From 9fd6ae9e88cb8e8c29bec816c11e3a1fd6ab7eb537824b8cca06b0d70cc8a18c Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Thu, 17 Oct 2024 08:57:39 +0000 Subject: [PATCH] Add reproducibledate.patch (boo#1231667) OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=166 --- .gitattributes | 23 + .gitignore | 1 + ...-s390x-assembly-pack-perlasm-support.patch | 3089 ++++ ...asm-chacha-s390x.pl-add-vx-code-path.patch | 867 ++ ...asm-poly1305-s390x.pl-add-vx-code-pa.patch | 1006 ++ ...ack-fix-formal-interface-bug-in-chac.patch | 31 + ...ack-import-chacha-from-cryptogams-re.patch | 1094 ++ ...ack-import-poly-from-cryptogams-repo.patch | 1631 +++ baselibs.conf | 10 + bsc1185319-FIPS-KAT-for-ECDSA.patch | 399 + bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch | 13 + openssl-1.1.0-issuer-hash.patch | 12 + openssl-1.1.0-no-html.patch | 13 + openssl-1.1.1-evp-kdf.patch | 5278 +++++++ openssl-1.1.1-fips-crng-test.patch | 414 + openssl-1.1.1-fips-fix-memory-leaks.patch | 80 + openssl-1.1.1-fips-post-rand.patch | 194 + openssl-1.1.1-fips.patch | 11992 ++++++++++++++++ openssl-1.1.1-ssh-kdf.patch | 5583 +++++++ openssl-1.1.1-system-cipherlist.patch | 312 + openssl-1.1.1w.tar.gz | 3 + openssl-1.1.1w.tar.gz.asc | 16 + ...nce-optimzation-with-stitched-method.patch | 1588 ++ ...ssl-1_1-FIPS-PBKDF2-KAT-requirements.patch | 45 + openssl-1_1-FIPS-fix-error-reason-codes.patch | 38 + openssl-1_1-FIPS_drbg-rewire.patch | 182 + openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch | 208 + ...l-statement-testing-64-and-256-bytes.patch | 103 + openssl-1_1-Fixed-counter-overflow.patch | 136 + openssl-1_1-Optimize-AES-GCM-uarchs.patch | 7709 ++++++++++ openssl-1_1-Optimize-AES-XTS-aarch64.patch | 1616 +++ openssl-1_1-Optimize-RSA-armv8.patch | 575 + openssl-1_1-Optimize-ppc64.patch | 2308 +++ openssl-1_1-Zeroization.patch | 25 + ...ance-optimizations-for-ppc64le-with-.patch | 1535 ++ openssl-1_1-disable-test_srp-sslapi.patch | 13 + ...190652_release_num_in_version_string.patch | 23 + ...ps-bsc1215215_fips_in_version_string.patch | 46 + openssl-1_1-fips-drbg-selftest.patch | 588 + ...pproved-digest-and-pubkey-algorithms.patch | 117 + openssl-1_1-jitterentropy-3.4.0.patch | 203 + openssl-1_1-openssl-config.patch | 556 + ...ssl-1_1-ossl-sli-000-fix-build-error.patch | 10 + ...01-fix-faults-preventing-make-update.patch | 111 + ...ssl-1_1-ossl-sli-002-ran-make-update.patch | 946 ++ openssl-1_1-ossl-sli-003-add-sli.patch | 3333 +++++ ...l-1_1-ossl-sli-004-allow-aes-xts-256.patch | 39 + ...1_1-ossl-sli-005-EC_group_order_bits.patch | 24 + ...l-1_1-ossl-sli-006-rsa_pkcs1_padding.patch | 52 + openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch | 14 + ...l-sli-008-pbkdf2-salt_pass_iteration.patch | 136 + openssl-1_1-paramgen-default_to_rfc7919.patch | 88 + openssl-1_1-seclevel.patch | 160 + ...sl-1_1-serialize-jitterentropy-calls.patch | 80 + openssl-1_1-shortcut-test_afalg_aes_cbc.patch | 14 + openssl-1_1-use-include-directive.patch | 29 + openssl-1_1-use-seclevel2-in-tests.patch | 38 + openssl-1_1.changes | 3980 +++++ openssl-1_1.spec | 549 + openssl-CVE-2023-5678.patch | 174 + openssl-CVE-2024-0727.patch | 158 + openssl-CVE-2024-2511.patch | 118 + openssl-CVE-2024-4741.patch | 41 + openssl-CVE-2024-5535.patch | 234 + openssl-DEFAULT_SUSE_cipher.patch | 63 + openssl-DH.patch | 3294 +++++ ...fific-ECDSA-implementations-via-EC_M.patch | 533 + openssl-FIPS-KAT-before-integrity-tests.patch | 26 + ...-9bf682f-which-broke-nistp224_method.patch | 57 + ...nce-for-6x-unrolling-with-vpermxor-i.patch | 495 + ...0xcap.pod-list-msa9-facility-bit-155.patch | 30 + openssl-Skip_SHA1-test-in-FIPS-mode.patch | 15 + ...ack-accelerate-scalar-multiplication.patch | 311 + ...pass-zero-length-input-to-EVP_Cipher.patch | 16 + ...-Limb-Solinas-Strategy-for-secp384r1.patch | 2197 +++ ...nkage-on-nistp521-felem_-square-mul-.patch | 65 + ...dd-asm-implementation-of-felem_-squa.patch | 410 + ...-extraneous-parentheses-in-secp384r1.patch | 76 + ...l-fips-DH_selftest_shared_secret_KAT.patch | 82 + openssl-fips-add-SHA3-selftest.patch | 347 + openssl-fips-clearerror.patch | 12 + openssl-fips-ignore_broken_atexit_test.patch | 22 + openssl-fips-kdf-hkdf-selftest.patch | 103 + ...lftests_only_when_module_is_complete.patch | 24 + openssl-fips-selftests_in_nonfips_mode.patch | 74 + openssl-fips_mode.patch | 20 + openssl-fips_selftest_upstream_drbg.patch | 1825 +++ openssl-kdf-selftest.patch | 131 + openssl-kdf-ssh-selftest.patch | 122 + openssl-kdf-tls-selftest.patch | 99 + openssl-pkgconfig.patch | 22 + ...c-Fix-stack-allocation-secp384r1-asm.patch | 96 + openssl-ppc64-config.patch | 18 + openssl-riscv64-config.patch | 12 + ...s390x-assembly-pack-accelerate-ECDSA.patch | 278 + ...lerate-X25519-X448-Ed25519-and-Ed448.patch | 1467 ++ ...ack-add-OPENSSL_s390xcap-environment.patch | 673 + ...y-pack-add-OPENSSL_s390xcap-man-page.patch | 208 + ...ack-add-support-for-pcc-and-kma-inst.patch | 377 + ...y-pack-cleanse-only-sensitive-fields.patch | 41 + ...ack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch | 46 + ...ly-pack-fix-msa3-stfle-bit-detection.patch | 26 + ...embly-pack-update-OPENSSL_s390xcap-3.patch | 67 + ...est-vector-ctime-for-x25519-and-x448.patch | 127 + openssl-s390xcpuid.pl-fix-comment.patch | 38 + openssl-s_client-check-ocsp-status.patch | 492 + openssl-ship_fips_standalone_hmac.patch | 13 + openssl-truststore.patch | 17 + openssl-unknown_dgst.patch | 15 + openssl.keyring | 305 + reproducibledate.patch | 13 + showciphers.c | 27 + 112 files changed, 74830 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 0001-s390x-assembly-pack-perlasm-support.patch create mode 100644 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch create mode 100644 0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch create mode 100644 0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch create mode 100644 0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch create mode 100644 0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch create mode 100644 baselibs.conf create mode 100644 bsc1185319-FIPS-KAT-for-ECDSA.patch create mode 100644 bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch create mode 100644 openssl-1.1.0-issuer-hash.patch create mode 100644 openssl-1.1.0-no-html.patch create mode 100644 openssl-1.1.1-evp-kdf.patch create mode 100644 openssl-1.1.1-fips-crng-test.patch create mode 100644 openssl-1.1.1-fips-fix-memory-leaks.patch create mode 100644 openssl-1.1.1-fips-post-rand.patch create mode 100644 openssl-1.1.1-fips.patch create mode 100644 openssl-1.1.1-ssh-kdf.patch create mode 100644 openssl-1.1.1-system-cipherlist.patch create mode 100644 openssl-1.1.1w.tar.gz create mode 100644 openssl-1.1.1w.tar.gz.asc create mode 100644 openssl-1_1-AES-GCM-performance-optimzation-with-stitched-method.patch create mode 100644 openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch create mode 100644 openssl-1_1-FIPS-fix-error-reason-codes.patch create mode 100644 openssl-1_1-FIPS_drbg-rewire.patch create mode 100644 openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch create mode 100644 openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch create mode 100644 openssl-1_1-Fixed-counter-overflow.patch create mode 100644 openssl-1_1-Optimize-AES-GCM-uarchs.patch create mode 100644 openssl-1_1-Optimize-AES-XTS-aarch64.patch create mode 100644 openssl-1_1-Optimize-RSA-armv8.patch create mode 100644 openssl-1_1-Optimize-ppc64.patch create mode 100644 openssl-1_1-Zeroization.patch create mode 100644 openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch create mode 100644 openssl-1_1-disable-test_srp-sslapi.patch create mode 100644 openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch create mode 100644 openssl-1_1-fips-bsc1215215_fips_in_version_string.patch create mode 100644 openssl-1_1-fips-drbg-selftest.patch create mode 100644 openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch create mode 100644 openssl-1_1-jitterentropy-3.4.0.patch create mode 100644 openssl-1_1-openssl-config.patch create mode 100644 openssl-1_1-ossl-sli-000-fix-build-error.patch create mode 100644 openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch create mode 100644 openssl-1_1-ossl-sli-002-ran-make-update.patch create mode 100644 openssl-1_1-ossl-sli-003-add-sli.patch create mode 100644 openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch create mode 100644 openssl-1_1-ossl-sli-005-EC_group_order_bits.patch create mode 100644 openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch create mode 100644 openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch create mode 100644 openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch create mode 100644 openssl-1_1-paramgen-default_to_rfc7919.patch create mode 100644 openssl-1_1-seclevel.patch create mode 100644 openssl-1_1-serialize-jitterentropy-calls.patch create mode 100644 openssl-1_1-shortcut-test_afalg_aes_cbc.patch create mode 100644 openssl-1_1-use-include-directive.patch create mode 100644 openssl-1_1-use-seclevel2-in-tests.patch create mode 100644 openssl-1_1.changes create mode 100644 openssl-1_1.spec create mode 100644 openssl-CVE-2023-5678.patch create mode 100644 openssl-CVE-2024-0727.patch create mode 100644 openssl-CVE-2024-2511.patch create mode 100644 openssl-CVE-2024-4741.patch create mode 100644 openssl-CVE-2024-5535.patch create mode 100644 openssl-DEFAULT_SUSE_cipher.patch create mode 100644 openssl-DH.patch create mode 100644 openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch create mode 100644 openssl-FIPS-KAT-before-integrity-tests.patch create mode 100644 openssl-Fix-9bf682f-which-broke-nistp224_method.patch create mode 100644 openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch create mode 100644 openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch create mode 100644 openssl-Skip_SHA1-test-in-FIPS-mode.patch create mode 100644 openssl-assembly-pack-accelerate-scalar-multiplication.patch create mode 100644 openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch create mode 100644 openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch create mode 100644 openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch create mode 100644 openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch create mode 100644 openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch create mode 100644 openssl-fips-DH_selftest_shared_secret_KAT.patch create mode 100644 openssl-fips-add-SHA3-selftest.patch create mode 100644 openssl-fips-clearerror.patch create mode 100644 openssl-fips-ignore_broken_atexit_test.patch create mode 100644 openssl-fips-kdf-hkdf-selftest.patch create mode 100644 openssl-fips-run_selftests_only_when_module_is_complete.patch create mode 100644 openssl-fips-selftests_in_nonfips_mode.patch create mode 100644 openssl-fips_mode.patch create mode 100644 openssl-fips_selftest_upstream_drbg.patch create mode 100644 openssl-kdf-selftest.patch create mode 100644 openssl-kdf-ssh-selftest.patch create mode 100644 openssl-kdf-tls-selftest.patch create mode 100644 openssl-pkgconfig.patch create mode 100644 openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch create mode 100644 openssl-ppc64-config.patch create mode 100644 openssl-riscv64-config.patch create mode 100644 openssl-s390x-assembly-pack-accelerate-ECDSA.patch create mode 100644 openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch create mode 100644 openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch create mode 100644 openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch create mode 100644 openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch create mode 100644 openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch create mode 100644 openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch create mode 100644 openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch create mode 100644 openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch create mode 100644 openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch create mode 100644 openssl-s390xcpuid.pl-fix-comment.patch create mode 100644 openssl-s_client-check-ocsp-status.patch create mode 100644 openssl-ship_fips_standalone_hmac.patch create mode 100644 openssl-truststore.patch create mode 100644 openssl-unknown_dgst.patch create mode 100644 openssl.keyring create mode 100644 reproducibledate.patch create mode 100644 showciphers.c diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/0001-s390x-assembly-pack-perlasm-support.patch b/0001-s390x-assembly-pack-perlasm-support.patch new file mode 100644 index 0000000..e4f3a16 --- /dev/null +++ b/0001-s390x-assembly-pack-perlasm-support.patch @@ -0,0 +1,3089 @@ +From c66bb88cb08adbc848271dd388aa9695c7e200be Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Wed, 7 Dec 2016 12:58:34 +0100 +Subject: [PATCH] s390x assembly pack: perlasm support. + +Added crypto/perlasm/s390x.pm Perl module. Its primary use is to be +independent of binutils version, that is to write byte codes of +instructions that are not part of the base instruction set. +Currently only gas format is supported. + +Signed-off-by: Patrick Steuer + +Reviewed-by: Tim Hudson +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/6919) +--- + crypto/perlasm/s390x.pm | 3060 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 3060 insertions(+) + create mode 100644 crypto/perlasm/s390x.pm + +diff --git a/crypto/perlasm/s390x.pm b/crypto/perlasm/s390x.pm +new file mode 100644 +index 0000000000..5f3a49dd0c +--- /dev/null ++++ b/crypto/perlasm/s390x.pm +@@ -0,0 +1,3060 @@ ++#!/usr/bin/env perl ++# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the OpenSSL license (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++# Copyright IBM Corp. 2018 ++# Author: Patrick Steuer ++ ++package perlasm::s390x; ++ ++use strict; ++use warnings; ++use Carp qw(confess); ++use Exporter qw(import); ++ ++our @EXPORT=qw(PERLASM_BEGIN PERLASM_END); ++our @EXPORT_OK=qw(AUTOLOAD LABEL INCLUDE stfle); ++our %EXPORT_TAGS=( ++ MSA => [qw(kmac km kmc kimd klmd)], ++ MSA4 => [qw(kmf kmo pcc kmctr)], ++ MSA5 => [qw(ppno prno)], ++ MSA8 => [qw(kma)], ++ VX => [qw(vgef vgeg vgbm vzero vone vgm vgmb vgmh vgmf vgmg ++ vl vlr vlrep vlrepb vlreph vlrepf vlrepg vleb vleh vlef vleg vleib ++ vleih vleif vleig vlgv vlgvb vlgvh vlgvf vlgvg vllez vllezb vllezh ++ vllezf vllezg vlm vlbb vlvg vlvgb vlvgh vlvgf vlvgg vlvgp ++ vll vmrh vmrhb vmrhh vmrhf vmrhg vmrl vmrlb vmrlh vmrlf vmrlg vpk ++ vpkh vpkf vpkg vpks vpksh vpksf vpksg vpkshs vpksfs vpksgs vpkls ++ vpklsh vpklsf vpklsg vpklshs vpklsfs vpklsgs vperm vpdi vrep vrepb ++ vreph vrepf vrepg vrepi vrepib vrepih vrepif vrepig vscef vsceg ++ vsel vseg vsegb vsegh vsegf vst vsteb vsteh vstef vsteg vstm vstl ++ vuph vuphb vuphh vuphf vuplh vuplhb vuplhh vuplhf vupl vuplb vuplhw ++ vuplf vupll vupllb vupllh vupllf va vab vah vaf vag vaq vacc vaccb ++ vacch vaccf vaccg vaccq vac vacq vaccc vacccq vn vnc vavg vavgb ++ vavgh vavgf vavgg vavgl vavglb vavglh vavglf vavglg vcksm vec_ vecb ++ vech vecf vecg vecl veclb veclh veclf veclg vceq vceqb vceqh vceqf ++ vceqg vceqbs vceqhs vceqfs vceqgs vch vchb vchh vchf vchg vchbs ++ vchhs vchfs vchgs vchl vchlb vchlh vchlf vchlg vchlbs vchlhs vchlfs ++ vchlgs vclz vclzb vclzh vclzf vclzg vctz vctzb vctzh vctzf vctzg ++ vx vgfm vgfmb vgfmh vgfmf vgfmg vgfma vgfmab vgfmah vgfmaf vgfmag ++ vlc vlcb vlch vlcf vlcg vlp vlpb vlph vlpf vlpg vmx vmxb vmxh vmxf ++ vmxg vmxl vmxlb vmxlh vmxlf vmxlg vmn vmnb vmnh vmnf vmng vmnl ++ vmnlb vmnlh vmnlf vmnlg vmal vmalb vmalhw vmalf vmah vmahb vmahh ++ vmahf vmalh vmalhb vmalhh vmalhf vmae vmaeb vmaeh vmaef vmale ++ vmaleb vmaleh vmalef vmao vmaob vmaoh vmaof vmalo vmalob vmaloh ++ vmalof vmh vmhb vmhh vmhf vmlh vmlhb vmlhh vmlhf vml vmlb vmlhw ++ vmlf vme vmeb vmeh vmef vmle vmleb vmleh vmlef vmo vmob vmoh vmof ++ vmlo vmlob vmloh vmlof vno vnot vo vpopct verllv verllvb verllvh ++ verllvf verllvg verll verllb verllh verllf verllg verim verimb ++ verimh verimf verimg veslv veslvb veslvh veslvf veslvg vesl veslb ++ veslh veslf veslg vesrav vesravb vesravh vesravf vesravg vesra ++ vesrab vesrah vesraf vesrag vesrlv vesrlvb vesrlvh vesrlvf vesrlvg ++ vesrl vesrlb vesrlh vesrlf vesrlg vsl vslb vsldb vsra vsrab vsrl ++ vsrlb vs vsb vsh vsf vsg vsq vscbi vscbib vscbih vscbif vscbig ++ vscbiq vsbi vsbiq vsbcbi vsbcbiq vsumg vsumgh vsumgf vsumq vsumqf ++ vsumqg vsum vsumb vsumh vtm vfae vfaeb vfaeh vfaef vfaebs vfaehs ++ vfaefs vfaezb vfaezh vfaezf vfaezbs vfaezhs vfaezfs vfee vfeeb ++ vfeeh vfeef vfeebs vfeehs vfeefs vfeezb vfeezh vfeezf vfeezbs ++ vfeezhs vfeezfs vfene vfeneb vfeneh vfenef vfenebs vfenehs vfenefs ++ vfenezb vfenezh vfenezf vfenezbs vfenezhs vfenezfs vistr vistrb ++ vistrh vistrf vistrbs vistrhs vistrfs vstrc vstrcb vstrch vstrcf ++ vstrcbs vstrchs vstrcfs vstrczb vstrczh vstrczf vstrczbs vstrczhs ++ vstrczfs vfa vfadb wfadb wfc wfcdb wfk wfkdb vfce vfcedb wfcedb ++ vfcedbs wfcedbs vfch vfchdb wfchdb vfchdbs wfchdbs vfche vfchedb ++ wfchedb vfchedbs wfchedbs vcdg vcdgb wcdgb vcdlg vcdlgb wcdlgb vcgd ++ vcgdb wcgdb vclgd vclgdb wclgdb vfd vfddb wfddb vfi vfidb wfidb ++ vlde vldeb wldeb vled vledb wledb vfm vfmdb wfmdb vfma vfmadb ++ wfmadb vfms vfmsdb wfmsdb vfpso vfpsodb wfpsodb vflcdb wflcdb ++ vflndb wflndb vflpdb wflpdb vfsq vfsqdb wfsqdb vfs vfsdb wfsdb ++ vftci vftcidb wftcidb)], ++ VXE => [qw(vbperm vllezlf vmsl vmslg vnx vnn voc vpopctb vpopcth ++ vpopctf vpopctg vfasb wfasb wfaxb wfcsb wfcxb wfksb wfkxb vfcesb ++ vfcesbs wfcesb wfcesbs wfcexb wfcexbs vfchsb vfchsbs wfchsb wfchsbs ++ wfchxb wfchxbs vfchesb vfchesbs wfchesb wfchesbs wfchexb wfchexbs ++ vfdsb wfdsb wfdxb vfisb wfisb wfixb vfll vflls wflls wflld vflr ++ vflrd wflrd wflrx vfmax vfmaxsb vfmaxdb wfmaxsb wfmaxdb wfmaxxb ++ vfmin vfminsb vfmindb wfminsb wfmindb wfminxb vfmsb wfmsb wfmxb ++ vfnma vfnms vfmasb wfmasb wfmaxb vfmssb wfmssb wfmsxb vfnmasb ++ vfnmadb wfnmasb wfnmadb wfnmaxb vfnmssb vfnmsdb wfnmssb wfnmsdb ++ wfnmsxb vfpsosb wfpsosb vflcsb wflcsb vflnsb wflnsb vflpsb wflpsb ++ vfpsoxb wfpsoxb vflcxb wflcxb vflnxb wflnxb vflpxb wflpxb vfsqsb ++ wfsqsb wfsqxb vfssb wfssb wfsxb vftcisb wftcisb wftcixb)], ++ VXD => [qw(vlrlr vlrl vstrlr vstrl vap vcp vcvb vcvbg vcvd vcvdg vdp ++ vlip vmp vmsp vpkz vpsop vrp vsdp vsrp vsp vtp vupkz)], ++); ++Exporter::export_ok_tags(qw(MSA MSA4 MSA5 MSA8 VX VXE VXD)); ++ ++our $AUTOLOAD; ++ ++my $GR='(?:%r)?([0-9]|1[0-5])'; ++my $VR='(?:%v)?([0-9]|1[0-9]|2[0-9]|3[0-1])'; ++ ++my ($file,$out); ++ ++sub PERLASM_BEGIN ++{ ++ ($file,$out)=(shift,""); ++} ++sub PERLASM_END ++{ ++ if (defined($file)) { ++ open(my $fd,'>',$file)||die("can't open $file: $!"); ++ print({$fd}$out); ++ close($fd); ++ } else { ++ print($out); ++ } ++} ++ ++sub AUTOLOAD { ++ confess(err("PARSE")) if (grep(!defined($_),@_)); ++ my $token; ++ for ($AUTOLOAD) { ++ $token=".$1" if (/^.*::([A-Z_]+)$/); # uppercase: directive ++ $token="\t$1" if (/^.*::([a-z]+)$/); # lowercase: mnemonic ++ confess(err("PARSE")) if (!defined($token)); ++ } ++ $token.="\t" if ($#_>=0); ++ $out.=$token.join(',',@_)."\n"; ++} ++ ++sub LABEL { # label directive ++ confess(err("ARGNUM")) if ($#_!=0); ++ my ($label)=@_; ++ $out.="$label:\n"; ++} ++ ++sub INCLUDE { ++ confess(err("ARGNUM")) if ($#_!=0); ++ my ($file)=@_; ++ $out.="#include \"$file\"\n"; ++} ++ ++# ++# Mnemonics ++# ++ ++sub stfle { ++ confess(err("ARGNUM")) if ($#_!=0); ++ S(0xb2b0,@_); ++} ++ ++# MSA ++ ++sub kmac { ++ confess(err("ARGNUM")) if ($#_!=1); ++ RRE(0xb91e,@_); ++} ++ ++sub km { ++ confess(err("ARGNUM")) if ($#_!=1); ++ RRE(0xb92e,@_); ++} ++ ++sub kmc { ++ confess(err("ARGNUM")) if ($#_!=1); ++ RRE(0xb92f,@_); ++} ++ ++sub kimd { ++ confess(err("ARGNUM")) if ($#_!=1); ++ RRE(0xb93e,@_); ++} ++ ++sub klmd { ++ confess(err("ARGNUM")) if ($#_!=1); ++ RRE(0xb93f,@_); ++} ++ ++# MSA4 ++ ++sub kmf { ++ confess(err("ARGNUM")) if ($#_!=1); ++ RRE(0xb92a,@_); ++} ++ ++sub kmo { ++ confess(err("ARGNUM")) if ($#_!=1); ++ RRE(0xb92b,@_); ++} ++ ++sub pcc { ++ confess(err("ARGNUM")) if ($#_!=-1); ++ RRE(0xb92c,@_); ++} ++ ++sub kmctr { ++ confess(err("ARGNUM")) if ($#_!=2); ++ RRFb(0xb92d,@_); ++} ++ ++# MSA5 ++ ++sub prno { ++ ppno(@_); ++} ++ ++sub ppno { # deprecated, use prno ++ confess(err("ARGNUM")) if ($#_!=1); ++ RRE(0xb93c,@_); ++} ++ ++# MSA8 ++ ++sub kma { ++ confess(err("ARGNUM")) if ($#_!=2); ++ RRFb(0xb929,@_); ++} ++ ++# VX - Support Instructions ++ ++sub vgef { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRV(0xe713,@_); ++} ++sub vgeg { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRV(0xe712,@_); ++} ++ ++sub vgbm { ++ confess(err("ARGNUM")) if ($#_!=1); ++ VRIa(0xe744,@_); ++} ++sub vzero { ++ vgbm(@_,0); ++} ++sub vone { ++ vgbm(@_,0xffff); ++} ++ ++sub vgm { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRIb(0xe746,@_); ++} ++sub vgmb { ++ vgm(@_,0); ++} ++sub vgmh { ++ vgm(@_,1); ++} ++sub vgmf { ++ vgm(@_,2); ++} ++sub vgmg { ++ vgm(@_,3); ++} ++ ++sub vl { ++ confess(err("ARGNUM")) if ($#_!=1); ++ VRX(0xe706,@_); ++} ++ ++sub vlr { ++ confess(err("ARGNUM")) if ($#_!=1); ++ VRRa(0xe756,@_); ++} ++ ++sub vlrep { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRX(0xe705,@_); ++} ++sub vlrepb { ++ vlrep(@_,0); ++} ++sub vlreph { ++ vlrep(@_,1); ++} ++sub vlrepf { ++ vlrep(@_,2); ++} ++sub vlrepg { ++ vlrep(@_,3); ++} ++ ++sub vleb { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRX(0xe700,@_); ++} ++sub vleh { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRX(0xe701,@_); ++} ++sub vlef { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRX(0xe703,@_); ++} ++sub vleg { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRX(0xe702,@_); ++} ++ ++sub vleib { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRIa(0xe740,@_); ++} ++sub vleih { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRIa(0xe741,@_); ++} ++sub vleif { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRIa(0xe743,@_); ++} ++sub vleig { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRIa(0xe742,@_); ++} ++ ++sub vlgv { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRSc(0xe721,@_); ++} ++sub vlgvb { ++ vlgv(@_,0); ++} ++sub vlgvh { ++ vlgv(@_,1); ++} ++sub vlgvf { ++ vlgv(@_,2); ++} ++sub vlgvg { ++ vlgv(@_,3); ++} ++ ++sub vllez { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRX(0xe704,@_); ++} ++sub vllezb { ++ vllez(@_,0); ++} ++sub vllezh { ++ vllez(@_,1); ++} ++sub vllezf { ++ vllez(@_,2); ++} ++sub vllezg { ++ vllez(@_,3); ++} ++ ++sub vlm { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRSa(0xe736,@_); ++} ++ ++sub vlbb { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRX(0xe707,@_); ++} ++ ++sub vlvg { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRSb(0xe722,@_); ++} ++sub vlvgb { ++ vlvg(@_,0); ++} ++sub vlvgh { ++ vlvg(@_,1); ++} ++sub vlvgf { ++ vlvg(@_,2); ++} ++sub vlvgg { ++ vlvg(@_,3); ++} ++ ++sub vlvgp { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRf(0xe762,@_); ++} ++ ++sub vll { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRSb(0xe737,@_); ++} ++ ++sub vmrh { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe761,@_); ++} ++sub vmrhb { ++ vmrh(@_,0); ++} ++sub vmrhh { ++ vmrh(@_,1); ++} ++sub vmrhf { ++ vmrh(@_,2); ++} ++sub vmrhg { ++ vmrh(@_,3); ++} ++ ++sub vmrl { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe760,@_); ++} ++sub vmrlb { ++ vmrl(@_,0); ++} ++sub vmrlh { ++ vmrl(@_,1); ++} ++sub vmrlf { ++ vmrl(@_,2); ++} ++sub vmrlg { ++ vmrl(@_,3); ++} ++ ++sub vpk { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe794,@_); ++} ++sub vpkh { ++ vpk(@_,1); ++} ++sub vpkf { ++ vpk(@_,2); ++} ++sub vpkg { ++ vpk(@_,3); ++} ++ ++sub vpks { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRb(0xe797,@_); ++} ++sub vpksh { ++ vpks(@_,1,0); ++} ++sub vpksf { ++ vpks(@_,2,0); ++} ++sub vpksg { ++ vpks(@_,3,0); ++} ++sub vpkshs { ++ vpks(@_,1,1); ++} ++sub vpksfs { ++ vpks(@_,2,1); ++} ++sub vpksgs { ++ vpks(@_,3,1); ++} ++ ++sub vpkls { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRb(0xe795,@_); ++} ++sub vpklsh { ++ vpkls(@_,1,0); ++} ++sub vpklsf { ++ vpkls(@_,2,0); ++} ++sub vpklsg { ++ vpkls(@_,3,0); ++} ++sub vpklshs { ++ vpkls(@_,1,1); ++} ++sub vpklsfs { ++ vpkls(@_,2,1); ++} ++sub vpklsgs { ++ vpkls(@_,3,1); ++} ++ ++sub vperm { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRe(0xe78c,@_); ++} ++ ++sub vpdi { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe784,@_); ++} ++ ++sub vrep { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRIc(0xe74d,@_); ++} ++sub vrepb { ++ vrep(@_,0); ++} ++sub vreph { ++ vrep(@_,1); ++} ++sub vrepf { ++ vrep(@_,2); ++} ++sub vrepg { ++ vrep(@_,3); ++} ++ ++sub vrepi { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRIa(0xe745,@_); ++} ++sub vrepib { ++ vrepi(@_,0); ++} ++sub vrepih { ++ vrepi(@_,1); ++} ++sub vrepif { ++ vrepi(@_,2); ++} ++sub vrepig { ++ vrepi(@_,3); ++} ++ ++sub vscef { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRV(0xe71b,@_); ++} ++sub vsceg { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRV(0xe71a,@_); ++} ++ ++sub vsel { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRe(0xe78d,@_); ++} ++ ++sub vseg { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRa(0xe75f,@_); ++} ++sub vsegb { ++ vseg(@_,0); ++} ++sub vsegh { ++ vseg(@_,1); ++} ++sub vsegf { ++ vseg(@_,2); ++} ++ ++sub vst { ++ confess(err("ARGNUM")) if ($#_!=1); ++ VRX(0xe70e,@_); ++} ++ ++sub vsteb { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRX(0xe708,@_); ++} ++sub vsteh { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRX(0xe709,@_); ++} ++sub vstef { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRX(0xe70b,@_); ++} ++sub vsteg { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRX(0xe70a,@_); ++} ++ ++sub vstm { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRSa(0xe73e,@_); ++} ++ ++sub vstl { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRSb(0xe73f,@_); ++} ++ ++sub vuph { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRa(0xe7d7,@_); ++} ++sub vuphb { ++ vuph(@_,0); ++} ++sub vuphh { ++ vuph(@_,1); ++} ++sub vuphf { ++ vuph(@_,2); ++} ++ ++sub vuplh { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRa(0xe7d5,@_); ++} ++sub vuplhb { ++ vuplh(@_,0); ++} ++sub vuplhh { ++ vuplh(@_,1); ++} ++sub vuplhf { ++ vuplh(@_,2); ++} ++ ++sub vupl { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRa(0xe7d6,@_); ++} ++sub vuplb { ++ vupl(@_,0); ++} ++sub vuplhw { ++ vupl(@_,1); ++} ++sub vuplf { ++ vupl(@_,2); ++} ++ ++sub vupll { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRa(0xe7d4,@_); ++} ++sub vupllb { ++ vupll(@_,0); ++} ++sub vupllh { ++ vupll(@_,1); ++} ++sub vupllf { ++ vupll(@_,2); ++} ++ ++# VX - Integer Instructions ++ ++sub va { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe7f3,@_); ++} ++sub vab { ++ va(@_,0); ++} ++sub vah { ++ va(@_,1); ++} ++sub vaf { ++ va(@_,2); ++} ++sub vag { ++ va(@_,3); ++} ++sub vaq { ++ va(@_,4); ++} ++ ++sub vacc { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe7f1,@_); ++} ++sub vaccb { ++ vacc(@_,0); ++} ++sub vacch { ++ vacc(@_,1); ++} ++sub vaccf { ++ vacc(@_,2); ++} ++sub vaccg { ++ vacc(@_,3); ++} ++sub vaccq { ++ vacc(@_,4); ++} ++ ++sub vac { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRd(0xe7bb,@_); ++} ++sub vacq { ++ vac(@_,4); ++} ++ ++sub vaccc { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRd(0xe7b9,@_); ++} ++sub vacccq { ++ vaccc(@_,4); ++} ++ ++sub vn { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRc(0xe768,@_); ++} ++ ++sub vnc { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRc(0xe769,@_); ++} ++ ++sub vavg { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe7f2,@_); ++} ++sub vavgb { ++ vavg(@_,0); ++} ++sub vavgh { ++ vavg(@_,1); ++} ++sub vavgf { ++ vavg(@_,2); ++} ++sub vavgg { ++ vavg(@_,3); ++} ++ ++sub vavgl { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe7f0,@_); ++} ++sub vavglb { ++ vavgl(@_,0); ++} ++sub vavglh { ++ vavgl(@_,1); ++} ++sub vavglf { ++ vavgl(@_,2); ++} ++sub vavglg { ++ vavgl(@_,3); ++} ++ ++sub vcksm { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRc(0xe766,@_); ++} ++ ++sub vec_ { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRa(0xe7db,@_); ++} ++sub vecb { ++ vec_(@_,0); ++} ++sub vech { ++ vec_(@_,1); ++} ++sub vecf { ++ vec_(@_,2); ++} ++sub vecg { ++ vec_(@_,3); ++} ++ ++sub vecl { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRa(0xe7d9,@_); ++} ++sub veclb { ++ vecl(@_,0); ++} ++sub veclh { ++ vecl(@_,1); ++} ++sub veclf { ++ vecl(@_,2); ++} ++sub veclg { ++ vecl(@_,3); ++} ++ ++sub vceq { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRb(0xe7f8,@_); ++} ++sub vceqb { ++ vceq(@_,0,0); ++} ++sub vceqh { ++ vceq(@_,1,0); ++} ++sub vceqf { ++ vceq(@_,2,0); ++} ++sub vceqg { ++ vceq(@_,3,0); ++} ++sub vceqbs { ++ vceq(@_,0,1); ++} ++sub vceqhs { ++ vceq(@_,1,1); ++} ++sub vceqfs { ++ vceq(@_,2,1); ++} ++sub vceqgs { ++ vceq(@_,3,1); ++} ++ ++sub vch { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRb(0xe7fb,@_); ++} ++sub vchb { ++ vch(@_,0,0); ++} ++sub vchh { ++ vch(@_,1,0); ++} ++sub vchf { ++ vch(@_,2,0); ++} ++sub vchg { ++ vch(@_,3,0); ++} ++sub vchbs { ++ vch(@_,0,1); ++} ++sub vchhs { ++ vch(@_,1,1); ++} ++sub vchfs { ++ vch(@_,2,1); ++} ++sub vchgs { ++ vch(@_,3,1); ++} ++ ++sub vchl { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRb(0xe7f9,@_); ++} ++sub vchlb { ++ vchl(@_,0,0); ++} ++sub vchlh { ++ vchl(@_,1,0); ++} ++sub vchlf { ++ vchl(@_,2,0); ++} ++sub vchlg { ++ vchl(@_,3,0); ++} ++sub vchlbs { ++ vchl(@_,0,1); ++} ++sub vchlhs { ++ vchl(@_,1,1); ++} ++sub vchlfs { ++ vchl(@_,2,1); ++} ++sub vchlgs { ++ vchl(@_,3,1); ++} ++ ++sub vclz { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRa(0xe753,@_); ++} ++sub vclzb { ++ vclz(@_,0); ++} ++sub vclzh { ++ vclz(@_,1); ++} ++sub vclzf { ++ vclz(@_,2); ++} ++sub vclzg { ++ vclz(@_,3); ++} ++ ++sub vctz { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRa(0xe752,@_); ++} ++sub vctzb { ++ vctz(@_,0); ++} ++sub vctzh { ++ vctz(@_,1); ++} ++sub vctzf { ++ vctz(@_,2); ++} ++sub vctzg { ++ vctz(@_,3); ++} ++ ++sub vx { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRc(0xe76d,@_); ++} ++ ++sub vgfm { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe7b4,@_); ++} ++sub vgfmb { ++ vgfm(@_,0); ++} ++sub vgfmh { ++ vgfm(@_,1); ++} ++sub vgfmf { ++ vgfm(@_,2); ++} ++sub vgfmg { ++ vgfm(@_,3); ++} ++ ++sub vgfma { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRd(0xe7bc,@_); ++} ++sub vgfmab { ++ vgfma(@_,0); ++} ++sub vgfmah { ++ vgfma(@_,1); ++} ++sub vgfmaf { ++ vgfma(@_,2); ++} ++sub vgfmag { ++ vgfma(@_,3); ++} ++ ++sub vlc { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRa(0xe7de,@_); ++} ++sub vlcb { ++ vlc(@_,0); ++} ++sub vlch { ++ vlc(@_,1); ++} ++sub vlcf { ++ vlc(@_,2); ++} ++sub vlcg { ++ vlc(@_,3); ++} ++ ++sub vlp { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRa(0xe7df,@_); ++} ++sub vlpb { ++ vlp(@_,0); ++} ++sub vlph { ++ vlp(@_,1); ++} ++sub vlpf { ++ vlp(@_,2); ++} ++sub vlpg { ++ vlp(@_,3); ++} ++ ++sub vmx { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe7ff,@_); ++} ++sub vmxb { ++ vmx(@_,0); ++} ++sub vmxh { ++ vmx(@_,1); ++} ++sub vmxf { ++ vmx(@_,2); ++} ++sub vmxg { ++ vmx(@_,3); ++} ++ ++sub vmxl { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe7fd,@_); ++} ++sub vmxlb { ++ vmxl(@_,0); ++} ++sub vmxlh { ++ vmxl(@_,1); ++} ++sub vmxlf { ++ vmxl(@_,2); ++} ++sub vmxlg { ++ vmxl(@_,3); ++} ++ ++sub vmn { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe7fe,@_); ++} ++sub vmnb { ++ vmn(@_,0); ++} ++sub vmnh { ++ vmn(@_,1); ++} ++sub vmnf { ++ vmn(@_,2); ++} ++sub vmng { ++ vmn(@_,3); ++} ++ ++sub vmnl { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe7fc,@_); ++} ++sub vmnlb { ++ vmnl(@_,0); ++} ++sub vmnlh { ++ vmnl(@_,1); ++} ++sub vmnlf { ++ vmnl(@_,2); ++} ++sub vmnlg { ++ vmnl(@_,3); ++} ++ ++sub vmal { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRd(0xe7aa,@_); ++} ++sub vmalb { ++ vmal(@_,0); ++} ++sub vmalhw { ++ vmal(@_,1); ++} ++sub vmalf { ++ vmal(@_,2); ++} ++ ++sub vmah { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRd(0xe7ab,@_); ++} ++sub vmahb { ++ vmah(@_,0); ++} ++sub vmahh { ++ vmah(@_,1); ++} ++sub vmahf { ++ vmah(@_,2); ++} ++ ++sub vmalh { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRd(0xe7a9,@_); ++} ++sub vmalhb { ++ vmalh(@_,0); ++} ++sub vmalhh { ++ vmalh(@_,1); ++} ++sub vmalhf { ++ vmalh(@_,2); ++} ++ ++sub vmae { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRd(0xe7ae,@_); ++} ++sub vmaeb { ++ vmae(@_,0); ++} ++sub vmaeh { ++ vmae(@_,1); ++} ++sub vmaef { ++ vmae(@_,2); ++} ++ ++sub vmale { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRd(0xe7ac,@_); ++} ++sub vmaleb { ++ vmale(@_,0); ++} ++sub vmaleh { ++ vmale(@_,1); ++} ++sub vmalef { ++ vmale(@_,2); ++} ++ ++sub vmao { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRd(0xe7af,@_); ++} ++sub vmaob { ++ vmao(@_,0); ++} ++sub vmaoh { ++ vmao(@_,1); ++} ++sub vmaof { ++ vmao(@_,2); ++} ++ ++sub vmalo { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRd(0xe7ad,@_); ++} ++sub vmalob { ++ vmalo(@_,0); ++} ++sub vmaloh { ++ vmalo(@_,1); ++} ++sub vmalof { ++ vmalo(@_,2); ++} ++ ++sub vmh { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe7a3,@_); ++} ++sub vmhb { ++ vmh(@_,0); ++} ++sub vmhh { ++ vmh(@_,1); ++} ++sub vmhf { ++ vmh(@_,2); ++} ++ ++sub vmlh { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe7a1,@_); ++} ++sub vmlhb { ++ vmlh(@_,0); ++} ++sub vmlhh { ++ vmlh(@_,1); ++} ++sub vmlhf { ++ vmlh(@_,2); ++} ++ ++sub vml { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe7a2,@_); ++} ++sub vmlb { ++ vml(@_,0); ++} ++sub vmlhw { ++ vml(@_,1); ++} ++sub vmlf { ++ vml(@_,2); ++} ++ ++sub vme { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe7a6,@_); ++} ++sub vmeb { ++ vme(@_,0); ++} ++sub vmeh { ++ vme(@_,1); ++} ++sub vmef { ++ vme(@_,2); ++} ++ ++sub vmle { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe7a4,@_); ++} ++sub vmleb { ++ vmle(@_,0); ++} ++sub vmleh { ++ vmle(@_,1); ++} ++sub vmlef { ++ vmle(@_,2); ++} ++ ++sub vmo { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe7a7,@_); ++} ++sub vmob { ++ vmo(@_,0); ++} ++sub vmoh { ++ vmo(@_,1); ++} ++sub vmof { ++ vmo(@_,2); ++} ++ ++sub vmlo { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe7a5,@_); ++} ++sub vmlob { ++ vmlo(@_,0); ++} ++sub vmloh { ++ vmlo(@_,1); ++} ++sub vmlof { ++ vmlo(@_,2); ++} ++ ++sub vno { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRc(0xe76b,@_); ++} ++sub vnot { ++ vno(@_,$_[1]); ++} ++ ++sub vo { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRc(0xe76a,@_); ++} ++ ++sub vpopct { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRa(0xe750,@_); ++} ++ ++sub verllv { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe773,@_); ++} ++sub verllvb { ++ verllv(@_,0); ++} ++sub verllvh { ++ verllv(@_,1); ++} ++sub verllvf { ++ verllv(@_,2); ++} ++sub verllvg { ++ verllv(@_,3); ++} ++ ++sub verll { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRSa(0xe733,@_); ++} ++sub verllb { ++ verll(@_,0); ++} ++sub verllh { ++ verll(@_,1); ++} ++sub verllf { ++ verll(@_,2); ++} ++sub verllg { ++ verll(@_,3); ++} ++ ++sub verim { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRId(0xe772,@_); ++} ++sub verimb { ++ verim(@_,0); ++} ++sub verimh { ++ verim(@_,1); ++} ++sub verimf { ++ verim(@_,2); ++} ++sub verimg { ++ verim(@_,3); ++} ++ ++sub veslv { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe770,@_); ++} ++sub veslvb { ++ veslv(@_,0); ++} ++sub veslvh { ++ veslv(@_,1); ++} ++sub veslvf { ++ veslv(@_,2); ++} ++sub veslvg { ++ veslv(@_,3); ++} ++ ++sub vesl { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRSa(0xe730,@_); ++} ++sub veslb { ++ vesl(@_,0); ++} ++sub veslh { ++ vesl(@_,1); ++} ++sub veslf { ++ vesl(@_,2); ++} ++sub veslg { ++ vesl(@_,3); ++} ++ ++sub vesrav { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe77a,@_); ++} ++sub vesravb { ++ vesrav(@_,0); ++} ++sub vesravh { ++ vesrav(@_,1); ++} ++sub vesravf { ++ vesrav(@_,2); ++} ++sub vesravg { ++ vesrav(@_,3); ++} ++ ++sub vesra { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRSa(0xe73a,@_); ++} ++sub vesrab { ++ vesra(@_,0); ++} ++sub vesrah { ++ vesra(@_,1); ++} ++sub vesraf { ++ vesra(@_,2); ++} ++sub vesrag { ++ vesra(@_,3); ++} ++ ++sub vesrlv { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe778,@_); ++} ++sub vesrlvb { ++ vesrlv(@_,0); ++} ++sub vesrlvh { ++ vesrlv(@_,1); ++} ++sub vesrlvf { ++ vesrlv(@_,2); ++} ++sub vesrlvg { ++ vesrlv(@_,3); ++} ++ ++sub vesrl { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRSa(0xe738,@_); ++} ++sub vesrlb { ++ vesrl(@_,0); ++} ++sub vesrlh { ++ vesrl(@_,1); ++} ++sub vesrlf { ++ vesrl(@_,2); ++} ++sub vesrlg { ++ vesrl(@_,3); ++} ++ ++sub vsl { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRc(0xe774,@_); ++} ++ ++sub vslb { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRc(0xe775,@_); ++} ++ ++sub vsldb { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRId(0xe777,@_); ++} ++ ++sub vsra { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRc(0xe77e,@_); ++} ++ ++sub vsrab { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRc(0xe77f,@_); ++} ++ ++sub vsrl { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRc(0xe77c,@_); ++} ++ ++sub vsrlb { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRc(0xe77d,@_); ++} ++ ++sub vs { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe7f7,@_); ++} ++sub vsb { ++ vs(@_,0); ++} ++sub vsh { ++ vs(@_,1); ++} ++sub vsf { ++ vs(@_,2); ++} ++sub vsg { ++ vs(@_,3); ++} ++sub vsq { ++ vs(@_,4); ++} ++ ++sub vscbi { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe7f5,@_); ++} ++sub vscbib { ++ vscbi(@_,0); ++} ++sub vscbih { ++ vscbi(@_,1); ++} ++sub vscbif { ++ vscbi(@_,2); ++} ++sub vscbig { ++ vscbi(@_,3); ++} ++sub vscbiq { ++ vscbi(@_,4); ++} ++ ++sub vsbi { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRd(0xe7bf,@_); ++} ++sub vsbiq { ++ vsbi(@_,4); ++} ++ ++sub vsbcbi { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRd(0xe7bd,@_); ++} ++sub vsbcbiq { ++ vsbcbi(@_,4); ++} ++ ++sub vsumg { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe765,@_); ++} ++sub vsumgh { ++ vsumg(@_,1); ++} ++sub vsumgf { ++ vsumg(@_,2); ++} ++ ++sub vsumq { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe767,@_); ++} ++sub vsumqf { ++ vsumq(@_,2); ++} ++sub vsumqg { ++ vsumq(@_,3); ++} ++ ++sub vsum { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRc(0xe764,@_); ++} ++sub vsumb { ++ vsum(@_,0); ++} ++sub vsumh { ++ vsum(@_,1); ++} ++ ++sub vtm { ++ confess(err("ARGNUM")) if ($#_!=1); ++ VRRa(0xe7d8,@_); ++} ++ ++# VX - String Instructions ++ ++sub vfae { ++ confess(err("ARGNUM")) if ($#_<3||$#_>4); ++ VRRb(0xe782,@_); ++} ++sub vfaeb { ++ vfae(@_[0..2],0,$_[3]); ++} ++sub vfaeh { ++ vfae(@_[0..2],1,$_[3]); ++} ++sub vfaef { ++ vfae(@_[0..2],2,$_[3]); ++} ++sub vfaebs { ++ $_[3]=0 if (!defined($_[3])); ++ vfae(@_[0..2],0,0x1|$_[3]); ++} ++sub vfaehs { ++ $_[3]=0 if (!defined($_[3])); ++ vfae(@_[0..2],1,0x1|$_[3]); ++} ++sub vfaefs { ++ $_[3]=0 if (!defined($_[3])); ++ vfae(@_[0..2],2,0x1|$_[3]); ++} ++sub vfaezb { ++ $_[3]=0 if (!defined($_[3])); ++ vfae(@_[0..2],0,0x2|$_[3]); ++} ++sub vfaezh { ++ $_[3]=0 if (!defined($_[3])); ++ vfae(@_[0..2],1,0x2|$_[3]); ++} ++sub vfaezf { ++ $_[3]=0 if (!defined($_[3])); ++ vfae(@_[0..2],2,0x2|$_[3]); ++} ++sub vfaezbs { ++ $_[3]=0 if (!defined($_[3])); ++ vfae(@_[0..2],0,0x3|$_[3]); ++} ++sub vfaezhs { ++ $_[3]=0 if (!defined($_[3])); ++ vfae(@_[0..2],1,0x3|$_[3]); ++} ++sub vfaezfs { ++ $_[3]=0 if (!defined($_[3])); ++ vfae(@_[0..2],2,0x3|$_[3]); ++} ++ ++sub vfee { ++ confess(err("ARGNUM")) if ($#_<3||$#_>4); ++ VRRb(0xe780,@_); ++} ++sub vfeeb { ++ vfee(@_[0..2],0,$_[3]); ++} ++sub vfeeh { ++ vfee(@_[0..2],1,$_[3]); ++} ++sub vfeef { ++ vfee(@_[0..2],2,$_[3]); ++} ++sub vfeebs { ++ vfee(@_,0,1); ++} ++sub vfeehs { ++ vfee(@_,1,1); ++} ++sub vfeefs { ++ vfee(@_,2,1); ++} ++sub vfeezb { ++ vfee(@_,0,2); ++} ++sub vfeezh { ++ vfee(@_,1,2); ++} ++sub vfeezf { ++ vfee(@_,2,2); ++} ++sub vfeezbs { ++ vfee(@_,0,3); ++} ++sub vfeezhs { ++ vfee(@_,1,3); ++} ++sub vfeezfs { ++ vfee(@_,2,3); ++} ++ ++sub vfene { ++ confess(err("ARGNUM")) if ($#_<3||$#_>4); ++ VRRb(0xe781,@_); ++} ++sub vfeneb { ++ vfene(@_[0..2],0,$_[3]); ++} ++sub vfeneh { ++ vfene(@_[0..2],1,$_[3]); ++} ++sub vfenef { ++ vfene(@_[0..2],2,$_[3]); ++} ++sub vfenebs { ++ vfene(@_,0,1); ++} ++sub vfenehs { ++ vfene(@_,1,1); ++} ++sub vfenefs { ++ vfene(@_,2,1); ++} ++sub vfenezb { ++ vfene(@_,0,2); ++} ++sub vfenezh { ++ vfene(@_,1,2); ++} ++sub vfenezf { ++ vfene(@_,2,2); ++} ++sub vfenezbs { ++ vfene(@_,0,3); ++} ++sub vfenezhs { ++ vfene(@_,1,3); ++} ++sub vfenezfs { ++ vfene(@_,2,3); ++} ++ ++sub vistr { ++ confess(err("ARGNUM")) if ($#_<2||$#_>3); ++ VRRa(0xe75c,@_[0..2],0,$_[3]); ++} ++sub vistrb { ++ vistr(@_[0..1],0,$_[2]); ++} ++sub vistrh { ++ vistr(@_[0..1],1,$_[2]); ++} ++sub vistrf { ++ vistr(@_[0..1],2,$_[2]); ++} ++sub vistrbs { ++ vistr(@_,0,1); ++} ++sub vistrhs { ++ vistr(@_,1,1); ++} ++sub vistrfs { ++ vistr(@_,2,1); ++} ++ ++sub vstrc { ++ confess(err("ARGNUM")) if ($#_<4||$#_>5); ++ VRRd(0xe78a,@_); ++} ++sub vstrcb { ++ vstrc(@_[0..3],0,$_[4]); ++} ++sub vstrch { ++ vstrc(@_[0..3],1,$_[4]); ++} ++sub vstrcf { ++ vstrc(@_[0..3],2,$_[4]); ++} ++sub vstrcbs { ++ $_[4]=0 if (!defined($_[4])); ++ vstrc(@_[0..3],0,0x1|$_[4]); ++} ++sub vstrchs { ++ $_[4]=0 if (!defined($_[4])); ++ vstrc(@_[0..3],1,0x1|$_[4]); ++} ++sub vstrcfs { ++ $_[4]=0 if (!defined($_[4])); ++ vstrc(@_[0..3],2,0x1|$_[4]); ++} ++sub vstrczb { ++ $_[4]=0 if (!defined($_[4])); ++ vstrc(@_[0..3],0,0x2|$_[4]); ++} ++sub vstrczh { ++ $_[4]=0 if (!defined($_[4])); ++ vstrc(@_[0..3],1,0x2|$_[4]); ++} ++sub vstrczf { ++ $_[4]=0 if (!defined($_[4])); ++ vstrc(@_[0..3],2,0x2|$_[4]); ++} ++sub vstrczbs { ++ $_[4]=0 if (!defined($_[4])); ++ vstrc(@_[0..3],0,0x3|$_[4]); ++} ++sub vstrczhs { ++ $_[4]=0 if (!defined($_[4])); ++ vstrc(@_[0..3],1,0x3|$_[4]); ++} ++sub vstrczfs { ++ $_[4]=0 if (!defined($_[4])); ++ vstrc(@_[0..3],2,0x3|$_[4]); ++} ++ ++# VX - Floating-point Instructions ++ ++sub vfa { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRc(0xe7e3,@_); ++} ++sub vfadb { ++ vfa(@_,3,0); ++} ++sub wfadb { ++ vfa(@_,3,8); ++} ++ ++sub wfc { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRa(0xe7cb,@_); ++} ++sub wfcdb { ++ wfc(@_,3,0); ++} ++ ++sub wfk { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRa(0xe7ca,@_); ++} ++sub wfksb { ++ wfk(@_,2,0); ++} ++sub wfkdb { ++ wfk(@_,3,0); ++} ++sub wfkxb { ++ wfk(@_,4,0); ++} ++ ++sub vfce { ++ confess(err("ARGNUM")) if ($#_!=5); ++ VRRc(0xe7e8,@_); ++} ++sub vfcedb { ++ vfce(@_,3,0,0); ++} ++sub vfcedbs { ++ vfce(@_,3,0,1); ++} ++sub wfcedb { ++ vfce(@_,3,8,0); ++} ++sub wfcedbs { ++ vfce(@_,3,8,1); ++} ++ ++sub vfch { ++ confess(err("ARGNUM")) if ($#_!=5); ++ VRRc(0xe7eb,@_); ++} ++sub vfchdb { ++ vfch(@_,3,0,0); ++} ++sub vfchdbs { ++ vfch(@_,3,0,1); ++} ++sub wfchdb { ++ vfch(@_,3,8,0); ++} ++sub wfchdbs { ++ vfch(@_,3,8,1); ++} ++ ++sub vfche { ++ confess(err("ARGNUM")) if ($#_!=5); ++ VRRc(0xe7ea,@_); ++} ++sub vfchedb { ++ vfche(@_,3,0,0); ++} ++sub vfchedbs { ++ vfche(@_,3,0,1); ++} ++sub wfchedb { ++ vfche(@_,3,8,0); ++} ++sub wfchedbs { ++ vfche(@_,3,8,1); ++} ++ ++sub vcdg { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRa(0xe7c3,@_); ++} ++sub vcdgb { ++ vcdg(@_[0..1],3,@_[2..3]); ++} ++sub wcdgb { ++ vcdg(@_[0..1],3,0x8|$_[2],$_[3]); ++} ++ ++sub vcdlg { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRa(0xe7c1,@_); ++} ++sub vcdlgb { ++ vcdlg(@_[0..1],3,@_[2..3]); ++} ++sub wcdlgb { ++ vcdlg(@_[0..1],3,0x8|$_[2],$_[3]); ++} ++ ++sub vcgd { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRa(0xe7c2,@_); ++} ++sub vcgdb { ++ vcgd(@_[0..1],3,@_[2..3]); ++} ++sub wcgdb { ++ vcgd(@_[0..1],3,0x8|$_[2],$_[3]); ++} ++ ++sub vclgd { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRa(0xe7c0,@_); ++} ++sub vclgdb { ++ vclgd(@_[0..1],3,@_[2..3]); ++} ++sub wclgdb { ++ vclgd(@_[0..1],3,0x8|$_[2],$_[3]); ++} ++ ++sub vfd { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRc(0xe7e5,@_); ++} ++sub vfddb { ++ vfd(@_,3,0); ++} ++sub wfddb { ++ vfd(@_,3,8); ++} ++ ++sub vfi { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRa(0xe7c7,@_); ++} ++sub vfidb { ++ vfi(@_[0..1],3,@_[2..3]); ++} ++sub wfidb { ++ vfi(@_[0..1],3,0x8|$_[2],$_[3]); ++} ++ ++sub vlde { # deprecated, use vfll ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRa(0xe7c4,@_); ++} ++sub vldeb { # deprecated, use vflls ++ vlde(@_,2,0); ++} ++sub wldeb { # deprecated, use wflls ++ vlde(@_,2,8); ++} ++ ++sub vled { # deprecated, use vflr ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRa(0xe7c5,@_); ++} ++sub vledb { # deprecated, use vflrd ++ vled(@_[0..1],3,@_[2..3]); ++} ++sub wledb { # deprecated, use wflrd ++ vled(@_[0..1],3,0x8|$_[2],$_[3]); ++} ++ ++sub vfm { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRc(0xe7e7,@_); ++} ++sub vfmdb { ++ vfm(@_,3,0); ++} ++sub wfmdb { ++ vfm(@_,3,8); ++} ++ ++sub vfma { ++ confess(err("ARGNUM")) if ($#_!=5); ++ VRRe(0xe78f,@_); ++} ++sub vfmadb { ++ vfma(@_,0,3); ++} ++sub wfmadb { ++ vfma(@_,8,3); ++} ++ ++sub vfms { ++ confess(err("ARGNUM")) if ($#_!=5); ++ VRRe(0xe78e,@_); ++} ++sub vfmsdb { ++ vfms(@_,0,3); ++} ++sub wfmsdb { ++ vfms(@_,8,3); ++} ++ ++sub vfpso { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRa(0xe7cc,@_); ++} ++sub vfpsodb { ++ vfpso(@_[0..1],3,0,$_[2]); ++} ++sub wfpsodb { ++ vfpso(@_[0..1],3,8,$_[2]); ++} ++sub vflcdb { ++ vfpso(@_,3,0,0); ++} ++sub wflcdb { ++ vfpso(@_,3,8,0); ++} ++sub vflndb { ++ vfpso(@_,3,0,1); ++} ++sub wflndb { ++ vfpso(@_,3,8,1); ++} ++sub vflpdb { ++ vfpso(@_,3,0,2); ++} ++sub wflpdb { ++ vfpso(@_,3,8,2); ++} ++ ++sub vfsq { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRRa(0xe7ce,@_); ++} ++sub vfsqdb { ++ vfsq(@_,3,0); ++} ++sub wfsqdb { ++ vfsq(@_,3,8); ++} ++ ++sub vfs { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRRc(0xe7e2,@_); ++} ++sub vfsdb { ++ vfs(@_,3,0); ++} ++sub wfsdb { ++ vfs(@_,3,8); ++} ++ ++sub vftci { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRIe(0xe74a,@_); ++} ++sub vftcidb { ++ vftci(@_,3,0); ++} ++sub wftcidb { ++ vftci(@_,3,8); ++} ++ ++# VXE - Support Instructions ++ ++sub vbperm { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRc(0xe785,@_); ++} ++ ++sub vllezlf { ++ vllez(@_,6); ++} ++ ++# VXE - Integer Instructions ++ ++sub vmsl { ++ confess(err("ARGNUM")) if ($#_!=5); ++ VRRd(0xe7b8,@_); ++} ++sub vmslg { ++ vmsl(@_[0..3],3,$_[4]); ++} ++ ++sub vnx { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRc(0xe76c,@_); ++} ++ ++sub vnn { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRc(0xe76e,@_); ++} ++ ++sub voc { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRc(0xe76f,@_); ++} ++ ++sub vpopctb { ++ vpopct(@_,0); ++} ++sub vpopcth { ++ vpopct(@_,1); ++} ++sub vpopctf { ++ vpopct(@_,2); ++} ++sub vpopctg { ++ vpopct(@_,3); ++} ++ ++# VXE - Floating-Point Instructions ++ ++sub vfasb { ++ vfa(@_,2,0); ++} ++sub wfasb { ++ vfa(@_,2,8); ++} ++sub wfaxb { ++ vfa(@_,4,8); ++} ++ ++sub wfcsb { ++ wfc(@_,2,0); ++} ++sub wfcxb { ++ wfc(@_,4,0); ++} ++ ++sub vfcesb { ++ vfce(@_,2,0,0); ++} ++sub vfcesbs { ++ vfce(@_,2,0,1); ++} ++sub wfcesb { ++ vfce(@_,2,8,0); ++} ++sub wfcesbs { ++ vfce(@_,2,8,1); ++} ++sub wfcexb { ++ vfce(@_,4,8,0); ++} ++sub wfcexbs { ++ vfce(@_,4,8,1); ++} ++ ++sub vfchsb { ++ vfch(@_,2,0,0); ++} ++sub vfchsbs { ++ vfch(@_,2,0,1); ++} ++sub wfchsb { ++ vfch(@_,2,8,0); ++} ++sub wfchsbs { ++ vfch(@_,2,8,1); ++} ++sub wfchxb { ++ vfch(@_,4,8,0); ++} ++sub wfchxbs { ++ vfch(@_,4,8,1); ++} ++ ++sub vfchesb { ++ vfche(@_,2,0,0); ++} ++sub vfchesbs { ++ vfche(@_,2,0,1); ++} ++sub wfchesb { ++ vfche(@_,2,8,0); ++} ++sub wfchesbs { ++ vfche(@_,2,8,1); ++} ++sub wfchexb { ++ vfche(@_,4,8,0); ++} ++sub wfchexbs { ++ vfche(@_,4,8,1); ++} ++ ++sub vfdsb { ++ vfd(@_,2,0); ++} ++sub wfdsb { ++ vfd(@_,2,8); ++} ++sub wfdxb { ++ vfd(@_,4,8); ++} ++ ++sub vfisb { ++ vfi(@_[0..1],2,@_[2..3]); ++} ++sub wfisb { ++ vfi(@_[0..1],2,0x8|$_[2],$_[3]); ++} ++sub wfixb { ++ vfi(@_[0..1],4,0x8|$_[2],$_[3]); ++} ++ ++sub vfll { ++ vlde(@_); ++} ++sub vflls { ++ vfll(@_,2,0); ++} ++sub wflls { ++ vfll(@_,2,8); ++} ++sub wflld { ++ vfll(@_,3,8); ++} ++ ++sub vflr { ++ vled(@_); ++} ++sub vflrd { ++ vflr(@_[0..1],3,@_[2..3]); ++} ++sub wflrd { ++ vflr(@_[0..1],3,0x8|$_[2],$_[3]); ++} ++sub wflrx { ++ vflr(@_[0..1],4,0x8|$_[2],$_[3]); ++} ++ ++sub vfmax { ++ confess(err("ARGNUM")) if ($#_!=5); ++ VRRc(0xe7ef,@_); ++} ++sub vfmaxsb { ++ vfmax(@_[0..2],2,0,$_[3]); ++} ++sub vfmaxdb { ++ vfmax(@_[0..2],3,0,$_[3]); ++} ++sub wfmaxsb { ++ vfmax(@_[0..2],2,8,$_[3]); ++} ++sub wfmaxdb { ++ vfmax(@_[0..2],3,8,$_[3]); ++} ++sub wfmaxxb { ++ vfmax(@_[0..2],4,8,$_[3]); ++} ++ ++sub vfmin { ++ confess(err("ARGNUM")) if ($#_!=5); ++ VRRc(0xe7ee,@_); ++} ++sub vfminsb { ++ vfmin(@_[0..2],2,0,$_[5]); ++} ++sub vfmindb { ++ vfmin(@_[0..2],3,0,$_[5]); ++} ++sub wfminsb { ++ vfmin(@_[0..2],2,8,$_[5]); ++} ++sub wfmindb { ++ vfmin(@_[0..2],3,8,$_[5]); ++} ++sub wfminxb { ++ vfmin(@_[0..2],4,8,$_[5]); ++} ++ ++sub vfmsb { ++ vfm(@_,2,0); ++} ++sub wfmsb { ++ vfm(@_,2,8); ++} ++sub wfmxb { ++ vfm(@_,4,8); ++} ++ ++sub vfmasb { ++ vfma(@_,0,2); ++} ++sub wfmasb { ++ vfma(@_,8,2); ++} ++sub wfmaxb { ++ vfma(@_,8,4); ++} ++ ++sub vfmssb { ++ vfms(@_,0,2); ++} ++sub wfmssb { ++ vfms(@_,8,2); ++} ++sub wfmsxb { ++ vfms(@_,8,4); ++} ++ ++sub vfnma { ++ confess(err("ARGNUM")) if ($#_!=5); ++ VRRe(0xe79f,@_); ++} ++sub vfnmasb { ++ vfnma(@_,0,2); ++} ++sub vfnmadb { ++ vfnma(@_,0,3); ++} ++sub wfnmasb { ++ vfnma(@_,8,2); ++} ++sub wfnmadb { ++ vfnma(@_,8,3); ++} ++sub wfnmaxb { ++ vfnma(@_,8,4); ++} ++ ++sub vfnms { ++ confess(err("ARGNUM")) if ($#_!=5); ++ VRRe(0xe79e,@_); ++} ++sub vfnmssb { ++ vfnms(@_,0,2); ++} ++sub vfnmsdb { ++ vfnms(@_,0,3); ++} ++sub wfnmssb { ++ vfnms(@_,8,2); ++} ++sub wfnmsdb { ++ vfnms(@_,8,3); ++} ++sub wfnmsxb { ++ vfnms(@_,8,4); ++} ++ ++sub vfpsosb { ++ vfpso(@_[0..1],2,0,$_[2]); ++} ++sub wfpsosb { ++ vfpso(@_[0..1],2,8,$_[2]); ++} ++sub vflcsb { ++ vfpso(@_,2,0,0); ++} ++sub wflcsb { ++ vfpso(@_,2,8,0); ++} ++sub vflnsb { ++ vfpso(@_,2,0,1); ++} ++sub wflnsb { ++ vfpso(@_,2,8,1); ++} ++sub vflpsb { ++ vfpso(@_,2,0,2); ++} ++sub wflpsb { ++ vfpso(@_,2,8,2); ++} ++sub vfpsoxb { ++ vfpso(@_[0..1],4,0,$_[2]); ++} ++sub wfpsoxb { ++ vfpso(@_[0..1],4,8,$_[2]); ++} ++sub vflcxb { ++ vfpso(@_,4,0,0); ++} ++sub wflcxb { ++ vfpso(@_,4,8,0); ++} ++sub vflnxb { ++ vfpso(@_,4,0,1); ++} ++sub wflnxb { ++ vfpso(@_,4,8,1); ++} ++sub vflpxb { ++ vfpso(@_,4,0,2); ++} ++sub wflpxb { ++ vfpso(@_,4,8,2); ++} ++ ++sub vfsqsb { ++ vfsq(@_,2,0); ++} ++sub wfsqsb { ++ vfsq(@_,2,8); ++} ++sub wfsqxb { ++ vfsq(@_,4,8); ++} ++ ++sub vfssb { ++ vfs(@_,2,0); ++} ++sub wfssb { ++ vfs(@_,2,8); ++} ++sub wfsxb { ++ vfs(@_,4,8); ++} ++ ++sub vftcisb { ++ vftci(@_,2,0); ++} ++sub wftcisb { ++ vftci(@_,2,8); ++} ++sub wftcixb { ++ vftci(@_,4,8); ++} ++ ++# VXD - Support Instructions ++ ++sub vlrlr { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRSd(0xe637,@_); ++} ++ ++sub vlrl { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VSI(0xe635,@_); ++} ++ ++sub vstrlr { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRSd(0xe63f,@_); ++} ++ ++sub vstrl { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VSI(0xe63d,@_); ++} ++ ++sub vap { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRIf(0xe671,@_); ++} ++ ++sub vcp { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRh(0xe677,@_); ++} ++ ++sub vcvb { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRi(0xe650,@_); ++} ++ ++sub vcvbg { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRRi(0xe652,@_); ++} ++ ++sub vcvd { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRIi(0xe658,@_); ++} ++ ++sub vcvdg { ++ confess(err("ARGNUM")) if ($#_!=3); ++ VRIi(0xe65a,@_); ++} ++ ++sub vdp { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRIf(0xe67a,@_); ++} ++ ++sub vlip { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VRIh(0xe649,@_); ++} ++ ++sub vmp { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRIf(0xe678,@_); ++} ++ ++sub vmsp { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRIf(0xe679,@_); ++} ++ ++sub vpkz { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VSI(0xe634,@_); ++} ++ ++sub vpsop { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRIg(0xe65b,@_); ++} ++ ++sub vrp { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRIf(0xe67b,@_); ++} ++ ++sub vsdp { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRIf(0xe67e,@_); ++} ++ ++sub vsrp { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRIg(0xe659,@_); ++} ++ ++sub vsp { ++ confess(err("ARGNUM")) if ($#_!=4); ++ VRIf(0xe673,@_); ++} ++ ++sub vtp { ++ confess(err("ARGNUM")) if ($#_!=0); ++ VRRg(0xe65f,@_); ++} ++ ++sub vupkz { ++ confess(err("ARGNUM")) if ($#_!=2); ++ VSI(0xe63c,@_); ++} ++ ++# ++# Instruction Formats ++# ++ ++sub RRE { ++ confess(err("ARGNUM")) if ($#_<0||2<$#_); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$r1,$r2)=(shift,get_R(shift),get_R(shift)); ++ ++ $out.="\t.long\t".sprintf("%#010x",($opcode<<16|$r1<<4|$r2)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub RRFb { ++ confess(err("ARGNUM")) if ($#_<3||4<$#_); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$r1,$r3,$r2,$m4)=(shift,get_R(shift),get_R(shift) ++ ,get_R(shift),get_M(shift)); ++ ++ $out.="\t.long\t" ++ .sprintf("%#010x",($opcode<<16|$r3<<12|$m4<<8|$r1<<4|$r2)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub S { ++ confess(err("ARGNUM")) if ($#_<0||1<$#_); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$d2,$b2)=(shift,get_DB(shift)); ++ ++ $out.="\t.long\t".sprintf("%#010x",($opcode<<16|$b2<<12|$d2)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRIa { ++ confess(err("ARGNUM")) if ($#_<2||3<$#_); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$i2,$m3)=(shift,get_V(shift),get_I(shift,16), ++ get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)).","; ++ $out.=sprintf("%#06x",$i2).","; ++ $out.=sprintf("%#06x",($m3<<12|RXB($v1)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRIb { ++ confess(err("ARGNUM")) if ($#_!=4); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$i2,$i3,$m4)=(shift,get_V(shift),get_I(shift,8), ++ ,get_I(shift,8),get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)).","; ++ $out.=sprintf("%#06x",($i2<<8|$i3)).","; ++ $out.=sprintf("%#06x",($m4<<12|RXB($v1)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRIc { ++ confess(err("ARGNUM")) if ($#_!=4); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$v3,$i2,$m4)=(shift,get_V(shift),get_V(shift), ++ ,get_I(shift,16),get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)|($v3&0xf)).","; ++ $out.=sprintf("%#06x",$i2).","; ++ $out.=sprintf("%#06x",($m4<<12|RXB($v1,$v3)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRId { ++ confess(err("ARGNUM")) if ($#_<4||$#_>5); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$v2,$v3,$i4,$m5)=(shift,get_V(shift),get_V(shift), ++ ,get_V(shift),get_I(shift,8),get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)|($v2&0xf)).","; ++ $out.=sprintf("%#06x",(($v3&0xf)<<12|$i4)).","; ++ $out.=sprintf("%#06x",($m5<<12|RXB($v1,$v2,$v3)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRIe { ++ confess(err("ARGNUM")) if ($#_!=5); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$v2,$i3,$m4,$m5)=(shift,get_V(shift),get_V(shift), ++ ,get_I(shift,12),get_M(shift),get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)|($v2&0xf)).","; ++ $out.=sprintf("%#06x",($i3<<4|$m5)).","; ++ $out.=sprintf("%#06x",($m4<<12|RXB($v1,$v2)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRIf { ++ confess(err("ARGNUM")) if ($#_!=5); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$v2,$v3,$i4,$m5)=(shift,get_V(shift),get_V(shift), ++ ,get_V(shift),get_I(shift,8),get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)|($v2&0xf)).","; ++ $out.=sprintf("%#06x",(($v3&0xf)<<12|$m5<<4)|$i4>>4).","; ++ $out.=sprintf("%#06x",(($i4&0xf)<<12|RXB($v1,$v2,$v3)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRIg { ++ confess(err("ARGNUM")) if ($#_!=5); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$v2,$i3,$i4,$m5)=(shift,get_V(shift),get_V(shift), ++ ,get_I(shift,8),get_I(shift,8),get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)|($v2&0xf)).","; ++ $out.=sprintf("%#06x",($i4<<8|$m5<<4|$i3>>4)).","; ++ $out.=sprintf("%#06x",(($i3&0xf)<<12|RXB($v1,$v2)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRIh { ++ confess(err("ARGNUM")) if ($#_!=3); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$i2,$i3)=(shift,get_V(shift),get_I(shift,16), ++ get_I(shift,4)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)).","; ++ $out.=sprintf("%#06x",$i2).","; ++ $out.=sprintf("%#06x",($i3<<12|RXB($v1)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRIi { ++ confess(err("ARGNUM")) if ($#_!=4); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$r2,$i3,$m4)=(shift,get_V(shift),get_R(shift), ++ ,get_I(shift,8),get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)|$r2).","; ++ $out.=sprintf("%#06x",($m4<<4|$i3>>4)).","; ++ $out.=sprintf("%#06x",(($i3&0xf)<<12|RXB($v1)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRRa { ++ confess(err("ARGNUM")) if ($#_<2||5<$#_); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$v2,$m3,$m4,$m5)=(shift,get_V(shift),get_V(shift), ++ get_M(shift),get_M(shift),get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v2&0xf))).","; ++ $out.=sprintf("%#06x",($m5<<4|$m4)).","; ++ $out.=sprintf("%#06x",($m3<<12|RXB($v1,$v2)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRRb { ++ confess(err("ARGNUM")) if ($#_<3||5<$#_); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$v2,$v3,$m4,$m5)=(shift,get_V(shift),get_V(shift), ++ get_V(shift),get_M(shift),get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v2&0xf))).","; ++ $out.=sprintf("%#06x",(($v3&0xf)<<12|$m5<<4)).","; ++ $out.=sprintf("%#06x",($m4<<12|RXB($v1,$v2,$v3)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRRc { ++ confess(err("ARGNUM")) if ($#_<3||6<$#_); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$v2,$v3,$m4,$m5,$m6)=(shift,get_V(shift),get_V(shift), ++ get_V(shift),get_M(shift),get_M(shift),get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v2&0xf))).","; ++ $out.=sprintf("%#06x",(($v3&0xf)<<12|$m6<<4|$m5)).","; ++ $out.=sprintf("%#06x",($m4<<12|RXB($v1,$v2,$v3)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRRd { ++ confess(err("ARGNUM")) if ($#_<4||6<$#_); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$v2,$v3,$v4,$m5,$m6)=(shift,get_V(shift),get_V(shift), ++ get_V(shift),get_V(shift),get_M(shift),get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v2&0xf))).","; ++ $out.=sprintf("%#06x",(($v3&0xf)<<12|$m5<<8|$m6<<4)).","; ++ $out.=sprintf("%#06x",(($v4&0xf)<<12|RXB($v1,$v2,$v3,$v4)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRRe { ++ confess(err("ARGNUM")) if ($#_<4||6<$#_); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$v2,$v3,$v4,$m5,$m6)=(shift,get_V(shift),get_V(shift), ++ get_V(shift),get_V(shift),get_M(shift),get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v2&0xf))).","; ++ $out.=sprintf("%#06x",(($v3&0xf)<<12|$m6<<8|$m5)).","; ++ $out.=sprintf("%#06x",(($v4&0xf)<<12|RXB($v1,$v2,$v3,$v4)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRRf { ++ confess(err("ARGNUM")) if ($#_!=3); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$r2,$r3)=(shift,get_V(shift),get_R(shift), ++ get_R(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|$r2)).","; ++ $out.=sprintf("%#06x",($r3<<12)).","; ++ $out.=sprintf("%#06x",(RXB($v1)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRRg { ++ confess(err("ARGNUM")) if ($#_!=1); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1)=(shift,get_V(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf))).","; ++ $out.=sprintf("%#06x",0x0000).","; ++ $out.=sprintf("%#06x",(RXB(0,$v1)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRRh { ++ confess(err("ARGNUM")) if ($#_<2||$#_>3); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$v2,$m3)=(shift,get_V(shift),get_V(shift), ++ get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf))).","; ++ $out.=sprintf("%#06x",(($v2&0xf)<<12|$m3<<4)).","; ++ $out.=sprintf("%#06x",(RXB(0,$v1,$v2)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRRi { ++ confess(err("ARGNUM")) if ($#_!=3); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$r1,$v2,$m3)=(shift,get_R(shift),get_V(shift), ++ get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|$r1<<4|($v2&0xf))).","; ++ $out.=sprintf("%#06x",($m3<<4))."\,"; ++ $out.=sprintf("%#06x",(RXB(0,$v2)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRSa { ++ confess(err("ARGNUM")) if ($#_<3||$#_>4); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$v3,$d2,$b2,$m4)=(shift,get_V(shift),get_V(shift), ++ get_DB(shift),get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v3&0xf))).","; ++ $out.=sprintf("%#06x",($b2<<12|$d2)).","; ++ $out.=sprintf("%#06x",($m4<<12|RXB($v1,$v3)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRSb { ++ confess(err("ARGNUM")) if ($#_<3||$#_>4); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$r3,$d2,$b2,$m4)=(shift,get_V(shift),get_R(shift), ++ get_DB(shift),get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|$r3)).","; ++ $out.=sprintf("%#06x",($b2<<12|$d2)).","; ++ $out.=sprintf("%#06x",($m4<<12|RXB($v1)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRSc { ++ confess(err("ARGNUM")) if ($#_!=4); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$r1,$v3,$d2,$b2,$m4)=(shift,get_R(shift),get_V(shift), ++ get_DB(shift),get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|$r1<<4|($v3&0xf))).","; ++ $out.=sprintf("%#06x",($b2<<12|$d2)).","; ++ $out.=sprintf("%#06x",($m4<<12|RXB(0,$v3)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRSd { ++ confess(err("ARGNUM")) if ($#_!=3); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$r3,$d2,$b2)=(shift,get_V(shift),get_R(shift), ++ get_DB(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|$r3)).","; ++ $out.=sprintf("%#06x",($b2<<12|$d2)).","; ++ $out.=sprintf("%#06x",(($v1&0xf)<<12|RXB(0,0,0,$v1)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRV { ++ confess(err("ARGNUM")) if ($#_<2||$#_>3); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$d2,$v2,$b2,$m3)=(shift,get_V(shift),get_DVB(shift), ++ get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v2&0xf))).","; ++ $out.=sprintf("%#06x",($b2<<12|$d2)).","; ++ $out.=sprintf("%#06x",($m3<<12|RXB($v1,$v2)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VRX { ++ confess(err("ARGNUM")) if ($#_<2||$#_>3); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$d2,$x2,$b2,$m3)=(shift,get_V(shift),get_DXB(shift), ++ get_M(shift)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($x2))).","; ++ $out.=sprintf("%#06x",($b2<<12|$d2)).","; ++ $out.=sprintf("%#06x",($m3<<12|RXB($v1)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++sub VSI { ++ confess(err("ARGNUM")) if ($#_!=3); ++ my $ops=join(',',@_[1..$#_]); ++ my $memn=(caller(1))[3]; ++ $memn=~s/^.*:://; ++ my ($opcode,$v1,$d2,$b2,$i3)=(shift,get_V(shift),get_DB(shift), ++ get_I(shift,8)); ++ ++ $out.="\t.word\t"; ++ $out.=sprintf("%#06x",($opcode&0xff00|$i3)).","; ++ $out.=sprintf("%#06x",($b2<<12|$d2)).","; ++ $out.=sprintf("%#06x",(($v1&0xf)<<12|RXB(0,0,0,$v1)<<8|$opcode&0xff)); ++ $out.="\t# $memn\t$ops\n" ++} ++ ++# ++# Internal ++# ++ ++sub get_R { ++ confess(err("ARGNUM")) if ($#_!=0); ++ my $r; ++ ++ for (shift) { ++ if (!defined) { ++ $r=0; ++ } elsif (/^$GR$/) { ++ $r=$1; ++ } else { ++ confess(err("PARSE")); ++ } ++ } ++ confess(err("ARGRANGE")) if ($r&~0xf); ++ ++ return $r; ++} ++ ++sub get_V { ++ confess(err("ARGNUM")) if ($#_!=0); ++ my $v; ++ ++ for (shift) { ++ if (!defined) { ++ $v=0; ++ } elsif (/^$VR$/) { ++ $v=$1; ++ } else { ++ confess(err("PARSE")); ++ } ++ } ++ confess(err("ARGRANGE")) if ($v&~0x1f); ++ ++ return $v; ++} ++ ++sub get_I { ++ confess(err("ARGNUM")) if ($#_!=1); ++ my ($i,$bits)=(shift,shift); ++ ++ $i=defined($i)?(eval($i)):(0); ++ confess(err("PARSE")) if (!defined($i)); ++ confess(err("ARGRANGE")) if (abs($i)&~(2**$bits-1)); ++ ++ return $i&(2**$bits-1); ++} ++ ++sub get_M { ++ confess(err("ARGNUM")) if ($#_!=0); ++ my $m=shift; ++ ++ $m=defined($m)?(eval($m)):(0); ++ confess(err("PARSE")) if (!defined($m)); ++ confess(err("ARGRANGE")) if ($m&~0xf); ++ ++ return $m; ++} ++ ++sub get_DB ++{ ++ confess(err("ARGNUM")) if ($#_!=0); ++ my ($d,$b); ++ ++ for (shift) { ++ if (!defined) { ++ ($d,$b)=(0,0); ++ } elsif (/^(.+)\($GR\)$/) { ++ ($d,$b)=(eval($1),$2); ++ confess(err("PARSE")) if (!defined($d)); ++ } elsif (/^(.+)$/) { ++ ($d,$b)=(eval($1),0); ++ confess(err("PARSE")) if (!defined($d)); ++ } else { ++ confess(err("PARSE")); ++ } ++ } ++ confess(err("ARGRANGE")) if ($d&~0xfff||$b&~0xf); ++ ++ return ($d,$b); ++} ++ ++sub get_DVB ++{ ++ confess(err("ARGNUM")) if ($#_!=0); ++ my ($d,$v,$b); ++ ++ for (shift) { ++ if (!defined) { ++ ($d,$v,$b)=(0,0,0); ++ } elsif (/^(.+)\($VR,$GR\)$/) { ++ ($d,$v,$b)=(eval($1),$2,$3); ++ confess(err("PARSE")) if (!defined($d)); ++ } elsif (/^(.+)\($GR\)$/) { ++ ($d,$v,$b)=(eval($1),0,$2); ++ confess(err("PARSE")) if (!defined($d)); ++ } elsif (/^(.+)$/) { ++ ($d,$v,$b)=(eval($1),0,0); ++ confess(err("PARSE")) if (!defined($d)); ++ } else { ++ confess(err("PARSE")); ++ } ++ } ++ confess(err("ARGRANGE")) if ($d&~0xfff||$v&~0x1f||$b&~0xf); ++ ++ return ($d,$v,$b); ++} ++ ++sub get_DXB ++{ ++ confess(err("ARGNUM")) if ($#_!=0); ++ my ($d,$x,$b); ++ ++ for (shift) { ++ if (!defined) { ++ ($d,$x,$b)=(0,0,0); ++ } elsif (/^(.+)\($GR,$GR\)$/) { ++ ($d,$x,$b)=(eval($1),$2,$3); ++ confess(err("PARSE")) if (!defined($d)); ++ } elsif (/^(.+)\($GR\)$/) { ++ ($d,$x,$b)=(eval($1),0,$2); ++ confess(err("PARSE")) if (!defined($d)); ++ } elsif (/^(.+)$/) { ++ ($d,$x,$b)=(eval($1),0,0); ++ confess(err("PARSE")) if (!defined($d)); ++ } else { ++ confess(err("PARSE")); ++ } ++ } ++ confess(err("ARGRANGE")) if ($d&~0xfff||$x&~0xf||$b&~0xf); ++ ++ return ($d,$x,$b); ++} ++ ++sub RXB ++{ ++ confess(err("ARGNUM")) if ($#_<0||3<$#_); ++ my $rxb=0; ++ ++ $rxb|=0x08 if (defined($_[0])&&($_[0]&0x10)); ++ $rxb|=0x04 if (defined($_[1])&&($_[1]&0x10)); ++ $rxb|=0x02 if (defined($_[2])&&($_[2]&0x10)); ++ $rxb|=0x01 if (defined($_[3])&&($_[3]&0x10)); ++ ++ return $rxb; ++} ++ ++sub err { ++ my %ERR = ++ ( ++ ARGNUM => 'Wrong number of arguments', ++ ARGRANGE=> 'Argument out of range', ++ PARSE => 'Parse error', ++ ); ++ confess($ERR{ARGNUM}) if ($#_!=0); ++ ++ return $ERR{$_[0]}; ++} ++ ++1; +-- +2.21.0 + diff --git a/0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch b/0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch new file mode 100644 index 0000000..9903091 --- /dev/null +++ b/0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch @@ -0,0 +1,867 @@ +From f760137b2144740916afd9ff381451fa16c710de Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Sat, 4 Aug 2018 00:10:06 +0200 +Subject: [PATCH] crypto/chacha/asm/chacha-s390x.pl: add vx code path. + +Signed-off-by: Patrick Steuer + +Reviewed-by: Tim Hudson +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/6919) +--- + crypto/chacha/asm/chacha-s390x.pl | 816 ++++++++++++++++++++---------- + crypto/chacha/build.info | 1 + + 2 files changed, 558 insertions(+), 259 deletions(-) + +Index: openssl-1.1.1e/crypto/chacha/asm/chacha-s390x.pl +=================================================================== +--- openssl-1.1.1e.orig/crypto/chacha/asm/chacha-s390x.pl 2020-03-19 11:43:25.650616856 +0100 ++++ openssl-1.1.1e/crypto/chacha/asm/chacha-s390x.pl 2020-03-19 11:43:40.614692484 +0100 +@@ -20,41 +20,46 @@ + # + # 3 times faster than compiler-generated code. + +-$flavour = shift; ++# ++# August 2018 ++# ++# Add vx code path. ++# ++# Copyright IBM Corp. 2018 ++# Author: Patrick Steuer ++ ++use strict; ++use FindBin qw($Bin); ++use lib "$Bin/../.."; ++use perlasm::s390x qw(:DEFAULT :VX AUTOLOAD LABEL INCLUDE); ++ ++my $flavour = shift; + ++my ($z,$SIZE_T); + if ($flavour =~ /3[12]/) { ++ $z=0; # S/390 ABI + $SIZE_T=4; +- $g=""; + } else { ++ $z=1; # zSeries ABI + $SIZE_T=8; +- $g="g"; + } + ++my $output; + while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} +-open STDOUT,">$output"; +- +-sub AUTOLOAD() # thunk [simplified] x86-style perlasm +-{ my $opcode = $AUTOLOAD; $opcode =~ s/.*:://; +- $code .= "\t$opcode\t".join(',',@_)."\n"; +-} + + my $sp="%r15"; +- + my $stdframe=16*$SIZE_T+4*8; +-my $frame=$stdframe+4*20; +- +-my ($out,$inp,$len,$key,$counter)=map("%r$_",(2..6)); + + my @x=map("%r$_",(0..7,"x","x","x","x",(10..13))); + my @t=map("%r$_",(8,9)); ++my @v=map("%v$_",(16..31)); + + sub ROUND { + my ($a0,$b0,$c0,$d0)=@_; + my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0)); + my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1)); + my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2)); +-my ($xc,$xc_)=map("\"$_\"",@t); +-my @x=map("\"$_\"",@x); ++my ($xc,$xc_)=map("$_",@t); + + # Consider order in which variables are addressed by their + # index: +@@ -78,249 +83,542 @@ my @x=map("\"$_\"",@x); + # 'c' stores and loads in the middle, but none in the beginning + # or end. + +- ( +- "&alr (@x[$a0],@x[$b0])", # Q1 +- "&alr (@x[$a1],@x[$b1])", # Q2 +- "&xr (@x[$d0],@x[$a0])", +- "&xr (@x[$d1],@x[$a1])", +- "&rll (@x[$d0],@x[$d0],16)", +- "&rll (@x[$d1],@x[$d1],16)", +- +- "&alr ($xc,@x[$d0])", +- "&alr ($xc_,@x[$d1])", +- "&xr (@x[$b0],$xc)", +- "&xr (@x[$b1],$xc_)", +- "&rll (@x[$b0],@x[$b0],12)", +- "&rll (@x[$b1],@x[$b1],12)", +- +- "&alr (@x[$a0],@x[$b0])", +- "&alr (@x[$a1],@x[$b1])", +- "&xr (@x[$d0],@x[$a0])", +- "&xr (@x[$d1],@x[$a1])", +- "&rll (@x[$d0],@x[$d0],8)", +- "&rll (@x[$d1],@x[$d1],8)", +- +- "&alr ($xc,@x[$d0])", +- "&alr ($xc_,@x[$d1])", +- "&xr (@x[$b0],$xc)", +- "&xr (@x[$b1],$xc_)", +- "&rll (@x[$b0],@x[$b0],7)", +- "&rll (@x[$b1],@x[$b1],7)", +- +- "&stm ($xc,$xc_,'$stdframe+4*8+4*$c0($sp)')", # reload pair of 'c's +- "&lm ($xc,$xc_,'$stdframe+4*8+4*$c2($sp)')", +- +- "&alr (@x[$a2],@x[$b2])", # Q3 +- "&alr (@x[$a3],@x[$b3])", # Q4 +- "&xr (@x[$d2],@x[$a2])", +- "&xr (@x[$d3],@x[$a3])", +- "&rll (@x[$d2],@x[$d2],16)", +- "&rll (@x[$d3],@x[$d3],16)", +- +- "&alr ($xc,@x[$d2])", +- "&alr ($xc_,@x[$d3])", +- "&xr (@x[$b2],$xc)", +- "&xr (@x[$b3],$xc_)", +- "&rll (@x[$b2],@x[$b2],12)", +- "&rll (@x[$b3],@x[$b3],12)", +- +- "&alr (@x[$a2],@x[$b2])", +- "&alr (@x[$a3],@x[$b3])", +- "&xr (@x[$d2],@x[$a2])", +- "&xr (@x[$d3],@x[$a3])", +- "&rll (@x[$d2],@x[$d2],8)", +- "&rll (@x[$d3],@x[$d3],8)", +- +- "&alr ($xc,@x[$d2])", +- "&alr ($xc_,@x[$d3])", +- "&xr (@x[$b2],$xc)", +- "&xr (@x[$b3],$xc_)", +- "&rll (@x[$b2],@x[$b2],7)", +- "&rll (@x[$b3],@x[$b3],7)" +- ); +-} +- +-$code.