ + return OPENSSL_rndr_wrapper(OPENSSL_rndr_asm, buf, len); +} + +size_t OPENSSL_rndrrs_bytes(unsigned char *buf, size_t len) +{ + return OPENSSL_rndr_wrapper(OPENSSL_rndrrs_asm, buf, len); +} # endif uint32_t _armv7_tick(void); @@ -137,7 +195,15 @@ static unsigned long getauxval(unsigned long key) # define HWCAP_CE_SHA1 (1 << 5) # define HWCAP_CE_SHA256 (1 << 6) # define HWCAP_CPUID (1 << 11) +# define HWCAP_SHA3 (1 << 17) +# define HWCAP_CE_SM3 (1 << 18) +# define HWCAP_CE_SM4 (1 << 19) # define HWCAP_CE_SHA512 (1 << 21) +# define HWCAP_SVE (1 << 22) + /* AT_HWCAP2 */ +# define HWCAP2 26 +# define HWCAP2_SVE2 (1 << 1) +# define HWCAP2_RNG (1 << 16) # endif void OPENSSL_cpuid_setup(void) 
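Review bot: `OPENSSL_rndr_wrapper` discards partial output on every retry: each iteration calls `func(buf, len)` again from the start of `buf`, and if all eight attempts fall short the last partial count is returned with `buf` only partly filled. Callers must therefore compare the result with `len` and treat anything smaller as failure; document that on the function, e.g. `/* Returns len on success; a smaller value means the hardware RNG kept failing and the contents of buf must not be used */`. The `usleep()` call and the non-Windows include added above make this path POSIX-only, which is consistent with the `#ifdef _WIN32` split at the top of the file but deserves a comment next to the include.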
@@ -177,11 +243,20 @@ void OPENSSL_cpuid_setup(void) */ # else { - unsigned int sha512; - size_t len = sizeof(sha512); + unsigned int feature; + size_t len = sizeof(feature); + char uarch[64]; - if (sysctlbyname("hw.optional.armv8_2_sha512", &sha512, &len, NULL, 0) == 0 && sha512 == 1) + if (sysctlbyname("hw.optional.armv8_2_sha512", &feature, &len, NULL, 0) == 0 && feature == 1) OPENSSL_armcap_P |= ARMV8_SHA512; + feature = 0; + if (sysctlbyname("hw.optional.armv8_2_sha3", &feature, &len, NULL, 0) == 0 && feature == 1) { + OPENSSL_armcap_P |= ARMV8_SHA3; + len = sizeof(uarch); + if ((sysctlbyname("machdep.cpu.brand_string", uarch, &len, NULL, 0) == 0) && + (strncmp(uarch, "Apple M1", 8) == 0)) + OPENSSL_armcap_P |= ARMV8_UNROLL8_EOR3; + } } # endif # endif @@ -205,13 +280,31 @@ void OPENSSL_cpuid_setup(void) OPENSSL_armcap_P |= ARMV8_SHA256; # ifdef __aarch64__ + if (hwcap & HWCAP_CE_SM4) + OPENSSL_armcap_P |= ARMV8_SM4; + if (hwcap & HWCAP_CE_SHA512) OPENSSL_armcap_P |= ARMV8_SHA512; if (hwcap & HWCAP_CPUID) OPENSSL_armcap_P |= ARMV8_CPUID; + + if (hwcap & HWCAP_CE_SM3) + OPENSSL_armcap_P |= ARMV8_SM3; + if (hwcap & HWCAP_SHA3) + OPENSSL_armcap_P |= ARMV8_SHA3; # endif } +# ifdef __aarch64__ + if (getauxval(HWCAP) & HWCAP_SVE) + OPENSSL_armcap_P |= ARMV8_SVE; + + if (getauxval(HWCAP2) & HWCAP2_SVE2) + OPENSSL_armcap_P |= ARMV8_SVE2; + + if (getauxval(HWCAP2) & HWCAP2_RNG) + OPENSSL_armcap_P |= ARMV8_RNG; +# endif # endif sigfillset(&all_masked); 
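Review bot: In the 280 hunk `getauxval(HWCAP2)` is evaluated twice and `getauxval(HWCAP)` once more even though `hwcap` was already read a few lines up; read it once, `unsigned long hwcap2 = getauxval(HWCAP2);`, and test `HWCAP2_SVE2` and `HWCAP2_RNG` against that. In the Apple branch of the 243 hunk, the `ARMV8_UNROLL8_EOR3` bit is keyed on `strncmp(uarch, "Apple M1", 8)`, which is a performance-tuning choice rather than a capability probe; a comment such as `/* Tuning: the 8-way EOR3 unroll is only known to pay off on M1 */` would keep the next reader from extending it as if it were a feature test. Both hunks are inside `OPENSSL_cpuid_setup`, which starts and ends outside them.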
@@ -249,12 +342,42 @@ void OPENSSL_cpuid_setup(void) OPENSSL_armcap_P |= ARMV8_SHA256; } # if defined(__aarch64__) && !defined(__APPLE__) + if (sigsetjmp(ill_jmp, 1) == 0) { + _armv8_sm4_probe(); + OPENSSL_armcap_P |= ARMV8_SM4; + } + if (sigsetjmp(ill_jmp, 1) == 0) { _armv8_sha512_probe(); OPENSSL_armcap_P |= ARMV8_SHA512; } + + if (sigsetjmp(ill_jmp, 1) == 0) { + _armv8_sm3_probe(); + OPENSSL_armcap_P |= ARMV8_SM3; + } + if (sigsetjmp(ill_jmp, 1) == 0) { + _armv8_eor3_probe(); + OPENSSL_armcap_P |= ARMV8_SHA3; + } # endif } +# ifdef __aarch64__ + if (sigsetjmp(ill_jmp, 1) == 0) { + _armv8_sve_probe(); + OPENSSL_armcap_P |= ARMV8_SVE; + } + + if (sigsetjmp(ill_jmp, 1) == 0) { + _armv8_sve2_probe(); + OPENSSL_armcap_P |= ARMV8_SVE2; + } + + if (sigsetjmp(ill_jmp, 1) == 0) { + _armv8_rng_probe(); + OPENSSL_armcap_P |= ARMV8_RNG; + } +# endif # endif /* @@ -275,6 +398,10 @@ void OPENSSL_cpuid_setup(void) (OPENSSL_armcap_P & ARMV7_NEON)) { OPENSSL_armv8_rsa_neonized = 1; } + if ((MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_V1) || + MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_N2)) && + (OPENSSL_armcap_P & ARMV8_SHA3)) + OPENSSL_armcap_P |= ARMV8_UNROLL8_EOR3; # endif } #endif diff --git a/crypto/asn1/a_time.c b/crypto/asn1/a_time.c index 9b3074e47..5d63dbbc2 100644 --- a/crypto/asn1/a_time.c +++ b/crypto/asn1/a_time.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
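Review bot: The SIGILL probes are gated asymmetrically in the 342 hunk: `_armv8_sm4_probe`, `_armv8_sha512_probe`, `_armv8_sm3_probe` and `_armv8_eor3_probe` sit under `# if defined(__aarch64__) && !defined(__APPLE__)`, but the new `_armv8_sve_probe`, `_armv8_sve2_probe` and `_armv8_rng_probe` block is under a bare `# ifdef __aarch64__`, so on macOS those three still go through the illegal-instruction handler while the others are resolved via sysctl in the earlier hunk. If that is deliberate, say so with `/* No sysctl equivalents for SVE/SVE2/RNG; trap-and-probe even on Apple */`; otherwise align the guard with the block above. The enclosing `OPENSSL_cpuid_setup` starts and ends outside this hunk.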
@@ -92,7 +92,7 @@ int ossl_asn1_time_to_tm(struct tm *tm, const ASN1_TIME *d) * * 1. "seconds" is a 'MUST' * 2. "Zulu" timezone is a 'MUST' - * 3. "+|-" is not allowed to indicate a time zone + * 3. "+|-" is not allowed to indicate a timezone */ if (d->type == V_ASN1_UTCTIME) { if (d->flags & ASN1_STRING_FLAG_X509_TIME) { diff --git a/crypto/asn1/asn1_parse.c b/crypto/asn1/asn1_parse.c index 04d7ef66c..6a4618d25 100644 --- a/crypto/asn1/asn1_parse.c +++ b/crypto/asn1/asn1_parse.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -50,7 +50,7 @@ static int asn1_print_info(BIO *bp, long offset, int depth, int hl, long len, pop_f_prefix = 1; } saved_indent = BIO_get_indent(bp); - if (BIO_set_prefix(bp, str) <= 0 || BIO_set_indent(bp, indent) < 0) + if (BIO_set_prefix(bp, str) <= 0 || BIO_set_indent(bp, indent) <= 0) goto err; } diff --git a/crypto/asn1/asn_pack.c b/crypto/asn1/asn_pack.c index 292e6d817..2389264f1 100644 --- a/crypto/asn1/asn_pack.c +++ b/crypto/asn1/asn_pack.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -29,7 +29,7 @@ ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct) OPENSSL_free(octmp->data); octmp->data = NULL; - if ((octmp->length = ASN1_item_i2d(obj, &octmp->data, it)) == 0) { + if ((octmp->length = ASN1_item_i2d(obj, &octmp->data, it)) <= 0) { ERR_raise(ERR_LIB_ASN1, ASN1_R_ENCODE_ERROR); goto err; } 
diff --git a/crypto/asn1/x_int64.c b/crypto/asn1/x_int64.c index eb78c7e36..0cf8c76cd 100644 --- a/crypto/asn1/x_int64.c +++ b/crypto/asn1/x_int64.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -224,8 +224,8 @@ static int uint32_print(BIO *out, const ASN1_VALUE **pval, const ASN1_ITEM *it, int indent, const ASN1_PCTX *pctx) { if ((it->size & INTxx_FLAG_SIGNED) == INTxx_FLAG_SIGNED) - return BIO_printf(out, "%d\n", **(int32_t **)pval); - return BIO_printf(out, "%u\n", **(uint32_t **)pval); + return BIO_printf(out, "%d\n", (int)**(int32_t **)pval); + return BIO_printf(out, "%u\n", (unsigned int)**(uint32_t **)pval); } diff --git a/crypto/bf/bf_local.h b/crypto/bf/bf_local.h index 080f37a5f..a7ea4acc0 100644 --- a/crypto/bf/bf_local.h +++ b/crypto/bf/bf_local.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -17,19 +17,19 @@ l1=l2=0; \ switch (n) { \ case 8: l2 =((unsigned long)(*(--(c)))) ; \ - /* fall thru */ \ + /* fall through */ \ case 7: l2|=((unsigned long)(*(--(c))))<< 8; \ - /* fall thru */ \ + /* fall through */ \ case 6: l2|=((unsigned long)(*(--(c))))<<16; \ - /* fall thru */ \ + /* fall through */ \ case 5: l2|=((unsigned long)(*(--(c))))<<24; \ - /* fall thru */ \ + /* fall through */ \ case 4: l1 =((unsigned long)(*(--(c)))) ; \ - /* fall thru */ \ + /* fall through */ \ case 3: l1|=((unsigned long)(*(--(c))))<< 8; \ - /* fall thru */ \ + /* fall through */ \ case 2: l1|=((unsigned long)(*(--(c))))<<16; \ - /* fall thru */ \ + /* fall through */ \ case 1: l1|=((unsigned long)(*(--(c))))<<24; \ } \ } @@ -39,19 +39,19 @@ c+=n; \ switch (n) { \ case 8: *(--(c))=(unsigned char)(((l2) )&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 7: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 6: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 5: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 4: *(--(c))=(unsigned char)(((l1) )&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 3: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 2: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 1: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \ } \ } diff --git a/crypto/bio/bf_buff.c b/crypto/bio/bf_buff.c index 53bd02fe1..e9f03ed45 100644 --- a/crypto/bio/bf_buff.c +++ b/crypto/bio/bf_buff.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
diff --git a/crypto/bio/bf_lbuf.c b/crypto/bio/bf_lbuf.c index 6908e64d3..30220b0a0 100644 --- a/crypto/bio/bf_lbuf.c +++ b/crypto/bio/bf_lbuf.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/bio/bio_addr.c b/crypto/bio/bio_addr.c index a80774bbd..20c2895b5 100644 --- a/crypto/bio/bio_addr.c +++ b/crypto/bio/bio_addr.c @@ -83,13 +83,13 @@ int BIO_ADDR_make(BIO_ADDR *ap, const struct sockaddr *sa) memcpy(&(ap->s_in), sa, sizeof(struct sockaddr_in)); return 1; } -#ifdef AF_INET6 +#if OPENSSL_USE_IPV6 if (sa->sa_family == AF_INET6) { memcpy(&(ap->s_in6), sa, sizeof(struct sockaddr_in6)); return 1; } #endif -#ifdef AF_UNIX +#ifndef OPENSSL_NO_UNIX_SOCK if (sa->sa_family == AF_UNIX) { memcpy(&(ap->s_un), sa, sizeof(struct sockaddr_un)); return 1; @@ -103,7 +103,7 @@ int BIO_ADDR_rawmake(BIO_ADDR *ap, int family, const void *where, size_t wherelen, unsigned short port) { -#ifdef AF_UNIX +#ifndef OPENSSL_NO_UNIX_SOCK if (family == AF_UNIX) { if (wherelen + 1 > sizeof(ap->s_un.sun_path)) return 0; @@ -122,7 +122,7 @@ int BIO_ADDR_rawmake(BIO_ADDR *ap, int family, ap->s_in.sin_addr = *(struct in_addr *)where; return 1; } -#ifdef AF_INET6 +#if OPENSSL_USE_IPV6 if (family == AF_INET6) { if (wherelen != sizeof(struct in6_addr)) return 0; @@ -151,13 +151,13 @@ int BIO_ADDR_rawaddress(const BIO_ADDR *ap, void *p, size_t *l) len = sizeof(ap->s_in.sin_addr); addrptr = &ap->s_in.sin_addr; } -#ifdef AF_INET6 +#if OPENSSL_USE_IPV6 else if (ap->sa.sa_family == AF_INET6) { len = sizeof(ap->s_in6.sin6_addr); addrptr = &ap->s_in6.sin6_addr; } #endif -#ifdef AF_UNIX +#ifndef OPENSSL_NO_UNIX_SOCK else if (ap->sa.sa_family == AF_UNIX) { len = strlen(ap->s_un.sun_path); addrptr = &ap->s_un.sun_path; 
@@ -180,7 +180,7 @@ unsigned short BIO_ADDR_rawport(const BIO_ADDR *ap) { if (ap->sa.sa_family == AF_INET) return ap->s_in.sin_port; -#ifdef AF_INET6 +#if OPENSSL_USE_IPV6 if (ap->sa.sa_family == AF_INET6) return ap->s_in6.sin6_port; #endif @@ -193,7 +193,7 @@ unsigned short BIO_ADDR_rawport(const BIO_ADDR *ap) * @numeric: 0 if actual names should be returned, 1 if the numeric * representation should be returned. * @hostname: a pointer to a pointer to a memory area to store the - * host name or numeric representation. Unused if NULL. + * hostname or numeric representation. Unused if NULL. * @service: a pointer to a pointer to a memory area to store the * service name or numeric representation. Unused if NULL. * @@ -296,7 +296,7 @@ char *BIO_ADDR_service_string(const BIO_ADDR *ap, int numeric) char *BIO_ADDR_path_string(const BIO_ADDR *ap) { -#ifdef AF_UNIX +#ifndef OPENSSL_NO_UNIX_SOCK if (ap->sa.sa_family == AF_UNIX) return OPENSSL_strdup(ap->s_un.sun_path); #endif @@ -334,11 +334,11 @@ socklen_t BIO_ADDR_sockaddr_size(const BIO_ADDR *ap) { if (ap->sa.sa_family == AF_INET) return sizeof(ap->s_in); -#ifdef AF_INET6 +#if OPENSSL_USE_IPV6 if (ap->sa.sa_family == AF_INET6) return sizeof(ap->s_in6); #endif -#ifdef AF_UNIX +#ifndef OPENSSL_NO_UNIX_SOCK if (ap->sa.sa_family == AF_UNIX) return sizeof(ap->s_un); #endif @@ -378,7 +378,7 @@ int BIO_ADDRINFO_protocol(const BIO_ADDRINFO *bai) if (bai->bai_protocol != 0) return bai->bai_protocol; -#ifdef AF_UNIX +#ifndef OPENSSL_NO_UNIX_SOCK if (bai->bai_family == AF_UNIX) return 0; #endif @@ -430,7 +430,7 @@ void BIO_ADDRINFO_free(BIO_ADDRINFO *bai) return; #ifdef AI_PASSIVE -# ifdef AF_UNIX +# ifndef OPENSSL_NO_UNIX_SOCK # define _cond bai->bai_family != AF_UNIX # else # define _cond 1 
@@ -589,7 +589,7 @@ static int addrinfo_wrap(int family, int socktype, (*bai)->bai_protocol = IPPROTO_TCP; if (socktype == SOCK_DGRAM) (*bai)->bai_protocol = IPPROTO_UDP; -#ifdef AF_UNIX +#ifndef OPENSSL_NO_UNIX_SOCK if (family == AF_UNIX) (*bai)->bai_protocol = 0; #endif @@ -656,10 +656,10 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type, switch(family) { case AF_INET: -#ifdef AF_INET6 +#if OPENSSL_USE_IPV6 case AF_INET6: #endif -#ifdef AF_UNIX +#ifndef OPENSSL_NO_UNIX_SOCK case AF_UNIX: #endif #ifdef AF_UNSPEC @@ -671,7 +671,7 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type, return 0; } -#ifdef AF_UNIX +#ifndef OPENSSL_NO_UNIX_SOCK if (family == AF_UNIX) { if (addrinfo_wrap(family, socktype, host, strlen(host), 0, res)) return 1; diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c index ecc16a5ee..faea9a63e 100644 --- a/crypto/bio/bio_lib.c +++ b/crypto/bio/bio_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -784,7 +784,7 @@ BIO *BIO_dup_chain(BIO *in) /* This will let SSL_s_sock() work with stdin/stdout */ new_bio->num = bio->num; - if (!BIO_dup_state(bio, (char *)new_bio)) { + if (BIO_dup_state(bio, (char *)new_bio) <= 0) { BIO_free(new_bio); goto err; } @@ -857,7 +857,7 @@ void bio_cleanup(void) bio_type_lock = NULL; } -/* Internal variant of the below BIO_wait() not calling BIOerr() */ +/* Internal variant of the below BIO_wait() not calling ERR_raise(...) */ static int bio_wait(BIO *bio, time_t max_time, unsigned int nap_milliseconds) { #ifndef OPENSSL_NO_SOCK 
@@ -895,7 +895,7 @@ static int bio_wait(BIO *bio, time_t max_time, unsigned int nap_milliseconds) * Succeed immediately if max_time == 0. * If sockets are not available support polling: succeed after waiting at most * the number of nap_milliseconds in order to avoid a tight busy loop. - * Call BIOerr(...) on timeout or error. + * Call ERR_raise(ERR_LIB_BIO, ...) on timeout or error. * Returns -1 on error, 0 on timeout, and 1 on success. */ int BIO_wait(BIO *bio, time_t max_time, unsigned int nap_milliseconds) diff --git a/crypto/bio/bio_local.h b/crypto/bio/bio_local.h index 749e8f810..87779c8e0 100644 --- a/crypto/bio/bio_local.h +++ b/crypto/bio/bio_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "e_os.h" +#include "internal/e_os.h" #include "internal/sockets.h" /* BEGIN BIO_ADDRINFO/BIO_ADDR stuff. */ @@ -33,13 +33,6 @@ # error openssl/bio.h included before bio_local.h # endif -/* - * Undefine AF_UNIX on systems that define it but don't support it. - */ -# if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_VMS) -# undef AF_UNIX -# endif - # ifdef AI_PASSIVE /* @@ -73,11 +66,11 @@ struct bio_addrinfo_st { union bio_addr_st { struct sockaddr sa; -# ifdef AF_INET6 +# if OPENSSL_USE_IPV6 struct sockaddr_in6 s_in6; # endif struct sockaddr_in s_in; -# ifdef AF_UNIX +# ifndef OPENSSL_NO_UNIX_SOCK struct sockaddr_un s_un; # endif }; diff --git a/crypto/bio/bio_print.c b/crypto/bio/bio_print.c index 4c9c3af7c..eb192e824 100644 --- a/crypto/bio/bio_print.c +++ b/crypto/bio/bio_print.c 
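Review bot: Removing the `# undef AF_UNIX` for Windows/VMS from bio_local.h makes the `s_un` member of `union bio_addr_st` and every `AF_UNIX` branch in bio_addr.c depend on `OPENSSL_NO_UNIX_SOCK` being defined for those platforms, presumably by `internal/sockets.h`, which is not part of this diff. A comment next to the new `# ifndef OPENSSL_NO_UNIX_SOCK` in the union, e.g. `/* OPENSSL_NO_UNIX_SOCK is set per platform in internal/sockets.h */`, would record that contract. The old `#undef` also covered a platform whose headers define `AF_UNIX` without a usable `struct sockaddr_un`; if any such target remains, it now needs the macro set explicitly.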
@@ -276,7 +276,7 @@ _dopr(char **sbuffer, break; case 'E': flags |= DP_F_UP; - /* fall thru */ + /* fall through */ case 'e': if (cflags == DP_C_LDOUBLE) fvalue = va_arg(args, LDOUBLE); @@ -288,7 +288,7 @@ _dopr(char **sbuffer, break; case 'G': flags |= DP_F_UP; - /* fall thru */ + /* fall through */ case 'g': if (cflags == DP_C_LDOUBLE) fvalue = va_arg(args, LDOUBLE); diff --git a/crypto/bio/bio_sock2.c b/crypto/bio/bio_sock2.c index 8bdad0c0b..b746e40ba 100644 --- a/crypto/bio/bio_sock2.c +++ b/crypto/bio/bio_sock2.c @@ -262,7 +262,7 @@ int BIO_listen(int sock, const BIO_ADDR *addr, int options) } } - /* On OpenBSD it is always ipv6 only with ipv6 sockets thus read-only */ + /* On OpenBSD it is always IPv6 only with IPv6 sockets thus read-only */ # if defined(IPV6_V6ONLY) && !defined(__OpenBSD__) if (BIO_ADDR_family(addr) == AF_INET6) { /* diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c index 1cda96733..3da66f355 100644 --- a/crypto/bio/bss_acpt.c +++ b/crypto/bio/bss_acpt.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -188,7 +188,7 @@ static int acpt_state(BIO *b, BIO_ACCEPT *c) * at least the "else" part will always be * compiled. */ -#ifdef AF_INET6 +#if OPENSSL_USE_IPV6 family = AF_INET6; } else { #endif @@ -497,7 +497,7 @@ static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr) *pp = data->cache_peer_serv; } else if (num == 4) { switch (BIO_ADDRINFO_family(data->addr_iter)) { -#ifdef AF_INET6 +#if OPENSSL_USE_IPV6 case AF_INET6: ret = BIO_FAMILY_IPV6; break; 
@@ -566,7 +566,7 @@ BIO *BIO_new_accept(const char *str) ret = BIO_new(BIO_s_accept()); if (ret == NULL) return NULL; - if (BIO_set_accept_name(ret, str)) + if (BIO_set_accept_name(ret, str) > 0) return ret; BIO_free(ret); return NULL; diff --git a/crypto/bio/bss_bio.c b/crypto/bio/bss_bio.c index 7fa8778ca..5039a621f 100644 --- a/crypto/bio/bss_bio.c +++ b/crypto/bio/bss_bio.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -15,7 +15,7 @@ * See ssl/ssltest.c for some hints on how this can be used. */ -#include "e_os.h" +#include "internal/e_os.h" #include #include #include diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c index 0d91f25fe..2247678ae 100644 --- a/crypto/bio/bss_conn.c +++ b/crypto/bio/bss_conn.c @@ -105,7 +105,7 @@ static int conn_state(BIO *b, BIO_CONNECT *c) * at least the "else" part will always be * compiled. */ -#ifdef AF_INET6 +#if OPENSSL_USE_IPV6 family = AF_INET6; } else { #endif @@ -422,7 +422,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) *pptr = (const char *)BIO_ADDRINFO_address(data->addr_iter); } else if (num == 3) { switch (BIO_ADDRINFO_family(data->addr_iter)) { -# ifdef AF_INET6 +# if OPENSSL_USE_IPV6 case AF_INET6: ret = BIO_FAMILY_IPV6; break; diff --git a/crypto/bio/bss_core.c b/crypto/bio/bss_core.c index 7a84b2046..b9a8eff34 100644 --- a/crypto/bio/bss_core.c +++ b/crypto/bio/bss_core.c @@ -10,6 +10,7 @@ #include #include "bio_local.h" #include "internal/cryptlib.h" +#include "crypto/context.h" typedef struct { OSSL_FUNC_BIO_read_ex_fn *c_bio_read_ex; 
@@ -21,26 +22,19 @@ typedef struct { OSSL_FUNC_BIO_free_fn *c_bio_free; } BIO_CORE_GLOBALS; -static void bio_core_globals_free(void *vbcg) +void ossl_bio_core_globals_free(void *vbcg) { OPENSSL_free(vbcg); } -static void *bio_core_globals_new(OSSL_LIB_CTX *ctx) +void *ossl_bio_core_globals_new(OSSL_LIB_CTX *ctx) { return OPENSSL_zalloc(sizeof(BIO_CORE_GLOBALS)); } -static const OSSL_LIB_CTX_METHOD bio_core_globals_method = { - OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, - bio_core_globals_new, - bio_core_globals_free, -}; - static ossl_inline BIO_CORE_GLOBALS *get_globals(OSSL_LIB_CTX *libctx) { - return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_BIO_CORE_INDEX, - &bio_core_globals_method); + return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_BIO_CORE_INDEX); } static int bio_core_read_ex(BIO *bio, char *data, size_t data_len, diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c index 8ca1cf64e..cdbb786b5 100644 --- a/crypto/bio/bss_dgram.c +++ b/crypto/bio/bss_dgram.c @@ -218,7 +218,7 @@ static void dgram_adjust_rcv_timeout(BIO *b) &(data->socket_timeout), &sz) < 0) { perror("getsockopt"); } else - OPENSSL_assert(sz <= sizeof(data->socket_timeout)); + OPENSSL_assert((size_t)sz <= sizeof(data->socket_timeout)); # endif /* Get current time */ @@ -393,7 +393,9 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) long ret = 1; int *ip; bio_dgram_data *data = NULL; +# ifndef __DJGPP__ int sockopt_val = 0; +# endif int d_errno; # if defined(OPENSSL_SYS_LINUX) && (defined(IP_MTU_DISCOVER) || defined(IP_MTU)) socklen_t sockopt_len; /* assume that system supporting IP_MTU is @@ -623,7 +625,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) perror("getsockopt"); ret = -1; } else { - OPENSSL_assert(sz <= sizeof(struct timeval)); + OPENSSL_assert((size_t)sz <= sizeof(struct timeval)); ret = (int)sz; } # endif 
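Review bot: `ossl_bio_core_globals_new` and `ossl_bio_core_globals_free` are promoted from static helpers to externally visible functions (presumably registered through the newly included `crypto/context.h`) but carry no documentation, and since `get_globals` now calls `ossl_lib_ctx_get_data` without the method argument, the allocation contract lives only in these two functions. Add a header comment such as `/* Allocator and finaliser for the per-libctx BIO core globals, registered via crypto/context.h; the ctx argument is unused and NULL is returned on allocation failure */`. The NULL return also means `get_globals` can yield NULL, which its callers outside this hunk should be checking.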
@@ -674,7 +676,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) perror("getsockopt"); ret = -1; } else { - OPENSSL_assert(sz <= sizeof(struct timeval)); + OPENSSL_assert((size_t)sz <= sizeof(struct timeval)); ret = (int)sz; } # endif @@ -705,24 +707,24 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) break; # endif case BIO_CTRL_DGRAM_SET_DONT_FRAG: - sockopt_val = num ? 1 : 0; - switch (data->peer.sa.sa_family) { case AF_INET: # if defined(IP_DONTFRAG) + sockopt_val = num ? 1 : 0; if ((ret = setsockopt(b->num, IPPROTO_IP, IP_DONTFRAG, &sockopt_val, sizeof(sockopt_val))) < 0) { perror("setsockopt"); ret = -1; } # elif defined(OPENSSL_SYS_LINUX) && defined(IP_MTU_DISCOVER) && defined (IP_PMTUDISC_PROBE) - if ((sockopt_val = num ? IP_PMTUDISC_PROBE : IP_PMTUDISC_DONT), - (ret = setsockopt(b->num, IPPROTO_IP, IP_MTU_DISCOVER, + sockopt_val = num ? IP_PMTUDISC_PROBE : IP_PMTUDISC_DONT; + if ((ret = setsockopt(b->num, IPPROTO_IP, IP_MTU_DISCOVER, &sockopt_val, sizeof(sockopt_val))) < 0) { perror("setsockopt"); ret = -1; } # elif defined(OPENSSL_SYS_WINDOWS) && defined(IP_DONTFRAGMENT) + sockopt_val = num ? 1 : 0; if ((ret = setsockopt(b->num, IPPROTO_IP, IP_DONTFRAGMENT, (const char *)&sockopt_val, sizeof(sockopt_val))) < 0) { @@ -736,6 +738,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) # if OPENSSL_USE_IPV6 case AF_INET6: # if defined(IPV6_DONTFRAG) + sockopt_val = num ? 1 : 0; if ((ret = setsockopt(b->num, IPPROTO_IPV6, IPV6_DONTFRAG, (const void *)&sockopt_val, sizeof(sockopt_val))) < 0) { 
@@ -743,8 +746,8 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) ret = -1; } # elif defined(OPENSSL_SYS_LINUX) && defined(IPV6_MTUDISCOVER) - if ((sockopt_val = num ? IP_PMTUDISC_PROBE : IP_PMTUDISC_DONT), - (ret = setsockopt(b->num, IPPROTO_IPV6, IPV6_MTU_DISCOVER, + sockopt_val = num ? IP_PMTUDISC_PROBE : IP_PMTUDISC_DONT; + if ((ret = setsockopt(b->num, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &sockopt_val, sizeof(sockopt_val))) < 0) { perror("setsockopt"); ret = -1; diff --git a/crypto/bio/bss_fd.c b/crypto/bio/bss_fd.c index f756225ed..b830f3cbf 100644 --- a/crypto/bio/bss_fd.c +++ b/crypto/bio/bss_fd.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -149,7 +149,7 @@ static long fd_ctrl(BIO *b, int cmd, long num, void *ptr) switch (cmd) { case BIO_CTRL_RESET: num = 0; - /* fall thru */ + /* fall through */ case BIO_C_FILE_SEEK: ret = (long)UP_lseek(b->num, num, 0); break; diff --git a/crypto/bio/bss_file.c b/crypto/bio/bss_file.c index a6143b6ab..5b10b22ad 100644 --- a/crypto/bio/bss_file.c +++ b/crypto/bio/bss_file.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
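Review bot: The rewritten IPv6 path sits under `# elif defined(OPENSSL_SYS_LINUX) && defined(IPV6_MTUDISCOVER)` but calls `setsockopt(b->num, IPPROTO_IPV6, IPV6_MTU_DISCOVER, ...)`; Linux defines `IPV6_MTU_DISCOVER`, so unless some platform spells the macro without the underscore this branch is never compiled and BIO_CTRL_DGRAM_SET_DONT_FRAG silently does nothing for IPv6 on Linux, falling to whatever `#else` follows outside the hunk. This is pre-existing, but since the lines are being rewritten it is the moment to change the guard to `# elif defined(OPENSSL_SYS_LINUX) && defined(IPV6_MTU_DISCOVER)` and to use the IPv6 option values `IPV6_PMTUDISC_PROBE : IPV6_PMTUDISC_DONT` instead of the IP_PMTUDISC_* names (numerically the same on Linux as far as I know, but the IPv4 names read as a copy-paste). For DTLS this is what makes path-MTU probing behave the way the caller asked for. dgram_ctrl() starts and ends outside the hunk.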
@@ -11,7 +11,7 @@ /* * Following definition aliases fopen to fopen64 on above mentioned * platforms. This makes it possible to open and sequentially access files - * larger than 2GB from 32-bit application. It does not allow to traverse + * larger than 2GB from 32-bit application. It does not allow one to traverse * them beyond 2GB with fseek/ftell, but on the other hand *no* 32-bit * platform permits that, not with fseek/ftell. Not to mention that breaking * 2GB limit for seeking would require surgery to *our* API. But sequential diff --git a/crypto/bn/asm/armv8-mont.pl b/crypto/bn/asm/armv8-mont.pl index 54d2e8245..93cd45cd3 100755 --- a/crypto/bn/asm/armv8-mont.pl +++ b/crypto/bn/asm/armv8-mont.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -67,8 +67,8 @@ $num="x5"; # int num); $code.=<<___; +#include "arm_arch.h" #ifndef __KERNEL__ -# include "arm_arch.h" .extern OPENSSL_armv8_rsa_neonized .hidden OPENSSL_armv8_rsa_neonized #endif @@ -78,6 +78,7 @@ .type bn_mul_mont,%function .align 5 bn_mul_mont: + AARCH64_SIGN_LINK_REGISTER .Lbn_mul_mont: tst $num,#3 b.ne .Lmul_mont @@ -288,6 +289,7 @@ mov x0,#1 ldp x23,x24,[x29,#48] ldr x29,[sp],#64 + AARCH64_VALIDATE_LINK_REGISTER ret .size bn_mul_mont,.-bn_mul_mont ___ @@ -309,6 +311,8 @@ .type bn_mul8x_mont_neon,%function .align 5 bn_mul8x_mont_neon: + // Not adding AARCH64_SIGN_LINK_REGISTER here because bn_mul8x_mont_neon is jumped to + // only from bn_mul_mont which has already signed the return address. stp x29,x30,[sp,#-80]! mov x16,sp stp d8,d9,[sp,#16] @@ -649,6 +653,7 @@ ldp d10,d11,[sp,#32] ldp d8,d9,[sp,#16] ldr x29,[sp],#80 + AARCH64_VALIDATE_LINK_REGISTER ret // bx lr .size bn_mul8x_mont_neon,.-bn_mul8x_mont_neon 
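Review bot: The comment added at `bn_mul8x_mont_neon:` justifies omitting AARCH64_SIGN_LINK_REGISTER by saying the routine is only jumped to from bn_mul_mont, but the safety of the `AARCH64_VALIDATE_LINK_REGISTER` added before each `ret` rests on that jump being a plain branch (`b`/`b.ne`, as in the visible `b.ne .Lmul_mont` dispatch) and never a `bl`: the validate authenticates the x30 that bn_mul_mont signed, and a future `bl` into one of these entry points would fault on a never-signed return address. I would tighten the wording to `// No AARCH64_SIGN_LINK_REGISTER: entered only by a plain branch (never bl) from bn_mul_mont, which signed x30; the VALIDATE before our ret checks that signature` here and at the matching comments on __bn_sqr8x_mont and __bn_mul4x_mont in the following hunks. The two exit comments also differ (`x30 is loaded earlier` vs `x30 loaded earlier`); one wording, e.g. `// x30 already reloaded from the frame`, would be tidier — the reloading instruction itself is outside the hunks, so check before quoting it.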
@@ -671,7 +676,8 @@ cmp $ap,$bp b.ne __bn_mul4x_mont .Lsqr8x_mont: - .inst 0xd503233f // paciasp + // Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_sqr8x_mont is jumped to + // only from bn_mul_mont which has already signed the return address. stp x29,x30,[sp,#-128]! add x29,sp,#0 stp x19,x20,[sp,#16] @@ -1425,7 +1431,8 @@ ldp x25,x26,[x29,#64] ldp x27,x28,[x29,#80] ldr x29,[sp],#128 - .inst 0xd50323bf // autiasp + // x30 is loaded earlier + AARCH64_VALIDATE_LINK_REGISTER ret .size __bn_sqr8x_mont,.-__bn_sqr8x_mont ___ @@ -1449,7 +1456,8 @@ .type __bn_mul4x_mont,%function .align 5 __bn_mul4x_mont: - .inst 0xd503233f // paciasp + // Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_mul4x_mont is jumped to + // only from bn_mul_mont (or __bn_sqr8x_mont from bn_mul_mont) which has already signed the return address. stp x29,x30,[sp,#-128]! add x29,sp,#0 stp x19,x20,[sp,#16] @@ -1883,7 +1891,8 @@ ldp x25,x26,[x29,#64] ldp x27,x28,[x29,#80] ldr x29,[sp],#128 - .inst 0xd50323bf // autiasp + // x30 loaded earlier + AARCH64_VALIDATE_LINK_REGISTER ret .size __bn_mul4x_mont,.-__bn_mul4x_mont ___ diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl index e69de29bb..e27d0ad93 100755 --- a/crypto/bn/asm/ppc64-mont-fixed.pl +++ b/crypto/bn/asm/ppc64-mont-fixed.pl 
@@ -0,0 +1,583 @@ +#! /usr/bin/env perl +# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# ==================================================================== +# Written by Amitay Isaacs , Martin Schwenke +# & Alastair D'Silva for +# the OpenSSL project. +# ==================================================================== + +# +# Fixed length (n=6), unrolled PPC Montgomery Multiplication +# + +# 2021 +# +# Although this is a generic implementation for unrolling Montgomery +# Multiplication for arbitrary values of n, this is currently only +# used for n = 6 to improve the performance of ECC p384. +# +# Unrolling allows intermediate results to be stored in registers, +# rather than on the stack, improving performance by ~7% compared to +# the existing PPC assembly code. +# +# The ISA 3.0 implementation uses combination multiply/add +# instructions (maddld, maddhdu) to improve performance by an +# additional ~10% on Power 9. +# +# Finally, saving non-volatile registers into volatile vector +# registers instead of onto the stack saves a little more. +# +# On a Power 9 machine we see an overall improvement of ~18%. +# + +use strict; +use warnings; + +my ($flavour, $output, $dir, $xlate); + +# $output is the last argument if it looks like a file (it has an extension) +# $flavour is the first argument if it doesn't look like a file +$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; +$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? 
shift : undef; + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or +( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or +die "can't locate ppc-xlate.pl"; + +open STDOUT,"| $^X $xlate $flavour \"$output\"" + or die "can't call $xlate: $!"; + +if ($flavour !~ /64/) { + die "bad flavour ($flavour) - only ppc64 permitted"; +} + +my $SIZE_T= 8; + +# Registers are global so the code is remotely readable + +# Parameters for Montgomery multiplication +my $ze = "r0"; +my $sp = "r1"; +my $toc = "r2"; +my $rp = "r3"; +my $ap = "r4"; +my $bp = "r5"; +my $np = "r6"; +my $n0 = "r7"; +my $num = "r8"; + +my $i = "r9"; +my $c0 = "r10"; +my $bp0 = "r11"; +my $bpi = "r11"; +my $bpj = "r11"; +my $tj = "r12"; +my $apj = "r12"; +my $npj = "r12"; +my $lo = "r14"; +my $c1 = "r14"; + +# Non-volatile registers used for tp[i] +# +# 12 registers are available but the limit on unrolling is 10, +# since registers from $tp[0] to $tp[$n+1] are used. +my @tp = ("r20" .. "r31"); + +# volatile VSRs for saving non-volatile GPRs - faster than stack +my @vsrs = ("v32" .. "v46"); + +package Mont; + +sub new($$) +{ + my ($class, $n) = @_; + + if ($n > 10) { + die "Can't unroll for BN length ${n} (maximum 10)" + } + + my $self = { + code => "", + n => $n, + }; + bless $self, $class; + + return $self; +} + +sub add_code($$) +{ + my ($self, $c) = @_; + + $self->{code} .= $c; +} + +sub get_code($) +{ + my ($self) = @_; + + return $self->{code}; +} + +sub get_function_name($) +{ + my ($self) = @_; + + return "bn_mul_mont_fixed_n" . $self->{n}; +} + +sub get_label($$) +{ + my ($self, $l) = @_; + + return "L" . $l . "_" . 
$self->{n}; +} + +sub get_labels($@) +{ + my ($self, @labels) = @_; + + my %out = (); + + foreach my $l (@labels) { + $out{"$l"} = $self->get_label("$l"); + } + + return \%out; +} + +sub nl($) +{ + my ($self) = @_; + + $self->add_code("\n"); +} + +sub copy_result($) +{ + my ($self) = @_; + + my ($n) = $self->{n}; + + for (my $j = 0; $j < $n; $j++) { + $self->add_code(<<___); + std $tp[$j],`$j*$SIZE_T`($rp) +___ + } + +} + +sub mul_mont_fixed($) +{ + my ($self) = @_; + + my ($n) = $self->{n}; + my $fname = $self->get_function_name(); + my $label = $self->get_labels("outer", "enter", "sub", "copy", "end"); + + $self->add_code(<<___); + +.globl .${fname} +.align 5 +.${fname}: + +___ + + $self->save_registers(); + + $self->add_code(<<___); + li $ze,0 + ld $n0,0($n0) + + ld $bp0,0($bp) + + ld $apj,0($ap) +___ + + $self->mul_c_0($tp[0], $apj, $bp0, $c0); + + for (my $j = 1; $j < $n - 1; $j++) { + $self->add_code(<<___); + ld $apj,`$j*$SIZE_T`($ap) +___ + $self->mul($tp[$j], $apj, $bp0, $c0); + } + + $self->add_code(<<___); + ld $apj,`($n-1)*$SIZE_T`($ap) +___ + + $self->mul_last($tp[$n-1], $tp[$n], $apj, $bp0, $c0); + + $self->add_code(<<___); + li $tp[$n+1],0 + +___ + + $self->add_code(<<___); + li $i,0 + mtctr $num + b $label->{"enter"} + +.align 4 +$label->{"outer"}: + ldx $bpi,$bp,$i + + ld $apj,0($ap) +___ + + $self->mul_add_c_0($tp[0], $tp[0], $apj, $bpi, $c0); + + for (my $j = 1; $j < $n; $j++) { + $self->add_code(<<___); + ld $apj,`$j*$SIZE_T`($ap) +___ + $self->mul_add($tp[$j], $tp[$j], $apj, $bpi, $c0); + } + + $self->add_code(<<___); + addc $tp[$n],$tp[$n],$c0 + addze $tp[$n+1],$ze +___ + + $self->add_code(<<___); +.align 4 +$label->{"enter"}: + mulld $bpi,$tp[0],$n0 + + ld $npj,0($np) +___ + + $self->mul_add_c_0($lo, $tp[0], $bpi, $npj, $c0); + + for (my $j = 1; $j < $n; $j++) { + $self->add_code(<<___); + ld $npj,`$j*$SIZE_T`($np) +___ + $self->mul_add($tp[$j-1], $tp[$j], $npj, $bpi, $c0); + } + + $self->add_code(<<___); + addc $tp[$n-1],$tp[$n],$c0 + addze 
$tp[$n],$tp[$n+1] + + addi $i,$i,$SIZE_T + bdnz $label->{"outer"} + + and. $tp[$n],$tp[$n],$tp[$n] + bne $label->{"sub"} + + cmpld $tp[$n-1],$npj + blt $label->{"copy"} + +$label->{"sub"}: +___ + + # + # Reduction + # + + $self->add_code(<<___); + ld $bpj,`0*$SIZE_T`($np) + subfc $c1,$bpj,$tp[0] + std $c1,`0*$SIZE_T`($rp) + +___ + for (my $j = 1; $j < $n - 1; $j++) { + $self->add_code(<<___); + ld $bpj,`$j*$SIZE_T`($np) + subfe $c1,$bpj,$tp[$j] + std $c1,`$j*$SIZE_T`($rp) + +___ + } + + $self->add_code(<<___); + subfe $c1,$npj,$tp[$n-1] + std $c1,`($n-1)*$SIZE_T`($rp) + +___ + + $self->add_code(<<___); + addme. $tp[$n],$tp[$n] + beq $label->{"end"} + +$label->{"copy"}: +___ + + $self->copy_result(); + + $self->add_code(<<___); + +$label->{"end"}: +___ + + $self->restore_registers(); + + $self->add_code(<<___); + li r3,1 + blr +.size .${fname},.-.${fname} +___ + +} + +package Mont::GPR; + +our @ISA = ('Mont'); + +sub new($$) +{ + my ($class, $n) = @_; + + return $class->SUPER::new($n); +} + +sub save_registers($) +{ + my ($self) = @_; + + my $n = $self->{n}; + + $self->add_code(<<___); + std $lo,-8($sp) +___ + + for (my $j = 0; $j <= $n+1; $j++) { + $self->{code}.=<<___; + std $tp[$j],-`($j+2)*8`($sp) +___ + } + + $self->add_code(<<___); + +___ +} + +sub restore_registers($) +{ + my ($self) = @_; + + my $n = $self->{n}; + + $self->add_code(<<___); + ld $lo,-8($sp) +___ + + for (my $j = 0; $j <= $n+1; $j++) { + $self->{code}.=<<___; + ld $tp[$j],-`($j+2)*8`($sp) +___ + } + + $self->{code} .=<<___; + +___ +} + +# Direct translation of C mul() +sub mul($$$$$) +{ + my ($self, $r, $a, $w, $c) = @_; + + $self->add_code(<<___); + mulld $lo,$a,$w + addc $r,$lo,$c + mulhdu $c,$a,$w + addze $c,$c + +___ +} + +# Like mul() but $c is ignored as an input - an optimisation to save a +# preliminary instruction that would set input $c to 0 +sub mul_c_0($$$$$) +{ + my ($self, $r, $a, $w, $c) = @_; + + $self->add_code(<<___); + mulld $r,$a,$w + mulhdu $c,$a,$w + +___ +} + +# Like 
mul() but does not to the final addition of CA into $c - an +# optimisation to save an instruction +sub mul_last($$$$$$) +{ + my ($self, $r1, $r2, $a, $w, $c) = @_; + + $self->add_code(<<___); + mulld $lo,$a,$w + addc $r1,$lo,$c + mulhdu $c,$a,$w + + addze $r2,$c +___ +} + +# Like C mul_add() but allow $r_out and $r_in to be different +sub mul_add($$$$$$) +{ + my ($self, $r_out, $r_in, $a, $w, $c) = @_; + + $self->add_code(<<___); + mulld $lo,$a,$w + addc $lo,$lo,$c + mulhdu $c,$a,$w + addze $c,$c + addc $r_out,$r_in,$lo + addze $c,$c + +___ +} + +# Like mul_add() but $c is ignored as an input - an optimisation to save a +# preliminary instruction that would set input $c to 0 +sub mul_add_c_0($$$$$$) +{ + my ($self, $r_out, $r_in, $a, $w, $c) = @_; + + $self->add_code(<<___); + mulld $lo,$a,$w + addc $r_out,$r_in,$lo + mulhdu $c,$a,$w + addze $c,$c + +___ +} + +package Mont::GPR_300; + +our @ISA = ('Mont::GPR'); + +sub new($$) +{ + my ($class, $n) = @_; + + my $mont = $class->SUPER::new($n); + + return $mont; +} + +sub get_function_name($) +{ + my ($self) = @_; + + return "bn_mul_mont_300_fixed_n" . $self->{n}; +} + +sub get_label($$) +{ + my ($self, $l) = @_; + + return "L" . $l . "_300_" . 
$self->{n}; +} + +# Direct translation of C mul() +sub mul($$$$$) +{ + my ($self, $r, $a, $w, $c, $last) = @_; + + $self->add_code(<<___); + maddld $r,$a,$w,$c + maddhdu $c,$a,$w,$c + +___ +} + +# Save the last carry as the final entry +sub mul_last($$$$$) +{ + my ($self, $r1, $r2, $a, $w, $c) = @_; + + $self->add_code(<<___); + maddld $r1,$a,$w,$c + maddhdu $r2,$a,$w,$c + +___ +} + +# Like mul() but $c is ignored as an input - an optimisation to save a +# preliminary instruction that would set input $c to 0 +sub mul_c_0($$$$$) +{ + my ($self, $r, $a, $w, $c) = @_; + + $self->add_code(<<___); + mulld $r,$a,$w + mulhdu $c,$a,$w + +___ +} + +# Like C mul_add() but allow $r_out and $r_in to be different +sub mul_add($$$$$$) +{ + my ($self, $r_out, $r_in, $a, $w, $c) = @_; + + $self->add_code(<<___); + maddld $lo,$a,$w,$c + maddhdu $c,$a,$w,$c + addc $r_out,$r_in,$lo + addze $c,$c + +___ +} + +# Like mul_add() but $c is ignored as an input - an optimisation to save a +# preliminary instruction that would set input $c to 0 +sub mul_add_c_0($$$$$$) +{ + my ($self, $r_out, $r_in, $a, $w, $c) = @_; + + $self->add_code(<<___); + maddld $lo,$a,$w,$r_in + maddhdu $c,$a,$w,$r_in +___ + + if ($r_out ne $lo) { + $self->add_code(<<___); + mr $r_out,$lo +___ + } + + $self->nl(); +} + + +package main; + +my $code; + +$code.=<<___; +.machine "any" +.text +___ + +my $mont; + +$mont = new Mont::GPR(6); +$mont->mul_mont_fixed(); +$code .= $mont->get_code(); + +$mont = new Mont::GPR_300(6); +$mont->mul_mont_fixed(); +$code .= $mont->get_code(); + +$code =~ s/\`([^\`]*)\`/eval $1/gem; + +$code.=<<___; +.asciz "Montgomery Multiplication for PPC by , " +___ + +print $code; +close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/bn/asm/rsaz-avx512.pl b/crypto/bn/asm/rsaz-2k-avx512.pl similarity index 71% rename from crypto/bn/asm/rsaz-avx512.pl rename to crypto/bn/asm/rsaz-2k-avx512.pl index 8d1d19f6c..2ae7f70b7 100644 --- a/crypto/bn/asm/rsaz-avx512.pl 
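Review bot: The final reduction emitted by mul_mont_fixed() branches on the data: `and. $tp[$n],$tp[$n],$tp[$n]` / `bne`, `cmpld $tp[$n-1],$npj` / `blt` and `addme. $tp[$n],$tp[$n]` / `beq` decide whether the subtraction and the copy run from the value of the intermediate result, so the execution time and the store pattern of bn_mul_mont_fixed_n6 depend on the operands, and the header says this code serves ECC P-384, where those operands derive from private scalars. The other bn_mul_mont back ends I am aware of do this step branch-free (always subtract, then select with a mask), and the same is possible here with no extra registers: drop the `and.`/`cmpld` early-out, compute `addme $tp[$n],$tp[$n]` without the record bit, which is -1 exactly when tp must be kept and 0 when tp - np must be kept, and use it as an `and`/`andc`/`or` select mask over the difference already stored in rp, as sketched below. Two smaller points in the same new file: `@vsrs` (`"v32" .. "v46"`) is declared and the header comment describes saving non-volatile GPRs in volatile vector registers, yet save_registers()/restore_registers() only `std`/`ld` to the area below `$sp` — either the comment or the code is stale, and a note that this area is the ABI's volatile region below the stack pointer (usable because the function makes no calls) would explain why no frame is built; and Mont::GPR_300::mul() binds `($self, $r, $a, $w, $c, $last)` against a five-argument prototype with `$last` never read.
```perl
	$self->add_code(<<___);
	addi	$i,$i,$SIZE_T
	bdnz	$label->{"outer"}

___

	# … unchanged: subfc/subfe chain storing tp - np into rp …

	# Branch-free final reduction.  tp[n] + CA - 1 is 0 when tp - np
	# (already in rp) is the result and -1 (all ones) when tp itself
	# must be kept, so it serves directly as a select mask.
	# The "sub"/"copy"/"end" labels and the copy_result() call are no
	# longer needed.
	$self->add_code(<<___);
	addme	$tp[$n],$tp[$n]

___

	for (my $j = 0; $j < $n; $j++) {
		$self->add_code(<<___);
	ld	$c1,`$j*$SIZE_T`($rp)
	andc	$c1,$c1,$tp[$n]
	and	$bpj,$tp[$j],$tp[$n]
	or	$c1,$c1,$bpj
	std	$c1,`$j*$SIZE_T`($rp)

___
	}

	# … unchanged: restore_registers(), li r3,1, blr …
```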
+++ b/crypto/bn/asm/rsaz-2k-avx512.pl @@ -7,7 +7,8 @@ # https://www.openssl.org/source/license.html # # -# Originally written by Ilya Albrekht, Sergey Kirillov and Andrey Matyukov +# Originally written by Sergey Kirillov and Andrey Matyukov. +# Special thanks to Ilya Albrekht for his valuable hints. # Intel Corporation # # December 2020 
@@ -86,26 +87,29 @@ ############################################################################### # Almost Montgomery Multiplication (AMM) for 20-digit number in radix 2^52. # -# AMM is defined as presented in the paper -# "Efficient Software Implementations of Modular Exponentiation" by Shay Gueron. +# AMM is defined as presented in the paper [1]. # # The input and output are presented in 2^52 radix domain, i.e. # |res|, |a|, |b|, |m| are arrays of 20 64-bit qwords with 12 high bits zeroed. # |k0| is a Montgomery coefficient, which is here k0 = -1/m mod 2^64 -# (note, the implementation counts only 52 bits from it). # -# NB: the AMM implementation does not perform "conditional" subtraction step as -# specified in the original algorithm as according to the paper "Enhanced Montgomery -# Multiplication" by Shay Gueron (see Lemma 1), the result will be always < 2*2^1024 -# and can be used as a direct input to the next AMM iteration. -# This post-condition is true, provided the correct parameter |s| is choosen, i.e. -# s >= n + 2 * k, which matches our case: 1040 > 1024 + 2 * 1. +# NB: the AMM implementation does not perform "conditional" subtraction step +# specified in the original algorithm as according to the Lemma 1 from the paper +# [2], the result will be always < 2*m and can be used as a direct input to +# the next AMM iteration. This post-condition is true, provided the correct +# parameter |s| (notion of the Lemma 1 from [2]) is chosen, i.e. s >= n + 2 * k, +# which matches our case: 1040 > 1024 + 2 * 1. # -# void ossl_rsaz_amm52x20_x1_256(BN_ULONG *res, -# const BN_ULONG *a, -# const BN_ULONG *b, -# const BN_ULONG *m, -# BN_ULONG k0); +# [1] Gueron, S. Efficient software implementations of modular exponentiation. +# DOI: 10.1007/s13389-012-0031-5 +# [2] Gueron, S. Enhanced Montgomery Multiplication. 
+# DOI: 10.1007/3-540-36400-5_5 +# +# void ossl_rsaz_amm52x20_x1_ifma256(BN_ULONG *res, +# const BN_ULONG *a, +# const BN_ULONG *b, +# const BN_ULONG *m, +# BN_ULONG k0); ############################################################################### { # input parameters ("%rdi","%rsi","%rdx","%rcx","%r8") @@ -121,16 +125,13 @@ my $iter = "%ebx"; my $zero = "%ymm0"; -my ($R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0) = ("%ymm1", map("%ymm$_",(16..19))); -my ($R0_1,$R0_1h,$R1_1,$R1_1h,$R2_1) = ("%ymm2", map("%ymm$_",(20..23))); -my $Bi = "%ymm3"; -my $Yi = "%ymm4"; +my $Bi = "%ymm1"; +my $Yi = "%ymm2"; +my ($R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0) = ("%ymm3",map("%ymm$_",(16..19))); +my ($R0_1,$R0_1h,$R1_1,$R1_1h,$R2_1) = ("%ymm4",map("%ymm$_",(20..23))); # Registers mapping for normalization. -# We can reuse Bi, Yi registers here. -my $TMP = $Bi; -my $mask52x4 = $Yi; -my ($T0,$T0h,$T1,$T1h,$T2) = map("%ymm$_", (24..28)); +my ($T0,$T0h,$T1,$T1h,$T2) = ("$zero", "$Bi", "$Yi", map("%ymm$_", (25..26))); sub amm52x20_x1() { # _data_offset - offset in the |a| or |m| arrays pointing to the beginning @@ -199,16 +200,16 @@ () ___ } -# Normalization routine: handles carry bits in R0..R2 QWs and -# gets R0..R2 back to normalized 2^52 representation. +# Normalization routine: handles carry bits and gets bignum qwords to normalized +# 2^52 representation. # # Uses %r8-14,%e[bcd]x sub amm52x20_x1_norm { my ($_acc,$_R0,$_R0h,$_R1,$_R1h,$_R2) = @_; $code.=<<___; # Put accumulator to low qword in R0 - vpbroadcastq $_acc, $TMP - vpblendd \$3, $TMP, $_R0, $_R0 + vpbroadcastq $_acc, $T0 + vpblendd \$3, $T0, $_R0, $_R0 # Extract "carries" (12 high bits) from each QW of R0..R2 # Save them to LSB of QWs in T0..T2 
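Review bot: The normalization scratch registers become `($T0,$T0h,$T1,$T1h,$T2) = ("$zero", "$Bi", "$Yi", ...)`, so after the first amm52x20_x1_norm call the register still named `$zero` no longer holds zero (the following hunk compensates by switching `valignq` to `.Lzeros(%rip)`), and `$Bi`/`$Yi` are clobbered too; nothing at the alias site records this, and the name `$zero` invites a later use after normalization that would read garbage. A comment on the assignment would protect the invariant: `# NB: $zero, $Bi and $Yi are dead once the multiplication loop ends and are reused as normalization scratch; anything needing a zero vector after that point must use .Lzeros(%rip), not $zero.` The x2 routine runs the normalization twice back to back, which as far as the visible hunks show is fine only because the routine takes its zero from `.Lzeros` — worth saying in the same comment.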
@@ -223,14 +224,14 @@ sub amm52x20_x1_norm { valignq \$3, $T1, $T1h, $T1h valignq \$3, $T0h, $T1, $T1 valignq \$3, $T0, $T0h, $T0h - valignq \$3, $zero, $T0, $T0 + valignq \$3, .Lzeros(%rip), $T0, $T0 # Drop "carries" from R0..R2 QWs - vpandq $mask52x4, $_R0, $_R0 - vpandq $mask52x4, $_R0h, $_R0h - vpandq $mask52x4, $_R1, $_R1 - vpandq $mask52x4, $_R1h, $_R1h - vpandq $mask52x4, $_R2, $_R2 + vpandq .Lmask52x4(%rip), $_R0, $_R0 + vpandq .Lmask52x4(%rip), $_R0h, $_R0h + vpandq .Lmask52x4(%rip), $_R1, $_R1 + vpandq .Lmask52x4(%rip), $_R1h, $_R1h + vpandq .Lmask52x4(%rip), $_R2, $_R2 # Sum R0..R2 with corresponding adjusted carries vpaddq $T0, $_R0, $_R0 @@ -241,11 +242,11 @@ sub amm52x20_x1_norm { # Now handle carry bits from this addition # Get mask of QWs which 52-bit parts overflow... - vpcmpuq \$1, $_R0, $mask52x4, %k1 # OP=lt - vpcmpuq \$1, $_R0h, $mask52x4, %k2 - vpcmpuq \$1, $_R1, $mask52x4, %k3 - vpcmpuq \$1, $_R1h, $mask52x4, %k4 - vpcmpuq \$1, $_R2, $mask52x4, %k5 + vpcmpuq \$6, .Lmask52x4(%rip), $_R0, %k1 # OP=nle (i.e. gt) + vpcmpuq \$6, .Lmask52x4(%rip), $_R0h, %k2 + vpcmpuq \$6, .Lmask52x4(%rip), $_R1, %k3 + vpcmpuq \$6, .Lmask52x4(%rip), $_R1h, %k4 + vpcmpuq \$6, .Lmask52x4(%rip), $_R2, %k5 kmovb %k1, %r14d # k1 kmovb %k2, %r13d # k1h kmovb %k3, %r12d # k2 @@ -253,11 +254,11 @@ sub amm52x20_x1_norm { kmovb %k5, %r10d # k3 # ...or saturated - vpcmpuq \$0, $_R0, $mask52x4, %k1 # OP=eq - vpcmpuq \$0, $_R0h, $mask52x4, %k2 - vpcmpuq \$0, $_R1, $mask52x4, %k3 - vpcmpuq \$0, $_R1h, $mask52x4, %k4 - vpcmpuq \$0, $_R2, $mask52x4, %k5 + vpcmpuq \$0, .Lmask52x4(%rip), $_R0, %k1 # OP=eq + vpcmpuq \$0, .Lmask52x4(%rip), $_R0h, %k2 + vpcmpuq \$0, .Lmask52x4(%rip), $_R1, %k3 + vpcmpuq \$0, .Lmask52x4(%rip), $_R1h, %k4 + vpcmpuq \$0, .Lmask52x4(%rip), $_R2, %k5 kmovb %k1, %r9d # k4 kmovb %k2, %r8d # k4h kmovb %k3, %ebx # k5 
@@ -297,27 +298,27 @@ sub amm52x20_x1_norm { kmovb %r10d, %k5 # Add carries according to the obtained mask - vpsubq $mask52x4, $_R0, ${_R0}{%k1} - vpsubq $mask52x4, $_R0h, ${_R0h}{%k2} - vpsubq $mask52x4, $_R1, ${_R1}{%k3} - vpsubq $mask52x4, $_R1h, ${_R1h}{%k4} - vpsubq $mask52x4, $_R2, ${_R2}{%k5} - - vpandq $mask52x4, $_R0, $_R0 - vpandq $mask52x4, $_R0h, $_R0h - vpandq $mask52x4, $_R1, $_R1 - vpandq $mask52x4, $_R1h, $_R1h - vpandq $mask52x4, $_R2, $_R2 + vpsubq .Lmask52x4(%rip), $_R0, ${_R0}{%k1} + vpsubq .Lmask52x4(%rip), $_R0h, ${_R0h}{%k2} + vpsubq .Lmask52x4(%rip), $_R1, ${_R1}{%k3} + vpsubq .Lmask52x4(%rip), $_R1h, ${_R1h}{%k4} + vpsubq .Lmask52x4(%rip), $_R2, ${_R2}{%k5} + + vpandq .Lmask52x4(%rip), $_R0, $_R0 + vpandq .Lmask52x4(%rip), $_R0h, $_R0h + vpandq .Lmask52x4(%rip), $_R1, $_R1 + vpandq .Lmask52x4(%rip), $_R1h, $_R1h + vpandq .Lmask52x4(%rip), $_R2, $_R2 ___ } $code.=<<___; .text -.globl ossl_rsaz_amm52x20_x1_256 -.type ossl_rsaz_amm52x20_x1_256,\@function,5 +.globl ossl_rsaz_amm52x20_x1_ifma256 +.type ossl_rsaz_amm52x20_x1_ifma256,\@function,5 .align 32 -ossl_rsaz_amm52x20_x1_256: +ossl_rsaz_amm52x20_x1_ifma256: .cfi_startproc endbranch push %rbx @@ -332,7 +333,7 @@ sub amm52x20_x1_norm { .cfi_push %r14 push %r15 .cfi_push %r15 -.Lrsaz_amm52x20_x1_256_body: +.Lossl_rsaz_amm52x20_x1_ifma256_body: # Zeroing accumulators vpxord $zero, $zero, $zero @@ -360,17 +361,15 @@ sub amm52x20_x1_norm { lea `4*8`($b_ptr), $b_ptr dec $iter jne .Lloop5 - - vmovdqa64 .Lmask52x4(%rip), $mask52x4 ___ &amm52x20_x1_norm($acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0); $code.=<<___; - vmovdqu64 $R0_0, ($res) - vmovdqu64 $R0_0h, 32($res) - vmovdqu64 $R1_0, 64($res) - vmovdqu64 $R1_0h, 96($res) - vmovdqu64 $R2_0, 128($res) + vmovdqu64 $R0_0, `0*32`($res) + vmovdqu64 $R0_0h, `1*32`($res) + vmovdqu64 $R1_0, `2*32`($res) + vmovdqu64 $R1_0h, `3*32`($res) + vmovdqu64 $R2_0, `4*32`($res) vzeroupper mov 0(%rsp),%r15 
@@ -387,10 +386,10 @@ sub amm52x20_x1_norm { .cfi_restore %rbx lea 48(%rsp),%rsp .cfi_adjust_cfa_offset -48 -.Lrsaz_amm52x20_x1_256_epilogue: +.Lossl_rsaz_amm52x20_x1_ifma256_epilogue: ret .cfi_endproc -.size ossl_rsaz_amm52x20_x1_256, .-ossl_rsaz_amm52x20_x1_256 +.size ossl_rsaz_amm52x20_x1_ifma256, .-ossl_rsaz_amm52x20_x1_ifma256 ___ $code.=<<___; @@ -406,25 +405,25 @@ sub amm52x20_x1_norm { ############################################################################### # Dual Almost Montgomery Multiplication for 20-digit number in radix 2^52 # -# See description of ossl_rsaz_amm52x20_x1_256() above for details about Almost +# See description of ossl_rsaz_amm52x20_x1_ifma256() above for details about Almost # Montgomery Multiplication algorithm and function input parameters description. # # This function does two AMMs for two independent inputs, hence dual. # -# void ossl_rsaz_amm52x20_x2_256(BN_ULONG out[2][20], -# const BN_ULONG a[2][20], -# const BN_ULONG b[2][20], -# const BN_ULONG m[2][20], -# const BN_ULONG k0[2]); +# void ossl_rsaz_amm52x20_x2_ifma256(BN_ULONG out[2][20], +# const BN_ULONG a[2][20], +# const BN_ULONG b[2][20], +# const BN_ULONG m[2][20], +# const BN_ULONG k0[2]); ############################################################################### $code.=<<___; .text -.globl ossl_rsaz_amm52x20_x2_256 -.type ossl_rsaz_amm52x20_x2_256,\@function,5 +.globl ossl_rsaz_amm52x20_x2_ifma256 +.type ossl_rsaz_amm52x20_x2_ifma256,\@function,5 .align 32 -ossl_rsaz_amm52x20_x2_256: +ossl_rsaz_amm52x20_x2_ifma256: .cfi_startproc endbranch push %rbx @@ -439,7 +438,7 @@ sub amm52x20_x1_norm { .cfi_push %r14 push %r15 .cfi_push %r15 -.Lrsaz_amm52x20_x2_256_body: +.Lossl_rsaz_amm52x20_x2_ifma256_body: # Zeroing accumulators vpxord $zero, $zero, $zero 
@@ -472,24 +471,22 @@ sub amm52x20_x1_norm { lea 8($b_ptr), $b_ptr dec $iter jne .Lloop20 - - vmovdqa64 .Lmask52x4(%rip), $mask52x4 ___ &amm52x20_x1_norm($acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0); &amm52x20_x1_norm($acc0_1,$R0_1,$R0_1h,$R1_1,$R1_1h,$R2_1); $code.=<<___; - vmovdqu64 $R0_0, ($res) - vmovdqu64 $R0_0h, 32($res) - vmovdqu64 $R1_0, 64($res) - vmovdqu64 $R1_0h, 96($res) - vmovdqu64 $R2_0, 128($res) + vmovdqu64 $R0_0, `0*32`($res) + vmovdqu64 $R0_0h, `1*32`($res) + vmovdqu64 $R1_0, `2*32`($res) + vmovdqu64 $R1_0h, `3*32`($res) + vmovdqu64 $R2_0, `4*32`($res) - vmovdqu64 $R0_1, 160($res) - vmovdqu64 $R0_1h, 192($res) - vmovdqu64 $R1_1, 224($res) - vmovdqu64 $R1_1h, 256($res) - vmovdqu64 $R2_1, 288($res) + vmovdqu64 $R0_1, `5*32`($res) + vmovdqu64 $R0_1h, `6*32`($res) + vmovdqu64 $R1_1, `7*32`($res) + vmovdqu64 $R1_1h, `8*32`($res) + vmovdqu64 $R2_1, `9*32`($res) vzeroupper mov 0(%rsp),%r15 @@ -506,10 +503,10 @@ sub amm52x20_x1_norm { .cfi_restore %rbx lea 48(%rsp),%rsp .cfi_adjust_cfa_offset -48 -.Lrsaz_amm52x20_x2_256_epilogue: +.Lossl_rsaz_amm52x20_x2_ifma256_epilogue: ret .cfi_endproc -.size ossl_rsaz_amm52x20_x2_256, .-ossl_rsaz_amm52x20_x2_256 +.size ossl_rsaz_amm52x20_x2_ifma256, .-ossl_rsaz_amm52x20_x2_ifma256 ___ } 
@@ -517,77 +514,76 @@ sub amm52x20_x1_norm { # Constant time extraction from the precomputed table of powers base^i, where # i = 0..2^EXP_WIN_SIZE-1 # -# The input |red_table| contains precomputations for two independent base values, -# so the |tbl_idx| indicates for which base shall we extract the value. -# |red_table_idx| is a power index. +# The input |red_table| contains precomputations for two independent base values. +# |red_table_idx1| and |red_table_idx2| are corresponding power indexes. # -# Extracted value (output) is 20 digit number in 2^52 radix. +# Extracted value (output) is 2 20 digit numbers in 2^52 radix. # # void ossl_extract_multiplier_2x20_win5(BN_ULONG *red_Y, # const BN_ULONG red_table[1 << EXP_WIN_SIZE][2][20], -# int red_table_idx, -# int tbl_idx); # 0 or 1 +# int red_table_idx1, int red_table_idx2); # # EXP_WIN_SIZE = 5 ############################################################################### { # input parameters -my ($out,$red_tbl,$red_tbl_idx,$tbl_idx) = @_6_args_universal_ABI; +my ($out,$red_tbl,$red_tbl_idx1,$red_tbl_idx2)=$win64 ? 
("%rcx","%rdx","%r8", "%r9") : # Win64 order + ("%rdi","%rsi","%rdx","%rcx"); # Unix order -my ($t0,$t1,$t2,$t3,$t4) = map("%ymm$_", (0..4)); -my $t4xmm = $t4; -$t4xmm =~ s/%y/%x/; -my ($tmp0,$tmp1,$tmp2,$tmp3,$tmp4) = map("%ymm$_", (16..20)); -my ($cur_idx,$idx,$ones) = map("%ymm$_", (21..23)); +my ($t0,$t1,$t2,$t3,$t4,$t5) = map("%ymm$_", (0..5)); +my ($t6,$t7,$t8,$t9) = map("%ymm$_", (16..19)); +my ($tmp,$cur_idx,$idx1,$idx2,$ones) = map("%ymm$_", (20..24)); + +my @t = ($t0,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9); +my $t0xmm = $t0; +$t0xmm =~ s/%y/%x/; $code.=<<___; .text .align 32 .globl ossl_extract_multiplier_2x20_win5 -.type ossl_extract_multiplier_2x20_win5,\@function,4 +.type ossl_extract_multiplier_2x20_win5,\@abi-omnipotent ossl_extract_multiplier_2x20_win5: .cfi_startproc endbranch - leaq ($tbl_idx,$tbl_idx,4), %rax - salq \$5, %rax - addq %rax, $red_tbl - vmovdqa64 .Lones(%rip), $ones # broadcast ones - vpbroadcastq $red_tbl_idx, $idx + vpbroadcastq $red_tbl_idx1, $idx1 + vpbroadcastq $red_tbl_idx2, $idx2 leaq `(1<<5)*2*20*8`($red_tbl), %rax # holds end of the tbl - vpxor $t4xmm, $t4xmm, $t4xmm - vmovdqa64 $t4, $t3 # zeroing t0..4, cur_idx - vmovdqa64 $t4, $t2 - vmovdqa64 $t4, $t1 - vmovdqa64 $t4, $t0 - vmovdqa64 $t4, $cur_idx + # zeroing t0..n, cur_idx + vpxor $t0xmm, $t0xmm, $t0xmm + vmovdqa64 $t0, $cur_idx +___ +foreach (1..9) { + $code.="vmovdqa64 $t0, $t[$_] \n"; +} +$code.=<<___; .align 32 .Lloop: - vpcmpq \$0, $cur_idx, $idx, %k1 # mask of (idx == cur_idx) - addq \$320, $red_tbl # 320 = 2 * 20 digits * 8 bytes - vpaddq $ones, $cur_idx, $cur_idx # increment cur_idx - vmovdqu64 -320($red_tbl), $tmp0 # load data from red_tbl - vmovdqu64 -288($red_tbl), $tmp1 - vmovdqu64 -256($red_tbl), $tmp2 - vmovdqu64 -224($red_tbl), $tmp3 - vmovdqu64 -192($red_tbl), $tmp4 - vpblendmq $tmp0, $t0, ${t0}{%k1} # extract data when mask is not zero - vpblendmq $tmp1, $t1, ${t1}{%k1} - vpblendmq $tmp2, $t2, ${t2}{%k1} - vpblendmq $tmp3, $t3, ${t3}{%k1} - vpblendmq $tmp4, 
$t4, ${t4}{%k1} + vpcmpq \$0, $cur_idx, $idx1, %k1 # mask of (idx1 == cur_idx) + vpcmpq \$0, $cur_idx, $idx2, %k2 # mask of (idx2 == cur_idx) +___ +foreach (0..9) { + my $mask = $_<5?"%k1":"%k2"; +$code.=<<___; + vmovdqu64 `${_}*32`($red_tbl), $tmp # load data from red_tbl + vpblendmq $tmp, $t[$_], ${t[$_]}{$mask} # extract data when mask is not zero +___ +} +$code.=<<___; + vpaddq $ones, $cur_idx, $cur_idx # increment cur_idx + addq \$`2*20*8`, $red_tbl cmpq $red_tbl, %rax jne .Lloop - - vmovdqu64 $t0, ($out) # store t0..4 - vmovdqu64 $t1, 32($out) - vmovdqu64 $t2, 64($out) - vmovdqu64 $t3, 96($out) - vmovdqu64 $t4, 128($out) - +___ +# store t0..n +foreach (0..9) { + $code.="vmovdqu64 $t[$_], `${_}*32`($out) \n"; +} +$code.=<<___; ret .cfi_endproc .size ossl_extract_multiplier_2x20_win5, .-ossl_extract_multiplier_2x20_win5 @@ -597,6 +593,8 @@ sub amm52x20_x1_norm { .align 32 .Lones: .quad 1,1,1,1 +.Lzeros: + .quad 0,0,0,0 ___ } @@ -606,7 +604,7 @@ sub amm52x20_x1_norm { $context="%r8"; $disp="%r9"; -$code.=<<___ +$code.=<<___; .extern __imp_RtlVirtualUnwind .type rsaz_def_handler,\@abi-omnipotent .align 16 
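Review bot: The rewritten ossl_extract_multiplier_2x20_win5 switches to `\@abi-omnipotent` (no Win64 SEH prologue/epilogue, and the pdata/xdata entries are dropped in a later hunk) while holding its ten output vectors in `%ymm0..5` and `%ymm16..19` with scratch in `%ymm20..24`; that is correct on Win64 only because xmm6-xmm15 are callee-saved there and the mapping carefully avoids them, yet nothing says so, and a future tweak that grabs `%ymm6` would silently corrupt a caller's register on Windows. I would pin it with a comment at the `my ($t0,$t1,$t2,$t3,$t4,$t5) = map("%ymm$_", (0..5));` line: `# Register choice is deliberate: stay out of xmm6-15 (Win64 callee-saved) so this function can be abi-omnipotent with no save/restore.` Two minor points: the function returns with AVX-512 upper state live and, unlike the two AMM routines that end with `vzeroupper`, has none before `ret`; and the description line `Extracted value (output) is 2 20 digit numbers` reads better as `two 20-digit numbers`.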
@@ -697,32 +695,24 @@ sub amm52x20_x1_norm {
 .section .pdata
 .align 4
- .rva .LSEH_begin_ossl_rsaz_amm52x20_x1_256
- .rva .LSEH_end_ossl_rsaz_amm52x20_x1_256
- .rva .LSEH_info_ossl_rsaz_amm52x20_x1_256
-
- .rva .LSEH_begin_ossl_rsaz_amm52x20_x2_256
- .rva .LSEH_end_ossl_rsaz_amm52x20_x2_256
- .rva .LSEH_info_ossl_rsaz_amm52x20_x2_256
+ .rva .LSEH_begin_ossl_rsaz_amm52x20_x1_ifma256
+ .rva .LSEH_end_ossl_rsaz_amm52x20_x1_ifma256
+ .rva .LSEH_info_ossl_rsaz_amm52x20_x1_ifma256
- .rva .LSEH_begin_ossl_extract_multiplier_2x20_win5
- .rva .LSEH_end_ossl_extract_multiplier_2x20_win5
- .rva .LSEH_info_ossl_extract_multiplier_2x20_win5
+ .rva .LSEH_begin_ossl_rsaz_amm52x20_x2_ifma256
+ .rva .LSEH_end_ossl_rsaz_amm52x20_x2_ifma256
+ .rva .LSEH_info_ossl_rsaz_amm52x20_x2_ifma256
 .section .xdata
 .align 8
-.LSEH_info_ossl_rsaz_amm52x20_x1_256:
- .byte 9,0,0,0
- .rva rsaz_def_handler
- .rva .Lrsaz_amm52x20_x1_256_body,.Lrsaz_amm52x20_x1_256_epilogue
-.LSEH_info_ossl_rsaz_amm52x20_x2_256:
+.LSEH_info_ossl_rsaz_amm52x20_x1_ifma256:
 .byte 9,0,0,0
 .rva rsaz_def_handler
- .rva .Lrsaz_amm52x20_x2_256_body,.Lrsaz_amm52x20_x2_256_epilogue
-.LSEH_info_ossl_extract_multiplier_2x20_win5:
+ .rva .Lossl_rsaz_amm52x20_x1_ifma256_body,.Lossl_rsaz_amm52x20_x1_ifma256_epilogue
+.LSEH_info_ossl_rsaz_amm52x20_x2_ifma256:
 .byte 9,0,0,0
 .rva rsaz_def_handler
- .rva .LSEH_begin_ossl_extract_multiplier_2x20_win5,.LSEH_begin_ossl_extract_multiplier_2x20_win5
+ .rva .Lossl_rsaz_amm52x20_x2_ifma256_body,.Lossl_rsaz_amm52x20_x2_ifma256_epilogue
 ___
 }
 }}} else {{{ # fallback for old assembler
@@ -736,16 +726,16 @@ sub amm52x20_x1_norm {
 ret
 .size ossl_rsaz_avx512ifma_eligible, .-ossl_rsaz_avx512ifma_eligible
-.globl ossl_rsaz_amm52x20_x1_256
-.globl ossl_rsaz_amm52x20_x2_256
+.globl ossl_rsaz_amm52x20_x1_ifma256
+.globl ossl_rsaz_amm52x20_x2_ifma256
 .globl ossl_extract_multiplier_2x20_win5
-.type ossl_rsaz_amm52x20_x1_256,\@abi-omnipotent
-ossl_rsaz_amm52x20_x1_256:
-ossl_rsaz_amm52x20_x2_256:
+.type ossl_rsaz_amm52x20_x1_ifma256,\@abi-omnipotent
+ossl_rsaz_amm52x20_x1_ifma256:
+ossl_rsaz_amm52x20_x2_ifma256:
 ossl_extract_multiplier_2x20_win5:
 .byte 0x0f,0x0b # ud2
 ret
-.size ossl_rsaz_amm52x20_x1_256, .-ossl_rsaz_amm52x20_x1_256
+.size ossl_rsaz_amm52x20_x1_ifma256, .-ossl_rsaz_amm52x20_x1_ifma256
 ___
 }}}
diff --git a/crypto/bn/asm/rsaz-3k-avx512.pl b/crypto/bn/asm/rsaz-3k-avx512.pl
new file mode 100644
index 000000000..ef82beef0
--- /dev/null
+++ b/crypto/bn/asm/rsaz-3k-avx512.pl
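Review bot: Dropping the `.pdata`/`.xdata` entries for `ossl_extract_multiplier_2x20_win5` is only safe because the function, as rewritten in the earlier hunk, is a leaf that touches no stack slots and uses only registers the Win64 ABI treats as volatile (`%ymm0-5`, `%ymm16-24`); nothing in the file records that invariant, so a later edit that spills or pushes in that function would silently lose unwind coverage. I would pin it next to the `.type ossl_extract_multiplier_2x20_win5,\@abi-omnipotent` line with a comment such as `# abi-omnipotent, no SEH entry: leaf function, no stack use, volatile registers only (ymm0-5, ymm16-24)`. That `.type` line lives in an earlier hunk that starts outside this view.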
@@ -0,0 +1,874 @@ +# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright (c) 2021, Intel Corporation. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html +# +# +# Originally written by Sergey Kirillov and Andrey Matyukov +# Intel Corporation +# +# March 2021 +# +# Initial release. +# +# Implementation utilizes 256-bit (ymm) registers to avoid frequency scaling issues. +# +# IceLake-Client @ 1.3GHz +# |---------+-----------------------+---------------+-------------| +# | | OpenSSL 3.0.0-alpha15 | this | Unit | +# |---------+-----------------------+---------------+-------------| +# | rsa3072 | 6 397 637 | 2 866 593 | cycles/sign | +# | | 203.2 | 453.5 / +123% | sign/s | +# |---------+-----------------------+---------------+-------------| +# + +# $output is the last argument if it looks like a file (it has an extension) +# $flavour is the first argument if it doesn't look like a file +$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; +$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? 
shift : undef; + +$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/); +$avx512ifma=0; + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or +( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or +die "can't locate x86_64-xlate.pl"; + +if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1` + =~ /GNU assembler version ([2-9]\.[0-9]+)/) { + $avx512ifma = ($1>=2.26); +} + +if (!$avx512 && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) && + `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)(?:\.([0-9]+))?/) { + $avx512ifma = ($1==2.11 && $2>=8) + ($1>=2.12); +} + +if (!$avx512 && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) { + $avx512ifma = ($2>=7.0); +} + +open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\"" + or die "can't call $xlate: $!"; +*STDOUT=*OUT; + +if ($avx512ifma>0) {{{ +@_6_args_universal_ABI = ("%rdi","%rsi","%rdx","%rcx","%r8","%r9"); + +############################################################################### +# Almost Montgomery Multiplication (AMM) for 30-digit number in radix 2^52. +# +# AMM is defined as presented in the paper [1]. +# +# The input and output are presented in 2^52 radix domain, i.e. +# |res|, |a|, |b|, |m| are arrays of 32 64-bit qwords with 12 high bits zeroed +# +# NOTE: the function uses zero-padded data - 2 high QWs is a padding. +# +# |k0| is a Montgomery coefficient, which is here k0 = -1/m mod 2^64 +# +# NB: the AMM implementation does not perform "conditional" subtraction step +# specified in the original algorithm as according to the Lemma 1 from the paper +# [2], the result will be always < 2*m and can be used as a direct input to +# the next AMM iteration. This post-condition is true, provided the correct +# parameter |s| (notion of the Lemma 1 from [2]) is chosen, i.e. s >= n + 2 * k, +# which matches our case: 1560 > 1536 + 2 * 1. +# +# [1] Gueron, S. 
Efficient software implementations of modular exponentiation. +# DOI: 10.1007/s13389-012-0031-5 +# [2] Gueron, S. Enhanced Montgomery Multiplication. +# DOI: 10.1007/3-540-36400-5_5 +# +# void ossl_rsaz_amm52x30_x1_ifma256(BN_ULONG *res, +# const BN_ULONG *a, +# const BN_ULONG *b, +# const BN_ULONG *m, +# BN_ULONG k0); +############################################################################### +{ +# input parameters ("%rdi","%rsi","%rdx","%rcx","%r8") +my ($res,$a,$b,$m,$k0) = @_6_args_universal_ABI; + +my $mask52 = "%rax"; +my $acc0_0 = "%r9"; +my $acc0_0_low = "%r9d"; +my $acc0_1 = "%r15"; +my $acc0_1_low = "%r15d"; +my $b_ptr = "%r11"; + +my $iter = "%ebx"; + +my $zero = "%ymm0"; +my $Bi = "%ymm1"; +my $Yi = "%ymm2"; +my ($R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h) = map("%ymm$_",(3..10)); +my ($R0_1,$R0_1h,$R1_1,$R1_1h,$R2_1,$R2_1h,$R3_1,$R3_1h) = map("%ymm$_",(11..18)); + +# Registers mapping for normalization +my ($T0,$T0h,$T1,$T1h,$T2,$T2h,$T3,$T3h) = ("$zero", "$Bi", "$Yi", map("%ymm$_", (19..23))); + +sub amm52x30_x1() { +# _data_offset - offset in the |a| or |m| arrays pointing to the beginning +# of data for corresponding AMM operation; +# _b_offset - offset in the |b| array pointing to the next qword digit; +my ($_data_offset,$_b_offset,$_acc,$_R0,$_R0h,$_R1,$_R1h,$_R2,$_R2h,$_R3,$_R3h,$_k0) = @_; +my $_R0_xmm = $_R0; +$_R0_xmm =~ s/%y/%x/; +$code.=<<___; + movq $_b_offset($b_ptr), %r13 # b[i] + + vpbroadcastq %r13, $Bi # broadcast b[i] + movq $_data_offset($a), %rdx + mulx %r13, %r13, %r12 # a[0]*b[i] = (t0,t2) + addq %r13, $_acc # acc += t0 + movq %r12, %r10 + adcq \$0, %r10 # t2 += CF + + movq $_k0, %r13 + imulq $_acc, %r13 # acc * k0 + andq $mask52, %r13 # yi = (acc * k0) & mask52 + + vpbroadcastq %r13, $Yi # broadcast y[i] + movq $_data_offset($m), %rdx + mulx %r13, %r13, %r12 # yi * m[0] = (t0,t1) + addq %r13, $_acc # acc += t0 + adcq %r12, %r10 # t2 += (t1 + CF) + + shrq \$52, $_acc + salq \$12, %r10 + or %r10, $_acc # acc = ((acc 
>> 52) | (t2 << 12)) + + vpmadd52luq `$_data_offset+64*0`($a), $Bi, $_R0 + vpmadd52luq `$_data_offset+64*0+32`($a), $Bi, $_R0h + vpmadd52luq `$_data_offset+64*1`($a), $Bi, $_R1 + vpmadd52luq `$_data_offset+64*1+32`($a), $Bi, $_R1h + vpmadd52luq `$_data_offset+64*2`($a), $Bi, $_R2 + vpmadd52luq `$_data_offset+64*2+32`($a), $Bi, $_R2h + vpmadd52luq `$_data_offset+64*3`($a), $Bi, $_R3 + vpmadd52luq `$_data_offset+64*3+32`($a), $Bi, $_R3h + + vpmadd52luq `$_data_offset+64*0`($m), $Yi, $_R0 + vpmadd52luq `$_data_offset+64*0+32`($m), $Yi, $_R0h + vpmadd52luq `$_data_offset+64*1`($m), $Yi, $_R1 + vpmadd52luq `$_data_offset+64*1+32`($m), $Yi, $_R1h + vpmadd52luq `$_data_offset+64*2`($m), $Yi, $_R2 + vpmadd52luq `$_data_offset+64*2+32`($m), $Yi, $_R2h + vpmadd52luq `$_data_offset+64*3`($m), $Yi, $_R3 + vpmadd52luq `$_data_offset+64*3+32`($m), $Yi, $_R3h + + # Shift accumulators right by 1 qword, zero extending the highest one + valignq \$1, $_R0, $_R0h, $_R0 + valignq \$1, $_R0h, $_R1, $_R0h + valignq \$1, $_R1, $_R1h, $_R1 + valignq \$1, $_R1h, $_R2, $_R1h + valignq \$1, $_R2, $_R2h, $_R2 + valignq \$1, $_R2h, $_R3, $_R2h + valignq \$1, $_R3, $_R3h, $_R3 + valignq \$1, $_R3h, $zero, $_R3h + + vmovq $_R0_xmm, %r13 + addq %r13, $_acc # acc += R0[0] + + vpmadd52huq `$_data_offset+64*0`($a), $Bi, $_R0 + vpmadd52huq `$_data_offset+64*0+32`($a), $Bi, $_R0h + vpmadd52huq `$_data_offset+64*1`($a), $Bi, $_R1 + vpmadd52huq `$_data_offset+64*1+32`($a), $Bi, $_R1h + vpmadd52huq `$_data_offset+64*2`($a), $Bi, $_R2 + vpmadd52huq `$_data_offset+64*2+32`($a), $Bi, $_R2h + vpmadd52huq `$_data_offset+64*3`($a), $Bi, $_R3 + vpmadd52huq `$_data_offset+64*3+32`($a), $Bi, $_R3h + + vpmadd52huq `$_data_offset+64*0`($m), $Yi, $_R0 + vpmadd52huq `$_data_offset+64*0+32`($m), $Yi, $_R0h + vpmadd52huq `$_data_offset+64*1`($m), $Yi, $_R1 + vpmadd52huq `$_data_offset+64*1+32`($m), $Yi, $_R1h + vpmadd52huq `$_data_offset+64*2`($m), $Yi, $_R2 + vpmadd52huq `$_data_offset+64*2+32`($m), $Yi, $_R2h + 
vpmadd52huq `$_data_offset+64*3`($m), $Yi, $_R3 + vpmadd52huq `$_data_offset+64*3+32`($m), $Yi, $_R3h +___ +} + +# Normalization routine: handles carry bits and gets bignum qwords to normalized +# 2^52 representation. +# +# Uses %r8-14,%e[abcd]x +sub amm52x30_x1_norm { +my ($_acc,$_R0,$_R0h,$_R1,$_R1h,$_R2,$_R2h,$_R3,$_R3h) = @_; +$code.=<<___; + # Put accumulator to low qword in R0 + vpbroadcastq $_acc, $T0 + vpblendd \$3, $T0, $_R0, $_R0 + + # Extract "carries" (12 high bits) from each QW of the bignum + # Save them to LSB of QWs in T0..Tn + vpsrlq \$52, $_R0, $T0 + vpsrlq \$52, $_R0h, $T0h + vpsrlq \$52, $_R1, $T1 + vpsrlq \$52, $_R1h, $T1h + vpsrlq \$52, $_R2, $T2 + vpsrlq \$52, $_R2h, $T2h + vpsrlq \$52, $_R3, $T3 + vpsrlq \$52, $_R3h, $T3h + + # "Shift left" T0..Tn by 1 QW + valignq \$3, $T3, $T3h, $T3h + valignq \$3, $T2h, $T3, $T3 + valignq \$3, $T2, $T2h, $T2h + valignq \$3, $T1h, $T2, $T2 + valignq \$3, $T1, $T1h, $T1h + valignq \$3, $T0h, $T1, $T1 + valignq \$3, $T0, $T0h, $T0h + valignq \$3, .Lzeros(%rip), $T0, $T0 + + # Drop "carries" from R0..Rn QWs + vpandq .Lmask52x4(%rip), $_R0, $_R0 + vpandq .Lmask52x4(%rip), $_R0h, $_R0h + vpandq .Lmask52x4(%rip), $_R1, $_R1 + vpandq .Lmask52x4(%rip), $_R1h, $_R1h + vpandq .Lmask52x4(%rip), $_R2, $_R2 + vpandq .Lmask52x4(%rip), $_R2h, $_R2h + vpandq .Lmask52x4(%rip), $_R3, $_R3 + vpandq .Lmask52x4(%rip), $_R3h, $_R3h + + # Sum R0..Rn with corresponding adjusted carries + vpaddq $T0, $_R0, $_R0 + vpaddq $T0h, $_R0h, $_R0h + vpaddq $T1, $_R1, $_R1 + vpaddq $T1h, $_R1h, $_R1h + vpaddq $T2, $_R2, $_R2 + vpaddq $T2h, $_R2h, $_R2h + vpaddq $T3, $_R3, $_R3 + vpaddq $T3h, $_R3h, $_R3h + + # Now handle carry bits from this addition + # Get mask of QWs whose 52-bit parts overflow + vpcmpuq \$6,.Lmask52x4(%rip),${_R0},%k1 # OP=nle (i.e. 
gt) + vpcmpuq \$6,.Lmask52x4(%rip),${_R0h},%k2 + kmovb %k1,%r14d + kmovb %k2,%r13d + shl \$4,%r13b + or %r13b,%r14b + + vpcmpuq \$6,.Lmask52x4(%rip),${_R1},%k1 + vpcmpuq \$6,.Lmask52x4(%rip),${_R1h},%k2 + kmovb %k1,%r13d + kmovb %k2,%r12d + shl \$4,%r12b + or %r12b,%r13b + + vpcmpuq \$6,.Lmask52x4(%rip),${_R2},%k1 + vpcmpuq \$6,.Lmask52x4(%rip),${_R2h},%k2 + kmovb %k1,%r12d + kmovb %k2,%r11d + shl \$4,%r11b + or %r11b,%r12b + + vpcmpuq \$6,.Lmask52x4(%rip),${_R3},%k1 + vpcmpuq \$6,.Lmask52x4(%rip),${_R3h},%k2 + kmovb %k1,%r11d + kmovb %k2,%r10d + shl \$4,%r10b + or %r10b,%r11b + + addb %r14b,%r14b + adcb %r13b,%r13b + adcb %r12b,%r12b + adcb %r11b,%r11b + + # Get mask of QWs whose 52-bit parts saturated + vpcmpuq \$0,.Lmask52x4(%rip),${_R0},%k1 # OP=eq + vpcmpuq \$0,.Lmask52x4(%rip),${_R0h},%k2 + kmovb %k1,%r9d + kmovb %k2,%r8d + shl \$4,%r8b + or %r8b,%r9b + + vpcmpuq \$0,.Lmask52x4(%rip),${_R1},%k1 + vpcmpuq \$0,.Lmask52x4(%rip),${_R1h},%k2 + kmovb %k1,%r8d + kmovb %k2,%edx + shl \$4,%dl + or %dl,%r8b + + vpcmpuq \$0,.Lmask52x4(%rip),${_R2},%k1 + vpcmpuq \$0,.Lmask52x4(%rip),${_R2h},%k2 + kmovb %k1,%edx + kmovb %k2,%ecx + shl \$4,%cl + or %cl,%dl + + vpcmpuq \$0,.Lmask52x4(%rip),${_R3},%k1 + vpcmpuq \$0,.Lmask52x4(%rip),${_R3h},%k2 + kmovb %k1,%ecx + kmovb %k2,%ebx + shl \$4,%bl + or %bl,%cl + + addb %r9b,%r14b + adcb %r8b,%r13b + adcb %dl,%r12b + adcb %cl,%r11b + + xor %r9b,%r14b + xor %r8b,%r13b + xor %dl,%r12b + xor %cl,%r11b + + kmovb %r14d,%k1 + shr \$4,%r14b + kmovb %r14d,%k2 + kmovb %r13d,%k3 + shr \$4,%r13b + kmovb %r13d,%k4 + kmovb %r12d,%k5 + shr \$4,%r12b + kmovb %r12d,%k6 + kmovb %r11d,%k7 + + vpsubq .Lmask52x4(%rip), $_R0, ${_R0}{%k1} + vpsubq .Lmask52x4(%rip), $_R0h, ${_R0h}{%k2} + vpsubq .Lmask52x4(%rip), $_R1, ${_R1}{%k3} + vpsubq .Lmask52x4(%rip), $_R1h, ${_R1h}{%k4} + vpsubq .Lmask52x4(%rip), $_R2, ${_R2}{%k5} + vpsubq .Lmask52x4(%rip), $_R2h, ${_R2h}{%k6} + vpsubq .Lmask52x4(%rip), $_R3, ${_R3}{%k7} + + vpandq .Lmask52x4(%rip), $_R0, $_R0 + 
vpandq .Lmask52x4(%rip), $_R0h, $_R0h + vpandq .Lmask52x4(%rip), $_R1, $_R1 + vpandq .Lmask52x4(%rip), $_R1h, $_R1h + vpandq .Lmask52x4(%rip), $_R2, $_R2 + vpandq .Lmask52x4(%rip), $_R2h, $_R2h + vpandq .Lmask52x4(%rip), $_R3, $_R3 + + shr \$4,%r11b + kmovb %r11d,%k1 + + vpsubq .Lmask52x4(%rip), $_R3h, ${_R3h}{%k1} + + vpandq .Lmask52x4(%rip), $_R3h, $_R3h +___ +} + +$code.=<<___; +.text + +.globl ossl_rsaz_amm52x30_x1_ifma256 +.type ossl_rsaz_amm52x30_x1_ifma256,\@function,5 +.align 32 +ossl_rsaz_amm52x30_x1_ifma256: +.cfi_startproc + endbranch + push %rbx +.cfi_push %rbx + push %rbp +.cfi_push %rbp + push %r12 +.cfi_push %r12 + push %r13 +.cfi_push %r13 + push %r14 +.cfi_push %r14 + push %r15 +.cfi_push %r15 +___ +$code.=<<___ if ($win64); + lea -168(%rsp),%rsp # 16*10 + (8 bytes to get correct 16-byte SIMD alignment) + vmovdqa64 %xmm6, `0*16`(%rsp) # save non-volatile registers + vmovdqa64 %xmm7, `1*16`(%rsp) + vmovdqa64 %xmm8, `2*16`(%rsp) + vmovdqa64 %xmm9, `3*16`(%rsp) + vmovdqa64 %xmm10,`4*16`(%rsp) + vmovdqa64 %xmm11,`5*16`(%rsp) + vmovdqa64 %xmm12,`6*16`(%rsp) + vmovdqa64 %xmm13,`7*16`(%rsp) + vmovdqa64 %xmm14,`8*16`(%rsp) + vmovdqa64 %xmm15,`9*16`(%rsp) +.Lossl_rsaz_amm52x30_x1_ifma256_body: +___ +$code.=<<___; + # Zeroing accumulators + vpxord $zero, $zero, $zero + vmovdqa64 $zero, $R0_0 + vmovdqa64 $zero, $R0_0h + vmovdqa64 $zero, $R1_0 + vmovdqa64 $zero, $R1_0h + vmovdqa64 $zero, $R2_0 + vmovdqa64 $zero, $R2_0h + vmovdqa64 $zero, $R3_0 + vmovdqa64 $zero, $R3_0h + + xorl $acc0_0_low, $acc0_0_low + + movq $b, $b_ptr # backup address of b + movq \$0xfffffffffffff, $mask52 # 52-bit mask + + # Loop over 30 digits unrolled by 4 + mov \$7, $iter + +.align 32 +.Lloop7: +___ + foreach my $idx (0..3) { + &amm52x30_x1(0,8*$idx,$acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h,$k0); + } +$code.=<<___; + lea `4*8`($b_ptr), $b_ptr + dec $iter + jne .Lloop7 +___ + &amm52x30_x1(0,8*0,$acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h,$k0); + 
&amm52x30_x1(0,8*1,$acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h,$k0); + + &amm52x30_x1_norm($acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h); +$code.=<<___; + + vmovdqu64 $R0_0, `0*32`($res) + vmovdqu64 $R0_0h, `1*32`($res) + vmovdqu64 $R1_0, `2*32`($res) + vmovdqu64 $R1_0h, `3*32`($res) + vmovdqu64 $R2_0, `4*32`($res) + vmovdqu64 $R2_0h, `5*32`($res) + vmovdqu64 $R3_0, `6*32`($res) + vmovdqu64 $R3_0h, `7*32`($res) + + vzeroupper + lea (%rsp),%rax +.cfi_def_cfa_register %rax +___ +$code.=<<___ if ($win64); + vmovdqa64 `0*16`(%rax),%xmm6 + vmovdqa64 `1*16`(%rax),%xmm7 + vmovdqa64 `2*16`(%rax),%xmm8 + vmovdqa64 `3*16`(%rax),%xmm9 + vmovdqa64 `4*16`(%rax),%xmm10 + vmovdqa64 `5*16`(%rax),%xmm11 + vmovdqa64 `6*16`(%rax),%xmm12 + vmovdqa64 `7*16`(%rax),%xmm13 + vmovdqa64 `8*16`(%rax),%xmm14 + vmovdqa64 `9*16`(%rax),%xmm15 + lea 168(%rsp),%rax +___ +$code.=<<___; + mov 0(%rax),%r15 +.cfi_restore %r15 + mov 8(%rax),%r14 +.cfi_restore %r14 + mov 16(%rax),%r13 +.cfi_restore %r13 + mov 24(%rax),%r12 +.cfi_restore %r12 + mov 32(%rax),%rbp +.cfi_restore %rbp + mov 40(%rax),%rbx +.cfi_restore %rbx + lea 48(%rax),%rsp # restore rsp +.cfi_def_cfa %rsp,8 +.Lossl_rsaz_amm52x30_x1_ifma256_epilogue: + ret +.cfi_endproc +.size ossl_rsaz_amm52x30_x1_ifma256, .-ossl_rsaz_amm52x30_x1_ifma256 +___ + +$code.=<<___; +.data +.align 32 +.Lmask52x4: + .quad 0xfffffffffffff + .quad 0xfffffffffffff + .quad 0xfffffffffffff + .quad 0xfffffffffffff +___ + +############################################################################### +# Dual Almost Montgomery Multiplication for 30-digit number in radix 2^52 +# +# See description of ossl_rsaz_amm52x30_x1_ifma256() above for details about Almost +# Montgomery Multiplication algorithm and function input parameters description. +# +# This function does two AMMs for two independent inputs, hence dual. +# +# NOTE: the function uses zero-padded data - 2 high QWs is a padding. 
+# +# void ossl_rsaz_amm52x30_x2_ifma256(BN_ULONG out[2][32], +# const BN_ULONG a[2][32], +# const BN_ULONG b[2][32], +# const BN_ULONG m[2][32], +# const BN_ULONG k0[2]); +############################################################################### + +$code.=<<___; +.text + +.globl ossl_rsaz_amm52x30_x2_ifma256 +.type ossl_rsaz_amm52x30_x2_ifma256,\@function,5 +.align 32 +ossl_rsaz_amm52x30_x2_ifma256: +.cfi_startproc + endbranch + push %rbx +.cfi_push %rbx + push %rbp +.cfi_push %rbp + push %r12 +.cfi_push %r12 + push %r13 +.cfi_push %r13 + push %r14 +.cfi_push %r14 + push %r15 +.cfi_push %r15 +___ +$code.=<<___ if ($win64); + lea -168(%rsp),%rsp + vmovdqa64 %xmm6, `0*16`(%rsp) # save non-volatile registers + vmovdqa64 %xmm7, `1*16`(%rsp) + vmovdqa64 %xmm8, `2*16`(%rsp) + vmovdqa64 %xmm9, `3*16`(%rsp) + vmovdqa64 %xmm10,`4*16`(%rsp) + vmovdqa64 %xmm11,`5*16`(%rsp) + vmovdqa64 %xmm12,`6*16`(%rsp) + vmovdqa64 %xmm13,`7*16`(%rsp) + vmovdqa64 %xmm14,`8*16`(%rsp) + vmovdqa64 %xmm15,`9*16`(%rsp) +.Lossl_rsaz_amm52x30_x2_ifma256_body: +___ +$code.=<<___; + # Zeroing accumulators + vpxord $zero, $zero, $zero + vmovdqa64 $zero, $R0_0 + vmovdqa64 $zero, $R0_0h + vmovdqa64 $zero, $R1_0 + vmovdqa64 $zero, $R1_0h + vmovdqa64 $zero, $R2_0 + vmovdqa64 $zero, $R2_0h + vmovdqa64 $zero, $R3_0 + vmovdqa64 $zero, $R3_0h + + vmovdqa64 $zero, $R0_1 + vmovdqa64 $zero, $R0_1h + vmovdqa64 $zero, $R1_1 + vmovdqa64 $zero, $R1_1h + vmovdqa64 $zero, $R2_1 + vmovdqa64 $zero, $R2_1h + vmovdqa64 $zero, $R3_1 + vmovdqa64 $zero, $R3_1h + + + xorl $acc0_0_low, $acc0_0_low + xorl $acc0_1_low, $acc0_1_low + + movq $b, $b_ptr # backup address of b + movq \$0xfffffffffffff, $mask52 # 52-bit mask + + mov \$30, $iter + +.align 32 +.Lloop30: +___ + &amm52x30_x1( 0, 0,$acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h,"($k0)"); + # 32*8 = offset of the next dimension in two-dimension array + &amm52x30_x1(32*8,32*8,$acc0_1,$R0_1,$R0_1h,$R1_1,$R1_1h,$R2_1,$R2_1h,$R3_1,$R3_1h,"8($k0)"); 
+$code.=<<___; + lea 8($b_ptr), $b_ptr + dec $iter + jne .Lloop30 +___ + &amm52x30_x1_norm($acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h); + &amm52x30_x1_norm($acc0_1,$R0_1,$R0_1h,$R1_1,$R1_1h,$R2_1,$R2_1h,$R3_1,$R3_1h); +$code.=<<___; + + vmovdqu64 $R0_0, `0*32`($res) + vmovdqu64 $R0_0h, `1*32`($res) + vmovdqu64 $R1_0, `2*32`($res) + vmovdqu64 $R1_0h, `3*32`($res) + vmovdqu64 $R2_0, `4*32`($res) + vmovdqu64 $R2_0h, `5*32`($res) + vmovdqu64 $R3_0, `6*32`($res) + vmovdqu64 $R3_0h, `7*32`($res) + + vmovdqu64 $R0_1, `8*32`($res) + vmovdqu64 $R0_1h, `9*32`($res) + vmovdqu64 $R1_1, `10*32`($res) + vmovdqu64 $R1_1h, `11*32`($res) + vmovdqu64 $R2_1, `12*32`($res) + vmovdqu64 $R2_1h, `13*32`($res) + vmovdqu64 $R3_1, `14*32`($res) + vmovdqu64 $R3_1h, `15*32`($res) + + vzeroupper + lea (%rsp),%rax +.cfi_def_cfa_register %rax +___ +$code.=<<___ if ($win64); + vmovdqa64 `0*16`(%rax),%xmm6 + vmovdqa64 `1*16`(%rax),%xmm7 + vmovdqa64 `2*16`(%rax),%xmm8 + vmovdqa64 `3*16`(%rax),%xmm9 + vmovdqa64 `4*16`(%rax),%xmm10 + vmovdqa64 `5*16`(%rax),%xmm11 + vmovdqa64 `6*16`(%rax),%xmm12 + vmovdqa64 `7*16`(%rax),%xmm13 + vmovdqa64 `8*16`(%rax),%xmm14 + vmovdqa64 `9*16`(%rax),%xmm15 + lea 168(%rsp),%rax +___ +$code.=<<___; + mov 0(%rax),%r15 +.cfi_restore %r15 + mov 8(%rax),%r14 +.cfi_restore %r14 + mov 16(%rax),%r13 +.cfi_restore %r13 + mov 24(%rax),%r12 +.cfi_restore %r12 + mov 32(%rax),%rbp +.cfi_restore %rbp + mov 40(%rax),%rbx +.cfi_restore %rbx + lea 48(%rax),%rsp +.cfi_def_cfa %rsp,8 +.Lossl_rsaz_amm52x30_x2_ifma256_epilogue: + ret +.cfi_endproc +.size ossl_rsaz_amm52x30_x2_ifma256, .-ossl_rsaz_amm52x30_x2_ifma256 +___ +} + +############################################################################### +# Constant time extraction from the precomputed table of powers base^i, where +# i = 0..2^EXP_WIN_SIZE-1 +# +# The input |red_table| contains precomputations for two independent base values. +# |red_table_idx1| and |red_table_idx2| are corresponding power indexes. 
+# +# Extracted value (output) is 2 (30 + 2) digits numbers in 2^52 radix. +# (2 high QW is zero padding) +# +# void ossl_extract_multiplier_2x30_win5(BN_ULONG *red_Y, +# const BN_ULONG red_table[1 << EXP_WIN_SIZE][2][32], +# int red_table_idx1, int red_table_idx2); +# +# EXP_WIN_SIZE = 5 +############################################################################### +{ +# input parameters +my ($out,$red_tbl,$red_tbl_idx1,$red_tbl_idx2)=$win64 ? ("%rcx","%rdx","%r8", "%r9") : # Win64 order + ("%rdi","%rsi","%rdx","%rcx"); # Unix order + +my ($t0,$t1,$t2,$t3,$t4,$t5) = map("%ymm$_", (0..5)); +my ($t6,$t7,$t8,$t9,$t10,$t11,$t12,$t13,$t14,$t15) = map("%ymm$_", (16..25)); +my ($tmp,$cur_idx,$idx1,$idx2,$ones) = map("%ymm$_", (26..30)); + +my @t = ($t0,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9,$t10,$t11,$t12,$t13,$t14,$t15); +my $t0xmm = $t0; +$t0xmm =~ s/%y/%x/; + +$code.=<<___; +.text + +.align 32 +.globl ossl_extract_multiplier_2x30_win5 +.type ossl_extract_multiplier_2x30_win5,\@abi-omnipotent +ossl_extract_multiplier_2x30_win5: +.cfi_startproc + endbranch + vmovdqa64 .Lones(%rip), $ones # broadcast ones + vpbroadcastq $red_tbl_idx1, $idx1 + vpbroadcastq $red_tbl_idx2, $idx2 + leaq `(1<<5)*2*32*8`($red_tbl), %rax # holds end of the tbl + + # zeroing t0..n, cur_idx + vpxor $t0xmm, $t0xmm, $t0xmm + vmovdqa64 $t0, $cur_idx +___ +foreach (1..15) { + $code.="vmovdqa64 $t0, $t[$_] \n"; +} +$code.=<<___; + +.align 32 +.Lloop: + vpcmpq \$0, $cur_idx, $idx1, %k1 # mask of (idx1 == cur_idx) + vpcmpq \$0, $cur_idx, $idx2, %k2 # mask of (idx2 == cur_idx) +___ +foreach (0..15) { + my $mask = $_<8?"%k1":"%k2"; +$code.=<<___; + vmovdqu64 `${_}*32`($red_tbl), $tmp # load data from red_tbl + vpblendmq $tmp, $t[$_], ${t[$_]}{$mask} # extract data when mask is not zero +___ +} +$code.=<<___; + vpaddq $ones, $cur_idx, $cur_idx # increment cur_idx + addq \$`2*32*8`, $red_tbl + cmpq $red_tbl, %rax + jne .Lloop +___ +# store t0..n +foreach (0..15) { + $code.="vmovdqu64 $t[$_], `${_}*32`($out) 
\n"; +} +$code.=<<___; + + ret +.cfi_endproc +.size ossl_extract_multiplier_2x30_win5, .-ossl_extract_multiplier_2x30_win5 +___ +$code.=<<___; +.data +.align 32 +.Lones: + .quad 1,1,1,1 +.Lzeros: + .quad 0,0,0,0 +___ +} + +if ($win64) { +$rec="%rcx"; +$frame="%rdx"; +$context="%r8"; +$disp="%r9"; + +$code.=<<___; +.extern __imp_RtlVirtualUnwind +.type rsaz_avx_handler,\@abi-omnipotent +.align 16 +rsaz_avx_handler: + push %rsi + push %rdi + push %rbx + push %rbp + push %r12 + push %r13 + push %r14 + push %r15 + pushfq + sub \$64,%rsp + + mov 120($context),%rax # pull context->Rax + mov 248($context),%rbx # pull context->Rip + + mov 8($disp),%rsi # disp->ImageBase + mov 56($disp),%r11 # disp->HandlerData + + mov 0(%r11),%r10d # HandlerData[0] + lea (%rsi,%r10),%r10 # prologue label + cmp %r10,%rbx # context->Rip<.Lprologue + jb .Lcommon_seh_tail + + mov 4(%r11),%r10d # HandlerData[1] + lea (%rsi,%r10),%r10 # epilogue label + cmp %r10,%rbx # context->Rip>=.Lepilogue + jae .Lcommon_seh_tail + + mov 152($context),%rax # pull context->Rsp + + lea (%rax),%rsi # %xmm save area + lea 512($context),%rdi # & context.Xmm6 + mov \$20,%ecx # 10*sizeof(%xmm0)/sizeof(%rax) + .long 0xa548f3fc # cld; rep movsq + + lea `48+168`(%rax),%rax + + mov -8(%rax),%rbx + mov -16(%rax),%rbp + mov -24(%rax),%r12 + mov -32(%rax),%r13 + mov -40(%rax),%r14 + mov -48(%rax),%r15 + mov %rbx,144($context) # restore context->Rbx + mov %rbp,160($context) # restore context->Rbp + mov %r12,216($context) # restore context->R12 + mov %r13,224($context) # restore context->R13 + mov %r14,232($context) # restore context->R14 + mov %r15,240($context) # restore context->R14 + +.Lcommon_seh_tail: + mov 8(%rax),%rdi + mov 16(%rax),%rsi + mov %rax,152($context) # restore context->Rsp + mov %rsi,168($context) # restore context->Rsi + mov %rdi,176($context) # restore context->Rdi + + mov 40($disp),%rdi # disp->ContextRecord + mov $context,%rsi # context + mov \$154,%ecx # sizeof(CONTEXT) + .long 0xa548f3fc # cld; rep 
movsq + + mov $disp,%rsi + xor %rcx,%rcx # arg1, UNW_FLAG_NHANDLER + mov 8(%rsi),%rdx # arg2, disp->ImageBase + mov 0(%rsi),%r8 # arg3, disp->ControlPc + mov 16(%rsi),%r9 # arg4, disp->FunctionEntry + mov 40(%rsi),%r10 # disp->ContextRecord + lea 56(%rsi),%r11 # &disp->HandlerData + lea 24(%rsi),%r12 # &disp->EstablisherFrame + mov %r10,32(%rsp) # arg5 + mov %r11,40(%rsp) # arg6 + mov %r12,48(%rsp) # arg7 + mov %rcx,56(%rsp) # arg8, (NULL) + call *__imp_RtlVirtualUnwind(%rip) + + mov \$1,%eax # ExceptionContinueSearch + add \$64,%rsp + popfq + pop %r15 + pop %r14 + pop %r13 + pop %r12 + pop %rbp + pop %rbx + pop %rdi + pop %rsi + ret +.size rsaz_avx_handler,.-rsaz_avx_handler + +.section .pdata +.align 4 + .rva .LSEH_begin_ossl_rsaz_amm52x30_x1_ifma256 + .rva .LSEH_end_ossl_rsaz_amm52x30_x1_ifma256 + .rva .LSEH_info_ossl_rsaz_amm52x30_x1_ifma256 + + .rva .LSEH_begin_ossl_rsaz_amm52x30_x2_ifma256 + .rva .LSEH_end_ossl_rsaz_amm52x30_x2_ifma256 + .rva .LSEH_info_ossl_rsaz_amm52x30_x2_ifma256 + +.section .xdata +.align 8 +.LSEH_info_ossl_rsaz_amm52x30_x1_ifma256: + .byte 9,0,0,0 + .rva rsaz_avx_handler + .rva .Lossl_rsaz_amm52x30_x1_ifma256_body,.Lossl_rsaz_amm52x30_x1_ifma256_epilogue +.LSEH_info_ossl_rsaz_amm52x30_x2_ifma256: + .byte 9,0,0,0 + .rva rsaz_avx_handler + .rva .Lossl_rsaz_amm52x30_x2_ifma256_body,.Lossl_rsaz_amm52x30_x2_ifma256_epilogue +___ +} +}}} else {{{ # fallback for old assembler +$code.=<<___; +.text + +.globl ossl_rsaz_amm52x30_x1_ifma256 +.globl ossl_rsaz_amm52x30_x2_ifma256 +.globl ossl_extract_multiplier_2x30_win5 +.type ossl_rsaz_amm52x30_x1_ifma256,\@abi-omnipotent +ossl_rsaz_amm52x30_x1_ifma256: +ossl_rsaz_amm52x30_x2_ifma256: +ossl_extract_multiplier_2x30_win5: + .byte 0x0f,0x0b # ud2 + ret +.size ossl_rsaz_amm52x30_x1_ifma256, .-ossl_rsaz_amm52x30_x1_ifma256 +___ +}}} + +$code =~ s/\`([^\`]*)\`/eval $1/gem; +print $code; +close STDOUT or die "error closing STDOUT: $!"; 
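Review bot: The two assembler-capability guards test `!$avx512`, but the file only ever assigns `$avx512ifma`, so both conditions are always true and the NASM/clang probes unconditionally overwrite the result of the GNU assembler probe rather than acting as fallbacks; the intent reads as `if (!$avx512ifma && $win64 && ...` and `if (!$avx512ifma && \`$ENV{CC} -v 2>&1\` =~ ...`. A second point worth confirming: `ossl_extract_multiplier_2x30_win5` broadcasts the full 64-bit `$red_tbl_idx1`/`$red_tbl_idx2` registers with `vpbroadcastq` and compares them lane-for-lane against `$cur_idx`, while the documented prototype declares both indexes as `int`; the SysV ABI does not guarantee that the upper 32 bits of a 32-bit argument register are zero, so a non-zero-extending caller would make every lane compare unequal and the extraction would return zeros, which suggests either zero-extending both registers before the broadcast or widening the prototype to `BN_ULONG` (the 2x20 variant in the first hunk of this diff has the same shape). Finally, in `rsaz_avx_handler` the line `mov %r15,240($context) # restore context->R14` restores R15, so the comment should read `# restore context->R15`.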
diff --git a/crypto/bn/asm/rsaz-4k-avx512.pl b/crypto/bn/asm/rsaz-4k-avx512.pl
new file mode 100644
index 000000000..559316590
--- /dev/null
+++ b/crypto/bn/asm/rsaz-4k-avx512.pl
@@ -0,0 +1,930 @@ +# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright (c) 2021, Intel Corporation. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html +# +# +# Originally written by Sergey Kirillov and Andrey Matyukov +# Intel Corporation +# +# March 2021 +# +# Initial release. +# +# Implementation utilizes 256-bit (ymm) registers to avoid frequency scaling issues. +# +# IceLake-Client @ 1.3GHz +# |---------+-----------------------+---------------+-------------| +# | | OpenSSL 3.0.0-alpha15 | this | Unit | +# |---------+-----------------------+---------------+-------------| +# | rsa4096 | 14 301 4300 | 5 813 953 | cycles/sign | +# | | 90.9 | 223.6 / +146% | sign/s | +# |---------+-----------------------+---------------+-------------| +# + +# $output is the last argument if it looks like a file (it has an extension) +# $flavour is the first argument if it doesn't look like a file +$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; +$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? 
shift : undef; + +$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/); +$avx512ifma=0; + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or +( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or +die "can't locate x86_64-xlate.pl"; + +if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1` + =~ /GNU assembler version ([2-9]\.[0-9]+)/) { + $avx512ifma = ($1>=2.26); +} + +if (!$avx512 && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) && + `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)(?:\.([0-9]+))?/) { + $avx512ifma = ($1==2.11 && $2>=8) + ($1>=2.12); +} + +if (!$avx512 && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) { + $avx512ifma = ($2>=7.0); +} + +open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\"" + or die "can't call $xlate: $!"; +*STDOUT=*OUT; + +if ($avx512ifma>0) {{{ +@_6_args_universal_ABI = ("%rdi","%rsi","%rdx","%rcx","%r8","%r9"); + +############################################################################### +# Almost Montgomery Multiplication (AMM) for 40-digit number in radix 2^52. +# +# AMM is defined as presented in the paper [1]. +# +# The input and output are presented in 2^52 radix domain, i.e. +# |res|, |a|, |b|, |m| are arrays of 40 64-bit qwords with 12 high bits zeroed. +# |k0| is a Montgomery coefficient, which is here k0 = -1/m mod 2^64 +# +# NB: the AMM implementation does not perform "conditional" subtraction step +# specified in the original algorithm as according to the Lemma 1 from the paper +# [2], the result will be always < 2*m and can be used as a direct input to +# the next AMM iteration. This post-condition is true, provided the correct +# parameter |s| (notion of the Lemma 1 from [2]) is chosen, i.e. s >= n + 2 * k, +# which matches our case: 2080 > 2048 + 2 * 1. +# +# [1] Gueron, S. Efficient software implementations of modular exponentiation. 
+# DOI: 10.1007/s13389-012-0031-5 +# [2] Gueron, S. Enhanced Montgomery Multiplication. +# DOI: 10.1007/3-540-36400-5_5 +# +# void ossl_rsaz_amm52x40_x1_ifma256(BN_ULONG *res, +# const BN_ULONG *a, +# const BN_ULONG *b, +# const BN_ULONG *m, +# BN_ULONG k0); +############################################################################### +{ +# input parameters ("%rdi","%rsi","%rdx","%rcx","%r8") +my ($res,$a,$b,$m,$k0) = @_6_args_universal_ABI; + +my $mask52 = "%rax"; +my $acc0_0 = "%r9"; +my $acc0_0_low = "%r9d"; +my $acc0_1 = "%r15"; +my $acc0_1_low = "%r15d"; +my $b_ptr = "%r11"; + +my $iter = "%ebx"; + +my $zero = "%ymm0"; +my $Bi = "%ymm1"; +my $Yi = "%ymm2"; +my ($R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h,$R4_0,$R4_0h) = map("%ymm$_",(3..12)); +my ($R0_1,$R0_1h,$R1_1,$R1_1h,$R2_1,$R2_1h,$R3_1,$R3_1h,$R4_1,$R4_1h) = map("%ymm$_",(13..22)); + +# Registers mapping for normalization +my ($T0,$T0h,$T1,$T1h,$T2,$T2h,$T3,$T3h,$T4,$T4h) = ("$zero", "$Bi", "$Yi", map("%ymm$_", (23..29))); + +sub amm52x40_x1() { +# _data_offset - offset in the |a| or |m| arrays pointing to the beginning +# of data for corresponding AMM operation; +# _b_offset - offset in the |b| array pointing to the next qword digit; +my ($_data_offset,$_b_offset,$_acc,$_R0,$_R0h,$_R1,$_R1h,$_R2,$_R2h,$_R3,$_R3h,$_R4,$_R4h,$_k0) = @_; +my $_R0_xmm = $_R0; +$_R0_xmm =~ s/%y/%x/; +$code.=<<___; + movq $_b_offset($b_ptr), %r13 # b[i] + + vpbroadcastq %r13, $Bi # broadcast b[i] + movq $_data_offset($a), %rdx + mulx %r13, %r13, %r12 # a[0]*b[i] = (t0,t2) + addq %r13, $_acc # acc += t0 + movq %r12, %r10 + adcq \$0, %r10 # t2 += CF + + movq $_k0, %r13 + imulq $_acc, %r13 # acc * k0 + andq $mask52, %r13 # yi = (acc * k0) & mask52 + + vpbroadcastq %r13, $Yi # broadcast y[i] + movq $_data_offset($m), %rdx + mulx %r13, %r13, %r12 # yi * m[0] = (t0,t1) + addq %r13, $_acc # acc += t0 + adcq %r12, %r10 # t2 += (t1 + CF) + + shrq \$52, $_acc + salq \$12, %r10 + or %r10, $_acc # acc = ((acc >> 52) | (t2 << 
12)) + + vpmadd52luq `$_data_offset+64*0`($a), $Bi, $_R0 + vpmadd52luq `$_data_offset+64*0+32`($a), $Bi, $_R0h + vpmadd52luq `$_data_offset+64*1`($a), $Bi, $_R1 + vpmadd52luq `$_data_offset+64*1+32`($a), $Bi, $_R1h + vpmadd52luq `$_data_offset+64*2`($a), $Bi, $_R2 + vpmadd52luq `$_data_offset+64*2+32`($a), $Bi, $_R2h + vpmadd52luq `$_data_offset+64*3`($a), $Bi, $_R3 + vpmadd52luq `$_data_offset+64*3+32`($a), $Bi, $_R3h + vpmadd52luq `$_data_offset+64*4`($a), $Bi, $_R4 + vpmadd52luq `$_data_offset+64*4+32`($a), $Bi, $_R4h + + vpmadd52luq `$_data_offset+64*0`($m), $Yi, $_R0 + vpmadd52luq `$_data_offset+64*0+32`($m), $Yi, $_R0h + vpmadd52luq `$_data_offset+64*1`($m), $Yi, $_R1 + vpmadd52luq `$_data_offset+64*1+32`($m), $Yi, $_R1h + vpmadd52luq `$_data_offset+64*2`($m), $Yi, $_R2 + vpmadd52luq `$_data_offset+64*2+32`($m), $Yi, $_R2h + vpmadd52luq `$_data_offset+64*3`($m), $Yi, $_R3 + vpmadd52luq `$_data_offset+64*3+32`($m), $Yi, $_R3h + vpmadd52luq `$_data_offset+64*4`($m), $Yi, $_R4 + vpmadd52luq `$_data_offset+64*4+32`($m), $Yi, $_R4h + + # Shift accumulators right by 1 qword, zero extending the highest one + valignq \$1, $_R0, $_R0h, $_R0 + valignq \$1, $_R0h, $_R1, $_R0h + valignq \$1, $_R1, $_R1h, $_R1 + valignq \$1, $_R1h, $_R2, $_R1h + valignq \$1, $_R2, $_R2h, $_R2 + valignq \$1, $_R2h, $_R3, $_R2h + valignq \$1, $_R3, $_R3h, $_R3 + valignq \$1, $_R3h, $_R4, $_R3h + valignq \$1, $_R4, $_R4h, $_R4 + valignq \$1, $_R4h, $zero, $_R4h + + vmovq $_R0_xmm, %r13 + addq %r13, $_acc # acc += R0[0] + + vpmadd52huq `$_data_offset+64*0`($a), $Bi, $_R0 + vpmadd52huq `$_data_offset+64*0+32`($a), $Bi, $_R0h + vpmadd52huq `$_data_offset+64*1`($a), $Bi, $_R1 + vpmadd52huq `$_data_offset+64*1+32`($a), $Bi, $_R1h + vpmadd52huq `$_data_offset+64*2`($a), $Bi, $_R2 + vpmadd52huq `$_data_offset+64*2+32`($a), $Bi, $_R2h + vpmadd52huq `$_data_offset+64*3`($a), $Bi, $_R3 + vpmadd52huq `$_data_offset+64*3+32`($a), $Bi, $_R3h + vpmadd52huq `$_data_offset+64*4`($a), $Bi, $_R4 + vpmadd52huq 
`$_data_offset+64*4+32`($a), $Bi, $_R4h + + vpmadd52huq `$_data_offset+64*0`($m), $Yi, $_R0 + vpmadd52huq `$_data_offset+64*0+32`($m), $Yi, $_R0h + vpmadd52huq `$_data_offset+64*1`($m), $Yi, $_R1 + vpmadd52huq `$_data_offset+64*1+32`($m), $Yi, $_R1h + vpmadd52huq `$_data_offset+64*2`($m), $Yi, $_R2 + vpmadd52huq `$_data_offset+64*2+32`($m), $Yi, $_R2h + vpmadd52huq `$_data_offset+64*3`($m), $Yi, $_R3 + vpmadd52huq `$_data_offset+64*3+32`($m), $Yi, $_R3h + vpmadd52huq `$_data_offset+64*4`($m), $Yi, $_R4 + vpmadd52huq `$_data_offset+64*4+32`($m), $Yi, $_R4h +___ +} + +# Normalization routine: handles carry bits and gets bignum qwords to normalized +# 2^52 representation. +# +# Uses %r8-14,%e[abcd]x +sub amm52x40_x1_norm { +my ($_acc,$_R0,$_R0h,$_R1,$_R1h,$_R2,$_R2h,$_R3,$_R3h,$_R4,$_R4h) = @_; +$code.=<<___; + # Put accumulator to low qword in R0 + vpbroadcastq $_acc, $T0 + vpblendd \$3, $T0, $_R0, $_R0 + + # Extract "carries" (12 high bits) from each QW of the bignum + # Save them to LSB of QWs in T0..Tn + vpsrlq \$52, $_R0, $T0 + vpsrlq \$52, $_R0h, $T0h + vpsrlq \$52, $_R1, $T1 + vpsrlq \$52, $_R1h, $T1h + vpsrlq \$52, $_R2, $T2 + vpsrlq \$52, $_R2h, $T2h + vpsrlq \$52, $_R3, $T3 + vpsrlq \$52, $_R3h, $T3h + vpsrlq \$52, $_R4, $T4 + vpsrlq \$52, $_R4h, $T4h + + # "Shift left" T0..Tn by 1 QW + valignq \$3, $T4, $T4h, $T4h + valignq \$3, $T3h, $T4, $T4 + valignq \$3, $T3, $T3h, $T3h + valignq \$3, $T2h, $T3, $T3 + valignq \$3, $T2, $T2h, $T2h + valignq \$3, $T1h, $T2, $T2 + valignq \$3, $T1, $T1h, $T1h + valignq \$3, $T0h, $T1, $T1 + valignq \$3, $T0, $T0h, $T0h + valignq \$3, .Lzeros(%rip), $T0, $T0 + + # Drop "carries" from R0..Rn QWs + vpandq .Lmask52x4(%rip), $_R0, $_R0 + vpandq .Lmask52x4(%rip), $_R0h, $_R0h + vpandq .Lmask52x4(%rip), $_R1, $_R1 + vpandq .Lmask52x4(%rip), $_R1h, $_R1h + vpandq .Lmask52x4(%rip), $_R2, $_R2 + vpandq .Lmask52x4(%rip), $_R2h, $_R2h + vpandq .Lmask52x4(%rip), $_R3, $_R3 + vpandq .Lmask52x4(%rip), $_R3h, $_R3h + vpandq 
.Lmask52x4(%rip), $_R4, $_R4 + vpandq .Lmask52x4(%rip), $_R4h, $_R4h + + # Sum R0..Rn with corresponding adjusted carries + vpaddq $T0, $_R0, $_R0 + vpaddq $T0h, $_R0h, $_R0h + vpaddq $T1, $_R1, $_R1 + vpaddq $T1h, $_R1h, $_R1h + vpaddq $T2, $_R2, $_R2 + vpaddq $T2h, $_R2h, $_R2h + vpaddq $T3, $_R3, $_R3 + vpaddq $T3h, $_R3h, $_R3h + vpaddq $T4, $_R4, $_R4 + vpaddq $T4h, $_R4h, $_R4h + + # Now handle carry bits from this addition + # Get mask of QWs whose 52-bit parts overflow + vpcmpuq \$6,.Lmask52x4(%rip),${_R0},%k1 # OP=nle (i.e. gt) + vpcmpuq \$6,.Lmask52x4(%rip),${_R0h},%k2 + kmovb %k1,%r14d + kmovb %k2,%r13d + shl \$4,%r13b + or %r13b,%r14b + + vpcmpuq \$6,.Lmask52x4(%rip),${_R1},%k1 + vpcmpuq \$6,.Lmask52x4(%rip),${_R1h},%k2 + kmovb %k1,%r13d + kmovb %k2,%r12d + shl \$4,%r12b + or %r12b,%r13b + + vpcmpuq \$6,.Lmask52x4(%rip),${_R2},%k1 + vpcmpuq \$6,.Lmask52x4(%rip),${_R2h},%k2 + kmovb %k1,%r12d + kmovb %k2,%r11d + shl \$4,%r11b + or %r11b,%r12b + + vpcmpuq \$6,.Lmask52x4(%rip),${_R3},%k1 + vpcmpuq \$6,.Lmask52x4(%rip),${_R3h},%k2 + kmovb %k1,%r11d + kmovb %k2,%r10d + shl \$4,%r10b + or %r10b,%r11b + + vpcmpuq \$6,.Lmask52x4(%rip),${_R4},%k1 + vpcmpuq \$6,.Lmask52x4(%rip),${_R4h},%k2 + kmovb %k1,%r10d + kmovb %k2,%r9d + shl \$4,%r9b + or %r9b,%r10b + + addb %r14b,%r14b + adcb %r13b,%r13b + adcb %r12b,%r12b + adcb %r11b,%r11b + adcb %r10b,%r10b + + # Get mask of QWs whose 52-bit parts saturated + vpcmpuq \$0,.Lmask52x4(%rip),${_R0},%k1 # OP=eq + vpcmpuq \$0,.Lmask52x4(%rip),${_R0h},%k2 + kmovb %k1,%r9d + kmovb %k2,%r8d + shl \$4,%r8b + or %r8b,%r9b + + vpcmpuq \$0,.Lmask52x4(%rip),${_R1},%k1 + vpcmpuq \$0,.Lmask52x4(%rip),${_R1h},%k2 + kmovb %k1,%r8d + kmovb %k2,%edx + shl \$4,%dl + or %dl,%r8b + + vpcmpuq \$0,.Lmask52x4(%rip),${_R2},%k1 + vpcmpuq \$0,.Lmask52x4(%rip),${_R2h},%k2 + kmovb %k1,%edx + kmovb %k2,%ecx + shl \$4,%cl + or %cl,%dl + + vpcmpuq \$0,.Lmask52x4(%rip),${_R3},%k1 + vpcmpuq \$0,.Lmask52x4(%rip),${_R3h},%k2 + kmovb %k1,%ecx + kmovb %k2,%ebx 
+ shl \$4,%bl + or %bl,%cl + + vpcmpuq \$0,.Lmask52x4(%rip),${_R4},%k1 + vpcmpuq \$0,.Lmask52x4(%rip),${_R4h},%k2 + kmovb %k1,%ebx + kmovb %k2,%eax + shl \$4,%al + or %al,%bl + + addb %r9b,%r14b + adcb %r8b,%r13b + adcb %dl,%r12b + adcb %cl,%r11b + adcb %bl,%r10b + + xor %r9b,%r14b + xor %r8b,%r13b + xor %dl,%r12b + xor %cl,%r11b + xor %bl,%r10b + + kmovb %r14d,%k1 + shr \$4,%r14b + kmovb %r14d,%k2 + kmovb %r13d,%k3 + shr \$4,%r13b + kmovb %r13d,%k4 + kmovb %r12d,%k5 + shr \$4,%r12b + kmovb %r12d,%k6 + kmovb %r11d,%k7 + + vpsubq .Lmask52x4(%rip), $_R0, ${_R0}{%k1} + vpsubq .Lmask52x4(%rip), $_R0h, ${_R0h}{%k2} + vpsubq .Lmask52x4(%rip), $_R1, ${_R1}{%k3} + vpsubq .Lmask52x4(%rip), $_R1h, ${_R1h}{%k4} + vpsubq .Lmask52x4(%rip), $_R2, ${_R2}{%k5} + vpsubq .Lmask52x4(%rip), $_R2h, ${_R2h}{%k6} + vpsubq .Lmask52x4(%rip), $_R3, ${_R3}{%k7} + + vpandq .Lmask52x4(%rip), $_R0, $_R0 + vpandq .Lmask52x4(%rip), $_R0h, $_R0h + vpandq .Lmask52x4(%rip), $_R1, $_R1 + vpandq .Lmask52x4(%rip), $_R1h, $_R1h + vpandq .Lmask52x4(%rip), $_R2, $_R2 + vpandq .Lmask52x4(%rip), $_R2h, $_R2h + vpandq .Lmask52x4(%rip), $_R3, $_R3 + + shr \$4,%r11b + kmovb %r11d,%k1 + kmovb %r10d,%k2 + shr \$4,%r10b + kmovb %r10d,%k3 + + vpsubq .Lmask52x4(%rip), $_R3h, ${_R3h}{%k1} + vpsubq .Lmask52x4(%rip), $_R4, ${_R4}{%k2} + vpsubq .Lmask52x4(%rip), $_R4h, ${_R4h}{%k3} + + vpandq .Lmask52x4(%rip), $_R3h, $_R3h + vpandq .Lmask52x4(%rip), $_R4, $_R4 + vpandq .Lmask52x4(%rip), $_R4h, $_R4h +___ +} + +$code.=<<___; +.text + +.globl ossl_rsaz_amm52x40_x1_ifma256 +.type ossl_rsaz_amm52x40_x1_ifma256,\@function,5 +.align 32 +ossl_rsaz_amm52x40_x1_ifma256: +.cfi_startproc + endbranch + push %rbx +.cfi_push %rbx + push %rbp +.cfi_push %rbp + push %r12 +.cfi_push %r12 + push %r13 +.cfi_push %r13 + push %r14 +.cfi_push %r14 + push %r15 +.cfi_push %r15 +___ +$code.=<<___ if ($win64); + lea -168(%rsp),%rsp # 16*10 + (8 bytes to get correct 16-byte SIMD alignment) + vmovdqa64 %xmm6, `0*16`(%rsp) # save non-volatile 
registers + vmovdqa64 %xmm7, `1*16`(%rsp) + vmovdqa64 %xmm8, `2*16`(%rsp) + vmovdqa64 %xmm9, `3*16`(%rsp) + vmovdqa64 %xmm10,`4*16`(%rsp) + vmovdqa64 %xmm11,`5*16`(%rsp) + vmovdqa64 %xmm12,`6*16`(%rsp) + vmovdqa64 %xmm13,`7*16`(%rsp) + vmovdqa64 %xmm14,`8*16`(%rsp) + vmovdqa64 %xmm15,`9*16`(%rsp) +.Lossl_rsaz_amm52x40_x1_ifma256_body: +___ +$code.=<<___; + # Zeroing accumulators + vpxord $zero, $zero, $zero + vmovdqa64 $zero, $R0_0 + vmovdqa64 $zero, $R0_0h + vmovdqa64 $zero, $R1_0 + vmovdqa64 $zero, $R1_0h + vmovdqa64 $zero, $R2_0 + vmovdqa64 $zero, $R2_0h + vmovdqa64 $zero, $R3_0 + vmovdqa64 $zero, $R3_0h + vmovdqa64 $zero, $R4_0 + vmovdqa64 $zero, $R4_0h + + xorl $acc0_0_low, $acc0_0_low + + movq $b, $b_ptr # backup address of b + movq \$0xfffffffffffff, $mask52 # 52-bit mask + + # Loop over 40 digits unrolled by 4 + mov \$10, $iter + +.align 32 +.Lloop10: +___ + foreach my $idx (0..3) { + &amm52x40_x1(0,8*$idx,$acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h,$R4_0,$R4_0h,$k0); + } +$code.=<<___; + lea `4*8`($b_ptr), $b_ptr + dec $iter + jne .Lloop10 +___ + &amm52x40_x1_norm($acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h,$R4_0,$R4_0h); +$code.=<<___; + + vmovdqu64 $R0_0, `0*32`($res) + vmovdqu64 $R0_0h, `1*32`($res) + vmovdqu64 $R1_0, `2*32`($res) + vmovdqu64 $R1_0h, `3*32`($res) + vmovdqu64 $R2_0, `4*32`($res) + vmovdqu64 $R2_0h, `5*32`($res) + vmovdqu64 $R3_0, `6*32`($res) + vmovdqu64 $R3_0h, `7*32`($res) + vmovdqu64 $R4_0, `8*32`($res) + vmovdqu64 $R4_0h, `9*32`($res) + + vzeroupper + lea (%rsp),%rax +.cfi_def_cfa_register %rax +___ +$code.=<<___ if ($win64); + vmovdqa64 `0*16`(%rax),%xmm6 + vmovdqa64 `1*16`(%rax),%xmm7 + vmovdqa64 `2*16`(%rax),%xmm8 + vmovdqa64 `3*16`(%rax),%xmm9 + vmovdqa64 `4*16`(%rax),%xmm10 + vmovdqa64 `5*16`(%rax),%xmm11 + vmovdqa64 `6*16`(%rax),%xmm12 + vmovdqa64 `7*16`(%rax),%xmm13 + vmovdqa64 `8*16`(%rax),%xmm14 + vmovdqa64 `9*16`(%rax),%xmm15 + lea 168(%rsp),%rax +___ +$code.=<<___; + mov 0(%rax),%r15 
+.cfi_restore %r15 + mov 8(%rax),%r14 +.cfi_restore %r14 + mov 16(%rax),%r13 +.cfi_restore %r13 + mov 24(%rax),%r12 +.cfi_restore %r12 + mov 32(%rax),%rbp +.cfi_restore %rbp + mov 40(%rax),%rbx +.cfi_restore %rbx + lea 48(%rax),%rsp # restore rsp +.cfi_def_cfa %rsp,8 +.Lossl_rsaz_amm52x40_x1_ifma256_epilogue: + + ret +.cfi_endproc +.size ossl_rsaz_amm52x40_x1_ifma256, .-ossl_rsaz_amm52x40_x1_ifma256 +___ + +$code.=<<___; +.data +.align 32 +.Lmask52x4: + .quad 0xfffffffffffff + .quad 0xfffffffffffff + .quad 0xfffffffffffff + .quad 0xfffffffffffff +___ + +############################################################################### +# Dual Almost Montgomery Multiplication for 40-digit number in radix 2^52 +# +# See description of ossl_rsaz_amm52x40_x1_ifma256() above for details about Almost +# Montgomery Multiplication algorithm and function input parameters description. +# +# This function does two AMMs for two independent inputs, hence dual. +# +# void ossl_rsaz_amm52x40_x2_ifma256(BN_ULONG out[2][40], +# const BN_ULONG a[2][40], +# const BN_ULONG b[2][40], +# const BN_ULONG m[2][40], +# const BN_ULONG k0[2]); +############################################################################### + +$code.=<<___; +.text + +.globl ossl_rsaz_amm52x40_x2_ifma256 +.type ossl_rsaz_amm52x40_x2_ifma256,\@function,5 +.align 32 +ossl_rsaz_amm52x40_x2_ifma256: +.cfi_startproc + endbranch + push %rbx +.cfi_push %rbx + push %rbp +.cfi_push %rbp + push %r12 +.cfi_push %r12 + push %r13 +.cfi_push %r13 + push %r14 +.cfi_push %r14 + push %r15 +.cfi_push %r15 +___ +$code.=<<___ if ($win64); + lea -168(%rsp),%rsp + vmovdqa64 %xmm6, `0*16`(%rsp) # save non-volatile registers + vmovdqa64 %xmm7, `1*16`(%rsp) + vmovdqa64 %xmm8, `2*16`(%rsp) + vmovdqa64 %xmm9, `3*16`(%rsp) + vmovdqa64 %xmm10,`4*16`(%rsp) + vmovdqa64 %xmm11,`5*16`(%rsp) + vmovdqa64 %xmm12,`6*16`(%rsp) + vmovdqa64 %xmm13,`7*16`(%rsp) + vmovdqa64 %xmm14,`8*16`(%rsp) + vmovdqa64 %xmm15,`9*16`(%rsp) 
+.Lossl_rsaz_amm52x40_x2_ifma256_body: +___ +$code.=<<___; + # Zeroing accumulators + vpxord $zero, $zero, $zero + vmovdqa64 $zero, $R0_0 + vmovdqa64 $zero, $R0_0h + vmovdqa64 $zero, $R1_0 + vmovdqa64 $zero, $R1_0h + vmovdqa64 $zero, $R2_0 + vmovdqa64 $zero, $R2_0h + vmovdqa64 $zero, $R3_0 + vmovdqa64 $zero, $R3_0h + vmovdqa64 $zero, $R4_0 + vmovdqa64 $zero, $R4_0h + + vmovdqa64 $zero, $R0_1 + vmovdqa64 $zero, $R0_1h + vmovdqa64 $zero, $R1_1 + vmovdqa64 $zero, $R1_1h + vmovdqa64 $zero, $R2_1 + vmovdqa64 $zero, $R2_1h + vmovdqa64 $zero, $R3_1 + vmovdqa64 $zero, $R3_1h + vmovdqa64 $zero, $R4_1 + vmovdqa64 $zero, $R4_1h + + + xorl $acc0_0_low, $acc0_0_low + xorl $acc0_1_low, $acc0_1_low + + movq $b, $b_ptr # backup address of b + movq \$0xfffffffffffff, $mask52 # 52-bit mask + + mov \$40, $iter + +.align 32 +.Lloop40: +___ + &amm52x40_x1( 0, 0,$acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h,$R4_0,$R4_0h,"($k0)"); + # 40*8 = offset of the next dimension in two-dimension array + &amm52x40_x1(40*8,40*8,$acc0_1,$R0_1,$R0_1h,$R1_1,$R1_1h,$R2_1,$R2_1h,$R3_1,$R3_1h,$R4_1,$R4_1h,"8($k0)"); +$code.=<<___; + lea 8($b_ptr), $b_ptr + dec $iter + jne .Lloop40 +___ + &amm52x40_x1_norm($acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h,$R4_0,$R4_0h); + &amm52x40_x1_norm($acc0_1,$R0_1,$R0_1h,$R1_1,$R1_1h,$R2_1,$R2_1h,$R3_1,$R3_1h,$R4_1,$R4_1h); +$code.=<<___; + + vmovdqu64 $R0_0, `0*32`($res) + vmovdqu64 $R0_0h, `1*32`($res) + vmovdqu64 $R1_0, `2*32`($res) + vmovdqu64 $R1_0h, `3*32`($res) + vmovdqu64 $R2_0, `4*32`($res) + vmovdqu64 $R2_0h, `5*32`($res) + vmovdqu64 $R3_0, `6*32`($res) + vmovdqu64 $R3_0h, `7*32`($res) + vmovdqu64 $R4_0, `8*32`($res) + vmovdqu64 $R4_0h, `9*32`($res) + + vmovdqu64 $R0_1, `10*32`($res) + vmovdqu64 $R0_1h, `11*32`($res) + vmovdqu64 $R1_1, `12*32`($res) + vmovdqu64 $R1_1h, `13*32`($res) + vmovdqu64 $R2_1, `14*32`($res) + vmovdqu64 $R2_1h, `15*32`($res) + vmovdqu64 $R3_1, `16*32`($res) + vmovdqu64 $R3_1h, `17*32`($res) + vmovdqu64 $R4_1, 
`18*32`($res) + vmovdqu64 $R4_1h, `19*32`($res) + + vzeroupper + lea (%rsp),%rax +.cfi_def_cfa_register %rax +___ +$code.=<<___ if ($win64); + vmovdqa64 `0*16`(%rax),%xmm6 + vmovdqa64 `1*16`(%rax),%xmm7 + vmovdqa64 `2*16`(%rax),%xmm8 + vmovdqa64 `3*16`(%rax),%xmm9 + vmovdqa64 `4*16`(%rax),%xmm10 + vmovdqa64 `5*16`(%rax),%xmm11 + vmovdqa64 `6*16`(%rax),%xmm12 + vmovdqa64 `7*16`(%rax),%xmm13 + vmovdqa64 `8*16`(%rax),%xmm14 + vmovdqa64 `9*16`(%rax),%xmm15 + lea 168(%rsp),%rax +___ +$code.=<<___; + mov 0(%rax),%r15 +.cfi_restore %r15 + mov 8(%rax),%r14 +.cfi_restore %r14 + mov 16(%rax),%r13 +.cfi_restore %r13 + mov 24(%rax),%r12 +.cfi_restore %r12 + mov 32(%rax),%rbp +.cfi_restore %rbp + mov 40(%rax),%rbx +.cfi_restore %rbx + lea 48(%rax),%rsp +.cfi_def_cfa %rsp,8 +.Lossl_rsaz_amm52x40_x2_ifma256_epilogue: + ret +.cfi_endproc +.size ossl_rsaz_amm52x40_x2_ifma256, .-ossl_rsaz_amm52x40_x2_ifma256 +___ +} + +############################################################################### +# Constant time extraction from the precomputed table of powers base^i, where +# i = 0..2^EXP_WIN_SIZE-1 +# +# The input |red_table| contains precomputations for two independent base values. +# |red_table_idx1| and |red_table_idx2| are corresponding power indexes. +# +# Extracted value (output) is 2 40 digits numbers in 2^52 radix. +# +# void ossl_extract_multiplier_2x40_win5(BN_ULONG *red_Y, +# const BN_ULONG red_table[1 << EXP_WIN_SIZE][2][40], +# int red_table_idx1, int red_table_idx2); +# +# EXP_WIN_SIZE = 5 +############################################################################### +{ +# input parameters +my ($out,$red_tbl,$red_tbl_idx1,$red_tbl_idx2)=$win64 ? 
("%rcx","%rdx","%r8", "%r9") : # Win64 order + ("%rdi","%rsi","%rdx","%rcx"); # Unix order + +my ($t0,$t1,$t2,$t3,$t4,$t5) = map("%ymm$_", (0..5)); +my ($t6,$t7,$t8,$t9) = map("%ymm$_", (16..19)); +my ($tmp,$cur_idx,$idx1,$idx2,$ones) = map("%ymm$_", (20..24)); + +my @t = ($t0,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9); +my $t0xmm = $t0; +$t0xmm =~ s/%y/%x/; + +sub get_table_value_consttime() { +my ($_idx,$_offset) = @_; +$code.=<<___; + vpxorq $cur_idx, $cur_idx, $cur_idx +.align 32 +.Lloop_$_offset: + vpcmpq \$0, $cur_idx, $_idx, %k1 # mask of (idx == cur_idx) +___ +foreach (0..9) { +$code.=<<___; + vmovdqu64 `$_offset+${_}*32`($red_tbl), $tmp # load data from red_tbl + vpblendmq $tmp, $t[$_], ${t[$_]}{%k1} # extract data when mask is not zero +___ +} +$code.=<<___; + vpaddq $ones, $cur_idx, $cur_idx # increment cur_idx + addq \$`2*40*8`, $red_tbl + cmpq $red_tbl, %rax + jne .Lloop_$_offset +___ +} + +$code.=<<___; +.text + +.align 32 +.globl ossl_extract_multiplier_2x40_win5 +.type ossl_extract_multiplier_2x40_win5,\@abi-omnipotent +ossl_extract_multiplier_2x40_win5: +.cfi_startproc + endbranch + vmovdqa64 .Lones(%rip), $ones # broadcast ones + vpbroadcastq $red_tbl_idx1, $idx1 + vpbroadcastq $red_tbl_idx2, $idx2 + leaq `(1<<5)*2*40*8`($red_tbl), %rax # holds end of the tbl + + # backup red_tbl address + movq $red_tbl, %r10 + + # zeroing t0..n, cur_idx + vpxor $t0xmm, $t0xmm, $t0xmm +___ +foreach (1..9) { + $code.="vmovdqa64 $t0, $t[$_] \n"; +} + +&get_table_value_consttime($idx1, 0); +foreach (0..9) { + $code.="vmovdqu64 $t[$_], `(0+$_)*32`($out) \n"; +} +$code.="movq %r10, $red_tbl \n"; +&get_table_value_consttime($idx2, 40*8); +foreach (0..9) { + $code.="vmovdqu64 $t[$_], `(10+$_)*32`($out) \n"; +} +$code.=<<___; + + ret +.cfi_endproc +.size ossl_extract_multiplier_2x40_win5, .-ossl_extract_multiplier_2x40_win5 +___ +$code.=<<___; +.data +.align 32 +.Lones: + .quad 1,1,1,1 +.Lzeros: + .quad 0,0,0,0 +___ +} + +if ($win64) { +$rec="%rcx"; +$frame="%rdx"; 
+$context="%r8"; +$disp="%r9"; + +$code.=<<___; +.extern __imp_RtlVirtualUnwind +.type rsaz_avx_handler,\@abi-omnipotent +.align 16 +rsaz_avx_handler: + push %rsi + push %rdi + push %rbx + push %rbp + push %r12 + push %r13 + push %r14 + push %r15 + pushfq + sub \$64,%rsp + + mov 120($context),%rax # pull context->Rax + mov 248($context),%rbx # pull context->Rip + + mov 8($disp),%rsi # disp->ImageBase + mov 56($disp),%r11 # disp->HandlerData + + mov 0(%r11),%r10d # HandlerData[0] + lea (%rsi,%r10),%r10 # prologue label + cmp %r10,%rbx # context->Rip<.Lprologue + jb .Lcommon_seh_tail + + mov 4(%r11),%r10d # HandlerData[1] + lea (%rsi,%r10),%r10 # epilogue label + cmp %r10,%rbx # context->Rip>=.Lepilogue + jae .Lcommon_seh_tail + + mov 152($context),%rax # pull context->Rsp + + lea (%rax),%rsi # %xmm save area + lea 512($context),%rdi # & context.Xmm6 + mov \$20,%ecx # 10*sizeof(%xmm0)/sizeof(%rax) + .long 0xa548f3fc # cld; rep movsq + + lea `48+168`(%rax),%rax + + mov -8(%rax),%rbx + mov -16(%rax),%rbp + mov -24(%rax),%r12 + mov -32(%rax),%r13 + mov -40(%rax),%r14 + mov -48(%rax),%r15 + mov %rbx,144($context) # restore context->Rbx + mov %rbp,160($context) # restore context->Rbp + mov %r12,216($context) # restore context->R12 + mov %r13,224($context) # restore context->R13 + mov %r14,232($context) # restore context->R14 + mov %r15,240($context) # restore context->R14 + +.Lcommon_seh_tail: + mov 8(%rax),%rdi + mov 16(%rax),%rsi + mov %rax,152($context) # restore context->Rsp + mov %rsi,168($context) # restore context->Rsi + mov %rdi,176($context) # restore context->Rdi + + mov 40($disp),%rdi # disp->ContextRecord + mov $context,%rsi # context + mov \$154,%ecx # sizeof(CONTEXT) + .long 0xa548f3fc # cld; rep movsq + + mov $disp,%rsi + xor %rcx,%rcx # arg1, UNW_FLAG_NHANDLER + mov 8(%rsi),%rdx # arg2, disp->ImageBase + mov 0(%rsi),%r8 # arg3, disp->ControlPc + mov 16(%rsi),%r9 # arg4, disp->FunctionEntry + mov 40(%rsi),%r10 # disp->ContextRecord + lea 56(%rsi),%r11 # 
&disp->HandlerData + lea 24(%rsi),%r12 # &disp->EstablisherFrame + mov %r10,32(%rsp) # arg5 + mov %r11,40(%rsp) # arg6 + mov %r12,48(%rsp) # arg7 + mov %rcx,56(%rsp) # arg8, (NULL) + call *__imp_RtlVirtualUnwind(%rip) + + mov \$1,%eax # ExceptionContinueSearch + add \$64,%rsp + popfq + pop %r15 + pop %r14 + pop %r13 + pop %r12 + pop %rbp + pop %rbx + pop %rdi + pop %rsi + ret +.size rsaz_avx_handler,.-rsaz_avx_handler + +.section .pdata +.align 4 + .rva .LSEH_begin_ossl_rsaz_amm52x40_x1_ifma256 + .rva .LSEH_end_ossl_rsaz_amm52x40_x1_ifma256 + .rva .LSEH_info_ossl_rsaz_amm52x40_x1_ifma256 + + .rva .LSEH_begin_ossl_rsaz_amm52x40_x2_ifma256 + .rva .LSEH_end_ossl_rsaz_amm52x40_x2_ifma256 + .rva .LSEH_info_ossl_rsaz_amm52x40_x2_ifma256 + +.section .xdata +.align 8 +.LSEH_info_ossl_rsaz_amm52x40_x1_ifma256: + .byte 9,0,0,0 + .rva rsaz_avx_handler + .rva .Lossl_rsaz_amm52x40_x1_ifma256_body,.Lossl_rsaz_amm52x40_x1_ifma256_epilogue +.LSEH_info_ossl_rsaz_amm52x40_x2_ifma256: + .byte 9,0,0,0 + .rva rsaz_avx_handler + .rva .Lossl_rsaz_amm52x40_x2_ifma256_body,.Lossl_rsaz_amm52x40_x2_ifma256_epilogue +___ +} +}}} else {{{ # fallback for old assembler +$code.=<<___; +.text + +.globl ossl_rsaz_amm52x40_x1_ifma256 +.globl ossl_rsaz_amm52x40_x2_ifma256 +.globl ossl_extract_multiplier_2x40_win5 +.type ossl_rsaz_amm52x40_x1_ifma256,\@abi-omnipotent +ossl_rsaz_amm52x40_x1_ifma256: +ossl_rsaz_amm52x40_x2_ifma256: +ossl_extract_multiplier_2x40_win5: + .byte 0x0f,0x0b # ud2 + ret +.size ossl_rsaz_amm52x40_x1_ifma256, .-ossl_rsaz_amm52x40_x1_ifma256 +___ +}}} + +$code =~ s/\`([^\`]*)\`/eval $1/gem; +print $code; +close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/bn/bn_asm.c b/crypto/bn/bn_asm.c index 257701d9d..f53b88f2c 100644 --- a/crypto/bn/bn_asm.c +++ b/crypto/bn/bn_asm.c 
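Review bot: The NASM and clang toolchain probes near the top of the file are guarded by `!$avx512`, but `$avx512` is never assigned anywhere in this file — the flag the GNU-as probe sets is `$avx512ifma` — so both guards are always true and the last matching probe wins (for example a clang older than 7.0 driving a GNU as ≥ 2.26 would reset `$avx512ifma` to 0 and the file would emit the `ud2` stubs instead of the IFMA code). Unless last-probe-wins is intended, both guards should read `if (!$avx512ifma && $win64 && ...)` and likewise on the clang probe; there is no `use strict` here, which is why the undeclared name goes unnoticed. Two smaller points: in the SEH handler the comment on `mov %r15,240($context)` says `# restore context->R14` although it restores R15, and the fallback branch emits a `.size` only for `ossl_rsaz_amm52x40_x1_ifma256` even though it defines the other two symbols at the same address.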
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -422,11 +422,6 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, #if defined(BN_MUL_COMBA) && !defined(OPENSSL_SMALL_FOOTPRINT) -# undef bn_mul_comba8 -# undef bn_mul_comba4 -# undef bn_sqr_comba8 -# undef bn_sqr_comba4 - /* mul_add_c(a,b,c0,c1,c2) -- c+=a*b for three word number c=(c2,c1,c0) */ /* mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0) */ /* sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0) */ @@ -950,8 +945,6 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, #else /* !BN_MUL_COMBA */ /* hmm... is it faster just to do a multiply? */ -# undef bn_sqr_comba4 -# undef bn_sqr_comba8 void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a) { BN_ULONG t[8]; diff --git a/crypto/bn/bn_const.c b/crypto/bn/bn_const.c index a36e0ac79..96ad0268b 100644 --- a/crypto/bn/bn_const.c +++ b/crypto/bn/bn_const.c @@ -1,5 +1,5 @@ /* - * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -19,7 +19,7 @@ * The prime is: 2^768 - 2 ^704 - 1 + 2^64 * { [2^638 pi] + 149686 } * * RFC2409 specifies a generator of 2. - * RFC2412 specifies a generator of of 22. + * RFC2412 specifies a generator of 22. */ BIGNUM *BN_get_rfc2409_prime_768(BIGNUM *bn) diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c index 4e169ae1f..4d02dcda5 100644 --- a/crypto/bn/bn_exp.c +++ b/crypto/bn/bn_exp.c 
@@ -1439,12 +1439,20 @@ int BN_mod_exp_mont_consttime_x2(BIGNUM *rr1, const BIGNUM *a1, const BIGNUM *p1 BN_MONT_CTX *mont2 = NULL; if (ossl_rsaz_avx512ifma_eligible() && - ((a1->top == 16) && (p1->top == 16) && (BN_num_bits(m1) == 1024) && - (a2->top == 16) && (p2->top == 16) && (BN_num_bits(m2) == 1024))) { - - if (bn_wexpand(rr1, 16) == NULL) + (((a1->top == 16) && (p1->top == 16) && (BN_num_bits(m1) == 1024) && + (a2->top == 16) && (p2->top == 16) && (BN_num_bits(m2) == 1024)) || + ((a1->top == 24) && (p1->top == 24) && (BN_num_bits(m1) == 1536) && + (a2->top == 24) && (p2->top == 24) && (BN_num_bits(m2) == 1536)) || + ((a1->top == 32) && (p1->top == 32) && (BN_num_bits(m1) == 2048) && + (a2->top == 32) && (p2->top == 32) && (BN_num_bits(m2) == 2048)))) { + + int topn = a1->top; + /* Modulus bits of |m1| and |m2| are equal */ + int mod_bits = BN_num_bits(m1); + + if (bn_wexpand(rr1, topn) == NULL) goto err; - if (bn_wexpand(rr2, 16) == NULL) + if (bn_wexpand(rr2, topn) == NULL) goto err; /* Ensure that montgomery contexts are initialized */ @@ -1469,14 +1477,14 @@ int BN_mod_exp_mont_consttime_x2(BIGNUM *rr1, const BIGNUM *a1, const BIGNUM *p1 mont1->RR.d, mont1->n0[0], rr2->d, a2->d, p2->d, m2->d, mont2->RR.d, mont2->n0[0], - 1024 /* factor bit size */); + mod_bits); - rr1->top = 16; + rr1->top = topn; rr1->neg = 0; bn_correct_top(rr1); bn_check_top(rr1); - rr2->top = 16; + rr2->top = topn; rr2->neg = 0; bn_correct_top(rr2); bn_check_top(rr2); diff --git a/crypto/bn/bn_gcd.c b/crypto/bn/bn_gcd.c index 59d024f67..d0a3d3eb9 100644 --- a/crypto/bn/bn_gcd.c +++ b/crypto/bn/bn_gcd.c 
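Review bot: The eligibility predicate is now the same three-term check written out three times for 16, 24 and 32 words, and `topn`/`mod_bits` are then derived from `a1->top` and `m1` on the assumption that whichever alternative matched also guarantees `BN_num_bits(m1) == topn * 64` — true today, but the next size added has to keep six fields in sync by hand. A small helper keeps that invariant in one place (sketch below; `BN_BITS2` is the usual word-width macro, not visible in this hunk). It is also worth a comment that, because the check keys on `top`, a base or exponent whose high word happens to be zero silently takes the generic path; that is a performance cliff rather than a timing leak as long as the fallback outside this hunk is the constant-time routine, but it surprises readers. `BN_mod_exp_mont_consttime_x2()` starts before and ends after this hunk.
```c
/* The AVX-512 IFMA x2 path handles full-width 1024/1536/2048-bit operands only. */
static int bn_rsaz_x2_size_ok(const BIGNUM *a, const BIGNUM *p,
                              const BIGNUM *m, int topn)
{
    return a->top == topn && p->top == topn && BN_num_bits(m) == topn * BN_BITS2;
}
/* … unchanged: function head … */
    if (ossl_rsaz_avx512ifma_eligible()
        && (a1->top == 16 || a1->top == 24 || a1->top == 32)
        && bn_rsaz_x2_size_ok(a1, p1, m1, a1->top)
        && bn_rsaz_x2_size_ok(a2, p2, m2, a1->top)) {
        int topn = a1->top;
```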
@@ -534,6 +534,37 @@ BIGNUM *BN_mod_inverse(BIGNUM *in, return rv; } +/* + * The numbers a and b are coprime if the only positive integer that is a + * divisor of both of them is 1. + * i.e. gcd(a,b) = 1. + * + * Coprimes have the property: b has a multiplicative inverse modulo a + * i.e there is some value x such that bx = 1 (mod a). + * + * Testing the modulo inverse is currently much faster than the constant + * time version of BN_gcd(). + */ +int BN_are_coprime(BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) +{ + int ret = 0; + BIGNUM *tmp; + + BN_CTX_start(ctx); + tmp = BN_CTX_get(ctx); + if (tmp == NULL) + goto end; + + ERR_set_mark(); + BN_set_flags(a, BN_FLG_CONSTTIME); + ret = (BN_mod_inverse(tmp, a, b, ctx) != NULL); + /* Clear any errors (an error is returned if there is no inverse) */ + ERR_pop_to_mark(); +end: + BN_CTX_end(ctx); + return ret; +} + /*- * This function is based on the constant-time GCD work by Bernstein and Yang: * https://eprint.iacr.org/2019/266 diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 7ad684256..73ef4949f 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -829,9 +829,6 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) BN_ULONG t; int i; - if (a == b) - return; - bn_wcheck_size(a, nwords); bn_wcheck_size(b, nwords); diff --git a/crypto/bn/bn_mul.c b/crypto/bn/bn_mul.c index dc6b6f5a1..0d4a0a232 100644 --- a/crypto/bn/bn_mul.c +++ b/crypto/bn/bn_mul.c 
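Review bot: `BN_are_coprime()` sets `BN_FLG_CONSTTIME` on the caller's `a` and never clears it, so the flag outlives the call and may change which code path later BN operations on that BIGNUM take; nothing in the comment says so, and it is the only reason the parameter is non-const. If `a` is not meant to be mutated, the three lines `BIGNUM *tmp, a_ct;`, `BN_with_flags(&a_ct, a, BN_FLG_CONSTTIME);` and `ret = (BN_mod_inverse(tmp, &a_ct, b, ctx) != NULL);` use the shallow-copy idiom the BN code uses elsewhere (not visible in this hunk) and let the signature become `const BIGNUM *a`; otherwise the comment should state that the flag is left set on `a`. The comment also says "b has a multiplicative inverse modulo a" while the call `BN_mod_inverse(tmp, a, b, ctx)` computes a^-1 mod b — equivalent for coprimality, but the text should match the code, e.g. `a has a multiplicative inverse modulo b, i.e. there is some x such that ax = 1 (mod b)`.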
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -115,12 +115,12 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r, r[1] = a[1]; if (--dl <= 0) break; - /* fall thru */ + /* fall through */ case 2: r[2] = a[2]; if (--dl <= 0) break; - /* fall thru */ + /* fall through */ case 3: r[3] = a[3]; if (--dl <= 0) diff --git a/crypto/bn/bn_ppc.c b/crypto/bn/bn_ppc.c index 3ee76ea96..1e9421bee 100644 --- a/crypto/bn/bn_ppc.c +++ b/crypto/bn/bn_ppc.c @@ -19,6 +19,12 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, int num); int bn_mul4x_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, int num); + int bn_mul_mont_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap, + const BN_ULONG *bp, const BN_ULONG *np, + const BN_ULONG *n0, int num); + int bn_mul_mont_300_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap, + const BN_ULONG *bp, const BN_ULONG *np, + const BN_ULONG *n0, int num); if (num < 4) return 0; @@ -34,5 +40,14 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, * no opportunity to figure it out... */ +#if defined(_ARCH_PPC64) && !defined(__ILP32__) + if (num == 6) { + if (OPENSSL_ppccap_P & PPC_MADD300) + return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num); + else + return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num); + } +#endif + return bn_mul_mont_int(rp, ap, bp, np, n0, num); } diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c index ddd31a025..79776f1ce 100644 --- a/crypto/bn/bn_prime.c +++ b/crypto/bn/bn_prime.c 
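Review bot: The new `num == 6` dispatch in `bn_mul_mont()` carries no comment saying why six words is special, and the two prototypes it needs are declared in every build while the call itself sits under `#if defined(_ARCH_PPC64) && !defined(__ILP32__)`. A one-line comment such as `/* 6 x 64-bit words (384-bit operands, presumably P-384 -- confirm): fully unrolled routine, ISA 3.0 variant when PPC_MADD300 is set */` would cover the intent, and the prototypes can move inside the same `#if` so 32-bit builds do not declare routines they never link. Stylistically the `else` after `return` is redundant: `if (OPENSSL_ppccap_P & PPC_MADD300) return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num); return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num);`. The code between the two hunks of `bn_mul_mont()` is outside this view, so I cannot confirm nothing there already routes `num == 6` elsewhere.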
@@ -252,6 +252,17 @@ int ossl_bn_check_prime(const BIGNUM *w, int checks, BN_CTX *ctx, return bn_is_prime_int(w, checks, ctx, do_trial_division, cb); } +/* + * Use this only for key generation. + * It always uses trial division. The number of checks + * (MR rounds) passed in is used without being clamped to a minimum value. + */ +int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx, + BN_GENCB *cb) +{ + return bn_is_prime_int(w, checks, ctx, 1, cb); +} + int BN_check_prime(const BIGNUM *p, BN_CTX *ctx, BN_GENCB *cb) { return ossl_bn_check_prime(p, 0, ctx, 1, cb); diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_4.c index abce1aa2d..c3466dfc3 100644 --- a/crypto/bn/bn_rsa_fips186_4.c +++ b/crypto/bn/bn_rsa_fips186_4.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -48,6 +48,34 @@ const BIGNUM ossl_bn_inv_sqrt_2 = { BN_FLG_STATIC_DATA }; +/* + * Refer to FIPS 186-5 Table B.1 for minimum rounds of Miller Rabin + * required for generation of RSA aux primes (p1, p2, q1 and q2). + */ +static int bn_rsa_fips186_5_aux_prime_MR_rounds(int nbits) +{ + if (nbits >= 4096) + return 44; + if (nbits >= 3072) + return 41; + if (nbits >= 2048) + return 38; + return 0; /* Error */ +} + +/* + * Refer to FIPS 186-5 Table B.1 for minimum rounds of Miller Rabin + * required for generation of RSA primes (p and q) + */ +static int bn_rsa_fips186_5_prime_MR_rounds(int nbits) +{ + if (nbits >= 3072) + return 4; + if (nbits >= 2048) + return 5; + return 0; /* Error */ +} + /* * FIPS 186-5 Table A.1. "Min length of auxiliary primes p1, p2, q1, q2". * (FIPS 186-5 has an entry for >= 4096 bits). 
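Review bot: ossl_bn_check_generated_prime forwards `checks` unclamped by design, yet the two FIPS 186-5 round tables added in this same change return 0 as their error value, so a caller that forgets to test the table result runs the Miller-Rabin loop zero times and, unless bn_is_prime_int maps 0 to a default (not visible in this hunk), accepts anything that survives trial division. Reject that at the boundary rather than trusting each caller: `if (checks <= 0) return -1;` before the bn_is_prime_int call, and state it in the comment, ` * checks must be > 0; -1 is returned otherwise.`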
@@ -97,11 +125,13 @@ static int bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(int nbits) * Xp1 The passed in starting point to find a probably prime. * p1 The returned probable prime (first odd integer >= Xp1) * ctx A BN_CTX object. + * rounds The number of Miller Rabin rounds * cb An optional BIGNUM callback. * Returns: 1 on success otherwise it returns 0. */ static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1, BIGNUM *p1, BN_CTX *ctx, + int rounds, BN_GENCB *cb) { int ret = 0; @@ -117,7 +147,7 @@ static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1, i++; BN_GENCB_call(cb, 0, i); /* MR test with trial division */ - tmp = BN_check_prime(p1, ctx, cb); + tmp = ossl_bn_check_generated_prime(p1, rounds, ctx, cb); if (tmp > 0) break; if (tmp < 0) @@ -160,7 +190,7 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, { int ret = 0; BIGNUM *p1i = NULL, *p2i = NULL, *Xp1i = NULL, *Xp2i = NULL; - int bitlen; + int bitlen, rounds; if (p == NULL || Xpout == NULL) return 0; @@ -177,6 +207,7 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, bitlen = bn_rsa_fips186_5_aux_prime_min_size(nlen); if (bitlen == 0) goto err; + rounds = bn_rsa_fips186_5_aux_prime_MR_rounds(nlen); /* (Steps 4.1/5.1): Randomly generate Xp1 if it is not passed in */ if (Xp1 == NULL) { @@ -194,8 +225,8 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, } /* (Steps 4.2/5.2) - find first auxiliary probable primes */ - if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, cb) - || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, cb)) + if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, rounds, cb) + || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, rounds, cb)) goto err; /* (Table B.1) auxiliary prime Max length check */ if ((BN_num_bits(p1i) + BN_num_bits(p2i)) >= 
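Review bot: `rounds = bn_rsa_fips186_5_aux_prime_MR_rounds(nlen);` is never checked, although that helper returns 0 for nlen below 2048 and the value goes straight into the unclamped ossl_bn_check_generated_prime. The preceding `bitlen == 0` test appears to reject the same sizes, but that coupling is implicit and lives in a different table; mirror it with `if (rounds == 0) goto err;` so the MR count can never silently be zero. ossl_bn_rsa_fips186_4_gen_prob_primes starts and ends outside this hunk.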
@@ -243,11 +274,11 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, */ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, const BIGNUM *r1, const BIGNUM *r2, - int nlen, const BIGNUM *e, BN_CTX *ctx, - BN_GENCB *cb) + int nlen, const BIGNUM *e, + BN_CTX *ctx, BN_GENCB *cb) { int ret = 0; - int i, imax; + int i, imax, rounds; int bits = nlen >> 1; BIGNUM *tmp, *R, *r1r2x2, *y1, *r1x2; BIGNUM *base, *range; @@ -286,14 +317,20 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, goto err; } + /* + * (Step 1) GCD(2r1, r2) = 1. + * Note: This algorithm was doing a gcd(2r1, r2)=1 test before doing an + * mod_inverse(2r1, r2) which are effectively the same operation. + * (The algorithm assumed that the gcd test would be faster). Since the + * mod_inverse is currently faster than calling the constant time + * BN_gcd(), the call to BN_gcd() has been omitted. The inverse result + * is used further down. + */ if (!(BN_lshift1(r1x2, r1) - /* (Step 1) GCD(2r1, r2) = 1 */ - && BN_gcd(tmp, r1x2, r2, ctx) - && BN_is_one(tmp) + && (BN_mod_inverse(tmp, r1x2, r2, ctx) != NULL) /* (Step 2) R = ((r2^-1 mod 2r1) * r2) - ((2r1^-1 mod r2)*2r1) */ - && BN_mod_inverse(R, r2, r1x2, ctx) + && (BN_mod_inverse(R, r2, r1x2, ctx) != NULL) && BN_mul(R, R, r2, ctx) /* R = (r2^-1 mod 2r1) * r2 */ - && BN_mod_inverse(tmp, r1x2, r2, ctx) && BN_mul(tmp, tmp, r1x2, ctx) /* tmp = (2r1^-1 mod r2)*2r1 */ && BN_sub(R, R, tmp) /* Calculate 2r1r2 */ 
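Review bot: The two BN_mod_inverse calls that now replace the BN_gcd test operate on the secret auxiliary primes (`r1x2` = 2r1 and `r2`), and nothing in view sets BN_FLG_CONSTTIME on `r1x2`, so the variable-time path is presumably taken — unlike BN_are_coprime elsewhere in this change, which sets the flag before calling the same function. The exposure is not new (the removed third call computed the same inverse), but since the new comment justifies dropping the constant-time BN_gcd on speed grounds it should at least be deliberate: `BN_set_flags(r1x2, BN_FLG_CONSTTIME);` right after r1x2 is taken from the BN_CTX (above this hunk), or a sentence in the comment saying why variable time is acceptable here. ossl_bn_rsa_fips186_4_derive_prime continues beyond this hunk.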
@@ -305,11 +342,13 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, /* * In FIPS 186-4 imax was set to 5 * nlen/2. - * Analysis by Allen Roginsky (See https://csrc.nist.gov/CSRC/media/Publications/fips/186/4/final/documents/comments-received-fips186-4-december-2015.pdf + * Analysis by Allen Roginsky + * (See https://csrc.nist.gov/CSRC/media/Publications/fips/186/4/final/documents/comments-received-fips186-4-december-2015.pdf * page 68) indicates this has a 1 in 2 million chance of failure. * The number has been updated to 20 * nlen/2 as used in * FIPS186-5 Appendix B.9 Step 9. */ + rounds = bn_rsa_fips186_5_prime_MR_rounds(nlen); imax = 20 * bits; /* max = 20/2 * nbits */ for (;;) { if (Xin == NULL) { @@ -318,7 +357,7 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, * sqrt(2) * 2^(nlen/2-1) <= Random X <= (2^(nlen/2)) - 1. */ if (!BN_priv_rand_range_ex(X, range, 0, ctx) || !BN_add(X, X, base)) - goto end; + goto err; } /* (Step 4) Y = X + ((R - X) mod 2r1r2) */ if (!BN_mod_sub(Y, R, X, r1r2x2, ctx) || !BN_add(Y, Y, X)) @@ -337,11 +376,11 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, /* (Step 7) If GCD(Y-1) == 1 & Y is probably prime then return Y */ if (BN_copy(y1, Y) == NULL - || !BN_sub_word(y1, 1) - || !BN_gcd(tmp, y1, e, ctx)) + || !BN_sub_word(y1, 1)) goto err; - if (BN_is_one(tmp)) { - int rv = BN_check_prime(Y, ctx, cb); + + if (BN_are_coprime(y1, e, ctx)) { + int rv = ossl_bn_check_generated_prime(Y, rounds, ctx, cb); if (rv > 0) goto end; diff --git a/crypto/bn/build.info b/crypto/bn/build.info index f4ff61923..0732519a1 100644 --- a/crypto/bn/build.info +++ b/crypto/bn/build.info 
@@ -24,7 +24,7 @@ IF[{- !$disabled{asm} -}] $BNASM_x86_64=\ x86_64-mont.s x86_64-mont5.s x86_64-gf2m.s rsaz_exp.c rsaz-x86_64.s \ - rsaz-avx2.s rsaz_exp_x2.c rsaz-avx512.s + rsaz-avx2.s rsaz_exp_x2.c rsaz-2k-avx512.s rsaz-3k-avx512.s rsaz-4k-avx512.s IF[{- $config{target} !~ /^VC/ -}] $BNASM_x86_64=asm/x86_64-gcc.c $BNASM_x86_64 ELSE @@ -79,7 +79,7 @@ IF[{- !$disabled{asm} -}] $BNASM_ppc32=bn_ppc.c bn-ppc.s ppc-mont.s $BNDEF_ppc32=OPENSSL_BN_ASM_MONT - $BNASM_ppc64=$BNASM_ppc32 + $BNASM_ppc64=$BNASM_ppc32 ppc64-mont-fixed.s $BNDEF_ppc64=$BNDEF_ppc32 $BNASM_c64xplus=asm/bn-c64xplus.asm @@ -155,7 +155,9 @@ GENERATE[x86_64-mont5.s]=asm/x86_64-mont5.pl GENERATE[x86_64-gf2m.s]=asm/x86_64-gf2m.pl GENERATE[rsaz-x86_64.s]=asm/rsaz-x86_64.pl GENERATE[rsaz-avx2.s]=asm/rsaz-avx2.pl -GENERATE[rsaz-avx512.s]=asm/rsaz-avx512.pl +GENERATE[rsaz-2k-avx512.s]=asm/rsaz-2k-avx512.pl +GENERATE[rsaz-3k-avx512.s]=asm/rsaz-3k-avx512.pl +GENERATE[rsaz-4k-avx512.s]=asm/rsaz-4k-avx512.pl GENERATE[bn-ia64.s]=asm/ia64.S GENERATE[ia64-mont.s]=asm/ia64-mont.pl @@ -166,6 +168,7 @@ GENERATE[parisc-mont.s]=asm/parisc-mont.pl GENERATE[bn-ppc.s]=asm/ppc.pl GENERATE[ppc-mont.s]=asm/ppc-mont.pl GENERATE[ppc64-mont.s]=asm/ppc64-mont.pl +GENERATE[ppc64-mont-fixed.s]=asm/ppc64-mont-fixed.pl GENERATE[alpha-mont.S]=asm/alpha-mont.pl diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c index 0e0d02e19..3b57161b4 100644 --- a/crypto/bn/rsa_sup_mul.c +++ b/crypto/bn/rsa_sup_mul.c 
@@ -110,12 +110,34 @@ static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) *lo = (limb_t)t; } #elif (BN_BYTES == 8) && (defined _MSC_VER) -/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */ +# if defined(_M_X64) +/* + * on x86_64 (x64) we can use the _umul128 intrinsic to get one `mul` + * instruction to get both high and low 64 bits of the multiplication. + * https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-140 + */ +#include #pragma intrinsic(_umul128) static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) { *lo = _umul128(a, b, hi); } +# elif defined(_M_ARM64) || defined (_M_IA64) +/* + * We can't use the __umulh() on x86_64 as then msvc generates two `mul` + * instructions; so use this more portable intrinsic on platforms that + * don't support _umul128 (like aarch64 (ARM64) or ia64) + * https://learn.microsoft.com/en-us/cpp/intrinsics/umulh?view=msvc-140 + */ +#include +static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) +{ + *lo = a * b; + *hi = __umulh(a, b); +} +# else +# error Only x64, ARM64 and IA64 supported. +# endif /* defined(_M_X64) */ #else /* * if the compiler doesn't have either a 128bit data type nor a "return diff --git a/crypto/bn/rsaz_exp_x2.c b/crypto/bn/rsaz_exp_x2.c index b19050dfe..e458b856b 100644 --- a/crypto/bn/rsaz_exp_x2.c +++ b/crypto/bn/rsaz_exp_x2.c @@ -1,6 +1,6 @@ /* * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. - * Copyright (c) 2020, Intel Corporation. All Rights Reserved. + * Copyright (c) 2020-2021, Intel Corporation. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -8,7 +8,8 @@ * https://www.openssl.org/source/license.html * * - * Originally written by Ilya Albrekht, Sergey Kirillov and Andrey Matyukov + * Originally written by Sergey Kirillov and Andrey Matyukov. + * Special thanks to Ilya Albrekht for his valuable hints. * Intel Corporation * */ @@ -23,14 +24,6 @@ NON_EMPTY_TRANSLATION_UNIT # include # include -# if defined(__GNUC__) -# define ALIGN64 __attribute__((aligned(64))) -# elif defined(_MSC_VER) -# define ALIGN64 __declspec(align(64)) -# else -# define ALIGN64 -# endif - # define ALIGN_OF(ptr, boundary) \ ((unsigned char *)(ptr) + (boundary - (((size_t)(ptr)) & (boundary - 1)))) @@ -42,8 +35,12 @@ NON_EMPTY_TRANSLATION_UNIT # define BITS2WORD8_SIZE(x) (((x) + 7) >> 3) # define BITS2WORD64_SIZE(x) (((x) + 63) >> 6) -static ossl_inline uint64_t get_digit52(const uint8_t *in, int in_len); -static ossl_inline void put_digit52(uint8_t *out, int out_len, uint64_t digit); +/* Number of registers required to hold |digits_num| amount of qword digits */ +# define NUMBER_OF_REGISTERS(digits_num, register_size) \ + (((digits_num) * 64 + (register_size) - 1) / (register_size)) + +static ossl_inline uint64_t get_digit(const uint8_t *in, int in_len); +static ossl_inline void put_digit(uint8_t *out, int out_len, uint64_t digit); static void to_words52(BN_ULONG *out, int out_len, const BN_ULONG *in, int in_bitsize); static void from_words52(BN_ULONG *bn_out, int out_bitsize, const BN_ULONG *in); 
@@ -55,37 +52,52 @@ static ossl_inline int number_of_digits(int bitsize, int digit_size) return (bitsize + digit_size - 1) / digit_size; } -typedef void (*AMM52)(BN_ULONG *res, const BN_ULONG *base, - const BN_ULONG *exp, const BN_ULONG *m, BN_ULONG k0); -typedef void (*EXP52_x2)(BN_ULONG *res, const BN_ULONG *base, - const BN_ULONG *exp[2], const BN_ULONG *m, - const BN_ULONG *rr, const BN_ULONG k0[2]); - /* * For details of the methods declared below please refer to * crypto/bn/asm/rsaz-avx512.pl * - * Naming notes: + * Naming conventions: * amm = Almost Montgomery Multiplication * ams = Almost Montgomery Squaring - * 52x20 - data represented as array of 20 digits in 52-bit radix + * 52xZZ - data represented as array of ZZ digits in 52-bit radix * _x1_/_x2_ - 1 or 2 independent inputs/outputs - * _256 suffix - uses 256-bit (AVX512VL) registers + * _ifma256 - uses 256-bit wide IFMA ISA (AVX512_IFMA256) */ -/*AMM = Almost Montgomery Multiplication. */ -void ossl_rsaz_amm52x20_x1_256(BN_ULONG *res, const BN_ULONG *base, - const BN_ULONG *exp, const BN_ULONG *m, - BN_ULONG k0); -static void RSAZ_exp52x20_x2_256(BN_ULONG *res, const BN_ULONG *base, - const BN_ULONG *exp[2], const BN_ULONG *m, - const BN_ULONG *rr, const BN_ULONG k0[2]); -void ossl_rsaz_amm52x20_x2_256(BN_ULONG *out, const BN_ULONG *a, - const BN_ULONG *b, const BN_ULONG *m, - const BN_ULONG k0[2]); +void ossl_rsaz_amm52x20_x1_ifma256(BN_ULONG *res, const BN_ULONG *a, + const BN_ULONG *b, const BN_ULONG *m, + BN_ULONG k0); +void ossl_rsaz_amm52x20_x2_ifma256(BN_ULONG *out, const BN_ULONG *a, + const BN_ULONG *b, const BN_ULONG *m, + const BN_ULONG k0[2]); void ossl_extract_multiplier_2x20_win5(BN_ULONG *red_Y, const BN_ULONG *red_table, - int red_table_idx, int tbl_idx); + int red_table_idx1, int red_table_idx2); + +void ossl_rsaz_amm52x30_x1_ifma256(BN_ULONG *res, const BN_ULONG *a, + const BN_ULONG *b, const BN_ULONG *m, + BN_ULONG k0); +void ossl_rsaz_amm52x30_x2_ifma256(BN_ULONG *out, const 
BN_ULONG *a, + const BN_ULONG *b, const BN_ULONG *m, + const BN_ULONG k0[2]); +void ossl_extract_multiplier_2x30_win5(BN_ULONG *red_Y, + const BN_ULONG *red_table, + int red_table_idx1, int red_table_idx2); + +void ossl_rsaz_amm52x40_x1_ifma256(BN_ULONG *res, const BN_ULONG *a, + const BN_ULONG *b, const BN_ULONG *m, + BN_ULONG k0); +void ossl_rsaz_amm52x40_x2_ifma256(BN_ULONG *out, const BN_ULONG *a, + const BN_ULONG *b, const BN_ULONG *m, + const BN_ULONG k0[2]); +void ossl_extract_multiplier_2x40_win5(BN_ULONG *red_Y, + const BN_ULONG *red_table, + int red_table_idx1, int red_table_idx2); + +static int RSAZ_mod_exp_x2_ifma256(BN_ULONG *res, const BN_ULONG *base, + const BN_ULONG *exp[2], const BN_ULONG *m, + const BN_ULONG *rr, const BN_ULONG k0[2], + int modulus_bitsize); /* * Dual Montgomery modular exponentiation using prime moduli of the @@ -98,7 +110,10 @@ void ossl_extract_multiplier_2x20_win5(BN_ULONG *red_Y, * * Each moduli shall be |factor_size| bit size. * - * NOTE: currently only 2x1024 case is supported. + * Supported cases: + * - 2x1024 + * - 2x1536 + * - 2x2048 * * [out] res|i| - result of modular exponentiation: array of qword values * in regular (2^64) radix. Size of array shall be enough @@ -127,6 +142,8 @@ int ossl_rsaz_mod_exp_avx512_x2(BN_ULONG *res1, BN_ULONG k0_2, int factor_size) { + typedef void (*AMM)(BN_ULONG *res, const BN_ULONG *a, + const BN_ULONG *b, const BN_ULONG *m, BN_ULONG k0); int ret = 0; /* 
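Review bot: The naming-conventions comment at the top of this hunk still says `For details of the methods declared below please refer to crypto/bn/asm/rsaz-avx512.pl`, but this same change retires that script in favour of rsaz-2k-avx512.pl, rsaz-3k-avx512.pl and rsaz-4k-avx512.pl (see the build.info hunk), so the pointer is stale on arrival. Update it to ` * crypto/bn/asm/rsaz-{2k,3k,4k}-avx512.pl`.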
@@ -135,52 +152,60 @@ int ossl_rsaz_mod_exp_avx512_x2(BN_ULONG *res1, */ int exp_digits = number_of_digits(factor_size + 2, DIGIT_SIZE); int coeff_pow = 4 * (DIGIT_SIZE * exp_digits - factor_size); + + /* Number of YMM registers required to store exponent's digits */ + int ymm_regs_num = NUMBER_OF_REGISTERS(exp_digits, 256 /* ymm bit size */); + /* Capacity of the register set (in qwords) to store exponent */ + int regs_capacity = ymm_regs_num * 4; + BN_ULONG *base1_red, *m1_red, *rr1_red; BN_ULONG *base2_red, *m2_red, *rr2_red; BN_ULONG *coeff_red; BN_ULONG *storage = NULL; BN_ULONG *storage_aligned = NULL; - BN_ULONG storage_len_bytes = 7 * exp_digits * sizeof(BN_ULONG); - - /* AMM = Almost Montgomery Multiplication */ - AMM52 amm = NULL; - /* Dual (2-exps in parallel) exponentiation */ - EXP52_x2 exp_x2 = NULL; + int storage_len_bytes = 7 * regs_capacity * sizeof(BN_ULONG) + + 64 /* alignment */; const BN_ULONG *exp[2] = {0}; BN_ULONG k0[2] = {0}; + /* AMM = Almost Montgomery Multiplication */ + AMM amm = NULL; - /* Only 1024-bit factor size is supported now */ switch (factor_size) { case 1024: - amm = ossl_rsaz_amm52x20_x1_256; - exp_x2 = RSAZ_exp52x20_x2_256; + amm = ossl_rsaz_amm52x20_x1_ifma256; + break; + case 1536: + amm = ossl_rsaz_amm52x30_x1_ifma256; + break; + case 2048: + amm = ossl_rsaz_amm52x40_x1_ifma256; break; default: goto err; } - storage = (BN_ULONG *)OPENSSL_malloc(storage_len_bytes + 64); + storage = (BN_ULONG *)OPENSSL_malloc(storage_len_bytes); if (storage == NULL) goto err; storage_aligned = (BN_ULONG *)ALIGN_OF(storage, 64); /* Memory layout for red(undant) representations */ base1_red = storage_aligned; - base2_red = storage_aligned + 1 * exp_digits; - m1_red = storage_aligned + 2 * exp_digits; - m2_red = storage_aligned + 3 * exp_digits; - rr1_red = storage_aligned + 4 * exp_digits; - rr2_red = storage_aligned + 5 * exp_digits; - coeff_red = storage_aligned + 6 * exp_digits; + base2_red = storage_aligned + 1 * regs_capacity; + m1_red = 
storage_aligned + 2 * regs_capacity; + m2_red = storage_aligned + 3 * regs_capacity; + rr1_red = storage_aligned + 4 * regs_capacity; + rr2_red = storage_aligned + 5 * regs_capacity; + coeff_red = storage_aligned + 6 * regs_capacity; /* Convert base_i, m_i, rr_i, from regular to 52-bit radix */ - to_words52(base1_red, exp_digits, base1, factor_size); - to_words52(base2_red, exp_digits, base2, factor_size); - to_words52(m1_red, exp_digits, m1, factor_size); - to_words52(m2_red, exp_digits, m2, factor_size); - to_words52(rr1_red, exp_digits, rr1, factor_size); - to_words52(rr2_red, exp_digits, rr2, factor_size); + to_words52(base1_red, regs_capacity, base1, factor_size); + to_words52(base2_red, regs_capacity, base2, factor_size); + to_words52(m1_red, regs_capacity, m1, factor_size); + to_words52(m2_red, regs_capacity, m2, factor_size); + to_words52(rr1_red, regs_capacity, rr1, factor_size); + to_words52(rr2_red, regs_capacity, rr2, factor_size); /* * Compute target domain Montgomery converters RR' for each modulus @@ -193,10 +218,10 @@ int ossl_rsaz_mod_exp_avx512_x2(BN_ULONG *res1, * where * k = 4 * (52 * digits52 - modlen) * R = 2^(64 * ceil(modlen/64)) mod m - * RR = R^2 mod M + * RR = R^2 mod m * R' = 2^(52 * ceil(modlen/52)) mod m * - * modlen = 1024: k = 64, RR = 2^2048 mod m, RR' = 2^2080 mod m + * EX/ modlen = 1024: k = 64, RR = 2^2048 mod m, RR' = 2^2080 mod m */ memset(coeff_red, 0, exp_digits * sizeof(BN_ULONG)); /* (1) in reduced domain representation */ @@ -214,7 +239,11 @@ int ossl_rsaz_mod_exp_avx512_x2(BN_ULONG *res1, k0[0] = k0_1; k0[1] = k0_2; - exp_x2(rr1_red, base1_red, exp, m1_red, rr1_red, k0); + /* Dual (2-exps in parallel) exponentiation */ + ret = RSAZ_mod_exp_x2_ifma256(rr1_red, base1_red, exp, m1_red, rr1_red, + k0, factor_size); + if (!ret) + goto err; /* Convert rr_i back to regular radix */ from_words52(res1, factor_size, rr1_red); 
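Review bot: `memset(coeff_red, 0, exp_digits * sizeof(BN_ULONG));` still zeroes only `exp_digits` qwords, while every other buffer in this layout is now sized and filled to `regs_capacity` and the storage comes from OPENSSL_malloc, not zalloc. With the 52-bit digit size the 1536-bit case gives exp_digits = 30 but regs_capacity = 32, so coeff_red's last two qwords are uninitialised heap memory handed to `amm` as the multiplier; whether the x30 kernel reads those lanes is not visible here, but the fix is free: `memset(coeff_red, 0, regs_capacity * sizeof(BN_ULONG));`.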
@@ -225,8 +254,6 @@ int ossl_rsaz_mod_exp_avx512_x2(BN_ULONG *res1, bn_reduce_once_in_place(res1, /*carry=*/0, m1, storage, factor_size); bn_reduce_once_in_place(res2, /*carry=*/0, m2, storage, factor_size); - - ret = 1; err: if (storage != NULL) { OPENSSL_cleanse(storage, storage_len_bytes); 
@@ -236,91 +263,150 @@ int ossl_rsaz_mod_exp_avx512_x2(BN_ULONG *res1, } /* - * Dual 1024-bit w-ary modular exponentiation using prime moduli of the same - * bit size using Almost Montgomery Multiplication, optimized with AVX512_IFMA - * ISA. + * Dual {1024,1536,2048}-bit w-ary modular exponentiation using prime moduli of + * the same bit size using Almost Montgomery Multiplication, optimized with + * AVX512_IFMA256 ISA. * * The parameter w (window size) = 5. * - * [out] res - result of modular exponentiation: 2x20 qword + * [out] res - result of modular exponentiation: 2x{20,30,40} qword * values in 2^52 radix. - * [in] base - base (2x20 qword values in 2^52 radix) - * [in] exp - array of 2 pointers to 16 qword values in 2^64 radix. + * [in] base - base (2x{20,30,40} qword values in 2^52 radix) + * [in] exp - array of 2 pointers to {16,24,32} qword values in 2^64 radix. * Exponent is not converted to redundant representation. - * [in] m - moduli (2x20 qword values in 2^52 radix) - * [in] rr - Montgomery parameter for 2 moduli: RR = 2^2080 mod m. - * (2x20 qword values in 2^52 radix) + * [in] m - moduli (2x{20,30,40} qword values in 2^52 radix) + * [in] rr - Montgomery parameter for 2 moduli: + * RR(1024) = 2^2080 mod m. + * RR(1536) = 2^3120 mod m. + * RR(2048) = 2^4160 mod m. + * (2x{20,30,40} qword values in 2^52 radix) * [in] k0 - Montgomery parameter for 2 moduli: k0 = -1/m mod 2^64 * * \return (void). 
*/ -static void RSAZ_exp52x20_x2_256(BN_ULONG *out, /* [2][20] */ - const BN_ULONG *base, /* [2][20] */ - const BN_ULONG *exp[2], /* 2x16 */ - const BN_ULONG *m, /* [2][20] */ - const BN_ULONG *rr, /* [2][20] */ - const BN_ULONG k0[2]) +int RSAZ_mod_exp_x2_ifma256(BN_ULONG *out, + const BN_ULONG *base, + const BN_ULONG *exp[2], + const BN_ULONG *m, + const BN_ULONG *rr, + const BN_ULONG k0[2], + int modulus_bitsize) { -# define BITSIZE_MODULUS (1024) -# define EXP_WIN_SIZE (5) -# define EXP_WIN_MASK ((1U << EXP_WIN_SIZE) - 1) -/* - * Number of digits (64-bit words) in redundant representation to handle - * modulus bits - */ -# define RED_DIGITS (20) -# define EXP_DIGITS (16) -# define DAMM ossl_rsaz_amm52x20_x2_256 + typedef void (*DAMM)(BN_ULONG *res, const BN_ULONG *a, + const BN_ULONG *b, const BN_ULONG *m, + const BN_ULONG k0[2]); + typedef void (*DEXTRACT)(BN_ULONG *res, const BN_ULONG *red_table, + int red_table_idx, int tbl_idx); + + int ret = 0; + int idx; + + /* Exponent window size */ + int exp_win_size = 5; + int exp_win_mask = (1U << exp_win_size) - 1; + + /* + * Number of digits (64-bit words) in redundant representation to handle + * modulus bits + */ + int red_digits = 0; + int exp_digits = 0; + + BN_ULONG *storage = NULL; + BN_ULONG *storage_aligned = NULL; + int storage_len_bytes = 0; + + /* Red(undant) result Y and multiplier X */ + BN_ULONG *red_Y = NULL; /* [2][red_digits] */ + BN_ULONG *red_X = NULL; /* [2][red_digits] */ + /* Pre-computed table of base powers */ + BN_ULONG *red_table = NULL; /* [1U << exp_win_size][2][red_digits] */ + /* Expanded exponent */ + BN_ULONG *expz = NULL; /* [2][exp_digits + 1] */ + + /* Dual AMM */ + DAMM damm = NULL; + /* Extractor from red_table */ + DEXTRACT extract = NULL; + /* * Squaring is done using multiplication now. That can be a subject of * optimization in future. 
*/ -# define DAMS(r,a,m,k0) \ - ossl_rsaz_amm52x20_x2_256((r),(a),(a),(m),(k0)) +# define DAMS(r,a,m,k0) damm((r),(a),(a),(m),(k0)) - /* Allocate stack for red(undant) result Y and multiplier X */ - ALIGN64 BN_ULONG red_Y[2][RED_DIGITS]; - ALIGN64 BN_ULONG red_X[2][RED_DIGITS]; - - /* Allocate expanded exponent */ - ALIGN64 BN_ULONG expz[2][EXP_DIGITS + 1]; + switch (modulus_bitsize) { + case 1024: + red_digits = 20; + exp_digits = 16; + damm = ossl_rsaz_amm52x20_x2_ifma256; + extract = ossl_extract_multiplier_2x20_win5; + break; + case 1536: + /* Extended with 2 digits padding to avoid mask ops in high YMM register */ + red_digits = 30 + 2; + exp_digits = 24; + damm = ossl_rsaz_amm52x30_x2_ifma256; + extract = ossl_extract_multiplier_2x30_win5; + break; + case 2048: + red_digits = 40; + exp_digits = 32; + damm = ossl_rsaz_amm52x40_x2_ifma256; + extract = ossl_extract_multiplier_2x40_win5; + break; + default: + goto err; + } - /* Pre-computed table of base powers */ - ALIGN64 BN_ULONG red_table[1U << EXP_WIN_SIZE][2][RED_DIGITS]; + storage_len_bytes = (2 * red_digits /* red_Y */ + + 2 * red_digits /* red_X */ + + 2 * red_digits * (1U << exp_win_size) /* red_table */ + + 2 * (exp_digits + 1)) /* expz */ + * sizeof(BN_ULONG) + + 64; /* alignment */ - int idx; + storage = (BN_ULONG *)OPENSSL_zalloc(storage_len_bytes); + if (storage == NULL) + goto err; + storage_aligned = (BN_ULONG *)ALIGN_OF(storage, 64); - memset(red_Y, 0, sizeof(red_Y)); - memset(red_table, 0, sizeof(red_table)); - memset(red_X, 0, sizeof(red_X)); + red_Y = storage_aligned; + red_X = red_Y + 2 * red_digits; + red_table = red_X + 2 * red_digits; + expz = red_table + 2 * red_digits * (1U << exp_win_size); /* * Compute table of powers base^i, i = 0, ..., (2^EXP_WIN_SIZE) - 1 * table[0] = mont(x^0) = mont(1) * table[1] = mont(x^1) = mont(x) */ - red_X[0][0] = 1; - red_X[1][0] = 1; - DAMM(red_table[0][0], (const BN_ULONG*)red_X, rr, m, k0); - DAMM(red_table[1][0], base, rr, m, k0); - - for (idx = 1; idx 
< (int)((1U << EXP_WIN_SIZE) / 2); idx++) { - DAMS(red_table[2 * idx + 0][0], red_table[1 * idx][0], m, k0); - DAMM(red_table[2 * idx + 1][0], red_table[2 * idx][0], red_table[1][0], m, k0); + red_X[0 * red_digits] = 1; + red_X[1 * red_digits] = 1; + damm(&red_table[0 * 2 * red_digits], (const BN_ULONG*)red_X, rr, m, k0); + damm(&red_table[1 * 2 * red_digits], base, rr, m, k0); + + for (idx = 1; idx < (int)((1U << exp_win_size) / 2); idx++) { + DAMS(&red_table[(2 * idx + 0) * 2 * red_digits], + &red_table[(1 * idx) * 2 * red_digits], m, k0); + damm(&red_table[(2 * idx + 1) * 2 * red_digits], + &red_table[(2 * idx) * 2 * red_digits], + &red_table[1 * 2 * red_digits], m, k0); } /* Copy and expand exponents */ - memcpy(expz[0], exp[0], EXP_DIGITS * sizeof(BN_ULONG)); - expz[0][EXP_DIGITS] = 0; - memcpy(expz[1], exp[1], EXP_DIGITS * sizeof(BN_ULONG)); - expz[1][EXP_DIGITS] = 0; + memcpy(&expz[0 * (exp_digits + 1)], exp[0], exp_digits * sizeof(BN_ULONG)); + expz[1 * (exp_digits + 1) - 1] = 0; + memcpy(&expz[1 * (exp_digits + 1)], exp[1], exp_digits * sizeof(BN_ULONG)); + expz[2 * (exp_digits + 1) - 1] = 0; /* Exponentiation */ { - const int rem = BITSIZE_MODULUS % EXP_WIN_SIZE; - BN_ULONG table_idx_mask = EXP_WIN_MASK; + int rem = modulus_bitsize % exp_win_size; + int delta = rem ? rem : exp_win_size; + BN_ULONG table_idx_mask = exp_win_mask; - int exp_bit_no = BITSIZE_MODULUS - rem; + int exp_bit_no = modulus_bitsize - delta; int exp_chunk_no = exp_bit_no / 64; int exp_chunk_shift = exp_bit_no % 64; 
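Review bot: The header comment of RSAZ_mod_exp_x2_ifma256 still ends with `\return (void).`, but the rewrite returns an int — 1 on success, 0 when modulus_bitsize is unsupported or OPENSSL_zalloc fails — and the caller now acts on it; change it to ` * \return 1 on success, 0 on unsupported modulus_bitsize or allocation failure.` Two smaller points: the forward declaration earlier in this file says `static` but this definition drops it (legal, yet easy to misread as an exported symbol), and the new `int delta = rem ? rem : exp_win_size;` fallback is dead for all three supported sizes (1024, 1536 and 2048 are all non-multiples of 5) while the next hunk keeps `OPENSSL_assert(rem != 0)`, so either the fallback or the assert should go.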
@@ -337,8 +423,8 @@ static void RSAZ_exp52x20_x2_256(BN_ULONG *out, /* [2][20] */ OPENSSL_assert(rem != 0); /* Process 1-st exp window - just init result */ - red_table_idx_0 = expz[0][exp_chunk_no]; - red_table_idx_1 = expz[1][exp_chunk_no]; + red_table_idx_0 = expz[exp_chunk_no + 0 * (exp_digits + 1)]; + red_table_idx_1 = expz[exp_chunk_no + 1 * (exp_digits + 1)]; /* * The function operates with fixed moduli sizes divisible by 64, * thus table index here is always in supported range [0, EXP_WIN_SIZE). @@ -346,13 +432,10 @@ static void RSAZ_exp52x20_x2_256(BN_ULONG *out, /* [2][20] */ red_table_idx_0 >>= exp_chunk_shift; red_table_idx_1 >>= exp_chunk_shift; - ossl_extract_multiplier_2x20_win5(red_Y[0], (const BN_ULONG*)red_table, - (int)red_table_idx_0, 0); - ossl_extract_multiplier_2x20_win5(red_Y[1], (const BN_ULONG*)red_table, - (int)red_table_idx_1, 1); + extract(&red_Y[0 * red_digits], (const BN_ULONG*)red_table, (int)red_table_idx_0, (int)red_table_idx_1); /* Process other exp windows */ - for (exp_bit_no -= EXP_WIN_SIZE; exp_bit_no >= 0; exp_bit_no -= EXP_WIN_SIZE) { + for (exp_bit_no -= exp_win_size; exp_bit_no >= 0; exp_bit_no -= exp_win_size) { /* Extract pre-computed multiplier from the table */ { BN_ULONG T; 
@@ -360,43 +443,37 @@ static void RSAZ_exp52x20_x2_256(BN_ULONG *out, /* [2][20] */ exp_chunk_no = exp_bit_no / 64; exp_chunk_shift = exp_bit_no % 64; { - red_table_idx_0 = expz[0][exp_chunk_no]; - T = expz[0][exp_chunk_no + 1]; + red_table_idx_0 = expz[exp_chunk_no + 0 * (exp_digits + 1)]; + T = expz[exp_chunk_no + 1 + 0 * (exp_digits + 1)]; red_table_idx_0 >>= exp_chunk_shift; /* * Get additional bits from then next quadword * when 64-bit boundaries are crossed. */ - if (exp_chunk_shift > 64 - EXP_WIN_SIZE) { + if (exp_chunk_shift > 64 - exp_win_size) { T <<= (64 - exp_chunk_shift); red_table_idx_0 ^= T; } red_table_idx_0 &= table_idx_mask; - - ossl_extract_multiplier_2x20_win5(red_X[0], - (const BN_ULONG*)red_table, - (int)red_table_idx_0, 0); } { - red_table_idx_1 = expz[1][exp_chunk_no]; - T = expz[1][exp_chunk_no + 1]; + red_table_idx_1 = expz[exp_chunk_no + 1 * (exp_digits + 1)]; + T = expz[exp_chunk_no + 1 + 1 * (exp_digits + 1)]; red_table_idx_1 >>= exp_chunk_shift; /* * Get additional bits from then next quadword * when 64-bit boundaries are crossed. */ - if (exp_chunk_shift > 64 - EXP_WIN_SIZE) { + if (exp_chunk_shift > 64 - exp_win_size) { T <<= (64 - exp_chunk_shift); red_table_idx_1 ^= T; } red_table_idx_1 &= table_idx_mask; - - ossl_extract_multiplier_2x20_win5(red_X[1], - (const BN_ULONG*)red_table, - (int)red_table_idx_1, 1); } + + extract(&red_X[0 * red_digits], (const BN_ULONG*)red_table, (int)red_table_idx_0, (int)red_table_idx_1); } /* Series of squaring */ 
@@ -406,43 +483,46 @@ static void RSAZ_exp52x20_x2_256(BN_ULONG *out, /* [2][20] */ DAMS((BN_ULONG*)red_Y, (const BN_ULONG*)red_Y, m, k0); DAMS((BN_ULONG*)red_Y, (const BN_ULONG*)red_Y, m, k0); - DAMM((BN_ULONG*)red_Y, (const BN_ULONG*)red_Y, (const BN_ULONG*)red_X, m, k0); + damm((BN_ULONG*)red_Y, (const BN_ULONG*)red_Y, (const BN_ULONG*)red_X, m, k0); } } /* * * NB: After the last AMM of exponentiation in Montgomery domain, the result - * may be 1025-bit, but the conversion out of Montgomery domain performs an - * AMM(x,1) which guarantees that the final result is less than |m|, so no - * conditional subtraction is needed here. See "Efficient Software - * Implementations of Modular Exponentiation" (by Shay Gueron) paper for details. + * may be (modulus_bitsize + 1), but the conversion out of Montgomery domain + * performs an AMM(x,1) which guarantees that the final result is less than + * |m|, so no conditional subtraction is needed here. See [1] for details. + * + * [1] Gueron, S. Efficient software implementations of modular exponentiation. 
+ * DOI: 10.1007/s13389-012-0031-5 */ /* Convert result back in regular 2^52 domain */ - memset(red_X, 0, sizeof(red_X)); - red_X[0][0] = 1; - red_X[1][0] = 1; - DAMM(out, (const BN_ULONG*)red_Y, (const BN_ULONG*)red_X, m, k0); - - /* Clear exponents */ - OPENSSL_cleanse(expz, sizeof(expz)); - OPENSSL_cleanse(red_Y, sizeof(red_Y)); - -# undef DAMS -# undef DAMM -# undef EXP_DIGITS -# undef RED_DIGITS -# undef EXP_WIN_MASK -# undef EXP_WIN_SIZE -# undef BITSIZE_MODULUS + memset(red_X, 0, 2 * red_digits * sizeof(BN_ULONG)); + red_X[0 * red_digits] = 1; + red_X[1 * red_digits] = 1; + damm(out, (const BN_ULONG*)red_Y, (const BN_ULONG*)red_X, m, k0); + + ret = 1; + +err: + if (storage != NULL) { + /* Clear whole storage */ + OPENSSL_cleanse(storage, storage_len_bytes); + OPENSSL_free(storage); + } + +#undef DAMS + return ret; } -static ossl_inline uint64_t get_digit52(const uint8_t *in, int in_len) +static ossl_inline uint64_t get_digit(const uint8_t *in, int in_len) { uint64_t digit = 0; assert(in != NULL); + assert(in_len <= 8); for (; in_len > 0; in_len--) { digit <<= 8; @@ -480,17 +560,17 @@ static void to_words52(BN_ULONG *out, int out_len, } if (in_bitsize > DIGIT_SIZE) { - uint64_t digit = get_digit52(in_str, 7); + uint64_t digit = get_digit(in_str, 7); out[0] = digit & DIGIT_MASK; in_str += 6; in_bitsize -= DIGIT_SIZE; - digit = get_digit52(in_str, BITS2WORD8_SIZE(in_bitsize)); + digit = get_digit(in_str, BITS2WORD8_SIZE(in_bitsize)); out[1] = digit >> 4; out += 2; out_len -= 2; } else if (in_bitsize > 0) { - out[0] = get_digit52(in_str, BITS2WORD8_SIZE(in_bitsize)); + out[0] = get_digit(in_str, BITS2WORD8_SIZE(in_bitsize)); out++; out_len--; } 
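Review bot: The reworded NB comment now reads `the result may be (modulus_bitsize + 1)` and has lost its unit; write ` * may be (modulus_bitsize + 1) bits wide, but the conversion out of Montgomery domain` so the claim about the missing conditional subtraction stays precise.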
@@ -502,12 +582,13 @@ static void to_words52(BN_ULONG *out, int out_len, } } -static ossl_inline void put_digit52(uint8_t *pStr, int strLen, uint64_t digit) +static ossl_inline void put_digit(uint8_t *out, int out_len, uint64_t digit) { - assert(pStr != NULL); + assert(out != NULL); + assert(out_len <= 8); - for (; strLen > 0; strLen--) { - *pStr++ = (uint8_t)(digit & 0xFF); + for (; out_len > 0; out_len--) { + *out++ = (uint8_t)(digit & 0xFF); digit >>= 8; } } @@ -543,13 +624,13 @@ static void from_words52(BN_ULONG *out, int out_bitsize, const BN_ULONG *in) } if (out_bitsize > DIGIT_SIZE) { - put_digit52(out_str, 7, in[0]); + put_digit(out_str, 7, in[0]); out_str += 6; out_bitsize -= DIGIT_SIZE; - put_digit52(out_str, BITS2WORD8_SIZE(out_bitsize), + put_digit(out_str, BITS2WORD8_SIZE(out_bitsize), (in[1] << 4 | in[0] >> 48)); } else if (out_bitsize) { - put_digit52(out_str, BITS2WORD8_SIZE(out_bitsize), in[0]); + put_digit(out_str, BITS2WORD8_SIZE(out_bitsize), in[0]); } } } diff --git a/crypto/build.info b/crypto/build.info index 16584234f..b67658c3c 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -51,6 +51,10 @@ IF[{- !$disabled{asm} && $config{processor} ne '386' -}] $CPUIDASM_c64xplus=c64xpluscpuid.s + $CPUIDASM_riscv64=riscvcap.c riscv64cpuid.s + $CPUIDASM_riscv32=riscvcap.c riscv32cpuid.s + + $CPUIDASM_loongarch64=loongarchcap.c loongarch64cpuid.s # Now that we have defined all the arch specific variables, use the # appropriate one, and define the appropriate macros IF[$CPUIDASM_{- $target{asm_arch} -}] 
@@ -74,8 +78,8 @@ DEFINE[../providers/libfips.a]=$CPUIDDEF # already gets everything that the static libcrypto.a has, and doesn't need it # added again. IF[{- !$disabled{module} && !$disabled{shared} -}] - SOURCE[../providers/liblegacy.a]=$CPUID_COMMON - DEFINE[../providers/liblegacy.a]=$CPUIDDEF + SOURCE[../providers/legacy]=$CPUID_COMMON + DEFINE[../providers/legacy]=$CPUIDDEF ENDIF # Implementations are now spread across several libraries, so the CPUID define @@ -97,9 +101,7 @@ $UTIL_COMMON=\ context.c sparse_array.c asn1_dsa.c packet.c param_build.c \ param_build_set.c der_writer.c threads_lib.c params_dup.c -IF[{- !$disabled{shared} -}] - SOURCE[../libssl]=sparse_array.c -ENDIF +SHARED_SOURCE[../libssl]=sparse_array.c SOURCE[../libcrypto]=$UTIL_COMMON \ mem.c mem_sec.c \ @@ -134,7 +136,10 @@ GENERATE[armv4cpuid.S]=armv4cpuid.pl INCLUDE[armv4cpuid.o]=. GENERATE[s390xcpuid.S]=s390xcpuid.pl INCLUDE[s390xcpuid.o]=. +GENERATE[riscv64cpuid.s]=riscv64cpuid.pl +GENERATE[riscv32cpuid.s]=riscv32cpuid.pl +GENERATE[loongarch64cpuid.s]=loongarch64cpuid.pl IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-|BC-)/ -}] SHARED_SOURCE[../libcrypto]=dllmain.c ENDIF diff --git a/crypto/cast/cast_local.h b/crypto/cast/cast_local.h index 4434a3420..546baa86c 100644 --- a/crypto/cast/cast_local.h +++ b/crypto/cast/cast_local.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -62,19 +62,19 @@ l1=l2=0; \ switch (n) { \ case 8: l2 =((unsigned long)(*(--(c)))) ; \ - /* fall thru */ \ + /* fall through */ \ case 7: l2|=((unsigned long)(*(--(c))))<< 8; \ - /* fall thru */ \ + /* fall through */ \ case 6: l2|=((unsigned long)(*(--(c))))<<16; \ - /* fall thru */ \ + /* fall through */ \ case 5: l2|=((unsigned long)(*(--(c))))<<24; \ - /* fall thru */ \ + /* fall through */ \ case 4: l1 =((unsigned long)(*(--(c)))) ; \ - /* fall thru */ \ + /* fall through */ \ case 3: l1|=((unsigned long)(*(--(c))))<< 8; \ - /* fall thru */ \ + /* fall through */ \ case 2: l1|=((unsigned long)(*(--(c))))<<16; \ - /* fall thru */ \ + /* fall through */ \ case 1: l1|=((unsigned long)(*(--(c))))<<24; \ } \ } @@ -84,19 +84,19 @@ c+=n; \ switch (n) { \ case 8: *(--(c))=(unsigned char)(((l2) )&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 7: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 6: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 5: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 4: *(--(c))=(unsigned char)(((l1) )&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 3: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 2: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 1: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \ } \ } diff --git a/crypto/chacha/asm/chacha-armv8-sve.pl b/crypto/chacha/asm/chacha-armv8-sve.pl new file mode 100755 index 000000000..0e19bffc4 --- /dev/null +++ b/crypto/chacha/asm/chacha-armv8-sve.pl 
@@ -0,0 +1,1157 @@ +#! /usr/bin/env perl +# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html +# +# +# ChaCha20 for ARMv8 via SVE +# +# $output is the last argument if it looks like a file (it has an extension) +# $flavour is the first argument if it doesn't look like a file +$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; +$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or +( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or +die "can't locate arm-xlate.pl"; + +open OUT,"| \"$^X\" $xlate $flavour \"$output\"" + or die "can't call $xlate: $!"; +*STDOUT=*OUT; + +sub AUTOLOAD() # thunk [simplified] x86-style perlasm +{ my $opcode = $AUTOLOAD; $opcode =~ s/.*:://; $opcode =~ s/_/\./; + my $arg = pop; + $arg = "#$arg" if ($arg*1 eq $arg); + $code .= "\t$opcode\t".join(',',@_,$arg)."\n"; +} + +my ($outp,$inp,$len,$key,$ctr) = map("x$_",(0..4)); +my ($veclen) = ("x5"); +my ($counter) = ("x6"); +my ($counter_w) = ("w6"); +my @xx=(7..22); +my @sxx=map("x$_",@xx); +my @sx=map("w$_",@xx); +my @K=map("x$_",(23..30)); +my @elem=(0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15); +my @KL=map("w$_",(23..30)); +my @mx=map("z$_",@elem); +my @vx=map("v$_",@elem); +my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3, + $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3) = @mx; +my ($zctr) = ("z16"); +my @tt=(17..24); +my @xt=map("z$_",@tt); +my @vt=map("v$_",@tt); +my @perm=map("z$_",(25..30)); +my ($rot8) = ("z31"); +my @bak=(@perm[0],@perm[1],@perm[2],@perm[3],@perm[4],@perm[5],@xt[4],@xt[5],@xt[6],@xt[7],@xt[0],@xt[1],$zctr,@xt[2],@xt[3],$rot8); +my $debug_encoder=0; + +sub SVE_ADD() { + my $x = shift; + my $y 
= shift; + +$code.=<<___; + add @mx[$x].s,@mx[$x].s,@mx[$y].s + .if mixin == 1 + add @sx[$x],@sx[$x],@sx[$y] + .endif +___ + if (@_) { + &SVE_ADD(@_); + } +} + +sub SVE_EOR() { + my $x = shift; + my $y = shift; + +$code.=<<___; + eor @mx[$x].d,@mx[$x].d,@mx[$y].d + .if mixin == 1 + eor @sx[$x],@sx[$x],@sx[$y] + .endif +___ + if (@_) { + &SVE_EOR(@_); + } +} + +sub SVE_LSL() { + my $bits = shift; + my $x = shift; + my $y = shift; + my $next = $x + 1; + +$code.=<<___; + lsl @xt[$x].s,@mx[$y].s,$bits +___ + if (@_) { + &SVE_LSL($bits,$next,@_); + } +} + +sub SVE_LSR() { + my $bits = shift; + my $x = shift; + +$code.=<<___; + lsr @mx[$x].s,@mx[$x].s,$bits + .if mixin == 1 + ror @sx[$x],@sx[$x],$bits + .endif +___ + if (@_) { + &SVE_LSR($bits,@_); + } +} + +sub SVE_ORR() { + my $x = shift; + my $y = shift; + my $next = $x + 1; + +$code.=<<___; + orr @mx[$y].d,@mx[$y].d,@xt[$x].d +___ + if (@_) { + &SVE_ORR($next,@_); + } +} + +sub SVE_REV16() { + my $x = shift; + +$code.=<<___; + revh @mx[$x].s,p0/m,@mx[$x].s + .if mixin == 1 + ror @sx[$x],@sx[$x],#16 + .endif +___ + if (@_) { + &SVE_REV16(@_); + } +} + +sub SVE_ROT8() { + my $x = shift; + +$code.=<<___; + tbl @mx[$x].b,{@mx[$x].b},$rot8.b + .if mixin == 1 + ror @sx[$x],@sx[$x],#24 + .endif +___ + if (@_) { + &SVE_ROT8(@_); + } +} + +sub SVE2_XAR() { + my $bits = shift; + my $x = shift; + my $y = shift; + my $rbits = 32-$bits; + +$code.=<<___; + .if mixin == 1 + eor @sx[$x],@sx[$x],@sx[$y] + .endif + xar @mx[$x].s,@mx[$x].s,@mx[$y].s,$rbits + .if mixin == 1 + ror @sx[$x],@sx[$x],$rbits + .endif +___ + if (@_) { + &SVE2_XAR($bits,@_); + } +} + +sub SVE2_QR_GROUP() { + my ($a0,$b0,$c0,$d0,$a1,$b1,$c1,$d1,$a2,$b2,$c2,$d2,$a3,$b3,$c3,$d3) = @_; + + &SVE_ADD($a0,$b0,$a1,$b1,$a2,$b2,$a3,$b3); + &SVE2_XAR(16,$d0,$a0,$d1,$a1,$d2,$a2,$d3,$a3); + + &SVE_ADD($c0,$d0,$c1,$d1,$c2,$d2,$c3,$d3); + &SVE2_XAR(12,$b0,$c0,$b1,$c1,$b2,$c2,$b3,$c3); + + &SVE_ADD($a0,$b0,$a1,$b1,$a2,$b2,$a3,$b3); + 
&SVE2_XAR(8,$d0,$a0,$d1,$a1,$d2,$a2,$d3,$a3); + + &SVE_ADD($c0,$d0,$c1,$d1,$c2,$d2,$c3,$d3); + &SVE2_XAR(7,$b0,$c0,$b1,$c1,$b2,$c2,$b3,$c3); +} + +sub SVE_QR_GROUP() { + my ($a0,$b0,$c0,$d0,$a1,$b1,$c1,$d1,$a2,$b2,$c2,$d2,$a3,$b3,$c3,$d3) = @_; + + &SVE_ADD($a0,$b0,$a1,$b1,$a2,$b2,$a3,$b3); + &SVE_EOR($d0,$a0,$d1,$a1,$d2,$a2,$d3,$a3); + &SVE_REV16($d0,$d1,$d2,$d3); + + &SVE_ADD($c0,$d0,$c1,$d1,$c2,$d2,$c3,$d3); + &SVE_EOR($b0,$c0,$b1,$c1,$b2,$c2,$b3,$c3); + &SVE_LSL(12,0,$b0,$b1,$b2,$b3); + &SVE_LSR(20,$b0,$b1,$b2,$b3); + &SVE_ORR(0,$b0,$b1,$b2,$b3); + + &SVE_ADD($a0,$b0,$a1,$b1,$a2,$b2,$a3,$b3); + &SVE_EOR($d0,$a0,$d1,$a1,$d2,$a2,$d3,$a3); + &SVE_ROT8($d0,$d1,$d2,$d3); + + &SVE_ADD($c0,$d0,$c1,$d1,$c2,$d2,$c3,$d3); + &SVE_EOR($b0,$c0,$b1,$c1,$b2,$c2,$b3,$c3); + &SVE_LSL(7,0,$b0,$b1,$b2,$b3); + &SVE_LSR(25,$b0,$b1,$b2,$b3); + &SVE_ORR(0,$b0,$b1,$b2,$b3); +} + +sub SVE_INNER_BLOCK() { +$code.=<<___; + mov $counter,#10 +10: +.align 5 +___ + &SVE_QR_GROUP(0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15); + &SVE_QR_GROUP(0,5,10,15,1,6,11,12,2,7,8,13,3,4,9,14); +$code.=<<___; + sub $counter,$counter,1 + cbnz $counter,10b +___ +} + +sub SVE2_INNER_BLOCK() { +$code.=<<___; + mov $counter,#10 +10: +.align 5 +___ + &SVE2_QR_GROUP(0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15); + &SVE2_QR_GROUP(0,5,10,15,1,6,11,12,2,7,8,13,3,4,9,14); +$code.=<<___; + sub $counter,$counter,1 + cbnz $counter,10b +___ +} + +sub load_regs() { + my $offset = shift; + my $reg = shift; + my $next_offset = $offset + 1; +$code.=<<___; + ld1w {$reg.s},p0/z,[$inp,#$offset,MUL VL] +#ifdef __AARCH64EB__ + revb $reg.s,p0/m,$reg.s +#endif +___ + if (@_) { + &load_regs($next_offset, @_); + } else { +$code.=<<___; + addvl $inp,$inp,$next_offset +___ + } +} + +sub load() { + if (@_) { + &load_regs(0, @_); + } +} + +sub store_regs() { + my $offset = shift; + my $reg = shift; + my $next_offset = $offset + 1; +$code.=<<___; +#ifdef __AARCH64EB__ + revb $reg.s,p0/m,$reg.s +#endif + st1w {$reg.s},p0,[$outp,#$offset,MUL VL] +___ + 
if (@_) { + &store_regs($next_offset, @_); + } else { +$code.=<<___; + addvl $outp,$outp,$next_offset +___ + } +} + +sub store() { + if (@_) { + &store_regs(0, @_); + } +} + +sub transpose() { + my $xa = shift; + my $xb = shift; + my $xc = shift; + my $xd = shift; + my $xa1 = shift; + my $xb1 = shift; + my $xc1 = shift; + my $xd1 = shift; +$code.=<<___; + zip1 @xt[0].s,$xa.s,$xb.s + zip2 @xt[1].s,$xa.s,$xb.s + zip1 @xt[2].s,$xc.s,$xd.s + zip2 @xt[3].s,$xc.s,$xd.s + + zip1 @xt[4].s,$xa1.s,$xb1.s + zip2 @xt[5].s,$xa1.s,$xb1.s + zip1 @xt[6].s,$xc1.s,$xd1.s + zip2 @xt[7].s,$xc1.s,$xd1.s + + zip1 $xa.d,@xt[0].d,@xt[2].d + zip2 $xb.d,@xt[0].d,@xt[2].d + zip1 $xc.d,@xt[1].d,@xt[3].d + zip2 $xd.d,@xt[1].d,@xt[3].d + + zip1 $xa1.d,@xt[4].d,@xt[6].d + zip2 $xb1.d,@xt[4].d,@xt[6].d + zip1 $xc1.d,@xt[5].d,@xt[7].d + zip2 $xd1.d,@xt[5].d,@xt[7].d +___ +} + +sub ACCUM() { + my $idx0 = shift; + my $idx1 = $idx0 + 1; + my $x0 = @sx[$idx0]; + my $xx0 = @sxx[$idx0]; + my $x1 = @sx[$idx1]; + my $xx1 = @sxx[$idx1]; + my $d = $idx0/2; + my ($tmp,$tmpw) = ($counter,$counter_w); + my $bk0 = @_ ? shift : @bak[$idx0]; + my $bk1 = @_ ? 
shift : @bak[$idx1]; + +$code.=<<___; + .if mixin == 1 + add @sx[$idx0],@sx[$idx0],@KL[$d] + .endif + add @mx[$idx0].s,@mx[$idx0].s,$bk0.s + .if mixin == 1 + add @sxx[$idx1],@sxx[$idx1],@K[$d],lsr #32 + .endif + add @mx[$idx1].s,@mx[$idx1].s,$bk1.s + .if mixin == 1 + add @sxx[$idx0],@sxx[$idx0],$sxx[$idx1],lsl #32 // pack + .endif +___ +} + +sub SCA_INP() { + my $idx0 = shift; + my $idx1 = $idx0 + 2; +$code.=<<___; + .if mixin == 1 + ldp @sxx[$idx0],@sxx[$idx1],[$inp],#16 + .endif +___ +} + +sub SVE_ACCUM_STATES() { + my ($tmp,$tmpw) = ($counter,$counter_w); + +$code.=<<___; + lsr $tmp,@K[5],#32 + dup @bak[10].s,@KL[5] + dup @bak[11].s,$tmpw + lsr $tmp,@K[6],#32 + dup @bak[13].s,$tmpw + lsr $tmp,@K[7],#32 +___ + &ACCUM(0); + &ACCUM(2); + &SCA_INP(1); + &ACCUM(4); + &ACCUM(6); + &SCA_INP(5); + &ACCUM(8); + &ACCUM(10); + &SCA_INP(9); +$code.=<<___; + dup @bak[14].s,@KL[7] + dup @bak[0].s,$tmpw // bak[15] not available for SVE +___ + &ACCUM(12); + &ACCUM(14, @bak[14],@bak[0]); + &SCA_INP(13); +} + +sub SVE2_ACCUM_STATES() { + &ACCUM(0); + &ACCUM(2); + &SCA_INP(1); + &ACCUM(4); + &ACCUM(6); + &SCA_INP(5); + &ACCUM(8); + &ACCUM(10); + &SCA_INP(9); + &ACCUM(12); + &ACCUM(14); + &SCA_INP(13); +} + +sub SCA_EOR() { + my $idx0 = shift; + my $idx1 = $idx0 + 1; +$code.=<<___; + .if mixin == 1 + eor @sxx[$idx0],@sxx[$idx0],@sxx[$idx1] + .endif +___ +} + +sub SCA_SAVE() { + my $idx0 = shift; + my $idx1 = shift; +$code.=<<___; + .if mixin == 1 + stp @sxx[$idx0],@sxx[$idx1],[$outp],#16 + .endif +___ +} + +sub SVE_VL128_TRANSFORMS() { + &SCA_EOR(0); + &SCA_EOR(2); + &SCA_EOR(4); + &transpose($xa0,$xa1,$xa2,$xa3,$xb0,$xb1,$xb2,$xb3); + &SCA_EOR(6); + &SCA_EOR(8); + &SCA_EOR(10); + &transpose($xc0,$xc1,$xc2,$xc3,$xd0,$xd1,$xd2,$xd3); + &SCA_EOR(12); + &SCA_EOR(14); +$code.=<<___; + ld1 {@vt[0].4s-@vt[3].4s},[$inp],#64 + ld1 {@vt[4].4s-@vt[7].4s},[$inp],#64 + eor $xa0.d,$xa0.d,@xt[0].d + eor $xb0.d,$xb0.d,@xt[1].d + eor $xc0.d,$xc0.d,@xt[2].d + eor $xd0.d,$xd0.d,@xt[3].d + eor 
$xa1.d,$xa1.d,@xt[4].d + eor $xb1.d,$xb1.d,@xt[5].d + eor $xc1.d,$xc1.d,@xt[6].d + eor $xd1.d,$xd1.d,@xt[7].d + ld1 {@vt[0].4s-@vt[3].4s},[$inp],#64 + ld1 {@vt[4].4s-@vt[7].4s},[$inp],#64 +___ + &SCA_SAVE(0,2); +$code.=<<___; + eor $xa2.d,$xa2.d,@xt[0].d + eor $xb2.d,$xb2.d,@xt[1].d +___ + &SCA_SAVE(4,6); +$code.=<<___; + eor $xc2.d,$xc2.d,@xt[2].d + eor $xd2.d,$xd2.d,@xt[3].d +___ + &SCA_SAVE(8,10); +$code.=<<___; + eor $xa3.d,$xa3.d,@xt[4].d + eor $xb3.d,$xb3.d,@xt[5].d +___ + &SCA_SAVE(12,14); +$code.=<<___; + eor $xc3.d,$xc3.d,@xt[6].d + eor $xd3.d,$xd3.d,@xt[7].d + st1 {@vx[0].4s-@vx[12].4s},[$outp],#64 + st1 {@vx[1].4s-@vx[13].4s},[$outp],#64 + st1 {@vx[2].4s-@vx[14].4s},[$outp],#64 + st1 {@vx[3].4s-@vx[15].4s},[$outp],#64 +___ +} + +sub SVE_TRANSFORMS() { +$code.=<<___; +#ifdef __AARCH64EB__ + rev @sxx[0],@sxx[0] + rev @sxx[2],@sxx[2] + rev @sxx[4],@sxx[4] + rev @sxx[6],@sxx[6] + rev @sxx[8],@sxx[8] + rev @sxx[10],@sxx[10] + rev @sxx[12],@sxx[12] + rev @sxx[14],@sxx[14] +#endif + .if mixin == 1 + add @K[6],@K[6],#1 + .endif + cmp $veclen,4 + b.ne 200f +___ + &SVE_VL128_TRANSFORMS(); +$code.=<<___; + b 210f +200: +___ + &transpose($xa0,$xb0,$xc0,$xd0,$xa1,$xb1,$xc1,$xd1); + &SCA_EOR(0); + &SCA_EOR(2); + &transpose($xa2,$xb2,$xc2,$xd2,$xa3,$xb3,$xc3,$xd3); + &SCA_EOR(4); + &SCA_EOR(6); + &transpose($xa0,$xa1,$xa2,$xa3,$xb0,$xb1,$xb2,$xb3); + &SCA_EOR(8); + &SCA_EOR(10); + &transpose($xc0,$xc1,$xc2,$xc3,$xd0,$xd1,$xd2,$xd3); + &SCA_EOR(12); + &SCA_EOR(14); + &load(@xt[0],@xt[1],@xt[2],@xt[3],@xt[4],@xt[5],@xt[6],@xt[7]); +$code.=<<___; + eor $xa0.d,$xa0.d,@xt[0].d + eor $xa1.d,$xa1.d,@xt[1].d + eor $xa2.d,$xa2.d,@xt[2].d + eor $xa3.d,$xa3.d,@xt[3].d + eor $xb0.d,$xb0.d,@xt[4].d + eor $xb1.d,$xb1.d,@xt[5].d + eor $xb2.d,$xb2.d,@xt[6].d + eor $xb3.d,$xb3.d,@xt[7].d +___ + &load(@xt[0],@xt[1],@xt[2],@xt[3],@xt[4],@xt[5],@xt[6],@xt[7]); + &SCA_SAVE(0,2); +$code.=<<___; + eor $xc0.d,$xc0.d,@xt[0].d + eor $xc1.d,$xc1.d,@xt[1].d +___ + &SCA_SAVE(4,6); +$code.=<<___; + 
eor $xc2.d,$xc2.d,@xt[2].d + eor $xc3.d,$xc3.d,@xt[3].d +___ + &SCA_SAVE(8,10); +$code.=<<___; + eor $xd0.d,$xd0.d,@xt[4].d + eor $xd1.d,$xd1.d,@xt[5].d +___ + &SCA_SAVE(12,14); +$code.=<<___; + eor $xd2.d,$xd2.d,@xt[6].d + eor $xd3.d,$xd3.d,@xt[7].d +___ + &store($xa0,$xa1,$xa2,$xa3,$xb0,$xb1,$xb2,$xb3); + &store($xc0,$xc1,$xc2,$xc3,$xd0,$xd1,$xd2,$xd3); +$code.=<<___; +210: + incw @K[6], ALL, MUL #1 +___ +} + +sub SET_STATE_BAK() { + my $idx0 = shift; + my $idx1 = $idx0 + 1; + my $x0 = @sx[$idx0]; + my $xx0 = @sxx[$idx0]; + my $x1 = @sx[$idx1]; + my $xx1 = @sxx[$idx1]; + my $d = $idx0/2; + +$code.=<<___; + lsr $xx1,@K[$d],#32 + dup @mx[$idx0].s,@KL[$d] + dup @bak[$idx0].s,@KL[$d] + .if mixin == 1 + mov $x0,@KL[$d] + .endif + dup @mx[$idx1].s,$x1 + dup @bak[$idx1].s,$x1 +___ +} + +sub SET_STATE() { + my $idx0 = shift; + my $idx1 = $idx0 + 1; + my $x0 = @sx[$idx0]; + my $xx0 = @sxx[$idx0]; + my $x1 = @sx[$idx1]; + my $xx1 = @sxx[$idx1]; + my $d = $idx0/2; + +$code.=<<___; + lsr $xx1,@K[$d],#32 + dup @mx[$idx0].s,@KL[$d] + .if mixin == 1 + mov $x0,@KL[$d] + .endif + dup @mx[$idx1].s,$x1 +___ +} + +sub SVE_LOAD_STATES() { + &SET_STATE_BAK(0); + &SET_STATE_BAK(2); + &SET_STATE_BAK(4); + &SET_STATE_BAK(6); + &SET_STATE_BAK(8); + &SET_STATE(10); + &SET_STATE(14); +$code.=<<___; + .if mixin == 1 + add @sx[13],@KL[6],#1 + mov @sx[12],@KL[6] + index $zctr.s,@sx[13],1 + index @mx[12].s,@sx[13],1 + .else + index $zctr.s,@KL[6],1 + index @mx[12].s,@KL[6],1 + .endif + lsr @sxx[13],@K[6],#32 + dup @mx[13].s,@sx[13] +___ +} + +sub SVE2_LOAD_STATES() { + &SET_STATE_BAK(0); + &SET_STATE_BAK(2); + &SET_STATE_BAK(4); + &SET_STATE_BAK(6); + &SET_STATE_BAK(8); + &SET_STATE_BAK(10); + &SET_STATE_BAK(14); + +$code.=<<___; + .if mixin == 1 + add @sx[13],@KL[6],#1 + mov @sx[12],@KL[6] + index $zctr.s,@sx[13],1 + index @mx[12].s,@sx[13],1 + .else + index $zctr.s,@KL[6],1 + index @mx[12].s,@KL[6],1 + .endif + lsr @sxx[13],@K[6],#32 + dup @mx[13].s,@sx[13] + dup @bak[13].s,@sx[13] +___ +} + 
+sub chacha20_sve() { + my ($tmp) = (@sxx[0]); + +$code.=<<___; +.align 5 +100: + subs $tmp,$len,$veclen,lsl #6 + b.lt 110f + mov $len,$tmp + b.eq 101f + cmp $len,64 + b.lt 101f + mixin=1 +___ + &SVE_LOAD_STATES(); + &SVE_INNER_BLOCK(); + &SVE_ACCUM_STATES(); + &SVE_TRANSFORMS(); +$code.=<<___; + subs $len,$len,64 + b.gt 100b + b 110f +101: + mixin=0 +___ + &SVE_LOAD_STATES(); + &SVE_INNER_BLOCK(); + &SVE_ACCUM_STATES(); + &SVE_TRANSFORMS(); +$code.=<<___; +110: +___ +} + +sub chacha20_sve2() { + my ($tmp) = (@sxx[0]); + +$code.=<<___; +.align 5 +100: + subs $tmp,$len,$veclen,lsl #6 + b.lt 110f + mov $len,$tmp + b.eq 101f + cmp $len,64 + b.lt 101f + mixin=1 +___ + &SVE2_LOAD_STATES(); + &SVE2_INNER_BLOCK(); + &SVE2_ACCUM_STATES(); + &SVE_TRANSFORMS(); +$code.=<<___; + subs $len,$len,64 + b.gt 100b + b 110f +101: + mixin=0 +___ + &SVE2_LOAD_STATES(); + &SVE2_INNER_BLOCK(); + &SVE2_ACCUM_STATES(); + &SVE_TRANSFORMS(); +$code.=<<___; +110: +___ +} + + +{{{ + my ($tmp,$tmpw) = ("x6", "w6"); + my ($tmpw0,$tmp0,$tmpw1,$tmp1) = ("w9","x9", "w10","x10"); + my ($sve2flag) = ("x7"); + +$code.=<<___; +#include "arm_arch.h" + +.arch armv8-a + +.extern OPENSSL_armcap_P +.hidden OPENSSL_armcap_P + +.text +.align 5 +.Lchacha20_consts: +.quad 0x3320646e61707865,0x6b20657479622d32 // endian-neutral +.Lrot8: + .word 0x02010003,0x04040404,0x02010003,0x04040404 +.globl ChaCha20_ctr32_sve +.type ChaCha20_ctr32_sve,%function +.align 5 +ChaCha20_ctr32_sve: + AARCH64_VALID_CALL_TARGET + cntw $veclen, ALL, MUL #1 + cmp $len,$veclen,lsl #6 + b.lt .Lreturn + mov $sve2flag,0 + adrp $tmp,OPENSSL_armcap_P + ldr $tmpw,[$tmp,#:lo12:OPENSSL_armcap_P] + tst $tmpw,#ARMV8_SVE2 + b.eq 1f + mov $sve2flag,1 + b 2f +1: + cmp $veclen,4 + b.le .Lreturn + adr $tmp,.Lrot8 + ldp $tmpw0,$tmpw1,[$tmp] + index $rot8.s,$tmpw0,$tmpw1 +2: + AARCH64_SIGN_LINK_REGISTER + stp d8,d9,[sp,-192]! 
+ stp d10,d11,[sp,16] + stp d12,d13,[sp,32] + stp d14,d15,[sp,48] + stp x16,x17,[sp,64] + stp x18,x19,[sp,80] + stp x20,x21,[sp,96] + stp x22,x23,[sp,112] + stp x24,x25,[sp,128] + stp x26,x27,[sp,144] + stp x28,x29,[sp,160] + str x30,[sp,176] + + adr $tmp,.Lchacha20_consts + ldp @K[0],@K[1],[$tmp] + ldp @K[2],@K[3],[$key] + ldp @K[4],@K[5],[$key, 16] + ldp @K[6],@K[7],[$ctr] + ptrues p0.s,ALL +#ifdef __AARCH64EB__ + ror @K[2],@K[2],#32 + ror @K[3],@K[3],#32 + ror @K[4],@K[4],#32 + ror @K[5],@K[5],#32 + ror @K[6],@K[6],#32 + ror @K[7],@K[7],#32 +#endif + cbz $sve2flag, 1f +___ + &chacha20_sve2(); +$code.=<<___; + b 2f +1: +___ + &chacha20_sve(); +$code.=<<___; +2: + str @KL[6],[$ctr] + ldp d10,d11,[sp,16] + ldp d12,d13,[sp,32] + ldp d14,d15,[sp,48] + ldp x16,x17,[sp,64] + ldp x18,x19,[sp,80] + ldp x20,x21,[sp,96] + ldp x22,x23,[sp,112] + ldp x24,x25,[sp,128] + ldp x26,x27,[sp,144] + ldp x28,x29,[sp,160] + ldr x30,[sp,176] + ldp d8,d9,[sp],192 + AARCH64_VALIDATE_LINK_REGISTER +.Lreturn: + ret +.size ChaCha20_ctr32_sve,.-ChaCha20_ctr32_sve +___ + +}}} + +######################################## +{ +my %opcode_unpred = ( + "movprfx" => 0x0420BC00, + "eor" => 0x04a03000, + "add" => 0x04200000, + "orr" => 0x04603000, + "lsl" => 0x04209C00, + "lsr" => 0x04209400, + "incw" => 0x04B00000, + "xar" => 0x04203400, + "zip1" => 0x05206000, + "zip2" => 0x05206400, + "uzp1" => 0x05206800, + "uzp2" => 0x05206C00, + "index" => 0x04204C00, + "mov" => 0x05203800, + "dup" => 0x05203800, + "cntw" => 0x04A0E000, + "tbl" => 0x05203000); + +my %opcode_imm_unpred = ( + "dup" => 0x2538C000, + "index" => 0x04204400); + +my %opcode_scalar_pred = ( + "mov" => 0x0528A000, + "cpy" => 0x0528A000, + "st4w" => 0xE5606000, + "st1w" => 0xE5004000, + "ld1w" => 0xA5404000); + +my %opcode_gather_pred = ( + "ld1w" => 0x85204000); + +my %opcode_pred = ( + "eor" => 0x04190000, + "add" => 0x04000000, + "orr" => 0x04180000, + "whilelo" => 0x25200C00, + "whilelt" => 0x25200400, + "cntp" => 0x25208000, + 
"addvl" => 0x04205000, + "lsl" => 0x04038000, + "lsr" => 0x04018000, + "sel" => 0x0520C000, + "mov" => 0x0520C000, + "ptrue" => 0x2518E000, + "pfalse" => 0x2518E400, + "ptrues" => 0x2519E000, + "pnext" => 0x2519C400, + "ld4w" => 0xA560E000, + "st4w" => 0xE570E000, + "st1w" => 0xE500E000, + "ld1w" => 0xA540A000, + "ld1rw" => 0x8540C000, + "lasta" => 0x0520A000, + "revh" => 0x05258000, + "revb" => 0x05248000); + +my %tsize = ( + 'b' => 0, + 'h' => 1, + 's' => 2, + 'd' => 3); + +my %sf = ( + "w" => 0, + "x" => 1); + +my %pattern = ( + "POW2" => 0, + "VL1" => 1, + "VL2" => 2, + "VL3" => 3, + "VL4" => 4, + "VL5" => 5, + "VL6" => 6, + "VL7" => 7, + "VL8" => 8, + "VL16" => 9, + "VL32" => 10, + "VL64" => 11, + "VL128" => 12, + "VL256" => 13, + "MUL4" => 29, + "MUL3" => 30, + "ALL" => 31); + +sub create_verifier { + my $filename="./compile_sve.sh"; + +$scripts = <<___; +#! /bin/bash +set -e +CROSS_COMPILE=\${CROSS_COMPILE:-'aarch64-none-linux-gnu-'} + +[ -z "\$1" ] && exit 1 +ARCH=`uname -p | xargs echo -n` + +# need gcc-10 and above to compile SVE code +# change this according to your system during debugging +if [ \$ARCH == 'aarch64' ]; then + CC=gcc-11 + OBJDUMP=objdump +else + CC=\${CROSS_COMPILE}gcc + OBJDUMP=\${CROSS_COMPILE}objdump +fi +TMPFILE=/tmp/\$\$ +cat > \$TMPFILE.c << EOF +extern __attribute__((noinline, section("disasm_output"))) void dummy_func() +{ + asm("\$@\\t\\n"); +} +int main(int argc, char *argv[]) +{ +} +EOF +\$CC -march=armv8.2-a+sve+sve2 -o \$TMPFILE.out \$TMPFILE.c +\$OBJDUMP -d \$TMPFILE.out | awk -F"\\n" -v RS="\\n\\n" '\$1 ~ /dummy_func/' | awk 'FNR == 2 {printf "%s",\$2}' +rm \$TMPFILE.c \$TMPFILE.out +___ + open(FH, '>', $filename) or die $!; + print FH $scripts; + close(FH); + system("chmod a+x ./compile_sve.sh"); +} + +sub compile_sve { + return `./compile_sve.sh '@_'` +} + +sub verify_inst { + my ($code,$inst)=@_; + my $hexcode = (sprintf "%08x", $code); + + if ($debug_encoder == 1) { + my $expect=&compile_sve($inst); + if ($expect ne 
$hexcode) { + return (sprintf "%s // Encode Error! expect [%s] actual [%s]", $inst, $expect, $hexcode); + } + } + return (sprintf ".inst\t0x%s\t//%s", $hexcode, $inst); +} + +sub reg_code { + my $code = shift; + + if ($code == "zr") { + return "31"; + } + return $code; +} + +sub encode_size_imm() { + my ($mnemonic, $isize, $const)=@_; + my $esize = (8<<$tsize{$isize}); + my $tsize_imm = $esize + $const; + + if ($mnemonic eq "lsr" || $mnemonic eq "xar") { + $tsize_imm = 2*$esize - $const; + } + return (($tsize_imm>>5)<<22)|(($tsize_imm&0x1f)<<16); +} + +sub encode_shift_pred() { + my ($mnemonic, $isize, $const)=@_; + my $esize = (8<<$tsize{$isize}); + my $tsize_imm = $esize + $const; + + if ($mnemonic eq "lsr") { + $tsize_imm = 2*$esize - $const; + } + return (($tsize_imm>>5)<<22)|(($tsize_imm&0x1f)<<5); +} + +sub sve_unpred { + my ($mnemonic,$arg)=@_; + my $inst = (sprintf "%s %s", $mnemonic,$arg); + + if ($arg =~ m/z([0-9]+)\.([bhsd]),\s*\{\s*z([0-9]+)\.[bhsd].*\},\s*z([0-9]+)\.[bhsd].*/o) { + return &verify_inst($opcode_unpred{$mnemonic}|$1|($3<<5)|($tsize{$2}<<22)|($4<<16), + $inst) + } elsif ($arg =~ m/z([0-9]+)\.([bhsd]),\s*([zwx][0-9]+.*)/o) { + my $regd = $1; + my $isize = $2; + my $regs=$3; + + if (($mnemonic eq "lsl") || ($mnemonic eq "lsr")) { + if ($regs =~ m/z([0-9]+)[^,]*(?:,\s*#?([0-9]+))?/o + && ((8<<$tsize{$isize}) > $2)) { + return &verify_inst($opcode_unpred{$mnemonic}|$regd|($1<<5)|&encode_size_imm($mnemonic,$isize,$2), + $inst); + } + } elsif($regs =~ m/[wx]([0-9]+),\s*[wx]([0-9]+)/o) { + return &verify_inst($opcode_unpred{$mnemonic}|$regd|($tsize{$isize}<<22)|($1<<5)|($2<<16), $inst); + } elsif ($regs =~ m/[wx]([0-9]+),\s*#?([0-9]+)/o) { + return &verify_inst($opcode_imm_unpred{$mnemonic}|$regd|($tsize{$isize}<<22)|($1<<5)|($2<<16), $inst); + } elsif ($regs =~ m/[wx]([0-9]+)/o) { + return &verify_inst($opcode_unpred{$mnemonic}|$regd|($tsize{$isize}<<22)|($1<<5), $inst); + } else { + my $encoded_size = 0; + if (($mnemonic eq "add") || ($mnemonic 
=~ /zip./) || ($mnemonic =~ /uzp./) ) { + $encoded_size = ($tsize{$isize}<<22); + } + if ($regs =~ m/z([0-9]+)\.[bhsd],\s*z([0-9]+)\.[bhsd],\s*([0-9]+)/o && + $1 == $regd) { + return &verify_inst($opcode_unpred{$mnemonic}|$regd|($2<<5)|&encode_size_imm($mnemonic,$isize,$3), $inst); + } elsif ($regs =~ m/z([0-9]+)\.[bhsd],\s*z([0-9]+)\.[bhsd]/o) { + return &verify_inst($opcode_unpred{$mnemonic}|$regd|$encoded_size|($1<<5)|($2<<16), $inst); + } + } + } elsif ($arg =~ m/z([0-9]+)\.([bhsd]),\s*#?([0-9]+)/o) { + return &verify_inst($opcode_imm_unpred{$mnemonic}|$1|($3<<5)|($tsize{$2}<<22), + $inst) + } + sprintf "%s // fail to parse", $inst; +} + +sub sve_pred { + my ($mnemonic,,$arg)=@_; + my $inst = (sprintf "%s %s", $mnemonic,$arg); + + if ($arg =~ m/\{\s*z([0-9]+)\.([bhsd]).*\},\s*p([0-9])+(\/z)?,\s*\[(\s*[xs].*)\]/o) { + my $zt = $1; + my $size = $tsize{$2}; + my $pg = $3; + my $addr = $5; + my $xn = 31; + + if ($addr =~ m/x([0-9]+)\s*/o) { + $xn = $1; + } + + if ($mnemonic =~m/ld1r[bhwd]/o) { + $size = 0; + } + if ($addr =~ m/\w+\s*,\s*x([0-9]+),.*/o) { + return &verify_inst($opcode_scalar_pred{$mnemonic}|($size<<21)|$zt|($pg<<10)|($1<<16)|($xn<<5),$inst); + } elsif ($addr =~ m/\w+\s*,\s*z([0-9]+)\.s,\s*([US]\w+)/o) { + my $xs = ($2 eq "SXTW") ? 
1 : 0; + return &verify_inst($opcode_gather_pred{$mnemonic}|($xs<<22)|$zt|($pg<<10)|($1<<16)|($xn<<5),$inst); + } elsif($addr =~ m/\w+\s*,\s*#?([0-9]+)/o) { + return &verify_inst($opcode_pred{$mnemonic}|($size<<21)|$zt|($pg<<10)|($1<<16)|($xn<<5),$inst); + } else { + return &verify_inst($opcode_pred{$mnemonic}|($size<<21)|$zt|($pg<<10)|($xn<<5),$inst); + } + } elsif ($arg =~ m/z([0-9]+)\.([bhsd]),\s*p([0-9]+)\/([mz]),\s*([zwx][0-9]+.*)/o) { + my $regd = $1; + my $isize = $2; + my $pg = $3; + my $mod = $4; + my $regs = $5; + + if (($mnemonic eq "lsl") || ($mnemonic eq "lsr")) { + if ($regs =~ m/z([0-9]+)[^,]*(?:,\s*#?([0-9]+))?/o + && $regd == $1 + && $mode == 'm' + && ((8<<$tsize{$isize}) > $2)) { + return &verify_inst($opcode_pred{$mnemonic}|$regd|($pg<<10)|&encode_shift_pred($mnemonic,$isize,$2), $inst); + } + } elsif($regs =~ m/[wx]([0-9]+)/o) { + return &verify_inst($opcode_scalar_pred{$mnemonic}|$regd|($tsize{$isize}<<22)|($pg<<10)|($1<<5), $inst); + } elsif ($regs =~ m/z([0-9]+)[^,]*(?:,\s*z([0-9]+))?/o) { + if ($mnemonic eq "sel") { + return &verify_inst($opcode_pred{$mnemonic}|$regd|($tsize{$isize}<<22)|($pg<<10)|($1<<5)|($2<<16), $inst); + } elsif ($mnemonic eq "mov") { + return &verify_inst($opcode_pred{$mnemonic}|$regd|($tsize{$isize}<<22)|($pg<<10)|($1<<5)|($regd<<16), $inst); + } elsif (length $2 > 0) { + return &verify_inst($opcode_pred{$mnemonic}|$regd|($tsize{$isize}<<22)|($pg<<10)|($2<<5), $inst); + } else { + return &verify_inst($opcode_pred{$mnemonic}|$regd|($tsize{$isize}<<22)|($pg<<10)|($1<<5), $inst); + } + } + } elsif ($arg =~ m/p([0-9]+)\.([bhsd]),\s*(\w+.*)/o) { + my $pg = $1; + my $isize = $2; + my $regs = $3; + + if ($regs =~ m/([wx])(zr|[0-9]+),\s*[wx](zr|[0-9]+)/o) { + return &verify_inst($opcode_pred{$mnemonic}|($tsize{$isize}<<22)|$pg|($sf{$1}<<12)|(®_code($2)<<5)|(®_code($3)<<16), $inst); + } elsif ($regs =~ m/p([0-9]+),\s*p([0-9]+)\.[bhsd]/o) { + return &verify_inst($opcode_pred{$mnemonic}|($tsize{$isize}<<22)|$pg|($1<<5), $inst); + 
} else { + return &verify_inst($opcode_pred{$mnemonic}|($tsize{$isize}<<22)|$pg|($pattern{$regs}<<5), $inst); + } + } elsif ($arg =~ m/p([0-9]+)\.([bhsd])/o) { + return &verify_inst($opcode_pred{$mnemonic}|$1, $inst); + } + + sprintf "%s // fail to parse", $inst; +} + +sub sve_other { + my ($mnemonic,$arg)=@_; + my $inst = (sprintf "%s %s", $mnemonic,$arg); + + if ($arg =~ m/x([0-9]+)[^,]*,\s*p([0-9]+)[^,]*,\s*p([0-9]+)\.([bhsd])/o) { + return &verify_inst($opcode_pred{$mnemonic}|($tsize{$4}<<22)|$1|($2<<10)|($3<<5), $inst); + } elsif ($arg =~ m/(x|w)([0-9]+)[^,]*,\s*p([0-9]+)[^,]*,\s*z([0-9]+)\.([bhsd])/o) { + return &verify_inst($opcode_pred{$mnemonic}|($tsize{$5}<<22)|$1|($3<<10)|($4<<5)|$2, $inst); + }elsif ($mnemonic =~ /inc[bhdw]/) { + if ($arg =~ m/x([0-9]+)[^,]*,\s*(\w+)[^,]*,\s*MUL\s*#?([0-9]+)/o) { + return &verify_inst($opcode_unpred{$mnemonic}|$1|($pattern{$2}<<5)|(2<<12)|(($3 - 1)<<16)|0xE000, $inst); + } elsif ($arg =~ m/z([0-9]+)[^,]*,\s*(\w+)[^,]*,\s*MUL\s*#?([0-9]+)/o) { + return &verify_inst($opcode_unpred{$mnemonic}|$1|($pattern{$2}<<5)|(($3 - 1)<<16)|0xC000, $inst); + } elsif ($arg =~ m/x([0-9]+)/o) { + return &verify_inst($opcode_unpred{$mnemonic}|$1|(31<<5)|(0<<16)|0xE000, $inst); + } + } elsif ($mnemonic =~ /cnt[bhdw]/) { + if ($arg =~ m/x([0-9]+)[^,]*,\s*(\w+)[^,]*,\s*MUL\s*#?([0-9]+)/o) { + return &verify_inst($opcode_unpred{$mnemonic}|$1|($pattern{$2}<<5)|(($3 - 1)<<16), $inst); + } + } elsif ($arg =~ m/x([0-9]+)[^,]*,\s*x([0-9]+)[^,]*,\s*#?([0-9]+)/o) { + return &verify_inst($opcode_pred{$mnemonic}|$1|($2<<16)|($3<<5), $inst); + } elsif ($arg =~ m/z([0-9]+)[^,]*,\s*z([0-9]+)/o) { + return &verify_inst($opcode_unpred{$mnemonic}|$1|($2<<5), $inst); + } + sprintf "%s // fail to parse", $inst; +} +} + +open SELF,$0; +while() { + next if (/^#!/); + last if (!s/^#/\/\// and !/^$/); + print; +} +close SELF; + +if ($debug_encoder == 1) { + &create_verifier(); +} + +foreach(split("\n",$code)) { + s/\`([^\`]*)\`/eval($1)/ge; + 
s/\b(\w+)\s+(z[0-9]+\.[bhsd],\s*[#zwx]?[0-9]+.*)/sve_unpred($1,$2)/ge; + s/\b(\w+)\s+(z[0-9]+\.[bhsd],\s*\{.*\},\s*z[0-9]+.*)/sve_unpred($1,$2)/ge; + s/\b(\w+)\s+(z[0-9]+\.[bhsd],\s*p[0-9].*)/sve_pred($1,$2)/ge; + s/\b(\w+[1-4]r[bhwd])\s+(\{\s*z[0-9]+.*\},\s*p[0-9]+.*)/sve_pred($1,$2)/ge; + s/\b(\w+[1-4][bhwd])\s+(\{\s*z[0-9]+.*\},\s*p[0-9]+.*)/sve_pred($1,$2)/ge; + s/\b(\w+)\s+(p[0-9]+\.[bhsd].*)/sve_pred($1,$2)/ge; + s/\b(movprfx|lasta|cntp|cnt[bhdw]|addvl|inc[bhdw])\s+((x|z|w).*)/sve_other($1,$2)/ge; + print $_,"\n"; +} + +close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/chacha/asm/chacha-armv8.pl b/crypto/chacha/asm/chacha-armv8.pl index dcdc4a04e..bd5ff8877 100755 --- a/crypto/chacha/asm/chacha-armv8.pl +++ b/crypto/chacha/asm/chacha-armv8.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -132,10 +132,12 @@ sub ROUND { } $code.=<<___; +#include "arm_arch.h" #ifndef __KERNEL__ -# include "arm_arch.h" .extern OPENSSL_armcap_P .hidden OPENSSL_armcap_P + +.extern ChaCha20_ctr32_sve #endif .text @@ -149,23 +151,22 @@ sub ROUND { .long 0x02010003,0x06050407,0x0a09080b,0x0e0d0c0f .asciz "ChaCha20 for ARMv8, CRYPTOGAMS by \@dot-asm" -.globl ChaCha20_ctr32 -.type ChaCha20_ctr32,%function +.globl ChaCha20_ctr32_dflt +.type ChaCha20_ctr32_dflt,%function .align 5 -ChaCha20_ctr32: - cbz $len,.Labort +ChaCha20_ctr32_dflt: + AARCH64_SIGN_LINK_REGISTER cmp $len,#192 b.lo .Lshort - #ifndef __KERNEL__ adrp x17,OPENSSL_armcap_P ldr w17,[x17,#:lo12:OPENSSL_armcap_P] +.Lcheck_neon: tst w17,#ARMV7_NEON b.ne .LChaCha20_neon #endif .Lshort: - .inst 0xd503233f // paciasp stp x29,x30,[sp,#-96]! add x29,sp,#0 
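Review bot: The block counter in ChaCha20_ctr32_sve is advanced on the full 64-bit register — `add @K[6],@K[6],#1` in SVE_TRANSFORMS and `incw @K[6], ALL, MUL #1` after label 210 — while `ldp @K[6],@K[7],[$ctr]` packs the 32-bit counter and the first nonce word into that same register, so a wrap of the low word carries into the nonce, and the epilogue `str @KL[6],[$ctr]` writes only the low 32 bits back for the tail path. Whether a 32-bit wrap (RFC 8439 style) or a 64-bit count is the intended contract should be confirmed against the NEON/scalar paths; either way a comment at the `ldp`, e.g. `// K[6] = counter | nonce[0] << 32; increments below are 64-bit`, would save the next reader the derivation. Separately, the debug-only helper written by create_verifier uses `TMPFILE=/tmp/$$` and compiles a C file built from the raw instruction text; it is only generated when `$debug_encoder` is set, but `TMPFILE=$(mktemp -d)/sve` would remove the predictable-path race for anyone who enables it on a shared host.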
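Review bot: ChaCha20_ctr32_dflt is now exported with `.globl`, but the `cbz $len,.Labort` zero-length guard the old ChaCha20_ctr32 entry had is dropped from it; the new ChaCha20_ctr32 wrapper re-checks zero before dispatching, so the in-tree call chain is fine, but any other caller of the `_dflt` symbol enters `.Lshort` with len 0. Either keep `cbz $len,.Labort` right after `AARCH64_SIGN_LINK_REGISTER` in `_dflt` as well, or document the precondition with `// precondition: len != 0 (checked by ChaCha20_ctr32)`. Whether the `.Lshort` scalar loop tolerates a zero length is outside this hunk.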
@@ -285,8 +286,8 @@ sub ROUND { ldp x25,x26,[x29,#64] ldp x27,x28,[x29,#80] ldp x29,x30,[sp],#96 - .inst 0xd50323bf // autiasp .Labort: + AARCH64_VALIDATE_LINK_REGISTER ret .align 4 @@ -342,8 +343,43 @@ sub ROUND { ldp x25,x26,[x29,#64] ldp x27,x28,[x29,#80] ldp x29,x30,[sp],#96 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret +.size ChaCha20_ctr32_dflt,.-ChaCha20_ctr32_dflt + +.globl ChaCha20_ctr32 +.type ChaCha20_ctr32,%function +.align 5 +ChaCha20_ctr32: + AARCH64_SIGN_LINK_REGISTER + cbz $len,.Labort + cmp $len,#192 + b.lo .Lshort +#ifndef __KERNEL__ + adrp x17,OPENSSL_armcap_P + ldr w17,[x17,#:lo12:OPENSSL_armcap_P] + tst w17,#ARMV8_SVE + b.eq .Lcheck_neon + stp x29,x30,[sp,#-16]! + sub sp,sp,#16 + // SVE handling will inevitably increment the counter + // Neon/Scalar code that follows to process tail data needs to + // use new counter, unfortunately the input counter buffer + // pointed to by ctr is meant to be read-only per API contract + // we have to copy the buffer to stack to be writable by SVE + ldp x5,x6,[$ctr] + stp x5,x6,[sp] + mov $ctr,sp + bl ChaCha20_ctr32_sve + cbz $len,1f + bl ChaCha20_ctr32_dflt +1: + add sp,sp,#16 + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret +#endif + b .Lshort .size ChaCha20_ctr32,.-ChaCha20_ctr32 ___ @@ -432,8 +468,8 @@ sub NEON_lane_ROUND { .type ChaCha20_neon,%function .align 5 ChaCha20_neon: + AARCH64_SIGN_LINK_REGISTER .LChaCha20_neon: - .inst 0xd503233f // paciasp stp x29,x30,[sp,#-96]! add x29,sp,#0 @@ -667,7 +703,7 @@ sub NEON_lane_ROUND { ldp x25,x26,[x29,#64] ldp x27,x28,[x29,#80] ldp x29,x30,[sp],#96 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .align 4 @@ -799,7 +835,7 @@ sub NEON_lane_ROUND { ldp x25,x26,[x29,#64] ldp x27,x28,[x29,#80] ldp x29,x30,[sp],#96 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size ChaCha20_neon,.-ChaCha20_neon ___ 
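Review bot: The new ChaCha20_ctr32 wrapper relies on an unstated calling contract: after `bl ChaCha20_ctr32_sve` it tests `cbz $len,1f` and then calls ChaCha20_ctr32_dflt with x0/x1/x2 exactly as the callee left them, which only works because ChaCha20_ctr32_sve advances out, inp and len in place and leaves key (x3) and the stack ctr pointer (x4) untouched. That is not the normal AAPCS64 treatment of argument registers, so it deserves a comment above the call, e.g. `// ChaCha20_ctr32_sve consumes whole SVE-width chunks and returns with x0/x1/x2 advanced to the unprocessed tail; x3/x4 preserved`. As far as the SVE file shows, that entry point also returns immediately when len is below one vector-width of blocks or when SVE without SVE2 runs at 128-bit VL, so on such parts every call pays the ctr copy and two extra calls; a note to that effect would stop it being mistaken for a bug later.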
@@ -844,7 +880,7 @@ sub NEONROUND {
.type ChaCha20_512_neon,%function
.align 5
ChaCha20_512_neon:
- .inst 0xd503233f // paciasp
+ AARCH64_SIGN_LINK_REGISTER
stp x29,x30,[sp,#-96]!
add x29,sp,#0
@@ -1268,7 +1304,7 @@ sub NEONROUND {
ldp x25,x26,[x29,#64]
ldp x27,x28,[x29,#80]
ldp x29,x30,[sp],#96
- .inst 0xd50323bf // autiasp
+ AARCH64_VALIDATE_LINK_REGISTER
ret
.size ChaCha20_512_neon,.-ChaCha20_512_neon
___
diff --git a/crypto/chacha/asm/chachap10-ppc.pl b/crypto/chacha/asm/chachap10-ppc.pl
new file mode 100755
index 000000000..78cd4aed0
--- /dev/null
+++ b/crypto/chacha/asm/chachap10-ppc.pl
@@ -0,0 +1,1288 @@ +#! /usr/bin/env perl +# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# +# ==================================================================== +# Written by Andy Polyakov for the OpenSSL +# project. The module is, however, dual licensed under OpenSSL and +# CRYPTOGAMS licenses depending on where you obtain it. For further +# details see http://www.openssl.org/~appro/cryptogams/. +# ==================================================================== +# +# October 2015 +# +# ChaCha20 for PowerPC/AltiVec. +# +# June 2018 +# +# Add VSX 2.07 code path. Original 3xAltiVec+1xIALU is well-suited for +# processors that can't issue more than one vector instruction per +# cycle. But POWER8 (and POWER9) can issue a pair, and vector-only 4x +# interleave would perform better. Incidentally PowerISA 2.07 (first +# implemented by POWER8) defined new usable instructions, hence 4xVSX +# code path... +# +# Performance in cycles per byte out of large buffer. +# +# IALU/gcc-4.x 3xAltiVec+1xIALU 4xVSX +# +# Freescale e300 13.6/+115% - - +# PPC74x0/G4e 6.81/+310% 3.81 - +# PPC970/G5 9.29/+160% ? - +# POWER7 8.62/+61% 3.35 - +# POWER8 8.70/+51% 2.91 2.09 +# POWER9 8.80/+29% 4.44(*) 2.45(**) +# +# (*) this is trade-off result, it's possible to improve it, but +# then it would negatively affect all others; +# (**) POWER9 seems to be "allergic" to mixing vector and integer +# instructions, which is why switch to vector-only code pays +# off that much; + +# $output is the last argument if it looks like a file (it has an extension) +# $flavour is the first argument if it doesn't look like a file +$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? 
pop : undef; +$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; + +if ($flavour =~ /64/) { + $SIZE_T =8; + $LRSAVE =2*$SIZE_T; + $STU ="stdu"; + $POP ="ld"; + $PUSH ="std"; + $UCMP ="cmpld"; +} elsif ($flavour =~ /32/) { + $SIZE_T =4; + $LRSAVE =$SIZE_T; + $STU ="stwu"; + $POP ="lwz"; + $PUSH ="stw"; + $UCMP ="cmplw"; +} else { die "nonsense $flavour"; } + +$LITTLE_ENDIAN = ($flavour=~/le$/) ? 1 : 0; + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or +( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or +die "can't locate ppc-xlate.pl"; + +open STDOUT,"| $^X $xlate $flavour \"$output\"" + or die "can't call $xlate: $!"; + +$LOCALS=6*$SIZE_T; +$FRAME=$LOCALS+64+18*$SIZE_T; # 64 is for local variables + +sub AUTOLOAD() # thunk [simplified] x86-style perlasm +{ my $opcode = $AUTOLOAD; $opcode =~ s/.*:://; $opcode =~ s/_/\./; + $code .= "\t$opcode\t".join(',',@_)."\n"; +} + +my $sp = "r1"; + +my ($out,$inp,$len,$key,$ctr) = map("r$_",(3..7)); + + +{{{ +my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3, + $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3) = map("v$_",(0..15)); +my @K = map("v$_",(16..19)); +my $CTR = "v26"; +my ($xt0,$xt1,$xt2,$xt3) = map("v$_",(27..30)); +my ($sixteen,$twelve,$eight,$seven) = ($xt0,$xt1,$xt2,$xt3); +my $beperm = "v31"; + +my ($x00,$x10,$x20,$x30) = (0, map("r$_",(8..10))); + +my $FRAME=$LOCALS+64+7*16; # 7*16 is for v26-v31 offload + + +sub VSX_lane_ROUND_4x { +my ($a0,$b0,$c0,$d0)=@_; +my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0)); +my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1)); +my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2)); +my @x=map("\"v$_\"",(0..15)); + + ( + "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", # Q1 + "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", # Q2 + "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", # Q3 + "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", # Q4 + "&vxor (@x[$d0],@x[$d0],@x[$a0])", + "&vxor (@x[$d1],@x[$d1],@x[$a1])", + "&vxor 
(@x[$d2],@x[$d2],@x[$a2])", + "&vxor (@x[$d3],@x[$d3],@x[$a3])", + "&vrlw (@x[$d0],@x[$d0],'$sixteen')", + "&vrlw (@x[$d1],@x[$d1],'$sixteen')", + "&vrlw (@x[$d2],@x[$d2],'$sixteen')", + "&vrlw (@x[$d3],@x[$d3],'$sixteen')", + + "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", + "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", + "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", + "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", + "&vxor (@x[$b0],@x[$b0],@x[$c0])", + "&vxor (@x[$b1],@x[$b1],@x[$c1])", + "&vxor (@x[$b2],@x[$b2],@x[$c2])", + "&vxor (@x[$b3],@x[$b3],@x[$c3])", + "&vrlw (@x[$b0],@x[$b0],'$twelve')", + "&vrlw (@x[$b1],@x[$b1],'$twelve')", + "&vrlw (@x[$b2],@x[$b2],'$twelve')", + "&vrlw (@x[$b3],@x[$b3],'$twelve')", + + "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", + "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", + "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", + "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", + "&vxor (@x[$d0],@x[$d0],@x[$a0])", + "&vxor (@x[$d1],@x[$d1],@x[$a1])", + "&vxor (@x[$d2],@x[$d2],@x[$a2])", + "&vxor (@x[$d3],@x[$d3],@x[$a3])", + "&vrlw (@x[$d0],@x[$d0],'$eight')", + "&vrlw (@x[$d1],@x[$d1],'$eight')", + "&vrlw (@x[$d2],@x[$d2],'$eight')", + "&vrlw (@x[$d3],@x[$d3],'$eight')", + + "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", + "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", + "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", + "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", + "&vxor (@x[$b0],@x[$b0],@x[$c0])", + "&vxor (@x[$b1],@x[$b1],@x[$c1])", + "&vxor (@x[$b2],@x[$b2],@x[$c2])", + "&vxor (@x[$b3],@x[$b3],@x[$c3])", + "&vrlw (@x[$b0],@x[$b0],'$seven')", + "&vrlw (@x[$b1],@x[$b1],'$seven')", + "&vrlw (@x[$b2],@x[$b2],'$seven')", + "&vrlw (@x[$b3],@x[$b3],'$seven')" + ); +} + +$code.=<<___; + +.globl .ChaCha20_ctr32_vsx_p10 +.align 5 +.ChaCha20_ctr32_vsx_p10: + ${UCMP}i $len,255 + bgt ChaCha20_ctr32_vsx_8x + $STU $sp,-$FRAME($sp) + mflr r0 + li r10,`15+$LOCALS+64` + li r11,`31+$LOCALS+64` + mfspr r12,256 + stvx v26,r10,$sp + addi r10,r10,32 + stvx v27,r11,$sp + addi r11,r11,32 + stvx v28,r10,$sp + addi r10,r10,32 + stvx v29,r11,$sp + addi 
r11,r11,32 + stvx v30,r10,$sp + stvx v31,r11,$sp + stw r12,`$FRAME-4`($sp) # save vrsave + li r12,-4096+63 + $PUSH r0, `$FRAME+$LRSAVE`($sp) + mtspr 256,r12 # preserve 29 AltiVec registers + + bl Lconsts # returns pointer Lsigma in r12 + lvx_4w @K[0],0,r12 # load sigma + addi r12,r12,0x70 + li $x10,16 + li $x20,32 + li $x30,48 + li r11,64 + + lvx_4w @K[1],0,$key # load key + lvx_4w @K[2],$x10,$key + lvx_4w @K[3],0,$ctr # load counter + + vxor $xt0,$xt0,$xt0 + lvx_4w $xt1,r11,r12 + vspltw $CTR,@K[3],0 + vsldoi @K[3],@K[3],$xt0,4 + vsldoi @K[3],$xt0,@K[3],12 # clear @K[3].word[0] + vadduwm $CTR,$CTR,$xt1 + + be?lvsl $beperm,0,$x10 # 0x00..0f + be?vspltisb $xt0,3 # 0x03..03 + be?vxor $beperm,$beperm,$xt0 # swap bytes within words + + li r0,10 # inner loop counter + mtctr r0 + b Loop_outer_vsx + +.align 5 +Loop_outer_vsx: + lvx $xa0,$x00,r12 # load [smashed] sigma + lvx $xa1,$x10,r12 + lvx $xa2,$x20,r12 + lvx $xa3,$x30,r12 + + vspltw $xb0,@K[1],0 # smash the key + vspltw $xb1,@K[1],1 + vspltw $xb2,@K[1],2 + vspltw $xb3,@K[1],3 + + vspltw $xc0,@K[2],0 + vspltw $xc1,@K[2],1 + vspltw $xc2,@K[2],2 + vspltw $xc3,@K[2],3 + + vmr $xd0,$CTR # smash the counter + vspltw $xd1,@K[3],1 + vspltw $xd2,@K[3],2 + vspltw $xd3,@K[3],3 + + vspltisw $sixteen,-16 # synthesize constants + vspltisw $twelve,12 + vspltisw $eight,8 + vspltisw $seven,7 + +Loop_vsx_4x: +___ + foreach (&VSX_lane_ROUND_4x(0, 4, 8,12)) { eval; } + foreach (&VSX_lane_ROUND_4x(0, 5,10,15)) { eval; } +$code.=<<___; + + bdnz Loop_vsx_4x + + vadduwm $xd0,$xd0,$CTR + + vmrgew $xt0,$xa0,$xa1 # transpose data + vmrgew $xt1,$xa2,$xa3 + vmrgow $xa0,$xa0,$xa1 + vmrgow $xa2,$xa2,$xa3 + vmrgew $xt2,$xb0,$xb1 + vmrgew $xt3,$xb2,$xb3 + vpermdi $xa1,$xa0,$xa2,0b00 + vpermdi $xa3,$xa0,$xa2,0b11 + vpermdi $xa0,$xt0,$xt1,0b00 + vpermdi $xa2,$xt0,$xt1,0b11 + + vmrgow $xb0,$xb0,$xb1 + vmrgow $xb2,$xb2,$xb3 + vmrgew $xt0,$xc0,$xc1 + vmrgew $xt1,$xc2,$xc3 + vpermdi $xb1,$xb0,$xb2,0b00 + vpermdi $xb3,$xb0,$xb2,0b11 + vpermdi 
$xb0,$xt2,$xt3,0b00 + vpermdi $xb2,$xt2,$xt3,0b11 + + vmrgow $xc0,$xc0,$xc1 + vmrgow $xc2,$xc2,$xc3 + vmrgew $xt2,$xd0,$xd1 + vmrgew $xt3,$xd2,$xd3 + vpermdi $xc1,$xc0,$xc2,0b00 + vpermdi $xc3,$xc0,$xc2,0b11 + vpermdi $xc0,$xt0,$xt1,0b00 + vpermdi $xc2,$xt0,$xt1,0b11 + + vmrgow $xd0,$xd0,$xd1 + vmrgow $xd2,$xd2,$xd3 + vspltisw $xt0,4 + vadduwm $CTR,$CTR,$xt0 # next counter value + vpermdi $xd1,$xd0,$xd2,0b00 + vpermdi $xd3,$xd0,$xd2,0b11 + vpermdi $xd0,$xt2,$xt3,0b00 + vpermdi $xd2,$xt2,$xt3,0b11 + + vadduwm $xa0,$xa0,@K[0] + vadduwm $xb0,$xb0,@K[1] + vadduwm $xc0,$xc0,@K[2] + vadduwm $xd0,$xd0,@K[3] + + be?vperm $xa0,$xa0,$xa0,$beperm + be?vperm $xb0,$xb0,$xb0,$beperm + be?vperm $xc0,$xc0,$xc0,$beperm + be?vperm $xd0,$xd0,$xd0,$beperm + + ${UCMP}i $len,0x40 + blt Ltail_vsx + + lvx_4w $xt0,$x00,$inp + lvx_4w $xt1,$x10,$inp + lvx_4w $xt2,$x20,$inp + lvx_4w $xt3,$x30,$inp + + vxor $xt0,$xt0,$xa0 + vxor $xt1,$xt1,$xb0 + vxor $xt2,$xt2,$xc0 + vxor $xt3,$xt3,$xd0 + + stvx_4w $xt0,$x00,$out + stvx_4w $xt1,$x10,$out + addi $inp,$inp,0x40 + stvx_4w $xt2,$x20,$out + subi $len,$len,0x40 + stvx_4w $xt3,$x30,$out + addi $out,$out,0x40 + beq Ldone_vsx + + vadduwm $xa0,$xa1,@K[0] + vadduwm $xb0,$xb1,@K[1] + vadduwm $xc0,$xc1,@K[2] + vadduwm $xd0,$xd1,@K[3] + + be?vperm $xa0,$xa0,$xa0,$beperm + be?vperm $xb0,$xb0,$xb0,$beperm + be?vperm $xc0,$xc0,$xc0,$beperm + be?vperm $xd0,$xd0,$xd0,$beperm + + ${UCMP}i $len,0x40 + blt Ltail_vsx + + lvx_4w $xt0,$x00,$inp + lvx_4w $xt1,$x10,$inp + lvx_4w $xt2,$x20,$inp + lvx_4w $xt3,$x30,$inp + + vxor $xt0,$xt0,$xa0 + vxor $xt1,$xt1,$xb0 + vxor $xt2,$xt2,$xc0 + vxor $xt3,$xt3,$xd0 + + stvx_4w $xt0,$x00,$out + stvx_4w $xt1,$x10,$out + addi $inp,$inp,0x40 + stvx_4w $xt2,$x20,$out + subi $len,$len,0x40 + stvx_4w $xt3,$x30,$out + addi $out,$out,0x40 + beq Ldone_vsx + + vadduwm $xa0,$xa2,@K[0] + vadduwm $xb0,$xb2,@K[1] + vadduwm $xc0,$xc2,@K[2] + vadduwm $xd0,$xd2,@K[3] + + be?vperm $xa0,$xa0,$xa0,$beperm + be?vperm $xb0,$xb0,$xb0,$beperm + be?vperm 
$xc0,$xc0,$xc0,$beperm + be?vperm $xd0,$xd0,$xd0,$beperm + + ${UCMP}i $len,0x40 + blt Ltail_vsx + + lvx_4w $xt0,$x00,$inp + lvx_4w $xt1,$x10,$inp + lvx_4w $xt2,$x20,$inp + lvx_4w $xt3,$x30,$inp + + vxor $xt0,$xt0,$xa0 + vxor $xt1,$xt1,$xb0 + vxor $xt2,$xt2,$xc0 + vxor $xt3,$xt3,$xd0 + + stvx_4w $xt0,$x00,$out + stvx_4w $xt1,$x10,$out + addi $inp,$inp,0x40 + stvx_4w $xt2,$x20,$out + subi $len,$len,0x40 + stvx_4w $xt3,$x30,$out + addi $out,$out,0x40 + beq Ldone_vsx + + vadduwm $xa0,$xa3,@K[0] + vadduwm $xb0,$xb3,@K[1] + vadduwm $xc0,$xc3,@K[2] + vadduwm $xd0,$xd3,@K[3] + + be?vperm $xa0,$xa0,$xa0,$beperm + be?vperm $xb0,$xb0,$xb0,$beperm + be?vperm $xc0,$xc0,$xc0,$beperm + be?vperm $xd0,$xd0,$xd0,$beperm + + ${UCMP}i $len,0x40 + blt Ltail_vsx + + lvx_4w $xt0,$x00,$inp + lvx_4w $xt1,$x10,$inp + lvx_4w $xt2,$x20,$inp + lvx_4w $xt3,$x30,$inp + + vxor $xt0,$xt0,$xa0 + vxor $xt1,$xt1,$xb0 + vxor $xt2,$xt2,$xc0 + vxor $xt3,$xt3,$xd0 + + stvx_4w $xt0,$x00,$out + stvx_4w $xt1,$x10,$out + addi $inp,$inp,0x40 + stvx_4w $xt2,$x20,$out + subi $len,$len,0x40 + stvx_4w $xt3,$x30,$out + addi $out,$out,0x40 + mtctr r0 + bne Loop_outer_vsx + +Ldone_vsx: + lwz r12,`$FRAME-4`($sp) # pull vrsave + li r10,`15+$LOCALS+64` + li r11,`31+$LOCALS+64` + $POP r0, `$FRAME+$LRSAVE`($sp) + mtspr 256,r12 # restore vrsave + lvx v26,r10,$sp + addi r10,r10,32 + lvx v27,r11,$sp + addi r11,r11,32 + lvx v28,r10,$sp + addi r10,r10,32 + lvx v29,r11,$sp + addi r11,r11,32 + lvx v30,r10,$sp + lvx v31,r11,$sp + mtlr r0 + addi $sp,$sp,$FRAME + blr + +.align 4 +Ltail_vsx: + addi r11,$sp,$LOCALS + mtctr $len + stvx_4w $xa0,$x00,r11 # offload block to stack + stvx_4w $xb0,$x10,r11 + stvx_4w $xc0,$x20,r11 + stvx_4w $xd0,$x30,r11 + subi r12,r11,1 # prepare for *++ptr + subi $inp,$inp,1 + subi $out,$out,1 + +Loop_tail_vsx: + lbzu r6,1(r12) + lbzu r7,1($inp) + xor r6,r6,r7 + stbu r6,1($out) + bdnz Loop_tail_vsx + + stvx_4w $K[0],$x00,r11 # wipe copy of the block + stvx_4w $K[0],$x10,r11 + stvx_4w $K[0],$x20,r11 + 
stvx_4w $K[0],$x30,r11 + + b Ldone_vsx + .long 0 + .byte 0,12,0x04,1,0x80,0,5,0 + .long 0 +.size .ChaCha20_ctr32_vsx_p10,.-.ChaCha20_ctr32_vsx_p10 +___ +}}} + +##This is 8 block in parallel implementation. The heart of chacha round uses vector instruction that has access to +# vsr[32+X]. To perform the 8 parallel block we tend to use all 32 register to hold the 8 block info. +# WE need to store few register value on side, so we can use VSR{32+X} for few vector instructions used in round op and hold intermediate value. +# WE use the VSR[0]-VSR[31] for holding intermediate value and perform 8 block in parallel. +# +{{{ +#### ($out,$inp,$len,$key,$ctr) = map("r$_",(3..7)); +my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3, + $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3, + $xa4,$xa5,$xa6,$xa7, $xb4,$xb5,$xb6,$xb7, + $xc4,$xc5,$xc6,$xc7, $xd4,$xd5,$xd6,$xd7) = map("v$_",(0..31)); +my ($xcn4,$xcn5,$xcn6,$xcn7, $xdn4,$xdn5,$xdn6,$xdn7) = map("v$_",(8..15)); +my ($xan0,$xbn0,$xcn0,$xdn0) = map("v$_",(0..3)); +my @K = map("v$_",27,(24..26)); +my ($xt0,$xt1,$xt2,$xt3,$xt4) = map("v$_",23,(28..31)); +my $xr0 = "v4"; +my $CTR0 = "v22"; +my $CTR1 = "v5"; +my $beperm = "v31"; +my ($x00,$x10,$x20,$x30) = (0, map("r$_",(8..10))); +my ($xv0,$xv1,$xv2,$xv3,$xv4,$xv5,$xv6,$xv7) = map("v$_",(0..7)); +my ($xv8,$xv9,$xv10,$xv11,$xv12,$xv13,$xv14,$xv15,$xv16,$xv17) = map("v$_",(8..17)); +my ($xv18,$xv19,$xv20,$xv21) = map("v$_",(18..21)); +my ($xv22,$xv23,$xv24,$xv25,$xv26) = map("v$_",(22..26)); + +my $FRAME=$LOCALS+64+9*16; # 8*16 is for v24-v31 offload + +sub VSX_lane_ROUND_8x { +my ($a0,$b0,$c0,$d0,$a4,$b4,$c4,$d4)=@_; +my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0)); +my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1)); +my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2)); +my ($a5,$b5,$c5,$d5)=map(($_&~3)+(($_+1)&3),($a4,$b4,$c4,$d4)); +my ($a6,$b6,$c6,$d6)=map(($_&~3)+(($_+1)&3),($a5,$b5,$c5,$d5)); +my 
($a7,$b7,$c7,$d7)=map(($_&~3)+(($_+1)&3),($a6,$b6,$c6,$d6)); +my ($xv8,$xv9,$xv10,$xv11,$xv12,$xv13,$xv14,$xv15,$xv16,$xv17) = map("\"v$_\"",(8..17)); +my @x=map("\"v$_\"",(0..31)); + + ( + "&vxxlor ($xv15 ,@x[$c7],@x[$c7])", #copy v30 to v13 + "&vxxlorc (@x[$c7], $xv9,$xv9)", + + "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", # Q1 + "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", # Q2 + "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", # Q3 + "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", # Q4 + "&vadduwm (@x[$a4],@x[$a4],@x[$b4])", # Q1 + "&vadduwm (@x[$a5],@x[$a5],@x[$b5])", # Q2 + "&vadduwm (@x[$a6],@x[$a6],@x[$b6])", # Q3 + "&vadduwm (@x[$a7],@x[$a7],@x[$b7])", # Q4 + + "&vxor (@x[$d0],@x[$d0],@x[$a0])", + "&vxor (@x[$d1],@x[$d1],@x[$a1])", + "&vxor (@x[$d2],@x[$d2],@x[$a2])", + "&vxor (@x[$d3],@x[$d3],@x[$a3])", + "&vxor (@x[$d4],@x[$d4],@x[$a4])", + "&vxor (@x[$d5],@x[$d5],@x[$a5])", + "&vxor (@x[$d6],@x[$d6],@x[$a6])", + "&vxor (@x[$d7],@x[$d7],@x[$a7])", + + "&vrlw (@x[$d0],@x[$d0],@x[$c7])", + "&vrlw (@x[$d1],@x[$d1],@x[$c7])", + "&vrlw (@x[$d2],@x[$d2],@x[$c7])", + "&vrlw (@x[$d3],@x[$d3],@x[$c7])", + "&vrlw (@x[$d4],@x[$d4],@x[$c7])", + "&vrlw (@x[$d5],@x[$d5],@x[$c7])", + "&vrlw (@x[$d6],@x[$d6],@x[$c7])", + "&vrlw (@x[$d7],@x[$d7],@x[$c7])", + + "&vxxlor ($xv13 ,@x[$a7],@x[$a7])", + "&vxxlorc (@x[$c7], $xv15,$xv15)", + "&vxxlorc (@x[$a7], $xv10,$xv10)", + + "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", + "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", + "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", + "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", + "&vadduwm (@x[$c4],@x[$c4],@x[$d4])", + "&vadduwm (@x[$c5],@x[$c5],@x[$d5])", + "&vadduwm (@x[$c6],@x[$c6],@x[$d6])", + "&vadduwm (@x[$c7],@x[$c7],@x[$d7])", + + "&vxor (@x[$b0],@x[$b0],@x[$c0])", + "&vxor (@x[$b1],@x[$b1],@x[$c1])", + "&vxor (@x[$b2],@x[$b2],@x[$c2])", + "&vxor (@x[$b3],@x[$b3],@x[$c3])", + "&vxor (@x[$b4],@x[$b4],@x[$c4])", + "&vxor (@x[$b5],@x[$b5],@x[$c5])", + "&vxor (@x[$b6],@x[$b6],@x[$c6])", + "&vxor (@x[$b7],@x[$b7],@x[$c7])", + + "&vrlw 
(@x[$b0],@x[$b0],@x[$a7])", + "&vrlw (@x[$b1],@x[$b1],@x[$a7])", + "&vrlw (@x[$b2],@x[$b2],@x[$a7])", + "&vrlw (@x[$b3],@x[$b3],@x[$a7])", + "&vrlw (@x[$b4],@x[$b4],@x[$a7])", + "&vrlw (@x[$b5],@x[$b5],@x[$a7])", + "&vrlw (@x[$b6],@x[$b6],@x[$a7])", + "&vrlw (@x[$b7],@x[$b7],@x[$a7])", + + "&vxxlorc (@x[$a7], $xv13,$xv13)", + "&vxxlor ($xv15 ,@x[$c7],@x[$c7])", + "&vxxlorc (@x[$c7], $xv11,$xv11)", + + + "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", + "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", + "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", + "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", + "&vadduwm (@x[$a4],@x[$a4],@x[$b4])", + "&vadduwm (@x[$a5],@x[$a5],@x[$b5])", + "&vadduwm (@x[$a6],@x[$a6],@x[$b6])", + "&vadduwm (@x[$a7],@x[$a7],@x[$b7])", + + "&vxor (@x[$d0],@x[$d0],@x[$a0])", + "&vxor (@x[$d1],@x[$d1],@x[$a1])", + "&vxor (@x[$d2],@x[$d2],@x[$a2])", + "&vxor (@x[$d3],@x[$d3],@x[$a3])", + "&vxor (@x[$d4],@x[$d4],@x[$a4])", + "&vxor (@x[$d5],@x[$d5],@x[$a5])", + "&vxor (@x[$d6],@x[$d6],@x[$a6])", + "&vxor (@x[$d7],@x[$d7],@x[$a7])", + + "&vrlw (@x[$d0],@x[$d0],@x[$c7])", + "&vrlw (@x[$d1],@x[$d1],@x[$c7])", + "&vrlw (@x[$d2],@x[$d2],@x[$c7])", + "&vrlw (@x[$d3],@x[$d3],@x[$c7])", + "&vrlw (@x[$d4],@x[$d4],@x[$c7])", + "&vrlw (@x[$d5],@x[$d5],@x[$c7])", + "&vrlw (@x[$d6],@x[$d6],@x[$c7])", + "&vrlw (@x[$d7],@x[$d7],@x[$c7])", + + "&vxxlorc (@x[$c7], $xv15,$xv15)", + "&vxxlor ($xv13 ,@x[$a7],@x[$a7])", + "&vxxlorc (@x[$a7], $xv12,$xv12)", + + "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", + "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", + "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", + "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", + "&vadduwm (@x[$c4],@x[$c4],@x[$d4])", + "&vadduwm (@x[$c5],@x[$c5],@x[$d5])", + "&vadduwm (@x[$c6],@x[$c6],@x[$d6])", + "&vadduwm (@x[$c7],@x[$c7],@x[$d7])", + "&vxor (@x[$b0],@x[$b0],@x[$c0])", + "&vxor (@x[$b1],@x[$b1],@x[$c1])", + "&vxor (@x[$b2],@x[$b2],@x[$c2])", + "&vxor (@x[$b3],@x[$b3],@x[$c3])", + "&vxor (@x[$b4],@x[$b4],@x[$c4])", + "&vxor (@x[$b5],@x[$b5],@x[$c5])", + "&vxor 
(@x[$b6],@x[$b6],@x[$c6])", + "&vxor (@x[$b7],@x[$b7],@x[$c7])", + "&vrlw (@x[$b0],@x[$b0],@x[$a7])", + "&vrlw (@x[$b1],@x[$b1],@x[$a7])", + "&vrlw (@x[$b2],@x[$b2],@x[$a7])", + "&vrlw (@x[$b3],@x[$b3],@x[$a7])", + "&vrlw (@x[$b4],@x[$b4],@x[$a7])", + "&vrlw (@x[$b5],@x[$b5],@x[$a7])", + "&vrlw (@x[$b6],@x[$b6],@x[$a7])", + "&vrlw (@x[$b7],@x[$b7],@x[$a7])", + + "&vxxlorc (@x[$a7], $xv13,$xv13)", + ); +} + +$code.=<<___; + +.globl .ChaCha20_ctr32_vsx_8x +.align 5 +.ChaCha20_ctr32_vsx_8x: + $STU $sp,-$FRAME($sp) + mflr r0 + li r10,`15+$LOCALS+64` + li r11,`31+$LOCALS+64` + mfspr r12,256 + stvx v24,r10,$sp + addi r10,r10,32 + stvx v25,r11,$sp + addi r11,r11,32 + stvx v26,r10,$sp + addi r10,r10,32 + stvx v27,r11,$sp + addi r11,r11,32 + stvx v28,r10,$sp + addi r10,r10,32 + stvx v29,r11,$sp + addi r11,r11,32 + stvx v30,r10,$sp + stvx v31,r11,$sp + stw r12,`$FRAME-4`($sp) # save vrsave + li r12,-4096+63 + $PUSH r0, `$FRAME+$LRSAVE`($sp) + mtspr 256,r12 # preserve 29 AltiVec registers + + bl Lconsts # returns pointer Lsigma in r12 + + lvx_4w @K[0],0,r12 # load sigma + addi r12,r12,0x70 + li $x10,16 + li $x20,32 + li $x30,48 + li r11,64 + + vspltisw $xa4,-16 # synthesize constants + vspltisw $xb4,12 # synthesize constants + vspltisw $xc4,8 # synthesize constants + vspltisw $xd4,7 # synthesize constants + + lvx $xa0,$x00,r12 # load [smashed] sigma + lvx $xa1,$x10,r12 + lvx $xa2,$x20,r12 + lvx $xa3,$x30,r12 + + vxxlor $xv9 ,$xa4,$xa4 #save shift val in vr9-12 + vxxlor $xv10 ,$xb4,$xb4 + vxxlor $xv11 ,$xc4,$xc4 + vxxlor $xv12 ,$xd4,$xd4 + vxxlor $xv22 ,$xa0,$xa0 #save sigma in vr22-25 + vxxlor $xv23 ,$xa1,$xa1 + vxxlor $xv24 ,$xa2,$xa2 + vxxlor $xv25 ,$xa3,$xa3 + + lvx_4w @K[1],0,$key # load key + lvx_4w @K[2],$x10,$key + lvx_4w @K[3],0,$ctr # load counter + vspltisw $xt3,4 + + + vxor $xt2,$xt2,$xt2 + lvx_4w $xt1,r11,r12 + vspltw $xa2,@K[3],0 #save the original count after spltw + vsldoi @K[3],@K[3],$xt2,4 + vsldoi @K[3],$xt2,@K[3],12 # clear @K[3].word[0] + vadduwm 
$xt1,$xa2,$xt1 + vadduwm $xt3,$xt1,$xt3 # next counter value + vspltw $xa0,@K[2],2 # save the K[2] spltw 2 and save v8. + + be?lvsl $beperm,0,$x10 # 0x00..0f + be?vspltisb $xt0,3 # 0x03..03 + be?vxor $beperm,$beperm,$xt0 # swap bytes within words + be?vxxlor $xv26 ,$beperm,$beperm + + vxxlor $xv0 ,@K[0],@K[0] # K0,k1,k2 to vr0,1,2 + vxxlor $xv1 ,@K[1],@K[1] + vxxlor $xv2 ,@K[2],@K[2] + vxxlor $xv3 ,@K[3],@K[3] + vxxlor $xv4 ,$xt1,$xt1 #CTR ->4, CTR+4-> 5 + vxxlor $xv5 ,$xt3,$xt3 + vxxlor $xv8 ,$xa0,$xa0 + + li r0,10 # inner loop counter + mtctr r0 + b Loop_outer_vsx_8x + +.align 5 +Loop_outer_vsx_8x: + vxxlorc $xa0,$xv22,$xv22 # load [smashed] sigma + vxxlorc $xa1,$xv23,$xv23 + vxxlorc $xa2,$xv24,$xv24 + vxxlorc $xa3,$xv25,$xv25 + vxxlorc $xa4,$xv22,$xv22 + vxxlorc $xa5,$xv23,$xv23 + vxxlorc $xa6,$xv24,$xv24 + vxxlorc $xa7,$xv25,$xv25 + + vspltw $xb0,@K[1],0 # smash the key + vspltw $xb1,@K[1],1 + vspltw $xb2,@K[1],2 + vspltw $xb3,@K[1],3 + vspltw $xb4,@K[1],0 # smash the key + vspltw $xb5,@K[1],1 + vspltw $xb6,@K[1],2 + vspltw $xb7,@K[1],3 + + vspltw $xc0,@K[2],0 + vspltw $xc1,@K[2],1 + vspltw $xc2,@K[2],2 + vspltw $xc3,@K[2],3 + vspltw $xc4,@K[2],0 + vspltw $xc7,@K[2],3 + vspltw $xc5,@K[2],1 + + vxxlorc $xd0,$xv4,$xv4 # smash the counter + vspltw $xd1,@K[3],1 + vspltw $xd2,@K[3],2 + vspltw $xd3,@K[3],3 + vxxlorc $xd4,$xv5,$xv5 # smash the counter + vspltw $xd5,@K[3],1 + vspltw $xd6,@K[3],2 + vspltw $xd7,@K[3],3 + vxxlorc $xc6,$xv8,$xv8 #copy of vlspt k[2],2 is in v8.v26 ->k[3] so need to wait until k3 is done + +Loop_vsx_8x: +___ + foreach (&VSX_lane_ROUND_8x(0,4, 8,12,16,20,24,28)) { eval; } + foreach (&VSX_lane_ROUND_8x(0,5,10,15,16,21,26,31)) { eval; } +$code.=<<___; + + bdnz Loop_vsx_8x + vxxlor $xv13 ,$xd4,$xd4 # save the register vr24-31 + vxxlor $xv14 ,$xd5,$xd5 # + vxxlor $xv15 ,$xd6,$xd6 # + vxxlor $xv16 ,$xd7,$xd7 # + + vxxlor $xv18 ,$xc4,$xc4 # + vxxlor $xv19 ,$xc5,$xc5 # + vxxlor $xv20 ,$xc6,$xc6 # + vxxlor $xv21 ,$xc7,$xc7 # + + vxxlor $xv6 
,$xb6,$xb6 # save vr23, so we get 8 regs + vxxlor $xv7 ,$xb7,$xb7 # save vr23, so we get 8 regs + be?vxxlorc $beperm,$xv26,$xv26 # copy back the the beperm. + + vxxlorc @K[0],$xv0,$xv0 #27 + vxxlorc @K[1],$xv1,$xv1 #24 + vxxlorc @K[2],$xv2,$xv2 #25 + vxxlorc @K[3],$xv3,$xv3 #26 + vxxlorc $CTR0,$xv4,$xv4 +###changing to vertical + + vmrgew $xt0,$xa0,$xa1 # transpose data + vmrgew $xt1,$xa2,$xa3 + vmrgow $xa0,$xa0,$xa1 + vmrgow $xa2,$xa2,$xa3 + + vmrgew $xt2,$xb0,$xb1 + vmrgew $xt3,$xb2,$xb3 + vmrgow $xb0,$xb0,$xb1 + vmrgow $xb2,$xb2,$xb3 + + vadduwm $xd0,$xd0,$CTR0 + + vpermdi $xa1,$xa0,$xa2,0b00 + vpermdi $xa3,$xa0,$xa2,0b11 + vpermdi $xa0,$xt0,$xt1,0b00 + vpermdi $xa2,$xt0,$xt1,0b11 + vpermdi $xb1,$xb0,$xb2,0b00 + vpermdi $xb3,$xb0,$xb2,0b11 + vpermdi $xb0,$xt2,$xt3,0b00 + vpermdi $xb2,$xt2,$xt3,0b11 + + vmrgew $xt0,$xc0,$xc1 + vmrgew $xt1,$xc2,$xc3 + vmrgow $xc0,$xc0,$xc1 + vmrgow $xc2,$xc2,$xc3 + vmrgew $xt2,$xd0,$xd1 + vmrgew $xt3,$xd2,$xd3 + vmrgow $xd0,$xd0,$xd1 + vmrgow $xd2,$xd2,$xd3 + + vpermdi $xc1,$xc0,$xc2,0b00 + vpermdi $xc3,$xc0,$xc2,0b11 + vpermdi $xc0,$xt0,$xt1,0b00 + vpermdi $xc2,$xt0,$xt1,0b11 + vpermdi $xd1,$xd0,$xd2,0b00 + vpermdi $xd3,$xd0,$xd2,0b11 + vpermdi $xd0,$xt2,$xt3,0b00 + vpermdi $xd2,$xt2,$xt3,0b11 + + vspltisw $xt0,8 + vadduwm $CTR0,$CTR0,$xt0 # next counter value + vxxlor $xv4 ,$CTR0,$CTR0 #CTR+4-> 5 + + vadduwm $xa0,$xa0,@K[0] + vadduwm $xb0,$xb0,@K[1] + vadduwm $xc0,$xc0,@K[2] + vadduwm $xd0,$xd0,@K[3] + + be?vperm $xa0,$xa0,$xa0,$beperm + be?vperm $xb0,$xb0,$xb0,$beperm + be?vperm $xc0,$xc0,$xc0,$beperm + be?vperm $xd0,$xd0,$xd0,$beperm + + ${UCMP}i $len,0x40 + blt Ltail_vsx_8x + + lvx_4w $xt0,$x00,$inp + lvx_4w $xt1,$x10,$inp + lvx_4w $xt2,$x20,$inp + lvx_4w $xt3,$x30,$inp + + vxor $xt0,$xt0,$xa0 + vxor $xt1,$xt1,$xb0 + vxor $xt2,$xt2,$xc0 + vxor $xt3,$xt3,$xd0 + + stvx_4w $xt0,$x00,$out + stvx_4w $xt1,$x10,$out + addi $inp,$inp,0x40 + stvx_4w $xt2,$x20,$out + subi $len,$len,0x40 + stvx_4w $xt3,$x30,$out + addi $out,$out,0x40 + 
beq Ldone_vsx_8x + + vadduwm $xa0,$xa1,@K[0] + vadduwm $xb0,$xb1,@K[1] + vadduwm $xc0,$xc1,@K[2] + vadduwm $xd0,$xd1,@K[3] + + be?vperm $xa0,$xa0,$xa0,$beperm + be?vperm $xb0,$xb0,$xb0,$beperm + be?vperm $xc0,$xc0,$xc0,$beperm + be?vperm $xd0,$xd0,$xd0,$beperm + + ${UCMP}i $len,0x40 + blt Ltail_vsx_8x + + lvx_4w $xt0,$x00,$inp + lvx_4w $xt1,$x10,$inp + lvx_4w $xt2,$x20,$inp + lvx_4w $xt3,$x30,$inp + + vxor $xt0,$xt0,$xa0 + vxor $xt1,$xt1,$xb0 + vxor $xt2,$xt2,$xc0 + vxor $xt3,$xt3,$xd0 + + stvx_4w $xt0,$x00,$out + stvx_4w $xt1,$x10,$out + addi $inp,$inp,0x40 + stvx_4w $xt2,$x20,$out + subi $len,$len,0x40 + stvx_4w $xt3,$x30,$out + addi $out,$out,0x40 + beq Ldone_vsx_8x + + vadduwm $xa0,$xa2,@K[0] + vadduwm $xb0,$xb2,@K[1] + vadduwm $xc0,$xc2,@K[2] + vadduwm $xd0,$xd2,@K[3] + + be?vperm $xa0,$xa0,$xa0,$beperm + be?vperm $xb0,$xb0,$xb0,$beperm + be?vperm $xc0,$xc0,$xc0,$beperm + be?vperm $xd0,$xd0,$xd0,$beperm + + ${UCMP}i $len,0x40 + blt Ltail_vsx_8x + + lvx_4w $xt0,$x00,$inp + lvx_4w $xt1,$x10,$inp + lvx_4w $xt2,$x20,$inp + lvx_4w $xt3,$x30,$inp + + vxor $xt0,$xt0,$xa0 + vxor $xt1,$xt1,$xb0 + vxor $xt2,$xt2,$xc0 + vxor $xt3,$xt3,$xd0 + + stvx_4w $xt0,$x00,$out + stvx_4w $xt1,$x10,$out + addi $inp,$inp,0x40 + stvx_4w $xt2,$x20,$out + subi $len,$len,0x40 + stvx_4w $xt3,$x30,$out + addi $out,$out,0x40 + beq Ldone_vsx_8x + + vadduwm $xa0,$xa3,@K[0] + vadduwm $xb0,$xb3,@K[1] + vadduwm $xc0,$xc3,@K[2] + vadduwm $xd0,$xd3,@K[3] + + be?vperm $xa0,$xa0,$xa0,$beperm + be?vperm $xb0,$xb0,$xb0,$beperm + be?vperm $xc0,$xc0,$xc0,$beperm + be?vperm $xd0,$xd0,$xd0,$beperm + + ${UCMP}i $len,0x40 + blt Ltail_vsx_8x + + lvx_4w $xt0,$x00,$inp + lvx_4w $xt1,$x10,$inp + lvx_4w $xt2,$x20,$inp + lvx_4w $xt3,$x30,$inp + + vxor $xt0,$xt0,$xa0 + vxor $xt1,$xt1,$xb0 + vxor $xt2,$xt2,$xc0 + vxor $xt3,$xt3,$xd0 + + stvx_4w $xt0,$x00,$out + stvx_4w $xt1,$x10,$out + addi $inp,$inp,0x40 + stvx_4w $xt2,$x20,$out + subi $len,$len,0x40 + stvx_4w $xt3,$x30,$out + addi $out,$out,0x40 + beq Ldone_vsx_8x 
+ +#blk4-7: 24:31 remain the same as we can use the same logic above . Reg a4-b7 remain same.Load c4,d7--> position 8-15.we can reuse vr24-31. +#VR0-3 : are used to load temp value, vr4 --> as xr0 instead of xt0. + + vxxlorc $CTR1 ,$xv5,$xv5 + + vxxlorc $xcn4 ,$xv18,$xv18 + vxxlorc $xcn5 ,$xv19,$xv19 + vxxlorc $xcn6 ,$xv20,$xv20 + vxxlorc $xcn7 ,$xv21,$xv21 + + vxxlorc $xdn4 ,$xv13,$xv13 + vxxlorc $xdn5 ,$xv14,$xv14 + vxxlorc $xdn6 ,$xv15,$xv15 + vxxlorc $xdn7 ,$xv16,$xv16 + vadduwm $xdn4,$xdn4,$CTR1 + + vxxlorc $xb6 ,$xv6,$xv6 + vxxlorc $xb7 ,$xv7,$xv7 +#use xa1->xr0, as xt0...in the block 4-7 + + vmrgew $xr0,$xa4,$xa5 # transpose data + vmrgew $xt1,$xa6,$xa7 + vmrgow $xa4,$xa4,$xa5 + vmrgow $xa6,$xa6,$xa7 + vmrgew $xt2,$xb4,$xb5 + vmrgew $xt3,$xb6,$xb7 + vmrgow $xb4,$xb4,$xb5 + vmrgow $xb6,$xb6,$xb7 + + vpermdi $xa5,$xa4,$xa6,0b00 + vpermdi $xa7,$xa4,$xa6,0b11 + vpermdi $xa4,$xr0,$xt1,0b00 + vpermdi $xa6,$xr0,$xt1,0b11 + vpermdi $xb5,$xb4,$xb6,0b00 + vpermdi $xb7,$xb4,$xb6,0b11 + vpermdi $xb4,$xt2,$xt3,0b00 + vpermdi $xb6,$xt2,$xt3,0b11 + + vmrgew $xr0,$xcn4,$xcn5 + vmrgew $xt1,$xcn6,$xcn7 + vmrgow $xcn4,$xcn4,$xcn5 + vmrgow $xcn6,$xcn6,$xcn7 + vmrgew $xt2,$xdn4,$xdn5 + vmrgew $xt3,$xdn6,$xdn7 + vmrgow $xdn4,$xdn4,$xdn5 + vmrgow $xdn6,$xdn6,$xdn7 + + vpermdi $xcn5,$xcn4,$xcn6,0b00 + vpermdi $xcn7,$xcn4,$xcn6,0b11 + vpermdi $xcn4,$xr0,$xt1,0b00 + vpermdi $xcn6,$xr0,$xt1,0b11 + vpermdi $xdn5,$xdn4,$xdn6,0b00 + vpermdi $xdn7,$xdn4,$xdn6,0b11 + vpermdi $xdn4,$xt2,$xt3,0b00 + vpermdi $xdn6,$xt2,$xt3,0b11 + + vspltisw $xr0,8 + vadduwm $CTR1,$CTR1,$xr0 # next counter value + vxxlor $xv5 ,$CTR1,$CTR1 #CTR+4-> 5 + + vadduwm $xan0,$xa4,@K[0] + vadduwm $xbn0,$xb4,@K[1] + vadduwm $xcn0,$xcn4,@K[2] + vadduwm $xdn0,$xdn4,@K[3] + + be?vperm $xan0,$xa4,$xa4,$beperm + be?vperm $xbn0,$xb4,$xb4,$beperm + be?vperm $xcn0,$xcn4,$xcn4,$beperm + be?vperm $xdn0,$xdn4,$xdn4,$beperm + + ${UCMP}i $len,0x40 + blt Ltail_vsx_8x_1 + + lvx_4w $xr0,$x00,$inp + lvx_4w $xt1,$x10,$inp + lvx_4w 
$xt2,$x20,$inp + lvx_4w $xt3,$x30,$inp + + vxor $xr0,$xr0,$xan0 + vxor $xt1,$xt1,$xbn0 + vxor $xt2,$xt2,$xcn0 + vxor $xt3,$xt3,$xdn0 + + stvx_4w $xr0,$x00,$out + stvx_4w $xt1,$x10,$out + addi $inp,$inp,0x40 + stvx_4w $xt2,$x20,$out + subi $len,$len,0x40 + stvx_4w $xt3,$x30,$out + addi $out,$out,0x40 + beq Ldone_vsx_8x + + vadduwm $xan0,$xa5,@K[0] + vadduwm $xbn0,$xb5,@K[1] + vadduwm $xcn0,$xcn5,@K[2] + vadduwm $xdn0,$xdn5,@K[3] + + be?vperm $xan0,$xan0,$xan0,$beperm + be?vperm $xbn0,$xbn0,$xbn0,$beperm + be?vperm $xcn0,$xcn0,$xcn0,$beperm + be?vperm $xdn0,$xdn0,$xdn0,$beperm + + ${UCMP}i $len,0x40 + blt Ltail_vsx_8x_1 + + lvx_4w $xr0,$x00,$inp + lvx_4w $xt1,$x10,$inp + lvx_4w $xt2,$x20,$inp + lvx_4w $xt3,$x30,$inp + + vxor $xr0,$xr0,$xan0 + vxor $xt1,$xt1,$xbn0 + vxor $xt2,$xt2,$xcn0 + vxor $xt3,$xt3,$xdn0 + + stvx_4w $xr0,$x00,$out + stvx_4w $xt1,$x10,$out + addi $inp,$inp,0x40 + stvx_4w $xt2,$x20,$out + subi $len,$len,0x40 + stvx_4w $xt3,$x30,$out + addi $out,$out,0x40 + beq Ldone_vsx_8x + + vadduwm $xan0,$xa6,@K[0] + vadduwm $xbn0,$xb6,@K[1] + vadduwm $xcn0,$xcn6,@K[2] + vadduwm $xdn0,$xdn6,@K[3] + + be?vperm $xan0,$xan0,$xan0,$beperm + be?vperm $xbn0,$xbn0,$xbn0,$beperm + be?vperm $xcn0,$xcn0,$xcn0,$beperm + be?vperm $xdn0,$xdn0,$xdn0,$beperm + + ${UCMP}i $len,0x40 + blt Ltail_vsx_8x_1 + + lvx_4w $xr0,$x00,$inp + lvx_4w $xt1,$x10,$inp + lvx_4w $xt2,$x20,$inp + lvx_4w $xt3,$x30,$inp + + vxor $xr0,$xr0,$xan0 + vxor $xt1,$xt1,$xbn0 + vxor $xt2,$xt2,$xcn0 + vxor $xt3,$xt3,$xdn0 + + stvx_4w $xr0,$x00,$out + stvx_4w $xt1,$x10,$out + addi $inp,$inp,0x40 + stvx_4w $xt2,$x20,$out + subi $len,$len,0x40 + stvx_4w $xt3,$x30,$out + addi $out,$out,0x40 + beq Ldone_vsx_8x + + vadduwm $xan0,$xa7,@K[0] + vadduwm $xbn0,$xb7,@K[1] + vadduwm $xcn0,$xcn7,@K[2] + vadduwm $xdn0,$xdn7,@K[3] + + be?vperm $xan0,$xan0,$xan0,$beperm + be?vperm $xbn0,$xbn0,$xbn0,$beperm + be?vperm $xcn0,$xcn0,$xcn0,$beperm + be?vperm $xdn0,$xdn0,$xdn0,$beperm + + ${UCMP}i $len,0x40 + blt Ltail_vsx_8x_1 + + 
lvx_4w $xr0,$x00,$inp + lvx_4w $xt1,$x10,$inp + lvx_4w $xt2,$x20,$inp + lvx_4w $xt3,$x30,$inp + + vxor $xr0,$xr0,$xan0 + vxor $xt1,$xt1,$xbn0 + vxor $xt2,$xt2,$xcn0 + vxor $xt3,$xt3,$xdn0 + + stvx_4w $xr0,$x00,$out + stvx_4w $xt1,$x10,$out + addi $inp,$inp,0x40 + stvx_4w $xt2,$x20,$out + subi $len,$len,0x40 + stvx_4w $xt3,$x30,$out + addi $out,$out,0x40 + beq Ldone_vsx_8x + + mtctr r0 + bne Loop_outer_vsx_8x + +Ldone_vsx_8x: + lwz r12,`$FRAME-4`($sp) # pull vrsave + li r10,`15+$LOCALS+64` + li r11,`31+$LOCALS+64` + $POP r0, `$FRAME+$LRSAVE`($sp) + mtspr 256,r12 # restore vrsave + lvx v24,r10,$sp + addi r10,r10,32 + lvx v25,r11,$sp + addi r11,r11,32 + lvx v26,r10,$sp + addi r10,r10,32 + lvx v27,r11,$sp + addi r11,r11,32 + lvx v28,r10,$sp + addi r10,r10,32 + lvx v29,r11,$sp + addi r11,r11,32 + lvx v30,r10,$sp + lvx v31,r11,$sp + mtlr r0 + addi $sp,$sp,$FRAME + blr + +.align 4 +Ltail_vsx_8x: + addi r11,$sp,$LOCALS + mtctr $len + stvx_4w $xa0,$x00,r11 # offload block to stack + stvx_4w $xb0,$x10,r11 + stvx_4w $xc0,$x20,r11 + stvx_4w $xd0,$x30,r11 + subi r12,r11,1 # prepare for *++ptr + subi $inp,$inp,1 + subi $out,$out,1 + bl Loop_tail_vsx_8x +Ltail_vsx_8x_1: + addi r11,$sp,$LOCALS + mtctr $len + stvx_4w $xan0,$x00,r11 # offload block to stack + stvx_4w $xbn0,$x10,r11 + stvx_4w $xcn0,$x20,r11 + stvx_4w $xdn0,$x30,r11 + subi r12,r11,1 # prepare for *++ptr + subi $inp,$inp,1 + subi $out,$out,1 + bl Loop_tail_vsx_8x + +Loop_tail_vsx_8x: + lbzu r6,1(r12) + lbzu r7,1($inp) + xor r6,r6,r7 + stbu r6,1($out) + bdnz Loop_tail_vsx_8x + + stvx_4w $K[0],$x00,r11 # wipe copy of the block + stvx_4w $K[0],$x10,r11 + stvx_4w $K[0],$x20,r11 + stvx_4w $K[0],$x30,r11 + + b Ldone_vsx_8x + .long 0 + .byte 0,12,0x04,1,0x80,0,5,0 + .long 0 +.size .ChaCha20_ctr32_vsx_8x,.-.ChaCha20_ctr32_vsx_8x +___ +}}} + + +$code.=<<___; +.align 5 +Lconsts: + mflr r0 + bcl 20,31,\$+4 + mflr r12 #vvvvv "distance between . 
and Lsigma + addi r12,r12,`64-8` + mtlr r0 + blr + .long 0 + .byte 0,12,0x14,0,0,0,0,0 + .space `64-9*4` +Lsigma: + .long 0x61707865,0x3320646e,0x79622d32,0x6b206574 + .long 1,0,0,0 + .long 2,0,0,0 + .long 3,0,0,0 + .long 4,0,0,0 +___ +$code.=<<___ if ($LITTLE_ENDIAN); + .long 0x0e0f0c0d,0x0a0b0809,0x06070405,0x02030001 + .long 0x0d0e0f0c,0x090a0b08,0x05060704,0x01020300 +___ +$code.=<<___ if (!$LITTLE_ENDIAN); # flipped words + .long 0x02030001,0x06070405,0x0a0b0809,0x0e0f0c0d + .long 0x01020300,0x05060704,0x090a0b08,0x0d0e0f0c +___ +$code.=<<___; + .long 0x61707865,0x61707865,0x61707865,0x61707865 + .long 0x3320646e,0x3320646e,0x3320646e,0x3320646e + .long 0x79622d32,0x79622d32,0x79622d32,0x79622d32 + .long 0x6b206574,0x6b206574,0x6b206574,0x6b206574 + .long 0,1,2,3 + .long 0x03020100,0x07060504,0x0b0a0908,0x0f0e0d0c +.asciz "ChaCha20 for PowerPC/AltiVec, CRYPTOGAMS by " +.align 2 +___ + +foreach (split("\n",$code)) { + s/\`([^\`]*)\`/eval $1/ge; + + # instructions prefixed with '?' are endian-specific and need + # to be adjusted accordingly... + if ($flavour !~ /le$/) { # big-endian + s/be\?// or + s/le\?/#le#/ or + s/\?lvsr/lvsl/ or + s/\?lvsl/lvsr/ or + s/\?(vperm\s+v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+)/$1$3$2$4/ or + s/vrldoi(\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9]+)/vsldoi$1$2$2 16-$3/; + } else { # little-endian + s/le\?// or + s/be\?/#be#/ or + s/\?([a-z]+)/$1/ or + s/vrldoi(\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9]+)/vsldoi$1$2$2 $3/; + } + + print $_,"\n"; +} + +close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/chacha/build.info b/crypto/chacha/build.info index e7159dc06..b8c0a7870 100644 --- a/crypto/chacha/build.info +++ b/crypto/chacha/build.info 
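Review bot: In the 8x routine the fourth block's big-endian byte swap reads from the wrong registers: after `vadduwm $xan0,$xa4,@K[0]` through `vadduwm $xdn0,$xdn4,@K[3]`, the four `be?vperm $xan0,$xa4,$xa4,$beperm` lines permute the pre-addition state $xa4/$xb4/$xcn4/$xdn4 and overwrite the key-added values in $xan0..$xdn0, whereas every other block in both routines uses the `be?vperm $xa0,$xa0,$xa0,$beperm` form. The `be?` lines are compiled out on little-endian, so this only matters if the P10 code is ever dispatched on a big-endian build, but there it yields a wrong keystream for that block and, because the rounds are invertible without the final feed-forward, a block whose output reveals the working state. `Ltail_vsx_8x` and `Ltail_vsx_8x_1` enter the byte loop with `bl Loop_tail_vsx_8x`, a link branch to a target that never returns; it is benign only because Ldone_vsx_8x reloads LR from the saved r0, and a plain `b` would state the intent. The comment on the 8x `$FRAME` (`# 8*16 is for v24-v31 offload`) does not account for the `9*16` in the expression; the extra 16 bytes is presumably the alignment slack consumed by the `li r10,15+$LOCALS+64` stvx addressing and should be named.
```perl
	vadduwm	$xdn0,$xdn4,@K[3]

	be?vperm $xan0,$xan0,$xan0,$beperm
	be?vperm $xbn0,$xbn0,$xbn0,$beperm
	be?vperm $xcn0,$xcn0,$xcn0,$beperm
	be?vperm $xdn0,$xdn0,$xdn0,$beperm
```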
@@ -10,9 +10,12 @@ IF[{- !$disabled{asm} -}] $CHACHAASM_s390x=chacha-s390x.S $CHACHAASM_armv4=chacha-armv4.S - $CHACHAASM_aarch64=chacha-armv8.S + $CHACHAASM_aarch64=chacha-armv8.S chacha-armv8-sve.S $CHACHAASM_ppc32=chacha_ppc.c chacha-ppc.s + IF[{- $target{sys_id} ne "AIX" -}] + $CHACHAASM_ppc32=chacha_ppc.c chacha-ppc.s chachap10-ppc.s + ENDIF $CHACHAASM_ppc64=$CHACHAASM_ppc32 $CHACHAASM_c64xplus=chacha-c64xplus.s @@ -29,10 +32,13 @@ SOURCE[../../libcrypto]=$CHACHAASM GENERATE[chacha-x86.S]=asm/chacha-x86.pl GENERATE[chacha-x86_64.s]=asm/chacha-x86_64.pl GENERATE[chacha-ppc.s]=asm/chacha-ppc.pl +GENERATE[chachap10-ppc.s]=asm/chachap10-ppc.pl GENERATE[chacha-armv4.S]=asm/chacha-armv4.pl INCLUDE[chacha-armv4.o]=.. GENERATE[chacha-armv8.S]=asm/chacha-armv8.pl +GENERATE[chacha-armv8-sve.S]=asm/chacha-armv8-sve.pl INCLUDE[chacha-armv8.o]=.. +INCLUDE[chacha-armv8-sve.o]=.. INCLUDE[chacha-s390x.o]=.. GENERATE[chacha-c64xplus.S]=asm/chacha-c64xplus.pl GENERATE[chacha-s390x.S]=asm/chacha-s390x.pl diff --git a/crypto/chacha/chacha_enc.c b/crypto/chacha/chacha_enc.c index c5d1d63d8..7cd43be8c 100644 --- a/crypto/chacha/chacha_enc.c +++ b/crypto/chacha/chacha_enc.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
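Review bot: The new `IF[{- $target{sys_id} ne "AIX" -}]` block re-assigns `$CHACHAASM_ppc32` right after the unconditional assignment on the line above, and nothing says why AIX keeps the old two-file list; a one-line comment before the `IF`, such as `# chachap10-ppc.s (Power10 VSX path) is not assembled on AIX; the matching #ifndef OPENSSL_SYS_AIX lives in chacha_ppc.c`, would record the coupling between this file and the runtime dispatch in `crypto/chacha/chacha_ppc.c`, which appears later in the same commit. Without that note the two places can drift apart and the result is either an unresolved `ChaCha20_ctr32_vsx_p10` at link time or a Power10 path that is never taken. The reason for the AIX exclusion itself is not visible here and is worth stating if it is a toolchain limitation.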
@@ -24,6 +24,28 @@ typedef union { # define ROTATE(v, n) (((v) << (n)) | ((v) >> (32 - (n)))) +# ifndef PEDANTIC +# if defined(__GNUC__) && __GNUC__>=2 && \ + !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) +# if defined(__riscv_zbb) || defined(__riscv_zbkb) +# if __riscv_xlen == 64 +# undef ROTATE +# define ROTATE(x, n) ({ u32 ret; \ + asm ("roriw %0, %1, %2" \ + : "=r"(ret) \ + : "r"(x), "i"(32 - (n))); ret;}) +# endif +# if __riscv_xlen == 32 +# undef ROTATE +# define ROTATE(x, n) ({ u32 ret; \ + asm ("rori %0, %1, %2" \ + : "=r"(ret) \ + : "r"(x), "i"(32 - (n))); ret;}) +# endif +# endif +# endif +# endif + # define U32TO8_LITTLE(p, v) do { \ (p)[0] = (u8)(v >> 0); \ (p)[1] = (u8)(v >> 8); \ diff --git a/crypto/chacha/chacha_ppc.c b/crypto/chacha/chacha_ppc.c index 5319040cc..05d8cf100 100644 --- a/crypto/chacha/chacha_ppc.c +++ b/crypto/chacha/chacha_ppc.c @@ -1,5 +1,5 @@ /* - * Copyright 2009-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
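Review bot: The immediate `32 - (n)` in both new ROTATE definitions is unexplained: `rori`/`roriw` rotate right while ROTATE is a left rotate, so a one-line comment above the first `#undef ROTATE`, `/* rori/roriw rotate right: a left rotate by n is a right rotate by 32-n; the "i" constraint requires n to be a compile-time constant */`, would save the next reader a trip to the ISA manual. That constraint also means a future caller passing a non-constant `n` fails to compile, which is worth stating since the generic `ROTATE` at the top of the hunk accepts any expression. On RV64 `roriw` sign-extends its 32-bit result into the register; assigning to `u32 ret` truncates that away so the value is correct, but a short note there would pre-empt the question.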
@@ -23,13 +23,20 @@ void ChaCha20_ctr32_vmx(unsigned char *out, const unsigned char *inp, void ChaCha20_ctr32_vsx(unsigned char *out, const unsigned char *inp, size_t len, const unsigned int key[8], const unsigned int counter[4]); +void ChaCha20_ctr32_vsx_p10(unsigned char *out, const unsigned char *inp, + size_t len, const unsigned int key[8], + const unsigned int counter[4]); void ChaCha20_ctr32(unsigned char *out, const unsigned char *inp, size_t len, const unsigned int key[8], const unsigned int counter[4]) { - OPENSSL_ppccap_P & PPC_CRYPTO207 - ? ChaCha20_ctr32_vsx(out, inp, len, key, counter) - : OPENSSL_ppccap_P & PPC_ALTIVEC - ? ChaCha20_ctr32_vmx(out, inp, len, key, counter) - : ChaCha20_ctr32_int(out, inp, len, key, counter); +#ifndef OPENSSL_SYS_AIX + OPENSSL_ppccap_P & PPC_BRD31 + ? ChaCha20_ctr32_vsx_p10(out, inp, len, key, counter) : +#endif + OPENSSL_ppccap_P & PPC_CRYPTO207 + ? ChaCha20_ctr32_vsx(out, inp, len, key, counter) + : OPENSSL_ppccap_P & PPC_ALTIVEC + ? ChaCha20_ctr32_vmx(out, inp, len, key, counter) + : ChaCha20_ctr32_int(out, inp, len, key, counter); } diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c index 22ae7d07e..093ee8913 100644 --- a/crypto/cmp/cmp_client.c +++ b/crypto/cmp/cmp_client.c @@ -11,7 +11,7 @@ #include "cmp_local.h" #include "internal/cryptlib.h" -#include "e_os.h" /* ossl_sleep() */ +#include "internal/e_os.h" /* ossl_sleep() */ /* explicit #includes not strictly needed since implied by the above: */ #include 
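Review bot: The `#ifndef OPENSSL_SYS_AIX` around the first arm of the `?:` chain silently depends on `crypto/chacha/build.info` only assembling `chachap10-ppc.s` when `$target{sys_id} ne "AIX"`; neither side says so, and a mismatch is a link error on one platform or a dead dispatch on the other, so add `/* chachap10-ppc.s is only built for non-AIX targets, see build.info */` above the `#ifndef`. Splitting one conditional expression across a preprocessor block is also hard to read; an `if (OPENSSL_ppccap_P & PPC_BRD31) ChaCha20_ctr32_vsx_p10(...); else if (...)` chain would let the `#ifndef` wrap a whole statement. `PPC_BRD31` is used here as a proxy for everything the Power10 routine needs; if that is the intent a comment should say so, since the bit name only advertises one instruction.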
@@ -493,18 +493,46 @@ int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info, if (fail_info != 0) /* accept any error flagged by CMP core library */ return fail_info; - ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert"); - chain = X509_build_chain(cert, ctx->untrusted, out_trusted /* maybe NULL */, - 0, ctx->libctx, ctx->propq); + if (out_trusted == NULL) { + ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert"); + chain = X509_build_chain(cert, ctx->untrusted, out_trusted, + 0, ctx->libctx, ctx->propq); + } else { + X509_STORE_CTX *csc = X509_STORE_CTX_new_ex(ctx->libctx, ctx->propq); + + ossl_cmp_debug(ctx, "validating newly enrolled cert"); + if (csc == NULL) + goto err; + if (!X509_STORE_CTX_init(csc, out_trusted, cert, ctx->untrusted)) + goto err; + /* disable any cert status/revocation checking etc. */ + X509_VERIFY_PARAM_clear_flags(X509_STORE_CTX_get0_param(csc), + ~(X509_V_FLAG_USE_CHECK_TIME + | X509_V_FLAG_NO_CHECK_TIME + | X509_V_FLAG_PARTIAL_CHAIN + | X509_V_FLAG_POLICY_CHECK)); + if (X509_verify_cert(csc) <= 0) + goto err; + + if (!ossl_x509_add_certs_new(&chain, X509_STORE_CTX_get0_chain(csc), + X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP + | X509_ADD_FLAG_NO_SS)) { + sk_X509_free(chain); + chain = NULL; + } + err: + X509_STORE_CTX_free(csc); + } + if (sk_X509_num(chain) > 0) X509_free(sk_X509_shift(chain)); /* remove leaf (EE) cert */ if (out_trusted != NULL) { if (chain == NULL) { - ossl_cmp_err(ctx, "failed building chain for newly enrolled cert"); + ossl_cmp_err(ctx, "failed to validate newly enrolled cert"); fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData; } else { ossl_cmp_debug(ctx, - "succeeded building proper chain for newly enrolled cert"); + "success validating newly enrolled cert"); } } else if (chain == NULL) { ossl_cmp_warn(ctx, "could not build approximate chain for newly enrolled cert, resorting to received extraCerts"); 
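Review bot: The new `else` branch can reach `sk_X509_num(chain)` via `goto err` without ever assigning `chain`, so this is only safe if `chain` is initialised to NULL at its declaration, which is outside the hunk; please confirm, or set `chain = NULL;` before the `if (out_trusted == NULL)`. When `X509_verify_cert(csc) <= 0` the verification reason is dropped and the peer only sees `incorrectData`; logging it, e.g. `ossl_cmp_err(ctx, X509_verify_cert_error_string(X509_STORE_CTX_get_error(csc)));`, would make enrolment failures against a misconfigured trust store diagnosable. The `X509_VERIFY_PARAM_clear_flags` call with a negated mask clears every flag except the four listed, which is more than the "cert status/revocation checking" the comment names (`X509_V_FLAG_X509_STRICT`, for instance); the comment should state that all other flags are cleared deliberately. The enclosing `OSSL_CMP_certConf_cb` starts and ends outside the hunk.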
diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c index 4b610b746..a83f9c68a 100644 --- a/crypto/cmp/cmp_ctx.c +++ b/crypto/cmp/cmp_ctx.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -882,7 +882,7 @@ int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx, /* Set the proxy server to use for HTTP(S) connections */ DEFINE_OSSL_CMP_CTX_set1(proxy, char) -/* Set the (HTTP) host name of the CMP server */ +/* Set the (HTTP) hostname of the CMP server */ DEFINE_OSSL_CMP_CTX_set1(server, char) /* Set the server exclusion list of the HTTP proxy server */ diff --git a/crypto/cmp/cmp_http.c b/crypto/cmp/cmp_http.c index d29bfa867..7c2e04868 100644 --- a/crypto/cmp/cmp_http.c +++ b/crypto/cmp/cmp_http.c @@ -25,7 +25,6 @@ #include #include #include -#include #include static int keep_alive(int keep_alive, int body_type) diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h index 3da021043..6692793d6 100644 --- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -78,7 +78,7 @@ struct ossl_cmp_ctx_st { X509 *cert; /* protection cert used to identify and sign for MSG_SIG_ALG */ STACK_OF(X509) *chain; /* (cached) chain of protection cert including it */ EVP_PKEY *pkey; /* the key pair corresponding to cert */ - ASN1_OCTET_STRING *referenceValue; /* optional user name for MSG_MAC_ALG */ + ASN1_OCTET_STRING *referenceValue; /* optional username for MSG_MAC_ALG */ ASN1_OCTET_STRING *secretValue; /* password/shared secret for MSG_MAC_ALG */ /* PBMParameters for MSG_MAC_ALG */ size_t pbm_slen; /* salt length, currently fixed to 16 */ 
diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c index 946c32c45..4dbd61b7c 100644 --- a/crypto/cmp/cmp_server.c +++ b/crypto/cmp/cmp_server.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * diff --git a/crypto/cmp/cmp_status.c b/crypto/cmp/cmp_status.c index bfe6cd990..41a6e77fd 100644 --- a/crypto/cmp/cmp_status.c +++ b/crypto/cmp/cmp_status.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c index 99cd56cb0..52b18dd86 100644 --- a/crypto/cmp/cmp_vfy.c +++ b/crypto/cmp/cmp_vfy.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2020 * Copyright Siemens AG 2015-2020 * @@ -599,7 +599,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg) break; } ossl_cmp_debug(ctx, - "sucessfully validated PBM-based CMP message protection"); + "successfully validated PBM-based CMP message protection"); return 1; } ossl_cmp_warn(ctx, "verifying PBM-based CMP message protection failed"); @@ -630,7 +630,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg) /* use ctx->srvCert for signature check even if not acceptable */ if (verify_signature(ctx, msg, scrt)) { ossl_cmp_debug(ctx, - "sucessfully validated signature-based CMP message protection"); + "successfully validated signature-based CMP message protection"); return 1; } 
@@ -648,7 +648,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg) * Any msg->extraCerts are prepended to ctx->untrusted. * * Ensures that: - * its sender is of appropriate type (curently only X509_NAME) and + * its sender is of appropriate type (currently only X509_NAME) and * matches any expected sender or srvCert subject given in the ctx * it has a valid body type * its protection is valid (or invalid/absent, but only if a callback function diff --git a/crypto/cms/cms_asn1.c b/crypto/cms/cms_asn1.c index 72cd14317..ebbc8e1bc 100644 --- a/crypto/cms/cms_asn1.c +++ b/crypto/cms/cms_asn1.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -304,7 +304,7 @@ static int cms_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, case ASN1_OP_STREAM_PRE: if (CMS_stream(&sarg->boundary, cms) <= 0) return 0; - /* fall thru */ + /* fall through */ case ASN1_OP_DETACHED_PRE: sarg->ndef_bio = CMS_dataInit(cms, sarg->out); if (!sarg->ndef_bio) diff --git a/crypto/cms/cms_ec.c b/crypto/cms/cms_ec.c index 8ecf730aa..1ff83d36a 100644 --- a/crypto/cms/cms_ec.c +++ b/crypto/cms/cms_ec.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -346,7 +346,7 @@ static int ecdh_cms_encrypt(CMS_RecipientInfo *ri) penclen = CMS_SharedInfo_encode(&penc, wrap_alg, ukm, keylen); - if (penclen == 0) + if (penclen <= 0) goto err; if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, penc, penclen) <= 0) 
@@ -388,26 +388,3 @@ int ossl_cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt) ERR_raise(ERR_LIB_CMS, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); return 0; } - -/* ECDSA and DSA implementation is the same */ -int ossl_cms_ecdsa_dsa_sign(CMS_SignerInfo *si, int verify) -{ - assert(verify == 0 || verify == 1); - - if (verify == 0) { - int snid, hnid; - X509_ALGOR *alg1, *alg2; - EVP_PKEY *pkey = si->pkey; - - CMS_SignerInfo_get0_algs(si, NULL, NULL, &alg1, &alg2); - if (alg1 == NULL || alg1->algorithm == NULL) - return -1; - hnid = OBJ_obj2nid(alg1->algorithm); - if (hnid == NID_undef) - return -1; - if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_get_id(pkey))) - return -1; - X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); - } - return 1; -} diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index 51a1d7df8..3105d3772 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -138,7 +138,7 @@ int ossl_cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd) return 1; } -CMS_EncryptedContentInfo* ossl_cms_get0_env_enc_content(const CMS_ContentInfo *cms) +CMS_EncryptedContentInfo *ossl_cms_get0_env_enc_content(const CMS_ContentInfo *cms) { switch (cms_get_enveloped_type(cms)) { case CMS_ENVELOPED_STANDARD: diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c index 1fd542d23..cbe0370ad 100644 --- a/crypto/cms/cms_lib.c +++ b/crypto/cms/cms_lib.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -14,7 +14,6 @@ #include #include #include -#include #include "internal/sizes.h" #include "crypto/x509.h" #include "cms_local.h" @@ -432,7 +431,7 @@ BIO *ossl_cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm, (void)ERR_pop_to_mark(); mdbio = BIO_new(BIO_f_md()); - if (mdbio == NULL || !BIO_set_md(mdbio, digest)) { + if (mdbio == NULL || BIO_set_md(mdbio, digest) <= 0) { ERR_raise(ERR_LIB_CMS, CMS_R_MD_BIO_INIT_ERROR); goto err; } @@ -615,11 +614,12 @@ int CMS_add0_crl(CMS_ContentInfo *cms, X509_CRL *crl) int CMS_add1_crl(CMS_ContentInfo *cms, X509_CRL *crl) { - int r; - r = CMS_add0_crl(cms, crl); - if (r > 0) - X509_CRL_up_ref(crl); - return r; + if (!X509_CRL_up_ref(crl)) + return 0; + if (CMS_add0_crl(cms, crl)) + return 1; + X509_CRL_free(crl); + return 0; } STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms) diff --git a/crypto/cms/cms_local.h b/crypto/cms/cms_local.h index 15b4a29ce..2f9b8e39a 100644 --- a/crypto/cms/cms_local.h +++ b/crypto/cms/cms_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
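Review bot: `CMS_add1_crl` now dereferences `crl` unconditionally through `X509_CRL_up_ref(crl)` before `CMS_add0_crl` can reject it; if callers previously relied on `CMS_add0_crl` failing cleanly on a NULL CRL, this is a new crash path, so a guard `if (crl == NULL) { ERR_raise(ERR_LIB_CMS, ERR_R_PASSED_NULL_PARAMETER); return 0; }` is cheap insurance. The reference handling itself is right: the reference is taken first and dropped again with `X509_CRL_free` on failure, so ownership no longer depends on `CMS_add0_crl`'s return code. A comment stating that, `/* take our own reference first; on failure drop it again */`, would document the ordering for the next edit.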
@@ -479,7 +479,6 @@ int ossl_cms_check_signing_certs(const CMS_SignerInfo *si, int ossl_cms_dh_envelope(CMS_RecipientInfo *ri, int decrypt); int ossl_cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt); int ossl_cms_rsa_envelope(CMS_RecipientInfo *ri, int decrypt); -int ossl_cms_ecdsa_dsa_sign(CMS_SignerInfo *si, int verify); int ossl_cms_rsa_sign(CMS_SignerInfo *si, int verify); DECLARE_ASN1_ITEM(CMS_CertificateChoices) diff --git a/crypto/cms/cms_rsa.c b/crypto/cms/cms_rsa.c index 997567fdb..a95975901 100644 --- a/crypto/cms/cms_rsa.c +++ b/crypto/cms/cms_rsa.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index 34c021bba..fcaffea00 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -227,19 +227,50 @@ int ossl_cms_SignerIdentifier_cert_cmp(CMS_SignerIdentifier *sid, X509 *cert) return -1; } +/* Method to map any, incl. provider-implemented PKEY types to OIDs */ +/* ECDSA and DSA and all provider-delivered signatures implementation is the same */ +static int cms_generic_sign(CMS_SignerInfo *si, int verify) +{ + if (!ossl_assert(verify == 0 || verify == 1)) + return -1; + + if (!verify) { + int snid, hnid, pknid; + X509_ALGOR *alg1, *alg2; + EVP_PKEY *pkey = si->pkey; + pknid = EVP_PKEY_get_id(pkey); + + CMS_SignerInfo_get0_algs(si, NULL, NULL, &alg1, &alg2); + if (alg1 == NULL || alg1->algorithm == NULL) + return -1; + hnid = OBJ_obj2nid(alg1->algorithm); + if (hnid == NID_undef) + return -1; + if (pknid <= 0) { /* check whether a provider registered a NID */ + const char *typename = EVP_PKEY_get0_type_name(pkey); + if (typename != NULL) + pknid = OBJ_txt2nid(typename); + } + if (!OBJ_find_sigid_by_algs(&snid, hnid, pknid)) + return -1; + return X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, NULL); + } + return 1; +} + static int cms_sd_asn1_ctrl(CMS_SignerInfo *si, int cmd) { EVP_PKEY *pkey = si->pkey; int i; if (EVP_PKEY_is_a(pkey, "DSA") || EVP_PKEY_is_a(pkey, "EC")) - return ossl_cms_ecdsa_dsa_sign(si, cmd); + return cms_generic_sign(si, cmd); else if (EVP_PKEY_is_a(pkey, "RSA") || EVP_PKEY_is_a(pkey, "RSA-PSS")) return ossl_cms_rsa_sign(si, cmd); - /* Something else? We'll give engines etc a chance to handle this */ + /* Now give engines, providers, etc a chance to handle this */ if (pkey->ameth == NULL || pkey->ameth->pkey_ctrl == NULL) - return 1; + return cms_generic_sign(si, cmd); i = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_CMS_SIGN, cmd, si); if (i == -2) { ERR_raise(ERR_LIB_CMS, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c index d17df31dd..479038d57 100644 --- a/crypto/cms/cms_smime.c +++ b/crypto/cms/cms_smime.c 
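Review bot: `cms_generic_sign` now returns whatever `X509_ALGOR_set0` returns, i.e. 0 on failure, where the removed `ossl_cms_ecdsa_dsa_sign` ignored that result and returned 1; `cms_sd_asn1_ctrl` forwards the value, so its callers (outside the hunk) must treat 0 as failure for this to help. The fallback at the bottom, `return cms_generic_sign(si, cmd)` in place of `return 1`, means provider or engine keys for which `OBJ_find_sigid_by_algs` knows no OID now fail signing instead of silently leaving `alg2` unset; that is the safer default, but it is a behaviour change that the comment above it should mention. Style: the two stacked one-line comments above the function should be one block comment, and `pknid = EVP_PKEY_get_id(pkey);` follows the declarations without the blank line the rest of the file uses. `OBJ_txt2nid(typename)` returning `NID_undef` is only handled implicitly by the following lookup failing; a short comment would make that explicit.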
@@ -1,5 +1,5 @@ /* - * Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -701,14 +701,21 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert) int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, X509 *peer) { - STACK_OF(CMS_RecipientInfo) *ris; + STACK_OF(CMS_RecipientInfo) *ris = CMS_get0_RecipientInfos(cms); CMS_RecipientInfo *ri; int i, r, cms_pkey_ri_type; int debug = 0, match_ri = 0; + CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cms); - ris = CMS_get0_RecipientInfos(cms); - if (ris != NULL) - debug = ossl_cms_get0_env_enc_content(cms)->debug; + /* Prevent mem leak on earlier CMS_decrypt_set1_{pkey_and_peer,password} */ + if (ec != NULL) { + OPENSSL_clear_free(ec->key, ec->keylen); + ec->key = NULL; + ec->keylen = 0; + } + + if (ris != NULL && ec != NULL) + debug = ec->debug; cms_pkey_ri_type = ossl_cms_pkey_get_ri_type(pk); if (cms_pkey_ri_type == CMS_RECIPINFO_NONE) { @@ -731,11 +738,8 @@ int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, if (r < 0) return 0; } - /* - * If we have a cert try matching RecipientInfo otherwise try them - * all. - */ - else if (cert == NULL|| !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) { + /* If we have a cert, try matching RecipientInfo, else try them all */ + else if (cert == NULL || !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) { EVP_PKEY_up_ref(pk); CMS_RecipientInfo_set0_pkey(ri, pk); r = CMS_RecipientInfo_decrypt(cms, ri); @@ -772,7 +776,8 @@ int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, return 1; } - ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT); + if (!match_ri) + ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT); return 0; } 
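Review bot: The `if (!match_ri)` guard around `CMS_R_NO_MATCHING_RECIPIENT` means that when a recipient matched but `CMS_RecipientInfo_decrypt` failed, the function returns 0 carrying only whatever that call put on the error queue; if, as elsewhere in CMS, the non-debug path deliberately hides key-transport failures, please confirm every failing path still raises something, otherwise callers get 0 with an empty queue. The new `OPENSSL_clear_free(ec->key, ec->keylen)` block matters beyond the leak the comment names: it wipes a content-encryption key recovered by an earlier call before a second attempt overwrites the pointer, so the comment should say so, e.g. `/* Wipe and drop any CEK recovered by an earlier CMS_decrypt_set1_* call so it is neither leaked nor left in memory */`. The `debug` lookup now tolerates `ec == NULL`, unlike the replaced unconditional dereference, which is an improvement.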
@@ -783,7 +788,7 @@ int CMS_decrypt_set1_key(CMS_ContentInfo *cms, { STACK_OF(CMS_RecipientInfo) *ris; CMS_RecipientInfo *ri; - int i, r; + int i, r, match_ri = 0; ris = CMS_get0_RecipientInfos(cms); for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) { @@ -791,11 +796,10 @@ int CMS_decrypt_set1_key(CMS_ContentInfo *cms, if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_KEK) continue; - /* - * If we have an id try matching RecipientInfo otherwise try them - * all. - */ - if (id == NULL || (CMS_RecipientInfo_kekri_id_cmp(ri, id, idlen) == 0)) { + /* If we have an id, try matching RecipientInfo, else try them all */ + if (id == NULL + || (CMS_RecipientInfo_kekri_id_cmp(ri, id, idlen) == 0)) { + match_ri = 1; CMS_RecipientInfo_set0_key(ri, key, keylen); r = CMS_RecipientInfo_decrypt(cms, ri); CMS_RecipientInfo_set0_key(ri, NULL, 0); @@ -809,7 +813,8 @@ int CMS_decrypt_set1_key(CMS_ContentInfo *cms, } } - ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT); + if (!match_ri) + ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT); return 0; } 
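Review bot: `CMS_decrypt_set1_key` does not receive the `OPENSSL_clear_free(ec->key, ec->keylen)` reset that this commit adds to `CMS_decrypt_set1_pkey_and_peer` and `CMS_decrypt_set1_password`, although it also drives `CMS_RecipientInfo_decrypt`; if the KEK unwrap path stores the recovered key in `ec->key` the same way, a successful `set1_pkey` followed by `set1_key` still leaks, and leaves in memory, the first key. The same three lines, or a shared static helper, should run at the top of this function as well. As in the sibling functions, `match_ri` now suppresses `CMS_R_NO_MATCHING_RECIPIENT` whenever an id matched, so a matching-but-failed unwrap reports only what `CMS_RecipientInfo_decrypt` raised.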
@@ -817,15 +822,25 @@ int CMS_decrypt_set1_key(CMS_ContentInfo *cms, int CMS_decrypt_set1_password(CMS_ContentInfo *cms, unsigned char *pass, ossl_ssize_t passlen) { - STACK_OF(CMS_RecipientInfo) *ris; + STACK_OF(CMS_RecipientInfo) *ris = CMS_get0_RecipientInfos(cms); CMS_RecipientInfo *ri; - int i, r; + int i, r, match_ri = 0; + CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cms); + + /* Prevent mem leak on earlier CMS_decrypt_set1_{pkey_and_peer,password} */ + if (ec != NULL) { + OPENSSL_clear_free(ec->key, ec->keylen); + ec->key = NULL; + ec->keylen = 0; + } - ris = CMS_get0_RecipientInfos(cms); for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) { ri = sk_CMS_RecipientInfo_value(ris, i); if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_PASS) continue; + + /* Must try each PasswordRecipientInfo */ + match_ri = 1; CMS_RecipientInfo_set0_password(ri, pass, passlen); r = CMS_RecipientInfo_decrypt(cms, ri); CMS_RecipientInfo_set0_password(ri, NULL, 0); @@ -833,7 +848,8 @@ int CMS_decrypt_set1_password(CMS_ContentInfo *cms, return 1; } - ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT); + if (!match_ri) + ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_RECIPIENT); return 0; } @@ -843,7 +859,7 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, { int r; BIO *cont; - + CMS_EncryptedContentInfo *ec; int nid = OBJ_obj2nid(CMS_get0_type(cms)); if (nid != NID_pkcs7_enveloped 
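Review bot: The block `OPENSSL_clear_free(ec->key, ec->keylen); ec->key = NULL; ec->keylen = 0;` is now duplicated verbatim in two functions of this file and absent from a third (`CMS_decrypt_set1_key`); a small `static void cms_clear_env_key(CMS_ContentInfo *cms)` holding the `ossl_cms_get0_env_enc_content` lookup and those three lines would keep the key wipe in one place. Setting `match_ri = 1` unconditionally in the PWRI loop means the flag only records that a PasswordRecipientInfo exists, not that the password fit; the comment `/* Must try each PasswordRecipientInfo */` should say that, since the error reported at the end depends on it. The `CMS_decrypt` hunk that follows only adds the `ec` declaration; that function continues outside this hunk.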
@@ -853,14 +869,9 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, } if (dcont == NULL && !check_content(cms)) return 0; - if (flags & CMS_DEBUG_DECRYPT) - ossl_cms_get0_env_enc_content(cms)->debug = 1; - else - ossl_cms_get0_env_enc_content(cms)->debug = 0; - if (cert == NULL) - ossl_cms_get0_env_enc_content(cms)->havenocert = 1; - else - ossl_cms_get0_env_enc_content(cms)->havenocert = 0; + ec = ossl_cms_get0_env_enc_content(cms); + ec->debug = (flags & CMS_DEBUG_DECRYPT) != 0; + ec->havenocert = cert == NULL; if (pk == NULL && cert == NULL && dcont == NULL && out == NULL) return 1; if (pk != NULL && !CMS_decrypt_set1_pkey(cms, pk, cert)) diff --git a/crypto/conf/conf_api.c b/crypto/conf/conf_api.c index 7a4efe6db..5b1bf0e78 100644 --- a/crypto/conf/conf_api.c +++ b/crypto/conf/conf_api.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -9,7 +9,7 @@ /* Part of the code in here was originally in conf.c, which is now removed */ -#include "e_os.h" +#include "internal/e_os.h" #include "internal/cryptlib.h" #include #include diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c index b5d6668f4..a6aaf9d27 100644 --- a/crypto/conf/conf_def.c +++ b/crypto/conf/conf_def.c @@ -11,7 +11,7 @@ #include #include -#include "e_os.h" /* struct stat */ +#include "internal/e_os.h" /* struct stat */ #ifdef __TANDEM # include /* needed for stat.h */ # include /* struct stat */ diff --git a/crypto/conf/conf_lib.c b/crypto/conf/conf_lib.c index a23600352..1766facd6 100644 --- a/crypto/conf/conf_lib.c +++ b/crypto/conf/conf_lib.c 
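Review bot: `ec->debug` and `ec->havenocert` are written through the result of `ossl_cms_get0_env_enc_content(cms)` without a NULL check, while `CMS_decrypt_set1_pkey_and_peer` and `CMS_decrypt_set1_password` in the same file guard the same lookup with `if (ec != NULL)`. The preceding `nid` check presumably guarantees enveloped content here so a NULL is unlikely, but `if (ec == NULL) return 0;` after the assignment costs nothing and keeps the three functions consistent. The boolean assignments `(flags & CMS_DEBUG_DECRYPT) != 0` and `cert == NULL` are clearer than the replaced if/else pairs.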
@@ -1,5 +1,5 @@ /* - * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "e_os.h" +#include "internal/e_os.h" #include #include #include "internal/conf.h" diff --git a/crypto/context.c b/crypto/context.c index 548665fba..c6358afc8 100644 --- a/crypto/context.c +++ b/crypto/context.c 
@@ -14,34 +14,35 @@ #include "internal/core.h" #include "internal/bio.h" #include "internal/provider.h" -#include "crypto/ctype.h" -#include "crypto/rand.h" - -struct ossl_lib_ctx_onfree_list_st { - ossl_lib_ctx_onfree_fn *fn; - struct ossl_lib_ctx_onfree_list_st *next; -}; +#include "crypto/context.h" struct ossl_lib_ctx_st { - CRYPTO_RWLOCK *lock; - CRYPTO_EX_DATA data; - - /* - * For most data in the OSSL_LIB_CTX we just use ex_data to store it. But - * that doesn't work for ex_data itself - so we store that directly. - */ + CRYPTO_RWLOCK *lock, *rand_crngt_lock; OSSL_EX_DATA_GLOBAL global; - /* Map internal static indexes to dynamically created indexes */ - int dyn_indexes[OSSL_LIB_CTX_MAX_INDEXES]; - - /* Keep a separate lock for each index */ - CRYPTO_RWLOCK *index_locks[OSSL_LIB_CTX_MAX_INDEXES]; + void *property_string_data; + void *evp_method_store; + void *provider_store; + void *namemap; + void *property_defns; + void *global_properties; + void *drbg; + void *drbg_nonce; +#ifndef FIPS_MODULE + void *provider_conf; + void *bio_core; + void *child_provider; + OSSL_METHOD_STORE *decoder_store; + OSSL_METHOD_STORE *encoder_store; + OSSL_METHOD_STORE *store_loader_store; + void *self_test_cb; +#endif + void *rand_crngt; +#ifdef FIPS_MODULE + void *thread_event_handler; + void *fips_prov; +#endif - CRYPTO_RWLOCK *oncelock; - int run_once_done[OSSL_LIB_CTX_MAX_RUN_ONCE]; - int run_once_ret[OSSL_LIB_CTX_MAX_RUN_ONCE]; - struct ossl_lib_ctx_onfree_list_st *onfreelist; unsigned int ischild:1; }; 
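Review bot: `evp_method_store` is declared `void *` while `decoder_store`, `encoder_store` and `store_loader_store` are typed `OSSL_METHOD_STORE *`, yet all four are created by `ossl_method_store_new` later in this commit; declaring it `OSSL_METHOD_STORE *evp_method_store;` lets the compiler catch a mismatched free and documents the field. The remaining `void *` members would each benefit from a trailing comment naming the concrete type and the `ossl_*_new` function that fills them, since the type information that used to live in the per-index `OSSL_LIB_CTX_METHOD` tables is gone. `CRYPTO_RWLOCK *lock, *rand_crngt_lock;` should be two declarations, each with a comment on what it protects; the second lock exists precisely because the two have different roles.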
@@ -69,75 +70,258 @@ int ossl_lib_ctx_is_child(OSSL_LIB_CTX *ctx) return ctx->ischild; } +static void context_deinit_objs(OSSL_LIB_CTX *ctx); + static int context_init(OSSL_LIB_CTX *ctx) { - size_t i; int exdata_done = 0; ctx->lock = CRYPTO_THREAD_lock_new(); if (ctx->lock == NULL) return 0; - ctx->oncelock = CRYPTO_THREAD_lock_new(); - if (ctx->oncelock == NULL) + ctx->rand_crngt_lock = CRYPTO_THREAD_lock_new(); + if (ctx->rand_crngt_lock == NULL) goto err; - for (i = 0; i < OSSL_LIB_CTX_MAX_INDEXES; i++) { - ctx->index_locks[i] = CRYPTO_THREAD_lock_new(); - ctx->dyn_indexes[i] = -1; - if (ctx->index_locks[i] == NULL) - goto err; - } - - /* OSSL_LIB_CTX is built on top of ex_data so we initialise that directly */ + /* Initialize ex_data. */ if (!ossl_do_ex_data_init(ctx)) goto err; exdata_done = 1; - if (!ossl_crypto_new_ex_data_ex(ctx, CRYPTO_EX_INDEX_OSSL_LIB_CTX, NULL, - &ctx->data)) + /* P2. We want evp_method_store to be cleaned up before the provider store */ + ctx->evp_method_store = ossl_method_store_new(ctx); + if (ctx->evp_method_store == NULL) + goto err; + +#ifndef FIPS_MODULE + /* P2. Must be freed before the provider store is freed */ + ctx->provider_conf = ossl_prov_conf_ctx_new(ctx); + if (ctx->provider_conf == NULL) + goto err; +#endif + + /* P2. */ + ctx->drbg = ossl_rand_ctx_new(ctx); + if (ctx->drbg == NULL) + goto err; + +#ifndef FIPS_MODULE + /* P2. We want decoder_store to be cleaned up before the provider store */ + ctx->decoder_store = ossl_method_store_new(ctx); + if (ctx->decoder_store == NULL) + goto err; + + /* P2. We want encoder_store to be cleaned up before the provider store */ + ctx->encoder_store = ossl_method_store_new(ctx); + if (ctx->encoder_store == NULL) goto err; + /* P2. We want loader_store to be cleaned up before the provider store */ + ctx->store_loader_store = ossl_method_store_new(ctx); + if (ctx->store_loader_store == NULL) + goto err; +#endif + + /* P1. 
Needs to be freed before the child provider data is freed */ + ctx->provider_store = ossl_provider_store_new(ctx); + if (ctx->provider_store == NULL) + goto err; + + /* Default priority. */ + ctx->property_string_data = ossl_property_string_data_new(ctx); + if (ctx->property_string_data == NULL) + goto err; + + ctx->namemap = ossl_stored_namemap_new(ctx); + if (ctx->namemap == NULL) + goto err; + + ctx->property_defns = ossl_property_defns_new(ctx); + if (ctx->property_defns == NULL) + goto err; + + ctx->global_properties = ossl_ctx_global_properties_new(ctx); + if (ctx->global_properties == NULL) + goto err; + +#ifndef FIPS_MODULE + ctx->bio_core = ossl_bio_core_globals_new(ctx); + if (ctx->bio_core == NULL) + goto err; +#endif + + ctx->drbg_nonce = ossl_prov_drbg_nonce_ctx_new(ctx); + if (ctx->drbg_nonce == NULL) + goto err; + +#ifndef FIPS_MODULE + ctx->self_test_cb = ossl_self_test_set_callback_new(ctx); + if (ctx->self_test_cb == NULL) + goto err; +#endif + +#ifdef FIPS_MODULE + ctx->thread_event_handler = ossl_thread_event_ctx_new(ctx); + if (ctx->thread_event_handler == NULL) + goto err; + + ctx->fips_prov = ossl_fips_prov_ossl_ctx_new(ctx); + if (ctx->fips_prov == NULL) + goto err; +#endif + + /* Low priority. 
*/ +#ifndef FIPS_MODULE + ctx->child_provider = ossl_child_prov_ctx_new(ctx); + if (ctx->child_provider == NULL) + goto err; +#endif + /* Everything depends on properties, so we also pre-initialise that */ if (!ossl_property_parse_init(ctx)) goto err; return 1; + err: + context_deinit_objs(ctx); + if (exdata_done) ossl_crypto_cleanup_all_ex_data_int(ctx); - for (i = 0; i < OSSL_LIB_CTX_MAX_INDEXES; i++) - CRYPTO_THREAD_lock_free(ctx->index_locks[i]); - CRYPTO_THREAD_lock_free(ctx->oncelock); + + CRYPTO_THREAD_lock_free(ctx->rand_crngt_lock); CRYPTO_THREAD_lock_free(ctx->lock); memset(ctx, '\0', sizeof(*ctx)); return 0; } -static int context_deinit(OSSL_LIB_CTX *ctx) +static void context_deinit_objs(OSSL_LIB_CTX *ctx) { - struct ossl_lib_ctx_onfree_list_st *tmp, *onfree; - int i; + /* P2. We want evp_method_store to be cleaned up before the provider store */ + if (ctx->evp_method_store != NULL) { + ossl_method_store_free(ctx->evp_method_store); + ctx->evp_method_store = NULL; + } + + /* P2. */ + if (ctx->drbg != NULL) { + ossl_rand_ctx_free(ctx->drbg); + ctx->drbg = NULL; + } + +#ifndef FIPS_MODULE + /* P2. */ + if (ctx->provider_conf != NULL) { + ossl_prov_conf_ctx_free(ctx->provider_conf); + ctx->provider_conf = NULL; + } + + /* P2. We want decoder_store to be cleaned up before the provider store */ + if (ctx->decoder_store != NULL) { + ossl_method_store_free(ctx->decoder_store); + ctx->decoder_store = NULL; + } + /* P2. We want encoder_store to be cleaned up before the provider store */ + if (ctx->encoder_store != NULL) { + ossl_method_store_free(ctx->encoder_store); + ctx->encoder_store = NULL; + } + + /* P2. We want loader_store to be cleaned up before the provider store */ + if (ctx->store_loader_store != NULL) { + ossl_method_store_free(ctx->store_loader_store); + ctx->store_loader_store = NULL; + } +#endif + + /* P1. 
Needs to be freed before the child provider data is freed */ + if (ctx->provider_store != NULL) { + ossl_provider_store_free(ctx->provider_store); + ctx->provider_store = NULL; + } + + /* Default priority. */ + if (ctx->property_string_data != NULL) { + ossl_property_string_data_free(ctx->property_string_data); + ctx->property_string_data = NULL; + } + + if (ctx->namemap != NULL) { + ossl_stored_namemap_free(ctx->namemap); + ctx->namemap = NULL; + } + + if (ctx->property_defns != NULL) { + ossl_property_defns_free(ctx->property_defns); + ctx->property_defns = NULL; + } + + if (ctx->global_properties != NULL) { + ossl_ctx_global_properties_free(ctx->global_properties); + ctx->global_properties = NULL; + } + +#ifndef FIPS_MODULE + if (ctx->bio_core != NULL) { + ossl_bio_core_globals_free(ctx->bio_core); + ctx->bio_core = NULL; + } +#endif + + if (ctx->drbg_nonce != NULL) { + ossl_prov_drbg_nonce_ctx_free(ctx->drbg_nonce); + ctx->drbg_nonce = NULL; + } + +#ifndef FIPS_MODULE + if (ctx->self_test_cb != NULL) { + ossl_self_test_set_callback_free(ctx->self_test_cb); + ctx->self_test_cb = NULL; + } +#endif + + if (ctx->rand_crngt != NULL) { + ossl_rand_crng_ctx_free(ctx->rand_crngt); + ctx->rand_crngt = NULL; + } + +#ifdef FIPS_MODULE + if (ctx->thread_event_handler != NULL) { + ossl_thread_event_ctx_free(ctx->thread_event_handler); + ctx->thread_event_handler = NULL; + } + + if (ctx->fips_prov != NULL) { + ossl_fips_prov_ossl_ctx_free(ctx->fips_prov); + ctx->fips_prov = NULL; + } +#endif + + /* Low priority. 
*/ +#ifndef FIPS_MODULE + if (ctx->child_provider != NULL) { + ossl_child_prov_ctx_free(ctx->child_provider); + ctx->child_provider = NULL; + } +#endif +} + +static int context_deinit(OSSL_LIB_CTX *ctx) +{ if (ctx == NULL) return 1; ossl_ctx_thread_stop(ctx); - onfree = ctx->onfreelist; - while (onfree != NULL) { - onfree->fn(ctx); - tmp = onfree; - onfree = onfree->next; - OPENSSL_free(tmp); - } - CRYPTO_free_ex_data(CRYPTO_EX_INDEX_OSSL_LIB_CTX, NULL, &ctx->data); + context_deinit_objs(ctx); + ossl_crypto_cleanup_all_ex_data_int(ctx); - for (i = 0; i < OSSL_LIB_CTX_MAX_INDEXES; i++) - CRYPTO_THREAD_lock_free(ctx->index_locks[i]); - CRYPTO_THREAD_lock_free(ctx->oncelock); + CRYPTO_THREAD_lock_free(ctx->rand_crngt_lock); CRYPTO_THREAD_lock_free(ctx->lock); + ctx->rand_crngt_lock = NULL; ctx->lock = NULL; return 1; } @@ -275,15 +459,10 @@ OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *libctx) void ossl_release_default_drbg_ctx(void) { - int dynidx = default_context_int.dyn_indexes[OSSL_LIB_CTX_DRBG_INDEX]; - - /* early release of the DRBG in global default libctx, no locking */ - if (dynidx != -1) { - void *data; - - data = CRYPTO_get_ex_data(&default_context_int.data, dynidx); - ossl_rand_ctx_free(data); - CRYPTO_set_ex_data(&default_context_int.data, dynidx, NULL); + /* early release of the DRBG in global default libctx */ + if (default_context_int.drbg != NULL) { + ossl_rand_ctx_free(default_context_int.drbg); + default_context_int.drbg = NULL; } } #endif 
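Review bot: The `P1.`/`P2.`/`Default priority.`/`Low priority.` markers sprinkled through `context_init` and `context_deinit_objs` are the only record of the teardown order that replaced the priority field of the old `OSSL_LIB_CTX_METHOD` tables, and nothing states the rule that both functions must list the objects in the same order; a block comment above `context_init`, e.g. `/* Objects are created and destroyed in the same order. Entries marked P2 depend on the provider store (P1) and must be torn down before it; keep this list and context_deinit_objs in sync. */`, would stop the next field from being added to one function only. `ctx->rand_crngt` is never assigned in `context_init` and is created lazily elsewhere, so correctness relies on the caller supplying zeroed memory (the static default context, or a zalloc'd one); an explicit `ctx->rand_crngt = NULL;` next to the lock creation would make that visible. On the `err:` path `context_deinit_objs(ctx)` runs before the `memset`, which is the right order.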
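Review bot: The rewritten comment in `ossl_release_default_drbg_ctx` drops the old "no locking" caveat even though the new body still reads and clears `default_context_int.drbg` without taking `lock`; keep the caveat and say when that is safe, e.g. `/* early release of the DRBG in the global default libctx; no locking, presumably only reached during library shutdown */`. If the function can run while other threads still hold the default context, the missing lock is a real race rather than a documentation gap, so please confirm the call sites.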
@@ -315,127 +494,89 @@ int ossl_lib_ctx_is_global_default(OSSL_LIB_CTX *ctx) return 0; } -static void ossl_lib_ctx_generic_new(void *parent_ign, void *ptr_ign, - CRYPTO_EX_DATA *ad, int index, - long argl_ign, void *argp) +void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index) { - const OSSL_LIB_CTX_METHOD *meth = argp; - OSSL_LIB_CTX *ctx = ossl_crypto_ex_data_get_ossl_lib_ctx(ad); - void *ptr = meth->new_func(ctx); - - if (ptr != NULL) { - if (!CRYPTO_THREAD_write_lock(ctx->lock)) - /* - * Can't return something, so best to hope that something will - * fail later. :( - */ - return; - CRYPTO_set_ex_data(ad, index, ptr); - CRYPTO_THREAD_unlock(ctx->lock); - } -} -static void ossl_lib_ctx_generic_free(void *parent_ign, void *ptr, - CRYPTO_EX_DATA *ad, int index, - long argl_ign, void *argp) -{ - const OSSL_LIB_CTX_METHOD *meth = argp; - - meth->free_func(ptr); -} - -static int ossl_lib_ctx_init_index(OSSL_LIB_CTX *ctx, int static_index, - const OSSL_LIB_CTX_METHOD *meth) -{ - int idx; + void *p; ctx = ossl_lib_ctx_get_concrete(ctx); if (ctx == NULL) - return 0; - - idx = ossl_crypto_get_ex_new_index_ex(ctx, CRYPTO_EX_INDEX_OSSL_LIB_CTX, 0, - (void *)meth, - ossl_lib_ctx_generic_new, - NULL, ossl_lib_ctx_generic_free, - meth->priority); - if (idx < 0) - return 0; + return NULL; - ctx->dyn_indexes[static_index] = idx; - return 1; -} + switch (index) { + case OSSL_LIB_CTX_PROPERTY_STRING_INDEX: + return ctx->property_string_data; + case OSSL_LIB_CTX_EVP_METHOD_STORE_INDEX: + return ctx->evp_method_store; + case OSSL_LIB_CTX_PROVIDER_STORE_INDEX: + return ctx->provider_store; + case OSSL_LIB_CTX_NAMEMAP_INDEX: + return ctx->namemap; + case OSSL_LIB_CTX_PROPERTY_DEFN_INDEX: + return ctx->property_defns; + case OSSL_LIB_CTX_GLOBAL_PROPERTIES: + return ctx->global_properties; + case OSSL_LIB_CTX_DRBG_INDEX: + return ctx->drbg; + case OSSL_LIB_CTX_DRBG_NONCE_INDEX: + return ctx->drbg_nonce; +#ifndef FIPS_MODULE + case OSSL_LIB_CTX_PROVIDER_CONF_INDEX: + return 
ctx->provider_conf; + case OSSL_LIB_CTX_BIO_CORE_INDEX: + return ctx->bio_core; + case OSSL_LIB_CTX_CHILD_PROVIDER_INDEX: + return ctx->child_provider; + case OSSL_LIB_CTX_DECODER_STORE_INDEX: + return ctx->decoder_store; + case OSSL_LIB_CTX_ENCODER_STORE_INDEX: + return ctx->encoder_store; + case OSSL_LIB_CTX_STORE_LOADER_STORE_INDEX: + return ctx->store_loader_store; + case OSSL_LIB_CTX_SELF_TEST_CB_INDEX: + return ctx->self_test_cb; +#endif -void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index, - const OSSL_LIB_CTX_METHOD *meth) -{ - void *data = NULL; - int dynidx; + case OSSL_LIB_CTX_RAND_CRNGT_INDEX: { + + /* + * rand_crngt must be lazily initialized because it calls into + * libctx, so must not be called from context_init, else a deadlock + * will occur. + * + * We use a separate lock because code called by the instantiation + * of rand_crngt is liable to try and take the libctx lock. + */ + if (CRYPTO_THREAD_read_lock(ctx->rand_crngt_lock) != 1) + return NULL; - ctx = ossl_lib_ctx_get_concrete(ctx); - if (ctx == NULL) - return NULL; + if (ctx->rand_crngt == NULL) { + CRYPTO_THREAD_unlock(ctx->rand_crngt_lock); - if (!CRYPTO_THREAD_read_lock(ctx->lock)) - return NULL; - dynidx = ctx->dyn_indexes[index]; - CRYPTO_THREAD_unlock(ctx->lock); + if (CRYPTO_THREAD_write_lock(ctx->rand_crngt_lock) != 1) + return NULL; - if (dynidx != -1) { - if (!CRYPTO_THREAD_read_lock(ctx->index_locks[index])) - return NULL; - if (!CRYPTO_THREAD_read_lock(ctx->lock)) { - CRYPTO_THREAD_unlock(ctx->index_locks[index]); - return NULL; + if (ctx->rand_crngt == NULL) + ctx->rand_crngt = ossl_rand_crng_ctx_new(ctx); } - data = CRYPTO_get_ex_data(&ctx->data, dynidx); - CRYPTO_THREAD_unlock(ctx->lock); - CRYPTO_THREAD_unlock(ctx->index_locks[index]); - return data; - } - if (!CRYPTO_THREAD_write_lock(ctx->index_locks[index])) - return NULL; - if (!CRYPTO_THREAD_write_lock(ctx->lock)) { - CRYPTO_THREAD_unlock(ctx->index_locks[index]); - return NULL; - } + p = ctx->rand_crngt; - dynidx 
= ctx->dyn_indexes[index]; - if (dynidx != -1) { - data = CRYPTO_get_ex_data(&ctx->data, dynidx); - CRYPTO_THREAD_unlock(ctx->lock); - CRYPTO_THREAD_unlock(ctx->index_locks[index]); - return data; - } + CRYPTO_THREAD_unlock(ctx->rand_crngt_lock); - if (!ossl_lib_ctx_init_index(ctx, index, meth)) { - CRYPTO_THREAD_unlock(ctx->lock); - CRYPTO_THREAD_unlock(ctx->index_locks[index]); - return NULL; + return p; } - CRYPTO_THREAD_unlock(ctx->lock); - - /* - * The alloc call ensures there's a value there. We release the ctx->lock - * for this, because the allocation itself may recursively call - * ossl_lib_ctx_get_data for other indexes (never this one). The allocation - * will itself aquire the ctx->lock when it actually comes to store the - * allocated data (see ossl_lib_ctx_generic_new() above). We call - * ossl_crypto_alloc_ex_data_intern() here instead of CRYPTO_alloc_ex_data(). - * They do the same thing except that the latter calls CRYPTO_get_ex_data() - * as well - which we must not do without holding the ctx->lock. - */ - if (ossl_crypto_alloc_ex_data_intern(CRYPTO_EX_INDEX_OSSL_LIB_CTX, NULL, - &ctx->data, ctx->dyn_indexes[index])) { - if (!CRYPTO_THREAD_read_lock(ctx->lock)) - goto end; - data = CRYPTO_get_ex_data(&ctx->data, ctx->dyn_indexes[index]); - CRYPTO_THREAD_unlock(ctx->lock); - } +#ifdef FIPS_MODULE + case OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX: + return ctx->thread_event_handler; + + case OSSL_LIB_CTX_FIPS_PROV_INDEX: + return ctx->fips_prov; +#endif -end: - CRYPTO_THREAD_unlock(ctx->index_locks[index]); - return data; + default: + return NULL; + } } OSSL_EX_DATA_GLOBAL *ossl_lib_ctx_get_ex_data_global(OSSL_LIB_CTX *ctx) 
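Review bot: In the `OSSL_LIB_CTX_RAND_CRNGT_INDEX` arm, `ossl_rand_crng_ctx_new(ctx)` runs while `rand_crngt_lock` is held for writing, so any code underneath it that asks for the same index on the same ctx would block on that lock; the comment explains why the separate lock exists but not this re-entrancy constraint, so add `/* the constructor must not request OSSL_LIB_CTX_RAND_CRNGT_INDEX on this ctx while the lock is held */`. The `default:` arm returns NULL both for an unknown index and for indexes compiled out under FIPS_MODULE, which callers cannot tell apart from an allocation failure; a comment stating that, or an ERR_raise for the unknown-index case, would make the contract explicit. The blank line directly after `case OSSL_LIB_CTX_RAND_CRNGT_INDEX: {` is a style nit.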
@@ -446,56 +587,6 @@ OSSL_EX_DATA_GLOBAL *ossl_lib_ctx_get_ex_data_global(OSSL_LIB_CTX *ctx) return &ctx->global; } -int ossl_lib_ctx_run_once(OSSL_LIB_CTX *ctx, unsigned int idx, - ossl_lib_ctx_run_once_fn run_once_fn) -{ - int done = 0, ret = 0; - - ctx = ossl_lib_ctx_get_concrete(ctx); - if (ctx == NULL) - return 0; - - if (!CRYPTO_THREAD_read_lock(ctx->oncelock)) - return 0; - done = ctx->run_once_done[idx]; - if (done) - ret = ctx->run_once_ret[idx]; - CRYPTO_THREAD_unlock(ctx->oncelock); - - if (done) - return ret; - - if (!CRYPTO_THREAD_write_lock(ctx->oncelock)) - return 0; - if (ctx->run_once_done[idx]) { - ret = ctx->run_once_ret[idx]; - CRYPTO_THREAD_unlock(ctx->oncelock); - return ret; - } - - ret = run_once_fn(ctx); - ctx->run_once_done[idx] = 1; - ctx->run_once_ret[idx] = ret; - CRYPTO_THREAD_unlock(ctx->oncelock); - - return ret; -} - -int ossl_lib_ctx_onfree(OSSL_LIB_CTX *ctx, ossl_lib_ctx_onfree_fn onfreefn) -{ - struct ossl_lib_ctx_onfree_list_st *newonfree - = OPENSSL_malloc(sizeof(*newonfree)); - - if (newonfree == NULL) - return 0; - - newonfree->fn = onfreefn; - newonfree->next = ctx->onfreelist; - ctx->onfreelist = newonfree; - - return 1; -} - const char *ossl_lib_ctx_get_descriptor(OSSL_LIB_CTX *libctx) { #ifdef FIPS_MODULE diff --git a/crypto/core_namemap.c b/crypto/core_namemap.c index 7e11ab1c8..e2909d719 100644 --- a/crypto/core_namemap.c +++ b/crypto/core_namemap.c @@ -12,6 +12,7 @@ #include "crypto/lhash.h" /* ossl_lh_strcasehash */ #include "internal/tsan_assist.h" #include "internal/sizes.h" +#include "crypto/context.h" /*- * The namenum entry @@ -22,7 +23,7 @@ typedef struct { int number; } NAMENUM_ENTRY; -DEFINE_LHASH_OF(NAMENUM_ENTRY); +DEFINE_LHASH_OF_EX(NAMENUM_ENTRY); /*- * The namemap itself 
@@ -60,7 +61,7 @@ static void namenum_free(NAMENUM_ENTRY *n) /* OSSL_LIB_CTX_METHOD functions for a namemap stored in a library context */ -static void *stored_namemap_new(OSSL_LIB_CTX *libctx) +void *ossl_stored_namemap_new(OSSL_LIB_CTX *libctx) { OSSL_NAMEMAP *namemap = ossl_namemap_new(); @@ -70,7 +71,7 @@ static void *stored_namemap_new(OSSL_LIB_CTX *libctx) return namemap; } -static void stored_namemap_free(void *vnamemap) +void ossl_stored_namemap_free(void *vnamemap) { OSSL_NAMEMAP *namemap = vnamemap; @@ -81,12 +82,6 @@ static void stored_namemap_free(void *vnamemap) } } -static const OSSL_LIB_CTX_METHOD stored_namemap_method = { - OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, - stored_namemap_new, - stored_namemap_free, -}; - /*- * API functions * ============= @@ -171,22 +166,20 @@ int ossl_namemap_doall_names(const OSSL_NAMEMAP *namemap, int number, return 1; } -static int namemap_name2num_n(const OSSL_NAMEMAP *namemap, - const char *name, size_t name_len) +/* This function is not thread safe, the namemap must be locked */ +static int namemap_name2num(const OSSL_NAMEMAP *namemap, + const char *name) { NAMENUM_ENTRY *namenum_entry, namenum_tmpl; - if ((namenum_tmpl.name = OPENSSL_strndup(name, name_len)) == NULL) - return 0; + namenum_tmpl.name = (char *)name; namenum_tmpl.number = 0; namenum_entry = lh_NAMENUM_ENTRY_retrieve(namemap->namenum, &namenum_tmpl); - OPENSSL_free(namenum_tmpl.name); return namenum_entry != NULL ? namenum_entry->number : 0; } -int ossl_namemap_name2num_n(const OSSL_NAMEMAP *namemap, - const char *name, size_t name_len) +int ossl_namemap_name2num(const OSSL_NAMEMAP *namemap, const char *name) { int number; 
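Review bot: `namenum_tmpl.name = (char *)name;` in namemap_name2num casts away const to build the lookup template, which is only safe because the hash and compare callbacks behind `lh_NAMENUM_ENTRY_retrieve` presumably never write through the pointer; that reasoning should be on the line, e.g. `/* const cast is safe: retrieve() only reads the key */`. The new "not thread safe, the namemap must be locked" comment is good; the same wording is used for namemap_add_name in a later hunk.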
@@ -200,18 +193,24 @@ int ossl_namemap_name2num_n(const OSSL_NAMEMAP *namemap, if (!CRYPTO_THREAD_read_lock(namemap->lock)) return 0; - number = namemap_name2num_n(namemap, name, name_len); + number = namemap_name2num(namemap, name); CRYPTO_THREAD_unlock(namemap->lock); return number; } -int ossl_namemap_name2num(const OSSL_NAMEMAP *namemap, const char *name) +int ossl_namemap_name2num_n(const OSSL_NAMEMAP *namemap, + const char *name, size_t name_len) { - if (name == NULL) + char *tmp; + int ret; + + if (name == NULL || (tmp = OPENSSL_strndup(name, name_len)) == NULL) return 0; - return ossl_namemap_name2num_n(namemap, name, strlen(name)); + ret = ossl_namemap_name2num(namemap, tmp); + OPENSSL_free(tmp); + return ret; } struct num2name_data_st { @@ -241,18 +240,21 @@ const char *ossl_namemap_num2name(const OSSL_NAMEMAP *namemap, int number, return data.name; } -static int namemap_add_name_n(OSSL_NAMEMAP *namemap, int number, - const char *name, size_t name_len) +/* This function is not thread safe, the namemap must be locked */ +static int namemap_add_name(OSSL_NAMEMAP *namemap, int number, + const char *name) { NAMENUM_ENTRY *namenum = NULL; int tmp_number; /* If it already exists, we don't add it */ - if ((tmp_number = namemap_name2num_n(namemap, name, name_len)) != 0) + if ((tmp_number = namemap_name2num(namemap, name)) != 0) return tmp_number; - if ((namenum = OPENSSL_zalloc(sizeof(*namenum))) == NULL - || (namenum->name = OPENSSL_strndup(name, name_len)) == NULL) + if ((namenum = OPENSSL_zalloc(sizeof(*namenum))) == NULL) + return 0; + + if ((namenum->name = OPENSSL_strdup(name)) == NULL) goto err; /* The tsan_counter use here is safe since we're under lock */ @@ -269,8 +271,8 @@ static int namemap_add_name_n(OSSL_NAMEMAP *namemap, int number, return 0; } -int ossl_namemap_add_name_n(OSSL_NAMEMAP *namemap, int number, - const char *name, size_t name_len) +int ossl_namemap_add_name(OSSL_NAMEMAP *namemap, int number, + const char *name) { int tmp_number; 
@@ -279,29 +281,20 @@ int ossl_namemap_add_name_n(OSSL_NAMEMAP *namemap, int number, namemap = ossl_namemap_stored(NULL); #endif - if (name == NULL || name_len == 0 || namemap == NULL) + if (name == NULL || *name == 0 || namemap == NULL) return 0; if (!CRYPTO_THREAD_write_lock(namemap->lock)) return 0; - tmp_number = namemap_add_name_n(namemap, number, name, name_len); + tmp_number = namemap_add_name(namemap, number, name); CRYPTO_THREAD_unlock(namemap->lock); return tmp_number; } -int ossl_namemap_add_name(OSSL_NAMEMAP *namemap, int number, const char *name) -{ - if (name == NULL) - return 0; - - return ossl_namemap_add_name_n(namemap, number, name, strlen(name)); -} - int ossl_namemap_add_names(OSSL_NAMEMAP *namemap, int number, const char *names, const char separator) { - const char *p, *q; - size_t l; + char *tmp, *p, *q, *endp; /* Check that we have a namemap */ if (!ossl_assert(namemap != NULL)) { 
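Review bot: In ossl_namemap_add_name the new empty-name test is written `*name == 0`; the rest of this file compares characters against `'\0'` (see the loops in ossl_namemap_add_names), so `if (name == NULL || *name == '\0' || namemap == NULL)` would read consistently. The behaviour is the same either way.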
@@ -309,62 +302,71 @@ int ossl_namemap_add_names(OSSL_NAMEMAP *namemap, int number, return 0; } - if (!CRYPTO_THREAD_write_lock(namemap->lock)) + if ((tmp = OPENSSL_strdup(names)) == NULL) + return 0; + + if (!CRYPTO_THREAD_write_lock(namemap->lock)) { + OPENSSL_free(tmp); return 0; + } /* * Check that no name is an empty string, and that all names have at * most one numeric identity together. */ - for (p = names; *p != '\0'; p = (q == NULL ? p + l : q + 1)) { + for (p = tmp; *p != '\0'; p = q) { int this_number; + size_t l; - if ((q = strchr(p, separator)) == NULL) + if ((q = strchr(p, separator)) == NULL) { l = strlen(p); /* offset to \0 */ - else + q = p + l; + } else { l = q - p; /* offset to the next separator */ + *q++ = '\0'; + } - this_number = namemap_name2num_n(namemap, p, l); - - if (*p == '\0' || *p == separator) { + if (*p == '\0') { ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_BAD_ALGORITHM_NAME); - goto err; + number = 0; + goto end; } + + this_number = namemap_name2num(namemap, p); + if (number == 0) { number = this_number; } else if (this_number != 0 && this_number != number) { ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_CONFLICTING_NAMES, - "\"%.*s\" has an existing different identity %d (from \"%s\")", - l, p, this_number, names); - goto err; + "\"%s\" has an existing different identity %d (from \"%s\")", + p, this_number, names); + number = 0; + goto end; } } + endp = p; /* Now that we have checked, register all names */ - for (p = names; *p != '\0'; p = (q == NULL ? 
p + l : q + 1)) { + for (p = tmp; p < endp; p = q) { int this_number; - if ((q = strchr(p, separator)) == NULL) - l = strlen(p); /* offset to \0 */ - else - l = q - p; /* offset to the next separator */ + q = p + strlen(p) + 1; - this_number = namemap_add_name_n(namemap, number, p, l); + this_number = namemap_add_name(namemap, number, p); if (number == 0) { number = this_number; } else if (this_number != number) { ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR, "Got number %d when expecting %d", this_number, number); - goto err; + number = 0; + goto end; } } + end: CRYPTO_THREAD_unlock(namemap->lock); + OPENSSL_free(tmp); return number; - - err: - CRYPTO_THREAD_unlock(namemap->lock); - return 0; } /*- @@ -468,8 +470,7 @@ OSSL_NAMEMAP *ossl_namemap_stored(OSSL_LIB_CTX *libctx) int nms; #endif OSSL_NAMEMAP *namemap = - ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_NAMEMAP_INDEX, - &stored_namemap_method); + ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_NAMEMAP_INDEX); if (namemap == NULL) return NULL; diff --git a/crypto/cpt_err.c b/crypto/cpt_err.c index 8574f31a8..02d631466 100644 --- a/crypto/cpt_err.c +++ b/crypto/cpt_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
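Review bot: In the first loop of ossl_namemap_add_names the local `l` is assigned in the `else` branch (`l = q - p;`) but never read there — it is only used in the no-separator branch to compute `q = p + l`. The dead store is harmless but confusing next to the `*q++ = '\0'` that now splits the copy in place; either drop `l` and write `q = p + strlen(p);` in the first branch, or remove the `else` assignment. The function's opening (and the `ossl_assert` check) lies before the hunk; the `end:` path that unlocks and frees `tmp` on every exit is within it and looks correct.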
@@ -29,14 +29,32 @@ static const ERR_STRING_DATA CRYPTO_str_reasons[] = { "insufficient param size"}, {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_INSUFFICIENT_SECURE_DATA_SPACE), "insufficient secure data space"}, + {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_INTEGER_OVERFLOW), + "integer overflow"}, {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_INVALID_NEGATIVE_VALUE), "invalid negative value"}, {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_INVALID_NULL_ARGUMENT), "invalid null argument"}, {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_INVALID_OSSL_PARAM_TYPE), "invalid ossl param type"}, + {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_NO_PARAMS_TO_MERGE), + "no params to merge"}, + {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_NO_SPACE_FOR_TERMINATING_NULL), + "no space for terminating null"}, {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_ODD_NUMBER_OF_DIGITS), "odd number of digits"}, + {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_PARAM_CANNOT_BE_REPRESENTED_EXACTLY), + "param cannot be represented exactly"}, + {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_PARAM_NOT_INTEGER_TYPE), + "param not integer type"}, + {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_PARAM_OF_INCOMPATIBLE_TYPE), + "param of incompatible type"}, + {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_PARAM_UNSIGNED_INTEGER_NEGATIVE_VALUE_UNSUPPORTED), + "param unsigned integer negative value unsupported"}, + {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_PARAM_UNSUPPORTED_FLOATING_POINT_FORMAT), + "param unsupported floating point format"}, + {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_PARAM_VALUE_TOO_LARGE_FOR_DESTINATION), + "param value too large for destination"}, {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_PROVIDER_ALREADY_EXISTS), "provider already exists"}, {ERR_PACK(ERR_LIB_CRYPTO, 0, CRYPTO_R_PROVIDER_SECTION_ERROR), diff --git a/crypto/cpuid.c b/crypto/cpuid.c index 090f6fe03..21b2a59b4 100644 --- a/crypto/cpuid.c +++ b/crypto/cpuid.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "e_os.h" +#include "internal/e_os.h" #include "crypto/cryptlib.h" #if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \ diff --git a/crypto/crmf/crmf_pbm.c b/crypto/crmf/crmf_pbm.c index 88a8480cf..02f4c2fb4 100644 --- a/crypto/crmf/crmf_pbm.c +++ b/crypto/crmf/crmf_pbm.c @@ -1,5 +1,5 @@ /*- - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -22,7 +22,6 @@ #include #include #include -#include #include #include diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c index 6e73b8352..b722d2bb5 100644 --- a/crypto/cryptlib.c +++ b/crypto/cryptlib.c @@ -1,5 +1,5 @@ /* - * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -8,7 +8,7 @@ * https://www.openssl.org/source/license.html */ -#include "e_os.h" +#include "internal/e_os.h" #include "crypto/cryptlib.h" #include diff --git a/crypto/des/cfb_enc.c b/crypto/des/cfb_enc.c index 30458d50a..51c4dd2ab 100644 --- a/crypto/des/cfb_enc.c +++ b/crypto/des/cfb_enc.c 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -13,7 +13,7 @@ */ #include "internal/deprecated.h" -#include "e_os.h" +#include "internal/e_os.h" #include "des_local.h" #include diff --git a/crypto/des/des_local.h b/crypto/des/des_local.h index f888cb800..24d93bd3f 100644 --- a/crypto/des/des_local.h +++ b/crypto/des/des_local.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -37,19 +37,19 @@ l1=l2=0; \ switch (n) { \ case 8: l2 =((DES_LONG)(*(--(c))))<<24L; \ - /* fall thru */ \ + /* fall through */ \ case 7: l2|=((DES_LONG)(*(--(c))))<<16L; \ - /* fall thru */ \ + /* fall through */ \ case 6: l2|=((DES_LONG)(*(--(c))))<< 8L; \ - /* fall thru */ \ + /* fall through */ \ case 5: l2|=((DES_LONG)(*(--(c)))); \ - /* fall thru */ \ + /* fall through */ \ case 4: l1 =((DES_LONG)(*(--(c))))<<24L; \ - /* fall thru */ \ + /* fall through */ \ case 3: l1|=((DES_LONG)(*(--(c))))<<16L; \ - /* fall thru */ \ + /* fall through */ \ case 2: l1|=((DES_LONG)(*(--(c))))<< 8L; \ - /* fall thru */ \ + /* fall through */ \ case 1: l1|=((DES_LONG)(*(--(c)))); \ } \ } 
@@ -79,19 +79,19 @@ c+=n; \ switch (n) { \ case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 5: *(--(c))=(unsigned char)(((l2) )&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 1: *(--(c))=(unsigned char)(((l1) )&0xff); \ } \ } @@ -109,6 +109,19 @@ : "cc"); \ ret; \ }) +# elif defined(__riscv_zbb) || defined(__riscv_zbkb) +# if __riscv_xlen == 64 +# define ROTATE(x, n) ({ register unsigned int ret; \ + asm ("roriw %0, %1, %2" \ + : "=r"(ret) \ + : "r"(x), "i"(n)); ret; }) +# endif +# if __riscv_xlen == 32 +# define ROTATE(x, n) ({ register unsigned int ret; \ + asm ("rori %0, %1, %2" \ + : "=r"(ret) \ + : "r"(x), "i"(n)); ret; }) +# endif # endif # endif # ifndef ROTATE diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c index aec6b8531..204662a81 100644 --- a/crypto/dh/dh_gen.c +++ b/crypto/dh/dh_gen.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -28,6 +28,7 @@ #include #include #include "crypto/dh.h" +#include "crypto/security_bits.h" #include "dh_local.h" #ifndef FIPS_MODULE 
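Review bot: The two new RISC-V ROTATE definitions only cover `__riscv_xlen` of 32 and 64, so any other XLEN silently falls through to the generic `# ifndef ROTATE` fallback that follows; a one-line comment stating that this is intended would save the next reader a search, e.g. `/* Zbb/Zbkb rotate; other XLEN values use the portable fallback below */`. Both asm forms also rely on `n` being a compile-time constant through the `"i"` constraint, which the existing macro users presumably satisfy but is worth noting next to the definition.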
@@ -219,6 +220,9 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, goto err; if (!BN_set_word(ret->params.g, g)) goto err; + /* We are using safe prime p, set key length equivalent to RFC 7919 */ + ret->length = (2 * ossl_ifc_ffc_compute_security_bits(prime_len) + + 24) / 25 * 25; ret->dirty_cnt++; ok = 1; err: diff --git a/crypto/dh/dh_kdf.c b/crypto/dh/dh_kdf.c index 6e99466e6..64f8064d9 100644 --- a/crypto/dh/dh_kdf.c +++ b/crypto/dh/dh_kdf.c @@ -13,8 +13,7 @@ */ #include "internal/deprecated.h" -#include "e_os.h" -#include "e_os.h" +#include "internal/e_os.h" #include #include #include diff --git a/crypto/dllmain.c b/crypto/dllmain.c index 48c0cd312..96198a939 100644 --- a/crypto/dllmain.c +++ b/crypto/dllmain.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "e_os.h" +#include "internal/e_os.h" #include "crypto/cryptlib.h" #if defined(_WIN32) || defined(__CYGWIN__) diff --git a/crypto/dsa/dsa_backend.c b/crypto/dsa/dsa_backend.c index f9a71bdc9..389df304b 100644 --- a/crypto/dsa/dsa_backend.c +++ b/crypto/dsa/dsa_backend.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
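Review bot: The expression `ret->length = (2 * ossl_ifc_ffc_compute_security_bits(prime_len) + 24) / 25 * 25;` rounds twice the security strength up to the next multiple of 25 bits, which is how the RFC 7919 exponent sizes (225, 275, 325, 375, 400 for the 2048…8192-bit groups) come out, but the comment only says "equivalent to RFC 7919". Spell the rounding out so the magic constants are not mistaken for a typo: `/* Round 2*security_bits up to a multiple of 25, reproducing the RFC 7919 private-key lengths */`.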
@@ -173,7 +173,10 @@ DSA *ossl_dsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf, ERR_raise(ERR_LIB_DSA, DSA_R_BN_ERROR); goto dsaerr; } - DSA_set0_key(dsa, dsa_pubkey, dsa_privkey); + if (!DSA_set0_key(dsa, dsa_pubkey, dsa_privkey)) { + ERR_raise(ERR_LIB_DSA, ERR_R_INTERNAL_ERROR); + goto dsaerr; + } goto done; diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c index 5685d5e83..a92ca6166 100644 --- a/crypto/dsa/dsa_err.c +++ b/crypto/dsa/dsa_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -36,6 +36,7 @@ static const ERR_STRING_DATA DSA_str_reasons[] = { {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_SEED_LEN_SMALL), "seed_len is less than the length of q"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_TOO_MANY_RETRIES), "too many retries"}, {0, NULL} }; diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c index 1f951a9d3..bd67627e1 100644 --- a/crypto/dsa/dsa_key.c +++ b/crypto/dsa/dsa_key.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
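Review bot: Checking the result of `DSA_set0_key(dsa, dsa_pubkey, dsa_privkey)` is an improvement, but when it fails the two BIGNUMs have not been taken over by `dsa`, so ownership stays with this function; the `dsaerr:` label is outside the hunk, so please confirm it frees `dsa_pubkey` and `dsa_privkey` on this path rather than only `dsa`. A short comment on the new branch, `/* on failure the BIGNUMs are still ours to free */`, would record that expectation.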
@@ -59,6 +59,54 @@ int ossl_dsa_generate_public_key(BN_CTX *ctx, const DSA *dsa, return ret; } +/* + * Refer: FIPS 140-3 IG 10.3.A Additional Comment 1 + * Perform a KAT by duplicating the public key generation. + * + * NOTE: This issue requires a background understanding, provided in a separate + * document; the current IG 10.3.A AC1 is insufficient regarding the PCT for + * the key agreement scenario. + * + * Currently IG 10.3.A requires PCT in the mode of use prior to use of the + * key pair, citing the PCT defined in the associated standard. For key + * agreement, the only PCT defined in SP 800-56A is that of Section 5.6.2.4: + * the comparison of the original public key to a newly calculated public key. + */ +static int dsa_keygen_knownanswer_test(DSA *dsa, BN_CTX *ctx, + OSSL_CALLBACK *cb, void *cbarg) +{ + int len, ret = 0; + OSSL_SELF_TEST *st = NULL; + unsigned char bytes[512] = {0}; + BIGNUM *pub_key2 = BN_new(); + + if (pub_key2 == NULL) + return 0; + + st = OSSL_SELF_TEST_new(cb, cbarg); + if (st == NULL) + goto err; + + OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT_KAT, + OSSL_SELF_TEST_DESC_PCT_DSA); + + if (!ossl_dsa_generate_public_key(ctx, dsa, dsa->priv_key, pub_key2)) + goto err; + + if (BN_num_bytes(pub_key2) > (int)sizeof(bytes)) + goto err; + len = BN_bn2bin(pub_key2, bytes); + OSSL_SELF_TEST_oncorrupt_byte(st, bytes); + if (BN_bin2bn(bytes, len, pub_key2) != NULL) + ret = !BN_cmp(dsa->pub_key, pub_key2); + +err: + OSSL_SELF_TEST_onend(st, ret); + OSSL_SELF_TEST_free(st); + BN_free(pub_key2); + return ret; +} + static int dsa_keygen(DSA *dsa, int pairwise_test) { int ok = 0; 
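Review bot: dsa_keygen_knownanswer_test serialises the recomputed public key into a fixed `unsigned char bytes[512]`, so a public key wider than 4096 bits fails the `BN_num_bytes(pub_key2) > (int)sizeof(bytes)` check and the whole test returns 0 with no error reason, which the caller reports as a PCT failure rather than an unsupported size. That is fine for FIPS 186-4 parameter sizes, but this function appears to be built outside FIPS_MODULE as well; either size the buffer from `BN_num_bytes(dsa->params.p)` or document the limit above the array, e.g. `/* large enough for any FIPS 186-4 p; larger keys fail the KAT */`. The function is entirely within the hunk.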
@@ -113,7 +161,8 @@ static int dsa_keygen(DSA *dsa, int pairwise_test) void *cbarg = NULL; OSSL_SELF_TEST_get_callback(dsa->libctx, &cb, &cbarg); - ok = dsa_keygen_pairwise_test(dsa, cb, cbarg); + ok = dsa_keygen_pairwise_test(dsa, cb, cbarg) + && dsa_keygen_knownanswer_test(dsa, ctx, cb, cbarg); if (!ok) { ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT); BN_free(dsa->pub_key); diff --git a/crypto/dsa/dsa_local.h b/crypto/dsa/dsa_local.h index 9e33fae13..4e963809b 100644 --- a/crypto/dsa/dsa_local.h +++ b/crypto/dsa/dsa_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -14,7 +14,7 @@ struct dsa_st { /* * This first variable is used to pick up errors where a DSA is passed - * instead of of a EVP_PKEY + * instead of an EVP_PKEY */ int pad; int32_t version; diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 86d89f4c7..df0dba7a0 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -21,6 +21,9 @@ #include "dsa_local.h" #include +#define MIN_DSA_SIGN_QBITS 128 +#define MAX_DSA_SIGN_RETRIES 8 + static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); 
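Review bot: The new `MIN_DSA_SIGN_QBITS 128` and `MAX_DSA_SIGN_RETRIES 8` definitions carry no explanation of where the values come from, and both drive security-relevant rejections later in the file. Add a line each, e.g. `/* reject q smaller than this so the blinding/retry loops are bounded */` and `/* upper bound on r == 0 / s == 0 redo attempts; see ossl_dsa_do_sign_int */`, so the next person tuning them knows what they guard.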
@@ -75,6 +78,7 @@ DSA_SIG *ossl_dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa) int reason = ERR_R_BN_LIB; DSA_SIG *ret = NULL; int rv = 0; + int retries = 0; if (dsa->params.p == NULL || dsa->params.q == NULL @@ -129,7 +133,10 @@ DSA_SIG *ossl_dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa) * s := blind^-1 * k^-1 * (blind * m + blind * r * priv_key) mod q */ - /* Generate a blinding value */ + /* + * Generate a blinding value + * The size of q is tested in dsa_sign_setup() so there should not be an infinite loop here. + */ do { if (!BN_priv_rand_ex(blind, BN_num_bits(dsa->params.q) - 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, 0, ctx)) @@ -164,14 +171,19 @@ DSA_SIG *ossl_dsa_do_sign_int(const unsigned char *dgst, int dlen, DSA *dsa) goto err; /* - * Redo if r or s is zero as required by FIPS 186-3: this is very - * unlikely. + * Redo if r or s is zero as required by FIPS 186-4: Section 4.6 + * This is very unlikely. + * Limit the retries so there is no possibility of an infinite + * loop for bad domain parameter values. */ - if (BN_is_zero(ret->r) || BN_is_zero(ret->s)) + if (BN_is_zero(ret->r) || BN_is_zero(ret->s)) { + if (retries++ > MAX_DSA_SIGN_RETRIES) { + reason = DSA_R_TOO_MANY_RETRIES; + goto err; + } goto redo; - + } rv = 1; - err: if (rv == 0) { ERR_raise(ERR_LIB_DSA, reason); @@ -220,7 +232,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, ERR_raise(ERR_LIB_DSA, DSA_R_MISSING_PRIVATE_KEY); return 0; } - k = BN_new(); l = BN_new(); if (k == NULL || l == NULL) @@ -236,7 +247,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, /* Preallocate space */ q_bits = BN_num_bits(dsa->params.q); q_words = bn_get_top(dsa->params.q); - if (!bn_wexpand(k, q_words + 2) + if (q_bits < MIN_DSA_SIGN_QBITS + || !bn_wexpand(k, q_words + 2) || !bn_wexpand(l, q_words + 2)) goto err; diff --git a/crypto/dso/dso_dlfcn.c b/crypto/dso/dso_dlfcn.c index 6a988cc72..c292b41c4 100644 --- a/crypto/dso/dso_dlfcn.c +++ b/crypto/dso/dso_dlfcn.c 
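Review bot: `if (retries++ > MAX_DSA_SIGN_RETRIES)` in ossl_dsa_do_sign_int permits MAX_DSA_SIGN_RETRIES + 1 redo attempts before raising DSA_R_TOO_MANY_RETRIES, because the post-increment compares the old value and `>` lets the count reach 9 with the macro at 8. If the macro is meant as the exact cap, use `if (retries++ >= MAX_DSA_SIGN_RETRIES) {`. The function starts before the hunk and its `err:` handling continues after it.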
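Review bot: The new `q_bits < MIN_DSA_SIGN_QBITS` rejection in dsa_sign_setup shares the `goto err` of the `bn_wexpand` failures, so a too-small q is reported with whatever reason the common `err:` path raises (outside the hunk) and is indistinguishable from an allocation failure. Raising a parameter-specific reason first, `ERR_raise(ERR_LIB_DSA, DSA_R_INVALID_PARAMETERS); goto err;`, in its own `if` would make the rejection diagnosable by callers and tests.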
@@ -1,5 +1,5 @@ /* - * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -17,7 +17,7 @@ #endif #include "dso_local.h" -#include "e_os.h" +#include "internal/e_os.h" #ifdef DSO_DLFCN diff --git a/crypto/dso/dso_win32.c b/crypto/dso/dso_win32.c index 4d3059d43..20fa3dce7 100644 --- a/crypto/dso/dso_win32.c +++ b/crypto/dso/dso_win32.c @@ -1,5 +1,5 @@ /* - * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "e_os.h" +#include "internal/e_os.h" #include "dso_local.h" #if defined(DSO_WIN32) diff --git a/crypto/ec/asm/ecp_nistp521-ppc64.pl b/crypto/ec/asm/ecp_nistp521-ppc64.pl index 4260e24a1..cf3bc7908 100755 --- a/crypto/ec/asm/ecp_nistp521-ppc64.pl +++ b/crypto/ec/asm/ecp_nistp521-ppc64.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -140,6 +140,7 @@ ($$) } $code.=<<___; +.machine "any" .text ___ diff --git a/crypto/ec/asm/ecp_nistz256-armv8.pl b/crypto/ec/asm/ecp_nistz256-armv8.pl index 81ee3947d..5bb6990e8 100644 --- a/crypto/ec/asm/ecp_nistz256-armv8.pl +++ b/crypto/ec/asm/ecp_nistz256-armv8.pl 
@@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -122,7 +122,7 @@ .type ecp_nistz256_to_mont,%function .align 6 ecp_nistz256_to_mont: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-32]! add x29,sp,#0 stp x19,x20,[sp,#16] @@ -138,7 +138,7 @@ ldp x19,x20,[sp,#16] ldp x29,x30,[sp],#32 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size ecp_nistz256_to_mont,.-ecp_nistz256_to_mont @@ -147,7 +147,7 @@ .type ecp_nistz256_from_mont,%function .align 4 ecp_nistz256_from_mont: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-32]! add x29,sp,#0 stp x19,x20,[sp,#16] @@ -163,7 +163,7 @@ ldp x19,x20,[sp,#16] ldp x29,x30,[sp],#32 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size ecp_nistz256_from_mont,.-ecp_nistz256_from_mont @@ -173,7 +173,7 @@ .type ecp_nistz256_mul_mont,%function .align 4 ecp_nistz256_mul_mont: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-32]! add x29,sp,#0 stp x19,x20,[sp,#16] @@ -188,7 +188,7 @@ ldp x19,x20,[sp,#16] ldp x29,x30,[sp],#32 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont @@ -197,7 +197,7 @@ .type ecp_nistz256_sqr_mont,%function .align 4 ecp_nistz256_sqr_mont: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-32]! add x29,sp,#0 stp x19,x20,[sp,#16] @@ -211,7 +211,7 @@ ldp x19,x20,[sp,#16] ldp x29,x30,[sp],#32 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont 
@@ -221,7 +221,7 @@ .type ecp_nistz256_add,%function .align 4 ecp_nistz256_add: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -235,7 +235,7 @@ bl __ecp_nistz256_add ldp x29,x30,[sp],#16 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size ecp_nistz256_add,.-ecp_nistz256_add @@ -244,7 +244,7 @@ .type ecp_nistz256_div_by_2,%function .align 4 ecp_nistz256_div_by_2: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -256,7 +256,7 @@ bl __ecp_nistz256_div_by_2 ldp x29,x30,[sp],#16 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size ecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2 @@ -265,7 +265,7 @@ .type ecp_nistz256_mul_by_2,%function .align 4 ecp_nistz256_mul_by_2: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -281,7 +281,7 @@ bl __ecp_nistz256_add // ret = a+a // 2*a ldp x29,x30,[sp],#16 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size ecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2 @@ -290,7 +290,7 @@ .type ecp_nistz256_mul_by_3,%function .align 4 ecp_nistz256_mul_by_3: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -317,7 +317,7 @@ bl __ecp_nistz256_add // ret += a // 2*a+a=3*a ldp x29,x30,[sp],#16 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size ecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3 @@ -327,7 +327,7 @@ .type ecp_nistz256_sub,%function .align 4 ecp_nistz256_sub: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -339,7 +339,7 @@ bl __ecp_nistz256_sub_from ldp x29,x30,[sp],#16 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size ecp_nistz256_sub,.-ecp_nistz256_sub 
@@ -348,7 +348,7 @@ .type ecp_nistz256_neg,%function .align 4 ecp_nistz256_neg: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -363,7 +363,7 @@ bl __ecp_nistz256_sub_from ldp x29,x30,[sp],#16 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size ecp_nistz256_neg,.-ecp_nistz256_neg @@ -724,7 +724,7 @@ .type ecp_nistz256_point_double,%function .align 5 ecp_nistz256_point_double: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-96]! add x29,sp,#0 stp x19,x20,[sp,#16] @@ -859,7 +859,7 @@ ldp x19,x20,[x29,#16] ldp x21,x22,[x29,#32] ldp x29,x30,[sp],#96 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size ecp_nistz256_point_double,.-ecp_nistz256_point_double ___ @@ -882,7 +882,7 @@ .type ecp_nistz256_point_add,%function .align 5 ecp_nistz256_point_add: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-96]! add x29,sp,#0 stp x19,x20,[sp,#16] @@ -1117,7 +1117,7 @@ ldp x25,x26,[x29,#64] ldp x27,x28,[x29,#80] ldp x29,x30,[sp],#96 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size ecp_nistz256_point_add,.-ecp_nistz256_point_add ___ @@ -1139,7 +1139,7 @@ .type ecp_nistz256_point_add_affine,%function .align 5 ecp_nistz256_point_add_affine: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-80]! add x29,sp,#0 stp x19,x20,[sp,#16] @@ -1328,7 +1328,7 @@ ldp x23,x24,[x29,#48] ldp x25,x26,[x29,#64] ldp x29,x30,[sp],#80 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine ___ @@ -1346,6 +1346,8 @@ .type ecp_nistz256_ord_mul_mont,%function .align 4 ecp_nistz256_ord_mul_mont: + AARCH64_VALID_CALL_TARGET + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. stp x29,x30,[sp,#-64]! add x29,sp,#0 stp x19,x20,[sp,#16] 
@@ -1487,6 +1489,8 @@ .type ecp_nistz256_ord_sqr_mont,%function .align 4 ecp_nistz256_ord_sqr_mont: + AARCH64_VALID_CALL_TARGET + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. stp x29,x30,[sp,#-64]! add x29,sp,#0 stp x19,x20,[sp,#16] @@ -1641,6 +1645,8 @@ .type ecp_nistz256_scatter_w5,%function .align 4 ecp_nistz256_scatter_w5: + AARCH64_VALID_CALL_TARGET + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -1703,6 +1709,8 @@ .type ecp_nistz256_gather_w5,%function .align 4 ecp_nistz256_gather_w5: + AARCH64_VALID_CALL_TARGET + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -1780,6 +1788,8 @@ .type ecp_nistz256_scatter_w7,%function .align 4 ecp_nistz256_scatter_w7: + AARCH64_VALID_CALL_TARGET + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -1824,6 +1834,8 @@ .type ecp_nistz256_gather_w7,%function .align 4 ecp_nistz256_gather_w7: + AARCH64_VALID_CALL_TARGET + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. stp x29,x30,[sp,#-16]! add x29,sp,#0 diff --git a/crypto/ec/curve25519.c b/crypto/ec/curve25519.c index 50a8e6b16..286d6bff8 100644 --- a/crypto/ec/curve25519.c +++ b/crypto/ec/curve25519.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1868,7 +1868,7 @@ static int ge_frombytes_vartime(ge_p3 *h, const uint8_t *s) { fe u; fe v; - fe v3; + fe w; fe vxx; fe check; 
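Review bot: The comment added after each `AARCH64_VALID_CALL_TARGET` — `// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.` — says what is not done but not why a BTI landing pad without LR signing is sufficient here; presumably these routines contain no `bl`, so the saved x30 is never modified and there is no return address for PAuth to protect, but the bodies are outside the hunks so that should be confirmed before it is written down. Suggest stating the reason on the first occurrence (ecp_nistz256_ord_mul_mont in the preceding hunk), e.g. `// BTI landing pad only: this routine makes no calls, so x30 is saved but never clobbered and there is nothing to sign or authenticate.`, and a short `// BTI only, see ecp_nistz256_ord_mul_mont` on the other five (ord_sqr_mont, scatter_w5, gather_w5, scatter_w7, gather_w7) instead of repeating the same sentence six times.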
@@ -1879,15 +1879,10 @@ static int ge_frombytes_vartime(ge_p3 *h, const uint8_t *s) fe_sub(u, u, h->Z); /* u = y^2-1 */ fe_add(v, v, h->Z); /* v = dy^2+1 */ - fe_sq(v3, v); - fe_mul(v3, v3, v); /* v3 = v^3 */ - fe_sq(h->X, v3); - fe_mul(h->X, h->X, v); - fe_mul(h->X, h->X, u); /* x = uv^7 */ + fe_mul(w, u, v); /* w = u*v */ - fe_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */ - fe_mul(h->X, h->X, v3); - fe_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */ + fe_pow22523(h->X, w); /* x = w^((q-5)/8) */ + fe_mul(h->X, h->X, u); /* x = u * w^((q-5)/8) */ fe_sq(vxx, h->X); fe_mul(vxx, vxx, v); diff --git a/crypto/ec/curve448/arch_32/f_impl32.c b/crypto/ec/curve448/arch_32/f_impl32.c index 8714a5142..14f7b786f 100644 --- a/crypto/ec/curve448/arch_32/f_impl32.c +++ b/crypto/ec/curve448/arch_32/f_impl32.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2014 Cryptography Research, Inc. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -10,7 +10,7 @@ * Originally written by Mike Hamburg */ -#include "e_os.h" +#include "internal/e_os.h" #include #include "internal/numbers.h" diff --git a/crypto/ec/curve448/arch_64/f_impl64.c b/crypto/ec/curve448/arch_64/f_impl64.c index 8f7a7dd39..10a9b065e 100644 --- a/crypto/ec/curve448/arch_64/f_impl64.c +++ b/crypto/ec/curve448/arch_64/f_impl64.c @@ -10,7 +10,7 @@ * Originally written by Mike Hamburg */ -#include "e_os.h" +#include "internal/e_os.h" #include #include "internal/numbers.h" diff --git a/crypto/ec/ec2_oct.c b/crypto/ec/ec2_oct.c index 10a493259..4ed628756 100644 --- a/crypto/ec/ec2_oct.c +++ b/crypto/ec/ec2_oct.c 
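Review bot: The new candidate `x = u * w^((q-5)/8)` with `w = u*v` is not the same field element as the old `u v^3 (u v^7)^((q-5)/8)`; the two differ by a fourth root of unity, and x^2 v comes out as u times (uv)^((q-1)/4), so the shortcut is only correct because the `fe_sq(vxx, h->X); fe_mul(vxx, vxx, v);` comparison that follows accepts vxx == u and vxx == -u (fixing the sign with sqrt(-1)) and rejects the non-square case where (uv)^((q-1)/4) is +-i. That tail of ge_frombytes_vartime is outside the hunk, so confirm the -u branch still multiplies by sqrt(-1). The reasoning should live next to the shortcut, e.g. above `fe_pow22523(h->X, w);`: `/* Cheaper candidate for sqrt(u/v): u*(uv)^((q-5)/8) equals the textbook u*v^3*(uv^7)^((q-5)/8) up to a fourth root of unity, which the vxx == +-u check below absorbs (and rejects when uv is a non-square). */` Without it a reader comparing against the reference algorithm will suspect a bug.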
@@ -1,5 +1,5 @@ /* - * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -272,7 +272,7 @@ int ossl_ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, } /* - * The first octet is the point converison octet PC, see X9.62, page 4 + * The first octet is the point conversion octet PC, see X9.62, page 4 * and section 4.4.2. It must be: * 0x00 for the point at infinity * 0x02 or 0x03 for compressed form diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c index 3a59544c8..d6a51137a 100644 --- a/crypto/ec/ec2_smpl.c +++ b/crypto/ec/ec2_smpl.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -9,7 +9,7 @@ */ /* - * ECDSA low level APIs are deprecated for public use, but still ok for + * ECDSA low-level APIs are deprecated for public use, but still ok for * internal use. */ #include "internal/deprecated.h" @@ -923,7 +923,7 @@ int ec_GF2m_simple_points_mul(const EC_GROUP *group, EC_POINT *r, /*- * Computes the multiplicative inverse of a in GF(2^m), storing the result in r. - * If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error. + * If a is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error. * SCA hardening is with blinding: BN_GF2m_mod_inv does that. */ static int ec_GF2m_simple_field_inv(const EC_GROUP *group, BIGNUM *r, diff --git a/crypto/ec/ec_backend.c b/crypto/ec/ec_backend.c index 98e2c418e..e159ba0c6 100644 --- a/crypto/ec/ec_backend.c +++ b/crypto/ec/ec_backend.c 
@@ -24,7 +24,8 @@ #include "crypto/bn.h" #include "crypto/ec.h" #include "ec_local.h" -#include "e_os.h" +#include "internal/e_os.h" +#include "internal/nelem.h" #include "internal/param_build_set.h" /* Mapping between a flag and a name */ @@ -523,7 +524,7 @@ static int ec_key_point_format_fromdata(EC_KEY *ec, const OSSL_PARAM params[]) p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT); if (p != NULL) { if (!ossl_ec_pt_format_param2id(p, &format)) { - ECerr(0, EC_R_INVALID_FORM); + ERR_raise(ERR_LIB_EC, EC_R_INVALID_FORM); return 0; } EC_KEY_set_conv_form(ec, format); diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c index 4d6f2a76a..480376686 100644 --- a/crypto/ec/ec_err.c +++ b/crypto/ec/ec_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -108,6 +108,7 @@ static const ERR_STRING_DATA EC_str_reasons[] = { "random number generation failed"}, {ERR_PACK(ERR_LIB_EC, 0, EC_R_SHARED_INFO_ERROR), "shared info error"}, {ERR_PACK(ERR_LIB_EC, 0, EC_R_SLOT_FULL), "slot full"}, + {ERR_PACK(ERR_LIB_EC, 0, EC_R_TOO_MANY_RETRIES), "too many retries"}, {ERR_PACK(ERR_LIB_EC, 0, EC_R_UNDEFINED_GENERATOR), "undefined generator"}, {ERR_PACK(ERR_LIB_EC, 0, EC_R_UNDEFINED_ORDER), "undefined order"}, {ERR_PACK(ERR_LIB_EC, 0, EC_R_UNKNOWN_COFACTOR), "unknown cofactor"}, diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index 729d338b3..59862884a 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c 
@@ -236,6 +236,56 @@ int ossl_ec_key_gen(EC_KEY *eckey) return ret; } +/* + * Refer: FIPS 140-3 IG 10.3.A Additional Comment 1 + * Perform a KAT by duplicating the public key generation. + * + * NOTE: This issue requires a background understanding, provided in a separate + * document; the current IG 10.3.A AC1 is insufficient regarding the PCT for + * the key agreement scenario. + * + * Currently IG 10.3.A requires PCT in the mode of use prior to use of the + * key pair, citing the PCT defined in the associated standard. For key + * agreement, the only PCT defined in SP 800-56A is that of Section 5.6.2.4: + * the comparison of the original public key to a newly calculated public key. + */ +static int ecdsa_keygen_knownanswer_test(EC_KEY *eckey, BN_CTX *ctx, + OSSL_CALLBACK *cb, void *cbarg) +{ + int len, ret = 0; + OSSL_SELF_TEST *st = NULL; + unsigned char bytes[512] = {0}; + EC_POINT *pub_key2 = EC_POINT_new(eckey->group); + + if (pub_key2 == NULL) + return 0; + + st = OSSL_SELF_TEST_new(cb, cbarg); + if (st == NULL) + return 0; + + OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT_KAT, + OSSL_SELF_TEST_DESC_PCT_ECDSA); + + /* pub_key = priv_key * G (where G is a point on the curve) */ + if (!EC_POINT_mul(eckey->group, pub_key2, eckey->priv_key, NULL, NULL, ctx)) + goto err; + + if (BN_num_bytes(pub_key2->X) > (int)sizeof(bytes)) + goto err; + len = BN_bn2bin(pub_key2->X, bytes); + if (OSSL_SELF_TEST_oncorrupt_byte(st, bytes) + && BN_bin2bn(bytes, len, pub_key2->X) == NULL) + goto err; + ret = !EC_POINT_cmp(eckey->group, eckey->pub_key, pub_key2, ctx); + +err: + OSSL_SELF_TEST_onend(st, ret); + OSSL_SELF_TEST_free(st); + EC_POINT_free(pub_key2); + return ret; +} + /* * ECC Key generation. * See SP800-56AR3 5.6.1.2.2 "Key Pair Generation by Testing Candidates" 
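Review bot: `pub_key2` leaks when `OSSL_SELF_TEST_new()` fails: the `if (st == NULL) return 0;` path runs after `EC_POINT_new()` has succeeded and never reaches the `err:` cleanup. Free it before returning, `if (st == NULL) { EC_POINT_free(pub_key2); return 0; }`; jumping to `err:` instead would hand a NULL `st` to `OSSL_SELF_TEST_onend()` and `OSSL_SELF_TEST_free()`, whose NULL tolerance is not visible here. Separately, the header comment calls this a KAT while the body re-derives the public key from `eckey->priv_key` and compares it with `eckey->pub_key`, which is the SP 800-56A Section 5.6.2.4 pairwise consistency test the comment itself cites; `Perform a pairwise consistency test by re-deriving the public key` would describe it more accurately, leaving the KAT label to the OSSL_SELF_TEST_TYPE_PCT_KAT type.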
@@ -332,7 +382,8 @@ static int ec_generate_key(EC_KEY *eckey, int pairwise_test) void *cbarg = NULL; OSSL_SELF_TEST_get_callback(eckey->libctx, &cb, &cbarg); - ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg); + ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg) + && ecdsa_keygen_knownanswer_test(eckey, ctx, cb, cbarg); } err: /* Step (9): If there is an error return an invalid keypair. */ @@ -492,6 +543,11 @@ int ossl_ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx) ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); goto err; } + /* Perform a second check on the public key */ + if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)) { + ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); + goto err; + } if (!EC_POINT_is_at_infinity(eckey->group, point)) { ERR_raise(ERR_LIB_EC, EC_R_WRONG_ORDER); goto err; diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index b1696d93b..a84e088c1 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -1507,7 +1507,7 @@ int ossl_ec_group_set_params(EC_GROUP *group, const OSSL_PARAM params[]) p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT); if (p != NULL) { if (!ossl_ec_pt_format_param2id(p, &format)) { - ECerr(0, EC_R_INVALID_FORM); + ERR_raise(ERR_LIB_EC, EC_R_INVALID_FORM); return 0; } EC_GROUP_set_point_conversion_form(group, format); @@ -1516,7 +1516,7 @@ int ossl_ec_group_set_params(EC_GROUP *group, const OSSL_PARAM params[]) p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_ENCODING); if (p != NULL) { if (!ossl_ec_encoding_param2id(p, &encoding_flag)) { - ECerr(0, EC_R_INVALID_FORM); + ERR_raise(ERR_LIB_EC, EC_R_INVALID_FORM); return 0; } EC_GROUP_set_asn1_flag(group, encoding_flag); 
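Review bot: `/* Perform a second check on the public key */` says a check is repeated but not what it protects against; the added `EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)` appears to redo the order multiplication performed just above it (the first call is outside the hunk, so confirm) before the single `EC_POINT_is_at_infinity()` test. If the repetition is deliberate redundancy, note that as written only the second result is tested and the first is overwritten, so it does not detect a faulty computation; comparing the two results, or stating the actual rationale in the comment, would make the intent checkable. If it is not deliberate, the extra call only doubles the cost of ossl_ec_key_public_check.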
@@ -1527,7 +1527,7 @@ int ossl_ec_group_set_params(EC_GROUP *group, const OSSL_PARAM params[]) /* The seed is allowed to be NULL */ if (p->data_type != OSSL_PARAM_OCTET_STRING || !EC_GROUP_set_seed(group, p->data, p->data_size)) { - ECerr(0, EC_R_INVALID_SEED); + ERR_raise(ERR_LIB_EC, EC_R_INVALID_SEED); return 0; } } diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c index fe9b3cf59..f90304a41 100644 --- a/crypto/ec/ecdsa_ossl.c +++ b/crypto/ec/ecdsa_ossl.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -20,6 +20,15 @@ #include "crypto/bn.h" #include "ec_local.h" +#define MIN_ECDSA_SIGN_ORDERBITS 64 +/* + * It is highly unlikely that a retry will happen, + * Multiple retries would indicate that something is wrong + * with the group parameters (which would normally only happen + * with a bad custom group). + */ +#define MAX_ECDSA_SIGN_RETRIES 8 + int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { @@ -120,7 +129,9 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, /* Preallocate space */ order_bits = BN_num_bits(order); - if (!BN_set_bit(k, order_bits) + /* Check the number of bits here so that an infinite loop is not possible */ + if (order_bits < MIN_ECDSA_SIGN_ORDERBITS + || !BN_set_bit(k, order_bits) || !BN_set_bit(r, order_bits) || !BN_set_bit(X, order_bits)) goto err; @@ -195,6 +206,7 @@ ECDSA_SIG *ossl_ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, EC_KEY *eckey) { int ok = 0, i; + int retries = 0; BIGNUM *kinv = NULL, *s, *m = NULL; const BIGNUM *order, *ckinv; BN_CTX *ctx = NULL; 
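Review bot: `#define MIN_ECDSA_SIGN_ORDERBITS 64` arrives with no comment while the retry limit beneath it is explained, so a reader cannot tell whether 64 is a security floor, a precondition of the `BN_set_bit(k, order_bits)` preallocation in ecdsa_sign_setup, or purely a sanity bound against degenerate custom groups. A one-liner such as `/* Sanity floor for the group order size; smaller orders are rejected in ecdsa_sign_setup() rather than looped on */` would settle it. The retry comment also has a comma splice: `It is highly unlikely that a retry will happen. Multiple retries would indicate ...`.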
@@ -304,6 +316,11 @@ ECDSA_SIG *ossl_ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, ERR_raise(ERR_LIB_EC, EC_R_NEED_NEW_SETUP_VALUES); goto err; } + /* Avoid infinite loops cause by invalid group parameters */ + if (retries++ > MAX_ECDSA_SIGN_RETRIES) { + ERR_raise(ERR_LIB_EC, EC_R_TOO_MANY_RETRIES); + goto err; + } } else { /* s != 0 => we have a valid signature */ break; diff --git a/crypto/ec/ecp_mont.c b/crypto/ec/ecp_mont.c index 35b492453..8f381fc36 100644 --- a/crypto/ec/ecp_mont.c +++ b/crypto/ec/ecp_mont.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -9,7 +9,7 @@ */ /* - * ECDSA low level APIs are deprecated for public use, but still ok for + * ECDSA low-level APIs are deprecated for public use, but still ok for * internal use. */ #include "internal/deprecated.h" @@ -217,7 +217,7 @@ int ossl_ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a /*- * Computes the multiplicative inverse of a in GF(p), storing the result in r. - * If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error. + * If a is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error. * We have a Mont structure, so SCA hardening is FLT inversion. */ int ossl_ec_GFp_mont_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c index 31a97d793..ed2ac64fb 100644 --- a/crypto/ec/ecp_nistp521.c +++ b/crypto/ec/ecp_nistp521.c 
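Review bot: Typo in the new comment: `/* Avoid infinite loops caused by invalid group parameters */`. It would also help to point at where the bound and its rationale are defined, since `MAX_ECDSA_SIGN_RETRIES` and its explanatory comment sit near the top of the file; ossl_ecdsa_simple_sign_sig starts and ends outside this hunk.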
@@ -1,5 +1,5 @@ /* - * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -782,7 +782,6 @@ static void felem_inv(felem out, const felem in) felem_reduce(ftmp3, tmp); /* 2^7 - 2^3 */ felem_square(tmp, ftmp3); felem_reduce(ftmp3, tmp); /* 2^8 - 2^4 */ - felem_assign(ftmp4, ftmp3); felem_mul(tmp, ftmp3, ftmp); felem_reduce(ftmp4, tmp); /* 2^8 - 2^1 */ felem_square(tmp, ftmp4); diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c index bde8cad34..dab9001fb 100644 --- a/crypto/ec/ecp_smpl.c +++ b/crypto/ec/ecp_smpl.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -9,7 +9,7 @@ */ /* - * ECDSA low level APIs are deprecated for public use, but still ok for + * ECDSA low-level APIs are deprecated for public use, but still ok for * internal use. */ #include "internal/deprecated.h" @@ -171,7 +171,7 @@ int ossl_ec_GFp_simple_group_set_curve(EC_GROUP *group, /* group->a */ if (!BN_nnmod(tmp_a, a, p, ctx)) goto err; - if (group->meth->field_encode) { + if (group->meth->field_encode != NULL) { if (!group->meth->field_encode(group, group->a, tmp_a, ctx)) goto err; } else if (!BN_copy(group->a, tmp_a)) @@ -180,7 +180,7 @@ int ossl_ec_GFp_simple_group_set_curve(EC_GROUP *group, /* group->b */ if (!BN_nnmod(group->b, b, p, ctx)) goto err; - if (group->meth->field_encode) + if (group->meth->field_encode != NULL) if (!group->meth->field_encode(group, group->b, group->b, ctx)) goto err; 
@@ -209,7 +209,7 @@ int ossl_ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, } if (a != NULL || b != NULL) { - if (group->meth->field_decode) { + if (group->meth->field_decode != NULL) { if (ctx == NULL) { ctx = new_ctx = BN_CTX_new_ex(group->libctx); if (ctx == NULL) @@ -271,7 +271,7 @@ int ossl_ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, if (order == NULL) goto err; - if (group->meth->field_decode) { + if (group->meth->field_decode != NULL) { if (!group->meth->field_decode(group, a, group->a, ctx)) goto err; if (!group->meth->field_decode(group, b, group->b, ctx)) @@ -440,7 +440,7 @@ int ossl_ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group, BN_CTX *new_ctx = NULL; int ret = 0; - if (group->meth->field_decode != 0) { + if (group->meth->field_decode != NULL) { if (ctx == NULL) { ctx = new_ctx = BN_CTX_new_ex(group->libctx); if (ctx == NULL) @@ -529,7 +529,7 @@ int ossl_ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group, /* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */ - if (group->meth->field_decode) { + if (group->meth->field_decode != NULL) { if (!group->meth->field_decode(group, Z, point->Z, ctx)) goto err; Z_ = Z; @@ -538,7 +538,7 @@ int ossl_ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group, } if (BN_is_one(Z_)) { - if (group->meth->field_decode) { + if (group->meth->field_decode != NULL) { if (x != NULL) { if (!group->meth->field_decode(group, x, point->X, ctx)) goto err; @@ -563,7 +563,7 @@ int ossl_ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group, goto err; } - if (group->meth->field_encode == 0) { + if (group->meth->field_encode == NULL) { /* field_sqr works on standard representation */ if (!group->meth->field_sqr(group, Z_2, Z_1, ctx)) goto err; 
@@ -582,7 +582,7 @@ int ossl_ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group, } if (y != NULL) { - if (group->meth->field_encode == 0) { + if (group->meth->field_encode == NULL) { /* * field_mul works on standard representation */ @@ -1275,7 +1275,7 @@ int ossl_ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); goto err; } - if (group->meth->field_encode != 0) { + if (group->meth->field_encode != NULL) { /* * In the Montgomery case, we just turned R*H (representing H) into * 1/(R*H), but we need R*(1/H) (representing 1/H); i.e. we need to @@ -1376,7 +1376,7 @@ int ossl_ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM /*- * Computes the multiplicative inverse of a in GF(p), storing the result in r. - * If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error. + * If a is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error. * Since we don't have a Mont structure here, SCA hardening is with blinding. * NB: "a" must be in _decoded_ form. (i.e. field_decode must precede.) */ diff --git a/crypto/encode_decode/decoder_lib.c b/crypto/encode_decode/decoder_lib.c index e24d2c6cd..8863c316d 100644 --- a/crypto/encode_decode/decoder_lib.c +++ b/crypto/encode_decode/decoder_lib.c @@ -18,9 +18,10 @@ #include #include "internal/bio.h" #include "internal/provider.h" +#include "internal/namemap.h" #include "crypto/decoder.h" #include "encoder_local.h" -#include "e_os.h" +#include "internal/e_os.h" struct decoder_process_data_st { OSSL_DECODER_CTX *ctx; 
@@ -241,6 +242,7 @@ OSSL_DECODER_INSTANCE *ossl_decoder_instance_new(OSSL_DECODER *decoder, /* The "input" property is mandatory */ prop = ossl_property_find_property(props, libctx, "input"); decoder_inst->input_type = ossl_property_get_string_value(libctx, prop); + decoder_inst->input_type_id = 0; if (decoder_inst->input_type == NULL) { ERR_raise_data(ERR_LIB_OSSL_DECODER, ERR_R_INVALID_PROPERTY_DEFINITION, "the mandatory 'input' property is missing " @@ -343,6 +345,8 @@ int OSSL_DECODER_CTX_add_decoder(OSSL_DECODER_CTX *ctx, OSSL_DECODER *decoder) struct collect_extra_decoder_data_st { OSSL_DECODER_CTX *ctx; const char *output_type; + int output_type_id; + /* * 0 to check that the decoder's input type is the same as the decoder name * 1 to check that the decoder's input type differs from the decoder name @@ -370,7 +374,7 @@ static void collect_extra_decoder(OSSL_DECODER *decoder, void *arg) const OSSL_PROVIDER *prov = OSSL_DECODER_get0_provider(decoder); void *provctx = OSSL_PROVIDER_get0_provider_ctx(prov); - if (OSSL_DECODER_is_a(decoder, data->output_type)) { + if (ossl_decoder_fast_is_a(decoder, data->output_type, &data->output_type_id)) { void *decoderctx = NULL; OSSL_DECODER_INSTANCE *di = NULL; @@ -413,8 +417,9 @@ static void collect_extra_decoder(OSSL_DECODER *decoder, void *arg) switch (data->type_check) { case IS_SAME: /* If it differs, this is not a decoder to add for now. */ - if (!OSSL_DECODER_is_a(decoder, - OSSL_DECODER_INSTANCE_get_input_type(di))) { + if (!ossl_decoder_fast_is_a(decoder, + OSSL_DECODER_INSTANCE_get_input_type(di), + &di->input_type_id)) { ossl_decoder_instance_free(di); OSSL_TRACE_BEGIN(DECODER) { BIO_printf(trc_out, 
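Review bot: The new `int output_type_id;` in `struct collect_extra_decoder_data_st` is the only uncommented field there, and its meaning — a lazily resolved namemap id for `output_type`, 0 meaning not yet resolved, which OSSL_DECODER_CTX_add_extra resets each time `output_type` is reassigned — only emerges from later hunks. Suggest `int output_type_id;  /* namemap id cache for output_type; 0 = unresolved */`. The `input_type_id` field on the decoder instance, whose declaration is not in this diff, presumably deserves the same comment.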
@@ -425,8 +430,9 @@ static void collect_extra_decoder(OSSL_DECODER *decoder, void *arg) break; case IS_DIFFERENT: /* If it's the same, this is not a decoder to add for now. */ - if (OSSL_DECODER_is_a(decoder, - OSSL_DECODER_INSTANCE_get_input_type(di))) { + if (ossl_decoder_fast_is_a(decoder, + OSSL_DECODER_INSTANCE_get_input_type(di), + &di->input_type_id)) { ossl_decoder_instance_free(di); OSSL_TRACE_BEGIN(DECODER) { BIO_printf(trc_out, @@ -534,6 +540,7 @@ int OSSL_DECODER_CTX_add_extra(OSSL_DECODER_CTX *ctx, data.output_type = OSSL_DECODER_INSTANCE_get_input_type(decoder_inst); + data.output_type_id = 0; for (j = 0; j < numdecoders; j++) collect_extra_decoder(sk_OSSL_DECODER_value(skdecoders, j), @@ -867,7 +874,8 @@ static int decoder_process(const OSSL_PARAM params[], void *arg) * |new_input_type| holds the value of the "input-type" parameter * for the decoder we're currently considering. */ - if (decoder != NULL && !OSSL_DECODER_is_a(decoder, new_input_type)) { + if (decoder != NULL && !ossl_decoder_fast_is_a(decoder, new_input_type, + &new_decoder_inst->input_type_id)) { OSSL_TRACE_BEGIN(DECODER) { BIO_printf(trc_out, "(ctx %p) %s [%u] the input type doesn't match the name of the previous decoder (%p), skipping...\n", diff --git a/crypto/encode_decode/decoder_meth.c b/crypto/encode_decode/decoder_meth.c index 56899a926..74c86a8fe 100644 --- a/crypto/encode_decode/decoder_meth.c +++ b/crypto/encode_decode/decoder_meth.c @@ -17,6 +17,7 @@ #include "internal/provider.h" #include "crypto/decoder.h" #include "encoder_local.h" +#include "crypto/context.h" /* * Decoder can have multiple names, separated with colons in a name string 
@@ -65,25 +66,6 @@ void OSSL_DECODER_free(OSSL_DECODER *decoder) OPENSSL_free(decoder); } -/* Permanent decoder method store, constructor and destructor */ -static void decoder_store_free(void *vstore) -{ - ossl_method_store_free(vstore); -} - -static void *decoder_store_new(OSSL_LIB_CTX *ctx) -{ - return ossl_method_store_new(ctx); -} - - -static const OSSL_LIB_CTX_METHOD decoder_store_method = { - /* We want decoder_store to be cleaned up before the provider store */ - OSSL_LIB_CTX_METHOD_PRIORITY_2, - decoder_store_new, - decoder_store_free, -}; - /* Data to be passed through ossl_method_construct() */ struct decoder_data_st { OSSL_LIB_CTX *libctx; @@ -120,8 +102,7 @@ static void dealloc_tmp_decoder_store(void *store) /* Get the permanent decoder store */ static OSSL_METHOD_STORE *get_decoder_store(OSSL_LIB_CTX *libctx) { - return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DECODER_STORE_INDEX, - &decoder_store_method); + return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DECODER_STORE_INDEX); } static int reserve_decoder_store(void *store, void *data) 
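Review bot: The deleted `decoder_store_method` carried the only statement of a lifetime constraint, `We want decoder_store to be cleaned up before the provider store` via OSSL_LIB_CTX_METHOD_PRIORITY_2; after this change `get_decoder_store()` just calls `ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DECODER_STORE_INDEX)` and nothing in this file records that ordering. Presumably construction, destruction and priority now live behind the newly included crypto/context.h; a pointer above `get_decoder_store()` such as `/* Construction and teardown order (before the provider store) are handled centrally; see crypto/context.h */` would keep the dependency discoverable for whoever next touches the store.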
@@ -359,38 +340,27 @@ static void free_decoder(void *method) /* Fetching support. Can fetch by numeric identity or by name */ static OSSL_DECODER * -inner_ossl_decoder_fetch(struct decoder_data_st *methdata, int id, +inner_ossl_decoder_fetch(struct decoder_data_st *methdata, const char *name, const char *properties) { OSSL_METHOD_STORE *store = get_decoder_store(methdata->libctx); OSSL_NAMEMAP *namemap = ossl_namemap_stored(methdata->libctx); const char *const propq = properties != NULL ? properties : ""; void *method = NULL; - int unsupported = 0; + int unsupported, id; if (store == NULL || namemap == NULL) { ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_PASSED_INVALID_ARGUMENT); return NULL; } - /* - * If we have been passed both an id and a name, we have an - * internal programming error. - */ - if (!ossl_assert(id == 0 || name == NULL)) { - ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_INTERNAL_ERROR); - return NULL; - } - - if (id == 0 && name != NULL) - id = ossl_namemap_name2num(namemap, name); + id = name != NULL ? ossl_namemap_name2num(namemap, name) : 0; /* * If we haven't found the name yet, chances are that the algorithm to * be fetched is unsupported. */ - if (id == 0) - unsupported = 1; + unsupported = id == 0; if (id == 0 || !ossl_method_store_cache_get(store, NULL, id, propq, &method)) { 
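Review bot: `unsupported = id == 0;` reads as a chained comparison at a glance; `unsupported = (id == 0);` makes the intent obvious for the same result. Dropping the `id` parameter also removed the `ossl_assert(id == 0 || name == NULL)` guard, which is fine now that the id is derived from `name` alone, but that is worth a word in the commit message since it changes the function's contract for any remaining caller.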
@@ -455,20 +425,7 @@ OSSL_DECODER *OSSL_DECODER_fetch(OSSL_LIB_CTX *libctx, const char *name, methdata.libctx = libctx; methdata.tmp_store = NULL; - method = inner_ossl_decoder_fetch(&methdata, 0, name, properties); - dealloc_tmp_decoder_store(methdata.tmp_store); - return method; -} - -OSSL_DECODER *ossl_decoder_fetch_by_number(OSSL_LIB_CTX *libctx, int id, - const char *properties) -{ - struct decoder_data_st methdata; - void *method; - - methdata.libctx = libctx; - methdata.tmp_store = NULL; - method = inner_ossl_decoder_fetch(&methdata, id, NULL, properties); + method = inner_ossl_decoder_fetch(&methdata, name, properties); dealloc_tmp_decoder_store(methdata.tmp_store); return method; } @@ -558,6 +515,24 @@ int OSSL_DECODER_is_a(const OSSL_DECODER *decoder, const char *name) return 0; } +static int resolve_name(OSSL_DECODER *decoder, const char *name) +{ + OSSL_LIB_CTX *libctx = ossl_provider_libctx(decoder->base.prov); + OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); + + return ossl_namemap_name2num(namemap, name); +} + +int ossl_decoder_fast_is_a(OSSL_DECODER *decoder, const char *name, int *id_cache) +{ + int id = *id_cache; + + if (id <= 0) + *id_cache = id = resolve_name(decoder, name); + + return id > 0 && ossl_decoder_get_number(decoder) == id; +} + struct do_one_data_st { void (*user_fn)(OSSL_DECODER *decoder, void *arg); void *user_arg; @@ -580,7 +555,7 @@ void OSSL_DECODER_do_all_provided(OSSL_LIB_CTX *libctx, methdata.libctx = libctx; methdata.tmp_store = NULL; - (void)inner_ossl_decoder_fetch(&methdata, 0, NULL, NULL /* properties */); + (void)inner_ossl_decoder_fetch(&methdata, NULL, NULL /* properties */); data.user_fn = user_fn; data.user_arg = user_arg; diff --git a/crypto/encode_decode/decoder_pkey.c b/crypto/encode_decode/decoder_pkey.c index ed10bb1ce..fa32f2b9f 100644 --- a/crypto/encode_decode/decoder_pkey.c +++ b/crypto/encode_decode/decoder_pkey.c 
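Review bot: `ossl_decoder_fast_is_a()` caches the resolved id in `*id_cache` without recording which `name` produced it, so its correctness rests on every cache variable being paired with exactly one name string for its lifetime — the per-instance `input_type_id` and `collect_extra_decoder_data_st.output_type_id`, which the decoder_lib.c hunks reset to 0 whenever the corresponding name is assigned. That contract should be stated above the function, e.g. `/* Like OSSL_DECODER_is_a(), but caches the namemap id of |name| in |*id_cache|; the cache must be reset to 0 whenever the name it belongs to changes. */`, since a future caller reusing a cache with a different name would get silently wrong answers. Also, neither `resolve_name()` nor `ossl_decoder_fast_is_a()` modifies the decoder, so both could take `const OSSL_DECODER *` like `OSSL_DECODER_is_a()` just above, provided ossl_provider_libctx() accepts the const provider pointer.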
@@ -17,7 +17,9 @@
 #include
 #include "crypto/evp.h"
 #include "crypto/decoder.h"
+#include "crypto/evp/evp_local.h"
 #include "encoder_local.h"
+#include "internal/namemap.h"
 
 int OSSL_DECODER_CTX_set_passphrase(OSSL_DECODER_CTX *ctx,
 const unsigned char *kstr,
@@ -195,53 +197,83 @@ static void decoder_clean_pkey_construct_arg(void *construct_data) } } -static void collect_name(const char *name, void *arg) -{ - STACK_OF(OPENSSL_CSTRING) *names = arg; +struct collect_data_st { + OSSL_LIB_CTX *libctx; + OSSL_DECODER_CTX *ctx; - sk_OPENSSL_CSTRING_push(names, name); -} + const char *keytype; /* the keytype requested, if any */ + int keytype_id; /* if keytype_resolved is set, keymgmt name_id; else 0 */ + int sm2_id; /* if keytype_resolved is set and EC, SM2 name_id; else 0 */ + int total; /* number of matching results */ + char error_occurred; + char keytype_resolved; -static void collect_keymgmt(EVP_KEYMGMT *keymgmt, void *arg) + STACK_OF(EVP_KEYMGMT) *keymgmts; +}; + +static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder, + void *provctx, struct collect_data_st *data) { - STACK_OF(EVP_KEYMGMT) *keymgmts = arg; + void *decoderctx = NULL; + OSSL_DECODER_INSTANCE *di = NULL; + + /* + * We already checked the EVP_KEYMGMT is applicable in check_keymgmt so we + * don't check it again here. + */ - if (!EVP_KEYMGMT_up_ref(keymgmt) /* ref++ */) + if (keymgmt->name_id != decoder->base.id) + /* Mismatch is not an error, continue. 
*/ return; - if (sk_EVP_KEYMGMT_push(keymgmts, keymgmt) <= 0) { - EVP_KEYMGMT_free(keymgmt); /* ref-- */ + + if ((decoderctx = decoder->newctx(provctx)) == NULL) { + data->error_occurred = 1; return; } -} -struct collect_decoder_data_st { - STACK_OF(OPENSSL_CSTRING) *names; - OSSL_DECODER_CTX *ctx; + if ((di = ossl_decoder_instance_new(decoder, decoderctx)) == NULL) { + decoder->freectx(decoderctx); + data->error_occurred = 1; + return; + } - int total; - unsigned int error_occurred:1; -}; + OSSL_TRACE_BEGIN(DECODER) { + BIO_printf(trc_out, + "(ctx %p) Checking out decoder %p:\n" + " %s with %s\n", + (void *)data->ctx, (void *)decoder, + OSSL_DECODER_get0_name(decoder), + OSSL_DECODER_get0_properties(decoder)); + } OSSL_TRACE_END(DECODER); + + if (!ossl_decoder_ctx_add_decoder_inst(data->ctx, di)) { + ossl_decoder_instance_free(di); + data->error_occurred = 1; + return; + } + + ++data->total; +} static void collect_decoder(OSSL_DECODER *decoder, void *arg) { - struct collect_decoder_data_st *data = arg; - size_t i, end_i; - const OSSL_PROVIDER *prov = OSSL_DECODER_get0_provider(decoder); - void *provctx = OSSL_PROVIDER_get0_provider_ctx(prov); + struct collect_data_st *data = arg; + STACK_OF(EVP_KEYMGMT) *keymgmts = data->keymgmts; + int i, end_i; + EVP_KEYMGMT *keymgmt; + const OSSL_PROVIDER *prov; + void *provctx; if (data->error_occurred) return; - if (data->names == NULL) { - data->error_occurred = 1; - return; - } + prov = OSSL_DECODER_get0_provider(decoder); + provctx = OSSL_PROVIDER_get0_provider_ctx(prov); /* - * Either the caller didn't give a selection, or if they did, - * the decoder must tell us if it supports that selection to - * be accepted. If the decoder doesn't have |does_selection|, - * it's seen as taking anything. + * Either the caller didn't give us a selection, or if they did, the decoder + * must tell us if it supports that selection to be accepted. If the decoder + * doesn't have |does_selection|, it's seen as taking anything. 
*/ if (decoder->does_selection != NULL && !decoder->does_selection(provctx, data->ctx->selection)) 
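Review bot: collect_decoder_keymgmt reaches into private layout (`keymgmt->name_id`, `decoder->base.id`), which is what forces the new `crypto/evp/evp_local.h` include into encode_decode; the decoder side already has `ossl_decoder_get_number()` (used by ossl_decoder_fast_is_a in decoder_meth.c), and using an accessor for the keymgmt number as well, if evp exposes one, would keep the module boundary intact. The straight id comparison is also only a name match when both ids come from the same namemap, which holds here because both enumerations are driven from the caller's libctx, but that deserves to be stated above the check: `/* Both ids come from libctx's namemap, so equal ids mean the same key type. */`. collect_decoder continues past this hunk.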
@@ -256,68 +288,101 @@ static void collect_decoder(OSSL_DECODER *decoder, void *arg) OSSL_DECODER_get0_properties(decoder)); } OSSL_TRACE_END(DECODER); - end_i = sk_OPENSSL_CSTRING_num(data->names); - for (i = 0; i < end_i; i++) { - const char *name = sk_OPENSSL_CSTRING_value(data->names, i); - - if (OSSL_DECODER_is_a(decoder, name)) { - void *decoderctx = NULL; - OSSL_DECODER_INSTANCE *di = NULL; - - if ((decoderctx = decoder->newctx(provctx)) == NULL) { - data->error_occurred = 1; - return; - } - if ((di = ossl_decoder_instance_new(decoder, decoderctx)) == NULL) { - decoder->freectx(decoderctx); - data->error_occurred = 1; - return; - } - - OSSL_TRACE_BEGIN(DECODER) { - BIO_printf(trc_out, - "(ctx %p) Checking out decoder %p:\n" - " %s with %s\n", - (void *)data->ctx, (void *)decoder, - OSSL_DECODER_get0_name(decoder), - OSSL_DECODER_get0_properties(decoder)); - } OSSL_TRACE_END(DECODER); - - if (!ossl_decoder_ctx_add_decoder_inst(data->ctx, di)) { - ossl_decoder_instance_free(di); - data->error_occurred = 1; - return; - } - data->total++; - - /* Success */ + end_i = sk_EVP_KEYMGMT_num(keymgmts); + for (i = 0; i < end_i; ++i) { + keymgmt = sk_EVP_KEYMGMT_value(keymgmts, i); + + collect_decoder_keymgmt(keymgmt, decoder, provctx, data); + if (data->error_occurred) return; - } + } +} + +/* + * Is this EVP_KEYMGMT applicable given the key type given in the call to + * ossl_decoder_ctx_setup_for_pkey (if any)? + */ +static int check_keymgmt(EVP_KEYMGMT *keymgmt, struct collect_data_st *data) +{ + /* If no keytype was specified, everything matches. */ + if (data->keytype == NULL) + return 1; + + if (!data->keytype_resolved) { + /* We haven't cached the IDs from the keytype string yet. */ + OSSL_NAMEMAP *namemap = ossl_namemap_stored(data->libctx); + data->keytype_id = ossl_namemap_name2num(namemap, data->keytype); + + /* + * If keytype is a value ambiguously used for both EC and SM2, + * collect the ID for SM2 as well. 
+ */ + if (data->keytype_id != 0 + && (strcmp(data->keytype, "id-ecPublicKey") == 0 + || strcmp(data->keytype, "1.2.840.10045.2.1") == 0)) + data->sm2_id = ossl_namemap_name2num(namemap, "SM2"); + + /* + * If keytype_id is zero the name was not found, but we still + * set keytype_resolved to avoid trying all this again. + */ + data->keytype_resolved = 1; } - /* Decoder not suitable - but not a fatal error */ - data->error_occurred = 0; + /* Specified keytype could not be resolved, so nothing matches. */ + if (data->keytype_id == 0) + return 0; + + /* Does not match the keytype specified, so skip. */ + if (keymgmt->name_id != data->keytype_id + && keymgmt->name_id != data->sm2_id) + return 0; + + return 1; } +static void collect_keymgmt(EVP_KEYMGMT *keymgmt, void *arg) +{ + struct collect_data_st *data = arg; + + if (!check_keymgmt(keymgmt, data)) + return; + + /* + * We have to ref EVP_KEYMGMT here because in the success case, + * data->keymgmts is referenced by the constructor we register in the + * OSSL_DECODER_CTX. The registered cleanup function + * (decoder_clean_pkey_construct_arg) unrefs every element of the stack and + * frees it. + */ + if (!EVP_KEYMGMT_up_ref(keymgmt)) + return; + + if (sk_EVP_KEYMGMT_push(data->keymgmts, keymgmt) <= 0) { + EVP_KEYMGMT_free(keymgmt); + data->error_occurred = 1; + } +} + +/* + * This function does the actual binding of decoders to the OSSL_DECODER_CTX. It + * searches for decoders matching 'keytype', which is a string like "RSA", "DH", + * etc. If 'keytype' is NULL, decoders for all keytypes are bound. 
+ */ int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, EVP_PKEY **pkey, const char *keytype, OSSL_LIB_CTX *libctx, const char *propquery) { - struct decoder_pkey_data_st *process_data = NULL; - STACK_OF(OPENSSL_CSTRING) *names = NULL; - const char *input_type = ctx->start_input_type; - const char *input_structure = ctx->input_structure; int ok = 0; - int isecoid = 0; - int i, end; - - if (keytype != NULL - && (strcmp(keytype, "id-ecPublicKey") == 0 - || strcmp(keytype, "1.2.840.10045.2.1") == 0)) - isecoid = 1; + struct decoder_pkey_data_st *process_data = NULL; + struct collect_data_st collect_data = { NULL }; + STACK_OF(EVP_KEYMGMT) *keymgmts = NULL; OSSL_TRACE_BEGIN(DECODER) { + const char *input_type = ctx->start_input_type; + const char *input_structure = ctx->input_structure; + BIO_printf(trc_out, "(ctx %p) Looking for decoders producing %s%s%s%s%s%s\n", (void *)ctx, 
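Review bot: collect_decoder now calls collect_decoder_keymgmt for every keymgmt in the stack and never stops after a match, whereas the removed loop returned as soon as one name matched (`/* Success */ return;`). Since the match is purely `keymgmt->name_id == decoder->base.id`, two keymgmts sharing a name id (the same key type from two loaded providers) would give the same decoder a second instance and add it to the ctx twice, unless ossl_decoder_ctx_add_decoder_inst deduplicates, which is not visible here. Breaking out after the first match keeps the old behaviour: replace `if (data->error_occurred) return;` with `if (data->error_occurred || keymgmt->name_id == decoder->base.id) return;`. ossl_decoder_ctx_setup_for_pkey starts in this hunk and continues into the next one.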
@@ -329,81 +394,67 @@ int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, input_structure != NULL ? input_structure : ""); } OSSL_TRACE_END(DECODER); + /* Allocate data. */ if ((process_data = OPENSSL_zalloc(sizeof(*process_data))) == NULL || (propquery != NULL - && (process_data->propq = OPENSSL_strdup(propquery)) == NULL) - || (process_data->keymgmts = sk_EVP_KEYMGMT_new_null()) == NULL - || (names = sk_OPENSSL_CSTRING_new_null()) == NULL) { + && (process_data->propq = OPENSSL_strdup(propquery)) == NULL)) { ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE); goto err; } - process_data->object = (void **)pkey; - process_data->libctx = libctx; + /* Allocate our list of EVP_KEYMGMTs. */ + keymgmts = sk_EVP_KEYMGMT_new_null(); + if (keymgmts == NULL) { + ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_MALLOC_FAILURE); + goto err; + } + + process_data->object = (void **)pkey; + process_data->libctx = libctx; process_data->selection = ctx->selection; + process_data->keymgmts = keymgmts; - /* First, find all keymgmts to form goals */ - EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, - process_data->keymgmts); + /* + * Enumerate all keymgmts into a stack. + * + * We could nest EVP_KEYMGMT_do_all_provided inside + * OSSL_DECODER_do_all_provided or vice versa but these functions become + * bottlenecks if called repeatedly, which is why we collect the + * EVP_KEYMGMTs into a stack here and call both functions only once. + * + * We resolve the keytype string to a name ID so we don't have to resolve it + * multiple times, avoiding repeated calls to EVP_KEYMGMT_is_a, which is a + * performance bottleneck. However, we do this lazily on the first call to + * collect_keymgmt made by EVP_KEYMGMT_do_all_provided, rather than do it + * upfront, as this ensures that the names for all loaded providers have + * been registered by the time we try to resolve the keytype string. 
+ */ + collect_data.ctx = ctx; + collect_data.libctx = libctx; + collect_data.keymgmts = keymgmts; + collect_data.keytype = keytype; + EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, &collect_data); - /* Then, we collect all the keymgmt names */ - end = sk_EVP_KEYMGMT_num(process_data->keymgmts); - for (i = 0; i < end; i++) { - EVP_KEYMGMT *keymgmt = sk_EVP_KEYMGMT_value(process_data->keymgmts, i); + if (collect_data.error_occurred) + goto err; - /* - * If the key type is given by the caller, we only use the matching - * KEYMGMTs, otherwise we use them all. - * We have to special case SM2 here because of its abuse of the EC OID. - * The EC OID can be used to identify an EC key or an SM2 key - so if - * we have seen that OID we try both key types - */ - if (keytype == NULL - || EVP_KEYMGMT_is_a(keymgmt, keytype) - || (isecoid && EVP_KEYMGMT_is_a(keymgmt, "SM2"))) { - if (!EVP_KEYMGMT_names_do_all(keymgmt, collect_name, names)) { - ERR_raise(ERR_LIB_OSSL_DECODER, ERR_R_INTERNAL_ERROR); - goto err; - } - } - } + /* Enumerate all matching decoders. */ + OSSL_DECODER_do_all_provided(libctx, collect_decoder, &collect_data); + + if (collect_data.error_occurred) + goto err; OSSL_TRACE_BEGIN(DECODER) { - end = sk_OPENSSL_CSTRING_num(names); BIO_printf(trc_out, - " Found %d keytypes (possibly with duplicates)", - end); - for (i = 0; i < end; i++) - BIO_printf(trc_out, "%s%s", - i == 0 ? ": " : ", ", - sk_OPENSSL_CSTRING_value(names, i)); - BIO_printf(trc_out, "\n"); + "(ctx %p) Got %d decoders producing keys\n", + (void *)ctx, collect_data.total); } OSSL_TRACE_END(DECODER); /* - * Finally, find all decoders that have any keymgmt of the collected - * keymgmt names + * Finish initializing the decoder context. If one or more decoders matched + * above then the number of decoders attached to the OSSL_DECODER_CTX will + * be nonzero. Else nothing was found and we do nothing. 
*/ - { - struct collect_decoder_data_st collect_decoder_data = { NULL, }; - - collect_decoder_data.names = names; - collect_decoder_data.ctx = ctx; - OSSL_DECODER_do_all_provided(libctx, - collect_decoder, &collect_decoder_data); - sk_OPENSSL_CSTRING_free(names); - names = NULL; - - if (collect_decoder_data.error_occurred) - goto err; - - OSSL_TRACE_BEGIN(DECODER) { - BIO_printf(trc_out, - "(ctx %p) Got %d decoders producing keys\n", - (void *)ctx, collect_decoder_data.total); - } OSSL_TRACE_END(DECODER); - } - if (OSSL_DECODER_CTX_get_num_decoders(ctx) != 0) { if (!OSSL_DECODER_CTX_set_construct(ctx, decoder_construct_pkey) || !OSSL_DECODER_CTX_set_construct_data(ctx, process_data) @@ -417,8 +468,6 @@ int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx, ok = 1; err: decoder_clean_pkey_construct_arg(process_data); - sk_OPENSSL_CSTRING_free(names); - return ok; } diff --git a/crypto/encode_decode/encoder_lib.c b/crypto/encode_decode/encoder_lib.c index 7a55c7ab9..7868da79b 100644 --- a/crypto/encode_decode/encoder_lib.c +++ b/crypto/encode_decode/encoder_lib.c @@ -522,7 +522,7 @@ static int encoder_process(struct encoder_process_data_st *data) OSSL_TRACE_BEGIN(ENCODER) { BIO_printf(trc_out, - "[%d] Skipping because recusion level %d failed\n", + "[%d] Skipping because recursion level %d failed\n", data->level, new_data.level); } OSSL_TRACE_END(ENCODER); } diff --git a/crypto/encode_decode/encoder_local.h b/crypto/encode_decode/encoder_local.h index c1885ffc7..6a5bf16ae 100644 --- a/crypto/encode_decode/encoder_local.h +++ b/crypto/encode_decode/encoder_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
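Review bot: As far as the visible tail shows, the function still reaches `ok = 1` when nothing matched, so a keytype that does not resolve (check_keymgmt then rejects every keymgmt without raising) yields success with zero decoders bound; the new header comment should say so, e.g. `Returns 1 even if no decoder was bound; callers must check OSSL_DECODER_CTX_get_num_decoders().` Ownership of the keymgmt stack is also handed to process_data before EVP_KEYMGMT_do_all_provided runs, and the only statement that decoder_clean_pkey_construct_arg frees it on every path sits inside collect_keymgmt; a one-line note next to `process_data->keymgmts = keymgmts;` would spare a reader of this function the search. ossl_decoder_ctx_setup_for_pkey starts in the previous hunk and ends in the next.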
@@ -108,6 +108,7 @@ struct ossl_decoder_instance_st { void *decoderctx; /* Never NULL */ const char *input_type; /* Never NULL */ const char *input_structure; /* May be NULL */ + int input_type_id; unsigned int flag_input_structure_was_set : 1; }; @@ -162,3 +163,6 @@ const OSSL_PROPERTY_LIST * ossl_decoder_parsed_properties(const OSSL_DECODER *decoder); const OSSL_PROPERTY_LIST * ossl_encoder_parsed_properties(const OSSL_ENCODER *encoder); + +int ossl_decoder_fast_is_a(OSSL_DECODER *decoder, + const char *name, int *id_cache); diff --git a/crypto/encode_decode/encoder_meth.c b/crypto/encode_decode/encoder_meth.c index 89e7b6abf..7092ba7ef 100644 --- a/crypto/encode_decode/encoder_meth.c +++ b/crypto/encode_decode/encoder_meth.c @@ -17,6 +17,7 @@ #include "internal/provider.h" #include "crypto/encoder.h" #include "encoder_local.h" +#include "crypto/context.h" /* * Encoder can have multiple names, separated with colons in a name string @@ -65,25 +66,6 @@ void OSSL_ENCODER_free(OSSL_ENCODER *encoder) OPENSSL_free(encoder); } -/* Permanent encoder method store, constructor and destructor */ -static void encoder_store_free(void *vstore) -{ - ossl_method_store_free(vstore); -} - -static void *encoder_store_new(OSSL_LIB_CTX *ctx) -{ - return ossl_method_store_new(ctx); -} - - -static const OSSL_LIB_CTX_METHOD encoder_store_method = { - /* We want encoder_store to be cleaned up before the provider store */ - OSSL_LIB_CTX_METHOD_PRIORITY_2, - encoder_store_new, - encoder_store_free, -}; - /* Data to be passed through ossl_method_construct() */ struct encoder_data_st { OSSL_LIB_CTX *libctx; 
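Review bot: Removing encoder_store_method drops the only statement of a teardown-ordering requirement — `/* We want encoder_store to be cleaned up before the provider store */` with OSSL_LIB_CTX_METHOD_PRIORITY_2 — while get_encoder_store now just reads OSSL_LIB_CTX_ENCODER_STORE_INDEX through crypto/context.h. If that ordering is now enforced centrally, fine, but it should be recorded where the index is registered (not in this chunk), and a pointer at get_encoder_store would help: `/* Store lifetime and teardown order (before the provider store) are handled by the crypto/context implementation */` — hedged, as the registration site is not visible here. The `int input_type_id;` added to ossl_decoder_instance_st is also the only field in that struct without a comment.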
@@ -120,8 +102,7 @@ static void dealloc_tmp_encoder_store(void *store) /* Get the permanent encoder store */ static OSSL_METHOD_STORE *get_encoder_store(OSSL_LIB_CTX *libctx) { - return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_ENCODER_STORE_INDEX, - &encoder_store_method); + return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_ENCODER_STORE_INDEX); } static int reserve_encoder_store(void *store, void *data) @@ -369,38 +350,27 @@ static void free_encoder(void *method) /* Fetching support. Can fetch by numeric identity or by name */ static OSSL_ENCODER * -inner_ossl_encoder_fetch(struct encoder_data_st *methdata, int id, +inner_ossl_encoder_fetch(struct encoder_data_st *methdata, const char *name, const char *properties) { OSSL_METHOD_STORE *store = get_encoder_store(methdata->libctx); OSSL_NAMEMAP *namemap = ossl_namemap_stored(methdata->libctx); const char *const propq = properties != NULL ? properties : ""; void *method = NULL; - int unsupported = 0; + int unsupported, id; if (store == NULL || namemap == NULL) { ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_PASSED_INVALID_ARGUMENT); return NULL; } - /* - * If we have been passed both an id and a name, we have an - * internal programming error. - */ - if (!ossl_assert(id == 0 || name == NULL)) { - ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_INTERNAL_ERROR); - return NULL; - } - - if (id == 0) - id = ossl_namemap_name2num(namemap, name); + id = name != NULL ? ossl_namemap_name2num(namemap, name) : 0; /* * If we haven't found the name yet, chances are that the algorithm to * be fetched is unsupported. */ - if (id == 0) - unsupported = 1; + unsupported = id == 0; if (id == 0 || !ossl_method_store_cache_get(store, NULL, id, propq, &method)) { 
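Review bot: Same stale header as in decoder_meth.c: `/* Fetching support. Can fetch by numeric identity or by name */` describes a removed capability now that the `id` parameter and ossl_encoder_fetch_by_number are gone and `id = name != NULL ? ossl_namemap_name2num(namemap, name) : 0;` is the only path; suggest `/* Fetching support. Fetch by name; a NULL name resolves to id 0 */`. Worth noting that the old encoder variant called `ossl_namemap_name2num(namemap, name)` with a possibly NULL name whenever id was 0, and the new ternary removes that — a real improvement that the commit message could mention. inner_ossl_encoder_fetch continues past the hunk.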
@@ -464,20 +434,7 @@ OSSL_ENCODER *OSSL_ENCODER_fetch(OSSL_LIB_CTX *libctx, const char *name, methdata.libctx = libctx; methdata.tmp_store = NULL; - method = inner_ossl_encoder_fetch(&methdata, 0, name, properties); - dealloc_tmp_encoder_store(methdata.tmp_store); - return method; -} - -OSSL_ENCODER *ossl_encoder_fetch_by_number(OSSL_LIB_CTX *libctx, int id, - const char *properties) -{ - struct encoder_data_st methdata; - void *method; - - methdata.libctx = libctx; - methdata.tmp_store = NULL; - method = inner_ossl_encoder_fetch(&methdata, id, NULL, properties); + method = inner_ossl_encoder_fetch(&methdata, name, properties); dealloc_tmp_encoder_store(methdata.tmp_store); return method; } @@ -589,7 +546,7 @@ void OSSL_ENCODER_do_all_provided(OSSL_LIB_CTX *libctx, methdata.libctx = libctx; methdata.tmp_store = NULL; - (void)inner_ossl_encoder_fetch(&methdata, 0, NULL, NULL /* properties */); + (void)inner_ossl_encoder_fetch(&methdata, NULL, NULL /* properties */); data.user_fn = user_fn; data.user_arg = user_arg; diff --git a/crypto/encode_decode/encoder_pkey.c b/crypto/encode_decode/encoder_pkey.c index 3a24317cf..58c279f6e 100644 --- a/crypto/encode_decode/encoder_pkey.c +++ b/crypto/encode_decode/encoder_pkey.c @@ -17,6 +17,7 @@ #include #include "internal/provider.h" #include "internal/property.h" +#include "internal/namemap.h" #include "crypto/evp.h" #include "encoder_local.h" @@ -72,6 +73,7 @@ int OSSL_ENCODER_CTX_set_passphrase_cb(OSSL_ENCODER_CTX *ctx, struct collected_encoder_st { STACK_OF(OPENSSL_CSTRING) *names; + int *id_names; const char *output_structure; const char *output_type; 
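Review bot: The new `int *id_names;` member of collected_encoder_st has no comment, unlike its neighbours, and its contract is not obvious: it is parallel to `names`, holds namemap ids (0 where a name did not resolve), and is consulted only in the same-provider pass. Suggest `int *id_names; /* namemap ids parallel to |names|, 0 if unresolved; used only when flag_find_same_provider */`.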
@@ -85,41 +87,42 @@ struct collected_encoder_st { static void collect_encoder(OSSL_ENCODER *encoder, void *arg) { struct collected_encoder_st *data = arg; - size_t i, end_i; + const OSSL_PROVIDER *prov; if (data->error_occurred) return; data->error_occurred = 1; /* Assume the worst */ - if (data->names == NULL) - return; - - end_i = sk_OPENSSL_CSTRING_num(data->names); - for (i = 0; i < end_i; i++) { - const char *name = sk_OPENSSL_CSTRING_value(data->names, i); - const OSSL_PROVIDER *prov = OSSL_ENCODER_get0_provider(encoder); + prov = OSSL_ENCODER_get0_provider(encoder); + /* + * collect_encoder() is called in two passes, one where the encoders + * from the same provider as the keymgmt are looked up, and one where + * the other encoders are looked up. |data->flag_find_same_provider| + * tells us which pass we're in. + */ + if ((data->keymgmt_prov == prov) == data->flag_find_same_provider) { void *provctx = OSSL_PROVIDER_get0_provider_ctx(prov); - - /* - * collect_encoder() is called in two passes, one where the encoders - * from the same provider as the keymgmt are looked up, and one where - * the other encoders are looked up. |data->flag_find_same_provider| - * tells us which pass we're in. 
- */ - if ((data->keymgmt_prov == prov) != data->flag_find_same_provider) - continue; - - if (!OSSL_ENCODER_is_a(encoder, name) - || (encoder->does_selection != NULL - && !encoder->does_selection(provctx, data->ctx->selection)) - || (data->keymgmt_prov != prov - && encoder->import_object == NULL)) - continue; - - /* Only add each encoder implementation once */ - if (OSSL_ENCODER_CTX_add_encoder(data->ctx, encoder)) - break; + int i, end_i = sk_OPENSSL_CSTRING_num(data->names); + int match; + + for (i = 0; i < end_i; i++) { + if (data->flag_find_same_provider) + match = (data->id_names[i] == encoder->base.id); + else + match = OSSL_ENCODER_is_a(encoder, + sk_OPENSSL_CSTRING_value(data->names, i)); + if (!match + || (encoder->does_selection != NULL + && !encoder->does_selection(provctx, data->ctx->selection)) + || (data->keymgmt_prov != prov + && encoder->import_object == NULL)) + continue; + + /* Only add each encoder implementation once */ + if (OSSL_ENCODER_CTX_add_encoder(data->ctx, encoder)) + break; + } } data->error_occurred = 0; /* All is good now */ @@ -227,7 +230,8 @@ static int ossl_encoder_ctx_setup_for_pkey(OSSL_ENCODER_CTX *ctx, struct construct_data_st *data = NULL; const OSSL_PROVIDER *prov = NULL; OSSL_LIB_CTX *libctx = NULL; - int ok = 0; + int ok = 0, i, end; + OSSL_NAMEMAP *namemap; if (!ossl_assert(ctx != NULL) || !ossl_assert(pkey != NULL)) { ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_PASSED_NULL_PARAMETER); 
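Review bot: In the same-provider pass `match = (data->id_names[i] == encoder->base.id)` does not skip entries whose name failed to resolve; ossl_namemap_name2num reports an unknown name as 0, so correctness rests on no encoder ever carrying id 0. That holds in practice but is implicit; `match = (data->id_names[i] != 0 && data->id_names[i] == encoder->base.id);` makes it explicit at no cost. The two passes now also use different matching logic (cached id versus OSSL_ENCODER_is_a), which a one-line comment above the loop should call out so that nobody changes one without the other.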
@@ -271,7 +275,25 @@ static int ossl_encoder_ctx_setup_for_pkey(OSSL_ENCODER_CTX *ctx, encoder_data.error_occurred = 0; encoder_data.keymgmt_prov = prov; encoder_data.ctx = ctx; + encoder_data.id_names = NULL; + /* + * collect_encoder() is called many times, and for every call it converts all encoder_data.names + * into namemap ids if it calls OSSL_ENCODER_is_a(). We cache the ids here instead, + * and can use them for encoders with the same provider as the keymgmt. + */ + namemap = ossl_namemap_stored(libctx); + end = sk_OPENSSL_CSTRING_num(encoder_data.names); + if (end > 0) { + encoder_data.id_names = OPENSSL_malloc(end * sizeof(int)); + if (encoder_data.id_names == NULL) + goto err; + for (i = 0; i < end; ++i) { + const char *name = sk_OPENSSL_CSTRING_value(keymgmt_data.names, i); + + encoder_data.id_names[i] = ossl_namemap_name2num(namemap, name); + } + } /* * Place the encoders with the a different provider as the keymgmt * last (the chain is processed in reverse order) @@ -286,6 +308,7 @@ static int ossl_encoder_ctx_setup_for_pkey(OSSL_ENCODER_CTX *ctx, encoder_data.flag_find_same_provider = 1; OSSL_ENCODER_do_all_provided(libctx, collect_encoder, &encoder_data); + OPENSSL_free(encoder_data.id_names); sk_OPENSSL_CSTRING_free(keymgmt_data.names); if (encoder_data.error_occurred) { ERR_raise(ERR_LIB_OSSL_ENCODER, ERR_R_MALLOC_FAILURE); diff --git a/crypto/engine/eng_init.c b/crypto/engine/eng_init.c index c204eb189..4bccab56a 100644 --- a/crypto/engine/eng_init.c +++ b/crypto/engine/eng_init.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
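Review bot: On OPENSSL_malloc failure the new `goto err` jumps past the `sk_OPENSSL_CSTRING_free(keymgmt_data.names)` that otherwise runs after both passes; unless the `err:` label (outside the hunk) frees that stack, the names leak on this path — please check the label before deciding whether to free before the jump. The loop also sizes `end` from `encoder_data.names` but reads from `keymgmt_data.names`; if these are the same stack (assigned just above, not visible here) read from one of them, e.g. `sk_OPENSSL_CSTRING_value(encoder_data.names, i)`, so the pairing with `end` is obvious. The three new comment lines exceed OpenSSL's 80-column limit.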
@@ -10,11 +10,11 @@ /* We need to use some engine deprecated APIs */ #define OPENSSL_SUPPRESS_DEPRECATED -#include "e_os.h" +#include "internal/e_os.h" #include "eng_local.h" /* - * Initialise a engine type for use (or up its functional reference count if + * Initialise an engine type for use (or up its functional reference count if * it's already in use). This version is only used internally. */ int engine_unlocked_init(ENGINE *e) @@ -41,7 +41,7 @@ int engine_unlocked_init(ENGINE *e) } /* - * Free a functional reference to a engine type. This version is only used + * Free a functional reference to an engine type. This version is only used * internally. */ int engine_unlocked_finish(ENGINE *e, int unlock_for_handlers) diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c index 05c6a67c1..528520010 100644 --- a/crypto/engine/eng_lib.c +++ b/crypto/engine/eng_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "e_os.h" +#include "internal/e_os.h" #include "eng_local.h" #include #include "internal/refcount.h" diff --git a/crypto/engine/eng_local.h b/crypto/engine/eng_local.h index 03a86299c..c0b9df0f5 100644 --- a/crypto/engine/eng_local.h +++ b/crypto/engine/eng_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use 
@@ -156,6 +156,6 @@ struct engine_st { typedef struct st_engine_pile ENGINE_PILE; -DEFINE_LHASH_OF(ENGINE_PILE); +DEFINE_LHASH_OF_EX(ENGINE_PILE); #endif /* OSSL_CRYPTO_ENGINE_ENG_LOCAL_H */ diff --git a/crypto/engine/tb_asnmth.c b/crypto/engine/tb_asnmth.c index 81f8e7add..bd65ede2f 100644 --- a/crypto/engine/tb_asnmth.c +++ b/crypto/engine/tb_asnmth.c @@ -10,7 +10,7 @@ /* We need to use some engine deprecated APIs */ #define OPENSSL_SUPPRESS_DEPRECATED -#include "e_os.h" +#include "internal/e_os.h" #include "eng_local.h" #include #include "crypto/asn1.h" diff --git a/crypto/err/err.c b/crypto/err/err.c index ec5564230..672a55bcf 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -23,7 +23,7 @@ #include "internal/thread_once.h" #include "crypto/ctype.h" #include "internal/constant_time.h" -#include "e_os.h" +#include "internal/e_os.h" #include "err_local.h" /* Forward declaration in case it's not published because of configuration */ diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 49e42550d..d84272910 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1,4 +1,4 @@ -# Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
@@ -439,10 +439,23 @@ CRYPTO_R_ILLEGAL_HEX_DIGIT:102:illegal hex digit CRYPTO_R_INSUFFICIENT_DATA_SPACE:106:insufficient data space CRYPTO_R_INSUFFICIENT_PARAM_SIZE:107:insufficient param size CRYPTO_R_INSUFFICIENT_SECURE_DATA_SPACE:108:insufficient secure data space +CRYPTO_R_INTEGER_OVERFLOW:127:integer overflow CRYPTO_R_INVALID_NEGATIVE_VALUE:122:invalid negative value CRYPTO_R_INVALID_NULL_ARGUMENT:109:invalid null argument CRYPTO_R_INVALID_OSSL_PARAM_TYPE:110:invalid ossl param type +CRYPTO_R_NO_PARAMS_TO_MERGE:131:no params to merge +CRYPTO_R_NO_SPACE_FOR_TERMINATING_NULL:128:no space for terminating null CRYPTO_R_ODD_NUMBER_OF_DIGITS:103:odd number of digits +CRYPTO_R_PARAM_CANNOT_BE_REPRESENTED_EXACTLY:123:\ + param cannot be represented exactly +CRYPTO_R_PARAM_NOT_INTEGER_TYPE:124:param not integer type +CRYPTO_R_PARAM_OF_INCOMPATIBLE_TYPE:129:param of incompatible type +CRYPTO_R_PARAM_UNSIGNED_INTEGER_NEGATIVE_VALUE_UNSUPPORTED:125:\ + param unsigned integer negative value unsupported +CRYPTO_R_PARAM_UNSUPPORTED_FLOATING_POINT_FORMAT:130:\ + param unsupported floating point format +CRYPTO_R_PARAM_VALUE_TOO_LARGE_FOR_DESTINATION:126:\ + param value too large for destination CRYPTO_R_PROVIDER_ALREADY_EXISTS:104:provider already exists CRYPTO_R_PROVIDER_SECTION_ERROR:105:provider section error CRYPTO_R_RANDOM_SECTION_ERROR:119:random section error @@ -514,6 +527,7 @@ DSA_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error DSA_R_P_NOT_PRIME:115:p not prime DSA_R_Q_NOT_PRIME:113:q not prime DSA_R_SEED_LEN_SMALL:110:seed_len is less than the length of q +DSA_R_TOO_MANY_RETRIES:116:too many retries DSO_R_CTRL_FAILED:100:control command failed DSO_R_DSO_ALREADY_LOADED:110:dso already loaded DSO_R_EMPTY_FILE_STRUCTURE:113:empty file structure 
@@ -597,6 +611,7 @@ EC_R_POINT_IS_NOT_ON_CURVE:107:point is not on curve EC_R_RANDOM_NUMBER_GENERATION_FAILED:158:random number generation failed EC_R_SHARED_INFO_ERROR:150:shared info error EC_R_SLOT_FULL:108:slot full +EC_R_TOO_MANY_RETRIES:176:too many retries EC_R_UNDEFINED_GENERATOR:113:undefined generator EC_R_UNDEFINED_ORDER:128:undefined order EC_R_UNKNOWN_COFACTOR:164:unknown cofactor @@ -972,6 +987,7 @@ PROV_R_BN_ERROR:160:bn error PROV_R_CIPHER_OPERATION_FAILED:102:cipher operation failed PROV_R_DERIVATION_FUNCTION_INIT_FAILED:205:derivation function init failed PROV_R_DIGEST_NOT_ALLOWED:174:digest not allowed +PROV_R_EMS_NOT_ENABLED:233:ems not enabled PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK:186:entropy source strength too weak PROV_R_ERROR_INSTANTIATING_DRBG:188:error instantiating drbg PROV_R_ERROR_RETRIEVING_ENTROPY:189:error retrieving entropy diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c index c767c3164..ac298cfc7 100644 --- a/crypto/evp/ctrl_params_translate.c +++ b/crypto/evp/ctrl_params_translate.c @@ -1,5 +1,5 @@ /* - * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -387,7 +387,7 @@ static int default_fixup_args(enum state state, { int ret; - if ((ret = default_check(state, translation, ctx)) < 0) + if ((ret = default_check(state, translation, ctx)) <= 0) return ret; switch (state) { 
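Review bot: Changing `< 0` to `<= 0` makes a zero result from default_check end default_fixup_args early instead of falling through to the state switch, and nothing in the hunk says why; a reader cannot tell whether 0 means "not applicable" or "failed" here. Add a comment on the line, e.g. `/* 0 from default_check() is a failure for this state too, not "nothing to do" */`, if that is the intended meaning — default_check itself is not visible in this chunk. default_fixup_args continues past the hunk.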
@@ -2192,7 +2192,7 @@ static const struct translation_st evp_pkey_ctx_translations[] = { OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, /* * The "rsa_oaep_label" ctrl_str expects the value to always be hex. - * This is accomodated by default_fixup_args() above, which mimics that + * This is accommodated by default_fixup_args() above, which mimics that * expectation for any translation item where |ctrl_str| is NULL and * |ctrl_hexstr| is non-NULL. */ @@ -2520,7 +2520,7 @@ lookup_translation(struct translation_st *tmpl, tmpl->ctrl_hexstr = ctrl_hexstr; } else if (tmpl->param_key != NULL) { /* - * Search criteria that originates from a OSSL_PARAM setter or + * Search criteria that originates from an OSSL_PARAM setter or * getter. * * Ctrls were fundamentally bidirectional, with only the ctrl diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index e6e03eaf3..8c30089f6 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -141,6 +141,20 @@ void EVP_MD_CTX_free(EVP_MD_CTX *ctx) OPENSSL_free(ctx); } +int evp_md_ctx_free_algctx(EVP_MD_CTX *ctx) +{ + if (ctx->algctx != NULL) { + if (!ossl_assert(ctx->digest != NULL)) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); + return 0; + } + if (ctx->digest->freectx != NULL) + ctx->digest->freectx(ctx->algctx); + ctx->algctx = NULL; + } + return 1; +} + static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, const OSSL_PARAM params[], ENGINE *impl) { 
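Review bot: evp_md_ctx_free_algctx is a new non-static helper with no header comment, and its precondition — a non-NULL algctx implies a non-NULL ctx->digest that owns it — is enforced only by the ossl_assert, which is exactly the invariant callers must maintain when they swap ctx->digest. Suggest above the definition: `/* Free the provider-side context in |ctx->algctx|, if any. Requires |ctx->digest| to be the EVP_MD that created it; returns 0 with EVP_R_INITIALIZATION_ERROR raised if that invariant is broken, 1 otherwise (including when there is nothing to free). */`.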
@@ -169,16 +183,6 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED); - if (ctx->algctx != NULL) { - if (!ossl_assert(ctx->digest != NULL)) { - ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); - return 0; - } - if (ctx->digest->freectx != NULL) - ctx->digest->freectx(ctx->algctx); - ctx->algctx = NULL; - } - if (type != NULL) { ctx->reqdigest = type; } else { @@ -197,21 +201,20 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, * previous handle, re-querying for an ENGINE, and having a * reinitialisation, when it may all be unnecessary. */ - if (ctx->engine && ctx->digest && - (type == NULL || (type->type == ctx->digest->type))) + if (ctx->engine != NULL + && ctx->digest != NULL + && type->type == ctx->digest->type) goto skip_to_init; - if (type != NULL) { - /* - * Ensure an ENGINE left lying around from last time is cleared (the - * previous check attempted to avoid this if the same ENGINE and - * EVP_MD could be used). - */ - ENGINE_finish(ctx->engine); - ctx->engine = NULL; - } + /* + * Ensure an ENGINE left lying around from last time is cleared (the + * previous check attempted to avoid this if the same ENGINE and + * EVP_MD could be used). + */ + ENGINE_finish(ctx->engine); + ctx->engine = NULL; - if (type != NULL && impl == NULL) + if (impl == NULL) tmpimpl = ENGINE_get_digest_engine(type->type); #endif 
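Review bot: The rewritten engine check dereferences `type` unconditionally (`type->type == ctx->digest->type`, and `ENGINE_get_digest_engine(type->type)` whenever impl is NULL), where the old code guarded both with `type != NULL`. That is only safe if the `else` branch of `if (type != NULL) { ctx->reqdigest = type; }` — outside the hunk — always replaces a NULL `type` with `ctx->digest` and fails when that is NULL too; please confirm, and record it at the new check: `/* type is non-NULL here: a NULL argument was replaced by ctx->digest above */`. The now-unconditional `ENGINE_finish(ctx->engine)` is correct under the same assumption. evp_md_init_internal starts in an earlier hunk and continues into the next.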
@@ -219,15 +222,21 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, * If there are engines involved or EVP_MD_CTX_FLAG_NO_INIT is set then we * should use legacy handling for now. */ - if (ctx->engine != NULL - || impl != NULL -#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) + if (impl != NULL +#if !defined(OPENSSL_NO_ENGINE) + || ctx->engine != NULL +# if !defined(FIPS_MODULE) || tmpimpl != NULL +# endif #endif || (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) != 0 || (type != NULL && type->origin == EVP_ORIG_METH) || (type == NULL && ctx->digest != NULL && ctx->digest->origin == EVP_ORIG_METH)) { + /* If we were using provided hash before, cleanup algctx */ + if (!evp_md_ctx_free_algctx(ctx)) + return 0; + if (ctx->digest == ctx->fetched_digest) ctx->digest = NULL; EVP_MD_free(ctx->fetched_digest); @@ -238,6 +247,15 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, cleanup_old_md_data(ctx, 1); /* Start of non-legacy code below */ + if (ctx->digest == type) { + if (!ossl_assert(type->prov != NULL)) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); + return 0; + } + } else { + if (!evp_md_ctx_free_algctx(ctx)) + return 0; + } if (type->prov == NULL) { #ifdef FIPS_MODULE @@ -260,11 +278,6 @@ static int evp_md_init_internal(EVP_MD_CTX *ctx, const EVP_MD *type, #endif } - if (ctx->algctx != NULL && ctx->digest != NULL && ctx->digest != type) { - if (ctx->digest->freectx != NULL) - ctx->digest->freectx(ctx->algctx); - ctx->algctx = NULL; - } if (type->prov != NULL && ctx->fetched_digest != type) { if (!EVP_MD_up_ref((EVP_MD *)type)) { ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); @@ -447,7 +460,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *isize) if (isize != NULL) { if (size <= UINT_MAX) { - *isize = (int)size; + *isize = (unsigned int)size; } else { ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR); ret = 0; 
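Review bot: The `@@ -238` hunk dereferences `type->prov` unconditionally (in the `ossl_assert` and in the `if (type->prov == NULL)` that follows), yet the legacy-handling condition in the `@@ -219` hunk still carries the `(type == NULL && ctx->digest != NULL && ctx->digest->origin == EVP_ORIG_METH)` clause and the `type != NULL &&` guard on the line before it. Either `type` can be NULL here, in which case the new non-legacy code crashes, or it cannot, in which case those clauses are dead and mislead the reader; the `@@ -197` hunk on the previous line already assumes the latter. Suggest dropping the `type == NULL` clause and the `type != NULL &&` guard, or adding `if (!ossl_assert(type != NULL)) return 0;` ahead of the condition so the assumption is checked once. The enclosing function starts and ends outside this hunk.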
@@ -514,6 +527,17 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t size) return ret; } +EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in) +{ + EVP_MD_CTX *out = EVP_MD_CTX_new(); + + if (out != NULL && !EVP_MD_CTX_copy_ex(out, in)) { + EVP_MD_CTX_free(out); + out = NULL; + } + return out; +} + int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) { EVP_MD_CTX_reset(out); diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index 52b9e87c1..1ac3e60c5 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,7 +8,7 @@ */ /* - * This file uses the low level AES functions (which are deprecated for + * This file uses the low-level AES functions (which are deprecated for * non-internal use) in order to implement the EVP AES ciphers. */ #include "internal/deprecated.h" 
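Review bot: EVP_MD_CTX_dup allocates before it knows whether `in` is usable, and the only validation of `in` is whatever EVP_MD_CTX_copy_ex does, which is outside the hunk; the parallel EVP_CIPHER_CTX_dup added in evp_enc.c further down this diff visibly relies on `EVP_CIPHER_CTX_copy` rejecting `in == NULL`, so please confirm EVP_MD_CTX_copy_ex does the same before dereferencing. As a new public API the function also lacks a header comment; `/* Allocate a new EVP_MD_CTX holding a copy of |in|. Returns NULL on allocation or copy failure. */` states the contract callers need.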
@@ -146,20 +146,21 @@ static int aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, { int ret, mode; EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx); + const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8; + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } mode = EVP_CIPHER_CTX_get_mode(ctx); if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && !enc) { - ret = aesni_set_decrypt_key(key, - EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &dat->ks.ks); + ret = aesni_set_decrypt_key(key, keylen, &dat->ks.ks); dat->block = (block128_f) aesni_decrypt; dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? (cbc128_f) aesni_cbc_encrypt : NULL; } else { - ret = aesni_set_encrypt_key(key, - EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &dat->ks.ks); + ret = aesni_set_encrypt_key(key, keylen, &dat->ks.ks); dat->block = (block128_f) aesni_encrypt; if (mode == EVP_CIPH_CBC_MODE) dat->stream.cbc = (cbc128_f) aesni_cbc_encrypt; @@ -223,12 +224,19 @@ static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { - EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx); - if (!iv && !key) + EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX, ctx); + + if (iv == NULL && key == NULL) return 1; + if (key) { - aesni_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &gctx->ks.ks); + const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8; + + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } + aesni_set_encrypt_key(key, keylen, &gctx->ks.ks); CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) aesni_encrypt); gctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks; /* 
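Review bot: In aesni_gcm_init_key the new `keylen <= 0` guard only rejects an unset or negative length; a positive length that aesni_set_encrypt_key does not accept still reaches it, and that call's return value is discarded on the line after the guard (aesni_init_key, by contrast, keeps `ret`), so an unsupported length would presumably leave gctx->ks uninitialised while the function reports success. If the setter's return is meaningful, `if (aesni_set_encrypt_key(key, keylen, &gctx->ks.ks) < 0) return 0;` with a matching ERR_raise closes that gap; the same shape recurs in the aesni and aes_t4 CCM and OCB hunks, aes_gcm_init_key, aes_ccm_init_key, aes_wrap_init_key and aes_ocb_init_key further down. Separately, this hunk and the aesni_xts, aes_t4_gcm and aes_t4_xts hunks keep `if (key)` while the CCM and OCB hunks of the same commit rewrite it to `if (key != NULL)`; pick one form for the file.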
@@ -262,14 +270,19 @@ static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, { EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx); - if (!iv && !key) + if (iv == NULL && key == NULL) return 1; if (key) { /* The key is two half length keys in reality */ - const int bytes = EVP_CIPHER_CTX_get_key_length(ctx) / 2; + const int keylen = EVP_CIPHER_CTX_get_key_length(ctx); + const int bytes = keylen / 2; const int bits = bytes * 8; + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } /* * Verify that the two keys are different. * @@ -315,11 +328,18 @@ static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx); - if (!iv && !key) + + if (iv == NULL && key == NULL) return 1; - if (key) { - aesni_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &cctx->ks.ks); + + if (key != NULL) { + const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8; + + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } + aesni_set_encrypt_key(key, keylen, &cctx->ks.ks); CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, &cctx->ks, (block128_f) aesni_encrypt); cctx->str = enc ? (ccm128_f) aesni_ccm64_encrypt_blocks : 
@@ -342,19 +362,25 @@ static int aesni_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx); - if (!iv && !key) + + if (iv == NULL && key == NULL) return 1; - if (key) { + + if (key != NULL) { + const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8; + + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } do { /* * We set both the encrypt and decrypt key here because decrypt * needs both. We could possibly optimise to remove setting the * decrypt for an encryption operation. */ - aesni_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &octx->ksenc.ks); - aesni_set_decrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &octx->ksdec.ks); + aesni_set_encrypt_key(key, keylen, &octx->ksenc.ks); + aesni_set_decrypt_key(key, keylen, &octx->ksdec.ks); if (!CRYPTO_ocb128_init(&octx->ocb, &octx->ksenc.ks, &octx->ksdec.ks, (block128_f) aesni_encrypt, @@ -452,6 +478,10 @@ static int aes_t4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, mode = EVP_CIPHER_CTX_get_mode(ctx); bits = EVP_CIPHER_CTX_get_key_length(ctx) * 8; + if (bits <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && !enc) { ret = 0; @@ -547,10 +577,16 @@ static int aes_t4_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx); - if (!iv && !key) + + if (iv == NULL && key == NULL) return 1; if (key) { - int bits = EVP_CIPHER_CTX_get_key_length(ctx) * 8; + const int bits = EVP_CIPHER_CTX_get_key_length(ctx) * 8; + + if (bits <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } aes_t4_set_encrypt_key(key, bits, &gctx->ks.ks); CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) aes_t4_encrypt); 
@@ -603,9 +639,14 @@ static int aes_t4_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, if (key) { /* The key is two half length keys in reality */ - const int bytes = EVP_CIPHER_CTX_get_key_length(ctx) / 2; + const int keylen = EVP_CIPHER_CTX_get_key_length(ctx); + const int bytes = keylen / 2; const int bits = bytes * 8; + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } /* * Verify that the two keys are different. * @@ -670,10 +711,17 @@ static int aes_t4_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx); - if (!iv && !key) + + if (iv == NULL && key == NULL) return 1; - if (key) { - int bits = EVP_CIPHER_CTX_get_key_length(ctx) * 8; + + if (key != NULL) { + const int bits = EVP_CIPHER_CTX_get_key_length(ctx) * 8; + + if (bits <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } aes_t4_set_encrypt_key(key, bits, &cctx->ks.ks); CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, &cctx->ks, (block128_f) aes_t4_encrypt); 
@@ -696,19 +744,25 @@ static int aes_t4_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx); - if (!iv && !key) + + if (iv == NULL && key == NULL) return 1; - if (key) { + + if (key != NULL) { + const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8; + + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } do { /* * We set both the encrypt and decrypt key here because decrypt * needs both. We could possibly optimise to remove setting the * decrypt for an encryption operation. */ - aes_t4_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &octx->ksenc.ks); - aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &octx->ksdec.ks); + aes_t4_set_encrypt_key(key, keylen, &octx->ksenc.ks); + aes_t4_set_decrypt_key(key, keylen, &octx->ksdec.ks); if (!CRYPTO_ocb128_init(&octx->ocb, &octx->ksenc.ks, &octx->ksdec.ks, (block128_f) aes_t4_encrypt, @@ -973,6 +1027,10 @@ static int s390x_aes_ecb_init_key(EVP_CIPHER_CTX *ctx, S390X_AES_ECB_CTX *cctx = EVP_C_DATA(S390X_AES_ECB_CTX, ctx); const int keylen = EVP_CIPHER_CTX_get_key_length(ctx); + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } cctx->fc = S390X_AES_FC(keylen); if (!enc) cctx->fc |= S390X_DECRYPT; @@ -999,6 +1057,14 @@ static int s390x_aes_ofb_init_key(EVP_CIPHER_CTX *ctx, const int keylen = EVP_CIPHER_CTX_get_key_length(ctx); const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx); + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } + if (ivlen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH); + return 0; + } memcpy(cctx->kmo.param.cv, iv, ivlen); memcpy(cctx->kmo.param.k, key, keylen); cctx->fc = S390X_AES_FC(keylen); 
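Review bot: In s390x_aes_ofb_init_key the new checks bound keylen and ivlen from below only, but the `memcpy(cctx->kmo.param.k, key, keylen)` and `memcpy(cctx->kmo.param.cv, iv, ivlen)` that follow copy into fixed-size parameter-block fields; if either length can exceed its field (after a key-length ctrl, for instance) the guard does not prevent the overrun, so an upper bound such as `keylen > (int)sizeof(cctx->kmo.param.k)` alongside the existing one would make the copy self-evidently safe. The guard also validates the lengths but not the `iv` pointer the memcpy dereferences; whether a NULL iv can arrive here depends on the EVP layer outside the hunk. The same pattern is in the s390x CFB, GCM and CCM hunks that follow.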
@@ -1058,6 +1124,14 @@ static int s390x_aes_cfb_init_key(EVP_CIPHER_CTX *ctx, const int keylen = EVP_CIPHER_CTX_get_key_length(ctx); const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx); + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } + if (ivlen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH); + return 0; + } cctx->fc = S390X_AES_FC(keylen); cctx->fc |= 16 << 24; /* 16 bytes cipher feedback */ if (!enc) @@ -1081,6 +1155,14 @@ static int s390x_aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, int rem; unsigned char tmp; + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } + if (ivlen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH); + return 0; + } memcpy(cctx->kmf.param.cv, iv, ivlen); while (n && len) { tmp = *in; @@ -1128,6 +1210,14 @@ static int s390x_aes_cfb8_init_key(EVP_CIPHER_CTX *ctx, const int keylen = EVP_CIPHER_CTX_get_key_length(ctx); const int ivlen = EVP_CIPHER_CTX_get_iv_length(ctx); + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } + if (ivlen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_IV_LENGTH); + return 0; + } cctx->fc = S390X_AES_FC(keylen); cctx->fc |= 1 << 24; /* 1 byte cipher feedback */ if (!enc) @@ -1533,6 +1623,11 @@ static int s390x_aes_gcm_init_key(EVP_CIPHER_CTX *ctx, if (key != NULL) { keylen = EVP_CIPHER_CTX_get_key_length(ctx); + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } + memcpy(&gctx->kma.param.k, key, keylen); gctx->fc = S390X_AES_FC(keylen); @@ -1939,6 +2034,11 @@ static int s390x_aes_ccm_init_key(EVP_CIPHER_CTX *ctx, if (key != NULL) { keylen = EVP_CIPHER_CTX_get_key_length(ctx); + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } + cctx->aes.ccm.fc = S390X_AES_FC(keylen); memcpy(cctx->aes.ccm.kmac_param.k, key, keylen); 
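Review bot: s390x_aes_cfb_cipher now re-validates keylen and ivlen on every cipher call, immediately after s390x_aes_cfb_init_key has validated the same values in the preceding hunk; if the lengths cannot change between init and cipher the second check is dead weight on the hot path, and if they can (a ctrl after init, say) that is the reason worth recording. A comment above the new block, `/* key/iv length may have changed via ctrl since init; re-check before the parameter-block copy */` — or removal of the duplicate, whichever is true — would settle it. The enclosing s390x_aes_cfb_cipher starts before and continues after this hunk.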
@@ -2315,15 +2415,19 @@ static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, { int ret, mode; EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx); + const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8; + + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } mode = EVP_CIPHER_CTX_get_mode(ctx); if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && !enc) { #ifdef HWAES_CAPABLE if (HWAES_CAPABLE) { - ret = HWAES_set_decrypt_key(key, - EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &dat->ks.ks); + ret = HWAES_set_decrypt_key(key, keylen, &dat->ks.ks); dat->block = (block128_f) HWAES_decrypt; dat->stream.cbc = NULL; # ifdef HWAES_cbc_encrypt @@ -2334,27 +2438,21 @@ static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, #endif #ifdef BSAES_CAPABLE if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) { - ret = AES_set_decrypt_key(key, - EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &dat->ks.ks); + ret = AES_set_decrypt_key(key, keylen, &dat->ks.ks); dat->block = (block128_f) AES_decrypt; dat->stream.cbc = (cbc128_f) ossl_bsaes_cbc_encrypt; } else #endif #ifdef VPAES_CAPABLE if (VPAES_CAPABLE) { - ret = vpaes_set_decrypt_key(key, - EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &dat->ks.ks); + ret = vpaes_set_decrypt_key(key, keylen, &dat->ks.ks); dat->block = (block128_f) vpaes_decrypt; dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? (cbc128_f) vpaes_cbc_encrypt : NULL; } else #endif { - ret = AES_set_decrypt_key(key, - EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &dat->ks.ks); + ret = AES_set_decrypt_key(key, keylen, &dat->ks.ks); dat->block = (block128_f) AES_decrypt; dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? (cbc128_f) AES_cbc_encrypt : NULL; 
@@ -2362,9 +2460,7 @@ static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, } else #ifdef HWAES_CAPABLE if (HWAES_CAPABLE) { - ret = HWAES_set_encrypt_key(key, - EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &dat->ks.ks); + ret = HWAES_set_encrypt_key(key, keylen, &dat->ks.ks); dat->block = (block128_f) HWAES_encrypt; dat->stream.cbc = NULL; # ifdef HWAES_cbc_encrypt @@ -2382,25 +2478,21 @@ static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, #endif #ifdef BSAES_CAPABLE if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) { - ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &dat->ks.ks); + ret = AES_set_encrypt_key(key, keylen, &dat->ks.ks); dat->block = (block128_f) AES_encrypt; dat->stream.ctr = (ctr128_f) ossl_bsaes_ctr32_encrypt_blocks; } else #endif #ifdef VPAES_CAPABLE if (VPAES_CAPABLE) { - ret = vpaes_set_encrypt_key(key, - EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &dat->ks.ks); + ret = vpaes_set_encrypt_key(key, keylen, &dat->ks.ks); dat->block = (block128_f) vpaes_encrypt; dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? (cbc128_f) vpaes_cbc_encrypt : NULL; } else #endif { - ret = AES_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &dat->ks.ks); + ret = AES_set_encrypt_key(key, keylen, &dat->ks.ks); dat->block = (block128_f) AES_encrypt; dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ? (cbc128_f) AES_cbc_encrypt : NULL; 
@@ -2711,13 +2803,21 @@ static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { EVP_AES_GCM_CTX *gctx = EVP_C_DATA(EVP_AES_GCM_CTX,ctx); - if (!iv && !key) + + if (iv == NULL && key == NULL) return 1; - if (key) { + + if (key != NULL) { + const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8; + + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } do { #ifdef HWAES_CAPABLE if (HWAES_CAPABLE) { - HWAES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks); + HWAES_set_encrypt_key(key, keylen, &gctx->ks.ks); CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) HWAES_encrypt); # ifdef HWAES_ctr32_encrypt_blocks @@ -2730,7 +2830,7 @@ static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, #endif #ifdef BSAES_CAPABLE if (BSAES_CAPABLE) { - AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks); + AES_set_encrypt_key(key, keylen, &gctx->ks.ks); CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) AES_encrypt); gctx->ctr = (ctr128_f) ossl_bsaes_ctr32_encrypt_blocks; @@ -2739,7 +2839,7 @@ static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, #endif #ifdef VPAES_CAPABLE if (VPAES_CAPABLE) { - vpaes_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks); + vpaes_set_encrypt_key(key, keylen, &gctx->ks.ks); CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) vpaes_encrypt); gctx->ctr = NULL; @@ -2748,7 +2848,7 @@ static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, #endif (void)0; /* terminate potentially open 'else' */ - AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks); + AES_set_encrypt_key(key, keylen, &gctx->ks.ks); CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f) AES_encrypt); #ifdef AES_CTR_ASM 
@@ -3091,9 +3191,9 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM, EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) - BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM, +BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM, EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) - BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM, +BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM, EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) @@ -3128,15 +3228,20 @@ static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, { EVP_AES_XTS_CTX *xctx = EVP_C_DATA(EVP_AES_XTS_CTX,ctx); - if (!iv && !key) + if (iv == NULL && key == NULL) return 1; - if (key) { + if (key != NULL) { do { /* The key is two half length keys in reality */ - const int bytes = EVP_CIPHER_CTX_get_key_length(ctx) / 2; + const int keylen = EVP_CIPHER_CTX_get_key_length(ctx); + const int bytes = keylen / 2; const int bits = bytes * 8; + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } /* * Verify that the two keys are different. * @@ -3275,7 +3380,7 @@ static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, | EVP_CIPH_CUSTOM_COPY) BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS) - BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS) +BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS) static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { @@ -3331,7 +3436,7 @@ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) case EVP_CTRL_AEAD_SET_IVLEN: arg = 15 - arg; - /* fall thru */ + /* fall through */ case EVP_CTRL_CCM_SET_L: if (arg < 2 || arg > 8) return 0; 
@@ -3382,15 +3487,21 @@ static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { EVP_AES_CCM_CTX *cctx = EVP_C_DATA(EVP_AES_CCM_CTX,ctx); - if (!iv && !key) + + if (iv == NULL && key == NULL) return 1; - if (key) + + if (key != NULL) { + const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8; + + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } do { #ifdef HWAES_CAPABLE if (HWAES_CAPABLE) { - HWAES_set_encrypt_key(key, - EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &cctx->ks.ks); + HWAES_set_encrypt_key(key, keylen, &cctx->ks.ks); CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, &cctx->ks, (block128_f) HWAES_encrypt); @@ -3401,9 +3512,7 @@ static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, #endif #ifdef VPAES_CAPABLE if (VPAES_CAPABLE) { - vpaes_set_encrypt_key(key, - EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &cctx->ks.ks); + vpaes_set_encrypt_key(key, keylen, &cctx->ks.ks); CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, &cctx->ks, (block128_f) vpaes_encrypt); cctx->str = NULL; @@ -3411,14 +3520,14 @@ static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, break; } #endif - AES_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &cctx->ks.ks); + AES_set_encrypt_key(key, keylen, &cctx->ks.ks); CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, &cctx->ks, (block128_f) AES_encrypt); cctx->str = NULL; cctx->key_set = 1; } while (0); - if (iv) { + } + if (iv != NULL) { memcpy(ctx->iv, iv, 15 - cctx->L); cctx->iv_set = 1; } 
@@ -3573,12 +3682,16 @@ static int aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, if (iv == NULL && key == NULL) return 1; if (key != NULL) { + const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8; + + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } if (EVP_CIPHER_CTX_is_encrypting(ctx)) - AES_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &wctx->ks.ks); + AES_set_encrypt_key(key, keylen, &wctx->ks.ks); else - AES_set_decrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &wctx->ks.ks); + AES_set_decrypt_key(key, keylen, &wctx->ks.ks); if (iv == NULL) wctx->iv = NULL; } @@ -3806,9 +3919,17 @@ static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { EVP_AES_OCB_CTX *octx = EVP_C_DATA(EVP_AES_OCB_CTX,ctx); - if (!iv && !key) + + if (iv == NULL && key == NULL) return 1; - if (key) { + + if (key != NULL) { + const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8; + + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } do { /* * We set both the encrypt and decrypt key here because decrypt @@ -3817,10 +3938,8 @@ static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, */ # ifdef HWAES_CAPABLE if (HWAES_CAPABLE) { - HWAES_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &octx->ksenc.ks); - HWAES_set_decrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &octx->ksdec.ks); + HWAES_set_encrypt_key(key, keylen, &octx->ksenc.ks); + HWAES_set_decrypt_key(key, keylen, &octx->ksdec.ks); if (!CRYPTO_ocb128_init(&octx->ocb, &octx->ksenc.ks, &octx->ksdec.ks, (block128_f) HWAES_encrypt, 
@@ -3833,12 +3952,8 @@ static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, # endif # ifdef VPAES_CAPABLE if (VPAES_CAPABLE) { - vpaes_set_encrypt_key(key, - EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &octx->ksenc.ks); - vpaes_set_decrypt_key(key, - EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &octx->ksdec.ks); + vpaes_set_encrypt_key(key, keylen, &octx->ksenc.ks); + vpaes_set_decrypt_key(key, keylen, &octx->ksdec.ks); if (!CRYPTO_ocb128_init(&octx->ocb, &octx->ksenc.ks, &octx->ksdec.ks, (block128_f) vpaes_encrypt, @@ -3848,10 +3963,8 @@ static int aes_ocb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, break; } # endif - AES_set_encrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &octx->ksenc.ks); - AES_set_decrypt_key(key, EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &octx->ksdec.ks); + AES_set_encrypt_key(key, keylen, &octx->ksenc.ks); + AES_set_decrypt_key(key, keylen, &octx->ksdec.ks); if (!CRYPTO_ocb128_init(&octx->ocb, &octx->ksenc.ks, &octx->ksdec.ks, (block128_f) AES_encrypt, @@ -3902,7 +4015,7 @@ static int aes_ocb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, if (in != NULL) { /* - * Need to ensure we are only passing full blocks to low level OCB + * Need to ensure we are only passing full blocks to low-level OCB * routines. We do it here rather than in EVP_EncryptUpdate/ * EVP_DecryptUpdate because we need to pass full blocks of AAD too * and those routines don't support that diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c index 4941f98e6..8843c8ae1 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha1.c +++ b/crypto/evp/e_aes_cbc_hmac_sha1.c @@ -1,5 +1,5 @@ /* - * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -72,15 +72,16 @@ static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, { EVP_AES_HMAC_SHA1 *key = data(ctx); int ret; + const int keylen = EVP_CIPHER_CTX_get_key_length(ctx) * 8; + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } if (enc) - ret = aesni_set_encrypt_key(inkey, - EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &key->ks); + ret = aesni_set_encrypt_key(inkey, keylen, &key->ks); else - ret = aesni_set_decrypt_key(inkey, - EVP_CIPHER_CTX_get_key_length(ctx) * 8, - &key->ks); + ret = aesni_set_decrypt_key(inkey, keylen, &key->ks); SHA1_Init(&key->head); /* handy when benchmarking */ key->tail = key->head; @@ -496,6 +497,12 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, # if defined(STITCHED_DECRYPT_CALL) unsigned char tail_iv[AES_BLOCK_SIZE]; int stitch = 0; + const int keylen = EVP_CIPHER_CTX_get_key_length(ctx); + + if (keylen <= 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_KEY_LENGTH); + return 0; + } # endif if ((key->aux.tls_aad[plen - 4] << 8 | key->aux.tls_aad[plen - 3]) @@ -513,7 +520,7 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, return 0; # if defined(STITCHED_DECRYPT_CALL) - if (len >= 1024 && ctx->key_len == 32) { + if (len >= 1024 && keylen == 32) { /* decrypt last block */ memcpy(tail_iv, in + len - 2 * AES_BLOCK_SIZE, AES_BLOCK_SIZE); @@ -734,7 +741,7 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, return ret; } else { # if defined(STITCHED_DECRYPT_CALL) - if (len >= 1024 && ctx->key_len == 32) { + if (len >= 1024 && keylen == 32) { if (sha_off %= SHA_CBLOCK) blocks = (len - 3 * SHA_CBLOCK) / SHA_CBLOCK; else diff --git a/crypto/evp/e_aria.c b/crypto/evp/e_aria.c index 7e1fda33e..059dd1e5a 100644 --- a/crypto/evp/e_aria.c +++ b/crypto/evp/e_aria.c 
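Review bot: `keylen` means two different units in this file after this change: in aesni_cbc_hmac_sha1_init_key it is the key length multiplied by 8 (bits, fed to aesni_set_*_key), while in aesni_cbc_hmac_sha1_cipher it is the raw byte count compared against 32. e_aes.c in this same diff has the same split (bits in aesni_init_key and aes_init_key, bytes in the s390x functions, and `bits` as a third name in the aes_t4 functions). Renaming the bit-valued one, `const int keybits = EVP_CIPHER_CTX_get_key_length(ctx) * 8;`, or at least commenting the unit at each declaration, prevents the next reader from comparing a bit count against a byte count.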
@@ -1,5 +1,5 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -593,7 +593,7 @@ static int aria_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) case EVP_CTRL_AEAD_SET_IVLEN: arg = 15 - arg; - /* fall thru */ + /* fall through */ case EVP_CTRL_CCM_SET_L: if (arg < 2 || arg > 8) return 0; diff --git a/crypto/evp/e_sm4.c b/crypto/evp/e_sm4.c index abd603015..eeb4fd8e0 100644 --- a/crypto/evp/e_sm4.c +++ b/crypto/evp/e_sm4.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2017 Ribose Inc. All Rights Reserved. * Ported from Ribose contributions from Botan. * 
@@ -17,92 +17,211 @@ # include # include "crypto/sm4.h" # include "crypto/evp.h" +# include "crypto/sm4_platform.h" # include "evp_local.h" typedef struct { - SM4_KEY ks; + union { + OSSL_UNION_ALIGN; + SM4_KEY ks; + } ks; + block128_f block; + union { + ecb128_f ecb; + cbc128_f cbc; + ctr128_f ctr; + } stream; } EVP_SM4_KEY; +# define BLOCK_CIPHER_generic(nid,blocksize,ivlen,nmode,mode,MODE,flags) \ +static const EVP_CIPHER sm4_##mode = { \ + nid##_##nmode,blocksize,128/8,ivlen, \ + flags|EVP_CIPH_##MODE##_MODE, \ + EVP_ORIG_GLOBAL, \ + sm4_init_key, \ + sm4_##mode##_cipher, \ + NULL, \ + sizeof(EVP_SM4_KEY), \ + NULL,NULL,NULL,NULL }; \ +const EVP_CIPHER *EVP_sm4_##mode(void) \ +{ return &sm4_##mode; } + +#define DEFINE_BLOCK_CIPHERS(nid,flags) \ + BLOCK_CIPHER_generic(nid,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ + BLOCK_CIPHER_generic(nid,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ + BLOCK_CIPHER_generic(nid,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ + BLOCK_CIPHER_generic(nid,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \ + BLOCK_CIPHER_generic(nid,1,16,ctr,ctr,CTR,flags) + static int sm4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { - ossl_sm4_set_key(key, EVP_CIPHER_CTX_get_cipher_data(ctx)); + int mode; + EVP_SM4_KEY *dat = EVP_C_DATA(EVP_SM4_KEY,ctx); + + mode = EVP_CIPHER_CTX_get_mode(ctx); + if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) + && !enc) { +#ifdef HWSM4_CAPABLE + if (HWSM4_CAPABLE) { + HWSM4_set_decrypt_key(key, &dat->ks.ks); + dat->block = (block128_f) HWSM4_decrypt; + dat->stream.cbc = NULL; +# ifdef HWSM4_cbc_encrypt + if (mode == EVP_CIPH_CBC_MODE) + dat->stream.cbc = (cbc128_f) HWSM4_cbc_encrypt; +# endif +# ifdef HWSM4_ecb_encrypt + if (mode == EVP_CIPH_ECB_MODE) + dat->stream.ecb = (ecb128_f) HWSM4_ecb_encrypt; +# endif + } else +#endif +#ifdef VPSM4_CAPABLE + if (VPSM4_CAPABLE) { + vpsm4_set_decrypt_key(key, &dat->ks.ks); + dat->block 
= (block128_f) vpsm4_decrypt; + dat->stream.cbc = NULL; + if (mode == EVP_CIPH_CBC_MODE) + dat->stream.cbc = (cbc128_f) vpsm4_cbc_encrypt; + else if (mode == EVP_CIPH_ECB_MODE) + dat->stream.ecb = (ecb128_f) vpsm4_ecb_encrypt; + } else +#endif + { + dat->block = (block128_f) ossl_sm4_decrypt; + ossl_sm4_set_key(key, EVP_CIPHER_CTX_get_cipher_data(ctx)); + } + } else +#ifdef HWSM4_CAPABLE + if (HWSM4_CAPABLE) { + HWSM4_set_encrypt_key(key, &dat->ks.ks); + dat->block = (block128_f) HWSM4_encrypt; + dat->stream.cbc = NULL; +# ifdef HWSM4_cbc_encrypt + if (mode == EVP_CIPH_CBC_MODE) + dat->stream.cbc = (cbc128_f) HWSM4_cbc_encrypt; + else +# endif +# ifdef HWSM4_ecb_encrypt + if (mode == EVP_CIPH_ECB_MODE) + dat->stream.ecb = (ecb128_f) HWSM4_ecb_encrypt; + else +# endif +# ifdef HWSM4_ctr32_encrypt_blocks + if (mode == EVP_CIPH_CTR_MODE) + dat->stream.ctr = (ctr128_f) HWSM4_ctr32_encrypt_blocks; + else +# endif + (void)0; /* terminate potentially open 'else' */ + } else +#endif +#ifdef VPSM4_CAPABLE + if (VPSM4_CAPABLE) { + vpsm4_set_encrypt_key(key, &dat->ks.ks); + dat->block = (block128_f) vpsm4_encrypt; + dat->stream.cbc = NULL; + if (mode == EVP_CIPH_CBC_MODE) + dat->stream.cbc = (cbc128_f) vpsm4_cbc_encrypt; + else if (mode == EVP_CIPH_ECB_MODE) + dat->stream.ecb = (ecb128_f) vpsm4_ecb_encrypt; + else if (mode == EVP_CIPH_CTR_MODE) + dat->stream.ctr = (ctr128_f) vpsm4_ctr32_encrypt_blocks; + } else +#endif + { + dat->block = (block128_f) ossl_sm4_encrypt; + ossl_sm4_set_key(key, EVP_CIPHER_CTX_get_cipher_data(ctx)); + } return 1; } -static void sm4_cbc_encrypt(const unsigned char *in, unsigned char *out, - size_t len, const SM4_KEY *key, - unsigned char *ivec, const int enc) +static int sm4_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t len) { - if (enc) - CRYPTO_cbc128_encrypt(in, out, len, key, ivec, - (block128_f)ossl_sm4_encrypt); + EVP_SM4_KEY *dat = EVP_C_DATA(EVP_SM4_KEY,ctx); + + if (dat->stream.cbc) + 
(*dat->stream.cbc) (in, out, len, &dat->ks.ks, ctx->iv, + EVP_CIPHER_CTX_is_encrypting(ctx)); + else if (EVP_CIPHER_CTX_is_encrypting(ctx)) + CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv, + dat->block); else - CRYPTO_cbc128_decrypt(in, out, len, key, ivec, - (block128_f)ossl_sm4_decrypt); + CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, + ctx->iv, dat->block); + return 1; } -static void sm4_cfb128_encrypt(const unsigned char *in, unsigned char *out, - size_t length, const SM4_KEY *key, - unsigned char *ivec, int *num, const int enc) +static int sm4_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t len) { - CRYPTO_cfb128_encrypt(in, out, length, key, ivec, num, enc, - (block128_f)ossl_sm4_encrypt); + EVP_SM4_KEY *dat = EVP_C_DATA(EVP_SM4_KEY,ctx); + int num = EVP_CIPHER_CTX_get_num(ctx); + + CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, + ctx->iv, &num, + EVP_CIPHER_CTX_is_encrypting(ctx), dat->block); + EVP_CIPHER_CTX_set_num(ctx, num); + return 1; } -static void sm4_ecb_encrypt(const unsigned char *in, unsigned char *out, - const SM4_KEY *key, const int enc) +static int sm4_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t len) { - if (enc) - ossl_sm4_encrypt(in, out, key); + size_t bl = EVP_CIPHER_CTX_get_block_size(ctx); + size_t i; + EVP_SM4_KEY *dat = EVP_C_DATA(EVP_SM4_KEY,ctx); + + if (len < bl) + return 1; + + if (dat->stream.ecb != NULL) + (*dat->stream.ecb) (in, out, len, &dat->ks.ks, + EVP_CIPHER_CTX_is_encrypting(ctx)); else - ossl_sm4_decrypt(in, out, key); + for (i = 0, len -= bl; i <= len; i += bl) + (*dat->block) (in + i, out + i, &dat->ks); + + return 1; } -static void sm4_ofb128_encrypt(const unsigned char *in, unsigned char *out, - size_t length, const SM4_KEY *key, - unsigned char *ivec, int *num) +static int sm4_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t len) { - CRYPTO_ofb128_encrypt(in, out, length, key, ivec, num, - 
(block128_f)ossl_sm4_encrypt); -} + EVP_SM4_KEY *dat = EVP_C_DATA(EVP_SM4_KEY,ctx); + int num = EVP_CIPHER_CTX_get_num(ctx); -IMPLEMENT_BLOCK_CIPHER(sm4, ks, sm4, EVP_SM4_KEY, NID_sm4, - 16, 16, 16, 128, EVP_CIPH_FLAG_DEFAULT_ASN1, - sm4_init_key, 0, 0, 0, 0) + CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, + ctx->iv, &num, dat->block); + EVP_CIPHER_CTX_set_num(ctx, num); + return 1; +} static int sm4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t len) { int n = EVP_CIPHER_CTX_get_num(ctx); unsigned int num; - EVP_SM4_KEY *dat = EVP_C_DATA(EVP_SM4_KEY, ctx); + EVP_SM4_KEY *dat = EVP_C_DATA(EVP_SM4_KEY,ctx); if (n < 0) return 0; num = (unsigned int)n; - CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, ctx->iv, - EVP_CIPHER_CTX_buf_noconst(ctx), &num, - (block128_f)ossl_sm4_encrypt); + if (dat->stream.ctr) + CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks, + ctx->iv, + EVP_CIPHER_CTX_buf_noconst(ctx), + &num, dat->stream.ctr); + else + CRYPTO_ctr128_encrypt(in, out, len, &dat->ks, + ctx->iv, + EVP_CIPHER_CTX_buf_noconst(ctx), &num, + dat->block); EVP_CIPHER_CTX_set_num(ctx, num); return 1; } -static const EVP_CIPHER sm4_ctr_mode = { - NID_sm4_ctr, 1, 16, 16, - EVP_CIPH_CTR_MODE, - EVP_ORIG_GLOBAL, - sm4_init_key, - sm4_ctr_cipher, - NULL, - sizeof(EVP_SM4_KEY), - NULL, NULL, NULL, NULL -}; - -const EVP_CIPHER *EVP_sm4_ctr(void) -{ - return &sm4_ctr_mode; -} - +DEFINE_BLOCK_CIPHERS(NID_sm4, 0) #endif diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index b178d1086..e6af8b1c7 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -68,7 +68,14 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx) EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) { - return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX)); + EVP_CIPHER_CTX *ctx; + + ctx = OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX)); + if (ctx == NULL) + return NULL; + + ctx->iv_len = -1; + return ctx; } void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) 
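Review bot: In sm4_init_key the two software fallback branches call `ossl_sm4_set_key(key, EVP_CIPHER_CTX_get_cipher_data(ctx))`, passing the whole EVP_SM4_KEY as if it were an SM4_KEY, while the HWSM4/VPSM4 branches in the same function write to `&dat->ks.ks`; this only works because the `ks` union is the struct's first member and union members share offset 0, and it breaks silently if a field is ever added ahead of it. `ossl_sm4_set_key(key, &dat->ks.ks);` in both places matches the hardware branches and removes the layout dependency. A minor style point: `DEFINE_BLOCK_CIPHERS` is written as `#define` while `BLOCK_CIPHER_generic` and the includes above it use the nested `# define`/`# include` indentation the file otherwise follows. The hunk begins several lines up at the `@@ -17,92 +17,211 @@` header.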
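Review bot: EVP_CIPHER_CTX_new now seeds `iv_len = -1` and the next hunk (`@@ -90,8 +97,6 @@`) removes the same assignment from evp_cipher_init_internal, so the sentinel is no longer re-established on re-initialisation; any path that zeroes the context without going through EVP_CIPHER_CTX_new — EVP_CIPHER_CTX_reset is the obvious one, and its body is outside this diff — must now set `ctx->iv_len = -1` itself or a reused context will report an iv length of 0. Please confirm reset does so. For symmetry, `key_len` is left at its zalloc value of 0 here while the commit uses `key_len = -1` as the "unknown" marker in EVP_CIPHER_CTX_ctrl and EVP_CIPHER_CTX_set_params; either seed it to -1 alongside `iv_len` or comment why 0 is the intended initial value.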
@@ -90,8 +97,6 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, ENGINE *tmpimpl = NULL; #endif - ctx->iv_len = -1; - /* * enc == 1 means we are encrypting. * enc == 0 means we are decrypting. @@ -994,7 +999,7 @@ int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, int keylen) if (c->cipher->prov != NULL) { int ok; OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; - size_t len = keylen; + size_t len; if (EVP_CIPHER_CTX_get_key_length(c) == keylen) return 1; @@ -1007,9 +1012,13 @@ int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, int keylen) } params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, &len); + if (!OSSL_PARAM_set_int(params, keylen)) + return 0; ok = evp_do_ciph_ctx_setparams(c->cipher, c->algctx, params); - - return ok > 0 ? 1 : 0; + if (ok <= 0) + return 0; + c->key_len = keylen; + return 1; } /* Code below to be removed when legacy support is dropped. */ @@ -1070,6 +1079,7 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) switch (type) { case EVP_CTRL_SET_KEY_LENGTH: params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, &sz); + ctx->key_len = -1; break; case EVP_CTRL_RAND_KEY: /* Used by DES */ set_params = 0; 
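Review bot: In the EVP_CTRL_SET_KEY_LENGTH case, `ctx->key_len = -1;` is written before the provider has been asked to accept the new length, so the intent (drop the cached value and let EVP_CIPHER_CTX_get_key_length() re-query it) is not obvious from the line. A short comment, `ctx->key_len = -1; /* invalidate the cached length; re-queried on next get */`, would make that clear. It is also slightly inconsistent with EVP_CIPHER_CTX_set_key_length() in the hunk above, which caches `keylen` on success; caching `arg` here once the set succeeds would save a provider round-trip, though the set_params call sits outside this hunk so I cannot see where success is known. EVP_CIPHER_CTX_ctrl() continues outside the hunk.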
@@ -1265,11 +1275,27 @@ int EVP_CIPHER_get_params(EVP_CIPHER *cipher, OSSL_PARAM params[]) int EVP_CIPHER_CTX_set_params(EVP_CIPHER_CTX *ctx, const OSSL_PARAM params[]) { + int r = 0; + const OSSL_PARAM *p; + if (ctx->cipher != NULL && ctx->cipher->set_ctx_params != NULL) { - ctx->iv_len = -1; - return ctx->cipher->set_ctx_params(ctx->algctx, params); + r = ctx->cipher->set_ctx_params(ctx->algctx, params); + if (r > 0) { + p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN); + if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->key_len)) { + r = 0; + ctx->key_len = -1; + } + } + if (r > 0) { + p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN); + if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->iv_len)) { + r = 0; + ctx->iv_len = -1; + } + } } - return 0; + return r; } int EVP_CIPHER_CTX_get_params(EVP_CIPHER_CTX *ctx, OSSL_PARAM params[]) @@ -1365,6 +1391,17 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key) #endif /* FIPS_MODULE */ } +EVP_CIPHER_CTX *EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in) +{ + EVP_CIPHER_CTX *out = EVP_CIPHER_CTX_new(); + + if (out != NULL && !EVP_CIPHER_CTX_copy(out, in)) { + EVP_CIPHER_CTX_free(out); + out = NULL; + } + return out; +} + int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) { if ((in == NULL) || (in->cipher == NULL)) { diff --git a/crypto/evp/evp_fetch.c b/crypto/evp/evp_fetch.c index aafd927e6..4908f6cfe 100644 --- a/crypto/evp/evp_fetch.c +++ b/crypto/evp/evp_fetch.c 
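Review bot: The cache update after `set_ctx_params` records the value the caller asked for, not the value the provider accepted: a provider that ignores an OSSL_CIPHER_PARAM_KEYLEN or OSSL_CIPHER_PARAM_IVLEN it does not understand and still returns success leaves `ctx->key_len`/`ctx->iv_len` disagreeing with the algctx. Likewise, if OSSL_PARAM_get_int() fails the function returns 0 although the provider has already applied the parameters, so the caller cannot tell that the context was modified. A comment stating the assumption, `/* assumes a provider that accepted KEYLEN/IVLEN applied them as given */`, would at least make it explicit; the more robust alternative is to reset both fields to -1 here and let the getters re-query the provider on demand, as EVP_CIPHER_CTX_get_key_length() already does for a negative cached value.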
@@ -17,30 +17,11 @@ #include "internal/core.h" #include "internal/provider.h" #include "internal/namemap.h" -#include "internal/property.h" #include "crypto/evp.h" /* evp_local.h needs it */ #include "evp_local.h" #define NAME_SEPARATOR ':' -static void evp_method_store_free(void *vstore) -{ - ossl_method_store_free(vstore); -} - -static void *evp_method_store_new(OSSL_LIB_CTX *ctx) -{ - return ossl_method_store_new(ctx); -} - - -static const OSSL_LIB_CTX_METHOD evp_method_store_method = { - /* We want evp_method_store to be cleaned up before the provider store */ - OSSL_LIB_CTX_METHOD_PRIORITY_2, - evp_method_store_new, - evp_method_store_free, -}; - /* Data to be passed through ossl_method_construct() */ struct evp_method_data_st { OSSL_LIB_CTX *libctx; @@ -79,8 +60,7 @@ static void *get_tmp_evp_method_store(void *data) static OSSL_METHOD_STORE *get_evp_method_store(OSSL_LIB_CTX *libctx) { - return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_EVP_METHOD_STORE_INDEX, - &evp_method_store_method); + return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_EVP_METHOD_STORE_INDEX); } static int reserve_evp_method_store(void *store, void *data) @@ -142,7 +122,7 @@ static void *get_evp_method_from_store(void *store, const OSSL_PROVIDER **prov, { struct evp_method_data_st *methdata = data; void *method = NULL; - int name_id = 0; + int name_id; uint32_t meth_id; /* @@ -259,8 +239,7 @@ static void destruct_evp_method(void *method, void *data) static void * inner_evp_generic_fetch(struct evp_method_data_st *methdata, OSSL_PROVIDER *prov, int operation_id, - int name_id, const char *name, - const char *properties, + const char *name, const char *properties, void *(*new_method)(int name_id, const OSSL_ALGORITHM *algodef, OSSL_PROVIDER *prov), 
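Review bot: Dropping the initializer from `int name_id;` in get_evp_method_from_store() is only safe if every path assigns the variable before its first read; the hunk shows neither the assignment nor the read, so that cannot be confirmed from here, and an uninitialized read would make a method lookup depend on stack contents. If the variable is unconditionally assigned a few lines later this is fine and merely avoids a dead store; otherwise keep `int name_id = 0;`. get_evp_method_from_store() continues outside the hunk.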
@@ -272,7 +251,7 @@ inner_evp_generic_fetch(struct evp_method_data_st *methdata, const char *const propq = properties != NULL ? properties : ""; uint32_t meth_id = 0; void *method = NULL; - int unsupported = 0; + int unsupported, name_id; if (store == NULL || namemap == NULL) { ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_INVALID_ARGUMENT); @@ -288,18 +267,8 @@ inner_evp_generic_fetch(struct evp_method_data_st *methdata, return NULL; } - /* - * If we have been passed both a name_id and a name, we have an - * internal programming error. - */ - if (!ossl_assert(name_id == 0 || name == NULL)) { - ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); - return NULL; - } - /* If we haven't received a name id yet, try to get one for the name */ - if (name_id == 0 && name != NULL) - name_id = ossl_namemap_name2num(namemap, name); + name_id = name != NULL ? ossl_namemap_name2num(namemap, name) : 0; /* * If we have a name id, calculate a method id with evp_method_id(). @@ -318,8 +287,7 @@ inner_evp_generic_fetch(struct evp_method_data_st *methdata, * If we haven't found the name yet, chances are that the algorithm to * be fetched is unsupported. */ - if (name_id == 0) - unsupported = 1; + unsupported = name_id == 0; if (meth_id == 0 || !ossl_method_store_cache_get(store, prov, meth_id, propq, &method)) { 
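Review bot: The context line `/* If we haven't received a name id yet, try to get one for the name */` above the new `name_id = name != NULL ? ... : 0;` is stale: with the name_id parameter removed there is no longer a case where an id was received, the id is always derived here. Suggest `/* Derive the name id from the name, if one was given (0 otherwise) */`. The later `unsupported = name_id == 0;` reads better with parentheses, `unsupported = (name_id == 0);`, since assigning a comparison result is easy to misread as a typo. inner_evp_generic_fetch() continues outside the hunk.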
@@ -394,34 +362,7 @@ void *evp_generic_fetch(OSSL_LIB_CTX *libctx, int operation_id, methdata.libctx = libctx; methdata.tmp_store = NULL; method = inner_evp_generic_fetch(&methdata, NULL, operation_id, - 0, name, properties, - new_method, up_ref_method, free_method); - dealloc_tmp_evp_method_store(methdata.tmp_store); - return method; -} - -/* - * evp_generic_fetch_by_number() is special, and only returns methods for - * already known names, i.e. it refuses to work if no name_id can be found - * (it's considered an internal programming error). - * This is meant to be used when one method needs to fetch an associated - * method. - */ -void *evp_generic_fetch_by_number(OSSL_LIB_CTX *libctx, int operation_id, - int name_id, const char *properties, - void *(*new_method)(int name_id, - const OSSL_ALGORITHM *algodef, - OSSL_PROVIDER *prov), - int (*up_ref_method)(void *), - void (*free_method)(void *)) -{ - struct evp_method_data_st methdata; - void *method; - - methdata.libctx = libctx; - methdata.tmp_store = NULL; - method = inner_evp_generic_fetch(&methdata, NULL, operation_id, - name_id, NULL, properties, + name, properties, new_method, up_ref_method, free_method); dealloc_tmp_evp_method_store(methdata.tmp_store); return method; @@ -447,7 +388,7 @@ void *evp_generic_fetch_from_prov(OSSL_PROVIDER *prov, int operation_id, methdata.libctx = ossl_provider_libctx(prov); methdata.tmp_store = NULL; method = inner_evp_generic_fetch(&methdata, prov, operation_id, - 0, name, properties, + name, properties, new_method, up_ref_method, free_method); dealloc_tmp_evp_method_store(methdata.tmp_store); return method; @@ -651,7 +592,7 @@ void evp_generic_do_all(OSSL_LIB_CTX *libctx, int operation_id, methdata.libctx = libctx; methdata.tmp_store = NULL; - (void)inner_evp_generic_fetch(&methdata, NULL, operation_id, 0, NULL, NULL, + (void)inner_evp_generic_fetch(&methdata, NULL, operation_id, NULL, NULL, new_method, up_ref_method, free_method); data.operation_id = operation_id; 
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index 4f3d901eb..5dec2dffd 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -652,14 +652,28 @@ int EVP_CIPHER_get_key_length(const EVP_CIPHER *cipher) int EVP_CIPHER_CTX_get_key_length(const EVP_CIPHER_CTX *ctx) { - int ok; - size_t v = ctx->key_len; - OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; + if (ctx->key_len <= 0 && ctx->cipher->prov != NULL) { + int ok; + OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; + size_t len; - params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, &v); - ok = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params); + params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, &len); + ok = evp_do_ciph_ctx_getparams(ctx->cipher, ctx->algctx, params); + if (ok <= 0) + return EVP_CTRL_RET_UNSUPPORTED; - return ok != 0 ? (int)v : EVP_CTRL_RET_UNSUPPORTED; + /*- + * The if branch should never be taken since EVP_MAX_KEY_LENGTH is + * less than INT_MAX but best to be safe. + * + * Casting away the const is annoying but required here. We need to + * cache the result for performance reasons. + */ + if (!OSSL_PARAM_get_int(params, &((EVP_CIPHER_CTX *)ctx)->key_len)) + return -1; + ((EVP_CIPHER_CTX *)ctx)->key_len = (int)len; + } + return ctx->key_len; } int EVP_CIPHER_get_nid(const EVP_CIPHER *cipher) diff --git a/crypto/evp/evp_local.h b/crypto/evp/evp_local.h index 3ccfaeb37..a85317445 100644 --- a/crypto/evp/evp_local.h +++ b/crypto/evp/evp_local.h 
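Review bot: In EVP_CIPHER_CTX_get_key_length() the line `((EVP_CIPHER_CTX *)ctx)->key_len = (int)len;` is redundant and undoes the range check on the line before it: OSSL_PARAM_get_int() already stored the converted value into `key_len` and returned failure if `len` did not fit an int, after which the unchecked cast rewrites the same field. Drop that line (or drop the OSSL_PARAM_get_int() call and keep an explicit `len > INT_MAX` check, but not both). Note also that `if (ctx->key_len <= 0 && ctx->cipher->prov != NULL)` now skips the provider query entirely for legacy ciphers; whether a legacy cipher always has a positive cached `key_len` at this point is not visible in this hunk.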
@@ -270,13 +270,6 @@ void *evp_generic_fetch(OSSL_LIB_CTX *ctx, int operation_id, OSSL_PROVIDER *prov), int (*up_ref_method)(void *), void (*free_method)(void *)); -void *evp_generic_fetch_by_number(OSSL_LIB_CTX *ctx, int operation_id, - int name_id, const char *properties, - void *(*new_method)(int name_id, - const OSSL_ALGORITHM *algodef, - OSSL_PROVIDER *prov), - int (*up_ref_method)(void *), - void (*free_method)(void *)); void *evp_generic_fetch_from_prov(OSSL_PROVIDER *prov, int operation_id, const char *name, const char *properties, void *(*new_method)(int name_id, diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c index 5f6720d2c..c42c16128 100644 --- a/crypto/evp/evp_pbe.c +++ b/crypto/evp/evp_pbe.c @@ -77,6 +77,10 @@ static const EVP_PBE_CTL builtin_pbe[] = { NID_id_GostR3411_2012_256, 0}, {EVP_PBE_TYPE_PRF, NID_id_tc26_hmac_gost_3411_2012_512, -1, NID_id_GostR3411_2012_512, 0}, + {EVP_PBE_TYPE_PRF, NID_hmac_sha3_224, -1, NID_sha3_224, 0}, + {EVP_PBE_TYPE_PRF, NID_hmac_sha3_256, -1, NID_sha3_256, 0}, + {EVP_PBE_TYPE_PRF, NID_hmac_sha3_384, -1, NID_sha3_384, 0}, + {EVP_PBE_TYPE_PRF, NID_hmac_sha3_512, -1, NID_sha3_512, 0}, {EVP_PBE_TYPE_PRF, NID_hmacWithSHA512_224, -1, NID_sha512_224, 0}, {EVP_PBE_TYPE_PRF, NID_hmacWithSHA512_256, -1, NID_sha512_256, 0}, {EVP_PBE_TYPE_KDF, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen, &PKCS5_v2_PBKDF2_keyivgen_ex}, diff --git a/crypto/evp/evp_pkey.c b/crypto/evp/evp_pkey.c index 8f3f15037..21e906267 100644 --- a/crypto/evp/evp_pkey.c +++ b/crypto/evp/evp_pkey.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
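Review bot: The four new EVP_PBE_TYPE_PRF rows for HMAC-SHA3 are inserted between the GOST 2012-512 and hmacWithSHA512_224 rows; if `builtin_pbe` is still searched with the OBJ_bsearch-based lookup (not visible here), the table must stay sorted by (pbe_type, pbe_nid), so the placement is only correct if NID_hmac_sha3_224..512 sort between those two NIDs, which is worth confirming against obj_mac.h rather than assuming. A short comment above the table stating the requirement, `/* keep sorted by pbe_type then pbe_nid: looked up by binary search */`, would protect future additions. This also silently extends which PRFs are accepted when parsing PKCS#5/PKCS#12 PBKDF2 parameters, which deserves a CHANGES entry.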
@@ -15,6 +15,7 @@ #include #include #include "internal/provider.h" +#include "internal/sizes.h" #include "crypto/asn1.h" #include "crypto/evp.h" #include "crypto/x509.h" @@ -73,6 +74,13 @@ EVP_PKEY *EVP_PKCS82PKEY_ex(const PKCS8_PRIV_KEY_INFO *p8, OSSL_LIB_CTX *libctx, int selection; size_t len; OSSL_DECODER_CTX *dctx = NULL; + const ASN1_OBJECT *algoid = NULL; + char keytype[OSSL_MAX_NAME_SIZE]; + + if (p8 == NULL + || !PKCS8_pkey_get0(&algoid, NULL, NULL, NULL, p8) + || !OBJ_obj2txt(keytype, sizeof(keytype), algoid, 0)) + return NULL; if ((encoded_len = i2d_PKCS8_PRIV_KEY_INFO(p8, &encoded_data)) <= 0 || encoded_data == NULL) @@ -82,7 +90,20 @@ EVP_PKEY *EVP_PKCS82PKEY_ex(const PKCS8_PRIV_KEY_INFO *p8, OSSL_LIB_CTX *libctx, len = encoded_len; selection = EVP_PKEY_KEYPAIR | EVP_PKEY_KEY_PARAMETERS; dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", "PrivateKeyInfo", - NULL, selection, libctx, propq); + keytype, selection, libctx, propq); + + if (dctx != NULL && OSSL_DECODER_CTX_get_num_decoders(dctx) == 0) { + OSSL_DECODER_CTX_free(dctx); + + /* + * This could happen if OBJ_obj2txt() returned a text OID and the + * decoder has not got that OID as an alias. We fall back to a NULL + * keytype + */ + dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", "PrivateKeyInfo", + NULL, selection, libctx, propq); + } + if (dctx == NULL || !OSSL_DECODER_from_data(dctx, &p8_data, &len)) /* try legacy */ diff --git a/crypto/evp/evp_rand.c b/crypto/evp/evp_rand.c index c36dbdc56..3031ecbcc 100644 --- a/crypto/evp/evp_rand.c +++ b/crypto/evp/evp_rand.c @@ -320,7 +320,7 @@ int EVP_RAND_get_params(EVP_RAND *rand, OSSL_PARAM params[]) return 1; } -static int evp_rand_ctx_up_ref(EVP_RAND_CTX *ctx) +int EVP_RAND_CTX_up_ref(EVP_RAND_CTX *ctx) { int ref = 0; 
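Review bot: The new early `return NULL` for a NULL `p8` or a failed OBJ_obj2txt() in EVP_PKCS82PKEY_ex() adds nothing to the error queue, so a caller gets NULL with no diagnostic; `ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER)` for the first case and an ERR_R_INTERNAL_ERROR for the second would match the usual EVP convention. Separately, OBJ_obj2txt() truncates silently and still returns a positive length when the textual OID does not fit `keytype`, so an overlong dotted OID ends up as a truncated keytype; the later `OSSL_DECODER_CTX_get_num_decoders(dctx) == 0` fallback appears to absorb that, but its comment only mentions an unknown alias, so extend it: `/* ... or the name was truncated by OBJ_obj2txt() */`. EVP_PKCS82PKEY_ex() continues outside the hunk.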
@@ -345,7 +345,7 @@ EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, EVP_RAND_CTX *parent) return NULL; } if (parent != NULL) { - if (!evp_rand_ctx_up_ref(parent)) { + if (!EVP_RAND_CTX_up_ref(parent)) { ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); CRYPTO_THREAD_lock_free(ctx->refcnt_lock); OPENSSL_free(ctx); diff --git a/crypto/evp/keymgmt_meth.c b/crypto/evp/keymgmt_meth.c index 90fd8068d..5fab4a763 100644 --- a/crypto/evp/keymgmt_meth.c +++ b/crypto/evp/keymgmt_meth.c @@ -203,16 +203,6 @@ static void *keymgmt_from_algorithm(int name_id, return keymgmt; } -EVP_KEYMGMT *evp_keymgmt_fetch_by_number(OSSL_LIB_CTX *ctx, int name_id, - const char *properties) -{ - return evp_generic_fetch_by_number(ctx, - OSSL_OP_KEYMGMT, name_id, properties, - keymgmt_from_algorithm, - (int (*)(void *))EVP_KEYMGMT_up_ref, - (void (*)(void *))EVP_KEYMGMT_free); -} - EVP_KEYMGMT *evp_keymgmt_fetch_from_prov(OSSL_PROVIDER *prov, const char *name, const char *properties) diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index 76a6814b4..630d339c3 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c @@ -51,15 +51,8 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, void *provkey = NULL; int ret, iter, reinit = 1; - if (ctx->algctx != NULL) { - if (!ossl_assert(ctx->digest != NULL)) { - ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); - return 0; - } - if (ctx->digest->freectx != NULL) - ctx->digest->freectx(ctx->algctx); - ctx->algctx = NULL; - } + if (!evp_md_ctx_free_algctx(ctx)) + return 0; if (ctx->pctx == NULL) { reinit = 0; 
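Review bot: Replacing the inline release with `evp_md_ctx_free_algctx(ctx)` preserves the failure path only if the helper does what the removed code did: raise EVP_R_INITIALIZATION_ERROR when `ctx->algctx` is set but `ctx->digest` is NULL, and reset `ctx->algctx` to NULL afterwards. Neither property is visible in this hunk, so please confirm the helper does both; if it raises nothing, the new `return 0` leaves the error queue empty. A one-line comment, `/* releases any provider digest ctx; fails (with an error) if digest is unset */`, would document the dependency. do_sigver_init() continues outside the hunk.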
@@ -239,7 +232,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, * This might be requested by a later call to EVP_MD_CTX_get0_md(). * In that case the "explicit fetch" rules apply for that * function (as per man pages), i.e. the ref count is not updated - * so the EVP_MD should not be used beyound the lifetime of the + * so the EVP_MD should not be used beyond the lifetime of the * EVP_MD_CTX. */ ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props); diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 5803974c3..56f56bcb1 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -447,7 +447,7 @@ static EVP_PKEY *new_raw_key_int(OSSL_LIB_CTX *libctx, } if (!pkey_set_type(pkey, e, nidtype, strtype, -1, NULL)) { - /* EVPerr already called */ + /* ERR_raise(ERR_LIB_EVP, ...) already called */ goto err; } @@ -1324,6 +1324,8 @@ static int evp_pkey_asn1_ctrl(EVP_PKEY *pkey, int op, int arg1, void *arg2) int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid) { + if (pkey == NULL) + return 0; return evp_pkey_asn1_ctrl(pkey, ASN1_PKEY_CTRL_DEFAULT_MD_NID, 0, pnid); } @@ -1374,7 +1376,9 @@ int EVP_PKEY_digestsign_supports_digest(EVP_PKEY *pkey, OSSL_LIB_CTX *libctx, int EVP_PKEY_set1_encoded_public_key(EVP_PKEY *pkey, const unsigned char *pub, size_t publen) { - if (pkey != NULL && evp_pkey_is_provided(pkey)) + if (pkey == NULL) + return 0; + if (evp_pkey_is_provided(pkey)) return EVP_PKEY_set_octet_string_param(pkey, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, 
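Review bot: The added `if (pkey == NULL) return 0;` in EVP_PKEY_get_default_digest_nid() fails without raising an error, so callers that inspect the error queue see nothing; `ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER)` before the return is the conventional form. Whether 0 is the right failure value depends on the function's documented return codes (advisory/mandatory/unsupported), which are not visible here; if a negative "unsupported" value exists, confirm that 0 is what the man page promises for a plain error so that callers do not misread the NULL case as "no mandatory digest".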
@@ -1393,7 +1397,9 @@ size_t EVP_PKEY_get1_encoded_public_key(EVP_PKEY *pkey, unsigned char **ppub) { int rv; - if (pkey != NULL && evp_pkey_is_provided(pkey)) { + if (pkey == NULL) + return 0; + if (evp_pkey_is_provided(pkey)) { size_t return_size = OSSL_PARAM_UNMODIFIED; unsigned char *buf; diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c index 475082d43..d84d01297 100644 --- a/crypto/evp/p_seal.c +++ b/crypto/evp/p_seal.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -15,7 +15,6 @@ #include #include #include -#include int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char **ek, int *ekl, unsigned char *iv, diff --git a/crypto/ffc/ffc_backend.c b/crypto/ffc/ffc_backend.c index dbd28b0e6..fe0a82eac 100644 --- a/crypto/ffc/ffc_backend.c +++ b/crypto/ffc/ffc_backend.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -111,6 +111,7 @@ int ossl_ffc_params_fromdata(FFC_PARAMS *ffc, const OSSL_PARAM params[]) if (p1 != NULL) { if (p1->data_type != OSSL_PARAM_UTF8_STRING) goto err; + props = p1->data; } if (!ossl_ffc_set_digest(ffc, prm->data, props)) goto err; diff --git a/crypto/ffc/ffc_params.c b/crypto/ffc/ffc_params.c index fb558f822..3536efd1a 100644 --- a/crypto/ffc/ffc_params.c +++ b/crypto/ffc/ffc_params.c 
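Review bot: `props = p1->data;` in ossl_ffc_params_fromdata() stores a raw pointer into the caller's OSSL_PARAM buffer, and the visible `data_type` check does not guarantee the string is NUL-terminated. `OSSL_PARAM_get_utf8_string_ptr()` performs the type check and the retrieval in one step and is the idiomatic form: `if (p1 != NULL && !OSSL_PARAM_get_utf8_string_ptr(p1, &props)) goto err;`. Whether ossl_ffc_set_digest() copies the string or keeps the pointer is not visible here; if it keeps it, the FFC_PARAMS now references memory whose lifetime is the caller's params array, which deserves a comment at the call. ossl_ffc_params_fromdata() continues outside the hunk.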
@@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -182,6 +182,8 @@ int ossl_ffc_params_copy(FFC_PARAMS *dst, const FFC_PARAMS *src) || !ffc_bn_cpy(&dst->j, src->j)) return 0; + dst->mdname = src->mdname; + dst->mdprops = src->mdprops; OPENSSL_free(dst->seed); dst->seedlen = src->seedlen; if (src->seed != NULL) { diff --git a/crypto/ffc/ffc_params_generate.c b/crypto/ffc/ffc_params_generate.c index 6b018edff..522525b9c 100644 --- a/crypto/ffc/ffc_params_generate.c +++ b/crypto/ffc/ffc_params_generate.c @@ -435,7 +435,7 @@ static int generate_q_fips186_2(BN_CTX *ctx, BIGNUM *q, const EVP_MD *evpmd, } if (r != 0) goto err; /* Exit if error */ - /* Try another iteration if it wasnt prime - was in old code.. */ + /* Try another iteration if it wasn't prime - was in old code.. */ generate_seed = 1; } err: @@ -621,7 +621,7 @@ int ossl_ffc_params_FIPS186_4_gen_verify(OSSL_LIB_CTX *libctx, p = params->p; q = params->q; goto g_only; - /* otherwise fall thru to validate p & q */ + /* otherwise fall through to validate p & q */ } /* p & q will be used for generation and validation */ @@ -922,7 +922,7 @@ int ossl_ffc_params_FIPS186_2_gen_verify(OSSL_LIB_CTX *libctx, p = params->p; q = params->q; goto g_only; - /* otherwise fall thru to validate p and q */ + /* otherwise fall through to validate p and q */ } use_random_seed = (seed_in == NULL); diff --git a/crypto/getenv.c b/crypto/getenv.c index e79b6cc16..fe8444f41 100644 --- a/crypto/getenv.c +++ b/crypto/getenv.c 
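Review bot: `dst->mdname = src->mdname; dst->mdprops = src->mdprops;` in ossl_ffc_params_copy() copies the pointers, so after the copy both structures reference the same strings. That is correct only if these fields are borrowed (never freed by FFC_PARAMS), which the hunk does not show; if they are owned, dst dangles once src is freed and an OPENSSL_strdup() with matching cleanup would be needed instead. Either way, a comment stating the ownership rule at the assignment, `/* mdname/mdprops are not owned by FFC_PARAMS: shared by reference */`, would stop the next reader from guessing. ossl_ffc_params_copy() continues outside the hunk.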
@@ -1,5 +1,5 @@ /* - * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -13,7 +13,7 @@ #include #include "internal/cryptlib.h" -#include "e_os.h" +#include "internal/e_os.h" char *ossl_safe_getenv(const char *name) { diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c index 0d62f1c7b..6eb564bee 100644 --- a/crypto/http/http_client.c +++ b/crypto/http/http_client.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Siemens AG 2018-2020 * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -8,7 +8,7 @@ * https://www.openssl.org/source/license.html */ -#include "e_os.h" +#include "internal/e_os.h" #include #include #include "crypto/ctype.h" @@ -20,6 +20,7 @@ #include #include #include +#include #include "internal/sockets.h" #include "internal/cryptlib.h" /* for ossl_assert() */ @@ -51,7 +52,7 @@ struct ossl_http_req_ctx_st { void *upd_arg; /* Optional arg for update callback function */ int use_ssl; /* Use HTTPS */ char *proxy; /* Optional proxy name or URI */ - char *server; /* Optional server host name */ + char *server; /* Optional server hostname */ char *port; /* Optional server port */ BIO *mem; /* Mem BIO holding request header or response */ BIO *req; /* BIO holding the request provided by caller */ @@ -513,6 +514,7 @@ static int may_still_retry(time_t max_time, int *ptimeout) int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) { int i, found_expected_ct = 0, found_keep_alive = 0; + int found_text_ct = 0; long n; size_t resp_len; const unsigned char *p; 
@@ -564,18 +566,24 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) } rctx->state = OHS_WRITE_INIT; - /* fall thru */ + /* fall through */ case OHS_WRITE_INIT: rctx->len_to_send = BIO_get_mem_data(rctx->mem, &rctx->pos); rctx->state = OHS_WRITE_HDR; + if (OSSL_TRACE_ENABLED(HTTP)) + OSSL_TRACE(HTTP, "Sending request header:\n"); - /* fall thru */ + /* fall through */ case OHS_WRITE_HDR: /* Copy some chunk of data from rctx->mem to rctx->wbio */ case OHS_WRITE_REQ: /* Copy some chunk of data from rctx->req to rctx->wbio */ if (rctx->len_to_send > 0) { + if (OSSL_TRACE_ENABLED(HTTP) + && rctx->state == OHS_WRITE_HDR && rctx->len_to_send <= INT_MAX) + OSSL_TRACE2(HTTP, "%.*s", (int)rctx->len_to_send, rctx->pos); + i = BIO_write(rctx->wbio, rctx->pos, rctx->len_to_send); if (i <= 0) { if (BIO_should_retry(rctx->wbio)) @@ -605,7 +613,7 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) } rctx->state = OHS_FLUSH; - /* fall thru */ + /* fall through */ case OHS_FLUSH: i = BIO_flush(rctx->wbio); @@ -659,6 +667,13 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) return 0; } + /* dump all response header lines */ + if (OSSL_TRACE_ENABLED(HTTP)) { + if (rctx->state == OHS_FIRSTLINE) + OSSL_TRACE(HTTP, "Received response header:\n"); + OSSL_TRACE1(HTTP, "%s", buf); + } + /* First line */ if (rctx->state == OHS_FIRSTLINE) { switch (parse_http_line1(buf, &found_keep_alive)) { 
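Review bot: The request-header trace in OHS_WRITE_HDR runs on every entry to that state, not once: on a non-blocking BIO that reports retry, or after a partial BIO_write(), the remaining bytes of the header are logged again on each re-entry, so the trace shows duplicated fragments. Emitting it in OHS_WRITE_INIT right after `len_to_send` is set, `if (OSSL_TRACE_ENABLED(HTTP) && rctx->len_to_send <= INT_MAX) OSSL_TRACE2(HTTP, "%.*s", (int)rctx->len_to_send, rctx->pos);`, logs the header exactly once and keeps the INT_MAX guard. Note also that the full header may carry credentials (Authorization/Proxy-Authorization headers added by the caller, if any), so the HTTP trace category now exposes them; the trace documentation should say so. OSSL_HTTP_REQ_CTX_nbio() continues outside the hunk.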
@@ -697,15 +712,20 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) rctx->redirection_url = value; return 0; } - if (rctx->state == OHS_HEADERS && rctx->expected_ct != NULL - && OPENSSL_strcasecmp(key, "Content-Type") == 0) { - if (OPENSSL_strcasecmp(rctx->expected_ct, value) != 0) { - ERR_raise_data(ERR_LIB_HTTP, HTTP_R_UNEXPECTED_CONTENT_TYPE, - "expected=%s, actual=%s", - rctx->expected_ct, value); - return 0; + if (OPENSSL_strcasecmp(key, "Content-Type") == 0) { + if (rctx->state == OHS_HEADERS + && rctx->expected_ct != NULL) { + if (OPENSSL_strcasecmp(rctx->expected_ct, value) != 0) { + ERR_raise_data(ERR_LIB_HTTP, + HTTP_R_UNEXPECTED_CONTENT_TYPE, + "expected=%s, actual=%s", + rctx->expected_ct, value); + return 0; + } + found_expected_ct = 1; } - found_expected_ct = 1; + if (OPENSSL_strncasecmp(value, "text/", 5) == 0) + found_text_ct = 1; } /* https://tools.ietf.org/html/rfc7230#section-6.3 Persistence */ @@ -745,8 +765,12 @@ int OSSL_HTTP_REQ_CTX_nbio(OSSL_HTTP_REQ_CTX *rctx) rctx->keep_alive = 0; } - if (rctx->state == OHS_ERROR) + if (rctx->state == OHS_ERROR) { + if (OSSL_TRACE_ENABLED(HTTP) + && found_text_ct && BIO_get_mem_data(rctx->mem, &p) > 0) + OSSL_TRACE1(HTTP, "%s", p); return 0; + } if (rctx->expected_ct != NULL && !found_expected_ct) { ERR_raise_data(ERR_LIB_HTTP, HTTP_R_MISSING_CONTENT_TYPE, @@ -1122,7 +1146,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy, char *port; char *path; int use_ssl; - OSSL_HTTP_REQ_CTX *rctx; + OSSL_HTTP_REQ_CTX *rctx = NULL; BIO *resp = NULL; time_t max_time = timeout > 0 ? time(NULL) + timeout : 0; 
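Review bot: `OSSL_TRACE1(HTTP, "%s", p);` in the OHS_ERROR branch prints the memory BIO's contents with `%s`, but BIO_get_mem_data() hands back a length, not a NUL-terminated string; unless rctx->mem is known to end in a terminator the trace can read past the buffer. Use the length, mirroring the request-header trace earlier in this function: `long blen = BIO_get_mem_data(rctx->mem, &p); if (blen > 0 && blen <= INT_MAX) OSSL_TRACE2(HTTP, "%.*s", (int)blen, p);`. The text/ body of an error response is server-controlled output, so bounding it is the right default. OSSL_HTTP_REQ_CTX_nbio() continues outside the hunk.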
@@ -1148,10 +1172,12 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy, NULL /* req */, expected_ct, expect_asn1, max_resp_len, -1 /* use same max time (timeout) */, - 0 /* no keep_alive */)) + 0 /* no keep_alive */)) { OSSL_HTTP_REQ_CTX_free(rctx); - else + rctx = NULL; + } else { resp = OSSL_HTTP_exchange(rctx, &redirection_url); + } } OPENSSL_free(path); if (resp == NULL && redirection_url != NULL) { @@ -1166,6 +1192,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy, OPENSSL_free(host); OPENSSL_free(port); (void)OSSL_HTTP_close(rctx, 1); + rctx = NULL; BIO_free(resp); OPENSSL_free(current_url); return NULL; @@ -1175,6 +1202,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy, OPENSSL_free(host); OPENSSL_free(port); (void)OSSL_HTTP_close(rctx, 1); + rctx = NULL; continue; } /* if redirection not allowed, ignore it */ @@ -1184,6 +1212,7 @@ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy, OPENSSL_free(port); if (!OSSL_HTTP_close(rctx, resp != NULL)) { BIO_free(resp); + rctx = NULL; resp = NULL; } break; diff --git a/crypto/http/http_lib.c b/crypto/http/http_lib.c index bd9c096b9..fd737bad9 100644 --- a/crypto/http/http_lib.c +++ b/crypto/http/http_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
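Review bot: In the last hunk `rctx = NULL;` is set only on the failure branch of OSSL_HTTP_close(); on success rctx still points at the context the close call has released, which is inconsistent with the three earlier hunks that clear it unconditionally after every close or free. If nothing after `break;` reads rctx this is harmless, but the function's exit path is outside the hunk and a later change would find a dangling pointer; move `rctx = NULL;` out of the if-block to just before `break;`. OSSL_HTTP_get() continues outside the hunk.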
@@ -83,9 +83,9 @@ int OSSL_parse_url(const char *url, char **pscheme, char **puser, char **phost, else host = p; - /* parse host name/address as far as needed here */ + /* parse hostname/address as far as needed here */ if (host[0] == '[') { - /* ipv6 literal, which may include ':' */ + /* IPv6 literal, which may include ':' */ host_end = strchr(host + 1, ']'); if (host_end == NULL) goto parse_err; diff --git a/crypto/idea/idea_local.h b/crypto/idea/idea_local.h index 3c9ffa082..53a4ff47a 100644 --- a/crypto/idea/idea_local.h +++ b/crypto/idea/idea_local.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -23,19 +23,19 @@ else \ l1=l2=0; \ switch (n) { \ case 8: l2 =((unsigned long)(*(--(c)))) ; \ - /* fall thru */ \ + /* fall through */ \ case 7: l2|=((unsigned long)(*(--(c))))<< 8; \ - /* fall thru */ \ + /* fall through */ \ case 6: l2|=((unsigned long)(*(--(c))))<<16; \ - /* fall thru */ \ + /* fall through */ \ case 5: l2|=((unsigned long)(*(--(c))))<<24; \ - /* fall thru */ \ + /* fall through */ \ case 4: l1 =((unsigned long)(*(--(c)))) ; \ - /* fall thru */ \ + /* fall through */ \ case 3: l1|=((unsigned long)(*(--(c))))<< 8; \ - /* fall thru */ \ + /* fall through */ \ case 2: l1|=((unsigned long)(*(--(c))))<<16; \ - /* fall thru */ \ + /* fall through */ \ case 1: l1|=((unsigned long)(*(--(c))))<<24; \ } \ } 
@@ -45,19 +45,19 @@ else \ c+=n; \ switch (n) { \ case 8: *(--(c))=(unsigned char)(((l2) )&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 7: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 6: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 5: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 4: *(--(c))=(unsigned char)(((l1) )&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 3: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 2: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 1: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \ } \ } diff --git a/crypto/info.c b/crypto/info.c index a0dc2e801..9ef9ee470 100644 --- a/crypto/info.c +++ b/crypto/info.c @@ -12,7 +12,7 @@ #include "crypto/dso_conf.h" #include "internal/thread_once.h" #include "internal/cryptlib.h" -#include "e_os.h" +#include "internal/e_os.h" #include "buildinf.h" #if defined(__arm__) || defined(__arm) || defined(__aarch64__) @@ -135,7 +135,11 @@ DEFINE_RUN_ONCE_STATIC(init_info_strings) add_seeds_string("rdtsc"); #endif #ifdef OPENSSL_RAND_SEED_RDCPU +# ifdef __aarch64__ + add_seeds_string("rndr ( rndrrs rndr )"); +# else add_seeds_string("rdrand ( rdseed rdrand )"); +# endif #endif #ifdef OPENSSL_RAND_SEED_LIBRANDOM add_seeds_string("C-library-random"); diff --git a/crypto/init.c b/crypto/init.c index cacf637c8..983d76e45 100644 --- a/crypto/init.c +++ b/crypto/init.c @@ -10,7 +10,7 @@ /* We need to use some engine deprecated APIs */ #define OPENSSL_SUPPRESS_DEPRECATED -#include "e_os.h" +#include "internal/e_os.h" #include "crypto/cryptlib.h" #include #include "crypto/rand.h" diff --git a/crypto/initthread.c b/crypto/initthread.c index 1bdaeda9f..03586bcbc 100644 --- a/crypto/initthread.c +++ b/crypto/initthread.c 
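Review bot: The new aarch64 branch reports `"rndr ( rndrrs rndr )"` whenever OPENSSL_RAND_SEED_RDCPU is compiled in, like the x86 string it mirrors; it is a compile-time statement of what the build can use, not a runtime confirmation that the CPU exposes RNDR, and consumers of `OPENSSL_info(OPENSSL_INFO_SEED_SOURCE)` should not read it as the latter. The OPENSSL_info() man page should list the new string alongside the existing rdrand one so that tooling which parses the seed-source text is not surprised. A brief comment on the `# ifdef __aarch64__`, `/* Arm RNDR/RNDRRS; presence is still detected at runtime by the RDCPU backend */`, would hedge the same point in code, assuming that backend does detect at runtime, which is not visible here.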
@@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -12,6 +12,7 @@ #include "crypto/cryptlib.h" #include "prov/providercommon.h" #include "internal/thread_once.h" +#include "crypto/context.h" #ifdef FIPS_MODULE #include "prov/provider_ctx.h" @@ -248,7 +249,7 @@ void ossl_ctx_thread_stop(OSSL_LIB_CTX *ctx) #else -static void *thread_event_ossl_ctx_new(OSSL_LIB_CTX *libctx) +void *ossl_thread_event_ctx_new(OSSL_LIB_CTX *libctx) { THREAD_EVENT_HANDLER **hands = NULL; CRYPTO_THREAD_LOCAL *tlocal = OPENSSL_zalloc(sizeof(*tlocal)); @@ -274,17 +275,11 @@ static void *thread_event_ossl_ctx_new(OSSL_LIB_CTX *libctx) return NULL; } -static void thread_event_ossl_ctx_free(void *tlocal) +void ossl_thread_event_ctx_free(void *tlocal) { OPENSSL_free(tlocal); } -static const OSSL_LIB_CTX_METHOD thread_event_ossl_ctx_method = { - OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, - thread_event_ossl_ctx_new, - thread_event_ossl_ctx_free, -}; - static void ossl_arg_thread_stop(void *arg) { ossl_ctx_thread_stop((OSSL_LIB_CTX *)arg); @@ -294,8 +289,7 @@ void ossl_ctx_thread_stop(OSSL_LIB_CTX *ctx) { THREAD_EVENT_HANDLER **hands; CRYPTO_THREAD_LOCAL *local - = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX, - &thread_event_ossl_ctx_method); + = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX); if (local == NULL) return; 
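Review bot: `ossl_thread_event_ctx_new()`/`ossl_thread_event_ctx_free()` become externally visible internal symbols (presumably declared in the newly included crypto/context.h) but carry no comment describing their contract, whereas the removed OSSL_LIB_CTX_METHOD at least stated a priority. Add a header comment such as `/* Per-libctx storage for thread-stop handlers; created and freed by the libctx lifecycle in crypto/context.c */`. Since ossl_lib_ctx_get_data() no longer takes a method, creation and destruction ordering now live elsewhere; if the previous ordering relative to the provider store mattered, that should be verified in context.c, which is outside this diff.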
@@ -363,8 +357,7 @@ int ossl_init_thread_start(const void *index, void *arg, * OSSL_LIB_CTX gets informed about thread stop events individually. */ CRYPTO_THREAD_LOCAL *local - = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX, - &thread_event_ossl_ctx_method); + = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_THREAD_EVENT_HANDLER_INDEX); #else /* * Outside of FIPS mode the list of THREAD_EVENT_HANDLERs is unique per diff --git a/crypto/lhash/lh_stats.c b/crypto/lhash/lh_stats.c index ba4d4ea89..ea0a3252a 100644 --- a/crypto/lhash/lh_stats.c +++ b/crypto/lhash/lh_stats.c @@ -7,6 +7,8 @@ * https://www.openssl.org/source/license.html */ +#define OPENSSL_SUPPRESS_DEPRECATED + #include #include #include @@ -21,6 +23,7 @@ #include "lhash_local.h" # ifndef OPENSSL_NO_STDIO +# ifndef OPENSSL_NO_DEPRECATED_3_1 void OPENSSL_LH_stats(const OPENSSL_LHASH *lh, FILE *fp) { BIO *bp; @@ -56,9 +59,15 @@ void OPENSSL_LH_node_usage_stats(const OPENSSL_LHASH *lh, FILE *fp) OPENSSL_LH_node_usage_stats_bio(lh, bp); BIO_free(bp); } - +# endif # endif +# ifndef OPENSSL_NO_DEPRECATED_3_1 +/* + * These functions are implemented as separate static functions as they are + * called from the stdio functions above and calling deprecated functions will + * generate a warning. + */ void OPENSSL_LH_stats_bio(const OPENSSL_LHASH *lh, BIO *out) { BIO_printf(out, "num_items = %lu\n", lh->num_items); @@ -115,3 +124,4 @@ void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH *lh, BIO *out) (int)((total % lh->num_nodes) * 100 / lh->num_nodes), (int)(total / n_used), (int)((total % n_used) * 100 / n_used)); } +# endif diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c index 1cd988f01..c319a44c7 100644 --- a/crypto/lhash/lhash.c +++ b/crypto/lhash/lhash.c 
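Review bot: The new comment above OPENSSL_LH_stats_bio() says these are "implemented as separate static functions", but they are public exported OPENSSL_LH_*_bio functions, so the comment misdescribes the code; what it means is that the deprecated stdio wrappers delegate to the BIO variants so the body is not duplicated. Suggest: `/* The BIO variants hold the implementation; the stdio wrappers above delegate to them, and OPENSSL_SUPPRESS_DEPRECATED at the top of the file keeps those calls warning-free. */`. The two `# ifndef OPENSSL_NO_DEPRECATED_3_1` guards sit one inside and one outside the `# ifndef OPENSSL_NO_STDIO` block, which is correct but easy to misread; a trailing `/* OPENSSL_NO_DEPRECATED_3_1 */` on each `# endif` would help.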
@@ -344,18 +344,37 @@ unsigned long OPENSSL_LH_strhash(const char *c)
 return (ret >> 16) ^ ret;
 }
 
+/*
+ * Case insensitive string hashing.
+ *
+ * The lower/upper case bit is masked out (forcing all letters to be capitals).
+ * The major side effect on non-alpha characters is mapping the symbols and
+ * digits into the control character range (which should be harmless).
+ * The duplication (with respect to the hash value) of printable characters
+ * are that '`', '{', '|', '}' and '~' map to '@', '[', '\', ']' and '^'
+ * respectively (which seems tolerable).
+ *
+ * For EBCDIC, the alpha mapping is to lower case, most symbols go to control
+ * characters. The only duplication is '0' mapping to '^', which is better
+ * than for ASCII.
+ */
 unsigned long ossl_lh_strcasehash(const char *c)
 {
 unsigned long ret = 0;
 long n;
 unsigned long v;
 int r;
+#if defined(CHARSET_EBCDIC) && !defined(CHARSET_EBCDIC_TEST)
+ const long int case_adjust = ~0x40;
+#else
+ const long int case_adjust = ~0x20;
+#endif
 
 if (c == NULL || *c == '\0')
 return ret;
 
 for (n = 0x100; *c != '\0'; n += 0x100) {
- v = n | ossl_tolower(*c);
+ v = n | (case_adjust & *c);
 r = (int)((v >> 2) ^ v) & 0x0f;
 /* cast to uint64_t to avoid 32 bit shift of 32 bit value */
 ret = (ret << r) | (unsigned long)((uint64_t)ret >> (32 - r));
diff --git a/crypto/loongarch64cpuid.pl b/crypto/loongarch64cpuid.pl
new file mode 100644
index 000000000..d16a8e98f
--- /dev/null
+++ b/crypto/loongarch64cpuid.pl
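Review bot: `v = n | (case_adjust & *c)` in the `@@ -344,18 +344,37 @@` hunk masks a plain `char`, so on ABIs where `char` is signed a byte >= 0x80 is sign-extended to a negative `long` before the AND and `v` comes out with all its high bits set, while on unsigned-char ABIs it stays below 0x100; `v` is used further down (past the hunk), so the hash of non-ASCII keys presumably depends on the target's char signedness. The previous `ossl_tolower(*c)` may have had the same exposure, but the rewrite is a good moment to pin it down with `v = n | (case_adjust & (unsigned char)*c);`. In the new comment, "The duplication ... of printable characters are that" should read "is that", and the EBCDIC paragraph could state that 0x40 is the case bit in that code page rather than leaving it implicit.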
@@ -0,0 +1,113 @@ +#! /usr/bin/env perl +# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +# $output is the last argument if it looks like a file (it has an extension) +# $flavour is the first argument if it doesn't look like a file +($zero,$ra,$tp,$sp)=map("\$r$_",(0..3)); +($a0,$a1,$a2,$a3,$a4,$a5,$a6,$a7)=map("\$r$_",(4..11)); +($t0,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9)=map("\$r$_",(12..21)); +($s0,$s1,$s2,$s3,$s4,$s5,$s6,$s7)=map("\$r$_",(23..30)); +($vr0,$vr1,$vr2,$vr3,$vr4,$vr5,$vr6,$vr7,$vr8,$vr9,$vr10,$vr11,$vr12,$vr13,$vr14,$vr15,$vr16,$vr17,$vr18,$vr19)=map("\$vr$_",(0..19)); +($fp)=map("\$r$_",(22)); + + +for (@ARGV) { $output=$_ if (/\w[\w\-]*\.\w+$/); } +open STDOUT,">$output"; +while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} +open STDOUT,">$output"; + +{ +my ($in_a,$in_b,$len,$m,$temp1,$temp2) = ($a0,$a1,$a2,$t0,$t1,$t2); +$code.=<<___; +################################################################################ +# int CRYPTO_memcmp(const void * in_a, const void * in_b, size_t len) +################################################################################ +.text +.balign 16 +.globl CRYPTO_memcmp +.type CRYPTO_memcmp,\@function +CRYPTO_memcmp: + li.d $m,0 + beqz $len,2f # len == 0 +1: + ld.bu $temp1,$in_a,0 + ld.bu $temp2,$in_b,0 + addi.d $in_a,$in_a,1 + addi.d $in_b,$in_b,1 + addi.d $len,$len,-1 + xor $temp1,$temp1,$temp2 + or $m,$m,$temp1 + blt $zero,$len,1b +2: + move $a0,$m + jr $ra +___ +} +{ +my ($ptr,$len,$temp1,$temp2) = ($a0,$a1,$t0,$t1); +$code.=<<___; +################################################################################ +# void OPENSSL_cleanse(void *ptr, size_t len) 
+################################################################################ +.text +.balign 16 +.globl OPENSSL_cleanse +.type OPENSSL_cleanse,\@function +OPENSSL_cleanse: + beqz $len,2f # len == 0, return + srli.d $temp1,$len,4 + bnez $temp1,3f # len > 15 + +1: # Store <= 15 individual bytes + st.b $zero,$ptr,0 + addi.d $ptr,$ptr,1 + addi.d $len,$len,-1 + bnez $len,1b +2: + jr $ra + +3: # Store individual bytes until we are aligned + andi $temp1,$ptr,0x7 + beqz $temp1,4f + st.b $zero,$ptr,0 + addi.d $ptr,$ptr,1 + addi.d $len,$len,-1 + b 3b + +4: # Store aligned dwords + li.d $temp2,8 +4: + st.d $zero,$ptr,0 + addi.d $ptr,$ptr,8 + addi.d $len,$len,-8 + bge $len,$temp2,4b # if len>=8 loop + bnez $len,1b # if len<8 and len != 0, store remaining bytes + jr $ra +___ +} +{ +$code.=<<___; +################################################################################ +# uint32_t OPENSSL_rdtsc(void) +################################################################################ +.text +.balign 16 +.globl OPENSSL_rdtsc +.type OPENSSL_rdtsc,\@function +OPENSSL_rdtsc: + move $a0,$zero + jr $ra +___ +} + +$code =~ s/\`([^\`]*)\`/eval($1)/gem; + +print $code; + +close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/loongarch_arch.h b/crypto/loongarch_arch.h new file mode 100644 index 000000000..53caf53ef --- /dev/null +++ b/crypto/loongarch_arch.h @@ -0,0 +1,17 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ +#ifndef OSSL_CRYPTO_LOONGARCH_ARCH_H +# define OSSL_CRYPTO_LOONGARCH_ARCH_H + +extern unsigned int OPENSSL_loongarchcap_P; +# define LOONGARCH_CFG2 0x02 +# define LOONGARCH_CFG2_LSX (1<<6) +# define LOONGARCH_CFG2_LASX (1<<7) + +#endif 
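Review bot: `OPENSSL_cleanse` in this hunk defines the numeric label `4:` twice, once at "Store aligned dwords" and again right after `li.d $temp2,8`, so `beqz $temp1,4f` in block 3 resolves to the first and `bge $len,$temp2,4b` to the second; GNU as allows redefining local numeric labels, so this assembles and the control flow reads as intended, but the duplicate is easy to break in a later edit — rename the loop label to `5:` and the back-branch to `bge $len,$temp2,5b`. The argument handling at the top opens STDOUT twice, once after the `for (@ARGV)` scan and again after the `while` shift loop (which leaves `$output` undefined if no argument looks like a file), and neither `open` checks for failure; drop the second pair and make the survivor `open STDOUT,">$output" or die "can't open $output: $!";`. `OPENSSL_rdtsc` unconditionally returns 0, which is acceptable for a stub, but deserves a comment such as `# no cycle counter is read here; always returns 0` so callers using it for timing or as an entropy hint know they get a constant.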
diff --git a/crypto/loongarchcap.c b/crypto/loongarchcap.c new file mode 100644 index 000000000..67e3c02b4 --- /dev/null +++ b/crypto/loongarchcap.c @@ -0,0 +1,22 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ +#include "loongarch_arch.h" + +unsigned int OPENSSL_loongarchcap_P = 0; + +void OPENSSL_cpuid_setup(void) +{ + unsigned int reg; + __asm__ volatile( + "cpucfg %0, %1 \n\t" + : "+&r"(reg) + : "r"(LOONGARCH_CFG2) + ); + OPENSSL_loongarchcap_P = reg; +} diff --git a/crypto/md5/asm/md5-aarch64.pl b/crypto/md5/asm/md5-aarch64.pl new file mode 100755 index 000000000..94d727fc9 --- /dev/null +++ b/crypto/md5/asm/md5-aarch64.pl 
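Review bot: The asm constraint `"+&r"(reg)` in `OPENSSL_cpuid_setup` marks `reg` as read-write, yet `reg` is never initialised before `cpucfg`, so the compiler is told to feed an indeterminate value into the instruction (and may warn with -Wmaybe-uninitialized); `cpucfg` only writes its first operand, so the constraint should be the output form `: "=r"(reg)` (the `volatile` can stay). A short comment would also help the next reader, e.g. `/* Read cpucfg word 2 (LOONGARCH_CFG2): bits 6 and 7 advertise LSX and LASX, see loongarch_arch.h */`. Whether anything consumes `OPENSSL_loongarchcap_P` beyond the declaration in that header, or whether an environment-variable override for testing is wanted as some sibling cap probes offer, is not visible from this hunk.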
@@ -0,0 +1,693 @@ +#! /usr/bin/env perl +# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# MD5 optimized for aarch64. + +use strict; + +my $code; + +#no warnings qw(uninitialized); +# $output is the last argument if it looks like a file (it has an extension) +# $flavour is the first argument if it doesn't look like a file +my $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; +my $flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; my $dir=$1; my $xlate; +( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or +( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or +die "can't locate arm-xlate.pl"; + +open OUT,"| \"$^X\" $xlate $flavour \"$output\"" + or die "can't call $xlate: $1"; +*STDOUT=*OUT; + +$code .= <A and state->B + ldp w12, w13, [x0, #8] // Load MD5 state->C and state->D +.align 5 +ossl_md5_blocks_loop: + eor x17, x12, x13 // Begin aux function round 1 F(x,y,z)=(((y^z)&x)^z) + and x16, x17, x11 // Continue aux function round 1 F(x,y,z)=(((y^z)&x)^z) + ldp x15, x3, [x1] // Load 4 words of input data0 M[0]/0 + eor x14, x16, x13 // End aux function round 1 F(x,y,z)=(((y^z)&x)^z) + movz x9, #0xa478 // Load lower half of constant 0xd76aa478 + movk x9, #0xd76a, lsl #16 // Load upper half of constant 0xd76aa478 + add w8, w10, w15 // Add dest value + add w7, w8, w9 // Add constant 0xd76aa478 + add w6, w7, w14 // Add aux function result + ror w6, w6, #25 // Rotate left s=7 bits + eor x5, x11, x12 // Begin aux function round 1 F(x,y,z)=(((y^z)&x)^z) + add w4, w11, w6 // Add X parameter round 1 A=FF(A, B, C, D, 0xd76aa478, s=7, M[0]) + and x8, x5, x4 // Continue aux function round 1 F(x,y,z)=(((y^z)&x)^z) + eor x17, x8, x12 // End 
aux function round 1 F(x,y,z)=(((y^z)&x)^z) + movz x16, #0xb756 // Load lower half of constant 0xe8c7b756 + movk x16, #0xe8c7, lsl #16 // Load upper half of constant 0xe8c7b756 + lsr x20, x15, #32 // Right shift high input value containing M[1] + add w9, w13, w20 // Add dest value + add w7, w9, w16 // Add constant 0xe8c7b756 + add w14, w7, w17 // Add aux function result + ror w14, w14, #20 // Rotate left s=12 bits + eor x6, x4, x11 // Begin aux function round 1 F(x,y,z)=(((y^z)&x)^z) + add w5, w4, w14 // Add X parameter round 1 D=FF(D, A, B, C, 0xe8c7b756, s=12, M[1]) + and x8, x6, x5 // Continue aux function round 1 F(x,y,z)=(((y^z)&x)^z) + eor x9, x8, x11 // End aux function round 1 F(x,y,z)=(((y^z)&x)^z) + movz x16, #0x70db // Load lower half of constant 0x242070db + movk x16, #0x2420, lsl #16 // Load upper half of constant 0x242070db + add w7, w12, w3 // Add dest value + add w17, w7, w16 // Add constant 0x242070db + add w14, w17, w9 // Add aux function result + ror w14, w14, #15 // Rotate left s=17 bits + eor x6, x5, x4 // Begin aux function round 1 F(x,y,z)=(((y^z)&x)^z) + add w8, w5, w14 // Add X parameter round 1 C=FF(C, D, A, B, 0x242070db, s=17, M[2]) + and x7, x6, x8 // Continue aux function round 1 F(x,y,z)=(((y^z)&x)^z) + eor x16, x7, x4 // End aux function round 1 F(x,y,z)=(((y^z)&x)^z) + movz x9, #0xceee // Load lower half of constant 0xc1bdceee + movk x9, #0xc1bd, lsl #16 // Load upper half of constant 0xc1bdceee + lsr x21, x3, #32 // Right shift high input value containing M[3] + add w14, w11, w21 // Add dest value + add w6, w14, w9 // Add constant 0xc1bdceee + add w7, w6, w16 // Add aux function result + ror w7, w7, #10 // Rotate left s=22 bits + eor x17, x8, x5 // Begin aux function round 1 F(x,y,z)=(((y^z)&x)^z) + add w9, w8, w7 // Add X parameter round 1 B=FF(B, C, D, A, 0xc1bdceee, s=22, M[3]) + ldp x14, x7, [x1, #16] // Load 4 words of input data0 M[4]/0w + and x16, x17, x9 // Continue aux function round 1 F(x,y,z)=(((y^z)&x)^z) + eor x6, x16, 
x5 // End aux function round 1 F(x,y,z)=(((y^z)&x)^z) + movz x16, #0xfaf // Load lower half of constant 0xf57c0faf + movk x16, #0xf57c, lsl #16 // Load upper half of constant 0xf57c0faf + add w17, w4, w14 // Add dest value + add w16, w17, w16 // Add constant 0xf57c0faf + add w4, w16, w6 // Add aux function result + ror w4, w4, #25 // Rotate left s=7 bits + eor x16, x9, x8 // Begin aux function round 1 F(x,y,z)=(((y^z)&x)^z) + add w17, w9, w4 // Add X parameter round 1 A=FF(A, B, C, D, 0xf57c0faf, s=7, M[4]) + and x16, x16, x17 // Continue aux function round 1 F(x,y,z)=(((y^z)&x)^z) + eor x6, x16, x8 // End aux function round 1 F(x,y,z)=(((y^z)&x)^z) + movz x4, #0xc62a // Load lower half of constant 0x4787c62a + movk x4, #0x4787, lsl #16 // Load upper half of constant 0x4787c62a + lsr x22, x14, #32 // Right shift high input value containing M[5] + add w16, w5, w22 // Add dest value + add w16, w16, w4 // Add constant 0x4787c62a + add w5, w16, w6 // Add aux function result + ror w5, w5, #20 // Rotate left s=12 bits + eor x4, x17, x9 // Begin aux function round 1 F(x,y,z)=(((y^z)&x)^z) + add w19, w17, w5 // Add X parameter round 1 D=FF(D, A, B, C, 0x4787c62a, s=12, M[5]) + and x6, x4, x19 // Continue aux function round 1 F(x,y,z)=(((y^z)&x)^z) + eor x5, x6, x9 // End aux function round 1 F(x,y,z)=(((y^z)&x)^z) + movz x4, #0x4613 // Load lower half of constant 0xa8304613 + movk x4, #0xa830, lsl #16 // Load upper half of constant 0xa8304613 + add w6, w8, w7 // Add dest value + add w8, w6, w4 // Add constant 0xa8304613 + add w4, w8, w5 // Add aux function result + ror w4, w4, #15 // Rotate left s=17 bits + eor x6, x19, x17 // Begin aux function round 1 F(x,y,z)=(((y^z)&x)^z) + add w8, w19, w4 // Add X parameter round 1 C=FF(C, D, A, B, 0xa8304613, s=17, M[6]) + and x5, x6, x8 // Continue aux function round 1 F(x,y,z)=(((y^z)&x)^z) + eor x4, x5, x17 // End aux function round 1 F(x,y,z)=(((y^z)&x)^z) + movz x6, #0x9501 // Load lower half of constant 0xfd469501 + movk x6, 
#0xfd46, lsl #16 // Load upper half of constant 0xfd469501 + lsr x23, x7, #32 // Right shift high input value containing M[7] + add w9, w9, w23 // Add dest value + add w5, w9, w6 // Add constant 0xfd469501 + add w9, w5, w4 // Add aux function result + ror w9, w9, #10 // Rotate left s=22 bits + eor x6, x8, x19 // Begin aux function round 1 F(x,y,z)=(((y^z)&x)^z) + add w4, w8, w9 // Add X parameter round 1 B=FF(B, C, D, A, 0xfd469501, s=22, M[7]) + ldp x5, x16, [x1, #32] // Load 4 words of input data0 M[8]/0 + and x9, x6, x4 // Continue aux function round 1 F(x,y,z)=(((y^z)&x)^z) + eor x6, x9, x19 // End aux function round 1 F(x,y,z)=(((y^z)&x)^z) + movz x9, #0x98d8 // Load lower half of constant 0x698098d8 + movk x9, #0x6980, lsl #16 // Load upper half of constant 0x698098d8 + add w17, w17, w5 // Add dest value + add w9, w17, w9 // Add constant 0x698098d8 + add w17, w9, w6 // Add aux function result + ror w17, w17, #25 // Rotate left s=7 bits + eor x9, x4, x8 // Begin aux function round 1 F(x,y,z)=(((y^z)&x)^z) + add w6, w4, w17 // Add X parameter round 1 A=FF(A, B, C, D, 0x698098d8, s=7, M[8]) + and x17, x9, x6 // Continue aux function round 1 F(x,y,z)=(((y^z)&x)^z) + eor x9, x17, x8 // End aux function round 1 F(x,y,z)=(((y^z)&x)^z) + movz x17, #0xf7af // Load lower half of constant 0x8b44f7af + movk x17, #0x8b44, lsl #16 // Load upper half of constant 0x8b44f7af + lsr x24, x5, #32 // Right shift high input value containing M[9] + add w19, w19, w24 // Add dest value + add w17, w19, w17 // Add constant 0x8b44f7af + add w19, w17, w9 // Add aux function result + ror w19, w19, #20 // Rotate left s=12 bits + eor x9, x6, x4 // Begin aux function round 1 F(x,y,z)=(((y^z)&x)^z) + add w17, w6, w19 // Add X parameter round 1 D=FF(D, A, B, C, 0x8b44f7af, s=12, M[9]) + and x9, x9, x17 // Continue aux function round 1 F(x,y,z)=(((y^z)&x)^z) + eor x9, x9, x4 // End aux function round 1 F(x,y,z)=(((y^z)&x)^z) + movz x11, #0x5bb1 // Load lower half of constant 0xffff5bb1 + movk 
x11, #0xffff, lsl #16 // Load upper half of constant 0xffff5bb1 + add w8, w8, w16 // Add dest value + add w8, w8, w11 // Add constant 0xffff5bb1 + add w8, w8, w9 // Add aux function result + ror w8, w8, #15 // Rotate left s=17 bits + eor x9, x17, x6 // Begin aux function round 1 F(x,y,z)=(((y^z)&x)^z) + add w8, w17, w8 // Add X parameter round 1 C=FF(C, D, A, B, 0xffff5bb1, s=17, M[10]) + and x9, x9, x8 // Continue aux function round 1 F(x,y,z)=(((y^z)&x)^z) + eor x9, x9, x6 // End aux function round 1 F(x,y,z)=(((y^z)&x)^z) + movz x11, #0xd7be // Load lower half of constant 0x895cd7be + movk x11, #0x895c, lsl #16 // Load upper half of constant 0x895cd7be + lsr x25, x16, #32 // Right shift high input value containing M[11] + add w4, w4, w25 // Add dest value + add w4, w4, w11 // Add constant 0x895cd7be + add w9, w4, w9 // Add aux function result + ror w9, w9, #10 // Rotate left s=22 bits + eor x4, x8, x17 // Begin aux function round 1 F(x,y,z)=(((y^z)&x)^z) + add w9, w8, w9 // Add X parameter round 1 B=FF(B, C, D, A, 0x895cd7be, s=22, M[11]) + ldp x11, x12, [x1, #48] // Load 4 words of input data0 M[12]/0 + and x4, x4, x9 // Continue aux function round 1 F(x,y,z)=(((y^z)&x)^z) + eor x4, x4, x17 // End aux function round 1 F(x,y,z)=(((y^z)&x)^z) + movz x19, #0x1122 // Load lower half of constant 0x6b901122 + movk x19, #0x6b90, lsl #16 // Load upper half of constant 0x6b901122 + add w6, w6, w11 // Add dest value + add w6, w6, w19 // Add constant 0x6b901122 + add w4, w6, w4 // Add aux function result + ror w4, w4, #25 // Rotate left s=7 bits + eor x6, x9, x8 // Begin aux function round 1 F(x,y,z)=(((y^z)&x)^z) + add w4, w9, w4 // Add X parameter round 1 A=FF(A, B, C, D, 0x6b901122, s=7, M[12]) + and x6, x6, x4 // Continue aux function round 1 F(x,y,z)=(((y^z)&x)^z) + eor x6, x6, x8 // End aux function round 1 F(x,y,z)=(((y^z)&x)^z) + movz x19, #0x7193 // Load lower half of constant 0xfd987193 + movk x19, #0xfd98, lsl #16 // Load upper half of constant 0xfd987193 + lsr 
x26, x11, #32 // Right shift high input value containing M[13] + add w17, w17, w26 // Add dest value + add w17, w17, w19 // Add constant 0xfd987193 + add w17, w17, w6 // Add aux function result + ror w17, w17, #20 // Rotate left s=12 bits + eor x6, x4, x9 // Begin aux function round 1 F(x,y,z)=(((y^z)&x)^z) + add w17, w4, w17 // Add X parameter round 1 D=FF(D, A, B, C, 0xfd987193, s=12, M[13]) + and x6, x6, x17 // Continue aux function round 1 F(x,y,z)=(((y^z)&x)^z) + eor x6, x6, x9 // End aux function round 1 F(x,y,z)=(((y^z)&x)^z) + movz x13, #0x438e // Load lower half of constant 0xa679438e + movk x13, #0xa679, lsl #16 // Load upper half of constant 0xa679438e + add w8, w8, w12 // Add dest value + add w8, w8, w13 // Add constant 0xa679438e + add w8, w8, w6 // Add aux function result + ror w8, w8, #15 // Rotate left s=17 bits + eor x6, x17, x4 // Begin aux function round 1 F(x,y,z)=(((y^z)&x)^z) + add w8, w17, w8 // Add X parameter round 1 C=FF(C, D, A, B, 0xa679438e, s=17, M[14]) + and x6, x6, x8 // Continue aux function round 1 F(x,y,z)=(((y^z)&x)^z) + eor x6, x6, x4 // End aux function round 1 F(x,y,z)=(((y^z)&x)^z) + movz x13, #0x821 // Load lower half of constant 0x49b40821 + movk x13, #0x49b4, lsl #16 // Load upper half of constant 0x49b40821 + lsr x27, x12, #32 // Right shift high input value containing M[15] + add w9, w9, w27 // Add dest value + add w9, w9, w13 // Add constant 0x49b40821 + add w9, w9, w6 // Add aux function result + ror w9, w9, #10 // Rotate left s=22 bits + bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + add w9, w8, w9 // Add X parameter round 1 B=FF(B, C, D, A, 0x49b40821, s=22, M[15]) + and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + movz x13, #0x2562 // Load lower half of constant 0xf61e2562 + movk x13, #0xf61e, lsl #16 // Load upper half of constant 0xf61e2562 + add w4, w4, w20 // Add dest value + add w4, w4, w13 // Add constant 
0xf61e2562 + add w4, w4, w6 // Add aux function result + ror w4, w4, #27 // Rotate left s=5 bits + bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0xf61e2562, s=5, M[1]) + and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + movz x13, #0xb340 // Load lower half of constant 0xc040b340 + movk x13, #0xc040, lsl #16 // Load upper half of constant 0xc040b340 + add w17, w17, w7 // Add dest value + add w17, w17, w13 // Add constant 0xc040b340 + add w17, w17, w6 // Add aux function result + ror w17, w17, #23 // Rotate left s=9 bits + bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0xc040b340, s=9, M[6]) + and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + movz x13, #0x5a51 // Load lower half of constant 0x265e5a51 + movk x13, #0x265e, lsl #16 // Load upper half of constant 0x265e5a51 + add w8, w8, w25 // Add dest value + add w8, w8, w13 // Add constant 0x265e5a51 + add w8, w8, w6 // Add aux function result + ror w8, w8, #18 // Rotate left s=14 bits + bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0x265e5a51, s=14, M[11]) + and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + movz x13, #0xc7aa // Load lower half of constant 0xe9b6c7aa + movk x13, #0xe9b6, lsl #16 // Load upper half of constant 0xe9b6c7aa + add w9, w9, w15 // Add dest value + add w9, w9, w13 // Add constant 0xe9b6c7aa + add w9, w9, w6 // Add aux function result + ror w9, w9, #12 // Rotate left s=20 bits + bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + add w9, w8, w9 // Add X parameter round 2 B=GG(B, C, D, A, 
0xe9b6c7aa, s=20, M[0]) + and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + movz x13, #0x105d // Load lower half of constant 0xd62f105d + movk x13, #0xd62f, lsl #16 // Load upper half of constant 0xd62f105d + add w4, w4, w22 // Add dest value + add w4, w4, w13 // Add constant 0xd62f105d + add w4, w4, w6 // Add aux function result + ror w4, w4, #27 // Rotate left s=5 bits + bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0xd62f105d, s=5, M[5]) + and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + movz x13, #0x1453 // Load lower half of constant 0x2441453 + movk x13, #0x244, lsl #16 // Load upper half of constant 0x2441453 + add w17, w17, w16 // Add dest value + add w17, w17, w13 // Add constant 0x2441453 + add w17, w17, w6 // Add aux function result + ror w17, w17, #23 // Rotate left s=9 bits + bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0x2441453, s=9, M[10]) + and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + movz x13, #0xe681 // Load lower half of constant 0xd8a1e681 + movk x13, #0xd8a1, lsl #16 // Load upper half of constant 0xd8a1e681 + add w8, w8, w27 // Add dest value + add w8, w8, w13 // Add constant 0xd8a1e681 + add w8, w8, w6 // Add aux function result + ror w8, w8, #18 // Rotate left s=14 bits + bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0xd8a1e681, s=14, M[15]) + and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + movz x13, #0xfbc8 // Load lower half of constant 0xe7d3fbc8 + movk 
x13, #0xe7d3, lsl #16 // Load upper half of constant 0xe7d3fbc8 + add w9, w9, w14 // Add dest value + add w9, w9, w13 // Add constant 0xe7d3fbc8 + add w9, w9, w6 // Add aux function result + ror w9, w9, #12 // Rotate left s=20 bits + bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + add w9, w8, w9 // Add X parameter round 2 B=GG(B, C, D, A, 0xe7d3fbc8, s=20, M[4]) + and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + movz x13, #0xcde6 // Load lower half of constant 0x21e1cde6 + movk x13, #0x21e1, lsl #16 // Load upper half of constant 0x21e1cde6 + add w4, w4, w24 // Add dest value + add w4, w4, w13 // Add constant 0x21e1cde6 + add w4, w4, w6 // Add aux function result + ror w4, w4, #27 // Rotate left s=5 bits + bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0x21e1cde6, s=5, M[9]) + and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + movz x13, #0x7d6 // Load lower half of constant 0xc33707d6 + movk x13, #0xc337, lsl #16 // Load upper half of constant 0xc33707d6 + add w17, w17, w12 // Add dest value + add w17, w17, w13 // Add constant 0xc33707d6 + add w17, w17, w6 // Add aux function result + ror w17, w17, #23 // Rotate left s=9 bits + bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0xc33707d6, s=9, M[14]) + and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + movz x13, #0xd87 // Load lower half of constant 0xf4d50d87 + movk x13, #0xf4d5, lsl #16 // Load upper half of constant 0xf4d50d87 + add w8, w8, w21 // Add dest value + add w8, w8, w13 // Add constant 0xf4d50d87 + add w8, w8, w6 // Add aux function result + ror w8, w8, #18 // Rotate left s=14 
bits + bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0xf4d50d87, s=14, M[3]) + and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + movz x13, #0x14ed // Load lower half of constant 0x455a14ed + movk x13, #0x455a, lsl #16 // Load upper half of constant 0x455a14ed + add w9, w9, w5 // Add dest value + add w9, w9, w13 // Add constant 0x455a14ed + add w9, w9, w6 // Add aux function result + ror w9, w9, #12 // Rotate left s=20 bits + bic x6, x8, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + add w9, w8, w9 // Add X parameter round 2 B=GG(B, C, D, A, 0x455a14ed, s=20, M[8]) + and x13, x9, x17 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + movz x13, #0xe905 // Load lower half of constant 0xa9e3e905 + movk x13, #0xa9e3, lsl #16 // Load upper half of constant 0xa9e3e905 + add w4, w4, w26 // Add dest value + add w4, w4, w13 // Add constant 0xa9e3e905 + add w4, w4, w6 // Add aux function result + ror w4, w4, #27 // Rotate left s=5 bits + bic x6, x9, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + add w4, w9, w4 // Add X parameter round 2 A=GG(A, B, C, D, 0xa9e3e905, s=5, M[13]) + and x13, x4, x8 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + movz x13, #0xa3f8 // Load lower half of constant 0xfcefa3f8 + movk x13, #0xfcef, lsl #16 // Load upper half of constant 0xfcefa3f8 + add w17, w17, w3 // Add dest value + add w17, w17, w13 // Add constant 0xfcefa3f8 + add w17, w17, w6 // Add aux function result + ror w17, w17, #23 // Rotate left s=9 bits + bic x6, x4, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + add w17, w4, w17 // Add X parameter round 2 D=GG(D, A, B, C, 0xfcefa3f8, s=9, M[2]) + and x13, x17, x9 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + orr 
x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + movz x13, #0x2d9 // Load lower half of constant 0x676f02d9 + movk x13, #0x676f, lsl #16 // Load upper half of constant 0x676f02d9 + add w8, w8, w23 // Add dest value + add w8, w8, w13 // Add constant 0x676f02d9 + add w8, w8, w6 // Add aux function result + ror w8, w8, #18 // Rotate left s=14 bits + bic x6, x17, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + add w8, w17, w8 // Add X parameter round 2 C=GG(C, D, A, B, 0x676f02d9, s=14, M[7]) + and x13, x8, x4 // Aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + orr x6, x6, x13 // End aux function round 2 G(x,y,z)=((x&z)|(~z&y)) + movz x13, #0x4c8a // Load lower half of constant 0x8d2a4c8a + movk x13, #0x8d2a, lsl #16 // Load upper half of constant 0x8d2a4c8a + add w9, w9, w11 // Add dest value + add w9, w9, w13 // Add constant 0x8d2a4c8a + add w9, w9, w6 // Add aux function result + eor x6, x8, x17 // Begin aux function round 3 H(x,y,z)=(x^y^z) + ror w9, w9, #12 // Rotate left s=20 bits + movz x10, #0x3942 // Load lower half of constant 0xfffa3942 + add w9, w8, w9 // Add X parameter round 2 B=GG(B, C, D, A, 0x8d2a4c8a, s=20, M[12]) + movk x10, #0xfffa, lsl #16 // Load upper half of constant 0xfffa3942 + add w4, w4, w22 // Add dest value + eor x6, x6, x9 // End aux function round 3 H(x,y,z)=(x^y^z) + add w4, w4, w10 // Add constant 0xfffa3942 + add w4, w4, w6 // Add aux function result + ror w4, w4, #28 // Rotate left s=4 bits + eor x6, x9, x8 // Begin aux function round 3 H(x,y,z)=(x^y^z) + movz x10, #0xf681 // Load lower half of constant 0x8771f681 + add w4, w9, w4 // Add X parameter round 3 A=HH(A, B, C, D, 0xfffa3942, s=4, M[5]) + movk x10, #0x8771, lsl #16 // Load upper half of constant 0x8771f681 + add w17, w17, w5 // Add dest value + eor x6, x6, x4 // End aux function round 3 H(x,y,z)=(x^y^z) + add w17, w17, w10 // Add constant 0x8771f681 + add w17, w17, w6 // Add aux function result + eor x6, x4, x9 // Begin aux function round 3 
H(x,y,z)=(x^y^z) + ror w17, w17, #21 // Rotate left s=11 bits + movz x13, #0x6122 // Load lower half of constant 0x6d9d6122 + add w17, w4, w17 // Add X parameter round 3 D=HH(D, A, B, C, 0x8771f681, s=11, M[8]) + movk x13, #0x6d9d, lsl #16 // Load upper half of constant 0x6d9d6122 + add w8, w8, w25 // Add dest value + eor x6, x6, x17 // End aux function round 3 H(x,y,z)=(x^y^z) + add w8, w8, w13 // Add constant 0x6d9d6122 + add w8, w8, w6 // Add aux function result + ror w8, w8, #16 // Rotate left s=16 bits + eor x6, x17, x4 // Begin aux function round 3 H(x,y,z)=(x^y^z) + movz x13, #0x380c // Load lower half of constant 0xfde5380c + add w8, w17, w8 // Add X parameter round 3 C=HH(C, D, A, B, 0x6d9d6122, s=16, M[11]) + movk x13, #0xfde5, lsl #16 // Load upper half of constant 0xfde5380c + add w9, w9, w12 // Add dest value + eor x6, x6, x8 // End aux function round 3 H(x,y,z)=(x^y^z) + add w9, w9, w13 // Add constant 0xfde5380c + add w9, w9, w6 // Add aux function result + eor x6, x8, x17 // Begin aux function round 3 H(x,y,z)=(x^y^z) + ror w9, w9, #9 // Rotate left s=23 bits + movz x10, #0xea44 // Load lower half of constant 0xa4beea44 + add w9, w8, w9 // Add X parameter round 3 B=HH(B, C, D, A, 0xfde5380c, s=23, M[14]) + movk x10, #0xa4be, lsl #16 // Load upper half of constant 0xa4beea44 + add w4, w4, w20 // Add dest value + eor x6, x6, x9 // End aux function round 3 H(x,y,z)=(x^y^z) + add w4, w4, w10 // Add constant 0xa4beea44 + add w4, w4, w6 // Add aux function result + ror w4, w4, #28 // Rotate left s=4 bits + eor x6, x9, x8 // Begin aux function round 3 H(x,y,z)=(x^y^z) + movz x10, #0xcfa9 // Load lower half of constant 0x4bdecfa9 + add w4, w9, w4 // Add X parameter round 3 A=HH(A, B, C, D, 0xa4beea44, s=4, M[1]) + movk x10, #0x4bde, lsl #16 // Load upper half of constant 0x4bdecfa9 + add w17, w17, w14 // Add dest value + eor x6, x6, x4 // End aux function round 3 H(x,y,z)=(x^y^z) + add w17, w17, w10 // Add constant 0x4bdecfa9 + add w17, w17, w6 // Add aux 
function result + eor x6, x4, x9 // Begin aux function round 3 H(x,y,z)=(x^y^z) + ror w17, w17, #21 // Rotate left s=11 bits + movz x13, #0x4b60 // Load lower half of constant 0xf6bb4b60 + add w17, w4, w17 // Add X parameter round 3 D=HH(D, A, B, C, 0x4bdecfa9, s=11, M[4]) + movk x13, #0xf6bb, lsl #16 // Load upper half of constant 0xf6bb4b60 + add w8, w8, w23 // Add dest value + eor x6, x6, x17 // End aux function round 3 H(x,y,z)=(x^y^z) + add w8, w8, w13 // Add constant 0xf6bb4b60 + add w8, w8, w6 // Add aux function result + ror w8, w8, #16 // Rotate left s=16 bits + eor x6, x17, x4 // Begin aux function round 3 H(x,y,z)=(x^y^z) + movz x13, #0xbc70 // Load lower half of constant 0xbebfbc70 + add w8, w17, w8 // Add X parameter round 3 C=HH(C, D, A, B, 0xf6bb4b60, s=16, M[7]) + movk x13, #0xbebf, lsl #16 // Load upper half of constant 0xbebfbc70 + add w9, w9, w16 // Add dest value + eor x6, x6, x8 // End aux function round 3 H(x,y,z)=(x^y^z) + add w9, w9, w13 // Add constant 0xbebfbc70 + add w9, w9, w6 // Add aux function result + eor x6, x8, x17 // Begin aux function round 3 H(x,y,z)=(x^y^z) + ror w9, w9, #9 // Rotate left s=23 bits + movz x10, #0x7ec6 // Load lower half of constant 0x289b7ec6 + add w9, w8, w9 // Add X parameter round 3 B=HH(B, C, D, A, 0xbebfbc70, s=23, M[10]) + movk x10, #0x289b, lsl #16 // Load upper half of constant 0x289b7ec6 + add w4, w4, w26 // Add dest value + eor x6, x6, x9 // End aux function round 3 H(x,y,z)=(x^y^z) + add w4, w4, w10 // Add constant 0x289b7ec6 + add w4, w4, w6 // Add aux function result + ror w4, w4, #28 // Rotate left s=4 bits + eor x6, x9, x8 // Begin aux function round 3 H(x,y,z)=(x^y^z) + movz x10, #0x27fa // Load lower half of constant 0xeaa127fa + add w4, w9, w4 // Add X parameter round 3 A=HH(A, B, C, D, 0x289b7ec6, s=4, M[13]) + movk x10, #0xeaa1, lsl #16 // Load upper half of constant 0xeaa127fa + add w17, w17, w15 // Add dest value + eor x6, x6, x4 // End aux function round 3 H(x,y,z)=(x^y^z) + add w17, w17, 
w10 // Add constant 0xeaa127fa + add w17, w17, w6 // Add aux function result + eor x6, x4, x9 // Begin aux function round 3 H(x,y,z)=(x^y^z) + ror w17, w17, #21 // Rotate left s=11 bits + movz x13, #0x3085 // Load lower half of constant 0xd4ef3085 + add w17, w4, w17 // Add X parameter round 3 D=HH(D, A, B, C, 0xeaa127fa, s=11, M[0]) + movk x13, #0xd4ef, lsl #16 // Load upper half of constant 0xd4ef3085 + add w8, w8, w21 // Add dest value + eor x6, x6, x17 // End aux function round 3 H(x,y,z)=(x^y^z) + add w8, w8, w13 // Add constant 0xd4ef3085 + add w8, w8, w6 // Add aux function result + ror w8, w8, #16 // Rotate left s=16 bits + eor x6, x17, x4 // Begin aux function round 3 H(x,y,z)=(x^y^z) + movz x13, #0x1d05 // Load lower half of constant 0x4881d05 + add w8, w17, w8 // Add X parameter round 3 C=HH(C, D, A, B, 0xd4ef3085, s=16, M[3]) + movk x13, #0x488, lsl #16 // Load upper half of constant 0x4881d05 + add w9, w9, w7 // Add dest value + eor x6, x6, x8 // End aux function round 3 H(x,y,z)=(x^y^z) + add w9, w9, w13 // Add constant 0x4881d05 + add w9, w9, w6 // Add aux function result + eor x6, x8, x17 // Begin aux function round 3 H(x,y,z)=(x^y^z) + ror w9, w9, #9 // Rotate left s=23 bits + movz x10, #0xd039 // Load lower half of constant 0xd9d4d039 + add w9, w8, w9 // Add X parameter round 3 B=HH(B, C, D, A, 0x4881d05, s=23, M[6]) + movk x10, #0xd9d4, lsl #16 // Load upper half of constant 0xd9d4d039 + add w4, w4, w24 // Add dest value + eor x6, x6, x9 // End aux function round 3 H(x,y,z)=(x^y^z) + add w4, w4, w10 // Add constant 0xd9d4d039 + add w4, w4, w6 // Add aux function result + ror w4, w4, #28 // Rotate left s=4 bits + eor x6, x9, x8 // Begin aux function round 3 H(x,y,z)=(x^y^z) + movz x10, #0x99e5 // Load lower half of constant 0xe6db99e5 + add w4, w9, w4 // Add X parameter round 3 A=HH(A, B, C, D, 0xd9d4d039, s=4, M[9]) + movk x10, #0xe6db, lsl #16 // Load upper half of constant 0xe6db99e5 + add w17, w17, w11 // Add dest value + eor x6, x6, x4 // End 
aux function round 3 H(x,y,z)=(x^y^z) + add w17, w17, w10 // Add constant 0xe6db99e5 + add w17, w17, w6 // Add aux function result + eor x6, x4, x9 // Begin aux function round 3 H(x,y,z)=(x^y^z) + ror w17, w17, #21 // Rotate left s=11 bits + movz x13, #0x7cf8 // Load lower half of constant 0x1fa27cf8 + add w17, w4, w17 // Add X parameter round 3 D=HH(D, A, B, C, 0xe6db99e5, s=11, M[12]) + movk x13, #0x1fa2, lsl #16 // Load upper half of constant 0x1fa27cf8 + add w8, w8, w27 // Add dest value + eor x6, x6, x17 // End aux function round 3 H(x,y,z)=(x^y^z) + add w8, w8, w13 // Add constant 0x1fa27cf8 + add w8, w8, w6 // Add aux function result + ror w8, w8, #16 // Rotate left s=16 bits + eor x6, x17, x4 // Begin aux function round 3 H(x,y,z)=(x^y^z) + movz x13, #0x5665 // Load lower half of constant 0xc4ac5665 + add w8, w17, w8 // Add X parameter round 3 C=HH(C, D, A, B, 0x1fa27cf8, s=16, M[15]) + movk x13, #0xc4ac, lsl #16 // Load upper half of constant 0xc4ac5665 + add w9, w9, w3 // Add dest value + eor x6, x6, x8 // End aux function round 3 H(x,y,z)=(x^y^z) + add w9, w9, w13 // Add constant 0xc4ac5665 + add w9, w9, w6 // Add aux function result + ror w9, w9, #9 // Rotate left s=23 bits + movz x6, #0x2244 // Load lower half of constant 0xf4292244 + movk x6, #0xf429, lsl #16 // Load upper half of constant 0xf4292244 + add w9, w8, w9 // Add X parameter round 3 B=HH(B, C, D, A, 0xc4ac5665, s=23, M[2]) + add w4, w4, w15 // Add dest value + orn x13, x9, x17 // Begin aux function round 4 I(x,y,z)=((~z|x)^y) + add w4, w4, w6 // Add constant 0xf4292244 + eor x6, x8, x13 // End aux function round 4 I(x,y,z)=((~z|x)^y) + add w4, w4, w6 // Add aux function result + ror w4, w4, #26 // Rotate left s=6 bits + movz x6, #0xff97 // Load lower half of constant 0x432aff97 + movk x6, #0x432a, lsl #16 // Load upper half of constant 0x432aff97 + add w4, w9, w4 // Add X parameter round 4 A=II(A, B, C, D, 0xf4292244, s=6, M[0]) + orn x10, x4, x8 // Begin aux function round 4 
I(x,y,z)=((~z|x)^y) + add w17, w17, w23 // Add dest value + eor x10, x9, x10 // End aux function round 4 I(x,y,z)=((~z|x)^y) + add w17, w17, w6 // Add constant 0x432aff97 + add w6, w17, w10 // Add aux function result + ror w6, w6, #22 // Rotate left s=10 bits + movz x17, #0x23a7 // Load lower half of constant 0xab9423a7 + movk x17, #0xab94, lsl #16 // Load upper half of constant 0xab9423a7 + add w6, w4, w6 // Add X parameter round 4 D=II(D, A, B, C, 0x432aff97, s=10, M[7]) + add w8, w8, w12 // Add dest value + orn x10, x6, x9 // Begin aux function round 4 I(x,y,z)=((~z|x)^y) + add w8, w8, w17 // Add constant 0xab9423a7 + eor x17, x4, x10 // End aux function round 4 I(x,y,z)=((~z|x)^y) + add w8, w8, w17 // Add aux function result + ror w8, w8, #17 // Rotate left s=15 bits + movz x17, #0xa039 // Load lower half of constant 0xfc93a039 + movk x17, #0xfc93, lsl #16 // Load upper half of constant 0xfc93a039 + add w8, w6, w8 // Add X parameter round 4 C=II(C, D, A, B, 0xab9423a7, s=15, M[14]) + orn x13, x8, x4 // Begin aux function round 4 I(x,y,z)=((~z|x)^y) + add w9, w9, w22 // Add dest value + eor x13, x6, x13 // End aux function round 4 I(x,y,z)=((~z|x)^y) + add w9, w9, w17 // Add constant 0xfc93a039 + add w17, w9, w13 // Add aux function result + ror w17, w17, #11 // Rotate left s=21 bits + movz x9, #0x59c3 // Load lower half of constant 0x655b59c3 + movk x9, #0x655b, lsl #16 // Load upper half of constant 0x655b59c3 + add w17, w8, w17 // Add X parameter round 4 B=II(B, C, D, A, 0xfc93a039, s=21, M[5]) + add w4, w4, w11 // Add dest value + orn x13, x17, x6 // Begin aux function round 4 I(x,y,z)=((~z|x)^y) + add w9, w4, w9 // Add constant 0x655b59c3 + eor x4, x8, x13 // End aux function round 4 I(x,y,z)=((~z|x)^y) + add w9, w9, w4 // Add aux function result + ror w9, w9, #26 // Rotate left s=6 bits + movz x4, #0xcc92 // Load lower half of constant 0x8f0ccc92 + movk x4, #0x8f0c, lsl #16 // Load upper half of constant 0x8f0ccc92 + add w9, w17, w9 // Add X parameter 
round 4 A=II(A, B, C, D, 0x655b59c3, s=6, M[12]) + orn x10, x9, x8 // Begin aux function round 4 I(x,y,z)=((~z|x)^y) + add w6, w6, w21 // Add dest value + eor x10, x17, x10 // End aux function round 4 I(x,y,z)=((~z|x)^y) + add w4, w6, w4 // Add constant 0x8f0ccc92 + add w6, w4, w10 // Add aux function result + ror w6, w6, #22 // Rotate left s=10 bits + movz x4, #0xf47d // Load lower half of constant 0xffeff47d + movk x4, #0xffef, lsl #16 // Load upper half of constant 0xffeff47d + add w6, w9, w6 // Add X parameter round 4 D=II(D, A, B, C, 0x8f0ccc92, s=10, M[3]) + add w8, w8, w16 // Add dest value + orn x10, x6, x17 // Begin aux function round 4 I(x,y,z)=((~z|x)^y) + add w8, w8, w4 // Add constant 0xffeff47d + eor x4, x9, x10 // End aux function round 4 I(x,y,z)=((~z|x)^y) + add w8, w8, w4 // Add aux function result + ror w8, w8, #17 // Rotate left s=15 bits + movz x4, #0x5dd1 // Load lower half of constant 0x85845dd1 + movk x4, #0x8584, lsl #16 // Load upper half of constant 0x85845dd1 + add w8, w6, w8 // Add X parameter round 4 C=II(C, D, A, B, 0xffeff47d, s=15, M[10]) + orn x10, x8, x9 // Begin aux function round 4 I(x,y,z)=((~z|x)^y) + add w15, w17, w20 // Add dest value + eor x17, x6, x10 // End aux function round 4 I(x,y,z)=((~z|x)^y) + add w15, w15, w4 // Add constant 0x85845dd1 + add w4, w15, w17 // Add aux function result + ror w4, w4, #11 // Rotate left s=21 bits + movz x15, #0x7e4f // Load lower half of constant 0x6fa87e4f + movk x15, #0x6fa8, lsl #16 // Load upper half of constant 0x6fa87e4f + add w17, w8, w4 // Add X parameter round 4 B=II(B, C, D, A, 0x85845dd1, s=21, M[1]) + add w4, w9, w5 // Add dest value + orn x9, x17, x6 // Begin aux function round 4 I(x,y,z)=((~z|x)^y) + add w15, w4, w15 // Add constant 0x6fa87e4f + eor x4, x8, x9 // End aux function round 4 I(x,y,z)=((~z|x)^y) + add w9, w15, w4 // Add aux function result + ror w9, w9, #26 // Rotate left s=6 bits + movz x15, #0xe6e0 // Load lower half of constant 0xfe2ce6e0 + movk x15, #0xfe2c, 
lsl #16 // Load upper half of constant 0xfe2ce6e0 + add w4, w17, w9 // Add X parameter round 4 A=II(A, B, C, D, 0x6fa87e4f, s=6, M[8]) + orn x9, x4, x8 // Begin aux function round 4 I(x,y,z)=((~z|x)^y) + add w6, w6, w27 // Add dest value + eor x9, x17, x9 // End aux function round 4 I(x,y,z)=((~z|x)^y) + add w15, w6, w15 // Add constant 0xfe2ce6e0 + add w6, w15, w9 // Add aux function result + ror w6, w6, #22 // Rotate left s=10 bits + movz x9, #0x4314 // Load lower half of constant 0xa3014314 + movk x9, #0xa301, lsl #16 // Load upper half of constant 0xa3014314 + add w15, w4, w6 // Add X parameter round 4 D=II(D, A, B, C, 0xfe2ce6e0, s=10, M[15]) + add w6, w8, w7 // Add dest value + orn x7, x15, x17 // Begin aux function round 4 I(x,y,z)=((~z|x)^y) + add w8, w6, w9 // Add constant 0xa3014314 + eor x9, x4, x7 // End aux function round 4 I(x,y,z)=((~z|x)^y) + add w6, w8, w9 // Add aux function result + ror w6, w6, #17 // Rotate left s=15 bits + movz x7, #0x11a1 // Load lower half of constant 0x4e0811a1 + movk x7, #0x4e08, lsl #16 // Load upper half of constant 0x4e0811a1 + add w8, w15, w6 // Add X parameter round 4 C=II(C, D, A, B, 0xa3014314, s=15, M[6]) + orn x9, x8, x4 // Begin aux function round 4 I(x,y,z)=((~z|x)^y) + add w6, w17, w26 // Add dest value + eor x17, x15, x9 // End aux function round 4 I(x,y,z)=((~z|x)^y) + add w9, w6, w7 // Add constant 0x4e0811a1 + add w7, w9, w17 // Add aux function result + ror w7, w7, #11 // Rotate left s=21 bits + movz x6, #0x7e82 // Load lower half of constant 0xf7537e82 + movk x6, #0xf753, lsl #16 // Load upper half of constant 0xf7537e82 + add w9, w8, w7 // Add X parameter round 4 B=II(B, C, D, A, 0x4e0811a1, s=21, M[13]) + add w17, w4, w14 // Add dest value + orn x7, x9, x15 // Begin aux function round 4 I(x,y,z)=((~z|x)^y) + add w14, w17, w6 // Add constant 0xf7537e82 + eor x4, x8, x7 // End aux function round 4 I(x,y,z)=((~z|x)^y) + add w17, w14, w4 // Add aux function result + ror w17, w17, #26 // Rotate left s=6 bits 
+ movz x6, #0xf235 // Load lower half of constant 0xbd3af235 + movk x6, #0xbd3a, lsl #16 // Load upper half of constant 0xbd3af235 + add w7, w9, w17 // Add X parameter round 4 A=II(A, B, C, D, 0xf7537e82, s=6, M[4]) + orn x14, x7, x8 // Begin aux function round 4 I(x,y,z)=((~z|x)^y) + add w4, w15, w25 // Add dest value + eor x17, x9, x14 // End aux function round 4 I(x,y,z)=((~z|x)^y) + add w15, w4, w6 // Add constant 0xbd3af235 + add w16, w15, w17 // Add aux function result + ror w16, w16, #22 // Rotate left s=10 bits + movz x14, #0xd2bb // Load lower half of constant 0x2ad7d2bb + movk x14, #0x2ad7, lsl #16 // Load upper half of constant 0x2ad7d2bb + add w4, w7, w16 // Add X parameter round 4 D=II(D, A, B, C, 0xbd3af235, s=10, M[11]) + add w6, w8, w3 // Add dest value + orn x15, x4, x9 // Begin aux function round 4 I(x,y,z)=((~z|x)^y) + add w17, w6, w14 // Add constant 0x2ad7d2bb + eor x16, x7, x15 // End aux function round 4 I(x,y,z)=((~z|x)^y) + add w8, w17, w16 // Add aux function result + ror w8, w8, #17 // Rotate left s=15 bits + movz x3, #0xd391 // Load lower half of constant 0xeb86d391 + movk x3, #0xeb86, lsl #16 // Load upper half of constant 0xeb86d391 + add w14, w4, w8 // Add X parameter round 4 C=II(C, D, A, B, 0x2ad7d2bb, s=15, M[2]) + orn x6, x14, x7 // Begin aux function round 4 I(x,y,z)=((~z|x)^y) + add w15, w9, w24 // Add dest value + eor x17, x4, x6 // End aux function round 4 I(x,y,z)=((~z|x)^y) + add w16, w15, w3 // Add constant 0xeb86d391 + add w8, w16, w17 // Add aux function result + ror w8, w8, #11 // Rotate left s=21 bits + ldp w6, w15, [x0] // Reload MD5 state->A and state->B + ldp w5, w9, [x0, #8] // Reload MD5 state->C and state->D + add w3, w14, w8 // Add X parameter round 4 B=II(B, C, D, A, 0xeb86d391, s=21, M[9]) + add w13, w4, w9 // Add result of MD5 rounds to state->D + add w12, w14, w5 // Add result of MD5 rounds to state->C + add w10, w7, w6 // Add result of MD5 rounds to state->A + add w11, w3, w15 // Add result of MD5 rounds to 
state->B + stp w12, w13, [x0, #8] // Store MD5 states C,D + stp w10, w11, [x0] // Store MD5 states A,B + add x1, x1, #64 // Increment data pointer + subs w2, w2, #1 // Decrement block counter + b.ne ossl_md5_blocks_loop + + ldp x21,x22,[sp,#16] + ldp x23,x24,[sp,#32] + ldp x25,x26,[sp,#48] + ldp x27,x28,[sp,#64] + ldp x19,x20,[sp],#80 + ret + +EOF + +# EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame, +# CONTEXT *context,DISPATCHER_CONTEXT *disp) + +print $code; + +close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/md5/build.info b/crypto/md5/build.info index 9a3253860..34f29faf7 100644 --- a/crypto/md5/build.info +++ b/crypto/md5/build.info @@ -4,6 +4,7 @@ $MD5ASM= IF[{- !$disabled{asm} -}] $MD5ASM_x86=md5-586.S $MD5ASM_x86_64=md5-x86_64.s + $MD5ASM_aarch64=md5-aarch64.s $MD5ASM_sparcv9=md5-sparcv9.S # Now that we have defined all the arch specific variables, use the @@ -35,6 +36,7 @@ DEFINE[../../providers/liblegacy.a]=$MD5DEF GENERATE[md5-586.S]=asm/md5-586.pl GENERATE[md5-x86_64.s]=asm/md5-x86_64.pl +GENERATE[md5-aarch64.s]=asm/md5-aarch64.pl GENERATE[md5-sparcv9.S]=asm/md5-sparcv9.pl INCLUDE[md5-sparcv9.o]=.. diff --git a/crypto/md5/md5_local.h b/crypto/md5/md5_local.h index 22a0e0f62..894567c3f 100644 --- a/crypto/md5/md5_local.h +++ b/crypto/md5/md5_local.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
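Review bot: The new `$MD5ASM_aarch64=md5-aarch64.s` entry and the matching `GENERATE[md5-aarch64.s]=asm/md5-aarch64.pl` line in the second hunk use the lowercase `.s` suffix, which is assembled without the C preprocessor, unlike the `.S` entries beside them. If md5-aarch64.pl is meant to include arm_arch.h and emit the `AARCH64_VALID_CALL_TARGET` BTI landing pad at its entry point (as the new aes-gcm-armv8-unroll8_64.pl in this commit does), that macro would reach the assembler unexpanded from a `.s` file; the prologue of md5-aarch64.pl is outside this view, so this is worth confirming. If the module is intentionally plain assembly, a short comment next to the entry, e.g. `# md5-aarch64.s needs no preprocessing (no arm_arch.h macros)`, would make that explicit, with the caveat that a BTI-enabled build would then presumably have no landing pad on the assembly entry point.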
@@ -14,7 +14,8 @@ #ifdef MD5_ASM # if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \ - defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64) + defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || \ + defined(_M_X64) || defined(__aarch64__) # define md5_block_data_order ossl_md5_block_asm_data_order # elif defined(__ia64) || defined(__ia64__) || defined(_M_IA64) # define md5_block_data_order ossl_md5_block_asm_data_order diff --git a/crypto/mem.c b/crypto/mem.c index f6cdcf5a4..3d67d9256 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "e_os.h" +#include "internal/e_os.h" #include "internal/cryptlib.h" #include "crypto/cryptlib.h" #include diff --git a/crypto/mem_sec.c b/crypto/mem_sec.c index 6ba75486a..e1a319347 100644 --- a/crypto/mem_sec.c +++ b/crypto/mem_sec.c @@ -15,7 +15,7 @@ * For details on that implementation, see below (look for uppercase * "SECURE HEAP IMPLEMENTATION"). */ -#include "e_os.h" +#include "internal/e_os.h" #include #include diff --git a/crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl b/crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl new file mode 100644 index 000000000..b9083be1f --- /dev/null +++ b/crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl 
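Review bot: The new condition adds only `defined(__aarch64__)`, so an MSVC AArch64 build, which defines `_M_ARM64` rather than `__aarch64__`, silently keeps the C implementation while the x86 branch on the same line spells out its MSVC macros (`_M_IX86`, `_M_AMD64`, `_M_X64`). If that asymmetry is deliberate (the md5-aarch64.pl hunk above leaves the Win64 exception handler as a comment only, which suggests the Windows path is not supported yet), a one-line comment would save the next reader the question, e.g. `/* aarch64 asm: GCC/Clang targets only; MSVC (_M_ARM64) falls back to C */`; otherwise the macro can be added to the list. The enclosing `#ifdef MD5_ASM` block continues past this hunk.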
@@ -0,0 +1,7378 @@ +#! /usr/bin/env perl +# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# +#======================================================================== +# Written by Xiaokang Qian for the OpenSSL project, +# derived from https://github.com/ARM-software/AArch64cryptolib, original +# author Samuel Lee . The module is, however, dual +# licensed under OpenSSL and SPDX BSD-3-Clause licenses depending on where you +# obtain it. +#======================================================================== +# +# Approach - We want to reload constants as we have plenty of spare ASIMD slots around crypto units for loading +# Unroll x8 in main loop, main loop to act on 8 16B blocks per iteration, and then do modulo of the accumulated +# intermediate hashesfrom the 8 blocks. 
+# +# ____________________________________________________ +# | | +# | PRE | +# |____________________________________________________| +# | | | | +# | CTR block 8k+13| AES block 8k+8 | GHASH block 8k+0 | +# |________________|________________|__________________| +# | | | | +# | CTR block 8k+14| AES block 8k+9 | GHASH block 8k+1 | +# |________________|________________|__________________| +# | | | | +# | CTR block 8k+15| AES block 8k+10| GHASH block 8k+2 | +# |________________|________________|__________________| +# | | | | +# | CTR block 8k+16| AES block 8k+11| GHASH block 8k+3 | +# |________________|________________|__________________| +# | | | | +# | CTR block 8k+17| AES block 8k+12| GHASH block 8k+4 | +# |________________|________________|__________________| +# | | | | +# | CTR block 8k+18| AES block 8k+13| GHASH block 8k+5 | +# |________________|________________|__________________| +# | | | | +# | CTR block 8k+19| AES block 8k+14| GHASH block 8k+6 | +# |________________|________________|__________________| +# | | | | +# | CTR block 8k+20| AES block 8k+15| GHASH block 8k+7 | +# |________________|____(mostly)____|__________________| +# | | +# | MODULO | +# |____________________________________________________| +# +# PRE: +# Ensure previous generated intermediate hash is aligned and merged with result for GHASH 4k+0 +# EXT low_acc, low_acc, low_acc, #8 +# EOR res_curr (8k+0), res_curr (4k+0), low_acc +# +# CTR block: +# Increment and byte reverse counter in scalar registers and transfer to SIMD registers +# REV ctr32, rev_ctr32 +# ORR ctr64, constctr96_top32, ctr32, LSL #32 +# INS ctr_next.d[0], constctr96_bottom64 // Keeping this in scalar registers to free up space in SIMD RF +# INS ctr_next.d[1], ctr64X +# ADD rev_ctr32, #1 +# +# AES block: +# Do AES encryption/decryption on CTR block X and EOR it with input block X. Take 256 bytes key below for example. 
+# Doing small trick here of loading input in scalar registers, EORing with last key and then transferring +# Given we are very constrained in our ASIMD registers this is quite important +# +# Encrypt: +# LDR input_low, [ input_ptr ], #8 +# LDR input_high, [ input_ptr ], #8 +# EOR input_low, k14_low +# EOR input_high, k14_high +# INS res_curr.d[0], input_low +# INS res_curr.d[1], input_high +# AESE ctr_curr, k0; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k1; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k2; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k3; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k4; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k5; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k6; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k7; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k8; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k9; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k10; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k11; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k12; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k13 +# EOR res_curr, res_curr, ctr_curr +# ST1 { res_curr.16b }, [ output_ptr ], #16 +# +# Decrypt: +# AESE ctr_curr, k0; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k1; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k2; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k3; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k4; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k5; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k6; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k7; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k8; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k9; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k10; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k11; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k12; AESMC ctr_curr, ctr_curr +# AESE ctr_curr, k13 +# LDR res_curr, [ input_ptr ], #16 +# EOR res_curr, res_curr, ctr_curr +# MOV output_low, res_curr.d[0] +# MOV output_high, res_curr.d[1] +# EOR output_low, k14_low +# EOR output_high, k14_high +# STP output_low, output_high, [ 
output_ptr ], #16 + +# GHASH block X: +# Do 128b karatsuba polynomial multiplication on block +# We only have 64b->128b polynomial multipliers, naively that means we need to do 4 64b multiplies to generate a 128b +# +# multiplication: +# Pmull(A,B) == (Pmull(Ah,Bh)<<128 | Pmull(Al,Bl)) ^ (Pmull(Ah,Bl) ^ Pmull(Al,Bh))<<64 +# +# The idea behind Karatsuba multiplication is that we can do just 3 64b multiplies: +# Pmull(A,B) == (Pmull(Ah,Bh)<<128 | Pmull(Al,Bl)) ^ (Pmull(Ah^Al,Bh^Bl) ^ Pmull(Ah,Bh) ^ Pmull(Al,Bl))<<64 +# +# There is some complication here because the bit order of GHASH's PMULL is reversed compared to elsewhere, so we are +# multiplying with "twisted" powers of H +# +# Note: We can PMULL directly into the acc_x in first GHASH of the loop +# Note: For scheduling big cores we want to split the processing to happen over two loop iterations - otherwise the critical +# path latency dominates the performance +# +# This has a knock on effect on register pressure, so we have to be a bit more clever with our temporary registers +# than indicated here +# REV64 res_curr, res_curr +# INS t_m.d[0], res_curr.d[1] +# EOR t_m.8B, t_m.8B, res_curr.8B +# PMULL2 t_h, res_curr, HX +# PMULL t_l, res_curr, HX +# PMULL t_m, t_m, HX_k +# EOR acc_h, acc_h, t_h +# EOR acc_l, acc_l, t_l +# EOR acc_m, acc_m, t_m +# +# MODULO: take the partial accumulators (~representing sum of 256b multiplication results), from GHASH and do modulo reduction on them +# There is some complication here because the bit order of GHASH's PMULL is reversed compared to elsewhere, so we are doing modulo +# with a reversed constant +# EOR3 acc_m, acc_m, acc_l, acc_h // Finish off karatsuba processing +# PMULL t_mod, acc_h, mod_constant +# EXT acc_h, acc_h, acc_h, #8 +# EOR3 acc_m, acc_m, t_mod, acc_h +# PMULL acc_h, acc_m, mod_constant +# EXT acc_m, acc_m, acc_m, #8 +# EOR3 acc_l, acc_l, acc_m, acc_h + +$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? 
pop : undef; +$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or +( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate ) or +die "can't locate arm-xlate.pl"; + +die "only for 64 bit" if $flavour !~ /64/; + +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; + +$code=<<___; +#include "arm_arch.h" + +#if __ARM_MAX_ARCH__>=8 +___ +$code.=".arch armv8.2-a+crypto\n.text\n"; + +$input_ptr="x0"; #argument block +$bit_length="x1"; +$byte_length="x9"; +$output_ptr="x2"; +$current_tag="x3"; +$counter="x16"; +$constant_temp="x15"; +$modulo_constant="x10"; +$cc="x8"; +{ +my ($end_input_ptr,$main_end_input_ptr,$temp0_x,$temp1_x)=map("x$_",(4..7)); +my ($temp2_x,$temp3_x)=map("x$_",(13..14)); +my ($ctr0b,$ctr1b,$ctr2b,$ctr3b,$ctr4b,$ctr5b,$ctr6b,$ctr7b,$res0b,$res1b,$res2b,$res3b,$res4b,$res5b,$res6b,$res7b)=map("v$_.16b",(0..15)); +my ($ctr0,$ctr1,$ctr2,$ctr3,$ctr4,$ctr5,$ctr6,$ctr7,$res0,$res1,$res2,$res3,$res4,$res5,$res6,$res7)=map("v$_",(0..15)); +my ($ctr0d,$ctr1d,$ctr2d,$ctr3d,$ctr4d,$ctr5d,$ctr6d,$ctr7d)=map("d$_",(0..7)); +my ($ctr0q,$ctr1q,$ctr2q,$ctr3q,$ctr4q,$ctr5q,$ctr6q,$ctr7q)=map("q$_",(0..7)); +my ($res0q,$res1q,$res2q,$res3q,$res4q,$res5q,$res6q,$res7q)=map("q$_",(8..15)); + +my ($ctr_t0,$ctr_t1,$ctr_t2,$ctr_t3,$ctr_t4,$ctr_t5,$ctr_t6,$ctr_t7)=map("v$_",(8..15)); +my ($ctr_t0b,$ctr_t1b,$ctr_t2b,$ctr_t3b,$ctr_t4b,$ctr_t5b,$ctr_t6b,$ctr_t7b)=map("v$_.16b",(8..15)); +my ($ctr_t0q,$ctr_t1q,$ctr_t2q,$ctr_t3q,$ctr_t4q,$ctr_t5q,$ctr_t6q,$ctr_t7q)=map("q$_",(8..15)); + +my ($acc_hb,$acc_mb,$acc_lb)=map("v$_.16b",(17..19)); +my ($acc_h,$acc_m,$acc_l)=map("v$_",(17..19)); + +my ($h1,$h12k,$h2,$h3,$h34k,$h4)=map("v$_",(20..25)); +my ($h5,$h56k,$h6,$h7,$h78k,$h8)=map("v$_",(20..25)); +my ($h1q,$h12kq,$h2q,$h3q,$h34kq,$h4q)=map("q$_",(20..25)); +my ($h5q,$h56kq,$h6q,$h7q,$h78kq,$h8q)=map("q$_",(20..25)); + +my $t0="v16"; +my $t0d="d16"; + +my $t1="v29"; +my 
$t2=$res1; +my $t3=$t1; + +my $t4=$res0; +my $t5=$res2; +my $t6=$t0; + +my $t7=$res3; +my $t8=$res4; +my $t9=$res5; + +my $t10=$res6; +my $t11="v21"; +my $t12=$t1; + +my $rtmp_ctr="v30"; +my $rtmp_ctrq="q30"; +my $rctr_inc="v31"; +my $rctr_incd="d31"; + +my $mod_constantd=$t0d; +my $mod_constant=$t0; + +my ($rk0,$rk1,$rk2)=map("v$_.16b",(26..28)); +my ($rk3,$rk4,$rk5)=map("v$_.16b",(26..28)); +my ($rk6,$rk7,$rk8)=map("v$_.16b",(26..28)); +my ($rk9,$rk10,$rk11)=map("v$_.16b",(26..28)); +my ($rk12,$rk13,$rk14)=map("v$_.16b",(26..28)); +my ($rk0q,$rk1q,$rk2q)=map("q$_",(26..28)); +my ($rk3q,$rk4q,$rk5q)=map("q$_",(26..28)); +my ($rk6q,$rk7q,$rk8q)=map("q$_",(26..28)); +my ($rk9q,$rk10q,$rk11q)=map("q$_",(26..28)); +my ($rk12q,$rk13q,$rk14q)=map("q$_",(26..28)); +my $rk2q1="v28.1q"; +my $rk3q1="v26.1q"; +my $rk4v="v27"; + + +######################################################################################### +# size_t unroll8_eor3_aes_gcm_enc_128_kernel(const unsigned char *in, +# size_t len, +# unsigned char *out, +# const void *key, +# unsigned char ivec[16], +# u64 *Xi); +# +$code.=<<___; +.global unroll8_eor3_aes_gcm_enc_128_kernel +.type unroll8_eor3_aes_gcm_enc_128_kernel,%function +.align 4 +unroll8_eor3_aes_gcm_enc_128_kernel: + AARCH64_VALID_CALL_TARGET + cbz x1, .L128_enc_ret + stp d8, d9, [sp, #-80]! 
+ lsr $byte_length, $bit_length, #3 + mov $counter, x4 + mov $cc, x5 + stp d10, d11, [sp, #16] + stp d12, d13, [sp, #32] + stp d14, d15, [sp, #48] + mov x5, #0xc200000000000000 + stp x5, xzr, [sp, #64] + add $modulo_constant, sp, #64 + + mov $constant_temp, #0x100000000 @ set up counter increment + movi $rctr_inc.16b, #0x0 + mov $rctr_inc.d[1], $constant_temp + mov $main_end_input_ptr, $byte_length + ld1 { $ctr0b}, [$counter] @ CTR block 0 + + sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1 + + and $main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffff80 @ number of bytes to be processed in main loop (at least 1 byte must be handled by tail) + + rev32 $rtmp_ctr.16b, $ctr0.16b @ set up reversed counter + + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 0 + + rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 1 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 1 + + rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 2 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 2 + + rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 3 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 3 + + rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 4 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 4 + + rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 5 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 5 + ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 + + rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 6 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 6 + + rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 7 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 7 + + aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 0 + aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 0 + aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 + + aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0 + aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 + aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b 
@ AES block 2 - round 0 + + aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 0 + aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 0 + ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 + + aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 + + aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 1 + aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 1 + aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 1 + + aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 + aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 1 + aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 1 + + aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 2 + aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 + aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 + + aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 + aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 + aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 2 + + aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2 + aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 2 + aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 2 + + aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3 + + ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 + aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 3 + aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 3 + + aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 3 + aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 3 + aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 3 + + aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 3 + + aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 4 + aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 3 + aese $ctr5b, $rk4 
\n aesmc $ctr5b, $ctr5b @ AES block 5 - round 4 + + aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 4 + aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 4 + aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 4 + + aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 4 + aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 4 + aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 4 + + aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 5 + aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 5 + ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 + + aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 5 + aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 5 + aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 5 + + aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 5 + aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 5 + aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 5 + + aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 6 + aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 6 + aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 6 + + aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 6 + aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 6 + aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 6 + + aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 6 + aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 6 + ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 + + aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 7 + + ld1 { $acc_lb}, [$current_tag] + ext $acc_lb, $acc_lb, $acc_lb, #8 + rev64 $acc_lb, $acc_lb + + aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 7 + + aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 7 + aese $ctr3b, $rk7 \n aesmc $ctr3b, 
$ctr3b @ AES block 3 - round 7 + aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 7 + + aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 7 + aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 7 + aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 7 + + aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 + aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 + aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 + + aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 + aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 + ldr $rk10q, [$cc, #160] @ load rk10 + + aese $ctr3b, $rk9 @ AES block 8k+11 - round 9 + aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 + aese $ctr2b, $rk9 @ AES block 8k+10 - round 9 + + aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 + aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 + aese $ctr6b, $rk9 @ AES block 8k+14 - round 9 + + aese $ctr4b, $rk9 @ AES block 8k+12 - round 9 + add $main_end_input_ptr, $main_end_input_ptr, $input_ptr + aese $ctr0b, $rk9 @ AES block 8k+8 - round 9 + + aese $ctr7b, $rk9 @ AES block 8k+15 - round 9 + aese $ctr5b, $rk9 @ AES block 8k+13 - round 9 + aese $ctr1b, $rk9 @ AES block 8k+9 - round 9 + + add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr + cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks + b.ge .L128_enc_tail @ handle tail + + ldp $ctr_t0q, $ctr_t1q, [$input_ptr], #32 @ AES block 0, 1 - load plaintext + + ldp $ctr_t2q, $ctr_t3q, [$input_ptr], #32 @ AES block 2, 3 - load plaintext + + ldp $ctr_t4q, $ctr_t5q, [$input_ptr], #32 @ AES block 4, 5 - load plaintext + + ldp $ctr_t6q, $ctr_t7q, [$input_ptr], #32 @ AES block 6, 7 - load plaintext + cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks + + eor3 $res0b, $ctr_t0b, $ctr0b, $rk10 @ AES block 0 - result 
+ rev32 $ctr0.16b, $rtmp_ctr.16b @ CTR block 8 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8 + + eor3 $res1b, $ctr_t1b, $ctr1b, $rk10 @ AES block 1 - result + stp $res0q, $res1q, [$output_ptr], #32 @ AES block 0, 1 - store result + + rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 9 + eor3 $res5b, $ctr_t5b, $ctr5b, $rk10 @ AES block 5 - result + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 9 + + eor3 $res2b, $ctr_t2b, $ctr2b, $rk10 @ AES block 2 - result + eor3 $res6b, $ctr_t6b, $ctr6b, $rk10 @ AES block 6 - result + eor3 $res4b, $ctr_t4b, $ctr4b, $rk10 @ AES block 4 - result + + rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 10 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 10 + + eor3 $res3b, $ctr_t3b, $ctr3b, $rk10 @ AES block 3 - result + eor3 $res7b, $ctr_t7b, $ctr7b,$rk10 @ AES block 7 - result + stp $res2q, $res3q, [$output_ptr], #32 @ AES block 2, 3 - store result + + rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 11 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 11 + stp $res4q, $res5q, [$output_ptr], #32 @ AES block 4, 5 - store result + + stp $res6q, $res7q, [$output_ptr], #32 @ AES block 6, 7 - store result + + rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 12 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 12 + b.ge .L128_enc_prepretail @ do prepretail + +.L128_enc_main_loop: @ main loop start + rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13 + ldr $h5q, [$current_tag, #128] @ load h5l | h5h + ext $h5.16b, $h5.16b, $h5.16b, #8 + ldr $h6q, [$current_tag, #160] @ load h6l | h6h + ext $h6.16b, $h6.16b, $h6.16b, #8 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13 + + rev64 $res1b, $res1b @ GHASH block 8k+1 + rev64 $res0b, $res0b @ GHASH block 8k + ldr $h7q, [$current_tag, #176] @ load h7l | h7h + ext $h7.16b, $h7.16b, $h7.16b, #8 + ldr $h8q, [$current_tag, #208] @ load h8l | h8h + ext $h8.16b, $h8.16b, $h8.16b, #8 + + rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14 + add $rtmp_ctr.4s, 
$rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14 + ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0 + + ldr $h56kq, [$current_tag, #144] @ load h6k | h5k + ldr $h78kq, [$current_tag, #192] @ load h8k | h7k + rev64 $res5b, $res5b @ GHASH block 8k+5 (t0, t1, t2 and t3 free) + rev64 $res3b, $res3b @ GHASH block 8k+3 + + ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 + eor $res0b, $res0b, $acc_lb @ PRE 1 + rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15 + + rev64 $res7b, $res7b @ GHASH block 8k+7 (t0, t1, t2 and t3 free) + + pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high + rev64 $res2b, $res2b @ GHASH block 8k+2 + pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high + + pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low + trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid + pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low + + trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid + pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high + pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high + + eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low + ldr $h3q, [$current_tag, #80] @ load h3l | h3h + ext $h3.16b, $h3.16b, $h3.16b, #8 + ldr $h4q, [$current_tag, #112] @ load h3l | h3h + ext $h4.16b, $h4.16b, $h4.16b, #8 + aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0 + + aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0 + aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0 + eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high + + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15 + aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0 + eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid + + aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0 + aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1 + aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0 + + aese $ctr2b, $rk1 \n 
aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1 + aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0 + pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low + + aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1 + aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0 + aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1 + + eor3 $acc_hb, $acc_hb, $t1.16b,$t2.16b @ GHASH block 8k+2, 8k+3 - high + trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid + trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid + + ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 + aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1 + aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1 + + pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low + aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1 + aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1 + + pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid + eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid + pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid + + rev64 $res6b, $res6b @ GHASH block 8k+6 (t0, t1, and t2 free) + eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low + + pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid + eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid + pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid + + aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2 + aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2 + aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2 + + aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2 + eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid + aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2 + + aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b 
@ AES block 8k+8 - round 2 + aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2 + aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2 + + aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3 + ldr $h12kq, [$current_tag, #48] @ load h2k | h1k + ldr $h34kq, [$current_tag, #96] @ load h4k | h3k + rev64 $res4b, $res4b @ GHASH block 8k+4 (t0, t1, and t2 free) + + ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 + aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3 + aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3 + + ldr $h1q, [$current_tag, #32] @ load h1l | h1h + ext $h1.16b, $h1.16b, $h1.16b, #8 + ldr $h2q, [$current_tag, #64] @ load h1l | h1h + ext $h2.16b, $h2.16b, $h2.16b, #8 + pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high + pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low + + trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid + trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid + + aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3 + aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3 + + aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3 + aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3 + + aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3 + aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4 + + aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4 + aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4 + aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4 + + aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4 + aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4 + aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4 + + pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high + eor $res4.16b, $res4.16b, $t6.16b @ 
GHASH block 8k+4, 8k+5 - mid + pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low + + aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4 + ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 + trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid + + pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid + pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid + pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high + + pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high + aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5 + aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5 + + pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low + eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high + trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid + + eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low + aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5 + + eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid + aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5 + aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5 + + aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5 + aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5 + aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5 + + eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid + ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant + pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low + + aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6 + aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6 + + pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid + aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6 + aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 
6 + + pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid + eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low + ldp $ctr_t0q, $ctr_t1q, [$input_ptr], #32 @ AES block 8k+8, 8k+9 - load plaintext + + aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6 + rev32 $h1.16b, $rtmp_ctr.16b @ CTR block 8k+16 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+16 + + aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6 + aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6 + aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6 + + eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid + ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 + eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high + + aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7 + aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7 + ldp $ctr_t2q, $ctr_t3q, [$input_ptr], #32 @ AES block 8k+10, 8k+11 - load plaintext + + aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7 + aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7 + aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7 + + pmull $t11.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid + aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7 + aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7 + + rev32 $h2.16b, $rtmp_ctr.16b @ CTR block 8k+17 + aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7 + + aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 + ldp $ctr_t4q, $ctr_t5q, [$input_ptr], #32 @ AES block 8k+12, 8k+13 - load plaintext + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+17 + + aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 + aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 + aese 
$ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 + + aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 + eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up + ldr $rk10q, [$cc, #160] @ load rk10 + + ext $t12.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment + rev32 $h3.16b, $rtmp_ctr.16b @ CTR block 8k+18 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+18 + aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 + + aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 + eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid + aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 + + aese $ctr2b, $rk9 @ AES block 8k+10 - round 9 + aese $ctr4b, $rk9 @ AES block 8k+12 - round 9 + aese $ctr1b, $rk9 @ AES block 8k+9 - round 9 + + ldp $ctr_t6q, $ctr_t7q, [$input_ptr], #32 @ AES block 8k+14, 8k+15 - load plaintext + rev32 $h4.16b, $rtmp_ctr.16b @ CTR block 8k+19 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+19 + + cmp $input_ptr, $main_end_input_ptr @ LOOP CONTROL + eor3 $res4b, $ctr_t4b, $ctr4b, $rk10 @ AES block 4 - result + aese $ctr7b, $rk9 @ AES block 8k+15 - round 9 + + aese $ctr6b, $rk9 @ AES block 8k+14 - round 9 + aese $ctr3b, $rk9 @ AES block 8k+11 - round 9 + + eor3 $res2b, $ctr_t2b, $ctr2b, $rk10 @ AES block 8k+10 - result + + mov $ctr2.16b, $h3.16b @ CTR block 8k+18 + aese $ctr0b, $rk9 @ AES block 8k+8 - round 9 + + rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 8k+20 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+20 + + eor3 $res7b, $ctr_t7b, $ctr7b, $rk10 @ AES block 7 - result + aese $ctr5b, $rk9 @ AES block 8k+13 - round 9 + pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low + + eor3 $res1b, $ctr_t1b, $ctr1b, $rk10 @ AES block 8k+9 - result + eor3 $res3b, $ctr_t3b, $ctr3b, $rk10 @ AES block 8k+11 - result + mov $ctr3.16b, $h4.16b @ CTR block 8k+19 + + ext $t11.16b, 
$acc_mb, $acc_mb, #8 @ MODULO - other mid alignment + eor3 $res5b, $ctr_t5b, $ctr5b, $rk10 @ AES block 5 - result + mov $ctr1.16b, $h2.16b @ CTR block 8k+17 + + eor3 $res0b, $ctr_t0b, $ctr0b, $rk10 @ AES block 8k+8 - result + mov $ctr0.16b, $h1.16b @ CTR block 8k+16 + stp $res0q, $res1q, [$output_ptr], #32 @ AES block 8k+8, 8k+9 - store result + + stp $res2q, $res3q, [$output_ptr], #32 @ AES block 8k+10, 8k+11 - store result + eor3 $res6b, $ctr_t6b, $ctr6b, $rk10 @ AES block 6 - result + + stp $res4q, $res5q, [$output_ptr], #32 @ AES block 8k+12, 8k+13 - store result + eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low + + stp $res6q, $res7q, [$output_ptr], #32 @ AES block 8k+14, 8k+15 - store result + b.lt .L128_enc_main_loop + +.L128_enc_prepretail: @ PREPRETAIL + rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13 + ldr $h7q, [$current_tag, #176] @ load h7l | h7h + ext $h7.16b, $h7.16b, $h7.16b, #8 + ldr $h8q, [$current_tag, #208] @ load h8l | h8h + ext $h8.16b, $h8.16b, $h8.16b, #8 + ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0 + + ldr $h5q, [$current_tag, #128] @ load h5l | h5h + ext $h5.16b, $h5.16b, $h5.16b, #8 + ldr $h6q, [$current_tag, #160] @ load h6l | h6h + ext $h6.16b, $h6.16b, $h6.16b, #8 + rev64 $res0b, $res0b @ GHASH block 8k + rev64 $res1b, $res1b @ GHASH block 8k+1 + + ldr $h56kq, [$current_tag, #144] @ load h6k | h5k + ldr $h78kq, [$current_tag, #192] @ load h6k | h5k + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13 + rev64 $res3b, $res3b @ GHASH block 8k+3 + + rev64 $res2b, $res2b @ GHASH block 8k+2 + eor $res0b, $res0b, $acc_lb @ PRE 1 + + rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14 + + pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high + pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low + pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high + + rev64 $res5b, $res5b @ GHASH block 8k+5 (t0, t1, t2 and t3 free) + trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid + + pmull $h7.1q, 
$res1.1d, $h7.1d @ GHASH block 8k+1 - low + eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high + trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid + + eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low + eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid + + ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14 + + pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid + pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid + + rev64 $res4b, $res4b @ GHASH block 8k+4 (t0, t1, and t2 free) + rev64 $res7b, $res7b @ GHASH block 8k+7 (t0, t1, t2 and t3 free) + + eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid + + rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15 + + rev64 $res6b, $res6b @ GHASH block 8k+6 (t0, t1, and t2 free) + + aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0 + + pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high + pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high + + aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0 + aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0 + + pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low + aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0 + + eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high + trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid + trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid + + aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0 + aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0 + + eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid + aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0 + aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0 + + aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1 + pmull $h5.1q, $res3.1d, $h5.1d @ GHASH 
block 8k+3 - low + + ldr $h3q, [$current_tag, #80] @ load h3l | h3h + ext $h3.16b, $h3.16b, $h3.16b, #8 + ldr $h4q, [$current_tag, #112] @ load h4l | h4h + ext $h4.16b, $h4.16b, $h4.16b, #8 + + ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 + aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1 + pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid + + eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low + pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid + + aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1 + aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1 + + eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid + ldr $h12kq, [$current_tag, #48] @ load h2k | h1k + ldr $h34kq, [$current_tag, #96] @ load h4k | h3k + aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1 + + aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1 + aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1 + + aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2 + aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2 + aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2 + + aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2 + aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1 + aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2 + + aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3 + aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2 + + aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2 + aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2 + ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 + + ldr $h1q, [$current_tag, #32] @ load h1l | h1h + ext $h1.16b, $h1.16b, $h1.16b, #8 + ldr $h2q, [$current_tag, #64] @ load h1l | h1h + ext $h2.16b, $h2.16b, $h2.16b, #8 + 
trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid + aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3 + + pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high + aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3 + aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3 + + pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low + trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid + pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high + + aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15 + + aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3 + aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3 + eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid + + pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low + aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3 + pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high + + trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid + pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low + trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid + + aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4 + aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4 + eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high + + eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low + eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid + pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid + + aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5 + aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4 + aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4 + + aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4 + aese $ctr2b, $rk4 \n 
aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4 + + pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid + aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4 + aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4 + + pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high + ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 + pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low + + eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid + pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid + pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid + + aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5 + aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5 + ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant + + aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5 + aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5 + + eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high + aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5 + aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5 + + aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5 + aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6 + + aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6 + aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6 + aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6 + + aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6 + eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low + eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid + + aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6 + aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6 + aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 
- round 6 + + pmull $t11.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid + eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up + ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 + + aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7 + aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7 + aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7 + ext $t12.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment + + aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7 + aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7 + eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid + + aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7 + aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7 + + pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low + aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7 + + aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 + aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 + aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 + ext $acc_mb, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment + + aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 + eor3 $acc_lb, $acc_lb, $acc_hb, $acc_mb @ MODULO - fold into low + aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 + + aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 + aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 + aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 + + ldr $rk10q, [$cc, #160] @ load rk10 + aese $ctr6b, $rk9 @ AES block 8k+14 - round 9 + aese $ctr2b, $rk9 @ AES block 8k+10 - round 9 + + aese $ctr0b, $rk9 @ AES block 8k+8 - round 9 + aese $ctr1b, $rk9 @ AES block 8k+9 - round 9 + + aese $ctr3b, $rk9 @ AES block 8k+11 - 
round 9 + aese $ctr5b, $rk9 @ AES block 8k+13 - round 9 + + aese $ctr4b, $rk9 @ AES block 8k+12 - round 9 + aese $ctr7b, $rk9 @ AES block 8k+15 - round 9 +.L128_enc_tail: @ TAIL + + sub $main_end_input_ptr, $end_input_ptr, $input_ptr @ main_end_input_ptr is number of bytes left to process + ldr $ctr_t0q, [$input_ptr], #16 @ AES block 8k+8 - load plaintext + + mov $t1.16b, $rk10 + ldp $h5q, $h56kq, [$current_tag, #128] @ load h5l | h5h + ext $h5.16b, $h5.16b, $h5.16b, #8 + + eor3 $res1b, $ctr_t0b, $ctr0b, $t1.16b @ AES block 8k+8 - result + ext $t0.16b, $acc_lb, $acc_lb, #8 @ prepare final partial tag + ldp $h6q, $h7q, [$current_tag, #160] @ load h6l | h6h + ext $h6.16b, $h6.16b, $h6.16b, #8 + ext $h7.16b, $h7.16b, $h7.16b, #8 + + ldp $h78kq, $h8q, [$current_tag, #192] @ load h8k | h7k + ext $h8.16b, $h8.16b, $h8.16b, #8 + cmp $main_end_input_ptr, #112 + b.gt .L128_enc_blocks_more_than_7 + + mov $ctr7b, $ctr6b + mov $ctr6b, $ctr5b + movi $acc_h.8b, #0 + + cmp $main_end_input_ptr, #96 + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + mov $ctr5b, $ctr4b + + mov $ctr4b, $ctr3b + mov $ctr3b, $ctr2b + mov $ctr2b, $ctr1b + + movi $acc_l.8b, #0 + movi $acc_m.8b, #0 + b.gt .L128_enc_blocks_more_than_6 + + mov $ctr7b, $ctr6b + cmp $main_end_input_ptr, #80 + + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + mov $ctr6b, $ctr5b + mov $ctr5b, $ctr4b + + mov $ctr4b, $ctr3b + mov $ctr3b, $ctr1b + b.gt .L128_enc_blocks_more_than_5 + + cmp $main_end_input_ptr, #64 + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + + mov $ctr7b, $ctr6b + mov $ctr6b, $ctr5b + + mov $ctr5b, $ctr4b + mov $ctr4b, $ctr1b + b.gt .L128_enc_blocks_more_than_4 + + mov $ctr7b, $ctr6b + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + mov $ctr6b, $ctr5b + + mov $ctr5b, $ctr1b + cmp $main_end_input_ptr, #48 + b.gt .L128_enc_blocks_more_than_3 + + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + mov $ctr7b, $ctr6b + mov $ctr6b, $ctr1b + + cmp $main_end_input_ptr, #32 + ldr $h34kq, [$current_tag, #96] @ load h4k | h3k + 
b.gt .L128_enc_blocks_more_than_2
+
+ cmp $main_end_input_ptr, #16
+
+ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
+ mov $ctr7b, $ctr1b
+ b.gt .L128_enc_blocks_more_than_1
+
+ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k
+ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
+ b .L128_enc_blocks_less_than_1
+.L128_enc_blocks_more_than_7: @ blocks left > 7
+ st1 { $res1b}, [$output_ptr], #16 @ AES final-7 block - store result
+
+ rev64 $res0b, $res1b @ GHASH final-7 block
+ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-6 block - load plaintext
+
+ eor $res0b, $res0b, $t0.16b @ feed in partial tag
+
+ ins $rk4v.d[0], $res0.d[1] @ GHASH final-7 block - mid
+
+ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH final-7 block - high
+
+ ins $acc_m.d[0], $h78k.d[1] @ GHASH final-7 block - mid
+
+ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-7 block - mid
+ movi $t0.8b, #0 @ supress further partial tag feed in
+
+ eor3 $res1b, $ctr_t1b, $ctr1b, $t1.16b @ AES final-6 block - result
+
+ pmull $acc_m.1q, $rk4v.1d, $acc_m.1d @ GHASH final-7 block - mid
+ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH final-7 block - low
+.L128_enc_blocks_more_than_6: @ blocks left > 6
+
+ st1 { $res1b}, [$output_ptr], #16 @ AES final-6 block - store result
+
+ rev64 $res0b, $res1b @ GHASH final-6 block
+ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-5 block - load plaintext
+
+ eor $res0b, $res0b, $t0.16b @ feed in partial tag
+
+ ins $rk4v.d[0], $res0.d[1] @ GHASH final-6 block - mid
+
+ eor3 $res1b, $ctr_t1b, $ctr2b, $t1.16b @ AES final-5 block - result
+ pmull $rk3q1, $res0.1d, $h7.1d @ GHASH final-6 block - low
+
+ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-6 block - mid
+ movi $t0.8b, #0 @ supress further partial tag feed in
+
+ pmull $rk4v.1q, $rk4v.1d, $h78k.1d @ GHASH final-6 block - mid
+ pmull2 $rk2q1, $res0.2d, $h7.2d @ GHASH final-6 block - high
+
+ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-6 block - low
+
+ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-6 block - mid
+ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-6 block - high
+.L128_enc_blocks_more_than_5: @ blocks left > 5
+
+ st1 { $res1b}, [$output_ptr], #16 @ AES final-5 block - store result
+
+ rev64 $res0b, $res1b @ GHASH final-5 block
+
+ eor $res0b, $res0b, $t0.16b @ feed in partial tag
+
+ ins $rk4v.d[0], $res0.d[1] @ GHASH final-5 block - mid
+ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-4 block - load plaintext
+ pmull2 $rk2q1, $res0.2d, $h6.2d @ GHASH final-5 block - high
+
+ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-5 block - high
+
+ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-5 block - mid
+
+ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-5 block - mid
+
+ eor3 $res1b, $ctr_t1b, $ctr3b, $t1.16b @ AES final-4 block - result
+ pmull $rk3q1, $res0.1d, $h6.1d @ GHASH final-5 block - low
+ movi $t0.8b, #0 @ supress further partial tag feed in
+
+ pmull2 $rk4v.1q, $rk4v.2d, $h56k.2d @ GHASH final-5 block - mid
+ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-5 block - low
+
+ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-5 block - mid
+.L128_enc_blocks_more_than_4: @ blocks left > 4
+
+ st1 { $res1b}, [$output_ptr], #16 @ AES final-4 block - store result
+
+ rev64 $res0b, $res1b @ GHASH final-4 block
+
+ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-3 block - load plaintext
+
+ eor $res0b, $res0b, $t0.16b @ feed in partial tag
+
+ ins $rk4v.d[0], $res0.d[1] @ GHASH final-4 block - mid
+ movi $t0.8b, #0 @ supress further partial tag feed in
+ pmull2 $rk2q1, $res0.2d, $h5.2d @ GHASH final-4 block - high
+
+ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-4 block - mid
+
+ pmull $rk3q1, $res0.1d, $h5.1d @ GHASH final-4 block - low
+
+ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-4 block - high
+ pmull $rk4v.1q, $rk4v.1d, $h56k.1d @ GHASH final-4 block - mid
+
+ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-4 block - low
+
+ eor3 $res1b, $ctr_t1b, $ctr4b, $t1.16b @ AES final-3 block - result
+ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-4 block - mid
+.L128_enc_blocks_more_than_3: @ blocks left > 3
+
+ st1 { $res1b}, [$output_ptr], #16 @ AES final-3 block - store result
+
+ ldr $h4q, [$current_tag, #112] @ load h4l | h4h
+ ext $h4.16b, $h4.16b, $h4.16b, #8
+
+ rev64 $res0b, $res1b @ GHASH final-3 block
+
+ eor $res0b, $res0b, $t0.16b @ feed in partial tag
+ movi $t0.8b, #0 @ supress further partial tag feed in
+
+ ins $rk4v.d[0], $res0.d[1] @ GHASH final-3 block - mid
+ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k
+ pmull $rk3q1, $res0.1d, $h4.1d @ GHASH final-3 block - low
+
+ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-2 block - load plaintext
+
+ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-3 block - mid
+
+ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-3 block - mid
+ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-3 block - low
+
+ eor3 $res1b, $ctr_t1b, $ctr5b, $t1.16b @ AES final-2 block - result
+
+ pmull2 $rk4v.1q, $rk4v.2d, $h34k.2d @ GHASH final-3 block - mid
+ pmull2 $rk2q1, $res0.2d, $h4.2d @ GHASH final-3 block - high
+
+ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-3 block - mid
+ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-3 block - high
+.L128_enc_blocks_more_than_2: @ blocks left > 2
+
+ st1 { $res1b}, [$output_ptr], #16 @ AES final-2 block - store result
+
+ rev64 $res0b, $res1b @ GHASH final-2 block
+
+ eor $res0b, $res0b, $t0.16b @ feed in partial tag
+
+ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-1 block - load plaintext
+
+ ins $rk4v.d[0], $res0.d[1] @ GHASH final-2 block - mid
+ ldr $h3q, [$current_tag, #80] @ load h3l | h3h
+ ext $h3.16b, $h3.16b, $h3.16b, #8
+ movi $t0.8b, #0 @ supress further partial tag feed in
+
+ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-2 block - mid
+ eor3 $res1b, $ctr_t1b, $ctr6b, $t1.16b @ AES final-1 block - result
+
+ pmull2 $rk2q1, $res0.2d, $h3.2d @ GHASH final-2 block - high
+
+ pmull $rk3q1, $res0.1d, $h3.1d @ GHASH final-2 block - low
+ pmull $rk4v.1q, $rk4v.1d, $h34k.1d @ GHASH final-2 block - mid
+
+ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-2 block - high
+
+ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-2 block - mid
+ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-2 block - low
+.L128_enc_blocks_more_than_1: @ blocks left > 1
+
+ st1 { $res1b}, [$output_ptr], #16 @ AES final-1 block - store result
+
+ ldr $h2q, [$current_tag, #64] @ load h2l | h2h
+ ext $h2.16b, $h2.16b, $h2.16b, #8
+ rev64 $res0b, $res1b @ GHASH final-1 block
+ ldr $ctr_t1q, [$input_ptr], #16 @ AES final block - load plaintext
+
+ eor $res0b, $res0b, $t0.16b @ feed in partial tag
+
+ movi $t0.8b, #0 @ supress further partial tag feed in
+ ins $rk4v.d[0], $res0.d[1] @ GHASH final-1 block - mid
+ eor3 $res1b, $ctr_t1b, $ctr7b, $t1.16b @ AES final block - result
+
+ pmull2 $rk2q1, $res0.2d, $h2.2d @ GHASH final-1 block - high
+
+ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-1 block - mid
+
+ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k
+
+ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-1 block - mid
+
+ pmull $rk3q1, $res0.1d, $h2.1d @ GHASH final-1 block - low
+ pmull2 $rk4v.1q, $rk4v.2d, $h12k.2d @ GHASH final-1 block - mid
+
+ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-1 block - high
+
+ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-1 block - mid
+ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-1 block - low
+.L128_enc_blocks_less_than_1: @ blocks left <= 1
+
+ rev32 $rtmp_ctr.16b, $rtmp_ctr.16b
+ str $rtmp_ctrq, [$counter] @ store the updated counter
+ and $bit_length, $bit_length, #127 @ bit_length %= 128
+
+ sub $bit_length, $bit_length, #128 @ bit_length -= 128
+
+ neg $bit_length, $bit_length @ bit_length = 128 - #bits in input (in range [1,128])
+
+ mvn $temp0_x, xzr @ temp0_x = 0xffffffffffffffff
+ ld1 { $rk0}, [$output_ptr] @ load existing bytes where the possibly partial last block is to be stored
+ and $bit_length, $bit_length, #127 @ bit_length %= 128
+
+ lsr $temp0_x, $temp0_x, $bit_length @ temp0_x is mask for top 64b of last block
+ mvn $temp1_x, xzr @ temp1_x = 0xffffffffffffffff
+ cmp $bit_length, #64
+
+ csel $temp2_x, $temp1_x, $temp0_x, lt
+ csel $temp3_x, $temp0_x, xzr, lt
+
+ mov $ctr0.d[1], $temp3_x
+ mov $ctr0.d[0], $temp2_x @ ctr0b is mask for last block
+
+ and $res1b, $res1b, $ctr0b @ possibly partial last block has zeroes in highest bits
+
+ rev64 $res0b, $res1b @ GHASH final block
+
+ bif $res1b, $rk0, $ctr0b @ insert existing bytes in top end of result before storing
+ st1 { $res1b}, [$output_ptr] @ store all 16B
+
+ eor $res0b, $res0b, $t0.16b @ feed in partial tag
+
+ ins $t0.d[0], $res0.d[1] @ GHASH final block - mid
+
+ eor $t0.8b, $t0.8b, $res0.8b @ GHASH final block - mid
+ ldr $h1q, [$current_tag, #32] @ load h1l | h1h
+ ext $h1.16b, $h1.16b, $h1.16b, #8
+
+ pmull $t0.1q, $t0.1d, $h12k.1d @ GHASH final block - mid
+
+ pmull2 $rk2q1, $res0.2d, $h1.2d @ GHASH final block - high
+ eor $acc_mb, $acc_mb, $t0.16b @ GHASH final block - mid
+ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant
+
+ pmull $rk3q1, $res0.1d, $h1.1d @ GHASH final block - low
+
+ eor $acc_hb, $acc_hb, $rk2 @ GHASH final block - high
+
+ eor $acc_lb, $acc_lb, $rk3 @ GHASH final block - low
+
+ ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment
+ pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid
+
+ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up
+
+ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid
+
+ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low
+ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment
+
+ eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low
+ ext $acc_lb, $acc_lb, $acc_lb, #8
+ rev64 $acc_lb, $acc_lb
+ st1 { $acc_l.16b }, [$current_tag]
+ mov x0, $byte_length
+
+ ldp d10, d11, [sp, #16]
+ ldp d12, d13, [sp, #32]
+ ldp d14, d15, [sp, #48]
+ ldp d8, d9, [sp], #80
+ ret
+
+.L128_enc_ret:
+ mov w0, #0x0
+ ret
+.size unroll8_eor3_aes_gcm_enc_128_kernel,.-unroll8_eor3_aes_gcm_enc_128_kernel
+___
+
+#########################################################################################
+# size_t unroll8_eor3_aes_gcm_dec_128_kernel(const unsigned char *in,
+# size_t len,
+# unsigned char *out,
+# u64 *Xi,
+# unsigned char ivec[16],
+# const void *key);
+#
+$code.=<<___;
+.global unroll8_eor3_aes_gcm_dec_128_kernel
+.type unroll8_eor3_aes_gcm_dec_128_kernel,%function
+.align 4
+unroll8_eor3_aes_gcm_dec_128_kernel:
+ AARCH64_VALID_CALL_TARGET
+ cbz x1, .L128_dec_ret
+ stp d8, d9, [sp, #-80]!
+ lsr $byte_length, $bit_length, #3
+ mov $counter, x4
+ mov $cc, x5
+ stp d10, d11, [sp, #16]
+ stp d12, d13, [sp, #32]
+ stp d14, d15, [sp, #48]
+ mov x5, #0xc200000000000000
+ stp x5, xzr, [sp, #64]
+ add $modulo_constant, sp, #64
+
+ mov $main_end_input_ptr, $byte_length
+ ld1 { $ctr0b}, [$counter] @ CTR block 0
+
+ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1
+ sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1
+
+ mov $constant_temp, #0x100000000 @ set up counter increment
+ movi $rctr_inc.16b, #0x0
+ mov $rctr_inc.d[1], $constant_temp
+ ld1 { $acc_lb}, [$current_tag]
+ ext $acc_lb, $acc_lb, $acc_lb, #8
+ rev64 $acc_lb, $acc_lb
+
+ rev32 $rtmp_ctr.16b, $ctr0.16b @ set up reversed counter
+
+ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0
+
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 0
+
+ rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 1
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 1
+
+ and $main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffff80 @ number of bytes to be processed in main loop (at least 1 byte must be handled by tail)
+
+ rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 2
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 2
+ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0
+
+ rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 3
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 3
+
+ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 1
+ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1
+
+ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 4
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 4
+
+ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 5
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 5
+
+ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0
+
+ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 6
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 6
+ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 0
+
+ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0
+ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 0
+
+ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 7
+
+ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 0
+ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1
+
+ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 0
+
+ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3
+
+ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 1
+ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 1
+
+ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 1
+ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 1
+
+ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 2
+ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2
+ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1
+
+ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 2
+ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2
+ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 2
+
+ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 2
+ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2
+ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2
+
+ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 3
+ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3
+
+ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5
+ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 3
+
+ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 3
+ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 3
+
+ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 3
+ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 3
+
+ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 4
+ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 4
+ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 3
+
+ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 4
+ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 4
+ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 4
+
+ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 4
+ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 4
+ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 4
+
+ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7
+ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 5
+ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 5
+
+ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 5
+ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 5
+
+ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 5
+ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 5
+
+ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 5
+
+ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 6
+ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 6
+ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 5
+
+ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 6
+ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 6
+ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 6
+
+ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 6
+ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 6
+ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 6
+
+ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 7
+ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 7
+ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 7
+
+ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 7
+ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 7
+ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9
+
+ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 7
+ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 7
+ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 7
+
+ add $main_end_input_ptr, $main_end_input_ptr, $input_ptr
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 7
+
+ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 8
+ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 8
+
+ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 8
+ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 8
+ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 8
+
+ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 8
+ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 8
+ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 8
+
+ aese $ctr0b, $rk9 @ AES block 0 - round 9
+ aese $ctr1b, $rk9 @ AES block 1 - round 9
+ aese $ctr6b, $rk9 @ AES block 6 - round 9
+
+ ldr $rk10q, [$cc, #160] @ load rk10
+ aese $ctr4b, $rk9 @ AES block 4 - round 9
+ aese $ctr3b, $rk9 @ AES block 3 - round 9
+
+ aese $ctr2b, $rk9 @ AES block 2 - round 9
+ aese $ctr5b, $rk9 @ AES block 5 - round 9
+ aese $ctr7b, $rk9 @ AES block 7 - round 9
+
+ add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr
+ cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks
+ b.ge .L128_dec_tail @ handle tail
+
+ ldp $res0q, $res1q, [$input_ptr], #32 @ AES block 0, 1 - load ciphertext
+
+ eor3 $ctr0b, $res0b, $ctr0b, $rk10 @ AES block 0 - result
+ eor3 $ctr1b, $res1b, $ctr1b, $rk10 @ AES block 1 - result
+ stp $ctr0q, $ctr1q, [$output_ptr], #32 @ AES block 0, 1 - store result
+
+ rev32 $ctr0.16b, $rtmp_ctr.16b @ CTR block 8
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8
+ ldp $res2q, $res3q, [$input_ptr], #32 @ AES block 2, 3 - load ciphertext
+
+ ldp $res4q, $res5q, [$input_ptr], #32 @ AES block 4, 5 - load ciphertext
+
+ rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 9
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 9
+ ldp $res6q, $res7q, [$input_ptr], #32 @ AES block 6, 7 - load ciphertext
+
+ eor3 $ctr3b, $res3b, $ctr3b, $rk10 @ AES block 3 - result
+ eor3 $ctr2b, $res2b, $ctr2b, $rk10 @ AES block 2 - result
+ stp $ctr2q, $ctr3q, [$output_ptr], #32 @ AES block 2, 3 - store result
+
+ rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 10
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 10
+
+ eor3 $ctr6b, $res6b, $ctr6b, $rk10 @ AES block 6 - result
+
+ rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 11
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 11
+
+ eor3 $ctr4b, $res4b, $ctr4b, $rk10 @ AES block 4 - result
+ eor3 $ctr5b, $res5b, $ctr5b, $rk10 @ AES block 5 - result
+ stp $ctr4q, $ctr5q, [$output_ptr], #32 @ AES block 4, 5 - store result
+
+ eor3 $ctr7b, $res7b, $ctr7b, $rk10 @ AES block 7 - result
+ stp $ctr6q, $ctr7q, [$output_ptr], #32 @ AES block 6, 7 - store result
+ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 12
+
+ cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 12
+ b.ge .L128_dec_prepretail @ do prepretail
+
+.L128_dec_main_loop: @ main loop start
+ ldr $h7q, [$current_tag, #176] @ load h7l | h7h
+ ext $h7.16b, $h7.16b, $h7.16b, #8
+ ldr $h8q, [$current_tag, #208] @ load h8l | h8h
+ ext $h8.16b, $h8.16b, $h8.16b, #8
+
+ rev64 $res1b, $res1b @ GHASH block 8k+1
+ rev64 $res0b, $res0b @ GHASH block 8k
+ ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0
+
+ rev64 $res6b, $res6b @ GHASH block 8k+6
+ ldr $h5q, [$current_tag, #128] @ load h5l | h5h
+ ext $h5.16b, $h5.16b, $h5.16b, #8
+ ldr $h6q, [$current_tag, #160] @ load h6l | h6h
+ ext $h6.16b, $h6.16b, $h6.16b, #8
+
+ eor $res0b, $res0b, $acc_lb @ PRE 1
+ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13
+
+ rev64 $res2b, $res2b @ GHASH block 8k+2
+ rev64 $res4b, $res4b @ GHASH block 8k+4
+ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1
+
+ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14
+ ldr $h56kq, [$current_tag, #144] @ load h6k | h5k
+ ldr $h78kq, [$current_tag, #192] @ load h8k | h7k
+
+ pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high
+ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high
+ rev64 $res3b, $res3b @ GHASH block 8k+3
+
+ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15
+ trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid
+ rev64 $res5b, $res5b @ GHASH block 8k+5
+
+ pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low
+ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low
+ trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid
+
+ pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high
+ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0
+ pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high
+
+ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0
+ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0
+ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0
+
+ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0
+ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0
+ eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high
+
+ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0
+ eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid
+ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0
+
+ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1
+ eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low
+ eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high
+
+ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3
+ trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid
+ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1
+
+ pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low
+ trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid
+ pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid
+
+ ldr $h3q, [$current_tag, #80] @ load h3l | h3h
+ ext $h3.16b, $h3.16b, $h3.16b, #8
+ ldr $h4q, [$current_tag, #112] @ load h4l | h4h
+ ext $h4.16b, $h4.16b, $h4.16b, #8
+ pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid
+ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1
+
+ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1
+ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1
+ pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low
+
+ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1
+ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1
+ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1
+
+ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2
+ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2
+ eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low
+
+ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2
+ eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid
+ ldr $h1q, [$current_tag, #32] @ load h1l | h1h
+ ext $h1.16b, $h1.16b, $h1.16b, #8
+ ldr $h2q, [$current_tag, #64] @ load h2l | h2h
+ ext $h2.16b, $h2.16b, $h2.16b, #8
+
+ eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid
+ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2
+ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2
+
+ trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid
+ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2
+ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2
+
+ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2
+ pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid
+ pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid
+
+ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3
+ rev64 $res7b, $res7b @ GHASH block 8k+7
+ pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high
+
+ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5
+ pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low
+ eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid
+
+ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k
+ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k
+ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3
+ trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid
+
+ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3
+ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3
+ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3
+
+ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3
+ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3
+ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3
+
+ pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high
+ pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low
+ pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high
+
+ pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low
+ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4
+ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4
+
+ eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid
+ trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid
+ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4
+
+ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4
+ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4
+ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4
+
+ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4
+ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4
+ trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid
+
+ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7
+ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5
+ pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid
+
+ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5
+ eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid
+ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5
+
+ pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid
+ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5
+ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5
+
+ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5
+ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5
+ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5
+
+ pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high
+ eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid
+ eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low
+
+ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6
+ eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high
+ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6
+
+ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6
+ pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid
+ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6
+
+ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6
+ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6
+ pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low
+
+ pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid
+ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15
+
+ eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high
+ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6
+ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9
+
+ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant
+ eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low
+ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7
+
+ rev32 $h1.16b, $rtmp_ctr.16b @ CTR block 8k+16
+ eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+16
+
+ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7
+ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7
+ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7
+
+ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7
+ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7
+ rev32 $h2.16b, $rtmp_ctr.16b @ CTR block 8k+17
+
+ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7
+ ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment
+ pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid
+
+ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up
+ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+17
+
+ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8
+ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8
+ ldp $res0q, $res1q, [$input_ptr], #32 @ AES block 8k+8, 8k+9 - load ciphertext
+
+ ldp $res2q, $res3q, [$input_ptr], #32 @ AES block 8k+10, 8k+11 - load ciphertext
+ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8
+ rev32 $h3.16b, $rtmp_ctr.16b @ CTR block 8k+18
+
+ ldp $res4q, $res5q, [$input_ptr], #32 @ AES block 8k+12, 8k+13 - load ciphertext
+ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8
+ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid
+
+ ldp $res6q, $res7q, [$input_ptr], #32 @ AES block 8k+14, 8k+15 - load ciphertext
+ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+18
+
+ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8
+ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8
+ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8
+
+ aese $ctr0b, $rk9 @ AES block 8k+8 - round 9
+ aese $ctr1b, $rk9 @ AES block 8k+9 - round 9
+ ldr $rk10q, [$cc, #160] @ load rk10
+
+ aese $ctr6b, $rk9 @ AES block 8k+14 - round 9
+ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low
+ aese $ctr2b, $rk9 @ AES block 8k+10 - round 9
+
+ aese $ctr7b, $rk9 @ AES block 8k+15 - round 9
+ aese $ctr4b, $rk9 @ AES block 8k+12 - round 9
+ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment
+
+ rev32 $h4.16b, $rtmp_ctr.16b @ CTR block 8k+19
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+19
+
+ aese $ctr3b, $rk9 @ AES block 8k+11 - round 9
+ aese $ctr5b, $rk9 @ AES block 8k+13 - round 9
+ eor3 $ctr1b, $res1b, $ctr1b, $rk10 @ AES block 8k+9 - result
+
+ eor3 $ctr0b, $res0b, $ctr0b, $rk10 @ AES block 8k+8 - result
+ eor3 $ctr7b, $res7b, $ctr7b, $rk10 @ AES block 8k+15 - result
+ eor3 $ctr6b, $res6b, $ctr6b, $rk10 @ AES block 8k+14 - result
+
+ eor3 $ctr2b, $res2b, $ctr2b, $rk10 @ AES block 8k+10 - result
+ stp $ctr0q, $ctr1q, [$output_ptr], #32 @ AES block 8k+8, 8k+9 - store result
+ mov $ctr1.16b, $h2.16b @ CTR block 8k+17
+
+ eor3 $ctr4b, $res4b, $ctr4b, $rk10 @ AES block 8k+12 - result
+ eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low
+ mov $ctr0.16b, $h1.16b @ CTR block 8k+16
+
+ eor3 $ctr3b, $res3b, $ctr3b, $rk10 @ AES block 8k+11 - result
+ cmp $input_ptr, $main_end_input_ptr @ LOOP CONTROL
+ stp $ctr2q, $ctr3q, [$output_ptr], #32 @ AES block 8k+10, 8k+11 - store result
+
+ eor3 $ctr5b, $res5b, $ctr5b, $rk10 @ AES block 8k+13 - result
+ mov $ctr2.16b, $h3.16b @ CTR block 8k+18
+
+ stp $ctr4q, $ctr5q, [$output_ptr], #32 @ AES block 8k+12, 8k+13 - store result
+ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 8k+20
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+20
+
+ stp $ctr6q, $ctr7q, [$output_ptr], #32 @ AES block 8k+14, 8k+15 - store result
+ mov $ctr3.16b, $h4.16b @ CTR block 8k+19
+ b.lt .L128_dec_main_loop
+
+.L128_dec_prepretail: @ PREPRETAIL
+ rev64 $res3b, $res3b @ GHASH block 8k+3
+ ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0
+ rev64 $res0b, $res0b @ GHASH block 8k
+
+ rev64 $res2b, $res2b @ GHASH block 8k+2
+ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13
+ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1
+
+ ldr $h7q, [$current_tag, #176] @ load h7l | h7h
+ ext $h7.16b, $h7.16b, $h7.16b, #8
+ ldr $h8q, [$current_tag, #208] @ load h8l | h8h
+ ext $h8.16b, $h8.16b, $h8.16b, #8
+ eor $res0b, $res0b, $acc_lb @ PRE 1
+ rev64 $res1b, $res1b @ GHASH block 8k+1
+
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13
+ ldr $h5q, [$current_tag, #128] @ load h5l | h5h
+ ext $h5.16b, $h5.16b, $h5.16b, #8
+ ldr $h6q, [$current_tag, #160] @ load h6l | h6h
+ ext $h6.16b, $h6.16b, $h6.16b, #8
+ rev64 $res5b, $res5b @ GHASH block 8k+5
+
+ rev64 $res4b, $res4b @ GHASH block 8k+4
+
+ rev64 $res6b, $res6b @ GHASH block 8k+6
+
+ ldr $h56kq, [$current_tag, #144] @ load h6k | h5k
+ ldr $h78kq, [$current_tag, #192] @ load h8k | h7k
+ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14
+
+ pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high
+ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low
+ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high
+
+ trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid
+ trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid
+ pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high
+
+ pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low
+ pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high
+ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0
+
+ eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high
+ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0
+ eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid
+
+ pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low
+ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15
+ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0
+
+ eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high
+ trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid
+ trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid
+
+ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0
+ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0
+ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0
+
+ pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid
+ pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid
+ pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low
+
+ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1
+ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0
+ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0
+
+ eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low
+ eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid
+ eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid
+
+ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1
+ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1
+ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1
+
+ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3
+ eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low
+ pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid
+
+ ldr $h3q, [$current_tag, #80] @ load h3l | h3h
+ ext $h3.16b, $h3.16b, $h3.16b, #8
+ ldr $h4q, [$current_tag, #112] @ load h4l | h4h
+ ext $h4.16b, $h4.16b, $h4.16b, #8
+ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1
+ pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid
+
+ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1
+ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1
+ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1
+
+ ldr $h1q, [$current_tag, #32] @ load h1l | h1h
+ ext $h1.16b, $h1.16b, $h1.16b, #8
+ ldr $h2q, [$current_tag, #64] @ load h2l | h2h
+ ext $h2.16b, $h2.16b, $h2.16b, #8
+ eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid
+
+ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2
+ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2
+ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2
+
+ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2
+ trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid
+ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2
+
+ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2
+ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2
+ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2
+
+ pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high
+ pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 
- low + trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid + + ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 + rev64 $res7b, $res7b @ GHASH block 8k+7 + aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3 + + ldr $h12kq, [$current_tag, #48] @ load h2k | h1k + ldr $h34kq, [$current_tag, #96] @ load h4k | h3k + pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high + pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low + + aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3 + aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3 + trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid + + pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high + pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low + trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid + + aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3 + aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3 + aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3 + + aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3 + aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3 + eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid + + eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high + aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4 + aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4 + + eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid + aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4 + pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid + + aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4 + aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4 + aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4 + + aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4 + 
aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4 + pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid + + pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high + pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid + pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid + + ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 + eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid + aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5 + + ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant + pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low + eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low + + aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5 + aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5 + aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5 + + aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5 + aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5 + aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5 + + aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5 + eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid + eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low + + aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6 + aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6 + aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6 + + eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high + aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6 + aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6 + + aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6 + aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6 + aese $ctr7b, $rk6 \n aesmc $ctr7b, 
$ctr7b @ AES block 8k+15 - round 6 + + aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7 + eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up + ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 + + pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid + aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7 + ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment + + aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7 + aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7 + aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7 + + aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7 + aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7 + aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7 + + eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid + ldr $rk10q, [$cc, #160] @ load rk10 + + aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 + aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 + + pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low + aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 + ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment + + aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 + aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 + aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 + + aese $ctr6b, $rk9 @ AES block 8k+14 - round 9 + aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 + aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 + + eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15 + aese $ctr2b, $rk9 @ AES block 8k+10 - round 9 + + aese $ctr3b, $rk9 @ AES block 8k+11 - 
round 9 + aese $ctr5b, $rk9 @ AES block 8k+13 - round 9 + aese $ctr0b, $rk9 @ AES block 8k+8 - round 9 + + aese $ctr4b, $rk9 @ AES block 8k+12 - round 9 + aese $ctr1b, $rk9 @ AES block 8k+9 - round 9 + aese $ctr7b, $rk9 @ AES block 8k+15 - round 9 + +.L128_dec_tail: @ TAIL + + mov $t1.16b, $rk10 + sub $main_end_input_ptr, $end_input_ptr, $input_ptr @ main_end_input_ptr is number of bytes left to process + + cmp $main_end_input_ptr, #112 + + ldp $h78kq, $h8q, [$current_tag, #192] @ load h8k | h7k + ext $h8.16b, $h8.16b, $h8.16b, #8 + ldr $res1q, [$input_ptr], #16 @ AES block 8k+8 - load ciphertext + + ldp $h5q, $h56kq, [$current_tag, #128] @ load h5l | h5h + ext $h5.16b, $h5.16b, $h5.16b, #8 + ext $t0.16b, $acc_lb, $acc_lb, #8 @ prepare final partial tag + + ldp $h6q, $h7q, [$current_tag, #160] @ load h6l | h6h + ext $h6.16b, $h6.16b, $h6.16b, #8 + ext $h7.16b, $h7.16b, $h7.16b, #8 + + eor3 $res4b, $res1b, $ctr0b, $t1.16b @ AES block 8k+8 - result + b.gt .L128_dec_blocks_more_than_7 + + cmp $main_end_input_ptr, #96 + mov $ctr7b, $ctr6b + movi $acc_l.8b, #0 + + movi $acc_h.8b, #0 + mov $ctr6b, $ctr5b + mov $ctr5b, $ctr4b + + mov $ctr4b, $ctr3b + mov $ctr3b, $ctr2b + mov $ctr2b, $ctr1b + + movi $acc_m.8b, #0 + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + b.gt .L128_dec_blocks_more_than_6 + + cmp $main_end_input_ptr, #80 + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + + mov $ctr7b, $ctr6b + mov $ctr6b, $ctr5b + mov $ctr5b, $ctr4b + + mov $ctr4b, $ctr3b + mov $ctr3b, $ctr1b + b.gt .L128_dec_blocks_more_than_5 + + cmp $main_end_input_ptr, #64 + + mov $ctr7b, $ctr6b + mov $ctr6b, $ctr5b + mov $ctr5b, $ctr4b + + mov $ctr4b, $ctr1b + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + b.gt .L128_dec_blocks_more_than_4 + + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + mov $ctr7b, $ctr6b + mov $ctr6b, $ctr5b + + mov $ctr5b, $ctr1b + cmp $main_end_input_ptr, #48 + b.gt .L128_dec_blocks_more_than_3 + + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + mov $ctr7b, $ctr6b + cmp 
$main_end_input_ptr, #32 + + ldr $h34kq, [$current_tag, #96] @ load h4k | h3k + mov $ctr6b, $ctr1b + b.gt .L128_dec_blocks_more_than_2 + + cmp $main_end_input_ptr, #16 + + mov $ctr7b, $ctr1b + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + b.gt L128_dec_blocks_more_than_1 + + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + ldr $h12kq, [$current_tag, #48] @ load h2k | h1k + b .L128_dec_blocks_less_than_1 +.L128_dec_blocks_more_than_7: @ blocks left > 7 + rev64 $res0b, $res1b @ GHASH final-7 block + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ins $acc_m.d[0], $h78k.d[1] @ GHASH final-7 block - mid + + pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH final-7 block - low + ins $rk4v.d[0], $res0.d[1] @ GHASH final-7 block - mid + + movi $t0.8b, #0 @ supress further partial tag feed in + ldr $res1q, [$input_ptr], #16 @ AES final-6 block - load ciphertext + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-7 block - mid + + pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH final-7 block - high + st1 { $res4b}, [$output_ptr], #16 @ AES final-7 block - store result + eor3 $res4b, $res1b, $ctr1b, $t1.16b @ AES final-6 block - result + + pmull $acc_m.1q, $rk4v.1d, $acc_m.1d @ GHASH final-7 block - mid +.L128_dec_blocks_more_than_6: @ blocks left > 6 + + rev64 $res0b, $res1b @ GHASH final-6 block + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ins $rk4v.d[0], $res0.d[1] @ GHASH final-6 block - mid + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-6 block - mid + + pmull $rk3q1, $res0.1d, $h7.1d @ GHASH final-6 block - low + ldr $res1q, [$input_ptr], #16 @ AES final-5 block - load ciphertext + movi $t0.8b, #0 @ supress further partial tag feed in + + pmull $rk4v.1q, $rk4v.1d, $h78k.1d @ GHASH final-6 block - mid + st1 { $res4b}, [$output_ptr], #16 @ AES final-6 block - store result + pmull2 $rk2q1, $res0.2d, $h7.2d @ GHASH final-6 block - high + + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-6 block - low + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-6 block - high + + eor 
$acc_mb, $acc_mb, $rk4v.16b @ GHASH final-6 block - mid + eor3 $res4b, $res1b, $ctr2b, $t1.16b @ AES final-5 block - result +.L128_dec_blocks_more_than_5: @ blocks left > 5 + + rev64 $res0b, $res1b @ GHASH final-5 block + + ldr $res1q, [$input_ptr], #16 @ AES final-4 block - load ciphertext + st1 { $res4b}, [$output_ptr], #16 @ AES final-5 block - store result + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ins $rk4v.d[0], $res0.d[1] @ GHASH final-5 block - mid + + eor3 $res4b, $res1b, $ctr3b, $t1.16b @ AES final-4 block - result + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-5 block - mid + + ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-5 block - mid + pmull $rk3q1, $res0.1d, $h6.1d @ GHASH final-5 block - low + movi $t0.8b, #0 @ supress further partial tag feed in + + pmull2 $rk4v.1q, $rk4v.2d, $h56k.2d @ GHASH final-5 block - mid + pmull2 $rk2q1, $res0.2d, $h6.2d @ GHASH final-5 block - high + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-5 block - low + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-5 block - mid + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-5 block - high +.L128_dec_blocks_more_than_4: @ blocks left > 4 + + rev64 $res0b, $res1b @ GHASH final-4 block + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + ldr $res1q, [$input_ptr], #16 @ AES final-3 block - load ciphertext + + ins $rk4v.d[0], $res0.d[1] @ GHASH final-4 block - mid + movi $t0.8b, #0 @ supress further partial tag feed in + pmull2 $rk2q1, $res0.2d, $h5.2d @ GHASH final-4 block - high + + pmull $rk3q1, $res0.1d, $h5.1d @ GHASH final-4 block - low + + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-4 block - high + + st1 { $res4b}, [$output_ptr], #16 @ AES final-4 block - store result + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-4 block - mid + + eor3 $res4b, $res1b, $ctr4b, $t1.16b @ AES final-3 block - result + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-4 block - low + + pmull $rk4v.1q, $rk4v.1d, $h56k.1d @ GHASH final-4 block - mid + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-4 
block - mid +.L128_dec_blocks_more_than_3: @ blocks left > 3 + + st1 { $res4b}, [$output_ptr], #16 @ AES final-3 block - store result + rev64 $res0b, $res1b @ GHASH final-3 block + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ins $rk4v.d[0], $res0.d[1] @ GHASH final-3 block - mid + + ldr $h4q, [$current_tag, #112] @ load h4l | h4h + ext $h4.16b, $h4.16b, $h4.16b, #8 + ldr $h34kq, [$current_tag, #96] @ load h4k | h3k + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-3 block - mid + + ldr $res1q, [$input_ptr], #16 @ AES final-2 block - load ciphertext + + ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-3 block - mid + pmull $rk3q1, $res0.1d, $h4.1d @ GHASH final-3 block - low + pmull2 $rk2q1, $res0.2d, $h4.2d @ GHASH final-3 block - high + + movi $t0.8b, #0 @ supress further partial tag feed in + eor3 $res4b, $res1b, $ctr5b, $t1.16b @ AES final-2 block - result + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-3 block - low + + pmull2 $rk4v.1q, $rk4v.2d, $h34k.2d @ GHASH final-3 block - mid + + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-3 block - high + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-3 block - mid +.L128_dec_blocks_more_than_2: @ blocks left > 2 + + rev64 $res0b, $res1b @ GHASH final-2 block + + st1 { $res4b}, [$output_ptr], #16 @ AES final-2 block - store result + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + ldr $h3q, [$current_tag, #80] @ load h3l | h3h + ext $h3.16b, $h3.16b, $h3.16b, #8 + movi $t0.8b, #0 @ supress further partial tag feed in + + ins $rk4v.d[0], $res0.d[1] @ GHASH final-2 block - mid + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-2 block - mid + + pmull $rk3q1, $res0.1d, $h3.1d @ GHASH final-2 block - low + + pmull2 $rk2q1, $res0.2d, $h3.2d @ GHASH final-2 block - high + pmull $rk4v.1q, $rk4v.1d, $h34k.1d @ GHASH final-2 block - mid + ldr $res1q, [$input_ptr], #16 @ AES final-1 block - load ciphertext + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-2 block - mid + + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-2 block - low + 
+ eor3 $res4b, $res1b, $ctr6b, $t1.16b @ AES final-1 block - result + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-2 block - high +.L128_dec_blocks_more_than_1: @ blocks left > 1 + + st1 { $res4b}, [$output_ptr], #16 @ AES final-1 block - store result + rev64 $res0b, $res1b @ GHASH final-1 block + + ldr $h2q, [$current_tag, #64] @ load h2l | h2h + ext $h2.16b, $h2.16b, $h2.16b, #8 + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + movi $t0.8b, #0 @ supress further partial tag feed in + + ins $rk4v.d[0], $res0.d[1] @ GHASH final-1 block - mid + + ldr $res1q, [$input_ptr], #16 @ AES final block - load ciphertext + pmull2 $rk2q1, $res0.2d, $h2.2d @ GHASH final-1 block - high + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-1 block - mid + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-1 block - high + ldr $h12kq, [$current_tag, #48] @ load h2k | h1k + + ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-1 block - mid + eor3 $res4b, $res1b, $ctr7b, $t1.16b @ AES final block - result + + pmull $rk3q1, $res0.1d, $h2.1d @ GHASH final-1 block - low + + pmull2 $rk4v.1q, $rk4v.2d, $h12k.2d @ GHASH final-1 block - mid + + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-1 block - low + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-1 block - mid +.L128_dec_blocks_less_than_1: @ blocks left <= 1 + + and $bit_length, $bit_length, #127 @ bit_length %= 128 + + sub $bit_length, $bit_length, #128 @ bit_length -= 128 + + neg $bit_length, $bit_length @ bit_length = 128 - #bits in input (in range [1,128]) + + mvn $temp0_x, xzr @ temp0_x = 0xffffffffffffffff + and $bit_length, $bit_length, #127 @ bit_length %= 128 + + lsr $temp0_x, $temp0_x, $bit_length @ temp0_x is mask for top 64b of last block + cmp $bit_length, #64 + mvn $temp1_x, xzr @ temp1_x = 0xffffffffffffffff + + csel $temp2_x, $temp1_x, $temp0_x, lt + csel $temp3_x, $temp0_x, xzr, lt + + mov $ctr0.d[1], $temp3_x + mov $ctr0.d[0], $temp2_x @ ctr0b is mask for last block + + ldr $h1q, [$current_tag, #32] @ load h1l | h1h + ext $h1.16b, $h1.16b, 
$h1.16b, #8 + ld1 { $rk0}, [$output_ptr] @ load existing bytes where the possibly partial last block is to be stored + + and $res1b, $res1b, $ctr0b @ possibly partial last block has zeroes in highest bits + + rev64 $res0b, $res1b @ GHASH final block + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + pmull2 $rk2q1, $res0.2d, $h1.2d @ GHASH final block - high + ins $t0.d[0], $res0.d[1] @ GHASH final block - mid + + eor $acc_hb, $acc_hb, $rk2 @ GHASH final block - high + eor $t0.8b, $t0.8b, $res0.8b @ GHASH final block - mid + + bif $res4b, $rk0, $ctr0b @ insert existing bytes in top end of result before storing + + pmull $t0.1q, $t0.1d, $h12k.1d @ GHASH final block - mid + st1 { $res4b}, [$output_ptr] @ store all 16B + + pmull $rk3q1, $res0.1d, $h1.1d @ GHASH final block - low + + eor $acc_mb, $acc_mb, $t0.16b @ GHASH final block - mid + ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant + + eor $acc_lb, $acc_lb, $rk3 @ GHASH final block - low + + eor $t10.16b, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up + + pmull $t11.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid + ext $acc_hb, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment + + eor $acc_mb, $acc_mb, $t10.16b @ MODULO - karatsuba tidy up + + eor3 $acc_mb, $acc_mb, $acc_hb, $t11.16b @ MODULO - fold into mid + + pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low + ext $acc_mb, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment + + eor3 $acc_lb, $acc_lb, $acc_mb, $acc_hb @ MODULO - fold into low + ext $acc_lb, $acc_lb, $acc_lb, #8 + rev64 $acc_lb, $acc_lb + st1 { $acc_l.16b }, [$current_tag] + rev32 $rtmp_ctr.16b, $rtmp_ctr.16b + + str $rtmp_ctrq, [$counter] @ store the updated counter + + mov x0, $byte_length + + ldp d10, d11, [sp, #16] + ldp d12, d13, [sp, #32] + ldp d14, d15, [sp, #48] + ldp d8, d9, [sp], #80 + ret +.L128_dec_ret: + mov w0, #0x0 + ret +.size unroll8_eor3_aes_gcm_dec_128_kernel,.-unroll8_eor3_aes_gcm_dec_128_kernel +___ 
+} + +{ +my ($end_input_ptr,$main_end_input_ptr,$temp0_x,$temp1_x)=map("x$_",(4..7)); +my ($temp2_x,$temp3_x)=map("x$_",(13..14)); +my ($ctr0b,$ctr1b,$ctr2b,$ctr3b,$ctr4b,$ctr5b,$ctr6b,$ctr7b,$res0b,$res1b,$res2b,$res3b,$res4b,$res5b,$res6b,$res7b)=map("v$_.16b",(0..15)); +my ($ctr0,$ctr1,$ctr2,$ctr3,$ctr4,$ctr5,$ctr6,$ctr7,$res0,$res1,$res2,$res3,$res4,$res5,$res6,$res7)=map("v$_",(0..15)); +my ($ctr0d,$ctr1d,$ctr2d,$ctr3d,$ctr4d,$ctr5d,$ctr6d,$ctr7d)=map("d$_",(0..7)); +my ($ctr0q,$ctr1q,$ctr2q,$ctr3q,$ctr4q,$ctr5q,$ctr6q,$ctr7q)=map("q$_",(0..7)); +my ($res0q,$res1q,$res2q,$res3q,$res4q,$res5q,$res6q,$res7q)=map("q$_",(8..15)); + +my ($ctr_t0,$ctr_t1,$ctr_t2,$ctr_t3,$ctr_t4,$ctr_t5,$ctr_t6,$ctr_t7)=map("v$_",(8..15)); +my ($ctr_t0b,$ctr_t1b,$ctr_t2b,$ctr_t3b,$ctr_t4b,$ctr_t5b,$ctr_t6b,$ctr_t7b)=map("v$_.16b",(8..15)); +my ($ctr_t0q,$ctr_t1q,$ctr_t2q,$ctr_t3q,$ctr_t4q,$ctr_t5q,$ctr_t6q,$ctr_t7q)=map("q$_",(8..15)); + +my ($acc_hb,$acc_mb,$acc_lb)=map("v$_.16b",(17..19)); +my ($acc_h,$acc_m,$acc_l)=map("v$_",(17..19)); + +my ($h1,$h12k,$h2,$h3,$h34k,$h4)=map("v$_",(20..25)); +my ($h5,$h56k,$h6,$h7,$h78k,$h8)=map("v$_",(20..25)); +my ($h1q,$h12kq,$h2q,$h3q,$h34kq,$h4q)=map("q$_",(20..25)); +my ($h5q,$h56kq,$h6q,$h7q,$h78kq,$h8q)=map("q$_",(20..25)); + +my $t0="v16"; +my $t0d="d16"; + +my $t1="v29"; +my $t2=$res1; +my $t3=$t1; + +my $t4=$res0; +my $t5=$res2; +my $t6=$t0; + +my $t7=$res3; +my $t8=$res4; +my $t9=$res5; + +my $t10=$res6; +my $t11="v21"; +my $t12=$t1; + +my $rtmp_ctr="v30"; +my $rtmp_ctrq="q30"; +my $rctr_inc="v31"; +my $rctr_incd="d31"; + +my $mod_constantd=$t0d; +my $mod_constant=$t0; + +my ($rk0,$rk1,$rk2)=map("v$_.16b",(26..28)); +my ($rk3,$rk4,$rk5)=map("v$_.16b",(26..28)); +my ($rk6,$rk7,$rk8)=map("v$_.16b",(26..28)); +my ($rk9,$rk10,$rk11)=map("v$_.16b",(26..28)); +my ($rk12,$rk13,$rk14)=map("v$_.16b",(26..28)); +my ($rk0q,$rk1q,$rk2q)=map("q$_",(26..28)); +my ($rk3q,$rk4q,$rk5q)=map("q$_",(26..28)); +my ($rk6q,$rk7q,$rk8q)=map("q$_",(26..28)); 
+my ($rk9q,$rk10q,$rk11q)=map("q$_",(26..28)); +my ($rk12q,$rk13q,$rk14q)=map("q$_",(26..28)); +my $rk2q1="v28.1q"; +my $rk3q1="v26.1q"; +my $rk4v="v27"; + +######################################################################################### +# size_t unroll8_eor3_aes_gcm_enc_192_kernel(const unsigned char *in, +# size_t len, +# unsigned char *out, +# const void *key, +# unsigned char ivec[16], +# u64 *Xi); +# +$code.=<<___; +.global unroll8_eor3_aes_gcm_enc_192_kernel +.type unroll8_eor3_aes_gcm_enc_192_kernel,%function +.align 4 +unroll8_eor3_aes_gcm_enc_192_kernel: + AARCH64_VALID_CALL_TARGET + cbz x1, .L192_enc_ret + stp d8, d9, [sp, #-80]! + lsr $byte_length, $bit_length, #3 + mov $counter, x4 + mov $cc, x5 + stp d10, d11, [sp, #16] + stp d12, d13, [sp, #32] + stp d14, d15, [sp, #48] + mov x5, #0xc200000000000000 + stp x5, xzr, [sp, #64] + add $modulo_constant, sp, #64 + + mov $main_end_input_ptr, $byte_length + ld1 { $ctr0b}, [$counter] @ CTR block 0 + + mov $constant_temp, #0x100000000 @ set up counter increment + movi $rctr_inc.16b, #0x0 + mov $rctr_inc.d[1], $constant_temp + + rev32 $rtmp_ctr.16b, $ctr0.16b @ set up reversed counter + + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 0 + + rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 1 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 1 + + rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 2 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 2 + + rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 3 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 3 + + rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 4 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 4 + sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1 + + and $main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffff80 @ number of bytes to be processed in main loop (at least 1 byte must be handled by tail) + + rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 5 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR 
block 5 + ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 + + add $main_end_input_ptr, $main_end_input_ptr, $input_ptr + + rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 6 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 6 + + rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 7 + + aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 0 + aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 0 + aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 + + aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0 + aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 + aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 0 + + aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 0 + aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 + ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 + + aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 1 + aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 1 + + aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 + aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 + aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 1 + + aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 2 + aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 1 + aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 1 + + aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 + aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 2 + aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 + + aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 + aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 + + aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2 + aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 2 + aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 2 + + ldp $rk4q, $rk5q, [$cc, 
#64] @ load rk4, rk5 + aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 3 + + aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 3 + aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 3 + aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3 + + aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 3 + + aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 3 + + aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 3 + + aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 4 + aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 4 + aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 3 + + aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 4 + aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 4 + aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 4 + + aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 4 + aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 4 + aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 4 + + aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 5 + ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 + aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 5 + + aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 5 + aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 5 + aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 5 + + aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 5 + aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 5 + aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 5 + + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 7 + + aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 6 + aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 6 + aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 6 + + aese 
$ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 6 + aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 6 + aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 6 + + aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 6 + aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 6 + ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 + + aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 7 + aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 7 + + aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 7 + aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 7 + + aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 7 + aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 7 + + aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 7 + aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 7 + + aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 8 + aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 8 + + aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 8 + aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 8 + aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 8 + + aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 8 + aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 8 + aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 8 + + add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr + cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks + aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 9 + + ld1 { $acc_lb}, [$current_tag] + ext $acc_lb, $acc_lb, $acc_lb, #8 + rev64 $acc_lb, $acc_lb + ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11 + + aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 9 + aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 9 + + aese $ctr5b, 
$rk9 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 9
+ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 9
+
+ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 9
+ aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 9
+
+ aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 14 - round 10
+ aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 9
+ aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 11 - round 10
+
+ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 9 - round 10
+ aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 13 - round 10
+ aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 12 - round 10
+
+ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 8 - round 10
+ aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 10 - round 10
+ aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 15 - round 10
+
+ aese $ctr6b, $rk11 @ AES block 14 - round 11
+ aese $ctr3b, $rk11 @ AES block 11 - round 11
+
+ aese $ctr4b, $rk11 @ AES block 12 - round 11
+ aese $ctr7b, $rk11 @ AES block 15 - round 11
+ ldr $rk12q, [$cc, #192] @ load rk12
+
+ aese $ctr1b, $rk11 @ AES block 9 - round 11
+ aese $ctr5b, $rk11 @ AES block 13 - round 11
+
+ aese $ctr2b, $rk11 @ AES block 10 - round 11
+ aese $ctr0b, $rk11 @ AES block 8 - round 11
+ b.ge .L192_enc_tail @ handle tail
+
+ ldp $ctr_t0q, $ctr_t1q, [$input_ptr], #32 @ AES block 0, 1 - load plaintext
+
+ ldp $ctr_t2q, $ctr_t3q, [$input_ptr], #32 @ AES block 2, 3 - load plaintext
+
+ ldp $ctr_t4q, $ctr_t5q, [$input_ptr], #32 @ AES block 4, 5 - load plaintext
+
+ ldp $ctr_t6q, $ctr_t7q, [$input_ptr], #32 @ AES block 6, 7 - load plaintext
+
+ eor3 $res0b, $ctr_t0b, $ctr0b, $rk12 @ AES block 0 - result
+ rev32 $ctr0.16b, $rtmp_ctr.16b @ CTR block 8
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8
+
+ eor3 $res3b, $ctr_t3b, $ctr3b, $rk12 @ AES block 3 - result
+ eor3 $res1b, $ctr_t1b, $ctr1b, $rk12 @ AES block 1 - result
+
+ rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 9
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 9
+ eor3 $res4b, $ctr_t4b, $ctr4b, $rk12 @ AES block 4 - result
+
+ eor3 $res5b, $ctr_t5b, $ctr5b, $rk12 @ AES block 5 - result
+ eor3 $res7b, $ctr_t7b, $ctr7b, $rk12 @ AES block 7 - result
+ stp $res0q, $res1q, [$output_ptr], #32 @ AES block 0, 1 - store result
+
+ eor3 $res2b, $ctr_t2b, $ctr2b, $rk12 @ AES block 2 - result
+ rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 10
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 10
+
+ stp $res2q, $res3q, [$output_ptr], #32 @ AES block 2, 3 - store result
+ cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks
+
+ rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 11
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 11
+ eor3 $res6b, $ctr_t6b, $ctr6b, $rk12 @ AES block 6 - result
+
+ stp $res4q, $res5q, [$output_ptr], #32 @ AES block 4, 5 - store result
+
+ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 12
+ stp $res6q, $res7q, [$output_ptr], #32 @ AES block 6, 7 - store result
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 12
+
+ b.ge .L192_enc_prepretail @ do prepretail
+
+.L192_enc_main_loop: @ main loop start
+ rev64 $res4b, $res4b @ GHASH block 8k+4 (t0, t1, and t2 free)
+ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1
+ rev64 $res2b, $res2b @ GHASH block 8k+2
+
+ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13
+ ldr $h7q, [$current_tag, #176] @ load h7l | h7h
+ ext $h7.16b, $h7.16b, $h7.16b, #8
+ ldr $h8q, [$current_tag, #208] @ load h8l | h8h
+ ext $h8.16b, $h8.16b, $h8.16b, #8
+
+ ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0
+ rev64 $res0b, $res0b @ GHASH block 8k
+ ldr $h5q, [$current_tag, #128] @ load h5l | h5h
+ ext $h5.16b, $h5.16b, $h5.16b, #8
+ ldr $h6q, [$current_tag, #160] @ load h6l | h6h
+ ext $h6.16b, $h6.16b, $h6.16b, #8
+
+ rev64 $res1b, $res1b @ GHASH block 8k+1
+ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14
+
+ eor $res0b, $res0b, $acc_lb @ PRE 1
+ rev64 $res3b, $res3b @ GHASH block 8k+3
+ rev64 $res5b, $res5b @ GHASH block 8k+5 (t0, t1, t2 and t3 free)
+
+ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0
+ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15
+ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0
+
+ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0
+ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0
+ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0
+
+ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0
+ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0
+ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0
+
+ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3
+ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high
+ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1
+
+ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1
+ pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high
+ pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low
+
+ trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid
+ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1
+ ldr $h56kq, [$current_tag, #144] @ load h6k | h5k
+ ldr $h78kq, [$current_tag, #192] @ load h8k | h7k
+
+ pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high
+ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low
+ trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid
+
+ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1
+ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1
+ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1
+
+ eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high
+ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1
+ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1
+
+ pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high
+ eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid
+ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2
+
+ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2
+ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2
+ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2
+
+ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2
+ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3
+ eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high
+
+ pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low
+ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2
+ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3
+
+ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2
+ trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid
+ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2
+
+ trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid
+ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3
+ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5
+
+ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3
+ eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low
+ ldr $h3q, [$current_tag, #80] @ load h3l | h3h
+ ext $h3.16b, $h3.16b, $h3.16b, #8
+ ldr $h4q, [$current_tag, #112] @ load h4l | h4h
+ ext $h4.16b, $h4.16b, $h4.16b, #8
+
+ pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid
+ pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid
+ pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low
+
+ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3
+ eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid
+ trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid
+
+ eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid
+ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3
+ eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low
+
+ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4
+ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4
+ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3
+
+ pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid
+ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4
+ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3
+
+ pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid
+ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4
+ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4
+
+ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4
+ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4
+ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4
+
+ eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid
+ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5
+ ldr $h1q, [$current_tag, #32] @ load h1l | h1h
+ ext $h1.16b, $h1.16b, $h1.16b, #8
+ ldr $h2q, [$current_tag, #64] @ load h2l | h2h
+ ext $h2.16b, $h2.16b, $h2.16b, #8
+
+ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7
+ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5
+ rev64 $res7b, $res7b @ GHASH block 8k+7 (t0, t1, t2 and t3 free)
+
+ rev64 $res6b, $res6b @ GHASH block 8k+6 (t0, t1, and t2 free)
+ pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high
+ pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low
+
+ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5
+ trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid
+
+ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5
+ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k
+ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k
+
+ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5
+ pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high
+ eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid
+
+ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5
+ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5
+ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5
+
+ pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low
+ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6
+ trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid
+
+ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6
+ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6
+ pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high
+
+ pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low
+ trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid
+ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6
+
+ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6
+ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6
+
+ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6
+ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7
+ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6
+
+ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7
+ eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid
+
+ pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid
+ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9
+ pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid
+
+ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7
+ pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high
+ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7
+
+ eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid
+ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15
+
+ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant
+ eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high
+ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7
+
+ pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid
+ pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low
+ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7
+
+ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8
+ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8
+ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8
+
+ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8
+ eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low
+ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7
+
+ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8
+ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8
+ pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid
+
+ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8
+ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8
+ ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11
+
+ eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low
+ rev32 $h1.16b, $rtmp_ctr.16b @ CTR block 8k+16
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+16
+
+ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 9
+ eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid
+ eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high
+
+ aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 9
+ aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 9
+ ldp $ctr_t0q, $ctr_t1q, [$input_ptr], #32 @ AES block 8k+8, 8k+9 - load plaintext
+
+ pmull $t11.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid
+ rev32 $h2.16b, $rtmp_ctr.16b @ CTR block 8k+17
+ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 9
+
+ aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 9
+ aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 9
+ aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 9
+
+ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up
+ aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 9
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+17
+
+ aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 10
+ aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 10
+ ldr $rk12q, [$cc, #192] @ load rk12
+ ext $t12.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment
+
+ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 10
+ aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 10
+ ldp $ctr_t2q, $ctr_t3q, [$input_ptr], #32 @ AES block 8k+10, 8k+11 - load plaintext
+
+ aese $ctr4b, $rk11 @ AES block 8k+12 - round 11
+ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid
+ ldp $ctr_t4q, $ctr_t5q, [$input_ptr], #32 @ AES block 8k+12, 8k+13 - load plaintext
+
+ ldp $ctr_t6q, $ctr_t7q, [$input_ptr], #32 @ AES block 8k+14, 8k+15 - load plaintext
+ aese $ctr2b, $rk11 @ AES block 8k+10 - round 11
+ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 10
+
+ rev32 $h3.16b, $rtmp_ctr.16b @ CTR block 8k+18
+ aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 10
+
+ aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 10
+ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low
+
+ aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 10
+ aese $ctr5b, $rk11 @ AES block 8k+13 - round 11
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+18
+
+ aese $ctr7b, $rk11 @ AES block 8k+15 - round 11
+ aese $ctr0b, $rk11 @ AES block 8k+8 - round 11
+ eor3 $res4b, $ctr_t4b, $ctr4b, $rk12 @ AES block 4 - result
+
+ aese $ctr6b, $rk11 @ AES block 8k+14 - round 11
+ aese $ctr3b, $rk11 @ AES block 8k+11 - round 11
+ aese $ctr1b, $rk11 @ AES block 8k+9 - round 11
+
+ rev32 $h4.16b, $rtmp_ctr.16b @ CTR block 8k+19
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+19
+ eor3 $res7b, $ctr_t7b, $ctr7b, $rk12 @ AES block 7 - result
+
+ eor3 $res2b, $ctr_t2b, $ctr2b, $rk12 @ AES block 8k+10 - result
+ eor3 $res0b, $ctr_t0b, $ctr0b, $rk12 @ AES block 8k+8 - result
+ mov $ctr2.16b, $h3.16b @ CTR block 8k+18
+
+ eor3 $res1b, $ctr_t1b, $ctr1b, $rk12 @ AES block 8k+9 - result
+ mov $ctr1.16b, $h2.16b @ CTR block 8k+17
+ stp $res0q, $res1q, [$output_ptr], #32 @ AES block 8k+8, 8k+9 - store result
+ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment
+
+ eor3 $res6b, $ctr_t6b, $ctr6b, $rk12 @ AES block 6 - result
+ mov $ctr0.16b, $h1.16b @ CTR block 8k+16
+ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 8k+20
+
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+20
+ eor3 $res5b, $ctr_t5b, $ctr5b, $rk12 @ AES block 5 - result
+ eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low
+
+ eor3 $res3b, $ctr_t3b, $ctr3b, $rk12 @ AES block 8k+11 - result
+ mov $ctr3.16b, $h4.16b @ CTR block 8k+19
+
+ stp $res2q, $res3q, [$output_ptr], #32 @ AES block 8k+10, 8k+11 - store result
+
+ stp $res4q, $res5q, [$output_ptr], #32 @ AES block 8k+12, 8k+13 - store result
+
+ cmp $input_ptr, $main_end_input_ptr @ LOOP CONTROL
+ stp $res6q, $res7q, [$output_ptr], #32 @ AES block 8k+14, 8k+15 - store result
+ b.lt .L192_enc_main_loop
+
+.L192_enc_prepretail: @ PREPRETAIL
+ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13
+ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13
+
+ ldr $h7q, [$current_tag, #176] @ load h7l | h7h
+ ext $h7.16b, $h7.16b, $h7.16b, #8
+ ldr $h8q, [$current_tag, #208] @ load h8l | h8h
+ ext $h8.16b, $h8.16b, $h8.16b, #8
+ rev64 $res0b, $res0b @ GHASH block 8k
+ ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0
+
+ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14
+ ldr $h56kq, [$current_tag, #144] @ load h6k | h5k
+ ldr $h78kq, [$current_tag, #192] @ load h8k | h7k
+
+ rev64 $res3b, $res3b @ GHASH block 8k+3
+ rev64 $res2b, $res2b @ GHASH block 8k+2
+ ldr $h5q, [$current_tag, #128] @ load h5l | h5h
+ ext $h5.16b, $h5.16b, $h5.16b, #8
+ ldr $h6q, [$current_tag, #160] @ load h6l | h6h
+ ext $h6.16b, $h6.16b, $h6.16b, #8
+
+ eor $res0b, $res0b, $acc_lb @ PRE 1
+ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15
+ rev64 $res1b, $res1b @ GHASH block 8k+1
+
+ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0
+ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0
+ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0
+
+ pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high
+ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0
+ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0
+
+ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0
+ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0
+ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high
+
+ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1
+ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low
+ trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid
+
+ trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid
+ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0
+ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3
+
+ pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low
+ eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high
+ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1
+
+ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1
+ eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid
+ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1
+
+ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1
+ pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high
+ pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high
+
+ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1
+ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1
+ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1
+
+ pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low
+ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2
+ eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low
+
+ pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low
+ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2
+ eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high
+
+ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3
+ trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid
+ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2
+
+ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2
+ pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid
+ trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid
+
+ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2
+ rev64 $res5b, $res5b @ GHASH block 8k+5 (t0, t1, t2 and t3 free)
+ rev64 $res6b, $res6b @ GHASH block 8k+6 (t0, t1, and t2 free)
+
+ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2
+ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2
+ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2
+
+ eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid
+ pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid
+ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5
+
+ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3
+ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3
+ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3
+
+ eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid
+ eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low
+ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3
+
+ ldr $h3q, [$current_tag, #80] @ load h3l | h3h
+ ext $h3.16b, $h3.16b, $h3.16b, #8
+ ldr $h4q, [$current_tag, #112] @ load h4l | h4h
+ ext $h4.16b, $h4.16b, $h4.16b, #8
+ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3
+ pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid
+
+ ldr $h1q, [$current_tag, #32] @ load h1l | h1h
+ ext $h1.16b, $h1.16b, $h1.16b, #8
+ ldr $h2q, [$current_tag, #64] @ load h2l | h2h
+ ext $h2.16b, $h2.16b, $h2.16b, #8
+ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3
+ rev64 $res4b, $res4b @ GHASH block 8k+4 (t0, t1, and t2 free)
+
+ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3
+ pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid
+ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4
+
+ trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid
+ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4
+ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4
+
+ eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid
+ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4
+ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4
+
+ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4
+ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4
+ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4
+
+ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5
+ rev64 $res7b, $res7b @ GHASH block 8k+7 (t0, t1, t2 and t3 free)
+ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k
+ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k
+
+ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5
+ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5
+ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7
+
+ pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high
+ pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high
+ pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low
+
+ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5
+ trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid
+
+ pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high
+ pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low
+ pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low
+
+ trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid
+ eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid
+ trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid
+
+ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5
+ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6
+ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5
+
+ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5
+ eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid
+ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5
+
+ pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid
+ pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid
+
+ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6
+ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6
+ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7
+
+ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6
+ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6
+ eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid
+
+ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6
+ eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high
+ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7
+
+ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6
+ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant
+ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6
+
+ pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid
+ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7
+ eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low
+
+ pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high
+ pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid
+ pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low
+
+ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7
+ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7
+ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9
+
+ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7
+ eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid
+
+ eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low
+ eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high
+
+ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up
+ ext $t12.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment
+ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7
+ pmull $t11.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid
+
+ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8
+ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8
+
+ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7
+ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8
+ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid
+
+ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8
+ aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 9
+ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8
+
+ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8
+ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8
+ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8
+
+ aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 9
+ ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11
+ aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 9
+
+ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 9
+ aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 9
+
+ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment
+ aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 9
+ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 9
+ aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 9
+
+ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low
+ ldr $rk12q, [$cc, #192] @ load rk12
+
+ aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 10
+ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 10
+ aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 10
+
+ eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low
+ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 10
+ aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 10
+
+ aese $ctr1b, $rk11 @ AES block 8k+9 - round 11
+ aese $ctr7b, $rk11 @ AES block 8k+15 - round 11
+
+ aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 10
+ aese $ctr3b, $rk11 @ AES block 8k+11 - round 11
+
+ aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 10
+ aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 10
+
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15
+ aese $ctr2b, $rk11 @ AES block 8k+10 - round 11
+ aese $ctr0b, $rk11 @ AES block 8k+8 - round 11
+
+ aese $ctr6b, $rk11 @ AES block 8k+14 - round 11
+ aese $ctr4b, $rk11 @ AES block 8k+12 - round 11
+ aese $ctr5b, $rk11 @ AES block 8k+13 - round 11
+
+.L192_enc_tail: @ TAIL
+
+ ldp $h5q, $h56kq, [$current_tag, #128] @ load h5l | h5h
+ ext $h5.16b, $h5.16b, $h5.16b, #8
+ sub $main_end_input_ptr, $end_input_ptr, $input_ptr @ main_end_input_ptr is number of bytes left to process
+
+ ldr $ctr_t0q, [$input_ptr], #16 @ AES block 8k+8 - l3ad plaintext
+
+ ldp $h78kq, $h8q, [$current_tag, #192] @ load h8k | h7k
+ ext $h8.16b, $h8.16b, $h8.16b, #8
+
+ mov $t1.16b, $rk12
+
+ ldp $h6q, $h7q, [$current_tag, #160] @ load h6l | h6h
+ ext $h6.16b, $h6.16b, $h6.16b, #8
+ ext $h7.16b, $h7.16b, $h7.16b, #8
+ cmp $main_end_input_ptr, #112
+
+ eor3 $res1b, $ctr_t0b, $ctr0b, $t1.16b @ AES block 8k+8 - result
+ ext $t0.16b, $acc_lb, $acc_lb, #8 @ prepare final partial tag
+ b.gt .L192_enc_blocks_more_than_7
+
+ cmp $main_end_input_ptr, #96
+ mov $ctr7b, $ctr6b
+ movi $acc_h.8b, #0
+
+ mov $ctr6b, $ctr5b
+ movi $acc_l.8b, #0
+ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
+
+ mov $ctr5b, $ctr4b
+ mov $ctr4b, $ctr3b
+ mov $ctr3b, $ctr2b
+
+ mov $ctr2b, $ctr1b
+ movi $acc_m.8b, #0
+ b.gt .L192_enc_blocks_more_than_6
+
+ mov $ctr7b, $ctr6b
+ cmp $main_end_input_ptr, #80
+
+ mov $ctr6b, $ctr5b
+ mov $ctr5b, $ctr4b
+ mov $ctr4b, $ctr3b
+
+ mov $ctr3b, $ctr1b
+ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
+ b.gt .L192_enc_blocks_more_than_5
+
+ cmp $main_end_input_ptr, #64
+ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
+
+ mov $ctr7b, $ctr6b
+ mov $ctr6b, $ctr5b
+ mov $ctr5b, $ctr4b
+
+ mov $ctr4b, $ctr1b
+ b.gt .L192_enc_blocks_more_than_4
+
+ mov $ctr7b, $ctr6b
+ mov $ctr6b, $ctr5b
+ mov $ctr5b, $ctr1b
+
+ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
+ cmp $main_end_input_ptr, #48
+ b.gt .L192_enc_blocks_more_than_3
+
+ mov $ctr7b, $ctr6b
+ mov $ctr6b, $ctr1b
+ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
+
+ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k
+ cmp $main_end_input_ptr, #32
+ b.gt .L192_enc_blocks_more_than_2
+
+ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
+
+ cmp $main_end_input_ptr, #16
+ mov $ctr7b, $ctr1b
+ b.gt .L192_enc_blocks_more_than_1
+
+ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
+ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k
+ b .L192_enc_blocks_less_than_1
+.L192_enc_blocks_more_than_7: @ blocks left > 7
+ st1 { $res1b}, [$output_ptr], #16 @ AES final-7 block - store result
+
+ rev64 $res0b, $res1b @ GHASH final-7 block
+ ins $acc_m.d[0], $h78k.d[1] @ GHASH final-7 block - mid
+
+ eor $res0b, $res0b, $t0.16b @ feed in partial tag
+
+ ins $rk4v.d[0], $res0.d[1] @ GHASH final-7 block - mid
+
+ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-6 block - load plaintext
+
+ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-7 block - mid
+ movi $t0.8b, #0 @ supress further partial tag feed in
+ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH final-7 block - low
+
+ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH final-7 block - high
+
+ pmull $acc_m.1q, $rk4v.1d, $acc_m.1d @ GHASH final-7 block - mid
+ eor3 $res1b, $ctr_t1b, $ctr1b, $t1.16b @ AES final-6 block - result
+.L192_enc_blocks_more_than_6: @ blocks left > 6
+
+ st1 { $res1b}, [$output_ptr], #16 @ AES final-6 block - store result
+
+ rev64 $res0b, $res1b @ GHASH final-6 block
+
+ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-5 block - load plaintext
+
+ eor $res0b, $res0b, $t0.16b @ feed in partial tag
+
+ ins $rk4v.d[0], $res0.d[1] @ GHASH final-6 block - mid
+
+ pmull $rk3q1, $res0.1d, $h7.1d @ GHASH final-6 block - low
+ eor3 $res1b, $ctr_t1b, $ctr2b, $t1.16b @ AES final-5 block - result
+
+ movi $t0.8b, #0 @ supress further partial tag feed in
+ pmull2 $rk2q1, $res0.2d, $h7.2d @ GHASH final-6 block - high
+ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-6 block - mid
+
+ pmull $rk4v.1q, $rk4v.1d, $h78k.1d @ GHASH final-6 block - mid
+
+ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-6 block - high
+ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-6 block - low
+
+ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-6 block - mid
+.L192_enc_blocks_more_than_5: @ blocks left > 5
+
+ st1 { $res1b}, [$output_ptr], #16 @ AES final-5 block - store result
+
+ rev64 $res0b, $res1b @ GHASH final-5 block
+
+ eor $res0b, $res0b, $t0.16b @ feed in partial tag
+
+ ins $rk4v.d[0], $res0.d[1] @ GHASH final-5 block - mid
+
+ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-4 block - load plaintext
+ pmull2 $rk2q1, $res0.2d, $h6.2d @ GHASH final-5 block - high
+
+ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-5 block - mid
+ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-5 block - high
+
+ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-5 block - mid
+ pmull $rk3q1, $res0.1d, $h6.1d @ GHASH final-5 block - low
+
+ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-5 block - low
+ pmull2 $rk4v.1q, $rk4v.2d, $h56k.2d @ GHASH final-5 block - mid
+
+ eor3 $res1b, $ctr_t1b, $ctr3b, $t1.16b @ AES final-4 block - result
+ movi $t0.8b, #0 @ supress further partial tag feed in
+
+ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-5 block - mid
+.L192_enc_blocks_more_than_4: @ blocks left > 4
+
+ st1 { $res1b}, [$output_ptr], #16 @ AES final-4 block - store result
+
+ rev64 $res0b, $res1b @ GHASH final-4 block
+
+ eor $res0b, $res0b, $t0.16b @ feed in partial tag
+
+ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-3 block - load plaintext
+ pmull2 $rk2q1, $res0.2d, $h5.2d @ GHASH final-4 block - high
+ ins $rk4v.d[0], $res0.d[1] @ GHASH final-4 block - mid
+
+ pmull $rk3q1, $res0.1d, $h5.1d @ GHASH final-4 block - low
+ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-4 block - high
+
+ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-4 block - mid
+
+ movi $t0.8b, #0 @ supress further partial tag feed in
+ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-4 block - low
+
+ pmull $rk4v.1q, $rk4v.1d, $h56k.1d @ GHASH final-4 block - mid
+
+ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-4 block - mid
+ eor3 $res1b, $ctr_t1b, $ctr4b, $t1.16b @ AES final-3 block - result
+.L192_enc_blocks_more_than_3: @ blocks left > 3
+
+ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k
+ st1 { $res1b}, [$output_ptr], #16 @ AES final-3 block - store result
+
+ rev64 $res0b, $res1b @ GHASH final-3 block
+
+ eor $res0b, $res0b, $t0.16b @ feed in partial tag
+ movi $t0.8b, #0 @ supress further partial tag feed in
+
+ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-2 block - load plaintext
+ ldr $h4q, [$current_tag, #112] @ load h4l | h4h
+ ext $h4.16b, $h4.16b, $h4.16b, #8
+
+ ins $rk4v.d[0], $res0.d[1] @ GHASH final-3 block - mid
+
+ eor3 $res1b, $ctr_t1b, $ctr5b, $t1.16b @ AES final-2 block - result
+ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-3 block - mid
+
+ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-3 block - mid
+ pmull $rk3q1, $res0.1d, $h4.1d @ GHASH final-3 block - low
+
+ pmull2 $rk2q1, $res0.2d, $h4.2d @ GHASH final-3 block - high
+ pmull2 $rk4v.1q, $rk4v.2d, $h34k.2d @ GHASH final-3 block - mid
+
+ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-3 block - low
+
+ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-3 block - mid
+ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-3 block - high
+.L192_enc_blocks_more_than_2: @ blocks left > 2
+
+ st1 { $res1b}, [$output_ptr], #16 @ AES final-2 block - store result
+
+ rev64 $res0b, $res1b @ GHASH final-2 block
+ ldr $h3q, [$current_tag, #80] @ load h3l | h3h
+ ext $h3.16b, $h3.16b, $h3.16b, #8
+
+ eor $res0b, $res0b, $t0.16b @ feed in partial tag
+
+ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-1 block - load plaintext
+ ins $rk4v.d[0], $res0.d[1] @ GHASH final-2 block - mid
+
+ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-2 block - mid
+
+ pmull $rk3q1, $res0.1d, $h3.1d @ GHASH final-2 block - low
+ pmull2 $rk2q1, $res0.2d, $h3.2d @ GHASH final-2 block - high
+ movi $t0.8b, #0 @ supress further partial tag feed in
+
+ pmull $rk4v.1q, $rk4v.1d, $h34k.1d @ GHASH final-2 block - mid
+
+ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-2 block - low
+ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-2 block - high
+
+ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-2 block - mid
+ eor3 $res1b, $ctr_t1b, $ctr6b, $t1.16b @ AES final-1 block - result
+.L192_enc_blocks_more_than_1: @ blocks left > 1
+
+ ldr $h2q, [$current_tag, #64] @ load h1l | h1h
+ ext $h2.16b, $h2.16b, $h2.16b, #8
+ st1 { $res1b}, [$output_ptr], #16 @ AES final-1 block - store result
+
+ rev64 $res0b, $res1b @ GHASH final-1 block
+
+ eor $res0b, $res0b, $t0.16b @ feed in partial tag
+
+ ins $rk4v.d[0], $res0.d[1] @ GHASH final-1 block - mid
+ pmull $rk3q1, $res0.1d, $h2.1d @ GHASH final-1 block - low
+
+ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-1 block - low
+ pmull2 $rk2q1, $res0.2d, $h2.2d @ GHASH final-1 block - high
+ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-1 block - mid
+
+ ldr $ctr_t1q, [$input_ptr], #16 @ AES final block - load plaintext
+ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k
+
+ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-1 block - mid
+
+ eor3 $res1b, $ctr_t1b, $ctr7b, $t1.16b @ AES final block - result
+ pmull2 $rk4v.1q, $rk4v.2d, $h12k.2d @ GHASH final-1 block - mid
+
+ movi $t0.8b, #0 @ supress further partial tag feed in
+
+ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-1 block - mid
+ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-1 block - high
+.L192_enc_blocks_less_than_1: @ blocks left <= 1
+
+ mvn $temp0_x, xzr @ temp0_x = 0xffffffffffffffff
+ and $bit_length, $bit_length, #127 @ bit_length %= 128
+
+ sub $bit_length, $bit_length, #128 @ bit_length -= 128
+
+ neg $bit_length, $bit_length @ bit_length = 128 - #bits in input (in range [1,128])
+
+ and $bit_length, $bit_length, #127 @ bit_length %= 128
+
+ lsr $temp0_x, $temp0_x, $bit_length @ temp0_x is mask for top 64b of last block
+ cmp $bit_length, #64
+ mvn $temp1_x, xzr @ temp1_x = 0xffffffffffffffff
+
+ csel $temp2_x, 
$temp1_x, $temp0_x, lt + csel $temp3_x, $temp0_x, xzr, lt + + mov $ctr0.d[1], $temp3_x + ldr $h1q, [$current_tag, #32] @ load h1l | h1h + ext $h1.16b, $h1.16b, $h1.16b, #8 + + ld1 { $rk0}, [$output_ptr] @ load existing bytes where the possibly partial last block is to be stored + mov $ctr0.d[0], $temp2_x @ ctr0b is mask for last block + + and $res1b, $res1b, $ctr0b @ possibly partial last block has zeroes in highest bits + + rev64 $res0b, $res1b @ GHASH final block + bif $res1b, $rk0, $ctr0b @ insert existing bytes in top end of result before storing + + st1 { $res1b}, [$output_ptr] @ store all 16B + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ins $t0.d[0], $res0.d[1] @ GHASH final block - mid + pmull2 $rk2q1, $res0.2d, $h1.2d @ GHASH final block - high + + eor $acc_hb, $acc_hb, $rk2 @ GHASH final block - high + pmull $rk3q1, $res0.1d, $h1.1d @ GHASH final block - low + + eor $t0.8b, $t0.8b, $res0.8b @ GHASH final block - mid + + pmull $t0.1q, $t0.1d, $h12k.1d @ GHASH final block - mid + + eor $acc_mb, $acc_mb, $t0.16b @ GHASH final block - mid + ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant + + eor $acc_lb, $acc_lb, $rk3 @ GHASH final block - low + ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment + + rev32 $rtmp_ctr.16b, $rtmp_ctr.16b + + str $rtmp_ctrq, [$counter] @ store the updated counter + eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up + + pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid + + eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid + + pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low + ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment + + eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low + ext $acc_lb, $acc_lb, $acc_lb, #8 + rev64 $acc_lb, $acc_lb + st1 { $acc_l.16b }, [$current_tag] + + mov x0, $byte_length @ return sizes + + ldp d10, d11, [sp, #16] + ldp d12, d13, [sp, 
#32] + ldp d14, d15, [sp, #48] + ldp d8, d9, [sp], #80 + ret + +.L192_enc_ret: + mov w0, #0x0 + ret +.size unroll8_eor3_aes_gcm_enc_192_kernel,.-unroll8_eor3_aes_gcm_enc_192_kernel +___ + +######################################################################################### +# size_t unroll8_eor3_aes_gcm_dec_192_kernel(const unsigned char *in, +# size_t len, +# unsigned char *out, +# const void *key, +# unsigned char ivec[16], +# u64 *Xi); +# +$code.=<<___; +.global unroll8_eor3_aes_gcm_dec_192_kernel +.type unroll8_eor3_aes_gcm_dec_192_kernel,%function +.align 4 +unroll8_eor3_aes_gcm_dec_192_kernel: + AARCH64_VALID_CALL_TARGET + cbz x1, .L192_dec_ret + stp d8, d9, [sp, #-80]! + lsr $byte_length, $bit_length, #3 + mov $counter, x4 + mov $cc, x5 + stp d10, d11, [sp, #16] + stp d12, d13, [sp, #32] + stp d14, d15, [sp, #48] + mov x5, #0xc200000000000000 + stp x5, xzr, [sp, #64] + add $modulo_constant, sp, #64 + + mov $main_end_input_ptr, $byte_length + ld1 { $ctr0b}, [$counter] @ CTR block 0 + ld1 { $acc_lb}, [$current_tag] + + mov $constant_temp, #0x100000000 @ set up counter increment + movi $rctr_inc.16b, #0x0 + mov $rctr_inc.d[1], $constant_temp + + rev32 $rtmp_ctr.16b, $ctr0.16b @ set up reversed counter + + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 0 + + rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 1 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 1 + + rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 2 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 2 + + rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 3 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 3 + + rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 4 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 4 + + rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 5 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 5 + ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 + + rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 6 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 6 
+ + rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 7 + + aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 + aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 0 + aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 0 + + aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0 + aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 + aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 0 + + aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 + aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 0 + ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 + + aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 + + aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 + + aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 1 + aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 + aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 1 + + aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 1 + aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 1 + + aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 2 + aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 + aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 1 + + aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 2 + aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2 + aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 + + aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 + aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 2 + aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 2 + + aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 3 + + ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 + aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3 + aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 5 - 
round 3 + + aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 3 + aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 3 + + aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 3 + aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 3 + aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 3 + + aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 4 + aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 4 + aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 4 + + aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 4 + aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 4 + aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 4 + + aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 4 + aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 5 + aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 4 + + aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 5 + ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 + + aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 5 + aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 5 + aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 5 + + aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 5 + aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 5 + aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 5 + + sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1 + + aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 6 + aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 6 + aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 6 + + aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 6 + aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 6 + aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 6 + + aese $ctr7b, 
$rk6 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 6 + aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 6 + ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 + + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 7 + + aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 7 + aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 7 + + aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 7 + aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 7 + aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 7 + + aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 7 + aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 7 + aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 7 + + aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 8 + aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 8 + and $main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffff80 @ number of bytes to be processed in main loop (at least 1 byte must be handled by tail) + + aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 8 + aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 8 + aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 8 + + aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 8 + aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 8 + aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 8 + + add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr + aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 9 + + ld1 { $acc_lb}, [$current_tag] + ext $acc_lb, $acc_lb, $acc_lb, #8 + rev64 $acc_lb, $acc_lb + + ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11 + + aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 9 + add $main_end_input_ptr, $main_end_input_ptr, $input_ptr + + aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 9 + aese $ctr7b, $rk9 
\n aesmc $ctr7b, $ctr7b @ AES block 7 - round 9 + aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 9 + + cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks + aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 9 + + aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 9 + aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 9 + + aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 10 + aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 10 + aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 10 + + aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 10 + aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 10 + aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 10 + + aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 10 + aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 10 + ldr $rk12q, [$cc, #192] @ load rk12 + + aese $ctr0b, $rk11 @ AES block 0 - round 11 + aese $ctr1b, $rk11 @ AES block 1 - round 11 + aese $ctr4b, $rk11 @ AES block 4 - round 11 + + aese $ctr6b, $rk11 @ AES block 6 - round 11 + aese $ctr5b, $rk11 @ AES block 5 - round 11 + aese $ctr7b, $rk11 @ AES block 7 - round 11 + + aese $ctr2b, $rk11 @ AES block 2 - round 11 + aese $ctr3b, $rk11 @ AES block 3 - round 11 + b.ge .L192_dec_tail @ handle tail + + ldp $res0q, $res1q, [$input_ptr], #32 @ AES block 0, 1 - load ciphertext + + ldp $res2q, $res3q, [$input_ptr], #32 @ AES block 2, 3 - load ciphertext + + ldp $res4q, $res5q, [$input_ptr], #32 @ AES block 4, 5 - load ciphertext + + eor3 $ctr1b, $res1b, $ctr1b, $rk12 @ AES block 1 - result + eor3 $ctr0b, $res0b, $ctr0b, $rk12 @ AES block 0 - result + stp $ctr0q, $ctr1q, [$output_ptr], #32 @ AES block 0, 1 - store result + + rev32 $ctr0.16b, $rtmp_ctr.16b @ CTR block 8 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8 + + rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 9 + add 
$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 9 + eor3 $ctr3b, $res3b, $ctr3b, $rk12 @ AES block 3 - result + + eor3 $ctr2b, $res2b, $ctr2b, $rk12 @ AES block 2 - result + stp $ctr2q, $ctr3q, [$output_ptr], #32 @ AES block 2, 3 - store result + ldp $res6q, $res7q, [$input_ptr], #32 @ AES block 6, 7 - load ciphertext + + rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 10 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 10 + + eor3 $ctr4b, $res4b, $ctr4b, $rk12 @ AES block 4 - result + + rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 11 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 11 + + eor3 $ctr5b, $res5b, $ctr5b, $rk12 @ AES block 5 - result + stp $ctr4q, $ctr5q, [$output_ptr], #32 @ AES block 4, 5 - store result + cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks + + eor3 $ctr6b, $res6b, $ctr6b, $rk12 @ AES block 6 - result + eor3 $ctr7b, $res7b, $ctr7b, $rk12 @ AES block 7 - result + rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 12 + + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 12 + stp $ctr6q, $ctr7q, [$output_ptr], #32 @ AES block 6, 7 - store result + b.ge .L192_dec_prepretail @ do prepretail + +.L192_dec_main_loop: @ main loop start + rev64 $res1b, $res1b @ GHASH block 8k+1 + ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 + ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0 + + rev64 $res0b, $res0b @ GHASH block 8k + rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13 + + ldr $h7q, [$current_tag, #176] @ load h7l | h7h + ext $h7.16b, $h7.16b, $h7.16b, #8 + ldr $h8q, [$current_tag, #208] @ load h8l | h8h + ext $h8.16b, $h8.16b, $h8.16b, #8 + rev64 $res4b, $res4b @ GHASH block 8k+4 + rev64 $res3b, $res3b @ GHASH block 8k+3 + + eor $res0b, $res0b, $acc_lb @ PRE 1 + rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14 + + rev64 $res5b, $res5b @ GHASH block 8k+5 + + rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR 
block 8k+15 + aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0 + aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0 + + aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0 + aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0 + aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0 + + aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0 + aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0 + aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0 + + pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low + pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high + ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 + + aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1 + pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low + ldr $h5q, [$current_tag, #128] @ load h5l | h5h + ext $h5.16b, $h5.16b, $h5.16b, #8 + ldr $h6q, [$current_tag, #160] @ load h6l | h6h + ext $h6.16b, $h6.16b, $h6.16b, #8 + + aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1 + aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1 + aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1 + + pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high + aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1 + aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1 + + trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid + rev64 $res2b, $res2b @ GHASH block 8k+2 + aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1 + + aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1 + ldr $h56kq, [$current_tag, #144] @ load h6k | h5k + ldr $h78kq, [$current_tag, #192] @ load h8k | h7k + trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid + + eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high + pmull2 $t2.1q, $res3.2d, 
$h5.2d @ GHASH block 8k+3 - high + pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high + + eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid + eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low + aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2 + + aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2 + pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low + eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high + + aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2 + aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3 + aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2 + + aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2 + aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2 + aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2 + + ldr $h3q, [$current_tag, #80] @ load h3l | h3h + ext $h3.16b, $h3.16b, $h3.16b, #8 + ldr $h4q, [$current_tag, #112] @ load h4l | h4h + ext $h4.16b, $h4.16b, $h4.16b, #8 + aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2 + aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3 + + pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low + trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid + trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid + + aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3 + aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3 + + aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3 + aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3 + ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 + + eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid + eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low + aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3 + + 
trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15 + + pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid + pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid + pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid + + aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3 + pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid + pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high + + aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4 + aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4 + eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid + + aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4 + aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4 + aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4 + + aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4 + aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4 + aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4 + + ldr $h1q, [$current_tag, #32] @ load h1l | h1h + ext $h1.16b, $h1.16b, $h1.16b, #8 + ldr $h2q, [$current_tag, #64] @ load h2l | h2h + ext $h2.16b, $h2.16b, $h2.16b, #8 + aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5 + aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5 + + ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 + aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5 + rev64 $res7b, $res7b @ GHASH block 8k+7 + + aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5 + eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid + aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5 + + pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low + trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid + aese $ctr2b, $rk5 \n 
aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5 + + aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5 + aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5 + rev64 $res6b, $res6b @ GHASH block 8k+6 + + ldr $h12kq, [$current_tag, #48] @ load h2k | h1k + ldr $h34kq, [$current_tag, #96] @ load h4k | h3k + pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high + pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low + + aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6 + eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid + trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid + + aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6 + aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6 + aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6 + + pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high + aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6 + aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6 + + aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7 + aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7 + aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6 + + pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid + eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high + eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low + + pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low + trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid + aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6 + + aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7 + ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 + aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7 + + eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid + pmull $h34k.1q, 
$res4.1d, $h34k.1d @ GHASH block 8k+5 - mid + aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7 + + aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7 + aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7 + aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7 + + eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid + pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid + pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high + + pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid + ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant + pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low + + aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 + aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 + aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 + + aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 + aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 + eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low + + aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 + aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 + aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 + + eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high + rev32 $h1.16b, $rtmp_ctr.16b @ CTR block 8k+16 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+16 + + aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 9 + eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid + aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 9 + + aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 9 + aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 9 + ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11 + + eor3 
$acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up + ldp $res0q, $res1q, [$input_ptr], #32 @ AES block 8k+8, 8k+9 - load ciphertext + + aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 9 + aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 9 + ldp $res2q, $res3q, [$input_ptr], #32 @ AES block 8k+10, 8k+11 - load ciphertext + + rev32 $h2.16b, $rtmp_ctr.16b @ CTR block 8k+17 + pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+17 + + aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 9 + aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 9 + ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment + + aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 10 + aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 10 + ldp $res4q, $res5q, [$input_ptr], #32 @ AES block 8k+12, 8k+13 - load ciphertext + + rev32 $h3.16b, $rtmp_ctr.16b @ CTR block 8k+18 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+18 + eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid + + aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 10 + aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 10 + ldr $rk12q, [$cc, #192] @ load rk12 + + ldp $res6q, $res7q, [$input_ptr], #32 @ AES block 8k+14, 8k+15 - load ciphertext + aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 10 + aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 10 + + aese $ctr0b, $rk11 @ AES block 8k+8 - round 11 + ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment + aese $ctr1b, $rk11 @ AES block 8k+9 - round 11 + + aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 10 + aese $ctr6b, $rk11 @ AES block 8k+14 - round 11 + aese $ctr3b, $rk11 @ AES block 8k+11 - round 11 + + eor3 $ctr0b, $res0b, $ctr0b, 
$rk12 @ AES block 8k+8 - result + rev32 $h4.16b, $rtmp_ctr.16b @ CTR block 8k+19 + aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 10 + + aese $ctr4b, $rk11 @ AES block 8k+12 - round 11 + aese $ctr2b, $rk11 @ AES block 8k+10 - round 11 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+19 + + aese $ctr7b, $rk11 @ AES block 8k+15 - round 11 + aese $ctr5b, $rk11 @ AES block 8k+13 - round 11 + pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low + + eor3 $ctr1b, $res1b, $ctr1b, $rk12 @ AES block 8k+9 - result + stp $ctr0q, $ctr1q, [$output_ptr], #32 @ AES block 8k+8, 8k+9 - store result + eor3 $ctr3b, $res3b, $ctr3b, $rk12 @ AES block 8k+11 - result + + eor3 $ctr2b, $res2b, $ctr2b, $rk12 @ AES block 8k+10 - result + eor3 $ctr7b, $res7b, $ctr7b, $rk12 @ AES block 8k+15 - result + stp $ctr2q, $ctr3q, [$output_ptr], #32 @ AES block 8k+10, 8k+11 - store result + + eor3 $ctr5b, $res5b, $ctr5b, $rk12 @ AES block 8k+13 - result + eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low + mov $ctr3.16b, $h4.16b @ CTR block 8k+19 + + eor3 $ctr4b, $res4b, $ctr4b, $rk12 @ AES block 8k+12 - result + stp $ctr4q, $ctr5q, [$output_ptr], #32 @ AES block 8k+12, 8k+13 - store result + cmp $input_ptr, $main_end_input_ptr @ LOOP CONTROL + + eor3 $ctr6b, $res6b, $ctr6b, $rk12 @ AES block 8k+14 - result + stp $ctr6q, $ctr7q, [$output_ptr], #32 @ AES block 8k+14, 8k+15 - store result + mov $ctr0.16b, $h1.16b @ CTR block 8k+16 + + mov $ctr1.16b, $h2.16b @ CTR block 8k+17 + mov $ctr2.16b, $h3.16b @ CTR block 8k+18 + + rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 8k+20 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+20 + b.lt .L192_dec_main_loop + +.L192_dec_prepretail: @ PREPRETAIL + ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 + rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13 + + ldr $h7q, [$current_tag, #176] @ load h7l | h7h + ext $h7.16b, $h7.16b, 
$h7.16b, #8 + ldr $h8q, [$current_tag, #208] @ load h8l | h8h + ext $h8.16b, $h8.16b, $h8.16b, #8 + rev64 $res0b, $res0b @ GHASH block 8k + ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0 + + rev64 $res3b, $res3b @ GHASH block 8k+3 + rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14 + + eor $res0b, $res0b, $acc_lb @ PRE 1 + rev64 $res2b, $res2b @ GHASH block 8k+2 + rev64 $res1b, $res1b @ GHASH block 8k+1 + + ldr $h5q, [$current_tag, #128] @ load h5l | h5h + ext $h5.16b, $h5.16b, $h5.16b, #8 + ldr $h6q, [$current_tag, #160] @ load h6l | h6h + ext $h6.16b, $h6.16b, $h6.16b, #8 + rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15 + + aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0 + aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0 + aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0 + + aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0 + aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0 + pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high + + aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0 + pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high + aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0 + + aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1 + aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0 + ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 + + aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1 + pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high + pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low + + pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low + eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high + aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1 + + pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low + aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b 
@ AES block 8k+15 - round 1 + aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1 + + trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid + trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid + pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high + + aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1 + aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1 + aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1 + + ldr $h56kq, [$current_tag, #144] @ load h6k | h5k + ldr $h78kq, [$current_tag, #192] @ load h8k | h7k + aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2 + eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid + + aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2 + rev64 $res5b, $res5b @ GHASH block 8k+5 + pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low + + eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high + aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2 + aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2 + + trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid + aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3 + aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2 + + aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2 + aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2 + trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid + + pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid + aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2 + pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid + + aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3 + eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid + eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low + + aese $ctr7b, $rk3 \n aesmc 
$ctr7b, $ctr7b @ AES block 8k+15 - round 3 + aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3 + aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3 + + eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low + ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 + aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3 + + ldr $h3q, [$current_tag, #80] @ load h3l | h3h + ext $h3.16b, $h3.16b, $h3.16b, #8 + ldr $h4q, [$current_tag, #112] @ load h4l | h4h + ext $h4.16b, $h4.16b, $h4.16b, #8 + pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid + pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid + + ldr $h1q, [$current_tag, #32] @ load h1l | h1h + ext $h1.16b, $h1.16b, $h1.16b, #8 + ldr $h2q, [$current_tag, #64] @ load h2l | h2h + ext $h2.16b, $h2.16b, $h2.16b, #8 + eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid + aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3 + + rev64 $res7b, $res7b @ GHASH block 8k+7 + + eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid + rev64 $res4b, $res4b @ GHASH block 8k+4 + + aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4 + aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4 + aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3 + + aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4 + aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4 + aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4 + + aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4 + aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4 + aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4 + + rev64 $res6b, $res6b @ GHASH block 8k+6 + ldr $h12kq, [$current_tag, #48] @ load h2k | h1k + ldr $h34kq, [$current_tag, #96] @ load h4k | h3k + trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - 
mid + + aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5 + aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5 + aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5 + + ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 + aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5 + aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5 + + pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high + pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high + pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low + + aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5 + + pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low + trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid + pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high + + pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low + trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid + aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5 + + trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid + aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5 + eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid + + aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6 + aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6 + + eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid + aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6 + aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6 + + pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid + pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid + aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6 + + pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid + aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6 + pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 
8k+7 - high + + eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid + aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7 + eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low + + aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6 + aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6 + aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7 + + ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 + pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid + aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7 + + ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant + eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high + pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low + + aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7 + aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7 + aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7 + + eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high + eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low + eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid + + aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7 + aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7 + + eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up + ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment + aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 + + aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 + aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 + aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 + + aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 + pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b 
align with mid + aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 + + aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 + aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 + ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11 + + eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid + aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 9 + aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 9 + + aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 9 + aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 9 + aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 9 + + aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 9 + aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 9 + aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 9 + + pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low + ldr $rk12q, [$cc, #192] @ load rk12 + ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment + + aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 10 + aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 10 + aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 10 + + aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 10 + aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 10 + aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 10 + + aese $ctr0b, $rk11 @ AES block 8k+8 - round 11 + eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low + aese $ctr5b, $rk11 @ AES block 8k+13 - round 11 + + aese $ctr2b, $rk11 @ AES block 8k+10 - round 11 + aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 10 + aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 10 + + aese $ctr6b, $rk11 @ AES block 8k+14 - round 11 + aese 
$ctr4b, $rk11 @ AES block 8k+12 - round 11 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15 + + aese $ctr3b, $rk11 @ AES block 8k+11 - round 11 + aese $ctr1b, $rk11 @ AES block 8k+9 - round 11 + aese $ctr7b, $rk11 @ AES block 8k+15 - round 11 + +.L192_dec_tail: @ TAIL + + sub $main_end_input_ptr, $end_input_ptr, $input_ptr @ main_end_input_ptr is number of bytes left to process + + ldp $h5q, $h56kq, [$current_tag, #128] @ load h5l | h5h + ext $h5.16b, $h5.16b, $h5.16b, #8 + ldr $res1q, [$input_ptr], #16 @ AES block 8k+8 - load ciphertext + + ldp $h78kq, $h8q, [$current_tag, #192] @ load h8k | h7k + ext $h8.16b, $h8.16b, $h8.16b, #8 + + mov $t1.16b, $rk12 + + ldp $h6q, $h7q, [$current_tag, #160] @ load h6l | h6h + ext $h6.16b, $h6.16b, $h6.16b, #8 + ext $h7.16b, $h7.16b, $h7.16b, #8 + ext $t0.16b, $acc_lb, $acc_lb, #8 @ prepare final partial tag + + eor3 $res4b, $res1b, $ctr0b, $t1.16b @ AES block 8k+8 - result + cmp $main_end_input_ptr, #112 + b.gt .L192_dec_blocks_more_than_7 + + mov $ctr7b, $ctr6b + movi $acc_h.8b, #0 + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + + mov $ctr6b, $ctr5b + mov $ctr5b, $ctr4b + mov $ctr4b, $ctr3b + + cmp $main_end_input_ptr, #96 + movi $acc_l.8b, #0 + mov $ctr3b, $ctr2b + + mov $ctr2b, $ctr1b + movi $acc_m.8b, #0 + b.gt .L192_dec_blocks_more_than_6 + + mov $ctr7b, $ctr6b + mov $ctr6b, $ctr5b + mov $ctr5b, $ctr4b + + mov $ctr4b, $ctr3b + mov $ctr3b, $ctr1b + + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + cmp $main_end_input_ptr, #80 + b.gt .L192_dec_blocks_more_than_5 + + mov $ctr7b, $ctr6b + mov $ctr6b, $ctr5b + + mov $ctr5b, $ctr4b + mov $ctr4b, $ctr1b + cmp $main_end_input_ptr, #64 + + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + b.gt .L192_dec_blocks_more_than_4 + + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + mov $ctr7b, $ctr6b + mov $ctr6b, $ctr5b + + mov $ctr5b, $ctr1b + cmp $main_end_input_ptr, #48 + b.gt .L192_dec_blocks_more_than_3 + + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + mov $ctr7b, $ctr6b 
+ cmp $main_end_input_ptr, #32 + + mov $ctr6b, $ctr1b + ldr $h34kq, [$current_tag, #96] @ load h4k | h3k + b.gt .L192_dec_blocks_more_than_2 + + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + + mov $ctr7b, $ctr1b + cmp $main_end_input_ptr, #16 + b.gt .L192_dec_blocks_more_than_1 + + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + ldr $h12kq, [$current_tag, #48] @ load h2k | h1k + b .L192_dec_blocks_less_than_1 +.L192_dec_blocks_more_than_7: @ blocks left > 7 + rev64 $res0b, $res1b @ GHASH final-7 block + + ins $acc_m.d[0], $h78k.d[1] @ GHASH final-7 block - mid + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH final-7 block - high + ins $rk4v.d[0], $res0.d[1] @ GHASH final-7 block - mid + ldr $res1q, [$input_ptr], #16 @ AES final-6 block - load ciphertext + + pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH final-7 block - low + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-7 block - mid + st1 { $res4b}, [$output_ptr], #16 @ AES final-7 block - store result + + eor3 $res4b, $res1b, $ctr1b, $t1.16b @ AES final-6 block - result + + pmull $acc_m.1q, $rk4v.1d, $acc_m.1d @ GHASH final-7 block - mid + movi $t0.8b, #0 @ supress further partial tag feed in +.L192_dec_blocks_more_than_6: @ blocks left > 6 + + rev64 $res0b, $res1b @ GHASH final-6 block + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ldr $res1q, [$input_ptr], #16 @ AES final-5 block - load ciphertext + ins $rk4v.d[0], $res0.d[1] @ GHASH final-6 block - mid + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-6 block - mid + movi $t0.8b, #0 @ supress further partial tag feed in + pmull2 $rk2q1, $res0.2d, $h7.2d @ GHASH final-6 block - high + + st1 { $res4b}, [$output_ptr], #16 @ AES final-6 block - store result + eor3 $res4b, $res1b, $ctr2b, $t1.16b @ AES final-5 block - result + + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-6 block - high + pmull $rk4v.1q, $rk4v.1d, $h78k.1d @ GHASH final-6 block - mid + pmull $rk3q1, $res0.1d, $h7.1d @ GHASH final-6 block - 
low + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-6 block - mid + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-6 block - low +.L192_dec_blocks_more_than_5: @ blocks left > 5 + + rev64 $res0b, $res1b @ GHASH final-5 block + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ins $rk4v.d[0], $res0.d[1] @ GHASH final-5 block - mid + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-5 block - mid + + ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-5 block - mid + pmull2 $rk2q1, $res0.2d, $h6.2d @ GHASH final-5 block - high + + ldr $res1q, [$input_ptr], #16 @ AES final-4 block - load ciphertext + + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-5 block - high + pmull $rk3q1, $res0.1d, $h6.1d @ GHASH final-5 block - low + + pmull2 $rk4v.1q, $rk4v.2d, $h56k.2d @ GHASH final-5 block - mid + + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-5 block - low + movi $t0.8b, #0 @ supress further partial tag feed in + st1 { $res4b}, [$output_ptr], #16 @ AES final-5 block - store result + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-5 block - mid + eor3 $res4b, $res1b, $ctr3b, $t1.16b @ AES final-4 block - result +.L192_dec_blocks_more_than_4: @ blocks left > 4 + + rev64 $res0b, $res1b @ GHASH final-4 block + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + movi $t0.8b, #0 @ supress further partial tag feed in + + ldr $res1q, [$input_ptr], #16 @ AES final-3 block - load ciphertext + ins $rk4v.d[0], $res0.d[1] @ GHASH final-4 block - mid + pmull $rk3q1, $res0.1d, $h5.1d @ GHASH final-4 block - low + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-4 block - mid + + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-4 block - low + + pmull $rk4v.1q, $rk4v.1d, $h56k.1d @ GHASH final-4 block - mid + st1 { $res4b}, [$output_ptr], #16 @ AES final-4 block - store result + pmull2 $rk2q1, $res0.2d, $h5.2d @ GHASH final-4 block - high + + eor3 $res4b, $res1b, $ctr4b, $t1.16b @ AES final-3 block - result + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-4 block - mid + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-4 
block - high +.L192_dec_blocks_more_than_3: @ blocks left > 3 + + ldr $h4q, [$current_tag, #112] @ load h4l | h4h + ext $h4.16b, $h4.16b, $h4.16b, #8 + rev64 $res0b, $res1b @ GHASH final-3 block + ldr $res1q, [$input_ptr], #16 @ AES final-2 block - load ciphertext + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ins $rk4v.d[0], $res0.d[1] @ GHASH final-3 block - mid + pmull2 $rk2q1, $res0.2d, $h4.2d @ GHASH final-3 block - high + + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-3 block - high + movi $t0.8b, #0 @ supress further partial tag feed in + pmull $rk3q1, $res0.1d, $h4.1d @ GHASH final-3 block - low + + st1 { $res4b}, [$output_ptr], #16 @ AES final-3 block - store result + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-3 block - mid + eor3 $res4b, $res1b, $ctr5b, $t1.16b @ AES final-2 block - result + + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-3 block - low + ldr $h34kq, [$current_tag, #96] @ load h4k | h3k + + ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-3 block - mid + + pmull2 $rk4v.1q, $rk4v.2d, $h34k.2d @ GHASH final-3 block - mid + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-3 block - mid +.L192_dec_blocks_more_than_2: @ blocks left > 2 + + rev64 $res0b, $res1b @ GHASH final-2 block + ldr $h3q, [$current_tag, #80] @ load h3l | h3h + ext $h3.16b, $h3.16b, $h3.16b, #8 + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ins $rk4v.d[0], $res0.d[1] @ GHASH final-2 block - mid + ldr $res1q, [$input_ptr], #16 @ AES final-1 block - load ciphertext + + pmull2 $rk2q1, $res0.2d, $h3.2d @ GHASH final-2 block - high + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-2 block - mid + + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-2 block - high + pmull $rk3q1, $res0.1d, $h3.1d @ GHASH final-2 block - low + + pmull $rk4v.1q, $rk4v.1d, $h34k.1d @ GHASH final-2 block - mid + movi $t0.8b, #0 @ supress further partial tag feed in + + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-2 block - low + st1 { $res4b}, [$output_ptr], #16 @ AES final-2 block - store result + + eor 
$acc_mb, $acc_mb, $rk4v.16b @ GHASH final-2 block - mid + eor3 $res4b, $res1b, $ctr6b, $t1.16b @ AES final-1 block - result +.L192_dec_blocks_more_than_1: @ blocks left > 1 + + rev64 $res0b, $res1b @ GHASH final-1 block + ldr $res1q, [$input_ptr], #16 @ AES final block - load ciphertext + ldr $h2q, [$current_tag, #64] @ load h1l | h1h + ext $h2.16b, $h2.16b, $h2.16b, #8 + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + movi $t0.8b, #0 @ supress further partial tag feed in + ldr $h12kq, [$current_tag, #48] @ load h2k | h1k + + pmull $rk3q1, $res0.1d, $h2.1d @ GHASH final-1 block - low + ins $rk4v.d[0], $res0.d[1] @ GHASH final-1 block - mid + st1 { $res4b}, [$output_ptr], #16 @ AES final-1 block - store result + + pmull2 $rk2q1, $res0.2d, $h2.2d @ GHASH final-1 block - high + + eor3 $res4b, $res1b, $ctr7b, $t1.16b @ AES final block - result + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-1 block - mid + + ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-1 block - mid + + pmull2 $rk4v.1q, $rk4v.2d, $h12k.2d @ GHASH final-1 block - mid + + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-1 block - low + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-1 block - mid + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-1 block - high +.L192_dec_blocks_less_than_1: @ blocks left <= 1 + + rev32 $rtmp_ctr.16b, $rtmp_ctr.16b + and $bit_length, $bit_length, #127 @ bit_length %= 128 + + sub $bit_length, $bit_length, #128 @ bit_length -= 128 + str $rtmp_ctrq, [$counter] @ store the updated counter + + neg $bit_length, $bit_length @ bit_length = 128 - #bits in input (in range [1,128]) + mvn $temp0_x, xzr @ temp0_x = 0xffffffffffffffff + + and $bit_length, $bit_length, #127 @ bit_length %= 128 + + mvn $temp1_x, xzr @ temp1_x = 0xffffffffffffffff + lsr $temp0_x, $temp0_x, $bit_length @ temp0_x is mask for top 64b of last block + cmp $bit_length, #64 + + csel $temp2_x, $temp1_x, $temp0_x, lt + csel $temp3_x, $temp0_x, xzr, lt + ldr $h1q, [$current_tag, #32] @ load h1l | h1h + ext $h1.16b, $h1.16b, 
$h1.16b, #8 + + mov $ctr0.d[1], $temp3_x + ld1 { $rk0}, [$output_ptr] @ load existing bytes where the possibly partial last block is to be stored + + mov $ctr0.d[0], $temp2_x @ ctr0b is mask for last block + + and $res1b, $res1b, $ctr0b @ possibly partial last block has zeroes in highest bits + bif $res4b, $rk0, $ctr0b @ insert existing bytes in top end of result before storing + + rev64 $res0b, $res1b @ GHASH final block + + st1 { $res4b}, [$output_ptr] @ store all 16B + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ins $t0.d[0], $res0.d[1] @ GHASH final block - mid + pmull $rk3q1, $res0.1d, $h1.1d @ GHASH final block - low + + eor $t0.8b, $t0.8b, $res0.8b @ GHASH final block - mid + pmull2 $rk2q1, $res0.2d, $h1.2d @ GHASH final block - high + eor $acc_lb, $acc_lb, $rk3 @ GHASH final block - low + + pmull $t0.1q, $t0.1d, $h12k.1d @ GHASH final block - mid + eor $acc_hb, $acc_hb, $rk2 @ GHASH final block - high + + eor $t10.16b, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up + eor $acc_mb, $acc_mb, $t0.16b @ GHASH final block - mid + ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant + + pmull $t11.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid + ext $acc_hb, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment + + eor $acc_mb, $acc_mb, $t10.16b @ MODULO - karatsuba tidy up + + eor3 $acc_mb, $acc_mb, $acc_hb, $t11.16b @ MODULO - fold into mid + + pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low + ext $acc_mb, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment + + eor3 $acc_lb, $acc_lb, $acc_mb, $acc_hb @ MODULO - fold into low + ext $acc_lb, $acc_lb, $acc_lb, #8 + rev64 $acc_lb, $acc_lb + st1 { $acc_l.16b }, [$current_tag] + + mov x0, $byte_length + + ldp d10, d11, [sp, #16] + ldp d12, d13, [sp, #32] + ldp d14, d15, [sp, #48] + ldp d8, d9, [sp], #80 + ret + +.L192_dec_ret: + mov w0, #0x0 + ret +.size unroll8_eor3_aes_gcm_dec_192_kernel,.-unroll8_eor3_aes_gcm_dec_192_kernel +___ +} + +{ + 
+my ($end_input_ptr,$main_end_input_ptr,$temp0_x,$temp1_x)=map("x$_",(4..7)); +my ($temp2_x,$temp3_x)=map("x$_",(13..14)); +my ($ctr0b,$ctr1b,$ctr2b,$ctr3b,$ctr4b,$ctr5b,$ctr6b,$ctr7b,$res0b,$res1b,$res2b,$res3b,$res4b,$res5b,$res6b,$res7b)=map("v$_.16b",(0..15)); +my ($ctr0,$ctr1,$ctr2,$ctr3,$ctr4,$ctr5,$ctr6,$ctr7,$res0,$res1,$res2,$res3,$res4,$res5,$res6,$res7)=map("v$_",(0..15)); +my ($ctr0d,$ctr1d,$ctr2d,$ctr3d,$ctr4d,$ctr5d,$ctr6d,$ctr7d)=map("d$_",(0..7)); +my ($ctr0q,$ctr1q,$ctr2q,$ctr3q,$ctr4q,$ctr5q,$ctr6q,$ctr7q)=map("q$_",(0..7)); +my ($res0q,$res1q,$res2q,$res3q,$res4q,$res5q,$res6q,$res7q)=map("q$_",(8..15)); + +my ($ctr_t0,$ctr_t1,$ctr_t2,$ctr_t3,$ctr_t4,$ctr_t5,$ctr_t6,$ctr_t7)=map("v$_",(8..15)); +my ($ctr_t0b,$ctr_t1b,$ctr_t2b,$ctr_t3b,$ctr_t4b,$ctr_t5b,$ctr_t6b,$ctr_t7b)=map("v$_.16b",(8..15)); +my ($ctr_t0q,$ctr_t1q,$ctr_t2q,$ctr_t3q,$ctr_t4q,$ctr_t5q,$ctr_t6q,$ctr_t7q)=map("q$_",(8..15)); + +my ($acc_hb,$acc_mb,$acc_lb)=map("v$_.16b",(17..19)); +my ($acc_h,$acc_m,$acc_l)=map("v$_",(17..19)); + +my ($h1,$h12k,$h2,$h3,$h34k,$h4)=map("v$_",(20..25)); +my ($h5,$h56k,$h6,$h7,$h78k,$h8)=map("v$_",(20..25)); +my ($h1q,$h12kq,$h2q,$h3q,$h34kq,$h4q)=map("q$_",(20..25)); +my ($h5q,$h56kq,$h6q,$h7q,$h78kq,$h8q)=map("q$_",(20..25)); + +my $t0="v16"; +my $t0d="d16"; + +my $t1="v29"; +my $t2=$res1; +my $t3=$t1; + +my $t4=$res0; +my $t5=$res2; +my $t6=$t0; + +my $t7=$res3; +my $t8=$res4; +my $t9=$res5; + +my $t10=$res6; +my $t11="v21"; +my $t12=$t1; + +my $rtmp_ctr="v30"; +my $rtmp_ctrq="q30"; +my $rctr_inc="v31"; +my $rctr_incd="d31"; + +my $mod_constantd=$t0d; +my $mod_constant=$t0; + +my ($rk0,$rk1,$rk2)=map("v$_.16b",(26..28)); +my ($rk3,$rk4,$rk5)=map("v$_.16b",(26..28)); +my ($rk6,$rk7,$rk8)=map("v$_.16b",(26..28)); +my ($rk9,$rk10,$rk11)=map("v$_.16b",(26..28)); +my ($rk12,$rk13,$rk14)=map("v$_.16b",(26..28)); +my ($rk0q,$rk1q,$rk2q)=map("q$_",(26..28)); +my ($rk3q,$rk4q,$rk5q)=map("q$_",(26..28)); +my ($rk6q,$rk7q,$rk8q)=map("q$_",(26..28)); +my 
($rk9q,$rk10q,$rk11q)=map("q$_",(26..28)); +my ($rk12q,$rk13q,$rk14q)=map("q$_",(26..28)); +my $rk2q1="v28.1q"; +my $rk3q1="v26.1q"; +my $rk4v="v27"; +######################################################################################### +# size_t unroll8_eor3_aes_gcm_enc_256_kernel(const unsigned char *in, +# size_t len, +# unsigned char *out, +# const void *key, +# unsigned char ivec[16], +# u64 *Xi); +# +$code.=<<___; +.global unroll8_eor3_aes_gcm_enc_256_kernel +.type unroll8_eor3_aes_gcm_enc_256_kernel,%function +.align 4 +unroll8_eor3_aes_gcm_enc_256_kernel: + AARCH64_VALID_CALL_TARGET + cbz x1, .L256_enc_ret + stp d8, d9, [sp, #-80]! + lsr $byte_length, $bit_length, #3 + mov $counter, x4 + mov $cc, x5 + stp d10, d11, [sp, #16] + stp d12, d13, [sp, #32] + stp d14, d15, [sp, #48] + mov x5, #0xc200000000000000 + stp x5, xzr, [sp, #64] + add $modulo_constant, sp, #64 + + ld1 { $ctr0b}, [$counter] @ CTR block 0 + + mov $main_end_input_ptr, $byte_length + + mov $constant_temp, #0x100000000 @ set up counter increment + movi $rctr_inc.16b, #0x0 + mov $rctr_inc.d[1], $constant_temp + sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1 + + and $main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffff80 @ number of bytes to be processed in main loop (at least 1 byte must be handled by tail) + + add $main_end_input_ptr, $main_end_input_ptr, $input_ptr + + rev32 $rtmp_ctr.16b, $ctr0.16b @ set up reversed counter + + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 0 + + rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 1 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 1 + + rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 2 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 2 + + rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 3 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 3 + + rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 4 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 4 + + rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 5 
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 5 + ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 + + rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 6 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 6 + + rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 7 + + aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 + aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 0 + aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 + + aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0 + aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 + aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 0 + + aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 0 + aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 0 + ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 + + aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 1 + aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 + aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 + + aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 1 + aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 1 + + aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 + + aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 1 + + aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 + aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 + aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 1 + + aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 2 + aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 2 + aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 2 + + aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 2 + aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 + aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2 + + aese $ctr5b, $rk3 \n aesmc 
$ctr5b, $ctr5b @ AES block 5 - round 3 + aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 3 + ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 + + aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 3 + + aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 3 + aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 3 + aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 3 + + aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3 + aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 3 + + aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 4 + aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 4 + aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 4 + + aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 4 + aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 4 + + aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 4 + aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 4 + aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 4 + + aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 5 + aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 5 + ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 + + aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 5 + aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 5 + aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 5 + + aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 5 + aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 5 + aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 5 + + aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 6 + aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 6 + aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 6 + + aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 6 + aese 
$ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 6 + aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 6 + + aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 6 + aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 6 + ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 + + aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 7 + aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 7 + + aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 7 + aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 7 + aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 7 + + aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 7 + aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 7 + + aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 7 + + aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 8 + aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 8 + + aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 8 + aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 8 + aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 8 + + aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 8 + aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 8 + aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 8 + + ld1 { $acc_lb}, [$current_tag] + ext $acc_lb, $acc_lb, $acc_lb, #8 + rev64 $acc_lb, $acc_lb + ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11 + + aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 9 + aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 9 + aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 9 + + aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 9 + aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 9 + aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 9 + + aese $ctr1b, $rk9 
\n aesmc $ctr1b, $ctr1b @ AES block 1 - round 9 + + aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 10 + aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 10 + aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 9 + + aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 10 + aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 10 + aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 10 + + aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 10 + aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 10 + aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 10 + + aese $ctr4b, $rk11 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 11 + ldp $rk12q, $rk13q, [$cc, #192] @ load rk12, rk13 + aese $ctr5b, $rk11 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 11 + + aese $ctr2b, $rk11 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 11 + aese $ctr6b, $rk11 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 11 + aese $ctr1b, $rk11 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 11 + + aese $ctr0b, $rk11 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 11 + aese $ctr3b, $rk11 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 11 + aese $ctr7b, $rk11 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 11 + + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 7 + ldr $rk14q, [$cc, #224] @ load rk14 + + aese $ctr4b, $rk12 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 12 + aese $ctr2b, $rk12 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 12 + aese $ctr1b, $rk12 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 12 + + aese $ctr0b, $rk12 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 12 + aese $ctr5b, $rk12 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 12 + aese $ctr3b, $rk12 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 12 + + aese $ctr2b, $rk13 @ AES block 2 - round 13 + aese $ctr1b, $rk13 @ AES block 1 - round 13 + aese $ctr4b, $rk13 @ AES block 4 - round 13 + + aese $ctr6b, $rk12 \n aesmc 
$ctr6b, $ctr6b @ AES block 6 - round 12
+ aese $ctr7b, $rk12 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 12
+
+ aese $ctr0b, $rk13 @ AES block 0 - round 13
+ aese $ctr5b, $rk13 @ AES block 5 - round 13
+
+ aese $ctr6b, $rk13 @ AES block 6 - round 13
+ aese $ctr7b, $rk13 @ AES block 7 - round 13
+ aese $ctr3b, $rk13 @ AES block 3 - round 13
+
+ add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr
+ cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks
+ b.ge .L256_enc_tail @ handle tail
+
+ ldp $ctr_t0q, $ctr_t1q, [$input_ptr], #32 @ AES block 0, 1 - load plaintext
+
+ ldp $ctr_t2q, $ctr_t3q, [$input_ptr], #32 @ AES block 2, 3 - load plaintext
+
+ eor3 $res0b, $ctr_t0b, $ctr0b, $rk14 @ AES block 0 - result
+ rev32 $ctr0.16b, $rtmp_ctr.16b @ CTR block 8
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8
+
+ eor3 $res1b, $ctr_t1b, $ctr1b, $rk14 @ AES block 1 - result
+ eor3 $res3b, $ctr_t3b, $ctr3b, $rk14 @ AES block 3 - result
+
+ rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 9
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 9
+ ldp $ctr_t4q, $ctr_t5q, [$input_ptr], #32 @ AES block 4, 5 - load plaintext
+
+ ldp $ctr_t6q, $ctr_t7q, [$input_ptr], #32 @ AES block 6, 7 - load plaintext
+ eor3 $res2b, $ctr_t2b, $ctr2b, $rk14 @ AES block 2 - result
+ cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks
+
+ rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 10
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 10
+ stp $res0q, $res1q, [$output_ptr], #32 @ AES block 0, 1 - store result
+
+ stp $res2q, $res3q, [$output_ptr], #32 @ AES block 2, 3 - store result
+
+ rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 11
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 11
+
+ eor3 $res4b, $ctr_t4b, $ctr4b, $rk14 @ AES block 4 - result
+
+ eor3 $res7b, $ctr_t7b, $ctr7b, $rk14 @ AES block 7 - result
+ eor3 $res6b, $ctr_t6b, $ctr6b, $rk14 @ AES block 6 - result
+ eor3 $res5b, $ctr_t5b, $ctr5b, $rk14 @ AES block 5 - 
result
+
+ stp $res4q, $res5q, [$output_ptr], #32 @ AES block 4, 5 - store result
+ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 12
+
+ stp $res6q, $res7q, [$output_ptr], #32 @ AES block 6, 7 - store result
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 12
+ b.ge .L256_enc_prepretail @ do prepretail
+
+.L256_enc_main_loop: @ main loop start
+ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1
+
+ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13
+ ldr $h56kq, [$current_tag, #144] @ load h6k | h5k
+ ldr $h78kq, [$current_tag, #192] @ load h8k | h7k
+
+ rev64 $res3b, $res3b @ GHASH block 8k+3
+ ldr $h5q, [$current_tag, #128] @ load h5l | h5h
+ ext $h5.16b, $h5.16b, $h5.16b, #8
+ ldr $h6q, [$current_tag, #160] @ load h6l | h6h
+ ext $h6.16b, $h6.16b, $h6.16b, #8
+ rev64 $res1b, $res1b @ GHASH block 8k+1
+
+ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14
+ rev64 $res0b, $res0b @ GHASH block 8k
+
+ rev64 $res4b, $res4b @ GHASH block 8k+4
+ ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0
+ ldr $h7q, [$current_tag, #176] @ load h7l | h7h
+ ext $h7.16b, $h7.16b, $h7.16b, #8
+ ldr $h8q, [$current_tag, #208] @ load h8l | h8h
+ ext $h8.16b, $h8.16b, $h8.16b, #8
+
+ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0
+ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0
+ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15
+
+ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0
+ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0
+ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0
+
+ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0
+ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0
+ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0
+
+ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3
+ eor $res0b, $res0b, 
$acc_lb @ PRE 1
+ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1
+
+ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1
+ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1
+ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1
+
+ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1
+ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1
+ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1
+
+ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high
+ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low
+ pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high
+
+ trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid
+ trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid
+ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1
+
+ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2
+ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2
+ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2
+
+ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2
+ pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low
+ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2
+
+ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3
+ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3
+ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2
+
+ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3
+ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2
+ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2
+
+ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3
+ rev64 $res6b, $res6b @ GHASH block 8k+6
+ pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high
+
+ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 
8k+11 - round 3
+ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5
+ rev64 $res2b, $res2b @ GHASH block 8k+2
+
+ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3
+ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3
+ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3
+
+ eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high
+ pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high
+ rev64 $res5b, $res5b @ GHASH block 8k+5
+
+ pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low
+ eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low
+ ldr $h3q, [$current_tag, #80] @ load h3l | h3h
+ ext $h3.16b, $h3.16b, $h3.16b, #8
+ ldr $h4q, [$current_tag, #112] @ load h4l | h4h
+ ext $h4.16b, $h4.16b, $h4.16b, #8
+
+ trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid
+ eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high
+ pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low
+
+ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4
+ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4
+ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4
+
+ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4
+ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4
+ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4
+
+ trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid
+ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4
+ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4
+
+ trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid
+ eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid
+ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7
+
+ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5
+ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5
+ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES 
block 8k+12 - round 5
+
+ eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid
+ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5
+ rev64 $res7b, $res7b @ GHASH block 8k+7
+
+ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5
+ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5
+ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5
+
+ pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid
+ pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid
+ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5
+
+ pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid
+ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6
+ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6
+
+ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6
+ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6
+ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6
+
+ eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid
+ pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid
+ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6
+
+ eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low
+ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6
+ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6
+
+ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9
+ pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high
+ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7
+
+ ldr $h1q, [$current_tag, #32] @ load h1l | h1h
+ ext $h1.16b, $h1.16b, $h1.16b, #8
+ ldr $h2q, [$current_tag, #64] @ load h2l | h2h
+ ext $h2.16b, $h2.16b, $h2.16b, #8
+ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7
+ eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid
+
+ ldr $h12kq, [$current_tag, #48] @ load 
h2k | h1k
+ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k
+ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7
+ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7
+
+ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7
+ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7
+ pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low
+
+ trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid
+ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7
+ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7
+
+ pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high
+ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8
+ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8
+
+ pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low
+ trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid
+ eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid
+
+ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8
+ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 9
+ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8
+
+ pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid
+ pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid
+ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8
+
+ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8
+ pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high
+ pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low
+
+ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8
+ trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid
+ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8
+
+ eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid
+ aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 9
+ aese $ctr5b, 
$rk9 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 9
+
+ eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid
+ aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 9
+ aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 9
+
+ ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11
+ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 9
+ aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 9
+
+ pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high
+ eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low
+ pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low
+
+ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant
+ pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid
+ pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid
+
+ aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 9
+
+ eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid
+ eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low
+ eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high
+
+ aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 10
+ aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 10
+ aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 10
+
+ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 10
+ aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 10
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15
+
+ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 10
+ aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 10
+ aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 10
+
+ eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high
+
+ ldp $rk12q, $rk13q, [$cc, #192] @ load rk12, rk13
+ rev32 $h1.16b, $rtmp_ctr.16b @ CTR block 8k+16
+
+ 
ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment
+ ldp $ctr_t0q, $ctr_t1q, [$input_ptr], #32 @ AES block 8k+8, 8k+9 - load plaintext
+ aese $ctr2b, $rk11 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 11
+
+ aese $ctr6b, $rk11 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 11
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+16
+ aese $ctr3b, $rk11 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 11
+
+ aese $ctr0b, $rk11 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 11
+ aese $ctr7b, $rk11 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 11
+
+ pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid
+ aese $ctr1b, $rk11 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 11
+
+ aese $ctr7b, $rk12 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 12
+ aese $ctr5b, $rk11 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 11
+
+ aese $ctr3b, $rk12 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 12
+ aese $ctr6b, $rk12 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 12
+ rev32 $h2.16b, $rtmp_ctr.16b @ CTR block 8k+17
+
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+17
+ aese $ctr4b, $rk11 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 11
+ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up
+
+ aese $ctr5b, $rk12 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 12
+ ldr $rk14q, [$cc, #224] @ load rk14
+ aese $ctr7b, $rk13 @ AES block 8k+15 - round 13
+
+ ldp $ctr_t2q, $ctr_t3q, [$input_ptr], #32 @ AES block 8k+10, 8k+11 - load plaintext
+ aese $ctr2b, $rk12 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 12
+ aese $ctr4b, $rk12 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 12
+
+ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid
+ aese $ctr1b, $rk12 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 12
+ ldp $ctr_t4q, $ctr_t5q, [$input_ptr], #32 @ AES block 4, 5 - load plaintext
+
+ ldp $ctr_t6q, $ctr_t7q, [$input_ptr], #32 @ AES block 6, 7 - load 
plaintext
+ aese $ctr2b, $rk13 @ AES block 8k+10 - round 13
+ aese $ctr4b, $rk13 @ AES block 8k+12 - round 13
+
+ rev32 $h3.16b, $rtmp_ctr.16b @ CTR block 8k+18
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+18
+ aese $ctr5b, $rk13 @ AES block 8k+13 - round 13
+
+ aese $ctr0b, $rk12 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 12
+ aese $ctr3b, $rk13 @ AES block 8k+11 - round 13
+ cmp $input_ptr, $main_end_input_ptr @ LOOP CONTROL
+
+ eor3 $res2b, $ctr_t2b, $ctr2b, $rk14 @ AES block 8k+10 - result
+ rev32 $h4.16b, $rtmp_ctr.16b @ CTR block 8k+19
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+19
+
+ aese $ctr0b, $rk13 @ AES block 8k+8 - round 13
+ aese $ctr6b, $rk13 @ AES block 8k+14 - round 13
+ eor3 $res5b, $ctr_t5b, $ctr5b, $rk14 @ AES block 5 - result
+
+ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment
+ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low
+ aese $ctr1b, $rk13 @ AES block 8k+9 - round 13
+
+ eor3 $res4b, $ctr_t4b, $ctr4b, $rk14 @ AES block 4 - result
+ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 8k+20
+ eor3 $res3b, $ctr_t3b, $ctr3b, $rk14 @ AES block 8k+11 - result
+
+ mov $ctr3.16b, $h4.16b @ CTR block 8k+19
+ eor3 $res1b, $ctr_t1b, $ctr1b, $rk14 @ AES block 8k+9 - result
+ eor3 $res0b, $ctr_t0b, $ctr0b, $rk14 @ AES block 8k+8 - result
+
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+20
+ stp $res0q, $res1q, [$output_ptr], #32 @ AES block 8k+8, 8k+9 - store result
+ mov $ctr2.16b, $h3.16b @ CTR block 8k+18
+
+ eor3 $res7b, $ctr_t7b, $ctr7b, $rk14 @ AES block 7 - result
+ eor3 $acc_lb, $acc_lb, $t11.16b, $acc_hb @ MODULO - fold into low
+ stp $res2q, $res3q, [$output_ptr], #32 @ AES block 8k+10, 8k+11 - store result
+
+ eor3 $res6b, $ctr_t6b, $ctr6b, $rk14 @ AES block 6 - result
+ mov $ctr1.16b, $h2.16b @ CTR block 8k+17
+ stp $res4q, $res5q, [$output_ptr], #32 @ AES block 4, 5 - store result
+
+ stp $res6q, $res7q, [$output_ptr], #32 @ AES block 6, 7 - 
store result
+ mov $ctr0.16b, $h1.16b @ CTR block 8k+16
+ b.lt .L256_enc_main_loop
+
+.L256_enc_prepretail: @ PREPRETAIL
+ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13
+ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13
+
+ rev64 $res2b, $res2b @ GHASH block 8k+2
+
+ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14
+
+ rev64 $res5b, $res5b @ GHASH block 8k+5
+ ldr $h56kq, [$current_tag, #144] @ load h6k | h5k
+ ldr $h78kq, [$current_tag, #192] @ load h8k | h7k
+
+ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15
+
+ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0
+ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0
+ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0
+
+ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0
+ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0
+
+ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0
+ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0
+ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0
+
+ ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0
+ rev64 $res0b, $res0b @ GHASH block 8k
+ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1
+
+ rev64 $res1b, $res1b @ GHASH block 8k+1
+ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3
+ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1
+
+ ldr $h7q, [$current_tag, #176] @ load h7l | h7h
+ ext $h7.16b, $h7.16b, $h7.16b, #8
+ ldr $h8q, [$current_tag, #208] @ load h8l | h8h
+ ext $h8.16b, $h8.16b, $h8.16b, #8
+ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1
+
+ ldr $h5q, [$current_tag, #128] @ load h5l | h5h
+ ext $h5.16b, $h5.16b, $h5.16b, #8
+ ldr $h6q, [$current_tag, #160] @ load h6l | h6h
+ ext $h6.16b, $h6.16b, $h6.16b, #8
+ aese $ctr0b, $rk1 \n aesmc 
$ctr0b, $ctr0b @ AES block 8k+8 - round 1
+ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1
+
+ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1
+ eor $res0b, $res0b, $acc_lb @ PRE 1
+
+ rev64 $res3b, $res3b @ GHASH block 8k+3
+ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1
+
+ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2
+ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2
+ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1
+
+ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2
+ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2
+ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2
+
+ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2
+ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2
+ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2
+
+ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5
+ trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid
+ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high
+
+ rev64 $res6b, $res6b @ GHASH block 8k+6
+ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3
+ pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high
+
+ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3
+ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low
+ trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid
+
+ pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high
+ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3
+
+ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3
+ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3
+ eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high
+
+ pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low
+ pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - 
high
+ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3
+
+ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3
+ eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid
+ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3
+
+ pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low
+ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4
+ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4
+
+ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4
+ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4
+ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4
+
+ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5
+ pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid
+ eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high
+
+ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4
+ trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid
+ trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid
+
+ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4
+ eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low
+ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4
+
+ pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low
+ pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid
+ eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid
+
+ rev64 $res4b, $res4b @ GHASH block 8k+4
+ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5
+ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5
+
+ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5
+ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5
+ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7
+
+ ldr $h3q, [$current_tag, #80] @ load h3l | h3h
+ ext $h3.16b, $h3.16b, $h3.16b, #8
+ ldr $h4q, 
[$current_tag, #112] @ load h4l | h4h
+ ext $h4.16b, $h4.16b, $h4.16b, #8
+ pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid
+ pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid
+
+ eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low
+ eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid
+
+ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5
+ rev64 $res7b, $res7b @ GHASH block 8k+7
+ trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid
+
+ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5
+ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5
+ eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid
+
+ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6
+ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6
+ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6
+
+ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k
+ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k
+ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6
+ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6
+
+ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6
+ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6
+ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6
+
+ pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high
+ pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low
+ ldr $h1q, [$current_tag, #32] @ load h1l | h1h
+ ext $h1.16b, $h1.16b, $h1.16b, #8
+ ldr $h2q, [$current_tag, #64] @ load h2l | h2h
+ ext $h2.16b, $h2.16b, $h2.16b, #8
+
+ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9
+ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7
+ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7
+
+ pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high
+ trn2 $res4.2d, $res5.2d, $res4.2d @ 
GHASH block 8k+4, 8k+5 - mid
+
+ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7
+ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7
+ pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low
+
+ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7
+ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7
+ eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid
+
+ pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high
+ pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low
+ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7
+
+ trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid
+ trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid
+ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7
+
+ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8
+ eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low
+ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8
+
+ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8
+ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8
+ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8
+
+ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8
+ eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid
+ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8
+
+ pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid
+ pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid
+ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8
+
+ pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high
+ pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid
+ pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid
+
+ pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low
+ eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 
8k+5 - mid
+ eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high
+
+ ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11
+ aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 9
+ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 9
+
+ eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high
+ eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid
+ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant
+
+ eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low
+
+ aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 9
+ aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 9
+ aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 9
+
+ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 9
+ aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 9
+
+ aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 10
+ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 10
+ aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 9
+
+ aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 10
+ aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 10
+ aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 10
+
+ aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 10
+ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 10
+ aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 10
+
+ pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid
+ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up
+ aese $ctr7b, $rk11 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 11
+
+ ldp $rk12q, $rk13q, [$cc, #192] @ load rk12, rk13
+ ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment
+ aese $ctr2b, $rk11 \n aesmc $ctr2b, 
$ctr2b @ AES block 8k+10 - round 11
+
+ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid
+ aese $ctr1b, $rk11 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 11
+ aese $ctr6b, $rk11 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 11
+
+ aese $ctr0b, $rk11 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 11
+ aese $ctr4b, $rk11 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 11
+ aese $ctr5b, $rk11 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 11
+
+ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low
+ aese $ctr3b, $rk11 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 11
+ ldr $rk14q, [$cc, #224] @ load rk14
+
+ aese $ctr1b, $rk12 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 12
+ aese $ctr2b, $rk12 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 12
+ aese $ctr0b, $rk12 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 12
+
+ aese $ctr6b, $rk12 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 12
+ aese $ctr5b, $rk12 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 12
+ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment
+
+ aese $ctr4b, $rk12 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 12
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15
+
+ aese $ctr3b, $rk12 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 12
+ aese $ctr7b, $rk12 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 12
+ aese $ctr0b, $rk13 @ AES block 8k+8 - round 13
+
+ eor3 $acc_lb, $acc_lb, $t11.16b, $acc_hb @ MODULO - fold into low
+ aese $ctr5b, $rk13 @ AES block 8k+13 - round 13
+ aese $ctr1b, $rk13 @ AES block 8k+9 - round 13
+
+ aese $ctr3b, $rk13 @ AES block 8k+11 - round 13
+ aese $ctr4b, $rk13 @ AES block 8k+12 - round 13
+ aese $ctr7b, $rk13 @ AES block 8k+15 - round 13
+
+ aese $ctr2b, $rk13 @ AES block 8k+10 - round 13
+ aese $ctr6b, $rk13 @ AES block 8k+14 - round 13
+.L256_enc_tail: @ TAIL
+
+ ldp $h78kq, $h8q, [$current_tag, #192] @ load h8l | h8h
+ ext $h8.16b, $h8.16b, $h8.16b, #8
+ 
sub $main_end_input_ptr, $end_input_ptr, $input_ptr @ main_end_input_ptr is number of bytes left to process
+
+ ldr $ctr_t0q, [$input_ptr], #16 @ AES block 8k+8 - load plaintext
+
+ ldp $h5q, $h56kq, [$current_tag, #128] @ load h5l | h5h
+ ext $h5.16b, $h5.16b, $h5.16b, #8
+
+ ext $t0.16b, $acc_lb, $acc_lb, #8 @ prepare final partial tag
+ ldp $h6q, $h7q, [$current_tag, #160] @ load h6l | h6h
+ ext $h6.16b, $h6.16b, $h6.16b, #8
+ ext $h7.16b, $h7.16b, $h7.16b, #8
+ mov $t1.16b, $rk14
+
+ cmp $main_end_input_ptr, #112
+ eor3 $res1b, $ctr_t0b, $ctr0b, $t1.16b @ AES block 8k+8 - result
+ b.gt .L256_enc_blocks_more_than_7
+
+ movi $acc_l.8b, #0
+ mov $ctr7b, $ctr6b
+ movi $acc_h.8b, #0
+
+ mov $ctr6b, $ctr5b
+ mov $ctr5b, $ctr4b
+ mov $ctr4b, $ctr3b
+
+ mov $ctr3b, $ctr2b
+ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
+ mov $ctr2b, $ctr1b
+
+ movi $acc_m.8b, #0
+ cmp $main_end_input_ptr, #96
+ b.gt .L256_enc_blocks_more_than_6
+
+ mov $ctr7b, $ctr6b
+ mov $ctr6b, $ctr5b
+ cmp $main_end_input_ptr, #80
+
+ mov $ctr5b, $ctr4b
+ mov $ctr4b, $ctr3b
+ mov $ctr3b, $ctr1b
+
+ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
+ b.gt .L256_enc_blocks_more_than_5
+
+ mov $ctr7b, $ctr6b
+ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
+
+ mov $ctr6b, $ctr5b
+ mov $ctr5b, $ctr4b
+
+ cmp $main_end_input_ptr, #64
+ mov $ctr4b, $ctr1b
+ b.gt .L256_enc_blocks_more_than_4
+
+ cmp $main_end_input_ptr, #48
+ mov $ctr7b, $ctr6b
+ mov $ctr6b, $ctr5b
+
+ mov $ctr5b, $ctr1b
+ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
+ b.gt .L256_enc_blocks_more_than_3
+
+ cmp $main_end_input_ptr, #32
+ mov $ctr7b, $ctr6b
+ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k
+
+ mov $ctr6b, $ctr1b
+ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
+ b.gt .L256_enc_blocks_more_than_2
+
+ mov $ctr7b, $ctr1b
+
+ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
+ cmp $main_end_input_ptr, #16
+ b.gt .L256_enc_blocks_more_than_1
+
+ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
+ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k
+ 
b .L256_enc_blocks_less_than_1 +.L256_enc_blocks_more_than_7: @ blocks left > 7 + st1 { $res1b}, [$output_ptr], #16 @ AES final-7 block - store result + + rev64 $res0b, $res1b @ GHASH final-7 block + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ldr $ctr_t1q, [$input_ptr], #16 @ AES final-6 block - load plaintext + + pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH final-7 block - high + ins $rk4v.d[0], $res0.d[1] @ GHASH final-7 block - mid + ins $acc_m.d[0], $h78k.d[1] @ GHASH final-7 block - mid + + movi $t0.8b, #0 @ supress further partial tag feed in + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-7 block - mid + eor3 $res1b, $ctr_t1b, $ctr1b, $t1.16b @ AES final-6 block - result + + pmull $acc_m.1q, $rk4v.1d, $acc_m.1d @ GHASH final-7 block - mid + pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH final-7 block - low +.L256_enc_blocks_more_than_6: @ blocks left > 6 + + st1 { $res1b}, [$output_ptr], #16 @ AES final-6 block - store result + + rev64 $res0b, $res1b @ GHASH final-6 block + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + pmull $rk3q1, $res0.1d, $h7.1d @ GHASH final-6 block - low + ins $rk4v.d[0], $res0.d[1] @ GHASH final-6 block - mid + pmull2 $rk2q1, $res0.2d, $h7.2d @ GHASH final-6 block - high + + ldr $ctr_t1q, [$input_ptr], #16 @ AES final-5 block - load plaintext + + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-6 block - low + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-6 block - mid + + pmull $rk4v.1q, $rk4v.1d, $h78k.1d @ GHASH final-6 block - mid + eor3 $res1b, $ctr_t1b, $ctr2b, $t1.16b @ AES final-5 block - result + + movi $t0.8b, #0 @ supress further partial tag feed in + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-6 block - mid + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-6 block - high +.L256_enc_blocks_more_than_5: @ blocks left > 5 + + st1 { $res1b}, [$output_ptr], #16 @ AES final-5 block - store result + + rev64 $res0b, $res1b @ GHASH final-5 block + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ins $rk4v.d[0], 
$res0.d[1] @ GHASH final-5 block - mid + + pmull2 $rk2q1, $res0.2d, $h6.2d @ GHASH final-5 block - high + + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-5 block - high + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-5 block - mid + + ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-5 block - mid + + ldr $ctr_t1q, [$input_ptr], #16 @ AES final-4 block - load plaintext + pmull $rk3q1, $res0.1d, $h6.1d @ GHASH final-5 block - low + + pmull2 $rk4v.1q, $rk4v.2d, $h56k.2d @ GHASH final-5 block - mid + movi $t0.8b, #0 @ supress further partial tag feed in + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-5 block - low + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-5 block - mid + eor3 $res1b, $ctr_t1b, $ctr3b, $t1.16b @ AES final-4 block - result +.L256_enc_blocks_more_than_4: @ blocks left > 4 + + st1 { $res1b}, [$output_ptr], #16 @ AES final-4 block - store result + + rev64 $res0b, $res1b @ GHASH final-4 block + + ldr $ctr_t1q, [$input_ptr], #16 @ AES final-3 block - load plaintext + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ins $rk4v.d[0], $res0.d[1] @ GHASH final-4 block - mid + pmull2 $rk2q1, $res0.2d, $h5.2d @ GHASH final-4 block - high + + eor3 $res1b, $ctr_t1b, $ctr4b, $t1.16b @ AES final-3 block - result + pmull $rk3q1, $res0.1d, $h5.1d @ GHASH final-4 block - low + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-4 block - mid + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-4 block - low + + pmull $rk4v.1q, $rk4v.1d, $h56k.1d @ GHASH final-4 block - mid + + movi $t0.8b, #0 @ supress further partial tag feed in + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-4 block - mid + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-4 block - high +.L256_enc_blocks_more_than_3: @ blocks left > 3 + + st1 { $res1b}, [$output_ptr], #16 @ AES final-3 block - store result + + ldr $h4q, [$current_tag, #112] @ load h4l | h4h + ext $h4.16b, $h4.16b, $h4.16b, #8 + rev64 $res0b, $res1b @ GHASH final-3 block + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ins $rk4v.d[0], $res0.d[1] @ 
GHASH final-3 block - mid + pmull2 $rk2q1, $res0.2d, $h4.2d @ GHASH final-3 block - high + + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-3 block - high + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-3 block - mid + ldr $h34kq, [$current_tag, #96] @ load h4k | h3k + + ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-3 block - mid + ldr $ctr_t1q, [$input_ptr], #16 @ AES final-2 block - load plaintext + + pmull2 $rk4v.1q, $rk4v.2d, $h34k.2d @ GHASH final-3 block - mid + pmull $rk3q1, $res0.1d, $h4.1d @ GHASH final-3 block - low + + eor3 $res1b, $ctr_t1b, $ctr5b, $t1.16b @ AES final-2 block - result + movi $t0.8b, #0 @ supress further partial tag feed in + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-3 block - mid + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-3 block - low +.L256_enc_blocks_more_than_2: @ blocks left > 2 + + ldr $h3q, [$current_tag, #80] @ load h3l | h3h + ext $h3.16b, $h3.16b, $h3.16b, #8 + + st1 { $res1b}, [$output_ptr], #16 @ AES final-2 block - store result + + rev64 $res0b, $res1b @ GHASH final-2 block + ldr $ctr_t1q, [$input_ptr], #16 @ AES final-1 block - load plaintext + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ins $rk4v.d[0], $res0.d[1] @ GHASH final-2 block - mid + + movi $t0.8b, #0 @ supress further partial tag feed in + + pmull2 $rk2q1, $res0.2d, $h3.2d @ GHASH final-2 block - high + eor3 $res1b, $ctr_t1b, $ctr6b, $t1.16b @ AES final-1 block - result + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-2 block - mid + + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-2 block - high + + pmull $rk4v.1q, $rk4v.1d, $h34k.1d @ GHASH final-2 block - mid + pmull $rk3q1, $res0.1d, $h3.1d @ GHASH final-2 block - low + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-2 block - mid + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-2 block - low +.L256_enc_blocks_more_than_1: @ blocks left > 1 + + st1 { $res1b}, [$output_ptr], #16 @ AES final-1 block - store result + + ldr $h2q, [$current_tag, #64] @ load h2l | h2h + ext $h2.16b, $h2.16b, $h2.16b, #8 + rev64 
$res0b, $res1b @ GHASH final-1 block + ldr $ctr_t1q, [$input_ptr], #16 @ AES final block - load plaintext + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + movi $t0.8b, #0 @ supress further partial tag feed in + + ins $rk4v.d[0], $res0.d[1] @ GHASH final-1 block - mid + pmull2 $rk2q1, $res0.2d, $h2.2d @ GHASH final-1 block - high + + eor3 $res1b, $ctr_t1b, $ctr7b, $t1.16b @ AES final block - result + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-1 block - high + + pmull $rk3q1, $res0.1d, $h2.1d @ GHASH final-1 block - low + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-1 block - mid + + ldr $h12kq, [$current_tag, #48] @ load h2k | h1k + + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-1 block - low + ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-1 block - mid + + pmull2 $rk4v.1q, $rk4v.2d, $h12k.2d @ GHASH final-1 block - mid + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-1 block - mid +.L256_enc_blocks_less_than_1: @ blocks left <= 1 + + and $bit_length, $bit_length, #127 @ bit_length %= 128 + + sub $bit_length, $bit_length, #128 @ bit_length -= 128 + + neg $bit_length, $bit_length @ bit_length = 128 - #bits in input (in range [1,128]) + + mvn $temp0_x, xzr @ temp0_x = 0xffffffffffffffff + and $bit_length, $bit_length, #127 @ bit_length %= 128 + + lsr $temp0_x, $temp0_x, $bit_length @ temp0_x is mask for top 64b of last block + cmp $bit_length, #64 + mvn $temp1_x, xzr @ temp1_x = 0xffffffffffffffff + + csel $temp3_x, $temp0_x, xzr, lt + csel $temp2_x, $temp1_x, $temp0_x, lt + + mov $ctr0.d[0], $temp2_x @ ctr0b is mask for last block + ldr $h1q, [$current_tag, #32] @ load h1l | h1h + ext $h1.16b, $h1.16b, $h1.16b, #8 + + ld1 { $rk0}, [$output_ptr] @ load existing bytes where the possibly partial last block is to be stored + mov $ctr0.d[1], $temp3_x + + and $res1b, $res1b, $ctr0b @ possibly partial last block has zeroes in highest bits + + rev64 $res0b, $res1b @ GHASH final block + + rev32 $rtmp_ctr.16b, $rtmp_ctr.16b + bif $res1b, $rk0, $ctr0b @ insert existing bytes in 
top end of result before storing + str $rtmp_ctrq, [$counter] @ store the updated counter + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + st1 { $res1b}, [$output_ptr] @ store all 16B + + ins $t0.d[0], $res0.d[1] @ GHASH final block - mid + pmull2 $rk2q1, $res0.2d, $h1.2d @ GHASH final block - high + pmull $rk3q1, $res0.1d, $h1.1d @ GHASH final block - low + + eor $acc_hb, $acc_hb, $rk2 @ GHASH final block - high + eor $acc_lb, $acc_lb, $rk3 @ GHASH final block - low + + eor $t0.8b, $t0.8b, $res0.8b @ GHASH final block - mid + + pmull $t0.1q, $t0.1d, $h12k.1d @ GHASH final block - mid + + eor $acc_mb, $acc_mb, $t0.16b @ GHASH final block - mid + ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant + + ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment + + eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up + pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid + + eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid + + pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low + ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment + + eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low + ext $acc_lb, $acc_lb, $acc_lb, #8 + rev64 $acc_lb, $acc_lb + st1 { $acc_l.16b }, [$current_tag] + mov x0, $byte_length @ return sizes + + ldp d10, d11, [sp, #16] + ldp d12, d13, [sp, #32] + ldp d14, d15, [sp, #48] + ldp d8, d9, [sp], #80 + ret + +.L256_enc_ret: + mov w0, #0x0 + ret +.size unroll8_eor3_aes_gcm_enc_256_kernel,.-unroll8_eor3_aes_gcm_enc_256_kernel +___ + +{ +######################################################################################### +# size_t unroll8_eor3_aes_gcm_dec_256_kernel(const unsigned char *in, +# size_t len, +# unsigned char *out, +# const void *key, +# unsigned char ivec[16], +# u64 *Xi); +# +$code.=<<___; +.global unroll8_eor3_aes_gcm_dec_256_kernel +.type unroll8_eor3_aes_gcm_dec_256_kernel,%function 
+.align 4
+unroll8_eor3_aes_gcm_dec_256_kernel:
+ AARCH64_VALID_CALL_TARGET
+ cbz x1, .L256_dec_ret
+ stp d8, d9, [sp, #-80]!
+ lsr $byte_length, $bit_length, #3
+ mov $counter, x4
+ mov $cc, x5
+ stp d10, d11, [sp, #16]
+ stp d12, d13, [sp, #32]
+ stp d14, d15, [sp, #48]
+ mov x5, #0xc200000000000000
+ stp x5, xzr, [sp, #64]
+ add $modulo_constant, sp, #64
+
+ ld1 { $ctr0b}, [$counter] @ CTR block 0
+
+ mov $constant_temp, #0x100000000 @ set up counter increment
+ movi $rctr_inc.16b, #0x0
+ mov $rctr_inc.d[1], $constant_temp
+ mov $main_end_input_ptr, $byte_length
+
+ sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1
+
+ rev32 $rtmp_ctr.16b, $ctr0.16b @ set up reversed counter
+
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 0
+
+ rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 1
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 1
+
+ rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 2
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 2
+ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1
+
+ rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 3
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 3
+
+ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 4
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 4
+
+ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0
+
+ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 5
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 5
+
+ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0
+ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0
+
+ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 6
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 6
+
+ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 7
+ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 0
+
+ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 0
+ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 0
+
+ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0
+ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 0
+ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3
+
+ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 1
+ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 1
+ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 1
+
+ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 1
+ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 1
+ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1
+
+ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1
+ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1
+
+ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2
+ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2
+ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 2
+
+ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2
+ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 2
+ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 2
+
+ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2
+ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 2
+ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5
+
+ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 3
+ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3
+
+ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 3
+ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 3
+
+ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 3
+ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 3
+ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 3
+
+ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 3
+
+ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 4
+ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 4
+
+ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 4
+ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 4
+ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 4
+
+ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 4
+ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 4
+ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 4
+
+ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 5
+ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 5
+
+ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7
+ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 5
+ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 5
+
+ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 5
+
+ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 5
+ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 5
+
+ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 5
+
+ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 6
+ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 6
+ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 6
+
+ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 6
+ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 6
+ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 6
+
+ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 6
+ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 6
+ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9
+
+ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 7
+ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 7
+
+ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 7
+ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 7
+ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 7
+
+ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 7
+ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 7
+ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 7
+
+ and $main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffff80 @ number of bytes to be processed in main loop (at least 1 byte must be handled by tail)
+ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 8
+ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 8
+
+ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 8
+ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 8
+ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 8
+
+ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 8
+ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 8
+ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 8
+
+ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 9
+
+ ld1 { $acc_lb}, [$current_tag]
+ ext $acc_lb, $acc_lb, $acc_lb, #8
+ rev64 $acc_lb, $acc_lb
+ ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11
+ add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr
+ add $main_end_input_ptr, $main_end_input_ptr, $input_ptr
+
+ aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 9
+ aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 9
+
+ aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 9
+ aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 9
+
+ aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 9
+
+ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 9
+ aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 9
+
+ aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 10
+ aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 10
+ aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 10
+
+ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 10
+ aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 10
+ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 10
+
+ aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 10
+ aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 10
+ ldp $rk12q, $rk13q, [$cc, #192] @ load rk12, rk13
+
+ aese $ctr0b, $rk11 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 11
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 7
+
+ aese $ctr7b, $rk11 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 11
+ aese $ctr3b, $rk11 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 11
+ aese $ctr1b, $rk11 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 11
+
+ aese $ctr5b, $rk11 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 11
+ aese $ctr4b, $rk11 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 11
+ aese $ctr2b, $rk11 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 11
+
+ aese $ctr6b, $rk11 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 11
+ ldr $rk14q, [$cc, #224] @ load rk14
+
+ aese $ctr1b, $rk12 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 12
+ aese $ctr4b, $rk12 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 12
+ aese $ctr5b, $rk12 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 12
+
+ cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks
+ aese $ctr3b, $rk12 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 12
+ aese $ctr2b, $rk12 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 12
+
+ aese $ctr6b, $rk12 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 12
+ aese $ctr0b, $rk12 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 12
+ aese $ctr7b, $rk12 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 12
+
+ aese $ctr5b, $rk13 @ AES block 5 - round 13
+ aese $ctr1b, $rk13 @ AES block 1 - round 13
+ aese $ctr2b, $rk13 @ AES block 2 - round 13
+
+ aese $ctr0b, $rk13 @ AES block 0 - round 13
+ aese $ctr4b, $rk13 @ AES block 4 - round 13
+ aese $ctr6b, $rk13 @ AES block 6 - round 13
+
+ aese $ctr3b, $rk13 @ AES block 3 - round 13
+ aese $ctr7b, $rk13 @ AES block 7 - round 13
+ b.ge .L256_dec_tail @ handle tail
+
+ ldp $res0q, $res1q, [$input_ptr], #32 @ AES block 0, 1 - load ciphertext
+
+ ldp $res2q, $res3q, [$input_ptr], #32 @ AES block 2, 3 - load ciphertext
+
+ ldp $res4q, $res5q, [$input_ptr], #32 @ AES block 4, 5 - load ciphertext
+
+ ldp $res6q, $res7q, [$input_ptr], #32 @ AES block 6, 7 - load ciphertext
+ cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks
+
+ eor3 $ctr1b, $res1b, $ctr1b, $rk14 @ AES block 1 - result
+ eor3 $ctr0b, $res0b, $ctr0b, $rk14 @ AES block 0 - result
+ stp $ctr0q, $ctr1q, [$output_ptr], #32 @ AES block 0, 1 - store result
+
+ rev32 $ctr0.16b, $rtmp_ctr.16b @ CTR block 8
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8
+ eor3 $ctr3b, $res3b, $ctr3b, $rk14 @ AES block 3 - result
+
+ eor3 $ctr5b, $res5b, $ctr5b, $rk14 @ AES block 5 - result
+
+ eor3 $ctr4b, $res4b, $ctr4b, $rk14 @ AES block 4 - result
+ rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 9
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 9
+
+ eor3 $ctr2b, $res2b, $ctr2b, $rk14 @ AES block 2 - result
+ stp $ctr2q, $ctr3q, [$output_ptr], #32 @ AES block 2, 3 - store result
+
+ rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 10
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 10
+
+ eor3 $ctr6b, $res6b, $ctr6b, $rk14 @ AES block 6 - result
+
+ rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 11
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 11
+ stp $ctr4q, $ctr5q, [$output_ptr], #32 @ AES block 4, 5 - store result
+
+ eor3 $ctr7b, $res7b, $ctr7b, $rk14 @ AES block 7 - result
+ stp $ctr6q, $ctr7q, [$output_ptr], #32 @ AES block 6, 7 - store result
+
+ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 12
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 12
+ b.ge .L256_dec_prepretail @ do prepretail
+
+.L256_dec_main_loop: @ main loop start
+ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13
+ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13
+
+ rev64 $res1b, $res1b @ GHASH block 8k+1
+ ldr $h7q, [$current_tag, #176] @ load h7l | h7h
+ ext $h7.16b, $h7.16b, $h7.16b, #8
+ ldr $h8q, [$current_tag, #208] @ load h8l | h8h
+ ext $h8.16b, $h8.16b, $h8.16b, #8
+
+ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14
+ rev64 $res0b, $res0b @ GHASH block 8k
+
+ ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0
+ rev64 $res4b, $res4b @ GHASH block 8k+4
+ rev64 $res3b, $res3b @ GHASH block 8k+3
+
+ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15
+ rev64 $res7b, $res7b @ GHASH block 8k+7
+
+ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0
+ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0
+ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0
+
+ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0
+ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0
+ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0
+
+ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0
+ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0
+ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3
+
+ eor $res0b, $res0b, $acc_lb @ PRE 1
+ ldr $h5q, [$current_tag, #128] @ load h5l | h5h
+ ext $h5.16b, $h5.16b, $h5.16b, #8
+ ldr $h6q, [$current_tag, #160] @ load h6l | h6h
+ ext $h6.16b, $h6.16b, $h6.16b, #8
+ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1
+
+ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1
+ rev64 $res2b, $res2b @ GHASH block 8k+2
+ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1
+
+ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1
+ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1
+ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1
+
+ trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid
+ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1
+ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1
+
+ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2
+ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2
+ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2
+
+ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2
+ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2
+ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low
+
+ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2
+ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2
+ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2
+
+ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5
+ pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high
+ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3
+
+ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3
+ pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high
+ pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low
+
+ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3
+ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3
+ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high
+
+ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3
+ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3
+ trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid
+
+ pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high
+ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3
+ eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high
+
+ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4
+ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3
+ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4
+
+ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4
+ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4
+ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4
+
+ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4
+ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4
+ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4
+
+ ldr $h56kq, [$current_tag, #144] @ load h6k | h5k
+ ldr $h78kq, [$current_tag, #192] @ load h8k | h7k
+ eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid
+ pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low
+
+ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7
+ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5
+ eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low
+
+ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5
+ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5
+ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5
+
+ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5
+ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5
+ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5
+
+ eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high
+ trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid
+ rev64 $res5b, $res5b @ GHASH block 8k+5
+
+ pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid
+ pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid
+ trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid
+
+ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6
+ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6
+ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5
+
+ trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid
+ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6
+ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6
+
+ eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid
+ pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low
+ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6
+
+ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6
+ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6
+ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6
+
+ pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid
+ pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid
+ eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low
+
+ ldr $h3q, [$current_tag, #80] @ load h3l | h3h
+ ext $h3.16b, $h3.16b, $h3.16b, #8
+ ldr $h4q, [$current_tag, #112] @ load h4l | h4h
+ ext $h4.16b, $h4.16b, $h4.16b, #8
+ rev64 $res6b, $res6b @ GHASH block 8k+6
+ eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid
+
+ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7
+ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7
+ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9
+
+ ldr $h1q, [$current_tag, #32] @ load h1l | h1h
+ ext $h1.16b, $h1.16b, $h1.16b, #8
+ ldr $h2q, [$current_tag, #64] @ load h2l | h2h
+ ext $h2.16b, $h2.16b, $h2.16b, #8
+ eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid
+ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7
+
+ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7
+ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7
+ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7
+
+ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k
+ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k
+ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7
+ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7
+
+ pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high
+ pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low
+ trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid
+
+ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8
+ pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high
+ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8
+
+ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8
+ pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low
+ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8
+
+ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8
+ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8
+ pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high
+
+ trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid
+ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8
+ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8
+
+ ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11
+ pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low
+ trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid
+
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15
+ eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high
+ aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 9
+
+ aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 9
+ eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid
+ aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 9
+
+ ldp $res0q, $res1q, [$input_ptr], #32 @ AES block 8k+8, 8k+9 - load ciphertext
+ eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid
+ aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 9
+
+ pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid
+ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 9
+ aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 9
+
+ pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid
+ pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid
+ pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high
+
+ pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low
+ aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 10
+ aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 10
+
+ pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid
+ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 9
+ eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low
+
+ aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 9
+ eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid
+ eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high
+
+ aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 10
+ aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 10
+ aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 10
+
+ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 10
+ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 10
+ aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 10
+
+ eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low
+ rev32 $h1.16b, $rtmp_ctr.16b @ CTR block 8k+16
+ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant
+
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+16
+ aese $ctr1b, $rk11 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 11
+ ldp $rk12q, $rk13q, [$cc, #192] @ load rk12, rk13
+
+ aese $ctr0b, $rk11 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 11
+ aese $ctr6b, $rk11 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 11
+
+ eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid
+ rev32 $h2.16b, $rtmp_ctr.16b @ CTR block 8k+17
+ aese $ctr2b, $rk11 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 11
+
+ ldp $res2q, $res3q, [$input_ptr], #32 @ AES block 8k+10, 8k+11 - load ciphertext
+ aese $ctr7b, $rk11 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 11
+ ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment
+
+ aese $ctr5b, $rk11 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 11
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+17
+ aese $ctr3b, $rk11 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 11
+
+ aese $ctr2b, $rk12 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 12
+ aese $ctr7b, $rk12 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 12
+ aese $ctr6b, $rk12 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 12
+
+ rev32 $h3.16b, $rtmp_ctr.16b @ CTR block 8k+18
+ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+18
+ pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid
+
+ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up
+ aese $ctr1b, $rk12 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 12
+ aese $ctr4b, $rk11 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 11
+
+ ldr $rk14q, [$cc, #224] @ load rk14
+ aese $ctr5b, $rk12 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 12
+ aese $ctr3b, $rk12 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 12
+
+ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid
+ aese $ctr0b, $rk12 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 12
+ aese $ctr4b, $rk12 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 12
+
+ ldp $res4q, $res5q, [$input_ptr], #32 @ AES block 8k+12, 8k+13 - load ciphertext
+ aese $ctr1b, $rk13 @ AES block 8k+9 - round 13
+ aese $ctr2b, $rk13 @ AES block 8k+10 - round 13
+
+ ldp $res6q, $res7q, [$input_ptr], #32 @ AES block 8k+14, 8k+15 - load ciphertext
+ aese $ctr0b, $rk13 @ AES block 8k+8 - round 13
+ aese $ctr5b, $rk13 @ AES block 8k+13 - round 13
+
+ rev32 $h4.16b, $rtmp_ctr.16b @ CTR block 8k+19
+ eor3 $ctr2b, $res2b, $ctr2b, $rk14 @ AES block 8k+10 - result
+ eor3 $ctr1b, $res1b, $ctr1b, $rk14 @ AES block 8k+9 - result
+
+ ext $t11.16b, $acc_mb,
$acc_mb, #8 @ MODULO - other mid alignment + aese $ctr7b, $rk13 @ AES block 8k+15 - round 13 + + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+19 + pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low + aese $ctr4b, $rk13 @ AES block 8k+12 - round 13 + + eor3 $ctr5b, $res5b, $ctr5b, $rk14 @ AES block 8k+13 - result + eor3 $ctr0b, $res0b, $ctr0b, $rk14 @ AES block 8k+8 - result + aese $ctr3b, $rk13 @ AES block 8k+11 - round 13 + + stp $ctr0q, $ctr1q, [$output_ptr], #32 @ AES block 8k+8, 8k+9 - store result + mov $ctr0.16b, $h1.16b @ CTR block 8k+16 + eor3 $ctr4b, $res4b, $ctr4b, $rk14 @ AES block 8k+12 - result + + eor3 $acc_lb, $acc_lb, $t11.16b, $acc_hb @ MODULO - fold into low + eor3 $ctr3b, $res3b, $ctr3b, $rk14 @ AES block 8k+11 - result + stp $ctr2q, $ctr3q, [$output_ptr], #32 @ AES block 8k+10, 8k+11 - store result + + mov $ctr3.16b, $h4.16b @ CTR block 8k+19 + mov $ctr2.16b, $h3.16b @ CTR block 8k+18 + aese $ctr6b, $rk13 @ AES block 8k+14 - round 13 + + mov $ctr1.16b, $h2.16b @ CTR block 8k+17 + stp $ctr4q, $ctr5q, [$output_ptr], #32 @ AES block 8k+12, 8k+13 - store result + eor3 $ctr7b, $res7b, $ctr7b, $rk14 @ AES block 8k+15 - result + + eor3 $ctr6b, $res6b, $ctr6b, $rk14 @ AES block 8k+14 - result + rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 8k+20 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+20 + + cmp $input_ptr, $main_end_input_ptr @ LOOP CONTROL + stp $ctr6q, $ctr7q, [$output_ptr], #32 @ AES block 8k+14, 8k+15 - store result + b.lt .L256_dec_main_loop + +.L256_dec_prepretail: @ PREPRETAIL + ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 + rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13 + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13 + + rev64 $res4b, $res4b @ GHASH block 8k+4 + ldr $h56kq, [$current_tag, #144] @ load h6k | h5k + ldr $h78kq, [$current_tag, #192] @ load h8k | h7k + + rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14 + rev64 $res0b, $res0b @ GHASH block 8k + add 
$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14 + + ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0 + ldr $h7q, [$current_tag, #176] @ load h7l | h7h + ext $h7.16b, $h7.16b, $h7.16b, #8 + ldr $h8q, [$current_tag, #208] @ load h8l | h8h + ext $h8.16b, $h8.16b, $h8.16b, #8 + rev64 $res1b, $res1b @ GHASH block 8k+1 + + rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15 + rev64 $res2b, $res2b @ GHASH block 8k+2 + ldr $h5q, [$current_tag, #128] @ load h5l | h5h + ext $h5.16b, $h5.16b, $h5.16b, #8 + ldr $h6q, [$current_tag, #160] @ load h6l | h6h + ext $h6.16b, $h6.16b, $h6.16b, #8 + + aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0 + aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0 + aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0 + + aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0 + aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0 + aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0 + + aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1 + aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0 + aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0 + + ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 + aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1 + eor $res0b, $res0b, $acc_lb @ PRE 1 + + aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1 + aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1 + aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1 + + aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1 + aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1 + aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1 + + pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high + trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid + pmull $acc_l.1q, $res0.1d, $h8.1d @ 
GHASH block 8k - low + + rev64 $res3b, $res3b @ GHASH block 8k+3 + pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low + + aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2 + aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2 + aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2 + + aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2 + aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2 + pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high + + aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2 + aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3 + + aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3 + rev64 $res6b, $res6b @ GHASH block 8k+6 + + aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3 + aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2 + aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3 + + pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high + trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid + aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2 + + ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 + aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3 + pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high + + aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3 + eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high + eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid + + aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3 + pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low + aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3 + + eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high + trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid + trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 
8k+2, 8k+3 - mid + + pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid + pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low + eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low + + pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid + aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4 + aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4 + + eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low + ldr $h1q, [$current_tag, #32] @ load h1l | h1h + ext $h1.16b, $h1.16b, $h1.16b, #8 + ldr $h2q, [$current_tag, #64] @ load h2l | h2h + ext $h2.16b, $h2.16b, $h2.16b, #8 + aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4 + + aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4 + aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4 + eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid + + eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid + aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5 + aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4 + + aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5 + aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4 + aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4 + + aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5 + pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid + aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5 + + aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5 + aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5 + pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid + + aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5 + aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5 + ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 + + ldr $h3q, [$current_tag, #80] @ 
load h3l | h3h + ext $h3.16b, $h3.16b, $h3.16b, #8 + ldr $h4q, [$current_tag, #112] @ load h4l | h4h + ext $h4.16b, $h4.16b, $h4.16b, #8 + rev64 $res7b, $res7b @ GHASH block 8k+7 + rev64 $res5b, $res5b @ GHASH block 8k+5 + + eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid + + trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid + + aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6 + ldr $h12kq, [$current_tag, #48] @ load h2k | h1k + ldr $h34kq, [$current_tag, #96] @ load h4k | h3k + aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6 + + aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6 + aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6 + + pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high + pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high + pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low + + trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid + pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low + trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid + + aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7 + pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high + aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6 + + aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6 + aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6 + aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6 + + ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 + pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low + aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7 + + aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7 + aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7 + + aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7 + aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ 
AES block 8k+10 - round 7 + eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high + + aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7 + trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid + aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7 + + aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 + aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 + aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 + + aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 + aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 + aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 + + aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 + aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 9 + eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid + + aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 9 + aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 9 + eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid + + aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 9 + aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 9 + pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid + + aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 + pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid + pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high + + pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid + pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid + pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low + + ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11 + eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low + eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid + + aese $ctr2b, $rk9 \n aesmc $ctr2b, 
$ctr2b @ AES block 8k+10 - round 9 + aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 9 + aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 9 + + eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high + eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low + ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant + + eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid + + aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 10 + aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 10 + aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 10 + + aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 10 + aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 10 + aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 10 + + eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up + + aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 10 + aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 10 + ldp $rk12q, $rk13q, [$cc, #192] @ load rk12, rk13 + + ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment + + aese $ctr2b, $rk11 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 11 + aese $ctr1b, $rk11 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 11 + aese $ctr0b, $rk11 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 11 + + pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid + aese $ctr3b, $rk11 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 11 + + aese $ctr7b, $rk11 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 11 + aese $ctr6b, $rk11 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 11 + aese $ctr4b, $rk11 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 11 + + aese $ctr5b, $rk11 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 11 + aese $ctr3b, $rk12 \n aesmc $ctr3b, $ctr3b @ AES 
block 8k+11 - round 12 + + eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid + + aese $ctr3b, $rk13 @ AES block 8k+11 - round 13 + aese $ctr2b, $rk12 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 12 + aese $ctr6b, $rk12 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 12 + + pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low + aese $ctr4b, $rk12 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 12 + aese $ctr7b, $rk12 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 12 + + aese $ctr0b, $rk12 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 12 + ldr $rk14q, [$cc, #224] @ load rk14 + aese $ctr1b, $rk12 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 12 + + aese $ctr4b, $rk13 @ AES block 8k+12 - round 13 + ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment + aese $ctr5b, $rk12 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 12 + + aese $ctr6b, $rk13 @ AES block 8k+14 - round 13 + aese $ctr2b, $rk13 @ AES block 8k+10 - round 13 + aese $ctr1b, $rk13 @ AES block 8k+9 - round 13 + + aese $ctr5b, $rk13 @ AES block 8k+13 - round 13 + eor3 $acc_lb, $acc_lb, $t11.16b, $acc_hb @ MODULO - fold into low + add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15 + + aese $ctr7b, $rk13 @ AES block 8k+15 - round 13 + aese $ctr0b, $rk13 @ AES block 8k+8 - round 13 +.L256_dec_tail: @ TAIL + + ext $t0.16b, $acc_lb, $acc_lb, #8 @ prepare final partial tag + sub $main_end_input_ptr, $end_input_ptr, $input_ptr @ main_end_input_ptr is number of bytes left to process + cmp $main_end_input_ptr, #112 + + ldr $res1q, [$input_ptr], #16 @ AES block 8k+8 - load ciphertext + + ldp $h78kq, $h8q, [$current_tag, #192] @ load h8k | h7k + ext $h8.16b, $h8.16b, $h8.16b, #8 + mov $t1.16b, $rk14 + + ldp $h5q, $h56kq, [$current_tag, #128] @ load h5l | h5h + ext $h5.16b, $h5.16b, $h5.16b, #8 + + eor3 $res4b, $res1b, $ctr0b, $t1.16b @ AES block 8k+8 - result + ldp $h6q, $h7q, [$current_tag, #160] @ load h6l | h6h + ext $h6.16b, 
$h6.16b, $h6.16b, #8 + ext $h7.16b, $h7.16b, $h7.16b, #8 + b.gt .L256_dec_blocks_more_than_7 + + mov $ctr7b, $ctr6b + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + mov $ctr6b, $ctr5b + + mov $ctr5b, $ctr4b + mov $ctr4b, $ctr3b + movi $acc_l.8b, #0 + + movi $acc_h.8b, #0 + movi $acc_m.8b, #0 + mov $ctr3b, $ctr2b + + cmp $main_end_input_ptr, #96 + mov $ctr2b, $ctr1b + b.gt .L256_dec_blocks_more_than_6 + + mov $ctr7b, $ctr6b + mov $ctr6b, $ctr5b + + mov $ctr5b, $ctr4b + cmp $main_end_input_ptr, #80 + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + + mov $ctr4b, $ctr3b + mov $ctr3b, $ctr1b + b.gt .L256_dec_blocks_more_than_5 + + cmp $main_end_input_ptr, #64 + mov $ctr7b, $ctr6b + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + + mov $ctr6b, $ctr5b + + mov $ctr5b, $ctr4b + mov $ctr4b, $ctr1b + b.gt .L256_dec_blocks_more_than_4 + + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + mov $ctr7b, $ctr6b + cmp $main_end_input_ptr, #48 + + mov $ctr6b, $ctr5b + mov $ctr5b, $ctr1b + b.gt .L256_dec_blocks_more_than_3 + + ldr $h34kq, [$current_tag, #96] @ load h4k | h3k + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + mov $ctr7b, $ctr6b + + cmp $main_end_input_ptr, #32 + mov $ctr6b, $ctr1b + b.gt .L256_dec_blocks_more_than_2 + + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + + mov $ctr7b, $ctr1b + cmp $main_end_input_ptr, #16 + b.gt .L256_dec_blocks_more_than_1 + + sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s + ldr $h12kq, [$current_tag, #48] @ load h2k | h1k + b .L256_dec_blocks_less_than_1 +.L256_dec_blocks_more_than_7: @ blocks left > 7 + rev64 $res0b, $res1b @ GHASH final-7 block + ldr $res1q, [$input_ptr], #16 @ AES final-6 block - load ciphertext + st1 { $res4b}, [$output_ptr], #16 @ AES final-7 block - store result + + ins $acc_m.d[0], $h78k.d[1] @ GHASH final-7 block - mid + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ins $rk4v.d[0], $res0.d[1] @ GHASH final-7 block - mid + eor3 $res4b, $res1b, $ctr1b, $t1.16b @ AES final-6 block - result + + pmull2 $acc_h.1q, 
$res0.2d, $h8.2d @ GHASH final-7 block - high + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-7 block - mid + movi $t0.8b, #0 @ supress further partial tag feed in + + pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH final-7 block - low + pmull $acc_m.1q, $rk4v.1d, $acc_m.1d @ GHASH final-7 block - mid +.L256_dec_blocks_more_than_6: @ blocks left > 6 + + rev64 $res0b, $res1b @ GHASH final-6 block + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + ldr $res1q, [$input_ptr], #16 @ AES final-5 block - load ciphertext + movi $t0.8b, #0 @ supress further partial tag feed in + + ins $rk4v.d[0], $res0.d[1] @ GHASH final-6 block - mid + st1 { $res4b}, [$output_ptr], #16 @ AES final-6 block - store result + pmull2 $rk2q1, $res0.2d, $h7.2d @ GHASH final-6 block - high + + pmull $rk3q1, $res0.1d, $h7.1d @ GHASH final-6 block - low + + eor3 $res4b, $res1b, $ctr2b, $t1.16b @ AES final-5 block - result + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-6 block - low + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-6 block - mid + + pmull $rk4v.1q, $rk4v.1d, $h78k.1d @ GHASH final-6 block - mid + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-6 block - mid + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-6 block - high +.L256_dec_blocks_more_than_5: @ blocks left > 5 + + rev64 $res0b, $res1b @ GHASH final-5 block + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + pmull2 $rk2q1, $res0.2d, $h6.2d @ GHASH final-5 block - high + ins $rk4v.d[0], $res0.d[1] @ GHASH final-5 block - mid + + ldr $res1q, [$input_ptr], #16 @ AES final-4 block - load ciphertext + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-5 block - mid + st1 { $res4b}, [$output_ptr], #16 @ AES final-5 block - store result + + pmull $rk3q1, $res0.1d, $h6.1d @ GHASH final-5 block - low + ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-5 block - mid + + pmull2 $rk4v.1q, $rk4v.2d, $h56k.2d @ GHASH final-5 block - mid + + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-5 block - high + eor3 $res4b, $res1b, $ctr3b, $t1.16b @ AES final-4 block - 
result + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-5 block - low + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-5 block - mid + movi $t0.8b, #0 @ supress further partial tag feed in +.L256_dec_blocks_more_than_4: @ blocks left > 4 + + rev64 $res0b, $res1b @ GHASH final-4 block + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ins $rk4v.d[0], $res0.d[1] @ GHASH final-4 block - mid + ldr $res1q, [$input_ptr], #16 @ AES final-3 block - load ciphertext + + movi $t0.8b, #0 @ supress further partial tag feed in + + pmull $rk3q1, $res0.1d, $h5.1d @ GHASH final-4 block - low + pmull2 $rk2q1, $res0.2d, $h5.2d @ GHASH final-4 block - high + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-4 block - mid + + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-4 block - high + + pmull $rk4v.1q, $rk4v.1d, $h56k.1d @ GHASH final-4 block - mid + + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-4 block - low + st1 { $res4b}, [$output_ptr], #16 @ AES final-4 block - store result + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-4 block - mid + eor3 $res4b, $res1b, $ctr4b, $t1.16b @ AES final-3 block - result +.L256_dec_blocks_more_than_3: @ blocks left > 3 + + ldr $h4q, [$current_tag, #112] @ load h4l | h4h + ext $h4.16b, $h4.16b, $h4.16b, #8 + rev64 $res0b, $res1b @ GHASH final-3 block + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + ldr $res1q, [$input_ptr], #16 @ AES final-2 block - load ciphertext + ldr $h34kq, [$current_tag, #96] @ load h4k | h3k + + ins $rk4v.d[0], $res0.d[1] @ GHASH final-3 block - mid + st1 { $res4b}, [$output_ptr], #16 @ AES final-3 block - store result + + eor3 $res4b, $res1b, $ctr5b, $t1.16b @ AES final-2 block - result + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-3 block - mid + + ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-3 block - mid + pmull $rk3q1, $res0.1d, $h4.1d @ GHASH final-3 block - low + pmull2 $rk2q1, $res0.2d, $h4.2d @ GHASH final-3 block - high + + movi $t0.8b, #0 @ supress further partial tag feed in + pmull2 $rk4v.1q, $rk4v.2d, 
$h34k.2d @ GHASH final-3 block - mid + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-3 block - low + + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-3 block - high + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-3 block - mid +.L256_dec_blocks_more_than_2: @ blocks left > 2 + + rev64 $res0b, $res1b @ GHASH final-2 block + + ldr $h3q, [$current_tag, #80] @ load h3l | h3h + ext $h3.16b, $h3.16b, $h3.16b, #8 + ldr $res1q, [$input_ptr], #16 @ AES final-1 block - load ciphertext + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ins $rk4v.d[0], $res0.d[1] @ GHASH final-2 block - mid + + pmull $rk3q1, $res0.1d, $h3.1d @ GHASH final-2 block - low + st1 { $res4b}, [$output_ptr], #16 @ AES final-2 block - store result + eor3 $res4b, $res1b, $ctr6b, $t1.16b @ AES final-1 block - result + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-2 block - mid + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-2 block - low + movi $t0.8b, #0 @ supress further partial tag feed in + + pmull $rk4v.1q, $rk4v.1d, $h34k.1d @ GHASH final-2 block - mid + pmull2 $rk2q1, $res0.2d, $h3.2d @ GHASH final-2 block - high + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-2 block - mid + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-2 block - high +.L256_dec_blocks_more_than_1: @ blocks left > 1 + + rev64 $res0b, $res1b @ GHASH final-1 block + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ins $rk4v.d[0], $res0.d[1] @ GHASH final-1 block - mid + ldr $h2q, [$current_tag, #64] @ load h2l | h2h + ext $h2.16b, $h2.16b, $h2.16b, #8 + + eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-1 block - mid + ldr $res1q, [$input_ptr], #16 @ AES final block - load ciphertext + st1 { $res4b}, [$output_ptr], #16 @ AES final-1 block - store result + + ldr $h12kq, [$current_tag, #48] @ load h2k | h1k + pmull $rk3q1, $res0.1d, $h2.1d @ GHASH final-1 block - low + + ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-1 block - mid + + eor $acc_lb, $acc_lb, $rk3 @ GHASH final-1 block - low + + eor3 $res4b, $res1b, $ctr7b, $t1.16b @ AES final 
block - result + pmull2 $rk2q1, $res0.2d, $h2.2d @ GHASH final-1 block - high + + pmull2 $rk4v.1q, $rk4v.2d, $h12k.2d @ GHASH final-1 block - mid + + movi $t0.8b, #0 @ supress further partial tag feed in + eor $acc_hb, $acc_hb, $rk2 @ GHASH final-1 block - high + + eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-1 block - mid +.L256_dec_blocks_less_than_1: @ blocks left <= 1 + + ld1 { $rk0}, [$output_ptr] @ load existing bytes where the possibly partial last block is to be stored + mvn $temp0_x, xzr @ temp0_x = 0xffffffffffffffff + and $bit_length, $bit_length, #127 @ bit_length %= 128 + + sub $bit_length, $bit_length, #128 @ bit_length -= 128 + rev32 $rtmp_ctr.16b, $rtmp_ctr.16b + str $rtmp_ctrq, [$counter] @ store the updated counter + + neg $bit_length, $bit_length @ bit_length = 128 - #bits in input (in range [1,128]) + + and $bit_length, $bit_length, #127 @ bit_length %= 128 + + lsr $temp0_x, $temp0_x, $bit_length @ temp0_x is mask for top 64b of last block + cmp $bit_length, #64 + mvn $temp1_x, xzr @ temp1_x = 0xffffffffffffffff + + csel $temp3_x, $temp0_x, xzr, lt + csel $temp2_x, $temp1_x, $temp0_x, lt + + mov $ctr0.d[0], $temp2_x @ ctr0b is mask for last block + mov $ctr0.d[1], $temp3_x + + and $res1b, $res1b, $ctr0b @ possibly partial last block has zeroes in highest bits + ldr $h1q, [$current_tag, #32] @ load h1l | h1h + ext $h1.16b, $h1.16b, $h1.16b, #8 + bif $res4b, $rk0, $ctr0b @ insert existing bytes in top end of result before storing + + rev64 $res0b, $res1b @ GHASH final block + + eor $res0b, $res0b, $t0.16b @ feed in partial tag + + ins $t0.d[0], $res0.d[1] @ GHASH final block - mid + pmull2 $rk2q1, $res0.2d, $h1.2d @ GHASH final block - high + + eor $t0.8b, $t0.8b, $res0.8b @ GHASH final block - mid + + pmull $rk3q1, $res0.1d, $h1.1d @ GHASH final block - low + eor $acc_hb, $acc_hb, $rk2 @ GHASH final block - high + + pmull $t0.1q, $t0.1d, $h12k.1d @ GHASH final block - mid + + eor $acc_mb, $acc_mb, $t0.16b @ GHASH final block - mid + ldr 
$mod_constantd, [$modulo_constant] @ MODULO - load modulo constant + eor $acc_lb, $acc_lb, $rk3 @ GHASH final block - low + + pmull $t11.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid + eor $t10.16b, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up + + ext $acc_hb, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment + st1 { $res4b}, [$output_ptr] @ store all 16B + + eor $acc_mb, $acc_mb, $t10.16b @ MODULO - karatsuba tidy up + + eor $t11.16b, $acc_hb, $t11.16b @ MODULO - fold into mid + eor $acc_mb, $acc_mb, $t11.16b @ MODULO - fold into mid + + pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low + + ext $acc_mb, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment + eor $acc_lb, $acc_lb, $acc_hb @ MODULO - fold into low + + eor $acc_lb, $acc_lb, $acc_mb @ MODULO - fold into low + ext $acc_lb, $acc_lb, $acc_lb, #8 + rev64 $acc_lb, $acc_lb + st1 { $acc_l.16b }, [$current_tag] + mov x0, $byte_length + + ldp d10, d11, [sp, #16] + ldp d12, d13, [sp, #32] + ldp d14, d15, [sp, #48] + ldp d8, d9, [sp], #80 + ret + +.L256_dec_ret: + mov w0, #0x0 + ret +.size unroll8_eor3_aes_gcm_dec_256_kernel,.-unroll8_eor3_aes_gcm_dec_256_kernel +___ +} +} + +$code.=<<___; +.asciz "AES GCM module for ARMv8, SPDX BSD-3-Clause by " +.align 2 +#endif +___ + +{ + my %opcode = ( + "rax1" => 0xce608c00, "eor3" => 0xce000000, + "bcax" => 0xce200000, "xar" => 0xce800000 ); + + sub unsha3 { + my ($mnemonic,$arg)=@_; + + $arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)[^,]*(?:,\s*[qv]([0-9]+)[^,]*(?:,\s*[qv#]([0-9\-]+))?)?/ + && + sprintf ".inst\t0x%08x\t//%s %s", + $opcode{$mnemonic}|$1|($2<<5)|($3<<16)|(eval($4)<<10), + $mnemonic,$arg; + } + sub unvmov { + my $arg=shift; + + $arg =~ m/q([0-9]+)#(lo|hi),\s*q([0-9]+)#(lo|hi)/o && + sprintf "ins v%d.d[%d],v%d.d[%d]",$1<8?$1:$1+8,($2 eq "lo")?0:1, + $3<8?$3:$3+8,($4 eq "lo")?0:1; + } + + foreach(split("\n",$code)) { + s/@\s/\/\//o; # old->new style commentary + s/\`([^\`]*)\`/eval($1)/ge; + + m/\bld1r\b/ and 
s/\.16b/.2d/g or
+ s/\b(eor3|rax1|xar|bcax)\s+(v.*)/unsha3($1,$2)/ge;
+ print $_,"\n";
+ }
+}
+
+close STDOUT or die "error closing STDOUT: $!"; # enforce flush
diff --git a/crypto/modes/asm/aes-gcm-armv8_64.pl b/crypto/modes/asm/aes-gcm-armv8_64.pl
index 3b9d5b651..c1065a01e 100755
--- a/crypto/modes/asm/aes-gcm-armv8_64.pl
+++ b/crypto/modes/asm/aes-gcm-armv8_64.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
@@ -256,6 +256,7 @@
 .type aes_gcm_enc_128_kernel,%function
 .align 4
 aes_gcm_enc_128_kernel:
+ AARCH64_VALID_CALL_TARGET
 cbz x1, .L128_enc_ret
 stp x19, x20, [sp, #-112]!
 mov x16, x4
@@ -1089,6 +1090,7 @@
 .type aes_gcm_dec_128_kernel,%function
 .align 4
 aes_gcm_dec_128_kernel:
+ AARCH64_VALID_CALL_TARGET
 cbz x1, .L128_dec_ret
 stp x19, x20, [sp, #-112]!
 mov x16, x4
@@ -1973,6 +1975,7 @@
 .type aes_gcm_enc_192_kernel,%function
 .align 4
 aes_gcm_enc_192_kernel:
+ AARCH64_VALID_CALL_TARGET
 cbz x1, .L192_enc_ret
 stp x19, x20, [sp, #-112]!
 mov x16, x4
@@ -2858,6 +2861,7 @@
 .type aes_gcm_dec_192_kernel,%function
 .align 4
 aes_gcm_dec_192_kernel:
+ AARCH64_VALID_CALL_TARGET
 cbz x1, .L192_dec_ret
 stp x19, x20, [sp, #-112]!
 mov x16, x4
@@ -3797,6 +3801,7 @@
 .type aes_gcm_enc_256_kernel,%function
 .align 4
 aes_gcm_enc_256_kernel:
+ AARCH64_VALID_CALL_TARGET
 cbz x1, .L256_enc_ret
 stp x19, x20, [sp, #-112]!
 mov x16, x4
@@ -4729,6 +4734,7 @@
 .type aes_gcm_dec_256_kernel,%function
 .align 4
 aes_gcm_dec_256_kernel:
+ AARCH64_VALID_CALL_TARGET
 cbz x1, .L256_dec_ret
 stp x19, x20, [sp, #-112]!
 mov x16, x4
diff --git a/crypto/modes/asm/aes-gcm-avx512.pl b/crypto/modes/asm/aes-gcm-avx512.pl
new file mode 100644
index 000000000..122183b4f
--- /dev/null
+++ b/crypto/modes/asm/aes-gcm-avx512.pl
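Review bot: The `AARCH64_VALID_CALL_TARGET` added at each of the six kernel entries (aes_gcm_enc_128_kernel through aes_gcm_dec_256_kernel) only becomes a `bti c` landing pad, and the object only gets the matching GNU property note, if the generated source includes the arm_arch.h header that presumably defines the macro; that include is outside these hunks, so confirm it is present in the file's `$code` preamble. Placing the macro ahead of `cbz x1, .L128_enc_ret` is the right spot, as BTI requires the landing pad to be the first instruction executed at an indirectly-called entry. The `unroll8_eor3_aes_gcm_*_kernel` functions in the preceding hunk would need the same landing pad if, as it appears, they are reached through the same function-pointer dispatch; their entry points are not visible in this chunk, so I cannot confirm whether it was added there. A one-line comment at the first use, `# BTI landing pad: must stay the first instruction of every externally-callable kernel`, would document the placement constraint for the next edit.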
@@ -0,0 +1,4975 @@ +# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright (c) 2021, Intel Corporation. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html +# +# +# This implementation is based on the AES-GCM code (AVX512VAES + VPCLMULQDQ) +# from Intel(R) Multi-Buffer Crypto for IPsec Library v1.1 +# (https://github.com/intel/intel-ipsec-mb). +# Original author is Tomasz Kantecki . +# +# References: +# [1] Vinodh Gopal et. al. Optimized Galois-Counter-Mode Implementation on +# Intel Architecture Processors. August, 2010. +# [2] Erdinc Ozturk et. al. Enabling High-Performance Galois-Counter-Mode on +# Intel Architecture Processors. October, 2012. +# [3] Shay Gueron et. al. Intel Carry-Less Multiplication Instruction and its +# Usage for Computing the GCM Mode. May, 2010. +# +# +# December 2021 +# +# Initial release. +# +# GCM128_CONTEXT structure has storage for 16 hkeys only, but this +# implementation can use up to 48. To avoid extending the context size, +# precompute and store in the context first 16 hkeys only, and compute the rest +# on demand keeping them in the local frame. +# +#====================================================================== +# $output is the last argument if it looks like a file (it has an extension) +# $flavour is the first argument if it doesn't look like a file +$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; +$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? 
shift : undef; + +$win64 = 0; +$win64 = 1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/); + +$avx512vaes = 0; + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; +$dir = $1; +($xlate = "${dir}x86_64-xlate.pl" and -f $xlate) + or ($xlate = "${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) + or die "can't locate x86_64-xlate.pl"; + +if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1` =~ /GNU assembler version ([2-9]\.[0-9]+)/) { + $avx512vaes = ($1 >= 2.30); +} + +if (!$avx512vaes + && $win64 + && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) + && `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)(?:\.([0-9]+))?/) +{ + $avx512vaes = ($1 == 2.13 && $2 >= 3) + ($1 >= 2.14); +} + +if (!$avx512vaes && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) { + $avx512vaes = ($2 >= 7.0); +} + +open OUT, "| \"$^X\" \"$xlate\" $flavour \"$output\"" + or die "can't call $xlate: $!"; +*STDOUT = *OUT; + +#====================================================================== +if ($avx512vaes>0) { #<<< + +$code .= <<___; +.extern OPENSSL_ia32cap_P +.globl ossl_vaes_vpclmulqdq_capable +.type ossl_vaes_vpclmulqdq_capable,\@abi-omnipotent +.align 32 +ossl_vaes_vpclmulqdq_capable: + mov OPENSSL_ia32cap_P+8(%rip), %rcx + # avx512vpclmulqdq + avx512vaes + avx512vl + avx512bw + avx512dq + avx512f + mov \$`1<<42|1<<41|1<<31|1<<30|1<<17|1<<16`,%rdx + xor %eax,%eax + and %rdx,%rcx + cmp %rdx,%rcx + cmove %rcx,%rax + ret +.size ossl_vaes_vpclmulqdq_capable, .-ossl_vaes_vpclmulqdq_capable +___ + +# ; Mapping key length -> AES rounds count +my %aes_rounds = ( + 128 => 9, + 192 => 11, + 256 => 13); + +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +# ;;; Code generation control switches +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +# ; ABI-aware zeroing of volatile registers in EPILOG(). +# ; Disabled due to performance reasons. 
+my $CLEAR_SCRATCH_REGISTERS = 0; + +# ; Zero HKeys storage from the stack if they are stored there +my $CLEAR_HKEYS_STORAGE_ON_EXIT = 1; + +# ; Enable / disable check of function arguments for null pointer +# ; Currently disabled, as this check is handled outside. +my $CHECK_FUNCTION_ARGUMENTS = 0; + +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +# ;;; Global constants +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +# AES block size in bytes +my $AES_BLOCK_SIZE = 16; + +# Storage capacity in elements +my $HKEYS_STORAGE_CAPACITY = 48; +my $LOCAL_STORAGE_CAPACITY = 48; +my $HKEYS_CONTEXT_CAPACITY = 16; + +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +# ;;; Stack frame definition +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +# (1) -> +64(Win)/+48(Lin)-byte space for pushed GPRs +# (2) -> +8-byte space for 16-byte alignment of XMM storage +# (3) -> Frame pointer (%RBP) +# (4) -> +160-byte XMM storage (Windows only, zero on Linux) +# (5) -> +48-byte space for 64-byte alignment of %RSP from p.8 +# (6) -> +768-byte LOCAL storage (optional, can be omitted in some functions) +# (7) -> +768-byte HKEYS storage +# (8) -> Stack pointer (%RSP) aligned on 64-byte boundary + +my $GP_STORAGE = $win64 ? 8 * 8 : 8 * 6; # ; space for saved non-volatile GP registers (pushed on stack) +my $XMM_STORAGE = $win64 ? 
(10 * 16) : 0; # ; space for saved XMM registers +my $HKEYS_STORAGE = ($HKEYS_STORAGE_CAPACITY * $AES_BLOCK_SIZE); # ; space for HKeys^i, i=1..48 +my $LOCAL_STORAGE = ($LOCAL_STORAGE_CAPACITY * $AES_BLOCK_SIZE); # ; space for up to 48 AES blocks + +my $STACK_HKEYS_OFFSET = 0; +my $STACK_LOCAL_OFFSET = ($STACK_HKEYS_OFFSET + $HKEYS_STORAGE); + +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +# ;;; Function arguments abstraction +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +my ($arg1, $arg2, $arg3, $arg4, $arg5, $arg6, $arg7, $arg8, $arg9, $arg10, $arg11); + +# ; This implementation follows the convention: for non-leaf functions (they +# ; must call PROLOG) %rbp is used as a frame pointer, and has fixed offset from +# ; the function entry: $GP_STORAGE + [8 bytes alignment (Windows only)]. This +# ; helps to facilitate SEH handlers writing. +# +# ; Leaf functions here do not use more than 4 input arguments. +if ($win64) { + $arg1 = "%rcx"; + $arg2 = "%rdx"; + $arg3 = "%r8"; + $arg4 = "%r9"; + $arg5 = "`$GP_STORAGE + 8 + 8*5`(%rbp)"; # +8 - alignment bytes + $arg6 = "`$GP_STORAGE + 8 + 8*6`(%rbp)"; + $arg7 = "`$GP_STORAGE + 8 + 8*7`(%rbp)"; + $arg8 = "`$GP_STORAGE + 8 + 8*8`(%rbp)"; + $arg9 = "`$GP_STORAGE + 8 + 8*9`(%rbp)"; + $arg10 = "`$GP_STORAGE + 8 + 8*10`(%rbp)"; + $arg11 = "`$GP_STORAGE + 8 + 8*11`(%rbp)"; +} else { + $arg1 = "%rdi"; + $arg2 = "%rsi"; + $arg3 = "%rdx"; + $arg4 = "%rcx"; + $arg5 = "%r8"; + $arg6 = "%r9"; + $arg7 = "`$GP_STORAGE + 8*1`(%rbp)"; + $arg8 = "`$GP_STORAGE + 8*2`(%rbp)"; + $arg9 = "`$GP_STORAGE + 8*3`(%rbp)"; + $arg10 = "`$GP_STORAGE + 8*4`(%rbp)"; + $arg11 = "`$GP_STORAGE + 8*5`(%rbp)"; +} + +# ; Offsets in gcm128_context structure (see include/crypto/modes.h) +my $CTX_OFFSET_CurCount = (16 * 0); # ; (Yi) Current counter for generation of encryption key +my $CTX_OFFSET_PEncBlock = (16 * 1); # ; (repurposed EKi field) Partial block buffer +my $CTX_OFFSET_EK0 = (16 * 2); # ; (EK0) Encrypted Y0 counter (see gcm spec notation) +my $CTX_OFFSET_AadLen = 
(16 * 3); # ; (len.u[0]) Length of Hash which has been input +my $CTX_OFFSET_InLen = ((16 * 3) + 8); # ; (len.u[1]) Length of input data which will be encrypted or decrypted +my $CTX_OFFSET_AadHash = (16 * 4); # ; (Xi) Current hash +my $CTX_OFFSET_HTable = (16 * 6); # ; (Htable) Precomputed table (allows 16 values) + +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +# ;;; Helper functions +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +# ; Generates "random" local labels +sub random_string() { + my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_'); + my $length = 15; + my $str; + map { $str .= $chars[rand(33)] } 1 .. $length; + return $str; +} + +sub BYTE { + my ($reg) = @_; + if ($reg =~ /%r[abcd]x/i) { + $reg =~ s/%r([abcd])x/%${1}l/i; + } elsif ($reg =~ /%r[sdb][ip]/i) { + $reg =~ s/%r([sdb][ip])/%${1}l/i; + } elsif ($reg =~ /%r[0-9]{1,2}/i) { + $reg =~ s/%(r[0-9]{1,2})/%${1}b/i; + } else { + die "BYTE: unknown register: $reg\n"; + } + return $reg; +} + +sub WORD { + my ($reg) = @_; + if ($reg =~ /%r[abcdsdb][xip]/i) { + $reg =~ s/%r([abcdsdb])([xip])/%${1}${2}/i; + } elsif ($reg =~ /%r[0-9]{1,2}/) { + $reg =~ s/%(r[0-9]{1,2})/%${1}w/i; + } else { + die "WORD: unknown register: $reg\n"; + } + return $reg; +} + +sub DWORD { + my ($reg) = @_; + if ($reg =~ /%r[abcdsdb][xip]/i) { + $reg =~ s/%r([abcdsdb])([xip])/%e${1}${2}/i; + } elsif ($reg =~ /%r[0-9]{1,2}/i) { + $reg =~ s/%(r[0-9]{1,2})/%${1}d/i; + } else { + die "DWORD: unknown register: $reg\n"; + } + return $reg; +} + +sub XWORD { + my ($reg) = @_; + if ($reg =~ /%[xyz]mm/i) { + $reg =~ s/%[xyz]mm/%xmm/i; + } else { + die "XWORD: unknown register: $reg\n"; + } + return $reg; +} + +sub YWORD { + my ($reg) = @_; + if ($reg =~ /%[xyz]mm/i) { + $reg =~ s/%[xyz]mm/%ymm/i; + } else { + die "YWORD: unknown register: $reg\n"; + } + return $reg; +} + +sub ZWORD { + my ($reg) = @_; + if ($reg =~ /%[xyz]mm/i) { + $reg =~ s/%[xyz]mm/%zmm/i; + } else { + die "ZWORD: unknown register: $reg\n"; + } + return $reg; +} + +# ; Helper function to 
construct effective address based on two kinds of +# ; offsets: numerical or located in the register +sub EffectiveAddress { + my ($base, $offset, $displacement) = @_; + $displacement = 0 if (!$displacement); + + if ($offset =~ /^\d+\z/) { # numerical offset + return "`$offset + $displacement`($base)"; + } else { # offset resides in register + return "$displacement($base,$offset,1)"; + } +} + +# ; Provides memory location of corresponding HashKey power +sub HashKeyByIdx { + my ($idx, $base) = @_; + my $base_str = ($base eq "%rsp") ? "frame" : "context"; + + my $offset = &HashKeyOffsetByIdx($idx, $base_str); + return "$offset($base)"; +} + +# ; Provides offset (in bytes) of corresponding HashKey power from the highest key in the storage +sub HashKeyOffsetByIdx { + my ($idx, $base) = @_; + die "HashKeyOffsetByIdx: base should be either 'frame' or 'context'; base = $base" + if (($base ne "frame") && ($base ne "context")); + + my $offset_base; + my $offset_idx; + if ($base eq "frame") { # frame storage + die "HashKeyOffsetByIdx: idx out of bounds (1..48)! idx = $idx\n" if ($idx > $HKEYS_STORAGE_CAPACITY || $idx < 1); + $offset_base = $STACK_HKEYS_OFFSET; + $offset_idx = ($AES_BLOCK_SIZE * ($HKEYS_STORAGE_CAPACITY - $idx)); + } else { # context storage + die "HashKeyOffsetByIdx: idx out of bounds (1..16)! idx = $idx\n" if ($idx > $HKEYS_CONTEXT_CAPACITY || $idx < 1); + $offset_base = $CTX_OFFSET_HTable; + $offset_idx = ($AES_BLOCK_SIZE * ($HKEYS_CONTEXT_CAPACITY - $idx)); + } + return $offset_base + $offset_idx; +} + +# ; Creates local frame and does back up of non-volatile registers. +# ; Holds stack unwinding directives. +sub PROLOG { + my ($need_hkeys_stack_storage, $need_aes_stack_storage, $func_name) = @_; + + my $DYNAMIC_STACK_ALLOC_SIZE = 0; + my $DYNAMIC_STACK_ALLOC_ALIGNMENT_SPACE = $win64 ? 
48 : 52; + + if ($need_hkeys_stack_storage) { + $DYNAMIC_STACK_ALLOC_SIZE += $HKEYS_STORAGE; + } + + if ($need_aes_stack_storage) { + if (!$need_hkeys_stack_storage) { + die "PROLOG: unsupported case - aes storage without hkeys one"; + } + $DYNAMIC_STACK_ALLOC_SIZE += $LOCAL_STORAGE; + } + + $code .= <<___; + push %rbx +.cfi_push %rbx +.L${func_name}_seh_push_rbx: + push %rbp +.cfi_push %rbp +.L${func_name}_seh_push_rbp: + push %r12 +.cfi_push %r12 +.L${func_name}_seh_push_r12: + push %r13 +.cfi_push %r13 +.L${func_name}_seh_push_r13: + push %r14 +.cfi_push %r14 +.L${func_name}_seh_push_r14: + push %r15 +.cfi_push %r15 +.L${func_name}_seh_push_r15: +___ + + if ($win64) { + $code .= <<___; + push %rdi +.L${func_name}_seh_push_rdi: + push %rsi +.L${func_name}_seh_push_rsi: + + sub \$`$XMM_STORAGE+8`,%rsp # +8 alignment +.L${func_name}_seh_allocstack_xmm: +___ + } + $code .= <<___; + # ; %rbp contains stack pointer right after GP regs pushed at stack + [8 + # ; bytes of alignment (Windows only)]. It serves as a frame pointer in SEH + # ; handlers. The requirement for a frame pointer is that its offset from + # ; RSP shall be multiple of 16, and not exceed 240 bytes. The frame pointer + # ; itself seems to be reasonable to use here, because later we do 64-byte stack + # ; alignment which gives us non-determinate offsets and complicates writing + # ; SEH handlers. + # + # ; It also serves as an anchor for retrieving stack arguments on both Linux + # ; and Windows. + lea `$XMM_STORAGE`(%rsp),%rbp +.cfi_def_cfa_register %rbp +.L${func_name}_seh_setfp: +___ + if ($win64) { + + # ; xmm6:xmm15 need to be preserved on Windows + foreach my $reg_idx (6 .. 15) { + my $xmm_reg_offset = ($reg_idx - 6) * 16; + $code .= <<___; + vmovdqu %xmm${reg_idx},$xmm_reg_offset(%rsp) +.L${func_name}_seh_save_xmm${reg_idx}: +___ + } + } + + $code .= <<___; +# Prolog ends here. Next stack allocation is treated as "dynamic". 
+.L${func_name}_seh_prolog_end: +___ + + if ($DYNAMIC_STACK_ALLOC_SIZE) { + $code .= <<___; + sub \$`$DYNAMIC_STACK_ALLOC_SIZE + $DYNAMIC_STACK_ALLOC_ALIGNMENT_SPACE`,%rsp + and \$(-64),%rsp +___ + } +} + +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +# ;;; Restore register content for the caller. +# ;;; And cleanup stack. +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +sub EPILOG { + my ($hkeys_storage_on_stack, $payload_len) = @_; + + my $rndsuffix = &random_string(); + + if ($hkeys_storage_on_stack && $CLEAR_HKEYS_STORAGE_ON_EXIT) { + + # ; There is no need in hkeys cleanup if payload len was small, i.e. no hkeys + # ; were stored in the local frame storage + $code .= <<___; + cmpq \$`16*16`,$payload_len + jbe .Lskip_hkeys_cleanup_${rndsuffix} + vpxor %xmm0,%xmm0,%xmm0 +___ + for (my $i = 0; $i < int($HKEYS_STORAGE / 64); $i++) { + $code .= "vmovdqa64 %zmm0,`$STACK_HKEYS_OFFSET + 64*$i`(%rsp)\n"; + } + $code .= ".Lskip_hkeys_cleanup_${rndsuffix}:\n"; + } + + if ($CLEAR_SCRATCH_REGISTERS) { + &clear_scratch_gps_asm(); + &clear_scratch_zmms_asm(); + } else { + $code .= "vzeroupper\n"; + } + + if ($win64) { + + # ; restore xmm15:xmm6 + for (my $reg_idx = 15; $reg_idx >= 6; $reg_idx--) { + my $xmm_reg_offset = -$XMM_STORAGE + ($reg_idx - 6) * 16; + $code .= <<___; + vmovdqu $xmm_reg_offset(%rbp),%xmm${reg_idx}, +___ + } + } + + if ($win64) { + + # Forming valid epilog for SEH with use of frame pointer. 
+ # https://docs.microsoft.com/en-us/cpp/build/prolog-and-epilog?view=msvc-160#epilog-code + $code .= "lea 8(%rbp),%rsp\n"; + } else { + $code .= "lea (%rbp),%rsp\n"; + $code .= ".cfi_def_cfa_register %rsp\n"; + } + + if ($win64) { + $code .= <<___; + pop %rsi +.cfi_pop %rsi + pop %rdi +.cfi_pop %rdi +___ + } + $code .= <<___; + pop %r15 +.cfi_pop %r15 + pop %r14 +.cfi_pop %r14 + pop %r13 +.cfi_pop %r13 + pop %r12 +.cfi_pop %r12 + pop %rbp +.cfi_pop %rbp + pop %rbx +.cfi_pop %rbx +___ +} + +# ; Clears all scratch ZMM registers +# ; +# ; It should be called before restoring the XMM registers +# ; for Windows (XMM6-XMM15). +# ; +sub clear_scratch_zmms_asm { + + # ; On Linux, all ZMM registers are scratch registers + if (!$win64) { + $code .= "vzeroall\n"; + } else { + foreach my $i (0 .. 5) { + $code .= "vpxorq %xmm${i},%xmm${i},%xmm${i}\n"; + } + } + foreach my $i (16 .. 31) { + $code .= "vpxorq %xmm${i},%xmm${i},%xmm${i}\n"; + } +} + +# Clears all scratch GP registers +sub clear_scratch_gps_asm { + foreach my $reg ("%rax", "%rcx", "%rdx", "%r8", "%r9", "%r10", "%r11") { + $code .= "xor $reg,$reg\n"; + } + if (!$win64) { + foreach my $reg ("%rsi", "%rdi") { + $code .= "xor $reg,$reg\n"; + } + } +} + +sub precompute_hkeys_on_stack { + my $GCM128_CTX = $_[0]; + my $HKEYS_READY = $_[1]; + my $ZTMP0 = $_[2]; + my $ZTMP1 = $_[3]; + my $ZTMP2 = $_[4]; + my $ZTMP3 = $_[5]; + my $ZTMP4 = $_[6]; + my $ZTMP5 = $_[7]; + my $ZTMP6 = $_[8]; + my $HKEYS_RANGE = $_[9]; # ; "first16", "mid16", "all", "first32", "last32" + + die "precompute_hkeys_on_stack: Unexpected value of HKEYS_RANGE: $HKEYS_RANGE" + if ($HKEYS_RANGE ne "first16" + && $HKEYS_RANGE ne "mid16" + && $HKEYS_RANGE ne "all" + && $HKEYS_RANGE ne "first32" + && $HKEYS_RANGE ne "last32"); + + my $rndsuffix = &random_string(); + + $code .= <<___; + test $HKEYS_READY,$HKEYS_READY + jnz .L_skip_hkeys_precomputation_${rndsuffix} +___ + + if ($HKEYS_RANGE eq "first16" || $HKEYS_RANGE eq "first32" || $HKEYS_RANGE eq "all") { + 
+ # ; Fill the stack with the first 16 hkeys from the context + $code .= <<___; + # ; Move 16 hkeys from the context to stack + vmovdqu64 @{[HashKeyByIdx(4,$GCM128_CTX)]},$ZTMP0 + vmovdqu64 $ZTMP0,@{[HashKeyByIdx(4,"%rsp")]} + + vmovdqu64 @{[HashKeyByIdx(8,$GCM128_CTX)]},$ZTMP1 + vmovdqu64 $ZTMP1,@{[HashKeyByIdx(8,"%rsp")]} + + # ; broadcast HashKey^8 + vshufi64x2 \$0x00,$ZTMP1,$ZTMP1,$ZTMP1 + + vmovdqu64 @{[HashKeyByIdx(12,$GCM128_CTX)]},$ZTMP2 + vmovdqu64 $ZTMP2,@{[HashKeyByIdx(12,"%rsp")]} + + vmovdqu64 @{[HashKeyByIdx(16,$GCM128_CTX)]},$ZTMP3 + vmovdqu64 $ZTMP3,@{[HashKeyByIdx(16,"%rsp")]} +___ + } + + if ($HKEYS_RANGE eq "mid16" || $HKEYS_RANGE eq "last32") { + $code .= <<___; + vmovdqu64 @{[HashKeyByIdx(8,"%rsp")]},$ZTMP1 + + # ; broadcast HashKey^8 + vshufi64x2 \$0x00,$ZTMP1,$ZTMP1,$ZTMP1 + + vmovdqu64 @{[HashKeyByIdx(12,"%rsp")]},$ZTMP2 + vmovdqu64 @{[HashKeyByIdx(16,"%rsp")]},$ZTMP3 +___ + + } + + if ($HKEYS_RANGE eq "mid16" || $HKEYS_RANGE eq "first32" || $HKEYS_RANGE eq "last32" || $HKEYS_RANGE eq "all") { + + # ; Precompute hkeys^i, i=17..32 + my $i = 20; + foreach (1 .. int((32 - 16) / 8)) { + + # ;; compute HashKey^(4 + n), HashKey^(3 + n), ... HashKey^(1 + n) + &GHASH_MUL($ZTMP2, $ZTMP1, $ZTMP4, $ZTMP5, $ZTMP6); + $code .= "vmovdqu64 $ZTMP2,@{[HashKeyByIdx($i,\"%rsp\")]}\n"; + $i += 4; + + # ;; compute HashKey^(8 + n), HashKey^(7 + n), ... HashKey^(5 + n) + &GHASH_MUL($ZTMP3, $ZTMP1, $ZTMP4, $ZTMP5, $ZTMP6); + $code .= "vmovdqu64 $ZTMP3,@{[HashKeyByIdx($i,\"%rsp\")]}\n"; + $i += 4; + } + } + + if ($HKEYS_RANGE eq "last32" || $HKEYS_RANGE eq "all") { + + # ; Precompute hkeys^i, i=33..48 (HKEYS_STORAGE_CAPACITY = 48) + my $i = 36; + foreach (1 .. int((48 - 32) / 8)) { + + # ;; compute HashKey^(4 + n), HashKey^(3 + n), ... HashKey^(1 + n) + &GHASH_MUL($ZTMP2, $ZTMP1, $ZTMP4, $ZTMP5, $ZTMP6); + $code .= "vmovdqu64 $ZTMP2,@{[HashKeyByIdx($i,\"%rsp\")]}\n"; + $i += 4; + + # ;; compute HashKey^(8 + n), HashKey^(7 + n), ... 
HashKey^(5 + n) + &GHASH_MUL($ZTMP3, $ZTMP1, $ZTMP4, $ZTMP5, $ZTMP6); + $code .= "vmovdqu64 $ZTMP3,@{[HashKeyByIdx($i,\"%rsp\")]}\n"; + $i += 4; + } + } + + $code .= ".L_skip_hkeys_precomputation_${rndsuffix}:\n"; +} + +# ;; ============================================================================= +# ;; Generic macro to produce code that executes $OPCODE instruction +# ;; on selected number of AES blocks (16 bytes long ) between 0 and 16. +# ;; All three operands of the instruction come from registers. +# ;; Note: if 3 blocks are left at the end instruction is produced to operate all +# ;; 4 blocks (full width of ZMM) +sub ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16 { + my $NUM_BLOCKS = $_[0]; # [in] numerical value, number of AES blocks (0 to 16) + my $OPCODE = $_[1]; # [in] instruction name + my @DST; + $DST[0] = $_[2]; # [out] destination ZMM register + $DST[1] = $_[3]; # [out] destination ZMM register + $DST[2] = $_[4]; # [out] destination ZMM register + $DST[3] = $_[5]; # [out] destination ZMM register + my @SRC1; + $SRC1[0] = $_[6]; # [in] source 1 ZMM register + $SRC1[1] = $_[7]; # [in] source 1 ZMM register + $SRC1[2] = $_[8]; # [in] source 1 ZMM register + $SRC1[3] = $_[9]; # [in] source 1 ZMM register + my @SRC2; + $SRC2[0] = $_[10]; # [in] source 2 ZMM register + $SRC2[1] = $_[11]; # [in] source 2 ZMM register + $SRC2[2] = $_[12]; # [in] source 2 ZMM register + $SRC2[3] = $_[13]; # [in] source 2 ZMM register + + die "ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16: num_blocks is out of bounds = $NUM_BLOCKS\n" + if ($NUM_BLOCKS > 16 || $NUM_BLOCKS < 0); + + my $reg_idx = 0; + my $blocks_left = $NUM_BLOCKS; + + foreach (1 .. 
($NUM_BLOCKS / 4)) { + $code .= "$OPCODE $SRC2[$reg_idx],$SRC1[$reg_idx],$DST[$reg_idx]\n"; + $reg_idx++; + $blocks_left -= 4; + } + + my $DSTREG = $DST[$reg_idx]; + my $SRC1REG = $SRC1[$reg_idx]; + my $SRC2REG = $SRC2[$reg_idx]; + + if ($blocks_left == 1) { + $code .= "$OPCODE @{[XWORD($SRC2REG)]},@{[XWORD($SRC1REG)]},@{[XWORD($DSTREG)]}\n"; + } elsif ($blocks_left == 2) { + $code .= "$OPCODE @{[YWORD($SRC2REG)]},@{[YWORD($SRC1REG)]},@{[YWORD($DSTREG)]}\n"; + } elsif ($blocks_left == 3) { + $code .= "$OPCODE $SRC2REG,$SRC1REG,$DSTREG\n"; + } +} + +# ;; ============================================================================= +# ;; Loads specified number of AES blocks into ZMM registers using mask register +# ;; for the last loaded register (xmm, ymm or zmm). +# ;; Loads take place at 1 byte granularity. +sub ZMM_LOAD_MASKED_BLOCKS_0_16 { + my $NUM_BLOCKS = $_[0]; # [in] numerical value, number of AES blocks (0 to 16) + my $INP = $_[1]; # [in] input data pointer to read from + my $DATA_OFFSET = $_[2]; # [in] offset to the output pointer (GP or numerical) + my @DST; + $DST[0] = $_[3]; # [out] ZMM register with loaded data + $DST[1] = $_[4]; # [out] ZMM register with loaded data + $DST[2] = $_[5]; # [out] ZMM register with loaded data + $DST[3] = $_[6]; # [out] ZMM register with loaded data + my $MASK = $_[7]; # [in] mask register + + die "ZMM_LOAD_MASKED_BLOCKS_0_16: num_blocks is out of bounds = $NUM_BLOCKS\n" + if ($NUM_BLOCKS > 16 || $NUM_BLOCKS < 0); + + my $src_offset = 0; + my $dst_idx = 0; + my $blocks_left = $NUM_BLOCKS; + + if ($NUM_BLOCKS > 0) { + foreach (1 .. 
(int(($NUM_BLOCKS + 3) / 4) - 1)) { + $code .= "vmovdqu8 @{[EffectiveAddress($INP,$DATA_OFFSET,$src_offset)]},$DST[$dst_idx]\n"; + $src_offset += 64; + $dst_idx++; + $blocks_left -= 4; + } + } + + my $DSTREG = $DST[$dst_idx]; + + if ($blocks_left == 1) { + $code .= "vmovdqu8 @{[EffectiveAddress($INP,$DATA_OFFSET,$src_offset)]},@{[XWORD($DSTREG)]}\{$MASK\}{z}\n"; + } elsif ($blocks_left == 2) { + $code .= "vmovdqu8 @{[EffectiveAddress($INP,$DATA_OFFSET,$src_offset)]},@{[YWORD($DSTREG)]}\{$MASK\}{z}\n"; + } elsif (($blocks_left == 3 || $blocks_left == 4)) { + $code .= "vmovdqu8 @{[EffectiveAddress($INP,$DATA_OFFSET,$src_offset)]},$DSTREG\{$MASK\}{z}\n"; + } +} + +# ;; ============================================================================= +# ;; Stores specified number of AES blocks from ZMM registers with mask register +# ;; for the last loaded register (xmm, ymm or zmm). +# ;; Stores take place at 1 byte granularity. +sub ZMM_STORE_MASKED_BLOCKS_0_16 { + my $NUM_BLOCKS = $_[0]; # [in] numerical value, number of AES blocks (0 to 16) + my $OUTP = $_[1]; # [in] output data pointer to write to + my $DATA_OFFSET = $_[2]; # [in] offset to the output pointer (GP or numerical) + my @SRC; + $SRC[0] = $_[3]; # [in] ZMM register with data to store + $SRC[1] = $_[4]; # [in] ZMM register with data to store + $SRC[2] = $_[5]; # [in] ZMM register with data to store + $SRC[3] = $_[6]; # [in] ZMM register with data to store + my $MASK = $_[7]; # [in] mask register + + die "ZMM_STORE_MASKED_BLOCKS_0_16: num_blocks is out of bounds = $NUM_BLOCKS\n" + if ($NUM_BLOCKS > 16 || $NUM_BLOCKS < 0); + + my $dst_offset = 0; + my $src_idx = 0; + my $blocks_left = $NUM_BLOCKS; + + if ($NUM_BLOCKS > 0) { + foreach (1 .. 
(int(($NUM_BLOCKS + 3) / 4) - 1)) { + $code .= "vmovdqu8 $SRC[$src_idx],`$dst_offset`($OUTP,$DATA_OFFSET,1)\n"; + $dst_offset += 64; + $src_idx++; + $blocks_left -= 4; + } + } + + my $SRCREG = $SRC[$src_idx]; + + if ($blocks_left == 1) { + $code .= "vmovdqu8 @{[XWORD($SRCREG)]},`$dst_offset`($OUTP,$DATA_OFFSET,1){$MASK}\n"; + } elsif ($blocks_left == 2) { + $code .= "vmovdqu8 @{[YWORD($SRCREG)]},`$dst_offset`($OUTP,$DATA_OFFSET,1){$MASK}\n"; + } elsif ($blocks_left == 3 || $blocks_left == 4) { + $code .= "vmovdqu8 $SRCREG,`$dst_offset`($OUTP,$DATA_OFFSET,1){$MASK}\n"; + } +} + +# ;;; =========================================================================== +# ;;; Handles AES encryption rounds +# ;;; It handles special cases: the last and first rounds +# ;;; Optionally, it performs XOR with data after the last AES round. +# ;;; Uses NROUNDS parameter to check what needs to be done for the current round. +# ;;; If 3 blocks are trailing then operation on whole ZMM is performed (4 blocks). 
+sub ZMM_AESENC_ROUND_BLOCKS_0_16 { + my $L0B0_3 = $_[0]; # [in/out] zmm; blocks 0 to 3 + my $L0B4_7 = $_[1]; # [in/out] zmm; blocks 4 to 7 + my $L0B8_11 = $_[2]; # [in/out] zmm; blocks 8 to 11 + my $L0B12_15 = $_[3]; # [in/out] zmm; blocks 12 to 15 + my $KEY = $_[4]; # [in] zmm containing round key + my $ROUND = $_[5]; # [in] round number + my $D0_3 = $_[6]; # [in] zmm or no_data; plain/cipher text blocks 0-3 + my $D4_7 = $_[7]; # [in] zmm or no_data; plain/cipher text blocks 4-7 + my $D8_11 = $_[8]; # [in] zmm or no_data; plain/cipher text blocks 8-11 + my $D12_15 = $_[9]; # [in] zmm or no_data; plain/cipher text blocks 12-15 + my $NUMBL = $_[10]; # [in] number of blocks; numerical value + my $NROUNDS = $_[11]; # [in] number of rounds; numerical value + + # ;;; === first AES round + if ($ROUND < 1) { + + # ;; round 0 + &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16( + $NUMBL, "vpxorq", $L0B0_3, $L0B4_7, $L0B8_11, $L0B12_15, $L0B0_3, + $L0B4_7, $L0B8_11, $L0B12_15, $KEY, $KEY, $KEY, $KEY); + } + + # ;;; === middle AES rounds + if ($ROUND >= 1 && $ROUND <= $NROUNDS) { + + # ;; rounds 1 to 9/11/13 + &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16( + $NUMBL, "vaesenc", $L0B0_3, $L0B4_7, $L0B8_11, $L0B12_15, $L0B0_3, + $L0B4_7, $L0B8_11, $L0B12_15, $KEY, $KEY, $KEY, $KEY); + } + + # ;;; === last AES round + if ($ROUND > $NROUNDS) { + + # ;; the last round - mix enclast with text xor's + &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16( + $NUMBL, "vaesenclast", $L0B0_3, $L0B4_7, $L0B8_11, $L0B12_15, $L0B0_3, + $L0B4_7, $L0B8_11, $L0B12_15, $KEY, $KEY, $KEY, $KEY); + + # ;;; === XOR with data + if ( ($D0_3 ne "no_data") + && ($D4_7 ne "no_data") + && ($D8_11 ne "no_data") + && ($D12_15 ne "no_data")) + { + &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16( + $NUMBL, "vpxorq", $L0B0_3, $L0B4_7, $L0B8_11, $L0B12_15, $L0B0_3, + $L0B4_7, $L0B8_11, $L0B12_15, $D0_3, $D4_7, $D8_11, $D12_15); + } + } +} + +# ;;; Horizontal XOR - 4 x 128bits xored together +sub VHPXORI4x128 { + my $REG = $_[0]; # 
[in/out] ZMM with 4x128bits to xor; 128bit output + my $TMP = $_[1]; # [clobbered] ZMM temporary register + $code .= <<___; + vextracti64x4 \$1,$REG,@{[YWORD($TMP)]} + vpxorq @{[YWORD($TMP)]},@{[YWORD($REG)]},@{[YWORD($REG)]} + vextracti32x4 \$1,@{[YWORD($REG)]},@{[XWORD($TMP)]} + vpxorq @{[XWORD($TMP)]},@{[XWORD($REG)]},@{[XWORD($REG)]} +___ +} + +# ;;; AVX512 reduction macro +sub VCLMUL_REDUCE { + my $OUT = $_[0]; # [out] zmm/ymm/xmm: result (must not be $TMP1 or $HI128) + my $POLY = $_[1]; # [in] zmm/ymm/xmm: polynomial + my $HI128 = $_[2]; # [in] zmm/ymm/xmm: high 128b of hash to reduce + my $LO128 = $_[3]; # [in] zmm/ymm/xmm: low 128b of hash to reduce + my $TMP0 = $_[4]; # [in] zmm/ymm/xmm: temporary register + my $TMP1 = $_[5]; # [in] zmm/ymm/xmm: temporary register + + $code .= <<___; + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; first phase of the reduction + vpclmulqdq \$0x01,$LO128,$POLY,$TMP0 + vpslldq \$8,$TMP0,$TMP0 # ; shift-L 2 DWs + vpxorq $TMP0,$LO128,$TMP0 # ; first phase of the reduction complete + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; second phase of the reduction + vpclmulqdq \$0x00,$TMP0,$POLY,$TMP1 + vpsrldq \$4,$TMP1,$TMP1 # ; shift-R only 1-DW to obtain 2-DWs shift-R + vpclmulqdq \$0x10,$TMP0,$POLY,$OUT + vpslldq \$4,$OUT,$OUT # ; shift-L 1-DW to obtain result with no shifts + vpternlogq \$0x96,$HI128,$TMP1,$OUT # ; OUT/GHASH = OUT xor TMP1 xor HI128 + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +___ +} + +# ;; =========================================================================== +# ;; schoolbook multiply of 16 blocks (16 x 16 bytes) +# ;; - it is assumed that data read from $INPTR is already shuffled and +# ;; $INPTR address is 64 byte aligned +# ;; - there is an option to pass ready blocks through ZMM registers too. 
+# ;; 4 extra parameters need to be passed in such case and 21st ($ZTMP9) argument can be empty +sub GHASH_16 { + my $TYPE = $_[0]; # [in] ghash type: start (xor hash), mid, end (same as mid; no reduction), + # end_reduce (end with reduction), start_reduce + my $GH = $_[1]; # [in/out] ZMM ghash sum: high 128-bits + my $GM = $_[2]; # [in/out] ZMM ghash sum: middle 128-bits + my $GL = $_[3]; # [in/out] ZMM ghash sum: low 128-bits + my $INPTR = $_[4]; # [in] data input pointer + my $INOFF = $_[5]; # [in] data input offset + my $INDIS = $_[6]; # [in] data input displacement + my $HKPTR = $_[7]; # [in] hash key pointer + my $HKOFF = $_[8]; # [in] hash key offset (can be either numerical offset, or register containing offset) + my $HKDIS = $_[9]; # [in] hash key displacement + my $HASH = $_[10]; # [in/out] ZMM hash value in/out + my $ZTMP0 = $_[11]; # [clobbered] temporary ZMM + my $ZTMP1 = $_[12]; # [clobbered] temporary ZMM + my $ZTMP2 = $_[13]; # [clobbered] temporary ZMM + my $ZTMP3 = $_[14]; # [clobbered] temporary ZMM + my $ZTMP4 = $_[15]; # [clobbered] temporary ZMM + my $ZTMP5 = $_[16]; # [clobbered] temporary ZMM + my $ZTMP6 = $_[17]; # [clobbered] temporary ZMM + my $ZTMP7 = $_[18]; # [clobbered] temporary ZMM + my $ZTMP8 = $_[19]; # [clobbered] temporary ZMM + my $ZTMP9 = $_[20]; # [clobbered] temporary ZMM, can be empty if 4 extra parameters below are provided + my $DAT0 = $_[21]; # [in] ZMM with 4 blocks of input data (INPTR, INOFF, INDIS unused) + my $DAT1 = $_[22]; # [in] ZMM with 4 blocks of input data (INPTR, INOFF, INDIS unused) + my $DAT2 = $_[23]; # [in] ZMM with 4 blocks of input data (INPTR, INOFF, INDIS unused) + my $DAT3 = $_[24]; # [in] ZMM with 4 blocks of input data (INPTR, INOFF, INDIS unused) + + my $start_ghash = 0; + my $do_reduction = 0; + if ($TYPE eq "start") { + $start_ghash = 1; + } + + if ($TYPE eq "start_reduce") { + $start_ghash = 1; + $do_reduction = 1; + } + + if ($TYPE eq "end_reduce") { + $do_reduction = 1; + } + + # ;; ghash 
blocks 0-3 + if (scalar(@_) == 21) { + $code .= "vmovdqa64 @{[EffectiveAddress($INPTR,$INOFF,($INDIS+0*64))]},$ZTMP9\n"; + } else { + $ZTMP9 = $DAT0; + } + + if ($start_ghash != 0) { + $code .= "vpxorq $HASH,$ZTMP9,$ZTMP9\n"; + } + $code .= <<___; + vmovdqu64 @{[EffectiveAddress($HKPTR,$HKOFF,($HKDIS+0*64))]},$ZTMP8 + vpclmulqdq \$0x11,$ZTMP8,$ZTMP9,$ZTMP0 # ; T0H = a1*b1 + vpclmulqdq \$0x00,$ZTMP8,$ZTMP9,$ZTMP1 # ; T0L = a0*b0 + vpclmulqdq \$0x01,$ZTMP8,$ZTMP9,$ZTMP2 # ; T0M1 = a1*b0 + vpclmulqdq \$0x10,$ZTMP8,$ZTMP9,$ZTMP3 # ; T0M2 = a0*b1 +___ + + # ;; ghash blocks 4-7 + if (scalar(@_) == 21) { + $code .= "vmovdqa64 @{[EffectiveAddress($INPTR,$INOFF,($INDIS+1*64))]},$ZTMP9\n"; + } else { + $ZTMP9 = $DAT1; + } + $code .= <<___; + vmovdqu64 @{[EffectiveAddress($HKPTR,$HKOFF,($HKDIS+1*64))]},$ZTMP8 + vpclmulqdq \$0x11,$ZTMP8,$ZTMP9,$ZTMP4 # ; T1H = a1*b1 + vpclmulqdq \$0x00,$ZTMP8,$ZTMP9,$ZTMP5 # ; T1L = a0*b0 + vpclmulqdq \$0x01,$ZTMP8,$ZTMP9,$ZTMP6 # ; T1M1 = a1*b0 + vpclmulqdq \$0x10,$ZTMP8,$ZTMP9,$ZTMP7 # ; T1M2 = a0*b1 +___ + + # ;; update sums + if ($start_ghash != 0) { + $code .= <<___; + vpxorq $ZTMP6,$ZTMP2,$GM # ; GM = T0M1 + T1M1 + vpxorq $ZTMP4,$ZTMP0,$GH # ; GH = T0H + T1H + vpxorq $ZTMP5,$ZTMP1,$GL # ; GL = T0L + T1L + vpternlogq \$0x96,$ZTMP7,$ZTMP3,$GM # ; GM = T0M2 + T1M1 +___ + } else { # ;; mid, end, end_reduce + $code .= <<___; + vpternlogq \$0x96,$ZTMP6,$ZTMP2,$GM # ; GM += T0M1 + T1M1 + vpternlogq \$0x96,$ZTMP4,$ZTMP0,$GH # ; GH += T0H + T1H + vpternlogq \$0x96,$ZTMP5,$ZTMP1,$GL # ; GL += T0L + T1L + vpternlogq \$0x96,$ZTMP7,$ZTMP3,$GM # ; GM += T0M2 + T1M1 +___ + } + + # ;; ghash blocks 8-11 + if (scalar(@_) == 21) { + $code .= "vmovdqa64 @{[EffectiveAddress($INPTR,$INOFF,($INDIS+2*64))]},$ZTMP9\n"; + } else { + $ZTMP9 = $DAT2; + } + $code .= <<___; + vmovdqu64 @{[EffectiveAddress($HKPTR,$HKOFF,($HKDIS+2*64))]},$ZTMP8 + vpclmulqdq \$0x11,$ZTMP8,$ZTMP9,$ZTMP0 # ; T0H = a1*b1 + vpclmulqdq \$0x00,$ZTMP8,$ZTMP9,$ZTMP1 # ; T0L = a0*b0 + vpclmulqdq 
\$0x01,$ZTMP8,$ZTMP9,$ZTMP2 # ; T0M1 = a1*b0 + vpclmulqdq \$0x10,$ZTMP8,$ZTMP9,$ZTMP3 # ; T0M2 = a0*b1 +___ + + # ;; ghash blocks 12-15 + if (scalar(@_) == 21) { + $code .= "vmovdqa64 @{[EffectiveAddress($INPTR,$INOFF,($INDIS+3*64))]},$ZTMP9\n"; + } else { + $ZTMP9 = $DAT3; + } + $code .= <<___; + vmovdqu64 @{[EffectiveAddress($HKPTR,$HKOFF,($HKDIS+3*64))]},$ZTMP8 + vpclmulqdq \$0x11,$ZTMP8,$ZTMP9,$ZTMP4 # ; T1H = a1*b1 + vpclmulqdq \$0x00,$ZTMP8,$ZTMP9,$ZTMP5 # ; T1L = a0*b0 + vpclmulqdq \$0x01,$ZTMP8,$ZTMP9,$ZTMP6 # ; T1M1 = a1*b0 + vpclmulqdq \$0x10,$ZTMP8,$ZTMP9,$ZTMP7 # ; T1M2 = a0*b1 + # ;; update sums + vpternlogq \$0x96,$ZTMP6,$ZTMP2,$GM # ; GM += T0M1 + T1M1 + vpternlogq \$0x96,$ZTMP4,$ZTMP0,$GH # ; GH += T0H + T1H + vpternlogq \$0x96,$ZTMP5,$ZTMP1,$GL # ; GL += T0L + T1L + vpternlogq \$0x96,$ZTMP7,$ZTMP3,$GM # ; GM += T0M2 + T1M1 +___ + if ($do_reduction != 0) { + $code .= <<___; + # ;; integrate GM into GH and GL + vpsrldq \$8,$GM,$ZTMP0 + vpslldq \$8,$GM,$ZTMP1 + vpxorq $ZTMP0,$GH,$GH + vpxorq $ZTMP1,$GL,$GL +___ + + # ;; add GH and GL 128-bit words horizontally + &VHPXORI4x128($GH, $ZTMP0); + &VHPXORI4x128($GL, $ZTMP1); + + # ;; reduction + $code .= "vmovdqa64 POLY2(%rip),@{[XWORD($ZTMP2)]}\n"; + &VCLMUL_REDUCE(&XWORD($HASH), &XWORD($ZTMP2), &XWORD($GH), &XWORD($GL), &XWORD($ZTMP0), &XWORD($ZTMP1)); + } +} + +# ;; =========================================================================== +# ;; GHASH 1 to 16 blocks of cipher text +# ;; - performs reduction at the end +# ;; - it doesn't load the data and it assumed it is already loaded and shuffled +sub GHASH_1_TO_16 { + my $GCM128_CTX = $_[0]; # [in] pointer to expanded keys + my $GHASH = $_[1]; # [out] ghash output + my $T0H = $_[2]; # [clobbered] temporary ZMM + my $T0L = $_[3]; # [clobbered] temporary ZMM + my $T0M1 = $_[4]; # [clobbered] temporary ZMM + my $T0M2 = $_[5]; # [clobbered] temporary ZMM + my $T1H = $_[6]; # [clobbered] temporary ZMM + my $T1L = $_[7]; # [clobbered] temporary ZMM + my 
$T1M1 = $_[8]; # [clobbered] temporary ZMM + my $T1M2 = $_[9]; # [clobbered] temporary ZMM + my $HK = $_[10]; # [clobbered] temporary ZMM + my $AAD_HASH_IN = $_[11]; # [in] input hash value + my @CIPHER_IN; + $CIPHER_IN[0] = $_[12]; # [in] ZMM with cipher text blocks 0-3 + $CIPHER_IN[1] = $_[13]; # [in] ZMM with cipher text blocks 4-7 + $CIPHER_IN[2] = $_[14]; # [in] ZMM with cipher text blocks 8-11 + $CIPHER_IN[3] = $_[15]; # [in] ZMM with cipher text blocks 12-15 + my $NUM_BLOCKS = $_[16]; # [in] numerical value, number of blocks + my $GH = $_[17]; # [in] ZMM with hi product part + my $GM = $_[18]; # [in] ZMM with mid product part + my $GL = $_[19]; # [in] ZMM with lo product part + + die "GHASH_1_TO_16: num_blocks is out of bounds = $NUM_BLOCKS\n" if ($NUM_BLOCKS > 16 || $NUM_BLOCKS < 0); + + if (scalar(@_) == 17) { + $code .= "vpxorq $AAD_HASH_IN,$CIPHER_IN[0],$CIPHER_IN[0]\n"; + } + + if ($NUM_BLOCKS == 16) { + $code .= <<___; + vmovdqu64 @{[HashKeyByIdx($NUM_BLOCKS, $GCM128_CTX)]},$HK + vpclmulqdq \$0x11,$HK,$CIPHER_IN[0],$T0H # ; H = a1*b1 + vpclmulqdq \$0x00,$HK,$CIPHER_IN[0],$T0L # ; L = a0*b0 + vpclmulqdq \$0x01,$HK,$CIPHER_IN[0],$T0M1 # ; M1 = a1*b0 + vpclmulqdq \$0x10,$HK,$CIPHER_IN[0],$T0M2 # ; M2 = a0*b1 + vmovdqu64 @{[HashKeyByIdx($NUM_BLOCKS-1*4, $GCM128_CTX)]},$HK + vpclmulqdq \$0x11,$HK,$CIPHER_IN[1],$T1H # ; H = a1*b1 + vpclmulqdq \$0x00,$HK,$CIPHER_IN[1],$T1L # ; L = a0*b0 + vpclmulqdq \$0x01,$HK,$CIPHER_IN[1],$T1M1 # ; M1 = a1*b0 + vpclmulqdq \$0x10,$HK,$CIPHER_IN[1],$T1M2 # ; M2 = a0*b1 + vmovdqu64 @{[HashKeyByIdx($NUM_BLOCKS-2*4, $GCM128_CTX)]},$HK + vpclmulqdq \$0x11,$HK,$CIPHER_IN[2],$CIPHER_IN[0] # ; H = a1*b1 + vpclmulqdq \$0x00,$HK,$CIPHER_IN[2],$CIPHER_IN[1] # ; L = a0*b0 + vpternlogq \$0x96,$T1H,$CIPHER_IN[0],$T0H + vpternlogq \$0x96,$T1L,$CIPHER_IN[1],$T0L + vpclmulqdq \$0x01,$HK,$CIPHER_IN[2],$CIPHER_IN[0] # ; M1 = a1*b0 + vpclmulqdq \$0x10,$HK,$CIPHER_IN[2],$CIPHER_IN[1] # ; M2 = a0*b1 + vpternlogq \$0x96,$T1M1,$CIPHER_IN[0],$T0M1 + 
vpternlogq \$0x96,$T1M2,$CIPHER_IN[1],$T0M2 + vmovdqu64 @{[HashKeyByIdx($NUM_BLOCKS-3*4, $GCM128_CTX)]},$HK + vpclmulqdq \$0x11,$HK,$CIPHER_IN[3],$T1H # ; H = a1*b1 + vpclmulqdq \$0x00,$HK,$CIPHER_IN[3],$T1L # ; L = a0*b0 + vpclmulqdq \$0x01,$HK,$CIPHER_IN[3],$T1M1 # ; M1 = a1*b0 + vpclmulqdq \$0x10,$HK,$CIPHER_IN[3],$T1M2 # ; M2 = a0*b1 + vpxorq $T1H,$T0H,$T1H + vpxorq $T1L,$T0L,$T1L + vpxorq $T1M1,$T0M1,$T1M1 + vpxorq $T1M2,$T0M2,$T1M2 +___ + } elsif ($NUM_BLOCKS >= 12) { + $code .= <<___; + vmovdqu64 @{[HashKeyByIdx($NUM_BLOCKS, $GCM128_CTX)]},$HK + vpclmulqdq \$0x11,$HK,$CIPHER_IN[0],$T0H # ; H = a1*b1 + vpclmulqdq \$0x00,$HK,$CIPHER_IN[0],$T0L # ; L = a0*b0 + vpclmulqdq \$0x01,$HK,$CIPHER_IN[0],$T0M1 # ; M1 = a1*b0 + vpclmulqdq \$0x10,$HK,$CIPHER_IN[0],$T0M2 # ; M2 = a0*b1 + vmovdqu64 @{[HashKeyByIdx($NUM_BLOCKS-1*4, $GCM128_CTX)]},$HK + vpclmulqdq \$0x11,$HK,$CIPHER_IN[1],$T1H # ; H = a1*b1 + vpclmulqdq \$0x00,$HK,$CIPHER_IN[1],$T1L # ; L = a0*b0 + vpclmulqdq \$0x01,$HK,$CIPHER_IN[1],$T1M1 # ; M1 = a1*b0 + vpclmulqdq \$0x10,$HK,$CIPHER_IN[1],$T1M2 # ; M2 = a0*b1 + vmovdqu64 @{[HashKeyByIdx($NUM_BLOCKS-2*4, $GCM128_CTX)]},$HK + vpclmulqdq \$0x11,$HK,$CIPHER_IN[2],$CIPHER_IN[0] # ; H = a1*b1 + vpclmulqdq \$0x00,$HK,$CIPHER_IN[2],$CIPHER_IN[1] # ; L = a0*b0 + vpternlogq \$0x96,$T0H,$CIPHER_IN[0],$T1H + vpternlogq \$0x96,$T0L,$CIPHER_IN[1],$T1L + vpclmulqdq \$0x01,$HK,$CIPHER_IN[2],$CIPHER_IN[0] # ; M1 = a1*b0 + vpclmulqdq \$0x10,$HK,$CIPHER_IN[2],$CIPHER_IN[1] # ; M2 = a0*b1 + vpternlogq \$0x96,$T0M1,$CIPHER_IN[0],$T1M1 + vpternlogq \$0x96,$T0M2,$CIPHER_IN[1],$T1M2 +___ + } elsif ($NUM_BLOCKS >= 8) { + $code .= <<___; + vmovdqu64 @{[HashKeyByIdx($NUM_BLOCKS, $GCM128_CTX)]},$HK + vpclmulqdq \$0x11,$HK,$CIPHER_IN[0],$T0H # ; H = a1*b1 + vpclmulqdq \$0x00,$HK,$CIPHER_IN[0],$T0L # ; L = a0*b0 + vpclmulqdq \$0x01,$HK,$CIPHER_IN[0],$T0M1 # ; M1 = a1*b0 + vpclmulqdq \$0x10,$HK,$CIPHER_IN[0],$T0M2 # ; M2 = a0*b1 + vmovdqu64 @{[HashKeyByIdx($NUM_BLOCKS-1*4, 
$GCM128_CTX)]},$HK + vpclmulqdq \$0x11,$HK,$CIPHER_IN[1],$T1H # ; H = a1*b1 + vpclmulqdq \$0x00,$HK,$CIPHER_IN[1],$T1L # ; L = a0*b0 + vpclmulqdq \$0x01,$HK,$CIPHER_IN[1],$T1M1 # ; M1 = a1*b0 + vpclmulqdq \$0x10,$HK,$CIPHER_IN[1],$T1M2 # ; M2 = a0*b1 + vpxorq $T1H,$T0H,$T1H + vpxorq $T1L,$T0L,$T1L + vpxorq $T1M1,$T0M1,$T1M1 + vpxorq $T1M2,$T0M2,$T1M2 +___ + } elsif ($NUM_BLOCKS >= 4) { + $code .= <<___; + vmovdqu64 @{[HashKeyByIdx($NUM_BLOCKS, $GCM128_CTX)]},$HK + vpclmulqdq \$0x11,$HK,$CIPHER_IN[0],$T1H # ; H = a1*b1 + vpclmulqdq \$0x00,$HK,$CIPHER_IN[0],$T1L # ; L = a0*b0 + vpclmulqdq \$0x01,$HK,$CIPHER_IN[0],$T1M1 # ; M1 = a1*b0 + vpclmulqdq \$0x10,$HK,$CIPHER_IN[0],$T1M2 # ; M2 = a0*b1 +___ + } + + # ;; T1H/L/M1/M2 - hold current product sums (provided $NUM_BLOCKS >= 4) + my $blocks_left = ($NUM_BLOCKS % 4); + if ($blocks_left > 0) { + + # ;; ===================================================== + # ;; There are 1, 2 or 3 blocks left to process. + # ;; It may also be that they are the only blocks to process. 
+ + # ;; Set hash key and register index position for the remaining 1 to 3 blocks + my $reg_idx = ($NUM_BLOCKS / 4); + my $REG_IN = $CIPHER_IN[$reg_idx]; + + if ($blocks_left == 1) { + $code .= <<___; + vmovdqu64 @{[HashKeyByIdx($blocks_left, $GCM128_CTX)]},@{[XWORD($HK)]} + vpclmulqdq \$0x01,@{[XWORD($HK)]},@{[XWORD($REG_IN)]},@{[XWORD($T0M1)]} # ; M1 = a1*b0 + vpclmulqdq \$0x10,@{[XWORD($HK)]},@{[XWORD($REG_IN)]},@{[XWORD($T0M2)]} # ; M2 = a0*b1 + vpclmulqdq \$0x11,@{[XWORD($HK)]},@{[XWORD($REG_IN)]},@{[XWORD($T0H)]} # ; H = a1*b1 + vpclmulqdq \$0x00,@{[XWORD($HK)]},@{[XWORD($REG_IN)]},@{[XWORD($T0L)]} # ; L = a0*b0 +___ + } elsif ($blocks_left == 2) { + $code .= <<___; + vmovdqu64 @{[HashKeyByIdx($blocks_left, $GCM128_CTX)]},@{[YWORD($HK)]} + vpclmulqdq \$0x01,@{[YWORD($HK)]},@{[YWORD($REG_IN)]},@{[YWORD($T0M1)]} # ; M1 = a1*b0 + vpclmulqdq \$0x10,@{[YWORD($HK)]},@{[YWORD($REG_IN)]},@{[YWORD($T0M2)]} # ; M2 = a0*b1 + vpclmulqdq \$0x11,@{[YWORD($HK)]},@{[YWORD($REG_IN)]},@{[YWORD($T0H)]} # ; H = a1*b1 + vpclmulqdq \$0x00,@{[YWORD($HK)]},@{[YWORD($REG_IN)]},@{[YWORD($T0L)]} # ; L = a0*b0 +___ + } else { # ; blocks_left == 3 + $code .= <<___; + vmovdqu64 @{[HashKeyByIdx($blocks_left, $GCM128_CTX)]},@{[YWORD($HK)]} + vinserti64x2 \$2,@{[HashKeyByIdx($blocks_left-2, $GCM128_CTX)]},$HK,$HK + vpclmulqdq \$0x01,$HK,$REG_IN,$T0M1 # ; M1 = a1*b0 + vpclmulqdq \$0x10,$HK,$REG_IN,$T0M2 # ; M2 = a0*b1 + vpclmulqdq \$0x11,$HK,$REG_IN,$T0H # ; H = a1*b1 + vpclmulqdq \$0x00,$HK,$REG_IN,$T0L # ; L = a0*b0 +___ + } + + if (scalar(@_) == 20) { + + # ;; *** GH/GM/GL passed as arguments + if ($NUM_BLOCKS >= 4) { + $code .= <<___; + # ;; add ghash product sums from the first 4, 8 or 12 blocks + vpxorq $T1M1,$T0M1,$T0M1 + vpternlogq \$0x96,$T1M2,$GM,$T0M2 + vpternlogq \$0x96,$T1H,$GH,$T0H + vpternlogq \$0x96,$T1L,$GL,$T0L +___ + } else { + $code .= <<___; + vpxorq $GM,$T0M1,$T0M1 + vpxorq $GH,$T0H,$T0H + vpxorq $GL,$T0L,$T0L +___ + } + } else { + + # ;; *** GH/GM/GL NOT passed as 
arguments + if ($NUM_BLOCKS >= 4) { + $code .= <<___; + # ;; add ghash product sums from the first 4, 8 or 12 blocks + vpxorq $T1M1,$T0M1,$T0M1 + vpxorq $T1M2,$T0M2,$T0M2 + vpxorq $T1H,$T0H,$T0H + vpxorq $T1L,$T0L,$T0L +___ + } + } + $code .= <<___; + # ;; integrate TM into TH and TL + vpxorq $T0M2,$T0M1,$T0M1 + vpsrldq \$8,$T0M1,$T1M1 + vpslldq \$8,$T0M1,$T1M2 + vpxorq $T1M1,$T0H,$T0H + vpxorq $T1M2,$T0L,$T0L +___ + } else { + + # ;; ===================================================== + # ;; number of blocks is 4, 8, 12 or 16 + # ;; T1H/L/M1/M2 include product sums not T0H/L/M1/M2 + if (scalar(@_) == 20) { + $code .= <<___; + # ;; *** GH/GM/GL passed as arguments + vpxorq $GM,$T1M1,$T1M1 + vpxorq $GH,$T1H,$T1H + vpxorq $GL,$T1L,$T1L +___ + } + $code .= <<___; + # ;; integrate TM into TH and TL + vpxorq $T1M2,$T1M1,$T1M1 + vpsrldq \$8,$T1M1,$T0M1 + vpslldq \$8,$T1M1,$T0M2 + vpxorq $T0M1,$T1H,$T0H + vpxorq $T0M2,$T1L,$T0L +___ + } + + # ;; add TH and TL 128-bit words horizontally + &VHPXORI4x128($T0H, $T1M1); + &VHPXORI4x128($T0L, $T1M2); + + # ;; reduction + $code .= "vmovdqa64 POLY2(%rip),@{[XWORD($HK)]}\n"; + &VCLMUL_REDUCE( + @{[XWORD($GHASH)]}, + @{[XWORD($HK)]}, + @{[XWORD($T0H)]}, + @{[XWORD($T0L)]}, + @{[XWORD($T0M1)]}, + @{[XWORD($T0M2)]}); +} + +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +# ;; GHASH_MUL MACRO to implement: Data*HashKey mod (x^128 + x^127 + x^126 +x^121 + 1) +# ;; Input: A and B (128-bits each, bit-reflected) +# ;; Output: C = A*B*x mod poly, (i.e. >>1 ) +# ;; To compute GH = GH*HashKey mod poly, give HK = HashKey<<1 mod poly as input +# ;; GH = GH * HK * x mod poly which is equivalent to GH*HashKey mod poly. +# ;; +# ;; Refer to [3] for more detals. 
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +sub GHASH_MUL { + my $GH = $_[0]; #; [in/out] xmm/ymm/zmm with multiply operand(s) (128-bits) + my $HK = $_[1]; #; [in] xmm/ymm/zmm with hash key value(s) (128-bits) + my $T1 = $_[2]; #; [clobbered] xmm/ymm/zmm + my $T2 = $_[3]; #; [clobbered] xmm/ymm/zmm + my $T3 = $_[4]; #; [clobbered] xmm/ymm/zmm + + $code .= <<___; + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + vpclmulqdq \$0x11,$HK,$GH,$T1 # ; $T1 = a1*b1 + vpclmulqdq \$0x00,$HK,$GH,$T2 # ; $T2 = a0*b0 + vpclmulqdq \$0x01,$HK,$GH,$T3 # ; $T3 = a1*b0 + vpclmulqdq \$0x10,$HK,$GH,$GH # ; $GH = a0*b1 + vpxorq $T3,$GH,$GH + + vpsrldq \$8,$GH,$T3 # ; shift-R $GH 2 DWs + vpslldq \$8,$GH,$GH # ; shift-L $GH 2 DWs + vpxorq $T3,$T1,$T1 + vpxorq $T2,$GH,$GH + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;first phase of the reduction + vmovdqu64 POLY2(%rip),$T3 + + vpclmulqdq \$0x01,$GH,$T3,$T2 + vpslldq \$8,$T2,$T2 # ; shift-L $T2 2 DWs + vpxorq $T2,$GH,$GH # ; first phase of the reduction complete + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;second phase of the reduction + vpclmulqdq \$0x00,$GH,$T3,$T2 + vpsrldq \$4,$T2,$T2 # ; shift-R only 1-DW to obtain 2-DWs shift-R + vpclmulqdq \$0x10,$GH,$T3,$GH + vpslldq \$4,$GH,$GH # ; Shift-L 1-DW to obtain result with no shifts + # ; second phase of the reduction complete, the result is in $GH + vpternlogq \$0x96,$T2,$T1,$GH # ; GH = GH xor T1 xor T2 + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +___ +} + +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +# ;;; PRECOMPUTE computes HashKey_i +sub PRECOMPUTE { + my $GCM128_CTX = $_[0]; #; [in/out] context pointer, hkeys content updated + my $HK = $_[1]; #; [in] xmm, hash key + my $T1 = $_[2]; #; [clobbered] xmm + my $T2 = $_[3]; #; [clobbered] xmm + my $T3 = $_[4]; #; 
[clobbered] xmm + my $T4 = $_[5]; #; [clobbered] xmm + my $T5 = $_[6]; #; [clobbered] xmm + my $T6 = $_[7]; #; [clobbered] xmm + + my $ZT1 = &ZWORD($T1); + my $ZT2 = &ZWORD($T2); + my $ZT3 = &ZWORD($T3); + my $ZT4 = &ZWORD($T4); + my $ZT5 = &ZWORD($T5); + my $ZT6 = &ZWORD($T6); + + my $YT1 = &YWORD($T1); + my $YT2 = &YWORD($T2); + my $YT3 = &YWORD($T3); + my $YT4 = &YWORD($T4); + my $YT5 = &YWORD($T5); + my $YT6 = &YWORD($T6); + + $code .= <<___; + vshufi32x4 \$0x00,@{[YWORD($HK)]},@{[YWORD($HK)]},$YT5 + vmovdqa $YT5,$YT4 +___ + + # ;; calculate HashKey^2<<1 mod poly + &GHASH_MUL($YT4, $YT5, $YT1, $YT2, $YT3); + + $code .= <<___; + vmovdqu64 $T4,@{[HashKeyByIdx(2,$GCM128_CTX)]} + vinserti64x2 \$1,$HK,$YT4,$YT5 + vmovdqa64 $YT5,$YT6 # ;; YT6 = HashKey | HashKey^2 +___ + + # ;; use 2x128-bit computation + # ;; calculate HashKey^4<<1 mod poly, HashKey^3<<1 mod poly + &GHASH_MUL($YT5, $YT4, $YT1, $YT2, $YT3); # ;; YT5 = HashKey^3 | HashKey^4 + + $code .= <<___; + vmovdqu64 $YT5,@{[HashKeyByIdx(4,$GCM128_CTX)]} + + vinserti64x4 \$1,$YT6,$ZT5,$ZT5 # ;; ZT5 = YT6 | YT5 + + # ;; switch to 4x128-bit computations now + vshufi64x2 \$0x00,$ZT5,$ZT5,$ZT4 # ;; broadcast HashKey^4 across all ZT4 + vmovdqa64 $ZT5,$ZT6 # ;; save HashKey^4 to HashKey^1 in ZT6 +___ + + # ;; calculate HashKey^5<<1 mod poly, HashKey^6<<1 mod poly, ... HashKey^8<<1 mod poly + &GHASH_MUL($ZT5, $ZT4, $ZT1, $ZT2, $ZT3); + $code .= <<___; + vmovdqu64 $ZT5,@{[HashKeyByIdx(8,$GCM128_CTX)]} # ;; HashKey^8 to HashKey^5 in ZT5 now + vshufi64x2 \$0x00,$ZT5,$ZT5,$ZT4 # ;; broadcast HashKey^8 across all ZT4 +___ + + # ;; calculate HashKey^9<<1 mod poly, HashKey^10<<1 mod poly, ... HashKey^16<<1 mod poly + # ;; use HashKey^8 as multiplier against ZT6 and ZT5 - this allows deeper ooo execution + + # ;; compute HashKey^(12), HashKey^(11), ... HashKey^(9) + &GHASH_MUL($ZT6, $ZT4, $ZT1, $ZT2, $ZT3); + $code .= "vmovdqu64 $ZT6,@{[HashKeyByIdx(12,$GCM128_CTX)]}\n"; + + # ;; compute HashKey^(16), HashKey^(15), ... 
HashKey^(13) + &GHASH_MUL($ZT5, $ZT4, $ZT1, $ZT2, $ZT3); + $code .= "vmovdqu64 $ZT5,@{[HashKeyByIdx(16,$GCM128_CTX)]}\n"; + + # ; Hkeys 17..48 will be precomputed somewhere else as context can hold only 16 hkeys +} + +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +# ;; READ_SMALL_DATA_INPUT +# ;; Packs xmm register with data when data input is less or equal to 16 bytes +# ;; Returns 0 if data has length 0 +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +sub READ_SMALL_DATA_INPUT { + my $OUTPUT = $_[0]; # [out] xmm register + my $INPUT = $_[1]; # [in] buffer pointer to read from + my $LENGTH = $_[2]; # [in] number of bytes to read + my $TMP1 = $_[3]; # [clobbered] + my $TMP2 = $_[4]; # [clobbered] + my $MASK = $_[5]; # [out] k1 to k7 register to store the partial block mask + + $code .= <<___; + mov \$16,@{[DWORD($TMP2)]} + lea byte_len_to_mask_table(%rip),$TMP1 + cmp $TMP2,$LENGTH + cmovc $LENGTH,$TMP2 +___ + if ($win64) { + $code .= <<___; + add $TMP2,$TMP1 + add $TMP2,$TMP1 + kmovw ($TMP1),$MASK +___ + } else { + $code .= "kmovw ($TMP1,$TMP2,2),$MASK\n"; + } + $code .= "vmovdqu8 ($INPUT),${OUTPUT}{$MASK}{z}\n"; +} + +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +# CALC_AAD_HASH: Calculates the hash of the data which will not be encrypted. +# Input: The input data (A_IN), that data's length (A_LEN), and the hash key (HASH_KEY). +# Output: The hash of the data (AAD_HASH). 
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +sub CALC_AAD_HASH { + my $A_IN = $_[0]; # [in] AAD text pointer + my $A_LEN = $_[1]; # [in] AAD length + my $AAD_HASH = $_[2]; # [in/out] xmm ghash value + my $GCM128_CTX = $_[3]; # [in] pointer to context + my $ZT0 = $_[4]; # [clobbered] ZMM register + my $ZT1 = $_[5]; # [clobbered] ZMM register + my $ZT2 = $_[6]; # [clobbered] ZMM register + my $ZT3 = $_[7]; # [clobbered] ZMM register + my $ZT4 = $_[8]; # [clobbered] ZMM register + my $ZT5 = $_[9]; # [clobbered] ZMM register + my $ZT6 = $_[10]; # [clobbered] ZMM register + my $ZT7 = $_[11]; # [clobbered] ZMM register + my $ZT8 = $_[12]; # [clobbered] ZMM register + my $ZT9 = $_[13]; # [clobbered] ZMM register + my $ZT10 = $_[14]; # [clobbered] ZMM register + my $ZT11 = $_[15]; # [clobbered] ZMM register + my $ZT12 = $_[16]; # [clobbered] ZMM register + my $ZT13 = $_[17]; # [clobbered] ZMM register + my $ZT14 = $_[18]; # [clobbered] ZMM register + my $ZT15 = $_[19]; # [clobbered] ZMM register + my $ZT16 = $_[20]; # [clobbered] ZMM register + my $T1 = $_[21]; # [clobbered] GP register + my $T2 = $_[22]; # [clobbered] GP register + my $T3 = $_[23]; # [clobbered] GP register + my $MASKREG = $_[24]; # [clobbered] mask register + + my $HKEYS_READY = "%rbx"; + + my $SHFMSK = $ZT13; + + my $rndsuffix = &random_string(); + + $code .= <<___; + mov $A_IN,$T1 # ; T1 = AAD + mov $A_LEN,$T2 # ; T2 = aadLen + or $T2,$T2 + jz .L_CALC_AAD_done_${rndsuffix} + + xor $HKEYS_READY,$HKEYS_READY + vmovdqa64 SHUF_MASK(%rip),$SHFMSK + +.L_get_AAD_loop48x16_${rndsuffix}: + cmp \$`(48*16)`,$T2 + jl .L_exit_AAD_loop48x16_${rndsuffix} +___ + + $code .= <<___; + vmovdqu64 `64*0`($T1),$ZT1 # ; Blocks 0-3 + vmovdqu64 `64*1`($T1),$ZT2 # ; Blocks 4-7 + vmovdqu64 `64*2`($T1),$ZT3 # ; Blocks 8-11 + vmovdqu64 `64*3`($T1),$ZT4 # ; Blocks 12-15 + vpshufb $SHFMSK,$ZT1,$ZT1 + vpshufb $SHFMSK,$ZT2,$ZT2 + vpshufb $SHFMSK,$ZT3,$ZT3 + vpshufb $SHFMSK,$ZT4,$ZT4 +___ 
+ + &precompute_hkeys_on_stack($GCM128_CTX, $HKEYS_READY, $ZT0, $ZT8, $ZT9, $ZT10, $ZT11, $ZT12, $ZT14, "all"); + $code .= "mov \$1,$HKEYS_READY\n"; + + &GHASH_16( + "start", $ZT5, $ZT6, $ZT7, + "NO_INPUT_PTR", "NO_INPUT_PTR", "NO_INPUT_PTR", "%rsp", + &HashKeyOffsetByIdx(48, "frame"), 0, "@{[ZWORD($AAD_HASH)]}", $ZT0, + $ZT8, $ZT9, $ZT10, $ZT11, + $ZT12, $ZT14, $ZT15, $ZT16, + "NO_ZMM", $ZT1, $ZT2, $ZT3, + $ZT4); + + $code .= <<___; + vmovdqu64 `16*16 + 64*0`($T1),$ZT1 # ; Blocks 16-19 + vmovdqu64 `16*16 + 64*1`($T1),$ZT2 # ; Blocks 20-23 + vmovdqu64 `16*16 + 64*2`($T1),$ZT3 # ; Blocks 24-27 + vmovdqu64 `16*16 + 64*3`($T1),$ZT4 # ; Blocks 28-31 + vpshufb $SHFMSK,$ZT1,$ZT1 + vpshufb $SHFMSK,$ZT2,$ZT2 + vpshufb $SHFMSK,$ZT3,$ZT3 + vpshufb $SHFMSK,$ZT4,$ZT4 +___ + + &GHASH_16( + "mid", $ZT5, $ZT6, $ZT7, + "NO_INPUT_PTR", "NO_INPUT_PTR", "NO_INPUT_PTR", "%rsp", + &HashKeyOffsetByIdx(32, "frame"), 0, "NO_HASH_IN_OUT", $ZT0, + $ZT8, $ZT9, $ZT10, $ZT11, + $ZT12, $ZT14, $ZT15, $ZT16, + "NO_ZMM", $ZT1, $ZT2, $ZT3, + $ZT4); + + $code .= <<___; + vmovdqu64 `32*16 + 64*0`($T1),$ZT1 # ; Blocks 32-35 + vmovdqu64 `32*16 + 64*1`($T1),$ZT2 # ; Blocks 36-39 + vmovdqu64 `32*16 + 64*2`($T1),$ZT3 # ; Blocks 40-43 + vmovdqu64 `32*16 + 64*3`($T1),$ZT4 # ; Blocks 44-47 + vpshufb $SHFMSK,$ZT1,$ZT1 + vpshufb $SHFMSK,$ZT2,$ZT2 + vpshufb $SHFMSK,$ZT3,$ZT3 + vpshufb $SHFMSK,$ZT4,$ZT4 +___ + + &GHASH_16( + "end_reduce", $ZT5, $ZT6, $ZT7, + "NO_INPUT_PTR", "NO_INPUT_PTR", "NO_INPUT_PTR", "%rsp", + &HashKeyOffsetByIdx(16, "frame"), 0, &ZWORD($AAD_HASH), $ZT0, + $ZT8, $ZT9, $ZT10, $ZT11, + $ZT12, $ZT14, $ZT15, $ZT16, + "NO_ZMM", $ZT1, $ZT2, $ZT3, + $ZT4); + + $code .= <<___; + sub \$`(48*16)`,$T2 + je .L_CALC_AAD_done_${rndsuffix} + + add \$`(48*16)`,$T1 + jmp .L_get_AAD_loop48x16_${rndsuffix} + +.L_exit_AAD_loop48x16_${rndsuffix}: + # ; Less than 48x16 bytes remaining + cmp \$`(32*16)`,$T2 + jl .L_less_than_32x16_${rndsuffix} +___ + + $code .= <<___; + # ; Get next 16 blocks + vmovdqu64 
`64*0`($T1),$ZT1 + vmovdqu64 `64*1`($T1),$ZT2 + vmovdqu64 `64*2`($T1),$ZT3 + vmovdqu64 `64*3`($T1),$ZT4 + vpshufb $SHFMSK,$ZT1,$ZT1 + vpshufb $SHFMSK,$ZT2,$ZT2 + vpshufb $SHFMSK,$ZT3,$ZT3 + vpshufb $SHFMSK,$ZT4,$ZT4 +___ + + &precompute_hkeys_on_stack($GCM128_CTX, $HKEYS_READY, $ZT0, $ZT8, $ZT9, $ZT10, $ZT11, $ZT12, $ZT14, "first32"); + $code .= "mov \$1,$HKEYS_READY\n"; + + &GHASH_16( + "start", $ZT5, $ZT6, $ZT7, + "NO_INPUT_PTR", "NO_INPUT_PTR", "NO_INPUT_PTR", "%rsp", + &HashKeyOffsetByIdx(32, "frame"), 0, &ZWORD($AAD_HASH), $ZT0, + $ZT8, $ZT9, $ZT10, $ZT11, + $ZT12, $ZT14, $ZT15, $ZT16, + "NO_ZMM", $ZT1, $ZT2, $ZT3, + $ZT4); + + $code .= <<___; + vmovdqu64 `16*16 + 64*0`($T1),$ZT1 + vmovdqu64 `16*16 + 64*1`($T1),$ZT2 + vmovdqu64 `16*16 + 64*2`($T1),$ZT3 + vmovdqu64 `16*16 + 64*3`($T1),$ZT4 + vpshufb $SHFMSK,$ZT1,$ZT1 + vpshufb $SHFMSK,$ZT2,$ZT2 + vpshufb $SHFMSK,$ZT3,$ZT3 + vpshufb $SHFMSK,$ZT4,$ZT4 +___ + + &GHASH_16( + "end_reduce", $ZT5, $ZT6, $ZT7, + "NO_INPUT_PTR", "NO_INPUT_PTR", "NO_INPUT_PTR", "%rsp", + &HashKeyOffsetByIdx(16, "frame"), 0, &ZWORD($AAD_HASH), $ZT0, + $ZT8, $ZT9, $ZT10, $ZT11, + $ZT12, $ZT14, $ZT15, $ZT16, + "NO_ZMM", $ZT1, $ZT2, $ZT3, + $ZT4); + + $code .= <<___; + sub \$`(32*16)`,$T2 + je .L_CALC_AAD_done_${rndsuffix} + + add \$`(32*16)`,$T1 + jmp .L_less_than_16x16_${rndsuffix} + +.L_less_than_32x16_${rndsuffix}: + cmp \$`(16*16)`,$T2 + jl .L_less_than_16x16_${rndsuffix} + # ; Get next 16 blocks + vmovdqu64 `64*0`($T1),$ZT1 + vmovdqu64 `64*1`($T1),$ZT2 + vmovdqu64 `64*2`($T1),$ZT3 + vmovdqu64 `64*3`($T1),$ZT4 + vpshufb $SHFMSK,$ZT1,$ZT1 + vpshufb $SHFMSK,$ZT2,$ZT2 + vpshufb $SHFMSK,$ZT3,$ZT3 + vpshufb $SHFMSK,$ZT4,$ZT4 +___ + + # ; This code path does not use more than 16 hkeys, so they can be taken from the context + # ; (not from the stack storage) + &GHASH_16( + "start_reduce", $ZT5, $ZT6, $ZT7, + "NO_INPUT_PTR", "NO_INPUT_PTR", "NO_INPUT_PTR", $GCM128_CTX, + &HashKeyOffsetByIdx(16, "context"), 0, &ZWORD($AAD_HASH), $ZT0, + $ZT8, 
$ZT9, $ZT10, $ZT11, + $ZT12, $ZT14, $ZT15, $ZT16, + "NO_ZMM", $ZT1, $ZT2, $ZT3, + $ZT4); + + $code .= <<___; + sub \$`(16*16)`,$T2 + je .L_CALC_AAD_done_${rndsuffix} + + add \$`(16*16)`,$T1 + # ; Less than 16x16 bytes remaining +.L_less_than_16x16_${rndsuffix}: + # ;; prep mask source address + lea byte64_len_to_mask_table(%rip),$T3 + lea ($T3,$T2,8),$T3 + + # ;; calculate number of blocks to ghash (including partial bytes) + add \$15,@{[DWORD($T2)]} + shr \$4,@{[DWORD($T2)]} + cmp \$2,@{[DWORD($T2)]} + jb .L_AAD_blocks_1_${rndsuffix} + je .L_AAD_blocks_2_${rndsuffix} + cmp \$4,@{[DWORD($T2)]} + jb .L_AAD_blocks_3_${rndsuffix} + je .L_AAD_blocks_4_${rndsuffix} + cmp \$6,@{[DWORD($T2)]} + jb .L_AAD_blocks_5_${rndsuffix} + je .L_AAD_blocks_6_${rndsuffix} + cmp \$8,@{[DWORD($T2)]} + jb .L_AAD_blocks_7_${rndsuffix} + je .L_AAD_blocks_8_${rndsuffix} + cmp \$10,@{[DWORD($T2)]} + jb .L_AAD_blocks_9_${rndsuffix} + je .L_AAD_blocks_10_${rndsuffix} + cmp \$12,@{[DWORD($T2)]} + jb .L_AAD_blocks_11_${rndsuffix} + je .L_AAD_blocks_12_${rndsuffix} + cmp \$14,@{[DWORD($T2)]} + jb .L_AAD_blocks_13_${rndsuffix} + je .L_AAD_blocks_14_${rndsuffix} + cmp \$15,@{[DWORD($T2)]} + je .L_AAD_blocks_15_${rndsuffix} +___ + + # ;; fall through for 16 blocks + + # ;; The flow of each of these cases is identical: + # ;; - load blocks plain text + # ;; - shuffle loaded blocks + # ;; - xor in current hash value into block 0 + # ;; - perform up multiplications with ghash keys + # ;; - jump to reduction code + + for (my $aad_blocks = 16; $aad_blocks > 0; $aad_blocks--) { + $code .= ".L_AAD_blocks_${aad_blocks}_${rndsuffix}:\n"; + if ($aad_blocks > 12) { + $code .= "sub \$`12*16*8`, $T3\n"; + } elsif ($aad_blocks > 8) { + $code .= "sub \$`8*16*8`, $T3\n"; + } elsif ($aad_blocks > 4) { + $code .= "sub \$`4*16*8`, $T3\n"; + } + $code .= "kmovq ($T3),$MASKREG\n"; + + &ZMM_LOAD_MASKED_BLOCKS_0_16($aad_blocks, $T1, 0, $ZT1, $ZT2, $ZT3, $ZT4, $MASKREG); + + 
&ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16($aad_blocks, "vpshufb", $ZT1, $ZT2, $ZT3, $ZT4, + $ZT1, $ZT2, $ZT3, $ZT4, $SHFMSK, $SHFMSK, $SHFMSK, $SHFMSK); + + &GHASH_1_TO_16($GCM128_CTX, &ZWORD($AAD_HASH), + $ZT0, $ZT5, $ZT6, $ZT7, $ZT8, $ZT9, $ZT10, $ZT11, $ZT12, &ZWORD($AAD_HASH), $ZT1, $ZT2, $ZT3, $ZT4, $aad_blocks); + + if ($aad_blocks > 1) { + + # ;; fall through to CALC_AAD_done in 1 block case + $code .= "jmp .L_CALC_AAD_done_${rndsuffix}\n"; + } + + } + $code .= ".L_CALC_AAD_done_${rndsuffix}:\n"; + + # ;; result in AAD_HASH +} + +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +# ;; PARTIAL_BLOCK +# ;; Handles encryption/decryption and the tag partial blocks between +# ;; update calls. +# ;; Requires the input data be at least 1 byte long. +# ;; Output: +# ;; A cipher/plain of the first partial block (CIPH_PLAIN_OUT), +# ;; AAD_HASH and updated GCM128_CTX +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +sub PARTIAL_BLOCK { + my $GCM128_CTX = $_[0]; # [in] key pointer + my $PBLOCK_LEN = $_[1]; # [in] partial block length + my $CIPH_PLAIN_OUT = $_[2]; # [in] output buffer + my $PLAIN_CIPH_IN = $_[3]; # [in] input buffer + my $PLAIN_CIPH_LEN = $_[4]; # [in] buffer length + my $DATA_OFFSET = $_[5]; # [out] data offset (gets set) + my $AAD_HASH = $_[6]; # [out] updated GHASH value + my $ENC_DEC = $_[7]; # [in] cipher direction + my $GPTMP0 = $_[8]; # [clobbered] GP temporary register + my $GPTMP1 = $_[9]; # [clobbered] GP temporary register + my $GPTMP2 = $_[10]; # [clobbered] GP temporary register + my $ZTMP0 = $_[11]; # [clobbered] ZMM temporary register + my $ZTMP1 = $_[12]; # [clobbered] ZMM temporary register + my $ZTMP2 = $_[13]; # [clobbered] ZMM temporary register + my $ZTMP3 = $_[14]; # [clobbered] ZMM temporary register + my $ZTMP4 = $_[15]; # [clobbered] ZMM temporary register + my $ZTMP5 = $_[16]; # [clobbered] ZMM temporary register + my $ZTMP6 = $_[17]; # [clobbered] ZMM temporary register + my $ZTMP7 
= $_[18]; # [clobbered] ZMM temporary register + my $MASKREG = $_[19]; # [clobbered] mask temporary register + + my $XTMP0 = &XWORD($ZTMP0); + my $XTMP1 = &XWORD($ZTMP1); + my $XTMP2 = &XWORD($ZTMP2); + my $XTMP3 = &XWORD($ZTMP3); + my $XTMP4 = &XWORD($ZTMP4); + my $XTMP5 = &XWORD($ZTMP5); + my $XTMP6 = &XWORD($ZTMP6); + my $XTMP7 = &XWORD($ZTMP7); + + my $LENGTH = $DATA_OFFSET; + my $IA0 = $GPTMP1; + my $IA1 = $GPTMP2; + my $IA2 = $GPTMP0; + + my $rndsuffix = &random_string(); + + $code .= <<___; + # ;; if no partial block present then LENGTH/DATA_OFFSET will be set to zero + mov ($PBLOCK_LEN),$LENGTH + or $LENGTH,$LENGTH + je .L_partial_block_done_${rndsuffix} # ;Leave Macro if no partial blocks +___ + + &READ_SMALL_DATA_INPUT($XTMP0, $PLAIN_CIPH_IN, $PLAIN_CIPH_LEN, $IA0, $IA2, $MASKREG); + + $code .= <<___; + # ;; XTMP1 = my_ctx_data.partial_block_enc_key + vmovdqu64 $CTX_OFFSET_PEncBlock($GCM128_CTX),$XTMP1 + vmovdqu64 @{[HashKeyByIdx(1,$GCM128_CTX)]},$XTMP2 + + # ;; adjust the shuffle mask pointer to be able to shift right $LENGTH bytes + # ;; (16 - $LENGTH) is the number of bytes in plaintext mod 16) + lea SHIFT_MASK(%rip),$IA0 + add $LENGTH,$IA0 + vmovdqu64 ($IA0),$XTMP3 # ; shift right shuffle mask + vpshufb $XTMP3,$XTMP1,$XTMP1 +___ + + if ($ENC_DEC eq "DEC") { + $code .= <<___; + # ;; keep copy of cipher text in $XTMP4 + vmovdqa64 $XTMP0,$XTMP4 +___ + } + $code .= <<___; + vpxorq $XTMP0,$XTMP1,$XTMP1 # ; Ciphertext XOR E(K, Yn) + # ;; Set $IA1 to be the amount of data left in CIPH_PLAIN_IN after filling the block + # ;; Determine if partial block is not being filled and shift mask accordingly +___ + if ($win64) { + $code .= <<___; + mov $PLAIN_CIPH_LEN,$IA1 + add $LENGTH,$IA1 +___ + } else { + $code .= "lea ($PLAIN_CIPH_LEN, $LENGTH, 1),$IA1\n"; + } + $code .= <<___; + sub \$16,$IA1 + jge .L_no_extra_mask_${rndsuffix} + sub $IA1,$IA0 +.L_no_extra_mask_${rndsuffix}: + # ;; get the appropriate mask to mask out bottom $LENGTH bytes of $XTMP1 + # ;; - mask 
out bottom $LENGTH bytes of $XTMP1 + # ;; sizeof(SHIFT_MASK) == 16 bytes + vmovdqu64 16($IA0),$XTMP0 + vpand $XTMP0,$XTMP1,$XTMP1 +___ + + if ($ENC_DEC eq "DEC") { + $code .= <<___; + vpand $XTMP0,$XTMP4,$XTMP4 + vpshufb SHUF_MASK(%rip),$XTMP4,$XTMP4 + vpshufb $XTMP3,$XTMP4,$XTMP4 + vpxorq $XTMP4,$AAD_HASH,$AAD_HASH +___ + } else { + $code .= <<___; + vpshufb SHUF_MASK(%rip),$XTMP1,$XTMP1 + vpshufb $XTMP3,$XTMP1,$XTMP1 + vpxorq $XTMP1,$AAD_HASH,$AAD_HASH +___ + } + $code .= <<___; + cmp \$0,$IA1 + jl .L_partial_incomplete_${rndsuffix} +___ + + # ;; GHASH computation for the last <16 Byte block + &GHASH_MUL($AAD_HASH, $XTMP2, $XTMP5, $XTMP6, $XTMP7); + + $code .= <<___; + movq \$0, ($PBLOCK_LEN) + # ;; Set $LENGTH to be the number of bytes to write out + mov $LENGTH,$IA0 + mov \$16,$LENGTH + sub $IA0,$LENGTH + jmp .L_enc_dec_done_${rndsuffix} + +.L_partial_incomplete_${rndsuffix}: +___ + if ($win64) { + $code .= <<___; + mov $PLAIN_CIPH_LEN,$IA0 + add $IA0,($PBLOCK_LEN) +___ + } else { + $code .= "add $PLAIN_CIPH_LEN,($PBLOCK_LEN)\n"; + } + $code .= <<___; + mov $PLAIN_CIPH_LEN,$LENGTH + +.L_enc_dec_done_${rndsuffix}: + # ;; output encrypted Bytes + + lea byte_len_to_mask_table(%rip),$IA0 + kmovw ($IA0,$LENGTH,2),$MASKREG + vmovdqu64 $AAD_HASH,$CTX_OFFSET_AadHash($GCM128_CTX) +___ + + if ($ENC_DEC eq "ENC") { + $code .= <<___; + # ;; shuffle XTMP1 back to output as ciphertext + vpshufb SHUF_MASK(%rip),$XTMP1,$XTMP1 + vpshufb $XTMP3,$XTMP1,$XTMP1 +___ + } + $code .= <<___; + mov $CIPH_PLAIN_OUT,$IA0 + vmovdqu8 $XTMP1,($IA0){$MASKREG} +.L_partial_block_done_${rndsuffix}: +___ +} + +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +# ;; Ciphers 1 to 16 blocks and prepares them for later GHASH compute operation +sub INITIAL_BLOCKS_PARTIAL_CIPHER { + my $AES_KEYS = $_[0]; # [in] key pointer + my $GCM128_CTX = $_[1]; # [in] context pointer + my $CIPH_PLAIN_OUT = $_[2]; # [in] text output pointer + my $PLAIN_CIPH_IN = $_[3]; # [in] text 
input pointer + my $LENGTH = $_[4]; # [in/clobbered] length in bytes + my $DATA_OFFSET = $_[5]; # [in/out] current data offset (updated) + my $NUM_BLOCKS = $_[6]; # [in] can only be 1, 2, 3, 4, 5, ..., 15 or 16 (not 0) + my $CTR = $_[7]; # [in/out] current counter value + my $ENC_DEC = $_[8]; # [in] cipher direction (ENC/DEC) + my $DAT0 = $_[9]; # [out] ZMM with cipher text shuffled for GHASH + my $DAT1 = $_[10]; # [out] ZMM with cipher text shuffled for GHASH + my $DAT2 = $_[11]; # [out] ZMM with cipher text shuffled for GHASH + my $DAT3 = $_[12]; # [out] ZMM with cipher text shuffled for GHASH + my $LAST_CIPHER_BLK = $_[13]; # [out] XMM to put ciphered counter block partially xor'ed with text + my $LAST_GHASH_BLK = $_[14]; # [out] XMM to put last cipher text block shuffled for GHASH + my $CTR0 = $_[15]; # [clobbered] ZMM temporary + my $CTR1 = $_[16]; # [clobbered] ZMM temporary + my $CTR2 = $_[17]; # [clobbered] ZMM temporary + my $CTR3 = $_[18]; # [clobbered] ZMM temporary + my $ZT1 = $_[19]; # [clobbered] ZMM temporary + my $IA0 = $_[20]; # [clobbered] GP temporary + my $IA1 = $_[21]; # [clobbered] GP temporary + my $MASKREG = $_[22]; # [clobbered] mask register + my $SHUFMASK = $_[23]; # [out] ZMM loaded with BE/LE shuffle mask + + if ($NUM_BLOCKS == 1) { + $code .= "vmovdqa64 SHUF_MASK(%rip),@{[XWORD($SHUFMASK)]}\n"; + } elsif ($NUM_BLOCKS == 2) { + $code .= "vmovdqa64 SHUF_MASK(%rip),@{[YWORD($SHUFMASK)]}\n"; + } else { + $code .= "vmovdqa64 SHUF_MASK(%rip),$SHUFMASK\n"; + } + + # ;; prepare AES counter blocks + if ($NUM_BLOCKS == 1) { + $code .= "vpaddd ONE(%rip),$CTR,@{[XWORD($CTR0)]}\n"; + } elsif ($NUM_BLOCKS == 2) { + $code .= <<___; + vshufi64x2 \$0,@{[YWORD($CTR)]},@{[YWORD($CTR)]},@{[YWORD($CTR0)]} + vpaddd ddq_add_1234(%rip),@{[YWORD($CTR0)]},@{[YWORD($CTR0)]} +___ + } else { + $code .= <<___; + vshufi64x2 \$0,@{[ZWORD($CTR)]},@{[ZWORD($CTR)]},@{[ZWORD($CTR)]} + vpaddd ddq_add_1234(%rip),@{[ZWORD($CTR)]},$CTR0 +___ + if ($NUM_BLOCKS > 4) { + $code 
.= "vpaddd ddq_add_5678(%rip),@{[ZWORD($CTR)]},$CTR1\n"; + } + if ($NUM_BLOCKS > 8) { + $code .= "vpaddd ddq_add_8888(%rip),$CTR0,$CTR2\n"; + } + if ($NUM_BLOCKS > 12) { + $code .= "vpaddd ddq_add_8888(%rip),$CTR1,$CTR3\n"; + } + } + + # ;; get load/store mask + $code .= <<___; + lea byte64_len_to_mask_table(%rip),$IA0 + mov $LENGTH,$IA1 +___ + if ($NUM_BLOCKS > 12) { + $code .= "sub \$`3*64`,$IA1\n"; + } elsif ($NUM_BLOCKS > 8) { + $code .= "sub \$`2*64`,$IA1\n"; + } elsif ($NUM_BLOCKS > 4) { + $code .= "sub \$`1*64`,$IA1\n"; + } + $code .= "kmovq ($IA0,$IA1,8),$MASKREG\n"; + + # ;; extract new counter value + # ;; shuffle the counters for AES rounds + if ($NUM_BLOCKS <= 4) { + $code .= "vextracti32x4 \$`($NUM_BLOCKS - 1)`,$CTR0,$CTR\n"; + } elsif ($NUM_BLOCKS <= 8) { + $code .= "vextracti32x4 \$`($NUM_BLOCKS - 5)`,$CTR1,$CTR\n"; + } elsif ($NUM_BLOCKS <= 12) { + $code .= "vextracti32x4 \$`($NUM_BLOCKS - 9)`,$CTR2,$CTR\n"; + } else { + $code .= "vextracti32x4 \$`($NUM_BLOCKS - 13)`,$CTR3,$CTR\n"; + } + &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16( + $NUM_BLOCKS, "vpshufb", $CTR0, $CTR1, $CTR2, $CTR3, $CTR0, + $CTR1, $CTR2, $CTR3, $SHUFMASK, $SHUFMASK, $SHUFMASK, $SHUFMASK); + + # ;; load plain/cipher text + &ZMM_LOAD_MASKED_BLOCKS_0_16($NUM_BLOCKS, $PLAIN_CIPH_IN, $DATA_OFFSET, $DAT0, $DAT1, $DAT2, $DAT3, $MASKREG); + + # ;; AES rounds and XOR with plain/cipher text + foreach my $j (0 .. 
($NROUNDS + 1)) { + $code .= "vbroadcastf64x2 `($j * 16)`($AES_KEYS),$ZT1\n"; + &ZMM_AESENC_ROUND_BLOCKS_0_16($CTR0, $CTR1, $CTR2, $CTR3, $ZT1, $j, + $DAT0, $DAT1, $DAT2, $DAT3, $NUM_BLOCKS, $NROUNDS); + } + + # ;; retrieve the last cipher counter block (partially XOR'ed with text) + # ;; - this is needed for partial block cases + if ($NUM_BLOCKS <= 4) { + $code .= "vextracti32x4 \$`($NUM_BLOCKS - 1)`,$CTR0,$LAST_CIPHER_BLK\n"; + } elsif ($NUM_BLOCKS <= 8) { + $code .= "vextracti32x4 \$`($NUM_BLOCKS - 5)`,$CTR1,$LAST_CIPHER_BLK\n"; + } elsif ($NUM_BLOCKS <= 12) { + $code .= "vextracti32x4 \$`($NUM_BLOCKS - 9)`,$CTR2,$LAST_CIPHER_BLK\n"; + } else { + $code .= "vextracti32x4 \$`($NUM_BLOCKS - 13)`,$CTR3,$LAST_CIPHER_BLK\n"; + } + + # ;; write cipher/plain text back to output and + $code .= "mov $CIPH_PLAIN_OUT,$IA0\n"; + &ZMM_STORE_MASKED_BLOCKS_0_16($NUM_BLOCKS, $IA0, $DATA_OFFSET, $CTR0, $CTR1, $CTR2, $CTR3, $MASKREG); + + # ;; zero bytes outside the mask before hashing + if ($NUM_BLOCKS <= 4) { + $code .= "vmovdqu8 $CTR0,${CTR0}{$MASKREG}{z}\n"; + } elsif ($NUM_BLOCKS <= 8) { + $code .= "vmovdqu8 $CTR1,${CTR1}{$MASKREG}{z}\n"; + } elsif ($NUM_BLOCKS <= 12) { + $code .= "vmovdqu8 $CTR2,${CTR2}{$MASKREG}{z}\n"; + } else { + $code .= "vmovdqu8 $CTR3,${CTR3}{$MASKREG}{z}\n"; + } + + # ;; Shuffle the cipher text blocks for hashing part + # ;; ZT5 and ZT6 are expected outputs with blocks for hashing + if ($ENC_DEC eq "DEC") { + + # ;; Decrypt case + # ;; - cipher blocks are in ZT5 & ZT6 + &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16( + $NUM_BLOCKS, "vpshufb", $DAT0, $DAT1, $DAT2, $DAT3, $DAT0, + $DAT1, $DAT2, $DAT3, $SHUFMASK, $SHUFMASK, $SHUFMASK, $SHUFMASK); + } else { + + # ;; Encrypt case + # ;; - cipher blocks are in CTR0-CTR3 + &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16( + $NUM_BLOCKS, "vpshufb", $DAT0, $DAT1, $DAT2, $DAT3, $CTR0, + $CTR1, $CTR2, $CTR3, $SHUFMASK, $SHUFMASK, $SHUFMASK, $SHUFMASK); + } + + # ;; Extract the last block for partials and multi_call cases + 
if ($NUM_BLOCKS <= 4) {
+ $code .= "vextracti32x4 \$`($NUM_BLOCKS-1)`,$DAT0,$LAST_GHASH_BLK\n";
+ } elsif ($NUM_BLOCKS <= 8) {
+ $code .= "vextracti32x4 \$`($NUM_BLOCKS-5)`,$DAT1,$LAST_GHASH_BLK\n";
+ } elsif ($NUM_BLOCKS <= 12) {
+ $code .= "vextracti32x4 \$`($NUM_BLOCKS-9)`,$DAT2,$LAST_GHASH_BLK\n";
+ } else {
+ $code .= "vextracti32x4 \$`($NUM_BLOCKS-13)`,$DAT3,$LAST_GHASH_BLK\n";
+ }
+
+}
+
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+# ;; Computes GHASH on 1 to 16 blocks
+sub INITIAL_BLOCKS_PARTIAL_GHASH {
+ my $AES_KEYS = $_[0]; # [in] key pointer
+ my $GCM128_CTX = $_[1]; # [in] context pointer
+ my $LENGTH = $_[2]; # [in/clobbered] length in bytes
+ my $NUM_BLOCKS = $_[3]; # [in] can only be 1, 2, 3, 4, 5, ..., 15 or 16 (not 0)
+ my $HASH_IN_OUT = $_[4]; # [in/out] XMM ghash in/out value
+ my $ENC_DEC = $_[5]; # [in] cipher direction (ENC/DEC)
+ my $DAT0 = $_[6]; # [in] ZMM with cipher text shuffled for GHASH
+ my $DAT1 = $_[7]; # [in] ZMM with cipher text shuffled for GHASH
+ my $DAT2 = $_[8]; # [in] ZMM with cipher text shuffled for GHASH
+ my $DAT3 = $_[9]; # [in] ZMM with cipher text shuffled for GHASH
+ my $LAST_CIPHER_BLK = $_[10]; # [in] XMM with ciphered counter block partially xor'ed with text
+ my $LAST_GHASH_BLK = $_[11]; # [in] XMM with last cipher text block shuffled for GHASH
+ my $ZT0 = $_[12]; # [clobbered] ZMM temporary
+ my $ZT1 = $_[13]; # [clobbered] ZMM temporary
+ my $ZT2 = $_[14]; # [clobbered] ZMM temporary
+ my $ZT3 = $_[15]; # [clobbered] ZMM temporary
+ my $ZT4 = $_[16]; # [clobbered] ZMM temporary
+ my $ZT5 = $_[17]; # [clobbered] ZMM temporary
+ my $ZT6 = $_[18]; # [clobbered] ZMM temporary
+ my $ZT7 = $_[19]; # [clobbered] ZMM temporary
+ my $ZT8 = $_[20]; # [clobbered] ZMM temporary
+ my $PBLOCK_LEN = $_[21]; # [in] partial block length
+ my $GH = $_[22]; # [in] ZMM with hi product part
+ my $GM = $_[23]; # [in] ZMM with mid prodcut part
+ my $GL = $_[24]; # [in] ZMM with lo product part
+
+ my $rndsuffix = &random_string();
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;;; - Hash all but the last partial block of data
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+ # ;; update data offset
+ if ($NUM_BLOCKS > 1) {
+
+ # ;; The final block of data may be <16B
+ $code .= "sub \$16 * ($NUM_BLOCKS - 1),$LENGTH\n";
+ }
+
+ if ($NUM_BLOCKS < 16) {
+ $code .= <<___;
+ # ;; NOTE: the 'jl' is always taken for num_initial_blocks = 16.
+ # ;; This is run in the context of GCM_ENC_DEC_SMALL for length < 256.
+ cmp \$16,$LENGTH
+ jl .L_small_initial_partial_block_${rndsuffix}
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;;; Handle a full length final block - encrypt and hash all blocks
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+ sub \$16,$LENGTH
+ movq \$0,($PBLOCK_LEN)
+___
+
+ # ;; Hash all of the data
+ if (scalar(@_) == 22) {
+
+ # ;; start GHASH compute
+ &GHASH_1_TO_16($GCM128_CTX, $HASH_IN_OUT, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4,
+ $ZT5, $ZT6, $ZT7, $ZT8, &ZWORD($HASH_IN_OUT), $DAT0, $DAT1, $DAT2, $DAT3, $NUM_BLOCKS);
+ } elsif (scalar(@_) == 25) {
+
+ # ;; continue GHASH compute
+ &GHASH_1_TO_16($GCM128_CTX, $HASH_IN_OUT, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4,
+ $ZT5, $ZT6, $ZT7, $ZT8, &ZWORD($HASH_IN_OUT), $DAT0, $DAT1, $DAT2, $DAT3, $NUM_BLOCKS, $GH, $GM, $GL);
+ }
+ $code .= "jmp .L_small_initial_compute_done_${rndsuffix}\n";
+ }
+
+ $code .= <<___;
+.L_small_initial_partial_block_${rndsuffix}:
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;;; Handle ghash for a <16B final block
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+ # ;; As it's an init / update / finalize series we need to leave the
+ # ;; last block if it's less than a full block of data.
+
+ mov $LENGTH,($PBLOCK_LEN)
+ vmovdqu64 $LAST_CIPHER_BLK,$CTX_OFFSET_PEncBlock($GCM128_CTX)
+___
+
+ my $k = ($NUM_BLOCKS - 1);
+ my $last_block_to_hash = 1;
+ if (($NUM_BLOCKS > $last_block_to_hash)) {
+
+ # ;; ZT12-ZT20 - temporary registers
+ if (scalar(@_) == 22) {
+
+ # ;; start GHASH compute
+ &GHASH_1_TO_16($GCM128_CTX, $HASH_IN_OUT, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4,
+ $ZT5, $ZT6, $ZT7, $ZT8, &ZWORD($HASH_IN_OUT), $DAT0, $DAT1, $DAT2, $DAT3, $k);
+ } elsif (scalar(@_) == 25) {
+
+ # ;; continue GHASH compute
+ &GHASH_1_TO_16($GCM128_CTX, $HASH_IN_OUT, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4,
+ $ZT5, $ZT6, $ZT7, $ZT8, &ZWORD($HASH_IN_OUT), $DAT0, $DAT1, $DAT2, $DAT3, $k, $GH, $GM, $GL);
+ }
+
+ # ;; just fall through no jmp needed
+ } else {
+
+ if (scalar(@_) == 25) {
+ $code .= <<___;
+ # ;; Reduction is required in this case.
+ # ;; Integrate GM into GH and GL.
+ vpsrldq \$8,$GM,$ZT0
+ vpslldq \$8,$GM,$ZT1
+ vpxorq $ZT0,$GH,$GH
+ vpxorq $ZT1,$GL,$GL
+___
+
+ # ;; Add GH and GL 128-bit words horizontally
+ &VHPXORI4x128($GH, $ZT0);
+ &VHPXORI4x128($GL, $ZT1);
+
+ # ;; 256-bit to 128-bit reduction
+ $code .= "vmovdqa64 POLY2(%rip),@{[XWORD($ZT0)]}\n";
+ &VCLMUL_REDUCE(&XWORD($HASH_IN_OUT), &XWORD($ZT0), &XWORD($GH), &XWORD($GL), &XWORD($ZT1), &XWORD($ZT2));
+ }
+ $code .= <<___;
+ # ;; Record that a reduction is not needed -
+ # ;; In this case no hashes are computed because there
+ # ;; is only one initial block and it is < 16B in length.
+ # ;; We only need to check if a reduction is needed if
+ # ;; initial_blocks == 1 and init/update/final is being used.
+ # ;; In this case we may just have a partial block, and that
+ # ;; gets hashed in finalize.
+
+ # ;; The hash should end up in HASH_IN_OUT.
+ # ;; The only way we should get here is if there is
+ # ;; a partial block of data, so xor that into the hash.
+ vpxorq $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT
+ # ;; The result is in $HASH_IN_OUT
+ jmp .L_after_reduction_${rndsuffix}
+___
+ }
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;;; After GHASH reduction
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+ $code .= ".L_small_initial_compute_done_${rndsuffix}:\n";
+
+ # ;; If using init/update/finalize, we need to xor any partial block data
+ # ;; into the hash.
+ if ($NUM_BLOCKS > 1) {
+
+ # ;; NOTE: for $NUM_BLOCKS = 0 the xor never takes place
+ if ($NUM_BLOCKS != 16) {
+ $code .= <<___;
+ # ;; NOTE: for $NUM_BLOCKS = 16, $LENGTH, stored in [PBlockLen] is never zero
+ or $LENGTH,$LENGTH
+ je .L_after_reduction_${rndsuffix}
+___
+ }
+ $code .= "vpxorq $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT\n";
+ }
+
+ $code .= ".L_after_reduction_${rndsuffix}:\n";
+
+ # ;; Final hash is now in HASH_IN_OUT
+}
+
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+# ;; INITIAL_BLOCKS_PARTIAL macro with support for a partial final block.
+# ;; It may look similar to INITIAL_BLOCKS but its usage is different:
+# ;; - first encrypts/decrypts required number of blocks and then
+# ;; ghashes these blocks
+# ;; - Small packets or left over data chunks (<256 bytes)
+# ;; - Remaining data chunks below 256 bytes (multi buffer code)
+# ;;
+# ;; num_initial_blocks is expected to include the partial final block
+# ;; in the count.
+sub INITIAL_BLOCKS_PARTIAL {
+ my $AES_KEYS = $_[0]; # [in] key pointer
+ my $GCM128_CTX = $_[1]; # [in] context pointer
+ my $CIPH_PLAIN_OUT = $_[2]; # [in] text output pointer
+ my $PLAIN_CIPH_IN = $_[3]; # [in] text input pointer
+ my $LENGTH = $_[4]; # [in/clobbered] length in bytes
+ my $DATA_OFFSET = $_[5]; # [in/out] current data offset (updated)
+ my $NUM_BLOCKS = $_[6]; # [in] can only be 1, 2, 3, 4, 5, ..., 15 or 16 (not 0)
+ my $CTR = $_[7]; # [in/out] current counter value
+ my $HASH_IN_OUT = $_[8]; # [in/out] XMM ghash in/out value
+ my $ENC_DEC = $_[9]; # [in] cipher direction (ENC/DEC)
+ my $CTR0 = $_[10]; # [clobbered] ZMM temporary
+ my $CTR1 = $_[11]; # [clobbered] ZMM temporary
+ my $CTR2 = $_[12]; # [clobbered] ZMM temporary
+ my $CTR3 = $_[13]; # [clobbered] ZMM temporary
+ my $DAT0 = $_[14]; # [clobbered] ZMM temporary
+ my $DAT1 = $_[15]; # [clobbered] ZMM temporary
+ my $DAT2 = $_[16]; # [clobbered] ZMM temporary
+ my $DAT3 = $_[17]; # [clobbered] ZMM temporary
+ my $LAST_CIPHER_BLK = $_[18]; # [clobbered] ZMM temporary
+ my $LAST_GHASH_BLK = $_[19]; # [clobbered] ZMM temporary
+ my $ZT0 = $_[20]; # [clobbered] ZMM temporary
+ my $ZT1 = $_[21]; # [clobbered] ZMM temporary
+ my $ZT2 = $_[22]; # [clobbered] ZMM temporary
+ my $ZT3 = $_[23]; # [clobbered] ZMM temporary
+ my $ZT4 = $_[24]; # [clobbered] ZMM temporary
+ my $IA0 = $_[25]; # [clobbered] GP temporary
+ my $IA1 = $_[26]; # [clobbered] GP temporary
+ my $MASKREG = $_[27]; # [clobbered] mask register
+ my $SHUFMASK = $_[28]; # [clobbered] ZMM for BE/LE shuffle mask
+ my $PBLOCK_LEN = $_[29]; # [in] partial block length
+
+ &INITIAL_BLOCKS_PARTIAL_CIPHER(
+ $AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN,
+ $LENGTH, $DATA_OFFSET, $NUM_BLOCKS, $CTR,
+ $ENC_DEC, $DAT0, $DAT1, $DAT2,
+ $DAT3, &XWORD($LAST_CIPHER_BLK), &XWORD($LAST_GHASH_BLK), $CTR0,
+ $CTR1, $CTR2, $CTR3, $ZT0,
+ $IA0, $IA1, $MASKREG, $SHUFMASK);
+
+ &INITIAL_BLOCKS_PARTIAL_GHASH($AES_KEYS, $GCM128_CTX, $LENGTH,
$NUM_BLOCKS, $HASH_IN_OUT, $ENC_DEC, $DAT0,
+ $DAT1, $DAT2, $DAT3, &XWORD($LAST_CIPHER_BLK),
+ &XWORD($LAST_GHASH_BLK), $CTR0, $CTR1, $CTR2, $CTR3, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4, $PBLOCK_LEN);
+}
+
+# ;; ===========================================================================
+# ;; Stitched GHASH of 16 blocks (with reduction) with encryption of N blocks
+# ;; followed with GHASH of the N blocks.
+sub GHASH_16_ENCRYPT_N_GHASH_N {
+ my $AES_KEYS = $_[0]; # [in] key pointer
+ my $GCM128_CTX = $_[1]; # [in] context pointer
+ my $CIPH_PLAIN_OUT = $_[2]; # [in] pointer to output buffer
+ my $PLAIN_CIPH_IN = $_[3]; # [in] pointer to input buffer
+ my $DATA_OFFSET = $_[4]; # [in] data offset
+ my $LENGTH = $_[5]; # [in] data length
+ my $CTR_BE = $_[6]; # [in/out] ZMM counter blocks (last 4) in big-endian
+ my $CTR_CHECK = $_[7]; # [in/out] GP with 8-bit counter for overflow check
+ my $HASHKEY_OFFSET = $_[8]; # [in] numerical offset for the highest hash key
+ # (can be in form of register or numerical value)
+ my $GHASHIN_BLK_OFFSET = $_[9]; # [in] numerical offset for GHASH blocks in
+ my $SHFMSK = $_[10]; # [in] ZMM with byte swap mask for pshufb
+ my $B00_03 = $_[11]; # [clobbered] temporary ZMM
+ my $B04_07 = $_[12]; # [clobbered] temporary ZMM
+ my $B08_11 = $_[13]; # [clobbered] temporary ZMM
+ my $B12_15 = $_[14]; # [clobbered] temporary ZMM
+ my $GH1H_UNUSED = $_[15]; # [clobbered] temporary ZMM
+ my $GH1L = $_[16]; # [clobbered] temporary ZMM
+ my $GH1M = $_[17]; # [clobbered] temporary ZMM
+ my $GH1T = $_[18]; # [clobbered] temporary ZMM
+ my $GH2H = $_[19]; # [clobbered] temporary ZMM
+ my $GH2L = $_[20]; # [clobbered] temporary ZMM
+ my $GH2M = $_[21]; # [clobbered] temporary ZMM
+ my $GH2T = $_[22]; # [clobbered] temporary ZMM
+ my $GH3H = $_[23]; # [clobbered] temporary ZMM
+ my $GH3L = $_[24]; # [clobbered] temporary ZMM
+ my $GH3M = $_[25]; # [clobbered] temporary ZMM
+ my $GH3T = $_[26]; # [clobbered] temporary ZMM
+ my $AESKEY1 = $_[27]; # [clobbered]
temporary ZMM
+ my $AESKEY2 = $_[28]; # [clobbered] temporary ZMM
+ my $GHKEY1 = $_[29]; # [clobbered] temporary ZMM
+ my $GHKEY2 = $_[30]; # [clobbered] temporary ZMM
+ my $GHDAT1 = $_[31]; # [clobbered] temporary ZMM
+ my $GHDAT2 = $_[32]; # [clobbered] temporary ZMM
+ my $ZT01 = $_[33]; # [clobbered] temporary ZMM
+ my $ADDBE_4x4 = $_[34]; # [in] ZMM with 4x128bits 4 in big-endian
+ my $ADDBE_1234 = $_[35]; # [in] ZMM with 4x128bits 1, 2, 3 and 4 in big-endian
+ my $GHASH_TYPE = $_[36]; # [in] "start", "start_reduce", "mid", "end_reduce"
+ my $TO_REDUCE_L = $_[37]; # [in] ZMM for low 4x128-bit GHASH sum
+ my $TO_REDUCE_H = $_[38]; # [in] ZMM for hi 4x128-bit GHASH sum
+ my $TO_REDUCE_M = $_[39]; # [in] ZMM for medium 4x128-bit GHASH sum
+ my $ENC_DEC = $_[40]; # [in] cipher direction
+ my $HASH_IN_OUT = $_[41]; # [in/out] XMM ghash in/out value
+ my $IA0 = $_[42]; # [clobbered] GP temporary
+ my $IA1 = $_[43]; # [clobbered] GP temporary
+ my $MASKREG = $_[44]; # [clobbered] mask register
+ my $NUM_BLOCKS = $_[45]; # [in] numerical value with number of blocks to be encrypted/ghashed (1 to 16)
+ my $PBLOCK_LEN = $_[46]; # [in] partial block length
+
+ die "GHASH_16_ENCRYPT_N_GHASH_N: num_blocks is out of bounds = $NUM_BLOCKS\n"
+ if ($NUM_BLOCKS > 16 || $NUM_BLOCKS < 0);
+
+ my $rndsuffix = &random_string();
+
+ my $GH1H = $HASH_IN_OUT;
+
+ # ; this is to avoid additional move in do_reduction case
+
+ my $LAST_GHASH_BLK = $GH1L;
+ my $LAST_CIPHER_BLK = $GH1T;
+
+ my $RED_POLY = $GH2T;
+ my $RED_P1 = $GH2L;
+ my $RED_T1 = $GH2H;
+ my $RED_T2 = $GH2M;
+
+ my $DATA1 = $GH3H;
+ my $DATA2 = $GH3L;
+ my $DATA3 = $GH3M;
+ my $DATA4 = $GH3T;
+
+ # ;; do reduction after the 16 blocks ?
+ my $do_reduction = 0;
+
+ # ;; is 16 block chunk a start?
+ my $is_start = 0;
+
+ if ($GHASH_TYPE eq "start_reduce") {
+ $is_start = 1;
+ $do_reduction = 1;
+ }
+
+ if ($GHASH_TYPE eq "start") {
+ $is_start = 1;
+ }
+
+ if ($GHASH_TYPE eq "end_reduce") {
+ $do_reduction = 1;
+ }
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; - get load/store mask
+ # ;; - load plain/cipher text
+ # ;; get load/store mask
+ $code .= <<___;
+ lea byte64_len_to_mask_table(%rip),$IA0
+ mov $LENGTH,$IA1
+___
+ if ($NUM_BLOCKS > 12) {
+ $code .= "sub \$`3*64`,$IA1\n";
+ } elsif ($NUM_BLOCKS > 8) {
+ $code .= "sub \$`2*64`,$IA1\n";
+ } elsif ($NUM_BLOCKS > 4) {
+ $code .= "sub \$`1*64`,$IA1\n";
+ }
+ $code .= "kmovq ($IA0,$IA1,8),$MASKREG\n";
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; prepare counter blocks
+
+ $code .= <<___;
+ cmp \$`(256 - $NUM_BLOCKS)`,@{[DWORD($CTR_CHECK)]}
+ jae .L_16_blocks_overflow_${rndsuffix}
+___
+
+ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vpaddd", $B00_03, $B04_07, $B08_11, $B12_15, $CTR_BE,
+ $B00_03, $B04_07, $B08_11, $ADDBE_1234, $ADDBE_4x4, $ADDBE_4x4, $ADDBE_4x4);
+ $code .= <<___;
+ jmp .L_16_blocks_ok_${rndsuffix}
+
+.L_16_blocks_overflow_${rndsuffix}:
+ vpshufb $SHFMSK,$CTR_BE,$CTR_BE
+ vpaddd ddq_add_1234(%rip),$CTR_BE,$B00_03
+___
+ if ($NUM_BLOCKS > 4) {
+ $code .= <<___;
+ vmovdqa64 ddq_add_4444(%rip),$B12_15
+ vpaddd $B12_15,$B00_03,$B04_07
+___
+ }
+ if ($NUM_BLOCKS > 8) {
+ $code .= "vpaddd $B12_15,$B04_07,$B08_11\n";
+ }
+ if ($NUM_BLOCKS > 12) {
+ $code .= "vpaddd $B12_15,$B08_11,$B12_15\n";
+ }
+ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vpshufb", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
+ $B04_07, $B08_11, $B12_15, $SHFMSK, $SHFMSK, $SHFMSK, $SHFMSK);
+ $code .= <<___;
+.L_16_blocks_ok_${rndsuffix}:
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; - pre-load constants
+ # ;; - add current hash into the 1st block
+ vbroadcastf64x2 `(16 * 0)`($AES_KEYS),$AESKEY1
+___
+ if ($is_start != 0) {
+ $code .=
"vpxorq `$GHASHIN_BLK_OFFSET + (0*64)`(%rsp),$HASH_IN_OUT,$GHDAT1\n";
+ } else {
+ $code .= "vmovdqa64 `$GHASHIN_BLK_OFFSET + (0*64)`(%rsp),$GHDAT1\n";
+ }
+
+ $code .= "vmovdqu64 @{[EffectiveAddress(\"%rsp\",$HASHKEY_OFFSET,0*64)]},$GHKEY1\n";
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; save counter for the next round
+ # ;; increment counter overflow check register
+ if ($NUM_BLOCKS <= 4) {
+ $code .= "vextracti32x4 \$`($NUM_BLOCKS - 1)`,$B00_03,@{[XWORD($CTR_BE)]}\n";
+ } elsif ($NUM_BLOCKS <= 8) {
+ $code .= "vextracti32x4 \$`($NUM_BLOCKS - 5)`,$B04_07,@{[XWORD($CTR_BE)]}\n";
+ } elsif ($NUM_BLOCKS <= 12) {
+ $code .= "vextracti32x4 \$`($NUM_BLOCKS - 9)`,$B08_11,@{[XWORD($CTR_BE)]}\n";
+ } else {
+ $code .= "vextracti32x4 \$`($NUM_BLOCKS - 13)`,$B12_15,@{[XWORD($CTR_BE)]}\n";
+ }
+ $code .= "vshufi64x2 \$0b00000000,$CTR_BE,$CTR_BE,$CTR_BE\n";
+
+ $code .= <<___;
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; pre-load constants
+ vbroadcastf64x2 `(16 * 1)`($AES_KEYS),$AESKEY2
+ vmovdqu64 @{[EffectiveAddress("%rsp",$HASHKEY_OFFSET,1*64)]},$GHKEY2
+ vmovdqa64 `$GHASHIN_BLK_OFFSET + (1*64)`(%rsp),$GHDAT2
+___
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; stitch AES rounds with GHASH
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; AES round 0 - ARK
+
+ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vpxorq", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
+ $B04_07, $B08_11, $B12_15, $AESKEY1, $AESKEY1, $AESKEY1, $AESKEY1);
+ $code .= "vbroadcastf64x2 `(16 * 2)`($AES_KEYS),$AESKEY1\n";
+
+ $code .= <<___;
+ # ;;==================================================
+ # ;; GHASH 4 blocks (15 to 12)
+ vpclmulqdq \$0x11,$GHKEY1,$GHDAT1,$GH1H # ; a1*b1
+ vpclmulqdq \$0x00,$GHKEY1,$GHDAT1,$GH1L # ; a0*b0
+ vpclmulqdq \$0x01,$GHKEY1,$GHDAT1,$GH1M # ; a1*b0
+ vpclmulqdq \$0x10,$GHKEY1,$GHDAT1,$GH1T # ; a0*b1
+ vmovdqu64 @{[EffectiveAddress("%rsp",$HASHKEY_OFFSET,2*64)]},$GHKEY1
+ vmovdqa64
`$GHASHIN_BLK_OFFSET + (2*64)`(%rsp),$GHDAT1
+___
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; AES round 1
+ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
+ $B04_07, $B08_11, $B12_15, $AESKEY2, $AESKEY2, $AESKEY2, $AESKEY2);
+ $code .= "vbroadcastf64x2 `(16 * 3)`($AES_KEYS),$AESKEY2\n";
+
+ $code .= <<___;
+ # ;; =================================================
+ # ;; GHASH 4 blocks (11 to 8)
+ vpclmulqdq \$0x10,$GHKEY2,$GHDAT2,$GH2M # ; a0*b1
+ vpclmulqdq \$0x01,$GHKEY2,$GHDAT2,$GH2T # ; a1*b0
+ vpclmulqdq \$0x11,$GHKEY2,$GHDAT2,$GH2H # ; a1*b1
+ vpclmulqdq \$0x00,$GHKEY2,$GHDAT2,$GH2L # ; a0*b0
+ vmovdqu64 @{[EffectiveAddress("%rsp",$HASHKEY_OFFSET,3*64)]},$GHKEY2
+ vmovdqa64 `$GHASHIN_BLK_OFFSET + (3*64)`(%rsp),$GHDAT2
+___
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; AES round 2
+ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
+ $B04_07, $B08_11, $B12_15, $AESKEY1, $AESKEY1, $AESKEY1, $AESKEY1);
+ $code .= "vbroadcastf64x2 `(16 * 4)`($AES_KEYS),$AESKEY1\n";
+
+ $code .= <<___;
+ # ;; =================================================
+ # ;; GHASH 4 blocks (7 to 4)
+ vpclmulqdq \$0x10,$GHKEY1,$GHDAT1,$GH3M # ; a0*b1
+ vpclmulqdq \$0x01,$GHKEY1,$GHDAT1,$GH3T # ; a1*b0
+ vpclmulqdq \$0x11,$GHKEY1,$GHDAT1,$GH3H # ; a1*b1
+ vpclmulqdq \$0x00,$GHKEY1,$GHDAT1,$GH3L # ; a0*b0
+___
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; AES rounds 3
+ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
+ $B04_07, $B08_11, $B12_15, $AESKEY2, $AESKEY2, $AESKEY2, $AESKEY2);
+ $code .= "vbroadcastf64x2 `(16 * 5)`($AES_KEYS),$AESKEY2\n";
+
+ $code .= <<___;
+ # ;; =================================================
+ # ;; Gather (XOR) GHASH for 12 blocks
+ vpternlogq \$0x96,$GH3H,$GH2H,$GH1H
+ vpternlogq \$0x96,$GH3L,$GH2L,$GH1L
+
vpternlogq \$0x96,$GH3T,$GH2T,$GH1T
+ vpternlogq \$0x96,$GH3M,$GH2M,$GH1M
+___
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; AES rounds 4
+ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
+ $B04_07, $B08_11, $B12_15, $AESKEY1, $AESKEY1, $AESKEY1, $AESKEY1);
+ $code .= "vbroadcastf64x2 `(16 * 6)`($AES_KEYS),$AESKEY1\n";
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; load plain/cipher text
+ &ZMM_LOAD_MASKED_BLOCKS_0_16($NUM_BLOCKS, $PLAIN_CIPH_IN, $DATA_OFFSET, $DATA1, $DATA2, $DATA3, $DATA4, $MASKREG);
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; AES rounds 5
+ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
+ $B04_07, $B08_11, $B12_15, $AESKEY2, $AESKEY2, $AESKEY2, $AESKEY2);
+ $code .= "vbroadcastf64x2 `(16 * 7)`($AES_KEYS),$AESKEY2\n";
+
+ $code .= <<___;
+ # ;; =================================================
+ # ;; GHASH 4 blocks (3 to 0)
+ vpclmulqdq \$0x10,$GHKEY2,$GHDAT2,$GH2M # ; a0*b1
+ vpclmulqdq \$0x01,$GHKEY2,$GHDAT2,$GH2T # ; a1*b0
+ vpclmulqdq \$0x11,$GHKEY2,$GHDAT2,$GH2H # ; a1*b1
+ vpclmulqdq \$0x00,$GHKEY2,$GHDAT2,$GH2L # ; a0*b0
+___
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; AES round 6
+ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
+ $B04_07, $B08_11, $B12_15, $AESKEY1, $AESKEY1, $AESKEY1, $AESKEY1);
+ $code .= "vbroadcastf64x2 `(16 * 8)`($AES_KEYS),$AESKEY1\n";
+
+ # ;; =================================================
+ # ;; gather GHASH in GH1L (low), GH1H (high), GH1M (mid)
+ # ;; - add GH2[MTLH] to GH1[MTLH]
+ $code .= "vpternlogq \$0x96,$GH2T,$GH1T,$GH1M\n";
+ if ($do_reduction != 0) {
+
+ if ($is_start != 0) {
+ $code .= "vpxorq $GH2M,$GH1M,$GH1M\n";
+ } else {
+ $code .= <<___;
+ vpternlogq \$0x96,$GH2H,$TO_REDUCE_H,$GH1H
+ vpternlogq
\$0x96,$GH2L,$TO_REDUCE_L,$GH1L
+ vpternlogq \$0x96,$GH2M,$TO_REDUCE_M,$GH1M
+___
+ }
+
+ } else {
+
+ # ;; Update H/M/L hash sums if not carrying reduction
+ if ($is_start != 0) {
+ $code .= <<___;
+ vpxorq $GH2H,$GH1H,$TO_REDUCE_H
+ vpxorq $GH2L,$GH1L,$TO_REDUCE_L
+ vpxorq $GH2M,$GH1M,$TO_REDUCE_M
+___
+ } else {
+ $code .= <<___;
+ vpternlogq \$0x96,$GH2H,$GH1H,$TO_REDUCE_H
+ vpternlogq \$0x96,$GH2L,$GH1L,$TO_REDUCE_L
+ vpternlogq \$0x96,$GH2M,$GH1M,$TO_REDUCE_M
+___
+ }
+
+ }
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; AES round 7
+ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
+ $B04_07, $B08_11, $B12_15, $AESKEY2, $AESKEY2, $AESKEY2, $AESKEY2);
+ $code .= "vbroadcastf64x2 `(16 * 9)`($AES_KEYS),$AESKEY2\n";
+
+ # ;; =================================================
+ # ;; prepare mid sum for adding to high & low
+ # ;; load polynomial constant for reduction
+ if ($do_reduction != 0) {
+ $code .= <<___;
+ vpsrldq \$8,$GH1M,$GH2M
+ vpslldq \$8,$GH1M,$GH1M
+
+ vmovdqa64 POLY2(%rip),@{[XWORD($RED_POLY)]}
+___
+ }
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; AES round 8
+ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
+ $B04_07, $B08_11, $B12_15, $AESKEY1, $AESKEY1, $AESKEY1, $AESKEY1);
+ $code .= "vbroadcastf64x2 `(16 * 10)`($AES_KEYS),$AESKEY1\n";
+
+ # ;; =================================================
+ # ;; Add mid product to high and low
+ if ($do_reduction != 0) {
+ if ($is_start != 0) {
+ $code .= <<___;
+ vpternlogq \$0x96,$GH2M,$GH2H,$GH1H # ; TH = TH1 + TH2 + TM>>64
+ vpternlogq \$0x96,$GH1M,$GH2L,$GH1L # ; TL = TL1 + TL2 + TM<<64
+___
+ } else {
+ $code .= <<___;
+ vpxorq $GH2M,$GH1H,$GH1H # ; TH = TH1 + TM>>64
+ vpxorq $GH1M,$GH1L,$GH1L # ; TL = TL1 + TM<<64
+___
+ }
+ }
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; AES round 9
+
&ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
+ $B04_07, $B08_11, $B12_15, $AESKEY2, $AESKEY2, $AESKEY2, $AESKEY2);
+
+ # ;; =================================================
+ # ;; horizontal xor of low and high 4x128
+ if ($do_reduction != 0) {
+ &VHPXORI4x128($GH1H, $GH2H);
+ &VHPXORI4x128($GH1L, $GH2L);
+ }
+
+ if (($NROUNDS >= 11)) {
+ $code .= "vbroadcastf64x2 `(16 * 11)`($AES_KEYS),$AESKEY2\n";
+ }
+
+ # ;; =================================================
+ # ;; first phase of reduction
+ if ($do_reduction != 0) {
+ $code .= <<___;
+ vpclmulqdq \$0x01,@{[XWORD($GH1L)]},@{[XWORD($RED_POLY)]},@{[XWORD($RED_P1)]}
+ vpslldq \$8,@{[XWORD($RED_P1)]},@{[XWORD($RED_P1)]} # ; shift-L 2 DWs
+ vpxorq @{[XWORD($RED_P1)]},@{[XWORD($GH1L)]},@{[XWORD($RED_P1)]} # ; first phase of the reduct
+___
+ }
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; AES rounds up to 11 (AES192) or 13 (AES256)
+ # ;; AES128 is done
+ if (($NROUNDS >= 11)) {
+ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
+ $B04_07, $B08_11, $B12_15, $AESKEY1, $AESKEY1, $AESKEY1, $AESKEY1);
+ $code .= "vbroadcastf64x2 `(16 * 12)`($AES_KEYS),$AESKEY1\n";
+
+ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
+ $B04_07, $B08_11, $B12_15, $AESKEY2, $AESKEY2, $AESKEY2, $AESKEY2);
+ if (($NROUNDS == 13)) {
+ $code .= "vbroadcastf64x2 `(16 * 13)`($AES_KEYS),$AESKEY2\n";
+
+ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
+ $B04_07, $B08_11, $B12_15, $AESKEY1, $AESKEY1, $AESKEY1, $AESKEY1);
+ $code .= "vbroadcastf64x2 `(16 * 14)`($AES_KEYS),$AESKEY1\n";
+
+ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
+ $B04_07, $B08_11, $B12_15, $AESKEY2, $AESKEY2, $AESKEY2, $AESKEY2);
+
}
+ }
+
+ # ;; =================================================
+ # ;; second phase of the reduction
+ if ($do_reduction != 0) {
+ $code .= <<___;
+ vpclmulqdq \$0x00,@{[XWORD($RED_P1)]},@{[XWORD($RED_POLY)]},@{[XWORD($RED_T1)]}
+ vpsrldq \$4,@{[XWORD($RED_T1)]},@{[XWORD($RED_T1)]} # ; shift-R 1-DW to obtain 2-DWs shift-R
+ vpclmulqdq \$0x10,@{[XWORD($RED_P1)]},@{[XWORD($RED_POLY)]},@{[XWORD($RED_T2)]}
+ vpslldq \$4,@{[XWORD($RED_T2)]},@{[XWORD($RED_T2)]} # ; shift-L 1-DW for result without shifts
+ # ;; GH1H = GH1H + RED_T1 + RED_T2
+ vpternlogq \$0x96,@{[XWORD($RED_T1)]},@{[XWORD($RED_T2)]},@{[XWORD($GH1H)]}
+___
+ }
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; the last AES round
+ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vaesenclast", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
+ $B04_07, $B08_11, $B12_15, $AESKEY1, $AESKEY1, $AESKEY1, $AESKEY1);
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; XOR against plain/cipher text
+ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vpxorq", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
+ $B04_07, $B08_11, $B12_15, $DATA1, $DATA2, $DATA3, $DATA4);
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; retrieve the last cipher counter block (partially XOR'ed with text)
+ # ;; - this is needed for partial block cases
+ if ($NUM_BLOCKS <= 4) {
+ $code .= "vextracti32x4 \$`($NUM_BLOCKS - 1)`,$B00_03,@{[XWORD($LAST_CIPHER_BLK)]}\n";
+ } elsif ($NUM_BLOCKS <= 8) {
+ $code .= "vextracti32x4 \$`($NUM_BLOCKS - 5)`,$B04_07,@{[XWORD($LAST_CIPHER_BLK)]}\n";
+ } elsif ($NUM_BLOCKS <= 12) {
+ $code .= "vextracti32x4 \$`($NUM_BLOCKS - 9)`,$B08_11,@{[XWORD($LAST_CIPHER_BLK)]}\n";
+ } else {
+ $code .= "vextracti32x4 \$`($NUM_BLOCKS - 13)`,$B12_15,@{[XWORD($LAST_CIPHER_BLK)]}\n";
+ }
+
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; store cipher/plain text
+ $code .= "mov $CIPH_PLAIN_OUT,$IA0\n";
+ &ZMM_STORE_MASKED_BLOCKS_0_16($NUM_BLOCKS,
$IA0, $DATA_OFFSET, $B00_03, $B04_07, $B08_11, $B12_15, $MASKREG);
+
+ # ;; =================================================
+ # ;; shuffle cipher text blocks for GHASH computation
+ if ($ENC_DEC eq "ENC") {
+
+ # ;; zero bytes outside the mask before hashing
+ if ($NUM_BLOCKS <= 4) {
+ $code .= "vmovdqu8 $B00_03,${B00_03}{$MASKREG}{z}\n";
+ } elsif ($NUM_BLOCKS <= 8) {
+ $code .= "vmovdqu8 $B04_07,${B04_07}{$MASKREG}{z}\n";
+ } elsif ($NUM_BLOCKS <= 12) {
+ $code .= "vmovdqu8 $B08_11,${B08_11}{$MASKREG}{z}\n";
+ } else {
+ $code .= "vmovdqu8 $B12_15,${B12_15}{$MASKREG}{z}\n";
+ }
+
+ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vpshufb", $DATA1, $DATA2, $DATA3, $DATA4, $B00_03,
+ $B04_07, $B08_11, $B12_15, $SHFMSK, $SHFMSK, $SHFMSK, $SHFMSK);
+ } else {
+
+ # ;; zero bytes outside the mask before hashing
+ if ($NUM_BLOCKS <= 4) {
+ $code .= "vmovdqu8 $DATA1,${DATA1}{$MASKREG}{z}\n";
+ } elsif ($NUM_BLOCKS <= 8) {
+ $code .= "vmovdqu8 $DATA2,${DATA2}{$MASKREG}{z}\n";
+ } elsif ($NUM_BLOCKS <= 12) {
+ $code .= "vmovdqu8 $DATA3,${DATA3}{$MASKREG}{z}\n";
+ } else {
+ $code .= "vmovdqu8 $DATA4,${DATA4}{$MASKREG}{z}\n";
+ }
+
+ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
+ $NUM_BLOCKS, "vpshufb", $DATA1, $DATA2, $DATA3, $DATA4, $DATA1,
+ $DATA2, $DATA3, $DATA4, $SHFMSK, $SHFMSK, $SHFMSK, $SHFMSK);
+ }
+
+ # ;; =================================================
+ # ;; Extract the last block for partial / multi_call cases
+ if ($NUM_BLOCKS <= 4) {
+ $code .= "vextracti32x4 \$`($NUM_BLOCKS-1)`,$DATA1,@{[XWORD($LAST_GHASH_BLK)]}\n";
+ } elsif ($NUM_BLOCKS <= 8) {
+ $code .= "vextracti32x4 \$`($NUM_BLOCKS-5)`,$DATA2,@{[XWORD($LAST_GHASH_BLK)]}\n";
+ } elsif ($NUM_BLOCKS <= 12) {
+ $code .= "vextracti32x4 \$`($NUM_BLOCKS-9)`,$DATA3,@{[XWORD($LAST_GHASH_BLK)]}\n";
+ } else {
+ $code .= "vextracti32x4 \$`($NUM_BLOCKS-13)`,$DATA4,@{[XWORD($LAST_GHASH_BLK)]}\n";
+ }
+
+ if ($do_reduction != 0) {
+
+ # ;; GH1H holds reduced hash value
+ # ;; - normally do "vmovdqa64
&XWORD($GH1H), &XWORD($HASH_IN_OUT)"
+ # ;; - register rename trick obsoletes the above move
+ }
+
+ # ;; =================================================
+ # ;; GHASH last N blocks
+ # ;; - current hash value in HASH_IN_OUT or
+ # ;; product parts in TO_REDUCE_H/M/L
+ # ;; - DATA1-DATA4 include blocks for GHASH
+
+ if ($do_reduction == 0) {
+ &INITIAL_BLOCKS_PARTIAL_GHASH(
+ $AES_KEYS, $GCM128_CTX, $LENGTH, $NUM_BLOCKS,
+ &XWORD($HASH_IN_OUT), $ENC_DEC, $DATA1, $DATA2,
+ $DATA3, $DATA4, &XWORD($LAST_CIPHER_BLK), &XWORD($LAST_GHASH_BLK),
+ $B00_03, $B04_07, $B08_11, $B12_15,
+ $GHDAT1, $GHDAT2, $AESKEY1, $AESKEY2,
+ $GHKEY1, $PBLOCK_LEN, $TO_REDUCE_H, $TO_REDUCE_M,
+ $TO_REDUCE_L);
+ } else {
+ &INITIAL_BLOCKS_PARTIAL_GHASH(
+ $AES_KEYS, $GCM128_CTX, $LENGTH, $NUM_BLOCKS,
+ &XWORD($HASH_IN_OUT), $ENC_DEC, $DATA1, $DATA2,
+ $DATA3, $DATA4, &XWORD($LAST_CIPHER_BLK), &XWORD($LAST_GHASH_BLK),
+ $B00_03, $B04_07, $B08_11, $B12_15,
+ $GHDAT1, $GHDAT2, $AESKEY1, $AESKEY2,
+ $GHKEY1, $PBLOCK_LEN);
+ }
+}
+
+# ;; ===========================================================================
+# ;; ===========================================================================
+# ;; Stitched GHASH of 16 blocks (with reduction) with encryption of N blocks
+# ;; followed with GHASH of the N blocks.
+sub GCM_ENC_DEC_LAST {
+ my $AES_KEYS = $_[0]; # [in] key pointer
+ my $GCM128_CTX = $_[1]; # [in] context pointer
+ my $CIPH_PLAIN_OUT = $_[2]; # [in] pointer to output buffer
+ my $PLAIN_CIPH_IN = $_[3]; # [in] pointer to input buffer
+ my $DATA_OFFSET = $_[4]; # [in] data offset
+ my $LENGTH = $_[5]; # [in/clobbered] data length
+ my $CTR_BE = $_[6]; # [in/out] ZMM counter blocks (last 4) in big-endian
+ my $CTR_CHECK = $_[7]; # [in/out] GP with 8-bit counter for overflow check
+ my $HASHKEY_OFFSET = $_[8]; # [in] numerical offset for the highest hash key
+ # (can be register or numerical offset)
+ my $GHASHIN_BLK_OFFSET = $_[9]; # [in] numerical offset for GHASH blocks in
+ my $SHFMSK = $_[10]; # [in] ZMM with byte swap mask for pshufb
+ my $ZT00 = $_[11]; # [clobbered] temporary ZMM
+ my $ZT01 = $_[12]; # [clobbered] temporary ZMM
+ my $ZT02 = $_[13]; # [clobbered] temporary ZMM
+ my $ZT03 = $_[14]; # [clobbered] temporary ZMM
+ my $ZT04 = $_[15]; # [clobbered] temporary ZMM
+ my $ZT05 = $_[16]; # [clobbered] temporary ZMM
+ my $ZT06 = $_[17]; # [clobbered] temporary ZMM
+ my $ZT07 = $_[18]; # [clobbered] temporary ZMM
+ my $ZT08 = $_[19]; # [clobbered] temporary ZMM
+ my $ZT09 = $_[20]; # [clobbered] temporary ZMM
+ my $ZT10 = $_[21]; # [clobbered] temporary ZMM
+ my $ZT11 = $_[22]; # [clobbered] temporary ZMM
+ my $ZT12 = $_[23]; # [clobbered] temporary ZMM
+ my $ZT13 = $_[24]; # [clobbered] temporary ZMM
+ my $ZT14 = $_[25]; # [clobbered] temporary ZMM
+ my $ZT15 = $_[26]; # [clobbered] temporary ZMM
+ my $ZT16 = $_[27]; # [clobbered] temporary ZMM
+ my $ZT17 = $_[28]; # [clobbered] temporary ZMM
+ my $ZT18 = $_[29]; # [clobbered] temporary ZMM
+ my $ZT19 = $_[30]; # [clobbered] temporary ZMM
+ my $ZT20 = $_[31]; # [clobbered] temporary ZMM
+ my $ZT21 = $_[32]; # [clobbered] temporary ZMM
+ my $ZT22 = $_[33]; # [clobbered] temporary ZMM
+ my $ADDBE_4x4 = $_[34]; # [in] ZMM with 4x128bits 4 in big-endian
+ my $ADDBE_1234 = $_[35]; # [in] ZMM with 4x128bits
1, 2, 3 and 4 in big-endian + my $GHASH_TYPE = $_[36]; # [in] "start", "start_reduce", "mid", "end_reduce" + my $TO_REDUCE_L = $_[37]; # [in] ZMM for low 4x128-bit GHASH sum + my $TO_REDUCE_H = $_[38]; # [in] ZMM for hi 4x128-bit GHASH sum + my $TO_REDUCE_M = $_[39]; # [in] ZMM for medium 4x128-bit GHASH sum + my $ENC_DEC = $_[40]; # [in] cipher direction + my $HASH_IN_OUT = $_[41]; # [in/out] XMM ghash in/out value + my $IA0 = $_[42]; # [clobbered] GP temporary + my $IA1 = $_[43]; # [clobbered] GP temporary + my $MASKREG = $_[44]; # [clobbered] mask register + my $PBLOCK_LEN = $_[45]; # [in] partial block length + + my $rndsuffix = &random_string(); + + $code .= <<___; + mov @{[DWORD($LENGTH)]},@{[DWORD($IA0)]} + add \$15,@{[DWORD($IA0)]} + shr \$4,@{[DWORD($IA0)]} + je .L_last_num_blocks_is_0_${rndsuffix} + + cmp \$8,@{[DWORD($IA0)]} + je .L_last_num_blocks_is_8_${rndsuffix} + jb .L_last_num_blocks_is_7_1_${rndsuffix} + + + cmp \$12,@{[DWORD($IA0)]} + je .L_last_num_blocks_is_12_${rndsuffix} + jb .L_last_num_blocks_is_11_9_${rndsuffix} + + # ;; 16, 15, 14 or 13 + cmp \$15,@{[DWORD($IA0)]} + je .L_last_num_blocks_is_15_${rndsuffix} + ja .L_last_num_blocks_is_16_${rndsuffix} + cmp \$14,@{[DWORD($IA0)]} + je .L_last_num_blocks_is_14_${rndsuffix} + jmp .L_last_num_blocks_is_13_${rndsuffix} + +.L_last_num_blocks_is_11_9_${rndsuffix}: + # ;; 11, 10 or 9 + cmp \$10,@{[DWORD($IA0)]} + je .L_last_num_blocks_is_10_${rndsuffix} + ja .L_last_num_blocks_is_11_${rndsuffix} + jmp .L_last_num_blocks_is_9_${rndsuffix} + +.L_last_num_blocks_is_7_1_${rndsuffix}: + cmp \$4,@{[DWORD($IA0)]} + je .L_last_num_blocks_is_4_${rndsuffix} + jb .L_last_num_blocks_is_3_1_${rndsuffix} + # ;; 7, 6 or 5 + cmp \$6,@{[DWORD($IA0)]} + ja .L_last_num_blocks_is_7_${rndsuffix} + je .L_last_num_blocks_is_6_${rndsuffix} + jmp .L_last_num_blocks_is_5_${rndsuffix} + +.L_last_num_blocks_is_3_1_${rndsuffix}: + # ;; 3, 2 or 1 + cmp \$2,@{[DWORD($IA0)]} + ja .L_last_num_blocks_is_3_${rndsuffix} + je 
.L_last_num_blocks_is_2_${rndsuffix} +___ + + # ;; fall through for `jmp .L_last_num_blocks_is_1` + + # ;; Use rep to generate different block size variants + # ;; - one block size has to be the first one + for my $num_blocks (1 .. 16) { + $code .= ".L_last_num_blocks_is_${num_blocks}_${rndsuffix}:\n"; + &GHASH_16_ENCRYPT_N_GHASH_N( + $AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $DATA_OFFSET, + $LENGTH, $CTR_BE, $CTR_CHECK, $HASHKEY_OFFSET, $GHASHIN_BLK_OFFSET, + $SHFMSK, $ZT00, $ZT01, $ZT02, $ZT03, + $ZT04, $ZT05, $ZT06, $ZT07, $ZT08, + $ZT09, $ZT10, $ZT11, $ZT12, $ZT13, + $ZT14, $ZT15, $ZT16, $ZT17, $ZT18, + $ZT19, $ZT20, $ZT21, $ZT22, $ADDBE_4x4, + $ADDBE_1234, $GHASH_TYPE, $TO_REDUCE_L, $TO_REDUCE_H, $TO_REDUCE_M, + $ENC_DEC, $HASH_IN_OUT, $IA0, $IA1, $MASKREG, + $num_blocks, $PBLOCK_LEN); + + $code .= "jmp .L_last_blocks_done_${rndsuffix}\n"; + } + + $code .= ".L_last_num_blocks_is_0_${rndsuffix}:\n"; + + # ;; if there is 0 blocks to cipher then there are only 16 blocks for ghash and reduction + # ;; - convert mid into end_reduce + # ;; - convert start into start_reduce + if ($GHASH_TYPE eq "mid") { + $GHASH_TYPE = "end_reduce"; + } + if ($GHASH_TYPE eq "start") { + $GHASH_TYPE = "start_reduce"; + } + + &GHASH_16($GHASH_TYPE, $TO_REDUCE_H, $TO_REDUCE_M, $TO_REDUCE_L, "%rsp", + $GHASHIN_BLK_OFFSET, 0, "%rsp", $HASHKEY_OFFSET, 0, $HASH_IN_OUT, $ZT00, $ZT01, + $ZT02, $ZT03, $ZT04, $ZT05, $ZT06, $ZT07, $ZT08, $ZT09); + + $code .= ".L_last_blocks_done_${rndsuffix}:\n"; +} + +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +# ;; Main GCM macro stitching cipher with GHASH +# ;; - operates on single stream +# ;; - encrypts 16 blocks at a time +# ;; - ghash the 16 previously encrypted ciphertext blocks +# ;; - no partial block or multi_call handling here +sub GHASH_16_ENCRYPT_16_PARALLEL { + my $AES_KEYS = $_[0]; # [in] key pointer + my $CIPH_PLAIN_OUT = $_[1]; # [in] pointer to output buffer + my $PLAIN_CIPH_IN = $_[2]; # 
[in] pointer to input buffer + my $DATA_OFFSET = $_[3]; # [in] data offset + my $CTR_BE = $_[4]; # [in/out] ZMM counter blocks (last 4) in big-endian + my $CTR_CHECK = $_[5]; # [in/out] GP with 8-bit counter for overflow check + my $HASHKEY_OFFSET = $_[6]; # [in] numerical offset for the highest hash key (hash key index value) + my $AESOUT_BLK_OFFSET = $_[7]; # [in] numerical offset for AES-CTR out + my $GHASHIN_BLK_OFFSET = $_[8]; # [in] numerical offset for GHASH blocks in + my $SHFMSK = $_[9]; # [in] ZMM with byte swap mask for pshufb + my $ZT1 = $_[10]; # [clobbered] temporary ZMM (cipher) + my $ZT2 = $_[11]; # [clobbered] temporary ZMM (cipher) + my $ZT3 = $_[12]; # [clobbered] temporary ZMM (cipher) + my $ZT4 = $_[13]; # [clobbered] temporary ZMM (cipher) + my $ZT5 = $_[14]; # [clobbered/out] temporary ZMM or GHASH OUT (final_reduction) + my $ZT6 = $_[15]; # [clobbered] temporary ZMM (cipher) + my $ZT7 = $_[16]; # [clobbered] temporary ZMM (cipher) + my $ZT8 = $_[17]; # [clobbered] temporary ZMM (cipher) + my $ZT9 = $_[18]; # [clobbered] temporary ZMM (cipher) + my $ZT10 = $_[19]; # [clobbered] temporary ZMM (ghash) + my $ZT11 = $_[20]; # [clobbered] temporary ZMM (ghash) + my $ZT12 = $_[21]; # [clobbered] temporary ZMM (ghash) + my $ZT13 = $_[22]; # [clobbered] temporary ZMM (ghash) + my $ZT14 = $_[23]; # [clobbered] temporary ZMM (ghash) + my $ZT15 = $_[24]; # [clobbered] temporary ZMM (ghash) + my $ZT16 = $_[25]; # [clobbered] temporary ZMM (ghash) + my $ZT17 = $_[26]; # [clobbered] temporary ZMM (ghash) + my $ZT18 = $_[27]; # [clobbered] temporary ZMM (ghash) + my $ZT19 = $_[28]; # [clobbered] temporary ZMM + my $ZT20 = $_[29]; # [clobbered] temporary ZMM + my $ZT21 = $_[30]; # [clobbered] temporary ZMM + my $ZT22 = $_[31]; # [clobbered] temporary ZMM + my $ZT23 = $_[32]; # [clobbered] temporary ZMM + my $ADDBE_4x4 = $_[33]; # [in] ZMM with 4x128bits 4 in big-endian + my $ADDBE_1234 = $_[34]; # [in] ZMM with 4x128bits 1, 2, 3 and 4 in big-endian + my 
$TO_REDUCE_L = $_[35]; # [in/out] ZMM for low 4x128-bit GHASH sum + my $TO_REDUCE_H = $_[36]; # [in/out] ZMM for hi 4x128-bit GHASH sum + my $TO_REDUCE_M = $_[37]; # [in/out] ZMM for medium 4x128-bit GHASH sum + my $DO_REDUCTION = $_[38]; # [in] "no_reduction", "final_reduction", "first_time" + my $ENC_DEC = $_[39]; # [in] cipher direction + my $DATA_DISPL = $_[40]; # [in] fixed numerical data displacement/offset + my $GHASH_IN = $_[41]; # [in] current GHASH value or "no_ghash_in" + my $IA0 = $_[42]; # [clobbered] temporary GPR + + my $B00_03 = $ZT1; + my $B04_07 = $ZT2; + my $B08_11 = $ZT3; + my $B12_15 = $ZT4; + + my $GH1H = $ZT5; + + # ; @note: do not change this mapping + my $GH1L = $ZT6; + my $GH1M = $ZT7; + my $GH1T = $ZT8; + + my $GH2H = $ZT9; + my $GH2L = $ZT10; + my $GH2M = $ZT11; + my $GH2T = $ZT12; + + my $RED_POLY = $GH2T; + my $RED_P1 = $GH2L; + my $RED_T1 = $GH2H; + my $RED_T2 = $GH2M; + + my $GH3H = $ZT13; + my $GH3L = $ZT14; + my $GH3M = $ZT15; + my $GH3T = $ZT16; + + my $DATA1 = $ZT13; + my $DATA2 = $ZT14; + my $DATA3 = $ZT15; + my $DATA4 = $ZT16; + + my $AESKEY1 = $ZT17; + my $AESKEY2 = $ZT18; + + my $GHKEY1 = $ZT19; + my $GHKEY2 = $ZT20; + my $GHDAT1 = $ZT21; + my $GHDAT2 = $ZT22; + + my $rndsuffix = &random_string(); + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; prepare counter blocks + + $code .= <<___; + cmpb \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]} + jae .L_16_blocks_overflow_${rndsuffix} + vpaddd $ADDBE_1234,$CTR_BE,$B00_03 + vpaddd $ADDBE_4x4,$B00_03,$B04_07 + vpaddd $ADDBE_4x4,$B04_07,$B08_11 + vpaddd $ADDBE_4x4,$B08_11,$B12_15 + jmp .L_16_blocks_ok_${rndsuffix} +.L_16_blocks_overflow_${rndsuffix}: + vpshufb $SHFMSK,$CTR_BE,$CTR_BE + vmovdqa64 ddq_add_4444(%rip),$B12_15 + vpaddd ddq_add_1234(%rip),$CTR_BE,$B00_03 + vpaddd $B12_15,$B00_03,$B04_07 + vpaddd $B12_15,$B04_07,$B08_11 + vpaddd $B12_15,$B08_11,$B12_15 + vpshufb $SHFMSK,$B00_03,$B00_03 + vpshufb $SHFMSK,$B04_07,$B04_07 + vpshufb $SHFMSK,$B08_11,$B08_11 + vpshufb 
$SHFMSK,$B12_15,$B12_15 +.L_16_blocks_ok_${rndsuffix}: +___ + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; pre-load constants + $code .= "vbroadcastf64x2 `(16 * 0)`($AES_KEYS),$AESKEY1\n"; + if ($GHASH_IN ne "no_ghash_in") { + $code .= "vpxorq `$GHASHIN_BLK_OFFSET + (0*64)`(%rsp),$GHASH_IN,$GHDAT1\n"; + } else { + $code .= "vmovdqa64 `$GHASHIN_BLK_OFFSET + (0*64)`(%rsp),$GHDAT1\n"; + } + + $code .= <<___; + vmovdqu64 @{[HashKeyByIdx(($HASHKEY_OFFSET - (0*4)),"%rsp")]},$GHKEY1 + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; save counter for the next round + # ;; increment counter overflow check register + vshufi64x2 \$0b11111111,$B12_15,$B12_15,$CTR_BE + addb \$16,@{[BYTE($CTR_CHECK)]} + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; pre-load constants + vbroadcastf64x2 `(16 * 1)`($AES_KEYS),$AESKEY2 + vmovdqu64 @{[HashKeyByIdx(($HASHKEY_OFFSET - (1*4)),"%rsp")]},$GHKEY2 + vmovdqa64 `$GHASHIN_BLK_OFFSET + (1*64)`(%rsp),$GHDAT2 + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; stitch AES rounds with GHASH + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; AES round 0 - ARK + + vpxorq $AESKEY1,$B00_03,$B00_03 + vpxorq $AESKEY1,$B04_07,$B04_07 + vpxorq $AESKEY1,$B08_11,$B08_11 + vpxorq $AESKEY1,$B12_15,$B12_15 + vbroadcastf64x2 `(16 * 2)`($AES_KEYS),$AESKEY1 + + # ;;================================================== + # ;; GHASH 4 blocks (15 to 12) + vpclmulqdq \$0x11,$GHKEY1,$GHDAT1,$GH1H # ; a1*b1 + vpclmulqdq \$0x00,$GHKEY1,$GHDAT1,$GH1L # ; a0*b0 + vpclmulqdq \$0x01,$GHKEY1,$GHDAT1,$GH1M # ; a1*b0 + vpclmulqdq \$0x10,$GHKEY1,$GHDAT1,$GH1T # ; a0*b1 + vmovdqu64 @{[HashKeyByIdx(($HASHKEY_OFFSET - (2*4)),"%rsp")]},$GHKEY1 + vmovdqa64 `$GHASHIN_BLK_OFFSET + (2*64)`(%rsp),$GHDAT1 + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; AES round 1 + vaesenc $AESKEY2,$B00_03,$B00_03 + vaesenc $AESKEY2,$B04_07,$B04_07 + vaesenc $AESKEY2,$B08_11,$B08_11 + vaesenc 
$AESKEY2,$B12_15,$B12_15 + vbroadcastf64x2 `(16 * 3)`($AES_KEYS),$AESKEY2 + + # ;; ================================================= + # ;; GHASH 4 blocks (11 to 8) + vpclmulqdq \$0x10,$GHKEY2,$GHDAT2,$GH2M # ; a0*b1 + vpclmulqdq \$0x01,$GHKEY2,$GHDAT2,$GH2T # ; a1*b0 + vpclmulqdq \$0x11,$GHKEY2,$GHDAT2,$GH2H # ; a1*b1 + vpclmulqdq \$0x00,$GHKEY2,$GHDAT2,$GH2L # ; a0*b0 + vmovdqu64 @{[HashKeyByIdx(($HASHKEY_OFFSET - (3*4)),"%rsp")]},$GHKEY2 + vmovdqa64 `$GHASHIN_BLK_OFFSET + (3*64)`(%rsp),$GHDAT2 + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; AES round 2 + vaesenc $AESKEY1,$B00_03,$B00_03 + vaesenc $AESKEY1,$B04_07,$B04_07 + vaesenc $AESKEY1,$B08_11,$B08_11 + vaesenc $AESKEY1,$B12_15,$B12_15 + vbroadcastf64x2 `(16 * 4)`($AES_KEYS),$AESKEY1 + + # ;; ================================================= + # ;; GHASH 4 blocks (7 to 4) + vpclmulqdq \$0x10,$GHKEY1,$GHDAT1,$GH3M # ; a0*b1 + vpclmulqdq \$0x01,$GHKEY1,$GHDAT1,$GH3T # ; a1*b0 + vpclmulqdq \$0x11,$GHKEY1,$GHDAT1,$GH3H # ; a1*b1 + vpclmulqdq \$0x00,$GHKEY1,$GHDAT1,$GH3L # ; a0*b0 + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; AES rounds 3 + vaesenc $AESKEY2,$B00_03,$B00_03 + vaesenc $AESKEY2,$B04_07,$B04_07 + vaesenc $AESKEY2,$B08_11,$B08_11 + vaesenc $AESKEY2,$B12_15,$B12_15 + vbroadcastf64x2 `(16 * 5)`($AES_KEYS),$AESKEY2 + + # ;; ================================================= + # ;; Gather (XOR) GHASH for 12 blocks + vpternlogq \$0x96,$GH3H,$GH2H,$GH1H + vpternlogq \$0x96,$GH3L,$GH2L,$GH1L + vpternlogq \$0x96,$GH3T,$GH2T,$GH1T + vpternlogq \$0x96,$GH3M,$GH2M,$GH1M + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; AES rounds 4 + vaesenc $AESKEY1,$B00_03,$B00_03 + vaesenc $AESKEY1,$B04_07,$B04_07 + vaesenc $AESKEY1,$B08_11,$B08_11 + vaesenc $AESKEY1,$B12_15,$B12_15 + vbroadcastf64x2 `(16 * 6)`($AES_KEYS),$AESKEY1 + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; load plain/cipher text (recycle GH3xx registers) + vmovdqu8 `$DATA_DISPL + (0 * 
64)`($PLAIN_CIPH_IN,$DATA_OFFSET),$DATA1 + vmovdqu8 `$DATA_DISPL + (1 * 64)`($PLAIN_CIPH_IN,$DATA_OFFSET),$DATA2 + vmovdqu8 `$DATA_DISPL + (2 * 64)`($PLAIN_CIPH_IN,$DATA_OFFSET),$DATA3 + vmovdqu8 `$DATA_DISPL + (3 * 64)`($PLAIN_CIPH_IN,$DATA_OFFSET),$DATA4 + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; AES rounds 5 + vaesenc $AESKEY2,$B00_03,$B00_03 + vaesenc $AESKEY2,$B04_07,$B04_07 + vaesenc $AESKEY2,$B08_11,$B08_11 + vaesenc $AESKEY2,$B12_15,$B12_15 + vbroadcastf64x2 `(16 * 7)`($AES_KEYS),$AESKEY2 + + # ;; ================================================= + # ;; GHASH 4 blocks (3 to 0) + vpclmulqdq \$0x10,$GHKEY2,$GHDAT2,$GH2M # ; a0*b1 + vpclmulqdq \$0x01,$GHKEY2,$GHDAT2,$GH2T # ; a1*b0 + vpclmulqdq \$0x11,$GHKEY2,$GHDAT2,$GH2H # ; a1*b1 + vpclmulqdq \$0x00,$GHKEY2,$GHDAT2,$GH2L # ; a0*b0 + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; AES round 6 + vaesenc $AESKEY1,$B00_03,$B00_03 + vaesenc $AESKEY1,$B04_07,$B04_07 + vaesenc $AESKEY1,$B08_11,$B08_11 + vaesenc $AESKEY1,$B12_15,$B12_15 + vbroadcastf64x2 `(16 * 8)`($AES_KEYS),$AESKEY1 +___ + + # ;; ================================================= + # ;; gather GHASH in GH1L (low) and GH1H (high) + if ($DO_REDUCTION eq "first_time") { + $code .= <<___; + vpternlogq \$0x96,$GH2T,$GH1T,$GH1M # ; TM + vpxorq $GH2M,$GH1M,$TO_REDUCE_M # ; TM + vpxorq $GH2H,$GH1H,$TO_REDUCE_H # ; TH + vpxorq $GH2L,$GH1L,$TO_REDUCE_L # ; TL +___ + } + if ($DO_REDUCTION eq "no_reduction") { + $code .= <<___; + vpternlogq \$0x96,$GH2T,$GH1T,$GH1M # ; TM + vpternlogq \$0x96,$GH2M,$GH1M,$TO_REDUCE_M # ; TM + vpternlogq \$0x96,$GH2H,$GH1H,$TO_REDUCE_H # ; TH + vpternlogq \$0x96,$GH2L,$GH1L,$TO_REDUCE_L # ; TL +___ + } + if ($DO_REDUCTION eq "final_reduction") { + $code .= <<___; + # ;; phase 1: add mid products together + # ;; also load polynomial constant for reduction + vpternlogq \$0x96,$GH2T,$GH1T,$GH1M # ; TM + vpternlogq \$0x96,$GH2M,$TO_REDUCE_M,$GH1M + + vpsrldq \$8,$GH1M,$GH2M + vpslldq 
\$8,$GH1M,$GH1M + + vmovdqa64 POLY2(%rip),@{[XWORD($RED_POLY)]} +___ + } + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; AES round 7 + $code .= <<___; + vaesenc $AESKEY2,$B00_03,$B00_03 + vaesenc $AESKEY2,$B04_07,$B04_07 + vaesenc $AESKEY2,$B08_11,$B08_11 + vaesenc $AESKEY2,$B12_15,$B12_15 + vbroadcastf64x2 `(16 * 9)`($AES_KEYS),$AESKEY2 +___ + + # ;; ================================================= + # ;; Add mid product to high and low + if ($DO_REDUCTION eq "final_reduction") { + $code .= <<___; + vpternlogq \$0x96,$GH2M,$GH2H,$GH1H # ; TH = TH1 + TH2 + TM>>64 + vpxorq $TO_REDUCE_H,$GH1H,$GH1H + vpternlogq \$0x96,$GH1M,$GH2L,$GH1L # ; TL = TL1 + TL2 + TM<<64 + vpxorq $TO_REDUCE_L,$GH1L,$GH1L +___ + } + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; AES round 8 + $code .= <<___; + vaesenc $AESKEY1,$B00_03,$B00_03 + vaesenc $AESKEY1,$B04_07,$B04_07 + vaesenc $AESKEY1,$B08_11,$B08_11 + vaesenc $AESKEY1,$B12_15,$B12_15 + vbroadcastf64x2 `(16 * 10)`($AES_KEYS),$AESKEY1 +___ + + # ;; ================================================= + # ;; horizontal xor of low and high 4x128 + if ($DO_REDUCTION eq "final_reduction") { + &VHPXORI4x128($GH1H, $GH2H); + &VHPXORI4x128($GH1L, $GH2L); + } + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; AES round 9 + $code .= <<___; + vaesenc $AESKEY2,$B00_03,$B00_03 + vaesenc $AESKEY2,$B04_07,$B04_07 + vaesenc $AESKEY2,$B08_11,$B08_11 + vaesenc $AESKEY2,$B12_15,$B12_15 +___ + if (($NROUNDS >= 11)) { + $code .= "vbroadcastf64x2 `(16 * 11)`($AES_KEYS),$AESKEY2\n"; + } + + # ;; ================================================= + # ;; first phase of reduction + if ($DO_REDUCTION eq "final_reduction") { + $code .= <<___; + vpclmulqdq \$0x01,@{[XWORD($GH1L)]},@{[XWORD($RED_POLY)]},@{[XWORD($RED_P1)]} + vpslldq \$8,@{[XWORD($RED_P1)]},@{[XWORD($RED_P1)]} # ; shift-L 2 DWs + vpxorq @{[XWORD($RED_P1)]},@{[XWORD($GH1L)]},@{[XWORD($RED_P1)]} # ; first phase of the reduct +___ + } + + # 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; AES rounds up to 11 (AES192) or 13 (AES256) + # ;; AES128 is done + if (($NROUNDS >= 11)) { + $code .= <<___; + vaesenc $AESKEY1,$B00_03,$B00_03 + vaesenc $AESKEY1,$B04_07,$B04_07 + vaesenc $AESKEY1,$B08_11,$B08_11 + vaesenc $AESKEY1,$B12_15,$B12_15 + vbroadcastf64x2 `(16 * 12)`($AES_KEYS),$AESKEY1 + + vaesenc $AESKEY2,$B00_03,$B00_03 + vaesenc $AESKEY2,$B04_07,$B04_07 + vaesenc $AESKEY2,$B08_11,$B08_11 + vaesenc $AESKEY2,$B12_15,$B12_15 +___ + if (($NROUNDS == 13)) { + $code .= <<___; + vbroadcastf64x2 `(16 * 13)`($AES_KEYS),$AESKEY2 + + vaesenc $AESKEY1,$B00_03,$B00_03 + vaesenc $AESKEY1,$B04_07,$B04_07 + vaesenc $AESKEY1,$B08_11,$B08_11 + vaesenc $AESKEY1,$B12_15,$B12_15 + vbroadcastf64x2 `(16 * 14)`($AES_KEYS),$AESKEY1 + + vaesenc $AESKEY2,$B00_03,$B00_03 + vaesenc $AESKEY2,$B04_07,$B04_07 + vaesenc $AESKEY2,$B08_11,$B08_11 + vaesenc $AESKEY2,$B12_15,$B12_15 +___ + } + } + + # ;; ================================================= + # ;; second phase of the reduction + if ($DO_REDUCTION eq "final_reduction") { + $code .= <<___; + vpclmulqdq \$0x00,@{[XWORD($RED_P1)]},@{[XWORD($RED_POLY)]},@{[XWORD($RED_T1)]} + vpsrldq \$4,@{[XWORD($RED_T1)]},@{[XWORD($RED_T1)]} # ; shift-R 1-DW to obtain 2-DWs shift-R + vpclmulqdq \$0x10,@{[XWORD($RED_P1)]},@{[XWORD($RED_POLY)]},@{[XWORD($RED_T2)]} + vpslldq \$4,@{[XWORD($RED_T2)]},@{[XWORD($RED_T2)]} # ; shift-L 1-DW for result without shifts + # ;; GH1H = GH1H x RED_T1 x RED_T2 + vpternlogq \$0x96,@{[XWORD($RED_T1)]},@{[XWORD($RED_T2)]},@{[XWORD($GH1H)]} +___ + } + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; the last AES round + $code .= <<___; + vaesenclast $AESKEY1,$B00_03,$B00_03 + vaesenclast $AESKEY1,$B04_07,$B04_07 + vaesenclast $AESKEY1,$B08_11,$B08_11 + vaesenclast $AESKEY1,$B12_15,$B12_15 + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; XOR against plain/cipher text + vpxorq $DATA1,$B00_03,$B00_03 + vpxorq 
$DATA2,$B04_07,$B04_07 + vpxorq $DATA3,$B08_11,$B08_11 + vpxorq $DATA4,$B12_15,$B12_15 + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; store cipher/plain text + mov $CIPH_PLAIN_OUT,$IA0 + vmovdqu8 $B00_03,`$DATA_DISPL + (0 * 64)`($IA0,$DATA_OFFSET,1) + vmovdqu8 $B04_07,`$DATA_DISPL + (1 * 64)`($IA0,$DATA_OFFSET,1) + vmovdqu8 $B08_11,`$DATA_DISPL + (2 * 64)`($IA0,$DATA_OFFSET,1) + vmovdqu8 $B12_15,`$DATA_DISPL + (3 * 64)`($IA0,$DATA_OFFSET,1) +___ + + # ;; ================================================= + # ;; shuffle cipher text blocks for GHASH computation + if ($ENC_DEC eq "ENC") { + $code .= <<___; + vpshufb $SHFMSK,$B00_03,$B00_03 + vpshufb $SHFMSK,$B04_07,$B04_07 + vpshufb $SHFMSK,$B08_11,$B08_11 + vpshufb $SHFMSK,$B12_15,$B12_15 +___ + } else { + $code .= <<___; + vpshufb $SHFMSK,$DATA1,$B00_03 + vpshufb $SHFMSK,$DATA2,$B04_07 + vpshufb $SHFMSK,$DATA3,$B08_11 + vpshufb $SHFMSK,$DATA4,$B12_15 +___ + } + + # ;; ================================================= + # ;; store shuffled cipher text for ghashing + $code .= <<___; + vmovdqa64 $B00_03,`$AESOUT_BLK_OFFSET + (0*64)`(%rsp) + vmovdqa64 $B04_07,`$AESOUT_BLK_OFFSET + (1*64)`(%rsp) + vmovdqa64 $B08_11,`$AESOUT_BLK_OFFSET + (2*64)`(%rsp) + vmovdqa64 $B12_15,`$AESOUT_BLK_OFFSET + (3*64)`(%rsp) +___ +} + +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +# ;;; Encryption of a single block +sub ENCRYPT_SINGLE_BLOCK { + my $AES_KEY = $_[0]; # ; [in] + my $XMM0 = $_[1]; # ; [in/out] + my $GPR1 = $_[2]; # ; [clobbered] + + my $rndsuffix = &random_string(); + + $code .= <<___; + # ; load number of rounds from AES_KEY structure (offset in bytes is + # ; size of the |rd_key| buffer) + mov `4*15*4`($AES_KEY),@{[DWORD($GPR1)]} + cmp \$9,@{[DWORD($GPR1)]} + je .Laes_128_${rndsuffix} + cmp \$11,@{[DWORD($GPR1)]} + je .Laes_192_${rndsuffix} + cmp \$13,@{[DWORD($GPR1)]} + je .Laes_256_${rndsuffix} + jmp .Lexit_aes_${rndsuffix} +___ + for my $keylen (sort keys %aes_rounds) 
{ + my $nr = $aes_rounds{$keylen}; + $code .= <<___; +.align 32 +.Laes_${keylen}_${rndsuffix}: +___ + $code .= "vpxorq `16*0`($AES_KEY),$XMM0, $XMM0\n\n"; + for (my $i = 1; $i <= $nr; $i++) { + $code .= "vaesenc `16*$i`($AES_KEY),$XMM0,$XMM0\n\n"; + } + $code .= <<___; + vaesenclast `16*($nr+1)`($AES_KEY),$XMM0,$XMM0 + jmp .Lexit_aes_${rndsuffix} +___ + } + $code .= ".Lexit_aes_${rndsuffix}:\n\n"; +} + +sub CALC_J0 { + my $GCM128_CTX = $_[0]; #; [in] Pointer to GCM context + my $IV = $_[1]; #; [in] Pointer to IV + my $IV_LEN = $_[2]; #; [in] IV length + my $J0 = $_[3]; #; [out] XMM reg to contain J0 + my $ZT0 = $_[4]; #; [clobbered] ZMM register + my $ZT1 = $_[5]; #; [clobbered] ZMM register + my $ZT2 = $_[6]; #; [clobbered] ZMM register + my $ZT3 = $_[7]; #; [clobbered] ZMM register + my $ZT4 = $_[8]; #; [clobbered] ZMM register + my $ZT5 = $_[9]; #; [clobbered] ZMM register + my $ZT6 = $_[10]; #; [clobbered] ZMM register + my $ZT7 = $_[11]; #; [clobbered] ZMM register + my $ZT8 = $_[12]; #; [clobbered] ZMM register + my $ZT9 = $_[13]; #; [clobbered] ZMM register + my $ZT10 = $_[14]; #; [clobbered] ZMM register + my $ZT11 = $_[15]; #; [clobbered] ZMM register + my $ZT12 = $_[16]; #; [clobbered] ZMM register + my $ZT13 = $_[17]; #; [clobbered] ZMM register + my $ZT14 = $_[18]; #; [clobbered] ZMM register + my $ZT15 = $_[19]; #; [clobbered] ZMM register + my $ZT16 = $_[20]; #; [clobbered] ZMM register + my $T1 = $_[21]; #; [clobbered] GP register + my $T2 = $_[22]; #; [clobbered] GP register + my $T3 = $_[23]; #; [clobbered] GP register + my $MASKREG = $_[24]; #; [clobbered] mask register + + # ;; J0 = GHASH(IV || 0s+64 || len(IV)64) + # ;; s = 16 * RoundUp(len(IV)/16) - len(IV) */ + + # ;; Calculate GHASH of (IV || 0s) + $code .= "vpxor $J0,$J0,$J0\n"; + &CALC_AAD_HASH($IV, $IV_LEN, $J0, $GCM128_CTX, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4, + $ZT5, $ZT6, $ZT7, $ZT8, $ZT9, $ZT10, $ZT11, $ZT12, $ZT13, $ZT14, $ZT15, $ZT16, $T1, $T2, $T3, $MASKREG); + + # ;; Calculate GHASH of 
last 16-byte block (0 || len(IV)64) + $code .= <<___; + mov $IV_LEN,$T1 + shl \$3,$T1 # ; IV length in bits + vmovq $T1,@{[XWORD($ZT2)]} + + # ;; Might need shuffle of ZT2 + vpxorq $J0,@{[XWORD($ZT2)]},$J0 + + vmovdqu64 @{[HashKeyByIdx(1,$GCM128_CTX)]},@{[XWORD($ZT0)]} +___ + &GHASH_MUL($J0, @{[XWORD($ZT0)]}, @{[XWORD($ZT1)]}, @{[XWORD($ZT2)]}, @{[XWORD($ZT3)]}); + + $code .= "vpshufb SHUF_MASK(%rip),$J0,$J0 # ; perform a 16Byte swap\n"; +} + +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +# ;;; GCM_INIT_IV performs an initialization of gcm128_ctx struct to prepare for +# ;;; encoding/decoding. +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +sub GCM_INIT_IV { + my $AES_KEYS = $_[0]; # [in] AES key schedule + my $GCM128_CTX = $_[1]; # [in/out] GCM context + my $IV = $_[2]; # [in] IV pointer + my $IV_LEN = $_[3]; # [in] IV length + my $GPR1 = $_[4]; # [clobbered] GP register + my $GPR2 = $_[5]; # [clobbered] GP register + my $GPR3 = $_[6]; # [clobbered] GP register + my $MASKREG = $_[7]; # [clobbered] mask register + my $CUR_COUNT = $_[8]; # [out] XMM with current counter + my $ZT0 = $_[9]; # [clobbered] ZMM register + my $ZT1 = $_[10]; # [clobbered] ZMM register + my $ZT2 = $_[11]; # [clobbered] ZMM register + my $ZT3 = $_[12]; # [clobbered] ZMM register + my $ZT4 = $_[13]; # [clobbered] ZMM register + my $ZT5 = $_[14]; # [clobbered] ZMM register + my $ZT6 = $_[15]; # [clobbered] ZMM register + my $ZT7 = $_[16]; # [clobbered] ZMM register + my $ZT8 = $_[17]; # [clobbered] ZMM register + my $ZT9 = $_[18]; # [clobbered] ZMM register + my $ZT10 = $_[19]; # [clobbered] ZMM register + my $ZT11 = $_[20]; # [clobbered] ZMM register + my $ZT12 = $_[21]; # [clobbered] ZMM register + my $ZT13 = $_[22]; # [clobbered] ZMM register + my $ZT14 = $_[23]; # [clobbered] ZMM register + my $ZT15 = $_[24]; # [clobbered] ZMM register + my $ZT16 = $_[25]; # [clobbered] ZMM register + + my $ZT0x = 
$ZT0; + $ZT0x =~ s/zmm/xmm/; + + $code .= <<___; + cmp \$12,$IV_LEN + je iv_len_12_init_IV +___ + + # ;; IV is different than 12 bytes + &CALC_J0($GCM128_CTX, $IV, $IV_LEN, $CUR_COUNT, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4, $ZT5, $ZT6, $ZT7, + $ZT8, $ZT9, $ZT10, $ZT11, $ZT12, $ZT13, $ZT14, $ZT15, $ZT16, $GPR1, $GPR2, $GPR3, $MASKREG); + $code .= <<___; + jmp skip_iv_len_12_init_IV +iv_len_12_init_IV: # ;; IV is 12 bytes + # ;; read 12 IV bytes and pad with 0x00000001 + vmovdqu8 ONEf(%rip),$CUR_COUNT + mov $IV,$GPR2 + mov \$0x0000000000000fff,@{[DWORD($GPR1)]} + kmovq $GPR1,$MASKREG + vmovdqu8 ($GPR2),${CUR_COUNT}{$MASKREG} # ; ctr = IV | 0x1 +skip_iv_len_12_init_IV: + vmovdqu $CUR_COUNT,$ZT0x +___ + &ENCRYPT_SINGLE_BLOCK($AES_KEYS, "$ZT0x", "$GPR1"); # ; E(K, Y0) + $code .= <<___; + vmovdqu $ZT0x,`$CTX_OFFSET_EK0`($GCM128_CTX) # ; save EK0 for finalization stage + + # ;; store IV as counter in LE format + vpshufb SHUF_MASK(%rip),$CUR_COUNT,$CUR_COUNT + vmovdqu $CUR_COUNT,`$CTX_OFFSET_CurCount`($GCM128_CTX) # ; save current counter Yi +___ +} + +sub GCM_UPDATE_AAD { + my $GCM128_CTX = $_[0]; # [in] GCM context pointer + my $A_IN = $_[1]; # [in] AAD pointer + my $A_LEN = $_[2]; # [in] AAD length in bytes + my $GPR1 = $_[3]; # [clobbered] GP register + my $GPR2 = $_[4]; # [clobbered] GP register + my $GPR3 = $_[5]; # [clobbered] GP register + my $MASKREG = $_[6]; # [clobbered] mask register + my $AAD_HASH = $_[7]; # [out] XMM for AAD_HASH value + my $ZT0 = $_[8]; # [clobbered] ZMM register + my $ZT1 = $_[9]; # [clobbered] ZMM register + my $ZT2 = $_[10]; # [clobbered] ZMM register + my $ZT3 = $_[11]; # [clobbered] ZMM register + my $ZT4 = $_[12]; # [clobbered] ZMM register + my $ZT5 = $_[13]; # [clobbered] ZMM register + my $ZT6 = $_[14]; # [clobbered] ZMM register + my $ZT7 = $_[15]; # [clobbered] ZMM register + my $ZT8 = $_[16]; # [clobbered] ZMM register + my $ZT9 = $_[17]; # [clobbered] ZMM register + my $ZT10 = $_[18]; # [clobbered] ZMM register + my $ZT11 = $_[19]; # 
[clobbered] ZMM register + my $ZT12 = $_[20]; # [clobbered] ZMM register + my $ZT13 = $_[21]; # [clobbered] ZMM register + my $ZT14 = $_[22]; # [clobbered] ZMM register + my $ZT15 = $_[23]; # [clobbered] ZMM register + my $ZT16 = $_[24]; # [clobbered] ZMM register + + # ; load current hash + $code .= "vmovdqu64 $CTX_OFFSET_AadHash($GCM128_CTX),$AAD_HASH\n"; + + &CALC_AAD_HASH($A_IN, $A_LEN, $AAD_HASH, $GCM128_CTX, $ZT0, $ZT1, $ZT2, + $ZT3, $ZT4, $ZT5, $ZT6, $ZT7, $ZT8, $ZT9, $ZT10, $ZT11, $ZT12, $ZT13, + $ZT14, $ZT15, $ZT16, $GPR1, $GPR2, $GPR3, $MASKREG); + + # ; load current hash + $code .= "vmovdqu64 $AAD_HASH,$CTX_OFFSET_AadHash($GCM128_CTX)\n"; +} + +# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +# ;;; Cipher and ghash of payloads shorter than 256 bytes +# ;;; - number of blocks in the message comes as argument +# ;;; - depending on the number of blocks an optimized variant of +# ;;; INITIAL_BLOCKS_PARTIAL is invoked +sub GCM_ENC_DEC_SMALL { + my $AES_KEYS = $_[0]; # [in] key pointer + my $GCM128_CTX = $_[1]; # [in] context pointer + my $CIPH_PLAIN_OUT = $_[2]; # [in] output buffer + my $PLAIN_CIPH_IN = $_[3]; # [in] input buffer + my $PLAIN_CIPH_LEN = $_[4]; # [in] buffer length + my $ENC_DEC = $_[5]; # [in] cipher direction + my $DATA_OFFSET = $_[6]; # [in] data offset + my $LENGTH = $_[7]; # [in] data length + my $NUM_BLOCKS = $_[8]; # [in] number of blocks to process 1 to 16 + my $CTR = $_[9]; # [in/out] XMM counter block + my $HASH_IN_OUT = $_[10]; # [in/out] XMM GHASH value + my $ZTMP0 = $_[11]; # [clobbered] ZMM register + my $ZTMP1 = $_[12]; # [clobbered] ZMM register + my $ZTMP2 = $_[13]; # [clobbered] ZMM register + my $ZTMP3 = $_[14]; # [clobbered] ZMM register + my $ZTMP4 = $_[15]; # [clobbered] ZMM register + my $ZTMP5 = $_[16]; # [clobbered] ZMM register + my $ZTMP6 = $_[17]; # [clobbered] ZMM register + my $ZTMP7 = $_[18]; # [clobbered] ZMM register + my $ZTMP8 = $_[19]; # [clobbered] ZMM register + my $ZTMP9 = $_[20]; 
# [clobbered] ZMM register + my $ZTMP10 = $_[21]; # [clobbered] ZMM register + my $ZTMP11 = $_[22]; # [clobbered] ZMM register + my $ZTMP12 = $_[23]; # [clobbered] ZMM register + my $ZTMP13 = $_[24]; # [clobbered] ZMM register + my $ZTMP14 = $_[25]; # [clobbered] ZMM register + my $IA0 = $_[26]; # [clobbered] GP register + my $IA1 = $_[27]; # [clobbered] GP register + my $MASKREG = $_[28]; # [clobbered] mask register + my $SHUFMASK = $_[29]; # [in] ZMM with BE/LE shuffle mask + my $PBLOCK_LEN = $_[30]; # [in] partial block length + + my $rndsuffix = &random_string(); + + $code .= <<___; + cmp \$8,$NUM_BLOCKS + je .L_small_initial_num_blocks_is_8_${rndsuffix} + jl .L_small_initial_num_blocks_is_7_1_${rndsuffix} + + + cmp \$12,$NUM_BLOCKS + je .L_small_initial_num_blocks_is_12_${rndsuffix} + jl .L_small_initial_num_blocks_is_11_9_${rndsuffix} + + # ;; 16, 15, 14 or 13 + cmp \$16,$NUM_BLOCKS + je .L_small_initial_num_blocks_is_16_${rndsuffix} + cmp \$15,$NUM_BLOCKS + je .L_small_initial_num_blocks_is_15_${rndsuffix} + cmp \$14,$NUM_BLOCKS + je .L_small_initial_num_blocks_is_14_${rndsuffix} + jmp .L_small_initial_num_blocks_is_13_${rndsuffix} + +.L_small_initial_num_blocks_is_11_9_${rndsuffix}: + # ;; 11, 10 or 9 + cmp \$11,$NUM_BLOCKS + je .L_small_initial_num_blocks_is_11_${rndsuffix} + cmp \$10,$NUM_BLOCKS + je .L_small_initial_num_blocks_is_10_${rndsuffix} + jmp .L_small_initial_num_blocks_is_9_${rndsuffix} + +.L_small_initial_num_blocks_is_7_1_${rndsuffix}: + cmp \$4,$NUM_BLOCKS + je .L_small_initial_num_blocks_is_4_${rndsuffix} + jl .L_small_initial_num_blocks_is_3_1_${rndsuffix} + # ;; 7, 6 or 5 + cmp \$7,$NUM_BLOCKS + je .L_small_initial_num_blocks_is_7_${rndsuffix} + cmp \$6,$NUM_BLOCKS + je .L_small_initial_num_blocks_is_6_${rndsuffix} + jmp .L_small_initial_num_blocks_is_5_${rndsuffix} + +.L_small_initial_num_blocks_is_3_1_${rndsuffix}: + # ;; 3, 2 or 1 + cmp \$3,$NUM_BLOCKS + je .L_small_initial_num_blocks_is_3_${rndsuffix} + cmp \$2,$NUM_BLOCKS + je 
.L_small_initial_num_blocks_is_2_${rndsuffix}
+
+ # ;; for $NUM_BLOCKS == 1, just fall through and no 'jmp' needed
+
+ # ;; Generation of different block size variants
+ # ;; - one block size has to be the first one
+___
+
+ for (my $num_blocks = 1; $num_blocks <= 16; $num_blocks++) {
+ $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${rndsuffix}:\n";
+ &INITIAL_BLOCKS_PARTIAL(
+ $AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $LENGTH, $DATA_OFFSET,
+ $num_blocks, $CTR, $HASH_IN_OUT, $ENC_DEC, $ZTMP0, $ZTMP1,
+ $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6, $ZTMP7,
+ $ZTMP8, $ZTMP9, $ZTMP10, $ZTMP11, $ZTMP12, $ZTMP13,
+ $ZTMP14, $IA0, $IA1, $MASKREG, $SHUFMASK, $PBLOCK_LEN);
+
+ if ($num_blocks != 16) {
+ $code .= "jmp .L_small_initial_blocks_encrypted_${rndsuffix}\n";
+ }
+ }
+
+ $code .= ".L_small_initial_blocks_encrypted_${rndsuffix}:\n";
+}
+
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+# ; GCM_ENC_DEC Encrypts/Decrypts given data. Assumes that the passed gcm128_context
+# ; struct has been initialized by GCM_INIT_IV
+# ; Requires the input data be at least 1 byte long because of READ_SMALL_INPUT_DATA.
+# ; Clobbers rax, r10-r15, and zmm0-zmm31, k1
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+sub GCM_ENC_DEC {
+ my $AES_KEYS = $_[0]; # [in] AES Key schedule
+ my $GCM128_CTX = $_[1]; # [in] context pointer
+ my $PBLOCK_LEN = $_[2]; # [in] length of partial block at the moment of previous update
+ my $PLAIN_CIPH_IN = $_[3]; # [in] input buffer pointer
+ my $PLAIN_CIPH_LEN = $_[4]; # [in] buffer length
+ my $CIPH_PLAIN_OUT = $_[5]; # [in] output buffer pointer
+ my $ENC_DEC = $_[6]; # [in] cipher direction
+
+ my $IA0 = "%r10";
+ my $IA1 = "%r12";
+ my $IA2 = "%r13";
+ my $IA3 = "%r15";
+ my $IA4 = "%r11";
+ my $IA5 = "%rax";
+ my $IA6 = "%rbx";
+ my $IA7 = "%r14";
+
+ my $LENGTH = $win64 ? $IA2 : $PLAIN_CIPH_LEN;
+
+ my $CTR_CHECK = $IA3;
+ my $DATA_OFFSET = $IA4;
+ my $HASHK_PTR = $IA6;
+
+ my $HKEYS_READY = $IA7;
+
+ my $CTR_BLOCKz = "%zmm2";
+ my $CTR_BLOCKx = "%xmm2";
+
+ # ; hardcoded in GCM_INIT
+
+ my $AAD_HASHz = "%zmm14";
+ my $AAD_HASHx = "%xmm14";
+
+ # ; hardcoded in GCM_COMPLETE
+
+ my $ZTMP0 = "%zmm0";
+ my $ZTMP1 = "%zmm3";
+ my $ZTMP2 = "%zmm4";
+ my $ZTMP3 = "%zmm5";
+ my $ZTMP4 = "%zmm6";
+ my $ZTMP5 = "%zmm7";
+ my $ZTMP6 = "%zmm10";
+ my $ZTMP7 = "%zmm11";
+ my $ZTMP8 = "%zmm12";
+ my $ZTMP9 = "%zmm13";
+ my $ZTMP10 = "%zmm15";
+ my $ZTMP11 = "%zmm16";
+ my $ZTMP12 = "%zmm17";
+
+ my $ZTMP13 = "%zmm19";
+ my $ZTMP14 = "%zmm20";
+ my $ZTMP15 = "%zmm21";
+ my $ZTMP16 = "%zmm30";
+ my $ZTMP17 = "%zmm31";
+ my $ZTMP18 = "%zmm1";
+ my $ZTMP19 = "%zmm18";
+ my $ZTMP20 = "%zmm8";
+ my $ZTMP21 = "%zmm22";
+ my $ZTMP22 = "%zmm23";
+
+ my $GH = "%zmm24";
+ my $GL = "%zmm25";
+ my $GM = "%zmm26";
+ my $SHUF_MASK = "%zmm29";
+
+ # ; Unused in the small packet path
+ my $ADDBE_4x4 = "%zmm27";
+ my $ADDBE_1234 = "%zmm28";
+
+ my $MASKREG = "%k1";
+
+ my $rndsuffix = &random_string();
+
+ # ;; reduction every 48 blocks, depth 32 blocks
+ # ;; @note 48 blocks is the maximum capacity of the stack frame
+ my $big_loop_nblocks = 48;
+ my $big_loop_depth = 32;
+
+ # ;;; Macro flow depending on packet size
+ # ;;; - LENGTH <= 16 blocks
+ # ;;; - cipher followed by hashing (reduction)
+ # ;;; - 16 blocks < LENGTH < 32 blocks
+ # ;;; - cipher 16 blocks
+ # ;;; - cipher N blocks & hash 16 blocks, hash N blocks (reduction)
+ # ;;; - 32 blocks < LENGTH < 48 blocks
+ # ;;; - cipher 2 x 16 blocks
+ # ;;; - hash 16 blocks
+ # ;;; - cipher N blocks & hash 16 blocks, hash N blocks (reduction)
+ # ;;; - LENGTH >= 48 blocks
+ # ;;; - cipher 2 x 16 blocks
+ # ;;; - while (data_to_cipher >= 48 blocks):
+ # ;;; - cipher 16 blocks & hash 16 blocks
+ # ;;; - cipher 16 blocks & hash 16 blocks
+ # ;;; - cipher 16 blocks & hash 16 blocks (reduction)
+ # ;;; - if (data_to_cipher >= 32 blocks):
+ # ;;; - cipher 16 blocks & hash 16 blocks
+ # ;;; - cipher 16 blocks & hash 16 blocks
+ # ;;; - hash 16 blocks (reduction)
+ # ;;; - cipher N blocks & hash 16 blocks, hash N blocks (reduction)
+ # ;;; - elif (data_to_cipher >= 16 blocks):
+ # ;;; - cipher 16 blocks & hash 16 blocks
+ # ;;; - hash 16 blocks
+ # ;;; - cipher N blocks & hash 16 blocks, hash N blocks (reduction)
+ # ;;; - else:
+ # ;;; - hash 16 blocks
+ # ;;; - cipher N blocks & hash 16 blocks, hash N blocks (reduction)
+
+ if ($win64) {
+ $code .= "cmpq \$0,$PLAIN_CIPH_LEN\n";
+ } else {
+ $code .= "or $PLAIN_CIPH_LEN,$PLAIN_CIPH_LEN\n";
+ }
+ $code .= "je .L_enc_dec_done_${rndsuffix}\n";
+
+ # Length value from context $CTX_OFFSET_InLen`($GCM128_CTX) is updated in
+ # 'providers/implementations/ciphers/cipher_aes_gcm_hw_vaes_avx512.inc'
+
+ $code .= "xor $HKEYS_READY, $HKEYS_READY\n";
+ $code .= "vmovdqu64 `$CTX_OFFSET_AadHash`($GCM128_CTX),$AAD_HASHx\n";
+
+ # ;; Used for the update flow - if there was a previous partial
+ # ;; block fill the remaining bytes here.
+ &PARTIAL_BLOCK(
+ $GCM128_CTX, $PBLOCK_LEN, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $PLAIN_CIPH_LEN,
+ $DATA_OFFSET, $AAD_HASHx, $ENC_DEC, $IA0, $IA1,
+ $IA2, $ZTMP0, $ZTMP1, $ZTMP2, $ZTMP3,
+ $ZTMP4, $ZTMP5, $ZTMP6, $ZTMP7, $MASKREG);
+
+ $code .= "vmovdqu64 `$CTX_OFFSET_CurCount`($GCM128_CTX),$CTR_BLOCKx\n";
+
+ # ;; Save the amount of data left to process in $LENGTH
+ # ;; NOTE: PLAIN_CIPH_LEN is a register on linux;
+ if ($win64) {
+ $code .= "mov $PLAIN_CIPH_LEN,$LENGTH\n";
+ }
+
+ # ;; There may be no more data if it was consumed in the partial block.
+ $code .= <<___;
+ sub $DATA_OFFSET,$LENGTH
+ je .L_enc_dec_done_${rndsuffix}
+___
+
+ $code .= <<___;
+ cmp \$`(16 * 16)`,$LENGTH
+ jbe .L_message_below_equal_16_blocks_${rndsuffix}
+
+ vmovdqa64 SHUF_MASK(%rip),$SHUF_MASK
+ vmovdqa64 ddq_addbe_4444(%rip),$ADDBE_4x4
+ vmovdqa64 ddq_addbe_1234(%rip),$ADDBE_1234
+
+ # ;; start the pipeline
+ # ;; - 32 blocks aes-ctr
+ # ;; - 16 blocks ghash + aes-ctr
+
+ # ;; set up CTR_CHECK
+ vmovd $CTR_BLOCKx,@{[DWORD($CTR_CHECK)]}
+ and \$255,@{[DWORD($CTR_CHECK)]}
+ # ;; in LE format after init, convert to BE
+ vshufi64x2 \$0,$CTR_BLOCKz,$CTR_BLOCKz,$CTR_BLOCKz
+ vpshufb $SHUF_MASK,$CTR_BLOCKz,$CTR_BLOCKz
+___
+
+ # ;; ==== AES-CTR - first 16 blocks
+ my $aesout_offset = ($STACK_LOCAL_OFFSET + (0 * 16));
+ my $data_in_out_offset = 0;
+ &INITIAL_BLOCKS_16(
+ $PLAIN_CIPH_IN, $CIPH_PLAIN_OUT, $AES_KEYS, $DATA_OFFSET, "no_ghash", $CTR_BLOCKz,
+ $CTR_CHECK, $ADDBE_4x4, $ADDBE_1234, $ZTMP0, $ZTMP1, $ZTMP2,
+ $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6, $ZTMP7, $ZTMP8,
+ $SHUF_MASK, $ENC_DEC, $aesout_offset, $data_in_out_offset, $IA0);
+
+ &precompute_hkeys_on_stack($GCM128_CTX, $HKEYS_READY, $ZTMP0, $ZTMP1, $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6,
+ "first16");
+
+ $code .= <<___;
+ cmp \$`(32 * 16)`,$LENGTH
+ jb .L_message_below_32_blocks_${rndsuffix}
+___
+
+ # ;; ==== AES-CTR - next 16 blocks
+ $aesout_offset = ($STACK_LOCAL_OFFSET + (16 * 16));
+ $data_in_out_offset = (16 * 16);
+ &INITIAL_BLOCKS_16(
+ $PLAIN_CIPH_IN, $CIPH_PLAIN_OUT, $AES_KEYS, $DATA_OFFSET, "no_ghash", $CTR_BLOCKz,
+ $CTR_CHECK, $ADDBE_4x4, $ADDBE_1234, $ZTMP0, $ZTMP1, $ZTMP2,
+ $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6, $ZTMP7, $ZTMP8,
+ $SHUF_MASK, $ENC_DEC, $aesout_offset, $data_in_out_offset, $IA0);
+
+ &precompute_hkeys_on_stack($GCM128_CTX, $HKEYS_READY, $ZTMP0, $ZTMP1, $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6,
+ "last32");
+ $code .= "mov \$1,$HKEYS_READY\n";
+
+ $code .= <<___;
+ add \$`(32 * 16)`,$DATA_OFFSET
+ sub \$`(32 * 16)`,$LENGTH
+
+ cmp \$`($big_loop_nblocks * 16)`,$LENGTH
+ jb .L_no_more_big_nblocks_${rndsuffix}
+___
+
+ # ;; ====
+ # ;; ==== AES-CTR + GHASH - 48 blocks loop
+ # ;; ====
+ $code .= ".L_encrypt_big_nblocks_${rndsuffix}:\n";
+
+ # ;; ==== AES-CTR + GHASH - 16 blocks, start
+ $aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16));
+ $data_in_out_offset = (0 * 16);
+ my $ghashin_offset = ($STACK_LOCAL_OFFSET + (0 * 16));
+ &GHASH_16_ENCRYPT_16_PARALLEL(
+ $AES_KEYS, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $DATA_OFFSET, $CTR_BLOCKz, $CTR_CHECK,
+ 48, $aesout_offset, $ghashin_offset, $SHUF_MASK, $ZTMP0, $ZTMP1,
+ $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6, $ZTMP7,
+ $ZTMP8, $ZTMP9, $ZTMP10, $ZTMP11, $ZTMP12, $ZTMP13,
+ $ZTMP14, $ZTMP15, $ZTMP16, $ZTMP17, $ZTMP18, $ZTMP19,
+ $ZTMP20, $ZTMP21, $ZTMP22, $ADDBE_4x4, $ADDBE_1234, $GL,
+ $GH, $GM, "first_time", $ENC_DEC, $data_in_out_offset, $AAD_HASHz,
+ $IA0);
+
+ # ;; ==== AES-CTR + GHASH - 16 blocks, no reduction
+ $aesout_offset = ($STACK_LOCAL_OFFSET + (0 * 16));
+ $data_in_out_offset = (16 * 16);
+ $ghashin_offset = ($STACK_LOCAL_OFFSET + (16 * 16));
+ &GHASH_16_ENCRYPT_16_PARALLEL(
+ $AES_KEYS, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $DATA_OFFSET, $CTR_BLOCKz, $CTR_CHECK,
+ 32, $aesout_offset, $ghashin_offset, $SHUF_MASK, $ZTMP0, $ZTMP1,
+ $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6, $ZTMP7,
+ $ZTMP8, $ZTMP9, $ZTMP10, $ZTMP11, $ZTMP12, $ZTMP13,
+ $ZTMP14, $ZTMP15, $ZTMP16, $ZTMP17, $ZTMP18, $ZTMP19,
+ $ZTMP20, $ZTMP21, $ZTMP22, $ADDBE_4x4, $ADDBE_1234, $GL,
+ $GH, $GM, "no_reduction", $ENC_DEC, $data_in_out_offset, "no_ghash_in",
+ $IA0);
+
+ # ;; ==== AES-CTR + GHASH - 16 blocks, reduction
+ $aesout_offset = ($STACK_LOCAL_OFFSET + (16 * 16));
+ $data_in_out_offset = (32 * 16);
+ $ghashin_offset = ($STACK_LOCAL_OFFSET + (32 * 16));
+ &GHASH_16_ENCRYPT_16_PARALLEL(
+ $AES_KEYS, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $DATA_OFFSET, $CTR_BLOCKz, $CTR_CHECK,
+ 16, $aesout_offset, $ghashin_offset, $SHUF_MASK, $ZTMP0, $ZTMP1,
+ $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6, $ZTMP7,
+ $ZTMP8, $ZTMP9, $ZTMP10, $ZTMP11, $ZTMP12, $ZTMP13,
+ $ZTMP14, $ZTMP15, $ZTMP16, $ZTMP17, $ZTMP18, $ZTMP19,
+ $ZTMP20, $ZTMP21, $ZTMP22, $ADDBE_4x4, $ADDBE_1234, $GL,
+ $GH, $GM, "final_reduction", $ENC_DEC, $data_in_out_offset, "no_ghash_in",
+ $IA0);
+
+ # ;; === xor cipher block 0 with GHASH (ZT4)
+ $code .= <<___;
+ vmovdqa64 $ZTMP4,$AAD_HASHz
+
+ add \$`($big_loop_nblocks * 16)`,$DATA_OFFSET
+ sub \$`($big_loop_nblocks * 16)`,$LENGTH
+ cmp \$`($big_loop_nblocks * 16)`,$LENGTH
+ jae .L_encrypt_big_nblocks_${rndsuffix}
+
+.L_no_more_big_nblocks_${rndsuffix}:
+
+ cmp \$`(32 * 16)`,$LENGTH
+ jae .L_encrypt_32_blocks_${rndsuffix}
+
+ cmp \$`(16 * 16)`,$LENGTH
+ jae .L_encrypt_16_blocks_${rndsuffix}
+___
+
+ # ;; =====================================================
+ # ;; =====================================================
+ # ;; ==== GHASH 1 x 16 blocks
+ # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
+ # ;; ==== then GHASH N blocks
+ $code .= ".L_encrypt_0_blocks_ghash_32_${rndsuffix}:\n";
+
+ # ;; calculate offset to the right hash key
+ $code .= <<___;
+mov @{[DWORD($LENGTH)]},@{[DWORD($IA0)]}
+and \$~15,@{[DWORD($IA0)]}
+mov \$`@{[HashKeyOffsetByIdx(32,"frame")]}`,@{[DWORD($HASHK_PTR)]}
+sub @{[DWORD($IA0)]},@{[DWORD($HASHK_PTR)]}
+___
+
+ # ;; ==== GHASH 32 blocks and follow with reduction
+ &GHASH_16("start", $GH, $GM, $GL, "%rsp", $STACK_LOCAL_OFFSET, (0 * 16),
+ "%rsp", $HASHK_PTR, 0, $AAD_HASHz, $ZTMP0, $ZTMP1, $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6, $ZTMP7, $ZTMP8, $ZTMP9);
+
+ # ;; ==== GHASH 1 x 16 blocks with reduction + cipher and ghash on the reminder
+ $ghashin_offset = ($STACK_LOCAL_OFFSET + (16 * 16));
+ $code .= "add \$`(16 * 16)`,@{[DWORD($HASHK_PTR)]}\n";
+ &GCM_ENC_DEC_LAST(
+ $AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $DATA_OFFSET, $LENGTH,
+ $CTR_BLOCKz, $CTR_CHECK, $HASHK_PTR, $ghashin_offset, $SHUF_MASK, $ZTMP0,
+ $ZTMP1, $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6,
+ $ZTMP7, $ZTMP8, $ZTMP9, $ZTMP10, $ZTMP11, $ZTMP12,
+ $ZTMP13, $ZTMP14, $ZTMP15, $ZTMP16, $ZTMP17, $ZTMP18,
+ $ZTMP19, $ZTMP20, $ZTMP21, $ZTMP22, $ADDBE_4x4, $ADDBE_1234,
+ "mid", $GL, $GH, $GM, $ENC_DEC, $AAD_HASHz,
+ $IA0, $IA5, $MASKREG, $PBLOCK_LEN);
+
+ $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
+ $code .= "jmp .L_ghash_done_${rndsuffix}\n";
+
+ # ;; =====================================================
+ # ;; =====================================================
+ # ;; ==== GHASH & encrypt 1 x 16 blocks
+ # ;; ==== GHASH & encrypt 1 x 16 blocks
+ # ;; ==== GHASH 1 x 16 blocks (reduction)
+ # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
+ # ;; ==== then GHASH N blocks
+ $code .= ".L_encrypt_32_blocks_${rndsuffix}:\n";
+
+ # ;; ==== AES-CTR + GHASH - 16 blocks, start
+ $aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16));
+ $ghashin_offset = ($STACK_LOCAL_OFFSET + (0 * 16));
+ $data_in_out_offset = (0 * 16);
+ &GHASH_16_ENCRYPT_16_PARALLEL(
+ $AES_KEYS, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $DATA_OFFSET, $CTR_BLOCKz, $CTR_CHECK,
+ 48, $aesout_offset, $ghashin_offset, $SHUF_MASK, $ZTMP0, $ZTMP1,
+ $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6, $ZTMP7,
+ $ZTMP8, $ZTMP9, $ZTMP10, $ZTMP11, $ZTMP12, $ZTMP13,
+ $ZTMP14, $ZTMP15, $ZTMP16, $ZTMP17, $ZTMP18, $ZTMP19,
+ $ZTMP20, $ZTMP21, $ZTMP22, $ADDBE_4x4, $ADDBE_1234, $GL,
+ $GH, $GM, "first_time", $ENC_DEC, $data_in_out_offset, $AAD_HASHz,
+ $IA0);
+
+ # ;; ==== AES-CTR + GHASH - 16 blocks, no reduction
+ $aesout_offset = ($STACK_LOCAL_OFFSET + (0 * 16));
+ $ghashin_offset = ($STACK_LOCAL_OFFSET + (16 * 16));
+ $data_in_out_offset = (16 * 16);
+ &GHASH_16_ENCRYPT_16_PARALLEL(
+ $AES_KEYS, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $DATA_OFFSET, $CTR_BLOCKz, $CTR_CHECK,
+ 32, $aesout_offset, $ghashin_offset, $SHUF_MASK, $ZTMP0, $ZTMP1,
+ $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6, $ZTMP7,
+ $ZTMP8, $ZTMP9, $ZTMP10, $ZTMP11, $ZTMP12, $ZTMP13,
+ $ZTMP14, $ZTMP15, $ZTMP16, $ZTMP17, $ZTMP18, $ZTMP19,
+ $ZTMP20, $ZTMP21, $ZTMP22, $ADDBE_4x4, $ADDBE_1234, $GL,
+ $GH, $GM, "no_reduction", $ENC_DEC, $data_in_out_offset, "no_ghash_in",
+ $IA0);
+
+ # ;; ==== GHASH 16 blocks with reduction
+ &GHASH_16(
+ "end_reduce", $GH, $GM, $GL, "%rsp", $STACK_LOCAL_OFFSET, (32 * 16),
+ "%rsp", &HashKeyOffsetByIdx(16, "frame"),
+ 0, $AAD_HASHz, $ZTMP0, $ZTMP1, $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6, $ZTMP7, $ZTMP8, $ZTMP9);
+
+ # ;; ==== GHASH 1 x 16 blocks with reduction + cipher and ghash on the reminder
+ $ghashin_offset = ($STACK_LOCAL_OFFSET + (0 * 16));
+ $code .= <<___;
+ sub \$`(32 * 16)`,$LENGTH
+ add \$`(32 * 16)`,$DATA_OFFSET
+___
+
+ # ;; calculate offset to the right hash key
+ $code .= "mov @{[DWORD($LENGTH)]},@{[DWORD($IA0)]}\n";
+ $code .= <<___;
+ and \$~15,@{[DWORD($IA0)]}
+ mov \$`@{[HashKeyOffsetByIdx(16,"frame")]}`,@{[DWORD($HASHK_PTR)]}
+ sub @{[DWORD($IA0)]},@{[DWORD($HASHK_PTR)]}
+___
+ &GCM_ENC_DEC_LAST(
+ $AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $DATA_OFFSET, $LENGTH,
+ $CTR_BLOCKz, $CTR_CHECK, $HASHK_PTR, $ghashin_offset, $SHUF_MASK, $ZTMP0,
+ $ZTMP1, $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6,
+ $ZTMP7, $ZTMP8, $ZTMP9, $ZTMP10, $ZTMP11, $ZTMP12,
+ $ZTMP13, $ZTMP14, $ZTMP15, $ZTMP16, $ZTMP17, $ZTMP18,
+ $ZTMP19, $ZTMP20, $ZTMP21, $ZTMP22, $ADDBE_4x4, $ADDBE_1234,
+ "start", $GL, $GH, $GM, $ENC_DEC, $AAD_HASHz,
+ $IA0, $IA5, $MASKREG, $PBLOCK_LEN);
+
+ $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
+ $code .= "jmp .L_ghash_done_${rndsuffix}\n";
+
+ # ;; =====================================================
+ # ;; =====================================================
+ # ;; ==== GHASH & encrypt 16 blocks (done before)
+ # ;; ==== GHASH 1 x 16 blocks
+ # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
+ # ;; ==== then GHASH N blocks
+ $code .= ".L_encrypt_16_blocks_${rndsuffix}:\n";
+
+ # ;; ==== AES-CTR + GHASH - 16 blocks, start
+ $aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16));
+ $ghashin_offset = ($STACK_LOCAL_OFFSET + (0 * 16));
+ $data_in_out_offset = (0 * 16);
+ &GHASH_16_ENCRYPT_16_PARALLEL(
+ $AES_KEYS, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $DATA_OFFSET, $CTR_BLOCKz, $CTR_CHECK,
+ 48, $aesout_offset, $ghashin_offset, $SHUF_MASK, $ZTMP0, $ZTMP1,
+ $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6, $ZTMP7,
+ $ZTMP8, $ZTMP9, $ZTMP10, $ZTMP11, $ZTMP12, $ZTMP13,
+ $ZTMP14, $ZTMP15, $ZTMP16, $ZTMP17, $ZTMP18, $ZTMP19,
+ $ZTMP20, $ZTMP21, $ZTMP22, $ADDBE_4x4, $ADDBE_1234, $GL,
+ $GH, $GM, "first_time", $ENC_DEC, $data_in_out_offset, $AAD_HASHz,
+ $IA0);
+
+ # ;; ==== GHASH 1 x 16 blocks
+ &GHASH_16(
+ "mid", $GH, $GM, $GL, "%rsp", $STACK_LOCAL_OFFSET, (16 * 16),
+ "%rsp", &HashKeyOffsetByIdx(32, "frame"),
+ 0, "no_hash_input", $ZTMP0, $ZTMP1, $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6, $ZTMP7, $ZTMP8, $ZTMP9);
+
+ # ;; ==== GHASH 1 x 16 blocks with reduction + cipher and ghash on the reminder
+ $ghashin_offset = ($STACK_LOCAL_OFFSET + (32 * 16));
+ $code .= <<___;
+ sub \$`(16 * 16)`,$LENGTH
+ add \$`(16 * 16)`,$DATA_OFFSET
+___
+ &GCM_ENC_DEC_LAST(
+ $AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN,
+ $DATA_OFFSET, $LENGTH, $CTR_BLOCKz, $CTR_CHECK,
+ &HashKeyOffsetByIdx(16, "frame"), $ghashin_offset, $SHUF_MASK, $ZTMP0,
+ $ZTMP1, $ZTMP2, $ZTMP3, $ZTMP4,
+ $ZTMP5, $ZTMP6, $ZTMP7, $ZTMP8,
+ $ZTMP9, $ZTMP10, $ZTMP11, $ZTMP12,
+ $ZTMP13, $ZTMP14, $ZTMP15, $ZTMP16,
+ $ZTMP17, $ZTMP18, $ZTMP19, $ZTMP20,
+ $ZTMP21, $ZTMP22, $ADDBE_4x4, $ADDBE_1234,
+ "end_reduce", $GL, $GH, $GM,
+ $ENC_DEC, $AAD_HASHz, $IA0, $IA5,
+ $MASKREG, $PBLOCK_LEN);
+
+ $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
+ $code .= <<___;
+ jmp .L_ghash_done_${rndsuffix}
+
+.L_message_below_32_blocks_${rndsuffix}:
+ # ;; 32 > number of blocks > 16
+
+ sub \$`(16 * 16)`,$LENGTH
+ add \$`(16 * 16)`,$DATA_OFFSET
+___
+ $ghashin_offset = ($STACK_LOCAL_OFFSET + (0 * 16));
+
+ # ;; calculate offset to the right hash key
+ $code .= "mov @{[DWORD($LENGTH)]},@{[DWORD($IA0)]}\n";
+
+ &precompute_hkeys_on_stack($GCM128_CTX, $HKEYS_READY, $ZTMP0, $ZTMP1, $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6,
+ "mid16");
+ $code .= "mov \$1,$HKEYS_READY\n";
+
+ $code .= <<___;
+and \$~15,@{[DWORD($IA0)]}
+mov \$`@{[HashKeyOffsetByIdx(16,"frame")]}`,@{[DWORD($HASHK_PTR)]}
+sub @{[DWORD($IA0)]},@{[DWORD($HASHK_PTR)]}
+___
+
+ &GCM_ENC_DEC_LAST(
+ $AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $DATA_OFFSET, $LENGTH,
+ $CTR_BLOCKz, $CTR_CHECK, $HASHK_PTR, $ghashin_offset, $SHUF_MASK, $ZTMP0,
+ $ZTMP1, $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6,
+ $ZTMP7, $ZTMP8, $ZTMP9, $ZTMP10, $ZTMP11, $ZTMP12,
+ $ZTMP13, $ZTMP14, $ZTMP15, $ZTMP16, $ZTMP17, $ZTMP18,
+ $ZTMP19, $ZTMP20, $ZTMP21, $ZTMP22, $ADDBE_4x4, $ADDBE_1234,
+ "start", $GL, $GH, $GM, $ENC_DEC, $AAD_HASHz,
+ $IA0, $IA5, $MASKREG, $PBLOCK_LEN);
+
+ $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
+ $code .= <<___;
+ jmp .L_ghash_done_${rndsuffix}
+
+.L_message_below_equal_16_blocks_${rndsuffix}:
+ # ;; Determine how many blocks to process
+ # ;; - process one additional block if there is a partial block
+ mov @{[DWORD($LENGTH)]},@{[DWORD($IA1)]}
+ add \$15,@{[DWORD($IA1)]}
+ shr \$4, @{[DWORD($IA1)]} # ; $IA1 can be in the range from 0 to 16
+___
+ &GCM_ENC_DEC_SMALL(
+ $AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $PLAIN_CIPH_LEN, $ENC_DEC,
+ $DATA_OFFSET, $LENGTH, $IA1, $CTR_BLOCKx, $AAD_HASHx, $ZTMP0,
+ $ZTMP1, $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6,
+ $ZTMP7, $ZTMP8, $ZTMP9, $ZTMP10, $ZTMP11, $ZTMP12,
+ $ZTMP13, $ZTMP14, $IA0, $IA3, $MASKREG, $SHUF_MASK,
+ $PBLOCK_LEN);
+
+ # ;; fall through to exit
+
+ $code .= ".L_ghash_done_${rndsuffix}:\n";
+
+ # ;; save the last counter block
+ $code .= "vmovdqu64 $CTR_BLOCKx,`$CTX_OFFSET_CurCount`($GCM128_CTX)\n";
+ $code .= <<___;
+ vmovdqu64 $AAD_HASHx,`$CTX_OFFSET_AadHash`($GCM128_CTX)
+.L_enc_dec_done_${rndsuffix}:
+___
+}
+
+# ;;; ===========================================================================
+# ;;; Encrypt/decrypt the initial 16 blocks
+sub INITIAL_BLOCKS_16 {
+ my $IN = $_[0]; # [in] input buffer
+ my $OUT = $_[1]; # [in] output buffer
+ my $AES_KEYS = $_[2]; # [in] pointer to expanded keys
+ my $DATA_OFFSET = $_[3]; # [in] data offset
+ my $GHASH = $_[4]; # [in] ZMM with AAD (low 128 bits)
+ my $CTR = $_[5]; # [in] ZMM with CTR BE blocks 4x128 bits
+ my $CTR_CHECK = $_[6]; # [in/out] GPR with counter overflow check
+ my $ADDBE_4x4 = $_[7]; # [in] ZMM 4x128bits with value 4 (big endian)
+ my $ADDBE_1234 = $_[8]; # [in] ZMM 4x128bits with values 1, 2, 3 & 4 (big endian)
+ my $T0 = $_[9]; # [clobered] temporary ZMM register
+ my $T1 = $_[10]; # [clobered] temporary ZMM register
+ my $T2 = $_[11]; # [clobered] temporary ZMM register
+ my $T3 = $_[12]; # [clobered] temporary ZMM register
+ my $T4 = $_[13]; # [clobered] temporary ZMM register
+ my $T5 = $_[14]; # [clobered] temporary ZMM register
+ my $T6 = $_[15]; # [clobered] temporary ZMM register
+ my $T7 = $_[16]; # [clobered] temporary ZMM register
+ my $T8 = $_[17]; # [clobered] temporary ZMM register
+ my $SHUF_MASK = $_[18]; # [in] ZMM with BE/LE shuffle mask
+ my $ENC_DEC = $_[19]; # [in] ENC (encrypt) or DEC (decrypt) selector
+ my $BLK_OFFSET = $_[20]; # [in] stack frame offset to ciphered blocks
+ my $DATA_DISPL = $_[21]; # [in] fixed numerical data displacement/offset
+ my $IA0 = $_[22]; # [clobered] temporary GP register
+
+ my $B00_03 = $T5;
+ my $B04_07 = $T6;
+ my $B08_11 = $T7;
+ my $B12_15 = $T8;
+
+ my $rndsuffix = &random_string();
+
+ my $stack_offset = $BLK_OFFSET;
+ $code .= <<___;
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;; prepare counter blocks
+
+ cmpb \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]}
+ jae .L_next_16_overflow_${rndsuffix}
+ vpaddd $ADDBE_1234,$CTR,$B00_03
+ vpaddd $ADDBE_4x4,$B00_03,$B04_07
+ vpaddd $ADDBE_4x4,$B04_07,$B08_11
+ vpaddd $ADDBE_4x4,$B08_11,$B12_15
+ jmp .L_next_16_ok_${rndsuffix}
+.L_next_16_overflow_${rndsuffix}:
+ vpshufb $SHUF_MASK,$CTR,$CTR
+ vmovdqa64 ddq_add_4444(%rip),$B12_15
+ vpaddd ddq_add_1234(%rip),$CTR,$B00_03
+ vpaddd $B12_15,$B00_03,$B04_07
+ vpaddd $B12_15,$B04_07,$B08_11
+ vpaddd $B12_15,$B08_11,$B12_15
+ vpshufb $SHUF_MASK,$B00_03,$B00_03
+ vpshufb $SHUF_MASK,$B04_07,$B04_07
+ vpshufb $SHUF_MASK,$B08_11,$B08_11
+ vpshufb $SHUF_MASK,$B12_15,$B12_15
+.L_next_16_ok_${rndsuffix}:
+ vshufi64x2 \$0b11111111,$B12_15,$B12_15,$CTR
+ addb \$16,@{[BYTE($CTR_CHECK)]}
+ # ;; === load 16 blocks of data
+ vmovdqu8 `$DATA_DISPL + (64*0)`($IN,$DATA_OFFSET,1),$T0
+ vmovdqu8 `$DATA_DISPL + (64*1)`($IN,$DATA_OFFSET,1),$T1
+ vmovdqu8 `$DATA_DISPL + (64*2)`($IN,$DATA_OFFSET,1),$T2
+ vmovdqu8 `$DATA_DISPL + (64*3)`($IN,$DATA_OFFSET,1),$T3
+
+ # ;; move to AES encryption rounds
+ vbroadcastf64x2 `(16*0)`($AES_KEYS),$T4
+ vpxorq $T4,$B00_03,$B00_03
+ vpxorq $T4,$B04_07,$B04_07
+ vpxorq $T4,$B08_11,$B08_11
+ vpxorq $T4,$B12_15,$B12_15
+___
+ foreach (1 .. ($NROUNDS)) {
+ $code .= <<___;
+ vbroadcastf64x2 `(16*$_)`($AES_KEYS),$T4
+ vaesenc $T4,$B00_03,$B00_03
+ vaesenc $T4,$B04_07,$B04_07
+ vaesenc $T4,$B08_11,$B08_11
+ vaesenc $T4,$B12_15,$B12_15
+___
+ }
+ $code .= <<___;
+ vbroadcastf64x2 `(16*($NROUNDS+1))`($AES_KEYS),$T4
+ vaesenclast $T4,$B00_03,$B00_03
+ vaesenclast $T4,$B04_07,$B04_07
+ vaesenclast $T4,$B08_11,$B08_11
+ vaesenclast $T4,$B12_15,$B12_15
+
+ # ;; xor against text
+ vpxorq $T0,$B00_03,$B00_03
+ vpxorq $T1,$B04_07,$B04_07
+ vpxorq $T2,$B08_11,$B08_11
+ vpxorq $T3,$B12_15,$B12_15
+
+ # ;; store
+ mov $OUT, $IA0
+ vmovdqu8 $B00_03,`$DATA_DISPL + (64*0)`($IA0,$DATA_OFFSET,1)
+ vmovdqu8 $B04_07,`$DATA_DISPL + (64*1)`($IA0,$DATA_OFFSET,1)
+ vmovdqu8 $B08_11,`$DATA_DISPL + (64*2)`($IA0,$DATA_OFFSET,1)
+ vmovdqu8 $B12_15,`$DATA_DISPL + (64*3)`($IA0,$DATA_OFFSET,1)
+___
+ if ($ENC_DEC eq "DEC") {
+ $code .= <<___;
+ # ;; decryption - cipher text needs to go to GHASH phase
+ vpshufb $SHUF_MASK,$T0,$B00_03
+ vpshufb $SHUF_MASK,$T1,$B04_07
+ vpshufb $SHUF_MASK,$T2,$B08_11
+ vpshufb $SHUF_MASK,$T3,$B12_15
+___
+ } else {
+ $code .= <<___;
+ # ;; encryption
+ vpshufb $SHUF_MASK,$B00_03,$B00_03
+ vpshufb $SHUF_MASK,$B04_07,$B04_07
+ vpshufb $SHUF_MASK,$B08_11,$B08_11
+ vpshufb $SHUF_MASK,$B12_15,$B12_15
+___
+ }
+
+ if ($GHASH ne "no_ghash") {
+ $code .= <<___;
+ # ;; === xor cipher block 0 with GHASH for the next GHASH round
+ vpxorq $GHASH,$B00_03,$B00_03
+___
+ }
+ $code .= <<___;
+ vmovdqa64 $B00_03,`$stack_offset + (0 * 64)`(%rsp)
+ vmovdqa64 $B04_07,`$stack_offset + (1 * 64)`(%rsp)
+ vmovdqa64 $B08_11,`$stack_offset + (2 * 64)`(%rsp)
+ vmovdqa64 $B12_15,`$stack_offset + (3 * 64)`(%rsp)
+___
+}
+
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+# ; GCM_COMPLETE Finishes ghash calculation
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+sub GCM_COMPLETE {
+ my $GCM128_CTX = $_[0];
+ my $PBLOCK_LEN = $_[1];
+
+ my $rndsuffix = &random_string();
+
+ $code .= <<___;
+ vmovdqu @{[HashKeyByIdx(1,$GCM128_CTX)]},%xmm2
+ vmovdqu $CTX_OFFSET_EK0($GCM128_CTX),%xmm3 # ; xmm3 = E(K,Y0)
+___
+
+ $code .= <<___;
+ vmovdqu `$CTX_OFFSET_AadHash`($GCM128_CTX),%xmm4
+
+ # ;; Process the final partial block.
+ cmp \$0,$PBLOCK_LEN
+ je .L_partial_done_${rndsuffix}
+___
+
+ # ;GHASH computation for the last <16 Byte block
+ &GHASH_MUL("%xmm4", "%xmm2", "%xmm0", "%xmm16", "%xmm17");
+
+ $code .= <<___;
+.L_partial_done_${rndsuffix}:
+ vmovq `$CTX_OFFSET_InLen`($GCM128_CTX), %xmm5
+ vpinsrq \$1, `$CTX_OFFSET_AadLen`($GCM128_CTX), %xmm5, %xmm5 # ; xmm5 = len(A)||len(C)
+ vpsllq \$3, %xmm5, %xmm5 # ; convert bytes into bits
+
+ vpxor %xmm5,%xmm4,%xmm4
+___
+
+ &GHASH_MUL("%xmm4", "%xmm2", "%xmm0", "%xmm16", "%xmm17");
+
+ $code .= <<___;
+ vpshufb SHUF_MASK(%rip),%xmm4,%xmm4 # ; perform a 16Byte swap
+ vpxor %xmm4,%xmm3,%xmm3
+
+.L_return_T_${rndsuffix}:
+ vmovdqu %xmm3,`$CTX_OFFSET_AadHash`($GCM128_CTX)
+___
+}
+
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+# ;;; Functions definitions
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+$code .= ".text\n";
+{
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ # ;void ossl_aes_gcm_init_avx512 /
+ # ; (const void *aes_keys,
+ # ; void *gcm128ctx)
+ # ;
+ # ; Precomputes hashkey table for GHASH optimization.
+ # ; Leaf function (does not allocate stack space, does not use non-volatile registers).
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ $code .= <<___;
+.globl ossl_aes_gcm_init_avx512
+.type ossl_aes_gcm_init_avx512,\@abi-omnipotent
+.align 32
+ossl_aes_gcm_init_avx512:
+.cfi_startproc
+ endbranch
+___
+ if ($CHECK_FUNCTION_ARGUMENTS) {
+ $code .= <<___;
+ # ;; Check aes_keys != NULL
+ test $arg1,$arg1
+ jz .Labort_init
+
+ # ;; Check gcm128ctx != NULL
+ test $arg2,$arg2
+ jz .Labort_init
+___
+ }
+ $code .= "vpxorq %xmm16,%xmm16,%xmm16\n";
+ &ENCRYPT_SINGLE_BLOCK("$arg1", "%xmm16", "%rax"); # ; xmm16 = HashKey
+ $code .= <<___;
+ vpshufb SHUF_MASK(%rip),%xmm16,%xmm16
+ # ;;; PRECOMPUTATION of HashKey<<1 mod poly from the HashKey ;;;
+ vmovdqa64 %xmm16,%xmm2
+ vpsllq \$1,%xmm16,%xmm16
+ vpsrlq \$63,%xmm2,%xmm2
+ vmovdqa %xmm2,%xmm1
+ vpslldq \$8,%xmm2,%xmm2
+ vpsrldq \$8,%xmm1,%xmm1
+ vporq %xmm2,%xmm16,%xmm16
+ # ;reduction
+ vpshufd \$0b00100100,%xmm1,%xmm2
+ vpcmpeqd TWOONE(%rip),%xmm2,%xmm2
+ vpand POLY(%rip),%xmm2,%xmm2
+ vpxorq %xmm2,%xmm16,%xmm16 # ; xmm16 holds the HashKey<<1 mod poly
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ vmovdqu64 %xmm16,@{[HashKeyByIdx(1,$arg2)]} # ; store HashKey<<1 mod poly
+___
+ &PRECOMPUTE("$arg2", "%xmm16", "%xmm0", "%xmm1", "%xmm2", "%xmm3", "%xmm4", "%xmm5");
+ if ($CLEAR_SCRATCH_REGISTERS) {
+ &clear_scratch_gps_asm();
+ &clear_scratch_zmms_asm();
+ } else {
+ $code .= "vzeroupper\n";
+ }
+ $code .= <<___;
+.Labort_init:
+ret
+.cfi_endproc
+.size ossl_aes_gcm_init_avx512, .-ossl_aes_gcm_init_avx512
+___
+}
+
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+# ;void ossl_aes_gcm_setiv_avx512
+# ; (const void *aes_keys,
+# ; void *gcm128ctx,
+# ; const unsigned char *iv,
+# ; size_t ivlen)
+# ;
+# ; Computes E(K,Y0) for finalization, updates current counter Yi in gcm128_context structure.
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+$code .= <<___;
+.globl ossl_aes_gcm_setiv_avx512
+.type ossl_aes_gcm_setiv_avx512,\@abi-omnipotent
+.align 32
+ossl_aes_gcm_setiv_avx512:
+.cfi_startproc
+.Lsetiv_seh_begin:
+ endbranch
+___
+if ($CHECK_FUNCTION_ARGUMENTS) {
+ $code .= <<___;
+ # ;; Check aes_keys != NULL
+ test $arg1,$arg1
+ jz .Labort_setiv
+
+ # ;; Check gcm128ctx != NULL
+ test $arg2,$arg2
+ jz .Labort_setiv
+
+ # ;; Check iv != NULL
+ test $arg3,$arg3
+ jz .Labort_setiv
+
+ # ;; Check ivlen != 0
+ test $arg4,$arg4
+ jz .Labort_setiv
+___
+}
+
+# ; NOTE: code before PROLOG() must not modify any registers
+&PROLOG(
+ 1, # allocate stack space for hkeys
+ 0, # do not allocate stack space for AES blocks
+ "setiv");
+&GCM_INIT_IV(
+ "$arg1", "$arg2", "$arg3", "$arg4", "%r10", "%r11", "%r12", "%k1", "%xmm2", "%zmm1",
+ "%zmm11", "%zmm3", "%zmm4", "%zmm5", "%zmm6", "%zmm7", "%zmm8", "%zmm9", "%zmm10", "%zmm12",
+ "%zmm13", "%zmm15", "%zmm16", "%zmm17", "%zmm18", "%zmm19");
+&EPILOG(
+ 1, # hkeys were allocated
+ $arg4);
+$code .= <<___;
+.Labort_setiv:
+ret
+.Lsetiv_seh_end:
+.cfi_endproc
+.size ossl_aes_gcm_setiv_avx512, .-ossl_aes_gcm_setiv_avx512
+___
+
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+# ;void ossl_aes_gcm_update_aad_avx512
+# ; (unsigned char *gcm128ctx,
+# ; const unsigned char *aad,
+# ; size_t aadlen)
+# ;
+# ; Updates AAD hash in gcm128_context structure.
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+$code .= <<___;
+.globl ossl_aes_gcm_update_aad_avx512
+.type ossl_aes_gcm_update_aad_avx512,\@abi-omnipotent
+.align 32
+ossl_aes_gcm_update_aad_avx512:
+.cfi_startproc
+.Lghash_seh_begin:
+ endbranch
+___
+if ($CHECK_FUNCTION_ARGUMENTS) {
+ $code .= <<___;
+ # ;; Check gcm128ctx != NULL
+ test $arg1,$arg1
+ jz .Lexit_update_aad
+
+ # ;; Check aad != NULL
+ test $arg2,$arg2
+ jz .Lexit_update_aad
+
+ # ;; Check aadlen != 0
+ test $arg3,$arg3
+ jz .Lexit_update_aad
+___
+}
+
+# ; NOTE: code before PROLOG() must not modify any registers
+&PROLOG(
+ 1, # allocate stack space for hkeys,
+ 0, # do not allocate stack space for AES blocks
+ "ghash");
+&GCM_UPDATE_AAD(
+ "$arg1", "$arg2", "$arg3", "%r10", "%r11", "%r12", "%k1", "%xmm14", "%zmm1", "%zmm11",
+ "%zmm3", "%zmm4", "%zmm5", "%zmm6", "%zmm7", "%zmm8", "%zmm9", "%zmm10", "%zmm12", "%zmm13",
+ "%zmm15", "%zmm16", "%zmm17", "%zmm18", "%zmm19");
+&EPILOG(
+ 1, # hkeys were allocated
+ $arg3);
+$code .= <<___;
+.Lexit_update_aad:
+ret
+.Lghash_seh_end:
+.cfi_endproc
+.size ossl_aes_gcm_update_aad_avx512, .-ossl_aes_gcm_update_aad_avx512
+___
+
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+# ;void ossl_aes_gcm_encrypt_avx512
+# ; (const void* aes_keys,
+# ; void *gcm128ctx,
+# ; unsigned int *pblocklen,
+# ; const unsigned char *in,
+# ; size_t len,
+# ; unsigned char *out);
+# ;
+# ; Performs encryption of data |in| of len |len|, and stores the output in |out|.
+# ; Stores encrypted partial block (if any) in gcm128ctx and its length in |pblocklen|.
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+$code .= <<___;
+.globl ossl_aes_gcm_encrypt_avx512
+.type ossl_aes_gcm_encrypt_avx512,\@abi-omnipotent
+.align 32
+ossl_aes_gcm_encrypt_avx512:
+.cfi_startproc
+.Lencrypt_seh_begin:
+ endbranch
+___
+
+# ; NOTE: code before PROLOG() must not modify any registers
+&PROLOG(
+ 1, # allocate stack space for hkeys
+ 1, # allocate stack space for AES blocks
+ "encrypt");
+if ($CHECK_FUNCTION_ARGUMENTS) {
+ $code .= <<___;
+ # ;; Check aes_keys != NULL
+ test $arg1,$arg1
+ jz .Lexit_gcm_encrypt
+
+ # ;; Check gcm128ctx != NULL
+ test $arg2,$arg2
+ jz .Lexit_gcm_encrypt
+
+ # ;; Check pblocklen != NULL
+ test $arg3,$arg3
+ jz .Lexit_gcm_encrypt
+
+ # ;; Check in != NULL
+ test $arg4,$arg4
+ jz .Lexit_gcm_encrypt
+
+ # ;; Check if len != 0
+ cmp \$0,$arg5
+ jz .Lexit_gcm_encrypt
+
+ # ;; Check out != NULL
+ cmp \$0,$arg6
+ jz .Lexit_gcm_encrypt
+___
+}
+$code .= <<___;
+ # ; load number of rounds from AES_KEY structure (offset in bytes is
+ # ; size of the |rd_key| buffer)
+ mov `4*15*4`($arg1),%eax
+ cmp \$9,%eax
+ je .Laes_gcm_encrypt_128_avx512
+ cmp \$11,%eax
+ je .Laes_gcm_encrypt_192_avx512
+ cmp \$13,%eax
+ je .Laes_gcm_encrypt_256_avx512
+ xor %eax,%eax
+ jmp .Lexit_gcm_encrypt
+___
+for my $keylen (sort keys %aes_rounds) {
+ $NROUNDS = $aes_rounds{$keylen};
+ $code .= <<___;
+.align 32
+.Laes_gcm_encrypt_${keylen}_avx512:
+___
+ &GCM_ENC_DEC("$arg1", "$arg2", "$arg3", "$arg4", "$arg5", "$arg6", "ENC");
+ $code .= "jmp .Lexit_gcm_encrypt\n";
+}
+$code .= ".Lexit_gcm_encrypt:\n";
+&EPILOG(1, $arg5);
+$code .= <<___;
+ret
+.Lencrypt_seh_end:
+.cfi_endproc
+.size ossl_aes_gcm_encrypt_avx512, .-ossl_aes_gcm_encrypt_avx512
+___
+
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+# ;void ossl_aes_gcm_decrypt_avx512
+# ; (const void* keys,
+# ; void *gcm128ctx,
+# ; unsigned int *pblocklen,
+# ; const unsigned char *in,
+# ; size_t len,
+# ; unsigned char *out);
+# ;
+# ; Performs decryption of data |in| of len |len|, and stores the output in |out|.
+# ; Stores decrypted partial block (if any) in gcm128ctx and its length in |pblocklen|.
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+$code .= <<___;
+.globl ossl_aes_gcm_decrypt_avx512
+.type ossl_aes_gcm_decrypt_avx512,\@abi-omnipotent
+.align 32
+ossl_aes_gcm_decrypt_avx512:
+.cfi_startproc
+.Ldecrypt_seh_begin:
+ endbranch
+___
+
+# ; NOTE: code before PROLOG() must not modify any registers
+&PROLOG(
+ 1, # allocate stack space for hkeys
+ 1, # allocate stack space for AES blocks
+ "decrypt");
+if ($CHECK_FUNCTION_ARGUMENTS) {
+ $code .= <<___;
+ # ;; Check keys != NULL
+ test $arg1,$arg1
+ jz .Lexit_gcm_decrypt
+
+ # ;; Check gcm128ctx != NULL
+ test $arg2,$arg2
+ jz .Lexit_gcm_decrypt
+
+ # ;; Check pblocklen != NULL
+ test $arg3,$arg3
+ jz .Lexit_gcm_decrypt
+
+ # ;; Check in != NULL
+ test $arg4,$arg4
+ jz .Lexit_gcm_decrypt
+
+ # ;; Check if len != 0
+ cmp \$0,$arg5
+ jz .Lexit_gcm_decrypt
+
+ # ;; Check out != NULL
+ cmp \$0,$arg6
+ jz .Lexit_gcm_decrypt
+___
+}
+$code .= <<___;
+ # ; load number of rounds from AES_KEY structure (offset in bytes is
+ # ; size of the |rd_key| buffer)
+ mov `4*15*4`($arg1),%eax
+ cmp \$9,%eax
+ je .Laes_gcm_decrypt_128_avx512
+ cmp \$11,%eax
+ je .Laes_gcm_decrypt_192_avx512
+ cmp \$13,%eax
+ je .Laes_gcm_decrypt_256_avx512
+ xor %eax,%eax
+ jmp .Lexit_gcm_decrypt
+___
+for my $keylen (sort keys %aes_rounds) {
+ $NROUNDS = $aes_rounds{$keylen};
+ $code .= <<___;
+.align 32
+.Laes_gcm_decrypt_${keylen}_avx512:
+___
+ &GCM_ENC_DEC("$arg1", "$arg2", "$arg3", "$arg4", "$arg5", "$arg6", "DEC");
+ $code .= "jmp .Lexit_gcm_decrypt\n";
+}
+$code .= ".Lexit_gcm_decrypt:\n";
+&EPILOG(1, $arg5);
+$code .= <<___;
+ret
+.Ldecrypt_seh_end:
+.cfi_endproc
+.size ossl_aes_gcm_decrypt_avx512, .-ossl_aes_gcm_decrypt_avx512
+___
+
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+# ;void ossl_aes_gcm_finalize_vaes_avx512
+# ; (void *gcm128ctx,
+# ; unsigned int pblocklen);
+# ;
+# ; Finalizes encryption / decryption
+# ; Leaf function (does not allocate stack space, does not use non-volatile registers).
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+$code .= <<___;
+.globl ossl_aes_gcm_finalize_avx512
+.type ossl_aes_gcm_finalize_avx512,\@abi-omnipotent
+.align 32
+ossl_aes_gcm_finalize_avx512:
+.cfi_startproc
+ endbranch
+___
+if ($CHECK_FUNCTION_ARGUMENTS) {
+ $code .= <<___;
+ # ;; Check gcm128ctx != NULL
+ test $arg1,$arg1
+ jz .Labort_finalize
+___
+}
+
+&GCM_COMPLETE("$arg1", "$arg2");
+
+$code .= <<___;
+.Labort_finalize:
+ret
+.cfi_endproc
+.size ossl_aes_gcm_finalize_avx512, .-ossl_aes_gcm_finalize_avx512
+___
+
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+# ;void ossl_gcm_gmult_avx512(u64 Xi[2],
+# ; const void* gcm128ctx)
+# ;
+# ; Leaf function (does not allocate stack space, does not use non-volatile registers).
+# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+$code .= <<___;
+.globl ossl_gcm_gmult_avx512
+.hidden ossl_gcm_gmult_avx512
+.type ossl_gcm_gmult_avx512,\@abi-omnipotent
+.align 32
+ossl_gcm_gmult_avx512:
+.cfi_startproc
+ endbranch
+___
+if ($CHECK_FUNCTION_ARGUMENTS) {
+ $code .= <<___;
+ # ;; Check Xi != NULL
+ test $arg1,$arg1
+ jz .Labort_gmult
+
+ # ;; Check gcm128ctx != NULL
+ test $arg2,$arg2
+ jz .Labort_gmult
+___
+}
+$code .= "vmovdqu64 ($arg1),%xmm1\n";
+$code .= "vmovdqu64 @{[HashKeyByIdx(1,$arg2)]},%xmm2\n";
+
+&GHASH_MUL("%xmm1", "%xmm2", "%xmm3", "%xmm4", "%xmm5");
+
+$code .= "vmovdqu64 %xmm1,($arg1)\n";
+if ($CLEAR_SCRATCH_REGISTERS) {
+ &clear_scratch_gps_asm();
+ &clear_scratch_zmms_asm();
+} else {
+ $code .= "vzeroupper\n";
+}
+$code .= <<___;
+.Labort_gmult:
+ret
+.cfi_endproc
+.size ossl_gcm_gmult_avx512, .-ossl_gcm_gmult_avx512
+___
+
+if ($win64) {
+
+ # Add unwind metadata for SEH.
+
+ # See https://docs.microsoft.com/en-us/cpp/build/exception-handling-x64?view=msvc-160
+ my $UWOP_PUSH_NONVOL = 0;
+ my $UWOP_ALLOC_LARGE = 1;
+ my $UWOP_SET_FPREG = 3;
+ my $UWOP_SAVE_XMM128 = 8;
+ my %UWOP_REG_NUMBER = (
+ rax => 0,
+ rcx => 1,
+ rdx => 2,
+ rbx => 3,
+ rsp => 4,
+ rbp => 5,
+ rsi => 6,
+ rdi => 7,
+ map(("r$_" => $_), (8 .. 15)));
+
+ $code .= <<___;
+.section .pdata
+.align 4
+ .rva .Lsetiv_seh_begin
+ .rva .Lsetiv_seh_end
+ .rva .Lsetiv_seh_info
+
+ .rva .Lghash_seh_begin
+ .rva .Lghash_seh_end
+ .rva .Lghash_seh_info
+
+ .rva .Lencrypt_seh_begin
+ .rva .Lencrypt_seh_end
+ .rva .Lencrypt_seh_info
+
+ .rva .Ldecrypt_seh_begin
+ .rva .Ldecrypt_seh_end
+ .rva .Ldecrypt_seh_info
+
+.section .xdata
+___
+
+ foreach my $func_name ("setiv", "ghash", "encrypt", "decrypt") {
+ $code .= <<___;
+.align 8
+.L${func_name}_seh_info:
+ .byte 1 # version 1, no flags
+ .byte .L${func_name}_seh_prolog_end-.L${func_name}_seh_begin
+ .byte 31 # num_slots = 1*8 + 2 + 1 + 2*10
+ # FR = rbp; Offset from RSP = $XMM_STORAGE scaled on 16
+ .byte @{[$UWOP_REG_NUMBER{rbp} | (($XMM_STORAGE / 16 ) << 4)]}
+___
+
+ # Metadata for %xmm15-%xmm6
+ # Occupy 2 slots each
+ for (my $reg_idx = 15; $reg_idx >= 6; $reg_idx--) {
+
+ # Scaled-by-16 stack offset
+ my $xmm_reg_offset = ($reg_idx - 6);
+ $code .= <<___;
+ .byte .L${func_name}_seh_save_xmm${reg_idx}-.L${func_name}_seh_begin
+ .byte @{[$UWOP_SAVE_XMM128 | (${reg_idx} << 4)]}
+ .value $xmm_reg_offset
+___
+ }
+
+ $code .= <<___;
+ # Frame pointer (occupy 1 slot)
+ .byte .L${func_name}_seh_setfp-.L${func_name}_seh_begin
+ .byte $UWOP_SET_FPREG
+
+ # Occupy 2 slots, as stack allocation < 512K, but > 128 bytes
+ .byte .L${func_name}_seh_allocstack_xmm-.L${func_name}_seh_begin
+ .byte $UWOP_ALLOC_LARGE
+ .value `($XMM_STORAGE + 8) / 8`
+___
+
+ # Metadata for GPR regs
+ # Occupy 1 slot each
+ foreach my $reg ("rsi", "rdi", "r15", "r14", "r13", "r12", "rbp", "rbx") {
+ $code .= <<___;
+ .byte .L${func_name}_seh_push_${reg}-.L${func_name}_seh_begin
+ .byte @{[$UWOP_PUSH_NONVOL | ($UWOP_REG_NUMBER{$reg} << 4)]}
+___
+ }
+ }
+}
+
+$code .= <<___;
+.data
+.align 16
+POLY: .quad 0x0000000000000001, 0xC200000000000000
+
+.align 64
+POLY2:
+ .quad 0x00000001C2000000, 0xC200000000000000
+ .quad 0x00000001C2000000, 0xC200000000000000
+ .quad 0x00000001C2000000,
0xC200000000000000 + .quad 0x00000001C2000000, 0xC200000000000000 + +.align 16 +TWOONE: .quad 0x0000000000000001, 0x0000000100000000 + +# ;;; Order of these constants should not change. +# ;;; More specifically, ALL_F should follow SHIFT_MASK, and ZERO should follow ALL_F +.align 64 +SHUF_MASK: + .quad 0x08090A0B0C0D0E0F, 0x0001020304050607 + .quad 0x08090A0B0C0D0E0F, 0x0001020304050607 + .quad 0x08090A0B0C0D0E0F, 0x0001020304050607 + .quad 0x08090A0B0C0D0E0F, 0x0001020304050607 + +.align 16 +SHIFT_MASK: + .quad 0x0706050403020100, 0x0f0e0d0c0b0a0908 + +ALL_F: + .quad 0xffffffffffffffff, 0xffffffffffffffff + +ZERO: + .quad 0x0000000000000000, 0x0000000000000000 + +.align 16 +ONE: + .quad 0x0000000000000001, 0x0000000000000000 + +.align 16 +ONEf: + .quad 0x0000000000000000, 0x0100000000000000 + +.align 64 +ddq_add_1234: + .quad 0x0000000000000001, 0x0000000000000000 + .quad 0x0000000000000002, 0x0000000000000000 + .quad 0x0000000000000003, 0x0000000000000000 + .quad 0x0000000000000004, 0x0000000000000000 + +.align 64 +ddq_add_5678: + .quad 0x0000000000000005, 0x0000000000000000 + .quad 0x0000000000000006, 0x0000000000000000 + .quad 0x0000000000000007, 0x0000000000000000 + .quad 0x0000000000000008, 0x0000000000000000 + +.align 64 +ddq_add_4444: + .quad 0x0000000000000004, 0x0000000000000000 + .quad 0x0000000000000004, 0x0000000000000000 + .quad 0x0000000000000004, 0x0000000000000000 + .quad 0x0000000000000004, 0x0000000000000000 + +.align 64 +ddq_add_8888: + .quad 0x0000000000000008, 0x0000000000000000 + .quad 0x0000000000000008, 0x0000000000000000 + .quad 0x0000000000000008, 0x0000000000000000 + .quad 0x0000000000000008, 0x0000000000000000 + +.align 64 +ddq_addbe_1234: + .quad 0x0000000000000000, 0x0100000000000000 + .quad 0x0000000000000000, 0x0200000000000000 + .quad 0x0000000000000000, 0x0300000000000000 + .quad 0x0000000000000000, 0x0400000000000000 + +.align 64 +ddq_addbe_4444: + .quad 0x0000000000000000, 0x0400000000000000 + .quad 0x0000000000000000, 
0x0400000000000000 + .quad 0x0000000000000000, 0x0400000000000000 + .quad 0x0000000000000000, 0x0400000000000000 + +.align 64 +byte_len_to_mask_table: + .value 0x0000, 0x0001, 0x0003, 0x0007 + .value 0x000f, 0x001f, 0x003f, 0x007f + .value 0x00ff, 0x01ff, 0x03ff, 0x07ff + .value 0x0fff, 0x1fff, 0x3fff, 0x7fff + .value 0xffff + +.align 64 +byte64_len_to_mask_table: + .quad 0x0000000000000000, 0x0000000000000001 + .quad 0x0000000000000003, 0x0000000000000007 + .quad 0x000000000000000f, 0x000000000000001f + .quad 0x000000000000003f, 0x000000000000007f + .quad 0x00000000000000ff, 0x00000000000001ff + .quad 0x00000000000003ff, 0x00000000000007ff + .quad 0x0000000000000fff, 0x0000000000001fff + .quad 0x0000000000003fff, 0x0000000000007fff + .quad 0x000000000000ffff, 0x000000000001ffff + .quad 0x000000000003ffff, 0x000000000007ffff + .quad 0x00000000000fffff, 0x00000000001fffff + .quad 0x00000000003fffff, 0x00000000007fffff + .quad 0x0000000000ffffff, 0x0000000001ffffff + .quad 0x0000000003ffffff, 0x0000000007ffffff + .quad 0x000000000fffffff, 0x000000001fffffff + .quad 0x000000003fffffff, 0x000000007fffffff + .quad 0x00000000ffffffff, 0x00000001ffffffff + .quad 0x00000003ffffffff, 0x00000007ffffffff + .quad 0x0000000fffffffff, 0x0000001fffffffff + .quad 0x0000003fffffffff, 0x0000007fffffffff + .quad 0x000000ffffffffff, 0x000001ffffffffff + .quad 0x000003ffffffffff, 0x000007ffffffffff + .quad 0x00000fffffffffff, 0x00001fffffffffff + .quad 0x00003fffffffffff, 0x00007fffffffffff + .quad 0x0000ffffffffffff, 0x0001ffffffffffff + .quad 0x0003ffffffffffff, 0x0007ffffffffffff + .quad 0x000fffffffffffff, 0x001fffffffffffff + .quad 0x003fffffffffffff, 0x007fffffffffffff + .quad 0x00ffffffffffffff, 0x01ffffffffffffff + .quad 0x03ffffffffffffff, 0x07ffffffffffffff + .quad 0x0fffffffffffffff, 0x1fffffffffffffff + .quad 0x3fffffffffffffff, 0x7fffffffffffffff + .quad 0xffffffffffffffff +___ + +} else { +# Fallback for old assembler +$code .= <<___; +.text +.globl 
ossl_vaes_vpclmulqdq_capable
+.type ossl_vaes_vpclmulqdq_capable,\@abi-omnipotent
+ossl_vaes_vpclmulqdq_capable:
+ xor %eax,%eax
+ ret
+.size ossl_vaes_vpclmulqdq_capable, .-ossl_vaes_vpclmulqdq_capable
+
+.globl ossl_aes_gcm_init_avx512
+.globl ossl_aes_gcm_setiv_avx512
+.globl ossl_aes_gcm_update_aad_avx512
+.globl ossl_aes_gcm_encrypt_avx512
+.globl ossl_aes_gcm_decrypt_avx512
+.globl ossl_aes_gcm_finalize_avx512
+.globl ossl_gcm_gmult_avx512
+
+.type ossl_aes_gcm_init_avx512,\@abi-omnipotent
+ossl_aes_gcm_init_avx512:
+ossl_aes_gcm_setiv_avx512:
+ossl_aes_gcm_update_aad_avx512:
+ossl_aes_gcm_encrypt_avx512:
+ossl_aes_gcm_decrypt_avx512:
+ossl_aes_gcm_finalize_avx512:
+ossl_gcm_gmult_avx512:
+ .byte 0x0f,0x0b # ud2
+ ret
+.size ossl_aes_gcm_init_avx512, .-ossl_aes_gcm_init_avx512
+___
+}
+
+$code =~ s/\`([^\`]*)\`/eval $1/gem;
+print $code;
+close STDOUT or die "error closing STDOUT: $!";
diff --git a/crypto/modes/asm/aes-gcm-ppc.pl b/crypto/modes/asm/aes-gcm-ppc.pl
new file mode 100644
index 000000000..e8a215027
--- /dev/null
+++ b/crypto/modes/asm/aes-gcm-ppc.pl
@@ -0,0 +1,1438 @@ +#! /usr/bin/env perl +# Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2021- IBM Inc. All rights reserved +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html +# +#=================================================================================== +# Written by Danny Tsen for OpenSSL Project, +# +# GHASH is based on the Karatsuba multiplication method. +# +# Xi xor X1 +# +# X1 * H^4 + X2 * H^3 + x3 * H^2 + X4 * H = +# (X1.h * H4.h + xX.l * H4.l + X1 * H4) + +# (X2.h * H3.h + X2.l * H3.l + X2 * H3) + +# (X3.h * H2.h + X3.l * H2.l + X3 * H2) + +# (X4.h * H.h + X4.l * H.l + X4 * H) +# +# Xi = v0 +# H Poly = v2 +# Hash keys = v3 - v14 +# ( H.l, H, H.h) +# ( H^2.l, H^2, H^2.h) +# ( H^3.l, H^3, H^3.h) +# ( H^4.l, H^4, H^4.h) +# +# v30 is IV +# v31 - counter 1 +# +# AES used, +# vs0 - vs14 for round keys +# v15, v16, v17, v18, v19, v20, v21, v22 for 8 blocks (encrypted) +# +# This implementation uses stitched AES-GCM approach to improve overall performance. +# AES is implemented with 8x blocks and GHASH is using 2 4x blocks. +# +# Current large block (16384 bytes) performance per second with 128 bit key -- +# +# Encrypt Decrypt +# Power10[le] (3.5GHz) 5.32G 5.26G +# +# =================================================================================== +# +# $output is the last argument if it looks like a file (it has an extension) +# $flavour is the first argument if it doesn't look like a file +$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; +$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? 
shift : undef; + +if ($flavour =~ /64/) { + $SIZE_T=8; + $LRSAVE=2*$SIZE_T; + $STU="stdu"; + $POP="ld"; + $PUSH="std"; + $UCMP="cmpld"; + $SHRI="srdi"; +} elsif ($flavour =~ /32/) { + $SIZE_T=4; + $LRSAVE=$SIZE_T; + $STU="stwu"; + $POP="lwz"; + $PUSH="stw"; + $UCMP="cmplw"; + $SHRI="srwi"; +} else { die "nonsense $flavour"; } + +$sp="r1"; +$FRAME=6*$SIZE_T+13*16; # 13*16 is for v20-v31 offload + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or +( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or +die "can't locate ppc-xlate.pl"; + +open STDOUT,"| $^X $xlate $flavour \"$output\"" + or die "can't call $xlate: $!"; + +$code=<<___; +.machine "any" +.text + +# 4x loops +# v15 - v18 - input states +# vs1 - vs9 - round keys +# +.macro Loop_aes_middle4x + xxlor 19+32, 1, 1 + xxlor 20+32, 2, 2 + xxlor 21+32, 3, 3 + xxlor 22+32, 4, 4 + + vcipher 15, 15, 19 + vcipher 16, 16, 19 + vcipher 17, 17, 19 + vcipher 18, 18, 19 + + vcipher 15, 15, 20 + vcipher 16, 16, 20 + vcipher 17, 17, 20 + vcipher 18, 18, 20 + + vcipher 15, 15, 21 + vcipher 16, 16, 21 + vcipher 17, 17, 21 + vcipher 18, 18, 21 + + vcipher 15, 15, 22 + vcipher 16, 16, 22 + vcipher 17, 17, 22 + vcipher 18, 18, 22 + + xxlor 19+32, 5, 5 + xxlor 20+32, 6, 6 + xxlor 21+32, 7, 7 + xxlor 22+32, 8, 8 + + vcipher 15, 15, 19 + vcipher 16, 16, 19 + vcipher 17, 17, 19 + vcipher 18, 18, 19 + + vcipher 15, 15, 20 + vcipher 16, 16, 20 + vcipher 17, 17, 20 + vcipher 18, 18, 20 + + vcipher 15, 15, 21 + vcipher 16, 16, 21 + vcipher 17, 17, 21 + vcipher 18, 18, 21 + + vcipher 15, 15, 22 + vcipher 16, 16, 22 + vcipher 17, 17, 22 + vcipher 18, 18, 22 + + xxlor 23+32, 9, 9 + vcipher 15, 15, 23 + vcipher 16, 16, 23 + vcipher 17, 17, 23 + vcipher 18, 18, 23 +.endm + +# 8x loops +# v15 - v22 - input states +# vs1 - vs9 - round keys +# +.macro Loop_aes_middle8x + xxlor 23+32, 1, 1 + xxlor 24+32, 2, 2 + xxlor 25+32, 3, 3 + xxlor 26+32, 4, 4 + + vcipher 15, 15, 23 + vcipher 16, 16, 23 + 
vcipher 17, 17, 23 + vcipher 18, 18, 23 + vcipher 19, 19, 23 + vcipher 20, 20, 23 + vcipher 21, 21, 23 + vcipher 22, 22, 23 + + vcipher 15, 15, 24 + vcipher 16, 16, 24 + vcipher 17, 17, 24 + vcipher 18, 18, 24 + vcipher 19, 19, 24 + vcipher 20, 20, 24 + vcipher 21, 21, 24 + vcipher 22, 22, 24 + + vcipher 15, 15, 25 + vcipher 16, 16, 25 + vcipher 17, 17, 25 + vcipher 18, 18, 25 + vcipher 19, 19, 25 + vcipher 20, 20, 25 + vcipher 21, 21, 25 + vcipher 22, 22, 25 + + vcipher 15, 15, 26 + vcipher 16, 16, 26 + vcipher 17, 17, 26 + vcipher 18, 18, 26 + vcipher 19, 19, 26 + vcipher 20, 20, 26 + vcipher 21, 21, 26 + vcipher 22, 22, 26 + + xxlor 23+32, 5, 5 + xxlor 24+32, 6, 6 + xxlor 25+32, 7, 7 + xxlor 26+32, 8, 8 + + vcipher 15, 15, 23 + vcipher 16, 16, 23 + vcipher 17, 17, 23 + vcipher 18, 18, 23 + vcipher 19, 19, 23 + vcipher 20, 20, 23 + vcipher 21, 21, 23 + vcipher 22, 22, 23 + + vcipher 15, 15, 24 + vcipher 16, 16, 24 + vcipher 17, 17, 24 + vcipher 18, 18, 24 + vcipher 19, 19, 24 + vcipher 20, 20, 24 + vcipher 21, 21, 24 + vcipher 22, 22, 24 + + vcipher 15, 15, 25 + vcipher 16, 16, 25 + vcipher 17, 17, 25 + vcipher 18, 18, 25 + vcipher 19, 19, 25 + vcipher 20, 20, 25 + vcipher 21, 21, 25 + vcipher 22, 22, 25 + + vcipher 15, 15, 26 + vcipher 16, 16, 26 + vcipher 17, 17, 26 + vcipher 18, 18, 26 + vcipher 19, 19, 26 + vcipher 20, 20, 26 + vcipher 21, 21, 26 + vcipher 22, 22, 26 + + xxlor 23+32, 9, 9 + vcipher 15, 15, 23 + vcipher 16, 16, 23 + vcipher 17, 17, 23 + vcipher 18, 18, 23 + vcipher 19, 19, 23 + vcipher 20, 20, 23 + vcipher 21, 21, 23 + vcipher 22, 22, 23 +.endm + +# +# Compute 4x hash values based on Karatsuba method. 
+# +ppc_aes_gcm_ghash: + vxor 15, 15, 0 + + xxlxor 29, 29, 29 + + vpmsumd 23, 12, 15 # H4.L * X.L + vpmsumd 24, 9, 16 + vpmsumd 25, 6, 17 + vpmsumd 26, 3, 18 + + vxor 23, 23, 24 + vxor 23, 23, 25 + vxor 23, 23, 26 # L + + vpmsumd 24, 13, 15 # H4.L * X.H + H4.H * X.L + vpmsumd 25, 10, 16 # H3.L * X1.H + H3.H * X1.L + vpmsumd 26, 7, 17 + vpmsumd 27, 4, 18 + + vxor 24, 24, 25 + vxor 24, 24, 26 + vxor 24, 24, 27 # M + + # sum hash and reduction with H Poly + vpmsumd 28, 23, 2 # reduction + + xxlor 29+32, 29, 29 + vsldoi 26, 24, 29, 8 # mL + vsldoi 29, 29, 24, 8 # mH + vxor 23, 23, 26 # mL + L + + vsldoi 23, 23, 23, 8 # swap + vxor 23, 23, 28 + + vpmsumd 24, 14, 15 # H4.H * X.H + vpmsumd 25, 11, 16 + vpmsumd 26, 8, 17 + vpmsumd 27, 5, 18 + + vxor 24, 24, 25 + vxor 24, 24, 26 + vxor 24, 24, 27 + + vxor 24, 24, 29 + + # sum hash and reduction with H Poly + vsldoi 27, 23, 23, 8 # swap + vpmsumd 23, 23, 2 + vxor 27, 27, 24 + vxor 23, 23, 27 + + xxlor 32, 23+32, 23+32 # update hash + + blr + +# +# Combine two 4x ghash +# v15 - v22 - input blocks +# +.macro ppc_aes_gcm_ghash2_4x + # first 4x hash + vxor 15, 15, 0 # Xi + X + + xxlxor 29, 29, 29 + + vpmsumd 23, 12, 15 # H4.L * X.L + vpmsumd 24, 9, 16 + vpmsumd 25, 6, 17 + vpmsumd 26, 3, 18 + + vxor 23, 23, 24 + vxor 23, 23, 25 + vxor 23, 23, 26 # L + + vpmsumd 24, 13, 15 # H4.L * X.H + H4.H * X.L + vpmsumd 25, 10, 16 # H3.L * X1.H + H3.H * X1.L + vpmsumd 26, 7, 17 + vpmsumd 27, 4, 18 + + vxor 24, 24, 25 + vxor 24, 24, 26 + + # sum hash and reduction with H Poly + vpmsumd 28, 23, 2 # reduction + + xxlor 29+32, 29, 29 + + vxor 24, 24, 27 # M + vsldoi 26, 24, 29, 8 # mL + vsldoi 29, 29, 24, 8 # mH + vxor 23, 23, 26 # mL + L + + vsldoi 23, 23, 23, 8 # swap + vxor 23, 23, 28 + + vpmsumd 24, 14, 15 # H4.H * X.H + vpmsumd 25, 11, 16 + vpmsumd 26, 8, 17 + vpmsumd 27, 5, 18 + + vxor 24, 24, 25 + vxor 24, 24, 26 + vxor 24, 24, 27 # H + + vxor 24, 24, 29 # H + mH + + # sum hash and reduction with H Poly + vsldoi 27, 23, 23, 8 # swap + 
vpmsumd 23, 23, 2 + vxor 27, 27, 24 + vxor 27, 23, 27 # 1st Xi + + # 2nd 4x hash + vpmsumd 24, 9, 20 + vpmsumd 25, 6, 21 + vpmsumd 26, 3, 22 + vxor 19, 19, 27 # Xi + X + vpmsumd 23, 12, 19 # H4.L * X.L + + vxor 23, 23, 24 + vxor 23, 23, 25 + vxor 23, 23, 26 # L + + vpmsumd 24, 13, 19 # H4.L * X.H + H4.H * X.L + vpmsumd 25, 10, 20 # H3.L * X1.H + H3.H * X1.L + vpmsumd 26, 7, 21 + vpmsumd 27, 4, 22 + + vxor 24, 24, 25 + vxor 24, 24, 26 + + # sum hash and reduction with H Poly + vpmsumd 28, 23, 2 # reduction + + xxlor 29+32, 29, 29 + + vxor 24, 24, 27 # M + vsldoi 26, 24, 29, 8 # mL + vsldoi 29, 29, 24, 8 # mH + vxor 23, 23, 26 # mL + L + + vsldoi 23, 23, 23, 8 # swap + vxor 23, 23, 28 + + vpmsumd 24, 14, 19 # H4.H * X.H + vpmsumd 25, 11, 20 + vpmsumd 26, 8, 21 + vpmsumd 27, 5, 22 + + vxor 24, 24, 25 + vxor 24, 24, 26 + vxor 24, 24, 27 # H + + vxor 24, 24, 29 # H + mH + + # sum hash and reduction with H Poly + vsldoi 27, 23, 23, 8 # swap + vpmsumd 23, 23, 2 + vxor 27, 27, 24 + vxor 23, 23, 27 + + xxlor 32, 23+32, 23+32 # update hash + +.endm + +# +# Compute update single hash +# +.macro ppc_update_hash_1x + vxor 28, 28, 0 + + vxor 19, 19, 19 + + vpmsumd 22, 3, 28 # L + vpmsumd 23, 4, 28 # M + vpmsumd 24, 5, 28 # H + + vpmsumd 27, 22, 2 # reduction + + vsldoi 25, 23, 19, 8 # mL + vsldoi 26, 19, 23, 8 # mH + vxor 22, 22, 25 # LL + LL + vxor 24, 24, 26 # HH + HH + + vsldoi 22, 22, 22, 8 # swap + vxor 22, 22, 27 + + vsldoi 20, 22, 22, 8 # swap + vpmsumd 22, 22, 2 # reduction + vxor 20, 20, 24 + vxor 22, 22, 20 + + vmr 0, 22 # update hash + +.endm + +# +# ppc_aes_gcm_encrypt (const void *inp, void *out, size_t len, +# const AES_KEY *key, unsigned char iv[16], +# void *Xip); +# +# r3 - inp +# r4 - out +# r5 - len +# r6 - AES round keys +# r7 - iv +# r8 - Xi, HPoli, hash keys +# +.global ppc_aes_gcm_encrypt +.align 5 +ppc_aes_gcm_encrypt: +_ppc_aes_gcm_encrypt: + + stdu 1,-512(1) + mflr 0 + + std 14,112(1) + std 15,120(1) + std 16,128(1) + std 17,136(1) + std 18,144(1) + std 
19,152(1) + std 20,160(1) + std 21,168(1) + li 9, 256 + stvx 20, 9, 1 + addi 9, 9, 16 + stvx 21, 9, 1 + addi 9, 9, 16 + stvx 22, 9, 1 + addi 9, 9, 16 + stvx 23, 9, 1 + addi 9, 9, 16 + stvx 24, 9, 1 + addi 9, 9, 16 + stvx 25, 9, 1 + addi 9, 9, 16 + stvx 26, 9, 1 + addi 9, 9, 16 + stvx 27, 9, 1 + addi 9, 9, 16 + stvx 28, 9, 1 + addi 9, 9, 16 + stvx 29, 9, 1 + addi 9, 9, 16 + stvx 30, 9, 1 + addi 9, 9, 16 + stvx 31, 9, 1 + std 0, 528(1) + + # Load Xi + lxvb16x 32, 0, 8 # load Xi + + # load Hash - h^4, h^3, h^2, h + li 10, 32 + lxvd2x 2+32, 10, 8 # H Poli + li 10, 48 + lxvd2x 3+32, 10, 8 # Hl + li 10, 64 + lxvd2x 4+32, 10, 8 # H + li 10, 80 + lxvd2x 5+32, 10, 8 # Hh + + li 10, 96 + lxvd2x 6+32, 10, 8 # H^2l + li 10, 112 + lxvd2x 7+32, 10, 8 # H^2 + li 10, 128 + lxvd2x 8+32, 10, 8 # H^2h + + li 10, 144 + lxvd2x 9+32, 10, 8 # H^3l + li 10, 160 + lxvd2x 10+32, 10, 8 # H^3 + li 10, 176 + lxvd2x 11+32, 10, 8 # H^3h + + li 10, 192 + lxvd2x 12+32, 10, 8 # H^4l + li 10, 208 + lxvd2x 13+32, 10, 8 # H^4 + li 10, 224 + lxvd2x 14+32, 10, 8 # H^4h + + # initialize ICB: GHASH( IV ), IV - r7 + lxvb16x 30+32, 0, 7 # load IV - v30 + + mr 12, 5 # length + li 11, 0 # block index + + # counter 1 + vxor 31, 31, 31 + vspltisb 22, 1 + vsldoi 31, 31, 22,1 # counter 1 + + # load round key to VSR + lxv 0, 0(6) + lxv 1, 0x10(6) + lxv 2, 0x20(6) + lxv 3, 0x30(6) + lxv 4, 0x40(6) + lxv 5, 0x50(6) + lxv 6, 0x60(6) + lxv 7, 0x70(6) + lxv 8, 0x80(6) + lxv 9, 0x90(6) + lxv 10, 0xa0(6) + + # load rounds - 10 (128), 12 (192), 14 (256) + lwz 9,240(6) + + # + # vxor state, state, w # addroundkey + xxlor 32+29, 0, 0 + vxor 15, 30, 29 # IV + round key - add round key 0 + + cmpdi 9, 10 + beq Loop_aes_gcm_8x + + # load 2 more round keys (v11, v12) + lxv 11, 0xb0(6) + lxv 12, 0xc0(6) + + cmpdi 9, 12 + beq Loop_aes_gcm_8x + + # load 2 more round keys (v11, v12, v13, v14) + lxv 13, 0xd0(6) + lxv 14, 0xe0(6) + cmpdi 9, 14 + beq Loop_aes_gcm_8x + + b aes_gcm_out + +.align 5 +Loop_aes_gcm_8x: + mr 14, 3 + mr 9, 4 + 
+ # n blocks + li 10, 128 + divdu 10, 5, 10 # n 128 bytes-blocks + cmpdi 10, 0 + beq Loop_last_block + + vaddudm 30, 30, 31 # IV + counter + vxor 16, 30, 29 + vaddudm 30, 30, 31 + vxor 17, 30, 29 + vaddudm 30, 30, 31 + vxor 18, 30, 29 + vaddudm 30, 30, 31 + vxor 19, 30, 29 + vaddudm 30, 30, 31 + vxor 20, 30, 29 + vaddudm 30, 30, 31 + vxor 21, 30, 29 + vaddudm 30, 30, 31 + vxor 22, 30, 29 + + mtctr 10 + + li 15, 16 + li 16, 32 + li 17, 48 + li 18, 64 + li 19, 80 + li 20, 96 + li 21, 112 + + lwz 10, 240(6) + +Loop_8x_block: + + lxvb16x 15, 0, 14 # load block + lxvb16x 16, 15, 14 # load block + lxvb16x 17, 16, 14 # load block + lxvb16x 18, 17, 14 # load block + lxvb16x 19, 18, 14 # load block + lxvb16x 20, 19, 14 # load block + lxvb16x 21, 20, 14 # load block + lxvb16x 22, 21, 14 # load block + addi 14, 14, 128 + + Loop_aes_middle8x + + xxlor 23+32, 10, 10 + + cmpdi 10, 10 + beq Do_next_ghash + + # 192 bits + xxlor 24+32, 11, 11 + + vcipher 15, 15, 23 + vcipher 16, 16, 23 + vcipher 17, 17, 23 + vcipher 18, 18, 23 + vcipher 19, 19, 23 + vcipher 20, 20, 23 + vcipher 21, 21, 23 + vcipher 22, 22, 23 + + vcipher 15, 15, 24 + vcipher 16, 16, 24 + vcipher 17, 17, 24 + vcipher 18, 18, 24 + vcipher 19, 19, 24 + vcipher 20, 20, 24 + vcipher 21, 21, 24 + vcipher 22, 22, 24 + + xxlor 23+32, 12, 12 + + cmpdi 10, 12 + beq Do_next_ghash + + # 256 bits + xxlor 24+32, 13, 13 + + vcipher 15, 15, 23 + vcipher 16, 16, 23 + vcipher 17, 17, 23 + vcipher 18, 18, 23 + vcipher 19, 19, 23 + vcipher 20, 20, 23 + vcipher 21, 21, 23 + vcipher 22, 22, 23 + + vcipher 15, 15, 24 + vcipher 16, 16, 24 + vcipher 17, 17, 24 + vcipher 18, 18, 24 + vcipher 19, 19, 24 + vcipher 20, 20, 24 + vcipher 21, 21, 24 + vcipher 22, 22, 24 + + xxlor 23+32, 14, 14 + + cmpdi 10, 14 + beq Do_next_ghash + b aes_gcm_out + +Do_next_ghash: + + # + # last round + vcipherlast 15, 15, 23 + vcipherlast 16, 16, 23 + + xxlxor 47, 47, 15 + stxvb16x 47, 0, 9 # store output + xxlxor 48, 48, 16 + stxvb16x 48, 15, 9 # store output + 
+ vcipherlast 17, 17, 23 + vcipherlast 18, 18, 23 + + xxlxor 49, 49, 17 + stxvb16x 49, 16, 9 # store output + xxlxor 50, 50, 18 + stxvb16x 50, 17, 9 # store output + + vcipherlast 19, 19, 23 + vcipherlast 20, 20, 23 + + xxlxor 51, 51, 19 + stxvb16x 51, 18, 9 # store output + xxlxor 52, 52, 20 + stxvb16x 52, 19, 9 # store output + + vcipherlast 21, 21, 23 + vcipherlast 22, 22, 23 + + xxlxor 53, 53, 21 + stxvb16x 53, 20, 9 # store output + xxlxor 54, 54, 22 + stxvb16x 54, 21, 9 # store output + + addi 9, 9, 128 + + # ghash here + ppc_aes_gcm_ghash2_4x + + xxlor 27+32, 0, 0 + vaddudm 30, 30, 31 # IV + counter + vmr 29, 30 + vxor 15, 30, 27 # add round key + vaddudm 30, 30, 31 + vxor 16, 30, 27 + vaddudm 30, 30, 31 + vxor 17, 30, 27 + vaddudm 30, 30, 31 + vxor 18, 30, 27 + vaddudm 30, 30, 31 + vxor 19, 30, 27 + vaddudm 30, 30, 31 + vxor 20, 30, 27 + vaddudm 30, 30, 31 + vxor 21, 30, 27 + vaddudm 30, 30, 31 + vxor 22, 30, 27 + + addi 12, 12, -128 + addi 11, 11, 128 + + bdnz Loop_8x_block + + vmr 30, 29 + +Loop_last_block: + cmpdi 12, 0 + beq aes_gcm_out + + # loop last few blocks + li 10, 16 + divdu 10, 12, 10 + + mtctr 10 + + lwz 10, 240(6) + + cmpdi 12, 16 + blt Final_block + +.macro Loop_aes_middle_1x + xxlor 19+32, 1, 1 + xxlor 20+32, 2, 2 + xxlor 21+32, 3, 3 + xxlor 22+32, 4, 4 + + vcipher 15, 15, 19 + vcipher 15, 15, 20 + vcipher 15, 15, 21 + vcipher 15, 15, 22 + + xxlor 19+32, 5, 5 + xxlor 20+32, 6, 6 + xxlor 21+32, 7, 7 + xxlor 22+32, 8, 8 + + vcipher 15, 15, 19 + vcipher 15, 15, 20 + vcipher 15, 15, 21 + vcipher 15, 15, 22 + + xxlor 19+32, 9, 9 + vcipher 15, 15, 19 +.endm + +Next_rem_block: + lxvb16x 15, 0, 14 # load block + + Loop_aes_middle_1x + + xxlor 23+32, 10, 10 + + cmpdi 10, 10 + beq Do_next_1x + + # 192 bits + xxlor 24+32, 11, 11 + + vcipher 15, 15, 23 + vcipher 15, 15, 24 + + xxlor 23+32, 12, 12 + + cmpdi 10, 12 + beq Do_next_1x + + # 256 bits + xxlor 24+32, 13, 13 + + vcipher 15, 15, 23 + vcipher 15, 15, 24 + + xxlor 23+32, 14, 14 + + cmpdi 10, 14 + 
beq Do_next_1x + +Do_next_1x: + vcipherlast 15, 15, 23 + + xxlxor 47, 47, 15 + stxvb16x 47, 0, 9 # store output + addi 14, 14, 16 + addi 9, 9, 16 + + vmr 28, 15 + ppc_update_hash_1x + + addi 12, 12, -16 + addi 11, 11, 16 + xxlor 19+32, 0, 0 + vaddudm 30, 30, 31 # IV + counter + vxor 15, 30, 19 # add round key + + bdnz Next_rem_block + + cmpdi 12, 0 + beq aes_gcm_out + +Final_block: + Loop_aes_middle_1x + + xxlor 23+32, 10, 10 + + cmpdi 10, 10 + beq Do_final_1x + + # 192 bits + xxlor 24+32, 11, 11 + + vcipher 15, 15, 23 + vcipher 15, 15, 24 + + xxlor 23+32, 12, 12 + + cmpdi 10, 12 + beq Do_final_1x + + # 256 bits + xxlor 24+32, 13, 13 + + vcipher 15, 15, 23 + vcipher 15, 15, 24 + + xxlor 23+32, 14, 14 + + cmpdi 10, 14 + beq Do_final_1x + +Do_final_1x: + vcipherlast 15, 15, 23 + + lxvb16x 15, 0, 14 # load last block + xxlxor 47, 47, 15 + + # create partial block mask + li 15, 16 + sub 15, 15, 12 # index to the mask + + vspltisb 16, -1 # first 16 bytes - 0xffff...ff + vspltisb 17, 0 # second 16 bytes - 0x0000...00 + li 10, 192 + stvx 16, 10, 1 + addi 10, 10, 16 + stvx 17, 10, 1 + + addi 10, 1, 192 + lxvb16x 16, 15, 10 # load partial block mask + xxland 47, 47, 16 + + vmr 28, 15 + ppc_update_hash_1x + + # * should store only the remaining bytes. 
+ bl Write_partial_block + + b aes_gcm_out + +# +# Write partial block +# r9 - output +# r12 - remaining bytes +# v15 - partial input data +# +Write_partial_block: + li 10, 192 + stxvb16x 15+32, 10, 1 # last block + + #add 10, 9, 11 # Output + addi 10, 9, -1 + addi 16, 1, 191 + + mtctr 12 # remaining bytes + li 15, 0 + +Write_last_byte: + lbzu 14, 1(16) + stbu 14, 1(10) + bdnz Write_last_byte + blr + +aes_gcm_out: + # out = state + stxvb16x 32, 0, 8 # write out Xi + add 3, 11, 12 # return count + + li 9, 256 + lvx 20, 9, 1 + addi 9, 9, 16 + lvx 21, 9, 1 + addi 9, 9, 16 + lvx 22, 9, 1 + addi 9, 9, 16 + lvx 23, 9, 1 + addi 9, 9, 16 + lvx 24, 9, 1 + addi 9, 9, 16 + lvx 25, 9, 1 + addi 9, 9, 16 + lvx 26, 9, 1 + addi 9, 9, 16 + lvx 27, 9, 1 + addi 9, 9, 16 + lvx 28, 9, 1 + addi 9, 9, 16 + lvx 29, 9, 1 + addi 9, 9, 16 + lvx 30, 9, 1 + addi 9, 9, 16 + lvx 31, 9, 1 + + ld 0, 528(1) + ld 14,112(1) + ld 15,120(1) + ld 16,128(1) + ld 17,136(1) + ld 18,144(1) + ld 19,152(1) + ld 20,160(1) + ld 21,168(1) + + mtlr 0 + addi 1, 1, 512 + blr + +# +# 8x Decrypt +# +.global ppc_aes_gcm_decrypt +.align 5 +ppc_aes_gcm_decrypt: +_ppc_aes_gcm_decrypt: + + stdu 1,-512(1) + mflr 0 + + std 14,112(1) + std 15,120(1) + std 16,128(1) + std 17,136(1) + std 18,144(1) + std 19,152(1) + std 20,160(1) + std 21,168(1) + li 9, 256 + stvx 20, 9, 1 + addi 9, 9, 16 + stvx 21, 9, 1 + addi 9, 9, 16 + stvx 22, 9, 1 + addi 9, 9, 16 + stvx 23, 9, 1 + addi 9, 9, 16 + stvx 24, 9, 1 + addi 9, 9, 16 + stvx 25, 9, 1 + addi 9, 9, 16 + stvx 26, 9, 1 + addi 9, 9, 16 + stvx 27, 9, 1 + addi 9, 9, 16 + stvx 28, 9, 1 + addi 9, 9, 16 + stvx 29, 9, 1 + addi 9, 9, 16 + stvx 30, 9, 1 + addi 9, 9, 16 + stvx 31, 9, 1 + std 0, 528(1) + + # Load Xi + lxvb16x 32, 0, 8 # load Xi + + # load Hash - h^4, h^3, h^2, h + li 10, 32 + lxvd2x 2+32, 10, 8 # H Poli + li 10, 48 + lxvd2x 3+32, 10, 8 # Hl + li 10, 64 + lxvd2x 4+32, 10, 8 # H + li 10, 80 + lxvd2x 5+32, 10, 8 # Hh + + li 10, 96 + lxvd2x 6+32, 10, 8 # H^2l + li 10, 112 + lxvd2x 
7+32, 10, 8 # H^2 + li 10, 128 + lxvd2x 8+32, 10, 8 # H^2h + + li 10, 144 + lxvd2x 9+32, 10, 8 # H^3l + li 10, 160 + lxvd2x 10+32, 10, 8 # H^3 + li 10, 176 + lxvd2x 11+32, 10, 8 # H^3h + + li 10, 192 + lxvd2x 12+32, 10, 8 # H^4l + li 10, 208 + lxvd2x 13+32, 10, 8 # H^4 + li 10, 224 + lxvd2x 14+32, 10, 8 # H^4h + + # initialize ICB: GHASH( IV ), IV - r7 + lxvb16x 30+32, 0, 7 # load IV - v30 + + mr 12, 5 # length + li 11, 0 # block index + + # counter 1 + vxor 31, 31, 31 + vspltisb 22, 1 + vsldoi 31, 31, 22,1 # counter 1 + + # load round key to VSR + lxv 0, 0(6) + lxv 1, 0x10(6) + lxv 2, 0x20(6) + lxv 3, 0x30(6) + lxv 4, 0x40(6) + lxv 5, 0x50(6) + lxv 6, 0x60(6) + lxv 7, 0x70(6) + lxv 8, 0x80(6) + lxv 9, 0x90(6) + lxv 10, 0xa0(6) + + # load rounds - 10 (128), 12 (192), 14 (256) + lwz 9,240(6) + + # + # vxor state, state, w # addroundkey + xxlor 32+29, 0, 0 + vxor 15, 30, 29 # IV + round key - add round key 0 + + cmpdi 9, 10 + beq Loop_aes_gcm_8x_dec + + # load 2 more round keys (v11, v12) + lxv 11, 0xb0(6) + lxv 12, 0xc0(6) + + cmpdi 9, 12 + beq Loop_aes_gcm_8x_dec + + # load 2 more round keys (v11, v12, v13, v14) + lxv 13, 0xd0(6) + lxv 14, 0xe0(6) + cmpdi 9, 14 + beq Loop_aes_gcm_8x_dec + + b aes_gcm_out + +.align 5 +Loop_aes_gcm_8x_dec: + mr 14, 3 + mr 9, 4 + + # n blocks + li 10, 128 + divdu 10, 5, 10 # n 128 bytes-blocks + cmpdi 10, 0 + beq Loop_last_block_dec + + vaddudm 30, 30, 31 # IV + counter + vxor 16, 30, 29 + vaddudm 30, 30, 31 + vxor 17, 30, 29 + vaddudm 30, 30, 31 + vxor 18, 30, 29 + vaddudm 30, 30, 31 + vxor 19, 30, 29 + vaddudm 30, 30, 31 + vxor 20, 30, 29 + vaddudm 30, 30, 31 + vxor 21, 30, 29 + vaddudm 30, 30, 31 + vxor 22, 30, 29 + + mtctr 10 + + li 15, 16 + li 16, 32 + li 17, 48 + li 18, 64 + li 19, 80 + li 20, 96 + li 21, 112 + + lwz 10, 240(6) + +Loop_8x_block_dec: + + lxvb16x 15, 0, 14 # load block + lxvb16x 16, 15, 14 # load block + lxvb16x 17, 16, 14 # load block + lxvb16x 18, 17, 14 # load block + lxvb16x 19, 18, 14 # load block + lxvb16x 
20, 19, 14 # load block + lxvb16x 21, 20, 14 # load block + lxvb16x 22, 21, 14 # load block + addi 14, 14, 128 + + Loop_aes_middle8x + + xxlor 23+32, 10, 10 + + cmpdi 10, 10 + beq Do_last_aes_dec + + # 192 bits + xxlor 24+32, 11, 11 + + vcipher 15, 15, 23 + vcipher 16, 16, 23 + vcipher 17, 17, 23 + vcipher 18, 18, 23 + vcipher 19, 19, 23 + vcipher 20, 20, 23 + vcipher 21, 21, 23 + vcipher 22, 22, 23 + + vcipher 15, 15, 24 + vcipher 16, 16, 24 + vcipher 17, 17, 24 + vcipher 18, 18, 24 + vcipher 19, 19, 24 + vcipher 20, 20, 24 + vcipher 21, 21, 24 + vcipher 22, 22, 24 + + xxlor 23+32, 12, 12 + + cmpdi 10, 12 + beq Do_last_aes_dec + + # 256 bits + xxlor 24+32, 13, 13 + + vcipher 15, 15, 23 + vcipher 16, 16, 23 + vcipher 17, 17, 23 + vcipher 18, 18, 23 + vcipher 19, 19, 23 + vcipher 20, 20, 23 + vcipher 21, 21, 23 + vcipher 22, 22, 23 + + vcipher 15, 15, 24 + vcipher 16, 16, 24 + vcipher 17, 17, 24 + vcipher 18, 18, 24 + vcipher 19, 19, 24 + vcipher 20, 20, 24 + vcipher 21, 21, 24 + vcipher 22, 22, 24 + + xxlor 23+32, 14, 14 + + cmpdi 10, 14 + beq Do_last_aes_dec + b aes_gcm_out + +Do_last_aes_dec: + + # + # last round + vcipherlast 15, 15, 23 + vcipherlast 16, 16, 23 + + xxlxor 47, 47, 15 + stxvb16x 47, 0, 9 # store output + xxlxor 48, 48, 16 + stxvb16x 48, 15, 9 # store output + + vcipherlast 17, 17, 23 + vcipherlast 18, 18, 23 + + xxlxor 49, 49, 17 + stxvb16x 49, 16, 9 # store output + xxlxor 50, 50, 18 + stxvb16x 50, 17, 9 # store output + + vcipherlast 19, 19, 23 + vcipherlast 20, 20, 23 + + xxlxor 51, 51, 19 + stxvb16x 51, 18, 9 # store output + xxlxor 52, 52, 20 + stxvb16x 52, 19, 9 # store output + + vcipherlast 21, 21, 23 + vcipherlast 22, 22, 23 + + xxlxor 53, 53, 21 + stxvb16x 53, 20, 9 # store output + xxlxor 54, 54, 22 + stxvb16x 54, 21, 9 # store output + + addi 9, 9, 128 + + xxlor 15+32, 15, 15 + xxlor 16+32, 16, 16 + xxlor 17+32, 17, 17 + xxlor 18+32, 18, 18 + xxlor 19+32, 19, 19 + xxlor 20+32, 20, 20 + xxlor 21+32, 21, 21 + xxlor 22+32, 22, 22 + + # 
ghash here + ppc_aes_gcm_ghash2_4x + + xxlor 27+32, 0, 0 + vaddudm 30, 30, 31 # IV + counter + vmr 29, 30 + vxor 15, 30, 27 # add round key + vaddudm 30, 30, 31 + vxor 16, 30, 27 + vaddudm 30, 30, 31 + vxor 17, 30, 27 + vaddudm 30, 30, 31 + vxor 18, 30, 27 + vaddudm 30, 30, 31 + vxor 19, 30, 27 + vaddudm 30, 30, 31 + vxor 20, 30, 27 + vaddudm 30, 30, 31 + vxor 21, 30, 27 + vaddudm 30, 30, 31 + vxor 22, 30, 27 + addi 12, 12, -128 + addi 11, 11, 128 + + bdnz Loop_8x_block_dec + + vmr 30, 29 + +Loop_last_block_dec: + cmpdi 12, 0 + beq aes_gcm_out + + # loop last few blocks + li 10, 16 + divdu 10, 12, 10 + + mtctr 10 + + lwz 10,240(6) + + cmpdi 12, 16 + blt Final_block_dec + +Next_rem_block_dec: + lxvb16x 15, 0, 14 # load block + + Loop_aes_middle_1x + + xxlor 23+32, 10, 10 + + cmpdi 10, 10 + beq Do_next_1x_dec + + # 192 bits + xxlor 24+32, 11, 11 + + vcipher 15, 15, 23 + vcipher 15, 15, 24 + + xxlor 23+32, 12, 12 + + cmpdi 10, 12 + beq Do_next_1x_dec + + # 256 bits + xxlor 24+32, 13, 13 + + vcipher 15, 15, 23 + vcipher 15, 15, 24 + + xxlor 23+32, 14, 14 + + cmpdi 10, 14 + beq Do_next_1x_dec + +Do_next_1x_dec: + vcipherlast 15, 15, 23 + + xxlxor 47, 47, 15 + stxvb16x 47, 0, 9 # store output + addi 14, 14, 16 + addi 9, 9, 16 + + xxlor 28+32, 15, 15 + ppc_update_hash_1x + + addi 12, 12, -16 + addi 11, 11, 16 + xxlor 19+32, 0, 0 + vaddudm 30, 30, 31 # IV + counter + vxor 15, 30, 19 # add round key + + bdnz Next_rem_block_dec + + cmpdi 12, 0 + beq aes_gcm_out + +Final_block_dec: + Loop_aes_middle_1x + + xxlor 23+32, 10, 10 + + cmpdi 10, 10 + beq Do_final_1x_dec + + # 192 bits + xxlor 24+32, 11, 11 + + vcipher 15, 15, 23 + vcipher 15, 15, 24 + + xxlor 23+32, 12, 12 + + cmpdi 10, 12 + beq Do_final_1x_dec + + # 256 bits + xxlor 24+32, 13, 13 + + vcipher 15, 15, 23 + vcipher 15, 15, 24 + + xxlor 23+32, 14, 14 + + cmpdi 10, 14 + beq Do_final_1x_dec + +Do_final_1x_dec: + vcipherlast 15, 15, 23 + + lxvb16x 15, 0, 14 # load block + xxlxor 47, 47, 15 + + # create partial block mask 
+ li 15, 16 + sub 15, 15, 12 # index to the mask + + vspltisb 16, -1 # first 16 bytes - 0xffff...ff + vspltisb 17, 0 # second 16 bytes - 0x0000...00 + li 10, 192 + stvx 16, 10, 1 + addi 10, 10, 16 + stvx 17, 10, 1 + + addi 10, 1, 192 + lxvb16x 16, 15, 10 # load block mask + xxland 47, 47, 16 + + xxlor 28+32, 15, 15 + ppc_update_hash_1x + + # * should store only the remaining bytes. + bl Write_partial_block + + b aes_gcm_out + + +___ + +foreach (split("\n",$code)) { + s/\`([^\`]*)\`/eval $1/geo; + + if ($flavour =~ /le$/o) { # little-endian + s/le\?//o or + s/be\?/#be#/o; + } else { + s/le\?/#le#/o or + s/be\?//o; + } + print $_,"\n"; +} + +close STDOUT or die "error closing STDOUT: $!"; # enforce flush diff --git a/crypto/modes/asm/ghash-riscv64.pl b/crypto/modes/asm/ghash-riscv64.pl new file mode 100644 index 000000000..6f2a1384d --- /dev/null +++ b/crypto/modes/asm/ghash-riscv64.pl 
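Review bot: In `Do_final_1x_dec` the block fed to GHASH is the unmasked full-width ciphertext load — `xxlor 28+32, 15, 15` copies VSR15 straight from `lxvb16x 15, 0, 14` — whereas the encrypt path in `Do_final_1x` hashes the masked block (`vmr 28, 15` after `xxland 47, 47, 16`), so for a trailing partial block whatever bytes follow the ciphertext in memory are folded into the tag and decryption of a non-multiple-of-16 length would fail authentication unless the C caller always trims `len` to a block multiple (not visible here). Masking the ciphertext copy with the same partial-block mask before hashing fixes it: insert `xxland 15, 15, 16` immediately before `xxlor 28+32, 15, 15` in the `Do_final_1x_dec` tail. Separately, both `Do_final_1x` and `Do_final_1x_dec` execute `lxvb16x 15, 0, 14` when `r12` is already below 16, reading up to 15 bytes past the end of `inp`; either bounce the tail through the scratch area at 192(r1) with a byte loop mirroring `Write_partial_block` before the vector load, or state the caller's length/padding precondition in the `ppc_aes_gcm_encrypt` header comment (`# len may be any size; the final partial block is read with a full 16-byte load, so inp must be readable up to the next 16-byte boundary`). The 32-bit `$flavour` setup (`$STU`, `$POP`, `$PUSH`, `$UCMP`, `$SHRI`, `$FRAME`) is dead code, since the body hard-codes `stdu`/`std`/`ld`/`divdu` and a 512-byte frame; dropping it or wiring it in would stop readers from assuming a ppc32 build is supported.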
@@ -0,0 +1,298 @@ +#! /usr/bin/env perl +# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# $output is the last argument if it looks like a file (it has an extension) +# $flavour is the first argument if it doesn't look like a file +$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; +$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; + +$output and open STDOUT,">$output"; + +my @regs = map("x$_",(0..31)); +my @regaliases = ('zero','ra','sp','gp','tp','t0','t1','t2','s0','s1', + map("a$_",(0..7)), + map("s$_",(2..11)), + map("t$_",(3..6)) +); + +my %reglookup; +@reglookup{@regs} = @regs; +@reglookup{@regaliases} = @regs; + +# Takes a register name, possibly an alias, and converts it to a register index +# from 0 to 31 +sub read_reg { + my $reg = lc shift; + if (!exists($reglookup{$reg})) { + die("Unknown register ".$reg); + } + my $regstr = $reglookup{$reg}; + if (!($regstr =~ /^x([0-9]+)$/)) { + die("Could not process register ".$reg); + } + return $1; +} + +sub rv64_rev8 { + # Encoding for rev8 rd, rs instruction on RV64 + # XXXXXXXXXXXXX_ rs _XXX_ rd _XXXXXXX + my $template = 0b011010111000_00000_101_00000_0010011; + my $rd = read_reg shift; + my $rs = read_reg shift; + + return ".word ".($template | ($rs << 15) | ($rd << 7)); +} + +sub rv64_clmul { + # Encoding for clmul rd, rs1, rs2 instruction on RV64 + # XXXXXXX_ rs2 _ rs1 _XXX_ rd _XXXXXXX + my $template = 0b0000101_00000_00000_001_00000_0110011; + my $rd = read_reg shift; + my $rs1 = read_reg shift; + my $rs2 = read_reg shift; + + return ".word ".($template | ($rs2 << 20) | ($rs1 << 15) | ($rd << 7)); +} + +sub rv64_clmulh { + # Encoding for clmulh rd, rs1, rs2 instruction on RV64 + # XXXXXXX_ rs2 _ rs1 _XXX_ rd 
_XXXXXXX + my $template = 0b0000101_00000_00000_011_00000_0110011; + my $rd = read_reg shift; + my $rs1 = read_reg shift; + my $rs2 = read_reg shift; + + return ".word ".($template | ($rs2 << 20) | ($rs1 << 15) | ($rd << 7)); +} + +################################################################################ +# gcm_init_clmul_rv64i_zbb_zbc(u128 Htable[16], const u64 Xi[2]) +# Initialization function for clmul-based implementation of GMULT +# This function is used in tandem with gcm_gmult_clmul_rv64i_zbb_zbc +################################################################################ +{ +my ($Haddr,$Xi,$TEMP) = ("a0","a1","a2"); + +$code .= <<___; +.text +.balign 16 +.globl gcm_init_clmul_rv64i_zbb_zbc +.type gcm_init_clmul_rv64i_zbb_zbc,\@function +# Initialize clmul-based implementation of galois field multiplication routine. +# gcm_init_clmul_rv64i_zbb_zbc(ctx->Htable, ctx->H.u) +gcm_init_clmul_rv64i_zbb_zbc: + # argument 0 = ctx->Htable (store H here) + # argument 1 = H.u[] (2x 64-bit words) [H_high64, H_low64] + + # Simply store [H_high64, H_low64] for later + ld $TEMP,0($Xi) + sd $TEMP,0($Haddr) + ld $TEMP,8($Xi) + sd $TEMP,8($Haddr) + + ret + +___ + +} + +################################################################################ +# gcm_gmult_clmul_rv64i_zbb_zbc(u64 Xi[2], const u128 Htable[16]) +# Compute GMULT (X*H mod f) using the Zbc (clmul) and Zbb (basic bit manip) +# extensions, and the Modified Barrett Reduction technique +################################################################################ +{ +my ($Xi,$Haddr,$A1,$A0,$B1,$B0,$C1,$C0,$D1,$D0,$E1,$E0,$TEMP,$TEMP2,$qp_low) = + ("a0","a1","a2","a3","a4","a5","a6","a7","t0","t1","t2","t3","t4","t5","t6"); + +$code .= <<___; +.text +.balign 16 +.globl gcm_gmult_clmul_rv64i_zbb_zbc +.type gcm_gmult_clmul_rv64i_zbb_zbc,\@function +# static void gcm_gmult_clmul_rv64i_zbb_zbc(u64 Xi[2], const u128 Htable[16]) +# Computes product of X*H mod f +gcm_gmult_clmul_rv64i_zbb_zbc: + + # Load X 
and H (H is saved previously in gcm_init_clmul_rv64i_zbb_zbc) + ld $A1,0($Xi) + ld $A0,8($Xi) + + ld $B1,0($Haddr) + ld $B0,8($Haddr) + + li $qp_low,0xe100000000000000 + + # Perform Katratsuba Multiplication to generate a 255-bit intermediate + # A = [A1:A0] + # B = [B1:B0] + # Let: + # [C1:C0] = A1*B1 + # [D1:D0] = A0*B0 + # [E1:E0] = (A0+A1)*(B0+B1) + # Then: + # A*B = [C1:C0+C1+D1+E1:D1+C0+D0+E0:D0] + + @{[rv64_rev8 $A1, $A1]} + @{[rv64_clmul $C0,$A1,$B1]} + @{[rv64_clmulh $C1,$A1,$B1]} + + @{[rv64_rev8 $A0,$A0]} + @{[rv64_clmul $D0,$A0,$B0]} + @{[rv64_clmulh $D1,$A0,$B0]} + + xor $TEMP,$A0,$A1 + xor $TEMP2,$B0,$B1 + + @{[rv64_clmul $E0,$TEMP,$TEMP2]} + @{[rv64_clmulh $E1,$TEMP,$TEMP2]} + + # 0th term is just C1 + + # Construct term 1 in E1 (E1 only appears in dword 1) + xor $E1,$E1,$D1 + xor $E1,$E1,$C1 + xor $E1,$E1,$C0 + + # Term 1 is E1 + + # Construct term 2 in E0 (E0 only appears in dword 2) + xor $E0,$E0,$D0 + xor $E0,$E0,$C0 + xor $E0,$E0,$D1 + + # Term 2 is E0 + + # final term is just D0 + + # X*H is now stored in [C1,E1,E0,D0] + + # Left-justify + slli $C1,$C1,1 + # Or in the high bit of E1 + srli $TEMP,$E1,63 + or $C1,$C1,$TEMP + + slli $E1,$E1,1 + # Or in the high bit of E0 + srli $TEMP2,$E0,63 + or $E1,$E1,$TEMP2 + + slli $E0,$E0,1 + # Or in the high bit of D0 + srli $TEMP,$D0,63 + or $E0,$E0,$TEMP + + slli $D0,$D0,1 + + # Barrett Reduction + # c = [E0, D0] + # We want the top 128 bits of the result of c*f + # We'll get this by computing the low-half (most significant 128 bits in + # the reflected domain) of clmul(c,fs)<<1 first, then + # xor in c to complete the calculation + + # AA = [AA1:AA0] = [E0,D0] = c + # BB = [BB1:BB0] = [qp_low,0] + # [CC1:CC0] = AA1*BB1 + # [DD1:DD0] = AA0*BB0 + # [EE1:EE0] = (AA0+AA1)*(BB0+BB1) + # Then: + # AA*BB = [CC1:CC0+CC1+DD1+EE1:DD1+CC0+DD0+EE0:DD0] + # We only need CC0,DD1,DD0,EE0 to compute the low 128 bits of c * qp_low +___ + +my ($CC0,$EE0,$AA1,$AA0,$BB1) = ($A0,$B1,$E0,$D0,$qp_low); + +$code .= <<___; + + 
@{[rv64_clmul $CC0,$AA1,$BB1]} + #clmul DD0,AA0,BB0 # BB0 is 0, so DD0 = 0 + #clmulh DD1,AA0,BB0 # BB0 is 0, so DD1 = 0 + xor $TEMP,$AA0,$AA1 + #xor TEMP2,BB0,BB1 # TEMP2 = BB1 = qp_low + @{[rv64_clmul $EE0,$TEMP,$BB1]} + + # Result is [N/A:N/A:DD1+CC0+DD0+EE0:DD0] + # Simplifying: [CC0+EE0:0] + xor $TEMP2,$CC0,$EE0 + # Shift left by 1 to correct for bit reflection + slli $TEMP2,$TEMP2,1 + + # xor into c = [E0,D0] + # Note that only E0 is affected + xor $E0,$E0,$TEMP2 + + # Now, q = [E0,D0] + + # The final step is to compute clmul(q,[qp_low:0])<<1 + # The leftmost 128 bits are the reduced result. + # Once again, we use Karatsuba multiplication, but many of the terms + # simplify or cancel out. + # AA = [AA1:AA0] = [E0,D0] = c + # BB = [BB1:BB0] = [qp_low,0] + # [CC1:CC0] = AA1*BB1 + # [DD1:DD0] = AA0*BB0 + # [EE1:EE0] = (AA0+AA1)*(BB0+BB1) + # Then: + # AA*BB = [CC1:CC0+CC1+DD1+EE1:DD1+CC0+DD0+EE0:DD0] + # We need CC1,CC0,DD0,DD1,EE1,EE0 to compute the leftmost 128 bits of AA*BB + +___ + +my ($AA1,$AA0,$BB1,$CC1,$CC0,$EE1,$EE0) = ($E0,$D0,$qp_low,$A0,$A1,$C0,$B0); + +$code .= <<___; + + @{[rv64_clmul $CC0,$AA1,$BB1]} + @{[rv64_clmulh $CC1,$AA1,$BB1]} + + #clmul DD0,AA0,BB0 # BB0 = 0 so DD0 = 0 + #clmulh DD1,AA0,BB0 # BB0 = 0 so DD1 = 0 + + xor $TEMP,$AA0,$AA1 + #xor TEMP2,BB0,BB1 # BB0 = 0 to TEMP2 == BB1 == qp_low + + @{[rv64_clmul $EE0,$TEMP,$BB1]} + @{[rv64_clmulh $EE1,$TEMP,$BB1]} + + # Need the DD1+CC0+DD0+EE0 term to shift its leftmost bit into the + # intermediate result. 
+ # This is just CC0+EE0, store it in TEMP + xor $TEMP,$CC0,$EE0 + + # Result is [CC1:CC0+CC1+EE1:(a single bit)]<<1 + # Combine into [CC1:CC0] + xor $CC0,$CC0,$CC1 + xor $CC0,$CC0,$EE1 + + # Shift 128-bit quantity, xor in [C1,E1] and store + slli $CC1,$CC1,1 + srli $TEMP2,$CC0,63 + or $CC1,$CC1,$TEMP2 + # xor in C1 + xor $CC1,$CC1,$C1 + @{[rv64_rev8 $CC1,$CC1]} + + slli $CC0,$CC0,1 + srli $TEMP,$TEMP,63 + or $CC0,$CC0,$TEMP + # xor in E1 + xor $CC0,$CC0,$E1 + @{[rv64_rev8 $CC0,$CC0]} + sd $CC1,0(a0) + sd $CC0,8(a0) + + ret +___ + +} + +print $code; + +close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/modes/asm/ghash-s390x.pl b/crypto/modes/asm/ghash-s390x.pl index ba9c5b4a4..9e746d55a 100644 --- a/crypto/modes/asm/ghash-s390x.pl +++ b/crypto/modes/asm/ghash-s390x.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2010-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -90,25 +90,6 @@ .align 32 gcm_gmult_4bit: ___ -$code.=<<___ if(!$softonly && 0); # hardware is slow for single block... - larl %r1,OPENSSL_s390xcap_P - lghi %r0,0 - lg %r1,S390X_KIMD+8(%r1) # load second word of kimd capabilities - # vector - tmhh %r1,0x4000 # check for function 65 - jz .Lsoft_gmult - stg %r0,16($sp) # arrange 16 bytes of zero input - stg %r0,24($sp) - lghi %r0,S390X_GHASH # function 65 - la %r1,0($Xi) # H lies right after Xi in gcm128_context - la $inp,16($sp) - lghi $len,16 - .long 0xb93e0004 # kimd %r0,$inp - brc 1,.-4 # pay attention to "partial completion" - br %r14 -.align 32 -.Lsoft_gmult: -___ $code.=<<___; stm${g} %r6,%r14,6*$SIZE_T($sp) 
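Review bot: The two final stores in gcm_gmult_clmul_rv64i_zbb_zbc address the output through the raw register, `sd $CC1,0(a0)` and `sd $CC0,8(a0)`, while every load from the same argument uses the `$Xi` alias bound to a0 a few lines earlier; writing them as `sd $CC1,0($Xi)` / `sd $CC0,8($Xi)` keeps the register allocation in one place and cannot silently diverge if the alias is ever remapped. Because rev8/clmul/clmulh are emitted as hand-encoded `.word` values, the assembler will never reject this code on a toolchain without Zbb/Zbc, so hardware lacking those extensions hits an illegal instruction at runtime; the only protection is the capability dispatch in gcm128.c, which is outside this hunk, so a header comment such as `# Requires the Zbb (rev8) and Zbc (clmul/clmulh) extensions; callers must check CPU capabilities before dispatching here` would make that contract explicit. On the positive side the multiply is table-free, so unlike the 4-bit fallback it performs no key- or data-dependent memory access. `Katratsuba` in the comment should read `Karatsuba`.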
@@ -132,10 +113,21 @@ # vector tmhh %r0,0x4000 # check for function 65 jz .Lsoft_ghash + # Do not assume this function is called from a gcm128_context. + # This is not true, e.g., for AES-GCM-SIV. + # Parameter Block: + # Chaining Value (XI) 128byte + # Key (Htable[8]) 128byte + lmg %r0,%r1,0($Xi) + stmg %r0,%r1,8($sp) + lmg %r0,%r1,8*16($Htbl) + stmg %r0,%r1,24($sp) + la %r1,8($sp) lghi %r0,S390X_GHASH # function 65 - la %r1,0($Xi) # H lies right after Xi in gcm128_context .long 0xb93e0004 # kimd %r0,$inp brc 1,.-4 # pay attention to "partial completion" + lmg %r0,%r1,8($sp) + stmg %r0,%r1,0($Xi) br %r14 .align 32 .Lsoft_ghash: diff --git a/crypto/modes/asm/ghashv8-armx.pl b/crypto/modes/asm/ghashv8-armx.pl index b1d35d25b..6d26ab0fd 100644 --- a/crypto/modes/asm/ghashv8-armx.pl +++ b/crypto/modes/asm/ghashv8-armx.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -107,6 +107,11 @@ .type gcm_init_v8,%function .align 4 gcm_init_v8: +___ +$code.=<<___ if ($flavour =~ /64/); + AARCH64_VALID_CALL_TARGET +___ +$code.=<<___; vld1.64 {$t1},[x1] @ load input H vmov.i8 $xC2,#0xe1 vshl.i64 $xC2,$xC2,#57 @ 0xc2.0 @@ -153,6 +158,7 @@ ___ if ($flavour =~ /64/) { my ($t3,$Yl,$Ym,$Yh) = map("q$_",(4..7)); +my ($H3,$H34k,$H4,$H5,$H56k,$H6,$H7,$H78k,$H8) = map("q$_",(15..23)); $code.=<<___; @ calculate H^3 and H^4 
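Review bot: The hardware GHASH path now copies the hash subkey (`lmg %r0,%r1,8*16($Htbl)` / `stmg %r0,%r1,24($sp)`) and the running Xi into a stack parameter block and returns with both still sitting there; if this file follows the project's practice of scrubbing key material from scratch stack, a single `xc 8(32,$sp),8($sp)` between the final `stmg %r0,%r1,0($Xi)` and `br %r14` clears the 32-byte block. The new comment explains why the old `la %r1,0($Xi)` assumption failed for AES-GCM-SIV, but correctness of the new code now rests on Htable[8] holding H, a layout established by the init routine outside this hunk; extending the comment with `# Htable[8] holds H as written at init time; keep the two in sync` would protect that invariant. The parameter block occupies 8($sp)..39($sp) inside the caller-provided save area, whereas the soft path below saves registers from 6*$SIZE_T($sp) onward; a note confirming that this lower region is usable scratch under the s390x ABI would save the next reader the same check.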
@@ -187,15 +193,103 @@ vpmull.p64 $Yl,$Yl,$xC2 veor $t2,$t2,$Xh veor $t3,$t3,$Yh - veor $H, $Xl,$t2 @ H^3 - veor $H2,$Yl,$t3 @ H^4 + veor $H3, $Xl,$t2 @ H^3 + veor $H4,$Yl,$t3 @ H^4 + + vext.8 $t0,$H3, $H3,#8 @ Karatsuba pre-processing + vext.8 $t1,$H4,$H4,#8 + vext.8 $t2,$H2,$H2,#8 + veor $t0,$t0,$H3 + veor $t1,$t1,$H4 + veor $t2,$t2,$H2 + vext.8 $H34k,$t0,$t1,#8 @ pack Karatsuba pre-processed + vst1.64 {$H3-$H4},[x0],#48 @ store Htable[3..5] + + @ calculate H^5 and H^6 + vpmull.p64 $Xl,$H2, $H3 + vpmull.p64 $Yl,$H3,$H3 + vpmull2.p64 $Xh,$H2, $H3 + vpmull2.p64 $Yh,$H3,$H3 + vpmull.p64 $Xm,$t0,$t2 + vpmull.p64 $Ym,$t0,$t0 - vext.8 $t0,$H, $H,#8 @ Karatsuba pre-processing - vext.8 $t1,$H2,$H2,#8 - veor $t0,$t0,$H - veor $t1,$t1,$H2 - vext.8 $Hhl,$t0,$t1,#8 @ pack Karatsuba pre-processed - vst1.64 {$H-$H2},[x0] @ store Htable[3..5] + vext.8 $t0,$Xl,$Xh,#8 @ Karatsuba post-processing + vext.8 $t1,$Yl,$Yh,#8 + veor $t2,$Xl,$Xh + veor $Xm,$Xm,$t0 + veor $t3,$Yl,$Yh + veor $Ym,$Ym,$t1 + veor $Xm,$Xm,$t2 + vpmull.p64 $t2,$Xl,$xC2 @ 1st phase + veor $Ym,$Ym,$t3 + vpmull.p64 $t3,$Yl,$xC2 + + vmov $Xh#lo,$Xm#hi @ Xh|Xm - 256-bit result + vmov $Yh#lo,$Ym#hi + vmov $Xm#hi,$Xl#lo @ Xm is rotated Xl + vmov $Ym#hi,$Yl#lo + veor $Xl,$Xm,$t2 + veor $Yl,$Ym,$t3 + + vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase + vext.8 $t3,$Yl,$Yl,#8 + vpmull.p64 $Xl,$Xl,$xC2 + vpmull.p64 $Yl,$Yl,$xC2 + veor $t2,$t2,$Xh + veor $t3,$t3,$Yh + veor $H5,$Xl,$t2 @ H^5 + veor $H6,$Yl,$t3 @ H^6 + + vext.8 $t0,$H5, $H5,#8 @ Karatsuba pre-processing + vext.8 $t1,$H6,$H6,#8 + vext.8 $t2,$H2,$H2,#8 + veor $t0,$t0,$H5 + veor $t1,$t1,$H6 + veor $t2,$t2,$H2 + vext.8 $H56k,$t0,$t1,#8 @ pack Karatsuba pre-processed + vst1.64 {$H5-$H6},[x0],#48 @ store Htable[6..8] + + @ calculate H^7 and H^8 + vpmull.p64 $Xl,$H2,$H5 + vpmull.p64 $Yl,$H2,$H6 + vpmull2.p64 $Xh,$H2,$H5 + vpmull2.p64 $Yh,$H2,$H6 + vpmull.p64 $Xm,$t0,$t2 + vpmull.p64 $Ym,$t1,$t2 + + vext.8 $t0,$Xl,$Xh,#8 @ Karatsuba post-processing + vext.8 $t1,$Yl,$Yh,#8 + veor 
$t2,$Xl,$Xh + veor $Xm,$Xm,$t0 + veor $t3,$Yl,$Yh + veor $Ym,$Ym,$t1 + veor $Xm,$Xm,$t2 + vpmull.p64 $t2,$Xl,$xC2 @ 1st phase + veor $Ym,$Ym,$t3 + vpmull.p64 $t3,$Yl,$xC2 + + vmov $Xh#lo,$Xm#hi @ Xh|Xm - 256-bit result + vmov $Yh#lo,$Ym#hi + vmov $Xm#hi,$Xl#lo @ Xm is rotated Xl + vmov $Ym#hi,$Yl#lo + veor $Xl,$Xm,$t2 + veor $Yl,$Ym,$t3 + + vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase + vext.8 $t3,$Yl,$Yl,#8 + vpmull.p64 $Xl,$Xl,$xC2 + vpmull.p64 $Yl,$Yl,$xC2 + veor $t2,$t2,$Xh + veor $t3,$t3,$Yh + veor $H7,$Xl,$t2 @ H^7 + veor $H8,$Yl,$t3 @ H^8 + + vext.8 $t0,$H7,$H7,#8 @ Karatsuba pre-processing + vext.8 $t1,$H8,$H8,#8 + veor $t0,$t0,$H7 + veor $t1,$t1,$H8 + vext.8 $H78k,$t0,$t1,#8 @ pack Karatsuba pre-processed + vst1.64 {$H7-$H8},[x0] @ store Htable[9..11] ___ } $code.=<<___; @@ -214,6 +308,11 @@ .type gcm_gmult_v8,%function .align 4 gcm_gmult_v8: +___ +$code.=<<___ if ($flavour =~ /64/); + AARCH64_VALID_CALL_TARGET +___ +$code.=<<___; vld1.64 {$t1},[$Xi] @ load Xi vmov.i8 $xC2,#0xe1 vld1.64 {$H-$Hhl},[$Htbl] @ load twisted H, ... @@ -268,6 +367,7 @@ gcm_ghash_v8: ___ $code.=<<___ if ($flavour =~ /64/); + AARCH64_VALID_CALL_TARGET cmp $len,#64 b.hs .Lgcm_ghash_v8_4x ___ @@ -744,6 +844,9 @@ s/\.[uisp]?64//o and s/\.16b/\.2d/go; s/\.[42]([sd])\[([0-3])\]/\.$1\[$2\]/o; + # Switch preprocessor checks to aarch64 versions. + s/__ARME([BL])__/__AARCH64E$1__/go; + print $_,"\n"; } } else { ######## 32-bit code diff --git a/crypto/modes/build.info b/crypto/modes/build.info index f3558fa1a..e926e4030 100644 --- a/crypto/modes/build.info +++ b/crypto/modes/build.info @@ -4,7 +4,7 @@ $MODESASM= IF[{- !$disabled{asm} -}] $MODESASM_x86=ghash-x86.S $MODESDEF_x86=GHASH_ASM - $MODESASM_x86_64=ghash-x86_64.s aesni-gcm-x86_64.s + $MODESASM_x86_64=ghash-x86_64.s aesni-gcm-x86_64.s aes-gcm-avx512.s $MODESDEF_x86_64=GHASH_ASM # ghash-ia64.s doesn't work on VMS 
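Review bot: The new aliases place H^3 in q15 (`$H3`), which under AAPCS64 is the last of the v8–v15 registers whose low 64 bits a callee must preserve; gcm_init_v8's prologue and epilogue are outside this hunk, so I cannot tell whether d15 is saved and restored or whether the file documents the clobber as acceptable — please confirm before relying on the new powers. The table layout produced here — presumably Htable[0..2] from the pre-existing code, then [3..5] = H^3, H34k, H^4, [6..8] = H^5, H56k, H^6 and [9..11] = H^7, H78k, H^8 — is only recoverable from the `@ store Htable[..]` asides; a block comment ahead of the 64-bit section stating that consumers need a 12-entry table (the `u128 Htable[16]` prototypes leave room) would protect callers such as the aes-gcm-armv8-unroll8_64.S added to build.info in this diff, if that code consumes this table. The post-index `[x0],#48` stores also assume `$H3..$H4`, `$H5..$H6` and `$H7..$H8` each name three consecutive q registers with the packed Karatsuba value in the middle; that dependency on the `map("q$_",(15..23))` ordering deserves a one-line comment where the aliases are declared.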
@@ -24,7 +24,7 @@ IF[{- !$disabled{asm} -}] $MODESASM_armv4=ghash-armv4.S ghashv8-armx.S $MODESDEF_armv4=GHASH_ASM - $MODESASM_aarch64=ghashv8-armx.S aes-gcm-armv8_64.S + $MODESASM_aarch64=ghashv8-armx.S aes-gcm-armv8_64.S aes-gcm-armv8-unroll8_64.S $MODESDEF_aarch64= $MODESASM_parisc11=ghash-parisc.s @@ -33,6 +33,9 @@ IF[{- !$disabled{asm} -}] $MODESDEF_parisc20_64=$MODESDEF_parisc11 $MODESASM_ppc32=ghashp8-ppc.s + IF[{- $target{sys_id} ne "AIX" -}] + $MODESASM_ppc32=ghashp8-ppc.s aes-gcm-ppc.s + ENDIF $MODESDEF_ppc32= $MODESASM_ppc64=$MODESASM_ppc32 $MODESDEF_ppc64=$MODESDEF_ppc32 @@ -40,6 +43,9 @@ IF[{- !$disabled{asm} -}] $MODESASM_c64xplus=ghash-c64xplus.s $MODESDEF_c64xplus=GHASH_ASM + $MODESASM_riscv64=ghash-riscv64.s + $MODESDEF_riscv64=GHASH_ASM + # Now that we have defined all the arch specific variables, use the # appropriate one, and define the appropriate macros IF[$MODESASM_{- $target{asm_arch} -}] @@ -66,17 +72,22 @@ GENERATE[ghash-ia64.s]=asm/ghash-ia64.pl GENERATE[ghash-x86.S]=asm/ghash-x86.pl GENERATE[ghash-x86_64.s]=asm/ghash-x86_64.pl GENERATE[aesni-gcm-x86_64.s]=asm/aesni-gcm-x86_64.pl +GENERATE[aes-gcm-avx512.s]=asm/aes-gcm-avx512.pl GENERATE[ghash-sparcv9.S]=asm/ghash-sparcv9.pl INCLUDE[ghash-sparcv9.o]=.. GENERATE[ghash-alpha.S]=asm/ghash-alpha.pl GENERATE[ghash-parisc.s]=asm/ghash-parisc.pl GENERATE[ghashp8-ppc.s]=asm/ghashp8-ppc.pl +GENERATE[aes-gcm-ppc.s]=asm/aes-gcm-ppc.pl GENERATE[ghash-armv4.S]=asm/ghash-armv4.pl INCLUDE[ghash-armv4.o]=.. GENERATE[ghashv8-armx.S]=asm/ghashv8-armx.pl INCLUDE[ghashv8-armx.o]=.. GENERATE[aes-gcm-armv8_64.S]=asm/aes-gcm-armv8_64.pl INCLUDE[aes-gcm-armv8_64.o]=.. +GENERATE[aes-gcm-armv8-unroll8_64.S]=asm/aes-gcm-armv8-unroll8_64.pl +INCLUDE[aes-gcm-armv8-unroll8_64.o]=.. GENERATE[ghash-s390x.S]=asm/ghash-s390x.pl INCLUDE[ghash-s390x.o]=.. GENERATE[ghash-c64xplus.S]=asm/ghash-c64xplus.pl +GENERATE[ghash-riscv64.s]=asm/ghash-riscv64.pl 
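Review bot: `$MODESASM_ppc32` is set to `ghashp8-ppc.s` and then immediately reassigned inside `IF[{- $target{sys_id} ne "AIX" -}]`, so the non-AIX value wins only because the second assignment comes last; an explicit `IF[...] ... ELSE $MODESASM_ppc32=ghashp8-ppc.s ENDIF` states the two cases directly. The hunk gives no reason for excluding aes-gcm-ppc.s on AIX; a one-line comment naming the cause (assembler syntax, ABI, test status — I cannot tell which from here) would stop someone from "fixing" the exception later. Since `$MODESASM_ppc64=$MODESASM_ppc32` on the following line inherits the result, the AIX exclusion applies to 64-bit builds as well, which that comment should say.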
diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c index e7e719fc0..39994eeb9 100644 --- a/crypto/modes/gcm128.c +++ b/crypto/modes/gcm128.c @@ -1,5 +1,5 @@ /* - * Copyright 2010-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2010-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -27,6 +27,11 @@ typedef size_t size_t_aX; # define PUTU32(p,v) *(u32 *)(p) = BSWAP4(v) #endif +/* RISC-V uses C implementation of gmult as a fallback. */ +#if defined(__riscv) +# define INCLUDE_C_GMULT_4BIT +#endif + #define PACK(s) ((size_t)(s)<<(sizeof(size_t)*8-16)) #define REDUCE1BIT(V) do { \ if (sizeof(size_t)==8) { \ @@ -42,6 +47,9 @@ typedef size_t size_t_aX; } while(0) /*- + * + * NOTE: TABLE_BITS and all non-4bit implmentations have been removed in 3.1. + * * Even though permitted values for TABLE_BITS are 8, 4 and 1, it should * never be set to 8. 8 is effectively reserved for testing purposes. * TABLE_BITS>1 are lookup-table-driven implementations referred to as 
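Review bot: `#if defined(__riscv)` in the new INCLUDE_C_GMULT_4BIT guard also matches 32-bit RISC-V, while the assembly it provides a fallback for is only built for riscv64 (build.info in this diff defines `$MODESDEF_riscv64=GHASH_ASM` and nothing for riscv32) and the arch block later in this file uses `defined(__riscv) && __riscv_xlen == 64`; aligning the guard to `#if defined(__riscv) && __riscv_xlen == 64` keeps the two conditions in step. On RV32 the mismatch appears harmless today because GHASH_ASM is not defined there and gcm_gmult_4bit is compiled anyway, so this is consistency rather than a bug.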
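Review bot: The added NOTE says TABLE_BITS and all non-4-bit implementations are gone, but the sentences that follow it in the same comment still describe 8, 4 and 1 as permitted values and warn against 8, which now documents a knob that no longer exists; either trim that text or reword the NOTE to `NOTE: TABLE_BITS and all non-4bit implementations have been removed in 3.1; the discussion below is kept for historical background only.` `implmentations` is also misspelled.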
@@ -75,150 +83,8 @@ typedef size_t size_t_aX; * * Value of 1 is not appropriate for performance reasons. */ -#if TABLE_BITS==8 - -static void gcm_init_8bit(u128 Htable[256], u64 H[2]) -{ - int i, j; - u128 V; - - Htable[0].hi = 0; - Htable[0].lo = 0; - V.hi = H[0]; - V.lo = H[1]; - - for (Htable[128] = V, i = 64; i > 0; i >>= 1) { - REDUCE1BIT(V); - Htable[i] = V; - } - - for (i = 2; i < 256; i <<= 1) { - u128 *Hi = Htable + i, H0 = *Hi; - for (j = 1; j < i; ++j) { - Hi[j].hi = H0.hi ^ Htable[j].hi; - Hi[j].lo = H0.lo ^ Htable[j].lo; - } - } -} - -static void gcm_gmult_8bit(u64 Xi[2], const u128 Htable[256]) -{ - u128 Z = { 0, 0 }; - const u8 *xi = (const u8 *)Xi + 15; - size_t rem, n = *xi; - DECLARE_IS_ENDIAN; - static const size_t rem_8bit[256] = { - PACK(0x0000), PACK(0x01C2), PACK(0x0384), PACK(0x0246), - PACK(0x0708), PACK(0x06CA), PACK(0x048C), PACK(0x054E), - PACK(0x0E10), PACK(0x0FD2), PACK(0x0D94), PACK(0x0C56), - PACK(0x0918), PACK(0x08DA), PACK(0x0A9C), PACK(0x0B5E), - PACK(0x1C20), PACK(0x1DE2), PACK(0x1FA4), PACK(0x1E66), - PACK(0x1B28), PACK(0x1AEA), PACK(0x18AC), PACK(0x196E), - PACK(0x1230), PACK(0x13F2), PACK(0x11B4), PACK(0x1076), - PACK(0x1538), PACK(0x14FA), PACK(0x16BC), PACK(0x177E), - PACK(0x3840), PACK(0x3982), PACK(0x3BC4), PACK(0x3A06), - PACK(0x3F48), PACK(0x3E8A), PACK(0x3CCC), PACK(0x3D0E), - PACK(0x3650), PACK(0x3792), PACK(0x35D4), PACK(0x3416), - PACK(0x3158), PACK(0x309A), PACK(0x32DC), PACK(0x331E), - PACK(0x2460), PACK(0x25A2), PACK(0x27E4), PACK(0x2626), - PACK(0x2368), PACK(0x22AA), PACK(0x20EC), PACK(0x212E), - PACK(0x2A70), PACK(0x2BB2), PACK(0x29F4), PACK(0x2836), - PACK(0x2D78), PACK(0x2CBA), PACK(0x2EFC), PACK(0x2F3E), - PACK(0x7080), PACK(0x7142), PACK(0x7304), PACK(0x72C6), - PACK(0x7788), PACK(0x764A), PACK(0x740C), PACK(0x75CE), - PACK(0x7E90), PACK(0x7F52), PACK(0x7D14), PACK(0x7CD6), - PACK(0x7998), PACK(0x785A), PACK(0x7A1C), PACK(0x7BDE), - PACK(0x6CA0), PACK(0x6D62), PACK(0x6F24), PACK(0x6EE6), - PACK(0x6BA8), 
PACK(0x6A6A), PACK(0x682C), PACK(0x69EE), - PACK(0x62B0), PACK(0x6372), PACK(0x6134), PACK(0x60F6), - PACK(0x65B8), PACK(0x647A), PACK(0x663C), PACK(0x67FE), - PACK(0x48C0), PACK(0x4902), PACK(0x4B44), PACK(0x4A86), - PACK(0x4FC8), PACK(0x4E0A), PACK(0x4C4C), PACK(0x4D8E), - PACK(0x46D0), PACK(0x4712), PACK(0x4554), PACK(0x4496), - PACK(0x41D8), PACK(0x401A), PACK(0x425C), PACK(0x439E), - PACK(0x54E0), PACK(0x5522), PACK(0x5764), PACK(0x56A6), - PACK(0x53E8), PACK(0x522A), PACK(0x506C), PACK(0x51AE), - PACK(0x5AF0), PACK(0x5B32), PACK(0x5974), PACK(0x58B6), - PACK(0x5DF8), PACK(0x5C3A), PACK(0x5E7C), PACK(0x5FBE), - PACK(0xE100), PACK(0xE0C2), PACK(0xE284), PACK(0xE346), - PACK(0xE608), PACK(0xE7CA), PACK(0xE58C), PACK(0xE44E), - PACK(0xEF10), PACK(0xEED2), PACK(0xEC94), PACK(0xED56), - PACK(0xE818), PACK(0xE9DA), PACK(0xEB9C), PACK(0xEA5E), - PACK(0xFD20), PACK(0xFCE2), PACK(0xFEA4), PACK(0xFF66), - PACK(0xFA28), PACK(0xFBEA), PACK(0xF9AC), PACK(0xF86E), - PACK(0xF330), PACK(0xF2F2), PACK(0xF0B4), PACK(0xF176), - PACK(0xF438), PACK(0xF5FA), PACK(0xF7BC), PACK(0xF67E), - PACK(0xD940), PACK(0xD882), PACK(0xDAC4), PACK(0xDB06), - PACK(0xDE48), PACK(0xDF8A), PACK(0xDDCC), PACK(0xDC0E), - PACK(0xD750), PACK(0xD692), PACK(0xD4D4), PACK(0xD516), - PACK(0xD058), PACK(0xD19A), PACK(0xD3DC), PACK(0xD21E), - PACK(0xC560), PACK(0xC4A2), PACK(0xC6E4), PACK(0xC726), - PACK(0xC268), PACK(0xC3AA), PACK(0xC1EC), PACK(0xC02E), - PACK(0xCB70), PACK(0xCAB2), PACK(0xC8F4), PACK(0xC936), - PACK(0xCC78), PACK(0xCDBA), PACK(0xCFFC), PACK(0xCE3E), - PACK(0x9180), PACK(0x9042), PACK(0x9204), PACK(0x93C6), - PACK(0x9688), PACK(0x974A), PACK(0x950C), PACK(0x94CE), - PACK(0x9F90), PACK(0x9E52), PACK(0x9C14), PACK(0x9DD6), - PACK(0x9898), PACK(0x995A), PACK(0x9B1C), PACK(0x9ADE), - PACK(0x8DA0), PACK(0x8C62), PACK(0x8E24), PACK(0x8FE6), - PACK(0x8AA8), PACK(0x8B6A), PACK(0x892C), PACK(0x88EE), - PACK(0x83B0), PACK(0x8272), PACK(0x8034), PACK(0x81F6), - PACK(0x84B8), PACK(0x857A), PACK(0x873C), 
PACK(0x86FE), - PACK(0xA9C0), PACK(0xA802), PACK(0xAA44), PACK(0xAB86), - PACK(0xAEC8), PACK(0xAF0A), PACK(0xAD4C), PACK(0xAC8E), - PACK(0xA7D0), PACK(0xA612), PACK(0xA454), PACK(0xA596), - PACK(0xA0D8), PACK(0xA11A), PACK(0xA35C), PACK(0xA29E), - PACK(0xB5E0), PACK(0xB422), PACK(0xB664), PACK(0xB7A6), - PACK(0xB2E8), PACK(0xB32A), PACK(0xB16C), PACK(0xB0AE), - PACK(0xBBF0), PACK(0xBA32), PACK(0xB874), PACK(0xB9B6), - PACK(0xBCF8), PACK(0xBD3A), PACK(0xBF7C), PACK(0xBEBE) - }; - - while (1) { - Z.hi ^= Htable[n].hi; - Z.lo ^= Htable[n].lo; - - if ((u8 *)Xi == xi) - break; - - n = *(--xi); - - rem = (size_t)Z.lo & 0xff; - Z.lo = (Z.hi << 56) | (Z.lo >> 8); - Z.hi = (Z.hi >> 8); - if (sizeof(size_t) == 8) - Z.hi ^= rem_8bit[rem]; - else - Z.hi ^= (u64)rem_8bit[rem] << 32; - } - if (IS_LITTLE_ENDIAN) { -# ifdef BSWAP8 - Xi[0] = BSWAP8(Z.hi); - Xi[1] = BSWAP8(Z.lo); -# else - u8 *p = (u8 *)Xi; - u32 v; - v = (u32)(Z.hi >> 32); - PUTU32(p, v); - v = (u32)(Z.hi); - PUTU32(p + 4, v); - v = (u32)(Z.lo >> 32); - PUTU32(p + 8, v); - v = (u32)(Z.lo); - PUTU32(p + 12, v); -# endif - } else { - Xi[0] = Z.hi; - Xi[1] = Z.lo; - } -} - -# define GCM_MUL(ctx) gcm_gmult_8bit(ctx->Xi.u,ctx->Htable) - -#elif TABLE_BITS==4 - -static void gcm_init_4bit(u128 Htable[16], u64 H[2]) +static void gcm_init_4bit(u128 Htable[16], const u64 H[2]) { u128 V; # if defined(OPENSSL_SMALL_FOOTPRINT) @@ -289,7 +155,7 @@ static void gcm_init_4bit(u128 Htable[16], u64 H[2]) # endif } -# ifndef GHASH_ASM +# if !defined(GHASH_ASM) || defined(INCLUDE_C_GMULT_4BIT) static const size_t rem_4bit[16] = { PACK(0x0000), PACK(0x1C20), PACK(0x3840), PACK(0x2460), PACK(0x7080), PACK(0x6CA0), PACK(0x48C0), PACK(0x54E0), @@ -364,6 +230,9 @@ static void gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16]) } } +# endif + +# if !defined(GHASH_ASM) # if !defined(OPENSSL_SMALL_FOOTPRINT) /* * Streamed gcm_mult_4bit, see CRYPTO_gcm128_[en|de]crypt for 
@@ -380,7 +249,6 @@ static void gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16], size_t rem, nlo, nhi; DECLARE_IS_ENDIAN; -# if 1 do { cnt = 15; nlo = ((const u8 *)Xi)[15]; 
@@ -422,100 +290,6 @@ static void gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16], Z.hi ^= Htable[nlo].hi; Z.lo ^= Htable[nlo].lo; } -# else - /* - * Extra 256+16 bytes per-key plus 512 bytes shared tables - * [should] give ~50% improvement... One could have PACK()-ed - * the rem_8bit even here, but the priority is to minimize - * cache footprint... - */ - u128 Hshr4[16]; /* Htable shifted right by 4 bits */ - u8 Hshl4[16]; /* Htable shifted left by 4 bits */ - static const unsigned short rem_8bit[256] = { - 0x0000, 0x01C2, 0x0384, 0x0246, 0x0708, 0x06CA, 0x048C, 0x054E, - 0x0E10, 0x0FD2, 0x0D94, 0x0C56, 0x0918, 0x08DA, 0x0A9C, 0x0B5E, - 0x1C20, 0x1DE2, 0x1FA4, 0x1E66, 0x1B28, 0x1AEA, 0x18AC, 0x196E, - 0x1230, 0x13F2, 0x11B4, 0x1076, 0x1538, 0x14FA, 0x16BC, 0x177E, - 0x3840, 0x3982, 0x3BC4, 0x3A06, 0x3F48, 0x3E8A, 0x3CCC, 0x3D0E, - 0x3650, 0x3792, 0x35D4, 0x3416, 0x3158, 0x309A, 0x32DC, 0x331E, - 0x2460, 0x25A2, 0x27E4, 0x2626, 0x2368, 0x22AA, 0x20EC, 0x212E, - 0x2A70, 0x2BB2, 0x29F4, 0x2836, 0x2D78, 0x2CBA, 0x2EFC, 0x2F3E, - 0x7080, 0x7142, 0x7304, 0x72C6, 0x7788, 0x764A, 0x740C, 0x75CE, - 0x7E90, 0x7F52, 0x7D14, 0x7CD6, 0x7998, 0x785A, 0x7A1C, 0x7BDE, - 0x6CA0, 0x6D62, 0x6F24, 0x6EE6, 0x6BA8, 0x6A6A, 0x682C, 0x69EE, - 0x62B0, 0x6372, 0x6134, 0x60F6, 0x65B8, 0x647A, 0x663C, 0x67FE, - 0x48C0, 0x4902, 0x4B44, 0x4A86, 0x4FC8, 0x4E0A, 0x4C4C, 0x4D8E, - 0x46D0, 0x4712, 0x4554, 0x4496, 0x41D8, 0x401A, 0x425C, 0x439E, - 0x54E0, 0x5522, 0x5764, 0x56A6, 0x53E8, 0x522A, 0x506C, 0x51AE, - 0x5AF0, 0x5B32, 0x5974, 0x58B6, 0x5DF8, 0x5C3A, 0x5E7C, 0x5FBE, - 0xE100, 0xE0C2, 0xE284, 0xE346, 0xE608, 0xE7CA, 0xE58C, 0xE44E, - 0xEF10, 0xEED2, 0xEC94, 0xED56, 0xE818, 0xE9DA, 0xEB9C, 0xEA5E, - 0xFD20, 0xFCE2, 0xFEA4, 0xFF66, 0xFA28, 0xFBEA, 0xF9AC, 0xF86E, - 0xF330, 0xF2F2, 0xF0B4, 0xF176, 0xF438, 0xF5FA, 0xF7BC, 0xF67E, - 0xD940, 0xD882, 0xDAC4, 0xDB06, 0xDE48, 0xDF8A, 0xDDCC, 0xDC0E, - 0xD750, 0xD692, 0xD4D4, 0xD516, 0xD058, 0xD19A, 0xD3DC, 0xD21E, - 0xC560, 0xC4A2, 0xC6E4, 0xC726, 
0xC268, 0xC3AA, 0xC1EC, 0xC02E, - 0xCB70, 0xCAB2, 0xC8F4, 0xC936, 0xCC78, 0xCDBA, 0xCFFC, 0xCE3E, - 0x9180, 0x9042, 0x9204, 0x93C6, 0x9688, 0x974A, 0x950C, 0x94CE, - 0x9F90, 0x9E52, 0x9C14, 0x9DD6, 0x9898, 0x995A, 0x9B1C, 0x9ADE, - 0x8DA0, 0x8C62, 0x8E24, 0x8FE6, 0x8AA8, 0x8B6A, 0x892C, 0x88EE, - 0x83B0, 0x8272, 0x8034, 0x81F6, 0x84B8, 0x857A, 0x873C, 0x86FE, - 0xA9C0, 0xA802, 0xAA44, 0xAB86, 0xAEC8, 0xAF0A, 0xAD4C, 0xAC8E, - 0xA7D0, 0xA612, 0xA454, 0xA596, 0xA0D8, 0xA11A, 0xA35C, 0xA29E, - 0xB5E0, 0xB422, 0xB664, 0xB7A6, 0xB2E8, 0xB32A, 0xB16C, 0xB0AE, - 0xBBF0, 0xBA32, 0xB874, 0xB9B6, 0xBCF8, 0xBD3A, 0xBF7C, 0xBEBE - }; - /* - * This pre-processing phase slows down procedure by approximately - * same time as it makes each loop spin faster. In other words - * single block performance is approximately same as straightforward - * "4-bit" implementation, and then it goes only faster... - */ - for (cnt = 0; cnt < 16; ++cnt) { - Z.hi = Htable[cnt].hi; - Z.lo = Htable[cnt].lo; - Hshr4[cnt].lo = (Z.hi << 60) | (Z.lo >> 4); - Hshr4[cnt].hi = (Z.hi >> 4); - Hshl4[cnt] = (u8)(Z.lo << 4); - } - - do { - for (Z.lo = 0, Z.hi = 0, cnt = 15; cnt; --cnt) { - nlo = ((const u8 *)Xi)[cnt]; - nlo ^= inp[cnt]; - nhi = nlo >> 4; - nlo &= 0xf; - - Z.hi ^= Htable[nlo].hi; - Z.lo ^= Htable[nlo].lo; - - rem = (size_t)Z.lo & 0xff; - - Z.lo = (Z.hi << 56) | (Z.lo >> 8); - Z.hi = (Z.hi >> 8); - - Z.hi ^= Hshr4[nhi].hi; - Z.lo ^= Hshr4[nhi].lo; - Z.hi ^= (u64)rem_8bit[rem ^ Hshl4[nhi]] << 48; - } - - nlo = ((const u8 *)Xi)[0]; - nlo ^= inp[0]; - nhi = nlo >> 4; - nlo &= 0xf; - - Z.hi ^= Htable[nlo].hi; - Z.lo ^= Htable[nlo].lo; - - rem = (size_t)Z.lo & 0xf; - - Z.lo = (Z.hi << 60) | (Z.lo >> 4); - Z.hi = (Z.hi >> 4); - - Z.hi ^= Htable[nhi].hi; - Z.lo ^= Htable[nhi].lo; - Z.hi ^= ((u64)rem_8bit[rem << 4]) << 48; -# endif if (IS_LITTLE_ENDIAN) { # ifdef BSWAP8 
@@ -546,9 +320,9 @@ void gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16], const u8 *inp, size_t len); # endif -# define GCM_MUL(ctx) gcm_gmult_4bit(ctx->Xi.u,ctx->Htable) +# define GCM_MUL(ctx) ctx->funcs.gmult(ctx->Xi.u,ctx->Htable) # if defined(GHASH_ASM) || !defined(OPENSSL_SMALL_FOOTPRINT) -# define GHASH(ctx,in,len) gcm_ghash_4bit((ctx)->Xi.u,(ctx)->Htable,in,len) +# define GHASH(ctx,in,len) ctx->funcs.ghash((ctx)->Xi.u,(ctx)->Htable,in,len) /* * GHASH_CHUNK is "stride parameter" missioned to mitigate cache trashing * effect. In other words idea is to hash data while it's still in L1 cache 
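Review bot: `GHASH(ctx,in,len)` parenthesises `(ctx)->Xi.u` and `(ctx)->Htable` but dereferences the macro argument unparenthesised in `ctx->funcs.ghash`, so an argument that is not a plain identifier would expand differently within the same line; `#define GHASH(ctx,in,len) (ctx)->funcs.ghash((ctx)->Xi.u,(ctx)->Htable,in,len)` (and, for symmetry, `(ctx)->funcs.gmult((ctx)->Xi.u,(ctx)->Htable)` in GCM_MUL) removes the inconsistency. The indirection also introduces a new failure mode: gcm_get_funcs later in this diff initialises `ghash` to NULL whenever GHASH_ASM is defined, so any arch branch that leaves it unset while this macro is still compiled in turns the first GHASH() call into a NULL dereference; a short comment here, `/* funcs.ghash must be non-NULL wherever GHASH() is compiled in; gcm_get_funcs is responsible for that */`, records the invariant the dispatch code has to uphold.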
@@ -557,77 +331,12 @@ void gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16], const u8 *inp, # define GHASH_CHUNK (3*1024) # endif -#else /* TABLE_BITS */ - -static void gcm_gmult_1bit(u64 Xi[2], const u64 H[2]) -{ - u128 V, Z = { 0, 0 }; - long X; - int i, j; - const long *xi = (const long *)Xi; - DECLARE_IS_ENDIAN; - - V.hi = H[0]; /* H is in host byte order, no byte swapping */ - V.lo = H[1]; - - for (j = 0; j < 16 / sizeof(long); ++j) { - if (IS_LITTLE_ENDIAN) { - if (sizeof(long) == 8) { -# ifdef BSWAP8 - X = (long)(BSWAP8(xi[j])); -# else - const u8 *p = (const u8 *)(xi + j); - X = (long)((u64)GETU32(p) << 32 | GETU32(p + 4)); -# endif - } else { - const u8 *p = (const u8 *)(xi + j); - X = (long)GETU32(p); - } - } else - X = xi[j]; - - for (i = 0; i < 8 * sizeof(long); ++i, X <<= 1) { - u64 M = (u64)(X >> (8 * sizeof(long) - 1)); - Z.hi ^= V.hi & M; - Z.lo ^= V.lo & M; - - REDUCE1BIT(V); - } - } - - if (IS_LITTLE_ENDIAN) { -# ifdef BSWAP8 - Xi[0] = BSWAP8(Z.hi); - Xi[1] = BSWAP8(Z.lo); -# else - u8 *p = (u8 *)Xi; - u32 v; - v = (u32)(Z.hi >> 32); - PUTU32(p, v); - v = (u32)(Z.hi); - PUTU32(p + 4, v); - v = (u32)(Z.lo >> 32); - PUTU32(p + 8, v); - v = (u32)(Z.lo); - PUTU32(p + 12, v); -# endif - } else { - Xi[0] = Z.hi; - Xi[1] = Z.lo; - } -} - -# define GCM_MUL(ctx) gcm_gmult_1bit(ctx->Xi.u,ctx->H.u) - -#endif - -#if TABLE_BITS==4 && (defined(GHASH_ASM) || defined(OPENSSL_CPUID_OBJ)) +#if (defined(GHASH_ASM) || defined(OPENSSL_CPUID_OBJ)) # if !defined(I386_ONLY) && \ (defined(__i386) || defined(__i386__) || \ defined(__x86_64) || defined(__x86_64__) || \ defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64)) # define GHASH_ASM_X86_OR_64 -# define GCM_FUNCREF_4BIT void gcm_init_clmul(u128 Htable[16], const u64 Xi[2]); void gcm_gmult_clmul(u64 Xi[2], const u128 Htable[16]); 
@@ -659,7 +368,6 @@ void gcm_ghash_4bit_x86(u64 Xi[2], const u128 Htable[16], const u8 *inp, # include "arm_arch.h" # if __ARM_MAX_ARCH__>=7 # define GHASH_ASM_ARM -# define GCM_FUNCREF_4BIT # define PMULL_CAPABLE (OPENSSL_armcap_P & ARMV8_PMULL) # if defined(__arm__) || defined(__arm) # define NEON_CAPABLE (OPENSSL_armcap_P & ARMV7_NEON) @@ -676,7 +384,6 @@ void gcm_ghash_v8(u64 Xi[2], const u128 Htable[16], const u8 *inp, # elif defined(__sparc__) || defined(__sparc) # include "crypto/sparc_arch.h" # define GHASH_ASM_SPARC -# define GCM_FUNCREF_4BIT void gcm_init_vis3(u128 Htable[16], const u64 Xi[2]); void gcm_gmult_vis3(u64 Xi[2], const u128 Htable[16]); void gcm_ghash_vis3(u64 Xi[2], const u128 Htable[16], const u8 *inp, 
@@ -684,142 +391,160 @@ void gcm_ghash_vis3(u64 Xi[2], const u128 Htable[16], const u8 *inp, # elif defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC)) # include "crypto/ppc_arch.h" # define GHASH_ASM_PPC -# define GCM_FUNCREF_4BIT void gcm_init_p8(u128 Htable[16], const u64 Xi[2]); void gcm_gmult_p8(u64 Xi[2], const u128 Htable[16]); void gcm_ghash_p8(u64 Xi[2], const u128 Htable[16], const u8 *inp, size_t len); -# endif -#endif - -#ifdef GCM_FUNCREF_4BIT -# undef GCM_MUL -# define GCM_MUL(ctx) (*gcm_gmult_p)(ctx->Xi.u,ctx->Htable) -# ifdef GHASH +# elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64 +# include "crypto/riscv_arch.h" +# define GHASH_ASM_RISCV # undef GHASH -# define GHASH(ctx,in,len) (*gcm_ghash_p)(ctx->Xi.u,ctx->Htable,in,len) +void gcm_init_clmul_rv64i_zbb_zbc(u128 Htable[16], const u64 Xi[2]); +void gcm_gmult_clmul_rv64i_zbb_zbc(u64 Xi[2], const u128 Htable[16]); # endif #endif -void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block) +static void gcm_get_funcs(struct gcm_funcs_st *ctx) { - DECLARE_IS_ENDIAN; - - memset(ctx, 0, sizeof(*ctx)); - ctx->block = block; - ctx->key = key; - - (*block) (ctx->H.c, ctx->H.c, key); - - if (IS_LITTLE_ENDIAN) { - /* H is stored in host byte order */ -#ifdef BSWAP8 - ctx->H.u[0] = BSWAP8(ctx->H.u[0]); - ctx->H.u[1] = BSWAP8(ctx->H.u[1]); + /* set defaults -- overridden below as needed */ + ctx->ginit = gcm_init_4bit; +#if !defined(GHASH_ASM) || defined(INCLUDE_C_GMULT_4BIT) + ctx->gmult = gcm_gmult_4bit; #else - u8 *p = ctx->H.c; - u64 hi, lo; - hi = (u64)GETU32(p) << 32 | GETU32(p + 4); - lo = (u64)GETU32(p + 8) << 32 | GETU32(p + 12); - ctx->H.u[0] = hi; - ctx->H.u[1] = lo; + ctx->gmult = NULL; #endif - } -#if TABLE_BITS==8 - gcm_init_8bit(ctx->Htable, ctx->H.u); -#elif TABLE_BITS==4 -# if defined(GHASH) -# define CTX__GHASH(f) (ctx->ghash = (f)) -# else -# define CTX__GHASH(f) (ctx->ghash = NULL) -# endif -# if 
defined(GHASH_ASM_X86_OR_64) -# if !defined(GHASH_ASM_X86) || defined(OPENSSL_IA32_SSE2) +#if !defined(GHASH_ASM) && !defined(OPENSSL_SMALL_FOOTPRINT) + ctx->ghash = gcm_ghash_4bit; +#else + ctx->ghash = NULL; +#endif + +#if defined(GHASH_ASM_X86_OR_64) +# if !defined(GHASH_ASM_X86) || defined(OPENSSL_IA32_SSE2) + /* x86_64 */ if (OPENSSL_ia32cap_P[1] & (1 << 1)) { /* check PCLMULQDQ bit */ if (((OPENSSL_ia32cap_P[1] >> 22) & 0x41) == 0x41) { /* AVX+MOVBE */ - gcm_init_avx(ctx->Htable, ctx->H.u); + ctx->ginit = gcm_init_avx; ctx->gmult = gcm_gmult_avx; - CTX__GHASH(gcm_ghash_avx); + ctx->ghash = gcm_ghash_avx; } else { - gcm_init_clmul(ctx->Htable, ctx->H.u); + ctx->ginit = gcm_init_clmul; ctx->gmult = gcm_gmult_clmul; - CTX__GHASH(gcm_ghash_clmul); + ctx->ghash = gcm_ghash_clmul; } return; } -# endif - gcm_init_4bit(ctx->Htable, ctx->H.u); -# if defined(GHASH_ASM_X86) /* x86 only */ -# if defined(OPENSSL_IA32_SSE2) +# endif +# if defined(GHASH_ASM_X86) + /* x86 only */ +# if defined(OPENSSL_IA32_SSE2) if (OPENSSL_ia32cap_P[0] & (1 << 25)) { /* check SSE bit */ -# else - if (OPENSSL_ia32cap_P[0] & (1 << 23)) { /* check MMX bit */ -# endif ctx->gmult = gcm_gmult_4bit_mmx; - CTX__GHASH(gcm_ghash_4bit_mmx); - } else { - ctx->gmult = gcm_gmult_4bit_x86; - CTX__GHASH(gcm_ghash_4bit_x86); + ctx->ghash = gcm_ghash_4bit_mmx; + return; } # else - ctx->gmult = gcm_gmult_4bit; - CTX__GHASH(gcm_ghash_4bit); + if (OPENSSL_ia32cap_P[0] & (1 << 23)) { /* check MMX bit */ + ctx->gmult = gcm_gmult_4bit_mmx; + ctx->ghash = gcm_ghash_4bit_mmx; + return; + } # endif -# elif defined(GHASH_ASM_ARM) -# ifdef PMULL_CAPABLE + ctx->gmult = gcm_gmult_4bit_x86; + ctx->ghash = gcm_ghash_4bit_x86; + return; +# else + /* x86_64 fallback defaults */ + ctx->gmult = gcm_gmult_4bit; + ctx->ghash = gcm_ghash_4bit; + return; +# endif +#elif defined(GHASH_ASM_ARM) + /* ARM defaults */ + ctx->gmult = gcm_gmult_4bit; + ctx->ghash = gcm_ghash_4bit; +# ifdef PMULL_CAPABLE if (PMULL_CAPABLE) { - 
gcm_init_v8(ctx->Htable, ctx->H.u); + ctx->ginit = (gcm_init_fn)gcm_init_v8; ctx->gmult = gcm_gmult_v8; - CTX__GHASH(gcm_ghash_v8); - } else -# endif -# ifdef NEON_CAPABLE + ctx->ghash = gcm_ghash_v8; + } +# elif defined(NEON_CAPABLE) if (NEON_CAPABLE) { - gcm_init_neon(ctx->Htable, ctx->H.u); + ctx->ginit = gcm_init_neon; ctx->gmult = gcm_gmult_neon; - CTX__GHASH(gcm_ghash_neon); - } else -# endif - { - gcm_init_4bit(ctx->Htable, ctx->H.u); - ctx->gmult = gcm_gmult_4bit; - CTX__GHASH(gcm_ghash_4bit); + ctx->ghash = gcm_ghash_neon; } -# elif defined(GHASH_ASM_SPARC) +# endif + return; +#elif defined(GHASH_ASM_SPARC) + /* SPARC defaults */ + ctx->gmult = gcm_gmult_4bit; + ctx->ghash = gcm_ghash_4bit; if (OPENSSL_sparcv9cap_P[0] & SPARCV9_VIS3) { - gcm_init_vis3(ctx->Htable, ctx->H.u); + ctx->ginit = gcm_init_vis3; ctx->gmult = gcm_gmult_vis3; - CTX__GHASH(gcm_ghash_vis3); - } else { - gcm_init_4bit(ctx->Htable, ctx->H.u); - ctx->gmult = gcm_gmult_4bit; - CTX__GHASH(gcm_ghash_4bit); + ctx->ghash = gcm_ghash_vis3; } -# elif defined(GHASH_ASM_PPC) + return; +#elif defined(GHASH_ASM_PPC) + /* PowerPC does not define GHASH_ASM; defaults set above */ if (OPENSSL_ppccap_P & PPC_CRYPTO207) { - gcm_init_p8(ctx->Htable, ctx->H.u); + ctx->ginit = gcm_init_p8; ctx->gmult = gcm_gmult_p8; - CTX__GHASH(gcm_ghash_p8); - } else { - gcm_init_4bit(ctx->Htable, ctx->H.u); - ctx->gmult = gcm_gmult_4bit; - CTX__GHASH(gcm_ghash_4bit); + ctx->ghash = gcm_ghash_p8; } -# else - gcm_init_4bit(ctx->Htable, ctx->H.u); -# endif -# undef CTX__GHASH + return; +#elif defined(GHASH_ASM_RISCV) && __riscv_xlen == 64 + /* RISCV defaults; gmult already set above */ + ctx->ghash = NULL; + if (RISCV_HAS_ZBB() && RISCV_HAS_ZBC()) { + ctx->ginit = gcm_init_clmul_rv64i_zbb_zbc; + ctx->gmult = gcm_gmult_clmul_rv64i_zbb_zbc; + } + return; +#elif defined(GHASH_ASM) + /* all other architectures use the generic names */ + ctx->gmult = gcm_gmult_4bit; + ctx->ghash = gcm_ghash_4bit; + return; #endif } +void 
CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block) +{ + DECLARE_IS_ENDIAN; + + memset(ctx, 0, sizeof(*ctx)); + ctx->block = block; + ctx->key = key; + + (*block) (ctx->H.c, ctx->H.c, key); + + if (IS_LITTLE_ENDIAN) { + /* H is stored in host byte order */ +#ifdef BSWAP8 + ctx->H.u[0] = BSWAP8(ctx->H.u[0]); + ctx->H.u[1] = BSWAP8(ctx->H.u[1]); +#else + u8 *p = ctx->H.c; + u64 hi, lo; + hi = (u64)GETU32(p) << 32 | GETU32(p + 4); + lo = (u64)GETU32(p + 8) << 32 | GETU32(p + 12); + ctx->H.u[0] = hi; + ctx->H.u[1] = lo; +#endif + } + + gcm_get_funcs(&ctx->funcs); + ctx->funcs.ginit(ctx->Htable, ctx->H.u); +} + void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const unsigned char *iv, size_t len) { DECLARE_IS_ENDIAN; unsigned int ctr; -#ifdef GCM_FUNCREF_4BIT - void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; -#endif ctx->len.u[0] = 0; /* AAD length */ ctx->len.u[1] = 0; /* message length */ @@ -908,13 +633,6 @@ int CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const unsigned char *aad, size_t i; unsigned int n; u64 alen = ctx->len.u[0]; -#ifdef GCM_FUNCREF_4BIT - void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; -# ifdef GHASH - void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16], - const u8 *inp, size_t len) = ctx->ghash; -# endif -#endif if (ctx->len.u[1]) return -2; @@ -973,13 +691,6 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, u64 mlen = ctx->len.u[1]; block128_f block = ctx->block; void *key = ctx->key; -#ifdef GCM_FUNCREF_4BIT - void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; -# if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT) - void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16], - const u8 *inp, size_t len) = ctx->ghash; -# endif -#endif mlen += len; if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len)) 
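Review bot: The ARM branch of gcm_get_funcs is the only place that casts the initialiser, `ctx->ginit = (gcm_init_fn)gcm_init_v8;`, while every other branch assigns its gcm_init_* function to ctx->ginit directly. If gcm_init_v8's declared prototype differs from gcm_init_fn, calling it through the converted pointer in CRYPTO_gcm128_init (`ctx->funcs.ginit(ctx->Htable, ctx->H.u);`) is undefined behaviour and the cast only silences the diagnostic; aligning the prototype and dropping the cast, or stating next to it why the cast is required, would be safer. The new function also has no header comment; something like `/* Pick the ginit/gmult/ghash implementations for this build and CPU; several branches deliberately leave ctx->ghash (and in some asm builds ctx->gmult) NULL. */` would document the contract that the NULL defaults above the #if chain imply.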
@@ -1205,13 +916,6 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, u64 mlen = ctx->len.u[1]; block128_f block = ctx->block; void *key = ctx->key; -#ifdef GCM_FUNCREF_4BIT - void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; -# if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT) - void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16], - const u8 *inp, size_t len) = ctx->ghash; -# endif -#endif mlen += len; if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len)) @@ -1447,13 +1151,6 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, size_t i; u64 mlen = ctx->len.u[1]; void *key = ctx->key; -# ifdef GCM_FUNCREF_4BIT - void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; -# ifdef GHASH - void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16], - const u8 *inp, size_t len) = ctx->ghash; -# endif -# endif mlen += len; if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len)) @@ -1608,13 +1305,6 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, size_t i; u64 mlen = ctx->len.u[1]; void *key = ctx->key; -# ifdef GCM_FUNCREF_4BIT - void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; -# ifdef GHASH - void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16], - const u8 *inp, size_t len) = ctx->ghash; -# endif -# endif mlen += len; if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len)) @@ -1770,13 +1460,6 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const unsigned char *tag, DECLARE_IS_ENDIAN; u64 alen = ctx->len.u[0] << 3; u64 clen = ctx->len.u[1] << 3; -#ifdef GCM_FUNCREF_4BIT - void (*gcm_gmult_p) (u64 Xi[2], const u128 Htable[16]) = ctx->gmult; -# if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT) - void (*gcm_ghash_p) (u64 Xi[2], const u128 Htable[16], - const u8 *inp, size_t len) = ctx->ghash; -# endif -#endif #if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT) u128 bitlen; diff --git a/crypto/o_dir.c b/crypto/o_dir.c index 6857a2e17..d7f5d64d0 100644 
--- a/crypto/o_dir.c +++ b/crypto/o_dir.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "e_os.h" +#include "internal/e_os.h" #include /* diff --git a/crypto/o_fopen.c b/crypto/o_fopen.c index 8095fffbe..337985c62 100644 --- a/crypto/o_fopen.c +++ b/crypto/o_fopen.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,7 +11,7 @@ /* * Following definition aliases fopen to fopen64 on above mentioned * platforms. This makes it possible to open and sequentially access files - * larger than 2GB from 32-bit application. It does not allow to traverse + * larger than 2GB from 32-bit application. It does not allow one to traverse * them beyond 2GB with fseek/ftell, but on the other hand *no* 32-bit * platform permits that, not with fseek/ftell. Not to mention that breaking * 2GB limit for seeking would require surgery to *our* API. But sequential @@ -25,7 +25,7 @@ # endif # endif -#include "e_os.h" +#include "internal/e_os.h" #include "internal/cryptlib.h" #if !defined(OPENSSL_NO_STDIO) diff --git a/crypto/o_init.c b/crypto/o_init.c index a0b4256f7..faa67071a 100644 --- a/crypto/o_init.c +++ b/crypto/o_init.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "e_os.h" +#include "internal/e_os.h" #include /* diff --git a/crypto/o_str.c b/crypto/o_str.c index 7fa487dd5..3354ce092 100644 --- a/crypto/o_str.c +++ b/crypto/o_str.c @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "e_os.h" +#include "internal/e_os.h" #include #include #include diff --git a/crypto/objects/o_names.c b/crypto/objects/o_names.c index 791f2b011..1efa0345f 100644 --- a/crypto/objects/o_names.c +++ b/crypto/objects/o_names.c @@ -19,7 +19,7 @@ #include "internal/thread_once.h" #include "crypto/lhash.h" #include "obj_local.h" -#include "e_os.h" +#include "internal/e_os.h" /* * I use the ex_data stuff to manage the identifiers for the obj_name_types diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c index 01cde00e9..f45e34a63 100644 --- a/crypto/objects/obj_dat.c +++ b/crypto/objects/obj_dat.c @@ -11,6 +11,8 @@ #include "crypto/ctype.h" #include #include "internal/cryptlib.h" +#include "internal/thread_once.h" +#include "internal/tsan_assist.h" #include #include #include "crypto/objects.h" @@ -21,6 +23,14 @@ /* obj_dat.h is generated from objects.h by obj_dat.pl */ #include "obj_dat.h" +/* + * If we don't have suitable TSAN support, we'll use a lock for generation of + * new NIDs. This will be slower of course. + */ +#ifndef tsan_ld_acq +# define OBJ_USE_LOCK_FOR_NEW_NID +#endif + DECLARE_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, sn); DECLARE_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, ln); DECLARE_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, obj); 
@@ -35,8 +45,71 @@ struct added_obj_st { ASN1_OBJECT *obj; }; -static int new_nid = NUM_NID; static LHASH_OF(ADDED_OBJ) *added = NULL; +static CRYPTO_RWLOCK *ossl_obj_lock = NULL; +#ifdef OBJ_USE_LOCK_FOR_NEW_NID +static CRYPTO_RWLOCK *ossl_obj_nid_lock = NULL; +#endif + +static CRYPTO_ONCE ossl_obj_lock_init = CRYPTO_ONCE_STATIC_INIT; + +static ossl_inline void objs_free_locks(void) +{ + CRYPTO_THREAD_lock_free(ossl_obj_lock); + ossl_obj_lock = NULL; +#ifdef OBJ_USE_LOCK_FOR_NEW_NID + CRYPTO_THREAD_lock_free(ossl_obj_nid_lock); + ossl_obj_nid_lock = NULL; +#endif +} + +DEFINE_RUN_ONCE_STATIC(obj_lock_initialise) +{ + /* Make sure we've loaded config before checking for any "added" objects */ + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); + + ossl_obj_lock = CRYPTO_THREAD_lock_new(); + if (ossl_obj_lock == NULL) + return 0; + +#ifdef OBJ_USE_LOCK_FOR_NEW_NID + ossl_obj_nid_lock = CRYPTO_THREAD_lock_new(); + if (ossl_obj_nid_lock == NULL) { + objs_free_locks(); + return 0; + } +#endif + return 1; +} + +static ossl_inline int ossl_init_added_lock(void) +{ + return RUN_ONCE(&ossl_obj_lock_init, obj_lock_initialise); +} + +static ossl_inline int ossl_obj_write_lock(int lock) +{ + if (!lock) + return 1; + if (!ossl_init_added_lock()) + return 0; + return CRYPTO_THREAD_write_lock(ossl_obj_lock); +} + +static ossl_inline int ossl_obj_read_lock(int lock) +{ + if (!lock) + return 1; + if (!ossl_init_added_lock()) + return 0; + return CRYPTO_THREAD_read_lock(ossl_obj_lock); +} + +static ossl_inline void ossl_obj_unlock(int lock) +{ + if (lock) + CRYPTO_THREAD_unlock(ossl_obj_lock); +} static int sn_cmp(const ASN1_OBJECT *const *a, const unsigned int *b) { @@ -123,14 +196,6 @@ static int added_obj_cmp(const ADDED_OBJ *ca, const ADDED_OBJ *cb) } } -static int init_added(void) -{ - if (added != NULL) - return 1; - added = lh_ADDED_OBJ_new(added_obj_hash, added_obj_cmp); - return added != NULL; -} - static void cleanup1_doall(ADDED_OBJ *a) { a->obj->nid = 0; 
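Review bot: obj_lock_initialise calls `OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)` from inside the RUN_ONCE body, before the locks exist. If loading the configuration registers objects (for instance OBJ_create from a config oid_section), that path calls ossl_obj_write_lock → ossl_init_added_lock → RUN_ONCE while the same once-initialiser is still running, which can fail or deadlock depending on the CRYPTO_ONCE implementation. Moving the OPENSSL_init_crypto call into ossl_init_added_lock ahead of `return RUN_ONCE(&ossl_obj_lock_init, obj_lock_initialise);` keeps the once body limited to lock creation. Its return value is also ignored here, which deserves a comment if that is intentional.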
@@ -152,47 +217,69 @@ static void cleanup3_doall(ADDED_OBJ *a) void ossl_obj_cleanup_int(void) { - if (added == NULL) - return; - lh_ADDED_OBJ_set_down_load(added, 0); - lh_ADDED_OBJ_doall(added, cleanup1_doall); /* zero counters */ - lh_ADDED_OBJ_doall(added, cleanup2_doall); /* set counters */ - lh_ADDED_OBJ_doall(added, cleanup3_doall); /* free objects */ - lh_ADDED_OBJ_free(added); - added = NULL; + if (added != NULL) { + lh_ADDED_OBJ_set_down_load(added, 0); + lh_ADDED_OBJ_doall(added, cleanup1_doall); /* zero counters */ + lh_ADDED_OBJ_doall(added, cleanup2_doall); /* set counters */ + lh_ADDED_OBJ_doall(added, cleanup3_doall); /* free objects */ + lh_ADDED_OBJ_free(added); + added = NULL; + } + objs_free_locks(); } int OBJ_new_nid(int num) { +#ifdef OBJ_USE_LOCK_FOR_NEW_NID + static int new_nid = NUM_NID; int i; + if (!CRYPTO_THREAD_write_lock(ossl_obj_nid_lock)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_WRITE_LOCK); + return NID_undef; + } i = new_nid; new_nid += num; + CRYPTO_THREAD_unlock(ossl_obj_nid_lock); return i; +#else + static TSAN_QUALIFIER int new_nid = NUM_NID; + + return tsan_add(&new_nid, num); +#endif } -int OBJ_add_object(const ASN1_OBJECT *obj) +static int ossl_obj_add_object(const ASN1_OBJECT *obj, int lock) { - ASN1_OBJECT *o; + ASN1_OBJECT *o = NULL; ADDED_OBJ *ao[4] = { NULL, NULL, NULL, NULL }, *aop; int i; - if (added == NULL) - if (!init_added()) - return 0; if ((o = OBJ_dup(obj)) == NULL) - goto err; - if ((ao[ADDED_NID] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL) + return NID_undef; + if ((ao[ADDED_NID] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL + || (o->length != 0 + && obj->data != NULL + && (ao[ADDED_DATA] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL) + || (o->sn != NULL + && (ao[ADDED_SNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL) + || (o->ln != NULL + && (ao[ADDED_LNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_MALLOC_FAILURE); goto err2; - if ((o->length != 0) && (obj->data != NULL)) - 
if ((ao[ADDED_DATA] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL) - goto err2; - if (o->sn != NULL) - if ((ao[ADDED_SNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL) - goto err2; - if (o->ln != NULL) - if ((ao[ADDED_LNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL) - goto err2; + } + + if (!ossl_obj_write_lock(lock)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_WRITE_LOCK); + goto err2; + } + if (added == NULL) { + added = lh_ADDED_OBJ_new(added_obj_hash, added_obj_cmp); + if (added == NULL) { + ERR_raise(ERR_LIB_OBJ, ERR_R_MALLOC_FAILURE); + goto err; + } + } for (i = ADDED_DATA; i <= ADDED_NID; i++) { if (ao[i] != NULL) { @@ -207,10 +294,12 @@ int OBJ_add_object(const ASN1_OBJECT *obj) ~(ASN1_OBJECT_FLAG_DYNAMIC | ASN1_OBJECT_FLAG_DYNAMIC_STRINGS | ASN1_OBJECT_FLAG_DYNAMIC_DATA); + ossl_obj_unlock(lock); return o->nid; - err2: - ERR_raise(ERR_LIB_OBJ, ERR_R_MALLOC_FAILURE); + err: + ossl_obj_unlock(lock); + err2: for (i = ADDED_DATA; i <= ADDED_NID; i++) OPENSSL_free(ao[i]); ASN1_OBJECT_free(o); @@ -219,27 +308,24 @@ int OBJ_add_object(const ASN1_OBJECT *obj) ASN1_OBJECT *OBJ_nid2obj(int n) { - ADDED_OBJ ad, *adp; + ADDED_OBJ ad, *adp = NULL; ASN1_OBJECT ob; - if ((n >= 0) && (n < NUM_NID)) { - if ((n != NID_undef) && (nid_objs[n].nid == NID_undef)) { - ERR_raise(ERR_LIB_OBJ, OBJ_R_UNKNOWN_NID); - return NULL; - } - return (ASN1_OBJECT *)&(nid_objs[n]); - } - - /* Make sure we've loaded config before checking for any "added" objects */ - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); - - if (added == NULL) + if (n == NID_undef) return NULL; + if (n >= 0 && n < NUM_NID && nid_objs[n].nid != NID_undef) + return (ASN1_OBJECT *)&(nid_objs[n]); ad.type = ADDED_NID; ad.obj = &ob; ob.nid = n; - adp = lh_ADDED_OBJ_retrieve(added, &ad); + if (!ossl_obj_read_lock(1)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_READ_LOCK); + return NULL; + } + if (added != NULL) + adp = lh_ADDED_OBJ_retrieve(added, &ad); + ossl_obj_unlock(1); if (adp != NULL) return adp->obj; 
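Review bot: In OBJ_new_nid the OBJ_USE_LOCK_FOR_NEW_NID branch takes `CRYPTO_THREAD_write_lock(ossl_obj_nid_lock)` without first running the once-initialiser, and ossl_obj_nid_lock is only created by obj_lock_initialise via ossl_init_added_lock(). A program whose first OBJ_* call is OBJ_new_nid therefore locks a NULL pointer. Guarding it, `if (!ossl_init_added_lock() || !CRYPTO_THREAD_write_lock(ossl_obj_nid_lock)) {`, fixes that; alternatively the counter could sit under ossl_obj_write_lock(1)/ossl_obj_unlock(1), which already ensure initialisation. Separately, ossl_obj_cleanup_int frees the locks but cannot reset the CRYPTO_ONCE, so any OBJ_* call after cleanup would use a NULL lock — a comment on ossl_obj_cleanup_int stating that it must be the last use of this module would make that contract explicit.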
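Review bot: OBJ_nid2obj now returns NULL for `n == NID_undef`, whereas the removed code returned `&nid_objs[NID_undef]` (n was in range and the `n != NID_undef` test only guarded the error path). OBJ_nid2sn and OBJ_nid2ln in the next hunk delegate to OBJ_nid2obj, so they too now yield NULL for NID_undef instead of the name stored in nid_objs[NID_undef]; callers that print or compare the undefined object's name will see the difference. Unless the change is intended, the built-in check should read `if (n == NID_undef || (n >= 0 && n < NUM_NID && nid_objs[n].nid != NID_undef)) return (ASN1_OBJECT *)&(nid_objs[n]);`. The early `ERR_raise(ERR_LIB_OBJ, OBJ_R_UNKNOWN_NID)` for unused built-in slots is also gone; the tail of the function that would raise it lies outside the hunk.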
@@ -249,62 +335,16 @@ ASN1_OBJECT *OBJ_nid2obj(int n) const char *OBJ_nid2sn(int n) { - ADDED_OBJ ad, *adp; - ASN1_OBJECT ob; - - if ((n >= 0) && (n < NUM_NID)) { - if ((n != NID_undef) && (nid_objs[n].nid == NID_undef)) { - ERR_raise(ERR_LIB_OBJ, OBJ_R_UNKNOWN_NID); - return NULL; - } - return nid_objs[n].sn; - } - - /* Make sure we've loaded config before checking for any "added" objects */ - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); - - if (added == NULL) - return NULL; + ASN1_OBJECT *ob = OBJ_nid2obj(n); - ad.type = ADDED_NID; - ad.obj = &ob; - ob.nid = n; - adp = lh_ADDED_OBJ_retrieve(added, &ad); - if (adp != NULL) - return adp->obj->sn; - - ERR_raise(ERR_LIB_OBJ, OBJ_R_UNKNOWN_NID); - return NULL; + return ob == NULL ? NULL : ob->sn; } const char *OBJ_nid2ln(int n) { - ADDED_OBJ ad, *adp; - ASN1_OBJECT ob; - - if ((n >= 0) && (n < NUM_NID)) { - if ((n != NID_undef) && (nid_objs[n].nid == NID_undef)) { - ERR_raise(ERR_LIB_OBJ, OBJ_R_UNKNOWN_NID); - return NULL; - } - return nid_objs[n].ln; - } - - /* Make sure we've loaded config before checking for any "added" objects */ - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); - - if (added == NULL) - return NULL; + ASN1_OBJECT *ob = OBJ_nid2obj(n); - ad.type = ADDED_NID; - ad.obj = &ob; - ob.nid = n; - adp = lh_ADDED_OBJ_retrieve(added, &ad); - if (adp != NULL) - return adp->obj->ln; - - ERR_raise(ERR_LIB_OBJ, OBJ_R_UNKNOWN_NID); - return NULL; + return ob == NULL ? NULL : ob->ln; } static int obj_cmp(const ASN1_OBJECT *const *ap, const unsigned int *bp) 
@@ -323,33 +363,35 @@ static int obj_cmp(const ASN1_OBJECT *const *ap, const unsigned int *bp) IMPLEMENT_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, obj); -int OBJ_obj2nid(const ASN1_OBJECT *a) +static int ossl_obj_obj2nid(const ASN1_OBJECT *a, const int lock) { + int nid = NID_undef; const unsigned int *op; ADDED_OBJ ad, *adp; if (a == NULL) return NID_undef; - if (a->nid != 0) + if (a->nid != NID_undef) return a->nid; - if (a->length == 0) return NID_undef; - /* Make sure we've loaded config before checking for any "added" objects */ - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); - + op = OBJ_bsearch_obj(&a, obj_objs, NUM_OBJ); + if (op != NULL) + return nid_objs[*op].nid; + if (!ossl_obj_read_lock(lock)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_READ_LOCK); + return NID_undef; + } if (added != NULL) { ad.type = ADDED_DATA; - ad.obj = (ASN1_OBJECT *)a; /* XXX: ugly but harmless */ + ad.obj = (ASN1_OBJECT *)a; /* casting away const is harmless here */ adp = lh_ADDED_OBJ_retrieve(added, &ad); if (adp != NULL) - return adp->obj->nid; + nid = adp->obj->nid; } - op = OBJ_bsearch_obj(&a, obj_objs, NUM_OBJ); - if (op == NULL) - return NID_undef; - return nid_objs[*op].nid; + ossl_obj_unlock(lock); + return nid; } /* @@ -358,20 +400,20 @@ int OBJ_obj2nid(const ASN1_OBJECT *a) * into an object: unlike OBJ_txt2nid it can be used with any objects, not * just registered ones. */ - ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name) { int nid = NID_undef; - ASN1_OBJECT *op; + ASN1_OBJECT *op = NULL; unsigned char *buf; unsigned char *p; const unsigned char *cp; int i, j; if (!no_name) { - if (((nid = OBJ_sn2nid(s)) != NID_undef) || - ((nid = OBJ_ln2nid(s)) != NID_undef)) + if ((nid = OBJ_sn2nid(s)) != NID_undef || + (nid = OBJ_ln2nid(s)) != NID_undef) { return OBJ_nid2obj(nid); + } if (!ossl_isdigit(*s)) { ERR_raise(ERR_LIB_OBJ, OBJ_R_UNKNOWN_OBJECT_NAME); return NULL; 
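Review bot: ossl_obj_obj2nid reverses the lookup order — `OBJ_bsearch_obj` over the built-in table now runs first and the `added` hash is consulted only on a miss, where the removed code checked `added` first; OBJ_ln2nid and OBJ_sn2nid in a later hunk make the same change. An application-added object whose data or name collides with a built-in can therefore no longer shadow it, a behaviour change worth one line in the comment above the function, e.g. `/* Built-in objects take precedence over application-added ones. */`. As a point of style, the new parameter is `const int lock` here but plain `int lock` in ossl_obj_add_object and the lock helpers; the qualifier on a by-value parameter adds nothing and the signatures should match.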
@@ -380,13 +422,9 @@ ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name) /* Work out size of content octets */ i = a2d_ASN1_OBJECT(NULL, 0, s, -1); - if (i <= 0) { - /* Don't clear the error */ - /* - * ERR_clear_error(); - */ + if (i <= 0) return NULL; - } + /* Work out total size */ j = ASN1_object_size(0, i, V_ASN1_OBJECT); if (j < 0) @@ -416,24 +454,23 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) unsigned long l; const unsigned char *p; char tbuf[DECIMAL_SIZE(i) + DECIMAL_SIZE(l) + 2]; + const char *s; /* Ensure that, at every state, |buf| is NUL-terminated. */ - if (buf && buf_len > 0) + if (buf != NULL && buf_len > 0) buf[0] = '\0'; - if ((a == NULL) || (a->data == NULL)) + if (a == NULL || a->data == NULL) return 0; if (!no_name && (nid = OBJ_obj2nid(a)) != NID_undef) { - const char *s; s = OBJ_nid2ln(nid); if (s == NULL) s = OBJ_nid2sn(nid); - if (s) { - if (buf) + if (s != NULL) { + if (buf != NULL) OPENSSL_strlcpy(buf, s, buf_len); - n = strlen(s); - return n; + return (int)strlen(s); } } @@ -545,11 +582,13 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) int OBJ_txt2nid(const char *s) { - ASN1_OBJECT *obj; - int nid; - obj = OBJ_txt2obj(s, 0); - nid = OBJ_obj2nid(obj); - ASN1_OBJECT_free(obj); + ASN1_OBJECT *obj = OBJ_txt2obj(s, 0); + int nid = NID_undef; + + if (obj != NULL) { + nid = OBJ_obj2nid(obj); + ASN1_OBJECT_free(obj); + } return nid; } 
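Review bot: The NULL guard added to OBJ_txt2nid is redundant: ossl_obj_obj2nid returns NID_undef for a NULL argument (`if (a == NULL) return NID_undef;` in the previous hunk) and ASN1_OBJECT_free accepts NULL, so the original three-line body already handled a failed OBJ_txt2obj. If the guard is kept for readability, a short comment such as `/* OBJ_txt2obj() has already raised an error on failure */` would tell the reader why no error is raised here. In OBJ_obj2txt, `const char *s;` was hoisted to function scope although it is only used inside the `!no_name` branch; the narrower scope it had before is the usual preference in this file.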
@@ -559,22 +598,25 @@ int OBJ_ln2nid(const char *s) const ASN1_OBJECT *oo = &o; ADDED_OBJ ad, *adp; const unsigned int *op; - - /* Make sure we've loaded config before checking for any "added" objects */ - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); + int nid = NID_undef; o.ln = s; + op = OBJ_bsearch_ln(&oo, ln_objs, NUM_LN); + if (op != NULL) + return nid_objs[*op].nid; + if (!ossl_obj_read_lock(1)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_READ_LOCK); + return NID_undef; + } if (added != NULL) { ad.type = ADDED_LNAME; ad.obj = &o; adp = lh_ADDED_OBJ_retrieve(added, &ad); if (adp != NULL) - return adp->obj->nid; + nid = adp->obj->nid; } - op = OBJ_bsearch_ln(&oo, ln_objs, NUM_LN); - if (op == NULL) - return NID_undef; - return nid_objs[*op].nid; + ossl_obj_unlock(1); + return nid; } int OBJ_sn2nid(const char *s) @@ -583,22 +625,25 @@ int OBJ_sn2nid(const char *s) const ASN1_OBJECT *oo = &o; ADDED_OBJ ad, *adp; const unsigned int *op; - - /* Make sure we've loaded config before checking for any "added" objects */ - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); + int nid = NID_undef; o.sn = s; + op = OBJ_bsearch_sn(&oo, sn_objs, NUM_SN); + if (op != NULL) + return nid_objs[*op].nid; + if (!ossl_obj_read_lock(1)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_READ_LOCK); + return NID_undef; + } if (added != NULL) { ad.type = ADDED_SNAME; ad.obj = &o; adp = lh_ADDED_OBJ_retrieve(added, &ad); if (adp != NULL) - return adp->obj->nid; + nid = adp->obj->nid; } - op = OBJ_bsearch_sn(&oo, sn_objs, NUM_SN); - if (op == NULL) - return NID_undef; - return nid_objs[*op].nid; + ossl_obj_unlock(1); + return nid; } const void *OBJ_bsearch_(const void *key, const void *base, int num, int size, 
@@ -698,16 +743,21 @@ int OBJ_create(const char *oid, const char *sn, const char *ln) if ((sn != NULL && OBJ_sn2nid(sn) != NID_undef) || (ln != NULL && OBJ_ln2nid(ln) != NID_undef)) { ERR_raise(ERR_LIB_OBJ, OBJ_R_OID_EXISTS); - return 0; + goto err; } /* Convert numerical OID string to an ASN1_OBJECT structure */ tmpoid = OBJ_txt2obj(oid, 1); if (tmpoid == NULL) + goto err; + + if (!ossl_obj_write_lock(1)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_WRITE_LOCK); return 0; + } /* If NID is not NID_undef then object already exists */ - if (OBJ_obj2nid(tmpoid) != NID_undef) { + if (ossl_obj_obj2nid(tmpoid, 0) != NID_undef) { ERR_raise(ERR_LIB_OBJ, OBJ_R_OID_EXISTS); goto err; } @@ -719,12 +769,13 @@ int OBJ_create(const char *oid, const char *sn, const char *ln) tmpoid->sn = (char *)sn; tmpoid->ln = (char *)ln; - ok = OBJ_add_object(tmpoid); + ok = ossl_obj_add_object(tmpoid, 0); tmpoid->sn = NULL; tmpoid->ln = NULL; err: + ossl_obj_unlock(1); ASN1_OBJECT_free(tmpoid); return ok; } @@ -742,3 +793,13 @@ const unsigned char *OBJ_get0_data(const ASN1_OBJECT *obj) return NULL; return obj->data; } + +int OBJ_add_object(const ASN1_OBJECT *obj) +{ + return ossl_obj_add_object(obj, 1); +} + +int OBJ_obj2nid(const ASN1_OBJECT *a) +{ + return ossl_obj_obj2nid(a, 1); +} diff --git a/crypto/objects/obj_local.h b/crypto/objects/obj_local.h index 4436b799f..68dcd8d24 100644 --- a/crypto/objects/obj_local.h +++ b/crypto/objects/obj_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
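Review bot: In OBJ_create the two early exits before the lock is taken were changed from `return 0;` to `goto err;`, but `err:` now begins with `ossl_obj_unlock(1)` (second hunk), so the OID-exists and OBJ_txt2obj-failure paths release ossl_obj_lock without holding it — undefined behaviour for a pthread rwlock. Conversely the `!ossl_obj_write_lock(1)` branch returns 0 directly and leaks tmpoid, which is non-NULL at that point. The pre-lock exits should stay `return 0;` and the lock-failure branch should do `ASN1_OBJECT_free(tmpoid); return 0;`, leaving `err:` for paths that hold the lock. OBJ_create's declarations at the top of the function are outside the hunk.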
@@ -9,6 +9,6 @@ typedef struct name_funcs_st NAME_FUNCS; DEFINE_STACK_OF(NAME_FUNCS) -DEFINE_LHASH_OF(OBJ_NAME); +DEFINE_LHASH_OF_EX(OBJ_NAME); typedef struct added_obj_st ADDED_OBJ; -DEFINE_LHASH_OF(ADDED_OBJ); +DEFINE_LHASH_OF_EX(ADDED_OBJ); diff --git a/crypto/objects/obj_xref.c b/crypto/objects/obj_xref.c index da1035112..8660de200 100644 --- a/crypto/objects/obj_xref.c +++ b/crypto/objects/obj_xref.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -10,9 +10,11 @@ #include #include "obj_xref.h" #include "internal/nelem.h" +#include "internal/thread_once.h" #include static STACK_OF(nid_triple) *sig_app, *sigx_app; +static CRYPTO_RWLOCK *sig_lock; static int sig_cmp(const nid_triple *a, const nid_triple *b) { 
@@ -32,62 +34,112 @@ DECLARE_OBJ_BSEARCH_CMP_FN(const nid_triple *, const nid_triple *, sigx); static int sigx_cmp(const nid_triple *const *a, const nid_triple *const *b) { int ret; + ret = (*a)->hash_id - (*b)->hash_id; - if (ret) + /* The "b" side of the comparison carries the algorithms already + * registered. A NID_undef for 'hash_id' there means that the + * signature algorithm doesn't need a digest to operate OK. In + * such case, any hash_id/digest algorithm on the test side (a), + * incl. NID_undef, is acceptable. signature algorithm NID + * (pkey_id) must match in any case. + */ + if ((ret != 0) && ((*b)->hash_id != NID_undef)) return ret; return (*a)->pkey_id - (*b)->pkey_id; } IMPLEMENT_OBJ_BSEARCH_CMP_FN(const nid_triple *, const nid_triple *, sigx); -int OBJ_find_sigid_algs(int signid, int *pdig_nid, int *ppkey_nid) +static CRYPTO_ONCE sig_init = CRYPTO_ONCE_STATIC_INIT; + +DEFINE_RUN_ONCE_STATIC(o_sig_init) +{ + sig_lock = CRYPTO_THREAD_lock_new(); + return sig_lock != NULL; +} + +static ossl_inline int obj_sig_init(void) +{ + return RUN_ONCE(&sig_init, o_sig_init); +} + +static int ossl_obj_find_sigid_algs(int signid, int *pdig_nid, int *ppkey_nid, + int lock) { nid_triple tmp; - const nid_triple *rv = NULL; - tmp.sign_id = signid; + const nid_triple *rv; + int idx; - if (sig_app != NULL) { - int idx = sk_nid_triple_find(sig_app, &tmp); - rv = sk_nid_triple_value(sig_app, idx); - } -#ifndef OBJ_XREF_TEST2 + if (signid == NID_undef) + return 0; + + tmp.sign_id = signid; + rv = OBJ_bsearch_sig(&tmp, sigoid_srt, OSSL_NELEM(sigoid_srt)); if (rv == NULL) { - rv = OBJ_bsearch_sig(&tmp, sigoid_srt, OSSL_NELEM(sigoid_srt)); + if (!obj_sig_init()) + return 0; + if (lock && !CRYPTO_THREAD_read_lock(sig_lock)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_READ_LOCK); + return 0; + } + if (sig_app != NULL) { + idx = sk_nid_triple_find(sig_app, &tmp); + if (idx >= 0) + rv = sk_nid_triple_value(sig_app, idx); + } + if (lock) + CRYPTO_THREAD_unlock(sig_lock); + if 
(rv == NULL) + return 0; } -#endif - if (rv == NULL) - return 0; - if (pdig_nid) + + if (pdig_nid != NULL) *pdig_nid = rv->hash_id; - if (ppkey_nid) + if (ppkey_nid != NULL) *ppkey_nid = rv->pkey_id; return 1; } +int OBJ_find_sigid_algs(int signid, int *pdig_nid, int *ppkey_nid) +{ + return ossl_obj_find_sigid_algs(signid, pdig_nid, ppkey_nid, 1); +} + int OBJ_find_sigid_by_algs(int *psignid, int dig_nid, int pkey_nid) { nid_triple tmp; const nid_triple *t = &tmp; - const nid_triple **rv = NULL; + const nid_triple **rv; + int idx; + + /* permitting searches for sig algs without digest: */ + if (pkey_nid == NID_undef) + return 0; tmp.hash_id = dig_nid; tmp.pkey_id = pkey_nid; - if (sigx_app) { - int idx = sk_nid_triple_find(sigx_app, &tmp); - if (idx >= 0) { - t = sk_nid_triple_value(sigx_app, idx); - rv = &t; - } - } -#ifndef OBJ_XREF_TEST2 + rv = OBJ_bsearch_sigx(&t, sigoid_srt_xref, OSSL_NELEM(sigoid_srt_xref)); if (rv == NULL) { - rv = OBJ_bsearch_sigx(&t, sigoid_srt_xref, OSSL_NELEM(sigoid_srt_xref)); + if (!obj_sig_init()) + return 0; + if (!CRYPTO_THREAD_read_lock(sig_lock)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_READ_LOCK); + return 0; + } + if (sigx_app != NULL) { + idx = sk_nid_triple_find(sigx_app, &tmp); + if (idx >= 0) { + t = sk_nid_triple_value(sigx_app, idx); + rv = &t; + } + } + CRYPTO_THREAD_unlock(sig_lock); + if (rv == NULL) + return 0; } -#endif - if (rv == NULL) - return 0; - if (psignid) + + if (psignid != NULL) *psignid = (*rv)->sign_id; return 1; } 
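Review bot: The new sigx_cmp is asymmetric in its arguments — `if ((ret != 0) && ((*b)->hash_id != NID_undef)) return ret;` treats a NID_undef hash on the b side as a wildcard — yet the same function is installed by sk_nid_triple_new(sigx_cmp) and drives both sk_nid_triple_sort and the sk_nid_triple_find in OBJ_find_sigid_by_algs, which need a consistent ordering. Where a registered triple with hash_id NID_undef sorts relative to one with a real digest then depends on which side it lands on during the sort, so a later find can miss entries. A plain two-field comparator for sorting plus a separate match routine for the lookup would avoid this. The comment inside the function also opens on the `/* The "b" side` line with continuation lines below, unlike the `/*` on its own line used by the other comments in this file.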
@@ -95,14 +147,14 @@ int OBJ_find_sigid_by_algs(int *psignid, int dig_nid, int pkey_nid) int OBJ_add_sigid(int signid, int dig_id, int pkey_id) { nid_triple *ntr; - if (sig_app == NULL) - sig_app = sk_nid_triple_new(sig_sk_cmp); - if (sig_app == NULL) + int dnid = NID_undef, pnid = NID_undef, ret = 0; + + if (signid == NID_undef || pkey_id == NID_undef) return 0; - if (sigx_app == NULL) - sigx_app = sk_nid_triple_new(sigx_cmp); - if (sigx_app == NULL) + + if (!obj_sig_init()) return 0; + if ((ntr = OPENSSL_malloc(sizeof(*ntr))) == NULL) { ERR_raise(ERR_LIB_OBJ, ERR_R_MALLOC_FAILURE); return 0; @@ -111,18 +163,49 @@ int OBJ_add_sigid(int signid, int dig_id, int pkey_id) ntr->hash_id = dig_id; ntr->pkey_id = pkey_id; - if (!sk_nid_triple_push(sig_app, ntr)) { + if (!CRYPTO_THREAD_write_lock(sig_lock)) { + ERR_raise(ERR_LIB_OBJ, ERR_R_UNABLE_TO_GET_WRITE_LOCK); OPENSSL_free(ntr); return 0; } - if (!sk_nid_triple_push(sigx_app, ntr)) - return 0; + /* Check that the entry doesn't exist or exists as desired */ + if (ossl_obj_find_sigid_algs(signid, &dnid, &pnid, 0)) { + ret = dnid == dig_id && pnid == pkey_id; + goto err; + } + + if (sig_app == NULL) { + sig_app = sk_nid_triple_new(sig_sk_cmp); + if (sig_app == NULL) + goto err; + } + if (sigx_app == NULL) { + sigx_app = sk_nid_triple_new(sigx_cmp); + if (sigx_app == NULL) + goto err; + } + + /* + * Better might be to find where to insert the element and insert it there. + * This would avoid the sorting steps below. + */ + if (!sk_nid_triple_push(sig_app, ntr)) + goto err; + if (!sk_nid_triple_push(sigx_app, ntr)) { + ntr = NULL; /* This is referenced by sig_app still */ + goto err; + } sk_nid_triple_sort(sig_app); sk_nid_triple_sort(sigx_app); - return 1; + ntr = NULL; + ret = 1; + err: + OPENSSL_free(ntr); + CRYPTO_THREAD_unlock(sig_lock); + return ret; } static void sid_free(nid_triple *tt) 
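Review bot: When `ossl_obj_find_sigid_algs(signid, &dnid, &pnid, 0)` finds an existing mapping that disagrees with the requested (dig_id, pkey_id), `ret = dnid == dig_id && pnid == pkey_id;` makes OBJ_add_sigid return 0 without recording any error reason, so a caller cannot tell a conflicting registration from the lock or allocation failures that do raise. The early `signid == NID_undef || pkey_id == NID_undef` rejection in the preceding hunk is silent in the same way. Raising an ERR_LIB_OBJ reason on the conflict path (e.g. ERR_R_PASSED_INVALID_ARGUMENT, or a more specific one if the library has it) before `goto err` keeps the error queue consistent with the rest of the function.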
@@ -133,7 +216,9 @@ static void sid_free(nid_triple *tt)
void OBJ_sigid_free(void)
{
sk_nid_triple_pop_free(sig_app, sid_free);
- sig_app = NULL;
sk_nid_triple_free(sigx_app);
+ CRYPTO_THREAD_lock_free(sig_lock);
+ sig_app = NULL;
sigx_app = NULL;
+ sig_lock = NULL;
}
diff --git a/crypto/param_build.c b/crypto/param_build.c
index 51c8681f3..4fc6c0319 100644
--- a/crypto/param_build.c
+++ b/crypto/param_build.c
@@ -78,8 +78,10 @@ static int param_push_num(OSSL_PARAM_BLD *bld, const char *key,
{
OSSL_PARAM_BLD_DEF *pd = param_push(bld, key, size, size, type, 0);
- if (pd == NULL)
+ if (pd == NULL) {
+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER);
return 0;
+ }
if (size > sizeof(pd->num)) {
ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_MANY_BYTES);
return 0;
diff --git a/crypto/param_build_set.c b/crypto/param_build_set.c
index 8b570ded9..e26ce1550 100644
--- a/crypto/param_build_set.c
+++ b/crypto/param_build_set.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -73,8 +73,10 @@ int ossl_param_build_set_bn_pad(OSSL_PARAM_BLD *bld, OSSL_PARAM *p,
return OSSL_PARAM_BLD_push_BN_pad(bld, key, bn, sz);
p = OSSL_PARAM_locate(p, key);
if (p != NULL) {
- if (sz > p->data_size)
+ if (sz > p->data_size) {
+ ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_SMALL_BUFFER);
return 0;
+ }
p->data_size = sz;
return OSSL_PARAM_set_BN(p, bn);
}
diff --git a/crypto/params.c b/crypto/params.c
index 5fd1e0028..e046d6408 100644
--- a/crypto/params.c
+++ b/crypto/params.c
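Review bot: OBJ_sigid_free sets `sig_lock = NULL` after CRYPTO_THREAD_lock_free, but the CRYPTO_ONCE `sig_init` that created the lock (earlier hunk in this file) is never reset, so any later OBJ_add_sigid or app-table lookup passes obj_sig_init() and then calls CRYPTO_THREAD_write_lock / CRYPTO_THREAD_read_lock on a NULL lock. Whether that is reachable depends on where OBJ_sigid_free is invoked (library teardown only, presumably), but it is a change from the old behaviour, where the tables were simply recreated on demand. Either document the one-shot contract above the function, `/* Only valid at library cleanup: the tables and lock are not recreated afterwards */`, or have the lookups treat `sig_lock == NULL` as "no application table".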
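Review bot: `ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER)` on `pd == NULL` attributes every param_push failure to a NULL argument, but param_push (outside this hunk) presumably also fails on allocation or on a full builder, and those would now be reported with the wrong reason. Raising at the point of failure inside param_push, or checking `bld == NULL || key == NULL` here before the call and leaving other failures to param_push, keeps the recorded reason accurate.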
@@ -10,10 +10,32 @@ #include #include +#include #include "internal/thread_once.h" #include "internal/numbers.h" #include "internal/endian.h" +/* Shortcuts for raising errors that are widely used */ +#define err_unsigned_negative \ + ERR_raise(ERR_LIB_CRYPTO, \ + CRYPTO_R_PARAM_UNSIGNED_INTEGER_NEGATIVE_VALUE_UNSUPPORTED) +#define err_out_of_range \ + ERR_raise(ERR_LIB_CRYPTO, \ + CRYPTO_R_PARAM_VALUE_TOO_LARGE_FOR_DESTINATION) +#define err_inexact \ + ERR_raise(ERR_LIB_CRYPTO, \ + CRYPTO_R_PARAM_CANNOT_BE_REPRESENTED_EXACTLY) +#define err_not_integer \ + ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_PARAM_NOT_INTEGER_TYPE) +#define err_too_small \ + ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_SMALL_BUFFER) +#define err_bad_type \ + ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_PARAM_OF_INCOMPATIBLE_TYPE) +#define err_null_argument \ + ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER) +#define err_unsupported_real \ + ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_PARAM_UNSUPPORTED_FLOATING_POINT_FORMAT) + /* * Return the number of bits in the mantissa of a double. This is used to * shift a larger integral value to determine if it will exactly fit into a @@ -107,8 +129,10 @@ static int copy_integer(unsigned char *dest, size_t dest_len, * Shortening a signed value must retain the correct sign. * Avoiding this kind of thing: -253 = 0xff03 -> 0x03 = 3 */ - || (signed_int && ((pad ^ src[n]) & 0x80) != 0)) + || (signed_int && ((pad ^ src[n]) & 0x80) != 0)) { + err_out_of_range; return 0; + } memcpy(dest, src + n, dest_len); } } else /* IS_LITTLE_ENDIAN */ { @@ -123,8 +147,10 @@ static int copy_integer(unsigned char *dest, size_t dest_len, * Shortening a signed value must retain the correct sign. * Avoiding this kind of thing: 130 = 0x0082 -> 0x82 = -126 */ - || (signed_int && ((pad ^ src[dest_len - 1]) & 0x80) != 0)) + || (signed_int && ((pad ^ src[dest_len - 1]) & 0x80) != 0)) { + err_out_of_range; return 0; + } memcpy(dest, src, dest_len); } } 
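Review bot: The new shortcut macros are spelled like ordinary lower-case identifiers (`err_out_of_range;`, `err_not_integer;`), so at the call sites in this and the following hunks (general_get_int through OSSL_PARAM_set_double) a statement looks like an unused expression, and constructs such as `else err_not_integer;` in general_set_int and general_set_uint only work because each expansion happens to be a single statement. OpenSSL's convention for macros is upper case, and a function-like form (`err_out_of_range()`, or `ERR_OUT_OF_RANGE()`) keeps the statement nature visible to readers and to tooling that flags bare identifiers as no-op expressions. The macro block could also carry a one-line comment saying they expand to an ERR_raise statement and are meant to be used only as statements.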
@@ -150,8 +176,10 @@ static int signed_from_unsigned(void *dest, size_t dest_len, static int unsigned_from_signed(void *dest, size_t dest_len, const void *src, size_t src_len) { - if (is_negative(src, src_len)) + if (is_negative(src, src_len)) { + err_unsigned_negative; return 0; + } return copy_integer(dest, dest_len, src, src_len, 0, 0); } @@ -169,6 +197,7 @@ static int general_get_int(const OSSL_PARAM *p, void *val, size_t val_size) return signed_from_signed(val, val_size, p->data, p->data_size); if (p->data_type == OSSL_PARAM_UNSIGNED_INTEGER) return signed_from_unsigned(val, val_size, p->data, p->data_size); + err_not_integer; return 0; } @@ -184,6 +213,8 @@ static int general_set_int(OSSL_PARAM *p, void *val, size_t val_size) r = signed_from_signed(p->data, p->data_size, val, val_size); else if (p->data_type == OSSL_PARAM_UNSIGNED_INTEGER) r = unsigned_from_signed(p->data, p->data_size, val, val_size); + else + err_not_integer; p->return_size = r ? p->data_size : val_size; return r; } @@ -195,6 +226,7 @@ static int general_get_uint(const OSSL_PARAM *p, void *val, size_t val_size) return unsigned_from_signed(val, val_size, p->data, p->data_size); if (p->data_type == OSSL_PARAM_UNSIGNED_INTEGER) return unsigned_from_unsigned(val, val_size, p->data, p->data_size); + err_not_integer; return 0; } @@ -210,6 +242,8 @@ static int general_set_uint(OSSL_PARAM *p, void *val, size_t val_size) r = signed_from_unsigned(p->data, p->data_size, val, val_size); else if (p->data_type == OSSL_PARAM_UNSIGNED_INTEGER) r = unsigned_from_unsigned(p->data, p->data_size, val, val_size); + else + err_not_integer; p->return_size = r ? p->data_size : val_size; return r; } @@ -344,8 +378,10 @@ int OSSL_PARAM_get_int32(const OSSL_PARAM *p, int32_t *val) { double d; - if (val == NULL || p == NULL ) + if (val == NULL || p == NULL) { + err_null_argument; return 0; + } if (p->data_type == OSSL_PARAM_INTEGER) { #ifndef OPENSSL_SMALL_FOOTPRINT 
@@ -361,6 +397,7 @@ int OSSL_PARAM_get_int32(const OSSL_PARAM *p, int32_t *val) *val = (int32_t)i64; return 1; } + err_out_of_range; return 0; } #endif @@ -378,6 +415,7 @@ int OSSL_PARAM_get_int32(const OSSL_PARAM *p, int32_t *val) *val = (int32_t)u32; return 1; } + err_out_of_range; return 0; case sizeof(uint64_t): u64 = *(const uint64_t *)p->data; @@ -385,6 +423,7 @@ int OSSL_PARAM_get_int32(const OSSL_PARAM *p, int32_t *val) *val = (int32_t)u64; return 1; } + err_out_of_range; return 0; } #endif @@ -398,16 +437,25 @@ int OSSL_PARAM_get_int32(const OSSL_PARAM *p, int32_t *val) *val = (int32_t)d; return 1; } - break; + err_out_of_range; + return 0; } + err_unsupported_real; + return 0; } + err_bad_type; return 0; } int OSSL_PARAM_set_int32(OSSL_PARAM *p, int32_t val) { - if (p == NULL) + uint32_t u32; + unsigned int shift; + + if (p == NULL) { + err_null_argument; return 0; + } p->return_size = 0; if (p->data_type == OSSL_PARAM_INTEGER) { #ifndef OPENSSL_SMALL_FOOTPRINT @@ -447,10 +495,21 @@ int OSSL_PARAM_set_int32(OSSL_PARAM *p, int32_t val) return 1; switch (p->data_size) { case sizeof(double): + shift = real_shift(); + if (shift < 8 * sizeof(val) - 1) { + u32 = val < 0 ? -val : val; + if ((u32 >> shift) != 0) { + err_inexact; + return 0; + } + } *(double *)p->data = (double)val; return 1; } + err_unsupported_real; + return 0; } + err_bad_type; return 0; } @@ -464,8 +523,10 @@ int OSSL_PARAM_get_uint32(const OSSL_PARAM *p, uint32_t *val) { double d; - if (val == NULL || p == NULL) + if (val == NULL || p == NULL) { + err_null_argument; return 0; + } if (p->data_type == OSSL_PARAM_UNSIGNED_INTEGER) { #ifndef OPENSSL_SMALL_FOOTPRINT @@ -481,6 +542,7 @@ int OSSL_PARAM_get_uint32(const OSSL_PARAM *p, uint32_t *val) *val = (uint32_t)u64; return 1; } + err_out_of_range; return 0; } #endif 
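Review bot: In OSSL_PARAM_get_int32 the double case's fall-through now raises `err_out_of_range`, while the same position in OSSL_PARAM_get_uint32, OSSL_PARAM_get_int64 and OSSL_PARAM_get_uint64 raises `err_inexact`. The condition guarding the case is outside the hunk, so I cannot tell which reason is accurate here, but the four getters should agree; if the guard covers both integrality and range, aligning with the sibling getters' choice is the simplest fix.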
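Review bot: `u32 = val < 0 ? -val : val;` negates an int32_t, which is undefined behaviour for val == INT32_MIN (the result does not fit), and the preceding `shift < 8 * sizeof(val) - 1` guard does not exclude that value. Negate in unsigned arithmetic instead: `u32 = val < 0 ? 0U - (uint32_t)val : (uint32_t)val;`. The corresponding check in OSSL_PARAM_set_uint32 is unaffected because val is already unsigned there.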
@@ -497,6 +559,7 @@ int OSSL_PARAM_get_uint32(const OSSL_PARAM *p, uint32_t *val) *val = i32; return 1; } + err_unsigned_negative; return 0; case sizeof(int64_t): i64 = *(const int64_t *)p->data; @@ -504,6 +567,10 @@ int OSSL_PARAM_get_uint32(const OSSL_PARAM *p, uint32_t *val) *val = (uint32_t)i64; return 1; } + if (i64 < 0) + err_unsigned_negative; + else + err_out_of_range; return 0; } #endif @@ -516,16 +583,24 @@ int OSSL_PARAM_get_uint32(const OSSL_PARAM *p, uint32_t *val) *val = (uint32_t)d; return 1; } - break; + err_inexact; + return 0; } + err_unsupported_real; + return 0; } + err_bad_type; return 0; } int OSSL_PARAM_set_uint32(OSSL_PARAM *p, uint32_t val) { - if (p == NULL) + unsigned int shift; + + if (p == NULL) { + err_null_argument; return 0; + } p->return_size = 0; if (p->data_type == OSSL_PARAM_UNSIGNED_INTEGER) { @@ -555,6 +630,7 @@ int OSSL_PARAM_set_uint32(OSSL_PARAM *p, uint32_t val) *(int32_t *)p->data = (int32_t)val; return 1; } + err_out_of_range; return 0; case sizeof(int64_t): p->return_size = sizeof(int64_t); @@ -569,10 +645,18 @@ int OSSL_PARAM_set_uint32(OSSL_PARAM *p, uint32_t val) return 1; switch (p->data_size) { case sizeof(double): + shift = real_shift(); + if (shift < 8 * sizeof(val) && (val >> shift) != 0) { + err_inexact; + return 0; + } *(double *)p->data = (double)val; return 1; } + err_unsupported_real; + return 0; } + err_bad_type; return 0; } @@ -586,8 +670,10 @@ int OSSL_PARAM_get_int64(const OSSL_PARAM *p, int64_t *val) { double d; - if (val == NULL || p == NULL ) + if (val == NULL || p == NULL) { + err_null_argument; return 0; + } if (p->data_type == OSSL_PARAM_INTEGER) { #ifndef OPENSSL_SMALL_FOOTPRINT @@ -615,6 +701,7 @@ int OSSL_PARAM_get_int64(const OSSL_PARAM *p, int64_t *val) *val = (int64_t)u64; return 1; } + err_out_of_range; return 0; } #endif 
@@ -634,9 +721,13 @@ int OSSL_PARAM_get_int64(const OSSL_PARAM *p, int64_t *val) *val = (int64_t)d; return 1; } - break; + err_inexact; + return 0; } + err_unsupported_real; + return 0; } + err_bad_type; return 0; } @@ -644,8 +735,10 @@ int OSSL_PARAM_set_int64(OSSL_PARAM *p, int64_t val) { uint64_t u64; - if (p == NULL) + if (p == NULL) { + err_null_argument; return 0; + } p->return_size = 0; if (p->data_type == OSSL_PARAM_INTEGER) { #ifndef OPENSSL_SMALL_FOOTPRINT @@ -659,6 +752,7 @@ int OSSL_PARAM_set_int64(OSSL_PARAM *p, int64_t val) *(int32_t *)p->data = (int32_t)val; return 1; } + err_out_of_range; return 0; case sizeof(int64_t): *(int64_t *)p->data = val; @@ -678,6 +772,7 @@ int OSSL_PARAM_set_int64(OSSL_PARAM *p, int64_t val) *(uint32_t *)p->data = (uint32_t)val; return 1; } + err_out_of_range; return 0; case sizeof(uint64_t): *(uint64_t *)p->data = (uint64_t)val; @@ -696,9 +791,13 @@ int OSSL_PARAM_set_int64(OSSL_PARAM *p, int64_t val) *(double *)p->data = (double)val; return 1; } - break; + err_inexact; + return 0; } + err_unsupported_real; + return 0; } + err_bad_type; return 0; } @@ -711,8 +810,10 @@ int OSSL_PARAM_get_uint64(const OSSL_PARAM *p, uint64_t *val) { double d; - if (val == NULL || p == NULL) + if (val == NULL || p == NULL) { + err_null_argument; return 0; + } if (p->data_type == OSSL_PARAM_UNSIGNED_INTEGER) { #ifndef OPENSSL_SMALL_FOOTPRINT @@ -738,6 +839,7 @@ int OSSL_PARAM_get_uint64(const OSSL_PARAM *p, uint64_t *val) *val = (uint64_t)i32; return 1; } + err_unsigned_negative; return 0; case sizeof(int64_t): i64 = *(const int64_t *)p->data; @@ -745,6 +847,7 @@ int OSSL_PARAM_get_uint64(const OSSL_PARAM *p, uint64_t *val) *val = (uint64_t)i64; return 1; } + err_unsigned_negative; return 0; } #endif 
@@ -764,16 +867,22 @@ int OSSL_PARAM_get_uint64(const OSSL_PARAM *p, uint64_t *val) *val = (uint64_t)d; return 1; } - break; + err_inexact; + return 0; } + err_unsupported_real; + return 0; } + err_bad_type; return 0; } int OSSL_PARAM_set_uint64(OSSL_PARAM *p, uint64_t val) { - if (p == NULL) + if (p == NULL) { + err_null_argument; return 0; + } p->return_size = 0; if (p->data_type == OSSL_PARAM_UNSIGNED_INTEGER) { @@ -788,6 +897,7 @@ int OSSL_PARAM_set_uint64(OSSL_PARAM *p, uint64_t val) *(uint32_t *)p->data = (uint32_t)val; return 1; } + err_out_of_range; return 0; case sizeof(uint64_t): *(uint64_t *)p->data = val; @@ -807,12 +917,14 @@ int OSSL_PARAM_set_uint64(OSSL_PARAM *p, uint64_t val) *(int32_t *)p->data = (int32_t)val; return 1; } + err_out_of_range; return 0; case sizeof(int64_t): if (val <= INT64_MAX) { *(int64_t *)p->data = (int64_t)val; return 1; } + err_out_of_range; return 0; } #endif @@ -825,9 +937,13 @@ int OSSL_PARAM_set_uint64(OSSL_PARAM *p, uint64_t val) *(double *)p->data = (double)val; return 1; } - break; + err_inexact; + return 0; } + err_unsupported_real; + return 0; } + err_bad_type; return 0; } @@ -904,16 +1020,21 @@ int OSSL_PARAM_get_BN(const OSSL_PARAM *p, BIGNUM **val) { BIGNUM *b; - if (val == NULL - || p == NULL - || p->data_type != OSSL_PARAM_UNSIGNED_INTEGER) + if (val == NULL || p == NULL) { + err_null_argument; return 0; + } + if (p->data_type != OSSL_PARAM_UNSIGNED_INTEGER) { + err_bad_type; + return 0; + } b = BN_native2bn(p->data, (int)p->data_size, *val); if (b != NULL) { *val = b; return 1; } + ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); return 0; } 
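Review bot: After `BN_native2bn` fails, OSSL_PARAM_get_BN now raises ERR_R_MALLOC_FAILURE unconditionally; if BN_native2bn already records its own failure (as the BN allocation paths generally do) this adds a duplicate entry, and if it can fail for a non-allocation reason the reason is wrong. Consider dropping the raise here, or keeping it only if the helper is known to be silent, with a comment such as `/* BN_native2bn does not raise on failure */` to justify it.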
@@ -921,15 +1042,25 @@ int OSSL_PARAM_set_BN(OSSL_PARAM *p, const BIGNUM *val) { size_t bytes; - if (p == NULL) + if (p == NULL) { + err_null_argument; return 0; + } p->return_size = 0; - if (val == NULL || p->data_type != OSSL_PARAM_UNSIGNED_INTEGER) + if (val == NULL) { + err_null_argument; + return 0; + } + if (p->data_type != OSSL_PARAM_UNSIGNED_INTEGER) { + err_bad_type; return 0; + } /* For the moment, only positive values are permitted */ - if (BN_is_negative(val)) + if (BN_is_negative(val)) { + err_unsigned_negative; return 0; + } bytes = (size_t)BN_num_bytes(val); /* We make sure that at least one byte is used, so zero is properly set */ @@ -941,8 +1072,12 @@ int OSSL_PARAM_set_BN(OSSL_PARAM *p, const BIGNUM *val) return 1; if (p->data_size >= bytes) { p->return_size = p->data_size; - return BN_bn2nativepad(val, p->data, p->data_size) >= 0; + if (BN_bn2nativepad(val, p->data, p->data_size) >= 0) + return 1; + ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_INTEGER_OVERFLOW); + return 0; } + err_too_small; return 0; } @@ -958,8 +1093,10 @@ int OSSL_PARAM_get_double(const OSSL_PARAM *p, double *val) int64_t i64; uint64_t u64; - if (val == NULL || p == NULL) + if (val == NULL || p == NULL) { + err_null_argument; return 0; + } if (p->data_type == OSSL_PARAM_REAL) { switch (p->data_size) { @@ -967,6 +1104,8 @@ int OSSL_PARAM_get_double(const OSSL_PARAM *p, double *val) *val = *(const double *)p->data; return 1; } + err_unsupported_real; + return 0; } else if (p->data_type == OSSL_PARAM_UNSIGNED_INTEGER) { switch (p->data_size) { case sizeof(uint32_t): @@ -978,7 +1117,8 @@ int OSSL_PARAM_get_double(const OSSL_PARAM *p, double *val) *val = (double)u64; return 1; } - break; + err_inexact; + return 0; } } else if (p->data_type == OSSL_PARAM_INTEGER) { switch (p->data_size) { 
@@ -992,16 +1132,20 @@ int OSSL_PARAM_get_double(const OSSL_PARAM *p, double *val) *val = 0.0 + i64; return 1; } - break; + err_inexact; + return 0; } } + err_bad_type; return 0; } int OSSL_PARAM_set_double(OSSL_PARAM *p, double val) { - if (p == NULL) + if (p == NULL) { + err_null_argument; return 0; + } p->return_size = 0; if (p->data_type == OSSL_PARAM_REAL) { @@ -1013,11 +1157,16 @@ int OSSL_PARAM_set_double(OSSL_PARAM *p, double val) *(double *)p->data = val; return 1; } - } else if (p->data_type == OSSL_PARAM_UNSIGNED_INTEGER - && val == (uint64_t)val) { + err_unsupported_real; + return 0; + } else if (p->data_type == OSSL_PARAM_UNSIGNED_INTEGER) { p->return_size = sizeof(double); if (p->data == NULL) return 1; + if (val != (uint64_t)val) { + err_inexact; + return 0; + } switch (p->data_size) { case sizeof(uint32_t): if (val >= 0 && val <= UINT32_MAX) { @@ -1025,7 +1174,8 @@ int OSSL_PARAM_set_double(OSSL_PARAM *p, double val) *(uint32_t *)p->data = (uint32_t)val; return 1; } - break; + err_out_of_range; + return 0; case sizeof(uint64_t): if (val >= 0 /* @@ -1038,11 +1188,17 @@ int OSSL_PARAM_set_double(OSSL_PARAM *p, double val) *(uint64_t *)p->data = (uint64_t)val; return 1; } - break; } - } else if (p->data_type == OSSL_PARAM_INTEGER && val == (int64_t)val) { + err_out_of_range; + return 0; + } + } else if (p->data_type == OSSL_PARAM_INTEGER) { p->return_size = sizeof(double); if (p->data == NULL) return 1; + if (val != (int64_t)val) { + err_inexact; + return 0; + } switch (p->data_size) { case sizeof(int32_t): if (val >= INT32_MIN && val <= INT32_MAX) { @@ -1050,7 +1206,8 @@ int OSSL_PARAM_set_double(OSSL_PARAM *p, double val) *(int32_t *)p->data = (int32_t)val; return 1; } - break; + err_out_of_range; + return 0; case sizeof(int64_t): if (val >= INT64_MIN /* @@ -1063,9 +1220,11 @@ int OSSL_PARAM_set_double(OSSL_PARAM *p, double val) *(int64_t *)p->data = (int64_t)val; return 1; } - break; + err_out_of_range; + return 0; } } + err_bad_type; return 0; } 
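Review bot: The relocated check `if (val != (uint64_t)val)` in the OSSL_PARAM_UNSIGNED_INTEGER branch (and `val != (int64_t)val` in the INTEGER branch of the next hunk) converts the double before any range check, and converting a negative, NaN or >= 2^64 double to uint64_t is undefined behaviour in C; the original `else if` had the same expression, so this is inherited, but the rewrite is the place to fix it. Range-check first, e.g. `if (val < 0 || val >= 18446744073709551616.0 || val != (double)(uint64_t)val)` for the unsigned branch and the INT64_MIN..INT64_MAX equivalent for the signed one, keeping the `err_inexact` / `err_out_of_range` reasons as already chosen.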
@@ -1080,8 +1239,14 @@ static int get_string_internal(const OSSL_PARAM *p, void **val, { size_t sz, alloc_sz; - if ((val == NULL && used_len == NULL) || p == NULL || p->data_type != type) + if ((val == NULL && used_len == NULL) || p == NULL) { + err_null_argument; + return 0; + } + if (p->data_type != type) { + err_bad_type; return 0; + } sz = p->data_size; /* @@ -1093,8 +1258,10 @@ static int get_string_internal(const OSSL_PARAM *p, void **val, if (used_len != NULL) *used_len = sz; - if (p->data == NULL) + if (p->data == NULL) { + err_null_argument; return 0; + } if (val == NULL) return 1; @@ -1102,14 +1269,18 @@ static int get_string_internal(const OSSL_PARAM *p, void **val, if (*val == NULL) { char *const q = OPENSSL_malloc(alloc_sz); - if (q == NULL) + if (q == NULL) { + ERR_raise(ERR_LIB_CRYPTO, ERR_R_MALLOC_FAILURE); return 0; + } *val = q; *max_len = alloc_sz; } - if (*max_len < sz) + if (*max_len < sz) { + err_too_small; return 0; + } memcpy(*val, p->data, sz); return 1; } @@ -1136,8 +1307,10 @@ int OSSL_PARAM_get_utf8_string(const OSSL_PARAM *p, char **val, size_t max_len) return 0; if (data_length >= max_len) data_length = OPENSSL_strnlen(p->data, data_length); - if (data_length >= max_len) + if (data_length >= max_len) { + ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_NO_SPACE_FOR_TERMINATING_NULL); return 0; /* No space for a terminating NUL byte */ + } (*val)[data_length] = '\0'; return ret; @@ -1156,8 +1329,14 @@ static int set_string_internal(OSSL_PARAM *p, const void *val, size_t len, p->return_size = len; if (p->data == NULL) return 1; - if (p->data_type != type || p->data_size < len) + if (p->data_type != type) { + err_bad_type; return 0; + } + if (p->data_size < len) { + err_too_small; + return 0; + } memcpy(p->data, val, len); /* If possible within the size of p->data, add a NUL terminator byte */ 
@@ -1168,24 +1347,32 @@ static int set_string_internal(OSSL_PARAM *p, const void *val, size_t len, int OSSL_PARAM_set_utf8_string(OSSL_PARAM *p, const char *val) { - if (p == NULL) + if (p == NULL) { + err_null_argument; return 0; + } p->return_size = 0; - if (val == NULL) + if (val == NULL) { + err_null_argument; return 0; + } return set_string_internal(p, val, strlen(val), OSSL_PARAM_UTF8_STRING); } int OSSL_PARAM_set_octet_string(OSSL_PARAM *p, const void *val, size_t len) { - if (p == NULL) + if (p == NULL) { + err_null_argument; return 0; + } p->return_size = 0; - if (val == NULL) + if (val == NULL) { + err_null_argument; return 0; + } return set_string_internal(p, val, len, OSSL_PARAM_OCTET_STRING); } @@ -1206,8 +1393,14 @@ OSSL_PARAM OSSL_PARAM_construct_octet_string(const char *key, void *buf, static int get_ptr_internal(const OSSL_PARAM *p, const void **val, size_t *used_len, unsigned int type) { - if (val == NULL || p == NULL || p->data_type != type) + if (val == NULL || p == NULL) { + err_null_argument; + return 0; + } + if (p->data_type != type) { + err_bad_type; return 0; + } if (used_len != NULL) *used_len = p->data_size; *val = *(const void **)p->data; @@ -1229,8 +1422,10 @@ static int set_ptr_internal(OSSL_PARAM *p, const void *val, unsigned int type, size_t len) { p->return_size = len; - if (p->data_type != type) + if (p->data_type != type) { + err_bad_type; return 0; + } if (p->data != NULL) *(const void **)p->data = val; return 1; @@ -1238,8 +1433,10 @@ static int set_ptr_internal(OSSL_PARAM *p, const void *val, int OSSL_PARAM_set_utf8_ptr(OSSL_PARAM *p, const char *val) { - if (p == NULL) + if (p == NULL) { + err_null_argument; return 0; + } p->return_size = 0; return set_ptr_internal(p, val, OSSL_PARAM_UTF8_PTR, val == NULL ? 0 : strlen(val)); 
@@ -1248,8 +1445,10 @@ int OSSL_PARAM_set_utf8_ptr(OSSL_PARAM *p, const char *val) int OSSL_PARAM_set_octet_ptr(OSSL_PARAM *p, const void *val, size_t used_len) { - if (p == NULL) + if (p == NULL) { + err_null_argument; return 0; + } p->return_size = 0; return set_ptr_internal(p, val, OSSL_PARAM_OCTET_PTR, used_len); } @@ -1276,8 +1475,14 @@ OSSL_PARAM OSSL_PARAM_construct_end(void) static int get_string_ptr_internal(const OSSL_PARAM *p, const void **val, size_t *used_len, unsigned int type) { - if (val == NULL || p == NULL || p->data_type != type) + if (val == NULL || p == NULL) { + err_null_argument; + return 0; + } + if (p->data_type != type) { + err_bad_type; return 0; + } if (used_len != NULL) *used_len = p->data_size; *val = p->data; @@ -1286,14 +1491,25 @@ static int get_string_ptr_internal(const OSSL_PARAM *p, const void **val, int OSSL_PARAM_get_utf8_string_ptr(const OSSL_PARAM *p, const char **val) { - return OSSL_PARAM_get_utf8_ptr(p, val) - || get_string_ptr_internal(p, (const void **)val, NULL, - OSSL_PARAM_UTF8_STRING); + int rv; + + ERR_set_mark(); + rv = OSSL_PARAM_get_utf8_ptr(p, val); + ERR_pop_to_mark(); + + return rv || get_string_ptr_internal(p, (const void **)val, NULL, + OSSL_PARAM_UTF8_STRING); } int OSSL_PARAM_get_octet_string_ptr(const OSSL_PARAM *p, const void **val, size_t *used_len) { - return OSSL_PARAM_get_octet_ptr(p, val, used_len) - || get_string_ptr_internal(p, val, used_len, OSSL_PARAM_OCTET_STRING); + int rv; + + ERR_set_mark(); + rv = OSSL_PARAM_get_octet_ptr(p, val, used_len); + ERR_pop_to_mark(); + + return rv || get_string_ptr_internal(p, val, used_len, + OSSL_PARAM_OCTET_STRING); } diff --git a/crypto/params_dup.c b/crypto/params_dup.c index bc1546fc5..fd4764a7c 100644 --- a/crypto/params_dup.c +++ b/crypto/params_dup.c 
@@ -105,8 +105,10 @@ OSSL_PARAM *OSSL_PARAM_dup(const OSSL_PARAM *src)
OSSL_PARAM *last, *dst;
int param_count = 1; /* Include terminator in the count */
- if (src == NULL)
+ if (src == NULL) {
+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER);
return NULL;
+ }
memset(buf, 0, sizeof(buf));
@@ -154,8 +156,10 @@ OSSL_PARAM *OSSL_PARAM_merge(const OSSL_PARAM *p1, const OSSL_PARAM *p2)
size_t list1_sz = 0, list2_sz = 0;
int diff;
- if (p1 == NULL && p2 == NULL)
+ if (p1 == NULL && p2 == NULL) {
+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER);
return NULL;
+ }
/* Copy p1 to list1 */
if (p1 != NULL) {
@@ -170,8 +174,10 @@ OSSL_PARAM *OSSL_PARAM_merge(const OSSL_PARAM *p1, const OSSL_PARAM *p2)
list2[list2_sz++] = p;
}
list2[list2_sz] = NULL;
- if (list1_sz == 0 && list2_sz == 0)
+ if (list1_sz == 0 && list2_sz == 0) {
+ ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_NO_PARAMS_TO_MERGE);
return NULL;
+ }
/* Sort the 2 lists */
qsort(list1, list1_sz, sizeof(OSSL_PARAM *), compare_params);
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index 3e76852c6..75a8bb3c1 100644
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/perlasm/arm-xlate.pl b/crypto/perlasm/arm-xlate.pl
index a90885905..6648beae4 100755
--- a/crypto/perlasm/arm-xlate.pl
+++ b/crypto/perlasm/arm-xlate.pl
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -22,6 +22,7 @@ ################################################################ my $arch = sub { if ($flavour =~ /linux/) { ".arch\t".join(',',@_); } + elsif ($flavour =~ /win64/) { ".arch\t".join(',',@_); } else { ""; } }; my $fpu = sub { @@ -37,6 +38,7 @@ }; my $hidden = sub { if ($flavour =~ /ios/) { ".private_extern\t".join(',',@_); } + elsif ($flavour =~ /win64/) { ""; } else { ".hidden\t".join(',',@_); } }; my $comm = sub { @@ -85,6 +87,15 @@ "#endif"; } } + elsif ($flavour =~ /win64/) { if (join(',',@_) =~ /(\w+),%function/) { + # See https://sourceware.org/binutils/docs/as/Pseudo-Ops.html + # Per https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#coff-symbol-table, + # the type for functions is 0x20, or 32. + ".def $1\n". + " .type 32\n". + ".endef"; + } + } else { ""; } }; my $size = sub { diff --git a/crypto/perlasm/ppc-xlate.pl b/crypto/perlasm/ppc-xlate.pl index 2ee444045..249435f56 100755 --- a/crypto/perlasm/ppc-xlate.pl +++ b/crypto/perlasm/ppc-xlate.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -293,6 +293,14 @@ sub vsxmem_op { $dm = oct($dm) if ($dm =~ /^0/); " .long ".sprintf "0x%X",(60<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|($dm<<8)|(10<<3)|7; }; +my $vxxlor = sub { # xxlor + my ($f, $vrt, $vra, $vrb) = @_; + " .long ".sprintf "0x%X",(60<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|(146<<3)|6; +}; +my $vxxlorc = sub { # xxlor + my ($f, $vrt, $vra, $vrb) = @_; + " .long ".sprintf "0x%X",(60<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|(146<<3)|1; +}; # PowerISA 2.07 stuff sub vcrypto_op { 
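Review bot: The win64 branch emits `.def $1 / .type 32 / .endef` without a storage class; the COFF symbol-table section linked in the comment treats storage class and type as separate fields, and toolchains emitting this sequence for a global function conventionally include `.scl 2` (external) between `.def` and `.type`. If the assembler's default storage class is not external the symbol may end up in the object but not exported, so this is worth confirming against a produced object and adding `.scl 2` if needed. The enclosing closure starts above this hunk.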
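Review bot: `$vxxlor` and `$vxxlorc` carry the identical trailing comment `# xxlor` although they emit different encodings (the low bits differ, `|6` versus `|1`, which in this instruction form appear to select which register halves the operands come from), so a reader cannot tell what the second helper is for or why both exist. Give each a comment that names the mnemonic and the operand/register variant it encodes, and if the `c` suffix has a meaning, spell it out. The preceding `vsxmem_op` definition ends just above this hunk.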
@@ -377,6 +385,15 @@ sub vfour_vsr { }; my $vmsumudm = sub { vfour_vsr(@_, 35); }; +# PowerISA 3.1 stuff +my $brd = sub { + my ($f, $ra, $rs) = @_; + " .long ".sprintf "0x%X",(31<<26)|($rs<<21)|($ra<<16)|(187<<1); +}; +my $vsrq = sub { vcrypto_op(@_, 517); }; + + + while($line=<>) { $line =~ s|[#!;].*$||; # get rid of asm-style comments... diff --git a/crypto/perlasm/x86_64-xlate.pl b/crypto/perlasm/x86_64-xlate.pl index 1830b2556..359670a2d 100755 --- a/crypto/perlasm/x86_64-xlate.pl +++ b/crypto/perlasm/x86_64-xlate.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -811,7 +811,7 @@ } last; }; - /\.rva|\.long|\.quad/ + /\.rva|\.long|\.quad|\.byte/ && do { $$line =~ s/([_a-z][_a-z0-9]*)/$globals{$1} or $1/gei; $$line =~ s/\.L/$decor/g; last; diff --git a/crypto/pkcs7/bio_pk7.c b/crypto/pkcs7/bio_pk7.c index 414f0da1c..5503b95f7 100644 --- a/crypto/pkcs7/bio_pk7.c +++ b/crypto/pkcs7/bio_pk7.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,11 +11,6 @@ #include #include -#if !defined(OPENSSL_SYS_VXWORKS) -# include -#endif -#include - /* Streaming encode support for PKCS#7 */ BIO *BIO_new_PKCS7(BIO *out, PKCS7 *p7) diff --git a/crypto/pkcs7/pk7_asn1.c b/crypto/pkcs7/pk7_asn1.c index 1cd867721..5a08f8dbc 100644 --- a/crypto/pkcs7/pk7_asn1.c +++ b/crypto/pkcs7/pk7_asn1.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -41,7 +41,7 @@ static int pk7_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, case ASN1_OP_STREAM_PRE: if (PKCS7_stream(&sarg->boundary, *pp7) <= 0) return 0; - /* fall thru */ + /* fall through */ case ASN1_OP_DETACHED_PRE: sarg->ndef_bio = PKCS7_dataInit(*pp7, sarg->out); if (!sarg->ndef_bio) diff --git a/crypto/poly1305/asm/poly1305-armv8.pl b/crypto/poly1305/asm/poly1305-armv8.pl index 113a2151b..985347c08 100755 --- a/crypto/poly1305/asm/poly1305-armv8.pl +++ b/crypto/poly1305/asm/poly1305-armv8.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -72,6 +72,7 @@ .type poly1305_init,%function .align 5 poly1305_init: + AARCH64_VALID_CALL_TARGET cmp $inp,xzr stp xzr,xzr,[$ctx] // zero hash value stp xzr,xzr,[$ctx,#16] // [along with is_base2_26] @@ -85,7 +86,7 @@ ldp $r0,$r1,[$inp] // load key mov $s1,#0xfffffffc0fffffff movk $s1,#0x0fff,lsl#48 -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev $r0,$r0 // flip bytes rev $r1,$r1 #endif @@ -119,6 +120,9 @@ .align 5 poly1305_blocks: .Lpoly1305_blocks: + // The symbol .Lpoly1305_blocks is not a .globl symbol + // but a pointer to it is returned by poly1305_init + AARCH64_VALID_CALL_TARGET ands $len,$len,#-16 b.eq .Lno_data @@ -132,7 +136,7 @@ .Loop: ldp $t0,$t1,[$inp],#16 // load input sub $len,$len,#16 -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev $t0,$t0 rev $t1,$t1 #endif 
@@ -184,6 +188,9 @@ .align 5 poly1305_emit: .Lpoly1305_emit: + // The symbol .poly1305_emit is not a .globl symbol + // but a pointer to it is returned by poly1305_init + AARCH64_VALID_CALL_TARGET ldp $h0,$h1,[$ctx] // load hash base 2^64 ldr $h2,[$ctx,#16] ldp $t0,$t1,[$nonce] // load nonce @@ -197,13 +204,13 @@ csel $h0,$h0,$d0,eq csel $h1,$h1,$d1,eq -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror $t0,$t0,#32 // flip nonce words ror $t1,$t1,#32 #endif adds $h0,$h0,$t0 // accumulate nonce adc $h1,$h1,$t1 -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev $h0,$h0 // flip output bytes rev $h1,$h1 #endif @@ -291,13 +298,16 @@ .align 5 poly1305_blocks_neon: .Lpoly1305_blocks_neon: + // The symbol .Lpoly1305_blocks_neon is not a .globl symbol + // but a pointer to it is returned by poly1305_init + AARCH64_VALID_CALL_TARGET ldr $is_base2_26,[$ctx,#24] cmp $len,#128 b.hs .Lblocks_neon cbz $is_base2_26,.Lpoly1305_blocks .Lblocks_neon: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-80]! add x29,sp,#0 @@ -335,7 +345,7 @@ adcs $h1,$h1,xzr adc $h2,$h2,xzr -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev $d0,$d0 rev $d1,$d1 #endif @@ -381,7 +391,7 @@ ldp $d0,$d1,[$inp],#16 // load input sub $len,$len,#16 add $s1,$r1,$r1,lsr#2 // s1 = r1 + (r1 >> 2) -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev $d0,$d0 rev $d1,$d1 #endif @@ -466,7 +476,7 @@ lsl $padbit,$padbit,#24 add x15,$ctx,#48 -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev x8,x8 rev x12,x12 rev x9,x9 @@ -502,7 +512,7 @@ ld1 {$S2,$R3,$S3,$R4},[x15],#64 ld1 {$S4},[x15] -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev x8,x8 rev x12,x12 rev x9,x9 @@ -563,7 +573,7 @@ umull $ACC1,$IN23_0,${R1}[2] ldp x9,x13,[$in2],#48 umull $ACC0,$IN23_0,${R0}[2] -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev x8,x8 rev x12,x12 rev x9,x9 @@ -628,7 +638,7 @@ umlal $ACC4,$IN01_2,${R2}[0] umlal $ACC1,$IN01_2,${S4}[0] umlal $ACC2,$IN01_2,${R0}[0] -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev x8,x8 rev x12,x12 rev x9,x9 
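Review bot: The comment above the new AARCH64_VALID_CALL_TARGET in poly1305_emit names `.poly1305_emit`, but the label on the preceding line is `.Lpoly1305_emit` (the other instances in this file spell their label correctly); change it to `// The symbol .Lpoly1305_emit is not a .globl symbol`. These landing pads are what make the function pointers returned by poly1305_init valid indirect-branch targets under BTI, so accurate comments here help anyone auditing where the pads are placed.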
@@ -867,7 +877,7 @@ .Lno_data_neon: ldr x29,[sp],#80 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size poly1305_blocks_neon,.-poly1305_blocks_neon @@ -875,6 +885,9 @@ .align 5 poly1305_emit_neon: .Lpoly1305_emit_neon: + // The symbol .Lpoly1305_emit_neon is not a .globl symbol + // but a pointer to it is returned by poly1305_init + AARCH64_VALID_CALL_TARGET ldr $is_base2_26,[$ctx,#24] cbz $is_base2_26,poly1305_emit @@ -909,13 +922,13 @@ csel $h0,$h0,$d0,eq csel $h1,$h1,$d1,eq -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror $t0,$t0,#32 // flip nonce words ror $t1,$t1,#32 #endif adds $h0,$h0,$t0 // accumulate nonce adc $h1,$h1,$t1 -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev $h0,$h0 // flip output bytes rev $h1,$h1 #endif diff --git a/crypto/ppccap.c b/crypto/ppccap.c index 8bcfed25e..e22056716 100644 --- a/crypto/ppccap.c +++ b/crypto/ppccap.c @@ -1,5 +1,5 @@ /* - * Copyright 2009-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -45,6 +45,7 @@ void OPENSSL_ppc64_probe(void); void OPENSSL_altivec_probe(void); void OPENSSL_crypto207_probe(void); void OPENSSL_madd300_probe(void); +void OPENSSL_brd31_probe(void); long OPENSSL_rdtsc_mftb(void); long OPENSSL_rdtsc_mfspr268(void); 
@@ -117,16 +118,21 @@ static unsigned long getauxval(unsigned long key) #endif /* I wish was universally available */ -#define HWCAP 16 /* AT_HWCAP */ +#ifndef AT_HWCAP +# define AT_HWCAP 16 /* AT_HWCAP */ +#endif #define HWCAP_PPC64 (1U << 30) #define HWCAP_ALTIVEC (1U << 28) #define HWCAP_FPU (1U << 27) #define HWCAP_POWER6_EXT (1U << 9) #define HWCAP_VSX (1U << 7) -#define HWCAP2 26 /* AT_HWCAP2 */ +#ifndef AT_HWCAP2 +# define AT_HWCAP2 26 /* AT_HWCAP2 */ +#endif #define HWCAP_VEC_CRYPTO (1U << 25) #define HWCAP_ARCH_3_00 (1U << 23) +#define HWCAP_ARCH_3_1 (1U << 18) # if defined(__GNUC__) && __GNUC__>=2 __attribute__ ((constructor)) @@ -187,6 +193,9 @@ void OPENSSL_cpuid_setup(void) if (__power_set(0xffffffffU<<17)) /* POWER9 and later */ OPENSSL_ppccap_P |= PPC_MADD300; + if (__power_set(0xffffffffU<<18)) /* POWER10 and later */ + OPENSSL_ppccap_P |= PPC_BRD31; + return; # endif #endif @@ -215,8 +224,8 @@ void OPENSSL_cpuid_setup(void) #ifdef OSSL_IMPLEMENT_GETAUXVAL { - unsigned long hwcap = getauxval(HWCAP); - unsigned long hwcap2 = getauxval(HWCAP2); + unsigned long hwcap = getauxval(AT_HWCAP); + unsigned long hwcap2 = getauxval(AT_HWCAP2); if (hwcap & HWCAP_FPU) { OPENSSL_ppccap_P |= PPC_FPU; @@ -242,6 +251,10 @@ void OPENSSL_cpuid_setup(void) if (hwcap2 & HWCAP_ARCH_3_00) { OPENSSL_ppccap_P |= PPC_MADD300; } + + if (hwcap2 & HWCAP_ARCH_3_1) { + OPENSSL_ppccap_P |= PPC_BRD31; + } } #endif diff --git a/crypto/ppccpuid.pl b/crypto/ppccpuid.pl index c6555df5d..2814e72f5 100755 --- a/crypto/ppccpuid.pl +++ b/crypto/ppccpuid.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
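Review bot: In the ppccap.c hunk at -117 the trailing comments `/* AT_HWCAP */` and `/* AT_HWCAP2 */` now merely repeat the macro name they sit on, since the macros were renamed from HWCAP/HWCAP2 to AT_HWCAP/AT_HWCAP2 and wrapped in `#ifndef` guards. Replace them with the reason the fallback exists, e.g. `# define AT_HWCAP 16 /* fallback for platforms lacking the auxv header */`, which is what the preceding "I wish ... was universally available" comment refers to. The POWER10 additions (`HWCAP_ARCH_3_1`, the `__power_set(0xffffffffU<<18)` test and the hwcap2 check at -242) follow the existing POWER9 pattern line for line, so no functional concern there.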
@@ -81,6 +81,17 @@ .long 0 .byte 0,12,0x14,0,0,0,0,0 +.globl .OPENSSL_brd31_probe +.align 4 +.OPENSSL_brd31_probe: + xor r0,r0,r0 + brd r3,r0 + blr + .long 0 + .byte 0,12,0x14,0,0,0,0,0 +.size .OPENSSL_brd31_probe,.-.OPENSSL_brd31_probe + + .globl .OPENSSL_wipe_cpu .align 4 .OPENSSL_wipe_cpu: diff --git a/crypto/property/defn_cache.c b/crypto/property/defn_cache.c index b43f2d247..eb68a55aa 100644 --- a/crypto/property/defn_cache.c +++ b/crypto/property/defn_cache.c @@ -15,6 +15,7 @@ #include "internal/property.h" #include "internal/core.h" #include "property_local.h" +#include "crypto/context.h" /* * Implement a property definition cache. @@ -28,7 +29,7 @@ typedef struct { char body[1]; } PROPERTY_DEFN_ELEM; -DEFINE_LHASH_OF(PROPERTY_DEFN_ELEM); +DEFINE_LHASH_OF_EX(PROPERTY_DEFN_ELEM); static unsigned long property_defn_hash(const PROPERTY_DEFN_ELEM *a) { @@ -47,7 +48,7 @@ static void property_defn_free(PROPERTY_DEFN_ELEM *elem) OPENSSL_free(elem); } -static void property_defns_free(void *vproperty_defns) +void ossl_property_defns_free(void *vproperty_defns) { LHASH_OF(PROPERTY_DEFN_ELEM) *property_defns = vproperty_defns; 
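Review bot: The new `.OPENSSL_brd31_probe` routine has no comment saying what it probes or how its result is consumed, and its prototype in ppccap.c (`void OPENSSL_brd31_probe(void);`) is equally silent. Add a short header before the `.globl`, along the lines of `# Probe for ISA 3.1 (POWER10): executes brd; presumably trapped by the caller on older CPUs, like the other *_probe routines` — hedged, because the trapping mechanism is not in this diff — and name `HWCAP_ARCH_3_1` as the getauxval counterpart. Stating that the value left in r3 is not meaningful, if that is indeed the case, would also keep someone from turning the probe into a "real" function later.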
@@ -58,25 +59,18 @@ static void property_defns_free(void *vproperty_defns) } } -static void *property_defns_new(OSSL_LIB_CTX *ctx) { +void *ossl_property_defns_new(OSSL_LIB_CTX *ctx) { return lh_PROPERTY_DEFN_ELEM_new(&property_defn_hash, &property_defn_cmp); } -static const OSSL_LIB_CTX_METHOD property_defns_method = { - OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, - property_defns_new, - property_defns_free, -}; - OSSL_PROPERTY_LIST *ossl_prop_defn_get(OSSL_LIB_CTX *ctx, const char *prop) { PROPERTY_DEFN_ELEM elem, *r; LHASH_OF(PROPERTY_DEFN_ELEM) *property_defns; property_defns = ossl_lib_ctx_get_data(ctx, - OSSL_LIB_CTX_PROPERTY_DEFN_INDEX, - &property_defns_method); - if (property_defns == NULL || !ossl_lib_ctx_read_lock(ctx)) + OSSL_LIB_CTX_PROPERTY_DEFN_INDEX); + if (!ossl_assert(property_defns != NULL) || !ossl_lib_ctx_read_lock(ctx)) return NULL; elem.prop = prop; @@ -101,8 +95,7 @@ int ossl_prop_defn_set(OSSL_LIB_CTX *ctx, const char *prop, int res = 1; property_defns = ossl_lib_ctx_get_data(ctx, - OSSL_LIB_CTX_PROPERTY_DEFN_INDEX, - &property_defns_method); + OSSL_LIB_CTX_PROPERTY_DEFN_INDEX); if (property_defns == NULL) return 0; diff --git a/crypto/property/property.c b/crypto/property/property.c index 844c25cee..7794c84a4 100644 --- a/crypto/property/property.c +++ b/crypto/property/property.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -23,6 +23,7 @@ #include "crypto/lhash.h" #include "crypto/sparse_array.h" #include "property_local.h" +#include "crypto/context.h" /* * The number of elements in the query cache before we initiate a flush. @@ -52,7 +53,7 @@ typedef struct { char body[1]; } QUERY; -DEFINE_LHASH_OF(QUERY); +DEFINE_LHASH_OF_EX(QUERY); typedef struct { int nid; 
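Review bot: `ossl_prop_defn_get` now treats a missing per-context table as an internal error (`!ossl_assert(property_defns != NULL)`), while `ossl_prop_defn_set` in the -101 hunk of the same file keeps the plain `if (property_defns == NULL) return 0;`; both go through the same `ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_PROPERTY_DEFN_INDEX)` lookup, so they should agree on whether NULL is a bug or an expected condition. Use `ossl_assert` in both or in neither. Separately, the renamed `void *ossl_property_defns_new(OSSL_LIB_CTX *ctx) {` keeps the opening brace on the signature line; since the line is being rewritten anyway, moving `{` to its own line would match the rest of the file (the same applies to `ossl_property_string_data_new` in property_string.c).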
@@ -107,7 +108,7 @@ static void ossl_method_cache_flush_alg(OSSL_METHOD_STORE *store, static void ossl_method_cache_flush(OSSL_METHOD_STORE *store, int nid); /* Global properties are stored per library context */ -static void ossl_ctx_global_properties_free(void *vglobp) +void ossl_ctx_global_properties_free(void *vglobp) { OSSL_GLOBAL_PROPERTIES *globp = vglobp; @@ -117,17 +118,11 @@ static void ossl_ctx_global_properties_free(void *vglobp) } } -static void *ossl_ctx_global_properties_new(OSSL_LIB_CTX *ctx) +void *ossl_ctx_global_properties_new(OSSL_LIB_CTX *ctx) { return OPENSSL_zalloc(sizeof(OSSL_GLOBAL_PROPERTIES)); } -static const OSSL_LIB_CTX_METHOD ossl_ctx_global_properties_method = { - OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, - ossl_ctx_global_properties_new, - ossl_ctx_global_properties_free, -}; - OSSL_PROPERTY_LIST **ossl_ctx_global_properties(OSSL_LIB_CTX *libctx, int loadconfig) { @@ -137,8 +132,7 @@ OSSL_PROPERTY_LIST **ossl_ctx_global_properties(OSSL_LIB_CTX *libctx, if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) return NULL; #endif - globp = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_GLOBAL_PROPERTIES, - &ossl_ctx_global_properties_method); + globp = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_GLOBAL_PROPERTIES); return globp != NULL ? &globp->list : NULL; } @@ -147,8 +141,7 @@ OSSL_PROPERTY_LIST **ossl_ctx_global_properties(OSSL_LIB_CTX *libctx, int ossl_global_properties_no_mirrored(OSSL_LIB_CTX *libctx) { OSSL_GLOBAL_PROPERTIES *globp - = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_GLOBAL_PROPERTIES, - &ossl_ctx_global_properties_method); + = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_GLOBAL_PROPERTIES); return globp != NULL && globp->no_mirrored ? 1 : 0; } 
@@ -156,8 +149,7 @@ int ossl_global_properties_no_mirrored(OSSL_LIB_CTX *libctx) void ossl_global_properties_stop_mirroring(OSSL_LIB_CTX *libctx) { OSSL_GLOBAL_PROPERTIES *globp - = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_GLOBAL_PROPERTIES, - &ossl_ctx_global_properties_method); + = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_GLOBAL_PROPERTIES); if (globp != NULL) globp->no_mirrored = 1; @@ -510,13 +502,14 @@ int ossl_method_store_fetch(OSSL_METHOD_STORE *store, int ret = 0; int j, best = -1, score, optional; -#ifndef FIPS_MODULE - if (!OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) + if (nid <= 0 || method == NULL || store == NULL) return 0; -#endif - if (nid <= 0 || method == NULL || store == NULL) +#ifndef FIPS_MODULE + if (ossl_lib_ctx_is_default(store->ctx) + && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) return 0; +#endif /* This only needs to be a read lock, because the query won't create anything */ if (!ossl_property_read_lock(store)) diff --git a/crypto/property/property_local.h b/crypto/property/property_local.h index 797fb3bf5..2cb62bae9 100644 --- a/crypto/property/property_local.h +++ b/crypto/property/property_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/crypto/property/property_parse.c b/crypto/property/property_parse.c index ca2bd3338..b2bf3cd63 100644 --- a/crypto/property/property_parse.c +++ b/crypto/property/property_parse.c @@ -17,7 +17,7 @@ #include "crypto/ctype.h" #include "internal/nelem.h" #include "property_local.h" -#include "e_os.h" +#include "internal/e_os.h" DEFINE_STACK_OF(OSSL_PROPERTY_DEFINITION) diff --git a/crypto/property/property_string.c b/crypto/property/property_string.c index ef87a6a78..e06f47a6b 100644 
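Review bot: In the ossl_method_store_fetch hunk at -510 the reordering is load-bearing rather than cosmetic: the new condition dereferences `store->ctx`, so the `store == NULL` check must stay ahead of it; a one-line comment such as `/* store was validated above, so store->ctx is safe to read here */` would keep a later edit from swapping the two blocks back. The hunk also changes behaviour for non-default library contexts, which no longer trigger `OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)` on fetch; that is presumably the intent, but the function's documentation (outside this hunk) should state that implicit config loading now happens only for the default context. The body of ossl_method_store_fetch continues past the hunk.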
--- a/crypto/property/property_string.c +++ b/crypto/property/property_string.c @@ -13,6 +13,7 @@ #include #include "crypto/lhash.h" #include "property_local.h" +#include "crypto/context.h" /* * Property strings are a consolidation of all strings seen by the property @@ -31,7 +32,7 @@ typedef struct { char body[1]; } PROPERTY_STRING; -DEFINE_LHASH_OF(PROPERTY_STRING); +DEFINE_LHASH_OF_EX(PROPERTY_STRING); typedef LHASH_OF(PROPERTY_STRING) PROP_TABLE; typedef struct { @@ -40,6 +41,10 @@ typedef struct { PROP_TABLE *prop_values; OSSL_PROPERTY_IDX prop_name_idx; OSSL_PROPERTY_IDX prop_value_idx; +#ifndef OPENSSL_SMALL_FOOTPRINT + STACK_OF(OPENSSL_CSTRING) *prop_namelist; + STACK_OF(OPENSSL_CSTRING) *prop_valuelist; +#endif } PROPERTY_STRING_DATA; static unsigned long property_hash(const PROPERTY_STRING *a) @@ -68,7 +73,7 @@ static void property_table_free(PROP_TABLE **pt) } } -static void property_string_data_free(void *vpropdata) +void ossl_property_string_data_free(void *vpropdata) { PROPERTY_STRING_DATA *propdata = vpropdata; 
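Review bot: The new `prop_namelist` / `prop_valuelist` members of PROPERTY_STRING_DATA (hunk -40) carry no comment about what they hold or who owns the strings. From the later hunks, the entries are the `ps_new->s` pointers pushed at insertion time, the lists are released with `sk_OPENSSL_CSTRING_free` rather than `pop_free`, and lookups use `idx - 1`, i.e. they alias PROPERTY_STRING bodies owned by the lhash tables. A comment such as `/* idx-1 -> string lookup; entries alias lhash-owned PROPERTY_STRING.s and are not freed here */` on each field would stop a future maintainer from adding a `pop_free` or reordering the free calls.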
@@ -78,44 +83,44 @@ static void property_string_data_free(void *vpropdata) CRYPTO_THREAD_lock_free(propdata->lock); property_table_free(&propdata->prop_names); property_table_free(&propdata->prop_values); +#ifndef OPENSSL_SMALL_FOOTPRINT + sk_OPENSSL_CSTRING_free(propdata->prop_namelist); + sk_OPENSSL_CSTRING_free(propdata->prop_valuelist); + propdata->prop_namelist = propdata->prop_valuelist = NULL; +#endif propdata->prop_name_idx = propdata->prop_value_idx = 0; OPENSSL_free(propdata); } -static void *property_string_data_new(OSSL_LIB_CTX *ctx) { +void *ossl_property_string_data_new(OSSL_LIB_CTX *ctx) { PROPERTY_STRING_DATA *propdata = OPENSSL_zalloc(sizeof(*propdata)); if (propdata == NULL) return NULL; propdata->lock = CRYPTO_THREAD_lock_new(); - if (propdata->lock == NULL) - goto err; - propdata->prop_names = lh_PROPERTY_STRING_new(&property_hash, &property_cmp); - if (propdata->prop_names == NULL) - goto err; - propdata->prop_values = lh_PROPERTY_STRING_new(&property_hash, &property_cmp); - if (propdata->prop_values == NULL) - goto err; - +#ifndef OPENSSL_SMALL_FOOTPRINT + propdata->prop_namelist = sk_OPENSSL_CSTRING_new_null(); + propdata->prop_valuelist = sk_OPENSSL_CSTRING_new_null(); +#endif + if (propdata->lock == NULL +#ifndef OPENSSL_SMALL_FOOTPRINT + || propdata->prop_namelist == NULL + || propdata->prop_valuelist == NULL +#endif + || propdata->prop_names == NULL + || propdata->prop_values == NULL) { + ossl_property_string_data_free(propdata); + return NULL; + } return propdata; - -err: - property_string_data_free(propdata); - return NULL; } -static const OSSL_LIB_CTX_METHOD property_string_data_method = { - OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, - property_string_data_new, - property_string_data_free, -}; - static PROPERTY_STRING *new_property_string(const char *s, OSSL_PROPERTY_IDX *pidx) { 
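Review bot: In `ossl_property_string_data_new` the `#ifndef OPENSSL_SMALL_FOOTPRINT` block spliced into the middle of the `if (propdata->lock == NULL ...)` condition makes the success criterion hard to read, and the function keeps its opening brace on the signature line (`... *ctx) {`), unlike the surrounding file. Computing an `ok` flag in two steps, one of them under the ifdef, keeps the single cleanup path this commit introduces while leaving the condition readable; the failure path still relies on `ossl_property_string_data_free` accepting a partially initialised struct, exactly as the old `goto err` did.
```c
void *ossl_property_string_data_new(OSSL_LIB_CTX *ctx)
{
    PROPERTY_STRING_DATA *propdata = OPENSSL_zalloc(sizeof(*propdata));
    int ok;

    if (propdata == NULL)
        return NULL;

    propdata->lock = CRYPTO_THREAD_lock_new();
    propdata->prop_names = lh_PROPERTY_STRING_new(&property_hash, &property_cmp);
    propdata->prop_values = lh_PROPERTY_STRING_new(&property_hash, &property_cmp);
    ok = propdata->lock != NULL
         && propdata->prop_names != NULL
         && propdata->prop_values != NULL;
#ifndef OPENSSL_SMALL_FOOTPRINT
    propdata->prop_namelist = sk_OPENSSL_CSTRING_new_null();
    propdata->prop_valuelist = sk_OPENSSL_CSTRING_new_null();
    ok = ok && propdata->prop_namelist != NULL
            && propdata->prop_valuelist != NULL;
#endif
    if (!ok) {
        /* free() tolerates NULL members, so one cleanup path suffices */
        ossl_property_string_data_free(propdata);
        return NULL;
    }
    return propdata;
}
```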
@@ -134,40 +139,66 @@ static PROPERTY_STRING *new_property_string(const char *s, return ps; } -static OSSL_PROPERTY_IDX ossl_property_string(CRYPTO_RWLOCK *lock, - PROP_TABLE *t, - OSSL_PROPERTY_IDX *pidx, - const char *s) +static OSSL_PROPERTY_IDX ossl_property_string(OSSL_LIB_CTX *ctx, int name, + int create, const char *s) { PROPERTY_STRING p, *ps, *ps_new; + PROP_TABLE *t; + OSSL_PROPERTY_IDX *pidx; + PROPERTY_STRING_DATA *propdata + = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_PROPERTY_STRING_INDEX); + + if (propdata == NULL) + return 0; + t = name ? propdata->prop_names : propdata->prop_values; p.s = s; - if (!CRYPTO_THREAD_read_lock(lock)) { + if (!CRYPTO_THREAD_read_lock(propdata->lock)) { ERR_raise(ERR_LIB_CRYPTO, ERR_R_UNABLE_TO_GET_READ_LOCK); return 0; } ps = lh_PROPERTY_STRING_retrieve(t, &p); - if (ps == NULL && pidx != NULL) { - CRYPTO_THREAD_unlock(lock); - if (!CRYPTO_THREAD_write_lock(lock)) { + if (ps == NULL && create) { + CRYPTO_THREAD_unlock(propdata->lock); + if (!CRYPTO_THREAD_write_lock(propdata->lock)) { ERR_raise(ERR_LIB_CRYPTO, ERR_R_UNABLE_TO_GET_WRITE_LOCK); return 0; } + pidx = name ? &propdata->prop_name_idx : &propdata->prop_value_idx; ps = lh_PROPERTY_STRING_retrieve(t, &p); if (ps == NULL && (ps_new = new_property_string(s, pidx)) != NULL) { +#ifndef OPENSSL_SMALL_FOOTPRINT + STACK_OF(OPENSSL_CSTRING) *slist; + + slist = name ? propdata->prop_namelist : propdata->prop_valuelist; + if (sk_OPENSSL_CSTRING_push(slist, ps_new->s) <= 0) { + property_free(ps_new); + CRYPTO_THREAD_unlock(propdata->lock); + return 0; + } +#endif lh_PROPERTY_STRING_insert(t, ps_new); if (lh_PROPERTY_STRING_error(t)) { + /*- + * Undo the previous push which means also decrementing the + * index and freeing the allocated storage. 
+ */ +#ifndef OPENSSL_SMALL_FOOTPRINT + sk_OPENSSL_CSTRING_pop(slist); +#endif property_free(ps_new); - CRYPTO_THREAD_unlock(lock); + --*pidx; + CRYPTO_THREAD_unlock(propdata->lock); return 0; } ps = ps_new; } } - CRYPTO_THREAD_unlock(lock); + CRYPTO_THREAD_unlock(propdata->lock); return ps != NULL ? ps->idx : 0; } +#ifdef OPENSSL_SMALL_FOOTPRINT struct find_str_st { const char *str; OSSL_PROPERTY_IDX idx; 
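Review bot: In ossl_property_string (hunk -134, which begins on the previous line of this page) the two failure paths after `new_property_string` are not symmetric: when `lh_PROPERTY_STRING_insert` fails the code pops the list entry, frees ps_new and does `--*pidx`, but when `sk_OPENSSL_CSTRING_push` fails it only frees ps_new. Assuming new_property_string increments `*pidx` (which the later `--*pidx` and its "decrementing the index" comment indicate), the push-failure path leaves the index one ahead of the list length, after which every `ossl_property_str` lookup via `sk_OPENSSL_CSTRING_value(..., idx - 1)` for later strings is off by one. Add `--*pidx;` next to `property_free(ps_new);` in the push-failure branch so both unwind paths restore the same state.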
@@ -180,45 +211,47 @@ static void find_str_fn(PROPERTY_STRING *prop, void *vfindstr) if (prop->idx == findstr->idx) findstr->str = prop->s; } +#endif static const char *ossl_property_str(int name, OSSL_LIB_CTX *ctx, OSSL_PROPERTY_IDX idx) { - struct find_str_st findstr; + const char *r; PROPERTY_STRING_DATA *propdata - = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_PROPERTY_STRING_INDEX, - &property_string_data_method); + = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_PROPERTY_STRING_INDEX); if (propdata == NULL) return NULL; - findstr.str = NULL; - findstr.idx = idx; - if (!CRYPTO_THREAD_read_lock(propdata->lock)) { ERR_raise(ERR_LIB_CRYPTO, ERR_R_UNABLE_TO_GET_READ_LOCK); return NULL; } - lh_PROPERTY_STRING_doall_arg(name ? propdata->prop_names - : propdata->prop_values, - find_str_fn, &findstr); +#ifdef OPENSSL_SMALL_FOOTPRINT + { + struct find_str_st findstr; + + findstr.str = NULL; + findstr.idx = idx; + + lh_PROPERTY_STRING_doall_arg(name ? propdata->prop_names + : propdata->prop_values, + find_str_fn, &findstr); + r = findstr.str; + } +#else + r = sk_OPENSSL_CSTRING_value(name ? propdata->prop_namelist + : propdata->prop_valuelist, idx - 1); +#endif CRYPTO_THREAD_unlock(propdata->lock); - return findstr.str; + return r; } OSSL_PROPERTY_IDX ossl_property_name(OSSL_LIB_CTX *ctx, const char *s, int create) { - PROPERTY_STRING_DATA *propdata - = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_PROPERTY_STRING_INDEX, - &property_string_data_method); - - if (propdata == NULL) - return 0; - return ossl_property_string(propdata->lock, propdata->prop_names, - create ? &propdata->prop_name_idx : NULL, - s); + return ossl_property_string(ctx, 1, create, s); } const char *ossl_property_name_str(OSSL_LIB_CTX *ctx, OSSL_PROPERTY_IDX idx) 
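Review bot: `ossl_property_str` now indexes the list with `idx - 1`, but nothing near the call says why; the relationship only becomes clear from `return ps != NULL ? ps->idx : 0;` in ossl_property_string, where 0 is the "not found" index. A comment such as `/* Property indexes are 1-based (0 means "not found"), so the list slot is idx - 1 */` above the `sk_OPENSSL_CSTRING_value` call documents the invariant that keeps the list and the lhash in step. An `idx` of 0 appears to yield NULL here only because `sk_OPENSSL_CSTRING_value` rejects an out-of-range position, which is worth stating as well since the SMALL_FOOTPRINT path reaches the same result by a different route.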
@@ -229,15 +262,7 @@ const char *ossl_property_name_str(OSSL_LIB_CTX *ctx, OSSL_PROPERTY_IDX idx) OSSL_PROPERTY_IDX ossl_property_value(OSSL_LIB_CTX *ctx, const char *s, int create) { - PROPERTY_STRING_DATA *propdata - = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_PROPERTY_STRING_INDEX, - &property_string_data_method); - - if (propdata == NULL) - return 0; - return ossl_property_string(propdata->lock, propdata->prop_values, - create ? &propdata->prop_value_idx : NULL, - s); + return ossl_property_string(ctx, 0, create, s); } const char *ossl_property_value_str(OSSL_LIB_CTX *ctx, OSSL_PROPERTY_IDX idx) diff --git a/crypto/provider_child.c b/crypto/provider_child.c index 861bcb035..2e6dac6d9 100644 --- a/crypto/provider_child.c +++ b/crypto/provider_child.c @@ -16,6 +16,7 @@ #include "internal/provider.h" #include "internal/cryptlib.h" #include "crypto/evp.h" +#include "crypto/context.h" DEFINE_STACK_OF(OSSL_PROVIDER) @@ -33,12 +34,12 @@ struct child_prov_globals { OSSL_FUNC_provider_free_fn *c_prov_free; }; -static void *child_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) +void *ossl_child_prov_ctx_new(OSSL_LIB_CTX *libctx) { return OPENSSL_zalloc(sizeof(struct child_prov_globals)); } -static void child_prov_ossl_ctx_free(void *vgbl) +void ossl_child_prov_ctx_free(void *vgbl) { struct child_prov_globals *gbl = vgbl; @@ -46,12 +47,6 @@ static void child_prov_ossl_ctx_free(void *vgbl) OPENSSL_free(gbl); } -static const OSSL_LIB_CTX_METHOD child_prov_ossl_ctx_method = { - OSSL_LIB_CTX_METHOD_LOW_PRIORITY, - child_prov_ossl_ctx_new, - child_prov_ossl_ctx_free, -}; - static OSSL_provider_init_fn ossl_child_provider_init; static int ossl_child_provider_init(const OSSL_CORE_HANDLE *handle, 
@@ -84,8 +79,7 @@ static int ossl_child_provider_init(const OSSL_CORE_HANDLE *handle, */ ctx = (OSSL_LIB_CTX *)c_get_libctx(handle); - gbl = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX, - &child_prov_ossl_ctx_method); + gbl = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX); if (gbl == NULL) return 0; @@ -103,8 +97,7 @@ static int provider_create_child_cb(const OSSL_CORE_HANDLE *prov, void *cbdata) OSSL_PROVIDER *cprov; int ret = 0; - gbl = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX, - &child_prov_ossl_ctx_method); + gbl = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX); if (gbl == NULL) return 0; @@ -168,8 +161,7 @@ static int provider_remove_child_cb(const OSSL_CORE_HANDLE *prov, void *cbdata) const char *provname; OSSL_PROVIDER *cprov; - gbl = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX, - &child_prov_ossl_ctx_method); + gbl = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX); if (gbl == NULL) return 0; @@ -205,8 +197,7 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx, if (ctx == NULL) return 0; - gbl = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX, - &child_prov_ossl_ctx_method); + gbl = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX); if (gbl == NULL) return 0; @@ -273,8 +264,7 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx, void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx) { struct child_prov_globals *gbl - = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX, - &child_prov_ossl_ctx_method); + = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_CHILD_PROVIDER_INDEX); if (gbl == NULL) return; @@ -299,8 +289,7 @@ int ossl_provider_up_ref_parent(OSSL_PROVIDER *prov, int activate) const OSSL_CORE_HANDLE *parent_handle; gbl = ossl_lib_ctx_get_data(ossl_provider_libctx(prov), - OSSL_LIB_CTX_CHILD_PROVIDER_INDEX, - &child_prov_ossl_ctx_method); + OSSL_LIB_CTX_CHILD_PROVIDER_INDEX); if (gbl == NULL) return 0; 
@@ -316,8 +305,7 @@ int ossl_provider_free_parent(OSSL_PROVIDER *prov, int deactivate) const OSSL_CORE_HANDLE *parent_handle; gbl = ossl_lib_ctx_get_data(ossl_provider_libctx(prov), - OSSL_LIB_CTX_CHILD_PROVIDER_INDEX, - &child_prov_ossl_ctx_method); + OSSL_LIB_CTX_CHILD_PROVIDER_INDEX); if (gbl == NULL) return 0; diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c index c13c887c3..058fb5883 100644 --- a/crypto/provider_conf.c +++ b/crypto/provider_conf.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -16,6 +16,7 @@ #include "internal/provider.h" #include "internal/cryptlib.h" #include "provider_local.h" +#include "crypto/context.h" DEFINE_STACK_OF(OSSL_PROVIDER) @@ -26,7 +27,7 @@ typedef struct { STACK_OF(OSSL_PROVIDER) *activated_providers; } PROVIDER_CONF_GLOBAL; -static void *prov_conf_ossl_ctx_new(OSSL_LIB_CTX *libctx) +void *ossl_prov_conf_ctx_new(OSSL_LIB_CTX *libctx) { PROVIDER_CONF_GLOBAL *pcgbl = OPENSSL_zalloc(sizeof(*pcgbl)); @@ -42,7 +43,7 @@ static void *prov_conf_ossl_ctx_new(OSSL_LIB_CTX *libctx) return pcgbl; } -static void prov_conf_ossl_ctx_free(void *vpcgbl) +void ossl_prov_conf_ctx_free(void *vpcgbl) { PROVIDER_CONF_GLOBAL *pcgbl = vpcgbl; @@ -54,13 +55,6 @@ static void prov_conf_ossl_ctx_free(void *vpcgbl) OPENSSL_free(pcgbl); } -static const OSSL_LIB_CTX_METHOD provider_conf_ossl_ctx_method = { - /* Must be freed before the provider store is freed */ - OSSL_LIB_CTX_METHOD_PRIORITY_2, - prov_conf_ossl_ctx_new, - prov_conf_ossl_ctx_free, -}; - static const char *skip_dot(const char *name) { const char *p = strchr(name, '.'); 
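Review bot: The deleted `provider_conf_ossl_ctx_method` in the -54 hunk carried the only written statement of a teardown-ordering requirement, `/* Must be freed before the provider store is freed */` with OSSL_LIB_CTX_METHOD_PRIORITY_2, and the same information disappears with `provider_store_method` (`/* Needs to be freed before the child provider data is freed */`, PRIORITY_1) in provider_core.c, `child_prov_ossl_ctx_method` (LOW_PRIORITY) in provider_child.c and `rand_drbg_ossl_ctx_method` (PRIORITY_2) in rand_lib.c. The now-exported `ossl_prov_conf_ctx_free`, `ossl_provider_store_free`, `ossl_child_prov_ctx_free` and `ossl_rand_ctx_free` say nothing about that ordering, which presumably now lives in whatever central sequence `crypto/context.h` backs (not in this diff). Add a one-line comment on each free function, e.g. `/* Must run before the provider store is freed; ordering is enforced by the libctx teardown sequence */`, so the constraint stays discoverable next to the code that depends on it.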
@@ -136,13 +130,85 @@ static int prov_already_activated(const char *name, return 0; } +static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name, + const char *value, const char *path, + int soft, const CONF *cnf) +{ + PROVIDER_CONF_GLOBAL *pcgbl + = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX); + OSSL_PROVIDER *prov = NULL, *actual = NULL; + int ok = 0; + + if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) { + ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); + return 0; + } + if (!prov_already_activated(name, pcgbl->activated_providers)) { + /* + * There is an attempt to activate a provider, so we should disable + * loading of fallbacks. Otherwise a misconfiguration could mean the + * intended provider does not get loaded. Subsequent fetches could + * then fallback to the default provider - which may be the wrong + * thing. + */ + if (!ossl_provider_disable_fallback_loading(libctx)) { + CRYPTO_THREAD_unlock(pcgbl->lock); + ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); + return 0; + } + prov = ossl_provider_find(libctx, name, 1); + if (prov == NULL) + prov = ossl_provider_new(libctx, name, NULL, 1); + if (prov == NULL) { + CRYPTO_THREAD_unlock(pcgbl->lock); + if (soft) + ERR_clear_error(); + return 0; + } + + if (path != NULL) + ossl_provider_set_module_path(prov, path); + + ok = provider_conf_params(prov, NULL, NULL, value, cnf); + + if (ok) { + if (!ossl_provider_activate(prov, 1, 0)) { + ok = 0; + } else if (!ossl_provider_add_to_store(prov, &actual, 0)) { + ossl_provider_deactivate(prov, 1); + ok = 0; + } else if (actual != prov + && !ossl_provider_activate(actual, 1, 0)) { + ossl_provider_free(actual); + ok = 0; + } else { + if (pcgbl->activated_providers == NULL) + pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null(); + if (pcgbl->activated_providers == NULL + || !sk_OSSL_PROVIDER_push(pcgbl->activated_providers, + actual)) { + ossl_provider_deactivate(actual, 1); + ossl_provider_free(actual); + ok = 0; + } 
else { + ok = 1; + } + } + } + if (!ok) + ossl_provider_free(prov); + } + CRYPTO_THREAD_unlock(pcgbl->lock); + + return ok; +} + static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, const char *value, const CONF *cnf) { int i; STACK_OF(CONF_VALUE) *ecmds; int soft = 0; - OSSL_PROVIDER *prov = NULL, *actual = NULL; const char *path = NULL; long activate = 0; int ok = 0; 
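Review bot: `provider_conf_activate` returns `ok`, which is initialised to 0 and only assigned inside the `!prov_already_activated(...)` branch, so a provider that is already on `activated_providers` makes the function — and, through the call in the next hunk, `provider_conf_load` — report failure. The behaviour is inherited from the code being moved, but the extraction is the right moment to settle it: add `} else {` / `ok = 1; /* already activated: nothing to do */` / `}` after the big if-block, unless a caller outside this diff deliberately relies on 0 here. The function also holds `pcgbl->lock` across ossl_provider_activate and ossl_provider_add_to_store, as before; a comment saying that is intentional would help the next reader.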
@@ -182,70 +248,7 @@ static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, } if (activate) { - PROVIDER_CONF_GLOBAL *pcgbl - = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, - &provider_conf_ossl_ctx_method); - - if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) { - ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); - return 0; - } - if (!prov_already_activated(name, pcgbl->activated_providers)) { - /* - * There is an attempt to activate a provider, so we should disable - * loading of fallbacks. Otherwise a misconfiguration could mean the - * intended provider does not get loaded. Subsequent fetches could - * then fallback to the default provider - which may be the wrong - * thing. - */ - if (!ossl_provider_disable_fallback_loading(libctx)) { - CRYPTO_THREAD_unlock(pcgbl->lock); - ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); - return 0; - } - prov = ossl_provider_find(libctx, name, 1); - if (prov == NULL) - prov = ossl_provider_new(libctx, name, NULL, 1); - if (prov == NULL) { - CRYPTO_THREAD_unlock(pcgbl->lock); - if (soft) - ERR_clear_error(); - return 0; - } - - if (path != NULL) - ossl_provider_set_module_path(prov, path); - - ok = provider_conf_params(prov, NULL, NULL, value, cnf); - - if (ok) { - if (!ossl_provider_activate(prov, 1, 0)) { - ok = 0; - } else if (!ossl_provider_add_to_store(prov, &actual, 0)) { - ossl_provider_deactivate(prov, 1); - ok = 0; - } else if (actual != prov - && !ossl_provider_activate(actual, 1, 0)) { - ossl_provider_free(actual); - ok = 0; - } else { - if (pcgbl->activated_providers == NULL) - pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null(); - if (pcgbl->activated_providers == NULL - || !sk_OSSL_PROVIDER_push(pcgbl->activated_providers, - actual)) { - ossl_provider_deactivate(actual, 1); - ossl_provider_free(actual); - ok = 0; - } else { - ok = 1; - } - } - } - if (!ok) - ossl_provider_free(prov); - } - CRYPTO_THREAD_unlock(pcgbl->lock); + ok = provider_conf_activate(libctx, 
name, value, path, soft, cnf); } else { OSSL_PROVIDER_INFO entry; diff --git a/crypto/provider_core.c b/crypto/provider_core.c index 7a1232812..c6925b402 100644 --- a/crypto/provider_core.c +++ b/crypto/provider_core.c @@ -29,6 +29,7 @@ #include "internal/bio.h" #include "internal/core.h" #include "provider_local.h" +#include "crypto/context.h" #ifndef FIPS_MODULE # include #endif @@ -72,7 +73,7 @@ * The locks available are: * * The provider flag_lock: Used to control updates to the various provider - * "flags" (flag_initialized, flag_activated, flag_fallback) and associated + * "flags" (flag_initialized and flag_activated) and associated * "counts" (activatecnt). * * The provider refcnt_lock: Only ever used to control updates to the provider @@ -142,7 +143,6 @@ struct ossl_provider_st { /* Flag bits */ unsigned int flag_initialized:1; unsigned int flag_activated:1; - unsigned int flag_fallback:1; /* Can be used as fallback */ /* Getting and setting the flags require synchronization */ CRYPTO_RWLOCK *flag_lock; @@ -283,7 +283,7 @@ void ossl_provider_info_clear(OSSL_PROVIDER_INFO *info) sk_INFOPAIR_pop_free(info->parameters, infopair_free); } -static void provider_store_free(void *vstore) +void ossl_provider_store_free(void *vstore) { struct provider_store_st *store = vstore; size_t i; @@ -305,7 +305,7 @@ static void provider_store_free(void *vstore) OPENSSL_free(store); } -static void *provider_store_new(OSSL_LIB_CTX *ctx) +void *ossl_provider_store_new(OSSL_LIB_CTX *ctx) { struct provider_store_st *store = OPENSSL_zalloc(sizeof(*store)); @@ -316,7 +316,7 @@ static void *provider_store_new(OSSL_LIB_CTX *ctx) || (store->child_cbs = sk_OSSL_PROVIDER_CHILD_CB_new_null()) == NULL #endif || (store->lock = CRYPTO_THREAD_lock_new()) == NULL) { - provider_store_free(store); + ossl_provider_store_free(store); return NULL; } store->libctx = ctx; 
@@ -325,19 +325,11 @@ static void *provider_store_new(OSSL_LIB_CTX *ctx) return store; } -static const OSSL_LIB_CTX_METHOD provider_store_method = { - /* Needs to be freed before the child provider data is freed */ - OSSL_LIB_CTX_METHOD_PRIORITY_1, - provider_store_new, - provider_store_free, -}; - static struct provider_store_st *get_provider_store(OSSL_LIB_CTX *libctx) { struct provider_store_st *store = NULL; - store = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_STORE_INDEX, - &provider_store_method); + store = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_STORE_INDEX); if (store == NULL) ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); return store; @@ -1486,16 +1478,6 @@ int OSSL_PROVIDER_available(OSSL_LIB_CTX *libctx, const char *name) return available; } -/* Setters of Provider Object data */ -int ossl_provider_set_fallback(OSSL_PROVIDER *prov) -{ - if (prov == NULL) - return 0; - - prov->flag_fallback = 1; - return 1; -} - /* Getters of Provider Object data */ const char *ossl_provider_name(const OSSL_PROVIDER *prov) { diff --git a/crypto/punycode.c b/crypto/punycode.c index 2de32dc18..4d9a6d7d8 100644 --- a/crypto/punycode.c +++ b/crypto/punycode.c @@ -12,6 +12,8 @@ #include #include #include "crypto/punycode.h" +#include "internal/cryptlib.h" +#include "internal/packet.h" /* for WPACKET */ static const unsigned int base = 36; static const unsigned int tmin = 1; @@ -239,12 +241,12 @@ static int codepoint2utf8(unsigned char *out, unsigned long utf) /*- * Return values: - * 1 - ok, *outlen contains valid buf length - * 0 - ok but buf was too short, *outlen contains valid buf length - * -1 - bad string passed + * 1 - ok + * 0 - ok but buf was too short + * -1 - bad string passed or other error */ -int ossl_a2ulabel(const char *in, char *out, size_t *outlen) +int ossl_a2ulabel(const char *in, char *out, size_t outlen) { /*- * Domain name has some parts consisting of ASCII chars joined with dot. 
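Review bot: The updated return-value comment on `ossl_a2ulabel` (punycode.c hunk -239) says `0 - ok but buf was too short` without saying what `out` contains in that case; in the new body the terminating `'\0'` is written by the final `WPACKET_put_bytes_u8` only if space remains, so on 0 the buffer may hold a truncated, unterminated label. State that explicitly, e.g. `0 - ok but buf was too short; out is truncated and may not be NUL-terminated`, so callers treat 0 like an error unless they know the length. The one caller visible here, `ossl_a2ucompare`, already does (`<= 0`).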
@@ -252,63 +254,61 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen) * If it does not start with xn--, it becomes U-label as is. * Otherwise we try to decode it. */ - char *outptr = out; const char *inptr = in; - size_t size = 0, maxsize; int result = 1; - unsigned int i, j; + unsigned int i; unsigned int buf[LABEL_BUF_SIZE]; /* It's a hostname */ + WPACKET pkt; - if (out == NULL) { - result = 0; - maxsize = 0; - } else { - maxsize = *outlen; - } + /* Internal API, so should not fail */ + if (!ossl_assert(out != NULL)) + return -1; -#define PUSHC(c) \ - do \ - if (size++ < maxsize) \ - *outptr++ = c; \ - else \ - result = 0; \ - while (0) + if (!WPACKET_init_static_len(&pkt, (unsigned char *)out, outlen, 0)) + return -1; while (1) { char *tmpptr = strchr(inptr, '.'); size_t delta = tmpptr != NULL ? (size_t)(tmpptr - inptr) : strlen(inptr); if (strncmp(inptr, "xn--", 4) != 0) { - for (i = 0; i < delta + 1; i++) - PUSHC(inptr[i]); + if (!WPACKET_memcpy(&pkt, inptr, delta)) + result = 0; } else { unsigned int bufsize = LABEL_BUF_SIZE; - if (ossl_punycode_decode(inptr + 4, delta - 4, buf, &bufsize) <= 0) - return -1; + if (ossl_punycode_decode(inptr + 4, delta - 4, buf, &bufsize) <= 0) { + result = -1; + goto end; + } for (i = 0; i < bufsize; i++) { unsigned char seed[6]; size_t utfsize = codepoint2utf8(seed, buf[i]); - if (utfsize == 0) - return -1; + if (utfsize == 0) { + result = -1; + goto end; + } - for (j = 0; j < utfsize; j++) - PUSHC(seed[j]); + if (!WPACKET_memcpy(&pkt, seed, utfsize)) + result = 0; } - - PUSHC(tmpptr != NULL ? '.' : '\0'); } if (tmpptr == NULL) break; + if (!WPACKET_put_bytes_u8(&pkt, '.')) + result = 0; + inptr = tmpptr + 1; } -#undef PUSHC - *outlen = size; + if (!WPACKET_put_bytes_u8(&pkt, '\0')) + result = 0; + end: + WPACKET_cleanup(&pkt); return result; } 
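Review bot: The rewritten body drops the `out == NULL` mode: the old code accepted a NULL buffer (`maxsize = 0`, result 0) and reported the required size through `*outlen`, whereas the new code returns -1 from `ossl_assert(out != NULL)` and, with `outlen` now passed by value, reports no length at all. Any caller that used the old two-pass "size, then fill" idiom will now get -1; if none exists that is fine, but the function comment in the previous hunk should say that a sufficiently large buffer must be supplied up front. A smaller point: `size_t utfsize = codepoint2utf8(seed, buf[i]);` silently converts the helper's `int` result, so keeping it as `int` and checking `<= 0` would make a negative return visible instead of turning it into a huge memcpy length, though the existing `== 0` check suggests 0 is the only failure value.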
@@ -325,7 +325,7 @@ int ossl_a2ucompare(const char *a, const char *u) char a_ulabel[LABEL_BUF_SIZE + 1]; size_t a_size = sizeof(a_ulabel); - if (ossl_a2ulabel(a, a_ulabel, &a_size) <= 0) + if (ossl_a2ulabel(a, a_ulabel, a_size) <= 0) return -1; return strcmp(a_ulabel, u) != 0; diff --git a/crypto/rand/rand_deprecated.c b/crypto/rand/rand_deprecated.c index dd69f1beb..bd870013f 100644 --- a/crypto/rand/rand_deprecated.c +++ b/crypto/rand/rand_deprecated.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include +#include "internal/e_os.h" #include #include diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index f341d915d..b186ec7f2 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -18,6 +18,7 @@ #include "crypto/rand.h" #include "crypto/cryptlib.h" #include "rand_local.h" +#include "crypto/context.h" #ifndef FIPS_MODULE # include @@ -28,7 +29,7 @@ # include # include "crypto/rand_pool.h" # include "prov/seeding.h" -# include "e_os.h" +# include "internal/e_os.h" # ifndef OPENSSL_NO_ENGINE /* non-NULL if default_RAND_meth is ENGINE-provided */ @@ -435,7 +436,7 @@ typedef struct rand_global_st { * Initialize the OSSL_LIB_CTX global DRBGs on first use. * Returns the allocated global data on success or NULL on failure. */ -static void *rand_ossl_ctx_new(OSSL_LIB_CTX *libctx) +void *ossl_rand_ctx_new(OSSL_LIB_CTX *libctx) { RAND_GLOBAL *dgbl = OPENSSL_zalloc(sizeof(*dgbl)); 
@@ -492,16 +493,9 @@ void ossl_rand_ctx_free(void *vdgbl) OPENSSL_free(dgbl); } -static const OSSL_LIB_CTX_METHOD rand_drbg_ossl_ctx_method = { - OSSL_LIB_CTX_METHOD_PRIORITY_2, - rand_ossl_ctx_new, - ossl_rand_ctx_free, -}; - static RAND_GLOBAL *rand_get_global(OSSL_LIB_CTX *libctx) { - return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DRBG_INDEX, - &rand_drbg_ossl_ctx_method); + return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DRBG_INDEX); } static void rand_delete_thread_state(void *arg) @@ -727,6 +721,34 @@ EVP_RAND_CTX *RAND_get0_private(OSSL_LIB_CTX *ctx) return rand; } +int RAND_set0_public(OSSL_LIB_CTX *ctx, EVP_RAND_CTX *rand) +{ + RAND_GLOBAL *dgbl = rand_get_global(ctx); + EVP_RAND_CTX *old; + int r; + + if (dgbl == NULL) + return 0; + old = CRYPTO_THREAD_get_local(&dgbl->public); + if ((r = CRYPTO_THREAD_set_local(&dgbl->public, rand)) > 0) + EVP_RAND_CTX_free(old); + return r; +} + +int RAND_set0_private(OSSL_LIB_CTX *ctx, EVP_RAND_CTX *rand) +{ + RAND_GLOBAL *dgbl = rand_get_global(ctx); + EVP_RAND_CTX *old; + int r; + + if (dgbl == NULL) + return 0; + old = CRYPTO_THREAD_get_local(&dgbl->private); + if ((r = CRYPTO_THREAD_set_local(&dgbl->private, rand)) > 0) + EVP_RAND_CTX_free(old); + return r; +} + #ifndef FIPS_MODULE static int random_set_string(char **p, const char *s) { diff --git a/crypto/rc2/rc2_local.h b/crypto/rc2/rc2_local.h index 8faa7b840..e23bacd19 100644 --- a/crypto/rc2/rc2_local.h +++ b/crypto/rc2/rc2_local.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
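Review bot: RAND_set0_public() and RAND_set0_private() write a thread-local slot and free only the calling thread's previous context, and when `CRYPTO_THREAD_set_local` fails ownership of `rand` stays with the caller; neither point is stated, so a comment above each — `/* Takes ownership of rand on success (return > 0); affects the calling thread only */` — would help callers get the lifetime right. The two bodies are identical apart from the `public`/`private` member, so a static helper taking the `CRYPTO_THREAD_LOCAL *` would remove the duplication. Whether `CRYPTO_THREAD_set_local` can return anything other than 0 or 1 is not visible here, so the `> 0` test is presumably fine.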
@@ -20,19 +20,19 @@ l1=l2=0; \ switch (n) { \ case 8: l2 =((unsigned long)(*(--(c))))<<24L; \ - /* fall thru */ \ + /* fall through */ \ case 7: l2|=((unsigned long)(*(--(c))))<<16L; \ - /* fall thru */ \ + /* fall through */ \ case 6: l2|=((unsigned long)(*(--(c))))<< 8L; \ - /* fall thru */ \ + /* fall through */ \ case 5: l2|=((unsigned long)(*(--(c)))); \ - /* fall thru */ \ + /* fall through */ \ case 4: l1 =((unsigned long)(*(--(c))))<<24L; \ - /* fall thru */ \ + /* fall through */ \ case 3: l1|=((unsigned long)(*(--(c))))<<16L; \ - /* fall thru */ \ + /* fall through */ \ case 2: l1|=((unsigned long)(*(--(c))))<< 8L; \ - /* fall thru */ \ + /* fall through */ \ case 1: l1|=((unsigned long)(*(--(c)))); \ } \ } @@ -49,19 +49,19 @@ c+=n; \ switch (n) { \ case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 5: *(--(c))=(unsigned char)(((l2) )&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 1: *(--(c))=(unsigned char)(((l1) )&0xff); \ } \ } 
@@ -72,19 +72,19 @@ l1=l2=0; \ switch (n) { \ case 8: l2 =((unsigned long)(*(--(c)))) ; \ - /* fall thru */ \ + /* fall through */ \ case 7: l2|=((unsigned long)(*(--(c))))<< 8; \ - /* fall thru */ \ + /* fall through */ \ case 6: l2|=((unsigned long)(*(--(c))))<<16; \ - /* fall thru */ \ + /* fall through */ \ case 5: l2|=((unsigned long)(*(--(c))))<<24; \ - /* fall thru */ \ + /* fall through */ \ case 4: l1 =((unsigned long)(*(--(c)))) ; \ - /* fall thru */ \ + /* fall through */ \ case 3: l1|=((unsigned long)(*(--(c))))<< 8; \ - /* fall thru */ \ + /* fall through */ \ case 2: l1|=((unsigned long)(*(--(c))))<<16; \ - /* fall thru */ \ + /* fall through */ \ case 1: l1|=((unsigned long)(*(--(c))))<<24; \ } \ } @@ -94,19 +94,19 @@ c+=n; \ switch (n) { \ case 8: *(--(c))=(unsigned char)(((l2) )&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 7: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 6: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 5: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 4: *(--(c))=(unsigned char)(((l1) )&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 3: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 2: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 1: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \ } \ } diff --git a/crypto/rc5/rc5_local.h b/crypto/rc5/rc5_local.h index df7df608d..014fb1045 100644 --- a/crypto/rc5/rc5_local.h +++ b/crypto/rc5/rc5_local.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -22,19 +22,19 @@ l1=l2=0; \ switch (n) { \ case 8: l2 =((unsigned long)(*(--(c))))<<24L; \ - /* fall thru */ \ + /* fall through */ \ case 7: l2|=((unsigned long)(*(--(c))))<<16L; \ - /* fall thru */ \ + /* fall through */ \ case 6: l2|=((unsigned long)(*(--(c))))<< 8L; \ - /* fall thru */ \ + /* fall through */ \ case 5: l2|=((unsigned long)(*(--(c)))); \ - /* fall thru */ \ + /* fall through */ \ case 4: l1 =((unsigned long)(*(--(c))))<<24L; \ - /* fall thru */ \ + /* fall through */ \ case 3: l1|=((unsigned long)(*(--(c))))<<16L; \ - /* fall thru */ \ + /* fall through */ \ case 2: l1|=((unsigned long)(*(--(c))))<< 8L; \ - /* fall thru */ \ + /* fall through */ \ case 1: l1|=((unsigned long)(*(--(c)))); \ } \ } @@ -51,19 +51,19 @@ c+=n; \ switch (n) { \ case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 5: *(--(c))=(unsigned char)(((l2) )&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 1: *(--(c))=(unsigned char)(((l1) )&0xff); \ } \ } 
@@ -74,19 +74,19 @@ l1=l2=0; \ switch (n) { \ case 8: l2 =((unsigned long)(*(--(c)))) ; \ - /* fall thru */ \ + /* fall through */ \ case 7: l2|=((unsigned long)(*(--(c))))<< 8; \ - /* fall thru */ \ + /* fall through */ \ case 6: l2|=((unsigned long)(*(--(c))))<<16; \ - /* fall thru */ \ + /* fall through */ \ case 5: l2|=((unsigned long)(*(--(c))))<<24; \ - /* fall thru */ \ + /* fall through */ \ case 4: l1 =((unsigned long)(*(--(c)))) ; \ - /* fall thru */ \ + /* fall through */ \ case 3: l1|=((unsigned long)(*(--(c))))<< 8; \ - /* fall thru */ \ + /* fall through */ \ case 2: l1|=((unsigned long)(*(--(c))))<<16; \ - /* fall thru */ \ + /* fall through */ \ case 1: l1|=((unsigned long)(*(--(c))))<<24; \ } \ } @@ -96,19 +96,19 @@ c+=n; \ switch (n) { \ case 8: *(--(c))=(unsigned char)(((l2) )&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 7: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 6: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 5: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 4: *(--(c))=(unsigned char)(((l1) )&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 3: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 2: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \ - /* fall thru */ \ + /* fall through */ \ case 1: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \ } \ } diff --git a/crypto/riscv32cpuid.pl b/crypto/riscv32cpuid.pl new file mode 100644 index 000000000..20694e7de --- /dev/null +++ b/crypto/riscv32cpuid.pl 
@@ -0,0 +1,88 @@ +#! /usr/bin/env perl +# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +# $output is the last argument if it looks like a file (it has an extension) +# $flavour is the first argument if it doesn't look like a file +$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; +$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; + +$output and open STDOUT,">$output"; + +{ +my ($in_a,$in_b,$len,$x,$temp1,$temp2) = ('a0','a1','a2','t0','t1','t2'); +$code.=<<___; +################################################################################ +# int CRYPTO_memcmp(const void * in_a, const void * in_b, size_t len) +################################################################################ +.text +.balign 16 +.globl CRYPTO_memcmp +.type CRYPTO_memcmp,\@function +CRYPTO_memcmp: + li $x,0 + beqz $len,2f # len == 0 +1: + lbu $temp1,0($in_a) + lbu $temp2,0($in_b) + addi $in_a,$in_a,1 + addi $in_b,$in_b,1 + addi $len,$len,-1 + xor $temp1,$temp1,$temp2 + or $x,$x,$temp1 + bgtz $len,1b +2: + mv a0,$x + ret +___ +} +{ +my ($ptr,$len,$temp1,$temp2) = ('a0','a1','t0','t1'); +$code.=<<___; +################################################################################ +# void OPENSSL_cleanse(void *ptr, size_t len) +################################################################################ +.text +.balign 16 +.globl OPENSSL_cleanse +.type OPENSSL_cleanse,\@function +OPENSSL_cleanse: + beqz $len,2f # len == 0, return + srli $temp1,$len,4 + bnez $temp1,3f # len > 15 + +1: # Store <= 15 individual bytes + sb x0,0($ptr) + addi $ptr,$ptr,1 + addi $len,$len,-1 + bnez $len,1b +2: + ret + +3: # Store individual bytes until we are aligned + andi $temp1,$ptr,0x3 + beqz 
$temp1,4f + sb x0,0($ptr) + addi $ptr,$ptr,1 + addi $len,$len,-1 + j 3b + +4: # Store aligned words + li $temp2,4 +4: + sw x0,0($ptr) + addi $ptr,$ptr,4 + addi $len,$len,-4 + bge $len,$temp2,4b # if len>=4 loop + bnez $len,1b # if len<4 and len != 0, store remaining bytes + ret +___ +} + +print $code; +close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/riscv64cpuid.pl b/crypto/riscv64cpuid.pl new file mode 100644 index 000000000..675e9b611 --- /dev/null +++ b/crypto/riscv64cpuid.pl 
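Review bot: In OPENSSL_cleanse the local label `4:` is defined twice in a row (before `li $temp2,4` and again before `sw x0,0($ptr)`); the assembler resolves `4f` to the first and `4b` to the second, so it works, but it reads as a mistake — naming the loop head `5:` and branching with `bge $len,$temp2,5b` makes the intent explicit. The `bgtz`/`bge` branches compare `len` as a signed value although `size_t` is unsigned; `bnez $len,1b` in CRYPTO_memcmp and `bgeu` in the word loop express exactly what is meant. The same two points apply to the riscv64cpuid.pl hunk that follows, which has the same duplicated label and `bge $len,$temp2,4b`.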
@@ -0,0 +1,89 @@ +#! /usr/bin/env perl +# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +# $output is the last argument if it looks like a file (it has an extension) +# $flavour is the first argument if it doesn't look like a file +$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; +$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; + +$output and open STDOUT,">$output"; + +{ +my ($in_a,$in_b,$len,$x,$temp1,$temp2) = ('a0','a1','a2','t0','t1','t2'); +$code.=<<___; +################################################################################ +# int CRYPTO_memcmp(const void * in_a, const void * in_b, size_t len) +################################################################################ +.text +.balign 16 +.globl CRYPTO_memcmp +.type CRYPTO_memcmp,\@function +CRYPTO_memcmp: + li $x,0 + beqz $len,2f # len == 0 +1: + lbu $temp1,0($in_a) + lbu $temp2,0($in_b) + addi $in_a,$in_a,1 + addi $in_b,$in_b,1 + addi $len,$len,-1 + xor $temp1,$temp1,$temp2 + or $x,$x,$temp1 + bgtz $len,1b +2: + mv a0,$x + ret +___ +} +{ +my ($ptr,$len,$temp1,$temp2) = ('a0','a1','t0','t1'); +$code.=<<___; +################################################################################ +# void OPENSSL_cleanse(void *ptr, size_t len) +################################################################################ +.text +.balign 16 +.globl OPENSSL_cleanse +.type OPENSSL_cleanse,\@function +OPENSSL_cleanse: + beqz $len,2f # len == 0, return + srli $temp1,$len,4 + bnez $temp1,3f # len > 15 + +1: # Store <= 15 individual bytes + sb x0,0($ptr) + addi $ptr,$ptr,1 + addi $len,$len,-1 + bnez $len,1b +2: + ret + +3: # Store individual bytes until we are aligned + andi $temp1,$ptr,0x7 + beqz 
$temp1,4f + sb x0,0($ptr) + addi $ptr,$ptr,1 + addi $len,$len,-1 + j 3b + +4: # Store aligned dwords + li $temp2,8 +4: + sd x0,0($ptr) + addi $ptr,$ptr,8 + addi $len,$len,-8 + bge $len,$temp2,4b # if len>=8 loop + bnez $len,1b # if len<8 and len != 0, store remaining bytes + ret +___ +} + + +print $code; +close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/riscvcap.c b/crypto/riscvcap.c new file mode 100644 index 000000000..1cbfb4a57 --- /dev/null +++ b/crypto/riscvcap.c 
@@ -0,0 +1,86 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include +#include "internal/cryptlib.h" + +#define OPENSSL_RISCVCAP_IMPL +#include "crypto/riscv_arch.h" + +static void parse_env(const char *envstr); +static void strtoupper(char *str); + +uint32_t OPENSSL_rdtsc(void) +{ + return 0; +} + +size_t OPENSSL_instrument_bus(unsigned int *out, size_t cnt) +{ + return 0; +} + +size_t OPENSSL_instrument_bus2(unsigned int *out, size_t cnt, size_t max) +{ + return 0; +} + +static void strtoupper(char *str) +{ + for (char *x = str; *x; ++x) + *x = toupper(*x); +} + +/* parse_env() parses a RISC-V architecture string. An example of such a string + * is "rv64gc_zba_zbb_zbc_zbs". Currently, the rv64gc part is ignored + * and we simply search for "_[extension]" in the arch string to see if we + * should enable a given extension. 
+ */ +#define BUFLEN 256 +static void parse_env(const char *envstr) +{ + char envstrupper[BUFLEN]; + char buf[BUFLEN]; + + /* Convert env str to all uppercase */ + OPENSSL_strlcpy(envstrupper, envstr, sizeof(envstrupper)); + strtoupper(envstrupper); + + for (size_t i = 0; i < kRISCVNumCaps; ++i) { + /* Prefix capability with underscore in preparation for search */ + BIO_snprintf(buf, BUFLEN, "_%s", RISCV_capabilities[i].name); + if (strstr(envstrupper, buf) != NULL) { + /* Match, set relevant bit in OPENSSL_riscvcap_P[] */ + OPENSSL_riscvcap_P[RISCV_capabilities[i].index] |= + (1 << RISCV_capabilities[i].bit_offset); + } + } +} + +# if defined(__GNUC__) && __GNUC__>=2 +__attribute__ ((constructor)) +# endif +void OPENSSL_cpuid_setup(void) +{ + char *e; + static int trigger = 0; + + if (trigger != 0) + return; + trigger = 1; + + if ((e = getenv("OPENSSL_riscvcap"))) { + parse_env(e); + return; + } +} diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index 61ec53d42..e69a98d11 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -450,6 +450,7 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx) const EVP_MD *sigmd, *mgf1md; EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx); int saltlen; + int saltlenMax = -1; if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0) return NULL; 
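Review bot: strtoupper() passes a plain `char` to `toupper()`; where `char` is signed, a byte above 0x7f becomes a negative argument, which the ctype functions do not define — use `*x = toupper((unsigned char)*x);`. Matching with `strstr(envstrupper, buf)` is a substring test, so a capability name that is a prefix of a longer extension name in the string would also match; if that can happen for the names in RISCV_capabilities (not visible here), the search should check that the match is followed by `_` or the terminator. A value longer than BUFLEN is silently truncated by OPENSSL_strlcpy, dropping extensions listed late in the string; that is probably acceptable, but a comment on `#define BUFLEN 256` saying so would save the next reader the question.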
@@ -457,14 +458,27 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx) return NULL; if (EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen) <= 0) return NULL; - if (saltlen == -1) { + if (saltlen == RSA_PSS_SALTLEN_DIGEST) { saltlen = EVP_MD_get_size(sigmd); - } else if (saltlen == -2 || saltlen == -3) { + } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { + /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", + * subsection 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in + * bytes) of the salt (sLen) shall satisfy 0 <= sLen <= hLen, where + * hLen is the length of the hash function output block (in bytes)." + * + * Provide a way to use at most the digest length, so that the default + * does not violate FIPS 186-4. */ + saltlen = RSA_PSS_SALTLEN_MAX; + saltlenMax = EVP_MD_get_size(sigmd); + } + if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) { saltlen = EVP_PKEY_get_size(pk) - EVP_MD_get_size(sigmd) - 2; if ((EVP_PKEY_get_bits(pk) & 0x7) == 1) saltlen--; if (saltlen < 0) return NULL; + if (saltlenMax >= 0 && saltlen > saltlenMax) + saltlen = saltlenMax; } return ossl_rsa_pss_params_create(sigmd, mgf1md, saltlen); diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index 449097b8b..9588a7596 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -1105,7 +1105,7 @@ int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen) if (ret <= 0) return ret; - /* Ownership is supposed to be transfered to the callee. */ + /* Ownership is supposed to be transferred to the callee. */ OPENSSL_free(label); return 1; } diff --git a/crypto/rsa/rsa_mp.c b/crypto/rsa/rsa_mp.c index f827c0a2f..ba042ed18 100644 --- a/crypto/rsa/rsa_mp.c +++ b/crypto/rsa/rsa_mp.c 
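Review bot: `saltlenMax = EVP_MD_get_size(sigmd)` is not checked; a 0 return forces a zero-length salt and a negative return silently disables the cap. The same unchecked call feeds `saltlen` in the RSA_PSS_SALTLEN_DIGEST branch, which predates this change. Suggest `if ((saltlenMax = EVP_MD_get_size(sigmd)) <= 0) return NULL;`. Whether EVP_MD_get_size() can actually return 0 for the digests reachable here is not visible in this hunk, so treat this as a defensive check.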
@@ -1,5 +1,5 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2017 BaishanCloud. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c index 33874bfef..bb46ec64c 100644 --- a/crypto/rsa/rsa_pss.c +++ b/crypto/rsa/rsa_pss.c @@ -1,5 +1,5 @@ /* - * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -61,11 +61,12 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, * -1 sLen == hLen * -2 salt length is autorecovered from signature * -3 salt length is maximized + * -4 salt length is autorecovered from signature * -N reserved */ if (sLen == RSA_PSS_SALTLEN_DIGEST) { sLen = hLen; - } else if (sLen < RSA_PSS_SALTLEN_MAX) { + } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED); goto err; } @@ -112,7 +113,9 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED); goto err; } - if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) { + if (sLen != RSA_PSS_SALTLEN_AUTO + && sLen != RSA_PSS_SALTLEN_AUTO_DIGEST_MAX + && (maskedDBLen - i) != sLen) { ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED, "expected: %d retrieved: %d", sLen, maskedDBLen - i); @@ -160,6 +163,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, int hLen, maskedDBLen, MSBits, emLen; unsigned char *H, *salt = NULL, *p; EVP_MD_CTX *ctx = NULL; + int sLenMax = -1; if (mgf1Hash == NULL) mgf1Hash = Hash; 
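Review bot: On the verify side RSA_PSS_SALTLEN_AUTO_DIGEST_MAX is treated exactly like RSA_PSS_SALTLEN_AUTO: the recovered salt length is accepted whatever it is, so the digest-length bound is only enforced when signing. That matches the updated comment (`-4 salt length is autorecovered from signature`), but the asymmetry deserves a line where the check is relaxed, e.g. `/* AUTO_DIGEST_MAX does not bound the recovered salt length on verify */`, so that -4 is not later read as a verification policy. If a verify-side bound is wanted, `(maskedDBLen - i) > hLen` would be the condition to reject for that mode.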
@@ -172,13 +176,25 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, * -1 sLen == hLen * -2 salt length is maximized * -3 same as above (on signing) + * -4 salt length is min(hLen, maximum salt length) * -N reserved */ + /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection + * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the + * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of + * the hash function output block (in bytes)." + * + * Provide a way to use at most the digest length, so that the default does + * not violate FIPS 186-4. */ if (sLen == RSA_PSS_SALTLEN_DIGEST) { sLen = hLen; - } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) { + } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN + || sLen == RSA_PSS_SALTLEN_AUTO) { sLen = RSA_PSS_SALTLEN_MAX; - } else if (sLen < RSA_PSS_SALTLEN_MAX) { + } else if (sLen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { + sLen = RSA_PSS_SALTLEN_MAX; + sLenMax = hLen; + } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED); goto err; } @@ -195,6 +211,8 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, } if (sLen == RSA_PSS_SALTLEN_MAX) { sLen = emLen - hLen - 2; + if (sLenMax >= 0 && sLen > sLenMax) + sLen = sLenMax; } else if (sLen > emLen - hLen - 2) { ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); goto err; diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c index 5745513c2..05fb16242 100644 --- a/crypto/rsa/rsa_sign.c +++ b/crypto/rsa/rsa_sign.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/s390xcap.c b/crypto/s390xcap.c index ea38ff8f0..59f0f3ef4 100644 --- a/crypto/s390xcap.c 
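Review bot: The FIPS 186-4 comment is placed above the whole if/else chain although it explains only the `RSA_PSS_SALTLEN_AUTO_DIGEST_MAX` branch; rsa_ameth.c in this same commit puts the identical text inside that branch, so doing the same here keeps the two files consistent and stops readers associating the quote with the DIGEST or MAX_SIGN cases. The cap `if (sLenMax >= 0 && sLen > sLenMax) sLen = sLenMax;` is correct as written, since `sLenMax` is only set to `hLen` in that branch.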
+++ b/crypto/s390xcap.c @@ -670,6 +670,12 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) 0ULL}, }; + /*- + * z16 (2022) - z/Architecture POP + * Implements MSA and MSA1-9 (same as z15). + */ + static const struct OPENSSL_s390xcap_st z16 = z15; + char *tok_begin, *tok_end, *buff, tok[S390X_STFLE_MAX][LEN + 1]; int rc, off, i, n; @@ -724,6 +730,7 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) else if TOK_CPU(z13) else if TOK_CPU(z14) else if TOK_CPU(z15) + else if TOK_CPU(z16) /* whitespace(ignored) or invalid tokens */ else { diff --git a/crypto/self_test_core.c b/crypto/self_test_core.c index dad4be208..f31fce57c 100644 --- a/crypto/self_test_core.c +++ b/crypto/self_test_core.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,7 @@ #include #include #include "internal/cryptlib.h" +#include "crypto/context.h" typedef struct self_test_cb_st { @@ -32,7 +33,7 @@ struct ossl_self_test_st }; #ifndef FIPS_MODULE -static void *self_test_set_callback_new(OSSL_LIB_CTX *ctx) +void *ossl_self_test_set_callback_new(OSSL_LIB_CTX *ctx) { SELF_TEST_CB *stcb; 
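Review bot: `static const struct OPENSSL_s390xcap_st z16 = z15;` initialises an object with static storage duration from another object, which is not a constant expression in ISO C before C23 (6.7.9p4); GCC accepts it, but a strict or non-GNU compiler may reject the file. If portability matters, a designated-initializer copy of the z15 table or a `#define` alias avoids the dependency. The comment could also state that z16 is intentionally identical to z15 and should be split out once z16-specific facilities are used.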
@@ -40,21 +41,14 @@ static void *self_test_set_callback_new(OSSL_LIB_CTX *ctx) return stcb; } -static void self_test_set_callback_free(void *stcb) +void ossl_self_test_set_callback_free(void *stcb) { OPENSSL_free(stcb); } -static const OSSL_LIB_CTX_METHOD self_test_set_callback_method = { - OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, - self_test_set_callback_new, - self_test_set_callback_free, -}; - static SELF_TEST_CB *get_self_test_callback(OSSL_LIB_CTX *libctx) { - return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_SELF_TEST_CB_INDEX, - &self_test_set_callback_method); + return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_SELF_TEST_CB_INDEX); } void OSSL_SELF_TEST_set_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK *cb, diff --git a/crypto/sha/asm/keccak1600-armv8.pl b/crypto/sha/asm/keccak1600-armv8.pl index 65102e7c2..ab7aa713a 100755 --- a/crypto/sha/asm/keccak1600-armv8.pl +++ b/crypto/sha/asm/keccak1600-armv8.pl @@ -1,5 +1,5 @@ #!/usr/bin/env perl -# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -80,6 +80,8 @@ [ 18, 2, 61, 56, 14 ]); $code.=<<___; +#include "arm_arch.h" + .text .align 8 // strategic alignment and padding that allows to use @@ -124,8 +126,8 @@ .type KeccakF1600_int,%function .align 5 KeccakF1600_int: + AARCH64_SIGN_LINK_REGISTER adr $C[2],iotas - .inst 0xd503233f // paciasp stp $C[2],x30,[sp,#16] // 32 bytes on top are mine b .Loop .align 4 @@ -297,14 +299,14 @@ bne .Loop ldr x30,[sp,#24] - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size KeccakF1600_int,.-KeccakF1600_int .type KeccakF1600,%function .align 5 KeccakF1600: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-128]! add x29,sp,#0 stp x19,x20,[sp,#16] 
@@ -354,7 +356,7 @@ ldp x25,x26,[x29,#64] ldp x27,x28,[x29,#80] ldp x29,x30,[sp],#128 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size KeccakF1600,.-KeccakF1600 @@ -362,7 +364,7 @@ .type SHA3_absorb,%function .align 5 SHA3_absorb: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-128]! add x29,sp,#0 stp x19,x20,[sp,#16] @@ -460,7 +462,7 @@ ldp x25,x26,[x29,#64] ldp x27,x28,[x29,#80] ldp x29,x30,[sp],#128 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size SHA3_absorb,.-SHA3_absorb ___ @@ -471,7 +473,7 @@ .type SHA3_squeeze,%function .align 5 SHA3_squeeze: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-48]! add x29,sp,#0 stp x19,x20,[sp,#16] @@ -534,7 +536,7 @@ ldp x19,x20,[sp,#16] ldp x21,x22,[sp,#32] ldp x29,x30,[sp],#48 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size SHA3_squeeze,.-SHA3_squeeze ___ @@ -653,7 +655,7 @@ .type KeccakF1600_cext,%function .align 5 KeccakF1600_cext: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-80]! add x29,sp,#0 stp d8,d9,[sp,#16] // per ABI requirement @@ -686,7 +688,7 @@ ldp d12,d13,[sp,#48] ldp d14,d15,[sp,#64] ldr x29,[sp],#80 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size KeccakF1600_cext,.-KeccakF1600_cext ___ @@ -699,7 +701,7 @@ .type SHA3_absorb_cext,%function .align 5 SHA3_absorb_cext: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-80]! add x29,sp,#0 stp d8,d9,[sp,#16] // per ABI requirement @@ -771,7 +773,7 @@ ldp d12,d13,[sp,#48] ldp d14,d15,[sp,#64] ldp x29,x30,[sp],#80 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size SHA3_absorb_cext,.-SHA3_absorb_cext ___ @@ -783,7 +785,7 @@ .type SHA3_squeeze_cext,%function .align 5 SHA3_squeeze_cext: - .inst 0xd503233f // paciasp + AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-16]! add x29,sp,#0 mov x9,$ctx 
@@ -839,7 +841,7 @@ .Lsqueeze_done_ce: ldr x29,[sp],#16 - .inst 0xd50323bf // autiasp + AARCH64_VALIDATE_LINK_REGISTER ret .size SHA3_squeeze_cext,.-SHA3_squeeze_cext ___ diff --git a/crypto/sha/asm/keccak1600-ppc64.pl b/crypto/sha/asm/keccak1600-ppc64.pl index 83f8d8ef3..6ab347cef 100755 --- a/crypto/sha/asm/keccak1600-ppc64.pl +++ b/crypto/sha/asm/keccak1600-ppc64.pl @@ -1,5 +1,5 @@ #!/usr/bin/env perl -# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -51,6 +51,16 @@ $PUSH ="std"; } else { die "nonsense $flavour"; } +$LITTLE_ENDIAN = ($flavour=~/le$/) ? 1 : 0; + +if ($LITTLE_ENDIAN) { + $DWORD_LE_LOAD = "ldu r0,8(r3)"; + $LE_LOAD_SIZE = "8"; +} else { + $DWORD_LE_LOAD = "bl dword_le_load"; + $LE_LOAD_SIZE = "1"; +} + $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or @@ -384,7 +394,9 @@ .byte 0,12,4,1,0x80,18,1,0 .long 0 .size KeccakF1600,.-KeccakF1600 - +___ +if (!$LITTLE_ENDIAN) { +$code.=<<___; .type dword_le_load,\@function .align 5 dword_le_load: @@ -408,7 +420,10 @@ .byte 0,12,0x14,0,0,0,1,0 .long 0 .size dword_le_load,.-dword_le_load +___ +} +$code.=<<___; .globl SHA3_absorb .type SHA3_absorb,\@function .align 5 @@ -436,7 +451,7 @@ $PUSH r0,`$FRAME+$LRSAVE`($sp) bl PICmeup - subi r4,r4,1 ; prepare for lbzu + subi r4,r4,$LE_LOAD_SIZE ; prepare for ldu or lbzu subi r12,r12,8 ; prepare for ldu $PUSH r3,`$LOCALS+0*$SIZE_T`($sp) ; save A[][] 
@@ -487,79 +502,79 @@
 srwi r5,r5,3
 $PUSH r4,`$LOCALS+2*$SIZE_T`($sp) ; save len
 mtctr r5
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[0][0],$A[0][0],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[0][1],$A[0][1],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[0][2],$A[0][2],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[0][3],$A[0][3],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[0][4],$A[0][4],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[1][0],$A[1][0],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[1][1],$A[1][1],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[1][2],$A[1][2],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[1][3],$A[1][3],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[1][4],$A[1][4],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[2][0],$A[2][0],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[2][1],$A[2][1],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[2][2],$A[2][2],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[2][3],$A[2][3],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[2][4],$A[2][4],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[3][0],$A[3][0],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[3][1],$A[3][1],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[3][2],$A[3][2],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[3][3],$A[3][3],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[3][4],$A[3][4],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[4][0],$A[4][0],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[4][1],$A[4][1],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[4][2],$A[4][2],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[4][3],$A[4][3],r0
 bdz .Lprocess_block
- bl dword_le_load ; *inp++
+ $DWORD_LE_LOAD ; *inp++
 xor $A[4][4],$A[4][4],r0
 .Lprocess_block:
diff --git a/crypto/sha/asm/sha1-armv8.pl b/crypto/sha/asm/sha1-armv8.pl
index cdea8845a..26b1dba6f 100644
--- a/crypto/sha/asm/sha1-armv8.pl
+++ b/crypto/sha/asm/sha1-armv8.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
@@ -175,8 +175,8 @@ sub BODY_20_39 {
 }
 $code.=<<___;
+#include "arm_arch.h"
 #ifndef __KERNEL__
-# include "arm_arch.h"
 .extern OPENSSL_armcap_P
 .hidden OPENSSL_armcap_P
 #endif
@@ -187,11 +187,13 @@ sub BODY_20_39 {
 .type sha1_block_data_order,%function
 .align 6
 sha1_block_data_order:
+ AARCH64_VALID_CALL_TARGET
 adrp x16,OPENSSL_armcap_P
 ldr w16,[x16,#:lo12:OPENSSL_armcap_P]
 tst w16,#ARMV8_SHA1
 b.ne .Lv8_entry
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
 stp x29,x30,[sp,#-96]!
 add x29,sp,#0
 stp x19,x20,[sp,#16]
@@ -253,6 +255,7 @@ sub BODY_20_39 {
 .align 6
 sha1_block_armv8:
 .Lv8_entry:
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
 stp x29,x30,[sp,#-16]!
 add x29,sp,#0
diff --git a/crypto/sha/asm/sha512-armv8.pl b/crypto/sha/asm/sha512-armv8.pl
index 6bcff0b7d..ae10d4a33 100644
--- a/crypto/sha/asm/sha512-armv8.pl
+++ b/crypto/sha/asm/sha512-armv8.pl
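Review bot: In the sha1-armv8.pl `@@ -187` hunk, the added comment `// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.` states a fact but not the consequence a reader needs in order to accept that this function gets no `AARCH64_SIGN_LINK_REGISTER`, unlike the keccak and sha512 routines in this same change. If the saved x30 is never reloaded, a stack overwrite cannot redirect the final `ret`, so signing would add nothing; I would say so: `// PAuth: x30 is saved but never reloaded, so the return address never round-trips through memory and needs no paciasp/autiasp.` The epilogue that establishes this is outside the hunk, so the claim should be checked against it. Likewise `sha1_block_armv8`/`.Lv8_entry` gets no `AARCH64_VALID_CALL_TARGET`, which is only correct if it is reached solely by the direct `b.ne .Lv8_entry` and never through an indirect call; a short comment stating that would close the question.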
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
@@ -190,8 +190,8 @@ sub BODY_00_xx {
 }
 $code.=<<___;
+#include "arm_arch.h"
 #ifndef __KERNEL__
-# include "arm_arch.h"
 .extern OPENSSL_armcap_P
 .hidden OPENSSL_armcap_P
 #endif
@@ -202,6 +202,7 @@ sub BODY_00_xx {
 .type $func,%function
 .align 6
 $func:
+ AARCH64_VALID_CALL_TARGET
 #ifndef __KERNEL__
 adrp x16,OPENSSL_armcap_P
 ldr w16,[x16,#:lo12:OPENSSL_armcap_P]
@@ -218,7 +219,7 @@ sub BODY_00_xx {
 ___
 $code.=<<___;
 #endif
- .inst 0xd503233f // paciasp
+ AARCH64_SIGN_LINK_REGISTER
 stp x29,x30,[sp,#-128]!
 add x29,sp,#0
@@ -280,7 +281,7 @@ sub BODY_00_xx {
 ldp x25,x26,[x29,#64]
 ldp x27,x28,[x29,#80]
 ldp x29,x30,[sp],#128
- .inst 0xd50323bf // autiasp
+ AARCH64_VALIDATE_LINK_REGISTER
 ret
 .size $func,.-$func
@@ -370,6 +371,7 @@ sub BODY_00_xx {
 .align 6
 sha256_block_armv8:
 .Lv8_entry:
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
 stp x29,x30,[sp,#-16]!
 add x29,sp,#0
@@ -632,7 +634,9 @@ ()
 .type sha256_block_neon,%function
 .align 4
 sha256_block_neon:
+ AARCH64_VALID_CALL_TARGET
 .Lneon_entry:
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later
 stp x29, x30, [sp, #-16]!
 mov x29, sp
 sub sp,sp,#16*4
@@ -743,6 +747,7 @@ ()
 .align 6
 sha512_block_armv8:
 .Lv8_entry:
+ // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later
 stp x29,x30,[sp,#-16]!
 add x29,sp,#0
diff --git a/crypto/sha/asm/sha512-ia64.pl b/crypto/sha/asm/sha512-ia64.pl
index e147f2682..178cc149d 100755
--- a/crypto/sha/asm/sha512-ia64.pl
+++ b/crypto/sha/asm/sha512-ia64.pl
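Review bot: In the sha512-armv8.pl `@@ -370` and `@@ -743` hunks, `sha256_block_armv8` and `sha512_block_armv8` receive only the PAuth comment at `.Lv8_entry`, while `sha256_block_neon` in the `@@ -632` hunk gets an `AARCH64_VALID_CALL_TARGET` landing pad. That asymmetry is correct only if the `_armv8` entry points are reached exclusively by the direct `b.ne .Lv8_entry` from `$func`; if either symbol is also global and ever called through a function pointer, a BTI-enforcing process faults on entry, because BTI checks indirect calls only. The `.globl`/`.type` lines that decide this are outside the hunks, so I would either add `AARCH64_VALID_CALL_TARGET` after each `.Lv8_entry:` label (a `bti c` is harmless on a direct branch) or document the assumption: `// no BTI landing pad: only reached by direct branch from $func`. Minor style point: the two copies of the PAuth comment differ in a trailing period.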
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/sha/build.info b/crypto/sha/build.info
index d61f7de9b..556a658d8 100644
--- a/crypto/sha/build.info
+++ b/crypto/sha/build.info
@@ -153,6 +153,7 @@ INCLUDE[sha256-armv8.o]=..
 GENERATE[sha512-armv8.S]=asm/sha512-armv8.pl
 INCLUDE[sha512-armv8.o]=..
 GENERATE[keccak1600-armv8.S]=asm/keccak1600-armv8.pl
+INCLUDE[keccak1600-armv8.o]=..
 GENERATE[sha1-s390x.S]=asm/sha1-s390x.pl
 INCLUDE[sha1-s390x.o]=..
diff --git a/crypto/sha/sha256.c b/crypto/sha/sha256.c
index 5845c3893..996ef1005 100644
--- a/crypto/sha/sha256.c
+++ b/crypto/sha/sha256.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -129,18 +129,63 @@ static const SHA_LONG K256[64] = { 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL }; +# ifndef PEDANTIC +# if defined(__GNUC__) && __GNUC__>=2 && \ + !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) +# if defined(__riscv_zknh) +# define Sigma0(x) ({ MD32_REG_T ret; \ + asm ("sha256sum0 %0, %1" \ + : "=r"(ret) \ + : "r"(x)); ret; }) +# define Sigma1(x) ({ MD32_REG_T ret; \ + asm ("sha256sum1 %0, %1" \ + : "=r"(ret) \ + : "r"(x)); ret; }) +# define sigma0(x) ({ MD32_REG_T ret; \ + asm ("sha256sig0 %0, %1" \ + : "=r"(ret) \ + : "r"(x)); ret; }) +# define sigma1(x) ({ MD32_REG_T ret; \ + asm ("sha256sig1 %0, %1" \ + : "=r"(ret) \ + : "r"(x)); ret; }) +# endif +# if defined(__riscv_zbt) || defined(__riscv_zpn) +# define Ch(x,y,z) ({ MD32_REG_T ret; \ + asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\ + : "=r"(ret) \ + : "r"(x), "r"(y), "r"(z)); ret; }) +# define Maj(x,y,z) ({ MD32_REG_T ret; \ + asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\ + : "=r"(ret) \ + : "r"(x^z), "r"(y), "r"(x)); ret; }) +# endif +# endif +# endif + /* * FIPS specification refers to right rotations, while our ROTATE macro * is left one. This is why you might notice that rotation coefficients * differ from those observed in FIPS document by 32-N... 
*/ -# define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10)) -# define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7)) -# define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3)) -# define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10)) - -# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) -# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) +# ifndef Sigma0 +# define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10)) +# endif +# ifndef Sigma1 +# define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7)) +# endif +# ifndef sigma0 +# define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3)) +# endif +# ifndef sigma1 +# define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10)) +# endif +# ifndef Ch +# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) +# endif +# ifndef Maj +# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) +# endif # ifdef OPENSSL_SMALL_FOOTPRINT diff --git a/crypto/sha/sha512.c b/crypto/sha/sha512.c index ff035c469..9d44eb28e 100644 --- a/crypto/sha/sha512.c +++ b/crypto/sha/sha512.c @@ -1,5 +1,5 @@ /* - * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
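Review bot: The `Ch`/`Maj` fast path under `__riscv_zbt || __riscv_zpn` hard-codes an instruction encoding with `.insn r4 0x33, 1, 0x3, ...` and never names it, so a reader cannot audit the macro without decoding the fields by hand. It is the ternary bit-mix (`cmix`, rd = (rs1 & rs2) | (rs3 & ~rs2)); with the operand order `%0, %2, %1, %3` the selector slot rs2 receives `x` (or `x^z` for `Maj`) and the data slots `y`/`z` (or `y`/`x`), which does yield Ch and Maj, but as far as I can tell Zbt was dropped before Bitmanip 1.0 was ratified and `__riscv_zbt` is only defined by toolchains carrying the draft, so nothing guarantees this opcode space keeps that meaning. I would add above the `Ch` define: `/* cmix rd,rs2,rs1,rs3: rd = (rs1 & rs2) | (rs3 & ~rs2) -- draft Zbt/Zpn encoding, not in the ratified Zb* spec */`. These macros are also selected purely at compile time by `-march`, with no runtime capability check, so a build with `zknh`/`zbt` enabled will SIGILL on a core that lacks them; that matches the other inline-asm hints in this file but deserves the same one-line note.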
@@ -432,6 +432,103 @@ static const SHA_LONG64 K512[80] = { : "=r"(ret) \ : "r"(*((const SHA_LONG64 *)(&(x))))); ret; }) # endif +# elif (defined(__riscv_zbkb) || defined(__riscv_zbb)) && __riscv_xlen == 32 +# define PULL64(x) ({ SHA_LONG64 ret; \ + unsigned int *r = (unsigned int *)(&(ret)); \ + const unsigned int *p = (const unsigned int *)(&(x)); \ + asm ("rev8 %0, %1" \ + : "=r"(r[0]) \ + : "r" (p[1])); \ + asm ("rev8 %0, %1" \ + : "=r"(r[1]) \ + : "r" (p[0])); ret; }) +# elif (defined(__riscv_zbkb) || defined(__riscv_zbb)) && __riscv_xlen == 64 +# define PULL64(x) ({ SHA_LONG64 ret; \ + asm ("rev8 %0, %1" \ + : "=r"(ret) \ + : "r"(x)); ret; }) +# endif +# if defined(__riscv_zknh) && __riscv_xlen == 32 +# define Sigma0(x) ({ SHA_LONG64 ret; unsigned int *r = (unsigned int *)(&(ret)); \ + const unsigned int *p = (const unsigned int *)(&(x)); \ + asm ("sha512sum0r %0, %1, %2" \ + : "=r"(r[0]) \ + : "r" (p[0]), "r" (p[1])); \ + asm ("sha512sum0r %0, %2, %1" \ + : "=r"(r[1]) \ + : "r" (p[0]), "r" (p[1])); ret; }) +# define Sigma1(x) ({ SHA_LONG64 ret; unsigned int *r = (unsigned int *)(&(ret)); \ + const unsigned int *p = (const unsigned int *)(&(x)); \ + asm ("sha512sum1r %0, %1, %2" \ + : "=r"(r[0]) \ + : "r" (p[0]), "r" (p[1])); \ + asm ("sha512sum1r %0, %2, %1" \ + : "=r"(r[1]) \ + : "r" (p[0]), "r" (p[1])); ret; }) +# define sigma0(x) ({ SHA_LONG64 ret; unsigned int *r = (unsigned int *)(&(ret)); \ + const unsigned int *p = (const unsigned int *)(&(x)); \ + asm ("sha512sig0l %0, %1, %2" \ + : "=r"(r[0]) \ + : "r" (p[0]), "r" (p[1])); \ + asm ("sha512sig0h %0, %2, %1" \ + : "=r"(r[1]) \ + : "r" (p[0]), "r" (p[1])); ret; }) +# define sigma1(x) ({ SHA_LONG64 ret; unsigned int *r = (unsigned int *)(&(ret)); \ + const unsigned int *p = (const unsigned int *)(&(x)); \ + asm ("sha512sig1l %0, %1, %2" \ + : "=r"(r[0]) \ + : "r" (p[0]), "r" (p[1])); \ + asm ("sha512sig1h %0, %2, %1" \ + : "=r"(r[1]) \ + : "r" (p[0]), "r" (p[1])); ret; }) +# elif defined(__riscv_zknh) && 
__riscv_xlen == 64 +# define Sigma0(x) ({ SHA_LONG64 ret; \ + asm ("sha512sum0 %0, %1" \ + : "=r"(ret) \ + : "r"(x)); ret; }) +# define Sigma1(x) ({ SHA_LONG64 ret; \ + asm ("sha512sum1 %0, %1" \ + : "=r"(ret) \ + : "r"(x)); ret; }) +# define sigma0(x) ({ SHA_LONG64 ret; \ + asm ("sha512sig0 %0, %1" \ + : "=r"(ret) \ + : "r"(x)); ret; }) +# define sigma1(x) ({ SHA_LONG64 ret; \ + asm ("sha512sig1 %0, %1" \ + : "=r"(ret) \ + : "r"(x)); ret; }) +# endif +# if (defined(__riscv_zbt) || defined(__riscv_zpn)) && __riscv_xlen == 32 +# define Ch(x,y,z) ({ SHA_LONG64 ret; unsigned int *r = (unsigned int *)(&(ret)); \ + const unsigned int *xp = (const unsigned int *)(&(x)); \ + const unsigned int *yp = (const unsigned int *)(&(y)); \ + const unsigned int *zp = (const unsigned int *)(&(z)); \ + asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3\n\t" \ + : "=r"(r[0]) \ + : "r"(xp[0]), "r"(yp[0]), "r"(zp[0])); \ + asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3\n\t" \ + : "=r"(r[1]) \ + : "r"(xp[1]), "r"(yp[1]), "r"(zp[1])); ret; }) +# define Maj(x,y,z) ({ SHA_LONG64 ret; unsigned int *r = (unsigned int *)(&(ret)); \ + const unsigned int *xp = (const unsigned int *)(&(x)); \ + const unsigned int *yp = (const unsigned int *)(&(y)); \ + const unsigned int *zp = (const unsigned int *)(&(z)); \ + asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3\n\t" \ + : "=r"(r[0]) \ + : "r"(xp[0]^zp[0]), "r"(yp[0]), "r"(zp[0])); \ + asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3\n\t" \ + : "=r"(r[1]) \ + : "r"(xp[1]^zp[1]), "r"(yp[1]), "r"(zp[1])); ret; }) +# elif (defined(__riscv_zbt) || defined(__riscv_zpn)) && __riscv_xlen == 64 +# define Ch(x,y,z) ({ SHA_LONG64 ret; \ + asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\ + : "=r"(ret) \ + : "r"(x), "r"(y), "r"(z)); ret; }) +# define Maj(x,y,z) ({ SHA_LONG64 ret; \ + asm (".insn r4 0x33, 1, 0x3, %0, %2, %1, %3"\ + : "=r"(ret) \ + : "r"(x^z), "r"(y), "r"(x)); ret; }) # endif # elif defined(_MSC_VER) # if defined(_WIN64) /* applies to both IA-64 and AMD64 */ 
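Review bot: The `__riscv_xlen == 32` variants of `PULL64`, `Sigma0`/`Sigma1`, `sigma0`/`sigma1`, `Ch` and `Maj` write the two halves of `ret` through `unsigned int *r = (unsigned int *)(&(ret))` and then return `ret` as a `SHA_LONG64`; under strict aliasing the compiler may treat those `unsigned int` stores as not touching `ret`, so at -O2 they can be scheduled after the read or dropped as dead and `ret` returned uninitialised. The input side, `const unsigned int *p = (const unsigned int *)(&(x))`, has the same problem in the other direction, and the asm operand constraints do not help because the aliasing decision is made on the C lvalues. The 64-bit variants are register-only and unaffected. A union is the GCC-sanctioned way to do this punning and leaves the asm itself unchanged; the same shape applies to the other five 32-bit macros.
```c
# elif (defined(__riscv_zbkb) || defined(__riscv_zbb)) && __riscv_xlen == 32
/* Split the 64-bit value through a union rather than an (unsigned int *)
 * cast so the half-word accesses are not a strict-aliasing violation. */
#  define PULL64(x) ({ union { SHA_LONG64 q; unsigned int w[2]; } in, out; \
                       in.q = (x);                                        \
                       asm ("rev8 %0, %1"                                 \
                            : "=r"(out.w[0])                              \
                            : "r" (in.w[1]));                             \
                       asm ("rev8 %0, %1"                                 \
                            : "=r"(out.w[1])                              \
                            : "r" (in.w[0])); out.q; })
/* … unchanged: 64-bit PULL64 and the Zknh/Zbt blocks; each xlen==32 macro is
   rewritten the same way with in.w[0]/in.w[1] and out.w[0]/out.w[1] … */
```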
@@ -472,12 +569,24 @@ static SHA_LONG64 __fastcall __pull64be(const void *x)
 # ifndef ROTR
 # define ROTR(x,s) (((x)>>s) | (x)<<(64-s))
 # endif
-# define Sigma0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
-# define Sigma1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))
-# define sigma0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7))
-# define sigma1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))
-# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
-# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+# ifndef Sigma0
+# define Sigma0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
+# endif
+# ifndef Sigma1
+# define Sigma1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))
+# endif
+# ifndef sigma0
+# define sigma0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7))
+# endif
+# ifndef sigma1
+# define sigma1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))
+# endif
+# ifndef Ch
+# define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
+# endif
+# ifndef Maj
+# define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+# endif
 # if defined(__i386) || defined(__i386__) || defined(_M_IX86)
 /*
diff --git a/crypto/siphash/siphash.c b/crypto/siphash/siphash.c
index 57f61c1db..e2be3ca59 100644
--- a/crypto/siphash/siphash.c
+++ b/crypto/siphash/siphash.c
@@ -210,22 +210,22 @@ int SipHash_Final(SIPHASH *ctx, unsigned char *out, size_t outlen)
 switch (ctx->len) {
 case 7:
 b |= ((uint64_t)ctx->leavings[6]) << 48;
- /* fall thru */
+ /* fall through */
 case 6:
 b |= ((uint64_t)ctx->leavings[5]) << 40;
- /* fall thru */
+ /* fall through */
 case 5:
 b |= ((uint64_t)ctx->leavings[4]) << 32;
- /* fall thru */
+ /* fall through */
 case 4:
 b |= ((uint64_t)ctx->leavings[3]) << 24;
- /* fall thru */
+ /* fall through */
 case 3:
 b |= ((uint64_t)ctx->leavings[2]) << 16;
- /* fall thru */
+ /* fall through */
 case 2:
 b |= ((uint64_t)ctx->leavings[1]) << 8;
- /* fall thru */
+ /* fall through */
 case 1:
 b |= ((uint64_t)ctx->leavings[0]);
 case 0:
diff --git a/crypto/sm2/sm2_sign.c b/crypto/sm2/sm2_sign.c index 5861f420f..88c67edfd 100644 --- a/crypto/sm2/sm2_sign.c +++ b/crypto/sm2/sm2_sign.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2017 Ribose Inc. All Rights Reserved. * Ported from Ribose contributions from Botan. * @@ -17,7 +17,6 @@ #include "internal/numbers.h" #include #include -#include #include #include diff --git a/crypto/sm3/asm/sm3-armv8.pl b/crypto/sm3/asm/sm3-armv8.pl new file mode 100644 index 000000000..729ca4fb3 --- /dev/null +++ b/crypto/sm3/asm/sm3-armv8.pl 
@@ -0,0 +1,281 @@ +#! /usr/bin/env perl +# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html +# +# This module implements support for Armv8 SM3 instructions + +# $output is the last argument if it looks like a file (it has an extension) +# $flavour is the first argument if it doesn't look like a file +$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; +$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or +( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or +die "can't locate arm-xlate.pl"; + +open OUT,"| \"$^X\" $xlate $flavour \"$output\"" + or die "can't call $xlate: $!"; +*STDOUT=*OUT; + +# Message expanding: +# Wj <- P1(W[j-16]^W[j-9]^(W[j-3]<<<15))^(W[j-13]<<<7)^W[j-6] +# Input: s0, s1, s2, s3 +# s0 = w0 | w1 | w2 | w3 +# s1 = w4 | w5 | w6 | w7 +# s2 = w8 | w9 | w10 | w11 +# s3 = w12 | w13 | w14 | w15 +# Output: s4 +sub msg_exp () { +my $s0 = shift; +my $s1 = shift; +my $s2 = shift; +my $s3 = shift; +my $s4 = shift; +my $vtmp1 = shift; +my $vtmp2 = shift; +$code.=<<___; + // s4 = w7 | w8 | w9 | w10 + ext $s4.16b, $s1.16b, $s2.16b, #12 + // vtmp1 = w3 | w4 | w5 | w6 + ext $vtmp1.16b, $s0.16b, $s1.16b, #12 + // vtmp2 = w10 | w11 | w12 | w13 + ext $vtmp2.16b, $s2.16b, $s3.16b, #8 + sm3partw1 $s4.4s, $s0.4s, $s3.4s + sm3partw2 $s4.4s, $vtmp2.4s, $vtmp1.4s +___ +} + +# A round of compresson function +# Input: +# ab - choose instruction among sm3tt1a, sm3tt1b, sm3tt2a, sm3tt2b +# vstate0 - vstate1, store digest status(A - H) +# vconst0 - vconst1, interleaved used to store Tj <<< j +# vtmp - temporary register +# vw - for sm3tt1ab, vw = s0 eor s1 +# s0 - for sm3tt2ab, just 
be s0 +# i, choose wj' or wj from vw +sub round () { +my $ab = shift; +my $vstate0 = shift; +my $vstate1 = shift; +my $vconst0 = shift; +my $vconst1 = shift; +my $vtmp = shift; +my $vw = shift; +my $s0 = shift; +my $i = shift; +$code.=<<___; + sm3ss1 $vtmp.4s, $vstate0.4s, $vconst0.4s, $vstate1.4s + shl $vconst1.4s, $vconst0.4s, #1 + sri $vconst1.4s, $vconst0.4s, #31 + sm3tt1$ab $vstate0.4s, $vtmp.4s, $vw.4s[$i] + sm3tt2$ab $vstate1.4s, $vtmp.4s, $s0.4s[$i] +___ +} + +sub qround () { +my $ab = shift; +my $vstate0 = shift; +my $vstate1 = shift; +my $vconst0 = shift; +my $vconst1 = shift; +my $vtmp1 = shift; +my $vtmp2 = shift; +my $s0 = shift; +my $s1 = shift; +my $s2 = shift; +my $s3 = shift; +my $s4 = shift; + if($s4) { + &msg_exp($s0, $s1, $s2, $s3, $s4, $vtmp1, $vtmp2); + } +$code.=<<___; + eor $vtmp1.16b, $s0.16b, $s1.16b +___ + &round($ab, $vstate0, $vstate1, $vconst0, $vconst1, $vtmp2, + $vtmp1, $s0, 0); + &round($ab, $vstate0, $vstate1, $vconst1, $vconst0, $vtmp2, + $vtmp1, $s0, 1); + &round($ab, $vstate0, $vstate1, $vconst0, $vconst1, $vtmp2, + $vtmp1, $s0, 2); + &round($ab, $vstate0, $vstate1, $vconst1, $vconst0, $vtmp2, + $vtmp1, $s0, 3); +} + +$code=<<___; +#include "arm_arch.h" +.arch armv8.2-a +.text +___ + +{{{ +my ($pstate,$pdata,$num)=("x0","x1","w2"); +my ($state1,$state2)=("v5","v6"); +my ($sconst1, $sconst2)=("s16","s17"); +my ($vconst1, $vconst2)=("v16","v17"); +my ($s0,$s1,$s2,$s3,$s4)=map("v$_",(0..4)); +my ($bkstate1,$bkstate2)=("v18","v19"); +my ($vconst_tmp1,$vconst_tmp2)=("v20","v21"); +my ($vtmp1,$vtmp2)=("v22","v23"); +my $constaddr="x8"; +# void ossl_hwsm3_block_data_order(SM3_CTX *c, const void *p, size_t num) +$code.=<<___; +.globl ossl_hwsm3_block_data_order +.type ossl_hwsm3_block_data_order,%function +.align 5 +ossl_hwsm3_block_data_order: + AARCH64_VALID_CALL_TARGET + // load state + ld1 {$state1.4s-$state2.4s}, [$pstate] + rev64 $state1.4s, $state1.4s + rev64 $state2.4s, $state2.4s + ext $state1.16b, $state1.16b, $state1.16b, #8 
+ ext $state2.16b, $state2.16b, $state2.16b, #8 + + adr $constaddr, .Tj + ldp $sconst1, $sconst2, [$constaddr] + +.Loop: + // load input + ld1 {$s0.16b-$s3.16b}, [$pdata], #64 + sub $num, $num, #1 + + mov $bkstate1.16b, $state1.16b + mov $bkstate2.16b, $state2.16b + +#ifndef __ARMEB__ + rev32 $s0.16b, $s0.16b + rev32 $s1.16b, $s1.16b + rev32 $s2.16b, $s2.16b + rev32 $s3.16b, $s3.16b +#endif + + ext $vconst_tmp1.16b, $vconst1.16b, $vconst1.16b, #4 +___ + &qround("a",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, + $s0,$s1,$s2,$s3,$s4); + &qround("a",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, + $s1,$s2,$s3,$s4,$s0); + &qround("a",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, + $s2,$s3,$s4,$s0,$s1); + &qround("a",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, + $s3,$s4,$s0,$s1,$s2); + +$code.=<<___; + ext $vconst_tmp1.16b, $vconst2.16b, $vconst2.16b, #4 +___ + + &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, + $s4,$s0,$s1,$s2,$s3); + &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, + $s0,$s1,$s2,$s3,$s4); + &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, + $s1,$s2,$s3,$s4,$s0); + &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, + $s2,$s3,$s4,$s0,$s1); + &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, + $s3,$s4,$s0,$s1,$s2); + &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, + $s4,$s0,$s1,$s2,$s3); + &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, + $s0,$s1,$s2,$s3,$s4); + &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, + $s1,$s2,$s3,$s4,$s0); + &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, + $s2,$s3,$s4,$s0,$s1); + &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, + $s3,$s4); + &qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, + $s4,$s0); + 
&qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2, + $s0,$s1); + +$code.=<<___; + eor $state1.16b, $state1.16b, $bkstate1.16b + eor $state2.16b, $state2.16b, $bkstate2.16b + + // any remained blocks? + cbnz $num, .Loop + + // save state + rev64 $state1.4s, $state1.4s + rev64 $state2.4s, $state2.4s + ext $state1.16b, $state1.16b, $state1.16b, #8 + ext $state2.16b, $state2.16b, $state2.16b, #8 + st1 {$state1.4s-$state2.4s}, [$pstate] + ret +.size ossl_hwsm3_block_data_order,.-ossl_hwsm3_block_data_order + +.align 3 +.Tj: +.word 0x79cc4519, 0x9d8a7a87 +___ +}}} + +######################################### +my %sm3partopcode = ( + "sm3partw1" => 0xce60C000, + "sm3partw2" => 0xce60C400); + +my %sm3ss1opcode = ( + "sm3ss1" => 0xce400000); + +my %sm3ttopcode = ( + "sm3tt1a" => 0xce408000, + "sm3tt1b" => 0xce408400, + "sm3tt2a" => 0xce408800, + "sm3tt2b" => 0xce408C00); + +sub unsm3part { + my ($mnemonic,$arg)=@_; + + $arg=~ m/[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)/o + && + sprintf ".inst\t0x%08x\t//%s %s", + $sm3partopcode{$mnemonic}|$1|($2<<5)|($3<<16), + $mnemonic,$arg; +} + +sub unsm3ss1 { + my ($mnemonic,$arg)=@_; + + $arg=~ m/[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)/o + && + sprintf ".inst\t0x%08x\t//%s %s", + $sm3ss1opcode{$mnemonic}|$1|($2<<5)|($3<<16)|($4<<10), + $mnemonic,$arg; +} + +sub unsm3tt { + my ($mnemonic,$arg)=@_; + + $arg=~ m/[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*\[([0-3])\]/o + && + sprintf ".inst\t0x%08x\t//%s %s", + $sm3ttopcode{$mnemonic}|$1|($2<<5)|($3<<16)|($4<<12), + $mnemonic,$arg; +} + +open SELF,$0; +while() { + next if (/^#!/); + last if (!s/^#/\/\// and !/^$/); + print; +} +close SELF; + +foreach(split("\n",$code)) { + s/\`([^\`]*)\`/eval($1)/ge; + + s/\b(sm3partw[1-2])\s+([qv].*)/unsm3part($1,$2)/ge; + s/\b(sm3ss1)\s+([qv].*)/unsm3ss1($1,$2)/ge; + s/\b(sm3tt[1-2][a-b])\s+([qv].*)/unsm3tt($1,$2)/ge; + print $_,"\n"; +} + +close STDOUT or die "error closing STDOUT: $!"; 
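Review bot: `ossl_hwsm3_block_data_order` loads the first block before it decrements `$num` with `sub $num, $num, #1` and loops on `cbnz $num, .Loop`, so a call with `num == 0` processes one block it was not given and then wraps `w2` to 0xffffffff, reading far past the input. The C caller behind `HASH_BLOCK_DATA_ORDER` presumably never passes zero, but this is a global symbol with no guard of its own, and the equivalent C routine's `while (num--)` shape is safe. Either document the precondition in the function header, `// num must be >= 1; the block loop is do-while`, or add `cbz $num, .Lsave` after the `ldp $sconst1, $sconst2, [$constaddr]` load and label the `// save state` block `.Lsave:`, which costs one instruction and makes the empty call a no-op that rewrites the unchanged state. The same do-while pattern should be checked in sm4-armv8.pl below, whose hunk runs past the end of this view.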
diff --git a/crypto/sm3/build.info b/crypto/sm3/build.info
index eca68216f..2fa54a4a8 100644
--- a/crypto/sm3/build.info
+++ b/crypto/sm3/build.info
@@ -1,5 +1,22 @@
 LIBS=../../libcrypto
 IF[{- !$disabled{sm3} -}]
- SOURCE[../../libcrypto]=sm3.c legacy_sm3.c
-ENDIF
\ No newline at end of file
+ IF[{- !$disabled{asm} -}]
+ $SM3ASM_aarch64=sm3-armv8.S
+ $SM3DEF_aarch64=OPENSSL_SM3_ASM
+
+ # Now that we have defined all the arch specific variables, use the
+ # appropriate ones, and define the appropriate macros
+ IF[$SM3ASM_{- $target{asm_arch} -}]
+ $SM3ASM=$SM3ASM_{- $target{asm_arch} -}
+ $SM3DEF=$SM3DEF_{- $target{asm_arch} -}
+ ENDIF
+ ENDIF
+
+ SOURCE[../../libcrypto]=sm3.c legacy_sm3.c $SM3ASM
+ DEFINE[../../libcrypto]=$SM3DEF
+
+ GENERATE[sm3-armv8.S]=asm/sm3-armv8.pl
+ INCLUDE[sm3-armv8.o]=..
+ENDIF
+
diff --git a/crypto/sm3/sm3_local.h b/crypto/sm3/sm3_local.h
index 6daeb878a..cb5a187a1 100644
--- a/crypto/sm3/sm3_local.h
+++ b/crypto/sm3/sm3_local.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2017 Ribose Inc. All Rights Reserved.
 * Ported from Ribose contributions from Botan.
 *
@@ -32,15 +32,49 @@ ll=(c)->G; (void)HOST_l2c(ll, (s)); \ ll=(c)->H; (void)HOST_l2c(ll, (s)); \ } while (0) -#define HASH_BLOCK_DATA_ORDER ossl_sm3_block_data_order + +#if defined(OPENSSL_SM3_ASM) +# if defined(__aarch64__) +# include "crypto/arm_arch.h" +# define HWSM3_CAPABLE (OPENSSL_armcap_P & ARMV8_SM3) +void ossl_hwsm3_block_data_order(SM3_CTX *c, const void *p, size_t num); +# endif +#endif + +#if defined(HWSM3_CAPABLE) +# define HASH_BLOCK_DATA_ORDER (HWSM3_CAPABLE ? ossl_hwsm3_block_data_order \ + : ossl_sm3_block_data_order) +#else +# define HASH_BLOCK_DATA_ORDER ossl_sm3_block_data_order +#endif void ossl_sm3_block_data_order(SM3_CTX *c, const void *p, size_t num); void ossl_sm3_transform(SM3_CTX *c, const unsigned char *data); #include "crypto/md32_common.h" -#define P0(X) (X ^ ROTATE(X, 9) ^ ROTATE(X, 17)) -#define P1(X) (X ^ ROTATE(X, 15) ^ ROTATE(X, 23)) +#ifndef PEDANTIC +# if defined(__GNUC__) && __GNUC__>=2 && \ + !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) +# if defined(__riscv_zksh) +# define P0(x) ({ MD32_REG_T ret; \ + asm ("sm3p0 %0, %1" \ + : "=r"(ret) \ + : "r"(x)); ret; }) +# define P1(x) ({ MD32_REG_T ret; \ + asm ("sm3p1 %0, %1" \ + : "=r"(ret) \ + : "r"(x)); ret; }) +# endif +# endif +#endif + +#ifndef P0 +# define P0(X) (X ^ ROTATE(X, 9) ^ ROTATE(X, 17)) +#endif +#ifndef P1 +# define P1(X) (X ^ ROTATE(X, 15) ^ ROTATE(X, 23)) +#endif #define FF0(X,Y,Z) (X ^ Y ^ Z) #define GG0(X,Y,Z) (X ^ Y ^ Z) diff --git a/crypto/sm4/asm/sm4-armv8.pl b/crypto/sm4/asm/sm4-armv8.pl new file mode 100755 index 000000000..7358a6e6a --- /dev/null +++ b/crypto/sm4/asm/sm4-armv8.pl 
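Review bot: `HWSM3_CAPABLE` is only as good as the `ARMV8_SM3` bit it tests, and neither that definition nor the runtime probe that sets it (presumably an HWCAP_SM3 check in armcap.c) is part of this hunk; if the bit were defined but never set, the hardware path would silently never run, and a test suite cannot tell that apart from the C path because both produce identical digests. I would add at the `# define HWSM3_CAPABLE` line: `/* ARMV8_SM3 is set by the armcap probe from the kernel HWCAP; see crypto/armcap.c */`, and have an aarch64 CI job on SM3-capable hardware assert the bit. Separately, `HASH_BLOCK_DATA_ORDER` is now a conditional expression evaluated at every call site in md32_common.h, so the dispatch re-reads `OPENSSL_armcap_P` on each call; that is correct, but it differs from the in-asm `tst w16,#ARMV8_SHA1` dispatch used by sha1-armv8.pl in this same change and merits a one-line note. The `__riscv_zksh` `P0`/`P1` path is selected at compile time only, so a library built with `zksh` in `-march` will SIGILL on cores without it, which mirrors the SHA-2 hints but should be stated next to the `#if`.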
@@ -0,0 +1,635 @@ +#! /usr/bin/env perl +# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# +# This module implements support for SM4 hw support on aarch64 +# Oct 2021 +# + +# $output is the last argument if it looks like a file (it has an extension) +# $flavour is the first argument if it doesn't look like a file +$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; +$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or +( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or +die "can't locate arm-xlate.pl"; + +open OUT,"| \"$^X\" $xlate $flavour \"$output\"" + or die "can't call $xlate: $!"; +*STDOUT=*OUT; + +$prefix="sm4_v8"; +my @rks=map("v$_",(0..7)); + +sub rev32() { +my $dst = shift; +my $src = shift; +$code.=<<___; +#ifndef __ARMEB__ + rev32 $dst.16b,$src.16b +#endif +___ +} + +sub enc_blk () { +my $data = shift; +$code.=<<___; + sm4e $data.4s,@rks[0].4s + sm4e $data.4s,@rks[1].4s + sm4e $data.4s,@rks[2].4s + sm4e $data.4s,@rks[3].4s + sm4e $data.4s,@rks[4].4s + sm4e $data.4s,@rks[5].4s + sm4e $data.4s,@rks[6].4s + sm4e $data.4s,@rks[7].4s + rev64 $data.4S,$data.4S + ext $data.16b,$data.16b,$data.16b,#8 +___ +} + +sub enc_4blks () { +my $data0 = shift; +my $data1 = shift; +my $data2 = shift; +my $data3 = shift; +$code.=<<___; + sm4e $data0.4s,@rks[0].4s + sm4e $data1.4s,@rks[0].4s + sm4e $data2.4s,@rks[0].4s + sm4e $data3.4s,@rks[0].4s + + sm4e $data0.4s,@rks[1].4s + sm4e $data1.4s,@rks[1].4s + sm4e $data2.4s,@rks[1].4s + sm4e $data3.4s,@rks[1].4s + + sm4e $data0.4s,@rks[2].4s + sm4e $data1.4s,@rks[2].4s + sm4e $data2.4s,@rks[2].4s + sm4e $data3.4s,@rks[2].4s + + sm4e 
$data0.4s,@rks[3].4s + sm4e $data1.4s,@rks[3].4s + sm4e $data2.4s,@rks[3].4s + sm4e $data3.4s,@rks[3].4s + + sm4e $data0.4s,@rks[4].4s + sm4e $data1.4s,@rks[4].4s + sm4e $data2.4s,@rks[4].4s + sm4e $data3.4s,@rks[4].4s + + sm4e $data0.4s,@rks[5].4s + sm4e $data1.4s,@rks[5].4s + sm4e $data2.4s,@rks[5].4s + sm4e $data3.4s,@rks[5].4s + + sm4e $data0.4s,@rks[6].4s + sm4e $data1.4s,@rks[6].4s + sm4e $data2.4s,@rks[6].4s + sm4e $data3.4s,@rks[6].4s + + sm4e $data0.4s,@rks[7].4s + rev64 $data0.4S,$data0.4S + sm4e $data1.4s,@rks[7].4s + ext $data0.16b,$data0.16b,$data0.16b,#8 + rev64 $data1.4S,$data1.4S + sm4e $data2.4s,@rks[7].4s + ext $data1.16b,$data1.16b,$data1.16b,#8 + rev64 $data2.4S,$data2.4S + sm4e $data3.4s,@rks[7].4s + ext $data2.16b,$data2.16b,$data2.16b,#8 + rev64 $data3.4S,$data3.4S + ext $data3.16b,$data3.16b,$data3.16b,#8 +___ +} + +$code=<<___; +#include "arm_arch.h" +.arch armv8-a+crypto +.text +___ + +{{{ +$code.=<<___; +.align 6 +.Lck: + .long 0x00070E15, 0x1C232A31, 0x383F464D, 0x545B6269 + .long 0x70777E85, 0x8C939AA1, 0xA8AFB6BD, 0xC4CBD2D9 + .long 0xE0E7EEF5, 0xFC030A11, 0x181F262D, 0x343B4249 + .long 0x50575E65, 0x6C737A81, 0x888F969D, 0xA4ABB2B9 + .long 0xC0C7CED5, 0xDCE3EAF1, 0xF8FF060D, 0x141B2229 + .long 0x30373E45, 0x4C535A61, 0x686F767D, 0x848B9299 + .long 0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209 + .long 0x10171E25, 0x2C333A41, 0x484F565D, 0x646B7279 +.Lfk: + .long 0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc +___ +}}} + +{{{ +my ($key,$keys)=("x0","x1"); +my ($tmp)=("x2"); +my ($key0,$key1,$key2,$key3,$key4,$key5,$key6,$key7)=map("v$_",(0..7)); +my ($const0,$const1,$const2,$const3,$const4,$const5,$const6,$const7)=map("v$_",(16..23)); +my ($fkconst) = ("v24"); +$code.=<<___; +.globl ${prefix}_set_encrypt_key +.type ${prefix}_set_encrypt_key,%function +.align 5 +${prefix}_set_encrypt_key: + AARCH64_VALID_CALL_TARGET + ld1 {$key0.4s},[$key] + adr $tmp,.Lfk + ld1 {$fkconst.4s},[$tmp] + adr $tmp,.Lck + ld1 
{$const0.4s,$const1.4s,$const2.4s,$const3.4s},[$tmp],64 +___ + &rev32($key0, $key0); +$code.=<<___; + ld1 {$const4.4s,$const5.4s,$const6.4s,$const7.4s},[$tmp] + eor $key0.16b,$key0.16b,$fkconst.16b; + sm4ekey $key0.4S,$key0.4S,$const0.4S + sm4ekey $key1.4S,$key0.4S,$const1.4S + sm4ekey $key2.4S,$key1.4S,$const2.4S + sm4ekey $key3.4S,$key2.4S,$const3.4S + sm4ekey $key4.4S,$key3.4S,$const4.4S + st1 {$key0.4s,$key1.4s,$key2.4s,$key3.4s},[$keys],64 + sm4ekey $key5.4S,$key4.4S,$const5.4S + sm4ekey $key6.4S,$key5.4S,$const6.4S + sm4ekey $key7.4S,$key6.4S,$const7.4S + st1 {$key4.4s,$key5.4s,$key6.4s,$key7.4s},[$keys] + ret +.size ${prefix}_set_encrypt_key,.-${prefix}_set_encrypt_key +___ +}}} + +{{{ +my ($key,$keys)=("x0","x1"); +my ($tmp)=("x2"); +my ($key7,$key6,$key5,$key4,$key3,$key2,$key1,$key0)=map("v$_",(0..7)); +my ($const0,$const1,$const2,$const3,$const4,$const5,$const6,$const7)=map("v$_",(16..23)); +my ($fkconst) = ("v24"); +$code.=<<___; +.globl ${prefix}_set_decrypt_key +.type ${prefix}_set_decrypt_key,%function +.align 5 +${prefix}_set_decrypt_key: + AARCH64_VALID_CALL_TARGET + ld1 {$key0.4s},[$key] + adr $tmp,.Lfk + ld1 {$fkconst.4s},[$tmp] + adr $tmp, .Lck + ld1 {$const0.4s,$const1.4s,$const2.4s,$const3.4s},[$tmp],64 +___ + &rev32($key0, $key0); +$code.=<<___; + ld1 {$const4.4s,$const5.4s,$const6.4s,$const7.4s},[$tmp] + eor $key0.16b, $key0.16b,$fkconst.16b; + sm4ekey $key0.4S,$key0.4S,$const0.4S + sm4ekey $key1.4S,$key0.4S,$const1.4S + sm4ekey $key2.4S,$key1.4S,$const2.4S + rev64 $key0.4s,$key0.4s + rev64 $key1.4s,$key1.4s + ext $key0.16b,$key0.16b,$key0.16b,#8 + ext $key1.16b,$key1.16b,$key1.16b,#8 + sm4ekey $key3.4S,$key2.4S,$const3.4S + sm4ekey $key4.4S,$key3.4S,$const4.4S + rev64 $key2.4s,$key2.4s + rev64 $key3.4s,$key3.4s + ext $key2.16b,$key2.16b,$key2.16b,#8 + ext $key3.16b,$key3.16b,$key3.16b,#8 + sm4ekey $key5.4S,$key4.4S,$const5.4S + sm4ekey $key6.4S,$key5.4S,$const6.4S + rev64 $key4.4s,$key4.4s + rev64 $key5.4s,$key5.4s + ext 
$key4.16b,$key4.16b,$key4.16b,#8 + ext $key5.16b,$key5.16b,$key5.16b,#8 + sm4ekey $key7.4S,$key6.4S,$const7.4S + rev64 $key6.4s, $key6.4s + rev64 $key7.4s, $key7.4s + ext $key6.16b,$key6.16b,$key6.16b,#8 + ext $key7.16b,$key7.16b,$key7.16b,#8 + st1 {$key7.4s,$key6.4s,$key5.4s,$key4.4s},[$keys],64 + st1 {$key3.4s,$key2.4s,$key1.4s,$key0.4s},[$keys] + ret +.size ${prefix}_set_decrypt_key,.-${prefix}_set_decrypt_key +___ +}}} + +{{{ +sub gen_block () { +my $dir = shift; +my ($inp,$out,$rk)=map("x$_",(0..2)); +my ($data)=("v16"); +$code.=<<___; +.globl ${prefix}_${dir}crypt +.type ${prefix}_${dir}crypt,%function +.align 5 +${prefix}_${dir}crypt: + AARCH64_VALID_CALL_TARGET + ld1 {$data.4s},[$inp] + ld1 {@rks[0].4s,@rks[1].4s,@rks[2].4s,@rks[3].4s},[$rk],64 + ld1 {@rks[4].4s,@rks[5].4s,@rks[6].4s,@rks[7].4s},[$rk] +___ + &rev32($data,$data); + &enc_blk($data); + &rev32($data,$data); +$code.=<<___; + st1 {$data.4s},[$out] + ret +.size ${prefix}_${dir}crypt,.-${prefix}_${dir}crypt +___ +} + +&gen_block("en"); +&gen_block("de"); +}}} + +{{{ +my ($inp,$out,$len,$rk)=map("x$_",(0..3)); +my ($enc) = ("w4"); +my @dat=map("v$_",(16..23)); +$code.=<<___; +.globl ${prefix}_ecb_encrypt +.type ${prefix}_ecb_encrypt,%function +.align 5 +${prefix}_ecb_encrypt: + AARCH64_VALID_CALL_TARGET + ld1 {@rks[0].4s,@rks[1].4s,@rks[2].4s,@rks[3].4s},[$rk],#64 + ld1 {@rks[4].4s,@rks[5].4s,@rks[6].4s,@rks[7].4s},[$rk] +1: + cmp $len,#64 + b.lt 1f + ld1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$inp],#64 + cmp $len,#128 + b.lt 2f + ld1 {@dat[4].4s,@dat[5].4s,@dat[6].4s,@dat[7].4s},[$inp],#64 + // 8 blocks +___ + &rev32(@dat[0],@dat[0]); + &rev32(@dat[1],@dat[1]); + &rev32(@dat[2],@dat[2]); + &rev32(@dat[3],@dat[3]); + &rev32(@dat[4],@dat[4]); + &rev32(@dat[5],@dat[5]); + &rev32(@dat[6],@dat[6]); + &rev32(@dat[7],@dat[7]); + &enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]); + &enc_4blks(@dat[4],@dat[5],@dat[6],@dat[7]); + &rev32(@dat[0],@dat[0]); + &rev32(@dat[1],@dat[1]); + 
&rev32(@dat[2],@dat[2]); + &rev32(@dat[3],@dat[3]); + &rev32(@dat[4],@dat[4]); + &rev32(@dat[5],@dat[5]); +$code.=<<___; + st1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64 +___ + &rev32(@dat[6],@dat[6]); + &rev32(@dat[7],@dat[7]); +$code.=<<___; + st1 {@dat[4].4s,@dat[5].4s,@dat[6].4s,@dat[7].4s},[$out],#64 + subs $len,$len,#128 + b.gt 1b + ret + // 4 blocks +2: +___ + &rev32(@dat[0],@dat[0]); + &rev32(@dat[1],@dat[1]); + &rev32(@dat[2],@dat[2]); + &rev32(@dat[3],@dat[3]); + &enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]); + &rev32(@dat[0],@dat[0]); + &rev32(@dat[1],@dat[1]); + &rev32(@dat[2],@dat[2]); + &rev32(@dat[3],@dat[3]); +$code.=<<___; + st1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64 + subs $len,$len,#64 + b.gt 1b +1: + subs $len,$len,#16 + b.lt 1f + ld1 {@dat[0].4s},[$inp],#16 +___ + &rev32(@dat[0],@dat[0]); + &enc_blk(@dat[0]); + &rev32(@dat[0],@dat[0]); +$code.=<<___; + st1 {@dat[0].4s},[$out],#16 + b.ne 1b +1: + ret +.size ${prefix}_ecb_encrypt,.-${prefix}_ecb_encrypt +___ +}}} + +{{{ +my ($inp,$out,$len,$rk,$ivp)=map("x$_",(0..4)); +my ($enc) = ("w5"); +my @dat=map("v$_",(16..23)); +my @in=map("v$_",(24..31)); +my ($ivec) = ("v8"); +$code.=<<___; +.globl ${prefix}_cbc_encrypt +.type ${prefix}_cbc_encrypt,%function +.align 5 +${prefix}_cbc_encrypt: + AARCH64_VALID_CALL_TARGET + stp d8,d9,[sp, #-16]! 
+ + ld1 {@rks[0].4s,@rks[1].4s,@rks[2].4s,@rks[3].4s},[$rk],#64 + ld1 {@rks[4].4s,@rks[5].4s,@rks[6].4s,@rks[7].4s},[$rk] + ld1 {$ivec.4s},[$ivp] + cmp $enc,#0 + b.eq .Ldec +1: + cmp $len, #64 + b.lt 1f + ld1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$inp],#64 + eor @dat[0].16b,@dat[0].16b,$ivec.16b +___ + &rev32(@dat[1],@dat[1]); + &rev32(@dat[0],@dat[0]); + &rev32(@dat[2],@dat[2]); + &rev32(@dat[3],@dat[3]); + &enc_blk(@dat[0]); +$code.=<<___; + eor @dat[1].16b,@dat[1].16b,@dat[0].16b +___ + &enc_blk(@dat[1]); + &rev32(@dat[0],@dat[0]); +$code.=<<___; + eor @dat[2].16b,@dat[2].16b,@dat[1].16b +___ + &enc_blk(@dat[2]); + &rev32(@dat[1],@dat[1]); +$code.=<<___; + eor @dat[3].16b,@dat[3].16b,@dat[2].16b +___ + &enc_blk(@dat[3]); + &rev32(@dat[2],@dat[2]); + &rev32(@dat[3],@dat[3]); +$code.=<<___; + mov $ivec.16b,@dat[3].16b + st1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64 + subs $len,$len,#64 + b.ne 1b +1: + subs $len,$len,#16 + b.lt 3f + ld1 {@dat[0].4s},[$inp],#16 + eor $ivec.16b,$ivec.16b,@dat[0].16b +___ + &rev32($ivec,$ivec); + &enc_blk($ivec); + &rev32($ivec,$ivec); +$code.=<<___; + st1 {$ivec.16b},[$out],#16 + b.ne 1b + b 3f +.Ldec: +1: + cmp $len, #64 + b.lt 1f + ld1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$inp] + ld1 {@in[0].4s,@in[1].4s,@in[2].4s,@in[3].4s},[$inp],#64 + cmp $len,#128 + b.lt 2f + // 8 blocks mode + ld1 {@dat[4].4s,@dat[5].4s,@dat[6].4s,@dat[7].4s},[$inp] + ld1 {@in[4].4s,@in[5].4s,@in[6].4s,@in[7].4s},[$inp],#64 +___ + &rev32(@dat[0],@dat[0]); + &rev32(@dat[1],@dat[1]); + &rev32(@dat[2],@dat[2]); + &rev32(@dat[3],$dat[3]); + &rev32(@dat[4],@dat[4]); + &rev32(@dat[5],@dat[5]); + &rev32(@dat[6],@dat[6]); + &rev32(@dat[7],$dat[7]); + &enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]); + &enc_4blks(@dat[4],@dat[5],@dat[6],@dat[7]); + &rev32(@dat[0],@dat[0]); + &rev32(@dat[1],@dat[1]); + &rev32(@dat[2],@dat[2]); + &rev32(@dat[3],@dat[3]); + &rev32(@dat[4],@dat[4]); + &rev32(@dat[5],@dat[5]); + &rev32(@dat[6],@dat[6]); + 
&rev32(@dat[7],@dat[7]); +$code.=<<___; + eor @dat[0].16b,@dat[0].16b,$ivec.16b + eor @dat[1].16b,@dat[1].16b,@in[0].16b + eor @dat[2].16b,@dat[2].16b,@in[1].16b + mov $ivec.16b,@in[7].16b + eor @dat[3].16b,$dat[3].16b,@in[2].16b + eor @dat[4].16b,$dat[4].16b,@in[3].16b + eor @dat[5].16b,$dat[5].16b,@in[4].16b + eor @dat[6].16b,$dat[6].16b,@in[5].16b + eor @dat[7].16b,$dat[7].16b,@in[6].16b + st1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64 + st1 {@dat[4].4s,@dat[5].4s,@dat[6].4s,@dat[7].4s},[$out],#64 + subs $len,$len,128 + b.gt 1b + b 3f + // 4 blocks mode +2: +___ + &rev32(@dat[0],@dat[0]); + &rev32(@dat[1],@dat[1]); + &rev32(@dat[2],@dat[2]); + &rev32(@dat[3],$dat[3]); + &enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]); + &rev32(@dat[0],@dat[0]); + &rev32(@dat[1],@dat[1]); + &rev32(@dat[2],@dat[2]); + &rev32(@dat[3],@dat[3]); +$code.=<<___; + eor @dat[0].16b,@dat[0].16b,$ivec.16b + eor @dat[1].16b,@dat[1].16b,@in[0].16b + mov $ivec.16b,@in[3].16b + eor @dat[2].16b,@dat[2].16b,@in[1].16b + eor @dat[3].16b,$dat[3].16b,@in[2].16b + st1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64 + subs $len,$len,#64 + b.gt 1b +1: + subs $len,$len,#16 + b.lt 3f + ld1 {@dat[0].4s},[$inp],#16 + mov @in[0].16b,@dat[0].16b +___ + &rev32(@dat[0],@dat[0]); + &enc_blk(@dat[0]); + &rev32(@dat[0],@dat[0]); +$code.=<<___; + eor @dat[0].16b,@dat[0].16b,$ivec.16b + mov $ivec.16b,@in[0].16b + st1 {@dat[0].16b},[$out],#16 + b.ne 1b +3: + // save back IV + st1 {$ivec.16b},[$ivp] + ldp d8,d9,[sp],#16 + ret +.size ${prefix}_cbc_encrypt,.-${prefix}_cbc_encrypt +___ +}}} + +{{{ +my ($inp,$out,$len,$rk,$ivp)=map("x$_",(0..4)); +my ($ctr)=("w5"); +my @dat=map("v$_",(16..23)); +my @in=map("v$_",(24..31)); +my ($ivec)=("v8"); +$code.=<<___; +.globl ${prefix}_ctr32_encrypt_blocks +.type ${prefix}_ctr32_encrypt_blocks,%function +.align 5 +${prefix}_ctr32_encrypt_blocks: + AARCH64_VALID_CALL_TARGET + stp d8,d9,[sp, #-16]! 
+ + ld1 {$ivec.4s},[$ivp] + ld1 {@rks[0].4s,@rks[1].4s,@rks[2].4s,@rks[3].4s},[$rk],64 + ld1 {@rks[4].4s,@rks[5].4s,@rks[6].4s,@rks[7].4s},[$rk] +___ + &rev32($ivec,$ivec); +$code.=<<___; + mov $ctr,$ivec.s[3] +1: + cmp $len,#4 + b.lt 1f + ld1 {@in[0].4s,@in[1].4s,@in[2].4s,@in[3].4s},[$inp],#64 + mov @dat[0].16b,$ivec.16b + mov @dat[1].16b,$ivec.16b + mov @dat[2].16b,$ivec.16b + mov @dat[3].16b,$ivec.16b + add $ctr,$ctr,#1 + mov $dat[1].s[3],$ctr + add $ctr,$ctr,#1 + mov @dat[2].s[3],$ctr + add $ctr,$ctr,#1 + mov @dat[3].s[3],$ctr + cmp $len,#8 + b.lt 2f + ld1 {@in[4].4s,@in[5].4s,@in[6].4s,@in[7].4s},[$inp],#64 + mov @dat[4].16b,$ivec.16b + mov @dat[5].16b,$ivec.16b + mov @dat[6].16b,$ivec.16b + mov @dat[7].16b,$ivec.16b + add $ctr,$ctr,#1 + mov $dat[4].s[3],$ctr + add $ctr,$ctr,#1 + mov @dat[5].s[3],$ctr + add $ctr,$ctr,#1 + mov @dat[6].s[3],$ctr + add $ctr,$ctr,#1 + mov @dat[7].s[3],$ctr +___ + &enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]); + &enc_4blks(@dat[4],@dat[5],@dat[6],@dat[7]); + &rev32(@dat[0],@dat[0]); + &rev32(@dat[1],@dat[1]); + &rev32(@dat[2],@dat[2]); + &rev32(@dat[3],@dat[3]); + &rev32(@dat[4],@dat[4]); + &rev32(@dat[5],@dat[5]); + &rev32(@dat[6],@dat[6]); + &rev32(@dat[7],@dat[7]); +$code.=<<___; + eor @dat[0].16b,@dat[0].16b,@in[0].16b + eor @dat[1].16b,@dat[1].16b,@in[1].16b + eor @dat[2].16b,@dat[2].16b,@in[2].16b + eor @dat[3].16b,@dat[3].16b,@in[3].16b + eor @dat[4].16b,@dat[4].16b,@in[4].16b + eor @dat[5].16b,@dat[5].16b,@in[5].16b + eor @dat[6].16b,@dat[6].16b,@in[6].16b + eor @dat[7].16b,@dat[7].16b,@in[7].16b + st1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64 + st1 {@dat[4].4s,@dat[5].4s,@dat[6].4s,@dat[7].4s},[$out],#64 + subs $len,$len,#8 + b.eq 3f + add $ctr,$ctr,#1 + mov $ivec.s[3],$ctr + b 1b +2: +___ + &enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]); + &rev32(@dat[0],@dat[0]); + &rev32(@dat[1],@dat[1]); + &rev32(@dat[2],@dat[2]); + &rev32(@dat[3],@dat[3]); +$code.=<<___; + eor @dat[0].16b,@dat[0].16b,@in[0].16b + eor 
@dat[1].16b,@dat[1].16b,@in[1].16b + eor @dat[2].16b,@dat[2].16b,@in[2].16b + eor @dat[3].16b,@dat[3].16b,@in[3].16b + st1 {@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64 + subs $len,$len,#4 + b.eq 3f + add $ctr,$ctr,#1 + mov $ivec.s[3],$ctr + b 1b +1: + subs $len,$len,#1 + b.lt 3f + mov $dat[0].16b,$ivec.16b + ld1 {@in[0].4s},[$inp],#16 +___ + &enc_blk(@dat[0]); + &rev32(@dat[0],@dat[0]); +$code.=<<___; + eor $dat[0].16b,$dat[0].16b,@in[0].16b + st1 {$dat[0].4s},[$out],#16 + b.eq 3f + add $ctr,$ctr,#1 + mov $ivec.s[3],$ctr + b 1b +3: + ldp d8,d9,[sp],#16 + ret +.size ${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks +___ +}}} +######################################## +{ my %opcode = ( + "sm4e" => 0xcec08400, + "sm4ekey" => 0xce60c800); + + sub unsm4 { + my ($mnemonic,$arg)=@_; + + $arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)[^,]*(?:,\s*[qv]([0-9]+))?/o + && + sprintf ".inst\t0x%08x\t//%s %s", + $opcode{$mnemonic}|$1|($2<<5)|($3<<16), + $mnemonic,$arg; + } +} + +open SELF,$0; +while() { + next if (/^#!/); + last if (!s/^#/\/\// and !/^$/); + print; +} +close SELF; + +foreach(split("\n",$code)) { + s/\`([^\`]*)\`/eval($1)/ge; + + s/\b(sm4\w+)\s+([qv].*)/unsm4($1,$2)/ge; + print $_,"\n"; +} + +close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/sm4/asm/vpsm4-armv8.pl b/crypto/sm4/asm/vpsm4-armv8.pl new file mode 100755 index 000000000..edb6b04c9 --- /dev/null +++ b/crypto/sm4/asm/vpsm4-armv8.pl 
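Review bot: `rev32` guards the byte swap with `#ifndef __ARMEB__`, while the sibling `vpsm4-armv8.pl` added in the same commit uses `#ifndef __AARCH64EB__`; on AArch64 the compiler-defined macro is `__AARCH64EB__`, so unless `arm_arch.h` (included by the generated code) aliases one spelling to the other, a big-endian build of this file would skip the swap and produce wrong output — worth confirming and using one spelling in both files. Array-element references mix `@dat[3]` (a one-element slice) with `$dat[3]` in `${prefix}_cbc_encrypt` and `${prefix}_ctr32_encrypt_blocks`; both interpolate to the same text, but `$dat[3]` is the correct form and the mix reads like a typo. The immediate in `subs $len,$len,128` in the CBC decrypt loop drops the `#` that every other `subs` in the file carries; the assembler accepts it, but it should read `subs $len,$len,#128`. `open SELF,$0;` is unchecked, and `my ($enc) = ("w4");` in `${prefix}_ecb_encrypt` is never used.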
@@ -0,0 +1,1118 @@ +#! /usr/bin/env perl +# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# +# This module implements SM4 with ASIMD on aarch64 +# +# Feb 2022 +# + +# $output is the last argument if it looks like a file (it has an extension) +# $flavour is the first argument if it doesn't look like a file +$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; +$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or +( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or +die "can't locate arm-xlate.pl"; + +open OUT,"| \"$^X\" $xlate $flavour \"$output\"" + or die "can't call $xlate: $!"; +*STDOUT=*OUT; + +$prefix="vpsm4"; +my @vtmp=map("v$_",(0..3)); +my @data=map("v$_",(4..7)); +my @datax=map("v$_",(8..11)); +my ($rk0,$rk1)=("v12","v13"); +my ($rka,$rkb)=("v14","v15"); +my @vtmpx=map("v$_",(12..15)); +my @sbox=map("v$_",(16..31)); +my ($inp,$outp,$blocks,$rks)=("x0","x1","w2","x3"); +my ($tmpw,$tmp,$wtmp0,$wtmp1,$wtmp2)=("w6","x6","w7","w8","w9"); +my ($ptr,$counter)=("x10","w11"); +my ($word0,$word1,$word2,$word3)=("w12","w13","w14","w15"); + +sub rev32() { + my $dst = shift; + my $src = shift; + + if ($src and ("$src" ne "$dst")) { +$code.=<<___; +#ifndef __AARCH64EB__ + rev32 $dst.16b,$src.16b +#else + mov $dst.16b,$src.16b +#endif +___ + } else { +$code.=<<___; +#ifndef __AARCH64EB__ + rev32 $dst.16b,$dst.16b +#endif +___ + } +} + +sub transpose() { + my ($dat0,$dat1,$dat2,$dat3,$vt0,$vt1,$vt2,$vt3) = @_; + +$code.=<<___; + zip1 $vt0.4s,$dat0.4s,$dat1.4s + zip2 $vt1.4s,$dat0.4s,$dat1.4s + zip1 $vt2.4s,$dat2.4s,$dat3.4s + zip2 $vt3.4s,$dat2.4s,$dat3.4s + zip1 
$dat0.2d,$vt0.2d,$vt2.2d + zip2 $dat1.2d,$vt0.2d,$vt2.2d + zip1 $dat2.2d,$vt1.2d,$vt3.2d + zip2 $dat3.2d,$vt1.2d,$vt3.2d +___ +} + +# sbox operations for 4-lane of words +sub sbox() { + my $dat = shift; + +$code.=<<___; + movi @vtmp[0].16b,#64 + movi @vtmp[1].16b,#128 + movi @vtmp[2].16b,#192 + sub @vtmp[0].16b,$dat.16b,@vtmp[0].16b + sub @vtmp[1].16b,$dat.16b,@vtmp[1].16b + sub @vtmp[2].16b,$dat.16b,@vtmp[2].16b + tbl $dat.16b,{@sbox[0].16b,@sbox[1].16b,@sbox[2].16b,@sbox[3].16b},$dat.16b + tbl @vtmp[0].16b,{@sbox[4].16b,@sbox[5].16b,@sbox[6].16b,@sbox[7].16b},@vtmp[0].16b + tbl @vtmp[1].16b,{@sbox[8].16b,@sbox[9].16b,@sbox[10].16b,@sbox[11].16b},@vtmp[1].16b + tbl @vtmp[2].16b,{@sbox[12].16b,@sbox[13].16b,@sbox[14].16b,@sbox[15].16b},@vtmp[2].16b + add @vtmp[0].2d,@vtmp[0].2d,@vtmp[1].2d + add @vtmp[2].2d,@vtmp[2].2d,$dat.2d + add $dat.2d,@vtmp[0].2d,@vtmp[2].2d + + ushr @vtmp[0].4s,$dat.4s,32-2 + sli @vtmp[0].4s,$dat.4s,2 + ushr @vtmp[2].4s,$dat.4s,32-10 + eor @vtmp[1].16b,@vtmp[0].16b,$dat.16b + sli @vtmp[2].4s,$dat.4s,10 + eor @vtmp[1].16b,@vtmp[2].16b,$vtmp[1].16b + ushr @vtmp[0].4s,$dat.4s,32-18 + sli @vtmp[0].4s,$dat.4s,18 + ushr @vtmp[2].4s,$dat.4s,32-24 + eor @vtmp[1].16b,@vtmp[0].16b,$vtmp[1].16b + sli @vtmp[2].4s,$dat.4s,24 + eor $dat.16b,@vtmp[2].16b,@vtmp[1].16b +___ +} + +# sbox operation for 8-lane of words +sub sbox_double() { + my $dat = shift; + my $datx = shift; + +$code.=<<___; + movi @vtmp[3].16b,#64 + sub @vtmp[0].16b,$dat.16b,@vtmp[3].16b + sub @vtmp[1].16b,@vtmp[0].16b,@vtmp[3].16b + sub @vtmp[2].16b,@vtmp[1].16b,@vtmp[3].16b + tbl $dat.16b,{@sbox[0].16b,@sbox[1].16b,@sbox[2].16b,@sbox[3].16b},$dat.16b + tbl @vtmp[0].16b,{@sbox[4].16b,@sbox[5].16b,@sbox[6].16b,@sbox[7].16b},@vtmp[0].16b + tbl @vtmp[1].16b,{@sbox[8].16b,@sbox[9].16b,@sbox[10].16b,@sbox[11].16b},@vtmp[1].16b + tbl @vtmp[2].16b,{@sbox[12].16b,@sbox[13].16b,@sbox[14].16b,@sbox[15].16b},@vtmp[2].16b + add @vtmp[1].2d,@vtmp[0].2d,@vtmp[1].2d + add $dat.2d,@vtmp[2].2d,$dat.2d + 
add $dat.2d,@vtmp[1].2d,$dat.2d + + sub @vtmp[0].16b,$datx.16b,@vtmp[3].16b + sub @vtmp[1].16b,@vtmp[0].16b,@vtmp[3].16b + sub @vtmp[2].16b,@vtmp[1].16b,@vtmp[3].16b + tbl $datx.16b,{@sbox[0].16b,@sbox[1].16b,@sbox[2].16b,@sbox[3].16b},$datx.16b + tbl @vtmp[0].16b,{@sbox[4].16b,@sbox[5].16b,@sbox[6].16b,@sbox[7].16b},@vtmp[0].16b + tbl @vtmp[1].16b,{@sbox[8].16b,@sbox[9].16b,@sbox[10].16b,@sbox[11].16b},@vtmp[1].16b + tbl @vtmp[2].16b,{@sbox[12].16b,@sbox[13].16b,@sbox[14].16b,@sbox[15].16b},@vtmp[2].16b + add @vtmp[1].2d,@vtmp[0].2d,@vtmp[1].2d + add $datx.2d,@vtmp[2].2d,$datx.2d + add $datx.2d,@vtmp[1].2d,$datx.2d + + ushr @vtmp[0].4s,$dat.4s,32-2 + sli @vtmp[0].4s,$dat.4s,2 + ushr @vtmp[2].4s,$datx.4s,32-2 + eor @vtmp[1].16b,@vtmp[0].16b,$dat.16b + sli @vtmp[2].4s,$datx.4s,2 + + ushr @vtmp[0].4s,$dat.4s,32-10 + eor @vtmp[3].16b,@vtmp[2].16b,$datx.16b + sli @vtmp[0].4s,$dat.4s,10 + ushr @vtmp[2].4s,$datx.4s,32-10 + eor @vtmp[1].16b,@vtmp[0].16b,$vtmp[1].16b + sli @vtmp[2].4s,$datx.4s,10 + + ushr @vtmp[0].4s,$dat.4s,32-18 + eor @vtmp[3].16b,@vtmp[2].16b,$vtmp[3].16b + sli @vtmp[0].4s,$dat.4s,18 + ushr @vtmp[2].4s,$datx.4s,32-18 + eor @vtmp[1].16b,@vtmp[0].16b,$vtmp[1].16b + sli @vtmp[2].4s,$datx.4s,18 + + ushr @vtmp[0].4s,$dat.4s,32-24 + eor @vtmp[3].16b,@vtmp[2].16b,$vtmp[3].16b + sli @vtmp[0].4s,$dat.4s,24 + ushr @vtmp[2].4s,$datx.4s,32-24 + eor $dat.16b,@vtmp[0].16b,@vtmp[1].16b + sli @vtmp[2].4s,$datx.4s,24 + eor $datx.16b,@vtmp[2].16b,@vtmp[3].16b +___ +} + +# sbox operation for one single word +sub sbox_1word () { + my $word = shift; + +$code.=<<___; + movi @vtmp[1].16b,#64 + movi @vtmp[2].16b,#128 + movi @vtmp[3].16b,#192 + mov @vtmp[0].s[0],$word + + sub @vtmp[1].16b,@vtmp[0].16b,@vtmp[1].16b + sub @vtmp[2].16b,@vtmp[0].16b,@vtmp[2].16b + sub @vtmp[3].16b,@vtmp[0].16b,@vtmp[3].16b + + tbl @vtmp[0].16b,{@sbox[0].16b,@sbox[1].16b,@sbox[2].16b,@sbox[3].16b},@vtmp[0].16b + tbl @vtmp[1].16b,{@sbox[4].16b,@sbox[5].16b,@sbox[6].16b,@sbox[7].16b},@vtmp[1].16b + 
tbl @vtmp[2].16b,{@sbox[8].16b,@sbox[9].16b,@sbox[10].16b,@sbox[11].16b},@vtmp[2].16b + tbl @vtmp[3].16b,{@sbox[12].16b,@sbox[13].16b,@sbox[14].16b,@sbox[15].16b},@vtmp[3].16b + + mov $word,@vtmp[0].s[0] + mov $wtmp0,@vtmp[1].s[0] + mov $wtmp2,@vtmp[2].s[0] + add $wtmp0,$word,$wtmp0 + mov $word,@vtmp[3].s[0] + add $wtmp0,$wtmp0,$wtmp2 + add $wtmp0,$wtmp0,$word + + eor $word,$wtmp0,$wtmp0,ror #32-2 + eor $word,$word,$wtmp0,ror #32-10 + eor $word,$word,$wtmp0,ror #32-18 + eor $word,$word,$wtmp0,ror #32-24 +___ +} + +# sm4 for one block of data, in scalar registers word0/word1/word2/word3 +sub sm4_1blk () { + my $kptr = shift; + +$code.=<<___; + ldp $wtmp0,$wtmp1,[$kptr],8 + // B0 ^= SBOX(B1 ^ B2 ^ B3 ^ RK0) + eor $tmpw,$word2,$word3 + eor $wtmp2,$wtmp0,$word1 + eor $tmpw,$tmpw,$wtmp2 +___ + &sbox_1word($tmpw); +$code.=<<___; + eor $word0,$word0,$tmpw + // B1 ^= SBOX(B0 ^ B2 ^ B3 ^ RK1) + eor $tmpw,$word2,$word3 + eor $wtmp2,$word0,$wtmp1 + eor $tmpw,$tmpw,$wtmp2 +___ + &sbox_1word($tmpw); +$code.=<<___; + ldp $wtmp0,$wtmp1,[$kptr],8 + eor $word1,$word1,$tmpw + // B2 ^= SBOX(B0 ^ B1 ^ B3 ^ RK2) + eor $tmpw,$word0,$word1 + eor $wtmp2,$wtmp0,$word3 + eor $tmpw,$tmpw,$wtmp2 +___ + &sbox_1word($tmpw); +$code.=<<___; + eor $word2,$word2,$tmpw + // B3 ^= SBOX(B0 ^ B1 ^ B2 ^ RK3) + eor $tmpw,$word0,$word1 + eor $wtmp2,$word2,$wtmp1 + eor $tmpw,$tmpw,$wtmp2 +___ + &sbox_1word($tmpw); +$code.=<<___; + eor $word3,$word3,$tmpw +___ +} + +# sm4 for 4-lanes of data, in neon registers data0/data1/data2/data3 +sub sm4_4blks () { + my $kptr = shift; + +$code.=<<___; + ldp $wtmp0,$wtmp1,[$kptr],8 + dup $rk0.4s,$wtmp0 + dup $rk1.4s,$wtmp1 + + // B0 ^= SBOX(B1 ^ B2 ^ B3 ^ RK0) + eor $rka.16b,@data[2].16b,@data[3].16b + eor $rk0.16b,@data[1].16b,$rk0.16b + eor $rk0.16b,$rka.16b,$rk0.16b +___ + &sbox($rk0); +$code.=<<___; + eor @data[0].16b,@data[0].16b,$rk0.16b + + // B1 ^= SBOX(B0 ^ B2 ^ B3 ^ RK1) + eor $rka.16b,$rka.16b,@data[0].16b + eor $rk1.16b,$rka.16b,$rk1.16b +___ + &sbox($rk1); 
+$code.=<<___; + ldp $wtmp0,$wtmp1,[$kptr],8 + eor @data[1].16b,@data[1].16b,$rk1.16b + + dup $rk0.4s,$wtmp0 + dup $rk1.4s,$wtmp1 + + // B2 ^= SBOX(B0 ^ B1 ^ B3 ^ RK2) + eor $rka.16b,@data[0].16b,@data[1].16b + eor $rk0.16b,@data[3].16b,$rk0.16b + eor $rk0.16b,$rka.16b,$rk0.16b +___ + &sbox($rk0); +$code.=<<___; + eor @data[2].16b,@data[2].16b,$rk0.16b + + // B3 ^= SBOX(B0 ^ B1 ^ B2 ^ RK3) + eor $rka.16b,$rka.16b,@data[2].16b + eor $rk1.16b,$rka.16b,$rk1.16b +___ + &sbox($rk1); +$code.=<<___; + eor @data[3].16b,@data[3].16b,$rk1.16b +___ +} + +# sm4 for 8 lanes of data, in neon registers +# data0/data1/data2/data3 datax0/datax1/datax2/datax3 +sub sm4_8blks () { + my $kptr = shift; + +$code.=<<___; + ldp $wtmp0,$wtmp1,[$kptr],8 + // B0 ^= SBOX(B1 ^ B2 ^ B3 ^ RK0) + dup $rk0.4s,$wtmp0 + eor $rka.16b,@data[2].16b,@data[3].16b + eor $rkb.16b,@datax[2].16b,@datax[3].16b + eor @vtmp[0].16b,@data[1].16b,$rk0.16b + eor @vtmp[1].16b,@datax[1].16b,$rk0.16b + eor $rk0.16b,$rka.16b,@vtmp[0].16b + eor $rk1.16b,$rkb.16b,@vtmp[1].16b +___ + &sbox_double($rk0,$rk1); +$code.=<<___; + eor @data[0].16b,@data[0].16b,$rk0.16b + eor @datax[0].16b,@datax[0].16b,$rk1.16b + + // B1 ^= SBOX(B0 ^ B2 ^ B3 ^ RK1) + dup $rk1.4s,$wtmp1 + eor $rka.16b,$rka.16b,@data[0].16b + eor $rkb.16b,$rkb.16b,@datax[0].16b + eor $rk0.16b,$rka.16b,$rk1.16b + eor $rk1.16b,$rkb.16b,$rk1.16b +___ + &sbox_double($rk0,$rk1); +$code.=<<___; + ldp $wtmp0,$wtmp1,[$kptr],8 + eor @data[1].16b,@data[1].16b,$rk0.16b + eor @datax[1].16b,@datax[1].16b,$rk1.16b + + // B2 ^= SBOX(B0 ^ B1 ^ B3 ^ RK2) + dup $rk0.4s,$wtmp0 + eor $rka.16b,@data[0].16b,@data[1].16b + eor $rkb.16b,@datax[0].16b,@datax[1].16b + eor @vtmp[0].16b,@data[3].16b,$rk0.16b + eor @vtmp[1].16b,@datax[3].16b,$rk0.16b + eor $rk0.16b,$rka.16b,@vtmp[0].16b + eor $rk1.16b,$rkb.16b,@vtmp[1].16b +___ + &sbox_double($rk0,$rk1); +$code.=<<___; + eor @data[2].16b,@data[2].16b,$rk0.16b + eor @datax[2].16b,@datax[2].16b,$rk1.16b + + // B3 ^= SBOX(B0 ^ B1 ^ B2 ^ RK3) + 
dup $rk1.4s,$wtmp1 + eor $rka.16b,$rka.16b,@data[2].16b + eor $rkb.16b,$rkb.16b,@datax[2].16b + eor $rk0.16b,$rka.16b,$rk1.16b + eor $rk1.16b,$rkb.16b,$rk1.16b +___ + &sbox_double($rk0,$rk1); +$code.=<<___; + eor @data[3].16b,@data[3].16b,$rk0.16b + eor @datax[3].16b,@datax[3].16b,$rk1.16b +___ +} + +sub encrypt_1blk_norev() { + my $dat = shift; + +$code.=<<___; + mov $ptr,$rks + mov $counter,#8 + mov $word0,$dat.s[0] + mov $word1,$dat.s[1] + mov $word2,$dat.s[2] + mov $word3,$dat.s[3] +10: +___ + &sm4_1blk($ptr); +$code.=<<___; + subs $counter,$counter,#1 + b.ne 10b + mov $dat.s[0],$word3 + mov $dat.s[1],$word2 + mov $dat.s[2],$word1 + mov $dat.s[3],$word0 +___ +} + +sub encrypt_1blk() { + my $dat = shift; + + &encrypt_1blk_norev($dat); + &rev32($dat,$dat); +} + +sub encrypt_4blks() { +$code.=<<___; + mov $ptr,$rks + mov $counter,#8 +10: +___ + &sm4_4blks($ptr); +$code.=<<___; + subs $counter,$counter,#1 + b.ne 10b +___ + &rev32(@vtmp[3],@data[0]); + &rev32(@vtmp[2],@data[1]); + &rev32(@vtmp[1],@data[2]); + &rev32(@vtmp[0],@data[3]); +} + +sub encrypt_8blks() { +$code.=<<___; + mov $ptr,$rks + mov $counter,#8 +10: +___ + &sm4_8blks($ptr); +$code.=<<___; + subs $counter,$counter,#1 + b.ne 10b +___ + &rev32(@vtmp[3],@data[0]); + &rev32(@vtmp[2],@data[1]); + &rev32(@vtmp[1],@data[2]); + &rev32(@vtmp[0],@data[3]); + &rev32(@data[3],@datax[0]); + &rev32(@data[2],@datax[1]); + &rev32(@data[1],@datax[2]); + &rev32(@data[0],@datax[3]); +} + +sub load_sbox () { + my $data = shift; + +$code.=<<___; + adr $ptr,.Lsbox + ld1 {@sbox[0].16b,@sbox[1].16b,@sbox[2].16b,@sbox[3].16b},[$ptr],#64 + ld1 {@sbox[4].16b,@sbox[5].16b,@sbox[6].16b,@sbox[7].16b},[$ptr],#64 + ld1 {@sbox[8].16b,@sbox[9].16b,@sbox[10].16b,@sbox[11].16b},[$ptr],#64 + ld1 {@sbox[12].16b,@sbox[13].16b,@sbox[14].16b,@sbox[15].16b},[$ptr] +___ +} + +$code=<<___; +#include "arm_arch.h" +.arch armv8-a +.text + +.type _vpsm4_consts,%object +.align 7 +_vpsm4_consts: +.Lsbox: + .byte 
0xD6,0x90,0xE9,0xFE,0xCC,0xE1,0x3D,0xB7,0x16,0xB6,0x14,0xC2,0x28,0xFB,0x2C,0x05 + .byte 0x2B,0x67,0x9A,0x76,0x2A,0xBE,0x04,0xC3,0xAA,0x44,0x13,0x26,0x49,0x86,0x06,0x99 + .byte 0x9C,0x42,0x50,0xF4,0x91,0xEF,0x98,0x7A,0x33,0x54,0x0B,0x43,0xED,0xCF,0xAC,0x62 + .byte 0xE4,0xB3,0x1C,0xA9,0xC9,0x08,0xE8,0x95,0x80,0xDF,0x94,0xFA,0x75,0x8F,0x3F,0xA6 + .byte 0x47,0x07,0xA7,0xFC,0xF3,0x73,0x17,0xBA,0x83,0x59,0x3C,0x19,0xE6,0x85,0x4F,0xA8 + .byte 0x68,0x6B,0x81,0xB2,0x71,0x64,0xDA,0x8B,0xF8,0xEB,0x0F,0x4B,0x70,0x56,0x9D,0x35 + .byte 0x1E,0x24,0x0E,0x5E,0x63,0x58,0xD1,0xA2,0x25,0x22,0x7C,0x3B,0x01,0x21,0x78,0x87 + .byte 0xD4,0x00,0x46,0x57,0x9F,0xD3,0x27,0x52,0x4C,0x36,0x02,0xE7,0xA0,0xC4,0xC8,0x9E + .byte 0xEA,0xBF,0x8A,0xD2,0x40,0xC7,0x38,0xB5,0xA3,0xF7,0xF2,0xCE,0xF9,0x61,0x15,0xA1 + .byte 0xE0,0xAE,0x5D,0xA4,0x9B,0x34,0x1A,0x55,0xAD,0x93,0x32,0x30,0xF5,0x8C,0xB1,0xE3 + .byte 0x1D,0xF6,0xE2,0x2E,0x82,0x66,0xCA,0x60,0xC0,0x29,0x23,0xAB,0x0D,0x53,0x4E,0x6F + .byte 0xD5,0xDB,0x37,0x45,0xDE,0xFD,0x8E,0x2F,0x03,0xFF,0x6A,0x72,0x6D,0x6C,0x5B,0x51 + .byte 0x8D,0x1B,0xAF,0x92,0xBB,0xDD,0xBC,0x7F,0x11,0xD9,0x5C,0x41,0x1F,0x10,0x5A,0xD8 + .byte 0x0A,0xC1,0x31,0x88,0xA5,0xCD,0x7B,0xBD,0x2D,0x74,0xD0,0x12,0xB8,0xE5,0xB4,0xB0 + .byte 0x89,0x69,0x97,0x4A,0x0C,0x96,0x77,0x7E,0x65,0xB9,0xF1,0x09,0xC5,0x6E,0xC6,0x84 + .byte 0x18,0xF0,0x7D,0xEC,0x3A,0xDC,0x4D,0x20,0x79,0xEE,0x5F,0x3E,0xD7,0xCB,0x39,0x48 +.Lck: + .long 0x00070E15, 0x1C232A31, 0x383F464D, 0x545B6269 + .long 0x70777E85, 0x8C939AA1, 0xA8AFB6BD, 0xC4CBD2D9 + .long 0xE0E7EEF5, 0xFC030A11, 0x181F262D, 0x343B4249 + .long 0x50575E65, 0x6C737A81, 0x888F969D, 0xA4ABB2B9 + .long 0xC0C7CED5, 0xDCE3EAF1, 0xF8FF060D, 0x141B2229 + .long 0x30373E45, 0x4C535A61, 0x686F767D, 0x848B9299 + .long 0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209 + .long 0x10171E25, 0x2C333A41, 0x484F565D, 0x646B7279 +.Lfk: + .dword 0x56aa3350a3b1bac6,0xb27022dc677d9197 +.Lshuffles: + .dword 0x0B0A090807060504,0x030201000F0E0D0C + +.size _vpsm4_consts,.-_vpsm4_consts 
+___ + +{{{ +my ($key,$keys,$enc)=("x0","x1","w2"); +my ($pointer,$schedules,$wtmp,$roundkey)=("x5","x6","w7","w8"); +my ($vkey,$vfk,$vmap)=("v5","v6","v7"); +$code.=<<___; +.type _vpsm4_set_key,%function +.align 4 +_vpsm4_set_key: + AARCH64_VALID_CALL_TARGET + ld1 {$vkey.4s},[$key] +___ + &load_sbox(); + &rev32($vkey,$vkey); +$code.=<<___; + adr $pointer,.Lshuffles + ld1 {$vmap.2d},[$pointer] + adr $pointer,.Lfk + ld1 {$vfk.2d},[$pointer] + eor $vkey.16b,$vkey.16b,$vfk.16b + mov $schedules,#32 + adr $pointer,.Lck + movi @vtmp[0].16b,#64 + cbnz $enc,1f + add $keys,$keys,124 +1: + mov $wtmp,$vkey.s[1] + ldr $roundkey,[$pointer],#4 + eor $roundkey,$roundkey,$wtmp + mov $wtmp,$vkey.s[2] + eor $roundkey,$roundkey,$wtmp + mov $wtmp,$vkey.s[3] + eor $roundkey,$roundkey,$wtmp + // sbox lookup + mov @data[0].s[0],$roundkey + tbl @vtmp[1].16b,{@sbox[0].16b,@sbox[1].16b,@sbox[2].16b,@sbox[3].16b},@data[0].16b + sub @data[0].16b,@data[0].16b,@vtmp[0].16b + tbx @vtmp[1].16b,{@sbox[4].16b,@sbox[5].16b,@sbox[6].16b,@sbox[7].16b},@data[0].16b + sub @data[0].16b,@data[0].16b,@vtmp[0].16b + tbx @vtmp[1].16b,{@sbox[8].16b,@sbox[9].16b,@sbox[10].16b,@sbox[11].16b},@data[0].16b + sub @data[0].16b,@data[0].16b,@vtmp[0].16b + tbx @vtmp[1].16b,{@sbox[12].16b,@sbox[13].16b,@sbox[14].16b,@sbox[15].16b},@data[0].16b + mov $wtmp,@vtmp[1].s[0] + eor $roundkey,$wtmp,$wtmp,ror #19 + eor $roundkey,$roundkey,$wtmp,ror #9 + mov $wtmp,$vkey.s[0] + eor $roundkey,$roundkey,$wtmp + mov $vkey.s[0],$roundkey + cbz $enc,2f + str $roundkey,[$keys],#4 + b 3f +2: + str $roundkey,[$keys],#-4 +3: + tbl $vkey.16b,{$vkey.16b},$vmap.16b + subs $schedules,$schedules,#1 + b.ne 1b + ret +.size _vpsm4_set_key,.-_vpsm4_set_key +___ +}}} + + +{{{ +$code.=<<___; +.type _vpsm4_enc_4blks,%function +.align 4 +_vpsm4_enc_4blks: + AARCH64_VALID_CALL_TARGET +___ + &encrypt_4blks(); +$code.=<<___; + ret +.size _vpsm4_enc_4blks,.-_vpsm4_enc_4blks +___ +}}} + +{{{ +$code.=<<___; +.type _vpsm4_enc_8blks,%function +.align 4 
+_vpsm4_enc_8blks: + AARCH64_VALID_CALL_TARGET +___ + &encrypt_8blks(); +$code.=<<___; + ret +.size _vpsm4_enc_8blks,.-_vpsm4_enc_8blks +___ +}}} + + +{{{ +my ($key,$keys)=("x0","x1"); +$code.=<<___; +.globl ${prefix}_set_encrypt_key +.type ${prefix}_set_encrypt_key,%function +.align 5 +${prefix}_set_encrypt_key: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + mov w2,1 + bl _vpsm4_set_key + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret +.size ${prefix}_set_encrypt_key,.-${prefix}_set_encrypt_key +___ +}}} + +{{{ +my ($key,$keys)=("x0","x1"); +$code.=<<___; +.globl ${prefix}_set_decrypt_key +.type ${prefix}_set_decrypt_key,%function +.align 5 +${prefix}_set_decrypt_key: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + mov w2,0 + bl _vpsm4_set_key + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret +.size ${prefix}_set_decrypt_key,.-${prefix}_set_decrypt_key +___ +}}} + +{{{ +sub gen_block () { + my $dir = shift; + my ($inp,$outp,$rk)=map("x$_",(0..2)); + +$code.=<<___; +.globl ${prefix}_${dir}crypt +.type ${prefix}_${dir}crypt,%function +.align 5 +${prefix}_${dir}crypt: + AARCH64_VALID_CALL_TARGET + ld1 {@data[0].4s},[$inp] +___ + &load_sbox(); + &rev32(@data[0],@data[0]); +$code.=<<___; + mov $rks,x2 +___ + &encrypt_1blk(@data[0]); +$code.=<<___; + st1 {@data[0].4s},[$outp] + ret +.size ${prefix}_${dir}crypt,.-${prefix}_${dir}crypt +___ +} +&gen_block("en"); +&gen_block("de"); +}}} + +{{{ +my ($enc) = ("w4"); +my @dat=map("v$_",(16..23)); + +$code.=<<___; +.globl ${prefix}_ecb_encrypt +.type ${prefix}_ecb_encrypt,%function +.align 5 +${prefix}_ecb_encrypt: + AARCH64_SIGN_LINK_REGISTER + // convert length into blocks + lsr x2,x2,4 + stp d8,d9,[sp,#-80]! 
+ stp d10,d11,[sp,#16] + stp d12,d13,[sp,#32] + stp d14,d15,[sp,#48] + stp x29,x30,[sp,#64] +___ + &load_sbox(); +$code.=<<___; +.Lecb_8_blocks_process: + cmp $blocks,#8 + b.lt .Lecb_4_blocks_process + ld4 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64 + ld4 {@datax[0].4s,$datax[1].4s,@datax[2].4s,@datax[3].4s},[$inp],#64 +___ + &rev32(@data[0],@data[0]); + &rev32(@data[1],@data[1]); + &rev32(@data[2],@data[2]); + &rev32(@data[3],@data[3]); + &rev32(@datax[0],@datax[0]); + &rev32(@datax[1],@datax[1]); + &rev32(@datax[2],@datax[2]); + &rev32(@datax[3],@datax[3]); +$code.=<<___; + bl _vpsm4_enc_8blks + st4 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 + st4 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$outp],#64 + subs $blocks,$blocks,#8 + b.gt .Lecb_8_blocks_process + b 100f +.Lecb_4_blocks_process: + cmp $blocks,#4 + b.lt 1f + ld4 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64 +___ + &rev32(@data[0],@data[0]); + &rev32(@data[1],@data[1]); + &rev32(@data[2],@data[2]); + &rev32(@data[3],@data[3]); +$code.=<<___; + bl _vpsm4_enc_4blks + st4 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 + sub $blocks,$blocks,#4 +1: + // process last block + cmp $blocks,#1 + b.lt 100f + b.gt 1f + ld1 {@data[0].4s},[$inp] +___ + &rev32(@data[0],@data[0]); + &encrypt_1blk(@data[0]); +$code.=<<___; + st1 {@data[0].4s},[$outp] + b 100f +1: // process last 2 blocks + ld4 {@data[0].s,@data[1].s,@data[2].s,@data[3].s}[0],[$inp],#16 + ld4 {@data[0].s,@data[1].s,@data[2].s,@data[3].s}[1],[$inp],#16 + cmp $blocks,#2 + b.gt 1f +___ + &rev32(@data[0],@data[0]); + &rev32(@data[1],@data[1]); + &rev32(@data[2],@data[2]); + &rev32(@data[3],@data[3]); +$code.=<<___; + bl _vpsm4_enc_4blks + st4 {@vtmp[0].s-@vtmp[3].s}[0],[$outp],#16 + st4 {@vtmp[0].s-@vtmp[3].s}[1],[$outp] + b 100f +1: // process last 3 blocks + ld4 {@data[0].s,@data[1].s,@data[2].s,@data[3].s}[2],[$inp],#16 +___ + &rev32(@data[0],@data[0]); + &rev32(@data[1],@data[1]); + 
&rev32(@data[2],@data[2]); + &rev32(@data[3],@data[3]); +$code.=<<___; + bl _vpsm4_enc_4blks + st4 {@vtmp[0].s-@vtmp[3].s}[0],[$outp],#16 + st4 {@vtmp[0].s-@vtmp[3].s}[1],[$outp],#16 + st4 {@vtmp[0].s-@vtmp[3].s}[2],[$outp] +100: + ldp d10,d11,[sp,#16] + ldp d12,d13,[sp,#32] + ldp d14,d15,[sp,#48] + ldp x29,x30,[sp,#64] + ldp d8,d9,[sp],#80 + AARCH64_VALIDATE_LINK_REGISTER + ret +.size ${prefix}_ecb_encrypt,.-${prefix}_ecb_encrypt +___ +}}} + +{{{ +my ($len,$ivp,$enc)=("x2","x4","w5"); +my $ivec0=("v3"); +my $ivec1=("v15"); + +$code.=<<___; +.globl ${prefix}_cbc_encrypt +.type ${prefix}_cbc_encrypt,%function +.align 5 +${prefix}_cbc_encrypt: + AARCH64_VALID_CALL_TARGET + lsr $len,$len,4 +___ + &load_sbox(); +$code.=<<___; + cbz $enc,.Ldec + ld1 {$ivec0.4s},[$ivp] +.Lcbc_4_blocks_enc: + cmp $blocks,#4 + b.lt 1f + ld1 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64 + eor @data[0].16b,@data[0].16b,$ivec0.16b +___ + &rev32(@data[1],@data[1]); + &rev32(@data[0],@data[0]); + &rev32(@data[2],@data[2]); + &rev32(@data[3],@data[3]); + &encrypt_1blk_norev(@data[0]); +$code.=<<___; + eor @data[1].16b,@data[1].16b,@data[0].16b +___ + &encrypt_1blk_norev(@data[1]); + &rev32(@data[0],@data[0]); + +$code.=<<___; + eor @data[2].16b,@data[2].16b,@data[1].16b +___ + &encrypt_1blk_norev(@data[2]); + &rev32(@data[1],@data[1]); +$code.=<<___; + eor @data[3].16b,@data[3].16b,@data[2].16b +___ + &encrypt_1blk_norev(@data[3]); + &rev32(@data[2],@data[2]); + &rev32(@data[3],@data[3]); +$code.=<<___; + orr $ivec0.16b,@data[3].16b,@data[3].16b + st1 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$outp],#64 + subs $blocks,$blocks,#4 + b.ne .Lcbc_4_blocks_enc + b 2f +1: + subs $blocks,$blocks,#1 + b.lt 2f + ld1 {@data[0].4s},[$inp],#16 + eor $ivec0.16b,$ivec0.16b,@data[0].16b +___ + &rev32($ivec0,$ivec0); + &encrypt_1blk($ivec0); +$code.=<<___; + st1 {$ivec0.4s},[$outp],#16 + b 1b +2: + // save back IV + st1 {$ivec0.4s},[$ivp] + ret + +.Ldec: + // decryption mode starts + 
AARCH64_SIGN_LINK_REGISTER + stp d8,d9,[sp,#-80]! + stp d10,d11,[sp,#16] + stp d12,d13,[sp,#32] + stp d14,d15,[sp,#48] + stp x29,x30,[sp,#64] +.Lcbc_8_blocks_dec: + cmp $blocks,#8 + b.lt 1f + ld4 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp] + add $ptr,$inp,#64 + ld4 {@datax[0].4s,@datax[1].4s,@datax[2].4s,@datax[3].4s},[$ptr] +___ + &rev32(@data[0],@data[0]); + &rev32(@data[1],@data[1]); + &rev32(@data[2],@data[2]); + &rev32(@data[3],$data[3]); + &rev32(@datax[0],@datax[0]); + &rev32(@datax[1],@datax[1]); + &rev32(@datax[2],@datax[2]); + &rev32(@datax[3],$datax[3]); +$code.=<<___; + bl _vpsm4_enc_8blks +___ + &transpose(@vtmp,@datax); + &transpose(@data,@datax); +$code.=<<___; + ld1 {$ivec1.4s},[$ivp] + ld1 {@datax[0].4s,@datax[1].4s,@datax[2].4s,@datax[3].4s},[$inp],#64 + // note ivec1 and vtmpx[3] are resuing the same register + // care needs to be taken to avoid conflict + eor @vtmp[0].16b,@vtmp[0].16b,$ivec1.16b + ld1 {@vtmpx[0].4s,@vtmpx[1].4s,@vtmpx[2].4s,@vtmpx[3].4s},[$inp],#64 + eor @vtmp[1].16b,@vtmp[1].16b,@datax[0].16b + eor @vtmp[2].16b,@vtmp[2].16b,@datax[1].16b + eor @vtmp[3].16b,$vtmp[3].16b,@datax[2].16b + // save back IV + st1 {$vtmpx[3].4s}, [$ivp] + eor @data[0].16b,@data[0].16b,$datax[3].16b + eor @data[1].16b,@data[1].16b,@vtmpx[0].16b + eor @data[2].16b,@data[2].16b,@vtmpx[1].16b + eor @data[3].16b,$data[3].16b,@vtmpx[2].16b + st1 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 + st1 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$outp],#64 + subs $blocks,$blocks,#8 + b.gt .Lcbc_8_blocks_dec + b.eq 100f +1: + ld1 {$ivec1.4s},[$ivp] +.Lcbc_4_blocks_dec: + cmp $blocks,#4 + b.lt 1f + ld4 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp] +___ + &rev32(@data[0],@data[0]); + &rev32(@data[1],@data[1]); + &rev32(@data[2],@data[2]); + &rev32(@data[3],$data[3]); +$code.=<<___; + bl _vpsm4_enc_4blks + ld1 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64 +___ + &transpose(@vtmp,@datax); +$code.=<<___; + 
eor @vtmp[0].16b,@vtmp[0].16b,$ivec1.16b + eor @vtmp[1].16b,@vtmp[1].16b,@data[0].16b + orr $ivec1.16b,@data[3].16b,@data[3].16b + eor @vtmp[2].16b,@vtmp[2].16b,@data[1].16b + eor @vtmp[3].16b,$vtmp[3].16b,@data[2].16b + st1 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 + subs $blocks,$blocks,#4 + b.gt .Lcbc_4_blocks_dec + // save back IV + st1 {@data[3].4s}, [$ivp] + b 100f +1: // last block + subs $blocks,$blocks,#1 + b.lt 100f + b.gt 1f + ld1 {@data[0].4s},[$inp],#16 + // save back IV + st1 {$data[0].4s}, [$ivp] +___ + &rev32(@datax[0],@data[0]); + &encrypt_1blk(@datax[0]); +$code.=<<___; + eor @datax[0].16b,@datax[0].16b,$ivec1.16b + st1 {@datax[0].4s},[$outp],#16 + b 100f +1: // last two blocks + ld4 {@data[0].s,@data[1].s,@data[2].s,@data[3].s}[0],[$inp] + add $ptr,$inp,#16 + ld4 {@data[0].s,@data[1].s,@data[2].s,@data[3].s}[1],[$ptr],#16 + subs $blocks,$blocks,1 + b.gt 1f +___ + &rev32(@data[0],@data[0]); + &rev32(@data[1],@data[1]); + &rev32(@data[2],@data[2]); + &rev32(@data[3],@data[3]); +$code.=<<___; + bl _vpsm4_enc_4blks + ld1 {@data[0].4s,@data[1].4s},[$inp],#32 +___ + &transpose(@vtmp,@datax); +$code.=<<___; + eor @vtmp[0].16b,@vtmp[0].16b,$ivec1.16b + eor @vtmp[1].16b,@vtmp[1].16b,@data[0].16b + st1 {@vtmp[0].4s,@vtmp[1].4s},[$outp],#32 + // save back IV + st1 {@data[1].4s}, [$ivp] + b 100f +1: // last 3 blocks + ld4 {@data[0].s,@data[1].s,@data[2].s,@data[3].s}[2],[$ptr] +___ + &rev32(@data[0],@data[0]); + &rev32(@data[1],@data[1]); + &rev32(@data[2],@data[2]); + &rev32(@data[3],@data[3]); +$code.=<<___; + bl _vpsm4_enc_4blks + ld1 {@data[0].4s,@data[1].4s,@data[2].4s},[$inp],#48 +___ + &transpose(@vtmp,@datax); +$code.=<<___; + eor @vtmp[0].16b,@vtmp[0].16b,$ivec1.16b + eor @vtmp[1].16b,@vtmp[1].16b,@data[0].16b + eor @vtmp[2].16b,@vtmp[2].16b,@data[1].16b + st1 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s},[$outp],#48 + // save back IV + st1 {@data[2].4s}, [$ivp] +100: + ldp d10,d11,[sp,#16] + ldp d12,d13,[sp,#32] + ldp d14,d15,[sp,#48] + 
ldp x29,x30,[sp,#64] + ldp d8,d9,[sp],#80 + AARCH64_VALIDATE_LINK_REGISTER + ret +.size ${prefix}_cbc_encrypt,.-${prefix}_cbc_encrypt +___ +}}} + +{{{ +my ($ivp)=("x4"); +my ($ctr)=("w5"); +my $ivec=("v3"); + +$code.=<<___; +.globl ${prefix}_ctr32_encrypt_blocks +.type ${prefix}_ctr32_encrypt_blocks,%function +.align 5 +${prefix}_ctr32_encrypt_blocks: + AARCH64_VALID_CALL_TARGET + ld1 {$ivec.4s},[$ivp] +___ + &rev32($ivec,$ivec); + &load_sbox(); +$code.=<<___; + cmp $blocks,#1 + b.ne 1f + // fast processing for one single block without + // context saving overhead +___ + &encrypt_1blk($ivec); +$code.=<<___; + ld1 {@data[0].4s},[$inp] + eor @data[0].16b,@data[0].16b,$ivec.16b + st1 {@data[0].4s},[$outp] + ret +1: + AARCH64_SIGN_LINK_REGISTER + stp d8,d9,[sp,#-80]! + stp d10,d11,[sp,#16] + stp d12,d13,[sp,#32] + stp d14,d15,[sp,#48] + stp x29,x30,[sp,#64] + mov $word0,$ivec.s[0] + mov $word1,$ivec.s[1] + mov $word2,$ivec.s[2] + mov $ctr,$ivec.s[3] +.Lctr32_4_blocks_process: + cmp $blocks,#4 + b.lt 1f + dup @data[0].4s,$word0 + dup @data[1].4s,$word1 + dup @data[2].4s,$word2 + mov @data[3].s[0],$ctr + add $ctr,$ctr,#1 + mov $data[3].s[1],$ctr + add $ctr,$ctr,#1 + mov @data[3].s[2],$ctr + add $ctr,$ctr,#1 + mov @data[3].s[3],$ctr + add $ctr,$ctr,#1 + cmp $blocks,#8 + b.ge .Lctr32_8_blocks_process + bl _vpsm4_enc_4blks + ld4 {@vtmpx[0].4s,@vtmpx[1].4s,@vtmpx[2].4s,@vtmpx[3].4s},[$inp],#64 + eor @vtmp[0].16b,@vtmp[0].16b,@vtmpx[0].16b + eor @vtmp[1].16b,@vtmp[1].16b,@vtmpx[1].16b + eor @vtmp[2].16b,@vtmp[2].16b,@vtmpx[2].16b + eor @vtmp[3].16b,@vtmp[3].16b,@vtmpx[3].16b + st4 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 + subs $blocks,$blocks,#4 + b.ne .Lctr32_4_blocks_process + b 100f +.Lctr32_8_blocks_process: + dup @datax[0].4s,$word0 + dup @datax[1].4s,$word1 + dup @datax[2].4s,$word2 + mov @datax[3].s[0],$ctr + add $ctr,$ctr,#1 + mov $datax[3].s[1],$ctr + add $ctr,$ctr,#1 + mov @datax[3].s[2],$ctr + add $ctr,$ctr,#1 + mov @datax[3].s[3],$ctr + add 
$ctr,$ctr,#1 + bl _vpsm4_enc_8blks + ld4 {@vtmpx[0].4s,@vtmpx[1].4s,@vtmpx[2].4s,@vtmpx[3].4s},[$inp],#64 + ld4 {@datax[0].4s,@datax[1].4s,@datax[2].4s,@datax[3].4s},[$inp],#64 + eor @vtmp[0].16b,@vtmp[0].16b,@vtmpx[0].16b + eor @vtmp[1].16b,@vtmp[1].16b,@vtmpx[1].16b + eor @vtmp[2].16b,@vtmp[2].16b,@vtmpx[2].16b + eor @vtmp[3].16b,@vtmp[3].16b,@vtmpx[3].16b + eor @data[0].16b,@data[0].16b,@datax[0].16b + eor @data[1].16b,@data[1].16b,@datax[1].16b + eor @data[2].16b,@data[2].16b,@datax[2].16b + eor @data[3].16b,@data[3].16b,@datax[3].16b + st4 {@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64 + st4 {@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$outp],#64 + subs $blocks,$blocks,#8 + b.ne .Lctr32_4_blocks_process + b 100f +1: // last block processing + subs $blocks,$blocks,#1 + b.lt 100f + b.gt 1f + mov $ivec.s[0],$word0 + mov $ivec.s[1],$word1 + mov $ivec.s[2],$word2 + mov $ivec.s[3],$ctr +___ + &encrypt_1blk($ivec); +$code.=<<___; + ld1 {@data[0].4s},[$inp] + eor @data[0].16b,@data[0].16b,$ivec.16b + st1 {@data[0].4s},[$outp] + b 100f +1: // last 2 blocks processing + dup @data[0].4s,$word0 + dup @data[1].4s,$word1 + dup @data[2].4s,$word2 + mov @data[3].s[0],$ctr + add $ctr,$ctr,#1 + mov @data[3].s[1],$ctr + subs $blocks,$blocks,#1 + b.ne 1f + bl _vpsm4_enc_4blks + ld4 {@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[0],[$inp],#16 + ld4 {@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[1],[$inp],#16 + eor @vtmp[0].16b,@vtmp[0].16b,@vtmpx[0].16b + eor @vtmp[1].16b,@vtmp[1].16b,@vtmpx[1].16b + eor @vtmp[2].16b,@vtmp[2].16b,@vtmpx[2].16b + eor @vtmp[3].16b,@vtmp[3].16b,@vtmpx[3].16b + st4 {@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[0],[$outp],#16 + st4 {@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[1],[$outp],#16 + b 100f +1: // last 3 blocks processing + add $ctr,$ctr,#1 + mov @data[3].s[2],$ctr + bl _vpsm4_enc_4blks + ld4 {@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[0],[$inp],#16 + ld4 
{@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[1],[$inp],#16 + ld4 {@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[2],[$inp],#16 + eor @vtmp[0].16b,@vtmp[0].16b,@vtmpx[0].16b + eor @vtmp[1].16b,@vtmp[1].16b,@vtmpx[1].16b + eor @vtmp[2].16b,@vtmp[2].16b,@vtmpx[2].16b + eor @vtmp[3].16b,@vtmp[3].16b,@vtmpx[3].16b + st4 {@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[0],[$outp],#16 + st4 {@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[1],[$outp],#16 + st4 {@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[2],[$outp],#16 +100: + ldp d10,d11,[sp,#16] + ldp d12,d13,[sp,#32] + ldp d14,d15,[sp,#48] + ldp x29,x30,[sp,#64] + ldp d8,d9,[sp],#80 + AARCH64_VALIDATE_LINK_REGISTER + ret +.size ${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks +___ +}}} +######################################## +open SELF,$0; +while() { + next if (/^#!/); + last if (!s/^#/\/\// and !/^$/); + print; +} +close SELF; + +foreach(split("\n",$code)) { + s/\`([^\`]*)\`/eval($1)/ge; + print $_,"\n"; +} + +close STDOUT or die "error closing STDOUT: $!"; diff --git a/crypto/sm4/build.info b/crypto/sm4/build.info index b65a7d149..75a215ab8 100644 --- a/crypto/sm4/build.info +++ b/crypto/sm4/build.info 
@@ -1,4 +1,34 @@
 LIBS=../../libcrypto
-SOURCE[../../libcrypto]=\
- sm4.c
+IF[{- !$disabled{asm} -}]
+ $SM4DEF_aarch64=SM4_ASM VPSM4_ASM
+ $SM4ASM_aarch64=sm4-armv8.S vpsm4-armv8.S
+
+ # Now that we have defined all the arch specific variables, use the
+ # appropriate one, and define the appropriate macros
+ IF[$SM4ASM_{- $target{asm_arch} -}]
+ $SM4ASM=$SM4ASM_{- $target{asm_arch} -}
+ $SM4DEF=$SM4DEF_{- $target{asm_arch} -}
+ ENDIF
+ENDIF
+
+SOURCE[../../libcrypto]= $SM4ASM sm4.c
+
+
+# Implementations are now spread across several libraries, so the defines
+# need to be applied to all affected libraries and modules.
+DEFINE[../../libcrypto]=$SM4DEF
+DEFINE[../../providers/libfips.a]=$SM4DEF
+DEFINE[../../providers/libdefault.a]=$SM4DEF
+# We only need to include the SM4DEF stuff in the legacy provider when it's a
+# separate module and it's dynamically linked with libcrypto. Otherwise, it
+# already gets everything that the static libcrypto.a has, and doesn't need it
+# added again.
+IF[{- !$disabled{module} && !$disabled{shared} -}]
+ DEFINE[../providers/liblegacy.a]=$SM4DEF
+ENDIF
+
+GENERATE[sm4-armv8.S]=asm/sm4-armv8.pl
+GENERATE[vpsm4-armv8.S]=asm/vpsm4-armv8.pl
+INCLUDE[sm4-armv8.o]=..
+INCLUDE[vpsm4-armv8.o]=..
diff --git a/crypto/sm4/sm4.c b/crypto/sm4/sm4.c
index 1e11ee650..4c58c25fa 100644
--- a/crypto/sm4/sm4.c
+++ b/crypto/sm4/sm4.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright 2017 Ribose Inc. All Rights Reserved.
 * Ported from Ribose contributions from Botan.
 *
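Review bot: `DEFINE[../providers/liblegacy.a]=$SM4DEF` uses a different relative path from the `DEFINE[../../providers/libfips.a]` and `DEFINE[../../providers/libdefault.a]` lines just above it; from crypto/sm4 a single `..` appears to resolve to crypto/providers/, which does not match the other three targets. If the intent is the top-level legacy provider, the line should read `DEFINE[../../providers/liblegacy.a]=$SM4DEF`; if the build system quietly accepts a path that matches no target, the define is a no-op and the whole conditional block can go. A one-line comment stating whether the legacy provider actually consumes SM4 at all would make the block's purpose clear to the next reader.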
@@ -40,7 +40,7 @@ static const uint8_t SM4_S[256] = { /* * SM4_SBOX_T[j] == L(SM4_SBOX[j]). */ -static const uint32_t SM4_SBOX_T[256] = { +static const uint32_t SM4_SBOX_T0[256] = { 0x8ED55B5B, 0xD0924242, 0x4DEAA7A7, 0x06FDFBFB, 0xFCCF3333, 0x65E28787, 0xC93DF4F4, 0x6BB5DEDE, 0x4E165858, 0x6EB4DADA, 0x44145050, 0xCAC10B0B, 0x8828A0A0, 0x17F8EFEF, 0x9C2CB0B0, 0x11051414, 0x872BACAC, 0xFB669D9D, 
@@ -85,6 +85,141 @@ static const uint32_t SM4_SBOX_T[256] = { 0x794C3535, 0xA0208080, 0x9D78E5E5, 0x56EDBBBB, 0x235E7D7D, 0xC63EF8F8, 0x8BD45F5F, 0xE7C82F2F, 0xDD39E4E4, 0x68492121 }; +static uint32_t SM4_SBOX_T1[256] = { + 0x5B8ED55B, 0x42D09242, 0xA74DEAA7, 0xFB06FDFB, 0x33FCCF33, 0x8765E287, + 0xF4C93DF4, 0xDE6BB5DE, 0x584E1658, 0xDA6EB4DA, 0x50441450, 0x0BCAC10B, + 0xA08828A0, 0xEF17F8EF, 0xB09C2CB0, 0x14110514, 0xAC872BAC, 0x9DFB669D, + 0x6AF2986A, 0xD9AE77D9, 0xA8822AA8, 0xFA46BCFA, 0x10140410, 0x0FCFC00F, + 0xAA02A8AA, 0x11544511, 0x4C5F134C, 0x98BE2698, 0x256D4825, 0x1A9E841A, + 0x181E0618, 0x66FD9B66, 0x72EC9E72, 0x094A4309, 0x41105141, 0xD324F7D3, + 0x46D59346, 0xBF53ECBF, 0x62F89A62, 0xE9927BE9, 0xCCFF33CC, 0x51045551, + 0x2C270B2C, 0x0D4F420D, 0xB759EEB7, 0x3FF3CC3F, 0xB21CAEB2, 0x89EA6389, + 0x9374E793, 0xCE7FB1CE, 0x706C1C70, 0xA60DABA6, 0x27EDCA27, 0x20280820, + 0xA348EBA3, 0x56C19756, 0x02808202, 0x7FA3DC7F, 0x52C49652, 0xEB12F9EB, + 0xD5A174D5, 0x3EB38D3E, 0xFCC33FFC, 0x9A3EA49A, 0x1D5B461D, 0x1C1B071C, + 0x9E3BA59E, 0xF30CFFF3, 0xCF3FF0CF, 0xCDBF72CD, 0x5C4B175C, 0xEA52B8EA, + 0x0E8F810E, 0x653D5865, 0xF0CC3CF0, 0x647D1964, 0x9B7EE59B, 0x16918716, + 0x3D734E3D, 0xA208AAA2, 0xA1C869A1, 0xADC76AAD, 0x06858306, 0xCA7AB0CA, + 0xC5B570C5, 0x91F46591, 0x6BB2D96B, 0x2EA7892E, 0xE318FBE3, 0xAF47E8AF, + 0x3C330F3C, 0x2D674A2D, 0xC1B071C1, 0x590E5759, 0x76E99F76, 0xD4E135D4, + 0x78661E78, 0x90B42490, 0x38360E38, 0x79265F79, 0x8DEF628D, 0x61385961, + 0x4795D247, 0x8A2AA08A, 0x94B12594, 0x88AA2288, 0xF18C7DF1, 0xECD73BEC, + 0x04050104, 0x84A52184, 0xE19879E1, 0x1E9B851E, 0x5384D753, 0x00000000, + 0x195E4719, 0x5D0B565D, 0x7EE39D7E, 0x4F9FD04F, 0x9CBB279C, 0x491A5349, + 0x317C4D31, 0xD8EE36D8, 0x080A0208, 0x9F7BE49F, 0x8220A282, 0x13D4C713, + 0x23E8CB23, 0x7AE69C7A, 0xAB42E9AB, 0xFE43BDFE, 0x2AA2882A, 0x4B9AD14B, + 0x01404101, 0x1FDBC41F, 0xE0D838E0, 0xD661B7D6, 0x8E2FA18E, 0xDF2BF4DF, + 0xCB3AF1CB, 0x3BF6CD3B, 0xE71DFAE7, 0x85E56085, 0x54411554, 0x8625A386, + 
0x8360E383, 0xBA16ACBA, 0x75295C75, 0x9234A692, 0x6EF7996E, 0xD0E434D0, + 0x68721A68, 0x55015455, 0xB619AFB6, 0x4EDF914E, 0xC8FA32C8, 0xC0F030C0, + 0xD721F6D7, 0x32BC8E32, 0xC675B3C6, 0x8F6FE08F, 0x74691D74, 0xDB2EF5DB, + 0x8B6AE18B, 0xB8962EB8, 0x0A8A800A, 0x99FE6799, 0x2BE2C92B, 0x81E06181, + 0x03C0C303, 0xA48D29A4, 0x8CAF238C, 0xAE07A9AE, 0x34390D34, 0x4D1F524D, + 0x39764F39, 0xBDD36EBD, 0x5781D657, 0x6FB7D86F, 0xDCEB37DC, 0x15514415, + 0x7BA6DD7B, 0xF709FEF7, 0x3AB68C3A, 0xBC932FBC, 0x0C0F030C, 0xFF03FCFF, + 0xA9C26BA9, 0xC9BA73C9, 0xB5D96CB5, 0xB1DC6DB1, 0x6D375A6D, 0x45155045, + 0x36B98F36, 0x6C771B6C, 0xBE13ADBE, 0x4ADA904A, 0xEE57B9EE, 0x77A9DE77, + 0xF24CBEF2, 0xFD837EFD, 0x44551144, 0x67BDDA67, 0x712C5D71, 0x05454005, + 0x7C631F7C, 0x40501040, 0x69325B69, 0x63B8DB63, 0x28220A28, 0x07C5C207, + 0xC4F531C4, 0x22A88A22, 0x9631A796, 0x37F9CE37, 0xED977AED, 0xF649BFF6, + 0xB4992DB4, 0xD1A475D1, 0x4390D343, 0x485A1248, 0xE258BAE2, 0x9771E697, + 0xD264B6D2, 0xC270B2C2, 0x26AD8B26, 0xA5CD68A5, 0x5ECB955E, 0x29624B29, + 0x303C0C30, 0x5ACE945A, 0xDDAB76DD, 0xF9867FF9, 0x95F16495, 0xE65DBBE6, + 0xC735F2C7, 0x242D0924, 0x17D1C617, 0xB9D66FB9, 0x1BDEC51B, 0x12948612, + 0x60781860, 0xC330F3C3, 0xF5897CF5, 0xB35CEFB3, 0xE8D23AE8, 0x73ACDF73, + 0x35794C35, 0x80A02080, 0xE59D78E5, 0xBB56EDBB, 0x7D235E7D, 0xF8C63EF8, + 0x5F8BD45F, 0x2FE7C82F, 0xE4DD39E4, 0x21684921}; + +static uint32_t SM4_SBOX_T2[256] = { + 0x5B5B8ED5, 0x4242D092, 0xA7A74DEA, 0xFBFB06FD, 0x3333FCCF, 0x878765E2, + 0xF4F4C93D, 0xDEDE6BB5, 0x58584E16, 0xDADA6EB4, 0x50504414, 0x0B0BCAC1, + 0xA0A08828, 0xEFEF17F8, 0xB0B09C2C, 0x14141105, 0xACAC872B, 0x9D9DFB66, + 0x6A6AF298, 0xD9D9AE77, 0xA8A8822A, 0xFAFA46BC, 0x10101404, 0x0F0FCFC0, + 0xAAAA02A8, 0x11115445, 0x4C4C5F13, 0x9898BE26, 0x25256D48, 0x1A1A9E84, + 0x18181E06, 0x6666FD9B, 0x7272EC9E, 0x09094A43, 0x41411051, 0xD3D324F7, + 0x4646D593, 0xBFBF53EC, 0x6262F89A, 0xE9E9927B, 0xCCCCFF33, 0x51510455, + 0x2C2C270B, 0x0D0D4F42, 0xB7B759EE, 0x3F3FF3CC, 
0xB2B21CAE, 0x8989EA63, + 0x939374E7, 0xCECE7FB1, 0x70706C1C, 0xA6A60DAB, 0x2727EDCA, 0x20202808, + 0xA3A348EB, 0x5656C197, 0x02028082, 0x7F7FA3DC, 0x5252C496, 0xEBEB12F9, + 0xD5D5A174, 0x3E3EB38D, 0xFCFCC33F, 0x9A9A3EA4, 0x1D1D5B46, 0x1C1C1B07, + 0x9E9E3BA5, 0xF3F30CFF, 0xCFCF3FF0, 0xCDCDBF72, 0x5C5C4B17, 0xEAEA52B8, + 0x0E0E8F81, 0x65653D58, 0xF0F0CC3C, 0x64647D19, 0x9B9B7EE5, 0x16169187, + 0x3D3D734E, 0xA2A208AA, 0xA1A1C869, 0xADADC76A, 0x06068583, 0xCACA7AB0, + 0xC5C5B570, 0x9191F465, 0x6B6BB2D9, 0x2E2EA789, 0xE3E318FB, 0xAFAF47E8, + 0x3C3C330F, 0x2D2D674A, 0xC1C1B071, 0x59590E57, 0x7676E99F, 0xD4D4E135, + 0x7878661E, 0x9090B424, 0x3838360E, 0x7979265F, 0x8D8DEF62, 0x61613859, + 0x474795D2, 0x8A8A2AA0, 0x9494B125, 0x8888AA22, 0xF1F18C7D, 0xECECD73B, + 0x04040501, 0x8484A521, 0xE1E19879, 0x1E1E9B85, 0x535384D7, 0x00000000, + 0x19195E47, 0x5D5D0B56, 0x7E7EE39D, 0x4F4F9FD0, 0x9C9CBB27, 0x49491A53, + 0x31317C4D, 0xD8D8EE36, 0x08080A02, 0x9F9F7BE4, 0x828220A2, 0x1313D4C7, + 0x2323E8CB, 0x7A7AE69C, 0xABAB42E9, 0xFEFE43BD, 0x2A2AA288, 0x4B4B9AD1, + 0x01014041, 0x1F1FDBC4, 0xE0E0D838, 0xD6D661B7, 0x8E8E2FA1, 0xDFDF2BF4, + 0xCBCB3AF1, 0x3B3BF6CD, 0xE7E71DFA, 0x8585E560, 0x54544115, 0x868625A3, + 0x838360E3, 0xBABA16AC, 0x7575295C, 0x929234A6, 0x6E6EF799, 0xD0D0E434, + 0x6868721A, 0x55550154, 0xB6B619AF, 0x4E4EDF91, 0xC8C8FA32, 0xC0C0F030, + 0xD7D721F6, 0x3232BC8E, 0xC6C675B3, 0x8F8F6FE0, 0x7474691D, 0xDBDB2EF5, + 0x8B8B6AE1, 0xB8B8962E, 0x0A0A8A80, 0x9999FE67, 0x2B2BE2C9, 0x8181E061, + 0x0303C0C3, 0xA4A48D29, 0x8C8CAF23, 0xAEAE07A9, 0x3434390D, 0x4D4D1F52, + 0x3939764F, 0xBDBDD36E, 0x575781D6, 0x6F6FB7D8, 0xDCDCEB37, 0x15155144, + 0x7B7BA6DD, 0xF7F709FE, 0x3A3AB68C, 0xBCBC932F, 0x0C0C0F03, 0xFFFF03FC, + 0xA9A9C26B, 0xC9C9BA73, 0xB5B5D96C, 0xB1B1DC6D, 0x6D6D375A, 0x45451550, + 0x3636B98F, 0x6C6C771B, 0xBEBE13AD, 0x4A4ADA90, 0xEEEE57B9, 0x7777A9DE, + 0xF2F24CBE, 0xFDFD837E, 0x44445511, 0x6767BDDA, 0x71712C5D, 0x05054540, + 0x7C7C631F, 0x40405010, 0x6969325B, 0x6363B8DB, 
0x2828220A, 0x0707C5C2, + 0xC4C4F531, 0x2222A88A, 0x969631A7, 0x3737F9CE, 0xEDED977A, 0xF6F649BF, + 0xB4B4992D, 0xD1D1A475, 0x434390D3, 0x48485A12, 0xE2E258BA, 0x979771E6, + 0xD2D264B6, 0xC2C270B2, 0x2626AD8B, 0xA5A5CD68, 0x5E5ECB95, 0x2929624B, + 0x30303C0C, 0x5A5ACE94, 0xDDDDAB76, 0xF9F9867F, 0x9595F164, 0xE6E65DBB, + 0xC7C735F2, 0x24242D09, 0x1717D1C6, 0xB9B9D66F, 0x1B1BDEC5, 0x12129486, + 0x60607818, 0xC3C330F3, 0xF5F5897C, 0xB3B35CEF, 0xE8E8D23A, 0x7373ACDF, + 0x3535794C, 0x8080A020, 0xE5E59D78, 0xBBBB56ED, 0x7D7D235E, 0xF8F8C63E, + 0x5F5F8BD4, 0x2F2FE7C8, 0xE4E4DD39, 0x21216849}; + +static uint32_t SM4_SBOX_T3[256] = { + 0xD55B5B8E, 0x924242D0, 0xEAA7A74D, 0xFDFBFB06, 0xCF3333FC, 0xE2878765, + 0x3DF4F4C9, 0xB5DEDE6B, 0x1658584E, 0xB4DADA6E, 0x14505044, 0xC10B0BCA, + 0x28A0A088, 0xF8EFEF17, 0x2CB0B09C, 0x05141411, 0x2BACAC87, 0x669D9DFB, + 0x986A6AF2, 0x77D9D9AE, 0x2AA8A882, 0xBCFAFA46, 0x04101014, 0xC00F0FCF, + 0xA8AAAA02, 0x45111154, 0x134C4C5F, 0x269898BE, 0x4825256D, 0x841A1A9E, + 0x0618181E, 0x9B6666FD, 0x9E7272EC, 0x4309094A, 0x51414110, 0xF7D3D324, + 0x934646D5, 0xECBFBF53, 0x9A6262F8, 0x7BE9E992, 0x33CCCCFF, 0x55515104, + 0x0B2C2C27, 0x420D0D4F, 0xEEB7B759, 0xCC3F3FF3, 0xAEB2B21C, 0x638989EA, + 0xE7939374, 0xB1CECE7F, 0x1C70706C, 0xABA6A60D, 0xCA2727ED, 0x08202028, + 0xEBA3A348, 0x975656C1, 0x82020280, 0xDC7F7FA3, 0x965252C4, 0xF9EBEB12, + 0x74D5D5A1, 0x8D3E3EB3, 0x3FFCFCC3, 0xA49A9A3E, 0x461D1D5B, 0x071C1C1B, + 0xA59E9E3B, 0xFFF3F30C, 0xF0CFCF3F, 0x72CDCDBF, 0x175C5C4B, 0xB8EAEA52, + 0x810E0E8F, 0x5865653D, 0x3CF0F0CC, 0x1964647D, 0xE59B9B7E, 0x87161691, + 0x4E3D3D73, 0xAAA2A208, 0x69A1A1C8, 0x6AADADC7, 0x83060685, 0xB0CACA7A, + 0x70C5C5B5, 0x659191F4, 0xD96B6BB2, 0x892E2EA7, 0xFBE3E318, 0xE8AFAF47, + 0x0F3C3C33, 0x4A2D2D67, 0x71C1C1B0, 0x5759590E, 0x9F7676E9, 0x35D4D4E1, + 0x1E787866, 0x249090B4, 0x0E383836, 0x5F797926, 0x628D8DEF, 0x59616138, + 0xD2474795, 0xA08A8A2A, 0x259494B1, 0x228888AA, 0x7DF1F18C, 0x3BECECD7, + 0x01040405, 0x218484A5, 
0x79E1E198, 0x851E1E9B, 0xD7535384, 0x00000000, + 0x4719195E, 0x565D5D0B, 0x9D7E7EE3, 0xD04F4F9F, 0x279C9CBB, 0x5349491A, + 0x4D31317C, 0x36D8D8EE, 0x0208080A, 0xE49F9F7B, 0xA2828220, 0xC71313D4, + 0xCB2323E8, 0x9C7A7AE6, 0xE9ABAB42, 0xBDFEFE43, 0x882A2AA2, 0xD14B4B9A, + 0x41010140, 0xC41F1FDB, 0x38E0E0D8, 0xB7D6D661, 0xA18E8E2F, 0xF4DFDF2B, + 0xF1CBCB3A, 0xCD3B3BF6, 0xFAE7E71D, 0x608585E5, 0x15545441, 0xA3868625, + 0xE3838360, 0xACBABA16, 0x5C757529, 0xA6929234, 0x996E6EF7, 0x34D0D0E4, + 0x1A686872, 0x54555501, 0xAFB6B619, 0x914E4EDF, 0x32C8C8FA, 0x30C0C0F0, + 0xF6D7D721, 0x8E3232BC, 0xB3C6C675, 0xE08F8F6F, 0x1D747469, 0xF5DBDB2E, + 0xE18B8B6A, 0x2EB8B896, 0x800A0A8A, 0x679999FE, 0xC92B2BE2, 0x618181E0, + 0xC30303C0, 0x29A4A48D, 0x238C8CAF, 0xA9AEAE07, 0x0D343439, 0x524D4D1F, + 0x4F393976, 0x6EBDBDD3, 0xD6575781, 0xD86F6FB7, 0x37DCDCEB, 0x44151551, + 0xDD7B7BA6, 0xFEF7F709, 0x8C3A3AB6, 0x2FBCBC93, 0x030C0C0F, 0xFCFFFF03, + 0x6BA9A9C2, 0x73C9C9BA, 0x6CB5B5D9, 0x6DB1B1DC, 0x5A6D6D37, 0x50454515, + 0x8F3636B9, 0x1B6C6C77, 0xADBEBE13, 0x904A4ADA, 0xB9EEEE57, 0xDE7777A9, + 0xBEF2F24C, 0x7EFDFD83, 0x11444455, 0xDA6767BD, 0x5D71712C, 0x40050545, + 0x1F7C7C63, 0x10404050, 0x5B696932, 0xDB6363B8, 0x0A282822, 0xC20707C5, + 0x31C4C4F5, 0x8A2222A8, 0xA7969631, 0xCE3737F9, 0x7AEDED97, 0xBFF6F649, + 0x2DB4B499, 0x75D1D1A4, 0xD3434390, 0x1248485A, 0xBAE2E258, 0xE6979771, + 0xB6D2D264, 0xB2C2C270, 0x8B2626AD, 0x68A5A5CD, 0x955E5ECB, 0x4B292962, + 0x0C30303C, 0x945A5ACE, 0x76DDDDAB, 0x7FF9F986, 0x649595F1, 0xBBE6E65D, + 0xF2C7C735, 0x0924242D, 0xC61717D1, 0x6FB9B9D6, 0xC51B1BDE, 0x86121294, + 0x18606078, 0xF3C3C330, 0x7CF5F589, 0xEFB3B35C, 0x3AE8E8D2, 0xDF7373AC, + 0x4C353579, 0x208080A0, 0x78E5E59D, 0xEDBBBB56, 0x5E7D7D23, 0x3EF8F8C6, + 0xD45F5F8B, 0xC82F2FE7, 0x39E4E4DD, 0x49212168}; + static ossl_inline uint32_t rotl(uint32_t a, uint8_t n) { return (a << n) | (a >> (32 - n)); 
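Review bot: The three new tables `SM4_SBOX_T1`, `SM4_SBOX_T2` and `SM4_SBOX_T3` are declared `static uint32_t`, whereas `SM4_SBOX_T0` in the hunk above keeps `static const uint32_t`. Without `const` the 3 KiB of lookup data is placed in a writable section instead of read-only memory, so it loses the write protection and page sharing the original table had and the compiler cannot treat the loads as constant; the declarations should read `static const uint32_t SM4_SBOX_T1[256] = {` (and likewise for T2 and T3). The relation to T0 is also undocumented: judging by the previous body of `SM4_T`, `SM4_SBOX_T1[j] == rotl(SM4_SBOX_T0[j], 24)`, T2 is the 16-bit rotation and T3 the 8-bit one, and a comment above T1 such as `/* SM4_SBOX_Tn[j] == rotl(SM4_SBOX_T0[j], 32 - 8 * n), n = 1..3 */` would let a reviewer regenerate and check the tables instead of trusting 768 opaque constants.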
@@ -106,7 +241,7 @@ static ossl_inline void store_u32_be(uint32_t v, uint8_t *b)
 b[3] = (uint8_t)(v);
 }
-static ossl_inline uint32_t SM4_T_slow(uint32_t X)
+static ossl_inline uint32_t SM4_T_non_lin_sub(uint32_t X)
 {
 uint32_t t = 0;
@@ -115,6 +250,13 @@ static ossl_inline uint32_t SM4_T_slow(uint32_t X)
 t |= ((uint32_t)SM4_S[(uint8_t)(X >> 8)]) << 8;
 t |= SM4_S[(uint8_t)X];
+ return t;
+}
+
+static ossl_inline uint32_t SM4_T_slow(uint32_t X)
+{
+ uint32_t t = SM4_T_non_lin_sub(X);
+
 /*
 * L linear transform
 */
@@ -123,10 +265,17 @@ static ossl_inline uint32_t SM4_T_slow(uint32_t X)
 static ossl_inline uint32_t SM4_T(uint32_t X)
 {
- return SM4_SBOX_T[(uint8_t)(X >> 24)] ^
- rotl(SM4_SBOX_T[(uint8_t)(X >> 16)], 24) ^
- rotl(SM4_SBOX_T[(uint8_t)(X >> 8)], 16) ^
- rotl(SM4_SBOX_T[(uint8_t)X], 8);
+ return SM4_SBOX_T0[(uint8_t)(X >> 24)] ^
+ SM4_SBOX_T1[(uint8_t)(X >> 16)] ^
+ SM4_SBOX_T2[(uint8_t)(X >> 8)] ^
+ SM4_SBOX_T3[(uint8_t)X];
+}
+
+static ossl_inline uint32_t SM4_key_sub(uint32_t X)
+{
+ uint32_t t = SM4_T_non_lin_sub(X);
+
+ return t ^ rotl(t, 13) ^ rotl(t, 23);
 }
 int ossl_sm4_set_key(const uint8_t *key, SM4_KEY *ks)
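Review bot: `SM4_T_non_lin_sub` and `SM4_key_sub` are both introduced without a comment, and the body of `SM4_T_non_lin_sub` spans the first two hunks so only part of it is visible in either. The visible lines show it applies `SM4_S` to each byte of `X` and nothing else, so a one-liner above it such as `/* tau: byte-wise S-box substitution of X, without the L linear transform */` separates it from `SM4_T_slow`, which now adds the L transform on top of it. `SM4_key_sub` is the key-schedule variant; `/* T' = L'(tau(X)): key-expansion transform, rotations by 13 and 23 */` above it records why its rotation amounts differ from the ones used by `SM4_T_slow`.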
@@ -159,18 +308,15 @@ int ossl_sm4_set_key(const uint8_t *key, SM4_KEY *ks)
 K[2] = load_u32_be(key, 2) ^ FK[2];
 K[3] = load_u32_be(key, 3) ^ FK[3];
- for (i = 0; i != SM4_KEY_SCHEDULE; ++i) {
- uint32_t X = K[(i + 1) % 4] ^ K[(i + 2) % 4] ^ K[(i + 3) % 4] ^ CK[i];
- uint32_t t = 0;
-
- t |= ((uint32_t)SM4_S[(uint8_t)(X >> 24)]) << 24;
- t |= ((uint32_t)SM4_S[(uint8_t)(X >> 16)]) << 16;
- t |= ((uint32_t)SM4_S[(uint8_t)(X >> 8)]) << 8;
- t |= SM4_S[(uint8_t)X];
-
- t = t ^ rotl(t, 13) ^ rotl(t, 23);
- K[i % 4] ^= t;
- ks->rk[i] = K[i % 4];
+ for (i = 0; i < SM4_KEY_SCHEDULE; i = i + 4) {
+ K[0] ^= SM4_key_sub(K[1] ^ K[2] ^ K[3] ^ CK[i]);
+ K[1] ^= SM4_key_sub(K[2] ^ K[3] ^ K[0] ^ CK[i + 1]);
+ K[2] ^= SM4_key_sub(K[3] ^ K[0] ^ K[1] ^ CK[i + 2]);
+ K[3] ^= SM4_key_sub(K[0] ^ K[1] ^ K[2] ^ CK[i + 3]);
+ ks->rk[i ] = K[0];
+ ks->rk[i + 1] = K[1];
+ ks->rk[i + 2] = K[2];
+ ks->rk[i + 3] = K[3];
 }
 return 1;
diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c
index 5ff927862..f6e482123 100644
--- a/crypto/store/store_lib.c
+++ b/crypto/store/store_lib.c
@@ -14,7 +14,7 @@
 /* We need to use some STORE deprecated APIs */
 #define OPENSSL_SUPPRESS_DEPRECATED
-#include "e_os.h"
+#include "internal/e_os.h"
 #include
 #include
@@ -114,13 +114,17 @@ OSSL_STORE_open_ex(const char *uri, OSSL_LIB_CTX *libctx, const char *propq,
 scheme = schemes[i];
 OSSL_TRACE1(STORE, "Looking up scheme %s\n", scheme);
 #ifndef OPENSSL_NO_DEPRECATED_3_0
+ ERR_set_mark();
 if ((loader = ossl_store_get0_loader_int(scheme)) != NULL) {
+ ERR_clear_last_mark();
 no_loader_found = 0;
 if (loader->open_ex != NULL)
 loader_ctx = loader->open_ex(loader, uri, libctx, propq,
 ui_method, ui_data);
 else
 loader_ctx = loader->open(loader, uri, ui_method, ui_data);
+ } else {
+ ERR_pop_to_mark();
 }
 #endif
 if (loader == NULL
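Review bot: The rewritten loop `for (i = 0; i < SM4_KEY_SCHEDULE; i = i + 4)` stores `ks->rk[i + 3]` on every iteration, so it is only correct when `SM4_KEY_SCHEDULE` is a multiple of four; the old `i != SM4_KEY_SCHEDULE` form carried no such requirement and the new code does not state it. A comment above the loop, `/* Four rounds per iteration: SM4_KEY_SCHEDULE must be a multiple of 4 */`, or a compile-time check of that property, would pin the assumption where the next person to touch the round count will see it. Two style nits in the same lines: `i = i + 4` reads more naturally as `i += 4`, and the padded `ks->rk[i ]` should be `ks->rk[i]`, with any column alignment done after the `=` instead.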
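Review bot: The new `ERR_set_mark()` / `ERR_pop_to_mark()` pair around `ossl_store_get0_loader_int` has no comment explaining why a miss in the legacy loader table is deliberately silenced; presumably the provider-based lookup that follows may still succeed, so the deprecated path's error must not be left on the stack. A short comment before `ERR_set_mark();`, e.g. `/* Discard any error from the legacy lookup: a provider-based loader may still be found below */`, makes the mark/pop discipline self-explanatory and warns future edits not to return between the mark and its pop or clear. `OSSL_STORE_open_ex` continues past the end of the hunk.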
@@ -623,7 +627,7 @@ OSSL_STORE_INFO *OSSL_STORE_INFO_new_CRL(X509_CRL *crl) } /* - * Functions to try to extract data from a OSSL_STORE_INFO. + * Functions to try to extract data from an OSSL_STORE_INFO. */ int OSSL_STORE_INFO_get_type(const OSSL_STORE_INFO *info) { diff --git a/crypto/store/store_local.h b/crypto/store/store_local.h index 8f817fd51..fcf8e6c24 100644 --- a/crypto/store/store_local.h +++ b/crypto/store/store_local.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -114,7 +114,7 @@ struct ossl_store_loader_st { OSSL_FUNC_store_close_fn *p_close; OSSL_FUNC_store_export_object_fn *p_export_object; }; -DEFINE_LHASH_OF(OSSL_STORE_LOADER); +DEFINE_LHASH_OF_EX(OSSL_STORE_LOADER); const OSSL_STORE_LOADER *ossl_store_get0_loader_int(const char *scheme); void ossl_store_destroy_loaders_int(void); @@ -168,9 +168,6 @@ int ossl_store_file_detach_pem_bio_int(OSSL_STORE_LOADER_CTX *ctx); OSSL_STORE_LOADER *ossl_store_loader_fetch(OSSL_LIB_CTX *libctx, const char *scheme, const char *properties); -OSSL_STORE_LOADER *ossl_store_loader_fetch_by_number(OSSL_LIB_CTX *libctx, - int scheme_id, - const char *properties); /* Standard function to handle the result from OSSL_FUNC_store_load() */ struct ossl_load_result_data_st { diff --git a/crypto/store/store_meth.c b/crypto/store/store_meth.c index a5b0d1b09..ab1016853 100644 --- a/crypto/store/store_meth.c +++ b/crypto/store/store_meth.c @@ -14,6 +14,7 @@ #include "internal/property.h" #include "internal/provider.h" #include "store_local.h" +#include "crypto/context.h" int OSSL_STORE_LOADER_up_ref(OSSL_STORE_LOADER *loader) { 
@@ -68,25 +69,6 @@ static void free_loader(void *method)
 OSSL_STORE_LOADER_free(method);
 }
-/* Permanent loader method store, constructor and destructor */
-static void loader_store_free(void *vstore)
-{
- ossl_method_store_free(vstore);
-}
-
-static void *loader_store_new(OSSL_LIB_CTX *ctx)
-{
- return ossl_method_store_new(ctx);
-}
-
-
-static const OSSL_LIB_CTX_METHOD loader_store_method = {
- /* We want loader_store to be cleaned up before the provider store */
- OSSL_LIB_CTX_METHOD_PRIORITY_2,
- loader_store_new,
- loader_store_free,
-};
-
 /* Data to be passed through ossl_method_construct() */
 struct loader_data_st {
 OSSL_LIB_CTX *libctx;
@@ -123,8 +105,7 @@ static void *get_tmp_loader_store(void *data)
 /* Get the permanent loader store */
 static OSSL_METHOD_STORE *get_loader_store(OSSL_LIB_CTX *libctx)
 {
- return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_STORE_LOADER_STORE_INDEX,
- &loader_store_method);
+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_STORE_LOADER_STORE_INDEX);
 }
 static int reserve_loader_store(void *store, void *data)
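Review bot: The dropped `loader_store_method` carried the one comment that documented a teardown-order requirement (the loader store must be cleaned up before the provider store, hence `OSSL_LIB_CTX_METHOD_PRIORITY_2`), and the new two-argument `ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_STORE_LOADER_STORE_INDEX)` leaves no trace of that requirement in this file. The constructor and destructor presumably now live behind the newly included `crypto/context.h`; a one-line comment at `get_loader_store`, e.g. `/* Creation and teardown order of this store (before the provider store) are handled centrally behind crypto/context.h */`, points readers at where the invariant has to be preserved. Worth confirming that the central implementation actually keeps that ordering, since nothing in this diff shows it.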
@@ -297,39 +278,28 @@ static void destruct_loader(void *method, void *data)
/* Fetching support. Can fetch by numeric identity or by scheme */
static OSSL_STORE_LOADER *
-inner_loader_fetch(struct loader_data_st *methdata, int id,
+inner_loader_fetch(struct loader_data_st *methdata,
const char *scheme, const char *properties)
{
OSSL_METHOD_STORE *store = get_loader_store(methdata->libctx);
OSSL_NAMEMAP *namemap = ossl_namemap_stored(methdata->libctx);
const char *const propq = properties != NULL ? properties : "";
void *method = NULL;
- int unsupported = 0;
+ int unsupported, id;
if (store == NULL || namemap == NULL) {
ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_PASSED_INVALID_ARGUMENT);
return NULL;
}
- /*
- * If we have been passed both an id and a scheme, we have an
- * internal programming error.
- */
- if (!ossl_assert(id == 0 || scheme == NULL)) {
- ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_INTERNAL_ERROR);
- return NULL;
- }
-
/* If we haven't received a name id yet, try to get one for the name */
- if (id == 0 && scheme != NULL)
- id = ossl_namemap_name2num(namemap, scheme);
+ id = scheme != NULL ? ossl_namemap_name2num(namemap, scheme) : 0;
/*
* If we haven't found the name yet, chances are that the algorithm to
* be fetched is unsupported.
*/
- if (id == 0)
- unsupported = 1;
+ unsupported = id == 0;
if (id == 0 || !ossl_method_store_cache_get(store, NULL, id, propq, &method)) {
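Review bot: Two comments in this hunk are now stale: the context line `/* Fetching support. Can fetch by numeric identity or by scheme */` still describes the numeric-id path this commit removes, and `/* If we haven't received a name id yet, try to get one for the name */` no longer matches `id = scheme != NULL ? ossl_namemap_name2num(namemap, scheme) : 0;`, which always derives id from scheme. Suggest `/* Fetching support. Fetches by scheme name only */` and `/* Map the scheme name to its numeric id; 0 means unknown, i.e. unsupported */`. The body of inner_loader_fetch continues past the end of the hunk.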
@@ -400,21 +370,7 @@ OSSL_STORE_LOADER *OSSL_STORE_LOADER_fetch(OSSL_LIB_CTX *libctx,
methdata.libctx = libctx;
methdata.tmp_store = NULL;
- method = inner_loader_fetch(&methdata, 0, scheme, properties);
- dealloc_tmp_loader_store(methdata.tmp_store);
- return method;
-}
-
-OSSL_STORE_LOADER *ossl_store_loader_fetch_by_number(OSSL_LIB_CTX *libctx,
- int scheme_id,
- const char *properties)
-{
- struct loader_data_st methdata;
- void *method;
-
- methdata.libctx = libctx;
- methdata.tmp_store = NULL;
- method = inner_loader_fetch(&methdata, scheme_id, NULL, properties);
+ method = inner_loader_fetch(&methdata, scheme, properties);
dealloc_tmp_loader_store(methdata.tmp_store);
return method;
}
@@ -510,7 +466,7 @@ void OSSL_STORE_LOADER_do_all_provided(OSSL_LIB_CTX *libctx,
methdata.libctx = libctx;
methdata.tmp_store = NULL;
- (void)inner_loader_fetch(&methdata, 0, NULL, NULL /* properties */);
+ (void)inner_loader_fetch(&methdata, NULL, NULL /* properties */);
data.user_fn = user_fn;
data.user_arg = user_arg;
diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c
index 96d311990..ca436b361 100644
--- a/crypto/store/store_result.c
+++ b/crypto/store/store_result.c
@@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
-#include "e_os.h"
+#include "internal/e_os.h"
#include
#include
diff --git a/crypto/threads_lib.c b/crypto/threads_lib.c
index 0c7162392..985959925 100644
--- a/crypto/threads_lib.c
+++ b/crypto/threads_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,7 +8,8 @@
*/
#include
-#ifndef OPENSSL_NO_DEPRECATED_3_0
+#ifdef OPENSSL_SYS_UNIX
+# ifndef OPENSSL_NO_DEPRECATED_3_0
void OPENSSL_fork_prepare(void)
{
@@ -22,4 +23,5 @@ void OPENSSL_fork_child(void)
{
}
+# endif
#endif
diff --git a/crypto/trace.c b/crypto/trace.c
index 3df9b5a51..dc308d819 100644
--- a/crypto/trace.c
+++ b/crypto/trace.c
@@ -137,8 +137,9 @@ static const struct trace_category_st
TRACE_CATEGORY_(STORE),
TRACE_CATEGORY_(DECODER),
TRACE_CATEGORY_(ENCODER),
- TRACE_CATEGORY_(REF_COUNT)
-};
+ TRACE_CATEGORY_(REF_COUNT),
+ TRACE_CATEGORY_(HTTP),
+}; /* KEEP THIS LIST IN SYNC with #define OSSL_TRACE_CATEGORY_... in trace.h */
const char *OSSL_trace_get_category_name(int num)
{
diff --git a/crypto/ts/ts_local.h b/crypto/ts/ts_local.h
index 4dcb7af96..3265c762c 100644
--- a/crypto/ts/ts_local.h
+++ b/crypto/ts/ts_local.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -110,7 +110,7 @@ struct TS_resp_ctx {
ASN1_INTEGER *seconds; /* accuracy, 0 means not specified. */
ASN1_INTEGER *millis; /* accuracy, 0 means not specified. */
ASN1_INTEGER *micros; /* accuracy, 0 means not specified. */
- unsigned clock_precision_digits; /* fraction of seconds in time stamp
+ unsigned clock_precision_digits; /* fraction of seconds in timestamp
* token. */
unsigned flags; /* Optional info, see values above. */
/* Callback functions. */
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c
index 8937bb2d6..46c0af1bc 100644
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
-#include "e_os.h"
+#include "internal/e_os.h"
#include
#include
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index 792a27ce5..de8b07509 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -278,7 +278,7 @@ int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token)
}
/*-
- * Verifies whether the 'token' contains a valid time stamp token
+ * Verifies whether the 'token' contains a valid timestamp token
* with regards to the settings of the context. Only those checks are
* carried out that are specified in the context:
* - Verifies the signature of the TS_TST_INFO.
diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c
index 8007f2f70..544415e5b 100644
--- a/crypto/ui/ui_openssl.c
+++ b/crypto/ui/ui_openssl.c
@@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
-#include "e_os.h"
+#include "internal/e_os.h"
#include
#include
#include
diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
index cb40c7737..1bc397a84 100644
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -16,7 +16,7 @@
# include
#endif
-#include "e_os.h"
+#include "internal/e_os.h"
#include "internal/cryptlib.h"
#include
#include
diff --git a/crypto/x509/by_store.c b/crypto/x509/by_store.c
index 050735ce3..5ff1ea0a4 100644
--- a/crypto/x509/by_store.c
+++ b/crypto/x509/by_store.c
@@ -27,7 +27,7 @@ static int cache_objects(X509_LOOKUP *lctx, const char *uri,
/*
* We try to set the criterion, but don't care if it was valid or not.
- * For a OSSL_STORE, it merely serves as an optimization, the expectation
+ * For an OSSL_STORE, it merely serves as an optimization, the expectation
* being that if the criterion couldn't be used, we will get *everything*
* from the container that the URI represents rather than the subset that
* the criterion indicates, so the biggest harm is that we cache more
diff --git a/crypto/x509/pcy_map.c b/crypto/x509/pcy_map.c
index 60dfd1e32..ed71e2202 100644
--- a/crypto/x509/pcy_map.c
+++ b/crypto/x509/pcy_map.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 95ee5f519..46311377f 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -50,7 +50,7 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
{
long l;
int ret = 0, i;
- char *m = NULL, mlch = ' ';
+ char mlch = ' ';
int nmindent = 0, printok = 0;
EVP_PKEY *pkey = NULL;
const char *neg;
@@ -217,7 +217,6 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
}
ret = 1;
err:
- OPENSSL_free(m);
return ret;
}
diff --git a/crypto/x509/v3_ist.c b/crypto/x509/v3_ist.c
index 0de281f66..71bb76c48 100644
--- a/crypto/x509/v3_ist.c
+++ b/crypto/x509/v3_ist.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -17,7 +17,7 @@
/*
* Issuer Sign Tool (1.2.643.100.112) The name of the tool used to signs the subject (ASN1_SEQUENCE)
- * This extention is required to obtain the status of a qualified certificate at Russian Federation.
+ * This extension is required to obtain the status of a qualified certificate at Russian Federation.
* RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5
* Russian Federal Law 63 "Digital Sign" is available here: http://www.consultant.ru/document/cons_doc_LAW_112701/
*/
diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c
index a51354e7f..c6112a5d3 100644
--- a/crypto/x509/v3_ncons.c
+++ b/crypto/x509/v3_ncons.c
@@ -432,7 +432,7 @@ int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc)
ne = X509_NAME_get_entry(nm, i);
cn = X509_NAME_ENTRY_get_data(ne);
- /* Only process attributes that look like host names */
+ /* Only process attributes that look like hostnames */
if ((r = cn2dnsid(cn, &idval, &idlen)) != X509_V_OK)
return r;
if (idlen == 0)
@@ -640,7 +640,7 @@ static int nc_email_eai(ASN1_TYPE *emltype, ASN1_IA5STRING *base)
const char *emlptr;
const char *emlat;
char ulabel[256];
- size_t size = sizeof(ulabel) - 1;
+ size_t size = sizeof(ulabel);
int ret = X509_V_OK;
size_t emlhostlen;
@@ -667,18 +667,16 @@ static int nc_email_eai(ASN1_TYPE *emltype, ASN1_IA5STRING *base)
goto end;
}
- memset(ulabel, 0, sizeof(ulabel));
/* Special case: initial '.' is RHS match */
if (*baseptr == '.') {
ulabel[0] = '.';
- size -= 1;
- if (ossl_a2ulabel(baseptr, ulabel + 1, &size) <= 0) {
+ if (ossl_a2ulabel(baseptr, ulabel + 1, size - 1) <= 0) {
ret = X509_V_ERR_UNSPECIFIED;
goto end;
}
if ((size_t)eml->length > strlen(ulabel)) {
- emlptr += eml->length - (strlen(ulabel));
+ emlptr += eml->length - strlen(ulabel);
/* X509_V_OK */
if (ia5ncasecmp(ulabel, emlptr, strlen(ulabel)) == 0)
goto end;
@@ -687,7 +685,7 @@ static int nc_email_eai(ASN1_TYPE *emltype, ASN1_IA5STRING *base)
goto end;
}
- if (ossl_a2ulabel(baseptr, ulabel, &size) <= 0) {
+ if (ossl_a2ulabel(baseptr, ulabel, size) <= 0) {
ret = X509_V_ERR_UNSPECIFIED;
goto end;
}
diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c
index a6ebbd5f9..fc5ed284a 100644
--- a/crypto/x509/v3_purp.c
+++ b/crypto/x509/v3_purp.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -868,7 +868,7 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
!(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
return 0;
- /* Only time stamp key usage is permitted and it's required. */
+ /* Only timestamp key usage is permitted and it's required. */
if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP)
return 0;
diff --git a/crypto/x509/v3_sxnet.c b/crypto/x509/v3_sxnet.c
index ca46dc1a5..5ac3bab35 100644
--- a/crypto/x509/v3_sxnet.c
+++ b/crypto/x509/v3_sxnet.c
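Review bot: With `memset(ulabel, 0, sizeof(ulabel))` removed, the `strlen(ulabel)` calls that follow `ossl_a2ulabel(baseptr, ulabel + 1, size - 1)` rely entirely on ossl_a2ulabel() NUL-terminating its output within the size it is given on every success path, including any truncated case; that contract is not visible here, and a later change to it would turn these into over-reads of a stack buffer used for a name-constraint decision. A comment at the call site recording the assumption would help, e.g. `/* ossl_a2ulabel() NUL-terminates within the given size, so strlen(ulabel) below is bounded */`; the same applies to `ossl_a2ulabel(baseptr, ulabel, size)` in the second hunk and to the `size = sizeof(ulabel)` change in the @@ -640 hunk above. nc_email_eai starts and ends outside these hunks.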
@@ -180,8 +180,6 @@ int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user,
if ((id = SXNETID_new()) == NULL)
goto err;
- if (userlen == -1)
- userlen = strlen(user);
if (!ASN1_OCTET_STRING_set(id->user, (const unsigned char *)user, userlen))
goto err;
diff --git a/crypto/x509/v3_tlsf.c b/crypto/x509/v3_tlsf.c
index 3a457fa57..a1446bc07 100644
--- a/crypto/x509/v3_tlsf.c
+++ b/crypto/x509/v3_tlsf.c
@@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
-#include "e_os.h"
+#include "internal/e_os.h"
#include "internal/cryptlib.h"
#include
#include
diff --git a/crypto/x509/v3_utf8.c b/crypto/x509/v3_utf8.c
index 1c4f79c4c..51cfbf01c 100644
--- a/crypto/x509/v3_utf8.c
+++ b/crypto/x509/v3_utf8.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -16,7 +16,7 @@
/*
* Subject Sign Tool (1.2.643.100.111) The name of the tool used to signs the subject (UTF8String)
- * This extention is required to obtain the status of a qualified certificate at Russian Federation.
+ * This extension is required to obtain the status of a qualified certificate at Russian Federation.
* RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5
* Russian Federal Law 63 "Digital Sign" is available here: http://www.consultant.ru/document/cons_doc_LAW_112701/
*/
diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
index 6e4ef26ed..f144dabab 100644
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@@ -9,7 +9,7 @@
/* X509 v3 extension utilities */
-#include "e_os.h"
+#include "internal/e_os.h"
#include "internal/cryptlib.h"
#include
#include
@@ -47,7 +47,7 @@ static int x509v3_add_len_value(const char *name, const char *value,
if (name != NULL && (tname = OPENSSL_strdup(name)) == NULL)
goto err;
if (value != NULL) {
- /* We don't allow embeded NUL characters */
+ /* We don't allow embedded NUL characters */
if (memchr(value, 0, vallen) != NULL)
goto err;
tvalue = OPENSSL_strndup(value, vallen);
diff --git a/crypto/x509/x509_v3.c b/crypto/x509/x509_v3.c
index 62ae7d6b8..adbd676fc 100644
--- a/crypto/x509/x509_v3.c
+++ b/crypto/x509/x509_v3.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/x509name.c b/crypto/x509/x509name.c
index 9ae0dc5de..85a7c8ae5 100644
--- a/crypto/x509/x509name.c
+++ b/crypto/x509/x509name.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index fd98ad692..afb2b49d6 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -172,7 +172,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
ASN1_INTEGER_free(crl->crl_number);
ASN1_INTEGER_free(crl->base_crl_number);
sk_GENERAL_NAMES_pop_free(crl->issuers, GENERAL_NAMES_free);
- /* fall thru */
+ /* fall through */
case ASN1_OP_NEW_POST:
crl->idp = NULL;
diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c
index b290075c8..724564178 100644
--- a/crypto/x509/x_pubkey.c
+++ b/crypto/x509/x_pubkey.c
@@ -170,7 +170,7 @@ static int x509_pubkey_ex_d2i_ex(ASN1_VALUE **pval,
/*
* Try to decode with legacy method first. This ensures that engines
- * aren't overriden by providers.
+ * aren't overridden by providers.
*/
if ((ret = x509_pubkey_decode(&pubkey->pkey, pubkey)) == -1) {
/* -1 indicates a fatal error, like malloc failure */
diff --git a/crypto/x509/x_req.c b/crypto/x509/x_req.c
index 293d4be71..fc07c9097 100644
--- a/crypto/x509/x_req.c
+++ b/crypto/x509/x_req.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -53,7 +53,7 @@ static int req_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
switch (operation) {
case ASN1_OP_D2I_PRE:
ASN1_OCTET_STRING_free(ret->distinguishing_id);
- /* fall thru */
+ /* fall through */
case ASN1_OP_NEW_POST:
ret->distinguishing_id = NULL;
break;
diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c
index 010578b19..429af13e1 100644
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -55,7 +55,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
#endif
ASN1_OCTET_STRING_free(ret->distinguishing_id);
- /* fall thru */
+ /* fall through */
case ASN1_OP_NEW_POST:
ret->ex_cached = 0;
diff --git a/demos/README.txt b/demos/README.txt
index e10239173..cc72721fb 100644
--- a/demos/README.txt
+++ b/demos/README.txt
@@ -20,6 +20,12 @@ EVP_MD_stdin.c Compute a digest with data read from stdin
EVP_MD_xof.c Compute a digest using the SHAKE256 XOF
EVP_f_md.c Compute a digest using BIO and EVP_f_md
+encrypt:
+rsa_encrypt.c Encrypt and decrypt data using an RSA keypair.
+
+encode:
+rsa_encode.c Encode and decode PEM-encoded RSA keys
+
kdf:
hkdf.c Demonstration of HMAC based key derivation
pbkdf2.c Demonstration of PBKDF2 password based key derivation
@@ -48,3 +54,6 @@ signature:
EVP_Signature_demo.c Compute and verify a signature from multiple buffers
rsa_pss_direct.c Compute and verify an RSA-PSS signature from a hash
rsa_pss_hash.c Compute and verify an RSA-PSS signature over a buffer
+
+sslecho:
+main.c Simple SSL echo client/server.
diff --git a/demos/encrypt/Makefile b/demos/encrypt/Makefile
new file mode 100644
index 000000000..1735640b3
--- /dev/null
+++ b/demos/encrypt/Makefile
@@ -0,0 +1,20 @@
+#
+# To run the demos when linked with a shared library (default):
+#
+# LD_LIBRARY_PATH=../.. ./rsa_encrypt
+
+CFLAGS = -I../../include -g
+LDFLAGS = -L../..
+LDLIBS = -lcrypto
+
+all: rsa_encrypt
+
+%.o: %.c
+ $(CC) $(CFLAGS) -c $<
+
+rsa_encrypt_ec: rsa_encrypt.o
+
+test: ;
+
+clean:
+ $(RM) *.o rsa_encrypt
diff --git a/demos/encrypt/rsa_encrypt.c b/demos/encrypt/rsa_encrypt.c
new file mode 100644
index 000000000..040f0b506
--- /dev/null
+++ b/demos/encrypt/rsa_encrypt.c
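Review bot: The link rule in the new demos/encrypt/Makefile is misnamed: `all: rsa_encrypt` and `clean` both refer to `rsa_encrypt`, but the explicit rule reads `rsa_encrypt_ec: rsa_encrypt.o`, so `all` only links through make's built-in `%: %.o` rule and the `_ec` target is dead, apparently a leftover from another demo. It should read `rsa_encrypt: rsa_encrypt.o`. The README hunk above lists `rsa_encode.c` under an `encode:` section, but no demos/encode files appear in this part of the diff, so that entry may need checking against the rest of the commit.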
@@ -0,0 +1,243 @@
+/*-
+ * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * An example that uses EVP_PKEY_encrypt and EVP_PKEY_decrypt methods
+ * to encrypt and decrypt data using an RSA keypair.
+ * RSA encryption produces different encrypted output each time it is run,
+ * hence this is not a known answer test.
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include "rsa_encrypt.h"
+
+/* Input data to encrypt */
+static const unsigned char msg[] =
+ "To be, or not to be, that is the question,\n"
+ "Whether tis nobler in the minde to suffer\n"
+ "The slings and arrowes of outragious fortune,\n"
+ "Or to take Armes again in a sea of troubles";
+
+/*
+ * For do_encrypt(), load an RSA public key from pub_key_der[].
+ * For do_decrypt(), load an RSA private key from priv_key_der[].
+ */
+static EVP_PKEY *get_key(OSSL_LIB_CTX *libctx, const char *propq, int public)
+{
+ OSSL_DECODER_CTX *dctx = NULL;
+ EVP_PKEY *pkey = NULL;
+ int selection;
+ const unsigned char *data;
+ size_t data_len;
+
+ if (public) {
+ selection = EVP_PKEY_PUBLIC_KEY;
+ data = pub_key_der;
+ data_len = sizeof(pub_key_der);
+ } else {
+ selection = EVP_PKEY_KEYPAIR;
+ data = priv_key_der;
+ data_len = sizeof(priv_key_der);
+ }
+ dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, "RSA",
+ selection, libctx, propq);
+ (void)OSSL_DECODER_from_data(dctx, &data, &data_len);
+ OSSL_DECODER_CTX_free(dctx);
+ return pkey;
+}
+
+/* Set optional parameters for RSA OAEP Padding */
+static void set_optional_params(OSSL_PARAM *p, const char *propq)
+{
+ static unsigned char label[] = "label";
+
+ /* "pkcs1" is used by default if the padding mode is not set */
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_PAD_MODE,
+ OSSL_PKEY_RSA_PAD_MODE_OAEP, 0);
+ /* No oaep_label is used if this is not set */
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL,
+ label, sizeof(label));
+ /* "SHA1" is used if this is not set */
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST,
+ "SHA256", 0);
+ /*
+ * If a non default property query needs to be specified when fetching the
+ * OAEP digest then it needs to be specified here.
+ */
+ if (propq != NULL)
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS,
+ (char *)propq, 0);
+
+ /*
+ * OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST and
+ * OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS can also be optionally added
+ * here if the MGF1 digest differs from the OAEP digest.
+ */
+
+ *p = OSSL_PARAM_construct_end();
+}
+
+/*
+ * The length of the input data that can be encrypted is limited by the
+ * RSA key length minus some additional bytes that depends on the padding mode.
+ *
+ */
+static int do_encrypt(OSSL_LIB_CTX *libctx,
+ const unsigned char *in, size_t in_len,
+ unsigned char **out, size_t *out_len)
+{
+ int ret = 0, public = 1;
+ size_t buf_len = 0;
+ unsigned char *buf = NULL;
+ const char *propq = NULL;
+ EVP_PKEY_CTX *ctx = NULL;
+ EVP_PKEY *pub_key = NULL;
+ OSSL_PARAM params[5];
+
+ /* Get public key */
+ pub_key = get_key(libctx, propq, public);
+ if (pub_key == NULL) {
+ fprintf(stderr, "Get public key failed.\n");
+ goto cleanup;
+ }
+ ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pub_key, propq);
+ if (ctx == NULL) {
+ fprintf(stderr, "EVP_PKEY_CTX_new_from_pkey() failed.\n");
+ goto cleanup;
+ }
+ set_optional_params(params, propq);
+ /* If no optional parameters are required then NULL can be passed */
+ if (EVP_PKEY_encrypt_init_ex(ctx, params) <= 0) {
+ fprintf(stderr, "EVP_PKEY_encrypt_init_ex() failed.\n");
+ goto cleanup;
+ }
+ /* Calculate the size required to hold the encrypted data */
+ if (EVP_PKEY_encrypt(ctx, NULL, &buf_len, in, in_len) <= 0) {
+ fprintf(stderr, "EVP_PKEY_encrypt() failed.\n");
+ goto cleanup;
+ }
+ buf = OPENSSL_zalloc(buf_len);
+ if (buf == NULL) {
+ fprintf(stderr, "Malloc failed.\n");
+ goto cleanup;
+ }
+ if (EVP_PKEY_encrypt(ctx, buf, &buf_len, in, in_len) <= 0) {
+ fprintf(stderr, "EVP_PKEY_encrypt() failed.\n");
+ goto cleanup;
+ }
+ *out_len = buf_len;
+ *out = buf;
+ fprintf(stdout, "Encrypted:\n");
+ BIO_dump_indent_fp(stdout, buf, buf_len, 2);
+ fprintf(stdout, "\n");
+ ret = 1;
+
+cleanup:
+ if (!ret)
+ OPENSSL_free(buf);
+ EVP_PKEY_free(pub_key);
+ EVP_PKEY_CTX_free(ctx);
+ return ret;
+}
+
+static int do_decrypt(OSSL_LIB_CTX *libctx, const char *in, size_t in_len,
+ unsigned char **out, size_t *out_len)
+{
+ int ret = 0, public = 0;
+ size_t buf_len = 0;
+ unsigned char *buf = NULL;
+ const char *propq = NULL;
+ EVP_PKEY_CTX *ctx = NULL;
+ EVP_PKEY *priv_key = NULL;
+ OSSL_PARAM params[5];
+
+ /* Get private key */
+ priv_key = get_key(libctx, propq, public);
+ if (priv_key ==
NULL) {
+ fprintf(stderr, "Get private key failed.\n");
+ goto cleanup;
+ }
+ ctx = EVP_PKEY_CTX_new_from_pkey(libctx, priv_key, propq);
+ if (ctx == NULL) {
+ fprintf(stderr, "EVP_PKEY_CTX_new_from_pkey() failed.\n");
+ goto cleanup;
+ }
+
+ /* The parameters used for encryption must also be used for decryption */
+ set_optional_params(params, propq);
+ /* If no optional parameters are required then NULL can be passed */
+ if (EVP_PKEY_decrypt_init_ex(ctx, params) <= 0) {
+ fprintf(stderr, "EVP_PKEY_decrypt_init_ex() failed.\n");
+ goto cleanup;
+ }
+ /* Calculate the size required to hold the decrypted data */
+ if (EVP_PKEY_decrypt(ctx, NULL, &buf_len, in, in_len) <= 0) {
+ fprintf(stderr, "EVP_PKEY_decrypt() failed.\n");
+ goto cleanup;
+ }
+ buf = OPENSSL_zalloc(buf_len);
+ if (buf == NULL) {
+ fprintf(stderr, "Malloc failed.\n");
+ goto cleanup;
+ }
+ if (EVP_PKEY_decrypt(ctx, buf, &buf_len, in, in_len) <= 0) {
+ fprintf(stderr, "EVP_PKEY_decrypt() failed.\n");
+ goto cleanup;
+ }
+ *out_len = buf_len;
+ *out = buf;
+ fprintf(stdout, "Decrypted:\n");
+ BIO_dump_indent_fp(stdout, buf, buf_len, 2);
+ fprintf(stdout, "\n");
+ ret = 1;
+
+cleanup:
+ if (!ret)
+ OPENSSL_free(buf);
+ EVP_PKEY_free(priv_key);
+ EVP_PKEY_CTX_free(ctx);
+ return ret;
+}
+
+int main(void)
+{
+ int ret = EXIT_FAILURE;
+ size_t msg_len = sizeof(msg) - 1;
+ size_t encrypted_len = 0, decrypted_len = 0;
+ unsigned char *encrypted = NULL, *decrypted = NULL;
+ OSSL_LIB_CTX *libctx = NULL;
+
+ if (!do_encrypt(libctx, msg, msg_len, &encrypted, &encrypted_len)) {
+ fprintf(stderr, "encryption failed.\n");
+ goto cleanup;
+ }
+ if (!do_decrypt(libctx, encrypted, encrypted_len,
+ &decrypted, &decrypted_len)) {
+ fprintf(stderr, "decryption failed.\n");
+ goto cleanup;
+ }
+ if (CRYPTO_memcmp(msg, decrypted, decrypted_len) != 0) {
+ fprintf(stderr, "Decrypted data does not match expected value\n");
+ goto cleanup;
+ }
+ ret = EXIT_SUCCESS;
+
+cleanup:
+ OPENSSL_free(decrypted);
+
OPENSSL_free(encrypted);
+ OSSL_LIB_CTX_free(libctx);
+ if (ret != EXIT_SUCCESS)
+ ERR_print_errors_fp(stderr);
+ return ret;
+}
diff --git a/demos/encrypt/rsa_encrypt.h b/demos/encrypt/rsa_encrypt.h
new file mode 100644
index 000000000..06f86620f
--- /dev/null
+++ b/demos/encrypt/rsa_encrypt.h
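Review bot: `CRYPTO_memcmp(msg, decrypted, decrypted_len)` in main() compares only `decrypted_len` bytes and never checks that length against `msg_len`, so a shorter plaintext passes on a prefix and a longer one reads past msg[]; the check should be `if (decrypted_len != msg_len || CRYPTO_memcmp(msg, decrypted, msg_len) != 0) {`. do_decrypt() also declares its input as `const char *in` while do_encrypt() takes `const unsigned char *in`, which is what main() passes and what EVP_PKEY_decrypt() expects, so the signature should be `static int do_decrypt(OSSL_LIB_CTX *libctx, const unsigned char *in, size_t in_len,`. Lastly, `OSSL_PARAM params[5]` in both functions is sized exactly for what set_optional_params() writes today (four entries plus the terminator when propq is non-NULL), so the comment in set_optional_params() inviting readers to add the MGF1 digest parameters should also say that the array size in do_encrypt()/do_decrypt() must grow with them.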
@@ -0,0 +1,141 @@ +/*- + * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* Private RSA key used for decryption */ +static const unsigned char priv_key_der[] = { + 0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, + 0xc2, 0x44, 0xbc, 0xcf, 0x5b, 0xca, 0xcd, 0x80, 0x77, 0xae, 0xf9, 0x7a, + 0x34, 0xbb, 0x37, 0x6f, 0x5c, 0x76, 0x4c, 0xe4, 0xbb, 0x0c, 0x1d, 0xe7, + 0xfe, 0x0f, 0xda, 0xcf, 0x8c, 0x56, 0x65, 0x72, 0x6e, 0x2c, 0xf9, 0xfd, + 0x87, 0x43, 0xeb, 0x4c, 0x26, 0xb1, 0xd3, 0xf0, 0x87, 0xb1, 0x18, 0x68, + 0x14, 0x7d, 0x3c, 0x2a, 0xfa, 0xc2, 0x5d, 0x70, 0x19, 0x11, 0x00, 0x2e, + 0xb3, 0x9c, 0x8e, 0x38, 0x08, 0xbe, 0xe3, 0xeb, 0x7d, 0x6e, 0xc7, 0x19, + 0xc6, 0x7f, 0x59, 0x48, 0x84, 0x1b, 0xe3, 0x27, 0x30, 0x46, 0x30, 0xd3, + 0xfc, 0xfc, 0xb3, 0x35, 0x75, 0xc4, 0x31, 0x1a, 0xc0, 0xc2, 0x4c, 0x0b, + 0xc7, 0x01, 0x95, 0xb2, 0xdc, 0x17, 0x77, 0x9b, 0x09, 0x15, 0x04, 0xbc, + 0xdb, 0x57, 0x0b, 0x26, 0xda, 0x59, 0x54, 0x0d, 0x6e, 0xb7, 0x89, 0xbc, + 0x53, 0x9d, 0x5f, 0x8c, 0xad, 0x86, 0x97, 0xd2, 0x48, 0x4f, 0x5c, 0x94, + 0xdd, 0x30, 0x2f, 0xcf, 0xfc, 0xde, 0x20, 0x31, 0x25, 0x9d, 0x29, 0x25, + 0x78, 0xb7, 0xd2, 0x5b, 0x5d, 0x99, 0x5b, 0x08, 0x12, 0x81, 0x79, 0x89, + 0xa0, 0xcf, 0x8f, 0x40, 0xb1, 0x77, 0x72, 0x3b, 0x13, 0xfc, 0x55, 0x43, + 0x70, 0x29, 0xd5, 0x41, 0xed, 0x31, 0x4b, 0x2d, 0x6c, 0x7d, 0xcf, 0x99, + 0x5f, 0xd1, 0x72, 0x9f, 0x8b, 0x32, 0x96, 0xde, 0x5d, 0x8b, 0x19, 0x77, + 0x75, 0xff, 0x09, 0xbf, 0x26, 0xe9, 0xd7, 0x3d, 0xc7, 0x1a, 0x81, 0xcf, + 0x05, 0x1b, 0x89, 0xbf, 0x45, 0x32, 0xbf, 0x5e, 0xc9, 0xe3, 0x5c, 0x33, + 0x4a, 0x72, 0x47, 0xf4, 0x24, 0xae, 0x9b, 0x38, 0x24, 0x76, 0x9a, 0xa2, + 0x9a, 0x50, 0x50, 0x49, 0xf5, 0x26, 0xb9, 0x55, 0xa6, 0x47, 
0xc9, 0x14, + 0xa2, 0xca, 0xd4, 0xa8, 0x8a, 0x9f, 0xe9, 0x5a, 0x5a, 0x12, 0xaa, 0x30, + 0xd5, 0x78, 0x8b, 0x39, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, + 0x00, 0x22, 0x5d, 0xb9, 0x8e, 0xef, 0x1c, 0x91, 0xbd, 0x03, 0xaf, 0x1a, + 0xe8, 0x00, 0xf3, 0x0b, 0x8b, 0xf2, 0x2d, 0xe5, 0x4d, 0x63, 0x3f, 0x71, + 0xfc, 0xeb, 0xc7, 0x4f, 0x3c, 0x7f, 0x05, 0x7b, 0x9d, 0xc2, 0x1a, 0xc7, + 0xc0, 0x8f, 0x50, 0xb7, 0x0b, 0xba, 0x1e, 0xa4, 0x30, 0xfd, 0x38, 0x19, + 0x6a, 0xb4, 0x11, 0x31, 0x77, 0x22, 0xf4, 0x06, 0x46, 0x81, 0xd0, 0xad, + 0x99, 0x15, 0x62, 0x01, 0x10, 0xad, 0x8f, 0x63, 0x4f, 0x71, 0xd9, 0x8a, + 0x74, 0x27, 0x56, 0xb8, 0xeb, 0x28, 0x9f, 0xac, 0x4f, 0xee, 0xec, 0xc3, + 0xcf, 0x84, 0x86, 0x09, 0x87, 0xd0, 0x04, 0xfc, 0x70, 0xd0, 0x9f, 0xae, + 0x87, 0x38, 0xd5, 0xb1, 0x6f, 0x3a, 0x1b, 0x16, 0xa8, 0x00, 0xf3, 0xcc, + 0x6a, 0x42, 0x5d, 0x04, 0x16, 0x83, 0xf2, 0xe0, 0x79, 0x1d, 0xd8, 0x6f, + 0x0f, 0xb7, 0x34, 0xf4, 0x45, 0xb5, 0x1e, 0xc5, 0xb5, 0x78, 0xa7, 0xd3, + 0xa3, 0x23, 0x35, 0xbc, 0x7b, 0x01, 0x59, 0x7d, 0xee, 0xb9, 0x4f, 0xda, + 0x28, 0xad, 0x5d, 0x25, 0xab, 0x66, 0x6a, 0xb0, 0x61, 0xf6, 0x12, 0xa7, + 0xee, 0xd1, 0xe7, 0xb1, 0x8b, 0x91, 0x29, 0xba, 0xb5, 0xf8, 0x78, 0xc8, + 0x6b, 0x76, 0x67, 0x32, 0xe8, 0xf3, 0x4e, 0x59, 0xba, 0xc1, 0x44, 0xc0, + 0xec, 0x8d, 0x7c, 0x63, 0xb2, 0x6e, 0x0c, 0xb9, 0x33, 0x42, 0x0c, 0x8d, + 0xae, 0x4e, 0x54, 0xc8, 0x8a, 0xef, 0xf9, 0x47, 0xc8, 0x99, 0x84, 0xc8, + 0x46, 0xf6, 0xa6, 0x53, 0x59, 0xf8, 0x60, 0xe3, 0xd7, 0x1d, 0x10, 0x95, + 0xf5, 0x6d, 0xf4, 0xa3, 0x18, 0x40, 0xd7, 0x14, 0x04, 0xac, 0x8c, 0x69, + 0xd6, 0x14, 0xdc, 0xd8, 0xcc, 0xbc, 0x1c, 0xac, 0xd7, 0x21, 0x2b, 0x7e, + 0x29, 0x88, 0x06, 0xa0, 0xf4, 0x06, 0x08, 0x14, 0x04, 0x4d, 0x32, 0x33, + 0x84, 0x9c, 0x20, 0x8e, 0xcf, 0x02, 0x81, 0x81, 0x00, 0xf3, 0xf9, 0xbd, + 0xd5, 0x43, 0x6f, 0x27, 0x4a, 0x92, 0xd6, 0x18, 0x3d, 0x4b, 0xf1, 0x77, + 0x7c, 0xaf, 0xce, 0x01, 0x17, 0x98, 0xcb, 0xbe, 0x06, 0x86, 0x3a, 0x13, + 0x72, 0x4b, 0x7c, 0x81, 0x51, 0x24, 0x5d, 0xc3, 0xe9, 0xa2, 
0x63, 0x1e, + 0x4a, 0xeb, 0x66, 0xae, 0x01, 0x5e, 0xa4, 0xa4, 0x74, 0x9e, 0xee, 0x32, + 0xe5, 0x59, 0x1b, 0x37, 0xef, 0x7d, 0xb3, 0x42, 0x8c, 0x93, 0x8b, 0xd3, + 0x1e, 0x83, 0x43, 0xb5, 0x88, 0x3e, 0x24, 0xeb, 0xdc, 0x92, 0x2d, 0xcc, + 0x9a, 0x9d, 0xf1, 0x7d, 0x16, 0x71, 0xcb, 0x25, 0x47, 0x36, 0xb0, 0xc4, + 0x6b, 0xc8, 0x53, 0x4a, 0x25, 0x80, 0x47, 0x77, 0xdb, 0x97, 0x13, 0x15, + 0x0f, 0x4a, 0xfa, 0x0c, 0x6c, 0x44, 0x13, 0x2f, 0xbc, 0x9a, 0x6b, 0x13, + 0x57, 0xfc, 0x42, 0xb9, 0xe9, 0xd3, 0x2e, 0xd2, 0x11, 0xf4, 0xc5, 0x84, + 0x55, 0xd2, 0xdf, 0x1d, 0xa7, 0x02, 0x81, 0x81, 0x00, 0xcb, 0xd7, 0xd6, + 0x9d, 0x71, 0xb3, 0x86, 0xbe, 0x68, 0xed, 0x67, 0xe1, 0x51, 0x92, 0x17, + 0x60, 0x58, 0xb3, 0x2a, 0x56, 0xfd, 0x18, 0xfb, 0x39, 0x4b, 0x14, 0xc6, + 0xf6, 0x67, 0x0e, 0x31, 0xe3, 0xb3, 0x2f, 0x1f, 0xec, 0x16, 0x1c, 0x23, + 0x2b, 0x60, 0x36, 0xd1, 0xcb, 0x4a, 0x03, 0x6a, 0x3a, 0x4c, 0x8c, 0xf2, + 0x73, 0x08, 0x23, 0x29, 0xda, 0xcb, 0xf7, 0xb6, 0x18, 0x97, 0xc6, 0xfe, + 0xd4, 0x40, 0x06, 0x87, 0x9d, 0x6e, 0xbb, 0x5d, 0x14, 0x44, 0xc8, 0x19, + 0xfa, 0x7f, 0x0c, 0xc5, 0x02, 0x92, 0x00, 0xbb, 0x2e, 0x4f, 0x50, 0xb0, + 0x71, 0x9f, 0xf3, 0x94, 0x12, 0xb8, 0x6c, 0x5f, 0xe1, 0x83, 0x7b, 0xbc, + 0x8c, 0x0a, 0x6f, 0x09, 0x6a, 0x35, 0x4f, 0xf9, 0xa4, 0x92, 0x93, 0xe3, + 0xad, 0x36, 0x25, 0x28, 0x90, 0x85, 0xd2, 0x9f, 0x86, 0xfd, 0xd9, 0xa8, + 0x61, 0xe9, 0xb2, 0xec, 0x1f, 0x02, 0x81, 0x81, 0x00, 0xdd, 0x1c, 0x52, + 0xda, 0x2b, 0xc2, 0x5a, 0x26, 0xb0, 0xcb, 0x0d, 0xae, 0xc7, 0xdb, 0xf0, + 0x41, 0x75, 0x87, 0x4a, 0xe0, 0x1a, 0xdf, 0x53, 0xb9, 0xcf, 0xfe, 0x64, + 0x4f, 0x6a, 0x70, 0x4d, 0x36, 0xbf, 0xb1, 0xa6, 0xf3, 0x5f, 0xf3, 0x5a, + 0xa9, 0xe5, 0x8b, 0xea, 0x59, 0x5d, 0x6f, 0xf3, 0x87, 0xa9, 0xde, 0x11, + 0x0c, 0x60, 0x64, 0x55, 0x9e, 0x5c, 0x1a, 0x91, 0x4e, 0x9c, 0x0d, 0xd5, + 0xe9, 0x4a, 0x67, 0x9b, 0xe6, 0xfd, 0x03, 0x33, 0x2b, 0x74, 0xe3, 0xc3, + 0x11, 0xc1, 0xe0, 0xf1, 0x4f, 0xdd, 0x13, 0x92, 0x16, 0x67, 0x4f, 0x6e, + 0xc4, 0x8c, 0x0a, 0x48, 0x21, 0x92, 0x8f, 0xb2, 0xe5, 0xb5, 
0x96, 0x5a, + 0xb8, 0xc0, 0x67, 0xbb, 0xc8, 0x87, 0x2d, 0xa8, 0x4e, 0xd2, 0xd8, 0x05, + 0xf0, 0xf0, 0xb3, 0x7c, 0x90, 0x98, 0x8f, 0x4f, 0x5d, 0x6c, 0xab, 0x71, + 0x92, 0xe2, 0x88, 0xc8, 0xf3, 0x02, 0x81, 0x81, 0x00, 0x99, 0x27, 0x5a, + 0x00, 0x81, 0x65, 0x39, 0x5f, 0xe6, 0xc6, 0x38, 0xbe, 0x79, 0xe3, 0x21, + 0xdd, 0x29, 0xc7, 0xb3, 0x90, 0x18, 0x29, 0xa4, 0xd7, 0xaf, 0x29, 0xb5, + 0x33, 0x7c, 0xca, 0x95, 0x81, 0x57, 0x27, 0x98, 0xfc, 0x70, 0xc0, 0x43, + 0x4c, 0x5b, 0xc5, 0xd4, 0x6a, 0xc0, 0xf9, 0x3f, 0xde, 0xfd, 0x95, 0x08, + 0xb4, 0x94, 0xf0, 0x96, 0x89, 0xe5, 0xa6, 0x00, 0x13, 0x0a, 0x36, 0x61, + 0x50, 0x67, 0xaa, 0x80, 0x4a, 0x30, 0xe0, 0x65, 0x56, 0xcd, 0x36, 0xeb, + 0x0d, 0xe2, 0x57, 0x5d, 0xce, 0x48, 0x94, 0x74, 0x0e, 0x9f, 0x59, 0x28, + 0xb8, 0xb6, 0x4c, 0xf4, 0x7b, 0xfc, 0x44, 0xb0, 0xe5, 0x67, 0x3c, 0x98, + 0xb5, 0x3f, 0x41, 0x9d, 0xf9, 0x46, 0x85, 0x08, 0x34, 0x36, 0x4d, 0x17, + 0x4b, 0x14, 0xdb, 0x66, 0x56, 0xef, 0xb5, 0x08, 0x57, 0x0c, 0x73, 0x74, + 0xa7, 0xdc, 0x46, 0xaa, 0x51, 0x02, 0x81, 0x80, 0x1e, 0x50, 0x4c, 0xde, + 0x9c, 0x60, 0x6d, 0xd7, 0x31, 0xf6, 0xd8, 0x4f, 0xc2, 0x25, 0x7d, 0x83, + 0xb3, 0xe7, 0xed, 0x92, 0xe7, 0x28, 0x1e, 0xb3, 0x9b, 0xcb, 0xf2, 0x86, + 0xa4, 0x49, 0x45, 0x5e, 0xba, 0x1d, 0xdb, 0x21, 0x5d, 0xdf, 0xeb, 0x3c, + 0x5e, 0x01, 0xc6, 0x68, 0x25, 0x28, 0xe6, 0x1a, 0xbf, 0xc1, 0xa1, 0xc5, + 0x92, 0x0b, 0x08, 0x43, 0x0e, 0x5a, 0xa3, 0x85, 0x8a, 0x65, 0xb4, 0x54, + 0xa1, 0x4c, 0x20, 0xa2, 0x5a, 0x08, 0xf6, 0x90, 0x0d, 0x9a, 0xd7, 0x20, + 0xf1, 0x10, 0x66, 0x28, 0x4c, 0x22, 0x56, 0xa6, 0xb9, 0xff, 0xd0, 0x6a, + 0x62, 0x8c, 0x9f, 0xf8, 0x7c, 0xf4, 0xad, 0xd7, 0xe8, 0xf9, 0x87, 0x43, + 0xbf, 0x73, 0x5b, 0x04, 0xc7, 0xd0, 0x77, 0xcc, 0xe3, 0xbe, 0xda, 0xc2, + 0x07, 0xed, 0x8d, 0x2a, 0x15, 0x77, 0x1d, 0x53, 0x47, 0xe0, 0xa2, 0x11, + 0x41, 0x0d, 0xe2, 0xe7, +}; + +/* The matching public key used for encryption*/ +static const unsigned char pub_key_der[] = { + 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 
0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, + 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc2, 0x44, 0xbc, + 0xcf, 0x5b, 0xca, 0xcd, 0x80, 0x77, 0xae, 0xf9, 0x7a, 0x34, 0xbb, 0x37, + 0x6f, 0x5c, 0x76, 0x4c, 0xe4, 0xbb, 0x0c, 0x1d, 0xe7, 0xfe, 0x0f, 0xda, + 0xcf, 0x8c, 0x56, 0x65, 0x72, 0x6e, 0x2c, 0xf9, 0xfd, 0x87, 0x43, 0xeb, + 0x4c, 0x26, 0xb1, 0xd3, 0xf0, 0x87, 0xb1, 0x18, 0x68, 0x14, 0x7d, 0x3c, + 0x2a, 0xfa, 0xc2, 0x5d, 0x70, 0x19, 0x11, 0x00, 0x2e, 0xb3, 0x9c, 0x8e, + 0x38, 0x08, 0xbe, 0xe3, 0xeb, 0x7d, 0x6e, 0xc7, 0x19, 0xc6, 0x7f, 0x59, + 0x48, 0x84, 0x1b, 0xe3, 0x27, 0x30, 0x46, 0x30, 0xd3, 0xfc, 0xfc, 0xb3, + 0x35, 0x75, 0xc4, 0x31, 0x1a, 0xc0, 0xc2, 0x4c, 0x0b, 0xc7, 0x01, 0x95, + 0xb2, 0xdc, 0x17, 0x77, 0x9b, 0x09, 0x15, 0x04, 0xbc, 0xdb, 0x57, 0x0b, + 0x26, 0xda, 0x59, 0x54, 0x0d, 0x6e, 0xb7, 0x89, 0xbc, 0x53, 0x9d, 0x5f, + 0x8c, 0xad, 0x86, 0x97, 0xd2, 0x48, 0x4f, 0x5c, 0x94, 0xdd, 0x30, 0x2f, + 0xcf, 0xfc, 0xde, 0x20, 0x31, 0x25, 0x9d, 0x29, 0x25, 0x78, 0xb7, 0xd2, + 0x5b, 0x5d, 0x99, 0x5b, 0x08, 0x12, 0x81, 0x79, 0x89, 0xa0, 0xcf, 0x8f, + 0x40, 0xb1, 0x77, 0x72, 0x3b, 0x13, 0xfc, 0x55, 0x43, 0x70, 0x29, 0xd5, + 0x41, 0xed, 0x31, 0x4b, 0x2d, 0x6c, 0x7d, 0xcf, 0x99, 0x5f, 0xd1, 0x72, + 0x9f, 0x8b, 0x32, 0x96, 0xde, 0x5d, 0x8b, 0x19, 0x77, 0x75, 0xff, 0x09, + 0xbf, 0x26, 0xe9, 0xd7, 0x3d, 0xc7, 0x1a, 0x81, 0xcf, 0x05, 0x1b, 0x89, + 0xbf, 0x45, 0x32, 0xbf, 0x5e, 0xc9, 0xe3, 0x5c, 0x33, 0x4a, 0x72, 0x47, + 0xf4, 0x24, 0xae, 0x9b, 0x38, 0x24, 0x76, 0x9a, 0xa2, 0x9a, 0x50, 0x50, + 0x49, 0xf5, 0x26, 0xb9, 0x55, 0xa6, 0x47, 0xc9, 0x14, 0xa2, 0xca, 0xd4, + 0xa8, 0x8a, 0x9f, 0xe9, 0x5a, 0x5a, 0x12, 0xaa, 0x30, 0xd5, 0x78, 0x8b, + 0x39, 0x02, 0x03, 0x01, 0x00, 0x01, +}; diff --git a/demos/mac/cmac-aes256.c b/demos/mac/cmac-aes256.c index 6f4fd78b6..9b91a404a 100644 --- a/demos/mac/cmac-aes256.c +++ b/demos/mac/cmac-aes256.c 
@@ -72,7 +72,7 @@ int main(void) unsigned char *out = NULL; size_t out_len = 0; OSSL_PARAM params[4], *p = params; - char cipher_name[] = "aes256"; + char cipher_name[] = "AES-256-CBC"; library_context = OSSL_LIB_CTX_new(); if (library_context == NULL) { diff --git a/demos/mac/gmac.c b/demos/mac/gmac.c index bdaa9b1da..da757ae72 100644 --- a/demos/mac/gmac.c +++ b/demos/mac/gmac.c @@ -1,5 +1,5 @@ /* - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -85,7 +85,7 @@ int main(int argc, char **argv) goto end; } - /* GMAC requries a GCM mode cipher to be specified */ + /* GMAC requires a GCM mode cipher to be specified */ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER, "AES-128-GCM", 0); diff --git a/demos/signature/EVP_DSA_Signature_demo.c b/demos/signature/EVP_DSA_Signature_demo.c new file mode 100644 index 000000000..ca41ef34d --- /dev/null +++ b/demos/signature/EVP_DSA_Signature_demo.c 
@@ -0,0 +1,317 @@ +/*- + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * An example that uses the EVP_PKEY*, EVP_DigestSign* and EVP_DigestVerify* + * methods to calculate public/private DSA keypair and to sign and verify + * two static buffers. + */ + +#include +#include +#include +#include +#include +#include + +/* + * This demonstration will calculate and verify a signature of data using + * the soliloquy from Hamlet scene 1 act 3 + */ + +static const char *hamlet_1 = + "To be, or not to be, that is the question,\n" + "Whether tis nobler in the minde to suffer\n" + "The slings and arrowes of outragious fortune,\n" + "Or to take Armes again in a sea of troubles,\n" +; +static const char *hamlet_2 = + "And by opposing, end them, to die to sleep;\n" + "No more, and by a sleep, to say we end\n" + "The heart-ache, and the thousand natural shocks\n" + "That flesh is heir to? 
tis a consumation\n" +; + +static const char ALG[] = "DSA"; +static const char DIGEST[] = "SHA256"; +static const int NUMBITS = 2048; +static const char * const PROPQUERY = NULL; + +static int generate_dsa_params(OSSL_LIB_CTX *libctx, + EVP_PKEY **p_params) +{ + int result = 0; + + EVP_PKEY_CTX *pkey_ctx = NULL; + EVP_PKEY *params = NULL; + + pkey_ctx = EVP_PKEY_CTX_new_from_name(libctx, ALG, PROPQUERY); + if (pkey_ctx == NULL) + goto end; + + if (EVP_PKEY_paramgen_init(pkey_ctx) <= 0) + goto end; + + if (EVP_PKEY_CTX_set_dsa_paramgen_bits(pkey_ctx, NUMBITS) <= 0) + goto end; + if (EVP_PKEY_paramgen(pkey_ctx, ¶ms) <= 0) + goto end; + if (params == NULL) + goto end; + + result = 1; +end: + if(result != 1) { + EVP_PKEY_free(params); + params = NULL; + } + EVP_PKEY_CTX_free(pkey_ctx); + *p_params = params; + fprintf(stdout, "Params:\n"); + EVP_PKEY_print_params_fp(stdout, params, 4, NULL); + fprintf(stdout, "\n"); + + return result; +} + +static int generate_dsa_key(OSSL_LIB_CTX *libctx, + EVP_PKEY *params, + EVP_PKEY **p_pkey) +{ + int result = 0; + + EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY *pkey = NULL; + + ctx = EVP_PKEY_CTX_new_from_pkey(libctx, params, + NULL); + if (ctx == NULL) + goto end; + if (EVP_PKEY_keygen_init(ctx) <= 0) + goto end; + + if (EVP_PKEY_keygen(ctx, &pkey) <= 0) + goto end; + if (pkey == NULL) + goto end; + + result = 1; +end: + if(result != 1) { + EVP_PKEY_free(pkey); + pkey = NULL; + } + EVP_PKEY_CTX_free(ctx); + *p_pkey = pkey; + fprintf(stdout, "Generating public/private key pair:\n"); + EVP_PKEY_print_public_fp(stdout, pkey, 4, NULL); + fprintf(stdout, "\n"); + EVP_PKEY_print_private_fp(stdout, pkey, 4, NULL); + fprintf(stdout, "\n"); + EVP_PKEY_print_params_fp(stdout, pkey, 4, NULL); + fprintf(stdout, "\n"); + + return result; +} + +static int extract_public_key(const EVP_PKEY *pkey, + OSSL_PARAM **p_public_key) +{ + int result = 0; + OSSL_PARAM *public_key = NULL; + + if (EVP_PKEY_todata(pkey, EVP_PKEY_PUBLIC_KEY, &public_key) != 1) + goto 
end; + + result = 1; +end: + if (result != 1) { + OSSL_PARAM_free(public_key); + public_key = NULL; + } + *p_public_key = public_key; + + return result; +} + +static int extract_keypair(const EVP_PKEY *pkey, + OSSL_PARAM **p_keypair) +{ + int result = 0; + OSSL_PARAM *keypair = NULL; + + if (EVP_PKEY_todata(pkey, EVP_PKEY_KEYPAIR, &keypair) != 1) + goto end; + + result = 1; +end: + if (result != 1) { + OSSL_PARAM_free(keypair); + keypair = NULL; + } + *p_keypair = keypair; + + return result; +} + +static int demo_sign(OSSL_LIB_CTX *libctx, + size_t *p_sig_len, unsigned char **p_sig_value, + OSSL_PARAM keypair[]) +{ + int result = 0; + size_t sig_len = 0; + unsigned char *sig_value = NULL; + EVP_MD_CTX *ctx = NULL; + EVP_PKEY_CTX *pkey_ctx = NULL; + EVP_PKEY *pkey = NULL; + + pkey_ctx = EVP_PKEY_CTX_new_from_name(libctx, ALG, PROPQUERY); + if (pkey_ctx == NULL) + goto end; + if (EVP_PKEY_fromdata_init(pkey_ctx) != 1) + goto end; + if (EVP_PKEY_fromdata(pkey_ctx, &pkey, EVP_PKEY_KEYPAIR, keypair) != 1) + goto end; + + ctx = EVP_MD_CTX_create(); + if (ctx == NULL) + goto end; + + if (EVP_DigestSignInit_ex(ctx, NULL, DIGEST, libctx, NULL, pkey, NULL) != 1) + goto end; + + if (EVP_DigestSignUpdate(ctx, hamlet_1, sizeof(hamlet_1)) != 1) + goto end; + + if (EVP_DigestSignUpdate(ctx, hamlet_2, sizeof(hamlet_2)) != 1) + goto end; + + /* Calculate the signature size */ + if (EVP_DigestSignFinal(ctx, NULL, &sig_len) != 1) + goto end; + if (sig_len == 0) + goto end; + + sig_value = OPENSSL_malloc(sig_len); + if (sig_value == NULL) + goto end; + + /* Calculate the signature */ + if (EVP_DigestSignFinal(ctx, sig_value, &sig_len) != 1) + goto end; + + result = 1; +end: + EVP_MD_CTX_free(ctx); + if (result != 1) { + OPENSSL_free(sig_value); + sig_len = 0; + sig_value = NULL; + } + *p_sig_len = sig_len; + *p_sig_value = sig_value; + EVP_PKEY_free(pkey); + EVP_PKEY_CTX_free(pkey_ctx); + + fprintf(stdout, "Generating signature:\n"); + BIO_dump_indent_fp(stdout, sig_value, sig_len, 
2); + fprintf(stdout, "\n"); + return result; +} + +static int demo_verify(OSSL_LIB_CTX *libctx, + size_t sig_len, unsigned char *sig_value, + OSSL_PARAM public_key[]) +{ + int result = 0; + EVP_MD_CTX *ctx = NULL; + EVP_PKEY_CTX *pkey_ctx = NULL; + EVP_PKEY *pkey = NULL; + + pkey_ctx = EVP_PKEY_CTX_new_from_name(libctx, ALG, PROPQUERY); + if (pkey_ctx == NULL) + goto end; + if (EVP_PKEY_fromdata_init(pkey_ctx) != 1) + goto end; + if (EVP_PKEY_fromdata(pkey_ctx, &pkey, EVP_PKEY_PUBLIC_KEY, public_key) != 1) + goto end; + + ctx = EVP_MD_CTX_create(); + if(ctx == NULL) + goto end; + + if (EVP_DigestVerifyInit_ex(ctx, NULL, DIGEST, libctx, NULL, pkey, NULL) != 1) + goto end; + + if (EVP_DigestVerifyUpdate(ctx, hamlet_1, sizeof(hamlet_1)) != 1) + goto end; + + if (EVP_DigestVerifyUpdate(ctx, hamlet_2, sizeof(hamlet_2)) != 1) + goto end; + + if (EVP_DigestVerifyFinal(ctx, sig_value, sig_len) != 1) + goto end; + + result = 1; +end: + EVP_PKEY_free(pkey); + EVP_PKEY_CTX_free(pkey_ctx); + EVP_MD_CTX_free(ctx); + return result; +} + +int main(void) +{ + int result = 0; + OSSL_LIB_CTX *libctx = NULL; + EVP_PKEY *params = NULL; + EVP_PKEY *pkey = NULL; + OSSL_PARAM *public_key = NULL; + OSSL_PARAM *keypair = NULL; + size_t sig_len = 0; + unsigned char *sig_value = NULL; + + libctx = OSSL_LIB_CTX_new(); + if (libctx == NULL) + goto end; + + if (generate_dsa_params(libctx, ¶ms) != 1) + goto end; + + if (generate_dsa_key(libctx, params, &pkey) != 1) + goto end; + + if (extract_public_key(pkey, &public_key) != 1) + goto end; + + if (extract_keypair(pkey, &keypair) != 1) + goto end; + + /* The signer signs with his private key, and distributes his public key */ + if (demo_sign(libctx, &sig_len, &sig_value, keypair) != 1) + goto end; + + /* A verifier uses the signers public key to verify the signature */ + if (demo_verify(libctx, sig_len, sig_value, public_key) != 1) + goto end; + + result = 1; +end: + if (result != 1) + ERR_print_errors_fp(stderr); + + OPENSSL_free(sig_value); + 
EVP_PKEY_free(params); + EVP_PKEY_free(pkey); + OSSL_PARAM_free(public_key); + OSSL_PARAM_free(keypair); + OSSL_LIB_CTX_free(libctx); + + return result ? 0 : 1; +} diff --git a/demos/signature/EVP_Signature_demo.c b/demos/signature/EVP_EC_Signature_demo.c similarity index 98% rename from demos/signature/EVP_Signature_demo.c rename to demos/signature/EVP_EC_Signature_demo.c index 123c95c26..80ea7f8ee 100644 --- a/demos/signature/EVP_Signature_demo.c +++ b/demos/signature/EVP_EC_Signature_demo.c @@ -1,5 +1,5 @@ /*- - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -17,7 +17,7 @@ #include #include #include -#include "EVP_Signature_demo.h" +#include "EVP_EC_Signature_demo.h" /* * This demonstration will calculate and verify a signature of data using diff --git a/demos/signature/EVP_Signature_demo.h b/demos/signature/EVP_EC_Signature_demo.h similarity index 98% rename from demos/signature/EVP_Signature_demo.h rename to demos/signature/EVP_EC_Signature_demo.h index aef3e6078..08d533788 100644 --- a/demos/signature/EVP_Signature_demo.h +++ b/demos/signature/EVP_EC_Signature_demo.h @@ -1,5 +1,5 @@ /*- - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/demos/signature/Makefile b/demos/signature/Makefile index 563ec7799..394eef6d4 100644 --- a/demos/signature/Makefile +++ b/demos/signature/Makefile 
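Review bot: In demo_sign and demo_verify the calls `EVP_DigestSignUpdate(ctx, hamlet_1, sizeof(hamlet_1))` (and the three sibling calls for hamlet_2 and the verify side) pass the size of a `const char *` pointer, not the length of the text, so only the first few bytes of each soliloquy fragment are signed; verification still succeeds because both sides make the same mistake, which is exactly what hides it. Replace `sizeof(hamlet_1)` / `sizeof(hamlet_2)` with `strlen(hamlet_1)` / `strlen(hamlet_2)` in all four Update calls. Separately, generate_dsa_params and generate_dsa_key call EVP_PKEY_print_params_fp / EVP_PKEY_print_public_fp / EVP_PKEY_print_private_fp after the `end:` label, where on the failure path `params` / `pkey` has just been set to NULL; either move the printing above `end:` or guard it with `if (result == 1)`. A one-line comment at the top of demo_sign saying that the keypair OSSL_PARAM array is consumed only to rebuild an EVP_PKEY (i.e. the demo deliberately round-trips through todata/fromdata) would help readers who wonder why `pkey` is not passed directly.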
@@ -7,16 +7,17 @@ CFLAGS = -I../../include -g -Wall LDFLAGS = -L../.. LDLIBS = -lcrypto -all: EVP_Signature_demo rsa_pss_direct rsa_pss_hash +all: EVP_EC_Signature_demo EVP_DSA_Signature_demo rsa_pss_direct rsa_pss_hash %.o: %.c $(CC) $(CFLAGS) -c $< -EVP_Signature_demo: EVP_Signature_demo.o +EVP_EC_Signature_demo: EVP_EC_Signature_demo.o +EVP_DSA_Signature_demo: EVP_DSA_Signature_demo.o rsa_pss_direct: rsa_pss_direct.o rsa_pss_hash: rsa_pss_hash.o test: ; clean: - $(RM) *.o EVP_Signature_demo rsa_pss_direct rsa_pss_hash + $(RM) *.o EVP_EC_Signature_demo EVP_DSA_Signature_demo rsa_pss_direct rsa_pss_hash diff --git a/demos/sslecho/A-SSL-Docs.txt b/demos/sslecho/A-SSL-Docs.txt new file mode 100644 index 000000000..865960e4b --- /dev/null +++ b/demos/sslecho/A-SSL-Docs.txt @@ -0,0 +1,20 @@ +Useful Links: + +OpenSSL API Documentation: https://www.openssl.org/docs + +Github: https://github.com/openssl/openssl + +OpenSSL Wiki: https://wiki.openssl.org/index.php/Main_Page + +Original Simple Server: https://wiki.openssl.org/index.php/Simple_TLS_Server + +--------------------------------------------------------------- + +Generate self signed cert and key 'pem' files (good for 10 years): + +openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out cert.pem -keyout key.pem + +You can just hit carriage returns to accept the default values, except for "Common Name"; you +should enter 'localhost', or an actual hostname. + +The same keys can be used for both communicating instances; same or different machines. diff --git a/demos/sslecho/README.md b/demos/sslecho/README.md new file mode 100644 index 000000000..58f7ca072 --- /dev/null +++ b/demos/sslecho/README.md 
@@ -0,0 +1,26 @@ +OpenSSL Simple Echo Client/Server +================================= + +This project implements a simple echo client/server. + +It is a console application, with command line parameters determining the mode +of operation (client or server). Start it with no parameters to see usage. + +The server code was adapted from the Simple TLS Server on the OpenSSL Wiki. +The server code was modified to perform the echo function, and client code +was added to open a connection with the server and to send keyboard input +to the server. + +The new client code illustrates that: + +- Connection to the SSL server starts as a standard TCP 'connect'. +- Once connected with TCP, the client 'upgrades' to SSL using + SSL_connect(). +- When the SSL connection completes, data is sent and received using + SSL_write() and SSL_read(). +- Pretty simple. + +The cert.pem and key.pem files included are self signed certificates with the +"Common Name" of 'localhost'. + +Best to create the 'pem' files using an actual hostname. diff --git a/demos/sslecho/cert.pem b/demos/sslecho/cert.pem new file mode 100644 index 000000000..834d46285 --- /dev/null +++ b/demos/sslecho/cert.pem 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFkzCCA3ugAwIBAgIUQJ8FQFwuVg1UlnIBam0+liL0RSQwDQYJKoZIhvcNAQEL +BQAwWTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM +GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAGA1UEAwwJbG9jYWxob3N0MB4X +DTIyMDIwMjE0MzgzNloXDTMyMDEzMTE0MzgzNlowWTELMAkGA1UEBhMCQVUxEzAR +BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5 +IEx0ZDESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A +MIICCgKCAgEAyPZfTbR9lVvpHxIGRzpYb1gYFjPZ7yTXYZVKEqQLVxw/O2L32ufa +lODiYJr/pKu9++9T+JrmRnonYlyl0uFta3w4rMY9PzHsT7jIZJByoFdraNz1SnxF +1UaHjzF9fjIA0/n/ZGVJDZCCYulpcVkpW14oNG4tTW5IefYUH3GxmPZ5godhWEla +6OXl3+9xkGd5yXq1O4VZbsekcVcZlznuq7blmvs3UrjrEZ5xgmCd8kNzy/E9APKY +SSGx87/U9yyiz5GAphgSNTqAfEWqpzouMv+hUm/J5NuZCXbOPYbE7zfDDauspYiY +/wdGty9ZvDy5g+fFz8sZig1OWuHqvU8QGoIfVRCxjhX3+p0/KshGDBWjLHek+8Wh +IZHmuf1LgT+gOzN3dxxVEcphSiJX0eZ/OhBelowrdabEycm2WAk3qs/tUDMbWh6V +VSH22ODLX/cBrSAY2sk2EU8Mz5Mbm6gFTcJhqOBgVn5g8/3QCAhFG3xq/2LKZ+za +itAKbaeQqyAw5G/+oc7mKCjUqSKE92n6FKZRsJrB+vfy3AQYyqJevHcIf2nbBimX +vb4/rDed/gvSOVGIXIUiUlFHgg8DoVZqMrfJ+y/xwr+Ya+AX8n6J8EB2It3W4EEf +nmosupBcZPb6U2VrtpEe/199nPj2ZXQHGLLQfw8lYjvZDghCFiP0o8cCAwEAAaNT +MFEwHQYDVR0OBBYEFDClIPCiAkevl1qh188Ycjz5IZ/DMB8GA1UdIwQYMBaAFDCl +IPCiAkevl1qh188Ycjz5IZ/DMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL +BQADggIBAGQm27D74xUm1X99GbDQpgJenUIu+Bszk8qXCsPfyyQZy4H6+70uXlkC +ASf/keQjrPzrco3rBelbtlCGqqWhsCznVplrjNIntBAkLD0fU3z92SjsMvHEcBDa +Nu6aXExN9gv85EBJHNnj16hqjo8Mk+ydNQ8BtcnZa4zi7GdVh29KbPuEzeoyRnXP +xh5yHUj5Bs6hEUbirhm1WLEK8bvfWykfEJiGOQO8MHAeYK1uPFXDmswgTwJFzZyA +6LSXYbmGOnCM8yAmVXHMnXXCKd+DQFyQ0KrXDiixyTinYFtrONBkNNt/7SnCjJt5 +H3LRTNuoZvvGmaS7GxbIMemBjLdrigKicVZunEPGFRTEL7K+spmSMnpAiITStxjR +70wHEe3M9IUbJximKaxvMhXhP0VSPJGOzgG304A2MqMS7UPBDzD/pz5c7gn7ILfM +LcxzStnQcbTqqmdpNVlMv31YpOk5nel5RY3UmwKbQkix6UAo/CJmC1Q3yLU8uG5O +6j7vS8t0wOYcVTAA845JU8C7V5yy6UeCB9F2oGDgVwCe6U8bzTIoCDnkzIKO7LlS +734KP+fNK9LatNzpPQWW+1SK4XEZBNLOMePwu560GLVzPgr9ji0z83E+0yAcWrAO 
+4gKT+/h3Ep1Ut73daskFAvNJFFt/5Rm+xZECHrxRkXqW1AN/2eXX +-----END CERTIFICATE----- diff --git a/demos/sslecho/key.pem b/demos/sslecho/key.pem new file mode 100644 index 000000000..75b86c3a3 --- /dev/null +++ b/demos/sslecho/key.pem 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDI9l9NtH2VW+kf +EgZHOlhvWBgWM9nvJNdhlUoSpAtXHD87Yvfa59qU4OJgmv+kq73771P4muZGeidi +XKXS4W1rfDisxj0/MexPuMhkkHKgV2to3PVKfEXVRoePMX1+MgDT+f9kZUkNkIJi +6WlxWSlbXig0bi1Nbkh59hQfcbGY9nmCh2FYSVro5eXf73GQZ3nJerU7hVlux6Rx +VxmXOe6rtuWa+zdSuOsRnnGCYJ3yQ3PL8T0A8phJIbHzv9T3LKLPkYCmGBI1OoB8 +RaqnOi4y/6FSb8nk25kJds49hsTvN8MNq6yliJj/B0a3L1m8PLmD58XPyxmKDU5a +4eq9TxAagh9VELGOFff6nT8qyEYMFaMsd6T7xaEhkea5/UuBP6A7M3d3HFURymFK +IlfR5n86EF6WjCt1psTJybZYCTeqz+1QMxtaHpVVIfbY4Mtf9wGtIBjayTYRTwzP +kxubqAVNwmGo4GBWfmDz/dAICEUbfGr/Yspn7NqK0Aptp5CrIDDkb/6hzuYoKNSp +IoT3afoUplGwmsH69/LcBBjKol68dwh/adsGKZe9vj+sN53+C9I5UYhchSJSUUeC +DwOhVmoyt8n7L/HCv5hr4BfyfonwQHYi3dbgQR+eaiy6kFxk9vpTZWu2kR7/X32c ++PZldAcYstB/DyViO9kOCEIWI/SjxwIDAQABAoICAH51SpODOGN8ar36gajgtjWa +oc2W41TxQfdOEkaYo+o1BDVCmeVOcOWufcV8w9HDoNGgUJ7oGm/O/mmPE2oYINq6 +WI+gT3os2B9yj+d4Xik32YcrQ8+TU/5ZW4RoCCgZHxxE/MkYU1gNz36ekpOZH8U3 +AuW7Txaih0j36MHAsZknwF67Ai6kOmjEAltgOX49Hw4CAXlq+FQVnQ0VWi0nb2Du +vp0/6BhN9N4pbhQ06C9C8uMq8tBd2CZs5aYU2NaRaAJl9SaPjyWfoqqQzEpe+iNt +aP6PCeTRqwOhlzZwUAyYck1v8jxYMK6KzZ0IVtd0/uhaOMgBbhjJNr1J3IUz81Ud +gwmU7UrifjtcGiMHNmHnIAJNcbm9sY27EvsyEHz3zf90VQL8wLpYflX9kX5v8soi +WPv6On+u7ARKofHfQKmP1BfJoGY651uyI1vqdpwUds9iQk3dZWUuBf1WRzywH4t/ +Vwz/h9cEW1Pd42cjukRCoPE1kLc9vHBUEADaaQG7Y5avuLIfDFzXEmwf9YokGRcy +ULUikhhFgiL4bOiQ4cj0/c3CLFAM98iq+z1pTlGFy5msjgUTg3ouUUbbPTaxaMS5 +yVeXelleQADdpj25MTGatBkGW4WC3DYopvvSy+DZ6XarJ6gYm+/cV+eoXddQYLUd +RAQqnQFqVPUIy2rlVuQBAoIBAQDlKILSqQNPZqou6lFgo4tbFLpzUFVAnmrEUhuJ +3v9ppseKncolZ3pcr10VwIzuQZliLLvUiZ8aB+TzMeuIRBm1PkXMpSRhPsVb2bGb +QrTzzPafB8uwVwvr3YzYeRXbpdabU9UpuQMk+lD+GEx5DfowdYJMtdIBOeQdjROi +7JZnHPfNwNheEakJpCgPbulQRfrXx4Fd+npWQprcvCYhg8vnqCHrGazy5g/2dnYF +NW7L2CNHdM74SJKl8gY/YcfEQSFcir6SFWUGPOiHsVdpKX9K0his6DoiV8QPH/S0 +RIKZuNIuOmiO8ATblYksrh8UuOQWi2kywE3bF3neMmNgwoRBAoIBAQDggGL0C9Ij +n+DHlkHujbziEwe1pLVSb4x2q5KmZwA4VWDGLARbK2ypx6/LJDsUCwK6ZFHh89DU 
+eW9Ze6fXMi8Fiv1N1DfawIu9+bU3BG5boiQMdAgYzSCUhwojo3KiIpvbzXCmSQd9 +1lJkbwxQFo2GuYZIX+QLyONhGBA1JdF0kBzIrrQWmza+wNj1emftFptZlwAW1+wm +KvZyzAZl3/5fj5/9oAMxlH489edbgRMF/cOmzpB4fIAkbzmvU97xXOzKWX+nPA6D +BTVkkruqESpq2pf06gGnlbCC5Tcf1QS+On+/LGr1frr/aeouRy8xHv5xgVCRcyh+ +nLwOP6W/KYYHAoIBAQCXgjtMkJYxrw0hy6ZWIIsIgyHrD9fty0+H0UmH1DpGXhBb +44s9Q7cxBHik4xPKivCgajcdhIf+q+2BpSW2iF/+5tc7QIxXBytxWPMGVgpRjtgX +uQ3A3yxwm6B9l0EOYg0L0VeEKGCd2CoodWRKPSWHWIn3sdbRHLdnmli7RXUDY7Gr +Ba+IMmDykOgzm/8CJeJ9O9iai/rKgWrmOjdzvTHZTd5vFCC2z8kKCLRrKTLB73sT +yXT1zvW2Zdgfm8R6Sx2Fk+3/o8mRYD/VRzklvFv+2f2ahEe7YQ+teFFPxmQawomk +KtXqe2Ka07lIIy9FgiC7jxzUgzR2gIUAlYwC81iBAoIBAC30Oc0oykf+hv1z1WUm +YD6KlK5q267XJJJ6BlfHh7UATQHjqrSay/Bo7qQPc4RjyJgsxtIQnXOQs+lGNZII +NLXWwIj44sIFXdVyUtTDNG/PXb+q1Kl2+69LgRjQcTudB/hTMjbnhgANKepjDMss +AqZMPZ98+WosIdcTHOY0Ko7InQu7LyPde7RKN17wQmu2j/Ajx6HlavJZIv9Wogyi +cChRdvdslJrGgZyq3UPOxP0Z972iVNJE8doDZnRsH5uaYOH+tfGein3pSAehPYbP +YrZirm40pEgQjQQONV1vtjvWL6YLSo2b9l0n6ga1DYTpij3jsYFEaEqafKgSATSD +JGsCggEAVnGMMovIgEADUAiwQzlYb5/gUjRJOetFpPW8R/3CZqFt3FTprNH0Q7Jb +be3PJCLONqYE8K84n66Ro5I/58oVcJ5QwCwZCmZ+Kk4u7j0RYR9kkpR6gWShSpfw +CkrSVNz0zn3l8GxIs11YO+ztBQG82StU+7PTZH9KGEQhytO3km+txC3EXih7Fn7R +Vb2rJ+2v6aSGjH+1n/GFP8YxKAxYk7jPwI5s4YMrn6TQPt4tgr4I0f7DDjjlVLEg +LMixBvYHG/8fXWtldf6Wwhl6UJ5G0LA4KxXRAJ68RX8cQNLG7mv66xogbLEMnrJr +DDFU5HazFnn1G0/rg2SnKHTRLV2E9g== +-----END PRIVATE KEY----- diff --git a/demos/sslecho/main.c b/demos/sslecho/main.c new file mode 100644 index 000000000..0233794c4 --- /dev/null +++ b/demos/sslecho/main.c 
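Review bot: A PEM private key (demos/sslecho/key.pem) is being committed next to cert.pem; even though README.md describes the pair as a self-signed localhost demo, a checked-in private key will be flagged by secret scanners and picked up by downstream packaging. A-SSL-Docs.txt already documents the `openssl req ... -out cert.pem -keyout key.pem` command that produces the pair, so generating it from the sslecho makefile (or a small script) instead of shipping it would avoid that. If the files must stay, README.md should say explicitly that they exist only to run the demo and must not be reused elsewhere.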
@@ -0,0 +1,344 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include +#include +#include + +static const int server_port = 4433; + +typedef unsigned char bool; +#define true 1 +#define false 0 + +/* + * This flag won't be useful until both accept/read (TCP & SSL) methods + * can be called with a timeout. TBD. + */ +static volatile bool server_running = true; + +int create_socket(bool isServer) +{ + int s; + int optval = 1; + struct sockaddr_in addr; + + s = socket(AF_INET, SOCK_STREAM, 0); + if (s < 0) { + perror("Unable to create socket"); + exit(EXIT_FAILURE); + } + + if (isServer) { + addr.sin_family = AF_INET; + addr.sin_port = htons(server_port); + addr.sin_addr.s_addr = INADDR_ANY; + + /* Reuse the address; good for quick restarts */ + if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval)) + < 0) { + perror("setsockopt(SO_REUSEADDR) failed"); + exit(EXIT_FAILURE); + } + + if (bind(s, (struct sockaddr*) &addr, sizeof(addr)) < 0) { + perror("Unable to bind"); + exit(EXIT_FAILURE); + } + + if (listen(s, 1) < 0) { + perror("Unable to listen"); + exit(EXIT_FAILURE); + } + } + + return s; +} + +SSL_CTX* create_context(bool isServer) +{ + const SSL_METHOD *method; + SSL_CTX *ctx; + + if (isServer) + method = TLS_server_method(); + else + method = TLS_client_method(); + + ctx = SSL_CTX_new(method); + if (ctx == NULL) { + perror("Unable to create SSL context"); + ERR_print_errors_fp(stderr); + exit(EXIT_FAILURE); + } + + return ctx; +} + +void configure_server_context(SSL_CTX *ctx) +{ + /* Set the key and cert */ + if (SSL_CTX_use_certificate_chain_file(ctx, "cert.pem") <= 0) { + ERR_print_errors_fp(stderr); + 
exit(EXIT_FAILURE); + } + + if (SSL_CTX_use_PrivateKey_file(ctx, "key.pem", SSL_FILETYPE_PEM) <= 0) { + ERR_print_errors_fp(stderr); + exit(EXIT_FAILURE); + } +} + +void configure_client_context(SSL_CTX *ctx) +{ + /* + * Configure the client to abort the handshake if certificate verification + * fails + */ + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); + /* + * In a real application you would probably just use the default system certificate trust store and call: + * SSL_CTX_set_default_verify_paths(ctx); + * In this demo though we are using a self-signed certificate, so the client must trust it directly. + */ + if (!SSL_CTX_load_verify_locations(ctx, "cert.pem", NULL)) { + ERR_print_errors_fp(stderr); + exit(EXIT_FAILURE); + } +} + +void usage() +{ + printf("Usage: sslecho s\n"); + printf(" --or--\n"); + printf(" sslecho c ip\n"); + printf(" c=client, s=server, ip=dotted ip of server\n"); + exit(1); +} + +int main(int argc, char **argv) +{ + bool isServer; + int result; + + SSL_CTX *ssl_ctx = NULL; + SSL *ssl = NULL; + + int server_skt = -1; + int client_skt = -1; + + /* used by getline relying on realloc, can't be statically allocated */ + char *txbuf = NULL; + size_t txcap = 0; + int txlen; + + char rxbuf[128]; + size_t rxcap = sizeof(rxbuf); + int rxlen; + + char *rem_server_ip = NULL; + + struct sockaddr_in addr; + unsigned int addr_len = sizeof(addr); + + /* Splash */ + printf("\nsslecho : Simple Echo Client/Server (OpenSSL 3.0.1-dev) : %s : %s\n\n", __DATE__, + __TIME__); + + /* Need to know if client or server */ + if (argc < 2) { + usage(); + /* NOTREACHED */ + } + isServer = (argv[1][0] == 's') ? 
true : false; + /* If client get remote server address (could be 127.0.0.1) */ + if (!isServer) { + if (argc != 3) { + usage(); + /* NOTREACHED */ + } + rem_server_ip = argv[2]; + } + + /* Create context used by both client and server */ + ssl_ctx = create_context(isServer); + + /* If server */ + if (isServer) { + + printf("We are the server on port: %d\n\n", server_port); + + /* Configure server context with appropriate key files */ + configure_server_context(ssl_ctx); + + /* Create server socket; will bind with server port and listen */ + server_skt = create_socket(true); + + /* + * Loop to accept clients. + * Need to implement timeouts on TCP & SSL connect/read functions + * before we can catch a CTRL-C and kill the server. + */ + while (server_running) { + /* Wait for TCP connection from client */ + client_skt = accept(server_skt, (struct sockaddr*) &addr, + &addr_len); + if (client_skt < 0) { + perror("Unable to accept"); + exit(EXIT_FAILURE); + } + + printf("Client TCP connection accepted\n"); + + /* Create server SSL structure using newly accepted client socket */ + ssl = SSL_new(ssl_ctx); + SSL_set_fd(ssl, client_skt); + + /* Wait for SSL connection from the client */ + if (SSL_accept(ssl) <= 0) { + ERR_print_errors_fp(stderr); + server_running = false; + } else { + + printf("Client SSL connection accepted\n\n"); + + /* Echo loop */ + while (true) { + /* Get message from client; will fail if client closes connection */ + if ((rxlen = SSL_read(ssl, rxbuf, rxcap)) <= 0) { + if (rxlen == 0) { + printf("Client closed connection\n"); + } + ERR_print_errors_fp(stderr); + break; + } + /* Insure null terminated input */ + rxbuf[rxlen] = 0; + /* Look for kill switch */ + if (strcmp(rxbuf, "kill\n") == 0) { + /* Terminate...with extreme prejudice */ + printf("Server received 'kill' command\n"); + server_running = false; + break; + } + /* Show received message */ + printf("Received: %s", rxbuf); + /* Echo it back */ + if (SSL_write(ssl, rxbuf, rxlen) <= 0) { + 
ERR_print_errors_fp(stderr); + } + } + } + if (server_running) { + /* Cleanup for next client */ + SSL_shutdown(ssl); + SSL_free(ssl); + close(client_skt); + } + } + printf("Server exiting...\n"); + } + /* Else client */ + else { + + printf("We are the client\n\n"); + + /* Configure client context so we verify the server correctly */ + configure_client_context(ssl_ctx); + + /* Create "bare" socket */ + client_skt = create_socket(false); + /* Set up connect address */ + addr.sin_family = AF_INET; + inet_pton(AF_INET, rem_server_ip, &addr.sin_addr.s_addr); + addr.sin_port = htons(server_port); + /* Do TCP connect with server */ + if (connect(client_skt, (struct sockaddr*) &addr, sizeof(addr)) != 0) { + perror("Unable to TCP connect to server"); + goto exit; + } else { + printf("TCP connection to server successful\n"); + } + + /* Create client SSL structure using dedicated client socket */ + ssl = SSL_new(ssl_ctx); + SSL_set_fd(ssl, client_skt); + /* Set hostname for SNI */ + SSL_set_tlsext_host_name(ssl, rem_server_ip); + /* Configure server hostname check */ + SSL_set1_host(ssl, rem_server_ip); + + /* Now do SSL connect with server */ + if (SSL_connect(ssl) == 1) { + + printf("SSL connection to server successful\n\n"); + + /* Loop to send input from keyboard */ + while (true) { + /* Get a line of input */ + txlen = getline(&txbuf, &txcap, stdin); + /* Exit loop on error */ + if (txlen < 0 || txbuf == NULL) { + break; + } + /* Exit loop if just a carriage return */ + if (txbuf[0] == '\n') { + break; + } + /* Send it to the server */ + if ((result = SSL_write(ssl, txbuf, txlen)) <= 0) { + printf("Server closed connection\n"); + ERR_print_errors_fp(stderr); + break; + } + + /* Wait for the echo */ + rxlen = SSL_read(ssl, rxbuf, rxcap); + if (rxlen <= 0) { + printf("Server closed connection\n"); + ERR_print_errors_fp(stderr); + break; + } else { + /* Show it */ + rxbuf[rxlen] = 0; + printf("Received: %s", rxbuf); + } + } + printf("Client exiting...\n"); + } else { + + 
printf("SSL connection to server failed\n\n"); + + ERR_print_errors_fp(stderr); + } + } + exit: + /* Close up */ + if (ssl != NULL) { + SSL_shutdown(ssl); + SSL_free(ssl); + } + SSL_CTX_free(ssl_ctx); + + if (client_skt != -1) + close(client_skt); + if (server_skt != -1) + close(server_skt); + + if (txbuf != NULL && txcap > 0) + free(txbuf); + + printf("sslecho exiting\n"); + + return 0; +} diff --git a/demos/sslecho/makefile b/demos/sslecho/makefile new file mode 100644 index 000000000..6e639917d --- /dev/null +++ b/demos/sslecho/makefile @@ -0,0 +1,12 @@ +PROG ?= sslecho + +all: $(PROG) + +# Debug version. +# +$(PROG): main.c + + $(CC) -O0 -g3 -W -Wall -I../../include -L../../ -o $(PROG) main.c -lssl -lcrypto + +clean: + rm -rf $(PROG) *.o *.obj diff --git a/dev/release-aux/README.md b/dev/release-aux/README.md index 01c5a2077..a0438f06b 100644 --- a/dev/release-aux/README.md +++ b/dev/release-aux/README.md @@ -1,4 +1,4 @@ -Auxilliary files for dev/release.sh +Auxillary files for dev/release.sh =================================== - release-state-fn.sh diff --git a/dev/release-aux/release-version-fn.sh b/dev/release-aux/release-version-fn.sh index b924fad8c..64a67c905 100644 --- a/dev/release-aux/release-version-fn.sh +++ b/dev/release-aux/release-version-fn.sh @@ -1,5 +1,5 @@ #! /bin/sh -# Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/dev/release.sh b/dev/release.sh index 6ea228649..a239e94b3 100755 --- a/dev/release.sh +++ b/dev/release.sh @@ -228,7 +228,7 @@ elif $force; then : else echo >&2 "Not in master or any recognised release branch" - echo >&2 "Please 'git checkout' an approprite branch" + echo >&2 "Please 'git checkout' an appropriate branch" exit 1 fi orig_HEAD=$(git rev-parse HEAD) 
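Review bot: `rxbuf[rxlen] = 0;` writes one byte past the end of `rxbuf` whenever SSL_read fills the buffer, because `rxcap` is `sizeof(rxbuf)` (128) and `rxlen` can equal it; the same pattern appears in the server echo loop and in the client receive path. Reading at most one byte less fixes both sites: `size_t rxcap = sizeof(rxbuf) - 1;`. When SSL_accept fails the server sets `server_running = false` and skips the `SSL_free` / `close(client_skt)` cleanup that only runs while `server_running` is true, so a single failed handshake both leaks that client's state and shuts the server down; a comment stating this is intentional for the demo, or an `else` branch that frees `ssl` and closes `client_skt`, would make the behaviour explicit. The usage text asks for a dotted IP, but that string is then used for both SNI (`SSL_set_tlsext_host_name`, which is defined for DNS names only) and the hostname check (`SSL_set1_host`); for IP peers the verify parameter belongs in `X509_VERIFY_PARAM_set1_ip_asc(SSL_get0_param(ssl), rem_server_ip)`, or the usage text should accept a hostname — I cannot tell from the base64 whether cert.pem carries an IP SAN, so this is worth confirming.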
@@ -373,7 +373,7 @@ for fixup in "$HERE/dev/release-aux"/fixup-*-release.pl; do
perl -pi $fixup $file
done
-$VERBOSE "== Comitting updates and tagging"
+$VERBOSE "== Committing updates and tagging"
git add -u
git commit $git_quiet -m "Prepare for release of $release_text"$'\n\nRelease: yes'
if [ -n "$reviewers" ]; then
diff --git a/doc/build.info b/doc/build.info
index ec8778f2a..00dc15072 100644
--- a/doc/build.info
+++ b/doc/build.info
@@ -4145,6 +4145,10 @@ DEPEND[html/man7/EVP_CIPHER-IDEA.html]=man7/EVP_CIPHER-IDEA.pod
GENERATE[html/man7/EVP_CIPHER-IDEA.html]=man7/EVP_CIPHER-IDEA.pod
DEPEND[man/man7/EVP_CIPHER-IDEA.7]=man7/EVP_CIPHER-IDEA.pod
GENERATE[man/man7/EVP_CIPHER-IDEA.7]=man7/EVP_CIPHER-IDEA.pod
+DEPEND[html/man7/EVP_CIPHER-NULL.html]=man7/EVP_CIPHER-NULL.pod
+GENERATE[html/man7/EVP_CIPHER-NULL.html]=man7/EVP_CIPHER-NULL.pod
+DEPEND[man/man7/EVP_CIPHER-NULL.7]=man7/EVP_CIPHER-NULL.pod
+GENERATE[man/man7/EVP_CIPHER-NULL.7]=man7/EVP_CIPHER-NULL.pod
DEPEND[html/man7/EVP_CIPHER-RC2.html]=man7/EVP_CIPHER-RC2.pod
GENERATE[html/man7/EVP_CIPHER-RC2.html]=man7/EVP_CIPHER-RC2.pod
DEPEND[man/man7/EVP_CIPHER-RC2.7]=man7/EVP_CIPHER-RC2.pod
@@ -4289,6 +4293,10 @@ DEPEND[html/man7/EVP_MD-MDC2.html]=man7/EVP_MD-MDC2.pod
GENERATE[html/man7/EVP_MD-MDC2.html]=man7/EVP_MD-MDC2.pod
DEPEND[man/man7/EVP_MD-MDC2.7]=man7/EVP_MD-MDC2.pod
GENERATE[man/man7/EVP_MD-MDC2.7]=man7/EVP_MD-MDC2.pod
+DEPEND[html/man7/EVP_MD-NULL.html]=man7/EVP_MD-NULL.pod
+GENERATE[html/man7/EVP_MD-NULL.html]=man7/EVP_MD-NULL.pod
+DEPEND[man/man7/EVP_MD-NULL.7]=man7/EVP_MD-NULL.pod
+GENERATE[man/man7/EVP_MD-NULL.7]=man7/EVP_MD-NULL.pod
DEPEND[html/man7/EVP_MD-RIPEMD160.html]=man7/EVP_MD-RIPEMD160.pod
GENERATE[html/man7/EVP_MD-RIPEMD160.html]=man7/EVP_MD-RIPEMD160.pod
DEPEND[man/man7/EVP_MD-RIPEMD160.7]=man7/EVP_MD-RIPEMD160.pod
@@ -4619,6 +4627,7 @@ html/man7/EVP_CIPHER-CAST.html \
html/man7/EVP_CIPHER-CHACHA.html \
html/man7/EVP_CIPHER-DES.html \
html/man7/EVP_CIPHER-IDEA.html \
+html/man7/EVP_CIPHER-NULL.html \
html/man7/EVP_CIPHER-RC2.html \
html/man7/EVP_CIPHER-RC4.html \
html/man7/EVP_CIPHER-RC5.html \
@@ -4655,6 +4664,7 @@ html/man7/EVP_MD-MD4.html \
html/man7/EVP_MD-MD5-SHA1.html \
html/man7/EVP_MD-MD5.html \
html/man7/EVP_MD-MDC2.html \
+html/man7/EVP_MD-NULL.html \
html/man7/EVP_MD-RIPEMD160.html \
html/man7/EVP_MD-SHA1.html \
html/man7/EVP_MD-SHA2.html \
@@ -4743,6 +4753,7 @@ man/man7/EVP_CIPHER-CAST.7 \
man/man7/EVP_CIPHER-CHACHA.7 \
man/man7/EVP_CIPHER-DES.7 \
man/man7/EVP_CIPHER-IDEA.7 \
+man/man7/EVP_CIPHER-NULL.7 \
man/man7/EVP_CIPHER-RC2.7 \
man/man7/EVP_CIPHER-RC4.7 \
man/man7/EVP_CIPHER-RC5.7 \
@@ -4779,6 +4790,7 @@ man/man7/EVP_MD-MD4.7 \
man/man7/EVP_MD-MD5-SHA1.7 \
man/man7/EVP_MD-MD5.7 \
man/man7/EVP_MD-MDC2.7 \
+man/man7/EVP_MD-NULL.7 \
man/man7/EVP_MD-RIPEMD160.7 \
man/man7/EVP_MD-SHA1.7 \
man/man7/EVP_MD-SHA2.7 \
diff --git a/doc/internal/man3/OPTIONS.pod b/doc/internal/man3/OPTIONS.pod
index 90593ca46..acd7a4403 100644
--- a/doc/internal/man3/OPTIONS.pod
+++ b/doc/internal/man3/OPTIONS.pod
@@ -155,7 +155,7 @@ on multiple lines; each entry should use B, like this:
{OPT_MORE_STR, 0, 0, "This flag is not really needed on Unix systems"},
{OPT_MORE_STR, 0, 0,
- "(Unix and descendents for ths win!)"}
+ "(Unix and descendents for the win!)"}
Each subsequent line will be indented the correct amount.
@@ -333,7 +333,7 @@ things very differently.
=head1 COPYRIGHT
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file
diff --git a/doc/internal/man3/evp_generic_fetch.pod b/doc/internal/man3/evp_generic_fetch.pod
index b23d2ec0e..50ac64e8c 100644
--- a/doc/internal/man3/evp_generic_fetch.pod
+++ b/doc/internal/man3/evp_generic_fetch.pod
@@ -2,7 +2,7 @@
=head1 NAME
-evp_generic_fetch, evp_generic_fetch_by_number, evp_generic_fetch_from_prov
+evp_generic_fetch, evp_generic_fetch_from_prov
- generic algorithm fetchers and method creators for EVP
=head1 SYNOPSIS
@@ -20,15 +20,6 @@ evp_generic_fetch, evp_generic_fetch_by_number, evp_generic_fetch_from_prov
int (*up_ref_method)(void *),
void (*free_method)(void *));
- void *evp_generic_fetch_by_number(OSSL_LIB_CTX *ctx, int operation_id,
- int name_id, const char *properties,
- void *(*new_method)(int name_id,
- const OSSL_DISPATCH *fns,
- OSSL_PROVIDER *prov,
- void *method_data),
- void *method_data,
- int (*up_ref_method)(void *),
- void (*free_method)(void *));
void *evp_generic_fetch_from_prov(OSSL_PROVIDER *prov, int operation_id,
int name_id, const char *properties,
void *(*new_method)(int name_id,
@@ -46,14 +37,6 @@ I, I, I, and I
and uses it to create an EVP method with the help of the functions I, I, and I.
-evp_generic_fetch_by_number() does the same thing as evp_generic_fetch(),
-but takes a numeric I instead of a name.
-I must always be nonzero; as a matter of fact, it being zero
-is considered a programming error.
-This is meant to be used when one method needs to fetch an associated
-method, and is typically called from inside the given function
-I.
-
evp_generic_fetch_from_prov() does the same thing as evp_generic_fetch(),
but limits the search of methods to the provider given with I.
This is meant to be used when one method needs to fetch an associated
@@ -275,7 +258,7 @@ The functions described here were all added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
index 7099e4496..c35940fdd 100644
--- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
+++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
@@ -96,7 +96,7 @@ L, L
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/internal/man3/ossl_lib_ctx_get_data.pod b/doc/internal/man3/ossl_lib_ctx_get_data.pod
index faedf7275..2780c7b91 100644
--- a/doc/internal/man3/ossl_lib_ctx_get_data.pod
+++ b/doc/internal/man3/ossl_lib_ctx_get_data.pod
@@ -11,14 +11,7 @@ ossl_lib_ctx_is_child
#include
#include "internal/cryptlib.h"
- typedef struct ossl_lib_ctx_method {
- int priority;
- void *(*new_func)(OSSL_LIB_CTX *ctx);
- void (*free_func)(void *);
- } OSSL_LIB_CTX_METHOD;
-
- void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index,
- const OSSL_LIB_CTX_METHOD *meth);
+ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index);
int ossl_lib_ctx_run_once(OSSL_LIB_CTX *ctx, unsigned int idx,
ossl_lib_ctx_run_once_fn run_once_fn);
@@ -28,38 +21,24 @@ ossl_lib_ctx_is_child
=head1 DESCRIPTION
-Internally, the OpenSSL library context B is implemented
-as a B, which allows data from diverse parts of the
-library to be added and removed dynamically.
-Each such data item must have a corresponding CRYPTO_EX_DATA index
-associated with it. Unlike normal CRYPTO_EX_DATA objects we use static indexes
-to identify data items. These are mapped transparently to CRYPTO_EX_DATA dynamic
-indexes internally to the implementation.
-See the example further down to see how that's done.
-
-ossl_lib_ctx_get_data() is used to retrieve a pointer to the data in
-the library context I associated with the given I. An
-OSSL_LIB_CTX_METHOD must be defined and given in the I parameter. The index
-for it should be defined in cryptlib.h. The functions through the method are
-used to create or free items that are stored at that index whenever a library
-context is created or freed, meaning that the code that use a data item of that
-index doesn't have to worry about that, just use the data available.
-
-Deallocation of an index happens automatically when the library
-context is freed.
-
-ossl_lib_ctx_run_once is used to run some initialisation routine I
+ossl_lib_ctx_run_once() is used to run some initialisation routine I
exactly once per library context I object. Each initialisation routine should be allocate a unique run once index in cryptlib.h. Any resources allocated via a run once initialisation routine can be cleaned up
-using ossl_lib_ctx_onfree. This associates an "on free" routine I with
+using ossl_lib_ctx_onfree(). This associates an "on free" routine I with
the library context I. When I is freed all associated "on free" routines are called. ossl_lib_ctx_is_child() returns 1 if this library context is a child and 0 otherwise.
+ossl_lib_ctx_get_data() allows different parts of the library to retrieve
+pointers to structures used in diverse parts of the library. The lifetime of
+these structures is managed by B.
The different objects which can
+be retrieved are specified with the given argument I. The valid values of
+I are specified in cryptlib.h.
+
=head1 RETURN VALUES
ossl_lib_ctx_get_data() returns a pointer on success, or NULL on
@@ -67,51 +46,15 @@ failure.
=head1 EXAMPLES
-=head2 Initialization
-
-For a type C that should end up in the OpenSSL library context, a
-small bit of initialization is needed, i.e. to associate a constructor
-and a destructor to an index.
-
- typedef struct foo_st {
- int i;
- void *data;
- } FOO;
-
- static void *foo_new(OSSL_LIB_CTX *ctx)
- {
- FOO *ptr = OPENSSL_zalloc(sizeof(*foo));
- if (ptr != NULL)
- ptr->i = 42;
- return ptr;
- }
- static void foo_free(void *ptr)
- {
- OPENSSL_free(ptr);
- }
-
- /*
- * Include a reference to this in the methods table in context.c
- * OSSL_LIB_CTX_FOO_INDEX should be added to internal/cryptlib.h
- * Priorities can be OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY,
- * OSSL_LIB_CTX_METHOD_PRIORITY_1, OSSL_LIB_CTX_METHOD_PRIORITY_2, etc.
- * Default priority is low (0). The higher the priority the earlier the
- * method's destructor will be called when the library context is cleaned up.
- */
- const OSSL_LIB_CTX_METHOD foo_method = {
- OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY,
- foo_new,
- foo_free
- };
-
=head2 Usage
-To get and use the data stored in the library context, simply do this:
+To obtain a pointer for an object managed by the library context, simply do
+this:
/*
* ctx is received from a caller,
*/
- FOO *data = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_FOO_INDEX, &foo_method);
+ FOO *data = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_FOO_INDEX);
=head2 Run Once
@@ -144,7 +87,7 @@ L
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/internal/man3/ossl_namemap_new.pod b/doc/internal/man3/ossl_namemap_new.pod
index ff247e87b..4912c1186 100644
--- a/doc/internal/man3/ossl_namemap_new.pod
+++ b/doc/internal/man3/ossl_namemap_new.pod
@@ -3,7 +3,7 @@
=head1 NAME
ossl_namemap_new, ossl_namemap_free, ossl_namemap_stored, ossl_namemap_empty,
-ossl_namemap_add_name, ossl_namemap_add_name_n, ossl_namemap_add_names,
+ossl_namemap_add_name, ossl_namemap_add_names,
ossl_namemap_name2num, ossl_namemap_name2num_n, ossl_namemap_doall_names
- internal number E-E name map
@@ -19,8 +19,6 @@ ossl_namemap_doall_names
int ossl_namemap_empty(OSSL_NAMEMAP *namemap);
int ossl_namemap_add_name(OSSL_NAMEMAP *namemap, int number, const char *name);
- int ossl_namemap_add_name_n(OSSL_NAMEMAP *namemap, int number,
- const char *name, size_t name_len);
int ossl_namemap_name2num(const OSSL_NAMEMAP *namemap, const char *name);
int ossl_namemap_name2num_n(const OSSL_NAMEMAP *namemap,
@@ -62,10 +60,9 @@ names already associated with that number.
ossl_namemap_name2num() finds the number corresponding to the given I.
-ossl_namemap_add_name_n() and ossl_namemap_name2num_n() do the same thing
-as ossl_namemap_add_name() and ossl_namemap_name2num(), but take a string
-length I as well, allowing the caller to use a fragment of
-a string as a name.
+ossl_namemap_name2num_n() does the same thing as
+ossl_namemap_name2num(), but takes a string length I as well,
+allowing the caller to use a fragment of a string as a name.
ossl_namemap_doall_names() walks through all names associated with I in the given I and calls the function I for
@@ -88,8 +85,8 @@ ossl_namemap_empty() returns 1 if the B is NULL or empty, 0 if it's not empty, or -1 on internal error (such as inability to lock).
-ossl_namemap_add_name() and ossl_namemap_add_name_n() return the number
-associated with the added string, or zero on error.
+ossl_namemap_add_name() returns the number associated with the added
+string, or zero on error.
ossl_namemap_num2names() returns a pointer to a NULL-terminated list of pointers to the names corresponding to the given number, or NULL if
@@ -119,7 +116,7 @@ The functions described here were all added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/internal/man3/ossl_provider_new.pod b/doc/internal/man3/ossl_provider_new.pod
index 8bd5594c4..318351e4f 100644
--- a/doc/internal/man3/ossl_provider_new.pod
+++ b/doc/internal/man3/ossl_provider_new.pod
@@ -4,7 +4,7 @@
ossl_provider_find, ossl_provider_new, ossl_provider_up_ref, ossl_provider_free,
-ossl_provider_set_fallback, ossl_provider_set_module_path,
+ossl_provider_set_module_path,
ossl_provider_add_parameter, ossl_provider_set_child, ossl_provider_get_parent, ossl_provider_up_ref_parent, ossl_provider_free_parent, ossl_provider_default_props_update, ossl_provider_get0_dispatch,
@@ -35,7 +35,6 @@ ossl_provider_get_capabilities
void ossl_provider_free(OSSL_PROVIDER *prov);
/* Setters */
- int ossl_provider_set_fallback(OSSL_PROVIDER *prov);
int ossl_provider_set_module_path(OSSL_PROVIDER *prov, const char *path);
int ossl_provider_add_parameter(OSSL_PROVIDER *prov, const char *name, const char *value);
@@ -159,11 +158,6 @@ to have fallen out of use and will be deinitialized (its I function is called), and the associated module will be unloaded if one was loaded, and I itself will be freed.
-ossl_provider_set_fallback() marks an available provider I as
-fallback.
-Note that after this call, the provider object pointer that was
-used can simply be dropped, but not freed.
-
ossl_provider_set_module_path() sets the module path to load the provider module given the provider object I. This will be used in preference to automatically trying to figure out
@@ -350,7 +344,7 @@ ossl_provider_doall_activated() returns 1 if the callback was called for all activated providers. A return value of 0 means that the callback was not called for any activated providers.
-ossl_provider_set_module_path(), ossl_provider_set_fallback(),
+ossl_provider_set_module_path(),
ossl_provider_activate(), ossl_provider_activate_leave_fallbacks() and ossl_provider_deactivate(), ossl_provider_add_to_store(), ossl_provider_default_props_update() return 1 on success, or 0 on error.
diff --git a/doc/internal/man3/ossl_punycode_decode.pod b/doc/internal/man3/ossl_punycode_decode.pod
index 652626159..b9e2f6488 100644
--- a/doc/internal/man3/ossl_punycode_decode.pod
+++ b/doc/internal/man3/ossl_punycode_decode.pod
@@ -12,18 +12,18 @@ ossl_punycode_decode, ossl_a2ulabel, ossl_a2ucompare
int ossl_punycode_decode(const char *pEncoded, const size_t enc_len, unsigned int *pDecoded, unsigned int *pout_length);
- int ossl_a2ulabel(const char *in, char *out, size_t *outlen);
+ int ossl_a2ulabel(const char *in, char *out, size_t outlen);
int ossl_a2ucompare(const char *a, const char *u);
=head1 DESCRIPTION
PUNYCODE encoding introduced in RFCs 3490-3492 is widely used for
-representation of host names in ASCII-only format. Some specifications,
-such as RFC 8398, require comparison of host names encoded in UTF-8 charset.
+representation of hostnames in ASCII-only format. Some specifications,
+such as RFC 8398, require comparison of hostnames encoded in UTF-8 charset.
ossl_a2ulabel() decodes NUL-terminated hostname from PUNYCODE to UTF-8,
-using a provided buffer for output.
+using a provided buffer for output. The output buffer is NUL-terminated.
ossl_a2ucompare() accepts two NUL-terminated hostnames, decodes the 1st from PUNYCODE to UTF-8 and compares it with the 2nd one as is.
@@ -33,12 +33,11 @@ a hostname, with stripped PUNYCODE marker I.
=head1 RETURN VALUES
-ossl_a2ulabel() returns 1 on success, 0 on not enough buf passed,
--1 on invalid PUNYCODE string passed. When valid string is provided, it sets the
-I<*outlen> to the length of required buffer to perform correct decoding.
+ossl_a2ulabel() returns 1 on success, 0 if the output buffer is too small and
+-1 if an invalid PUNYCODE string is passed or another error occurs.
ossl_a2ucompare() returns 1 on non-equal strings, 0 on equal strings,
--1 when invalid PUNYCODE string passed.
+-1 when an invalid PUNYCODE string is passed or another error occurs.
ossl_punycode_decode() returns 1 on success, 0 on error. On success, *pout_length contains the number of codepoints decoded.
@@ -49,7 +48,7 @@ The functions described here were all added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/internal/man3/ossl_random_add_conf_module.pod b/doc/internal/man3/ossl_random_add_conf_module.pod
index 6d4f5810d..f1fd22be1 100644
--- a/doc/internal/man3/ossl_random_add_conf_module.pod
+++ b/doc/internal/man3/ossl_random_add_conf_module.pod
@@ -15,7 +15,7 @@ ossl_random_add_conf_module - internal random configuration module
ossl_random_add_conf_module() adds the random configuration module for providers.
-This allows the type and parameters of the stardard setup of random number
+This allows the type and parameters of the standard setup of random number
generators to be configured with an OpenSSL L file.
=head1 RETURN VALUES
@@ -32,7 +32,7 @@ The functions described here were all added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/internal/man7/EVP_PKEY.pod b/doc/internal/man7/EVP_PKEY.pod
index cc738b9c2..94511d76c 100644
--- a/doc/internal/man7/EVP_PKEY.pod
+++ b/doc/internal/man7/EVP_PKEY.pod
@@ -19,7 +19,7 @@ private/public key pairs, but has had other uses as well.
=for comment "uses" could as well be "abuses"...
-The private/public key pair that an B contains is refered to
+The private/public key pair that an B contains is referred to
as its "internal key" or "origin" (the reason for "origin" is explained further down, in L), and it can take one of the following forms:
@@ -202,7 +202,7 @@ L
=head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/internal/man7/deprecation.pod b/doc/internal/man7/deprecation.pod
index 13a4b059a..88599283e 100644
--- a/doc/internal/man7/deprecation.pod
+++ b/doc/internal/man7/deprecation.pod
@@ -2,6 +2,7 @@
=head1 NAME
+OPENSSL_NO_DEPRECATED_3_1, OSSL_DEPRECATEDIN_3_1,
OPENSSL_NO_DEPRECATED_3_0, OSSL_DEPRECATEDIN_3_0,
OPENSSL_NO_DEPRECATED_1_1_1, OSSL_DEPRECATEDIN_1_1_1,
OPENSSL_NO_DEPRECATED_1_1_0, OSSL_DEPRECATEDIN_1_1_0,
@@ -130,7 +131,7 @@ L
=head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 77e820914..ad87d180a 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -363,6 +363,7 @@ via the included subject name and public key.
=item B<-out_trusted> I|I
Trusted certificate(s) to use for validating the newly enrolled certificate.
+During this verification, any certificate status checking is disabled.
Multiple sources may be given, separated by commas and/or whitespace (where in the latter case the whole argument must be enclosed in "...").
@@ -1053,6 +1054,10 @@ although they usually contain hints that would be helpful for diagnostics.
For assisting in such cases the CMP client offers a workaround via the B<-unprotected_errors> option, which allows accepting such negative messages.
+If OpenSSL was built with trace support enabled
+and the environment variable B includes B,
+the request and response headers of HTTP transfers are printed.
+
=head1 EXAMPLES
=head2 Simple examples using the default OpenSSL configuration file
diff --git a/doc/man1/openssl-dhparam.pod.in b/doc/man1/openssl-dhparam.pod.in
index d358ba95d..cdfc8995f 100644
--- a/doc/man1/openssl-dhparam.pod.in
+++ b/doc/man1/openssl-dhparam.pod.in
@@ -60,14 +60,13 @@ as the input filename.
=item B<-dsaparam>
If this option is used, DSA rather than DH parameters are read or created;
-they are converted to DH format. Otherwise, "strong" primes (such
+they are converted to DH format. Otherwise, safe primes (such
that (p-1)/2 is also prime) will be used for DH parameter generation.
-DH parameter generation with the B<-dsaparam> option is much faster,
-and the recommended exponent length is shorter, which makes DH key
-exchange more efficient. Beware that with such DSA-style DH
-parameters, a fresh DH key should be created for each use to
-avoid small-subgroup attacks that may be possible otherwise.
+DH parameter generation with the B<-dsaparam> option is much faster.
+Beware that with such DSA-style DH parameters, a fresh DH key should be
+created for each use to avoid small-subgroup attacks that may be possible
+otherwise.
=item B<-check>
@@ -126,7 +125,7 @@ The B<-C> option was removed in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
index 97e2ae910..813b7ecc1 100644
--- a/doc/man1/openssl-fipsinstall.pod.in
+++ b/doc/man1/openssl-fipsinstall.pod.in
@@ -21,7 +21,9 @@ B
[B<-quiet>]
[B<-no_conditional_errors>]
[B<-no_security_checks>]
+[B<-ems_check>]
[B<-self_test_onload>]
+[B<-self_test_oninstall>]
[B<-corrupt_desc> I]
[B<-corrupt_type> I]
[B<-config> I]
@@ -164,6 +166,15 @@ fails as described above.
Configure the module to not perform run-time security checks as described above.
+Enabling the configuration option "no-fips-securitychecks" provides another way to
+turn off the check at compile time.
+
+=item B<-ems_check>
+
+Configure the module to enable a run-time Extended Master Secret (EMS) check
+when using the TLS1_PRF KDF algorithm. This check is disabled by default.
+See RFC 7627 for information related to EMS.
+
=item B<-self_test_onload>
Do not write the two fields related to the "test status indicator" and
@@ -174,6 +185,14 @@ target machine. Once the self tests have run on the target machine the user could possibly then add the 2 fields into the configuration using some other mechanism.
+This is the default.
+
+=item B<-self_test_oninstall>
+
+The converse of B<-self_test_oninstall>. The two fields related to the
+"test status indicator" and "MAC status indicator" are written to the
+output configuration file.
+
=item B<-quiet>
Do not output pass/fail messages. Implies B<-noout>.
@@ -209,6 +228,11 @@ test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignore
For normal usage the base configuration file should use the default provider when generating the fips configuration file.
+The B<-self_test_oninstall> option was added and the
+B<-self_test_onload> option was made the default in OpenSSL 3.1.
+
+The command and all remaining options were added in OpenSSL 3.0.
+
=head1 EXAMPLES
Calculate the mac of a FIPS module F and run a FIPS self test
@@ -241,7 +265,7 @@ L
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/openssl-genpkey.pod.in b/doc/man1/openssl-genpkey.pod.in
index 181530670..57b1ffc7d 100644
--- a/doc/man1/openssl-genpkey.pod.in
+++ b/doc/man1/openssl-genpkey.pod.in
@@ -278,7 +278,7 @@ RFC5114 names "dh_1024_160", "dh_2048_224", "dh_2048_256".
If this option is set, then the appropriate RFC5114 parameters are used instead of generating new parameters. The value I can be one of
-1, 2 or 3 that are equivalant to using the option B with one of
+1, 2 or 3 that are equivalent to using the option B with one of
"dh_1024_160", "dh_2048_224" or "dh_2048_256". All other options will be ignored if this value is set.
@@ -333,7 +333,7 @@ The B option must be B<"DH">.
=item "default"
Selects a default type based on the B. This is used by the
-OpenSSL default provider to set the type for backwards compatability.
+OpenSSL default provider to set the type for backwards compatibility.
If B is B<"DH"> then B<"generator"> is used. If B is B<"DHX"> then B<"fips186_2"> is used.
@@ -494,7 +494,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
index c921e3b4a..b8ba2fc54 100644
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@@ -274,7 +274,7 @@ See L for details.
=item B<-pass> I
-the private key and certifiate file password source.
+the private key and certificate file password source.
For more information about the format of I see L.
diff --git a/doc/man1/openssl-speed.pod.in b/doc/man1/openssl-speed.pod.in
index 70ef38712..60568fe40 100644
--- a/doc/man1/openssl-speed.pod.in
+++ b/doc/man1/openssl-speed.pod.in
@@ -9,6 +9,7 @@ openssl-speed - test library performance
B
[B<-help>]
+[B<-config> I]
[B<-elapsed>]
[B<-evp> I]
[B<-hmac> I]
@@ -23,6 +24,7 @@ B
[B<-seconds> I]
[B<-bytes> I]
[B<-mr>]
+[B<-mlock>]
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}{- $OpenSSL::safe::opt_provider_synopsis -}
[I ...]
@@ -39,6 +41,12 @@ This command is used to test the performance of cryptographic algorithms.
Print out a usage message.
+=item B<-config> I
+
+Specifies the configuration file to use.
+Optional; for a description of the default value,
+see L.
+
=item B<-elapsed>
When calculating operations- or bytes-per-second, use wall-clock time
@@ -108,6 +116,10 @@ int would be 2147483583 bytes.
Produce the summary in a mechanical, machine-readable, format.
+=item B<-mlock>
+
+Lock memory into RAM for more deterministic measurements.
+
{- $OpenSSL::safe::opt_r_item -}
{- $OpenSSL::safe::opt_engine_item -}
diff --git a/doc/man1/openssl-verification-options.pod b/doc/man1/openssl-verification-options.pod
index 5fa3907c2..6888d5244 100644
--- a/doc/man1/openssl-verification-options.pod
+++ b/doc/man1/openssl-verification-options.pod
@@ -92,7 +92,7 @@ It does not have a negative trust attribute rejecting the given use.
=item *
It has a positive trust attribute accepting the given use
-or (by default) one of the following compatibilty conditions apply:
+or (by default) one of the following compatibility conditions apply:
It is self-signed or the B<-partial_chain> option is given (which corresponds to the B flag being set).
@@ -686,7 +686,7 @@ The checks enabled by B<-x509_strict> have been extended in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
index 869e8e5ad..cca94a4fa 100644
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@@ -671,8 +671,8 @@ see L.
Enable tracing output of OpenSSL library, by name. This output will only make sense if you know OpenSSL internals well.
-Also, it might not give you any output at all, depending on how
-OpenSSL was built.
+Also, it might not give you any output at all
+if OpenSSL was built without tracing support.
The value is a comma separated list of names, with the following available:
@@ -751,6 +751,10 @@ Traces encoder operations.
Traces decrementing certain ASN.1 structure references.
+=item B
+
+HTTP client diagnostics
+
=back
=back
diff --git a/doc/man3/ASN1_aux_cb.pod b/doc/man3/ASN1_aux_cb.pod
index 12f7ddf82..1eb6b1d5b 100644
--- a/doc/man3/ASN1_aux_cb.pod
+++ b/doc/man3/ASN1_aux_cb.pod
@@ -3,7 +3,7 @@
=head1 NAME
ASN1_AUX, ASN1_PRINT_ARG, ASN1_STREAM_ARG, ASN1_aux_cb, ASN1_aux_const_cb
-- ASN.1 auxilliary data
+- ASN.1 auxiliary data
=head1 SYNOPSIS
@@ -45,7 +45,7 @@ ASN.1 data structures can be associated with an B object to supply additional information about the ASN.1 structure. An B structure is associated with the structure during the definition of the ASN.1 template. For example an B structure will be associated by using one of the various
-ASN.1 template definition macros that supply auxilliary information such as
+ASN.1 template definition macros that supply auxiliary information such as
ASN1_SEQUENCE_enc(), ASN1_SEQUENCE_ref(), ASN1_SEQUENCE_cb_const_cb(), ASN1_SEQUENCE_const_cb(), ASN1_SEQUENCE_cb() or ASN1_NDEF_SEQUENCE_cb().
@@ -274,7 +274,7 @@ B operation types were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/ASN1_item_sign.pod b/doc/man3/ASN1_item_sign.pod
index 407268bf1..9db44ce49 100644
--- a/doc/man3/ASN1_item_sign.pod
+++ b/doc/man3/ASN1_item_sign.pod
@@ -62,7 +62,7 @@ I are ignored if they are NULL.
ASN1_item_sign() is similar to ASN1_item_sign_ex() but uses default values of NULL for the I, I and I.
-ASN1_item_sign_ctx() is similiar to ASN1_item_sign() but uses the parameters
+ASN1_item_sign_ctx() is similar to ASN1_item_sign() but uses the parameters
contained in digest context I.
ASN1_item_verify_ex() is used to verify the signature I of internal
@@ -77,7 +77,7 @@ See EVP_PKEY_CTX_set1_id() for further info.
ASN1_item_verify() is similar to ASN1_item_verify_ex() but uses default values of NULL for the I, I and I.
-ASN1_item_verify_ctx() is similiar to ASN1_item_verify() but uses the parameters
+ASN1_item_verify_ctx() is similar to ASN1_item_verify() but uses the parameters
contained in digest context I.
@@ -216,7 +216,7 @@ ASN1_item_sign_ex() and ASN1_item_verify_ex() were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/BIO_s_core.pod b/doc/man3/BIO_s_core.pod index fbcd0b5c9..780570fc8 100644 --- a/doc/man3/BIO_s_core.pod +++ b/doc/man3/BIO_s_core.pod @@ -22,7 +22,7 @@ libcrypto into a provider supply an OSSL_CORE_BIO parameter. This represents a BIO within libcrypto, but cannot be used directly by a provider. Instead it should be wrapped using a BIO_s_core(). -Once a BIO is contructed based on BIO_s_core(), the associated OSSL_CORE_BIO +Once a BIO is constructed based on BIO_s_core(), the associated OSSL_CORE_BIO object should be set on it using BIO_set_data(3). Note that the BIO will only operate correctly if it is associated with a library context constructed using OSSL_LIB_CTX_new_from_dispatch(3). To associate the BIO with a library context @@ -62,7 +62,7 @@ Create a core BIO and write some data to it: =head1 COPYRIGHT -Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/BN_cmp.pod b/doc/man3/BN_cmp.pod index f302818f2..d376eb9c6 100644 --- a/doc/man3/BN_cmp.pod +++ b/doc/man3/BN_cmp.pod @@ -2,7 +2,8 @@ =head1 NAME -BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_abs_is_word, BN_is_odd - BIGNUM comparison and test functions +BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_abs_is_word, BN_is_odd, BN_are_coprime +- BIGNUM comparison and test functions =head1 SYNOPSIS 
@@ -17,6 +18,8 @@ BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_abs_is_word, BN_is_odd - int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w); int BN_is_odd(const BIGNUM *a); + int BN_are_coprime(BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); + =head1 DESCRIPTION BN_cmp() compares the numbers I and I. BN_ucmp() compares their @@ -26,6 +29,10 @@ BN_is_zero(), BN_is_one(), BN_is_word() and BN_abs_is_word() test if I equals 0, 1, I, or EIE respectively. BN_is_odd() tests if I is odd. +BN_are_coprime() determines if B and B are coprime. +B is used internally for storing temporary variables. +The values of B and B and B must not be NULL. + =head1 RETURN VALUES BN_cmp() returns -1 if I E I, 0 if I == I and 1 if @@ -35,14 +42,19 @@ of I and I. BN_is_zero(), BN_is_one() BN_is_word(), BN_abs_is_word() and BN_is_odd() return 1 if the condition is true, 0 otherwise. +BN_are_coprime() returns 1 if the B's are coprime, otherwise it +returns 0. + =head1 HISTORY Prior to OpenSSL 1.1.0, BN_is_zero(), BN_is_one(), BN_is_word(), BN_abs_is_word() and BN_is_odd() were macros. +The function BN_are_coprime() was added in OpenSSL 3.1. + =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/BN_rand.pod b/doc/man3/BN_rand.pod index aebad1e72..4ce4a0ee6 100644 --- a/doc/man3/BN_rand.pod +++ b/doc/man3/BN_rand.pod 
@@ -59,7 +59,7 @@ BN_rand() is the same as BN_rand_ex() except that the default library context is always used. BN_rand_range_ex() generates a cryptographically strong pseudo-random -number I, of security stength at least I bits, +number I, of security strength at least I bits, in the range 0 E= I E I using the random number generator for the library context associated with I. The parameter I may be NULL in which case the default library context is used. @@ -119,7 +119,7 @@ BN_priv_rand_range_ex() functions were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/CMS_EncryptedData_decrypt.pod b/doc/man3/CMS_EncryptedData_decrypt.pod index 17850a98a..3aa3f474f 100644 --- a/doc/man3/CMS_EncryptedData_decrypt.pod +++ b/doc/man3/CMS_EncryptedData_decrypt.pod @@ -21,10 +21,10 @@ to and I is an optional set of flags. I is used in the rare case where the encrypted content is detached. It will normally be set to NULL. -The following flags can be passed in the B parameter. +The following flags can be passed in the I parameter. -If the B flag is set MIME headers for type B are deleted -from the content. If the content is not of type B then an error is +If the B flag is set MIME headers for type C are deleted +from the content. If the content is not of type C then an error is returned. =head1 RETURN VALUES @@ -39,7 +39,7 @@ L, L =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man3/CMS_add0_cert.pod b/doc/man3/CMS_add0_cert.pod index 734db9f7b..8908ff2f1 100644 --- a/doc/man3/CMS_add0_cert.pod +++ b/doc/man3/CMS_add0_cert.pod @@ -20,6 +20,8 @@ CMS_add0_cert, CMS_add1_cert, CMS_get1_certs, CMS_add0_crl, CMS_add1_crl, CMS_ge =head1 DESCRIPTION CMS_add0_cert() and CMS_add1_cert() add certificate I to I. +This is used by L and L and may be used before +calling L to help chain building in certificate validation. I must be of type signed data or (authenticated) enveloped data. For signed data, such a certificate can be used when signing or verifying to fill in the signer certificate or to provide an extra CA certificate @@ -29,7 +31,8 @@ CMS_get1_certs() returns all certificates in I. CMS_add0_crl() and CMS_add1_crl() add CRL I to I. I must be of type signed data or (authenticated) enveloped data. -For signed data, such a CRL may be used in certificate validation. +For signed data, such a CRL may be used in certificate validation +with L. It may be given both for inclusion when signing a CMS message and when verifying a signed CMS message. @@ -48,8 +51,7 @@ As the I<0> implies CMS_add0_cert() adds I internally to I and it must not be freed up after the call as opposed to CMS_add1_cert() where I must be freed up. -The same certificate or CRL must not be added to the same cms structure more -than once. +The same certificate must not be added to the same cms structure more than once. =head1 RETURN VALUES @@ -63,12 +65,12 @@ in practice is if the I type is invalid. =head1 SEE ALSO L, -L, +L, L, L, L =head1 COPYRIGHT -Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/CMS_decrypt.pod b/doc/man3/CMS_decrypt.pod index 4f8d32fbb..75c33a91d 100644 --- a/doc/man3/CMS_decrypt.pod 
+++ b/doc/man3/CMS_decrypt.pod @@ -2,8 +2,9 @@ =head1 NAME -CMS_decrypt, CMS_decrypt_set1_pkey_and_peer, CMS_decrypt_set1_pkey - decrypt -content from a CMS envelopedData structure +CMS_decrypt, CMS_decrypt_set1_pkey_and_peer, +CMS_decrypt_set1_pkey, CMS_decrypt_set1_password +- decrypt content from a CMS envelopedData structure =head1 SYNOPSIS 
@@ -14,23 +15,41 @@ content from a CMS envelopedData structure int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, X509 *peer); int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert); + int CMS_decrypt_set1_password(CMS_ContentInfo *cms, + unsigned char *pass, ossl_ssize_t passlen); =head1 DESCRIPTION -CMS_decrypt() extracts and decrypts the content from a CMS EnvelopedData -or AuthEnvelopedData structure. B is the private key of the recipient, -B is the recipient's certificate, B is a BIO to write the content to -and B is an optional set of flags. - -The B parameter is used in the rare case where the encrypted content +CMS_decrypt() extracts the decrypted content from a CMS EnvelopedData +or AuthEnvelopedData structure. +It uses CMS_decrypt_set1_pkey() to decrypt the content +with the recipient private key I if I is not NULL. +In this case, it is recommended to provide the associated certificate +in I - see the NOTES below. +I is a BIO to write the content to and +I is an optional set of flags. +If I is NULL the function assumes that decryption was already done +(e.g., using CMS_decrypt_set1_pkey() or CMS_decrypt_set1_password()) and just +provides the content unless I, I, and I are NULL as well. +The I parameter is used in the rare case where the encrypted content is detached. It will normally be set to NULL. -CMS_decrypt_set1_pkey_and_peer() associates the private key B, the -corresponding certificate B and the originator certificate B with -the CMS_ContentInfo structure B. +CMS_decrypt_set1_pkey_and_peer() decrypts the CMS_ContentInfo structure I +using the private key I, the corresponding certificate I, which is +recommended to be supplied but may be NULL, +and the (optional) originator certificate I. +On success, it also records in I the decryption key I, and this +should be followed by C. +This call deallocates any decryption key stored in I. 
+ +CMS_decrypt_set1_pkey() is the same as +CMS_decrypt_set1_pkey_and_peer() with I being NULL. -CMS_decrypt_set1_pkey() associates the private key B, corresponding -certificate B with the CMS_ContentInfo structure B. +CMS_decrypt_set1_password() decrypts the CMS_ContentInfo structure I +using the secret I of length I. +On success, it also records in I the decryption key used, and this +should be followed by C. +This call deallocates any decryption key stored in I. =head1 NOTES @@ -38,7 +57,7 @@ Although the recipients certificate is not needed to decrypt the data it is needed to locate the appropriate (of possible several) recipients in the CMS structure. -If B is set to NULL all possible recipients are tried. This case however +If I is set to NULL all possible recipients are tried. This case however is problematic. To thwart the MMA attack (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) all recipients are tried whether they succeed or not. If no recipient succeeds then a random symmetric key is used to decrypt 
@@ -54,26 +73,32 @@ open to attack. It is possible to determine the correct recipient key by other means (for example looking them up in a database) and setting them in the CMS structure -in advance using the CMS utility functions such as CMS_set1_pkey(). In this -case both B and B should be set to NULL. +in advance using the CMS utility functions such as CMS_set1_pkey(), +or use CMS_decrypt_set1_password() if the recipient has a symmetric key. +In these cases both I and I should be set to NULL. To process KEKRecipientInfo types CMS_set1_key() or CMS_RecipientInfo_set0_key() and CMS_RecipientInfo_decrypt() should be called before CMS_decrypt() and -B and B set to NULL. +I and I set to NULL. -The following flags can be passed in the B parameter. +The following flags can be passed in the I parameter. -If the B flag is set MIME headers for type B are deleted -from the content. If the content is not of type B then an error is +If the B flag is set MIME headers for type C are deleted +from the content. If the content is not of type C then an error is returned. =head1 RETURN VALUES -CMS_decrypt() returns either 1 for success or 0 for failure. -The error can be obtained from ERR_get_error(3) +CMS_decrypt(), CMS_decrypt_set1_pkey_and_peer(), +CMS_decrypt_set1_pkey(), and CMS_decrypt_set1_password() +return either 1 for success or 0 for failure. +The error can be obtained from ERR_get_error(3). =head1 BUGS +The B part of these function names is misleading +and should better read: B. + The lack of single pass processing and the need to hold all data in memory as mentioned in CMS_verify() also applies to CMS_decrypt(). 
@@ -83,11 +108,12 @@ L, L =head1 HISTORY -B was added in OpenSSL 3.0. +CMS_decrypt_set1_pkey_and_peer() and CMS_decrypt_set1_password() +were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/CONF_modules_load_file.pod b/doc/man3/CONF_modules_load_file.pod index f96d9a129..ce9aa9cf9 100644 --- a/doc/man3/CONF_modules_load_file.pod +++ b/doc/man3/CONF_modules_load_file.pod @@ -34,7 +34,7 @@ as determined by calling CONF_get1_default_config_file(). If B is NULL the standard OpenSSL application name B is used. The behaviour can be customized using B. Note that, the error suppressing -can be overriden by B as described in L. +can be overridden by B as described in L. CONF_modules_load_file() is the same as CONF_modules_load_file_ex() but has a NULL library context. @@ -154,7 +154,7 @@ L =head1 COPYRIGHT -Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/DES_random_key.pod b/doc/man3/DES_random_key.pod index ff16961ea..e3f6506b1 100644 --- a/doc/man3/DES_random_key.pod +++ b/doc/man3/DES_random_key.pod @@ -323,7 +323,7 @@ on some platforms. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man3/DH_get0_pqg.pod b/doc/man3/DH_get0_pqg.pod index 2afc35c77..ae8da4865 100644 --- a/doc/man3/DH_get0_pqg.pod +++ b/doc/man3/DH_get0_pqg.pod @@ -40,7 +40,7 @@ see L: All of the functions described on this page are deprecated. Applications should instead use L for any methods that -return a B. Refer to L for more infomation. +return a B. Refer to L for more information. A DH object contains the parameters I

, I and I. Note that the I parameter is optional. It also contains a public key (I) and @@ -141,7 +141,7 @@ All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_ASYM_CIPHER_free.pod b/doc/man3/EVP_ASYM_CIPHER_free.pod index c158ec1ae..0f9ac610b 100644 --- a/doc/man3/EVP_ASYM_CIPHER_free.pod +++ b/doc/man3/EVP_ASYM_CIPHER_free.pod @@ -102,7 +102,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod index 1953df3c5..11eef096c 100644 --- a/doc/man3/EVP_DigestInit.pod +++ b/doc/man3/EVP_DigestInit.pod @@ -4,8 +4,8 @@ EVP_MD_fetch, EVP_MD_up_ref, EVP_MD_free, EVP_MD_get_params, EVP_MD_gettable_params, -EVP_MD_CTX_new, EVP_MD_CTX_reset, EVP_MD_CTX_free, EVP_MD_CTX_copy, -EVP_MD_CTX_copy_ex, EVP_MD_CTX_ctrl, +EVP_MD_CTX_new, EVP_MD_CTX_reset, EVP_MD_CTX_free, EVP_MD_CTX_dup, +EVP_MD_CTX_copy, EVP_MD_CTX_copy_ex, EVP_MD_CTX_ctrl, EVP_MD_CTX_set_params, EVP_MD_CTX_get_params, EVP_MD_settable_ctx_params, EVP_MD_gettable_ctx_params, EVP_MD_CTX_settable_params, EVP_MD_CTX_gettable_params, 
@@ -63,6 +63,7 @@ EVP_MD_CTX_type, EVP_MD_CTX_pkey_ctx, EVP_MD_CTX_md_data int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s); int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len); + EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in); int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in); int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type); @@ -292,6 +293,12 @@ It retrieves the digest value from I and places it in I-sized I. After calling this function no additional calls to EVP_DigestUpdate() can be made, but EVP_DigestInit_ex2() can be called to initialize a new operation. +=item EVP_MD_CTX_dup() + +Can be used to duplicate the message digest state from I. This is useful +to avoid multiple EVP_MD_fetch() calls or if large amounts of data are to be +hashed which only differ in the last few bytes. + =item EVP_MD_CTX_copy_ex() Can be used to copy the message digest state from I to I. This is @@ -590,6 +597,10 @@ EVP_MD_CTX_gettable_params() Return an array of constant Ls, or NULL if there is none to get. +=item EVP_MD_CTX_dup() + +Returns a new EVP_MD_CTX if successful or NULL on failure. + =item EVP_MD_CTX_copy_ex() Returns 1 if successful or 0 for failure. @@ -782,6 +793,8 @@ EVP_MD_CTX_get0_md() instead. EVP_MD_CTX_update_fn() and EVP_MD_CTX_set_update_fn() were deprecated in OpenSSL 3.0. +EVP_MD_CTX_dup() was added in OpenSSL 3.1. + =head1 COPYRIGHT Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/EVP_DigestSignInit.pod b/doc/man3/EVP_DigestSignInit.pod index 7232e9786..cc77f07a8 100644 --- a/doc/man3/EVP_DigestSignInit.pod +++ b/doc/man3/EVP_DigestSignInit.pod 
@@ -18,7 +18,7 @@ EVP_DigestSignFinal, EVP_DigestSign - EVP signing functions int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen); - int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, + int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen); diff --git a/doc/man3/EVP_DigestVerifyInit.pod b/doc/man3/EVP_DigestVerifyInit.pod index 55826fe16..c842853a5 100644 --- a/doc/man3/EVP_DigestVerifyInit.pod +++ b/doc/man3/EVP_DigestVerifyInit.pod @@ -18,7 +18,7 @@ EVP_DigestVerifyFinal, EVP_DigestVerify - EVP signature verification functions int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen); - int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, + int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen, const unsigned char *tbs, size_t tbslen); =head1 DESCRIPTION diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index 7d7db3c9f..a6de96f31 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -8,6 +8,8 @@ EVP_CIPHER_free, EVP_CIPHER_CTX_new, EVP_CIPHER_CTX_reset, EVP_CIPHER_CTX_free, +EVP_CIPHER_CTX_dup, +EVP_CIPHER_CTX_copy, EVP_EncryptInit_ex, EVP_EncryptInit_ex2, EVP_EncryptUpdate, @@ -109,6 +111,8 @@ EVP_CIPHER_CTX_mode EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void); int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx); void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx); + EVP_CIPHER_CTX *EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in); + int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in); int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, ENGINE *impl, const unsigned char *key, const unsigned char *iv); 
@@ -280,6 +284,16 @@ associated with it, including I itself. This function should be called afte all operations using a cipher are complete so sensitive information does not remain in memory. +=item EVP_CIPHER_CTX_dup() + +Can be used to duplicate the cipher state from I. This is useful +to avoid multiple EVP_MD_fetch() calls or if large amounts of data are to be +hashed which only differ in the last few bytes. + +=item EVP_CIPHER_CTX_copy() + +Can be used to copy the cipher state from I to I. + =item EVP_CIPHER_CTX_ctrl() I EVP_CIPHER_CTX_set_params() and @@ -665,7 +679,7 @@ Note that the block size for a cipher may be different to the block size for the underlying encryption/decryption primitive. For example AES in CTR mode has a block size of 1 (because it operates like a stream cipher), even though AES has a block size of 16. -Use EVP_CIPHER_get_block_size() to retreive the cached value. +Use EVP_CIPHER_get_block_size() to retrieve the cached value. =item "aead" (B) @@ -1183,6 +1197,10 @@ EVP_CIPHER_up_ref() returns 1 for success or 0 otherwise. EVP_CIPHER_CTX_new() returns a pointer to a newly created B for success and B for failure. +EVP_CIPHER_CTX_dup() returns a new EVP_MD_CTX if successful or NULL on failure. + +EVP_CIPHER_CTX_copy() returns 1 if successful or 0 for failure. + EVP_EncryptInit_ex2(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex() return 1 for success and 0 for failure. @@ -1725,6 +1743,8 @@ non-deprecated alias macro. The EVP_CIPHER_CTX_flags() macro was deprecated in OpenSSL 1.1.0. +EVP_CIPHER_CTX_dup() was added in OpenSSL 3.1. + =head1 COPYRIGHT Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/EVP_KDF.pod b/doc/man3/EVP_KDF.pod index 3b4e2b79a..bbff6dd41 100644 --- a/doc/man3/EVP_KDF.pod +++ b/doc/man3/EVP_KDF.pod 
@@ -295,7 +295,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_KEM_free.pod b/doc/man3/EVP_KEM_free.pod index 575abc5f5..1b6390036 100644 --- a/doc/man3/EVP_KEM_free.pod +++ b/doc/man3/EVP_KEM_free.pod @@ -95,7 +95,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_KEYEXCH_free.pod b/doc/man3/EVP_KEYEXCH_free.pod index 272855ccb..6378178d1 100644 --- a/doc/man3/EVP_KEYEXCH_free.pod +++ b/doc/man3/EVP_KEYEXCH_free.pod @@ -101,7 +101,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_KEYMGMT.pod b/doc/man3/EVP_KEYMGMT.pod index f81fc9efb..da03286a9 100644 --- a/doc/man3/EVP_KEYMGMT.pod +++ b/doc/man3/EVP_KEYMGMT.pod @@ -123,7 +123,7 @@ otherwise 0. EVP_KEYMGMT_get0_name() returns the algorithm name, or NULL on error. -EVP_KEYMGMT_get0_description() returns a pointer to a decription, or NULL if +EVP_KEYMGMT_get0_description() returns a pointer to a description, or NULL if there isn't one. EVP_KEYMGMT_gettable_params(), EVP_KEYMGMT_settable_params() and 
@@ -140,7 +140,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod index 13482ac5e..11140a63b 100644 --- a/doc/man3/EVP_MAC.pod +++ b/doc/man3/EVP_MAC.pod @@ -481,7 +481,7 @@ These functions were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_PKEY2PKCS8.pod b/doc/man3/EVP_PKEY2PKCS8.pod index 290a3ba35..fda868381 100644 --- a/doc/man3/EVP_PKEY2PKCS8.pod +++ b/doc/man3/EVP_PKEY2PKCS8.pod @@ -21,7 +21,7 @@ EVP_PKEY2PKCS8() converts a private key I into a returned PKCS8 object. EVP_PKCS82PKEY_ex() converts a PKCS8 object I into a returned private key. It uses I and I when fetching algorithms. -EVP_PKCS82PKEY() is similiar to EVP_PKCS82PKEY_ex() but uses default values of +EVP_PKCS82PKEY() is similar to EVP_PKCS82PKEY_ex() but uses default values of NULL for the I and I. =head1 RETURN VALUES @@ -37,7 +37,7 @@ L, =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod index 3075eaafd..5596b8ccd 100644 --- a/doc/man3/EVP_PKEY_CTX_ctrl.pod +++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod 
@@ -270,8 +270,8 @@ EVP_PKEY_CTX_get_rsa_padding() gets the RSA padding mode for I. EVP_PKEY_CTX_set_rsa_pss_saltlen() sets the RSA PSS salt length to I. As its name implies it is only supported for PSS padding. If this function is -not called then the maximum salt length is used when signing and auto detection -when verifying. Three special values are supported: +not called then the salt length is maximized up to the digest length when +signing and auto detection when verifying. Four special values are supported: =over 4 @@ -289,6 +289,13 @@ causes the salt length to be automatically determined based on the B block structure when verifying. When signing, it has the same meaning as B. +=item B + +causes the salt length to be automatically determined based on the B block +structure when verifying, like B. When signing, the salt +length is maximized up to a maximum of the digest length to comply with FIPS +186-4 section 5.5. + =back EVP_PKEY_CTX_get_rsa_pss_saltlen() gets the RSA PSS salt length for I. @@ -680,7 +687,7 @@ and EVP_PKEY_CTX_get0_ecdh_kdf_ukm() were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_PKEY_CTX_set_params.pod b/doc/man3/EVP_PKEY_CTX_set_params.pod index c02151654..d3e5b33c1 100644 --- a/doc/man3/EVP_PKEY_CTX_set_params.pod +++ b/doc/man3/EVP_PKEY_CTX_set_params.pod @@ -84,7 +84,7 @@ All functions were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man3/EVP_PKEY_derive.pod b/doc/man3/EVP_PKEY_derive.pod index d61bb5512..ec19afad5 100644 --- a/doc/man3/EVP_PKEY_derive.pod +++ b/doc/man3/EVP_PKEY_derive.pod @@ -32,7 +32,7 @@ EVP_PKEY_derive_set_peer_ex() sets the peer key: this will normally be a public key. The I will validate the public key if this value is non zero. -EVP_PKEY_derive_set_peer() is similiar to EVP_PKEY_derive_set_peer_ex() with +EVP_PKEY_derive_set_peer() is similar to EVP_PKEY_derive_set_peer_ex() with I set to 1. EVP_PKEY_derive() derives a shared secret using I. @@ -114,7 +114,7 @@ added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_PKEY_gettable_params.pod b/doc/man3/EVP_PKEY_gettable_params.pod index b51e4c4de..8dd0fc543 100644 --- a/doc/man3/EVP_PKEY_gettable_params.pod +++ b/doc/man3/EVP_PKEY_gettable_params.pod @@ -60,7 +60,7 @@ is allocated by the method. EVP_PKEY_get_utf8_string_param() get a key I UTF8 string value into a buffer I of maximum size I associated with a name of -I. The maximum size must be large enough to accomodate the string +I. The maximum size must be large enough to accommodate the string value including a terminating NUL byte, or this function will fail. If I is not NULL, I<*out_len> is set to the length of the string not including the terminating NUL byte. The required buffer size not including diff --git a/doc/man3/EVP_PKEY_keygen.pod b/doc/man3/EVP_PKEY_keygen.pod index 433123618..13002311f 100644 --- a/doc/man3/EVP_PKEY_keygen.pod +++ b/doc/man3/EVP_PKEY_keygen.pod 
@@ -226,7 +226,7 @@ EVP_PKEY_Q_keygen() and EVP_PKEY_generate() were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_PKEY_new.pod b/doc/man3/EVP_PKEY_new.pod index 0ea7062f0..63df1396e 100644 --- a/doc/man3/EVP_PKEY_new.pod +++ b/doc/man3/EVP_PKEY_new.pod @@ -62,7 +62,7 @@ see L: B is a generic structure to hold diverse types of asymmetric keys (also known as "key pairs"), and can be used for diverse operations, like signing, verifying signatures, key derivation, etc. The asymmetric keys -themselves are often refered to as the "internal key", and are handled by +themselves are often referred to as the "internal key", and are handled by backends, such as providers (through L) or Bs. Conceptually, an B internal key may hold a private key, a public @@ -210,7 +210,7 @@ previously implied to be disallowed. =head1 COPYRIGHT -Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_PKEY_set1_encoded_public_key.pod b/doc/man3/EVP_PKEY_set1_encoded_public_key.pod index cf27919a2..b20c208f8 100644 --- a/doc/man3/EVP_PKEY_set1_encoded_public_key.pod +++ b/doc/man3/EVP_PKEY_set1_encoded_public_key.pod 
@@ -131,7 +131,7 @@ deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_PKEY_todata.pod b/doc/man3/EVP_PKEY_todata.pod index dedfb1b0c..c28a867b7 100644 --- a/doc/man3/EVP_PKEY_todata.pod +++ b/doc/man3/EVP_PKEY_todata.pod @@ -23,7 +23,7 @@ I is described in L. L should be used to free the returned parameters in I<*params>. -EVP_PKEY_export() is similiar to EVP_PKEY_todata() but uses a callback +EVP_PKEY_export() is similar to EVP_PKEY_todata() but uses a callback I that gets passed the value of I. See L for more information about the callback. Note that the L array that is passed to the callback is not persistent after the @@ -53,7 +53,7 @@ These functions were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_RAND.pod b/doc/man3/EVP_RAND.pod index a4d72b704..fc3c5d2bb 100644 --- a/doc/man3/EVP_RAND.pod +++ b/doc/man3/EVP_RAND.pod @@ -3,7 +3,7 @@ =head1 NAME EVP_RAND, EVP_RAND_fetch, EVP_RAND_free, EVP_RAND_up_ref, EVP_RAND_CTX, -EVP_RAND_CTX_new, EVP_RAND_CTX_free, EVP_RAND_instantiate, +EVP_RAND_CTX_new, EVP_RAND_CTX_free, EVP_RAND_CTX_up_ref, EVP_RAND_instantiate, EVP_RAND_uninstantiate, EVP_RAND_generate, EVP_RAND_reseed, EVP_RAND_nonce, EVP_RAND_enable_locking, EVP_RAND_verify_zeroization, EVP_RAND_get_strength, EVP_RAND_get_state, 
@@ -30,6 +30,7 @@ EVP_RAND_STATE_ERROR - EVP RAND routines
 void EVP_RAND_free(EVP_RAND *rand);
 EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, EVP_RAND_CTX *parent);
 void EVP_RAND_CTX_free(EVP_RAND_CTX *ctx);
+ int EVP_RAND_CTX_up_ref(EVP_RAND_CTX *ctx);
 EVP_RAND *EVP_RAND_CTX_get0_rand(EVP_RAND_CTX *ctx);
 int EVP_RAND_get_params(EVP_RAND *rand, OSSL_PARAM params[]);
 int EVP_RAND_CTX_get_params(EVP_RAND_CTX *ctx, OSSL_PARAM params[]);
@@ -364,6 +365,8 @@ B structure or NULL if an error occurred.
 EVP_RAND_CTX_free() does not return a value.
+EVP_RAND_CTX_up_ref() returns 1 on success, 0 on error.
+
 EVP_RAND_nonce() returns the length of the nonce.
 EVP_RAND_get_strength() returns the strength of the random number generator
@@ -394,7 +397,7 @@ This functionality was added to OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_SIGNATURE.pod b/doc/man3/EVP_SIGNATURE.pod
index 600522085..7587a2f54 100644
--- a/doc/man3/EVP_SIGNATURE.pod
+++ b/doc/man3/EVP_SIGNATURE.pod
@@ -106,7 +106,7 @@ The functions described here were added in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_SignInit.pod b/doc/man3/EVP_SignInit.pod
index 11832ff76..40d33e5be 100644
--- a/doc/man3/EVP_SignInit.pod
+++ b/doc/man3/EVP_SignInit.pod
@@ -102,7 +102,7 @@ The function EVP_SignFinal_ex() was added in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_VerifyInit.pod b/doc/man3/EVP_VerifyInit.pod
index a6d5772c3..670ca474e 100644
--- a/doc/man3/EVP_VerifyInit.pod
+++ b/doc/man3/EVP_VerifyInit.pod
@@ -97,7 +97,7 @@ The function EVP_VerifyFinal_ex() was added in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_aes_128_gcm.pod b/doc/man3/EVP_aes_128_gcm.pod
index 057590150..09cae9912 100644
--- a/doc/man3/EVP_aes_128_gcm.pod
+++ b/doc/man3/EVP_aes_128_gcm.pod
@@ -169,6 +169,13 @@ the XTS "tweak" value.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling these functions multiple times and should consider using
+L instead.
+See L for further information.
+
 =head1 RETURN VALUES
 These functions return an B structure that contains the
@@ -183,7 +190,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_aria_128_gcm.pod b/doc/man3/EVP_aria_128_gcm.pod
index 6471acb24..929136526 100644
--- a/doc/man3/EVP_aria_128_gcm.pod
+++ b/doc/man3/EVP_aria_128_gcm.pod
@@ -92,6 +92,13 @@ correctly, see the L section for details.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling these functions multiple times and should consider using
+L instead.
+See L for further information.
+
 =head1 RETURN VALUES
 These functions return an B structure that contains the
@@ -106,7 +113,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_bf_cbc.pod b/doc/man3/EVP_bf_cbc.pod
index 033856208..4df98f4bd 100644
--- a/doc/man3/EVP_bf_cbc.pod
+++ b/doc/man3/EVP_bf_cbc.pod
@@ -37,6 +37,13 @@ Blowfish encryption algorithm in CBC, CFB, ECB and OFB modes respectively.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling these functions multiple times and should consider using
+L instead.
+See L for further information.
+
 =head1 RETURN VALUES
 These functions return an B structure that contains the
@@ -51,7 +58,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_blake2b512.pod b/doc/man3/EVP_blake2b512.pod
index 649a29c98..98e1899f6 100644
--- a/doc/man3/EVP_blake2b512.pod
+++ b/doc/man3/EVP_blake2b512.pod
@@ -31,6 +31,17 @@ The BLAKE2b algorithm that produces a 512-bit output from a given input.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling these functions multiple times and should consider using
+L instead.
+See L for further information.
+
+While the BLAKE2b and BLAKE2s algorithms supports a variable length digest,
+this implementation outputs a digest of a fixed length (the maximum length
+supported), which is 512-bits for BLAKE2b and 256-bits for BLAKE2s.
+
 =head1 RETURN VALUES
 These functions return a B structure that contains the
@@ -41,12 +52,6 @@ details of the B structure.
 RFC 7693.
-=head1 NOTES
-
-While the BLAKE2b and BLAKE2s algorithms supports a variable length digest,
-this implementation outputs a digest of a fixed length (the maximum length
-supported), which is 512-bits for BLAKE2b and 256-bits for BLAKE2s.
-
 =head1 SEE ALSO
 L,
@@ -54,7 +59,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_camellia_128_ecb.pod b/doc/man3/EVP_camellia_128_ecb.pod
index 4a57f7951..a6b597156 100644
--- a/doc/man3/EVP_camellia_128_ecb.pod
+++ b/doc/man3/EVP_camellia_128_ecb.pod
@@ -75,6 +75,13 @@ Camellia for 128, 192 and 256 bit keys in the following modes: CBC, CFB with
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling these functions multiple times and should consider using
+L instead.
+See L for further information.
+
 =head1 RETURN VALUES
 These functions return an B structure that contains the
@@ -89,7 +96,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_cast5_cbc.pod b/doc/man3/EVP_cast5_cbc.pod
index e823a197f..85ff2ad01 100644
--- a/doc/man3/EVP_cast5_cbc.pod
+++ b/doc/man3/EVP_cast5_cbc.pod
@@ -37,6 +37,13 @@ CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling these functions multiple times and should consider using
+L instead.
+See L for further information.
+
 =head1 RETURN VALUES
 These functions return an B structure that contains the
@@ -51,7 +58,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_chacha20.pod b/doc/man3/EVP_chacha20.pod
index 060b1bfc2..28ab25bf7 100644
--- a/doc/man3/EVP_chacha20.pod
+++ b/doc/man3/EVP_chacha20.pod
@@ -40,6 +40,13 @@ L section for more information.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling these functions multiple times and should consider using
+L instead.
+See L for further information.
+
 =head1 RETURN VALUES
 These functions return an B structure that contains the
@@ -54,7 +61,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_des_cbc.pod b/doc/man3/EVP_des_cbc.pod
index fe9d5e6a0..501216cd6 100644
--- a/doc/man3/EVP_des_cbc.pod
+++ b/doc/man3/EVP_des_cbc.pod
@@ -85,6 +85,13 @@ Triple-DES key wrap according to RFC 3217 Section 3.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling these functions multiple times and should consider using
+L instead.
+See L for further information.
+
 =head1 RETURN VALUES
 These functions return an B structure that contains the
@@ -99,7 +106,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_desx_cbc.pod b/doc/man3/EVP_desx_cbc.pod
index 01987bf28..fae827192 100644
--- a/doc/man3/EVP_desx_cbc.pod
+++ b/doc/man3/EVP_desx_cbc.pod
@@ -29,6 +29,11 @@ implementation.
 =back
+Developers should be aware of the negative performance implications of
+calling this function multiple times and should consider using
+L instead.
+See L for further information.
+
 =head1 RETURN VALUES
 These functions return an B structure that contains the
@@ -43,7 +48,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_idea_cbc.pod b/doc/man3/EVP_idea_cbc.pod
index 2fa5a2925..5a9adaedc 100644
--- a/doc/man3/EVP_idea_cbc.pod
+++ b/doc/man3/EVP_idea_cbc.pod
@@ -35,6 +35,13 @@ The IDEA encryption algorithm in CBC, CFB, ECB and OFB modes respectively.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling these functions multiple times and should consider using
+L instead.
+See L for further information.
+
 =head1 RETURN VALUES
 These functions return an B structure that contains the
@@ -49,7 +56,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_md2.pod b/doc/man3/EVP_md2.pod
index 420bb1545..0b473887e 100644
--- a/doc/man3/EVP_md2.pod
+++ b/doc/man3/EVP_md2.pod
@@ -24,6 +24,12 @@ The MD2 algorithm which produces a 128-bit output from a given input.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling this function multiple times and should consider using
+L instead.
+See L for further information.
 =head1 RETURN VALUES
@@ -43,7 +49,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_md4.pod b/doc/man3/EVP_md4.pod
index a3d3beaaf..baaff9e4e 100644
--- a/doc/man3/EVP_md4.pod
+++ b/doc/man3/EVP_md4.pod
@@ -25,6 +25,12 @@ The MD4 algorithm which produces a 128-bit output from a given input.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling this function multiple times and should consider using
+L instead.
+See L for further information.
 =head1 RETURN VALUES
@@ -44,7 +50,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_md5.pod b/doc/man3/EVP_md5.pod
index 9d729601a..752fdd1f6 100644
--- a/doc/man3/EVP_md5.pod
+++ b/doc/man3/EVP_md5.pod
@@ -36,6 +36,12 @@ WARNING: this algorithm is not intended for non-SSL usage.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling these functions multiple times and should consider using
+L instead.
+See L for further information.
 =head1 RETURN VALUES
@@ -54,7 +60,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_mdc2.pod b/doc/man3/EVP_mdc2.pod
index 7ebed04c7..e9de6f3c5 100644
--- a/doc/man3/EVP_mdc2.pod
+++ b/doc/man3/EVP_mdc2.pod
@@ -26,6 +26,13 @@ The MDC-2DES algorithm of using MDC-2 with the DES block cipher. It produces a
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling this function multiple times and should consider using
+L instead.
+See L for further information.
+
 =head1 RETURN VALUES
 These functions return a B structure that contains the
@@ -44,7 +51,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_rc2_cbc.pod b/doc/man3/EVP_rc2_cbc.pod
index e6111ff3a..bf4a13ba4 100644
--- a/doc/man3/EVP_rc2_cbc.pod
+++ b/doc/man3/EVP_rc2_cbc.pod
@@ -51,6 +51,13 @@ functions to set the key length and effective key length.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling these functions multiple times and should consider using
+L instead.
+See L for further information.
+
 =head1 RETURN VALUES
 These functions return an B structure that contains the
@@ -65,7 +72,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_rc4.pod b/doc/man3/EVP_rc4.pod
index 9deaab97f..f22e88a65 100644
--- a/doc/man3/EVP_rc4.pod
+++ b/doc/man3/EVP_rc4.pod
@@ -43,6 +43,13 @@ interface.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling these functions multiple times and should consider using
+L instead.
+See L for further information.
+
 =head1 RETURN VALUES
 These functions return an B structure that contains the
@@ -57,7 +64,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_rc5_32_12_16_cbc.pod b/doc/man3/EVP_rc5_32_12_16_cbc.pod
index 8ac23b4a9..c177b1845 100644
--- a/doc/man3/EVP_rc5_32_12_16_cbc.pod
+++ b/doc/man3/EVP_rc5_32_12_16_cbc.pod
@@ -56,6 +56,13 @@ is an int.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling these functions multiple times and should consider using
+L instead.
+See L for further information.
+
 =head1 RETURN VALUES
 These functions return an B structure that contains the
@@ -71,7 +78,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_ripemd160.pod b/doc/man3/EVP_ripemd160.pod
index e559b0344..6ad2d3e01 100644
--- a/doc/man3/EVP_ripemd160.pod
+++ b/doc/man3/EVP_ripemd160.pod
@@ -25,6 +25,13 @@ The RIPEMD-160 algorithm which produces a 160-bit output from a given input.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling this function multiple times and should consider using
+L instead.
+See L for further information.
+
 =head1 RETURN VALUES
 These functions return a B structure that contains the
@@ -43,7 +50,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_seed_cbc.pod b/doc/man3/EVP_seed_cbc.pod
index eef7dd540..010607e57 100644
--- a/doc/man3/EVP_seed_cbc.pod
+++ b/doc/man3/EVP_seed_cbc.pod
@@ -37,6 +37,13 @@ The SEED encryption algorithm in CBC, CFB, ECB and OFB modes respectively.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling these functions multiple times and should consider using
+L instead.
+See L for further information.
+
 =head1 RETURN VALUES
 These functions return an B structure that contains the
@@ -51,7 +58,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_sha1.pod b/doc/man3/EVP_sha1.pod
index f3e9e8d4f..264ddd1ad 100644
--- a/doc/man3/EVP_sha1.pod
+++ b/doc/man3/EVP_sha1.pod
@@ -25,6 +25,12 @@ The SHA-1 algorithm which produces a 160-bit output from a given input.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling this function multiple times and should consider using
+L instead.
+See L for further information.
 =head1 RETURN VALUES
@@ -43,7 +49,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_sha224.pod b/doc/man3/EVP_sha224.pod
index 97881b546..7a50cf9b6 100644
--- a/doc/man3/EVP_sha224.pod
+++ b/doc/man3/EVP_sha224.pod
@@ -45,6 +45,12 @@ their outputs are of the same size.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling these functions multiple times and should consider using
+L instead.
+See L for further information.
 =head1 RETURN VALUES
@@ -63,7 +69,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_sha3_224.pod b/doc/man3/EVP_sha3_224.pod
index 4c349f55d..5bb9ae1b8 100644
--- a/doc/man3/EVP_sha3_224.pod
+++ b/doc/man3/EVP_sha3_224.pod
@@ -50,6 +50,12 @@ B provides that of 256 bits.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling these functions multiple times and should consider using
+L instead.
+See L for further information.
 =head1 RETURN VALUES
@@ -68,7 +74,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_sm3.pod b/doc/man3/EVP_sm3.pod
index 96997b112..4e8112dc0 100644
--- a/doc/man3/EVP_sm3.pod
+++ b/doc/man3/EVP_sm3.pod
@@ -24,6 +24,12 @@ The SM3 hash function.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling this function multiple times and should consider using
+L instead.
+See L for further information.
 =head1 RETURN VALUES
@@ -42,7 +48,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Copyright 2017 Ribose Inc. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/doc/man3/EVP_sm4_cbc.pod b/doc/man3/EVP_sm4_cbc.pod
index 51df4435b..b67ade549 100644
--- a/doc/man3/EVP_sm4_cbc.pod
+++ b/doc/man3/EVP_sm4_cbc.pod
@@ -41,6 +41,13 @@ respectively.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling these functions multiple times and should consider using
+L instead.
+See L for further information.
+
 =head1 RETURN VALUES
 These functions return a B structure that contains the
@@ -55,7 +62,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Copyright 2017 Ribose Inc. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
diff --git a/doc/man3/EVP_whirlpool.pod b/doc/man3/EVP_whirlpool.pod
index 3aaf1d50a..a9826e290 100644
--- a/doc/man3/EVP_whirlpool.pod
+++ b/doc/man3/EVP_whirlpool.pod
@@ -26,6 +26,12 @@ input.
 =back
+=head1 NOTES
+
+Developers should be aware of the negative performance implications of
+calling this function multiple times and should consider using
+L instead.
+See L for further information.
 =head1 RETURN VALUES
@@ -45,7 +51,7 @@ L
 =head1 COPYRIGHT
-Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/HMAC.pod b/doc/man3/HMAC.pod
index 87a567242..5e3e4a6a9 100644
--- a/doc/man3/HMAC.pod
+++ b/doc/man3/HMAC.pod
@@ -163,7 +163,7 @@ OpenSSL before version 1.0.0.
 =head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OBJ_nid2obj.pod b/doc/man3/OBJ_nid2obj.pod
index 94eb6cc58..b876e3cc7 100644
--- a/doc/man3/OBJ_nid2obj.pod
+++ b/doc/man3/OBJ_nid2obj.pod
@@ -142,6 +142,8 @@ These functions cannot return B because an B can represent both an internal, constant, OID and a dynamically-created one. The latter cannot be constant because it needs to be freed after use.
+These functions were not thread safe in OpenSSL 3.0 and before.
+
 =head1 RETURN VALUES
 OBJ_nid2obj() returns an B structure or B is an
@@ -180,12 +182,6 @@ Create a new object directly:
 obj = OBJ_txt2obj("1.2.3.4", 1);
-=head1 BUGS
-
-Neither OBJ_create() nor OBJ_add_sigid() do any locking and are thus not
-thread safe. Moreover, none of the other functions should be called while
-concurrent calls to these two functions are possible.
-
 =head1 SEE ALSO
 L
@@ -197,7 +193,7 @@ and should not be used.
 =head1 COPYRIGHT
-Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OCSP_REQUEST_new.pod b/doc/man3/OCSP_REQUEST_new.pod
index e34e591fe..867087d96 100644
--- a/doc/man3/OCSP_REQUEST_new.pod
+++ b/doc/man3/OCSP_REQUEST_new.pod
@@ -108,7 +108,7 @@ L
 =head1 COPYRIGHT
-Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OCSP_resp_find_status.pod b/doc/man3/OCSP_resp_find_status.pod
index f4afddcde..bc5db7086 100644
--- a/doc/man3/OCSP_resp_find_status.pod
+++ b/doc/man3/OCSP_resp_find_status.pod
@@ -131,7 +131,7 @@ in L. If I contains B it ignores all certificates in I and in I, else it takes them as untrusted intermediate CA certificates and uses them for constructing the validation path for the signer certificate.
-Certicate revocation status checks using CRLs is disabled during path validation
+Certificate revocation status checks using CRLs is disabled during path validation
 if the signer certificate contains the B extension. After successful path validation the function returns success if the B flag is set.
@@ -210,7 +210,7 @@ L
 =head1 COPYRIGHT
-Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OCSP_sendreq_new.pod b/doc/man3/OCSP_sendreq_new.pod
index 6e4c8110f..97e1ac4d3 100644
--- a/doc/man3/OCSP_sendreq_new.pod
+++ b/doc/man3/OCSP_sendreq_new.pod
@@ -40,7 +40,7 @@ These functions perform an OCSP POST request / response transfer over HTTP, using the HTTP request functions described in L.
 The function OCSP_sendreq_new() builds a complete B structure
-with the B I to be used for requests and reponse, the URL path I,
+with the B I to be used for requests and response, the URL path I,
 optionally the OCSP request I, and a response header maximum line length of I. If I is zero a default value of 4KiB is used. The I may be set to NULL and provided later using OCSP_REQ_CTX_set1_req()
@@ -115,7 +115,7 @@ were deprecated in OpenSSL 3.0.
 =head1 COPYRIGHT
-Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OPENSSL_LH_COMPFUNC.pod b/doc/man3/OPENSSL_LH_COMPFUNC.pod
index d3bb272c4..ba128404b 100644
--- a/doc/man3/OPENSSL_LH_COMPFUNC.pod
+++ b/doc/man3/OPENSSL_LH_COMPFUNC.pod
@@ -2,7 +2,7 @@
 =head1 NAME
-LHASH, DECLARE_LHASH_OF,
+LHASH, LHASH_OF, DEFINE_LHASH_OF_EX, DEFINE_LHASH_OF,
 OPENSSL_LH_COMPFUNC, OPENSSL_LH_HASHFUNC, OPENSSL_LH_DOALL_FUNC, LHASH_DOALL_ARG_FN_TYPE, IMPLEMENT_LHASH_HASH_FN, IMPLEMENT_LHASH_COMP_FN,
@@ -20,7 +20,9 @@ OPENSSL_LH_doall, OPENSSL_LH_doall_arg, OPENSSL_LH_error
 #include
- DECLARE_LHASH_OF(TYPE);
+ LHASH_OF(TYPE)
+
+ DEFINE_LHASH_OF_EX(TYPE);
 LHASH_OF(TYPE) *lh_TYPE_new(OPENSSL_LH_HASHFUNC hash, OPENSSL_LH_COMPFUNC compare);
 void lh_TYPE_free(LHASH_OF(TYPE) *table);
@@ -54,6 +56,10 @@ OPENSSL_LH_doall, OPENSSL_LH_doall_arg, OPENSSL_LH_error
 int OPENSSL_LH_error(OPENSSL_LHASH *lh);
+The following macro is deprecated:
+
+ DEFINE_LHASH_OF(TYPE);
+
 =head1 DESCRIPTION
 This library implements type-checked dynamic hash tables. The hash
@@ -61,6 +67,12 @@ table entries can be arbitrary structures. Usually they consist of key and value fields. In the description here, B> is used a placeholder for any of the OpenSSL datatypes, such as I.
+To define a new type-checked dynamic hash table, use B().
+B() was previously used for this purpose, but is now
+deprecated. The B() macro provides all functionality of
+B() except for certain deprecated statistics functions (see
+OPENSSL_LH_stats(3)).
+
 B_new>() creates a new B(B>) structure to store arbitrary data entries, and specifies the 'hash' and 'compare' callbacks to be used in organising the table's entries. The I
@@ -268,6 +280,9 @@ L
 In OpenSSL 1.0.0, the lhash interface was revamped for better type checking.
+In OpenSSL 3.1, B() was introduced and B()
+was deprecated.
+
 =head1 COPYRIGHT
 Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man3/OPENSSL_LH_stats.pod b/doc/man3/OPENSSL_LH_stats.pod
index b86de52cb..5bc69674f 100644
--- a/doc/man3/OPENSSL_LH_stats.pod
+++ b/doc/man3/OPENSSL_LH_stats.pod
@@ -10,14 +10,19 @@ OPENSSL_LH_node_stats_bio, OPENSSL_LH_node_usage_stats_bio - LHASH statistics
 #include
- void OPENSSL_LH_stats(LHASH *table, FILE *out);
 void OPENSSL_LH_node_stats(LHASH *table, FILE *out);
 void OPENSSL_LH_node_usage_stats(LHASH *table, FILE *out);
- void OPENSSL_LH_stats_bio(LHASH *table, BIO *out);
 void OPENSSL_LH_node_stats_bio(LHASH *table, BIO *out);
 void OPENSSL_LH_node_usage_stats_bio(LHASH *table, BIO *out);
+The following functions have been deprecated since OpenSSL 3.1, and can be
+hidden entirely by defining B with a suitable version value,
+see L:
+
+ void OPENSSL_LH_stats(LHASH *table, FILE *out);
+ void OPENSSL_LH_stats_bio(LHASH *table, BIO *out);
+
 =head1 DESCRIPTION
 The B structure records statistics about most aspects of
@@ -43,6 +48,9 @@ record a miss.
 OPENSSL_LH_stats_bio(), OPENSSL_LH_node_stats_bio() and OPENSSL_LH_node_usage_stats_bio() are the same as the above, except that the output goes to a B.
+OPENSSH_LH_stats() and OPENSSH_LH_stats_bio() are deprecated and should no
+longer be used.
+
 =head1 RETURN VALUES
 These functions do not return values.
@@ -53,6 +61,9 @@ These calls should be made under a read lock. Refer to L for more details about the locks required when using the LHASH data structure.
+The functions OPENSSH_LH_stats() and OPENSSH_LH_stats_bio() were deprecated in
+version 3.1.
+
 =head1 SEE ALSO
 L, L
diff --git a/doc/man3/OPENSSL_ia32cap.pod b/doc/man3/OPENSSL_ia32cap.pod
index c6c1c0185..1882b69ac 100644
--- a/doc/man3/OPENSSL_ia32cap.pod
+++ b/doc/man3/OPENSSL_ia32cap.pod
@@ -129,7 +129,7 @@ Not available.
 =head1 COPYRIGHT
-Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod
index f40524115..2cddec5ea 100644
--- a/doc/man3/OPENSSL_s390xcap.pod
+++ b/doc/man3/OPENSSL_s390xcap.pod
@@ -34,8 +34,8 @@ There are three types of tokens: The name of a processor generation. A bit in the environment variable's mask is set to one if and only if the specified processor generation implements the corresponding instruction set extension. Possible values
-are B, B, B, B, B, B, B, B
-and B.
+are B, B, B, B, B, B, B, B,
+B, and B.
 =item ::
@@ -189,7 +189,7 @@ Disables the KM-XTS-AES and the KIMD-SHAKE function codes:
 =head1 COPYRIGHT
-Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the Apache License 2.0 (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index 3c4e2d3f7..ef5d6c8b5 100644
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -587,6 +587,7 @@ If the callback argument is not NULL it must point to a trust store. In this case the function checks that the newly enrolled certificate can be verified using this trust store and untrusted certificates from the I, which have been augmented by the list of extraCerts received.
+During this verification, any certificate status checking is disabled.
 If the callback argument is NULL the function tries building an approximate chain as far as possible using the same untrusted certificates from the I, and if this fails it takes the received extraCerts as fallback.
diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod
index b0d81c7c4..3df517677 100644
--- a/doc/man3/OSSL_CMP_exec_certreq.pod
+++ b/doc/man3/OSSL_CMP_exec_certreq.pod
@@ -163,7 +163,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CMP_log_open.pod b/doc/man3/OSSL_CMP_log_open.pod index 9a55370e3..d348feeea 100644 --- a/doc/man3/OSSL_CMP_log_open.pod +++ b/doc/man3/OSSL_CMP_log_open.pod @@ -89,7 +89,7 @@ As long as neither if the two is used any logging output is ignored. OSSL_CMP_log_close() may be called when all activities are finished to flush any pending CMP-specific log output and deallocate related resources. -It may be called multiple times. It does get called at OpenSSL stutdown. +It may be called multiple times. It does get called at OpenSSL shutdown. OSSL_CMP_print_to_bio() prints the given component info, filename, line number, severity level, and log message or error queue message to the given I. @@ -114,7 +114,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CMP_validate_msg.pod b/doc/man3/OSSL_CMP_validate_msg.pod index 44c901210..c4cc0a4e2 100644 --- a/doc/man3/OSSL_CMP_validate_msg.pod +++ b/doc/man3/OSSL_CMP_validate_msg.pod 
@@ -74,7 +74,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_DECODER.pod b/doc/man3/OSSL_DECODER.pod index 334f955e1..c58ebf462 100644 --- a/doc/man3/OSSL_DECODER.pod +++ b/doc/man3/OSSL_DECODER.pod @@ -116,7 +116,7 @@ multiple synonyms associated with it. In this case the first name from the algorithm definition is returned. Ownership of the returned string is retained by the I object and should not be freed by the caller. -OSSL_DECODER_get0_description() returns a pointer to a decription, or NULL if +OSSL_DECODER_get0_description() returns a pointer to a description, or NULL if there isn't one. OSSL_DECODER_names_do_all() returns 1 if the callback was called for all @@ -180,7 +180,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod b/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod index 213791404..4b4443777 100644 --- a/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod +++ b/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod 
@@ -41,7 +41,7 @@ them up, so all the caller has to do next is call functions like L. The caller may use the optional I, I, I and I to specify what the input is expected to contain. The I must reference an B variable -that will be set to the newly created B on succesfull decoding. +that will be set to the newly created B on successful decoding. The referenced variable must be initialized to NULL before calling the function. @@ -135,7 +135,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_DECODER_from_bio.pod b/doc/man3/OSSL_DECODER_from_bio.pod index 5118dee9a..0cefeb2bf 100644 --- a/doc/man3/OSSL_DECODER_from_bio.pod +++ b/doc/man3/OSSL_DECODER_from_bio.pod @@ -42,8 +42,8 @@ except that the input is coming from the B I. =head1 RETURN VALUES -OSSL_DECODER_from_bio() and OSSL_DECODER_from_fp() return 1 on success, or 0 -on failure. +OSSL_DECODER_from_bio(), OSSL_DECODER_from_data() and OSSL_DECODER_from_fp() +return 1 on success, or 0 on failure. =head1 EXAMPLES @@ -110,7 +110,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_ENCODER.pod b/doc/man3/OSSL_ENCODER.pod index cfabba2e1..d72715472 100644 --- a/doc/man3/OSSL_ENCODER.pod +++ b/doc/man3/OSSL_ENCODER.pod 
@@ -117,7 +117,7 @@ multiple synonyms associated with it. In this case the first name from the algorithm definition is returned. Ownership of the returned string is retained by the I object and should not be freed by the caller. -OSSL_ENCODER_get0_description() returns a pointer to a decription, or NULL if +OSSL_ENCODER_get0_description() returns a pointer to a description, or NULL if there isn't one. OSSL_ENCODER_names_do_all() returns 1 if the callback was called for all @@ -134,7 +134,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_ENCODER_CTX.pod b/doc/man3/OSSL_ENCODER_CTX.pod index 2d7a6a298..b4b5f61e1 100644 --- a/doc/man3/OSSL_ENCODER_CTX.pod +++ b/doc/man3/OSSL_ENCODER_CTX.pod @@ -80,7 +80,7 @@ as DER to PEM, as well as more specialized encoders like RSA to DER. The final output type must be given, and a chain of encoders must end with an implementation that produces that output type. -At the beginning of the encoding process, a contructor provided by the +At the beginning of the encoding process, a constructor provided by the caller is called to ensure that there is an appropriate provider-side object to start with. The constructor is set with OSSL_ENCODER_CTX_set_construct(). @@ -148,7 +148,7 @@ The pointer that was set with OSSL_ENCODE_CTX_set_construct_data(). The constructor is expected to return a valid (non-NULL) pointer to a provider-native object that can be used as first input of an encoding chain, -or NULL to indicate that an error has occured. +or NULL to indicate that an error has occurred. These utility functions may be used by a constructor: 
@@ -211,7 +211,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_ENCODER_CTX_new_for_pkey.pod b/doc/man3/OSSL_ENCODER_CTX_new_for_pkey.pod index 8ba3bdd46..3bf9c10e3 100644 --- a/doc/man3/OSSL_ENCODER_CTX_new_for_pkey.pod +++ b/doc/man3/OSSL_ENCODER_CTX_new_for_pkey.pod @@ -136,7 +136,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_ESS_check_signing_certs.pod b/doc/man3/OSSL_ESS_check_signing_certs.pod index bff26193d..726dbc285 100644 --- a/doc/man3/OSSL_ESS_check_signing_certs.pod +++ b/doc/man3/OSSL_ESS_check_signing_certs.pod @@ -46,7 +46,7 @@ while the list contained in I is of type B. As far as these lists are present, they must be nonempty. The certificate identified by their first entry must be the first element of I, i.e. the signer certificate. -Any further certficates referenced in the list must also be found in I. +Any further certificates referenced in the list must also be found in I. The matching is done using the given certificate hash algorithm and value. In addition to the checks required by RFCs 2624 and 5035, if the B field is included in an B or B 
@@ -78,7 +78,7 @@ OSSL_ESS_check_signing_certs() were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_HTTP_REQ_CTX.pod b/doc/man3/OSSL_HTTP_REQ_CTX.pod index fbe1a152b..ea468a664 100644 --- a/doc/man3/OSSL_HTTP_REQ_CTX.pod +++ b/doc/man3/OSSL_HTTP_REQ_CTX.pod @@ -133,7 +133,7 @@ The function may need to be called again if its result is -1, which indicates L. In such a case it is advisable to sleep a little in between, using L on the read BIO to prevent a busy loop. -OSSL_HTTP_REQ_CTX_nbio_d2i() is like OSSL_HTTP_REQ_CTX_nbio() but on successs +OSSL_HTTP_REQ_CTX_nbio_d2i() is like OSSL_HTTP_REQ_CTX_nbio() but on success in addition parses the response, which must be a DER-encoded ASN.1 structure, using the ASN.1 template I and places the result in I<*pval>. @@ -213,6 +213,13 @@ This may be omitted if the GET method is used and "keep-alive" is not requested. When the request context is fully prepared, the HTTP exchange may be performed with OSSL_HTTP_REQ_CTX_nbio() or OSSL_HTTP_REQ_CTX_exchange(). +=head1 NOTES + +When built with tracing enabled, OSSL_HTTP_REQ_CTX_nbio() and all functions +using it, such as OSSL_HTTP_REQ_CTX_exchange() and L, +may be traced using B. +See also L and L. + =head1 RETURN VALUES OSSL_HTTP_REQ_CTX_new() returns a pointer to a B, or NULL @@ -248,7 +255,8 @@ L, L, L, L, -L +L, +L =head1 HISTORY diff --git a/doc/man3/OSSL_HTTP_parse_url.pod b/doc/man3/OSSL_HTTP_parse_url.pod index 945e981a7..b9c59a9de 100644 --- a/doc/man3/OSSL_HTTP_parse_url.pod +++ b/doc/man3/OSSL_HTTP_parse_url.pod 
@@ -57,7 +57,7 @@ The path component is also optional and defaults to C. Each non-NULL result pointer argument I, I, I, I, I, I, and I, is assigned the respective url component. On success, they are guaranteed to contain non-NULL string pointers, else NULL. -It is the reponsibility of the caller to free them using L. +It is the responsibility of the caller to free them using L. If I is NULL, any given query component is handled as part of the path. A string returned via I<*ppath> is guaranteed to begin with a C character. For absent scheme, userinfo, port, query, and fragment components @@ -97,7 +97,7 @@ OCSP_parse_url() was deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_HTTP_transfer.pod b/doc/man3/OSSL_HTTP_transfer.pod index 3337f6d4a..af7c1509a 100644 --- a/doc/man3/OSSL_HTTP_transfer.pod +++ b/doc/man3/OSSL_HTTP_transfer.pod @@ -245,6 +245,10 @@ C, C, C, C, C, and C, have been chosen for maximal compatibility with other HTTP client implementations such as wget, curl, and git. +When built with tracing enabled, OSSL_HTTP_transfer() and all functions using it +may be traced using B. +See also L and L. + =head1 RETURN VALUES OSSL_HTTP_open() returns on success a B, else NULL. @@ -266,7 +270,8 @@ OSSL_HTTP_close() returns 0 if anything went wrong while disconnecting, else 1. L, L, L, L, -L +L, +L =head1 HISTORY diff --git a/doc/man3/OSSL_PARAM.pod b/doc/man3/OSSL_PARAM.pod index 0aad61924..db669c28e 100644 --- a/doc/man3/OSSL_PARAM.pod +++ b/doc/man3/OSSL_PARAM.pod 
@@ -108,7 +108,7 @@ B in relation to C strings. When setting parameters, the size should be set to the length of the string, not counting the terminating NUL byte. When requesting parameters, the size should be set to the size of the buffer to be populated, which -should accomodate enough space for a terminating NUL byte. +should accommodate enough space for a terminating NUL byte. When I, it's acceptable for I to be NULL. This can be used by the I to figure out dynamically exactly diff --git a/doc/man3/OSSL_PARAM_allocate_from_text.pod b/doc/man3/OSSL_PARAM_allocate_from_text.pod index e6dc2549f..136eaa4d9 100644 --- a/doc/man3/OSSL_PARAM_allocate_from_text.pod +++ b/doc/man3/OSSL_PARAM_allocate_from_text.pod @@ -197,7 +197,7 @@ L, L =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_PARAM_dup.pod b/doc/man3/OSSL_PARAM_dup.pod index 4ae33faf1..d55da4f5c 100644 --- a/doc/man3/OSSL_PARAM_dup.pod +++ b/doc/man3/OSSL_PARAM_dup.pod @@ -49,7 +49,7 @@ The functions were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_PARAM_int.pod b/doc/man3/OSSL_PARAM_int.pod index 8864404a7..f27e1e5c2 100644 --- a/doc/man3/OSSL_PARAM_int.pod +++ b/doc/man3/OSSL_PARAM_int.pod @@ -241,7 +241,7 @@ will be assigned the size the parameter's I buffer should have. OSSL_PARAM_get_utf8_string() retrieves a UTF8 string from the parameter pointed to by I

. The string is stored into I<*val> with a size limit of I, -which must be large enough to accomodate a terminating NUL byte, +which must be large enough to accommodate a terminating NUL byte, otherwise this function will fail. If I<*val> is NULL, memory is allocated for the string (including the terminating NUL byte) and I is ignored. @@ -250,14 +250,14 @@ If memory is allocated by this function, it must be freed by the caller. OSSL_PARAM_set_utf8_string() sets a UTF8 string from the parameter pointed to by I

to the value referenced by I. If the parameter's I field isn't NULL, its I must indicate -that the buffer is large enough to accomodate the string that I points at, +that the buffer is large enough to accommodate the string that I points at, not including the terminating NUL byte, or this function will fail. A terminating NUL byte is added only if the parameter's I indicates the buffer is longer than the string length, otherwise the string will not be NUL terminated. If the parameter's I field is NULL, then only its I field will be assigned the minimum size the parameter's I buffer should have -to accomodate the string, not including a terminating NUL byte. +to accommodate the string, not including a terminating NUL byte. OSSL_PARAM_get_octet_string() retrieves an OCTET string from the parameter pointed to by I

. @@ -403,7 +403,7 @@ These APIs were introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_SELF_TEST_new.pod b/doc/man3/OSSL_SELF_TEST_new.pod index 5fe838351..b8fcf534f 100644 --- a/doc/man3/OSSL_SELF_TEST_new.pod +++ b/doc/man3/OSSL_SELF_TEST_new.pod @@ -165,7 +165,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_SELF_TEST_set_callback.pod b/doc/man3/OSSL_SELF_TEST_set_callback.pod index 9866de018..4a9470681 100644 --- a/doc/man3/OSSL_SELF_TEST_set_callback.pod +++ b/doc/man3/OSSL_SELF_TEST_set_callback.pod @@ -42,7 +42,7 @@ The functions described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_STORE_LOADER.pod b/doc/man3/OSSL_STORE_LOADER.pod index b1d838604..c008e397e 100644 --- a/doc/man3/OSSL_STORE_LOADER.pod +++ b/doc/man3/OSSL_STORE_LOADER.pod 
@@ -327,7 +327,7 @@ definition string, or NULL on error. OSSL_STORE_LOADER_is_a() returns 1 if I was identifiable, otherwise 0. -OSSL_STORE_LOADER_get0_description() returns a pointer to a decription, or NULL if +OSSL_STORE_LOADER_get0_description() returns a pointer to a description, or NULL if there isn't one. The functions with the types B, @@ -380,7 +380,7 @@ were added in OpenSSL 1.1.1, and became deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_STORE_open.pod b/doc/man3/OSSL_STORE_open.pod index fe51912e8..ae15c8adf 100644 --- a/doc/man3/OSSL_STORE_open.pod +++ b/doc/man3/OSSL_STORE_open.pod @@ -176,7 +176,7 @@ OSSL_STORE_ctrl() and OSSL_STORE_vctrl() were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_trace_enabled.pod b/doc/man3/OSSL_trace_enabled.pod index f9c9dffd8..fcbea3cbf 100644 --- a/doc/man3/OSSL_trace_enabled.pod +++ b/doc/man3/OSSL_trace_enabled.pod @@ -49,8 +49,8 @@ The functions described here are mainly interesting for those who provide OpenSSL functionality, either in OpenSSL itself or in engine modules or similar. -If tracing is enabled (see L below), these functions are used to -generate free text tracing output. +If the tracing facility is enabled (see L below), +these functions are used to generate free text tracing output. The tracing output is divided into types which are enabled individually by the application. 
@@ -59,13 +59,13 @@ L. The fallback type B should I be used with the functions described here. -Tracing for a specific category is enabled if a so called +Tracing for a specific category is enabled at run-time if a so-called I is attached to it. A trace channel is simply a BIO object to which the application can write its trace output. The application has two different ways of registering a trace channel, -either by directly providing a BIO object using OSSL_trace_set_channel(), -or by providing a callback routine using OSSL_trace_set_callback(). +either by directly providing a BIO object using L, +or by providing a callback routine using L. The latter is wrapped internally by a dedicated BIO object, so for the tracing code both channel types are effectively indistinguishable. We call them a I and a I, @@ -86,7 +86,9 @@ but rather uses a set of convenience macros, see the L section below. =head2 Functions OSSL_trace_enabled() can be used to check if tracing for the given -I is enabled. +I is enabled, i.e., if the tracing facility has been statically +enabled (see L below) and a trace channel has been +registered using L or L. OSSL_trace_begin() is used to starts a tracing section, and get the channel for the given I in form of a BIO. @@ -109,7 +111,7 @@ used as follows to wrap a trace section: OSSL_TRACE_BEGIN(TLS) { - BIO_fprintf(trc_out, ... ); + BIO_printf(trc_out, ... ); } OSSL_TRACE_END(TLS); @@ -119,7 +121,7 @@ This will normally expand to: BIO *trc_out = OSSL_trace_begin(OSSL_TRACE_CATEGORY_TLS); if (trc_out != NULL) { ... - BIO_fprintf(trc_out, ...); + BIO_printf(trc_out, ...); } OSSL_trace_end(OSSL_TRACE_CATEGORY_TLS, trc_out); } while (0); @@ -133,7 +135,7 @@ trace section: OSSL_TRACE_CANCEL(TLS); goto err; } - BIO_fprintf(trc_out, ... ); + BIO_printf(trc_out, ... ); } OSSL_TRACE_END(TLS); 
@@ -146,7 +148,7 @@ This will normally expand to: OSSL_trace_end(OSSL_TRACE_CATEGORY_TLS, trc_out); goto err; } - BIO_fprintf(trc_out, ... ); + BIO_printf(trc_out, ... ); } OSSL_trace_end(OSSL_TRACE_CATEGORY_TLS, trc_out); } while (0); @@ -249,7 +251,7 @@ For example, take this example from L section above: OSSL_TRACE_CANCEL(TLS); goto err; } - BIO_fprintf(trc_out, ... ); + BIO_printf(trc_out, ... ); } OSSL_TRACE_END(TLS); @@ -262,7 +264,7 @@ When the tracing API isn't operational, that will expand to: ((void)0); goto err; } - BIO_fprintf(trc_out, ... ); + BIO_printf(trc_out, ... ); } } while (0); @@ -276,13 +278,17 @@ operational and enabled, otherwise 0. OSSL_trace_begin() returns a B pointer if the given I is enabled, otherwise NULL. +=head1 SEE ALSO + +L, L + =head1 HISTORY The OpenSSL Tracing API was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_trace_set_channel.pod b/doc/man3/OSSL_trace_set_channel.pod index 3b9c64e54..29c0f3553 100644 --- a/doc/man3/OSSL_trace_set_channel.pod +++ b/doc/man3/OSSL_trace_set_channel.pod 
@@ -21,13 +21,13 @@ OSSL_trace_set_callback, OSSL_trace_cb - Enabling trace output =head1 DESCRIPTION -If available (see L below), the application can request +If available (see L below), the application can request internal trace output. This output comes in form of free text for humans to read. The trace output is divided into categories which can be enabled individually. -Every category can be enabled individually by attaching a so called +Every category can be enabled individually by attaching a so-called I to it, which in the simplest case is just a BIO object to which the application can write the tracing output for this category. Alternatively, the application can provide a tracer callback in order to @@ -38,6 +38,11 @@ For the tracing code, both trace channel types are indistinguishable. These are called a I and a I, respectively. +L can be used to check whether tracing is currently +enabled for the given category. +Functions like L and macros like L +can be used for producing free-text trace output. + =head2 Functions OSSL_trace_set_channel() is used to enable the given trace C @@ -48,7 +53,7 @@ so the caller must not free it directly. OSSL_trace_set_prefix() and OSSL_trace_set_suffix() can be used to add an extra line for each channel, to be output before and after group of tracing output. -What constitues an output group is decided by the code that produces +What constitutes an output group is decided by the code that produces the output. The lines given here are considered immutable; for more dynamic tracing prefixes, consider setting a callback with 
@@ -58,7 +63,7 @@ OSSL_trace_set_callback() is used to enable the given trace I by giving it the tracer callback I with the associated data I, which will simply be passed through to I whenever it's called. The callback function is internally wrapped by a -dedicated BIO object, the so called I. +dedicated BIO object, the so-called I. This should be used when it's desirable to do form the trace output to something suitable for application needs where a prefix and suffix line aren't enough. @@ -314,6 +319,11 @@ When the library is built with tracing disabled, the macro B is defined in F<< >> and all functions described here are inoperational, i.e. will do nothing. +=head1 SEE ALSO + +L, L, L, +L + =head1 HISTORY OSSL_trace_set_channel(), OSSL_trace_set_prefix(), diff --git a/doc/man3/PKCS12_decrypt_skey.pod b/doc/man3/PKCS12_decrypt_skey.pod index 7a41b2b06..d58c05ffe 100644 --- a/doc/man3/PKCS12_decrypt_skey.pod +++ b/doc/man3/PKCS12_decrypt_skey.pod @@ -21,7 +21,7 @@ decrypt functions PKCS12_decrypt_skey() Decrypt the PKCS#8 shrouded keybag contained within I using the supplied password I of length I. -PKCS12_decrypt_skey_ex() is similar to the above but allows for a library contex +PKCS12_decrypt_skey_ex() is similar to the above but allows for a library context I and property query I to be used to select algorithm implementations. =head1 RETURN VALUES @@ -45,7 +45,7 @@ PKCS12_decrypt_skey_ex() was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/PKCS12_gen_mac.pod b/doc/man3/PKCS12_gen_mac.pod index 53b55e870..c4610ecaa 100644 --- a/doc/man3/PKCS12_gen_mac.pod +++ b/doc/man3/PKCS12_gen_mac.pod 
@@ -21,7 +21,7 @@ PKCS12_verify_mac - Functions to create and manipulate a PKCS#12 structure =head1 DESCRIPTION PKCS12_gen_mac() generates an HMAC over the entire PKCS#12 object using the -supplied password along with a set of already configured paramters. +supplied password along with a set of already configured parameters. PKCS12_verify_mac() verifies the PKCS#12 object's HMAC using the supplied password. @@ -62,7 +62,7 @@ L =head1 COPYRIGHT -Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/RAND_bytes.pod b/doc/man3/RAND_bytes.pod index ee7ed4af8..3b7bf5363 100644 --- a/doc/man3/RAND_bytes.pod +++ b/doc/man3/RAND_bytes.pod @@ -37,7 +37,7 @@ and L. RAND_bytes_ex() and RAND_priv_bytes_ex() are the same as RAND_bytes() and RAND_priv_bytes() except that they both take additional I and -I parameters. The bytes genreated will have a security strength of at +I parameters. The bytes generated will have a security strength of at least I bits. The DRBG used for the operation is the public or private DRBG associated with the specified I. The parameter can be NULL, in which case @@ -101,7 +101,7 @@ The RAND_bytes_ex() and RAND_priv_bytes_ex() functions were added in OpenSSL 3.0 =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/RAND_get0_primary.pod b/doc/man3/RAND_get0_primary.pod index 408d02077..c82bb3ec2 100644 --- a/doc/man3/RAND_get0_primary.pod +++ b/doc/man3/RAND_get0_primary.pod 
@@ -4,7 +4,9 @@ RAND_get0_primary, RAND_get0_public, -RAND_get0_private +RAND_get0_private, +RAND_set0_public, +RAND_set0_private - get access to the global EVP_RAND_CTX instances =head1 SYNOPSIS @@ -14,6 +16,8 @@ RAND_get0_private EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx); EVP_RAND_CTX *RAND_get0_public(OSSL_LIB_CTX *ctx); EVP_RAND_CTX *RAND_get0_private(OSSL_LIB_CTX *ctx); + int RAND_set0_public(OSSL_LIB_CTX *ctx, EVP_RAND_CTX *rand); + int RAND_set0_private(OSSL_LIB_CTX *ctx, EVP_RAND_CTX *rand); =head1 DESCRIPTION @@ -25,7 +29,10 @@ by RAND_bytes() and RAND_priv_bytes(), respectively. The I DRBG is a global instance, which is not intended to be used directly, but is used internally to reseed the other two instances. -These functions here provide access to the shared DRBG instances. +The three get functions provide access to the shared DRBG instances. + +The two set functions allow the public and private DRBG instances to be +replaced by another random number generator. =head1 RETURN VALUES @@ -38,8 +45,8 @@ for the given OSSL_LIB_CTX B. RAND_get0_private() returns a pointer to the I DRBG instance for the given OSSL_LIB_CTX B. -In all the above cases the B parameter can -be NULL in which case the default OSSL_LIB_CTX is used. +RAND_set0_public() and RAND_set0_private() return 1 on success and 0 +on error. =head1 NOTES @@ -61,6 +68,10 @@ To set the type of DRBG that will be instantiated, use the L call before accessing the random number generation infrastructure. +The two set functions, operate on the the current thread. If you want to +use the same random number generator across all threads, each thread +must individually call the set functions. + =head1 SEE ALSO L, 
@@ -68,11 +79,13 @@ L =head1 HISTORY -These functions were added in OpenSSL 3.0. +RAND_set0_public() and RAND_set0_private() were added in OpenSSL 3.1. + +The remaining functions were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/RSA_get0_key.pod b/doc/man3/RSA_get0_key.pod index 0a0f79125..ffcc04e3b 100644 --- a/doc/man3/RSA_get0_key.pod +++ b/doc/man3/RSA_get0_key.pod @@ -54,7 +54,7 @@ see L: All of the functions described on this page are deprecated. Applications should instead use L for any methods that -return a B. Refer to L for more infomation. +return a B. Refer to L for more information. An RSA object contains the components for the public and private key, B, B, B, B

, B, B, B and B. B is @@ -184,7 +184,7 @@ All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/RSA_sign.pod b/doc/man3/RSA_sign.pod index e883caf76..4dc47b0ab 100644 --- a/doc/man3/RSA_sign.pod +++ b/doc/man3/RSA_sign.pod @@ -67,7 +67,7 @@ All of these functions were deprecated in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_cipher_list.pod b/doc/man3/SSL_CTX_set_cipher_list.pod index 71f399400..20af9b3f0 100644 --- a/doc/man3/SSL_CTX_set_cipher_list.pod +++ b/doc/man3/SSL_CTX_set_cipher_list.pod @@ -119,7 +119,7 @@ OSSL_default_cipher_list() and OSSL_default_ciphersites() are new in 3.0. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_generate_session_id.pod b/doc/man3/SSL_CTX_set_generate_session_id.pod index 14fb12cfd..c3498b3a8 100644 --- a/doc/man3/SSL_CTX_set_generate_session_id.pod +++ b/doc/man3/SSL_CTX_set_generate_session_id.pod 
@@ -128,7 +128,7 @@ L, L =head1 COPYRIGHT -Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_security_level.pod b/doc/man3/SSL_CTX_set_security_level.pod index a45954900..f40086d8a 100644 --- a/doc/man3/SSL_CTX_set_security_level.pod +++ b/doc/man3/SSL_CTX_set_security_level.pod 
@@ -79,29 +79,28 @@ are prohibited. All export cipher suites are prohibited since they all offer less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite using MD5 for the MAC is also prohibited. Note that signatures using SHA1 and MD5 are also forbidden at this level as they have less than 80 security -bits. +bits. Additionally, SSLv3, TLS 1.0, TLS 1.1 and DTLS 1.0 are all disabled at +this level. =item B Security level set to 112 bits of security. As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. In addition to the level 1 exclusions any cipher suite using RC4 is also -prohibited. SSL version 3 is also not allowed. Compression is disabled. +prohibited. Compression is disabled. =item B Security level set to 128 bits of security. As a result RSA, DSA and DH keys shorter than 3072 bits and ECC keys shorter than 256 bits are prohibited. In addition to the level 2 exclusions cipher suites not offering forward -secrecy are prohibited. TLS versions below 1.1 are not permitted. Session -tickets are disabled. +secrecy are prohibited. Session tickets are disabled. =item B Security level set to 192 bits of security. As a result RSA, DSA and DH keys shorter than 7680 bits and ECC keys shorter than 384 bits are -prohibited. Cipher suites using SHA1 for the MAC are prohibited. TLS -versions below 1.2 are not permitted. +prohibited. Cipher suites using SHA1 for the MAC are prohibited. =item B @@ -181,7 +180,7 @@ These functions were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2014-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_split_send_fragment.pod b/doc/man3/SSL_CTX_set_split_send_fragment.pod index 509740439..2231f5b12 100644 
--- a/doc/man3/SSL_CTX_set_split_send_fragment.pod +++ b/doc/man3/SSL_CTX_set_split_send_fragment.pod @@ -56,7 +56,7 @@ of pipelines that will be used at any one time. This value applies to both used (i.e. normal non-parallel operation). The number of pipelines set must be in the range 1 - SSL_MAX_PIPELINES (32). Setting this to a value > 1 will also automatically turn on "read_ahead" (see L). This is -explained further below. OpenSSL will only every use more than one pipeline if +explained further below. OpenSSL will only ever use more than one pipeline if a cipher suite is negotiated that uses a pipeline capable cipher provided by an engine. @@ -96,7 +96,10 @@ into the buffer. Without this set data is read into the read buffer one record at a time. The more data that can be read, the more opportunity there is for parallelising the processing at the cost of increased memory overhead per connection. Setting B can impact the behaviour of the SSL_pending() -function (see L). +function (see L). In addition the default size of the internal +read buffer is multiplied by the number of pipelines available to ensure that we +can read multiple records in one go. This can therefore have a significant +impact on memory usage. The SSL_CTX_set_default_read_buffer_len() and SSL_set_default_read_buffer_len() functions control the size of the read buffer that will be used. The B @@ -179,7 +182,7 @@ and SSL_SESSION_get_max_fragment_length() functions were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod index 4daf78b8d..c0d69f6f6 100644 --- a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod 
+++ b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod @@ -73,9 +73,9 @@ the built-in parameter support described above. Applications wishing to supply their own DH parameters should call SSL_CTX_set0_tmp_dh_pkey() or SSL_set0_tmp_dh_pkey() to supply the parameters for the B or B respectively. The parameters should be supplied in the I argument as -an B containg DH parameters. Ownership of the I value is +an B containing DH parameters. Ownership of the I value is passed to the B or B object as a result of this call, and so the -caller should not free it if the function call is succesful. +caller should not free it if the function call is successful. The deprecated macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() do the same thing as SSL_CTX_set0_tmp_dh_pkey() and SSL_set0_tmp_dh_pkey() except that the diff --git a/doc/man3/SSL_CTX_use_serverinfo.pod b/doc/man3/SSL_CTX_use_serverinfo.pod index ebdb5c6f7..2153474ba 100644 --- a/doc/man3/SSL_CTX_use_serverinfo.pod +++ b/doc/man3/SSL_CTX_use_serverinfo.pod @@ -77,7 +77,7 @@ L =head1 COPYRIGHT -Copyright 2013-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_NAME_get_index_by_NID.pod b/doc/man3/X509_NAME_get_index_by_NID.pod index 805c5fc51..2746c8569 100644 --- a/doc/man3/X509_NAME_get_index_by_NID.pod +++ b/doc/man3/X509_NAME_get_index_by_NID.pod @@ -116,7 +116,7 @@ L, L =head1 COPYRIGHT -Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_STORE_CTX_new.pod b/doc/man3/X509_STORE_CTX_new.pod index 2319012a9..9c7abfee8 100644 
--- a/doc/man3/X509_STORE_CTX_new.pod +++ b/doc/man3/X509_STORE_CTX_new.pod @@ -177,7 +177,7 @@ administrator might only trust it for the former. An X.509 certificate extension exists that can record extended key usage information to supplement the purpose information described above. This extended mechanism is arbitrarily extensible and not well suited for a generic library API; applications that need to -validate extended key usage information in certifiates will need to define a +validate extended key usage information in certificates will need to define a custom "purpose" (see below) or supply a nondefault verification callback (L). diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod index 75a167702..20aea99b5 100644 --- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -222,7 +222,7 @@ X509_VERIFY_PARAM_set1_ip_asc() return 1 for success and 0 for failure. X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), and -X509_VERIFY_PARAM_get1_ip_asc(), return the string pointers pecified above +X509_VERIFY_PARAM_get1_ip_asc(), return the string pointers specified above or NULL if the respective value has not been set or on error. X509_VERIFY_PARAM_get_flags() returns the current verification flags. diff --git a/doc/man3/X509_add_cert.pod b/doc/man3/X509_add_cert.pod index 1512d8170..a4f3ea503 100644 --- a/doc/man3/X509_add_cert.pod +++ b/doc/man3/X509_add_cert.pod @@ -31,7 +31,7 @@ The value B, which equals 0, means no special semantics. If B is set then the reference counts of those certificates added successfully are increased. -If B is set then the certifcates are prepended to I. +If B is set then the certificates are prepended to I. By default they are appended to I. In both cases the original order of the added certificates is preserved. 
@@ -66,7 +66,7 @@ were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_digest.pod b/doc/man3/X509_digest.pod index f4921dbc1..7ef7f7ec6 100644 --- a/doc/man3/X509_digest.pod +++ b/doc/man3/X509_digest.pod @@ -44,9 +44,9 @@ X509_digest_sig() calculates a digest of the given certificate I using the same hash algorithm as in its signature, if the digest is an integral part of the certificate signature algorithm identifier. Otherwise, a fallback hash algorithm is determined as follows: -SHA512 if the signature alorithm is ED25519, +SHA512 if the signature algorithm is ED25519, SHAKE256 if it is ED448, otherwise SHA256. -The output parmeters are assigned as follows. +The output parameters are assigned as follows. Unless I is NULL, the hash algorithm used is provided in I<*md_used> and must be freed by the caller (if it is not NULL). Unless I is NULL, @@ -81,7 +81,7 @@ The X509_digest_sig() function was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod index 9fc355c7c..bc80caa51 100644 --- a/doc/man3/X509_dup.pod +++ b/doc/man3/X509_dup.pod 
@@ -350,7 +350,7 @@ to generate the function bodies. B_new>() allocates an empty object of the indicated type. The object returned must be released by calling B_free>(). -B_new_ex>() is similiar to B_new>() but also passes the +B_new_ex>() is similar to B_new>() but also passes the library context I and the property query I to use when retrieving algorithms from providers. This created object can then be used when loading binary data using B>(). @@ -383,7 +383,7 @@ deprecated in 3.0. =head1 COPYRIGHT -Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/d2i_PrivateKey.pod b/doc/man3/d2i_PrivateKey.pod index fe78d5bc6..1775aa9d5 100644 --- a/doc/man3/d2i_PrivateKey.pod +++ b/doc/man3/d2i_PrivateKey.pod @@ -125,7 +125,7 @@ d2i_AutoPrivateKey_ex() were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/i2d_re_X509_tbs.pod b/doc/man3/i2d_re_X509_tbs.pod index d9247794f..974b234bb 100644 --- a/doc/man3/i2d_re_X509_tbs.pod +++ b/doc/man3/i2d_re_X509_tbs.pod @@ -78,7 +78,7 @@ L =head1 COPYRIGHT -Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man5/config.pod b/doc/man5/config.pod index 77a8055e8..8d312c661 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod 
@@ -73,7 +73,7 @@ done with the following directive: The default behavior, where the B is B or B, is to treat the dollarsign as indicating a variable name; C is interpreted as C followed by the expansion of the variable C. If B is -B or B, then C is a single seven-character name nad +B or B, then C is a single seven-character name and variable expansions must be specified using braces or parentheses. .pragma [=] includedir:value @@ -415,7 +415,7 @@ For example: =head2 Random Configuration The name B in the initialization section names the section -containing the random number generater settings. +containing the random number generator settings. Within the random section, the following names have meaning: @@ -575,7 +575,7 @@ L. =head1 COPYRIGHT -Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod index cd0012a73..225546430 100644 --- a/doc/man5/fips_config.pod +++ b/doc/man5/fips_config.pod @@ -113,7 +113,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_CIPHER-NULL.pod b/doc/man7/EVP_CIPHER-NULL.pod new file mode 100644 index 000000000..44e07dcf1 --- /dev/null +++ b/doc/man7/EVP_CIPHER-NULL.pod 
@@ -0,0 +1,72 @@ +=pod + +=head1 NAME + +EVP_CIPHER-NULL - The NULL EVP_CIPHER implementation + +=head1 DESCRIPTION + +Support for a NULL symmetric encryption using the B API. +This is used when the TLS cipher suite is TLS_NULL_WITH_NULL_NULL. +This does no encryption (just copies the data) and has a mac size of zero. + +=head2 Algorithm Name + +The following algorithm is available in the default provider: + +=over 4 + +=item "NULL" + +=back + +=head2 Parameters + +This implementation supports the following parameters: + +=head3 Gettable EVP_CIPHER parameters + +See L + +=head3 Gettable EVP_CIPHER_CTX parameters + +=over 4 + +=item "keylen" (B) + +=item "ivlen" (B and ) + +=item "tls-mac" (B) + +=back + +See L for further information. + +=head3 Settable EVP_CIPHER_CTX parameters + +=over 4 + +=item "tls-mac-size" (B) + +=back + +See L for further information. + +=head1 CONFORMING TO + +RFC 5246 section-6.2.3.1 + +=head1 SEE ALSO + +L, L + +=head1 COPYRIGHT + +Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man7/EVP_KDF-HKDF.pod b/doc/man7/EVP_KDF-HKDF.pod index 5fc0a7324..833c6bfa8 100644 --- a/doc/man7/EVP_KDF-HKDF.pod +++ b/doc/man7/EVP_KDF-HKDF.pod @@ -146,7 +146,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_KDF-KB.pod b/doc/man7/EVP_KDF-KB.pod index 6e25882d6..1b9342f69 100644 --- a/doc/man7/EVP_KDF-KB.pod +++ b/doc/man7/EVP_KDF-KB.pod 
@@ -29,7 +29,7 @@ used if unspecified. =item "mac" (B) -The value is either CMAC or HMAC. +The value is either CMAC, HMAC, KMAC128 or KMAC256. =item "digest" (B) @@ -58,10 +58,17 @@ Set to B<0> to disable use of the optional Fixed Input data 'zero separator' (see SP800-108) that is placed between the Label and Context. The default value of B<1> will be used if unspecified. +=item "r" (B) + +Set the fixed value 'r', indicating the length of the counter in bits. + +Supported values are B<8>, B<16>, B<24>, and B<32>. +The default value of B<32> will be used if unspecified. + =back Depending on whether mac is CMAC or HMAC, either digest or cipher is required -(respectively) and the other is unused. +(respectively) and the other is unused. They are unused for KMAC128 and KMAC256. The parameters key, salt, info, and seed correspond to KI, Label, Context, and IV (respectively) in SP800-108. As in that document, salt, info, and seed are @@ -159,9 +166,11 @@ L This functionality was added in OpenSSL 3.0. +Support for KMAC was added in OpenSSL 3.1. + =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Copyright 2019 Red Hat, Inc. Licensed under the Apache License 2.0 (the "License"). You may not use diff --git a/doc/man7/EVP_KDF-KRB5KDF.pod b/doc/man7/EVP_KDF-KRB5KDF.pod index 014f55e79..00b8f45e3 100644 --- a/doc/man7/EVP_KDF-KRB5KDF.pod +++ b/doc/man7/EVP_KDF-KRB5KDF.pod @@ -104,7 +104,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_KDF-PBKDF1.pod b/doc/man7/EVP_KDF-PBKDF1.pod index c73ad6a9e..347acc164 100644 --- a/doc/man7/EVP_KDF-PBKDF1.pod 
+++ b/doc/man7/EVP_KDF-PBKDF1.pod @@ -72,7 +72,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_KDF-PKCS12KDF.pod b/doc/man7/EVP_KDF-PKCS12KDF.pod index 7edde1dc9..8b256af39 100644 --- a/doc/man7/EVP_KDF-PKCS12KDF.pod +++ b/doc/man7/EVP_KDF-PKCS12KDF.pod @@ -76,7 +76,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_KDF-SCRYPT.pod b/doc/man7/EVP_KDF-SCRYPT.pod index 2bda54c52..ed4ea5387 100644 --- a/doc/man7/EVP_KDF-SCRYPT.pod +++ b/doc/man7/EVP_KDF-SCRYPT.pod @@ -140,7 +140,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_KDF-TLS13_KDF.pod b/doc/man7/EVP_KDF-TLS13_KDF.pod index d588b121f..c589c8380 100644 --- a/doc/man7/EVP_KDF-TLS13_KDF.pod +++ b/doc/man7/EVP_KDF-TLS13_KDF.pod 
@@ -122,7 +122,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_KDF-TLS1_PRF.pod b/doc/man7/EVP_KDF-TLS1_PRF.pod index 8a60e9731..ecc95a56e 100644 --- a/doc/man7/EVP_KDF-TLS1_PRF.pod +++ b/doc/man7/EVP_KDF-TLS1_PRF.pod @@ -104,7 +104,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_KDF-X942-CONCAT.pod b/doc/man7/EVP_KDF-X942-CONCAT.pod index 6b8ebff37..5b3146ee9 100644 --- a/doc/man7/EVP_KDF-X942-CONCAT.pod +++ b/doc/man7/EVP_KDF-X942-CONCAT.pod @@ -25,7 +25,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_KDF-X963.pod b/doc/man7/EVP_KDF-X963.pod index 3d6f4372c..882e03d98 100644 --- a/doc/man7/EVP_KDF-X963.pod +++ b/doc/man7/EVP_KDF-X963.pod @@ -98,7 +98,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man7/EVP_KEM-RSA.pod b/doc/man7/EVP_KEM-RSA.pod index 3a89f5db3..e3ff836d8 100644 --- a/doc/man7/EVP_KEM-RSA.pod +++ b/doc/man7/EVP_KEM-RSA.pod @@ -60,7 +60,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_MAC-CMAC.pod b/doc/man7/EVP_MAC-CMAC.pod index cf80586f0..43eb315c4 100644 --- a/doc/man7/EVP_MAC-CMAC.pod +++ b/doc/man7/EVP_MAC-CMAC.pod @@ -38,7 +38,8 @@ Setting this parameter is identical to passing a I to L. =item "cipher" (B) -Sets the name of the underlying cipher to be used. +Sets the name of the underlying cipher to be used. The mode of the cipher +must be CBC. =item "properties" (B) @@ -76,7 +77,7 @@ L, L =head1 COPYRIGHT -Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_MAC-KMAC.pod b/doc/man7/EVP_MAC-KMAC.pod index 1065c166d..0214c1e25 100644 --- a/doc/man7/EVP_MAC-KMAC.pod +++ b/doc/man7/EVP_MAC-KMAC.pod @@ -142,7 +142,7 @@ L, L =head1 COPYRIGHT -Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_MD-NULL.pod b/doc/man7/EVP_MD-NULL.pod new file mode 100644 index 000000000..bce399a1e --- /dev/null +++ b/doc/man7/EVP_MD-NULL.pod 
@@ -0,0 +1,42 @@ +=pod + +=head1 NAME + +EVP_MD-NULL - The NULL EVP_MD implementation + +=head1 DESCRIPTION + +Support for a NULL digest through the B API. +This algorithm does nothing and returns 1 for its init, +update and final methods. + +=head2 Algorithm Name + +The following algorithm is available in the default provider: + +=over 4 + +=item "NULL" + +=back + +=head2 Gettable Parameters + +This implementation supports the common gettable parameters described +in L. + +=head1 SEE ALSO + +L, L, +L + +=head1 COPYRIGHT + +Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man7/EVP_PKEY-EC.pod b/doc/man7/EVP_PKEY-EC.pod index 668a02401..3b14e2567 100644 --- a/doc/man7/EVP_PKEY-EC.pod +++ b/doc/man7/EVP_PKEY-EC.pod @@ -15,7 +15,7 @@ The B keytype is implemented in OpenSSL's default provider. The normal way of specifying domain parameters for an EC curve is via the curve name "group". For curves with no curve name, explicit parameters can be used that specify "field-type", "p", "a", "b", "generator" and "order". -Explicit parameters are supported for backwards compability reasons, but they +Explicit parameters are supported for backwards compatibility reasons, but they are not compliant with multiple standards (including RFC5915) which only allow named curves. @@ -70,7 +70,7 @@ I multiplied by the I gives the number of points on the curve. =item "decoded-from-explicit" (B) -Gets a flag indicating wether the key or parameters were decoded from explicit +Gets a flag indicating whether the key or parameters were decoded from explicit curve parameters. Set to 1 if so or 0 if a named curve was used. =item "use-cofactor-flag" (B) 
@@ -99,7 +99,7 @@ point_conversion_forms please see L. Valid values are Sets or Gets the type of group check done when EVP_PKEY_param_check() is called. Valid values are "default", "named" and "named-nist". The "named" type checks that the domain parameters match the inbuilt curve parameters, -"named-nist" is similiar but also checks that the named curve is a nist curve. +"named-nist" is similar but also checks that the named curve is a nist curve. The "default" type does domain parameter validation for the OpenSSL default provider, but is equivalent to "named-nist" for the OpenSSL FIPS provider. @@ -142,7 +142,7 @@ Used for getting the EC public key X component. Used for getting the EC public key Y component. -=item (B) +=item "default-digest" (B) Getter that returns the default digest name. (Currently returns "SHA256" as of OpenSSL 3.0). @@ -272,7 +272,7 @@ L =head1 COPYRIGHT -Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_RAND-TEST-RAND.pod b/doc/man7/EVP_RAND-TEST-RAND.pod index a5527cee3..6ef3ee67c 100644 --- a/doc/man7/EVP_RAND-TEST-RAND.pod +++ b/doc/man7/EVP_RAND-TEST-RAND.pod @@ -106,7 +106,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_SIGNATURE-RSA.pod b/doc/man7/EVP_SIGNATURE-RSA.pod index 1ce32cc44..13d053e26 100644 --- a/doc/man7/EVP_SIGNATURE-RSA.pod +++ b/doc/man7/EVP_SIGNATURE-RSA.pod 
@@ -68,6 +68,11 @@ Use the maximum salt length. Auto detect the salt length. +=item "auto-digestmax" (B) + +Auto detect the salt length when verifying. Maximize the salt length up to the +digest size when signing to comply with FIPS 186-4 section 5.5. + =back =back diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod index 58008ae59..4f908888b 100644 --- a/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/doc/man7/OSSL_PROVIDER-FIPS.pod @@ -7,7 +7,7 @@ OSSL_PROVIDER-FIPS - OpenSSL FIPS provider =head1 DESCRIPTION The OpenSSL FIPS provider is a special provider that conforms to the Federal -Information Processing Standards (FIPS) specified in FIPS 140-2. This 'module' +Information Processing Standards (FIPS) specified in FIPS 140-3. This 'module' contains an approved set of cryptographic algorithms that is validated by an accredited testing laboratory. 
@@ -29,14 +29,32 @@ L or L, as well as with other functions that take a property query string, such as L. -It isn't mandatory to query for any of these properties, except to -make sure to get implementations of this provider and none other. +To be FIPS compliant, it is mandatory to include C as +part of all property queries. This ensures that only FIPS approved +implementations are used for cryptographic operations. The C +query may also include other non-crypto support operations that +are not in the FIPS provider, such as asymmetric key encoders, see +L. -The "fips=yes" property can be use to make sure only FIPS approved -implementations are used for crypto operations. This may also include -other non-crypto support operations that are not in the FIPS provider, -such as asymmetric key encoders, -see L. +It is not mandatory to include C as part of your property +query. Including C in your property query guarantees +that the OpenSSL FIPS provider is used for cryptographic operations +rather than other FIPS capable providers. + +=head2 Provider parameters + +See L for a list of base parameters. +Additionally the OpenSSL FIPS provider also supports the following gettable +parameters: + +=over 4 + +=item "security-checks" (B) + +For further information refer to the L option +B<-no_security_checks>. + +=back =head1 OPERATIONS AND ALGORITHMS @@ -172,6 +190,22 @@ The OpenSSL FIPS provider supports these operations and algorithms: =back +=head2 Random Number Generation + +=over 4 + +=item CTR-DRBG, see L + +=item HASH-DRBG, see L + +=item HMAC-DRBG, see L + +=item TEST-RAND, see L + +TEST-RAND is an unapproved algorithm. + +=back + =head1 SELF TESTING One of the requirements for the FIPS module is self testing. An optional callback 
@@ -392,6 +426,22 @@ A simple self test callback is shown below for illustrative purposes. return ret; } +=head1 NOTES + +The FIPS provider in OpenSSL 3.1 includes some non-FIPS validated algorithms, +consequently the property query C is mandatory for applications that +want to operate in a FIPS approved manner. The algorithms are: + +=over 4 + +=item Triple DES ECB + +=item Triple DES CBC + +=item EdDSA + +=back + =head1 SEE ALSO L, @@ -407,9 +457,13 @@ L This functionality was added in OpenSSL 3.0. +OpenSSL 3.0 includes a FIPS 140-2 approved FIPS provider. + +OpenSSL 3.1 includes a FIPS 140-3 approved FIPS provider. + =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/OSSL_PROVIDER-base.pod b/doc/man7/OSSL_PROVIDER-base.pod index c51adbde1..6f9d4a4d0 100644 --- a/doc/man7/OSSL_PROVIDER-base.pod +++ b/doc/man7/OSSL_PROVIDER-base.pod @@ -90,7 +90,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/OSSL_PROVIDER-default.pod b/doc/man7/OSSL_PROVIDER-default.pod index 43ba0ef02..e39d76abd 100644 --- a/doc/man7/OSSL_PROVIDER-default.pod +++ b/doc/man7/OSSL_PROVIDER-default.pod @@ -71,6 +71,8 @@ The OpenSSL default provider supports these operations and algorithms: =item RIPEMD160, see L +=item NULL, see L + =back =head2 Symmetric Ciphers 
@@ -93,6 +95,8 @@ The OpenSSL default provider supports these operations and algorithms: =item ChaCha20-Poly1305, see L +=item NULL, see L + =back =head2 Message Authentication Code (MAC) @@ -216,6 +220,22 @@ The OpenSSL default provider supports these operations and algorithms: =back +=head2 Random Number Generation + +=over 4 + +=item CTR-DRBG, see L + +=item HASH-DRBG, see L + +=item HMAC-DRBG, see L + +=item SEED-SRC, see L + +=item TEST-RAND, see L + +=back + =head2 Asymmetric Key Encoder The default provider also includes all of the encoding algorithms @@ -251,7 +271,7 @@ All other functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/OSSL_PROVIDER-legacy.pod b/doc/man7/OSSL_PROVIDER-legacy.pod index f10827de7..87bff9720 100644 --- a/doc/man7/OSSL_PROVIDER-legacy.pod +++ b/doc/man7/OSSL_PROVIDER-legacy.pod @@ -121,7 +121,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/OSSL_PROVIDER-null.pod b/doc/man7/OSSL_PROVIDER-null.pod index 618ca1df1..e3dcc1a67 100644 --- a/doc/man7/OSSL_PROVIDER-null.pod +++ b/doc/man7/OSSL_PROVIDER-null.pod 
@@ -29,7 +29,7 @@ This functionality was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/crypto.pod b/doc/man7/crypto.pod index 59c60e4b5..c31e10ac2 100644 --- a/doc/man7/crypto.pod +++ b/doc/man7/crypto.pod @@ -116,7 +116,8 @@ algorithm implementations in the default provider. Property query strings can be specified explicitly as an argument to a function. It is also possible to specify a default property query string for the whole -library context using the L function. Where both +library context using the L or +L functions. Where both default properties and function specific properties are specified then they are combined. Function specific properties will override default properties where there is a conflict. @@ -164,7 +165,7 @@ functions that use them. For example the L function takes as a parameter an B object which may have been returned from an earlier call to L. -=head2 Implicit fetch +=head2 Implicit fetching OpenSSL has a number of functions that return an algorithm object with no associated implementation, such as L, L, 
@@ -206,10 +207,73 @@ If anything in this step fails, the next step is used as a fallback. As a fallback, try to fetch the operation type implementation from the same provider as the original L's L, still using the -propery string from the B. +property string from the B. =back +=head2 Performance + +If you perform the same operation many times then it is recommended to use +L to prefetch an algorithm once initially, +and then pass this created object to any operations that are currently +using L. +See an example of Explicit fetching in L. + +Prior to OpenSSL 3.0, constant method tables (such as EVP_sha256()) were used +directly to access methods. If you pass one of these convenience functions +to an operation the fixed methods are ignored, and only the name is used to +internally fetch methods from a provider. + +If the prefetched object is not passed to operations, then any implicit +fetch will use the internally cached prefetched object, but it will +still be slower than passing the prefetched object directly. + +Fetching via a provider offers more flexibility, but it is slower than the +old method, since it must search for the algorithm in all loaded providers, +and then populate the method table using provider supplied methods. +Internally OpenSSL caches similar algorithms on the first fetch +(so loading a digest caches all digests). + +The following methods can be used for prefetching: + +=over 4 + +=item L + +=item L + +=item L + +=item L + +=item L + +=item L + +=item L + +=item L + +=back + +The following methods are used internally when performing operations: + +=over 4 + +=item L + +=item L + +=item L + +=item L + +=back + +See L, and +for a list of algorithm names that +can be fetched. + =head1 FETCHING EXAMPLES The following section provides a series of examples of fetching algorithm 
@@ -404,6 +468,8 @@ encryption/decryption, signatures, message authentication codes, etc. * we're not supplying any particular search criteria for our SHA256 * implementation (second NULL parameter). Any SHA256 implementation will * do. + * In a larger application this fetch would just be done once, and could + * be used for multiple calls to other operations such as EVP_DigestInit_ex(). */ sha256 = EVP_MD_fetch(NULL, "SHA256", NULL); if (sha256 == NULL) @@ -504,7 +570,7 @@ L, L =head1 COPYRIGHT -Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/fips_module.pod b/doc/man7/fips_module.pod index b1d67ca61..a75c461c6 100644 --- a/doc/man7/fips_module.pod +++ b/doc/man7/fips_module.pod @@ -80,6 +80,7 @@ Edit the config file to add the following lines near the beginning: [openssl_init] providers = provider_sect + alg_section = algorithm_sect [provider_sect] fips = fips_sect @@ -88,11 +89,14 @@ Edit the config file to add the following lines near the beginning: [base_sect] activate = 1 + [algorithm_sect] + default_properties = fips=yes + Obviously the include file location above should match the path and name of the FIPS module config file that you installed earlier. See L. -For FIPS usage, it is recommened that the B option is +For FIPS usage, it is recommended that the B option is enabled to prevent accidental use of non-FIPS validated algorithms via broken or mistaken configuration. See L. 
@@ -330,6 +334,14 @@ base providers. The other library context will just use the default provider. if (!OSSL_LIB_CTX_load_config(fips_libctx, "openssl-fips.cnf")) goto err; + /* + * Set the default property query on the FIPS library context to + * ensure that only FIPS algorithms can be used. There are a few non-FIPS + * approved algorithms in the FIPS provider for backward compatibility reasons. + */ + if (!EVP_set_default_properties(fips_libctx, "fips=yes")) + goto err; + /* * We don't need to do anything special to load the default * provider into nonfips_libctx. This happens automatically if no @@ -419,7 +431,7 @@ contexts. * We assume that a nondefault library context with the FIPS * provider loaded has been created called fips_libctx. */ - SSL_CTX *fips_ssl_ctx = SSL_CTX_new_ex(fips_libctx, NULL, TLS_method()); + SSL_CTX *fips_ssl_ctx = SSL_CTX_new_ex(fips_libctx, "fips=yes", TLS_method()); /* * We assume that a nondefault library context with the default * provider loaded has been created called non_fips_libctx. @@ -456,6 +468,22 @@ use L. To extract the name from the B, use L. +=head1 NOTES + +The FIPS provider in OpenSSL 3.1 includes some non-FIPS validated algorithms, +consequently the property query C is mandatory for applications that +want to operate in a FIPS approved manner. The algorithms are: + +=over 4 + +=item Triple DES ECB + +=item Triple DES CBC + +=item EdDSA + +=back + =head1 SEE ALSO L, L, L @@ -465,9 +493,13 @@ L, L, L The FIPS module guide was created for use with the new FIPS provider in OpenSSL 3.0. +OpenSSL 3.0 includes a FIPS 140-2 approved FIPS provider. + +OpenSSL 3.1 includes a FIPS 140-3 approved FIPS provider. + =head1 COPYRIGHT -Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man7/life_cycle-pkey.pod b/doc/man7/life_cycle-pkey.pod index 6768750f4..8d3e03534 100644 --- a/doc/man7/life_cycle-pkey.pod +++ b/doc/man7/life_cycle-pkey.pod @@ -22,7 +22,7 @@ This state represents the PKEY after it has been allocated. =item decapsulate This state represents the PKEY when it is ready to perform a private key decapsulation -opeartion. +operation. =item decrypt @@ -40,7 +40,7 @@ operation. =item encapsulate This state represents the PKEY when it is ready to perform a public key encapsulation -opeartion. +operation. =item encrypt @@ -703,7 +703,7 @@ The provider PKEY interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod index a234147f4..d54bccfdc 100644 --- a/doc/man7/migration_guide.pod +++ b/doc/man7/migration_guide.pod 
@@ -11,11 +11,31 @@ See the individual manual pages for details. =head1 DESCRIPTION This guide details the changes required to migrate to new versions of OpenSSL. -Currently this covers OpenSSL 3.0. For earlier versions refer to +Currently this covers OpenSSL 3.0 & 3.1. For earlier versions refer to L. For an overview of some of the key concepts introduced in OpenSSL 3.0 see L. +=head1 OPENSSL 3.1 + +=head2 Main Changes from OpenSSL 3.0 + +The FIPS provider in OpenSSL 3.1 includes some non-FIPS validated algorithms, +consequently the property query C is mandatory for applications that +want to operate in a FIPS approved manner. The algorithms are: + +=over 4 + +=item Triple DES ECB + +=item Triple DES CBC + +=item EdDSA + +=back + +There are no other changes requiring additional migration measures since OpenSSL 3.0. + =head1 OPENSSL 3.0 =head2 Main Changes from OpenSSL 1.1.1 @@ -130,7 +150,7 @@ New algorithms provided via engines will still work. Engine-backed keys can be loaded via custom B implementation. In this case the B objects created via L -will be concidered legacy and will continue to work. +will be considered legacy and will continue to work. To ensure the future compatibility, the engines should be turned to providers. To prefer the provider-based hardware offload, you can specify the default @@ -189,6 +209,15 @@ All new applications should use the new L interface. See also L and L. +=head4 Algorithm Fetching + +Using calls to convenience functions such as EVP_sha256() and EVP_aes_256_gcm() may +incur a performance penalty when using providers. +Retrieving algorithms from providers involves searching for an algorithm by name. +This is much slower than directly accessing a method table. +It is recommended to prefetch algorithms if an algorithm is used many times. +See L, L and L. + =head4 Support for Linux Kernel TLS In order to use KTLS, support for it must be compiled in using the 
@@ -329,7 +358,7 @@ This code is now always set to zero. Related functions are deprecated. =head4 STACK and HASH macros have been cleaned up The type-safe wrappers are declared everywhere and implemented once. -See L and L. +See L and L. =head4 The RAND_DRBG subsystem has been removed @@ -632,7 +661,7 @@ set up with the default library context. Use L, L, L and L if a library context is required. -All functions listed below with a I have a replacment function I +All functions listed below with a I have a replacement function I that takes B as an additional argument. Functions that have other mappings are listed along with the respective name. @@ -990,7 +1019,7 @@ that refer to these categories. Any accessor that uses an ENGINE is deprecated (such as EVP_PKEY_set1_engine()). Applications using engines should instead use providers. -Before providers were added algorithms were overriden by changing the methods +Before providers were added algorithms were overridden by changing the methods used by algorithms. All these methods such as RSA_new_method() and RSA_meth_new() are now deprecated and can be replaced by using providers instead. @@ -1539,7 +1568,7 @@ See L EC_KEY_set_flags(), EC_KEY_get_flags(), EC_KEY_clear_flags() -See L which handles flags as seperate +See L which handles flags as separate parameters for B, B, B, B and diff --git a/doc/man7/openssl-core.h.pod b/doc/man7/openssl-core.h.pod index 568bf397b..ef5c65395 100644 --- a/doc/man7/openssl-core.h.pod +++ b/doc/man7/openssl-core.h.pod @@ -44,7 +44,7 @@ The types described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/openssl-env.pod b/doc/man7/openssl-env.pod index a2443d54d..922d3c147 100644 
--- a/doc/man7/openssl-env.pod +++ b/doc/man7/openssl-env.pod @@ -74,7 +74,7 @@ See L. Additional arguments for the L command. -=item B, B, B, B, B +=item B, B, B, B, B, B OpenSSL supports a number of different algorithm implementations for various machines and, by default, it determines which to use based on the @@ -91,7 +91,7 @@ See L. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/openssl-glossary.pod b/doc/man7/openssl-glossary.pod index b112b375a..994246fb8 100644 --- a/doc/man7/openssl-glossary.pod +++ b/doc/man7/openssl-glossary.pod @@ -12,7 +12,7 @@ openssl-glossary - An OpenSSL Glossary =item Algorithm -Cryptograpic primitives such as the SHA256 digest, or AES encryption are +Cryptographic primitives such as the SHA256 digest, or AES encryption are referred to in OpenSSL as "algorithms". There can be more than one implementation for any given algorithm available for use. @@ -45,7 +45,7 @@ L =item Default Provider -An OpenSSL Provider that contains the most commmon OpenSSL algorithm +An OpenSSL Provider that contains the most common OpenSSL algorithm implementations. It is loaded by default if no other provider is available. All the algorithm implementations in the Base Provider are also available in the Default Provider. @@ -81,7 +81,7 @@ Fetching is the process of looking through the available algorithm implementations, applying selection criteria (via a property query string), and finally choosing the implementation that will be used. -Also see Explicit Fetching and Implict Fetching. +Also see Explicit Fetching and Implicit Fetching. L 
@@ -221,7 +221,7 @@ This glossary was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/openssl-threads.pod b/doc/man7/openssl-threads.pod index 56cc638e1..50de6f876 100644 --- a/doc/man7/openssl-threads.pod +++ b/doc/man7/openssl-threads.pod @@ -73,8 +73,8 @@ For implicit global state or singletons, thread-safety depends on the facility. The L and related API's have their own lock, while L assumes the underlying platform allocation will do any necessary locking. -Some API's, such as L and related, or L -do no locking at all; this can be considered a bug. +Some API's, such as L and related do no locking at all; +this can be considered a bug. A separate, although related, issue is modifying "factory" objects when other objects have been created from that. @@ -95,7 +95,7 @@ This page is admittedly very incomplete. =head1 COPYRIGHT -Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod index ac3f62719..72a8520d1 100644 --- a/doc/man7/provider-asym_cipher.pod +++ b/doc/man7/provider-asym_cipher.pod @@ -259,7 +259,7 @@ The provider ASYM_CIPHER interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod index c587e0e52..383c1d868 100644 --- a/doc/man7/provider-base.pod +++ b/doc/man7/provider-base.pod @@ -265,7 +265,6 @@ It will treat as success the case where the OID already exists (even if the short name I or long name I provided as arguments differ from those associated with the existing OID, in which case the new names are not associated). -This function is not thread safe. The core_obj_add_sigid() function registers a new composite signature algorithm (I) consisting of an underlying signature algorithm (I) @@ -280,7 +279,6 @@ signature algorithm already exists (even if registered against a different underlying signature or digest algorithm). For I, NULL or an empty string is permissible for signature algorithms that do not need a digest to operate correctly. The function returns 1 on success or 0 on failure. -This function is not thread safe. CRYPTO_malloc(), CRYPTO_zalloc(), CRYPTO_free(), CRYPTO_clear_free(), CRYPTO_realloc(), CRYPTO_clear_realloc(), CRYPTO_secure_malloc(), @@ -609,6 +607,11 @@ or maximum. A -1 indicates that the group should not be used in that protocol. =back +=head1 NOTES + +The core_obj_create() and core_obj_add_sigid() functions were not thread safe +in OpenSSL 3.0. + =head1 EXAMPLES This is an example of a simple provider made available as a @@ -779,7 +782,7 @@ This relies on a few things existing in F: #define OSSL_FUNC_BAR_FREECTX 2 typedef void (OSSL_FUNC_bar_freectx_fn)(void *ctx); - static ossl_inline OSSL_FUNC_bar_newctx(const OSSL_DISPATCH *opf) + static ossl_inline OSSL_FUNC_bar_freectx(const OSSL_DISPATCH *opf) { return (OSSL_FUNC_bar_freectx_fn *)opf->function; } #define OSSL_FUNC_BAR_INIT 3 
@@ -809,7 +812,7 @@ introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-cipher.pod b/doc/man7/provider-cipher.pod index 1faf69810..14ff581c7 100644 --- a/doc/man7/provider-cipher.pod +++ b/doc/man7/provider-cipher.pod @@ -228,7 +228,7 @@ L, L, L, L, L, L, L, L, L, L, L, L, -L, +L, L, L, L =head1 HISTORY @@ -237,7 +237,7 @@ The provider CIPHER interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-decoder.pod b/doc/man7/provider-decoder.pod index f279955a6..66a0ae1ab 100644 --- a/doc/man7/provider-decoder.pod +++ b/doc/man7/provider-decoder.pod @@ -302,7 +302,7 @@ The DECODER interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-digest.pod b/doc/man7/provider-digest.pod index c96dfe396..cac53ac29 100644 --- a/doc/man7/provider-digest.pod +++ b/doc/man7/provider-digest.pod @@ -268,6 +268,7 @@ L, L, L, L, L, L, L, L, L, L, L, +L, L, L =head1 HISTORY 
@@ -276,7 +277,7 @@ The provider DIGEST interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-encoder.pod b/doc/man7/provider-encoder.pod index f3e9ce5b1..710e3710f 100644 --- a/doc/man7/provider-encoder.pod +++ b/doc/man7/provider-encoder.pod @@ -321,7 +321,7 @@ The ENCODER interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-kdf.pod b/doc/man7/provider-kdf.pod index ad80869eb..4221f9a0f 100644 --- a/doc/man7/provider-kdf.pod +++ b/doc/man7/provider-kdf.pod @@ -198,7 +198,7 @@ Sets the mode in the associated KDF ctx. =item "pkcs5" (B) -Enables or diables the SP800-132 compliance checks. +Enables or disables the SP800-132 compliance checks. A mode of 0 enables the compliance checks. The checks performed are: diff --git a/doc/man7/provider-kem.pod b/doc/man7/provider-kem.pod index 8436a7f25..049d09de1 100644 --- a/doc/man7/provider-kem.pod +++ b/doc/man7/provider-kem.pod @@ -202,7 +202,7 @@ The provider KEM interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man7/provider-keymgmt.pod b/doc/man7/provider-keymgmt.pod index be3a65e31..c6399b837 100644 --- a/doc/man7/provider-keymgmt.pod +++ b/doc/man7/provider-keymgmt.pod @@ -374,6 +374,36 @@ dimensions handled in the rest of the same provider. The value should be the number of security bits of the given key. Bits of security is defined in SP800-57. +=item "mandatory-digest" (B) + +If there is a mandatory digest for performing a signature operation with +keys from this keymgmt, this parameter should get its name as value. + +When EVP_PKEY_get_default_digest_name() queries this parameter and it's +filled in by the implementation, its return value will be 2. + +If the keymgmt implementation fills in the value C<""> or C<"UNDEF">, +L will place the string C<"UNDEF"> into +its argument I. This signifies that no digest should be specified +with the corresponding signature operation. + +=item "default-digest" (B) + +If there is a default digest for performing a signature operation with +keys from this keymgmt, this parameter should get its name as value. + +When L queries this parameter and it's +filled in by the implementation, its return value will be 1. Note that if +B is responded to as well, +L ignores the response to this +parameter. + +If the keymgmt implementation fills in the value C<""> or C<"UNDEF">, +L will place the string C<"UNDEF"> into +its argument I. This signifies that no digest has to be specified +with the corresponding signature operation, but may be specified as an +option. + =back =head1 RETURN VALUES @@ -412,7 +442,7 @@ The KEYMGMT interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man7/provider-object.pod b/doc/man7/provider-object.pod index 1088e0355..497942572 100644 --- a/doc/man7/provider-object.pod +++ b/doc/man7/provider-object.pod @@ -164,7 +164,7 @@ A human readable text that describes extra details on the object. =back -When a provider-native object abtraction is used, it I contain object +When a provider-native object abstraction is used, it I contain object data in at least one form (object data I, i.e. the "data" item, or object data I, i.e. the "reference" item). Both may be present at once, in which case the OpenSSL library code that @@ -184,7 +184,7 @@ introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-rand.pod b/doc/man7/provider-rand.pod index e115d845d..45ac0439c 100644 --- a/doc/man7/provider-rand.pod +++ b/doc/man7/provider-rand.pod @@ -292,7 +292,7 @@ The provider RAND interface was introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/provider-signature.pod b/doc/man7/provider-signature.pod index fa38be1b1..adbff9a54 100644 --- a/doc/man7/provider-signature.pod +++ b/doc/man7/provider-signature.pod 
@@ -50,7 +50,7 @@ provider-signature - The signature library E-E provider functions int OSSL_FUNC_signature_digest_sign_final(void *ctx, unsigned char *sig, size_t *siglen, size_t sigsize); int OSSL_FUNC_signature_digest_sign(void *ctx, - unsigned char *sigret, size_t *siglen, + unsigned char *sig, size_t *siglen, size_t sigsize, const unsigned char *tbs, size_t tbslen); diff --git a/engines/e_dasync.c b/engines/e_dasync.c index 7974106ae..6baf698f3 100644 --- a/engines/e_dasync.c +++ b/engines/e_dasync.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/engines/e_devcrypto.c b/engines/e_devcrypto.c index b42317522..27048b3ac 100644 --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c @@ -10,7 +10,7 @@ /* We need to use some deprecated APIs */ #define OPENSSL_SUPPRESS_DEPRECATED -#include "../e_os.h" +#include "internal/e_os.h" #include #include #include @@ -25,6 +25,7 @@ #include #include #include "crypto/cryptodev.h" +#include "internal/nelem.h" /* #define ENGINE_DEVCRYPTO_DEBUG */ diff --git a/engines/e_loader_attic.c b/engines/e_loader_attic.c index eba7ab14b..87056c4de 100644 --- a/engines/e_loader_attic.c +++ b/engines/e_loader_attic.c @@ -226,7 +226,7 @@ static OSSL_STORE_INFO *new_EMBEDDED(const char *new_pem_name, /*- * The try_decode function is called to check if the blob of data can * be used by this handler, and if it can, decodes it into a supported - * OpenSSL type and returns a OSSL_STORE_INFO with the decoded data. + * OpenSSL type and returns an OSSL_STORE_INFO with the decoded data. * Input: * pem_name: If this blob comes from a PEM file, this holds * the PEM name. If it comes from another type of 
@@ -254,7 +254,7 @@ static OSSL_STORE_INFO *new_EMBEDDED(const char *new_pem_name,
 * libctx: The library context to be used if applicable
 * propq: The property query string for any algorithm fetches
 * Output:
- * a OSSL_STORE_INFO
+ * an OSSL_STORE_INFO
 */
 typedef OSSL_STORE_INFO *(*file_try_decode_fn)(const char *pem_name,
 const char *pem_header,
diff --git a/fuzz/build.info b/fuzz/build.info
index 7b26b8c15..7ba41a7a6 100644
--- a/fuzz/build.info
+++ b/fuzz/build.info
@@ -10,6 +10,7 @@ IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}]
 PROGRAMS{noinst}=asn1 asn1parse bignum bndiv client conf crl server x509
+ PROGRAMS{noinst}=punycode
 IF[{- !$disabled{"cmp"} -}]
 PROGRAMS{noinst}=cmp
@@ -63,6 +64,10 @@ IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}]
 INCLUDE[ct]=../include {- $ex_inc -}
 DEPEND[ct]=../libcrypto {- $ex_lib -}
+ SOURCE[punycode]=punycode.c driver.c
+ INCLUDE[punycode]=../include {- $ex_inc -}
+ DEPEND[punycode]=../libcrypto.a {- $ex_lib -}
+
 SOURCE[server]=server.c driver.c fuzz_rand.c
 INCLUDE[server]=../include {- $ex_inc -}
 DEPEND[server]=../libcrypto ../libssl {- $ex_lib -}
@@ -74,6 +79,7 @@ ENDIF
 IF[{- !$disabled{tests} -}]
 PROGRAMS{noinst}=asn1-test asn1parse-test bignum-test bndiv-test client-test conf-test crl-test server-test x509-test
+ PROGRAMS{noinst}=punycode-test
 IF[{- !$disabled{"cmp"} -}]
 PROGRAMS{noinst}=cmp-test
@@ -128,6 +134,10 @@ IF[{- !$disabled{tests} -}]
 INCLUDE[ct-test]=../include
 DEPEND[ct-test]=../libcrypto
+ SOURCE[punycode-test]=punycode.c test-corpus.c
+ INCLUDE[punycode-test]=../include
+ DEPEND[punycode-test]=../libcrypto.a
+
 SOURCE[server-test]=server.c test-corpus.c fuzz_rand.c
 INCLUDE[server-test]=../include
 DEPEND[server-test]=../libcrypto ../libssl
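Review bot: `DEPEND[punycode]=../libcrypto.a` in the `@@ -63,6 +64,10 @@` hunk links the static library while every neighbouring fuzzer in the same hunk depends on `../libcrypto`, and nothing says why. The difference looks deliberate (presumably the punycode helpers are internal symbols that the shared library does not export), so a one-line comment above the DEPEND line, e.g. `# static libcrypto: the punycode helpers are not exported from the shared library`, would stop a later tidy-up from normalising it back and breaking the link. The same applies to `DEPEND[punycode-test]=../libcrypto.a` in the `@@ -128,6 +134,10 @@` hunk.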
diff --git a/fuzz/corpora/punycode/0000000000000000000000000000000000000000 b/fuzz/corpora/punycode/0000000000000000000000000000000000000000
new file mode 100644
index 000000000..36f766173
Binary files /dev/null and b/fuzz/corpora/punycode/0000000000000000000000000000000000000000 differ
diff --git a/fuzz/corpora/punycode/0000000000000000000000000000000000000001 b/fuzz/corpora/punycode/0000000000000000000000000000000000000001
new file mode 100644
index 000000000..33abaeb3a
Binary files /dev/null and b/fuzz/corpora/punycode/0000000000000000000000000000000000000001 differ
diff --git a/fuzz/corpora/x509/21c8004279f4b57fd8f904382cf138effd089b25 b/fuzz/corpora/x509/21c8004279f4b57fd8f904382cf138effd089b25
new file mode 100644
index 000000000..4eaf125cd
Binary files /dev/null and b/fuzz/corpora/x509/21c8004279f4b57fd8f904382cf138effd089b25 differ
diff --git a/fuzz/corpora/x509/2bd8a58cc944497f08ea233d69443d6696c9fb3f b/fuzz/corpora/x509/2bd8a58cc944497f08ea233d69443d6696c9fb3f
new file mode 100644
index 000000000..64dac7d16
Binary files /dev/null and b/fuzz/corpora/x509/2bd8a58cc944497f08ea233d69443d6696c9fb3f differ
diff --git a/fuzz/corpora/x509/2fe700400bc899b9e7f30d66be5b19271ac47c64 b/fuzz/corpora/x509/2fe700400bc899b9e7f30d66be5b19271ac47c64
new file mode 100644
index 000000000..268e3e061
Binary files /dev/null and b/fuzz/corpora/x509/2fe700400bc899b9e7f30d66be5b19271ac47c64 differ
diff --git a/fuzz/corpora/x509/31305f3b3ee0a5510918efdad62d29da23c1d057 b/fuzz/corpora/x509/31305f3b3ee0a5510918efdad62d29da23c1d057
new file mode 100644
index 000000000..953c6f83c
Binary files /dev/null and b/fuzz/corpora/x509/31305f3b3ee0a5510918efdad62d29da23c1d057 differ
diff --git a/fuzz/corpora/x509/382c9ce318e5d7abe889c3b2e9ace063d9ef5344 b/fuzz/corpora/x509/382c9ce318e5d7abe889c3b2e9ace063d9ef5344
new file mode 100644
index 000000000..8c85d3a07
Binary files /dev/null and b/fuzz/corpora/x509/382c9ce318e5d7abe889c3b2e9ace063d9ef5344 differ
diff --git a/fuzz/corpora/x509/39cf74c117b5dba51828cff51a27790c737045d7 b/fuzz/corpora/x509/39cf74c117b5dba51828cff51a27790c737045d7
new file mode 100644
index 000000000..f00d2ef7d
Binary files /dev/null and b/fuzz/corpora/x509/39cf74c117b5dba51828cff51a27790c737045d7 differ
diff --git a/fuzz/corpora/x509/57927e05973120e02ca3e0af582a70d3398f085f b/fuzz/corpora/x509/57927e05973120e02ca3e0af582a70d3398f085f
new file mode 100644
index 000000000..311355eb8
Binary files /dev/null and b/fuzz/corpora/x509/57927e05973120e02ca3e0af582a70d3398f085f differ
diff --git a/fuzz/corpora/x509/5dbc640a493e76958fdb2c73c9da4d9101f30061 b/fuzz/corpora/x509/5dbc640a493e76958fdb2c73c9da4d9101f30061
new file mode 100644
index 000000000..1b6e76987
Binary files /dev/null and b/fuzz/corpora/x509/5dbc640a493e76958fdb2c73c9da4d9101f30061 differ
diff --git a/fuzz/corpora/x509/6a1cee93d3b815669b0c65bde8e391c614a29ea3 b/fuzz/corpora/x509/6a1cee93d3b815669b0c65bde8e391c614a29ea3
new file mode 100644
index 000000000..e74427530
Binary files /dev/null and b/fuzz/corpora/x509/6a1cee93d3b815669b0c65bde8e391c614a29ea3 differ
diff --git a/fuzz/corpora/x509/6dcc554810035cc46962eac88c1883623f3e69c6 b/fuzz/corpora/x509/6dcc554810035cc46962eac88c1883623f3e69c6
new file mode 100644
index 000000000..2c3a0708c
Binary files /dev/null and b/fuzz/corpora/x509/6dcc554810035cc46962eac88c1883623f3e69c6 differ
diff --git a/fuzz/corpora/x509/76b8ba06006375c9c47466dacf3a53021672df12 b/fuzz/corpora/x509/76b8ba06006375c9c47466dacf3a53021672df12
new file mode 100644
index 000000000..7303487e6
Binary files /dev/null and b/fuzz/corpora/x509/76b8ba06006375c9c47466dacf3a53021672df12 differ
diff --git a/fuzz/corpora/x509/8b5fc9262d78c8c87d100ead207dc93df6361295 b/fuzz/corpora/x509/8b5fc9262d78c8c87d100ead207dc93df6361295
new file mode 100644
index 000000000..1ce08697e
Binary files /dev/null and b/fuzz/corpora/x509/8b5fc9262d78c8c87d100ead207dc93df6361295 differ
diff --git a/fuzz/corpora/x509/9900db635402ea32ef26249b5f811a0d85a56385 b/fuzz/corpora/x509/9900db635402ea32ef26249b5f811a0d85a56385
new file mode 100644
index 000000000..0be1c3b17
Binary files /dev/null and b/fuzz/corpora/x509/9900db635402ea32ef26249b5f811a0d85a56385 differ
diff --git a/fuzz/corpora/x509/aa0e6c5373568c9d7f48dc627d19400208baed83 b/fuzz/corpora/x509/aa0e6c5373568c9d7f48dc627d19400208baed83
new file mode 100644
index 000000000..756d80137
Binary files /dev/null and b/fuzz/corpora/x509/aa0e6c5373568c9d7f48dc627d19400208baed83 differ
diff --git a/fuzz/corpora/x509/b1259bf4ca791b0f46887d9a959598e3ed5b6d33 b/fuzz/corpora/x509/b1259bf4ca791b0f46887d9a959598e3ed5b6d33
new file mode 100644
index 000000000..c562cfb95
Binary files /dev/null and b/fuzz/corpora/x509/b1259bf4ca791b0f46887d9a959598e3ed5b6d33 differ
diff --git a/fuzz/corpora/x509/b73532123cb6a663e8cf7334de9c9771ecb432f7 b/fuzz/corpora/x509/b73532123cb6a663e8cf7334de9c9771ecb432f7
new file mode 100644
index 000000000..c5d8052b7
Binary files /dev/null and b/fuzz/corpora/x509/b73532123cb6a663e8cf7334de9c9771ecb432f7 differ
diff --git a/fuzz/corpora/x509/ce89063b8353b1880cb86f73f618a4008d83532a b/fuzz/corpora/x509/ce89063b8353b1880cb86f73f618a4008d83532a
new file mode 100644
index 000000000..a51e79d9d
Binary files /dev/null and b/fuzz/corpora/x509/ce89063b8353b1880cb86f73f618a4008d83532a differ
diff --git a/fuzz/corpora/x509/d056ac458b78c0344a83c0383f76a20dbb4dcdbc b/fuzz/corpora/x509/d056ac458b78c0344a83c0383f76a20dbb4dcdbc
new file mode 100644
index 000000000..a885aeb03
Binary files /dev/null and b/fuzz/corpora/x509/d056ac458b78c0344a83c0383f76a20dbb4dcdbc differ
diff --git a/fuzz/corpora/x509/d57f9f790ec3895b7e11969a0b319bf274284be3 b/fuzz/corpora/x509/d57f9f790ec3895b7e11969a0b319bf274284be3
new file mode 100644
index 000000000..372c0cbdc
Binary files /dev/null and b/fuzz/corpora/x509/d57f9f790ec3895b7e11969a0b319bf274284be3 differ
diff --git a/fuzz/corpora/x509/d60a803dc64c2f98c732660fb006b944df9f9270 b/fuzz/corpora/x509/d60a803dc64c2f98c732660fb006b944df9f9270
new file mode 100644
index 000000000..daed8ef2a
Binary files /dev/null and b/fuzz/corpora/x509/d60a803dc64c2f98c732660fb006b944df9f9270 differ
diff --git a/fuzz/corpora/x509/e690741d65108fc3e8ce0af814e6b6967cfad51c b/fuzz/corpora/x509/e690741d65108fc3e8ce0af814e6b6967cfad51c
new file mode 100644
index 000000000..2e68ea904
Binary files /dev/null and b/fuzz/corpora/x509/e690741d65108fc3e8ce0af814e6b6967cfad51c differ
diff --git a/fuzz/corpora/x509/e7c6f4d50fb62030e2259c94f3a423e0d1c0fa16 b/fuzz/corpora/x509/e7c6f4d50fb62030e2259c94f3a423e0d1c0fa16
new file mode 100644
index 000000000..e7bfca9be
Binary files /dev/null and b/fuzz/corpora/x509/e7c6f4d50fb62030e2259c94f3a423e0d1c0fa16 differ
diff --git a/fuzz/corpora/x509/e8ff454fe20035d1ee1c6fbb50cda330e8a48d47 b/fuzz/corpora/x509/e8ff454fe20035d1ee1c6fbb50cda330e8a48d47
new file mode 100644
index 000000000..5bade84ae
Binary files /dev/null and b/fuzz/corpora/x509/e8ff454fe20035d1ee1c6fbb50cda330e8a48d47 differ
diff --git a/fuzz/corpora/x509/ea973eb22df5eedd5f52639e1ad0950118c76b2e b/fuzz/corpora/x509/ea973eb22df5eedd5f52639e1ad0950118c76b2e
new file mode 100644
index 000000000..3eb164e54
Binary files /dev/null and b/fuzz/corpora/x509/ea973eb22df5eedd5f52639e1ad0950118c76b2e differ
diff --git a/fuzz/corpora/x509/ebabb2852689b7bedc46cc38d10deb4a4be8c8f7 b/fuzz/corpora/x509/ebabb2852689b7bedc46cc38d10deb4a4be8c8f7
new file mode 100644
index 000000000..0e9915f4d
Binary files /dev/null and b/fuzz/corpora/x509/ebabb2852689b7bedc46cc38d10deb4a4be8c8f7 differ
diff --git a/fuzz/corpora/x509/ec16dacfbdb34e2a1f0909ec9c59f9e6fa7d5ab3 b/fuzz/corpora/x509/ec16dacfbdb34e2a1f0909ec9c59f9e6fa7d5ab3
new file mode 100644
index 000000000..188b05f49
Binary files /dev/null and b/fuzz/corpora/x509/ec16dacfbdb34e2a1f0909ec9c59f9e6fa7d5ab3 differ
diff --git a/fuzz/corpora/x509/ee7a250cc7b123f8f3000fa2b0c045efd080f752 b/fuzz/corpora/x509/ee7a250cc7b123f8f3000fa2b0c045efd080f752
new file mode 100644
index 000000000..ab49a3525
Binary files /dev/null and b/fuzz/corpora/x509/ee7a250cc7b123f8f3000fa2b0c045efd080f752 differ
diff --git a/fuzz/corpora/x509/f11550062adba3ac78fccf835a882a68e1bffab2 b/fuzz/corpora/x509/f11550062adba3ac78fccf835a882a68e1bffab2
new file mode 100644
index 000000000..26cbb9718
Binary files /dev/null and b/fuzz/corpora/x509/f11550062adba3ac78fccf835a882a68e1bffab2 differ
diff --git a/fuzz/corpora/x509/f11f61828aa0a0fecaf44cbc155d7e174d814eb6 b/fuzz/corpora/x509/f11f61828aa0a0fecaf44cbc155d7e174d814eb6
new file mode 100644
index 000000000..568f803a4
Binary files /dev/null and b/fuzz/corpora/x509/f11f61828aa0a0fecaf44cbc155d7e174d814eb6 differ
diff --git a/fuzz/corpora/x509/f1506975d926f6e98be686ea147854951d8fefcc b/fuzz/corpora/x509/f1506975d926f6e98be686ea147854951d8fefcc
new file mode 100644
index 000000000..51e6882f5
Binary files /dev/null and b/fuzz/corpora/x509/f1506975d926f6e98be686ea147854951d8fefcc differ
diff --git a/fuzz/corpora/x509/f3aebf0d2a2db39f8e4917e5b6a0e5fb0e0ce806 b/fuzz/corpora/x509/f3aebf0d2a2db39f8e4917e5b6a0e5fb0e0ce806
new file mode 100644
index 000000000..b99db14b1
Binary files /dev/null and b/fuzz/corpora/x509/f3aebf0d2a2db39f8e4917e5b6a0e5fb0e0ce806 differ
diff --git a/fuzz/corpora/x509/f5f0426c6dafa100b79a8675f15aca90a68d9e16 b/fuzz/corpora/x509/f5f0426c6dafa100b79a8675f15aca90a68d9e16
new file mode 100644
index 000000000..9368383e9
Binary files /dev/null and b/fuzz/corpora/x509/f5f0426c6dafa100b79a8675f15aca90a68d9e16 differ
diff --git a/fuzz/corpora/x509/f6735b84d4c704f3674a50e6475c83bc2a3d6f1f b/fuzz/corpora/x509/f6735b84d4c704f3674a50e6475c83bc2a3d6f1f
new file mode 100644
index 000000000..bff7c2384
Binary files /dev/null and b/fuzz/corpora/x509/f6735b84d4c704f3674a50e6475c83bc2a3d6f1f differ
diff --git a/fuzz/corpora/x509/fa4768c5efcb1b5c8ecda30b263f5e9ca4320718 b/fuzz/corpora/x509/fa4768c5efcb1b5c8ecda30b263f5e9ca4320718
new file mode 100644
index 000000000..227221916
Binary files /dev/null and b/fuzz/corpora/x509/fa4768c5efcb1b5c8ecda30b263f5e9ca4320718 differ
diff --git a/fuzz/corpora/x509/fae428be68618af3fc3fb89ab79d92f9d1a9b1b9 b/fuzz/corpora/x509/fae428be68618af3fc3fb89ab79d92f9d1a9b1b9
new file mode 100644
index 000000000..9bae34555
Binary files /dev/null and b/fuzz/corpora/x509/fae428be68618af3fc3fb89ab79d92f9d1a9b1b9 differ
diff --git a/fuzz/corpora/x509/fb92fed0a0bc2235437683e655533d84b64a59c0 b/fuzz/corpora/x509/fb92fed0a0bc2235437683e655533d84b64a59c0
new file mode 100644
index 000000000..a14aae963
Binary files /dev/null and b/fuzz/corpora/x509/fb92fed0a0bc2235437683e655533d84b64a59c0 differ
diff --git a/fuzz/corpora/x509/fc48a26e3e5e2a9229452819e8605b1cbfdd9892 b/fuzz/corpora/x509/fc48a26e3e5e2a9229452819e8605b1cbfdd9892
new file mode 100644
index 000000000..abce23c4a
Binary files /dev/null and b/fuzz/corpora/x509/fc48a26e3e5e2a9229452819e8605b1cbfdd9892 differ
diff --git a/fuzz/corpora/x509/fe543a8d7e09109a9a08114323eefec802ad79e2 b/fuzz/corpora/x509/fe543a8d7e09109a9a08114323eefec802ad79e2
new file mode 100644
index 000000000..95d521e55
Binary files /dev/null and b/fuzz/corpora/x509/fe543a8d7e09109a9a08114323eefec802ad79e2 differ
diff --git a/fuzz/fuzzer.h b/fuzz/fuzzer.h
index cd460dea8..3bb8241f6 100644
--- a/fuzz/fuzzer.h
+++ b/fuzz/fuzzer.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -8,6 +8,9 @@
 * or in the file LICENSE in the source distribution.
 */
+#include /* for size_t */
+#include /* for uint8_t */
+
 int FuzzerTestOneInput(const uint8_t *buf, size_t len);
 int FuzzerInitialize(int *argc, char ***argv);
 void FuzzerCleanup(void);
diff --git a/fuzz/punycode.c b/fuzz/punycode.c
new file mode 100644
index 000000000..76ae3dea0
--- /dev/null
+++ b/fuzz/punycode.c
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "crypto/punycode.h"
+#include "internal/nelem.h"
+#include
+#include "fuzzer.h"
+
+#include
+#include
+
+int FuzzerInitialize(int *argc, char ***argv)
+{
+ return 1;
+}
+
+int FuzzerTestOneInput(const uint8_t *buf, size_t len)
+{
+ char *b;
+ unsigned int out[16], outlen = OSSL_NELEM(out);
+ char outc[16];
+
+ b = OPENSSL_malloc(len + 1);
+ if (b != NULL) {
+ ossl_punycode_decode((const char *)buf, len, out, &outlen);
+ memcpy(b, buf, len);
+ b[len] = '\0';
+ ossl_a2ulabel(b, outc, sizeof(outc));
+ OPENSSL_free(b);
+ }
+ return 0;
+}
+
+void FuzzerCleanup(void)
+{
+}
diff --git a/include/crypto/aes_platform.h b/include/crypto/aes_platform.h
index e95ad5aa5..95e7e71d4 100644
--- a/include/crypto/aes_platform.h
+++ b/include/crypto/aes_platform.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
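Review bot: In FuzzerTestOneInput of fuzz/punycode.c both return values are discarded and `outlen` is never looked at after `ossl_punycode_decode()`, so the harness only finds what the sanitizer trips on, not a decoder that reports more code points than the 16-entry `out` array holds. Assuming `pout_length` is in/out as its name in punycode.h suggests, a cheap invariant after the decode call would be `OPENSSL_assert(outlen <= OSSL_NELEM(out));`. The decode call does not depend on `b`, so it could sit before the `OPENSSL_malloc()` and keep running when allocation fails, leaving only the `ossl_a2ulabel()` path gated on `b != NULL`. A header comment such as `/* Exercise the raw punycode decoder on the unterminated input, then ossl_a2ulabel() on a NUL-terminated copy */` would also help, since the two calls reach different entry points.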
@@ -74,6 +74,20 @@ void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
 # define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
 # define HWAES_xts_encrypt aes_p8_xts_encrypt
 # define HWAES_xts_decrypt aes_p8_xts_decrypt
+# ifndef OPENSSL_SYS_AIX
+# define PPC_AES_GCM_CAPABLE (OPENSSL_ppccap_P & PPC_MADD300)
+# define AES_GCM_ENC_BYTES 128
+# define AES_GCM_DEC_BYTES 128
+size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out,
+ size_t len, const void *key, unsigned char ivec[16],
+ u64 *Xi);
+size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out,
+ size_t len, const void *key, unsigned char ivec[16],
+ u64 *Xi);
+# define AES_GCM_ASM_PPC(gctx) ((gctx)->ctr==aes_p8_ctr32_encrypt_blocks && \
+ (gctx)->gcm.funcs.ghash==gcm_ghash_p8)
+void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len);
+# endif /* OPENSSL_SYS_AIX */
 # endif /* PPC */
 # if (defined(__arm__) || defined(__arm) || defined(__aarch64__))
@@ -104,7 +118,9 @@ void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
 # define AES_gcm_encrypt armv8_aes_gcm_encrypt
 # define AES_gcm_decrypt armv8_aes_gcm_decrypt
 # define AES_GCM_ASM(gctx) ((gctx)->ctr==aes_v8_ctr32_encrypt_blocks && \
- (gctx)->gcm.ghash==gcm_ghash_v8)
+ (gctx)->gcm.funcs.ghash==gcm_ghash_v8)
+/* The [unroll8_eor3_]aes_gcm_(enc|dec)_(128|192|256)_kernel() functions
+ * take input length in BITS and return number of BYTES processed */
 size_t aes_gcm_enc_128_kernel(const uint8_t * plaintext, uint64_t plaintext_length, uint8_t * ciphertext,
 uint64_t *Xi, unsigned char ivec[16], const void *key);
 size_t aes_gcm_enc_192_kernel(const uint8_t * plaintext, uint64_t plaintext_length, uint8_t * ciphertext,
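Review bot: The new PPC block in the `@@ -74,6 +74,20 @@` hunk introduces `AES_GCM_ENC_BYTES`, `AES_GCM_DEC_BYTES` and the `ppc_aes_gcm_encrypt()`/`ppc_aes_gcm_decrypt()` prototypes without a word on what the constants gate or what unit `len` is in, while the ARM hunk right below it does document the bits-in/bytes-out convention of its kernels. A comment above the two defines, e.g. `/* Minimum input size in bytes before the assembler GCM path is used; TODO confirm against the caller in the GCM mode code */`, and a matching line on the prototypes stating the unit of `len` and the meaning of the returned `size_t`, would keep the two CPU families equally readable. `PPC_AES_GCM_CAPABLE` and `AES_GCM_ASM_PPC` are defined here but used elsewhere, so the header is the only place a reader will look for this.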
@@ -117,6 +133,18 @@ size_t aes_gcm_dec_192_kernel(const uint8_t * ciphertext, uint64_t plaintext_len
 uint64_t *Xi, unsigned char ivec[16], const void *key);
 size_t aes_gcm_dec_256_kernel(const uint8_t * ciphertext, uint64_t plaintext_length, uint8_t * plaintext,
 uint64_t *Xi, unsigned char ivec[16], const void *key);
+size_t unroll8_eor3_aes_gcm_enc_128_kernel(const uint8_t * plaintext, uint64_t plaintext_length, uint8_t * ciphertext,
+ uint64_t *Xi, unsigned char ivec[16], const void *key);
+size_t unroll8_eor3_aes_gcm_enc_192_kernel(const uint8_t * plaintext, uint64_t plaintext_length, uint8_t * ciphertext,
+ uint64_t *Xi, unsigned char ivec[16], const void *key);
+size_t unroll8_eor3_aes_gcm_enc_256_kernel(const uint8_t * plaintext, uint64_t plaintext_length, uint8_t * ciphertext,
+ uint64_t *Xi, unsigned char ivec[16], const void *key);
+size_t unroll8_eor3_aes_gcm_dec_128_kernel(const uint8_t * ciphertext, uint64_t plaintext_length, uint8_t * plaintext,
+ uint64_t *Xi, unsigned char ivec[16], const void *key);
+size_t unroll8_eor3_aes_gcm_dec_192_kernel(const uint8_t * ciphertext, uint64_t plaintext_length, uint8_t * plaintext,
+ uint64_t *Xi, unsigned char ivec[16], const void *key);
+size_t unroll8_eor3_aes_gcm_dec_256_kernel(const uint8_t * ciphertext, uint64_t plaintext_length, uint8_t * plaintext,
+ uint64_t *Xi, unsigned char ivec[16], const void *key);
 size_t armv8_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len, const void *key,
 unsigned char ivec[16], u64 *Xi);
 size_t armv8_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t len, const void *key,
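Review bot: The six `unroll8_eor3_*` prototypes added in this hunk carry no hint of what distinguishes them from the plain `aes_gcm_*_kernel` family or which CPU feature they need; the selection presumably happens in the armv8 wrappers declared just below, which are outside this header's comments too. A one-line comment above the first of them, e.g. `/* unroll8_eor3_* variants: 8-way unrolled kernels that use the EOR3 instruction (SHA3 extension); the caller is responsible for checking capability before dispatch — confirm */`, would spare readers a trip into the assembler. Minor style point: the decrypt kernels keep the parameter name `plaintext_length` for what is the ciphertext length, copying the existing declarations; since the comment in the previous hunk already says the length is in bits, naming it `length_bits` in the new lines would make the unit self-evident.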
@@ -134,6 +162,13 @@ void gcm_ghash_v8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len);
 # define AESNI_CBC_HMAC_SHA_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
 # endif
+# if defined(__loongarch__) || defined(__loongarch64)
+# include "loongarch_arch.h"
+# if defined(VPAES_ASM)
+# define VPAES_CAPABLE (OPENSSL_loongarchcap_P & LOONGARCH_CFG2_LSX)
+# endif
+# endif
+
 # if defined(AES_ASM) && !defined(I386_ONLY) && ( \
 ((defined(__i386) || defined(__i386__) || \
 defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
@@ -226,7 +261,7 @@ void gcm_ghash_avx(u64 Xi[2], const u128 Htable[16], const u8 *in, size_t len);
 # define AES_gcm_encrypt aesni_gcm_encrypt
 # define AES_gcm_decrypt aesni_gcm_decrypt
 # define AES_GCM_ASM(ctx) (ctx->ctr == aesni_ctr32_encrypt_blocks && \
- ctx->gcm.ghash == gcm_ghash_avx)
+ ctx->gcm.funcs.ghash == gcm_ghash_avx)
 # endif
@@ -396,6 +431,38 @@ void aes256_t4_xts_decrypt(const unsigned char *in, unsigned char *out,
 /* Convert key size to function code: [16,24,32] -> [18,19,20]. */
 # define S390X_AES_FC(keylen) (S390X_AES_128 + ((((keylen) << 3) - 128) >> 6))
+# elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
+/* RISC-V 64 support */
+# include "riscv_arch.h"
+# define RV64I_ZKND_ZKNE_CAPABLE (RISCV_HAS_ZKND() && RISCV_HAS_ZKNE())
+
+int rv64i_zkne_set_encrypt_key(const unsigned char *userKey, const int bits,
+ AES_KEY *key);
+int rv64i_zknd_set_decrypt_key(const unsigned char *userKey, const int bits,
+ AES_KEY *key);
+void rv64i_zkne_encrypt(const unsigned char *in, unsigned char *out,
+ const AES_KEY *key);
+void rv64i_zknd_decrypt(const unsigned char *in, unsigned char *out,
+ const AES_KEY *key);
+# elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32
+/* RISC-V 32 support */
+# include "riscv_arch.h"
+# define RV32I_ZKND_ZKNE_CAPABLE (RISCV_HAS_ZKND() && RISCV_HAS_ZKNE())
+# define RV32I_ZBKB_ZKND_ZKNE_CAPABLE (RV32I_ZKND_ZKNE_CAPABLE && RISCV_HAS_ZBKB())
+
+int rv32i_zkne_set_encrypt_key(const unsigned char *userKey, const int bits,
+ AES_KEY *key);
+/* set_decrypt_key needs both zknd and zkne */
+int rv32i_zknd_zkne_set_decrypt_key(const unsigned char *userKey, const int bits,
+ AES_KEY *key);
+int rv32i_zbkb_zkne_set_encrypt_key(const unsigned char *userKey, const int bits,
+ AES_KEY *key);
+int rv32i_zbkb_zknd_zkne_set_decrypt_key(const unsigned char *userKey, const int bits,
+ AES_KEY *key);
+void rv32i_zkne_encrypt(const unsigned char *in, unsigned char *out,
+ const AES_KEY *key);
+void rv32i_zknd_decrypt(const unsigned char *in, unsigned char *out,
+ const AES_KEY *key);
 # endif
 # if defined(HWAES_CAPABLE)
diff --git a/include/crypto/bn.h b/include/crypto/bn.h
index 390e5ac07..f6bfdeb5e 100644
--- a/include/crypto/bn.h
+++ b/include/crypto/bn.h
@@ -95,6 +95,8 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
 int ossl_bn_miller_rabin_is_prime(const BIGNUM *w, int iterations, BN_CTX *ctx,
 BN_GENCB *cb, int enhanced, int *status);
+int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx,
+ BN_GENCB *cb);
 const BIGNUM *ossl_bn_get0_small_factors(void);
diff --git a/include/crypto/context.h b/include/crypto/context.h
new file mode 100644
index 000000000..cc06c71be
--- /dev/null
+++ b/include/crypto/context.h
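Review bot: `ossl_bn_check_generated_prime()` is added to bn.h without a comment, and its `checks` argument is not self-explanatory next to the neighbouring `iterations` of `ossl_bn_miller_rabin_is_prime()`; a reader cannot tell from the header whether it is a round count, a sentinel for "pick automatically", or something else. Suggest a short comment above the prototype, e.g. `/* Primality check for a freshly generated candidate w; checks selects the number of test rounds — TODO document the 0 / default convention and the return values */`, filled in from the implementation. Since this is an internal header that the provider code presumably calls from prime generation, stating the return-value contract (1 prime, 0 composite, -1 error, or whatever it is) matters more than usual.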
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include
+
+void *ossl_provider_store_new(OSSL_LIB_CTX *);
+void *ossl_property_string_data_new(OSSL_LIB_CTX *);
+void *ossl_stored_namemap_new(OSSL_LIB_CTX *);
+void *ossl_property_defns_new(OSSL_LIB_CTX *);
+void *ossl_ctx_global_properties_new(OSSL_LIB_CTX *);
+void *ossl_rand_ctx_new(OSSL_LIB_CTX *);
+void *ossl_prov_conf_ctx_new(OSSL_LIB_CTX *);
+void *ossl_bio_core_globals_new(OSSL_LIB_CTX *);
+void *ossl_child_prov_ctx_new(OSSL_LIB_CTX *);
+void *ossl_prov_drbg_nonce_ctx_new(OSSL_LIB_CTX *);
+void *ossl_self_test_set_callback_new(OSSL_LIB_CTX *);
+void *ossl_rand_crng_ctx_new(OSSL_LIB_CTX *);
+void *ossl_thread_event_ctx_new(OSSL_LIB_CTX *);
+void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *);
+
+void ossl_provider_store_free(void *);
+void ossl_property_string_data_free(void *);
+void ossl_stored_namemap_free(void *);
+void ossl_property_defns_free(void *);
+void ossl_ctx_global_properties_free(void *);
+void ossl_rand_ctx_free(void *);
+void ossl_prov_conf_ctx_free(void *);
+void ossl_bio_core_globals_free(void *);
+void ossl_child_prov_ctx_free(void *);
+void ossl_prov_drbg_nonce_ctx_free(void *);
+void ossl_self_test_set_callback_free(void *);
+void ossl_rand_crng_ctx_free(void *);
+void ossl_thread_event_ctx_free(void *);
+void ossl_fips_prov_ossl_ctx_free(void *);
+void ossl_release_default_drbg_ctx(void);
diff --git a/include/crypto/cryptoerr.h b/include/crypto/cryptoerr.h
index 288b87ac8..1b6192e3f 100644
--- a/include/crypto/cryptoerr.h
+++ b/include/crypto/cryptoerr.h
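Review bot: The new include/crypto/context.h has no include guard and no `# pragma once`, unlike the other headers touched in this diff (punycode.h uses `OSSL_CRYPTO_PUNYCODE_H`, riscv_arch.h uses `OSSL_CRYPTO_RISCV_ARCH_H`); prototypes tolerate double inclusion today, but the first struct or inline added here will not. Wrapping the body in `#ifndef OSSL_CRYPTO_CONTEXT_H` / `# define OSSL_CRYPTO_CONTEXT_H` … `#endif` brings it in line. The paired `*_new(OSSL_LIB_CTX *)` / `*_free(void *)` declarations also lack any comment on their contract; a header line such as `/* Constructors/destructors for the per-OSSL_LIB_CTX objects, presumably driven from the library-context initialisation code — confirm */` would tell a reader why `ossl_rand_ctx_free()` moved here from rand.h (see the rand.h hunk later in this diff).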
@@ -1,6 +1,6 @@
 /*
 * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/crypto/decoder.h b/include/crypto/decoder.h
index 107a7b502..6b5ee56ac 100644
--- a/include/crypto/decoder.h
+++ b/include/crypto/decoder.h
@@ -13,10 +13,6 @@
 # include
-OSSL_DECODER *ossl_decoder_fetch_by_number(OSSL_LIB_CTX *libctx,
- int id,
- const char *properties);
-
 /*
 * These are specially made for the 'file:' provider-native loader, which
 * uses this to install a DER to anything decoder, which doesn't do much
diff --git a/include/crypto/dsaerr.h b/include/crypto/dsaerr.h
index 9898097d0..fde8358fc 100644
--- a/include/crypto/dsaerr.h
+++ b/include/crypto/dsaerr.h
@@ -1,6 +1,6 @@
 /*
 * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/crypto/ecerr.h b/include/crypto/ecerr.h
index 4658ae8fb..782526bf8 100644
--- a/include/crypto/ecerr.h
+++ b/include/crypto/ecerr.h
@@ -1,6 +1,6 @@
 /*
 * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/crypto/encoder.h b/include/crypto/encoder.h
index 562081ad4..5c53bbea3 100644
--- a/include/crypto/encoder.h
+++ b/include/crypto/encoder.h
@@ -13,8 +13,6 @@
 # include
-OSSL_ENCODER *ossl_encoder_fetch_by_number(OSSL_LIB_CTX *libctx, int id,
- const char *properties);
 int ossl_encoder_get_number(const OSSL_ENCODER *encoder);
 int ossl_encoder_store_cache_flush(OSSL_LIB_CTX *libctx);
 int ossl_encoder_store_remove_all_provided(const OSSL_PROVIDER *prov);
diff --git a/include/crypto/evp.h b/include/crypto/evp.h
index e70d8e9e8..dbbdcccbd 100644
--- a/include/crypto/evp.h
+++ b/include/crypto/evp.h
@@ -909,6 +909,8 @@ int evp_set_default_properties_int(OSSL_LIB_CTX *libctx, const char *propq,
 char *evp_get_global_properties_str(OSSL_LIB_CTX *libctx, int loadconfig);
 void evp_md_ctx_clear_digest(EVP_MD_CTX *ctx, int force, int keep_digest);
+/* just free the algctx if set, returns 0 on inconsistent state of ctx */
+int evp_md_ctx_free_algctx(EVP_MD_CTX *ctx);
 /* Three possible states: */
 # define EVP_PKEY_STATE_UNKNOWN 0
diff --git a/include/crypto/md32_common.h b/include/crypto/md32_common.h
index 3b16f1b72..966e2684e 100644
--- a/include/crypto/md32_common.h
+++ b/include/crypto/md32_common.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -95,6 +95,28 @@
 #define ROTATE(a,n) (((a)<<(n))|(((a)&0xffffffff)>>(32-(n))))
+#ifndef PEDANTIC
+# if defined(__GNUC__) && __GNUC__>=2 && \
+ !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
+# if defined(__riscv_zbb) || defined(__riscv_zbkb)
+# if __riscv_xlen == 64
+# undef ROTATE
+# define ROTATE(x, n) ({ MD32_REG_T ret; \
+ asm ("roriw %0, %1, %2" \
+ : "=r"(ret) \
+ : "r"(x), "i"(32 - (n))); ret;})
+# endif
+# if __riscv_xlen == 32
+# undef ROTATE
+# define ROTATE(x, n) ({ MD32_REG_T ret; \
+ asm ("rori %0, %1, %2" \
+ : "=r"(ret) \
+ : "r"(x), "i"(32 - (n))); ret;})
+# endif
+# endif
+# endif
+#endif
+
 #if defined(DATA_ORDER_IS_BIG_ENDIAN)
 # define HOST_c2l(c,l) (l =(((unsigned long)(*((c)++)))<<24), \
diff --git a/include/crypto/modes.h b/include/crypto/modes.h
index 19f9d8595..573e1197d 100644
--- a/include/crypto/modes.h
+++ b/include/crypto/modes.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2010-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2010-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -74,6 +74,13 @@ typedef unsigned char u8;
 asm ("rev %0,%1" \
 : "=r"(ret_) : "r"((u32)(x))); \
 ret_; })
+# elif (defined(__riscv_zbb) || defined(__riscv_zbkb)) && __riscv_xlen == 64
+# define BSWAP8(x) ({ u64 ret_=(x); \
+ asm ("rev8 %0,%0" \
+ : "+r"(ret_)); ret_; })
+# define BSWAP4(x) ({ u32 ret_=(x); \
+ asm ("rev8 %0,%0; srli %0,%0,32"\
+ : "+&r"(ret_)); ret_; })
 # endif
 # elif defined(_MSC_VER)
 # if _MSC_VER>=1300
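Review bot: The two RISC-V `ROTATE` replacements in the md32_common.h hunk narrow the macro's contract without saying so: the `"i"(32 - (n))` operand requires `n` to be an integer constant expression, whereas the generic `ROTATE(a,n)` they `#undef` accepts any expression, and `n == 0` would yield an immediate of 32, outside the 5-bit range `rori`/`roriw` take. Both are presumably fine for the hash cores that include this header, but the assumption belongs next to the `#undef`, e.g. `/* rori takes an immediate: n must be a constant expression in 1..31 */`. The BSWAP4 variant in the modes.h hunk is the one place in this diff where the `"+&r"` early-clobber is needed and the reason (the two-instruction sequence reads and writes the same register) is worth a half-line comment as well.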
@@ -100,14 +107,14 @@ _asm mov eax, val _asm bswap eax}
 u64 hi, lo;
 } u128;
-#ifdef TABLE_BITS
-# undef TABLE_BITS
-#endif
-/*
- * Even though permitted values for TABLE_BITS are 8, 4 and 1, it should
- * never be set to 8 [or 1]. For further information see gcm128.c.
- */
-#define TABLE_BITS 4
+typedef void (*gcm_init_fn)(u128 Htable[16], const u64 H[2]);
+typedef void (*gcm_ghash_fn)(u64 Xi[2], const u128 Htable[16], const u8 *inp, size_t len);
+typedef void (*gcm_gmult_fn)(u64 Xi[2], const u128 Htable[16]);
+struct gcm_funcs_st {
+ gcm_init_fn ginit;
+ gcm_ghash_fn ghash;
+ gcm_gmult_fn gmult;
+};
 struct gcm128_context {
 /* Following 6 names follow names in GCM specification */
@@ -118,17 +125,11 @@ struct gcm128_context {
 size_t t[16 / sizeof(size_t)];
 } Yi, EKi, EK0, len, Xi, H;
 /*
- * Relative position of Xi, H and pre-computed Htable is used in some
- * assembler modules, i.e. don't change the order!
+ * Relative position of Yi, EKi, EK0, len, Xi, H and pre-computed Htable is
+ * used in some assembler modules, i.e. don't change the order!
 */
-#if TABLE_BITS==8
- u128 Htable[256];
-#else
 u128 Htable[16];
- void (*gmult) (u64 Xi[2], const u128 Htable[16]);
- void (*ghash) (u64 Xi[2], const u128 Htable[16], const u8 *inp,
- size_t len);
-#endif
+ struct gcm_funcs_st funcs;
 unsigned int mres, ares;
 block128_f block;
 void *key;
diff --git a/include/crypto/ppc_arch.h b/include/crypto/ppc_arch.h
index 3b3ce4bff..d999396a2 100644
--- a/include/crypto/ppc_arch.h
+++ b/include/crypto/ppc_arch.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
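Review bot: `struct gcm_funcs_st` in the `@@ -100,14 +107,14 @@` hunk replaces the two raw function pointers with three, but the members get no comment and the hunk also deletes the only text that pointed readers at gcm128.c. From the typedef signatures, `ginit` precomputes `Htable` from `H`, `gmult` multiplies `Xi` by `H` in place and `ghash` folds `len` bytes of `inp` into `Xi`; trailing comments saying exactly that on the three members would cost three short lines. On the `@@ -118,17 +125,11 @@` hunk, a pointer such as `/* Selected by CRYPTO_gcm128_init() according to CPU capabilities; see gcm128.c */` on the `funcs` member would restore the breadcrumb, and it would be worth stating whether `ginit` may be left NULL, since the old code never stored an init pointer at all.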
@@ -24,5 +24,6 @@ extern unsigned int OPENSSL_ppccap_P;
 # define PPC_MADD300 (1<<4)
 # define PPC_MFTB (1<<5)
 # define PPC_MFSPR268 (1<<6)
+# define PPC_BRD31 (1<<7)
 #endif
diff --git a/include/crypto/punycode.h b/include/crypto/punycode.h
index 133826d87..4c6e49f51 100644
--- a/include/crypto/punycode.h
+++ b/include/crypto/punycode.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -11,6 +11,8 @@
 # define OSSL_CRYPTO_PUNYCODE_H
 # pragma once
+# include /* for size_t */
+
 int ossl_punycode_decode (
 const char *pEncoded,
 const size_t enc_len,
@@ -18,7 +20,8 @@ int ossl_punycode_decode (
 unsigned int *pout_length
 );
-int ossl_a2ulabel(const char *in, char *out, size_t *outlen);
+int ossl_a2ulabel(const char *in, char *out, size_t outlen);
 int ossl_a2ucompare(const char *a, const char *u);
+
 #endif
diff --git a/include/crypto/rand.h b/include/crypto/rand.h
index 165deaf95..6a71a339c 100644
--- a/include/crypto/rand.h
+++ b/include/crypto/rand.h
@@ -125,5 +125,4 @@ void ossl_rand_cleanup_nonce(ossl_unused const OSSL_CORE_HANDLE *handle,
 size_t ossl_pool_acquire_entropy(RAND_POOL *pool);
 int ossl_pool_add_nonce_data(RAND_POOL *pool);
-void ossl_rand_ctx_free(void *vdgbl);
 #endif
diff --git a/include/crypto/riscv_arch.def b/include/crypto/riscv_arch.def
new file mode 100644
index 000000000..6c26dbf40
--- /dev/null
+++ b/include/crypto/riscv_arch.def
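Review bot: In the punycode.h `@@ -18,7 +20,8 @@` hunk `ossl_a2ulabel()` changes from `size_t *outlen` to `size_t outlen`, so callers can no longer learn how much room a too-small buffer would have needed, and the header still says nothing about how that case is reported; the fuzzer added in this same diff passes `sizeof(outc)` and ignores the result, which is consistent with either convention. A comment above the prototype is the minimum the change needs, e.g. `/* Convert A-label in to U-label out; outlen is the capacity of out including the NUL. Returns: TODO document success / buffer-too-small / invalid-input values from the implementation */`. The `pout_length` parameter of `ossl_punycode_decode()` in the previous hunk likewise deserves a note on whether it is in/out (capacity in, count out), since the fuzzer treats it that way.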
@@ -0,0 +1,43 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* X Macro Definitions for Specification of RISC-V Arch Capabilities */ + +/* + * Each RISC-V capability ends up encoded as a single set bit in an array of + * words. When specifying a new capability, write a new RISCV_DEFINE_CAP + * statement, with an argument as the extension name in all-caps, + * second argument as the index in the array where the capability will be stored + * and third argument as the index of the bit to be used to encode the + * capability. + * RISCV_DEFINE_CAP(EXTENSION NAME, array index, bit index) */ + +RISCV_DEFINE_CAP(ZBA, 0, 0) +RISCV_DEFINE_CAP(ZBB, 0, 1) +RISCV_DEFINE_CAP(ZBC, 0, 2) +RISCV_DEFINE_CAP(ZBS, 0, 3) +RISCV_DEFINE_CAP(ZBKB, 0, 4) +RISCV_DEFINE_CAP(ZBKC, 0, 5) +RISCV_DEFINE_CAP(ZBKX, 0, 6) +RISCV_DEFINE_CAP(ZKND, 0, 7) +RISCV_DEFINE_CAP(ZKNE, 0, 8) +RISCV_DEFINE_CAP(ZKNH, 0, 9) +RISCV_DEFINE_CAP(ZKSED, 0, 10) +RISCV_DEFINE_CAP(ZKSH, 0, 11) +RISCV_DEFINE_CAP(ZKR, 0, 12) +RISCV_DEFINE_CAP(ZKT, 0, 13) + +/* + * In the future ... + * RISCV_DEFINE_CAP(ZFOO, 0, 31) + * RISCV_DEFINE_CAP(ZBAR, 1, 0) + * ... and so on. + */ + +#undef RISCV_DEFINE_CAP diff --git a/include/crypto/riscv_arch.h b/include/crypto/riscv_arch.h new file mode 100644 index 000000000..89a40bea8 --- /dev/null +++ b/include/crypto/riscv_arch.h 
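Review bot: The explanatory comment describes the bit-index argument but not its valid range, and the storage declared in riscv_arch.h is an array of `uint32_t`, so a bit index above 31 would silently select a bit that does not exist. Adding ` * The bit index must be in 0..31 (each array element is a uint32_t); use the next array index after bit 31.` to the comment states the constraint at the one place where new capabilities are added. The "In the future" example already implies this, but only by example.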
@@ -0,0 +1,59 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef OSSL_CRYPTO_RISCV_ARCH_H +# define OSSL_CRYPTO_RISCV_ARCH_H + +# include +# include + +# define RISCV_DEFINE_CAP(NAME, INDEX, BIT_INDEX) +1 +extern uint32_t OPENSSL_riscvcap_P[ (( +# include "riscv_arch.def" +) + sizeof(uint32_t) - 1) / sizeof(uint32_t) ]; + +# ifdef OPENSSL_RISCVCAP_IMPL +# define RISCV_DEFINE_CAP(NAME, INDEX, BIT_INDEX) +1 +uint32_t OPENSSL_riscvcap_P[ (( +# include "riscv_arch.def" +) + sizeof(uint32_t) - 1) / sizeof(uint32_t) ]; +# endif + +# define RISCV_DEFINE_CAP(NAME, INDEX, BIT_INDEX) \ + static inline int RISCV_HAS_##NAME(void) \ + { \ + return (OPENSSL_riscvcap_P[INDEX] & (1 << BIT_INDEX)) != 0; \ + } +# include "riscv_arch.def" + +struct RISCV_capability_s { + const char *name; + size_t index; + size_t bit_offset; +}; + +# define RISCV_DEFINE_CAP(NAME, INDEX, BIT_INDEX) +1 +extern const struct RISCV_capability_s RISCV_capabilities[ +# include "riscv_arch.def" +]; + +# ifdef OPENSSL_RISCVCAP_IMPL +# define RISCV_DEFINE_CAP(NAME, INDEX, BIT_INDEX) \ + { #NAME, INDEX, BIT_INDEX }, +const struct RISCV_capability_s RISCV_capabilities[] = { +# include "riscv_arch.def" +}; +# endif + +# define RISCV_DEFINE_CAP(NAME, INDEX, BIT_INDEX) +1 +static const size_t kRISCVNumCaps = +# include "riscv_arch.def" +; + +#endif diff --git a/include/crypto/sm4_platform.h b/include/crypto/sm4_platform.h new file mode 100644 index 000000000..11f9b9d88 --- /dev/null +++ b/include/crypto/sm4_platform.h 
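Review bot: `RISCV_HAS_##NAME` tests `(1 << BIT_INDEX)`, a signed int shift, and for BIT_INDEX 31, the value the .def's own comment anticipates, `1 << 31` overflows int and is undefined behaviour in C17. Use an unsigned constant so the mask matches the storage type: `return (OPENSSL_riscvcap_P[INDEX] & (1U << BIT_INDEX)) != 0;`. Separately, the array length is computed from the number of definitions, `(count + sizeof(uint32_t) - 1) / sizeof(uint32_t)`, which yields ceil(count/4) words rather than the ceil(count/32) the bit packing needs and is not tied to INDEX at all, so a sparse INDEX assignment with few capabilities could index past the array. A comment stating that INDEX values must be dense from 0 and that the sizing deliberately over-allocates would make that invariant reviewable.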
@@ -0,0 +1,77 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef OSSL_SM4_PLATFORM_H +# define OSSL_SM4_PLATFORM_H +# pragma once + +# if defined(OPENSSL_CPUID_OBJ) +# if (defined(__arm__) || defined(__arm) || defined(__aarch64__)) +# include "arm_arch.h" +# if __ARM_MAX_ARCH__>=8 +extern unsigned int OPENSSL_arm_midr; +static inline int vpsm4_capable(void) +{ + return (OPENSSL_armcap_P & ARMV8_CPUID) && + (MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_V1) || + MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_N1)); +} +# if defined(VPSM4_ASM) +# define VPSM4_CAPABLE vpsm4_capable() +# endif +# define HWSM4_CAPABLE (OPENSSL_armcap_P & ARMV8_SM4) +# define HWSM4_set_encrypt_key sm4_v8_set_encrypt_key +# define HWSM4_set_decrypt_key sm4_v8_set_decrypt_key +# define HWSM4_encrypt sm4_v8_encrypt +# define HWSM4_decrypt sm4_v8_decrypt +# define HWSM4_cbc_encrypt sm4_v8_cbc_encrypt +# define HWSM4_ecb_encrypt sm4_v8_ecb_encrypt +# define HWSM4_ctr32_encrypt_blocks sm4_v8_ctr32_encrypt_blocks +# endif +# endif +# endif /* OPENSSL_CPUID_OBJ */ + +# if defined(HWSM4_CAPABLE) +int HWSM4_set_encrypt_key(const unsigned char *userKey, SM4_KEY *key); +int HWSM4_set_decrypt_key(const unsigned char *userKey, SM4_KEY *key); +void HWSM4_encrypt(const unsigned char *in, unsigned char *out, + const SM4_KEY *key); +void HWSM4_decrypt(const unsigned char *in, unsigned char *out, + const SM4_KEY *key); +void HWSM4_cbc_encrypt(const unsigned char *in, unsigned char *out, + size_t length, const SM4_KEY *key, + unsigned char *ivec, const int enc); +void HWSM4_ecb_encrypt(const unsigned char *in, unsigned char *out, + size_t length, const SM4_KEY *key, + const 
int enc); +void HWSM4_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, + size_t len, const void *key, + const unsigned char ivec[16]); +# endif /* HWSM4_CAPABLE */ + +#ifdef VPSM4_CAPABLE +int vpsm4_set_encrypt_key(const unsigned char *userKey, SM4_KEY *key); +int vpsm4_set_decrypt_key(const unsigned char *userKey, SM4_KEY *key); +void vpsm4_encrypt(const unsigned char *in, unsigned char *out, + const SM4_KEY *key); +void vpsm4_decrypt(const unsigned char *in, unsigned char *out, + const SM4_KEY *key); +void vpsm4_cbc_encrypt(const unsigned char *in, unsigned char *out, + size_t length, const SM4_KEY *key, + unsigned char *ivec, const int enc); +void vpsm4_ecb_encrypt(const unsigned char *in, unsigned char *out, + size_t length, const SM4_KEY *key, + const int enc); +void vpsm4_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, + size_t len, const void *key, + const unsigned char ivec[16]); +# endif /* VPSM4_CAPABLE */ + + +#endif /* OSSL_SM4_PLATFORM_H */ diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h index 934d4b089..ac50eb3bb 100644 --- a/include/internal/cryptlib.h +++ b/include/internal/cryptlib.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -59,7 +59,7 @@ typedef struct ex_callback_st EX_CALLBACK; DEFINE_STACK_OF(EX_CALLBACK) typedef struct mem_st MEM; -DEFINE_LHASH_OF(MEM); +DEFINE_LHASH_OF_EX(MEM); # define OPENSSL_CONF "openssl.cnf" 
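Review bot: The prototypes under `HWSM4_CAPABLE` and `VPSM4_CAPABLE` use `SM4_KEY`, but the only include in this header is arm_arch.h, so the header is not self-contained and compiles only when the includer has already brought in the SM4 key type; either include the header that defines `SM4_KEY` or state the include-order requirement at the top. The `VPSM4_CAPABLE` block also breaks the file's nested-preprocessor style: it opens with `#ifdef VPSM4_CAPABLE` at column 0 but closes with `# endif /* VPSM4_CAPABLE */`, while the sibling block uses `# if defined(HWSM4_CAPABLE)`; `# ifdef VPSM4_CAPABLE` keeps them consistent. The `*_ctr32_encrypt_blocks` prototypes take `const void *key` where every other entry point takes `const SM4_KEY *key`, presumably to match a generic counter-mode callback type; a one-line comment saying so would stop readers from taking it for an oversight. This hunk spans two display lines and the whole new file is visible.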
@@ -170,37 +170,18 @@ typedef struct ossl_ex_data_global_st { # define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18 # define OSSL_LIB_CTX_MAX_INDEXES 19 -# define OSSL_LIB_CTX_METHOD_LOW_PRIORITY -1 -# define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY 0 -# define OSSL_LIB_CTX_METHOD_PRIORITY_1 1 -# define OSSL_LIB_CTX_METHOD_PRIORITY_2 2 - -typedef struct ossl_lib_ctx_method { - int priority; - void *(*new_func)(OSSL_LIB_CTX *ctx); - void (*free_func)(void *); -} OSSL_LIB_CTX_METHOD; - OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx); int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx); int ossl_lib_ctx_is_global_default(OSSL_LIB_CTX *ctx); /* Functions to retrieve pointers to data by index */ -void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *, int /* index */, - const OSSL_LIB_CTX_METHOD * ctx); +void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *, int /* index */); void ossl_lib_ctx_default_deinit(void); OSSL_EX_DATA_GLOBAL *ossl_lib_ctx_get_ex_data_global(OSSL_LIB_CTX *ctx); -typedef int (ossl_lib_ctx_run_once_fn)(OSSL_LIB_CTX *ctx); -typedef void (ossl_lib_ctx_onfree_fn)(OSSL_LIB_CTX *ctx); -int ossl_lib_ctx_run_once(OSSL_LIB_CTX *ctx, unsigned int idx, - ossl_lib_ctx_run_once_fn run_once_fn); -int ossl_lib_ctx_onfree(OSSL_LIB_CTX *ctx, ossl_lib_ctx_onfree_fn onfreefn); const char *ossl_lib_ctx_get_descriptor(OSSL_LIB_CTX *libctx); -void ossl_release_default_drbg_ctx(void); - OSSL_LIB_CTX *ossl_crypto_ex_data_get_ossl_lib_ctx(const CRYPTO_EX_DATA *ad); int ossl_crypto_new_ex_data_ex(OSSL_LIB_CTX *ctx, int class_index, void *obj, CRYPTO_EX_DATA *ad); diff --git a/e_os.h b/include/internal/e_os.h similarity index 99% rename from e_os.h rename to include/internal/e_os.h index db05b7f81..7fdc38998 100644 --- a/e_os.h +++ b/include/internal/e_os.h @@ -15,7 +15,7 @@ # include # include -# include "internal/nelem.h" +# include "internal/numbers.h" /* Ensure the definition of SIZE_MAX */ /* * contains what we can justify to make visible to the 
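Review bot: With `OSSL_LIB_CTX_METHOD`, `ossl_lib_ctx_run_once` and `ossl_lib_ctx_onfree` removed, the header no longer says who creates the per-index data that `ossl_lib_ctx_get_data(OSSL_LIB_CTX *, int /* index */)` returns or when it is released, and the index parameter is still unnamed. A short comment above the declaration, naming the parameter and stating the ownership rule (the returned pointer belongs to the context and must not be freed by the caller, if that is what the implementation does), would replace the contract the removed typedef implicitly documented. The implementation side of this change is not in the hunk, so the ownership statement should be confirmed there.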
diff --git a/include/internal/namemap.h b/include/internal/namemap.h index a4c60ae69..fd36883fc 100644 --- a/include/internal/namemap.h +++ b/include/internal/namemap.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -18,8 +18,6 @@ void ossl_namemap_free(OSSL_NAMEMAP *namemap); int ossl_namemap_empty(OSSL_NAMEMAP *namemap); int ossl_namemap_add_name(OSSL_NAMEMAP *namemap, int number, const char *name); -int ossl_namemap_add_name_n(OSSL_NAMEMAP *namemap, int number, - const char *name, size_t name_len); /* * The number<->name relationship is 1<->many diff --git a/include/internal/provider.h b/include/internal/provider.h index a0d9b8f86..18937f84c 100644 --- a/include/internal/provider.h +++ b/include/internal/provider.h @@ -37,7 +37,6 @@ int ossl_provider_up_ref(OSSL_PROVIDER *prov); void ossl_provider_free(OSSL_PROVIDER *prov); /* Setters */ -int ossl_provider_set_fallback(OSSL_PROVIDER *prov); int ossl_provider_set_module_path(OSSL_PROVIDER *prov, const char *module_path); int ossl_provider_add_parameter(OSSL_PROVIDER *prov, const char *name, const char *value); diff --git a/include/internal/refcount.h b/include/internal/refcount.h index 7412d62f5..3392d3b49 100644 --- a/include/internal/refcount.h +++ b/include/internal/refcount.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -13,7 +13,7 @@ # include # include -# ifndef OPENSSL_DEV_NO_ATOMICS +# if defined(OPENSSL_THREADS) && !defined(OPENSSL_DEV_NO_ATOMICS) # if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L \ && !defined(__STDC_NO_ATOMICS__) # include diff --git a/include/internal/sockets.h b/include/internal/sockets.h index 1876af8fa..1f5fefccf 100644 --- a/include/internal/sockets.h +++ b/include/internal/sockets.h @@ -77,7 +77,7 @@ struct servent *PASCAL getservbyname(const char *, const char *); # include # else # include -# ifndef NO_SYS_UN_H +# if !defined(NO_SYS_UN_H) && defined(AF_UNIX) && !defined(OPENSSL_NO_UNIX_SOCK) # include # ifndef UNIX_PATH_MAX # define UNIX_PATH_MAX sizeof(((struct sockaddr_un *)NULL)->sun_path) @@ -125,6 +125,15 @@ struct servent *PASCAL getservbyname(const char *, const char *); # endif # endif +/* + * Some platforms define AF_UNIX, but don't support it + */ +# if !defined(OPENSSL_NO_UNIX_SOCK) +# if !defined(AF_UNIX) || defined(NO_SYS_UN_H) +# define OPENSSL_NO_UNIX_SOCK +# endif +# endif + # define get_last_socket_error() errno # define clear_socket_error() errno=0 diff --git a/include/internal/tsan_assist.h b/include/internal/tsan_assist.h index 60ecbd5f0..17205d107 100644 --- a/include/internal/tsan_assist.h +++ b/include/internal/tsan_assist.h @@ -56,8 +56,7 @@ # define TSAN_QUALIFIER _Atomic # define tsan_load(ptr) atomic_load_explicit((ptr), memory_order_relaxed) # define tsan_store(ptr, val) atomic_store_explicit((ptr), (val), memory_order_relaxed) -# define tsan_counter(ptr) atomic_fetch_add_explicit((ptr), 1, memory_order_relaxed) -# define tsan_decr(ptr) atomic_fetch_add_explicit((ptr), -1, memory_order_relaxed) +# define tsan_add(ptr, n) atomic_fetch_add_explicit((ptr), (n), memory_order_relaxed) # define tsan_ld_acq(ptr) atomic_load_explicit((ptr), memory_order_acquire) # define tsan_st_rel(ptr, val) atomic_store_explicit((ptr), (val), memory_order_release) # endif 
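Review bot: The guard now requires `OPENSSL_THREADS` before any atomic implementation is selected, so a no-threads build falls through to whatever non-atomic path follows this hunk; that is presumably intended, but nothing in the hunk records the reasoning. A comment on the `# if` line, `/* no-threads builds need no atomics: plain counters are safe without concurrency */`, would do. The remainder of the conditional chain is outside the hunk.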
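Review bot: The new comment `Some platforms define AF_UNIX, but don't support it` does not describe the condition beneath it, which defines `OPENSSL_NO_UNIX_SOCK` when `AF_UNIX` is not defined or `NO_SYS_UN_H` is; the AF_UNIX-defined-but-unsupported case is reached only through `NO_SYS_UN_H`. Reword it to `/* Disable unix-domain sockets when AF_UNIX or sys/un.h is unavailable; NO_SYS_UN_H covers platforms that define AF_UNIX without supporting it */`. Note also that this derivation comes after the `# if !defined(NO_SYS_UN_H) && defined(AF_UNIX) && !defined(OPENSSL_NO_UNIX_SOCK)` include guard changed in the earlier hunk, so that guard only ever sees a user-supplied `OPENSSL_NO_UNIX_SOCK`; it stays correct because it repeats the same conditions, which deserves a comment so the two are kept in sync.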
@@ -69,8 +68,7 @@ # define TSAN_QUALIFIER volatile # define tsan_load(ptr) __atomic_load_n((ptr), __ATOMIC_RELAXED) # define tsan_store(ptr, val) __atomic_store_n((ptr), (val), __ATOMIC_RELAXED) -# define tsan_counter(ptr) __atomic_fetch_add((ptr), 1, __ATOMIC_RELAXED) -# define tsan_decr(ptr) __atomic_fetch_add((ptr), -1, __ATOMIC_RELAXED) +# define tsan_add(ptr, n) __atomic_fetch_add((ptr), (n), __ATOMIC_RELAXED) # define tsan_ld_acq(ptr) __atomic_load_n((ptr), __ATOMIC_ACQUIRE) # define tsan_st_rel(ptr, val) __atomic_store_n((ptr), (val), __ATOMIC_RELEASE) # endif @@ -113,13 +111,10 @@ # pragma intrinsic(_InterlockedExchangeAdd) # ifdef _WIN64 # pragma intrinsic(_InterlockedExchangeAdd64) -# define tsan_counter(ptr) (sizeof(*(ptr)) == 8 ? _InterlockedExchangeAdd64((ptr), 1) \ - : _InterlockedExchangeAdd((ptr), 1)) -# define tsan_decr(ptr) (sizeof(*(ptr)) == 8 ? _InterlockedExchangeAdd64((ptr), -1) \ - : _InterlockedExchangeAdd((ptr), -1)) +# define tsan_add(ptr, n) (sizeof(*(ptr)) == 8 ? _InterlockedExchangeAdd64((ptr), (n)) \ + : _InterlockedExchangeAdd((ptr), (n))) # else -# define tsan_counter(ptr) _InterlockedExchangeAdd((ptr), 1) -# define tsan_decr(ptr) _InterlockedExchangeAdd((ptr), -1) +# define tsan_add(ptr, n) _InterlockedExchangeAdd((ptr), (n)) # endif # if !defined(_ISO_VOLATILE) # define tsan_ld_acq(ptr) (*(ptr)) @@ -139,8 +134,7 @@ # define tsan_load(ptr) (*(ptr)) # define tsan_store(ptr, val) (*(ptr) = (val)) -# define tsan_counter(ptr) ((*(ptr))++) -# define tsan_decr(ptr) ((*(ptr))--) +# define tsan_add(ptr, n) (*(ptr) += (n)) /* * Lack of tsan_ld_acq and tsan_ld_rel means that compiler support is not * sophisticated enough to support them. Code that relies on them should be @@ -148,3 +142,7 @@ */ #endif + +#define tsan_counter(ptr) tsan_add((ptr), 1) +#define tsan_decr(ptr) tsan_add((ptr), -1) + diff --git a/include/openssl/asn1.h.in b/include/openssl/asn1.h.in index 6d5094a3f..d478bc96d 100644 --- a/include/openssl/asn1.h.in 
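Review bot: The non-atomic fallback `tsan_add(ptr, n)` expands to `(*(ptr) += (n))`, whose value is the new count, whereas the atomic variants in the hunks above (`atomic_fetch_add_explicit`, `__atomic_fetch_add`, `_InterlockedExchangeAdd`) and the replaced `((*(ptr))++)` all yield the old value. Any caller that uses the result of `tsan_counter` or `tsan_decr`, now defined through `tsan_add` in the last hunk, would therefore observe different values depending on which branch was compiled. If old-value semantics are part of the contract, `# define tsan_add(ptr, n) ((*(ptr) += (n)) - (n))` keeps the fallback consistent; otherwise a comment stating that the expression value is unspecified would make the divergence deliberate. I have not checked whether any current caller uses the result.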
+++ b/include/openssl/asn1.h.in @@ -1,7 +1,7 @@ /* * {- join("\n * ", @autowarntext) -} * - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -22,6 +22,9 @@ use OpenSSL::stackhash qw(generate_stack_macros); # define HEADER_ASN1_H # endif +# ifndef OPENSSL_NO_STDIO +# include +# endif # include # include # include diff --git a/include/openssl/bn.h b/include/openssl/bn.h index ecd7f01b9..27b127a58 100644 --- a/include/openssl/bn.h +++ b/include/openssl/bn.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -344,6 +344,7 @@ int BN_gcd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); int BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); /* returns * -2 for * error */ +int BN_are_coprime(BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); BIGNUM *BN_mod_inverse(BIGNUM *ret, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx); BIGNUM *BN_mod_sqrt(BIGNUM *ret, diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in index f05cb3e54..e525e9316 100644 --- a/include/openssl/cmp.h.in +++ b/include/openssl/cmp.h.in @@ -1,7 +1,7 @@ /* * {- join("\n * ", @autowarntext) -} * - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * diff --git a/include/openssl/conf.h.in b/include/openssl/conf.h.in index b0bd579aa..044b3eb53 100644 --- a/include/openssl/conf.h.in +++ b/include/openssl/conf.h.in 
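Review bot: `BN_are_coprime(BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)` takes `a` non-const while `b` is const, which for a predicate reads as an oversight and prevents passing a const first argument. If the implementation does not modify `a`, declare it `const BIGNUM *a`; if it does, a comment next to the declaration saying why belongs here, since this is public API and the signature is hard to change afterwards. The implementation is not in this hunk, so I cannot tell which case applies.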
@@ -1,7 +1,7 @@ /* * {- join("\n * ", @autowarntext) -} * - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -28,6 +28,9 @@ use OpenSSL::stackhash qw(generate_stack_macros generate_lhash_macros); # include # include # include +# ifndef OPENSSL_NO_STDIO +# include +# endif #ifdef __cplusplus extern "C" { diff --git a/include/openssl/core_dispatch.h b/include/openssl/core_dispatch.h index 99fcda002..11e3c861a 100644 --- a/include/openssl/core_dispatch.h +++ b/include/openssl/core_dispatch.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -511,7 +511,7 @@ OSSL_CORE_MAKE_FUNC(void,rand_clear_seed, * and key material, etc, essentially everything that manipulates the keys * themselves and their parameters. * - * The key objects are commonly refered to as |keydata|, and it MUST be able + * The key objects are commonly referred to as |keydata|, and it MUST be able * to contain parameters if the key has any, the public key and the private * key. All parts are optional, but their presence determines what can be * done with the key object in terms of encryption, signature, and so on. diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index 6bed5a8a6..f5dcb9954 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h 
@@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -21,11 +21,12 @@ extern "C" { #define OSSL_PROV_PARAM_CORE_MODULE_FILENAME "module-filename" /* utf8_ptr */ /* Well known parameter names that Providers can define */ -#define OSSL_PROV_PARAM_NAME "name" /* utf8_ptr */ -#define OSSL_PROV_PARAM_VERSION "version" /* utf8_ptr */ -#define OSSL_PROV_PARAM_BUILDINFO "buildinfo" /* utf8_ptr */ -#define OSSL_PROV_PARAM_STATUS "status" /* uint */ -#define OSSL_PROV_PARAM_SECURITY_CHECKS "security-checks" /* uint */ +#define OSSL_PROV_PARAM_NAME "name" /* utf8_ptr */ +#define OSSL_PROV_PARAM_VERSION "version" /* utf8_ptr */ +#define OSSL_PROV_PARAM_BUILDINFO "buildinfo" /* utf8_ptr */ +#define OSSL_PROV_PARAM_STATUS "status" /* uint */ +#define OSSL_PROV_PARAM_SECURITY_CHECKS "security-checks" /* uint */ +#define OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check" /* uint */ /* Self test callback parameters */ #define OSSL_PROV_PARAM_SELF_TEST_PHASE "st-phase" /* utf8_string */ @@ -217,6 +218,7 @@ extern "C" { #define OSSL_KDF_PARAM_PKCS12_ID "id" /* int */ #define OSSL_KDF_PARAM_KBKDF_USE_L "use-l" /* int */ #define OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR "use-separator" /* int */ +#define OSSL_KDF_PARAM_KBKDF_R "r" /* int */ #define OSSL_KDF_PARAM_X942_ACVPINFO "acvp-info" #define OSSL_KDF_PARAM_X942_PARTYUINFO "partyu-info" #define OSSL_KDF_PARAM_X942_PARTYVINFO "partyv-info" @@ -397,6 +399,7 @@ extern "C" { #define OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST "digest" #define OSSL_PKEY_RSA_PSS_SALT_LEN_MAX "max" #define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO "auto" +#define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX "auto-digestmax" /* Key generation parameters */ #define OSSL_PKEY_PARAM_RSA_BITS OSSL_PKEY_PARAM_BITS 
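Review bot: `OSSL_KDF_PARAM_KBKDF_R` is introduced with the bare string `"r"` and only `/* int */` as documentation, which tells a provider or application author nothing about what the integer means or which values are accepted. The neighbouring entries are equally terse, but a single-letter parameter name needs more, e.g. `/* int: KBKDF counter length in bits (the SP 800-108 "r") */`, with the permitted values listed wherever the KBKDF parameters are documented. The reading as the SP 800-108 counter length is mine from the name and should be confirmed against the KBKDF implementation.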
diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in index 7232f647e..fb0c7cbb8 100644 --- a/include/openssl/crypto.h.in +++ b/include/openssl/crypto.h.in @@ -318,11 +318,11 @@ void CRYPTO_get_mem_functions(CRYPTO_malloc_fn *malloc_fn, CRYPTO_realloc_fn *realloc_fn, CRYPTO_free_fn *free_fn); -void *CRYPTO_malloc(size_t num, const char *file, int line); -void *CRYPTO_zalloc(size_t num, const char *file, int line); -void *CRYPTO_memdup(const void *str, size_t siz, const char *file, int line); -char *CRYPTO_strdup(const char *str, const char *file, int line); -char *CRYPTO_strndup(const char *str, size_t s, const char *file, int line); +OSSL_CRYPTO_ALLOC void *CRYPTO_malloc(size_t num, const char *file, int line); +OSSL_CRYPTO_ALLOC void *CRYPTO_zalloc(size_t num, const char *file, int line); +OSSL_CRYPTO_ALLOC void *CRYPTO_memdup(const void *str, size_t siz, const char *file, int line); +OSSL_CRYPTO_ALLOC char *CRYPTO_strdup(const char *str, const char *file, int line); +OSSL_CRYPTO_ALLOC char *CRYPTO_strndup(const char *str, size_t s, const char *file, int line); void CRYPTO_free(void *ptr, const char *file, int line); void CRYPTO_clear_free(void *ptr, size_t num, const char *file, int line); void *CRYPTO_realloc(void *addr, size_t num, const char *file, int line); @@ -331,8 +331,8 @@ void *CRYPTO_clear_realloc(void *addr, size_t old_num, size_t num, int CRYPTO_secure_malloc_init(size_t sz, size_t minsize); int CRYPTO_secure_malloc_done(void); -void *CRYPTO_secure_malloc(size_t num, const char *file, int line); -void *CRYPTO_secure_zalloc(size_t num, const char *file, int line); +OSSL_CRYPTO_ALLOC void *CRYPTO_secure_malloc(size_t num, const char *file, int line); +OSSL_CRYPTO_ALLOC void *CRYPTO_secure_zalloc(size_t num, const char *file, int line); void CRYPTO_secure_free(void *ptr, const char *file, int line); void CRYPTO_secure_clear_free(void *ptr, size_t num, const char *file, int line); 
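Review bot: `OSSL_CRYPTO_ALLOC` is applied to the malloc/zalloc/memdup/strdup/strndup family and to secure_malloc/secure_zalloc, but `CRYPTO_realloc` and `CRYPTO_clear_realloc`, visible in the same hunk, are left unannotated. If the macro expands to a malloc-style attribute that is correct, because a realloc result may alias its input, but without a comment the omission reads as accidental; `/* CRYPTO_realloc and CRYPTO_clear_realloc intentionally lack OSSL_CRYPTO_ALLOC: the result may alias |addr| */` beside them settles it. The macro's definition is not in this hunk, so its intent is inferred from the name.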
diff --git a/include/openssl/cryptoerr.h b/include/openssl/cryptoerr.h index c6a04d9b9..e84b12df6 100644 --- a/include/openssl/cryptoerr.h +++ b/include/openssl/cryptoerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -28,10 +28,19 @@ # define CRYPTO_R_INSUFFICIENT_DATA_SPACE 106 # define CRYPTO_R_INSUFFICIENT_PARAM_SIZE 107 # define CRYPTO_R_INSUFFICIENT_SECURE_DATA_SPACE 108 +# define CRYPTO_R_INTEGER_OVERFLOW 127 # define CRYPTO_R_INVALID_NEGATIVE_VALUE 122 # define CRYPTO_R_INVALID_NULL_ARGUMENT 109 # define CRYPTO_R_INVALID_OSSL_PARAM_TYPE 110 +# define CRYPTO_R_NO_PARAMS_TO_MERGE 131 +# define CRYPTO_R_NO_SPACE_FOR_TERMINATING_NULL 128 # define CRYPTO_R_ODD_NUMBER_OF_DIGITS 103 +# define CRYPTO_R_PARAM_CANNOT_BE_REPRESENTED_EXACTLY 123 +# define CRYPTO_R_PARAM_NOT_INTEGER_TYPE 124 +# define CRYPTO_R_PARAM_OF_INCOMPATIBLE_TYPE 129 +# define CRYPTO_R_PARAM_UNSIGNED_INTEGER_NEGATIVE_VALUE_UNSUPPORTED 125 +# define CRYPTO_R_PARAM_UNSUPPORTED_FLOATING_POINT_FORMAT 130 +# define CRYPTO_R_PARAM_VALUE_TOO_LARGE_FOR_DESTINATION 126 # define CRYPTO_R_PROVIDER_ALREADY_EXISTS 104 # define CRYPTO_R_PROVIDER_SECTION_ERROR 105 # define CRYPTO_R_RANDOM_SECTION_ERROR 119 diff --git a/include/openssl/dh.h b/include/openssl/dh.h index b97871eca..ec5a493da 100644 --- a/include/openssl/dh.h +++ b/include/openssl/dh.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -79,6 +79,9 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm); # define EVP_PKEY_DH_KDF_NONE 1 # define EVP_PKEY_DH_KDF_X9_42 2 +# ifndef OPENSSL_NO_STDIO +# include +# endif # ifndef OPENSSL_NO_DH # include # include diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h index 5c0e4cddf..160404cc7 100644 --- a/include/openssl/dsa.h +++ b/include/openssl/dsa.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -19,12 +19,27 @@ # include # include +# include + +# ifndef OPENSSL_NO_DSA +# include +# include +# include +# include +# include +# ifndef OPENSSL_NO_DEPRECATED_1_1_0 +# include +# endif +# include +# ifndef OPENSSL_NO_STDIO +# include +# endif +# endif + # ifdef __cplusplus extern "C" { # endif -# include - int EVP_PKEY_CTX_set_dsa_paramgen_bits(EVP_PKEY_CTX *ctx, int nbits); int EVP_PKEY_CTX_set_dsa_paramgen_q_bits(EVP_PKEY_CTX *ctx, int qbits); int EVP_PKEY_CTX_set_dsa_paramgen_md_props(EVP_PKEY_CTX *ctx, @@ -42,16 +57,6 @@ int EVP_PKEY_CTX_set_dsa_paramgen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md); # define EVP_PKEY_CTRL_DSA_PARAMGEN_MD (EVP_PKEY_ALG_CTRL + 3) # ifndef OPENSSL_NO_DSA -# include -# include -# include -# include -# include -# ifndef OPENSSL_NO_DEPRECATED_1_1_0 -# include -# endif -# include - # ifndef OPENSSL_DSA_MAX_MODULUS_BITS # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 # endif diff --git a/include/openssl/dsaerr.h b/include/openssl/dsaerr.h index 5f0ca8d12..26ada57d8 100644 --- a/include/openssl/dsaerr.h +++ b/include/openssl/dsaerr.h 
@@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -38,6 +38,7 @@ # define DSA_R_P_NOT_PRIME 115 # define DSA_R_Q_NOT_PRIME 113 # define DSA_R_SEED_LEN_SMALL 110 +# define DSA_R_TOO_MANY_RETRIES 116 # endif #endif diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h index 672890927..32e142a97 100644 --- a/include/openssl/e_os2.h +++ b/include/openssl/e_os2.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -248,6 +248,9 @@ typedef int int32_t; typedef unsigned int uint32_t; typedef __int64 int64_t; typedef unsigned __int64 uint64_t; +# elif defined(OPENSSL_SYS_TANDEM) +# include +# include # else # include # undef OPENSSL_NO_STDINT_H diff --git a/include/openssl/ec.h b/include/openssl/ec.h index 44d71932d..be9fb2f08 100644 --- a/include/openssl/ec.h +++ b/include/openssl/ec.h @@ -88,6 +88,9 @@ typedef enum { const char *OSSL_EC_curve_nid2name(int nid); +# ifndef OPENSSL_NO_STDIO +# include +# endif # ifndef OPENSSL_NO_EC # include # include diff --git a/include/openssl/ecerr.h b/include/openssl/ecerr.h index 46405ac62..f15f91f6b 100644 --- a/include/openssl/ecerr.h +++ b/include/openssl/ecerr.h 
@@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -90,6 +90,7 @@ # define EC_R_RANDOM_NUMBER_GENERATION_FAILED 158 # define EC_R_SHARED_INFO_ERROR 150 # define EC_R_SLOT_FULL 108 +# define EC_R_TOO_MANY_RETRIES 176 # define EC_R_UNDEFINED_GENERATOR 113 # define EC_R_UNDEFINED_ORDER 128 # define EC_R_UNKNOWN_COFACTOR 164 diff --git a/include/openssl/engine.h b/include/openssl/engine.h index c96580085..2fbc82c3f 100644 --- a/include/openssl/engine.h +++ b/include/openssl/engine.h @@ -612,7 +612,7 @@ OSSL_DEPRECATEDIN_3_0 int ENGINE_get_flags(const ENGINE *e); */ /* - * Initialise a engine type for use (or up its reference count if it's + * Initialise an engine type for use (or up its reference count if it's * already in use). This will fail if the engine is not currently operational * and cannot initialise. */ @@ -620,7 +620,7 @@ OSSL_DEPRECATEDIN_3_0 int ENGINE_get_flags(const ENGINE *e); OSSL_DEPRECATEDIN_3_0 int ENGINE_init(ENGINE *e); # endif /* - * Free a functional reference to a engine type. This does not require a + * Free a functional reference to an engine type. This does not require a * corresponding call to ENGINE_free as it also releases a structural * reference. */ diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 49e8e1df7..86f4e22c7 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h 
@@ -634,6 +634,7 @@ unsigned char *EVP_CIPHER_CTX_buf_noconst(EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_get_num(const EVP_CIPHER_CTX *ctx); # define EVP_CIPHER_CTX_num EVP_CIPHER_CTX_get_num int EVP_CIPHER_CTX_set_num(EVP_CIPHER_CTX *ctx, int num); +EVP_CIPHER_CTX *EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in); int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in); void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx); void EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx, void *data); @@ -699,6 +700,7 @@ void EVP_MD_CTX_free(EVP_MD_CTX *ctx); # define EVP_MD_CTX_create() EVP_MD_CTX_new() # define EVP_MD_CTX_init(ctx) EVP_MD_CTX_reset((ctx)) # define EVP_MD_CTX_destroy(ctx) EVP_MD_CTX_free((ctx)) +__owur EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in); __owur int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in); void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags); void EVP_MD_CTX_clear_flags(EVP_MD_CTX *ctx, int flags); @@ -1248,6 +1250,7 @@ const OSSL_PROVIDER *EVP_RAND_get0_provider(const EVP_RAND *rand); int EVP_RAND_get_params(EVP_RAND *rand, OSSL_PARAM params[]); EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, EVP_RAND_CTX *parent); +int EVP_RAND_CTX_up_ref(EVP_RAND_CTX *ctx); void EVP_RAND_CTX_free(EVP_RAND_CTX *ctx); EVP_RAND *EVP_RAND_CTX_get0_rand(EVP_RAND_CTX *ctx); int EVP_RAND_CTX_get_params(EVP_RAND_CTX *ctx, OSSL_PARAM params[]); diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h index 0fdf5440c..a94e26239 100644 --- a/include/openssl/fips_names.h +++ b/include/openssl/fips_names.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
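Review bot: `EVP_CIPHER_CTX_dup` in this hunk is declared without `__owur`, while the parallel `EVP_MD_CTX_dup` in the next hunk carries it; both return a freshly allocated context that leaks when the result is dropped, so they should be annotated alike, `__owur EVP_CIPHER_CTX *EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in);`. The same applies to `EVP_RAND_CTX_up_ref` in the third hunk, whose return value says whether the reference was taken; ignoring it leads to a later use of a context the caller does not own, so `__owur` is warranted there too unless the surrounding `*_up_ref` declarations deliberately omit it.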
@@ -53,6 +53,14 @@ extern "C" { */ # define OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS "security-checks" +/* + * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed. + * This is disabled by default. + * + * Type: OSSL_PARAM_UTF8_STRING + */ +# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check" + # ifdef __cplusplus } # endif diff --git a/include/openssl/lhash.h.in b/include/openssl/lhash.h.in index febefa3c4..dc344a548 100644 --- a/include/openssl/lhash.h.in +++ b/include/openssl/lhash.h.in @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -26,6 +26,9 @@ use OpenSSL::stackhash qw(generate_lhash_macros); # include # include +# ifndef OPENSSL_NO_STDIO +# include +# endif #ifdef __cplusplus extern "C" { 
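Review bot: The new comment calls `OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK` a boolean yet gives its type as `OSSL_PARAM_UTF8_STRING` and never says which strings are accepted, which matters because this switch gates a FIPS-relevant check on the TLS PRF. Listing the accepted values in the comment, in the same form used for `OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS` above it (for example ` * Accepted values: "1" (enabled) and "0" (disabled); disabled by default.`, if those are the strings the parser takes), removes the ambiguity. The accepted strings are not visible here, so copy them from the provider-side parser rather than from this example.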
@@ -94,13 +97,17 @@ unsigned long OPENSSL_LH_get_down_load(const OPENSSL_LHASH *lh);
 void OPENSSL_LH_set_down_load(OPENSSL_LHASH *lh, unsigned long down_load);
 # ifndef OPENSSL_NO_STDIO
-void OPENSSL_LH_stats(const OPENSSL_LHASH *lh, FILE *fp);
-void OPENSSL_LH_node_stats(const OPENSSL_LHASH *lh, FILE *fp);
-void OPENSSL_LH_node_usage_stats(const OPENSSL_LHASH *lh, FILE *fp);
+# ifndef OPENSSL_NO_DEPRECATED_3_1
+OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_stats(const OPENSSL_LHASH *lh, FILE *fp);
+OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_node_stats(const OPENSSL_LHASH *lh, FILE *fp);
+OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_node_usage_stats(const OPENSSL_LHASH *lh, FILE *fp);
+# endif
+# endif
+# ifndef OPENSSL_NO_DEPRECATED_3_1
+OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_stats_bio(const OPENSSL_LHASH *lh, BIO *out);
+OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_node_stats_bio(const OPENSSL_LHASH *lh, BIO *out);
+OSSL_DEPRECATEDIN_3_1 void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH *lh, BIO *out);
 # endif
-void OPENSSL_LH_stats_bio(const OPENSSL_LHASH *lh, BIO *out);
-void OPENSSL_LH_node_stats_bio(const OPENSSL_LHASH *lh, BIO *out);
-void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH *lh, BIO *out);
 # ifndef OPENSSL_NO_DEPRECATED_1_1_0
 # define _LHASH OPENSSL_LHASH
@@ -131,110 +138,145 @@ void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH *lh, BIO *out);
 /* Helper macro for internal use */
 # define DEFINE_LHASH_OF_INTERNAL(type) \
- LHASH_OF(type) { union lh_##type##_dummy { void* d1; unsigned long d2; int d3; } dummy; }; \
+ LHASH_OF(type) { \
+ union lh_##type##_dummy { void* d1; unsigned long d2; int d3; } dummy; \
+ }; \
 typedef int (*lh_##type##_compfunc)(const type *a, const type *b); \
 typedef unsigned long (*lh_##type##_hashfunc)(const type *a); \
 typedef void (*lh_##type##_doallfunc)(type *a); \
- static ossl_unused ossl_inline type *ossl_check_##type##_lh_plain_type(type *ptr) \
+ static ossl_unused ossl_inline type *\
+ ossl_check_##type##_lh_plain_type(type *ptr) \
 { \
 return ptr; \
 } \
- static ossl_unused ossl_inline const type *ossl_check_const_##type##_lh_plain_type(const type *ptr) \
+ static ossl_unused ossl_inline const type * \
+ ossl_check_const_##type##_lh_plain_type(const type *ptr) \
 { \
 return ptr; \
 } \
- static ossl_unused ossl_inline const OPENSSL_LHASH *ossl_check_const_##type##_lh_type(const LHASH_OF(type) *lh) \
+ static ossl_unused ossl_inline const OPENSSL_LHASH * \
+ ossl_check_const_##type##_lh_type(const LHASH_OF(type) *lh) \
 { \
 return (const OPENSSL_LHASH *)lh; \
 } \
- static ossl_unused ossl_inline OPENSSL_LHASH *ossl_check_##type##_lh_type(LHASH_OF(type) *lh) \
+ static ossl_unused ossl_inline OPENSSL_LHASH * \
+ ossl_check_##type##_lh_type(LHASH_OF(type) *lh) \
 { \
 return (OPENSSL_LHASH *)lh; \
 } \
- static ossl_unused ossl_inline OPENSSL_LH_COMPFUNC ossl_check_##type##_lh_compfunc_type(lh_##type##_compfunc cmp) \
+ static ossl_unused ossl_inline OPENSSL_LH_COMPFUNC \
+ ossl_check_##type##_lh_compfunc_type(lh_##type##_compfunc cmp) \
 { \
 return (OPENSSL_LH_COMPFUNC)cmp; \
 } \
- static ossl_unused ossl_inline OPENSSL_LH_HASHFUNC ossl_check_##type##_lh_hashfunc_type(lh_##type##_hashfunc hfn) \
+ static ossl_unused ossl_inline OPENSSL_LH_HASHFUNC \
+ ossl_check_##type##_lh_hashfunc_type(lh_##type##_hashfunc hfn) \
 { \
 return (OPENSSL_LH_HASHFUNC)hfn; \
 } \
- static ossl_unused ossl_inline OPENSSL_LH_DOALL_FUNC ossl_check_##type##_lh_doallfunc_type(lh_##type##_doallfunc dfn) \
+ static ossl_unused ossl_inline OPENSSL_LH_DOALL_FUNC \
+ ossl_check_##type##_lh_doallfunc_type(lh_##type##_doallfunc dfn) \
 { \
 return (OPENSSL_LH_DOALL_FUNC)dfn; \
 } \
 LHASH_OF(type)
-# define DEFINE_LHASH_OF(type) \
- LHASH_OF(type) { union lh_##type##_dummy { void* d1; unsigned long d2; int d3; } dummy; }; \
- static ossl_unused ossl_inline LHASH_OF(type) *lh_##type##_new(unsigned long (*hfn)(const type *), \
- int (*cfn)(const type *, const type *)) \
+# ifndef OPENSSL_NO_DEPRECATED_3_1
+# define DEFINE_LHASH_OF_DEPRECATED(type) \
+ static ossl_unused ossl_inline void \
+ lh_##type##_node_stats_bio(const LHASH_OF(type) *lh, BIO *out) \
+ { \
+ OPENSSL_LH_node_stats_bio((const OPENSSL_LHASH *)lh, out); \
+ } \
+ static ossl_unused ossl_inline void \
+ lh_##type##_node_usage_stats_bio(const LHASH_OF(type) *lh, BIO *out) \
+ { \
+ OPENSSL_LH_node_usage_stats_bio((const OPENSSL_LHASH *)lh, out); \
+ } \
+ static ossl_unused ossl_inline void \
+ lh_##type##_stats_bio(const LHASH_OF(type) *lh, BIO *out) \
+ { \
+ OPENSSL_LH_stats_bio((const OPENSSL_LHASH *)lh, out); \
+ }
+# else
+# define DEFINE_LHASH_OF_DEPRECATED(type)
+# endif
+
+# define DEFINE_LHASH_OF_EX(type) \
+ LHASH_OF(type) { \
+ union lh_##type##_dummy { void* d1; unsigned long d2; int d3; } dummy; \
+ }; \
+ static ossl_unused ossl_inline LHASH_OF(type) * \
+ lh_##type##_new(unsigned long (*hfn)(const type *), \
+ int (*cfn)(const type *, const type *)) \
 { \
 return (LHASH_OF(type) *) \
 OPENSSL_LH_new((OPENSSL_LH_HASHFUNC)hfn, (OPENSSL_LH_COMPFUNC)cfn); \
 } \
- static ossl_unused ossl_inline void lh_##type##_free(LHASH_OF(type) *lh) \
+ static ossl_unused ossl_inline void \
+ lh_##type##_free(LHASH_OF(type) *lh) \
 { \
 OPENSSL_LH_free((OPENSSL_LHASH *)lh); \
 } \
- static ossl_unused ossl_inline void lh_##type##_flush(LHASH_OF(type) *lh) \
+ static ossl_unused ossl_inline void \
+ lh_##type##_flush(LHASH_OF(type) *lh) \
 { \
 OPENSSL_LH_flush((OPENSSL_LHASH *)lh); \
 } \
- static ossl_unused ossl_inline type *lh_##type##_insert(LHASH_OF(type) *lh, type *d) \
+ static ossl_unused ossl_inline type * \
+ lh_##type##_insert(LHASH_OF(type) *lh, type *d) \
 { \
 return (type *)OPENSSL_LH_insert((OPENSSL_LHASH *)lh, d); \
 } \
- static ossl_unused ossl_inline type *lh_##type##_delete(LHASH_OF(type) *lh, const type *d) \
+ static ossl_unused ossl_inline type * \
+ lh_##type##_delete(LHASH_OF(type) *lh, const type *d) \
 { \
 return (type *)OPENSSL_LH_delete((OPENSSL_LHASH *)lh, d); \
 } \
- static ossl_unused ossl_inline type *lh_##type##_retrieve(LHASH_OF(type) *lh, const type *d) \
+ static ossl_unused ossl_inline type * \
+ lh_##type##_retrieve(LHASH_OF(type) *lh, const type *d) \
 { \
 return (type *)OPENSSL_LH_retrieve((OPENSSL_LHASH *)lh, d); \
 } \
- static ossl_unused ossl_inline int lh_##type##_error(LHASH_OF(type) *lh) \
+ static ossl_unused ossl_inline int \
+ lh_##type##_error(LHASH_OF(type) *lh) \
 { \
 return OPENSSL_LH_error((OPENSSL_LHASH *)lh); \
 } \
- static ossl_unused ossl_inline unsigned long lh_##type##_num_items(LHASH_OF(type) *lh) \
+ static ossl_unused ossl_inline unsigned long \
+ lh_##type##_num_items(LHASH_OF(type) *lh) \
 { \
 return OPENSSL_LH_num_items((OPENSSL_LHASH *)lh); \
 } \
- static ossl_unused ossl_inline void lh_##type##_node_stats_bio(const LHASH_OF(type) *lh, BIO *out) \
- { \
- OPENSSL_LH_node_stats_bio((const OPENSSL_LHASH *)lh, out); \
- } \
- static ossl_unused ossl_inline void lh_##type##_node_usage_stats_bio(const LHASH_OF(type) *lh, BIO *out) \
- { \
- OPENSSL_LH_node_usage_stats_bio((const OPENSSL_LHASH *)lh, out); \
- } \
- static ossl_unused ossl_inline void lh_##type##_stats_bio(const LHASH_OF(type) *lh, BIO *out) \
- { \
- OPENSSL_LH_stats_bio((const OPENSSL_LHASH *)lh, out); \
- } \
- static ossl_unused ossl_inline unsigned long lh_##type##_get_down_load(LHASH_OF(type) *lh) \
+ static ossl_unused ossl_inline unsigned long \
+ lh_##type##_get_down_load(LHASH_OF(type) *lh) \
 { \
 return OPENSSL_LH_get_down_load((OPENSSL_LHASH *)lh); \
 } \
- static ossl_unused ossl_inline void lh_##type##_set_down_load(LHASH_OF(type) *lh, unsigned long dl) \
+ static ossl_unused ossl_inline void \
+ lh_##type##_set_down_load(LHASH_OF(type) *lh, unsigned long dl) \
 { \
 OPENSSL_LH_set_down_load((OPENSSL_LHASH *)lh, dl); \
 } \
- static ossl_unused ossl_inline void lh_##type##_doall(LHASH_OF(type) *lh, \
- void (*doall)(type *)) \
+ static ossl_unused ossl_inline void \
+ lh_##type##_doall(LHASH_OF(type) *lh, void (*doall)(type *)) \
 { \
 OPENSSL_LH_doall((OPENSSL_LHASH *)lh, (OPENSSL_LH_DOALL_FUNC)doall); \
 } \
- static ossl_unused ossl_inline void lh_##type##_doall_arg(LHASH_OF(type) *lh, \
- void (*doallarg)(type *, void *), \
- void *arg) \
+ static ossl_unused ossl_inline void \
+ lh_##type##_doall_arg(LHASH_OF(type) *lh, \
+ void (*doallarg)(type *, void *), void *arg) \
 { \
 OPENSSL_LH_doall_arg((OPENSSL_LHASH *)lh, \
 (OPENSSL_LH_DOALL_FUNCARG)doallarg, arg); \
 } \
 LHASH_OF(type)
+# define DEFINE_LHASH_OF(type) \
+ DEFINE_LHASH_OF_EX(type); \
+ DEFINE_LHASH_OF_DEPRECATED(type) \
+ LHASH_OF(type)
+
 #define IMPLEMENT_LHASH_DOALL_ARG_CONST(type, argtype) \
 int_implement_lhash_doall(type, argtype, const type)
@@ -247,7 +289,8 @@ void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH *lh, BIO *out);
 void (*fn)(cbargtype *, argtype *), \
 argtype *arg) \
 { \
- OPENSSL_LH_doall_arg((OPENSSL_LHASH *)lh, (OPENSSL_LH_DOALL_FUNCARG)fn, (void *)arg); \
+ OPENSSL_LH_doall_arg((OPENSSL_LHASH *)lh, \
+ (OPENSSL_LH_DOALL_FUNCARG)fn, (void *)arg); \
 } \
 LHASH_OF(type)
diff --git a/include/openssl/macros.h b/include/openssl/macros.h
index a6bc3f1fe..bcd42ec73 100644
--- a/include/openssl/macros.h
+++ b/include/openssl/macros.h
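Review bot: The three `lh_##type##_*stats_bio` wrappers generated by the new `DEFINE_LHASH_OF_DEPRECATED` are not themselves marked `OSSL_DEPRECATEDIN_3_1`, although their bodies call `OPENSSL_LH_*stats_bio`, which this same diff deprecates in the earlier lhash.h.in hunk. Because the wrappers are `static ossl_inline` in a header, the deprecated call sites may be diagnosed under `-Wdeprecated-declarations` in every translation unit that expands `DEFINE_LHASH_OF(...)`, whether or not the wrapper is ever used, unless the consumer builds with deprecation suppressed; worth confirming with a `-Werror=deprecated-declarations` build of a file that only defines an LHASH type. Prefixing each wrapper's return type with `OSSL_DEPRECATEDIN_3_1` would carry the deprecation to real callers of `lh_TYPE_stats_bio` and, on compilers that silence nested deprecation diagnostics, remove the noise. A comment above `DEFINE_LHASH_OF_DEPRECATED` stating that it exists only to keep the old `lh_TYPE_*stats_bio` names compiling would also help the next maintainer.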
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
@@ -177,6 +177,17 @@
 # undef OPENSSL_NO_DEPRECATED_1_0_0
 # undef OPENSSL_NO_DEPRECATED_0_9_8
+# if OPENSSL_API_LEVEL >= 30100
+# ifndef OPENSSL_NO_DEPRECATED
+# define OSSL_DEPRECATEDIN_3_1 OSSL_DEPRECATED(3.1)
+# define OSSL_DEPRECATEDIN_3_1_FOR(msg) OSSL_DEPRECATED_FOR(3.1, msg)
+# else
+# define OPENSSL_NO_DEPRECATED_3_1
+# endif
+# else
+# define OSSL_DEPRECATEDIN_3_1
+# define OSSL_DEPRECATEDIN_3_1_FOR(msg)
+# endif
 # if OPENSSL_API_LEVEL >= 30000
 # ifndef OPENSSL_NO_DEPRECATED
 # define OSSL_DEPRECATEDIN_3_0 OSSL_DEPRECATED(3.0)
@@ -301,4 +312,14 @@
 # endif
 # endif
+# ifndef OSSL_CRYPTO_ALLOC
+# if defined(__GNUC__)
+# define OSSL_CRYPTO_ALLOC __attribute__((malloc))
+# elif defined(_MSC_VER)
+# define OSSL_CRYPTO_ALLOC __declspec(restrict)
+# else
+# define OSSL_CRYPTO_ALLOC
+# endif
+# endif
+
 #endif /* OPENSSL_MACROS_H */
diff --git a/include/openssl/pem.h b/include/openssl/pem.h
index 80940dfa9..000d9c89c 100644
--- a/include/openssl/pem.h
+++ b/include/openssl/pem.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
@@ -22,6 +22,9 @@
 # include
 # include
 # include
+# ifndef OPENSSL_NO_STDIO
+# include
+# endif
 #ifdef __cplusplus
 extern "C" {
diff --git a/include/openssl/pkcs12.h.in b/include/openssl/pkcs12.h.in
index c98eebfb3..cf956b418 100644
--- a/include/openssl/pkcs12.h.in
+++ b/include/openssl/pkcs12.h.in
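Review bot: `OSSL_CRYPTO_ALLOC` expands to `__attribute__((malloc))` under GCC in the `-301,4` hunk, and that attribute promises more than the MSVC `__declspec(restrict)` fallback does: GCC takes it to mean not only that the returned pointer aliases nothing else, but that the storage it points to contains no pointers to valid objects, so attaching it to a function that returns a populated copy (a `*_dup` of a struct holding pointers) can mislead alias analysis. Where the macro is applied is not in this hunk, so the definition itself should carry the restriction, e.g. `/* Only for functions returning freshly allocated memory that holds no valid pointers (GCC "malloc" attribute semantics) */` placed above `# ifndef OSSL_CRYPTO_ALLOC`. The new `OPENSSL_API_LEVEL >= 30100` block mirrors the 3.0 one beneath it and looks right.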
@@ -1,7 +1,7 @@
 /*
  * {- join("\n * ", @autowarntext) -}
  *
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
@@ -26,6 +26,9 @@ use OpenSSL::stackhash qw(generate_stack_macros);
 # include
 # include
 # include
+# ifndef OPENSSL_NO_STDIO
+# include
+# endif
 #ifdef __cplusplus
 extern "C" {
diff --git a/include/openssl/pkcs7.h.in b/include/openssl/pkcs7.h.in
index f5c55a3fb..0a0c415b1 100644
--- a/include/openssl/pkcs7.h.in
+++ b/include/openssl/pkcs7.h.in
@@ -1,7 +1,7 @@
 /*
  * {- join("\n * ", @autowarntext) -}
  *
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
@@ -29,6 +29,9 @@ use OpenSSL::stackhash qw(generate_stack_macros);
 # include
 # include
 # include
+# ifndef OPENSSL_NO_STDIO
+# include
+# endif
 #ifdef __cplusplus
 extern "C" {
diff --git a/include/openssl/proverr.h b/include/openssl/proverr.h
index ad67a8f89..5d5c16d9d 100644
--- a/include/openssl/proverr.h
+++ b/include/openssl/proverr.h
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
@@ -32,6 +32,7 @@
 # define PROV_R_CIPHER_OPERATION_FAILED 102
 # define PROV_R_DERIVATION_FUNCTION_INIT_FAILED 205
 # define PROV_R_DIGEST_NOT_ALLOWED 174
+# define PROV_R_EMS_NOT_ENABLED 233
 # define PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK 186
 # define PROV_R_ERROR_INSTANTIATING_DRBG 188
 # define PROV_R_ERROR_RETRIEVING_ENTROPY 189
diff --git a/include/openssl/rand.h b/include/openssl/rand.h
index ad3054fd5..90e0f0a03 100644
--- a/include/openssl/rand.h
+++ b/include/openssl/rand.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
@@ -82,6 +82,8 @@ OSSL_DEPRECATEDIN_1_1_0 int RAND_pseudo_bytes(unsigned char *buf, int num);
 EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx);
 EVP_RAND_CTX *RAND_get0_public(OSSL_LIB_CTX *ctx);
 EVP_RAND_CTX *RAND_get0_private(OSSL_LIB_CTX *ctx);
+int RAND_set0_public(OSSL_LIB_CTX *ctx, EVP_RAND_CTX *rand);
+int RAND_set0_private(OSSL_LIB_CTX *ctx, EVP_RAND_CTX *rand);
 int RAND_set_DRBG_type(OSSL_LIB_CTX *ctx, const char *drbg, const char *propq,
 const char *cipher, const char *digest);
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index a55c9727c..d0c959927 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
@@ -27,6 +27,9 @@
 # endif
 # include
 # include
+# ifndef OPENSSL_NO_STDIO
+# include
+# endif
 # ifdef __cplusplus
 extern "C" {
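Review bot: `RAND_set0_public` and `RAND_set0_private` in the rand.h `-82,6` hunk let an application replace the library context's public and private DRBGs, but the declarations say nothing about ownership of `rand` or about what happens to the instance previously installed, and the `set0` naming only implies the success case. Add a comment above the pair, e.g. `/* Install |rand| as the context's public/private DRBG; ownership of |rand| passes to the context on success (1), the caller keeps it on failure (0). */`, and check the wording against the implementation, which is not in this diff. Since these functions swap the source of all key material produced through the context, the comment should also say whether the replacement is safe while other threads are drawing from `RAND_get0_public`/`RAND_get0_private`, or whether it must happen before the context is shared.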
@@ -137,6 +140,9 @@ int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp);
 # define RSA_PSS_SALTLEN_AUTO -2
 /* Set salt length to maximum possible */
 # define RSA_PSS_SALTLEN_MAX -3
+/* Auto-detect on verify, set salt length to min(maximum possible, digest
+ * length) on sign */
+# define RSA_PSS_SALTLEN_AUTO_DIGEST_MAX -4
 /* Old compatible max salt length for sign only */
 # define RSA_PSS_SALTLEN_MAX_SIGN -2
diff --git a/include/openssl/self_test.h b/include/openssl/self_test.h
index ee4949e5a..337a3190c 100644
--- a/include/openssl/self_test.h
+++ b/include/openssl/self_test.h
@@ -30,6 +30,8 @@ extern "C" {
 # define OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY "Install_Integrity"
 # define OSSL_SELF_TEST_TYPE_CRNG "Continuous_RNG_Test"
 # define OSSL_SELF_TEST_TYPE_PCT "Conditional_PCT"
+# define OSSL_SELF_TEST_TYPE_PCT_KAT "Conditional_KAT"
+# define OSSL_SELF_TEST_TYPE_KAT_INTEGRITY "KAT_Integrity"
 # define OSSL_SELF_TEST_TYPE_KAT_CIPHER "KAT_Cipher"
 # define OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER "KAT_AsymmetricCipher"
 # define OSSL_SELF_TEST_TYPE_KAT_DIGEST "KAT_Digest"
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 105b4a4a3..f03f52fbd 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -43,6 +43,9 @@ use OpenSSL::stackhash qw(generate_stack_macros generate_const_stack_macros);
 # include
 # include
 # include
+# ifndef OPENSSL_NO_STDIO
+# include
+# endif
 #ifdef __cplusplus
 extern "C" {
diff --git a/include/openssl/ssl.h.in b/include/openssl/sslerr.h
index b156fc2ff..f1882558b 100644
--- a/include/openssl/sslerr.h
+++ b/include/openssl/sslerr.h
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index d6e9331fa..793155e18 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -1138,78 +1138,35 @@ int SSL_CTX_set_tlsext_ticket_key_evp_cb
 # define TLS1_FINISH_MAC_LENGTH 12
-# define TLS_MD_MAX_CONST_SIZE 22
-# define TLS_MD_CLIENT_FINISH_CONST "client finished"
-# define TLS_MD_CLIENT_FINISH_CONST_SIZE 15
-# define TLS_MD_SERVER_FINISH_CONST "server finished"
-# define TLS_MD_SERVER_FINISH_CONST_SIZE 15
-# define TLS_MD_KEY_EXPANSION_CONST "key expansion"
-# define TLS_MD_KEY_EXPANSION_CONST_SIZE 13
-# define TLS_MD_CLIENT_WRITE_KEY_CONST "client write key"
-# define TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE 16
-# define TLS_MD_SERVER_WRITE_KEY_CONST "server write key"
-# define TLS_MD_SERVER_WRITE_KEY_CONST_SIZE 16
-# define TLS_MD_IV_BLOCK_CONST "IV block"
-# define TLS_MD_IV_BLOCK_CONST_SIZE 8
-# define TLS_MD_MASTER_SECRET_CONST "master secret"
-# define TLS_MD_MASTER_SECRET_CONST_SIZE 13
-# define TLS_MD_EXTENDED_MASTER_SECRET_CONST "extended master secret"
-# define TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE 22
-
-# ifdef CHARSET_EBCDIC
-# undef TLS_MD_CLIENT_FINISH_CONST
-/*
- * client finished
- */
-# define TLS_MD_CLIENT_FINISH_CONST "\x63\x6c\x69\x65\x6e\x74\x20\x66\x69\x6e\x69\x73\x68\x65\x64"
-
-# undef TLS_MD_SERVER_FINISH_CONST
-/*
- * server finished
- */
-# define TLS_MD_SERVER_FINISH_CONST "\x73\x65\x72\x76\x65\x72\x20\x66\x69\x6e\x69\x73\x68\x65\x64"
-
-# undef TLS_MD_SERVER_WRITE_KEY_CONST
-/*
- * server write key
- */
-# define TLS_MD_SERVER_WRITE_KEY_CONST "\x73\x65\x72\x76\x65\x72\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79"
-
-# undef TLS_MD_KEY_EXPANSION_CONST
-/*
- * key expansion
- */
-# define TLS_MD_KEY_EXPANSION_CONST "\x6b\x65\x79\x20\x65\x78\x70\x61\x6e\x73\x69\x6f\x6e"
-
-# undef TLS_MD_CLIENT_WRITE_KEY_CONST
-/*
- * client write key
- */
-# define TLS_MD_CLIENT_WRITE_KEY_CONST "\x63\x6c\x69\x65\x6e\x74\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79"
-
-# undef TLS_MD_SERVER_WRITE_KEY_CONST
-/*
- * server write key
- */
-# define TLS_MD_SERVER_WRITE_KEY_CONST "\x73\x65\x72\x76\x65\x72\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79"
-
-# undef TLS_MD_IV_BLOCK_CONST
-/*
- * IV block
- */
-# define TLS_MD_IV_BLOCK_CONST "\x49\x56\x20\x62\x6c\x6f\x63\x6b"
-
-# undef TLS_MD_MASTER_SECRET_CONST
-/*
- * master secret
- */
-# define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74"
-# undef TLS_MD_EXTENDED_MASTER_SECRET_CONST
-/*
- * extended master secret
- */
-# define TLS_MD_EXTENDED_MASTER_SECRET_CONST "\x65\x78\x74\x65\x6e\x64\x65\x64\x20\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74"
-# endif
+# define TLS_MD_MAX_CONST_SIZE 22
+
+/* ASCII: "client finished", in hex for EBCDIC compatibility */
+# define TLS_MD_CLIENT_FINISH_CONST "\x63\x6c\x69\x65\x6e\x74\x20\x66\x69\x6e\x69\x73\x68\x65\x64"
+# define TLS_MD_CLIENT_FINISH_CONST_SIZE 15
+/* ASCII: "server finished", in hex for EBCDIC compatibility */
+# define TLS_MD_SERVER_FINISH_CONST "\x73\x65\x72\x76\x65\x72\x20\x66\x69\x6e\x69\x73\x68\x65\x64"
+# define TLS_MD_SERVER_FINISH_CONST_SIZE 15
+/* ASCII: "server write key", in hex for EBCDIC compatibility */
+# define TLS_MD_SERVER_WRITE_KEY_CONST "\x73\x65\x72\x76\x65\x72\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79"
+# define TLS_MD_SERVER_WRITE_KEY_CONST_SIZE 16
+/* ASCII: "key expansion", in hex for EBCDIC compatibility */
+# define TLS_MD_KEY_EXPANSION_CONST "\x6b\x65\x79\x20\x65\x78\x70\x61\x6e\x73\x69\x6f\x6e"
+# define TLS_MD_KEY_EXPANSION_CONST_SIZE 13
+/* ASCII: "client write key", in hex for EBCDIC compatibility */
+# define TLS_MD_CLIENT_WRITE_KEY_CONST "\x63\x6c\x69\x65\x6e\x74\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79"
+# define TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE 16
+/* ASCII: "server write key", in hex for EBCDIC compatibility */
+# define TLS_MD_SERVER_WRITE_KEY_CONST "\x73\x65\x72\x76\x65\x72\x20\x77\x72\x69\x74\x65\x20\x6b\x65\x79"
+# define TLS_MD_SERVER_WRITE_KEY_CONST_SIZE 16
+/* ASCII: "IV block", in hex for EBCDIC compatibility */
+# define TLS_MD_IV_BLOCK_CONST "\x49\x56\x20\x62\x6c\x6f\x63\x6b"
+# define TLS_MD_IV_BLOCK_CONST_SIZE 8
+/* ASCII: "master secret", in hex for EBCDIC compatibility */
+# define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74"
+# define TLS_MD_MASTER_SECRET_CONST_SIZE 13
+/* ASCII: "extended master secret", in hex for EBCDIC compatibility */
+# define TLS_MD_EXTENDED_MASTER_SECRET_CONST "\x65\x78\x74\x65\x6e\x64\x65\x64\x20\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74"
+# define TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE 22
 /* TLS Session Ticket extension struct */
 struct tls_session_ticket_ext_st {
diff --git a/include/openssl/trace.h b/include/openssl/trace.h
index ae14f6d9b..97e138576 100644
--- a/include/openssl/trace.h
+++ b/include/openssl/trace.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
@@ -55,8 +55,10 @@ extern "C" {
 # define OSSL_TRACE_CATEGORY_DECODER 15
 # define OSSL_TRACE_CATEGORY_ENCODER 16
 # define OSSL_TRACE_CATEGORY_REF_COUNT 17
+# define OSSL_TRACE_CATEGORY_HTTP 18
 /* Count of available categories. */
-# define OSSL_TRACE_CATEGORY_NUM 18
+# define OSSL_TRACE_CATEGORY_NUM 19
+/* KEEP THIS LIST IN SYNC with trace_categories[] in crypto/trace.c */
 /* Returns the trace category number for the given |name| */
 int OSSL_trace_get_category_num(const char *name);
diff --git a/include/openssl/ts.h b/include/openssl/ts.h
index 5136e4e97..8ff673323 100644
--- a/include/openssl/ts.h
+++ b/include/openssl/ts.h
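Review bot: The new tls1.h block defines `TLS_MD_SERVER_WRITE_KEY_CONST` and `TLS_MD_SERVER_WRITE_KEY_CONST_SIZE` twice, once after the `server finished` pair and again after `client write key`, inheriting the duplicated `# undef`/`# define` of the EBCDIC block it replaces. Identical redefinitions are accepted by the preprocessor, but the first edit that touches only one copy turns into a hard "macro redefined" error, so drop the first pair. The hand-maintained `_SIZE` values now sit beside hex escapes that no longer read as text, which makes a miscount easy to miss and would silently change the PRF label fed into key derivation; deriving them as `(sizeof(TLS_MD_..._CONST) - 1)` or adding a test that asserts each size against `strlen` of the decoded label would keep them honest.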
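Review bot: The first trace.h hunk moves the copyright year backwards, from 2019-2023 to 2019-2022, on a header whose only other change is the new `OSSL_TRACE_CATEGORY_HTTP` entry; that pattern suggests the diff was taken against a base newer than the one it targets, or that this hunk is reversed, so the patch direction should be confirmed before merging. The added `KEEP THIS LIST IN SYNC with trace_categories[]` comment is useful but sits below `OSSL_TRACE_CATEGORY_NUM`, after the list it refers to; placing it at the head of the category list (outside this hunk) is where the next person adding a category will actually see it.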
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
@@ -30,13 +30,15 @@
 # include
 # include
 # include
+# include
+# include
+# ifndef OPENSSL_NO_STDIO
+# include
+# endif
 # ifdef __cplusplus
 extern "C" {
 # endif
-# include
-# include
-
 typedef struct TS_msg_imprint_st TS_MSG_IMPRINT;
 typedef struct TS_req_st TS_REQ;
 typedef struct TS_accuracy_st TS_ACCURACY;
diff --git a/include/openssl/types.h b/include/openssl/types.h
index de9f16652..5f9d8c23e 100644
--- a/include/openssl/types.h
+++ b/include/openssl/types.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
@@ -7,9 +7,21 @@
  * https://www.openssl.org/source/license.html
  */
+/*
+ * Unfortunate workaround to avoid symbol conflict with wincrypt.h
+ * See https://github.com/openssl/openssl/issues/9981
+ */
+#ifdef _WIN32
+# define WINCRYPT_USE_SYMBOL_PREFIX
+# undef X509_NAME
+# undef X509_EXTENSIONS
+# undef PKCS7_SIGNER_INFO
+# undef OCSP_REQUEST
+# undef OCSP_RESPONSE
+#endif
+
 #ifndef OPENSSL_TYPES_H
 # define OPENSSL_TYPES_H
-# pragma once
 # include
@@ -70,15 +82,6 @@ typedef struct ASN1_ITEM_st ASN1_ITEM;
 typedef struct asn1_pctx_st ASN1_PCTX;
 typedef struct asn1_sctx_st ASN1_SCTX;
-# ifdef _WIN32
-# undef X509_NAME
-# undef X509_EXTENSIONS
-# undef PKCS7_ISSUER_AND_SERIAL
-# undef PKCS7_SIGNER_INFO
-# undef OCSP_REQUEST
-# undef OCSP_RESPONSE
-# endif
-
 # ifdef BIGNUM
 # undef BIGNUM
 # endif
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 3ef741f60..d4df2adc5 100644
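Review bot: The relocated `_WIN32` block in types.h drops `# undef PKCS7_ISSUER_AND_SERIAL`, which the block removed in the `-70,15` hunk had; if that is deliberate (for instance because defining `WINCRYPT_USE_SYMBOL_PREFIX` makes the wincrypt.h clash on that name go away) the comment should say so, otherwise the undef should come along. The block now sits before the `OPENSSL_TYPES_H` guard and `# pragma once` is removed, which is what makes it run again on every inclusion, but nothing states that intent; a comment such as `/* Deliberately outside the include guard: wincrypt.h may be included between two OpenSSL headers, so the undefs must be repeated each time */` would stop a later cleanup from hoisting the guard above it and silently reintroducing the symbol clash.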
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -41,6 +41,9 @@ use OpenSSL::stackhash qw(generate_stack_macros);
 # include
 # include
+# ifndef OPENSSL_NO_STDIO
+# include
+# endif
 #ifdef __cplusplus
 extern "C" {
diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in
index fe7756df9..e33c9d305 100644
--- a/include/openssl/x509v3.h.in
+++ b/include/openssl/x509v3.h.in
@@ -26,6 +26,9 @@ use OpenSSL::stackhash qw(generate_stack_macros);
 # include
 # include
 # include
+# ifndef OPENSSL_NO_STDIO
+# include
+# endif
 #ifdef __cplusplus
 extern "C" {
diff --git a/oqs-provider b/oqs-provider
new file mode 160000
index 000000000..3f3d8a8cf
--- /dev/null
+++ b/oqs-provider
@@ -0,0 +1 @@
+Subproject commit 3f3d8a8cf331c73a26fe93a598273997cb54eb4f
diff --git a/providers/baseprov.c b/providers/baseprov.c
index 44c6e8b7e..2e5e0b384 100644
--- a/providers/baseprov.c
+++ b/providers/baseprov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
@@ -19,7 +19,6 @@
 #include "prov/providercommon.h"
 #include "prov/implementations.h"
 #include "prov/provider_util.h"
-#include "internal/nelem.h"
 /*
  * Forward declarations to ensure that interface functions are correctly
diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c
index 7223d5516..ed37e7696 100644
--- a/providers/common/capabilities.c
+++ b/providers/common/capabilities.c
@@ -17,7 +17,7 @@
 #include "internal/nelem.h"
 #include "internal/tlsgroups.h"
 #include "prov/providercommon.h"
-#include "e_os.h"
+#include "internal/e_os.h"
 /* If neither ec or dh is available then we have no TLS-GROUP capabilities */
 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
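Review bot: The new `oqs-provider` gitlink pins commit `3f3d8a8cf331c73a26fe93a598273997cb54eb4f`, but the matching `.gitmodules` entry with the upstream URL is not in this chunk, so a reader of this diff cannot tell which repository the pin refers to or whether the SHA corresponds to a tagged release. For third-party code that is built and exercised alongside the crypto library, record the upstream URL and the release tag the SHA maps to in the commit message, and make sure the build only ever checks out that exact SHA rather than a branch head, so the dependency cannot drift without a reviewed change to this pin. The remaining hunks on this line (stdio include guards and the `e_os.h` path move) are mechanical.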
diff --git a/providers/common/der/oids_to_c.pm b/providers/common/der/oids_to_c.pm
index 6f57df09b..a6b0930f9 100644
--- a/providers/common/der/oids_to_c.pm
+++ b/providers/common/der/oids_to_c.pm
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/providers/common/include/prov/proverr.h b/providers/common/include/prov/proverr.h
index 5084af201..69e14465c 100644
--- a/providers/common/include/prov/proverr.h
+++ b/providers/common/include/prov/proverr.h
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/providers/common/include/prov/provider_util.h b/providers/common/include/prov/provider_util.h
index dfe91f29b..5511565e7 100644
--- a/providers/common/include/prov/provider_util.h
+++ b/providers/common/include/prov/provider_util.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
@@ -136,3 +136,7 @@ typedef struct ag_capable_st {
  */
 void ossl_prov_cache_exported_algorithms(const OSSL_ALGORITHM_CAPABLE *in,
 OSSL_ALGORITHM *out);
+
+/* Duplicate a lump of memory safely */
+int ossl_prov_memdup(const void *src, size_t src_len,
+ unsigned char **dest, size_t *dest_len);
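Review bot: The one-line comment `Duplicate a lump of memory safely` on the new `ossl_prov_memdup` declaration in provider_util.h does not state the contract a caller needs: that a NULL `src` yields `*dest = NULL` and `*dest_len = 0` with a success return, that on success `*dest` is heap memory the caller must release with `OPENSSL_free`, and that on allocation failure 0 is returned with a PROV error raised and the outputs untouched. All of that is visible in the implementation added to providers/common/provider_util.c later in this diff, so it belongs here where callers read it; a three- or four-line comment spelling out the NULL case, the ownership of `*dest`, and the return values would replace the current one-liner.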
diff --git a/providers/common/include/prov/securitycheck.h b/providers/common/include/prov/securitycheck.h
index 4a7f85f71..611c6d531 100644
--- a/providers/common/include/prov/securitycheck.h
+++ b/providers/common/include/prov/securitycheck.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
@@ -28,3 +28,4 @@ int ossl_digest_get_approved_nid(const EVP_MD *md);
 int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
 int sha1_allowed);
 int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx);
+int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx);
diff --git a/providers/common/provider_err.c b/providers/common/provider_err.c
index 344c12211..f21c50007 100644
--- a/providers/common/provider_err.c
+++ b/providers/common/provider_err.c
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
@@ -33,6 +33,7 @@ static const ERR_STRING_DATA PROV_str_reasons[] = {
 "derivation function init failed"},
 {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_DIGEST_NOT_ALLOWED),
 "digest not allowed"},
+ {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_EMS_NOT_ENABLED), "ems not enabled"},
 {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK),
 "entropy source strength too weak"},
 {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ERROR_INSTANTIATING_DRBG),
diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c
index 58d4db337..48dc41c39 100644
--- a/providers/common/provider_util.c
+++ b/providers/common/provider_util.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
@@ -19,7 +19,6 @@
 # include "crypto/evp.h"
 #endif
 #include "prov/provider_util.h"
-#include "internal/nelem.h"
 void ossl_prov_cipher_reset(PROV_CIPHER *pc)
 {
@@ -165,7 +164,7 @@ int ossl_prov_digest_copy(PROV_DIGEST *dst, const PROV_DIGEST *src)
 }
 const EVP_MD *ossl_prov_digest_fetch(PROV_DIGEST *pd, OSSL_LIB_CTX *libctx,
- const char *mdname, const char *propquery)
+ const char *mdname, const char *propquery)
 {
 EVP_MD_free(pd->alloc_md);
 pd->md = pd->alloc_md = EVP_MD_fetch(libctx, mdname, propquery);
@@ -351,3 +350,20 @@ void ossl_prov_cache_exported_algorithms(const OSSL_ALGORITHM_CAPABLE *in,
 out[j++] = in[i].alg;
 }
 }
+
+/* Duplicate a lump of memory safely */
+int ossl_prov_memdup(const void *src, size_t src_len,
+ unsigned char **dest, size_t *dest_len)
+{
+ if (src != NULL) {
+ if ((*dest = OPENSSL_memdup(src, src_len)) == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ *dest_len = src_len;
+ } else {
+ *dest = NULL;
+ *dest_len = 0;
+ }
+ return 1;
+}
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
index de7f0d3a0..246323493 100644
--- a/providers/common/securitycheck_default.c
+++ b/providers/common/securitycheck_default.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
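Review bot: `ossl_prov_memdup` in the `-351,3` hunk treats a non-NULL `src` with `src_len == 0` as an allocation request, and as far as I recall `OPENSSL_memdup` of zero bytes goes through the zero-size path of OpenSSL's allocator and returns NULL, so an empty-but-present input would be reported as `ERR_R_MALLOC_FAILURE` rather than producing an empty result. If any caller can legitimately pass an empty buffer (a zero-length salt or label is plausible for a KDF helper), fold that case into the NULL branch with `if (src != NULL && src_len != 0) {` so it yields `*dest = NULL`, `*dest_len = 0` and success. Whether such callers exist is not visible in this hunk; at minimum the comment should state that zero-length input is rejected, and the `-165,7` hunk above is an alignment-only change.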
@@ -22,6 +22,12 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
     return 0;
 }
 
+/* Disable the ems check in the default provider */
+int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx)
+{
+    return 0;
+}
+
 int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
                                     ossl_unused int sha1_allowed)
 {
diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c
index b7659bd39..41ba523bf 100644
--- a/providers/common/securitycheck_fips.c
+++ b/providers/common/securitycheck_fips.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
@@ -20,6 +20,7 @@
 #include "prov/securitycheck.h"
 
 int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
+int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx);
 
 int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
 {
@@ -30,6 +31,11 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
 #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
 }
 
+int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx)
+{
+    return FIPS_tls_prf_ems_check(libctx);
+}
+
 int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
                                     int sha1_allowed)
 {
diff --git a/providers/defltprov.c b/providers/defltprov.c
index ed3f4799e..cc0b0c3b6 100644
--- a/providers/defltprov.c
+++ b/providers/defltprov.c
@@ -289,6 +289,8 @@ static const OSSL_ALGORITHM_CAPABLE deflt_ciphers[] = {
     ALG(PROV_NAMES_DES_EDE_CFB, ossl_tdes_ede2_cfb_functions),
 #endif /* OPENSSL_NO_DES */
 #ifndef OPENSSL_NO_SM4
+    ALG(PROV_NAMES_SM4_GCM, ossl_sm4128gcm_functions),
+    ALG(PROV_NAMES_SM4_CCM, ossl_sm4128ccm_functions),
     ALG(PROV_NAMES_SM4_ECB, ossl_sm4128ecb_functions),
     ALG(PROV_NAMES_SM4_CBC, ossl_sm4128cbc_functions),
     ALG(PROV_NAMES_SM4_CTR, ossl_sm4128ctr_functions),
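Review bot: The default-provider `ossl_tls1_prf_ems_check_enabled` in the first securitycheck_default.c hunk never reads `libctx`, yet the parameter is left unannotated while the neighbouring `ossl_digest_rsa_sign_get_md_nid` in the same file marks its ignored argument `ossl_unused int sha1_allowed`; for consistency and to keep unused-parameter warnings quiet, write it as `int ossl_tls1_prf_ems_check_enabled(ossl_unused OSSL_LIB_CTX *libctx)`. The comment `/* Disable the ems check in the default provider */` states intent rather than contract; `/* The default provider never enforces the TLS1 PRF EMS check: always returns 0 */` tells callers what they can rely on. The FIPS counterpart declares `FIPS_tls_prf_ems_check` locally next to the existing `FIPS_security_check_enabled` prototype, which matches the file's current practice, so nothing further is needed there.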
diff --git a/providers/fips-sources.checksums b/providers/fips-sources.checksums index 10076d9d2..fefeb315b 100644 --- a/providers/fips-sources.checksums +++ b/providers/fips-sources.checksums @@ -10,6 +10,9 @@ a2466f18da5847c7d9fbced17524633c10ce024671a72f53f9c9c55b9b9923dd crypto/aes/aes 88b6f8396cd9d86004743d5c3b0f72b7b8c3d5a2b00b0bbb761ba91ae5a7cdc8 crypto/aes/asm/aes-mips.pl 7ff9c96ef3d591d45d776fa4b244601ea0d9328e289aeab1e1b92436ce7d02ad crypto/aes/asm/aes-parisc.pl f1244cdeadcb4e48f35bc5df19d4cfaf07e0086ad951b84f07ff6966501faa5b crypto/aes/asm/aes-ppc.pl +538ce0e80698d773c9419a9ca8892d61bc5b3cd1b071c5fc5f315d7f5573e96d crypto/aes/asm/aes-riscv32-zkn.pl +063ab365d4dfebe248e45b328009210cdcc1a63f90eaae8870eaa06a4f8923d9 crypto/aes/asm/aes-riscv64-zkn.pl +f0388e17ba4268ed0b562da60e0780072180a824a379b79fafb60e25b8da3b52 crypto/aes/asm/aes-riscv64.pl ecbfe826f4c514810c3ee20e265f4f621149694c298554b2682e5de4f029f14f crypto/aes/asm/aes-s390x.pl ee4e8cacef972942d2a89c1a83c984df9cad87c61a54383403c5c4864c403ba1 crypto/aes/asm/aes-sparcv9.pl 2b3b9ac56bf54334d053857a24bdb08592151e8a7a60b89b8195846b7f8ee7b5 crypto/aes/asm/aes-x86_64.pl 
@@ -21,10 +24,12 @@ c56c324667b67d726e040d70379efba5b270e2937f403c1b5979018b836903c7 crypto/aes/asm c7c6694480bb5319690f94826139a93f5c460ebea6dba101b520a76cb956ec93 crypto/aes/asm/aesni-x86_64.pl f3a8f3c960c0f47aaa8fc2633d18b14e7c7feeccc536b0115a08bc58333122b6 crypto/aes/asm/aesp8-ppc.pl e397a5781893e97dd90a5a52049633be12a43f379ec5751bca2a6350c39444c8 crypto/aes/asm/aest4-sparcv9.pl -90d53250761de35280f57463855b1a41403c68dfe22771b2f622c5c9b3418eb4 crypto/aes/asm/aesv8-armx.pl +64dce763aa0324690cffe55b8ffd610414ee490c6599369a40ee6a73bb7ac7ff crypto/aes/asm/aesv8-armx.pl 15cf92ba0ea6fb216c75bb0c134fa1e1b4159a3f9d3c571b2a8319252c4ae633 crypto/aes/asm/bsaes-armv7.pl +5ee643fd833120756300d92722fa9c8fe2ab58764d64b11350f86c41687b8d7a crypto/aes/asm/bsaes-armv8.pl 0726a2c4c15c27a12b2f7d5e16863df4a1b1daa7b7d9b728f621b2b224d290e6 crypto/aes/asm/bsaes-x86_64.pl -1ff94d6bf6c8ae4809f64657eb89260fe3cb22137f649d3c73f72cb190258196 crypto/aes/asm/vpaes-armv8.pl +762cadf988080f45d1a2f1232058688ac3f5afe76767649d15513a7a5eedcf38 crypto/aes/asm/vpaes-armv8.pl +4b723628a4ea14a763c3b21afa2439534ccf9d21480f2d0e3a0f5ee270169c23 crypto/aes/asm/vpaes-loongarch64.pl c3541865cd02d81101cdbab4877ed82772e6980d2c677b9008b38fa1b26d36d4 crypto/aes/asm/vpaes-ppc.pl 3ec24185750a995377516bc2fb2eae8b1c52094c6fff093bff591837fc12d6c3 crypto/aes/asm/vpaes-x86.pl 060bb6620f50af9afecdf97df051b45b9a50be9daf343dfec1cbb29693ce00a4 crypto/aes/asm/vpaes-x86_64.pl 
@@ -32,7 +37,7 @@ c3541865cd02d81101cdbab4877ed82772e6980d2c677b9008b38fa1b26d36d4 crypto/aes/asm 819c9fd2b0cae9aab81c3cbd1815c2e22949d75f132f649b5883812d0bbaa39a crypto/bn/asm/alpha-mont.pl 0070595128b250b9ebdebe48ce53d2d27ca16ec4f7c6c8bd169ab2e4a913b2d1 crypto/bn/asm/armv4-gf2m.pl 8c1c53a725b8a4f92b8a353bfeeb393be94198df41c912e3270f9e654417b250 crypto/bn/asm/armv4-mont.pl -8d6192337fedb0012764229d600634f8357c3b74fd38bcbfe8b86ddc6ca96ea2 crypto/bn/asm/armv8-mont.pl +12203c1af986c729fc227832ed03b103e56bdac2568878e5635ab037be01609a crypto/bn/asm/armv8-mont.pl cb4ad7b7461fcb8e2a0d52881158d0211b79544842d4eae36fc566869a2d62c8 crypto/bn/asm/bn-586.pl 636da7e2a66272a81f9c99e90b36c6f132ad6236c739e8b9f2e7315f30b72edd crypto/bn/asm/c64xplus-gf2m.pl c86664fb974362ee52a454c83c2c4b23fd5b7d64b3c9e23ef1e0dfd130a46ee5 crypto/bn/asm/co-586.pl 
@@ -43,10 +48,12 @@ a511aafbf76647a0c83705d4491c898a5584d300aa449fa6166c8803372946eb crypto/bn/asm/ b27ec5181e387e812925bb26823b830f49d7a6e4971b6d11ea583f5632a1504b crypto/bn/asm/parisc-mont.pl 9973523b361db963eea4938a7a8a3adc692e1a4e1aec4fa1f1e57dc93da37921 crypto/bn/asm/ppc-mont.pl 59cd27e1e10c4984b7fb684b27f491e7634473b1bcff197a07e0ca653124aa9a crypto/bn/asm/ppc.pl -e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 crypto/bn/asm/ppc64-mont-fixed.pl +0b3350f56d423a4df918a08e90c7c66227c4449a9f9c44096eacc254ebc65f9f crypto/bn/asm/ppc64-mont-fixed.pl a25be64867ab837d93855af232e2bfa71b85b2c6f00e35e620fdc5618187fb6f crypto/bn/asm/ppc64-mont.pl +28b87b717644f466c4579d60354273c9f781f482c0ee37835e5f9fee962456d0 crypto/bn/asm/rsaz-2k-avx512.pl +7452a82cce3d2860546646290e4ea61cb374a43b4df1f26f7ea84a29812adf71 crypto/bn/asm/rsaz-3k-avx512.pl +3260892767d3c422d8d24bba287e331f79900bf5f5442704c5e91ef8d1a65fb0 crypto/bn/asm/rsaz-4k-avx512.pl 231579e532443665020d4d522d9f11713d9c5d5c814b95b434b0f65452e16de4 crypto/bn/asm/rsaz-avx2.pl -1657600d320ea549b527b2d878a7658533d60d26eeb38f42ea470fc612f9bb53 crypto/bn/asm/rsaz-avx512.pl 31e84dc905b13e38850071528d3abbfcaf8910bbc8b46f38d19c2b386a5f838e crypto/bn/asm/rsaz-x86_64.pl 30fedf48dfc5fec1c2044b6c226dd9fc42a92522cc589797a23a79d452bdd2cf crypto/bn/asm/s390x-gf2m.pl 590388d69d7ac3a0e9af4014792f4f0fdb9552719e8fb48ebc7e5dfca2a491d4 crypto/bn/asm/s390x-mont.pl 
@@ -66,52 +73,52 @@ d444ca73875e97e0ea88b20e4c02f2fcf3850e8b9311e3b67a2d04fe2796d543 crypto/bn/asm/ da7f7780d27eed164797e5334cd45b35d9c113e86afaca051463aef9a8fd787c crypto/bn/asm/x86_64-mont.pl 259fb8d7f40c0dba46920b1f169d5b37de03b0fda645463d19e3ae2b56de851d crypto/bn/asm/x86_64-mont5.pl 0ea8185a037a2951bb3d1e590bbbdeac305176d5e618f3e43a04c09733a9de34 crypto/bn/bn_add.c -3962dfaa0142e67115ab84f7809d46d59bd122758be09a081b08b2e0d4743b2e crypto/bn/bn_asm.c +22e3f0225b037b0d3c9941c6d886b8144471d7d752e2467e4db8c3810ec3cc0d crypto/bn/bn_asm.c 01a35f971062b97b4953604151d3b6a411be439743b5540aa25b638d2186db6f crypto/bn/bn_blind.c 7b761d541e3b7f6a3f2b14a09b2b3836a079a845cf67a54db4853e3fd38277c6 crypto/bn/bn_const.c 58b587e20404efa408b31a88ba9c357059ced709bea78c07deb91df7b687db81 crypto/bn/bn_conv.c 2893b6d03d4850d09c15959941b0759bbb50d8c20e873bed088e7cde4e15a65a crypto/bn/bn_ctx.c d94295953ab91469fe2b9da2a542b8ea11ac38551ecde8f8202b7f645c2dea16 crypto/bn/bn_dh.c 74b63a4515894592b7241fb30b91b21510beaa3d397809e3d74bc9a73e879d18 crypto/bn/bn_div.c -a29b8b7fa8460f11e50f880e3c3c9e0755b93889bcbb5476206c4d938a9c5735 crypto/bn/bn_exp.c +98f5d5ac4bb7cc9ba4326ff48eca6830763c72efe13c97f523714aed082be860 crypto/bn/bn_exp.c ec2b6e3af6df473a23e7f1a8522f2554cb0eb5d34e3282458c4a66d242278434 crypto/bn/bn_exp2.c -1abab2cc5466b005b939d156e7d8664a4d42a191c9040dbb83941269d6844f0c crypto/bn/bn_gcd.c +79d9999d197e2c797fdece0a6467d04aaca549abf80dd874859f8f4308ddf3c7 crypto/bn/bn_gcd.c 4d6cc7ed36978247a191df1eea0120f8ee97b639ba228793dabe5a8355a1a609 crypto/bn/bn_gf2m.c 081e8a6abc23599307dab3b1a92113a65e0bf8717cbc40c970c7469350bc4581 crypto/bn/bn_intern.c 602ed46fbfe12c899dfb7d9d99ff0dbfff96b454fce3cd02817f3e2488dd9192 crypto/bn/bn_kron.c -b33295765dc6d3843e3571007e2d6dbe75564645ebf181191a91464706d9fadb crypto/bn/bn_lib.c +e07eae5846273e30162a745d179d8e64b48dcb9a914bc828edf944be7a42b23a crypto/bn/bn_lib.c 0567e3881c4577f25eb7b93070ac1914251d5ef98e3ac4ebacec09a65a12868c crypto/bn/bn_local.h 
07247dc2ccc55f3be525baed92fd20031bbaa80fd0bc56155e80ee0da3fc943d crypto/bn/bn_mod.c f60f3d49b183b04bcdf9b82f7c961b8c1bcb00e68a2c1166fe9edd95a783356e crypto/bn/bn_mont.c 2da73a76b746a47d8cf8ec8b3e0708c2a34e810abde4b4f1241a49e7f5bb2b60 crypto/bn/bn_mpi.c 76982b18b0803d59b33168b260677e7412970757d3b9513de5c80025290f211d crypto/bn/bn_mul.c 4e3bf49a788ec36cd1d919475bc410a743931aa144e7c60d603e9c0b448faab4 crypto/bn/bn_nist.c -c6760a724d696b7209f0a71f8483fabcf4f081f7e93e2628284c32ef78f69365 crypto/bn/bn_prime.c +b93ce358e1cdffcf36466bc6a1e4e050bd35841bb9afbbf5c77158240710ce7d crypto/bn/bn_prime.c c56ad3073108a0de21c5820a48beae2bccdbf5aa8075ec21738878222eb9adc3 crypto/bn/bn_prime.h 628419eabdb88b265823e43a7a1c88fdfecef79771180836f6089050dc9eadb1 crypto/bn/bn_rand.c 1f6e13da1d9965b341f81bc0842a987a7db9b7de0fa7f7040d49be01b92d282b crypto/bn/bn_recp.c -626226d4dae8e19530a60d8a94b270b262740550787fc46f686b301a043c705b crypto/bn/bn_rsa_fips186_4.c +569cebbb1644d1a4f0df888f17e9f0f474c1066b439e2633dcad415d04932509 crypto/bn/bn_rsa_fips186_4.c 704b0b4723e5c9e9bae5f3e35f9ae8ae8dca3383929e954de9e5169845abfdb2 crypto/bn/bn_shift.c 622e90766b29e0d25f46474429aebda8eba2246835b9e85dc26da7cdbd49334f crypto/bn/bn_sqr.c 42c8ce944c889abcfcf089d0ad2744b7587696d8d7785efa91b3f7ec53dc062a crypto/bn/bn_sqrt.c 24e62baa56e02f2db6454e10168b7c7fa7638db9221b9acda1803d43f38f36e0 crypto/bn/bn_word.c -2e69544977adab07422acab5cbb32f4efb7ab68bc160dde711e3f7a8e755b43d crypto/bn/rsa_sup_mul.c +1223afacbc6923af1580340bbe6f7b9da453da3e29f0a251ac49b1e0bf109cf5 crypto/bn/rsa_sup_mul.c be27115efd36f0077a3ec26b1ff1f586b0b8969ba05d8ffa34b2ff4badf227bf crypto/bn/rsaz_exp.c c4d64da1cdc732ea918fccd6a7bb2746b03365dd26f7ba1e74e08c307ca4c58e crypto/bn/rsaz_exp.h -5b82cb8dbf3087c2e671871cb0a92e4039223a51af533a2ee996f3bfd47453a7 crypto/bn/rsaz_exp_x2.c +9ec2b47477e22d8ddb708df5ab507a4a5ada49284c1ecdd91ad5e582cf8d4c6e crypto/bn/rsaz_exp_x2.c 834db8ff36006e5cb53e09ca6c44290124bd23692f4341ea6563b66fcade4cea crypto/bsearch.c 
c39334b70e1394e43f378ae8d31b6e6dc125e4d9181e6536d38e649c4eaadb75 crypto/buffer/buffer.c 0e1a41a2d81b5765bca3df448f60bf1fad91e485fe89dd65a7300ffc419e316d crypto/cmac/cmac.c -ff9be205d6d7ff00b0e64508f0eb8d9ec0415fbabc0948d26e308212b3f7b2d8 crypto/context.c +cff758f936cade38b1e41f4d5debd7263b5ef6afe2fe40e6cecfb5533e0ec518 crypto/context.c c309d81ea991ddf5be4337afad2fd132169f7443c76f863349d3f3c82f3374e4 crypto/core_algorithm.c f0fd9eb38bf7f196bbb4d26ce8fdf86d0a4f9db219157e66b2c0ffefb4f42005 crypto/core_fetch.c -02670d631bf0f34cca1e3477079d7fe5de4e03c391cf3992986f44f55319597c crypto/core_namemap.c -469e2f53b5f76cd487a60d3d4c44c8fc3a6c4d08405597ba664661ba485508d3 crypto/cpuid.c -71f0fff881eb4c5505fb17662f0ea4bbff24c6858c045a013ad8f786b07da5c4 crypto/cryptlib.c +b2fda5598c9709aa294bf05f94558672ab152ae144c7cb2255e025ae7712b0e0 crypto/core_namemap.c +97dfe8dd6278dc0f94f2ea3845b03a8d78cb31ee03c802c4b5822d9bfb28c1c6 crypto/cpuid.c +14ffbee223d679dcc2b365999f7fa5be259582ec53609399c74e2ff09df80899 crypto/cryptlib.c 66dbfc58916709d5a6913777346083247942a8d9458ee9b2bf443f0ea4988d64 crypto/ctype.c 51e56541daea6d4a26d5bae2ea458414063bf08b045bab8df370f6695903e0a5 crypto/der_writer.c fea3ba4225df97aee90690adf387625b746d8edfdc5af2357ee65151a3d236ac crypto/des/des_enc.c -4971cdc016ee262d81e31f96c1617a33a63c0d90139e440c2ff32a368ee07bbd crypto/des/des_local.h +9da9a319d4391b6d20b646f0de9dc79489f230621b983c4088fef146c79cacea crypto/des/des_local.h eeef5722ad56bf1af2ff71681bcc8b8525bc7077e973c98cee920ce9bcc66c81 crypto/des/ecb3_enc.c 04d4cc355200b57f1e7d265a2cebdf094df1eb6e96621b533adddc3d60d31fbe crypto/des/fcrypt_b.c 499513b3ad386fe694c4e04b3c8a9fd4c4e18fc44bb6c4f94d6bf2d9362a3a5a crypto/des/ncbc_enc.c 
@@ -119,35 +126,35 @@ eeef5722ad56bf1af2ff71681bcc8b8525bc7077e973c98cee920ce9bcc66c81 crypto/des/ecb 8344811b14d151f6cd40a7bc45c8f4a1106252b119c1d5e6a589a023f39b107d crypto/des/spr.h 816472a54c273906d0a2b58650e0b9d28cc2c8023d120f0d77160f1fe34c4ca3 crypto/dh/dh_backend.c d2d0569bea2598bd405f23b60e5283a6ce353f1145a25ff8f28cf15711743156 crypto/dh/dh_check.c -7838e9a35870b0fbcba0aff2f52a2439f64d026e9922bce6e5978c2f22c51120 crypto/dh/dh_gen.c +c117ac4fd24369c7813ac9dc9685640700a82bb32b0f7e038e85afd6c8db75c7 crypto/dh/dh_gen.c 6b17861887b2535159b9e6ca4f927767dad3e71b6e8be50055bc784f78e92d64 crypto/dh/dh_group_params.c -a5cf5cb464b40f1bc5457dc2a6f2c5ec0f050196603cd2ba7037a23ab64adbf7 crypto/dh/dh_kdf.c +a539a8930035fee3b723d74a1d13e931ff69a2b523c83d4a2d0d9db6c78ba902 crypto/dh/dh_kdf.c 0afa7dd237f9b21b0cfb0de10505facd57eb07ded905d888d43a1de2356d4002 crypto/dh/dh_key.c b0046b2c4e1d74ff4e93f2486a00f63728909b8a75cbdd29b9100e607f97995c crypto/dh/dh_lib.c 8300775d88db0a1aa26a77eb49d6c4f7252e7fee69e1440de4c40edadc9da044 crypto/dh/dh_local.h bbcf4fc3067ac462a27d7277973180b7dc140df9262a686c7fbe4318ca01f7b8 crypto/dsa/dsa_backend.c b9c5992089203123c3fae46e39bb4d05e19854087bca7a30ad1f82a3505deec7 crypto/dsa/dsa_check.c ae727bf6319eb57e682de35d75ea357921987953b3688365c710e7fba51c7c58 crypto/dsa/dsa_gen.c -b1de1624e590dbf76f76953802ff162cc8de7c5e2eaba897313c866424d6902b crypto/dsa/dsa_key.c +100889e879ffba26b3f2cf0a118943e7cf04076e632d76cfacf96c133949791a crypto/dsa/dsa_key.c 9e436a2e0867920c3a5ac58bc14300cad4ab2c4c8fe5e40b355dfd21bfdfe146 crypto/dsa/dsa_lib.c f4d52d3897219786c6046bf76abb2f174655c584caa50272bf5d281720df5022 crypto/dsa/dsa_local.h -f88db9fd73a78e66967e56df442b55230f405b4cd804f31f8696324f0b702f15 crypto/dsa/dsa_ossl.c +b3030ed4a6c3c572680c78efcc3f1ee50dc5aef75fe99a5b0e0f32cdcc8e6328 crypto/dsa/dsa_ossl.c 6222aa8f60d7451d974dd87c66995033919f36d7f858cbe609cf731ad1eee34e crypto/dsa/dsa_sign.c 53fa10cc87ac63e35df661882852dc46ae68e6fee83b842f1aeefe00b8900ee1 
crypto/dsa/dsa_vrf.c -0a206e4c4de4702808cba7c9304bedb66abcbc33e513bc25574a795cd5fa3db0 crypto/ec/asm/ecp_nistp521-ppc64.pl +d9722ad8c6b6e209865a921f3cda831d09bf54a55cacd1edd9802edb6559190a crypto/ec/asm/ecp_nistp521-ppc64.pl 78ad06b88fcc8689a3a846b82f9ee01546e5734acd1bccf2494e523b71dc74d1 crypto/ec/asm/ecp_nistz256-armv4.pl -4617351d2de4d0b2abfd358c58050cee00702d0b4c1acca09312ec870e351c7d crypto/ec/asm/ecp_nistz256-armv8.pl +598da295053253578d5461892098b74ec9dcd02c1eb99d537e14e0c5e958c7b9 crypto/ec/asm/ecp_nistz256-armv8.pl 3715ddd921425f3018741037f01455ed26a840ace08691a800708170a66cf4d2 crypto/ec/asm/ecp_nistz256-ppc64.pl cfe7e75a2fddc87a7251684469a8808b9da82b2f5725eafad5806920f89932bd crypto/ec/asm/ecp_nistz256-sparcv9.pl 922725c4761cfa567af6ed9ecab04f2c7729ae2595f2fc0fa46dc67879dc87b0 crypto/ec/asm/ecp_nistz256-x86.pl ac327475c7ec828d11aa05628b4e3b81ec3b1400f30fe7bec01daf3cf71f2dc9 crypto/ec/asm/ecp_nistz256-x86_64.pl cc727533130f5f1a29229929b3d4e8454585d647be25d6344f3c6a0240998368 crypto/ec/asm/x25519-ppc64.pl ee897e230964511baa0d1bf95fb938312407a40a88ebe01476879c2763e5f732 crypto/ec/asm/x25519-x86_64.pl -340336e01aa04fcde9bfd56536f90c9bc0ad56a002b6cfa321a1e421f1e93ceb crypto/ec/curve25519.c -9a95ec8366154bb20aeb24f4767a8cbb9953ca0380708eb2f39caca6078cd59e crypto/ec/curve448/arch_32/f_impl32.c +c0bcde09fd6f1d4682438a6e61365b377a288ce53d1ec81b354d76832bf308fa crypto/ec/curve25519.c +ebd47dd501b147a53ea3c0a0cca18789ac14e2ee4b94e2eed54248992763d454 crypto/ec/curve448/arch_32/f_impl32.c 063dac1e4a9573c47532123e9e03e3532a7473cc3e146521ba9ec6f486ddf3b1 crypto/ec/curve448/arch_64/arch_intrinsics.h 43423b7ee85a5c740c1d81499ee06f4a17732c7731a598e7429d5e402ee77cf4 crypto/ec/curve448/arch_64/f_impl.h -1689097ae10e4982a8cbe50c2f6eddb03c83436f331f0b67edb98d6b58adc962 crypto/ec/curve448/arch_64/f_impl64.c +6b01b404354822a5d9cee5ab26f015c362b8ea64be373236e6526bfa67380b51 crypto/ec/curve448/arch_64/f_impl64.c 9b408ec0d43f3b6d714ef5963147e2c2abaddc88633db7dd759193d3c56ed727 
crypto/ec/curve448/curve448.c 3c12d90e3fdd59b5d32d63186f1a6f15c75eb73f5035b844a2054356a9459780 crypto/ec/curve448/curve448_local.h 178fb9863c33174b633c2e7607160b1bedb506d66cc06d53382d87431441f306 crypto/ec/curve448/curve448_tables.c 
@@ -162,45 +169,45 @@ f6447921a0031fa5beddedd298e82096fb3fdb189b712fab328b61f6beae0c23 crypto/ec/curv ae1637d89287c9d22a34bdc0d67f6e01262a2f8dcef9b61369dba8c334f5a80d crypto/ec/ec2_oct.c 6bbbf570ce31f5b579f7e03ec9f8a774663c7c1eb5e475bd31f8fee94a021ffc crypto/ec/ec2_smpl.c 2a71bd8dbe4f427c117d990581709a4ddce07fa8e530794b5a9574fef7c48a0c crypto/ec/ec_asn1.c -69b1b3acb4295f5fff961b339e8ace913176ca63fcedf4af0da4c27171f24f94 crypto/ec/ec_backend.c +73318950cad070cf883f2883d73ca85adae4125cde85d7feb98a220e6044dc6a crypto/ec/ec_backend.c 86e2becf9b3870979e2abefa1bd318e1a31820d275e2b50e03b17fc287abb20a crypto/ec/ec_check.c 265f911b9d4aada326a2d52cd8a589b556935c8b641598dcd36c6f85d29ce655 crypto/ec/ec_curve.c 8cfd0dcfb5acbf6105691a2d5e2826dba1ff3906707bc9dd6ff9bffcc306468f crypto/ec/ec_cvt.c -95ce53663ab8a1d05bd6f4999f30113e1edce771fb6d218a772fe02de7bdaf4d crypto/ec/ec_key.c +ec6b509d9fa3af18c7ca83624d3426ffdd63a9936bcabddb9c23eddc142f2b2d crypto/ec/ec_key.c 7e40fc646863e0675bbb90f075b809f61bdf0600d8095c8366858d9533ab7700 crypto/ec/ec_kmeth.c -bbd6f618c3dfe425ce0ba1c6710fe59418130e06351881162a590475e6438c44 crypto/ec/ec_lib.c +57c6107e235ace603498eadde6bcb03ede2e2e828c0041ed2084a42aa5eb7144 crypto/ec/ec_lib.c a8a4690e42b4af60aad822aa8b16196df337906af53ea4db926707f7b596ff27 crypto/ec/ec_local.h fa901b996eb0e460359cd470843bdb03af7a77a2f1136c5e1d30daef70f3e4d2 crypto/ec/ec_mult.c 129c6b42417bfcf582f4a959cfd65433e6f85b158274f4fa38f9c62615ac9166 crypto/ec/ec_oct.c c7fba2f2c33f67dafa23caef8c3abd12f5336274a9a07d412b83be0366969ee6 crypto/ec/ecdh_kdf.c b2cf8f052a5716137da7b0e857ed7a5df5fb513b6d14534199a05e32f2b5a866 crypto/ec/ecdh_ossl.c -c3750d77c287500884a1ab01def8a6a8500c345d5de1c0f6a70e614fff1b9755 crypto/ec/ecdsa_ossl.c +951f614029125cda7110cd6b7206c0b51094fd2118223180993eb00b9e708b74 crypto/ec/ecdsa_ossl.c b6baa42b16e8df69a12e0ab101033100cddc808ec2682ba1574373e6ec86ae93 crypto/ec/ecdsa_sign.c f686cea8c8a3259d95c1e6142813d9da47b6d624c62f26c7e4a16d5607cddb35 crypto/ec/ecdsa_vrf.c 
141cfc1459214555b623517a054a9e8d5e4065a11301237b7247be2c6f397a0a crypto/ec/ecp_mont.c 13b30f34aeeb0c98747239bfe91b5f0f14e91b2c1f11db62ebb5950c7219daa0 crypto/ec/ecp_nist.c f288c23b6f83740956886b2303c64d5a3098c98b530859c3bb4b698c01c1643b crypto/ec/ecp_nistz256.c 51cb98e7e9c241e33261589f0d74103238baaa850e333c61ff1da360e127518a crypto/ec/ecp_oct.c -b4b7c683279454ba41438f50a015cb63ef056ccb9be0168918dfbae00313dc68 crypto/ec/ecp_smpl.c +19f227a48a24d34a1db31f1c4b925ac01a709ba1916a1d3aefec1da4d834d065 crypto/ec/ecp_smpl.c 2096e13aa2fbcb0d4b10faca3e3f5359cf66098b0397a6d74c6fca14f5dee659 crypto/ec/ecx_backend.c 5ee19c357c318b2948ff5d9118a626a6207af2b2eade7d8536051d4a522668d3 crypto/ec/ecx_backend.h 22c44f561ab42d1bd7fd3a3c538ebaba375a704f98056b035e7949d73963c580 crypto/ec/ecx_key.c 28abc295dad8888b5482eb61d31cd78dd80545ecb67dc6f9446a36deb8c40a5e crypto/evp/asymcipher.c 0e75a058dcbbb62cfe39fec6c4a85385dc1a8fce794e4278ce6cebb29763b82b crypto/evp/dh_support.c -59d514629005748901718e82f2646ecb1d7fbedbc872726749ce9a5af0d205f2 crypto/evp/digest.c +4ffb956048404b073d17c6649433d4c81ff307997245aadb63e401e607734a10 crypto/evp/digest.c 838277f228cd3025cf95a9cd435e5606ad1fb5d207bbb057aa29892e6a657c55 crypto/evp/ec_support.c -1c3d1b1f800b1f1f5adb1fdbdd67cdf37ca7ea93b264d1468c72a63c140873ce crypto/evp/evp_enc.c -7f10367f9b6191c4a8c01784130d26b2d778485a41cdac5fa17c9a1c4096f132 crypto/evp/evp_fetch.c -ebe32b2895f7f9767710674352c8949efe93b4bbb5e7b71c27bb5d1822339b46 crypto/evp/evp_lib.c -78f07bf50b6999611a4e9414ab3a20b219b0ab29ca2bd05002d6919a3f67b8eb crypto/evp/evp_local.h -117e679d49d2ae87e49d3c942ff0ce768959e8b9713f84a99025cabba462ccd5 crypto/evp/evp_rand.c +b3af6375133a47c5f63231ed776e3fddc71e865b9fdcffe61cff6d0604693190 crypto/evp/evp_enc.c +4b15287d3ce9cb75cb5ac68003c0deddc2688ffd4abb065eaa04d0998efcbcf9 crypto/evp/evp_fetch.c +ce982249442688249f7c53d0824ae6affb1cf89281f35fbd68c1e0c4c57217d3 crypto/evp/evp_lib.c +5afebfcf415079974ab3b8b70eac93b618fd264135cd68fee5834edffc60ce22 
crypto/evp/evp_local.h +8dcb59a4222335424349f2af4ba8501d4904f80770774ecc4a5201b9350de0eb crypto/evp/evp_rand.c 2a128617ec0178e9eeacbe41d75a5530755f41ea524cd124607543cf73456a0c crypto/evp/evp_utils.c ca8c6cfd30efd53f2e5d1f19bcf09a3a3d0dff6d8947c3943d07a3f4b354aa86 crypto/evp/exchange.c 9e25042581b73e295c059c6217f3ecf809134d518eb79b1b67f34e3ca9145677 crypto/evp/kdf_lib.c 1d72f5506984df1df8606e8c7045f041cf517223e2e1b50c4da8ba8bf1c6c186 crypto/evp/kdf_meth.c 5179624b8e03615dc9caedc9ec16d094fa081495613dd552d71c2c39475bcd83 crypto/evp/kem.c 5016dd7ef8b4cf7e9ea8465c18d1daa4c8808cb589261cf236058ee75bc868d7 crypto/evp/keymgmt_lib.c -a976cf4e7bfb61e06a147360b748238010d23efb069d191fd023abc38d9a2af9 crypto/evp/keymgmt_meth.c +fe4a4d01c1b0f2137df58dee3fd1cbab4ed782bd71aaa1d411d7839e43a5546e crypto/evp/keymgmt_meth.c e1a052839b8b70dca20dbac1282d61abd1c415bf4fb6afb56b811e8770d8a2e1 crypto/evp/m_sigver.c 4290c95f63b43688a8da57690d122add5161a6811f9753da1444d28f46739961 crypto/evp/mac_lib.c e7e8eb5683cd3fbd409df888020dc353b65ac291361829cc4131d5bc86c9fcb3 crypto/evp/mac_meth.c 
@@ -210,57 +217,61 @@ b3eebfe75d050bef62a2ce6c13399a2b72bdf60bb540666d01a47691f68931b3 crypto/evp/p_l 76511fba789089a50ef87774817a5482c33633a76a94ecf7b6e8eb915585575d crypto/evp/pmeth_lib.c 4b2dbddf0f9ceed34c3822347138be754fb194febca1c21c46bcc3a5cce33674 crypto/evp/signature.c b06cb8fd4bd95aae1f66e1e145269c82169257f1a60ef0f78f80a3d4c5131fac crypto/ex_data.c -709d40d5096497349b8b9e2917e949a0a75e6065df62798d1816866ca7e7b4ca crypto/ffc/ffc_backend.c +1c8389c5d49616d491978f0f2b2a54ba82d805ec41c8f75c67853216953cf46a crypto/ffc/ffc_backend.c a12af33e605315cdddd6d759e70cd9632f0f33682b9aa7103ed1ecd354fc7e55 crypto/ffc/ffc_dh.c 854378f57707e31ad02cca6eec94369f91f327288d3665713e249c12f7b13211 crypto/ffc/ffc_key_generate.c 2695c9c8ad9193a8c1ab53d5d09712d50d12c91eb8d62e8a15cbc78f327afe84 crypto/ffc/ffc_key_validate.c -b18d5d7cfc95163defea41f5a081e90f6a7163a6b81c6cfadb8b470ef2e83fc5 crypto/ffc/ffc_params.c +8b72d5a7452b2c15aec6d20027053a83f7df89d49a3b6cfedd77e2b1a29e9fc1 crypto/ffc/ffc_params.c 1a1d227f9a0f427d2ec93bc646c726c9cd49a84a343b4aff0c9c744fa6df05a9 crypto/ffc/ffc_params_generate.c 73dac805abab36cd9df53a421221c71d06a366a4ce479fa788be777f11b47159 crypto/ffc/ffc_params_validate.c 0a4fc92e408b0562cf95c480df93a9907a318a2c92356642903a5d50ed04fd88 crypto/hmac/hmac.c 0395c1b0834f2f4a0ca1756385f4dc1a4ef6fb925b2db3743df7f57256c5166f crypto/hmac/hmac_local.h -f897493b50f4e9dd4cacb2a7accda6683c10ece602641874cdff1dac7128a751 crypto/initthread.c -5482c47c266523129980302426d25839fda662f1544f4b684707e6b272a952c9 crypto/lhash/lhash.c +5b38180a8ed150ab1be44a86cacd0c6668d2e6ba3de6b0c3420c8056543af54d crypto/initthread.c +29c58cd3875ee6eb84efe9c2a5085e434a1172f4183dff300634ff0c680d58ce crypto/lhash/lhash.c 5d49ce00fc06df1b64cbc139ef45c71e0faf08a33f966bc608c82d574521a49e crypto/lhash/lhash_local.h f866aafae928db1b439ac950dc90744a2397dfe222672fe68b3798396190c8b0 crypto/mem_clr.c -183bdca6f855182d7d2c78a5c961b34283f85ea69ac828b700605ee82546397d crypto/modes/asm/aes-gcm-armv8_64.pl 
+9abccd2f35b3b2419efb58b1d77950f8020754b452999a84476c32b65743b5ce crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl +e7111149908a16fdd9186739e2a3674c7aea7ff35826216b008517f18b83889f crypto/modes/asm/aes-gcm-armv8_64.pl +ad2ab797578f4a70d3e154cbc90af361eebb93fa4323836fe0b4cc11cdbaeeb8 crypto/modes/asm/aes-gcm-avx512.pl +400a202abf66c6a3430965c38f7164ac297c856e8585862f59e3ff188bb35a6b crypto/modes/asm/aes-gcm-ppc.pl 1d686af304f94743038f916125effcb51790c025f3165d8d37b526bbeee781f0 crypto/modes/asm/aesni-gcm-x86_64.pl c2e874a8deb418b5d8c935b2e256370566a5150e040c9fa008cdb5b463c26904 crypto/modes/asm/ghash-alpha.pl 6bc7d63569c73d7020ede481f2de05221ac92403c7cc11e7263ada7644f6aa9b crypto/modes/asm/ghash-armv4.pl 097975df63370de7ebea012d17de14fc1f361fb83acf03b432a99ae7d5bceb24 crypto/modes/asm/ghash-c64xplus.pl fdde3bc48b37790c6e0006014da71e7a831bbb4fdbfcda2d01dbe0ceb0ba88fa crypto/modes/asm/ghash-ia64.pl e472d73d06933667a51a0af973479993eed333c71b43af03095450acb36dbeb4 crypto/modes/asm/ghash-parisc.pl -6fb4332ac88113a20915ad4de1931ef88b0114b5379b16e1d967820e1229fbb0 crypto/modes/asm/ghash-s390x.pl +b7e66337683b00148796478563d985f727fddf7f433896046c4ab1f9f24b7624 crypto/modes/asm/ghash-riscv64.pl +92071f9c046f312c4eb7df483f385bc71ade863392e1acf3e821912bcc5cfaa7 crypto/modes/asm/ghash-s390x.pl 6af1a05981e1d41e4dea51e58938360e3abc4a4f58e179908242466d032b1a8a crypto/modes/asm/ghash-sparcv9.pl 26f55a57e77f774d17dfba93d757f78edfa3a03f68a71ffa37ccf3bfc468b1e2 crypto/modes/asm/ghash-x86.pl 72744131007d2389c09665a59a862f5f6bb61b64bd3456e9b400985cb56586b8 crypto/modes/asm/ghash-x86_64.pl a4e9f2e496bd9362b17a1b5989aa4682647cefcff6117f0607122a9e11a9dfd9 crypto/modes/asm/ghashp8-ppc.pl -0029b5beb1d4cd4c5ad47164c23f3e7c9d1eaff66ef54af025ee26795b11a1c7 crypto/modes/asm/ghashv8-armx.pl +2b9d67942f97024f5b42430b73281526df7e0119339caea53136816727f80bda crypto/modes/asm/ghashv8-armx.pl 65112dfe63cd59487e7bdb1706b44acfcf48ecede12cc3ae51daa5b661f41f06 crypto/modes/cbc128.c 
1611e73dc1e01b5c2201f51756a7405b7673aa0bb872e2957d1ec80c3530486f crypto/modes/ccm128.c d8c2f256532a4b94db6d03aea5cb609cccc938069f644b2fc77c5015648d148d crypto/modes/cfb128.c af1c034152d82b29cb7c938c8516cfd136b62bac0908c1d40eb50790d23b288c crypto/modes/ctr128.c -2413852b46ee90bcbb711c0d4fb79fc6b0cac1f837b4df4896a0003935d4211a crypto/modes/gcm128.c +df064432bdd596550920b7a5807811116d24bb11d17729f8d49033418964bed1 crypto/modes/gcm128.c bdf25257b15eca206be4d950d2dd807ca5f058f91f54edbd7a0d312ed83eef8e crypto/modes/ofb128.c e55a816c356b2d526bc6e40c8b81afa02576e4d44c7d7b6bbe444fb8b01aad41 crypto/modes/wrap128.c 608a04f387be2a509b4d4ad414b7015ab833e56b85020e692e193160f36883a2 crypto/modes/xts128.c -8aa2504f84a0637b5122f0c963c9d82773ba248bad972ab92be7169995d162b5 crypto/o_str.c +dc2a6064c95ec84e8f73181123cad0721ca3931b922e2872d77bde1704f0cea4 crypto/o_str.c 8ddbbdf43131c10dcd4428aef0eff2b1e98b0410accada0fad41a4925868beef crypto/packet.c -a20bfd927d69737c86ca95d3cf636afa8cefd8fe23412d1a3897644a0da21211 crypto/param_build.c -c2fe815fb3fd5efe9a6544cae55f9469063a0f6fb728361737b927f6182ae0bb crypto/param_build_set.c -06e67fdd2a308bf355c8dae2e0acd9af94f6e53d428a7d31966311eb5c0aebc1 crypto/params.c -4fda13f6af05d80b0ab89ec4f5813c274a21a9b4565be958a02d006236cef05c crypto/params_dup.c +f86fbec8357ef5bbc6442d11717db88a57a7f453fac4b082282b1370abace9e2 crypto/param_build.c +fa2062acdb901c9b15904b5c8f805247bba8b0eaa935c35fdfbe8d53ff463a7a crypto/param_build_set.c +1140c577ed7935288e2afc00decd77c5115af917fef43f32e8638ce4c2c8705e crypto/params.c +5aed5133eac67516866a8187ec875ff2f8abac4272f80264b52fa225b732dc4a crypto/params_dup.c a0097ff2da8955fe15ba204cb54f3fd48a06f846e2b9826f507b26acf65715c3 crypto/params_from_text.c -b4d34272a0bd1fbe6562022bf7ea6259b6a5a021a48222d415be47ef5ef2a905 crypto/property/defn_cache.c -7da6ae864beb1a4daa4be31eb41d48141a3a7eb7a263a4937a6889e05656a595 crypto/property/property.c +467c416422ecf61e3b713c5eb259fdbcb4aa73ae8dee61804d0b85cfd3fff4f7 
crypto/property/defn_cache.c +7b3e6585a25db7f3c51b33037de050118ef0cc70dd1f931d476c3002bc309524 crypto/property/property.c 66da4f28d408133fb544b14aeb9ad4913e7c5c67e2826e53f0dc5bf4d8fada26 crypto/property/property_local.h -921305e62749aec22da4843738bee3448b61e7e30d5309beddc7141ad07a8004 crypto/property/property_parse.c +988e14f794b50729aa9e809e1160d7c52cc77bc891df037ac19cefa946df20cc crypto/property/property_parse.c a7cefda6a117550e2c76e0f307565ce1e11640b11ba10c80e469a837fd1212a3 crypto/property/property_query.c -065698c8d88a5facc0cbc02a3bd0c642c94687a8c5dd79901c942138b406067d crypto/property/property_string.c -9653ec9c1476350a94b9cc7f8be3d99961fd803870c9ac03315298d2909a6a8e crypto/provider_core.c +20e69b9d594dfc443075eddbb0e6bcc0ed36ca51993cd50cc5a4f86eb31127f8 crypto/property/property_string.c +0d2fba9cbb87ad30e0238727662b01e8e7c20a341e6658d26b8c162aea912878 crypto/provider_core.c d0af10d4091b2032aac1b7db80f8c2e14fa7176592716b25b9437ab6b53c0a89 crypto/provider_local.h 5ba2e1c74ddcd0453d02e32612299d1eef18eff8493a7606c15d0dc3738ad1d9 crypto/provider_predefined.c -a5a4472636b8b0095ad8d4acd37e275ad79da1a67ecff7b7b5c3e46c9ebc65b7 crypto/rand/rand_lib.c +470406e440ed0f117743fb645e4c9ac5319df03a06863675f88ebfd3be820a64 crypto/rand/rand_lib.c fd03b9bb2c23470fa40880ed3bf9847bb17d50592101a78c0ad7a0f121209788 crypto/rand/rand_local.h f0c8792a99132e0b9c027cfa7370f45594a115934cdc9e8f23bdd64abecaf7fd crypto/rsa/rsa_acvp_test_params.c 9e7dd6fc91d3266d4aa4f0f41b7986381122b7d98114e63ebf04c5ee298b5fda crypto/rsa/rsa_backend.c 
@@ -274,28 +285,28 @@ cf0b75cd54b61b9b9a290ef18d0ddce9fb26a029a54eb3f720d9b25188440f00 crypto/rsa/rsa 33de2accc3af530fd0a4758eb83d5e1d994bf49bac4512b01387dbae656e1a7d crypto/rsa/rsa_oaep.c 178c98421b54ec50ee55470a7b1acb771ed22efef2c2c0e059544baa7e6d387e crypto/rsa/rsa_ossl.c be3f39c1fcb777d6c0122061f9ef735d10a6bee95d67fcc1ca6ae2a664022d2b crypto/rsa/rsa_pk1.c -174a42e156be48927fe6d6bf0d95575619b8e643a99761275bff933bc3449722 crypto/rsa/rsa_pss.c +04b3d6145d36262d7b8f625a2595a48ea8cbf2190b2760762c1eef3cdb8566c0 crypto/rsa/rsa_pss.c bf6d300b7e7e9e512a47c5bd1f8713806ae3033a140d83dfae4a16ad58d11170 crypto/rsa/rsa_schemes.c f01af62704dbf9457e2669c3e7c1d4d740f0388faa49df93611b987a8aa2bf11 crypto/rsa/rsa_sign.c 740c022caff3b2487c5838b581cdddcc7de2ceabb504aad72dc0dd70a67bf7cf crypto/rsa/rsa_sp800_56b_check.c 20e54cf2a8fd23ced0962c5f358cedd8ec0c398a87d33b34f1a4326d11e4892e crypto/rsa/rsa_sp800_56b_gen.c 1c1c2aeeb18bf1d69e8f134315b7e50d8f43d30eb1aa5bf42983eec9136a2fdc crypto/rsa/rsa_x931.c -5fa59240ca885cbc0c1cd026934b226d44fc9c3fdf0c2e7e3a7bd7f4963ca2e5 crypto/self_test_core.c +465f850c3d6f2e9410f2e1ee9604b1b5b80f99bae1f6c581161c2f7ebc2c6e41 crypto/self_test_core.c 05c533fde7fdba0c76103e97d881b7224c8427451b453e2f6413552996063e31 crypto/sha/asm/keccak1600-armv4.pl -ca3b2b654f9a8c4bc2fa2538c1f19d17acd4a6b9e0df6a4b81df04efa697e67e crypto/sha/asm/keccak1600-armv8.pl +e32c7d698a6f156544aa42443e359af67076097471d9a171177afc668e9ebc74 crypto/sha/asm/keccak1600-armv8.pl ef575a7fb4956cc3be4ef10a6aeaa10702eadfc92c86167880690320ce942b26 crypto/sha/asm/keccak1600-avx2.pl f1dcf75789dfb0c5d7cd35988cb8046f60097bbaf1fbdab32a9269fa5492214c crypto/sha/asm/keccak1600-avx512.pl 63e547b100562d1142512d5b54e16efc276ecb6c743c27873dbcdd7cb917c828 crypto/sha/asm/keccak1600-avx512vl.pl 33bdcc6f7668460c3bdf779633e43bfad62b937042a73acb007b462fc5b0a034 crypto/sha/asm/keccak1600-c64x.pl 09fc831dd39bd90a701e9b16d9e9987cc215252a22e1e0355f5da6c495fca35a crypto/sha/asm/keccak1600-mmx.pl 
-ce4a58129e5ee3ac4c9dfec5ecc010440570ebf7bf869e3e9977f2121a64b27a crypto/sha/asm/keccak1600-ppc64.pl +bd0157f1a5741e0d23f3d84a8dad5a939f8d3c6182573ba2446187dd0d195233 crypto/sha/asm/keccak1600-ppc64.pl a859fc8cb073b2d0012a93f3155a75fb6eb677441462b0de4f8cf8df1445e970 crypto/sha/asm/keccak1600-s390x.pl 618dcd4891b4064d3b8aa6dcd74bea7ef55f4962a64957b05a05448f6e3e0f17 crypto/sha/asm/keccak1600-x86_64.pl 831b8b02ab25d78ba6300ce960d96c13439bfba5844e13061e19c4e25cbacc3d crypto/sha/asm/keccak1600p8-ppc.pl 75d832db9bf0e98e7a5c522169060a6dd276c5118cfb297fc3f1111f55cd4007 crypto/sha/asm/sha1-586.pl c96e87d4f5311cd73bbdf499acc03418588be12426d878e157dd67e0099e0219 crypto/sha/asm/sha1-alpha.pl 4ba6d1c7f12fe76bf39babea966f0a4b7f8769e0c0510cbfc2c46a65dd62d45c crypto/sha/asm/sha1-armv4-large.pl -efc69cb0d867b7fac6b3fa8985c343d1f984d552bc8e75bbbbace0adf9ee5f15 crypto/sha/asm/sha1-armv8.pl +3ca053a2a27550b6076d2f12579899b027b2eadc0f30bef867c3eeae03e5e8bf crypto/sha/asm/sha1-armv8.pl 11d332b4e058e9fa418d6633316d2e9f9bf520a08b2d933e877bdf38b2edefcf crypto/sha/asm/sha1-c64xplus.pl 32ff0e701a7b8f25bcfe8477b20795de54f536527bd87d3ce694fd9aaae356d4 crypto/sha/asm/sha1-ia64.pl 471c27efca685b2a82ad7fefe329ca54172df9f49b9785da6d706b913b75e693 crypto/sha/asm/sha1-mb-x86_64.pl 
@@ -313,7 +324,7 @@ b9cee5c5a283f61f601d2dba68a7a76e7aba10bfafffc1a5c4987f9c0aa6f87d crypto/sha/asm 8be5c5d69733ecb16774aa8410b4bcb3623a9f060d2be103d8aa67bf6e4c5843 crypto/sha/asm/sha256-mb-x86_64.pl dd82e1311703abb019975fc7b61fb87d67e1ed916dddd065aced051e851114b9 crypto/sha/asm/sha512-586.pl 8d84164f3cfd53290c0c14bb5655510b7a9238857866328c0604d64b4e76fe21 crypto/sha/asm/sha512-armv4.pl -dadacb6d66b160913bffb4e1a6c3e5f7be6509b26e2c099701d8d3fdb92c1be0 crypto/sha/asm/sha512-armv8.pl +e840aeed694a04153364585989f09a791422c95260cfe5b89c3f8c57e0916a1c crypto/sha/asm/sha512-armv8.pl 6f548a088feae3b6faa179653ba449df9d3f5cda1e0561e5b5f120b32274d1eb crypto/sha/asm/sha512-c64xplus.pl 9fa54fbc34fd881f4b344374b9b4f8fb15b641424be7af9a31c71af89ae5d577 crypto/sha/asm/sha512-ia64.pl fb06844e7c3b014a58dccc8ec6020c71843cfdc5be08288bc7d204f0a840c474 crypto/sha/asm/sha512-mips.pl 
@@ -325,23 +336,23 @@ f64d16c1e5c3fa4a7969de494a8372127502171a517c14be7a1e3a43a7308699 crypto/sha/asm 8725cabb8d695c576619f19283b034074a3fa0f1c0be952a9dbe9793be15b907 crypto/sha/asm/sha512p8-ppc.pl 57f6cf54b1b5d2cac7a8f622b7b6bd1878f360fff3fa0f02352061c24162ebbb crypto/sha/keccak1600.c 306cacd3f86e5cacaca74c58ef862516515e5c0cafaff48636d537fd84f1c2fb crypto/sha/sha1dgst.c -4d8cf04f5806611e7586aab47fb28165ec1afb00168e2c9876bb36cb5c29bf8b crypto/sha/sha256.c +58f6bacfa26273c9cf1b7b11dd2456253f44f20958905f7cb9d0f8eaf40f9591 crypto/sha/sha256.c 3d972a11be18bfbfcd45790028635d63548bfe0a2e45d2fc56b6051b759d22f0 crypto/sha/sha3.c -8038a5a97f826f519424db634be5b082b3f7eca3ccb89875ca40fa6bd7dfdcfd crypto/sha/sha512.c +dc89d6740cfb58729e3276e03d290ae8319c6b081bfeaf21a0aa15ffb9839e17 crypto/sha/sha512.c 6c6f0e6069ac98e407a5810b84deace2d1396d252c584703bcd154d1a015c3ea crypto/sha/sha_local.h c50c584c55e56347bb43aca4b796b5344d70daece3061f586b79c871c21f5d1a crypto/sparse_array.c 8da78169fa8c09dc3c29c9bf1602b22e88c5eac4815e274ba1864c166e31584b crypto/stack/stack.c -7b4efa594d8d1f3ecbf4605cf54f72fb296a3b1d951bdc69e415aaa08f34e5c8 crypto/threads_lib.c +67ba8d87fbbb7c9a9e438018e7ecfd1cedd4d00224be05755580d044f5f1317a crypto/threads_lib.c a41ae93a755e2ec89b3cb5b4932e2b508fdda92ace2e025a2650a6da0e9e972c crypto/threads_none.c 2637a8727dee790812b000f2e02b336f7907949df633dda72938bbaafdb204fe crypto/threads_pthread.c 7959c65c27280cdb1166a30a27c931befd6cfa4ed109094c40eb5a6d253c790c crypto/threads_win.c fd6c27cf7c6b5449b17f2b725f4203c4c10207f1973db09fd41571efe5de08fd crypto/x86_64cpuid.pl -0a9c484f640d96e918921f57f592e82e99ccdbe35d3138d64b10c7af839e9a07 e_os.h -6f353dc7c8c4d8f24f7ffbf920668ccb224ebb5810805a7c80d96770cd858005 include/crypto/aes_platform.h +921201bcee9557a442b5baaf20ec8c5e35c165dbfbee3ffae6dad7a94775f08a include/crypto/aes_platform.h 8c6f308c1ca774e6127e325c3b80511dbcdc99631f032694d8db53a5c02364ee include/crypto/asn1_dsa.h 
-f49a26fc4348f3b79507dc4a04fade82cf870f7c22e6c977f402c859fdd1b98b include/crypto/bn.h +1412d955bee9f2b973dc7b4b2ef7c6ad4fc10353b567311c58aac8da8d18769e include/crypto/bn.h 1c46818354d42bd1b1c4e5fdae9e019814936e775fd8c918ca49959c2a6416df include/crypto/bn_conf.h.in 7a43a4898fcc8446065e6c99249bcc14e475716e8c1d40d50408c0ab179520e6 include/crypto/bn_dh.h +9f1fa7b67a1664dd0fdc60aa65b153467398aeb07d8bc82c16a6341b2d96dc2f include/crypto/context.h e69b2b20fb415e24b970941c84a62b752b5d0175bc68126e467f7cc970495504 include/crypto/cryptlib.h 6c72cfa9e59d276c1debcfd36a0aff277539b43d2272267147fad4165d72747c include/crypto/ctype.h 89693e0a7528a9574e1d2f80644b29e3b895d3684111dd07c18cc5bed28b45b7 include/crypto/des_platform.h 
@@ -349,11 +360,11 @@ daf508bb7ed5783f1c8c622f0c230e179244dd3f584e1223a19ab95930fbcb4f include/crypto 20d99c9a740e4d7d67e23fa4ae4c6a39d114e486c66ad41b65d91a8244cd1dea include/crypto/dsa.h 2ea47c059e84ce9d14cc31f4faf45f64d631de9e2937aa1d7a83de5571c63574 include/crypto/ec.h edbfae8720502a4708983b60eac72aa04f031059f197ada31627cb5e72812858 include/crypto/ecx.h -9dab9af8b0a657fe5de46375b71aefcad7e98af272b69ed69c7c104e9e057414 include/crypto/evp.h +952d5ec260fd49065e1d95f27cc1f492f9539083efcac469f35803f5a259c6ba include/crypto/evp.h bbe5e52d84e65449a13e42cd2d6adce59b8ed6e73d6950917aa77dc1f3f5dff6 include/crypto/lhash.h -162812058c69f65a824906193057cd3edeabc22f51a4220aea7cb9064379a9b6 include/crypto/md32_common.h -f12bfc145290444bcc7bf408874bded348e742443c145b8b5bc70ae558d96c31 include/crypto/modes.h -f326212c978576c5346c89ae0336c2428594494b54054f6045b1f1038bfbc004 include/crypto/rand.h +9190c0b67ead73be80c0b9e53a492bbbc7f22641e6abed82e105fd80198595c4 include/crypto/md32_common.h +cf90ee889f93092e260ae6d7a01bbefbf3ad8651153729206e45db671bac3dab include/crypto/modes.h +8aa4f71ebd9753baceed428e323d5f550d74aff43ab9a55eda7c096d838b8f49 include/crypto/rand.h 90930fc8788d6e04e57829346e0405293ac7a678c3cef23d0692c742e9586d09 include/crypto/rand_pool.h 306abf9d327a9e63fff2cdef730275abc4d2781254a032b1f370f3428eb5a2ef include/crypto/rsa.h 32f0149ab1d82fddbdfbbc44e3078b4a4cc6936d35187e0f8d02cc0bc19f2401 include/crypto/security_bits.h 
@@ -363,69 +374,70 @@ f326212c978576c5346c89ae0336c2428594494b54054f6045b1f1038bfbc004 include/crypto 782a83d4e489fd865e2768a20bfa31e78c2071fd0ceeb9eb077276ae2bcc6590 include/internal/bio.h 92aacb3e49288f91b44f97e41933e88fe455706e1dd21a365683c2ab545db131 include/internal/constant_time.h c5bb97f654984130c8b44c09a52395bce0b22985d5dbc9c4d9377d86283f11f8 include/internal/core.h -0b572801dfb8a41cc239e3439f8097a0ad11bbdf5d54811d10ceba3175cf2f17 include/internal/cryptlib.h +7b5b7c98d783cc5ae769f59c1973f0f46117116abf766e72b6837228412bb030 include/internal/cryptlib.h 9571cfd3d5666749084b354a6d65adee443deeb5713a58c098c7b03bc69dbc63 include/internal/deprecated.h 3325b895d15c0a6341f456a8d866a0f83e80fc8a31a01c34fcfd717715b33075 include/internal/der.h fd1722d6b79520ee4ac477280d5131eb1b744c3b422fd15f5e737ef966a97c3b include/internal/dso.h f144daebef828a5bd4416466257a50f06b894e0ce0adf1601aa381f34f25a9e7 include/internal/dsoerr.h +f73c8f38f60fb6c15f59b53167f2591f3253c7afef9cec7ba5b53ecde11d466d include/internal/e_os.h 70d3e0d5a1bd8db58dcc57bea4d1c3ed816c735fe0e6b2f4b07073712d2dc5ef include/internal/endian.h 094b69aeb8f349cafa8865b577e253132088c25eabb61b910fab141e6f7d2929 include/internal/ffc.h -100053a1bad1a85a98c5b919cf81ace0ee147b2164732963e40474d7b5fbbb99 include/internal/namemap.h +55c4102496ed5ab16de11afe38c328a1396c3b6e2c7e44add4a38855103c19da include/internal/namemap.h b02701592960eb4608bb83b297eed90184004828c7fc03ea81568062f347623d include/internal/nelem.h ae41a2fb41bf592bbb47e4855cf4efd9ef85fc11f910a7e195ceef78fb4321dc include/internal/numbers.h b89cca3b727d4526b459246de11e768a20333555bf3a9ed9a9b8beb2b565dc7f include/internal/packet.h dd7ddecf30bef3002313e6b776ce34d660931e783b2f6edacf64c7c6e729e688 include/internal/param_build_set.h d4ac19b28ea61f03383364cfad1e941cac44fc36787d80882c5b76ecc9d34e29 include/internal/property.h 727326afb3d33fdffdf26471e313f27892708318c0934089369e4b28267e2635 include/internal/propertyerr.h 
-6a899ef3e360c7144d84d3c3dbbd14aa457f5d38b83b13c0be7ec7f372076595 include/internal/provider.h -5af9a40c44def13576fe2c0eb082fb73c3565c5e00f902d51b1ed1593d481ccb include/internal/refcount.h +9a73c9ac02eb93a8399381862397bc27fbf8abb7523b07e9f1da9f2e66a913ae include/internal/provider.h +80d7d12b8b3d9945bde3991cb0d1413d120a58a04b17ac673549789e3f37b18a include/internal/refcount.h 11ee9893f7774c83fcfdee6e0ca593af3d28b779107883553facdbfdae3a68f5 include/internal/sha3.h 494ab5c802716bf38032986674fb094dde927a21752fe395d82e6044d81801d1 include/internal/sizes.h 24f41a1985fa305833c3f58030c494d2563d15fc922cdf3eeb6a7ea8c135a880 include/internal/symhacks.h 640cc6a2aae208073a7f495c08b4c5006a69e8ac1c2d9aaaafd56b0e74d5f859 include/internal/thread_once.h 415b725d7f949a6191ab7bb30b48931bafc01c7aa93607e529fabbc853a4ddc5 include/internal/tlsgroups.h -fc0f9199487ef278b9fd317d1572db3e3fb95e182055f0e49c4d8faf78ed7dd2 include/internal/tsan_assist.h +7c8d8dfb769cd88c23033e86a2b2cf945391d33c6df1dce86c8d2fc5112636e2 include/internal/tsan_assist.h 2b38fb6e65d549aca3b2c76907daf67124f395251c0261dec26faa54da8d6d73 include/openssl/aes.h -98aa2fc5eae9ef2a36d3d0053212696d58893baa083fa1fcf720660fb4bc0a9f include/openssl/asn1.h.in +3157a0e4fba3df5db17e7843ef614d46dd4b6bcdebcb2c3667b777f20a092f2c include/openssl/asn1.h.in d4733dcd490b3a2554eaf859d1ea964fe76f7d24f78e42be1094bdad6dee7429 include/openssl/asn1err.h 1550474ee05423896ec4abfb6346f1bc44c7be22329efac9ea25de10e81d549c include/openssl/asn1t.h.in 2cd8163cdc6c93386bc05e8ed983e5ca604d0bf9da65500cab736cfa8bc2b048 include/openssl/bio.h.in 0a26138aaded05cafe2326e11fdc19b28408e054cfe3dda40d45ef95ce8136b0 include/openssl/bioerr.h -7d1f9880976a926ba6e0cad08e8de6f326aae48d8350b499aa79127f63d4d108 include/openssl/bn.h +82171a089d3dc93249ea59ae4900d78197eef1040cd658117be67f3b0b318d03 include/openssl/bn.h 9ad8b04764797f5138f01f549ba18b44cf698ffc7fe795fef42c1822d84a6ff4 include/openssl/bnerr.h 93954e6c450716e158948d67f64736a451ea9473d02f3a908f3bc8a96cf049a5 
include/openssl/buffer.h 9d48e6cab2ee98ae94d7113e4c65f000d97e125fdb3445642865ace3f34d06ac include/openssl/buffererr.h 8e772c24b051e59d2f65339f54584e3e44165a3eaf997d497faea764990130f5 include/openssl/cmac.h -55aa91482d327d1784484922389e8277bdcdff7a7df27e84200d5c908bd40454 include/openssl/conf.h.in +1342636127f3d365ac538115e706ea1aea43ab8fa79e86756e818b30a72789c7 include/openssl/conf.h.in f20c3c845129a129f5e0b1dae970d86a5c96ab49f2e3f6f364734521e9e1abe3 include/openssl/conferr.h 02a1baff7b71a298419c6c5dcb43eaa9cc13e9beeb88c03fb14854b4e84e8862 include/openssl/configuration.h.in 6b3810dac6c9d6f5ee36a10ad6d895a5e4553afdfb9641ce9b7dc5db7eef30b7 include/openssl/conftypes.h df5e60af861665675e4a00d40d15e36884f940e3379c7b45c9f717eaf1942697 include/openssl/core.h 00110e80b9b4f621c604ea99f05e7a75d3db4721fc2779224e6fa7e52f06e345 include/openssl/core_dispatch.h -cbd9d7855ca3ba4240207fc025c22bbfef7411116446ff63511e336a0559bed0 include/openssl/core_names.h -194f96a30bdc4dab3f65693c09326ef53c54ebfd613c2513d8258a0aa35a6996 include/openssl/crypto.h.in -1d1697bd3e35920ff9eaec23c29472d727a7fc4d108150957f41f6f5ecf80f1a include/openssl/cryptoerr.h +138d29707caf6dbc4566a948bd8e5303a10d3f928945eba6165886592afac901 include/openssl/core_names.h +80e6806ba08aaafb45fefc6fec015f93bf3b717ff61f83f33dfd54f5ff3bd00e include/openssl/crypto.h.in +2f9570c2514b4d1b2a86fbdf30ced879e5c52e62f1d3691cb3da37ce4f6a98dd include/openssl/cryptoerr.h bbc82260cbcadd406091f39b9e3b5ea63146d9a4822623ead16fa12c43ab9fc6 include/openssl/cryptoerr_legacy.h fa3e6b6c2e6222424b9cd7005e3c5499a2334c831cd5d6a29256ce945be8cb1d include/openssl/des.h -3a57eceec58ab781d79cb0458c2251a233f45ba0ef8f414d148c55ac2dff1bc8 include/openssl/dh.h +0558a131214f508cd0619658a33af1d62579d94d50df5348994a1de12371b98e include/openssl/dh.h 836130f5a32bbdce51b97b34758ed1b03a9d06065c187418eaf323dca6adfc6d include/openssl/dherr.h -92ae2c907fd56859e3ae28a085071611be5c9245879305cdf8bad027219e64b6 include/openssl/dsa.h 
-335eb40a33cd1e95e7783bda2d031ec2bcf02cff8aa804ba3484d1354452b7ea include/openssl/dsaerr.h -41bf49e64e1c341a8c17778147ddeba35e88dfd7ff131db6210e801ef25a8fd5 include/openssl/e_os2.h +3cfb7211419c5dcc98b9a20713e2245befa0182a10615edb89a5ce0a0725a787 include/openssl/dsa.h +276d1f6e111ba933bc708e6a0670047cbe0d0b67aabe31807abbbc231de4d8cf include/openssl/dsaerr.h +46921241755eec0c0fe1a0a5b32c51ac7a3ecd33b9aa05a7489ad4f67d5454be include/openssl/e_os2.h bc9ec2be442a4f49980ba2c63c8f0da701de1f6e23d7db35d781658f833dd7b9 include/openssl/ebcdic.h -33b6321d1c6b7b1621198346946401bb81472054aa236b03c6f22f247248d2ad include/openssl/ec.h -dad1943d309aaadb800be4a3056096abec611d81982b83c601b482405e11d5c0 include/openssl/ecerr.h +b6a11924ed95072f4af0a895ee6b93d17aa06104619fb79c9cd0a7bfd5c9164c include/openssl/ec.h +7aa8c5bee779af59d4733f6a50f7f6be39f1eb43409e5b3357440f9a7d0ca115 include/openssl/ecerr.h 61c76ee3f12ed0e42503a56421ca00f1cb9a0f4caa5f9c4421c374bcd45917d7 include/openssl/encoder.h 69dd983f45b8ccd551f084796519446552963a18c52b70470d978b597c81b2dc include/openssl/encodererr.h c6ee8f17d7252bdd0807a124dc6d50a95c32c04e17688b7c2e061998570b7028 include/openssl/err.h.in -12ec111c0e22581e0169be5e1838353a085fb51e3042ef59a7db1cee7da73c5b include/openssl/evp.h +f55d107d6b31ba1e0b4a2f27480aa9b2e044240c3acbb7eb589eeb9d87a1d273 include/openssl/evp.h 5bd1b5dcd14067a1fe490d49df911002793c0b4f0bd4492cd8f71cfed7bf9f2a include/openssl/evperr.h -5381d96fe867a4ee0ebc09b9e3a262a0d7a27edc5f91dccfb010c7d713cd0820 include/openssl/fips_names.h +daec971f5cd309818ee87440744d2b53091c0e027849b115ebf63a74bb6e0a25 include/openssl/fips_names.h b1d41beba560a41383f899a361b786e04f889106fb5960ec831b0af7996c9783 include/openssl/fipskey.h.in 47a088c98ad536ea99f2c6a9333e372507cb61b9bdffb930c586ed52f8f261eb include/openssl/hmac.h faab8accc9520269dd874126ae164a43526d5784e6280521c7ab3772c02b0a0c include/openssl/kdf.h -c6db6926e90c9efd530a7bdb018be8c62f2c2b3c2f7b90228e9f73b8437dd785 include/openssl/lhash.h.in 
-fd5c049ac6c3498750fa8f8dcbf88b2a31c02fa62dfe43a33d7b490fb86f61c8 include/openssl/macros.h +2dc06275ed23fbea883b1126e69c5344ef64fbc81036478fba0c3c9f2d20839f include/openssl/lhash.h.in +e17ff4d8d6a705c9658c490a9f7baea5eb7266ce2aa1e21ff8a364bdcad463d2 include/openssl/macros.h 9184207c562fd1fa7bd3a4f1fadcb984130561279818f0cdfcf3e9c55be8a7d1 include/openssl/modes.h 7c71200e35f4cc1b4011a4bc14e521e4dc037b9b2d640a74bc30ef334b813de3 include/openssl/obj_mac.h 157797b450215f973eb10be96a04e58048ab9c131ad29427e80d0e37e230ed98 include/openssl/objects.h 
@@ -435,21 +447,21 @@ fe6acd42c3e90db31aaafc2236a7d30ebfa53c4c07ea4d8265064c7fcb951970 include/openss 767d9d7d5051c937a3ce8a268c702902fda93eeaa210a94dfde1f45c23277d20 include/openssl/param_build.h 30085f4d1b4934bb25ffe7aa9a30859966318a1b4d4dcea937c426e90e6e1984 include/openssl/params.h 097615b849375e2903967521f76c570512e5be47b8159fdbcd31e433f8a4cca7 include/openssl/prov_ssl.h -bdadffba7b7b8294c9f7450ce2563ae31145ca0f196f5ce7b8c2f19ed7fba816 include/openssl/proverr.h +033c0dd117bbd44af2af9ab2eddb16552bd46ce1ce7435736a187ef82357ee92 include/openssl/proverr.h b97e8ad49b38683817387596aefec0abd5f4d572643beef48be4f7acba26768d include/openssl/provider.h -7c9b5f479d9b22cfc8db0976dddfc2a1ee6e757b436e01a2b4d2744bcb6d81a5 include/openssl/rand.h +e512ab2e492d968a9bf8b2b048f79ac5dfe11bddf3c00f2eec6e9c6ecc57d330 include/openssl/rand.h 108966f56c82fedff53df76a4aa7861c82be4db1fd1ddafb59dc086ea155831c include/openssl/randerr.h -c1015b77c444a3816d2ea7ad770f1c3b79a1e54887930af6dd662895701f3323 include/openssl/rsa.h +140340d4735a8bac1be0a07f5446ce316619ebacde0f8a8a942ab03ddc4f3da3 include/openssl/rsa.h 2f339ba2f22b8faa406692289a6e51fdbbb04b03f85cf3ca849835e58211ad23 include/openssl/rsaerr.h 6586f2187991731835353de0ffad0b6b57609b495e53d0f32644491ece629eb2 include/openssl/safestack.h.in -af5cc56fb31161ccd87cf925f3d3f22119dfbca78bc39a2e2d65d78bfcf0f0c6 include/openssl/self_test.h +676015d7541e7929c8ecbea648665f869d7edf50f9e7292a401b18c63a7ffe05 include/openssl/self_test.h 2964274ab32b1ba8578a06b06663db2eda4317ae806369271d889176bb5a7d04 include/openssl/sha.h c169a015d7be52b7b99dd41c418a48d97e52ad21687c39c512a83a7c3f3ddb70 include/openssl/stack.h 22d7584ad609e30e818b54dca1dfae8dea38913fffedd25cd540c550372fb9a6 include/openssl/symhacks.h -5e452bf61d802fdf7b6a65d1c8a1e3f72a7885e4bf2f521eca6443cea69f4ce5 include/openssl/trace.h -873d2ec2054ec24c52df4abe830cb2b9666fe4e75cc62b4de0f50ef9d20c5812 include/openssl/types.h +c2a80f226bf916c1fd9067f2d9f37d78a48a9377d14bb554ef013b6ee3ca4a24 
include/openssl/trace.h +a22bb862d4e1e7bb41b4199f81fc6737dc0a277534b17f9e22b102ea297532c1 include/openssl/types.h c0a9551efccf43f3dd748d4fd8ec897ddaabbc629c00ec1ad76ce983e1195a13 providers/common/bio_prov.c -4546387d6642603c81ec4cd8d5fc4af8ba60ac7359eb6f31e7d24827031e68ad providers/common/capabilities.c +e086f0f9c4a22bdada5e2f7ba34124d8cdc52d12d2f156e49ea7a5cf1ec85dac providers/common/capabilities.c f94b7435d4ec888ec30df1c611afa8b9eedbb59e905a2c7cb17cfc8c4b9b85b8 providers/common/der/der_digests_gen.c.in 424d7b2ece984a0904b80c73e541400c6e2d50a285c397dd323b440a4f2a8d8e providers/common/der/der_dsa_gen.c.in 27ff361a5fbfc97cd41690ab26639708961d0507b60912f55f5919649842c6ae providers/common/der/der_dsa_key.c 
@@ -473,21 +485,21 @@ ce605f32413b09d33ce5795de9498a08183895c3347f33344f9ae5d31c29ccac providers/comm 6c1fa3f229c6f049c3ac152c4c265f3eb056d94221b82df95a15400649690e93 providers/common/include/prov/der_wrap.h.in 76087f04f4de6414c240f88807659fb2a04af914108f0c5f2515a4cb5482f655 providers/common/include/prov/proverr.h 83a57505d88a6a9cc4f7781c9f7f4af07668e7923502dfd6c5960bb492c1d24e providers/common/include/prov/provider_ctx.h -03fcfea9ed6e23d1df7ffd230af15f0f9b91a6aa635f77b9cbe52d5112168d09 providers/common/include/prov/provider_util.h +f533a548eee6ec1863ca4afc4eb27766596fdf74c5eaed81817a92d26bbf26f0 providers/common/include/prov/provider_util.h e1ef8b2be828a54312d6561b37751a5b6e9d5ebdb6c3e63589728c3d8adca7dc providers/common/include/prov/providercommon.h -73d0e15963759fcb7c5c434bb214b50bc32f6066e90ac07fb53dad11c2fd1939 providers/common/include/prov/securitycheck.h +c2b4301a9f835c0b3776ad3afba7121d00cd7ae6387fe11c96269a37da08027c providers/common/include/prov/securitycheck.h 737cc1228106e555e9bab24e3c2438982e04e05b0d5b9ee6995d71df16c49143 providers/common/provider_ctx.c -a8b73b10ab0100942dd2bc45f2fc9c9238b70bec0e49708ba113bc7479c8b92a providers/common/provider_err.c +34d0b6d119167d18770ac47e6cee0ad169ec9318e9a33747341a1a75beb20175 providers/common/provider_err.c 9eae3e2cac89c7b63d091fdca1b6d80c5c5d52aa79c8ba4ce0158c5437ad62f3 providers/common/provider_seeding.c -eec462d685dd3b4764b076a3c18ecd9dd254350a0b78ddc2f8a60587829e1ce3 providers/common/provider_util.c +8008cc352afcc74177ae3c61dd997097395bddcec4461871c0f52ffed6b7e50c providers/common/provider_util.c ba345b0d71f74c9e3d752579e16d11cc70b4b00faa329cc674bc43dd2620e044 providers/common/securitycheck.c -527eda471e26763a5fcf123b2d290234d5c836de7b8ef6eef2166ef439919d82 providers/common/securitycheck_fips.c +981c2b12d8ffb656e399dc908cf0945d6bb42379030bbcc5095cfc0c53f4c4e2 providers/common/securitycheck_fips.c abd5997bc33b681a4ab275978b92aebca0806a4a3f0c2f41dacf11b3b6f4e101 providers/fips/fips_entry.c 
-0f761a26c8fa6ad8d5a15c817afe1741352b21769b2164a2eb7dd50e1f6fe04f providers/fips/fipsprov.c -52b48aece6aa3592593c94b53326410c75efb95ac480697ce414679446b49943 providers/fips/self_test.c +8e082ed46b7267608cf41f5d091dcd0b078335b9c9cf9bfa3b16db5aa138ed88 providers/fips/fipsprov.c +2ceef6e94dfef12be887cfaeda47dff780c44acbb45564b779c3e1823cb22eb8 providers/fips/self_test.c f822a03138e8b83ccaa910b89d72f31691da6778bf6638181f993ec7ae1167e3 providers/fips/self_test.h -d3c95c9c6cc4e3b1a5e4b2bfb2ae735a4109d763bcda7b1e9b8f9eb253f79820 providers/fips/self_test_data.inc -629f619ad055723e42624230c08430a3ef53e17ab405dc0fd35499e9ca4e389c providers/fips/self_test_kats.c +551631b909f8d173eafcccac782a44c8aed92bb8463bfccdb936b7f3aee2a48b providers/fips/self_test_data.inc +ed6dc106e223a422b133f774f94079fcd404899d7fad624179dd152354dbb500 providers/fips/self_test_kats.c 6b082c1af446ef9a2bfe68a9ee4362dfa4f1f09f975f11f9ba2e5010493039c6 providers/implementations/asymciphers/rsa_enc.c 4db1826ecce8b60cb641bcd7a61430ec8cef73d2fe3cbc06aa33526afe1c954a providers/implementations/ciphers/cipher_aes.c f9d4b30e7110c90064b990c07430bb79061f4436b06ccaa981b25c306cfbfaa2 providers/implementations/ciphers/cipher_aes.h 
@@ -497,28 +509,29 @@ f9d4b30e7110c90064b990c07430bb79061f4436b06ccaa981b25c306cfbfaa2 providers/impl 6d2ab2e059ef38fad342d4c65eebd533c08a2092bb174ff3566c6604e175c5a4 providers/implementations/ciphers/cipher_aes_cbc_hmac_sha256_hw.c 6d6bf36329af3b77f457898294be05fea3940a61cdaf0ed60cfb8d091a94186e providers/implementations/ciphers/cipher_aes_ccm.c 00f36bf48e522dbb5ec71df0ec13e387955fa3672e6ff90e8a412ae95c4a642f providers/implementations/ciphers/cipher_aes_ccm.h -6337b570e0dc4e98af07aa9704254d3ab958cf605584e250fbd76cd1d2a25ac7 providers/implementations/ciphers/cipher_aes_ccm_hw.c +b18ca62d4962990bd29bc9531493d61bcb74ba6d8d3ae6c3d6c7b39ba5189b2b providers/implementations/ciphers/cipher_aes_ccm_hw.c 302b3819ff9fdfed750185421616b248b0e1233d75b45a065490fe4762b42f55 providers/implementations/ciphers/cipher_aes_ccm_hw_aesni.inc a8eaca99a71521ff8ac4ffcf08315e59220f7e0b7f505ecddad04fadd021ec14 providers/implementations/ciphers/cipher_aes_cts.inc 710ee60704dd9dffa2a11e2e96596af1f7f84f915cedcedeec7292e0d978317a providers/implementations/ciphers/cipher_aes_gcm.c 79f5a732820d2512a7f4fc2a99ece7e6e2523a51e62561eb67a4b70d5538b0c4 providers/implementations/ciphers/cipher_aes_gcm.h -ab298c5f89f3165fa11093fad8063b7bcbff0924b43fb3107148ae66d54adcb5 providers/implementations/ciphers/cipher_aes_gcm_hw.c -8ed4a100e4756c31c56147b4b0fab76a4c6e5292aa2f079045f37b5502fd41b9 providers/implementations/ciphers/cipher_aes_gcm_hw_aesni.inc -4c6f3a2818754a5aa7b6db36dae53e248504f9e82cc5af2ed68c723903d4f9d5 providers/implementations/ciphers/cipher_aes_hw.c +1a422ccd2f1b276a3cfac2d4a00d3fb8f6ed42ef7d77eb255686d3806b0a6cb5 providers/implementations/ciphers/cipher_aes_gcm_hw.c +be18c20e0197f25fe7b9e0268657a2271a69d216b89cb100f082fa5fcaad1e07 providers/implementations/ciphers/cipher_aes_gcm_hw_aesni.inc +26b55801b80128e60fa4cd4fb2b7a81a8741fc78142b0b670b09483ada592f0d providers/implementations/ciphers/cipher_aes_gcm_hw_vaes_avx512.inc +73e27d146a51c59abb0999889de5054dcec7d3ad9b47be70c9ef03f50ef527a6 
providers/implementations/ciphers/cipher_aes_hw.c 89de794c090192459d99d95bc4a422e7782e62192cd0fdb3bdef4128cfedee68 providers/implementations/ciphers/cipher_aes_hw_aesni.inc 0264d1ea3ece6f730b342586fb1fe00e3f0ff01e47d53f552864df986bf35573 providers/implementations/ciphers/cipher_aes_ocb.c 88138a1aff9705e608c0557653be92eb4de65b152555a2b79ec8b2a8fae73e8f providers/implementations/ciphers/cipher_aes_ocb.h -855869ab5a8d7a61a11674cfe5d503dfa67f59e7e393730835d1d8cf0ab85c70 providers/implementations/ciphers/cipher_aes_ocb_hw.c +06a116e0d790b6618c1403efb0f08af13d8f62e7ffd2be777251a49079d4a610 providers/implementations/ciphers/cipher_aes_ocb_hw.c a872195161ac6c3a2cb59c3d15b212e34bb7596a41712258f5d0b5e771e25239 providers/implementations/ciphers/cipher_aes_wrp.c 527ff9277b92606517ee7af13225a9d5fcffbbc36eb18bce39f59d594cbe4931 providers/implementations/ciphers/cipher_aes_xts.c c4a2499b214d7cf786dafaaee5c8c6963b3d5d1c27c144eec4b460f839074a3b providers/implementations/ciphers/cipher_aes_xts.h 281157d1da4d7285d878978e6d42d0d33b3a6bc16e3bc5b6879e39093a7d70da providers/implementations/ciphers/cipher_aes_xts_fips.c -f358c4121a8a223e2c6cf009fd28b8a195520279016462890214e8858880f632 providers/implementations/ciphers/cipher_aes_xts_hw.c +c05b9144577565675244ba2e795356797dec38fd480150131985e5e6f4d42e42 providers/implementations/ciphers/cipher_aes_xts_hw.c 46ba8271917b53fd8fdf77aee19cc326a219c950b94e043d6d118dcac25ad7ad providers/implementations/ciphers/cipher_cts.c 74640ce402acc704af72e055fb7f27e6aa8efd417babc56f710478e571d8631c providers/implementations/ciphers/cipher_cts.h fcc3bb0637864252402aaa9d543209909df9a39611127f777b168bc888498dc0 providers/implementations/ciphers/cipher_tdes.c 77709f7fc3f7c08986cd4f0ebf2ef6e44bacb975c1483ef444b3cf5e5071f9d6 providers/implementations/ciphers/cipher_tdes.h -9e07260067083c76d26eb0dd8a8bb4a8dac678812644ff88951a0661be70d9fd providers/implementations/ciphers/cipher_tdes_common.c +6fc41326c5f464f27b7d31c16d5ad7116d6244b99e242893f6c96d0c61f3639a 
providers/implementations/ciphers/cipher_tdes_common.c 50645122f08ef4891cd96cace833bd550be7f5278ab785515fd61fe8993c8c25 providers/implementations/ciphers/cipher_tdes_hw.c 6bb3c24bfd872e3b4c779b29e9f962348f6ae3effeb4f243c8ea66abefe8a4fa providers/implementations/ciphers/ciphercommon.c dd72ea861edf70b94197821ceb00e07165d550934a2e851d62afa5034b79f468 providers/implementations/ciphers/ciphercommon_block.c 
@@ -529,32 +542,32 @@ bb67eaa7a98494ca938726f9218213870fc97dd87b56bda950626cc794baf20b providers/impl 23fd89e3239e596c325a8c5d23eb1fe157a8d23aa4d90ed2c574bf06dfabd693 providers/implementations/ciphers/ciphercommon_hw.c c4b1cb143de15acc396ce2e03fdd165defd25ebc831de9cdfacf408ea883c666 providers/implementations/ciphers/ciphercommon_local.h 39b47b6ef9d71852964c26e07ef0e9b23f04c7493b1b16ba7c3dba7074b6b70d providers/implementations/digests/digestcommon.c -80551b53302d95faea257df3edbdbd02d48427ce42da2c4335f998456400d057 providers/implementations/digests/sha2_prov.c -de342d04be6af69037922d5c97bdc40c0c27f6740636e72786a765d0d8ad9173 providers/implementations/digests/sha3_prov.c -b5f94d597df72ca58486c59b2a70b4057d13f09528f861ed41a84b7125b54a82 providers/implementations/exchange/dh_exch.c -9c46dc0d859875fcc0bc3d61a7b610cd3520b1bf63718775c1124f54a1fe5f24 providers/implementations/exchange/ecdh_exch.c +5f41dd1bf77bd08d287a875f9d6e5a423bf286524694ae7ee133cdd03ee763c0 providers/implementations/digests/sha2_prov.c +d06fd84c0771176e847ad5ea546a1d77f7d9575cd8ce53c9913c7b422dab1b88 providers/implementations/digests/sha3_prov.c +966496fb90dc7506d518c9e5198e0eb89cdd8fd6f6dd27ef8707d1cd405e3f8c providers/implementations/exchange/dh_exch.c +f8692118f4b6c89258c62864b273ebdfce302662dfe4b7647701a4cd7c5419b5 providers/implementations/exchange/ecdh_exch.c 9bf87b8429398a6465c7e9f749a33b84974303a458736b56f3359b30726d3969 providers/implementations/exchange/ecx_exch.c 0cc02005660c5c340660123decac838c59b7460ef1003d9d50edc604cfd8e375 providers/implementations/exchange/kdf_exch.c -31d3dba3d2e6b043b0d14a74caf6bf1a6c550471fb992a495ab7d3337081a526 providers/implementations/include/prov/ciphercommon.h +a6f269ec18344e0d50fcd29dcc7304ca1548dc7d833739f39fcdb34b2300a8c3 providers/implementations/include/prov/ciphercommon.h 6dc876a1a785420e84210f085be6e4c7aca407ffb5433dbca4cd3f1c11bb7f06 providers/implementations/include/prov/ciphercommon_aead.h dd07797d61988fd4124cfb920616df672938da80649fac5977bfd061c981edc5 
providers/implementations/include/prov/ciphercommon_ccm.h 0c1e99d70155402a790e4de65923228c8df8ad970741caccfe8b513837457d7f providers/implementations/include/prov/ciphercommon_gcm.h b9a61ce951c1904d8315b1bb26c0ab0aaadb47e71d4ead5df0a891608c728c4b providers/implementations/include/prov/digestcommon.h -3e2558c36298cdb4fdaebe5a0cfa1dbbc78e0f60a9012f3a34e711cafb09c7b5 providers/implementations/include/prov/implementations.h +82087efa8777dc5417d934873ae4ef5feeca73dca12ad937fa4e437b2ea29de2 providers/implementations/include/prov/implementations.h 5f09fc71874b00419d71646714f21ebbdcceda277463b6f77d3d3ea6946914e8 providers/implementations/include/prov/kdfexchange.h c95ce5498e724b9b3d58e3c2f4723e7e3e4beb07f9bea9422e43182cbadb43af providers/implementations/include/prov/macsignature.h -29d1a112b799e1f45fdf8bcee8361c2ed67428c250c1cdf408a9fbb7ebf4cce1 providers/implementations/include/prov/names.h -2187713b446d8b6d24ee986748b941ac3e24292c71e07ff9fb53a33021decdda providers/implementations/include/prov/seeding.h -04f22d6afbad5a6e806cf3af9a25843ccfefb748e24d97a09830a1677706acd5 providers/implementations/kdfs/hkdf.c -a62e3af09f5af84dcf36f951ba4ac90ca1694adaf3747126186020b155f94186 providers/implementations/kdfs/kbkdf.c -e0644e727aacfea4da3cf2c4d2602d7ef0626ebb760b6467432ffd54d5fbb24d providers/implementations/kdfs/pbkdf2.c +0eaab474a7e8464cd22adb886295ee5afc46137c687b02af3d2ba5dd69a8da9c providers/implementations/include/prov/names.h +b9f8781167f274ccd8b643b3bb6c4e1108fb27b2aae588518261af9415228dae providers/implementations/include/prov/seeding.h +62968fa7586a7d4dcbc6f750d675c79dc8863948d55e7cac5b2a6c1d82ba5e88 providers/implementations/kdfs/hkdf.c +0b45ad30687ead5f6b2d712f154b560483fd136d496e82c36570468550eedb57 providers/implementations/kdfs/kbkdf.c +5cb7cf8c6387a73ea779aedd133ed14b7642f02569f414dde5aa973e2a38d5c9 providers/implementations/kdfs/pbkdf2.c c0778565abff112c0c5257329a7750ec4605e62f26cc36851fa1fbee6e03c70c providers/implementations/kdfs/pbkdf2.h 
abe2b0f3711eaa34846e155cffc9242e4051c45de896f747afd5ac9d87f637dc providers/implementations/kdfs/pbkdf2_fips.c -9cc42a4b0a8089e6d1be64637dbb9e41bd21ae5e3386022a27a8f29308ad25c9 providers/implementations/kdfs/sshkdf.c -8571556d77d10e8edc98212473a38f09632e3f19e9995dde89ee6c95f2e84ccf providers/implementations/kdfs/sskdf.c -589f6133799da80760e8bc3ab0191a341ab6d4d2706e92e6eb4a24b0250fefa6 providers/implementations/kdfs/tls1_prf.c -4d4a6d9a562d2dcfec941d3f113a544663b5ac2fbe4accd89ec70c1cc11751d0 providers/implementations/kdfs/x942kdf.c -6b6c776b12664164f3cb54c21df61e1c4477c7855d89431a16fb338cdae58d43 providers/implementations/kem/rsa_kem.c +13717d4f921787ab2b994ffb86d56aede9b3109bdf00c2a17baf6f53e11c4434 providers/implementations/kdfs/sshkdf.c +6a798e505555baa96ef302dc84f26aeb6920d355b0ad138eb3d17c63e7687234 providers/implementations/kdfs/sskdf.c +a66987548504bbe5bb81b80e7c1e190ab68abd852fb04f59ae40fd4e93160841 providers/implementations/kdfs/tls1_prf.c +1e5aaa6dc3bb52b0b5a07e662386b71e0e3ee7c83b9f15a4144ab24264c7431c providers/implementations/kdfs/x942kdf.c +8e8b9094c757c78638f60d7bde822a035adeecde11f9565cbd24c1322ec7e06b providers/implementations/kem/rsa_kem.c 37120f8a420de0e44b7dc1f31b50d59520e5318cf546e83684e0c3de5c7b76c5 providers/implementations/keymgmt/dh_kmgmt.c 2a4493c9e68f41d37d7ec69c272005c6df7b1a34db2d49663f52e836e4fd888c providers/implementations/keymgmt/dsa_kmgmt.c ed6825fb92d0ab30f9f858ee29dfa403caa22430cccf493f850f993fd03a975e providers/implementations/keymgmt/ec_kmgmt.c 
@@ -563,21 +576,21 @@ d77ece2494e6b12a6201a2806ee5fb24a6dc2fa3e1891a46012a870e0b781ab1 providers/impl 053a2be39a87f50b877ebdbbf799cf5faf8b2de33b04311d819d212ee1ea329b providers/implementations/keymgmt/kdf_legacy_kmgmt.c e30357311e4a3e1c78266af6315fd1fc99584bfb09f4a7cd0ddc7261cf1e17e1 providers/implementations/keymgmt/mac_legacy_kmgmt.c 96b47ba54dcbc05f7ee98c7f78df04e9671b6dbddbc85e3ea53e74ad04663e7a providers/implementations/keymgmt/rsa_kmgmt.c -aeb42590728ca87b916b8a3d337351b1c82ee0747213e5ce740c2350b3db7185 providers/implementations/macs/cmac_prov.c +d0eff68c72e177c3fe0c77bc8c38eded7e3ce41f72042e2c034c706a12284dd5 providers/implementations/macs/cmac_prov.c e69aa06f8f3c6f5a26702b9f44a844b8589b99dc0ee590953a29e8b9ef10acbe providers/implementations/macs/gmac_prov.c 895c8dc7235b9ad5ff893be0293cbc245a5455e8850195ac7d446646e4ea71d0 providers/implementations/macs/hmac_prov.c f75fbfe5348f93ad610da7d310f4e8fecf18c0549f27605da25d393c33e0edc2 providers/implementations/macs/kmac_prov.c -bf30274dd6b528ae913984775bd8f29c6c48c0ef06d464d0f738217727b7aa5c providers/implementations/rands/crngt.c -c7236e6e2e8adce14f8206da0ceef63c7974d4ba1a7dd71b94fa100cac6b46ba providers/implementations/rands/drbg.c +3034074f99b02db045f2ccecc8782322e876dad07a3c169bdb24168b6b1f8cbd providers/implementations/rands/crngt.c +d808df0b437582c6e8e0dcd94fe865b87cb2eeb4a8297d2d57e51d388f1b8d27 providers/implementations/rands/drbg.c bb5f8161a80d0d1a7ee919af2b167972b00afd62e326252ca6aa93101f315f19 providers/implementations/rands/drbg_ctr.c a05adc3f6d9d6f948e5ead75f0522ed3164cb5b2d301169242f3cb97c4a7fac3 providers/implementations/rands/drbg_hash.c 0876dfae991028c569631938946e458e6829cacf4cfb673d2b144ae50a3160bb providers/implementations/rands/drbg_hmac.c -fc43558964bdf12442d3f6ab6cc3e6849f7adb42f4d0123a1279819befcf71cb providers/implementations/rands/drbg_local.h +29a6f14ab8de430c71f7ee86d835809188fd3baea3ee48a7c6a48b6482b7722a providers/implementations/rands/drbg_local.h 
04339b66c10017229ef368cb48077f58a252ebfda9ab12b9f919e4149b1036ed providers/implementations/rands/test_rng.c -cafb9e6f54ad15889fcebddac6df61336bff7d78936f7de3bb5aab8aee5728d2 providers/implementations/signature/dsa_sig.c +6bb8ae1a0608746d42c7162a51e8245c5b9868be4c6e51bef30ae39ef06b60f3 providers/implementations/signature/dsa_sig.c a30dc6308de0ca33406e7ce909f3bcf7580fb84d863b0976b275839f866258df providers/implementations/signature/ecdsa_sig.c -02e833a767afbe98247d6f09dfb1eb5a5cf7304a93f2c5427a9f6af9c8a3b549 providers/implementations/signature/eddsa_sig.c +9a752462904fc50748c15cdab54262b0bf5e2a8220fbd718d93ccb60aa551fee providers/implementations/signature/eddsa_sig.c 3bb0f342b4cc1b4594ed0986adc47791c0a7b5c1ae7b1888c1fb5edb268a78d9 providers/implementations/signature/mac_legacy_sig.c -2334c8bba705032b8c1db5dd28e024a45a73b72cae82a2d815fe855445a49d10 providers/implementations/signature/rsa_sig.c +11ba748b9d9d985366257d3b182217009e7e4aa57c3b90907b1fe381dd492f23 providers/implementations/signature/rsa_sig.c a14e901b02fe095713624db4080b3aa3ca685d43f9ebec03041f992240973346 ssl/record/tls_pad.c 3f2e01a98d9e3fda6cc5cb4b44dd43f6cae4ec34994e8f734d11b1e643e58636 ssl/s3_cbc.c diff --git a/providers/fips.checksum b/providers/fips.checksum index 7f7abb3ea..2e179e877 100644 --- a/providers/fips.checksum +++ b/providers/fips.checksum @@ -1 +1 @@ -fd6bce79efec94a99e40c919e0a5ee392514b81cac01d4d46b5c76f27fb1b839 providers/fips-sources.checksums +7bac1a4c59283c7f287096ecf06a93856ae2f490ef3a6edeef3c6ac7cf7e0ede providers/fips-sources.checksums diff --git a/providers/fips.module.sources b/providers/fips.module.sources index 8861ceaca..1cbc62b22 100644 --- a/providers/fips.module.sources +++ b/providers/fips.module.sources 
@@ -10,6 +10,9 @@ crypto/aes/asm/aes-ia64.S
 crypto/aes/asm/aes-mips.pl
 crypto/aes/asm/aes-parisc.pl
 crypto/aes/asm/aes-ppc.pl
+crypto/aes/asm/aes-riscv32-zkn.pl
+crypto/aes/asm/aes-riscv64-zkn.pl
+crypto/aes/asm/aes-riscv64.pl
 crypto/aes/asm/aes-s390x.pl
 crypto/aes/asm/aes-sparcv9.pl
 crypto/aes/asm/aes-x86_64.pl
@@ -23,8 +26,10 @@ crypto/aes/asm/aesp8-ppc.pl
 crypto/aes/asm/aest4-sparcv9.pl
 crypto/aes/asm/aesv8-armx.pl
 crypto/aes/asm/bsaes-armv7.pl
+crypto/aes/asm/bsaes-armv8.pl
 crypto/aes/asm/bsaes-x86_64.pl
 crypto/aes/asm/vpaes-armv8.pl
+crypto/aes/asm/vpaes-loongarch64.pl
 crypto/aes/asm/vpaes-ppc.pl
 crypto/aes/asm/vpaes-x86.pl
 crypto/aes/asm/vpaes-x86_64.pl
@@ -45,8 +50,10 @@ crypto/bn/asm/ppc-mont.pl
 crypto/bn/asm/ppc.pl
 crypto/bn/asm/ppc64-mont-fixed.pl
 crypto/bn/asm/ppc64-mont.pl
+crypto/bn/asm/rsaz-2k-avx512.pl
+crypto/bn/asm/rsaz-3k-avx512.pl
+crypto/bn/asm/rsaz-4k-avx512.pl
 crypto/bn/asm/rsaz-avx2.pl
-crypto/bn/asm/rsaz-avx512.pl
 crypto/bn/asm/rsaz-x86_64.pl
 crypto/bn/asm/s390x-gf2m.pl
 crypto/bn/asm/s390x-mont.pl
@@ -223,13 +230,17 @@ crypto/initthread.c
 crypto/lhash/lhash.c
 crypto/lhash/lhash_local.h
 crypto/mem_clr.c
+crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl
 crypto/modes/asm/aes-gcm-armv8_64.pl
+crypto/modes/asm/aes-gcm-avx512.pl
+crypto/modes/asm/aes-gcm-ppc.pl
 crypto/modes/asm/aesni-gcm-x86_64.pl
 crypto/modes/asm/ghash-alpha.pl
 crypto/modes/asm/ghash-armv4.pl
 crypto/modes/asm/ghash-c64xplus.pl
 crypto/modes/asm/ghash-ia64.pl
 crypto/modes/asm/ghash-parisc.pl
+crypto/modes/asm/ghash-riscv64.pl
 crypto/modes/asm/ghash-s390x.pl
 crypto/modes/asm/ghash-sparcv9.pl
 crypto/modes/asm/ghash-x86.pl
@@ -336,12 +347,12 @@ crypto/threads_none.c
 crypto/threads_pthread.c
 crypto/threads_win.c
 crypto/x86_64cpuid.pl
-e_os.h
 include/crypto/aes_platform.h
 include/crypto/asn1_dsa.h
 include/crypto/bn.h
 include/crypto/bn_conf.h.in
 include/crypto/bn_dh.h
+include/crypto/context.h
 include/crypto/cryptlib.h
 include/crypto/ctype.h
 include/crypto/des_platform.h
@@ -368,6 +379,7 @@ include/internal/deprecated.h
 include/internal/der.h
 include/internal/dso.h
 include/internal/dsoerr.h
+include/internal/e_os.h
 include/internal/endian.h
 include/internal/ffc.h
 include/internal/namemap.h
@@ -504,6 +516,7 @@ providers/implementations/ciphers/cipher_aes_gcm.c
 providers/implementations/ciphers/cipher_aes_gcm.h
 providers/implementations/ciphers/cipher_aes_gcm_hw.c
 providers/implementations/ciphers/cipher_aes_gcm_hw_aesni.inc
+providers/implementations/ciphers/cipher_aes_gcm_hw_vaes_avx512.inc
 providers/implementations/ciphers/cipher_aes_hw.c
 providers/implementations/ciphers/cipher_aes_hw_aesni.inc
 providers/implementations/ciphers/cipher_aes_ocb.c
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 6a8803942..3457dfc57 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
@@ -21,7 +21,9 @@
 #include "prov/providercommon.h"
 #include "prov/provider_util.h"
 #include "prov/seeding.h"
+#include "internal/nelem.h"
 #include "self_test.h"
+#include "crypto/context.h"
 #include "internal/core.h"
 
 static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes";
@@ -36,11 +38,16 @@ static OSSL_FUNC_provider_gettable_params_fn fips_gettable_params; static OSSL_FUNC_provider_get_params_fn fips_get_params; static OSSL_FUNC_provider_query_operation_fn fips_query; -#define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK } +#define ALGC(NAMES, FUNC, CHECK) \ + { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK } +#define UNAPPROVED_ALGC(NAMES, FUNC, CHECK) \ + { { NAMES, FIPS_UNAPPROVED_PROPERTIES, FUNC }, CHECK } #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) +#define UNAPPROVED_ALG(NAMES, FUNC) UNAPPROVED_ALGC(NAMES, FUNC, NULL) extern OSSL_FUNC_core_thread_start_fn *c_thread_start; int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); +int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx); /* * Should these function pointers be stored in the provider side provctx? Could @@ -76,10 +83,12 @@ typedef struct fips_global_st { const OSSL_CORE_HANDLE *handle; SELF_TEST_POST_PARAMS selftest_params; int fips_security_checks; + int fips_tls1_prf_ems_check; const char *fips_security_check_option; + const char *fips_tls1_prf_ems_check_option; } FIPS_GLOBAL; -static void *fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) +void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) { FIPS_GLOBAL *fgbl = OPENSSL_zalloc(sizeof(*fgbl)); 
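Review bot: The two new FIPS_GLOBAL members `fips_tls1_prf_ems_check` and `fips_tls1_prf_ems_check_option` in the second hunk have no comment, and neither does the new `int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx);` prototype, so a reader has to find the config-parsing code further down to learn that one is the effective flag and the other the raw config string. I would put above the fields `/* TLS1 PRF extended-master-secret requirement (presumably RFC 7627); _option is the raw config value, _check the parsed flag */`, hedged until confirmed against the callers. `UNAPPROVED_ALGC` expands to `FIPS_UNAPPROVED_PROPERTIES`, which is not defined in any hunk shown here; if it lives elsewhere in the file, a one-line comment next to the macro naming the property string it selects would spare the reader a search. `ossl_fips_prov_ossl_ctx_new` loses `static` in this hunk without a visible prototype; the newly included `crypto/context.h` is presumably where it is declared, which the comment could say.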
@@ -88,21 +97,17 @@ static void *fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) fgbl->fips_security_checks = 1; fgbl->fips_security_check_option = "1"; + fgbl->fips_tls1_prf_ems_check = 0; /* Disabled by default */ + fgbl->fips_tls1_prf_ems_check_option = "0"; + return fgbl; } -static void fips_prov_ossl_ctx_free(void *fgbl) +void ossl_fips_prov_ossl_ctx_free(void *fgbl) { OPENSSL_free(fgbl); } -static const OSSL_LIB_CTX_METHOD fips_prov_ossl_ctx_method = { - OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, - fips_prov_ossl_ctx_new, - fips_prov_ossl_ctx_free, -}; - - /* Parameters we provide to the core */ static const OSSL_PARAM fips_param_types[] = { OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0), @@ -110,6 +115,7 @@ static const OSSL_PARAM fips_param_types[] = { OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0), OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0), OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SECURITY_CHECKS, OSSL_PARAM_INTEGER, NULL, 0), + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, OSSL_PARAM_INTEGER, NULL, 0), OSSL_PARAM_END }; @@ -120,9 +126,10 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl) * NOTE: inside core_get_params() these will be loaded from config items * stored inside prov->parameters (except for * OSSL_PROV_PARAM_CORE_MODULE_FILENAME). - * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS is not a self test parameter. + * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS and + * OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK are not self test parameters. */ - OSSL_PARAM core_params[8], *p = core_params; + OSSL_PARAM core_params[9], *p = core_params; *p++ = OSSL_PARAM_construct_utf8_ptr( OSSL_PROV_PARAM_CORE_MODULE_FILENAME, 
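Review bot: `OSSL_PARAM core_params[9]` in the last hunk is a hand-counted size: the `*p++ = OSSL_PARAM_construct_*` sequence that fills it (continued in the next hunk, where the ninth entry for `OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK` is added) never checks that `p` stays inside the array, so the next parameter added without bumping the count is a silent stack overwrite. With `internal/nelem.h` now included, a guard just before `*p = OSSL_PARAM_construct_end();` costs one line: `if (p - core_params >= (int)OSSL_NELEM(core_params)) return 0;`, or at least `/* must hold one slot per construct call below plus the end marker */` on the declaration. fips_get_params_from_core starts in this hunk and continues into the next.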
@@ -152,6 +159,10 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl) OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS, (char **)&fgbl->fips_security_check_option, sizeof(fgbl->fips_security_check_option)); + *p++ = OSSL_PARAM_construct_utf8_ptr( + OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK, + (char **)&fgbl->fips_tls1_prf_ems_check_option, + sizeof(fgbl->fips_tls1_prf_ems_check_option)); *p = OSSL_PARAM_construct_end(); if (!c_get_params(fgbl->handle, core_params)) { @@ -171,8 +182,7 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[]) { OSSL_PARAM *p; FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx), - OSSL_LIB_CTX_FIPS_PROV_INDEX, - &fips_prov_ossl_ctx_method); + OSSL_LIB_CTX_FIPS_PROV_INDEX); p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider")) @@ -189,6 +199,9 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[]) p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_SECURITY_CHECKS); if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_security_checks)) return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK); + if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_tls1_prf_ems_check)) + return 0; return 1; } @@ -209,8 +222,7 @@ static void set_self_test_cb(FIPS_GLOBAL *fgbl) static int fips_self_test(void *provctx) { FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx), - OSSL_LIB_CTX_FIPS_PROV_INDEX, - &fips_prov_ossl_ctx_method); + OSSL_LIB_CTX_FIPS_PROV_INDEX); set_self_test_cb(fgbl); return SELF_TEST_post(&fgbl->selftest_params, 1) ? 1 : 0; 
@@ -327,8 +339,8 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = { ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions, ossl_cipher_capable_aes_cbc_hmac_sha256), #ifndef OPENSSL_NO_DES - ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), - ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), + UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), + UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), #endif /* OPENSSL_NO_DES */ { { NULL, NULL, NULL }, NULL } }; @@ -391,8 +403,9 @@ static const OSSL_ALGORITHM fips_signature[] = { #endif { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions }, #ifndef OPENSSL_NO_EC - { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions }, - { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions }, + { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, + ossl_ed25519_signature_functions }, + { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions }, { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions }, #endif { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, @@ -436,9 +449,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = { PROV_DESCS_X25519 }, { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions, PROV_DESCS_X448 }, - { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_keymgmt_functions, + { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions, PROV_DESCS_ED25519 }, - { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_keymgmt_functions, + { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions, PROV_DESCS_ED448 }, #endif { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions, 
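Review bot: The move of TDES and Ed25519/Ed448 to `FIPS_UNAPPROVED_PROPERTIES` in all three hunks changes which algorithms a `fips=yes` property query resolves to, but nothing in the tables records why; a maintainer who sees the TDES KAT disappear from self_test_data.inc in the same commit has to reconstruct the link. A one-line comment above each group, e.g. `/* Not approved under the current validation: reachable only through the unapproved property set */`, would carry that intent with the code. On style, the Ed25519 signature entry is wrapped onto two lines while the Ed448 entry just below it stays on one line that runs past 80 columns; wrap both the same way.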
@@ -667,8 +680,7 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle, goto err; } - if ((fgbl = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_FIPS_PROV_INDEX, - &fips_prov_ossl_ctx_method)) == NULL) + if ((fgbl = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_FIPS_PROV_INDEX)) == NULL) goto err; fgbl->handle = handle; @@ -701,6 +713,11 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle, && strcmp(fgbl->fips_security_check_option, "0") == 0) fgbl->fips_security_checks = 0; + /* Enable the ems check if it's enabled in the fips config file. */ + if (fgbl->fips_tls1_prf_ems_check_option != NULL + && strcmp(fgbl->fips_tls1_prf_ems_check_option, "1") == 0) + fgbl->fips_tls1_prf_ems_check = 1; + ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers); if (!SELF_TEST_post(&fgbl->selftest_params, 0)) { @@ -813,8 +830,7 @@ int ERR_pop_to_mark(void) const OSSL_CORE_HANDLE *FIPS_get_core_handle(OSSL_LIB_CTX *libctx) { FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx, - OSSL_LIB_CTX_FIPS_PROV_INDEX, - &fips_prov_ossl_ctx_method); + OSSL_LIB_CTX_FIPS_PROV_INDEX); if (fgbl == NULL) return NULL; @@ -892,12 +908,19 @@ int BIO_snprintf(char *buf, size_t n, const char *format, ...) int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx) { FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx, - OSSL_LIB_CTX_FIPS_PROV_INDEX, - &fips_prov_ossl_ctx_method); + OSSL_LIB_CTX_FIPS_PROV_INDEX); return fgbl->fips_security_checks; } +int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx) +{ + FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx, + OSSL_LIB_CTX_FIPS_PROV_INDEX); + + return fgbl->fips_tls1_prf_ems_check; +} + void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb, void **cbarg) { diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c index 80d048a84..10804d9f5 100644 --- a/providers/fips/self_test.c +++ b/providers/fips/self_test.c 
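Review bot: `FIPS_tls_prf_ems_check()` in the last hunk dereferences `fgbl` without a NULL check, copying `FIPS_security_check_enabled()` just above it, whereas `FIPS_get_core_handle()` two hunks earlier guards the very same `ossl_lib_ctx_get_data()` result; if the lookup can fail, both accessors crash inside a key-derivation call instead of failing cleanly. I would add `if (fgbl == NULL) return 0;` to the new function, choosing the return value deliberately as the fail-safe default for that check, and give the older accessor the same treatment. Separately, the option parsing in the `@@ -701` hunk enables the check only for the literal string "1", so a misspelt config value silently leaves it disabled; the comment should say so, e.g. `/* Only the literal "1" enables the check; any other value leaves it disabled. */`. OSSL_provider_init_int begins and ends outside these hunks.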
@@ -15,7 +15,8 @@ #include #include #include -#include "e_os.h" +#include +#include "internal/e_os.h" #include "prov/providercommon.h" /* 
@@ -172,6 +173,64 @@ DEP_FINI_ATTRIBUTE void cleanup(void) } #endif +/* + * We need an explicit HMAC-SHA-256 KAT even though it is also + * checked as part of the KDF KATs. Refer IG 10.3. + */ +static const unsigned char hmac_kat_pt[] = { + 0xdd, 0x0c, 0x30, 0x33, 0x35, 0xf9, 0xe4, 0x2e, + 0xc2, 0xef, 0xcc, 0xbf, 0x07, 0x95, 0xee, 0xa2 +}; +static const unsigned char hmac_kat_key[] = { + 0xf4, 0x55, 0x66, 0x50, 0xac, 0x31, 0xd3, 0x54, + 0x61, 0x61, 0x0b, 0xac, 0x4e, 0xd8, 0x1b, 0x1a, + 0x18, 0x1b, 0x2d, 0x8a, 0x43, 0xea, 0x28, 0x54, + 0xcb, 0xae, 0x22, 0xca, 0x74, 0x56, 0x08, 0x13 +}; +static const unsigned char hmac_kat_digest[] = { + 0xf5, 0xf5, 0xe5, 0xf2, 0x66, 0x49, 0xe2, 0x40, + 0xfc, 0x9e, 0x85, 0x7f, 0x2b, 0x9a, 0xbe, 0x28, + 0x20, 0x12, 0x00, 0x92, 0x82, 0x21, 0x3e, 0x51, + 0x44, 0x5d, 0xe3, 0x31, 0x04, 0x01, 0x72, 0x6b +}; + +static int integrity_self_test(OSSL_SELF_TEST *ev, OSSL_LIB_CTX *libctx) +{ + int ok = 0; + unsigned char out[EVP_MAX_MD_SIZE]; + size_t out_len = 0; + + OSSL_PARAM params[2]; + EVP_MAC *mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); + EVP_MAC_CTX *ctx = EVP_MAC_CTX_new(mac); + + OSSL_SELF_TEST_onbegin(ev, OSSL_SELF_TEST_TYPE_KAT_INTEGRITY, + OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); + + params[0] = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0); + params[1] = OSSL_PARAM_construct_end(); + + if (ctx == NULL + || mac == NULL + || !EVP_MAC_init(ctx, hmac_kat_key, sizeof(hmac_kat_key), params) + || !EVP_MAC_update(ctx, hmac_kat_pt, sizeof(hmac_kat_pt)) + || !EVP_MAC_final(ctx, out, &out_len, MAX_MD_SIZE)) + goto err; + + /* Optional corruption */ + OSSL_SELF_TEST_oncorrupt_byte(ev, out); + + if (out_len != sizeof(hmac_kat_digest) + || memcmp(out, hmac_kat_digest, out_len) != 0) + goto err; + ok = 1; +err: + OSSL_SELF_TEST_onend(ev, ok); + EVP_MAC_free(mac); + EVP_MAC_CTX_free(ctx); + return ok; +} + /* * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify * the result matches the expected value. 
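Review bot: `integrity_self_test` calls `EVP_MAC_CTX_new(mac)` on the line after the fetch, while the `mac == NULL` test only comes in the `if` chain further down, so a failed `EVP_MAC_fetch` reaches EVP_MAC_CTX_new with a NULL pointer; unless that function is documented to tolerate NULL, `EVP_MAC_CTX *ctx = mac != NULL ? EVP_MAC_CTX_new(mac) : NULL;` closes the gap. The buffer is declared `out[EVP_MAX_MD_SIZE]` but `EVP_MAC_final` is bounded by `MAX_MD_SIZE`; if that is a file-local macro, declare the buffer with the same name so the bound and the buffer cannot drift apart. The three KAT arrays carry no note on their origin, unlike the PBKDF2 vectors in self_test_data.inc; a one-line pointer to the source of the vectors above `hmac_kat_pt` would make the test reproducible.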
@@ -190,6 +249,9 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex EVP_MAC_CTX *ctx = NULL; OSSL_PARAM params[2], *p = params; + if (!integrity_self_test(ev, libctx)) + goto err; + OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); @@ -246,6 +308,8 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) unsigned char *indicator_checksum = NULL; int loclstate; OSSL_SELF_TEST *ev = NULL; + EVP_RAND *testrand = NULL; + EVP_RAND_CTX *rng; if (!RUN_ONCE(&fips_self_test_init, do_fips_self_test_init)) return 0; @@ -355,8 +419,20 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) goto end; } } + + /* Verify that the RNG has been restored properly */ + testrand = EVP_RAND_fetch(st->libctx, "TEST-RAND", NULL); + if (testrand == NULL + || (rng = RAND_get0_private(st->libctx)) == NULL + || strcmp(EVP_RAND_get0_name(EVP_RAND_CTX_get0_rand(rng)), + EVP_RAND_get0_name(testrand)) == 0) { + ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); + goto end; + } + ok = 1; end: + EVP_RAND_free(testrand); OSSL_SELF_TEST_free(ev); OPENSSL_free(module_checksum); OPENSSL_free(indicator_checksum); diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc index 8ae8cd6f4..2057378d3 100644 --- a/providers/fips/self_test_data.inc +++ b/providers/fips/self_test_data.inc @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
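Review bot: The "RNG has been restored" check in the last hunk compares the private RNG's algorithm name with TEST-RAND's, but the DRBG that self_test_kats.c installs is a HASH-DRBG whose parent is the TEST-RAND, so as far as the visible code shows a leftover KAT DRBG would report "HASH-DRBG" and pass; only a TEST-RAND installed directly as the private RNG is caught. A check that matches what set_kat_drbg does would, for example, capture `RAND_get0_private(st->libctx)` before the KATs run and require the same pointer afterwards, or surface reset_original_drbg's result here; either way the comment should state what is being detected and why a deterministic private RNG left in place matters. The failure is also raised as PROV_R_SELF_TEST_KAT_FAILURE, which points an operator at the KAT vectors rather than at the RNG restore; use a more specific reason code if one exists. SELF_TEST_post starts outside this hunk.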
@@ -106,6 +106,12 @@ typedef struct st_kat_sign_st { const char *algorithm; const char *mdalgorithm; const ST_KAT_PARAM *key; + const unsigned char *entropy; + size_t entropy_len; + const unsigned char *nonce; + size_t nonce_len; + const unsigned char *persstr; + size_t persstr_len; const unsigned char *sig_expected; /* Set to NULL if this value changes */ size_t sig_expected_len; } ST_KAT_SIGN; @@ -235,19 +241,6 @@ static const unsigned char aes_128_ecb_ct[] = { }; static const ST_KAT_CIPHER st_kat_cipher_tests[] = { -#ifndef OPENSSL_NO_DES - { - { - OSSL_SELF_TEST_DESC_CIPHER_TDES, - "DES-EDE3-CBC", - ITM(des_ede3_cbc_pt), - ITM(des_ede3_cbc_ct) - }, - CIPHER_MODE_ENCRYPT | CIPHER_MODE_DECRYPT, - ITM(des_ede3_cbc_key), - ITM(des_ede3_cbc_iv), - }, -#endif { { OSSL_SELF_TEST_DESC_CIPHER_AES_GCM, 
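Review bot: The `/* Set to NULL if this value changes */` comment on `sig_expected` survives the first hunk, but the six new fields exist precisely so that the signature no longer changes between runs; the comment now points the wrong way, and `entropy`, `nonce` and `persstr` get no comment at all. I would replace it with `/* DRBG seed material so the signature is reproducible; sig_expected is then compared byte-for-byte */` on the new fields and drop the NULL remark. The TDES KAT removal in the second hunk is consistent with the algorithm's move to the unapproved property set in fipsprov.c, but nothing in this file says so; a one-line comment where the entry stood would save the next reader a bisect.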
@@ -361,19 +354,29 @@ static const ST_KAT_PARAM x963kdf_params[] = { }; static const char pbkdf2_digest[] = "SHA256"; +/* + * Input parameters from RFC 6070, vector 5 (because it is the only one with + * a salt >= 16 bytes, which NIST SP 800-132 section 5.1 requires). The + * expected output is taken from + * https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md, + * which ran these test vectors with SHA-256. + */ static const unsigned char pbkdf2_password[] = { - 0x70, 0x61, 0x73, 0x73, 0x00, 0x77, 0x6f, 0x72, - 0x64 + 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x50, 0x41, 0x53, 0x53, + 0x57, 0x4f, 0x52, 0x44, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64 }; static const unsigned char pbkdf2_salt[] = { - 0x73, 0x61, 0x00, 0x6c, 0x74 + 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74, + 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, + 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74 }; static const unsigned char pbkdf2_expected[] = { - 0x89, 0xb6, 0x9d, 0x05, 0x16, 0xf8, 0x29, 0x89, - 0x3c, 0x69, 0x62, 0x26, 0x65, 0x0a, 0x86, 0x87, + 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8, 0x14, 0xb8, + 0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18, + 0x1c }; static int pbkdf2_iterations = 4096; -static int pbkdf2_pkcs5 = 1; +static int pbkdf2_pkcs5 = 0; static const ST_KAT_PARAM pbkdf2_params[] = { ST_KAT_PARAM_UTF8STRING(OSSL_KDF_PARAM_DIGEST, pbkdf2_digest), ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_PASSWORD, pbkdf2_password), 
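Review bot: `pbkdf2_pkcs5` flips from 1 to 0 without a word, while the new block comment explains only the vector choice. If, as the KDF parameter documentation describes, pkcs5=0 turns on the SP 800-132 lower bounds on salt, iteration count and derived-key length, then the vector swap and the flag change are one decision and the comment should say so, e.g. extend it with `Run with pkcs5=0 so the KAT also exercises the SP 800-132 length checks the provider enforces.` It would also help to state that the 25-byte output and 4096 iterations were chosen to satisfy those bounds, so a future vector change keeps them.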
@@ -1396,6 +1399,16 @@ static const unsigned char ecd_prime_pub[] = { 0xc4, 0xb7, 0x33, 0x68, 0xe4, 0x24, 0xa9, 0x12, 0x82 }; +static const unsigned char ecdsa_prime_expected_sig[] = { + 0x30, 0x3d, 0x02, 0x1d, 0x00, 0xd2, 0x4a, 0xc9, + 0x4f, 0xaf, 0xdb, 0x62, 0xfc, 0x41, 0x4a, 0x81, + 0x2a, 0x9f, 0xcf, 0xa3, 0xda, 0xfe, 0xa3, 0x49, + 0xbd, 0xea, 0xbf, 0x2a, 0x51, 0xb4, 0x0b, 0xc3, + 0xbc, 0x02, 0x1c, 0x7f, 0x30, 0xb7, 0xad, 0xab, + 0x09, 0x6e, 0x3c, 0xad, 0x7f, 0xf9, 0x5e, 0xaa, + 0xe2, 0x38, 0xe5, 0x29, 0x16, 0xc4, 0xc8, 0x77, + 0xa1, 0xf8, 0x60, 0x77, 0x39, 0x7a, 0xec +}; static const ST_KAT_PARAM ecdsa_prime_key[] = { ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name), ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub), @@ -1421,6 +1434,17 @@ static const unsigned char ecd_bin_pub[] = { 0x02, 0xa8, 0xe9, 0x6f, 0x54, 0xfd, 0x3a, 0x6b, 0x99, 0xb6, 0x8f, 0x80, 0x46 }; +static const unsigned char ecdsa_bin_expected_sig[] = { + 0x30, 0x3f, 0x02, 0x1d, 0x08, 0x11, 0x7c, 0xcd, + 0xf4, 0xa1, 0x31, 0x9a, 0xc1, 0xfd, 0x50, 0x0e, + 0x5d, 0xa9, 0xb6, 0x0e, 0x95, 0x49, 0xe1, 0xbd, + 0x44, 0xe3, 0x5b, 0xa9, 0x35, 0x94, 0xa5, 0x2f, + 0xae, 0x02, 0x1e, 0x00, 0xe3, 0xba, 0xb8, 0x8f, + 0x4b, 0x05, 0x76, 0x88, 0x1e, 0x49, 0xd6, 0x62, + 0x76, 0xd3, 0x22, 0x4d, 0xa3, 0x7b, 0x04, 0xcc, + 0xfa, 0x7b, 0x41, 0x9b, 0x8c, 0xaf, 0x1b, 0x6d, + 0xbd +}; static const ST_KAT_PARAM ecdsa_bin_key[] = { ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_bin_curve_name), ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_bin_pub), 
@@ -1546,6 +1570,16 @@ static const unsigned char dsa_priv[] = { 0x66, 0x35, 0xba, 0xc3, 0x94, 0x23, 0x50, 0x5e, 0x40, 0x7e, 0x5c, 0xb7 }; +static const unsigned char dsa_expected_sig[] = { + 0x30, 0x3c, 0x02, 0x1c, 0x70, 0xa4, 0x77, 0xb6, + 0x02, 0xb5, 0xd3, 0x07, 0x21, 0x22, 0x2d, 0xe3, + 0x4f, 0x7d, 0xfd, 0xfd, 0x6b, 0x4f, 0x03, 0x27, + 0x4c, 0xd3, 0xb2, 0x8c, 0x7c, 0xc5, 0xc4, 0xdf, + 0x02, 0x1c, 0x11, 0x52, 0x65, 0x16, 0x9f, 0xbd, + 0x4c, 0xe5, 0xab, 0xb2, 0x01, 0xd0, 0x7a, 0x30, + 0x5c, 0xc5, 0xba, 0x22, 0xc6, 0x62, 0x7e, 0xa6, + 0x7d, 0x98, 0x96, 0xc9, 0x77, 0x00 +}; static const ST_KAT_PARAM dsa_key[] = { ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_FFC_P, dsa_p), @@ -1557,12 +1591,31 @@ static const ST_KAT_PARAM dsa_key[] = { }; #endif /* OPENSSL_NO_DSA */ +/* Hash DRBG inputs for signature KATs */ +static const unsigned char sig_kat_entropyin[] = { + 0x06, 0x6d, 0xc8, 0xce, 0x75, 0xb2, 0x89, 0x66, 0xa6, 0x85, 0x16, 0x3f, + 0xe2, 0xa4, 0xd4, 0x27, 0xfb, 0xdb, 0x61, 0x66, 0x50, 0x61, 0x6b, 0xa2, + 0x82, 0xfc, 0x33, 0x2b, 0x4e, 0x6f, 0x12, 0x20 +}; +static const unsigned char sig_kat_nonce[] = { + 0x55, 0x9f, 0x7c, 0x64, 0x89, 0x70, 0x83, 0xec, 0x2d, 0x73, 0x70, 0xd9, + 0xf0, 0xe5, 0x07, 0x1f +}; +static const unsigned char sig_kat_persstr[] = { + 0x88, 0x6f, 0x54, 0x9a, 0xad, 0x1a, 0xc6, 0x3d, 0x18, 0xcb, 0xcc, 0x66, + 0x85, 0xda, 0xa2, 0xc2, 0xf7, 0x9e, 0xb0, 0x89, 0x4c, 0xb4, 0xae, 0xf1, + 0xac, 0x54, 0x4f, 0xce, 0x57, 0xf1, 0x5e, 0x11 +}; + static const ST_KAT_SIGN st_kat_sign_tests[] = { { OSSL_SELF_TEST_DESC_SIGN_RSA, "RSA", "SHA-256", rsa_crt_key, + ITM(sig_kat_entropyin), + ITM(sig_kat_nonce), + ITM(sig_kat_persstr), ITM(rsa_expected_sig) }, #ifndef OPENSSL_NO_EC 
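Review bot: `sig_kat_entropyin`, `sig_kat_nonce` and `sig_kat_persstr` are shared by the RSA, ECDSA and DSA entries, and every expected signature in this and the two previous hunks (`dsa_expected_sig`, `ecdsa_prime_expected_sig`, `ecdsa_bin_expected_sig`) is valid only for exactly these seeds together with the HASH-DRBG/SHA256 instantiation in self_test_kats.c; `/* Hash DRBG inputs for signature KATs */` does not say that. I would extend it: `/* Seed material for the deterministic HASH-DRBG used by self_test_sign(); changing any byte here, the DRBG algorithm or its digest invalidates every *_expected_sig below. */`. The expected-signature arrays themselves carry no note on how they were produced; a pointer to the generating run would make them reproducible.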
@@ -1571,10 +1624,10 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = { "EC", "SHA-256", ecdsa_prime_key, - /* - * The ECDSA signature changes each time due to it using a random k. - * So there is no expected KAT for this case. - */ + ITM(sig_kat_entropyin), + ITM(sig_kat_nonce), + ITM(sig_kat_persstr), + ITM(ecdsa_prime_expected_sig) }, # ifndef OPENSSL_NO_EC2M { @@ -1582,10 +1635,10 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = { "EC", "SHA-256", ecdsa_bin_key, - /* - * The ECDSA signature changes each time due to it using a random k. - * So there is no expected KAT for this case. - */ + ITM(sig_kat_entropyin), + ITM(sig_kat_nonce), + ITM(sig_kat_persstr), + ITM(ecdsa_bin_expected_sig) }, # endif #endif /* OPENSSL_NO_EC */ @@ -1595,10 +1648,10 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = { "DSA", "SHA-256", dsa_key, - /* - * The DSA signature changes each time due to it using a random k. - * So there is no expected KAT for this case. - */ + ITM(sig_kat_entropyin), + ITM(sig_kat_nonce), + ITM(sig_kat_persstr), + ITM(dsa_expected_sig) }, #endif /* OPENSSL_NO_DSA */ }; diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c index ad896e40d..74ee25dcb 100644 --- a/providers/fips/self_test_kats.c +++ b/providers/fips/self_test_kats.c @@ -12,11 +12,18 @@ #include #include #include +#include #include "internal/cryptlib.h" #include "internal/nelem.h" #include "self_test.h" #include "self_test_data.inc" +static int set_kat_drbg(OSSL_LIB_CTX *ctx, + const unsigned char *entropy, size_t entropy_len, + const unsigned char *nonce, size_t nonce_len, + const unsigned char *persstr, size_t persstr_len); +static int reset_original_drbg(OSSL_LIB_CTX *ctx); + static int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) { 
@@ -437,7 +444,7 @@ static int self_test_ka(const ST_KAT_KAS *t, #endif /* !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) */ static int self_test_sign(const ST_KAT_SIGN *t, - OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) + OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) { int ret = 0; OSSL_PARAM *params = NULL, *params_sig = NULL; @@ -499,10 +506,6 @@ static int self_test_sign(const ST_KAT_SIGN *t, || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0) goto err; - /* - * Used by RSA, for other key types where the signature changes, we - * can only use the verify. - */ if (t->sig_expected != NULL && (siglen != t->sig_expected_len || memcmp(sig, t->sig_expected, t->sig_expected_len) != 0)) @@ -689,9 +692,16 @@ static int self_test_kas(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) { int i, ret = 1; - - for (i = 0; i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) { - if (!self_test_sign(&st_kat_sign_tests[i], st, libctx)) + const ST_KAT_SIGN *t; + + for (i = 0; ret && i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) { + t = st_kat_sign_tests + i; + if (!set_kat_drbg(libctx, t->entropy, t->entropy_len, + t->nonce, t->nonce_len, t->persstr, t->persstr_len)) + return 0; + if (!self_test_sign(t, st, libctx)) + ret = 0; + if (!reset_original_drbg(libctx)) ret = 0; } return ret; 
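Review bot: In `self_test_signatures` (last hunk) a `set_kat_drbg` failure returns 0 immediately while a `self_test_sign` failure only clears `ret` and still runs `reset_original_drbg`; that asymmetry is correct only because set_kat_drbg's own error path releases everything it touched, which a reader cannot see from here. A one-line comment on the early return, `/* set_kat_drbg cleans up after itself on failure; nothing to restore */`, makes that explicit. The `t->sig_expected != NULL` test two hunks up lost its explanatory comment; now that every table entry carries a deterministic expected signature, a replacement such as `/* With the KAT DRBG installed every entry has a fixed expected signature */` tells the next reader why the NULL case no longer occurs.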
@@ -723,3 +733,121 @@ int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) return ret; } + +/* + * Swap the library context DRBG for KAT testing + * + * In FIPS 140-3, the asymmetric POST must be a KAT, not a PCT. For DSA and ECDSA, + * the sign operation includes the random value 'k'. For a KAT to work, we + * have to have control of the DRBG to make sure it is in a "test" state, where + * its output is truly deterministic. + * + */ + +/* + * The default private DRBG of the library context, saved for the duration + * of KAT testing. + */ +static EVP_RAND_CTX *saved_rand = NULL; + +/* Replacement "random" source */ +static EVP_RAND_CTX *kat_rand = NULL; + +static int set_kat_drbg(OSSL_LIB_CTX *ctx, + const unsigned char *entropy, size_t entropy_len, + const unsigned char *nonce, size_t nonce_len, + const unsigned char *persstr, size_t persstr_len) { + EVP_RAND *rand; + unsigned int strength = 256; + EVP_RAND_CTX *parent_rand = NULL; + OSSL_PARAM drbg_params[3] = { + OSSL_PARAM_END, OSSL_PARAM_END, OSSL_PARAM_END + }; + + /* If not NULL, we didn't cleanup from last call: BAD */ + if (kat_rand != NULL || saved_rand != NULL) + return 0; + + rand = EVP_RAND_fetch(ctx, "TEST-RAND", NULL); + if (rand == NULL) + return 0; + + parent_rand = EVP_RAND_CTX_new(rand, NULL); + EVP_RAND_free(rand); + if (parent_rand == NULL) + goto err; + + drbg_params[0] = OSSL_PARAM_construct_uint(OSSL_RAND_PARAM_STRENGTH, &strength); + if (!EVP_RAND_CTX_set_params(parent_rand, drbg_params)) + goto err; + + rand = EVP_RAND_fetch(ctx, "HASH-DRBG", NULL); + if (rand == NULL) + goto err; + + kat_rand = EVP_RAND_CTX_new(rand, parent_rand); + EVP_RAND_free(rand); + if (kat_rand == NULL) + goto err; + + drbg_params[0] = OSSL_PARAM_construct_utf8_string("digest", "SHA256", 0); + if (!EVP_RAND_CTX_set_params(kat_rand, drbg_params)) + goto err; + + /* Instantiate the RNGs */ + drbg_params[0] = + OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_ENTROPY, + (void *)entropy, entropy_len); + 
drbg_params[1] = + OSSL_PARAM_construct_octet_string(OSSL_RAND_PARAM_TEST_NONCE, + (void *)nonce, nonce_len); + if (!EVP_RAND_instantiate(parent_rand, strength, 0, NULL, 0, drbg_params)) + goto err; + + EVP_RAND_CTX_free(parent_rand); + parent_rand = NULL; + + if (!EVP_RAND_instantiate(kat_rand, strength, 0, persstr, persstr_len, NULL)) + goto err; + + /* Update the library context DRBG */ + if ((saved_rand = RAND_get0_private(ctx)) != NULL) + /* Avoid freeing this since we replace it */ + if (!EVP_RAND_CTX_up_ref(saved_rand)) { + saved_rand = NULL; + goto err; + } + if (RAND_set0_private(ctx, kat_rand) > 0) { + /* Keeping a copy to verify zeroization */ + if (EVP_RAND_CTX_up_ref(kat_rand)) + return 1; + if (saved_rand != NULL) + RAND_set0_private(ctx, saved_rand); + } + + err: + EVP_RAND_CTX_free(parent_rand); + EVP_RAND_CTX_free(saved_rand); + EVP_RAND_CTX_free(kat_rand); + kat_rand = saved_rand = NULL; + return 0; +} + +static int reset_original_drbg(OSSL_LIB_CTX *ctx) { + int ret = 1; + + if (saved_rand != NULL) { + if (!RAND_set0_private(ctx, saved_rand)) + ret = 0; + saved_rand = NULL; + } + if (kat_rand != NULL) { + if (!EVP_RAND_uninstantiate(kat_rand) + || !EVP_RAND_verify_zeroization(kat_rand)) + ret = 0; + EVP_RAND_CTX_free(kat_rand); + kat_rand = NULL; + } + return ret; +} + diff --git a/providers/implementations/ciphers/build.info b/providers/implementations/ciphers/build.info index e4c5f4f05..b5d9d4f6c 100644 --- a/providers/implementations/ciphers/build.info +++ b/providers/implementations/ciphers/build.info @@ -105,7 +105,9 @@ ENDIF IF[{- !$disabled{sm4} -}] SOURCE[$SM4_GOAL]=\ - cipher_sm4.c cipher_sm4_hw.c + cipher_sm4.c cipher_sm4_hw.c \ + cipher_sm4_gcm.c cipher_sm4_gcm_hw.c \ + cipher_sm4_ccm.c cipher_sm4_ccm_hw.c ENDIF IF[{- !$disabled{ocb} -}] diff --git a/providers/implementations/ciphers/cipher_aes_ccm_hw.c b/providers/implementations/ciphers/cipher_aes_ccm_hw.c index 263d19028..5dbb74bdc 100644 
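Review bot: The recovery path in `set_kat_drbg` taken when `EVP_RAND_CTX_up_ref(kat_rand)` fails reinstalls `saved_rand` with `RAND_set0_private` and then falls into `err:`, where `EVP_RAND_CTX_free(saved_rand)` and `EVP_RAND_CTX_free(kat_rand)` run; if RAND_set0_private takes ownership of the context it is given and frees the one it replaces (as its name suggests), the library context is left holding a freed `saved_rand` and `kat_rand` is freed a second time. After the restore the pointers should be cleared so the cleanup does not touch what the library context now owns: `if (saved_rand != NULL) RAND_set0_private(ctx, saved_rand); saved_rand = kat_rand = NULL;`. In `reset_original_drbg`, a failing `RAND_set0_private` sets `saved_rand = NULL` without freeing the reference taken earlier, which leaks it. On style, both new functions put the opening brace on the signature line while every other function in this diff has it on its own line. set_kat_drbg begins in the previous line's portion of this hunk.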
--- a/providers/implementations/ciphers/cipher_aes_ccm_hw.c +++ b/providers/implementations/ciphers/cipher_aes_ccm_hw.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -61,6 +61,10 @@ static const PROV_CCM_HW aes_ccm = { # include "cipher_aes_ccm_hw_aesni.inc" #elif defined(SPARC_AES_CAPABLE) # include "cipher_aes_ccm_hw_t4.inc" +#elif defined(RV64I_ZKND_ZKNE_CAPABLE) +# include "cipher_aes_ccm_hw_rv64i_zknd_zkne.inc" +#elif defined(RV32I_ZBKB_ZKND_ZKNE_CAPABLE) && defined(RV32I_ZKND_ZKNE_CAPABLE) +# include "cipher_aes_ccm_hw_rv32i_zknd_zkne.inc" #else const PROV_CCM_HW *ossl_prov_aes_hw_ccm(size_t keybits) { diff --git a/providers/implementations/ciphers/cipher_aes_ccm_hw_rv32i_zknd_zkne.inc b/providers/implementations/ciphers/cipher_aes_ccm_hw_rv32i_zknd_zkne.inc new file mode 100644 index 000000000..345bc2faa --- /dev/null +++ b/providers/implementations/ciphers/cipher_aes_ccm_hw_rv32i_zknd_zkne.inc 
@@ -0,0 +1,60 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/*- + * RISC-V 32 ZKND ZKNE support for AES CCM. + * This file is included by cipher_aes_ccm_hw.c + */ + +static int ccm_rv32i_zknd_zkne_initkey(PROV_CCM_CTX *ctx, const unsigned char *key, + size_t keylen) +{ + PROV_AES_CCM_CTX *actx = (PROV_AES_CCM_CTX *)ctx; + + AES_HW_CCM_SET_KEY_FN(rv32i_zkne_set_encrypt_key, rv32i_zkne_encrypt, + NULL, NULL); + return 1; +} + +static int ccm_rv32i_zbkb_zknd_zkne_initkey(PROV_CCM_CTX *ctx, const unsigned char *key, + size_t keylen) +{ + PROV_AES_CCM_CTX *actx = (PROV_AES_CCM_CTX *)ctx; + + AES_HW_CCM_SET_KEY_FN(rv32i_zbkb_zkne_set_encrypt_key, rv32i_zkne_encrypt, + NULL, NULL); + return 1; +} + +static const PROV_CCM_HW rv32i_zknd_zkne_ccm = { + ccm_rv32i_zknd_zkne_initkey, + ossl_ccm_generic_setiv, + ossl_ccm_generic_setaad, + ossl_ccm_generic_auth_encrypt, + ossl_ccm_generic_auth_decrypt, + ossl_ccm_generic_gettag +}; + +static const PROV_CCM_HW rv32i_zbkb_zknd_zkne_ccm = { + ccm_rv32i_zbkb_zknd_zkne_initkey, + ossl_ccm_generic_setiv, + ossl_ccm_generic_setaad, + ossl_ccm_generic_auth_encrypt, + ossl_ccm_generic_auth_decrypt, + ossl_ccm_generic_gettag +}; + +const PROV_CCM_HW *ossl_prov_aes_hw_ccm(size_t keybits) +{ + if (RV32I_ZBKB_ZKND_ZKNE_CAPABLE) + return &rv32i_zbkb_zknd_zkne_ccm; + if (RV32I_ZKND_ZKNE_CAPABLE) + return &rv32i_zknd_zkne_ccm; + return &aes_ccm; +} diff --git a/providers/implementations/ciphers/cipher_aes_ccm_hw_rv64i_zknd_zkne.inc b/providers/implementations/ciphers/cipher_aes_ccm_hw_rv64i_zknd_zkne.inc new file mode 100644 index 000000000..2f23209d0 --- /dev/null +++ b/providers/implementations/ciphers/cipher_aes_ccm_hw_rv64i_zknd_zkne.inc 
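Review bot: Both init functions pass only the Zkne key schedule (`rv32i_zkne_set_encrypt_key`, `rv32i_zbkb_zkne_set_encrypt_key`) and `rv32i_zkne_encrypt` to `AES_HW_CCM_SET_KEY_FN`, although the file name, the `PROV_CCM_HW` names and the enabling macros all say ZKND as well; that is correct for CCM, which runs AES only in the forward direction, but nothing says so. I would put `/* CCM only uses the forward cipher (CTR + CBC-MAC), so only the Zkne key schedule is needed; Zknd is part of the capability macro but unused here */` above the first init function. The rv64i file in the next hunk has the same shape and would take the same comment.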
@@ -0,0 +1,37 @@ +/* + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/*- + * RISC-V 64 ZKND ZKNE support for AES CCM. + * This file is included by cipher_aes_ccm_hw.c + */ + +static int ccm_rv64i_zknd_zkne_initkey(PROV_CCM_CTX *ctx, const unsigned char *key, + size_t keylen) +{ + PROV_AES_CCM_CTX *actx = (PROV_AES_CCM_CTX *)ctx; + + AES_HW_CCM_SET_KEY_FN(rv64i_zkne_set_encrypt_key, rv64i_zkne_encrypt, + NULL, NULL); + return 1; +} + +static const PROV_CCM_HW rv64i_zknd_zkne_ccm = { + ccm_rv64i_zknd_zkne_initkey, + ossl_ccm_generic_setiv, + ossl_ccm_generic_setaad, + ossl_ccm_generic_auth_encrypt, + ossl_ccm_generic_auth_decrypt, + ossl_ccm_generic_gettag +}; + +const PROV_CCM_HW *ossl_prov_aes_hw_ccm(size_t keybits) +{ + return RV64I_ZKND_ZKNE_CAPABLE ? &rv64i_zknd_zkne_ccm : &aes_ccm; +} diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw.c b/providers/implementations/ciphers/cipher_aes_gcm_hw.c index 44fa9d4d7..145b207c4 100644 --- a/providers/implementations/ciphers/cipher_aes_gcm_hw.c +++ b/providers/implementations/ciphers/cipher_aes_gcm_hw.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -141,6 +141,12 @@ static const PROV_GCM_HW aes_gcm = {
 # include "cipher_aes_gcm_hw_t4.inc"
 #elif defined(AES_PMULL_CAPABLE) && defined(AES_GCM_ASM)
 # include "cipher_aes_gcm_hw_armv8.inc"
+#elif defined(PPC_AES_GCM_CAPABLE)
+# include "cipher_aes_gcm_hw_ppc.inc"
+#elif defined(RV64I_ZKND_ZKNE_CAPABLE)
+# include "cipher_aes_gcm_hw_rv64i_zknd_zkne.inc"
+#elif defined(RV32I_ZBKB_ZKND_ZKNE_CAPABLE) && defined(RV32I_ZKND_ZKNE_CAPABLE)
+# include "cipher_aes_gcm_hw_rv32i_zknd_zkne.inc"
 #else
 const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits)
 {
diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw_aesni.inc b/providers/implementations/ciphers/cipher_aes_gcm_hw_aesni.inc
index e6aa0479d..92f41b8cd 100644
--- a/providers/implementations/ciphers/cipher_aes_gcm_hw_aesni.inc
+++ b/providers/implementations/ciphers/cipher_aes_gcm_hw_aesni.inc
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -31,8 +31,17 @@ static const PROV_GCM_HW aesni_gcm = {
 ossl_gcm_one_shot
 };
 
+#include "cipher_aes_gcm_hw_vaes_avx512.inc"
+
 const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits)
 {
- return AESNI_CAPABLE ? &aesni_gcm : &aes_gcm;
+#ifdef VAES_GCM_ENABLED
+ if (ossl_vaes_vpclmulqdq_capable())
+ return &vaes_gcm;
+ else
+#endif
+ if (AESNI_CAPABLE)
+ return &aesni_gcm;
+ else
+ return &aes_gcm;
 }
-
diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw_armv8.inc b/providers/implementations/ciphers/cipher_aes_gcm_hw_armv8.inc
index 310f4470d..bdcf67071 100644
--- a/providers/implementations/ciphers/cipher_aes_gcm_hw_armv8.inc
+++ b/providers/implementations/ciphers/cipher_aes_gcm_hw_armv8.inc
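Review bot: The `else` placed directly before `#endif` in the new `ossl_prov_aes_hw_gcm` body makes the following `if (AESNI_CAPABLE)` attach to the VAES branch only when VAES_GCM_ENABLED is defined, so the control flow reads differently depending on the preprocessor; it works, but it is brittle under later edits. Since both VAES returns leave the function, the two `else` lines can be dropped and the tail written as the removed one-liner, `return AESNI_CAPABLE ? &aesni_gcm : &aes_gcm;`, leaving the `#ifdef` block self-contained. The new `#include "cipher_aes_gcm_hw_vaes_avx512.inc"` would also read better with a note such as `/* defines VAES_GCM_ENABLED and vaes_gcm on x86_64 builds only */`.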
@@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,7 +8,7 @@ */ /* - * Crypto extention support for AES GCM. + * Crypto extension support for AES GCM. * This file is included by cipher_aes_gcm_hw.c */ @@ -22,13 +22,25 @@ size_t armv8_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t switch(aes_key->rounds) { case 10: - aes_gcm_enc_128_kernel(in, align_bytes * 8, out, (uint64_t *)Xi, ivec, key); + if (IS_CPU_SUPPORT_UNROLL8_EOR3()) { + unroll8_eor3_aes_gcm_enc_128_kernel(in, align_bytes * 8, out, (uint64_t *)Xi, ivec, key); + } else { + aes_gcm_enc_128_kernel(in, align_bytes * 8, out, (uint64_t *)Xi, ivec, key); + } break; case 12: - aes_gcm_enc_192_kernel(in, align_bytes * 8, out, (uint64_t *)Xi, ivec, key); + if (IS_CPU_SUPPORT_UNROLL8_EOR3()) { + unroll8_eor3_aes_gcm_enc_192_kernel(in, align_bytes * 8, out, (uint64_t *)Xi, ivec, key); + } else { + aes_gcm_enc_192_kernel(in, align_bytes * 8, out, (uint64_t *)Xi, ivec, key); + } break; case 14: - aes_gcm_enc_256_kernel(in, align_bytes * 8, out, (uint64_t *)Xi, ivec, key); + if (IS_CPU_SUPPORT_UNROLL8_EOR3()) { + unroll8_eor3_aes_gcm_enc_256_kernel(in, align_bytes * 8, out, (uint64_t *)Xi, ivec, key); + } else { + aes_gcm_enc_256_kernel(in, align_bytes * 8, out, (uint64_t *)Xi, ivec, key); + } break; } return align_bytes; 
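Review bot: `IS_CPU_SUPPORT_UNROLL8_EOR3()` is now evaluated inside every `case` of the switch in `armv8_aes_gcm_encrypt`, and the same pattern is repeated in the `armv8_aes_gcm_decrypt` hunk that follows; hoisting it once before the switch, e.g. `const int unroll8 = IS_CPU_SUPPORT_UNROLL8_EOR3();`, would reduce the six copies to one check per call and also shorten the kernel call lines, which now run well past 80 columns. The function body starts before this hunk, so the new local would sit with the existing declarations. What the macro reads is not visible here, so whether the hoist is a measurable saving rather than only a readability gain is an assumption.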
@@ -44,13 +56,25 @@ size_t armv8_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t switch(aes_key->rounds) { case 10: - aes_gcm_dec_128_kernel(in, align_bytes * 8, out, (uint64_t *)Xi, ivec, key); + if (IS_CPU_SUPPORT_UNROLL8_EOR3()) { + unroll8_eor3_aes_gcm_dec_128_kernel(in, align_bytes * 8, out, (uint64_t *)Xi, ivec, key); + } else { + aes_gcm_dec_128_kernel(in, align_bytes * 8, out, (uint64_t *)Xi, ivec, key); + } break; case 12: - aes_gcm_dec_192_kernel(in, align_bytes * 8, out, (uint64_t *)Xi, ivec, key); + if (IS_CPU_SUPPORT_UNROLL8_EOR3()) { + unroll8_eor3_aes_gcm_dec_192_kernel(in, align_bytes * 8, out, (uint64_t *)Xi, ivec, key); + } else { + aes_gcm_dec_192_kernel(in, align_bytes * 8, out, (uint64_t *)Xi, ivec, key); + } break; case 14: - aes_gcm_dec_256_kernel(in, align_bytes * 8, out, (uint64_t *)Xi, ivec, key); + if (IS_CPU_SUPPORT_UNROLL8_EOR3()) { + unroll8_eor3_aes_gcm_dec_256_kernel(in, align_bytes * 8, out, (uint64_t *)Xi, ivec, key); + } else { + aes_gcm_dec_256_kernel(in, align_bytes * 8, out, (uint64_t *)Xi, ivec, key); + } break; } return align_bytes; diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc b/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc new file mode 100644 index 000000000..153eb7989 --- /dev/null +++ b/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc 
@@ -0,0 +1,155 @@ +/* + * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/*- + * PPC support for AES GCM. + * This file is included by cipher_aes_gcm_hw.c + */ + +static int aes_ppc_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key, + size_t keylen) +{ + PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx; + AES_KEY *ks = &actx->ks.ks; + + GCM_HW_SET_KEY_CTR_FN(ks, aes_p8_set_encrypt_key, aes_p8_encrypt, + aes_p8_ctr32_encrypt_blocks); + return 1; +} + +static inline u32 UTO32(unsigned char *buf) +{ + return ((u32) buf[0] << 24) | ((u32) buf[1] << 16) | ((u32) buf[2] << 8) | ((u32) buf[3]); +} + +static inline u32 add32TOU(unsigned char buf[4], u32 n) +{ + u32 r; + + r = UTO32(buf); + r += n; + buf[0] = (unsigned char) (r >> 24) & 0xFF; + buf[1] = (unsigned char) (r >> 16) & 0xFF; + buf[2] = (unsigned char) (r >> 8) & 0xFF; + buf[3] = (unsigned char) r & 0xFF; + return r; +} + +static size_t ppc_aes_gcm_crypt(const unsigned char *in, unsigned char *out, size_t len, + const void *key, unsigned char ivec[16], u64 *Xi, int encrypt) +{ + int s = 0; + int ndone = 0; + int ctr_reset = 0; + u64 blocks_unused; + u64 nb = len / 16; + u64 next_ctr = 0; + unsigned char ctr_saved[12]; + + memcpy(ctr_saved, ivec, 12); + + while (nb) { + blocks_unused = (u64) 0xffffffffU + 1 - (u64) UTO32 (ivec + 12); + if (nb > blocks_unused) { + len = blocks_unused * 16; + nb -= blocks_unused; + next_ctr = blocks_unused; + ctr_reset = 1; + } else { + len = nb * 16; + next_ctr = nb; + nb = 0; + } + + s = encrypt ? 
ppc_aes_gcm_encrypt(in, out, len, key, ivec, Xi) + : ppc_aes_gcm_decrypt(in, out, len, key, ivec, Xi); + + /* add counter to ivec */ + add32TOU(ivec + 12, (u32) next_ctr); + if (ctr_reset) { + ctr_reset = 0; + in += len; + out += len; + } + memcpy(ivec, ctr_saved, 12); + ndone += s; + } + + return ndone; +} + +static int ppc_aes_gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in, + size_t len, unsigned char *out) +{ + if (ctx->enc) { + if (ctx->ctr != NULL) { + size_t bulk = 0; + + if (len >= AES_GCM_ENC_BYTES && AES_GCM_ASM_PPC(ctx)) { + size_t res = (16 - ctx->gcm.mres) % 16; + + if (CRYPTO_gcm128_encrypt(&ctx->gcm, in, out, res)) + return 0; + + bulk = ppc_aes_gcm_crypt(in + res, out + res, len - res, + ctx->gcm.key, + ctx->gcm.Yi.c, ctx->gcm.Xi.u, 1); + + ctx->gcm.len.u[1] += bulk; + bulk += res; + } + if (CRYPTO_gcm128_encrypt_ctr32(&ctx->gcm, in + bulk, out + bulk, + len - bulk, ctx->ctr)) + return 0; + } else { + if (CRYPTO_gcm128_encrypt(&ctx->gcm, in, out, len)) + return 0; + } + } else { + if (ctx->ctr != NULL) { + size_t bulk = 0; + + if (len >= AES_GCM_DEC_BYTES && AES_GCM_ASM_PPC(ctx)) { + size_t res = (16 - ctx->gcm.mres) % 16; + + if (CRYPTO_gcm128_decrypt(&ctx->gcm, in, out, res)) + return -1; + + bulk = ppc_aes_gcm_crypt(in + res, out + res, len - res, + ctx->gcm.key, + ctx->gcm.Yi.c, ctx->gcm.Xi.u, 0); + + ctx->gcm.len.u[1] += bulk; + bulk += res; + } + if (CRYPTO_gcm128_decrypt_ctr32(&ctx->gcm, in + bulk, out + bulk, + len - bulk, ctx->ctr)) + return 0; + } else { + if (CRYPTO_gcm128_decrypt(&ctx->gcm, in, out, len)) + return 0; + } + } + return 1; +} + +static const PROV_GCM_HW aes_ppc_gcm = { + aes_ppc_gcm_initkey, + ossl_gcm_setiv, + ossl_gcm_aad_update, + ppc_aes_gcm_cipher_update, + ossl_gcm_cipher_final, + ossl_gcm_one_shot +}; + +const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits) +{ + return PPC_AES_GCM_CAPABLE ? &aes_ppc_gcm : &aes_gcm; +} + 
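Review bot: In `ppc_aes_gcm_cipher_update` the decrypt path returns `-1` when `CRYPTO_gcm128_decrypt` fails on the leading partial block, while every other failure in the function returns 0; the caller presumably tests the result against zero, in which case -1 reads as success, so this should be `return 0;` to match the encrypt path. In `ppc_aes_gcm_crypt`, `s` and `ndone` are declared `int` but accumulate byte counts that are returned from a `size_t` function, so very large inputs would be truncated; `size_t s = 0, ndone = 0;` avoids the narrowing. The counter-wrap loop would also benefit from a comment on why `in`/`out` are only advanced on the `ctr_reset` path, e.g. `/* only the wrap case loops again; otherwise nb is 0 and the offsets are no longer needed */`.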
diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw_rv32i_zknd_zkne.inc b/providers/implementations/ciphers/cipher_aes_gcm_hw_rv32i_zknd_zkne.inc
new file mode 100644
index 000000000..dd5878736
--- /dev/null
+++ b/providers/implementations/ciphers/cipher_aes_gcm_hw_rv32i_zknd_zkne.inc
@@ -0,0 +1,63 @@
+/*
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * RISC-V 32 ZKND ZKNE support for AES GCM.
+ * This file is included by cipher_aes_gcm_hw.c
+ */
+
+static int rv32i_zknd_zkne_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key,
+ size_t keylen)
+{
+ PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+ AES_KEY *ks = &actx->ks.ks;
+
+ GCM_HW_SET_KEY_CTR_FN(ks, rv32i_zkne_set_encrypt_key, rv32i_zkne_encrypt,
+ NULL);
+ return 1;
+}
+
+static int rv32i_zbkb_zknd_zkne_gcm_initkey(PROV_GCM_CTX *ctx,
+ const unsigned char *key,
+ size_t keylen)
+{
+ PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+ AES_KEY *ks = &actx->ks.ks;
+
+ GCM_HW_SET_KEY_CTR_FN(ks, rv32i_zbkb_zkne_set_encrypt_key, rv32i_zkne_encrypt,
+ NULL);
+ return 1;
+}
+
+static const PROV_GCM_HW rv32i_zknd_zkne_gcm = {
+ rv32i_zknd_zkne_gcm_initkey,
+ ossl_gcm_setiv,
+ ossl_gcm_aad_update,
+ generic_aes_gcm_cipher_update,
+ ossl_gcm_cipher_final,
+ ossl_gcm_one_shot
+};
+
+static const PROV_GCM_HW rv32i_zbkb_zknd_zkne_gcm = {
+ rv32i_zbkb_zknd_zkne_gcm_initkey,
+ ossl_gcm_setiv,
+ ossl_gcm_aad_update,
+ generic_aes_gcm_cipher_update,
+ ossl_gcm_cipher_final,
+ ossl_gcm_one_shot
+};
+
+const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits)
+{
+ if (RV32I_ZBKB_ZKND_ZKNE_CAPABLE)
+ return &rv32i_zbkb_zknd_zkne_gcm;
+ if (RV32I_ZKND_ZKNE_CAPABLE)
+ return &rv32i_zknd_zkne_gcm;
+ return &aes_gcm;
+}
diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw_rv64i_zknd_zkne.inc b/providers/implementations/ciphers/cipher_aes_gcm_hw_rv64i_zknd_zkne.inc
new file mode 100644
index 000000000..44325d846
--- /dev/null
+++ b/providers/implementations/ciphers/cipher_aes_gcm_hw_rv64i_zknd_zkne.inc
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * RISC-V 64 ZKND ZKNE support for AES GCM.
+ * This file is included by cipher_aes_gcm_hw.c
+ */
+
+static int rv64i_zknd_zkne_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key,
+ size_t keylen)
+{
+ PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
+ AES_KEY *ks = &actx->ks.ks;
+ GCM_HW_SET_KEY_CTR_FN(ks, rv64i_zkne_set_encrypt_key, rv64i_zkne_encrypt,
+ NULL);
+ return 1;
+}
+
+static const PROV_GCM_HW rv64i_zknd_zkne_gcm = {
+ rv64i_zknd_zkne_gcm_initkey,
+ ossl_gcm_setiv,
+ ossl_gcm_aad_update,
+ generic_aes_gcm_cipher_update,
+ ossl_gcm_cipher_final,
+ ossl_gcm_one_shot
+};
+
+const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits)
+{
+ if (RV64I_ZKND_ZKNE_CAPABLE)
+ return &rv64i_zknd_zkne_gcm;
+ else
+ return &aes_gcm;
+}
diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw_vaes_avx512.inc b/providers/implementations/ciphers/cipher_aes_gcm_hw_vaes_avx512.inc
new file mode 100644
index 000000000..ef1867797
--- /dev/null
+++ b/providers/implementations/ciphers/cipher_aes_gcm_hw_vaes_avx512.inc
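Review bot: In `rv64i_zknd_zkne_gcm_initkey` the `GCM_HW_SET_KEY_CTR_FN` invocation follows the `AES_KEY *ks` declaration with no blank line, unlike the rv32i counterpart in the previous file, and `ossl_prov_aes_hw_gcm` carries a redundant `else` after a `return`. Both are style only; the CCM counterpart of this file uses the ternary form, and `return RV64I_ZKND_ZKNE_CAPABLE ? &rv64i_zknd_zkne_gcm : &aes_gcm;` would keep the two consistent.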
@@ -0,0 +1,205 @@ +/* + * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2021, Intel Corporation. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/*- + * AVX512 VAES + VPCLMULDQD support for AES GCM. + * This file is included by cipher_aes_gcm_hw_aesni.inc + */ + +#undef VAES_GCM_ENABLED +#if (defined(__x86_64) || defined(__x86_64__) || \ + defined(_M_AMD64) || defined(_M_X64)) +# define VAES_GCM_ENABLED + +/* Returns non-zero when AVX512F + VAES + VPCLMULDQD combination is available */ +int ossl_vaes_vpclmulqdq_capable(void); + +# define OSSL_AES_GCM_UPDATE(direction) \ + void ossl_aes_gcm_ ## direction ## _avx512(const void *ks, \ + void *gcm128ctx, \ + unsigned int *pblocklen, \ + const unsigned char *in, \ + size_t len, \ + unsigned char *out); + +OSSL_AES_GCM_UPDATE(encrypt) +OSSL_AES_GCM_UPDATE(decrypt) + +void ossl_aes_gcm_init_avx512(const void *ks, void *gcm128ctx); +void ossl_aes_gcm_setiv_avx512(const void *ks, void *gcm128ctx, + const unsigned char *iv, size_t ivlen); +void ossl_aes_gcm_update_aad_avx512(void *gcm128ctx, const unsigned char *aad, + size_t aadlen); +void ossl_aes_gcm_finalize_avx512(void *gcm128ctx, unsigned int pblocklen); + +void ossl_gcm_gmult_avx512(u64 Xi[2], const void *gcm128ctx); + +static int vaes_gcm_setkey(PROV_GCM_CTX *ctx, const unsigned char *key, + size_t keylen) +{ + GCM128_CONTEXT *gcmctx = &ctx->gcm; + PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx; + AES_KEY *ks = &actx->ks.ks; + + ctx->ks = ks; + aesni_set_encrypt_key(key, keylen * 8, ks); + memset(gcmctx, 0, sizeof(*gcmctx)); + gcmctx->key = ks; + ctx->key_set = 1; + + ossl_aes_gcm_init_avx512(ks, gcmctx); + + return 1; +} + +static int vaes_gcm_setiv(PROV_GCM_CTX *ctx, const unsigned char 
*iv, + size_t ivlen) +{ + GCM128_CONTEXT *gcmctx = &ctx->gcm; + + gcmctx->Yi.u[0] = 0; /* Current counter */ + gcmctx->Yi.u[1] = 0; + gcmctx->Xi.u[0] = 0; /* AAD hash */ + gcmctx->Xi.u[1] = 0; + gcmctx->len.u[0] = 0; /* AAD length */ + gcmctx->len.u[1] = 0; /* Message length */ + gcmctx->ares = 0; + gcmctx->mres = 0; + + /* IV is limited by 2^64 bits, thus 2^61 bytes */ + if (ivlen > (U64(1) << 61)) + return 0; + + ossl_aes_gcm_setiv_avx512(ctx->ks, gcmctx, iv, ivlen); + + return 1; +} + +static int vaes_gcm_aadupdate(PROV_GCM_CTX *ctx, + const unsigned char *aad, + size_t aad_len) +{ + GCM128_CONTEXT *gcmctx = &ctx->gcm; + u64 alen = gcmctx->len.u[0]; + unsigned int ares; + size_t i, lenBlks; + + /* Bad sequence: call of AAD update after message processing */ + if (gcmctx->len.u[1] > 0) + return 0; + + alen += aad_len; + /* AAD is limited by 2^64 bits, thus 2^61 bytes */ + if ((alen > (U64(1) << 61)) || (alen < aad_len)) + return 0; + + gcmctx->len.u[0] = alen; + + ares = gcmctx->ares; + /* Partial AAD block left from previous AAD update calls */ + if (ares > 0) { + /* + * Fill partial block buffer till full block + * (note, the hash is stored reflected) + */ + while (ares > 0 && aad_len > 0) { + gcmctx->Xi.c[15 - ares] ^= *(aad++); + --aad_len; + ares = (ares + 1) % AES_BLOCK_SIZE; + } + /* Full block gathered */ + if (ares == 0) { + ossl_gcm_gmult_avx512(gcmctx->Xi.u, gcmctx); + } else { /* no more AAD */ + gcmctx->ares = ares; + return 1; + } + } + + /* Bulk AAD processing */ + lenBlks = aad_len & ((size_t)(-AES_BLOCK_SIZE)); + if (lenBlks > 0) { + ossl_aes_gcm_update_aad_avx512(gcmctx, aad, lenBlks); + aad += lenBlks; + aad_len -= lenBlks; + } + + /* Add remaining AAD to the hash (note, the hash is stored reflected) */ + if (aad_len > 0) { + ares = aad_len; + for (i = 0; i < aad_len; i++) + gcmctx->Xi.c[15 - i] ^= aad[i]; + } + + gcmctx->ares = ares; + + return 1; +} + +static int vaes_gcm_cipherupdate(PROV_GCM_CTX *ctx, const unsigned char *in, + size_t len, 
unsigned char *out) +{ + GCM128_CONTEXT *gcmctx = &ctx->gcm; + u64 mlen = gcmctx->len.u[1]; + + mlen += len; + if (mlen > ((U64(1) << 36) - 32) || (mlen < len)) + return 0; + + gcmctx->len.u[1] = mlen; + + /* Finalize GHASH(AAD) if AAD partial blocks left unprocessed */ + if (gcmctx->ares > 0) { + ossl_gcm_gmult_avx512(gcmctx->Xi.u, gcmctx); + gcmctx->ares = 0; + } + + if (ctx->enc) + ossl_aes_gcm_encrypt_avx512(ctx->ks, gcmctx, &gcmctx->mres, in, len, out); + else + ossl_aes_gcm_decrypt_avx512(ctx->ks, gcmctx, &gcmctx->mres, in, len, out); + + return 1; +} + +static int vaes_gcm_cipherfinal(PROV_GCM_CTX *ctx, unsigned char *tag) +{ + GCM128_CONTEXT *gcmctx = &ctx->gcm; + unsigned int *res = &gcmctx->mres; + + /* Finalize AAD processing */ + if (gcmctx->ares > 0) + res = &gcmctx->ares; + + ossl_aes_gcm_finalize_avx512(gcmctx, *res); + + if (ctx->enc) { + ctx->taglen = GCM_TAG_MAX_SIZE; + memcpy(tag, gcmctx->Xi.c, + ctx->taglen <= sizeof(gcmctx->Xi.c) ? ctx->taglen : + sizeof(gcmctx->Xi.c)); + *res = 0; + } else { + return !CRYPTO_memcmp(gcmctx->Xi.c, tag, ctx->taglen); + } + + return 1; +} + +static const PROV_GCM_HW vaes_gcm = { + vaes_gcm_setkey, + vaes_gcm_setiv, + vaes_gcm_aadupdate, + vaes_gcm_cipherupdate, + vaes_gcm_cipherfinal, + ossl_gcm_one_shot +}; + +#endif diff --git a/providers/implementations/ciphers/cipher_aes_hw.c b/providers/implementations/ciphers/cipher_aes_hw.c index 596cdba8d..074d04d87 100644 --- a/providers/implementations/ciphers/cipher_aes_hw.c +++ b/providers/implementations/ciphers/cipher_aes_hw.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
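Review bot: In `vaes_gcm_cipherfinal` the length expression passed to `memcpy` is dead: `ctx->taglen` has just been assigned `GCM_TAG_MAX_SIZE` on the line above, so the comparison with `sizeof(gcmctx->Xi.c)` can only pick the other operand if those two constants differ, which they presumably do not; either copy `ctx->taglen` directly or replace the guard with a compile-time check on the constants. The `res` selection above it deserves a comment, because it silently relies on `vaes_gcm_cipherupdate` folding any pending AAD block and zeroing `ares`, and on `vaes_gcm_aadupdate` rejecting AAD once message bytes have been counted: `/* ares and mres are never both non-zero here: cipherupdate folds a partial AAD block before it processes data */`. Whether that also holds for a zero-length cipherupdate call is worth confirming, since `len.u[1]` stays 0 in that case.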
@@ -142,6 +142,10 @@ const PROV_CIPHER_HW *ossl_prov_cipher_hw_aes_##mode(size_t keybits) \
 # include "cipher_aes_hw_t4.inc"
 #elif defined(S390X_aes_128_CAPABLE)
 # include "cipher_aes_hw_s390x.inc"
+#elif defined(RV64I_ZKND_ZKNE_CAPABLE)
+# include "cipher_aes_hw_rv64i_zknd_zkne.inc"
+#elif defined(RV32I_ZBKB_ZKND_ZKNE_CAPABLE) && defined(RV32I_ZKND_ZKNE_CAPABLE)
+# include "cipher_aes_hw_rv32i_zknd_zkne.inc"
 #else
 /* The generic case */
 # define PROV_CIPHER_HW_declare(mode)
diff --git a/providers/implementations/ciphers/cipher_aes_hw_rv32i_zknd_zkne.inc b/providers/implementations/ciphers/cipher_aes_hw_rv32i_zknd_zkne.inc
new file mode 100644
index 000000000..d3173fa40
--- /dev/null
+++ b/providers/implementations/ciphers/cipher_aes_hw_rv32i_zknd_zkne.inc
@@ -0,0 +1,102 @@
+/*
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * RISC-V 32 ZKND ZKNE support for AES modes ecb, cbc, ofb, cfb, ctr.
+ * This file is included by cipher_aes_hw.c
+ */
+
+#define cipher_hw_rv32i_zknd_zkne_cbc ossl_cipher_hw_generic_cbc
+#define cipher_hw_rv32i_zknd_zkne_ecb ossl_cipher_hw_generic_ecb
+#define cipher_hw_rv32i_zknd_zkne_ofb128 ossl_cipher_hw_generic_ofb128
+#define cipher_hw_rv32i_zknd_zkne_cfb128 ossl_cipher_hw_generic_cfb128
+#define cipher_hw_rv32i_zknd_zkne_cfb8 ossl_cipher_hw_generic_cfb8
+#define cipher_hw_rv32i_zknd_zkne_cfb1 ossl_cipher_hw_generic_cfb1
+#define cipher_hw_rv32i_zknd_zkne_ctr ossl_cipher_hw_generic_ctr
+
+#define cipher_hw_rv32i_zbkb_zknd_zkne_cbc ossl_cipher_hw_generic_cbc
+#define cipher_hw_rv32i_zbkb_zknd_zkne_ecb ossl_cipher_hw_generic_ecb
+#define cipher_hw_rv32i_zbkb_zknd_zkne_ofb128 ossl_cipher_hw_generic_ofb128
+#define cipher_hw_rv32i_zbkb_zknd_zkne_cfb128 ossl_cipher_hw_generic_cfb128
+#define cipher_hw_rv32i_zbkb_zknd_zkne_cfb8 ossl_cipher_hw_generic_cfb8
+#define cipher_hw_rv32i_zbkb_zknd_zkne_cfb1 ossl_cipher_hw_generic_cfb1
+#define cipher_hw_rv32i_zbkb_zknd_zkne_ctr ossl_cipher_hw_generic_ctr
+
+static int cipher_hw_rv32i_zknd_zkne_initkey(PROV_CIPHER_CTX *dat,
+ const unsigned char *key, size_t keylen)
+{
+ int ret;
+ PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+ AES_KEY *ks = &adat->ks.ks;
+
+ dat->ks = ks;
+
+ if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
+ && !dat->enc) {
+ ret = rv32i_zknd_zkne_set_decrypt_key(key, keylen * 8, ks);
+ dat->block = (block128_f) rv32i_zknd_decrypt;
+ dat->stream.cbc = NULL;
+ } else {
+ ret = rv32i_zkne_set_encrypt_key(key, keylen * 8, ks);
+ 
dat->block = (block128_f) rv32i_zkne_encrypt;
+ dat->stream.cbc = NULL;
+ }
+
+ if (ret < 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SETUP_FAILED);
+ return 0;
+ }
+
+ return 1;
+}
+
+static int cipher_hw_rv32i_zbkb_zknd_zkne_initkey(PROV_CIPHER_CTX *dat,
+ const unsigned char *key, size_t keylen)
+{
+ int ret;
+ PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+ AES_KEY *ks = &adat->ks.ks;
+
+ dat->ks = ks;
+
+ if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
+ && !dat->enc) {
+ ret = rv32i_zbkb_zknd_zkne_set_decrypt_key(key, keylen * 8, ks);
+ dat->block = (block128_f) rv32i_zknd_decrypt;
+ dat->stream.cbc = NULL;
+ } else {
+ ret = rv32i_zbkb_zkne_set_encrypt_key(key, keylen * 8, ks);
+ dat->block = (block128_f) rv32i_zkne_encrypt;
+ dat->stream.cbc = NULL;
+ }
+
+ if (ret < 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SETUP_FAILED);
+ return 0;
+ }
+
+ return 1;
+}
+
+#define PROV_CIPHER_HW_declare(mode) \
+static const PROV_CIPHER_HW rv32i_zknd_zkne_##mode = { \
+ cipher_hw_rv32i_zknd_zkne_initkey, \
+ cipher_hw_rv32i_zknd_zkne_##mode, \
+ cipher_hw_aes_copyctx \
+}; \
+static const PROV_CIPHER_HW rv32i_zbkb_zknd_zkne_##mode = { \
+ cipher_hw_rv32i_zbkb_zknd_zkne_initkey, \
+ cipher_hw_rv32i_zbkb_zknd_zkne_##mode, \
+ cipher_hw_aes_copyctx \
+};
+#define PROV_CIPHER_HW_select(mode) \
+if (RV32I_ZBKB_ZKND_ZKNE_CAPABLE) \
+ return &rv32i_zbkb_zknd_zkne_##mode; \
+if (RV32I_ZKND_ZKNE_CAPABLE) \
+ return &rv32i_zknd_zkne_##mode;
diff --git a/providers/implementations/ciphers/cipher_aes_hw_rv64i_zknd_zkne.inc b/providers/implementations/ciphers/cipher_aes_hw_rv64i_zknd_zkne.inc
new file mode 100644
index 000000000..762d211ef
--- /dev/null
+++ b/providers/implementations/ciphers/cipher_aes_hw_rv64i_zknd_zkne.inc
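Review bot: `cipher_hw_rv32i_zknd_zkne_initkey` and `cipher_hw_rv32i_zbkb_zknd_zkne_initkey` are identical apart from the two key-schedule functions they call, and `dat->stream.cbc = NULL;` is repeated in both branches of each. A small static helper taking the encrypt- and decrypt-schedule function pointers as parameters, called from two thin wrappers, would remove the duplicated block without touching the dispatch tables, and the rv64i file that follows could share it; at minimum, hoist `dat->stream.cbc = NULL;` above the `if` in both functions. The `ret < 0` test also warrants a comment, e.g. `/* key schedule functions presumably return 0 on success and negative on a bad key length; confirm against the asm */`, since the code treats 0 and positive values alike.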
@@ -0,0 +1,59 @@
+/*
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * RISC-V 64 ZKND ZKNE support for AES modes ecb, cbc, ofb, cfb, ctr.
+ * This file is included by cipher_aes_hw.c
+ */
+
+#define cipher_hw_rv64i_zknd_zkne_cbc ossl_cipher_hw_generic_cbc
+#define cipher_hw_rv64i_zknd_zkne_ecb ossl_cipher_hw_generic_ecb
+#define cipher_hw_rv64i_zknd_zkne_ofb128 ossl_cipher_hw_generic_ofb128
+#define cipher_hw_rv64i_zknd_zkne_cfb128 ossl_cipher_hw_generic_cfb128
+#define cipher_hw_rv64i_zknd_zkne_cfb8 ossl_cipher_hw_generic_cfb8
+#define cipher_hw_rv64i_zknd_zkne_cfb1 ossl_cipher_hw_generic_cfb1
+#define cipher_hw_rv64i_zknd_zkne_ctr ossl_cipher_hw_generic_ctr
+
+static int cipher_hw_rv64i_zknd_zkne_initkey(PROV_CIPHER_CTX *dat,
+ const unsigned char *key, size_t keylen)
+{
+ int ret;
+ PROV_AES_CTX *adat = (PROV_AES_CTX *)dat;
+ AES_KEY *ks = &adat->ks.ks;
+
+ dat->ks = ks;
+
+ if ((dat->mode == EVP_CIPH_ECB_MODE || dat->mode == EVP_CIPH_CBC_MODE)
+ && !dat->enc) {
+ ret = rv64i_zknd_set_decrypt_key(key, keylen * 8, ks);
+ dat->block = (block128_f) rv64i_zknd_decrypt;
+ dat->stream.cbc = NULL;
+ } else {
+ ret = rv64i_zkne_set_encrypt_key(key, keylen * 8, ks);
+ dat->block = (block128_f) rv64i_zkne_encrypt;
+ dat->stream.cbc = NULL;
+ }
+
+ if (ret < 0) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SETUP_FAILED);
+ return 0;
+ }
+
+ return 1;
+}
+
+#define PROV_CIPHER_HW_declare(mode) \
+static const PROV_CIPHER_HW rv64i_zknd_zkne_##mode = { \
+ cipher_hw_rv64i_zknd_zkne_initkey, \
+ cipher_hw_rv64i_zknd_zkne_##mode, \
+ cipher_hw_aes_copyctx \
+};
+#define PROV_CIPHER_HW_select(mode) \
+if (RV64I_ZKND_ZKNE_CAPABLE) \
+ return &rv64i_zknd_zkne_##mode;
diff --git a/providers/implementations/ciphers/cipher_aes_ocb_hw.c b/providers/implementations/ciphers/cipher_aes_ocb_hw.c
index 7aa97dc77..5b93d2b71 100644
--- a/providers/implementations/ciphers/cipher_aes_ocb_hw.c
+++ b/providers/implementations/ciphers/cipher_aes_ocb_hw.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -103,6 +103,65 @@ static const PROV_CIPHER_HW aes_t4_ocb = { \
 # define PROV_CIPHER_HW_select() \
 if (SPARC_AES_CAPABLE) \
 return &aes_t4_ocb;
+#elif defined(RV64I_ZKND_ZKNE_CAPABLE)
+
+static int cipher_hw_aes_ocb_rv64i_zknd_zkne_initkey(PROV_CIPHER_CTX *vctx,
+ const unsigned char *key,
+ size_t keylen)
+{
+ PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
+
+ OCB_SET_KEY_FN(rv64i_zkne_set_encrypt_key, rv64i_zknd_set_decrypt_key,
+ rv64i_zkne_encrypt, rv64i_zknd_decrypt, NULL, NULL);
+ return 1;
+}
+
+# define PROV_CIPHER_HW_declare() \
+static const PROV_CIPHER_HW aes_rv64i_zknd_zkne_ocb = { \
+ cipher_hw_aes_ocb_rv64i_zknd_zkne_initkey, \
+ NULL \
+};
+# define PROV_CIPHER_HW_select() \
+ if (RV64I_ZKND_ZKNE_CAPABLE) \
+ return &aes_rv64i_zknd_zkne_ocb;
+#elif defined(RV32I_ZBKB_ZKND_ZKNE_CAPABLE) && defined(RV32I_ZKND_ZKNE_CAPABLE)
+
+static int cipher_hw_aes_ocb_rv32i_zknd_zkne_initkey(PROV_CIPHER_CTX *vctx,
+ const unsigned char *key,
+ size_t keylen)
+{
+ PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
+
+ OCB_SET_KEY_FN(rv32i_zkne_set_encrypt_key, rv32i_zknd_zkne_set_decrypt_key,
+ rv32i_zkne_encrypt, rv32i_zknd_decrypt, NULL, NULL);
+ return 1;
+}
+
+static int cipher_hw_aes_ocb_rv32i_zbkb_zknd_zkne_initkey(PROV_CIPHER_CTX *vctx,
+ const unsigned char *key,
+ size_t keylen)
+{
+ PROV_AES_OCB_CTX *ctx = (PROV_AES_OCB_CTX *)vctx;
+
+ OCB_SET_KEY_FN(rv32i_zbkb_zkne_set_encrypt_key, rv32i_zbkb_zknd_zkne_set_decrypt_key,
+ rv32i_zkne_encrypt, rv32i_zknd_decrypt, NULL, NULL);
+ return 1;
+}
+
+# define PROV_CIPHER_HW_declare() \
+static const PROV_CIPHER_HW aes_rv32i_zknd_zkne_ocb = { \
+ cipher_hw_aes_ocb_rv32i_zknd_zkne_initkey, \
+ NULL \
+}; \
+static const PROV_CIPHER_HW aes_rv32i_zbkb_zknd_zkne_ocb = { \
+ cipher_hw_aes_ocb_rv32i_zbkb_zknd_zkne_initkey, \
+ NULL \
+};
+# define PROV_CIPHER_HW_select() \
+ if (RV32I_ZBKB_ZKND_ZKNE_CAPABLE) \
+ return &aes_rv32i_zbkb_zknd_zkne_ocb; \
+ if (RV32I_ZKND_ZKNE_CAPABLE) \
+ return &aes_rv32i_zknd_zkne_ocb;
 #else
 # define PROV_CIPHER_HW_declare()
 # define PROV_CIPHER_HW_select()
diff --git a/providers/implementations/ciphers/cipher_aes_xts_hw.c b/providers/implementations/ciphers/cipher_aes_xts_hw.c
index c71492f51..c8c9cbf19 100644
--- a/providers/implementations/ciphers/cipher_aes_xts_hw.c
+++ b/providers/implementations/ciphers/cipher_aes_xts_hw.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -158,6 +158,73 @@ static const PROV_CIPHER_HW aes_xts_t4 = { \
 # define PROV_CIPHER_HW_select_xts() \
 if (SPARC_AES_CAPABLE) \
 return &aes_xts_t4;
+#elif defined(RV64I_ZKND_ZKNE_CAPABLE)
+
+static int cipher_hw_aes_xts_rv64i_zknd_zkne_initkey(PROV_CIPHER_CTX *ctx,
+ const unsigned char *key,
+ size_t keylen)
+{
+ PROV_AES_XTS_CTX *xctx = (PROV_AES_XTS_CTX *)ctx;
+ OSSL_xts_stream_fn stream_enc = NULL;
+ OSSL_xts_stream_fn stream_dec = NULL;
+
+ XTS_SET_KEY_FN(rv64i_zkne_set_encrypt_key, rv64i_zknd_set_decrypt_key,
+ rv64i_zkne_encrypt, rv64i_zknd_decrypt,
+ stream_enc, stream_dec);
+ return 1;
+}
+
+# define PROV_CIPHER_HW_declare_xts() \
+static const PROV_CIPHER_HW aes_xts_rv64i_zknd_zkne = { \
+ cipher_hw_aes_xts_rv64i_zknd_zkne_initkey, \
+ NULL, \
+ cipher_hw_aes_xts_copyctx \
+};
+# define PROV_CIPHER_HW_select_xts() \
+if (RV64I_ZKND_ZKNE_CAPABLE) \
+ return &aes_xts_rv64i_zknd_zkne;
+#elif defined(RV32I_ZBKB_ZKND_ZKNE_CAPABLE) && defined(RV32I_ZKND_ZKNE_CAPABLE)
+
+static int cipher_hw_aes_xts_rv32i_zknd_zkne_initkey(PROV_CIPHER_CTX *ctx,
+ const unsigned char *key,
+ size_t keylen)
+{
+ PROV_AES_XTS_CTX *xctx = (PROV_AES_XTS_CTX *)ctx;
+
+ XTS_SET_KEY_FN(rv32i_zkne_set_encrypt_key, rv32i_zknd_zkne_set_decrypt_key,
+ rv32i_zkne_encrypt, rv32i_zknd_decrypt,
+ NULL, NULL);
+ return 1;
+}
+
+static int cipher_hw_aes_xts_rv32i_zbkb_zknd_zkne_initkey(PROV_CIPHER_CTX *ctx,
+ const unsigned char *key,
+ size_t keylen)
+{
+ PROV_AES_XTS_CTX *xctx = (PROV_AES_XTS_CTX *)ctx;
+
+ XTS_SET_KEY_FN(rv32i_zbkb_zkne_set_encrypt_key, rv32i_zbkb_zknd_zkne_set_decrypt_key,
+ rv32i_zkne_encrypt, rv32i_zknd_decrypt,
+ NULL, NULL);
+ return 1;
+}
+
+# define PROV_CIPHER_HW_declare_xts() \
+static const PROV_CIPHER_HW aes_xts_rv32i_zknd_zkne = { \
+ cipher_hw_aes_xts_rv32i_zknd_zkne_initkey, \
+ NULL, \
+ cipher_hw_aes_xts_copyctx \
+}; \
+static const PROV_CIPHER_HW aes_xts_rv32i_zbkb_zknd_zkne = { \
+ cipher_hw_aes_xts_rv32i_zbkb_zknd_zkne_initkey, \
+ NULL, \
+ 
cipher_hw_aes_xts_copyctx \ +}; +# define PROV_CIPHER_HW_select_xts() \ +if (RV32I_ZBKB_ZKND_ZKNE_CAPABLE) \ + return &aes_xts_rv32i_zbkb_zknd_zkne; \ +if (RV32I_ZKND_ZKNE_CAPABLE) \ + return &aes_xts_rv32i_zknd_zkne; # else /* The generic case */ # define PROV_CIPHER_HW_declare_xts() diff --git a/providers/implementations/ciphers/cipher_rc5.h b/providers/implementations/ciphers/cipher_rc5.h index c630e7c87..ab3da8d73 100644 --- a/providers/implementations/ciphers/cipher_rc5.h +++ b/providers/implementations/ciphers/cipher_rc5.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -10,7 +10,7 @@ #include #include "prov/ciphercommon.h" -typedef struct prov_blowfish_ctx_st { +typedef struct prov_rc5_ctx_st { PROV_CIPHER_CTX base; /* Must be first */ union { OSSL_UNION_ALIGN; diff --git a/providers/implementations/ciphers/cipher_sm4.h b/providers/implementations/ciphers/cipher_sm4.h index f7f833fcb..9ab49e327 100644 --- a/providers/implementations/ciphers/cipher_sm4.h +++ b/providers/implementations/ciphers/cipher_sm4.h @@ -1,5 +1,5 @@ /* - * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -9,6 +9,7 @@ #include "prov/ciphercommon.h" #include "crypto/sm4.h" +#include "crypto/sm4_platform.h" typedef struct prov_cast_ctx_st { PROV_CIPHER_CTX base; /* Must be first */ diff --git a/providers/implementations/ciphers/cipher_sm4_ccm.c b/providers/implementations/ciphers/cipher_sm4_ccm.c new file mode 100644 index 000000000..38e75016e --- /dev/null 
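Review bot: `cipher_hw_aes_xts_rv64i_zknd_zkne_initkey` declares `stream_enc` and `stream_dec` locals that are only ever NULL and hands them to `XTS_SET_KEY_FN`, whereas the two rv32i variants pass `NULL, NULL` directly; dropping the two declarations and writing `stream_enc, stream_dec);` as `NULL, NULL);` makes the three functions consistent. The new `PROV_CIPHER_HW_select_xts` macros also start their `if` at column 0 inside the macro body, while the OCB file's `PROV_CIPHER_HW_select` indents it; either is fine, but the two files added in the same series should agree.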
+++ b/providers/implementations/ciphers/cipher_sm4_ccm.c
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for SM4 CCM mode */
+
+#include "cipher_sm4_ccm.h"
+#include "prov/implementations.h"
+#include "prov/providercommon.h"
+
+static OSSL_FUNC_cipher_freectx_fn sm4_ccm_freectx;
+
+static void *sm4_ccm_newctx(void *provctx, size_t keybits)
+{
+ PROV_SM4_CCM_CTX *ctx;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
+ if (ctx != NULL)
+ ossl_ccm_initctx(&ctx->base, keybits, ossl_prov_sm4_hw_ccm(keybits));
+ return ctx;
+}
+
+static void sm4_ccm_freectx(void *vctx)
+{
+ PROV_SM4_CCM_CTX *ctx = (PROV_SM4_CCM_CTX *)vctx;
+
+ OPENSSL_clear_free(ctx, sizeof(*ctx));
+}
+
+/* sm4128ccm functions */
+IMPLEMENT_aead_cipher(sm4, ccm, CCM, AEAD_FLAGS, 128, 8, 96);
diff --git a/providers/implementations/ciphers/cipher_sm4_ccm.h b/providers/implementations/ciphers/cipher_sm4_ccm.h
new file mode 100644
index 000000000..fbfb46a6d
--- /dev/null
+++ b/providers/implementations/ciphers/cipher_sm4_ccm.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "crypto/sm4.h"
+#include "prov/ciphercommon.h"
+#include "prov/ciphercommon_ccm.h"
+
+typedef struct prov_sm4_ccm_ctx_st {
+ PROV_CCM_CTX base; /* Must be first */
+ union {
+ OSSL_UNION_ALIGN;
+ SM4_KEY ks;
+ } ks; /* SM4 key schedule to use */
+} PROV_SM4_CCM_CTX;
+
+const PROV_CCM_HW *ossl_prov_sm4_hw_ccm(size_t keylen);
diff --git a/providers/implementations/ciphers/cipher_sm4_ccm_hw.c b/providers/implementations/ciphers/cipher_sm4_ccm_hw.c
new file mode 100644
index 000000000..426ebe963
--- /dev/null
+++ b/providers/implementations/ciphers/cipher_sm4_ccm_hw.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * Generic support for SM4 CCM.
+ */
+
+#include "cipher_sm4_ccm.h"
+
+static int ccm_sm4_initkey(PROV_CCM_CTX *ctx,
+ const unsigned char *key, size_t keylen)
+{
+ PROV_SM4_CCM_CTX *actx = (PROV_SM4_CCM_CTX *)ctx;
+
+ ossl_sm4_set_key(key, &actx->ks.ks);
+ CRYPTO_ccm128_init(&ctx->ccm_ctx, ctx->m, ctx->l, &actx->ks.ks,
+ (block128_f)ossl_sm4_encrypt);
+ ctx->str = NULL;
+ ctx->key_set = 1;
+ return 1;
+}
+
+static const PROV_CCM_HW ccm_sm4 = {
+ ccm_sm4_initkey,
+ ossl_ccm_generic_setiv,
+ ossl_ccm_generic_setaad,
+ ossl_ccm_generic_auth_encrypt,
+ ossl_ccm_generic_auth_decrypt,
+ ossl_ccm_generic_gettag
+};
+
+const PROV_CCM_HW *ossl_prov_sm4_hw_ccm(size_t keybits)
+{
+ return &ccm_sm4;
+}
diff --git a/providers/implementations/ciphers/cipher_sm4_gcm.c b/providers/implementations/ciphers/cipher_sm4_gcm.c
new file mode 100644
index 000000000..ce1aa2b07
--- /dev/null
+++ b/providers/implementations/ciphers/cipher_sm4_gcm.c
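Review bot: `ossl_prov_sm4_hw_ccm` is declared with parameter `keylen` in cipher_sm4_ccm.h but defined with `keybits` here, and neither it nor `ccm_sm4_initkey` reads the length it receives. SM4 has a single 128-bit key size, so ignoring it is presumably fine, but the header and definition should agree on the name, and a comment on `ccm_sm4_initkey` such as `/* SM4 keys are always 128 bits; keylen is not validated here */` would record where that assumption lives. Unlike the companion cipher_sm4_gcm_hw.c in this commit, this CCM path always uses the portable `ossl_sm4_set_key`/`ossl_sm4_encrypt` rather than the HWSM4/VPSM4 dispatch; if that is deliberate a one-line comment saying so would stop the next reader from "fixing" it, otherwise the same dispatch could be applied.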
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* Dispatch functions for SM4 GCM mode */
+
+#include "cipher_sm4_gcm.h"
+#include "prov/implementations.h"
+#include "prov/providercommon.h"
+
+static OSSL_FUNC_cipher_freectx_fn sm4_gcm_freectx;
+
+static void *sm4_gcm_newctx(void *provctx, size_t keybits)
+{
+ PROV_SM4_GCM_CTX *ctx;
+
+ if (!ossl_prov_is_running())
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
+ if (ctx != NULL)
+ ossl_gcm_initctx(provctx, &ctx->base, keybits,
+ ossl_prov_sm4_hw_gcm(keybits));
+ return ctx;
+}
+
+static void sm4_gcm_freectx(void *vctx)
+{
+ PROV_SM4_GCM_CTX *ctx = (PROV_SM4_GCM_CTX *)vctx;
+
+ OPENSSL_clear_free(ctx, sizeof(*ctx));
+}
+
+/* ossl_sm4128gcm_functions */
+IMPLEMENT_aead_cipher(sm4, gcm, GCM, AEAD_FLAGS, 128, 8, 96);
diff --git a/providers/implementations/ciphers/cipher_sm4_gcm.h b/providers/implementations/ciphers/cipher_sm4_gcm.h
new file mode 100644
index 000000000..abd5ce75f
--- /dev/null
+++ b/providers/implementations/ciphers/cipher_sm4_gcm.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "crypto/sm4.h"
+#include "prov/ciphercommon.h"
+#include "prov/ciphercommon_gcm.h"
+
+typedef struct prov_sm4_gcm_ctx_st {
+ PROV_GCM_CTX base; /* must be first entry in struct */
+ union {
+ OSSL_UNION_ALIGN;
+ SM4_KEY ks;
+ } ks;
+} PROV_SM4_GCM_CTX;
+
+const PROV_GCM_HW *ossl_prov_sm4_hw_gcm(size_t keybits);
diff --git a/providers/implementations/ciphers/cipher_sm4_gcm_hw.c b/providers/implementations/ciphers/cipher_sm4_gcm_hw.c
new file mode 100644
index 000000000..268d47f65
--- /dev/null
+++ b/providers/implementations/ciphers/cipher_sm4_gcm_hw.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*-
+ * Generic support for SM4 GCM.
+ */
+
+#include "cipher_sm4_gcm.h"
+#include "crypto/sm4_platform.h"
+
+static int sm4_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key,
+ size_t keylen)
+{
+ PROV_SM4_GCM_CTX *actx = (PROV_SM4_GCM_CTX *)ctx;
+ SM4_KEY *ks = &actx->ks.ks;
+
+ ctx->ks = ks;
+# ifdef HWSM4_CAPABLE
+ if (HWSM4_CAPABLE) {
+ HWSM4_set_encrypt_key(key, ks);
+ CRYPTO_gcm128_init(&ctx->gcm, ks, (block128_f) HWSM4_encrypt);
+# ifdef HWSM4_ctr32_encrypt_blocks
+ ctx->ctr = (ctr128_f) HWSM4_ctr32_encrypt_blocks;
+# else /* HWSM4_ctr32_encrypt_blocks */
+ ctx->ctr = (ctr128_f)NULL;
+# endif
+ } else
+# endif /* HWSM4_CAPABLE */
+# ifdef VPSM4_CAPABLE
+ if (VPSM4_CAPABLE) {
+ vpsm4_set_encrypt_key(key, ks);
+ CRYPTO_gcm128_init(&ctx->gcm, ks, (block128_f) vpsm4_encrypt);
+ ctx->ctr = (ctr128_f) vpsm4_ctr32_encrypt_blocks;
+ } else
+# endif /* VPSM4_CAPABLE */
+ {
+ ossl_sm4_set_key(key, ks);
+ CRYPTO_gcm128_init(&ctx->gcm, ks, (block128_f)ossl_sm4_encrypt);
+ ctx->ctr = (ctr128_f)NULL;
+ }
+ ctx->key_set = 1;
+
+ return 1;
+}
+
+static int hw_gcm_cipher_update(PROV_GCM_CTX *ctx, const unsigned char *in,
+ size_t len, unsigned char *out)
+{
+ if (ctx->enc) {
+ if (ctx->ctr != NULL) {
+ if (CRYPTO_gcm128_encrypt_ctr32(&ctx->gcm, in, out, len, ctx->ctr))
+ return 0;
+ } else {
+ if (CRYPTO_gcm128_encrypt(&ctx->gcm, in, out, len))
+ return 0;
+ }
+ } else {
+ if (ctx->ctr != NULL) {
+ if (CRYPTO_gcm128_decrypt_ctr32(&ctx->gcm, in, out, len, ctx->ctr))
+ return 0;
+ } else {
+ if (CRYPTO_gcm128_decrypt(&ctx->gcm, in, out, len))
+ return 0;
+ }
+ }
+ return 1;
+}
+
+static const PROV_GCM_HW sm4_gcm = 
{ + sm4_gcm_initkey, + ossl_gcm_setiv, + ossl_gcm_aad_update, + hw_gcm_cipher_update, + ossl_gcm_cipher_final, + ossl_gcm_one_shot +}; + +const PROV_GCM_HW *ossl_prov_sm4_hw_gcm(size_t keybits) +{ + return &sm4_gcm; +} diff --git a/providers/implementations/ciphers/cipher_sm4_hw.c b/providers/implementations/ciphers/cipher_sm4_hw.c index 0db04b1a7..1fd916a56 100644 --- a/providers/implementations/ciphers/cipher_sm4_hw.c +++ b/providers/implementations/ciphers/cipher_sm4_hw.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
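Review bot: `sm4_gcm_initkey` writes its preprocessor conditionals as `# ifdef HWSM4_CAPABLE` / `# endif` with a space after `#`, which in this codebase marks a nested conditional, yet no enclosing `#if` is visible in the file, and cipher_sm4_hw.c in the same commit spells the identical dispatch as `#ifdef HWSM4_CAPABLE`; dropping the space here would make the two files consistent. `keylen` is accepted and ignored by both `sm4_gcm_initkey` and `ossl_prov_sm4_hw_gcm`, so a comment such as `/* SM4 keys are always 128 bits; keylen is not validated here */` would tell readers that the omission is intentional. `hw_gcm_cipher_update` chooses between the `*_ctr32` and plain GCM routines on `ctx->ctr`; if the shared GCM layer already provides an update routine with that branching, reusing it would avoid carrying a second copy in the SM4 back end.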
@@ -15,14 +15,83 @@ static int cipher_hw_sm4_initkey(PROV_CIPHER_CTX *ctx, PROV_SM4_CTX *sctx = (PROV_SM4_CTX *)ctx; SM4_KEY *ks = &sctx->ks.ks; - ossl_sm4_set_key(key, ks); ctx->ks = ks; if (ctx->enc || (ctx->mode != EVP_CIPH_ECB_MODE - && ctx->mode != EVP_CIPH_CBC_MODE)) - ctx->block = (block128_f)ossl_sm4_encrypt; - else - ctx->block = (block128_f)ossl_sm4_decrypt; + && ctx->mode != EVP_CIPH_CBC_MODE)) { +#ifdef HWSM4_CAPABLE + if (HWSM4_CAPABLE) { + HWSM4_set_encrypt_key(key, ks); + ctx->block = (block128_f)HWSM4_encrypt; + ctx->stream.cbc = NULL; +#ifdef HWSM4_cbc_encrypt + if (ctx->mode == EVP_CIPH_CBC_MODE) + ctx->stream.cbc = (cbc128_f)HWSM4_cbc_encrypt; + else +#endif +#ifdef HWSM4_ecb_encrypt + if (ctx->mode == EVP_CIPH_ECB_MODE) + ctx->stream.ecb = (ecb128_f)HWSM4_ecb_encrypt; + else +#endif +#ifdef HWSM4_ctr32_encrypt_blocks + if (ctx->mode == EVP_CIPH_CTR_MODE) + ctx->stream.ctr = (ctr128_f)HWSM4_ctr32_encrypt_blocks; + else +#endif + (void)0; /* terminate potentially open 'else' */ + } else +#endif +#ifdef VPSM4_CAPABLE + if (VPSM4_CAPABLE) { + vpsm4_set_encrypt_key(key, ks); + ctx->block = (block128_f)vpsm4_encrypt; + ctx->stream.cbc = NULL; + if (ctx->mode == EVP_CIPH_CBC_MODE) + ctx->stream.cbc = (cbc128_f)vpsm4_cbc_encrypt; + else if (ctx->mode == EVP_CIPH_ECB_MODE) + ctx->stream.ecb = (ecb128_f)vpsm4_ecb_encrypt; + else if (ctx->mode == EVP_CIPH_CTR_MODE) + ctx->stream.ctr = (ctr128_f)vpsm4_ctr32_encrypt_blocks; + } else +#endif + { + ossl_sm4_set_key(key, ks); + ctx->block = (block128_f)ossl_sm4_encrypt; + } + } else { +#ifdef HWSM4_CAPABLE + if (HWSM4_CAPABLE) { + HWSM4_set_decrypt_key(key, ks); + ctx->block = (block128_f)HWSM4_decrypt; + ctx->stream.cbc = NULL; +#ifdef HWSM4_cbc_encrypt + if (ctx->mode == EVP_CIPH_CBC_MODE) + ctx->stream.cbc = (cbc128_f)HWSM4_cbc_encrypt; +#endif +#ifdef HWSM4_ecb_encrypt + if (ctx->mode == EVP_CIPH_ECB_MODE) + ctx->stream.ecb = (ecb128_f)HWSM4_ecb_encrypt; +#endif + } else +#endif +#ifdef VPSM4_CAPABLE + if 
(VPSM4_CAPABLE) { + vpsm4_set_decrypt_key(key, ks); + ctx->block = (block128_f)vpsm4_decrypt; + ctx->stream.cbc = NULL; + if (ctx->mode == EVP_CIPH_CBC_MODE) + ctx->stream.cbc = (cbc128_f)vpsm4_cbc_encrypt; + else if (ctx->mode == EVP_CIPH_ECB_MODE) + ctx->stream.ecb = (ecb128_f)vpsm4_ecb_encrypt; + } else +#endif + { + ossl_sm4_set_key(key, ks); + ctx->block = (block128_f)ossl_sm4_decrypt; + } + } + return 1; } @@ -31,7 +100,7 @@ IMPLEMENT_CIPHER_HW_COPYCTX(cipher_hw_sm4_copyctx, PROV_SM4_CTX) # define PROV_CIPHER_HW_sm4_mode(mode) \ static const PROV_CIPHER_HW sm4_##mode = { \ cipher_hw_sm4_initkey, \ - ossl_cipher_hw_chunked_##mode, \ + ossl_cipher_hw_generic_##mode, \ cipher_hw_sm4_copyctx \ }; \ const PROV_CIPHER_HW *ossl_prov_cipher_hw_sm4_##mode(size_t keybits) \ diff --git a/providers/implementations/ciphers/cipher_tdes_common.c b/providers/implementations/ciphers/cipher_tdes_common.c index 346aec05a..af2f5b984 100644 --- a/providers/implementations/ciphers/cipher_tdes_common.c +++ b/providers/implementations/ciphers/cipher_tdes_common.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -123,13 +123,12 @@ static int tdes_generatekey(PROV_CIPHER_CTX *ctx, void *ptr) if (kl == 0 || RAND_priv_bytes_ex(ctx->libctx, ptr, kl, 0) <= 0) return 0; DES_set_odd_parity(deskey); - if (kl >= 16) + if (kl >= 16) { DES_set_odd_parity(deskey + 1); - if (kl >= 24) { - DES_set_odd_parity(deskey + 2); - return 1; + if (kl >= 24) + DES_set_odd_parity(deskey + 2); } - return 0; + return 1; } int ossl_tdes_get_ctx_params(void *vctx, OSSL_PARAM params[]) diff --git a/providers/implementations/digests/sha2_prov.c b/providers/implementations/digests/sha2_prov.c index 3b731796b..b239adbb4 100644 
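Review bot: `cipher_hw_sm4_initkey` now repeats the HWSM4/VPSM4/generic selection twice, once for the encrypt path and once for the decrypt path, differing only in the `*_set_encrypt_key`/`*_set_decrypt_key` call and in which `ctx->stream.*` pointers are wired up, and the `(void)0; /* terminate potentially open 'else' */` workaround exists only because three independently `#ifdef`-guarded branches are chained as `else if`. Extracting the per-backend key setup into small static helpers that take the encrypt/decrypt flag would remove both the duplication and the dangling-else trick; the function starts before this hunk. The second hunk switches the mode table from `ossl_cipher_hw_chunked_##mode` to `ossl_cipher_hw_generic_##mode` without a comment; if, as it appears, this is because only the generic routines consult the `ctx->stream.*` pointers the accelerated back ends now set, a line such as `/* generic_* honour ctx->stream, which the HWSM4/VPSM4 paths populate */` next to the macro would explain the switch.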
--- a/providers/implementations/digests/sha2_prov.c +++ b/providers/implementations/digests/sha2_prov.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -17,7 +17,6 @@ #include #include #include -#include #include #include #include "prov/digestcommon.h" @@ -92,4 +91,3 @@ IMPLEMENT_digest_functions(sha512_224, SHA512_CTX, IMPLEMENT_digest_functions(sha512_256, SHA512_CTX, SHA512_CBLOCK, SHA256_DIGEST_LENGTH, SHA2_FLAGS, sha512_256_init, SHA512_Update, SHA512_Final) - diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c index 168825d47..3690dc93d 100644 --- a/providers/implementations/digests/sha3_prov.c +++ b/providers/implementations/digests/sha3_prov.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -177,6 +177,38 @@ static int s390x_shake_final(unsigned char *md, void *vctx) return 1; } +static int s390x_keccakc_final(unsigned char *md, void *vctx, int padding) +{ + KECCAK1600_CTX *ctx = vctx; + size_t bsz = ctx->block_size; + size_t num = ctx->bufsz; + size_t needed = ctx->md_size; + static const unsigned char empty[KECCAK1600_WIDTH / 8] = {0}; + + if (!ossl_prov_is_running()) + return 0; + if (ctx->md_size == 0) + return 1; + memset(ctx->buf + num, 0, bsz - num); + ctx->buf[num] = padding; + ctx->buf[bsz - 1] |= 0x80; + s390x_kimd(ctx->buf, bsz, ctx->pad, ctx->A); + while (needed > bsz) { + memcpy(md, ctx->A, bsz); + needed -= bsz; + md += bsz; + s390x_kimd(empty, bsz, ctx->pad, ctx->A); + } + memcpy(md, ctx->A, needed); + + return 1; +} + +static int s390x_kmac_final(unsigned char *md, void *vctx) +{ + return s390x_keccakc_final(md, vctx, 0x04); +} + static PROV_SHA3_METHOD sha3_s390x_md = { s390x_sha3_absorb, @@ -189,6 +221,12 @@ static PROV_SHA3_METHOD shake_s390x_md = s390x_shake_final }; +static PROV_SHA3_METHOD kmac_s390x_md = +{ + s390x_sha3_absorb, + s390x_kmac_final +}; + # define SHA3_SET_MD(uname, typ) \ if (S390_SHA3_CAPABLE(uname)) { \ ctx->pad = S390X_##uname; \ @@ -196,8 +234,16 @@ static PROV_SHA3_METHOD shake_s390x_md = } else { \ ctx->meth = sha3_generic_md; \ } +# define KMAC_SET_MD(bitlen) \ + if (S390_SHA3_CAPABLE(SHAKE_##bitlen)) { \ + ctx->pad = S390X_SHAKE_##bitlen; \ + ctx->meth = kmac_s390x_md; \ + } else { \ + ctx->meth = sha3_generic_md; \ + } #else # define SHA3_SET_MD(uname, typ) ctx->meth = sha3_generic_md; +# define KMAC_SET_MD(bitlen) ctx->meth = sha3_generic_md; #endif /* S390_SHA3 */ #define SHA3_newctx(typ, uname, name, bitlen, pad) \ @@ -224,7 +270,7 @@ static void *uname##_newctx(void *provctx) \ if (ctx == NULL) \ return NULL; \ ossl_keccak_kmac_init(ctx, pad, bitlen); \ - ctx->meth = sha3_generic_md; \ + KMAC_SET_MD(bitlen) \ return ctx; \ } 
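Review bot: `s390x_keccakc_final` takes `padding` as `int` but stores it into `ctx->buf[num]`, an `unsigned char`; declaring it `unsigned char padding` matches the use and the `0x04` literal passed by `s390x_kmac_final`. The body reads as the same absorb-then-squeeze sequence that `s390x_shake_final` (whose closing lines precede this hunk) presumably implements, with only the domain-separation byte differing; if that holds, `s390x_shake_final` could delegate to `s390x_keccakc_final` with its own pad byte instead of keeping a parallel copy. The role of the zero-filled `empty` block in the squeeze loop is not obvious; a comment on its declaration such as `/* all-zero input block: feeding it to KIMD runs the permutation again without changing the absorbed state */` would help, assuming that is how the instruction is being used here.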
@@ -262,7 +308,7 @@ static void *keccak_dupctx(void *ctx) { KECCAK1600_CTX *in = (KECCAK1600_CTX *)ctx; KECCAK1600_CTX *ret = ossl_prov_is_running() ? OPENSSL_malloc(sizeof(*ret)) - : NULL; + : NULL; if (ret != NULL) *ret = *in; diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c index b9cee2571..9f4a9c577 100644 --- a/providers/implementations/encode_decode/decode_der2key.c +++ b/providers/implementations/encode_decode/decode_der2key.c @@ -35,6 +35,7 @@ #include "prov/bio.h" #include "prov/implementations.h" #include "endecoder_local.h" +#include "internal/nelem.h" struct der2key_ctx_st; /* Forward declaration */ typedef int check_key_fn(void *, struct der2key_ctx_st *ctx); diff --git a/providers/implementations/encode_decode/encode_key2any.c b/providers/implementations/encode_decode/encode_key2any.c index c7b01cb2b..efbaa0d8c 100644 --- a/providers/implementations/encode_decode/encode_key2any.c +++ b/providers/implementations/encode_decode/encode_key2any.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -168,7 +168,7 @@ static X509_PUBKEY *key_to_pubkey(const void *key, int key_nid, * EncryptedPrivateKeyInfo structure (defined by PKCS#8). They require * that there's an intent to encrypt, anything else is an error. * - * key_to_pki_* primarly produce encoded output with the private key data + * key_to_pki_* primarily produce encoded output with the private key data * in a PrivateKeyInfo structure (also defined by PKCS#8). However, if * there is an intent to encrypt the data, the corresponding key_to_epki_* * function is used instead. 
diff --git a/providers/implementations/exchange/dh_exch.c b/providers/implementations/exchange/dh_exch.c index 1d8a2e27b..dd5254fef 100644 --- a/providers/implementations/exchange/dh_exch.c +++ b/providers/implementations/exchange/dh_exch.c @@ -351,12 +351,13 @@ static int dh_set_ctx_params(void *vpdhctx, const OSSL_PARAM params[]) EVP_MD_free(pdhctx->kdf_md); pdhctx->kdf_md = EVP_MD_fetch(pdhctx->libctx, name, mdprops); + if (pdhctx->kdf_md == NULL) + return 0; if (!ossl_digest_is_allowed(pdhctx->libctx, pdhctx->kdf_md)) { EVP_MD_free(pdhctx->kdf_md); pdhctx->kdf_md = NULL; - } - if (pdhctx->kdf_md == NULL) return 0; + } } p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN); diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c index 35d665fb9..43caedb6d 100644 --- a/providers/implementations/exchange/ecdh_exch.c +++ b/providers/implementations/exchange/ecdh_exch.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -283,12 +283,13 @@ int ecdh_set_ctx_params(void *vpecdhctx, const OSSL_PARAM params[]) EVP_MD_free(pectx->kdf_md); pectx->kdf_md = EVP_MD_fetch(pectx->libctx, name, mdprops); + if (pectx->kdf_md == NULL) + return 0; if (!ossl_digest_is_allowed(pectx->libctx, pectx->kdf_md)) { EVP_MD_free(pectx->kdf_md); pectx->kdf_md = NULL; - } - if (pectx->kdf_md == NULL) return 0; + } } p = OSSL_PARAM_locate_const(params, OSSL_EXCHANGE_PARAM_KDF_OUTLEN); diff --git a/providers/implementations/include/prov/ciphercommon.h b/providers/implementations/include/prov/ciphercommon.h index 8153872cb..94f485f9b 100644 --- a/providers/implementations/include/prov/ciphercommon.h +++ b/providers/implementations/include/prov/ciphercommon.h 
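Review bot: In both `dh_set_ctx_params` and `ecdh_set_ctx_params` the new early `return 0` when `EVP_MD_fetch` yields NULL is correct, but the `!ossl_digest_is_allowed` branch that follows still returns 0 without raising an error of its own, so unless `ossl_digest_is_allowed` raises internally a caller sees a bare failure for a disallowed digest; adding an `ERR_raise` with a suitable reason code in that branch would make the two failure paths equally diagnosable. Both functions also free the previously fetched `kdf_md` before attempting the new fetch, so a failed set leaves the context with no KDF digest; that is pre-existing behaviour, but a short comment stating it would help callers who retry with a different name.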
@@ -42,6 +42,13 @@ typedef int (PROV_CIPHER_HW_FN)(PROV_CIPHER_CTX *dat, unsigned char *out, #define PROV_CIPHER_FLAG_INVERSE_CIPHER 0x0200 struct prov_cipher_ctx_st { + /* place buffer at the beginning for memory alignment */ + /* The original value of the iv */ + unsigned char oiv[GENERIC_BLOCK_SIZE]; + /* Buffer of partial blocks processed via update calls */ + unsigned char buf[GENERIC_BLOCK_SIZE]; + unsigned char iv[GENERIC_BLOCK_SIZE]; + block128_f block; union { cbc128_f cbc; @@ -82,12 +89,6 @@ struct prov_cipher_ctx_st { * manage partial blocks themselves. */ unsigned int num; - - /* The original value of the iv */ - unsigned char oiv[GENERIC_BLOCK_SIZE]; - /* Buffer of partial blocks processed via update calls */ - unsigned char buf[GENERIC_BLOCK_SIZE]; - unsigned char iv[GENERIC_BLOCK_SIZE]; const PROV_CIPHER_HW *hw; /* hardware specific functions */ const void *ks; /* Pointer to algorithm specific key data */ OSSL_LIB_CTX *libctx; diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h index 3f6dd7ee1..498eab4ad 100644 --- a/providers/implementations/include/prov/implementations.h +++ b/providers/implementations/include/prov/implementations.h @@ -174,6 +174,8 @@ extern const OSSL_DISPATCH ossl_seed128ofb128_functions[]; extern const OSSL_DISPATCH ossl_seed128cfb128_functions[]; #endif /* OPENSSL_NO_SEED */ #ifndef OPENSSL_NO_SM4 +extern const OSSL_DISPATCH ossl_sm4128gcm_functions[]; +extern const OSSL_DISPATCH ossl_sm4128ccm_functions[]; extern const OSSL_DISPATCH ossl_sm4128ecb_functions[]; extern const OSSL_DISPATCH ossl_sm4128cbc_functions[]; extern const OSSL_DISPATCH ossl_sm4128ctr_functions[]; diff --git a/providers/implementations/include/prov/names.h b/providers/implementations/include/prov/names.h index e0dbb69a9..025d25ab0 100644 --- a/providers/implementations/include/prov/names.h +++ b/providers/implementations/include/prov/names.h 
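Review bot: The comment `/* place buffer at the beginning for memory alignment */` does not say which code relies on the alignment of `oiv`, `buf` and `iv`, so the next person reordering `prov_cipher_ctx_st` has nothing to check against. Offset 0 inherits the alignment of the whole struct, which is presumably the property wanted; naming the consumer, e.g. `/* oiv/buf/iv are kept first so they share the struct's alignment; <consumer, e.g. an assembly back end> loads them with aligned accesses */`, would pin that down. Reordering also changes the layout of `PROV_CIPHER_CTX`, which the cipher headers embed as their `base` member; that is fine for code built from the same tree, but worth a note if any out-of-tree provider code hard-codes the old layout.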
@@ -1,5 +1,5 @@ /* - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -162,6 +162,8 @@ #define PROV_NAMES_SM4_CTR "SM4-CTR:1.2.156.10197.1.104.7" #define PROV_NAMES_SM4_OFB "SM4-OFB:SM4-OFB128:1.2.156.10197.1.104.3" #define PROV_NAMES_SM4_CFB "SM4-CFB:SM4-CFB128:1.2.156.10197.1.104.4" +#define PROV_NAMES_SM4_GCM "SM4-GCM:1.2.156.10197.1.104.8" +#define PROV_NAMES_SM4_CCM "SM4-CCM:1.2.156.10197.1.104.9" #define PROV_NAMES_ChaCha20 "ChaCha20" #define PROV_NAMES_ChaCha20_Poly1305 "ChaCha20-Poly1305" #define PROV_NAMES_CAST5_ECB "CAST5-ECB" diff --git a/providers/implementations/include/prov/seeding.h b/providers/implementations/include/prov/seeding.h index 637b921b2..2a1203926 100644 --- a/providers/implementations/include/prov/seeding.h +++ b/providers/implementations/include/prov/seeding.h @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -14,17 +14,6 @@ size_t ossl_prov_acquire_entropy_from_tsc(RAND_POOL *pool); size_t ossl_prov_acquire_entropy_from_cpu(RAND_POOL *pool); -/* - * Add some platform specific additional data - * - * This function is platform specific and adds some random noise to the - * additional data used for generating random bytes and for reseeding - * the drbg. - * - * Returns 1 on success and 0 on failure. - */ -int ossl_rand_pool_add_additional_data(RAND_POOL *pool); - /* * External seeding functions from the core dispatch table. */ 
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c index dfa7786bd..6701b05f2 100644 --- a/providers/implementations/kdfs/hkdf.c +++ b/providers/implementations/kdfs/hkdf.c @@ -29,12 +29,13 @@ #include "prov/providercommon.h" #include "prov/implementations.h" #include "prov/provider_util.h" -#include "e_os.h" +#include "internal/e_os.h" #define HKDF_MAXBUF 2048 #define HKDF_MAXINFO (32*1024) static OSSL_FUNC_kdf_newctx_fn kdf_hkdf_new; +static OSSL_FUNC_kdf_dupctx_fn kdf_hkdf_dup; static OSSL_FUNC_kdf_freectx_fn kdf_hkdf_free; static OSSL_FUNC_kdf_reset_fn kdf_hkdf_reset; static OSSL_FUNC_kdf_derive_fn kdf_hkdf_derive; @@ -127,6 +128,36 @@ static void kdf_hkdf_reset(void *vctx) ctx->provctx = provctx; } +static void *kdf_hkdf_dup(void *vctx) +{ + const KDF_HKDF *src = (const KDF_HKDF *)vctx; + KDF_HKDF *dest; + + dest = kdf_hkdf_new(src->provctx); + if (dest != NULL) { + if (!ossl_prov_memdup(src->salt, src->salt_len, &dest->salt, + &dest->salt_len) + || !ossl_prov_memdup(src->key, src->key_len, + &dest->key , &dest->key_len) + || !ossl_prov_memdup(src->prefix, src->prefix_len, + &dest->prefix, &dest->prefix_len) + || !ossl_prov_memdup(src->label, src->label_len, + &dest->label, &dest->label_len) + || !ossl_prov_memdup(src->data, src->data_len, + &dest->data, &dest->data_len) + || !ossl_prov_memdup(src->info, src->info_len, + &dest->info, &dest->info_len) + || !ossl_prov_digest_copy(&dest->digest, &src->digest)) + goto err; + dest->mode = src->mode; + } + return dest; + + err: + kdf_hkdf_free(dest); + return NULL; +} + static size_t kdf_hkdf_size(KDF_HKDF *ctx) { int sz; 
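Review bot: `kdf_hkdf_dup` copies salt, key, prefix, label, data, info, the digest and `mode`, but `KDF_HKDF` itself is not visible here, so any further field (an output-length or "info set" flag, if one exists) would silently keep its `kdf_hkdf_new` default in the copy; the struct definition should be checked against this list before merging. Stylistically, `&dest->key , &dest->key_len` carries a stray space before the comma, and the same appears in `krb5kdf_dup` (`&dest->constant , &dest->constant_len`) in kdfs/krb5kdf.c further down. A header comment such as `/* Deep-copies every owned buffer; the digest is duplicated via ossl_prov_digest_copy */` would document the contract.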
@@ -355,6 +386,7 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, const OSSL_DISPATCH ossl_kdf_hkdf_functions[] = { { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset }, { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_hkdf_derive }, @@ -770,6 +802,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx, const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = { { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset }, { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_3_derive }, diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c index a542f84df..aa3df15bc 100644 --- a/providers/implementations/kdfs/kbkdf.c +++ b/providers/implementations/kdfs/kbkdf.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2019 Red Hat, Inc. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -44,7 +44,7 @@ #include "prov/provider_util.h" #include "prov/providercommon.h" -#include "e_os.h" +#include "internal/e_os.h" #define ossl_min(a, b) ((a) < (b)) ? (a) : (b) @@ -60,6 +60,7 @@ typedef struct { EVP_MAC_CTX *ctx_init; /* Names are lowercased versions of those found in SP800-108. */ + int r; unsigned char *ki; size_t ki_len; unsigned char *label; 
@@ -69,11 +70,13 @@ typedef struct { unsigned char *iv; size_t iv_len; int use_l; + int is_kmac; int use_separator; } KBKDF; /* Definitions needed for typechecking. */ static OSSL_FUNC_kdf_newctx_fn kbkdf_new; +static OSSL_FUNC_kdf_dupctx_fn kbkdf_dup; static OSSL_FUNC_kdf_freectx_fn kbkdf_free; static OSSL_FUNC_kdf_reset_fn kbkdf_reset; static OSSL_FUNC_kdf_derive_fn kbkdf_derive; @@ -100,8 +103,10 @@ static uint32_t be32(uint32_t host) static void init(KBKDF *ctx) { + ctx->r = 32; ctx->use_l = 1; ctx->use_separator = 1; + ctx->is_kmac = 0; } static void *kbkdf_new(void *provctx) @@ -147,12 +152,43 @@ static void kbkdf_reset(void *vctx) init(ctx); } +static void *kbkdf_dup(void *vctx) +{ + const KBKDF *src = (const KBKDF *)vctx; + KBKDF *dest; + + dest = kbkdf_new(src->provctx); + if (dest != NULL) { + dest->ctx_init = EVP_MAC_CTX_dup(src->ctx_init); + if (dest->ctx_init == NULL + || !ossl_prov_memdup(src->ki, src->ki_len, + &dest->ki, &dest->ki_len) + || !ossl_prov_memdup(src->label, src->label_len, + &dest->label, &dest->label_len) + || !ossl_prov_memdup(src->context, src->context_len, + &dest->context, &dest->context_len) + || !ossl_prov_memdup(src->iv, src->iv_len, + &dest->iv, &dest->iv_len)) + goto err; + dest->mode = src->mode; + dest->r = src->r; + dest->use_l = src->use_l; + dest->use_separator = src->use_separator; + dest->is_kmac = src->is_kmac; + } + return dest; + + err: + kbkdf_free(dest); + return NULL; +} + /* SP800-108 section 5.1 or section 5.2 depending on mode. */ static int derive(EVP_MAC_CTX *ctx_init, kbkdf_mode mode, unsigned char *iv, size_t iv_len, unsigned char *label, size_t label_len, unsigned char *context, size_t context_len, unsigned char *k_i, size_t h, uint32_t l, int has_separator, - unsigned char *ko, size_t ko_len) + unsigned char *ko, size_t ko_len, int r) { int ret = 0; EVP_MAC_CTX *ctx = NULL; 
@@ -186,7 +222,7 @@ static int derive(EVP_MAC_CTX *ctx_init, kbkdf_mode mode, unsigned char *iv, if (mode == FEEDBACK && !EVP_MAC_update(ctx, k_i, k_i_len)) goto done; - if (!EVP_MAC_update(ctx, (unsigned char *)&i, 4) + if (!EVP_MAC_update(ctx, 4 - (r / 8) + (unsigned char *)&i, r / 8) || !EVP_MAC_update(ctx, label, label_len) || (has_separator && !EVP_MAC_update(ctx, &zero, 1)) || !EVP_MAC_update(ctx, context, context_len) @@ -209,6 +245,31 @@ static int derive(EVP_MAC_CTX *ctx_init, kbkdf_mode mode, unsigned char *iv, return ret; } +/* This must be run before the key is set */ +static int kmac_init(EVP_MAC_CTX *ctx, const unsigned char *custom, size_t customlen) +{ + OSSL_PARAM params[2]; + + if (custom == NULL || customlen == 0) + return 1; + params[0] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_CUSTOM, + (void *)custom, customlen); + params[1] = OSSL_PARAM_construct_end(); + return EVP_MAC_CTX_set_params(ctx, params) > 0; +} + +static int kmac_derive(EVP_MAC_CTX *ctx, unsigned char *out, size_t outlen, + const unsigned char *context, size_t contextlen) +{ + OSSL_PARAM params[2]; + + params[0] = OSSL_PARAM_construct_size_t(OSSL_MAC_PARAM_SIZE, &outlen); + params[1] = OSSL_PARAM_construct_end(); + return EVP_MAC_CTX_set_params(ctx, params) > 0 + && EVP_MAC_update(ctx, context, contextlen) + && EVP_MAC_final(ctx, out, NULL, outlen); +} + static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, const OSSL_PARAM params[]) { @@ -217,6 +278,7 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, unsigned char *k_i = NULL; uint32_t l = 0; size_t h = 0; + uint64_t counter_max; if (!ossl_prov_is_running() || !kbkdf_set_ctx_params(ctx, params)) return 0; 
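Review bot: The new counter encoding `EVP_MAC_update(ctx, 4 - (r / 8) + (unsigned char *)&i, r / 8)` only works because `i` holds a big-endian value (this file's `be32` helper), so skipping the leading `4 - r/8` bytes yields the low-order r bits; nothing at the call site says so, and a reader on a little-endian host will stop to verify it. A comment such as `/* i is big-endian; emit only its low r/8 bytes as the r-bit counter */` would make the pointer arithmetic self-explanatory. `derive` begins in the previous hunk and ends after this one. `kmac_init`'s `/* This must be run before the key is set */` would be more useful if it said why, assuming the reason is that `EVP_MAC_init` with the key consumes the customization string.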
@@ -240,14 +302,30 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, return 0; } + if (ctx->is_kmac) { + ret = kmac_derive(ctx->ctx_init, key, keylen, + ctx->context, ctx->context_len); + goto done; + } + h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init); if (h == 0) goto done; + if (ctx->iv_len != 0 && ctx->iv_len != h) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SEED_LENGTH); goto done; } + if (ctx->mode == COUNTER) { + /* Fail if keylen is too large for r */ + counter_max = (uint64_t)1 << (uint64_t)ctx->r; + if ((uint64_t)(keylen / h) >= counter_max) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); + goto done; + } + } + if (ctx->use_l != 0) l = be32(keylen * 8); @@ -257,7 +335,7 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, ret = derive(ctx->ctx_init, ctx->mode, ctx->iv, ctx->iv_len, ctx->label, ctx->label_len, ctx->context, ctx->context_len, k_i, h, l, - ctx->use_separator, key, keylen); + ctx->use_separator, key, keylen, ctx->r); done: if (ret != 1) OPENSSL_cleanse(key, keylen); 
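Review bot: The counter-overflow check in `kbkdf_derive` uses `keylen / h`, which rounds down, but the derive loop needs ceil(keylen / h) iterations when keylen is not a multiple of the MAC size, so a request of (2^r − 1)·h + 1 bytes passes the check while its last iteration uses counter 2^r, which the r-byte encoding truncates to 0. Rounding the block count up closes the gap: `if ((uint64_t)((keylen + h - 1) / h) >= counter_max) {`. SP 800-108 bounds the counter at 2^r − 1, so comparing `>=` against `1 << r` is right once the count is rounded up; for r = 32 the case is unreachable in practice, but for r = 8 it is a few kilobytes of output. `h == 0` is already rejected above, so the division is safe; `kbkdf_derive` starts before this hunk and ends after it.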
@@ -288,13 +366,19 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) if (!ossl_prov_macctx_load_from_params(&ctx->ctx_init, params, NULL, NULL, NULL, libctx)) return 0; - else if (ctx->ctx_init != NULL - && !EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), - OSSL_MAC_NAME_HMAC) - && !EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), - OSSL_MAC_NAME_CMAC)) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MAC); - return 0; + else if (ctx->ctx_init != NULL) { + if (EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), + OSSL_MAC_NAME_KMAC128) + || EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), + OSSL_MAC_NAME_KMAC256)) { + ctx->is_kmac = 1; + } else if (!EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), + OSSL_MAC_NAME_HMAC) + && !EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), + OSSL_MAC_NAME_CMAC)) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MAC); + return 0; + } } p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE); @@ -329,14 +413,27 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->use_l)) return 0; + p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KBKDF_R); + if (p != NULL) { + int new_r = 0; + + if (!OSSL_PARAM_get_int(p, &new_r)) + return 0; + if (new_r != 8 && new_r != 16 && new_r != 24 && new_r != 32) + return 0; + ctx->r = new_r; + } + p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR); if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->use_separator)) return 0; /* Set up digest context, if we can. */ - if (ctx->ctx_init != NULL && ctx->ki_len != 0 - && !EVP_MAC_init(ctx->ctx_init, ctx->ki, ctx->ki_len, NULL)) + if (ctx->ctx_init != NULL && ctx->ki_len != 0) { + if ((ctx->is_kmac && !kmac_init(ctx->ctx_init, ctx->label, ctx->label_len)) + || !EVP_MAC_init(ctx->ctx_init, ctx->ki, ctx->ki_len, NULL)) return 0; + } return 1; } 
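Review bot: `ctx->is_kmac` is set to 1 when a KMAC is loaded but is never cleared afterwards, so a context first configured with KMAC and then re-parameterised with HMAC or CMAC keeps `is_kmac = 1` and `kbkdf_derive` takes the KMAC path with a non-KMAC context; adding `ctx->is_kmac = 0;` in the `else if` branch (or computing the flag unconditionally from the two `EVP_MAC_is_a` calls) fixes that. The new `OSSL_KDF_PARAM_KBKDF_R` validation returns 0 for a value other than 8/16/24/32 without raising an error, unlike the `PROV_R_INVALID_MAC` path just above, so callers get a bare failure; raising an error there with an appropriate reason code would be consistent. `kbkdf_set_ctx_params` begins before this hunk.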
@@ -355,6 +452,7 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx, OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), OSSL_PARAM_int(OSSL_KDF_PARAM_KBKDF_USE_L, NULL), OSSL_PARAM_int(OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR, NULL), + OSSL_PARAM_int(OSSL_KDF_PARAM_KBKDF_R, NULL), OSSL_PARAM_END, }; return known_settable_ctx_params; @@ -382,6 +480,7 @@ static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx, const OSSL_DISPATCH ossl_kdf_kbkdf_functions[] = { { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kbkdf_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kbkdf_dup }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kbkdf_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))kbkdf_reset }, { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kbkdf_derive }, diff --git a/providers/implementations/kdfs/krb5kdf.c b/providers/implementations/kdfs/krb5kdf.c index 8516a3f82..0ad59734f 100644 --- a/providers/implementations/kdfs/krb5kdf.c +++ b/providers/implementations/kdfs/krb5kdf.c @@ -34,6 +34,7 @@ /* KRB5 KDF defined in RFC 3961, Section 5.1 */ static OSSL_FUNC_kdf_newctx_fn krb5kdf_new; +static OSSL_FUNC_kdf_dupctx_fn krb5kdf_dup; static OSSL_FUNC_kdf_freectx_fn krb5kdf_free; static OSSL_FUNC_kdf_reset_fn krb5kdf_reset; static OSSL_FUNC_kdf_derive_fn krb5kdf_derive; 
@@ -102,6 +103,27 @@ static int krb5kdf_set_membuf(unsigned char **dst, size_t *dst_len, return OSSL_PARAM_get_octet_string(p, (void **)dst, 0, dst_len); } +static void *krb5kdf_dup(void *vctx) +{ + const KRB5KDF_CTX *src = (const KRB5KDF_CTX *)vctx; + KRB5KDF_CTX *dest; + + dest = krb5kdf_new(src->provctx); + if (dest != NULL) { + if (!ossl_prov_memdup(src->key, src->key_len, + &dest->key, &dest->key_len) + || !ossl_prov_memdup(src->constant, src->constant_len, + &dest->constant , &dest->constant_len) + || !ossl_prov_cipher_copy(&dest->cipher, &src->cipher)) + goto err; + } + return dest; + + err: + krb5kdf_free(dest); + return NULL; +} + static int krb5kdf_derive(void *vctx, unsigned char *key, size_t keylen, const OSSL_PARAM params[]) { @@ -198,6 +220,7 @@ static const OSSL_PARAM *krb5kdf_gettable_ctx_params(ossl_unused void *ctx, const OSSL_DISPATCH ossl_kdf_krb5kdf_functions[] = { { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))krb5kdf_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))krb5kdf_dup }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))krb5kdf_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))krb5kdf_reset }, { OSSL_FUNC_KDF_DERIVE, (void(*)(void))krb5kdf_derive }, diff --git a/providers/implementations/kdfs/pbkdf1.c b/providers/implementations/kdfs/pbkdf1.c index 1a042bac9..ff51074c4 100644 --- a/providers/implementations/kdfs/pbkdf1.c +++ b/providers/implementations/kdfs/pbkdf1.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -24,6 +24,7 @@ #include "prov/provider_util.h" static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf1_new; +static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf1_dup; static OSSL_FUNC_kdf_freectx_fn kdf_pbkdf1_free; static OSSL_FUNC_kdf_reset_fn kdf_pbkdf1_reset; static OSSL_FUNC_kdf_derive_fn kdf_pbkdf1_derive; @@ -130,6 +131,28 @@ static void kdf_pbkdf1_reset(void *vctx) ctx->provctx = provctx; } +static void *kdf_pbkdf1_dup(void *vctx) +{ + const KDF_PBKDF1 *src = (const KDF_PBKDF1 *)vctx; + KDF_PBKDF1 *dest; + + dest = kdf_pbkdf1_new(src->provctx); + if (dest != NULL) { + if (!ossl_prov_memdup(src->salt, src->salt_len, + &dest->salt, &dest->salt_len) + || !ossl_prov_memdup(src->pass, src->pass_len, + &dest->pass , &dest->pass_len) + || !ossl_prov_digest_copy(&dest->digest, &src->digest)) + goto err; + dest->iter = src->iter; + } + return dest; + + err: + kdf_pbkdf1_free(dest); + return NULL; +} + static int kdf_pbkdf1_set_membuf(unsigned char **buffer, size_t *buflen, const OSSL_PARAM *p) { @@ -231,6 +254,7 @@ static const OSSL_PARAM *kdf_pbkdf1_gettable_ctx_params(ossl_unused void *ctx, const OSSL_DISPATCH ossl_kdf_pbkdf1_functions[] = { { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_pbkdf1_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_pbkdf1_dup }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_pbkdf1_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_pbkdf1_reset }, { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_pbkdf1_derive }, diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c index 2a0ae63ac..5c3e7b95c 100644 --- a/providers/implementations/kdfs/pbkdf2.c +++ b/providers/implementations/kdfs/pbkdf2.c @@ -1,5 +1,5 @@ /* - * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -37,6 +37,7 @@ #define KDF_PBKDF2_MIN_SALT_LEN (128 / 8) static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new; +static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup; static OSSL_FUNC_kdf_freectx_fn kdf_pbkdf2_free; static OSSL_FUNC_kdf_reset_fn kdf_pbkdf2_reset; static OSSL_FUNC_kdf_derive_fn kdf_pbkdf2_derive; @@ -45,10 +46,10 @@ static OSSL_FUNC_kdf_set_ctx_params_fn kdf_pbkdf2_set_ctx_params; static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_pbkdf2_gettable_ctx_params; static OSSL_FUNC_kdf_get_ctx_params_fn kdf_pbkdf2_get_ctx_params; -static int pbkdf2_derive(const char *pass, size_t passlen, - const unsigned char *salt, int saltlen, uint64_t iter, - const EVP_MD *digest, unsigned char *key, - size_t keylen, int extra_checks); +static int pbkdf2_derive(const char *pass, size_t passlen, + const unsigned char *salt, int saltlen, uint64_t iter, + const EVP_MD *digest, unsigned char *key, + size_t keylen, int extra_checks); typedef struct { void *provctx; @@ -63,7 +64,7 @@ typedef struct { static void kdf_pbkdf2_init(KDF_PBKDF2 *ctx); -static void *kdf_pbkdf2_new(void *provctx) +static void *kdf_pbkdf2_new_no_init(void *provctx) { KDF_PBKDF2 *ctx; @@ -76,7 +77,15 @@ static void *kdf_pbkdf2_new(void *provctx) return NULL; } ctx->provctx = provctx; - kdf_pbkdf2_init(ctx); + return ctx; +} + +static void *kdf_pbkdf2_new(void *provctx) +{ + KDF_PBKDF2 *ctx = kdf_pbkdf2_new_no_init(provctx); + + if (ctx != NULL) + kdf_pbkdf2_init(ctx); return ctx; } 
@@ -108,6 +117,30 @@ static void kdf_pbkdf2_reset(void *vctx) kdf_pbkdf2_init(ctx); } +static void *kdf_pbkdf2_dup(void *vctx) +{ + const KDF_PBKDF2 *src = (const KDF_PBKDF2 *)vctx; + KDF_PBKDF2 *dest; + + /* We need a new PBKDF2 object but uninitialised since we're filling it */ + dest = kdf_pbkdf2_new_no_init(src->provctx); + if (dest != NULL) { + if (!ossl_prov_memdup(src->salt, src->salt_len, + &dest->salt, &dest->salt_len) + || !ossl_prov_memdup(src->pass, src->pass_len, + &dest->pass, &dest->pass_len) + || !ossl_prov_digest_copy(&dest->digest, &src->digest)) + goto err; + dest->iter = src->iter; + dest->lower_bound_checks = src->lower_bound_checks; + } + return dest; + + err: + kdf_pbkdf2_free(dest); + return NULL; +} + static void kdf_pbkdf2_init(KDF_PBKDF2 *ctx) { OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; @@ -249,6 +282,7 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx, const OSSL_DISPATCH ossl_kdf_pbkdf2_functions[] = { { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_pbkdf2_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_pbkdf2_dup }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_pbkdf2_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_pbkdf2_reset }, { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_pbkdf2_derive }, diff --git a/providers/implementations/kdfs/pkcs12kdf.c b/providers/implementations/kdfs/pkcs12kdf.c index 3218daa78..5e0e0614d 100644 --- a/providers/implementations/kdfs/pkcs12kdf.c +++ b/providers/implementations/kdfs/pkcs12kdf.c @@ -1,5 +1,5 @@ /* - * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -24,6 +24,7 @@ #include "prov/provider_util.h" static OSSL_FUNC_kdf_newctx_fn kdf_pkcs12_new; +static OSSL_FUNC_kdf_dupctx_fn kdf_pkcs12_dup; static OSSL_FUNC_kdf_freectx_fn kdf_pkcs12_free; static OSSL_FUNC_kdf_reset_fn kdf_pkcs12_reset; static OSSL_FUNC_kdf_derive_fn kdf_pkcs12_derive; @@ -178,6 +179,29 @@ static void kdf_pkcs12_reset(void *vctx) ctx->provctx = provctx; } +static void *kdf_pkcs12_dup(void *vctx) +{ + const KDF_PKCS12 *src = (const KDF_PKCS12 *)vctx; + KDF_PKCS12 *dest; + + dest = kdf_pkcs12_new(src->provctx); + if (dest != NULL) { + if (!ossl_prov_memdup(src->salt, src->salt_len, + &dest->salt, &dest->salt_len) + || !ossl_prov_memdup(src->pass, src->pass_len, + &dest->pass , &dest->pass_len) + || !ossl_prov_digest_copy(&dest->digest, &src->digest)) + goto err; + dest->iter = src->iter; + dest->id = src->id; + } + return dest; + + err: + kdf_pkcs12_free(dest); + return NULL; +} + static int pkcs12kdf_set_membuf(unsigned char **buffer, size_t *buflen, const OSSL_PARAM *p) { @@ -287,6 +311,7 @@ static const OSSL_PARAM *kdf_pkcs12_gettable_ctx_params( const OSSL_DISPATCH ossl_kdf_pkcs12_functions[] = { { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_pkcs12_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_pkcs12_dup }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_pkcs12_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_pkcs12_reset }, { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_pkcs12_derive }, diff --git a/providers/implementations/kdfs/scrypt.c b/providers/implementations/kdfs/scrypt.c index a7072f785..e914eef99 100644 --- a/providers/implementations/kdfs/scrypt.c +++ b/providers/implementations/kdfs/scrypt.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -20,11 +20,12 @@ #include "prov/implementations.h" #include "prov/provider_ctx.h" #include "prov/providercommon.h" -#include "prov/implementations.h" +#include "prov/provider_util.h" #ifndef OPENSSL_NO_SCRYPT static OSSL_FUNC_kdf_newctx_fn kdf_scrypt_new; +static OSSL_FUNC_kdf_dupctx_fn kdf_scrypt_dup; static OSSL_FUNC_kdf_freectx_fn kdf_scrypt_free; static OSSL_FUNC_kdf_reset_fn kdf_scrypt_reset; static OSSL_FUNC_kdf_derive_fn kdf_scrypt_derive; @@ -54,7 +55,7 @@ typedef struct { static void kdf_scrypt_init(KDF_SCRYPT *ctx); -static void *kdf_scrypt_new(void *provctx) +static void *kdf_scrypt_new_inner(OSSL_LIB_CTX *libctx) { KDF_SCRYPT *ctx; @@ -66,11 +67,16 @@ static void *kdf_scrypt_new(void *provctx) ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return NULL; } - ctx->libctx = PROV_LIBCTX_OF(provctx); + ctx->libctx = libctx; kdf_scrypt_init(ctx); return ctx; } +static void *kdf_scrypt_new(void *provctx) +{ + return kdf_scrypt_new_inner(PROV_LIBCTX_OF(provctx)); +} + static void kdf_scrypt_free(void *vctx) { KDF_SCRYPT *ctx = (KDF_SCRYPT *)vctx; 
@@ -92,6 +98,38 @@ static void kdf_scrypt_reset(void *vctx) kdf_scrypt_init(ctx); } +static void *kdf_scrypt_dup(void *vctx) +{ + const KDF_SCRYPT *src = (const KDF_SCRYPT *)vctx; + KDF_SCRYPT *dest; + + dest = kdf_scrypt_new_inner(src->libctx); + if (dest != NULL) { + if (src->sha256 != NULL && !EVP_MD_up_ref(src->sha256)) + goto err; + if (src->propq != NULL) { + dest->propq = OPENSSL_strdup(src->propq); + if (dest->propq == NULL) + goto err; + } + if (!ossl_prov_memdup(src->salt, src->salt_len, + &dest->salt, &dest->salt_len) + || !ossl_prov_memdup(src->pass, src->pass_len, + &dest->pass , &dest->pass_len)) + goto err; + dest->N = src->N; + dest->r = src->r; + dest->p = src->p; + dest->maxmem_bytes = src->maxmem_bytes; + dest->sha256 = src->sha256; + } + return dest; + + err: + kdf_scrypt_free(dest); + return NULL; +} + static void kdf_scrypt_init(KDF_SCRYPT *ctx) { /* Default values are the most conservative recommendation given in the @@ -275,6 +313,7 @@ static const OSSL_PARAM *kdf_scrypt_gettable_ctx_params(ossl_unused void *ctx, const OSSL_DISPATCH ossl_kdf_scrypt_functions[] = { { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_scrypt_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_scrypt_dup }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_scrypt_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_scrypt_reset }, { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_scrypt_derive }, diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c index c592ba72f..1afac4e47 100644 --- a/providers/implementations/kdfs/sshkdf.c +++ b/providers/implementations/kdfs/sshkdf.c @@ -24,6 +24,7 @@ /* See RFC 4253, Section 7.2 */ static OSSL_FUNC_kdf_newctx_fn kdf_sshkdf_new; +static OSSL_FUNC_kdf_dupctx_fn kdf_sshkdf_dup; static OSSL_FUNC_kdf_freectx_fn kdf_sshkdf_free; static OSSL_FUNC_kdf_reset_fn kdf_sshkdf_reset; static OSSL_FUNC_kdf_derive_fn kdf_sshkdf_derive; 
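Review bot: The reference taken by `EVP_MD_up_ref(src->sha256)` at the top of kdf_scrypt_dup is not stored into dest until the last statement of the block, so any `goto err` in between (the propq OPENSSL_strdup failure or either ossl_prov_memdup failure) runs kdf_scrypt_free(dest) while dest->sha256 is still NULL and the extra reference is never released — a refcount leak on the EVP_MD on those error paths. Store the pointer the moment the reference is taken: `if (src->sha256 != NULL && !EVP_MD_up_ref(src->sha256)) goto err;` followed immediately by `dest->sha256 = src->sha256;`, and drop the trailing `dest->sha256 = src->sha256;` assignment. This relies on kdf_scrypt_free releasing dest->sha256, which is outside this hunk.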
@@ -87,6 +88,30 @@ static void kdf_sshkdf_reset(void *vctx) ctx->provctx = provctx; } +static void *kdf_sshkdf_dup(void *vctx) +{ + const KDF_SSHKDF *src = (const KDF_SSHKDF *)vctx; + KDF_SSHKDF *dest; + + dest = kdf_sshkdf_new(src->provctx); + if (dest != NULL) { + if (!ossl_prov_memdup(src->key, src->key_len, + &dest->key, &dest->key_len) + || !ossl_prov_memdup(src->xcghash, src->xcghash_len, + &dest->xcghash , &dest->xcghash_len) + || !ossl_prov_memdup(src->session_id, src->session_id_len, + &dest->session_id , &dest->session_id_len) + || !ossl_prov_digest_copy(&dest->digest, &src->digest)) + goto err; + dest->type = src->type; + } + return dest; + + err: + kdf_sshkdf_free(dest); + return NULL; +} + static int sshkdf_set_membuf(unsigned char **dst, size_t *dst_len, const OSSL_PARAM *p) { @@ -212,6 +237,7 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, const OSSL_DISPATCH ossl_kdf_sshkdf_functions[] = { { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_sshkdf_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_sshkdf_dup }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_sshkdf_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_sshkdf_reset }, { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_sshkdf_derive }, diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c index eb54972e1..ecb98de6f 100644 --- a/providers/implementations/kdfs/sskdf.c +++ b/providers/implementations/kdfs/sskdf.c @@ -73,6 +73,7 @@ typedef struct { static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 }; static OSSL_FUNC_kdf_newctx_fn sskdf_new; +static OSSL_FUNC_kdf_dupctx_fn sskdf_dup; static OSSL_FUNC_kdf_freectx_fn sskdf_free; static OSSL_FUNC_kdf_reset_fn sskdf_reset; static OSSL_FUNC_kdf_derive_fn sskdf_derive; 
@@ -320,6 +321,36 @@ static void sskdf_free(void *vctx) } } +static void *sskdf_dup(void *vctx) +{ + const KDF_SSKDF *src = (const KDF_SSKDF *)vctx; + KDF_SSKDF *dest; + + dest = sskdf_new(src->provctx); + if (dest != NULL) { + if (src->macctx != NULL) { + dest->macctx = EVP_MAC_CTX_dup(src->macctx); + if (dest->macctx == NULL) + goto err; + } + if (!ossl_prov_memdup(src->info, src->info_len, + &dest->info, &dest->info_len) + || !ossl_prov_memdup(src->salt, src->salt_len, + &dest->salt , &dest->salt_len) + || !ossl_prov_memdup(src->secret, src->secret_len, + &dest->secret, &dest->secret_len) + || !ossl_prov_digest_copy(&dest->digest, &src->digest)) + goto err; + dest->out_len = src->out_len; + dest->is_kmac = src->is_kmac; + } + return dest; + + err: + sskdf_free(dest); + return NULL; +} + static int sskdf_set_buffer(unsigned char **out, size_t *out_len, const OSSL_PARAM *p) { @@ -532,6 +563,7 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = { { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset }, { OSSL_FUNC_KDF_DERIVE, (void(*)(void))sskdf_derive }, @@ -546,6 +578,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = { const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = { { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset }, { OSSL_FUNC_KDF_DERIVE, (void(*)(void))x963kdf_derive }, diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c index a4d64b935..54124ad4c 100644 --- a/providers/implementations/kdfs/tls1_prf.c +++ b/providers/implementations/kdfs/tls1_prf.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -45,6 +45,13 @@ * A(0) = seed * A(i) = HMAC_(secret, A(i-1)) */ + +/* + * Low level APIs (such as DH) are deprecated for public use, but still ok for + * internal use. + */ +#include "internal/deprecated.h" + #include #include #include @@ -60,9 +67,11 @@ #include "prov/providercommon.h" #include "prov/implementations.h" #include "prov/provider_util.h" -#include "e_os.h" +#include "prov/securitycheck.h" +#include "internal/e_os.h" static OSSL_FUNC_kdf_newctx_fn kdf_tls1_prf_new; +static OSSL_FUNC_kdf_dupctx_fn kdf_tls1_prf_dup; static OSSL_FUNC_kdf_freectx_fn kdf_tls1_prf_free; static OSSL_FUNC_kdf_reset_fn kdf_tls1_prf_reset; static OSSL_FUNC_kdf_derive_fn kdf_tls1_prf_derive; @@ -77,6 +86,8 @@ static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx, unsigned char *out, size_t olen); #define TLS1_PRF_MAXBUF 1024 +#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" +#define TLS_MD_MASTER_SECRET_CONST_SIZE 13 /* TLS KDF kdf context structure */ typedef struct { 
@@ -133,10 +144,36 @@ static void kdf_tls1_prf_reset(void *vctx) ctx->provctx = provctx; } +static void *kdf_tls1_prf_dup(void *vctx) +{ + const TLS1_PRF *src = (const TLS1_PRF *)vctx; + TLS1_PRF *dest; + + dest = kdf_tls1_prf_new(src->provctx); + if (dest != NULL) { + if (src->P_hash != NULL + && (dest->P_hash = EVP_MAC_CTX_dup(src->P_hash)) == NULL) + goto err; + if (src->P_sha1 != NULL + && (dest->P_sha1 = EVP_MAC_CTX_dup(src->P_sha1)) == NULL) + goto err; + if (!ossl_prov_memdup(src->sec, src->seclen, &dest->sec, &dest->seclen)) + goto err; + memcpy(dest->seed, src->seed, src->seedlen); + dest->seedlen = src->seedlen; + } + return dest; + + err: + kdf_tls1_prf_free(dest); + return NULL; +} + static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, const OSSL_PARAM params[]) { TLS1_PRF *ctx = (TLS1_PRF *)vctx; + OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); if (!ossl_prov_is_running() || !kdf_tls1_prf_set_ctx_params(ctx, params)) return 0; @@ -158,6 +195,21 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, return 0; } + /* + * The seed buffer is prepended with a label. + * If EMS mode is enforced then the label "master secret" is not allowed, + * We do the check this way since the PRF is used for other purposes, as well + * as "extended master secret". + */ + if (ossl_tls1_prf_ems_check_enabled(libctx)) { + if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE + && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST, + TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) { + ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED); + return 0; + } + } + return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, ctx->sec, ctx->seclen, ctx->seed, ctx->seedlen, 
@@ -250,6 +302,7 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( const OSSL_DISPATCH ossl_kdf_tls1_prf_functions[] = { { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_prf_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_tls1_prf_dup }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_tls1_prf_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_tls1_prf_reset }, { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_prf_derive }, diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c index b1bc6f7e1..4c274fe27 100644 --- a/providers/implementations/kdfs/x942kdf.c +++ b/providers/implementations/kdfs/x942kdf.c @@ -8,7 +8,7 @@ * https://www.openssl.org/source/license.html */ -#include "e_os.h" +#include "internal/e_os.h" #include #include #include @@ -17,6 +17,7 @@ #include #include "internal/packet.h" #include "internal/der.h" +#include "internal/nelem.h" #include "prov/provider_ctx.h" #include "prov/providercommon.h" #include "prov/implementations.h" @@ -26,6 +27,7 @@ #define X942KDF_MAX_INLEN (1 << 30) static OSSL_FUNC_kdf_newctx_fn x942kdf_new; +static OSSL_FUNC_kdf_dupctx_fn x942kdf_dup; static OSSL_FUNC_kdf_freectx_fn x942kdf_free; static OSSL_FUNC_kdf_reset_fn x942kdf_reset; static OSSL_FUNC_kdf_derive_fn x942kdf_derive; @@ -169,7 +171,7 @@ static int der_encode_sharedinfo(WPACKET *pkt, unsigned char *buf, size_t buflen * |cek_oidlen| The length (in bytes) of the key wrapping algorithm oid, * |acvp| is the optional blob of DER data representing one or more of the * OtherInfo fields related to |partyu|, |partyv|, |supp_pub| and |supp_priv|. - * This field should noramlly be NULL. If |acvp| is non NULL then |partyu|, + * This field should normally be NULL. If |acvp| is non NULL then |partyu|, * |partyv|, |supp_pub| and |supp_priv| should all be NULL. * |acvp_len| is the |acvp| length (in bytes). * |partyu| is the optional public info contributed by the initiator. 
@@ -370,6 +372,41 @@ static void x942kdf_free(void *vctx) } } +static void *x942kdf_dup(void *vctx) +{ + const KDF_X942 *src = (const KDF_X942 *)vctx; + KDF_X942 *dest; + + dest = x942kdf_new(src->provctx); + if (dest != NULL) { + if (!ossl_prov_memdup(src->secret, src->secret_len, + &dest->secret , &dest->secret_len) + || !ossl_prov_memdup(src->acvpinfo, src->acvpinfo_len, + &dest->acvpinfo , &dest->acvpinfo_len) + || !ossl_prov_memdup(src->partyuinfo, src->partyuinfo_len, + &dest->partyuinfo , &dest->partyuinfo_len) + || !ossl_prov_memdup(src->partyvinfo, src->partyvinfo_len, + &dest->partyvinfo , &dest->partyvinfo_len) + || !ossl_prov_memdup(src->supp_pubinfo, src->supp_pubinfo_len, + &dest->supp_pubinfo, + &dest->supp_pubinfo_len) + || !ossl_prov_memdup(src->supp_privinfo, src->supp_privinfo_len, + &dest->supp_privinfo, + &dest->supp_privinfo_len) + || !ossl_prov_digest_copy(&dest->digest, &src->digest)) + goto err; + dest->cek_oid = src->cek_oid; + dest->cek_oid_len = src->cek_oid_len; + dest->dkm_len = src->dkm_len; + dest->use_keybits = src->use_keybits; + } + return dest; + + err: + x942kdf_free(dest); + return NULL; +} + static int x942kdf_set_buffer(unsigned char **out, size_t *out_len, const OSSL_PARAM *p) { @@ -581,6 +618,7 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, const OSSL_DISPATCH ossl_kdf_x942_kdf_functions[] = { { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x942kdf_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))x942kdf_dup }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))x942kdf_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))x942kdf_reset }, { OSSL_FUNC_KDF_DERIVE, (void(*)(void))x942kdf_derive }, diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c index 882cf1612..365ae3d7d 100644 --- a/providers/implementations/kem/rsa_kem.c +++ b/providers/implementations/kem/rsa_kem.c 
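Review bot: `dest->cek_oid = src->cek_oid;` copies a bare pointer while every other buffer in x942kdf_dup is deep-copied through ossl_prov_memdup, and nothing in the hunk says why the OID is exempt. Presumably cek_oid points into a static OID table selected in set_ctx_params (not visible here, though the new `internal/nelem.h` include hints at a table lookup), in which case the shallow copy is correct but should be stated so the next maintainer neither "fixes" it nor later makes cek_oid heap-owned without updating dup/free together. Suggested comment above that line: `/* cek_oid refers to static DER data that is never freed; a pointer copy suffices */`, to be confirmed against the setter.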
@@ -23,6 +23,7 @@ #include #include "crypto/rsa.h" #include +#include "internal/nelem.h" #include "prov/provider_ctx.h" #include "prov/implementations.h" #include "prov/securitycheck.h" diff --git a/providers/implementations/keymgmt/kdf_legacy_kmgmt.c b/providers/implementations/keymgmt/kdf_legacy_kmgmt.c index 0b301c333..57fc7b5af 100644 --- a/providers/implementations/keymgmt/kdf_legacy_kmgmt.c +++ b/providers/implementations/keymgmt/kdf_legacy_kmgmt.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -69,7 +69,7 @@ int ossl_kdf_data_up_ref(KDF_DATA *kdfdata) /* This is effectively doing a new operation on the KDF_DATA and should be * adequately guarded again modules' error states. However, both current - * calls here are guarded propery in exchange/kdf_exch.c. Thus, it + * calls here are guarded properly in exchange/kdf_exch.c. Thus, it * could be removed here. The concern is that something in the future * might call this function without adequate guards. It's a cheap call, * it seems best to leave it even though it is currently redundant. diff --git a/providers/implementations/keymgmt/mac_legacy_kmgmt.c b/providers/implementations/keymgmt/mac_legacy_kmgmt.c index c934ff164..fd1928930 100644 --- a/providers/implementations/keymgmt/mac_legacy_kmgmt.c +++ b/providers/implementations/keymgmt/mac_legacy_kmgmt.c 
@@ -108,7 +108,7 @@ int ossl_mac_key_up_ref(MAC_KEY *mackey) /* This is effectively doing a new operation on the MAC_KEY and should be * adequately guarded again modules' error states. However, both current - * calls here are guarded propery in signature/mac_legacy.c. Thus, it + * calls here are guarded properly in signature/mac_legacy.c. Thus, it * could be removed here. The concern is that something in the future * might call this function without adequate guards. It's a cheap call, * it seems best to leave it even though it is currently redundant. diff --git a/providers/implementations/macs/cmac_prov.c b/providers/implementations/macs/cmac_prov.c index 96da429e8..fc9f911be 100644 --- a/providers/implementations/macs/cmac_prov.c +++ b/providers/implementations/macs/cmac_prov.c @@ -18,6 +18,8 @@ #include #include #include +#include +#include #include "prov/implementations.h" #include "prov/provider_ctx.h" @@ -195,8 +197,16 @@ static int cmac_set_ctx_params(void *vmacctx, const OSSL_PARAM params[]) if (params == NULL) return 1; - if (!ossl_prov_cipher_load_from_params(&macctx->cipher, params, ctx)) - return 0; + if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_CIPHER)) != NULL) { + if (!ossl_prov_cipher_load_from_params(&macctx->cipher, params, ctx)) + return 0; + + if (EVP_CIPHER_get_mode(ossl_prov_cipher_cipher(&macctx->cipher)) + != EVP_CIPH_CBC_MODE) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_MODE); + return 0; + } + } if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL) { if (p->data_type != OSSL_PARAM_OCTET_STRING) diff --git a/providers/implementations/macs/kmac_prov.c b/providers/implementations/macs/kmac_prov.c index b2f85398b..b93975b57 100644 --- a/providers/implementations/macs/kmac_prov.c +++ b/providers/implementations/macs/kmac_prov.c 
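Review bot: The new CBC-mode gate in cmac_set_ctx_params is undocumented and dereferences whatever ossl_prov_cipher_cipher() returns without a NULL guard; if ossl_prov_cipher_load_from_params can return 1 while leaving the cipher unset (its contract is outside this hunk), EVP_CIPHER_get_mode(NULL) is reached. Suggest `const EVP_CIPHER *cipher = ossl_prov_cipher_cipher(&macctx->cipher);` followed by `if (cipher == NULL || EVP_CIPHER_get_mode(cipher) != EVP_CIPH_CBC_MODE) {`, with a comment above stating the rationale: `/* CMAC (SP 800-38B) is defined over CBC chaining of a raw block cipher; other cipher modes are rejected rather than producing a non-CMAC tag */`. cmac_set_ctx_params continues past this hunk.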
@@ -1,5 +1,5 @@ /* - * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/providers/implementations/rands/crngt.c b/providers/implementations/rands/crngt.c index 4095994bd..fa4a2db14 100644 --- a/providers/implementations/rands/crngt.c +++ b/providers/implementations/rands/crngt.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -23,6 +23,7 @@ #include "crypto/rand_pool.h" #include "drbg_local.h" #include "prov/seeding.h" +#include "crypto/context.h" typedef struct crng_test_global_st { unsigned char crngt_prev[EVP_MAX_MD_SIZE]; @@ -52,7 +53,7 @@ static int crngt_get_entropy(PROV_CTX *provctx, const EVP_MD *digest, return 0; } -static void rand_crng_ossl_ctx_free(void *vcrngt_glob) +void ossl_rand_crng_ctx_free(void *vcrngt_glob) { CRNG_TEST_GLOBAL *crngt_glob = vcrngt_glob; @@ -61,7 +62,7 @@ static void rand_crng_ossl_ctx_free(void *vcrngt_glob) OPENSSL_free(crngt_glob); } -static void *rand_crng_ossl_ctx_new(OSSL_LIB_CTX *ctx) +void *ossl_rand_crng_ctx_new(OSSL_LIB_CTX *ctx) { CRNG_TEST_GLOBAL *crngt_glob = OPENSSL_zalloc(sizeof(*crngt_glob)); @@ -82,12 +83,6 @@ static void *rand_crng_ossl_ctx_new(OSSL_LIB_CTX *ctx) return crngt_glob; } -static const OSSL_LIB_CTX_METHOD rand_crng_ossl_ctx_method = { - OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, - rand_crng_ossl_ctx_new, - rand_crng_ossl_ctx_free, -}; - static int prov_crngt_compare_previous(const unsigned char *prev, const unsigned char *cur, size_t sz) 
@@ -113,8 +108,7 @@ size_t ossl_crngt_get_entropy(PROV_DRBG *drbg, int crng_test_pass = 1; OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(drbg->provctx); CRNG_TEST_GLOBAL *crngt_glob - = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_RAND_CRNGT_INDEX, - &rand_crng_ossl_ctx_method); + = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_RAND_CRNGT_INDEX); OSSL_CALLBACK *stcb = NULL; void *stcbarg = NULL; OSSL_SELF_TEST *st = NULL; diff --git a/providers/implementations/rands/drbg.c b/providers/implementations/rands/drbg.c index c8fe66aa5..007a181c8 100644 --- a/providers/implementations/rands/drbg.c +++ b/providers/implementations/rands/drbg.c @@ -21,6 +21,7 @@ #include "crypto/rand_pool.h" #include "prov/provider_ctx.h" #include "prov/providercommon.h" +#include "crypto/context.h" /* * Support framework for NIST SP 800-90A DRBG @@ -274,7 +275,7 @@ typedef struct prov_drbg_nonce_global_st { * to be in a different global data object. Otherwise we will go into an * infinite recursion loop. */ -static void *prov_drbg_nonce_ossl_ctx_new(OSSL_LIB_CTX *libctx) +void *ossl_prov_drbg_nonce_ctx_new(OSSL_LIB_CTX *libctx) { PROV_DRBG_NONCE_GLOBAL *dngbl = OPENSSL_zalloc(sizeof(*dngbl)); @@ -290,7 +291,7 @@ static void *prov_drbg_nonce_ossl_ctx_new(OSSL_LIB_CTX *libctx) return dngbl; } -static void prov_drbg_nonce_ossl_ctx_free(void *vdngbl) +void ossl_prov_drbg_nonce_ctx_free(void *vdngbl) { PROV_DRBG_NONCE_GLOBAL *dngbl = vdngbl; @@ -302,12 +303,6 @@ static void prov_drbg_nonce_ossl_ctx_free(void *vdngbl) OPENSSL_free(dngbl); } -static const OSSL_LIB_CTX_METHOD drbg_nonce_ossl_ctx_method = { - OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, - prov_drbg_nonce_ossl_ctx_new, - prov_drbg_nonce_ossl_ctx_free, -}; - /* Get a nonce from the operating system */ static size_t prov_drbg_get_nonce(PROV_DRBG *drbg, unsigned char **pout, size_t min_len, size_t max_len) 
@@ -316,8 +311,7 @@ static size_t prov_drbg_get_nonce(PROV_DRBG *drbg, unsigned char **pout, unsigned char *buf = NULL; OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(drbg->provctx); PROV_DRBG_NONCE_GLOBAL *dngbl - = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DRBG_NONCE_INDEX, - &drbg_nonce_ossl_ctx_method); + = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_DRBG_NONCE_INDEX); struct { void *drbg; int count; diff --git a/providers/implementations/rands/drbg_local.h b/providers/implementations/rands/drbg_local.h index 8bc5df89c..b43ef8a2b 100644 --- a/providers/implementations/rands/drbg_local.h +++ b/providers/implementations/rands/drbg_local.h @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -50,13 +50,8 @@ # define DRBG_MAX_LENGTH INT32_MAX /* The default nonce */ -#ifdef CHARSET_EBCDIC -# define DRBG_DEFAULT_PERS_STRING { 0x4f, 0x70, 0x65, 0x6e, 0x53, 0x53, \ - 0x4c, 0x20, 0x4e, 0x49, 0x53, 0x54, 0x20, 0x53, 0x50, 0x20, 0x38, 0x30, \ - 0x30, 0x2d, 0x39, 0x30, 0x41, 0x20, 0x44, 0x52, 0x42, 0x47, 0x00}; -#else -# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG" -#endif +/* ASCII: "OpenSSL NIST SP 800-90A DRBG", in hex for EBCDIC compatibility */ +#define DRBG_DEFAULT_PERS_STRING "\x4f\x70\x65\x6e\x53\x53\x4c\x20\x4e\x49\x53\x54\x20\x53\x50\x20\x38\x30\x30\x2d\x39\x30\x41\x20\x44\x52\x42\x47" typedef struct prov_drbg_st PROV_DRBG; diff --git a/providers/implementations/rands/seeding/build.info b/providers/implementations/rands/seeding/build.info index 2788146ad..9c5eefee2 100644 --- a/providers/implementations/rands/seeding/build.info +++ b/providers/implementations/rands/seeding/build.info 
@@ -1,10 +1,15 @@ -$COMMON=rand_unix.c rand_win.c rand_tsc.c rand_cpu_x86.c +$COMMON=rand_unix.c rand_win.c rand_tsc.c IF[{- $config{target} =~ /vxworks/i -}] $COMMON=$COMMON rand_vxworks.c ENDIF IF[{- $config{target} =~ /vms/i -}] $COMMON=$COMMON rand_vms.c ENDIF +IF[{- !$disabled{asm} && $config{target} =~ '.*aarch64' -}] + $COMMON=$COMMON rand_cpu_arm64.c +ELSE + $COMMON=$COMMON rand_cpu_x86.c +ENDIF SOURCE[../../../libdefault.a]=$COMMON diff --git a/providers/implementations/rands/seeding/rand_cpu_arm64.c b/providers/implementations/rands/seeding/rand_cpu_arm64.c new file mode 100644 index 000000000..778ec395c --- /dev/null +++ b/providers/implementations/rands/seeding/rand_cpu_arm64.c 
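Review bot: The new IF block in seeding/build.info selects rand_cpu_arm64.c only for targets whose name contains "aarch64" (`$config{target} =~ '.*aarch64'`), so a 64-bit Arm target spelled with "arm64" would fall into the ELSE branch and compile rand_cpu_x86.c instead, silently losing RNDRRS seeding on that target. If that is intended, a comment above the IF saying which targets are expected to match would help; otherwise the pattern should cover both spellings. The `!$disabled{asm}` half of the condition also deserves a one-line comment such as `# RNDRRS access lives in the arm64 assembly, so no-asm builds fall back`, presuming that is the reason.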
@@ -0,0 +1,67 @@
+/*
+ * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "internal/cryptlib.h"
+#include
+#include "crypto/rand_pool.h"
+#include "prov/seeding.h"
+
+
+#ifdef OPENSSL_RAND_SEED_RDCPU
+#include "crypto/arm_arch.h"
+
+size_t OPENSSL_rndrrs_bytes(unsigned char *buf, size_t len);
+
+static size_t get_hardware_random_value(unsigned char *buf, size_t len);
+
+/*
+ * Acquire entropy using Arm-specific cpu instructions
+ *
+ * Uses the RNDRRS instruction. RNDR is never needed since
+ * RNDRRS will always be available if RNDR is an available
+ * instruction.
+ *
+ * Returns the total entropy count, if it exceeds the requested
+ * entropy count. Otherwise, returns an entropy count of 0.
+ */
+size_t ossl_prov_acquire_entropy_from_cpu(RAND_POOL *pool)
+{
+ size_t bytes_needed;
+ unsigned char *buffer;
+
+ bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
+ if (bytes_needed > 0) {
+ buffer = ossl_rand_pool_add_begin(pool, bytes_needed);
+
+ if (buffer != NULL) {
+ if (get_hardware_random_value(buffer, bytes_needed) == bytes_needed)
+ ossl_rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed);
+ else
+ ossl_rand_pool_add_end(pool, 0, 0);
+ }
+ }
+
+ return ossl_rand_pool_entropy_available(pool);
+}
+
+static size_t get_hardware_random_value(unsigned char *buf, size_t len)
+{
+ /* Always use RNDRRS or nothing */
+ if (OPENSSL_armcap_P & ARMV8_RNG) {
+ if (OPENSSL_rndrrs_bytes(buf, len) != len)
+ return 0;
+ } else {
+ return 0;
+ }
+ return len;
+}
+
+#else
+NON_EMPTY_TRANSLATION_UNIT
+#endif /* OPENSSL_RAND_SEED_RDCPU */
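Review bot: ossl_prov_acquire_entropy_from_cpu credits the RNDRRS output as full entropy (`ossl_rand_pool_add_end(pool, bytes_needed, 8 * bytes_needed);`), but neither the header comment nor the call site says why one byte of output is worth eight bits, so a reader cannot tell whether the figure was chosen deliberately. Suggest a comment on that line along the lines of `/* RNDRRS is reseeded before every value, so its output is credited as full entropy (8 bits per byte) */`, adjusted to whatever justification the authors rely on. Separately, the prototype `size_t OPENSSL_rndrrs_bytes(unsigned char *buf, size_t len);` is declared locally in this .c file; if the function is defined in the arm64 assembly, the declaration belongs in a shared header so every caller sees the same signature. The forward declaration of get_hardware_random_value could be dropped by defining the helper above its only caller.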
diff --git a/providers/implementations/rands/seeding/rand_unix.c b/providers/implementations/rands/seeding/rand_unix.c index 750afca58..cd02a0236 100644 --- a/providers/implementations/rands/seeding/rand_unix.c +++ b/providers/implementations/rands/seeding/rand_unix.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -10,15 +10,15 @@ #ifndef _GNU_SOURCE # define _GNU_SOURCE #endif -#include "../e_os.h" +#include "internal/e_os.h" #include #include "internal/cryptlib.h" #include #include #include "crypto/rand_pool.h" #include "crypto/rand.h" -#include #include "internal/dso.h" +#include "internal/nelem.h" #include "prov/seeding.h" #ifdef __linux @@ -50,7 +50,6 @@ # include static uint64_t get_time_stamp(void); -static uint64_t get_timer_bits(void); /* Macro to convert two thirty two bit values into a sixty four bit one */ # define TWO32TO64(a, b) ((((uint64_t)(a)) << 32) + (b)) 
@@ -774,31 +773,6 @@ int ossl_pool_add_nonce_data(RAND_POOL *pool) return ossl_rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0); } -int ossl_rand_pool_add_additional_data(RAND_POOL *pool) -{ - struct { - int fork_id; - CRYPTO_THREAD_ID tid; - uint64_t time; - } data; - - /* Erase the entire structure including any padding */ - memset(&data, 0, sizeof(data)); - - /* - * Add some noise from the thread id and a high resolution timer. - * The fork_id adds some extra fork-safety. - * The thread id adds a little randomness if the drbg is accessed - * concurrently (which is the case for the drbg). - */ - data.fork_id = openssl_get_fork_id(); - data.tid = CRYPTO_THREAD_get_current_id(); - data.time = get_timer_bits(); - - return ossl_rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0); -} - - /* * Get the current time with the highest possible resolution * 
@@ -828,55 +802,5 @@ static uint64_t get_time_stamp(void) return time(NULL); } -/* - * Get an arbitrary timer value of the highest possible resolution - * - * The timer value is added as random noise to the additional data, - * which is not considered a trusted entropy sourec, so any result - * is acceptable. - */ -static uint64_t get_timer_bits(void) -{ - uint64_t res = OPENSSL_rdtsc(); - - if (res != 0) - return res; - -# if defined(__sun) || defined(__hpux) - return gethrtime(); -# elif defined(_AIX) - { - timebasestruct_t t; - - read_wall_time(&t, TIMEBASE_SZ); - return TWO32TO64(t.tb_high, t.tb_low); - } -# elif defined(OSSL_POSIX_TIMER_OKAY) - { - struct timespec ts; - -# ifdef CLOCK_BOOTTIME -# define CLOCK_TYPE CLOCK_BOOTTIME -# elif defined(_POSIX_MONOTONIC_CLOCK) -# define CLOCK_TYPE CLOCK_MONOTONIC -# else -# define CLOCK_TYPE CLOCK_REALTIME -# endif - - if (clock_gettime(CLOCK_TYPE, &ts) == 0) - return TWO32TO64(ts.tv_sec, ts.tv_nsec); - } -# endif -# if defined(__unix__) \ - || (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L) - { - struct timeval tv; - - if (gettimeofday(&tv, NULL) == 0) - return TWO32TO64(tv.tv_sec, tv.tv_usec); - } -# endif - return time(NULL); -} #endif /* (defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_SYS_VXWORKS)) || defined(__DJGPP__) */ diff --git a/providers/implementations/rands/seeding/rand_vms.c b/providers/implementations/rands/seeding/rand_vms.c index f12ecb3b0..713718189 100644 --- a/providers/implementations/rands/seeding/rand_vms.c +++ b/providers/implementations/rands/seeding/rand_vms.c @@ -7,11 +7,12 @@ * https://www.openssl.org/source/license.html */ -#include "e_os.h" +#include "internal/e_os.h" #define __NEW_STARLET 1 /* New starlet definitions since VMS 7.0 */ #include #include "internal/cryptlib.h" +#include "internal/nelem.h" #include #include "crypto/rand.h" #include "crypto/rand_pool.h" 
diff --git a/providers/implementations/rands/seeding/rand_vxworks.c b/providers/implementations/rands/seeding/rand_vxworks.c index 12be9357b..04e8e3925 100644 --- a/providers/implementations/rands/seeding/rand_vxworks.c +++ b/providers/implementations/rands/seeding/rand_vxworks.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -76,26 +76,6 @@ void ossl_rand_pool_keep_random_devices_open(int keep) { } -int ossl_rand_pool_add_additional_data(RAND_POOL *pool) -{ - struct { - CRYPTO_THREAD_ID tid; - uint64_t time; - } data; - - memset(&data, 0, sizeof(data)); - - /* - * Add some noise from the thread id and a high resolution timer. - * The thread id adds a little randomness if the drbg is accessed - * concurrently (which is the case for the drbg). - */ - data.tid = CRYPTO_THREAD_get_current_id(); - data.time = get_timer_bits(); - - return ossl_rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0); -} - int ossl_pool_add_nonce_data(RAND_POOL *pool) { struct { diff --git a/providers/implementations/rands/seeding/rand_win.c b/providers/implementations/rands/seeding/rand_win.c index cf903f3cb..7a9e971df 100644 --- a/providers/implementations/rands/seeding/rand_win.c +++ b/providers/implementations/rands/seeding/rand_win.c 
@@ -147,26 +147,6 @@ int ossl_pool_add_nonce_data(RAND_POOL *pool) return ossl_rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0); } -int ossl_rand_pool_add_additional_data(RAND_POOL *pool) -{ - struct { - DWORD tid; - LARGE_INTEGER time; - } data; - - /* Erase the entire structure including any padding */ - memset(&data, 0, sizeof(data)); - - /* - * Add some noise from the thread id and a high resolution timer. - * The thread id adds a little randomness if the drbg is accessed - * concurrently (which is the case for the drbg). - */ - data.tid = GetCurrentThreadId(); - QueryPerformanceCounter(&data.time); - return ossl_rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0); -} - int ossl_rand_pool_init(void) { return 1; diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c index 28fd7c498..70d0ea5d2 100644 --- a/providers/implementations/signature/dsa_sig.c +++ b/providers/implementations/signature/dsa_sig.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -22,7 +22,6 @@ #include #include #include -#include #include #include "internal/nelem.h" #include "internal/sizes.h" diff --git a/providers/implementations/signature/eddsa_sig.c b/providers/implementations/signature/eddsa_sig.c index c78f1fbb5..3c9b306ea 100644 --- a/providers/implementations/signature/eddsa_sig.c +++ b/providers/implementations/signature/eddsa_sig.c @@ -13,7 +13,6 @@ #include #include #include -#include #include #include "internal/nelem.h" #include "internal/sizes.h" diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c index 7023a8661..be7cf53b2 100644 --- a/providers/implementations/signature/rsa_sig.c 
+++ b/providers/implementations/signature/rsa_sig.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -189,8 +189,8 @@ static void *rsa_newctx(void *provctx, const char *propq) prsactx->libctx = PROV_LIBCTX_OF(provctx); prsactx->flag_allow_md = 1; prsactx->propq = propq_copy; - /* Maximum for sign, auto for verify */ - prsactx->saltlen = RSA_PSS_SALTLEN_AUTO; + /* Maximum up to digest length for sign, auto for verify */ + prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; prsactx->min_saltlen = -1; return prsactx; } @@ -198,13 +198,27 @@ static void *rsa_newctx(void *provctx, const char *propq) static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx) { int saltlen = ctx->saltlen; - + int saltlenMax = -1; + + /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection + * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the + * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of + * the hash function output block (in bytes)." + * + * Provide a way to use at most the digest length, so that the default does + * not violate FIPS 186-4. */ if (saltlen == RSA_PSS_SALTLEN_DIGEST) { saltlen = EVP_MD_get_size(ctx->md); - } else if (saltlen == RSA_PSS_SALTLEN_AUTO || saltlen == RSA_PSS_SALTLEN_MAX) { + } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { + saltlen = RSA_PSS_SALTLEN_MAX; + saltlenMax = EVP_MD_get_size(ctx->md); + } + if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) { saltlen = RSA_size(ctx->rsa) - EVP_MD_get_size(ctx->md) - 2; if ((RSA_bits(ctx->rsa) & 0x7) == 1) saltlen--; + if (saltlenMax >= 0 && saltlen > saltlenMax) + saltlen = saltlenMax; } if (saltlen < 0) { ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); 
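Review bot: In rsa_pss_compute_saltlen the new local `saltlenMax` uses camelCase while the rest of the file uses snake_case (`min_saltlen`, `flag_allow_md`), and the new FIPS 186-4 comment starts its text on the `/*` line unlike the file's other block comments; `int saltlen_max = -1;` and a `/*` / ` * ...` / ` */` layout would match the surrounding style. The cap is also applied only when `saltlenMax >= 0`, so if EVP_MD_get_size fails and returns a negative value the RSA_PSS_SALTLEN_AUTO_DIGEST_MAX case silently degrades to the uncapped maximum instead of failing; treating a non-positive digest size as an error next to the existing `if (saltlen < 0)` check would make the FIPS bound enforced rather than best-effort. The function's remaining lines are outside the hunk.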
@@ -408,8 +422,8 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa, prsactx->operation = operation; - /* Maximum for sign, auto for verify */ - prsactx->saltlen = RSA_PSS_SALTLEN_AUTO; + /* Maximize up to digest length for sign, auto for verify */ + prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; prsactx->min_saltlen = -1; switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) { @@ -827,7 +841,7 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen, return 0; rslen = RSA_public_decrypt(siglen, sig, prsactx->tbuf, prsactx->rsa, prsactx->pad_mode); - if (rslen == 0) { + if (rslen <= 0) { ERR_raise(ERR_LIB_PROV, ERR_R_RSA_LIB); return 0; } @@ -1107,6 +1121,9 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) case RSA_PSS_SALTLEN_AUTO: value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO; break; + case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX: + value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX; + break; default: { int len = BIO_snprintf(p->data, p->data_size, "%d", @@ -1270,6 +1287,8 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) saltlen = RSA_PSS_SALTLEN_MAX; else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0) saltlen = RSA_PSS_SALTLEN_AUTO; + else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0) + saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; else saltlen = atoi(p->data); break; @@ -1278,11 +1297,11 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) } /* - * RSA_PSS_SALTLEN_MAX seems curiously named in this check. - * Contrary to what it's name suggests, it's the currently - * lowest saltlen number possible. + * RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check. + * Contrary to what it's name suggests, it's the currently lowest + * saltlen number possible. */ - if (saltlen < RSA_PSS_SALTLEN_MAX) { + if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); return 0; } 
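Review bot: The lower-bound check in rsa_set_ctx_params (`if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX)`) now depends on RSA_PSS_SALTLEN_AUTO_DIGEST_MAX being the numerically smallest of the RSA_PSS_SALTLEN_* sentinels, and the rewritten comment only hints at that while carrying over the "it's name" typo (should be "its name"). Suggest stating the dependency outright, e.g. `/* RSA_PSS_SALTLEN_AUTO_DIGEST_MAX is currently the lowest-valued sentinel, so anything below it is neither a sentinel nor a real length */`, so that the next sentinel added to the public header is also reflected here. The sentinel definitions themselves are outside this page.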
@@ -1290,6 +1309,7 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) if (rsa_pss_restricted(prsactx)) { switch (saltlen) { case RSA_PSS_SALTLEN_AUTO: + case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX: if (prsactx->operation == EVP_PKEY_OP_VERIFY) { ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, "Cannot use autodetected salt length"); diff --git a/providers/implementations/signature/sm2_sig.c b/providers/implementations/signature/sm2_sig.c index fffb280c7..b3647a9a7 100644 --- a/providers/implementations/signature/sm2_sig.c +++ b/providers/implementations/signature/sm2_sig.c @@ -9,7 +9,7 @@ /* * ECDSA low level APIs are deprecated for public use, but still ok for - * internal use - SM2 implemetation uses ECDSA_size() function. + * internal use - SM2 implementation uses ECDSA_size() function. */ #include "internal/deprecated.h" @@ -66,9 +66,9 @@ typedef struct { EC_KEY *ec; /* - * Flag to termine if the 'z' digest needs to be computed and fed to the + * Flag to determine if the 'z' digest needs to be computed and fed to the * hash function. - * This flag should be set on initialization and the compuation should + * This flag should be set on initialization and the computation should * be performed only once, on first update. */ unsigned int flag_compute_z_digest : 1; diff --git a/python-ecdsa b/python-ecdsa new file mode 160000 index 000000000..4de8d5bf8 --- /dev/null +++ b/python-ecdsa @@ -0,0 +1 @@ +Subproject commit 4de8d5bf89089d1140eb99aa5d7eb2dc8e6337b6 diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 95a34093c..871c187a9 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -1,5 +1,5 @@ /* - * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
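Review bot: The new `python-ecdsa` submodule is pinned by commit only in this chunk; the matching `.gitmodules` entry (path and upstream URL) is not visible here, so a reader of this page cannot confirm which repository the pin refers to or whether the pinned commit corresponds to a tagged release. If the entry lives in another part of the change, a sentence in the commit description naming the test that consumes the submodule and why a root-level checkout is needed would help reviewers; if it is missing, the submodule will not be fetchable from a fresh clone.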
@@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "e_os.h" +#include "internal/e_os.h" #include #include #include diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 4121f3b2a..3baf82076 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -215,25 +215,7 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, /* start with empty packet ... */ if (left == 0) rb->offset = align; - else if (align != 0 && left >= SSL3_RT_HEADER_LENGTH) { - /* - * check if next packet length is large enough to justify payload - * alignment... - */ - pkt = rb->buf + rb->offset; - if (pkt[0] == SSL3_RT_APPLICATION_DATA - && (pkt[3] << 8 | pkt[4]) >= 128) { - /* - * Note that even if packet is corrupted and its length field - * is insane, we can only be led to wrong decision about - * whether memmove will occur or not. Header values has no - * effect on memmove arguments and therefore no buffer - * overrun can be triggered. - */ - memmove(rb->buf + align, pkt, left); - rb->offset = align; - } - } + s->rlayer.packet = rb->buf + rb->offset; s->rlayer.packet_length = 0; /* ... now we can act as if 'extend' was set */ 
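Review bot: Removing the alignment `memmove` block from ssl3_read_n leaves `pkt` (assigned only inside the deleted `else if`) with no remaining use in the hunk; if it is declared at the top of the function, which starts outside the hunk, it is now an unused variable and will trip a -Wunused-variable build, so its declaration should go too. The new unconditional `s->rlayer.packet = rb->buf + rb->offset;` is fine on its own, but a short comment explaining why realignment of the read buffer is no longer needed would save the next reader from reconstructing the removed reasoning.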
@@ -626,14 +608,13 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, if (numpipes > maxpipes) numpipes = maxpipes; - if (n / numpipes >= max_send_fragment) { + if (n / numpipes >= split_send_fragment) { /* * We have enough data to completely fill all available * pipelines */ - for (j = 0; j < numpipes; j++) { - pipelens[j] = max_send_fragment; - } + for (j = 0; j < numpipes; j++) + pipelens[j] = split_send_fragment; } else { /* We can partially fill all available pipelines */ tmppipelen = n / numpipes; diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c index f631829ef..97b0c26ce 100644 --- a/ssl/record/ssl3_buffer.c +++ b/ssl/record/ssl3_buffer.c @@ -58,6 +58,11 @@ int ssl3_setup_read_buffer(SSL *s) if (ssl_allow_compression(s)) len += SSL3_RT_MAX_COMPRESSED_OVERHEAD; #endif + + /* Ensure our buffer is large enough to support all our pipelines */ + if (s->max_pipelines > 1) + len *= s->max_pipelines; + if (b->default_len > len) len = b->default_len; if ((p = OPENSSL_malloc(len)) == NULL) { diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index 1867f0011..edcbd6d5a 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -964,6 +964,7 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, EVP_CIPHER_CTX *ds; size_t reclen[SSL_MAX_PIPELINES]; unsigned char buf[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN]; + unsigned char *data[SSL_MAX_PIPELINES]; int i, pad = 0, tmpr; size_t bs, ctr, padnum, loop; unsigned char padval; @@ -1123,8 +1124,6 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending, } } if (n_recs > 1) { - unsigned char *data[SSL_MAX_PIPELINES]; - /* Set the output buffers */ for (ctr = 0; ctr < n_recs; ctr++) { data[ctr] = recs[ctr].data; diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index e4168e74c..76b55779d 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c 
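Review bot: In ssl3_setup_read_buffer the new `len *= s->max_pipelines;` has no bound in this hunk; it is only safe if max_pipelines is capped elsewhere (presumably at SSL_MAX_PIPELINES), which the new comment does not mention. Suggest `/* max_pipelines is bounded by SSL_MAX_PIPELINES, so this cannot overflow */` above the multiplication, or an explicit clamp if that bound is not guaranteed at this point. ssl3_setup_read_buffer starts outside the hunk.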
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -24,6 +24,16 @@ #include "ssl_local.h" #include "ssl_cert_table.h" #include "internal/thread_once.h" +#ifndef OPENSSL_NO_POSIX_IO +# include +# ifdef _WIN32 +# define stat _stat +# endif +#endif + +#ifndef S_ISDIR +# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR) +#endif static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, int op, int bits, int nid, void *other, @@ -751,6 +761,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, while ((filename = OPENSSL_DIR_read(&d, dir))) { char buf[1024]; int r; + struct stat st; if (strlen(dir) + strlen(filename) + 2 > sizeof(buf)) { ERR_raise(ERR_LIB_SSL, SSL_R_PATH_TOO_LONG); @@ -761,6 +772,9 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, #else r = BIO_snprintf(buf, sizeof(buf), "%s/%s", dir, filename); #endif + /* Skip subdirectories */ + if (!stat(buf, &st) && S_ISDIR(st.st_mode)) + continue; if (r <= 0 || r >= (int)sizeof(buf)) goto err; if (!SSL_add_file_cert_subjects_to_stack(stack, buf)) 
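Review bot: In SSL_add_dir_cert_subjects_to_stack the new `stat(buf, &st)` runs before the `if (r <= 0 || r >= (int)sizeof(buf)) goto err;` check that validates the BIO_snprintf result, so on a truncated or failed format the code stats whatever is in `buf` before the error path is taken; the three added lines should move below that check. The `struct stat`/`stat()` use is also not under the `#ifndef OPENSSL_NO_POSIX_IO` that guards the new include, so unless the whole function already sits inside such a guard (it starts outside the hunk) a no-posix-io configuration will not compile. Since stat follows symlinks, a link pointing at a directory is skipped the same way; saying so in the `/* Skip subdirectories */` comment would complete it.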
@@ -1050,18 +1064,12 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, } case SSL_SECOP_VERSION: if (!SSL_IS_DTLS(s)) { - /* SSLv3 not allowed at level 2 */ - if (nid <= SSL3_VERSION && level >= 2) - return 0; - /* TLS v1.1 and above only for level 3 */ - if (nid <= TLS1_VERSION && level >= 3) - return 0; - /* TLS v1.2 only for level 4 and above */ - if (nid <= TLS1_1_VERSION && level >= 4) + /* SSLv3, TLS v1.0 and TLS v1.1 only allowed at level 0 */ + if (nid <= TLS1_1_VERSION && level > 0) return 0; } else { - /* DTLS v1.2 only for level 4 and above */ - if (DTLS_VERSION_LT(nid, DTLS1_2_VERSION) && level >= 4) + /* DTLS v1.0 only allowed at level 0 */ + if (DTLS_VERSION_LT(nid, DTLS1_2_VERSION) && level > 0) return 0; } break; diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 73a821289..93de9cf8f 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -819,8 +819,9 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey, OSSL_TRACE_BEGIN(TLS_CIPHER){ BIO_printf(trc_out, "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d)\n", - rule, alg_mkey, alg_auth, alg_enc, alg_mac, min_tls, - algo_strength, strength_bits); + rule, (unsigned int)alg_mkey, (unsigned int)alg_auth, + (unsigned int)alg_enc, (unsigned int)alg_mac, min_tls, + (unsigned int)algo_strength, (int)strength_bits); } if (rule == CIPHER_DEL || rule == CIPHER_BUMP) @@ -864,9 +865,13 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey, BIO_printf(trc_out, "\nName: %s:" "\nAlgo = %08x/%08x/%08x/%08x/%08x Algo_strength = %08x\n", - cp->name, cp->algorithm_mkey, cp->algorithm_auth, - cp->algorithm_enc, cp->algorithm_mac, cp->min_tls, - cp->algo_strength); + cp->name, + (unsigned int)cp->algorithm_mkey, + (unsigned int)cp->algorithm_auth, + (unsigned int)cp->algorithm_enc, + (unsigned int)cp->algorithm_mac, + cp->min_tls, + (unsigned int)cp->algo_strength); } if (cipher_id != 0 && (cipher_id != cp->id)) continue; 
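Review bot: The SSL_SECOP_VERSION change in ssl_security_default_callback makes levels 1 and above reject SSLv3, TLS 1.0, TLS 1.1 and DTLS 1.0 where previously only levels 2, 3 and 4 did, and the only documentation of that in this chunk is the two replaced inline comments. The user-facing description of the security levels and the change log are not visible here; if they are not updated elsewhere in this change, they should be, since existing configurations at level 1 will start failing handshakes with older peers. A one-line comment above the `if (!SSL_IS_DTLS(s))` such as `/* Pre-TLS 1.2 protocol versions are only permitted at level 0 */` would also make the new policy readable without parsing both branches.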
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 41898844f..84ee821c3 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/ssl/ssl_init.c b/ssl/ssl_init.c index db0234d7a..36cb8060e 100644 --- a/ssl/ssl_init.c +++ b/ssl/ssl_init.c @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "e_os.h" +#include "internal/e_os.h" #include "internal/err.h" #include diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 214884b0f..f12ad6d03 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -11,7 +11,7 @@ #include #include "ssl_local.h" -#include "e_os.h" +#include "internal/e_os.h" #include #include #include @@ -22,6 +22,7 @@ #include #include #include "internal/cryptlib.h" +#include "internal/nelem.h" #include "internal/refcount.h" #include "internal/ktls.h" @@ -1046,7 +1047,7 @@ int SSL_dane_enable(SSL *s, const char *basedomain) /* * Default SNI name. This rejects empty names, while set1_host below - * accepts them and disables host name checks. To avoid side-effects with + * accepts them and disables hostname checks. To avoid side-effects with * invalid input, set the SNI name first. */ if (s->ext.hostname == NULL) { diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 5fb1feb80..845329a80 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -12,7 +12,7 @@ #ifndef OSSL_SSL_LOCAL_H # define OSSL_SSL_LOCAL_H -# include "e_os.h" /* struct timeval for DTLS */ +# include "internal/e_os.h" /* struct timeval for DTLS */ # include # include # include 
@@ -772,9 +772,9 @@ typedef enum tlsext_index_en { TLSEXT_IDX_num_builtins } TLSEXT_INDEX; -DEFINE_LHASH_OF(SSL_SESSION); +DEFINE_LHASH_OF_EX(SSL_SESSION); /* Needed in ssl_cert.c */ -DEFINE_LHASH_OF(X509_NAME); +DEFINE_LHASH_OF_EX(X509_NAME); # define TLSEXT_KEYNAME_LENGTH 16 # define TLSEXT_TICK_KEY_LENGTH 32 diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 68b57a532..f065f2f75 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -59,9 +59,11 @@ __owur static int timeoutcmp(SSL_SESSION *a, SSL_SESSION *b) */ void ssl_session_calculate_timeout(SSL_SESSION *ss) { +#ifndef __DJGPP__ /* time_t is unsigned on djgpp */ /* Force positive timeout */ if (ss->timeout < 0) ss->timeout = 0; +#endif ss->calc_timeout = ss->time + ss->timeout; /* * |timeout| is always zero or positive, so the check for @@ -70,7 +72,7 @@ void ssl_session_calculate_timeout(SSL_SESSION *ss) ss->timeout_ovf = ss->time > 0 && ss->calc_timeout < ss->time; /* * N.B. Realistic overflow can only occur in our lifetimes on a - * 32-bit machine in January 2038. + * 32-bit machine with signed time_t, in January 2038. * However, There are no controls to limit the |timeout| * value, except to keep it positive. */ diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index 212fe0096..2be08e37f 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c @@ -151,7 +151,7 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (istls13) { if (BIO_printf(bp, " Max Early Data: %u\n", - x->ext.max_early_data) <= 0) + (unsigned int)x->ext.max_early_data) <= 0) goto err; } diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 8c9c16ec2..977e6a201 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -17,7 +17,6 @@ #include "internal/cryptlib.h" #include "../ssl_local.h" #include "statem_local.h" -#include "internal/cryptlib.h" static int final_renegotiate(SSL *s, unsigned int context, int sent); static int init_server_name(SSL *s, unsigned int context); 
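Review bot: The `#ifndef __DJGPP__` guard in ssl_session_calculate_timeout hard-codes one platform where time_t is unsigned, so any other toolchain with an unsigned time_t will hit the same always-false `ss->timeout < 0` comparison with no exemption. If the trigger is a compiler diagnostic on the tautological comparison, the comment should say so, e.g. `/* time_t is unsigned on djgpp, so the clamp below is a tautology and the build rejects it */`, so the next port knows what to replicate. The function's remaining lines are outside the hunk.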
@@ -1465,13 +1464,10 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, unsigned char hash[EVP_MAX_MD_SIZE], binderkey[EVP_MAX_MD_SIZE]; unsigned char finishedkey[EVP_MAX_MD_SIZE], tmpbinder[EVP_MAX_MD_SIZE]; unsigned char *early_secret; -#ifdef CHARSET_EBCDIC - static const unsigned char resumption_label[] = { 0x72, 0x65, 0x73, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 }; - static const unsigned char external_label[] = { 0x65, 0x78, 0x74, 0x20, 0x62, 0x69, 0x6E, 0x64, 0x65, 0x72, 0x00 }; -#else - static const unsigned char resumption_label[] = "res binder"; - static const unsigned char external_label[] = "ext binder"; -#endif + /* ASCII: "res binder", in hex for EBCDIC compatibility */ + static const unsigned char resumption_label[] = "\x72\x65\x73\x20\x62\x69\x6E\x64\x65\x72"; + /* ASCII: "ext binder", in hex for EBCDIC compatibility */ + static const unsigned char external_label[] = "\x65\x78\x74\x20\x62\x69\x6E\x64\x65\x72"; const unsigned char *label; size_t bindersize, labelsize, hashsize; int hashsizei = EVP_MD_get_size(md); diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 16765a5a5..00b1ee531 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -1147,7 +1147,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, * rounding errors. */ if (id == 0 - && sess->timeout >= (long)agesec + && sess->timeout >= (time_t)agesec && agems / (uint32_t)1000 == agesec && ticket_age <= agems + 1000 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) { diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index bcce73bcd..71da19fd9 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c 
@@ -212,19 +212,13 @@ int tls_setup_handshake(SSL *s) static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs, void **hdata, size_t *hdatalen) { -#ifdef CHARSET_EBCDIC - static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, - 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, - 0x69, 0x66, 0x79, 0x00 }; - static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, - 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, - 0x69, 0x66, 0x79, 0x00 }; -#else - static const char servercontext[] = "TLS 1.3, server CertificateVerify"; - static const char clientcontext[] = "TLS 1.3, client CertificateVerify"; -#endif + /* ASCII: "TLS 1.3, server CertificateVerify", in hex for EBCDIC compatibility */ + static const char servercontext[] = "\x54\x4c\x53\x20\x31\x2e\x33\x2c\x20\x73\x65\x72" + "\x76\x65\x72\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x56\x65\x72\x69\x66\x79"; + /* ASCII: "TLS 1.3, client CertificateVerify", in hex for EBCDIC compatibility */ + static const char clientcontext[] = "\x54\x4c\x53\x20\x31\x2e\x33\x2c\x20\x63\x6c\x69" + "\x65\x6e\x74\x20\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x56\x65\x72\x69\x66\x79"; + if (SSL_IS_TLS13(s)) { size_t hashlen; diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index a9e67f9d3..5d59d5356 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c 
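Review bot: The two new hex literals in get_cert_verify_tbs_data run well past 80 columns (the `"\x54\x4c...\x72"` and `"\x76\x65...\x79"` lines), which the rest of the file keeps to; splitting each into three or four adjacent literals of a dozen escapes would keep the lines within the limit without changing the value. Because every character is written as `\x..`, the greedy hex-escape rule cannot swallow a following literal character here, so the ASCII comment above each literal is the only readable form of the string; keeping those comments in sync is worth a note, e.g. `/* keep the ASCII comment above in sync with the escaped bytes */`.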
@@ -2899,7 +2899,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt) * We must not leak whether a decryption failure occurs because of * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246, * section 7.4.7.1). We use the special padding type - * RSA_PKCS1_WITH_TLS_PADDING to do that. It will automaticaly decrypt the + * RSA_PKCS1_WITH_TLS_PADDING to do that. It will automatically decrypt the * RSA, check the padding and check that the client version is as expected * in the premaster secret. If any of that fails then the function appears * to return successfully but with a random result. The call below could diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index 405b1e686..c1f3d9107 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -1,5 +1,5 @@ /* - * Copyright 2012-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -12,6 +12,7 @@ #ifndef OPENSSL_NO_SSL_TRACE /* Packet trace support for OpenSSL */ +#include "internal/nelem.h" typedef struct { int num; @@ -883,7 +884,7 @@ static int ssl_print_extension(BIO *bio, int indent, int server, | ((unsigned int)ext[2] << 8) | (unsigned int)ext[3]; BIO_indent(bio, indent + 2, 80); - BIO_printf(bio, "max_early_data=%u\n", max_early_data); + BIO_printf(bio, "max_early_data=%u\n", (unsigned int)max_early_data); break; default: diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index ddcff5eb8..9ae2126e3 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c 
@@ -18,11 +18,8 @@ #define TLS13_MAX_LABEL_LEN 249 -#ifdef CHARSET_EBCDIC -static const unsigned char label_prefix[] = { 0x74, 0x6C, 0x73, 0x31, 0x33, 0x20, 0x00 }; -#else -static const unsigned char label_prefix[] = "tls13 "; -#endif +/* ASCII: "tls13 ", in hex for EBCDIC compatibility */ +static const unsigned char label_prefix[] = "\x74\x6C\x73\x31\x33\x20"; /* * Given a |secret|; a |label| of length |labellen|; and |data| of length @@ -110,11 +107,8 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret, unsigned char *key, size_t keylen) { -#ifdef CHARSET_EBCDIC - static const unsigned char keylabel[] ={ 0x6B, 0x65, 0x79, 0x00 }; -#else - static const unsigned char keylabel[] = "key"; -#endif + /* ASCII: "key", in hex for EBCDIC compatibility */ + static const unsigned char keylabel[] = "\x6B\x65\x79"; return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1, NULL, 0, key, keylen, 1); @@ -127,11 +121,8 @@ int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret, int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret, unsigned char *iv, size_t ivlen) { -#ifdef CHARSET_EBCDIC - static const unsigned char ivlabel[] = { 0x69, 0x76, 0x00 }; -#else - static const unsigned char ivlabel[] = "iv"; -#endif + /* ASCII: "iv", in hex for EBCDIC compatibility */ + static const unsigned char ivlabel[] = "\x69\x76"; return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1, NULL, 0, iv, ivlen, 1); 
@@ -141,11 +132,8 @@ int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
                              const unsigned char *secret,
                              unsigned char *fin, size_t finlen)
 {
-#ifdef CHARSET_EBCDIC
-    static const unsigned char finishedlabel[] = { 0x66, 0x69, 0x6E, 0x69, 0x73, 0x68, 0x65, 0x64, 0x00 };
-#else
-    static const unsigned char finishedlabel[] = "finished";
-#endif
+    /* ASCII: "finished", in hex for EBCDIC compatibility */
+    static const unsigned char finishedlabel[] = "\x66\x69\x6E\x69\x73\x68\x65\x64";
 
     return tls13_hkdf_expand(s, md, secret, finishedlabel, sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1);
@@ -170,11 +158,8 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
     OSSL_PARAM params[7], *p = params;
     int mode = EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY;
     const char *mdname = EVP_MD_get0_name(md);
-#ifdef CHARSET_EBCDIC
-    static const char derived_secret_label[] = { 0x64, 0x65, 0x72, 0x69, 0x76, 0x65, 0x64, 0x00 };
-#else
-    static const char derived_secret_label[] = "derived";
-#endif
+    /* ASCII: "derived", in hex for EBCDIC compatibility */
+    static const char derived_secret_label[] = "\x64\x65\x72\x69\x76\x65\x64";
 
     kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_TLS1_3_KDF, s->ctx->propq);
     kctx = EVP_KDF_CTX_new(kdf);
@@ -402,25 +387,22 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, int tls13_change_cipher_state(SSL *s, int which) { -#ifdef CHARSET_EBCDIC - static const unsigned char client_early_traffic[] = {0x63, 0x20, 0x65, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; - static const unsigned char client_handshake_traffic[] = {0x63, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; - static const unsigned char client_application_traffic[] = {0x63, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; - static const unsigned char server_handshake_traffic[] = {0x73, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; - static const unsigned char server_application_traffic[] = {0x73, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; - static const unsigned char exporter_master_secret[] = {0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; - static const unsigned char resumption_master_secret[] = {0x72, 0x65, 0x73, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; - static const unsigned char early_exporter_master_secret[] = {0x65, 0x20, 0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; -#else - static const unsigned char client_early_traffic[] = "c e traffic"; - static const unsigned char client_handshake_traffic[] = "c hs traffic"; - static const unsigned char client_application_traffic[] = "c ap traffic"; - static const unsigned char server_handshake_traffic[] = "s hs traffic"; - static const unsigned char server_application_traffic[] = "s ap traffic"; - static const unsigned char exporter_master_secret[] = "exp master"; - static const unsigned char resumption_master_secret[] = "res master"; - static const unsigned char early_exporter_master_secret[] = "e exp master"; -#endif + /* ASCII: "c e traffic", in hex for EBCDIC 
compatibility */ + static const unsigned char client_early_traffic[] = "\x63\x20\x65\x20\x74\x72\x61\x66\x66\x69\x63"; + /* ASCII: "c hs traffic", in hex for EBCDIC compatibility */ + static const unsigned char client_handshake_traffic[] = "\x63\x20\x68\x73\x20\x74\x72\x61\x66\x66\x69\x63"; + /* ASCII: "c ap traffic", in hex for EBCDIC compatibility */ + static const unsigned char client_application_traffic[] = "\x63\x20\x61\x70\x20\x74\x72\x61\x66\x66\x69\x63"; + /* ASCII: "s hs traffic", in hex for EBCDIC compatibility */ + static const unsigned char server_handshake_traffic[] = "\x73\x20\x68\x73\x20\x74\x72\x61\x66\x66\x69\x63"; + /* ASCII: "s ap traffic", in hex for EBCDIC compatibility */ + static const unsigned char server_application_traffic[] = "\x73\x20\x61\x70\x20\x74\x72\x61\x66\x66\x69\x63"; + /* ASCII: "exp master", in hex for EBCDIC compatibility */ + static const unsigned char exporter_master_secret[] = "\x65\x78\x70\x20\x6D\x61\x73\x74\x65\x72"; + /* ASCII: "res master", in hex for EBCDIC compatibility */ + static const unsigned char resumption_master_secret[] = "\x72\x65\x73\x20\x6D\x61\x73\x74\x65\x72"; + /* ASCII: "e exp master", in hex for EBCDIC compatibility */ + static const unsigned char early_exporter_master_secret[] = "\x65\x20\x65\x78\x70\x20\x6D\x61\x73\x74\x65\x72"; unsigned char *iv; unsigned char key[EVP_MAX_KEY_LENGTH]; unsigned char secret[EVP_MAX_MD_SIZE]; 
@@ -745,11 +727,8 @@ int tls13_change_cipher_state(SSL *s, int which)
 
 int tls13_update_key(SSL *s, int sending)
 {
-#ifdef CHARSET_EBCDIC
-    static const unsigned char application_traffic[] = { 0x74, 0x72 ,0x61 ,0x66 ,0x66 ,0x69 ,0x63 ,0x20 ,0x75 ,0x70 ,0x64, 0x00};
-#else
-    static const unsigned char application_traffic[] = "traffic upd";
-#endif
+    /* ASCII: "traffic upd", in hex for EBCDIC compatibility */
+    static const unsigned char application_traffic[] = "\x74\x72\x61\x66\x66\x69\x63\x20\x75\x70\x64";
     const EVP_MD *md = ssl_handshake_md(s);
     size_t hashlen;
     unsigned char key[EVP_MAX_KEY_LENGTH];
@@ -822,11 +801,8 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
                                  size_t contextlen, int use_context)
 {
     unsigned char exportsecret[EVP_MAX_MD_SIZE];
-#ifdef CHARSET_EBCDIC
-    static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00};
-#else
-    static const unsigned char exporterlabel[] = "exporter";
-#endif
+    /* ASCII: "exporter", in hex for EBCDIC compatibility */
+    static const unsigned char exporterlabel[] = "\x65\x78\x70\x6F\x72\x74\x65\x72";
     unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE];
     const EVP_MD *md = ssl_handshake_md(s);
     EVP_MD_CTX *ctx = EVP_MD_CTX_new();
@@ -863,11 +839,8 @@ int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
                                        const unsigned char *context,
                                        size_t contextlen)
 {
-#ifdef CHARSET_EBCDIC
-    static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00};
-#else
-    static const unsigned char exporterlabel[] = "exporter";
-#endif
+    /* ASCII: "exporter", in hex for EBCDIC compatibility */
+    static const unsigned char exporterlabel[] = "\x65\x78\x70\x6F\x72\x74\x65\x72";
     unsigned char exportsecret[EVP_MAX_MD_SIZE];
     unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE];
     const EVP_MD *md;
diff --git a/test/README-external.md b/test/README-external.md
index 3e10526b8..e1f4819fa 100644
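Review bot: `exporterlabel` is now defined byte-for-byte identically inside both tls13_export_keying_material and tls13_export_keying_material_early (the second and third hunks on this line), which is exactly the kind of duplication that lets two copies drift apart; since `label_prefix` already lives at file scope, the same treatment fits here: one `static const unsigned char exporterlabel[] = "\x65\x78\x70\x6F\x72\x74\x65\x72";` next to it and the two function-local definitions removed. Both enclosing functions continue past their hunks.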
--- a/test/README-external.md
+++ b/test/README-external.md
@@ -87,6 +87,39 @@ explicitly run (with more debugging):
     $ make test VERBOSE=1 TESTS=test_external_gost_engine
 
+OQSprovider test suite
+======================
+
+Much like the PYCA/Cryptography test suite, this builds and runs the OQS
+(OpenQuantumSafe -- www.openquantumsafe.org) provider tests against the
+local OpenSSL build.
+
+You will need a git checkout of oqsprovider at the top level:
+
+    $ git submodule update --init
+
+Then configure/build OpenSSL enabling external tests:
+
+    $ ./config shared enable-external-tests
+    $ make
+
+oqsprovider requires CMake for the build process.
+
+OQSprovider tests will then be run as part of the rest of the suite, or can be
+explicitly run (with more debugging):
+
+    $ make test VERBOSE=1 TESTS=test_external_oqsprovider
+
+The environment variable `OQS_SKIP_TESTS` can be set to select tests and
+algorithms to be skipped. If not set, the "rainbow" algorithm set as well as
+the (OQS-)OpenSSL1.1.1 compatibility tests will not be executed. So, for
+example to exclude the "mceliece" and "kyber" algorithms execute
+
+    OQS_SKIP_TESTS=mceliece,kyber make test TESTS=test_external_oqsprovider
+
+The names of all supported quantum-safe algorithms are available at
+
 Updating test suites
 ====================
diff --git a/test/README.ssltest.md b/test/README.ssltest.md
index 81ee7dfdb..85a643079 100644
--- a/test/README.ssltest.md
+++ b/test/README.ssltest.md
@@ -283,3 +283,14 @@ of the generated `test/ssl-tests/*.cnf` correspond to expected outputs in
 with the default Configure options. To run `ssl_test` manually from the command line in a build with a different configuration, you may need to generate the right `*.cnf` file from the `*.cnf.in` input first.
+
+Running a test manually via make
+--------------------------------
+
+Individual tests may be run by adding the SSL_TESTS variable to the `make`
+command line. The SSL_TESTS variable is set to the list of input (or ".in")
+files. The values in SSL_TESTS are globbed.
+
+    $ make test TESTS=test_ssl_new SSL_TESTS="0*.cnf.in"
+
+    $ make test TESTS=test_ssl_new SSL_TESTS="01-simple.cnf.in 05-sni.cnf.in"
diff --git a/test/bad_dtls_test.c b/test/bad_dtls_test.c
index e6ee1ea09..7b50ee054 100644
--- a/test/bad_dtls_test.c
+++ b/test/bad_dtls_test.c
@@ -499,6 +499,7 @@ static int test_bad_dtls(void)
             || !TEST_true(SSL_CTX_set_cipher_list(ctx, "AES128-SHA")))
         goto end;
 
+    SSL_CTX_set_security_level(ctx, 0);
     con = SSL_new(ctx);
     if (!TEST_ptr(con)
             || !TEST_true(SSL_set_session(con, sess)))
diff --git a/test/bntest.c b/test/bntest.c
index c5894c157..a91ba7f4d 100644
--- a/test/bntest.c
+++ b/test/bntest.c
@@ -38,6 +38,7 @@ typedef struct mpitest_st {
 
 static const int NUM0 = 100; /* number of tests */
 static const int NUM1 = 50;  /* additional tests for some functions */
+static const int NUM_PRIME_TESTS = 20;
 static BN_CTX *ctx;
 
 /*
@@ -168,6 +169,11 @@ static int test_swap(void)
             || !equalBN("swap", b, c))
         goto err;
 
+    /* regular swap: same pointer */
+    BN_swap(a, a);
+    if (!equalBN("swap with same pointer", a, d))
+        goto err;
+
     /* conditional swap: true */
     cond = 1;
     BN_consttime_swap(cond, a, b, top);
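Review bot: `SSL_CTX_set_security_level(ctx, 0)` in the bad_dtls_test.c hunk is added with no comment recording which default-level restriction it lifts, and since the call returns void nothing else in the hunk documents the intent; a one-liner above it such as `/* level 0: the DTLS 1.0 session this test replays is refused at the default security level */` would do, though I am inferring the reason from the test name, so adjust the wording to the actual cause. If only the cipher on the preceding context line needs it, naming that instead keeps the comment accurate. test_bad_dtls starts and ends outside the hunk.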
@@ -175,6 +181,11 @@ static int test_swap(void)
             || !equalBN("cswap true", b, d))
         goto err;
 
+    /* conditional swap: true, same pointer */
+    BN_consttime_swap(cond, a, a, top);
+    if (!equalBN("cswap true", a, c))
+        goto err;
+
     /* conditional swap: false */
     cond = 0;
     BN_consttime_swap(cond, a, b, top);
@@ -182,6 +193,11 @@ static int test_swap(void)
             || !equalBN("cswap false", b, d))
         goto err;
 
+    /* conditional swap: false, same pointer */
+    BN_consttime_swap(cond, a, a, top);
+    if (!equalBN("cswap false", a, c))
+        goto err;
+
     /* same tests but checking flag swap */
     BN_set_flags(a, BN_FLG_CONSTTIME);
 
@@ -2573,6 +2589,25 @@ static int test_ctx_consttime_flag(void)
     return st;
 }
 
+static int test_coprime(void)
+{
+    BIGNUM *a = NULL, *b = NULL;
+    int ret = 0;
+
+    ret = TEST_ptr(a = BN_new())
+          && TEST_ptr(b = BN_new())
+          && TEST_true(BN_set_word(a, 66))
+          && TEST_true(BN_set_word(b, 99))
+          && TEST_int_eq(BN_are_coprime(a, b, ctx), 0)
+          && TEST_int_eq(BN_are_coprime(b, a, ctx), 0)
+          && TEST_true(BN_set_word(a, 67))
+          && TEST_int_eq(BN_are_coprime(a, b, ctx), 1)
+          && TEST_int_eq(BN_are_coprime(b, a, ctx), 1);
+    BN_free(a);
+    BN_free(b);
+    return ret;
+}
+
 static int test_gcd_prime(void)
 {
     BIGNUM *a = NULL, *b = NULL, *gcd = NULL;
@@ -2585,11 +2620,12 @@ static int test_gcd_prime(void)
     if (!TEST_true(BN_generate_prime_ex(a, 1024, 0, NULL, NULL, NULL)))
         goto err;
 
-    for (i = 0; i < NUM0; i++) {
+    for (i = 0; i < NUM_PRIME_TESTS; i++) {
         if (!TEST_true(BN_generate_prime_ex(b, 1024, 0, NULL, NULL, NULL))
                 || !TEST_true(BN_gcd(gcd, a, b, ctx))
-                || !TEST_true(BN_is_one(gcd)))
+                || !TEST_true(BN_is_one(gcd))
+                || !TEST_true(BN_are_coprime(a, b, ctx)))
             goto err;
     }
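Review bot: In the added test_coprime, `int ret = 0;` is a dead initialisation because `ret` is unconditionally assigned by the `&&` chain two lines later, so `int ret;` is enough. The chain covers one composite pair (66, 99) and one prime/composite pair (67, 99) but none of the cheap boundary cases: `&& TEST_true(BN_set_word(a, 1)) && TEST_int_eq(BN_are_coprime(a, b, ctx), 1)` pins that 1 is coprime to everything, and a same-object call `TEST_int_eq(BN_are_coprime(b, b, ctx), 0)` pins that a value above 1 is never coprime with itself, which also exercises the aliasing path the test_swap hunks on this line are adding for BN_consttime_swap. The `&&` chain short-circuits, so a failing `BN_set_word(a, 67)` skips the remaining assertions; TEST_true reports it, but the later assertions then never run, which is worth knowing when reading a failure.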
@@ -3066,6 +3102,7 @@ int setup_tests(void)
         ADD_ALL_TESTS(test_is_prime, (int)OSSL_NELEM(primes));
         ADD_ALL_TESTS(test_not_prime, (int)OSSL_NELEM(not_primes));
         ADD_TEST(test_gcd_prime);
+        ADD_TEST(test_coprime);
         ADD_ALL_TESTS(test_mod_exp, (int)OSSL_NELEM(ModExpTests));
         ADD_ALL_TESTS(test_mod_exp_consttime, (int)OSSL_NELEM(ModExpTests));
         ADD_TEST(test_mod_exp2_mont);
diff --git a/test/build.info b/test/build.info
index 4e385770e..f8b508578 100644
--- a/test/build.info
+++ b/test/build.info
@@ -37,7 +37,7 @@ IF[{- !$disabled{tests} -}]
           sanitytest rsa_complex exdatatest bntest \
           ecstresstest gmdifftest pbelutest \
           destest mdc2test sha_test \
-          exptest pbetest localetest evp_pkey_ctx_new_from_name\
+          exptest pbetest localetest evp_pkey_ctx_new_from_name \
           evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \
           evp_fetch_prov_test evp_libctx_test ossl_store_test \
           v3nametest v3ext punycode_test \
@@ -58,11 +58,12 @@ IF[{- !$disabled{tests} -}]
           recordlentest drbgtest rand_status_test sslbuffertest \
           time_offset_test pemtest ssl_cert_table_internal_test ciphername_test \
           http_test servername_test ocspapitest fatalerrtest tls13ccstest \
-          sysdefaulttest errtest ssl_ctx_test \
+          sysdefaulttest errtest ssl_ctx_test build_wincrypt_test \
           context_internal_test aesgcmtest params_test evp_pkey_dparams_test \
           keymgmt_internal_test hexstr_test provider_status_test defltfips_test \
           bio_readbuffer_test user_property_test pkcs7_test upcallstest \
-          provfetchtest prov_config_test rand_test fips_version_test
+          provfetchtest prov_config_test rand_test fips_version_test \
+          nodefltctxtest
 
   IF[{- !$disabled{'deprecated-3.0'} -}]
     PROGRAMS{noinst}=enginetest
@@ -214,6 +215,10 @@ IF[{- !$disabled{tests} -}]
   INCLUDE[provider_status_test]=../include ../apps/include
   DEPEND[provider_status_test]=../libcrypto.a libtestutil.a
 
+  SOURCE[nodefltctxtest]=nodefltctxtest.c
+  INCLUDE[nodefltctxtest]=../include ../apps/include
+  DEPEND[nodefltctxtest]=../libcrypto.a libtestutil.a
+
   IF[{- !$disabled{'deprecated-3.0'} -}]
     PROGRAMS{noinst}=igetest bftest casttest
 
@@ -593,7 +598,7 @@ IF[{- !$disabled{tests} -}]
   IF[1]
     PROGRAMS{noinst}=asn1_internal_test modes_internal_test x509_internal_test \
                      tls13encryptiontest wpackettest ctype_internal_test \
-                     rdrand_sanitytest property_test ideatest rsa_mp_test \
+                     rdcpu_sanitytest property_test ideatest rsa_mp_test \
                      rsa_sp800_56b_test bn_internal_test ecdsatest rsa_test \
                      rc2test rc4test rc5test hmactest ffc_internal_test \
                      asn1_dsa_internal_test dsatest dsa_no_digest_size_test \
@@ -746,9 +751,9 @@ IF[{- !$disabled{tests} -}]
     INCLUDE[rc4test]=../include ../apps/include
     DEPEND[rc4test]=../libcrypto.a libtestutil.a
 
-    SOURCE[rdrand_sanitytest]=rdrand_sanitytest.c
-    INCLUDE[rdrand_sanitytest]=../include ../apps/include
-    DEPEND[rdrand_sanitytest]=../libcrypto.a libtestutil.a
+    SOURCE[rdcpu_sanitytest]=rdcpu_sanitytest.c
+    INCLUDE[rdcpu_sanitytest]=../include ../apps/include ../crypto
+    DEPEND[rdcpu_sanitytest]=../libcrypto.a libtestutil.a
 
     SOURCE[rsa_sp800_56b_test]=rsa_sp800_56b_test.c
     INCLUDE[rsa_sp800_56b_test]=.. ../include ../crypto/rsa ../apps/include
@@ -886,6 +891,14 @@ IF[{- !$disabled{tests} -}]
   SOURCE[endecode_test]=endecode_test.c helpers/predefined_dhparams.c
   INCLUDE[endecode_test]=.. ../include ../apps/include
   DEPEND[endecode_test]=../libcrypto.a libtestutil.a
+  IF[{- !$disabled{module} && !$disabled{legacy} -}]
+    DEFINE[endecode_test]=STATIC_LEGACY
+    SOURCE[endecode_test]=../providers/legacyprov.c
+    INCLUDE[endecode_test]=../providers/common/include \
+                           ../providers/implementations/include
+    DEPEND[endecode_test]=../providers/liblegacy.a \
+                          ../providers/libcommon.a
+  ENDIF
 
   IF[{- !$disabled{'deprecated-3.0'} -}]
     PROGRAMS{noinst}=endecoder_legacy_test
@@ -916,6 +929,17 @@ ENDIF
   INCLUDE[ssl_ctx_test]=../include ../apps/include
   DEPEND[ssl_ctx_test]=../libcrypto ../libssl libtestutil.a
 
+  SOURCE[build_wincrypt_test]=build_wincrypt_test.c
+  INCLUDE[build_wincrypt_test]=../include
+  DEPEND[build_wincrypt_test]=../libssl ../libcrypto
+
+  IF[{- !$disabled{shared} -}]
+    PROGRAMS{noinst}=timing_load_creds
+    SOURCE[timing_load_creds]=timing_load_creds.c
+    INCLUDE[timing_load_creds]=../include
+    DEPEND[timing_load_creds]=../libcrypto.a
+  ENDIF
+
 {-
    use File::Spec::Functions;
    use File::Basename;
diff --git a/test/build_wincrypt_test.c b/test/build_wincrypt_test.c
new file mode 100644
index 000000000..5bd75e6a4
--- /dev/null
+++ b/test/build_wincrypt_test.c
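Review bot: `timing_load_creds` in the second hunk is gated on `IF[{- !$disabled{shared} -}]` yet its only dependency is the static archive `../libcrypto.a`, which reads as a mismatch: if the gate exists because the program needs a shared build, the dependency should presumably be `../libcrypto`, and if the static link is deliberate the gate needs a comment saying why shared-disabled builds are excluded. `build_wincrypt_test` is linked against `../libssl ../libcrypto` with no `libtestutil.a`, which is consistent with a compile-only check, but a comment such as `# build-only check for header symbol collisions, not a runnable test` would stop someone wiring it into the test recipes. The first hunk, which compiles legacyprov.c into endecode_test under `STATIC_LEGACY`, would likewise benefit from one line stating that the legacy provider is linked statically into the test binary, presumably so the test does not depend on loading the legacy module at run time.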
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Simple buildtest to check for symbol collisions between wincrypt and
+ * OpenSSL headers
+ */
+
+#include
+
+#ifdef _WIN32
+# ifndef WIN32_LEAN_AND_MEAN
+# define WIN32_LEAN_AND_MEAN
+# endif
+# include
+# include
+# ifndef X509_NAME
+# ifndef PEDANTIC
+# warning "wincrypt.h no longer defining X509_NAME before OpenSSL headers"
+# endif
+# endif
+#endif
+
+#include
+#ifndef OPENSSL_NO_STDIO
+# include
+#endif
+
+#include
+#include
+#include
+
+int main(void)
+{
+    return 0;
+}
diff --git a/test/certs/ee-timestampsign-CABforum-anyextkeyusage.pem b/test/certs/ee-timestampsign-CABforum-anyextkeyusage.pem
new file mode 100644
index 000000000..1ea457e36
--- /dev/null
+++ b/test/certs/ee-timestampsign-CABforum-anyextkeyusage.pem
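Review bot: `#warning` inside the `#ifndef X509_NAME` / `#ifndef PEDANTIC` block is not portable to MSVC, which rejects an unknown preprocessor directive as a fatal error (C1021); since this file is compiled specifically under `_WIN32`, the intended diagnostic would become a build break the day wincrypt.h stops defining `X509_NAME`, the opposite of what a build test wants. `#pragma message("wincrypt.h no longer defining X509_NAME before OpenSSL headers")` is accepted by MSVC, GCC and Clang and preserves the intent. The header names of the `#include` directives are not visible in this rendering, so the include order, which is the whole point of the test, should be confirmed against the actual file.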
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHjCCAgagAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0yMjA2MTcxMDU4MzBaGA8yMTIyMDYxODEwNTgzMFowGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjezB5MB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi +l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA +MA4GA1UdDwEB/wQEAwIHgDAcBgNVHSUBAf8EEjAQBggrBgEFBQcDCAYEVR0lADAN +BgkqhkiG9w0BAQsFAAOCAQEARF7Aal4usByz7BIWnjqvTNoXQBwGOZ+5nuENUbqr +OcMrWTmA9huqOiseVG665VGE+eLvOi6wSZv+8OEWS4nxwmEFkegMDIyQufP85xN2 +XDtsZNiFk1Wwtq7B29F/kZSqL8py650CAQZhqgHCawlvAFj6Datf8OYsqRmdLvjH +DpySBOiv06rtCHR4ThEhvou9Tln6Tb6Ap+sq3/pu4Nf4q/ureqCaSQTS+ayvMuAb +Cg+75Xgvl6nOQSPLkI6YoeA1F0o/51elldCbtfTZM+74btrDnclT3Pyrkp+E63eS +FcNZWN5nxYl5VZGC9DaoO3+3b6VYQoyROBS5tW0ztf5BeA== +-----END CERTIFICATE----- diff --git a/test/certs/ee-timestampsign-CABforum-crlsign.pem b/test/certs/ee-timestampsign-CABforum-crlsign.pem new file mode 100644 index 000000000..cfb6465db --- /dev/null +++ b/test/certs/ee-timestampsign-CABforum-crlsign.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDGDCCAgCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0yMjA2MTcxMDU4MzBaGA8yMTIyMDYxODEwNTgzMFowGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjdTBzMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi +l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA +MA4GA1UdDwEB/wQEAwIBgjAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDANBgkqhkiG +9w0BAQsFAAOCAQEAKlm2VpIAqs6OEBh8+J8N+wGjn4lzB92H8nPr+UsxeVzbFJAY +ESu9CJFWW9iPjzk6tCu2qwbCQd8jmMbgwHRVekafW6Cpit3qhIE+GZ5bmM7OmRnT +ueNWtMYoh/V+rNtpZcoTvPDcxHuEmh/kKgxqTrZ/7+SlusO2ita6GfOrWgD4Xc3h +djQ1WTSEG/G8PHSnYZ7YEvBhFHAHblaN2AgawexM/mcoWQgOEcQTouMk98zdStp2 ++N+oNmRO4FbKy/vkrSQNly6P+EZKI2ZJ6f6cRB5LDdCXyPcjCC/JqL4/Ota2xnJU +4RX9/X+Uxvvfsc/6dmqy2orJ4KxSlgaHS0Ip2A== +-----END CERTIFICATE----- diff --git a/test/certs/ee-timestampsign-CABforum-keycertsign.pem b/test/certs/ee-timestampsign-CABforum-keycertsign.pem new file mode 100644 index 000000000..6bfc5b672 --- /dev/null +++ b/test/certs/ee-timestampsign-CABforum-keycertsign.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDGDCCAgCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0yMjA2MTcxMDU4MzBaGA8yMTIyMDYxODEwNTgzMFowGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjdTBzMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi +l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA +MA4GA1UdDwEB/wQEAwIChDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDANBgkqhkiG +9w0BAQsFAAOCAQEAXSCrYzwK4/ZfXgURG9nxn1ZJtx/z2TdEyebe6f5YmZE14VxU +cQbLynkydPSntmn60IQWABtueFlTpqOXEfQOxDosN8Nd3L4TkgG/a8mJbuTdfho6 +3NizJzkIxUW7nWiMjrSpkr082HPX/FCbRcg/2oSCOJb5Ap9ZvHpCKtowXGRwcAMW +Yvw5pJDDntklTIWiKqTMo5poKRi4v8Sk/Dh7EwLi8l3e6BlHVx5aBh6l7REj0Stm +j/0HbIBHYLK8+hR32uwA7KoZivgaXxvl0A1DsMGuLZjH+yUd2n7yibqln/Dc2NV8 +aXefMwNqGYnAufJijTmiSdR+CkMex4RYDQgdwQ== +-----END CERTIFICATE----- diff --git a/test/certs/ee-timestampsign-CABforum-noncritxku.pem b/test/certs/ee-timestampsign-CABforum-noncritxku.pem new file mode 100644 index 000000000..850403d27 --- /dev/null +++ b/test/certs/ee-timestampsign-CABforum-noncritxku.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDFTCCAf2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0yMjA2MTcxMDU4MzBaGA8yMTIyMDYxODEwNTgzMFowGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjcjBwMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi +l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA +MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDCDANBgkqhkiG9w0B +AQsFAAOCAQEAjQfg65wHwxrd5jBi/Y50BVWb3uvHM/n8y/weOoWP5YXQTUbVqbNT +cxy2SrfDMK4wh5YErwgO9C0yHGBL7fXvnqBqSDnMM2lh9D7DnOQ4K02ZyZLjzkXH +3oprmYKbGSAsifGPuAUhfw8bvhbH1i+gNDxK1g0TcuQhfQ//3vUwIsp5e8ADaFIg +4qCNhvMnv/VkfEpg5hBeVOYSv2ITVhLwkvIKjxEIbfOxj2muglw3fwFhLlAUKp/t +f4i8+OHIMVCQIPpceA/cwmh7HPpLiaQ4EJBWHynb03RwZ8RqZL2tGzg/pZQsjggj +kiZlT3EwSpQjqgBPNLY9DPWMDBCnY+DPWw== +-----END CERTIFICATE----- diff --git a/test/certs/ee-timestampsign-CABforum-serverauth.pem b/test/certs/ee-timestampsign-CABforum-serverauth.pem new file mode 100644 index 000000000..f6fcc13e9 --- /dev/null +++ b/test/certs/ee-timestampsign-CABforum-serverauth.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDIjCCAgqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0yMjA2MTcxMDU4MzBaGA8yMTIyMDYxODEwNTgzMFowGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjfzB9MB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi +l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA +MA4GA1UdDwEB/wQEAwIHgDAgBgNVHSUBAf8EFjAUBggrBgEFBQcDCAYIKwYBBQUH +AwEwDQYJKoZIhvcNAQELBQADggEBACT1ybiBVe+mNC+DSH+8ZG0Ih96OKLiyPNL4 +fA+uCzpn4Ey2cPAnPK/7w0V77dGs7Phpc0LPBj/kVfybhZvJVJDgjnXcdbK1JxUC +zKMRMFP38cE7wyYgsAR6bZilMMsdWAvA+BERd1DoAkePEB3F0/NUj0EP6bDiWE6F +ZtvVyqQYSpmu6VkrxR9lOhUpEzHddNTz2V7QvGcI+8zValG++IluvPHbRL/lFsvV +QjmzuMW8d3+oVycC53bWO6Lj0yX/h6DwP8Tj50w2OgUnV+CmXaxbLNF2sMjM8Omp +YzVRJg2Vqu02KI6QYnwvLHNR6JjGw+OJYHF1DY+GDEEN24BOK8k= +-----END CERTIFICATE----- diff --git a/test/certs/ee-timestampsign-CABforum.pem b/test/certs/ee-timestampsign-CABforum.pem new file mode 100644 index 000000000..7e40e4c82 --- /dev/null +++ b/test/certs/ee-timestampsign-CABforum.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDGDCCAgCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0yMjA2MTcxMDU4MzBaGA8yMTIyMDYxODEwNTgzMFowGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjdTBzMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi +l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA +MA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDANBgkqhkiG +9w0BAQsFAAOCAQEAkWshPdAJh5hdpXTqFx3o6UinpCxszJyupHjFzpOoW8FXafva +AgHDjHnbnS7t/haUHb8bDh3qYUBgJM6QvJS2O6rZd1ZRV3+dFevePUcwQXu4w6Zp +vX9GS4v/grpiqc2LKqLekuWIkyxJ0sLjDHcAPb8KTpquCWVWsX9qxPjujyxXBlTc +s9vPQU1j6utbqWPm7LAURebJCNBxHz/IgC0gp+1ln7LP97gkGz/bDQYOLeDsNXz4 +3YpIyRoSTJTnjeotfXhYL2Sak2z0KGtZS5S2BgDv0xjYMprGbJ7JbbSty1Os0I8w +Wfw9muf+O/IStl6or/QbWRde6sTr4En7BdObWg== +-----END CERTIFICATE----- diff --git a/test/certs/ee-timestampsign-rfc3161-digsig.pem b/test/certs/ee-timestampsign-rfc3161-digsig.pem new file mode 100644 index 000000000..50c05fe87 --- /dev/null +++ b/test/certs/ee-timestampsign-rfc3161-digsig.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDFTCCAf2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0yMjA2MTcxMDU4MzBaGA8yMTIyMDYxODEwNTgzMFowGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjcjBwMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi +l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA +MAsGA1UdDwQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDANBgkqhkiG9w0B +AQsFAAOCAQEAUHC/kPMTXWZHVsHbIYuqitxgvfplpvTf9FEeoo7RjzY4Zb9xymOt +EeBHfz0HMMIz6c0eV/Y0cfqEBSWf263qRTN+b1XgFaAP30JII3Okxfv7ul8kxvD2 +f22z4+h471FkeH4ZvQ6tD1mwiBcZbXm9g4fRn+WIQfhNY+JaKkespA7diG8i1hSm +/3wc0k/U155vBAmrfIGyUFZzewkt18qnOYQVEw+TPHeV5yd6yrbUQs55CafqEwFV +U9Fb781PIXAw2lKMnoID9/Mm9k5HlQgJ5+bYlRQQhfvfHVv/1WHDlwxE+1L9t1g3 +khZmeRPu1hDAMS5TFaO2lHTRvTTUexsICw== +-----END CERTIFICATE----- diff --git a/test/certs/ee-timestampsign-rfc3161-noncritxku.pem b/test/certs/ee-timestampsign-rfc3161-noncritxku.pem new file mode 100644 index 000000000..9a94846f1 --- /dev/null +++ b/test/certs/ee-timestampsign-rfc3161-noncritxku.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBTCCAe2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0yMjA2MTcxMDU4MzBaGA8yMTIyMDYxODEwNTgzMFowGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjYjBgMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi +l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA +MBMGA1UdJQQMMAoGCCsGAQUFBwMIMA0GCSqGSIb3DQEBCwUAA4IBAQBrivg4yDW+ +SeLTjEPEhVmSHgJ7CTnU6wJxZKXDLGhTi3dB7yrBMMy7F0Vmbz/Pg+xxZIsOeMzt +uPi196nfbilHN+sIjn847i06KJgTuQhr13lzy3ky3UIQ5TIWWfaEkz/+mr7zcRD3 +i37GpPSTWOpbmNsZELHuowtpaHLCnaG0SGJoKLJX/DOUsRNKyAHL3eFPwF+w89dK +7YMikdPWW39gLcjCLMtI0M179a8woW1oNHAUCsIUabiRLI8GzUumyO2hPqhTXRMq +FKABr+H2uuRN+MPTZun9g/QLZBqY4sADDI3ko7OYWHwjYeDaqzNWs1T6R7d7+SsO +ws2OW3INcQC8 +-----END CERTIFICATE----- diff --git a/test/certs/ee-timestampsign-rfc3161.pem b/test/certs/ee-timestampsign-rfc3161.pem new file mode 100644 index 000000000..3a49fe820 --- /dev/null +++ b/test/certs/ee-timestampsign-rfc3161.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCDCCAfCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg +Fw0yMjA2MTcxMDU4MzBaGA8yMTIyMDYxODEwNTgzMFowGTEXMBUGA1UEAwwOc2Vy +dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY +YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT +5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l +Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 +U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 +ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn +iIQPYf55NB9KiR+3AgMBAAGjZTBjMB0GA1UdDgQWBBTnm+IqrYpsOst2UeWOB5gi +l+FzojAfBgNVHSMEGDAWgBS0ETPx1+Je91OeICIQT4YGvx/JXjAJBgNVHRMEAjAA +MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMA0GCSqGSIb3DQEBCwUAA4IBAQB7UIs8 +nTM63TDe8tO+isxz5d0WWIn/DCdBPw9t2BNJ4KsgaaP6TPLeQBU4M5+fp7kNV5Re +mphQxwl/DMTvMtbqkVVrN2HOTXYoLi/SoOck7oGU+YwOhocxAZHxvZlqrUxCVZEb +kQOsosfFNE0PhPdF2UuHC8h/wmjEb1hgSAz2JlKzW2dATb8OOm+5iqzSQwGB0nKj +cGTo+K0DDYGrL9iZnGpjT6S4Nhk8opfrCgJyd/E2BB050yrhU/7QUAtBpSt3rdke +V6LiW+y6+CiH4OpEnxtuWI42Bq8KBxFgMNOhOvC2dBcmciE6oPFslOLCF17DzEPO +9YE9aULDF/HfXbMR +-----END CERTIFICATE----- diff --git a/test/certs/setup.sh b/test/certs/setup.sh index 2240cd9df..97122e7cf 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh 
@@ -174,6 +174,17 @@ openssl x509 -in ee-client.pem -trustout \
 openssl x509 -in ee-client.pem -trustout \
     -addreject clientAuth -out ee-clientAuth.pem
 
+# time stamping certificates
+./mkcert.sh genee -p critical,timeStamping -k critical,digitalSignature server.example ee-key ee-timestampsign-CABforum ca-key ca-cert
+./mkcert.sh genee -p timeStamping -k critical,digitalSignature server.example ee-key ee-timestampsign-CABforum-noncritxku ca-key ca-cert
+./mkcert.sh genee -p critical,timeStamping,serverAuth -k critical,digitalSignature server.example ee-key ee-timestampsign-CABforum-serverauth ca-key ca-cert
+./mkcert.sh genee -p critical,timeStamping,2.5.29.37.0 -k critical,digitalSignature server.example ee-key ee-timestampsign-CABforum-anyextkeyusage ca-key ca-cert
+./mkcert.sh genee -p critical,timeStamping -k critical,digitalSignature,cRLSign server.example ee-key ee-timestampsign-CABforum-crlsign ca-key ca-cert
+./mkcert.sh genee -p critical,timeStamping -k critical,digitalSignature,keyCertSign server.example ee-key ee-timestampsign-CABforum-keycertsign ca-key ca-cert
+./mkcert.sh genee -p critical,timeStamping server.example ee-key ee-timestampsign-rfc3161 ca-key ca-cert
+./mkcert.sh genee -p timeStamping server.example ee-key ee-timestampsign-rfc3161-noncritxku ca-key ca-cert
+./mkcert.sh genee -p critical,timeStamping -k digitalSignature server.example ee-key ee-timestampsign-rfc3161-digsig ca-key ca-cert
+
 # Leaf cert security level variants
 # MD5 issuer signature
 OPENSSL_SIGALG=md5 \
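Review bot: The nine `./mkcert.sh genee` lines encode the distinction between the CA/Browser Forum and RFC 3161 timestamping profiles only in the output file names, so a reader has to diff the option strings to see what each certificate is for; a short comment per group, e.g. `# CABforum profile: critical timeStamping EKU plus critical digitalSignature KU; the -serverauth/-anyextkeyusage/-crlsign/-keycertsign variants each add one attribute that presumably must make verification fail`, and the same for the rfc3161 group, would make the fixtures self-describing and the list easier to extend. The anyextkeyusage variant passes the raw OID `2.5.29.37.0` while every neighbouring line uses a name; if mkcert.sh forwards `-p` to OpenSSL's extendedKeyUsage config handling, the short name `anyExtendedKeyUsage` should be accepted and is clearer, but verify that before changing it. All nine reuse `ee-key` and the `server.example` subject, consistent with the rest of the script.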
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDJTCCAg2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNDIyMjk0NloYDzIxMTYwMTE1MjIyOTQ2WjAZMRcwFQYDVQQD +DA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ANVdYGrf/GHuSKqMEUhDpW22Ul2qmEmxYZI1sfw6BCUMbXn/tNXJ6VwcO+Crs7h9 +o95tveDd11q/FEcRQl6mgtBhwX/dE0bmCYUHDvLU/Bpk0gqtIKsga5bwrczEGVNV +3AEdpLPvirRJU12KBRzx3OFEv8XX4ncZV1yXC3XuiENxD8pswbSyUKd3RmxYDxG/ +8XYkWq45QrdRZynh0FUwbxfkkeqt+CjCQ2+iZKn7nZiSYkg+6w1PgkqK/z9y7pa1 +rqHBmLrvfZB1bf9aUp6r9cB+0IdD24UHBw99OHr90dPuZR3T6jlqhzfuStPgDW71 +cKzCvfFu85KVXqnwoWWVk40CAwEAAaN9MHswHQYDVR0OBBYEFMDnhL/oWSczELBS +T1FSLwbWwHrNMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJMAkGA1Ud +EwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4 +YW1wbGUwDQYJKoZIhvcNAQELBQADggEBAHvTBEN1ig8RrsT716Ginv4gGNX0LzGI +RrZ1jO7lm5emuaPNYJpGw0iX5Zdo91qGNXPZaZ75X3S55pQTActq3OPEBOll2pyk +iyjz+Zp/v5cfRZLlBbFW5gv2R94eibYr4U3fSn4B0yPcl4xH/l/HzJhGDsSDW8qK +8VIJvmvsPwmL0JMCv+FR59F+NFYZdND/KCXet59WUpF9ICmFCoBEX3EyJXEPwhbi +X2sdPzJbCjx0HLli8e0HUKNttLQxCsBTRGo6iISLLamwN47mGDa9miBADwGSiz2q +YeeuLO02zToHhnQ6KbPXOrQAqcL1kngO4g+j/ru+4AZThFkdkGnltvk= +-----END CERTIFICATE----- diff --git a/test/certs/timing-key.pem b/test/certs/timing-key.pem new file mode 100644 index 000000000..a0b8e8dab --- /dev/null +++ b/test/certs/timing-key.pem 
@@ -0,0 +1,29 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDVXWBq3/xh7kiq +jBFIQ6VttlJdqphJsWGSNbH8OgQlDG15/7TVyelcHDvgq7O4faPebb3g3ddavxRH +EUJepoLQYcF/3RNG5gmFBw7y1PwaZNIKrSCrIGuW8K3MxBlTVdwBHaSz74q0SVNd +igUc8dzhRL/F1+J3GVdclwt17ohDcQ/KbMG0slCnd0ZsWA8Rv/F2JFquOUK3UWcp +4dBVMG8X5JHqrfgowkNvomSp+52YkmJIPusNT4JKiv8/cu6Wta6hwZi6732QdW3/ +WlKeq/XAftCHQ9uFBwcPfTh6/dHT7mUd0+o5aoc37krT4A1u9XCswr3xbvOSlV6p +8KFllZONAgMBAAECggEADLTt7A+A2Vg2jamf0dztejY0e42QWjstI2b9PZc67fXq +gyx+WYkX07t+uWegYWliG/oPJ9guXiIpE/5sJHToL37S5kmFP2CtynVcJ4wVo4DD +nY0n9+kLX0bgIuS+2V6wpoRcbbbjXM9NHrH8kfe5ftT4UtEDlLI2qLX6IcDd7p4u +OYjILChR8GSGTw96yIy2Ws/1Uq9PMw64JoT4RcK5QqnkcPMDFRH1SeLOL+zXP2c4 +nEl9yOy3HauZKxwl/Ry/XK1s3DdjopIAU29ut+hAuMiTb06kzZnumL9NoplKoZtU +otw/gVcCKhT+Ep+p6i8InLF0XEME8A0qUR0niWebgQKBgQD6vkxR49B8ZZQrzjw4 +XKs1lI9cP7cgPiuWlDHMNjYou3WbOaGrMeScvbB1Ldh9A8pjAhxlw8AaV/xs4qcA +trmVmSISVMVyc1wSGlJXWi2nUzTNs9OE3vj22SyStihf8UUZtWwX2b5Y4JrYhA/V ++ThGGqHR03oLNLShNLtJc2c7YQKBgQDZ1nkibEyrepexw/fnwkw61IJKq9wRIh1G +PREakhbe9wU5ie0knuf9razt7awzQiwFmlixmWqsM7UEtLuXNnNPciwdrKhhbvrd +vD/rkbIEHEPllIhFlDtOzn3hRBWTzWmXFjpou/2LvHTSbVis4IYVZymTp2jb1ZLs +7VbiG9JTrQKBgQDc6n75g1szzpdehQT/r33U5j/syeJBUSU8NPMu9fB/sLHsgjlT +SNEf2+y1QSBE/Or6kmiMrIv7advn30W+Vj9qc5HWTsPrk4HiHTjA553jl2alebN5 +lK4LZspjtIQcC8mS3goPdXPEgJdM/gWpwzr2YQ6DfOxBJT2j7n64NyoT4QKBgH7/ +yx+GhCx1DHtXBPDZFhg2TL+78lEK0oZgk9gp06up2CHzh44SFq6O0oLkTcCUk5Ww +poTkLIy4mJBlzfgahp+KsK2cO46SZS9g0ONFzcMXt33hWpE2Gl2XhUwPpYTF/QlY +rDTjZK5S8Mi9dzVSsNlJi7PJphiEK2R1+nFYRwcBAoGBANWoIG85jpXAOnq/Kcgx +Rl3YivR0Ke6r1tFlP58rT7X3EkiboXyQl5vLIFCAwUte6RGrLl1dy3Qyh80B9ySL +Jx6vj42CK7vgv6A96TuVYhnXTnEI6ZvwAQ2VGaw4BizhjALs/kdSE/og9aSCs3ws +KQypwAFz0tbHxaNag/bSAN0J +-----END PRIVATE KEY----- + diff --git a/test/cmp_protect_test.c b/test/cmp_protect_test.c index 9111b8942..361385892 100644 --- a/test/cmp_protect_test.c +++ b/test/cmp_protect_test.c 
@@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -95,7 +95,7 @@ static int execute_calc_protection_pbmac_test(CMP_PROTECT_TEST_FIXTURE *fixture) /* * This function works similarly to parts of CMP_verify_signature in cmp_vfy.c, - * but without the need for a OSSL_CMP_CTX or a X509 certificate + * but without the need for an OSSL_CMP_CTX or a X509 certificate */ static int verify_signature(OSSL_CMP_MSG *msg, ASN1_BIT_STRING *protection, diff --git a/test/cmp_vfy_test.c b/test/cmp_vfy_test.c index ed8e1b314..705a81ae5 100644 --- a/test/cmp_vfy_test.c +++ b/test/cmp_vfy_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -434,7 +434,7 @@ static int execute_msg_check_test(CMP_VFY_TEST_FIXTURE *fixture) fixture->additional_arg))) return 0; - if (fixture->expected == 0) /* error expected aready during above check */ + if (fixture->expected == 0) /* error expected already during above check */ return 1; return TEST_int_eq(0, diff --git a/test/context_internal_test.c b/test/context_internal_test.c index 4c02f601c..8fea53fee 100644 --- a/test/context_internal_test.c +++ b/test/context_internal_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -12,103 +12,25 @@ #include "internal/cryptlib.h" #include "testutil.h" -/* - * Everything between BEGIN EXAMPLE and END EXAMPLE is copied from - * doc/internal/man3/ossl_lib_ctx_get_data.pod - */ - -/* - * ====================================================================== - * BEGIN EXAMPLE - */ - -typedef struct foo_st { - int i; - void *data; -} FOO; - -static void *foo_new(OSSL_LIB_CTX *ctx) -{ - FOO *ptr = OPENSSL_zalloc(sizeof(*ptr)); - if (ptr != NULL) - ptr->i = 42; - return ptr; -} -static void foo_free(void *ptr) -{ - OPENSSL_free(ptr); -} -static const OSSL_LIB_CTX_METHOD foo_method = { - OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, - foo_new, - foo_free -}; - -/* - * END EXAMPLE - * ====================================================================== - */ - -static int test_context(OSSL_LIB_CTX *ctx) -{ - FOO *data = NULL; - - return TEST_ptr(data = ossl_lib_ctx_get_data(ctx, 0, &foo_method)) - /* OPENSSL_zalloc in foo_new() initialized it to zero */ - && TEST_int_eq(data->i, 42); -} - -static int test_app_context(void) -{ - OSSL_LIB_CTX *ctx = NULL; - int result = - TEST_ptr(ctx = OSSL_LIB_CTX_new()) - && test_context(ctx); - - OSSL_LIB_CTX_free(ctx); - return result; -} - -static int test_def_context(void) -{ - return test_context(NULL); -} - static int test_set0_default(void) { OSSL_LIB_CTX *global = OSSL_LIB_CTX_get0_global_default(); OSSL_LIB_CTX *local = OSSL_LIB_CTX_new(); OSSL_LIB_CTX *prev; int testresult = 0; - FOO *data = NULL; if (!TEST_ptr(global) || !TEST_ptr(local) - || !TEST_ptr_eq(global, OSSL_LIB_CTX_set0_default(NULL)) - || !TEST_ptr(data = ossl_lib_ctx_get_data(local, 0, &foo_method))) - goto err; - - /* Set local "i" value to 43. 
Global "i" should be 42 */ - data->i++; - if (!TEST_int_eq(data->i, 43)) - goto err; - - /* The default context should still be the "global" default */ - if (!TEST_ptr(data = ossl_lib_ctx_get_data(NULL, 0, &foo_method)) - || !TEST_int_eq(data->i, 42)) + || !TEST_ptr_eq(global, OSSL_LIB_CTX_set0_default(NULL))) goto err; /* Check we can change the local default context */ if (!TEST_ptr(prev = OSSL_LIB_CTX_set0_default(local)) - || !TEST_ptr_eq(global, prev) - || !TEST_ptr(data = ossl_lib_ctx_get_data(NULL, 0, &foo_method)) - || !TEST_int_eq(data->i, 43)) + || !TEST_ptr_eq(global, prev)) goto err; /* Calling OSSL_LIB_CTX_set0_default() with a NULL should be a no-op */ - if (!TEST_ptr_eq(local, OSSL_LIB_CTX_set0_default(NULL)) - || !TEST_ptr(data = ossl_lib_ctx_get_data(NULL, 0, &foo_method)) - || !TEST_int_eq(data->i, 43)) + if (!TEST_ptr_eq(local, OSSL_LIB_CTX_set0_default(NULL))) goto err; /* Global default should be unchanged */ @@ -116,10 +38,8 @@ static int test_set0_default(void) goto err; /* Check we can swap back to the global default */ - if (!TEST_ptr(prev = OSSL_LIB_CTX_set0_default(global)) - || !TEST_ptr_eq(local, prev) - || !TEST_ptr(data = ossl_lib_ctx_get_data(NULL, 0, &foo_method)) - || !TEST_int_eq(data->i, 42)) + if (!TEST_ptr(prev = OSSL_LIB_CTX_set0_default(global)) + || !TEST_ptr_eq(local, prev)) goto err; testresult = 1; @@ -130,8 +50,6 @@ static int test_set0_default(void) int setup_tests(void) { - ADD_TEST(test_app_context); - ADD_TEST(test_def_context); ADD_TEST(test_set0_default); return 1; } diff --git a/test/destest.c b/test/destest.c index e0c4b30f9..d5f00fa69 100644 --- a/test/destest.c +++ b/test/destest.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -838,6 +838,29 @@ static int test_des_check_bad_parity(int n) return TEST_int_eq(DES_check_key_parity(key), bad_parity_keys[n].expect); } + +/* Test that two key 3DES can generate a random key without error */ +static int test_des_two_key(void) +{ + int res = 0; + EVP_CIPHER *cipher = NULL; + EVP_CIPHER_CTX *ctx = NULL; + unsigned char key[16]; + + if (!TEST_ptr(cipher = EVP_CIPHER_fetch(NULL, "DES-EDE-ECB", NULL)) + || !TEST_ptr(ctx = EVP_CIPHER_CTX_new()) + || !EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 1) + || !EVP_CIPHER_CTX_set_key_length(ctx, sizeof(key)) + || !EVP_CIPHER_CTX_rand_key(ctx, key)) + goto err; + + res = 1; + err: + EVP_CIPHER_free(cipher); + EVP_CIPHER_CTX_free(ctx); + return res; +} + #endif int setup_tests(void) @@ -866,6 +889,7 @@ int setup_tests(void) ADD_ALL_TESTS(test_des_key_wrap, OSSL_NELEM(test_des_key_wrap_sizes)); ADD_ALL_TESTS(test_des_weak_keys, OSSL_NELEM(weak_keys)); ADD_ALL_TESTS(test_des_check_bad_parity, OSSL_NELEM(bad_parity_keys)); + ADD_TEST(test_des_two_key); #endif return 1; } diff --git a/test/dsatest.c b/test/dsatest.c index 2d34ca426..b1de58575 100644 --- a/test/dsatest.c +++ b/test/dsatest.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
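Review bot: In test_des_two_key the three calls after the two `TEST_ptr` checks — `EVP_CipherInit_ex`, `EVP_CIPHER_CTX_set_key_length` and `EVP_CIPHER_CTX_rand_key` — are not wrapped in `TEST_true`, so a failure of any of them jumps to `err` without a diagnostic naming the failing call, unlike the fetch/new checks in the same condition. Wrapping them as `|| !TEST_true(EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 1))` (and likewise the other two) keeps the chain shape and gives a useful failure message. The generated key is also never inspected; since this file already uses `DES_check_key_parity` (visible in test_des_check_bad_parity just above), the test could assert odd parity on both 8-byte halves, e.g. `|| !TEST_true(DES_check_key_parity((const_DES_cblock *)key))` and `|| !TEST_true(DES_check_key_parity((const_DES_cblock *)(key + 8)))`, assuming the provider's rand_key is expected to parity-adjust the key — worth confirming.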
@@ -32,6 +32,32 @@ #ifndef OPENSSL_NO_DSA static int dsa_cb(int p, int n, BN_GENCB *arg); +static unsigned char out_p[] = { + 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa, + 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb, + 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7, + 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5, + 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf, + 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac, + 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2, + 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91, +}; +static unsigned char out_q[] = { + 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee, + 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e, + 0xda, 0xce, 0x91, 0x5f, +}; +static unsigned char out_g[] = { + 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13, + 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00, + 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb, + 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e, + 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf, + 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c, + 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c, + 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02, +}; + static int dsa_test(void) { BN_GENCB *cb; 
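Review bot: The arrays hoisted to file scope (`out_p`, `out_q`, `out_g`) are declared `static unsigned char` although their only visible use is as the first argument of `BN_bin2bn`, which takes `const unsigned char *`; declaring them `static const unsigned char out_p[] = {` (and likewise `out_q`, `out_g`) puts them in read-only storage and documents that no test mutates the shared parameters. A short comment above them, such as `/* Fixed DSA (p, q, g) parameters (64-byte p, 20-byte q) shared by dsa_test and test_dsa_sig_infinite_loop */`, would also help, since the new test later in this file relies on them without saying so.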
@@ -51,31 +77,6 @@ static int dsa_test(void) 0xb6, 0x21, 0x1b, 0x40, 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3, }; - static unsigned char out_p[] = { - 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa, - 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb, - 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7, - 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5, - 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf, - 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac, - 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2, - 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91, - }; - static unsigned char out_q[] = { - 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee, - 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e, - 0xda, 0xce, 0x91, 0x5f, - }; - static unsigned char out_g[] = { - 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13, - 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00, - 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb, - 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e, - 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf, - 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c, - 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c, - 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02, - }; static const unsigned char str1[] = "12345678901234567890"; if (!TEST_ptr(cb = BN_GENCB_new())) @@ -114,7 +115,6 @@ static int dsa_test(void) goto end; if (TEST_int_gt(DSA_verify(0, str1, 20, sig, siglen, dsa), 0)) ret = 1; - end: DSA_free(dsa); BN_GENCB_free(cb); 
@@ -325,6 +325,89 @@ static int test_dsa_default_paramgen_validate(int i) return ret; } +static int test_dsa_sig_infinite_loop(void) +{ + int ret = 0; + DSA *dsa = NULL; + BIGNUM *p = NULL, *q = NULL, *g = NULL, *priv = NULL, *pub = NULL, *priv2 = NULL; + BIGNUM *badq = NULL, *badpriv = NULL; + const unsigned char msg[] = { 0x00 }; + unsigned int signature_len; + unsigned char signature[64]; + + static unsigned char out_priv[] = { + 0x17, 0x00, 0xb2, 0x8d, 0xcb, 0x24, 0xc9, 0x98, + 0xd0, 0x7f, 0x1f, 0x83, 0x1a, 0xa1, 0xc4, 0xa4, + 0xf8, 0x0f, 0x7f, 0x12 + }; + static unsigned char out_pub[] = { + 0x04, 0x72, 0xee, 0x8d, 0xaa, 0x4d, 0x89, 0x60, + 0x0e, 0xb2, 0xd4, 0x38, 0x84, 0xa2, 0x2a, 0x60, + 0x5f, 0x67, 0xd7, 0x9e, 0x24, 0xdd, 0xe8, 0x50, + 0xf2, 0x23, 0x71, 0x55, 0x53, 0x94, 0x0d, 0x6b, + 0x2e, 0xcd, 0x30, 0xda, 0x6f, 0x1e, 0x2c, 0xcf, + 0x59, 0xbe, 0x05, 0x6c, 0x07, 0x0e, 0xc6, 0x38, + 0x05, 0xcb, 0x0c, 0x44, 0x0a, 0x08, 0x13, 0xb6, + 0x0f, 0x14, 0xde, 0x4a, 0xf6, 0xed, 0x4e, 0xc3 + }; + if (!TEST_ptr(p = BN_bin2bn(out_p, sizeof(out_p), NULL)) + || !TEST_ptr(q = BN_bin2bn(out_q, sizeof(out_q), NULL)) + || !TEST_ptr(g = BN_bin2bn(out_g, sizeof(out_g), NULL)) + || !TEST_ptr(pub = BN_bin2bn(out_pub, sizeof(out_pub), NULL)) + || !TEST_ptr(priv = BN_bin2bn(out_priv, sizeof(out_priv), NULL)) + || !TEST_ptr(priv2 = BN_dup(priv)) + || !TEST_ptr(badq = BN_new()) + || !TEST_true(BN_set_word(badq, 1)) + || !TEST_ptr(badpriv = BN_new()) + || !TEST_true(BN_set_word(badpriv, 0)) + || !TEST_ptr(dsa = DSA_new())) + goto err; + + if (!TEST_true(DSA_set0_pqg(dsa, p, q, g))) + goto err; + p = q = g = NULL; + + if (!TEST_true(DSA_set0_key(dsa, pub, priv))) + goto err; + pub = priv = NULL; + + if (!TEST_int_le(DSA_size(dsa), sizeof(signature))) + goto err; + + if (!TEST_true(DSA_sign(0, msg, sizeof(msg), signature, &signature_len, dsa))) + goto err; + + /* Test using a private key of zero fails - this causes an infinite loop without the retry test */ + if 
(!TEST_true(DSA_set0_key(dsa, NULL, badpriv))) + goto err; + badpriv = NULL; + if (!TEST_false(DSA_sign(0, msg, sizeof(msg), signature, &signature_len, dsa))) + goto err; + + /* Restore private and set a bad q - this caused an infinite loop in the setup */ + if (!TEST_true(DSA_set0_key(dsa, NULL, priv2))) + goto err; + priv2 = NULL; + if (!TEST_true(DSA_set0_pqg(dsa, NULL, badq, NULL))) + goto err; + badq = NULL; + if (!TEST_false(DSA_sign(0, msg, sizeof(msg), signature, &signature_len, dsa))) + goto err; + + ret = 1; +err: + BN_free(badq); + BN_free(badpriv); + BN_free(pub); + BN_free(priv); + BN_free(priv2); + BN_free(g); + BN_free(q); + BN_free(p); + DSA_free(dsa); + return ret; +} + #endif /* OPENSSL_NO_DSA */ int setup_tests(void) @@ -332,6 +415,7 @@ int setup_tests(void) #ifndef OPENSSL_NO_DSA ADD_TEST(dsa_test); ADD_TEST(dsa_keygen_test); + ADD_TEST(test_dsa_sig_infinite_loop); ADD_ALL_TESTS(test_dsa_default_paramgen_validate, 2); #endif return 1; diff --git a/test/dtlstest.c b/test/dtlstest.c index 3ada3ce2b..e32b03b45 100644 --- a/test/dtlstest.c +++ b/test/dtlstest.c @@ -425,6 +425,12 @@ static int test_just_finished(void) &sctx, NULL, cert, privkey))) return 0; +#ifdef OPENSSL_NO_DTLS1_2 + /* DTLSv1 is not allowed at the default security level */ + if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))) + goto end; +#endif + serverssl = SSL_new(sctx); rbio = BIO_new(BIO_s_mem()); wbio = BIO_new(BIO_s_mem()); 
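Review bot: `TEST_int_le(DSA_size(dsa), sizeof(signature))` in test_dsa_sig_infinite_loop compares an int with a size_t; `TEST_size_t_le((size_t)DSA_size(dsa), sizeof(signature))`, preceded by `TEST_int_gt(DSA_size(dsa), 0)`, keeps the types straight and avoids a sign-compare warning. The `out_priv`/`out_pub` arrays are only read through `BN_bin2bn`, which takes `const unsigned char *`, so they can be `static const`. Note also that a regression of either fix would show up as this test hanging rather than as a failed `TEST_false`, so the expected failure mode is worth stating in a function header such as `/* Regression test: a zero private key and q == 1 must make DSA_sign() fail instead of looping forever */` rather than only in the two inline comments.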
@@ -462,6 +468,80 @@ static int test_just_finished(void) return testresult; } +/* + * Test that swapping a record from the next epoch into the current epoch still + * works. Libssl should buffer the record until it needs it. + */ +static int test_swap_epoch(void) +{ + SSL_CTX *sctx = NULL, *cctx = NULL; + SSL *sssl = NULL, *cssl = NULL; + int testresult = 0; + BIO *bio; + + if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), + DTLS_client_method(), + DTLS1_VERSION, 0, + &sctx, &cctx, cert, privkey))) + return 0; + +#ifndef OPENSSL_NO_DTLS1_2 + if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES128-SHA"))) + goto end; +#else + /* Default sigalgs are SHA1 based in err = "DIGESTFINALXOF_ERROR"; + return 0; + } + if (!TEST_str_eq(dont, "touch")) { + EVP_MD_CTX_free(mctx); + t->err = "DIGESTFINALXOF_ERROR"; + return 0; + } + EVP_MD_CTX_free(mctx); + return 1; +} + static int digest_test_run(EVP_TEST *t) { DIGEST_DATA *expected = t->data; @@ -436,26 +456,19 @@ static int digest_test_run(EVP_TEST *t) xof = (EVP_MD_get_flags(expected->digest) & EVP_MD_FLAG_XOF) != 0; if (xof) { EVP_MD_CTX *mctx_cpy; - char dont[] = "touch"; if (!TEST_ptr(mctx_cpy = EVP_MD_CTX_new())) { goto err; } - if (!EVP_MD_CTX_copy(mctx_cpy, mctx)) { + if (!TEST_true(EVP_MD_CTX_copy(mctx_cpy, mctx))) { EVP_MD_CTX_free(mctx_cpy); goto err; - } - if (!EVP_DigestFinalXOF(mctx_cpy, (unsigned char *)dont, 0)) { - EVP_MD_CTX_free(mctx_cpy); - t->err = "DIGESTFINALXOF_ERROR"; + } else if (!test_duplicate_md_ctx(t, mctx_cpy)) { goto err; } - if (!TEST_str_eq(dont, "touch")) { - EVP_MD_CTX_free(mctx_cpy); - t->err = "DIGESTFINALXOF_ERROR"; + + if (!test_duplicate_md_ctx(t, EVP_MD_CTX_dup(mctx))) goto err; - } - EVP_MD_CTX_free(mctx_cpy); got_len = expected->output_len; if (!EVP_DigestFinalXOF(mctx, got, got_len)) { 
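Review bot: In digest_test_run, `test_duplicate_md_ctx(t, EVP_MD_CTX_dup(mctx))` passes the dup result without a NULL check, so a failed dup is reported — if at all — as a `DIGESTFINALXOF_ERROR` from inside the helper rather than as a failed allocation; whether the helper tolerates NULL cannot be seen here, as its start lies outside the hunk. Suggest `EVP_MD_CTX *mctx_dup;` and `if (!TEST_ptr(mctx_dup = EVP_MD_CTX_dup(mctx)) || !test_duplicate_md_ctx(t, mctx_dup)) goto err;`. A comment that the helper takes ownership of and frees the context it is given (its visible tail calls `EVP_MD_CTX_free(mctx)` on both paths) would explain why `mctx_cpy` is no longer freed here on the success path.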
@@ -695,7 +708,7 @@ static int cipher_test_enc(EVP_TEST *t, int enc, size_t in_len, out_len, donelen = 0; int ok = 0, tmplen, chunklen, tmpflen, i; EVP_CIPHER_CTX *ctx_base = NULL; - EVP_CIPHER_CTX *ctx = NULL; + EVP_CIPHER_CTX *ctx = NULL, *duped; t->err = "TEST_FAILURE"; if (!TEST_ptr(ctx_base = EVP_CIPHER_CTX_new())) @@ -833,6 +846,12 @@ static int cipher_test_enc(EVP_TEST *t, int enc, EVP_CIPHER_CTX_free(ctx); ctx = ctx_base; } + /* Likewise for dup */ + duped = EVP_CIPHER_CTX_dup(ctx); + if (duped != NULL) { + EVP_CIPHER_CTX_free(ctx); + ctx = duped; + } ERR_pop_to_mark(); if (expected->mac_key != NULL @@ -2740,6 +2759,13 @@ static int kdf_test_ctrl(EVP_TEST *t, EVP_KDF_CTX *kctx, if (p != NULL) *p++ = '\0'; + if (strcmp(name, "r") == 0 + && OSSL_PARAM_locate_const(defs, name) == NULL) { + TEST_info("skipping, setting 'r' is unsupported"); + t->skip = 1; + goto end; + } + rv = OSSL_PARAM_allocate_from_text(kdata->p, defs, name, p, p != NULL ? strlen(p) : 0, NULL); *++kdata->p = OSSL_PARAM_construct_end(); @@ -2753,6 +2779,7 @@ static int kdf_test_ctrl(EVP_TEST *t, EVP_KDF_CTX *kctx, TEST_info("skipping, '%s' is disabled", p); t->skip = 1; } + goto end; } if (p != NULL && (strcmp(name, "cipher") == 0 @@ -2760,7 +2787,15 @@ static int kdf_test_ctrl(EVP_TEST *t, EVP_KDF_CTX *kctx, && is_cipher_disabled(p)) { TEST_info("skipping, '%s' is disabled", p); t->skip = 1; + goto end; + } + if (p != NULL + && (strcmp(name, "mac") == 0) + && is_mac_disabled(p)) { + TEST_info("skipping, '%s' is disabled", p); + t->skip = 1; } + end: OPENSSL_free(name); return 1; } @@ -2782,6 +2817,7 @@ static int kdf_test_run(EVP_TEST *t) KDF_DATA *expected = t->data; unsigned char *got = NULL; size_t got_len = expected->output_len; + EVP_KDF_CTX *ctx; if (!EVP_KDF_CTX_set_params(expected->ctx, expected->params)) { t->err = "KDF_CTRL_ERROR"; 
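Review bot: In the `/* Likewise for dup */` block of cipher_test_enc, `EVP_CIPHER_CTX_free(ctx)` may free `ctx_base`: the fallback immediately above assigns `ctx = ctx_base` when the copy fails, and the new block then frees whatever `ctx` points to before replacing it with `duped`. If the function's cleanup (outside this hunk) frees `ctx_base` separately, that is a double free on the copy-failed-but-dup-succeeded path — worth confirming against the `err:` path. Guarding the free with `if (ctx != ctx_base) EVP_CIPHER_CTX_free(ctx);` leaves `ctx_base` alive in that case and lets the existing cleanup free both objects once. A one-line comment that from here on `ctx` may be a dup rather than a copy of `ctx_base` would also help the next reader.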
@@ -2791,6 +2827,10 @@ static int kdf_test_run(EVP_TEST *t) t->err = "INTERNAL_ERROR"; goto err; } + if ((ctx = EVP_KDF_CTX_dup(expected->ctx)) != NULL) { + EVP_KDF_CTX_free(expected->ctx); + expected->ctx = ctx; + } if (EVP_KDF_derive(expected->ctx, got, got_len, NULL) <= 0) { t->err = "KDF_DERIVE_ERROR"; goto err; diff --git a/test/exptest.c b/test/exptest.c index 59285b17a..143dfa995 100644 --- a/test/exptest.c +++ b/test/exptest.c @@ -252,11 +252,12 @@ static int test_mod_exp_x2(int idx) BIGNUM *m2 = NULL; int factor_size = 0; - /* - * Currently only 1024-bit factor size is supported. - */ if (idx <= 100) factor_size = 1024; + else if (idx <= 200) + factor_size = 1536; + else if (idx <= 300) + factor_size = 2048; if (!TEST_ptr(ctx = BN_CTX_new())) goto err; @@ -332,6 +333,6 @@ int setup_tests(void) { ADD_TEST(test_mod_exp_zero); ADD_ALL_TESTS(test_mod_exp, 200); - ADD_ALL_TESTS(test_mod_exp_x2, 100); + ADD_ALL_TESTS(test_mod_exp_x2, 300); return 1; } diff --git a/test/fake_rsaprov.h b/test/fake_rsaprov.h index 190c46a28..72de892d5 100644 --- a/test/fake_rsaprov.h +++ b/test/fake_rsaprov.h @@ -1,5 +1,5 @@ /* - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/fips-and-base.cnf b/test/fips-and-base.cnf index 494e96a87..f233f8306 100644 --- a/test/fips-and-base.cnf +++ b/test/fips-and-base.cnf @@ -7,6 +7,12 @@ config_diagnostics = 1 [openssl_init] providers = provider_sect +# You MUST uncomment the following line to operate in a FIPS approved manner, +# It is commented out here purely for testing purposes. +#alg_section = evp_properties + +[evp_properties] +default_properties = "fips=yes" [provider_sect] fips = fips_sect 
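Review bot: In kdf_test_run, `EVP_KDF_CTX_dup` is called without an `ERR_set_mark()`/`ERR_pop_to_mark()` pair, so a provider that does not implement dupctx (dup returns NULL and the test correctly continues with the original context) may leave an entry on the error queue that a later error-queue check could misattribute — the exact consequence depends on code outside this hunk. cipher_test_enc wraps its equivalent copy/dup fallback with `ERR_pop_to_mark()`; the same shape fits here: `ERR_set_mark();` before the `if`, `ERR_pop_to_mark();` after it, plus a comment `/* Derive from a dup if the provider supports it; fall back to the original ctx otherwise */`.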
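Review bot: In test_mod_exp_x2 the removed `/* Currently only 1024-bit factor size is supported. */` comment is not replaced, so nothing now says why the idx thresholds are 100/200/300 or that `factor_size` silently stays 0 for any other idx; suggest `/* idx 0-100: 1024-bit, 101-200: 1536-bit, 201-299: 2048-bit factors; keep in sync with ADD_ALL_TESTS(test_mod_exp_x2, 300) */`. The buckets are also uneven — `idx <= 100` covers 101 cases while `ADD_ALL_TESTS(..., 300)` runs idx 0..299, so the 2048-bit bucket gets 99 — and `idx < 100` / `idx < 200` / `idx < 300` would give three equal groups. An `else { TEST_error("unexpected idx %d", idx); goto err; }` branch would turn a future count mismatch into a failure instead of a run with a zero factor size.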
diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c index 285391bc0..42f7aaf02 100644 --- a/test/helpers/handshake.c +++ b/test/helpers/handshake.c @@ -641,6 +641,8 @@ static int configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, if (extra->server.session_ticket_app_data != NULL) { server_ctx_data->session_ticket_app_data = OPENSSL_strdup(extra->server.session_ticket_app_data); + if (!TEST_ptr(server_ctx_data->session_ticket_app_data)) + goto err; SSL_CTX_set_session_ticket_cb(server_ctx, generate_session_ticket_cb, decrypt_session_ticket_cb, server_ctx_data); } @@ -649,6 +651,8 @@ static int configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, goto err; server2_ctx_data->session_ticket_app_data = OPENSSL_strdup(extra->server2.session_ticket_app_data); + if (!TEST_ptr(server2_ctx_data->session_ticket_app_data)) + goto err; SSL_CTX_set_session_ticket_cb(server2_ctx, NULL, decrypt_session_ticket_cb, server2_ctx_data); } diff --git a/test/helpers/ssltestlib.c b/test/helpers/ssltestlib.c index 4c17faea5..6aadc3341 100644 --- a/test/helpers/ssltestlib.c +++ b/test/helpers/ssltestlib.c @@ -12,7 +12,7 @@ #include "internal/nelem.h" #include "ssltestlib.h" #include "../testutil.h" -#include "e_os.h" /* for ossl_sleep() etc. */ +#include "internal/e_os.h" /* for ossl_sleep() etc. */ #ifdef OPENSSL_SYS_UNIX # include 
@@ -406,10 +406,93 @@ static int mempacket_test_read(BIO *bio, char *out, int outl) } memcpy(out, thispkt->data, outl); + mempacket_free(thispkt); return outl; } +/* + * Look for records from different epochs and swap them around + */ +int mempacket_swap_epoch(BIO *bio) +{ + MEMPACKET_TEST_CTX *ctx = BIO_get_data(bio); + MEMPACKET *thispkt; + int rem, len, prevlen = 0, pktnum; + unsigned char *rec, *prevrec = NULL, *tmp; + unsigned int epoch; + int numpkts = sk_MEMPACKET_num(ctx->pkts); + + if (numpkts <= 0) + return 0; + + /* + * If there are multiple packets we only look in the last one. This should + * always be the one where any epoch change occurs. + */ + thispkt = sk_MEMPACKET_value(ctx->pkts, numpkts - 1); + if (thispkt == NULL) + return 0; + + for (rem = thispkt->len, rec = thispkt->data; rem > 0; rem -= len, rec += len) { + if (rem < DTLS1_RT_HEADER_LENGTH) + return 0; + epoch = (rec[EPOCH_HI] << 8) | rec[EPOCH_LO]; + len = ((rec[RECORD_LEN_HI] << 8) | rec[RECORD_LEN_LO]) + + DTLS1_RT_HEADER_LENGTH; + if (rem < len) + return 0; + + /* Assumes the epoch change does not happen on the first record */ + if (epoch != ctx->epoch) { + if (prevrec == NULL) + return 0; + + /* + * We found 2 records with different epochs. Take a copy of the + * earlier record + */ + tmp = OPENSSL_malloc(prevlen); + if (tmp == NULL) + return 0; + + memcpy(tmp, prevrec, prevlen); + /* + * Move everything from this record onwards, including any trailing + * records, and overwrite the earlier record + */ + memmove(prevrec, rec, rem); + thispkt->len -= prevlen; + pktnum = thispkt->num; + + /* + * Create a new packet for the earlier record that we took out and + * add it to the end of the packet list. 
+ */ + thispkt = OPENSSL_malloc(sizeof(*thispkt)); + if (thispkt == NULL) { + OPENSSL_free(tmp); + return 0; + } + thispkt->type = INJECT_PACKET; + thispkt->data = tmp; + thispkt->len = prevlen; + thispkt->num = pktnum + 1; + if (sk_MEMPACKET_insert(ctx->pkts, thispkt, numpkts) <= 0) { + OPENSSL_free(tmp); + OPENSSL_free(thispkt); + return 0; + } + + return 1; + } + prevrec = rec; + prevlen = len; + } + + return 0; +} + /* Take the last and penultimate packets and swap them around */ int mempacket_swap_recent(BIO *bio) { diff --git a/test/helpers/ssltestlib.h b/test/helpers/ssltestlib.h index 1f9e803ff..93c5316d7 100644 --- a/test/helpers/ssltestlib.h +++ b/test/helpers/ssltestlib.h @@ -49,6 +49,7 @@ void bio_s_always_retry_free(void); #define MEMPACKET_CTRL_GET_DROP_REC (3 << 15) #define MEMPACKET_CTRL_SET_DUPLICATE_REC (4 << 15) +int mempacket_swap_epoch(BIO *bio); int mempacket_swap_recent(BIO *bio); int mempacket_test_inject(BIO *bio, const char *in, int inl, int pktnum, int type); diff --git a/test/lhash_test.c b/test/lhash_test.c index 537ae1876..ff4f3ffe0 100644 --- a/test/lhash_test.c +++ b/test/lhash_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -27,7 +27,7 @@ #pragma clang diagnostic ignored "-Wunused-function" #endif -DEFINE_LHASH_OF(int); +DEFINE_LHASH_OF_EX(int); static int int_tests[] = { 65537, 13, 1, 3, -5, 6, 7, 4, -10, -12, -14, 22, 9, -17, 16, 17, -23, 35, 37, 173, 11 }; 
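Review bot: In mempacket_swap_epoch the original packet is mutated (`memmove(prevrec, rec, rem)` and `thispkt->len -= prevlen`) before the new MEMPACKET is allocated and inserted, so if `OPENSSL_malloc(sizeof(*thispkt))` or `sk_MEMPACKET_insert` fails the function returns 0 with the earlier record already dropped from the stream and its copy freed, leaving the BIO in a state that matches neither the before nor the after picture. Allocating the new MEMPACKET and inserting it into the stack first, and only then doing the memmove and length adjustment on the original packet (keeping a separate pointer to it, since `thispkt` is reused for the new one), makes every failure path leave the stream untouched. The numbering choice `thispkt->num = pktnum + 1` for a packet placed at index `numpkts` also deserves a one-line comment, as the file's packet-numbering conventions are outside this hunk.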
@@ -210,11 +210,6 @@ static int test_stress(void) if (!TEST_int_eq(lh_int_num_items(h), n)) goto end; - TEST_info("hash full statistics:"); - OPENSSL_LH_stats_bio((OPENSSL_LHASH *)h, bio_err); - TEST_note("hash full node usage:"); - OPENSSL_LH_node_usage_stats_bio((OPENSSL_LHASH *)h, bio_err); - /* delete in a different order */ for (i = 0; i < n; i++) { const int j = (7 * i + 4) % n * 3 + 1; @@ -230,11 +225,6 @@ static int test_stress(void) OPENSSL_free(p); } - TEST_info("hash empty statistics:"); - OPENSSL_LH_stats_bio((OPENSSL_LHASH *)h, bio_err); - TEST_note("hash empty node usage:"); - OPENSSL_LH_node_usage_stats_bio((OPENSSL_LHASH *)h, bio_err); - testresult = 1; end: lh_int_free(h); diff --git a/test/localetest.c b/test/localetest.c index 9df90ed90..616356a14 100644 --- a/test/localetest.c +++ b/test/localetest.c @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include "../e_os.h" +#include "internal/e_os.h" #include #include #include diff --git a/test/mdc2test.c b/test/mdc2test.c index 619574fb0..8f5a5cd2b 100644 --- a/test/mdc2test.c +++ b/test/mdc2test.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -18,7 +18,6 @@ #include #include #include -#include "internal/nelem.h" #include "testutil.h" #if defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_MDC2) diff --git a/test/nodefltctxtest.c b/test/nodefltctxtest.c new file mode 100644 index 000000000..3af3f9173 --- /dev/null +++ b/test/nodefltctxtest.c 
@@ -0,0 +1,60 @@ +/* + * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include "testutil.h" + +/* + * Test that the default libctx does not get initialised when using a custom + * libctx. We assume that this test application has been executed such that the + * null provider is loaded via the config file. + */ +static int test_no_deflt_ctx_init(void) +{ + int testresult = 0; + EVP_MD *md = NULL; + OSSL_LIB_CTX *ctx = OSSL_LIB_CTX_new(); + + if (!TEST_ptr(ctx)) + return 0; + + md = EVP_MD_fetch(ctx, "SHA2-256", NULL); + if (!TEST_ptr(md)) + goto err; + + /* + * Since we're using a non-default libctx above, the default libctx should + * not have been initialised via config file, and so it is not too late to + * use OPENSSL_INIT_NO_LOAD_CONFIG. + */ + OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL); + + /* + * If the config file was incorrectly loaded then the null provider will + * have been initialised and the default provider loading will have been + * blocked. If the config file was NOT loaded (as we expect) then the + * default provider should be available. + */ + if (!TEST_true(OSSL_PROVIDER_available(NULL, "default"))) + goto err; + if (!TEST_false(OSSL_PROVIDER_available(NULL, "null"))) + goto err; + + testresult = 1; + err: + EVP_MD_free(md); + OSSL_LIB_CTX_free(ctx); + return testresult; +} + +int setup_tests(void) +{ + ADD_TEST(test_no_deflt_ctx_init); + return 1; +} diff --git a/test/null.cnf b/test/null.cnf new file mode 100644 index 000000000..964f7f3ef --- /dev/null +++ b/test/null.cnf 
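Review bot: In test_no_deflt_ctx_init the return value of `OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL)` is ignored while every other call in the function is checked; an initialisation failure here would make the two `OSSL_PROVIDER_available` checks that follow fail for an unrelated reason. Suggest `if (!TEST_true(OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))) goto err;`. The header comment says the null provider is expected to be loaded via the config file; naming the file (presumably the `test/null.cnf` added in this same commit) and the fact that the test is meaningless when run standalone with a default config would prevent a misread failure.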
@@ -0,0 +1,13 @@ +openssl_conf = openssl_init + +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + +[openssl_init] +providers = provider_sect + +[provider_sect] +null = null_sect + +[null_sect] +activate = 1 diff --git a/test/p_test.c b/test/p_test.c index 80f0784dd..b922ec997 100644 --- a/test/p_test.c +++ b/test/p_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -26,7 +26,7 @@ # define OSSL_provider_init PROVIDER_INIT_FUNCTION_NAME #endif -#include "e_os.h" +#include "internal/e_os.h" #include #include #include diff --git a/test/packettest.c b/test/packettest.c index 17831d940..5bdcfd662 100644 --- a/test/packettest.c +++ b/test/packettest.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/param_build_test.c b/test/param_build_test.c index 8257c6fba..a96ae63bd 100644 --- a/test/param_build_test.c +++ b/test/param_build_test.c @@ -384,7 +384,7 @@ static int builder_limit_test(void) } if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) goto err; - /* Count the elements in the params arrary, expecting n */ + /* Count the elements in the params array, expecting n */ for (i = 0; params[i].key != NULL; i++); if (!TEST_int_eq(i, n)) goto err; 
@@ -396,7 +396,7 @@ static int builder_limit_test(void) if (!TEST_true(OSSL_PARAM_BLD_push_int(bld, "g", 2)) || !TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))) goto err; - /* Count the elements in the params arrary, expecting 1 */ + /* Count the elements in the params array, expecting 1 */ for (i = 0; params[i].key != NULL; i++); if (!TEST_int_eq(i, 1)) goto err; diff --git a/test/params_api_test.c b/test/params_api_test.c index 48e2f8920..07ad3a2c3 100644 --- a/test/params_api_test.c +++ b/test/params_api_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use @@ -78,7 +78,7 @@ static int test_param_type_extra(OSSL_PARAM *param, const unsigned char *cmp, const int signd = param->data_type == OSSL_PARAM_INTEGER; /* - * Set the unmodified sentinal directly because there is no param array + * Set the unmodified sentinel directly because there is no param array * for these tests. */ param->return_size = OSSL_PARAM_UNMODIFIED; @@ -424,14 +424,15 @@ static int test_param_bignum(int n) int ret = 0; param.data = bnbuf; - param.data_size = len; + param.data_size = sizeof(bnbuf); - le_copy(buf, raw_values[n].value, len); if (!TEST_ptr(b = BN_lebin2bn(raw_values[n].value, (int)len, NULL))) goto err; - if (!TEST_true(OSSL_PARAM_set_BN(¶m, b)) - || !TEST_mem_eq(bnbuf, param.return_size, buf, param.return_size)) + if (!TEST_true(OSSL_PARAM_set_BN(¶m, b))) + goto err; + le_copy(buf, bnbuf, sizeof(bnbuf)); + if (!TEST_mem_eq(raw_values[n].value, len, buf, len)) goto err; param.data_size = param.return_size; if (!TEST_true(OSSL_PARAM_get_BN(¶m, &c)) diff --git a/test/params_conversion_test.c b/test/params_conversion_test.c index 30477e812..01a768efd 100644 --- a/test/params_conversion_test.c 
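Review bot: `le_copy(buf, bnbuf, sizeof(bnbuf))` now copies the whole of `bnbuf` where the old code copied only `len` bytes; `buf` is declared outside this hunk, so unless it is at least `sizeof(bnbuf)` bytes this is an out-of-bounds write in the test itself — confirm the two arrays share a size, or copy `param.return_size` bytes instead. The rewritten checks also no longer assert anything about `param.return_size` before it is reused as `param.data_size` for `OSSL_PARAM_get_BN()`; adding `|| !TEST_size_t_le(param.return_size, sizeof(bnbuf))` to the `OSSL_PARAM_set_BN()` check keeps that reuse within the buffer. test_param_bignum starts before this hunk.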
+++ b/test/params_conversion_test.c @@ -190,7 +190,8 @@ static int param_conversion_test(const PARAM_CONVERSION *pc, int line) double d; if (!pc->valid_i32) { - if (!TEST_false(OSSL_PARAM_get_int32(pc->param, &i32))) { + if (!TEST_false(OSSL_PARAM_get_int32(pc->param, &i32)) + || !TEST_ulong_ne(ERR_get_error(), 0)) { TEST_note("unexpected valid conversion to int32 on line %d", line); return 0; } @@ -210,7 +211,8 @@ static int param_conversion_test(const PARAM_CONVERSION *pc, int line) } if (!pc->valid_i64) { - if (!TEST_false(OSSL_PARAM_get_int64(pc->param, &i64))) { + if (!TEST_false(OSSL_PARAM_get_int64(pc->param, &i64)) + || !TEST_ulong_ne(ERR_get_error(), 0)) { TEST_note("unexpected valid conversion to int64 on line %d", line); return 0; } @@ -230,7 +232,8 @@ static int param_conversion_test(const PARAM_CONVERSION *pc, int line) } if (!pc->valid_u32) { - if (!TEST_false(OSSL_PARAM_get_uint32(pc->param, &u32))) { + if (!TEST_false(OSSL_PARAM_get_uint32(pc->param, &u32)) + || !TEST_ulong_ne(ERR_get_error(), 0)) { TEST_note("unexpected valid conversion to uint32 on line %d", line); return 0; } @@ -250,7 +253,8 @@ static int param_conversion_test(const PARAM_CONVERSION *pc, int line) } if (!pc->valid_u64) { - if (!TEST_false(OSSL_PARAM_get_uint64(pc->param, &u64))) { + if (!TEST_false(OSSL_PARAM_get_uint64(pc->param, &u64)) + || !TEST_ulong_ne(ERR_get_error(), 0)) { TEST_note("unexpected valid conversion to uint64 on line %d", line); return 0; } @@ -270,7 +274,8 @@ static int param_conversion_test(const PARAM_CONVERSION *pc, int line) } if (!pc->valid_d) { - if (!TEST_false(OSSL_PARAM_get_double(pc->param, &d))) { + if (!TEST_false(OSSL_PARAM_get_double(pc->param, &d)) + || !TEST_ulong_ne(ERR_get_error(), 0)) { TEST_note("unexpected valid conversion to double on line %d", line); return 0; } diff --git a/test/params_test.c b/test/params_test.c index 6a970feaa..614c8debb 100644 --- a/test/params_test.c +++ b/test/params_test.c 
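Review bot: `TEST_ulong_ne(ERR_get_error(), 0)` only shows that the error queue was non-empty at that point, not that this `OSSL_PARAM_get_int32()` call raised the error — a stale entry from an earlier step satisfies it, and `ERR_get_error()` pops a single entry so any further errors stay queued for the later checks. An `ERR_clear_error();` immediately before each `if (!TEST_false(OSSL_PARAM_get_...` makes the assertion attributable to the conversion under test; the same applies to the other four hunks on this line. param_conversion_test begins before these hunks.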
@@ -1,5 +1,5 @@ /* - * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -46,7 +46,7 @@ struct object_st { */ double p2; /* - * Documented as an arbitrarly large unsigned integer. + * Documented as an arbitrarily large unsigned integer. * The data size must be large enough to accommodate. * Assumed data type OSSL_PARAM_UNSIGNED_INTEGER */ diff --git a/test/pkcs12_format_test.c b/test/pkcs12_format_test.c index d4129d252..5597250a2 100644 --- a/test/pkcs12_format_test.c +++ b/test/pkcs12_format_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,8 +11,6 @@ #include #include -#include "internal/nelem.h" - #include #include #include diff --git a/test/property_test.c b/test/property_test.c index 6a405e364..45b1db3e8 100644 --- a/test/property_test.c +++ b/test/property_test.c 
@@ -50,30 +50,59 @@ static void down_ref(void *p) static int test_property_string(void) { - OSSL_METHOD_STORE *store; + OSSL_LIB_CTX *ctx; + OSSL_METHOD_STORE *store = NULL; int res = 0; OSSL_PROPERTY_IDX i, j; - if (TEST_ptr(store = ossl_method_store_new(NULL)) - && TEST_int_eq(ossl_property_name(NULL, "fnord", 0), 0) - && TEST_int_ne(ossl_property_name(NULL, "fnord", 1), 0) - && TEST_int_ne(ossl_property_name(NULL, "name", 1), 0) + /*- + * Use our own library context because we depend on ordering from a + * pristine state. + */ + if (TEST_ptr(ctx = OSSL_LIB_CTX_new()) + && TEST_ptr(store = ossl_method_store_new(ctx)) + && TEST_int_eq(ossl_property_name(ctx, "fnord", 0), 0) + && TEST_int_ne(ossl_property_name(ctx, "fnord", 1), 0) + && TEST_int_ne(ossl_property_name(ctx, "name", 1), 0) + /* Pre loaded names */ + && TEST_str_eq(ossl_property_name_str(ctx, 1), "provider") + && TEST_str_eq(ossl_property_name_str(ctx, 2), "version") + && TEST_str_eq(ossl_property_name_str(ctx, 3), "fips") + && TEST_str_eq(ossl_property_name_str(ctx, 4), "output") + && TEST_str_eq(ossl_property_name_str(ctx, 5), "input") + && TEST_str_eq(ossl_property_name_str(ctx, 6), "structure") + /* The names we added */ + && TEST_str_eq(ossl_property_name_str(ctx, 7), "fnord") + && TEST_str_eq(ossl_property_name_str(ctx, 8), "name") + /* Out of range */ + && TEST_ptr_null(ossl_property_name_str(ctx, 0)) + && TEST_ptr_null(ossl_property_name_str(ctx, 9)) /* Property value checks */ - && TEST_int_eq(ossl_property_value(NULL, "fnord", 0), 0) - && TEST_int_ne(i = ossl_property_value(NULL, "no", 0), 0) - && TEST_int_ne(j = ossl_property_value(NULL, "yes", 0), 0) + && TEST_int_eq(ossl_property_value(ctx, "fnord", 0), 0) + && TEST_int_ne(i = ossl_property_value(ctx, "no", 0), 0) + && TEST_int_ne(j = ossl_property_value(ctx, "yes", 0), 0) && TEST_int_ne(i, j) - && TEST_int_eq(ossl_property_value(NULL, "yes", 1), j) - && TEST_int_eq(ossl_property_value(NULL, "no", 1), i) - && TEST_int_ne(i = 
ossl_property_value(NULL, "illuminati", 1), 0) - && TEST_int_eq(j = ossl_property_value(NULL, "fnord", 1), i + 1) - && TEST_int_eq(ossl_property_value(NULL, "fnord", 1), j) + && TEST_int_eq(ossl_property_value(ctx, "yes", 1), j) + && TEST_int_eq(ossl_property_value(ctx, "no", 1), i) + && TEST_int_ne(i = ossl_property_value(ctx, "illuminati", 1), 0) + && TEST_int_eq(j = ossl_property_value(ctx, "fnord", 1), i + 1) + && TEST_int_eq(ossl_property_value(ctx, "fnord", 1), j) + /* Pre loaded values */ + && TEST_str_eq(ossl_property_value_str(ctx, 1), "yes") + && TEST_str_eq(ossl_property_value_str(ctx, 2), "no") + /* The value we added */ + && TEST_str_eq(ossl_property_value_str(ctx, 3), "illuminati") + && TEST_str_eq(ossl_property_value_str(ctx, 4), "fnord") + /* Out of range */ + && TEST_ptr_null(ossl_property_value_str(ctx, 0)) + && TEST_ptr_null(ossl_property_value_str(ctx, 5)) /* Check name and values are distinct */ - && TEST_int_eq(ossl_property_value(NULL, "cold", 0), 0) - && TEST_int_ne(ossl_property_name(NULL, "fnord", 0), - ossl_property_value(NULL, "fnord", 0))) + && TEST_int_eq(ossl_property_value(ctx, "cold", 0), 0) + && TEST_int_ne(ossl_property_name(ctx, "fnord", 0), + ossl_property_value(ctx, "fnord", 0))) res = 1; ossl_method_store_free(store); + OSSL_LIB_CTX_free(ctx); return res; } diff --git a/test/punycode_test.c b/test/punycode_test.c index 9d8171346..5b8b0bd27 100644 --- a/test/punycode_test.c +++ b/test/punycode_test.c @@ -12,6 +12,7 @@ #include "crypto/punycode.h" #include "internal/nelem.h" +#include "internal/packet.h" #include "testutil.h" 
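Review bot: The new `ossl_property_name_str(ctx, 1)` … `(ctx, 6)` and `ossl_property_value_str(ctx, 1)`/`(ctx, 2)` assertions hard-code the preload order of the property name and value tables, so adding or reordering a predefined name elsewhere will fail this test with no hint as to why. A comment over the `/* Pre loaded names */` block such as `/* Indices 1..6 mirror the predefined property names; keep in step with the preload table */` would make the coupling explicit. Likewise the out-of-range probes `(ctx, 9)` and `(ctx, 5)` are only one past the end because exactly two names and two values were added in this chain; saying so would prevent a silent shift if another lookup is inserted above them.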
@@ -166,29 +167,17 @@ static int test_punycode(int n)
 static int test_a2ulabel(void)
 {
 char out[50];
- size_t outlen;
 
 /*
- * Test that no buffer correctly returns the true length.
 * The punycode being passed in and parsed is malformed but we're not
 * verifying that behaviour here.
 */
- if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", NULL, &outlen), 0)
- || !TEST_size_t_eq(outlen, 7)
- || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1))
- return 0;
- /* Test that a short input length returns the true length */
- outlen = 1;
- if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 0)
- || !TEST_size_t_eq(outlen, 7)
- || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1)
- || !TEST_str_eq(out,"\xc2\x80.b.c"))
+ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, 1), 0)
+ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, 7), 1))
 return 0;
 /* Test for an off by one on the buffer size works */
- outlen = 6;
- if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 0)
- || !TEST_size_t_eq(outlen, 7)
- || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1)
+ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, 6), 0)
+ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, 7), 1)
 || !TEST_str_eq(out,"\xc2\x80.b.c"))
 return 0;
 return 1;
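Review bot: The short-buffer calls `ossl_a2ulabel("xn--a.b.c", out, 1)` and `ossl_a2ulabel("xn--a.b.c", out, 6)` check only the return value; unlike `test_dotted_overflow` below, nothing asserts that bytes beyond the declared size were left untouched, which is the property an undersized-buffer test exists to pin. A `memset(out, 0x7f, sizeof(out));` before the size-6 call and `|| !TEST_int_eq(out[6], 0x7f)` after it would catch an off-by-one write. The removed probe mode (NULL buffer returning the required length) appears to have been dropped from the API with the change from `&outlen` to a plain size; a one-line comment saying the caller must now size the buffer itself would save the next reader from looking for it.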
@@ -211,9 +200,57 @@ static int test_puny_overrun(void)
 return 1;
 }
 
+static int test_dotted_overflow(void)
+{
+ static const char string[] = "a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a";
+ const size_t num_reps = OSSL_NELEM(string) / 2;
+ WPACKET p;
+ BUF_MEM *in;
+ char *out = NULL;
+ size_t i;
+ int res = 0;
+
+ /* Create out input punycode string */
+ if (!TEST_ptr(in = BUF_MEM_new()))
+ return 0;
+ if (!TEST_true(WPACKET_init_len(&p, in, 0))) {
+ BUF_MEM_free(in);
+ return 0;
+ }
+ for (i = 0; i < num_reps; i++) {
+ if (i > 1 && !TEST_true(WPACKET_put_bytes_u8(&p, '.')))
+ goto err;
+ if (!TEST_true(WPACKET_memcpy(&p, "xn--a", sizeof("xn--a") - 1)))
+ goto err;
+ }
+ if (!TEST_true(WPACKET_put_bytes_u8(&p, '\0')))
+ goto err;
+ if (!TEST_ptr(out = OPENSSL_malloc(in->length)))
+ goto err;
+
+ /* Test the decode into an undersized buffer */
+ memset(out, 0x7f, in->length - 1);
+ if (!TEST_int_le(ossl_a2ulabel(in->data, out, num_reps), 0)
+ || !TEST_int_eq(out[num_reps], 0x7f))
+ goto err;
+
+ /* Test the decode works into a full size buffer */
+ if (!TEST_int_gt(ossl_a2ulabel(in->data, out, in->length), 0)
+ || !TEST_size_t_eq(strlen(out), num_reps * 3))
+ goto err;
+
+ res = 1;
+ err:
+ WPACKET_cleanup(&p);
+ BUF_MEM_free(in);
+ OPENSSL_free(out);
+ return res;
+}
+
 int setup_tests(void)
 {
 ADD_ALL_TESTS(test_punycode, OSSL_NELEM(puny_cases));
+ ADD_TEST(test_dotted_overflow);
 ADD_TEST(test_a2ulabel);
 ADD_TEST(test_puny_overrun);
 return 1;
diff --git a/test/rdrand_sanitytest.c b/test/rdcpu_sanitytest.c
similarity index 77%
rename from test/rdrand_sanitytest.c
rename to test/rdcpu_sanitytest.c
index dcc9d2800..c14e85c9b 100644
--- a/test/rdrand_sanitytest.c
+++ b/test/rdcpu_sanitytest.c
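Review bot: The separator guard `if (i > 1 && ...)` omits the dot before the second label as well as the first, so the generated input starts with the single fused label `xn--axn--a` rather than a run of identical `xn--a` labels, and `TEST_size_t_eq(strlen(out), num_reps * 3)` only comes out exact because of how that fused label happens to decode. If a plain dotted run is intended, use `if (i > 0 && ...)` and expect `num_reps * 3 - 1`; if the fused label is deliberate, a comment should say so. Separately, `in->length` is the BUF_MEM allocation size, which WPACKET may grow past the bytes actually written, so the "full size buffer" decode is probably looser than intended; `WPACKET_get_total_written()` gives the exact length. The comment `/* Create out input punycode string */` should read `our`.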
@@ -1,5 +1,5 @@ /* - * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -16,10 +16,24 @@ #if (defined(__i386) || defined(__i386__) || defined(_M_IX86) || \ defined(__x86_64) || defined(__x86_64__) || \ defined(_M_AMD64) || defined (_M_X64)) && defined(OPENSSL_CPUID_OBJ) - +# define IS_X_86 1 size_t OPENSSL_ia32_rdrand_bytes(unsigned char *buf, size_t len); size_t OPENSSL_ia32_rdseed_bytes(unsigned char *buf, size_t len); +#else +# define IS_X_86 0 +#endif + +#if defined(__aarch64__) && defined(OPENSSL_CPUID_OBJ) +# define IS_AARCH_64 1 +# include "arm_arch.h" + +size_t OPENSSL_rndr_bytes(unsigned char *buf, size_t len); +size_t OPENSSL_rndrrs_bytes(unsigned char *buf, size_t len); +#else +# define IS_AARCH_64 0 +#endif +#if (IS_X_86 || IS_AARCH_64) static int sanity_check_bytes(size_t (*rng)(unsigned char *, size_t), int rounds, int min_failures, int max_retries, int max_zero_words) { @@ -76,7 +90,9 @@ static int sanity_check_bytes(size_t (*rng)(unsigned char *, size_t), end: return testresult; } +#endif +#if IS_X_86 static int sanity_check_rdrand_bytes(void) { return sanity_check_bytes(OPENSSL_ia32_rdrand_bytes, 1000, 0, 10, 10); 
@@ -92,11 +108,24 @@ static int sanity_check_rdseed_bytes(void) */ return sanity_check_bytes(OPENSSL_ia32_rdseed_bytes, 1000, 1, 10000, 10); } +#elif IS_AARCH_64 +static int sanity_check_rndr_bytes(void) +{ + return sanity_check_bytes(OPENSSL_rndr_bytes, 1000, 0, 10, 10); +} + +static int sanity_check_rndrrs_bytes(void) +{ + return sanity_check_bytes(OPENSSL_rndrrs_bytes, 1000, 0, 10000, 10); +} +#endif int setup_tests(void) { +#if (IS_X_86 || IS_AARCH_64) OPENSSL_cpuid_setup(); +# if IS_X_86 int have_rdseed = (OPENSSL_ia32cap_P[2] & (1 << 18)) != 0; int have_rdrand = (OPENSSL_ia32cap_P[1] & (1 << (62 - 32))) != 0; @@ -107,16 +136,15 @@ int setup_tests(void) if (have_rdseed) { ADD_TEST(sanity_check_rdseed_bytes); } +# elif IS_AARCH_64 + int have_rndr_rndrrs = (OPENSSL_armcap_P & (1 << 8)) != 0; - return 1; -} - - -#else + if (have_rndr_rndrrs) { + ADD_TEST(sanity_check_rndr_bytes); + ADD_TEST(sanity_check_rndrrs_bytes); + } +# endif +#endif -int setup_tests(void) -{ return 1; } - -#endif diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t index c39b2cee0..5876fc6ad 100644 --- a/test/recipes/03-test_fipsinstall.t +++ b/test/recipes/03-test_fipsinstall.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -24,7 +24,7 @@ use platform; plan skip_all => "Test only supported in a fips build" if disabled("fips"); -plan tests => 29; +plan tests => 31; my $infile = bldtop_file('providers', platform->dso('fips')); my $fipskey = $ENV{FIPSKEY} // config('FIPSKEY') // '00'; 
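Review bot: `(OPENSSL_armcap_P & (1 << 8))` hard-codes the capability bit for RNDR/RNDRRS; `arm_arch.h` is already included for this branch, so if it exposes a named mask for the feature the test should use that rather than a magic shift, and failing that a comment `/* bit 8: RNDR and RNDRRS available */` is the minimum. The declaration `int have_rndr_rndrrs = ...` also follows the `OPENSSL_cpuid_setup();` statement; the x86 branch already did this, but hoisting both `int have_*` declarations above the call would match the rest of the tree. Note that `sanity_check_rndrrs_bytes` passes `min_failures` of 0 where the rdseed variant above it passes 1; if RNDRRS is expected never to fail under retry, a comment saying so would help.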
@@ -227,7 +227,25 @@ SKIP: { "fipsinstall fails when the kas result is corrupted"); } -# corrupt a Signature test +# corrupt a Signature test - 140-3 requires a known answer test +SKIP: { + skip "Skipping Signature DSA corruption test because of no dsa in this build", 1 + if disabled("dsa"); + + run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]), + capture => 1, statusvar => \my $exit); + skip "FIPS provider version is too old for KAT DSA signature test", 1 + if !$exit; + ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, + '-provider_name', 'fips', '-mac_name', 'HMAC', + '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", + '-section_name', 'fips_sect', '-self_test_oninstall', + '-corrupt_desc', 'DSA', + '-corrupt_type', 'KAT_Signature'])), + "fipsinstall fails when the signature result is corrupted"); +} + +# corrupt a Signature test - 140-2 allows a pairwise consistency test SKIP: { skip "Skipping Signature DSA corruption test because of no dsa in this build", 1 if disabled("dsa"); @@ -236,7 +254,6 @@ SKIP: { capture => 1, statusvar => \my $exit); skip "FIPS provider version is too new for PCT DSA signature test", 1 if !$exit; - ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, '-provider_name', 'fips', '-mac_name', 'HMAC', '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 
@@ -269,24 +286,31 @@ ok(replace_parent_line_file('fips_no_module_mac.cnf', '-config', 'fips_parent_no_module_mac.cnf'])), "verify load config fail no module mac"); -ok(replace_parent_line_file('fips_no_install_mac.cnf', - 'fips_parent_no_install_mac.cnf') - && !run(app(['openssl', 'fipsinstall', - '-config', 'fips_parent_no_install_mac.cnf'])), - "verify load config fail no install mac"); +SKIP: { + run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]), + capture => 1, statusvar => \my $exit); + skip "FIPS provider version doesn't support self test indicator", 3 + if !$exit; -ok(replace_parent_line_file('fips_bad_indicator.cnf', - 'fips_parent_bad_indicator.cnf') - && !run(app(['openssl', 'fipsinstall', - '-config', 'fips_parent_bad_indicator.cnf'])), - "verify load config fail bad indicator"); + ok(replace_parent_line_file('fips_no_install_mac.cnf', + 'fips_parent_no_install_mac.cnf') + && !run(app(['openssl', 'fipsinstall', + '-config', 'fips_parent_no_install_mac.cnf'])), + "verify load config fail no install mac"); + ok(replace_parent_line_file('fips_bad_indicator.cnf', + 'fips_parent_bad_indicator.cnf') + && !run(app(['openssl', 'fipsinstall', + '-config', 'fips_parent_bad_indicator.cnf'])), + "verify load config fail bad indicator"); -ok(replace_parent_line_file('fips_bad_install_mac.cnf', - 'fips_parent_bad_install_mac.cnf') - && !run(app(['openssl', 'fipsinstall', - '-config', 'fips_parent_bad_install_mac.cnf'])), - "verify load config fail bad install mac"); + + ok(replace_parent_line_file('fips_bad_install_mac.cnf', + 'fips_parent_bad_install_mac.cnf') + && !run(app(['openssl', 'fipsinstall', + '-config', 'fips_parent_bad_install_mac.cnf'])), + "verify load config fail bad install mac"); +} ok(replace_parent_line_file('fips_bad_module_mac.cnf', 'fips_parent_bad_module_mac.cnf') 
@@ -294,17 +318,36 @@ ok(replace_parent_line_file('fips_bad_module_mac.cnf', '-config', 'fips_parent_bad_module_mac.cnf'])), "verify load config fail bad module mac"); +SKIP: { + run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]), + capture => 1, statusvar => \my $exit); + skip "FIPS provider version doesn't support self test indicator", 3 + if !$exit; + + my $stconf = "fipsmodule_selftest.cnf"; -my $stconf = "fipsmodule_selftest.cnf"; + ok(run(app(['openssl', 'fipsinstall', '-out', $stconf, + '-module', $infile, '-self_test_onload'])), + "fipsinstall config saved without self test indicator"); -ok(run(app(['openssl', 'fipsinstall', '-out', $stconf, - '-module', $infile, '-self_test_onload'])), - "fipsinstall config saved without self test indicator"); + ok(!run(app(['openssl', 'fipsinstall', '-in', $stconf, + '-module', $infile, '-verify'])), + "fipsinstall config verify fails without self test indicator"); -ok(!run(app(['openssl', 'fipsinstall', '-in', $stconf, - '-module', $infile, '-verify'])), - "fipsinstall config verify fails without self test indicator"); + ok(run(app(['openssl', 'fipsinstall', '-in', $stconf, + '-module', $infile, '-self_test_onload', '-verify'])), + "fipsinstall config verify passes when self test indicator is not present"); +} -ok(run(app(['openssl', 'fipsinstall', '-in', $stconf, - '-module', $infile, '-self_test_onload', '-verify'])), - "fipsinstall config verify passes when self test indicator is not present"); +SKIP: { + run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]), + capture => 1, statusvar => \my $exit); + skip "FIPS provider version can run self tests on install", 1 + if !$exit; + ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, + '-provider_name', 'fips', '-mac_name', 'HMAC', + '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", + '-section_name', 'fips_sect', '-self_test_oninstall', + '-ems_check'])), + "fipsinstall fails when attempting to run self tests on 
install");
+}
diff --git a/test/recipes/04-test_nodefltctx.t b/test/recipes/04-test_nodefltctx.t
new file mode 100644
index 000000000..54f306b28
--- /dev/null
+++ b/test/recipes/04-test_nodefltctx.t
@@ -0,0 +1,19 @@
+#! /usr/bin/env perl
+# Copyright 2023The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use OpenSSL::Test::Simple;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use Cwd qw(abs_path);
+
+setup("test_nodefltctx");
+
+# Load the null provider by default into the default libctx
+$ENV{OPENSSL_CONF} = abs_path(srctop_file("test", "null.cnf"));
+
+simple_test("test_nodefltctx", "nodefltctxtest");
diff --git a/test/recipes/05-test_rand.t b/test/recipes/05-test_rand.t
index 3f352db9d..f68039a5d 100644
--- a/test/recipes/05-test_rand.t
+++ b/test/recipes/05-test_rand.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/06-test_rdrand_sanity.t b/test/recipes/06-test_rdcpu_sanity.t
similarity index 78%
rename from test/recipes/06-test_rdrand_sanity.t
rename to test/recipes/06-test_rdcpu_sanity.t
index a20e09e77..772ab9491 100644
--- a/test/recipes/06-test_rdrand_sanity.t
+++ b/test/recipes/06-test_rdcpu_sanity.t
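Review bot: The copyright line `# Copyright 2023The OpenSSL Project Authors. All Rights Reserved.` is missing the space after the year. The comment `# Load the null provider by default into the default libctx` describes what the config would do if it were loaded, whereas the point of `nodefltctxtest` is to verify that it is not auto-loaded into the default libctx; rewording to `# Point OPENSSL_CONF at null.cnf: the test asserts this config is NOT loaded into the default libctx` avoids the inversion. `abs_path()` is presumably needed because the test binary runs from the build tree rather than the source tree; a trailing clause saying so would explain the extra `use Cwd`.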
@@ -1,6 +1,6 @@ #! /usr/bin/env perl -# Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -13,10 +13,10 @@ use OpenSSL::Test; # get 'plan' use OpenSSL::Test::Simple; use OpenSSL::Test::Utils; -setup("test_rdrand_sanity"); +setup("test_rdcpu_sanity"); # We also need static builds to be enabled even on linux plan skip_all => "This test is unsupported if static builds are not enabled" if disabled("static"); -simple_test("test_rdrand_sanity", "rdrand_sanitytest"); +simple_test("test_rdcpu_sanity", "rdcpu_sanitytest"); diff --git a/test/recipes/15-test_rsapss.t b/test/recipes/15-test_rsapss.t index c566ade93..e5dbab1d8 100644 --- a/test/recipes/15-test_rsapss.t +++ b/test/recipes/15-test_rsapss.t @@ -16,7 +16,7 @@ use OpenSSL::Test::Utils; setup("test_rsapss"); -plan tests => 11; +plan tests => 16; #using test/testrsa.pem which happens to be a 512 bit RSA ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha1', @@ -67,6 +67,15 @@ ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'), srctop_file('test', 'testrsa.pem')])), "openssl dgst -sign rsa512bit.pem -sha1 -sigopt rsa_pss_saltlen:max produces 42 bits of PSS salt"); +ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'), + '-sha1', + '-sigopt', 'rsa_padding_mode:pss', + '-sigopt', 'rsa_pss_saltlen:auto-digestmax', + '-sigopt', 'rsa_mgf1_md:sha512', + '-signature', 'testrsapss-restricted.sig', + srctop_file('test', 'testrsa.pem')])), + "openssl dgst -prverify rsa512bit.pem -sha1 -sigopt rsa_pss_saltlen:auto-digestmax verifies signatures with saltlen > digestlen"); + ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'), '-sha1', '-sigopt', 'rsa_padding_mode:pss', 
@@ -74,6 +83,32 @@ ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'),
 srctop_file('test', 'testrsa.pem')])),
 "openssl dgst -prverify [plain RSA key, PSS padding mode, no PSS restrictions]");
+ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha1',
+ '-sigopt', 'rsa_padding_mode:pss',
+ '-sigopt', 'rsa_pss_saltlen:auto-digestmax',
+ '-out', 'testrsapss-sha1-autodigestmax.sig',
+ srctop_file('test', 'testrsa.pem')])),
+ "openssl dgst -sign -sha1 -rsa_pss_saltlen:auto-digestmax");
+ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'), '-sha1',
+ '-sigopt', 'rsa_padding_mode:pss',
+ '-sigopt', 'rsa_pss_saltlen:20',
+ '-signature', 'testrsapss-sha1-autodigestmax.sig',
+ srctop_file('test', 'testrsa.pem')])),
+ "openssl dgst -sign -sha1 -rsa_padding_mode:auto-digestmax produces 20 (i.e., digestlen) bits of PSS salt");
+
+ok(run(app(['openssl', 'dgst', '-sign', srctop_file('test', 'testrsa.pem'), '-sha256',
+ '-sigopt', 'rsa_padding_mode:pss',
+ '-sigopt', 'rsa_pss_saltlen:auto-digestmax',
+ '-out', 'testrsapss-sha256-autodigestmax.sig',
+ srctop_file('test', 'testrsa.pem')])),
+ "openssl dgst -sign -sha256 -rsa_pss_saltlen:auto-digestmax");
+ok(run(app(['openssl', 'dgst', '-prverify', srctop_file('test', 'testrsa.pem'), '-sha256',
+ '-sigopt', 'rsa_padding_mode:pss',
+ '-sigopt', 'rsa_pss_saltlen:30',
+ '-signature', 'testrsapss-sha256-autodigestmax.sig',
+ srctop_file('test', 'testrsa.pem')])),
+ "openssl dgst -sign rsa512bit.pem -sha256 -rsa_padding_mode:auto-digestmax produces 30 bits of PSS salt (due to 512bit key)");
+
 
 # Test that RSA-PSS keys are supported by genpkey and rsa commands.
 {
 my $rsapss = "rsapss.key";
diff --git a/test/recipes/20-test_dhparam.t b/test/recipes/20-test_dhparam.t
index eefd897b1..f5eaca290 100644
--- a/test/recipes/20-test_dhparam.t
+++ b/test/recipes/20-test_dhparam.t
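Review bot: The descriptions `... produces 20 (i.e., digestlen) bits of PSS salt` and `... produces 30 bits of PSS salt (due to 512bit key)` mis-state the unit: `rsa_pss_saltlen:20` and `:30` are byte counts (SHA-1 is 20 bytes; 64 - 32 - 2 = 30 bytes is the largest salt a SHA-256 PSS encoding fits under a 512-bit modulus), so `bits` should read `bytes`. Both also name the option `-rsa_padding_mode:auto-digestmax` although the sigopt actually passed is `rsa_pss_saltlen:auto-digestmax`. Suggested wording for the first: `"openssl dgst -sign -sha1 rsa_pss_saltlen:auto-digestmax produces 20 (i.e., digestlen) bytes of PSS salt"`.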
@@ -29,6 +29,7 @@ sub checkdhparams { my $gen = shift; #2, 5 or something else (0 is "something else")? my $format = shift; #DER or PEM? my $bits = shift; #Number of bits in p + my $keybits = shift; #Recommended private key bits my $pemtype; my $readtype; my $readbits = 0; @@ -84,6 +85,13 @@ sub checkdhparams { ok((grep { (index($_, $genline) + length ($genline)) == length ($_)} @textdata), "Checking generator is correct"); + + if ($keybits) { + my $keybits_line = "recommended-private-length: $keybits bits"; + ok((grep { (index($_, $keybits_line) + length($keybits_line)) + == length($_) } @textdata), + "Checking recommended private key bits is correct"); + } } #Test some "known good" parameter files to check that we can read them 
@@ -122,28 +130,28 @@ subtest "Read: 1024 bit X9.42 params, DER file" => sub { #Test that generating parameters of different types creates what we expect. We #use 512 for the size for speed reasons. Don't use this in real applications! subtest "Generate: 512 bit PKCS3 params, generator 2, PEM file" => sub { - plan tests => 5; + plan tests => 6; ok(run(app([ 'openssl', 'dhparam', '-out', 'gen-pkcs3-2-512.pem', '512' ]))); - checkdhparams("gen-pkcs3-2-512.pem", "PKCS3", 2, "PEM", 512); + checkdhparams("gen-pkcs3-2-512.pem", "PKCS3", 2, "PEM", 512, 125); }; subtest "Generate: 512 bit PKCS3 params, explicit generator 2, PEM file" => sub { - plan tests => 5; + plan tests => 6; ok(run(app([ 'openssl', 'dhparam', '-out', 'gen-pkcs3-exp2-512.pem', '-2', '512' ]))); - checkdhparams("gen-pkcs3-exp2-512.pem", "PKCS3", 2, "PEM", 512); + checkdhparams("gen-pkcs3-exp2-512.pem", "PKCS3", 2, "PEM", 512, 125); }; subtest "Generate: 512 bit PKCS3 params, generator 5, PEM file" => sub { - plan tests => 5; + plan tests => 6; ok(run(app([ 'openssl', 'dhparam', '-out', 'gen-pkcs3-5-512.pem', '-5', '512' ]))); - checkdhparams("gen-pkcs3-5-512.pem", "PKCS3", 5, "PEM", 512); + checkdhparams("gen-pkcs3-5-512.pem", "PKCS3", 5, "PEM", 512, 125); }; subtest "Generate: 512 bit PKCS3 params, generator 2, explicit PEM file" => sub { - plan tests => 5; + plan tests => 6; ok(run(app([ 'openssl', 'dhparam', '-out', 'gen-pkcs3-2-512.exp.pem', '-outform', 'PEM', '512' ]))); - checkdhparams("gen-pkcs3-2-512.exp.pem", "PKCS3", 2, "PEM", 512); + checkdhparams("gen-pkcs3-2-512.exp.pem", "PKCS3", 2, "PEM", 512, 125); }; SKIP: { skip "Skipping tests that require DSA", 4 if disabled("dsa"); diff --git a/test/recipes/20-test_legacy_okay.t b/test/recipes/20-test_legacy_okay.t index 183499f3f..4719358cf 100755 --- a/test/recipes/20-test_legacy_okay.t +++ b/test/recipes/20-test_legacy_okay.t 
@@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index e615f1b33..35541aed1 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -199,7 +199,7 @@ subtest "generating certificate requests with RSA-PSS" => sub { ok(!run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"), "-new", "-out", "testreq-rsapss3.pem", "-utf8", - "-sigopt", "rsa_pss_saltlen:-4", + "-sigopt", "rsa_pss_saltlen:-5", "-key", srctop_file("test", "testrsapss.pem")])), "Generating request with expected failure"); diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t index 2a4c36e86..e8464df26 100644 --- a/test/recipes/25-test_verify.t +++ b/test/recipes/25-test_verify.t @@ -29,7 +29,7 @@ sub verify { run(app([@args])); } -plan tests => 164; +plan tests => 173; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), 
@@ -242,6 +242,26 @@ ok(verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
 ok(!verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)], "-x509_strict"),
 "reject non-ca with pathlen:0 with strict flag");
+# EE veaiants wrt timestamp signing
+ok(verify("ee-timestampsign-CABforum", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
+ "accept timestampsign according to CAB forum");
+ok(!verify("ee-timestampsign-CABforum-noncritxku", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
+ "fail timestampsign according to CAB forum with extendedKeyUsage not critical");
+ok(!verify("ee-timestampsign-CABforum-serverauth", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
+ "fail timestampsign according to CAB forum with serverAuth");
+ok(!verify("ee-timestampsign-CABforum-anyextkeyusage", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
+ "fail timestampsign according to CAB forum with anyExtendedKeyUsage");
+ok(!verify("ee-timestampsign-CABforum-crlsign", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
+ "fail timestampsign according to CAB forum with cRLSign");
+ok(!verify("ee-timestampsign-CABforum-keycertsign", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
+ "fail timestampsign according to CAB forum with keyCertSign");
+ok(verify("ee-timestampsign-rfc3161", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
+ "accept timestampsign according to RFC 3161");
+ok(!verify("ee-timestampsign-rfc3161-noncritxku", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
+ "fail timestampsign according to RFC 3161 with extendedKeyUsage not critical");
+ok(verify("ee-timestampsign-rfc3161-digsig", "timestampsign", [qw(root-cert)], [qw(ca-cert)]),
+ "accept timestampsign according to RFC 3161 with digitalSignature");
+
 
 # Proxy certificates
 ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]),
 "fail to accept proxy cert without -allow_proxy_certs");
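Review bot: The comment `# EE veaiants wrt timestamp signing` has a typo; `# EE variants wrt timestamp signing` was meant. These nine checks mix two profiles — the CA/Browser Forum cases reject non-critical EKU, serverAuth, anyExtendedKeyUsage, cRLSign and keyCertSign, while the RFC 3161 cases accept digitalSignature — and both are expected to satisfy the single `timestampsign` purpose, which is not obvious from the test names alone; a short comment above the block stating that the purpose accepts either profile would help the next reader.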
diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t index 0a036b7da..9d7040ced 100644 --- a/test/recipes/30-test_evp.t +++ b/test/recipes/30-test_evp.t @@ -44,6 +44,8 @@ my @files = qw( evpciph_aes_stitched.txt evpciph_des3_common.txt evpkdf_hkdf.txt + evpkdf_kbkdf_counter.txt + evpkdf_kbkdf_kmac.txt evpkdf_pbkdf1.txt evpkdf_pbkdf2.txt evpkdf_ss.txt @@ -82,7 +84,7 @@ push @files, qw( my @defltfiles = qw( evpciph_aes_ocb.txt evpciph_aes_siv.txt - evpciph_aria.txt + evpciph_aria.txt evpciph_bf.txt evpciph_camellia.txt evpciph_camellia_cts.txt diff --git a/test/recipes/30-test_evp_data/evpciph_aes_ccm_cavs.txt b/test/recipes/30-test_evp_data/evpciph_aes_ccm_cavs.txt index 41b7b065c..0fa1f547e 100644 --- a/test/recipes/30-test_evp_data/evpciph_aes_ccm_cavs.txt +++ b/test/recipes/30-test_evp_data/evpciph_aes_ccm_cavs.txt @@ -1,5 +1,5 @@ # -# Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -8,7 +8,7 @@ # Tests from NIST CCM Test Vectors (SP800-38C) -Title = NIST CCM 128 Decryption-Verfication Process Tests +Title = NIST CCM 128 Decryption-Verification Process Tests Cipher = aes-128-ccm Key = 4ae701103c63deca5b5a3939d7d05992 @@ -2241,7 +2241,7 @@ Plaintext = 4da40b80579c1d9a5309f7efecb7c059a2f914511ca5fc10 Ciphertext = 1bf0ba0ebb20d8edba59f29a9371750c9c714078f73c335d -Title = NIST CCM 192 Decryption-Verfication Process Tests +Title = NIST CCM 192 Decryption-Verification Process Tests Cipher = aes-192-ccm Key = c98ad7f38b2c7e970c9b965ec87a08208384718f78206c6c 
@@ -4474,7 +4474,7 @@ Plaintext = 4da40b80579c1d9a5309f7efecb7c059a2f914511ca5fc10 Ciphertext = 30c154c616946eccc2e241d336ad33720953e449a0e6b0f0 -Title = NIST CCM 256 Decryption-Verfication Process Tests +Title = NIST CCM 256 Decryption-Verification Process Tests Cipher = aes-256-ccm Key = eda32f751456e33195f1f499cf2dc7c97ea127b6d488f211ccc5126fbb24afa6 diff --git a/test/recipes/30-test_evp_data/evpciph_sm4.txt b/test/recipes/30-test_evp_data/evpciph_sm4.txt index ec8a45bd3..57700d061 100644 --- a/test/recipes/30-test_evp_data/evpciph_sm4.txt +++ b/test/recipes/30-test_evp_data/evpciph_sm4.txt @@ -1,5 +1,5 @@ # -# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
@@ -19,6 +19,18 @@ IV = 0123456789ABCDEFFEDCBA9876543210 Plaintext = 0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210 Ciphertext = 2677F46B09C122CC975533105BD4A22AF6125F7275CE552C3A2BBCF533DE8A3B +Cipher = SM4-CBC +Key = 0123456789ABCDEFFEDCBA9876543210 +IV = 0123456789ABCDEFFEDCBA9876543210 +Plaintext = 0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210 +Ciphertext = 2677F46B09C122CC975533105BD4A22AF6125F7275CE552C3A2BBCF533DE8A3BFFF5A4F208092C0901BA02D5772977369915E3FA2356C9F4EB6460ECC457E7f8E3CFA3DEEBFE9883E3A48BCF7C4A11AA3EC9E0D317C5D319BE72A5CDDDEC640C + +Cipher = SM4-CBC +Key = 0123456789ABCDEFFEDCBA9876543210 +IV = 0123456789ABCDEFFEDCBA9876543210 +Plaintext = 0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210 +Ciphertext = 2677f46b09c122cc975533105bd4a22af6125f7275ce552c3a2bbcf533de8a3bfff5a4f208092c0901ba02d5772977369915e3fa2356c9f4eb6460ecc457e7f8e3cfa3deebfe9883e3a48bcf7c4a11aa3ec9e0d317c5d319be72a5cdddec640c6fc70bfa3ddaafffdd7c09b2774dcb2cec29f0c6f0b6773e985b3e395e924238505a8f120d9ca84de5c3cf7e45f097b14b3a46c5b1068669982a5c1f5f61be291b984f331d44ffb2758f771672448fc957fa1416c446427a41e25d5524a2418b9d96b2f17582f0f1aa9c204c6807f54f7b6833c5f00856659ddabc245936868c + Cipher = SM4-OFB Key = 0123456789ABCDEFFEDCBA9876543210 IV = 0123456789ABCDEFFEDCBA9876543210 
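Review bot: The first new SM4-CBC vector's `Ciphertext` mixes cases — `...6460ECC457E7f8E3CFA3...` contains a single lowercase `f` inside an otherwise upper-case hex string — while the second new vector is entirely lower-case and the existing vectors in this file are upper-case. If the hex parser is case-insensitive the test still passes, but normalizing both new values to the file's upper-case convention would make them easier to compare against their source and would catch a stray character at review time. The data file continues outside the hunk.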
@@ -36,3 +48,23 @@ Key = 0123456789ABCDEFFEDCBA9876543210
 IV = 0123456789ABCDEFFEDCBA9876543210
 Plaintext = AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFEEEEEEEEEEEEEEEEAAAAAAAAAAAAAAAA
 Ciphertext = C2B4759E78AC3CF43D0852F4E8D5F9FD7256E8A5FCB65A350EE00630912E44492A0B17E1B85B060D0FBA612D8A95831638B361FD5FFACD942F081485A83CA35D
+
+Title = SM4 GCM test vectors from RFC8998
+
+Cipher = SM4-GCM
+Key = 0123456789abcdeffedcba9876543210
+IV = 00001234567800000000abcd
+AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2
+Tag = 83de3541e4c2b58177e065a9bf7b62ec
+Plaintext = aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbccccccccccccccccddddddddddddddddeeeeeeeeeeeeeeeeffffffffffffffffeeeeeeeeeeeeeeeeaaaaaaaaaaaaaaaa
+Ciphertext = 17f399f08c67d5ee19d0dc9969c4bb7d5fd46fd3756489069157b282bb200735d82710ca5c22f0ccfa7cbf93d496ac15a56834cbcf98c397b4024a2691233b8d
+
+Title = SM4 CCM test vectors from RFC8998
+
+Cipher = SM4-CCM
+Key = 0123456789abcdeffedcba9876543210
+IV = 00001234567800000000abcd
+AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2
+Tag = 16842d4fa186f56ab33256971fa110f4
+Plaintext = aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbccccccccccccccccddddddddddddddddeeeeeeeeeeeeeeeeffffffffffffffffeeeeeeeeeeeeeeeeaaaaaaaaaaaaaaaa
+Ciphertext = 48af93501fa62adbcd414cce6034d895dda1bf8f132f042098661572e7483094fd12e518ce062c98acee28d95df4416bed31a2f04476c18bb40c84a74b97dc5b
diff --git a/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt
new file mode 100644
index 000000000..173311245
--- /dev/null
+++ b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt
@@ -0,0 +1,1843 @@ +# +# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# Tests start with one of these keywords +# Cipher Decrypt Derive Digest Encoding KDF MAC PBE +# PrivPubKeyPair Sign Verify VerifyRecover +# and continue until a blank line. Lines starting with a pound sign are ignored. + +Title = KBKDF tests + +# Test vectors taken from +# https://csrc.nist.gov/CSRC/media/Projects/ +# Cryptographic-Algorithm-Validation-Program/documents/KBKDF800-108/CounterMode.zip + + +# [PRF=CMAC_AES128] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=8_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES128 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:dff1e50ac0b69dc40f1051d46c2b069c +Ctrl.hexinfo = hexinfo:c16e6e02c5a3dcc8d78b9ac1306877761310455b4e41469951d9e6c2245a064b33fd8c3b01203a7824485bf0a64060c4648b707d2607935699316ea5 +Output = 8be8f0869b3c0ba97b71863d1b9f7813 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES128 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:682e814d872397eba71170a693514904 +Ctrl.hexinfo = hexinfo:e323cdfa7873a0d72cd86ffb4468744f097db60498f7d0e3a43bafd2d1af675e4a88338723b1236199705357c47bf1d89b2f4617a340980e6331625c +Output = dac9b6ca405749cfb065a0f1e42c7c4224d3d5db32fdafe9dee6ca193316f2c7 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES128 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:7aa9973481d560f3be217ac3341144d8 +Ctrl.hexinfo = 
hexinfo:46f88b5af7fb9e29262dd4e010143a0a9c465c627450ec74ab7251889529193e995c4b56ff55bc2fc8992a0df1ee8056f6816b7614fba4c12d3be1a5 +Output = 1746ae4f09903f74bfbe1b8ae2b79d74576a3b09 + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES128 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:e91e0d06ab23a4e495bbcc430efddcaf +Ctrl.hexinfo = hexinfo:24acb8e9227b180f2ccebea48051cbdbcd1be2bf94400d1e92945fe9b887585a295f46c469036107697813a3e12c45ae2ffde9a940f8f8c181018a93 +Output = e81ef2483729d4165aaa4866c17f26496e6c6924e2fe34f608efef0c35835f86df29a1e19ce166a8 + + +# [PRF=CMAC_AES128] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=16_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES128 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:30ec5f6fa1def33cff008178c4454211 +Ctrl.hexinfo = hexinfo:c95e7b1d4f2570259abfc05bb00730f0284c3bb9a61d07259848a1cb57c81d8a6c3382c500bf801dfc8f70726b082cf4c3fa34386c1e7bf0e5471438 +Output = 00018fff9574994f5c4457f461c7a67e + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES128 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:145c9e9365041f075ebde8ce26aa2149 +Ctrl.hexinfo = hexinfo:0d39b1c9c34d95b5b521971828c81d9f2dbdbc4af2ddd14f628721117e5c39faa030522b93cc07beb8f142fe36f674942453ec5518ca46c3e6842a73 +Output = 8a204ce7eab882fae3e2b8317fe431dba16dabb8fe5235525e7b61135e1b3c16 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES128 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:6f3f8cbf40d2a694274cfa2eb2f265a3 +Ctrl.hexinfo = 
hexinfo:e7b88baa4a2c22b3d78f41d509996c95468c8cb834b035dd5e09e0a455da254b8b5687a1433861751d2dd603f69b2d4ba4ae47776335d37c98b44b4b +Output = d147f1c78121c583cbcb9d4b0d3767a357bd7232 + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES128 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:5e534bea459e54c58a6942abfd4df8ab +Ctrl.hexinfo = hexinfo:e9a5cc15d223aaa74abd122983b2a10512199b9cc87663fd8a62d417cef53770264fc51f683890fe42da2df7be0f60898c5b09d5c4932137b6b1e06e +Output = 92480eb4860123ceda76f1e6bf2668520bea49ed72bb900ae50725bb8cfcdb733af1a9de71fe1af5 + + +# [PRF=CMAC_AES128] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=24_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES128 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:ca1cf43e5ccd512cc719a2f9de41734c +Ctrl.hexinfo = hexinfo:e3884ac963196f02ddd09fc04c20c88b60faa775b5ef6feb1faf8c5e098b5210e2b4e45d62cc0bf907fd68022ee7b15631b5c8daf903d99642c5b831 +Output = 1cb2b12326cc5ec1eba248167f0efd58 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES128 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:1bfaf4cd6efd25a132e2a1d41b124465 +Ctrl.hexinfo = hexinfo:b933cfbb223ea65ed0e8db822f83be64ee21d3b9ca1eb0bc32f9d77f145a3e4ed4e2cc72cb3d93ea44824ab81eefdf71bbdb62067e0eb34a79914e4f +Output = 75f4d20c558d71646ec062d2ca75369a218cedb7104be3abf27026af003e98f3 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES128 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:80168f187848a68b0b82a7ef43b4eedc +Ctrl.hexinfo = 
hexinfo:9357281df7665ae5ae961fe5f93a3124416cab3deb11583429c5e529af3fc71094aad560cbc279168fe1c3327787f91a414acfff063832bcd78ed1b5 +Output = be4517c9e6de96929e655a08f5b6d5bb77364f85 + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES128 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:26fa0e32e7e08f9b157ebae9f579710f +Ctrl.hexinfo = hexinfo:ceab805efbe0c50a8aef62e59d95e7a54daa74ed86aa9b1ae8abf68b985b5af4b0ee150e83e6c063b59c7bf813ede9826af149237aed85b415898fa8 +Output = f1d9138afcc3db6001eb54c4da567a5db3659fc0ed48e664a0408946bcee0742127c17cabf348c7a + + +# [PRF=CMAC_AES128] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=32_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES128 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:c10b152e8c97b77e18704e0f0bd38305 +Ctrl.hexinfo = hexinfo:98cd4cbbbebe15d17dc86e6dbad800a2dcbd64f7c7ad0e78e9cf94ffdba89d03e97eadf6c4f7b806caf52aa38f09d0eb71d71f497bcc6906b48d36c4 +Output = 26faf61908ad9ee881b8305c221db53f + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES128 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:695f1b1a16c949cea51cdf2554ec9d42 +Ctrl.hexinfo = hexinfo:4fce5942832a390aa1cbe8a0bf9d202cb799e986c9d6b51f45e4d597a6b57f06a4ebfec6467335d116b7f5f9c5b954062f661820f5db2a5bbb3e0625 +Output = d34b601ec18c34dfa0f9e0b7523e218bdddb9befe8d08b6c0202d75ace0dba89 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES128 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:b523ae21fc36bc58cc46e5a3cda97493 +Ctrl.hexinfo = 
hexinfo:8dbe6d4d9b09b2eabd165b6e6e97e3bc782f8335cb1ea04ad0403affd88a5071db5f36ce2e84ab296261730b2226a9189d867991fbd4ff86f43a3cfb +Output = 530211df01975dd6c08064c34105f88a6007f2b2 + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES128 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:b2fcf854b1029888aeb0274ca09bb21a +Ctrl.hexinfo = hexinfo:a6b84baae7a6ceb1d63ed704757500c510c0a8bdc22d2f42af09f79c815f37f33b67dad0b30f428fc1e2d355f7f91f65acbedd2fdd5b8c38dd890407 +Output = fe4c2c0242c5a295c008aeb87ae0815171de6173773292347f4f5ec07185c3f860b5667c199aad55 + + +# [PRF=CMAC_AES192] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=8_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES192 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:53d1705caab7b06886e2dbb53eea349aa7419a034e2d92b9 +Ctrl.hexinfo = hexinfo:b120f7ce30235784664deae3c40723ca0539b4521b9aece43501366cc5df1d9ea163c602702d0974665277c8a7f6a057733d66f928eb7548cf43e374 +Output = eae32661a323f6d06d0116bb739bd76a + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES192 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:d10046bb18c3f363e87f4e57b961b294d4edf2ca91dc3e38 +Ctrl.hexinfo = hexinfo:2d043069de979bffb1be38a3cef2869dc07d5d3e99bde2e2204f10138081743f423f0c0b1aec0735a25bc61a8e2936dec6a25bb0ae105ab46caf8a2a +Output = 8991a58882a0488bb5478996f2893989adb66d08d5030ad90f6ce5fdfca7754b + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES192 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:bf0abb70098d6c203074f1bce3d7468116cd1e5e8e618f20 +Ctrl.hexinfo = 
hexinfo:d9ce030a48668ada6c67a2ac163515ec22383c4b5332e18d06901bacbb63dd649c683cfd4fee2f33346817b23cb4c734060a1c727b0c72c12448f4f9 +Output = ecd1eef152b5835376f1a4324cd968bcb0cf850a + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES192 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:8725918ca07ad8e108473e5ffdf43eb1cf5c44baf0bd1cec +Ctrl.hexinfo = hexinfo:f4a57b84a881cf282aac5402cfa8fc4ede0db6f8e902d5c0c41c4712077306484e626e3ffc4129d9b43b46cbb6c53d2838a811dc8aedad7253cf94d4 +Output = 5a795fd0d7661968c478860b526cca40eb8702083fdbff3ff8adfa697e795398ca7106bc950fbb45 + + +# [PRF=CMAC_AES192] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=16_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES192 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:d7e8eefc503a39e70d931f16645958ad06fb789f0cbc518b +Ctrl.hexinfo = hexinfo:b10ea2d67904a8b3b7ce5eef7d9ee49768e8deb3506ee74a2ad8dd8661146fde74137a8f6dfc69a370945d15335e0d6403fa029da19d34140c7e3da0 +Output = 95278b8883852f6676c587507b0aa162 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES192 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:5e6695d7c3f5b156c7b457c8c2b801ba2ae30c9c8a36ee61 +Ctrl.hexinfo = hexinfo:1406756f40efb8e29d5455d2da4bf1993b3c3901d67ec90934895f5de7845f573ae8a0dc8a6ad77d80da29e81329440d61d63dda8eaa7851bc7a172d +Output = 72046d5eed909f6ab25810ead446ace7422fd87e6bd496ff2e84b115b8e0d27e + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES192 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:e3b88f40c9974410955820a8f8392701e9c67cc6efd3b0ff +Ctrl.hexinfo = 
hexinfo:a520f36b6b60dfce34dc1d1f6b16132efa82566efa49f3140113fbc59e309c40db42962c06123721f122f433fa417ce3319bca9c58b4184fd8c7be8f +Output = 134b6236a80c257591cc1437ab007b3fa4bd7191 + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES192 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:51574d47f2f1d202a30252823b52ba7858b729d5ed4c92f7 +Ctrl.hexinfo = hexinfo:0819c17dd3f9a68493a958c46152d04ba450043908a0016b99cc124d5e75b0d11e7c26f27365609c110eee7f8baa88a7d99fecc690e617150f93bd6c +Output = c46db4cd822e9841408fba79932d6c748bc7ab17421ed1ad188aed327c2a0d694e380c0cade8b37f + + +# [PRF=CMAC_AES192] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=24_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES192 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:f7c1e0682a12f1f17d23dc8af5c463b8aa28f87ed82fad22 +Ctrl.hexinfo = hexinfo:890ec4966a8ac3fd635bd264a4c726c87341611c6e282766b7ffe621080d0c00ac9cf8e2784a80166303505f820b2a309e9c3a463d2e3fd4814e3af5 +Output = a71b0cbe30331fdbb63f8d51249ae50b + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES192 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:3eeed1560e17aaffe9f6ca9d81815b89a6879a56ebe4182a +Ctrl.hexinfo = hexinfo:a643378a557af69ce2c606bc623a04b568a848207534d25bfa22664f9148997a6b4c00f4624b5100b4eb01857240b119876c3a86c1e8b02335475939 +Output = 8a1dc0f616353bf3ecf5553d7a7651e9ea6d884a32172d3391ad342bfaf60785 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES192 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:c984c3f65cdc32e7503678764a9e84292a1f50e335167a36 +Ctrl.hexinfo = 
hexinfo:0061cd40f9eef84d6c8b04e0142d70aa50d4690e0a1de8e3ff5f5cea10cd2d28281eb1df90c519b8b51f7aa0d63a313ebbf80538b54dd11a66115be6 +Output = afe93ae91930261344e30ef9e1718e76f74225d9 + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES192 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:993305e59f34a94f62931fd7662bb5b73c77d8d4bc6a33ba +Ctrl.hexinfo = hexinfo:fcceb2d7ac6a68717c2490ec95bebea484c4930d156683c43164dc53bff0bafcbfb31e920109927ef08e12f66f258b6f8ba284908faee7d3376e1bac +Output = 40e358cfdeee0286d152fcb4626ff22e67eea3b65d8750a273001b67645804cbf613832201b0a9ba + + +# [PRF=CMAC_AES192] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=32_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES192 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:f4267280cb8667c2cf82bb37f389da6391f58cc74deba0cc +Ctrl.hexinfo = hexinfo:34abbc9f7b12622309a827de5abfdd51fb5bb824838fcde88ca7bc5f3953abdcb445147f13e809e294f75e6d4e3f13b66e47f2dfc881ed392e3a1bf6 +Output = 2d1b4b5694b6741b2ed9c02c05474225 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES192 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:dc866a038c4f78f22d46caca65892bcdb15c1eb49b275827 +Ctrl.hexinfo = hexinfo:b4a123bad4890c7a791f5e192bd8b6e9c8c3620329f99249f11e1eb517a5b27b9e5b047a6591b45f6fff53e6d04b32d82e052af2eb8519bd21c10f93 +Output = 731a2e23ab2e58551490254041ee8fabd9c5a1918d76307f1048535be0763b20 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES192 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:dd5e0f1a30b0b722b00626ee663df29601af58082708e18c +Ctrl.hexinfo = 
hexinfo:b7c6eb48c80b071080fd07a827d0bfdc781599862084f7ffd968a4cbff0be9a6adef5ea206aa8af4d8a85705953e33cd7c4cbb69969c73698f54c6b8 +Output = 84e1ca286776cda0784c4fc48b054384ca565d17 + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES192 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:d64c598436507f4d05d7ebe780092996f281901dc9c8612f +Ctrl.hexinfo = hexinfo:0ea737cfca2560856917f3a2ff5e2175930d0719bba85a9c8d8cb311a0a1b8caf8ffe03e9a86ab17046670011c9fec5c5cd697d9cd931f615cdfe649 +Output = 3c26968bd3997c653f79bb725c36d784b590d18a64678cf312abe8a57b2891c27282e37b6a49cd73 + + +# [PRF=CMAC_AES256] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=8_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES256 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:aeb7201d055f754212b3e497bd0b25789a49e51da9f363df414a0f80e6f4e42c +Ctrl.hexinfo = hexinfo:11ec30761780d4c44acb1f26ca1eb770f87c0e74505e15b7e456b019ce0c38103c4d14afa1de71d340db51410596627512cf199fffa20ef8c5f4841e +Output = 2a9e2fe078bd4f5d3076d14d46f39fb2 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES256 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:5402c978955128558789bee7b571465174a60582a7640037387f99ac16683173 +Ctrl.hexinfo = hexinfo:5c7eb447481c2884a5398449eaecbb8b55f1f1981ba0fd187818d8b3581b430c3da52ab83d444e003625ff36fcbd160c67b18d85b6c9d00da1a15d15 +Output = f22a4686abe599c2194d21fc9071ffceb023dd9b24c13f05a3d44cfc77fec44a + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES256 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:cac968a8ffd81c73948bdfb48bf8a29c1378517d3be294df9a8a80724075bdbd +Ctrl.hexinfo = 
hexinfo:08817bcd560edf810aa004194c817e455fb66bbc3b84fef1d66df2d1cebb3403c24231fa822f130c5d8fe886217122dcab15cb725197bbcbeb8010f5 +Output = 651c43e113b32026b204119af394301f0cb9831c + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES256 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:9debd1762a9643e967dbc174f2040e177b8053afb0829189a81fed94f8c365ee +Ctrl.hexinfo = hexinfo:6c4e1e3fdd7f5c97d58bcdda792642cbd271d6968f6a8e368013d88763d0b306c832b7ab46b84d099596972d12220a4e9c81f82d6f5003d18b93c595 +Output = 2518a44ea347e924b03a7b4c966ec4e4bd76c1456d09096be9387638c2737faeebba4e2b921b19db + + +# [PRF=CMAC_AES256] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=16_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES256 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:4df60800bf8e2f6055c5ad6be43ee3deb54e2a445bc88a576e111b9f7f66756f +Ctrl.hexinfo = hexinfo:962adcaf12764c87dad298dbd9ae234b1ff37fed24baee0649562d466a80c0dcf0a65f04fe5b477fd00db6767199fa4d1b26c68158c8e656e740ab4d +Output = eca99d4894cdda31fe355b82059a845c + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES256 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:4c30b96d9beff5cc3c37527694eeec8207fae2c13ef295556919a7a46e5b90c1 +Ctrl.hexinfo = hexinfo:86e1ad34bd7a998281a822129a23102f799812864cf5349f3f21cec7729f83ad8c8aa6517fafcc9521cde887686629048159ed3f15c01408984f547e +Output = 815fe232e0e89f7eeaa87c3ba5007694a43c1577657ccb3018076c5a5c035d95 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES256 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:e508ce78aca2cc50c80a6cbdb2b178f8ee5e315dad71ddfa700eb6cf503239b3 
+Ctrl.hexinfo = hexinfo:28c47ddd23d349e3b30bf97975c5fa591f2158e001dae3faa154d93c615c89fc7449c901a2585e618f68a0b2cbd3f35f53424d5ea015cbf7e8e09f68 +Output = 6bc69b4c11aa7c04ac3c03baa44daeac4a047992 + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES256 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:ee0a0f88b3b441826264de7a31b890a66edf7c2a28d0286eab285846b586fb8e +Ctrl.hexinfo = hexinfo:1ea9771ab763056260d885073e80e835e20e5d7ca9659fdf5dd3b7f2ae6286608f8bc7a6728e41346c55544942b1bf06642fb6a6738fb5b7f0128f9c +Output = 5484f170b6602b505e9e6ccffccf2262b55c3554728244bba94daff0adbc619400b33f38013a2293 + + +# [PRF=CMAC_AES256] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=24_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES256 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:1612a40daa7fce6c6788b3b71311188ffb850613fd81d0e87a891831348e2f28 +Ctrl.hexinfo = hexinfo:1696438fcdf9a85284759b2604b64d7ea76199514709e711ecde5a505b5f27ae38d154aba14322481ddc9fd9169364b991460a0c9a05c7fcb2d099c9 +Output = d101f4f2b5e239bae881cb488995bd52 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES256 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:77b50e24b859725d1cab531c885a6e60e7d5b0432f37408185ae688dffa5f6a5 +Ctrl.hexinfo = hexinfo:0b2c907499cddaa1fcfb02002ab8b9756c5f1f9fea482d79b8a6aa9fa2fb48e69df94dca4cb6f2e90a462678279ddaacc482fdd76581996b43974a22 +Output = c2a02b3743d506cdc1a41d4c2ae4c67610c5d607df0c26cbf7f4fe2198cb35f1 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES256 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = 
hexkey:18a5c3e669967b42e9a29bad8fe86699f2b5d496ff767cd3171d1c7195ecef59 +Ctrl.hexinfo = hexinfo:33231c50326592c25ec3eee2c61a3ad4c8a23c098dd83eafe5db411d0948eb122bb6eb7a1d04d2dbcd0b98d0b70b7ff305bb3ef6ac9d4e8e3f7ecd4f +Output = e80afb5cd274cb5fa4952aa95177ae83337f4c8f + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES256 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:0b589e556b7583f0fa9144868603b59262f457dee1e887ffc0e39968218959b9 +Ctrl.hexinfo = hexinfo:1b95b940e0b950a58f09ea09941b80852cb29838940bb146dc3db0ddcd87f72ee28813c09fcef773e95438c0ed3dbcf29e78de0c78377561c5869d5f +Output = 260aef65eefd58816fe1a77120d047548b00c475c25178a2a33d4c801d49e8a0fb830513d0b3ff17 + + +# [PRF=CMAC_AES256] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=32_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES256 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:d0b1b3b70b2393c48ca05159e7e28cbeadea93f28a7cdae964e5136070c45d5c +Ctrl.hexinfo = hexinfo:dd2f151a3f173492a6fbbb602189d51ddf8ef79fc8e96b8fcbe6dabe73a35b48104f9dff2d63d48786d2b3af177091d646a9efae005bdfacb61a1214 +Output = 8c449fb474d1c1d4d2a33827103b656a + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES256 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:d54b6fd94f7cf98fd955517f937e9927f9536caebe148fba1818c1ba46bba3a4 +Ctrl.hexinfo = hexinfo:94c4a0c69526196c1377cebf0a2ae0fb4b57797c61bea8eeb0518ca08652d14a5e1bd1b116b1794ac8a476acbdbbcd4f6142d7b8515bad09ec72f7af +Output = 2e1efed4aef3fdd324e098c0a07c0d97f8fd2c748a996ce29861ca042474daea + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES256 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = 
r:32 +Ctrl.hexkey = hexkey:99f212241a343c1c8c2104ca6d28062413d985c21e6bba27fde0c622e2e4e6b7 +Ctrl.hexinfo = hexinfo:af8dc1cb7d1f82ca834628c20f0fc81920eb3ff3f75d3f4e3000593e9c15872479711d99d1b7be794f58d80a31bb112219dc16e6354111ab1161e21d +Output = 7f778c625bf0d083169a51584f6683f24af7c35e + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.cipher = cipher:AES256 +Ctrl.mac = mac:CMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:dabde95d751ff1c132bd49f80f4ee347bf39218cf8bfec61bc3ad865d9aa1182 +Ctrl.hexinfo = hexinfo:55da554307ed756764d4e97febb77ce85391b53225ee09417ad57def48ead090e3d1e7c2ed04f02462a6324ea0163b18f86201c69db27fd50b4c42c5 +Output = 5cc29221cfa6f3a4ded7afeef5a59c05bac787fc5e98a35ee0c96ba582b05c42f758966566084f69 + + +# [PRF=HMAC_SHA1] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=8_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA1 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:00a39bd547fb88b2d98727cf64c195c61e1cad6c +Ctrl.hexinfo = hexinfo:98132c1ffaf59ae5cbc0a3133d84c551bb97e0c75ecaddfc30056f6876f59803009bffc7d75c4ed46f40b8f80426750d15bc1ddb14ac5dcb69a68242 +Output = 0611e1903609b47ad7a5fc2c82e47702 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA1 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:1ee222f5cdd60b0ae956eeeaa838c51bd767672c +Ctrl.hexinfo = hexinfo:4b10500ba5c9391da83d2ef78d01bcdccda32ff6f242960323324474b9d0685d99dc9143ac6d667a5b46dcc89784b3a4af7a7684b01efee41b144f48 +Output = 806e342013853083a3f7294c63a9ec9a6dba75b256c62fac1e480ef26276cd4b + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA1 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = 
hexkey:0e71d9e9c9e951978ada75c831d627dd5d3b4c59 +Ctrl.hexinfo = hexinfo:08b6f69698e8eb6c8c63953abd3538531d722cc4e9ca7ffcb68abba4dd4b027b3787efa107902ace8abb54549bede4ffdadabec3f282865b2166d46e +Output = 86137b96ec15b7954fdc5df8d371ee2d8016e97a + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA1 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:f0e5ad280b3465e719afdf86377bbcda59f5c59b +Ctrl.hexinfo = hexinfo:231b6d83f0194499f27848108fd1fcdcf9520e67522cf54486fb919a839532d165019388242ce373a89ce644d7818e7415f5730a0b743595ab19add4 +Output = 9a9ddd19818bb085d24e48ee99d6e628235a422fb2ae383282b7bbbf0e5f5edf42d7237b8ed6aa1d + + +# [PRF=HMAC_SHA1] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=16_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA1 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:a510fe5ad1640d345a6dbba65d629c2a2fedd1ae +Ctrl.hexinfo = hexinfo:9953de43418a85aa8db2278a1e380e83fb1e47744d902e8f0d1b3053f185bbcc734d12f219576e75477d7f7b799b7afed1a4847730be8fd2ef3f342e +Output = c00707a18c57acdb84f17ef05a322da2 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA1 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:abec6c894ae9df32e5afdf5d06a0434e8940ca71 +Ctrl.hexinfo = hexinfo:9a6574a0ea1123ab9580906f8a2c4a0ecba9a8a84079c37a6e283ad4d4e957c3d16db66ae4be99e688b221c359a8dd2505868beb6a49fd7ce6c35df4 +Output = 5b37675aec199c7d08435ef6321cf6235c12453a4530072d4a73ba0ad34634a5 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA1 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:df4e835a2f201a3d0f840eab38a18adf72adf9eb +Ctrl.hexinfo = 
hexinfo:84c6ca541d24a8b419037b9657ee4e0d5ef96d8b198355940a30b09bf8784e81d3b93558de21c46f04aec4afd610c3b230d17473c80b47b5004955e7 +Output = 1202915544844b1f913caab512c582735bf76fed + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA1 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:cbe1d2895640dcd1545e60e04ce9d995707ec539 +Ctrl.hexinfo = hexinfo:c80d735ec5fd0bf811a4a71c55e99373f83f4111194ec24a8e9fe24ef03f56ed15b4e135e02488d96dba8c0d60c26592df55a492691cf3b7eced40d1 +Output = 1fd5a183be95c2d909deed31d686417d5c08bb88e6f75b150df330c8e7703bb8ccdffacb3e9ee3ff + + +# [PRF=HMAC_SHA1] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=24_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA1 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:928c170199473291bf719a1985a13673afb8f298 +Ctrl.hexinfo = hexinfo:f54388503cde2bf544db4c9510ff7a2759ba9b4e66da3baf41c90ce796d5ea7045bc27424afb03e137abfafe95158954c832090abdba02d86bab569d +Output = 8c01160c72c925178d616a5c953df0a7 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA1 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:df7ecebec20e14be6db5d46af2769fe4e4ed689c +Ctrl.hexinfo = hexinfo:308ec6953d4945f075d37932d5dd335c7de0d2e7899a8321724a50b52240191fcdf991520c47a25b04ce6eecc835e4265b623c68d687afc615f74ae5 +Output = c2129eeb33ee6783b6b187e5ae884f8f5bd78ca224e5e01c04a68ecef376ea38 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA1 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:2539c58bba8ae61be8b867b767ad698eb1f52a0b +Ctrl.hexinfo = 
hexinfo:9f6de21c93176f8814e9290a40149f749f946d376eb65f888eddcc4a24a58dbdbb3222fb53487e0abb08efff6d6a43511b18c40f489abe4013647273 +Output = 20bc5ab8c27dd3f6f6fa5485f2eed8bd8b8b3d35 + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA1 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:66002f224106971edc62a7c6957931b2097aabc3 +Ctrl.hexinfo = hexinfo:f5fe599fac3bac5b10a4296b0783e2fc78cb498347ff3f74e2d9d230dfb6653e1a274e7bc37f0319eac2b0b48533b7be9d3633eed32101837ee460ff +Output = c195b9139fee020eda70b8a161aef28474977412c0612afafe23b16b1594871548b5889b38e0cf2a + + +# [PRF=HMAC_SHA1] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=32_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA1 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:f7591733c856593565130975351954d0155abf3c +Ctrl.hexinfo = hexinfo:8e347ef55d5f5e99eab6de706b51de7ce004f3882889e259ff4e5cff102167a5a4bd711578d4ce17dd9abe56e51c1f2df950e2fc812ec1b217ca08d6 +Output = 34fe44b0d8c41b93f5fa64fb96f00e5b + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA1 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:c1efb8d25affc61ed060d994fcd5017c2adfc388 +Ctrl.hexinfo = hexinfo:b92fc055057fec71b9c53e7c44872423a57ed186d6ba66d980fecd1253bf71479320b7bf38d505ef79ca4d62d78ca662642cdcedb99503ea04c1dbe8 +Output = 8db784cf90b573b06f9b7c7dca63a1ea16d93ee7d70ff9d87fa2558e83dc4eaa + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA1 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:e02ba5d5c410e855bbd13f840124273e6b864237 +Ctrl.hexinfo = 
hexinfo:b14e227b4438f973d671141c6246acdc794eee91bc7efd1d5ff02a7b8fb044009fb6f1f0f64f35365fb1098e1995a34f8b70a71ed0265ed17ae7ae40 +Output = f077c2d5d36a658031c74ef5a66aa48b4456530a + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA1 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:693adb9037184627ad300f176985bd379f388a95 +Ctrl.hexinfo = hexinfo:7f09570c2d9304ec743ab845a8761c126c18f5cf72358eada2b5d1deb43dc6a0f4ff8f933bef7af0bcfacb33fa07f8ca04a06afe231835d5075996be +Output = 52f55f51010e9bd78e4f58cab274ecafa561bd4e0f20da84f0303a1e5ff9bebc514361ec6df5c77e + + +# [PRF=HMAC_SHA224] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=8_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA224 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:7e2f7a5ab3e82ef927a005308456823da473787bf33d18a864aca63f +Ctrl.hexinfo = hexinfo:b35695a6e23a765105b87756468d442a53a60cd4225186dc94221c06c5d6f1e98462135656ebca90468a939f29112b811413567d498df9867914d94c +Output = 10ba5c6ea609da8fa8abe8be552c97a1 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA224 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:667f72fc660e32943de386af9670c78e975c838cae91dca97f4f8508 +Ctrl.hexinfo = hexinfo:e713e8c38e92c8ba0f0791cc4a0d00c98d8dda8f3137a775104e7aa65b5f04fed12ee78a88262b2931717b7ac5624162fd5f0307f4faef038dcc210c +Output = 835b343242a489249eec3cd56384ea2a5b295e29a4430fec2aae0c8b9fa36d20 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA224 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:3344fb80fd655b16f08c78150516cbbc009fbdf1b510905f9113d275 +Ctrl.hexinfo = 
hexinfo:dc2aa42084d645baeb822c0c1d9b8e200737e9a2c7dcd922d8f056d6c02552295d95a488758919724207eebb4c21887f71b51a2a7ce98827cf7af4bb +Output = e281d09a31c57d053f0c2f902792c8bbb9a0f443 + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA224 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:eb9386450d7b2da5492da5b139cf4b0b951a5b0c7d40c22ae2c20677 +Ctrl.hexinfo = hexinfo:bd8b73969e3e2d7a943b937c3bffe3a9199d1cf27e289bb10c3b88696a5ae36b3b868b4fc6a20ca93dd0b328f3351f71ce656bb558fa33c74741398d +Output = bc902dfba79fb4084339b6666c7f72b9f47675229dc24ec61068bb05082717eead35647ff147d7de + + +# [PRF=HMAC_SHA224] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=16_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA224 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:093b2ce84c6175d1723fbe94b9ee963b6251d018fcf8c05c2e3e9b0b +Ctrl.hexinfo = hexinfo:083e114aca1f97166551b03f27b135c0c802294aa4845a46170b26ec0549cb59c70a85557a3fc3a37d23eed6947d50f10c15baf5c52a7b918ca80bf5 +Output = 94ced61c3665616d4a368f83a7283648 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA224 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:ffb5c9d920522477cb2ecf16ae1e075587b7598348e019df85ca3d43 +Ctrl.hexinfo = hexinfo:252743519ab4e03f8bb0ed137e2d315aac5010b951645c7626c6f5a77c4a6c4e0b0b4030abf937141f7142bcd702678b15d2d4e8850e0570ec782c79 +Output = 3d1813da0322201ed45ac2aaf3542843913bb32fd832a33a5dc94bad964bfe56 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA224 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:7f0ea811340cddbbf261d0260b0c98dec790133cffd2b04b8f8be2b1 +Ctrl.hexinfo = 
hexinfo:0a744543acddf7d8c0a205372a0450e32631a33bb89ad2e3bb2d9766c248ab755fec152a6da866ef50baeab607d88e5177042056970013aa18f9fb1e +Output = e55120e7848cf61254159e79c2ac47a9a906a73c + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA224 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:6e237178c4884e13470b6b4848b40389d9856311735da4eefa2f6f38 +Ctrl.hexinfo = hexinfo:9cd9f9ad88471668f3b25515851fff63d3a886b8c6cf371eae159bab58f997b83eda5815567a142c4264978d8f24d24fe2d513c0eeaff983b86fdbd8 +Output = 1e6638ea717338cfeb7dea373785c3c763bd5e509358e4940e9a4e4fd0a3e0347973858bc20243b8 + + +# [PRF=HMAC_SHA224] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=24_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA224 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:f09e65e8de7500847b43bd95e6c3506e01aadd484e9699b027897542 +Ctrl.hexinfo = hexinfo:c20f6188517b2ca10086b9f7f8d6f2d38d66f24193c037008d035f361c6bd74db26aef588a87aa8a1c3cdad2ba0207f7e7b39def0df797c4cb3bf614 +Output = 73d30c2af54744eb1efb70429f8e303a + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA224 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:6079eafeba179a915e194b14e12ffee1e2bad56a62077897a4654e4b +Ctrl.hexinfo = hexinfo:87686603814d619107aabfab85b4c4fe38ae1a5c2a4d78df12119871b8a4f85d583e7d842ee15e7fe03f61dd02b10784838ed163dc67cca43586d628 +Output = d888a21e1a698654fa46288509ae7a28dc7b05e6fc696a909451c2437097056b + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA224 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:2efe2905a1b7e1993da0316f2a747be1e91415ca1e6ad14d04341fee +Ctrl.hexinfo = 
hexinfo:4d283c0f6d209379facd8a26aa889780863cf6a81893dc3bd2c928a7f8d922ced9c829bf627d2c556441d0d41a1eb00c0deea78349429de56a275f04 +Output = ec162b6ff6413f5eae9336fd489fab538d042db8 + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA224 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:0b15638489d3ac7729a7db82797754e7a7c8d52da0cf3638a27a1a9c +Ctrl.hexinfo = hexinfo:90988848764dacc6eeba817e0b74086b1233bca9d573717b8e3dd3bd23a532aac7db8b196e4c4702f54cc71bb8882dc776b0317457803a632b429776 +Output = 481293e1e621ad8bab5c9f5090594bb2507a1456ee8ffc30db159cb5b02d69110c3e5270880bf4a7 + + +# [PRF=HMAC_SHA224] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=32_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA224 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:f5cb7cc6207f5920dd60155ddb68c3fbbdf5104365305d2c1abcd311 +Ctrl.hexinfo = hexinfo:4e5ac7539803da89581ee088c7d10235a10536360054b72b8e9f18f77c25af01019b290656b60428024ce01fccf49022d831941407e6bd27ff9e2d28 +Output = 0adbaab43edd532b560a322c84ac540e + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA224 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:992815121d88ffb26c337606723c02ef317713086e2cfbbd37e1a167 +Ctrl.hexinfo = hexinfo:152d974eb2719b9027d32054a327312361125959df9d96a1832e2056c2571d4f1cf45f6e8f6544c87f15861cef627d2f16e9b0b4ab799bb3362f4aae +Output = 475eda3a32d569932e043db64dbf0e9bb0945b54dcdfa203be1a28524c147075 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA224 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:2eabb6b922c24326ef9ae3c192dfd341caf57efe15dd649772a2ac3b +Ctrl.hexinfo = 
hexinfo:c75f6f5a1561aab39ea0e22702a6cf7dba3ca4dd9f046bb0abea2d3284168fd9fb39ff725523a660d21f8c2ade03d18d4273c52fb6f22c9e39d6bc2e +Output = ae50acebe308a1cf1747b9b178a0720748fa5fe5 + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA224 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:9b75e7fa216c884037c7d6953092ed335c4efd88ca57a742d6ac3221 +Ctrl.hexinfo = hexinfo:12bea97865df99315259ff620302432ecafc9dce2619e87dfb4979410456a524434315dd3920e2b1aa1c79d5e07132a758a7b7b71ef10bcf1bb877f3 +Output = 60071bd0ceea0fe0f879223b940d3de7dde02ca6858f8450fb9c0032e49f968ef9cd9b5703163dbc + + +# [PRF=HMAC_SHA256] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=8_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA256 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:3edc6b5b8f7aadbd713732b482b8f979286e1ea3b8f8f99c30c884cfe3349b83 +Ctrl.hexinfo = hexinfo:98e9988bb4cc8b34d7922e1c68ad692ba2a1d9ae15149571675f17a77ad49e80c8d2a85e831a26445b1f0ff44d7084a17206b4896c8112daad18605a +Output = 6c037652990674a07844732d0ad985f9 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA256 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:f109513435d72f14863660dfc027118e47e13995ad44a02415c9c8f63d38675c +Ctrl.hexinfo = hexinfo:53696208d6f42909136a575010e135e142e31f631d72386a631cc704e5ad4049a889422cd6da7f1805e59a273c6f4fa986bc3082952fca658979f1b0 +Output = 1aaf080fd51b37585ea464a9c617bc3ab859cc78cbe1f2d5d557148ee36821a0 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA256 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:6ed1b41a1fc2ca8c7e09d5bccc410661683ec29d41a0fd01dd820a2e824ff672 
+Ctrl.hexinfo = hexinfo:f6dc72adbd8ad4ea91259b61237a042a02546f37d58d933d3efadc54a5e1936a8faf70c33e707c473125bd5006b7dfa6883c04bf27cf53010e1d10bc +Output = 4090ee711fa361f03267a6ff2a5ace977c8c1db5 + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA256 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:63a657fb6c5bacb9a124d3e7db8bbb7d42bfdfaf8f04cb6359cd888c70669652 +Ctrl.hexinfo = hexinfo:2697b6ec112cab4d6f1714c991c17d44fb36a0b6ef0b0f5451619ab248950f56f403215c78711aa563683ced05be7246f32574fa294f162dbbeb3dee +Output = 1992e75756fa64734d5caecc5f6420fcb28b8b90421eee97dc8b6140ce18518405688bea489d2aaa + + +# [PRF=HMAC_SHA256] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=16_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA256 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:743434c930fe923c350ec202bef28b768cd6062cf233324e21a86c31f9406583 +Ctrl.hexinfo = hexinfo:9bdb8a454bd55ab30ced3fd420fde6d946252c875bfe986ed34927c7f7f0b106dab9cc85b4c702804965eb24c37ad883a8f695587a7b6094d3335bbc +Output = 19c8a56db1d2a9afb793dc96fbde4c31 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA256 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:365592398d23d31f2cac8bf6211f1ad5f52608efcdc5997b144ea6ded3866cf6 +Ctrl.hexinfo = hexinfo:07dce524556d3f68d2d91d4c15c9c6212635e0df1aef54938490db46f98737064d6a5624d7f938c263af01e632c45d9fe7a871b67f7d4bf110796eb4 +Output = 5624c6911dc1b08e090c8c95347adf17895b696aae211932cde3ec8227fcbea8 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA256 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = 
hexkey:c104e187e344668997b7bd9c8cdf097320518dd7dbcb541c414418b55b58cbb2 +Ctrl.hexinfo = hexinfo:32f6bd59840c61909f2f92f98f54bd238083577e33c3d071c1abe4c694bd87c1ad235eb9a2d272b3dc67c955574d5e6cad84615120476d6e7e04f51f +Output = 1b5d9e60aa909aeb973e76d9bf6be208327bb096 + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA256 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:d4349c26108719debacc04e166a09063ffb5e17bcbaf8738dc2618aa7d1e97ae +Ctrl.hexinfo = hexinfo:da1f5ed45ead428689b0ecca9dbc2569e76953cda0df085499cca6d5949d8995e1e42bbdc94b0dd78c164867c364a64c894de85294ad89d267ff443d +Output = 00550ae0f29a2373269af175e7f829ec32c3d05099a39f8c0e02caa00b68afb7457669334383ffb2 + + +# [PRF=HMAC_SHA256] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=24_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA256 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:388e93e0273e62f086f52f6f5369d9e4626d143dce3b6afc7caf2c6e7344276b +Ctrl.hexinfo = hexinfo:697bb34b3fbe6853864cac3e1bc6c8c44a4335565479403d949fcbb5e2c1795f9a3849df743389d1a99fe75ef566e6227c591104122a6477dd8e8c8e +Output = d697442b3dd51f96cae949586357b9a6 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA256 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:f5207566ad012002ae6f2b501f0c24180228345889c20616d043b868a76d015a +Ctrl.hexinfo = hexinfo:f36dbc8d1dfda60d4ba05214f8773aaa9f01944150bca68812d0d8deb5492f3f68f09809ba5e8b89e9dca86c70f6f353b3d5f49ef27e2fd01cfa911d +Output = 0faed440796a0685a24a1c5e1cacde566c7a1a4189885229251c6308a53c3f6e + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA256 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = 
r:24 +Ctrl.hexkey = hexkey:e2758918edcf15d957a556055602d283dbdf9c95b6025a3cddf1eeac1e0ac889 +Ctrl.hexinfo = hexinfo:eda2f792580d6129b43e7b89c661786a29ab502ec6198f4a2bec6d0ffca1a75b8807d4313e7bf769a94fbf4b41c4cc309358a211105312c05818d8f3 +Output = 67e3273b2cfa4c663377f5841606679aee420dce + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA256 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:c9063598d6cf8660300073b5c25603baf3ade910c182deea15d8107d6f6be295 +Ctrl.hexinfo = hexinfo:22d27eec90c2dd4ae5cf4a705abecfd781b9051ba512b048ea9499364b791e9cdf63215db43680dacffe6f19d77fc93f8a46d84dd52146389d9ec308 +Output = f3a5b521b435a8c83eaf2d264b5b1a6dcc32c21b4897511203f97f01f2a691eef080b4cd7ca4fc38 + + +# [PRF=HMAC_SHA256] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=32_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA256 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:dd1d91b7d90b2bd3138533ce92b272fbf8a369316aefe242e659cc0ae238afe0 +Ctrl.hexinfo = hexinfo:01322b96b30acd197979444e468e1c5c6859bf1b1cf951b7e725303e237e46b864a145fab25e517b08f8683d0315bb2911d80a0e8aba17f3b413faac +Output = 10621342bfb0fd40046c0e29f2cfdbf0 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA256 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:e204d6d466aad507ffaf6d6dab0a5b26152c9e21e764370464e360c8fbc765c6 +Ctrl.hexinfo = hexinfo:7b03b98d9f94b899e591f3ef264b71b193fba7043c7e953cde23bc5384bc1a6293580115fae3495fd845dadbd02bd6455cf48d0f62b33e62364a3a80 +Output = 770dfab6a6a4a4bee0257ff335213f78d8287b4fd537d5c1fffa956910e7c779 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA256 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = 
use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:dc60338d884eecb72975c603c27b360605011756c697c4fc388f5176ef81efb1 +Ctrl.hexinfo = hexinfo:44d7aa08feba26093c14979c122c2437c3117b63b78841cd10a4bc5ed55c56586ad8986d55307dca1d198edcffbc516a8fbe6152aa428cdd800c062d +Output = 29ac07dccf1f28d506cd623e6e3fc2fa255bd60b + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA256 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:c4bedbddb66493e7c7259a3bbbc25f8c7e0ca7fe284d92d431d9cd99a0d214ac +Ctrl.hexinfo = hexinfo:1c69c54766791e315c2cc5c47ecd3ffab87d0d273dd920e70955814c220eacace6a5946542da3dfe24ff626b4897898cafb7db83bdff3c14fa46fd4b +Output = 1da47638d6c9c4d04d74d4640bbd42ab814d9e8cc22f4326695239f96b0693f12d0dd1152cf44430 + + +# [PRF=HMAC_SHA384] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=8_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA384 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:0be1999848a7a14a555649048fcadf2f644304d163190dc9b23a21b80e3c8c373515d6267d9c5cfd31b560ffd6a2cd5c +Ctrl.hexinfo = hexinfo:11340cfbdb40f20f84cac4b8455bdd76c730adcecd0484af9011bacd46e22ff2d87755dfb4d5ba7217c37cb83259bdbe0983cc716adc2e6c826ed53c +Output = c2ea7454de25afb27065f4676a392385 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA384 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:218f47301a3adf39a4e1ddc25a1df2b7db53d7780c207f47ab4cefcaa960ed82cb6cbc34b97b4c332d52ca81cc40cb9a +Ctrl.hexinfo = hexinfo:60dcb116d7cfd3cca7315c9dc7e9650f886b67d9fbcd98c226239a0f66eff075da23c6cb750a2129ae71b9582934f57423a815249cac2c61f958b35d +Output = 26b01d94c4dd51a9c8b54f78647257f9e937a8d67dffa78f85749cdfb22db620 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = 
digest:SHA384 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:426c4facbacecb654555bc9843f9864a53e14c9a5e19600abf57b03cf8b6f825f71191eaaf3cfd70961314acbf1e6e29 +Ctrl.hexinfo = hexinfo:d224dc52dd16bde3391fab24fa875b695d63215e182efa970537904f4cd1d7f929f87c17fa97bd490f10cfc3bb80353ea4a4bb403f79e18677c39d29 +Output = 431c73810e9fe4f4982202f55eb5f0212f302142 + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA384 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:522a72c006a6b77911915c78952dd61848725a4b0789b2cfce3b29d947d9faa145417740c0365bd81a860a600012543b +Ctrl.hexinfo = hexinfo:4a3cd102c4b95fe193660c4c174f02c725207449b785edb8fa8c4404f01a25bef3238637d3bae370758332c678deb578322e031ec3970876600196d2 +Output = 2f5d52226949aecfe6359561a5fdd87a843457019e24faacacedd34177cda6cba18cc78cc8c78cef + + +# [PRF=HMAC_SHA384] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=16_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA384 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:26ef897e4b617b597f766ec8d8ccf44c543e790a7d218f029dcb4a3695ae2caccce9d3e935f6741581f2f53e49cd46f8 +Ctrl.hexinfo = hexinfo:bc2c728f9dc6db426dd4e85fdb493826a31fec0607644209f9bf2264b6401b5db3004c1a76aa08d93f08d3d9e2ba434b682e480004fb0d9271a8e8cd +Output = a43d31f07f0ee484455ae11805803f60 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA384 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:269cce234dd4783067ceaa04a70deb1c9700acf705548495767c22f78493851ca9c699077a002874caacb760106016c6 +Ctrl.hexinfo = hexinfo:f64bfb4bdaac81b5801d2f9f08bc2e4d009990b67290fd49b3730c3a145696447aceae6a82f7508a19c396a548c9c33d943dab82b2538c18b8eee871 +Output = 
ab4182261c5d9c0d23a26477f14a507dd7f5e9550d04f48de29e644ed55f3406 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA384 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:ec71de96c9520386f9d11bebe474bae0c0549e2b2e8fda6b2336050ee3acbec38bc57d56e6422d3cd493ead69772a059 +Ctrl.hexinfo = hexinfo:4313d1efba21dded84ce12bf80b1be54400619d3bb1987f18bf85400e335103969e77c819a5360cf1dd3f4addb6b8eec0199508c75adfe2cfc067dc8 +Output = 8e37ecc86dcb5ee7cf48d8a07f06c47cdce624cc + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA384 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:afe2d3a4746792908aca8ece67ba8562382000b4e26122414b3ef2e120511bae68448955cf186be87caf69eaced47e87 +Ctrl.hexinfo = hexinfo:1f6dd0b17fed7f479c4f62927291a95292a4e232441c30ffcaa1d347543e50db939360bb37976eacb911f76c38ad8cce12a0c263875bbcd7f6011ffd +Output = 17b671ca433cea81384b03b69c26a55257085cdfa48e6d8529431464bd439a881de560294afb0073 + + +# [PRF=HMAC_SHA384] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=24_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA384 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:4fab4f1e3512b5f443ec31d2f6425d5f0fc13a5f82c83f72788a48a1bd499495ff18fb7acc0d4c1666c99db12e28f725 +Ctrl.hexinfo = hexinfo:f0f010f99fbd8ec1bd0f23cd12bb41b2b8acb8713bb031f927e439f616e6ae27aed3f5582f8206893deea1204df125cedce35ce2b01b32bcefb388fd +Output = c3c263b5aa6d0cfe5304a7c9d21a44ba + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA384 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:af3cd100d14dcb5e63f8915eced4b59477936c48e0e2b9232449a97d53d3eddf9e00bf44a8f2370c38a13434c13e0977 
+Ctrl.hexinfo = hexinfo:81f178f11615309844af84e163ff694f1936f7528aba6f0e60d41b4afac87e9dd48fbb5aebe534733f576950484aab15b386b468a055a1e0be8982c0 +Output = 0b52be4ebd8b2116df895a42317ac78808993673c99da6391f0eee13cc8470fa + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA384 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:fc3ba84439d8b7ead37ac6c825e088fc80152788bbc9c68569213dd6189d5fd552c37ab73b3d53ee9809a485194fb3cd +Ctrl.hexinfo = hexinfo:df5728d5d146898b68d8713aa8053d03db52b7227d502d3effcd51a22d52ecd9175a4b01d2f27ecfc8abf02c1dd80f5c90a5e01396c1107dddb02226 +Output = 87ff36ca26778fcaf4f9209d38095c55c40f5e22 + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA384 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:08d867a61b13cd8c79d3a1cbec3493925ece900e06993063bc0dfe0247cd059ba50a5fb6afc65ac469793817a1f2dfee +Ctrl.hexinfo = hexinfo:af0c83a659267869bd7cde387bf1c29c9c0ff3c6cabf512c73fd671748e4e9e49218de9350fc0dde27839eb1e2878f900689abeb7b540c70203e5a95 +Output = 3fef69d875b9b6047c33f295619f6e7c7125c875d55409500100f71bee6551d511327fbde607ac41 + + +# [PRF=HMAC_SHA384] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=32_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA384 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:216ed044769c4c3908188ece61601af8819c30f501d12995df608e06f5e0e607ab54f542ee2da41906dfdb4971f20f9d +Ctrl.hexinfo = hexinfo:638e9506a2c7be69ea346b84629a010c0e225b7548f508162c89f29c1ddbfd70472c2b58e7dc8aa6a5b06602f1c8ed4948cda79c62708218e26ac0e2 +Output = d4b144bb40c7cabed13963d7d4318e72 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA384 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = 
use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:8fca201473433f2dc8f6ae51e48de1a5654ce687e711d2d65f0dc5da6fee9a6a3db9d8535d3e4455ab53d35850c88272 +Ctrl.hexinfo = hexinfo:195bd88aa2d4211912334fe2fd9bd24522f7d9fb08e04747609bc34f2538089a9d28bbc70b2e1336c3643753cec6e5cd3f246caa915e3c3a6b94d3b6 +Output = f51ac86b0f462388d189ed0197ef99c2ff3a65816d8442e5ea304397b98dd11f + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA384 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:bc3157b8932e88d1b1cf8e4622137010a242d3527b1d23d6d9c0db9cc9edfc20e5135de823977bf4defafae44d6cdab6 +Ctrl.hexinfo = hexinfo:b42a8e43cc2d4e5c69ee5e4f6b19ff6b8071d26bab4dfe45650b92b1f47652d25162d4b61441d8448c54918ae568ae2fb53091c624dbfffacee51d88 +Output = 91314bdf542162031643247d6507838eaba50f1a + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA384 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:582f968a54b8797b9ea8c655b42e397adb73d773b1984b1e1c429cd597b8015d2f91d59e4136a9d523bf6491a4733c7a +Ctrl.hexinfo = hexinfo:e6d3c193eff34e34f8b7b00e66565aeb01f63206bb27e27aa281592afc06ae1ec5b7eb97a39684ce773d7c3528f2667c1f5d428406e78ce4cf39f652 +Output = 691726c111e5030b5f9657069107861ecc18bc5835a814c3d2e5092c901cb1fb6c1a7cd3eb0be2a7 + + +# [PRF=HMAC_SHA512] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=8_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA512 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:6ea2c385bb3e7bbafc2225cee1d3ee103ce300c1fdf033d0c1e99c57e6a596e037020838e857c0434040b58a5ca5410be672b888ef9955bdd54eb6a67416ff6a +Ctrl.hexinfo = hexinfo:be119901ed8679b243508b97663f35da322774d7d2012d6557da6657c1176a115ebc73b0f1bfa1dba6b8c3b124f0a47cff2998b230c955b0ea809784 +Output = 
e0755fa6f116ef7a8e8361f47fd57511 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA512 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:0ef984d7b4ee76f5c9e080b27f45ccab4ac2362c4cafa68198786b18e239d0f69ee62148373643ad9aa42474700348ef651fee9973130a42e76b7e7633eba1e9 +Ctrl.hexinfo = hexinfo:56ece7c14c1fc5467f8316f3a931a7ddfa490969f442d7a132f3755809f6ca11dbc9c6493a541c244c32be6656e13ef2868cb79415b807b3882f00d2 +Output = 19aa765affdd3cc7294b2c97e1bd5adc368523a3283c387d0719761e938f83db + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA512 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:a35728d4ec0d7e94019a45d52264e5cd63c7540c21e30a9882d8d531cbb510edaa78e42c03994c18d8efcf7f826a1a9fdbbbacc55c640e7b532cc08e0615a093 +Ctrl.hexinfo = hexinfo:f501cc527bad6fe5d8e4f1f0f53d416ab17235f380f7e0d1c90dca18206af1fb1d977551e2e0e25c1fe41a8f825fbae2c07c94b768e98ad5ab8ddb2e +Output = 54cf238101418ce050eee03aae0c39c4602ab838 + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA512 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:8 +Ctrl.hexkey = hexkey:baed493b0294c9a5dbbe4547a30f0602c6124cedb549b45cff0ee4f3689a7ae5b695e5ecdfebf611bba1174e5e3a8824383e555daef396dc58c2842f77d5a674 +Ctrl.hexinfo = hexinfo:1371182cb0725416b1eccf4ac9fb20cf4e0f77e7d006a531e0ab2b2b46e0859473dad9dcae65ba5eb902228787dae19e735d002c919a4b74012f8904 +Output = 09bb55c9f3cee604f4bc5544a802be8b02b34b99f7928ceee696221975f947905f1b5979d9d4c2a1 + + +# [PRF=HMAC_SHA512] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=16_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA512 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = 
hexkey:bb0c55c7201ceb2e1369a6c49e2cdc1ae5e4cd1d64638105072c3a9172b2fa6a127c4d6d55132585fb2644b5ae3cf9d347875e0d0bf80945eaabef3b4319605e +Ctrl.hexinfo = hexinfo:89bf925033f00635c100e2c88a98ad9f08cd6a002b934617d4ebfffc0fe9bca1d19bd942da3704da127c7493cc62c67f507c415e4cb67d7d0be70005 +Output = 05efd62522beb9bfff6492ecd24501a7 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA512 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:393eb889e9c2f251b95aa147d53e4cd029fd0391110be9c6b2f8ba32857864847c448a9a591686de88da7486d0a0f0f8c927560fa8f79c30e66a7efaacaa638f +Ctrl.hexinfo = hexinfo:116bf7f9e5eb884c86cd0d3a2b33d41de7735677e6bd727e83fbde5c8113de56bf84c9f80610db760ae2df73f4f0db9df0cc1655ea9bc98bb06beeda +Output = 212e4e4057a6871e166e7563205833bc7f01e86c724b6a61166d9311c55b5044 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA512 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:eeec4383a808fae57f24a7a5eb6157cca66483a613590c89ed39f59617ea97fcfa7cdfc83ba8140fa0d8542263d6423a9bcca70e11addb7a646f194ff0878cac +Ctrl.hexinfo = hexinfo:b2565a20171eef1eaa04728e6c369405b251062bbd0a2b9171c8c6fedf0ff783691db787f153bbf5167301808f768a03df0deec99f2b9efb90cab571 +Output = 4f31b7bcd54c74d8a7d31aca187b8736f0a59db7 + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA512 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:16 +Ctrl.hexkey = hexkey:62690d8ef259d175911d8eb52a331af29a8e3b797c4b315a67fa5cd1b00e585b2f7d97341284d0fcaa15a080732f7958e3b33e938e730623d1e651dbea9b2233 +Ctrl.hexinfo = hexinfo:266535b58de26ed62f936bc7147c8c3b31ee0c1bb92c5ef63699ac7225e01cec5afd2e6e39cf095882324c7dc94b0daa2befc50f790da0547d7c6184 +Output = 9336a88737d9ae01b5c43be5789c8545689557aad295ea3c03d2a2e0143603365fea1656175c20bf + + 
+# [PRF=HMAC_SHA512] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=24_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA512 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:d10933b0683f6787c33eccea1c311b8444270504fb3980bfd56443ba4068722184c31541d9174f71068b7789440bc34cec456e115067f9c65a5f2883c6868204 +Ctrl.hexinfo = hexinfo:dcb2ea8d715821d6393bd49a3e35f69a6c2519edb614f80fbc3f7ae1d65ff4a04c499e75d08819a09092ddaadba510e03cb2ac898804590dbd61fb7e +Output = 876d73040d03d569e2fcae33b241d98e + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA512 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:44e6e9abd8572a19ba127dfa2ca6a1b53beaef8c19a1ec5b67f1f6f7919671cd80ade7ded7c0f096525936ef427b152339de915f024964ca9ea908a120e2553a +Ctrl.hexinfo = hexinfo:c2884a0c3ea2ff5b0bc848698f49f2c59eff511d77caddba897dec7714a0984e54f330dd9e9fdca9c033dfbc36d3293eca0ce7601e316463966ad4fd +Output = b294537440bec490953bf6e9a77c4510536916b84a5a2f45b5bf9f76666d8f12 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA512 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = hexkey:a39131ca2f8df817ea2f155aac72d58a696d915b66b7cbe172a0f48a407aa8af0edbaea051eb027fe8fcc435cc7f160feeb57bd39a39d94104fe35167dac1aae +Ctrl.hexinfo = hexinfo:52b6d1f6381fc3dd44baf1c9d36f0c313e58bf4fdb936b78103afdb90373079de90e4bb7d7089e65e0aef23f2a34df5198b8392aac705eb998c1f8cd +Output = e707c910b4db3a648815fcad5ca7af18e5354c2e + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA512 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:24 +Ctrl.hexkey = 
hexkey:af5a39f0303b11bca55584ce24162dabd1625aed14ce54f9e407866e03efb24b12a36e164f96faf36bc92a08acd194285107173fb84caef787672d6471028459 +Ctrl.hexinfo = hexinfo:1cd84829b89d3149948967494aece985f1df3d7ec7735e8cc468bb3e6fdb50964d32dcde5521a82402577371047bf77e34714437e9d213561055b9db +Output = a0e81b336a6f4ab395aada28314d8ba96b9216ae389b01aaec158e166239e554a217e69f603988fb + + +# [PRF=HMAC_SHA512] +# [CTRLOCATION=BEFORE_FIXED] +# [RLEN=32_BITS] + +# COUNT=0 +# L = 128 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA512 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:dd5dbd45593ee2ac139748e7645b450f223d2ff297b73fd71cbcebe71d41653c950b88500de5322d99ef18dfdd30428294c4b3094f4c954334e593bd982ec614 +Ctrl.hexinfo = hexinfo:b50b0c963c6b3034b8cf19cd3f5c4ebe4f4985af0c03e575db62e6fdf1ecfe4f28b95d7ce16df85843246e1557ce95bb26cc9a21974bbd2eb69e8355 +Output = e5993bf9bd2aa1c45746042e12598155 + +# COUNT=10 +# L = 256 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA512 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:5be2bf7f5e2527e15fe65cde4507d98ba55457006867de9e4f36645bcff4ca38754f92898b1c5544718102593b8c26d45d1fceaea27d97ede9de8b9ebfe88093 +Ctrl.hexinfo = hexinfo:004b13c1f628cb7a00d9498937bf437b71fe196cc916c47d298fa296c6b86188073543bbc66b7535eb17b5cf43c37944b6ca1225298a9e563413e5bb +Output = cee0c11be2d8110b808f738523e718447d785878bbb783fb081a055160590072 + +# COUNT=20 +# L = 160 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA512 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:9dd03864a31aa4156ca7a12000f541680ce0a5f4775eef1088ac13368200b447a78d0bf14416a1d583c54b0f11200ff4a8983dd775ce9c0302d262483e300ae6 +Ctrl.hexinfo = 
hexinfo:037369f142d669fca9e87e9f37ae8f2c8d506b753fdfe8a3b72f75cac1c50fa1f8620883b8dcb8dcc67adcc95e70aa624adb9fe1b2cb396692b0d2e8 +Output = 96e8d1bc01dc95c0bf42c3c38fc54c090373ced4 + +# COUNT=30 +# L = 320 +KDF = KBKDF +Ctrl.mode = mode:COUNTER +Ctrl.digest = digest:SHA512 +Ctrl.mac = mac:HMAC +Ctrl.use-l = use-l:0 +Ctrl.use-separator = use-separator:0 +Ctrl.r = r:32 +Ctrl.hexkey = hexkey:a9f4a2c5af839867f5db5a1e520ab3cca72a166ca60de512fd7fe7e64cf94f92cf1d8b636175f293e003275e021018c3f0ede495997a505ec9a2afeb0495be57 +Ctrl.hexinfo = hexinfo:8e9db3335779db688bcfe096668d9c3bc64e193e3529c430e68d09d56c837dd6c0f94678f121a68ee1feea4735da85a49d34a5290aa39f7b40de435f +Output = 6db880daac98b078ee389a2164252ded61322d661e2b49247ea921e544675d8f17af2bf66dd40d81 + diff --git a/test/recipes/30-test_evp_data/evpkdf_kbkdf_kmac.txt b/test/recipes/30-test_evp_data/evpkdf_kbkdf_kmac.txt new file mode 100644 index 000000000..d0ce058f9 --- /dev/null +++ b/test/recipes/30-test_evp_data/evpkdf_kbkdf_kmac.txt 
@@ -0,0 +1,917 @@ +# +# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the License). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# Tests start with one of these keywords +# Cipher Decrypt Derive Digest Encoding KDF MAC PBE +# PrivPubKeyPair Sign Verify VerifyRecover +# and continue until a blank line. Lines starting with a pound sign are ignored. + +Title = KBKDF tests + +# Test vectors taken from a ACVP test data related to 108r1_kmac_req.json and 108r1_kmac_exp.json files. + +# 1 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexinfo = hexinfotrl.hexsalt = hexsalt:49F487EB1C0CD23551994F14AA5AC304113EEAB7677998B18290D396E503D0 +Ctrl.hexkey = hexkey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utput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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:6483EEED1148E7E4A75962A21BC7B5758673DB33117CE428BF7967B3FC398A6FEB759DB297B9D5139C33910C95984C8E128695952ABCB1013585A7E65B84183866F73A6856C8FC1C0805F0C37E1AAE6660C3371471F06726DDF37B93D6DE198DF70F2743FEAC514A9B078691E38FF5B0187DC574110F488D3A3914A81397238F97D35373CBC6E425374924BA7EA160F29B +Ctrl.hexinfo = hexinfo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trl.hexsalt = hexsalt:3A2B2DDF0024DC4F01EE8229AD34921D5F4FCBE4FB991463CDD87C5D7ECC2315315D59742A65BE402FCD0F88DB0F1A28232B9886F6D4CA93A05845BF650C1D11775D38C85CB549F8D5C2B8C62CB4BB1297E2699BDE9A736925B52A735D9402E8943C3D9721B20B8DC77721693DF049CACCA25368F4B14EB5F55A7A6742106FF62BF6B7767F87B5EB4A5E4C2C4F68C4A01D6D84CD8A2EDF4BB3BD1FD79D55EC13A471D2019067375070DE96D4FD0172143118BD2E231367FEF847DDB7D826C9E1324A2EC27DF5B8DB9CA7E1F22CD7939175F7FD66371F5DD23350F74842D3F852D1C3AC9092E70C2F7EF44D81E69B4EF090208BD079 +Output = 
56909081282D0F4618FF119D21EBEF78CC63407FBF53EAB96691F440663D33C5A8473ECF170548943940FE90317BDF69283F7F3B0DCD67A0C75926B7DD2F2057CC830D6BA089C6FC73E800E26BF38F19340ECA308C8E + +# 3 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:B12B3B521EDA2F18C177CE97820BDDBAE3E4316E8F92000375CF8F328F00D3FD440114435E1C53ECB558E77D8D0B7A94E2BC3EB373536EC56E9A6F71C6E571A8F55BA2FCA0BF762198A4C2FD586E9EE440561701A9C859E7FEB403D53DEB9177563FEC2BEFBBEBF9BDE77CCC3B6D7A7170AD5D585CC7E7E28792B88BB934081471FD6AD2E00E919EAE73C891AAE17AB640BC0A46000274C112CD3A81599A6D867827ADB523BB2D7BF35D5BD188FAAFC214122526BA813C1FB38E8E0E8985FC0944518B5AA38EC866E3C5C83C22274FA0DBC40756A4B2D703815144EC211140BC9A7DF8D89A8A861B68CAD89285BE70F77BAF1FC94197873D2A26E52AA93130BC574DFB921FCB4FFB8E48ED2BEF0229677BEE1E51CD9809960F18A4EA86156456F5C895 +Ctrl.hexinfo = hexinfo:5E81BB39BD70A08E09064F30CF217CAF1BA7083BA5BA6F422B4C29B0763BB06EE462E3FB4E18547FF8E94FCCF26C8B729E83A513E3E83C427D095212EF987858D3419D5A931B33C0BAEC24E2FDEC4C7D5E1949EF9484AF81BC771682D80F6B1CCC4CB83EE9EA8BE7733997936AF9B9938C2B215BB545A48C8087441F02A6F9527F8EDCB67FD8A88074FE343910300801961929D262EBABA8023817926AFFE6A773A7C373FA4FADB5FD834661EDA7C49719AF1FE94E6CFA4301D6062D8DA604BB6022E1D5C722B0B502773F5C2FAD7F0966A4386FBB46C9547D8A95AB05AF2C3DE0760E6C +Ctrl.hexsalt = hexsalt:90D88EA2B1449337CB5CED87F18FB910E732A91FB392C27E9EFDAD76BD43945DAF413E48ED0C69627504DA +Output = FE911C6D527B1546875534F2F95C9CDFF45D833118394EDC116F1C26CF6A6ED4E1172FA4CAB7ECF617E29867C91CC5E69222168768DF89908257165360C6B5AE06D8464E9734FC490E5923B41D3C374A9D0B6434201BF3B385381FE3A33262D58ABA6B9A5AAE4069944FEDFBB154522A219C79437097108A94C2110166DFA6EE34DFC24363BE053E0C4B38EF7F468A312FF8AE507EC8E34B1350106DDB01234C8DF28DCC58A10B7ECF1E666CE767CF33830C4C1111AE1D5CCE1FBC00BEE7E1BA6B58040558 + +# 4 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = 
hexkey:5A99C04B55A533108077D31AEF79CC1CF062890FD38B11BB255A8891511956739537BB5A2C8B6EC70D78AA824913881C666B81361E3EB415F4EDD7C46C40882AFA1C2E779633887198A84D87A105A8FD1FF5D2D944508FC3AF518DB5FD076F5A004B88F211A7113945C586AE01646781A2D5CBDB9B8876820E3F1EA76CCE371F564FEC08874BD2EAD06E62BAD29E02CEF9FA833426C5A9EC540F3DE391E2A7A880594C0332617B250AF1A14575CA914B22B08A1476B778A3521E690370DCDC72B3D78564EA257E830EF9EC9E68FC0ABE12ADC06E555B7F05BD3629B1E58A1EF6900A427F88A3F9E21EDF6FF6BD35D97CCF4F8D8FD36D7DF6570D08E3089D637DEFA9D44278DA0D9F3D93DBD251D713C51A314E48070EA0654DBB5995433676FAB1C0CDD0FBF4AD1E97949E74D3CAB1B1A34B1A +Ctrl.hexinfo = hexinfo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trl.hexsalt = hexsalt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utput = EF3623D3661B1305F611E5FB0E202C19A3CCB8EE69EA4ABAEE0C58C9B2952EF8DD111B257276303A234A6F96C8C124C7DF6FF4148309FEFD57E839D10E56C6FF790D41F0A7591252435C0C66987CC13A96FFF21FAE24AF1D94360A912BCB0D77C760E80146AEEDBBD407B21F775F734E11FA01565A81FE8FA7E6EE0A812115970418481C4085AAE03627B828B5FC5EBCA7AA57BA2E896A2794D715C72BAE75CFBFBEAB373AA451296C86E2992460A3E1F22DAAA111255747A401A95B28C14300DD6D662422E8DA31D81582B48005 + +# 5 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfo:2F567340D8405523FDB1BA0B1B3D229290904F92EECF66A5680C7B5E979F28C733FD96E2F6FF54FC588490AEB540A2A914C9030A812549C538693F2C3DADA88D5F704CBDE6365C939AD0B837949F0FA839B90C3F2D883780BB7C185392EECD10BC244DC5E9DB62 +Ctrl.hexsalt = hexsalt:8AA38C201C238B1080B866D460B3AAB62F491DDFC374132DE2D28EC910E99B012C3C3316CA202D0F4C4ADA936F382C9161D7CF314DBA57BEB957414A32D85A5B4CD50C8C450C8DFF7A6A991B32CD84241DC0A16B45E7D739C97823581FA879E6660D61F45C49520342151824F32137DDAF61F2ACBEC169ADC969D6970FD014938F8D3C69AA33850F6C602CAE95A1A29F103228343B0973A2770C27E259BF636FC4ADC596C0470FD7952DB53263E1BAF14B +Output = 
A46BF10479386AB4BA8DEFD2862CB58407120334F3298F7FEADC08995BC867B1ABDFE4373A0B1775467145E6C4A95D21622369CE179EBFFE02887CB10D3547AA3F54B5AB7FB0CF75ECB2D49825C3B2BF2159AAF59BEB1D00A77F07E8760F9B105A6564B3ED348C + +# 6 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkeytrl.hexinfo = hexinfo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trl.hexsalt = hexsalt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utput = 33C5F236C358A4FC254C5F46C24A + +# 7 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:443C379A0CC125D4BA88C66DC3D84C53E07159785331F4BAE7209D +Ctrl.hexinfo = hexinfo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trl.hexsalt = hexsalt:54FBED7FE80780D781CBF01F93A4A452CE5EF4026F013CCB38D618C723619607533F16E0C7B8B86E0CC7845DA6873A70344360CDD128D76BDB +Output = 580EEBBB85CE1D44EFC40739D79958FFFB2ED0D08EBB80B179B07975EB5E09D10DBCB744F7A43479F6CBE060569479633902D66C53784368969E905A4267D9512BB16FE93D039CBCE7546AC9CC6C4A61E4508606C6F788EF2AF4358D79BE09D1F75AA40306E5C1D9C15731805C2D2E4B2C68 + +# 8 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfo:5D59863E7BADA4CC9FC831EB110AD29CABBDE18A9DB1263BCFFB08803329C358BA1367A7B98FCA3786605CB7E648D814378A6E8EE5E799C50040CD45E52B2CFB7F1733E91E09271A4CC7723677277B9C40EDAB6025436FEEFC86B0E0A916FFF996D3DE62E41801E2EB93D255D6954CB120765CE424C3CF5D79180220EB12AD1F1C48CCC3D89B +Ctrl.hexsalt = hexsalt:5E3F65459EF8E5D989A299C6821526F9DCB17EB858BBAF2C00F34E10D0F70E7980D2F615A218017BABB14CACA690280DC604B6A2C992DD5554085EA073908AD64E4056AA22EDFD9354484A361004345E93C2A05BCD5DBAD77D19029FAB55C4F5E75DB0DBEEBBCF665F8400846A5A6E57A709F538867234FF1B4566F2535C1754CCB4907F5BDB6789FA26CE015CD51CE30C56FCC2AA90AA78DD0BB65645CA8D2D86 +Outputversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = 
hexkey:F6FCAC8FA9462E5DF6F71945F52A2B58CC4D65DBD4A875FAED6F62102288BC85C3D891761C3D070D0766C1535337A094301B6BD04981E88773C9CDB15336C3B84A6C7C95BE5B74371DAE5CBD30 +Ctrl.hexinfo = hexinfo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trl.hexsalt = hexsalt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utput = 0434F244E1B1350563DE4AA262A255C06FEB5B95FC1910BA40C920F905507447CCED10F18900A3A71105A5BAC17F62022DB2DE2FF7D18F75030B9F636C61DB7BFE4B01C5E1EFCBB413D2C80B9744296AA9988BAB7F2B59CC906083385EDB90AEA6404BCC13BB98C5DF5786EC3DD1E122748FF856BE1360CD1FB49B172E1FC4FB5E2C8E266D25516A428DB502CEE4C53AF3E0409876DE79AB345884366CE4AC08F87E1F44D92939 + +# 10 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:AB612CE30D992542E201BD728A37070095592EAE063603F8E672938DB6FFDD29727E76C295097569566F2EE788D3B68C54505488EB6A312223C1ED82027BB210E8464541C45B51EAE11A19375827BAD3F596086910C66FB7BF3A1DE6F357836FA7870E43A6AC235DB9654E5B21F15C41A7E0D986EB5998F789EBEDE7B80A4F30753B28B56862B4CF1DF3C3A9BDF9A3AD22D6F14387F8AACF3D77A55A +Ctrl.hexinfo = hexinfo:83865206B79DB2A0AF0A3B4547FA390399884CF89A45E42E3126C0C2F4039A77C7FF7A5619B14D2F469FCFA9928210F5D2593F2E95DA44FEDC6BB804CDF93F7FB3CEC757F00C5CD8B6E1D3DF43C199E92B8EBC33834E468F566A63758A03111A7E136B2C6C3B838E8DC27CDC6A9B683FE04208DF13BD931EFB3393749BE99A33BD3D7AAC017A2C336DCFF1166D41C3E9DEFE5F2537CF57F8BF6CA6986FF15E7ED9E91D2D85463E406740AE6BB6538BA2CC0265FA67741DDB6BFFF33FBA94741B3BA769F8E38FEC43F8C79955AAC2F8B3 +Ctrl.hexsalt = hexsaltutput = 
FC8D2E1E7A3DD423289D383005A8BA08E213B841D0DE31CBF16DB0FB6CE2EDC7814CF8D5C005739627BF1EC5394F3C498992F77CC15837AD4613A705172525BF52AFAC95E0A838F52D26BAA1E1B5D547EB37A6D2CD5175B1B4F926BD5BBD5C9D40D3E2532B1C229BA10AF200062AA01813A42AA7BFC49363DDF917DC71BBC00CBF76B571CCCCDCFEBE314D5C54AC46C6A6CED6CF10912DC526410EE3FF252DF60B892FC6E4DB1F40606C4C8EEF0CA7B2B22E198C3DAC5B7C7BBA2EC28481098996CD0E29034D31FB2AE8EDD96F48A5D201009D70B5E9327235A31EDF75F3DC12538D4D74A93678D6AF0D031BF57281EF03D9EB90E82C082E2FF382451BAA224FEF969BC5419ABDF5B34FA822A63A03349B1D114005D412B065C2D55E84158E4A43DA1A486A75E191F04787123EE60A1CC2EB9DD1CE86F02599071F7CFA04509C985B30EC14534210ABE02589FC168C213B78BCCCD81B109B4BDB20F83A802E64456012701802762F8F7C3C29E9E888BC1A14397315DA0A504715EDAE0BE2BA5F8CFBCD4F207953B48A9CFF0EF84B3B52FCBCFEDAA3276207FAB342BBDA7440387D6B8D8744973E709A5E85AABF6478E4268EC6AEEC30F7D7C78969E72F2BF2AC5E45C73A80C12FCDE030DD9D6D3F1C6F6550A8741E + +# 11 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:CA2ABCD032EB6A6A222E340E5E4D9234BD0BDF3245B0CE800E3465DC0E9CD0656B21B9E8990765376B19094839A89C3E1B84B227FF503E841356D89722D6832B766EB6FA8BAEB97032DF828334E2D6E7CC88B391C847D3221C459753789817EE9C3D2A0F9068C6CF167B6FD3735AC9AAA9503039C52069A17E4763527DD0EBA2B2F6DEFD8C8038FDC278B232E951697F971423643AC9E57A3BB790C8668847C8AD5825DDDA60BE +Ctrl.hexinfo = hexinfo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trl.hexsalt = hexsalt:46DA8D3990CE081A3E169F18ECFCC6E07E73C1190CEBD5C0887273A60507BE8C48575C8FD7D16954FA62AB01467CC0EF25BC4459BBC299A36A640AFA23037CEA17E594ACECEB9DC3CD7DDCA58F4025936C96AA81F2D671DD03497B759436D1D7073A416B0F2C86CF3E362F2DA09DECE6D99E30F4DA84255950A4D973BB +Outputversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = 
hexkey:CBDDC5BF19FC85ECCA19DC7A725A9DC4AEBA8C355B421392FD7D487C46E1941F117F9D0FE4A29B0E1210CC8B6A08BD41A8B61D3B0A9AAA69EDA961B40A98FD97A447822F9C457BCBF596CF06AB013B5F3253144378396794AE3955606D91A5E116788CA667F094BDFA9574712E +Ctrl.hexinfo = hexinfo:D24E21D5D83E28DADF00CB81CCE0308514410BCDDBAB3417252BA8F01E896BA5CB387AA83740A2046F326271547214A1AC2F7636CD3D644CF759167B42970C42721FF4E181DDB58A77D80B3FF82B703CA6EA882B +Ctrl.hexsalt = hexsalt:45CC361AEE151593206D1A7498E09CE3B6F8E9B77F923DD4C5281683F5AA75B6F9FD74E7F5061F0E6D516F7BB2268A7EF93AFE25519C83BAB32C200D2383E590E8CC9B235E961DB41D3A54034CF100E5363A07DA3A5E839520D37D13BA3C48C154BC6DB30CC1B800143983D431A38D3140DB4A6C45394C5580A7E4179632EDA10E85A7DA2341C081A74C1387B4033D05EA1446A8DD5747FB9690F4CC425F4D28C137D76FA97746868328C38D35E3E674742776E35BAED9E5F5505269C744A96ADA496B9A77B22C61F8A157B73C3D4CE9F9BC10ECCA27722C +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:957664151E0806BC543D87A9FFF4DCC6D6B555FB4481CE9EACF3955DAEDCE919BEEAB262FB5C0F121DB999A04FF7D89CF079E072110D9F47D95F712D1B2475EDDED6A1D790CC40B6276608E4C9A7FE1D21B08123CAC7F05FC1422F3C133678269D62484E15F94D719DAA3A016D618A089C8464944A12502625B6D1DD3DDE616167764553AF9AA285 +Ctrl.hexinfo = hexinfo:B0DDE6686C8890B9488B6649E8EF839E7A7D577F0F3363FD729B633738ADBFD2A10A43716710C321EF23352C1C1B56095A558189E3C3E4F34E4E782FAA7FDD7EB882653FF9DEF4FC063A42F327B14CEBCB0EB7152B785506493C4F5B0CC95C31175DDE68062117126BAD0138C92D2F9DAA85F906B1F5DB97EB6C6110F05FA908730C21564EF770C414680B070F4072AB4C40BBB5D1D03E39B32D5F77E52B7A76B411793CD97BDD663BCAD7EF2F8FC44BE3473C6BD65E19ED48FBD22C5DAB8EEC573A96D48C56F288AB9114EABE86358559BD227418D2B14BE50693CB0488F84FB5 +Ctrl.hexsalt = hexsalt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utput = 
357E453BBA5261943660EB89EE0B826C58994A2EE4D0C3388B2051D37D8813216C2BA89EAE2B1033B943B0D02497124D1BB481AA751ADAED6CA9E88F59377CD45D338B8235DF03EBB7B7DD03F8BCA54F115EC9774AE35409891EE0B850FA82F0CEC225FED7FDCD1B850724C8900326151FA6A0BCC9E3CD717614B5B24EC9E79D4CB3441D78E032CCCA512D975C2EA62DFB27A92AA80F1A313C15C460A1C677DB4FFCE28BEDE056B3C011AC21E1174D93A548F5A7DC48FAE15ED78023DD2B9BAA3B619963F836B20032509416DF85CA28CC96E81DF552794F0B62590659C5F7C427F039801FB7853B + +# 14 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:3359A0B6BEA50E3CDB38FCEF63078F910F575A944FDCD421FAA6BEA6FDC7249390CD11DE33CC7785BD3706AC0B7D393ED287EE6F1011C7 +Ctrl.hexinfo = hexinfo:62C9E15D00D461ABF5A81E62248A2ED1C33004A92D2520CF3DACADF834C87F708249489EB16C3A8A84339981EC9BD5134C1491805C693FAB6793C93B5FE5DF8E290AFEF99E7AE654B160126CD0876307E70CDE1456A97A8043E71898C0EBEB97A06A094FA2BC202A28E72AD7E98392802B8A274B7C80F9 +Ctrl.hexsalt = hexsalt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utputversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfo:1446F4AED8B3F7767944CA1C136CD0028D4612E0F4A437EE898EF352EF56376A064CBC1EA26BC2313F23FF0F718435AAF767E2E3DD83B3D16496199BE5379A78543BA04916C76A6F29EF63A8769C85A229D88A8ACF8BA6A796D3E60DDBEC21A3CC75ABF6275F8281F2B26E832B4AA44BA3F48707DA66EEFF31C8A999495C2298738FF21AE72997B1DF64F1 +Ctrl.hexsalt = hexsalt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utput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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = 
hexkey:81DC536E3E8CA142DB84FDFF172BCE89412DC0B7C33307E0450A695C09E416C4193BF353DC10E1DF11FF237747238CFFEA4E4AA2F7B4C9752F307F1F6CB341FEFC4523A32AB9D88CD0B86C8CA83710C42AD5104BE312093CDF1E0CB49DB1987E8BCCAF58E8B6D4FB9A2EB501F1A8933CE51CD10431CCCBAB9D0B5AFFB472BA85B95D353C73F5E0FCD94118AEBEA7473A1DC126573651DCC008224EC9B2AD3CB2DC73A839E3B1FD0C7408550D8DD3CEEBD40DADF12497F8619718ED710154042F4FA5828C921C48CAB24BEF2EB373D9F6944F1EB7DD8C585FFF3B552B7CB0576337098166C9623BF2C48A7D7DF6F79DEC44692259B73B39D00C4CEFCD0E0D5530C9E62650601D5FB7A9D5F2165C65ACEE086438D1E121495D5AE1842919E4C8B7A1DAE2A3E6A5517D3B037A019893B1917609B2D7C4F70BAC890CF6B19B9BBA24D78BAA0EF622F7BB3BFDC9EDCDD26A50921FC4D4099F424BE9D9C5DE618C7A04F148D303E443B13BDEBB760742F4854EEA583D159FAC6CAA8E8E51A85DD577B2040BE1522055A8CF3564807549D1D93B8122B3D83E7E10D29AF3588D13E69F5E31C0D81C2F07719E307C94B07F079EE71B658EFD34A872DC28115991F4D94CC915FF7CE7B8F5A01020E881B15B38E4F4854C665FB0B55EADA89112D0179187B12EF0E963FB243382C43FB293561B6E3AE271237B8B7AB9FE63780CEC786550D2 +Ctrl.hexinfo = hexinfotrl.hexsalt = hexsalt:7413B4CC24CAAF4145481008B3DE12A43826B25314912C57C6451C696263E1E8131429F8F887E3C06B172F598BABE8A10064C0A1320C639E0CAC54078A1A5974A19CB39B7F1309F8C8E55F782F38041A4CA784BBD88384C6B0A90C0180ABA5CA8F5E918FC63548851F9925B7D2144718AED4B230E5E8D3332B79D1 +Output = 8D2526D19D8929B9BA8B2979895922EE999AEA3D33C8F4207D772EBFCB0BD04807075AC3AAC5CEC5AEB7AD77E7AEC69713C62E518FA4F6958F657E23B12357183C1C793D96285BDB83B808D2072CA225153BFECE73A23FBD1D9A32672F614A + +# 17 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:737343C3387E98E37F16A28F9B2B29A4A674CB773D205D23BD4540926617AFECC6EECC56CDA5065294924DD203ACF0FEB5971CF0B845033FCA1069 +Ctrl.hexinfo = hexinfo:A88148C0D24619C4A6F77B8E53A0C1A0F06D0672A233FFF829ADE9E0F90CC2FA8398984A3753A02C29FE92871D542C75E0EFAABE23310441CB7F14 +Ctrl.hexsalt = 
hexsalt:289071E3C7EC0FC249F225D30874C2A3E939C03731AABA26B0F8B15E9E1F6268486F5663D414C1AA5370DDC4368B7EB068DBA2C63466CA7EF445F88896623326B65C5E87242B7E8C00F59DFC29AE6B +Output = ECC7969372237FE5BD42287E881ECCC0E9ED242A7E086978E108A2508F3413A77985E9ABE1EA704148237CF67F84BE3DAED8C6AEEFD7A76BB0F36218751D4F7BC6D02F6C6590DF5156C2FF6495A6E80FCEA553334FC65D45D1F7F87D44B6C6F5EF3F03CBC023C462B84D86B8573C69B8275C04E047676FEE646A7AD1CFD33BD80BD5B26A746A84C8432B493EDB40AC13AFBAB49AB64F3C36794F48626192DFE20A64A77FD65CFAC68F40ADD69932435970A568CDE6427463449FBC4F94797F5F423BC8FF0E45E63587A8834C192EF1AE4750D9CE5B5153668DD9A566ED9EAD5A256F6E100C7FCC132668DE447496C88E2771 + +# 18 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:69AE432156C45D1AD04D17A195BB422F0017E8BC57D82CAFE33C447076216A0D0E62CDFD55ACEB663A2BA044B07AA8D583BFE4373CA2B136AB99CE422B98467091C81B3D90C6EEE54F245E080ED748B27E6F09BC92FCD529A05DC344923B8B9934AF1BF92C26448C7C763312CC51946EDD607DB6317B1FADC14764D4536A5B83362A5AA3462513FC253B37B2A99771043216AFEDBEC1C48F5262 +Ctrl.hexinfo = hexinfo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trl.hexsalt = hexsalt:FF97F583EE0B6A1AAD8401496AC95B3B19C8F6C35367BB6F5B0E657545E5B060930EDB8EB7D2A48FAEE0408F8C78BA2F5DC994DD2ADBFEDB26AC55929A19FAED148DC124F8B805ADA6209E5142E11CB1A1008E3FD2C4EE5432D446BD804AB04D318370 +Output = DAEED88796E486D4F1E140EC9AA7E7B68365370686309C5669CB9A5CC2A816D4C991D280265CD6EE00B9A19C8351886AE8CC5C17F1B48FFA324E29D70C52FE045BA80AA3B11ADE0378874690139A6914AA99C1ABD2 + +# 19 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = 
hexkey:B49233D84525183790243DCF4AEF5B9B3C0FC7BD39AD1AD0D11250850D7CE4E6B68D45764987CB10C12CE5C731BAF8E29346B7C14B6E5BFA087C601035DA6376EC6F8A42D2EEE1F3D0132B95A8224D3123865F71F2D05640CF18652A7B9C23EDC18EEA7EEB1B69F2B7AA92A1AF2B126DA7DBAD58C82404D6EE755D3BE1989E63B4DAC0BA90F40CD0DE2796F7A744B62D5347C319FFD8C882497A73F8EB471A4DA23AE6655866B46AF4AC3090A74D51616E4983FCE6409D9B401921445F017D0FB73D44F9A62476D643A95A9D73089C6ABFD2F96857D28BE6338C8ACF3DF8144F49A49843B710 +Ctrl.hexinfo = hexinfotrl.hexsalt = hexsalt:155E40EF28C6C627A68A3CE95EE4E0FE57ECEE902DD681 +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:B26E54FE25B9DC2DF70C4004F448B76E37DAD0E972CC41D7780071884E2B6C91C13C94C1F83340B6B12C0AA17CF6FBCFAE30A0EFEC75A747304D31666F8E5901ADBCFBF018669FD8CABD5E19147124A966E117A82C1A4DBC2CAD28980B0B7310461E12A19F62B1C5D9CD +Ctrl.hexinfo = hexinfo:E7889910D75C2BF3270110F4D58235B8B6C4157E0FAE84EDAD6A8217ECE1933BB4741D6232B8D90554CD6F1E688D04C1E212C97055C0D405EACBC9B16280C1971F7982D94317CB80346A3EE4B36FB8771BE598AE78B2B5364E6179FE390E7093B2238D21041FA67AC042230AF6226663CA02BFD31373BAAC9B86F9EA918CC2577535071AD28279DBB8AB21335F50BC474B0A8AFB65E6C8B93D60A47EFA5E26E275835BB36A +Ctrl.hexsalt = hexsalt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utput = AD4AF2FFD2C25A050F53FDE6E2F95C3F5F66A32DED63F509B3E8FED7A9258C8AF0AB95312AFF766BBDF238C3E043AF33447F246AC0702BDC2EC7FEE76A6F63BC75C768E0B2DD + +# 21 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:3FF256A112494701B815B12E14B5FAC69EC1439D69CD0437D82F2A1F084C3F60F797F4EEDE4808CE4477903026B8DF8392CF0D6832644633E134E91B188C794845D8E6F3398C95 +Ctrl.hexinfo = 
hexinfo:01409C1AE1065D269C136F3102EF27A991B28CA9BD8CE4EF43AA924C24E16B8B1907E76682AA2CB1C2E580B3AC828FEF1ABA57D72D899EE8A61EC50EB71F0B1DC61CB491DE4163E98ABA325C758A0D08B84A6C30FE32A8CD99C6A8E693B66BF442F63DBA8A483986EA5609D55738AE4E0558C523144E1304D63ED918C84E3F9390899523D913607E6D807E12367E0C73DE7034D24AFC7ED71917CDEBC6A70768683F5463AB8DBF392A0F1F92252D1BA42AA0C0CFB6A7D3E5ED40B1984C8B8D8D13A33F522336139F40EB791DE16B18CBAF1A7653341A0CA792779ABF2CFF24A42C00FE3DF8CBBEA0F3F5E9C34F655C88FFDD977130BA8E11E1371DE1D7079429AEC8823EF318A9478BA60DC32BEEDFAF5972C6C029D26DAF +Ctrl.hexsalt = hexsalt:FC3339DF00692A6A171BD2DE9730148587910901C20267E244FEA844B2F11E9159131B46EA39268AA45228C98BEFFE45571CE805F73ED9187A241827F4CEBD3FE45DCD96756CA16F97 +Output = BE6B97608559C5D90BF800DC069488E4AFF4195C5CEE878306F7A516437C8E0922E3F25157380A2B53FEF5FEB651A0F07772886A338C2BEC68E2846309AB9BA3961F93DF95DF44B527FD08FD38607518D793294D5C0AFA76BF5A44702D4CE9EC713810CF882625D6940D99EB2AA1AAC3D67D06500854116E790F58DF + +# 22 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:4FAF8EDD2536B95650479B021C3B0FF9E24B75A99FEF +Ctrl.hexinfo = hexinfo:EDF0B58F2D0CEE75705B3866053B74C7C5823CF78296ACAAD77D6401734C9D334E2E187B185DDA219E3CC8FAFACED1BC767142669F82E3056BCDEC072E8CB239563334D6F8EA3808E8DB7A659C1877C485938D2586F466820510655065C2FD18A26513719256500496C85A0605E816D11D52CA2BA5549E6AA4C62D48EECFD042E27F4DB3EA94174FBE337A245E0A49335954203605DF98F019FE06AAA60E3710EDB8104E1B70263E89CF0B3E44B868AA71D35726E0BEFBF2CE692410D3A11FC971BEDCC6B5BA07B17A00F500D266593D0ED94BC5D8A8CFCA7EC6082321A03E7ED0DDA59EF57784BC992FCFB0887AB9D68C45B1121FF0A7165DD23D3977A0E049B17D7A8B3DE683C0EB6BB57FBF2D9CBC007FC302EAF0FC4B68E28578376F28 +Ctrl.hexsalt = hexsalt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utput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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = 
hexkey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trl.hexinfo = hexinfo:2177280412EBBB4158C2A0C23F491A31FFFF5079275A4F47F5010D8157C4288F1FDAD1F68303ECDC83946A6596D28C1CBF6BF728CCBA38F26EAC08FFC83ED5C3273694CC66DA9CF7281C335F4DBDF3FD00D6BF2D8750C6B3A738D020FA15F9B6F4B82389CF8DF27F987F78926E +Ctrl.hexsalt = hexsalt:6EE6633FD4414AD0ACF792354F0D51028A94B234F7973C6A3A00452704635D8715D42B509FA82791DD900FAE4C7B7ACEFC99153486B28D9A3702E7FBD22761BBA6DFB0C9DB4E9CA0C938E68432736D21FB174F651F0366C69E079F3B48F0C9C4154121BA9C75E64CFF3537EC782CA2D63E30EB9CEC77FDC8994D3FC29A9BD500255EB1D449AC51E6B43BDC1DCB0014DDCA39D71EF1EF22C6166B66EE5C9A87DC5203EC8C096C0F164EDC8B0E3D1433FF3C9B5D +Output = 93CE3622DDD27DF7EF8910E1E22E77463063C6A1456D9B492F03F5BB8D5DD641E35E6CFDF5E7A4E2978B415E24C81ADDB704C4301CF8A33DB75BDB0C930B254A60AC871E2AA7F42C7235F34461BFC19E9183FEE6E9877D0D5247A93D59EA5187EFB1A87FE54F3E7CFF1CB191FDFCBFA03A48C5EA43C309F2917EC22338654C8C4165812A004B9EA52021285D7D587647AF36F96800B507BB07A4F8FB5F8F7D2B31DA783C782406F2A9F790487A12B50786B1ADF2D110214C50684861B1384CDC75452887F3BC43FBE0F345E268CFC0975755B8028AA50B983094B8AEE481438A6528E78F35551AA718DC70B75AFA073B + +# 24 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:61431577A297BF26AC5CD28CC91298D6EA155C055462E12708DB1FCE32F4D5BF6B4A560AE568996600F25226BA6C10770553FF947EB6C2B74EFAE03BFDBF18FF828CF8DA899E29EAAADABB171A3022E8171D8E4AF3584B6424E0A90F534440BC096D56DC552794949EF3ECC91AE698F70933803E7B226CD8694E011E32C8DD97A4D6FEB3272C1C975B0A6C +Ctrl.hexinfo = hexinfotrl.hexsalt = hexsalt:9D899062708D4DF3C79776491A855F76B52AB0C1E29E4FA92FC55573BA7A9FE1B5EA8078E076B5CA9405932E36244CFE2B9DB0AB363BEF1D0170D82558E2F85AC5AD6D66838B1365D6E6FCD1BB501908EBAE55B3D5658F22510403F4DB8CB191D64F7E502C38AC81508510C55D40220564B4B20974CFAA44FD999F300D64EAE6AC5A12DD557EBC9DB8CA827FA98CBCF0341058C6725DECE82DD4CEE9D6644BD304BA521A305615BC7A246760B8D718CC8275945837EFA1FE7542346B3A36C21F2A3B56C2593F65C9698F 
+Output = 454F09CE3D27C4906FEAD909A4679B6470B955A94BF1AE298F2A5F79D09667AA05968D69892B8D3C06768193D9FF8BB688C73D2EA1C97F7E1A3C053F4FBF0CB44E22D1FF77B698FEF37C7479599628795CE553D5AC571F7AC6BA01D6793AAACBF7F5266DA4AF8DC133C0791BFDC6B45DC27D3B82BE684A7E68B20E037540D34BCFE9BE19BA0ABD26071302DB0BE071C556FB27CD8AAEC158B1892F48EF34F6AB136CD4978C4AC3306E743757E0190374C667AE26096C201EC08AC855BE28396725985480F1451BEE2A91B641DA55264F80E24F9095685D11ED09 + +# 25 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:F949E6EDB579F0C816D46F12761CA09A1CA03111A8ED647B6369F1FC80117EE0A9BDD715396E4C8A75315DA02BBE03F45AA4B81E3E9152D15E1F5B020366FA74759AD07911FB3FD5BF70A3FBBFC39BBF6BF5627B85F37B7936E81078430CFA192D1C63C67E6FE9BD203E12B90B89B96F989E0EFE7F2890D8604EE8FAB86013D22AAE857832335E7AF4E2A416CCDBC81FE3C9D956DE24C7B39596F9DCE9DD9FC454DF95D4A99D3871F5ED2347DB266F5A2BD2D8582467B1BF832E166BA5546817297F3C3C36F3F1BC21FDBE90E44BE2AB029E3051F5C944911BCBC79B595A6EB47E0892BED272F95C24CE2268F9CD8B4ACA6FC61408E61FBC3D0FAE2F4F168A4466B85E6F96AC1BC8B23937158582A0CAFA17B1E49ED46CDC78286AED3BAB955BE3A7EA9A9886627B5365E974C297E4A8FDE9DAE5726DEC5052F6F5F8276F2E9BADFAAC6A2A9DB4D5FD23518A25BED26E21915D69474356901215384C5B5F9EA5F00E33950506395A532228C8FDFE658A435158C6151EAAE18FB27064F807F825EB4F898B +Ctrl.hexinfo = hexinfo:767500D32913F41B9576B4780BB7FAA9709747BA759E51AC5864896F3BAF5A99025E24A7A05EE895 +Ctrl.hexsalt = hexsalt:093932D4F558E53C71E39E9F20C05D9A52C92B78A5D3F790EE09C90AE5D8C4B5474DDAAB577E775310B0DF6AA03427DBAB853A757B201AE3E58A536CACF6ED514E3ED3489C09208C3FA799BFB7DC1A41 +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:9FD128151704C5C3AAC293890E317162964B01B50DCA198F4DD270F0483E8354B3E20729BF9D472E6CECFCCE56D919E114E2AA4F437E12A6FAE8B35F3331B0A690EA6228138544409B45341F7113780031A421F8E5143E160A1AAE04DEE373A00B6DE1 +Ctrl.hexinfo = 
hexinfo:E4B04AEA14536852185BDAAAE50284079EA5F4EB88AB50FBBA5F30EE9502B71347ADF17F609752A59786C161CD66A57F4C4E783D961CACD530AA8166F9FFD9D9BDA8108A82D15616E38A07358180A53CC52AEE6EDB75BC58377450B6AD35309FBC42E272A26AA93ABD54B25274E44A80602F9B299E951CA01BB2F52C0B136B95DD7C1ACB01066B60538D04F815D70A2DA05CCA18CB0D1BD60EE4790ECBFDC7C14CC72A7F12EADD2B486637BA6C2B8494C1C12AD3D5B85D07FC2DB6DF31B4C78B4770249A6BCBEECB2F +Ctrl.hexsalt = hexsalt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utput = 4463556542724C0B3E8A7D8B4F9294B30EEA5C8987262EC560CCEF4362A9C1D6BEED568C759E5225EBE31CA508E24EDB5024EF267F7074D4BBBD17962ECBD5B27FEDC4B1A3D06A8314AD46907E779FDEEEAADF36A3C3A82B73E2A1A63AD80AA3C6ACB70F2D691334A077D90070FF235AE764AB909A14 + +# 27 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:AC222FA6B2F492CBDCDAE55095DF2DA5E4401F95729890333A744F23381A5D1BE89F40E488AB8CD3AB5ACEADA3670E72FE4FE14240EC53EC07B7513FC73D25AA8789B7A4522CF4C6825F82C58597EB8CB316615DC5E4A59F4392107D720F322D1F53458FF3C28960ADA727E58C977F1834C44EF96B45FECC18AA66DB8CA16DA9440E5C05B020500210CDA3C4B1BE4AAA6E9D1EDFB9763C7C59F5AF43C4992D506BD8A3D641EEB553A30770A8C157C2C8EE2A75B9F2D882E8E59DF36574F3098075641B748638D5E35611B73C5E211A4C5B2437CE1AA3B4864C2A0E16D10C645B43CFCADBA41DEC25F98F5DA75FCF12F3B4C571D94E4D504040BF91735DCE72B4B8160B7115CE11CCFD851C6AE3F546DE9D6CE544C01D714F40E0AAB5EAE9AB15F9409CA5AEAF60990A32F6C09D9020 +Ctrl.hexinfo = hexinfo:D038B9B5EAE8B05C7113F8AB5E15A7AEB1E37CAD341FF19B2DF79CA606F5357487F8B95E0C0A8A24F408E495F80D2514A101B9B55B1A148A97C6C0740DA46555A9F1B8842948AF6B98D7C849A98862ED6CAA4B6B4BDE66407CE3A7BC7523FCBC528D1E5AFB91BEEC6D0494C15B916D3E8336980960B7E3C74CB315E8351D6F2C9923DA17C6E52404B3 +Ctrl.hexsalt = hexsalt:1B +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = 
hexkey:F59CCDE3DAAB34F2126A739CBE0B4E32278B40369D0E26473476CDA28E5924E178B03ACF1A37A698C4A2210F348EC8A21C3F3DD5352B8E2F6CE71A8043F994347AA72B86AE6B72646075612B3E922E4FF7119B228D9F88A336E93B8C9C070E26CD5FA262DDC0B4B862CB74BDCEC418A774B688521F62941D0908466323D430D53330F05739A2067F64BB8422 +Ctrl.hexinfo = hexinfo:E4B153B2DE +Ctrl.hexsalt = hexsalt:536E947DDECFC6AE4638E89985F8AC66CD416B0A45F9607309B4B20D159EF7E5D7ECC51BE5D3BE53A6EDFF8185426C36D48142D9EC83BF198979509C226D9C46B96EDBF12F80E7101B588E0413E9ED5A51D47AB1 +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:515BD59FA90FF2D38C027E93465482BD61266C97975B3F156E9EB600ACEB543CB9C4DBF2F986676DDC476BBBECF649A949873FB0EC8D562C4DCE25117CCF1AF8BE6A898FFECB44A1D65925EE888CE394AF32CFC6E412A74253D9BD3D273DC60235F448CF8AF9DC194D24C394D0AA050A0C4D4E43D24FEC063A1388DAE592C599EDF6988D97EFE1FE76A215D119E156DCB4A3D0ECD7B4F8CD81DFBF6BF853BB63F5DC752786B9AEDD3926F7CB1C6EE6F9 +Ctrl.hexinfo = hexinfo:DFB0367DAC84324D6E6913646B809B56FF11DFC5E57A5D2CA03340385B794F68D9334CAD2AAE14A6379E84B327596640FA78C12AB2C9082B5E612CC02B6AECF21C3ABDD1C095CEC13B928FEDA6BB8DCDF46BA3476C6BA396040D43F96F5038C78B2B6EB4265AAB9EC02D9656600C38A25A9B116332781D8BEFE32C6C348EEED2E8EFF9DF5EE76806CED5BF8AF7927A307978875E2221B7850ACD9C8F617A747FB88DE9DA3DB21AE1FA3484E9FD28588B738DE6A80EA75FD1CA379178C9623A53BFBDB24F1EEDBD5F20950582F282BD9C4565F19BCD333D6BDD07C8FB123A77FFB6776CBAC49EF16428B4DC4B123DD99332A4B34062F1CA2B7877EE0F52E613FCE118C0CC15EF40F9A6548C985FB5E2CC171AE126375817774381AA059797B9B54C3C01F409F0AE14CAEB997A680EAD237C86A70B9B6038E20DCABDC3040AE43FCEF5A70DD95F52BE267D86703B25410045AF0F7CD787AAF349DA545BAFD492 +Ctrl.hexsalt = hexsaltutput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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfo:14 +Ctrl.hexsalt = 
hexsalt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utput = D376343D472746AA9C4439A0291E0716ED124F747B8A6A3A95EF1650617EBCE6A0A8AB08EC46EDF7BDA32C956B6AC29E72F544B7DA0F4922B0DA1D7651971FD26E95C303DB5A5FC3C37B252965E31397935CC4C81900A448A6CB8268B163691095DD92BC534A0BA22ACBF038B31CFA0BEFD18AAB89B75451D47334313DACD4E9B4A630BD2BB748312B61A72718974C2FAA4B7ADB8F836A2EDE13B879196B2BD19064A1E576688383E72E347BD9FB0EFE + +# 31 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:40E5BD83D3C85EE54BF157E2D61209F6E8DC0AF27F9310BBA652463A9BA5BDCA0E9619763EAFA9219C214551283CDB25DD037F50218064595CFC337DE9FB0791437F1FB138E6F9682C2C73E3EC6CB7D9D02F35A33600492E48515C3817D64D0F0532BEDF16AB5512A7B6506BAFADAAB8354A5436 +Ctrl.hexinfo = hexinfo:2170984E35F18A75C2051C904D78347DC66A405D2D231D46912518A79D19011E3A2B4F626E6409DCD87FBA9804F53494CFB03BFE9DCDD471D306B33FCE63F57C9E2085810C042E0168DD2A0294F04D4565E60B9296A03FBFAC5C669C6672BA03824E89523A997BDA43D19EDC8D81CE3AA319B1886777CB2772C01A87DF71D306BAB884632AF15E166F720A61C7B180C7E4450E397874BC06B1B34399B0EA4D4E33668E0E49B380B1532AFD237E7DDBB559CB722CBF066C48C7CD16AAA2B2416D9588DFA367DA935772CD +Ctrl.hexsalt = hexsalt:C842546D296EDE610BF32210186FE8E2286086961D26B4CE2F49370BD687FCAC3B021B97A0E78940B755467D5C23069838E06B728E4848E3DAF554B2AF95B752707F331E0720C394D314DE65098EC484FBE6A08DD96C2B6F2122B7647C5C5595BB500C20A7027ED86E45DFB9B769059159D00E042B72A27D9FDA2186F931D9B2CD95CF0F201E550AEBCBFF7CE9CA4A42A8B196550E232B8A5F2C3EFC0C6AA46DC2C98401ACAE42F0261D2756FC02A9DED72DF09D9F9B7B52977BBD630E7B271322FC7E93A9 +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkeytrl.hexinfo = hexinfo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trl.hexsalt = 
hexsalt:93142F1F5FF7CC7BC7627382FEF8D11183C504B462ABC9262A6382C431833EFE36552E3C21A0ADB37289251E605C6EB2839D943EB23ED0C15050BF0DAA3E05EC80D3DE6CAB54AF1803B6F3326D1977E9712D033670BFD115C2D990D0B8B16A65BC9337D746DFDF86D405FD8353929BE02178BE14A3C180B8AA254C8ADA831D013A46C509FA99623042A7F7F0787C3A0E646B54D5B2A4AB819C3271A810212DCCF576FF8DA1FF4B754D71B94F421CEA1CCE5CAC084F12773AD46609460FAFA1FBF63A0D6398086B1073A3E82ADE7FE7A5788058B21D240602D998960C10BF19369B98CF29C2639C260EC92C561551D26A72190628E53D93C664CFC6342F7AD9A0F9FE7BB0EA5ABF7EA83EEFB0EA6AD29FCCC686EA6012341648B98481E14465FE7A16C0E8F19E30F903663B1A53DC7FE851A879957853B7BAE76C4F1B53C2E4E358428D69532448465BFF3E17CD1B8298D4D744C628BE400780140D39E58CF9417D0836D67554C096 +Output = 1ED75E02D2B41362007F1441866E37DB19 + +# 33 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:E1F41513FC55011D90C927F3F4EED4F465B38A658EBA42A57FB9F2C8D2701995E29E2B74C2E6EF894C5D9931660DFE9978D4A2EC2FDE630C69D7F9EBDE4D7A2AFA8D01F3874DC9089FB944F1C7AB7C79A5D1164D9A1322E391B3C28BEE8E43914E60DDE387A36B8E223C0052C2F5C02B62E87A22DFC98BD8718896F2DCEB459F0C07E687D7DF611FF4F51725EC946C28A69E76332E4F9835E8B4C2E9C35F843962ECE62F1E66C9D91CA97277FF738C33715A516024A78BF23604EDA0B87EC8666D179878C8DE83F8FE9BDBBA42CF3AD6557B678CC5F150FB64AE0DA15EC875 +Ctrl.hexinfo = hexinfo:46D2BA40346B00492257D0A7E8498AC33BE6250D238420ACD86D4663479B48AB383443273C3BA6E05CC45BAE35F948D8FD46AD662D750889FAF67BDA4C5C0E7E0506A13022880AE94C52832C0D1AA3544793BF561A4EB1D96565AF4624F233DFF069C9D94D906BBD9DC7B5DF4F6DEEA93DA0CD803CFFE7CFDFEFC18E45A7B00132D39AFCC4 +Ctrl.hexsalt = 
hexsalt:6DE15585882520492EF2DFBA105F3EF9CB50C5117CFA7534663534AFEF0D22F390BE261AAC2A6A3E134845D3B9DC1AC23ADB06BD9BBC4A94FB02B0F264349273C699972A2178D4D10E60CDC68E7036162798E48181E88D27E9489281FC789FE10FD343F0F3415B1E5C87A528E434DC8E83AC6B0315A147098A8A6C7C973158B489B1FB6BFEBAC2929CFA23C9F217B256C52AB2542C28920B3F42ABB5D4F7197F509740968AA1B83601972CA8AC874C36404174B0B0A94CC947850DB6F1C32AC8A2CF503E4DF29739DA63FE79F1DA904CF99C79FFBFBB4FA0D68D8821DB9299FF111D823DD3 +Output = 8112E8310A73624C929D993EB7AE36E8898A0E08C8F23BF0BBC10196BFCEDFD46B94AAF3C74053442594FBEB67FFC52ACB7A628C6DA83A13EEB16E26ADD8FF3A51CBBC6FB862DEABB8030E80D7AC2B8E78 + +# 34 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfo:64345A9CF1A783B00D07F26EAA9293212CF5F85DA4C9AFA306A81A785F1BEB84D1E0BF5402C437B5653CEE36DDBC203FBF4AF34BA69E2623895D61285DE8EDFB3DCF2BCBD2536C20419EFCCAED380167D077614C172953FDAC91A76EE578546107DB6EDE24F1B621960A74FA9BD2 +Ctrl.hexsalt = hexsalt:9D500097699480F4946084C5A2CF1FF7606B80149E68104C052EE1397113552318F6F4E0E0C2FED0BEF1EC965E39933C523B350E1A0DF59231E05967653FE681F6E3FF350C723396799A2193FA422D5F96467858954B07172C00531358786AE085E6D88C992983CB94CA592124229284F4B1E0D01F6C67CE6F985F8F3DC760D3BB46B68DC72211761798C5FD1A77AF8C9091DBB84C26273C749FAEAAA09B6359C77498D3AE2316D06A2CF746A8DB6E1E42FF2BA1212747541A64B1DDF27BA20EDE6ED98896F18BBC32FDE0947A41A0257DA12643AA42C7A0FD2EC539E049CD4AC071874901ECC06842D5E3E9C84582DF9E9126C0C6638066B7DA75565ACE9116E6A8D9FD203EB6A462ECA62AA97F7A72852008725FB4F2996EA887B7902354E9008C6842B708FFA6038675B9FCEE0F3E910579AFB792A24FEA900520E4B92AD7A5A219B8BE0C77FECFC0040204DD2974C96C71BAFAFA8B1944274F2E07CF66078879962663D8AB03BF74A943ABE77739BE0CF04BC1B2513CC97C90690F37737903AFEA7B17E880B9B8326D4C365495D5905E657A496AB772F5AE0EE39163352CC1E09841BD0798248739B6782547EBD75F22CC45 +Output = 
821124AC5965EB76B617F98CB0BAB57DDB4DA1E0AEED57D27CB3B2842C3BD145FA43765BFF8F8ECC5C695CF33181EA9BF23211CADB595A036607FDB61B8E435325A8E8C1618CCEDAB893 + +# 35 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:2E2DA57332C1145C49410C94523364044F5517F7483053C349C78D64EA9923A6BC11898B3AFD525037B066B7826C47F2683955A4DB59C3B7B8DF7084124B0CAFF88F019926CC3DA5FAF3510CE70CA3BA4CA0AF +Ctrl.hexinfo = hexinfo:75CEF79CF6279DD7DEBF6351128B745D63A08F0551188BF2F111FD2C0B1CF33C8B5437272F994FBF065141EFAC0E31F024DEA1AB25E735ADF5273646E6A4291FAE0F5F437B993C044CB5EC87C5801A2757E4D0343CA14CEA98B3C06C9E9B74F2D8066FC63588D4F413DD4D72D2CE60B593D4E15B9601261DD695CC508E50E29927BF552635ADFC393F673663BF227F65034EBC80359CB1 +Ctrl.hexsalt = hexsalt:9CA6D6B6B36C8126BBF5E05571AD165523409A6197225DC165F3D0BFAA04E8DA313C7743C0ACE21B4FB4E6DF0D7E6D444631B5EC6BED7C13EA96629587D1DAA1D4EED4DFF25C87D82D064F14354758C889589085A6BDC8051C69A0478410219FC81B266646F79CD6B65BAA34F2987C8ADEE7A6A970A3BDFB541AD68E333D34D83A42ACB2D136AF2F01002863B91C1FF2F8D384B8E95BE1 +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:9FCC82F2113A87232EE3C3605F3401D6A443E8E92D60248DB2FB3721DF37989947F46B23E9283A6A35B8A9E86171C1E4ABBB48413C523B0AEF6C1B4CA5BCDCD8CC25D12019AD91EC84243B686B14F9CD48DCDEBB0F64BE181585D17A15BF8E712114FD5B3E09C1897658A5FA6B5090C1E7300C342DFEECC980102ADA3707442A1EA7B9FBD5E0FE54100BB9FC2D3F283F60088259EAAD18DB10D23C3C5ED2953054D2399490F0C9698AF6E145D9FD9CBC4D88ADCC3899FD583B49EB9F4A884BF25192F9C9FC76C80DD5BAF3E7065324FC7287C5AAC5E7C34E9C360A58FD9E247DDDE899FDF90E44123272B4FBE8998E45A2E93E6F0628DAEB90F3D84088FB7F89B6DB809599C7E5B0F6CBD29FD25342747693547D28DB595E7D33C5DFBF3ADD0511864F2A0E05D8F666664A5F86571E56D2977B6601911005068E9A72BE4C17412A59F7F1AA140CF1F9550E38E05FEC17A5832BD67C085F0978F93F1AF7D24C759E2BBF736FC4D9FE6E +Ctrl.hexinfo = 
hexinfo:8CA678B83659AE9B50CF445E222294E544FBB0AA19EF5C3D6EA3866AC9FFDBB1F02007F4CD25B067A96F6F1AB83B98E620EFA1998677FA949A45DDE7C1580ABFEAFC99BB08B4D5E69537221383F7824C8A48C3D4BEC5AD8ADB10A8A20B46 +Ctrl.hexsalt = hexsalt:08147BA590E6C7AF89712D63BC7034DEEC8A0CE9DEFAA2FFD02281273D78DCDC171C08B5168732F9F7F3B369F5DCA74590D881A2AF44D011C9912DC2DFBFA23DDA233F63B5C5B66D2DBC2EAF0B6C91FDE560E7E0B5B7FF567FBE7ACCF55FB526A2BED587D9 +Output = F34CEBA5ABF8C7AC5E3F1E9E69346D9FC6DA311E77988CA4539C811A0B7A77DD37B5DC699CB287C82A98715AB01802412E12E54F2211D002B03A026685436B4F8B33FD829DC0F4591BC4D4150856B3A67A21E0F77C14B35AA37776193F02F50A6734A820A64013A0352477DEF220BD95B055D444C1D8A173DB63553E8BF06AE7D326A48E71EC23D48F638307715F242486E9A7A106631E04AF682B69E8F8EA84D0C5A3B1B5E53FF518887E868111ACCEF24BAC79DF966F6CA98ACB602FB2114C6A61D7CE51CB3881F7C981989546910EDA82DDE1A9C48FEA4E2E9587947BBDAAAE849CC56F0BD7D3CC9A8AB01EB23656F1070A1B15E4D9A91C8873DBEBF1982C34CBEB46230F742578391B132A2C8B9AB5C1A619C5E3CB5F96AB5FF49D94 + +# 37 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfo:F8B69B5A103FC99F37647AA61AF5B87FE09974F1005DBC698D07E19D0E7A9EBAEA4CC82D7A6B68AFB4D8E95D7BF1A0277FF168F5854083C1E416C578EE7D78 +Ctrl.hexsalt = hexsalt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utput = 7B52501DE2BF47F51F56BC3DCF0D0BE1C0F3C08FF9EB4AD4B0372593FEB8E540FF24D4D5866C9A82FD307A8B759C5C5A575849AB4DEC9CB8B86C7588FDD628D794BA280B44AC4ACB4D812CE1867241020C0118A8F19B032BFA5397AEC79B0DED2CC4C75F6BCBC3787226A7F7F2F5097FB53CD0E666FF2787CEB120BF189C30D710FAD366573451F3AC771FD77A51C908D765854C8A34DD6909F575A5FD378C463145FFFAC89B670151E028B7FF6051E1255C7BE048D9EFA6287E071B55C6E71F8692693A13FA01B8741E15CD8D4DE8FD6AA196369F62A506CD999DDAC5CD5AAE3E6B7F0751DB014C75671A + +# 38 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = 
hexkey:52C542CB80165AE299011B35115D4D567C107B835B75241E1BDE20B3779CB4169AE8D876B1511D54A34DCCC7BA23666DE778C3504FC8462B3BF41D9D6AFE2F65C8D65877CA35CF3F61CA4BA2A06012387C8BB1A7017DECF360A3AB81917E1EEFF06C27CD5CE2F8991FC5CE3BBBA7CEE776AE1C89ED1FD2EFA3B55AC3CEEE042F06074A6E4788E798159EC6D46D8FA8BA667A7096AE25 +Ctrl.hexinfo = hexinfo:021D9E3A26F2107B4AC1421478288DA5CEA4CB4554F9821554433E084EBC752E4F111FB05805D34BCEB9C624CD11347F2596EF1B21587E22CDF73FF93EDF3411E60F26ACA8B23BBDBFED9DD31B4F0D943D7CE883CD5C3E75BEC76394C392386B8CE274DAA671FC0D19BD7760CD3CE9308B028C774BC1F35BEACC1DA4C0547B364D6B1005809897C9F43444C1B72942DB6C24E83EC986D69CE7F5733D3BF0425E7E2E8910185554744155FD225EDB505E0A589503B3FA64D77B285BD50CD91FF157A39C07874C3401279C392D5E +Ctrl.hexsalt = hexsalt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utput = 09834BA8C91E0327E5160673301816558E78A39D347AD50E3D488977BA70686630FA671DF096463D62DD234A8E6E5215EA511D91369920FC1EAC4D3CC0B78B1F5249FCC6341C80431C9F722EFDD720C457AD31AC2E706C2A76C865342A7B5B646CAB94022F6CF0918EC8A0A39767D1695A36F4518AC3A2A979FAB15CA311C32A4618D3046A2CEBEE7E48D85FC12C8D1515B0516DA31825 + +# 39 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:95D97D65B88FA0DAE263086C374343D9E971C53440D7EB13EEF0FAD5C1D9A9E3C7290F579AB727004325D98CB4FF1D877C3226DA0899A2A431181CE090E3FFBBEFBD6C55CAC00C104CCECEE27C1C2C0AD08BB9C19599 +Ctrl.hexinfo = hexinfo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trl.hexsalt = hexsalt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utput = 1083A256AD35D8844336F9A1FC684C4E0555226B9489D197 + +# 40 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = 
hexkey:5BB883F883565F4AA9EF31BFF59FFEB8C3FAED03BEF8096118DF30F36FD0B6F654FC8BD14E35900146975DABF9742AD5204C8C53BA459CE689D12E1458A6E2069A2A341F751F04504EA7485BDF923346F3889A51D75020881C01F05386DFA98FF33C3E2DBA1E5EBA9E64A4DBCDB9E87A25B4F30136D543D858EE3ED3D9A3B5F2821615C70D58FAE78AD0271B2978775AD4C9F63BD12CA609034B86B505E98AC57FCD544514BC431BEFC52EDCDF4723DEA443BC646934BFD75C2A845074EAACB9AC06624C571C9E912E5F6F91030233889CFAA0B1A237CCE219AB61B34E727A5F +Ctrl.hexinfo = hexinfo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trl.hexsalt = hexsalt:781521D88DCB7709ADAA3646F4B36889CEF24CE6F1BD11FED11143FAB2AD5CE581A65157580E05D7717BE678DCC4385EE5D8E3D955A2E5C96D7AE792A2E9849323120A2C124E62B2CBA188D6877F78B8A4E6E337407FF88BD363A5BAC1D078FA516DF7547DDC45C90F24594D2DB82C1334A8631BE3D5011A678709571772D624EEB68FB392AC610701C60C429A5F13DDBABD2C97F566B0E0218A01DEE446901C66F3AC4195E7D06040588294B622A46866ED9DA88E3D189AF8249B620DA15F835AC3653FC879CA5865BBD40D01A805BCEC0F7F43CAEBE0CC3374BB603F351B1466843CBBDF9178E53168936F094C0FB385DB9829B6C507977F45D1405FFCC1F82ADE59115C8A9784383509D2835F1105B51A5C012E46F3C09598467716B01B3B3B16CE1B51C4CDE1DCC66FA9869D30C5BCE7F17A37FC +Output = 020FBD6CEA4DF8A72D770BE18C6D5B6B9894562FB6D21122987146F96192BC8475F2F680705AAFAE2A8120B1B39BDDBC79258C4DA3EBD878F931961979526D73EF1C19DDA7E3C4D8581A42D8A475A3FD78C136AE88A685A0B8743598CED6D03F4895BC4CE076D732A6B660F4145DA1282DD3B219C26B9EB2297910BACF8FB9F281EB35D5F014665399D543883271DBCD9D7A5AFC + +# 41 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfo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trl.hexsalt = hexsalt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utput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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = 
hexkey:20F94108045D16D2B131929DAADDDBE56314ACFB2FE4ADD34E96B257C520DC053C271B3A919626E57BCF1715D45B2813F04EF28F7A4D743C34D29E2B4291A2C84767F9D3F1CB3456A32648A320E1A6ECC1F4E967E9236C35FB0C05C5ECCA0BC47237F77A48EA08D9B5DBB2E6836F493A978AF54D5614003FE142BDF9A5E931560CCB136A1C3E77B6423F7CE9624D78B806ABAE1E20179085A213B8C0A04A1931C51533FB284FE546A81565E69AA2539A025E44BE1AF76C40C73BB9018420CCA825168CB6E77B164A69C9158C5757C15C153DE06DF23E4852CB1B773E994E0FBEA2BD3E5BFF68D7E3CB36FD6249385B3E7A53 +Ctrl.hexinfo = hexinfo:99B43C5C0FA74AE0CCBA444D4F2F877458CD1CAB8F9C715662D9ADD7732723646B217F4733422202740F1424C91771EBC62D58347812E018FC709E31AABFEFE0DF0D64C11B4EA1B00194BD6FB46DC7010B579663080272CFE29B96D5F22397327EC99290187C435D906137EAE2C3B39246915541F26EAA729E7D3D5EAB3211397FA03268000D92609888D2B374104C +Ctrl.hexsalt = hexsaltutput = DCB45E67D5D48F6B8E00C8453B03863B7E726CA5232C928FDAB90E8C166C36996B4324079628C7830ACD8AEF8EF9FBFC3EC6942FA06EAB97856334EF0B47C169F1FE5270D2936E53B32655B7D687B41AF101980EC7930E9E826B7705FCD645EFD389EFA84276585A07EF91504C16490EBCCF059F86D03B6AC2089EB276CEA7A8ED48FFC394F2266F1AE692CEA60B8431AE68394758EDF2BBCC38AA38FF3B4DE8535D16ABC943E2EF36D334268A0D53063BE0F2F337C83626A39F17D6AE1C55B8023D19CFD0DD621BDF + +# 43 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkeytrl.hexinfo = hexinfo:0BFAEC7C67C3692C40C20F273D84006236F3E6D0EBC0E817A5B325880954AB84721A31D11BFFDF763A9DF186CB5E4D05A5270EF1B2FD423CCC087C4739A4CA3248DA858A89A58945E599CE2DFDB41F21FA5F2DD487F35FF8A5BA77A544C50F08CAEF3BEA804864D2FB95E511F5E7F744ADC00C49AD942183C506D2EE7785DACBABC414F5F8CCE206A8DA68A87724FE78A9EF2A1F90BACCDFE433B7624E0DAC643E5D36F45FA033D7DF9C03797405B77C6821FB24E91828E1B874952CA3C1A3AC54DCAD2FA16799 +Ctrl.hexsalt = hexsaltutput = EC089622E2ADB35E570BE292013B539F3F5EE6809E4B1EAAE46F8952033A7888B399872AD71A7B52CF2FB4B9ABA03855BA9E36551844D80174755A46006ACD14C7DACB83285744370AE1223255EAC76350E6D6BD103E46B8 + +# 44 +FIPSversion = >=3.1.0 +KDF = KBKDF 
+Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:493168F2D3A9BF1E23D597FD0814 +Ctrl.hexinfo = hexinfo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trl.hexsalt = hexsalt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utput = 886F28BC0832643459F77CD3FCA54B60EB675722F242D52D8E9285CE22693A9A5A613C6D8DC9E935E2DE16103F38A94B23F4E6060A8C67F0BAF7D7EAD5631CFCA7948A2311CD15E7941FE00F40243EF49131A2B5C183D00C2BF919E3A93A2B65C7A88C5E1F88D985252F1939D5B5E741567818A83922F81393B29A426A4F926C7799324BBEB812BF88165E3F2AC0C37FB1951677A1B7AAF3467A035A0F9269F8ED79FF401C397898167C72AD0DFD4206128E461BA4A9A42F30B50B85D297E1C29113DAD11FFB7C784849E39354064E2A0EC116E987271727EFCAFD901A88 + +# 45 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfo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trl.hexsalt = hexsalt:990FF395CF141DAAE6B3BBA79F69C721DD10252E1C21AF6B93115D85313155624BA0F2B119FAF740095C5D53C7E05B6E1C3AD5B8FDC9598BC00D8FC7 +Output = 
01DE661DC1154F41CF2D387F82D1D0153146F175F9505F70BD2C0941890C9C4B50BAF44D70DC56B2D49FFBF66E8F318C4045C98CCC00FFA2FAC218FC8DB721847691316E661CDAE58291036DAC52D1A1575C977F7064D5E3B073A3D9FE4695FFE7E61FAD283D7DC8C4DC24057E6F71688D883F8FFE6BF7832632E1468E3DA52F253B86FA8D5C3944A65D1068C5A063D06848E2D9B857877AF7EBF31C249784B8F74E30A5BDAB5CD46B65614C48A5B50E48564F293EF251D2835306A20D42FA4D2909D929F330E774DD361EA494309F462F8BEA524570689ED6519301B3F34F08600FD8FDF7F83600CFA7224ECDF8736AB828AD5FF872176EDA2C6948FE9CB7FB0E52CC3C57E175DC62E35A7804A60156A1EB1AB41E4293882B386FB4E3C5B1E95CABFF57A9991D95490D1FDF3E2C98B65A75C1E1806278AA3875786CD53DF735917C2E32025582DD8232C053D96A32A07DEE485F5DB2235946106DC22850D6811AD7CA46C581DF2CAE18347F06FDDAFCAAD54FD1FEAE1D50D7352E762068847F90008143DEC137B9CCD77BDCC016F150080AFC6284ACBFED8761F42DABD3EFAF1DA2FEF1581429074465B15E679892FD602821EA5C0D3B9EB2BA3345D8225D79E2C856C48FFD2FB72F928AC866A33A43AEC6E620EEF66FCF2C8A7C4BB97AD1BB165000D7932FD46E758CBBFECEE28E5DFBF153CD7CE615A716E578C59510FCFD + +# 46 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:275997256A0FCD2E5DE0FAB4B77402F429710C6E3AED705C9DF1C5D1906CBE757F181C8B16C290004EB0C91463224CB91CFCC274A122CB44E5AEE8FB101CDE27F45DD7042E1FF1ECE6AE900531560A85EDD6ED6F93B2D3561C4BAA08AF77AFDEB5FA6A6DA7398F0A6C55277578E78F90B69772BFFA94215FCB7E3EBD295D420D2309EDC0E6C11C5F95E803B4129ED55A08D466F184D2E7A2BB512FC49924F26F0A39134E4297641D88F792E237DCB1FB43D7E21CCD4C4737572F584BDFA55627CB3B91C4991832EAF0343ECB0A3ED2139D0E69F04CBEAB9CFDAD6674825551C7C29C2109F04F0AADC72EDA79E944E5BDA3DAA130 +Ctrl.hexinfo = hexinfo:21B9CE46F32299A13060BB36283A4D58FFDBC6E807D8C96CB0B0208744707D8BE32FF33547464EEB3B9B16A98CA1889C0426D199C5621415EE158C420DD43C470A48D8B0D7517ED0758C4B1BEDB8813CF32E5B81B788D3BBE0CB87C617C47786B603620EDE7BCB60A88822991EF4E076DBA306855BF34B6C56B62CA2B2 +Ctrl.hexsalt = hexsalt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utput = 
05ABA2308C04BA0B8727E3CF3EDD8AB1D8E3AFC0A099870DAAF94C92E9898F60852ABD1F0BDC9A724A1E85625F20CF9A5FA9C6EEA8241B1B519FC0D68EFAD39E1EA6A08B1E0045B28447E2494BFB28AD16AC6BEDE502F77343DD07E52C30C6B8D3A04AC96826D022DA776ECE8E6AA7AD15FD210260D020169960A3ED3B637F403BD3CC80CEC6BA926E2F44B3F35E5EEA77F92B3704949FBFBCD693CE3BECDD49C92CA66229B8284CF43023774A57CDDA16D4D5EE9B34A79836C46D7554C470ECF88FB18BA4B1FE63E5E7D5F3B3 + +# 47 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfo:17BBC951224A3711BFD8A0C75AA75940177A89EC5F7405F48222972C9DF63E4AEC00BD7301EBDC42262100E9C1D03E00A93CCC26F46C08D52ECA3DFF8D5D32C0C1619898A8027DE4A17D58684934BEBF21258ACFB600AB849965767ED07EC07F8A4A1D7F906025330C8327A0F1A23AA4480D7D4DDCBC0ADFE028F8CD368967C81D4A0A84D907CD9E73668CC1E08CAD9233AC083846DDC994CEF7865DFF989A9844072C9E346E515145C32BA551D8D76785F866D122ACD04AE83EF22B5812629E0CDD9AB7F4328A997E2BE41727B1D3C022DF706137A776DEBE20D0BE08D07D2ADA53572599F947F5599D78998B8F6AB9FDFBFBD53C3DF2640233B03B27E437F6C46FA6926BD0BC1DB5AC9F290B79126F5CF8A23FC6419981E5C2F55517FDA2F9C783129DFEC7B29F3BC217D6BED726F889C738CADDFE7AD70DA5591D70F7DFCD835E0131719C3795C3803E4019A6263FE0654CF6CA2558C8B58439365C751F7902307DE4 +Ctrl.hexsalt = hexsalt:ADF457FAED24DBEEBF43567FA4AA469E8A5AC97F9AF88263B9797A57F72FBC776E2E6AB1F548C4C4B60400B662F7304539C95004C6570117A54C43B1E991F2C0FAB976D4F07F68DA5F8FD79C0F28AFFC2B63E9EAEFB731E5025A315D2324548DA010DF12F35BA922B340BBF73C0372D7AA66D63D1F93D0DACC6A2F99A21C1B1B8713A081FF5A6301A1087DBF91FD4F32F4D37A3E3FDCA14092DF6D565C4A2B31004DF58C3666AA24A5151AC0D462B939C18CE3CD4D1B687C9FD6E8A97F08 +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = 
hexkey:51B9A525F5C1761A636B7FA34F988205257187480B219EC70069D057851AEBA6BC790AA27E285C521B8DD6C9D8BE770C0D9D9A753232F55B5B234D511391A839355762C6A490A3BFE6BA7B017DFAEB4DBAE3E92D5421FE1E40AE3221E7420C978F53C4C30C32F0F7CAEE963151350A8D4435942029378DF91B6FF995876DAD7DECCD3787882F834E041364E11A1A8D3944B98E94C0F964C6DA4CF38F81F40A2FCFB14BDF6F4E47D3C954198EFE68450EFE7A8992 +Ctrl.hexinfo = hexinfo:A5E8FBD28ED0E421DA740FE16AB67F271829711F7803EACAD282B42A10BE0E3BB5187F898B767C +Ctrl.hexsalt = hexsalt:84416644B35CCAC9F8E3660D4C44E5CDF7A839D021FBAB848672FA29E4EC5943E7EF16EDD6FF85D4771C62661A14EB47D1260451F25FF19A2E3C43393141E55A498122378CB7F4FBFA2C301396DAC1CAAB2B6ACA46A3C40927A3A4CAFA7F01A72FF840DCDF97733CF04AF4B769193ED2073EB832E815538A5D01CE00F3E446EEE4992CD4ADC909645E52DF992D220AF6A397AF406EE5415CCCED +Output = BBD4F21EE83B6B57589D7A67D05E729409B384F2ED9E386D9892B7F5AEE7F79BCE66E5F64569C0AEE148D8D7CEC21F70E3183D06CCFBBC8C1AF47A8D61D3696FBE9A7466884CBF7DD4ED5B96AB63C7867330ED1188A9A0C050C3D3660196B118DEFCE795B1 + +# 49 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfo:9A873286ED73895854EDF8A43DA551C533247E95BB6C6937611904E15993A8BB7B11C240C56CCE50B5D523575953132AD16E3364569FA35DC7F7F3BBC33F2D774451F850D023336689D5355FC9312E54D4C820870BED0D73619263F8D35725EB35ED8888A8E7F2F2F53F51631305EF2BF0C612E82A6365CDD9A037C31629A6DA394964B95D1F1BE7B04BEA71BAE71499557A227A325E349AA6E5A7C3CFA33EE0B10B4B279E44A6124144475EFD0CB280640766540957E684 +Ctrl.hexsalt = hexsaltutput = 
7699D0970A60B389A0773D518F4670B9CE45028E12D64879490D0A33F51D3300545937E531F42FC5A5CEDC07B65998972947788A205A2DBC3BD94C2A7BC44D18EE0B50A6C3F16CE95761677ECF2A4C65F8CB5A352990FF423444CEBF45CE0DD05E0C670FBE8C6A6136042D9D8CC5CDFFDCBFEC4DEF1F6D5D918A16B70F3A50009277B99C4CB7F653B0B4D06F6349210F85CA4200FD18C860D3965357DFC29A4E4CEDD67ED7900B7A7FF21307DCD79DA0E7E3A3C6B9CAA0F13526E1993DF094422391545399EF3A37F9845379E4590B8584B6BB4176DB + +# 50 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC128 +Ctrl.hexkey = hexkey:CAA9E417F6383DFA04FCBF71A18613B94B0F16CEB4732D8CCCDD963F72DDA589536B1AB628BD5DE52F765BBDAE055EDAD4CEC5739E6A90E4600DD4531D6D7060B96D76FF60E8871183B53844588E99A030B4ACE33D5EF7CA6B7B9FB0CEE09A67BBB34B48A58E8E81B103D29634FB60FFBDA333B8D52C1305B61B8EEF69391456 +Ctrl.hexinfo = hexinfo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trl.hexsalt = hexsalt:9CBC10B77519BAC2D3F10BFAC1EBF4BC8F1FDBFF33F2D480F018112C6F59F1201E747FB91AE68203ECC24DDA44504B898FEA563396398E1B752B9EF71CA78420CB504A0C7483A6E6527139C10E49AB8E102E +Output = FD6D67189D4629262953199D4A5D2CC8DB3A5F3E2D141C5F70D331B29B990AE959E46BA1252498EE996830771CCF00EBADD5BCCF668796A43CA743AE8253468ADFCB7A + +# ---------------------------------------------------- + +# 51 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfo:B6FE11FAFEE7DFF548EE70F73E8BE7CFFDC979BFF854D63C83A4AD145113B9126319CDB4319DDD5C389A9A5DB8751E69CB7B42F02C8D3484B34297DB44188FE34B286D5CF5B34A3FB9A54C2CD8897F1A80F22CE1F7053BD076C3687CDC960284C673E737909E5CF75C39F5685DAA471BBF7471479C56573360FEFB51ABA778AE0EAAD620A53E8FF139C9374E389BCE711413245544112F9D948D751F9096C194872D042C1C5C2FE3C9B658CBF3EBC0D61D8CE76C3B00DC12D6F37DD52159A892952A3AF871ECFEFC805F552123059011629778392856BFC22675181A59AF431FD87BD183FD226D96C510C3FA +Ctrl.hexsalt = 
hexsalt:6880828E58B6A49BF1D9AEDA6C27E8D59C28A67B2EBCC1CD09C964AD6516729CBAD08183E4C5A9AF5069D3F682CC636A77BF407431AF5AE90466530166F405C4CF30A6CF925F94DC9DD72B88A6C6345CCBCBA26BDA42CD619F14E378A246877BF279BCB6292E36192A1B +Output = B53FE7F63A41A69BAE048E78F620084D98BCDF8A2C2B825971634B376A365831F0D2F935B857E053EA97C0FB58299963212934AC992FD7C826C8C065DDA024E2A5942A34B78B4CDE76A2B10FA2D5243DE267D1034104DE1931161C8016FC9BBF90C56885BFA922F362AC1C14FE656C9D96076CFFA0EEAAAAA04847EB8251AD2B6924A9E44F2E5E301E6BB9152CD143B05DC12F9D12FD3E072C332264A692C88E2EB3CBAB4960E365CF3F4817C27922A8B0B7DF09E93F353B106C043F6E885A3306DDB308D64D83BB88DC501B1099C29D36FD92F803B59C260D11521ADC91C2DD1F576CBDBD740A22A37402F1613ABCAC979C0BCF2D36E6BBA39137E9B2927DCAFE376F552E861FCD0306FCE09FBDC4A95AB81B00DD17956E519D47BBFCDCE32447AF6BD74D7A6A3AE9677512D46CAA235043216D1CB1C1F7B8FA59FC7C01FD5FCAD64F2AE849E19280D817263E40024EBADDBAF68125DA352957BCD2897B9CD17B0E242D42159D32D1B3EBF1140269ED6758C251376C + +# 52 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey:3E9766C83928B2B022B650D075D866 +Ctrl.hexinfo = hexinfo:E4793023BAB872C0B70442C45BC6F7A19547A846256E52B17241B7E360325F524071EDEC521E960EB8A6573409E2D44A2B60701883CFAED266834250C72A670F394CA63010220205602C15D440B834B4917E0EC841989EE7A1FE0F5424F63ACD7A98ED +Ctrl.hexsalt = hexsalt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utput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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = 
hexkey:94FB9A971049512EBDEEB6DC88144888D2B0BCEAC55A1D4E72125A4B21F7EEDC635837706F28AF85309107ACBD387D32CB22FDE4D2612CCB6B0AC0C0CF82BFC49A7315064713AAD0958F4BF226895932D229CDE0BC8850785E7E831AF945147B832D35166B505C9802BA6D22D98B4AEE24B905E4FE42F2CF8A8156A3ABAD8A02B2257E70787EECD80DCB23AF58DAF9B5222FC78447C7A1019EAD9458296A632669C6FDD3416C1EEC3D4DAB9F44917D1FD97F0D0FD3F4C8AFF8BFDD966A2925B96A6740D6F9D235303F9B78107699C07B43FF814E23CE8DAA9CF7A6779C5D87B65D2139050DC11E5BCE31DD619E +Ctrl.hexinfo = hexinfo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trl.hexsalt = hexsalt:701A49F1C2458E06E963F6134F6B2858B298421F2C84028FE9CCBD2F6ED76B01AE79E631656A6AB213191912B89EF8681E254BF7724E18564BAE5C2CF8A2200375AEB147D3477DFE8FB46E44DA4D3E45F9B5D28EDAE1B060C1BA78E268FA66815EF460F6E4F11EF1B426D822AFDA11C491C426 +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkeytrl.hexinfo = hexinfo:DBC922B31ED904978C13CB9C2A1726BFCAA4A05D0097F98CBF4A9A04DD93B39C018B27D269B9135C00E0580B465AA771FE77B2078B65F2039C8C6D32350578E41E12F7D28925377DAB2BC2F29A96192C7CD0095577D2AEF85DB0F8A036BF88C3D3F3A16086244107CD2ADA3A5D4FB4942DA4F1BDC84CD7BF727DF6CA2D04A8856520424F2A46D06E8DD2A24F9221 +Ctrl.hexsalt = hexsalt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utputversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfo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trl.hexsalt = hexsalt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utput = 9DE8778B2C670F1153DB4A80DA4DEECF798DD539380B07ED2C55CD0C23C4AB8021D02F0A8F13A5D34DD0F094BE4E146B13DB80E1AE0291D7441FDB9505EFB77C154740C085523CB0CBE604D3610001D630DCB499C296D4F4CADF9265DD4BEE44AAFB68BCAF70917DEDC4042F16D1CE535CA4D0BE111FAE79DD1C8415CBBD529200048343125F7231470457326AA065E65E2976E6 + +# 56 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = 
hexkey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trl.hexinfo = hexinfo:CB06F96BEDBF8D5A71C40522F435FAD695D6B3D340038C3C3A0DC85EAA2BA1E393BB9CDB40EB82E98B8676B2E25DAFD75F3F9D29C05CEF68E1395770A819E0E776E87FA30C591533FF732F306C6D76 +Ctrl.hexsalt = hexsalt:88FB98673EB298A2853608FC6A7FE6F8223C68E2E32928DBC3FEFAACD020C7FD6AA4D7B2A0D360B1BADF7FFA3BBB3F7F717441E827325D60AD383A9F645382053144B8A9FE586C642590154089D614FE9E5EFF5226F841234ED60A0C378642CF1F09D050BADDDE70C767E16956AC36B7457225A622A20F01947287DCC833 +Output = 3CA0AE073E07CA09DD5BF63B033B5B7E42C7C8205E0997B4990FBC0BA9 + +# 57 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey:DD81EFC82CDDEC51C409BD8CCBAF94F65FFA7B92F111F9402B0D6AE05E449234F03BBAF54FEF1945DA +Ctrl.hexinfo = hexinfo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trl.hexsalt = hexsalt:A5DE2A0AF0DA5904CCFF50D3A5D2DEA333C027EDDC6A54549578740DE7B792D664D5FB1F0F87FD65798B818395407A198DCAE04A93A8 +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfo:0F1D8AC5469733644622623249CBA2487C5699B6183341F5F293ED6F7713F0994338017CBABD24E4C986FC74545C476C0554FCB127A0B5119A45826A7BFCEA4296B68F9038A79C7807C057CE44DB3A75FD696C62558750D2C93A2457362CA4215440508ED244D671B6513877737E4BBE9CB896201D3F83E74561D50E1952CA4037CA4C8F9AD62E94898AA2D86F95349E483DAA006CDBECA1D0EA6501D960FB582AA80CA71D94FC46B903FB09E153D2AA62AE6E15ABF5E843726A23961CE8988593832C413F964CB75255F6551F5E0BF48181E971E58FDC57E94B3E6A4B4E9CAF591B68ED47532C4B1F54A4884CD28FB0D46FE5B897F1A0FB7074956BE26C0CF7DE4227AE0FE063663A8063868B4DCB7EB721D658457AF281C977CDABBA66CC83DB30D5185046D1ABC82B338A736A733E2050D2AFF0E827B45B78F5E08B2B926E0BD6F1FE8BECCE8AD0C6416D2F4EF9BF5758D74DD5D859CD2F61041FD1A271099862D86C29CA96F79D +Ctrl.hexsalt = 
hexsalt:20F57CEE02C7954D0C6B93960B599A23236A2D4C563C13CCCE3711EE35DA7240CD4B126EC9335F6AB47E95DCE9C08D5D7D +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkeytrl.hexinfo = hexinfo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trl.hexsalt = hexsalt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utput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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfotrl.hexsalt = hexsalt:10 +Output = 701E8A246857F134AC40F9E27C138A7BD6C11E292FB43FFFE72465D7F07A741A3DD7DDD36323F24522E24B8520E66B6E5A210A80E3668B4031E81DA92C74E1B457CFB1F1BECBDF74F922181760BA2839EAE1B446501E7E1CCC6CAB5691FBFE300BF085BC9F76403ADA2FE05B2003F1175E88DF35B75F3C7A1F8437BCCF9CD42AB45D5800F0E941CBD1200503E05E291E8E21DF0D0988AE473530C499DA9470C5C9FE6C7A934EA95946D10248C9A53962E69E7DD67F287108B62973D55FD40A9C5F9DC09A08FFC2DAFDE2721FEBF220321F3A15 + +# 61 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey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trl.hexinfo = 
hexinfo:3DF7197DB401B315E8088A9D749602A5C14CDA35A2F969546F4A30EC5DB74D76E373BA4FA396F240CE7688E527E1CCF12DA6FB2CF8ED5DF746BC14A642828B70EEB17F41872F4BBC78D22300F1B01083F1726FE9273B2762B5417FEF536A13F17679963765BE649D8F23671F501239C6AC6811557401EA84E9E4FFECCCDAE0E0F273132A76BCEB03C8E4EA12C01047B42D4BCA334A056589A40CF451C12C817A35273098C76712769B5C5BDA8B8E91DE36C1184E541508220CDB928833875F24BE76A051EE7E76469A1F4853277264369527D921503FF0D5791E173DAEAC95E4AF834DF0C426060FE2698D45EB814023184034C86C0FA70B666478F48E58B0276433D568967D76C9F04630F84B573AF213A5965FD4F91884ECE36E3AF0F6561262D99D257454C9AF9F08C2859393EFD59F69EBE46B1301015949BD5F2C16D2B2CBC48C3B2CDA5BFE8A0172D5FB72CDA9439A51C3A921D6EF14C900CF5253B012DEBDF7613D3270F12D9405420216CB5A1810B3DD28B070C325CA6D9CCB8893904375ECC6CCE6B9F678 +Ctrl.hexsalt = hexsalt:244DFDD4A66699D38E7CD37281C1414844DF820AE9 +Output = 343961704AFFF55AAA4335DBB572E466F1B08FFB914716D1271D72A2AEFB6632276F860E617AB025A568F3C1033CB982F153A3B7F2538DF8C9721BC5B904D89520823D586A87F6CC2103E9CB1609067B5701E18687D8C432E364744253190C94CF96DC09AB9B2807AA3FD749B3B2D3FF5DD10884B66F68CD18C80D3FB732E911 + +# 62 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey:7705BD18E80F4C70D5669EDA7F122F03E59C07EF5437E57F425EA558DC75A75B88D53763D54349339D9133FE96CDB991E33889A913B727AE +Ctrl.hexinfo = hexinfo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trl.hexsalt = hexsalt:4915BF7A577288F224E5428379305453858AF5799A7DABC58091CCDB144DAD4082DFBB97A5DE500A98455E3A78F1F6C5E30C7399900B6B05AD6458A87C2037831FBA746FF53760F82386850582582AD83A49FC4BD1CDFBF74EB1CF05D773901E4AE192A2CA300EDF5844668C02B9B67C6A2F1C0D3F8265B25D3F9F0417B83D891288BF39D5940856563BCD36805936EEB5E6BD14FDA2A70A1B6837D386651B267BE6E539A86C63284419B0E68C801B94 +Output = 9CC44BEC14319346320877A7C729A19B012DC3F5971FD4108E534A1B0F56D2128755277DD77949A2905B06486B830F7A09738D0CA262 + +# 63 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = 
hexkey:92D2EC23B2AFE5CC8F8A982319DC64E62869D9656DB5879E94B5D5282A845CFF7D6F0048866114DD061B6DA2A5390388CFFFC5EE0BDE3A931A7385C78DECE7FC2C3E5D1D6434E5ED58E444A748A211197C62141280893DDA8C657C6C4F6CC24AC2B544B75380EBE411457748B9C7F896DFD5344F37AAB271F5B09D5018F733D02DFD6F4139F1EFB0B24CBC32FA328A2AB59564833CEF4831F67DA842309D30CE78727B44F1AE2B4359703E7FDCA9EE9DF2CEED49C6AC42A84160EF65344821F0CC99DBE9D07DF9A3DE2A307E988A92E6E2DD8A528EFC67545B4CC1EA520A6D89EFD60A6F8FD17B7D207C46 +Ctrl.hexinfo = hexinfo:39AA03A1ADB71A06A44EB2A7D541910B61CA +Ctrl.hexsalt = hexsalt:0D2138358F34746CF4E7B077CDEC2353A71843043F58FD43334F94AB2D679B64AC446FBE1AE121ECB6FC3D1C31977BB12EA0CBCE07E69F7CDF5216B0212A693104E10E489E52F373E74AEBDFD5DD954A00B5D696999F46BA8D0D100D550837A1DC12FAC6E17B670437656E4DA12D89F0606CB958CC4544FEA8F0C405562BD955988D0C5FCEF6B6BA0EA2DCDE9DEEAA511267392E5ECF2EE871C8BD973575A713430C3C4C7E9C58999B1828FB2EB6C66587FA7AFD3E1D61D5D98BFB268F51D2369D0B946454324C8C65774CBFA508746DEE4CE908AB441ED770917FCA29BD10E7D8CD03A223B5B2710226425DF4D166595624E3A0 +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfo:A3AABB943F7B6272A1C5C24A5634D1A9A6F75CC4F783526025C03EC7881166D20D59B551A21FC2E3145F16490968F1255D1ADAC215283259FB5EB3015E77D1B80ECBB348592EC481B972EC2ADD4DBFD9C29D3F5AC9759DC0A20F7F67A07C550189F396C841B4C29C75A337B3E8D4697BC5537EB4785BABA593F4FD1CCA3924F026D5FE46C8852D4151B7B6741B31B49F2B4AA0C56D7CD687395F4D6EF513532B1852E59D7395C56618EB304EE3E505E163F3301E653D430B7272DB8DEB462C81059A5A201318935B680502B08749FA15ED38B4229559C57272F8 +Ctrl.hexsalt = 
hexsalt:F93B52B5BA02CB239D54EE6FF704B1A680DA9E2A6E0E3F72D7D5FEC7380695635173B8EAE7688CD442D2889FA6EB468F3308198E56D9A6B2263A1D46D60EF625F4945A3D94E4AE9A68F50314C165ADF51BD5D52E2C8AF8ABB04DCF9602F4CA46E7490553E06265093745184E855600F5D1203BA054DD6FF9E83B9FFAEEE6E08044886BC15B7E1657762A0C9B83E0E75048BD7DE2750ECE520B60D2F7B9DC3343E19B2F6CA648B34F03B1AF232F7B59BB3259D6222AC21B73F4120A0ECE1908254D3C17DD9B19A91EDFA7A59181C365166FA010C202817FF978CB86506792F7A84231E69591C95B431BD9 +Output = 8B81CAC92751ABA7860FF987A0782C42346E1B30845F40C55F56C0F512A08754E9CA87701694EA74D4CD5A7BA95A4B921D4B8E3A9F4D7B4F919C09B0FAB9E96FC32F66B82FC190B24E78EC192BD988CBDA950F82D36A9AF8E535C631A04EB8EF017E372BB11AF26D5AEABFDAB0F178ECD8DE93855A913E4922DD38DC6C00358861450A7FD44F909082F4607916CDFE9B683E2414C261895E8E111DF6 + +# 65 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey:D9418C486329BFB73B648B64A3FC1B305777F85B379971DCDF84E14DFFD814B970E7D85982A5996666B07BFF1BEAC9CADA595AC35158E6B19A0EEEFC902668B663A64E6CC6F689B13A4AB41D4B0CEACE807174678F7860BF539E4F0C57D3B01ACEC70B06B84A3C4FC1E93CB2173A50EA1B46 +Ctrl.hexinfo = hexinfo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trl.hexsalt = hexsalt:9F075229B58E146C073191E7FBEC098A2FD52DBB2791B7D9964ADA373B2C99B9F8DA0ECFDC7E6541732F18A2562DA07D71680EB7 +Output = 8B75FAAA744703B280F78A37E766315DC1E91D45BCF5587E52BE42DF7818EB3404E7C13272F5E982A34DA9A1B030CBEEE873B97554FEAF669254438DE70C0D94BB0A7750519AA3D72855F86D9D0AE1088A21413A843C55F6395C567334AEC645AD9C8729E0BF904C3DDFD674E15A22F1FE06783BB1BE66E45502DBFBDF195B69CD887793E3E5452A2B7ABDAE3921AE4B49905386E15C1B7D9CB73E41005E2259E190F2BE7AF0EDD02A3677BC6A503C5939D584CAA08566B0 + +# 66 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey:0D6CEE8A509ECA16A70BA6FF787AB2D2D48E6B0D571E83AE55EFB4100FEB413F984F6BE97B1F1D2A16D7BDF7B3BD65DCE9668D27489EE4785569A96EC8E1EE640359BDDE569C +Ctrl.hexinfo = 
hexinfo:E91862ECD13CC4ED404BCC4B74C6CA371622E09AE5098903CC53CA25EB1A4AE430227FC24621443A36ECAE4B3BA1C4D9563F568616936769DBA80E1676FADAEE9607EC389F21766DA8F72D4C7264ABDA694120C609E0EC1C5B1FE3BC8EED31633921AFE67B2D1A76065F6602AFC289BF659C03A85D130F45EE6866B9987CCC0FF9DD0EFB2311776DE97EDA1926DA85C1D97B395BFC2B40471DD3F8F39A04F4E0788CDD3583623B9FF800D49E5B2D19E65B00BD8D5D459BD712925E5EB06F6DBE1C36463FC1E0C2960897A1980252DA7B31A86207C21117BFCB9E1545F843369998D7F136A84A8FBE08809E7405677527D857A2E6080595 +Ctrl.hexsalt = hexsalt:73707C17895B3C08C42B467D40BBB2F9CF3F9D2D031AE4A4BF90DC390114AD6359EA8ACC5B5E9A5180575C77AE0AD165A0695F4B5DB11AFE3DD87523ACBC5F20A3F587112053632E8AFADF1E19217C34B488F661345158E1FCAB1FBF8C254B5F7575992B3F85EE97CB939CB69317AA5C970249F81CD5953D20C7970EEA2EC227B17236C37E1436FD801336CA8E79A894BA0AEE4F4DFDD2AB39184076836EAB015E2B303CAB6467865197F5EF81CF55613D1A7D96302053E1AFE128E59A88947603B799E3DAE6AE37A01F70A0DF818D61FEDAFF17E5AEB9F80F0A225A9B07A5C237D4710E30533B3C326244 +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey:739487FB3330173D57D3866408B4DF40AEC4146C01226187E4BD6D472C15B83958F401C30ED67B552AAA907E6850D08AEFCF73E4BEB8BA755895D2AE8542E8E751EFB4D93FCF1021A9D324BC97B91DB66CF38A14FC0A290CCD40931EF824294E67283786063C7D79E470EEE8C588B5EBB4CAD2AF914F108975BA16BC49F49197BBE9444DA4D2803EA21B +Ctrl.hexinfo = hexinfo:3D30EFBEE5B3F4EC4CE3CD27B640BEA96D1DE06C131DA7A25D2B845FC5 +Ctrl.hexsalt = hexsalt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utput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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfo:432903D58D9751683BC3FB3AA0ED992E5045B8BCACE2A455AC2D139857E4B8549770 +Ctrl.hexsalt = 
hexsalt:39AD847AA8DC2B8AFB913F1A6D3D10372090F8D9D07DA3094E46E367F7D9CA8802989E19C1960BDBE3685473122B9BA4FFE2153F154189D7C64610B3B80EF24F05514508E10F1A36CF0E1B59556A505FFA9B75EA29CFDA47A18028DCCCDAE9FEC1A9DD628A954074CC3F0EEF892A58EE22DD8EA10CB4F9E2B4D09E2184E675DEFEA483AD59733D883D829E22B28E1840A2ACC342B8E7A3455736D5C71E7DF76B61C17EA16AFA9BE5204789AFFA50198A97BD9F7B51D79F7C46EEA8F4595DD0C6329873CC18B0FE4127151A5863E934FF2B2E24EF +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey:B226226C3761777B02FC1E9159E3E382A1298DF1BAD4A92488A004A3F9F37BA181EEE77594EFD45A65EAAE1EAE92C631A5728CE3BF44979A9CB65B0CBBDD66B0 +Ctrl.hexinfo = hexinfo:BC2E70940A98752F0C0F61D7D45CFF72EDF1FBDC0F2931C8F6EF69614CAF0843EA5D461DB8F288EEBD88D5FAA7E99BD213AE950F1F8B94024C2887938733B7E10909C16F2E122182011B68A32C7EF17E83F0950391124DABCC742FD9758A0A262C017898681EC2A8 +Ctrl.hexsalt = hexsalt:689F77D056E2E19F0E8575847CF600863C25E9BC6A80EF0099143EDA4BFFB16D69D441C965A2054E7B00525C48548D5886A830C2822E8CA969DC735C305CA061E2BED9094F862F6DE76BEBF62958DD0C716F37EB61942C42DE90509510EDB966F67CB52660FEC8BD949156AE716A39BA71834AEAC396DD97E439071744C3FF3E1A5C6063134F8FBB5AFA823E2B117CE6A895580F2BD4C257DFC976F0B922B816D082BFED50E250CA9276BE85EDBC605B2AC13AFDD9CFC0D94AB14563192131188070FB8C6CA6A8E29332DEECAD0C08252D9011EB3B3986CB0E2B94F8C4E3FC70626C92F6E28DEB3CAD7536609ACF04DEAA0A47169293841366DD1A57E25558C99378BBB2EBB23074A6A47EC04CEDA92982774E1DAD8FE91D1E7EA9120292E02B35824E43F88755F828F4A67BB0A3910FF01DE9C3818D4CE1BCB33941AA58694D202F63DDFD99466C3ACFABF971A5D158C0536B6CE0005B995F4BDD3FF490C7D3EE182182FC51635C89C9C4DC27AC2D99F32ED2712B586542B25F2E60F6D036FEACD2A59E3FC48692C597C445420DF98EACD3102A8F73A594B6604782E329F34E0F07EA203BD96C035861E5D1EC1CA2F9E21289E91E450596F2E078ABC8DEF3AB68B162E507DBA136 +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = 
hexkey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trl.hexinfo = hexinfo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trl.hexsalt = hexsalt:A64A8429E02306404BA5C4B02F7E99A3E7865FB8BCFF15FE065C7297AFBC61B349BDF007D0F069AAFD5D954504FB42581DD837F51E62AB965254194ACD049EE0EAC9AB72D6B77C1F7B7E1A6796685320A63F9C4E9D4B7CF52FC7BF4D0FE52818C42BAD581BE998B926D5419B57DA5D11A1292FF61D620C9821C75B6E70A3F4BC197242F47AF549D635B9B0AAE49EBC8A352FF004A1428A0720274D65BFCD73D77F253913659341922DD138A86A2CC06F2D1A3CE47B74E25386A887BB8777A76E611BD7A40DE9A572136B78839611AFA8E3D5DC663CD4F256C947FD0B0555FEA555CFB919D4A344098179B96DCAAB9A84B38D10851CFC3D1B34AB4751F327EBCCD9422F30956335F45BF9637AF027021198F132F122D7E885FF4E7C0A979F03E5F3A995CDBD3375E67F335D04813D69B1B6DFF1F70CDF766E10ED640B49B427B8FEE5B859D8B9F08AE83FD09846F8726459C5BFBE5801CAAC026E86AEBD5E2550CBA3FDF4A2C377769E49F8D78B78DC969B22696E04F35CFBD95A1C502F8FD4E1165C11238F0E86C334C4B2B4FCA4061FBEB63D923F3CACDCC78D022886AB3A +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = 
hexkey:19470EC37B657274B7BC2A09DE8714E3B15A593CFE80CB567862EDFDBBC8DC04E176FA8E53E28CDA00EED77C2F5B42B15941B566722E0A13D662A5084072638E395A6520396E2567C1CB6B0894A1B81E6B2E701F57155E469633FD794A4DA66BF66C1EE779ADDFCA610D7CD074A147D3DBEF56E6DD5AFB5741DECE193886753D9CE0AADC74930DC2154E79536D9F24654D35FFBF8B424BA148927B8770F418DA60EA7099069508DAAEE22929FB44EABD663E0E5060D5280D7AB1717D6EBCA53E777497585D8BA45B865F94B450C552BA10EA4315338F4EF742CD25ABF08F3A43967AEF4DFEFBA7AA5441E0AECD6ADB9F5C620DA9FF3BB866C196530435F89D670E621E2B64AE1C1D934351ECF60F8E95D25AA38EF649A5B5A553FB1B183AEDA52ED6BE5B00ADF900F004F2A5F15EBABDB26B3F239ECB3ECDBD1FD95EAE0D2185E9424BB1CD4001117D425A351663D47EB2A9293AC0D7E879888B9B02BE76424A390809C5DD6C67DBA6FFFA8745C658592197D4F0575A8DF208281D341BA81077C99FFB6EBDF616879A80954EC9F1A2A5BFB7AACFEE0CE93477C6BCF3F3015C3B4DC478E76C1811CB66C3FC418F04B9C41C113678E35D3C41876787CEC27D4A97C2245383B5BEB7F52F8E2D2A4D719B +Ctrl.hexinfo = hexinfo:EACBE436E552C3EEF8A80C65D0C60DA242F1B9E81C480BD1D03395A3E80D7DE74163DBEDACEFF3A1BF0F47B40BC9A81FFCB75502C34138C5B99126D9F482FE405C172E79E60A5A98F47C2A550EC463F70C8A26E64ED9FE70DCC1F80788E71EE96555786EC0B5AA239DA3DCC2B11587B198AEC1136C6396D485EF2E902DF83BD03EDB6A9576FBA6CE9D9249E4AE84600A5226FFC3B85DC4CFEAEE6A678347B5E7888B47111FD9D798727970303281C3F057B1D8E3DFC35C85ED8A6E4D94 +Ctrl.hexsalt = hexsaltutput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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey:CD322ABEBEED79D448D66D731940DF2BF0FD11F483352B68A6E1A1900EA7726ECA61FDB340900E2B1295C6880CAFB26A3445FB6CB11C1ECBE56A4FCC188B6A0F5E7923CBAB1371EB69C211A200 +Ctrl.hexinfo = 
hexinfo:459873FD7F9FA24910BCC8BC0C5DC1C607C1A5802657D4665C1A1BF907CCD95651EC95EC2AB18D30C53B84734311DAED0DFC5F01CEAE38DB849EAF0CCF6884942F0BCEE64ACFC366C3732E5F3358040C27EA618C6108621FD3E0BBEE1850A3F49BB7CC481D01D86F89C00A30CE0CBC408CC85D735C204CFB53ECE8223E4D27CDA4FC6CEF9991D4845DBEACAD04B60BBC03FA3B401E47F107A765D9F286352D356E0EE7D9C8BF3AC8087BBA4E27F3612DDE6E586C8395DC8BD635AED35ADD00180CD3A165E3EA2B5B66BED6FAD3C83C563934CF864E3A091074CBC4F41BA187DE768E16634A9A61AEF5A7A68CA551569B29CA74E1BC77A62237EB00459921030D4B7B4C29636520AD158CFDF55D41FC74105D151EAED25AC2B779C96A48773BF39C03CEA2C667F93EE822B417395E9C015648BCD415A0101A1E12915CA308D0C9A33753F94252BD +Ctrl.hexsalt = hexsalt:D79F7231B526F963E9422CEBA17FFF1D99A6DD63EB68AFBE8D0D44A1DC6D7A8CF895A718C8CA1494074C3DF0C3AEFD0C453CD65EF07E1E7FB73AFBCABA01B02633F0999F8C44596F05CEE20AE766F989D8FFA38C94AE7C9234335D22391962EA572557BD37D50CE8C96B0C6D1053B3145D34E41DEB074C8AADD175982D23DA123CF25E9A7B56BDBC1C8E94E0382A63AACC8A45142C9EDCB5C0D214F59228775D4B +Output = CE5C7067970BEA9FD6BF00920219 + +# 73 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfo:A8 +Ctrl.hexsalt = hexsalt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utput = 6FAF9F7086C6035CA1FE068CC47E3DAF271E28ED53A7BF1E5012C54475AB532A90008D0F4BDA4D0DA9B60F3D77637F9424389CA1DA37A232D8AE331D20D4B149289B8595E823DA47754101FBECC18FCD7A5EBDF83CADDADE64A9F050726FF8ABD0E7B70BEB347B61367A681602E6D3EB3FADC06A12ACAD767C5B8D098F9AE29BB5CB3197D6606622ADD153F26BE8448A4B4D7C8DE2523BAD6F0958EC4AA176C6A5 + +# 74 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = 
hexkey:74D869E949DA44BC512AC14DA070BF6118053AA9E70182AFC61DBDE7536DD5FCBBE3212A41EB984DC90F0CBEE2C6B0A80079C7AF8AEEA39502AAD5E1270ECB5EE8A4145119BFDADFB4C4988B96855A9BFFE4F61ECCBEA0CF343AEA1CCA4C11619AA3443C62AF8DF698936D2ABED8CFEDC6A02E397065012CE17601A6B6727221EF56636673213B2D1E6684CDEA814635E1A08E3D6E01B8FE09B75E9DDDAB5D1C6157AC050EB08D55DD9C3A28640BE33F14DE52148FD4799B5B7217007619C9598FE8D8CDC15A1433B41D11E79C147020B7D5B7A605EC0539256D5F22E44273EF83D73CD42B9B14CB84570094 +Ctrl.hexinfo = hexinfo:65AAFF7D90EC24BE08758E3D2D53C67DC46D8916B6C7249446EE8F4D0D85A63BBE2CAC75278DAA46DCD4E2A3971CAB3A6D42B06AE0D3921220270B3B320092EB182559D98D33C0 +Ctrl.hexsalt = hexsalt:F942456744EBD068F162BC0D842ED0BF13F30CFA8B4A8F481F30DC5C4A01BE7C1059FC427CED56E663882DF855932B351C57D77ADA5BF2F584C1559AD233F01F5A11A0AF64EC16EB6DE7557D3F140974CAAF903A20198DB009602F93D9C3CEB9056D0C5E07F6E4AC92F893680CFB55B4542E5EA0EDF68C6770A8A64999A9E3014F627995C85DA3294F7D31AC81FE59AFA9C93CBDC51D1B7E02D5BCAB1F342AC4A51466 +Output = 317A522F2D49058C1E39EF0AFE0A96E4179B3C9F2333EF146102A9B30C1464FD1CF83AD1D995C87F114290D89A4DBA188CA39DB70358363D4C + +# 75 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey:E24ADFB3D2C3F9DF44E0DA09732059C676EDE15B2BE29890885A7CCAD9E9852516A2C8E1D927DC08F183574AFFD320C6BCBAD9C2E4046CAA2CB8DAAECCEA629C2ADADC93E6168050B0C65F988CC449630948B53C85B0FFF235AEF75A778CCF501CE40F4836290E71F65F72E4F7A2592413523B9B3B7F803A22 +Ctrl.hexinfo = hexinfo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trl.hexsalt = hexsalt:3371966FDF0022F94DAE52B211DAA65BF2A87296E2A2A87D8AECF5F92540B9B1E0DC292F934D7A160E1A170CAA68BD4A0DB4B610EEA6CA5CA02ABC5917301364BBFC1ACF25B410A8B8603DACFF48A847460C2A39A474AEFBAC4FE3A3F633774CC7165552B0035737 +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey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trl.hexinfo = 
hexinfo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trl.hexsalt = hexsalt:9B8D47574BF6BCAC470554DD5980991314A1927724A24B2CA172A7A8108DCFA815DE3FBE2BBD671C6FBF2CBF6BEE3E02A80E17765A9C6FDB4C7215B2132C6C73C4C0CB978341222C17EC13937E979FB624BBD47D009468E076C3004DE97F098353AA560AA462BD7D8C180AC27CE59E4CC0FF311CAFC01D1BCA70FA40BEAE4522AF90781CE35FB556D8843D1EB033507003BFFC2EA2B913CCC63A6A5AB99501C937BBF6CD55A20BBD2DD3D6C38CE45635CAB3D6C0787CDDA65DCEBEEF1CE32AAE47CA0206681B24D97F75AA7F5F719B8429873EE344499439C15FE87A7B8A32D8533534286980BD08971A090DB59F0546483A7A4FBC7DE47CF26B862623BBF48882601F64B7E4BFA3D7FA6128C587A548850C367013B539729AEC0C28249403F943CE945BE78A527EAA +Output = 5527D0C14BD98C6EBB603B9526F3E949AEB756DCAF21A45C5F9EE0D65F102C0400C342ABA1B8CB30C607818D8CB284618C81628BC17B4E680CED08829C8E93FA34F5E9AA166E0D4FACF7A6695C4F617F501C1C78E894D07B4EB1D277E1795A2CD201548769AD57AE095C6E88F44145F56C1C0B774E19213B9C590913D750C23BB72EF897951F06987126A5F70B9DCC09F52A20B799A0A119AF7A710A53F7258ED91415EABD122214D8A5AF53655DDBE4EC967E2A7CC1C9816A518DD1C588B34FBE411D65E74AD8175A0403C7FCDE498989D9F782376683AAD9555FEE7DAF7F2B87A1BD53E47D6043BC0093BB3073FDC2D2C7E365C20EB7865C28E798D9453717687A61DD2EEBAE29F2F0F1D123D7843765EC8B97A5CFAE7F0BED70E165126116CFFE904507C12A62A2124F561BF2888A9A58DACEB8F46AEB32B3BC5068CEF42B98F8F906300E88FD5A5D49C2DE4EAF84CD5DDFA85AC10A6BC3725A2564814BD0FC0B9D3057FD3CF5C3C4C7E5E4B10AC77B10D12C3283C60AD768A214BE47A08E8EA799C48135B5E3E1B8DD26799E6FEAFE41FDDA51DD38B5798A2696FF891E7A426FEDB32B2FEEA83C7542F20610432D50DD16D2B09BC6CF + +# 77 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey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trl.hexinfo = 
hexinfo:8FB4576F0E4844DFC8B34AA1E855658E10393BA1CA5EB570F88DADED3F3E53477CB6384B43BA2D600157F28E65789F474503C63434D0A3C7009A2A3CA84637BB42B01A879CAB91D66D6F716D26B50B22C9563377F996F7963ED5F6D4919BD073C51943709B699D797AC0CA2C67E19CF66FBBD879B9FDD58620B5F13A240B97389BD94FC3AC7ADEA1CFEC74CE1C184C2F0F1BDF29D46C4C14DDEFEA7A0B6D66EF8FE744B310AC114FE4ACE50512B2760B30FCA78BFA261FE08C6070BDC9C34EB5F2878192237C2BB7A6DA4FF44CD9744DADB43D59225976117968303C63B82934A131DF870024BF6D55CAE470379948BD9CD476F3F8EFE6D10E82B6E3EA81818A4B878E9496112124A73549092A8493304B1ABDE54375BC2FC67598214867A39FD30EF5CAC994D75AB9B968B41FAD47A7A4FF4B8E215499405257286E6BDADD10EA68B6722B372F97A8DF3ADCB50E87EFE404FC26778E088A812102F92B8039F3961EC2A69D2BABA025C31C29DE1A61545154EFA5CE732EAD0F539DD7D8545AC50819F71763D843D3AACB9AA53B17DE1EF8DA4D8545420C8D35267EE1FF556CBF695741BD395A2E9FD935E7DA0163D38E349D2D4414C31C4AD6307291771D0891A59B090EA513BB261E6249628CE2BDA8B8F6FE08E7115A +Ctrl.hexsalt = hexsalt:FE9FCAD56DC1E61567645FCDED68ECCC9B7725A2EAF7DE2DBDC38A31EC2860B6026C1C93A30C0B720BE5682D54016BA80D47F9F9EB00B41B336EE27834F2FACF92B3CE5811F913947110A29E12129B9F3CBE23E7F8F26AD1C52E8DB6A17C83AE837B3FEFA0A767312EF1EB56D17949C02583F5B7A17D4AD1A36F00782B42865D6674185CD3C0233175C56542C30D41C6A6B8F828D9EA239BD712AFC4D9DCF69334AF631240F0791DABCEA2C41922E45234DA5521D5BB0CCA87584D4CDECF0018897E65A85F75A0FCDACEE3E6B5AAF4255F8D94D9F57F129958C388E0ED54EC +Output = 9C948D2150A93647532D58C26E96119819066AFBE42E0DCFC473D95CF414361D415F36AFA78A950C5730567BAC280D0BC01C68357BCD654C0D9DA1967D73ACA336EA290EBC63F5352D154F4C208375153C3883C94FC134684961DCDD05279BA0C24D398F6B80E61871 + +# 78 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey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trl.hexinfo = 
hexinfo:946FAB8AB2F534F717D45CBBE6CF29A6962937823DCB944D377BFA6B603D85627DCC7E9EE7002B805550CA230D5147B5DC7410212F1DCC130E928BDD768A48E1F86A0C2E85061AA74A66A009DEA2DFC25870F5A81E7ECC8AFB04A402A875E6F65AA8C6ED13A026D21D2F9FFCA7C717B39533535D80A289BE5820CFACD838D6E96347D0F55575F6ABCD764BA83C25AACAB07D3A7F5F4A3E2A9E1C630A4CF44868D7DC225191C731D0B3B2A7BECD27DBBB +Ctrl.hexsalt = hexsalt:6920B0AC61E418459BA11914B892C28D69E33D3625A2ADC804376925B105C2E5AE75416A0149D213FE8FC019CCBB7013D39BCD9FFF +Output = BA3C7892AFF583D91802A93C52F5090AEDD30B7DAF395D7C6AC51034FBAA4B442959B62C219CAFE783174F00BCC6821F1C601D4A2EA395AAD662F2C0CCCEC600B379B6EF1AAFC260EE51CB8C28CAF509F0A53633D5860DA8EAE2D73E092CEA46CBE18EE198DDE814FD3F9C6622B9BD965A1DB5B8348FA7DD3C1FB58E3A45A15D8344274E041471E28C322E4E75F41E41B61738584D04BFA2542403BF4B64A7F1E881C1B6A777E89F3B3993656D74980DBFBDF8E5EC18B6F4A2779D2428BD5A4B3E52C528AA51C38D42FF66A2D299EBCD941E7C0778178B37999CB5469A0A1F8370745804311FCF410AC751C26548E06A9EAD522569E487B5941B31A9B023E094D0A908A792F63B3CCC016F386E7B75B15C0F84398F21B9F979AD1A06C6042CABA036ED7757C2E5F457073F44018AADD0DBC5EA32BDC4083693389649 + +# 79 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = 
hexkey:39F8AEE3B3C0F19C0898E3403A62480ABBBB89EDAF7685FD657A593E78AB1B79E102D531309DCE9FD86D4853322DAFC15BE7066CC498A30E2ADF808260CA0951EC156DEA23A3F1C1274E855385AFDDE5FCBA0882FC078F4FECF9D5225FF6EE5EC0CE030F13AC7B6369027353E890070002E0784E28C91FEF2580969E075BC49BA16EE38DAFDFC57408314B1BF6B4D08298DD7E23918FCCA35BB3EFD8208495B51E6A08B8129FDD800309DEF56C7AA21459B7239D11E306AA27F62D8D60C97EE727B89699C92A39BB7A8F069739F399884050A29F6BBC6EB504D2E24C5B58100AA118E90603E365FC568E5A7F980A7C094288E671D420FF10BE9A7C2E26904AD40F9FA2B6FDDC1026C177BF6BCC2D4F800009DCA52D1FA943CEE6E21409267316FA26ACE78B7C131F2D13917E64CEF6A1AE865599A644FBBB862D3310FB3E3A53F52439C3CEFD0756A283E929DB307101F7DE53437A683A34EA7BE592D3B6A2173C6CAED5D0EE7F01CACF02E178E5366BBF06C69E5677C0A3F909B14EFFD125A564620F119B3008BE7CA9BA3A0C333D9BC9E463F95B07794B7E4A05D8ACFBAB850A +Ctrl.hexinfo = hexinfo:B1F5EB00F07CA8E989BCB284C1AC6A4F4AD1755C87BD341D292AC8FE2F19F5CFCA311CF72B4C6180D80D4B947B1DC51EC747E18A944B14CDEC174D52FD81F7D4502EA187CA31972B5B09A89C8B2034777CC67F26ED46FD6CB9E629C278BD8A80A9D6B5B09442E5466ECFD092B8CEB415D9C60F8802A0AA06DE36C9AF7805FA2B9B606A3F360D3D8C4F81C6984CDCA28296A1C773E926E11315EBBDD1CE34C835671C6E5A514AB6A1 +Ctrl.hexsalt = hexsalt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utput = D0BB7819AFFC66DC5E8F05147B8449649DC919903538A48705ECE26F5160D928C28C28EB181C553857A044095367328D1EC314396E56F433C651D3027CBFB47AA4A0ACC55057E5CCC21DF74BE7E1490E0AEDC9C2262BA3745CDE5B49F6EA4AF18E1C3F2BC6D348A084F17FCE10258A6A574D64A3F853F390974AAD7CED1AC4FC77A8BD1C9A3A8CDAB34B15BDAB6C160FF5114BBE59675BFAB54FB9732DD12F6298E8D70615CA2B94F3C4618C969D9338294D8A3B02FFC50FEF10E0F43D51971A1B91F1AC8DDF0AEB972FED0CA6801DA3B50CA95128E78CB9C988AC7A01A8126F3E97995A02A729822714C48FC6AFD80BE020AFC5572631094009B000CB98397B97AD0B14E1AD7BE845106E03E996222759711F915111861656A51C80F0 + +# 80 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkeytrl.hexinfo = 
hexinfo:678FFEB9FDB4EF56C869669EA1E7F3B285BF71B850F319C527D52D59E6F0898BA9FD313BC7B40AA0E2806100B30CA96FCA4C62681A210598CAC56D0854D2D6296919AA4A56BEFFE8288CDA558CE38B94DD822BBD1AF2A4534888F9C69C332CBDD6EDE33EA187F1F5097C5BBF754D20C38C0A3C818FAC174D574BD248B40865844B4FA2ADA7189F1A03BA6A +Ctrl.hexsalt = hexsalt:CFC082EFF8C1B5BE38CB98CB13C19E03E43816A9A7F2FC8210AD4A671C8CB1828905EF77C81B5557A915438DF057E357FF3C486F4C63BDBF374A0B4D195FD37B588922F7199D402DA8630C65B234CD1BFB63C6EF08090CACFC08150848FDBBB67AF5C1BD72DEBBC62C5179590FBAC74C53534BD4164D711A4795D5D4646C7E22BD1C207980206F4638DC3D7A245341D2DC7975C71F78D29A6F42DEE225F3A369CC9DAC518DA4C6C81B6B4CE9E8E05D2577FBC808D64BC0696DAD1D47E98BB285C5255B8178B9CEA5814C12DFE240478C89C76DD779698F271F250A5B4947142E4B2F29306DE7EDE5D341716672DF8F7808 +Output = 6FBAE96F32C6FD4802AB82BDF54ACC46905E950C8342E9EDBD39F15EE5A9A0C80F57BD3C08B54065C3F929DEA70EBBAFF5D51DEA38C686E4595C1AA23135BC + +# 81 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey:0191F36E8DEAFCFE937A5A8F980B11EEE561802FF465FE5D2320CEFDFFCB2556815B9690ED093E70A2BDD16FF7E1FED540DABCF84011189722E177CB5B9FBB64EA517196E051C8A25AC1410DFD213E9AEC299DBB2F0FA8F2F277E2B6AB9931E3CACE91357BEAFFDD95EC08E9030B0F059722658D8385337B87EC80E02F5D8E63AA44180C26D5BD51B62040628A30DE7357111339FCDC28E2DBB70A383BB6FDD5 +Ctrl.hexinfo = hexinfotrl.hexsalt = hexsalt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utput = 58218764C2DF043B4243F95DFA3DBBDC5F48600FB9E761F8DDACBFC4 + +# 82 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey:6257152E5BB9BE20E1BB9CB20529BB208BDCB403AA5CCEC8C4E8A39467A00C79E6C4FFCCE6A2E724BD8943000ED34E4500EFD11AA873D46124FBD043DD7BA925BBAA86546FBB105CF65D767FBDF2C4942B811011C6C8246C186E88F6FEDE81330801F2D2687AC6110197E3CDE0ECD0ACF1CF215FAFB227AE7DEFCF36CC11F3D92B566C8E9EB5644DE0C0C4ED77A25CE7A55407F2B8AC8A758F9188CCC8A7D1C5845A6F3CD47501F9C1DA0B3A27B64005BB97DD9ED678349A9340 +Ctrl.hexinfo = 
hexinfo:B7954071BD5159518C454F164F490441FA8856A39F884F985ACD85769AFA76B3968CEAD647BF51DD33BED511C5170B6FBADEE732450F66A16B88300E2F8D10 +Ctrl.hexsalt = hexsalt:6A31F79D469879062AB92B3331C111BA95114DD4E552DDEAD371D4B132F4F90864D8C37B4A87E4A998018C41963128BAF61C3D1B6953152DAD42252B411108B7FBC2655A7C08D6D22DB627FB7F8B2DF99C16C33BACF4CAC9323F83215A115FC0FD0CCCC42AC5D1B957E910331C486D30647F3DA1D205C4C8868F1F4DC22DBC3DEA4444EDBB9278D9 +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey:11C4771C4942059C11166B496EDA4A31E63A2E8B6CA8674AA7D3663F7C8D0A42960909F9FB6A58FD612326D43A1E03D33C4C157701A12C1BBE7286A23F66BF38EBA56872AD867EFCB12F2D98C325BD2D75A6A53CC5F5E8FE7BB67F79660A2C8EBCEAFAF74C7979E188DB6DE9A0A7D23EEBEDAC6CF47C22E59CB4EB276807D71F19CD409563A81B22129AB8E7DB85B366DEE8803D2A455BFD7F5D9F679B8C7C41C3486E530EB0266C2BD6B25079A2423C1C87B4E4489A6888214E46891446F9C5EB328A1DC2D0EE92CDC9D792CD7D4CC5E7B4AE955267734D663124FC42F335036980CEC5682AF1CB1C064BBCE7CFB9454B887D4A496245B9F8F247B39B0A981886BF6287C3974E64FEF8F897206B +Ctrl.hexinfo = hexinfo:C2F10D78E7BD88E216AD982A742FE593A87CD23F6D4E605DCD6F814A96A2D38A8A233ADF7BF4D64D9A2FAEC9841ECED5B67E6DEF772F6DFCD0886CBE0A22 +Ctrl.hexsalt = hexsalt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utput = 5FF64B0DFD627308678500C03B03D2EBE5E0F861721A865FC2B9FEEF4B858504A9AE081E02255231F34B6BCB0D38B8D61D032C4674079A0790ABA4ED90750417DC3F75ABAFDBABAB78111290A2F8D3E5FCF2DDB36584A667A7BD5DCCA2D2B3B08302BD6E046ACA21DE87D06F10BE17FFA436102F6316830C01C750EA3D6EEF59EB49C1C2B631963FC2925EF162C7A62FE098D30592DF0D35823611224C7C9366712CB723CB65F99DF94B55C2D7636684A5080E65D01C845FE62036E82963647165DB5059995DBB31A4029E6B807410D5FDEFBA7DE59B5E8C34449DD45B8D69B5F55948D95E33791062BC31B91B9F4F67997D388022B42A3E + +# 84 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey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trl.hexinfo = 
hexinfo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trl.hexsalt = hexsalt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utput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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey:23CCE07D22693C26A24139E9FF5289056187DED479064094D788A942B29814587DFEC996F8F0C3B812DA76F5E7CFE05A1D3D5DE405B607ED62D96DE6224F00183720B9E0ADA742BF6CE48A80F3A36E456FCC92B2B14B7937DE773D3AAF2F9D9D5A6A9955154F27AFF00F307FEEE665A0141D15BFED5B83D076CF2FD45632CE9C63786658448263858C7F0E341CEF070E4C946D7ECC0016C1C2DDD778D4B32EFE434D6EF5F5B134819CE2C0031C46AE4E480488853012EAD26D5B0A7903FF674C822B7ACB3D4F13D41A9E91B6D2841DCD57DB783C00B129BE18AC4408854E1F2E99938739130529C04188375AD1027EB2648FC8232E00E00A658ED16710545C51F863B95136815C1FFFA63DE0BC8E4CE914545DE2A0189152E5BEBB6F2529677E69F3E91EEC9207C171683BBF53C5C920FEF69077D3C545E181A5E43D43CE883B6590A685AF4AE0A5CC31A8E5F912F8C9FCFE3EAD64CD0F0F799868CC37D3F31A4E35D14C8FC51F3CA3F545E3D5BE79EA721B1136E8D67037DC354BCE87839A12147DA473FC6BE50E352783D505EC45C566F050D2E50797F2A9CEB774D4546327CA4AD01A84E0DAC3EEF73E80C8190694A92022EBAB655CE4982853D62ED30673A74CEF0B80EFE589DBFC3742EC301BFDA4E547DAC80B74BA5650096A69B5BF253A2BB0E417AB79F1FBEBF6201FB235A292BD8CEDF9409F583006B6FAE1E074 +Ctrl.hexinfo = hexinfotrl.hexsalt = hexsalt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utput = 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 + +# 86 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey:05F0DCA65380FDDBB6047C3AFB85597810D4F775BE9BFEDF81B1DD3D77221869EF64988D0EDAEB4B43DF7E9E061A1B656E82E1D3B309799D7DEB813ECC41BA35A2835517EBC7FBF1A7AA7F37387CCB02EFA97E3258BBEC447B83540ACC92F6C217B71AD21D0B0FECB4398E9F4EF420D2F54DD1C204D2EDBD557222FAB3B02B354ACE2C584FC150C16C8204457842B79E7D08BAF7C8409044106A936DCC7B6FB97F07E106939DDAB04599039416FD27E9E0EF752369AB3C2CD4BFF62A71955B6F171A43A02B978EF22B23A2046D65040694040228EA86D3C2A70D +Ctrl.hexinfo = 
hexinfo:5245D627798A577C79A94068C0EAFAE28CBAF7C450D5DBB01F623E84BD4386D330E184D035FFFF7350F6FDA351BBFE22310FE298AF9814D7160C2779FDA772764D9124BF0C2BF26E52A65C64ACF2BC47DB3B2B2FBAD36455A091FC276E5119AD5BA9960D02DA5D5C3F9C6B14EDB568123495CA1754CD20E39F27996A88310ABEBA4A1A14 +Ctrl.hexsalt = hexsalt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utput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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey:CFA01753F9BF46589AFD424783541C3AC1FF0A8BD8AA5ACF5973EDF445F7A628A99EBEA51E144BC70058223787FE037CE37965843995278E463567448746B0BD34C94587D000B427844421FF38A005C0B8743BF6B5DBF2EF268FA5D33BD00B21585BD78CBEBCF01E701A602C844D1DEB09A315936709180C560443C11F2542E470A64D568C0F64CD07A3FFCDE849F36951C4F87DB57CC7A5B1649B2389F8C170E8487578B76FB00121CA0F2F +Ctrl.hexinfo = hexinfo:701FBB3FF3C14E2A81799A47376532D4ACCFCC47C2BB54028141FCA782FD8B03DE65EBBE43EBCE13E174A28504CD29DB143B885BBE26A35BDEFE2BC2D5309E23FF9F1561414710352A8B6D65173201AC03D2D821208AA2F3C62D065321F99E4FDAB9B8057A2DADEC5DA9E6611A6988E4524CBC748078DCB7A48F8EEF346DDE11EC88 +Ctrl.hexsalt = hexsalt:1B21FF11FE834B3547424D3A59587C1269962D868B6E3FFF479AB2E631024BE8DF6CB98BCFBB483E +Output = B7B975385B84F6C29FDAEC8E33C22948DD08BED6655BB1F1B3CCA86FE72F37402BA9FCF8CBA9265CB740D0E48C12ADBA8F8F0844B76A61D4915C51A2F1CFCB49578963D2111A85D0AB6AB056539D25AF7F809BE5E4A77A507C1C55E0964298CE7F5E859264429509E0EA7A6BC400B05EEC012D6B8F45CB91DE55F29E61AEC05D4577694DB4405E6B14BD4F9D6E3FB4A8A19B73ADF76DD65B5C4BC04A78A7011ACB0514356399DA1527BC85676891B0F35F9B35CDE076EF687EA0935FB70B57D66B1B1B4CFC + +# 88 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfotrl.hexsalt = hexsalt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utput = DB8FC861395EEB7CBA1865E25FB10B0103BF99040C1D545B2785 + +# 89 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 
+Ctrl.hexkey = hexkey:51564F357E910BEC48F17DE71423A20A7A09AA9024095E956C01D1D42100DA4996D7C4C7A5FCB455BD013438BBB46921A1C2B605A0C79A161EF53233E7C8EE7C29389B7E4444CD300F4A58BF207C8A9E35B89C0F7D04813255090C722DC3A015C054B445529EDA3ED2340A22F9EF202A6860F787DEAFD0DE7EEE1C1F839F65196C52AE40A7F2FF2C407BBE4DE3FF2071298F1292DD0D676F945C3852CA1BB99081EE221A6149BA7AF3D494461E653BB640E73A3D30E7078E6C0F8A626CF201D5C1DCB31FB6605863CC4279E59CD47E1FBEA544CBF07B6D350DD87ABAAD87BC6DB9301A9D84FA5B85B32AB89E1C1467E7C938E92960BA05DB7A381911E50C8E85E096FA03BB4858A7CEA586F657E76D26E960C63C0C9D03B334D5E5DDA2292A3A200F86893B50478F75F5C6646E39B15F15BB3B0F46AF946620355403D8CD9D9509F530084782E224700CEBA10323E988D8BDAA3FBF332F5118CD0C1D75B89C6096CA8858C28A1DBFFAFA437500AD342C53C9BB742E33 +Ctrl.hexinfo = hexinfo:1F91CFF83BE3FF0E1D7DFEF24A9777D2508EBB91D7CCC119B147D582B402C57E9204DE8AA8460B44FF87ED3BB672E219F1A1D56450FDD4FE1B783E4627FF960AB8B5642CB1687325F20B8EABCADD91F08DFC814B0C7E34F73090F21B6BFD508E33B71847626F1673ECE1E284F4058E0E93AA44778DC9C2D1FCC79CC8DC6007D59083B059EB249AD1740F14CE4F30BECD58CE7B73D3E011E310046CFD418A8201B032B5B3D2E6DD0F1D17579FADD2D569C4DE535E61B7074536833FC934B8E9CCAEC2A1249A82ABAB2DDD2ADA25486750CDA1B52A5731C3 +Ctrl.hexsalt = hexsalt:B8A099044F41B8F8FD0411315C09E67609892FBC48B488B90C2B1F021EA08F98995BF1D3B04FB74E98F248E8441F6E0BF208EF788E9E48A9734954068F51EA45ED5651CA15D97FF902BD5A905DFC036132AE5309E67DEFEA2607AC3049B90BF283A6E54880A0BA4612D5F57D886EB020799DC09B436EECD29FD16ACF +Output = F9ECE826BF8A742E53AC2BA2103600491CE60BFBD58C96808D3C4FF15C9F73656947537A45ECC61D78F7A8AA129630F068CE62129268474E2760713FE0B013FBC19766791D53DDCD245FFF0CEC53A50EE02201F45F + +# 90 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = 
hexkey:6D0BC0F3F0F4929BB4C6300E2717F077D8423361508A285DD301BA883E35B3E57ADC248580A15557AA7A65904F846CEDB131A930749D5D92904194454C3D161A5780939405A2A98173A7FFAD1CB99E674706C6544F0A660D7029272A23C8FEAA28824AEEECB4F37786F93ADAABCEBCB86BB70E4AE73E9CA16E7F48F8192F7BAE82AA7CD9720A1F5551AE93ECABD48DB92241599E768154A45BBCF80B0A442519E6E6AF3887DEF9C55685CC3CE2F85D668B523D3E49629431E303B76BCF76DB1DEA75E5083B190C6080A3010BB238A71328C781E561108FCCEFEA52943F7A6857907E748A0C852E0D389F4FD92E841B3598F6E638CD6C +Ctrl.hexinfo = hexinfo:9D90727FF8F42123A162097599EA723DDD90298DDA6195326E4B70C832504D1280CF39F28B446BF1E368F471FE7E435EB7ED2D4D40979FD682FEC463E5058C96D308F3DD492A2A0ADE69257937183132AF56CEBEE6201A73AC821CB64E495A09E12C8930B0F3B585AC136E5A0B4B589EB412AD400E6EC25D38A3D0FEAFD71E4CC430C490B7E6455D97DC2DA97E52177D81CB8D6D961F39A6BD4116F5504D61D9BDECAD22C8DA6A4280445F4814809F4E98214B11B0DC3971538D6A2228C5A1F72441291DA1B09ECCDD3D49CF918C3428633FBAF244861AE70A4FD367A64780CA13F0D549A8028D53139098CBC343C126F41169A890B5E8F98AD1202F03B25D75080D1352B3293ACDE74AA72D80A5B92B7ED61904BC88D827438872E2D0759EBBBD18717D6F40FD0E15263168DC2B82FDB4F0A5A26D1A8D798B8292B0374FF419B3835902A36D1C2479861E4A0263AAD639A932C48F513F161A14EA8B647695347134CB8601BBA7E6B534F4AC31A88E750EF727CC84654D7E0A5BBE4A54D1586D324FF290D9B8CD6176B62ADDD04971D95E3F5DBDE4C88463C5A43ECF1C1D9DDF11C5F5A281ECB56BB40C9409C91223492ADB67F1B16A3328F2747D8E2381 +Ctrl.hexsalt = hexsalt:6C79FCE5CFC0F68E6ACFA445C77D076877DD3F2061EEEF6760B0996396C5BFF392CFF473145AE2714D6E216C328EB3596407FD155BB3D361EC113FB13143FD8B3BD7D37AD76C6F74F39AD4354FDB799F62CBA69351FBCA6549CBDF84CFD60B21A47148AC2D16240A9A4E1125191D2CCB950E873D64A1FD83830190FB770AC305BFEE537CA60EAEEA080B354E7F4D66DAC7568E93DBCB10F7EDEEBADC002D16D0 +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = 
hexkey:7C34F3905CC64175DA92BEBAA2DEBBED29258003F2197A92F842D82038E3407F140125C3ED0F5EBD4D92297161301AEED9946116674714A2F7E1A0BA848F0803041FEABDCC94828A3BE84A07BB727499FD5DAF41E7459EFFBFF158709A99A6989AE5E4D5C9184B88D5485B0646D39450523A542A27A2E8E8F5B4D5171D58D397EF91DB50C2C6D35187D6E4CF2E94B3950975C96E3195297535A79C9C6AD25FB918899BF9689DC61BA885BF50181D8F92503FE97C12EC218A8A44ED89E27CD74627FCECBE2604D4F3F2DB5A5220B4BA22307E18411987B60547C1FD3D91B9F702D8DF05D340C01169810204C9F1694C88827E42D97FB0262DD02C7E376D56F6F6A54BBB6C3D3CA1725898F23FB48731C6F96B9487B09C4E944B4210E13369017442B850232F45F41706F276CD447270E00EB2A16FCB39AFF56FEBB13253A865CF6637B2246740789ADB5FC05F92BD7FFD75648A983868ABF4DDB763A8DFD076C752088BC46FE544984ADAD8762D8CADD3939003CA6FB7D7F1FB2109ABD9C374B4D6EEEC3F90138E782EF95010 +Ctrl.hexinfo = hexinfo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trl.hexsalt = hexsalt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utput = CE1E94EB49FFF9C76ECB7E37E9EF184D198431B7CA93FE170129341C2E973216CD529B5023942C24B9CF304A43683D9B29732F28702326EC48DB3CA71130B9B267807317 + +# 92 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey:57D11A96B02847BA82B7A03BC5020DEF462F2C68E8B0CE4F5551ECB4C004A2DE08664C1F72950A4AE897D3605D +Ctrl.hexinfo = hexinfo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trl.hexsalt = hexsaltutput = DE076E3261E8196B9A358D508953C2EDC93EBF3959200AD46083E262E78E1A2F8B57F998A83F4F9E3077D7C119A1D6075AE9E75049DF9DBA393F4C68BF939A8A4516A69E703903389671FA82671F5737DB170910F41E720C37D2FCD187B1CEFE23A2C258BEC7768687F1A332F2AB351B75E350FFF08D8FF861EEB319521CEC7781D4AA5A18A06FB2BC849FC1B6379659263843D37D4B44D54E97 + +# 93 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey:FE5930559ED4EFC3474386C5E1DF180B4F86EACB0BCA7112C04DC82D1DC8D6B5CCD63E482BC285E682C32A23BE6F820856C644DEE930F13CA25B1824BA71867266443464E76ED29465D3FCFC07146ED871829FA43A3CFA013A26B7FD56EBB97EC031372D48F48BF56A7F 
+Ctrl.hexinfo = hexinfo:421D20693DAAC8789443FF6AABF8BB752FE7FF6075B06BDFE2E854421E92EA4151F811D326540312D708B10AC92AEED088101B044F9A0053F047BE40BCA080454EC89599C943854BEB4FFB75045C26A02911E29FD8390AE692DB16ACA0EF62D37EB667F0CB17E26BAFF33D5A81922F07F45E301F73FFFCB6B860B1ABAE353F28A97C0833641B +Ctrl.hexsalt = hexsalt:FAD205AE791F2C3A8467CA992844232BEBEB1A80BF09DA20F4B8B66039BEDE02F646680B7595D19420D13015226A85B5C45A2AB59D664D63DE7A444BB34C0BB47DED04AEFAE88616A1B8E60C6CB89B38036AAC44735CEFFBF563F4FBAC734C07DD9CCEBEA38920719F9D128D6142C6D276F0BE0054E8514BACA8381A5A25B4B345484E338B1229C16B012DC4A89BA32D7E4E21602692502CD059D1CC4B8B73CC62BA29056F45209750E493A51521A57D7483A6CDF1176D6E4EBE78ABAA79A6FEA642E64D1918B1241C127793009EEA48057B46F189190E4907 +Output = 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 + +# 94 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkeytrl.hexinfo = hexinfo:E93B6BF82D56A9B52CCA30F3AE58316464D13DBF695D56E96651694D4288B12206F4852D57D3199937791C6B77C0FCF98A89019E99C56D6F68 +Ctrl.hexsalt = hexsalt:BC92AC7D4C5E61CCDC4256BEB7DC05E33F1973E7ED31507A426505D583649576204BF90FEC867C97BB1E0684AA32BC3F7889E4F931A56DB5A29803C8F51CEAE3C601F0731B7E6D2413A48C5BE6F213452DFBF26E485C7710BF148D5AAA8F3C4779ED76BE78 +Outputversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkeytrl.hexinfo = hexinfo:017BE4C0A835695F896E9C051250F29D2EBC766AC8DA3CB5D933EE9E212673F6C9B1B185AF775E3815C34299A42C066F701793529E555BB3009438076E7F22CC08413218BF62B5C10F14C0238D3D49113A5D1D44F27B37FBCA71E864396D4DD5E6D0D6ED3E40CC8D5B86CDD5502524E9F87174BC55099DDF2E70598CF01148DCEA1149B2264282AE19724D8F5A656C24FED876814A +Ctrl.hexsalt = hexsalt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utputversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey:F302A7FC6CCF99DA990DC02FE5AE +Ctrl.hexinfo = hexinfo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trl.hexsalt = 
hexsaltutput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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfo:76F97BCF85C874B879DBEA7AC72BC6404847BF9A515981A7F75034F445F44FAB05AF54972AE887398C609FCCE817B9F127FE497ABD6B8BCB91A5B80D01011818A7D292801CEE3E91C27C05DC24124DB05D35F55E0DF77E97307185697A49B6923CC4DE36C717271D5C57723B02BB3D160F3257B79355DD86085A97440C9BE835B8089861295CE2B4EC89B3EA7E87F2C8B69105627F6E9BD5250893AACC14A71041F0C2F483F3A81495D6252F2A028E9B056458B3AC2A257AFD1B54D171788B12B8DEED0C22F72C0E +Ctrl.hexsalt = hexsalt:841CFEE449E317308ABC3C63AC22CBBD9863C213F89D51B22BD8B64FDBF24C29902E464E82A93291A95A5E6D9387F31CAE3476E3872C27CA6B808D7B74C18AE829D0EAA03F79F20E464A402068BD32B9542A1166DB +Output = 402C3CC085FAB4BB2ABED987A4D19C7164DE7309EF2FEC14BA8C37C30FF365C8 + +# 98 +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey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trl.hexinfo = hexinfo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trl.hexsalt = hexsalt:47EE382E402A378113B4421FD4E1DF9DCE675F6C63391DC3B16302D610DF6D76D7F5633EA762E84111C963FC89AD24FEC0EA9E1E8298E6AB2DE090296B484A77B1CCCCF9E0A0876C86E1044AE54AA3418D6E1F5A +Output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version = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = hexkey:93D800730AAAE6D19A0590A786DD801EDB58468822A7C67EB82D4CF1F20BDC2EDC4935E5C70C87319033E6B72CF90BCD25BAF96ACB14E7C8BEC87F91DB770481BCBCA191ABA5D9D4C3129C0A70844637BE2768F78C99EB7EDBE08BA0E14A432D3D563B7331C9F58DB28603B792C2A9496960DB1FA441D7 +Ctrl.hexinfo = hexinfo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trl.hexsalt = hexsalt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utput = 6612DE0151CC3651716AA4C7DB2B502ABD2C05CBFAD62747F89CDC31ECC23ADD7A38FF403469 + +FIPSversion = >=3.1.0 +KDF = KBKDF +Ctrl.mac = mac:KMAC256 +Ctrl.hexkey = 
hexkey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trl.hexinfo = hexinfo:B6FE11FAFEE7DFF548EE70F73E8BE7CFFDC979BFF854D63C83A4AD145113B9126319CDB4319DDD5C389A9A5DB8751E69CB7B42F02C8D3484B34297DB44188FE34B286D5CF5B34A3FB9A54C2CD8897F1A80F22CE1F7053BD076C3687CDC960284C673E737909E5CF75C39F5685DAA471BBF7471479C56573360FEFB51ABA778AE0EAAD620A53E8FF139C9374E389BCE711413245544112F9D948D751F9096C194872D042C1C5C2FE3C9B658CBF3EBC0D61D8CE76C3B00DC12D6F37DD52159A892952A3AF871ECFEFC805F552123059011629778392856BFC22675181A59AF431FD87BD183FD226D96C510C3FA +Ctrl.hexsalt = hexsalt:6880828E58B6A49BF1D9AEDA6C27E8D59C28A67B2EBCC1CD09C964AD6516729CBAD08183E4C5A9AF5069D3F682CC636A77BF407431AF5AE90466530166F405C4CF30A6CF925F94DC9DD72B88A6C6345CCBCBA26BDA42CD619F14E378A246877BF279BCB6292E36192A1B +Output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diff --git a/test/recipes/30-test_evp_data/evpkdf_pbkdf2.txt b/test/recipes/30-test_evp_data/evpkdf_pbkdf2.txt index 3f5972407..01bb4fdfa 100644 --- a/test/recipes/30-test_evp_data/evpkdf_pbkdf2.txt +++ b/test/recipes/30-test_evp_data/evpkdf_pbkdf2.txt @@ -1,5 +1,5 @@ # -# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
@@ -130,6 +130,38 @@ Ctrl.iter = iter:4096
 Ctrl.digest = digest:sha512
 Output = 9d9e9c4cd21fe4be24d5b8244c759665
 
+KDF = PBKDF2
+Ctrl.pkcs5 = pkcs5:1
+Ctrl.pass = pass:password
+Ctrl.salt = salt:salt
+Ctrl.iter = iter:4096
+Ctrl.digest = digest:sha3-224
+Output = 691292bc3683d7d41ea2910f5b3eed23
+
+KDF = PBKDF2
+Ctrl.pkcs5 = pkcs5:1
+Ctrl.pass = pass:password
+Ctrl.salt = salt:salt
+Ctrl.iter = iter:4096
+Ctrl.digest = digest:sha3-256
+Output = 778b6e237a0f49621549ff70d218d208
+
+KDF = PBKDF2
+Ctrl.pkcs5 = pkcs5:1
+Ctrl.pass = pass:password
+Ctrl.salt = salt:salt
+Ctrl.iter = iter:4096
+Ctrl.digest = digest:sha3-384
+Output = 9a5f1e45e8b83f1b259ba72d11c59087
+
+KDF = PBKDF2
+Ctrl.pkcs5 = pkcs5:1
+Ctrl.pass = pass:password
+Ctrl.salt = salt:salt
+Ctrl.iter = iter:4096
+Ctrl.digest = digest:sha3-512
+Output = 2bfaf2d5ceb6d10f5e262cd902488cfd
+
 Title = PBKDF2 tests for empty inputs
 
 KDF = PBKDF2
diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt
index a7300fd01..93195df97 100644
--- a/test/recipes/30-test_evp_data/evpmac_common.txt
+++ b/test/recipes/30-test_evp_data/evpmac_common.txt
@@ -259,6 +259,13 @@ Key = 0B122AC8F34ED1FE082A3625D157561454167AC145A10BBF77C6A70596D574F1
 Input = 498B53FDEC87EDCBF07097DCCDE93A084BAD7501A224E388DF349CE18959FE8485F8AD1537F0D896EA73BEDC7214713F
 Output = F62C46329B41085625669BAF51DEA66A
 
+FIPSversion = >3.0.99
+MAC = CMAC
+Algorithm = AES-256-ECB
+Key = 0B122AC8F34ED1FE082A3625D157561454167AC145A10BBF77C6A70596D574F1
+Input = 498B53FDEC87EDCBF07097DCCDE93A084BAD7501A224E388DF349CE18959FE8485F8AD1537F0D896EA73BEDC7214713F
+Result = MAC_INIT_ERROR
+
 Title = GMAC Tests (from NIST)
 
 MAC = GMAC
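Review bot: The four new PBKDF2 cases with sha3-224/256/384/512 give no indication of where their expected outputs come from, and I am not aware of a published PBKDF2-with-SHA-3 known-answer set, so they are presumably self-generated with OpenSSL and serve as regression tests rather than as independent validation. A comment above the first new block would make that explicit, for example `# PBKDF2 with SHA-3 digests: outputs generated with OpenSSL, no external KAT available`. The same four vectors are added to evppbe_pbkdf2.txt later in this commit and the same comment belongs there.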
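Review bot: `FIPSversion = >3.0.99` on the new CMAC negative case states the same bound that this commit's KBKDF vectors write as `>=3.1.0`; one spelling across the data files is easier to grep and maintain. The GMAC negative case in the following hunk (`Algorithm = AES-256-CBC`, `Result = MAC_INIT_ERROR`) has no FIPSversion line at all and also omits the blank line before the next `Title`; if the missing gate is deliberate because GMAC has always rejected non-GCM ciphers, a short comment such as `# GMAC rejects non-GCM ciphers in every provider version, so no FIPSversion gate` would stop the asymmetry from reading as an oversight.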
@@ -326,6 +333,12 @@ IV = 7AE8E2CA4EC500012E58495C
 Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007
 Output = 00BDA1B7E87608BCBF470F12157F4C07
 
+MAC = GMAC
+Algorithm = AES-256-CBC
+Key = 4C973DBC7364621674F8B5B89E5C15511FCED9216490FB1C1A2CAA0FFE0407E5
+IV = 7AE8E2CA4EC500012E58495C
+Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007
+Result = MAC_INIT_ERROR
 Title = KMAC Tests (From NIST)
 
 MAC = KMAC128
diff --git a/test/recipes/30-test_evp_data/evppbe_pbkdf2.txt b/test/recipes/30-test_evp_data/evppbe_pbkdf2.txt
index 3304179ec..178657f25 100644
--- a/test/recipes/30-test_evp_data/evppbe_pbkdf2.txt
+++ b/test/recipes/30-test_evp_data/evppbe_pbkdf2.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
@@ -118,6 +118,34 @@ iter = 4096
 MD = sha512
 Key = 9d9e9c4cd21fe4be24d5b8244c759665
 
+PBE = pbkdf2
+Password = "password"
+Salt = "salt"
+iter = 4096
+MD = sha3-224
+Key = 691292bc3683d7d41ea2910f5b3eed23
+
+PBE = pbkdf2
+Password = "password"
+Salt = "salt"
+iter = 4096
+MD = sha3-256
+Key = 778b6e237a0f49621549ff70d218d208
+
+PBE = pbkdf2
+Password = "password"
+Salt = "salt"
+iter = 4096
+MD = sha3-384
+Key = 9a5f1e45e8b83f1b259ba72d11c59087
+
+PBE = pbkdf2
+Password = "password"
+Salt = "salt"
+iter = 4096
+MD = sha3-512
+Key = 2bfaf2d5ceb6d10f5e262cd902488cfd
+
 Title = PBKDF2 tests for empty and NULL inputs
 
 PBE = pbkdf2
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
index 24ec6a4f7..8680797b9 100644
--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
diff --git a/test/recipes/70-test_sslrecords.t b/test/recipes/70-test_sslrecords.t
index 318c9235b..74ac8e79a 100644
--- a/test/recipes/70-test_sslrecords.t
+++ b/test/recipes/70-test_sslrecords.t
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
@@ -88,7 +88,7 @@ use constant {
 };
 
 # The TLSv1.2 in SSLv2 ClientHello need to run at security level 0
-# because in a SSLv2 ClientHello we can't send extentions to indicate
+# because in a SSLv2 ClientHello we can't send extensions to indicate
 # which signature algorithm we want to use, and the default is SHA1.
 
 #Test 5: Inject an SSLv2 style record format for a TLSv1.2 ClientHello
diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t
index 0ca547354..e045f29c4 100644
--- a/test/recipes/80-test_cmp_http.t
+++ b/test/recipes/80-test_cmp_http.t
@@ -52,7 +52,7 @@ my @app = qw(openssl cmp);
 # the CMP server configuration consists of:
 my $ca_dn; # The CA's Distinguished Name
 my $server_dn; # The server's Distinguished Name
-my $server_host;# The server's host name or IP address
+my $server_host;# The server's hostname or IP address
 my $server_port;# The server's port
 my $server_tls; # The server's TLS port, if any, or 0
 my $server_path;# The server's CMP alias
diff --git a/test/recipes/80-test_cmp_http_data/Mock/issuing.crt b/test/recipes/80-test_cmp_http_data/Mock/issuing.crt
index ebecbb79c..1ec737748 100644
--- a/test/recipes/80-test_cmp_http_data/Mock/issuing.crt
+++ b/test/recipes/80-test_cmp_http_data/Mock/issuing.crt
@@ -20,26 +20,3 @@ mC7DtilSZIgO2vwbTBL6ifmw9n1dd/Bl8Wdjnl7YJqTIf0Ozc2SZSMRUq9ryn4Wq
 YrjRl8NwioGb1LfjEJ0wJi2ngL3IgaN94qmDn10OJs8hlsufwP1n+Bca3fsl0m5U
 gUMG+CXxbF0kdCKZ9kQb1MJE4vOk6zfyBGQndmQnxHjt5botI/xpXg==
 -----END CERTIFICATE-----
-
-Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = interCA
------BEGIN CERTIFICATE-----
-MIIDgDCCAmigAwIBAgIJANnoWlLlEsTgMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnJvb3RDQTAeFw0xNTA3MDIxMzE3MDVa
-Fw0zNTA3MDIxMzE3MDVaMFcxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0
-YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEDAOBgNVBAMT
-B2ludGVyQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7s0ejvpQO
-nvfwD+e4R+9WQovtrsqOTw8khiREqi5JlmAFbpDEFam18npRkt6gOcGMnjuFzuz6
-iEuQmeeyh0BqWAwpMgWMMteEzLOAaqkEl//J2+WgRbA/8pmwHfbPW/d+f3bp64Fo
-D1hQAenBzXmLxVohEQ9BA+xEDRkL/cA3Y+k/O1C9ORhSQrJNsB9aE3zKbFHd9mOm
-H4aNSsF8On3SqlRVOCQine5c6ACSd0HUEjYy9aObqY47ySNULbzVq5y6VOjMs0W+
-2G/XqrcVkxzf9bVqyVBrrAJrnb35/y/iK0zWgJBP+HXhwr5mMTvNuEirBeVYuz+6
-hUerUbuJhr0FAgMBAAGjUDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFBj61iO5
-j11dE30+j6iRx9lhwBcuMB8GA1UdIwQYMBaAFIVWiTXinwAa4YYDC0uvdhJrM239
-MA0GCSqGSIb3DQEBCwUAA4IBAQDAU0MvL/yZpmibhxUsoSsa97UJbejn5IbxpPzZ
-4WHw8lsoUGs12ZHzQJ9LxkZVeuccFXy9yFEHW56GTlkBmD2qrddlmQCfQ3m8jtZ9
-Hh5feKAyrqfmfsWF5QPjAmdj/MFdq+yMJVosDftkmUmaBHjzbvbcq1sWh/6drH8U
-7pdYRpfeEY8dHSU6FHwVN/H8VaBB7vYYc2wXwtk8On7z2ocIVHn9RPkcLwmwJjb/
-e4jmcYiyZev22KXQudeHc4w6crWiEFkVspomn5PqDmza3rkdB3baXFVZ6sd23ufU
-wjkiKKtwRBwU+5tCCagQZoeQ5dZXQThkiH2XEIOCOLxyD/tb
------END CERTIFICATE-----
diff --git a/test/recipes/80-test_cmp_http_data/Mock/issuing_expired.crt b/test/recipes/80-test_cmp_http_data/Mock/issuing_expired.crt
new file mode 100644
index 000000000..c2168edda
--- /dev/null
+++ b/test/recipes/80-test_cmp_http_data/Mock/issuing_expired.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDjzCCAnegAwIBAgIUdQqeLAGVa/bud7qeTcfwfhpeKdQwDQYJKoZIhvcNAQEL
+BQAwVzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoT
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEQMA4GA1UEAxMHaW50ZXJDQTAeFw0y
+MzAxMjcxNzUyMzhaFw0yMzAxMjYxNzUyMzhaMFoxCzAJBgNVBAYTAkFVMRMwEQYD
+VQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBM
+dGQxEzARBgNVBAMMCnN1YmludGVyQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQD/NCO+FtTtFYOxFoSRVQFlZH8+pnj0agT2nc7JE3imS3VzXJvYBFWR
+hk/l72AdvTjA9XPb4VjL7aY2SX64BltwrnDl9Y7dYkgSfnuF7gyRa7d7DWcl5K/e
+dryDI6gKF4briRZVsDZgv3aZHtChIKjhI/tGbKQuvCPpOUPGqAfoPEpIP8Kl0IcT
+cMoDMCKuLcZVz3Q4kCzNgeWN7j+ZpUg5rIZE5URPfFrlxu1EmXwgGCaqEzLC3PiG
+Fj9dlO90Sfb3RovznseTsmOiADuYsqLTvIrOSczEdX6TolfvEkS22Rw1BEUc41Zk
+bVPiZFjUOuHpVskZv7QY0iV00tCqKCR/AgMBAAGjUDBOMAwGA1UdEwQFMAMBAf8w
+HQYDVR0OBBYEFOlnfRB0wZquuEw/CT4ccBXdHxpPMB8GA1UdIwQYMBaAFBj61iO5
+j11dE30+j6iRx9lhwBcuMA0GCSqGSIb3DQEBCwUAA4IBAQAb20F/gBkHu8E7Jg1e
+dhRBia9GaXARuKidZ0D9OnT0eYpY4TjpMli21avVJF+eNOBvEGdlVaYdnUKGkyk4
+8mjPq0vZj1ikK2CBprhv08/Lqxt2aDBsGZ14LbP2BAvckiFBDmBcD+AClmnuTIOI
+O/3v5IwQCNQF6duBp3T7RbfY2ACg7TNf405atmfmrJcVOtLNbDYvUhUuK7W9wiRX
+nKnWsrThw7pCTp/ZAOnH5L5/rcoys28hOXm+GAlQaIDsg9NXcNtUJvjaLQTNib7c
+iFCIUsQB7u8+hUJOZR/mIFPgh3M+amCaTTCihQzlUx/aJV3yovw+oVt06esoZBKd
+poqi
+-----END CERTIFICATE-----
diff --git a/test/recipes/80-test_cmp_http_data/Mock/root_expired.crt b/test/recipes/80-test_cmp_http_data/Mock/root_expired.crt
new file mode 100644
index 000000000..f3939af29
--- /dev/null
+++ b/test/recipes/80-test_cmp_http_data/Mock/root_expired.crt
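Review bot: issuing_expired.crt and root_expired.crt (this hunk and the next) carry no human-readable preamble, although server.crt and trusted.crt in the same directory are updated in this commit to list Issuer, Validity and Subject above the PEM block. If my decoding of the validity field is right, both certificates have notAfter (2023-01-26) one day before notBefore (2023-01-27), i.e. they were never valid rather than merely expired, which is worth stating so that nobody later regenerates them with a plausible validity and silently weakens the expired-cert rows in test_enrollment.csv. A preamble along the lines of `Validity: Not Before Jan 27 2023, Not After Jan 26 2023 (deliberately expired)` plus the Subject line would do.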
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDaTCCAlGgAwIBAgIUBUv9qdSv5TiDPA9vqqcKeo5H4SUwDQYJKoZIhvcNAQEL
+BQAwVjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGcm9vdENBMB4XDTIz
+MDEyNzE4MjgxOVoXDTIzMDEyNjE4MjgxOVowVjELMAkGA1UEBhMCQVUxEzARBgNV
+BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
+ZDEPMA0GA1UEAwwGcm9vdENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwPFrd4isNd/7c1MvkoAvdBYyTfUQIG9sOo7R3GvhLj7DBA+/m8TJEtHkC0WX
+5QbNZjrh4OIr36LE7HvTPTyK/150oKunA2oWW16SxH5beYpp1LyDXq5CknSlK+cA
+wanc1bFTBw9z946tFD4lnuUe5syRzZUMgEQgw/0Xz5E9YxAcFFv7w6jBiLJ3/5zb
+/GpERET3hewILNTfgaN5yf4em5MWU7eXq75PGqXi+kYF5A2cKqTMuR4hoGzEq1mw
+QDm7+Yit/d+NtAuvfkHgITzIM0VJhC+TBu79T+1P87yb3vwlXlXVddTFezpANQaf
+xIS0bJMMrzdar7ZBTSYjHLgCswIDAQABoy8wLTAMBgNVHRMEBTADAQH/MB0GA1Ud
+DgQWBBSFVok14p8AGuGGAwtLr3YSazNt/TANBgkqhkiG9w0BAQsFAAOCAQEAVvAx
+iBaBKxY/oN48TSbu4yUJeb9scFqBwto0SdCKPie4y17fgcssmcxfU0+/RV/NeQhN
+JxNDWnTOsAd9HGPeOYPYwNLv8fb0psZ2B+EM+k3WZRLiFrzKw+qWcl1koyqVAjRg
+RNpAH/vcDK5MMBxYjLuAsdvTMVjlXVjmguCNhaFQbm4FY7aU61G+okaAsY73bpwJ
+pA9aHFVYQj+nlA+EfVP2UFYNWi5qBkL1+iSZspl2iK9c99174BA+nYiEma1ihAXG
+tN/v3L8jccZoZTSpDdIykqRLW78JOnUx34lQS4DFCFn5LPnVDQZM3bN3PlLHthbC
+hMlygwUn44JvTKI50w==
+-----END CERTIFICATE-----
diff --git a/test/recipes/80-test_cmp_http_data/Mock/server.crt b/test/recipes/80-test_cmp_http_data/Mock/server.crt
index 31d9cc9c0..07eab2e63 100644
--- a/test/recipes/80-test_cmp_http_data/Mock/server.crt
+++ b/test/recipes/80-test_cmp_http_data/Mock/server.crt
@@ -1,19 +1,24 @@
- Subject: O = openssl_cmp
- Issuer: O = openssl_cmp
+ Issuer: CN=Root CA
+ Validity
+ Not Before: Jan 14 22:29:46 2016 GMT
+ Not After : Jan 15 22:29:46 2116 GMT
+ Subject: CN=server.example
 -----BEGIN CERTIFICATE-----
-MIICpTCCAY2gAwIBAgIBATANBgkqhkiG9w0BAQUFADAWMRQwEgYDVQQKDAtvcGVu
-c3NsX2NtcDAeFw0xNzEyMjAxMzA0MDBaFw0xODEyMjAxMzA0MDBaMBYxFDASBgNV
-BAoMC29wZW5zc2xfY21wMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-4ckRrH0UWmIJFj99kBqvCipGjJRAaPkdvWjdDQLglTpI3eZAJHnq0ypW/PZccrWj
-o7mxuvAStEYWF+5Jx6ZFmAsC1K0NNebSAZQoLWYZqiOzkfVVpLicMnItNFElfCoh
-BzPCYmF5UlC5yp9PSUEfNwPJqDIRMtw+IlVUV3AJw9TJ3uuWq/vWW9r96/gBKKdd
-mj/q2gGT8RC6LxEaolTbhfPbHaA1DFpv1WQFb3oAV3Wq14SOZf9bH1olBVsmBMsU
-shFEw5MXVrNCv2moM4HtITMyjvZe7eIwHzSzf6dvQjERG6GvZ/i5KOhaqgJCnRKd
-HHzijz9cLec5p9NSOuC1OwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQDGUXpFCBkV
-WgPrBfZyBwt6VCjWB/e67q4IdcKMfDa4hwSquah1AyXHI0PlC/qitnoSx2+7f7pY
-TEOay/3eEPUl1J5tdPF2Vg56Dw8jdhSkMwO7bXKDEE3R6o6jaa4ECgxwQtdGHmNU
-A41PgKX76yEXku803ptO39/UR7i7Ye3MbyAmWE+PvixJYUbxd3fqz5fsaJqTCzAy
-AT9hrr4uu8J7m3LYaYXo4LVL4jw5UsP5bIYtpmmEBfy9GhpUqH5/LzBNij7y3ziE
-T59wHkzawAQDHsBPuCe07DFtlzqWWvaih0TQAw9MZ2tbyK9jt7P80Rqt9CwpM/i9
-jQYqSl/ix5hn
+MIIDJTCCAg2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE2MDExNDIyMjk0NloYDzIxMTYwMTE1MjIyOTQ2WjAZMRcwFQYDVQQD
+DA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANVdYGrf/GHuSKqMEUhDpW22Ul2qmEmxYZI1sfw6BCUMbXn/tNXJ6VwcO+Crs7h9
+o95tveDd11q/FEcRQl6mgtBhwX/dE0bmCYUHDvLU/Bpk0gqtIKsga5bwrczEGVNV
+3AEdpLPvirRJU12KBRzx3OFEv8XX4ncZV1yXC3XuiENxD8pswbSyUKd3RmxYDxG/
+8XYkWq45QrdRZynh0FUwbxfkkeqt+CjCQ2+iZKn7nZiSYkg+6w1PgkqK/z9y7pa1
+rqHBmLrvfZB1bf9aUp6r9cB+0IdD24UHBw99OHr90dPuZR3T6jlqhzfuStPgDW71
+cKzCvfFu85KVXqnwoWWVk40CAwEAAaN9MHswHQYDVR0OBBYEFMDnhL/oWSczELBS
+T1FSLwbWwHrNMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJMAkGA1Ud
+EwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4
+YW1wbGUwDQYJKoZIhvcNAQELBQADggEBAHvTBEN1ig8RrsT716Ginv4gGNX0LzGI
+RrZ1jO7lm5emuaPNYJpGw0iX5Zdo91qGNXPZaZ75X3S55pQTActq3OPEBOll2pyk
+iyjz+Zp/v5cfRZLlBbFW5gv2R94eibYr4U3fSn4B0yPcl4xH/l/HzJhGDsSDW8qK
+8VIJvmvsPwmL0JMCv+FR59F+NFYZdND/KCXet59WUpF9ICmFCoBEX3EyJXEPwhbi
+X2sdPzJbCjx0HLli8e0HUKNttLQxCsBTRGo6iISLLamwN47mGDa9miBADwGSiz2q
+YeeuLO02zToHhnQ6KbPXOrQAqcL1kngO4g+j/ru+4AZThFkdkGnltvk=
 -----END CERTIFICATE-----
diff --git a/test/recipes/80-test_cmp_http_data/Mock/server.key b/test/recipes/80-test_cmp_http_data/Mock/server.key
index 232426679..0d7e4049f 100644
--- a/test/recipes/80-test_cmp_http_data/Mock/server.key
+++ b/test/recipes/80-test_cmp_http_data/Mock/server.key
@@ -1,27 +1,28 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA4ckRrH0UWmIJFj99kBqvCipGjJRAaPkdvWjdDQLglTpI3eZA
-JHnq0ypW/PZccrWjo7mxuvAStEYWF+5Jx6ZFmAsC1K0NNebSAZQoLWYZqiOzkfVV
-pLicMnItNFElfCohBzPCYmF5UlC5yp9PSUEfNwPJqDIRMtw+IlVUV3AJw9TJ3uuW
-q/vWW9r96/gBKKddmj/q2gGT8RC6LxEaolTbhfPbHaA1DFpv1WQFb3oAV3Wq14SO
-Zf9bH1olBVsmBMsUshFEw5MXVrNCv2moM4HtITMyjvZe7eIwHzSzf6dvQjERG6Gv
-Z/i5KOhaqgJCnRKdHHzijz9cLec5p9NSOuC1OwIDAQABAoIBAGiYVO+rIfqc38jG
-sMxJED2NSBFnvE7k2LoeEgktBA0daxQgziYXtIkOXC3jkwAw1RXLuGH5RTDuJt3/
-LX6nsCW3NCCB6lTGERNaJyKg4dLHpzA+juY3/2P/MKHD1bGncpV7jNk2fpV7gBY1
-pu0wld1Oi+S3DPCaxs3w6Zl39Y4Z7oSNf6DRO5lGN3Asc8TSVjIOWpAl8LIg+P2B
-ZvFeHRANVXaV9YmF2uEi7iMgH4vGrK2svsmM9VThVO4ArGcTRTvGYn7aw3/H4Pt+
-lYuhERdpkKBT0tCgIpO5IJXMl4/5RSDTtcBwiJcReN5IHUAItBIPSHcMflNSKG/I
-aQf4u0ECgYEA8+PAyzn096Y2UrKzE75yuadCveLjsUWx2NN5ZMohQru99F4k7Pab
-/Te4qOe5zlxHAPK3LRwvbwUWo5mLfs45wFrSgZoRlYcCuL+JaX0y2oXMMF9E+UkY
-tljMt/HpLo1SfSjN2Sae4LVhC7rWJ43LtyRepptzBPGqd26eLPGAMr8CgYEA7P8u
-RGkMOrMzEKAb0A9smrzq2xW88T1VejqEt6R8mUcNt8PFHMgjuzVU4zDysrlb7G/0
-VSkQWnJxBh1yNGc1Av7YgwicIgApr4ty0hZhLcnKX2VrNw+L/sSe/cnwVAc6RtPK
-RR6xQubuLlrCGcbYXmyn5Jv+nlY0S3uCyDFHqIUCgYAwtpLxhJf7RwWeqva9wNJl
-ZpUcHE9iPwtwxXx/tyfBjoI4Zv11HyS1BQYrJm2kXCYKeHBB4FlREXEeKDMGluZO
-F1XocP+GIDtY71jg6xLXNtY76yt5pzH6ae4p53WtyKhrO1UyRFaDh3bkwuK3b8j6
-wZbuLCpjGGn2BPAvBeWXPQKBgEewKN6op/pZmmi9Bay5/bAQ1TnQKYcPdnuyl9K0
-/ruespeTsFw0bhqC11qhw8gsKZIri0z3TusNEwM2hQU08uQlEnkQcaoXQoTHOcQy
-4NJo575Tf0r4ePBnqXA7VWcViJtEFTszPYtvLzz2VyBU9b4aP+73AN4EVW0/vx+v
-SG3BAoGBAMzESFA2TXwUFmozK5zowIszc995Xqpi7mXKk77WESOpoS1dQ1wF1dSg
-XOwxzFoYovLxcc1K9lqOrod8BV+qGuEfc/PIJ2aiXjvEDeZYX2eWaANNmj4OSLoJ
-MNYj9tZxbq56slD7snf7AgUBnwKz0Pj6H6UsbE3gdJqZWCDyw/bB
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDVXWBq3/xh7kiq
+jBFIQ6VttlJdqphJsWGSNbH8OgQlDG15/7TVyelcHDvgq7O4faPebb3g3ddavxRH
+EUJepoLQYcF/3RNG5gmFBw7y1PwaZNIKrSCrIGuW8K3MxBlTVdwBHaSz74q0SVNd
+igUc8dzhRL/F1+J3GVdclwt17ohDcQ/KbMG0slCnd0ZsWA8Rv/F2JFquOUK3UWcp
+4dBVMG8X5JHqrfgowkNvomSp+52YkmJIPusNT4JKiv8/cu6Wta6hwZi6732QdW3/
+WlKeq/XAftCHQ9uFBwcPfTh6/dHT7mUd0+o5aoc37krT4A1u9XCswr3xbvOSlV6p
+8KFllZONAgMBAAECggEADLTt7A+A2Vg2jamf0dztejY0e42QWjstI2b9PZc67fXq
+gyx+WYkX07t+uWegYWliG/oPJ9guXiIpE/5sJHToL37S5kmFP2CtynVcJ4wVo4DD
+nY0n9+kLX0bgIuS+2V6wpoRcbbbjXM9NHrH8kfe5ftT4UtEDlLI2qLX6IcDd7p4u
+OYjILChR8GSGTw96yIy2Ws/1Uq9PMw64JoT4RcK5QqnkcPMDFRH1SeLOL+zXP2c4
+nEl9yOy3HauZKxwl/Ry/XK1s3DdjopIAU29ut+hAuMiTb06kzZnumL9NoplKoZtU
+otw/gVcCKhT+Ep+p6i8InLF0XEME8A0qUR0niWebgQKBgQD6vkxR49B8ZZQrzjw4
+XKs1lI9cP7cgPiuWlDHMNjYou3WbOaGrMeScvbB1Ldh9A8pjAhxlw8AaV/xs4qcA
+trmVmSISVMVyc1wSGlJXWi2nUzTNs9OE3vj22SyStihf8UUZtWwX2b5Y4JrYhA/V
++ThGGqHR03oLNLShNLtJc2c7YQKBgQDZ1nkibEyrepexw/fnwkw61IJKq9wRIh1G
+PREakhbe9wU5ie0knuf9razt7awzQiwFmlixmWqsM7UEtLuXNnNPciwdrKhhbvrd
+vD/rkbIEHEPllIhFlDtOzn3hRBWTzWmXFjpou/2LvHTSbVis4IYVZymTp2jb1ZLs
+7VbiG9JTrQKBgQDc6n75g1szzpdehQT/r33U5j/syeJBUSU8NPMu9fB/sLHsgjlT
+SNEf2+y1QSBE/Or6kmiMrIv7advn30W+Vj9qc5HWTsPrk4HiHTjA553jl2alebN5
+lK4LZspjtIQcC8mS3goPdXPEgJdM/gWpwzr2YQ6DfOxBJT2j7n64NyoT4QKBgH7/
+yx+GhCx1DHtXBPDZFhg2TL+78lEK0oZgk9gp06up2CHzh44SFq6O0oLkTcCUk5Ww
+poTkLIy4mJBlzfgahp+KsK2cO46SZS9g0ONFzcMXt33hWpE2Gl2XhUwPpYTF/QlY
+rDTjZK5S8Mi9dzVSsNlJi7PJphiEK2R1+nFYRwcBAoGBANWoIG85jpXAOnq/Kcgx
+Rl3YivR0Ke6r1tFlP58rT7X3EkiboXyQl5vLIFCAwUte6RGrLl1dy3Qyh80B9ySL
+Jx6vj42CK7vgv6A96TuVYhnXTnEI6ZvwAQ2VGaw4BizhjALs/kdSE/og9aSCs3ws
+KQypwAFz0tbHxaNag/bSAN0J
+-----END PRIVATE KEY-----
diff --git a/test/recipes/80-test_cmp_http_data/Mock/test.cnf b/test/recipes/80-test_cmp_http_data/Mock/test.cnf
index 87dd575a8..c68095661 100644
--- a/test/recipes/80-test_cmp_http_data/Mock/test.cnf
+++ b/test/recipes/80-test_cmp_http_data/Mock/test.cnf
@@ -15,7 +15,7 @@ policies = certificatePolicies
 
 ############################# server configurations
 [Mock] # the built-in OpenSSL CMP mock server
-no_check_time = 1
+# no_check_time = 1
 server_host = 127.0.0.1 # localhost
 # server_port = 0 means that the port is determined by the server
 server_port = 0
@@ -24,9 +24,9 @@ server_cert = server.crt
 server = $server_host:$server_port
 server_path = pkix/
 path = $server_path
-ca_dn = /O=openssl_cmp
+ca_dn = /CN=Root CA
 recipient = $ca_dn
-server_dn = /O=openssl_cmp
+server_dn = /CN=server.example
 expect_sender = $server_dn
 subject = "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=leaf"
 newkey = signer.key
diff --git a/test/recipes/80-test_cmp_http_data/Mock/trusted.crt b/test/recipes/80-test_cmp_http_data/Mock/trusted.crt
index 31d9cc9c0..23406e998 100644
--- a/test/recipes/80-test_cmp_http_data/Mock/trusted.crt
+++ b/test/recipes/80-test_cmp_http_data/Mock/trusted.crt
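Review bot: `# no_check_time = 1` leaves a commented-out setting in the [Mock] section without saying why time checking is now enabled; the expired-certificate rows added to test_enrollment.csv in this commit can only fail for the intended reason if the cmp client enforces validity periods, so that dependency should be recorded rather than implied. Either delete the line or replace it with a comment such as `# no_check_time is intentionally unset: the *_expired.crt cases rely on validity being checked`. The new server.crt and trusted.crt preambles show validity until 2116, so the positive cases do not become clock-dependent.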
@@ -1,19 +1,23 @@
- Subject: O = openssl_cmp
- Issuer: O = openssl_cmp
+ Issuer: CN=Root CA
+ Validity
+ Not Before: Jan 14 22:29:05 2016 GMT
+ Not After : Jan 15 22:29:05 2116 GMT
+ Subject: CN=Root CA
 -----BEGIN CERTIFICATE-----
-MIICpTCCAY2gAwIBAgIBATANBgkqhkiG9w0BAQUFADAWMRQwEgYDVQQKDAtvcGVu
-c3NsX2NtcDAeFw0xNzEyMjAxMzA0MDBaFw0xODEyMjAxMzA0MDBaMBYxFDASBgNV
-BAoMC29wZW5zc2xfY21wMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-4ckRrH0UWmIJFj99kBqvCipGjJRAaPkdvWjdDQLglTpI3eZAJHnq0ypW/PZccrWj
-o7mxuvAStEYWF+5Jx6ZFmAsC1K0NNebSAZQoLWYZqiOzkfVVpLicMnItNFElfCoh
-BzPCYmF5UlC5yp9PSUEfNwPJqDIRMtw+IlVUV3AJw9TJ3uuWq/vWW9r96/gBKKdd
-mj/q2gGT8RC6LxEaolTbhfPbHaA1DFpv1WQFb3oAV3Wq14SOZf9bH1olBVsmBMsU
-shFEw5MXVrNCv2moM4HtITMyjvZe7eIwHzSzf6dvQjERG6GvZ/i5KOhaqgJCnRKd
-HHzijz9cLec5p9NSOuC1OwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQDGUXpFCBkV
-WgPrBfZyBwt6VCjWB/e67q4IdcKMfDa4hwSquah1AyXHI0PlC/qitnoSx2+7f7pY
-TEOay/3eEPUl1J5tdPF2Vg56Dw8jdhSkMwO7bXKDEE3R6o6jaa4ECgxwQtdGHmNU
-A41PgKX76yEXku803ptO39/UR7i7Ye3MbyAmWE+PvixJYUbxd3fqz5fsaJqTCzAy
-AT9hrr4uu8J7m3LYaYXo4LVL4jw5UsP5bIYtpmmEBfy9GhpUqH5/LzBNij7y3ziE
-T59wHkzawAQDHsBPuCe07DFtlzqWWvaih0TQAw9MZ2tbyK9jt7P80Rqt9CwpM/i9
-jQYqSl/ix5hn
+MIIC8TCCAdmgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE2MDExNDIyMjkwNVoYDzIxMTYwMTE1MjIyOTA1WjASMRAwDgYDVQQD
+DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv5oV1s3N
+us7SINg7omu5AxueEgK97mh5PU3hgZpliSFaESmL2qLGeP609oXs/68XDXVW4utU
+LCOjLh0np+5Xy3i3GRDXgBZ72QDe23WqqQqqaBlQVVm1WxG+amRtZJEWdSIsiFBt
+k+8dBElHh2WQDhDOWqHGHQarQgJPxGB97MRhMSlbTwK1T5KAWOlqi5mJW5L6vNrQ
+7Tra/YceH70fU0fJYOXhBxM92NwD1bbVd9GPYFSqrdrVj19bvo63XsxZduex5QHr
+RkWqT5w5mgAHaEgCqWrS/64q9TR9UEwrB8kiZZg3k9/im+zBwEULTZu0r8oMEkpj
+bTlXLmt8EMBqxwIDAQABo1AwTjAdBgNVHQ4EFgQUcH8uroNoWZgEIyrN6z4XzSTd
+AUkwHwYDVR0jBBgwFoAUcH8uroNoWZgEIyrN6z4XzSTdAUkwDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEAuiLq2lhcOJHrwUP0txbHk2vy6rmGTPxqmcCo
+CUQFZ3KrvUQM+rtRqqQ0+LzU4wSTFogBz9KSMfT03gPegY3b/7L2TOaMmUFRzTdd
+c9PNT0lP8V3pNQrxp0IjKir791QkGe2Ux45iMKf/SXpeTWASp4zeMiD6/LXFzzaK
+BfNS5IrIWRDev41lFasDzudK5/kmVaMvDOFyW51KkKkqb64VS4UA81JIEzClvz+3
+Vp3k1AXup5+XnTvhqu2nRhrLpJR5w8OXQpcn6qjKlVc2BXtb3xwci1/ibHlZy3CZ
+n70e2NYihU5yYKccReP+fjLgVFsuhsDs/0hRML1u9bLp9nUbYA==
 -----END CERTIFICATE-----
diff --git a/test/recipes/80-test_cmp_http_data/test_enrollment.csv b/test/recipes/80-test_cmp_http_data/test_enrollment.csv
index 358521de2..ed0573392 100644
--- a/test/recipes/80-test_cmp_http_data/test_enrollment.csv
+++ b/test/recipes/80-test_cmp_http_data/test_enrollment.csv
@@ -73,7 +73,9 @@ expected,description, -section,val, -cmd,val, -newkey,val,val, -newkeypass,val,
 0,out_trusted is directory, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_out_trusted2.pem,, -out_trusted,dir/,,BLANK,,BLANK,,,
 0,out_trusted too many parameters, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_out_trusted3.pem,, -out_trusted,abc,def,BLANK,,BLANK,,,
 0,out_trusted empty certificate file, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_out_trusted4.pem,, -out_trusted,empty.txt,,BLANK,,BLANK,,,
-0,out_trusted expired ca certificate, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_out_trusted5.pem,, -out_trusted,root_expired.crt,,BLANK,,BLANK,,,
+1,out_trusted accept issuing ca cert even with CRL check enabled by default, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_out_trusted5.pem,, -out_trusted,issuing.crt,,BLANK,,BLANK,,,-partial_chain,-crl_check,-srvcert,server.crt
+0,out_trusted expired issuing ca cert, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_out_trusted5.pem,, -out_trusted,issuing_expired.crt,,BLANK,,BLANK,,,-partial_chain
+0,out_trusted expired root ca cert, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_out_trusted5.pem,, -out_trusted,root_expired.crt,,BLANK,,BLANK,,,
 0,out_trusted wrong ca, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_out_trusted6.pem,, -out_trusted,signer.crt,,BLANK,,BLANK,,,
 0,out_trusted random input, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_out_trusted7.pem,, -out_trusted,random.bin,,BLANK,,BLANK,,,
 ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index abe299b6a..40dd585c1 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -452,10 +452,10 @@ my @smime_cms_cades_tests = (
 my @smime_cms_cades_ko_tests = (
 [ "sign content DER format, RSA key, not CAdES-BES compatible",
 [ @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
- "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ],
+ "-certfile", $smroot, "-signer", $smrsa1, "-out", "cades-ko.cms" ],
 "fail to verify token since requiring CAdES-BES compatibility",
- [ @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
- "-CAfile", $smroot, "-out", "{output}.txt" ],
+ [ @prov, "-verify", "-cades", "-in", "cades-ko.cms", "-inform", "DER",
+ "-CAfile", $smroot, "-out", "cades-ko.txt" ],
 \&final_compare
 ]
 );
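Review bot: All three new rows write their result to `_RESULT_DIR/test.certout_out_trusted5.pem`, the path the removed row used, whereas every other row in this block has its own numbered file (trusted2 through trusted7). With a shared name, the file produced by the succeeding case (`1,out_trusted accept issuing ca cert ...`) is still present while the two expected-failure cases run, so a leftover from one case cannot be told apart from output of another; giving each row a distinct name, e.g. `test.certout_out_trusted5a.pem` and `test.certout_out_trusted5b.pem`, keeps the cases independent.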
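Review bot: The sign step now writes a fixed `cades-ko.cms` and the verify step a fixed `cades-ko.txt`, but the cleanup added in the `@@ -894` hunk of this file removes only `cades-ko.txt`; a `cades-ko.cms` left over from an earlier run would let the negative verify step operate on stale input if the sign command ever fails. Adding `1 while unlink "cades-ko.cms";` beside the existing unlink keeps each iteration self-contained.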
@@ -636,6 +636,34 @@ my @smime_cms_param_tests = (
 ]
 );
 
+my @smime_cms_param_tests_autodigestmax = (
+ [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=auto-digestmax, digestsize < maximum salt length",
+ [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
+ "-signer", $smrsa1, "-md", "sha256",
+ "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:auto-digestmax",
+ "-out", "{output}.cms" ],
+ # digest is SHA-256, which produces 32, bytes of output
+ sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 32; },
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
+ "-CAfile", $smroot, "-out", "{output}.txt" ],
+ \&final_compare
+ ],
+
+ [ "signed content test streaming PEM format, RSA keys, PSS signature, saltlen=auto-digestmax, digestsize > maximum salt length",
+ [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach",
+ "-signer", $smrsa1024, "-md", "sha512",
+ "-keyopt", "rsa_padding_mode:pss", "-keyopt", "rsa_pss_saltlen:auto-digestmax",
+ "-out", "{output}.cms" ],
+ # digest is SHA-512, which produces 64, bytes of output, but an RSA-PSS
+ # signature with a 1024 bit RSA key can only accomodate 62
+ sub { my %opts = @_; rsapssSaltlen("$opts{output}.cms") == 62; },
+ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", "-inform", "PEM",
+ "-CAfile", $smroot, "-out", "{output}.txt" ],
+ \&final_compare
+ ]
+);
+
+
 my @contenttype_cms_test = (
 [ "signed content test - check that content type is added to additional signerinfo, RSA keys",
 [ "{cmd1}", @prov, "-sign", "-binary", "-nodetach", "-stream", "-in", $smcont,
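Review bot: Two comment nits in the new `@smime_cms_param_tests_autodigestmax` table: `# digest is SHA-256, which produces 32, bytes of output` has a stray comma (the SHA-512 comment has the same), and `accomodate` should read `accommodate`. The second entry also signs with `@defaultprov` while the first uses `@prov`; if that is because the 1024-bit `$smrsa1024` key is not usable under the FIPS provider, a comment on that line, e.g. `# 1024-bit RSA is not FIPS-approved, so sign with the default provider`, would explain the difference.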
@@ -733,7 +761,21 @@ subtest "CMS <=> CMS consistency tests\n" => sub {
 
 subtest "CMS <=> CMS consistency tests, modified key parameters\n" => sub {
 plan tests =>
- (scalar @smime_cms_param_tests) + (scalar @smime_cms_comp_tests);
+ (scalar @smime_cms_param_tests) + (scalar @smime_cms_comp_tests)
+ + (scalar @smime_cms_param_tests_autodigestmax) + 1;
+
+ ok(run(app(["openssl", "cms", @prov,
+ "-sign", "-in", $smcont,
+ "-outform", "PEM",
+ "-nodetach",
+ "-signer", $smrsa1,
+ "-keyopt", "rsa_padding_mode:pss",
+ "-keyopt", "rsa_pss_saltlen:auto-digestmax",
+ "-out", "digestmaxtest.cms"])));
+ # Providers that do not support rsa_pss_saltlen:auto-digestmax will parse
+ # it as 0
+ my $no_autodigestmax = rsapssSaltlen("digestmaxtest.cms") == 0;
+ 1 while unlink "digestmaxtest.cms";
 
 runner_loop(prefix => 'cms2cms-mod', cmd1 => 'cms', cmd2 => 'cms',
 tests => [ @smime_cms_param_tests ]);
@@ -745,6 +787,15 @@ subtest "CMS <=> CMS consistency tests, modified key parameters\n" => sub {
 runner_loop(prefix => 'cms2cms-comp', cmd1 => 'cms', cmd2 => 'cms',
 tests => [ @smime_cms_comp_tests ]);
 }
+
+ SKIP: {
+ skip("rsa_pss_saltlen:auto-digestmax not supported",
+ scalar @smime_cms_param_tests_autodigestmax)
+ if $no_autodigestmax;
+
+ runner_loop(prefix => 'cms2cms-comp', 'cmd1' => 'cms', cmd2 => 'cms',
+ tests => [ @smime_cms_param_tests_autodigestmax ]);
+ }
 };
 
 # Returns the number of matches of a Content Type Attribute in a binary file.
@@ -894,6 +945,7 @@ subtest "CAdES ko tests\n" => sub {
 SKIP: {
 my $skip_reason = check_availability($$_[0]);
 skip $skip_reason, 1 if $skip_reason;
+ 1 while unlink "cades-ko.txt";
 
 ok(run(app(["openssl", "cms", @{$$_[1]}])), $$_[0]);
 ok(!run(app(["openssl", "cms", @{$$_[3]}])), $$_[2]);
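Review bot: The `runner_loop` call added in the `@@ -745` hunk reuses `prefix => 'cms2cms-comp'`, the prefix of the compression loop directly above it, so if output file names are derived from the prefix the two tables share a namespace and can overwrite each other's files; `prefix => 'cms2cms-autodigestmax'` keeps them apart and makes a failure attributable to the right table. The same call quotes one hash key and not the other (`'cmd1' => 'cms', cmd2 => 'cms'`); the bare form used by every other call in this file is preferable. The enclosing subtest begins in the preceding hunk.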
@@ -989,7 +1041,7 @@ with({ exit_checker => sub { return shift == 6; } }, sub { ok(run(app(['openssl', 'cms', '-encrypt', '-in', srctop_file("test", "smcont.txt"), - '-stream', '-recip', + '-aes128', '-stream', '-recip', srctop_file("test/smime-certs", "badrsa.pem"), ])), "Check failure during BIO setup with -stream is handled correctly"); diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t index fe0360741..0c6d6402d 100644 --- a/test/recipes/80-test_ssl_new.t +++ b/test/recipes/80-test_ssl_new.t @@ -31,15 +31,23 @@ my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs"); -my @conf_srcs = glob(srctop_file("test", "ssl-tests", "*.cnf.in")); +my @conf_srcs = (); +if (defined $ENV{SSL_TESTS}) { + my @conf_list = split(' ', $ENV{SSL_TESTS}); + foreach my $conf_file (@conf_list) { + push (@conf_srcs, glob(srctop_file("test", "ssl-tests", $conf_file))); + } + plan tests => scalar @conf_srcs; +} else { + @conf_srcs = glob(srctop_file("test", "ssl-tests", "*.cnf.in")); + # We hard-code the number of tests to double-check that the globbing above + # finds all files as expected. + plan tests => 30; +} map { s/;.*// } @conf_srcs if $^O eq "VMS"; my @conf_files = map { basename($_, ".in") } @conf_srcs; map { s/\^// } @conf_files if $^O eq "VMS"; -# We hard-code the number of tests to double-check that the globbing above -# finds all files as expected. -plan tests => 30; - # Some test results depend on the configuration of enabled protocols. We only # verify generated sources in the default configuration. my $is_default_tls = (disabled("ssl3") && !disabled("tls1") && diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index 8c52b637f..50b74a1e2 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t 
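Review bot: In the `SSL_TESTS` branch of 80-test_ssl_new.t, a pattern that matches nothing (typo, file removed) leaves `@conf_srcs` empty and `plan tests => 0` makes Test::More abort with a generic "You said to run 0 tests" message rather than pointing at the environment variable. An explicit check before the plan, `die "SSL_TESTS='$ENV{SSL_TESTS}' matched no test/ssl-tests/*.cnf.in files\n" unless @conf_srcs;`, gives the person running a subset a direct diagnosis. It is also worth a comment that this path intentionally bypasses the hard-coded count of 30, so the default branch remains the only place that guards against the glob silently missing a new file.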
@@ -78,9 +78,10 @@ my $client_sess="client.ss"; # If you're adding tests here, you probably want to convert them to the # new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead. plan tests => - ($no_fips ? 0 : 5) # testssl with fips provider + ($no_fips ? 0 : 6) # testssl with fips provider + 1 # For testss + 5 # For the testssl with default provider + + 1 # For security level 0 failure tests ; subtest 'test_ss' => sub { @@ -345,7 +346,6 @@ sub testssl { $dsa_cert = 1; } - subtest 'standard SSL tests' => sub { ###################################################################### plan tests => 19; @@ -527,6 +527,44 @@ sub testssl { } }; + subtest 'SSL security level failure tests' => sub { + ###################################################################### + plan tests => 3; + + SKIP: { + skip "SSLv3 is not supported by this OpenSSL build", 1 + if disabled("ssl3"); + + skip "SSLv3 is not supported by the FIPS provider", 1 + if $provider eq "fips"; + + is(run(test([@ssltest, "-bio_pair", "-ssl3", "-cipher", '@SECLEVEL=1'])), + 0, "test sslv3 fails at security level 1, expecting failure"); + } + + SKIP: { + skip "TLSv1.0 is not supported by this OpenSSL build", 1 + if $no_tls1; + + skip "TLSv1.0 is not supported by the FIPS provider", 1 + if $provider eq "fips"; + + is(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", '@SECLEVEL=1'])), + 0, 'test tls1 fails at security level 1, expecting failure'); + } + + SKIP: { + skip "TLSv1.1 is not supported by this OpenSSL build", 1 + if $no_tls1_1; + + skip "TLSv1.1 is not supported by the FIPS provider", 1 + if $provider eq "fips"; + + is(run(test([@ssltest, "-bio_pair", "-tls1_1", "-cipher", '@SECLEVEL=1'])), + 0, 'test tls1.1 fails at security level 1, expecting failure'); + } + }; + subtest 'RSA/(EC)DHE/PSK tests' => sub { ###################################################################### 
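Review bot: The three new "security level failure" checks only assert a non-zero exit (`is(run(test([...])), 0, ...)`), so they also pass if `ssl_old_test` fails for an unrelated reason (a missing certificate, an option the binary does not understand), which is the classic weakness of a negative-only test. Pairing each with a positive control at `@SECLEVEL=0`, or at least noting in a comment that the 'standard SSL tests' subtest already exercises the same protocol at level 0 (I cannot confirm that from this hunk), would make the failure attributable to the security level. For consistency with the rest of this file, which writes negative checks as `ok(!run(test([...])), ...)` (see the PSK SECLEVEL 3 tests further down), the same form could be used here. The enclosing `sub testssl` starts and ends outside this hunk.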
@@ -579,14 +617,14 @@ sub testssl { } SKIP: { - skip "TLSv1.1 is not supported by this OpenSSL build", 4 - if $no_tls1_1; + skip "TLSv1.2 is not supported by this OpenSSL build", 4 + if $no_tls1_2; SKIP: { skip "skipping auto DHE PSK test at SECLEVEL 3", 1 if ($no_dh || $no_psk); - ok(run(test(['ssl_old_test', '-tls1_1', '-dhe4096', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:DHE-PSK-AES256-CBC-SHA384'])), + ok(run(test(['ssl_old_test', '-tls1_2', '-dhe4096', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:DHE-PSK-AES256-CBC-SHA384'])), 'test auto DHE PSK meets security strength'); } @@ -594,7 +632,7 @@ sub testssl { skip "skipping auto ECDHE PSK test at SECLEVEL 3", 1 if ($no_ec || $no_psk); - ok(run(test(['ssl_old_test', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:ECDHE-PSK-AES256-CBC-SHA384'])), + ok(run(test(['ssl_old_test', '-tls1_2', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:ECDHE-PSK-AES256-CBC-SHA384'])), 'test auto ECDHE PSK meets security strength'); } @@ -602,7 +640,7 @@ sub testssl { skip "skipping no RSA PSK at SECLEVEL 3 test", 1 if ($no_rsa || $no_psk); - ok(!run(test(['ssl_old_test', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:RSA-PSK-AES256-CBC-SHA384'])), + ok(!run(test(['ssl_old_test', '-tls1_2', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:RSA-PSK-AES256-CBC-SHA384'])), 'test auto RSA PSK does not meet security level 3 requirements (PFS)'); } @@ -610,7 +648,7 @@ sub testssl { skip "skipping no PSK at SECLEVEL 3 test", 1 if ($no_psk); - ok(!run(test(['ssl_old_test', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:PSK-AES256-CBC-SHA384'])), + ok(!run(test(['ssl_old_test', '-tls1_2', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:PSK-AES256-CBC-SHA384'])), 'test auto PSK does not meet security level 3 requirements (PFS)'); } } diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t index 70fa7e50e..70d789d6c 100644 
--- a/test/recipes/90-test_sslapi.t +++ b/test/recipes/90-test_sslapi.t @@ -1,12 +1,11 @@ #! /usr/bin/env perl -# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy # in the file LICENSE in the source distribution or at # https://www.openssl.org/source/license.html - use OpenSSL::Test::Utils; use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file/; use File::Temp qw(tempfile); @@ -19,13 +18,22 @@ use lib srctop_dir('Configurations'); use lib bldtop_dir('.'); my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); +my $fipsmodcfg_filename = "fipsmodule.cnf"; +my $fipsmodcfg = bldtop_file("providers", $fipsmodcfg_filename); + +my $provconf = srctop_file("test", "fips-and-base.cnf"); + +# A modified copy of "fipsmodule.cnf" +my $fipsmodcfgnew_filename = "fipsmodule_mod.cnf"; +my $fipsmodcfgnew = bldtop_file("test", $fipsmodcfgnew_filename); + +# A modified copy of "fips-and-base.cnf" +my $provconfnew = bldtop_file("test", "temp.cnf"); plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build" if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls")); -plan tests => - ($no_fips ? 0 : 1) # sslapitest with fips - + 1; # sslapitest with default provider +plan tests => 3; (undef, my $tmpfilename) = tempfile(); 
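Review bot: `$fipsmodcfgnew` and `$provconfnew` are fixed paths under `bldtop/test` (`fipsmodule_mod.cnf`, `temp.cnf`), and `temp.cnf` in particular is generic enough to collide with another recipe doing the same thing when the harness runs jobs in parallel; a collision would corrupt the FIPS config mid-test and fail nondeterministically. The file already imports `File::Temp qw(tempfile)` and uses it for `$tmpfilename`, so the same mechanism can name these two, e.g. `(undef, $provconfnew) = tempfile(DIR => bldtop_dir("test"), SUFFIX => ".cnf");`, keeping the basename for the `.include` substitution via `basename()`. Replacing the previous conditional plan with a flat `plan tests => 3` plus `skip ... 2 if $no_fips` is fine, but a comment stating that the three tests are "default provider, fips provider, fips provider with EMS check" would save the reader from counting.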
@@ -39,16 +47,97 @@ ok(run(test(["sslapitest", srctop_dir("test", "certs"), "dhparams.pem")])), "running sslapitest"); -unless ($no_fips) { +SKIP: { + skip "Skipping FIPS tests", 2 + if $no_fips; + ok(run(test(["sslapitest", srctop_dir("test", "certs"), srctop_file("test", "recipes", "90-test_sslapi_data", "passwd.txt"), $tmpfilename, "fips", - srctop_file("test", "fips-and-base.cnf"), + $provconf, srctop_file("test", "recipes", "90-test_sslapi_data", "dhparams.pem")])), "running sslapitest"); + + run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]), + capture => 1, statusvar => \my $exit); + + skip "FIPS provider version is too old for TLS_PRF EMS option test", 1 + if !$exit; + + # Read in a text $infile and replace the regular expression in $srch with the + # value in $repl and output to a new file $outfile. + sub replace_line_file_internal { + + my ($infile, $srch, $repl, $outfile) = @_; + my $msg; + + open(my $in, "<", $infile) or return 0; + read($in, $msg, 1024); + close $in; + + $msg =~ s/$srch/$repl/; + + open(my $fh, ">", $outfile) or return 0; + print $fh $msg; + close $fh; + return 1; + } + + # Read in the text input file $infile + # and replace a single Key = Value line with a new value in $value. + # OR remove the Key = Value line if the passed in $value is empty. + # and then output a new file $outfile. + # $key is the Key to find + sub replace_kv_file { + my ($infile, $key, $value, $outfile) = @_; + my $srch = qr/$key\s*=\s*\S*\n/; + my $rep; + if ($value eq "") { + $rep = ""; + } else { + $rep = "$key = $value\n"; + } + return replace_line_file_internal($infile, $srch, $rep, $outfile); + } + + # Read in the text $input file + # and search for the $key and replace with $newkey + # and then output a new file $outfile. 
+ sub replace_line_file { + my ($infile, $key, $newkey, $outfile) = @_; + my $srch = qr/$key/; + my $rep = "$newkey"; + return replace_line_file_internal($infile, + $srch, $rep, $outfile); + } + + # In order to enable the tls1-prf-ems-check=1 in a fips config file + # copy the existing fipsmodule.cnf and modify it. + # Then copy fips-and-base.cfg to make a file that includes the changed file + # NOTE that this just runs test_no_ems() to check that the connection + # fails if ems is not used and the fips check is enabled. + ok(replace_kv_file($fipsmodcfg, + 'tls1-prf-ems-check', '1', + $fipsmodcfgnew) + && replace_line_file($provconf, + $fipsmodcfg_filename, $fipsmodcfgnew_filename, + $provconfnew) + && run(test(["sslapitest", srctop_dir("test", "certs"), + srctop_file("test", "recipes", "90-test_sslapi_data", + "passwd.txt"), + $tmpfilename, "fips", + $provconfnew, + srctop_file("test", + "recipes", + "90-test_sslapi_data", + "dhparams.pem")])), + "running sslapitest"); + + unlink $fipsmodcfgnew; + unlink $provconfnew; } unlink $tmpfilename; diff --git a/test/recipes/90-test_threads.t b/test/recipes/90-test_threads.t index d373fcbd1..f90225161 100644 --- a/test/recipes/90-test_threads.t +++ b/test/recipes/90-test_threads.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -34,7 +34,7 @@ if ($no_fips) { } # Merge the configuration files into one filtering the contents so the failure -# condition is reproducable. A working FIPS configuration without the install +# condition is reproducible. A working FIPS configuration without the install # status is required. open CFGBASE, '<', $config_path; 
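Review bot: `replace_line_file_internal` reads at most 1024 bytes (`read($in, $msg, 1024)`), so a `fipsmodule.cnf` or `fips-and-base.cnf` larger than that is silently truncated in the copy, and it never checks whether the substitution matched, so if `tls1-prf-ems-check` is absent from the generated config the test runs against an unmodified copy and passes vacuously (the `fips_ems_check` branch in sslapitest is never exercised). Slurping the whole file and failing when nothing was replaced closes both holes: `local $/; my $msg = <$in>;` and `return 0 unless $msg =~ s/$srch/$repl/;`. The `$key` interpolated into `qr/$key/` in `replace_line_file` is not `quotemeta`'d, so the `.` in `fipsmodule.cnf` matches any character; harmless today but worth `\Q$key\E`. A comment on why the EMS-check run is gated on `fips_version_test ... ">=3.1.0"` (the option presumably did not exist earlier) would also help.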
diff --git a/test/recipes/90-test_traceapi.t b/test/recipes/90-test_traceapi.t index a63bcf998..f2c64795d 100644 --- a/test/recipes/90-test_traceapi.t +++ b/test/recipes/90-test_traceapi.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/test/recipes/95-test_external_oqsprovider.t b/test/recipes/95-test_external_oqsprovider.t new file mode 100644 index 000000000..66b584f38 --- /dev/null +++ b/test/recipes/95-test_external_oqsprovider.t @@ -0,0 +1,28 @@ +#! /usr/bin/env perl +# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use OpenSSL::Test; +use OpenSSL::Test::Utils; +use OpenSSL::Test qw/:DEFAULT data_file bldtop_dir srctop_dir cmdstr/; + +setup("test_external_oqsprovider"); + +plan skip_all => "No external tests in this configuration" + if disabled("external-tests"); +plan skip_all => "oqsprovider tests not available on Windows or VMS" + if $^O =~ /^(VMS|MSWin32)$/; +plan skip_all => "oqsprovider tests only available in a shared build" + if disabled("shared"); +plan skip_all => "oqsprovider tests not supported in out of tree builds" + if bldtop_dir() ne srctop_dir(); + +plan tests => 1; + +ok(run(cmd(["sh", data_file("oqsprovider.sh")])), + "running oqsprovider tests"); diff --git a/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh b/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh new file mode 100755 index 000000000..23c1cb5f1 --- /dev/null 
+++ b/test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh 
@@ -0,0 +1,73 @@ +#!/bin/sh +# +# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# +# OpenSSL external testing using the OQS provider +# +set -e + +PWD="$(pwd)" + +SRCTOP="$(cd $SRCTOP; pwd)" +BLDTOP="$(cd $BLDTOP; pwd)" + +if [ "$SRCTOP" != "$BLDTOP" ] ; then + echo "Out of tree builds not supported with oqsprovider test!" + exit 1 +fi + +O_EXE="$BLDTOP/apps" +O_BINC="$BLDTOP/include" +O_SINC="$SRCTOP/include" +O_LIB="$BLDTOP" + +unset OPENSSL_CONF + +export PATH="$O_EXE:$PATH" +export LD_LIBRARY_PATH="$O_LIB:$LD_LIBRARY_PATH" +export OPENSSL_ROOT_DIR="$O_LIB" + +# Check/Set openssl version +OPENSSL_VERSION=`openssl version | cut -f 2 -d ' '` + +echo "------------------------------------------------------------------" +echo "Testing OpenSSL using oqsprovider:" +echo " CWD: $PWD" +echo " SRCTOP: $SRCTOP" +echo " BLDTOP: $BLDTOP" +echo " OPENSSL_ROOT_DIR: $OPENSSL_ROOT_DIR" +echo " OpenSSL version: $OPENSSL_VERSION" +echo "------------------------------------------------------------------" + +if [ ! -d $SRCTOP/oqs-provider/oqs ]; then +# disable rainbow family by default; all further config options listed at +# https://github.com/open-quantum-safe/liboqs/wiki/Customizing-liboqs +( + cd $SRCTOP/oqs-provider \ + && git clone --depth 1 --branch 0.7.2 https://github.com/open-quantum-safe/liboqs.git \ + && cd liboqs \ + && mkdir build \ + && cd build \ + && cmake -DOQS_ENABLE_SIG_RAINBOW=OFF -DCMAKE_INSTALL_PREFIX=$SRCTOP/oqs-provider/oqs .. 
\ + && make \ + && make install + ) +fi + +echo " CWD: $PWD" +cmake $SRCTOP/oqs-provider -DCMAKE_INCLUDE_PATH=$SRCTOP/oqs-provider/oqs -DCMAKE_PREFIX_PATH=$SRCTOP/oqs-provider/oqs -DOPENSSL_ROOT_DIR="$OPENSSL_ROOT_DIR" -DOPENSSL_BLDTOP=$BLDTOP -B _build && cmake --build _build +export CTEST_OUTPUT_ON_FAILURE=1 +export HARNESS_OSSL_PREFIX='' +export OPENSSL_APP="$O_EXE/openssl" +if [ -z "$OQS_SKIP_TESTS" ]; then + export OQS_SKIP_TESTS="rainbow,111" +fi +export OPENSSL_MODULES=$PWD/_build/oqsprov +export OQS_PROVIDER_TESTSCRIPTS=$SRCTOP/oqs-provider +$SRCTOP/oqs-provider/scripts/runtests.sh diff --git a/test/recipes/95-test_external_tlsfuzzer.t b/test/recipes/95-test_external_tlsfuzzer.t new file mode 100644 index 000000000..6e72d0218 --- /dev/null +++ b/test/recipes/95-test_external_tlsfuzzer.t @@ -0,0 +1,28 @@ +#! /usr/bin/env perl +# Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use OpenSSL::Test; +use OpenSSL::Test::Utils; +use OpenSSL::Test qw/:DEFAULT data_file data_dir bldtop_dir srctop_dir cmdstr/; +use Cwd qw(abs_path); + +setup("test_external_tlsfuzzer"); + +plan skip_all => "No external tests in this configuration" + if disabled("external-tests"); +plan skip_all => "TLSFuzzer tests not available on Windows or VMS" + if $^O =~ /^(VMS|MSWin32)$/; +plan skip_all => "TLSFuzzer is not properly checked out" + unless (-d srctop_dir("tlsfuzzer") && -d srctop_dir("tlsfuzzer", "tests")); + +$ENV{TESTDATADIR} = abs_path(data_dir()); +plan tests => 1; + +ok(run(cmd(["sh", data_file("tls-fuzzer-cert.sh")])), + "running TLSFuzzer tests"); 
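Review bot: The liboqs dependency is fetched at test time with `git clone --depth 1 --branch 0.7.2`, i.e. pinned to a mutable tag with no integrity check, and the result is compiled and then loaded into the OpenSSL process as a provider; anyone able to move that tag (or MITM the fetch on a CI runner without strict TLS) controls code executed by the test run. Pin to a full commit hash and fetch that commit instead, or make liboqs a submodule alongside oqs-provider so the revision is recorded in this repository. Paths such as `$SRCTOP/oqs-provider/oqs` are also used unquoted in `cd`, `[ ! -d ... ]` and `-DCMAKE_INSTALL_PREFIX=`, and the script overwrites the shell-maintained `PWD` variable; both are worth tidying while the clone is reworked.
```shell
LIBOQS_REPO="https://github.com/open-quantum-safe/liboqs.git"
LIBOQS_COMMIT=""   # full 40-char SHA the 0.7.2 tag resolves to; fill in and bump deliberately
if [ ! -d "$SRCTOP/oqs-provider/oqs" ]; then
    (
        cd "$SRCTOP/oqs-provider" \
        && git init -q liboqs \
        && cd liboqs \
        && git fetch --depth 1 "$LIBOQS_REPO" "$LIBOQS_COMMIT" \
        && git checkout -q --detach FETCH_HEAD \
        && mkdir build && cd build \
        && cmake -DOQS_ENABLE_SIG_RAINBOW=OFF \
                 -DCMAKE_INSTALL_PREFIX="$SRCTOP/oqs-provider/oqs" .. \
        && make && make install
    )
fi
# … unchanged: oqs-provider cmake build, test environment exports, runtests.sh …
```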
diff --git a/test/recipes/95-test_external_tlsfuzzer_data/cert.json.in b/test/recipes/95-test_external_tlsfuzzer_data/cert.json.in new file mode 100644 index 000000000..febc9bace --- /dev/null +++ b/test/recipes/95-test_external_tlsfuzzer_data/cert.json.in @@ -0,0 +1,38 @@ +[ + {"server_command": ["@SERVER@", "s_server", "-www", + "-key", "tests/serverX509Key.pem", + "-cert", "tests/serverX509Cert.pem", + "-verify", "1", "-CAfile", "tests/clientX509Cert.pem"], + "comment": "Use ANY certificate just to ensure that server tries to authorise a client", + "environment": {"PYTHONPATH" : "."}, + "server_hostname": "localhost", + "server_port": @PORT@, + "tests" : [ + {"name" : "test-tls13-certificate-verify.py", + "arguments" : ["-k", "tests/clientX509Key.pem", + "-c", "tests/clientX509Cert.pem", + "-s", "ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 ed25519 ed448 rsa_pss_pss_sha256 rsa_pss_pss_sha384 rsa_pss_pss_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_sha224 rsa_pkcs1_sha224", + "-p", "@PORT@"]}, + {"name" : "test-tls13-ecdsa-in-certificate-verify.py", + "arguments" : ["-k", "tests/serverECKey.pem", + "-c", "tests/serverECCert.pem", + "-s", "ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 ed25519 ed448 rsa_pss_pss_sha256 rsa_pss_pss_sha384 rsa_pss_pss_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_sha224 rsa_pkcs1_sha224", + "-p", "@PORT@"]} + ] + }, + {"server_command": ["@SERVER@", "s_server", "-www", + "-key", "tests/serverX509Key.pem", + "-cert", "tests/serverX509Cert.pem"], + "environment": {"PYTHONPATH" : "."}, + "server_hostname": "localhost", + "server_port": @PORT@, + "tests" : [ + {"name" : "test-tls13-conversation.py", + "arguments" : ["-p", "@PORT@"]}, + {"name" : "test-conversation.py", + "arguments" : ["-p", "@PORT@", + "-d"]} + ] + } + +] 
diff --git a/test/recipes/95-test_external_tlsfuzzer_data/tls-fuzzer-cert.sh b/test/recipes/95-test_external_tlsfuzzer_data/tls-fuzzer-cert.sh new file mode 100644 index 000000000..60bb8cffa --- /dev/null +++ b/test/recipes/95-test_external_tlsfuzzer_data/tls-fuzzer-cert.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +tls_fuzzer_prepare() { + +sed -e "s|@SERVER@|$SERV|g" -e "s/@PORT@/$PORT/g" -e "s/@PRIORITY@/$PRIORITY/g" ${TESTDATADIR}/cert.json.in >${TMPFILE} +} + +. "${TESTDATADIR}/tlsfuzzer.sh" + diff --git a/test/recipes/95-test_external_tlsfuzzer_data/tlsfuzzer.sh b/test/recipes/95-test_external_tlsfuzzer_data/tlsfuzzer.sh new file mode 100644 index 000000000..a9f781de3 --- /dev/null +++ b/test/recipes/95-test_external_tlsfuzzer_data/tlsfuzzer.sh 
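Review bot: `tls_fuzzer_prepare` substitutes `@PRIORITY@` from `$PRIORITY`, but nothing in this commit sets `PRIORITY` and `cert.json.in` contains no `@PRIORITY@` placeholder, so that `-e` is dead code copied from elsewhere and will confuse the next person adding a template; drop it or set the variable explicitly. `$SERV` is spliced into a `sed` expression with `|` as the delimiter, so a build path containing `|` (unlikely, but not checked) would break the substitution silently; `${TESTDATADIR}` and `${TMPFILE}` are at least quoted. The file has a `#!/bin/bash` shebang but is sourced from `tlsfuzzer.sh`, which the recipe launches via `sh`, so it must stay POSIX-compatible; a comment to that effect would prevent bashisms creeping in.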
@@ -0,0 +1,73 @@ +#!/bin/bash +# +# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# +# OpenSSL external testing using the TLSFuzzer test suite +# +set -e + +PWD="$(pwd)" + +SRCTOP="$(cd $SRCTOP; pwd)" +BLDTOP="$(cd $BLDTOP; pwd)" + +if [ "$SRCTOP" != "$BLDTOP" ] ; then + echo "Out of tree builds not supported with TLSFuzzer test!" + exit 1 +fi + +O_EXE="$BLDTOP/apps" +O_BINC="$BLDTOP/include" +O_SINC="$SRCTOP/include" +O_LIB="$BLDTOP" + +export PATH="$O_EXE:$PATH" +export LD_LIBRARY_PATH="$O_LIB:$LD_LIBRARY_PATH" +export OPENSSL_ROOT_DIR="$O_LIB" + +# Check/Set openssl version +OPENSSL_VERSION=`openssl version | cut -f 2 -d ' '` + +CLI="${O_EXE}/openssl" +SERV="${O_EXE}/openssl" + +TMPFILE="${PWD}/tls-fuzzer.$$.tmp" +PSKFILE="${PWD}/tls-fuzzer.psk.$$.tmp" + +PYTHON=`which python` +PORT=4433 + +echo "------------------------------------------------------------------" +echo "Testing OpenSSL using TLSFuzzer:" +echo " CWD: $PWD" +echo " SRCTOP: $SRCTOP" +echo " BLDTOP: $BLDTOP" +echo " OPENSSL_ROOT_DIR: $OPENSSL_ROOT_DIR" +echo " Python: $PYTHON" +echo " TESTDATADIR: $TESTDATADIR" +echo "------------------------------------------------------------------" + +cd "${SRCTOP}/tlsfuzzer" + +test -L ecdsa || ln -s ../python-ecdsa/src/ecdsa ecdsa +test -L tlslite || ln -s ../tlslite-ng/tlslite tlslite 2>/dev/null + +retval=0 + +tls_fuzzer_prepare + +PYTHONPATH=. "${PYTHON}" tests/scripts_retention.py ${TMPFILE} ${SERV} 821 +retval=$? + +rm -f ${TMPFILE} +[ -f "${PSKFILE}" ] && rm -f ${PSKFILE} + +cd $PWD + +exit $retval diff --git a/test/secmemtest.c b/test/secmemtest.c index d0f9ba2e9..588f31ae6 100644 --- a/test/secmemtest.c +++ b/test/secmemtest.c 
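Review bot: With `set -e` in force, a non-zero exit from `scripts_retention.py` terminates the script immediately, so the following `retval=$?`, the `rm -f ${TMPFILE}` cleanup and the final `exit $retval` never run on the failure path that they exist for; `tls-fuzzer.<pid>.tmp` is then left in the working directory. Either capture the status inline, `PYTHONPATH=. "${PYTHON}" tests/scripts_retention.py "${TMPFILE}" "${SERV}" 821 || retval=$?`, or drop `set -e` for that section. `PORT=4433` is a fixed port, so two harness jobs (or a developer's own `s_server`) running at once will collide and fail nondeterministically; consider choosing a free port or documenting the constraint. `PYTHON=\`which python\`` will be empty on distributions that only ship `python3`, and `cd $PWD` at the end is a no-op since the script exits next.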
@@ -1,5 +1,5 @@ /* - * Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -10,7 +10,7 @@ #include #include "testutil.h" -#include "../e_os.h" +#include "internal/e_os.h" static int test_sec_mem(void) { diff --git a/test/smime-certs/mksmime-certs.sh b/test/smime-certs/mksmime-certs.sh index 76766a763..bc9ec9bea 100644 --- a/test/smime-certs/mksmime-certs.sh +++ b/test/smime-certs/mksmime-certs.sh @@ -34,6 +34,11 @@ CN="Test S/MIME EE RSA #3" $OPENSSL req -config ca.cnf -noenc \ $OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa3.pem +CN="Test S/MIME EE RSA 1024" $OPENSSL req -config ca.cnf -noenc \ + -keyout smrsa1024.pem -out req.pem -newkey rsa:1024 +$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \ + -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1024.pem + # Create DSA parameters $OPENSSL dsaparam -out dsap.pem 2048 diff --git a/test/smime-certs/smrsa1024.pem b/test/smime-certs/smrsa1024.pem new file mode 100644 index 000000000..aa58e6463 --- /dev/null +++ b/test/smime-certs/smrsa1024.pem 
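Review bot: The new `smrsa1024.pem` is generated with `-newkey rsa:1024`, a deliberately weak key whose only purpose (per the new CMS tests) is to make the RSA-PSS salt length clamp below the SHA-512 digest size, but nothing in the script says so; a well-meaning cleanup that bumps every key to 2048 would silently turn that test into a duplicate of the 32-byte case. A comment above the block, `# Deliberately weak 1024-bit key: used only to exercise rsa_pss_saltlen:auto-digestmax clamping (max salt 62 < SHA-512 output)`, records the intent. The `-days 36500` lifetime matches the neighbouring test certificates, so that part is consistent.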
@@ -0,0 +1,34 @@ +-----BEGIN PRIVATE KEY----- +MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAKuDWQObVMeON25c +MY1YprdkKdZhyJ3zisFHyJ1jmXQ13aMqaBlNYzx9ECAGQTSw2De6tsJF0jpX3IHO +X7OcZyhg8XkBdFJvJ2RsYwyghcWLvoAznCt/Pqi3m2HRgc+6FCHmh5wjK7McZ9sH +uGGbnh+5GJzuFmcitcwlVM8d1ctZAgMBAAECgYBL04ARFiU/LGLZSa0mnmDmh0Pv +4b8+BaP8m23YF2aKeB4Kuv7W4N3Uqj3sypcdYmnVCZku/otY++sjAEhTMfxwpexf +JtKKfdZiE1QYQRSZROVIayTePPKsROzb4cSeB42MbNawpc5EgVazJ1dNHAjp/nQ2 +r6G7QusGW/Xiu26qWQJBAN/Yd4easmM/AdE9YpnfIWMH83SP/qyyOeaTg9fmLSlo +gVSvoUvZqgmsA7uRPYcmDK0mFHvUTftEFuMypo5/WocCQQDEJnGkGq2h1q35uIyg +8lvD7i8oJLU6BaCrhdqzSmKu0iZ1pgdG8K7dukydb3/wlDlc7owEaVZy97IxSnE2 +I8MfAkBeWffICMS4YI57i8xL32lLPMa5kxhd4qHVNsiT8EmI8qvQ7lamihDKEt9f +6FBu7vLY6PwpVcuo5YJgMbFSzwtxAkBlcAws9a79luv5zLrNMQjL1o2EkRc3nlls +2pgzSDCof/1rsiTpRubnu8SLVnIvlDfmG2dFkMQoSHhajUjm2q+5AkBDqdYuYcC5 +A+DhYRjOvFtJLvH24hpozePDEbhaZ/n9/KifGay/DM4orsP+i8MAK0tDItOcBx8q ++trNS22a/OeZ +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIC9DCCAdygAwIBAgIUM31BmU3N68LYuXEBXyetpxj6VaAwDQYJKoZIhvcNAQEL +BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV +BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMTIwNTEyNTUzOFoYDzIxMjIx +MTExMTI1NTM4WjBHMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91 +cDEgMB4GA1UEAwwXVGVzdCBTL01JTUUgRUUgUlNBIDEwMjQwgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBAKuDWQObVMeON25cMY1YprdkKdZhyJ3zisFHyJ1jmXQ1 +3aMqaBlNYzx9ECAGQTSw2De6tsJF0jpX3IHOX7OcZyhg8XkBdFJvJ2RsYwyghcWL +voAznCt/Pqi3m2HRgc+6FCHmh5wjK7McZ9sHuGGbnh+5GJzuFmcitcwlVM8d1ctZ +AgMBAAGjXTBbMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgXgMB0GA1UdDgQWBBS6 +gOltltAF44S/iXtMTCNb52A8GTAfBgNVHSMEGDAWgBQVwRMha+JVX6dqHVcg1s/z +qXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAcpJNhv+YHXKqq0gHb64a7s96Szl2sbFv +VNuFDq2jAfxsIfhBbSfmA1+ivYsJ9E5nYxZapyW6oWuET7oCoybGlZTJoEx4YmHm +3f9tuBJeFsbKvP4OJJAzRy3OUvrEjFrngiMPb/IoSiZOG6BC1LWPydLvDvBs614G +2RbWeFQRalgtaBB4y1X2ohIOZAbZaacCbCAs827t3l1HoEmVJw9NSwTml0P98xyu +icfUFiyrqHHt8JmbH+GuZngJfwmIJ0YtfwY6y0ABv7MXsRkpWeqtdSc1Zff+LrTl 
+289mzFFOn/8wOb7ojhW4MQiTznIudj7ArVKHATHG6v/G1b1zdyIRow== +-----END CERTIFICATE----- diff --git a/test/ssl-tests/20-cert-select.cnf b/test/ssl-tests/20-cert-select.cnf index 79dcd4c8f..819c72b5a 100644 --- a/test/ssl-tests/20-cert-select.cnf +++ b/test/ssl-tests/20-cert-select.cnf @@ -1119,11 +1119,11 @@ client = 34-Only RSA-PSS Certificate, TLS v1.1-client [34-Only RSA-PSS Certificate, TLS v1.1-server] Certificate = ${ENV::TEST_CERTS_DIR}/server-pss-cert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 PrivateKey = ${ENV::TEST_CERTS_DIR}/server-pss-key.pem [34-Only RSA-PSS Certificate, TLS v1.1-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 MaxProtocol = TLSv1.1 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer diff --git a/test/ssl-tests/20-cert-select.cnf.in b/test/ssl-tests/20-cert-select.cnf.in index 30cde592c..f0bc80886 100644 --- a/test/ssl-tests/20-cert-select.cnf.in +++ b/test/ssl-tests/20-cert-select.cnf.in @@ -585,9 +585,14 @@ my @tests_pss = ( my @tests_tls_1_1 = ( { name => "Only RSA-PSS Certificate, TLS v1.1", - server => $server_pss_only, + server => { + "CipherString" => "DEFAULT:\@SECLEVEL=0", + "Certificate" => test_pem("server-pss-cert.pem"), + "PrivateKey" => test_pem("server-pss-key.pem"), + }, client => { "MaxProtocol" => "TLSv1.1", + "CipherString" => "DEFAULT:\@SECLEVEL=0", }, test => { "ExpectedResult" => "ServerFail" diff --git a/test/ssl-tests/28-seclevel.cnf.in b/test/ssl-tests/28-seclevel.cnf.in index 945f4599d..a1d44a534 100644 --- a/test/ssl-tests/28-seclevel.cnf.in +++ b/test/ssl-tests/28-seclevel.cnf.in @@ -1,5 +1,5 @@ # -*- mode: perl; -*- -# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
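Review bot: In 20-cert-select.cnf.in the "Only RSA-PSS Certificate, TLS v1.1" server now inlines a copy of the PSS certificate/key settings instead of reusing `$server_pss_only`, so the two will drift apart if the shared definition changes; since `$server_pss_only` was previously passed as `server =>` it is a hash reference, and `server => { %$server_pss_only, "CipherString" => "DEFAULT:\@SECLEVEL=0" }` keeps one source of truth. More importantly, the reason for `@SECLEVEL=0` on both sides deserves a comment: the test expects `ServerFail` because the server has only a PSS certificate, and without lowering the level TLSv1.1 would itself be rejected and the test would pass for the wrong reason, e.g. `# SECLEVEL=0 so TLSv1.1 is permitted; the expected failure must come from the PSS-only cert, not the protocol`.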
@@ -36,7 +36,7 @@ our @tests_ec = ( { # The Ed448 signature algorithm will not be enabled. # Because of the config order, the certificate is first loaded, and - # then the security level is chaged. If you try this with s_server + # then the security level is changed. If you try this with s_server # the order will be reversed and it will instead fail to load the key. name => "SECLEVEL 5 server with ED448 key", server => { "CipherString" => "DEFAULT:\@SECLEVEL=5", @@ -48,7 +48,7 @@ our @tests_ec = ( }, { # The client will not sent the Ed448 signature algorithm, so the server - # doesn't have a useable signature algorithm for the certificate. + # doesn't have a usable signature algorithm for the certificate. name => "SECLEVEL 5 client with ED448 key", server => { "CipherString" => "DEFAULT:\@SECLEVEL=4", "Certificate" => test_pem("server-ed448-cert.pem"), diff --git a/test/ssl_cert_table_internal_test.c b/test/ssl_cert_table_internal_test.c index 1dc09c013..a6a6812c2 100644 --- a/test/ssl_cert_table_internal_test.c +++ b/test/ssl_cert_table_internal_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -35,7 +35,8 @@ static int do_test_cert_table(int nid, uint32_t amask, size_t idx, TEST_note("Expected %s, got %s\n", OBJ_nid2sn(nid), OBJ_nid2sn(clu->nid)); if (clu->amask != amask) - TEST_note("Expected auth mask 0x%x, got 0x%x\n", amask, clu->amask); + TEST_note("Expected auth mask 0x%x, got 0x%x\n", + (unsigned int)amask, (unsigned int)clu->amask); return 0; } diff --git a/test/ssl_old_test.c b/test/ssl_old_test.c index 91c8b5b7b..d09d5ab3a 100644 --- a/test/ssl_old_test.c +++ b/test/ssl_old_test.c 
@@ -9,7 +9,7 @@ * https://www.openssl.org/source/license.html */ -#include "e_os.h" +#include "internal/e_os.h" /* Or gethostname won't be declared properly on Linux and GNU platforms. */ #ifndef _BSD_SOURCE diff --git a/test/sslapitest.c b/test/sslapitest.c index 1f63212f9..77d260aa0 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -33,6 +33,7 @@ #include #include #include +#include #include "helpers/ssltestlib.h" #include "testutil.h" @@ -97,6 +98,7 @@ static char *tmpfilename = NULL; static char *dhfile = NULL; static int is_fips = 0; +static int fips_ems_check = 0; #define LOG_BUFFER_SIZE 2048 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0}; @@ -794,7 +796,7 @@ static int test_no_ems(void) { SSL_CTX *cctx = NULL, *sctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; - int testresult = 0; + int testresult = 0, status; if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, TLS1_2_VERSION, @@ -810,19 +812,25 @@ static int test_no_ems(void) goto end; } - if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) { - printf("Creating SSL connection failed\n"); - goto end; - } - - if (SSL_get_extms_support(serverssl)) { - printf("Server reports Extended Master Secret support\n"); - goto end; - } - - if (SSL_get_extms_support(clientssl)) { - printf("Client reports Extended Master Secret support\n"); - goto end; + status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); + if (fips_ems_check) { + if (status == 1) { + printf("When FIPS uses the EMS check a connection that doesnt use EMS should fail\n"); + goto end; + } + } else { + if (!status) { + printf("Creating SSL connection failed\n"); + goto end; + } + if (SSL_get_extms_support(serverssl)) { + printf("Server reports Extended Master Secret support\n"); + goto end; + } + if (SSL_get_extms_support(clientssl)) { + printf("Client reports Extended Master Secret support\n"); + goto end; + } } testresult = 1; 
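Review bot: In the new `fips_ems_check` branch of `test_no_ems`, any `status != 1` from `create_ssl_connection` counts as success, so a handshake that fails for an unrelated reason (bad DH params, certificate problem) would be reported as the EMS check working; the negative test should confirm the failure cause, for instance by checking the reason of the error left on the queue with `ERR_GET_REASON(ERR_peek_error())` against whatever reason the FIPS EMS check raises (not visible in this hunk). The new message also has a typo, `doesnt` → `doesn't`. How `fips_ems_check` gets set is outside this hunk; a comment at its declaration saying which config option (`tls1-prf-ems-check`) drives it would tie the two together. `test_no_ems` begins before this hunk's first line.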
@@ -852,7 +860,7 @@ static int test_ccs_change_cipher(void) size_t readbytes; /* - * Create a conection so we can resume and potentially (but not) use + * Create a connection so we can resume and potentially (but not) use * a different cipher in the second connection. */ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), 
@@ -10043,6 +10051,385 @@ static int test_load_dhfile(void) #endif } +#ifndef OSSL_NO_USABLE_TLS1_3 +/* Test that read_ahead works across a key change */ +static int test_read_ahead_key_change(void) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + char *msg = "Hello World"; + size_t written, readbytes; + char buf[80]; + int i; + + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_3_VERSION, 0, + &sctx, &cctx, cert, privkey))) + goto end; + + SSL_CTX_set_read_ahead(sctx, 1); + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, + &clientssl, NULL, NULL))) + goto end; + + if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) + goto end; + + /* Write some data, send a key update, write more data */ + if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written)) + || !TEST_size_t_eq(written, strlen(msg))) + goto end; + + if (!TEST_true(SSL_key_update(clientssl, SSL_KEY_UPDATE_NOT_REQUESTED))) + goto end; + + if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written)) + || !TEST_size_t_eq(written, strlen(msg))) + goto end; + + /* + * Since read_ahead is on the first read below should read the record with + * the first app data, the second record with the key update message, and + * the third record with the app data all in one go. 
We should be able to + * still process the read_ahead data correctly even though it crosses + * epochs + */ + for (i = 0; i < 2; i++) { + if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1, + &readbytes))) + goto end; + + buf[readbytes] = '\0'; + if (!TEST_str_eq(buf, msg)) + goto end; + } + + testresult = 1; + +end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + return testresult; +} + +static size_t record_pad_cb(SSL *s, int type, size_t len, void *arg) +{ + int *called = arg; + + switch ((*called)++) { + case 0: + /* Add some padding to first record */ + return 512; + case 1: + /* Maximally pad the second record */ + return SSL3_RT_MAX_PLAIN_LENGTH - len; + case 2: + /* + * Exceeding the maximum padding should be fine. It should just pad to + * the maximum anyway + */ + return SSL3_RT_MAX_PLAIN_LENGTH + 1 - len; + case 3: + /* + * Very large padding should also be ok. Should just pad to the maximum + * allowed + */ + return SIZE_MAX; + default: + return 0; + } +} + +/* + * Test that setting record padding in TLSv1.3 works as expected + * Test 0: Record padding callback on the SSL_CTX + * Test 1: Record padding callback on the SSL + * Test 2: Record block padding on the SSL_CTX + * Test 3: Record block padding on the SSL + */ +static int test_tls13_record_padding(int idx) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + char *msg = "Hello World"; + size_t written, readbytes; + char buf[80]; + int i; + int called = 0; + + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_3_VERSION, 0, + &sctx, &cctx, cert, privkey))) + goto end; + + if (idx == 0) { + SSL_CTX_set_record_padding_callback(cctx, record_pad_cb); + SSL_CTX_set_record_padding_callback_arg(cctx, &called); + if (!TEST_ptr_eq(SSL_CTX_get_record_padding_callback_arg(cctx), &called)) + goto end; + } else if (idx == 2) { + /* Exceeding the max plain length 
should fail */ + if (!TEST_false(SSL_CTX_set_block_padding(cctx, + SSL3_RT_MAX_PLAIN_LENGTH + 1))) + goto end; + if (!TEST_true(SSL_CTX_set_block_padding(cctx, 512))) + goto end; + } + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, + &clientssl, NULL, NULL))) + goto end; + + if (idx == 1) { + SSL_set_record_padding_callback(clientssl, record_pad_cb); + SSL_set_record_padding_callback_arg(clientssl, &called); + if (!TEST_ptr_eq(SSL_get_record_padding_callback_arg(clientssl), &called)) + goto end; + } else if (idx == 3) { + /* Exceeding the max plain length should fail */ + if (!TEST_false(SSL_set_block_padding(clientssl, + SSL3_RT_MAX_PLAIN_LENGTH + 1))) + goto end; + if (!TEST_true(SSL_set_block_padding(clientssl, 512))) + goto end; + } + + if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) + goto end; + + called = 0; + /* + * Write some data, then check we can read it. Do this four times to check + * we can continue to write and read padded data after the initial record + * padding has been added. We don't actually check that the padding has + * been applied to the record - just that we can continue to communicate + * normally and that the callback has been called (if appropriate). + */ + for (i = 0; i < 4; i++) { + if (!TEST_true(SSL_write_ex(clientssl, msg, strlen(msg), &written)) + || !TEST_size_t_eq(written, strlen(msg))) + goto end; + + if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf) - 1, + &readbytes)) + || !TEST_size_t_eq(written, readbytes)) + goto end; + + buf[readbytes] = '\0'; + if (!TEST_str_eq(buf, msg)) + goto end; + } + + if ((idx == 0 || idx == 1) && !TEST_int_eq(called, 4)) + goto end; + + testresult = 1; +end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + return testresult; +} +#endif /* OSSL_NO_USABLE_TLS1_3 */ + +#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) +/* + * Test TLSv1.2 with a pipeline capable cipher. 
TLSv1.3 and DTLS do not + * support this yet. The only pipeline capable cipher that we have is in the + * dasync engine (providers don't support this yet), so we have to use + * deprecated APIs for this test. + * + * Test 0: Client has pipelining enabled, server does not + * Test 1: Server has pipelining enabled, client does not + * Test 2: Client has pipelining enabled, server does not: not enough data to + * fill all the pipelines + * Test 3: Client has pipelining enabled, server does not: not enough data to + * fill all the pipelines by more than a full pipeline's worth + * Test 4: Client has pipelining enabled, server does not: more data than all + * the available pipelines can take + * Test 5: Client has pipelining enabled, server does not: Maximum size pipeline + */ +static int test_pipelining(int idx) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL, *peera, *peerb; + int testresult = 0, numreads; + /* A 55 byte message */ + unsigned char *msg = (unsigned char *) + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123"; + size_t written, readbytes, offset, msglen, fragsize = 10, numpipes = 5; + size_t expectedreads; + unsigned char *buf = NULL; + ENGINE *e; + + if (!TEST_ptr(e = ENGINE_by_id("dasync"))) + return 0; + + if (!TEST_true(ENGINE_init(e))) { + ENGINE_free(e); + return 0; + } + + if (!TEST_true(ENGINE_register_ciphers(e))) + goto end; + + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), 0, + TLS1_2_VERSION, &sctx, &cctx, cert, + privkey))) + goto end; + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, + &clientssl, NULL, NULL))) + goto end; + + if (!TEST_true(SSL_set_cipher_list(clientssl, "AES128-SHA"))) + goto end; + + /* peera is always configured for pipelining, while peerb is not. 
*/ + if (idx == 1) { + peera = serverssl; + peerb = clientssl; + + } else { + peera = clientssl; + peerb = serverssl; + } + + if (idx == 5) { + numpipes = 2; + /* Maximum allowed fragment size */ + fragsize = SSL3_RT_MAX_PLAIN_LENGTH; + msglen = fragsize * numpipes; + msg = OPENSSL_malloc(msglen); + if (!TEST_ptr(msg)) + goto end; + if (!TEST_int_gt(RAND_bytes_ex(libctx, msg, msglen, 0), 0)) + goto end; + } else if (idx == 4) { + msglen = 55; + } else { + msglen = 50; + } + if (idx == 2) + msglen -= 2; /* Send 2 less bytes */ + else if (idx == 3) + msglen -= 12; /* Send 12 less bytes */ + + buf = OPENSSL_malloc(msglen); + if (!TEST_ptr(buf)) + goto end; + + if (idx == 5) { + /* + * Test that setting a split send fragment longer than the maximum + * allowed fails + */ + if (!TEST_false(SSL_set_split_send_fragment(peera, fragsize + 1))) + goto end; + } + + /* + * In the normal case. We have 5 pipelines with 10 bytes per pipeline + * (50 bytes in total). This is a ridiculously small number of bytes - + * but sufficient for our purposes + */ + if (!TEST_true(SSL_set_max_pipelines(peera, numpipes)) + || !TEST_true(SSL_set_split_send_fragment(peera, fragsize))) + goto end; + + if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) + goto end; + + /* Write some data from peera to peerb */ + if (!TEST_true(SSL_write_ex(peera, msg, msglen, &written)) + || !TEST_size_t_eq(written, msglen)) + goto end; + + /* + * If the pipelining code worked, then we expect all |numpipes| pipelines to + * have been used - except in test 3 where only |numpipes - 1| pipelines + * will be used. This will result in |numpipes| records (|numpipes - 1| for + * test 3) having been sent to peerb. Since peerb is not using read_ahead we + * expect this to be read in |numpipes| or |numpipes - 1| separate + * SSL_read_ex calls. 
In the case of test 4, there is then one additional + * read for left over data that couldn't fit in the previous pipelines + */ + for (offset = 0, numreads = 0; + offset < msglen; + offset += readbytes, numreads++) { + if (!TEST_true(SSL_read_ex(peerb, buf + offset, + msglen - offset, &readbytes))) + goto end; + } + + expectedreads = idx == 4 ? numpipes + 1 + : (idx == 3 ? numpipes - 1 : numpipes); + if (!TEST_mem_eq(msg, msglen, buf, offset) + || !TEST_int_eq(numreads, expectedreads)) + goto end; + + /* + * Write some data from peerb to peera. We do this in up to |numpipes + 1| + * chunks to exercise the read pipelining code on peera. + */ + for (offset = 0; offset < msglen; offset += fragsize) { + size_t sendlen = msglen - offset; + + if (sendlen > fragsize) + sendlen = fragsize; + if (!TEST_true(SSL_write_ex(peerb, msg + offset, sendlen, &written)) + || !TEST_size_t_eq(written, sendlen)) + goto end; + } + + /* + * The data was written in |numpipes|, |numpipes - 1| or |numpipes + 1| + * separate chunks (depending on which test we are running). 
If the + * pipelining is working then we expect peera to read up to numpipes chunks + * and process them in parallel, giving back the complete result in a single + * call to SSL_read_ex + */ + if (!TEST_true(SSL_read_ex(peera, buf, msglen, &readbytes)) + || !TEST_size_t_le(readbytes, msglen)) + goto end; + + if (idx == 4) { + size_t readbytes2; + + if (!TEST_true(SSL_read_ex(peera, buf + readbytes, + msglen - readbytes, &readbytes2))) + goto end; + readbytes += readbytes2; + if (!TEST_size_t_le(readbytes, msglen)) + goto end; + } + + if (!TEST_mem_eq(msg, msglen, buf, readbytes)) + goto end; + + testresult = 1; +end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + ENGINE_unregister_ciphers(e); + ENGINE_finish(e); + ENGINE_free(e); + OPENSSL_free(buf); + if (idx == 5) + OPENSSL_free(msg); + return testresult; +} +#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) */ + OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n") int setup_tests(void) @@ -10089,9 +10476,24 @@ int setup_tests(void) && !TEST_false(OSSL_PROVIDER_available(libctx, "default"))) return 0; - if (strcmp(modulename, "fips") == 0) + if (strcmp(modulename, "fips") == 0) { + OSSL_PROVIDER *prov = NULL; + OSSL_PARAM params[2]; + is_fips = 1; + prov = OSSL_PROVIDER_load(libctx, "fips"); + if (prov != NULL) { + /* Query the fips provider to check if the check ems option is enabled */ + params[0] = + OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, + &fips_ems_check); + params[1] = OSSL_PARAM_construct_end(); + OSSL_PROVIDER_get_params(prov, params); + OSSL_PROVIDER_unload(prov); + } + } + /* * We add, but don't load the test "tls-provider". We'll load it when we * need it. 
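Review bot: test_pipelining's cleanup does `if (idx == 5) OPENSSL_free(msg);`, but `msg` is initialised to a cast string literal and is only replaced by the OPENSSL_malloc result after the engine and context setup succeed, so any `goto end` before that point in the idx == 5 case frees a string literal. Track the allocation separately: declare `unsigned char *allocmsg = NULL;`, assign with `msg = allocmsg = OPENSSL_malloc(msglen);`, and free `allocmsg` unconditionally at `end`. Separately, `TEST_ptr(e = ENGINE_by_id("dasync"))` turns an unavailable dasync engine into a failure rather than a skip; if the engine can legitimately be absent in some test environments a `TEST_skip` would be more appropriate, though that cannot be confirmed from the hunk. In the two TLSv1.3 tests `char *msg = "Hello World"` would conventionally be `const char *`.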
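Review bot: The return value of `OSSL_PROVIDER_get_params(prov, params)` is discarded and a NULL result from `OSSL_PROVIDER_load(libctx, "fips")` is silently accepted, so in both cases `fips_ems_check` stays 0 and the full suite runs as if the EMS check were disabled. If that fallback is intended, say so: `/* On any failure fips_ems_check stays 0 and the full suite is run. */`; if not, `if (!TEST_true(OSSL_PROVIDER_get_params(prov, params)))` with an unload on the error path would make a misconfigured FIPS module visible instead of surfacing later as unrelated handshake failures. setup_tests continues outside the hunk.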
@@ -10165,6 +10567,12 @@ int setup_tests(void) if (privkey8192 == NULL) goto err; + if (fips_ems_check) { +#ifndef OPENSSL_NO_TLS1_2 + ADD_TEST(test_no_ems); +#endif + return 1; + } #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK) # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4); @@ -10308,8 +10716,15 @@ int setup_tests(void) ADD_TEST(test_set_verify_cert_store_ssl); ADD_ALL_TESTS(test_session_timeout, 1); ADD_TEST(test_load_dhfile); +#ifndef OSSL_NO_USABLE_TLS1_3 + ADD_TEST(test_read_ahead_key_change); + ADD_ALL_TESTS(test_tls13_record_padding, 4); +#endif #if !defined(OPENSSL_NO_TLS1_2) && !defined(OSSL_NO_USABLE_TLS1_3) ADD_ALL_TESTS(test_serverinfo_custom, 4); +#endif +#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_DYNAMIC_ENGINE) + ADD_ALL_TESTS(test_pipelining, 6); #endif return 1; diff --git a/test/testutil/format_output.c b/test/testutil/format_output.c index e101a7ece..b0f17dfe3 100644 --- a/test/testutil/format_output.c +++ b/test/testutil/format_output.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -13,7 +13,6 @@ #include #include -#include "internal/nelem.h" /* The size of memory buffers to display on failure */ #define MEM_BUFFER_SIZE (2000) diff --git a/test/testutil/tests.c b/test/testutil/tests.c index ef7e224cd..32bf2b2b9 100644 --- a/test/testutil/tests.c +++ b/test/testutil/tests.c @@ -1,5 +1,5 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
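Review bot: The new `if (fips_ems_check)` block in setup_tests returns after registering only test_no_ems, and with OPENSSL_NO_TLS1_2 it returns 1 having registered nothing, yet neither outcome is explained. A comment would help the next reader, e.g. `/* With the FIPS EMS check enforced, TLSv1.2 handshakes without EMS fail by design (see test_no_ems); run only the test that expects that. */` — the rationale is inferred from the message test_no_ems prints and should be confirmed. setup_tests begins and ends outside this hunk.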
@@ -14,7 +14,6 @@ #include #include #include -#include "internal/nelem.h" #include /* diff --git a/test/threadstest.c b/test/threadstest.c index 289565c14..c4e86465e 100644 --- a/test/threadstest.c +++ b/test/threadstest.c @@ -7,8 +7,13 @@ * https://www.openssl.org/source/license.html */ -/* test_multi below tests the thread safety of a deprecated function */ -#define OPENSSL_SUPPRESS_DEPRECATED +/* + * The test_multi_downgrade_shared_pkey function tests the thread safety of a + * deprecated function. + */ +#ifndef OPENSSL_NO_DEPRECATED_3_0 +# define OPENSSL_SUPPRESS_DEPRECATED +#endif #if defined(_WIN32) # include @@ -18,7 +23,9 @@ #include #include #include -#include +#include +#include "internal/tsan_assist.h" +#include "internal/nelem.h" #include "testutil.h" #include "threadstest.h" @@ -32,7 +39,22 @@ static int do_fips = 0; static char *privkey; static char *config_file = NULL; static int multidefault_run = 0; + static const char *default_provider[] = { "default", NULL }; +static const char *fips_provider[] = { "fips", NULL }; +static const char *fips_and_default_providers[] = { "default", "fips", NULL }; + +/* Grab a globally unique integer value */ +static int get_new_uid(void) +{ + /* + * Start with a nice large number to avoid potential conflicts when + * we generate a new OID. + */ + static TSAN_QUALIFIER int current_uid = 1 << (sizeof(int) * 8 - 2); + + return tsan_counter(¤t_uid); +} static int test_lock(void) { @@ -432,21 +454,6 @@ static void thread_shared_evp_pkey(void) multi_success = 0; } -static void thread_downgrade_shared_evp_pkey(void) -{ -#ifndef OPENSSL_NO_DEPRECATED_3_0 - /* - * This test is only relevant for deprecated functions that perform - * downgrading - */ - if (EVP_PKEY_get0_RSA(shared_evp_pkey) == NULL) - multi_success = 0; -#else - /* Shouldn't ever get here */ - multi_success = 0; -#endif -} - static void thread_provider_load_unload(void) { OSSL_PROVIDER *deflt = OSSL_PROVIDER_load(multi_libctx, "default"); 
@@ -458,107 +465,99 @@ static void thread_provider_load_unload(void) OSSL_PROVIDER_unload(deflt); } -/* - * Do work in multiple worker threads at the same time. - * Test 0: General worker, using the default provider - * Test 1: General worker, using the fips provider - * Test 2: Simple fetch worker - * Test 3: Worker downgrading a shared EVP_PKEY - * Test 4: Worker using a shared EVP_PKEY - * Test 5: Worker loading and unloading a provider - */ -static int test_multi(int idx) +static int test_multi_general_worker_default_provider(void) { - thread_t thread1, thread2; - int testresult = 0; - OSSL_PROVIDER *prov = NULL, *prov2 = NULL; - void (*worker)(void) = NULL; - void (*worker2)(void) = NULL; - EVP_MD *sha256 = NULL; + return thread_run_test(&thread_general_worker, 2, &thread_general_worker, + 1, default_provider); +} - if (idx == 1 && !do_fips) +static int test_multi_general_worker_fips_provider(void) +{ + if (!do_fips) return TEST_skip("FIPS not supported"); + return thread_run_test(&thread_general_worker, 2, &thread_general_worker, + 1, fips_provider); +} -#ifdef OPENSSL_NO_DEPRECATED_3_0 - if (idx == 3) - return TEST_skip("Skipping tests for deprected functions"); -#endif +static int test_multi_fetch_worker(void) +{ + return thread_run_test(&thread_multi_simple_fetch, + 2, &thread_multi_simple_fetch, 1, default_provider); +} - multi_success = 1; - if (!TEST_true(test_get_libctx(&multi_libctx, NULL, config_file, - NULL, NULL))) - return 0; +static int test_multi_shared_pkey_common(void (*worker)(void)) +{ + int testresult = 0; - prov = OSSL_PROVIDER_load(multi_libctx, (idx == 1) ? "fips" : "default"); - if (!TEST_ptr(prov)) + multi_intialise(); + if (!thread_setup_libctx(1, do_fips ? 
fips_and_default_providers + : default_provider) + || !TEST_ptr(shared_evp_pkey = load_pkey_pem(privkey, multi_libctx)) + || !start_threads(1, &thread_shared_evp_pkey) + || !start_threads(1, worker)) goto err; - switch (idx) { - case 0: - case 1: - worker = thread_general_worker; - break; - case 2: - worker = thread_multi_simple_fetch; - break; - case 3: - worker2 = thread_downgrade_shared_evp_pkey; - /* fall through */ - case 4: - /* - * If available we have both the default and fips providers for this - * test - */ - if (do_fips - && !TEST_ptr(prov2 = OSSL_PROVIDER_load(multi_libctx, "fips"))) - goto err; - if (!TEST_ptr(shared_evp_pkey = load_pkey_pem(privkey, multi_libctx))) - goto err; - worker = thread_shared_evp_pkey; - break; - case 5: - /* - * We ensure we get an md from the default provider, and then unload the - * provider. This ensures the provider remains around but in a - * deactivated state. - */ - sha256 = EVP_MD_fetch(multi_libctx, "SHA2-256", NULL); - OSSL_PROVIDER_unload(prov); - prov = NULL; - worker = thread_provider_load_unload; - break; - default: - TEST_error("Invalid test index"); - goto err; - } - if (worker2 == NULL) - worker2 = worker; + thread_shared_evp_pkey(); - if (!TEST_true(run_thread(&thread1, worker)) - || !TEST_true(run_thread(&thread2, worker2))) + if (!teardown_threads() + || !TEST_true(multi_success)) goto err; - - worker(); - testresult = 1; + err: + EVP_PKEY_free(shared_evp_pkey); + thead_teardown_libctx(); + return testresult; +} + +#ifndef OPENSSL_NO_DEPRECATED_3_0 +static void thread_downgrade_shared_evp_pkey(void) +{ /* - * Don't combine these into one if statement; must wait for both threads. 
+ * This test is only relevant for deprecated functions that perform + * downgrading */ - if (!TEST_true(wait_for_thread(thread1))) - testresult = 0; - if (!TEST_true(wait_for_thread(thread2))) - testresult = 0; - if (!TEST_true(multi_success)) - testresult = 0; + if (EVP_PKEY_get0_RSA(shared_evp_pkey) == NULL) + multi_success = 0; +} + +static int test_multi_downgrade_shared_pkey(void) +{ + return test_multi_shared_pkey_common(&thread_downgrade_shared_evp_pkey); +} +#endif + +static int test_multi_shared_pkey(void) +{ + return test_multi_shared_pkey_common(&thread_shared_evp_pkey); +} + +static int test_multi_load_unload_provider(void) +{ + EVP_MD *sha256 = NULL; + OSSL_PROVIDER *prov = NULL; + int testresult = 0; + multi_intialise(); + if (!thread_setup_libctx(1, NULL) + || !TEST_ptr(prov = OSSL_PROVIDER_load(multi_libctx, "default")) + || !TEST_ptr(sha256 = EVP_MD_fetch(multi_libctx, "SHA2-256", NULL)) + || !TEST_true(OSSL_PROVIDER_unload(prov))) + goto err; + prov = NULL; + + if (!start_threads(2, &thread_provider_load_unload)) + goto err; + + thread_provider_load_unload(); + + if (!teardown_threads() + || !TEST_true(multi_success)) + goto err; + testresult = 1; err: - EVP_MD_free(sha256); OSSL_PROVIDER_unload(prov); - OSSL_PROVIDER_unload(prov2); - OSSL_LIB_CTX_free(multi_libctx); - EVP_PKEY_free(shared_evp_pkey); - shared_evp_pkey = NULL; - multi_libctx = NULL; + EVP_MD_free(sha256); + thead_teardown_libctx(); return testresult; } @@ -580,10 +579,6 @@ static void test_multi_load_worker(void) static int test_multi_default(void) { - thread_t thread1, thread2; - int testresult = 0; - OSSL_PROVIDER *prov = NULL; - /* Avoid running this test twice */ if (multidefault_run) { TEST_skip("multi default test already run"); 
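Review bot: test_multi_shared_pkey_common frees `shared_evp_pkey` at `err` but no longer resets it to NULL, which the replaced test_multi code did; `shared_evp_pkey` is a file-static shared by test_multi_shared_pkey and test_multi_downgrade_shared_pkey, so if `thread_setup_libctx` fails in the second of those, the `goto err` frees the pointer the first already freed (the `load_pkey_pem` assignment only overwrites it when setup gets that far). Add `shared_evp_pkey = NULL;` after the `EVP_PKEY_free`. Also, when the second `start_threads` call fails the first worker is already running against the key and `teardown_threads` is skipped before the free; whether `thead_teardown_libctx` joins threads is not visible here, so a `teardown_threads()` on the error path may be needed. The helper names `multi_intialise` and `thead_teardown_libctx` carry typos but are defined outside this hunk.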
@@ -591,34 +586,13 @@ static int test_multi_default(void) } multidefault_run = 1; - multi_success = 1; - multi_libctx = NULL; - prov = OSSL_PROVIDER_load(multi_libctx, "default"); - if (!TEST_ptr(prov)) - goto err; - - if (!TEST_true(run_thread(&thread1, thread_multi_simple_fetch)) - || !TEST_true(run_thread(&thread2, thread_multi_simple_fetch))) - goto err; - - thread_multi_simple_fetch(); - - if (!TEST_true(wait_for_thread(thread1)) - || !TEST_true(wait_for_thread(thread2)) - || !TEST_true(multi_success)) - goto err; - - testresult = 1; - - err: - OSSL_PROVIDER_unload(prov); - return testresult; + return thread_run_test(&thread_multi_simple_fetch, + 2, &thread_multi_simple_fetch, 0, default_provider); } static int test_multi_load(void) { - thread_t threads[MULTI_LOAD_THREADS]; - int i, res = 1; + int res = 1; OSSL_PROVIDER *prov; /* The multidefault test must run prior to this test */ @@ -640,14 +614,29 @@ static int test_multi_load(void) } OSSL_PROVIDER_unload(prov); - multi_success = 1; - for (i = 0; i < MULTI_LOAD_THREADS; i++) - (void)TEST_true(run_thread(&threads[i], test_multi_load_worker)); + return thread_run_test(NULL, MULTI_LOAD_THREADS, &test_multi_load_worker, + 0, NULL) && res; +} - for (i = 0; i < MULTI_LOAD_THREADS; i++) - (void)TEST_true(wait_for_thread(threads[i])); +static void test_obj_create_one(void) +{ + char tids[12], oid[40], sn[30], ln[30]; + int id = get_new_uid(); + + BIO_snprintf(tids, sizeof(tids), "%d", id); + BIO_snprintf(oid, sizeof(oid), "1.3.6.1.4.1.16604.%s", tids); + BIO_snprintf(sn, sizeof(sn), "short-name-%s", tids); + BIO_snprintf(ln, sizeof(ln), "long-name-%s", tids); + if (!TEST_true(id = OBJ_create(oid, sn, ln)) + || !TEST_true(OBJ_add_sigid(id, NID_sha3_256, NID_rsa))) + multi_success = 0; +} - return res && multi_success; +static int test_obj_add(void) +{ + return thread_run_test(&test_obj_create_one, + MAXIMUM_THREADS, &test_obj_create_one, + 1, default_provider); } static void test_lib_ctx_load_config_worker(void) 
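Review bot: In test_obj_create_one the assignment inside `TEST_true(id = OBJ_create(oid, sn, ln))` relies on the failure value NID_undef being 0 and hides the assignment in a macro argument; `if (!TEST_int_ne(id = OBJ_create(oid, sn, ln), NID_undef) || ...)` states the contract and prints the actual value on failure. The detour through `tids` is unnecessary: `BIO_snprintf(oid, sizeof(oid), "1.3.6.1.4.1.16604.%d", id);` and likewise for `sn`/`ln`; the buffer sizes are sufficient for a positive int with these prefixes. In test_multi_load the `&& res` after `thread_run_test` means `res` is only consulted when the threaded run succeeds, which looks intended but deserves a one-line comment since `res` is presumably modified in the part of the function between the two hunks.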
@@ -717,7 +706,15 @@ int setup_tests(void) ADD_TEST(test_thread_local); ADD_TEST(test_atomic); ADD_TEST(test_multi_load); - ADD_ALL_TESTS(test_multi, 6); + ADD_TEST(test_multi_general_worker_default_provider); + ADD_TEST(test_multi_general_worker_fips_provider); + ADD_TEST(test_multi_fetch_worker); + ADD_TEST(test_multi_shared_pkey); +#ifndef OPENSSL_NO_DEPRECATED_3_0 + ADD_TEST(test_multi_downgrade_shared_pkey); +#endif + ADD_TEST(test_multi_load_unload_provider); + ADD_TEST(test_obj_add); ADD_TEST(test_lib_ctx_load_config); return 1; } diff --git a/test/timing_load_creds.c b/test/timing_load_creds.c new file mode 100644 index 000000000..978523c2c --- /dev/null +++ b/test/timing_load_creds.c 
@@ -0,0 +1,215 @@ +/* + * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include + +#include + +#ifdef OPENSSL_SYS_UNIX +# include +# include +# include +# include +# include +# include +# include "internal/e_os.h" +# if defined(_POSIX_VERSION) && _POSIX_VERSION >= 200112L + +# ifndef timersub +/* struct timeval * subtraction; a must be greater than or equal to b */ +# define timersub(a, b, res) \ + do { \ + (res)->tv_sec = (a)->tv_sec - (b)->tv_sec; \ + if ((a)->tv_usec < (b)->tv_usec) { \ + (res)->tv_usec = (a)->tv_usec + 1000000 - (b)->tv_usec; \ + --(res)->tv_sec; \ + } else { \ + (res)->tv_usec = (a)->tv_usec - (b)->tv_usec; \ + } \ + } while(0) +# endif + +static char *prog; + +static void readx509(const char *contents, int size) +{ + X509 *x = NULL; + BIO *b = BIO_new_mem_buf(contents, size); + + if (b == NULL) { + ERR_print_errors_fp(stderr); + exit(EXIT_FAILURE); + } + PEM_read_bio_X509(b, &x, 0, NULL); + if (x == NULL) { + ERR_print_errors_fp(stderr); + exit(EXIT_FAILURE); + } + X509_free(x); + BIO_free(b); +} + +static void readpkey(const char *contents, int size) +{ + BIO *b = BIO_new_mem_buf(contents, size); + EVP_PKEY *pkey; + + if (b == NULL) { + ERR_print_errors_fp(stderr); + exit(EXIT_FAILURE); + } + pkey = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL); + if (pkey == NULL) { + ERR_print_errors_fp(stderr); + exit(EXIT_FAILURE); + } + + EVP_PKEY_free(pkey); + BIO_free(b); +} + +static void print_timeval(const char *what, struct timeval *tp) +{ + printf("%s %d sec %d microsec\n", what, (int)tp->tv_sec, (int)tp->tv_usec); +} + +static void usage(void) +{ + fprintf(stderr, "Usage: %s [flags] pem-file\n", prog); + fprintf(stderr, "Flags, with the default being 
'-wc':\n"); + fprintf(stderr, " -c # Repeat count\n"); + fprintf(stderr, " -d Debugging output (minimal)\n"); + fprintf(stderr, " -w What to load T is a single character:\n"); + fprintf(stderr, " c for cert\n"); + fprintf(stderr, " p for private key\n"); + exit(EXIT_FAILURE); +} +# endif +#endif + +int main(int ac, char **av) +{ +#if defined(_POSIX_VERSION) && _POSIX_VERSION >= 200112L + int i, debug = 0, count = 100, what = 'c'; + struct stat sb; + FILE *fp; + char *contents; + struct rusage start, end, elapsed; + struct timeval e_start, e_end, e_elapsed; + + /* Parse JCL. */ + prog = av[0]; + while ((i = getopt(ac, av, "c:dw:")) != EOF) { + switch (i) { + default: + usage(); + break; + case 'c': + if ((count = atoi(optarg)) < 0) + usage(); + break; + case 'd': + debug = 1; + break; + case 'w': + if (optarg[1] != '\0') + usage(); + switch (*optarg) { + default: + usage(); + break; + case 'c': + case 'p': + what = *optarg; + break; + } + break; + } + } + ac -= optind; + av += optind; + + /* Read input file. */ + if (av[0] == NULL) + usage(); + if (stat(av[0], &sb) < 0) { + perror(av[0]); + exit(EXIT_FAILURE); + } + contents = OPENSSL_malloc(sb.st_size + 1); + if (contents == NULL) { + perror("malloc"); + exit(EXIT_FAILURE); + } + fp = fopen(av[0], "r"); + if ((long)fread(contents, 1, sb.st_size, fp) != sb.st_size) { + perror("fread"); + exit(EXIT_FAILURE); + } + contents[sb.st_size] = '\0'; + fclose(fp); + if (debug) + printf(">%s<\n", contents); + + /* Try to prep system cache, etc. 
*/ + for (i = 10; i > 0; i--) { + switch (what) { + case 'c': + readx509(contents, (int)sb.st_size); + break; + case 'p': + readpkey(contents, (int)sb.st_size); + break; + } + } + + if (gettimeofday(&e_start, NULL) < 0) { + perror("elapsed start"); + exit(EXIT_FAILURE); + } + if (getrusage(RUSAGE_SELF, &start) < 0) { + perror("start"); + exit(EXIT_FAILURE); + } + for (i = count; i > 0; i--) { + switch (what) { + case 'c': + readx509(contents, (int)sb.st_size); + break; + case 'p': + readpkey(contents, (int)sb.st_size); + break; + } + } + if (getrusage(RUSAGE_SELF, &end) < 0) { + perror("getrusage"); + exit(EXIT_FAILURE); + } + if (gettimeofday(&e_end, NULL) < 0) { + perror("gettimeofday"); + exit(EXIT_FAILURE); + } + + timersub(&end.ru_utime, &start.ru_stime, &elapsed.ru_stime); + timersub(&end.ru_utime, &start.ru_utime, &elapsed.ru_utime); + timersub(&e_end, &e_start, &e_elapsed); + print_timeval("user ", &elapsed.ru_utime); + print_timeval("sys ", &elapsed.ru_stime); + if (debug) + print_timeval("elapsed??", &e_elapsed); + + OPENSSL_free(contents); + return EXIT_SUCCESS; +#else + fprintf(stderr, + "This tool is not supported on this platform for lack of POSIX1.2001 support\n"); + exit(EXIT_FAILURE); +#endif +} diff --git a/test/tls-provider.c b/test/tls-provider.c index 5c44b6812..adbe88da5 100644 --- a/test/tls-provider.c +++ b/test/tls-provider.c @@ -313,7 +313,7 @@ static const OSSL_DISPATCH xor_keyexch_functions[] = { static const OSSL_ALGORITHM tls_prov_keyexch[] = { /* - * Obviously this is not FIPS approved, but in order to test in conjuction + * Obviously this is not FIPS approved, but in order to test in conjunction * with the FIPS provider we pretend that it is. */ { "XOR", "provider=tls-provider,fips=yes", xor_keyexch_functions }, 
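Review bot: The system-time computation in main subtracts the wrong field: `timersub(&end.ru_utime, &start.ru_stime, &elapsed.ru_stime);` mixes user and system time and should be `timersub(&end.ru_stime, &start.ru_stime, &elapsed.ru_stime);`, so the `sys` line printed by print_timeval is currently meaningless. `fopen(av[0], "r")` is not checked before `fread`, so a path that stats but cannot be opened dereferences NULL; add `if (fp == NULL) { perror(av[0]); exit(EXIT_FAILURE); }`. `sb.st_size` is only meaningful for regular files and `(long)fread(...) != sb.st_size` compares `long` with `off_t`; an `S_ISREG(sb.st_mode)` check after stat would make the size assumption explicit. `getopt` is documented to return -1 at the end of options; comparing against `EOF` works only because the two happen to be equal.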
@@ -442,7 +442,7 @@ static const OSSL_DISPATCH xor_kem_functions[] = { static const OSSL_ALGORITHM tls_prov_kem[] = { /* - * Obviously this is not FIPS approved, but in order to test in conjuction + * Obviously this is not FIPS approved, but in order to test in conjunction * with the FIPS provider we pretend that it is. */ { "XOR", "provider=tls-provider,fips=yes", xor_kem_functions }, @@ -758,7 +758,7 @@ static const OSSL_DISPATCH xor_keymgmt_functions[] = { static const OSSL_ALGORITHM tls_prov_keymgmt[] = { /* - * Obviously this is not FIPS approved, but in order to test in conjuction + * Obviously this is not FIPS approved, but in order to test in conjunction * with the FIPS provider we pretend that it is. */ { "XOR", "provider=tls-provider,fips=yes", xor_keymgmt_functions }, diff --git a/test/trace_api_test.c b/test/trace_api_test.c index e6c4fdc28..ba9ba226c 100644 --- a/test/trace_api_test.c +++ b/test/trace_api_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -45,6 +45,7 @@ static int test_trace_categories(void) CASE(DECODER); CASE(ENCODER); CASE(REF_COUNT); + CASE(HTTP); #undef CASE default: is_cat_name_eq = TEST_ptr_null(cat_name); @@ -66,10 +67,10 @@ static int test_trace_categories(void) #ifndef OPENSSL_NO_TRACE static void put_trace_output(void) { - OSSL_TRACE_BEGIN(REF_COUNT) { + OSSL_TRACE_BEGIN(HTTP) { BIO_printf(trc_out, "Hello World\n"); BIO_printf(trc_out, "Good Bye Universe\n"); - } OSSL_TRACE_END(REF_COUNT); + } OSSL_TRACE_END(HTTP); } static int test_trace_channel(void) 
@@ -85,22 +86,22 @@ static int test_trace_channel(void) if (!TEST_ptr(bio)) goto end; - if (!TEST_int_eq(OSSL_trace_set_channel(OSSL_TRACE_CATEGORY_REF_COUNT, bio), 1)) + if (!TEST_int_eq(OSSL_trace_set_channel(OSSL_TRACE_CATEGORY_HTTP, bio), 1)) goto end; - if (!TEST_true(OSSL_trace_enabled(OSSL_TRACE_CATEGORY_REF_COUNT))) + if (!TEST_true(OSSL_trace_enabled(OSSL_TRACE_CATEGORY_HTTP))) goto end; - if (!TEST_int_eq(OSSL_trace_set_prefix(OSSL_TRACE_CATEGORY_REF_COUNT, "xyz-"), 1)) + if (!TEST_int_eq(OSSL_trace_set_prefix(OSSL_TRACE_CATEGORY_HTTP, "xyz-"), 1)) goto end; - if (!TEST_int_eq(OSSL_trace_set_suffix(OSSL_TRACE_CATEGORY_REF_COUNT, "-abc"), 1)) + if (!TEST_int_eq(OSSL_trace_set_suffix(OSSL_TRACE_CATEGORY_HTTP, "-abc"), 1)) goto end; put_trace_output(); len = BIO_get_mem_data(bio, &p_buf); if (!TEST_strn2_eq(p_buf, len, expected, expected_len)) goto end; - if (!TEST_int_eq(OSSL_trace_set_channel(OSSL_TRACE_CATEGORY_REF_COUNT, NULL), 1)) + if (!TEST_int_eq(OSSL_trace_set_channel(OSSL_TRACE_CATEGORY_HTTP, NULL), 1)) goto end; bio = NULL; diff --git a/test/upcallstest.c b/test/upcallstest.c index 76899fee3..179931f8a 100644 --- a/test/upcallstest.c +++ b/test/upcallstest.c @@ -1,5 +1,5 @@ /* - * Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -27,6 +27,7 @@ static const OSSL_DISPATCH obj_dispatch_table[] = { static OSSL_FUNC_core_obj_add_sigid_fn *c_obj_add_sigid = NULL; static OSSL_FUNC_core_obj_create_fn *c_obj_create = NULL; +/* test signature ids requiring digest */ #define SIG_OID "1.3.6.1.4.1.16604.998877.1" #define SIG_SN "my-sig" #define SIG_LN "my-sig-long" 
@@ -37,6 +38,14 @@ static OSSL_FUNC_core_obj_create_fn *c_obj_create = NULL; #define SIGALG_SN "my-sigalg" #define SIGALG_LN "my-sigalg-long" +/* test signature ids requiring no digest */ +#define NODIG_SIG_OID "1.3.6.1.4.1.16604.998877.4" +#define NODIG_SIG_SN "my-nodig-sig" +#define NODIG_SIG_LN "my-nodig-sig-long" +#define NODIG_SIGALG_OID "1.3.6.1.4.1.16604.998877.5" +#define NODIG_SIGALG_SN "my-nodig-sigalg" +#define NODIG_SIGALG_LN "my-nodig-sigalg-long" + static int obj_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in, const OSSL_DISPATCH **out, @@ -45,7 +54,7 @@ static int obj_provider_init(const OSSL_CORE_HANDLE *handle, *provctx = (void *)handle; *out = obj_dispatch_table; - for (; in->function_id != 0; in++) { + for (; in->function_id != 0; in++) { switch (in->function_id) { case OSSL_FUNC_CORE_OBJ_ADD_SIGID: c_obj_add_sigid = OSSL_FUNC_core_obj_add_sigid(in); @@ -65,16 +74,18 @@ static int obj_provider_init(const OSSL_CORE_HANDLE *handle, || !c_obj_create(handle, SIGALG_OID, SIGALG_SN, SIGALG_LN)) return 0; + if (!c_obj_create(handle, NODIG_SIG_OID, NODIG_SIG_SN, NODIG_SIG_LN) + || !c_obj_create(handle, NODIG_SIGALG_OID, NODIG_SIGALG_SN, NODIG_SIGALG_LN)) + return 0; + if (!c_obj_add_sigid(handle, SIGALG_OID, DIGEST_SN, SIG_LN)) return 0; /* additional tests checking empty digest algs are accepted, too */ - if (!c_obj_add_sigid(handle, SIGALG_OID, "", SIG_LN)) - return 0; - if (!c_obj_add_sigid(handle, SIGALG_OID, NULL, SIG_LN)) + if (!c_obj_add_sigid(handle, NODIG_SIGALG_OID, "", NODIG_SIG_LN)) return 0; /* checking wrong digest alg name is rejected: */ - if (c_obj_add_sigid(handle, SIGALG_OID, "NonsenseAlg", SIG_LN)) + if (c_obj_add_sigid(handle, NODIG_SIGALG_OID, "NonsenseAlg", NODIG_SIG_LN)) return 0; return 1; 
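Review bot: The `NULL` digest case disappears from obj_provider_init: the removed lines exercised `c_obj_add_sigid` with both `""` and `NULL`, the new code keeps only the `""` call against NODIG_SIGALG_OID, yet the comment above it still talks about "empty digest algs" in the plural. If the core callback is meant to treat a NULL digest name as "no digest" (which the removed test assumed), that path is now untested; consider restoring it with `if (!c_obj_add_sigid(handle, NODIG_SIGALG_OID, NULL, NODIG_SIG_LN)) return 0;`, or against a third test OID if registering the same signature OID twice is not allowed, and otherwise adjust the comment to say only the empty-string form is checked. The closing brace of obj_provider_init lies outside the hunk.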
@@ -84,7 +95,7 @@ static int obj_create_test(void) { OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new(); OSSL_PROVIDER *objprov = NULL; - int sigalgnid, digestnid, signid; + int sigalgnid, digestnid, signid, foundsid; int testresult = 0; if (!TEST_ptr(libctx)) @@ -105,6 +116,40 @@ static int obj_create_test(void) || !TEST_int_eq(signid, OBJ_ln2nid(SIG_LN))) goto err; + /* Check empty digest alg storage capability */ + sigalgnid = OBJ_txt2nid(NODIG_SIGALG_OID); + if (!TEST_int_ne(sigalgnid, NID_undef) + || !TEST_true(OBJ_find_sigid_algs(sigalgnid, &digestnid, &signid)) + || !TEST_int_eq(digestnid, NID_undef) + || !TEST_int_ne(signid, NID_undef)) + goto err; + + /* Testing OBJ_find_sigid_by_algs */ + /* First check exact sig/digest recall: */ + sigalgnid = OBJ_sn2nid(SIGALG_SN); + digestnid = OBJ_sn2nid(DIGEST_SN); + signid = OBJ_ln2nid(SIG_LN); + if ((!OBJ_find_sigid_by_algs(&foundsid, digestnid, signid)) || + (foundsid != sigalgnid)) + return 0; + /* Check wrong signature/digest combination is rejected */ + if ((OBJ_find_sigid_by_algs(&foundsid, OBJ_sn2nid("SHA512"), signid)) && + (foundsid == sigalgnid)) + return 0; + /* Now also check signature not needing digest is found */ + /* a) when some digest is given */ + sigalgnid = OBJ_sn2nid(NODIG_SIGALG_SN); + digestnid = OBJ_sn2nid("SHA512"); + signid = OBJ_ln2nid(NODIG_SIG_LN); + if ((!OBJ_find_sigid_by_algs(&foundsid, digestnid, signid)) || + (foundsid != sigalgnid)) + return 0; + /* b) when NID_undef is passed */ + digestnid = NID_undef; + if ((!OBJ_find_sigid_by_algs(&foundsid, digestnid, signid)) || + (foundsid != sigalgnid)) + return 0; + testresult = 1; err: OSSL_PROVIDER_unload(objprov); diff --git a/test/x509_time_test.c b/test/x509_time_test.c index 711dfcb5b..6cd34203f 100644 --- a/test/x509_time_test.c +++ b/test/x509_time_test.c 
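Review bot: The four new OBJ_find_sigid_by_algs checks bail out with a bare `return 0;` rather than `goto err;`, so a failure skips the `err:` cleanup visible at the end of the hunk (`OSSL_PROVIDER_unload(objprov)`, and presumably the libctx release just after it), and because they bypass the TEST_ macros used by the surrounding code a failure prints no diagnostic about which lookup went wrong. Rewriting them in the file's existing `TEST_…`/`goto err` style fixes both without changing what is asserted; the negative SHA512 check keeps its intent (fail only when a result is returned and it equals sigalgnid) but now reports it. obj_create_test begins before and ends after this hunk.
```c
    /* Testing OBJ_find_sigid_by_algs */
    /* First check exact sig/digest recall: */
    sigalgnid = OBJ_sn2nid(SIGALG_SN);
    digestnid = OBJ_sn2nid(DIGEST_SN);
    signid = OBJ_ln2nid(SIG_LN);
    if (!TEST_true(OBJ_find_sigid_by_algs(&foundsid, digestnid, signid))
        || !TEST_int_eq(foundsid, sigalgnid))
        goto err;
    /* Check wrong signature/digest combination is rejected */
    if (OBJ_find_sigid_by_algs(&foundsid, OBJ_sn2nid("SHA512"), signid)
        && !TEST_int_ne(foundsid, sigalgnid))
        goto err;
    /* Now also check signature not needing digest is found */
    /* a) when some digest is given */
    sigalgnid = OBJ_sn2nid(NODIG_SIGALG_SN);
    digestnid = OBJ_sn2nid("SHA512");
    signid = OBJ_ln2nid(NODIG_SIG_LN);
    if (!TEST_true(OBJ_find_sigid_by_algs(&foundsid, digestnid, signid))
        || !TEST_int_eq(foundsid, sigalgnid))
        goto err;
    /* b) when NID_undef is passed */
    digestnid = NID_undef;
    if (!TEST_true(OBJ_find_sigid_by_algs(&foundsid, digestnid, signid))
        || !TEST_int_eq(foundsid, sigalgnid))
        goto err;
    /* … unchanged: testresult = 1; err: cleanup … */
```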
@@ -1,5 +1,5 @@ /* - * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2017-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -72,7 +72,7 @@ static TESTDATA_FORMAT x509_format_tests[] = { "20170217180105.001Z", 0, 0, -1, NULL, }, { - /* time zone, check only */ + /* timezone, check only */ "20170217180105+0800", 0, 0, -1, NULL, }, { @@ -84,7 +84,7 @@ static TESTDATA_FORMAT x509_format_tests[] = { "20170217180105.001Z", 1, 0, -1, NULL, }, { - /* time zone, set string */ + /* timezone, set string */ "20170217180105+0800", 1, 0, -1, NULL, }, { @@ -113,7 +113,7 @@ static TESTDATA_FORMAT x509_format_tests[] = { "040229180101Z", 0, 1, -1, NULL, }, { - /* time zone, check only */ + /* timezone, check only */ "170217180154+0800", 0, 0, -1, NULL, }, { @@ -121,7 +121,7 @@ static TESTDATA_FORMAT x509_format_tests[] = { "1702171801Z", 1, 0, -1, NULL, }, { - /* time zone, set string */ + /* timezone, set string */ "170217180154+0800", 1, 0, -1, NULL, }, { diff --git a/test/x509aux.c b/test/x509aux.c index bb3523dde..f5eece76d 100644 --- a/test/x509aux.c +++ b/test/x509aux.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,7 +16,6 @@ #include #include #include -#include "internal/nelem.h" #include "testutil.h" static int test_certs(int num) diff --git a/tlsfuzzer b/tlsfuzzer new file mode 160000 index 000000000..dbd56c149 --- /dev/null +++ b/tlsfuzzer @@ -0,0 +1 @@ +Subproject commit dbd56c149072e656ca8d6a43a59588f3e7513da2 diff --git a/tlslite-ng b/tlslite-ng new file mode 160000 index 000000000..771e9f59d --- /dev/null +++ b/tlslite-ng 
@@ -0,0 +1 @@ +Subproject commit 771e9f59d639dbb0e2fa8e646c8e588405d3903e diff --git a/tools/c_rehash.in b/tools/c_rehash.in index 343cdc1e7..4dd1b4468 100644 --- a/tools/c_rehash.in +++ b/tools/c_rehash.in @@ -143,7 +143,7 @@ sub hash_dir { } } } - FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { + FILE: foreach $fname (grep {/\.(pem|crt|cer|crl)$/} @flist) { # Check to see if certificates and/or CRLs present. my ($cert, $crl) = check_file($fname); if (!$cert && !$crl) { diff --git a/util/add-depends.pl b/util/add-depends.pl index 599a267f6..5f21adecb 100644 --- a/util/add-depends.pl +++ b/util/add-depends.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -214,7 +214,7 @@ # # Hinweis: Einlesen der Datei: {whatever header file} # - # To accomodate, we need to use a very general regular expression + # To accommodate, we need to use a very general regular expression # to parse those lines. # # Since there's no object file name at all in that information, diff --git a/util/find-doc-nits b/util/find-doc-nits index 7244c589e..189aafcbf 100755 --- a/util/find-doc-nits +++ b/util/find-doc-nits @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -105,7 +105,7 @@ my $ignored = qr/(?| ^i2d_ | ^sk_ | ^SKM_DEFINE_STACK_OF_INTERNAL | ^lh_ - | ^DEFINE_LHASH_OF_INTERNAL + | ^DEFINE_LHASH_OF_(INTERNAL|DEPRECATED) )/x; # A common regexp for C symbol names 
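Review bot: The tightened pattern `/\.(pem|crt|cer|crl)$/` in hash_dir is the right fix (the old alternation matched `crt` or `cer` anywhere in a file name and only `crl` at the end), but it is a visible behaviour change for deployed hash directories: names that were hashed only because they contained `crt`/`cer`, or had `.pem` followed by a further suffix, are now skipped, which deserves a CHANGES entry and a sentence in the c_rehash documentation. The match also stays case-sensitive, so `.PEM`/`.CRT` files are ignored as before; if that is intended, say so next to the loop, e.g. `# Only files with a lowercase .pem/.crt/.cer/.crl extension are hashed.` The rest of hash_dir lies outside the hunk.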
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 716aa0cb1..bcc0b2e23 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -1178,7 +1178,7 @@ OPENSSL_uni2asc 1205 3_0_0 EXIST::FUNCTION:
 SCT_validation_status_string 1206 3_0_0 EXIST::FUNCTION:CT
 PKCS7_add_attribute 1207 3_0_0 EXIST::FUNCTION:
 ENGINE_register_DSA 1208 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
-OPENSSL_LH_node_stats 1209 3_0_0 EXIST::FUNCTION:STDIO
+OPENSSL_LH_node_stats 1209 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_1,STDIO
 X509_policy_tree_free 1210 3_0_0 EXIST::FUNCTION:
 EC_GFp_simple_method 1211 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 X509_it 1212 3_0_0 EXIST::FUNCTION:
@@ -1317,7 +1317,7 @@ BIO_f_linebuffer 1346 3_0_0 EXIST::FUNCTION:
 ASN1_item_d2i_bio 1347 3_0_0 EXIST::FUNCTION:
 ENGINE_get_flags 1348 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 OCSP_resp_find 1349 3_0_0 EXIST::FUNCTION:OCSP
-OPENSSL_LH_node_usage_stats_bio 1350 3_0_0 EXIST::FUNCTION:
+OPENSSL_LH_node_usage_stats_bio 1350 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_1
 EVP_PKEY_encrypt 1351 3_0_0 EXIST::FUNCTION:
 CRYPTO_cfb128_8_encrypt 1352 3_0_0 EXIST::FUNCTION:
 SXNET_get_id_INTEGER 1353 3_0_0 EXIST::FUNCTION:
@@ -1790,7 +1790,7 @@ X509V3_EXT_REQ_add_conf 1832 3_0_0 EXIST::FUNCTION:
 ASN1_STRING_to_UTF8 1833 3_0_0 EXIST::FUNCTION:
 EVP_MD_meth_set_update 1835 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0
 EVP_camellia_192_cbc 1836 3_0_0 EXIST::FUNCTION:CAMELLIA
-OPENSSL_LH_stats_bio 1837 3_0_0 EXIST::FUNCTION:
+OPENSSL_LH_stats_bio 1837 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_1
 PKCS7_set_signed_attributes 1838 3_0_0 EXIST::FUNCTION:
 EC_KEY_priv2buf 1839 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 BN_BLINDING_free 1840 3_0_0 EXIST::FUNCTION:
@@ -1973,7 +1973,7 @@ i2d_TS_REQ_fp 2019 3_0_0 EXIST::FUNCTION:STDIO,TS
 i2d_OTHERNAME 2020 3_0_0 EXIST::FUNCTION:
 EC_KEY_get0_private_key 2021 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 SCT_get0_extensions 2022 3_0_0 EXIST::FUNCTION:CT
-OPENSSL_LH_node_stats_bio 2023 3_0_0 EXIST::FUNCTION:
+OPENSSL_LH_node_stats_bio 2023 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_1
 i2d_DIRECTORYSTRING 2024 3_0_0 EXIST::FUNCTION:
 BN_X931_derive_prime_ex 2025 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0
 ENGINE_get_pkey_asn1_meth_str 2026 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
@@ -2553,7 +2553,7 @@ EVP_DecodeUpdate 2609 3_0_0 EXIST::FUNCTION:
 ENGINE_get_default_RAND 2610 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 ERR_peek_last_error_line 2611 3_0_0 EXIST::FUNCTION:
 ENGINE_get_ssl_client_cert_function 2612 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
-OPENSSL_LH_node_usage_stats 2613 3_0_0 EXIST::FUNCTION:STDIO
+OPENSSL_LH_node_usage_stats 2613 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_1,STDIO
 DIRECTORYSTRING_it 2614 3_0_0 EXIST::FUNCTION:
 BIO_write 2615 3_0_0 EXIST::FUNCTION:
 OCSP_ONEREQ_get_ext_by_OBJ 2616 3_0_0 EXIST::FUNCTION:OCSP
@@ -3073,7 +3073,7 @@ TXT_DB_free 3139 3_0_0 EXIST::FUNCTION:
 ASN1_STRING_set 3140 3_0_0 EXIST::FUNCTION:
 d2i_ESS_CERT_ID 3141 3_0_0 EXIST::FUNCTION:
 EVP_PKEY_meth_set_derive 3142 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0
-OPENSSL_LH_stats 3143 3_0_0 EXIST::FUNCTION:STDIO
+OPENSSL_LH_stats 3143 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_1,STDIO
 NCONF_dump_fp 3144 3_0_0 EXIST::FUNCTION:STDIO
 TS_STATUS_INFO_print_bio 3145 3_0_0 EXIST::FUNCTION:TS
 OPENSSL_sk_dup 3146 3_0_0 EXIST::FUNCTION:
@@ -5428,3 +5428,9 @@ EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
 OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
 OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
 OSSL_CMP_CTX_reset_geninfo_ITAVs 5558 3_0_8 EXIST::FUNCTION:CMP
+EVP_RAND_CTX_up_ref 5559 3_1_0 EXIST::FUNCTION:
+RAND_set0_public 5560 3_1_0 EXIST::FUNCTION:
+RAND_set0_private 5561 3_1_0 EXIST::FUNCTION:
+EVP_MD_CTX_dup 5562 3_1_0 EXIST::FUNCTION:
+EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:
+BN_are_coprime 5564 3_1_0 EXIST::FUNCTION:
diff --git a/util/missingmacro.txt b/util/missingmacro.txt
index bc16c026d..3425e88bb 100644
--- a/util/missingmacro.txt
+++ b/util/missingmacro.txt
@@ -80,8 +80,6 @@ OPENSSL_add_all_algorithms_noconf(3)
 LHASH_HASH_FN(3)
 LHASH_COMP_FN(3)
 LHASH_DOALL_ARG_FN(3)
-LHASH_OF(3)
-DEFINE_LHASH_OF(3)
 int_implement_lhash_doall(3)
 OBJ_create_and_add_object(3)
 OBJ_bsearch(3)
diff --git a/util/mkdef.pl b/util/mkdef.pl
index d9534674c..3d86b0e8f 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -89,7 +89,7 @@
 # 0x0000000000000001 (NEEDED) Shared library: [libcrypto-opt.so.1.1]
 # 0x000000000000000e (SONAME) Library soname: [libssl-opt.so.1.1]
 #
-# We case-fold the variant tag to upper case and replace all non-alnum
+# We case-fold the variant tag to uppercase and replace all non-alnum
 # characters with "_". This yields the following symbol versions:
 #
 # $ nm libcrypto.so | grep -w A
diff --git a/util/mkerr.pl b/util/mkerr.pl
index 1cb772c00..633894fed 100755
--- a/util/mkerr.pl
+++ b/util/mkerr.pl
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License"). You may not use
 # this file except in compliance with the License. You can obtain a copy
@@ -247,7 +247,7 @@ sub help # Scan each C source file and look for reason codes. This is done by # looking for strings that "look like" reason codes: basically anything -# consisting of all upper case and numerics which _R_ in it and which has +# consisting of all uppercase and numerics which _R_ in it and which has # the name of an error library at the start. Should there be anything else, # such as a type name, we add exceptions here. # If a code doesn't exist in list compiled from headers then mark it diff --git a/util/mktar.sh b/util/mktar.sh index 353ff716d..275eb24ae 100755 --- a/util/mktar.sh +++ b/util/mktar.sh @@ -1,5 +1,5 @@ #! /bin/sh -# Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy diff --git a/util/perl/OpenSSL/Ordinals.pm b/util/perl/OpenSSL/Ordinals.pm index f6c63d14c..4d8c616b5 100644 --- a/util/perl/OpenSSL/Ordinals.pm +++ b/util/perl/OpenSSL/Ordinals.pm @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -349,7 +349,7 @@ sub _putback { croak "Duplicate entries for ".$items[0]->name()." from ". $items[0]->source()." and ".$items[1]->source()."\n" if $items[0]->name() eq $items[1]->name() - && $items[0]->type() eq $items[2]->type() + && $items[0]->type() eq $items[1]->type() && $items[0]->platforms() eq $items[1]->platforms(); # Check that all platforms exist in both items, and have opposite values diff --git a/util/perl/OpenSSL/ParseC.pm b/util/perl/OpenSSL/ParseC.pm index f98dd0e25..172826bcd 100644 
--- a/util/perl/OpenSSL/ParseC.pm +++ b/util/perl/OpenSSL/ParseC.pm @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -292,7 +292,7 @@ EOF { regexp => qr/(.*)\bLHASH_OF<<<\((.*?)\)>>>(.*)/, massager => sub { return ("$1struct lhash_st_$2$3"); } }, - { regexp => qr/DEFINE_LHASH_OF(?:_INTERNAL)?<<<\((.*)\)>>>/, + { regexp => qr/DEFINE_LHASH_OF(?:_INTERNAL|_EX)?<<<\((.*)\)>>>/, massager => sub { return (<<"EOF"); static ossl_inline LHASH_OF($1) * lh_$1_new(unsigned long (*hfn)(const $1 *), diff --git a/util/perl/OpenSSL/config.pm b/util/perl/OpenSSL/config.pm index 2f1edcafb..c44a8dfb3 100755 --- a/util/perl/OpenSSL/config.pm +++ b/util/perl/OpenSSL/config.pm @@ -775,14 +775,17 @@ EOF disable => [ 'sse2' ] } ], [ 'alpha.*-.*-.*bsd.*', { target => "BSD-generic64", defines => [ 'L_ENDIAN' ] } ], - [ 'powerpc64-.*-.*bsd.*', { target => "BSD-generic64", - defines => [ 'B_ENDIAN' ] } ], + [ 'powerpc-.*-.*bsd.*', { target => "BSD-ppc" } ], + [ 'powerpc64-.*-.*bsd.*', { target => "BSD-ppc64" } ], + [ 'powerpc64le-.*-.*bsd.*', { target => "BSD-ppc64le" } ], [ 'riscv64-.*-.*bsd.*', { target => "BSD-riscv64" } ], [ 'sparc64-.*-.*bsd.*', { target => "BSD-sparc64" } ], [ 'ia64-.*-.*bsd.*', { target => "BSD-ia64" } ], [ 'x86_64-.*-dragonfly.*', { target => "BSD-x86_64" } ], [ 'amd64-.*-.*bsd.*', { target => "BSD-x86_64" } ], [ 'arm64-.*-.*bsd.*', { target => "BSD-aarch64" } ], + [ 'armv6-.*-.*bsd.*', { target => "BSD-armv4" } ], + [ 'armv7-.*-.*bsd.*', { target => "BSD-armv4" } ], [ '.*86.*-.*-.*bsd.*', sub { # mimic ld behaviour when it's looking for libc...