=<<___; +-.text +- +-.globl ChaCha20_ctr32 +-.type ChaCha20_ctr32,\@function +-.align 32 +-ChaCha20_ctr32: +- lt${g}r $len,$len # $len==0? +- bzr %r14 +- a${g}hi $len,-64 +- l${g}hi %r1,-$frame +- stm${g} %r6,%r15,`6*$SIZE_T`($sp) +- sl${g}r $out,$inp # difference +- la $len,0($inp,$len) # end of input minus 64 +- larl %r7,.Lsigma +- lgr %r0,$sp +- la $sp,0(%r1,$sp) +- st${g} %r0,0($sp) +- +- lmg %r8,%r11,0($key) # load key +- lmg %r12,%r13,0($counter) # load counter +- lmg %r6,%r7,0(%r7) # load sigma constant +- +- la %r14,0($inp) +- st${g} $out,$frame+3*$SIZE_T($sp) +- st${g} $len,$frame+4*$SIZE_T($sp) +- stmg %r6,%r13,$stdframe($sp) # copy key schedule to stack +- srlg @x[12],%r12,32 # 32-bit counter value +- j .Loop_outer +- +-.align 16 +-.Loop_outer: +- lm @x[0],@x[7],$stdframe+4*0($sp) # load x[0]-x[7] +- lm @t[0],@t[1],$stdframe+4*10($sp) # load x[10]-x[11] +- lm @x[13],@x[15],$stdframe+4*13($sp) # load x[13]-x[15] +- stm @t[0],@t[1],$stdframe+4*8+4*10($sp) # offload x[10]-x[11] +- lm @t[0],@t[1],$stdframe+4*8($sp) # load x[8]-x[9] +- st @x[12],$stdframe+4*12($sp) # save counter +- st${g} %r14,$frame+2*$SIZE_T($sp) # save input pointer +- lhi %r14,10 +- j .Loop +- +-.align 4 +-.Loop: +-___ +- foreach (&ROUND(0, 4, 8,12)) { eval; } +- foreach (&ROUND(0, 5,10,15)) { eval; } +-$code.=<<___; +- brct %r14,.Loop +- +- l${g} %r14,$frame+2*$SIZE_T($sp) # pull input pointer +- stm @t[0],@t[1],$stdframe+4*8+4*8($sp) # offload x[8]-x[9] +- lm${g} @t[0],@t[1],$frame+3*$SIZE_T($sp) +- +- al @x[0],$stdframe+4*0($sp) # accumulate key schedule +- al @x[1],$stdframe+4*1($sp) +- al @x[2],$stdframe+4*2($sp) +- al @x[3],$stdframe+4*3($sp) +- al @x[4],$stdframe+4*4($sp) +- al @x[5],$stdframe+4*5($sp) +- al @x[6],$stdframe+4*6($sp) +- al @x[7],$stdframe+4*7($sp) +- lrvr @x[0],@x[0] +- lrvr @x[1],@x[1] +- lrvr @x[2],@x[2] +- lrvr @x[3],@x[3] +- lrvr @x[4],@x[4] +- lrvr @x[5],@x[5] +- lrvr @x[6],@x[6] +- lrvr @x[7],@x[7] +- al @x[12],$stdframe+4*12($sp) +- al @x[13],$stdframe+4*13($sp) +- al @x[14],$stdframe+4*14($sp) +- al @x[15],$stdframe+4*15($sp) +- lrvr @x[12],@x[12] +- lrvr @x[13],@x[13] +- lrvr @x[14],@x[14] +- lrvr @x[15],@x[15] +- +- la @t[0],0(@t[0],%r14) # reconstruct output pointer +- cl${g}r %r14,@t[1] +- jh .Ltail +- +- x @x[0],4*0(%r14) # xor with input +- x @x[1],4*1(%r14) +- st @x[0],4*0(@t[0]) # store output +- x @x[2],4*2(%r14) +- st @x[1],4*1(@t[0]) +- x @x[3],4*3(%r14) +- st @x[2],4*2(@t[0]) +- x @x[4],4*4(%r14) +- st @x[3],4*3(@t[0]) +- lm @x[0],@x[3],$stdframe+4*8+4*8($sp) # load x[8]-x[11] +- x @x[5],4*5(%r14) +- st @x[4],4*4(@t[0]) +- x @x[6],4*6(%r14) +- al @x[0],$stdframe+4*8($sp) +- st @x[5],4*5(@t[0]) +- x @x[7],4*7(%r14) +- al @x[1],$stdframe+4*9($sp) +- st @x[6],4*6(@t[0]) +- x @x[12],4*12(%r14) +- al @x[2],$stdframe+4*10($sp) +- st @x[7],4*7(@t[0]) +- x @x[13],4*13(%r14) +- al @x[3],$stdframe+4*11($sp) +- st @x[12],4*12(@t[0]) +- x @x[14],4*14(%r14) +- st @x[13],4*13(@t[0]) +- x @x[15],4*15(%r14) +- st @x[14],4*14(@t[0]) +- lrvr @x[0],@x[0] +- st @x[15],4*15(@t[0]) +- lrvr @x[1],@x[1] +- lrvr @x[2],@x[2] +- lrvr @x[3],@x[3] +- lhi @x[12],1 +- x @x[0],4*8(%r14) +- al @x[12],$stdframe+4*12($sp) # increment counter +- x @x[1],4*9(%r14) +- st @x[0],4*8(@t[0]) +- x @x[2],4*10(%r14) +- st @x[1],4*9(@t[0]) +- x @x[3],4*11(%r14) +- st @x[2],4*10(@t[0]) +- st @x[3],4*11(@t[0]) +- +- cl${g}r %r14,@t[1] # done yet? +- la %r14,64(%r14) +- jl .Loop_outer +- +-.Ldone: +- xgr %r0,%r0 +- xgr %r1,%r1 +- xgr %r2,%r2 +- xgr %r3,%r3 +- stmg %r0,%r3,$stdframe+4*4($sp) # wipe key copy +- stmg %r0,%r3,$stdframe+4*12($sp) +- +- lm${g} %r6,%r15,`$frame+6*$SIZE_T`($sp) +- br %r14 +- +-.align 16 +-.Ltail: +- la @t[1],64($t[1]) +- stm @x[0],@x[7],$stdframe+4*0($sp) +- sl${g}r @t[1],%r14 +- lm @x[0],@x[3],$stdframe+4*8+4*8($sp) +- l${g}hi @x[6],0 +- stm @x[12],@x[15],$stdframe+4*12($sp) +- al @x[0],$stdframe+4*8($sp) +- al @x[1],$stdframe+4*9($sp) +- al @x[2],$stdframe+4*10($sp) +- al @x[3],$stdframe+4*11($sp) +- lrvr @x[0],@x[0] +- lrvr @x[1],@x[1] +- lrvr @x[2],@x[2] +- lrvr @x[3],@x[3] +- stm @x[0],@x[3],$stdframe+4*8($sp) +- +-.Loop_tail: +- llgc @x[4],0(@x[6],%r14) +- llgc @x[5],$stdframe(@x[6],$sp) +- xr @x[5],@x[4] +- stc @x[5],0(@x[6],@t[0]) +- la @x[6],1(@x[6]) +- brct @t[1],.Loop_tail +- +- j .Ldone +-.size ChaCha20_ctr32,.-ChaCha20_ctr32 +- +-.align 32 +-.Lsigma: +-.long 0x61707865,0x3320646e,0x79622d32,0x6b206574 # endian-neutral +-.asciz "ChaCha20 for s390x, CRYPTOGAMS by " +-.align 4 +-___ ++ alr (@x[$a0],@x[$b0]); # Q1 ++ alr (@x[$a1],@x[$b1]); # Q2 ++ xr (@x[$d0],@x[$a0]); ++ xr (@x[$d1],@x[$a1]); ++ rll (@x[$d0],@x[$d0],16); ++ rll (@x[$d1],@x[$d1],16); ++ ++ alr ($xc,@x[$d0]); ++ alr ($xc_,@x[$d1]); ++ xr (@x[$b0],$xc); ++ xr (@x[$b1],$xc_); ++ rll (@x[$b0],@x[$b0],12); ++ rll (@x[$b1],@x[$b1],12); ++ ++ alr (@x[$a0],@x[$b0]); ++ alr (@x[$a1],@x[$b1]); ++ xr (@x[$d0],@x[$a0]); ++ xr (@x[$d1],@x[$a1]); ++ rll (@x[$d0],@x[$d0],8); ++ rll (@x[$d1],@x[$d1],8); ++ ++ alr ($xc,@x[$d0]); ++ alr ($xc_,@x[$d1]); ++ xr (@x[$b0],$xc); ++ xr (@x[$b1],$xc_); ++ rll (@x[$b0],@x[$b0],7); ++ rll (@x[$b1],@x[$b1],7); ++ ++ stm ($xc,$xc_,"$stdframe+4*8+4*$c0($sp)"); # reload pair of 'c's ++ lm ($xc,$xc_,"$stdframe+4*8+4*$c2($sp)"); ++ ++ alr (@x[$a2],@x[$b2]); # Q3 ++ alr (@x[$a3],@x[$b3]); # Q4 ++ xr (@x[$d2],@x[$a2]); ++ xr (@x[$d3],@x[$a3]); ++ rll (@x[$d2],@x[$d2],16); ++ rll (@x[$d3],@x[$d3],16); ++ ++ alr ($xc,@x[$d2]); ++ alr ($xc_,@x[$d3]); ++ xr (@x[$b2],$xc); ++ xr (@x[$b3],$xc_); ++ rll (@x[$b2],@x[$b2],12); ++ rll (@x[$b3],@x[$b3],12); ++ ++ alr (@x[$a2],@x[$b2]); ++ alr (@x[$a3],@x[$b3]); ++ xr (@x[$d2],@x[$a2]); ++ xr (@x[$d3],@x[$a3]); ++ rll (@x[$d2],@x[$d2],8); ++ rll (@x[$d3],@x[$d3],8); ++ ++ alr ($xc,@x[$d2]); ++ alr ($xc_,@x[$d3]); ++ xr (@x[$b2],$xc); ++ xr (@x[$b3],$xc_); ++ rll (@x[$b2],@x[$b2],7); ++ rll (@x[$b3],@x[$b3],7); ++} ++ ++sub VX_ROUND { ++my ($a0,$b0,$c0,$d0)=@_; ++my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0)); ++my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1)); ++my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2)); ++ ++ vaf (@v[$a0],@v[$a0],@v[$b0]); ++ vaf (@v[$a1],@v[$a1],@v[$b1]); ++ vaf (@v[$a2],@v[$a2],@v[$b2]); ++ vaf (@v[$a3],@v[$a3],@v[$b3]); ++ vx (@v[$d0],@v[$d0],@v[$a0]); ++ vx (@v[$d1],@v[$d1],@v[$a1]); ++ vx (@v[$d2],@v[$d2],@v[$a2]); ++ vx (@v[$d3],@v[$d3],@v[$a3]); ++ verllf (@v[$d0],@v[$d0],16); ++ verllf (@v[$d1],@v[$d1],16); ++ verllf (@v[$d2],@v[$d2],16); ++ verllf (@v[$d3],@v[$d3],16); ++ ++ vaf (@v[$c0],@v[$c0],@v[$d0]); ++ vaf (@v[$c1],@v[$c1],@v[$d1]); ++ vaf (@v[$c2],@v[$c2],@v[$d2]); ++ vaf (@v[$c3],@v[$c3],@v[$d3]); ++ vx (@v[$b0],@v[$b0],@v[$c0]); ++ vx (@v[$b1],@v[$b1],@v[$c1]); ++ vx (@v[$b2],@v[$b2],@v[$c2]); ++ vx (@v[$b3],@v[$b3],@v[$c3]); ++ verllf (@v[$b0],@v[$b0],12); ++ verllf (@v[$b1],@v[$b1],12); ++ verllf (@v[$b2],@v[$b2],12); ++ verllf (@v[$b3],@v[$b3],12); ++ ++ vaf (@v[$a0],@v[$a0],@v[$b0]); ++ vaf (@v[$a1],@v[$a1],@v[$b1]); ++ vaf (@v[$a2],@v[$a2],@v[$b2]); ++ vaf (@v[$a3],@v[$a3],@v[$b3]); ++ vx (@v[$d0],@v[$d0],@v[$a0]); ++ vx (@v[$d1],@v[$d1],@v[$a1]); ++ vx (@v[$d2],@v[$d2],@v[$a2]); ++ vx (@v[$d3],@v[$d3],@v[$a3]); ++ verllf (@v[$d0],@v[$d0],8); ++ verllf (@v[$d1],@v[$d1],8); ++ verllf (@v[$d2],@v[$d2],8); ++ verllf (@v[$d3],@v[$d3],8); ++ ++ vaf (@v[$c0],@v[$c0],@v[$d0]); ++ vaf (@v[$c1],@v[$c1],@v[$d1]); ++ vaf (@v[$c2],@v[$c2],@v[$d2]); ++ vaf (@v[$c3],@v[$c3],@v[$d3]); ++ vx (@v[$b0],@v[$b0],@v[$c0]); ++ vx (@v[$b1],@v[$b1],@v[$c1]); ++ vx (@v[$b2],@v[$b2],@v[$c2]); ++ vx (@v[$b3],@v[$b3],@v[$c3]); ++ verllf (@v[$b0],@v[$b0],7); ++ verllf (@v[$b1],@v[$b1],7); ++ verllf (@v[$b2],@v[$b2],7); ++ verllf (@v[$b3],@v[$b3],7); ++} ++ ++PERLASM_BEGIN($output); + +-foreach (split("\n",$code)) { +- s/\`([^\`]*)\`/eval $1/ge; ++INCLUDE ("s390x_arch.h"); ++TEXT (); + +- print $_,"\n"; ++################ ++# void ChaCha20_ctr32(unsigned char *out, const unsigned char *inp, size_t len, ++# const unsigned int key[8], const unsigned int counter[4]) ++{ ++my ($out,$inp,$len,$key,$counter)=map("%r$_",(2..6)); ++ ++# VX CODE PATH ++{ ++my $off=$z*8*16+8; # offset(initial state) ++my $frame=$stdframe+4*16+$off; ++ ++GLOBL ("ChaCha20_ctr32"); ++TYPE ("ChaCha20_ctr32","\@function"); ++ALIGN (32); ++LABEL ("ChaCha20_ctr32"); ++ larl ("%r1","OPENSSL_s390xcap_P"); ++ ++ lghi ("%r0",64); ++&{$z? \&cgr:\&cr} ($len,"%r0"); ++ jle ("_s390x_chacha_novx"); ++ ++ lg ("%r0","S390X_STFLE+16(%r1)"); ++ tmhh ("%r0",0x4000); # check for vector facility ++ jz ("_s390x_chacha_novx"); ++ ++if (!$z) { ++ llgfr ($len,$len); ++ std ("%f4","16*$SIZE_T+2*8($sp)"); ++ std ("%f6","16*$SIZE_T+3*8($sp)"); ++} ++&{$z? \&stmg:\&stm} ("%r6","%r7","6*$SIZE_T($sp)"); ++ ++ lghi ("%r1",-$frame); ++ lgr ("%r0",$sp); ++ la ($sp,"0(%r1,$sp)"); # allocate stack frame ++ ++ larl ("%r7",".Lsigma"); ++&{$z? \&stg:\&st} ("%r0","0($sp)"); # backchain ++ ++ vstm ("%v8","%v15","8($sp)") if ($z); ++ ++ vlm ("%v1","%v2","0($key)"); # load key ++ vl ("%v0","0(%r7)"); # load sigma constant ++ vl ("%v3","0($counter)"); # load iv (counter||nonce) ++ l ("%r0","0($counter)"); # load counter ++ vstm ("%v0","%v3","$off($sp)"); # copy initial state to stack ++ ++ srlg ("%r1",$len,8); ++ ltgr ("%r1","%r1"); ++ jz (".Lvx_4x_done"); ++ ++ALIGN (16); # process 4 64-byte blocks ++LABEL (".Lvx_4x"); ++ vlrepf ("%v$_",($_*4)."+$off($sp)") for (0..15); # load initial ++ # state ++ vl ("%v31","16(%r7)"); ++ vaf ("%v12","%v12","%v31"); # increment counter ++ ++ vlr (@v[$_],"%v$_") for (0..15); # copy initial state ++ ++ lhi ("%r6",10); ++ j (".Loop_vx_4x"); ++ ++ALIGN (16); ++LABEL (".Loop_vx_4x"); ++ VX_ROUND( 0, 4, 8,12); # column round ++ VX_ROUND( 0, 5,10,15); # diagonal round ++ brct ("%r6",".Loop_vx_4x"); ++ ++ vaf (@v[$_],@v[$_],"%v$_") for (0..15); # state += initial ++ # state (mod 32) ++ vlm ("%v6","%v7","32(%r7)"); # load vperm operands ++ ++for (0..3) { # blocks 1,2 ++ vmrhf ("%v0",@v[$_*4+0],@v[$_*4+1]); # ks = serialize(state) ++ vmrhf ("%v1",@v[$_*4+2],@v[$_*4+3]); ++ vperm ("%v".($_+ 8),"%v0","%v1","%v6"); ++ vperm ("%v".($_+12),"%v0","%v1","%v7"); ++} ++ vlm ("%v0","%v7","0($inp)"); # load in ++ vx ("%v$_","%v$_","%v".($_+8)) for (0..7); # out = in ^ ks ++ vstm ("%v0","%v7","0($out)"); # store out ++ ++ vlm ("%v6","%v7","32(%r7)"); # restore vperm operands ++ ++for (0..3) { # blocks 2,3 ++ vmrlf ("%v0",@v[$_*4+0],@v[$_*4+1]); # ks = serialize(state) ++ vmrlf ("%v1",@v[$_*4+2],@v[$_*4+3]); ++ vperm ("%v".($_+ 8),"%v0","%v1","%v6"); ++ vperm ("%v".($_+12),"%v0","%v1","%v7"); ++} ++ vlm ("%v0","%v7","128($inp)"); # load in ++ vx ("%v$_","%v$_","%v".($_+8)) for (0..7); # out = in ^ ks ++ vstm ("%v0","%v7","128($out)"); # store out ++ ++ ahi ("%r0",4); ++ st ("%r0","48+$off($sp)"); # update initial state ++ ++ la ($inp,"256($inp)"); ++ la ($out,"256($out)"); ++ brctg ("%r1",".Lvx_4x"); ++ ++ALIGN (16); ++LABEL (".Lvx_4x_done"); ++ lghi ("%r1",0xff); ++ ngr ($len,"%r1"); ++ jnz (".Lvx_rem"); ++ ++ALIGN (16); ++LABEL (".Lvx_done"); ++ vzero ("%v$_") for (16..31); # wipe ks and key copy ++ vstm ("%v16","%v17","16+$off($sp)"); ++ vlm ("%v8","%v15","8($sp)") if ($z); ++ ++ la ($sp,"$frame($sp)"); ++&{$z? \&lmg:\&lm} ("%r6","%r7","6*$SIZE_T($sp)"); ++ ++if (!$z) { ++ ld ("%f4","16*$SIZE_T+2*8($sp)"); ++ ld ("%f6","16*$SIZE_T+3*8($sp)"); ++ vzero ("%v$_") for (8..15); ++} ++ br ("%r14"); ++ALIGN (16); ++LABEL (".Lvx_rem"); ++ lhi ("%r0",64); ++ ++ sr ($len,"%r0"); ++ brc (2,".Lvx_rem_g64"); # cc==2? ++ ++ lghi ("%r1",-$stdframe); ++ ++ la ($counter,"48+$off($sp)"); # load updated iv ++ ar ($len,"%r0"); # restore len ++ ++ lgr ("%r7",$counter); ++&{$z? \&stg:\&st} ("%r14","14*$SIZE_T+$frame($sp)"); ++ la ($sp,"0(%r1,$sp)"); ++ ++ bras ("%r14","_s390x_chacha_novx"); ++ ++ la ($sp,"$stdframe($sp)"); ++&{$z? \&lg:\&l} ("%r14","14*$SIZE_T+$frame($sp)"); ++ lgr ($counter,"%r7"); ++ j (".Lvx_done"); ++ ++ALIGN (16); ++LABEL (".Lvx_rem_g64"); ++ vlrepf ("%v$_",($_*4)."+$off($sp)") for (0..15); # load initial ++ # state ++ vl ("%v31","16(%r7)"); ++ vaf ("%v12","%v12","%v31"); # increment counter ++ ++ vlr (@v[$_],"%v$_") for (0..15); # state = initial state ++ ++ lhi ("%r6",10); ++ j (".Loop_vx_rem"); ++ ++ALIGN (16); ++LABEL (".Loop_vx_rem"); ++ VX_ROUND( 0, 4, 8,12); # column round ++ VX_ROUND( 0, 5,10,15); # diagonal round ++ brct ("%r6",".Loop_vx_rem"); ++ ++ vaf (@v[$_],@v[$_],"%v$_") for (0..15); # state += initial ++ # state (mod 32) ++ vlm ("%v6","%v7","32(%r7)"); # load vperm operands ++ ++for (0..3) { # blocks 1,2 ++ vmrhf ("%v0",@v[$_*4+0],@v[$_*4+1]); # ks = serialize(state) ++ vmrhf ("%v1",@v[$_*4+2],@v[$_*4+3]); ++ vperm ("%v".($_+8),"%v0","%v1","%v6"); ++ vperm ("%v".($_+12),"%v0","%v1","%v7"); ++} ++ vlm ("%v0","%v3","0($inp)"); # load in ++ vx ("%v$_","%v$_","%v".($_+8)) for (0..3); # out = in ^ ks ++ vstm ("%v0","%v3","0($out)"); # store out ++ ++ la ($inp,"64($inp)"); ++ la ($out,"64($out)"); ++ ++ sr ($len,"%r0"); ++ brc (4,".Lvx_tail"); # cc==4? ++ ++ vlm ("%v0","%v3","0($inp)"); # load in ++ vx ("%v$_","%v$_","%v".($_+12)) for (0..3); # out = in ^ ks ++ vstm ("%v0","%v3","0($out)"); # store out ++ jz (".Lvx_done"); ++ ++for (0..3) { # blocks 3,4 ++ vmrlf ("%v0",@v[$_*4+0],@v[$_*4+1]); # ks = serialize(state) ++ vmrlf ("%v1",@v[$_*4+2],@v[$_*4+3]); ++ vperm ("%v".($_+12),"%v0","%v1","%v6"); ++ vperm ("%v".($_+8),"%v0","%v1","%v7"); ++} ++ la ($inp,"64($inp)"); ++ la ($out,"64($out)"); ++ ++ sr ($len,"%r0"); ++ brc (4,".Lvx_tail"); # cc==4? ++ ++ vlm ("%v0","%v3","0($inp)"); # load in ++ vx ("%v$_","%v$_","%v".($_+12)) for (0..3); # out = in ^ ks ++ vstm ("%v0","%v3","0($out)"); # store out ++ jz (".Lvx_done"); ++ ++ la ($inp,"64($inp)"); ++ la ($out,"64($out)"); ++ ++ sr ($len,"%r0"); ++ vlr ("%v".($_+4),"%v$_") for (8..11); ++ j (".Lvx_tail"); ++ ++ALIGN (16); ++LABEL (".Lvx_tail"); ++ ar ($len,"%r0"); # restore $len ++ ahi ($len,-1); ++ ++ lhi ("%r0",16); ++for (0..2) { ++ vll ("%v0",$len,($_*16)."($inp)"); ++ vx ("%v0","%v0","%v".($_+12)); ++ vstl ("%v0",$len,($_*16)."($out)"); ++ sr ($len,"%r0"); ++ brc (4,".Lvx_done"); # cc==4? ++} ++ vll ("%v0",$len,"3*16($inp)"); ++ vx ("%v0","%v0","%v15"); ++ vstl ("%v0",$len,"3*16($out)"); ++ j (".Lvx_done"); ++SIZE ("ChaCha20_ctr32",".-ChaCha20_ctr32"); ++} ++ ++# NOVX CODE PATH ++{ ++my $frame=$stdframe+4*20; ++ ++TYPE ("_s390x_chacha_novx","\@function"); ++ALIGN (32); ++LABEL ("_s390x_chacha_novx"); ++&{$z? \<gr:\<r} ($len,$len); # $len==0? ++ bzr ("%r14"); ++&{$z? \&aghi:\&ahi} ($len,-64); ++&{$z? \&lghi:\&lhi} ("%r1",-$frame); ++&{$z? \&stmg:\&stm} ("%r6","%r15","6*$SIZE_T($sp)"); ++&{$z? \&slgr:\&slr} ($out,$inp); # difference ++ la ($len,"0($inp,$len)"); # end of input minus 64 ++ larl ("%r7",".Lsigma"); ++ lgr ("%r0",$sp); ++ la ($sp,"0(%r1,$sp)"); ++&{$z? \&stg:\&st} ("%r0","0($sp)"); ++ ++ lmg ("%r8","%r11","0($key)"); # load key ++ lmg ("%r12","%r13","0($counter)"); # load counter ++ lmg ("%r6","%r7","0(%r7)"); # load sigma constant ++ ++ la ("%r14","0($inp)"); ++&{$z? \&stg:\&st} ($out,"$frame+3*$SIZE_T($sp)"); ++&{$z? \&stg:\&st} ($len,"$frame+4*$SIZE_T($sp)"); ++ stmg ("%r6","%r13","$stdframe($sp)");# copy key schedule to stack ++ srlg (@x[12],"%r12",32); # 32-bit counter value ++ j (".Loop_outer"); ++ ++ALIGN (16); ++LABEL (".Loop_outer"); ++ lm (@x[0],@x[7],"$stdframe+4*0($sp)"); # load x[0]-x[7] ++ lm (@t[0],@t[1],"$stdframe+4*10($sp)"); # load x[10]-x[11] ++ lm (@x[13],@x[15],"$stdframe+4*13($sp)"); # load x[13]-x[15] ++ stm (@t[0],@t[1],"$stdframe+4*8+4*10($sp)");# offload x[10]-x[11] ++ lm (@t[0],@t[1],"$stdframe+4*8($sp)"); # load x[8]-x[9] ++ st (@x[12],"$stdframe+4*12($sp)"); # save counter ++&{$z? \&stg:\&st} ("%r14","$frame+2*$SIZE_T($sp)");# save input pointer ++ lhi ("%r14",10); ++ j (".Loop"); ++ ++ALIGN (4); ++LABEL (".Loop"); ++ ROUND (0, 4, 8,12); ++ ROUND (0, 5,10,15); ++ brct ("%r14",".Loop"); ++ ++&{$z? \&lg:\&l} ("%r14","$frame+2*$SIZE_T($sp)");# pull input pointer ++ stm (@t[0],@t[1],"$stdframe+4*8+4*8($sp)"); # offload x[8]-x[9] ++&{$z? \&lmg:\&lm} (@t[0],@t[1],"$frame+3*$SIZE_T($sp)"); ++ ++ al (@x[0],"$stdframe+4*0($sp)"); # accumulate key schedule ++ al (@x[1],"$stdframe+4*1($sp)"); ++ al (@x[2],"$stdframe+4*2($sp)"); ++ al (@x[3],"$stdframe+4*3($sp)"); ++ al (@x[4],"$stdframe+4*4($sp)"); ++ al (@x[5],"$stdframe+4*5($sp)"); ++ al (@x[6],"$stdframe+4*6($sp)"); ++ al (@x[7],"$stdframe+4*7($sp)"); ++ lrvr (@x[0],@x[0]); ++ lrvr (@x[1],@x[1]); ++ lrvr (@x[2],@x[2]); ++ lrvr (@x[3],@x[3]); ++ lrvr (@x[4],@x[4]); ++ lrvr (@x[5],@x[5]); ++ lrvr (@x[6],@x[6]); ++ lrvr (@x[7],@x[7]); ++ al (@x[12],"$stdframe+4*12($sp)"); ++ al (@x[13],"$stdframe+4*13($sp)"); ++ al (@x[14],"$stdframe+4*14($sp)"); ++ al (@x[15],"$stdframe+4*15($sp)"); ++ lrvr (@x[12],@x[12]); ++ lrvr (@x[13],@x[13]); ++ lrvr (@x[14],@x[14]); ++ lrvr (@x[15],@x[15]); ++ ++ la (@t[0],"0(@t[0],%r14)"); # reconstruct output pointer ++&{$z? \&clgr:\&clr} ("%r14",@t[1]); ++ jh (".Ltail"); ++ ++ x (@x[0],"4*0(%r14)"); # xor with input ++ x (@x[1],"4*1(%r14)"); ++ st (@x[0],"4*0(@t[0])"); # store output ++ x (@x[2],"4*2(%r14)"); ++ st (@x[1],"4*1(@t[0])"); ++ x (@x[3],"4*3(%r14)"); ++ st (@x[2],"4*2(@t[0])"); ++ x (@x[4],"4*4(%r14)"); ++ st (@x[3],"4*3(@t[0])"); ++ lm (@x[0],@x[3],"$stdframe+4*8+4*8($sp)"); # load x[8]-x[11] ++ x (@x[5],"4*5(%r14)"); ++ st (@x[4],"4*4(@t[0])"); ++ x (@x[6],"4*6(%r14)"); ++ al (@x[0],"$stdframe+4*8($sp)"); ++ st (@x[5],"4*5(@t[0])"); ++ x (@x[7],"4*7(%r14)"); ++ al (@x[1],"$stdframe+4*9($sp)"); ++ st (@x[6],"4*6(@t[0])"); ++ x (@x[12],"4*12(%r14)"); ++ al (@x[2],"$stdframe+4*10($sp)"); ++ st (@x[7],"4*7(@t[0])"); ++ x (@x[13],"4*13(%r14)"); ++ al (@x[3],"$stdframe+4*11($sp)"); ++ st (@x[12],"4*12(@t[0])"); ++ x (@x[14],"4*14(%r14)"); ++ st (@x[13],"4*13(@t[0])"); ++ x (@x[15],"4*15(%r14)"); ++ st (@x[14],"4*14(@t[0])"); ++ lrvr (@x[0],@x[0]); ++ st (@x[15],"4*15(@t[0])"); ++ lrvr (@x[1],@x[1]); ++ lrvr (@x[2],@x[2]); ++ lrvr (@x[3],@x[3]); ++ lhi (@x[12],1); ++ x (@x[0],"4*8(%r14)"); ++ al (@x[12],"$stdframe+4*12($sp)"); # increment counter ++ x (@x[1],"4*9(%r14)"); ++ st (@x[0],"4*8(@t[0])"); ++ x (@x[2],"4*10(%r14)"); ++ st (@x[1],"4*9(@t[0])"); ++ x (@x[3],"4*11(%r14)"); ++ st (@x[2],"4*10(@t[0])"); ++ st (@x[3],"4*11(@t[0])"); ++ ++&{$z? \&clgr:\&clr} ("%r14",@t[1]); # done yet? ++ la ("%r14","64(%r14)"); ++ jl (".Loop_outer"); ++ ++LABEL (".Ldone"); ++ xgr ("%r0","%r0"); ++ xgr ("%r1","%r1"); ++ xgr ("%r2","%r2"); ++ xgr ("%r3","%r3"); ++ stmg ("%r0","%r3","$stdframe+4*4($sp)"); # wipe key copy ++ stmg ("%r0","%r3","$stdframe+4*12($sp)"); ++ ++&{$z? \&lmg:\&lm} ("%r6","%r15","$frame+6*$SIZE_T($sp)"); ++ br ("%r14"); ++ ++ALIGN (16); ++LABEL (".Ltail"); ++ la (@t[1],"64($t[1])"); ++ stm (@x[0],@x[7],"$stdframe+4*0($sp)"); ++&{$z? \&slgr:\&slr} (@t[1],"%r14"); ++ lm (@x[0],@x[3],"$stdframe+4*8+4*8($sp)"); ++&{$z? \&lghi:\&lhi} (@x[6],0); ++ stm (@x[12],@x[15],"$stdframe+4*12($sp)"); ++ al (@x[0],"$stdframe+4*8($sp)"); ++ al (@x[1],"$stdframe+4*9($sp)"); ++ al (@x[2],"$stdframe+4*10($sp)"); ++ al (@x[3],"$stdframe+4*11($sp)"); ++ lrvr (@x[0],@x[0]); ++ lrvr (@x[1],@x[1]); ++ lrvr (@x[2],@x[2]); ++ lrvr (@x[3],@x[3]); ++ stm (@x[0],@x[3],"$stdframe+4*8($sp)"); ++ ++LABEL (".Loop_tail"); ++ llgc (@x[4],"0(@x[6],%r14)"); ++ llgc (@x[5],"$stdframe(@x[6],$sp)"); ++ xr (@x[5],@x[4]); ++ stc (@x[5],"0(@x[6],@t[0])"); ++ la (@x[6],"1(@x[6])"); ++ brct (@t[1],".Loop_tail"); ++ ++ j (".Ldone"); ++SIZE ("_s390x_chacha_novx",".-_s390x_chacha_novx"); ++} + } +-close STDOUT or die "error closing STDOUT: $!"; ++################ ++ ++ALIGN (64); ++LABEL (".Lsigma"); ++LONG (0x61707865,0x3320646e,0x79622d32,0x6b206574); # endian-neutral sigma ++LONG (0x00000000,0x00000001,0x00000002,0x00000003); # vaf counter increment ++LONG (0x03020100,0x07060504,0x13121110,0x17161514); # vperm serialization ++LONG (0x0b0a0908,0x0f0e0d0c,0x1b1a1918,0x1f1e1d1c); # vperm serialization ++ASCIZ ("\"ChaCha20 for s390x, CRYPTOGAMS by \""); ++ALIGN (4); ++ ++PERLASM_END(); diff --git a/0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch b/0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch new file mode 100644 index 0000000..e013da1 --- /dev/null +++ b/0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch @@ -0,0 +1,1006 @@ +From d6f4b0a8bfbe901c72294d8923eb5b6f54ca7732 Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Mon, 6 Feb 2017 10:54:54 +0100 +Subject: [PATCH] crypto/poly1305/asm/poly1305-s390x.pl: add vx code path. + +Signed-off-by: Patrick Steuer + +Reviewed-by: Matt Caswell +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/7991) +--- + crypto/poly1305/asm/poly1305-s390x.pl | 944 +++++++++++++++++++++----- + 1 file changed, 780 insertions(+), 164 deletions(-) + +diff --git a/crypto/poly1305/asm/poly1305-s390x.pl b/crypto/poly1305/asm/poly1305-s390x.pl +index 21ca86055e..390f9eefe7 100755 +--- a/crypto/poly1305/asm/poly1305-s390x.pl ++++ b/crypto/poly1305/asm/poly1305-s390x.pl +@@ -24,204 +24,820 @@ + # + # On side note, z13 enables vector base 2^26 implementation... + +-$flavour = shift; ++# ++# January 2019 ++# ++# Add vx code path (base 2^26). ++# ++# Copyright IBM Corp. 2019 ++# Author: Patrick Steuer + ++use strict; ++use FindBin qw($Bin); ++use lib "$Bin/../.."; ++use perlasm::s390x qw(:DEFAULT :VX AUTOLOAD LABEL); ++ ++my $flavour = shift; ++ ++my ($z,$SIZE_T); + if ($flavour =~ /3[12]/) { ++ $z=0; # S/390 ABI + $SIZE_T=4; +- $g=""; + } else { ++ $z=1; # zSeries ABI + $SIZE_T=8; +- $g="g"; + } + ++my $output; + while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} +-open STDOUT,">$output"; + +-$sp="%r15"; ++my $sp="%r15"; ++ ++# novx code path ctx layout ++# --------------------------------- ++# var value base off ++# --------------------------------- ++# u64 h[3] hash 2^64 0 ++# u32 pad[2] ++# u64 r[2] key 2^64 32 ++ ++# vx code path ctx layout ++# --------------------------------- ++# var value base off ++# --------------------------------- ++# u32 acc1[5] r^2-acc 2^26 0 ++# u32 pad ++# u32 acc2[5] r-acc 2^26 24 ++# u32 pad ++# u32 r1[5] r 2^26 48 ++# u32 r15[5] 5*r 2^26 68 ++# u32 r2[5] r^2 2^26 88 ++# u32 r25[5] 5*r^2 2^26 108 ++# u32 r4[5] r^4 2^26 128 ++# u32 r45[5] 5*r^4 2^26 148 ++ ++PERLASM_BEGIN($output); ++ ++TEXT (); ++ ++################ ++# static void poly1305_init(void *ctx, const unsigned char key[16]) ++{ ++my ($ctx,$key)=map("%r$_",(2..3)); ++my ($r0,$r1,$r2)=map("%r$_",(9,11,13)); + +-my ($ctx,$inp,$len,$padbit) = map("%r$_",(2..5)); ++sub MUL_RKEY { # r*=key ++my ($d0hi,$d0lo,$d1hi,$d1lo)=map("%r$_",(4..7)); ++my ($t0,$t1,$s1)=map("%r$_",(8,10,12)); ++ ++ lg ("%r0","32($ctx)"); ++ lg ("%r1","40($ctx)"); ++ ++ srlg ($s1,"%r1",2); ++ algr ($s1,"%r1"); ++ ++ lgr ($d0lo,$r0); ++ lgr ($d1lo,$r1); ++ ++ mlgr ($d0hi,"%r0"); ++ lgr ($r1,$d1lo); ++ mlgr ($d1hi,$s1); ++ ++ mlgr ($t0,"%r1"); ++ mlgr ($t1,"%r0"); ++ ++ algr ($d0lo,$d1lo); ++ lgr ($d1lo,$r2); ++ alcgr ($d0hi,$d1hi); ++ lghi ($d1hi,0); ++ ++ algr ($r1,$r0); ++ alcgr ($t1,$t0); ++ ++ msgr ($d1lo,$s1); ++ msgr ($r2,"%r0"); ++ ++ algr ($r1,$d1lo); ++ alcgr ($t1,$d1hi); ++ ++ algr ($r1,$d0hi); ++ alcgr ($r2,$t1); ++ ++ lghi ($r0,-4); ++ ngr ($r0,$r2); ++ srlg ($t0,$r2,2); ++ algr ($r0,$t0); ++ lghi ($t1,3); ++ ngr ($r2,$t1); ++ ++ algr ($r0,$d0lo); ++ alcgr ($r1,$d1hi); ++ alcgr ($r2,$d1hi); ++} ++ ++sub ST_R5R { # store r,5*r -> base 2^26 ++my @d=map("%r$_",(4..8)); ++my @off=@_; ++ ++ lgr (@d[2],$r0); ++ lr ("%r1",@d[2]); ++ nilh ("%r1",1023); ++ lgr (@d[3],$r1); ++ lr (@d[0],"%r1"); ++ srlg ("%r1",@d[2],52); ++ lgr (@d[4],$r2); ++ srlg ("%r0",@d[2],26); ++ sll (@d[4],24); ++ lr (@d[2],@d[3]); ++ nilh ("%r0",1023); ++ sll (@d[2],12); ++ lr (@d[1],"%r0"); ++ &or (@d[2],"%r1"); ++ srlg ("%r1",@d[3],40); ++ nilh (@d[2],1023); ++ &or (@d[4],"%r1"); ++ srlg (@d[3],@d[3],14); ++ nilh (@d[4],1023); ++ nilh (@d[3],1023); ++ ++ stm (@d[0],@d[4],"@off[0]($ctx)"); ++ mhi (@d[$_],5) for (0..4); ++ stm (@d[0],@d[4],"@off[1]($ctx)"); ++} + +-$code.=<<___; +-.text +- +-.globl poly1305_init +-.type poly1305_init,\@function +-.align 16 +-poly1305_init: +- lghi %r0,0 +- lghi %r1,-1 +- stg %r0,0($ctx) # zero hash value +- stg %r0,8($ctx) +- stg %r0,16($ctx) +- +- cl${g}r $inp,%r0 +- je .Lno_key +- +- lrvg %r4,0($inp) # load little-endian key +- lrvg %r5,8($inp) +- +- nihl %r1,0xffc0 # 0xffffffc0ffffffff +- srlg %r0,%r1,4 # 0x0ffffffc0fffffff +- srlg %r1,%r1,4 +- nill %r1,0xfffc # 0x0ffffffc0ffffffc +- +- ngr %r4,%r0 +- ngr %r5,%r1 +- +- stg %r4,32($ctx) +- stg %r5,40($ctx) +- +-.Lno_key: +- lghi %r2,0 +- br %r14 +-.size poly1305_init,.-poly1305_init +-___ ++GLOBL ("poly1305_init"); ++TYPE ("poly1305_init","\@function"); ++ALIGN (16); ++LABEL ("poly1305_init"); ++ lghi ("%r0",0); ++ lghi ("%r1",-1); ++ stg ("%r0","0($ctx)"); # zero hash value / acc1 ++ stg ("%r0","8($ctx)"); ++ stg ("%r0","16($ctx)"); ++ ++&{$z? \&clgr:\&clr} ($key,"%r0"); ++ je (".Ldone"); ++ ++ lrvg ("%r4","0($key)"); # load little-endian key ++ lrvg ("%r5","8($key)"); ++ ++ nihl ("%r1",0xffc0); # 0xffffffc0ffffffff ++ srlg ("%r0","%r1",4); # 0x0ffffffc0fffffff ++ srlg ("%r1","%r1",4); ++ nill ("%r1",0xfffc); # 0x0ffffffc0ffffffc ++ ++ ngr ("%r4","%r0"); ++ ngr ("%r5","%r1"); ++ ++ stg ("%r4","32($ctx)"); ++ stg ("%r5","40($ctx)"); ++ ++ larl ("%r1","OPENSSL_s390xcap_P"); ++ lg ("%r0","16(%r1)"); ++ tmhh ("%r0",0x4000); # check for vector facility ++ jz (".Ldone"); ++ ++ larl ("%r4","poly1305_blocks_vx"); ++ larl ("%r5","poly1305_emit_vx"); ++ ++&{$z? \&stmg:\&stm} ("%r6","%r13","6*$SIZE_T($sp)"); ++&{$z? \&stmg:\&stm} ("%r4","%r5","4*$z+228($ctx)"); ++ ++ lg ($r0,"32($ctx)"); ++ lg ($r1,"40($ctx)"); ++ lghi ($r2,0); ++ ++ ST_R5R (48,68); # store r,5*r ++ ++ MUL_RKEY(); ++ ST_R5R (88,108); # store r^2,5*r^2 ++ ++ MUL_RKEY(); ++ MUL_RKEY(); ++ ST_R5R (128,148); # store r^4,5*r^4 ++ ++ lghi ("%r0",0); ++ stg ("%r0","24($ctx)"); # zero acc2 ++ stg ("%r0","32($ctx)"); ++ stg ("%r0","40($ctx)"); ++ ++&{$z? \&lmg:\&lm} ("%r6","%r13","6*$SIZE_T($sp)"); ++ lghi ("%r2",1); ++ br ("%r14"); ++ ++LABEL (".Ldone"); ++ lghi ("%r2",0); ++ br ("%r14"); ++SIZE ("poly1305_init",".-poly1305_init"); ++} ++ ++# VX CODE PATH + { +-my ($d0hi,$d0lo,$d1hi,$d1lo,$t0,$h0,$t1,$h1,$h2) = map("%r$_",(6..14)); +-my ($r0,$r1,$s1) = map("%r$_",(0..2)); ++my $frame=8*16; ++my @m01=map("%v$_",(0..4)); ++my @m23=map("%v$_",(5..9)); ++my @tmp=@m23; ++my @acc=map("%v$_",(10..14)); ++my @r=map("%v$_",(15..19)); ++my @r5=map("%v$_",(20..24)); ++my $padvec="%v26"; ++my $mask4="%v27"; ++my @vperm=map("%v$_",(28..30)); ++my $mask="%v31"; ++ ++sub REDUCE { ++ vesrlg (@tmp[0],@acc[0],26); ++ vesrlg (@tmp[3],@acc[3],26); ++ vn (@acc[0],@acc[0],$mask); ++ vn (@acc[3],@acc[3],$mask); ++ vag (@acc[1],@acc[1],@tmp[0]); # carry 0->1 ++ vag (@acc[4],@acc[4],@tmp[3]); # carry 3->4 ++ ++ vesrlg (@tmp[1],@acc[1],26); ++ vesrlg (@tmp[4],@acc[4],26); ++ vn (@acc[1],@acc[1],$mask); ++ vn (@acc[4],@acc[4],$mask); ++ veslg (@tmp[0],@tmp[4],2); ++ vag (@tmp[4],@tmp[4],@tmp[0]); # h[4]*=5 ++ vag (@acc[2],@acc[2],@tmp[1]); # carry 1->2 ++ vag (@acc[0],@acc[0],@tmp[4]); # carry 4->0 ++ ++ vesrlg (@tmp[2],@acc[2],26); ++ vesrlg (@tmp[0],@acc[0],26); ++ vn (@acc[2],@acc[2],$mask); ++ vn (@acc[0],@acc[0],$mask); ++ vag (@acc[3],@acc[3],@tmp[2]); # carry 2->3 ++ vag (@acc[1],@acc[1],@tmp[0]); # carry 0->1 ++ ++ vesrlg (@tmp[3],@acc[3],26); ++ vn (@acc[3],@acc[3],$mask); ++ vag (@acc[4],@acc[4],@tmp[3]); # carry 3->4 ++} + +-$code.=<<___; +-.globl poly1305_blocks +-.type poly1305_blocks,\@function +-.align 16 +-poly1305_blocks: +- srl${g} $len,4 # fixed-up in 64-bit build +- lghi %r0,0 +- cl${g}r $len,%r0 +- je .Lno_data ++################ ++# static void poly1305_blocks_vx(void *ctx, const unsigned char *inp, ++# size_t len, u32 padbit) ++{ ++my ($ctx,$inp,$len) = map("%r$_",(2..4)); ++my $padbit="%r0"; ++ ++GLOBL ("poly1305_blocks_vx"); ++TYPE ("poly1305_blocks_vx","\@function"); ++ALIGN (16); ++LABEL ("poly1305_blocks_vx"); ++if ($z) { ++ aghi ($sp,-$frame); ++ vstm ("%v8","%v15","0($sp)"); ++} else { ++ std ("%f4","16*$SIZE_T+2*8($sp)"); ++ std ("%f6","16*$SIZE_T+3*8($sp)"); ++ llgfr ($len,$len); ++} ++ llgfr ($padbit,"%r5"); ++ vlef (@acc[$_],"4*$_($ctx)",1) for (0..4); # load acc1 ++ larl ("%r5",".Lconst"); ++ vlef (@acc[$_],"24+4*$_($ctx)",3) for (0..4); # load acc2 ++ sllg ($padbit,$padbit,24); ++ vlm (@vperm[0],$mask,"0(%r5)"); # load vperm ops, mask ++ vgbm ($mask4,0x0707); ++ vlvgp ($padvec,$padbit,$padbit); ++ ++ srlg ("%r1",$len,6); ++ ltgr ("%r1","%r1"); ++ jz (".Lvx_4x_done"); ++ ++ALIGN (16); ++LABEL (".Lvx_4x"); ++ vlm ("%v20","%v23","0($inp)"); # load m0,m1,m2,m3 ++ ++ # m01,m23 -> base 2^26 ++ ++ vperm (@m01[0],"%v20","%v21",@vperm[0]); ++ vperm (@m23[0],"%v22","%v23",@vperm[0]); ++ vperm (@m01[2],"%v20","%v21",@vperm[1]); ++ vperm (@m23[2],"%v22","%v23",@vperm[1]); ++ vperm (@m01[4],"%v20","%v21",@vperm[2]); ++ vperm (@m23[4],"%v22","%v23",@vperm[2]); ++ ++ vesrlg (@m01[1],@m01[0],26); ++ vesrlg (@m23[1],@m23[0],26); ++ vesrlg (@m01[3],@m01[2],30); ++ vesrlg (@m23[3],@m23[2],30); ++ vesrlg (@m01[2],@m01[2],4); ++ vesrlg (@m23[2],@m23[2],4); ++ ++ vn (@m01[4],@m01[4],$mask4); ++ vn (@m23[4],@m23[4],$mask4); ++for (0..3) { ++ vn (@m01[$_],@m01[$_],$mask); ++ vn (@m23[$_],@m23[$_],$mask); ++} ++ vaf (@m01[4],@m01[4],$padvec); # pad m01 ++ vaf (@m23[4],@m23[4],$padvec); # pad m23 ++ ++ # acc = acc * r^4 + m01 * r^2 + m23 ++ ++ vlrepf (@r5[$_],"4*$_+108($ctx)") for (0..4); # load 5*r^2 ++ vlrepf (@r[$_],"4*$_+88($ctx)") for (0..4); # load r^2 ++ ++ vmalof (@tmp[0],@m01[4],@r5[1],@m23[0]); ++ vmalof (@tmp[1],@m01[4],@r5[2],@m23[1]); ++ vmalof (@tmp[2],@m01[4],@r5[3],@m23[2]); ++ vmalof (@tmp[3],@m01[4],@r5[4],@m23[3]); ++ vmalof (@tmp[4],@m01[4],@r[0],@m23[4]); ++ ++ vmalof (@tmp[0],@m01[3],@r5[2],@tmp[0]); ++ vmalof (@tmp[1],@m01[3],@r5[3],@tmp[1]); ++ vmalof (@tmp[2],@m01[3],@r5[4],@tmp[2]); ++ vmalof (@tmp[3],@m01[3],@r[0],@tmp[3]); ++ vmalof (@tmp[4],@m01[3],@r[1],@tmp[4]); ++ ++ vmalof (@tmp[0],@m01[2],@r5[3],@tmp[0]); ++ vmalof (@tmp[1],@m01[2],@r5[4],@tmp[1]); ++ vmalof (@tmp[2],@m01[2],@r[0],@tmp[2]); ++ vmalof (@tmp[3],@m01[2],@r[1],@tmp[3]); ++ vmalof (@tmp[4],@m01[2],@r[2],@tmp[4]); ++ ++ vmalof (@tmp[0],@m01[1],@r5[4],@tmp[0]); ++ vmalof (@tmp[1],@m01[1],@r[0],@tmp[1]); ++ vmalof (@tmp[2],@m01[1],@r[1],@tmp[2]); ++ vmalof (@tmp[3],@m01[1],@r[2],@tmp[3]); ++ vmalof (@tmp[4],@m01[1],@r[3],@tmp[4]); ++ ++ vmalof (@tmp[0],@m01[0],@r[0],@tmp[0]); ++ vmalof (@tmp[1],@m01[0],@r[1],@tmp[1]); ++ vmalof (@tmp[2],@m01[0],@r[2],@tmp[2]); ++ vmalof (@tmp[3],@m01[0],@r[3],@tmp[3]); ++ vmalof (@tmp[4],@m01[0],@r[4],@tmp[4]); ++ ++ vlrepf (@r5[$_],"4*$_+148($ctx)") for (0..4); # load 5*r^4 ++ vlrepf (@r[$_],"4*$_+128($ctx)") for (0..4); # load r^4 ++ ++ vmalof (@tmp[0],@acc[4],@r5[1],@tmp[0]); ++ vmalof (@tmp[1],@acc[4],@r5[2],@tmp[1]); ++ vmalof (@tmp[2],@acc[4],@r5[3],@tmp[2]); ++ vmalof (@tmp[3],@acc[4],@r5[4],@tmp[3]); ++ vmalof (@tmp[4],@acc[4],@r[0],@tmp[4]); ++ ++ vmalof (@tmp[0],@acc[3],@r5[2],@tmp[0]); ++ vmalof (@tmp[1],@acc[3],@r5[3],@tmp[1]); ++ vmalof (@tmp[2],@acc[3],@r5[4],@tmp[2]); ++ vmalof (@tmp[3],@acc[3],@r[0],@tmp[3]); ++ vmalof (@tmp[4],@acc[3],@r[1],@tmp[4]); ++ ++ vmalof (@tmp[0],@acc[2],@r5[3],@tmp[0]); ++ vmalof (@tmp[1],@acc[2],@r5[4],@tmp[1]); ++ vmalof (@tmp[2],@acc[2],@r[0],@tmp[2]); ++ vmalof (@tmp[3],@acc[2],@r[1],@tmp[3]); ++ vmalof (@tmp[4],@acc[2],@r[2],@tmp[4]); ++ ++ vmalof (@tmp[0],@acc[1],@r5[4],@tmp[0]); ++ vmalof (@tmp[1],@acc[1],@r[0],@tmp[1]); ++ vmalof (@tmp[2],@acc[1],@r[1],@tmp[2]); ++ vmalof (@tmp[3],@acc[1],@r[2],@tmp[3]); ++ vmalof (@tmp[4],@acc[1],@r[3],@tmp[4]); ++ ++ vmalof (@acc[1],@acc[0],@r[1],@tmp[1]); ++ vmalof (@acc[2],@acc[0],@r[2],@tmp[2]); ++ vmalof (@acc[3],@acc[0],@r[3],@tmp[3]); ++ vmalof (@acc[4],@acc[0],@r[4],@tmp[4]); ++ vmalof (@acc[0],@acc[0],@r[0],@tmp[0]); ++ ++ REDUCE (); ++ ++ la ($inp,"64($inp)"); ++ brctg ("%r1",".Lvx_4x"); ++ ++ALIGN (16); ++LABEL (".Lvx_4x_done"); ++ tml ($len,32); ++ jz (".Lvx_2x_done"); ++ ++ vlm ("%v20","%v21","0($inp)"); # load m0,m1 ++ ++ # m01 -> base 2^26 ++ ++ vperm (@m01[0],"%v20","%v21",@vperm[0]); ++ vperm (@m01[2],"%v20","%v21",@vperm[1]); ++ vperm (@m01[4],"%v20","%v21",@vperm[2]); ++ ++ vesrlg (@m01[1],@m01[0],26); ++ vesrlg (@m01[3],@m01[2],30); ++ vesrlg (@m01[2],@m01[2],4); ++ ++ vn (@m01[4],@m01[4],$mask4); ++ vn (@m01[$_],@m01[$_],$mask) for (0..3); ++ ++ vaf (@m01[4],@m01[4],$padvec); # pad m01 ++ ++ # acc = acc * r^2+ m01 ++ ++ vlrepf (@r5[$_],"4*$_+108($ctx)") for (0..4); # load 5*r^2 ++ vlrepf (@r[$_],"4*$_+88($ctx)") for (0..4); # load r^2 ++ ++ vmalof (@tmp[0],@acc[4],@r5[1],@m01[0]); ++ vmalof (@tmp[1],@acc[4],@r5[2],@m01[1]); ++ vmalof (@tmp[2],@acc[4],@r5[3],@m01[2]); ++ vmalof (@tmp[3],@acc[4],@r5[4],@m01[3]); ++ vmalof (@tmp[4],@acc[4],@r[0],@m01[4]); ++ ++ vmalof (@tmp[0],@acc[3],@r5[2],@tmp[0]); ++ vmalof (@tmp[1],@acc[3],@r5[3],@tmp[1]); ++ vmalof (@tmp[2],@acc[3],@r5[4],@tmp[2]); ++ vmalof (@tmp[3],@acc[3],@r[0],@tmp[3]); ++ vmalof (@tmp[4],@acc[3],@r[1],@tmp[4]); ++ ++ vmalof (@tmp[0],@acc[2],@r5[3],@tmp[0]); ++ vmalof (@tmp[1],@acc[2],@r5[4],@tmp[1]); ++ vmalof (@tmp[2],@acc[2],@r[0],@tmp[2]); ++ vmalof (@tmp[3],@acc[2],@r[1],@tmp[3]); ++ vmalof (@tmp[4],@acc[2],@r[2],@tmp[4]); ++ ++ vmalof (@tmp[0],@acc[1],@r5[4],@tmp[0]); ++ vmalof (@tmp[1],@acc[1],@r[0],@tmp[1]); ++ vmalof (@tmp[2],@acc[1],@r[1],@tmp[2]); ++ vmalof (@tmp[3],@acc[1],@r[2],@tmp[3]); ++ vmalof (@tmp[4],@acc[1],@r[3],@tmp[4]); ++ ++ vmalof (@acc[1],@acc[0],@r[1],@tmp[1]); ++ vmalof (@acc[2],@acc[0],@r[2],@tmp[2]); ++ vmalof (@acc[3],@acc[0],@r[3],@tmp[3]); ++ vmalof (@acc[4],@acc[0],@r[4],@tmp[4]); ++ vmalof (@acc[0],@acc[0],@r[0],@tmp[0]); ++ ++ REDUCE (); ++ ++ la ($inp,"32($inp)"); ++ ++ALIGN (16); ++LABEL (".Lvx_2x_done"); ++ tml ($len,16); ++ jz (".Lvx_done"); ++ ++ vleig ($padvec,0,0); ++ ++ vzero ("%v20"); ++ vl ("%v21","0($inp)"); # load m0 ++ ++ # m0 -> base 2^26 ++ ++ vperm (@m01[0],"%v20","%v21",@vperm[0]); ++ vperm (@m01[2],"%v20","%v21",@vperm[1]); ++ vperm (@m01[4],"%v20","%v21",@vperm[2]); ++ ++ vesrlg (@m01[1],@m01[0],26); ++ vesrlg (@m01[3],@m01[2],30); ++ vesrlg (@m01[2],@m01[2],4); ++ ++ vn (@m01[4],@m01[4],$mask4); ++ vn (@m01[$_],@m01[$_],$mask) for (0..3); ++ ++ vaf (@m01[4],@m01[4],$padvec); # pad m0 ++ ++ # acc = acc * r + m01 ++ ++ vlrepf (@r5[$_],"4*$_+68($ctx)") for (0..4); # load 5*r ++ vlrepf (@r[$_],"4*$_+48($ctx)") for (0..4); # load r ++ ++ vmalof (@tmp[0],@acc[4],@r5[1],@m01[0]); ++ vmalof (@tmp[1],@acc[4],@r5[2],@m01[1]); ++ vmalof (@tmp[2],@acc[4],@r5[3],@m01[2]); ++ vmalof (@tmp[3],@acc[4],@r5[4],@m01[3]); ++ vmalof (@tmp[4],@acc[4],@r[0],@m01[4]); ++ ++ vmalof (@tmp[0],@acc[3],@r5[2],@tmp[0]); ++ vmalof (@tmp[1],@acc[3],@r5[3],@tmp[1]); ++ vmalof (@tmp[2],@acc[3],@r5[4],@tmp[2]); ++ vmalof (@tmp[3],@acc[3],@r[0],@tmp[3]); ++ vmalof (@tmp[4],@acc[3],@r[1],@tmp[4]); ++ ++ vmalof (@tmp[0],@acc[2],@r5[3],@tmp[0]); ++ vmalof (@tmp[1],@acc[2],@r5[4],@tmp[1]); ++ vmalof (@tmp[2],@acc[2],@r[0],@tmp[2]); ++ vmalof (@tmp[3],@acc[2],@r[1],@tmp[3]); ++ vmalof (@tmp[4],@acc[2],@r[2],@tmp[4]); ++ ++ vmalof (@tmp[0],@acc[1],@r5[4],@tmp[0]); ++ vmalof (@tmp[1],@acc[1],@r[0],@tmp[1]); ++ vmalof (@tmp[2],@acc[1],@r[1],@tmp[2]); ++ vmalof (@tmp[3],@acc[1],@r[2],@tmp[3]); ++ vmalof (@tmp[4],@acc[1],@r[3],@tmp[4]); ++ ++ vmalof (@acc[1],@acc[0],@r[1],@tmp[1]); ++ vmalof (@acc[2],@acc[0],@r[2],@tmp[2]); ++ vmalof (@acc[3],@acc[0],@r[3],@tmp[3]); ++ vmalof (@acc[4],@acc[0],@r[4],@tmp[4]); ++ vmalof (@acc[0],@acc[0],@r[0],@tmp[0]); ++ ++ REDUCE (); ++ ++ALIGN (16); ++LABEL (".Lvx_done"); ++ vstef (@acc[$_],"4*$_($ctx)",1) for (0..4); # store acc ++ vstef (@acc[$_],"24+4*$_($ctx)",3) for (0..4); ++ ++if ($z) { ++ vlm ("%v8","%v15","0($sp)"); ++ la ($sp,"$frame($sp)"); ++} else { ++ ld ("%f4","16*$SIZE_T+2*8($sp)"); ++ ld ("%f6","16*$SIZE_T+3*8($sp)"); ++} ++ br ("%r14"); ++SIZE ("poly1305_blocks_vx",".-poly1305_blocks_vx"); ++} + +- stm${g} %r6,%r14,`6*$SIZE_T`($sp) ++################ ++# static void poly1305_emit_vx(void *ctx, unsigned char mac[16], ++# const u32 nonce[4]) ++{ ++my ($ctx,$mac,$nonce) = map("%r$_",(2..4)); ++ ++GLOBL ("poly1305_emit_vx"); ++TYPE ("poly1305_emit_vx","\@function"); ++ALIGN (16); ++LABEL ("poly1305_emit_vx"); ++if ($z) { ++ aghi ($sp,-$frame); ++ vstm ("%v8","%v15","0($sp)"); ++} else { ++ std ("%f4","16*$SIZE_T+2*8($sp)"); ++ std ("%f6","16*$SIZE_T+3*8($sp)"); ++} ++ larl ("%r5",".Lconst"); + +- llgfr $padbit,$padbit # clear upper half, much needed with ++ vlef (@acc[$_],"4*$_($ctx)",1) for (0..4); # load acc1 ++ vlef (@acc[$_],"24+4*$_($ctx)",3) for (0..4); # load acc2 ++ vlef (@r5[$_],"108+4*$_($ctx)",1) for (0..4); # load 5*r^2 ++ vlef (@r[$_],"88+4*$_($ctx)",1) for (0..4); # load r^2 ++ vlef (@r5[$_],"68+4*$_($ctx)",3) for (0..4); # load 5*r ++ vlef (@r[$_],"48+4*$_($ctx)",3) for (0..4); # load r ++ vl ($mask,"48(%r5)"); # load mask ++ ++ # acc = acc1 * r^2 + acc2 * r ++ ++ vmlof (@tmp[0],@acc[4],@r5[1]); ++ vmlof (@tmp[1],@acc[4],@r5[2]); ++ vmlof (@tmp[2],@acc[4],@r5[3]); ++ vmlof (@tmp[3],@acc[4],@r5[4]); ++ vmlof (@tmp[4],@acc[4],@r[0]); ++ ++ vmalof (@tmp[0],@acc[3],@r5[2],@tmp[0]); ++ vmalof (@tmp[1],@acc[3],@r5[3],@tmp[1]); ++ vmalof (@tmp[2],@acc[3],@r5[4],@tmp[2]); ++ vmalof (@tmp[3],@acc[3],@r[0],@tmp[3]); ++ vmalof (@tmp[4],@acc[3],@r[1],@tmp[4]); ++ ++ vmalof (@tmp[0],@acc[2],@r5[3],@tmp[0]); ++ vmalof (@tmp[1],@acc[2],@r5[4],@tmp[1]); ++ vmalof (@tmp[2],@acc[2],@r[0],@tmp[2]); ++ vmalof (@tmp[3],@acc[2],@r[1],@tmp[3]); ++ vmalof (@tmp[4],@acc[2],@r[2],@tmp[4]); ++ ++ vmalof (@tmp[0],@acc[1],@r5[4],@tmp[0]); ++ vmalof (@tmp[1],@acc[1],@r[0],@tmp[1]); ++ vmalof (@tmp[2],@acc[1],@r[1],@tmp[2]); ++ vmalof (@tmp[3],@acc[1],@r[2],@tmp[3]); ++ vmalof (@tmp[4],@acc[1],@r[3],@tmp[4]); ++ ++ vmalof (@acc[1],@acc[0],@r[1],@tmp[1]); ++ vmalof (@acc[2],@acc[0],@r[2],@tmp[2]); ++ vmalof (@acc[3],@acc[0],@r[3],@tmp[3]); ++ vmalof (@acc[4],@acc[0],@r[4],@tmp[4]); ++ vmalof (@acc[0],@acc[0],@r[0],@tmp[0]); ++ ++ vzero ("%v27"); ++ vsumqg (@acc[$_],@acc[$_],"%v27") for (0..4); ++ ++ REDUCE (); ++ ++ vesrlg (@tmp[1],@acc[1],26); ++ vn (@acc[1],@acc[1],$mask); ++ vag (@acc[2],@acc[2],@tmp[1]); # carry 1->2 ++ ++ vesrlg (@tmp[2],@acc[2],26); ++ vn (@acc[2],@acc[2],$mask); ++ vag (@acc[3],@acc[3],@tmp[2]); # carry 2->3 ++ ++ vesrlg (@tmp[3],@acc[3],26); ++ vn (@acc[3],@acc[3],$mask); ++ vag (@acc[4],@acc[4],@tmp[3]); # carry 3->4 ++ ++ # acc -> base 2^64 ++ vleib ("%v30",6*8,7); ++ vleib ("%v29",13*8,7); ++ vleib ("%v28",3*8,7); ++ ++ veslg (@acc[1],@acc[1],26); ++ veslg (@acc[3],@acc[3],26); ++ vo (@acc[0],@acc[0],@acc[1]); ++ vo (@acc[2],@acc[2],@acc[3]); ++ ++ veslg (@acc[2],@acc[2],4); ++ vslb (@acc[2],@acc[2],"%v30"); # <<52 ++ vo (@acc[0],@acc[0],@acc[2]); ++ ++ vslb (@tmp[4],@acc[4],"%v29"); # <<104 ++ vo (@acc[0],@acc[0],@tmp[4]); ++ ++ vsrlb (@acc[1],@acc[4],"%v28"); # >>24 ++ ++ # acc %= 2^130-5 ++ vone ("%v26"); ++ vleig ("%v27",5,1); ++ vone ("%v29"); ++ vleig ("%v26",-4,1); ++ ++ vaq (@tmp[0],@acc[0],"%v27"); ++ vaccq (@tmp[1],@acc[0],"%v27"); ++ ++ vaq (@tmp[1],@tmp[1],"%v26"); ++ vaccq (@tmp[1],@tmp[1],@acc[1]); ++ ++ vaq (@tmp[1],@tmp[1],"%v29"); ++ ++ vn (@tmp[2],@tmp[1],@acc[0]); ++ vnc (@tmp[3],@tmp[0],@tmp[1]); ++ vo (@acc[0],@tmp[2],@tmp[3]); ++ ++ # acc += nonce ++ vl (@vperm[0],"64(%r5)"); ++ vlef (@tmp[0],"4*$_($nonce)",3-$_) for (0..3); ++ ++ vaq (@acc[0],@acc[0],@tmp[0]); ++ ++ vperm (@acc[0],@acc[0],@acc[0],@vperm[0]); ++ vst (@acc[0],"0($mac)"); # store mac ++ ++if ($z) { ++ vlm ("%v8","%v15","0($sp)"); ++ la ($sp,"$frame($sp)"); ++} else { ++ ld ("%f4","16*$SIZE_T+2*8($sp)"); ++ ld ("%f6","16*$SIZE_T+3*8($sp)"); ++} ++ br ("%r14"); ++SIZE ("poly1305_emit_vx",".-poly1305_emit_vx"); ++} ++} ++ ++# NOVX CODE PATH ++{ ++################ ++# static void poly1305_blocks(void *ctx, const unsigned char *inp, size_t len, ++# u32 padbit) ++{ ++my ($ctx,$inp,$len,$padbit) = map("%r$_",(2..5)); ++ ++my ($d0hi,$d0lo,$d1hi,$d1lo,$t0,$h0,$t1,$h1,$h2) = map("%r$_",(6..14)); ++my ($r0,$r1,$s1) = map("%r$_",(0..2)); ++GLOBL ("poly1305_blocks"); ++TYPE ("poly1305_blocks","\@function"); ++ALIGN (16); ++LABEL ("poly1305_blocks"); ++$z? srlg ($len,$len,4) :srl ($len,4); ++ lghi ("%r0",0); ++&{$z? \&clgr:\&clr} ($len,"%r0"); ++ je (".Lno_data"); ++ ++&{$z? \&stmg:\&stm} ("%r6","%r14","6*$SIZE_T($sp)"); ++ ++ llgfr ($padbit,$padbit); # clear upper half, much needed with + # non-64-bit ABI +- lg $r0,32($ctx) # load key +- lg $r1,40($ctx) ++ lg ($r0,"32($ctx)"); # load key ++ lg ($r1,"40($ctx)"); + +- lg $h0,0($ctx) # load hash value +- lg $h1,8($ctx) +- lg $h2,16($ctx) ++ lg ($h0,"0($ctx)"); # load hash value ++ lg ($h1,"8($ctx)"); ++ lg ($h2,"16($ctx)"); + +- st$g $ctx,`2*$SIZE_T`($sp) # off-load $ctx +- srlg $s1,$r1,2 +- algr $s1,$r1 # s1 = r1 + r1>>2 +- j .Loop ++&{$z? \&stg:\&st} ($ctx,"2*$SIZE_T($sp)"); # off-load $ctx ++ srlg ($s1,$r1,2); ++ algr ($s1,$r1); # s1 = r1 + r1>>2 ++ j (".Loop"); + +-.align 16 +-.Loop: +- lrvg $d0lo,0($inp) # load little-endian input +- lrvg $d1lo,8($inp) +- la $inp,16($inp) ++ALIGN (16); ++LABEL (".Loop"); ++ lrvg ($d0lo,"0($inp)"); # load little-endian input ++ lrvg ($d1lo,"8($inp)"); ++ la ($inp,"16($inp)"); + +- algr $d0lo,$h0 # accumulate input +- alcgr $d1lo,$h1 ++ algr ($d0lo,$h0); # accumulate input ++ alcgr ($d1lo,$h1); + +- lgr $h0,$d0lo +- mlgr $d0hi,$r0 # h0*r0 -> $d0hi:$d0lo +- lgr $h1,$d1lo +- mlgr $d1hi,$s1 # h1*5*r1 -> $d1hi:$d1lo ++ lgr ($h0,$d0lo); ++ mlgr ($d0hi,$r0); # h0*r0 -> $d0hi:$d0lo ++ lgr ($h1,$d1lo); ++ mlgr ($d1hi,$s1); # h1*5*r1 -> $d1hi:$d1lo + +- mlgr $t0,$r1 # h0*r1 -> $t0:$h0 +- mlgr $t1,$r0 # h1*r0 -> $t1:$h1 +- alcgr $h2,$padbit ++ mlgr ($t0,$r1); # h0*r1 -> $t0:$h0 ++ mlgr ($t1,$r0); # h1*r0 -> $t1:$h1 ++ alcgr ($h2,$padbit); + +- algr $d0lo,$d1lo +- lgr $d1lo,$h2 +- alcgr $d0hi,$d1hi +- lghi $d1hi,0 ++ algr ($d0lo,$d1lo); ++ lgr ($d1lo,$h2); ++ alcgr ($d0hi,$d1hi); ++ lghi ($d1hi,0); + +- algr $h1,$h0 +- alcgr $t1,$t0 ++ algr ($h1,$h0); ++ alcgr ($t1,$t0); + +- msgr $d1lo,$s1 # h2*s1 +- msgr $h2,$r0 # h2*r0 ++ msgr ($d1lo,$s1); # h2*s1 ++ msgr ($h2,$r0); # h2*r0 + +- algr $h1,$d1lo +- alcgr $t1,$d1hi # $d1hi is zero ++ algr ($h1,$d1lo); ++ alcgr ($t1,$d1hi); # $d1hi is zero + +- algr $h1,$d0hi +- alcgr $h2,$t1 ++ algr ($h1,$d0hi); ++ alcgr ($h2,$t1); + +- lghi $h0,-4 # final reduction step +- ngr $h0,$h2 +- srlg $t0,$h2,2 +- algr $h0,$t0 +- lghi $t1,3 +- ngr $h2,$t1 ++ lghi ($h0,-4); # final reduction step ++ ngr ($h0,$h2); ++ srlg ($t0,$h2,2); ++ algr ($h0,$t0); ++ lghi ($t1,3); ++ ngr ($h2,$t1); + +- algr $h0,$d0lo +- alcgr $h1,$d1hi # $d1hi is still zero +- alcgr $h2,$d1hi # $d1hi is still zero ++ algr ($h0,$d0lo); ++ alcgr ($h1,$d1hi); # $d1hi is still zero ++ alcgr ($h2,$d1hi); # $d1hi is still zero + +- brct$g $len,.Loop ++&{$z? \&brctg:\&brct} ($len,".Loop"); + +- l$g $ctx,`2*$SIZE_T`($sp) # restore $ctx ++&{$z? \&lg:\&l} ($ctx,"2*$SIZE_T($sp)");# restore $ctx + +- stg $h0,0($ctx) # store hash value +- stg $h1,8($ctx) +- stg $h2,16($ctx) ++ stg ($h0,"0($ctx)"); # store hash value ++ stg ($h1,"8($ctx)"); ++ stg ($h2,"16($ctx)"); + +- lm${g} %r6,%r14,`6*$SIZE_T`($sp) +-.Lno_data: +- br %r14 +-.size poly1305_blocks,.-poly1305_blocks +-___ ++&{$z? \&lmg:\&lm} ("%r6","%r14","6*$SIZE_T($sp)"); ++LABEL (".Lno_data"); ++ br ("%r14"); ++SIZE ("poly1305_blocks",".-poly1305_blocks"); + } ++ ++################ ++# static void poly1305_emit(void *ctx, unsigned char mac[16], ++# const u32 nonce[4]) + { +-my ($mac,$nonce)=($inp,$len); ++my ($ctx,$mac,$nonce) = map("%r$_",(2..4)); + my ($h0,$h1,$h2,$d0,$d1)=map("%r$_",(5..9)); + +-$code.=<<___; +-.globl poly1305_emit +-.type poly1305_emit,\@function +-.align 16 +-poly1305_emit: +- stm${g} %r6,%r9,`6*$SIZE_T`($sp) +- +- lg $h0,0($ctx) +- lg $h1,8($ctx) +- lg $h2,16($ctx) +- +- lghi %r0,5 +- lghi %r1,0 +- lgr $d0,$h0 +- lgr $d1,$h1 +- +- algr $h0,%r0 # compare to modulus +- alcgr $h1,%r1 +- alcgr $h2,%r1 +- +- srlg $h2,$h2,2 # did it borrow/carry? +- slgr %r1,$h2 # 0-$h2>>2 +- lg $h2,0($nonce) # load nonce +- lghi %r0,-1 +- lg $ctx,8($nonce) +- xgr %r0,%r1 # ~%r1 +- +- ngr $h0,%r1 +- ngr $d0,%r0 +- ngr $h1,%r1 +- ngr $d1,%r0 +- ogr $h0,$d0 +- rllg $d0,$h2,32 # flip nonce words +- ogr $h1,$d1 +- rllg $d1,$ctx,32 +- +- algr $h0,$d0 # accumulate nonce +- alcgr $h1,$d1 +- +- strvg $h0,0($mac) # write little-endian result +- strvg $h1,8($mac) +- +- lm${g} %r6,%r9,`6*$SIZE_T`($sp) +- br %r14 +-.size poly1305_emit,.-poly1305_emit +- +-.string "Poly1305 for s390x, CRYPTOGAMS by " +-___ +-} +- +-$code =~ s/\`([^\`]*)\`/eval $1/gem; +-$code =~ s/\b(srlg\s+)(%r[0-9]+\s*,)\s*([0-9]+)/$1$2$2$3/gm; +- +-print $code; +-close STDOUT or die "error closing STDOUT: $!"; ++GLOBL ("poly1305_emit"); ++TYPE ("poly1305_emit","\@function"); ++ALIGN (16); ++LABEL ("poly1305_emit"); ++&{$z? \&stmg:\&stm} ("%r6","%r9","6*$SIZE_T($sp)"); ++ ++ lg ($h0,"0($ctx)"); ++ lg ($h1,"8($ctx)"); ++ lg ($h2,"16($ctx)"); ++ ++ lghi ("%r0",5); ++ lghi ("%r1",0); ++ lgr ($d0,$h0); ++ lgr ($d1,$h1); ++ ++ algr ($h0,"%r0"); # compare to modulus ++ alcgr ($h1,"%r1"); ++ alcgr ($h2,"%r1"); ++ ++ srlg ($h2,$h2,2); # did it borrow/carry? ++ slgr ("%r1",$h2); # 0-$h2>>2 ++ lg ($h2,"0($nonce)"); # load nonce ++ lghi ("%r0",-1); ++ lg ($ctx,"8($nonce)"); ++ xgr ("%r0","%r1"); # ~%r1 ++ ++ ngr ($h0,"%r1"); ++ ngr ($d0,"%r0"); ++ ngr ($h1,"%r1"); ++ ngr ($d1,"%r0"); ++ ogr ($h0,$d0); ++ rllg ($d0,$h2,32); # flip nonce words ++ ogr ($h1,$d1); ++ rllg ($d1,$ctx,32); ++ ++ algr ($h0,$d0); # accumulate nonce ++ alcgr ($h1,$d1); ++ ++ strvg ($h0,"0($mac)"); # write little-endian result ++ strvg ($h1,"8($mac)"); ++ ++&{$z? \&lmg:\&lm} ("%r6","%r9","6*$SIZE_T($sp)"); ++ br ("%r14"); ++SIZE ("poly1305_emit",".-poly1305_emit"); ++} ++} ++################ ++ ++ALIGN (128); ++LABEL (".Lconst"); ++LONG (0x00060504,0x03020100,0x00161514,0x13121110); # vperm op[m[1],m[0]] ++LONG (0x000c0b0a,0x09080706,0x001c1b1a,0x19181716); # vperm op[m[3],m[2]] ++LONG (0x00000000,0x000f0e0d,0x00000000,0x001f1e1d); # vperm op[ - ,m[4]] ++LONG (0x00000000,0x03ffffff,0x00000000,0x03ffffff); # [0,2^26-1,0,2^26-1] ++LONG (0x0f0e0d0c,0x0b0a0908,0x07060504,0x03020100); # vperm op endian ++STRING ("\"Poly1305 for s390x, CRYPTOGAMS by \""); ++ ++PERLASM_END(); +-- +2.21.0 + diff --git a/0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch b/0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch new file mode 100644 index 0000000..d2d623d --- /dev/null +++ b/0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch @@ -0,0 +1,31 @@ +From b2b580fe445e064da50c13d3e00f71022da16ece Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Fri, 15 Feb 2019 22:59:09 +0100 +Subject: [PATCH] s390x assembly pack: fix formal interface bug in chacha + module + +Signed-off-by: Patrick Steuer + +Reviewed-by: Tim Hudson +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/8257) +--- + crypto/chacha/asm/chacha-s390x.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/chacha/asm/chacha-s390x.pl b/crypto/chacha/asm/chacha-s390x.pl +index 005c810e20..abf7283dd8 100755 +--- a/crypto/chacha/asm/chacha-s390x.pl ++++ b/crypto/chacha/asm/chacha-s390x.pl +@@ -225,7 +225,7 @@ LABEL ("ChaCha20_ctr32"); + larl ("%r1","OPENSSL_s390xcap_P"); + + lghi ("%r0",64); +-&{$z? \&cgr:\&cr} ($len,"%r0"); ++&{$z? \&clgr:\&clr} ($len,"%r0"); + jle ("_s390x_chacha_novx"); + + lg ("%r0","S390X_STFLE+16(%r1)"); +-- +2.21.0 + diff --git a/0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch b/0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch new file mode 100644 index 0000000..5f70331 --- /dev/null +++ b/0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch @@ -0,0 +1,1094 @@ +From d1229190bfbb19439589557e4d65f9bccab09b2d Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Mon, 25 Feb 2019 18:55:04 +0100 +Subject: [PATCH] s390x assembly pack: import chacha from cryptogams repo + +featuring 6x"horizontal" code path which is up to 25% +faster than present 4x"vertical" for larger blocks. + +Signed-off-by: Patrick Steuer + +Reviewed-by: Matt Caswell +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/8287) +--- + crypto/chacha/asm/chacha-s390x.pl | 1006 +++++++++++++++++++++-------- + 1 file changed, 719 insertions(+), 287 deletions(-) + +diff --git a/crypto/chacha/asm/chacha-s390x.pl b/crypto/chacha/asm/chacha-s390x.pl +index abf7283dd8..51efe64408 100755 +--- a/crypto/chacha/asm/chacha-s390x.pl ++++ b/crypto/chacha/asm/chacha-s390x.pl +@@ -23,11 +23,20 @@ + # + # August 2018 + # +-# Add vx code path. ++# Add vx code path: 4x"vertical". + # + # Copyright IBM Corp. 2018 + # Author: Patrick Steuer + ++# ++# February 2019 ++# ++# Add 6x"horizontal" VX implementation. It's ~25% faster than IBM's ++# 4x"vertical" submission [on z13] and >3 faster than scalar code. ++# But to harness overheads revert to transliteration of VSX code path ++# from chacha-ppc module, which is also 4x"vertical", to handle inputs ++# not longer than 256 bytes. ++ + use strict; + use FindBin qw($Bin); + use lib "$Bin/../.."; +@@ -50,11 +59,9 @@ while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} + my $sp="%r15"; + my $stdframe=16*$SIZE_T+4*8; + ++sub ROUND { + my @x=map("%r$_",(0..7,"x","x","x","x",(10..13))); + my @t=map("%r$_",(8,9)); +-my @v=map("%v$_",(16..31)); +- +-sub ROUND { + my ($a0,$b0,$c0,$d0)=@_; + my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0)); + my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1)); +@@ -143,63 +150,92 @@ my ($xc,$xc_)=map("$_",@t); + rll (@x[$b3],@x[$b3],7); + } + +-sub VX_ROUND { ++sub VX_lane_ROUND { + my ($a0,$b0,$c0,$d0)=@_; + my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0)); + my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1)); + my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2)); ++my @x=map("%v$_",(0..15)); ++ ++ vaf (@x[$a0],@x[$a0],@x[$b0]); # Q1 ++ vx (@x[$d0],@x[$d0],@x[$a0]); ++ verllf (@x[$d0],@x[$d0],16); ++ vaf (@x[$a1],@x[$a1],@x[$b1]); # Q2 ++ vx (@x[$d1],@x[$d1],@x[$a1]); ++ verllf (@x[$d1],@x[$d1],16); ++ vaf (@x[$a2],@x[$a2],@x[$b2]); # Q3 ++ vx (@x[$d2],@x[$d2],@x[$a2]); ++ verllf (@x[$d2],@x[$d2],16); ++ vaf (@x[$a3],@x[$a3],@x[$b3]); # Q4 ++ vx (@x[$d3],@x[$d3],@x[$a3]); ++ verllf (@x[$d3],@x[$d3],16); ++ ++ vaf (@x[$c0],@x[$c0],@x[$d0]); ++ vx (@x[$b0],@x[$b0],@x[$c0]); ++ verllf (@x[$b0],@x[$b0],12); ++ vaf (@x[$c1],@x[$c1],@x[$d1]); ++ vx (@x[$b1],@x[$b1],@x[$c1]); ++ verllf (@x[$b1],@x[$b1],12); ++ vaf (@x[$c2],@x[$c2],@x[$d2]); ++ vx (@x[$b2],@x[$b2],@x[$c2]); ++ verllf (@x[$b2],@x[$b2],12); ++ vaf (@x[$c3],@x[$c3],@x[$d3]); ++ vx (@x[$b3],@x[$b3],@x[$c3]); ++ verllf (@x[$b3],@x[$b3],12); ++ ++ vaf (@x[$a0],@x[$a0],@x[$b0]); ++ vx (@x[$d0],@x[$d0],@x[$a0]); ++ verllf (@x[$d0],@x[$d0],8); ++ vaf (@x[$a1],@x[$a1],@x[$b1]); ++ vx (@x[$d1],@x[$d1],@x[$a1]); ++ verllf (@x[$d1],@x[$d1],8); ++ vaf (@x[$a2],@x[$a2],@x[$b2]); ++ vx (@x[$d2],@x[$d2],@x[$a2]); ++ verllf (@x[$d2],@x[$d2],8); ++ vaf (@x[$a3],@x[$a3],@x[$b3]); ++ vx (@x[$d3],@x[$d3],@x[$a3]); ++ verllf (@x[$d3],@x[$d3],8); ++ ++ vaf (@x[$c0],@x[$c0],@x[$d0]); ++ vx (@x[$b0],@x[$b0],@x[$c0]); ++ verllf (@x[$b0],@x[$b0],7); ++ vaf (@x[$c1],@x[$c1],@x[$d1]); ++ vx (@x[$b1],@x[$b1],@x[$c1]); ++ verllf (@x[$b1],@x[$b1],7); ++ vaf (@x[$c2],@x[$c2],@x[$d2]); ++ vx (@x[$b2],@x[$b2],@x[$c2]); ++ verllf (@x[$b2],@x[$b2],7); ++ vaf (@x[$c3],@x[$c3],@x[$d3]); ++ vx (@x[$b3],@x[$b3],@x[$c3]); ++ verllf (@x[$b3],@x[$b3],7); ++} + +- vaf (@v[$a0],@v[$a0],@v[$b0]); +- vaf (@v[$a1],@v[$a1],@v[$b1]); +- vaf (@v[$a2],@v[$a2],@v[$b2]); +- vaf (@v[$a3],@v[$a3],@v[$b3]); +- vx (@v[$d0],@v[$d0],@v[$a0]); +- vx (@v[$d1],@v[$d1],@v[$a1]); +- vx (@v[$d2],@v[$d2],@v[$a2]); +- vx (@v[$d3],@v[$d3],@v[$a3]); +- verllf (@v[$d0],@v[$d0],16); +- verllf (@v[$d1],@v[$d1],16); +- verllf (@v[$d2],@v[$d2],16); +- verllf (@v[$d3],@v[$d3],16); +- +- vaf (@v[$c0],@v[$c0],@v[$d0]); +- vaf (@v[$c1],@v[$c1],@v[$d1]); +- vaf (@v[$c2],@v[$c2],@v[$d2]); +- vaf (@v[$c3],@v[$c3],@v[$d3]); +- vx (@v[$b0],@v[$b0],@v[$c0]); +- vx (@v[$b1],@v[$b1],@v[$c1]); +- vx (@v[$b2],@v[$b2],@v[$c2]); +- vx (@v[$b3],@v[$b3],@v[$c3]); +- verllf (@v[$b0],@v[$b0],12); +- verllf (@v[$b1],@v[$b1],12); +- verllf (@v[$b2],@v[$b2],12); +- verllf (@v[$b3],@v[$b3],12); +- +- vaf (@v[$a0],@v[$a0],@v[$b0]); +- vaf (@v[$a1],@v[$a1],@v[$b1]); +- vaf (@v[$a2],@v[$a2],@v[$b2]); +- vaf (@v[$a3],@v[$a3],@v[$b3]); +- vx (@v[$d0],@v[$d0],@v[$a0]); +- vx (@v[$d1],@v[$d1],@v[$a1]); +- vx (@v[$d2],@v[$d2],@v[$a2]); +- vx (@v[$d3],@v[$d3],@v[$a3]); +- verllf (@v[$d0],@v[$d0],8); +- verllf (@v[$d1],@v[$d1],8); +- verllf (@v[$d2],@v[$d2],8); +- verllf (@v[$d3],@v[$d3],8); +- +- vaf (@v[$c0],@v[$c0],@v[$d0]); +- vaf (@v[$c1],@v[$c1],@v[$d1]); +- vaf (@v[$c2],@v[$c2],@v[$d2]); +- vaf (@v[$c3],@v[$c3],@v[$d3]); +- vx (@v[$b0],@v[$b0],@v[$c0]); +- vx (@v[$b1],@v[$b1],@v[$c1]); +- vx (@v[$b2],@v[$b2],@v[$c2]); +- vx (@v[$b3],@v[$b3],@v[$c3]); +- verllf (@v[$b0],@v[$b0],7); +- verllf (@v[$b1],@v[$b1],7); +- verllf (@v[$b2],@v[$b2],7); +- verllf (@v[$b3],@v[$b3],7); ++sub VX_ROUND { ++my @a=@_[0..5]; ++my @b=@_[6..11]; ++my @c=@_[12..17]; ++my @d=@_[18..23]; ++my $odd=@_[24]; ++ ++ vaf (@a[$_],@a[$_],@b[$_]) for (0..5); ++ vx (@d[$_],@d[$_],@a[$_]) for (0..5); ++ verllf (@d[$_],@d[$_],16) for (0..5); ++ ++ vaf (@c[$_],@c[$_],@d[$_]) for (0..5); ++ vx (@b[$_],@b[$_],@c[$_]) for (0..5); ++ verllf (@b[$_],@b[$_],12) for (0..5); ++ ++ vaf (@a[$_],@a[$_],@b[$_]) for (0..5); ++ vx (@d[$_],@d[$_],@a[$_]) for (0..5); ++ verllf (@d[$_],@d[$_],8) for (0..5); ++ ++ vaf (@c[$_],@c[$_],@d[$_]) for (0..5); ++ vx (@b[$_],@b[$_],@c[$_]) for (0..5); ++ verllf (@b[$_],@b[$_],7) for (0..5); ++ ++ vsldb (@c[$_],@c[$_],@c[$_],8) for (0..5); ++ vsldb (@b[$_],@b[$_],@b[$_],$odd?12:4) for (0..5); ++ vsldb (@d[$_],@d[$_],@d[$_],$odd?4:12) for (0..5); + } + + PERLASM_BEGIN($output); +@@ -210,13 +246,11 @@ TEXT (); + ################ + # void ChaCha20_ctr32(unsigned char *out, const unsigned char *inp, size_t len, + # const unsigned int key[8], const unsigned int counter[4]) +-{ + my ($out,$inp,$len,$key,$counter)=map("%r$_",(2..6)); +- +-# VX CODE PATH + { +-my $off=$z*8*16+8; # offset(initial state) +-my $frame=$stdframe+4*16+$off; ++my $frame=$stdframe+4*20; ++my @x=map("%r$_",(0..7,"x","x","x","x",(10..13))); ++my @t=map("%r$_",(8,9)); + + GLOBL ("ChaCha20_ctr32"); + TYPE ("ChaCha20_ctr32","\@function"); +@@ -225,230 +259,16 @@ LABEL ("ChaCha20_ctr32"); + larl ("%r1","OPENSSL_s390xcap_P"); + + lghi ("%r0",64); ++&{$z? \<gr:\<r} ($len,$len); # len==0? ++ bzr ("%r14"); ++ lg ("%r1","S390X_STFLE+16(%r1)"); + &{$z? \&clgr:\&clr} ($len,"%r0"); +- jle ("_s390x_chacha_novx"); +- +- lg ("%r0","S390X_STFLE+16(%r1)"); +- tmhh ("%r0",0x4000); # check for vector facility +- jz ("_s390x_chacha_novx"); +- +-if (!$z) { +- llgfr ($len,$len); +- std ("%f4","16*$SIZE_T+2*8($sp)"); +- std ("%f6","16*$SIZE_T+3*8($sp)"); +-} +-&{$z? \&stmg:\&stm} ("%r6","%r7","6*$SIZE_T($sp)"); ++ jle (".Lshort"); + +- lghi ("%r1",-$frame); +- lgr ("%r0",$sp); +- la ($sp,"0(%r1,$sp)"); # allocate stack frame ++ tmhh ("%r1",0x4000); # check for vx bit ++ jnz (".LChaCha20_ctr32_vx"); + +- larl ("%r7",".Lsigma"); +-&{$z? \&stg:\&st} ("%r0","0($sp)"); # backchain +- +- vstm ("%v8","%v15","8($sp)") if ($z); +- +- vlm ("%v1","%v2","0($key)"); # load key +- vl ("%v0","0(%r7)"); # load sigma constant +- vl ("%v3","0($counter)"); # load iv (counter||nonce) +- l ("%r0","0($counter)"); # load counter +- vstm ("%v0","%v3","$off($sp)"); # copy initial state to stack +- +- srlg ("%r1",$len,8); +- ltgr ("%r1","%r1"); +- jz (".Lvx_4x_done"); +- +-ALIGN (16); # process 4 64-byte blocks +-LABEL (".Lvx_4x"); +- vlrepf ("%v$_",($_*4)."+$off($sp)") for (0..15); # load initial +- # state +- vl ("%v31","16(%r7)"); +- vaf ("%v12","%v12","%v31"); # increment counter +- +- vlr (@v[$_],"%v$_") for (0..15); # copy initial state +- +- lhi ("%r6",10); +- j (".Loop_vx_4x"); +- +-ALIGN (16); +-LABEL (".Loop_vx_4x"); +- VX_ROUND( 0, 4, 8,12); # column round +- VX_ROUND( 0, 5,10,15); # diagonal round +- brct ("%r6",".Loop_vx_4x"); +- +- vaf (@v[$_],@v[$_],"%v$_") for (0..15); # state += initial +- # state (mod 32) +- vlm ("%v6","%v7","32(%r7)"); # load vperm operands +- +-for (0..3) { # blocks 1,2 +- vmrhf ("%v0",@v[$_*4+0],@v[$_*4+1]); # ks = serialize(state) +- vmrhf ("%v1",@v[$_*4+2],@v[$_*4+3]); +- vperm ("%v".($_+ 8),"%v0","%v1","%v6"); +- vperm ("%v".($_+12),"%v0","%v1","%v7"); +-} +- vlm ("%v0","%v7","0($inp)"); # load in +- vx ("%v$_","%v$_","%v".($_+8)) for (0..7); # out = in ^ ks +- vstm ("%v0","%v7","0($out)"); # store out +- +- vlm ("%v6","%v7","32(%r7)"); # restore vperm operands +- +-for (0..3) { # blocks 2,3 +- vmrlf ("%v0",@v[$_*4+0],@v[$_*4+1]); # ks = serialize(state) +- vmrlf ("%v1",@v[$_*4+2],@v[$_*4+3]); +- vperm ("%v".($_+ 8),"%v0","%v1","%v6"); +- vperm ("%v".($_+12),"%v0","%v1","%v7"); +-} +- vlm ("%v0","%v7","128($inp)"); # load in +- vx ("%v$_","%v$_","%v".($_+8)) for (0..7); # out = in ^ ks +- vstm ("%v0","%v7","128($out)"); # store out +- +- ahi ("%r0",4); +- st ("%r0","48+$off($sp)"); # update initial state +- +- la ($inp,"256($inp)"); +- la ($out,"256($out)"); +- brctg ("%r1",".Lvx_4x"); +- +-ALIGN (16); +-LABEL (".Lvx_4x_done"); +- lghi ("%r1",0xff); +- ngr ($len,"%r1"); +- jnz (".Lvx_rem"); +- +-ALIGN (16); +-LABEL (".Lvx_done"); +- vzero ("%v$_") for (16..31); # wipe ks and key copy +- vstm ("%v16","%v17","16+$off($sp)"); +- vlm ("%v8","%v15","8($sp)") if ($z); +- +- la ($sp,"$frame($sp)"); +-&{$z? \&lmg:\&lm} ("%r6","%r7","6*$SIZE_T($sp)"); +- +-if (!$z) { +- ld ("%f4","16*$SIZE_T+2*8($sp)"); +- ld ("%f6","16*$SIZE_T+3*8($sp)"); +- vzero ("%v$_") for (8..15); +-} +- br ("%r14"); +-ALIGN (16); +-LABEL (".Lvx_rem"); +- lhi ("%r0",64); +- +- sr ($len,"%r0"); +- brc (2,".Lvx_rem_g64"); # cc==2? +- +- lghi ("%r1",-$stdframe); +- +- la ($counter,"48+$off($sp)"); # load updated iv +- ar ($len,"%r0"); # restore len +- +- lgr ("%r7",$counter); +-&{$z? \&stg:\&st} ("%r14","14*$SIZE_T+$frame($sp)"); +- la ($sp,"0(%r1,$sp)"); +- +- bras ("%r14","_s390x_chacha_novx"); +- +- la ($sp,"$stdframe($sp)"); +-&{$z? \&lg:\&l} ("%r14","14*$SIZE_T+$frame($sp)"); +- lgr ($counter,"%r7"); +- j (".Lvx_done"); +- +-ALIGN (16); +-LABEL (".Lvx_rem_g64"); +- vlrepf ("%v$_",($_*4)."+$off($sp)") for (0..15); # load initial +- # state +- vl ("%v31","16(%r7)"); +- vaf ("%v12","%v12","%v31"); # increment counter +- +- vlr (@v[$_],"%v$_") for (0..15); # state = initial state +- +- lhi ("%r6",10); +- j (".Loop_vx_rem"); +- +-ALIGN (16); +-LABEL (".Loop_vx_rem"); +- VX_ROUND( 0, 4, 8,12); # column round +- VX_ROUND( 0, 5,10,15); # diagonal round +- brct ("%r6",".Loop_vx_rem"); +- +- vaf (@v[$_],@v[$_],"%v$_") for (0..15); # state += initial +- # state (mod 32) +- vlm ("%v6","%v7","32(%r7)"); # load vperm operands +- +-for (0..3) { # blocks 1,2 +- vmrhf ("%v0",@v[$_*4+0],@v[$_*4+1]); # ks = serialize(state) +- vmrhf ("%v1",@v[$_*4+2],@v[$_*4+3]); +- vperm ("%v".($_+8),"%v0","%v1","%v6"); +- vperm ("%v".($_+12),"%v0","%v1","%v7"); +-} +- vlm ("%v0","%v3","0($inp)"); # load in +- vx ("%v$_","%v$_","%v".($_+8)) for (0..3); # out = in ^ ks +- vstm ("%v0","%v3","0($out)"); # store out +- +- la ($inp,"64($inp)"); +- la ($out,"64($out)"); +- +- sr ($len,"%r0"); +- brc (4,".Lvx_tail"); # cc==4? +- +- vlm ("%v0","%v3","0($inp)"); # load in +- vx ("%v$_","%v$_","%v".($_+12)) for (0..3); # out = in ^ ks +- vstm ("%v0","%v3","0($out)"); # store out +- jz (".Lvx_done"); +- +-for (0..3) { # blocks 3,4 +- vmrlf ("%v0",@v[$_*4+0],@v[$_*4+1]); # ks = serialize(state) +- vmrlf ("%v1",@v[$_*4+2],@v[$_*4+3]); +- vperm ("%v".($_+12),"%v0","%v1","%v6"); +- vperm ("%v".($_+8),"%v0","%v1","%v7"); +-} +- la ($inp,"64($inp)"); +- la ($out,"64($out)"); +- +- sr ($len,"%r0"); +- brc (4,".Lvx_tail"); # cc==4? +- +- vlm ("%v0","%v3","0($inp)"); # load in +- vx ("%v$_","%v$_","%v".($_+12)) for (0..3); # out = in ^ ks +- vstm ("%v0","%v3","0($out)"); # store out +- jz (".Lvx_done"); +- +- la ($inp,"64($inp)"); +- la ($out,"64($out)"); +- +- sr ($len,"%r0"); +- vlr ("%v".($_+4),"%v$_") for (8..11); +- j (".Lvx_tail"); +- +-ALIGN (16); +-LABEL (".Lvx_tail"); +- ar ($len,"%r0"); # restore $len +- ahi ($len,-1); +- +- lhi ("%r0",16); +-for (0..2) { +- vll ("%v0",$len,($_*16)."($inp)"); +- vx ("%v0","%v0","%v".($_+12)); +- vstl ("%v0",$len,($_*16)."($out)"); +- sr ($len,"%r0"); +- brc (4,".Lvx_done"); # cc==4? +-} +- vll ("%v0",$len,"3*16($inp)"); +- vx ("%v0","%v0","%v15"); +- vstl ("%v0",$len,"3*16($out)"); +- j (".Lvx_done"); +-SIZE ("ChaCha20_ctr32",".-ChaCha20_ctr32"); +-} +- +-# NOVX CODE PATH +-{ +-my $frame=$stdframe+4*20; +- +-TYPE ("_s390x_chacha_novx","\@function"); +-ALIGN (32); +-LABEL ("_s390x_chacha_novx"); +-&{$z? \<gr:\<r} ($len,$len); # $len==0? +- bzr ("%r14"); ++LABEL (".Lshort"); + &{$z? \&aghi:\&ahi} ($len,-64); + &{$z? \&lghi:\&lhi} ("%r1",-$frame); + &{$z? \&stmg:\&stm} ("%r6","%r15","6*$SIZE_T($sp)"); +@@ -607,17 +427,629 @@ LABEL (".Loop_tail"); + brct (@t[1],".Loop_tail"); + + j (".Ldone"); +-SIZE ("_s390x_chacha_novx",".-_s390x_chacha_novx"); ++SIZE ("ChaCha20_ctr32",".-ChaCha20_ctr32"); ++} ++ ++######################################################################## ++# 4x"vertical" layout minimizes amount of instructions, but pipeline ++# runs underutilized [because of vector instructions' high latency]. ++# On the other hand minimum amount of data it takes to fully utilize ++# the pipeline is higher, so that effectively, short inputs would be ++# processed slower. Hence this code path targeting <=256 bytes lengths. ++# ++{ ++my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3, ++ $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3)=map("%v$_",(0..15)); ++my @K=map("%v$_",(16..19)); ++my $CTR="%v26"; ++my ($xt0,$xt1,$xt2,$xt3)=map("%v$_",(27..30)); ++my $beperm="%v31"; ++my ($x00,$x10,$x20,$x30)=(0,map("r$_",(8..10))); ++my $FRAME=$stdframe+4*16; ++ ++ALIGN (32); ++LABEL ("ChaCha20_ctr32_4x"); ++LABEL (".LChaCha20_ctr32_4x"); ++&{$z? \&stmg:\&stm} ("%r6","%r7","6*$SIZE_T($sp)"); ++if (!$z) { ++ std ("%f4","16*$SIZE_T+2*8($sp)"); ++ std ("%f6","16*$SIZE_T+3*8($sp)"); ++} ++&{$z? \&lghi:\&lhi} ("%r1",-$FRAME); ++ lgr ("%r0",$sp); ++ la ($sp,"0(%r1,$sp)"); ++&{$z? \&stg:\&st} ("%r0","0($sp)"); # back-chain ++if ($z) { ++ std ("%f8","$stdframe+8*0($sp)"); ++ std ("%f9","$stdframe+8*1($sp)"); ++ std ("%f10","$stdframe+8*2($sp)"); ++ std ("%f11","$stdframe+8*3($sp)"); ++ std ("%f12","$stdframe+8*4($sp)"); ++ std ("%f13","$stdframe+8*5($sp)"); ++ std ("%f14","$stdframe+8*6($sp)"); ++ std ("%f15","$stdframe+8*7($sp)"); ++} ++ larl ("%r7",".Lsigma"); ++ lhi ("%r0",10); ++ lhi ("%r1",0); ++ ++ vl (@K[0],"0(%r7)"); # load sigma ++ vl (@K[1],"0($key)"); # load key ++ vl (@K[2],"16($key)"); ++ vl (@K[3],"0($counter)"); # load counter ++ ++ vl ($beperm,"0x40(%r7)"); ++ vl ($xt1,"0x50(%r7)"); ++ vrepf ($CTR,@K[3],0); ++ vlvgf (@K[3],"%r1",0); # clear @K[3].word[0] ++ vaf ($CTR,$CTR,$xt1); ++ ++#LABEL (".Loop_outer_4x"); ++ vlm ($xa0,$xa3,"0x60(%r7)"); # load [smashed] sigma ++ ++ vrepf ($xb0,@K[1],0); # smash the key ++ vrepf ($xb1,@K[1],1); ++ vrepf ($xb2,@K[1],2); ++ vrepf ($xb3,@K[1],3); ++ ++ vrepf ($xc0,@K[2],0); ++ vrepf ($xc1,@K[2],1); ++ vrepf ($xc2,@K[2],2); ++ vrepf ($xc3,@K[2],3); ++ ++ vlr ($xd0,$CTR); ++ vrepf ($xd1,@K[3],1); ++ vrepf ($xd2,@K[3],2); ++ vrepf ($xd3,@K[3],3); ++ ++LABEL (".Loop_4x"); ++ VX_lane_ROUND(0, 4, 8,12); ++ VX_lane_ROUND(0, 5,10,15); ++ brct ("%r0",".Loop_4x"); ++ ++ vaf ($xd0,$xd0,$CTR); ++ ++ vmrhf ($xt0,$xa0,$xa1); # transpose data ++ vmrhf ($xt1,$xa2,$xa3); ++ vmrlf ($xt2,$xa0,$xa1); ++ vmrlf ($xt3,$xa2,$xa3); ++ vpdi ($xa0,$xt0,$xt1,0b0000); ++ vpdi ($xa1,$xt0,$xt1,0b0101); ++ vpdi ($xa2,$xt2,$xt3,0b0000); ++ vpdi ($xa3,$xt2,$xt3,0b0101); ++ ++ vmrhf ($xt0,$xb0,$xb1); ++ vmrhf ($xt1,$xb2,$xb3); ++ vmrlf ($xt2,$xb0,$xb1); ++ vmrlf ($xt3,$xb2,$xb3); ++ vpdi ($xb0,$xt0,$xt1,0b0000); ++ vpdi ($xb1,$xt0,$xt1,0b0101); ++ vpdi ($xb2,$xt2,$xt3,0b0000); ++ vpdi ($xb3,$xt2,$xt3,0b0101); ++ ++ vmrhf ($xt0,$xc0,$xc1); ++ vmrhf ($xt1,$xc2,$xc3); ++ vmrlf ($xt2,$xc0,$xc1); ++ vmrlf ($xt3,$xc2,$xc3); ++ vpdi ($xc0,$xt0,$xt1,0b0000); ++ vpdi ($xc1,$xt0,$xt1,0b0101); ++ vpdi ($xc2,$xt2,$xt3,0b0000); ++ vpdi ($xc3,$xt2,$xt3,0b0101); ++ ++ vmrhf ($xt0,$xd0,$xd1); ++ vmrhf ($xt1,$xd2,$xd3); ++ vmrlf ($xt2,$xd0,$xd1); ++ vmrlf ($xt3,$xd2,$xd3); ++ vpdi ($xd0,$xt0,$xt1,0b0000); ++ vpdi ($xd1,$xt0,$xt1,0b0101); ++ vpdi ($xd2,$xt2,$xt3,0b0000); ++ vpdi ($xd3,$xt2,$xt3,0b0101); ++ ++ #vrepif ($xt0,4); ++ #vaf ($CTR,$CTR,$xt0); # next counter value ++ ++ vaf ($xa0,$xa0,@K[0]); ++ vaf ($xb0,$xb0,@K[1]); ++ vaf ($xc0,$xc0,@K[2]); ++ vaf ($xd0,$xd0,@K[3]); ++ ++ vperm ($xa0,$xa0,$xa0,$beperm); ++ vperm ($xb0,$xb0,$xb0,$beperm); ++ vperm ($xc0,$xc0,$xc0,$beperm); ++ vperm ($xd0,$xd0,$xd0,$beperm); ++ ++ #&{$z? \&clgfi:\&clfi} ($len,0x40); ++ #jl (".Ltail_4x"); ++ ++ vlm ($xt0,$xt3,"0($inp)"); ++ ++ vx ($xt0,$xt0,$xa0); ++ vx ($xt1,$xt1,$xb0); ++ vx ($xt2,$xt2,$xc0); ++ vx ($xt3,$xt3,$xd0); ++ ++ vstm ($xt0,$xt3,"0($out)"); ++ ++ la ($inp,"0x40($inp)"); ++ la ($out,"0x40($out)"); ++&{$z? \&aghi:\&ahi} ($len,-0x40); ++ #je (".Ldone_4x"); ++ ++ vaf ($xa0,$xa1,@K[0]); ++ vaf ($xb0,$xb1,@K[1]); ++ vaf ($xc0,$xc1,@K[2]); ++ vaf ($xd0,$xd1,@K[3]); ++ ++ vperm ($xa0,$xa0,$xa0,$beperm); ++ vperm ($xb0,$xb0,$xb0,$beperm); ++ vperm ($xc0,$xc0,$xc0,$beperm); ++ vperm ($xd0,$xd0,$xd0,$beperm); ++ ++&{$z? \&clgfi:\&clfi} ($len,0x40); ++ jl (".Ltail_4x"); ++ ++ vlm ($xt0,$xt3,"0($inp)"); ++ ++ vx ($xt0,$xt0,$xa0); ++ vx ($xt1,$xt1,$xb0); ++ vx ($xt2,$xt2,$xc0); ++ vx ($xt3,$xt3,$xd0); ++ ++ vstm ($xt0,$xt3,"0($out)"); ++ ++ la ($inp,"0x40($inp)"); ++ la ($out,"0x40($out)"); ++&{$z? \&aghi:\&ahi} ($len,-0x40); ++ je (".Ldone_4x"); ++ ++ vaf ($xa0,$xa2,@K[0]); ++ vaf ($xb0,$xb2,@K[1]); ++ vaf ($xc0,$xc2,@K[2]); ++ vaf ($xd0,$xd2,@K[3]); ++ ++ vperm ($xa0,$xa0,$xa0,$beperm); ++ vperm ($xb0,$xb0,$xb0,$beperm); ++ vperm ($xc0,$xc0,$xc0,$beperm); ++ vperm ($xd0,$xd0,$xd0,$beperm); ++ ++&{$z? \&clgfi:\&clfi} ($len,0x40); ++ jl (".Ltail_4x"); ++ ++ vlm ($xt0,$xt3,"0($inp)"); ++ ++ vx ($xt0,$xt0,$xa0); ++ vx ($xt1,$xt1,$xb0); ++ vx ($xt2,$xt2,$xc0); ++ vx ($xt3,$xt3,$xd0); ++ ++ vstm ($xt0,$xt3,"0($out)"); ++ ++ la ($inp,"0x40($inp)"); ++ la ($out,"0x40($out)"); ++&{$z? \&aghi:\&ahi} ($len,-0x40); ++ je (".Ldone_4x"); ++ ++ vaf ($xa0,$xa3,@K[0]); ++ vaf ($xb0,$xb3,@K[1]); ++ vaf ($xc0,$xc3,@K[2]); ++ vaf ($xd0,$xd3,@K[3]); ++ ++ vperm ($xa0,$xa0,$xa0,$beperm); ++ vperm ($xb0,$xb0,$xb0,$beperm); ++ vperm ($xc0,$xc0,$xc0,$beperm); ++ vperm ($xd0,$xd0,$xd0,$beperm); ++ ++&{$z? \&clgfi:\&clfi} ($len,0x40); ++ jl (".Ltail_4x"); ++ ++ vlm ($xt0,$xt3,"0($inp)"); ++ ++ vx ($xt0,$xt0,$xa0); ++ vx ($xt1,$xt1,$xb0); ++ vx ($xt2,$xt2,$xc0); ++ vx ($xt3,$xt3,$xd0); ++ ++ vstm ($xt0,$xt3,"0($out)"); ++ ++ #la $inp,0x40($inp)); ++ #la $out,0x40($out)); ++ #lhi %r0,10); ++ #&{$z? \&aghi:\&ahi} $len,-0x40); ++ #jne .Loop_outer_4x); ++ ++LABEL (".Ldone_4x"); ++if (!$z) { ++ ld ("%f4","$FRAME+16*$SIZE_T+2*8($sp)"); ++ ld ("%f6","$FRAME+16*$SIZE_T+3*8($sp)"); ++} else { ++ ld ("%f8","$stdframe+8*0($sp)"); ++ ld ("%f9","$stdframe+8*1($sp)"); ++ ld ("%f10","$stdframe+8*2($sp)"); ++ ld ("%f11","$stdframe+8*3($sp)"); ++ ld ("%f12","$stdframe+8*4($sp)"); ++ ld ("%f13","$stdframe+8*5($sp)"); ++ ld ("%f14","$stdframe+8*6($sp)"); ++ ld ("%f15","$stdframe+8*7($sp)"); ++} ++&{$z? \&lmg:\&lm} ("%r6","%r7","$FRAME+6*$SIZE_T($sp)"); ++ la ($sp,"$FRAME($sp)"); ++ br ("%r14"); ++ ++ALIGN (16); ++LABEL (".Ltail_4x"); ++if (!$z) { ++ vlr ($xt0,$xb0); ++ ld ("%f4","$FRAME+16*$SIZE_T+2*8($sp)"); ++ ld ("%f6","$FRAME+16*$SIZE_T+3*8($sp)"); ++ ++ vst ($xa0,"$stdframe+0x00($sp)"); ++ vst ($xt0,"$stdframe+0x10($sp)"); ++ vst ($xc0,"$stdframe+0x20($sp)"); ++ vst ($xd0,"$stdframe+0x30($sp)"); ++} else { ++ vlr ($xt0,$xc0); ++ ld ("%f8","$stdframe+8*0($sp)"); ++ ld ("%f9","$stdframe+8*1($sp)"); ++ ld ("%f10","$stdframe+8*2($sp)"); ++ ld ("%f11","$stdframe+8*3($sp)"); ++ vlr ($xt1,$xd0); ++ ld ("%f12","$stdframe+8*4($sp)"); ++ ld ("%f13","$stdframe+8*5($sp)"); ++ ld ("%f14","$stdframe+8*6($sp)"); ++ ld ("%f15","$stdframe+8*7($sp)"); ++ ++ vst ($xa0,"$stdframe+0x00($sp)"); ++ vst ($xb0,"$stdframe+0x10($sp)"); ++ vst ($xt0,"$stdframe+0x20($sp)"); ++ vst ($xt1,"$stdframe+0x30($sp)"); + } ++ lghi ("%r1",0); ++ ++LABEL (".Loop_tail_4x"); ++ llgc ("%r5","0(%r1,$inp)"); ++ llgc ("%r6","$stdframe(%r1,$sp)"); ++ xr ("%r6","%r5"); ++ stc ("%r6","0(%r1,$out)"); ++ la ("%r1","1(%r1)"); ++ brct ($len,".Loop_tail_4x"); ++ ++&{$z? \&lmg:\&lm} ("%r6","%r7","$FRAME+6*$SIZE_T($sp)"); ++ la ($sp,"$FRAME($sp)"); ++ br ("%r14"); ++SIZE ("ChaCha20_ctr32_4x",".-ChaCha20_ctr32_4x"); ++} ++ ++######################################################################## ++# 6x"horizontal" layout is optimal fit for the platform in its current ++# shape, more specifically for given vector instructions' latency. Well, ++# computational part of 8x"vertical" would be faster, but it consumes ++# all registers and dealing with that will diminish the return... ++# ++{ ++my ($a0,$b0,$c0,$d0, $a1,$b1,$c1,$d1, ++ $a2,$b2,$c2,$d2, $a3,$b3,$c3,$d3, ++ $a4,$b4,$c4,$d4, $a5,$b5,$c5,$d5)=map("%v$_",(0..23)); ++my @K=map("%v$_",(27,24..26)); ++my ($t0,$t1,$t2,$t3)=map("%v$_",27..30); ++my $beperm="%v31"; ++my $FRAME=$stdframe + 4*16; ++ ++GLOBL ("ChaCha20_ctr32_vx"); ++ALIGN (32); ++LABEL ("ChaCha20_ctr32_vx"); ++LABEL (".LChaCha20_ctr32_vx"); ++&{$z? \&clgfi:\&clfi} ($len,256); ++ jle (".LChaCha20_ctr32_4x"); ++&{$z? \&stmg:\&stm} ("%r6","%r7","6*$SIZE_T($sp)"); ++if (!$z) { ++ std ("%f4","16*$SIZE_T+2*8($sp)"); ++ std ("%f6","16*$SIZE_T+3*8($sp)"); ++} ++&{$z? \&lghi:\&lhi} ("%r1",-$FRAME); ++ lgr ("%r0",$sp); ++ la ($sp,"0(%r1,$sp)"); ++&{$z? \&stg:\&st} ("%r0","0($sp)"); # back-chain ++if ($z) { ++ std ("%f8","$FRAME-8*8($sp)"); ++ std ("%f9","$FRAME-8*7($sp)"); ++ std ("%f10","$FRAME-8*6($sp)"); ++ std ("%f11","$FRAME-8*5($sp)"); ++ std ("%f12","$FRAME-8*4($sp)"); ++ std ("%f13","$FRAME-8*3($sp)"); ++ std ("%f14","$FRAME-8*2($sp)"); ++ std ("%f15","$FRAME-8*1($sp)"); ++} ++ larl ("%r7",".Lsigma"); ++ lhi ("%r0",10); ++ ++ vlm (@K[1],@K[2],"0($key)"); # load key ++ vl (@K[3],"0($counter)"); # load counter ++ ++ vlm (@K[0],"$beperm","0(%r7)"); # load sigma, increments, ... ++ ++LABEL (".Loop_outer_vx"); ++ vlr ($a0,@K[0]); ++ vlr ($b0,@K[1]); ++ vlr ($a1,@K[0]); ++ vlr ($b1,@K[1]); ++ vlr ($a2,@K[0]); ++ vlr ($b2,@K[1]); ++ vlr ($a3,@K[0]); ++ vlr ($b3,@K[1]); ++ vlr ($a4,@K[0]); ++ vlr ($b4,@K[1]); ++ vlr ($a5,@K[0]); ++ vlr ($b5,@K[1]); ++ ++ vlr ($d0,@K[3]); ++ vaf ($d1,@K[3],$t1); # K[3]+1 ++ vaf ($d2,@K[3],$t2); # K[3]+2 ++ vaf ($d3,@K[3],$t3); # K[3]+3 ++ vaf ($d4,$d2,$t2); # K[3]+4 ++ vaf ($d5,$d2,$t3); # K[3]+5 ++ ++ vlr ($c0,@K[2]); ++ vlr ($c1,@K[2]); ++ vlr ($c2,@K[2]); ++ vlr ($c3,@K[2]); ++ vlr ($c4,@K[2]); ++ vlr ($c5,@K[2]); ++ ++ vlr ($t1,$d1); ++ vlr ($t2,$d2); ++ vlr ($t3,$d3); ++ ++ALIGN (4); ++LABEL (".Loop_vx"); ++ ++ VX_ROUND($a0,$a1,$a2,$a3,$a4,$a5, ++ $b0,$b1,$b2,$b3,$b4,$b5, ++ $c0,$c1,$c2,$c3,$c4,$c5, ++ $d0,$d1,$d2,$d3,$d4,$d5, ++ 0); ++ ++ VX_ROUND($a0,$a1,$a2,$a3,$a4,$a5, ++ $b0,$b1,$b2,$b3,$b4,$b5, ++ $c0,$c1,$c2,$c3,$c4,$c5, ++ $d0,$d1,$d2,$d3,$d4,$d5, ++ 1); ++ ++ brct ("%r0",".Loop_vx"); ++ ++ vaf ($a0,$a0,@K[0]); ++ vaf ($b0,$b0,@K[1]); ++ vaf ($c0,$c0,@K[2]); ++ vaf ($d0,$d0,@K[3]); ++ vaf ($a1,$a1,@K[0]); ++ vaf ($d1,$d1,$t1); # +K[3]+1 ++ ++ vperm ($a0,$a0,$a0,$beperm); ++ vperm ($b0,$b0,$b0,$beperm); ++ vperm ($c0,$c0,$c0,$beperm); ++ vperm ($d0,$d0,$d0,$beperm); ++ ++&{$z? \&clgfi:\&clfi} ($len,0x40); ++ jl (".Ltail_vx"); ++ ++ vaf ($d2,$d2,$t2); # +K[3]+2 ++ vaf ($d3,$d3,$t3); # +K[3]+3 ++ vlm ($t0,$t3,"0($inp)"); ++ ++ vx ($a0,$a0,$t0); ++ vx ($b0,$b0,$t1); ++ vx ($c0,$c0,$t2); ++ vx ($d0,$d0,$t3); ++ ++ vlm (@K[0],$t3,"0(%r7)"); # re-load sigma and increments ++ ++ vstm ($a0,$d0,"0($out)"); ++ ++ la ($inp,"0x40($inp)"); ++ la ($out,"0x40($out)"); ++&{$z? \&aghi:\&ahi} ($len,-0x40); ++ je (".Ldone_vx"); ++ ++ vaf ($b1,$b1,@K[1]); ++ vaf ($c1,$c1,@K[2]); ++ ++ vperm ($a0,$a1,$a1,$beperm); ++ vperm ($b0,$b1,$b1,$beperm); ++ vperm ($c0,$c1,$c1,$beperm); ++ vperm ($d0,$d1,$d1,$beperm); ++ ++&{$z? \&clgfi:\&clfi} ($len,0x40); ++ jl (".Ltail_vx"); ++ ++ vlm ($a1,$d1,"0($inp)"); ++ ++ vx ($a0,$a0,$a1); ++ vx ($b0,$b0,$b1); ++ vx ($c0,$c0,$c1); ++ vx ($d0,$d0,$d1); ++ ++ vstm ($a0,$d0,"0($out)"); ++ ++ la ($inp,"0x40($inp)"); ++ la ($out,"0x40($out)"); ++&{$z? \&aghi:\&ahi} ($len,-0x40); ++ je (".Ldone_vx"); ++ ++ vaf ($a2,$a2,@K[0]); ++ vaf ($b2,$b2,@K[1]); ++ vaf ($c2,$c2,@K[2]); ++ ++ vperm ($a0,$a2,$a2,$beperm); ++ vperm ($b0,$b2,$b2,$beperm); ++ vperm ($c0,$c2,$c2,$beperm); ++ vperm ($d0,$d2,$d2,$beperm); ++ ++&{$z? \&clgfi:\&clfi} ($len,0x40); ++ jl (".Ltail_vx"); ++ ++ vlm ($a1,$d1,"0($inp)"); ++ ++ vx ($a0,$a0,$a1); ++ vx ($b0,$b0,$b1); ++ vx ($c0,$c0,$c1); ++ vx ($d0,$d0,$d1); ++ ++ vstm ($a0,$d0,"0($out)"); ++ ++ la ($inp,"0x40($inp)"); ++ la ($out,"0x40($out)"); ++&{$z? \&aghi:\&ahi} ($len,-0x40); ++ je (".Ldone_vx"); ++ ++ vaf ($a3,$a3,@K[0]); ++ vaf ($b3,$b3,@K[1]); ++ vaf ($c3,$c3,@K[2]); ++ vaf ($d2,@K[3],$t3); # K[3]+3 ++ ++ vperm ($a0,$a3,$a3,$beperm); ++ vperm ($b0,$b3,$b3,$beperm); ++ vperm ($c0,$c3,$c3,$beperm); ++ vperm ($d0,$d3,$d3,$beperm); ++ ++&{$z? \&clgfi:\&clfi} ($len,0x40); ++ jl (".Ltail_vx"); ++ ++ vaf ($d3,$d2,$t1); # K[3]+4 ++ vlm ($a1,$d1,"0($inp)"); ++ ++ vx ($a0,$a0,$a1); ++ vx ($b0,$b0,$b1); ++ vx ($c0,$c0,$c1); ++ vx ($d0,$d0,$d1); ++ ++ vstm ($a0,$d0,"0($out)"); ++ ++ la ($inp,"0x40($inp)"); ++ la ($out,"0x40($out)"); ++&{$z? \&aghi:\&ahi} ($len,-0x40); ++ je (".Ldone_vx"); ++ ++ vaf ($a4,$a4,@K[0]); ++ vaf ($b4,$b4,@K[1]); ++ vaf ($c4,$c4,@K[2]); ++ vaf ($d4,$d4,$d3); # +K[3]+4 ++ vaf ($d3,$d3,$t1); # K[3]+5 ++ vaf (@K[3],$d2,$t3); # K[3]+=6 ++ ++ vperm ($a0,$a4,$a4,$beperm); ++ vperm ($b0,$b4,$b4,$beperm); ++ vperm ($c0,$c4,$c4,$beperm); ++ vperm ($d0,$d4,$d4,$beperm); ++ ++&{$z? \&clgfi:\&clfi} ($len,0x40); ++ jl (".Ltail_vx"); ++ ++ vlm ($a1,$d1,"0($inp)"); ++ ++ vx ($a0,$a0,$a1); ++ vx ($b0,$b0,$b1); ++ vx ($c0,$c0,$c1); ++ vx ($d0,$d0,$d1); ++ ++ vstm ($a0,$d0,"0($out)"); ++ ++ la ($inp,"0x40($inp)"); ++ la ($out,"0x40($out)"); ++&{$z? \&aghi:\&ahi} ($len,-0x40); ++ je (".Ldone_vx"); ++ ++ vaf ($a5,$a5,@K[0]); ++ vaf ($b5,$b5,@K[1]); ++ vaf ($c5,$c5,@K[2]); ++ vaf ($d5,$d5,$d3); # +K[3]+5 ++ ++ vperm ($a0,$a5,$a5,$beperm); ++ vperm ($b0,$b5,$b5,$beperm); ++ vperm ($c0,$c5,$c5,$beperm); ++ vperm ($d0,$d5,$d5,$beperm); ++ ++&{$z? \&clgfi:\&clfi} ($len,0x40); ++ jl (".Ltail_vx"); ++ ++ vlm ($a1,$d1,"0($inp)"); ++ ++ vx ($a0,$a0,$a1); ++ vx ($b0,$b0,$b1); ++ vx ($c0,$c0,$c1); ++ vx ($d0,$d0,$d1); ++ ++ vstm ($a0,$d0,"0($out)"); ++ ++ la ($inp,"0x40($inp)"); ++ la ($out,"0x40($out)"); ++ lhi ("%r0",10); ++&{$z? \&aghi:\&ahi} ($len,-0x40); ++ jne (".Loop_outer_vx"); ++ ++LABEL (".Ldone_vx"); ++if (!$z) { ++ ld ("%f4","$FRAME+16*$SIZE_T+2*8($sp)"); ++ ld ("%f6","$FRAME+16*$SIZE_T+3*8($sp)"); ++} else { ++ ld ("%f8","$FRAME-8*8($sp)"); ++ ld ("%f9","$FRAME-8*7($sp)"); ++ ld ("%f10","$FRAME-8*6($sp)"); ++ ld ("%f11","$FRAME-8*5($sp)"); ++ ld ("%f12","$FRAME-8*4($sp)"); ++ ld ("%f13","$FRAME-8*3($sp)"); ++ ld ("%f14","$FRAME-8*2($sp)"); ++ ld ("%f15","$FRAME-8*1($sp)"); ++} ++&{$z? \&lmg:\&lm} ("%r6","%r7","$FRAME+6*$SIZE_T($sp)"); ++ la ($sp,"$FRAME($sp)"); ++ br ("%r14"); ++ ++ALIGN (16); ++LABEL (".Ltail_vx"); ++if (!$z) { ++ ld ("%f4","$FRAME+16*$SIZE_T+2*8($sp)"); ++ ld ("%f6","$FRAME+16*$SIZE_T+3*8($sp)"); ++} else { ++ ld ("%f8","$FRAME-8*8($sp)"); ++ ld ("%f9","$FRAME-8*7($sp)"); ++ ld ("%f10","$FRAME-8*6($sp)"); ++ ld ("%f11","$FRAME-8*5($sp)"); ++ ld ("%f12","$FRAME-8*4($sp)"); ++ ld ("%f13","$FRAME-8*3($sp)"); ++ ld ("%f14","$FRAME-8*2($sp)"); ++ ld ("%f15","$FRAME-8*1($sp)"); ++} ++ vstm ($a0,$d0,"$stdframe($sp)"); ++ lghi ("%r1",0); ++ ++LABEL (".Loop_tail_vx"); ++ llgc ("%r5","0(%r1,$inp)"); ++ llgc ("%r6","$stdframe(%r1,$sp)"); ++ xr ("%r6","%r5"); ++ stc ("%r6","0(%r1,$out)"); ++ la ("%r1","1(%r1)"); ++ brct ($len,".Loop_tail_vx"); ++ ++&{$z? \&lmg:\&lm} ("%r6","%r7","$FRAME+6*$SIZE_T($sp)"); ++ la ($sp,"$FRAME($sp)"); ++ br ("%r14"); ++SIZE ("ChaCha20_ctr32_vx",".-ChaCha20_ctr32_vx"); + } + ################ + +-ALIGN (64); ++ALIGN (32); + LABEL (".Lsigma"); + LONG (0x61707865,0x3320646e,0x79622d32,0x6b206574); # endian-neutral sigma +-LONG (0x00000000,0x00000001,0x00000002,0x00000003); # vaf counter increment +-LONG (0x03020100,0x07060504,0x13121110,0x17161514); # vperm serialization +-LONG (0x0b0a0908,0x0f0e0d0c,0x1b1a1918,0x1f1e1d1c); # vperm serialization ++LONG (1,0,0,0); ++LONG (2,0,0,0); ++LONG (3,0,0,0); ++LONG (0x03020100,0x07060504,0x0b0a0908,0x0f0e0d0c); # byte swap ++ ++LONG (0,1,2,3); ++LONG (0x61707865,0x61707865,0x61707865,0x61707865); # smashed sigma ++LONG (0x3320646e,0x3320646e,0x3320646e,0x3320646e); ++LONG (0x79622d32,0x79622d32,0x79622d32,0x79622d32); ++LONG (0x6b206574,0x6b206574,0x6b206574,0x6b206574); ++ + ASCIZ ("\"ChaCha20 for s390x, CRYPTOGAMS by \""); + ALIGN (4); + +-- +2.21.0 + diff --git a/0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch b/0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch new file mode 100644 index 0000000..ceec91a --- /dev/null +++ b/0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch @@ -0,0 +1,1631 @@ +From 2e6b615f795e8ca8ae830a00079c4ea064eaae42 Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Sat, 23 Mar 2019 00:03:24 +0100 +Subject: [PATCH] s390x assembly pack: import poly from cryptogams repo + +>=20% faster than present code. + +Signed-off-by: Patrick Steuer + +Reviewed-by: Matt Caswell +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/8560) +--- + crypto/poly1305/asm/poly1305-s390x.pl | 1455 ++++++++++++++----------- + crypto/poly1305/build.info | 1 + + 2 files changed, 799 insertions(+), 657 deletions(-) + +Index: openssl-1.1.1c/crypto/poly1305/asm/poly1305-s390x.pl +=================================================================== +--- openssl-1.1.1c.orig/crypto/poly1305/asm/poly1305-s390x.pl 2019-06-06 12:18:53.384309579 +0200 ++++ openssl-1.1.1c/crypto/poly1305/asm/poly1305-s390x.pl 2019-06-06 12:18:54.556316994 +0200 +@@ -32,10 +32,20 @@ + # Copyright IBM Corp. 2019 + # Author: Patrick Steuer + ++# ++# January 2019 ++# ++# Add vector base 2^26 implementation. It's problematic to accurately ++# measure performance, because reference system is hardly idle. But ++# it's sub-cycle, i.e. less than 1 cycle per processed byte, and it's ++# >=20% faster than IBM's submission on long inputs, and much faster on ++# short ones, because calculation of key powers is postponed till we ++# know that input is long enough to justify the additional overhead. ++ + use strict; + use FindBin qw($Bin); + use lib "$Bin/../.."; +-use perlasm::s390x qw(:DEFAULT :VX AUTOLOAD LABEL); ++use perlasm::s390x qw(:DEFAULT :VX AUTOLOAD LABEL INCLUDE); + + my $flavour = shift; + +@@ -51,666 +61,98 @@ if ($flavour =~ /3[12]/) { + my $output; + while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} + ++my $stdframe=16*$SIZE_T+4*8; + my $sp="%r15"; + +-# novx code path ctx layout +-# --------------------------------- +-# var value base off +-# --------------------------------- +-# u64 h[3] hash 2^64 0 +-# u32 pad[2] +-# u64 r[2] key 2^64 32 +- +-# vx code path ctx layout +-# --------------------------------- +-# var value base off +-# --------------------------------- +-# u32 acc1[5] r^2-acc 2^26 0 +-# u32 pad +-# u32 acc2[5] r-acc 2^26 24 +-# u32 pad +-# u32 r1[5] r 2^26 48 +-# u32 r15[5] 5*r 2^26 68 +-# u32 r2[5] r^2 2^26 88 +-# u32 r25[5] 5*r^2 2^26 108 +-# u32 r4[5] r^4 2^26 128 +-# u32 r45[5] 5*r^4 2^26 148 ++my ($ctx,$inp,$len,$padbit) = map("%r$_",(2..5)); + + PERLASM_BEGIN($output); + ++INCLUDE ("s390x_arch.h"); + TEXT (); + + ################ + # static void poly1305_init(void *ctx, const unsigned char key[16]) + { +-my ($ctx,$key)=map("%r$_",(2..3)); +-my ($r0,$r1,$r2)=map("%r$_",(9,11,13)); +- +-sub MUL_RKEY { # r*=key +-my ($d0hi,$d0lo,$d1hi,$d1lo)=map("%r$_",(4..7)); +-my ($t0,$t1,$s1)=map("%r$_",(8,10,12)); +- +- lg ("%r0","32($ctx)"); +- lg ("%r1","40($ctx)"); +- +- srlg ($s1,"%r1",2); +- algr ($s1,"%r1"); +- +- lgr ($d0lo,$r0); +- lgr ($d1lo,$r1); +- +- mlgr ($d0hi,"%r0"); +- lgr ($r1,$d1lo); +- mlgr ($d1hi,$s1); +- +- mlgr ($t0,"%r1"); +- mlgr ($t1,"%r0"); +- +- algr ($d0lo,$d1lo); +- lgr ($d1lo,$r2); +- alcgr ($d0hi,$d1hi); +- lghi ($d1hi,0); +- +- algr ($r1,$r0); +- alcgr ($t1,$t0); +- +- msgr ($d1lo,$s1); +- msgr ($r2,"%r0"); +- +- algr ($r1,$d1lo); +- alcgr ($t1,$d1hi); +- +- algr ($r1,$d0hi); +- alcgr ($r2,$t1); +- +- lghi ($r0,-4); +- ngr ($r0,$r2); +- srlg ($t0,$r2,2); +- algr ($r0,$t0); +- lghi ($t1,3); +- ngr ($r2,$t1); +- +- algr ($r0,$d0lo); +- alcgr ($r1,$d1hi); +- alcgr ($r2,$d1hi); +-} +- +-sub ST_R5R { # store r,5*r -> base 2^26 +-my @d=map("%r$_",(4..8)); +-my @off=@_; +- +- lgr (@d[2],$r0); +- lr ("%r1",@d[2]); +- nilh ("%r1",1023); +- lgr (@d[3],$r1); +- lr (@d[0],"%r1"); +- srlg ("%r1",@d[2],52); +- lgr (@d[4],$r2); +- srlg ("%r0",@d[2],26); +- sll (@d[4],24); +- lr (@d[2],@d[3]); +- nilh ("%r0",1023); +- sll (@d[2],12); +- lr (@d[1],"%r0"); +- &or (@d[2],"%r1"); +- srlg ("%r1",@d[3],40); +- nilh (@d[2],1023); +- &or (@d[4],"%r1"); +- srlg (@d[3],@d[3],14); +- nilh (@d[4],1023); +- nilh (@d[3],1023); +- +- stm (@d[0],@d[4],"@off[0]($ctx)"); +- mhi (@d[$_],5) for (0..4); +- stm (@d[0],@d[4],"@off[1]($ctx)"); +-} +- + GLOBL ("poly1305_init"); + TYPE ("poly1305_init","\@function"); + ALIGN (16); + LABEL ("poly1305_init"); + lghi ("%r0",0); + lghi ("%r1",-1); +- stg ("%r0","0($ctx)"); # zero hash value / acc1 ++ stg ("%r0","0($ctx)"); # zero hash value + stg ("%r0","8($ctx)"); + stg ("%r0","16($ctx)"); ++ st ("%r0","24($ctx)"); # clear is_base2_26 ++ lgr ("%r5",$ctx); # reassign $ctx ++ lghi ("%r2",0); + +-&{$z? \&clgr:\&clr} ($key,"%r0"); +- je (".Ldone"); ++&{$z? \&clgr:\&clr} ($inp,"%r0"); ++ je (".Lno_key"); + +- lrvg ("%r4","0($key)"); # load little-endian key +- lrvg ("%r5","8($key)"); ++ lrvg ("%r2","0($inp)"); # load little-endian key ++ lrvg ("%r3","8($inp)"); + +- nihl ("%r1",0xffc0); # 0xffffffc0ffffffff +- srlg ("%r0","%r1",4); # 0x0ffffffc0fffffff ++ nihl ("%r1",0xffc0); # 0xffffffc0ffffffff ++ srlg ("%r0","%r1",4); # 0x0ffffffc0fffffff + srlg ("%r1","%r1",4); +- nill ("%r1",0xfffc); # 0x0ffffffc0ffffffc ++ nill ("%r1",0xfffc); # 0x0ffffffc0ffffffc + +- ngr ("%r4","%r0"); +- ngr ("%r5","%r1"); ++ ngr ("%r2","%r0"); ++ ngr ("%r3","%r1"); + +- stg ("%r4","32($ctx)"); +- stg ("%r5","40($ctx)"); ++ stmg ("%r2","%r3","32(%r5)"); + + larl ("%r1","OPENSSL_s390xcap_P"); + lg ("%r0","16(%r1)"); +- tmhh ("%r0",0x4000); # check for vector facility +- jz (".Ldone"); +- +- larl ("%r4","poly1305_blocks_vx"); +- larl ("%r5","poly1305_emit_vx"); +- +-&{$z? \&stmg:\&stm} ("%r6","%r13","6*$SIZE_T($sp)"); +-&{$z? \&stmg:\&stm} ("%r4","%r5","4*$z+228($ctx)"); +- +- lg ($r0,"32($ctx)"); +- lg ($r1,"40($ctx)"); +- lghi ($r2,0); +- +- ST_R5R (48,68); # store r,5*r +- +- MUL_RKEY(); +- ST_R5R (88,108); # store r^2,5*r^2 +- +- MUL_RKEY(); +- MUL_RKEY(); +- ST_R5R (128,148); # store r^4,5*r^4 +- +- lghi ("%r0",0); +- stg ("%r0","24($ctx)"); # zero acc2 +- stg ("%r0","32($ctx)"); +- stg ("%r0","40($ctx)"); +- +-&{$z? \&lmg:\&lm} ("%r6","%r13","6*$SIZE_T($sp)"); ++ srlg ("%r0","%r0",62); ++ nill ("%r0",1); # extract vx bit ++ lcgr ("%r0","%r0"); ++ larl ("%r1",".Lpoly1305_blocks"); ++ larl ("%r2",".Lpoly1305_blocks_vx"); ++ larl ("%r3",".Lpoly1305_emit"); ++&{$z? \&xgr:\&xr} ("%r2","%r1"); # select between scalar and vector ++&{$z? \&ngr:\&nr} ("%r2","%r0"); ++&{$z? \&xgr:\&xr} ("%r2","%r1"); ++&{$z? \&stmg:\&stm} ("%r2","%r3","0(%r4)"); + lghi ("%r2",1); +- br ("%r14"); +- +-LABEL (".Ldone"); +- lghi ("%r2",0); ++LABEL (".Lno_key"); + br ("%r14"); + SIZE ("poly1305_init",".-poly1305_init"); + } + +-# VX CODE PATH +-{ +-my $frame=8*16; +-my @m01=map("%v$_",(0..4)); +-my @m23=map("%v$_",(5..9)); +-my @tmp=@m23; +-my @acc=map("%v$_",(10..14)); +-my @r=map("%v$_",(15..19)); +-my @r5=map("%v$_",(20..24)); +-my $padvec="%v26"; +-my $mask4="%v27"; +-my @vperm=map("%v$_",(28..30)); +-my $mask="%v31"; +- +-sub REDUCE { +- vesrlg (@tmp[0],@acc[0],26); +- vesrlg (@tmp[3],@acc[3],26); +- vn (@acc[0],@acc[0],$mask); +- vn (@acc[3],@acc[3],$mask); +- vag (@acc[1],@acc[1],@tmp[0]); # carry 0->1 +- vag (@acc[4],@acc[4],@tmp[3]); # carry 3->4 +- +- vesrlg (@tmp[1],@acc[1],26); +- vesrlg (@tmp[4],@acc[4],26); +- vn (@acc[1],@acc[1],$mask); +- vn (@acc[4],@acc[4],$mask); +- veslg (@tmp[0],@tmp[4],2); +- vag (@tmp[4],@tmp[4],@tmp[0]); # h[4]*=5 +- vag (@acc[2],@acc[2],@tmp[1]); # carry 1->2 +- vag (@acc[0],@acc[0],@tmp[4]); # carry 4->0 +- +- vesrlg (@tmp[2],@acc[2],26); +- vesrlg (@tmp[0],@acc[0],26); +- vn (@acc[2],@acc[2],$mask); +- vn (@acc[0],@acc[0],$mask); +- vag (@acc[3],@acc[3],@tmp[2]); # carry 2->3 +- vag (@acc[1],@acc[1],@tmp[0]); # carry 0->1 +- +- vesrlg (@tmp[3],@acc[3],26); +- vn (@acc[3],@acc[3],$mask); +- vag (@acc[4],@acc[4],@tmp[3]); # carry 3->4 +-} +- + ################ +-# static void poly1305_blocks_vx(void *ctx, const unsigned char *inp, +-# size_t len, u32 padbit) ++# static void poly1305_blocks(void *ctx, const unsigned char *inp, ++# size_t len, u32 padbit) + { +-my ($ctx,$inp,$len) = map("%r$_",(2..4)); +-my $padbit="%r0"; +- +-GLOBL ("poly1305_blocks_vx"); +-TYPE ("poly1305_blocks_vx","\@function"); +-ALIGN (16); +-LABEL ("poly1305_blocks_vx"); +-if ($z) { +- aghi ($sp,-$frame); +- vstm ("%v8","%v15","0($sp)"); +-} else { +- std ("%f4","16*$SIZE_T+2*8($sp)"); +- std ("%f6","16*$SIZE_T+3*8($sp)"); +- llgfr ($len,$len); +-} +- llgfr ($padbit,"%r5"); +- vlef (@acc[$_],"4*$_($ctx)",1) for (0..4); # load acc1 +- larl ("%r5",".Lconst"); +- vlef (@acc[$_],"24+4*$_($ctx)",3) for (0..4); # load acc2 +- sllg ($padbit,$padbit,24); +- vlm (@vperm[0],$mask,"0(%r5)"); # load vperm ops, mask +- vgbm ($mask4,0x0707); +- vlvgp ($padvec,$padbit,$padbit); +- +- srlg ("%r1",$len,6); +- ltgr ("%r1","%r1"); +- jz (".Lvx_4x_done"); +- +-ALIGN (16); +-LABEL (".Lvx_4x"); +- vlm ("%v20","%v23","0($inp)"); # load m0,m1,m2,m3 +- +- # m01,m23 -> base 2^26 +- +- vperm (@m01[0],"%v20","%v21",@vperm[0]); +- vperm (@m23[0],"%v22","%v23",@vperm[0]); +- vperm (@m01[2],"%v20","%v21",@vperm[1]); +- vperm (@m23[2],"%v22","%v23",@vperm[1]); +- vperm (@m01[4],"%v20","%v21",@vperm[2]); +- vperm (@m23[4],"%v22","%v23",@vperm[2]); +- +- vesrlg (@m01[1],@m01[0],26); +- vesrlg (@m23[1],@m23[0],26); +- vesrlg (@m01[3],@m01[2],30); +- vesrlg (@m23[3],@m23[2],30); +- vesrlg (@m01[2],@m01[2],4); +- vesrlg (@m23[2],@m23[2],4); +- +- vn (@m01[4],@m01[4],$mask4); +- vn (@m23[4],@m23[4],$mask4); +-for (0..3) { +- vn (@m01[$_],@m01[$_],$mask); +- vn (@m23[$_],@m23[$_],$mask); +-} +- vaf (@m01[4],@m01[4],$padvec); # pad m01 +- vaf (@m23[4],@m23[4],$padvec); # pad m23 +- +- # acc = acc * r^4 + m01 * r^2 + m23 +- +- vlrepf (@r5[$_],"4*$_+108($ctx)") for (0..4); # load 5*r^2 +- vlrepf (@r[$_],"4*$_+88($ctx)") for (0..4); # load r^2 +- +- vmalof (@tmp[0],@m01[4],@r5[1],@m23[0]); +- vmalof (@tmp[1],@m01[4],@r5[2],@m23[1]); +- vmalof (@tmp[2],@m01[4],@r5[3],@m23[2]); +- vmalof (@tmp[3],@m01[4],@r5[4],@m23[3]); +- vmalof (@tmp[4],@m01[4],@r[0],@m23[4]); +- +- vmalof (@tmp[0],@m01[3],@r5[2],@tmp[0]); +- vmalof (@tmp[1],@m01[3],@r5[3],@tmp[1]); +- vmalof (@tmp[2],@m01[3],@r5[4],@tmp[2]); +- vmalof (@tmp[3],@m01[3],@r[0],@tmp[3]); +- vmalof (@tmp[4],@m01[3],@r[1],@tmp[4]); +- +- vmalof (@tmp[0],@m01[2],@r5[3],@tmp[0]); +- vmalof (@tmp[1],@m01[2],@r5[4],@tmp[1]); +- vmalof (@tmp[2],@m01[2],@r[0],@tmp[2]); +- vmalof (@tmp[3],@m01[2],@r[1],@tmp[3]); +- vmalof (@tmp[4],@m01[2],@r[2],@tmp[4]); +- +- vmalof (@tmp[0],@m01[1],@r5[4],@tmp[0]); +- vmalof (@tmp[1],@m01[1],@r[0],@tmp[1]); +- vmalof (@tmp[2],@m01[1],@r[1],@tmp[2]); +- vmalof (@tmp[3],@m01[1],@r[2],@tmp[3]); +- vmalof (@tmp[4],@m01[1],@r[3],@tmp[4]); +- +- vmalof (@tmp[0],@m01[0],@r[0],@tmp[0]); +- vmalof (@tmp[1],@m01[0],@r[1],@tmp[1]); +- vmalof (@tmp[2],@m01[0],@r[2],@tmp[2]); +- vmalof (@tmp[3],@m01[0],@r[3],@tmp[3]); +- vmalof (@tmp[4],@m01[0],@r[4],@tmp[4]); +- +- vlrepf (@r5[$_],"4*$_+148($ctx)") for (0..4); # load 5*r^4 +- vlrepf (@r[$_],"4*$_+128($ctx)") for (0..4); # load r^4 +- +- vmalof (@tmp[0],@acc[4],@r5[1],@tmp[0]); +- vmalof (@tmp[1],@acc[4],@r5[2],@tmp[1]); +- vmalof (@tmp[2],@acc[4],@r5[3],@tmp[2]); +- vmalof (@tmp[3],@acc[4],@r5[4],@tmp[3]); +- vmalof (@tmp[4],@acc[4],@r[0],@tmp[4]); +- +- vmalof (@tmp[0],@acc[3],@r5[2],@tmp[0]); +- vmalof (@tmp[1],@acc[3],@r5[3],@tmp[1]); +- vmalof (@tmp[2],@acc[3],@r5[4],@tmp[2]); +- vmalof (@tmp[3],@acc[3],@r[0],@tmp[3]); +- vmalof (@tmp[4],@acc[3],@r[1],@tmp[4]); +- +- vmalof (@tmp[0],@acc[2],@r5[3],@tmp[0]); +- vmalof (@tmp[1],@acc[2],@r5[4],@tmp[1]); +- vmalof (@tmp[2],@acc[2],@r[0],@tmp[2]); +- vmalof (@tmp[3],@acc[2],@r[1],@tmp[3]); +- vmalof (@tmp[4],@acc[2],@r[2],@tmp[4]); +- +- vmalof (@tmp[0],@acc[1],@r5[4],@tmp[0]); +- vmalof (@tmp[1],@acc[1],@r[0],@tmp[1]); +- vmalof (@tmp[2],@acc[1],@r[1],@tmp[2]); +- vmalof (@tmp[3],@acc[1],@r[2],@tmp[3]); +- vmalof (@tmp[4],@acc[1],@r[3],@tmp[4]); +- +- vmalof (@acc[1],@acc[0],@r[1],@tmp[1]); +- vmalof (@acc[2],@acc[0],@r[2],@tmp[2]); +- vmalof (@acc[3],@acc[0],@r[3],@tmp[3]); +- vmalof (@acc[4],@acc[0],@r[4],@tmp[4]); +- vmalof (@acc[0],@acc[0],@r[0],@tmp[0]); +- +- REDUCE (); +- +- la ($inp,"64($inp)"); +- brctg ("%r1",".Lvx_4x"); +- +-ALIGN (16); +-LABEL (".Lvx_4x_done"); +- tml ($len,32); +- jz (".Lvx_2x_done"); +- +- vlm ("%v20","%v21","0($inp)"); # load m0,m1 +- +- # m01 -> base 2^26 +- +- vperm (@m01[0],"%v20","%v21",@vperm[0]); +- vperm (@m01[2],"%v20","%v21",@vperm[1]); +- vperm (@m01[4],"%v20","%v21",@vperm[2]); +- +- vesrlg (@m01[1],@m01[0],26); +- vesrlg (@m01[3],@m01[2],30); +- vesrlg (@m01[2],@m01[2],4); +- +- vn (@m01[4],@m01[4],$mask4); +- vn (@m01[$_],@m01[$_],$mask) for (0..3); +- +- vaf (@m01[4],@m01[4],$padvec); # pad m01 +- +- # acc = acc * r^2+ m01 +- +- vlrepf (@r5[$_],"4*$_+108($ctx)") for (0..4); # load 5*r^2 +- vlrepf (@r[$_],"4*$_+88($ctx)") for (0..4); # load r^2 +- +- vmalof (@tmp[0],@acc[4],@r5[1],@m01[0]); +- vmalof (@tmp[1],@acc[4],@r5[2],@m01[1]); +- vmalof (@tmp[2],@acc[4],@r5[3],@m01[2]); +- vmalof (@tmp[3],@acc[4],@r5[4],@m01[3]); +- vmalof (@tmp[4],@acc[4],@r[0],@m01[4]); +- +- vmalof (@tmp[0],@acc[3],@r5[2],@tmp[0]); +- vmalof (@tmp[1],@acc[3],@r5[3],@tmp[1]); +- vmalof (@tmp[2],@acc[3],@r5[4],@tmp[2]); +- vmalof (@tmp[3],@acc[3],@r[0],@tmp[3]); +- vmalof (@tmp[4],@acc[3],@r[1],@tmp[4]); +- +- vmalof (@tmp[0],@acc[2],@r5[3],@tmp[0]); +- vmalof (@tmp[1],@acc[2],@r5[4],@tmp[1]); +- vmalof (@tmp[2],@acc[2],@r[0],@tmp[2]); +- vmalof (@tmp[3],@acc[2],@r[1],@tmp[3]); +- vmalof (@tmp[4],@acc[2],@r[2],@tmp[4]); +- +- vmalof (@tmp[0],@acc[1],@r5[4],@tmp[0]); +- vmalof (@tmp[1],@acc[1],@r[0],@tmp[1]); +- vmalof (@tmp[2],@acc[1],@r[1],@tmp[2]); +- vmalof (@tmp[3],@acc[1],@r[2],@tmp[3]); +- vmalof (@tmp[4],@acc[1],@r[3],@tmp[4]); +- +- vmalof (@acc[1],@acc[0],@r[1],@tmp[1]); +- vmalof (@acc[2],@acc[0],@r[2],@tmp[2]); +- vmalof (@acc[3],@acc[0],@r[3],@tmp[3]); +- vmalof (@acc[4],@acc[0],@r[4],@tmp[4]); +- vmalof (@acc[0],@acc[0],@r[0],@tmp[0]); +- +- REDUCE (); +- +- la ($inp,"32($inp)"); +- +-ALIGN (16); +-LABEL (".Lvx_2x_done"); +- tml ($len,16); +- jz (".Lvx_done"); +- +- vleig ($padvec,0,0); +- +- vzero ("%v20"); +- vl ("%v21","0($inp)"); # load m0 +- +- # m0 -> base 2^26 +- +- vperm (@m01[0],"%v20","%v21",@vperm[0]); +- vperm (@m01[2],"%v20","%v21",@vperm[1]); +- vperm (@m01[4],"%v20","%v21",@vperm[2]); +- +- vesrlg (@m01[1],@m01[0],26); +- vesrlg (@m01[3],@m01[2],30); +- vesrlg (@m01[2],@m01[2],4); +- +- vn (@m01[4],@m01[4],$mask4); +- vn (@m01[$_],@m01[$_],$mask) for (0..3); +- +- vaf (@m01[4],@m01[4],$padvec); # pad m0 +- +- # acc = acc * r + m01 +- +- vlrepf (@r5[$_],"4*$_+68($ctx)") for (0..4); # load 5*r +- vlrepf (@r[$_],"4*$_+48($ctx)") for (0..4); # load r +- +- vmalof (@tmp[0],@acc[4],@r5[1],@m01[0]); +- vmalof (@tmp[1],@acc[4],@r5[2],@m01[1]); +- vmalof (@tmp[2],@acc[4],@r5[3],@m01[2]); +- vmalof (@tmp[3],@acc[4],@r5[4],@m01[3]); +- vmalof (@tmp[4],@acc[4],@r[0],@m01[4]); +- +- vmalof (@tmp[0],@acc[3],@r5[2],@tmp[0]); +- vmalof (@tmp[1],@acc[3],@r5[3],@tmp[1]); +- vmalof (@tmp[2],@acc[3],@r5[4],@tmp[2]); +- vmalof (@tmp[3],@acc[3],@r[0],@tmp[3]); +- vmalof (@tmp[4],@acc[3],@r[1],@tmp[4]); +- +- vmalof (@tmp[0],@acc[2],@r5[3],@tmp[0]); +- vmalof (@tmp[1],@acc[2],@r5[4],@tmp[1]); +- vmalof (@tmp[2],@acc[2],@r[0],@tmp[2]); +- vmalof (@tmp[3],@acc[2],@r[1],@tmp[3]); +- vmalof (@tmp[4],@acc[2],@r[2],@tmp[4]); +- +- vmalof (@tmp[0],@acc[1],@r5[4],@tmp[0]); +- vmalof (@tmp[1],@acc[1],@r[0],@tmp[1]); +- vmalof (@tmp[2],@acc[1],@r[1],@tmp[2]); +- vmalof (@tmp[3],@acc[1],@r[2],@tmp[3]); +- vmalof (@tmp[4],@acc[1],@r[3],@tmp[4]); +- +- vmalof (@acc[1],@acc[0],@r[1],@tmp[1]); +- vmalof (@acc[2],@acc[0],@r[2],@tmp[2]); +- vmalof (@acc[3],@acc[0],@r[3],@tmp[3]); +- vmalof (@acc[4],@acc[0],@r[4],@tmp[4]); +- vmalof (@acc[0],@acc[0],@r[0],@tmp[0]); +- +- REDUCE (); +- +-ALIGN (16); +-LABEL (".Lvx_done"); +- vstef (@acc[$_],"4*$_($ctx)",1) for (0..4); # store acc +- vstef (@acc[$_],"24+4*$_($ctx)",3) for (0..4); +- +-if ($z) { +- vlm ("%v8","%v15","0($sp)"); +- la ($sp,"$frame($sp)"); +-} else { +- ld ("%f4","16*$SIZE_T+2*8($sp)"); +- ld ("%f6","16*$SIZE_T+3*8($sp)"); +-} +- br ("%r14"); +-SIZE ("poly1305_blocks_vx",".-poly1305_blocks_vx"); +-} +- +-################ +-# static void poly1305_emit_vx(void *ctx, unsigned char mac[16], +-# const u32 nonce[4]) +-{ +-my ($ctx,$mac,$nonce) = map("%r$_",(2..4)); +- +-GLOBL ("poly1305_emit_vx"); +-TYPE ("poly1305_emit_vx","\@function"); +-ALIGN (16); +-LABEL ("poly1305_emit_vx"); +-if ($z) { +- aghi ($sp,-$frame); +- vstm ("%v8","%v15","0($sp)"); +-} else { +- std ("%f4","16*$SIZE_T+2*8($sp)"); +- std ("%f6","16*$SIZE_T+3*8($sp)"); +-} +- larl ("%r5",".Lconst"); +- +- vlef (@acc[$_],"4*$_($ctx)",1) for (0..4); # load acc1 +- vlef (@acc[$_],"24+4*$_($ctx)",3) for (0..4); # load acc2 +- vlef (@r5[$_],"108+4*$_($ctx)",1) for (0..4); # load 5*r^2 +- vlef (@r[$_],"88+4*$_($ctx)",1) for (0..4); # load r^2 +- vlef (@r5[$_],"68+4*$_($ctx)",3) for (0..4); # load 5*r +- vlef (@r[$_],"48+4*$_($ctx)",3) for (0..4); # load r +- vl ($mask,"48(%r5)"); # load mask +- +- # acc = acc1 * r^2 + acc2 * r +- +- vmlof (@tmp[0],@acc[4],@r5[1]); +- vmlof (@tmp[1],@acc[4],@r5[2]); +- vmlof (@tmp[2],@acc[4],@r5[3]); +- vmlof (@tmp[3],@acc[4],@r5[4]); +- vmlof (@tmp[4],@acc[4],@r[0]); +- +- vmalof (@tmp[0],@acc[3],@r5[2],@tmp[0]); +- vmalof (@tmp[1],@acc[3],@r5[3],@tmp[1]); +- vmalof (@tmp[2],@acc[3],@r5[4],@tmp[2]); +- vmalof (@tmp[3],@acc[3],@r[0],@tmp[3]); +- vmalof (@tmp[4],@acc[3],@r[1],@tmp[4]); +- +- vmalof (@tmp[0],@acc[2],@r5[3],@tmp[0]); +- vmalof (@tmp[1],@acc[2],@r5[4],@tmp[1]); +- vmalof (@tmp[2],@acc[2],@r[0],@tmp[2]); +- vmalof (@tmp[3],@acc[2],@r[1],@tmp[3]); +- vmalof (@tmp[4],@acc[2],@r[2],@tmp[4]); +- +- vmalof (@tmp[0],@acc[1],@r5[4],@tmp[0]); +- vmalof (@tmp[1],@acc[1],@r[0],@tmp[1]); +- vmalof (@tmp[2],@acc[1],@r[1],@tmp[2]); +- vmalof (@tmp[3],@acc[1],@r[2],@tmp[3]); +- vmalof (@tmp[4],@acc[1],@r[3],@tmp[4]); +- +- vmalof (@acc[1],@acc[0],@r[1],@tmp[1]); +- vmalof (@acc[2],@acc[0],@r[2],@tmp[2]); +- vmalof (@acc[3],@acc[0],@r[3],@tmp[3]); +- vmalof (@acc[4],@acc[0],@r[4],@tmp[4]); +- vmalof (@acc[0],@acc[0],@r[0],@tmp[0]); +- +- vzero ("%v27"); +- vsumqg (@acc[$_],@acc[$_],"%v27") for (0..4); +- +- REDUCE (); +- +- vesrlg (@tmp[1],@acc[1],26); +- vn (@acc[1],@acc[1],$mask); +- vag (@acc[2],@acc[2],@tmp[1]); # carry 1->2 +- +- vesrlg (@tmp[2],@acc[2],26); +- vn (@acc[2],@acc[2],$mask); +- vag (@acc[3],@acc[3],@tmp[2]); # carry 2->3 +- +- vesrlg (@tmp[3],@acc[3],26); +- vn (@acc[3],@acc[3],$mask); +- vag (@acc[4],@acc[4],@tmp[3]); # carry 3->4 +- +- # acc -> base 2^64 +- vleib ("%v30",6*8,7); +- vleib ("%v29",13*8,7); +- vleib ("%v28",3*8,7); +- +- veslg (@acc[1],@acc[1],26); +- veslg (@acc[3],@acc[3],26); +- vo (@acc[0],@acc[0],@acc[1]); +- vo (@acc[2],@acc[2],@acc[3]); +- +- veslg (@acc[2],@acc[2],4); +- vslb (@acc[2],@acc[2],"%v30"); # <<52 +- vo (@acc[0],@acc[0],@acc[2]); +- +- vslb (@tmp[4],@acc[4],"%v29"); # <<104 +- vo (@acc[0],@acc[0],@tmp[4]); +- +- vsrlb (@acc[1],@acc[4],"%v28"); # >>24 +- +- # acc %= 2^130-5 +- vone ("%v26"); +- vleig ("%v27",5,1); +- vone ("%v29"); +- vleig ("%v26",-4,1); +- +- vaq (@tmp[0],@acc[0],"%v27"); +- vaccq (@tmp[1],@acc[0],"%v27"); +- +- vaq (@tmp[1],@tmp[1],"%v26"); +- vaccq (@tmp[1],@tmp[1],@acc[1]); +- +- vaq (@tmp[1],@tmp[1],"%v29"); +- +- vn (@tmp[2],@tmp[1],@acc[0]); +- vnc (@tmp[3],@tmp[0],@tmp[1]); +- vo (@acc[0],@tmp[2],@tmp[3]); +- +- # acc += nonce +- vl (@vperm[0],"64(%r5)"); +- vlef (@tmp[0],"4*$_($nonce)",3-$_) for (0..3); +- +- vaq (@acc[0],@acc[0],@tmp[0]); +- +- vperm (@acc[0],@acc[0],@acc[0],@vperm[0]); +- vst (@acc[0],"0($mac)"); # store mac +- +-if ($z) { +- vlm ("%v8","%v15","0($sp)"); +- la ($sp,"$frame($sp)"); +-} else { +- ld ("%f4","16*$SIZE_T+2*8($sp)"); +- ld ("%f6","16*$SIZE_T+3*8($sp)"); +-} +- br ("%r14"); +-SIZE ("poly1305_emit_vx",".-poly1305_emit_vx"); +-} +-} +- +-# NOVX CODE PATH +-{ +-################ +-# static void poly1305_blocks(void *ctx, const unsigned char *inp, size_t len, +-# u32 padbit) +-{ +-my ($ctx,$inp,$len,$padbit) = map("%r$_",(2..5)); +- + my ($d0hi,$d0lo,$d1hi,$d1lo,$t0,$h0,$t1,$h1,$h2) = map("%r$_",(6..14)); + my ($r0,$r1,$s1) = map("%r$_",(0..2)); ++ + GLOBL ("poly1305_blocks"); + TYPE ("poly1305_blocks","\@function"); + ALIGN (16); + LABEL ("poly1305_blocks"); +-$z? srlg ($len,$len,4) :srl ($len,4); +- lghi ("%r0",0); +-&{$z? \&clgr:\&clr} ($len,"%r0"); +- je (".Lno_data"); ++LABEL (".Lpoly1305_blocks"); ++&{$z? \<gr:\<r} ("%r0",$len); ++ jz (".Lno_data"); + + &{$z? \&stmg:\&stm} ("%r6","%r14","6*$SIZE_T($sp)"); + +- llgfr ($padbit,$padbit); # clear upper half, much needed with +- # non-64-bit ABI +- lg ($r0,"32($ctx)"); # load key +- lg ($r1,"40($ctx)"); +- +- lg ($h0,"0($ctx)"); # load hash value ++ lg ($h0,"0($ctx)"); # load hash value + lg ($h1,"8($ctx)"); + lg ($h2,"16($ctx)"); + ++LABEL (".Lpoly1305_blocks_entry"); ++if ($z) { ++ srlg ($len,$len,4); ++} else { ++ srl ($len,4); ++} ++ llgfr ($padbit,$padbit); # clear upper half, much needed with ++ # non-64-bit ABI ++ lg ($r0,"32($ctx)"); # load key ++ lg ($r1,"40($ctx)"); ++ + &{$z? \&stg:\&st} ($ctx,"2*$SIZE_T($sp)"); # off-load $ctx + srlg ($s1,$r1,2); + algr ($s1,$r1); # s1 = r1 + r1>>2 +@@ -718,21 +160,21 @@ $z? srlg ($len,$len,4) :srl ($len,4); + + ALIGN (16); + LABEL (".Loop"); +- lrvg ($d0lo,"0($inp)"); # load little-endian input ++ lrvg ($d0lo,"0($inp)"); # load little-endian input + lrvg ($d1lo,"8($inp)"); + la ($inp,"16($inp)"); + +- algr ($d0lo,$h0); # accumulate input ++ algr ($d0lo,$h0); # accumulate input + alcgr ($d1lo,$h1); ++ alcgr ($h2,$padbit); + + lgr ($h0,$d0lo); +- mlgr ($d0hi,$r0); # h0*r0 -> $d0hi:$d0lo ++ mlgr ($d0hi,$r0); # h0*r0 -> $d0hi:$d0lo + lgr ($h1,$d1lo); +- mlgr ($d1hi,$s1); # h1*5*r1 -> $d1hi:$d1lo ++ mlgr ($d1hi,$s1); # h1*5*r1 -> $d1hi:$d1lo + +- mlgr ($t0,$r1); # h0*r1 -> $t0:$h0 +- mlgr ($t1,$r0); # h1*r0 -> $t1:$h1 +- alcgr ($h2,$padbit); ++ mlgr ($t0,$r1); # h0*r1 -> $t0:$h0 ++ mlgr ($t1,$r0); # h1*r0 -> $t1:$h1 + + algr ($d0lo,$d1lo); + lgr ($d1lo,$h2); +@@ -742,16 +184,16 @@ LABEL (".Loop"); + algr ($h1,$h0); + alcgr ($t1,$t0); + +- msgr ($d1lo,$s1); # h2*s1 +- msgr ($h2,$r0); # h2*r0 ++ msgr ($d1lo,$s1); # h2*s1 ++ msgr ($h2,$r0); # h2*r0 + + algr ($h1,$d1lo); +- alcgr ($t1,$d1hi); # $d1hi is zero ++ alcgr ($t1,$d1hi); # $d1hi is zero + + algr ($h1,$d0hi); + alcgr ($h2,$t1); + +- lghi ($h0,-4); # final reduction step ++ lghi ($h0,-4); # final reduction step + ngr ($h0,$h2); + srlg ($t0,$h2,2); + algr ($h0,$t0); +@@ -759,14 +201,14 @@ LABEL (".Loop"); + ngr ($h2,$t1); + + algr ($h0,$d0lo); +- alcgr ($h1,$d1hi); # $d1hi is still zero +- alcgr ($h2,$d1hi); # $d1hi is still zero ++ alcgr ($h1,$d1hi); # $d1hi is still zero ++ alcgr ($h2,$d1hi); # $d1hi is still zero + + &{$z? \&brctg:\&brct} ($len,".Loop"); + + &{$z? \&lg:\&l} ($ctx,"2*$SIZE_T($sp)");# restore $ctx + +- stg ($h0,"0($ctx)"); # store hash value ++ stg ($h0,"0($ctx)"); # store hash value + stg ($h1,"8($ctx)"); + stg ($h2,"16($ctx)"); + +@@ -777,67 +219,766 @@ SIZE ("poly1305_blocks",".-poly1305_bloc + } + + ################ ++# static void poly1305_blocks_vx(void *ctx, const unsigned char *inp, ++# size_t len, u32 padbit) ++{ ++my ($H0, $H1, $H2, $H3, $H4) = map("%v$_",(0..4)); ++my ($I0, $I1, $I2, $I3, $I4) = map("%v$_",(5..9)); ++my ($R0, $R1, $S1, $R2, $S2) = map("%v$_",(10..14)); ++my ($R3, $S3, $R4, $S4) = map("%v$_",(15..18)); ++my ($ACC0, $ACC1, $ACC2, $ACC3, $ACC4) = map("%v$_",(19..23)); ++my ($T1, $T2, $T3, $T4) = map("%v$_",(24..27)); ++my ($mask26,$bswaplo,$bswaphi,$bswapmi) = map("%v$_",(28..31)); ++ ++my ($d2,$d0,$h0,$d1,$h1,$h2)=map("%r$_",(9..14)); ++ ++TYPE ("poly1305_blocks_vx","\@function"); ++ALIGN (16); ++LABEL ("poly1305_blocks_vx"); ++LABEL (".Lpoly1305_blocks_vx"); ++&{$z? \&clgfi:\&clfi} ($len,128); ++ jhe ("__poly1305_blocks_vx"); ++ ++&{$z? \&stmg:\&stm} ("%r6","%r14","6*$SIZE_T($sp)"); ++ ++ lg ($d0,"0($ctx)"); ++ lg ($d1,"8($ctx)"); ++ lg ($d2,"16($ctx)"); ++ ++ llgfr ("%r0",$d0); # base 2^26 -> base 2^64 ++ srlg ($h0,$d0,32); ++ llgfr ("%r1",$d1); ++ srlg ($h1,$d1,32); ++ srlg ($h2,$d2,32); ++ ++ sllg ("%r0","%r0",26); ++ algr ($h0,"%r0"); ++ sllg ("%r0",$h1,52); ++ srlg ($h1,$h1,12); ++ sllg ("%r1","%r1",14); ++ algr ($h0,"%r0"); ++ alcgr ($h1,"%r1"); ++ sllg ("%r0",$h2,40); ++ srlg ($h2,$h2,24); ++ lghi ("%r1",0); ++ algr ($h1,"%r0"); ++ alcgr ($h2,"%r1"); ++ ++ llgf ("%r0","24($ctx)"); # is_base2_26 ++ lcgr ("%r0","%r0"); ++ ++ xgr ($h0,$d0); # choose between radixes ++ xgr ($h1,$d1); ++ xgr ($h2,$d2); ++ ngr ($h0,"%r0"); ++ ngr ($h1,"%r0"); ++ ngr ($h2,"%r0"); ++ xgr ($h0,$d0); ++ xgr ($h1,$d1); ++ xgr ($h2,$d2); ++ ++ lhi ("%r0",0); ++ st ("%r0","24($ctx)"); # clear is_base2_26 ++ ++ j (".Lpoly1305_blocks_entry"); ++SIZE ("poly1305_blocks_vx",".-poly1305_blocks_vx"); ++ ++TYPE ("__poly1305_mul","\@function"); ++ALIGN (16); ++LABEL ("__poly1305_mul"); ++ vmlof ($ACC0,$H0,$R0); ++ vmlof ($ACC1,$H0,$R1); ++ vmlof ($ACC2,$H0,$R2); ++ vmlof ($ACC3,$H0,$R3); ++ vmlof ($ACC4,$H0,$R4); ++ ++ vmalof ($ACC0,$H1,$S4,$ACC0); ++ vmalof ($ACC1,$H1,$R0,$ACC1); ++ vmalof ($ACC2,$H1,$R1,$ACC2); ++ vmalof ($ACC3,$H1,$R2,$ACC3); ++ vmalof ($ACC4,$H1,$R3,$ACC4); ++ ++ vmalof ($ACC0,$H2,$S3,$ACC0); ++ vmalof ($ACC1,$H2,$S4,$ACC1); ++ vmalof ($ACC2,$H2,$R0,$ACC2); ++ vmalof ($ACC3,$H2,$R1,$ACC3); ++ vmalof ($ACC4,$H2,$R2,$ACC4); ++ ++ vmalof ($ACC0,$H3,$S2,$ACC0); ++ vmalof ($ACC1,$H3,$S3,$ACC1); ++ vmalof ($ACC2,$H3,$S4,$ACC2); ++ vmalof ($ACC3,$H3,$R0,$ACC3); ++ vmalof ($ACC4,$H3,$R1,$ACC4); ++ ++ vmalof ($ACC0,$H4,$S1,$ACC0); ++ vmalof ($ACC1,$H4,$S2,$ACC1); ++ vmalof ($ACC2,$H4,$S3,$ACC2); ++ vmalof ($ACC3,$H4,$S4,$ACC3); ++ vmalof ($ACC4,$H4,$R0,$ACC4); ++ ++ ################################################################ ++ # lazy reduction ++ ++ vesrlg ($H4,$ACC3,26); ++ vesrlg ($H1,$ACC0,26); ++ vn ($H3,$ACC3,$mask26); ++ vn ($H0,$ACC0,$mask26); ++ vag ($H4,$H4,$ACC4); # h3 -> h4 ++ vag ($H1,$H1,$ACC1); # h0 -> h1 ++ ++ vesrlg ($ACC4,$H4,26); ++ vesrlg ($ACC1,$H1,26); ++ vn ($H4,$H4,$mask26); ++ vn ($H1,$H1,$mask26); ++ vag ($H0,$H0,$ACC4); ++ vag ($H2,$ACC2,$ACC1); # h1 -> h2 ++ ++ veslg ($ACC4,$ACC4,2); # <<2 ++ vesrlg ($ACC2,$H2,26); ++ vn ($H2,$H2,$mask26); ++ vag ($H0,$H0,$ACC4); # h4 -> h0 ++ vag ($H3,$H3,$ACC2); # h2 -> h3 ++ ++ vesrlg ($ACC0,$H0,26); ++ vesrlg ($ACC3,$H3,26); ++ vn ($H0,$H0,$mask26); ++ vn ($H3,$H3,$mask26); ++ vag ($H1,$H1,$ACC0); # h0 -> h1 ++ vag ($H4,$H4,$ACC3); # h3 -> h4 ++ br ("%r14"); ++SIZE ("__poly1305_mul",".-__poly1305_mul"); ++ ++TYPE ("__poly1305_blocks_vx","\@function"); ++ALIGN (16); ++LABEL ("__poly1305_blocks_vx"); ++&{$z? \&lgr:\&lr} ("%r0",$sp); ++&{$z? \&stmg:\&stm} ("%r10","%r15","10*$SIZE_T($sp)"); ++if (!$z) { ++ std ("%f4","16*$SIZE_T+2*8($sp)"); ++ std ("%f6","16*$SIZE_T+3*8($sp)"); ++ ahi ($sp,-$stdframe); ++ st ("%r0","0($sp)"); # back-chain ++ ++ llgfr ($len,$len); # so that srlg works on $len ++} else { ++ aghi ($sp,"-($stdframe+8*8)"); ++ stg ("%r0","0($sp)"); # back-chain ++ ++ std ("%f8","$stdframe+0*8($sp)"); ++ std ("%f9","$stdframe+1*8($sp)"); ++ std ("%f10","$stdframe+2*8($sp)"); ++ std ("%f11","$stdframe+3*8($sp)"); ++ std ("%f12","$stdframe+4*8($sp)"); ++ std ("%f13","$stdframe+5*8($sp)"); ++ std ("%f14","$stdframe+6*8($sp)"); ++ std ("%f15","$stdframe+7*8($sp)"); ++} ++ larl ("%r1",".Lconst"); ++ vgmg ($mask26,38,63); ++ vlm ($bswaplo,$bswapmi,"16(%r1)"); ++ ++ < ("%r0","24($ctx)"); # is_base2_26? ++ jnz (".Lskip_init"); ++ ++ lg ($h0,"32($ctx)"); # load key base 2^64 ++ lg ($h1,"40($ctx)"); ++ ++ risbg ($d0,$h0,38,0x80+63,38); # base 2^64 -> 2^26 ++ srlg ($d1,$h0,52); ++ risbg ($h0,$h0,38,0x80+63,0); ++ vlvgg ($R0,$h0,0); ++ risbg ($d1,$h1,38,51,12); ++ vlvgg ($R1,$d0,0); ++ risbg ($d0,$h1,38,63,50); ++ vlvgg ($R2,$d1,0); ++ srlg ($d1,$h1,40); ++ vlvgg ($R3,$d0,0); ++ vlvgg ($R4,$d1,0); ++ ++ veslg ($S1,$R1,2); ++ veslg ($S2,$R2,2); ++ veslg ($S3,$R3,2); ++ veslg ($S4,$R4,2); ++ vlr ($H0,$R0); ++ vlr ($H1,$R1); ++ vlr ($H2,$R2); ++ vlr ($H3,$R3); ++ vlr ($H4,$R4); ++ vag ($S1,$S1,$R1); # * 5 ++ vag ($S2,$S2,$R2); ++ vag ($S3,$S3,$R3); ++ vag ($S4,$S4,$R4); ++ ++ brasl ("%r14","__poly1305_mul"); # r^1:- * r^1:- ++ ++ vpdi ($R0,$H0,$R0,0); # r^2:r^1 ++ vpdi ($R1,$H1,$R1,0); ++ vpdi ($R2,$H2,$R2,0); ++ vpdi ($R3,$H3,$R3,0); ++ vpdi ($R4,$H4,$R4,0); ++ vpdi ($H0,$H0,$H0,0); # r^2:r^2 ++ vpdi ($H1,$H1,$H1,0); ++ vpdi ($H2,$H2,$H2,0); ++ vpdi ($H3,$H3,$H3,0); ++ vpdi ($H4,$H4,$H4,0); ++ veslg ($S1,$R1,2); ++ veslg ($S2,$R2,2); ++ veslg ($S3,$R3,2); ++ veslg ($S4,$R4,2); ++ vag ($S1,$S1,$R1); # * 5 ++ vag ($S2,$S2,$R2); ++ vag ($S3,$S3,$R3); ++ vag ($S4,$S4,$R4); ++ ++ brasl ("%r14,__poly1305_mul"); # r^2:r^2 * r^2:r^1 ++ ++ vl ($I0,"0(%r1)"); # borrow $I0 ++ vperm ($R0,$R0,$H0,$I0); # r^2:r^4:r^1:r^3 ++ vperm ($R1,$R1,$H1,$I0); ++ vperm ($R2,$R2,$H2,$I0); ++ vperm ($R3,$R3,$H3,$I0); ++ vperm ($R4,$R4,$H4,$I0); ++ veslf ($S1,$R1,2); ++ veslf ($S2,$R2,2); ++ veslf ($S3,$R3,2); ++ veslf ($S4,$R4,2); ++ vaf ($S1,$S1,$R1); # * 5 ++ vaf ($S2,$S2,$R2); ++ vaf ($S3,$S3,$R3); ++ vaf ($S4,$S4,$R4); ++ ++ lg ($h0,"0($ctx)"); # load hash base 2^64 ++ lg ($h1,"8($ctx)"); ++ lg ($h2,"16($ctx)"); ++ ++ vzero ($H0); ++ vzero ($H1); ++ vzero ($H2); ++ vzero ($H3); ++ vzero ($H4); ++ ++ risbg ($d0,$h0,38,0x80+63,38); # base 2^64 -> 2^26 ++ srlg ($d1,$h0,52); ++ risbg ($h0,$h0,38,0x80+63,0); ++ vlvgg ($H0,$h0,0); ++ risbg ($d1,$h1,38,51,12); ++ vlvgg ($H1,$d0,0); ++ risbg ($d0,$h1,38,63,50); ++ vlvgg ($H2,$d1,0); ++ srlg ($d1,$h1,40); ++ vlvgg ($H3,$d0,0); ++ risbg ($d1,$h2,37,39,24); ++ vlvgg ($H4,$d1,0); ++ ++ lhi ("%r0",1); ++ st ("%r0","24($ctx)"); # set is_base2_26 ++ ++ vstm ($R0,$S4,"48($ctx)"); # save key schedule base 2^26 ++ ++ vpdi ($R0,$R0,$R0,0); # broadcast r^2:r^4 ++ vpdi ($R1,$R1,$R1,0); ++ vpdi ($S1,$S1,$S1,0); ++ vpdi ($R2,$R2,$R2,0); ++ vpdi ($S2,$S2,$S2,0); ++ vpdi ($R3,$R3,$R3,0); ++ vpdi ($S3,$S3,$S3,0); ++ vpdi ($R4,$R4,$R4,0); ++ vpdi ($S4,$S4,$S4,0); ++ ++ j (".Loaded_hash"); ++ ++ALIGN (16); ++LABEL (".Lskip_init"); ++ vllezf ($H0,"0($ctx)"); # load hash base 2^26 ++ vllezf ($H1,"4($ctx)"); ++ vllezf ($H2,"8($ctx)"); ++ vllezf ($H3,"12($ctx)"); ++ vllezf ($H4,"16($ctx)"); ++ ++ vlrepg ($R0,"0x30($ctx)"); # broadcast r^2:r^4 ++ vlrepg ($R1,"0x40($ctx)"); ++ vlrepg ($S1,"0x50($ctx)"); ++ vlrepg ($R2,"0x60($ctx)"); ++ vlrepg ($S2,"0x70($ctx)"); ++ vlrepg ($R3,"0x80($ctx)"); ++ vlrepg ($S3,"0x90($ctx)"); ++ vlrepg ($R4,"0xa0($ctx)"); ++ vlrepg ($S4,"0xb0($ctx)"); ++ ++LABEL (".Loaded_hash"); ++ vzero ($I1); ++ vzero ($I3); ++ ++ vlm ($T1,$T4,"0x00($inp)"); # load first input block ++ la ($inp,"0x40($inp)"); ++ vgmg ($mask26,6,31); ++ vgmf ($I4,5,5); # padbit<<2 ++ ++ vperm ($I0,$T3,$T4,$bswaplo); ++ vperm ($I2,$T3,$T4,$bswapmi); ++ vperm ($T3,$T3,$T4,$bswaphi); ++ ++ verimg ($I1,$I0,$mask26,6); # >>26 ++ veslg ($I0,$I0,32); ++ veslg ($I2,$I2,28); # >>4 ++ verimg ($I3,$T3,$mask26,18); # >>14 ++ verimg ($I4,$T3,$mask26,58); # >>38 ++ vn ($I0,$I0,$mask26); ++ vn ($I2,$I2,$mask26); ++ vesrlf ($I4,$I4,2); # >>2 ++ ++ vgmg ($mask26,38,63); ++ vperm ($T3,$T1,$T2,$bswaplo); ++ vperm ($T4,$T1,$T2,$bswaphi); ++ vperm ($T2,$T1,$T2,$bswapmi); ++ ++ verimg ($I0,$T3,$mask26,0); ++ verimg ($I1,$T3,$mask26,38); # >>26 ++ verimg ($I2,$T2,$mask26,60); # >>4 ++ verimg ($I3,$T4,$mask26,50); # >>14 ++ vesrlg ($T4,$T4,40); ++ vo ($I4,$I4,$T4); ++ ++ srlg ("%r0",$len,6); ++&{$z? \&aghi:\&ahi} ("%r0",-1); ++ ++ALIGN (16); ++LABEL (".Loop_vx"); ++ vmlef ($ACC0,$I0,$R0); ++ vmlef ($ACC1,$I0,$R1); ++ vmlef ($ACC2,$I0,$R2); ++ vmlef ($ACC3,$I0,$R3); ++ vmlef ($ACC4,$I0,$R4); ++ ++ vmalef ($ACC0,$I1,$S4,$ACC0); ++ vmalef ($ACC1,$I1,$R0,$ACC1); ++ vmalef ($ACC2,$I1,$R1,$ACC2); ++ vmalef ($ACC3,$I1,$R2,$ACC3); ++ vmalef ($ACC4,$I1,$R3,$ACC4); ++ ++ vaf ($H2,$H2,$I2); ++ vaf ($H0,$H0,$I0); ++ vaf ($H3,$H3,$I3); ++ vaf ($H1,$H1,$I1); ++ vaf ($H4,$H4,$I4); ++ ++ vmalef ($ACC0,$I2,$S3,$ACC0); ++ vmalef ($ACC1,$I2,$S4,$ACC1); ++ vmalef ($ACC2,$I2,$R0,$ACC2); ++ vmalef ($ACC3,$I2,$R1,$ACC3); ++ vmalef ($ACC4,$I2,$R2,$ACC4); ++ ++ vlm ($T1,$T4,"0x00($inp)"); # load next input block ++ la ($inp,"0x40($inp)"); ++ vgmg ($mask26,6,31); ++ ++ vmalef ($ACC0,$I3,$S2,$ACC0); ++ vmalef ($ACC1,$I3,$S3,$ACC1); ++ vmalef ($ACC2,$I3,$S4,$ACC2); ++ vmalef ($ACC3,$I3,$R0,$ACC3); ++ vmalef ($ACC4,$I3,$R1,$ACC4); ++ ++ vperm ($I0,$T3,$T4,$bswaplo); ++ vperm ($I2,$T3,$T4,$bswapmi); ++ vperm ($T3,$T3,$T4,$bswaphi); ++ ++ vmalef ($ACC0,$I4,$S1,$ACC0); ++ vmalef ($ACC1,$I4,$S2,$ACC1); ++ vmalef ($ACC2,$I4,$S3,$ACC2); ++ vmalef ($ACC3,$I4,$S4,$ACC3); ++ vmalef ($ACC4,$I4,$R0,$ACC4); ++ ++ verimg ($I1,$I0,$mask26,6); # >>26 ++ veslg ($I0,$I0,32); ++ veslg ($I2,$I2,28); # >>4 ++ verimg ($I3,$T3,$mask26,18); # >>14 ++ ++ vmalof ($ACC0,$H0,$R0,$ACC0); ++ vmalof ($ACC1,$H0,$R1,$ACC1); ++ vmalof ($ACC2,$H0,$R2,$ACC2); ++ vmalof ($ACC3,$H0,$R3,$ACC3); ++ vmalof ($ACC4,$H0,$R4,$ACC4); ++ ++ vgmf ($I4,5,5); # padbit<<2 ++ verimg ($I4,$T3,$mask26,58); # >>38 ++ vn ($I0,$I0,$mask26); ++ vn ($I2,$I2,$mask26); ++ vesrlf ($I4,$I4,2); # >>2 ++ ++ vmalof ($ACC0,$H1,$S4,$ACC0); ++ vmalof ($ACC1,$H1,$R0,$ACC1); ++ vmalof ($ACC2,$H1,$R1,$ACC2); ++ vmalof ($ACC3,$H1,$R2,$ACC3); ++ vmalof ($ACC4,$H1,$R3,$ACC4); ++ ++ vgmg ($mask26,38,63); ++ vperm ($T3,$T1,$T2,$bswaplo); ++ vperm ($T4,$T1,$T2,$bswaphi); ++ vperm ($T2,$T1,$T2,$bswapmi); ++ ++ vmalof ($ACC0,$H2,$S3,$ACC0); ++ vmalof ($ACC1,$H2,$S4,$ACC1); ++ vmalof ($ACC2,$H2,$R0,$ACC2); ++ vmalof ($ACC3,$H2,$R1,$ACC3); ++ vmalof ($ACC4,$H2,$R2,$ACC4); ++ ++ verimg ($I0,$T3,$mask26,0); ++ verimg ($I1,$T3,$mask26,38); # >>26 ++ verimg ($I2,$T2,$mask26,60); # >>4 ++ ++ vmalof ($ACC0,$H3,$S2,$ACC0); ++ vmalof ($ACC1,$H3,$S3,$ACC1); ++ vmalof ($ACC2,$H3,$S4,$ACC2); ++ vmalof ($ACC3,$H3,$R0,$ACC3); ++ vmalof ($ACC4,$H3,$R1,$ACC4); ++ ++ verimg ($I3,$T4,$mask26,50); # >>14 ++ vesrlg ($T4,$T4,40); ++ vo ($I4,$I4,$T4); ++ ++ vmalof ($ACC0,$H4,$S1,$ACC0); ++ vmalof ($ACC1,$H4,$S2,$ACC1); ++ vmalof ($ACC2,$H4,$S3,$ACC2); ++ vmalof ($ACC3,$H4,$S4,$ACC3); ++ vmalof ($ACC4,$H4,$R0,$ACC4); ++ ++ ################################################################ ++ # lazy reduction as discussed in "NEON crypto" by D.J. Bernstein ++ # and P. Schwabe ++ ++ vesrlg ($H4,$ACC3,26); ++ vesrlg ($H1,$ACC0,26); ++ vn ($H3,$ACC3,$mask26); ++ vn ($H0,$ACC0,$mask26); ++ vag ($H4,$H4,$ACC4); # h3 -> h4 ++ vag ($H1,$H1,$ACC1); # h0 -> h1 ++ ++ vesrlg ($ACC4,$H4,26); ++ vesrlg ($ACC1,$H1,26); ++ vn ($H4,$H4,$mask26); ++ vn ($H1,$H1,$mask26); ++ vag ($H0,$H0,$ACC4); ++ vag ($H2,$ACC2,$ACC1); # h1 -> h2 ++ ++ veslg ($ACC4,$ACC4,2); # <<2 ++ vesrlg ($ACC2,$H2,26); ++ vn ($H2,$H2,$mask26); ++ vag ($H0,$H0,$ACC4); # h4 -> h0 ++ vag ($H3,$H3,$ACC2); # h2 -> h3 ++ ++ vesrlg ($ACC0,$H0,26); ++ vesrlg ($ACC3,$H3,26); ++ vn ($H0,$H0,$mask26); ++ vn ($H3,$H3,$mask26); ++ vag ($H1,$H1,$ACC0); # h0 -> h1 ++ vag ($H4,$H4,$ACC3); # h3 -> h4 ++ ++&{$z? \&brctg:\&brct} ("%r0",".Loop_vx"); ++ ++ vlm ($R0,$S4,"48($ctx)"); # load all powers ++ ++ lghi ("%r0",0x30); ++&{$z? \&lcgr:\&lcr} ($len,$len); ++&{$z? \&ngr:\&nr} ($len,"%r0"); ++&{$z? \&slgr:\&slr} ($inp,$len); ++ ++LABEL (".Last"); ++ vmlef ($ACC0,$I0,$R0); ++ vmlef ($ACC1,$I0,$R1); ++ vmlef ($ACC2,$I0,$R2); ++ vmlef ($ACC3,$I0,$R3); ++ vmlef ($ACC4,$I0,$R4); ++ ++ vmalef ($ACC0,$I1,$S4,$ACC0); ++ vmalef ($ACC1,$I1,$R0,$ACC1); ++ vmalef ($ACC2,$I1,$R1,$ACC2); ++ vmalef ($ACC3,$I1,$R2,$ACC3); ++ vmalef ($ACC4,$I1,$R3,$ACC4); ++ ++ vaf ($H0,$H0,$I0); ++ vaf ($H1,$H1,$I1); ++ vaf ($H2,$H2,$I2); ++ vaf ($H3,$H3,$I3); ++ vaf ($H4,$H4,$I4); ++ ++ vmalef ($ACC0,$I2,$S3,$ACC0); ++ vmalef ($ACC1,$I2,$S4,$ACC1); ++ vmalef ($ACC2,$I2,$R0,$ACC2); ++ vmalef ($ACC3,$I2,$R1,$ACC3); ++ vmalef ($ACC4,$I2,$R2,$ACC4); ++ ++ vmalef ($ACC0,$I3,$S2,$ACC0); ++ vmalef ($ACC1,$I3,$S3,$ACC1); ++ vmalef ($ACC2,$I3,$S4,$ACC2); ++ vmalef ($ACC3,$I3,$R0,$ACC3); ++ vmalef ($ACC4,$I3,$R1,$ACC4); ++ ++ vmalef ($ACC0,$I4,$S1,$ACC0); ++ vmalef ($ACC1,$I4,$S2,$ACC1); ++ vmalef ($ACC2,$I4,$S3,$ACC2); ++ vmalef ($ACC3,$I4,$S4,$ACC3); ++ vmalef ($ACC4,$I4,$R0,$ACC4); ++ ++ vmalof ($ACC0,$H0,$R0,$ACC0); ++ vmalof ($ACC1,$H0,$R1,$ACC1); ++ vmalof ($ACC2,$H0,$R2,$ACC2); ++ vmalof ($ACC3,$H0,$R3,$ACC3); ++ vmalof ($ACC4,$H0,$R4,$ACC4); ++ ++ vmalof ($ACC0,$H1,$S4,$ACC0); ++ vmalof ($ACC1,$H1,$R0,$ACC1); ++ vmalof ($ACC2,$H1,$R1,$ACC2); ++ vmalof ($ACC3,$H1,$R2,$ACC3); ++ vmalof ($ACC4,$H1,$R3,$ACC4); ++ ++ vmalof ($ACC0,$H2,$S3,$ACC0); ++ vmalof ($ACC1,$H2,$S4,$ACC1); ++ vmalof ($ACC2,$H2,$R0,$ACC2); ++ vmalof ($ACC3,$H2,$R1,$ACC3); ++ vmalof ($ACC4,$H2,$R2,$ACC4); ++ ++ vmalof ($ACC0,$H3,$S2,$ACC0); ++ vmalof ($ACC1,$H3,$S3,$ACC1); ++ vmalof ($ACC2,$H3,$S4,$ACC2); ++ vmalof ($ACC3,$H3,$R0,$ACC3); ++ vmalof ($ACC4,$H3,$R1,$ACC4); ++ ++ vmalof ($ACC0,$H4,$S1,$ACC0); ++ vmalof ($ACC1,$H4,$S2,$ACC1); ++ vmalof ($ACC2,$H4,$S3,$ACC2); ++ vmalof ($ACC3,$H4,$S4,$ACC3); ++ vmalof ($ACC4,$H4,$R0,$ACC4); ++ ++ ################################################################ ++ # horizontal addition ++ ++ vzero ($H0); ++ vsumqg ($ACC0,$ACC0,$H0); ++ vsumqg ($ACC1,$ACC1,$H0); ++ vsumqg ($ACC2,$ACC2,$H0); ++ vsumqg ($ACC3,$ACC3,$H0); ++ vsumqg ($ACC4,$ACC4,$H0); ++ ++ ################################################################ ++ # lazy reduction ++ ++ vesrlg ($H4,$ACC3,26); ++ vesrlg ($H1,$ACC0,26); ++ vn ($H3,$ACC3,$mask26); ++ vn ($H0,$ACC0,$mask26); ++ vag ($H4,$H4,$ACC4); # h3 -> h4 ++ vag ($H1,$H1,$ACC1); # h0 -> h1 ++ ++ vesrlg ($ACC4,$H4,26); ++ vesrlg ($ACC1,$H1,26); ++ vn ($H4,$H4,$mask26); ++ vn ($H1,$H1,$mask26); ++ vag ($H0,$H0,$ACC4); ++ vag ($H2,$ACC2,$ACC1); # h1 -> h2 ++ ++ veslg ($ACC4,$ACC4,2); # <<2 ++ vesrlg ($ACC2,$H2,26); ++ vn ($H2,$H2,$mask26); ++ vag ($H0,$H0,$ACC4); # h4 -> h0 ++ vag ($H3,$H3,$ACC2); # h2 -> h3 ++ ++ vesrlg ($ACC0,$H0,26); ++ vesrlg ($ACC3,$H3,26); ++ vn ($H0,$H0,$mask26); ++ vn ($H3,$H3,$mask26); ++ vag ($H1,$H1,$ACC0); # h0 -> h1 ++ vag ($H4,$H4,$ACC3); # h3 -> h4 ++ ++&{$z? \&clgfi:\&clfi} ($len,0); ++ je (".Ldone"); ++ ++ vlm ($T1,$T4,"0x00($inp)"); # load last partial block ++ vgmg ($mask26,6,31); ++ vgmf ($I4,5,5); # padbit<<2 ++ ++ vperm ($I0,$T3,$T4,$bswaplo); ++ vperm ($I2,$T3,$T4,$bswapmi); ++ vperm ($T3,$T3,$T4,$bswaphi); ++ ++ vl ($ACC0,"0x30($len,%r1)"); # borrow $ACC0,1 ++ vl ($ACC1,"0x60($len,%r1)"); ++ ++ verimg ($I1,$I0,$mask26,6); # >>26 ++ veslg ($I0,$I0,32); ++ veslg ($I2,$I2,28); # >>4 ++ verimg ($I3,$T3,$mask26,18); # >>14 ++ verimg ($I4,$T3,$mask26,58); # >>38 ++ vn ($I0,$I0,$mask26); ++ vn ($I2,$I2,$mask26); ++ vesrlf ($I4,$I4,2); # >>2 ++ ++ vgmg ($mask26,38,63); ++ vperm ($T3,$T1,$T2,$bswaplo); ++ vperm ($T4,$T1,$T2,$bswaphi); ++ vperm ($T2,$T1,$T2,$bswapmi); ++ ++ verimg ($I0,$T3,$mask26,0); ++ verimg ($I1,$T3,$mask26,38); # >>26 ++ verimg ($I2,$T2,$mask26,60); # >>4 ++ verimg ($I3,$T4,$mask26,50); # >>14 ++ vesrlg ($T4,$T4,40); ++ vo ($I4,$I4,$T4); ++ ++ vperm ($H0,$H0,$H0,$ACC0); # move hash to right lane ++ vn ($I0,$I0,$ACC1); # mask redundant lane[s] ++ vperm ($H1,$H1,$H1,$ACC0); ++ vn ($I1,$I1,$ACC1); ++ vperm ($H2,$H2,$H2,$ACC0); ++ vn ($I2,$I2,$ACC1); ++ vperm ($H3,$H3,$H3,$ACC0); ++ vn ($I3,$I3,$ACC1); ++ vperm ($H4,$H4,$H4,$ACC0); ++ vn ($I4,$I4,$ACC1); ++ ++ vaf ($I0,$I0,$H0); # accumulate hash ++ vzero ($H0); # wipe hash value ++ vaf ($I1,$I1,$H1); ++ vzero ($H1); ++ vaf ($I2,$I2,$H2); ++ vzero ($H2); ++ vaf ($I3,$I3,$H3); ++ vzero ($H3); ++ vaf ($I4,$I4,$H4); ++ vzero ($H4); ++ ++&{$z? \&lghi:\&lhi} ($len,0); ++ j (".Last"); ++ # I don't bother to tell apart cases when only one multiplication ++ # pass is sufficient, because I argue that mispredicted branch ++ # penalties are comparable to overhead of sometimes redundant ++ # multiplication pass... ++ ++LABEL (".Ldone"); ++ vstef ($H0,"0($ctx)",3); # store hash base 2^26 ++ vstef ($H1,"4($ctx)",3); ++ vstef ($H2,"8($ctx)",3); ++ vstef ($H3,"12($ctx)",3); ++ vstef ($H4,"16($ctx)",3); ++ ++if ($z) { ++ ld ("%f8","$stdframe+0*8($sp)"); ++ ld ("%f9","$stdframe+1*8($sp)"); ++ ld ("%f10","$stdframe+2*8($sp)"); ++ ld ("%f11","$stdframe+3*8($sp)"); ++ ld ("%f12","$stdframe+4*8($sp)"); ++ ld ("%f13","$stdframe+5*8($sp)"); ++ ld ("%f14","$stdframe+6*8($sp)"); ++ ld ("%f15","$stdframe+7*8($sp)"); ++&{$z? \&lmg:\&lm} ("%r10","%r15","$stdframe+8*8+10*$SIZE_T($sp)"); ++} else { ++ ld ("%f4","$stdframe+16*$SIZE_T+2*8($sp)"); ++ ld ("%f6","$stdframe+16*$SIZE_T+3*8($sp)"); ++&{$z? \&lmg:\&lm} ("%r10","%r15","$stdframe+10*$SIZE_T($sp)"); ++} ++ br ("%r14"); ++SIZE ("__poly1305_blocks_vx",".-__poly1305_blocks_vx"); ++} ++ ++################ + # static void poly1305_emit(void *ctx, unsigned char mac[16], + # const u32 nonce[4]) + { +-my ($ctx,$mac,$nonce) = map("%r$_",(2..4)); +-my ($h0,$h1,$h2,$d0,$d1)=map("%r$_",(5..9)); ++my ($mac,$nonce)=($inp,$len); ++my ($h0,$h1,$h2,$d0,$d1,$d2)=map("%r$_",(5..10)); + + GLOBL ("poly1305_emit"); + TYPE ("poly1305_emit","\@function"); + ALIGN (16); + LABEL ("poly1305_emit"); +-&{$z? \&stmg:\&stm} ("%r6","%r9","6*$SIZE_T($sp)"); ++LABEL (".Lpoly1305_emit"); ++&{$z? \&stmg:\&stm} ("%r6","%r10","6*$SIZE_T($sp)"); + +- lg ($h0,"0($ctx)"); +- lg ($h1,"8($ctx)"); +- lg ($h2,"16($ctx)"); ++ lg ($d0,"0($ctx)"); ++ lg ($d1,"8($ctx)"); ++ lg ($d2,"16($ctx)"); ++ ++ llgfr ("%r0",$d0); # base 2^26 -> base 2^64 ++ srlg ($h0,$d0,32); ++ llgfr ("%r1",$d1); ++ srlg ($h1,$d1,32); ++ srlg ($h2,$d2,32); ++ ++ sllg ("%r0","%r0",26); ++ algr ($h0,"%r0"); ++ sllg ("%r0",$h1,52); ++ srlg ($h1,$h1,12); ++ sllg ("%r1","%r1",14); ++ algr ($h0,"%r0"); ++ alcgr ($h1,"%r1"); ++ sllg ("%r0",$h2,40); ++ srlg ($h2,$h2,24); ++ lghi ("%r1",0); ++ algr ($h1,"%r0"); ++ alcgr ($h2,"%r1"); ++ ++ llgf ("%r0","24($ctx)"); # is_base2_26 ++ lcgr ("%r0","%r0"); ++ ++ xgr ($h0,$d0); # choose between radixes ++ xgr ($h1,$d1); ++ xgr ($h2,$d2); ++ ngr ($h0,"%r0"); ++ ngr ($h1,"%r0"); ++ ngr ($h2,"%r0"); ++ xgr ($h0,$d0); ++ xgr ($h1,$d1); ++ xgr ($h2,$d2); + + lghi ("%r0",5); +- lghi ("%r1",0); + lgr ($d0,$h0); + lgr ($d1,$h1); + +- algr ($h0,"%r0"); # compare to modulus ++ algr ($h0,"%r0"); # compare to modulus + alcgr ($h1,"%r1"); + alcgr ($h2,"%r1"); + +- srlg ($h2,$h2,2); # did it borrow/carry? +- slgr ("%r1",$h2); # 0-$h2>>2 +- lg ($h2,"0($nonce)"); # load nonce +- lghi ("%r0",-1); ++ srlg ($h2,$h2,2); # did it borrow/carry? ++ slgr ("%r1",$h2); # 0-$h2>>2 ++ lg ($d2,"0($nonce)"); # load nonce + lg ($ctx,"8($nonce)"); +- xgr ("%r0","%r1"); # ~%r1 + ++ xgr ($h0,$d0); ++ xgr ($h1,$d1); + ngr ($h0,"%r1"); +- ngr ($d0,"%r0"); + ngr ($h1,"%r1"); +- ngr ($d1,"%r0"); +- ogr ($h0,$d0); +- rllg ($d0,$h2,32); # flip nonce words +- ogr ($h1,$d1); ++ xgr ($h0,$d0); ++ rllg ($d0,$d2,32); # flip nonce words ++ xgr ($h1,$d1); + rllg ($d1,$ctx,32); + +- algr ($h0,$d0); # accumulate nonce ++ algr ($h0,$d0); # accumulate nonce + alcgr ($h1,$d1); + +- strvg ($h0,"0($mac)"); # write little-endian result ++ strvg ($h0,"0($mac)"); # write little-endian result + strvg ($h1,"8($mac)"); + +-&{$z? \&lmg:\&lm} ("%r6","%r9","6*$SIZE_T($sp)"); ++&{$z? \&lmg:\&lm} ("%r6","%r10","6*$SIZE_T($sp)"); + br ("%r14"); + SIZE ("poly1305_emit",".-poly1305_emit"); + } +-} ++ + ################ + +-ALIGN (128); ++ALIGN (16); + LABEL (".Lconst"); +-LONG (0x00060504,0x03020100,0x00161514,0x13121110); # vperm op[m[1],m[0]] +-LONG (0x000c0b0a,0x09080706,0x001c1b1a,0x19181716); # vperm op[m[3],m[2]] +-LONG (0x00000000,0x000f0e0d,0x00000000,0x001f1e1d); # vperm op[ - ,m[4]] +-LONG (0x00000000,0x03ffffff,0x00000000,0x03ffffff); # [0,2^26-1,0,2^26-1] +-LONG (0x0f0e0d0c,0x0b0a0908,0x07060504,0x03020100); # vperm op endian ++LONG (0x04050607,0x14151617,0x0c0d0e0f,0x1c1d1e1f); # merge odd ++LONG (0x07060504,0x03020100,0x17161514,0x13121110); # byte swap masks ++LONG (0x0f0e0d0c,0x0b0a0908,0x1f1e1d1c,0x1b1a1918); ++LONG (0x00000000,0x09080706,0x00000000,0x19181716); ++ ++LONG (0x00000000,0x00000000,0x00000000,0x0c0d0e0f); # magic tail masks ++LONG (0x0c0d0e0f,0x00000000,0x00000000,0x00000000); ++LONG (0x00000000,0x00000000,0x0c0d0e0f,0x00000000); ++ ++LONG (0xffffffff,0x00000000,0xffffffff,0xffffffff); ++LONG (0xffffffff,0x00000000,0xffffffff,0x00000000); ++LONG (0x00000000,0x00000000,0xffffffff,0x00000000); ++ + STRING ("\"Poly1305 for s390x, CRYPTOGAMS by \""); + + PERLASM_END(); +Index: openssl-1.1.1c/crypto/poly1305/build.info +=================================================================== +--- openssl-1.1.1c.orig/crypto/poly1305/build.info 2019-06-06 12:18:54.556316994 +0200 ++++ openssl-1.1.1c/crypto/poly1305/build.info 2019-06-06 12:19:24.232504722 +0200 +@@ -17,6 +17,7 @@ GENERATE[poly1305-armv8.S]=asm/poly1305- + INCLUDE[poly1305-armv8.o]=.. + GENERATE[poly1305-mips.S]=asm/poly1305-mips.pl $(PERLASM_SCHEME) + INCLUDE[poly1305-mips.o]=.. ++INCLUDE[poly1305-s390x.o]=.. + GENERATE[poly1305-s390x.S]=asm/poly1305-s390x.pl $(PERLASM_SCHEME) + + BEGINRAW[Makefile(unix)] diff --git a/baselibs.conf b/baselibs.conf new file mode 100644 index 0000000..c77f565 --- /dev/null +++ b/baselibs.conf @@ -0,0 +1,10 @@ +libopenssl1_1 + obsoletes "libopenssl1_1_0-" + provides "libopenssl1_1-hmac- = -%release" + obsoletes "libopenssl1_1-hmac- < -%release" +libopenssl-1_1-devel + provides "libopenssl-devel- = " + conflicts "otherproviders(libopenssl-devel-)" + conflicts "libopenssl-3-devel-" + requires -"openssl-1_1-" + requires "libopenssl1_1- = " diff --git a/bsc1185319-FIPS-KAT-for-ECDSA.patch b/bsc1185319-FIPS-KAT-for-ECDSA.patch new file mode 100644 index 0000000..60bd3a0 --- /dev/null +++ b/bsc1185319-FIPS-KAT-for-ECDSA.patch @@ -0,0 +1,399 @@ +diff --git a/crypto/fips/fips_ecdsa_selftest.c b/crypto/fips/fips_ecdsa_selftest.c +index 9895aa8..77a1c77 100644 +--- a/crypto/fips/fips_ecdsa_selftest.c ++++ b/crypto/fips/fips_ecdsa_selftest.c +@@ -65,102 +65,319 @@ + #include + + #ifdef OPENSSL_FIPS ++#include ++#include "internal/nelem.h" ++#include "fips_locl.h" + +-static const char P_256_name[] = "ECDSA P-256"; ++/* functions to change the RAND_METHOD */ ++static int fbytes(unsigned char *buf, int num); + +-static const unsigned char P_256_d[] = { +- 0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f, +- 0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87, +- 0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x64 +-}; ++static RAND_METHOD fake_rand; ++static const RAND_METHOD *old_rand; ++static int use_fake = 0; ++static const unsigned char *numbers[2]; ++static int numbers_len[2]; + +-static const unsigned char P_256_qx[] = { +- 0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e, +- 0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31, +- 0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x07 +-}; ++static int change_rand(void) ++{ ++ /* save old rand method */ ++ old_rand = RAND_get_rand_method(); ++ if (!old_rand) ++ return 0; ++ ++ fake_rand = *old_rand; ++ /* use own random function */ ++ fake_rand.bytes = fbytes; ++ /* set new RAND_METHOD */ ++ if (!RAND_set_rand_method(&fake_rand)) ++ return 0; ++ ++ return 1; ++} + +-static const unsigned char P_256_qy[] = { +- 0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b, +- 0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e, +- 0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb +-}; ++static int restore_rand(void) ++{ ++ if (!RAND_set_rand_method(old_rand)) ++ return 0; ++ ++ return 1; ++} ++ ++static int fbytes(unsigned char *buf, int num) ++{ ++ int ret = 0; ++ static int fbytes_counter = 0; ++ ++ if (use_fake == 0) ++ return old_rand->bytes(buf, num); ++ ++ use_fake = 0; ++ ++ if (fbytes_counter >= OSSL_NELEM(numbers)) ++ goto err; ++ ++ if (numbers_len[fbytes_counter] > num) ++ goto err; ++ ++ /* first zero out the buffer */ ++ memset(buf, 0, num); ++ ++ /* Now set the "random" values */ ++ memcpy(buf + (num - numbers_len[fbytes_counter]), numbers[fbytes_counter], numbers_len[fbytes_counter]); ++ ++ fbytes_counter = (fbytes_counter + 1) % OSSL_NELEM(numbers); ++ ret = 1; ++err: ++ return ret; ++} ++ ++ ++ ++/*- ++ * NIST CAVP ECDSA KATs ++ * 2 X9.62 KATs; one for prime fields and one for binary fields. ++ * ++ * Taken from: ++ * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/dss/186-3ecdsatestvectors.zip ++ */ + + typedef struct { +- int curve; +- const char *name; +- const unsigned char *x; +- size_t xlen; +- const unsigned char *y; +- size_t ylen; +- const unsigned char *d; +- size_t dlen; +-} EC_SELFTEST_DATA; +- +-# define make_ecdsa_test(nid, pr) { nid, pr##_name, \ +- pr##_qx, sizeof(pr##_qx), \ +- pr##_qy, sizeof(pr##_qy), \ +- pr##_d, sizeof(pr##_d)} +- +-static EC_SELFTEST_DATA test_ec_data[] = { +- make_ecdsa_test(NID_X9_62_prime256v1, P_256), +-}; ++ const int nid; /* curve NID */ ++ const int md_nid; /* hash function NID */ ++ const unsigned char *msg; /* message to sign */ ++ size_t msglen; ++ const unsigned char *d; /* ECDSA private key */ ++ size_t dlen; ++ const unsigned char *Q; /* ECDSA public key: (Qx,Qy) */ ++ size_t Qlen; ++ const unsigned char *k; /* ECDSA nonce */ ++ size_t klen; ++ const unsigned char *r; /* ECDSA signature (r,s) */ ++ size_t rlen; ++ const unsigned char *s; ++ size_t slen; ++} ECDSA_KAT_SELFTEST_DATA; + +-int FIPS_selftest_ecdsa() +-{ +- EC_KEY *ec = NULL; +- BIGNUM *x = NULL, *y = NULL, *d = NULL; +- EVP_PKEY *pk = NULL; +- int rv = 0; +- size_t i; + +- for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) { +- EC_SELFTEST_DATA *ecd = test_ec_data + i; ++static const unsigned char data1_msg[] = { ++ 0x59, 0x05, 0x23, 0x88, 0x77, 0xc7, 0x74, 0x21, ++ 0xf7, 0x3e, 0x43, 0xee, 0x3d, 0xa6, 0xf2, 0xd9, ++ 0xe2, 0xcc, 0xad, 0x5f, 0xc9, 0x42, 0xdc, 0xec, ++ 0x0c, 0xbd, 0x25, 0x48, 0x29, 0x35, 0xfa, 0xaf, ++ 0x41, 0x69, 0x83, 0xfe, 0x16, 0x5b, 0x1a, 0x04, ++ 0x5e, 0xe2, 0xbc, 0xd2, 0xe6, 0xdc, 0xa3, 0xbd, ++ 0xf4, 0x6c, 0x43, 0x10, 0xa7, 0x46, 0x1f, 0x9a, ++ 0x37, 0x96, 0x0c, 0xa6, 0x72, 0xd3, 0xfe, 0xb5, ++ 0x47, 0x3e, 0x25, 0x36, 0x05, 0xfb, 0x1d, 0xdf, ++ 0xd2, 0x80, 0x65, 0xb5, 0x3c, 0xb5, 0x85, 0x8a, ++ 0x8a, 0xd2, 0x81, 0x75, 0xbf, 0x9b, 0xd3, 0x86, ++ 0xa5, 0xe4, 0x71, 0xea, 0x7a, 0x65, 0xc1, 0x7c, ++ 0xc9, 0x34, 0xa9, 0xd7, 0x91, 0xe9, 0x14, 0x91, ++ 0xeb, 0x37, 0x54, 0xd0, 0x37, 0x99, 0x79, 0x0f, ++ 0xe2, 0xd3, 0x08, 0xd1, 0x61, 0x46, 0xd5, 0xc9, ++ 0xb0, 0xd0, 0xde, 0xbd, 0x97, 0xd7, 0x9c, 0xe8 ++}; + +- x = BN_bin2bn(ecd->x, ecd->xlen, x); +- y = BN_bin2bn(ecd->y, ecd->ylen, y); +- d = BN_bin2bn(ecd->d, ecd->dlen, d); ++static const unsigned char data1_d[] = { ++ 0x51, 0x9b, 0x42, 0x3d, 0x71, 0x5f, 0x8b, 0x58, ++ 0x1f, 0x4f, 0xa8, 0xee, 0x59, 0xf4, 0x77, 0x1a, ++ 0x5b, 0x44, 0xc8, 0x13, 0x0b, 0x4e, 0x3e, 0xac, ++ 0xca, 0x54, 0xa5, 0x6d, 0xda, 0x72, 0xb4, 0x64 ++}; + +- if (!x || !y || !d) +- goto err; ++static const unsigned char data1_Q[] = { ++ 0x04, 0x0c, 0xec, 0x02, 0x8e, 0xe0, 0x8d, 0x09, ++ 0xe0, 0x26, 0x72, 0xa6, 0x83, 0x10, 0x81, 0x43, ++ 0x54, 0xf9, 0xea, 0xbf, 0xff, 0x0d, 0xe6, 0xda, ++ 0xcc, 0x1c, 0xd3, 0xa7, 0x74, 0x49, 0x60, 0x76, ++ 0xae, 0xef, 0xf4, 0x71, 0xfb, 0xa0, 0x40, 0x98, ++ 0x97, 0xb6, 0xa4, 0x8e, 0x88, 0x01, 0xad, 0x12, ++ 0xf9, 0x5d, 0x00, 0x09, 0xb7, 0x53, 0xcf, 0x8f, ++ 0x51, 0xc1, 0x28, 0xbf, 0x6b, 0x0b, 0xd2, 0x7f, ++ 0xbd ++}; + +- ec = EC_KEY_new_by_curve_name(ecd->curve); +- if (!ec) +- goto err; ++static const unsigned char data1_k[] = { ++ 0x94, 0xa1, 0xbb, 0xb1, 0x4b, 0x90, 0x6a, 0x61, ++ 0xa2, 0x80, 0xf2, 0x45, 0xf9, 0xe9, 0x3c, 0x7f, ++ 0x3b, 0x4a, 0x62, 0x47, 0x82, 0x4f, 0x5d, 0x33, ++ 0xb9, 0x67, 0x07, 0x87, 0x64, 0x2a, 0x68, 0xde ++}; + +- if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y)) +- goto err; ++static const unsigned char data1_r[] = { ++ 0xe3, 0x95, 0xf6, 0xdb, 0x12, 0x71, 0x90, 0xfa, ++ 0x70, 0xa6, 0x80, 0xeb, 0xf6, 0x8a, 0x18, 0x35, ++ 0x6f, 0xef, 0xf2, 0x36, 0x65, 0xb9, 0x31, 0xc3, ++ 0xa2, 0x14, 0x80, 0xdf, 0x86, 0xc4, 0xec, 0xbc ++}; + +- if (!EC_KEY_set_private_key(ec, d)) +- goto err; ++static const unsigned char data1_s[] = { ++ 0xa5, 0x01, 0x04, 0x78, 0x93, 0xd9, 0x60, 0xcc, ++ 0x20, 0xce, 0xbd, 0xbb, 0x6f, 0x79, 0xb9, 0x7e, ++ 0x45, 0x23, 0x80, 0x73, 0x87, 0x83, 0x53, 0x63, ++ 0xe3, 0x80, 0x2b, 0x68, 0xcf, 0x32, 0xa1, 0xa2 ++}; + +- if ((pk = EVP_PKEY_new()) == NULL) +- goto err; + +- EVP_PKEY_assign_EC_KEY(pk, ec); ++# define make_ecdsa_kat_test(nid, md_nid, pr) { \ ++nid, md_nid, \ ++pr##_msg, sizeof(pr##_msg), \ ++pr##_d, sizeof(pr##_d), \ ++pr##_Q, sizeof(pr##_Q), \ ++pr##_k, sizeof(pr##_k), \ ++pr##_r, sizeof(pr##_r), \ ++pr##_s, sizeof(pr##_s) \ ++} + +- if (!fips_pkey_signature_test(pk, NULL, 0, +- NULL, 0, EVP_sha256(), 0, ecd->name)) +- goto err; +- } ++static ECDSA_KAT_SELFTEST_DATA test_ecdsa_data[] = { ++ make_ecdsa_kat_test(NID_secp256k1, NID_sha256, data1) ++}; + +- rv = 1; ++int FIPS_selftest_ecdsa() ++{ ++ int rv; ++ size_t i, siglen, p_len; ++ ++ for (i = 0; i < sizeof(test_ecdsa_data) / sizeof(ECDSA_KAT_SELFTEST_DATA); i++) { ++ EC_KEY *ec = NULL; ++ BIGNUM *r = NULL, *s = NULL; ++ BIGNUM *sig_r = NULL, *sig_s = NULL; ++ EVP_PKEY *pk = NULL; ++ unsigned char *sig = NULL; ++ unsigned char *tsig = NULL; ++ unsigned char *p_buf = NULL; ++ ECDSA_SIG *dsa_sig = NULL; ++ rv = 0; ++ ++ ECDSA_KAT_SELFTEST_DATA *ecd = test_ecdsa_data + i; ++ ++ /* Create the Message Digest Context */ ++ EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); ++ if (!mdctx) goto err; ++ ++ r = BN_bin2bn(ecd->r, ecd->rlen, r); ++ s = BN_bin2bn(ecd->s, ecd->slen, s); ++ ++ if (!r || !s) ++ goto err; ++ ++ /* d[] will be used to generate a key. */ ++ /* k[] will be used for signature generation. */ ++ numbers[0] = ecd->d; ++ numbers_len[0] = ecd->dlen; ++ numbers[1] = ecd->k; ++ numbers_len[1] = ecd->klen; ++ /* swap the RNG source */ ++ if (!change_rand()) ++ goto err; ++ ++ ec = EC_KEY_new_by_curve_name(ecd->nid); ++ if (!ec) ++ goto err; ++ ++ /* Use d[] to generate key. */ ++ use_fake = 1; ++ if (EC_KEY_generate_key(ec) != 1) ++ goto err; ++ ++ if ((pk = EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_assign_EC_KEY(pk, ec); ++ ++ p_len = EC_KEY_key2buf(ec, POINT_CONVERSION_UNCOMPRESSED, &p_buf, NULL); ++ if (!p_len) ++ goto err; ++ ++ /* Make sure generated public key matches */ ++ if (p_len != ecd->Qlen) ++ goto err; ++ if (memcmp(p_buf, ecd->Q, p_len)) ++ goto err; ++ ++ /* Initialise the DigestSign operation */ ++ if(1 != EVP_DigestSignInit(mdctx, NULL, EVP_get_digestbynid(ecd->md_nid), NULL, pk)) ++ goto err; ++ ++ /* Call update with the message */ ++ if(1 != EVP_DigestSignUpdate(mdctx, ecd->msg, ecd->msglen)) ++ goto err; ++ ++ /* Finalise the DigestSign operation */ ++ /* First call EVP_DigestSignFinal with a NULL sig parameter to */ ++ /* obtain the length of the signature. Length is returned in slen */ ++ if(1 != EVP_DigestSignFinal(mdctx, NULL, &siglen)) ++ goto err; ++ ++ /* Allocate memory for the signature based on size in slen */ ++ if(!(sig = OPENSSL_malloc(siglen))) ++ goto err; ++ ++ /* Use k[] for signature. */ ++ use_fake = 1; ++ ++ /* Obtain the signature */ ++ if(1 != EVP_DigestSignFinal(mdctx, sig, &siglen)) ++ goto err; + +- err: ++ /* extract r and s */ ++ tsig = sig; ++ dsa_sig = d2i_ECDSA_SIG(NULL, (const unsigned char **) &tsig, siglen); ++ if (dsa_sig == NULL) ++ goto err; ++ ++ sig_r = ECDSA_SIG_get0_r(dsa_sig); ++ sig_s = ECDSA_SIG_get0_s(dsa_sig); ++ if ((sig_r == NULL) || (sig_s == NULL)) ++ goto err; + +- if (x) +- BN_clear_free(x); +- if (y) +- BN_clear_free(y); +- if (d) +- BN_clear_free(d); ++ /* Compare r and s against known. */ ++ if ((BN_cmp(sig_r, r) != 0) || (BN_cmp(sig_s, s) != 0)) ++ goto err; ++ ++ /* Verify signature */ ++ if(1 != EVP_DigestVerifyInit(mdctx, NULL, EVP_get_digestbynid(ecd->md_nid), NULL, pk)) ++ goto err; ++ ++ if (EVP_DigestVerify(mdctx, sig, siglen, ecd->msg, ecd->msglen) != 1) ++ goto err; ++ ++ if (1 != restore_rand()) ++ goto err; ++ ++ /* Success */ ++ rv = 1; ++ ++ ++ err: ++ ++ if (mdctx) ++ EVP_MD_CTX_free(mdctx); ++ if (r) ++ BN_clear_free(r); ++ if (s) ++ BN_clear_free(s); ++ if (sig) ++ OPENSSL_free(sig); ++ if (dsa_sig) ++ ECDSA_SIG_free(dsa_sig); ++ if (p_buf) ++ OPENSSL_free(p_buf); + if (pk) +- EVP_PKEY_free(pk); ++ EVP_PKEY_free(pk); + else if (ec) +- EC_KEY_free(ec); +- +- return rv; ++ EC_KEY_free(ec); ++ ++ if (rv != 1) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST_ECDSA, FIPS_R_SELFTEST_FAILED); ++ break; ++ } ++ ++ } + ++ return rv; ++ + } + ++ + #endif + diff --git a/bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch b/bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch new file mode 100644 index 0000000..16b9623 --- /dev/null +++ b/bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch @@ -0,0 +1,13 @@ +diff --git a/crypto/fips/fips_post.c b/crypto/fips/fips_post.c +index 80de6f6..46003d1 100644 +--- a/crypto/fips/fips_post.c ++++ b/crypto/fips/fips_post.c +@@ -72,7 +72,7 @@ + int FIPS_selftest(void) + { + int rv = 1; +- if (!FIPS_selftest_drbg()) ++ if (!FIPS_selftest_drbg_all()) + rv = 0; + if (!FIPS_selftest_sha1()) + rv = 0; diff --git a/openssl-1.1.0-issuer-hash.patch b/openssl-1.1.0-issuer-hash.patch new file mode 100644 index 0000000..f10e676 --- /dev/null +++ b/openssl-1.1.0-issuer-hash.patch @@ -0,0 +1,12 @@ +Index: openssl-1.1.1j/crypto/x509/x509_cmp.c +=================================================================== +--- openssl-1.1.1j.orig/crypto/x509/x509_cmp.c ++++ openssl-1.1.1j/crypto/x509/x509_cmp.c +@@ -38,6 +38,7 @@ unsigned long X509_issuer_and_serial_has + + if (ctx == NULL) + goto err; ++ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0); + if (f == NULL) + goto err; diff --git a/openssl-1.1.0-no-html.patch b/openssl-1.1.0-no-html.patch new file mode 100644 index 0000000..2d7ab85 --- /dev/null +++ b/openssl-1.1.0-no-html.patch @@ -0,0 +1,13 @@ +Index: openssl-1.1.1f/Configurations/unix-Makefile.tmpl +=================================================================== +--- openssl-1.1.1f.orig/Configurations/unix-Makefile.tmpl 2020-03-31 16:07:11.764502217 +0200 ++++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl 2020-03-31 16:07:45.036664229 +0200 +@@ -544,7 +544,7 @@ install_sw: install_dev install_engines + + uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev + +-install_docs: install_man_docs install_html_docs ++install_docs: install_man_docs + + uninstall_docs: uninstall_man_docs uninstall_html_docs + $(RM) -r "$(DESTDIR)$(DOCDIR)" diff --git a/openssl-1.1.1-evp-kdf.patch b/openssl-1.1.1-evp-kdf.patch new file mode 100644 index 0000000..d4f407a --- /dev/null +++ b/openssl-1.1.1-evp-kdf.patch @@ -0,0 +1,5278 @@ +Index: openssl-1.1.1n/crypto/err/openssl.txt +=================================================================== +--- openssl-1.1.1n.orig/crypto/err/openssl.txt ++++ openssl-1.1.1n/crypto/err/openssl.txt +@@ -754,6 +754,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn + EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate + EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex + EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate ++EVP_F_EVP_KDF_CTRL:224:EVP_KDF_ctrl ++EVP_F_EVP_KDF_CTRL_STR:225:EVP_KDF_ctrl_str ++EVP_F_EVP_KDF_CTX_NEW_ID:226:EVP_KDF_CTX_new_id + EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex + EVP_F_EVP_MD_SIZE:162:EVP_MD_size + EVP_F_EVP_OPENINIT:102:EVP_OpenInit +@@ -816,11 +819,13 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k + EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen + EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen + EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen ++EVP_F_PKEY_KDF_CTRL:227:pkey_kdf_ctrl + EVP_F_PKEY_SET_TYPE:158:pkey_set_type + EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth + EVP_F_RC5_CTRL:125:rc5_ctrl + EVP_F_R_32_12_16_INIT_KEY:242:r_32_12_16_init_key + EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl ++EVP_F_SCRYPT_ALG:228:scrypt_alg + EVP_F_UPDATE:173:update + FIPS_F_DH_BUILTIN_GENPARAMS:100:dh_builtin_genparams + FIPS_F_DRBG_RESEED:121:drbg_reseed +@@ -873,6 +878,23 @@ FIPS_F_RSA_OSSL_PRIVATE_DECRYPT:117:rsa_ + FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT:118:rsa_ossl_private_encrypt + FIPS_F_RSA_OSSL_PUBLIC_DECRYPT:119:rsa_ossl_public_decrypt + FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT:120:rsa_ossl_public_encrypt ++KDF_F_HKDF_EXTRACT:112:HKDF_Extract ++KDF_F_KDF_HKDF_DERIVE:113:kdf_hkdf_derive ++KDF_F_KDF_HKDF_NEW:114:kdf_hkdf_new ++KDF_F_KDF_HKDF_SIZE:115:kdf_hkdf_size ++KDF_F_KDF_MD2CTRL:116:kdf_md2ctrl ++KDF_F_KDF_PBKDF2_CTRL_STR:117:kdf_pbkdf2_ctrl_str ++KDF_F_KDF_PBKDF2_DERIVE:118:kdf_pbkdf2_derive ++KDF_F_KDF_PBKDF2_NEW:119:kdf_pbkdf2_new ++KDF_F_KDF_SCRYPT_CTRL_STR:120:kdf_scrypt_ctrl_str ++KDF_F_KDF_SCRYPT_CTRL_UINT32:121:kdf_scrypt_ctrl_uint32 ++KDF_F_KDF_SCRYPT_CTRL_UINT64:122:kdf_scrypt_ctrl_uint64 ++KDF_F_KDF_SCRYPT_DERIVE:123:kdf_scrypt_derive ++KDF_F_KDF_SCRYPT_NEW:124:kdf_scrypt_new ++KDF_F_KDF_TLS1_PRF_CTRL_STR:125:kdf_tls1_prf_ctrl_str ++KDF_F_KDF_TLS1_PRF_DERIVE:126:kdf_tls1_prf_derive ++KDF_F_KDF_TLS1_PRF_NEW:127:kdf_tls1_prf_new ++KDF_F_PBKDF2_SET_MEMBUF:128:pbkdf2_set_membuf + KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str + KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive + KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init +@@ -884,6 +906,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc + KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tls1_prf_ctrl_str + KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive + KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init ++KDF_F_SCRYPT_SET_MEMBUF:129:scrypt_set_membuf + KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg + OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object + OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid +@@ -2344,6 +2367,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on + EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\ + operation not supported for this keytype + EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized ++EVP_R_PARAMETER_TOO_LARGE:187:parameter too large + EVP_R_OUTPUT_WOULD_OVERFLOW:184:output would overflow + EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers + EVP_R_PBKDF2_ERROR:181:pbkdf2 error +@@ -2436,6 +2460,7 @@ KDF_R_MISSING_SEED:106:missing seed + KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type + KDF_R_VALUE_ERROR:108:value error + KDF_R_VALUE_MISSING:102:value missing ++KDF_R_WRONG_OUTPUT_BUFFER_SIZE:112:wrong output buffer size + OBJ_R_OID_EXISTS:102:oid exists + OBJ_R_UNKNOWN_NID:101:unknown nid + OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error +Index: openssl-1.1.1n/crypto/evp/build.info +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/build.info ++++ openssl-1.1.1n/crypto/evp/build.info +@@ -9,7 +9,8 @@ SOURCE[../../libcrypto]=\ + p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \ + bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ + c_allc.c c_alld.c evp_lib.c bio_ok.c \ +- evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c pbe_scrypt.c \ ++ evp_pkey.c kdf_lib.c evp_pbe.c p5_crpt.c p5_crpt2.c pbe_scrypt.c \ ++ pkey_kdf.c \ + e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \ + e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \ + e_chacha20_poly1305.c cmeth_lib.c +Index: openssl-1.1.1n/crypto/evp/evp_err.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/evp_err.c ++++ openssl-1.1.1n/crypto/evp/evp_err.c +@@ -60,6 +60,9 @@ static const ERR_STRING_DATA EVP_str_fun + {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0), + "EVP_EncryptFinal_ex"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTUPDATE, 0), "EVP_EncryptUpdate"}, ++ {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_KDF_CTRL, 0), "EVP_KDF_ctrl"}, ++ {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_KDF_CTRL_STR, 0), "EVP_KDF_ctrl_str"}, ++ {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_KDF_CTX_NEW_ID, 0), "EVP_KDF_CTX_new_id"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_CTX_COPY_EX, 0), "EVP_MD_CTX_copy_ex"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_SIZE, 0), "EVP_MD_size"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_OPENINIT, 0), "EVP_OpenInit"}, +@@ -151,12 +154,14 @@ static const ERR_STRING_DATA EVP_str_fun + "PKCS5_v2_PBKDF2_keyivgen"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, 0), + "PKCS5_v2_scrypt_keyivgen"}, ++ {ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_KDF_CTRL, 0), "pkey_kdf_ctrl"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_SET_TYPE, 0), "pkey_set_type"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_RC2_MAGIC_TO_METH, 0), "rc2_magic_to_meth"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_RC5_CTRL, 0), "rc5_ctrl"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_R_32_12_16_INIT_KEY, 0), + "r_32_12_16_init_key"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"}, ++ {ERR_PACK(ERR_LIB_EVP, EVP_F_SCRYPT_ALG, 0), "scrypt_alg"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"}, + {0, NULL} + }; +@@ -241,6 +246,8 @@ static const ERR_STRING_DATA EVP_str_rea + "operation not supported for this keytype"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED), + "operaton not initialized"}, ++ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE), ++ "parameter too large"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW), + "output would overflow"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING), +Index: openssl-1.1.1n/crypto/evp/evp_local.h +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/evp_local.h ++++ openssl-1.1.1n/crypto/evp/evp_local.h +@@ -41,6 +41,11 @@ struct evp_cipher_ctx_st { + unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */ + } /* EVP_CIPHER_CTX */ ; + ++struct evp_kdf_ctx_st { ++ const EVP_KDF_METHOD *kmeth; ++ EVP_KDF_IMPL *impl; /* Algorithm-specific data */ ++} /* EVP_KDF_CTX */ ; ++ + int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, + int passlen, ASN1_TYPE *param, + const EVP_CIPHER *c, const EVP_MD *md, +Index: openssl-1.1.1n/crypto/evp/evp_pbe.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/evp_pbe.c ++++ openssl-1.1.1n/crypto/evp/evp_pbe.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include "crypto/evp.h" + #include "evp_local.h" + + /* Password based encryption (PBE) functions */ +Index: openssl-1.1.1n/crypto/evp/kdf_lib.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/evp/kdf_lib.c +@@ -0,0 +1,165 @@ ++/* ++ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include "internal/cryptlib.h" ++#include ++#include ++#include ++#include ++#include "crypto/asn1.h" ++#include "crypto/evp.h" ++#include "internal/numbers.h" ++#include "evp_local.h" ++ ++typedef int sk_cmp_fn_type(const char *const *a, const char *const *b); ++ ++/* This array needs to be in order of NIDs */ ++static const EVP_KDF_METHOD *standard_methods[] = { ++ &pbkdf2_kdf_meth, ++#ifndef OPENSSL_NO_SCRYPT ++ &scrypt_kdf_meth, ++#endif ++ &tls1_prf_kdf_meth, ++ &hkdf_kdf_meth ++}; ++ ++DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *, ++ kmeth); ++ ++static int kmeth_cmp(const EVP_KDF_METHOD *const *a, ++ const EVP_KDF_METHOD *const *b) ++{ ++ return ((*a)->type - (*b)->type); ++} ++ ++IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *, ++ kmeth); ++ ++static const EVP_KDF_METHOD *kdf_meth_find(int type) ++{ ++ EVP_KDF_METHOD tmp; ++ const EVP_KDF_METHOD *t = &tmp, **ret; ++ ++ tmp.type = type; ++ ret = OBJ_bsearch_kmeth(&t, standard_methods, ++ OSSL_NELEM(standard_methods)); ++ if (ret == NULL || *ret == NULL) ++ return NULL; ++ ++ return *ret; ++} ++ ++EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id) ++{ ++ EVP_KDF_CTX *ret; ++ const EVP_KDF_METHOD *kmeth; ++ ++ kmeth = kdf_meth_find(id); ++ if (kmeth == NULL) { ++ EVPerr(EVP_F_EVP_KDF_CTX_NEW_ID, EVP_R_UNSUPPORTED_ALGORITHM); ++ return NULL; ++ } ++ ++ ret = OPENSSL_zalloc(sizeof(*ret)); ++ if (ret == NULL) { ++ EVPerr(EVP_F_EVP_KDF_CTX_NEW_ID, ERR_R_MALLOC_FAILURE); ++ return NULL; ++ } ++ ++ if (kmeth->new != NULL && (ret->impl = kmeth->new()) == NULL) { ++ EVP_KDF_CTX_free(ret); ++ return NULL; ++ } ++ ++ ret->kmeth = kmeth; ++ return ret; ++} ++ ++void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx) ++{ ++ if (ctx == NULL) ++ return; ++ ++ ctx->kmeth->free(ctx->impl); ++ OPENSSL_free(ctx); ++} ++ ++void EVP_KDF_reset(EVP_KDF_CTX *ctx) ++{ ++ if (ctx == NULL) ++ return; ++ ++ if (ctx->kmeth->reset != NULL) ++ ctx->kmeth->reset(ctx->impl); ++} ++ ++int EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...) ++{ ++ int ret; ++ va_list args; ++ ++ va_start(args, cmd); ++ ret = EVP_KDF_vctrl(ctx, cmd, args); ++ va_end(args); ++ ++ if (ret == -2) ++ EVPerr(EVP_F_EVP_KDF_CTRL, EVP_R_COMMAND_NOT_SUPPORTED); ++ ++ return ret; ++} ++ ++int EVP_KDF_vctrl(EVP_KDF_CTX *ctx, int cmd, va_list args) ++{ ++ if (ctx == NULL) ++ return 0; ++ ++ return ctx->kmeth->ctrl(ctx->impl, cmd, args); ++} ++ ++int EVP_KDF_ctrl_str(EVP_KDF_CTX *ctx, const char *type, const char *value) ++{ ++ int ret; ++ ++ if (ctx == NULL) ++ return 0; ++ ++ if (ctx->kmeth->ctrl_str == NULL) { ++ EVPerr(EVP_F_EVP_KDF_CTRL_STR, EVP_R_COMMAND_NOT_SUPPORTED); ++ return -2; ++ } ++ ++ ret = ctx->kmeth->ctrl_str(ctx->impl, type, value); ++ if (ret == -2) ++ EVPerr(EVP_F_EVP_KDF_CTRL_STR, EVP_R_COMMAND_NOT_SUPPORTED); ++ ++ return ret; ++} ++ ++size_t EVP_KDF_size(EVP_KDF_CTX *ctx) ++{ ++ if (ctx == NULL) ++ return 0; ++ ++ if (ctx->kmeth->size == NULL) ++ return SIZE_MAX; ++ ++ return ctx->kmeth->size(ctx->impl); ++} ++ ++int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen) ++{ ++ if (ctx == NULL) ++ return 0; ++ ++ return ctx->kmeth->derive(ctx->impl, key, keylen); ++} ++ +Index: openssl-1.1.1n/crypto/evp/p5_crpt2.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/p5_crpt2.c ++++ openssl-1.1.1n/crypto/evp/p5_crpt2.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -10,105 +10,51 @@ + #include + #include + #include "internal/cryptlib.h" +-# include +-# include +-# include +-# include "evp_local.h" ++#include ++#include ++#include ++#include ++#include "crypto/evp.h" ++#include "evp_local.h" + + /* set this to print out info about the keygen algorithm */ + /* #define OPENSSL_DEBUG_PKCS5V2 */ + +-# ifdef OPENSSL_DEBUG_PKCS5V2 ++#ifdef OPENSSL_DEBUG_PKCS5V2 + static void h__dump(const unsigned char *p, int len); +-# endif +- +-/* +- * This is an implementation of PKCS#5 v2.0 password based encryption key +- * derivation function PBKDF2. SHA1 version verified against test vectors +- * posted by Peter Gutmann to the PKCS-TNG mailing list. +- */ ++#endif + + int PKCS5_PBKDF2_HMAC(const char *pass, int passlen, + const unsigned char *salt, int saltlen, int iter, + const EVP_MD *digest, int keylen, unsigned char *out) + { + const char *empty = ""; +- unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4]; +- int cplen, j, k, tkeylen, mdlen; +- unsigned long i = 1; +- HMAC_CTX *hctx_tpl = NULL, *hctx = NULL; +- +- mdlen = EVP_MD_size(digest); +- if (mdlen < 0) +- return 0; ++ int rv = 1; ++ EVP_KDF_CTX *kctx; + +- hctx_tpl = HMAC_CTX_new(); +- if (hctx_tpl == NULL) +- return 0; +- p = out; +- tkeylen = keylen; ++ /* Keep documented behaviour. */ + if (pass == NULL) { + pass = empty; + passlen = 0; + } else if (passlen == -1) { + passlen = strlen(pass); + } +- if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL)) { +- HMAC_CTX_free(hctx_tpl); +- return 0; +- } +- hctx = HMAC_CTX_new(); +- if (hctx == NULL) { +- HMAC_CTX_free(hctx_tpl); ++ if (salt == NULL && saltlen == 0) ++ salt = (unsigned char *)empty; ++ ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2); ++ if (kctx == NULL) + return 0; +- } +- while (tkeylen) { +- if (tkeylen > mdlen) +- cplen = mdlen; +- else +- cplen = tkeylen; +- /* +- * We are unlikely to ever use more than 256 blocks (5120 bits!) but +- * just in case... +- */ +- itmp[0] = (unsigned char)((i >> 24) & 0xff); +- itmp[1] = (unsigned char)((i >> 16) & 0xff); +- itmp[2] = (unsigned char)((i >> 8) & 0xff); +- itmp[3] = (unsigned char)(i & 0xff); +- if (!HMAC_CTX_copy(hctx, hctx_tpl)) { +- HMAC_CTX_free(hctx); +- HMAC_CTX_free(hctx_tpl); +- return 0; +- } +- if (!HMAC_Update(hctx, salt, saltlen) +- || !HMAC_Update(hctx, itmp, 4) +- || !HMAC_Final(hctx, digtmp, NULL)) { +- HMAC_CTX_free(hctx); +- HMAC_CTX_free(hctx_tpl); +- return 0; +- } +- memcpy(p, digtmp, cplen); +- for (j = 1; j < iter; j++) { +- if (!HMAC_CTX_copy(hctx, hctx_tpl)) { +- HMAC_CTX_free(hctx); +- HMAC_CTX_free(hctx_tpl); +- return 0; +- } +- if (!HMAC_Update(hctx, digtmp, mdlen) +- || !HMAC_Final(hctx, digtmp, NULL)) { +- HMAC_CTX_free(hctx); +- HMAC_CTX_free(hctx_tpl); +- return 0; +- } +- for (k = 0; k < cplen; k++) +- p[k] ^= digtmp[k]; +- } +- tkeylen -= cplen; +- i++; +- p += cplen; +- } +- HMAC_CTX_free(hctx); +- HMAC_CTX_free(hctx_tpl); ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, pass, (size_t)passlen) != 1 ++ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, ++ salt, (size_t)saltlen) != 1 ++ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, iter) != 1 ++ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, digest) != 1 ++ || EVP_KDF_derive(kctx, out, keylen) != 1) ++ rv = 0; ++ ++ EVP_KDF_CTX_free(kctx); ++ + # ifdef OPENSSL_DEBUG_PKCS5V2 + fprintf(stderr, "Password:\n"); + h__dump(pass, passlen); +@@ -118,7 +64,7 @@ int PKCS5_PBKDF2_HMAC(const char *pass, + fprintf(stderr, "Key:\n"); + h__dump(out, keylen); + # endif +- return 1; ++ return rv; + } + + int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, +Index: openssl-1.1.1n/crypto/evp/pbe_scrypt.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/pbe_scrypt.c ++++ openssl-1.1.1n/crypto/evp/pbe_scrypt.c +@@ -7,135 +7,12 @@ + * https://www.openssl.org/source/license.html + */ + +-#include +-#include +-#include + #include + #include +-#include "internal/numbers.h" ++#include + + #ifndef OPENSSL_NO_SCRYPT + +-#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b)))) +-static void salsa208_word_specification(uint32_t inout[16]) +-{ +- int i; +- uint32_t x[16]; +- memcpy(x, inout, sizeof(x)); +- for (i = 8; i > 0; i -= 2) { +- x[4] ^= R(x[0] + x[12], 7); +- x[8] ^= R(x[4] + x[0], 9); +- x[12] ^= R(x[8] + x[4], 13); +- x[0] ^= R(x[12] + x[8], 18); +- x[9] ^= R(x[5] + x[1], 7); +- x[13] ^= R(x[9] + x[5], 9); +- x[1] ^= R(x[13] + x[9], 13); +- x[5] ^= R(x[1] + x[13], 18); +- x[14] ^= R(x[10] + x[6], 7); +- x[2] ^= R(x[14] + x[10], 9); +- x[6] ^= R(x[2] + x[14], 13); +- x[10] ^= R(x[6] + x[2], 18); +- x[3] ^= R(x[15] + x[11], 7); +- x[7] ^= R(x[3] + x[15], 9); +- x[11] ^= R(x[7] + x[3], 13); +- x[15] ^= R(x[11] + x[7], 18); +- x[1] ^= R(x[0] + x[3], 7); +- x[2] ^= R(x[1] + x[0], 9); +- x[3] ^= R(x[2] + x[1], 13); +- x[0] ^= R(x[3] + x[2], 18); +- x[6] ^= R(x[5] + x[4], 7); +- x[7] ^= R(x[6] + x[5], 9); +- x[4] ^= R(x[7] + x[6], 13); +- x[5] ^= R(x[4] + x[7], 18); +- x[11] ^= R(x[10] + x[9], 7); +- x[8] ^= R(x[11] + x[10], 9); +- x[9] ^= R(x[8] + x[11], 13); +- x[10] ^= R(x[9] + x[8], 18); +- x[12] ^= R(x[15] + x[14], 7); +- x[13] ^= R(x[12] + x[15], 9); +- x[14] ^= R(x[13] + x[12], 13); +- x[15] ^= R(x[14] + x[13], 18); +- } +- for (i = 0; i < 16; ++i) +- inout[i] += x[i]; +- OPENSSL_cleanse(x, sizeof(x)); +-} +- +-static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r) +-{ +- uint64_t i, j; +- uint32_t X[16], *pB; +- +- memcpy(X, B + (r * 2 - 1) * 16, sizeof(X)); +- pB = B; +- for (i = 0; i < r * 2; i++) { +- for (j = 0; j < 16; j++) +- X[j] ^= *pB++; +- salsa208_word_specification(X); +- memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X)); +- } +- OPENSSL_cleanse(X, sizeof(X)); +-} +- +-static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N, +- uint32_t *X, uint32_t *T, uint32_t *V) +-{ +- unsigned char *pB; +- uint32_t *pV; +- uint64_t i, k; +- +- /* Convert from little endian input */ +- for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) { +- *pV = *pB++; +- *pV |= *pB++ << 8; +- *pV |= *pB++ << 16; +- *pV |= (uint32_t)*pB++ << 24; +- } +- +- for (i = 1; i < N; i++, pV += 32 * r) +- scryptBlockMix(pV, pV - 32 * r, r); +- +- scryptBlockMix(X, V + (N - 1) * 32 * r, r); +- +- for (i = 0; i < N; i++) { +- uint32_t j; +- j = X[16 * (2 * r - 1)] % N; +- pV = V + 32 * r * j; +- for (k = 0; k < 32 * r; k++) +- T[k] = X[k] ^ *pV++; +- scryptBlockMix(X, T, r); +- } +- /* Convert output to little endian */ +- for (i = 0, pB = B; i < 32 * r; i++) { +- uint32_t xtmp = X[i]; +- *pB++ = xtmp & 0xff; +- *pB++ = (xtmp >> 8) & 0xff; +- *pB++ = (xtmp >> 16) & 0xff; +- *pB++ = (xtmp >> 24) & 0xff; +- } +-} +- +-#ifndef SIZE_MAX +-# define SIZE_MAX ((size_t)-1) +-#endif +- +-/* +- * Maximum power of two that will fit in uint64_t: this should work on +- * most (all?) platforms. +- */ +- +-#define LOG2_UINT64_MAX (sizeof(uint64_t) * 8 - 1) +- +-/* +- * Maximum value of p * r: +- * p <= ((2^32-1) * hLen) / MFLen => +- * p <= ((2^32-1) * 32) / (128 * r) => +- * p * r <= (2^30-1) +- * +- */ +- +-#define SCRYPT_PR_MAX ((1 << 30) - 1) +- + /* + * Maximum permitted memory allow this to be overridden with Configuration + * option: e.g. -DSCRYPT_MAX_MEM=0 for maximum possible. +@@ -160,107 +37,43 @@ int EVP_PBE_scrypt(const char *pass, siz + uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, + unsigned char *key, size_t keylen) + { +- int rv = 0; +- unsigned char *B; +- uint32_t *X, *V, *T; +- uint64_t i, Blen, Vlen; +- +- /* Sanity check parameters */ +- /* initial check, r,p must be non zero, N >= 2 and a power of 2 */ +- if (r == 0 || p == 0 || N < 2 || (N & (N - 1))) +- return 0; +- /* Check p * r < SCRYPT_PR_MAX avoiding overflow */ +- if (p > SCRYPT_PR_MAX / r) { +- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); +- return 0; +- } +- +- /* +- * Need to check N: if 2^(128 * r / 8) overflows limit this is +- * automatically satisfied since N <= UINT64_MAX. +- */ +- +- if (16 * r <= LOG2_UINT64_MAX) { +- if (N >= (((uint64_t)1) << (16 * r))) { +- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); +- return 0; +- } +- } ++ const char *empty = ""; ++ int rv = 1; ++ EVP_KDF_CTX *kctx; + +- /* Memory checks: check total allocated buffer size fits in uint64_t */ +- +- /* +- * B size in section 5 step 1.S +- * Note: we know p * 128 * r < UINT64_MAX because we already checked +- * p * r < SCRYPT_PR_MAX +- */ +- Blen = p * 128 * r; +- /* +- * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would +- * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.] +- */ +- if (Blen > INT_MAX) { +- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); ++ if (r > UINT32_MAX || p > UINT32_MAX) { ++ EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PARAMETER_TOO_LARGE); + return 0; + } + +- /* +- * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t +- * This is combined size V, X and T (section 4) +- */ +- i = UINT64_MAX / (32 * sizeof(uint32_t)); +- if (N + 2 > i / r) { +- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); +- return 0; ++ /* Maintain existing behaviour. */ ++ if (pass == NULL) { ++ pass = empty; ++ passlen = 0; + } +- Vlen = 32 * r * (N + 2) * sizeof(uint32_t); +- +- /* check total allocated size fits in uint64_t */ +- if (Blen > UINT64_MAX - Vlen) { +- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); +- return 0; ++ if (salt == NULL) { ++ salt = (const unsigned char *)empty; ++ saltlen = 0; + } +- + if (maxmem == 0) + maxmem = SCRYPT_MAX_MEM; + +- /* Check that the maximum memory doesn't exceed a size_t limits */ +- if (maxmem > SIZE_MAX) +- maxmem = SIZE_MAX; +- +- if (Blen + Vlen > maxmem) { +- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT); ++ if (kctx == NULL) + return 0; +- } + +- /* If no key return to indicate parameters are OK */ +- if (key == NULL) +- return 1; +- +- B = OPENSSL_malloc((size_t)(Blen + Vlen)); +- if (B == NULL) { +- EVPerr(EVP_F_EVP_PBE_SCRYPT, ERR_R_MALLOC_FAILURE); +- return 0; +- } +- X = (uint32_t *)(B + Blen); +- T = X + 32 * r; +- V = T + 32 * r; +- if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, EVP_sha256(), +- (int)Blen, B) == 0) +- goto err; +- +- for (i = 0; i < p; i++) +- scryptROMix(B + 128 * r * i, r, N, X, T, V); +- +- if (PKCS5_PBKDF2_HMAC(pass, passlen, B, (int)Blen, 1, EVP_sha256(), +- keylen, key) == 0) +- goto err; +- rv = 1; +- err: +- if (rv == 0) +- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PBKDF2_ERROR); ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, pass, (size_t)passlen) != 1 ++ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, ++ salt, (size_t)saltlen) != 1 ++ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N, N) != 1 ++ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R, (uint32_t)r) != 1 ++ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P, (uint32_t)p) != 1 ++ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES, maxmem) != 1 ++ || EVP_KDF_derive(kctx, key, keylen) != 1) ++ rv = 0; + +- OPENSSL_clear_free(B, (size_t)(Blen + Vlen)); ++ EVP_KDF_CTX_free(kctx); + return rv; + } ++ + #endif +Index: openssl-1.1.1n/crypto/evp/pkey_kdf.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/evp/pkey_kdf.c +@@ -0,0 +1,255 @@ ++/* ++ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include ++#include ++#include "crypto/evp.h" ++ ++static int pkey_kdf_init(EVP_PKEY_CTX *ctx) ++{ ++ EVP_KDF_CTX *kctx; ++ ++ kctx = EVP_KDF_CTX_new_id(ctx->pmeth->pkey_id); ++ if (kctx == NULL) ++ return 0; ++ ++ ctx->data = kctx; ++ return 1; ++} ++ ++static void pkey_kdf_cleanup(EVP_PKEY_CTX *ctx) ++{ ++ EVP_KDF_CTX *kctx = ctx->data; ++ ++ EVP_KDF_CTX_free(kctx); ++} ++ ++static int pkey_kdf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) ++{ ++ EVP_KDF_CTX *kctx = ctx->data; ++ uint64_t u64_value; ++ int cmd; ++ int ret; ++ ++ switch (type) { ++ case EVP_PKEY_CTRL_PASS: ++ cmd = EVP_KDF_CTRL_SET_PASS; ++ break; ++ case EVP_PKEY_CTRL_HKDF_SALT: ++ case EVP_PKEY_CTRL_SCRYPT_SALT: ++ cmd = EVP_KDF_CTRL_SET_SALT; ++ break; ++ case EVP_PKEY_CTRL_TLS_MD: ++ case EVP_PKEY_CTRL_HKDF_MD: ++ cmd = EVP_KDF_CTRL_SET_MD; ++ break; ++ case EVP_PKEY_CTRL_TLS_SECRET: ++ cmd = EVP_KDF_CTRL_SET_TLS_SECRET; ++ ret = EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_RESET_TLS_SEED); ++ if (ret < 1) ++ return ret; ++ break; ++ case EVP_PKEY_CTRL_TLS_SEED: ++ cmd = EVP_KDF_CTRL_ADD_TLS_SEED; ++ break; ++ case EVP_PKEY_CTRL_HKDF_KEY: ++ cmd = EVP_KDF_CTRL_SET_KEY; ++ break; ++ case EVP_PKEY_CTRL_HKDF_INFO: ++ cmd = EVP_KDF_CTRL_ADD_HKDF_INFO; ++ break; ++ case EVP_PKEY_CTRL_HKDF_MODE: ++ cmd = EVP_KDF_CTRL_SET_HKDF_MODE; ++ break; ++ case EVP_PKEY_CTRL_SCRYPT_N: ++ cmd = EVP_KDF_CTRL_SET_SCRYPT_N; ++ break; ++ case EVP_PKEY_CTRL_SCRYPT_R: ++ cmd = EVP_KDF_CTRL_SET_SCRYPT_R; ++ break; ++ case EVP_PKEY_CTRL_SCRYPT_P: ++ cmd = EVP_KDF_CTRL_SET_SCRYPT_P; ++ break; ++ case EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES: ++ cmd = EVP_KDF_CTRL_SET_MAXMEM_BYTES; ++ break; ++ default: ++ return -2; ++ } ++ ++ switch (cmd) { ++ case EVP_KDF_CTRL_SET_PASS: ++ case EVP_KDF_CTRL_SET_SALT: ++ case EVP_KDF_CTRL_SET_KEY: ++ case EVP_KDF_CTRL_SET_TLS_SECRET: ++ case EVP_KDF_CTRL_ADD_TLS_SEED: ++ case EVP_KDF_CTRL_ADD_HKDF_INFO: ++ return EVP_KDF_ctrl(kctx, cmd, (const unsigned char *)p2, (size_t)p1); ++ ++ case EVP_KDF_CTRL_SET_MD: ++ return EVP_KDF_ctrl(kctx, cmd, (const EVP_MD *)p2); ++ ++ case EVP_KDF_CTRL_SET_HKDF_MODE: ++ return EVP_KDF_ctrl(kctx, cmd, (int)p1); ++ ++ case EVP_KDF_CTRL_SET_SCRYPT_R: ++ case EVP_KDF_CTRL_SET_SCRYPT_P: ++ u64_value = *(uint64_t *)p2; ++ if (u64_value > UINT32_MAX) { ++ EVPerr(EVP_F_PKEY_KDF_CTRL, EVP_R_PARAMETER_TOO_LARGE); ++ return 0; ++ } ++ ++ return EVP_KDF_ctrl(kctx, cmd, (uint32_t)u64_value); ++ ++ case EVP_KDF_CTRL_SET_SCRYPT_N: ++ case EVP_KDF_CTRL_SET_MAXMEM_BYTES: ++ return EVP_KDF_ctrl(kctx, cmd, *(uint64_t *)p2); ++ ++ default: ++ return 0; ++ } ++} ++ ++static int pkey_kdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, ++ const char *value) ++{ ++ EVP_KDF_CTX *kctx = ctx->data; ++ ++ if (strcmp(type, "md") == 0) ++ return EVP_KDF_ctrl_str(kctx, "digest", value); ++ return EVP_KDF_ctrl_str(kctx, type, value); ++} ++ ++static int pkey_kdf_derive_init(EVP_PKEY_CTX *ctx) ++{ ++ EVP_KDF_CTX *kctx = ctx->data; ++ ++ EVP_KDF_reset(kctx); ++ return 1; ++} ++ ++/* ++ * For fixed-output algorithms the keylen parameter is an "out" parameter ++ * otherwise it is an "in" parameter. ++ */ ++static int pkey_kdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key, ++ size_t *keylen) ++{ ++ EVP_KDF_CTX *kctx = ctx->data; ++ size_t outlen = EVP_KDF_size(kctx); ++ ++ if (outlen == 0 || outlen == SIZE_MAX) { ++ /* Variable-output algorithm */ ++ if (key == NULL) ++ return 0; ++ } else { ++ /* Fixed-output algorithm */ ++ *keylen = outlen; ++ if (key == NULL) ++ return 1; ++ } ++ return EVP_KDF_derive(kctx, key, *keylen); ++} ++ ++#ifndef OPENSSL_NO_SCRYPT ++const EVP_PKEY_METHOD scrypt_pkey_meth = { ++ EVP_PKEY_SCRYPT, ++ 0, ++ pkey_kdf_init, ++ 0, ++ pkey_kdf_cleanup, ++ ++ 0, 0, ++ 0, 0, ++ ++ 0, ++ 0, ++ ++ 0, ++ 0, ++ ++ 0, 0, ++ ++ 0, 0, 0, 0, ++ ++ 0, 0, ++ ++ 0, 0, ++ ++ pkey_kdf_derive_init, ++ pkey_kdf_derive, ++ pkey_kdf_ctrl, ++ pkey_kdf_ctrl_str ++}; ++#endif ++ ++const EVP_PKEY_METHOD tls1_prf_pkey_meth = { ++ EVP_PKEY_TLS1_PRF, ++ EVP_PKEY_FLAG_FIPS, ++ pkey_kdf_init, ++ 0, ++ pkey_kdf_cleanup, ++ ++ 0, 0, ++ 0, 0, ++ ++ 0, ++ 0, ++ ++ 0, ++ 0, ++ ++ 0, 0, ++ ++ 0, 0, 0, 0, ++ ++ 0, 0, ++ ++ 0, 0, ++ ++ pkey_kdf_derive_init, ++ pkey_kdf_derive, ++ pkey_kdf_ctrl, ++ pkey_kdf_ctrl_str ++}; ++ ++const EVP_PKEY_METHOD hkdf_pkey_meth = { ++ EVP_PKEY_HKDF, ++ EVP_PKEY_FLAG_FIPS, ++ pkey_kdf_init, ++ 0, ++ pkey_kdf_cleanup, ++ ++ 0, 0, ++ 0, 0, ++ ++ 0, ++ 0, ++ ++ 0, ++ 0, ++ ++ 0, 0, ++ ++ 0, 0, 0, 0, ++ ++ 0, 0, ++ ++ 0, 0, ++ ++ pkey_kdf_derive_init, ++ pkey_kdf_derive, ++ pkey_kdf_ctrl, ++ pkey_kdf_ctrl_str ++}; ++ +Index: openssl-1.1.1n/include/crypto/evp.h +=================================================================== +--- openssl-1.1.1n.orig/include/crypto/evp.h ++++ openssl-1.1.1n/include/crypto/evp.h +@@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m + extern const EVP_PKEY_METHOD poly1305_pkey_meth; + extern const EVP_PKEY_METHOD siphash_pkey_meth; + ++/* struct evp_kdf_impl_st is defined by the implementation */ ++typedef struct evp_kdf_impl_st EVP_KDF_IMPL; ++typedef struct { ++ int type; ++ EVP_KDF_IMPL *(*new) (void); ++ void (*free) (EVP_KDF_IMPL *impl); ++ void (*reset) (EVP_KDF_IMPL *impl); ++ int (*ctrl) (EVP_KDF_IMPL *impl, int cmd, va_list args); ++ int (*ctrl_str) (EVP_KDF_IMPL *impl, const char *type, const char *value); ++ size_t (*size) (EVP_KDF_IMPL *impl); ++ int (*derive) (EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen); ++} EVP_KDF_METHOD; ++ ++extern const EVP_KDF_METHOD pbkdf2_kdf_meth; ++extern const EVP_KDF_METHOD scrypt_kdf_meth; ++extern const EVP_KDF_METHOD tls1_prf_kdf_meth; ++extern const EVP_KDF_METHOD hkdf_kdf_meth; ++ + struct evp_md_st { + int type; + int pkey_type; +Index: openssl-1.1.1n/crypto/kdf/build.info +=================================================================== +--- openssl-1.1.1n.orig/crypto/kdf/build.info ++++ openssl-1.1.1n/crypto/kdf/build.info +@@ -1,3 +1,3 @@ + LIBS=../../libcrypto + SOURCE[../../libcrypto]=\ +- tls1_prf.c kdf_err.c hkdf.c scrypt.c ++ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c +Index: openssl-1.1.1n/crypto/kdf/hkdf.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/kdf/hkdf.c ++++ openssl-1.1.1n/crypto/kdf/hkdf.c +@@ -8,32 +8,33 @@ + */ + + #include ++#include + #include + #include +-#include + #include ++#include + #include "internal/cryptlib.h" + #include "crypto/evp.h" ++#include "kdf_local.h" + + #define HKDF_MAXBUF 1024 + +-static unsigned char *HKDF(const EVP_MD *evp_md, +- const unsigned char *salt, size_t salt_len, +- const unsigned char *key, size_t key_len, +- const unsigned char *info, size_t info_len, +- unsigned char *okm, size_t okm_len); +- +-static unsigned char *HKDF_Extract(const EVP_MD *evp_md, +- const unsigned char *salt, size_t salt_len, +- const unsigned char *key, size_t key_len, +- unsigned char *prk, size_t *prk_len); +- +-static unsigned char *HKDF_Expand(const EVP_MD *evp_md, +- const unsigned char *prk, size_t prk_len, +- const unsigned char *info, size_t info_len, +- unsigned char *okm, size_t okm_len); ++static void kdf_hkdf_reset(EVP_KDF_IMPL *impl); ++static int HKDF(const EVP_MD *evp_md, ++ const unsigned char *salt, size_t salt_len, ++ const unsigned char *key, size_t key_len, ++ const unsigned char *info, size_t info_len, ++ unsigned char *okm, size_t okm_len); ++static int HKDF_Extract(const EVP_MD *evp_md, ++ const unsigned char *salt, size_t salt_len, ++ const unsigned char *key, size_t key_len, ++ unsigned char *prk, size_t prk_len); ++static int HKDF_Expand(const EVP_MD *evp_md, ++ const unsigned char *prk, size_t prk_len, ++ const unsigned char *info, size_t info_len, ++ unsigned char *okm, size_t okm_len); + +-typedef struct { ++struct evp_kdf_impl_st { + int mode; + const EVP_MD *md; + unsigned char *salt; +@@ -42,230 +43,208 @@ typedef struct { + size_t key_len; + unsigned char info[HKDF_MAXBUF]; + size_t info_len; +-} HKDF_PKEY_CTX; ++}; + +-static int pkey_hkdf_init(EVP_PKEY_CTX *ctx) ++static EVP_KDF_IMPL *kdf_hkdf_new(void) + { +- HKDF_PKEY_CTX *kctx; +- +- if ((kctx = OPENSSL_zalloc(sizeof(*kctx))) == NULL) { +- KDFerr(KDF_F_PKEY_HKDF_INIT, ERR_R_MALLOC_FAILURE); +- return 0; +- } ++ EVP_KDF_IMPL *impl; + +- ctx->data = kctx; ++ if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL) ++ KDFerr(KDF_F_KDF_HKDF_NEW, ERR_R_MALLOC_FAILURE); ++ return impl; ++} + +- return 1; ++static void kdf_hkdf_free(EVP_KDF_IMPL *impl) ++{ ++ kdf_hkdf_reset(impl); ++ OPENSSL_free(impl); + } + +-static void pkey_hkdf_cleanup(EVP_PKEY_CTX *ctx) ++static void kdf_hkdf_reset(EVP_KDF_IMPL *impl) + { +- HKDF_PKEY_CTX *kctx = ctx->data; +- OPENSSL_clear_free(kctx->salt, kctx->salt_len); +- OPENSSL_clear_free(kctx->key, kctx->key_len); +- OPENSSL_cleanse(kctx->info, kctx->info_len); +- OPENSSL_free(kctx); ++ OPENSSL_free(impl->salt); ++ OPENSSL_clear_free(impl->key, impl->key_len); ++ OPENSSL_cleanse(impl->info, impl->info_len); ++ memset(impl, 0, sizeof(*impl)); + } + +-static int pkey_hkdf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) ++static int kdf_hkdf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) + { +- HKDF_PKEY_CTX *kctx = ctx->data; ++ const unsigned char *p; ++ size_t len; ++ const EVP_MD *md; + +- switch (type) { +- case EVP_PKEY_CTRL_HKDF_MD: +- if (p2 == NULL) ++ switch (cmd) { ++ case EVP_KDF_CTRL_SET_MD: ++ md = va_arg(args, const EVP_MD *); ++ if (md == NULL) + return 0; + +- kctx->md = p2; ++ impl->md = md; + return 1; + +- case EVP_PKEY_CTRL_HKDF_MODE: +- kctx->mode = p1; ++ case EVP_KDF_CTRL_SET_HKDF_MODE: ++ impl->mode = va_arg(args, int); + return 1; + +- case EVP_PKEY_CTRL_HKDF_SALT: +- if (p1 == 0 || p2 == NULL) ++ case EVP_KDF_CTRL_SET_SALT: ++ p = va_arg(args, const unsigned char *); ++ len = va_arg(args, size_t); ++ if (len == 0 || p == NULL) + return 1; + +- if (p1 < 0) +- return 0; +- +- if (kctx->salt != NULL) +- OPENSSL_clear_free(kctx->salt, kctx->salt_len); +- +- kctx->salt = OPENSSL_memdup(p2, p1); +- if (kctx->salt == NULL) ++ OPENSSL_free(impl->salt); ++ impl->salt = OPENSSL_memdup(p, len); ++ if (impl->salt == NULL) + return 0; + +- kctx->salt_len = p1; ++ impl->salt_len = len; + return 1; + +- case EVP_PKEY_CTRL_HKDF_KEY: +- if (p1 < 0) ++ case EVP_KDF_CTRL_SET_KEY: ++ p = va_arg(args, const unsigned char *); ++ len = va_arg(args, size_t); ++ OPENSSL_clear_free(impl->key, impl->key_len); ++ impl->key = OPENSSL_memdup(p, len); ++ if (impl->key == NULL) + return 0; + +- if (kctx->key != NULL) +- OPENSSL_clear_free(kctx->key, kctx->key_len); +- +- kctx->key = OPENSSL_memdup(p2, p1); +- if (kctx->key == NULL) +- return 0; ++ impl->key_len = len; ++ return 1; + +- kctx->key_len = p1; ++ case EVP_KDF_CTRL_RESET_HKDF_INFO: ++ OPENSSL_cleanse(impl->info, impl->info_len); ++ impl->info_len = 0; + return 1; + +- case EVP_PKEY_CTRL_HKDF_INFO: +- if (p1 == 0 || p2 == NULL) ++ case EVP_KDF_CTRL_ADD_HKDF_INFO: ++ p = va_arg(args, const unsigned char *); ++ len = va_arg(args, size_t); ++ if (len == 0 || p == NULL) + return 1; + +- if (p1 < 0 || p1 > (int)(HKDF_MAXBUF - kctx->info_len)) ++ if (len > (HKDF_MAXBUF - impl->info_len)) + return 0; + +- memcpy(kctx->info + kctx->info_len, p2, p1); +- kctx->info_len += p1; ++ memcpy(impl->info + impl->info_len, p, len); ++ impl->info_len += len; + return 1; + + default: + return -2; +- + } + } + +-static int pkey_hkdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, +- const char *value) ++static int kdf_hkdf_ctrl_str(EVP_KDF_IMPL *impl, const char *type, ++ const char *value) + { + if (strcmp(type, "mode") == 0) { + int mode; + + if (strcmp(value, "EXTRACT_AND_EXPAND") == 0) +- mode = EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND; ++ mode = EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND; + else if (strcmp(value, "EXTRACT_ONLY") == 0) +- mode = EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY; ++ mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY; + else if (strcmp(value, "EXPAND_ONLY") == 0) +- mode = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY; ++ mode = EVP_KDF_HKDF_MODE_EXPAND_ONLY; + else + return 0; + +- return EVP_PKEY_CTX_hkdf_mode(ctx, mode); ++ return call_ctrl(kdf_hkdf_ctrl, impl, EVP_KDF_CTRL_SET_HKDF_MODE, mode); + } + +- if (strcmp(type, "md") == 0) +- return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_DERIVE, +- EVP_PKEY_CTRL_HKDF_MD, value); ++ if (strcmp(type, "digest") == 0) ++ return kdf_md2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_MD, value); + + if (strcmp(type, "salt") == 0) +- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_SALT, value); ++ return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_SALT, value); + + if (strcmp(type, "hexsalt") == 0) +- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_SALT, value); ++ return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_SALT, value); + + if (strcmp(type, "key") == 0) +- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_KEY, value); ++ return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_KEY, value); + + if (strcmp(type, "hexkey") == 0) +- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_KEY, value); ++ return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_KEY, value); + + if (strcmp(type, "info") == 0) +- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_INFO, value); ++ return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_ADD_HKDF_INFO, ++ value); + + if (strcmp(type, "hexinfo") == 0) +- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_INFO, value); ++ return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_ADD_HKDF_INFO, ++ value); + +- KDFerr(KDF_F_PKEY_HKDF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE); + return -2; + } + +-static int pkey_hkdf_derive_init(EVP_PKEY_CTX *ctx) ++static size_t kdf_hkdf_size(EVP_KDF_IMPL *impl) + { +- HKDF_PKEY_CTX *kctx = ctx->data; +- +- OPENSSL_clear_free(kctx->key, kctx->key_len); +- OPENSSL_clear_free(kctx->salt, kctx->salt_len); +- OPENSSL_cleanse(kctx->info, kctx->info_len); +- memset(kctx, 0, sizeof(*kctx)); ++ if (impl->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY) ++ return SIZE_MAX; + +- return 1; ++ if (impl->md == NULL) { ++ KDFerr(KDF_F_KDF_HKDF_SIZE, KDF_R_MISSING_MESSAGE_DIGEST); ++ return 0; ++ } ++ return EVP_MD_size(impl->md); + } + +-static int pkey_hkdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key, +- size_t *keylen) ++static int kdf_hkdf_derive(EVP_KDF_IMPL *impl, unsigned char *key, ++ size_t keylen) + { +- HKDF_PKEY_CTX *kctx = ctx->data; +- +- if (kctx->md == NULL) { +- KDFerr(KDF_F_PKEY_HKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); ++ if (impl->md == NULL) { ++ KDFerr(KDF_F_KDF_HKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); + return 0; + } +- if (kctx->key == NULL) { +- KDFerr(KDF_F_PKEY_HKDF_DERIVE, KDF_R_MISSING_KEY); ++ if (impl->key == NULL) { ++ KDFerr(KDF_F_KDF_HKDF_DERIVE, KDF_R_MISSING_KEY); + return 0; + } + +- switch (kctx->mode) { +- case EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND: +- return HKDF(kctx->md, kctx->salt, kctx->salt_len, kctx->key, +- kctx->key_len, kctx->info, kctx->info_len, key, +- *keylen) != NULL; +- +- case EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY: +- if (key == NULL) { +- *keylen = EVP_MD_size(kctx->md); +- return 1; +- } +- return HKDF_Extract(kctx->md, kctx->salt, kctx->salt_len, kctx->key, +- kctx->key_len, key, keylen) != NULL; +- +- case EVP_PKEY_HKDEF_MODE_EXPAND_ONLY: +- return HKDF_Expand(kctx->md, kctx->key, kctx->key_len, kctx->info, +- kctx->info_len, key, *keylen) != NULL; ++ switch (impl->mode) { ++ case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: ++ return HKDF(impl->md, impl->salt, impl->salt_len, impl->key, ++ impl->key_len, impl->info, impl->info_len, key, ++ keylen); ++ ++ case EVP_KDF_HKDF_MODE_EXTRACT_ONLY: ++ return HKDF_Extract(impl->md, impl->salt, impl->salt_len, impl->key, ++ impl->key_len, key, keylen); ++ ++ case EVP_KDF_HKDF_MODE_EXPAND_ONLY: ++ return HKDF_Expand(impl->md, impl->key, impl->key_len, impl->info, ++ impl->info_len, key, keylen); + + default: + return 0; + } + } + +-const EVP_PKEY_METHOD hkdf_pkey_meth = { +- EVP_PKEY_HKDF, +- 0, +- pkey_hkdf_init, +- 0, +- pkey_hkdf_cleanup, +- +- 0, 0, +- 0, 0, +- +- 0, +- 0, +- +- 0, +- 0, +- +- 0, 0, +- +- 0, 0, 0, 0, +- +- 0, 0, +- +- 0, 0, +- +- pkey_hkdf_derive_init, +- pkey_hkdf_derive, +- pkey_hkdf_ctrl, +- pkey_hkdf_ctrl_str ++const EVP_KDF_METHOD hkdf_kdf_meth = { ++ EVP_KDF_HKDF, ++ kdf_hkdf_new, ++ kdf_hkdf_free, ++ kdf_hkdf_reset, ++ kdf_hkdf_ctrl, ++ kdf_hkdf_ctrl_str, ++ kdf_hkdf_size, ++ kdf_hkdf_derive + }; + +-static unsigned char *HKDF(const EVP_MD *evp_md, +- const unsigned char *salt, size_t salt_len, +- const unsigned char *key, size_t key_len, +- const unsigned char *info, size_t info_len, +- unsigned char *okm, size_t okm_len) ++static int HKDF(const EVP_MD *evp_md, ++ const unsigned char *salt, size_t salt_len, ++ const unsigned char *key, size_t key_len, ++ const unsigned char *info, size_t info_len, ++ unsigned char *okm, size_t okm_len) + { + unsigned char prk[EVP_MAX_MD_SIZE]; +- unsigned char *ret; +- size_t prk_len; ++ int ret; ++ size_t prk_len = EVP_MD_size(evp_md); + +- if (!HKDF_Extract(evp_md, salt, salt_len, key, key_len, prk, &prk_len)) +- return NULL; ++ if (!HKDF_Extract(evp_md, salt, salt_len, key, key_len, prk, prk_len)) ++ return 0; + + ret = HKDF_Expand(evp_md, prk, prk_len, info, info_len, okm, okm_len); + OPENSSL_cleanse(prk, sizeof(prk)); +@@ -273,43 +252,38 @@ static unsigned char *HKDF(const EVP_MD + return ret; + } + +-static unsigned char *HKDF_Extract(const EVP_MD *evp_md, +- const unsigned char *salt, size_t salt_len, +- const unsigned char *key, size_t key_len, +- unsigned char *prk, size_t *prk_len) ++static int HKDF_Extract(const EVP_MD *evp_md, ++ const unsigned char *salt, size_t salt_len, ++ const unsigned char *key, size_t key_len, ++ unsigned char *prk, size_t prk_len) + { +- unsigned int tmp_len; +- +- if (!HMAC(evp_md, salt, salt_len, key, key_len, prk, &tmp_len)) +- return NULL; +- +- *prk_len = tmp_len; +- return prk; ++ if (prk_len != (size_t)EVP_MD_size(evp_md)) { ++ KDFerr(KDF_F_HKDF_EXTRACT, KDF_R_WRONG_OUTPUT_BUFFER_SIZE); ++ return 0; ++ } ++ return HMAC(evp_md, salt, salt_len, key, key_len, prk, NULL) != NULL; + } + +-static unsigned char *HKDF_Expand(const EVP_MD *evp_md, +- const unsigned char *prk, size_t prk_len, +- const unsigned char *info, size_t info_len, +- unsigned char *okm, size_t okm_len) ++static int HKDF_Expand(const EVP_MD *evp_md, ++ const unsigned char *prk, size_t prk_len, ++ const unsigned char *info, size_t info_len, ++ unsigned char *okm, size_t okm_len) + { + HMAC_CTX *hmac; +- unsigned char *ret = NULL; +- ++ int ret = 0; + unsigned int i; +- + unsigned char prev[EVP_MAX_MD_SIZE]; +- + size_t done_len = 0, dig_len = EVP_MD_size(evp_md); +- + size_t n = okm_len / dig_len; ++ + if (okm_len % dig_len) + n++; + + if (n > 255 || okm == NULL) +- return NULL; ++ return 0; + + if ((hmac = HMAC_CTX_new()) == NULL) +- return NULL; ++ return 0; + + if (!HMAC_Init_ex(hmac, prk, prk_len, evp_md, NULL)) + goto err; +@@ -343,7 +317,7 @@ static unsigned char *HKDF_Expand(const + + done_len += copy_len; + } +- ret = okm; ++ ret = 1; + + err: + OPENSSL_cleanse(prev, sizeof(prev)); +Index: openssl-1.1.1n/crypto/kdf/kdf_err.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/kdf/kdf_err.c ++++ openssl-1.1.1n/crypto/kdf/kdf_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -14,6 +14,29 @@ + #ifndef OPENSSL_NO_ERR + + static const ERR_STRING_DATA KDF_str_functs[] = { ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_HKDF_EXTRACT, 0), "HKDF_Extract"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_DERIVE, 0), "kdf_hkdf_derive"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_NEW, 0), "kdf_hkdf_new"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_SIZE, 0), "kdf_hkdf_size"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_MD2CTRL, 0), "kdf_md2ctrl"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_PBKDF2_CTRL_STR, 0), ++ "kdf_pbkdf2_ctrl_str"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_PBKDF2_DERIVE, 0), "kdf_pbkdf2_derive"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_PBKDF2_NEW, 0), "kdf_pbkdf2_new"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_CTRL_STR, 0), ++ "kdf_scrypt_ctrl_str"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_CTRL_UINT32, 0), ++ "kdf_scrypt_ctrl_uint32"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_CTRL_UINT64, 0), ++ "kdf_scrypt_ctrl_uint64"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_DERIVE, 0), "kdf_scrypt_derive"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_NEW, 0), "kdf_scrypt_new"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_CTRL_STR, 0), ++ "kdf_tls1_prf_ctrl_str"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_DERIVE, 0), ++ "kdf_tls1_prf_derive"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_NEW, 0), "kdf_tls1_prf_new"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_PBKDF2_SET_MEMBUF, 0), "pbkdf2_set_membuf"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_CTRL_STR, 0), "pkey_hkdf_ctrl_str"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_DERIVE, 0), "pkey_hkdf_derive"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_INIT, 0), "pkey_hkdf_init"}, +@@ -30,6 +53,7 @@ static const ERR_STRING_DATA KDF_str_fun + {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_TLS1_PRF_DERIVE, 0), + "pkey_tls1_prf_derive"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_TLS1_PRF_INIT, 0), "pkey_tls1_prf_init"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_SCRYPT_SET_MEMBUF, 0), "scrypt_set_membuf"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_TLS1_PRF_ALG, 0), "tls1_prf_alg"}, + {0, NULL} + }; +@@ -50,6 +74,8 @@ static const ERR_STRING_DATA KDF_str_rea + "unknown parameter type"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_ERROR), "value error"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_MISSING), "value missing"}, ++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_WRONG_OUTPUT_BUFFER_SIZE), ++ "wrong output buffer size"}, + {0, NULL} + }; + +Index: openssl-1.1.1n/crypto/kdf/kdf_local.h +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/kdf/kdf_local.h +@@ -0,0 +1,22 @@ ++/* ++ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++int call_ctrl(int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), ++ EVP_KDF_IMPL *impl, int cmd, ...); ++int kdf_str2ctrl(EVP_KDF_IMPL *impl, ++ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), ++ int cmd, const char *str); ++int kdf_hex2ctrl(EVP_KDF_IMPL *impl, ++ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), ++ int cmd, const char *hex); ++int kdf_md2ctrl(EVP_KDF_IMPL *impl, ++ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), ++ int cmd, const char *md_name); ++ +Index: openssl-1.1.1n/crypto/kdf/kdf_util.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/kdf/kdf_util.c +@@ -0,0 +1,73 @@ ++/* ++ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include ++#include ++#include "internal/cryptlib.h" ++#include "crypto/evp.h" ++#include "internal/numbers.h" ++#include "kdf_local.h" ++ ++int call_ctrl(int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), ++ EVP_KDF_IMPL *impl, int cmd, ...) ++{ ++ int ret; ++ va_list args; ++ ++ va_start(args, cmd); ++ ret = ctrl(impl, cmd, args); ++ va_end(args); ++ ++ return ret; ++} ++ ++/* Utility functions to send a string or hex string to a ctrl */ ++ ++int kdf_str2ctrl(EVP_KDF_IMPL *impl, ++ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), ++ int cmd, const char *str) ++{ ++ return call_ctrl(ctrl, impl, cmd, (const unsigned char *)str, strlen(str)); ++} ++ ++int kdf_hex2ctrl(EVP_KDF_IMPL *impl, ++ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), ++ int cmd, const char *hex) ++{ ++ unsigned char *bin; ++ long binlen; ++ int ret = -1; ++ ++ bin = OPENSSL_hexstr2buf(hex, &binlen); ++ if (bin == NULL) ++ return 0; ++ ++ if (binlen <= INT_MAX) ++ ret = call_ctrl(ctrl, impl, cmd, bin, (size_t)binlen); ++ OPENSSL_free(bin); ++ return ret; ++} ++ ++/* Pass a message digest to a ctrl */ ++int kdf_md2ctrl(EVP_KDF_IMPL *impl, ++ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), ++ int cmd, const char *md_name) ++{ ++ const EVP_MD *md; ++ ++ if (md_name == NULL || (md = EVP_get_digestbyname(md_name)) == NULL) { ++ KDFerr(KDF_F_KDF_MD2CTRL, KDF_R_INVALID_DIGEST); ++ return 0; ++ } ++ return call_ctrl(ctrl, impl, cmd, md); ++} ++ +Index: openssl-1.1.1n/crypto/kdf/pbkdf2.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/kdf/pbkdf2.c +@@ -0,0 +1,264 @@ ++/* ++ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include "internal/cryptlib.h" ++#include "crypto/evp.h" ++#include "kdf_local.h" ++ ++static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl); ++static void kdf_pbkdf2_init(EVP_KDF_IMPL *impl); ++static int pkcs5_pbkdf2_alg(const char *pass, size_t passlen, ++ const unsigned char *salt, int saltlen, int iter, ++ const EVP_MD *digest, unsigned char *key, ++ size_t keylen); ++ ++struct evp_kdf_impl_st { ++ unsigned char *pass; ++ size_t pass_len; ++ unsigned char *salt; ++ size_t salt_len; ++ int iter; ++ const EVP_MD *md; ++}; ++ ++static EVP_KDF_IMPL *kdf_pbkdf2_new(void) ++{ ++ EVP_KDF_IMPL *impl; ++ ++ impl = OPENSSL_zalloc(sizeof(*impl)); ++ if (impl == NULL) { ++ KDFerr(KDF_F_KDF_PBKDF2_NEW, ERR_R_MALLOC_FAILURE); ++ return NULL; ++ } ++ kdf_pbkdf2_init(impl); ++ return impl; ++} ++ ++static void kdf_pbkdf2_free(EVP_KDF_IMPL *impl) ++{ ++ kdf_pbkdf2_reset(impl); ++ OPENSSL_free(impl); ++} ++ ++static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl) ++{ ++ OPENSSL_free(impl->salt); ++ OPENSSL_clear_free(impl->pass, impl->pass_len); ++ memset(impl, 0, sizeof(*impl)); ++ kdf_pbkdf2_init(impl); ++} ++ ++static void kdf_pbkdf2_init(EVP_KDF_IMPL *impl) ++{ ++ impl->iter = PKCS5_DEFAULT_ITER; ++ impl->md = EVP_sha1(); ++} ++ ++static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen, ++ const unsigned char *new_buffer, ++ size_t new_buflen) ++{ ++ if (new_buffer == NULL) ++ return 1; ++ ++ OPENSSL_clear_free(*buffer, *buflen); ++ ++ if (new_buflen > 0) { ++ *buffer = OPENSSL_memdup(new_buffer, new_buflen); ++ } else { ++ *buffer = OPENSSL_malloc(1); ++ } ++ if (*buffer == NULL) { ++ KDFerr(KDF_F_PBKDF2_SET_MEMBUF, ERR_R_MALLOC_FAILURE); ++ return 0; ++ } ++ ++ *buflen = new_buflen; ++ return 1; ++} ++ ++static int kdf_pbkdf2_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) ++{ ++ int iter; ++ const unsigned char *p; ++ size_t len; ++ const EVP_MD *md; ++ ++ switch (cmd) { ++ case EVP_KDF_CTRL_SET_PASS: ++ p = va_arg(args, const unsigned char *); ++ len = va_arg(args, size_t); ++ return pbkdf2_set_membuf(&impl->pass, &impl->pass_len, p, len); ++ ++ case EVP_KDF_CTRL_SET_SALT: ++ p = va_arg(args, const unsigned char *); ++ len = va_arg(args, size_t); ++ return pbkdf2_set_membuf(&impl->salt, &impl->salt_len, p, len); ++ ++ case EVP_KDF_CTRL_SET_ITER: ++ iter = va_arg(args, int); ++ if (iter < 1) ++ return 0; ++ ++ impl->iter = iter; ++ return 1; ++ ++ case EVP_KDF_CTRL_SET_MD: ++ md = va_arg(args, const EVP_MD *); ++ if (md == NULL) ++ return 0; ++ ++ impl->md = md; ++ return 1; ++ ++ default: ++ return -2; ++ } ++} ++ ++static int kdf_pbkdf2_ctrl_str(EVP_KDF_IMPL *impl, const char *type, ++ const char *value) ++{ ++ if (value == NULL) { ++ KDFerr(KDF_F_KDF_PBKDF2_CTRL_STR, KDF_R_VALUE_MISSING); ++ return 0; ++ } ++ ++ if (strcmp(type, "pass") == 0) ++ return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_PASS, ++ value); ++ ++ if (strcmp(type, "hexpass") == 0) ++ return kdf_hex2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_PASS, ++ value); ++ ++ if (strcmp(type, "salt") == 0) ++ return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_SALT, ++ value); ++ ++ if (strcmp(type, "hexsalt") == 0) ++ return kdf_hex2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_SALT, ++ value); ++ ++ if (strcmp(type, "iter") == 0) ++ return call_ctrl(kdf_pbkdf2_ctrl, impl, EVP_KDF_CTRL_SET_ITER, ++ atoi(value)); ++ ++ if (strcmp(type, "digest") == 0) ++ return kdf_md2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_MD, value); ++ ++ return -2; ++} ++ ++static int kdf_pbkdf2_derive(EVP_KDF_IMPL *impl, unsigned char *key, ++ size_t keylen) ++{ ++ if (impl->pass == NULL) { ++ KDFerr(KDF_F_KDF_PBKDF2_DERIVE, KDF_R_MISSING_PASS); ++ return 0; ++ } ++ ++ if (impl->salt == NULL) { ++ KDFerr(KDF_F_KDF_PBKDF2_DERIVE, KDF_R_MISSING_SALT); ++ return 0; ++ } ++ ++ return pkcs5_pbkdf2_alg((char *)impl->pass, impl->pass_len, ++ impl->salt, impl->salt_len, impl->iter, ++ impl->md, key, keylen); ++} ++ ++const EVP_KDF_METHOD pbkdf2_kdf_meth = { ++ EVP_KDF_PBKDF2, ++ kdf_pbkdf2_new, ++ kdf_pbkdf2_free, ++ kdf_pbkdf2_reset, ++ kdf_pbkdf2_ctrl, ++ kdf_pbkdf2_ctrl_str, ++ NULL, ++ kdf_pbkdf2_derive ++}; ++ ++/* ++ * This is an implementation of PKCS#5 v2.0 password based encryption key ++ * derivation function PBKDF2. SHA1 version verified against test vectors ++ * posted by Peter Gutmann to the PKCS-TNG mailing list. ++ */ ++ ++static int pkcs5_pbkdf2_alg(const char *pass, size_t passlen, ++ const unsigned char *salt, int saltlen, int iter, ++ const EVP_MD *digest, unsigned char *key, ++ size_t keylen) ++{ ++ int ret = 0; ++ unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4]; ++ int cplen, j, k, tkeylen, mdlen; ++ unsigned long i = 1; ++ HMAC_CTX *hctx_tpl = NULL, *hctx = NULL; ++ ++ mdlen = EVP_MD_size(digest); ++ if (mdlen < 0) ++ return 0; ++ ++ hctx_tpl = HMAC_CTX_new(); ++ if (hctx_tpl == NULL) ++ return 0; ++ p = key; ++ tkeylen = keylen; ++ if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL)) ++ goto err; ++ hctx = HMAC_CTX_new(); ++ if (hctx == NULL) ++ goto err; ++ while (tkeylen) { ++ if (tkeylen > mdlen) ++ cplen = mdlen; ++ else ++ cplen = tkeylen; ++ /* ++ * We are unlikely to ever use more than 256 blocks (5120 bits!) but ++ * just in case... ++ */ ++ itmp[0] = (unsigned char)((i >> 24) & 0xff); ++ itmp[1] = (unsigned char)((i >> 16) & 0xff); ++ itmp[2] = (unsigned char)((i >> 8) & 0xff); ++ itmp[3] = (unsigned char)(i & 0xff); ++ if (!HMAC_CTX_copy(hctx, hctx_tpl)) ++ goto err; ++ if (!HMAC_Update(hctx, salt, saltlen) ++ || !HMAC_Update(hctx, itmp, 4) ++ || !HMAC_Final(hctx, digtmp, NULL)) ++ goto err; ++ memcpy(p, digtmp, cplen); ++ for (j = 1; j < iter; j++) { ++ if (!HMAC_CTX_copy(hctx, hctx_tpl)) ++ goto err; ++ if (!HMAC_Update(hctx, digtmp, mdlen) ++ || !HMAC_Final(hctx, digtmp, NULL)) ++ goto err; ++ for (k = 0; k < cplen; k++) ++ p[k] ^= digtmp[k]; ++ } ++ tkeylen -= cplen; ++ i++; ++ p += cplen; ++ } ++ ret = 1; ++ ++err: ++ HMAC_CTX_free(hctx); ++ HMAC_CTX_free(hctx_tpl); ++ return ret; ++} +Index: openssl-1.1.1n/crypto/kdf/scrypt.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/kdf/scrypt.c ++++ openssl-1.1.1n/crypto/kdf/scrypt.c +@@ -8,25 +8,34 @@ + */ + + #include ++#include + #include +-#include +-#include + #include +-#include "internal/cryptlib.h" ++#include ++#include + #include "crypto/evp.h" ++#include "internal/numbers.h" ++#include "kdf_local.h" + + #ifndef OPENSSL_NO_SCRYPT + ++static void kdf_scrypt_reset(EVP_KDF_IMPL *impl); ++static void kdf_scrypt_init(EVP_KDF_IMPL *impl); + static int atou64(const char *nptr, uint64_t *result); ++static int scrypt_alg(const char *pass, size_t passlen, ++ const unsigned char *salt, size_t saltlen, ++ uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, ++ unsigned char *key, size_t keylen); + +-typedef struct { ++struct evp_kdf_impl_st { + unsigned char *pass; + size_t pass_len; + unsigned char *salt; + size_t salt_len; +- uint64_t N, r, p; ++ uint64_t N; ++ uint32_t r, p; + uint64_t maxmem_bytes; +-} SCRYPT_PKEY_CTX; ++}; + + /* Custom uint64_t parser since we do not have strtoull */ + static int atou64(const char *nptr, uint64_t *result) +@@ -53,51 +62,53 @@ static int atou64(const char *nptr, uint + return 1; + } + +-static int pkey_scrypt_init(EVP_PKEY_CTX *ctx) ++static EVP_KDF_IMPL *kdf_scrypt_new(void) + { +- SCRYPT_PKEY_CTX *kctx; ++ EVP_KDF_IMPL *impl; + +- kctx = OPENSSL_zalloc(sizeof(*kctx)); +- if (kctx == NULL) { +- KDFerr(KDF_F_PKEY_SCRYPT_INIT, ERR_R_MALLOC_FAILURE); +- return 0; ++ impl = OPENSSL_zalloc(sizeof(*impl)); ++ if (impl == NULL) { ++ KDFerr(KDF_F_KDF_SCRYPT_NEW, ERR_R_MALLOC_FAILURE); ++ return NULL; + } ++ kdf_scrypt_init(impl); ++ return impl; ++} + +- /* Default values are the most conservative recommendation given in the +- * original paper of C. Percival. Derivation uses roughly 1 GiB of memory +- * for this parameter choice (approx. 128 * r * (N + p) bytes). +- */ +- kctx->N = 1 << 20; +- kctx->r = 8; +- kctx->p = 1; +- kctx->maxmem_bytes = 1025 * 1024 * 1024; +- +- ctx->data = kctx; +- +- return 1; ++static void kdf_scrypt_free(EVP_KDF_IMPL *impl) ++{ ++ kdf_scrypt_reset(impl); ++ OPENSSL_free(impl); + } + +-static void pkey_scrypt_cleanup(EVP_PKEY_CTX *ctx) ++static void kdf_scrypt_reset(EVP_KDF_IMPL *impl) + { +- SCRYPT_PKEY_CTX *kctx = ctx->data; ++ OPENSSL_free(impl->salt); ++ OPENSSL_clear_free(impl->pass, impl->pass_len); ++ memset(impl, 0, sizeof(*impl)); ++ kdf_scrypt_init(impl); ++} + +- OPENSSL_clear_free(kctx->salt, kctx->salt_len); +- OPENSSL_clear_free(kctx->pass, kctx->pass_len); +- OPENSSL_free(kctx); ++static void kdf_scrypt_init(EVP_KDF_IMPL *impl) ++{ ++ /* Default values are the most conservative recommendation given in the ++ * original paper of C. Percival. Derivation uses roughly 1 GiB of memory ++ * for this parameter choice (approx. 128 * r * N * p bytes). ++ */ ++ impl->N = 1 << 20; ++ impl->r = 8; ++ impl->p = 1; ++ impl->maxmem_bytes = 1025 * 1024 * 1024; + } + +-static int pkey_scrypt_set_membuf(unsigned char **buffer, size_t *buflen, +- const unsigned char *new_buffer, +- const int new_buflen) ++static int scrypt_set_membuf(unsigned char **buffer, size_t *buflen, ++ const unsigned char *new_buffer, ++ size_t new_buflen) + { + if (new_buffer == NULL) + return 1; + +- if (new_buflen < 0) +- return 0; +- +- if (*buffer != NULL) +- OPENSSL_clear_free(*buffer, *buflen); ++ OPENSSL_clear_free(*buffer, *buflen); + + if (new_buflen > 0) { + *buffer = OPENSSL_memdup(new_buffer, new_buflen); +@@ -105,7 +116,7 @@ static int pkey_scrypt_set_membuf(unsign + *buffer = OPENSSL_malloc(1); + } + if (*buffer == NULL) { +- KDFerr(KDF_F_PKEY_SCRYPT_SET_MEMBUF, ERR_R_MALLOC_FAILURE); ++ KDFerr(KDF_F_SCRYPT_SET_MEMBUF, ERR_R_MALLOC_FAILURE); + return 0; + } + +@@ -118,149 +129,378 @@ static int is_power_of_two(uint64_t valu + return (value != 0) && ((value & (value - 1)) == 0); + } + +-static int pkey_scrypt_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) ++static int kdf_scrypt_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) + { +- SCRYPT_PKEY_CTX *kctx = ctx->data; + uint64_t u64_value; ++ uint32_t value; ++ const unsigned char *p; ++ size_t len; ++ ++ switch (cmd) { ++ case EVP_KDF_CTRL_SET_PASS: ++ p = va_arg(args, const unsigned char *); ++ len = va_arg(args, size_t); ++ return scrypt_set_membuf(&impl->pass, &impl->pass_len, p, len); ++ ++ case EVP_KDF_CTRL_SET_SALT: ++ p = va_arg(args, const unsigned char *); ++ len = va_arg(args, size_t); ++ return scrypt_set_membuf(&impl->salt, &impl->salt_len, p, len); + +- switch (type) { +- case EVP_PKEY_CTRL_PASS: +- return pkey_scrypt_set_membuf(&kctx->pass, &kctx->pass_len, p2, p1); +- +- case EVP_PKEY_CTRL_SCRYPT_SALT: +- return pkey_scrypt_set_membuf(&kctx->salt, &kctx->salt_len, p2, p1); +- +- case EVP_PKEY_CTRL_SCRYPT_N: +- u64_value = *((uint64_t *)p2); ++ case EVP_KDF_CTRL_SET_SCRYPT_N: ++ u64_value = va_arg(args, uint64_t); + if ((u64_value <= 1) || !is_power_of_two(u64_value)) + return 0; +- kctx->N = u64_value; ++ ++ impl->N = u64_value; + return 1; + +- case EVP_PKEY_CTRL_SCRYPT_R: +- u64_value = *((uint64_t *)p2); +- if (u64_value < 1) ++ case EVP_KDF_CTRL_SET_SCRYPT_R: ++ value = va_arg(args, uint32_t); ++ if (value < 1) + return 0; +- kctx->r = u64_value; ++ ++ impl->r = value; + return 1; + +- case EVP_PKEY_CTRL_SCRYPT_P: +- u64_value = *((uint64_t *)p2); +- if (u64_value < 1) ++ case EVP_KDF_CTRL_SET_SCRYPT_P: ++ value = va_arg(args, uint32_t); ++ if (value < 1) + return 0; +- kctx->p = u64_value; ++ ++ impl->p = value; + return 1; + +- case EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES: +- u64_value = *((uint64_t *)p2); ++ case EVP_KDF_CTRL_SET_MAXMEM_BYTES: ++ u64_value = va_arg(args, uint64_t); + if (u64_value < 1) + return 0; +- kctx->maxmem_bytes = u64_value; ++ ++ impl->maxmem_bytes = u64_value; + return 1; + + default: + return -2; ++ } ++} + ++static int kdf_scrypt_ctrl_uint32(EVP_KDF_IMPL *impl, int cmd, ++ const char *value) ++{ ++ int int_value = atoi(value); ++ ++ if (int_value < 0 || (uint64_t)int_value > UINT32_MAX) { ++ KDFerr(KDF_F_KDF_SCRYPT_CTRL_UINT32, KDF_R_VALUE_ERROR); ++ return 0; + } ++ return call_ctrl(kdf_scrypt_ctrl, impl, cmd, (uint32_t)int_value); + } + +-static int pkey_scrypt_ctrl_uint64(EVP_PKEY_CTX *ctx, int type, +- const char *value) ++static int kdf_scrypt_ctrl_uint64(EVP_KDF_IMPL *impl, int cmd, ++ const char *value) + { +- uint64_t int_value; ++ uint64_t u64_value; + +- if (!atou64(value, &int_value)) { +- KDFerr(KDF_F_PKEY_SCRYPT_CTRL_UINT64, KDF_R_VALUE_ERROR); ++ if (!atou64(value, &u64_value)) { ++ KDFerr(KDF_F_KDF_SCRYPT_CTRL_UINT64, KDF_R_VALUE_ERROR); + return 0; + } +- return pkey_scrypt_ctrl(ctx, type, 0, &int_value); ++ return call_ctrl(kdf_scrypt_ctrl, impl, cmd, u64_value); + } + +-static int pkey_scrypt_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, +- const char *value) ++static int kdf_scrypt_ctrl_str(EVP_KDF_IMPL *impl, const char *type, ++ const char *value) + { + if (value == NULL) { +- KDFerr(KDF_F_PKEY_SCRYPT_CTRL_STR, KDF_R_VALUE_MISSING); ++ KDFerr(KDF_F_KDF_SCRYPT_CTRL_STR, KDF_R_VALUE_MISSING); + return 0; + } + + if (strcmp(type, "pass") == 0) +- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_PASS, value); ++ return kdf_str2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_PASS, ++ value); + + if (strcmp(type, "hexpass") == 0) +- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_PASS, value); ++ return kdf_hex2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_PASS, ++ value); + + if (strcmp(type, "salt") == 0) +- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_SCRYPT_SALT, value); ++ return kdf_str2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_SALT, ++ value); + + if (strcmp(type, "hexsalt") == 0) +- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_SCRYPT_SALT, value); ++ return kdf_hex2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_SALT, ++ value); + + if (strcmp(type, "N") == 0) +- return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_N, value); ++ return kdf_scrypt_ctrl_uint64(impl, EVP_KDF_CTRL_SET_SCRYPT_N, value); + + if (strcmp(type, "r") == 0) +- return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_R, value); ++ return kdf_scrypt_ctrl_uint32(impl, EVP_KDF_CTRL_SET_SCRYPT_R, value); + + if (strcmp(type, "p") == 0) +- return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_P, value); ++ return kdf_scrypt_ctrl_uint32(impl, EVP_KDF_CTRL_SET_SCRYPT_P, value); + + if (strcmp(type, "maxmem_bytes") == 0) +- return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES, +- value); ++ return kdf_scrypt_ctrl_uint64(impl, EVP_KDF_CTRL_SET_MAXMEM_BYTES, ++ value); + +- KDFerr(KDF_F_PKEY_SCRYPT_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE); + return -2; + } + +-static int pkey_scrypt_derive(EVP_PKEY_CTX *ctx, unsigned char *key, +- size_t *keylen) ++static int kdf_scrypt_derive(EVP_KDF_IMPL *impl, unsigned char *key, ++ size_t keylen) + { +- SCRYPT_PKEY_CTX *kctx = ctx->data; +- +- if (kctx->pass == NULL) { +- KDFerr(KDF_F_PKEY_SCRYPT_DERIVE, KDF_R_MISSING_PASS); ++ if (impl->pass == NULL) { ++ KDFerr(KDF_F_KDF_SCRYPT_DERIVE, KDF_R_MISSING_PASS); + return 0; + } + +- if (kctx->salt == NULL) { +- KDFerr(KDF_F_PKEY_SCRYPT_DERIVE, KDF_R_MISSING_SALT); ++ if (impl->salt == NULL) { ++ KDFerr(KDF_F_KDF_SCRYPT_DERIVE, KDF_R_MISSING_SALT); + return 0; + } + +- return EVP_PBE_scrypt((char *)kctx->pass, kctx->pass_len, kctx->salt, +- kctx->salt_len, kctx->N, kctx->r, kctx->p, +- kctx->maxmem_bytes, key, *keylen); ++ return scrypt_alg((char *)impl->pass, impl->pass_len, impl->salt, ++ impl->salt_len, impl->N, impl->r, impl->p, ++ impl->maxmem_bytes, key, keylen); + } + +-const EVP_PKEY_METHOD scrypt_pkey_meth = { +- EVP_PKEY_SCRYPT, +- 0, +- pkey_scrypt_init, +- 0, +- pkey_scrypt_cleanup, ++const EVP_KDF_METHOD scrypt_kdf_meth = { ++ EVP_KDF_SCRYPT, ++ kdf_scrypt_new, ++ kdf_scrypt_free, ++ kdf_scrypt_reset, ++ kdf_scrypt_ctrl, ++ kdf_scrypt_ctrl_str, ++ NULL, ++ kdf_scrypt_derive ++}; + +- 0, 0, +- 0, 0, ++#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b)))) ++static void salsa208_word_specification(uint32_t inout[16]) ++{ ++ int i; ++ uint32_t x[16]; + +- 0, +- 0, ++ memcpy(x, inout, sizeof(x)); ++ for (i = 8; i > 0; i -= 2) { ++ x[4] ^= R(x[0] + x[12], 7); ++ x[8] ^= R(x[4] + x[0], 9); ++ x[12] ^= R(x[8] + x[4], 13); ++ x[0] ^= R(x[12] + x[8], 18); ++ x[9] ^= R(x[5] + x[1], 7); ++ x[13] ^= R(x[9] + x[5], 9); ++ x[1] ^= R(x[13] + x[9], 13); ++ x[5] ^= R(x[1] + x[13], 18); ++ x[14] ^= R(x[10] + x[6], 7); ++ x[2] ^= R(x[14] + x[10], 9); ++ x[6] ^= R(x[2] + x[14], 13); ++ x[10] ^= R(x[6] + x[2], 18); ++ x[3] ^= R(x[15] + x[11], 7); ++ x[7] ^= R(x[3] + x[15], 9); ++ x[11] ^= R(x[7] + x[3], 13); ++ x[15] ^= R(x[11] + x[7], 18); ++ x[1] ^= R(x[0] + x[3], 7); ++ x[2] ^= R(x[1] + x[0], 9); ++ x[3] ^= R(x[2] + x[1], 13); ++ x[0] ^= R(x[3] + x[2], 18); ++ x[6] ^= R(x[5] + x[4], 7); ++ x[7] ^= R(x[6] + x[5], 9); ++ x[4] ^= R(x[7] + x[6], 13); ++ x[5] ^= R(x[4] + x[7], 18); ++ x[11] ^= R(x[10] + x[9], 7); ++ x[8] ^= R(x[11] + x[10], 9); ++ x[9] ^= R(x[8] + x[11], 13); ++ x[10] ^= R(x[9] + x[8], 18); ++ x[12] ^= R(x[15] + x[14], 7); ++ x[13] ^= R(x[12] + x[15], 9); ++ x[14] ^= R(x[13] + x[12], 13); ++ x[15] ^= R(x[14] + x[13], 18); ++ } ++ for (i = 0; i < 16; ++i) ++ inout[i] += x[i]; ++ OPENSSL_cleanse(x, sizeof(x)); ++} + +- 0, +- 0, ++static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r) ++{ ++ uint64_t i, j; ++ uint32_t X[16], *pB; + +- 0, 0, ++ memcpy(X, B + (r * 2 - 1) * 16, sizeof(X)); ++ pB = B; ++ for (i = 0; i < r * 2; i++) { ++ for (j = 0; j < 16; j++) ++ X[j] ^= *pB++; ++ salsa208_word_specification(X); ++ memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X)); ++ } ++ OPENSSL_cleanse(X, sizeof(X)); ++} + +- 0, 0, 0, 0, ++static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N, ++ uint32_t *X, uint32_t *T, uint32_t *V) ++{ ++ unsigned char *pB; ++ uint32_t *pV; ++ uint64_t i, k; ++ ++ /* Convert from little endian input */ ++ for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) { ++ *pV = *pB++; ++ *pV |= *pB++ << 8; ++ *pV |= *pB++ << 16; ++ *pV |= (uint32_t)*pB++ << 24; ++ } + +- 0, 0, ++ for (i = 1; i < N; i++, pV += 32 * r) ++ scryptBlockMix(pV, pV - 32 * r, r); + +- 0, 0, ++ scryptBlockMix(X, V + (N - 1) * 32 * r, r); + +- 0, +- pkey_scrypt_derive, +- pkey_scrypt_ctrl, +- pkey_scrypt_ctrl_str +-}; ++ for (i = 0; i < N; i++) { ++ uint32_t j; ++ j = X[16 * (2 * r - 1)] % N; ++ pV = V + 32 * r * j; ++ for (k = 0; k < 32 * r; k++) ++ T[k] = X[k] ^ *pV++; ++ scryptBlockMix(X, T, r); ++ } ++ /* Convert output to little endian */ ++ for (i = 0, pB = B; i < 32 * r; i++) { ++ uint32_t xtmp = X[i]; ++ *pB++ = xtmp & 0xff; ++ *pB++ = (xtmp >> 8) & 0xff; ++ *pB++ = (xtmp >> 16) & 0xff; ++ *pB++ = (xtmp >> 24) & 0xff; ++ } ++} ++ ++#ifndef SIZE_MAX ++# define SIZE_MAX ((size_t)-1) ++#endif ++ ++/* ++ * Maximum power of two that will fit in uint64_t: this should work on ++ * most (all?) platforms. ++ */ ++ ++#define LOG2_UINT64_MAX (sizeof(uint64_t) * 8 - 1) ++ ++/* ++ * Maximum value of p * r: ++ * p <= ((2^32-1) * hLen) / MFLen => ++ * p <= ((2^32-1) * 32) / (128 * r) => ++ * p * r <= (2^30-1) ++ */ ++ ++#define SCRYPT_PR_MAX ((1 << 30) - 1) ++ ++static int scrypt_alg(const char *pass, size_t passlen, ++ const unsigned char *salt, size_t saltlen, ++ uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, ++ unsigned char *key, size_t keylen) ++{ ++ int rv = 0; ++ unsigned char *B; ++ uint32_t *X, *V, *T; ++ uint64_t i, Blen, Vlen; ++ ++ /* Sanity check parameters */ ++ /* initial check, r,p must be non zero, N >= 2 and a power of 2 */ ++ if (r == 0 || p == 0 || N < 2 || (N & (N - 1))) ++ return 0; ++ /* Check p * r < SCRYPT_PR_MAX avoiding overflow */ ++ if (p > SCRYPT_PR_MAX / r) { ++ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED); ++ return 0; ++ } ++ ++ /* ++ * Need to check N: if 2^(128 * r / 8) overflows limit this is ++ * automatically satisfied since N <= UINT64_MAX. ++ */ ++ ++ if (16 * r <= LOG2_UINT64_MAX) { ++ if (N >= (((uint64_t)1) << (16 * r))) { ++ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED); ++ return 0; ++ } ++ } ++ ++ /* Memory checks: check total allocated buffer size fits in uint64_t */ ++ ++ /* ++ * B size in section 5 step 1.S ++ * Note: we know p * 128 * r < UINT64_MAX because we already checked ++ * p * r < SCRYPT_PR_MAX ++ */ ++ Blen = p * 128 * r; ++ /* ++ * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would ++ * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.] ++ */ ++ if (Blen > INT_MAX) { ++ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED); ++ return 0; ++ } ++ ++ /* ++ * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t ++ * This is combined size V, X and T (section 4) ++ */ ++ i = UINT64_MAX / (32 * sizeof(uint32_t)); ++ if (N + 2 > i / r) { ++ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED); ++ return 0; ++ } ++ Vlen = 32 * r * (N + 2) * sizeof(uint32_t); ++ ++ /* check total allocated size fits in uint64_t */ ++ if (Blen > UINT64_MAX - Vlen) { ++ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED); ++ return 0; ++ } ++ ++ /* Check that the maximum memory doesn't exceed a size_t limits */ ++ if (maxmem > SIZE_MAX) ++ maxmem = SIZE_MAX; ++ ++ if (Blen + Vlen > maxmem) { ++ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED); ++ return 0; ++ } ++ ++ /* If no key return to indicate parameters are OK */ ++ if (key == NULL) ++ return 1; ++ ++ B = OPENSSL_malloc((size_t)(Blen + Vlen)); ++ if (B == NULL) { ++ EVPerr(EVP_F_SCRYPT_ALG, ERR_R_MALLOC_FAILURE); ++ return 0; ++ } ++ X = (uint32_t *)(B + Blen); ++ T = X + 32 * r; ++ V = T + 32 * r; ++ if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, EVP_sha256(), ++ (int)Blen, B) == 0) ++ goto err; ++ ++ for (i = 0; i < p; i++) ++ scryptROMix(B + 128 * r * i, r, N, X, T, V); ++ ++ if (PKCS5_PBKDF2_HMAC(pass, passlen, B, (int)Blen, 1, EVP_sha256(), ++ keylen, key) == 0) ++ goto err; ++ rv = 1; ++ err: ++ if (rv == 0) ++ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_PBKDF2_ERROR); ++ ++ OPENSSL_clear_free(B, (size_t)(Blen + Vlen)); ++ return rv; ++} + + #endif +Index: openssl-1.1.1n/crypto/kdf/tls1_prf.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/kdf/tls1_prf.c ++++ openssl-1.1.1n/crypto/kdf/tls1_prf.c +@@ -8,11 +8,15 @@ + */ + + #include ++#include ++#include + #include "internal/cryptlib.h" +-#include + #include ++#include + #include "crypto/evp.h" ++#include "kdf_local.h" + ++static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl); + static int tls1_prf_alg(const EVP_MD *md, + const unsigned char *sec, size_t slen, + const unsigned char *seed, size_t seed_len, +@@ -20,9 +24,9 @@ static int tls1_prf_alg(const EVP_MD *md + + #define TLS1_PRF_MAXBUF 1024 + +-/* TLS KDF pkey context structure */ ++/* TLS KDF kdf context structure */ + +-typedef struct { ++struct evp_kdf_impl_st { + /* Digest to use for PRF */ + const EVP_MD *md; + /* Secret value to use for PRF */ +@@ -31,145 +35,137 @@ typedef struct { + /* Buffer of concatenated seed data */ + unsigned char seed[TLS1_PRF_MAXBUF]; + size_t seedlen; +-} TLS1_PRF_PKEY_CTX; ++}; + +-static int pkey_tls1_prf_init(EVP_PKEY_CTX *ctx) ++static EVP_KDF_IMPL *kdf_tls1_prf_new(void) + { +- TLS1_PRF_PKEY_CTX *kctx; ++ EVP_KDF_IMPL *impl; + +- if ((kctx = OPENSSL_zalloc(sizeof(*kctx))) == NULL) { +- KDFerr(KDF_F_PKEY_TLS1_PRF_INIT, ERR_R_MALLOC_FAILURE); +- return 0; +- } +- ctx->data = kctx; ++ if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL) ++ KDFerr(KDF_F_KDF_TLS1_PRF_NEW, ERR_R_MALLOC_FAILURE); ++ return impl; ++} + +- return 1; ++static void kdf_tls1_prf_free(EVP_KDF_IMPL *impl) ++{ ++ kdf_tls1_prf_reset(impl); ++ OPENSSL_free(impl); + } + +-static void pkey_tls1_prf_cleanup(EVP_PKEY_CTX *ctx) ++static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl) + { +- TLS1_PRF_PKEY_CTX *kctx = ctx->data; +- OPENSSL_clear_free(kctx->sec, kctx->seclen); +- OPENSSL_cleanse(kctx->seed, kctx->seedlen); +- OPENSSL_free(kctx); ++ OPENSSL_clear_free(impl->sec, impl->seclen); ++ OPENSSL_cleanse(impl->seed, impl->seedlen); ++ memset(impl, 0, sizeof(*impl)); + } + +-static int pkey_tls1_prf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) ++static int kdf_tls1_prf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) + { +- TLS1_PRF_PKEY_CTX *kctx = ctx->data; +- switch (type) { +- case EVP_PKEY_CTRL_TLS_MD: +- kctx->md = p2; +- return 1; ++ const unsigned char *p; ++ size_t len; ++ const EVP_MD *md; + +- case EVP_PKEY_CTRL_TLS_SECRET: +- if (p1 < 0) ++ switch (cmd) { ++ case EVP_KDF_CTRL_SET_MD: ++ md = va_arg(args, const EVP_MD *); ++ if (md == NULL) + return 0; +- if (kctx->sec != NULL) +- OPENSSL_clear_free(kctx->sec, kctx->seclen); +- OPENSSL_cleanse(kctx->seed, kctx->seedlen); +- kctx->seedlen = 0; +- kctx->sec = OPENSSL_memdup(p2, p1); +- if (kctx->sec == NULL) ++ ++ impl->md = md; ++ return 1; ++ ++ case EVP_KDF_CTRL_SET_TLS_SECRET: ++ p = va_arg(args, const unsigned char *); ++ len = va_arg(args, size_t); ++ OPENSSL_clear_free(impl->sec, impl->seclen); ++ impl->sec = OPENSSL_memdup(p, len); ++ if (impl->sec == NULL) + return 0; +- kctx->seclen = p1; ++ ++ impl->seclen = len; + return 1; + +- case EVP_PKEY_CTRL_TLS_SEED: +- if (p1 == 0 || p2 == NULL) ++ case EVP_KDF_CTRL_RESET_TLS_SEED: ++ OPENSSL_cleanse(impl->seed, impl->seedlen); ++ impl->seedlen = 0; ++ return 1; ++ ++ case EVP_KDF_CTRL_ADD_TLS_SEED: ++ p = va_arg(args, const unsigned char *); ++ len = va_arg(args, size_t); ++ if (len == 0 || p == NULL) + return 1; +- if (p1 < 0 || p1 > (int)(TLS1_PRF_MAXBUF - kctx->seedlen)) ++ ++ if (len > (TLS1_PRF_MAXBUF - impl->seedlen)) + return 0; +- memcpy(kctx->seed + kctx->seedlen, p2, p1); +- kctx->seedlen += p1; ++ ++ memcpy(impl->seed + impl->seedlen, p, len); ++ impl->seedlen += len; + return 1; + + default: + return -2; +- + } + } + +-static int pkey_tls1_prf_ctrl_str(EVP_PKEY_CTX *ctx, +- const char *type, const char *value) ++static int kdf_tls1_prf_ctrl_str(EVP_KDF_IMPL *impl, ++ const char *type, const char *value) + { + if (value == NULL) { +- KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR, KDF_R_VALUE_MISSING); ++ KDFerr(KDF_F_KDF_TLS1_PRF_CTRL_STR, KDF_R_VALUE_MISSING); + return 0; + } +- if (strcmp(type, "md") == 0) { +- TLS1_PRF_PKEY_CTX *kctx = ctx->data; ++ if (strcmp(type, "digest") == 0) ++ return kdf_md2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_SET_MD, value); + +- const EVP_MD *md = EVP_get_digestbyname(value); +- if (md == NULL) { +- KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR, KDF_R_INVALID_DIGEST); +- return 0; +- } +- kctx->md = md; +- return 1; +- } + if (strcmp(type, "secret") == 0) +- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_TLS_SECRET, value); ++ return kdf_str2ctrl(impl, kdf_tls1_prf_ctrl, ++ EVP_KDF_CTRL_SET_TLS_SECRET, value); ++ + if (strcmp(type, "hexsecret") == 0) +- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_TLS_SECRET, value); ++ return kdf_hex2ctrl(impl, kdf_tls1_prf_ctrl, ++ EVP_KDF_CTRL_SET_TLS_SECRET, value); ++ + if (strcmp(type, "seed") == 0) +- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_TLS_SEED, value); ++ return kdf_str2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_ADD_TLS_SEED, ++ value); ++ + if (strcmp(type, "hexseed") == 0) +- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_TLS_SEED, value); ++ return kdf_hex2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_ADD_TLS_SEED, ++ value); + +- KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE); + return -2; + } + +-static int pkey_tls1_prf_derive(EVP_PKEY_CTX *ctx, unsigned char *key, +- size_t *keylen) ++static int kdf_tls1_prf_derive(EVP_KDF_IMPL *impl, unsigned char *key, ++ size_t keylen) + { +- TLS1_PRF_PKEY_CTX *kctx = ctx->data; +- if (kctx->md == NULL) { +- KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); ++ if (impl->md == NULL) { ++ KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); + return 0; + } +- if (kctx->sec == NULL) { +- KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_SECRET); ++ if (impl->sec == NULL) { ++ KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SECRET); + return 0; + } +- if (kctx->seedlen == 0) { +- KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED); ++ if (impl->seedlen == 0) { ++ KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED); + return 0; + } +- return tls1_prf_alg(kctx->md, kctx->sec, kctx->seclen, +- kctx->seed, kctx->seedlen, +- key, *keylen); ++ return tls1_prf_alg(impl->md, impl->sec, impl->seclen, ++ impl->seed, impl->seedlen, ++ key, keylen); + } + +-const EVP_PKEY_METHOD tls1_prf_pkey_meth = { +- EVP_PKEY_TLS1_PRF, +- 0, +- pkey_tls1_prf_init, +- 0, +- pkey_tls1_prf_cleanup, +- +- 0, 0, +- 0, 0, +- +- 0, +- 0, +- +- 0, +- 0, +- +- 0, 0, +- +- 0, 0, 0, 0, +- +- 0, 0, +- +- 0, 0, +- +- 0, +- pkey_tls1_prf_derive, +- pkey_tls1_prf_ctrl, +- pkey_tls1_prf_ctrl_str ++const EVP_KDF_METHOD tls1_prf_kdf_meth = { ++ EVP_KDF_TLS1_PRF, ++ kdf_tls1_prf_new, ++ kdf_tls1_prf_free, ++ kdf_tls1_prf_reset, ++ kdf_tls1_prf_ctrl, ++ kdf_tls1_prf_ctrl_str, ++ NULL, ++ kdf_tls1_prf_derive + }; + + static int tls1_prf_P_hash(const EVP_MD *md, +@@ -249,12 +245,11 @@ static int tls1_prf_alg(const EVP_MD *md + const unsigned char *seed, size_t seed_len, + unsigned char *out, size_t olen) + { +- + if (EVP_MD_type(md) == NID_md5_sha1) { + size_t i; + unsigned char *tmp; + if (!tls1_prf_P_hash(EVP_md5(), sec, slen/2 + (slen & 1), +- seed, seed_len, out, olen)) ++ seed, seed_len, out, olen)) + return 0; + + if ((tmp = OPENSSL_malloc(olen)) == NULL) { +@@ -262,7 +257,7 @@ static int tls1_prf_alg(const EVP_MD *md + return 0; + } + if (!tls1_prf_P_hash(EVP_sha1(), sec + slen/2, slen/2 + (slen & 1), +- seed, seed_len, tmp, olen)) { ++ seed, seed_len, tmp, olen)) { + OPENSSL_clear_free(tmp, olen); + return 0; + } +Index: openssl-1.1.1n/doc/man3/EVP_KDF_CTX.pod +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/doc/man3/EVP_KDF_CTX.pod +@@ -0,0 +1,217 @@ ++=pod ++ ++=head1 NAME ++ ++EVP_KDF_CTX, EVP_KDF_CTX_new_id, EVP_KDF_CTX_free, EVP_KDF_reset, ++EVP_KDF_ctrl, EVP_KDF_vctrl, EVP_KDF_ctrl_str, EVP_KDF_size, ++EVP_KDF_derive - EVP KDF routines ++ ++=head1 SYNOPSIS ++ ++ #include ++ ++ typedef struct evp_kdf_ctx_st EVP_KDF_CTX; ++ ++ EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id); ++ void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx); ++ void EVP_KDF_reset(EVP_KDF_CTX *ctx); ++ int EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...); ++ int EVP_KDF_vctrl(EVP_KDF_CTX *ctx, int cmd, va_list args); ++ int EVP_KDF_ctrl_str(EVP_KDF_CTX *ctx, const char *type, const char *value); ++ size_t EVP_KDF_size(EVP_KDF_CTX *ctx); ++ int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen); ++ ++=head1 DESCRIPTION ++ ++The EVP KDF routines are a high level interface to Key Derivation Function ++algorithms and should be used instead of algorithm-specific functions. ++ ++After creating a C for the required algorithm using ++EVP_KDF_CTX_new_id(), inputs to the algorithm are supplied using calls to ++EVP_KDF_ctrl(), EVP_KDF_vctrl() or EVP_KDF_ctrl_str() before calling ++EVP_KDF_derive() to derive the key. ++ ++=head2 Types ++ ++B is a context type that holds the algorithm inputs. ++ ++=head2 Context manipulation functions ++ ++EVP_KDF_CTX_new_id() creates a KDF context for the algorithm identified by the ++specified NID. ++ ++EVP_KDF_CTX_free() frees up the context C. If C is C, nothing ++is done. ++ ++=head2 Computing functions ++ ++EVP_KDF_reset() resets the context to the default state as if the context ++had just been created. ++ ++EVP_KDF_ctrl() is used to provide inputs to the KDF algorithm prior to ++EVP_KDF_derive() being called. The inputs that may be provided will vary ++depending on the KDF algorithm or its implementation. This functions takes ++variable arguments, the exact expected arguments depend on C. ++See L below for a description of standard controls. ++ ++EVP_KDF_vctrl() is the variant of EVP_KDF_ctrl() that takes a C ++argument instead of variadic arguments. ++ ++EVP_KDF_ctrl_str() allows an application to send an algorithm specific control ++operation to a context C in string form. This is intended to be used for ++options specified on the command line or in text files. ++ ++EVP_KDF_size() returns the output size if the algorithm produces a fixed amount ++of output and C otherwise. If an error occurs then 0 is returned. ++For some algorithms an error may result if input parameters necessary to ++calculate a fixed output size have not yet been supplied. ++ ++EVP_KDF_derive() derives C bytes of key material and places it in the ++C buffer. If the algorithm produces a fixed amount of output then an ++error will occur unless the C parameter is equal to that output size, ++as returned by EVP_KDF_size(). ++ ++=head1 CONTROLS ++ ++The standard controls are: ++ ++=over 4 ++ ++=item B ++ ++This control expects two arguments: C, C ++ ++Some KDF implementations require a password. For those KDF implementations ++that support it, this control sets the password. ++ ++EVP_KDF_ctrl_str() takes two type strings for this control: ++ ++=over 4 ++ ++=item "pass" ++ ++The value string is used as is. ++ ++=item "hexpass" ++ ++The value string is expected to be a hexadecimal number, which will be ++decoded before being passed on as the control value. ++ ++=back ++ ++=item B ++ ++This control expects two arguments: C, C ++ ++Some KDF implementations can take a salt. For those KDF implementations that ++support it, this control sets the salt. ++ ++The default value, if any, is implementation dependent. ++ ++EVP_KDF_ctrl_str() takes two type strings for this control: ++ ++=over 4 ++ ++=item "salt" ++ ++The value string is used as is. ++ ++=item "hexsalt" ++ ++The value string is expected to be a hexadecimal number, which will be ++decoded before being passed on as the control value. ++ ++=back ++ ++=item B ++ ++This control expects one argument: C ++ ++Some KDF implementations require an iteration count. For those KDF implementations that support it, this control sets the iteration count. ++ ++The default value, if any, is implementation dependent. ++ ++EVP_KDF_ctrl_str() type string: "iter" ++ ++The value string is expected to be a decimal number. ++ ++=item B ++ ++This control expects one argument: C ++ ++For MAC implementations that use a message digest as an underlying computation ++algorithm, this control set what the digest algorithm should be. ++ ++EVP_KDF_ctrl_str() type string: "md" ++ ++The value string is expected to be the name of a digest. ++ ++=item B ++ ++This control expects two arguments: C, C ++ ++Some KDF implementations require a key. For those KDF implementations that ++support it, this control sets the key. ++ ++EVP_KDF_ctrl_str() takes two type strings for this control: ++ ++=over 4 ++ ++=item "key" ++ ++The value string is used as is. ++ ++=item "hexkey" ++ ++The value string is expected to be a hexadecimal number, which will be ++decoded before being passed on as the control value. ++ ++=back ++ ++=item B ++ ++This control expects one argument: C ++ ++Memory-hard password-based KDF algorithms, such as scrypt, use an amount of ++memory that depends on the load factors provided as input. For those KDF ++implementations that support it, this control sets an upper limit on the amount ++of memory that may be consumed while performing a key derivation. If this ++memory usage limit is exceeded because the load factors are chosen too high, ++the key derivation will fail. ++ ++The default value is implementation dependent. ++ ++EVP_KDF_ctrl_str() type string: "maxmem_bytes" ++ ++The value string is expected to be a decimal number. ++ ++=back ++ ++=head1 RETURN VALUES ++ ++EVP_KDF_CTX_new_id() returns either the newly allocated C ++structure or C if an error occurred. ++ ++EVP_KDF_CTX_free() and EVP_KDF_reset() do not return a value. ++ ++EVP_KDF_size() returns the output size. C is returned to indicate ++that the algorithm produces a variable amount of output; 0 to indicate failure. ++ ++The remaining functions return 1 for success and 0 or a negative value for ++failure. In particular, a return value of -2 indicates the operation is not ++supported by the KDF algorithm. ++ ++=head1 SEE ALSO ++ ++L ++ ++=head1 COPYRIGHT ++ ++Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. ++ ++Licensed under the Apache License 2.0 (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut +Index: openssl-1.1.1n/doc/man7/EVP_KDF_HKDF.pod +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/doc/man7/EVP_KDF_HKDF.pod +@@ -0,0 +1,180 @@ ++=pod ++ ++=head1 NAME ++ ++EVP_KDF_HKDF - The HKDF EVP_KDF implementation ++ ++=head1 DESCRIPTION ++ ++Support for computing the B KDF through the B API. ++ ++The EVP_KDF_HKDF algorithm implements the HKDF key derivation function. ++HKDF follows the "extract-then-expand" paradigm, where the KDF logically ++consists of two modules. The first stage takes the input keying material ++and "extracts" from it a fixed-length pseudorandom key K. The second stage ++"expands" the key K into several additional pseudorandom keys (the output ++of the KDF). ++ ++=head2 Numeric identity ++ ++B is the numeric identity for this implementation; it ++can be used with the EVP_KDF_CTX_new_id() function. ++ ++=head2 Supported controls ++ ++The supported controls are: ++ ++=over 4 ++ ++=item B ++ ++=item B ++ ++=item B ++ ++These controls work as described in L. ++ ++=item B ++ ++This control does not expect any arguments. ++ ++Resets the context info buffer to zero length. ++ ++=item B ++ ++This control expects two arguments: C, C ++ ++Sets the info value to the first B bytes of the buffer B. If a ++value is already set, the contents of the buffer are appended to the existing ++value. ++ ++The total length of the context info buffer cannot exceed 1024 bytes; ++this should be more than enough for any normal use of HKDF. ++ ++EVP_KDF_ctrl_str() takes two type strings for this control: ++ ++=over 4 ++ ++=item "info" ++ ++The value string is used as is. ++ ++=item "hexinfo" ++ ++The value string is expected to be a hexadecimal number, which will be ++decoded before being passed on as the control value. ++ ++=back ++ ++=item B ++ ++This control expects one argument: C ++ ++Sets the mode for the HKDF operation. There are three modes that are currently ++defined: ++ ++=over 4 ++ ++=item EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND ++ ++This is the default mode. Calling L on an EVP_KDF_CTX set ++up for HKDF will perform an extract followed by an expand operation in one go. ++The derived key returned will be the result after the expand operation. The ++intermediate fixed-length pseudorandom key K is not returned. ++ ++In this mode the digest, key, salt and info values must be set before a key is ++derived otherwise an error will occur. ++ ++=item EVP_KDF_HKDF_MODE_EXTRACT_ONLY ++ ++In this mode calling L will just perform the extract ++operation. The value returned will be the intermediate fixed-length pseudorandom ++key K. The C parameter must match the size of K, which can be looked ++up by calling EVP_KDF_size() after setting the mode and digest. ++ ++The digest, key and salt values must be set before a key is derived otherwise ++an error will occur. ++ ++=item EVP_KDF_HKDF_MODE_EXPAND_ONLY ++ ++In this mode calling L will just perform the expand ++operation. The input key should be set to the intermediate fixed-length ++pseudorandom key K returned from a previous extract operation. ++ ++The digest, key and info values must be set before a key is derived otherwise ++an error will occur. ++ ++=back ++ ++EVP_KDF_ctrl_str() type string: "mode" ++ ++The value string is expected to be one of: "EXTRACT_AND_EXPAND", "EXTRACT_ONLY" ++or "EXPAND_ONLY". ++ ++=back ++ ++=head1 NOTES ++ ++A context for HKDF can be obtained by calling: ++ ++ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF); ++ ++The output length of an HKDF expand operation is specified via the C ++parameter to the L function. When using ++EVP_KDF_HKDF_MODE_EXTRACT_ONLY the C parameter must equal the size of ++the intermediate fixed-length pseudorandom key otherwise an error will occur. ++For that mode, the fixed output size can be looked up by calling EVP_KDF_size() ++after setting the mode and digest on the C. ++ ++=head1 EXAMPLE ++ ++This example derives 10 bytes using SHA-256 with the secret key "secret", ++salt value "salt" and info value "label": ++ ++ EVP_KDF_CTX *kctx; ++ unsigned char out[10]; ++ ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF); ++ ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ error("EVP_KDF_CTRL_SET_MD"); ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) { ++ error("EVP_KDF_CTRL_SET_SALT"); ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) { ++ error("EVP_KDF_CTRL_SET_KEY"); ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO, "label", (size_t)5) <= 0) { ++ error("EVP_KDF_CTRL_ADD_HKDF_INFO"); ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { ++ error("EVP_KDF_derive"); ++ } ++ ++ EVP_KDF_CTX_free(kctx); ++ ++=head1 CONFORMING TO ++ ++RFC 5869 ++ ++=head1 SEE ALSO ++ ++L, ++L, ++L, ++L, ++L, ++L, ++L ++ ++=head1 COPYRIGHT ++ ++Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. ++ ++Licensed under the Apache License 2.0 (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut +Index: openssl-1.1.1n/doc/man7/EVP_KDF_PBKDF2.pod +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/doc/man7/EVP_KDF_PBKDF2.pod +@@ -0,0 +1,78 @@ ++=pod ++ ++=head1 NAME ++ ++EVP_KDF_PBKDF2 - The PBKDF2 EVP_KDF implementation ++ ++=head1 DESCRIPTION ++ ++Support for computing the B password-based KDF through the B ++API. ++ ++The EVP_KDF_PBKDF2 algorithm implements the PBKDF2 password-based key ++derivation function, as described in RFC 2898; it derives a key from a password ++using a salt and iteration count. ++ ++=head2 Numeric identity ++ ++B is the numeric identity for this implementation; it ++can be used with the EVP_KDF_CTX_new_id() function. ++ ++=head2 Supported controls ++ ++The supported controls are: ++ ++=over 4 ++ ++=item B ++ ++=item B ++ ++=item B ++ ++=item B ++ ++These controls work as described in L. ++ ++B is the iteration count and its value should be greater than or equal to ++1. RFC 2898 suggests an iteration count of at least 1000. The default value is ++2048. Any B less than 1 is treated as a single iteration. ++ ++=back ++ ++=head1 NOTES ++ ++A typical application of this algorithm is to derive keying material for an ++encryption algorithm from a password in the B, a salt in B, ++and an iteration count. ++ ++Increasing the B parameter slows down the algorithm which makes it ++harder for an attacker to perform a brute force attack using a large number ++of candidate passwords. ++ ++No assumption is made regarding the given password; it is simply treated as a ++byte sequence. ++ ++=head1 CONFORMING TO ++ ++RFC 2898 ++ ++=head1 SEE ALSO ++ ++L, ++L, ++L, ++L, ++L, ++L ++ ++=head1 COPYRIGHT ++ ++Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. ++ ++Licensed under the Apache License 2.0 (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut +Index: openssl-1.1.1n/doc/man7/EVP_KDF_SCRYPT.pod +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/doc/man7/EVP_KDF_SCRYPT.pod +@@ -0,0 +1,149 @@ ++=pod ++ ++=head1 NAME ++ ++EVP_KDF_SCRYPT - The scrypt EVP_KDF implementation ++ ++=head1 DESCRIPTION ++ ++Support for computing the B password-based KDF through the B ++API. ++ ++The EVP_KDF_SCRYPT algorithm implements the scrypt password-based key ++derivation function, as described in RFC 7914. It is memory-hard in the sense ++that it deliberately requires a significant amount of RAM for efficient ++computation. The intention of this is to render brute forcing of passwords on ++systems that lack large amounts of main memory (such as GPUs or ASICs) ++computationally infeasible. ++ ++scrypt provides three work factors that can be customized: N, r and p. N, which ++has to be a positive power of two, is the general work factor and scales CPU ++time in an approximately linear fashion. r is the block size of the internally ++used hash function and p is the parallelization factor. Both r and p need to be ++greater than zero. The amount of RAM that scrypt requires for its computation ++is roughly (128 * N * r * p) bytes. ++ ++In the original paper of Colin Percival ("Stronger Key Derivation via ++Sequential Memory-Hard Functions", 2009), the suggested values that give a ++computation time of less than 5 seconds on a 2.5 GHz Intel Core 2 Duo are N = ++2^20 = 1048576, r = 8, p = 1. Consequently, the required amount of memory for ++this computation is roughly 1 GiB. On a more recent CPU (Intel i7-5930K at 3.5 ++GHz), this computation takes about 3 seconds. When N, r or p are not specified, ++they default to 1048576, 8, and 1, respectively. The maximum amount of RAM that ++may be used by scrypt defaults to 1025 MiB. ++ ++=head2 Numeric identity ++ ++B is the numeric identity for this implementation; it ++can be used with the EVP_KDF_CTX_new_id() function. ++ ++=head2 Supported controls ++ ++The supported controls are: ++ ++=over 4 ++ ++=item B ++ ++=item B ++ ++These controls work as described in L. ++ ++=item B ++ ++=item B ++ ++=item B ++ ++B expects one argument: C ++ ++B expects one argument: C ++ ++B expects one argument: C ++ ++These controls configure the scrypt work factors N, r and p. ++ ++EVP_KDF_ctrl_str() type strings: "N", "r" and "p", respectively. ++ ++The corresponding value strings are expected to be decimal numbers. ++ ++=back ++ ++=head1 NOTES ++ ++A context for scrypt can be obtained by calling: ++ ++ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT); ++ ++The output length of an scrypt key derivation is specified via the ++B parameter to the L function. ++ ++=head1 EXAMPLE ++ ++This example derives a 64-byte long test vector using scrypt with the password ++"password", salt "NaCl" and N = 1024, r = 8, p = 16. ++ ++ EVP_KDF_CTX *kctx; ++ unsigned char out[64]; ++ ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT); ++ ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) { ++ error("EVP_KDF_CTRL_SET_PASS"); ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "NaCl", (size_t)4) <= 0) { ++ error("EVP_KDF_CTRL_SET_SALT"); ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N, (uint64_t)1024) <= 0) { ++ error("EVP_KDF_CTRL_SET_SCRYPT_N"); ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R, (uint32_t)8) <= 0) { ++ error("EVP_KDF_CTRL_SET_SCRYPT_R"); ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P, (uint32_t)16) <= 0) { ++ error("EVP_KDF_CTRL_SET_SCRYPT_P"); ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { ++ error("EVP_KDF_derive"); ++ } ++ ++ { ++ const unsigned char expected[sizeof(out)] = { ++ 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00, ++ 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe, ++ 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30, ++ 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62, ++ 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88, ++ 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda, ++ 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d, ++ 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40 ++ }; ++ ++ assert(!memcmp(out, expected, sizeof(out))); ++ } ++ ++ EVP_KDF_CTX_free(kctx); ++ ++=head1 CONFORMING TO ++ ++RFC 7914 ++ ++=head1 SEE ALSO ++ ++L, ++L, ++L, ++L, ++L, ++L ++ ++=head1 COPYRIGHT ++ ++Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. ++ ++Licensed under the OpenSSL license (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut +Index: openssl-1.1.1n/doc/man7/EVP_KDF_TLS1_PRF.pod +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/doc/man7/EVP_KDF_TLS1_PRF.pod +@@ -0,0 +1,142 @@ ++=pod ++ ++=head1 NAME ++ ++EVP_KDF_TLS1_PRF - The TLS1 PRF EVP_KDF implementation ++ ++=head1 DESCRIPTION ++ ++Support for computing the B PRF through the B API. ++ ++The EVP_KDF_TLS1_PRF algorithm implements the PRF used by TLS versions up to ++and including TLS 1.2. ++ ++=head2 Numeric identity ++ ++B is the numeric identity for this implementation; it ++can be used with the EVP_KDF_CTX_new_id() function. ++ ++=head2 Supported controls ++ ++The supported controls are: ++ ++=over 4 ++ ++=item B ++ ++This control works as described in L. ++ ++The C control is used to set the message digest associated ++with the TLS PRF. EVP_md5_sha1() is treated as a special case which uses the ++PRF algorithm using both B and B as used in TLS 1.0 and 1.1. ++ ++=item B ++ ++This control expects two arguments: C, C ++ ++Sets the secret value of the TLS PRF to B bytes of the buffer B. ++Any existing secret value is replaced. ++ ++EVP_KDF_ctrl_str() takes two type strings for this control: ++ ++=over 4 ++ ++=item "secret" ++ ++The value string is used as is. ++ ++=item "hexsecret" ++ ++The value string is expected to be a hexadecimal number, which will be ++decoded before being passed on as the control value. ++ ++=back ++ ++=item B ++ ++This control does not expect any arguments. ++ ++Resets the context seed buffer to zero length. ++ ++=item B ++ ++This control expects two arguments: C, C ++ ++Sets the seed to B bytes of B. If a seed is already set it is ++appended to the existing value. ++ ++The total length of the context seed buffer cannot exceed 1024 bytes; ++this should be more than enough for any normal use of the TLS PRF. ++ ++EVP_KDF_ctrl_str() takes two type strings for this control: ++ ++=over 4 ++ ++=item "seed" ++ ++The value string is used as is. ++ ++=item "hexseed" ++ ++The value string is expected to be a hexadecimal number, which will be ++decoded before being passed on as the control value. ++ ++=back ++ ++=back ++ ++=head1 NOTES ++ ++A context for the TLS PRF can be obtained by calling: ++ ++ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF, NULL); ++ ++The digest, secret value and seed must be set before a key is derived otherwise ++an error will occur. ++ ++The output length of the PRF is specified by the C parameter to the ++EVP_KDF_derive() function. ++ ++=head1 EXAMPLE ++ ++This example derives 10 bytes using SHA-256 with the secret key "secret" ++and seed value "seed": ++ ++ EVP_KDF_CTX *kctx; ++ unsigned char out[10]; ++ ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF); ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ error("EVP_KDF_CTRL_SET_MD"); ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET, ++ "secret", (size_t)6) <= 0) { ++ error("EVP_KDF_CTRL_SET_TLS_SECRET"); ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0) { ++ error("EVP_KDF_CTRL_ADD_TLS_SEED"); ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { ++ error("EVP_KDF_derive"); ++ } ++ EVP_KDF_CTX_free(kctx); ++ ++=head1 SEE ALSO ++ ++L, ++L, ++L, ++L, ++L, ++L ++ ++=head1 COPYRIGHT ++ ++Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. ++ ++Licensed under the Apache License 2.0 (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut +Index: openssl-1.1.1n/include/openssl/evperr.h +=================================================================== +--- openssl-1.1.1n.orig/include/openssl/evperr.h ++++ openssl-1.1.1n/include/openssl/evperr.h +@@ -56,6 +56,9 @@ int ERR_load_EVP_strings(void); + # define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219 + # define EVP_F_EVP_ENCRYPTFINAL_EX 127 + # define EVP_F_EVP_ENCRYPTUPDATE 167 ++# define EVP_F_EVP_KDF_CTRL 224 ++# define EVP_F_EVP_KDF_CTRL_STR 225 ++# define EVP_F_EVP_KDF_CTX_NEW_ID 226 + # define EVP_F_EVP_MD_CTX_COPY_EX 110 + # define EVP_F_EVP_MD_SIZE 162 + # define EVP_F_EVP_OPENINIT 102 +@@ -118,11 +121,13 @@ int ERR_load_EVP_strings(void); + # define EVP_F_PKCS5_V2_PBE_KEYIVGEN 118 + # define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN 164 + # define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN 180 ++# define EVP_F_PKEY_KDF_CTRL 227 + # define EVP_F_PKEY_SET_TYPE 158 + # define EVP_F_RC2_MAGIC_TO_METH 109 + # define EVP_F_RC5_CTRL 125 + # define EVP_F_R_32_12_16_INIT_KEY 242 + # define EVP_F_S390X_AES_GCM_CTRL 201 ++# define EVP_F_SCRYPT_ALG 228 + # define EVP_F_UPDATE 173 + + /* +@@ -179,6 +184,7 @@ int ERR_load_EVP_strings(void); + # define EVP_R_ONLY_ONESHOT_SUPPORTED 177 + # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 + # define EVP_R_OPERATON_NOT_INITIALIZED 151 ++# define EVP_R_PARAMETER_TOO_LARGE 187 + # define EVP_R_OUTPUT_WOULD_OVERFLOW 184 + # define EVP_R_PARTIALLY_OVERLAPPING 162 + # define EVP_R_PBKDF2_ERROR 181 +Index: openssl-1.1.1n/include/openssl/kdferr.h +=================================================================== +--- openssl-1.1.1n.orig/include/openssl/kdferr.h ++++ openssl-1.1.1n/include/openssl/kdferr.h +@@ -23,6 +23,23 @@ int ERR_load_KDF_strings(void); + /* + * KDF function codes. + */ ++# define KDF_F_HKDF_EXTRACT 112 ++# define KDF_F_KDF_HKDF_DERIVE 113 ++# define KDF_F_KDF_HKDF_NEW 114 ++# define KDF_F_KDF_HKDF_SIZE 115 ++# define KDF_F_KDF_MD2CTRL 116 ++# define KDF_F_KDF_PBKDF2_CTRL_STR 117 ++# define KDF_F_KDF_PBKDF2_DERIVE 118 ++# define KDF_F_KDF_PBKDF2_NEW 119 ++# define KDF_F_KDF_SCRYPT_CTRL_STR 120 ++# define KDF_F_KDF_SCRYPT_CTRL_UINT32 121 ++# define KDF_F_KDF_SCRYPT_CTRL_UINT64 122 ++# define KDF_F_KDF_SCRYPT_DERIVE 123 ++# define KDF_F_KDF_SCRYPT_NEW 124 ++# define KDF_F_KDF_TLS1_PRF_CTRL_STR 125 ++# define KDF_F_KDF_TLS1_PRF_DERIVE 126 ++# define KDF_F_KDF_TLS1_PRF_NEW 127 ++# define KDF_F_PBKDF2_SET_MEMBUF 128 + # define KDF_F_PKEY_HKDF_CTRL_STR 103 + # define KDF_F_PKEY_HKDF_DERIVE 102 + # define KDF_F_PKEY_HKDF_INIT 108 +@@ -34,6 +51,7 @@ int ERR_load_KDF_strings(void); + # define KDF_F_PKEY_TLS1_PRF_CTRL_STR 100 + # define KDF_F_PKEY_TLS1_PRF_DERIVE 101 + # define KDF_F_PKEY_TLS1_PRF_INIT 110 ++# define KDF_F_SCRYPT_SET_MEMBUF 129 + # define KDF_F_TLS1_PRF_ALG 111 + + /* +@@ -51,5 +69,6 @@ int ERR_load_KDF_strings(void); + # define KDF_R_UNKNOWN_PARAMETER_TYPE 103 + # define KDF_R_VALUE_ERROR 108 + # define KDF_R_VALUE_MISSING 102 ++# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112 + + #endif +Index: openssl-1.1.1n/include/openssl/kdf.h +=================================================================== +--- openssl-1.1.1n.orig/include/openssl/kdf.h ++++ openssl-1.1.1n/include/openssl/kdf.h +@@ -10,10 +10,50 @@ + #ifndef HEADER_KDF_H + # define HEADER_KDF_H + ++# include + # include +-#ifdef __cplusplus ++# ifdef __cplusplus + extern "C" { +-#endif ++# endif ++ ++# define EVP_KDF_PBKDF2 NID_id_pbkdf2 ++# define EVP_KDF_SCRYPT NID_id_scrypt ++# define EVP_KDF_TLS1_PRF NID_tls1_prf ++# define EVP_KDF_HKDF NID_hkdf ++ ++EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id); ++void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx); ++ ++void EVP_KDF_reset(EVP_KDF_CTX *ctx); ++int EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...); ++int EVP_KDF_vctrl(EVP_KDF_CTX *ctx, int cmd, va_list args); ++int EVP_KDF_ctrl_str(EVP_KDF_CTX *ctx, const char *type, const char *value); ++size_t EVP_KDF_size(EVP_KDF_CTX *ctx); ++int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen); ++ ++ ++# define EVP_KDF_CTRL_SET_PASS 0x01 /* unsigned char *, size_t */ ++# define EVP_KDF_CTRL_SET_SALT 0x02 /* unsigned char *, size_t */ ++# define EVP_KDF_CTRL_SET_ITER 0x03 /* int */ ++# define EVP_KDF_CTRL_SET_MD 0x04 /* EVP_MD * */ ++# define EVP_KDF_CTRL_SET_KEY 0x05 /* unsigned char *, size_t */ ++# define EVP_KDF_CTRL_SET_MAXMEM_BYTES 0x06 /* uint64_t */ ++# define EVP_KDF_CTRL_SET_TLS_SECRET 0x07 /* unsigned char *, size_t */ ++# define EVP_KDF_CTRL_RESET_TLS_SEED 0x08 ++# define EVP_KDF_CTRL_ADD_TLS_SEED 0x09 /* unsigned char *, size_t */ ++# define EVP_KDF_CTRL_RESET_HKDF_INFO 0x0a ++# define EVP_KDF_CTRL_ADD_HKDF_INFO 0x0b /* unsigned char *, size_t */ ++# define EVP_KDF_CTRL_SET_HKDF_MODE 0x0c /* int */ ++# define EVP_KDF_CTRL_SET_SCRYPT_N 0x0d /* uint64_t */ ++# define EVP_KDF_CTRL_SET_SCRYPT_R 0x0e /* uint32_t */ ++# define EVP_KDF_CTRL_SET_SCRYPT_P 0x0f /* uint32_t */ ++ ++# define EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND 0 ++# define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1 ++# define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2 ++ ++ ++/**** The legacy PKEY-based KDF API follows. ****/ + + # define EVP_PKEY_CTRL_TLS_MD (EVP_PKEY_ALG_CTRL) + # define EVP_PKEY_CTRL_TLS_SECRET (EVP_PKEY_ALG_CTRL + 1) +@@ -30,9 +70,12 @@ extern "C" { + # define EVP_PKEY_CTRL_SCRYPT_P (EVP_PKEY_ALG_CTRL + 12) + # define EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES (EVP_PKEY_ALG_CTRL + 13) + +-# define EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND 0 +-# define EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY 1 +-# define EVP_PKEY_HKDEF_MODE_EXPAND_ONLY 2 ++# define EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND \ ++ EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND ++# define EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY \ ++ EVP_KDF_HKDF_MODE_EXTRACT_ONLY ++# define EVP_PKEY_HKDEF_MODE_EXPAND_ONLY \ ++ EVP_KDF_HKDF_MODE_EXPAND_ONLY + + # define EVP_PKEY_CTX_set_tls1_prf_md(pctx, md) \ + EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE, \ +@@ -91,7 +134,7 @@ extern "C" { + EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES, maxmem_bytes) + + +-# ifdef __cplusplus ++# ifdef __cplusplus + } + # endif + #endif +Index: openssl-1.1.1n/include/openssl/ossl_typ.h +=================================================================== +--- openssl-1.1.1n.orig/include/openssl/ossl_typ.h ++++ openssl-1.1.1n/include/openssl/ossl_typ.h +@@ -97,6 +97,8 @@ typedef struct evp_pkey_asn1_method_st E + typedef struct evp_pkey_method_st EVP_PKEY_METHOD; + typedef struct evp_pkey_ctx_st EVP_PKEY_CTX; + ++typedef struct evp_kdf_ctx_st EVP_KDF_CTX; ++ + typedef struct evp_Encode_Ctx_st EVP_ENCODE_CTX; + + typedef struct hmac_ctx_st HMAC_CTX; +Index: openssl-1.1.1n/test/build.info +=================================================================== +--- openssl-1.1.1n.orig/test/build.info ++++ openssl-1.1.1n/test/build.info +@@ -44,7 +44,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I + ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \ + bio_callback_test bio_memleak_test \ + bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \ +- pkey_meth_test pkey_meth_kdf_test uitest cipherbytes_test \ ++ pkey_meth_test pkey_meth_kdf_test evp_kdf_test uitest \ ++ cipherbytes_test \ + asn1_encode_test asn1_decode_test asn1_string_table_test \ + x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \ + recordlentest drbgtest sslbuffertest \ +@@ -336,6 +337,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I + INCLUDE[pkey_meth_kdf_test]=../include + DEPEND[pkey_meth_kdf_test]=../libcrypto libtestutil.a + ++ SOURCE[evp_kdf_test]=evp_kdf_test.c ++ INCLUDE[evp_kdf_test]=../include ++ DEPEND[evp_kdf_test]=../libcrypto libtestutil.a ++ + SOURCE[x509_time_test]=x509_time_test.c + INCLUDE[x509_time_test]=../include + DEPEND[x509_time_test]=../libcrypto libtestutil.a +Index: openssl-1.1.1n/test/evp_kdf_test.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/test/evp_kdf_test.c +@@ -0,0 +1,237 @@ ++/* ++ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++/* Tests of the EVP_KDF_CTX APIs */ ++ ++#include ++#include ++ ++#include ++#include ++#include "testutil.h" ++ ++static int test_kdf_tls1_prf(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[16]; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF)) == NULL) { ++ TEST_error("EVP_KDF_TLS1_PRF"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_MD"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET, ++ "secret", (size_t)6) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_TLS_SECRET"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0) { ++ TEST_error("EVP_KDF_CTRL_ADD_TLS_SEED"); ++ goto err; ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { ++ TEST_error("EVP_KDF_derive"); ++ goto err; ++ } ++ ++ { ++ const unsigned char expected[sizeof(out)] = { ++ 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0, ++ 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc ++ }; ++ if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) { ++ goto err; ++ } ++ } ++ ret = 1; ++err: ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ ++static int test_kdf_hkdf(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[10]; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF)) == NULL) { ++ TEST_error("EVP_KDF_HKDF"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_MD"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SALT"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KEY"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO, ++ "label", (size_t)5) <= 0) { ++ TEST_error("EVP_KDF_CTRL_ADD_HKDF_INFO"); ++ goto err; ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { ++ TEST_error("EVP_KDF_derive"); ++ goto err; ++ } ++ ++ { ++ const unsigned char expected[sizeof(out)] = { ++ 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13 ++ }; ++ if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) { ++ goto err; ++ } ++ } ++ ret = 1; ++err: ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ ++static int test_kdf_pbkdf2(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[32]; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) { ++ TEST_error("EVP_KDF_PBKDF2"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_PASS"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SALT"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_ITER"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_MD"); ++ goto err; ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { ++ TEST_error("EVP_KDF_derive"); ++ goto err; ++ } ++ ++ { ++ const unsigned char expected[sizeof(out)] = { ++ 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3, ++ 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0, ++ 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf, ++ 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43 ++ }; ++ if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) { ++ goto err; ++ } ++ } ++ ret = 1; ++err: ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ ++#ifndef OPENSSL_NO_SCRYPT ++static int test_kdf_scrypt(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[64]; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT)) == NULL) { ++ TEST_error("EVP_KDF_SCRYPT"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_PASS"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "NaCl", (size_t)4) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SALT"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N, (uint64_t)1024) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SCRYPT_N"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R, (uint32_t)8) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SCRYPT_R"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P, (uint32_t)16) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SCRYPT_P"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES, (uint64_t)16) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_MAXMEM_BYTES"); ++ goto err; ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) > 0) { ++ TEST_error("EVP_KDF_derive should have failed"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES, ++ (uint64_t)(10 * 1024 * 1024)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_MAXMEM_BYTES"); ++ goto err; ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { ++ TEST_error("EVP_KDF_derive"); ++ goto err; ++ } ++ ++ { ++ const unsigned char expected[sizeof(out)] = { ++ 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00, ++ 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe, ++ 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30, ++ 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62, ++ 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88, ++ 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda, ++ 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d, ++ 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40 ++ }; ++ if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) { ++ goto err; ++ } ++ } ++ ret = 1; ++err: ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++#endif ++ ++int setup_tests(void) ++{ ++ ADD_TEST(test_kdf_tls1_prf); ++ ADD_TEST(test_kdf_hkdf); ++ ADD_TEST(test_kdf_pbkdf2); ++#ifndef OPENSSL_NO_SCRYPT ++ ADD_TEST(test_kdf_scrypt); ++#endif ++ return 1; ++} +Index: openssl-1.1.1n/test/evp_test.c +=================================================================== +--- openssl-1.1.1n.orig/test/evp_test.c ++++ openssl-1.1.1n/test/evp_test.c +@@ -1705,13 +1705,14 @@ static const EVP_TEST_METHOD encode_test + encode_test_run, + }; + ++ + /** + *** KDF TESTS + **/ + + typedef struct kdf_data_st { + /* Context for this operation */ +- EVP_PKEY_CTX *ctx; ++ EVP_KDF_CTX *ctx; + /* Expected output */ + unsigned char *output; + size_t output_len; +@@ -1738,16 +1739,11 @@ static int kdf_test_init(EVP_TEST *t, co + + if (!TEST_ptr(kdata = OPENSSL_zalloc(sizeof(*kdata)))) + return 0; +- kdata->ctx = EVP_PKEY_CTX_new_id(kdf_nid, NULL); ++ kdata->ctx = EVP_KDF_CTX_new_id(kdf_nid); + if (kdata->ctx == NULL) { + OPENSSL_free(kdata); + return 0; + } +- if (EVP_PKEY_derive_init(kdata->ctx) <= 0) { +- EVP_PKEY_CTX_free(kdata->ctx); +- OPENSSL_free(kdata); +- return 0; +- } + t->data = kdata; + return 1; + } +@@ -1756,7 +1752,42 @@ static void kdf_test_cleanup(EVP_TEST *t + { + KDF_DATA *kdata = t->data; + OPENSSL_free(kdata->output); +- EVP_PKEY_CTX_free(kdata->ctx); ++ EVP_KDF_CTX_free(kdata->ctx); ++} ++ ++static int kdf_test_ctrl(EVP_TEST *t, EVP_KDF_CTX *kctx, ++ const char *value) ++{ ++ int rv; ++ char *p, *tmpval; ++ ++ if (!TEST_ptr(tmpval = OPENSSL_strdup(value))) ++ return 0; ++ p = strchr(tmpval, ':'); ++ if (p != NULL) ++ *p++ = '\0'; ++ rv = EVP_KDF_ctrl_str(kctx, tmpval, p); ++ if (rv == -2) { ++ t->err = "KDF_CTRL_INVALID"; ++ rv = 1; ++ } else if (p != NULL && rv <= 0) { ++ /* If p has an OID and lookup fails assume disabled algorithm */ ++ int nid = OBJ_sn2nid(p); ++ ++ if (nid == NID_undef) ++ nid = OBJ_ln2nid(p); ++ if (nid != NID_undef ++ && EVP_get_digestbynid(nid) == NULL ++ && EVP_get_cipherbynid(nid) == NULL) { ++ t->skip = 1; ++ rv = 1; ++ } else { ++ t->err = "KDF_CTRL_ERROR"; ++ rv = 1; ++ } ++ } ++ OPENSSL_free(tmpval); ++ return rv > 0; + } + + static int kdf_test_parse(EVP_TEST *t, +@@ -1767,7 +1798,7 @@ static int kdf_test_parse(EVP_TEST *t, + if (strcmp(keyword, "Output") == 0) + return parse_bin(value, &kdata->output, &kdata->output_len); + if (strncmp(keyword, "Ctrl", 4) == 0) +- return pkey_test_ctrl(t, kdata->ctx, value); ++ return kdf_test_ctrl(t, kdata->ctx, value); + return 0; + } + +@@ -1781,7 +1812,7 @@ static int kdf_test_run(EVP_TEST *t) + t->err = "INTERNAL_ERROR"; + goto err; + } +- if (EVP_PKEY_derive(expected->ctx, got, &got_len) <= 0) { ++ if (EVP_KDF_derive(expected->ctx, got, got_len) <= 0) { + t->err = "KDF_DERIVE_ERROR"; + goto err; + } +@@ -1807,6 +1838,106 @@ static const EVP_TEST_METHOD kdf_test_me + + + /** ++*** PKEY KDF TESTS ++**/ ++ ++typedef struct pkey_kdf_data_st { ++ /* Context for this operation */ ++ EVP_PKEY_CTX *ctx; ++ /* Expected output */ ++ unsigned char *output; ++ size_t output_len; ++} PKEY_KDF_DATA; ++ ++/* ++ * Perform public key operation setup: lookup key, allocated ctx and call ++ * the appropriate initialisation function ++ */ ++static int pkey_kdf_test_init(EVP_TEST *t, const char *name) ++{ ++ PKEY_KDF_DATA *kdata; ++ int kdf_nid = OBJ_sn2nid(name); ++ ++#ifdef OPENSSL_NO_SCRYPT ++ if (strcmp(name, "scrypt") == 0) { ++ t->skip = 1; ++ return 1; ++ } ++#endif ++ ++ if (kdf_nid == NID_undef) ++ kdf_nid = OBJ_ln2nid(name); ++ ++ if (!TEST_ptr(kdata = OPENSSL_zalloc(sizeof(*kdata)))) ++ return 0; ++ kdata->ctx = EVP_PKEY_CTX_new_id(kdf_nid, NULL); ++ if (kdata->ctx == NULL) { ++ OPENSSL_free(kdata); ++ return 0; ++ } ++ if (EVP_PKEY_derive_init(kdata->ctx) <= 0) { ++ EVP_PKEY_CTX_free(kdata->ctx); ++ OPENSSL_free(kdata); ++ return 0; ++ } ++ t->data = kdata; ++ return 1; ++} ++ ++static void pkey_kdf_test_cleanup(EVP_TEST *t) ++{ ++ PKEY_KDF_DATA *kdata = t->data; ++ OPENSSL_free(kdata->output); ++ EVP_PKEY_CTX_free(kdata->ctx); ++} ++ ++static int pkey_kdf_test_parse(EVP_TEST *t, ++ const char *keyword, const char *value) ++{ ++ PKEY_KDF_DATA *kdata = t->data; ++ ++ if (strcmp(keyword, "Output") == 0) ++ return parse_bin(value, &kdata->output, &kdata->output_len); ++ if (strncmp(keyword, "Ctrl", 4) == 0) ++ return pkey_test_ctrl(t, kdata->ctx, value); ++ return 0; ++} ++ ++static int pkey_kdf_test_run(EVP_TEST *t) ++{ ++ PKEY_KDF_DATA *expected = t->data; ++ unsigned char *got = NULL; ++ size_t got_len = expected->output_len; ++ ++ if (!TEST_ptr(got = OPENSSL_malloc(got_len))) { ++ t->err = "INTERNAL_ERROR"; ++ goto err; ++ } ++ if (EVP_PKEY_derive(expected->ctx, got, &got_len) <= 0) { ++ t->err = "KDF_DERIVE_ERROR"; ++ goto err; ++ } ++ if (!TEST_mem_eq(expected->output, expected->output_len, got, got_len)) { ++ t->err = "KDF_MISMATCH"; ++ goto err; ++ } ++ t->err = NULL; ++ ++ err: ++ OPENSSL_free(got); ++ return 1; ++} ++ ++static const EVP_TEST_METHOD pkey_kdf_test_method = { ++ "PKEYKDF", ++ pkey_kdf_test_init, ++ pkey_kdf_test_cleanup, ++ pkey_kdf_test_parse, ++ pkey_kdf_test_run ++}; ++ ++ ++/** + *** KEYPAIR TESTS + **/ + +@@ -2310,6 +2441,7 @@ static const EVP_TEST_METHOD *evp_test_l + &digestverify_test_method, + &encode_test_method, + &kdf_test_method, ++ &pkey_kdf_test_method, + &keypair_test_method, + &keygen_test_method, + &mac_test_method, +Index: openssl-1.1.1n/test/pkey_meth_kdf_test.c +=================================================================== +--- openssl-1.1.1n.orig/test/pkey_meth_kdf_test.c ++++ openssl-1.1.1n/test/pkey_meth_kdf_test.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -18,30 +18,34 @@ + + static int test_kdf_tls1_prf(void) + { ++ int ret = 0; + EVP_PKEY_CTX *pctx; + unsigned char out[16]; + size_t outlen = sizeof(out); +- pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL); + ++ if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL)) == NULL) { ++ TEST_error("EVP_PKEY_TLS1_PRF"); ++ goto err; ++ } + if (EVP_PKEY_derive_init(pctx) <= 0) { + TEST_error("EVP_PKEY_derive_init"); +- return 0; ++ goto err; + } + if (EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_sha256()) <= 0) { + TEST_error("EVP_PKEY_CTX_set_tls1_prf_md"); +- return 0; ++ goto err; + } + if (EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, "secret", 6) <= 0) { + TEST_error("EVP_PKEY_CTX_set1_tls1_prf_secret"); +- return 0; ++ goto err; + } + if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, "seed", 4) <= 0) { + TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed"); +- return 0; ++ goto err; + } + if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) { + TEST_error("EVP_PKEY_derive"); +- return 0; ++ goto err; + } + + { +@@ -50,43 +54,49 @@ static int test_kdf_tls1_prf(void) + 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc + }; + if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) { +- return 0; ++ goto err; + } + } ++ ret = 1; ++err: + EVP_PKEY_CTX_free(pctx); +- return 1; ++ return ret; + } + + static int test_kdf_hkdf(void) + { ++ int ret = 0; + EVP_PKEY_CTX *pctx; + unsigned char out[10]; + size_t outlen = sizeof(out); +- pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); + ++ if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL)) == NULL) { ++ TEST_error("EVP_PKEY_HKDF"); ++ goto err; ++ } + if (EVP_PKEY_derive_init(pctx) <= 0) { + TEST_error("EVP_PKEY_derive_init"); +- return 0; ++ goto err; + } + if (EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()) <= 0) { + TEST_error("EVP_PKEY_CTX_set_hkdf_md"); +- return 0; ++ goto err; + } + if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, "salt", 4) <= 0) { + TEST_error("EVP_PKEY_CTX_set1_hkdf_salt"); +- return 0; ++ goto err; + } + if (EVP_PKEY_CTX_set1_hkdf_key(pctx, "secret", 6) <= 0) { + TEST_error("EVP_PKEY_CTX_set1_hkdf_key"); +- return 0; ++ goto err; + } + if (EVP_PKEY_CTX_add1_hkdf_info(pctx, "label", 5) <= 0) { + TEST_error("EVP_PKEY_CTX_set1_hkdf_info"); +- return 0; ++ goto err; + } + if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) { + TEST_error("EVP_PKEY_derive"); +- return 0; ++ goto err; + } + + { +@@ -94,60 +104,66 @@ static int test_kdf_hkdf(void) + 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13 + }; + if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) { +- return 0; ++ goto err; + } + } ++ ret = 1; ++err: + EVP_PKEY_CTX_free(pctx); +- return 1; ++ return ret; + } + + #ifndef OPENSSL_NO_SCRYPT + static int test_kdf_scrypt(void) + { ++ int ret = 0; + EVP_PKEY_CTX *pctx; + unsigned char out[64]; + size_t outlen = sizeof(out); +- pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL); + ++ if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL)) == NULL) { ++ TEST_error("EVP_PKEY_SCRYPT"); ++ goto err; ++ } + if (EVP_PKEY_derive_init(pctx) <= 0) { + TEST_error("EVP_PKEY_derive_init"); +- return 0; ++ goto err; + } + if (EVP_PKEY_CTX_set1_pbe_pass(pctx, "password", 8) <= 0) { + TEST_error("EVP_PKEY_CTX_set1_pbe_pass"); +- return 0; ++ goto err; + } + if (EVP_PKEY_CTX_set1_scrypt_salt(pctx, "NaCl", 4) <= 0) { + TEST_error("EVP_PKEY_CTX_set1_scrypt_salt"); +- return 0; ++ goto err; + } + if (EVP_PKEY_CTX_set_scrypt_N(pctx, 1024) <= 0) { + TEST_error("EVP_PKEY_CTX_set_scrypt_N"); +- return 0; ++ goto err; + } + if (EVP_PKEY_CTX_set_scrypt_r(pctx, 8) <= 0) { + TEST_error("EVP_PKEY_CTX_set_scrypt_r"); +- return 0; ++ goto err; + } + if (EVP_PKEY_CTX_set_scrypt_p(pctx, 16) <= 0) { + TEST_error("EVP_PKEY_CTX_set_scrypt_p"); +- return 0; ++ goto err; + } + if (EVP_PKEY_CTX_set_scrypt_maxmem_bytes(pctx, 16) <= 0) { + TEST_error("EVP_PKEY_CTX_set_maxmem_bytes"); +- return 0; ++ goto err; + } + if (EVP_PKEY_derive(pctx, out, &outlen) > 0) { + TEST_error("EVP_PKEY_derive should have failed"); +- return 0; ++ goto err; + } + if (EVP_PKEY_CTX_set_scrypt_maxmem_bytes(pctx, 10 * 1024 * 1024) <= 0) { + TEST_error("EVP_PKEY_CTX_set_maxmem_bytes"); +- return 0; ++ goto err; + } + if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) { + TEST_error("EVP_PKEY_derive"); +- return 0; ++ goto err; + } + + { +@@ -162,11 +178,13 @@ static int test_kdf_scrypt(void) + 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40 + }; + if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) { +- return 0; ++ goto err; + } + } ++ ret = 1; ++err: + EVP_PKEY_CTX_free(pctx); +- return 1; ++ return ret; + } + #endif + +Index: openssl-1.1.1n/test/recipes/30-test_evp_data/evpkdf.txt +=================================================================== +--- openssl-1.1.1n.orig/test/recipes/30-test_evp_data/evpkdf.txt ++++ openssl-1.1.1n/test/recipes/30-test_evp_data/evpkdf.txt +@@ -15,7 +15,7 @@ + Title = TLS1 PRF tests (from NIST test vectors) + + KDF=TLS1-PRF +-Ctrl.md = md:MD5-SHA1 ++Ctrl.digest = digest:MD5-SHA1 + Ctrl.Secret = hexsecret:bded7fa5c1699c010be23dd06ada3a48349f21e5f86263d512c0c5cc379f0e780ec55d9844b2f1db02a96453513568d0 + Ctrl.label = seed:master secret + Ctrl.client_random = hexseed:e5acaf549cd25c22d964c0d930fa4b5261d2507fad84c33715b7b9a864020693 +@@ -23,7 +23,7 @@ Ctrl.server_random = hexseed:135e4d557fd + Output = 2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f62 + + KDF=TLS1-PRF +-Ctrl.md = md:MD5-SHA1 ++Ctrl.digest = digest:MD5-SHA1 + Ctrl.Secret = hexsecret:2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f62 + Ctrl.label = seed:key expansion + Ctrl.server_random = hexseed:67267e650eb32444119d222a368c191af3082888dc35afe8368e638c828874be +@@ -31,7 +31,7 @@ Ctrl.client_random = hexseed:d58a7b1cd4f + Output = 3088825988e77fce68d19f756e18e43eb7fe672433504feaf99b3c503d9091b164f166db301d70c9fc0870b4a94563907bee1a61fb786cb717576890bcc51cb9ead97e01d0a2fea99c953377b195205ff07b369589178796edc963fd80fdbe518a2fc1c35c18ae8d + + KDF=TLS1-PRF +-Ctrl.md = md:SHA256 ++Ctrl.digest = digest:SHA256 + Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc + Ctrl.label = seed:master secret + Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c +@@ -39,7 +39,7 @@ Ctrl.server_random = hexseed:f6c9575ed7d + Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf + + KDF=TLS1-PRF +-Ctrl.md = md:SHA256 ++Ctrl.digest = digest:SHA256 + Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf + Ctrl.label = seed:key expansion + Ctrl.server_random = hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f39868 +@@ -48,7 +48,7 @@ Output = d06139889fffac1e3a71865f504aa5d + + # As above but use long name for KDF + KDF=tls1-prf +-Ctrl.md = md:SHA256 ++Ctrl.digest = digest:SHA256 + Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf + Ctrl.label = seed:key expansion + Ctrl.server_random = hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f39868 +@@ -64,7 +64,7 @@ Result = KDF_DERIVE_ERROR + + # Missing secret. + KDF=TLS1-PRF +-Ctrl.md = md:MD5-SHA1 ++Ctrl.digest = digest:MD5-SHA1 + Ctrl.Seed = hexseed:02 + Output = 03 + Result = KDF_DERIVE_ERROR +@@ -72,7 +72,7 @@ Result = KDF_DERIVE_ERROR + Title = HKDF tests (from RFC5869 test vectors) + + KDF = HKDF +-Ctrl.md = md:SHA256 ++Ctrl.digest = digest:SHA256 + Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b + Ctrl.salt = hexsalt:000102030405060708090a0b0c + Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 +@@ -80,20 +80,20 @@ Output = 3cb25f25faacd57a90434f64d0362f2 + + KDF = HKDF + Ctrl.mode = mode:EXTRACT_ONLY +-Ctrl.md = md:SHA256 ++Ctrl.digest = digest:SHA256 + Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b + Ctrl.salt = hexsalt:000102030405060708090a0b0c + Output = 077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5 + + KDF = HKDF + Ctrl.mode = mode:EXPAND_ONLY +-Ctrl.md = md:SHA256 ++Ctrl.digest = digest:SHA256 + Ctrl.IKM = hexkey:077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5 + Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 + Output = 3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865 + + KDF = HKDF +-Ctrl.md = md:SHA256 ++Ctrl.digest = digest:SHA256 + Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f + Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf + Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff +@@ -101,20 +101,20 @@ Output = b11e398dc80327a1c8e7f78c596a493 + + KDF = HKDF + Ctrl.mode = mode:EXTRACT_ONLY +-Ctrl.md = md:SHA256 ++Ctrl.digest = digest:SHA256 + Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f + Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf + Output = 06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244 + + KDF = HKDF + Ctrl.mode = mode:EXPAND_ONLY +-Ctrl.md = md:SHA256 ++Ctrl.digest = digest:SHA256 + Ctrl.IKM = hexkey:06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244 + Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff + Output = b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87 + + KDF = HKDF +-Ctrl.md = md:SHA256 ++Ctrl.digest = digest:SHA256 + Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b + Ctrl.salt = salt: + Ctrl.info = info: +@@ -122,7 +122,7 @@ Output = 8da4e775a563c18f715f802a063c5a3 + + KDF = HKDF + Ctrl.mode = mode:EXTRACT_ONLY +-Ctrl.md = md:SHA256 ++Ctrl.digest = digest:SHA256 + Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b + Ctrl.salt = salt: + Ctrl.info = info: +@@ -130,13 +130,13 @@ Output = 19ef24a32c717b167f33a91d6f648bd + + KDF = HKDF + Ctrl.mode = mode:EXPAND_ONLY +-Ctrl.md = md:SHA256 ++Ctrl.digest = digest:SHA256 + Ctrl.IKM = hexkey:19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04 + Ctrl.info = info: + Output = 8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8 + + KDF = HKDF +-Ctrl.md = md:SHA1 ++Ctrl.digest = digest:SHA1 + Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b + Ctrl.salt = hexsalt:000102030405060708090a0b0c + Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 +@@ -144,20 +144,20 @@ Output = 085a01ea1b10f36933068b56efa5ad8 + + KDF = HKDF + Ctrl.mode = mode:EXTRACT_ONLY +-Ctrl.md = md:SHA1 ++Ctrl.digest = digest:SHA1 + Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b + Ctrl.salt = hexsalt:000102030405060708090a0b0c + Output = 9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243 + + KDF = HKDF + Ctrl.mode = mode:EXPAND_ONLY +-Ctrl.md = md:SHA1 ++Ctrl.digest = digest:SHA1 + Ctrl.IKM = hexkey:9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243 + Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 + Output = 085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896 + + KDF = HKDF +-Ctrl.md = md:SHA1 ++Ctrl.digest = digest:SHA1 + Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f + Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf + Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff +@@ -165,20 +165,20 @@ Output = 0bd770a74d1160f7c9f12cd5912a06e + + KDF = HKDF + Ctrl.mode = mode:EXTRACT_ONLY +-Ctrl.md = md:SHA1 ++Ctrl.digest = digest:SHA1 + Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f + Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf + Output = 8adae09a2a307059478d309b26c4115a224cfaf6 + + KDF = HKDF + Ctrl.mode = mode:EXPAND_ONLY +-Ctrl.md = md:SHA1 ++Ctrl.digest = digest:SHA1 + Ctrl.IKM = hexkey:8adae09a2a307059478d309b26c4115a224cfaf6 + Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff + Output = 0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4 + + KDF = HKDF +-Ctrl.md = md:SHA1 ++Ctrl.digest = digest:SHA1 + Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b + Ctrl.salt = salt: + Ctrl.info = info: +@@ -186,20 +186,20 @@ Output = 0ac1af7002b3d761d1e55298da9d050 + + KDF = HKDF + Ctrl.mode = mode:EXTRACT_ONLY +-Ctrl.md = md:SHA1 ++Ctrl.digest = digest:SHA1 + Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b + Ctrl.salt = salt: + Output = da8c8a73c7fa77288ec6f5e7c297786aa0d32d01 + + KDF = HKDF + Ctrl.mode = mode:EXPAND_ONLY +-Ctrl.md = md:SHA1 ++Ctrl.digest = digest:SHA1 + Ctrl.IKM = hexkey:da8c8a73c7fa77288ec6f5e7c297786aa0d32d01 + Ctrl.info = info: + Output = 0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918 + + KDF = HKDF +-Ctrl.md = md:SHA1 ++Ctrl.digest = digest:SHA1 + Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c + Ctrl.salt = salt: + Ctrl.info = info: +@@ -207,14 +207,14 @@ Output = 2c91117204d745f3500d636a62f64f0 + + KDF = HKDF + Ctrl.mode = mode:EXTRACT_ONLY +-Ctrl.md = md:SHA1 ++Ctrl.digest = digest:SHA1 + Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c + Ctrl.salt = salt: + Output = 2adccada18779e7c2077ad2eb19d3f3e731385dd + + KDF = HKDF + Ctrl.mode = mode:EXPAND_ONLY +-Ctrl.md = md:SHA1 ++Ctrl.digest = digest:SHA1 + Ctrl.IKM = hexkey:2adccada18779e7c2077ad2eb19d3f3e731385dd + Ctrl.info = info: + Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 +@@ -227,27 +227,27 @@ Output = 00 + Result = KDF_DERIVE_ERROR + + KDF = HKDF +-Ctrl.md = md:SHA1 ++Ctrl.digest = digest:SHA1 + Ctrl.salt = salt: + Ctrl.info = info: + Output = 00 + Result = KDF_DERIVE_ERROR + + KDF = HKDF +-Ctrl.md = md:SHA1 ++Ctrl.digest = digest:SHA1 + Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c + Ctrl.info = info: + Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 + + KDF = HKDF +-Ctrl.md = md:SHA1 ++Ctrl.digest = digest:SHA1 + Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c + Ctrl.salt = salt: + Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 + + KDF = HKDF + Ctrl.mode = mode:EXTRACT_AND_EXPAND +-Ctrl.md = md:SHA1 ++Ctrl.digest = digest:SHA1 + Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c + Ctrl.salt = salt: + Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 +@@ -303,3 +303,133 @@ Ctrl.r = r:8 + Ctrl.p = p:1 + Result = KDF_DERIVE_ERROR + ++Title = PBKDF2 tests ++ ++KDF = PBKDF2 ++Ctrl.pass = pass:password ++Ctrl.salt = salt:salt ++Ctrl.iter = iter:1 ++Ctrl.digest = digest:sha1 ++Output = 0c60c80f961f0e71f3a9b524af6012062fe037a6 ++ ++KDF = PBKDF2 ++Ctrl.pass = pass:password ++Ctrl.salt = salt:salt ++Ctrl.iter = iter:1 ++Ctrl.digest = digest:sha256 ++Output = 120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b ++ ++KDF = PBKDF2 ++Ctrl.pass = pass:password ++Ctrl.salt = salt:salt ++Ctrl.iter = iter:1 ++Ctrl.digest = digest:sha512 ++Output = 867f70cf1ade02cff3752599a3a53dc4af34c7a669815ae5d513554e1c8cf252c02d470a285a0501bad999bfe943c08f050235d7d68b1da55e63f73b60a57fce ++ ++KDF = PBKDF2 ++Ctrl.pass = pass:password ++Ctrl.salt = salt:salt ++Ctrl.iter = iter:2 ++Ctrl.digest = digest:sha1 ++Output = ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957 ++ ++KDF = PBKDF2 ++Ctrl.pass = pass:password ++Ctrl.salt = salt:salt ++Ctrl.iter = iter:2 ++Ctrl.digest = digest:sha256 ++Output = ae4d0c95af6b46d32d0adff928f06dd02a303f8ef3c251dfd6e2d85a95474c43 ++ ++KDF = PBKDF2 ++Ctrl.pass = pass:password ++Ctrl.salt = salt:salt ++Ctrl.iter = iter:2 ++Ctrl.digest = digest:sha512 ++Output = e1d9c16aa681708a45f5c7c4e215ceb66e011a2e9f0040713f18aefdb866d53cf76cab2868a39b9f7840edce4fef5a82be67335c77a6068e04112754f27ccf4e ++ ++KDF = PBKDF2 ++Ctrl.pass = pass:password ++Ctrl.salt = salt:salt ++Ctrl.iter = iter:4096 ++Ctrl.digest = digest:sha1 ++Output = 4b007901b765489abead49d926f721d065a429c1 ++ ++KDF = PBKDF2 ++Ctrl.pass = pass:password ++Ctrl.salt = salt:salt ++Ctrl.iter = iter:4096 ++Ctrl.digest = digest:sha256 ++Output = c5e478d59288c841aa530db6845c4c8d962893a001ce4e11a4963873aa98134a ++ ++KDF = PBKDF2 ++Ctrl.pass = pass:password ++Ctrl.salt = salt:salt ++Ctrl.iter = iter:4096 ++Ctrl.digest = digest:sha512 ++Output = d197b1b33db0143e018b12f3d1d1479e6cdebdcc97c5c0f87f6902e072f457b5143f30602641b3d55cd335988cb36b84376060ecd532e039b742a239434af2d5 ++ ++KDF = PBKDF2 ++Ctrl.pass = pass:passwordPASSWORDpassword ++Ctrl.salt = salt:saltSALTsaltSALTsaltSALTsaltSALTsalt ++Ctrl.iter = iter:4096 ++Ctrl.digest = digest:sha1 ++Output = 3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038 ++ ++KDF = PBKDF2 ++Ctrl.pass = pass:passwordPASSWORDpassword ++Ctrl.salt = salt:saltSALTsaltSALTsaltSALTsaltSALTsalt ++Ctrl.iter = iter:4096 ++Ctrl.digest = digest:sha256 ++Output = 348c89dbcbd32b2f32d814b8116e84cf2b17347ebc1800181c4e2a1fb8dd53e1c635518c7dac47e9 ++ ++KDF = PBKDF2 ++Ctrl.pass = pass:passwordPASSWORDpassword ++Ctrl.salt = salt:saltSALTsaltSALTsaltSALTsaltSALTsalt ++Ctrl.iter = iter:4096 ++Ctrl.digest = digest:sha512 ++Output = 8c0511f4c6e597c6ac6315d8f0362e225f3c501495ba23b868c005174dc4ee71115b59f9e60cd9532fa33e0f75aefe30225c583a186cd82bd4daea9724a3d3b8 ++ ++KDF = PBKDF2 ++Ctrl.hexpass = hexpass:7061737300776f7264 ++Ctrl.hexsalt = hexsalt:7361006c74 ++Ctrl.iter = iter:4096 ++Ctrl.digest = digest:sha1 ++Output = 56fa6aa75548099dcc37d7f03425e0c3 ++ ++KDF = PBKDF2 ++Ctrl.hexpass = hexpass:7061737300776f7264 ++Ctrl.hexsalt = hexsalt:7361006c74 ++Ctrl.iter = iter:4096 ++Ctrl.digest = digest:sha256 ++Output = 89b69d0516f829893c696226650a8687 ++ ++KDF = PBKDF2 ++Ctrl.hexpass = hexpass:7061737300776f7264 ++Ctrl.hexsalt = hexsalt:7361006c74 ++Ctrl.iter = iter:4096 ++Ctrl.digest = digest:sha512 ++Output = 9d9e9c4cd21fe4be24d5b8244c759665 ++ ++Title = PBKDF2 tests for empty inputs ++ ++KDF = PBKDF2 ++Ctrl.pass = pass: ++Ctrl.salt = salt:salt ++Ctrl.iter = iter:1 ++Ctrl.digest = digest:sha1 ++Output = a33dddc30478185515311f8752895d36ea4363a2 ++ ++KDF = PBKDF2 ++Ctrl.pass = pass: ++Ctrl.salt = salt:salt ++Ctrl.iter = iter:1 ++Ctrl.digest = digest:sha256 ++Output = f135c27993baf98773c5cdb40a5706ce6a345cde ++ ++KDF = PBKDF2 ++Ctrl.pass = pass: ++Ctrl.salt = salt:salt ++Ctrl.iter = iter:1 ++Ctrl.digest = digest:sha512 ++Output = 00ef42cdbfc98d29db20976608e455567fdddf14 ++ +Index: openssl-1.1.1n/test/recipes/30-test_evp_data/evppkey_kdf.txt +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/test/recipes/30-test_evp_data/evppkey_kdf.txt +@@ -0,0 +1,305 @@ ++# ++# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++# Tests start with one of these keywords ++# Cipher Decrypt Derive Digest Encoding KDF PKEYKDF MAC PBE ++# PrivPubKeyPair Sign Verify VerifyRecover ++# and continue until a blank line. Lines starting with a pound sign, ++# like this prolog, are ignored. ++ ++Title = TLS1 PRF tests (from NIST test vectors) ++ ++PKEYKDF=TLS1-PRF ++Ctrl.md = md:MD5-SHA1 ++Ctrl.Secret = hexsecret:bded7fa5c1699c010be23dd06ada3a48349f21e5f86263d512c0c5cc379f0e780ec55d9844b2f1db02a96453513568d0 ++Ctrl.label = seed:master secret ++Ctrl.client_random = hexseed:e5acaf549cd25c22d964c0d930fa4b5261d2507fad84c33715b7b9a864020693 ++Ctrl.server_random = hexseed:135e4d557fdf3aa6406d82975d5c606a9734c9334b42136e96990fbd5358cdb2 ++Output = 2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f62 ++ ++PKEYKDF=TLS1-PRF ++Ctrl.md = md:MD5-SHA1 ++Ctrl.Secret = hexsecret:2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f62 ++Ctrl.label = seed:key expansion ++Ctrl.server_random = hexseed:67267e650eb32444119d222a368c191af3082888dc35afe8368e638c828874be ++Ctrl.client_random = hexseed:d58a7b1cd4fedaa232159df652ce188f9d997e061b9bf48e83b62990440931f6 ++Output = 3088825988e77fce68d19f756e18e43eb7fe672433504feaf99b3c503d9091b164f166db301d70c9fc0870b4a94563907bee1a61fb786cb717576890bcc51cb9ead97e01d0a2fea99c953377b195205ff07b369589178796edc963fd80fdbe518a2fc1c35c18ae8d ++ ++PKEYKDF=TLS1-PRF ++Ctrl.md = md:SHA256 ++Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc ++Ctrl.label = seed:master secret ++Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c ++Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce ++Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf ++ ++PKEYKDF=TLS1-PRF ++Ctrl.md = md:SHA256 ++Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf ++Ctrl.label = seed:key expansion ++Ctrl.server_random = hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f39868 ++Ctrl.client_random = hexseed:62e1fd91f23f558a605f28478c58cf72637b89784d959df7e946d3f07bd1b616 ++Output = d06139889fffac1e3a71865f504aa5d0d2a2e89506c6f2279b670c3e1b74f531016a2530c51a3a0f7e1d6590d0f0566b2f387f8d11fd4f731cdd572d2eae927f6f2f81410b25e6960be68985add6c38445ad9f8c64bf8068bf9a6679485d966f1ad6f68b43495b10a683755ea2b858d70ccac7ec8b053c6bd41ca299d4e51928 ++ ++# As above but use long name for KDF ++PKEYKDF=tls1-prf ++Ctrl.md = md:SHA256 ++Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf ++Ctrl.label = seed:key expansion ++Ctrl.server_random = hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f39868 ++Ctrl.client_random = hexseed:62e1fd91f23f558a605f28478c58cf72637b89784d959df7e946d3f07bd1b616 ++Output = d06139889fffac1e3a71865f504aa5d0d2a2e89506c6f2279b670c3e1b74f531016a2530c51a3a0f7e1d6590d0f0566b2f387f8d11fd4f731cdd572d2eae927f6f2f81410b25e6960be68985add6c38445ad9f8c64bf8068bf9a6679485d966f1ad6f68b43495b10a683755ea2b858d70ccac7ec8b053c6bd41ca299d4e51928 ++ ++# Missing digest. ++PKEYKDF=TLS1-PRF ++Ctrl.Secret = hexsecret:01 ++Ctrl.Seed = hexseed:02 ++Output = 03 ++Result = KDF_DERIVE_ERROR ++ ++# Missing secret. ++PKEYKDF=TLS1-PRF ++Ctrl.md = md:MD5-SHA1 ++Ctrl.Seed = hexseed:02 ++Output = 03 ++Result = KDF_DERIVE_ERROR ++ ++Title = HKDF tests (from RFC5869 test vectors) ++ ++PKEYKDF = HKDF ++Ctrl.md = md:SHA256 ++Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b ++Ctrl.salt = hexsalt:000102030405060708090a0b0c ++Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 ++Output = 3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865 ++ ++PKEYKDF = HKDF ++Ctrl.mode = mode:EXTRACT_ONLY ++Ctrl.md = md:SHA256 ++Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b ++Ctrl.salt = hexsalt:000102030405060708090a0b0c ++Output = 077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5 ++ ++PKEYKDF = HKDF ++Ctrl.mode = mode:EXPAND_ONLY ++Ctrl.md = md:SHA256 ++Ctrl.IKM = hexkey:077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5 ++Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 ++Output = 3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865 ++ ++PKEYKDF = HKDF ++Ctrl.md = md:SHA256 ++Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f ++Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf ++Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff ++Output = b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87 ++ ++PKEYKDF = HKDF ++Ctrl.mode = mode:EXTRACT_ONLY ++Ctrl.md = md:SHA256 ++Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f ++Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf ++Output = 06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244 ++ ++PKEYKDF = HKDF ++Ctrl.mode = mode:EXPAND_ONLY ++Ctrl.md = md:SHA256 ++Ctrl.IKM = hexkey:06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244 ++Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff ++Output = b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87 ++ ++PKEYKDF = HKDF ++Ctrl.md = md:SHA256 ++Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b ++Ctrl.salt = salt: ++Ctrl.info = info: ++Output = 8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8 ++ ++PKEYKDF = HKDF ++Ctrl.mode = mode:EXTRACT_ONLY ++Ctrl.md = md:SHA256 ++Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b ++Ctrl.salt = salt: ++Ctrl.info = info: ++Output = 19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04 ++ ++PKEYKDF = HKDF ++Ctrl.mode = mode:EXPAND_ONLY ++Ctrl.md = md:SHA256 ++Ctrl.IKM = hexkey:19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04 ++Ctrl.info = info: ++Output = 8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8 ++ ++PKEYKDF = HKDF ++Ctrl.md = md:SHA1 ++Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b ++Ctrl.salt = hexsalt:000102030405060708090a0b0c ++Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 ++Output = 085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896 ++ ++PKEYKDF = HKDF ++Ctrl.mode = mode:EXTRACT_ONLY ++Ctrl.md = md:SHA1 ++Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b ++Ctrl.salt = hexsalt:000102030405060708090a0b0c ++Output = 9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243 ++ ++PKEYKDF = HKDF ++Ctrl.mode = mode:EXPAND_ONLY ++Ctrl.md = md:SHA1 ++Ctrl.IKM = hexkey:9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243 ++Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 ++Output = 085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896 ++ ++PKEYKDF = HKDF ++Ctrl.md = md:SHA1 ++Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f ++Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf ++Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff ++Output = 0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4 ++ ++PKEYKDF = HKDF ++Ctrl.mode = mode:EXTRACT_ONLY ++Ctrl.md = md:SHA1 ++Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f ++Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf ++Output = 8adae09a2a307059478d309b26c4115a224cfaf6 ++ ++PKEYKDF = HKDF ++Ctrl.mode = mode:EXPAND_ONLY ++Ctrl.md = md:SHA1 ++Ctrl.IKM = hexkey:8adae09a2a307059478d309b26c4115a224cfaf6 ++Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff ++Output = 0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4 ++ ++PKEYKDF = HKDF ++Ctrl.md = md:SHA1 ++Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b ++Ctrl.salt = salt: ++Ctrl.info = info: ++Output = 0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918 ++ ++PKEYKDF = HKDF ++Ctrl.mode = mode:EXTRACT_ONLY ++Ctrl.md = md:SHA1 ++Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b ++Ctrl.salt = salt: ++Output = da8c8a73c7fa77288ec6f5e7c297786aa0d32d01 ++ ++PKEYKDF = HKDF ++Ctrl.mode = mode:EXPAND_ONLY ++Ctrl.md = md:SHA1 ++Ctrl.IKM = hexkey:da8c8a73c7fa77288ec6f5e7c297786aa0d32d01 ++Ctrl.info = info: ++Output = 0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918 ++ ++PKEYKDF = HKDF ++Ctrl.md = md:SHA1 ++Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c ++Ctrl.salt = salt: ++Ctrl.info = info: ++Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 ++ ++PKEYKDF = HKDF ++Ctrl.mode = mode:EXTRACT_ONLY ++Ctrl.md = md:SHA1 ++Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c ++Ctrl.salt = salt: ++Output = 2adccada18779e7c2077ad2eb19d3f3e731385dd ++ ++PKEYKDF = HKDF ++Ctrl.mode = mode:EXPAND_ONLY ++Ctrl.md = md:SHA1 ++Ctrl.IKM = hexkey:2adccada18779e7c2077ad2eb19d3f3e731385dd ++Ctrl.info = info: ++Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 ++ ++PKEYKDF = HKDF ++Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c ++Ctrl.salt = salt: ++Ctrl.info = info: ++Output = 00 ++Result = KDF_DERIVE_ERROR ++ ++PKEYKDF = HKDF ++Ctrl.md = md:SHA1 ++Ctrl.salt = salt: ++Ctrl.info = info: ++Output = 00 ++Result = KDF_DERIVE_ERROR ++ ++PKEYKDF = HKDF ++Ctrl.md = md:SHA1 ++Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c ++Ctrl.info = info: ++Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 ++ ++PKEYKDF = HKDF ++Ctrl.md = md:SHA1 ++Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c ++Ctrl.salt = salt: ++Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 ++ ++PKEYKDF = HKDF ++Ctrl.mode = mode:EXTRACT_AND_EXPAND ++Ctrl.md = md:SHA1 ++Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c ++Ctrl.salt = salt: ++Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 ++ ++Title = id-scrypt tests (from draft-josefsson-id-scrypt-kdf-03 and others) ++ ++PKEYKDF = scrypt ++Ctrl.pass = pass: ++Ctrl.salt = salt: ++Ctrl.N = N:16 ++Ctrl.r = r:1 ++Ctrl.p = p:1 ++Output = 77d6576238657b203b19ca42c18a0497f16b4844e3074ae8dfdffa3fede21442fcd0069ded0948f8326a753a0fc81f17e8d3e0fb2e0d3628cf35e20c38d18906 ++ ++PKEYKDF = scrypt ++Ctrl.pass = pass:password ++Ctrl.salt = salt:NaCl ++Ctrl.N = N:1024 ++Ctrl.r = r:8 ++Ctrl.p = p:16 ++Output = fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640 ++ ++PKEYKDF = scrypt ++Ctrl.hexpass = hexpass:70617373776f7264 ++Ctrl.salt = salt:NaCl ++Ctrl.N = N:1024 ++Ctrl.r = r:8 ++Ctrl.p = p:16 ++Output = fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640 ++ ++PKEYKDF = scrypt ++Ctrl.pass = pass:password ++Ctrl.hexsalt = hexsalt:4e61436c ++Ctrl.N = N:1024 ++Ctrl.r = r:8 ++Ctrl.p = p:16 ++Output = fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640 ++ ++PKEYKDF = scrypt ++Ctrl.pass = pass:pleaseletmein ++Ctrl.salt = salt:SodiumChloride ++Ctrl.N = N:16384 ++Ctrl.r = r:8 ++Ctrl.p = p:1 ++Output = 7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2d5432955613f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b45575887 ++ ++# Out of memory ++PKEYKDF = scrypt ++Ctrl.pass = pass:pleaseletmein ++Ctrl.salt = salt:SodiumChloride ++Ctrl.N = N:1048576 ++Ctrl.r = r:8 ++Ctrl.p = p:1 ++Result = INTERNAL_ERROR ++ +Index: openssl-1.1.1n/test/recipes/30-test_evp_kdf.t +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/test/recipes/30-test_evp_kdf.t +@@ -0,0 +1,13 @@ ++#! /usr/bin/env perl ++# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. ++# Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++ ++use OpenSSL::Test::Simple; ++ ++simple_test("test_evp_kdf", "evp_kdf_test"); +Index: openssl-1.1.1n/test/recipes/30-test_evp.t +=================================================================== +--- openssl-1.1.1n.orig/test/recipes/30-test_evp.t ++++ openssl-1.1.1n/test/recipes/30-test_evp.t +@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/ + setup("test_evp"); + + my @files = ( "evpciph.txt", "evpdigest.txt", "evpencod.txt", "evpkdf.txt", +- "evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt", ++ "evppkey_kdf.txt", "evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt", + "evpcase.txt", "evpccmcavs.txt" ); + + plan tests => scalar(@files); +Index: openssl-1.1.1n/util/libcrypto.num +=================================================================== +--- openssl-1.1.1n.orig/util/libcrypto.num ++++ openssl-1.1.1n/util/libcrypto.num +@@ -4626,3 +4626,11 @@ FIPS_drbg_get_strength + FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION: + FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION: + FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION: ++EVP_KDF_CTX_new_id 6590 1_1_1d EXIST::FUNCTION: ++EVP_KDF_CTX_free 6591 1_1_1d EXIST::FUNCTION: ++EVP_KDF_reset 6592 1_1_1d EXIST::FUNCTION: ++EVP_KDF_ctrl 6593 1_1_1d EXIST::FUNCTION: ++EVP_KDF_vctrl 6594 1_1_1d EXIST::FUNCTION: ++EVP_KDF_ctrl_str 6595 1_1_1d EXIST::FUNCTION: ++EVP_KDF_size 6596 1_1_1d EXIST::FUNCTION: ++EVP_KDF_derive 6597 1_1_1d EXIST::FUNCTION: +Index: openssl-1.1.1n/util/private.num +=================================================================== +--- openssl-1.1.1n.orig/util/private.num ++++ openssl-1.1.1n/util/private.num +@@ -22,6 +22,7 @@ CRYPTO_EX_dup + CRYPTO_EX_free datatype + CRYPTO_EX_new datatype + DTLS_timer_cb datatype ++EVP_KDF_CTX datatype + EVP_PKEY_gen_cb datatype + EVP_PKEY_METHOD datatype + EVP_PKEY_ASN1_METHOD datatype +Index: openssl-1.1.1n/crypto/evp/e_chacha20_poly1305.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/e_chacha20_poly1305.c ++++ openssl-1.1.1n/crypto/evp/e_chacha20_poly1305.c +@@ -14,8 +14,8 @@ + + # include + # include +-# include "evp_local.h" + # include "crypto/evp.h" ++# include "evp_local.h" + # include "crypto/chacha.h" + + typedef struct { +Index: openssl-1.1.1n/crypto/evp/encode.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/encode.c ++++ openssl-1.1.1n/crypto/evp/encode.c +@@ -11,8 +11,8 @@ + #include + #include "internal/cryptlib.h" + #include +-#include "evp_local.h" + #include "crypto/evp.h" ++#include "evp_local.h" + + static unsigned char conv_ascii2bin(unsigned char a, + const unsigned char *table); diff --git a/openssl-1.1.1-fips-crng-test.patch b/openssl-1.1.1-fips-crng-test.patch new file mode 100644 index 0000000..829313e --- /dev/null +++ b/openssl-1.1.1-fips-crng-test.patch @@ -0,0 +1,414 @@ +Index: openssl-1.1.1g/include/crypto/rand.h +=================================================================== +--- openssl-1.1.1g.orig/include/crypto/rand.h 2020-04-21 15:59:25.552654754 +0200 ++++ openssl-1.1.1g/include/crypto/rand.h 2020-04-21 15:59:27.208663772 +0200 +@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN + + void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out); + ++/* CRNG test entropy filter callbacks. */ ++size_t rand_crngt_get_entropy(RAND_DRBG *drbg, ++ unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len, ++ int prediction_resistance); ++void rand_crngt_cleanup_entropy(RAND_DRBG *drbg, ++ unsigned char *out, size_t outlen); ++ + /* + * RAND_POOL functions + */ +Index: openssl-1.1.1g/crypto/rand/build.info +=================================================================== +--- openssl-1.1.1g.orig/crypto/rand/build.info 2020-04-21 15:59:27.208663772 +0200 ++++ openssl-1.1.1g/crypto/rand/build.info 2020-04-21 16:00:32.869021309 +0200 +@@ -1,6 +1,6 @@ + LIBS=../../libcrypto + SOURCE[../../libcrypto]=\ +- randfile.c rand_lib.c rand_err.c rand_egd.c \ ++ randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \ + rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c + + INCLUDE[drbg_ctr.o]=../modes +Index: openssl-1.1.1g/crypto/rand/drbg_lib.c +=================================================================== +--- openssl-1.1.1g.orig/crypto/rand/drbg_lib.c 2020-04-21 15:59:25.552654754 +0200 ++++ openssl-1.1.1g/crypto/rand/drbg_lib.c 2020-04-21 15:59:27.208663772 +0200 +@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg; + + + /* NIST SP 800-90A DRBG recommends the use of a personalization string. */ +-static const char ossl_pers_string[] = "OpenSSL NIST SP 800-90A DRBG"; ++static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING; + + static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT; + +@@ -201,8 +201,13 @@ static RAND_DRBG *rand_drbg_new(int secu + drbg->parent = parent; + + if (parent == NULL) { ++#ifdef OPENSSL_FIPS ++ drbg->get_entropy = rand_crngt_get_entropy; ++ drbg->cleanup_entropy = rand_crngt_cleanup_entropy; ++#else + drbg->get_entropy = rand_drbg_get_entropy; + drbg->cleanup_entropy = rand_drbg_cleanup_entropy; ++#endif + #ifndef RAND_DRBG_GET_RANDOM_NONCE + drbg->get_nonce = rand_drbg_get_nonce; + drbg->cleanup_nonce = rand_drbg_cleanup_nonce; +Index: openssl-1.1.1g/crypto/rand/rand_crng_test.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.1.1g/crypto/rand/rand_crng_test.c 2020-04-21 15:59:27.208663772 +0200 +@@ -0,0 +1,118 @@ ++/* ++ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++/* ++ * Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests. ++ */ ++ ++#include ++#include ++#include "crypto/rand.h" ++#include "internal/thread_once.h" ++#include "rand_local.h" ++ ++static RAND_POOL *crngt_pool; ++static unsigned char crngt_prev[EVP_MAX_MD_SIZE]; ++ ++int (*crngt_get_entropy)(unsigned char *, unsigned char *, unsigned int *) ++ = &rand_crngt_get_entropy_cb; ++ ++int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md, ++ unsigned int *md_size) ++{ ++ int r; ++ size_t n; ++ unsigned char *p; ++ ++ n = rand_pool_acquire_entropy(crngt_pool); ++ if (n >= CRNGT_BUFSIZ) { ++ p = rand_pool_detach(crngt_pool); ++ r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL); ++ if (r != 0) ++ memcpy(buf, p, CRNGT_BUFSIZ); ++ rand_pool_reattach(crngt_pool, p); ++ return r; ++ } ++ return 0; ++} ++ ++void rand_crngt_cleanup(void) ++{ ++ rand_pool_free(crngt_pool); ++ crngt_pool = NULL; ++} ++ ++int rand_crngt_init(void) ++{ ++ unsigned char buf[CRNGT_BUFSIZ]; ++ ++ if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL) ++ return 0; ++ if (crngt_get_entropy(buf, crngt_prev, NULL)) { ++ OPENSSL_cleanse(buf, sizeof(buf)); ++ return 1; ++ } ++ rand_crngt_cleanup(); ++ return 0; ++} ++ ++static CRYPTO_ONCE rand_crngt_init_flag = CRYPTO_ONCE_STATIC_INIT; ++DEFINE_RUN_ONCE_STATIC(do_rand_crngt_init) ++{ ++ return OPENSSL_init_crypto(0, NULL) ++ && rand_crngt_init() ++ && OPENSSL_atexit(&rand_crngt_cleanup); ++} ++ ++int rand_crngt_single_init(void) ++{ ++ return RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init); ++} ++ ++size_t rand_crngt_get_entropy(RAND_DRBG *drbg, ++ unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len, ++ int prediction_resistance) ++{ ++ unsigned char buf[CRNGT_BUFSIZ], md[EVP_MAX_MD_SIZE]; ++ unsigned int sz; ++ RAND_POOL *pool; ++ size_t q, r = 0, s, t = 0; ++ int attempts = 3; ++ ++ if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init)) ++ return 0; ++ ++ if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL) ++ return 0; ++ ++ while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) { ++ s = q > sizeof(buf) ? sizeof(buf) : q; ++ if (!crngt_get_entropy(buf, md, &sz) ++ || memcmp(crngt_prev, md, sz) == 0 ++ || !rand_pool_add(pool, buf, s, s * 8)) ++ goto err; ++ memcpy(crngt_prev, md, sz); ++ t += s; ++ attempts++; ++ } ++ r = t; ++ *pout = rand_pool_detach(pool); ++err: ++ OPENSSL_cleanse(buf, sizeof(buf)); ++ rand_pool_free(pool); ++ return r; ++} ++ ++void rand_crngt_cleanup_entropy(RAND_DRBG *drbg, ++ unsigned char *out, size_t outlen) ++{ ++ OPENSSL_secure_clear_free(out, outlen); ++} +Index: openssl-1.1.1g/crypto/rand/rand_local.h +=================================================================== +--- openssl-1.1.1g.orig/crypto/rand/rand_local.h 2020-04-21 15:59:25.552654754 +0200 ++++ openssl-1.1.1g/crypto/rand/rand_local.h 2020-04-21 15:59:27.208663772 +0200 +@@ -33,7 +33,15 @@ + # define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */ + # define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */ + +- ++/* ++ * The number of bytes that constitutes an atomic lump of entropy with respect ++ * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat ++ * arbitrary, the smaller the value, the less entropy is consumed on first ++ * read but the higher the probability of the test failing by accident. ++ * ++ * The value is in bytes. ++ */ ++#define CRNGT_BUFSIZ 16 + + /* + * Maximum input size for the DRBG (entropy, nonce, personalization string) +@@ -44,6 +52,8 @@ + */ + # define DRBG_MAX_LENGTH INT32_MAX + ++/* The default nonce */ ++# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG" + + /* + * Maximum allocation size for RANDOM_POOL buffers +@@ -296,4 +306,22 @@ int rand_drbg_enable_locking(RAND_DRBG * + /* initializes the AES-CTR DRBG implementation */ + int drbg_ctr_init(RAND_DRBG *drbg); + ++/* ++ * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests. ++ * These need to be exposed for the unit tests. ++ */ ++int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md, ++ unsigned int *md_size); ++extern int (*crngt_get_entropy)(unsigned char *buf, unsigned char *md, ++ unsigned int *md_size); ++int rand_crngt_init(void); ++void rand_crngt_cleanup(void); ++ ++/* ++ * Expose the run once initialisation function for the unit tests because. ++ * they need to restart from scratch to validate the first block is skipped ++ * properly. ++ */ ++int rand_crngt_single_init(void); ++ + #endif +Index: openssl-1.1.1g/test/drbgtest.c +=================================================================== +--- openssl-1.1.1g.orig/test/drbgtest.c 2020-04-21 15:59:25.552654754 +0200 ++++ openssl-1.1.1g/test/drbgtest.c 2020-04-21 15:59:27.208663772 +0200 +@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg, + return t->noncelen; + } + ++ /* ++ * Disable CRNG testing if it is enabled. ++ * If the DRBG is ready or in an error state, this means an instantiate cycle ++ * for which the default personalisation string is used. ++ */ ++static int disable_crngt(RAND_DRBG *drbg) ++{ ++ static const char pers[] = DRBG_DEFAULT_PERS_STRING; ++ const int instantiate = drbg->state != DRBG_UNINITIALISED; ++ ++ if (drbg->get_entropy != rand_crngt_get_entropy) ++ return 1; ++ ++ if ((instantiate && !RAND_DRBG_uninstantiate(drbg)) ++ || !TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy, ++ &rand_drbg_cleanup_entropy, ++ &rand_drbg_get_nonce, ++ &rand_drbg_cleanup_nonce)) ++ || (instantiate ++ && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers, ++ sizeof(pers) - 1))) ++ return 0; ++ return 1; ++} ++ + static int uninstantiate(RAND_DRBG *drbg) + { + int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg); +@@ -175,7 +200,8 @@ static int single_kat(DRBG_SELFTEST_DATA + if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL))) + return 0; + if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, +- kat_nonce, NULL))) { ++ kat_nonce, NULL)) ++ || !TEST_true(disable_crngt(drbg))) { + failures++; + goto err; + } +@@ -293,7 +319,8 @@ static int error_check(DRBG_SELFTEST_DAT + unsigned int reseed_counter_tmp; + int ret = 0; + +- if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL))) ++ if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)) ++ || !TEST_true(disable_crngt(drbg))) + goto err; + + /* +@@ -740,6 +767,10 @@ static int test_rand_drbg_reseed(void) + || !TEST_ptr_eq(private->parent, master)) + return 0; + ++ /* Disable CRNG testing for the master DRBG */ ++ if (!TEST_true(disable_crngt(master))) ++ return 0; ++ + /* uninstantiate the three global DRBGs */ + RAND_DRBG_uninstantiate(private); + RAND_DRBG_uninstantiate(public); +@@ -964,7 +995,8 @@ static int test_rand_seed(void) + size_t rand_buflen; + size_t required_seed_buflen = 0; + +- if (!TEST_ptr(master = RAND_DRBG_get0_master())) ++ if (!TEST_ptr(master = RAND_DRBG_get0_master()) ++ || !TEST_true(disable_crngt(master))) + return 0; + + #ifdef OPENSSL_RAND_SEED_NONE +@@ -1013,6 +1045,95 @@ static int test_rand_add(void) + return 1; + } + ++/* ++ * A list of the FIPS DRGB types. ++ */ ++static const struct s_drgb_types { ++ int nid; ++ int flags; ++} drgb_types[] = { ++ { NID_aes_128_ctr, 0 }, ++ { NID_aes_192_ctr, 0 }, ++ { NID_aes_256_ctr, 0 }, ++}; ++ ++/* Six cases for each covers seed sizes up to 32 bytes */ ++static const size_t crngt_num_cases = 6; ++ ++static size_t crngt_case, crngt_idx; ++ ++static int crngt_entropy_cb(unsigned char *buf, unsigned char *md, ++ unsigned int *md_size) ++{ ++ size_t i, z; ++ ++ if (!TEST_int_lt(crngt_idx, crngt_num_cases)) ++ return 0; ++ /* Generate a block of unique data unless this is the duplication point */ ++ z = crngt_idx++; ++ if (z > 0 && crngt_case == z) ++ z--; ++ for (i = 0; i < CRNGT_BUFSIZ; i++) ++ buf[i] = (unsigned char)(i + 'A' + z); ++ return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL); ++} ++ ++static int test_crngt(int n) ++{ ++ const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases; ++ RAND_DRBG *drbg = NULL; ++ unsigned char buff[100]; ++ size_t ent; ++ int res = 0; ++ int expect; ++ ++ if (!TEST_true(rand_crngt_single_init())) ++ return 0; ++ rand_crngt_cleanup(); ++ ++ if (!TEST_ptr(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL))) ++ return 0; ++ ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ; ++ crngt_case = n % crngt_num_cases; ++ crngt_idx = 0; ++ crngt_get_entropy = &crngt_entropy_cb; ++ if (!TEST_true(rand_crngt_init())) ++ goto err; ++#ifndef OPENSSL_FIPS ++ if (!TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy, ++ &rand_crngt_cleanup_entropy, ++ &rand_drbg_get_nonce, ++ &rand_drbg_cleanup_nonce))) ++ goto err; ++#endif ++ expect = crngt_case == 0 || crngt_case > ent; ++ if (!TEST_int_eq(RAND_DRBG_instantiate(drbg, NULL, 0), expect)) ++ goto err; ++ if (!expect) ++ goto fin; ++ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0))) ++ goto err; ++ ++ expect = crngt_case == 0 || crngt_case > 2 * ent; ++ if (!TEST_int_eq(RAND_DRBG_reseed(drbg, NULL, 0, 0), expect)) ++ goto err; ++ if (!expect) ++ goto fin; ++ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0))) ++ goto err; ++ ++fin: ++ res = 1; ++err: ++ if (!res) ++ TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases, ++ crngt_case, crngt_idx); ++ uninstantiate(drbg); ++ RAND_DRBG_free(drbg); ++ crngt_get_entropy = &rand_crngt_get_entropy_cb; ++ return res; ++} ++ + int setup_tests(void) + { + app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL); +@@ -1025,5 +1146,6 @@ int setup_tests(void) + #if defined(OPENSSL_THREADS) + ADD_TEST(test_multi_thread); + #endif ++ ADD_ALL_TESTS(test_crngt, crngt_num_cases * OSSL_NELEM(drgb_types)); + return 1; + } diff --git a/openssl-1.1.1-fips-fix-memory-leaks.patch b/openssl-1.1.1-fips-fix-memory-leaks.patch new file mode 100644 index 0000000..4f6bc33 --- /dev/null +++ b/openssl-1.1.1-fips-fix-memory-leaks.patch @@ -0,0 +1,80 @@ +--- + crypto/fips/fips.c | 8 ++++++++ + crypto/fips/fips_drbg_rand.c | 6 ++++++ + crypto/init.c | 4 ++++ + include/crypto/fips_int.h | 1 + + include/openssl/fips_rand.h | 1 + + 5 files changed, 20 insertions(+) + +--- a/crypto/fips/fips.c ++++ b/crypto/fips/fips.c +@@ -93,6 +93,14 @@ DEFINE_RUN_ONCE_STATIC(do_fips_lock_init + return fips_lock != NULL && fips_owning_lock != NULL; + } + ++void FIPS_owning_thread_lock_cleanup(void) ++{ ++ CRYPTO_THREAD_lock_free(fips_lock); ++ fips_lock = NULL; ++ CRYPTO_THREAD_lock_free(fips_owning_lock); ++ fips_owning_lock = NULL; ++} ++ + # define fips_w_lock() CRYPTO_THREAD_write_lock(fips_lock) + # define fips_w_unlock() CRYPTO_THREAD_unlock(fips_lock) + # define fips_r_lock() CRYPTO_THREAD_read_lock(fips_lock) +--- a/crypto/fips/fips_drbg_rand.c ++++ b/crypto/fips/fips_drbg_rand.c +@@ -84,6 +84,12 @@ DRBG_CTX *FIPS_get_default_drbg(void) + return &ossl_dctx; + } + ++void FIPS_drbg_lock_cleanup(void) ++{ ++ CRYPTO_THREAD_lock_free(fips_rand_lock); ++ fips_rand_lock = NULL; ++} ++ + static int fips_drbg_bytes(unsigned char *out, int count) + { + DRBG_CTX *dctx = &ossl_dctx; +--- a/crypto/init.c ++++ b/crypto/init.c +@@ -28,6 +28,8 @@ + #include "internal/dso.h" + #include "crypto/store.h" + #include "openssl/fips.h" ++#include "openssl/fips_rand.h" ++#include "crypto/fips_int.h" + + static int stopped = 0; + +@@ -591,6 +593,8 @@ void OPENSSL_cleanup(void) + conf_modules_free_int(); + #ifdef OPENSSL_FIPS + FIPS_entropy_cleanup(); ++ FIPS_drbg_lock_cleanup(); ++ FIPS_owning_thread_lock_cleanup(); + #endif + #ifndef OPENSSL_NO_ENGINE + engine_cleanup_int(); +--- a/include/crypto/fips_int.h ++++ b/include/crypto/fips_int.h +@@ -56,6 +56,7 @@ + + #ifdef OPENSSL_FIPS + ++void FIPS_owning_thread_lock_cleanup(void); + int FIPS_module_mode_set(int onoff); + int FIPS_module_mode(void); + int FIPS_module_installed(void); +--- a/include/openssl/fips_rand.h ++++ b/include/openssl/fips_rand.h +@@ -125,6 +125,7 @@ extern "C" { + + DRBG_CTX *FIPS_get_default_drbg(void); + const RAND_METHOD *FIPS_drbg_method(void); ++ void FIPS_drbg_lock_cleanup(void); + + int FIPS_rand_set_method(const RAND_METHOD *meth); + const RAND_METHOD *FIPS_rand_get_method(void); diff --git a/openssl-1.1.1-fips-post-rand.patch b/openssl-1.1.1-fips-post-rand.patch new file mode 100644 index 0000000..8b0db97 --- /dev/null +++ b/openssl-1.1.1-fips-post-rand.patch @@ -0,0 +1,194 @@ +Index: openssl-1.1.1i/crypto/fips/fips.c +=================================================================== +--- openssl-1.1.1i.orig/crypto/fips/fips.c 2020-12-08 16:46:23.666760618 +0100 ++++ openssl-1.1.1i/crypto/fips/fips.c 2020-12-08 16:46:25.626772700 +0100 +@@ -68,6 +68,7 @@ + + # include + # include "internal/thread_once.h" ++# include "crypto/rand.h" + + # ifndef PATH_MAX + # define PATH_MAX 1024 +@@ -76,6 +77,7 @@ + static int fips_selftest_fail = 0; + static int fips_mode = 0; + static int fips_started = 0; ++static int fips_post = 0; + + static int fips_is_owning_thread(void); + static int fips_set_owning_thread(void); +@@ -158,6 +160,11 @@ void fips_set_selftest_fail(void) + fips_selftest_fail = 1; + } + ++int fips_in_post(void) ++{ ++ return fips_post; ++} ++ + /* we implement what libfipscheck does ourselves */ + + static int +@@ -445,6 +452,8 @@ int FIPS_module_mode_set(int onoff) + } + # endif + ++ fips_post = 1; ++ + if (!FIPS_selftest()) { + fips_selftest_fail = 1; + ret = 0; +@@ -459,7 +468,12 @@ int FIPS_module_mode_set(int onoff) + goto end; + } + ++ fips_post = 0; ++ + fips_set_mode(onoff); ++ /* force RNG reseed with entropy from getrandom() on next call */ ++ rand_force_reseed(); ++ + ret = 1; + goto end; + } +Index: openssl-1.1.1i/include/crypto/fips_int.h +=================================================================== +--- openssl-1.1.1i.orig/include/crypto/fips_int.h 2020-12-08 16:46:23.666760618 +0100 ++++ openssl-1.1.1i/include/crypto/fips_int.h 2020-12-08 16:46:25.626772700 +0100 +@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void); + int FIPS_selftest_drbg(void); + int FIPS_selftest_cmac(void); + ++int fips_in_post(void); ++ + int fips_pkey_signature_test(EVP_PKEY *pkey, + const unsigned char *tbs, int tbslen, + const unsigned char *kat, +Index: openssl-1.1.1i/include/crypto/rand.h +=================================================================== +--- openssl-1.1.1i.orig/include/crypto/rand.h 2020-12-08 16:46:23.670760642 +0100 ++++ openssl-1.1.1i/include/crypto/rand.h 2020-12-08 16:46:25.626772700 +0100 +@@ -24,6 +24,7 @@ + typedef struct rand_pool_st RAND_POOL; + + void rand_cleanup_int(void); ++void rand_force_reseed(void); + void rand_drbg_cleanup_int(void); + void drbg_delete_thread_state(void); + +Index: openssl-1.1.1i/crypto/rand/drbg_lib.c +=================================================================== +--- openssl-1.1.1i.orig/crypto/rand/drbg_lib.c 2020-12-08 16:46:23.670760642 +0100 ++++ openssl-1.1.1i/crypto/rand/drbg_lib.c 2020-12-08 16:46:25.626772700 +0100 +@@ -1005,6 +1005,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg + return min_entropy > min_entropylen ? min_entropy : min_entropylen; + } + ++void rand_force_reseed(void) ++{ ++ RAND_DRBG *drbg; ++ ++ drbg = RAND_DRBG_get0_master(); ++ drbg->fork_id = 0; ++ ++ drbg = RAND_DRBG_get0_private(); ++ drbg->fork_id = 0; ++ ++ drbg = RAND_DRBG_get0_public(); ++ drbg->fork_id = 0; ++} ++ + /* Implements the default OpenSSL RAND_add() method */ + static int drbg_add(const void *buf, int num, double randomness) + { +Index: openssl-1.1.1i/crypto/rand/rand_unix.c +=================================================================== +--- openssl-1.1.1i.orig/crypto/rand/rand_unix.c 2020-12-08 16:46:23.670760642 +0100 ++++ openssl-1.1.1i/crypto/rand/rand_unix.c 2020-12-08 16:47:33.695192297 +0100 +@@ -17,10 +17,12 @@ + #include + #include "rand_local.h" + #include "crypto/rand.h" ++#include "crypto/fips_int.h" + #include + #include "internal/dso.h" + #ifdef __linux + # include ++# include + # ifdef DEVRANDOM_WAIT + # include + # include +@@ -344,7 +346,7 @@ static ssize_t sysctl_random(char *buf, + * syscall_random(): Try to get random data using a system call + * returns the number of bytes returned in buf, or < 0 on error. + */ +-static ssize_t syscall_random(void *buf, size_t buflen) ++static ssize_t syscall_random(void *buf, size_t buflen, int nonblock) + { + /* + * Note: 'buflen' equals the size of the buffer which is used by the +@@ -369,6 +371,7 @@ static ssize_t syscall_random(void *buf, + * Note: Sometimes getentropy() can be provided but not implemented + * internally. So we need to check errno for ENOSYS + */ ++# if 0 + # if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) + extern int getentropy(void *buffer, size_t length) __attribute__((weak)); + +@@ -394,10 +397,10 @@ static ssize_t syscall_random(void *buf, + if (p_getentropy.p != NULL) + return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1; + # endif +- ++# endif + /* Linux supports this since version 3.17 */ +-# if defined(__linux) && defined(__NR_getrandom) +- return syscall(__NR_getrandom, buf, buflen, 0); ++# if defined(__linux) && defined(SYS_getrandom) ++ return syscall(SYS_getrandom, buf, buflen, nonblock?GRND_NONBLOCK:0); + # elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) + return sysctl_random(buf, buflen); + # else +@@ -633,6 +636,9 @@ size_t rand_pool_acquire_entropy(RAND_PO + size_t entropy_available; + + # if defined(OPENSSL_RAND_SEED_GETRANDOM) ++ int in_post; ++ ++ for (in_post = fips_in_post(); in_post >= 0; --in_post) { + { + size_t bytes_needed; + unsigned char *buffer; +@@ -643,7 +649,7 @@ size_t rand_pool_acquire_entropy(RAND_PO + bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); + while (bytes_needed != 0 && attempts-- > 0) { + buffer = rand_pool_add_begin(pool, bytes_needed); +- bytes = syscall_random(buffer, bytes_needed); ++ bytes = syscall_random(buffer, bytes_needed, in_post); + if (bytes > 0) { + rand_pool_add_end(pool, bytes, 8 * bytes); + bytes_needed -= bytes; +@@ -678,8 +684,10 @@ size_t rand_pool_acquire_entropy(RAND_PO + int attempts = 3; + const int fd = get_random_device(i); + +- if (fd == -1) ++ if (fd == -1) { ++ OPENSSL_showfatal("Random device %s cannot be opened.\n", random_device_paths[i]); + continue; ++ } + + while (bytes_needed != 0 && attempts-- > 0) { + buffer = rand_pool_add_begin(pool, bytes_needed); +@@ -742,7 +750,9 @@ size_t rand_pool_acquire_entropy(RAND_PO + return entropy_available; + } + # endif +- ++# ifdef OPENSSL_RAND_SEED_GETRANDOM ++ } ++# endif + return rand_pool_entropy_available(pool); + # endif + } diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch new file mode 100644 index 0000000..7c4631f --- /dev/null +++ b/openssl-1.1.1-fips.patch @@ -0,0 +1,11992 @@ +Index: openssl-1.1.1n/apps/pkcs12.c +=================================================================== +--- openssl-1.1.1n.orig/apps/pkcs12.c ++++ openssl-1.1.1n/apps/pkcs12.c +@@ -123,7 +123,7 @@ int pkcs12_main(int argc, char **argv) + int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0; + int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER; + #ifndef OPENSSL_NO_RC2 +- int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; ++ int cert_pbe = FIPS_mode() ? NID_pbe_WithSHA1And3_Key_TripleDES_CBC : NID_pbe_WithSHA1And40BitRC2_CBC; + #else + int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; + #endif +Index: openssl-1.1.1n/apps/speed.c +=================================================================== +--- openssl-1.1.1n.orig/apps/speed.c ++++ openssl-1.1.1n/apps/speed.c +@@ -1678,7 +1678,8 @@ int speed_main(int argc, char **argv) + continue; + if (strcmp(*argv, "rsa") == 0) { + for (loop = 0; loop < OSSL_NELEM(rsa_doit); loop++) +- rsa_doit[loop] = 1; ++ if (!FIPS_mode() || loop != R_RSA_512) ++ rsa_doit[loop] = 1; + continue; + } + if (found(*argv, rsa_choices, &i)) { +@@ -1688,7 +1689,9 @@ int speed_main(int argc, char **argv) + #endif + #ifndef OPENSSL_NO_DSA + if (strcmp(*argv, "dsa") == 0) { +- dsa_doit[R_DSA_512] = dsa_doit[R_DSA_1024] = ++ if (!FIPS_mode()) ++ dsa_doit[R_DSA_512] = 1; ++ dsa_doit[R_DSA_1024] = + dsa_doit[R_DSA_2048] = 1; + continue; + } +@@ -1719,19 +1722,21 @@ int speed_main(int argc, char **argv) + } + if (strcmp(*argv, "ecdh") == 0) { + for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++) +- ecdh_doit[loop] = 1; ++ if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448)) ++ ecdh_doit[loop] = 1; + continue; + } + if (found(*argv, ecdh_choices, &i)) { +- ecdh_doit[i] = 2; ++ if(!FIPS_mode() || (i != R_EC_X25519 && i != R_EC_X448)) ++ ecdh_doit[i] = 2; + continue; + } +- if (strcmp(*argv, "eddsa") == 0) { ++ if (!FIPS_mode() && strcmp(*argv, "eddsa") == 0) { + for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++) + eddsa_doit[loop] = 1; + continue; + } +- if (found(*argv, eddsa_choices, &i)) { ++ if (!FIPS_mode() && found(*argv, eddsa_choices, &i)) { + eddsa_doit[i] = 2; + continue; + } +@@ -1820,23 +1825,31 @@ int speed_main(int argc, char **argv) + /* No parameters; turn on everything. */ + if ((argc == 0) && !doit[D_EVP]) { + for (i = 0; i < ALGOR_NUM; i++) +- if (i != D_EVP) ++ if (i != D_EVP && ++ (!FIPS_mode() || (i != D_WHIRLPOOL && ++ i != D_MD2 && i != D_MD4 && ++ i != D_MD5 && i != D_MDC2 && ++ i != D_RMD160))) + doit[i] = 1; + #ifndef OPENSSL_NO_RSA + for (i = 0; i < RSA_NUM; i++) +- rsa_doit[i] = 1; ++ if (!FIPS_mode() || i != R_RSA_512) ++ rsa_doit[i] = 1; + #endif + #ifndef OPENSSL_NO_DSA + for (i = 0; i < DSA_NUM; i++) +- dsa_doit[i] = 1; ++ if (!FIPS_mode() || i != R_DSA_512) ++ dsa_doit[i] = 1; + #endif + #ifndef OPENSSL_NO_EC + for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++) + ecdsa_doit[loop] = 1; + for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++) +- ecdh_doit[loop] = 1; +- for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++) +- eddsa_doit[loop] = 1; ++ if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448)) ++ ecdh_doit[loop] = 1; ++ if (!FIPS_mode()) ++ for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++) ++ eddsa_doit[loop] = 1; + #endif + } + for (i = 0; i < ALGOR_NUM; i++) +@@ -1884,30 +1897,46 @@ int speed_main(int argc, char **argv) + AES_set_encrypt_key(key24, 192, &aes_ks2); + AES_set_encrypt_key(key32, 256, &aes_ks3); + #ifndef OPENSSL_NO_CAMELLIA +- Camellia_set_key(key16, 128, &camellia_ks1); +- Camellia_set_key(ckey24, 192, &camellia_ks2); +- Camellia_set_key(ckey32, 256, &camellia_ks3); ++ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) { ++ Camellia_set_key(key16, 128, &camellia_ks1); ++ Camellia_set_key(ckey24, 192, &camellia_ks2); ++ Camellia_set_key(ckey32, 256, &camellia_ks3); ++ } + #endif + #ifndef OPENSSL_NO_IDEA +- IDEA_set_encrypt_key(key16, &idea_ks); ++ if (doit[D_CBC_IDEA]) { ++ IDEA_set_encrypt_key(key16, &idea_ks); ++ } + #endif + #ifndef OPENSSL_NO_SEED +- SEED_set_key(key16, &seed_ks); ++ if (doit[D_CBC_SEED]) { ++ SEED_set_key(key16, &seed_ks); ++ } + #endif + #ifndef OPENSSL_NO_RC4 +- RC4_set_key(&rc4_ks, 16, key16); ++ if (doit[D_RC4]) { ++ RC4_set_key(&rc4_ks, 16, key16); ++ } + #endif + #ifndef OPENSSL_NO_RC2 +- RC2_set_key(&rc2_ks, 16, key16, 128); ++ if (doit[D_CBC_RC2]) { ++ RC2_set_key(&rc2_ks, 16, key16, 128); ++ } + #endif + #ifndef OPENSSL_NO_RC5 +- RC5_32_set_key(&rc5_ks, 16, key16, 12); ++ if (doit[D_CBC_RC5]) { ++ RC5_32_set_key(&rc5_ks, 16, key16, 12); ++ } + #endif + #ifndef OPENSSL_NO_BF +- BF_set_key(&bf_ks, 16, key16); ++ if (doit[D_CBC_BF]) { ++ BF_set_key(&bf_ks, 16, key16); ++ } + #endif + #ifndef OPENSSL_NO_CAST +- CAST_set_key(&cast_ks, 16, key16); ++ if (doit[D_CBC_CAST]) { ++ CAST_set_key(&cast_ks, 16, key16); ++ } + #endif + #ifndef SIGALRM + # ifndef OPENSSL_NO_DES +@@ -2205,6 +2234,7 @@ int speed_main(int argc, char **argv) + + for (i = 0; i < loopargs_len; i++) { + loopargs[i].hctx = HMAC_CTX_new(); ++ HMAC_CTX_set_flags(loopargs[i].hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + if (loopargs[i].hctx == NULL) { + BIO_printf(bio_err, "HMAC malloc failure, exiting..."); + exit(1); +Index: openssl-1.1.1n/Configure +=================================================================== +--- openssl-1.1.1n.orig/Configure ++++ openssl-1.1.1n/Configure +@@ -325,7 +325,7 @@ $config{sdirs} = [ + "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3", + "des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes", + "bn", "ec", "rsa", "dsa", "dh", "sm2", "dso", "engine", +- "buffer", "bio", "stack", "lhash", "rand", "err", ++ "buffer", "bio", "stack", "lhash", "rand", "err", "fips", + "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui", + "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" + ]; +Index: openssl-1.1.1n/crypto/cmac/cm_pmeth.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/cmac/cm_pmeth.c ++++ openssl-1.1.1n/crypto/cmac/cm_pmeth.c +@@ -129,7 +129,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C + + const EVP_PKEY_METHOD cmac_pkey_meth = { + EVP_PKEY_CMAC, +- EVP_PKEY_FLAG_SIGCTX_CUSTOM, ++ EVP_PKEY_FLAG_SIGCTX_CUSTOM | EVP_PKEY_FLAG_FIPS, + pkey_cmac_init, + pkey_cmac_copy, + pkey_cmac_cleanup, +Index: openssl-1.1.1n/crypto/dh/dh_err.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/dh/dh_err.c ++++ openssl-1.1.1n/crypto/dh/dh_err.c +@@ -25,6 +25,9 @@ static const ERR_STRING_DATA DH_str_func + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0), + "dh_cms_set_shared_info"}, ++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_COMPUTE_KEY, 0), "DH_compute_key"}, ++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_KEY, 0), "DH_generate_key"}, ++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_PARAMETERS_EX, 0), "DH_generate_parameters_ex"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_DUP, 0), "DH_meth_dup"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_NEW, 0), "DH_meth_new"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_SET1_NAME, 0), "DH_meth_set1_name"}, +@@ -72,12 +75,14 @@ static const ERR_STRING_DATA DH_str_reas + {ERR_PACK(ERR_LIB_DH, 0, DH_R_INVALID_PUBKEY), "invalid public key"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_KDF_PARAMETER_ERROR), "kdf parameter error"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEYS_NOT_SET), "keys not set"}, ++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEY_SIZE_TOO_SMALL), "key size too small"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_MISSING_PUBKEY), "missing pubkey"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_LARGE), "modulus too large"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_NOT_SUITABLE_GENERATOR), + "not suitable generator"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PARAMETERS_SET), "no parameters set"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PRIVATE_VALUE), "no private value"}, ++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_NON_FIPS_METHOD), "non FIPS method"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), + "parameter encoding error"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, +Index: openssl-1.1.1n/crypto/dh/dh_gen.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/dh/dh_gen.c ++++ openssl-1.1.1n/crypto/dh/dh_gen.c +@@ -16,6 +16,9 @@ + #include "internal/cryptlib.h" + #include + #include "dh_local.h" ++#ifdef OPENSSL_FIPS ++# include ++#endif + + static int dh_builtin_genparams(DH *ret, int prime_len, int generator, + BN_GENCB *cb); +@@ -23,6 +26,13 @@ static int dh_builtin_genparams(DH *ret, + int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, + BN_GENCB *cb) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD) ++ && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) { ++ DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD); ++ return 0; ++ } ++#endif + if (ret->meth->generate_params) + return ret->meth->generate_params(ret, prime_len, generator, cb); + return dh_builtin_genparams(ret, prime_len, generator, cb); +@@ -65,6 +75,18 @@ static int dh_builtin_genparams(DH *ret, + int g, ok = -1; + BN_CTX *ctx = NULL; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) { ++ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); ++ goto err; ++ } ++#endif ++ + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +Index: openssl-1.1.1n/crypto/dh/dh_key.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/dh/dh_key.c ++++ openssl-1.1.1n/crypto/dh/dh_key.c +@@ -11,6 +11,9 @@ + #include "internal/cryptlib.h" + #include "dh_local.h" + #include "crypto/bn.h" ++#ifdef OPENSSL_FIPS ++# include ++#endif + + static int generate_key(DH *dh); + static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); +@@ -22,6 +25,13 @@ static int dh_finish(DH *dh); + + int DH_generate_key(DH *dh) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD) ++ && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) { ++ DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD); ++ return 0; ++ } ++#endif + return dh->meth->generate_key(dh); + } + +@@ -31,6 +41,13 @@ int DH_generate_key(DH *dh) + */ + int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD) ++ && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) { ++ DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD); ++ return 0; ++ } ++#endif + int ret = 0, i; + volatile size_t npad = 0, mask = 1; + +@@ -59,7 +76,7 @@ int DH_compute_key_padded(unsigned char + int rv, pad; + + /* rv is constant unless compute_key is external */ +- rv = dh->meth->compute_key(key, pub_key, dh); ++ rv = DH_compute_key(key, pub_key, dh); + if (rv <= 0) + return rv; + pad = BN_num_bytes(dh->p) - rv; +@@ -109,6 +126,14 @@ static int generate_key(DH *dh) + BN_MONT_CTX *mont = NULL; + BIGNUM *pub_key = NULL, *priv_key = NULL; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() ++ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL); ++ return 0; ++ } ++#endif ++ + if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { + DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); + return 0; +@@ -206,6 +231,13 @@ static int compute_key(unsigned char *ke + DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE); + goto err; + } ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() ++ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { ++ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL); ++ goto err; ++ } ++#endif + + ctx = BN_CTX_new(); + if (ctx == NULL) +@@ -255,6 +287,9 @@ static int dh_bn_mod_exp(const DH *dh, B + + static int dh_init(DH *dh) + { ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + dh->flags |= DH_FLAG_CACHE_MONT_P; + return 1; + } +Index: openssl-1.1.1n/crypto/dh/dh_pmeth.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/dh/dh_pmeth.c ++++ openssl-1.1.1n/crypto/dh/dh_pmeth.c +@@ -480,7 +480,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX * + + const EVP_PKEY_METHOD dh_pkey_meth = { + EVP_PKEY_DH, +- 0, ++ EVP_PKEY_FLAG_FIPS, + pkey_dh_init, + pkey_dh_copy, + pkey_dh_cleanup, +@@ -514,7 +514,7 @@ const EVP_PKEY_METHOD dh_pkey_meth = { + + const EVP_PKEY_METHOD dhx_pkey_meth = { + EVP_PKEY_DHX, +- 0, ++ EVP_PKEY_FLAG_FIPS, + pkey_dh_init, + pkey_dh_copy, + pkey_dh_cleanup, +Index: openssl-1.1.1n/crypto/dsa/dsa_err.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/dsa/dsa_err.c ++++ openssl-1.1.1n/crypto/dsa/dsa_err.c +@@ -16,12 +16,15 @@ + static const ERR_STRING_DATA DSA_str_functs[] = { + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT, 0), "DSAparams_print"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT_FP, 0), "DSAparams_print_fp"}, ++ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_KEYGEN, 0), "dsa_builtin_keygen"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN, 0), + "dsa_builtin_paramgen"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN2, 0), + "dsa_builtin_paramgen2"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_SIGN, 0), "DSA_do_sign"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_VERIFY, 0), "DSA_do_verify"}, ++ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_KEY, 0), "DSA_generate_key"}, ++ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_PARAMETERS_EX, 0), "DSA_generate_parameters_ex"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_DUP, 0), "DSA_meth_dup"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_NEW, 0), "DSA_meth_new"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_SET1_NAME, 0), "DSA_meth_set1_name"}, +@@ -51,11 +54,14 @@ static const ERR_STRING_DATA DSA_str_rea + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_DIGEST_TYPE), + "invalid digest type"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_PARAMETERS), "invalid parameters"}, ++ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_INVALID), "key size invalid"}, ++ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PARAMETERS), "missing parameters"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PRIVATE_KEY), + "missing private key"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"}, ++ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD), "non FIPS DSA method"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR), + "parameter encoding error"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"}, +Index: openssl-1.1.1n/crypto/dsa/dsa_gen.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/dsa/dsa_gen.c ++++ openssl-1.1.1n/crypto/dsa/dsa_gen.c +@@ -22,12 +22,22 @@ + #include + #include + #include "dsa_local.h" ++#ifdef OPENSSL_FIPS ++# include ++#endif + + int DSA_generate_parameters_ex(DSA *ret, int bits, + const unsigned char *seed_in, int seed_len, + int *counter_ret, unsigned long *h_ret, + BN_GENCB *cb) + { ++# ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD) ++ && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW)) { ++ DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD); ++ return 0; ++ } ++# endif + if (ret->meth->dsa_paramgen) + return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len, + counter_ret, h_ret, cb); +@@ -35,9 +45,15 @@ int DSA_generate_parameters_ex(DSA *ret, + const EVP_MD *evpmd = bits >= 2048 ? EVP_sha256() : EVP_sha1(); + size_t qbits = EVP_MD_size(evpmd) * 8; + ++# ifdef OPENSSL_FIPS ++ return dsa_builtin_paramgen2(ret, bits, qbits, evpmd, ++ seed_in, seed_len, -1, NULL, counter_ret, ++ h_ret, cb); ++# else + return dsa_builtin_paramgen(ret, bits, qbits, evpmd, + seed_in, seed_len, NULL, counter_ret, + h_ret, cb); ++# endif + } + } + +@@ -309,7 +325,7 @@ int dsa_builtin_paramgen2(DSA *ret, size + int *counter_ret, unsigned long *h_ret, + BN_GENCB *cb) + { +- int ok = -1; ++ int ok = 0; + unsigned char *seed = NULL, *seed_tmp = NULL; + unsigned char md[EVP_MAX_MD_SIZE]; + int mdsize; +@@ -332,6 +348,20 @@ int dsa_builtin_paramgen2(DSA *ret, size + goto err; + } + ++# ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN2, FIPS_R_FIPS_SELFTEST_FAILED); ++ goto err; ++ } ++ ++ if (FIPS_mode() && ++ (L != 2048 || N != 224) && (L != 2048 || N != 256) && ++ (L != 3072 || N != 256)) { ++ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID); ++ goto err; ++ } ++# endif ++ + if (evpmd == NULL) { + if (N == 160) + evpmd = EVP_sha1(); +@@ -432,9 +462,10 @@ int dsa_builtin_paramgen2(DSA *ret, size + goto err; + /* Provided seed didn't produce a prime: error */ + if (seed_in) { +- ok = 0; +- DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_Q_NOT_PRIME); +- goto err; ++ /* Different seed_out will indicate that seed_in ++ * did not generate primes. ++ */ ++ seed_in = NULL; + } + + /* do a callback call */ +@@ -520,11 +551,14 @@ int dsa_builtin_paramgen2(DSA *ret, size + if (counter >= (int)(4 * L)) + break; + } ++#if 0 ++ /* Cannot happen */ + if (seed_in) { + ok = 0; + DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS); + goto err; + } ++#endif + } + end: + if (!BN_GENCB_call(cb, 2, 1)) +@@ -595,7 +629,7 @@ int dsa_builtin_paramgen2(DSA *ret, size + BN_free(ret->g); + ret->g = BN_dup(g); + if (ret->p == NULL || ret->q == NULL || ret->g == NULL) { +- ok = -1; ++ ok = 0; + goto err; + } + if (counter_ret != NULL) +@@ -612,3 +646,53 @@ int dsa_builtin_paramgen2(DSA *ret, size + EVP_MD_CTX_free(mctx); + return ok; + } ++ ++#ifdef OPENSSL_FIPS ++ ++int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, ++ const EVP_MD *evpmd, const unsigned char *seed_in, ++ size_t seed_len, int idx, unsigned char *seed_out, ++ int *counter_ret, unsigned long *h_ret, ++ BN_GENCB *cb) ++{ ++ return dsa_builtin_paramgen2(ret, L, N, evpmd, seed_in, seed_len, ++ idx, seed_out, counter_ret, h_ret, cb); ++} ++ ++int FIPS_dsa_paramgen_check_g(DSA *dsa) ++{ ++ BN_CTX *ctx; ++ BIGNUM *tmp; ++ BN_MONT_CTX *mont = NULL; ++ int rv = -1; ++ ++ ctx = BN_CTX_new(); ++ if (ctx == NULL) ++ return -1; ++ if (BN_cmp(dsa->g, BN_value_one()) <= 0) ++ return 0; ++ if (BN_cmp(dsa->g, dsa->p) >= 0) ++ return 0; ++ BN_CTX_start(ctx); ++ tmp = BN_CTX_get(ctx); ++ if (tmp == NULL) ++ goto err; ++ if ((mont=BN_MONT_CTX_new()) == NULL) ++ goto err; ++ if (!BN_MONT_CTX_set(mont,dsa->p,ctx)) ++ goto err; ++ /* Work out g^q mod p */ ++ if (!BN_mod_exp_mont(tmp,dsa->g,dsa->q, dsa->p, ctx, mont)) ++ goto err; ++ if (!BN_cmp(tmp, BN_value_one())) ++ rv = 1; ++ else ++ rv = 0; ++ err: ++ BN_CTX_end(ctx); ++ BN_MONT_CTX_free(mont); ++ BN_CTX_free(ctx); ++ return rv; ++} ++ ++#endif +Index: openssl-1.1.1n/crypto/dsa/dsa_key.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/dsa/dsa_key.c ++++ openssl-1.1.1n/crypto/dsa/dsa_key.c +@@ -13,10 +13,49 @@ + #include + #include "dsa_local.h" + ++#ifdef OPENSSL_FIPS ++# include ++# include "crypto/fips_int.h" ++ ++static int fips_check_dsa(DSA *dsa) ++{ ++ EVP_PKEY *pk; ++ unsigned char tbs[] = "DSA Pairwise Check Data"; ++ int ret = 0; ++ ++ if ((pk = EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_set1_DSA(pk, dsa); ++ ++ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL)) ++ ret = 1; ++ ++ err: ++ if (ret == 0) { ++ FIPSerr(FIPS_F_FIPS_CHECK_DSA, FIPS_R_PAIRWISE_TEST_FAILED); ++ fips_set_selftest_fail(); ++ } ++ ++ if (pk) ++ EVP_PKEY_free(pk); ++ ++ return ret; ++} ++ ++#endif ++ + static int dsa_builtin_keygen(DSA *dsa); + + int DSA_generate_key(DSA *dsa) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD) ++ && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) { ++ DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD); ++ return 0; ++ } ++#endif + if (dsa->meth->dsa_keygen) + return dsa->meth->dsa_keygen(dsa); + return dsa_builtin_keygen(dsa); +@@ -28,6 +67,14 @@ static int dsa_builtin_keygen(DSA *dsa) + BN_CTX *ctx = NULL; + BIGNUM *pub_key = NULL, *priv_key = NULL; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) ++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) { ++ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL); ++ goto err; ++ } ++#endif ++ + if ((ctx = BN_CTX_new()) == NULL) + goto err; + +@@ -65,6 +112,13 @@ static int dsa_builtin_keygen(DSA *dsa) + + dsa->priv_key = priv_key; + dsa->pub_key = pub_key; ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !fips_check_dsa(dsa)) { ++ dsa->pub_key = NULL; ++ dsa->priv_key = NULL; ++ goto err; ++ } ++#endif + ok = 1; + + err: +Index: openssl-1.1.1n/crypto/dsa/dsa_ossl.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/dsa/dsa_ossl.c ++++ openssl-1.1.1n/crypto/dsa/dsa_ossl.c +@@ -14,6 +14,9 @@ + #include + #include "dsa_local.h" + #include ++#ifdef OPENSSL_FIPS ++# include ++#endif + + static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); + static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, +@@ -77,6 +80,19 @@ static DSA_SIG *dsa_do_sign(const unsign + goto err; + } + ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_DSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED); ++ return NULL; ++ } ++ ++ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) ++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) { ++ DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL); ++ return NULL; ++ } ++#endif ++ + ret = DSA_SIG_new(); + if (ret == NULL) + goto err; +@@ -315,6 +331,18 @@ static int dsa_do_verify(const unsigned + DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE); + return -1; + } ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_DSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED); ++ return -1; ++ } ++ ++ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) ++ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) { ++ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL); ++ return -1; ++ } ++#endif + + if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) { + DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE); +@@ -403,6 +431,9 @@ static int dsa_do_verify(const unsigned + + static int dsa_init(DSA *dsa) + { ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + dsa->flags |= DSA_FLAG_CACHE_MONT_P; + return 1; + } +Index: openssl-1.1.1n/crypto/dsa/dsa_pmeth.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/dsa/dsa_pmeth.c ++++ openssl-1.1.1n/crypto/dsa/dsa_pmeth.c +@@ -211,8 +211,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT + BN_GENCB_free(pcb); + return 0; + } +- ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd, +- NULL, 0, NULL, NULL, NULL, pcb); ++ ret = dsa_builtin_paramgen2(dsa, dctx->nbits, dctx->qbits, dctx->pmd, ++ NULL, 0, -1, NULL, NULL, NULL, pcb); + BN_GENCB_free(pcb); + if (ret) + EVP_PKEY_assign_DSA(pkey, dsa); +@@ -241,7 +241,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX + + const EVP_PKEY_METHOD dsa_pkey_meth = { + EVP_PKEY_DSA, +- EVP_PKEY_FLAG_AUTOARGLEN, ++ EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS, + pkey_dsa_init, + pkey_dsa_copy, + pkey_dsa_cleanup, +Index: openssl-1.1.1n/crypto/ec/ecdh_ossl.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/ec/ecdh_ossl.c ++++ openssl-1.1.1n/crypto/ec/ecdh_ossl.c +@@ -19,9 +19,20 @@ + #include + #include "ec_local.h" + ++#ifdef OPENSSL_FIPS ++# include ++#endif ++ + int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen, + const EC_POINT *pub_key, const EC_KEY *ecdh) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED); ++ return -1; ++ } ++#endif ++ + if (ecdh->group->meth->ecdh_compute_key == NULL) { + ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH); + return 0; +Index: openssl-1.1.1n/crypto/ec/ecdsa_ossl.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/ec/ecdsa_ossl.c ++++ openssl-1.1.1n/crypto/ec/ecdsa_ossl.c +@@ -14,6 +14,11 @@ + #include "crypto/bn.h" + #include "ec_local.h" + ++#ifdef OPENSSL_FIPS ++# include ++#endif ++ ++ + int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, + BIGNUM **rp) + { +@@ -198,6 +203,13 @@ ECDSA_SIG *ecdsa_simple_sign_sig(const u + ECDSA_SIG *ret; + const BIGNUM *priv_key; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_OSSL_ECDSA_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED); ++ return NULL; ++ } ++#endif ++ + group = EC_KEY_get0_group(eckey); + priv_key = EC_KEY_get0_private_key(eckey); + +@@ -360,6 +372,13 @@ int ecdsa_simple_verify_sig(const unsign + const EC_GROUP *group; + const EC_POINT *pub_key; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED); ++ return -1; ++ } ++#endif ++ + /* check input values */ + if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || + (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { +Index: openssl-1.1.1n/crypto/ec/ec_key.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/ec/ec_key.c ++++ openssl-1.1.1n/crypto/ec/ec_key.c +@@ -179,14 +179,62 @@ ENGINE *EC_KEY_get0_engine(const EC_KEY + return eckey->engine; + } + ++#ifdef OPENSSL_FIPS ++ ++# include ++# include "crypto/fips_int.h" ++ ++static int fips_check_ec(EC_KEY *key) ++{ ++ EVP_PKEY *pk; ++ unsigned char tbs[] = "ECDSA Pairwise Check Data"; ++ int ret = 0; ++ ++ if (!EC_KEY_can_sign(key)) /* no test for non-signing keys */ ++ return 1; ++ ++ if ((pk = EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_set1_EC_KEY(pk, key); ++ ++ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL)) ++ ret = 1; ++ ++ err: ++ if (ret == 0) { ++ FIPSerr(FIPS_F_FIPS_CHECK_EC, FIPS_R_PAIRWISE_TEST_FAILED); ++ fips_set_selftest_fail(); ++ } ++ if (pk) ++ EVP_PKEY_free(pk); ++ return ret; ++} ++ ++#endif ++ + int EC_KEY_generate_key(EC_KEY *eckey) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_NOT_INITIALIZED); ++ return 0; ++ } ++#endif + if (eckey == NULL || eckey->group == NULL) { + ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } +- if (eckey->meth->keygen != NULL) +- return eckey->meth->keygen(eckey); ++ if (eckey->meth->keygen != NULL) { ++ int rv = eckey->meth->keygen(eckey); ++ ++#ifdef OPENSSL_FIPS ++ if (rv > 0 && FIPS_mode()) { ++ rv = fips_check_ec(eckey); ++ } ++#endif ++ return rv; ++ } + ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED); + return 0; + } +Index: openssl-1.1.1n/crypto/ec/ec_pmeth.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/ec/ec_pmeth.c ++++ openssl-1.1.1n/crypto/ec/ec_pmeth.c +@@ -438,7 +438,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * + + const EVP_PKEY_METHOD ec_pkey_meth = { + EVP_PKEY_EC, +- 0, ++ EVP_PKEY_FLAG_FIPS, + pkey_ec_init, + pkey_ec_copy, + pkey_ec_cleanup, +Index: openssl-1.1.1n/crypto/evp/c_allc.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/c_allc.c ++++ openssl-1.1.1n/crypto/evp/c_allc.c +@@ -17,6 +17,9 @@ + void openssl_add_all_ciphers_int(void) + { + ++#ifdef OPENSSL_FIPS ++ if (!FIPS_mode()) { ++#endif + #ifndef OPENSSL_NO_DES + EVP_add_cipher(EVP_des_cfb()); + EVP_add_cipher(EVP_des_cfb1()); +@@ -263,4 +266,70 @@ void openssl_add_all_ciphers_int(void) + EVP_add_cipher(EVP_chacha20_poly1305()); + # endif + #endif ++#ifdef OPENSSL_FIPS ++ } else { ++# ifndef OPENSSL_NO_DES ++ EVP_add_cipher(EVP_des_ede3_cfb()); ++ ++ EVP_add_cipher(EVP_des_ede3_ofb()); ++ ++ EVP_add_cipher(EVP_des_ede3_cbc()); ++ EVP_add_cipher_alias(SN_des_ede3_cbc, "DES3"); ++ EVP_add_cipher_alias(SN_des_ede3_cbc, "des3"); ++ ++ EVP_add_cipher(EVP_des_ede3()); ++ EVP_add_cipher_alias(SN_des_ede3_ecb, "DES-EDE3-ECB"); ++ EVP_add_cipher_alias(SN_des_ede3_ecb, "des-ede3-ecb"); ++ EVP_add_cipher(EVP_des_ede3_wrap()); ++ EVP_add_cipher_alias(SN_id_smime_alg_CMS3DESwrap, "des3-wrap"); ++# endif ++ ++# ifndef OPENSSL_NO_AES ++ EVP_add_cipher(EVP_aes_128_ecb()); ++ EVP_add_cipher(EVP_aes_128_cbc()); ++ EVP_add_cipher(EVP_aes_128_cfb()); ++ EVP_add_cipher(EVP_aes_128_cfb1()); ++ EVP_add_cipher(EVP_aes_128_cfb8()); ++ EVP_add_cipher(EVP_aes_128_ofb()); ++ EVP_add_cipher(EVP_aes_128_ctr()); ++ EVP_add_cipher(EVP_aes_128_gcm()); ++ EVP_add_cipher(EVP_aes_128_xts()); ++ EVP_add_cipher(EVP_aes_128_ccm()); ++ EVP_add_cipher(EVP_aes_128_wrap()); ++ EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap"); ++ EVP_add_cipher(EVP_aes_128_wrap_pad()); ++ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128"); ++ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128"); ++ EVP_add_cipher(EVP_aes_192_ecb()); ++ EVP_add_cipher(EVP_aes_192_cbc()); ++ EVP_add_cipher(EVP_aes_192_cfb()); ++ EVP_add_cipher(EVP_aes_192_cfb1()); ++ EVP_add_cipher(EVP_aes_192_cfb8()); ++ EVP_add_cipher(EVP_aes_192_ofb()); ++ EVP_add_cipher(EVP_aes_192_ctr()); ++ EVP_add_cipher(EVP_aes_192_gcm()); ++ EVP_add_cipher(EVP_aes_192_ccm()); ++ EVP_add_cipher(EVP_aes_192_wrap()); ++ EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap"); ++ EVP_add_cipher(EVP_aes_192_wrap_pad()); ++ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192"); ++ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192"); ++ EVP_add_cipher(EVP_aes_256_ecb()); ++ EVP_add_cipher(EVP_aes_256_cbc()); ++ EVP_add_cipher(EVP_aes_256_cfb()); ++ EVP_add_cipher(EVP_aes_256_cfb1()); ++ EVP_add_cipher(EVP_aes_256_cfb8()); ++ EVP_add_cipher(EVP_aes_256_ofb()); ++ EVP_add_cipher(EVP_aes_256_ctr()); ++ EVP_add_cipher(EVP_aes_256_gcm()); ++ EVP_add_cipher(EVP_aes_256_xts()); ++ EVP_add_cipher(EVP_aes_256_ccm()); ++ EVP_add_cipher(EVP_aes_256_wrap()); ++ EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap"); ++ EVP_add_cipher(EVP_aes_256_wrap_pad()); ++ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256"); ++ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256"); ++# endif ++ } ++#endif + } +Index: openssl-1.1.1n/crypto/evp/c_alld.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/c_alld.c ++++ openssl-1.1.1n/crypto/evp/c_alld.c +@@ -16,6 +16,9 @@ + + void openssl_add_all_digests_int(void) + { ++#ifdef OPENSSL_FIPS ++ if (!FIPS_mode()) { ++#endif + #ifndef OPENSSL_NO_MD4 + EVP_add_digest(EVP_md4()); + #endif +@@ -57,4 +60,24 @@ void openssl_add_all_digests_int(void) + EVP_add_digest(EVP_sha3_512()); + EVP_add_digest(EVP_shake128()); + EVP_add_digest(EVP_shake256()); ++#ifdef OPENSSL_FIPS ++ } else { ++ EVP_add_digest(EVP_md5_sha1()); ++ EVP_add_digest(EVP_sha1()); ++ EVP_add_digest_alias(SN_sha1, "ssl3-sha1"); ++ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA); ++ EVP_add_digest(EVP_sha224()); ++ EVP_add_digest(EVP_sha256()); ++ EVP_add_digest(EVP_sha384()); ++ EVP_add_digest(EVP_sha512()); ++ EVP_add_digest(EVP_sha512_224()); ++ EVP_add_digest(EVP_sha512_256()); ++ EVP_add_digest(EVP_sha3_224()); ++ EVP_add_digest(EVP_sha3_256()); ++ EVP_add_digest(EVP_sha3_384()); ++ EVP_add_digest(EVP_sha3_512()); ++ EVP_add_digest(EVP_shake128()); ++ EVP_add_digest(EVP_shake256()); ++ } ++#endif + } +Index: openssl-1.1.1n/crypto/evp/digest.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/digest.c ++++ openssl-1.1.1n/crypto/evp/digest.c +@@ -14,6 +14,9 @@ + #include + #include "crypto/evp.h" + #include "evp_local.h" ++#ifdef OPENSSL_FIPS ++# include ++#endif + + + static void cleanup_old_md_data(EVP_MD_CTX *ctx, int force) +@@ -77,6 +80,12 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons + int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) + { + EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED); ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED); ++ return 0; ++ } ++#endif + #ifndef OPENSSL_NO_ENGINE + /* + * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so +@@ -131,6 +140,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c + } + #endif + if (ctx->digest != type) { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ if (!(type->flags & EVP_MD_FLAG_FIPS) ++ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) { ++ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS); ++ return 0; ++ } ++ } ++#endif + cleanup_old_md_data(ctx, 1); + + ctx->digest = type; +@@ -160,6 +178,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c + + int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) + { ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif ++ + if (count == 0) + return 1; + +@@ -180,6 +202,9 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, + { + int ret; + ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); + ret = ctx->digest->final(ctx, md); + if (size != NULL) +Index: openssl-1.1.1n/crypto/evp/e_aes.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/e_aes.c ++++ openssl-1.1.1n/crypto/evp/e_aes.c +@@ -397,7 +397,7 @@ static int aesni_xts_init_key(EVP_CIPHER + * This addresses Rogaway's vulnerability. + * See comment in aes_xts_init_key() below. + */ +- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) { ++ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) { + EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); + return 0; + } +@@ -817,7 +817,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE + * This addresses Rogaway's vulnerability. + * See comment in aes_xts_init_key() below. + */ +- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) { ++ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) { + EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); + return 0; + } +@@ -2827,9 +2827,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX + return 1; + } + +-BLOCK_CIPHER_generic_pack(NID_aes, 128, 0) +- BLOCK_CIPHER_generic_pack(NID_aes, 192, 0) +- BLOCK_CIPHER_generic_pack(NID_aes, 256, 0) ++BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS) ++ BLOCK_CIPHER_generic_pack(NID_aes, 192, EVP_CIPH_FLAG_FIPS) ++ BLOCK_CIPHER_generic_pack(NID_aes, 256, EVP_CIPH_FLAG_FIPS) + + static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) + { +@@ -2863,6 +2863,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX * + case EVP_CTRL_AEAD_SET_IVLEN: + if (arg <= 0) + return 0; ++# ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) ++ && arg < 12) ++ return 0; ++# endif + /* Allocate memory for IV if needed */ + if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { + if (gctx->iv != c->iv) +@@ -3312,11 +3317,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX + | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH) + + BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM, +- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) ++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | ++ CUSTOM_FLAGS) + BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM, +- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) ++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | ++ CUSTOM_FLAGS) + BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM, +- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) ++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | ++ CUSTOM_FLAGS) + + static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) + { +@@ -3374,7 +3382,7 @@ static int aes_xts_init_key(EVP_CIPHER_C + * BEFORE using the keys in the XTS-AES algorithm to process + * data with them." + */ +- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) { ++ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) { + EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); + return 0; + } +@@ -3478,6 +3486,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX + return 0; + if (!out || !in || len < AES_BLOCK_SIZE) + return 0; ++# ifdef OPENSSL_FIPS ++ /* Requirement of SP800-38E */ ++ if (FIPS_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) && ++ (len > (1UL << 20) * 16)) { ++ EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE); ++ return 0; ++ } ++# endif + if (xctx->stream) + (*xctx->stream) (in, out, len, + xctx->xts.key1, xctx->xts.key2, +@@ -3495,8 +3511,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX + | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ + | EVP_CIPH_CUSTOM_COPY) + +-BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS) +- BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS) ++BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, ++ EVP_CIPH_FLAG_FIPS | XTS_FLAGS) ++ BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, ++ EVP_CIPH_FLAG_FIPS | XTS_FLAGS) + + static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) + { +@@ -3766,11 +3784,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX + #define aes_ccm_cleanup NULL + + BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM, +- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) ++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) + BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM, +- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) ++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) + BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM, +- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) ++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) + + typedef struct { + union { +@@ -3863,7 +3881,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT + return rv ? (int)rv : -1; + } + +-#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \ ++#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \ + | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ + | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1) + +Index: openssl-1.1.1n/crypto/evp/e_des3.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/e_des3.c ++++ openssl-1.1.1n/crypto/evp/e_des3.c +@@ -211,16 +211,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, + # define des_ede3_cbc_cipher des_ede_cbc_cipher + # define des_ede3_ecb_cipher des_ede_ecb_cipher + BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64, +- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, +- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl) ++ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | ++ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, NULL, ++ des3_ctrl) + + BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1, +- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, +- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl) ++ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | ++ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, ++ NULL, des3_ctrl) + + BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8, +- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, +- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl) ++ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | ++ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, ++ NULL, des3_ctrl) + + static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc) +Index: openssl-1.1.1n/crypto/evp/e_null.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/e_null.c ++++ openssl-1.1.1n/crypto/evp/e_null.c +@@ -19,7 +19,8 @@ static int null_cipher(EVP_CIPHER_CTX *c + const unsigned char *in, size_t inl); + static const EVP_CIPHER n_cipher = { + NID_undef, +- 1, 0, 0, 0, ++ 1, 0, 0, ++ EVP_CIPH_FLAG_FIPS, + null_init_key, + null_cipher, + NULL, +Index: openssl-1.1.1n/crypto/evp/evp_enc.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/evp_enc.c ++++ openssl-1.1.1n/crypto/evp/evp_enc.c +@@ -18,10 +18,19 @@ + #include + #include "crypto/evp.h" + #include "evp_local.h" ++#ifdef OPENSSL_FIPS ++# include ++#endif + + int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c) + { +- if (c == NULL) ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_EVP_CIPHER_CTX_RESET, FIPS_R_FIPS_SELFTEST_FAILED); ++ return 0; ++ } ++#endif ++ if (c == NULL) + return 1; + if (c->cipher != NULL) { + if (c->cipher->cleanup && !c->cipher->cleanup(c)) +@@ -40,6 +49,12 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX + + EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_EVP_CIPHER_CTX_NEW, FIPS_R_FIPS_SELFTEST_FAILED); ++ return NULL; ++ } ++#endif + return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX)); + } + +@@ -68,6 +83,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct + enc = 1; + ctx->encrypt = enc; + } ++#ifdef OPENSSL_FIPS ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_EVP_CIPHERINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED); ++ return 0; ++ } ++#endif + #ifndef OPENSSL_NO_ENGINE + /* + * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so +@@ -137,7 +158,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct + } + ctx->key_len = cipher->key_len; + /* Preserve wrap enable flag, zero everything else */ +- ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW; ++ ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW | EVP_CIPH_FLAG_NON_FIPS_ALLOW; + if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) { + if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) { + ctx->cipher = NULL; +@@ -196,6 +217,18 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct + return 0; + } + } ++#ifdef OPENSSL_FIPS ++ /* After 'key' is set no further parameters changes are permissible. ++ * So only check for non FIPS enabling at this point. ++ */ ++ if (key && FIPS_mode()) { ++ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS) ++ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) { ++ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS); ++ return 0; ++ } ++ } ++#endif + + if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { + if (!ctx->cipher->init(ctx, key, iv, enc)) +Index: openssl-1.1.1n/crypto/evp/evp_err.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/evp_err.c ++++ openssl-1.1.1n/crypto/evp/evp_err.c +@@ -23,6 +23,7 @@ static const ERR_STRING_DATA EVP_str_fun + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0), + "aes_t4_xts_init_key"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_WRAP_CIPHER, 0), "aes_wrap_cipher"}, ++ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_CIPHER, 0), "aes_xts_cipher"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_INIT_KEY, 0), "aes_xts_init_key"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_ALG_MODULE_INIT, 0), "alg_module_init"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_CCM_INIT_KEY, 0), "aria_ccm_init_key"}, +@@ -186,6 +187,7 @@ static const ERR_STRING_DATA EVP_str_rea + "different key types"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_PARAMETERS), + "different parameters"}, ++ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DISABLED_FOR_FIPS), "disabled for FIPS"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION), + "error loading section"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE), +@@ -251,6 +253,7 @@ static const ERR_STRING_DATA EVP_str_rea + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PRIVATE_KEY_ENCODE_ERROR), + "private key encode error"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"}, ++ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_TOO_LARGE), "too large"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_CIPHER), "unknown cipher"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "unknown digest"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_OPTION), "unknown option"}, +@@ -276,6 +279,8 @@ static const ERR_STRING_DATA EVP_str_rea + "wrap mode not allowed"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH), + "wrong final block length"}, ++ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE), ++ "xts data unit is too large"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS), + "xts duplicated keys"}, + {0, NULL} +Index: openssl-1.1.1n/crypto/evp/evp_lib.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/evp_lib.c ++++ openssl-1.1.1n/crypto/evp/evp_lib.c +@@ -192,6 +192,9 @@ int EVP_CIPHER_impl_ctx_size(const EVP_C + int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, unsigned int inl) + { ++#ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++#endif + return ctx->cipher->do_cipher(ctx, out, in, inl); + } + +Index: openssl-1.1.1n/crypto/evp/m_sha1.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/m_sha1.c ++++ openssl-1.1.1n/crypto/evp/m_sha1.c +@@ -95,7 +95,7 @@ static const EVP_MD sha1_md = { + NID_sha1, + NID_sha1WithRSAEncryption, + SHA_DIGEST_LENGTH, +- EVP_MD_FLAG_DIGALGID_ABSENT, ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, + init, + update, + final, +@@ -145,7 +145,7 @@ static const EVP_MD sha224_md = { + NID_sha224, + NID_sha224WithRSAEncryption, + SHA224_DIGEST_LENGTH, +- EVP_MD_FLAG_DIGALGID_ABSENT, ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, + init224, + update224, + final224, +@@ -164,7 +164,7 @@ static const EVP_MD sha256_md = { + NID_sha256, + NID_sha256WithRSAEncryption, + SHA256_DIGEST_LENGTH, +- EVP_MD_FLAG_DIGALGID_ABSENT, ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, + init256, + update256, + final256, +@@ -224,7 +224,7 @@ static const EVP_MD sha512_224_md = { + NID_sha512_224, + NID_sha512_224WithRSAEncryption, + SHA224_DIGEST_LENGTH, +- EVP_MD_FLAG_DIGALGID_ABSENT, ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, + init512_224, + update512, + final512, +@@ -243,7 +243,7 @@ static const EVP_MD sha512_256_md = { + NID_sha512_256, + NID_sha512_256WithRSAEncryption, + SHA256_DIGEST_LENGTH, +- EVP_MD_FLAG_DIGALGID_ABSENT, ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, + init512_256, + update512, + final512, +@@ -262,7 +262,7 @@ static const EVP_MD sha384_md = { + NID_sha384, + NID_sha384WithRSAEncryption, + SHA384_DIGEST_LENGTH, +- EVP_MD_FLAG_DIGALGID_ABSENT, ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, + init384, + update384, + final384, +@@ -281,7 +281,7 @@ static const EVP_MD sha512_md = { + NID_sha512, + NID_sha512WithRSAEncryption, + SHA512_DIGEST_LENGTH, +- EVP_MD_FLAG_DIGALGID_ABSENT, ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, + init512, + update512, + final512, +Index: openssl-1.1.1n/crypto/evp/m_sha3.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/m_sha3.c ++++ openssl-1.1.1n/crypto/evp/m_sha3.c +@@ -295,7 +295,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) + NID_sha3_##bitlen, \ + NID_RSA_SHA3_##bitlen, \ + bitlen / 8, \ +- EVP_MD_FLAG_DIGALGID_ABSENT, \ ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \ + s390x_sha3_init, \ + s390x_sha3_update, \ + s390x_sha3_final, \ +@@ -308,7 +308,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) + NID_sha3_##bitlen, \ + NID_RSA_SHA3_##bitlen, \ + bitlen / 8, \ +- EVP_MD_FLAG_DIGALGID_ABSENT, \ ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \ + sha3_init, \ + sha3_update, \ + sha3_final, \ +@@ -329,7 +329,7 @@ const EVP_MD *EVP_shake##bitlen(void) + NID_shake##bitlen, \ + 0, \ + bitlen / 8, \ +- EVP_MD_FLAG_XOF, \ ++ EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \ + s390x_shake_init, \ + s390x_sha3_update, \ + s390x_shake_final, \ +@@ -343,7 +343,7 @@ const EVP_MD *EVP_shake##bitlen(void) + NID_shake##bitlen, \ + 0, \ + bitlen / 8, \ +- EVP_MD_FLAG_XOF, \ ++ EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \ + shake_init, \ + sha3_update, \ + sha3_final, \ +@@ -367,7 +367,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) + NID_sha3_##bitlen, \ + NID_RSA_SHA3_##bitlen, \ + bitlen / 8, \ +- EVP_MD_FLAG_DIGALGID_ABSENT, \ ++ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \ + sha3_init, \ + sha3_update, \ + sha3_final, \ +@@ -386,7 +386,7 @@ const EVP_MD *EVP_shake##bitlen(void) + NID_shake##bitlen, \ + 0, \ + bitlen / 8, \ +- EVP_MD_FLAG_XOF, \ ++ EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \ + shake_init, \ + sha3_update, \ + sha3_final, \ +Index: openssl-1.1.1n/crypto/evp/pmeth_lib.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/evp/pmeth_lib.c ++++ openssl-1.1.1n/crypto/evp/pmeth_lib.c +@@ -131,7 +131,15 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKE + pmeth = ENGINE_get_pkey_meth(e, id); + else + #endif ++ { + pmeth = EVP_PKEY_meth_find(id); ++#ifdef OPENSSL_FIPS ++ if (pmeth && !(pmeth->flags & EVP_PKEY_FLAG_FIPS) && FIPS_mode()) { ++ EVPerr(EVP_F_INT_CTX_NEW, EVP_R_DISABLED_FOR_FIPS); ++ return NULL; ++ } ++#endif ++ } + + if (pmeth == NULL) { + #ifndef OPENSSL_NO_ENGINE +Index: openssl-1.1.1n/crypto/fips/build.info +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/build.info +@@ -0,0 +1,15 @@ ++LIBS=../../libcrypto ++SOURCE[../../libcrypto]=\ ++ fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \ ++ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \ ++ fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ ++ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ ++ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ ++ fips_dh_selftest.c fips_ers.c ++ ++PROGRAMS_NO_INST=\ ++ fips_standalone_hmac ++ ++SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c ++INCLUDE[fips_standalone_hmac]=../../include ++DEPEND[fips_standalone_hmac]=../../libcrypto +Index: openssl-1.1.1n/crypto/fips/fips_aes_selftest.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_aes_selftest.c +@@ -0,0 +1,372 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#ifdef OPENSSL_FIPS ++# include ++# include "crypto/fips_int.h" ++#endif ++ ++#ifdef OPENSSL_FIPS ++static const struct { ++ const unsigned char key[16]; ++ const unsigned char plaintext[16]; ++ const unsigned char ciphertext[16]; ++} tests[] = { ++ { ++ { ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, ++ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}, { ++ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, ++ 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}, { ++0x69, 0xC4, 0xE0, 0xD8, 0x6A, 0x7B, 0x04, 0x30, ++ 0xD8, 0xCD, 0xB7, 0x80, 0x70, 0xB4, 0xC5, 0x5A},},}; ++ ++int FIPS_selftest_aes() ++{ ++ int n; ++ int ret = 0; ++ EVP_CIPHER_CTX *ctx; ++ ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) ++ goto err; ++ ++ for (n = 0; n < 1; ++n) { ++ unsigned char key[16]; ++ ++ memcpy(key, tests[n].key, sizeof(key)); ++ if (fips_cipher_test(ctx, EVP_aes_128_ecb(), ++ key, NULL, ++ tests[n].plaintext, ++ tests[n].ciphertext, 16) <= 0) ++ goto err; ++ } ++ ret = 1; ++ err: ++ EVP_CIPHER_CTX_free(ctx); ++ if (ret == 0) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES, FIPS_R_SELFTEST_FAILED); ++ return ret; ++} ++ ++/* AES-CCM test data from NIST public test vectors */ ++ ++static const unsigned char ccm_key[] = { ++ 0xce, 0xb0, 0x09, 0xae, 0xa4, 0x45, 0x44, 0x51, 0xfe, 0xad, 0xf0, 0xe6, ++ 0xb3, 0x6f, 0x45, 0x55, 0x5d, 0xd0, 0x47, 0x23, 0xba, 0xa4, 0x48, 0xe8 ++}; ++ ++static const unsigned char ccm_nonce[] = { ++ 0x76, 0x40, 0x43, 0xc4, 0x94, 0x60, 0xb7 ++}; ++ ++static const unsigned char ccm_adata[] = { ++ 0x6e, 0x80, 0xdd, 0x7f, 0x1b, 0xad, 0xf3, 0xa1, 0xc9, 0xab, 0x25, 0xc7, ++ 0x5f, 0x10, 0xbd, 0xe7, 0x8c, 0x23, 0xfa, 0x0e, 0xb8, 0xf9, 0xaa, 0xa5, ++ 0x3a, 0xde, 0xfb, 0xf4, 0xcb, 0xf7, 0x8f, 0xe4 ++}; ++ ++static const unsigned char ccm_pt[] = { ++ 0xc8, 0xd2, 0x75, 0xf9, 0x19, 0xe1, 0x7d, 0x7f, 0xe6, 0x9c, 0x2a, 0x1f, ++ 0x58, 0x93, 0x9d, 0xfe, 0x4d, 0x40, 0x37, 0x91, 0xb5, 0xdf, 0x13, 0x10 ++}; ++ ++static const unsigned char ccm_ct[] = { ++ 0x8a, 0x0f, 0x3d, 0x82, 0x29, 0xe4, 0x8e, 0x74, 0x87, 0xfd, 0x95, 0xa2, ++ 0x8a, 0xd3, 0x92, 0xc8, 0x0b, 0x36, 0x81, 0xd4, 0xfb, 0xc7, 0xbb, 0xfd ++}; ++ ++static const unsigned char ccm_tag[] = { ++ 0x2d, 0xd6, 0xef, 0x1c, 0x45, 0xd4, 0xcc, 0xb7, 0x23, 0xdc, 0x07, 0x44, ++ 0x14, 0xdb, 0x50, 0x6d ++}; ++ ++int FIPS_selftest_aes_ccm(void) ++{ ++ int ret = 0; ++ unsigned char out[128], tag[16]; ++ EVP_CIPHER_CTX *ctx; ++ ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) ++ goto err; ++ ++ memset(out, 0, sizeof(out)); ++ if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 1)) ++ goto err; ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, ++ sizeof(ccm_nonce), NULL)) ++ goto err; ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, ++ sizeof(ccm_tag), NULL)) ++ goto err; ++ if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 1)) ++ goto err; ++ if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt)) ++ goto err; ++ if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0) ++ goto err; ++ if (EVP_Cipher(ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct)) ++ goto err; ++ ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, 16, tag)) ++ goto err; ++ if (memcmp(tag, ccm_tag, sizeof(ccm_tag)) ++ || memcmp(out, ccm_ct, sizeof(ccm_ct))) ++ goto err; ++ ++ memset(out, 0, sizeof(out)); ++ ++ if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 0)) ++ goto err; ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, ++ sizeof(ccm_nonce), NULL)) ++ goto err; ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, 16, tag)) ++ goto err; ++ if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 0)) ++ goto err; ++ if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct)) ++ goto err; ++ if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0) ++ goto err; ++ if (EVP_Cipher(ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt)) ++ goto err; ++ ++ if (memcmp(out, ccm_pt, sizeof(ccm_pt))) ++ goto err; ++ ++ ret = 1; ++ ++ err: ++ EVP_CIPHER_CTX_free(ctx); ++ ++ if (ret == 0) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } else ++ return ret; ++ ++} ++ ++/* AES-GCM test data from NIST public test vectors */ ++ ++static const unsigned char gcm_key[] = { ++ 0xee, 0xbc, 0x1f, 0x57, 0x48, 0x7f, 0x51, 0x92, 0x1c, 0x04, 0x65, 0x66, ++ 0x5f, 0x8a, 0xe6, 0xd1, 0x65, 0x8b, 0xb2, 0x6d, 0xe6, 0xf8, 0xa0, 0x69, ++ 0xa3, 0x52, 0x02, 0x93, 0xa5, 0x72, 0x07, 0x8f ++}; ++ ++static const unsigned char gcm_iv[] = { ++ 0x99, 0xaa, 0x3e, 0x68, 0xed, 0x81, 0x73, 0xa0, 0xee, 0xd0, 0x66, 0x84 ++}; ++ ++static const unsigned char gcm_pt[] = { ++ 0xf5, 0x6e, 0x87, 0x05, 0x5b, 0xc3, 0x2d, 0x0e, 0xeb, 0x31, 0xb2, 0xea, ++ 0xcc, 0x2b, 0xf2, 0xa5 ++}; ++ ++static const unsigned char gcm_aad[] = { ++ 0x4d, 0x23, 0xc3, 0xce, 0xc3, 0x34, 0xb4, 0x9b, 0xdb, 0x37, 0x0c, 0x43, ++ 0x7f, 0xec, 0x78, 0xde ++}; ++ ++static const unsigned char gcm_ct[] = { ++ 0xf7, 0x26, 0x44, 0x13, 0xa8, 0x4c, 0x0e, 0x7c, 0xd5, 0x36, 0x86, 0x7e, ++ 0xb9, 0xf2, 0x17, 0x36 ++}; ++ ++static const unsigned char gcm_tag[] = { ++ 0x67, 0xba, 0x05, 0x10, 0x26, 0x2a, 0xe4, 0x87, 0xd7, 0x37, 0xee, 0x62, ++ 0x98, 0xf7, 0x7e, 0x0c ++}; ++ ++int FIPS_selftest_aes_gcm(void) ++{ ++ int ret = 0; ++ unsigned char out[128], tag[16]; ++ EVP_CIPHER_CTX *ctx; ++ ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) ++ goto err; ++ ++ memset(out, 0, sizeof(out)); ++ memset(tag, 0, sizeof(tag)); ++ if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 1)) ++ goto err; ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, ++ sizeof(gcm_iv), NULL)) ++ goto err; ++ if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 1)) ++ goto err; ++ if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0) ++ goto err; ++ if (EVP_Cipher(ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct)) ++ goto err; ++ if (EVP_Cipher(ctx, NULL, NULL, 0) < 0) ++ goto err; ++ ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag)) ++ goto err; ++ ++ if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16)) ++ goto err; ++ ++ memset(out, 0, sizeof(out)); ++ ++ if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 0)) ++ goto err; ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, ++ sizeof(gcm_iv), NULL)) ++ goto err; ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag)) ++ goto err; ++ if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 0)) ++ goto err; ++ if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0) ++ goto err; ++ if (EVP_Cipher(ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt)) ++ goto err; ++ if (EVP_Cipher(ctx, NULL, NULL, 0) < 0) ++ goto err; ++ ++ if (memcmp(out, gcm_pt, 16)) ++ goto err; ++ ++ ret = 1; ++ ++ err: ++ EVP_CIPHER_CTX_free(ctx); ++ ++ if (ret == 0) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } else ++ return ret; ++ ++} ++ ++static const unsigned char XTS_128_key[] = { ++ 0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35, 0x3b, 0x2c, 0x34, 0x38, ++ 0x76, 0x08, 0x17, 0x62, 0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18, ++ 0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f ++}; ++ ++static const unsigned char XTS_128_i[] = { ++ 0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6, 0x6e, 0x4b, 0x92, 0x01, ++ 0x3e, 0x76, 0x8a, 0xd5 ++}; ++ ++static const unsigned char XTS_128_pt[] = { ++ 0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d, 0x6f, 0xb3, 0x50, 0x39, ++ 0x07, 0x90, 0x31, 0x1c ++}; ++ ++static const unsigned char XTS_128_ct[] = { ++ 0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a, 0x82, 0x50, 0x81, 0xd5, ++ 0xbe, 0x47, 0x1c, 0x63 ++}; ++ ++static const unsigned char XTS_256_key[] = { ++ 0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e, 0x48, 0x01, 0xe4, 0x2f, ++ 0x4b, 0x09, 0x47, 0x14, 0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7, ++ 0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c, 0xd6, 0xe1, 0x3f, 0xfd, ++ 0xf2, 0x41, 0x8d, 0x8d, 0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3, ++ 0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58, 0x31, 0x8e, 0xea, 0x39, ++ 0x2c, 0xf4, 0x1b, 0x08 ++}; ++ ++static const unsigned char XTS_256_i[] = { ++ 0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2, 0xf0, 0x42, 0x8e, 0x84, ++ 0xa9, 0xf8, 0x75, 0x64 ++}; ++ ++static const unsigned char XTS_256_pt[] = { ++ 0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1, 0xac, 0xc6, 0x47, 0xe8, ++ 0x10, 0xbb, 0xc3, 0x64, 0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3, ++ 0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e ++}; ++ ++static const unsigned char XTS_256_ct[] = { ++ 0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5, 0x0b, 0x37, 0xf9, 0x34, ++ 0xd4, 0x6a, 0x9b, 0x13, 0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a, ++ 0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb ++}; ++ ++int FIPS_selftest_aes_xts() ++{ ++ int ret = 1; ++ EVP_CIPHER_CTX *ctx; ++ ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) ++ goto err; ++ ++ if (fips_cipher_test(ctx, EVP_aes_128_xts(), ++ XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct, ++ sizeof(XTS_128_pt)) <= 0) ++ ret = 0; ++ ++ if (fips_cipher_test(ctx, EVP_aes_256_xts(), ++ XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct, ++ sizeof(XTS_256_pt)) <= 0) ++ ret = 0; ++ ++ EVP_CIPHER_CTX_free(ctx); ++ ++ err: ++ if (ret == 0) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS, FIPS_R_SELFTEST_FAILED); ++ return ret; ++} ++ ++#endif +Index: openssl-1.1.1n/crypto/fips/fips.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips.c +@@ -0,0 +1,526 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#define _GNU_SOURCE ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "fips_locl.h" ++ ++#ifdef OPENSSL_FIPS ++ ++# include ++# include "internal/thread_once.h" ++ ++# ifndef PATH_MAX ++# define PATH_MAX 1024 ++# endif ++ ++static int fips_selftest_fail = 0; ++static int fips_mode = 0; ++static int fips_started = 0; ++ ++static int fips_is_owning_thread(void); ++static int fips_set_owning_thread(void); ++static int fips_clear_owning_thread(void); ++ ++static CRYPTO_RWLOCK *fips_lock = NULL; ++static CRYPTO_RWLOCK *fips_owning_lock = NULL; ++static CRYPTO_ONCE fips_lock_init = CRYPTO_ONCE_STATIC_INIT; ++ ++DEFINE_RUN_ONCE_STATIC(do_fips_lock_init) ++{ ++ fips_lock = CRYPTO_THREAD_lock_new(); ++ fips_owning_lock = CRYPTO_THREAD_lock_new(); ++ return fips_lock != NULL && fips_owning_lock != NULL; ++} ++ ++# define fips_w_lock() CRYPTO_THREAD_write_lock(fips_lock) ++# define fips_w_unlock() CRYPTO_THREAD_unlock(fips_lock) ++# define fips_r_lock() CRYPTO_THREAD_read_lock(fips_lock) ++# define fips_r_unlock() CRYPTO_THREAD_unlock(fips_lock) ++ ++static void fips_set_mode(int onoff) ++{ ++ int owning_thread = fips_is_owning_thread(); ++ ++ if (fips_started) { ++ if (!owning_thread) ++ fips_w_lock(); ++ fips_mode = onoff; ++ if (!owning_thread) ++ fips_w_unlock(); ++ } ++} ++ ++int FIPS_module_mode(void) ++{ ++ int ret = 0; ++ int owning_thread = fips_is_owning_thread(); ++ ++ if (fips_started) { ++ if (!owning_thread) ++ fips_r_lock(); ++ ret = fips_mode; ++ if (!owning_thread) ++ fips_r_unlock(); ++ } ++ return ret; ++} ++ ++/* just a compat symbol - return NULL */ ++int FIPS_selftest_failed(void) ++{ ++ int ret = 0; ++ if (fips_started) { ++ int owning_thread = fips_is_owning_thread(); ++ ++ if (!owning_thread) ++ fips_r_lock(); ++ ret = fips_selftest_fail; ++ if (!owning_thread) ++ fips_r_unlock(); ++ } ++ return ret; ++} ++ ++/* Selftest failure fatal exit routine. This will be called ++ * during *any* cryptographic operation. It has the minimum ++ * overhead possible to avoid too big a performance hit. ++ */ ++ ++void FIPS_selftest_check(void) ++{ ++ if (fips_selftest_fail) { ++ OpenSSLDie(__FILE__, __LINE__, "FATAL FIPS SELFTEST FAILURE"); ++ } ++} ++ ++void fips_set_selftest_fail(void) ++{ ++ fips_selftest_fail = 1; ++} ++ ++/* we implement what libfipscheck does ourselves */ ++ ++static int ++get_library_path(const char *libname, const char *symbolname, char *path, ++ size_t pathlen) ++{ ++ Dl_info info; ++ void *dl, *sym; ++ int rv = -1; ++ ++ dl = dlopen(libname, RTLD_LAZY); ++ if (dl == NULL) { ++ return -1; ++ } ++ ++ sym = dlsym(dl, symbolname); ++ ++ if (sym != NULL && dladdr(sym, &info)) { ++ strncpy(path, info.dli_fname, pathlen - 1); ++ path[pathlen - 1] = '\0'; ++ rv = 0; ++ } ++ ++ dlclose(dl); ++ ++ return rv; ++} ++ ++static const char conv[] = "0123456789abcdef"; ++ ++static char *bin2hex(void *buf, size_t len) ++{ ++ char *hex, *p; ++ unsigned char *src = buf; ++ ++ hex = malloc(len * 2 + 1); ++ if (hex == NULL) ++ return NULL; ++ ++ p = hex; ++ ++ while (len > 0) { ++ unsigned c; ++ ++ c = *src; ++ src++; ++ ++ *p = conv[c >> 4]; ++ ++p; ++ *p = conv[c & 0x0f]; ++ ++p; ++ --len; ++ } ++ *p = '\0'; ++ return hex; ++} ++ ++# define HMAC_PREFIX "." ++# ifndef HMAC_SUFFIX ++# define HMAC_SUFFIX ".hmac" ++# endif ++# define READ_BUFFER_LENGTH 16384 ++ ++static char *make_hmac_path(const char *origpath) ++{ ++ char *path, *p; ++ const char *fn; ++ ++ path = ++ malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath)); ++ if (path == NULL) { ++ return NULL; ++ } ++ ++ fn = strrchr(origpath, '/'); ++ if (fn == NULL) { ++ fn = origpath; ++ } else { ++ ++fn; ++ } ++ ++ strncpy(path, origpath, fn - origpath); ++ p = path + (fn - origpath); ++ p = stpcpy(p, HMAC_PREFIX); ++ p = stpcpy(p, fn); ++ p = stpcpy(p, HMAC_SUFFIX); ++ ++ return path; ++} ++ ++static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP"; ++ ++static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen) ++{ ++ FILE *f = NULL; ++ int rv = -1; ++ unsigned char rbuf[READ_BUFFER_LENGTH]; ++ size_t len; ++ unsigned int hlen; ++ HMAC_CTX *c; ++ ++ c = HMAC_CTX_new(); ++ if (c == NULL) ++ return rv; ++ ++ f = fopen(path, "r"); ++ ++ if (f == NULL) { ++ goto end; ++ } ++ ++ if (HMAC_Init_ex(c, hmackey, sizeof(hmackey) - 1, EVP_sha256(), NULL) <= 0) { ++ goto end; ++ } ++ ++ while ((len = fread(rbuf, 1, sizeof(rbuf), f)) != 0) { ++ if (HMAC_Update(c, rbuf, len) <= 0) { ++ goto end; ++ } ++ } ++ ++ len = sizeof(rbuf); ++ /* reuse rbuf for hmac */ ++ if (HMAC_Final(c, rbuf, &hlen) <= 0) { ++ goto end; ++ } ++ ++ *buf = malloc(hlen); ++ if (*buf == NULL) { ++ goto end; ++ } ++ ++ *hmaclen = hlen; ++ ++ memcpy(*buf, rbuf, hlen); ++ ++ rv = 0; ++ end: ++ HMAC_CTX_free(c); ++ ++ if (f) ++ fclose(f); ++ ++ return rv; ++} ++ ++static int FIPSCHECK_verify(const char *path) ++{ ++ int rv = 0; ++ FILE *hf; ++ char *hmacpath, *p; ++ char *hmac = NULL; ++ size_t n; ++ ++ hmacpath = make_hmac_path(path); ++ if (hmacpath == NULL) ++ return 0; ++ ++ hf = fopen(hmacpath, "r"); ++ if (hf == NULL) { ++ free(hmacpath); ++ return 0; ++ } ++ ++ if (getline(&hmac, &n, hf) > 0) { ++ void *buf; ++ size_t hmaclen; ++ char *hex; ++ ++ if ((p = strchr(hmac, '\n')) != NULL) ++ *p = '\0'; ++ ++ if (compute_file_hmac(path, &buf, &hmaclen) < 0) { ++ rv = -4; ++ goto end; ++ } ++ ++ if ((hex = bin2hex(buf, hmaclen)) == NULL) { ++ free(buf); ++ rv = -5; ++ goto end; ++ } ++ ++ if (strcmp(hex, hmac) != 0) { ++ rv = -1; ++ } ++ free(buf); ++ free(hex); ++ } else { ++ rv = -1; ++ } ++ ++ end: ++ free(hmac); ++ free(hmacpath); ++ fclose(hf); ++ ++ if (rv < 0) ++ return 0; ++ ++ /* check successful */ ++ return 1; ++} ++ ++static int verify_checksums(void) ++{ ++ int rv; ++ char path[PATH_MAX + 1]; ++ char *p; ++ ++ /* we need to avoid dlopening libssl, assume both libcrypto and libssl ++ are in the same directory */ ++ ++ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, ++ "FIPS_mode_set", path, sizeof(path)); ++ if (rv < 0) ++ return 0; ++ ++ rv = FIPSCHECK_verify(path); ++ if (!rv) ++ return 0; ++ ++ /* replace libcrypto with libssl */ ++ while ((p = strstr(path, "libcrypto.so")) != NULL) { ++ p = stpcpy(p, "libssl"); ++ memmove(p, p + 3, strlen(p + 2)); ++ } ++ ++ rv = FIPSCHECK_verify(path); ++ if (!rv) ++ return 0; ++ return 1; ++} ++ ++# ifndef FIPS_MODULE_PATH ++# define FIPS_MODULE_PATH "/etc/system-fips" ++# endif ++ ++int FIPS_module_installed(void) ++{ ++ int rv; ++ rv = access(FIPS_MODULE_PATH, F_OK); ++ if (rv < 0 && errno != ENOENT) ++ rv = 0; ++ ++ /* Installed == true */ ++ return !rv || FIPS_module_mode(); ++} ++ ++int FIPS_module_mode_set(int onoff) ++{ ++ int ret = 0; ++ ++ if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init)) ++ return 0; ++ ++ fips_w_lock(); ++ fips_started = 1; ++ fips_set_owning_thread(); ++ ++ if (onoff) { ++ ++ fips_selftest_fail = 0; ++ ++ /* Don't go into FIPS mode twice, just so we can do automagic ++ seeding */ ++ if (FIPS_module_mode()) { ++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, ++ FIPS_R_FIPS_MODE_ALREADY_SET); ++ fips_selftest_fail = 1; ++ ret = 0; ++ goto end; ++ } ++# ifdef OPENSSL_IA32_SSE2 ++ { ++ extern unsigned int OPENSSL_ia32cap_P[2]; ++ if ((OPENSSL_ia32cap_P[0] & (1 << 25 | 1 << 26)) != ++ (1 << 25 | 1 << 26)) { ++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, ++ FIPS_R_UNSUPPORTED_PLATFORM); ++ fips_selftest_fail = 1; ++ ret = 0; ++ goto end; ++ } ++ } ++# endif ++ ++ if (!FIPS_selftest()) { ++ fips_selftest_fail = 1; ++ ret = 0; ++ goto end; ++ } ++ ++ if (!verify_checksums()) { ++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, ++ FIPS_R_FINGERPRINT_DOES_NOT_MATCH); ++ fips_selftest_fail = 1; ++ ret = 0; ++ goto end; ++ } ++ ++ fips_set_mode(onoff); ++ ret = 1; ++ goto end; ++ } ++ fips_set_mode(0); ++ fips_selftest_fail = 0; ++ ret = 1; ++ end: ++ fips_clear_owning_thread(); ++ fips_w_unlock(); ++ return ret; ++} ++ ++static CRYPTO_THREAD_ID fips_threadid; ++static int fips_thread_set = 0; ++ ++static int fips_is_owning_thread(void) ++{ ++ int ret = 0; ++ ++ if (fips_started) { ++ CRYPTO_THREAD_read_lock(fips_owning_lock); ++ if (fips_thread_set) { ++ CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id(); ++ if (CRYPTO_THREAD_compare_id(fips_threadid, cur)) ++ ret = 1; ++ } ++ CRYPTO_THREAD_unlock(fips_owning_lock); ++ } ++ return ret; ++} ++ ++int fips_set_owning_thread(void) ++{ ++ int ret = 0; ++ ++ if (fips_started) { ++ CRYPTO_THREAD_write_lock(fips_owning_lock); ++ if (!fips_thread_set) { ++ fips_threadid = CRYPTO_THREAD_get_current_id(); ++ ret = 1; ++ fips_thread_set = 1; ++ } ++ CRYPTO_THREAD_unlock(fips_owning_lock); ++ } ++ return ret; ++} ++ ++int fips_clear_owning_thread(void) ++{ ++ int ret = 0; ++ ++ if (fips_started) { ++ CRYPTO_THREAD_write_lock(fips_owning_lock); ++ if (fips_thread_set) { ++ CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id(); ++ if (CRYPTO_THREAD_compare_id(fips_threadid, cur)) ++ fips_thread_set = 0; ++ } ++ CRYPTO_THREAD_unlock(fips_owning_lock); ++ } ++ return ret; ++} ++ ++#endif +Index: openssl-1.1.1n/crypto/fips/fips_cmac_selftest.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_cmac_selftest.c +@@ -0,0 +1,156 @@ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#include ++#include "crypto/fips_int.h" ++#include ++#include "fips_locl.h" ++ ++#ifdef OPENSSL_FIPS ++typedef struct { ++ int nid; ++ const unsigned char key[EVP_MAX_KEY_LENGTH]; ++ size_t keysize; ++ const unsigned char msg[64]; ++ size_t msgsize; ++ const unsigned char mac[32]; ++ size_t macsize; ++} CMAC_KAT; ++ ++/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */ ++static const CMAC_KAT vector[] = { ++ {NID_aes_128_cbc, /* Count = 32 from CMACGenAES128.txt */ ++ {0x77, 0xa7, 0x7f, 0xaf, 0x29, 0x0c, 0x1f, 0xa3, ++ 0x0c, 0x68, 0x3d, 0xf1, 0x6b, 0xa7, 0xa7, 0x7b,}, 128, ++ {0x02, 0x06, 0x83, 0xe1, 0xf0, 0x39, 0x2f, 0x4c, ++ 0xac, 0x54, 0x31, 0x8b, 0x60, 0x29, 0x25, 0x9e, ++ 0x9c, 0x55, 0x3d, 0xbc, 0x4b, 0x6a, 0xd9, 0x98, ++ 0xe6, 0x4d, 0x58, 0xe4, 0xe7, 0xdc, 0x2e, 0x13,}, 256, ++ {0xfb, 0xfe, 0xa4, 0x1b,}, 32}, ++ {NID_aes_192_cbc, /* Count = 23 from CMACGenAES192.txt */ ++ {0x7b, 0x32, 0x39, 0x13, 0x69, 0xaa, 0x4c, 0xa9, ++ 0x75, 0x58, 0x09, 0x5b, 0xe3, 0xc3, 0xec, 0x86, ++ 0x2b, 0xd0, 0x57, 0xce, 0xf1, 0xe3, 0x2d, 0x62,}, 192, ++ {0x0}, 0, ++ {0xe4, 0xd9, 0x34, 0x0b, 0x03, 0xe6, 0x7d, 0xef, ++ 0xd4, 0x96, 0x9c, 0xc1, 0xed, 0x37, 0x35, 0xe6,}, 128, ++ }, ++ {NID_aes_256_cbc, /* Count = 33 from CMACGenAES256.txt */ ++ {0x0b, 0x12, 0x2a, 0xc8, 0xf3, 0x4e, 0xd1, 0xfe, ++ 0x08, 0x2a, 0x36, 0x25, 0xd1, 0x57, 0x56, 0x14, ++ 0x54, 0x16, 0x7a, 0xc1, 0x45, 0xa1, 0x0b, 0xbf, ++ 0x77, 0xc6, 0xa7, 0x05, 0x96, 0xd5, 0x74, 0xf1,}, 256, ++ {0x49, 0x8b, 0x53, 0xfd, 0xec, 0x87, 0xed, 0xcb, ++ 0xf0, 0x70, 0x97, 0xdc, 0xcd, 0xe9, 0x3a, 0x08, ++ 0x4b, 0xad, 0x75, 0x01, 0xa2, 0x24, 0xe3, 0x88, ++ 0xdf, 0x34, 0x9c, 0xe1, 0x89, 0x59, 0xfe, 0x84, ++ 0x85, 0xf8, 0xad, 0x15, 0x37, 0xf0, 0xd8, 0x96, ++ 0xea, 0x73, 0xbe, 0xdc, 0x72, 0x14, 0x71, 0x3f,}, 384, ++ {0xf6, 0x2c, 0x46, 0x32, 0x9b,}, 40, ++ }, ++ {NID_des_ede3_cbc, /* Count = 41 from CMACGenTDES3.req */ ++ {0x89, 0xbc, 0xd9, 0x52, 0xa8, 0xc8, 0xab, 0x37, ++ 0x1a, 0xf4, 0x8a, 0xc7, 0xd0, 0x70, 0x85, 0xd5, ++ 0xef, 0xf7, 0x02, 0xe6, 0xd6, 0x2c, 0xdc, 0x23,}, 192, ++ {0xfa, 0x62, 0x0c, 0x1b, 0xbe, 0x97, 0x31, 0x9e, ++ 0x9a, 0x0c, 0xf0, 0x49, 0x21, 0x21, 0xf7, 0xa2, ++ 0x0e, 0xb0, 0x8a, 0x6a, 0x70, 0x9d, 0xcb, 0xd0, ++ 0x0a, 0xaf, 0x38, 0xe4, 0xf9, 0x9e, 0x75, 0x4e,}, 256, ++ {0x8f, 0x49, 0xa1, 0xb7, 0xd6, 0xaa, 0x22, 0x58,}, 64, ++ }, ++}; ++ ++int FIPS_selftest_cmac() ++{ ++ size_t n, outlen; ++ unsigned char out[32]; ++ const EVP_CIPHER *cipher; ++ CMAC_CTX *ctx = CMAC_CTX_new(); ++ const CMAC_KAT *t; ++ int rv = 1; ++ ++ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) { ++ cipher = EVP_get_cipherbynid(t->nid); ++ if (!cipher) { ++ rv = -1; ++ goto err; ++ } ++ if (!CMAC_Init(ctx, t->key, t->keysize / 8, cipher, 0)) { ++ rv = -1; ++ goto err; ++ } ++ if (!CMAC_Update(ctx, t->msg, t->msgsize / 8)) { ++ rv = -1; ++ goto err; ++ } ++ ++ if (!CMAC_Final(ctx, out, &outlen)) { ++ rv = -1; ++ goto err; ++ } ++ ++ if (outlen < t->macsize / 8 || memcmp(out, t->mac, t->macsize / 8)) { ++ rv = 0; ++ } ++ } ++ ++ err: ++ CMAC_CTX_free(ctx); ++ ++ if (rv == -1) { ++ rv = 0; ++ } ++ if (!rv) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC, FIPS_R_SELFTEST_FAILED); ++ ++ return rv; ++} ++#endif +Index: openssl-1.1.1n/crypto/fips/fips_des_selftest.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_des_selftest.c +@@ -0,0 +1,133 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#ifdef OPENSSL_FIPS ++# include ++# include "crypto/fips_int.h" ++#endif ++#include ++ ++#ifdef OPENSSL_FIPS ++ ++static const struct { ++ const unsigned char key[16]; ++ const unsigned char plaintext[8]; ++ const unsigned char ciphertext[8]; ++} tests2[] = { ++ { ++ { ++ 0x7c, 0x4f, 0x6e, 0xf7, 0xa2, 0x04, 0x16, 0xec, ++ 0x0b, 0x6b, 0x7c, 0x9e, 0x5e, 0x19, 0xa7, 0xc4}, { ++ 0x06, 0xa7, 0xd8, 0x79, 0xaa, 0xce, 0x69, 0xef}, { ++ 0x4c, 0x11, 0x17, 0x55, 0xbf, 0xc4, 0x4e, 0xfd} ++ }, { ++ { ++ 0x5d, 0x9e, 0x01, 0xd3, 0x25, 0xc7, 0x3e, 0x34, ++ 0x01, 0x16, 0x7c, 0x85, 0x23, 0xdf, 0xe0, 0x68}, { ++ 0x9c, 0x50, 0x09, 0x0f, 0x5e, 0x7d, 0x69, 0x7e}, { ++ 0xd2, 0x0b, 0x18, 0xdf, 0xd9, 0x0d, 0x9e, 0xff},} ++}; ++ ++static const struct { ++ const unsigned char key[24]; ++ const unsigned char plaintext[8]; ++ const unsigned char ciphertext[8]; ++} tests3[] = { ++ { ++ { ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, ++ 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}, { ++ 0x8f, 0x8f, 0xbf, 0x9b, 0x5d, 0x48, 0xb4, 0x1c}, { ++ 0x59, 0x8c, 0xe5, 0xd3, 0x6c, 0xa2, 0xea, 0x1b},}, { ++ { ++ 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0xFE, ++ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, ++ 0xED, 0x39, 0xD9, 0x50, 0xFA, 0x74, 0xBC, 0xC4}, { ++ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}, { ++0x11, 0x25, 0xb0, 0x35, 0xbe, 0xa0, 0x82, 0x86},},}; ++ ++int FIPS_selftest_des() ++{ ++ int n, ret = 0; ++ EVP_CIPHER_CTX *ctx; ++ ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) ++ goto err; ++ ++ /* Encrypt/decrypt with 2-key 3DES and compare to known answers */ ++ for (n = 0; n < 2; ++n) { ++ unsigned char plaintext[8]; ++ ++ memcpy(plaintext, tests2[n].plaintext, sizeof(plaintext)); ++ if (!fips_cipher_test(ctx, EVP_des_ede_ecb(), ++ tests2[n].key, NULL, ++ plaintext, tests2[n].ciphertext, 8)) ++ goto err; ++ } ++ ++ /* Encrypt/decrypt with 3DES and compare to known answers */ ++ for (n = 0; n < 2; ++n) { ++ if (!fips_cipher_test(ctx, EVP_des_ede3_ecb(), ++ tests3[n].key, NULL, ++ tests3[n].plaintext, tests3[n].ciphertext, 8)) ++ goto err; ++ } ++ ret = 1; ++ err: ++ EVP_CIPHER_CTX_free(ctx); ++ if (ret == 0) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_DES, FIPS_R_SELFTEST_FAILED); ++ ++ return ret; ++} ++#endif +Index: openssl-1.1.1n/crypto/fips/fips_dh_selftest.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_dh_selftest.c +@@ -0,0 +1,180 @@ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * Copyright (c) 2013 Red Hat, Inc. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "fips_locl.h" ++ ++#ifdef OPENSSL_FIPS ++ ++static const unsigned char dh_test_2048_p[] = { ++ 0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09, ++ 0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11, ++ 0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5, ++ 0xF3, 0x69, 0x70, 0xD6, 0xDD, 0x90, 0xF9, 0x19, 0x79, 0xBE, 0x60, 0x8F, ++ 0x25, 0x92, 0x30, 0x1C, 0x51, 0x51, 0x38, 0x26, 0x82, 0x25, 0xE6, 0xFC, ++ 0xED, 0x65, 0x96, 0x8F, 0x57, 0xE5, 0x53, 0x8B, 0x38, 0x63, 0xC7, 0xCE, ++ 0xBC, 0x1B, 0x4D, 0x18, 0x2A, 0x5B, 0x04, 0x3F, 0x6A, 0x3C, 0x94, 0x39, ++ 0xAE, 0x36, 0xD6, 0x5E, 0x0F, 0xA2, 0xCC, 0xD0, 0xD4, 0xD5, 0xC6, 0x1E, ++ 0xF6, 0xA0, 0xF5, 0x89, 0x4E, 0xB4, 0x0B, 0xA4, 0xB3, 0x2B, 0x3D, 0xE2, ++ 0x4E, 0xE1, 0x49, 0x25, 0x99, 0x5F, 0x32, 0x16, 0x33, 0x32, 0x1B, 0x7A, ++ 0xA5, 0x5C, 0x6B, 0x34, 0x0D, 0x39, 0x99, 0xDC, 0xF0, 0x76, 0xE5, 0x5A, ++ 0xD4, 0x71, 0x00, 0xED, 0x5A, 0x73, 0xFB, 0xC8, 0x01, 0xAD, 0x99, 0xCF, ++ 0x99, 0x52, 0x7C, 0x9C, 0x64, 0xC6, 0x76, 0x40, 0x57, 0xAF, 0x59, 0xD7, ++ 0x38, 0x0B, 0x40, 0xDE, 0x33, 0x0D, 0xB8, 0x76, 0xEC, 0xA9, 0xD8, 0x73, ++ 0xF8, 0xEF, 0x26, 0x66, 0x06, 0x27, 0xDD, 0x7C, 0xA4, 0x10, 0x9C, 0xA6, ++ 0xAA, 0xF9, 0x53, 0x62, 0x73, 0x1D, 0xBA, 0x1C, 0xF1, 0x67, 0xF4, 0x35, ++ 0xED, 0x6F, 0x37, 0x92, 0xE8, 0x4F, 0x6C, 0xBA, 0x52, 0x6E, 0xA1, 0xED, ++ 0xDA, 0x9F, 0x85, 0x11, 0x82, 0x52, 0x62, 0x08, 0x44, 0xF1, 0x30, 0x03, ++ 0xC3, 0x38, 0x2C, 0x79, 0xBD, 0xD4, 0x43, 0x45, 0xEE, 0x8E, 0x50, 0xFC, ++ 0x29, 0x46, 0x9A, 0xFE, 0x54, 0x1A, 0x19, 0x8F, 0x4B, 0x84, 0x08, 0xDE, ++ 0x20, 0x62, 0x73, 0xCC, 0xDD, 0x7E, 0xF0, 0xEF, 0xA2, 0xFD, 0x86, 0x58, ++ 0x4B, 0xD8, 0x37, 0xEB ++}; ++ ++static const unsigned char dh_test_2048_g[] = { ++ 0x02 ++}; ++ ++static const unsigned char dh_test_2048_pub_key[] = { ++ 0xA0, 0x39, 0x11, 0x77, 0x9A, 0xC1, 0x30, 0x1F, 0xBE, 0x48, 0xA7, 0xAA, ++ 0xA0, 0x84, 0x54, 0x64, 0xAD, 0x1B, 0x70, 0xFA, 0x13, 0x55, 0x63, 0xD2, ++ 0x1F, 0x62, 0x32, 0x93, 0x8E, 0xC9, 0x3E, 0x09, 0xA7, 0x64, 0xE4, 0x12, ++ 0x6E, 0x1B, 0xF2, 0x92, 0x3B, 0xB9, 0xCB, 0x56, 0xEA, 0x07, 0x88, 0xB5, ++ 0xA6, 0xBC, 0x16, 0x1F, 0x27, 0xFE, 0xD8, 0xAA, 0x40, 0xB2, 0xB0, 0x2D, ++ 0x37, 0x76, 0xA6, 0xA4, 0x82, 0x2C, 0x0E, 0x22, 0x64, 0x9D, 0xCB, 0xD1, ++ 0x00, 0xB7, 0x89, 0x14, 0x72, 0x4E, 0xBE, 0x48, 0x41, 0xF8, 0xB2, 0x51, ++ 0x11, 0x09, 0x4B, 0x22, 0x01, 0x23, 0x39, 0x96, 0xE0, 0x15, 0xD7, 0x9F, ++ 0x60, 0xD1, 0xB7, 0xAE, 0xFE, 0x5F, 0xDB, 0xE7, 0x03, 0x17, 0x97, 0xA6, ++ 0x16, 0x74, 0xBD, 0x53, 0x81, 0x19, 0xC5, 0x47, 0x5E, 0xCE, 0x8D, 0xED, ++ 0x45, 0x5D, 0x3C, 0x00, 0xA0, 0x0A, 0x68, 0x6A, 0xE0, 0x8E, 0x06, 0x46, ++ 0x6F, 0xD7, 0xF9, 0xDF, 0x31, 0x7E, 0x77, 0x44, 0x0D, 0x98, 0xE0, 0xCA, ++ 0x98, 0x09, 0x52, 0x04, 0x90, 0xEA, 0x6D, 0xF4, 0x30, 0x69, 0x8F, 0xB1, ++ 0x9B, 0xC1, 0x43, 0xDB, 0xD5, 0x8D, 0xC8, 0x8E, 0xB6, 0x0B, 0x05, 0xBE, ++ 0x0E, 0xC5, 0x99, 0xC8, 0x6E, 0x4E, 0xF3, 0xCB, 0xC3, 0x5E, 0x9B, 0x53, ++ 0xF7, 0x06, 0x1C, 0x4F, 0xC7, 0xB8, 0x6E, 0x30, 0x18, 0xCA, 0x9B, 0xB9, ++ 0xBC, 0x5F, 0x17, 0x72, 0x29, 0x5A, 0xE5, 0xD9, 0x96, 0xB7, 0x0B, 0xF3, ++ 0x2D, 0x8C, 0xF1, 0xE1, 0x0E, 0x0D, 0x74, 0xD5, 0x9D, 0xF0, 0x06, 0xA9, ++ 0xB4, 0x95, 0x63, 0x76, 0x46, 0x55, 0x48, 0x82, 0x39, 0x90, 0xEF, 0x56, ++ 0x75, 0x34, 0xB8, 0x34, 0xC3, 0x18, 0x6E, 0x1E, 0xAD, 0xE3, 0x48, 0x7E, ++ 0x93, 0x2C, 0x23, 0xE7, 0xF8, 0x90, 0x73, 0xB1, 0x77, 0x80, 0x67, 0xA9, ++ 0x36, 0x9E, 0xDA, 0xD2 ++}; ++ ++static const unsigned char dh_test_2048_priv_key[] = { ++ 0x0C, 0x4B, 0x30, 0x89, 0xD1, 0xB8, 0x62, 0xCB, 0x3C, 0x43, 0x64, 0x91, ++ 0xF0, 0x91, 0x54, 0x70, 0xC5, 0x27, 0x96, 0xE3, 0xAC, 0xBE, 0xE8, 0x00, ++ 0xEC, 0x55, 0xF6, 0xCC ++}; ++ ++int FIPS_selftest_dh() ++{ ++ DH *dh = NULL; ++ int ret = 0; ++ void *pub_key_bin = NULL; ++ int len; ++ BIGNUM *p = NULL, *g = NULL, *priv_key = NULL, *tmp_pub_key = NULL; ++ const BIGNUM *pub_key; ++ ++ fips_load_key_component(p, dh_test_2048); ++ fips_load_key_component(g, dh_test_2048); ++ /* note that the private key is much shorter than normally used ++ * but still g ** priv_key > p ++ */ ++ fips_load_key_component(priv_key, dh_test_2048); ++ if ((tmp_pub_key = BN_new()) == NULL) ++ goto err; ++ ++ dh = DH_new(); ++ ++ if (dh == NULL) ++ goto err; ++ ++ DH_set0_pqg(dh, p, NULL, g); ++ DH_set0_key(dh, tmp_pub_key, priv_key); ++ ++ if (DH_generate_key(dh) <= 0) ++ goto err; ++ ++ DH_get0_key(dh, &pub_key, NULL); ++ ++ if (pub_key == NULL) ++ goto err; ++ ++ len = BN_num_bytes(pub_key); ++ if ((pub_key_bin = OPENSSL_malloc(len)) == NULL) ++ goto err; ++ BN_bn2bin(pub_key, pub_key_bin); ++ ++ if (len != sizeof(dh_test_2048_pub_key) || ++ memcmp(pub_key_bin, dh_test_2048_pub_key, len) != 0) ++ goto err; ++ ++ ret = 1; ++ ++ err: ++ if (dh) ++ DH_free(dh); ++ else { ++ BN_free(p); ++ BN_free(g); ++ BN_free(priv_key); ++ BN_free(tmp_pub_key); ++ } ++ ++ OPENSSL_free(pub_key_bin); ++ return ret; ++} ++#endif +Index: openssl-1.1.1n/crypto/fips/fips_drbg_ctr.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_drbg_ctr.c +@@ -0,0 +1,406 @@ ++/* fips/rand/fips_drbg_ctr.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include "fips_rand_lcl.h" ++ ++static void inc_128(DRBG_CTR_CTX * cctx) ++{ ++ int i; ++ unsigned char c; ++ unsigned char *p = cctx->V + 15; ++ for (i = 0; i < 16; i++) { ++ c = *p; ++ c++; ++ *p = c; ++ if (c) ++ return; ++ p--; ++ } ++} ++ ++static void ctr_XOR(DRBG_CTR_CTX * cctx, const unsigned char *in, ++ size_t inlen) ++{ ++ size_t i, n; ++ /* Any zero padding will have no effect on the result as we ++ * are XORing. So just process however much input we have. ++ */ ++ ++ if (!in || !inlen) ++ return; ++ ++ if (inlen < cctx->keylen) ++ n = inlen; ++ else ++ n = cctx->keylen; ++ ++ for (i = 0; i < n; i++) ++ cctx->K[i] ^= in[i]; ++ if (inlen <= cctx->keylen) ++ return; ++ ++ n = inlen - cctx->keylen; ++ /* Should never happen */ ++ if (n > 16) ++ n = 16; ++ for (i = 0; i < 16; i++) ++ cctx->V[i] ^= in[i + cctx->keylen]; ++} ++ ++/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */ ++ ++static void ctr_BCC_block(DRBG_CTR_CTX * cctx, unsigned char *out, ++ const unsigned char *in) ++{ ++ int i; ++ for (i = 0; i < 16; i++) ++ out[i] ^= in[i]; ++ AES_encrypt(out, out, &cctx->df_ks); ++#if 0 ++ fprintf(stderr, "BCC in+out\n"); ++ BIO_dump_fp(stderr, in, 16); ++ BIO_dump_fp(stderr, out, 16); ++#endif ++} ++ ++/* Handle several BCC operations for as much data as we need for K and X */ ++static void ctr_BCC_blocks(DRBG_CTR_CTX * cctx, const unsigned char *in) ++{ ++ ctr_BCC_block(cctx, cctx->KX, in); ++ ctr_BCC_block(cctx, cctx->KX + 16, in); ++ if (cctx->keylen != 16) ++ ctr_BCC_block(cctx, cctx->KX + 32, in); ++} ++ ++/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions: ++ * see 10.4.2 stage 7. ++ */ ++static void ctr_BCC_init(DRBG_CTR_CTX * cctx) ++{ ++ memset(cctx->KX, 0, 48); ++ memset(cctx->bltmp, 0, 16); ++ ctr_BCC_block(cctx, cctx->KX, cctx->bltmp); ++ cctx->bltmp[3] = 1; ++ ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp); ++ if (cctx->keylen != 16) { ++ cctx->bltmp[3] = 2; ++ ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp); ++ } ++} ++ ++/* Process several blocks into BCC algorithm, some possibly partial */ ++static void ctr_BCC_update(DRBG_CTR_CTX * cctx, ++ const unsigned char *in, size_t inlen) ++{ ++ if (!in || !inlen) ++ return; ++ /* If we have partial block handle it first */ ++ if (cctx->bltmp_pos) { ++ size_t left = 16 - cctx->bltmp_pos; ++ /* If we now have a complete block process it */ ++ if (inlen >= left) { ++ memcpy(cctx->bltmp + cctx->bltmp_pos, in, left); ++ ctr_BCC_blocks(cctx, cctx->bltmp); ++ cctx->bltmp_pos = 0; ++ inlen -= left; ++ in += left; ++ } ++ } ++ /* Process zero or more complete blocks */ ++ while (inlen >= 16) { ++ ctr_BCC_blocks(cctx, in); ++ in += 16; ++ inlen -= 16; ++ } ++ /* Copy any remaining partial block to the temporary buffer */ ++ if (inlen > 0) { ++ memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen); ++ cctx->bltmp_pos += inlen; ++ } ++} ++ ++static void ctr_BCC_final(DRBG_CTR_CTX * cctx) ++{ ++ if (cctx->bltmp_pos) { ++ memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos); ++ ctr_BCC_blocks(cctx, cctx->bltmp); ++ } ++} ++ ++static void ctr_df(DRBG_CTR_CTX * cctx, ++ const unsigned char *in1, size_t in1len, ++ const unsigned char *in2, size_t in2len, ++ const unsigned char *in3, size_t in3len) ++{ ++ size_t inlen; ++ unsigned char *p = cctx->bltmp; ++ static unsigned char c80 = 0x80; ++ ++ ctr_BCC_init(cctx); ++ if (!in1) ++ in1len = 0; ++ if (!in2) ++ in2len = 0; ++ if (!in3) ++ in3len = 0; ++ inlen = in1len + in2len + in3len; ++ /* Initialise L||N in temporary block */ ++ *p++ = (inlen >> 24) & 0xff; ++ *p++ = (inlen >> 16) & 0xff; ++ *p++ = (inlen >> 8) & 0xff; ++ *p++ = inlen & 0xff; ++ /* NB keylen is at most 32 bytes */ ++ *p++ = 0; ++ *p++ = 0; ++ *p++ = 0; ++ *p = (unsigned char)((cctx->keylen + 16) & 0xff); ++ cctx->bltmp_pos = 8; ++ ctr_BCC_update(cctx, in1, in1len); ++ ctr_BCC_update(cctx, in2, in2len); ++ ctr_BCC_update(cctx, in3, in3len); ++ ctr_BCC_update(cctx, &c80, 1); ++ ctr_BCC_final(cctx); ++ /* Set up key K */ ++ AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks); ++ /* X follows key K */ ++ AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks); ++ AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks); ++ if (cctx->keylen != 16) ++ AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks); ++#if 0 ++ fprintf(stderr, "Output of ctr_df:\n"); ++ BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16); ++#endif ++} ++ ++/* NB the no-df Update in SP800-90 specifies a constant input length ++ * of seedlen, however other uses of this algorithm pad the input with ++ * zeroes if necessary and have up to two parameters XORed together, ++ * handle both cases in this function instead. ++ */ ++ ++static void ctr_Update(DRBG_CTX *dctx, ++ const unsigned char *in1, size_t in1len, ++ const unsigned char *in2, size_t in2len, ++ const unsigned char *nonce, size_t noncelen) ++{ ++ DRBG_CTR_CTX *cctx = &dctx->d.ctr; ++ /* ks is already setup for correct key */ ++ inc_128(cctx); ++ AES_encrypt(cctx->V, cctx->K, &cctx->ks); ++ /* If keylen longer than 128 bits need extra encrypt */ ++ if (cctx->keylen != 16) { ++ inc_128(cctx); ++ AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks); ++ } ++ inc_128(cctx); ++ AES_encrypt(cctx->V, cctx->V, &cctx->ks); ++ /* If 192 bit key part of V is on end of K */ ++ if (cctx->keylen == 24) { ++ memcpy(cctx->V + 8, cctx->V, 8); ++ memcpy(cctx->V, cctx->K + 24, 8); ++ } ++ ++ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) { ++ /* If no input reuse existing derived value */ ++ if (in1 || nonce || in2) ++ ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len); ++ /* If this a reuse input in1len != 0 */ ++ if (in1len) ++ ctr_XOR(cctx, cctx->KX, dctx->seedlen); ++ } else { ++ ctr_XOR(cctx, in1, in1len); ++ ctr_XOR(cctx, in2, in2len); ++ } ++ ++ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks); ++#if 0 ++ fprintf(stderr, "K+V after update is:\n"); ++ BIO_dump_fp(stderr, cctx->K, cctx->keylen); ++ BIO_dump_fp(stderr, cctx->V, 16); ++#endif ++} ++ ++static int drbg_ctr_instantiate(DRBG_CTX *dctx, ++ const unsigned char *ent, size_t entlen, ++ const unsigned char *nonce, size_t noncelen, ++ const unsigned char *pers, size_t perslen) ++{ ++ DRBG_CTR_CTX *cctx = &dctx->d.ctr; ++ memset(cctx->K, 0, sizeof(cctx->K)); ++ memset(cctx->V, 0, sizeof(cctx->V)); ++ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks); ++ ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen); ++ return 1; ++} ++ ++static int drbg_ctr_reseed(DRBG_CTX *dctx, ++ const unsigned char *ent, size_t entlen, ++ const unsigned char *adin, size_t adinlen) ++{ ++ ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0); ++ return 1; ++} ++ ++static int drbg_ctr_generate(DRBG_CTX *dctx, ++ unsigned char *out, size_t outlen, ++ const unsigned char *adin, size_t adinlen) ++{ ++ DRBG_CTR_CTX *cctx = &dctx->d.ctr; ++ if (adin && adinlen) { ++ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0); ++ /* This means we reuse derived value */ ++ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) { ++ adin = NULL; ++ adinlen = 1; ++ } ++ } else ++ adinlen = 0; ++ ++ for (;;) { ++ inc_128(cctx); ++ if (outlen < 16) { ++ /* Use K as temp space as it will be updated */ ++ AES_encrypt(cctx->V, cctx->K, &cctx->ks); ++ memcpy(out, cctx->K, outlen); ++ break; ++ } ++ AES_encrypt(cctx->V, out, &cctx->ks); ++ out += 16; ++ outlen -= 16; ++ if (outlen == 0) ++ break; ++ } ++ ++ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0); ++ ++ return 1; ++ ++} ++ ++static int drbg_ctr_uninstantiate(DRBG_CTX *dctx) ++{ ++ memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX)); ++ return 1; ++} ++ ++int fips_drbg_ctr_init(DRBG_CTX *dctx) ++{ ++ DRBG_CTR_CTX *cctx = &dctx->d.ctr; ++ ++ size_t keylen; ++ ++ switch (dctx->type) { ++ case NID_aes_128_ctr: ++ keylen = 16; ++ break; ++ ++ case NID_aes_192_ctr: ++ keylen = 24; ++ break; ++ ++ case NID_aes_256_ctr: ++ keylen = 32; ++ break; ++ ++ default: ++ return -2; ++ } ++ ++ dctx->instantiate = drbg_ctr_instantiate; ++ dctx->reseed = drbg_ctr_reseed; ++ dctx->generate = drbg_ctr_generate; ++ dctx->uninstantiate = drbg_ctr_uninstantiate; ++ ++ cctx->keylen = keylen; ++ dctx->strength = keylen * 8; ++ dctx->blocklength = 16; ++ dctx->seedlen = keylen + 16; ++ ++ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) { ++ /* df initialisation */ ++ static unsigned char df_key[32] = { ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, ++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, ++ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, ++ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f ++ }; ++ /* Set key schedule for df_key */ ++ AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks); ++ ++ dctx->min_entropy = cctx->keylen; ++ dctx->max_entropy = DRBG_MAX_LENGTH; ++ dctx->min_nonce = dctx->min_entropy / 2; ++ dctx->max_nonce = DRBG_MAX_LENGTH; ++ dctx->max_pers = DRBG_MAX_LENGTH; ++ dctx->max_adin = DRBG_MAX_LENGTH; ++ } else { ++ dctx->min_entropy = dctx->seedlen; ++ dctx->max_entropy = dctx->seedlen; ++ /* Nonce not used */ ++ dctx->min_nonce = 0; ++ dctx->max_nonce = 0; ++ dctx->max_pers = dctx->seedlen; ++ dctx->max_adin = dctx->seedlen; ++ } ++ ++ dctx->max_request = 1 << 16; ++ dctx->reseed_interval = 1 << 24; ++ ++ return 1; ++} +Index: openssl-1.1.1n/crypto/fips/fips_drbg_hash.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_drbg_hash.c +@@ -0,0 +1,354 @@ ++/* fips/rand/fips_drbg_hash.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ */ ++ ++#define OPENSSL_FIPSAPI ++ ++#include ++#include ++#include ++#include ++#include "crypto/fips_int.h" ++#include ++#include "fips_rand_lcl.h" ++ ++/* This is Hash_df from SP 800-90 10.4.1 */ ++ ++static int hash_df(DRBG_CTX *dctx, unsigned char *out, ++ const unsigned char *in1, size_t in1len, ++ const unsigned char *in2, size_t in2len, ++ const unsigned char *in3, size_t in3len, ++ const unsigned char *in4, size_t in4len) ++{ ++ EVP_MD_CTX *mctx = dctx->d.hash.mctx; ++ unsigned char *vtmp = dctx->d.hash.vtmp; ++ unsigned char tmp[6]; ++ /* Standard only ever needs seedlen bytes which is always less than ++ * maximum permitted so no need to check length. ++ */ ++ size_t outlen = dctx->seedlen; ++ tmp[0] = 1; ++ tmp[1] = ((outlen * 8) >> 24) & 0xff; ++ tmp[2] = ((outlen * 8) >> 16) & 0xff; ++ tmp[3] = ((outlen * 8) >> 8) & 0xff; ++ tmp[4] = (outlen * 8) & 0xff; ++ if (!in1) { ++ tmp[5] = (unsigned char)in1len; ++ in1 = tmp + 5; ++ in1len = 1; ++ } ++ for (;;) { ++ if (!FIPS_digestinit(mctx, dctx->d.hash.md)) ++ return 0; ++ if (!FIPS_digestupdate(mctx, tmp, 5)) ++ return 0; ++ if (in1 && !FIPS_digestupdate(mctx, in1, in1len)) ++ return 0; ++ if (in2 && !FIPS_digestupdate(mctx, in2, in2len)) ++ return 0; ++ if (in3 && !FIPS_digestupdate(mctx, in3, in3len)) ++ return 0; ++ if (in4 && !FIPS_digestupdate(mctx, in4, in4len)) ++ return 0; ++ if (outlen < dctx->blocklength) { ++ if (!FIPS_digestfinal(mctx, vtmp, NULL)) ++ return 0; ++ memcpy(out, vtmp, outlen); ++ OPENSSL_cleanse(vtmp, dctx->blocklength); ++ return 1; ++ } else if (!FIPS_digestfinal(mctx, out, NULL)) ++ return 0; ++ ++ outlen -= dctx->blocklength; ++ if (outlen == 0) ++ return 1; ++ tmp[0]++; ++ out += dctx->blocklength; ++ } ++} ++ ++/* Add an unsigned buffer to the buf value, storing the result in buf. For ++ * this algorithm the length of input never exceeds the seed length. ++ */ ++ ++static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf, ++ unsigned char *in, size_t inlen) ++{ ++ size_t i = inlen; ++ const unsigned char *q; ++ unsigned char c, *p; ++ p = buf + dctx->seedlen; ++ q = in + inlen; ++ ++ OPENSSL_assert(i <= dctx->seedlen); ++ ++ /* Special case: zero length, just increment buffer */ ++ if (i) ++ c = 0; ++ else ++ c = 1; ++ ++ while (i) { ++ int r; ++ p--; ++ q--; ++ r = *p + *q + c; ++ /* Carry */ ++ if (r > 0xff) ++ c = 1; ++ else ++ c = 0; ++ *p = r & 0xff; ++ i--; ++ } ++ ++ i = dctx->seedlen - inlen; ++ ++ /* If not adding whole buffer handle final carries */ ++ if (c && i) { ++ do { ++ p--; ++ c = *p; ++ c++; ++ *p = c; ++ if (c) ++ return; ++ } while (i--); ++ } ++} ++ ++/* Finalise and add hash to V */ ++ ++static int ctx_add_md(DRBG_CTX *dctx) ++{ ++ if (!FIPS_digestfinal(dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL)) ++ return 0; ++ ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength); ++ return 1; ++} ++ ++static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen) ++{ ++ DRBG_HASH_CTX *hctx = &dctx->d.hash; ++ if (outlen == 0) ++ return 1; ++ memcpy(hctx->vtmp, hctx->V, dctx->seedlen); ++ for (;;) { ++ FIPS_digestinit(hctx->mctx, hctx->md); ++ FIPS_digestupdate(hctx->mctx, hctx->vtmp, dctx->seedlen); ++ if (outlen < dctx->blocklength) { ++ FIPS_digestfinal(hctx->mctx, hctx->vtmp, NULL); ++ memcpy(out, hctx->vtmp, outlen); ++ return 1; ++ } else { ++ FIPS_digestfinal(hctx->mctx, out, NULL); ++ outlen -= dctx->blocklength; ++ if (outlen == 0) ++ return 1; ++ out += dctx->blocklength; ++ } ++ ctx_add_buf(dctx, hctx->vtmp, NULL, 0); ++ } ++} ++ ++static int drbg_hash_instantiate(DRBG_CTX *dctx, ++ const unsigned char *ent, size_t ent_len, ++ const unsigned char *nonce, size_t nonce_len, ++ const unsigned char *pstr, size_t pstr_len) ++{ ++ DRBG_HASH_CTX *hctx = &dctx->d.hash; ++ if (!hash_df(dctx, hctx->V, ++ ent, ent_len, nonce, nonce_len, pstr, pstr_len, NULL, 0)) ++ return 0; ++ if (!hash_df(dctx, hctx->C, ++ NULL, 0, hctx->V, dctx->seedlen, NULL, 0, NULL, 0)) ++ return 0; ++ ++#ifdef HASH_DRBG_TRACE ++ fprintf(stderr, "V+C after instantiate:\n"); ++ hexprint(stderr, hctx->V, dctx->seedlen); ++ hexprint(stderr, hctx->C, dctx->seedlen); ++#endif ++ return 1; ++} ++ ++static int drbg_hash_reseed(DRBG_CTX *dctx, ++ const unsigned char *ent, size_t ent_len, ++ const unsigned char *adin, size_t adin_len) ++{ ++ DRBG_HASH_CTX *hctx = &dctx->d.hash; ++ /* V about to be updated so use C as output instead */ ++ if (!hash_df(dctx, hctx->C, ++ NULL, 1, hctx->V, dctx->seedlen, ++ ent, ent_len, adin, adin_len)) ++ return 0; ++ memcpy(hctx->V, hctx->C, dctx->seedlen); ++ if (!hash_df(dctx, hctx->C, NULL, 0, ++ hctx->V, dctx->seedlen, NULL, 0, NULL, 0)) ++ return 0; ++#ifdef HASH_DRBG_TRACE ++ fprintf(stderr, "V+C after reseed:\n"); ++ hexprint(stderr, hctx->V, dctx->seedlen); ++ hexprint(stderr, hctx->C, dctx->seedlen); ++#endif ++ return 1; ++} ++ ++static int drbg_hash_generate(DRBG_CTX *dctx, ++ unsigned char *out, size_t outlen, ++ const unsigned char *adin, size_t adin_len) ++{ ++ DRBG_HASH_CTX *hctx = &dctx->d.hash; ++ EVP_MD_CTX *mctx = hctx->mctx; ++ unsigned char tmp[4]; ++ if (adin && adin_len) { ++ tmp[0] = 2; ++ if (!FIPS_digestinit(mctx, hctx->md)) ++ return 0; ++ if (!EVP_DigestUpdate(mctx, tmp, 1)) ++ return 0; ++ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen)) ++ return 0; ++ if (!EVP_DigestUpdate(mctx, adin, adin_len)) ++ return 0; ++ if (!ctx_add_md(dctx)) ++ return 0; ++ } ++ if (!hash_gen(dctx, out, outlen)) ++ return 0; ++ ++ tmp[0] = 3; ++ if (!FIPS_digestinit(mctx, hctx->md)) ++ return 0; ++ if (!EVP_DigestUpdate(mctx, tmp, 1)) ++ return 0; ++ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen)) ++ return 0; ++ ++ if (!ctx_add_md(dctx)) ++ return 0; ++ ++ ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen); ++ ++ tmp[0] = (dctx->reseed_counter >> 24) & 0xff; ++ tmp[1] = (dctx->reseed_counter >> 16) & 0xff; ++ tmp[2] = (dctx->reseed_counter >> 8) & 0xff; ++ tmp[3] = dctx->reseed_counter & 0xff; ++ ctx_add_buf(dctx, hctx->V, tmp, 4); ++#ifdef HASH_DRBG_TRACE ++ fprintf(stderr, "V+C after generate:\n"); ++ hexprint(stderr, hctx->V, dctx->seedlen); ++ hexprint(stderr, hctx->C, dctx->seedlen); ++#endif ++ return 1; ++} ++ ++static int drbg_hash_uninstantiate(DRBG_CTX *dctx) ++{ ++ EVP_MD_CTX_free(dctx->d.hash.mctx); ++ OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX)); ++ return 1; ++} ++ ++int fips_drbg_hash_init(DRBG_CTX *dctx) ++{ ++ const EVP_MD *md; ++ DRBG_HASH_CTX *hctx = &dctx->d.hash; ++ md = EVP_get_digestbynid(dctx->type); ++ if (!md) ++ return -2; ++ switch (dctx->type) { ++ case NID_sha1: ++ dctx->strength = 128; ++ break; ++ ++ case NID_sha224: ++ dctx->strength = 192; ++ break; ++ ++ default: ++ dctx->strength = 256; ++ break; ++ } ++ ++ dctx->instantiate = drbg_hash_instantiate; ++ dctx->reseed = drbg_hash_reseed; ++ dctx->generate = drbg_hash_generate; ++ dctx->uninstantiate = drbg_hash_uninstantiate; ++ ++ dctx->d.hash.md = md; ++ hctx->mctx = EVP_MD_CTX_new(); ++ if (hctx->mctx == NULL) ++ return -1; ++ ++ /* These are taken from SP 800-90 10.1 table 2 */ ++ ++ dctx->blocklength = EVP_MD_size(md); ++ if (dctx->blocklength > 32) ++ dctx->seedlen = 111; ++ else ++ dctx->seedlen = 55; ++ ++ dctx->min_entropy = dctx->strength / 8; ++ dctx->max_entropy = DRBG_MAX_LENGTH; ++ ++ dctx->min_nonce = dctx->min_entropy / 2; ++ dctx->max_nonce = DRBG_MAX_LENGTH; ++ ++ dctx->max_pers = DRBG_MAX_LENGTH; ++ dctx->max_adin = DRBG_MAX_LENGTH; ++ ++ dctx->max_request = 1 << 16; ++ dctx->reseed_interval = 1 << 24; ++ ++ return 1; ++} +Index: openssl-1.1.1n/crypto/fips/fips_drbg_hmac.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_drbg_hmac.c +@@ -0,0 +1,262 @@ ++/* fips/rand/fips_drbg_hmac.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "fips_rand_lcl.h" ++ ++static int drbg_hmac_update(DRBG_CTX *dctx, ++ const unsigned char *in1, size_t in1len, ++ const unsigned char *in2, size_t in2len, ++ const unsigned char *in3, size_t in3len) ++{ ++ static unsigned char c0 = 0, c1 = 1; ++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; ++ HMAC_CTX *hctx = hmac->hctx; ++ ++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) ++ return 0; ++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) ++ return 0; ++ if (!HMAC_Update(hctx, &c0, 1)) ++ return 0; ++ if (in1len && !HMAC_Update(hctx, in1, in1len)) ++ return 0; ++ if (in2len && !HMAC_Update(hctx, in2, in2len)) ++ return 0; ++ if (in3len && !HMAC_Update(hctx, in3, in3len)) ++ return 0; ++ ++ if (!HMAC_Final(hctx, hmac->K, NULL)) ++ return 0; ++ ++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) ++ return 0; ++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) ++ return 0; ++ ++ if (!HMAC_Final(hctx, hmac->V, NULL)) ++ return 0; ++ ++ if (!in1len && !in2len && !in3len) ++ return 1; ++ ++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) ++ return 0; ++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) ++ return 0; ++ if (!HMAC_Update(hctx, &c1, 1)) ++ return 0; ++ if (in1len && !HMAC_Update(hctx, in1, in1len)) ++ return 0; ++ if (in2len && !HMAC_Update(hctx, in2, in2len)) ++ return 0; ++ if (in3len && !HMAC_Update(hctx, in3, in3len)) ++ return 0; ++ ++ if (!HMAC_Final(hctx, hmac->K, NULL)) ++ return 0; ++ ++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) ++ return 0; ++ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) ++ return 0; ++ ++ if (!HMAC_Final(hctx, hmac->V, NULL)) ++ return 0; ++ ++ return 1; ++ ++} ++ ++static int drbg_hmac_instantiate(DRBG_CTX *dctx, ++ const unsigned char *ent, size_t ent_len, ++ const unsigned char *nonce, size_t nonce_len, ++ const unsigned char *pstr, size_t pstr_len) ++{ ++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; ++ memset(hmac->K, 0, dctx->blocklength); ++ memset(hmac->V, 1, dctx->blocklength); ++ if (!drbg_hmac_update(dctx, ++ ent, ent_len, nonce, nonce_len, pstr, pstr_len)) ++ return 0; ++ ++#ifdef HMAC_DRBG_TRACE ++ fprintf(stderr, "K+V after instantiate:\n"); ++ hexprint(stderr, hmac->K, hmac->blocklength); ++ hexprint(stderr, hmac->V, hmac->blocklength); ++#endif ++ return 1; ++} ++ ++static int drbg_hmac_reseed(DRBG_CTX *dctx, ++ const unsigned char *ent, size_t ent_len, ++ const unsigned char *adin, size_t adin_len) ++{ ++ if (!drbg_hmac_update(dctx, ent, ent_len, adin, adin_len, NULL, 0)) ++ return 0; ++ ++#ifdef HMAC_DRBG_TRACE ++ { ++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; ++ fprintf(stderr, "K+V after reseed:\n"); ++ hexprint(stderr, hmac->K, hmac->blocklength); ++ hexprint(stderr, hmac->V, hmac->blocklength); ++ } ++#endif ++ return 1; ++} ++ ++static int drbg_hmac_generate(DRBG_CTX *dctx, ++ unsigned char *out, size_t outlen, ++ const unsigned char *adin, size_t adin_len) ++{ ++ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; ++ HMAC_CTX *hctx = hmac->hctx; ++ const unsigned char *Vtmp = hmac->V; ++ if (adin_len && !drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0)) ++ return 0; ++ for (;;) { ++ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) ++ return 0; ++ if (!HMAC_Update(hctx, Vtmp, dctx->blocklength)) ++ return 0; ++ if (outlen > dctx->blocklength) { ++ if (!HMAC_Final(hctx, out, NULL)) ++ return 0; ++ Vtmp = out; ++ } else { ++ if (!HMAC_Final(hctx, hmac->V, NULL)) ++ return 0; ++ memcpy(out, hmac->V, outlen); ++ break; ++ } ++ out += dctx->blocklength; ++ outlen -= dctx->blocklength; ++ } ++ if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0)) ++ return 0; ++ ++ return 1; ++} ++ ++static int drbg_hmac_uninstantiate(DRBG_CTX *dctx) ++{ ++ HMAC_CTX_free(dctx->d.hmac.hctx); ++ OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX)); ++ return 1; ++} ++ ++int fips_drbg_hmac_init(DRBG_CTX *dctx) ++{ ++ const EVP_MD *md = NULL; ++ DRBG_HMAC_CTX *hctx = &dctx->d.hmac; ++ dctx->strength = 256; ++ switch (dctx->type) { ++ case NID_hmacWithSHA1: ++ md = EVP_sha1(); ++ dctx->strength = 128; ++ break; ++ ++ case NID_hmacWithSHA224: ++ md = EVP_sha224(); ++ dctx->strength = 192; ++ break; ++ ++ case NID_hmacWithSHA256: ++ md = EVP_sha256(); ++ break; ++ ++ case NID_hmacWithSHA384: ++ md = EVP_sha384(); ++ break; ++ ++ case NID_hmacWithSHA512: ++ md = EVP_sha512(); ++ break; ++ ++ default: ++ dctx->strength = 0; ++ return -2; ++ } ++ dctx->instantiate = drbg_hmac_instantiate; ++ dctx->reseed = drbg_hmac_reseed; ++ dctx->generate = drbg_hmac_generate; ++ dctx->uninstantiate = drbg_hmac_uninstantiate; ++ hctx->hctx = HMAC_CTX_new(); ++ if (hctx->hctx == NULL) ++ return -1; ++ hctx->md = md; ++ dctx->blocklength = M_EVP_MD_size(md); ++ dctx->seedlen = M_EVP_MD_size(md); ++ ++ dctx->min_entropy = dctx->strength / 8; ++ dctx->max_entropy = DRBG_MAX_LENGTH; ++ ++ dctx->min_nonce = dctx->min_entropy / 2; ++ dctx->max_nonce = DRBG_MAX_LENGTH; ++ ++ dctx->max_pers = DRBG_MAX_LENGTH; ++ dctx->max_adin = DRBG_MAX_LENGTH; ++ ++ dctx->max_request = 1 << 16; ++ dctx->reseed_interval = 1 << 24; ++ ++ return 1; ++} +Index: openssl-1.1.1n/crypto/fips/fips_drbg_lib.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_drbg_lib.c +@@ -0,0 +1,528 @@ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ */ ++ ++#include ++#include ++#include ++#include ++#include "crypto/fips_int.h" ++#include ++#include "fips_locl.h" ++#include "fips_rand_lcl.h" ++ ++/* Support framework for SP800-90 DRBGs */ ++ ++int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags) ++{ ++ int rv; ++ memset(dctx, 0, sizeof(DRBG_CTX)); ++ dctx->status = DRBG_STATUS_UNINITIALISED; ++ dctx->xflags = flags; ++ dctx->type = type; ++ ++ dctx->iflags = 0; ++ dctx->entropy_blocklen = 0; ++ dctx->health_check_cnt = 0; ++ dctx->health_check_interval = DRBG_HEALTH_INTERVAL; ++ ++ rv = fips_drbg_hash_init(dctx); ++ ++ if (rv == -2) ++ rv = fips_drbg_ctr_init(dctx); ++ if (rv == -2) ++ rv = fips_drbg_hmac_init(dctx); ++ ++ if (rv <= 0) { ++ if (rv == -2) ++ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE); ++ else ++ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG); ++ } ++ ++ /* If not in test mode run selftests on DRBG of the same type */ ++ ++ if (!(dctx->xflags & DRBG_FLAG_TEST)) { ++ if (!FIPS_drbg_health_check(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE); ++ return 0; ++ } ++ } ++ ++ return rv; ++} ++ ++DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags) ++{ ++ DRBG_CTX *dctx; ++ dctx = OPENSSL_malloc(sizeof(DRBG_CTX)); ++ if (!dctx) { ++ FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE); ++ return NULL; ++ } ++ ++ if (type == 0) { ++ memset(dctx, 0, sizeof(DRBG_CTX)); ++ dctx->type = 0; ++ dctx->status = DRBG_STATUS_UNINITIALISED; ++ return dctx; ++ } ++ ++ if (FIPS_drbg_init(dctx, type, flags) <= 0) { ++ OPENSSL_free(dctx); ++ return NULL; ++ } ++ ++ return dctx; ++} ++ ++void FIPS_drbg_free(DRBG_CTX *dctx) ++{ ++ if (dctx->uninstantiate) ++ dctx->uninstantiate(dctx); ++ /* Don't free up default DRBG */ ++ if (dctx == FIPS_get_default_drbg()) { ++ memset(dctx, 0, sizeof(DRBG_CTX)); ++ dctx->type = 0; ++ dctx->status = DRBG_STATUS_UNINITIALISED; ++ } else { ++ OPENSSL_cleanse(&dctx->d, sizeof(dctx->d)); ++ OPENSSL_free(dctx); ++ } ++} ++ ++static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len) ++{ ++ unsigned char *tout, *p; ++ size_t bl = dctx->entropy_blocklen, rv; ++ if (!dctx->get_entropy) ++ return 0; ++ if (dctx->xflags & DRBG_FLAG_TEST || !bl) ++ return dctx->get_entropy(dctx, pout, entropy, min_len, max_len); ++ rv = dctx->get_entropy(dctx, &tout, entropy + bl, ++ min_len + bl, max_len + bl); ++ if (tout == NULL) ++ return 0; ++ *pout = tout + bl; ++ if (rv < (min_len + bl) || (rv % bl)) ++ return 0; ++ /* Compare consecutive blocks for continuous PRNG test */ ++ for (p = tout; p < tout + rv - bl; p += bl) { ++ if (!memcmp(p, p + bl, bl)) { ++ FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK); ++ return 0; ++ } ++ } ++ rv -= bl; ++ if (rv > max_len) ++ return max_len; ++ return rv; ++} ++ ++static void fips_cleanup_entropy(DRBG_CTX *dctx, ++ unsigned char *out, size_t olen) ++{ ++ size_t bl; ++ if (dctx->xflags & DRBG_FLAG_TEST) ++ bl = 0; ++ else ++ bl = dctx->entropy_blocklen; ++ /* Call cleanup with original arguments */ ++ dctx->cleanup_entropy(dctx, out - bl, olen + bl); ++} ++ ++int FIPS_drbg_instantiate(DRBG_CTX *dctx, ++ const unsigned char *pers, size_t perslen) ++{ ++ size_t entlen = 0, noncelen = 0; ++ unsigned char *nonce = NULL, *entropy = NULL; ++ ++#if 0 ++ /* Put here so error script picks them up */ ++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, ++ FIPS_R_PERSONALISATION_STRING_TOO_LONG); ++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE); ++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED); ++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY); ++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE); ++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR); ++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED); ++#endif ++ ++ int r = 0; ++ ++ if (perslen > dctx->max_pers) { ++ r = FIPS_R_PERSONALISATION_STRING_TOO_LONG; ++ goto end; ++ } ++ ++ if (!dctx->instantiate) { ++ r = FIPS_R_DRBG_NOT_INITIALISED; ++ goto end; ++ } ++ ++ if (dctx->status != DRBG_STATUS_UNINITIALISED) { ++ if (dctx->status == DRBG_STATUS_ERROR) ++ r = FIPS_R_IN_ERROR_STATE; ++ else ++ r = FIPS_R_ALREADY_INSTANTIATED; ++ goto end; ++ } ++ ++ dctx->status = DRBG_STATUS_ERROR; ++ ++ entlen = fips_get_entropy(dctx, &entropy, dctx->strength, ++ dctx->min_entropy, dctx->max_entropy); ++ ++ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) { ++ r = FIPS_R_ERROR_RETRIEVING_ENTROPY; ++ goto end; ++ } ++ ++ if (dctx->max_nonce > 0 && dctx->get_nonce) { ++ noncelen = dctx->get_nonce(dctx, &nonce, ++ dctx->strength / 2, ++ dctx->min_nonce, dctx->max_nonce); ++ ++ if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) { ++ r = FIPS_R_ERROR_RETRIEVING_NONCE; ++ goto end; ++ } ++ ++ } ++ ++ if (!dctx->instantiate(dctx, ++ entropy, entlen, nonce, noncelen, pers, perslen)) { ++ r = FIPS_R_ERROR_INSTANTIATING_DRBG; ++ goto end; ++ } ++ ++ dctx->status = DRBG_STATUS_READY; ++ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) ++ dctx->reseed_counter = 1; ++ ++ end: ++ ++ if (entropy && dctx->cleanup_entropy) ++ fips_cleanup_entropy(dctx, entropy, entlen); ++ ++ if (nonce && dctx->cleanup_nonce) ++ dctx->cleanup_nonce(dctx, nonce, noncelen); ++ ++ if (dctx->status == DRBG_STATUS_READY) ++ return 1; ++ ++ if (r && !(dctx->iflags & DRBG_FLAG_NOERR)) ++ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r); ++ ++ return 0; ++ ++} ++ ++static int drbg_reseed(DRBG_CTX *dctx, ++ const unsigned char *adin, size_t adinlen, int hcheck) ++{ ++ unsigned char *entropy = NULL; ++ size_t entlen = 0; ++ int r = 0; ++ ++#if 0 ++ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED); ++ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG); ++#endif ++ if (dctx->status != DRBG_STATUS_READY ++ && dctx->status != DRBG_STATUS_RESEED) { ++ if (dctx->status == DRBG_STATUS_ERROR) ++ r = FIPS_R_IN_ERROR_STATE; ++ else if (dctx->status == DRBG_STATUS_UNINITIALISED) ++ r = FIPS_R_NOT_INSTANTIATED; ++ goto end; ++ } ++ ++ if (!adin) ++ adinlen = 0; ++ else if (adinlen > dctx->max_adin) { ++ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG; ++ goto end; ++ } ++ ++ dctx->status = DRBG_STATUS_ERROR; ++ /* Peform health check on all reseed operations if not a prediction ++ * resistance request and not in test mode. ++ */ ++ if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST)) { ++ if (!FIPS_drbg_health_check(dctx)) { ++ r = FIPS_R_SELFTEST_FAILURE; ++ goto end; ++ } ++ } ++ ++ entlen = fips_get_entropy(dctx, &entropy, dctx->strength, ++ dctx->min_entropy, dctx->max_entropy); ++ ++ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) { ++ r = FIPS_R_ERROR_RETRIEVING_ENTROPY; ++ goto end; ++ } ++ ++ if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen)) ++ goto end; ++ ++ dctx->status = DRBG_STATUS_READY; ++ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) ++ dctx->reseed_counter = 1; ++ end: ++ ++ if (entropy && dctx->cleanup_entropy) ++ fips_cleanup_entropy(dctx, entropy, entlen); ++ ++ if (dctx->status == DRBG_STATUS_READY) ++ return 1; ++ ++ if (r && !(dctx->iflags & DRBG_FLAG_NOERR)) ++ FIPSerr(FIPS_F_DRBG_RESEED, r); ++ ++ return 0; ++} ++ ++int FIPS_drbg_reseed(DRBG_CTX *dctx, ++ const unsigned char *adin, size_t adinlen) ++{ ++ return drbg_reseed(dctx, adin, adinlen, 1); ++} ++ ++static int fips_drbg_check(DRBG_CTX *dctx) ++{ ++ if (dctx->xflags & DRBG_FLAG_TEST) ++ return 1; ++ dctx->health_check_cnt++; ++ if (dctx->health_check_cnt >= dctx->health_check_interval) { ++ if (!FIPS_drbg_health_check(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE); ++ return 0; ++ } ++ } ++ return 1; ++} ++ ++int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, ++ int prediction_resistance, ++ const unsigned char *adin, size_t adinlen) ++{ ++ int r = 0; ++ ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ if (!fips_drbg_check(dctx)) ++ return 0; ++ ++ if (dctx->status != DRBG_STATUS_READY ++ && dctx->status != DRBG_STATUS_RESEED) { ++ if (dctx->status == DRBG_STATUS_ERROR) ++ r = FIPS_R_IN_ERROR_STATE; ++ else if (dctx->status == DRBG_STATUS_UNINITIALISED) ++ r = FIPS_R_NOT_INSTANTIATED; ++ goto end; ++ } ++ ++ if (outlen > dctx->max_request) { ++ r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG; ++ return 0; ++ } ++ ++ if (adinlen > dctx->max_adin) { ++ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG; ++ goto end; ++ } ++ ++ if (dctx->iflags & DRBG_CUSTOM_RESEED) ++ dctx->generate(dctx, NULL, outlen, NULL, 0); ++ else if (dctx->reseed_counter >= dctx->reseed_interval) ++ dctx->status = DRBG_STATUS_RESEED; ++ ++ if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) { ++ /* If prediction resistance request don't do health check */ ++ int hcheck = prediction_resistance ? 0 : 1; ++ ++ if (!drbg_reseed(dctx, adin, adinlen, hcheck)) { ++ r = FIPS_R_RESEED_ERROR; ++ goto end; ++ } ++ adin = NULL; ++ adinlen = 0; ++ } ++ ++ if (!dctx->generate(dctx, out, outlen, adin, adinlen)) { ++ r = FIPS_R_GENERATE_ERROR; ++ dctx->status = DRBG_STATUS_ERROR; ++ goto end; ++ } ++ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) { ++ if (dctx->reseed_counter >= dctx->reseed_interval) ++ dctx->status = DRBG_STATUS_RESEED; ++ else ++ dctx->reseed_counter++; ++ } ++ ++ end: ++ if (r) { ++ if (!(dctx->iflags & DRBG_FLAG_NOERR)) ++ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++int FIPS_drbg_uninstantiate(DRBG_CTX *dctx) ++{ ++ int rv; ++ if (!dctx->uninstantiate) ++ rv = 1; ++ else ++ rv = dctx->uninstantiate(dctx); ++ /* Although we'd like to cleanse here we can't because we have to ++ * test the uninstantiate really zeroes the data. ++ */ ++ memset(&dctx->d, 0, sizeof(dctx->d)); ++ dctx->status = DRBG_STATUS_UNINITIALISED; ++ /* If method has problems uninstantiating, return error */ ++ return rv; ++} ++ ++int FIPS_drbg_set_callbacks(DRBG_CTX *dctx, ++ size_t (*get_entropy) (DRBG_CTX *ctx, ++ unsigned char **pout, ++ int entropy, ++ size_t min_len, ++ size_t max_len), ++ void (*cleanup_entropy) (DRBG_CTX *ctx, ++ unsigned char *out, ++ size_t olen), ++ size_t entropy_blocklen, ++ size_t (*get_nonce) (DRBG_CTX *ctx, ++ unsigned char **pout, ++ int entropy, size_t min_len, ++ size_t max_len), ++ void (*cleanup_nonce) (DRBG_CTX *ctx, ++ unsigned char *out, ++ size_t olen)) ++{ ++ if (dctx->status != DRBG_STATUS_UNINITIALISED) ++ return 0; ++ dctx->entropy_blocklen = entropy_blocklen; ++ dctx->get_entropy = get_entropy; ++ dctx->cleanup_entropy = cleanup_entropy; ++ dctx->get_nonce = get_nonce; ++ dctx->cleanup_nonce = cleanup_nonce; ++ return 1; ++} ++ ++int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx, ++ size_t (*get_adin) (DRBG_CTX *ctx, ++ unsigned char **pout), ++ void (*cleanup_adin) (DRBG_CTX *ctx, ++ unsigned char *out, ++ size_t olen), ++ int (*rand_seed_cb) (DRBG_CTX *ctx, ++ const void *buf, ++ int num), ++ int (*rand_add_cb) (DRBG_CTX *ctx, ++ const void *buf, int num, ++ double entropy)) ++{ ++ if (dctx->status != DRBG_STATUS_UNINITIALISED) ++ return 0; ++ dctx->get_adin = get_adin; ++ dctx->cleanup_adin = cleanup_adin; ++ dctx->rand_seed_cb = rand_seed_cb; ++ dctx->rand_add_cb = rand_add_cb; ++ return 1; ++} ++ ++void *FIPS_drbg_get_app_data(DRBG_CTX *dctx) ++{ ++ return dctx->app_data; ++} ++ ++void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data) ++{ ++ dctx->app_data = app_data; ++} ++ ++size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx) ++{ ++ return dctx->blocklength; ++} ++ ++int FIPS_drbg_get_strength(DRBG_CTX *dctx) ++{ ++ return dctx->strength; ++} ++ ++void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval) ++{ ++ dctx->health_check_interval = interval; ++} ++ ++void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval) ++{ ++ dctx->reseed_interval = interval; ++} ++ ++void FIPS_drbg_stick(int onoff) ++{ ++ /* Just backwards compatibility API call with no effect. */ ++} +Index: openssl-1.1.1n/crypto/fips/fips_drbg_rand.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_drbg_rand.c +@@ -0,0 +1,185 @@ ++/* fips/rand/fips_drbg_rand.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ */ ++ ++#include ++#include ++#include "internal/thread_once.h" ++#include ++#include ++#include ++#include ++#include "fips_rand_lcl.h" ++ ++/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */ ++ ++/* Since we only have one global PRNG used at any time in OpenSSL use a global ++ * variable to store context. ++ */ ++ ++static DRBG_CTX ossl_dctx; ++ ++static CRYPTO_RWLOCK *fips_rand_lock = NULL; ++static CRYPTO_ONCE fips_rand_lock_init = CRYPTO_ONCE_STATIC_INIT; ++ ++DEFINE_RUN_ONCE_STATIC(do_fips_rand_lock_init) ++{ ++ fips_rand_lock = CRYPTO_THREAD_lock_new(); ++ return fips_rand_lock != NULL; ++} ++ ++DRBG_CTX *FIPS_get_default_drbg(void) ++{ ++ if (!RUN_ONCE(&fips_rand_lock_init, do_fips_rand_lock_init)) ++ return NULL; ++ return &ossl_dctx; ++} ++ ++static int fips_drbg_bytes(unsigned char *out, int count) ++{ ++ DRBG_CTX *dctx = &ossl_dctx; ++ int rv = 0; ++ unsigned char *adin = NULL; ++ size_t adinlen = 0; ++ CRYPTO_THREAD_write_lock(fips_rand_lock); ++ do { ++ size_t rcnt; ++ if (count > (int)dctx->max_request) ++ rcnt = dctx->max_request; ++ else ++ rcnt = count; ++ if (dctx->get_adin) { ++ adinlen = dctx->get_adin(dctx, &adin); ++ if (adinlen && !adin) { ++ FIPSerr(FIPS_F_FIPS_DRBG_BYTES, ++ FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT); ++ goto err; ++ } ++ } ++ rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen); ++ if (adin) { ++ if (dctx->cleanup_adin) ++ dctx->cleanup_adin(dctx, adin, adinlen); ++ adin = NULL; ++ } ++ if (!rv) ++ goto err; ++ out += rcnt; ++ count -= rcnt; ++ } ++ while (count); ++ rv = 1; ++ err: ++ CRYPTO_THREAD_unlock(fips_rand_lock); ++ return rv; ++} ++ ++static int fips_drbg_pseudo(unsigned char *out, int count) ++{ ++ if (fips_drbg_bytes(out, count) <= 0) ++ return -1; ++ return 1; ++} ++ ++static int fips_drbg_status(void) ++{ ++ DRBG_CTX *dctx = &ossl_dctx; ++ int rv; ++ CRYPTO_THREAD_read_lock(fips_rand_lock); ++ rv = dctx->status == DRBG_STATUS_READY ? 1 : 0; ++ CRYPTO_THREAD_unlock(fips_rand_lock); ++ return rv; ++} ++ ++static void fips_drbg_cleanup(void) ++{ ++ DRBG_CTX *dctx = &ossl_dctx; ++ CRYPTO_THREAD_write_lock(fips_rand_lock); ++ FIPS_drbg_uninstantiate(dctx); ++ CRYPTO_THREAD_unlock(fips_rand_lock); ++} ++ ++static int fips_drbg_seed(const void *seed, int seedlen) ++{ ++ DRBG_CTX *dctx = &ossl_dctx; ++ int ret = 1; ++ CRYPTO_THREAD_write_lock(fips_rand_lock); ++ if (dctx->rand_seed_cb) ++ ret = dctx->rand_seed_cb(dctx, seed, seedlen); ++ CRYPTO_THREAD_unlock(fips_rand_lock); ++ return ret; ++} ++ ++static int fips_drbg_add(const void *seed, int seedlen, double add_entropy) ++{ ++ DRBG_CTX *dctx = &ossl_dctx; ++ int ret = 1; ++ CRYPTO_THREAD_write_lock(fips_rand_lock); ++ if (dctx->rand_add_cb) ++ ret = dctx->rand_add_cb(dctx, seed, seedlen, add_entropy); ++ CRYPTO_THREAD_unlock(fips_rand_lock); ++ return ret; ++} ++ ++static const RAND_METHOD rand_drbg_meth = { ++ fips_drbg_seed, ++ fips_drbg_bytes, ++ fips_drbg_cleanup, ++ fips_drbg_add, ++ fips_drbg_pseudo, ++ fips_drbg_status ++}; ++ ++const RAND_METHOD *FIPS_drbg_method(void) ++{ ++ return &rand_drbg_meth; ++} +Index: openssl-1.1.1n/crypto/fips/fips_drbg_selftest.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_drbg_selftest.c +@@ -0,0 +1,828 @@ ++/* fips/rand/fips_drbg_selftest.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include "fips_rand_lcl.h" ++#include "fips_locl.h" ++ ++#include "fips_drbg_selftest.h" ++ ++typedef struct { ++ int post; ++ int nid; ++ unsigned int flags; ++ ++ /* KAT data for no PR */ ++ const unsigned char *ent; ++ size_t entlen; ++ const unsigned char *nonce; ++ size_t noncelen; ++ const unsigned char *pers; ++ size_t perslen; ++ const unsigned char *adin; ++ size_t adinlen; ++ const unsigned char *entreseed; ++ size_t entreseedlen; ++ const unsigned char *adinreseed; ++ size_t adinreseedlen; ++ const unsigned char *adin2; ++ size_t adin2len; ++ const unsigned char *kat; ++ size_t katlen; ++ const unsigned char *kat2; ++ size_t kat2len; ++ ++ /* KAT data for PR */ ++ const unsigned char *ent_pr; ++ size_t entlen_pr; ++ const unsigned char *nonce_pr; ++ size_t noncelen_pr; ++ const unsigned char *pers_pr; ++ size_t perslen_pr; ++ const unsigned char *adin_pr; ++ size_t adinlen_pr; ++ const unsigned char *entpr_pr; ++ size_t entprlen_pr; ++ const unsigned char *ading_pr; ++ size_t adinglen_pr; ++ const unsigned char *entg_pr; ++ size_t entglen_pr; ++ const unsigned char *kat_pr; ++ size_t katlen_pr; ++ const unsigned char *kat2_pr; ++ size_t kat2len_pr; ++ ++} DRBG_SELFTEST_DATA; ++ ++#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \ ++ pr##_entropyinput, sizeof(pr##_entropyinput), \ ++ pr##_nonce, sizeof(pr##_nonce), \ ++ pr##_personalizationstring, sizeof(pr##_personalizationstring), \ ++ pr##_additionalinput, sizeof(pr##_additionalinput), \ ++ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \ ++ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \ ++ pr##_additionalinput2, sizeof(pr##_additionalinput2), \ ++ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \ ++ pr##_returnedbits, sizeof(pr##_returnedbits), \ ++ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \ ++ pr##_pr_nonce, sizeof(pr##_pr_nonce), \ ++ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \ ++ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \ ++ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \ ++ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \ ++ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \ ++ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \ ++ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \ ++ } ++ ++#define make_drbg_test_data_df(nid, pr, p) \ ++ make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p) ++ ++#define make_drbg_test_data_ec(curve, md, pr, p) \ ++ make_drbg_test_data((curve << 16) | md , 0, pr, p) ++ ++static DRBG_SELFTEST_DATA drbg_test[] = { ++ make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0), ++ make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0), ++ make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1), ++ make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0), ++ make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0), ++ make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1), ++ make_drbg_test_data(NID_sha1, 0, sha1, 0), ++ make_drbg_test_data(NID_sha224, 0, sha224, 0), ++ make_drbg_test_data(NID_sha256, 0, sha256, 1), ++ make_drbg_test_data(NID_sha384, 0, sha384, 0), ++ make_drbg_test_data(NID_sha512, 0, sha512, 0), ++ make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1, 0), ++ make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0), ++ make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1), ++ make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0), ++ make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0), ++ {0, 0, 0} ++}; ++ ++typedef struct { ++ const unsigned char *ent; ++ size_t entlen; ++ int entcnt; ++ const unsigned char *nonce; ++ size_t noncelen; ++ int noncecnt; ++} TEST_ENT; ++ ++static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len) ++{ ++ TEST_ENT *t = FIPS_drbg_get_app_data(dctx); ++ *pout = (unsigned char *)t->ent; ++ t->entcnt++; ++ return t->entlen; ++} ++ ++static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len) ++{ ++ TEST_ENT *t = FIPS_drbg_get_app_data(dctx); ++ *pout = (unsigned char *)t->nonce; ++ t->noncecnt++; ++ return t->noncelen; ++} ++ ++static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, ++ int quick) ++{ ++ TEST_ENT t; ++ int rv = 0; ++ size_t adinlen; ++ unsigned char randout[1024]; ++ ++ /* Initial test without PR */ ++ ++ /* Instantiate DRBG with test entropy, nonce and personalisation ++ * string. ++ */ ++ ++ if (!FIPS_drbg_init(dctx, td->nid, td->flags)) ++ return 0; ++ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0)) ++ return 0; ++ ++ FIPS_drbg_set_app_data(dctx, &t); ++ ++ t.ent = td->ent; ++ t.entlen = td->entlen; ++ t.nonce = td->nonce; ++ t.noncelen = td->noncelen; ++ t.entcnt = 0; ++ t.noncecnt = 0; ++ ++ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen)) ++ goto err; ++ ++ /* Note for CTR without DF some additional input values ++ * ignore bytes after the keylength: so reduce adinlen ++ * to half to ensure invalid data is fed in. ++ */ ++ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags)) ++ adinlen = td->adinlen / 2; ++ else ++ adinlen = td->adinlen; ++ ++ /* Generate with no PR and verify output matches expected data */ ++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, td->adin, adinlen)) ++ goto err; ++ ++ if (memcmp(randout, td->kat, td->katlen)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE); ++ goto err2; ++ } ++ /* If abbreviated POST end of test */ ++ if (quick) { ++ rv = 1; ++ goto err; ++ } ++ /* Reseed DRBG with test entropy and additional input */ ++ t.ent = td->entreseed; ++ t.entlen = td->entreseedlen; ++ ++ if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen)) ++ goto err; ++ ++ /* Generate with no PR and verify output matches expected data */ ++ if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0, ++ td->adin2, td->adin2len)) ++ goto err; ++ ++ if (memcmp(randout, td->kat2, td->kat2len)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE); ++ goto err2; ++ } ++ ++ FIPS_drbg_uninstantiate(dctx); ++ ++ /* Now test with PR */ ++ ++ /* Instantiate DRBG with test entropy, nonce and personalisation ++ * string. ++ */ ++ if (!FIPS_drbg_init(dctx, td->nid, td->flags)) ++ return 0; ++ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0)) ++ return 0; ++ ++ FIPS_drbg_set_app_data(dctx, &t); ++ ++ t.ent = td->ent_pr; ++ t.entlen = td->entlen_pr; ++ t.nonce = td->nonce_pr; ++ t.noncelen = td->noncelen_pr; ++ t.entcnt = 0; ++ t.noncecnt = 0; ++ ++ if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr)) ++ goto err; ++ ++ /* Now generate with PR: we need to supply entropy as this will ++ * perform a reseed operation. Check output matches expected value. ++ */ ++ ++ t.ent = td->entpr_pr; ++ t.entlen = td->entprlen_pr; ++ ++ /* Note for CTR without DF some additional input values ++ * ignore bytes after the keylength: so reduce adinlen ++ * to half to ensure invalid data is fed in. ++ */ ++ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags)) ++ adinlen = td->adinlen_pr / 2; ++ else ++ adinlen = td->adinlen_pr; ++ if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1, ++ td->adin_pr, adinlen)) ++ goto err; ++ ++ if (memcmp(randout, td->kat_pr, td->katlen_pr)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE); ++ goto err2; ++ } ++ ++ /* Now generate again with PR: supply new entropy again. ++ * Check output matches expected value. ++ */ ++ ++ t.ent = td->entg_pr; ++ t.entlen = td->entglen_pr; ++ ++ if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1, ++ td->ading_pr, td->adinglen_pr)) ++ goto err; ++ ++ if (memcmp(randout, td->kat2_pr, td->kat2len_pr)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE); ++ goto err2; ++ } ++ /* All OK, test complete */ ++ rv = 1; ++ ++ err: ++ if (rv == 0) ++ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED); ++ err2: ++ FIPS_drbg_uninstantiate(dctx); ++ ++ return rv; ++ ++} ++ ++/* Initialise a DRBG based on selftest data */ ++ ++static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, TEST_ENT * t) ++{ ++ ++ if (!FIPS_drbg_init(dctx, td->nid, td->flags)) ++ return 0; ++ ++ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0)) ++ return 0; ++ ++ FIPS_drbg_set_app_data(dctx, t); ++ ++ t->ent = td->ent; ++ t->entlen = td->entlen; ++ t->nonce = td->nonce; ++ t->noncelen = td->noncelen; ++ t->entcnt = 0; ++ t->noncecnt = 0; ++ return 1; ++} ++ ++/* Initialise and instantiate DRBG based on selftest data */ ++static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, ++ TEST_ENT * t) ++{ ++ if (!do_drbg_init(dctx, td, t)) ++ return 0; ++ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen)) ++ return 0; ++ ++ return 1; ++} ++ ++/* This function performs extensive error checking as required by SP800-90. ++ * Induce several failure modes and check an error condition is set. ++ * This function along with fips_drbg_single_kat peforms the health checking ++ * operation. ++ */ ++ ++static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td) ++{ ++ unsigned char randout[1024]; ++ TEST_ENT t; ++ size_t i; ++ unsigned int reseed_counter_tmp; ++ unsigned char *p = (unsigned char *)dctx; ++ ++ /* Initialise DRBG */ ++ ++ if (!do_drbg_init(dctx, td, &t)) ++ goto err; ++ ++ /* Don't report induced errors */ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ ++ /* Personalisation string tests */ ++ ++ /* Test detection of too large personlisation string */ ++ ++ if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_PERSONALISATION_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ /* Entropy source tests */ ++ ++ /* Test entropy source failure detecion: i.e. returns no data */ ++ ++ t.entlen = 0; ++ ++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ /* Try to generate output from uninstantiated DRBG */ ++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, ++ td->adin, td->adinlen)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_GENERATE_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ dctx->iflags &= ~DRBG_FLAG_NOERR; ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ if (!do_drbg_init(dctx, td, &t)) ++ goto err; ++ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ ++ /* Test insufficient entropy */ ++ ++ t.entlen = dctx->min_entropy - 1; ++ ++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ dctx->iflags &= ~DRBG_FLAG_NOERR; ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ /* Test too much entropy */ ++ ++ if (!do_drbg_init(dctx, td, &t)) ++ goto err; ++ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ ++ t.entlen = dctx->max_entropy + 1; ++ ++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ dctx->iflags &= ~DRBG_FLAG_NOERR; ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ /* Nonce tests */ ++ ++ /* Test too small nonce */ ++ ++ if (dctx->min_nonce) { ++ ++ if (!do_drbg_init(dctx, td, &t)) ++ goto err; ++ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ ++ t.noncelen = dctx->min_nonce - 1; ++ ++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_NONCE_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ dctx->iflags &= ~DRBG_FLAG_NOERR; ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ } ++ ++ /* Test too large nonce */ ++ ++ if (dctx->max_nonce) { ++ ++ if (!do_drbg_init(dctx, td, &t)) ++ goto err; ++ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ ++ t.noncelen = dctx->max_nonce + 1; ++ ++ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_NONCE_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ dctx->iflags &= ~DRBG_FLAG_NOERR; ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ } ++ ++ /* Instantiate with valid data. */ ++ if (!do_drbg_instantiate(dctx, td, &t)) ++ goto err; ++ ++ /* Check generation is now OK */ ++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, ++ td->adin, td->adinlen)) ++ goto err; ++ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ ++ /* Request too much data for one request */ ++ if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0, ++ td->adin, td->adinlen)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ /* Try too large additional input */ ++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, ++ td->adin, dctx->max_adin + 1)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ /* Check prediction resistance request fails if entropy source ++ * failure. ++ */ ++ ++ t.entlen = 0; ++ ++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1, ++ td->adin, td->adinlen)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ dctx->iflags &= ~DRBG_FLAG_NOERR; ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ /* Instantiate again with valid data */ ++ ++ if (!do_drbg_instantiate(dctx, td, &t)) ++ goto err; ++ /* Test reseed counter works */ ++ /* Save initial reseed counter */ ++ reseed_counter_tmp = dctx->reseed_counter; ++ /* Set reseed counter to beyond interval */ ++ dctx->reseed_counter = dctx->reseed_interval; ++ ++ /* Generate output and check entropy has been requested for reseed */ ++ t.entcnt = 0; ++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, ++ td->adin, td->adinlen)) ++ goto err; ++ if (t.entcnt != 1) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED); ++ goto err; ++ } ++ /* Check reseed counter has been reset */ ++ if (dctx->reseed_counter != reseed_counter_tmp + 1) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR); ++ goto err; ++ } ++ ++ dctx->iflags &= ~DRBG_FLAG_NOERR; ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ /* Check prediction resistance request fails if entropy source ++ * failure. ++ */ ++ ++ t.entlen = 0; ++ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1, ++ td->adin, td->adinlen)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ dctx->iflags &= ~DRBG_FLAG_NOERR; ++ ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ if (!do_drbg_instantiate(dctx, td, &t)) ++ goto err; ++ /* Test reseed counter works */ ++ /* Save initial reseed counter */ ++ reseed_counter_tmp = dctx->reseed_counter; ++ /* Set reseed counter to beyond interval */ ++ dctx->reseed_counter = dctx->reseed_interval; ++ ++ /* Generate output and check entropy has been requested for reseed */ ++ t.entcnt = 0; ++ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, ++ td->adin, td->adinlen)) ++ goto err; ++ if (t.entcnt != 1) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED); ++ goto err; ++ } ++ /* Check reseed counter has been reset */ ++ if (dctx->reseed_counter != reseed_counter_tmp + 1) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR); ++ goto err; ++ } ++ ++ dctx->iflags &= ~DRBG_FLAG_NOERR; ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ /* Explicit reseed tests */ ++ ++ /* Test explicit reseed with too large additional input */ ++ if (!do_drbg_init(dctx, td, &t)) ++ goto err; ++ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ ++ if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ /* Test explicit reseed with entropy source failure */ ++ ++ t.entlen = 0; ++ ++ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ /* Test explicit reseed with too much entropy */ ++ ++ if (!do_drbg_init(dctx, td, &t)) ++ goto err; ++ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ ++ t.entlen = dctx->max_entropy + 1; ++ ++ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ /* Test explicit reseed with too little entropy */ ++ ++ if (!do_drbg_init(dctx, td, &t)) ++ goto err; ++ ++ dctx->iflags |= DRBG_FLAG_NOERR; ++ ++ t.entlen = dctx->min_entropy - 1; ++ ++ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_ENTROPY_ERROR_UNDETECTED); ++ goto err; ++ } ++ ++ if (!FIPS_drbg_uninstantiate(dctx)) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); ++ goto err; ++ } ++ ++ p = (unsigned char *)&dctx->d; ++ /* Standard says we have to check uninstantiate really zeroes ++ * the data... ++ */ ++ for (i = 0; i < sizeof(dctx->d); i++) { ++ if (*p != 0) { ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, ++ FIPS_R_UNINSTANTIATE_ZEROISE_ERROR); ++ goto err; ++ } ++ p++; ++ } ++ ++ return 1; ++ ++ err: ++ /* A real error as opposed to an induced one: underlying function will ++ * indicate the error. ++ */ ++ if (!(dctx->iflags & DRBG_FLAG_NOERR)) ++ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR); ++ FIPS_drbg_uninstantiate(dctx); ++ return 0; ++ ++} ++ ++int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags) ++{ ++ DRBG_SELFTEST_DATA *td; ++ flags |= DRBG_FLAG_TEST; ++ for (td = drbg_test; td->nid != 0; td++) { ++ if (td->nid == nid && td->flags == flags) { ++ if (!fips_drbg_single_kat(dctx, td, 0)) ++ return 0; ++ return fips_drbg_error_check(dctx, td); ++ } ++ } ++ return 0; ++} ++ ++int FIPS_drbg_health_check(DRBG_CTX *dctx) ++{ ++ int rv; ++ DRBG_CTX *tctx = NULL; ++ tctx = FIPS_drbg_new(0, 0); ++ fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags); ++ if (!tctx) ++ return 0; ++ rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags); ++ if (tctx) ++ FIPS_drbg_free(tctx); ++ if (rv) ++ fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags); ++ else ++ fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags); ++ if (!rv) ++ dctx->status = DRBG_STATUS_ERROR; ++ else ++ dctx->health_check_cnt = 0; ++ return rv; ++} ++ ++int FIPS_selftest_drbg(void) ++{ ++ DRBG_CTX *dctx; ++ DRBG_SELFTEST_DATA *td; ++ int rv = 1; ++ dctx = FIPS_drbg_new(0, 0); ++ if (!dctx) ++ return 0; ++ for (td = drbg_test; td->nid != 0; td++) { ++ if (td->post != 1) ++ continue; ++ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags)) ++ return 1; ++ if (!fips_drbg_single_kat(dctx, td, 1)) { ++ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); ++ rv = 0; ++ continue; ++ } ++ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags)) ++ return 0; ++ } ++ FIPS_drbg_free(dctx); ++ return rv; ++} ++ ++int FIPS_selftest_drbg_all(void) ++{ ++ DRBG_CTX *dctx; ++ DRBG_SELFTEST_DATA *td; ++ int rv = 1; ++ dctx = FIPS_drbg_new(0, 0); ++ if (!dctx) ++ return 0; ++ for (td = drbg_test; td->nid != 0; td++) { ++ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags)) ++ return 1; ++ if (!fips_drbg_single_kat(dctx, td, 0)) { ++ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); ++ rv = 0; ++ continue; ++ } ++ if (!fips_drbg_error_check(dctx, td)) { ++ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); ++ rv = 0; ++ continue; ++ } ++ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags)) ++ return 0; ++ } ++ FIPS_drbg_free(dctx); ++ return rv; ++} +Index: openssl-1.1.1n/crypto/fips/fips_drbg_selftest.h +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_drbg_selftest.h +@@ -0,0 +1,1791 @@ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++/* Selftest and health check data for the SP800-90 DRBG */ ++ ++#define __fips_constseg ++ ++/* AES-128 use df PR */ ++__fips_constseg static const unsigned char aes_128_use_df_pr_entropyinput[] = { ++ 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33, ++ 0xc8, 0xdb, 0xff, 0x12 ++}; ++ ++__fips_constseg static const unsigned char aes_128_use_df_pr_nonce[] = { ++ 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_use_df_pr_personalizationstring[] = { ++ 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe, ++ 0xd7, 0xd7, 0x01, 0x67 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_use_df_pr_additionalinput[] = { ++ 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e, ++ 0x9a, 0x47, 0x08, 0x76 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_use_df_pr_entropyinputpr[] = { ++ 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51, ++ 0x09, 0xfb, 0xa3, 0xb6 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_use_df_pr_int_returnedbits[] = { ++ 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52, ++ 0x66, 0x1c, 0xea, 0x5b ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_use_df_pr_additionalinput2[] = { ++ 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11, ++ 0x3f, 0x5e, 0x31, 0x06 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = { ++ 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae, ++ 0xa7, 0xe3, 0xa8, 0x67 ++}; ++ ++__fips_constseg static const unsigned char aes_128_use_df_pr_returnedbits[] = { ++ 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24, ++ 0x0f, 0x38, 0x43, 0xc6 ++}; ++ ++/* AES-128 use df No PR */ ++__fips_constseg static const unsigned char aes_128_use_df_entropyinput[] = { ++ 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3, ++ 0x9d, 0x7d, 0x1c, 0x9b ++}; ++ ++__fips_constseg static const unsigned char aes_128_use_df_nonce[] = { ++ 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_use_df_personalizationstring[] = { ++ 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3, ++ 0x38, 0x66, 0xba, 0x1b ++}; ++ ++__fips_constseg static const unsigned char aes_128_use_df_additionalinput[] = { ++ 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46, ++ 0xb5, 0xe2, 0xb2, 0x41 ++}; ++ ++__fips_constseg static const unsigned char aes_128_use_df_int_returnedbits[] = { ++ 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67, ++ 0xe7, 0x57, 0x11, 0xb4 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_use_df_entropyinputreseed[] = { ++ 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b, ++ 0xc7, 0xc4, 0x9e, 0x39 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_use_df_additionalinputreseed[] = { ++ 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a, ++ 0xc8, 0x93, 0xfa, 0x84 ++}; ++ ++__fips_constseg static const unsigned char aes_128_use_df_additionalinput2[] = { ++ 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5, ++ 0x06, 0x0c, 0x15, 0x2c ++}; ++ ++__fips_constseg static const unsigned char aes_128_use_df_returnedbits[] = { ++ 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88, ++ 0x46, 0x81, 0xc7, 0x19 ++}; ++ ++/* AES-192 use df PR */ ++__fips_constseg static const unsigned char aes_192_use_df_pr_entropyinput[] = { ++ 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec, ++ 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d ++}; ++ ++__fips_constseg static const unsigned char aes_192_use_df_pr_nonce[] = { ++ 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0, ++ 0xd1, 0x80, 0x78, 0xfa ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_use_df_pr_personalizationstring[] = { ++ 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16, ++ 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5, ++ 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_use_df_pr_additionalinput[] = { ++ 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac, ++ 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb, ++ 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_use_df_pr_entropyinputpr[] = { ++ 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5, ++ 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_use_df_pr_int_returnedbits[] = { ++ 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9, ++ 0x19, 0x30, 0x6b, 0x67 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_use_df_pr_additionalinput2[] = { ++ 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32, ++ 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda, ++ 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = { ++ 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0, ++ 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e ++}; ++ ++__fips_constseg static const unsigned char aes_192_use_df_pr_returnedbits[] = { ++ 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c, ++ 0x7e, 0x1a, 0x2b, 0x83 ++}; ++ ++/* AES-192 use df No PR */ ++__fips_constseg static const unsigned char aes_192_use_df_entropyinput[] = { ++ 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82, ++ 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b ++}; ++ ++__fips_constseg static const unsigned char aes_192_use_df_nonce[] = { ++ 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d, ++ 0x77, 0xd7, 0x41, 0x0e ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_use_df_personalizationstring[] = { ++ 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf, ++ 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65, ++ 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70 ++}; ++ ++__fips_constseg static const unsigned char aes_192_use_df_additionalinput[] = { ++ 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69, ++ 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22, ++ 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7 ++}; ++ ++__fips_constseg static const unsigned char aes_192_use_df_int_returnedbits[] = { ++ 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6, ++ 0xb7, 0xed, 0xe9, 0xea ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_use_df_entropyinputreseed[] = { ++ 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02, ++ 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_use_df_additionalinputreseed[] = { ++ 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76, ++ 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77, ++ 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65 ++}; ++ ++__fips_constseg static const unsigned char aes_192_use_df_additionalinput2[] = { ++ 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e, ++ 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0, ++ 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77 ++}; ++ ++__fips_constseg static const unsigned char aes_192_use_df_returnedbits[] = { ++ 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58, ++ 0x1a, 0xf9, 0x13, 0x28 ++}; ++ ++/* AES-256 use df PR */ ++__fips_constseg static const unsigned char aes_256_use_df_pr_entropyinput[] = { ++ 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74, ++ 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f, ++ 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a ++}; ++ ++__fips_constseg static const unsigned char aes_256_use_df_pr_nonce[] = { ++ 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33, ++ 0x2b, 0x36, 0xff, 0xa4 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_use_df_pr_personalizationstring[] = { ++ 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24, ++ 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83, ++ 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_use_df_pr_additionalinput[] = { ++ 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0, ++ 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3, ++ 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_use_df_pr_entropyinputpr[] = { ++ 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77, ++ 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54, ++ 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_use_df_pr_int_returnedbits[] = { ++ 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7, ++ 0x17, 0xab, 0x3c, 0x7a ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_use_df_pr_additionalinput2[] = { ++ 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00, ++ 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78, ++ 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = { ++ 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73, ++ 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8, ++ 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f ++}; ++ ++__fips_constseg static const unsigned char aes_256_use_df_pr_returnedbits[] = { ++ 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0, ++ 0xd9, 0xe2, 0x97, 0x00 ++}; ++ ++/* AES-256 use df No PR */ ++__fips_constseg static const unsigned char aes_256_use_df_entropyinput[] = { ++ 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50, ++ 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68, ++ 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47 ++}; ++ ++__fips_constseg static const unsigned char aes_256_use_df_nonce[] = { ++ 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a, ++ 0x4c, 0x44, 0x84, 0x40 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_use_df_personalizationstring[] = { ++ 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05, ++ 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b, ++ 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2 ++}; ++ ++__fips_constseg static const unsigned char aes_256_use_df_additionalinput[] = { ++ 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f, ++ 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf, ++ 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46 ++}; ++ ++__fips_constseg static const unsigned char aes_256_use_df_int_returnedbits[] = { ++ 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1, ++ 0x28, 0x0c, 0x3b, 0xc1 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_use_df_entropyinputreseed[] = { ++ 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76, ++ 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46, ++ 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_use_df_additionalinputreseed[] = { ++ 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99, ++ 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75, ++ 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75 ++}; ++ ++__fips_constseg static const unsigned char aes_256_use_df_additionalinput2[] = { ++ 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d, ++ 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a, ++ 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d ++}; ++ ++__fips_constseg static const unsigned char aes_256_use_df_returnedbits[] = { ++ 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad, ++ 0xfa, 0xfd, 0x35, 0x5e ++}; ++ ++/* AES-128 no df PR */ ++__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinput[] = { ++ 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4, ++ 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf, ++ 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a ++}; ++ ++__fips_constseg static const unsigned char aes_128_no_df_pr_nonce[] = { ++ 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_no_df_pr_personalizationstring[] = { ++ 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c, ++ 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c, ++ 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_no_df_pr_additionalinput[] = { ++ 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02, ++ 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73, ++ 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12 ++}; ++ ++__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinputpr[] = { ++ 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a, ++ 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7, ++ 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_no_df_pr_int_returnedbits[] = { ++ 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71, ++ 0xaf, 0x19, 0x32, 0x16 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_no_df_pr_additionalinput2[] = { ++ 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f, ++ 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83, ++ 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = { ++ 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a, ++ 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07, ++ 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9 ++}; ++ ++__fips_constseg static const unsigned char aes_128_no_df_pr_returnedbits[] = { ++ 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33, ++ 0x57, 0x82, 0x33, 0xaf ++}; ++ ++/* AES-128 no df No PR */ ++__fips_constseg static const unsigned char aes_128_no_df_entropyinput[] = { ++ 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67, ++ 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42, ++ 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60 ++}; ++ ++__fips_constseg static const unsigned char aes_128_no_df_nonce[] = { ++ 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_no_df_personalizationstring[] = { ++ 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb, ++ 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b, ++ 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce ++}; ++ ++__fips_constseg static const unsigned char aes_128_no_df_additionalinput[] = { ++ 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37, ++ 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24, ++ 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95 ++}; ++ ++__fips_constseg static const unsigned char aes_128_no_df_int_returnedbits[] = { ++ 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6, ++ 0xed, 0x3e, 0x65, 0xc2 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_no_df_entropyinputreseed[] = { ++ 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66, ++ 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1, ++ 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_128_no_df_additionalinputreseed[] = { ++ 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2, ++ 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4, ++ 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4 ++}; ++ ++__fips_constseg static const unsigned char aes_128_no_df_additionalinput2[] = { ++ 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f, ++ 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac, ++ 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6 ++}; ++ ++__fips_constseg static const unsigned char aes_128_no_df_returnedbits[] = { ++ 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36, ++ 0x81, 0x37, 0x19, 0xd4 ++}; ++ ++/* AES-192 no df PR */ ++__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinput[] = { ++ 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7, ++ 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61, ++ 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a, ++ 0x17, 0x1f, 0x8d, 0x9a ++}; ++ ++__fips_constseg static const unsigned char aes_192_no_df_pr_nonce[] = { ++ 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19, ++ 0x61, 0x5c, 0xee, 0x0f ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_no_df_pr_personalizationstring[] = { ++ 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1, ++ 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4, ++ 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10, ++ 0x57, 0x2e, 0xe7, 0x55 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_no_df_pr_additionalinput[] = { ++ 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad, ++ 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85, ++ 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f, ++ 0xe2, 0xd0, 0x0c, 0x2f ++}; ++ ++__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinputpr[] = { ++ 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94, ++ 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb, ++ 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58, ++ 0x1d, 0x30, 0xb3, 0x78 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_no_df_pr_int_returnedbits[] = { ++ 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40, ++ 0x7e, 0x3e, 0x0c, 0x26 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_no_df_pr_additionalinput2[] = { ++ 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a, ++ 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57, ++ 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee, ++ 0x0c, 0x4b, 0xee, 0x6e ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = { ++ 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0, ++ 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f, ++ 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b, ++ 0x8e, 0x0a, 0x83, 0xdf ++}; ++ ++__fips_constseg static const unsigned char aes_192_no_df_pr_returnedbits[] = { ++ 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91, ++ 0xb9, 0xa1, 0x21, 0x68 ++}; ++ ++/* AES-192 no df No PR */ ++__fips_constseg static const unsigned char aes_192_no_df_entropyinput[] = { ++ 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e, ++ 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe, ++ 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28, ++ 0x94, 0xc3, 0x59, 0x63 ++}; ++ ++__fips_constseg static const unsigned char aes_192_no_df_nonce[] = { ++ 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb, ++ 0x29, 0xfd, 0x45, 0x71 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_no_df_personalizationstring[] = { ++ 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08, ++ 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96, ++ 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b, ++ 0x3b, 0x88, 0xce, 0x35 ++}; ++ ++__fips_constseg static const unsigned char aes_192_no_df_additionalinput[] = { ++ 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b, ++ 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71, ++ 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3, ++ 0x3e, 0xbe, 0xd4, 0x8e ++}; ++ ++__fips_constseg static const unsigned char aes_192_no_df_int_returnedbits[] = { ++ 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a, ++ 0x45, 0xe7, 0x4a, 0xc5 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_no_df_entropyinputreseed[] = { ++ 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e, ++ 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1, ++ 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33, ++ 0x9b, 0xcb, 0x7e, 0x75 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_192_no_df_additionalinputreseed[] = { ++ 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01, ++ 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27, ++ 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40, ++ 0x5d, 0x7a, 0x25, 0x79 ++}; ++ ++__fips_constseg static const unsigned char aes_192_no_df_additionalinput2[] = { ++ 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71, ++ 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5, ++ 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a, ++ 0x91, 0x6a, 0xe3, 0x5f ++}; ++ ++__fips_constseg static const unsigned char aes_192_no_df_returnedbits[] = { ++ 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8, ++ 0x66, 0x67, 0x2c, 0x92 ++}; ++ ++/* AES-256 no df PR */ ++__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinput[] = { ++ 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8, ++ 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2, ++ 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03, ++ 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c ++}; ++ ++__fips_constseg static const unsigned char aes_256_no_df_pr_nonce[] = { ++ 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30, ++ 0xcc, 0x4b, 0xee, 0x2e ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_no_df_pr_personalizationstring[] = { ++ 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7, ++ 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b, ++ 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac, ++ 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_no_df_pr_additionalinput[] = { ++ 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40, ++ 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c, ++ 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69, ++ 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e ++}; ++ ++__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinputpr[] = { ++ 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16, ++ 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc, ++ 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9, ++ 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_no_df_pr_int_returnedbits[] = { ++ 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56, ++ 0x79, 0x60, 0x93, 0xcf ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_no_df_pr_additionalinput2[] = { ++ 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a, ++ 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35, ++ 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34, ++ 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = { ++ 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3, ++ 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa, ++ 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83, ++ 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f ++}; ++ ++__fips_constseg static const unsigned char aes_256_no_df_pr_returnedbits[] = { ++ 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7, ++ 0x2d, 0x5f, 0x4a, 0x46 ++}; ++ ++/* AES-256 no df No PR */ ++__fips_constseg static const unsigned char aes_256_no_df_entropyinput[] = { ++ 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3, ++ 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb, ++ 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96, ++ 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3 ++}; ++ ++__fips_constseg static const unsigned char aes_256_no_df_nonce[] = { ++ 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99, ++ 0x43, 0x96, 0xb9, 0xf0 ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_no_df_personalizationstring[] = { ++ 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60, ++ 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc, ++ 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f, ++ 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d ++}; ++ ++__fips_constseg static const unsigned char aes_256_no_df_additionalinput[] = { ++ 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6, ++ 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9, ++ 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed, ++ 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17 ++}; ++ ++__fips_constseg static const unsigned char aes_256_no_df_int_returnedbits[] = { ++ 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6, ++ 0xd2, 0x25, 0x75, 0x0e ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_no_df_entropyinputreseed[] = { ++ 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b, ++ 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5, ++ 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed, ++ 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb ++}; ++ ++__fips_constseg ++ static const unsigned char aes_256_no_df_additionalinputreseed[] = { ++ 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e, ++ 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18, ++ 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b, ++ 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29 ++}; ++ ++__fips_constseg static const unsigned char aes_256_no_df_additionalinput2[] = { ++ 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe, ++ 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42, ++ 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba, ++ 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6 ++}; ++ ++__fips_constseg static const unsigned char aes_256_no_df_returnedbits[] = { ++ 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67, ++ 0xf6, 0x02, 0x32, 0xe2 ++}; ++ ++/* SHA-1 PR */ ++__fips_constseg static const unsigned char sha1_pr_entropyinput[] = { ++ 0xd2, 0x36, 0xa5, 0x27, 0x31, 0x73, 0xdd, 0x11, 0x4f, 0x93, 0xbd, 0xe2, ++ 0x31, 0xa5, 0x91, 0x13 ++}; ++ ++__fips_constseg static const unsigned char sha1_pr_nonce[] = { ++ 0xb5, 0xb3, 0x60, 0xef, 0xf7, 0x63, 0x31, 0xf3 ++}; ++ ++__fips_constseg static const unsigned char sha1_pr_personalizationstring[] = { ++ 0xd4, 0xbb, 0x02, 0x10, 0xb2, 0x71, 0xdb, 0x81, 0xd6, 0xf0, 0x42, 0x60, ++ 0xda, 0xea, 0x77, 0x52 ++}; ++ ++__fips_constseg static const unsigned char sha1_pr_additionalinput[] = { ++ 0x4d, 0xd2, 0x6c, 0x87, 0xfb, 0x2c, 0x4f, 0xa6, 0x8d, 0x16, 0x63, 0x22, ++ 0x6a, 0x51, 0xe3, 0xf8 ++}; ++ ++__fips_constseg static const unsigned char sha1_pr_entropyinputpr[] = { ++ 0xc9, 0x83, 0x9e, 0x16, 0xf6, 0x1c, 0x0f, 0xb2, 0xec, 0x60, 0x31, 0xa9, ++ 0xcb, 0xa9, 0x36, 0x7a ++}; ++ ++__fips_constseg static const unsigned char sha1_pr_int_returnedbits[] = { ++ 0xa8, 0x13, 0x4f, 0xf4, 0x31, 0x02, 0x44, 0xe3, 0xd3, 0x3d, 0x61, 0x9e, ++ 0xe5, 0xc6, 0x3e, 0x89, 0xb5, 0x9b, 0x0f, 0x35 ++}; ++ ++__fips_constseg static const unsigned char sha1_pr_additionalinput2[] = { ++ 0xf9, 0xe8, 0xd2, 0x72, 0x13, 0x34, 0x95, 0x6f, 0x15, 0x49, 0x47, 0x99, ++ 0x16, 0x03, 0x19, 0x47 ++}; ++ ++__fips_constseg static const unsigned char sha1_pr_entropyinputpr2[] = { ++ 0x4e, 0x8c, 0x49, 0x9b, 0x4a, 0x5c, 0x9b, 0x9c, 0x3a, 0xee, 0xfb, 0xd2, ++ 0xae, 0xcd, 0x8c, 0xc4 ++}; ++ ++__fips_constseg static const unsigned char sha1_pr_returnedbits[] = { ++ 0x50, 0xb4, 0xb4, 0xcd, 0x68, 0x57, 0xfc, 0x2e, 0xc1, 0x52, 0xcc, 0xf6, ++ 0x68, 0xa4, 0x81, 0xed, 0x7e, 0xe4, 0x1d, 0x87 ++}; ++ ++/* SHA-1 No PR */ ++__fips_constseg static const unsigned char sha1_entropyinput[] = { ++ 0xa9, 0x47, 0x1b, 0x29, 0x2d, 0x1c, 0x05, 0xdf, 0x76, 0xd0, 0x62, 0xf9, ++ 0xe2, 0x7f, 0x4c, 0x7b ++}; ++ ++__fips_constseg static const unsigned char sha1_nonce[] = { ++ 0x53, 0x23, 0x24, 0xe3, 0xec, 0x0c, 0x54, 0x14 ++}; ++ ++__fips_constseg static const unsigned char sha1_personalizationstring[] = { ++ 0x7a, 0x87, 0xa1, 0xac, 0x1c, 0xfd, 0xab, 0xae, 0xf7, 0xd6, 0xfb, 0x76, ++ 0x28, 0xec, 0x6d, 0xca ++}; ++ ++__fips_constseg static const unsigned char sha1_additionalinput[] = { ++ 0xfc, 0x92, 0x35, 0xd6, 0x7e, 0xb7, 0x24, 0x65, 0xfd, 0x12, 0x27, 0x35, ++ 0xc0, 0x72, 0xca, 0x28 ++}; ++ ++__fips_constseg static const unsigned char sha1_int_returnedbits[] = { ++ 0x57, 0x88, 0x82, 0xe5, 0x25, 0xa5, 0x2c, 0x4a, 0x06, 0x20, 0x6c, 0x72, ++ 0x55, 0x61, 0xdd, 0x90, 0x71, 0x9f, 0x95, 0xea ++}; ++ ++__fips_constseg static const unsigned char sha1_entropyinputreseed[] = { ++ 0x69, 0xa5, 0x40, 0x62, 0x98, 0x47, 0x56, 0x73, 0x4a, 0x8f, 0x60, 0x96, ++ 0xd6, 0x99, 0x27, 0xed ++}; ++ ++__fips_constseg static const unsigned char sha1_additionalinputreseed[] = { ++ 0xe5, 0x40, 0x4e, 0xbd, 0x50, 0x00, 0xf5, 0x15, 0xa6, 0xee, 0x45, 0xda, ++ 0x84, 0x3d, 0xd4, 0xc0 ++}; ++ ++__fips_constseg static const unsigned char sha1_additionalinput2[] = { ++ 0x11, 0x51, 0x14, 0xf0, 0x09, 0x1b, 0x4e, 0x56, 0x0d, 0xe9, 0xf6, 0x1e, ++ 0x52, 0x65, 0xcd, 0x96 ++}; ++ ++__fips_constseg static const unsigned char sha1_returnedbits[] = { ++ 0xa1, 0x9c, 0x94, 0x6e, 0x29, 0xe1, 0x33, 0x0d, 0x32, 0xd6, 0xaa, 0xce, ++ 0x71, 0x3f, 0x52, 0x72, 0x8b, 0x42, 0xa8, 0xd7 ++}; ++ ++/* SHA-224 PR */ ++__fips_constseg static const unsigned char sha224_pr_entropyinput[] = { ++ 0x12, 0x69, 0x32, 0x4f, 0x83, 0xa6, 0xf5, 0x14, 0xe3, 0x49, 0x3e, 0x75, ++ 0x3e, 0xde, 0xad, 0xa1, 0x29, 0xc3, 0xf3, 0x19, 0x20, 0xb5, 0x4c, 0xd9 ++}; ++ ++__fips_constseg static const unsigned char sha224_pr_nonce[] = { ++ 0x6a, 0x78, 0xd0, 0xeb, 0xbb, 0x5a, 0xf0, 0xee, 0xe8, 0xc3, 0xba, 0x71 ++}; ++ ++__fips_constseg static const unsigned char sha224_pr_personalizationstring[] = { ++ 0xd5, 0xb8, 0xb6, 0xbc, 0xc1, 0x5b, 0x60, 0x31, 0x3c, 0xf5, 0xe5, 0xc0, ++ 0x8e, 0x52, 0x7a, 0xbd, 0xea, 0x47, 0xa9, 0x5f, 0x8f, 0xf9, 0x8b, 0xae ++}; ++ ++__fips_constseg static const unsigned char sha224_pr_additionalinput[] = { ++ 0x1f, 0x55, 0xec, 0xae, 0x16, 0x12, 0x84, 0xba, 0x84, 0x16, 0x19, 0x88, ++ 0x8e, 0xb8, 0x33, 0x25, 0x54, 0xff, 0xca, 0x79, 0xaf, 0x07, 0x25, 0x50 ++}; ++ ++__fips_constseg static const unsigned char sha224_pr_entropyinputpr[] = { ++ 0x92, 0xa3, 0x32, 0xa8, 0x9a, 0x0a, 0x58, 0x7c, 0x1d, 0x5a, 0x7e, 0xe1, ++ 0xb2, 0x73, 0xab, 0x0e, 0x16, 0x79, 0x23, 0xd3, 0x29, 0x89, 0x81, 0xe1 ++}; ++ ++__fips_constseg static const unsigned char sha224_pr_int_returnedbits[] = { ++ 0xf3, 0x38, 0x91, 0x40, 0x37, 0x7a, 0x51, 0x72, 0x42, 0x74, 0x78, 0x0a, ++ 0x69, 0xfd, 0xa6, 0x44, 0x43, 0x45, 0x6c, 0x0c, 0x5a, 0x19, 0xff, 0xf1, ++ 0x54, 0x60, 0xee, 0x6a ++}; ++ ++__fips_constseg static const unsigned char sha224_pr_additionalinput2[] = { ++ 0x75, 0xf3, 0x04, 0x25, 0xdd, 0x36, 0xa8, 0x37, 0x46, 0xae, 0x0c, 0x52, ++ 0x05, 0x79, 0x4c, 0x26, 0xdb, 0xe9, 0x71, 0x16, 0x4c, 0x0a, 0xf2, 0x60 ++}; ++ ++__fips_constseg static const unsigned char sha224_pr_entropyinputpr2[] = { ++ 0xea, 0xc5, 0x03, 0x0a, 0x4f, 0xb0, 0x38, 0x8d, 0x23, 0xd4, 0xc8, 0x77, ++ 0xe2, 0x6d, 0x9c, 0x0b, 0x44, 0xf7, 0x2d, 0x5b, 0xbf, 0x5d, 0x2a, 0x11 ++}; ++ ++__fips_constseg static const unsigned char sha224_pr_returnedbits[] = { ++ 0x60, 0x50, 0x2b, 0xe7, 0x86, 0xd8, 0x26, 0x73, 0xe3, 0x1d, 0x95, 0x20, ++ 0xb3, 0x2c, 0x32, 0x1c, 0xf5, 0xce, 0x57, 0xa6, 0x67, 0x2b, 0xdc, 0x4e, ++ 0xdd, 0x11, 0x4c, 0xc4 ++}; ++ ++/* SHA-224 No PR */ ++__fips_constseg static const unsigned char sha224_entropyinput[] = { ++ 0xb2, 0x1c, 0x77, 0x4d, 0xf6, 0xd3, 0xb6, 0x40, 0xb7, 0x30, 0x3e, 0x29, ++ 0xb0, 0x85, 0x1c, 0xbe, 0x4a, 0xea, 0x6b, 0x5a, 0xb5, 0x8a, 0x97, 0xeb ++}; ++ ++__fips_constseg static const unsigned char sha224_nonce[] = { ++ 0x42, 0x02, 0x0a, 0x1c, 0x98, 0x9a, 0x77, 0x9e, 0x9f, 0x80, 0xba, 0xe0 ++}; ++ ++__fips_constseg static const unsigned char sha224_personalizationstring[] = { ++ 0x98, 0xb8, 0x04, 0x41, 0xfc, 0xc1, 0x5d, 0xc5, 0xe9, 0xb9, 0x08, 0xda, ++ 0xf9, 0xfa, 0x0d, 0x90, 0xce, 0xdf, 0x1d, 0x10, 0xa9, 0x8d, 0x50, 0x0c ++}; ++ ++__fips_constseg static const unsigned char sha224_additionalinput[] = { ++ 0x9a, 0x8d, 0x39, 0x49, 0x42, 0xd5, 0x0b, 0xae, 0xe1, 0xaf, 0xb7, 0x00, ++ 0x02, 0xfa, 0x96, 0xb1, 0xa5, 0x1d, 0x2d, 0x25, 0x78, 0xee, 0x83, 0x3f ++}; ++ ++__fips_constseg static const unsigned char sha224_int_returnedbits[] = { ++ 0xe4, 0xf5, 0x53, 0x79, 0x5a, 0x97, 0x58, 0x06, 0x08, 0xba, 0x7b, 0xfa, ++ 0xf0, 0x83, 0x05, 0x8c, 0x22, 0xc0, 0xc9, 0xdb, 0x15, 0xe7, 0xde, 0x20, ++ 0x55, 0x22, 0x9a, 0xad ++}; ++ ++__fips_constseg static const unsigned char sha224_entropyinputreseed[] = { ++ 0x67, 0x09, 0x48, 0xaa, 0x07, 0x16, 0x99, 0x89, 0x7f, 0x6d, 0xa0, 0xe5, ++ 0x8f, 0xdf, 0xbc, 0xdb, 0xfe, 0xe5, 0x6c, 0x7a, 0x95, 0x4a, 0x66, 0x17 ++}; ++ ++__fips_constseg static const unsigned char sha224_additionalinputreseed[] = { ++ 0x0f, 0x4b, 0x1c, 0x6f, 0xb7, 0xe3, 0x47, 0xe5, 0x5d, 0x7d, 0x38, 0xd6, ++ 0x28, 0x9b, 0xeb, 0x55, 0x63, 0x09, 0x3e, 0x7c, 0x56, 0xea, 0xf8, 0x19 ++}; ++ ++__fips_constseg static const unsigned char sha224_additionalinput2[] = { ++ 0x2d, 0x26, 0x7c, 0x37, 0xe4, 0x7a, 0x28, 0x5e, 0x5a, 0x3c, 0xaf, 0x3d, ++ 0x5a, 0x8e, 0x55, 0xa2, 0x1a, 0x6e, 0xc0, 0xe5, 0xf6, 0x21, 0xd3, 0xf6 ++}; ++ ++__fips_constseg static const unsigned char sha224_returnedbits[] = { ++ 0x4d, 0x83, 0x35, 0xdf, 0x67, 0xa9, 0xfc, 0x17, 0xda, 0x70, 0xcc, 0x8b, ++ 0x7f, 0x77, 0xae, 0xa2, 0x5f, 0xb9, 0x7e, 0x74, 0x4c, 0x26, 0xc1, 0x7a, ++ 0x3b, 0xa7, 0x5c, 0x93 ++}; ++ ++/* SHA-256 PR */ ++__fips_constseg static const unsigned char sha256_pr_entropyinput[] = { ++ 0xce, 0x49, 0x00, 0x7a, 0x56, 0xe3, 0x67, 0x8f, 0xe1, 0xb6, 0xa7, 0xd4, ++ 0x4f, 0x08, 0x7a, 0x1b, 0x01, 0xf4, 0xfa, 0x6b, 0xef, 0xb7, 0xe5, 0xeb, ++ 0x07, 0x3d, 0x11, 0x0d, 0xc8, 0xea, 0x2b, 0xfe ++}; ++ ++__fips_constseg static const unsigned char sha256_pr_nonce[] = { ++ 0x73, 0x41, 0xc8, 0x92, 0x94, 0xe2, 0xc5, 0x5f, 0x93, 0xfd, 0x39, 0x5d, ++ 0x2b, 0x91, 0x4d, 0x38 ++}; ++ ++__fips_constseg static const unsigned char sha256_pr_personalizationstring[] = { ++ 0x50, 0x6d, 0x01, 0x01, 0x07, 0x5a, 0x80, 0x35, 0x7a, 0x56, 0x1a, 0x56, ++ 0x2f, 0x9a, 0x0b, 0x35, 0xb2, 0xb1, 0xc9, 0xe5, 0xca, 0x69, 0x61, 0x48, ++ 0xff, 0xfb, 0x0f, 0xd9, 0x4b, 0x79, 0x1d, 0xba ++}; ++ ++__fips_constseg static const unsigned char sha256_pr_additionalinput[] = { ++ 0x20, 0xb8, 0xdf, 0x44, 0x77, 0x5a, 0xb8, 0xd3, 0xbf, 0xf6, 0xcf, 0xac, ++ 0x5e, 0xa6, 0x96, 0x62, 0x73, 0x44, 0x40, 0x4a, 0x30, 0xfb, 0x38, 0xa5, ++ 0x7b, 0x0d, 0xe4, 0x0d, 0xc6, 0xe4, 0x9a, 0x1f ++}; ++ ++__fips_constseg static const unsigned char sha256_pr_entropyinputpr[] = { ++ 0x04, 0xc4, 0x65, 0xf4, 0xd3, 0xbf, 0x83, 0x4b, 0xab, 0xc8, 0x41, 0xa8, ++ 0xc2, 0xe0, 0x44, 0x63, 0x77, 0x4c, 0x6f, 0x6c, 0x49, 0x46, 0xff, 0x94, ++ 0x17, 0xea, 0xe6, 0x1a, 0x9d, 0x5e, 0x66, 0x78 ++}; ++ ++__fips_constseg static const unsigned char sha256_pr_int_returnedbits[] = { ++ 0x07, 0x4d, 0xac, 0x9b, 0x86, 0xca, 0x4a, 0xaa, 0x6e, 0x7a, 0x03, 0xa2, ++ 0x5d, 0x10, 0xea, 0x0b, 0xf9, 0x83, 0xcc, 0xd1, 0xfc, 0xe2, 0x07, 0xc7, ++ 0x06, 0x34, 0x60, 0x6f, 0x83, 0x94, 0x99, 0x76 ++}; ++ ++__fips_constseg static const unsigned char sha256_pr_additionalinput2[] = { ++ 0x89, 0x4e, 0x45, 0x8c, 0x11, 0xf9, 0xbc, 0x5b, 0xac, 0x74, 0x8b, 0x4b, ++ 0x5f, 0xf7, 0x19, 0xf3, 0xf5, 0x24, 0x54, 0x14, 0xd1, 0x15, 0xb1, 0x43, ++ 0x12, 0xa4, 0x5f, 0xd4, 0xec, 0xfc, 0xcd, 0x09 ++}; ++ ++__fips_constseg static const unsigned char sha256_pr_entropyinputpr2[] = { ++ 0x0e, 0xeb, 0x1f, 0xd7, 0xfc, 0xd1, 0x9d, 0xd4, 0x05, 0x36, 0x8b, 0xb2, ++ 0xfb, 0xe4, 0xf4, 0x51, 0x0c, 0x87, 0x9b, 0x02, 0x44, 0xd5, 0x92, 0x4d, ++ 0x44, 0xfe, 0x1a, 0x03, 0x43, 0x56, 0xbd, 0x86 ++}; ++ ++__fips_constseg static const unsigned char sha256_pr_returnedbits[] = { ++ 0x02, 0xaa, 0xb6, 0x1d, 0x7e, 0x2a, 0x40, 0x03, 0x69, 0x2d, 0x49, 0xa3, ++ 0x41, 0xe7, 0x44, 0x0b, 0xaf, 0x7b, 0x85, 0xe4, 0x5f, 0x53, 0x3b, 0x64, ++ 0xbc, 0x89, 0xc8, 0x82, 0xd4, 0x78, 0x37, 0xa2 ++}; ++ ++/* SHA-256 No PR */ ++__fips_constseg static const unsigned char sha256_entropyinput[] = { ++ 0x5b, 0x1b, 0xec, 0x4d, 0xa9, 0x38, 0x74, 0x5a, 0x34, 0x0b, 0x7b, 0xc5, ++ 0xe5, 0xd7, 0x66, 0x7c, 0xbc, 0x82, 0xb9, 0x0e, 0x2d, 0x1f, 0x92, 0xd7, ++ 0xc1, 0xbc, 0x67, 0x69, 0xec, 0x6b, 0x03, 0x3c ++}; ++ ++__fips_constseg static const unsigned char sha256_nonce[] = { ++ 0xa4, 0x0c, 0xd8, 0x9c, 0x61, 0xd8, 0xc3, 0x54, 0xfe, 0x53, 0xc9, 0xe5, ++ 0x5d, 0x6f, 0x6d, 0x35 ++}; ++ ++__fips_constseg static const unsigned char sha256_personalizationstring[] = { ++ 0x22, 0x5e, 0x62, 0x93, 0x42, 0x83, 0x78, 0x24, 0xd8, 0x40, 0x8c, 0xde, ++ 0x6f, 0xf9, 0xa4, 0x7a, 0xc5, 0xa7, 0x3b, 0x88, 0xa3, 0xee, 0x42, 0x20, ++ 0xfd, 0x61, 0x56, 0xc6, 0x4c, 0x13, 0x41, 0x9c ++}; ++ ++__fips_constseg static const unsigned char sha256_additionalinput[] = { ++ 0xbf, 0x74, 0x5b, 0xf6, 0xc5, 0x64, 0x5e, 0x99, 0x34, 0x8f, 0xbc, 0xa4, ++ 0xe2, 0xbd, 0xd8, 0x85, 0x26, 0x37, 0xea, 0xba, 0x4f, 0xf2, 0x9a, 0x9a, ++ 0x66, 0xfc, 0xdf, 0x63, 0x26, 0x26, 0x19, 0x87 ++}; ++ ++__fips_constseg static const unsigned char sha256_int_returnedbits[] = { ++ 0xb3, 0xc6, 0x07, 0x07, 0xd6, 0x75, 0xf6, 0x2b, 0xd6, 0x21, 0x96, 0xf1, ++ 0xae, 0xdb, 0x2b, 0xac, 0x25, 0x2a, 0xae, 0xae, 0x41, 0x72, 0x03, 0x5e, ++ 0xbf, 0xd3, 0x64, 0xbc, 0x59, 0xf9, 0xc0, 0x76 ++}; ++ ++__fips_constseg static const unsigned char sha256_entropyinputreseed[] = { ++ 0xbf, 0x20, 0x33, 0x56, 0x29, 0xa8, 0x37, 0x04, 0x1f, 0x78, 0x34, 0x3d, ++ 0x81, 0x2a, 0xc9, 0x86, 0xc6, 0x7a, 0x2f, 0x88, 0x5e, 0xd5, 0xbe, 0x34, ++ 0x46, 0x20, 0xa4, 0x35, 0xeb, 0xc7, 0xe2, 0x9d ++}; ++ ++__fips_constseg static const unsigned char sha256_additionalinputreseed[] = { ++ 0x9b, 0xae, 0x2d, 0x2d, 0x61, 0xa4, 0x89, 0xeb, 0x43, 0x46, 0xa7, 0xda, ++ 0xef, 0x40, 0xca, 0x4a, 0x99, 0x11, 0x41, 0xdc, 0x5c, 0x94, 0xe9, 0xac, ++ 0xd4, 0xd0, 0xe6, 0xbd, 0xfb, 0x03, 0x9c, 0xa8 ++}; ++ ++__fips_constseg static const unsigned char sha256_additionalinput2[] = { ++ 0x23, 0xaa, 0x0c, 0xbd, 0x28, 0x33, 0xe2, 0x51, 0xfc, 0x71, 0xd2, 0x15, ++ 0x1f, 0x76, 0xfd, 0x0d, 0xe0, 0xb7, 0xb5, 0x84, 0x75, 0x5b, 0xbe, 0xf3, ++ 0x5c, 0xca, 0xc5, 0x30, 0xf2, 0x75, 0x1f, 0xda ++}; ++ ++__fips_constseg static const unsigned char sha256_returnedbits[] = { ++ 0x90, 0x3c, 0xc1, 0x10, 0x8c, 0x12, 0x01, 0xc6, 0xa6, 0x3a, 0x0f, 0x4d, ++ 0xb6, 0x3a, 0x4f, 0x41, 0x9c, 0x61, 0x75, 0x84, 0xe9, 0x74, 0x75, 0xfd, ++ 0xfe, 0xf2, 0x1f, 0x43, 0xd8, 0x5e, 0x24, 0xa3 ++}; ++ ++/* SHA-384 PR */ ++__fips_constseg static const unsigned char sha384_pr_entropyinput[] = { ++ 0x71, 0x9d, 0xb2, 0x5a, 0x71, 0x6d, 0x04, 0xe9, 0x1e, 0xc7, 0x92, 0x24, ++ 0x6e, 0x12, 0x33, 0xa9, 0x52, 0x64, 0x31, 0xef, 0x71, 0xeb, 0x22, 0x55, ++ 0x28, 0x97, 0x06, 0x6a, 0xc0, 0x0c, 0xa0, 0x7e ++}; ++ ++__fips_constseg static const unsigned char sha384_pr_nonce[] = { ++ 0xf5, 0x0d, 0xfa, 0xb0, 0xec, 0x6a, 0x7c, 0xd6, 0xbd, 0x9b, 0x05, 0xfd, ++ 0x38, 0x3e, 0x2e, 0x56 ++}; ++ ++__fips_constseg static const unsigned char sha384_pr_personalizationstring[] = { ++ 0x74, 0xac, 0x7e, 0x6d, 0xb1, 0xa4, 0xe7, 0x21, 0xd1, 0x1e, 0x6e, 0x96, ++ 0x6d, 0x4d, 0x53, 0x46, 0x82, 0x96, 0x6e, 0xcf, 0xaa, 0x81, 0x8d, 0x7d, ++ 0x9e, 0xe1, 0x0f, 0x15, 0xea, 0x41, 0xbf, 0xe3 ++}; ++ ++__fips_constseg static const unsigned char sha384_pr_additionalinput[] = { ++ 0xda, 0x95, 0xd4, 0xd0, 0xb8, 0x11, 0xd3, 0x49, 0x27, 0x5d, 0xa9, 0x39, ++ 0x68, 0xf3, 0xa8, 0xe9, 0x5d, 0x19, 0x8a, 0x2b, 0x66, 0xe8, 0x69, 0x06, ++ 0x7c, 0x9e, 0x03, 0xa1, 0x8b, 0x26, 0x2d, 0x6e ++}; ++ ++__fips_constseg static const unsigned char sha384_pr_entropyinputpr[] = { ++ 0x49, 0xdf, 0x44, 0x00, 0xe4, 0x1c, 0x75, 0x0b, 0x26, 0x5a, 0x59, 0x64, ++ 0x1f, 0x4e, 0xb1, 0xb2, 0x13, 0xf1, 0x22, 0x4e, 0xb4, 0x6d, 0x9a, 0xcc, ++ 0xa0, 0x48, 0xe6, 0xcf, 0x1d, 0xd1, 0x92, 0x0d ++}; ++ ++__fips_constseg static const unsigned char sha384_pr_int_returnedbits[] = { ++ 0xc8, 0x52, 0xae, 0xbf, 0x04, 0x3c, 0x27, 0xb7, 0x78, 0x18, 0xaa, 0x8f, ++ 0xff, 0xcf, 0xa4, 0xf1, 0xcc, 0xe7, 0x68, 0xfa, 0x22, 0xa2, 0x13, 0x45, ++ 0xe8, 0xdd, 0x87, 0xe6, 0xf2, 0x6e, 0xdd, 0xc7, 0x52, 0x90, 0x9f, 0x7b, ++ 0xfa, 0x61, 0x2d, 0x9d, 0x9e, 0xcf, 0x98, 0xac, 0x52, 0x40, 0xce, 0xaf ++}; ++ ++__fips_constseg static const unsigned char sha384_pr_additionalinput2[] = { ++ 0x61, 0x7c, 0x03, 0x9a, 0x3e, 0x50, 0x57, 0x60, 0xc5, 0x83, 0xc9, 0xb2, ++ 0xd1, 0x87, 0x85, 0x66, 0x92, 0x5d, 0x84, 0x0e, 0x53, 0xfb, 0x70, 0x03, ++ 0x72, 0xfd, 0xba, 0xae, 0x9c, 0x8f, 0xf8, 0x18 ++}; ++ ++__fips_constseg static const unsigned char sha384_pr_entropyinputpr2[] = { ++ 0xf8, 0xeb, 0x89, 0xb1, 0x8d, 0x78, 0xbe, 0x21, 0xe0, 0xbb, 0x9d, 0xb7, ++ 0x95, 0x0e, 0xd9, 0x46, 0x0c, 0x8c, 0xe2, 0x63, 0xb7, 0x9d, 0x67, 0x90, ++ 0xbd, 0xc7, 0x0b, 0xa5, 0xce, 0xb2, 0x65, 0x81 ++}; ++ ++__fips_constseg static const unsigned char sha384_pr_returnedbits[] = { ++ 0xe6, 0x9f, 0xfe, 0x68, 0xd6, 0xb5, 0x79, 0xf1, 0x06, 0x5f, 0xa3, 0xbb, ++ 0x23, 0x85, 0xd8, 0xf0, 0x29, 0x5a, 0x68, 0x9e, 0xf5, 0xf4, 0xa6, 0x12, ++ 0xe0, 0x9a, 0xe2, 0xac, 0x00, 0x1d, 0x98, 0x26, 0xfc, 0x53, 0x95, 0x53, ++ 0xe4, 0x3e, 0x17, 0xd5, 0x08, 0x0b, 0x70, 0x3d, 0x67, 0x99, 0xac, 0x66 ++}; ++ ++/* SHA-384 No PR */ ++__fips_constseg static const unsigned char sha384_entropyinput[] = { ++ 0x07, 0x15, 0x27, 0x2a, 0xaf, 0x74, 0x24, 0x37, 0xbc, 0xd5, 0x14, 0x69, ++ 0xce, 0x11, 0xff, 0xa2, 0x6b, 0xb8, 0x05, 0x67, 0x34, 0xf8, 0xbd, 0x6d, ++ 0x6a, 0xcc, 0xcd, 0x60, 0xa3, 0x68, 0xca, 0xf4 ++}; ++ ++__fips_constseg static const unsigned char sha384_nonce[] = { ++ 0x70, 0x17, 0xc2, 0x5b, 0x5d, 0x22, 0x0b, 0x06, 0x15, 0x54, 0x78, 0x77, ++ 0x44, 0xaf, 0x2f, 0x09 ++}; ++ ++__fips_constseg static const unsigned char sha384_personalizationstring[] = { ++ 0x89, 0x39, 0x28, 0xb0, 0x60, 0xeb, 0x3d, 0xdc, 0x55, 0x75, 0x86, 0xeb, ++ 0xae, 0xa2, 0x8f, 0xbc, 0x1b, 0x75, 0xd4, 0xe1, 0x0f, 0xaa, 0x38, 0xca, ++ 0x62, 0x8b, 0xcb, 0x2c, 0x26, 0xf6, 0xbc, 0xb1 ++}; ++ ++__fips_constseg static const unsigned char sha384_additionalinput[] = { ++ 0x30, 0x2b, 0x42, 0x35, 0xef, 0xda, 0x40, 0x55, 0x28, 0xc6, 0x95, 0xfb, ++ 0x54, 0x01, 0x62, 0xd7, 0x87, 0x14, 0x48, 0x6d, 0x90, 0x4c, 0xa9, 0x02, ++ 0x54, 0x40, 0x22, 0xc8, 0x66, 0xa5, 0x48, 0x48 ++}; ++ ++__fips_constseg static const unsigned char sha384_int_returnedbits[] = { ++ 0x82, 0xc4, 0xa1, 0x9c, 0x21, 0xd2, 0xe7, 0xa5, 0xa6, 0xf6, 0x5f, 0x04, ++ 0x5c, 0xc7, 0x31, 0x9d, 0x8d, 0x59, 0x74, 0x50, 0x19, 0x89, 0x2f, 0x63, ++ 0xd5, 0xb7, 0x7e, 0xeb, 0x15, 0xe3, 0x70, 0x83, 0xa1, 0x24, 0x59, 0xfa, ++ 0x2c, 0x56, 0xf6, 0x88, 0x3a, 0x92, 0x93, 0xa1, 0xfb, 0x79, 0xc1, 0x7a ++}; ++ ++__fips_constseg static const unsigned char sha384_entropyinputreseed[] = { ++ 0x39, 0xa6, 0xe8, 0x5c, 0x82, 0x17, 0x71, 0x26, 0x57, 0x4f, 0x9f, 0xc2, ++ 0x55, 0xff, 0x5c, 0x9b, 0x53, 0x1a, 0xd1, 0x5f, 0xbc, 0x62, 0xe4, 0x27, ++ 0x2d, 0x32, 0xf0, 0xe4, 0x52, 0x8c, 0xc5, 0x0c ++}; ++ ++__fips_constseg static const unsigned char sha384_additionalinputreseed[] = { ++ 0x8d, 0xcb, 0x8d, 0xce, 0x08, 0xea, 0x80, 0xe8, 0x9b, 0x61, 0xa8, 0x0f, ++ 0xaf, 0x49, 0x20, 0x9e, 0x74, 0xcb, 0x57, 0x80, 0x42, 0xb0, 0x84, 0x5e, ++ 0x30, 0x2a, 0x67, 0x08, 0xf4, 0xe3, 0x40, 0x22 ++}; ++ ++__fips_constseg static const unsigned char sha384_additionalinput2[] = { ++ 0x7c, 0x8f, 0xc2, 0xae, 0x22, 0x4a, 0xd6, 0xf6, 0x05, 0xa4, 0x7a, 0xea, ++ 0xbb, 0x25, 0xd0, 0xb7, 0x5a, 0xd6, 0xcf, 0x9d, 0xf3, 0x6c, 0xe2, 0xb2, ++ 0x4e, 0xb4, 0xbd, 0xf4, 0xe5, 0x40, 0x80, 0x94 ++}; ++ ++__fips_constseg static const unsigned char sha384_returnedbits[] = { ++ 0x9e, 0x7e, 0xfb, 0x59, 0xbb, 0xaa, 0x3c, 0xf7, 0xe1, 0xf8, 0x76, 0xdd, ++ 0x63, 0x5f, 0xaf, 0x23, 0xd6, 0x64, 0x61, 0xc0, 0x9a, 0x09, 0x47, 0xc9, ++ 0x33, 0xdf, 0x6d, 0x55, 0x91, 0x34, 0x79, 0x70, 0xc4, 0x99, 0x6e, 0x54, ++ 0x09, 0x64, 0x21, 0x1a, 0xbd, 0x1e, 0x80, 0x40, 0x34, 0xad, 0xfa, 0xd7 ++}; ++ ++/* SHA-512 PR */ ++__fips_constseg static const unsigned char sha512_pr_entropyinput[] = { ++ 0x13, 0xf7, 0x61, 0x75, 0x65, 0x28, 0xa2, 0x59, 0x13, 0x5a, 0x4a, 0x4f, ++ 0x56, 0x60, 0x8c, 0x53, 0x7d, 0xb0, 0xbd, 0x06, 0x4f, 0xed, 0xcc, 0xd2, ++ 0xa2, 0xb5, 0xfd, 0x5b, 0x3a, 0xab, 0xec, 0x28 ++}; ++ ++__fips_constseg static const unsigned char sha512_pr_nonce[] = { ++ 0xbe, 0xa3, 0x91, 0x93, 0x1d, 0xc3, 0x31, 0x3a, 0x23, 0x33, 0x50, 0x67, ++ 0x88, 0xc7, 0xa2, 0xc4 ++}; ++ ++__fips_constseg static const unsigned char sha512_pr_personalizationstring[] = { ++ 0x1f, 0x59, 0x4d, 0x7b, 0xe6, 0x46, 0x91, 0x48, 0xc1, 0x25, 0xfa, 0xff, ++ 0x89, 0x12, 0x77, 0x35, 0xdf, 0x3e, 0xf4, 0x80, 0x5f, 0xd9, 0xb0, 0x07, ++ 0x22, 0x41, 0xdd, 0x48, 0x78, 0x6b, 0x77, 0x2b ++}; ++ ++__fips_constseg static const unsigned char sha512_pr_additionalinput[] = { ++ 0x30, 0xff, 0x63, 0x6f, 0xac, 0xd9, 0x84, 0x39, 0x6f, 0xe4, 0x99, 0xce, ++ 0x91, 0x7d, 0x7e, 0xc8, 0x58, 0xf2, 0x12, 0xc3, 0xb6, 0xad, 0xda, 0x22, ++ 0x04, 0xa0, 0xd2, 0x21, 0xfe, 0xf2, 0x95, 0x1d ++}; ++ ++__fips_constseg static const unsigned char sha512_pr_entropyinputpr[] = { ++ 0x64, 0x54, 0x13, 0xec, 0x4f, 0x77, 0xda, 0xb2, 0x92, 0x2e, 0x52, 0x80, ++ 0x11, 0x10, 0xc2, 0xf8, 0xe6, 0xa7, 0xcd, 0x4b, 0xfc, 0x32, 0x2e, 0x9e, ++ 0xeb, 0xbb, 0xb1, 0xbf, 0x15, 0x5c, 0x73, 0x08 ++}; ++ ++__fips_constseg static const unsigned char sha512_pr_int_returnedbits[] = { ++ 0xef, 0x1e, 0xdc, 0x0a, 0xa4, 0x36, 0x91, 0x9c, 0x3d, 0x27, 0x97, 0x50, ++ 0x8d, 0x36, 0x29, 0x8d, 0xce, 0x6a, 0x0c, 0xf7, 0x21, 0xc0, 0x91, 0xae, ++ 0x0c, 0x96, 0x72, 0xbd, 0x52, 0x81, 0x58, 0xfc, 0x6d, 0xe5, 0xf7, 0xa5, ++ 0xfd, 0x5d, 0xa7, 0x58, 0x68, 0xc8, 0x99, 0x58, 0x8e, 0xc8, 0xce, 0x95, ++ 0x01, 0x7d, 0xff, 0xa4, 0xc8, 0xf7, 0x63, 0xfe, 0x5f, 0x69, 0x83, 0x53, ++ 0xe2, 0xc6, 0x8b, 0xc3 ++}; ++ ++__fips_constseg static const unsigned char sha512_pr_additionalinput2[] = { ++ 0xe6, 0x9b, 0xc4, 0x88, 0x34, 0xca, 0xea, 0x29, 0x2f, 0x98, 0x05, 0xa4, ++ 0xd3, 0xc0, 0x7b, 0x11, 0xe8, 0xbb, 0x75, 0xf2, 0xbd, 0x29, 0xb7, 0x40, ++ 0x25, 0x7f, 0xc1, 0xb7, 0xb1, 0xf1, 0x25, 0x61 ++}; ++ ++__fips_constseg static const unsigned char sha512_pr_entropyinputpr2[] = { ++ 0x23, 0x6d, 0xff, 0xde, 0xfb, 0xd1, 0xba, 0x33, 0x18, 0xe6, 0xbe, 0xb5, ++ 0x48, 0x77, 0x6d, 0x7f, 0xa7, 0xe1, 0x4d, 0x48, 0x1e, 0x3c, 0xa7, 0x34, ++ 0x1a, 0xc8, 0x60, 0xdb, 0x8f, 0x99, 0x15, 0x99 ++}; ++ ++__fips_constseg static const unsigned char sha512_pr_returnedbits[] = { ++ 0x70, 0x27, 0x31, 0xdb, 0x92, 0x70, 0x21, 0xfe, 0x16, 0xb6, 0xc8, 0x51, ++ 0x34, 0x87, 0x65, 0xd0, 0x4e, 0xfd, 0xfe, 0x68, 0xec, 0xac, 0xdc, 0x93, ++ 0x41, 0x38, 0x92, 0x90, 0xb4, 0x94, 0xf9, 0x0d, 0xa4, 0xf7, 0x4e, 0x80, ++ 0x92, 0x67, 0x48, 0x40, 0xa7, 0x08, 0xc7, 0xbc, 0x66, 0x00, 0xfd, 0xf7, ++ 0x4c, 0x8b, 0x17, 0x6e, 0xd1, 0x8f, 0x9b, 0xf3, 0x6f, 0xf6, 0x34, 0xdd, ++ 0x67, 0xf7, 0x68, 0xdd ++}; ++ ++/* SHA-512 No PR */ ++__fips_constseg static const unsigned char sha512_entropyinput[] = { ++ 0xb6, 0x0b, 0xb7, 0xbc, 0x84, 0x56, 0xf6, 0x12, 0xaf, 0x45, 0x67, 0x17, ++ 0x7c, 0xd1, 0xb2, 0x78, 0x2b, 0xa0, 0xf2, 0xbe, 0xb6, 0x6d, 0x8b, 0x56, ++ 0xc6, 0xbc, 0x4d, 0xe1, 0xf7, 0xbe, 0xce, 0xbd ++}; ++ ++__fips_constseg static const unsigned char sha512_nonce[] = { ++ 0x9d, 0xed, 0xc0, 0xe5, 0x5a, 0x98, 0x6a, 0xcb, 0x51, 0x7d, 0x76, 0x31, ++ 0x5a, 0x64, 0xf0, 0xf7 ++}; ++ ++__fips_constseg static const unsigned char sha512_personalizationstring[] = { ++ 0xc2, 0x6d, 0xa3, 0xc3, 0x06, 0x74, 0xe5, 0x01, 0x5c, 0x10, 0x17, 0xc7, ++ 0xaf, 0x83, 0x9d, 0x59, 0x8d, 0x2d, 0x29, 0x38, 0xc5, 0x59, 0x70, 0x8b, ++ 0x46, 0x48, 0x2d, 0xcf, 0x36, 0x7d, 0x59, 0xc0 ++}; ++ ++__fips_constseg static const unsigned char sha512_additionalinput[] = { ++ 0xec, 0x8c, 0xd4, 0xf7, 0x61, 0x6e, 0x0d, 0x95, 0x79, 0xb7, 0x28, 0xad, ++ 0x5f, 0x69, 0x74, 0x5f, 0x2d, 0x36, 0x06, 0x8a, 0x6b, 0xac, 0x54, 0x97, ++ 0xc4, 0xa1, 0x12, 0x85, 0x0a, 0xdf, 0x4b, 0x34 ++}; ++ ++__fips_constseg static const unsigned char sha512_int_returnedbits[] = { ++ 0x84, 0x2f, 0x1f, 0x68, 0x6a, 0xa3, 0xad, 0x1e, 0xfb, 0xf4, 0x15, 0xbd, ++ 0xde, 0x38, 0xd4, 0x30, 0x80, 0x51, 0xe9, 0xd3, 0xc7, 0x20, 0x88, 0xe9, ++ 0xf5, 0xcc, 0xdf, 0x57, 0x5c, 0x47, 0x2f, 0x57, 0x3c, 0x5f, 0x13, 0x56, ++ 0xcc, 0xc5, 0x4f, 0x84, 0xf8, 0x10, 0x41, 0xd5, 0x7e, 0x58, 0x6e, 0x19, ++ 0x19, 0x9e, 0xaf, 0xc2, 0x22, 0x58, 0x41, 0x50, 0x79, 0xc2, 0xd8, 0x04, ++ 0x28, 0xd4, 0x39, 0x9a ++}; ++ ++__fips_constseg static const unsigned char sha512_entropyinputreseed[] = { ++ 0xfa, 0x7f, 0x46, 0x51, 0x83, 0x62, 0x98, 0x16, 0x9a, 0x19, 0xa2, 0x49, ++ 0xa9, 0xe6, 0x4a, 0xd8, 0x85, 0xe7, 0xd4, 0x3b, 0x2c, 0x82, 0xc5, 0x82, ++ 0xbf, 0x11, 0xf9, 0x9e, 0xbc, 0xd0, 0x01, 0xee ++}; ++ ++__fips_constseg static const unsigned char sha512_additionalinputreseed[] = { ++ 0xb9, 0x12, 0xe0, 0x4f, 0xf7, 0xa7, 0xc4, 0xd8, 0xd0, 0x8e, 0x99, 0x29, ++ 0x7c, 0x9a, 0xe9, 0xcf, 0xc4, 0x6c, 0xf8, 0xc3, 0xa7, 0x41, 0x83, 0xd6, ++ 0x2e, 0xfa, 0xb8, 0x5e, 0x8e, 0x6b, 0x78, 0x20 ++}; ++ ++__fips_constseg static const unsigned char sha512_additionalinput2[] = { ++ 0xd7, 0x07, 0x52, 0xb9, 0x83, 0x2c, 0x03, 0x71, 0xee, 0xc9, 0xc0, 0x85, ++ 0xe1, 0x57, 0xb2, 0xcd, 0x3a, 0xf0, 0xc9, 0x34, 0x24, 0x41, 0x1c, 0x42, ++ 0x99, 0xb2, 0x84, 0xe9, 0x17, 0xd2, 0x76, 0x92 ++}; ++ ++__fips_constseg static const unsigned char sha512_returnedbits[] = { ++ 0x36, 0x17, 0x5d, 0x98, 0x2b, 0x65, 0x25, 0x8e, 0xc8, 0x29, 0xdf, 0x27, ++ 0x05, 0x36, 0x26, 0x12, 0x8a, 0x68, 0x74, 0x27, 0x37, 0xd4, 0x7f, 0x32, ++ 0xb1, 0x12, 0xd6, 0x85, 0x83, 0xeb, 0x2e, 0xa0, 0xed, 0x4b, 0xb5, 0x7b, ++ 0x6f, 0x39, 0x3c, 0x71, 0x77, 0x02, 0x12, 0xcc, 0x2c, 0x3a, 0x8e, 0x63, ++ 0xdf, 0x4a, 0xbd, 0x6f, 0x6e, 0x2e, 0xed, 0x0a, 0x85, 0xa5, 0x2f, 0xa2, ++ 0x68, 0xde, 0x42, 0xb5 ++}; ++ ++/* HMAC SHA-1 PR */ ++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinput[] = { ++ 0x26, 0x5f, 0x36, 0x14, 0xff, 0x3d, 0x83, 0xfa, 0x73, 0x5e, 0x75, 0xdc, ++ 0x2c, 0x18, 0x17, 0x1b ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_pr_nonce[] = { ++ 0xc8, 0xe3, 0x57, 0xa5, 0x7b, 0x74, 0x86, 0x6e ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha1_pr_personalizationstring[] = { ++ 0x6e, 0xdb, 0x0d, 0xfe, 0x7d, 0xac, 0x79, 0xd0, 0xa5, 0x3a, 0x48, 0x85, ++ 0x80, 0xe2, 0x7f, 0x2a ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput[] = { ++ 0x31, 0xcd, 0x5e, 0x43, 0xdc, 0xfb, 0x7a, 0x79, 0xca, 0x88, 0xde, 0x1f, ++ 0xd7, 0xbb, 0x42, 0x09 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr[] = { ++ 0x7c, 0x23, 0x95, 0x38, 0x00, 0x95, 0xc1, 0x78, 0x1f, 0x8f, 0xd7, 0x63, ++ 0x23, 0x87, 0x2a, 0xed ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_pr_int_returnedbits[] = { ++ 0xbb, 0x34, 0xe7, 0x93, 0xa3, 0x02, 0x2c, 0x4a, 0xd0, 0x89, 0xda, 0x7f, ++ 0xed, 0xf4, 0x4c, 0xde, 0x17, 0xec, 0xe5, 0x6c ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput2[] = { ++ 0x49, 0xbc, 0x2d, 0x2c, 0xb7, 0x32, 0xcb, 0x20, 0xdf, 0xf5, 0x77, 0x58, ++ 0xa0, 0x4b, 0x93, 0x6e ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr2[] = { ++ 0x3c, 0xaa, 0xb0, 0x21, 0x42, 0xb0, 0xdd, 0x34, 0xf0, 0x16, 0x7f, 0x0c, ++ 0x0f, 0xff, 0x2e, 0xaf ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_pr_returnedbits[] = { ++ 0x8e, 0xcb, 0xa3, 0x64, 0xb2, 0xb8, 0x33, 0x6c, 0x64, 0x3b, 0x78, 0x16, ++ 0x99, 0x35, 0xc8, 0x30, 0xcb, 0x3e, 0xa0, 0xd8 ++}; ++ ++/* HMAC SHA-1 No PR */ ++__fips_constseg static const unsigned char hmac_sha1_entropyinput[] = { ++ 0x32, 0x9a, 0x2a, 0x87, 0x7b, 0x89, 0x7c, 0xf6, 0xcb, 0x95, 0xd5, 0x40, ++ 0x17, 0xfe, 0x47, 0x70 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_nonce[] = { ++ 0x16, 0xd8, 0xe0, 0xc7, 0x52, 0xcf, 0x4a, 0x25 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_personalizationstring[] = { ++ 0x35, 0x35, 0xa9, 0xa5, 0x40, 0xbe, 0x9b, 0xd1, 0x56, 0xdd, 0x44, 0x00, ++ 0x72, 0xf7, 0xd3, 0x5e ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_additionalinput[] = { ++ 0x1b, 0x2c, 0x84, 0x2d, 0x4a, 0x89, 0x8f, 0x69, 0x19, 0xf1, 0xf3, 0xdb, ++ 0xbb, 0xe3, 0xaa, 0xea ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_int_returnedbits[] = { ++ 0xcf, 0xfa, 0x7d, 0x72, 0x0f, 0xe6, 0xc7, 0x96, 0xa0, 0x69, 0x31, 0x11, ++ 0x9b, 0x0b, 0x1a, 0x20, 0x1f, 0x3f, 0xaa, 0xd1 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_entropyinputreseed[] = { ++ 0x90, 0x75, 0x15, 0x04, 0x95, 0xf1, 0xba, 0x81, 0x0c, 0x37, 0x94, 0x6f, ++ 0x86, 0x52, 0x6d, 0x9c ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_additionalinputreseed[] = { ++ 0x5b, 0x40, 0xba, 0x5f, 0x17, 0x70, 0xf0, 0x4b, 0xdf, 0xc9, 0x97, 0x92, ++ 0x79, 0xc5, 0x82, 0x28 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_additionalinput2[] = { ++ 0x97, 0xc8, 0x80, 0x90, 0xb3, 0xaa, 0x6e, 0x60, 0xea, 0x83, 0x7a, 0xe3, ++ 0x8a, 0xca, 0xa4, 0x7f ++}; ++ ++__fips_constseg static const unsigned char hmac_sha1_returnedbits[] = { ++ 0x90, 0xbd, 0x05, 0x56, 0x6d, 0xb5, 0x22, 0xd5, 0xb9, 0x5a, 0x29, 0x2d, ++ 0xe9, 0x0b, 0xe1, 0xac, 0xde, 0x27, 0x0b, 0xb0 ++}; ++ ++/* HMAC SHA-224 PR */ ++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinput[] = { ++ 0x17, 0x32, 0x2b, 0x2e, 0x6f, 0x1b, 0x9c, 0x6d, 0x31, 0xe0, 0x34, 0x07, ++ 0xcf, 0xed, 0xf6, 0xb6, 0x5a, 0x76, 0x4c, 0xbc, 0x62, 0x85, 0x01, 0x90 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_pr_nonce[] = { ++ 0x38, 0xbf, 0x5f, 0x20, 0xb3, 0x68, 0x2f, 0x43, 0x61, 0x05, 0x8f, 0x23 ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha224_pr_personalizationstring[] = { ++ 0xc0, 0xc9, 0x45, 0xac, 0x8d, 0x27, 0x77, 0x08, 0x0b, 0x17, 0x6d, 0xed, ++ 0xc1, 0x7d, 0xd5, 0x07, 0x9d, 0x6e, 0xf8, 0x23, 0x2a, 0x22, 0x13, 0xbd ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput[] = { ++ 0xa4, 0x3c, 0xe7, 0x3b, 0xea, 0x19, 0x45, 0x32, 0xc2, 0x83, 0x6d, 0x21, ++ 0x8a, 0xc0, 0xee, 0x67, 0x45, 0xde, 0x13, 0x7d, 0x9d, 0x61, 0x00, 0x3b ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr[] = { ++ 0x15, 0x05, 0x74, 0x4a, 0x7f, 0x8d, 0x5c, 0x60, 0x16, 0xe5, 0x7b, 0xad, ++ 0xf5, 0x41, 0x8f, 0x55, 0x60, 0xc4, 0x09, 0xee, 0x1e, 0x11, 0x81, 0xab ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_pr_int_returnedbits[] = { ++ 0x6f, 0xf5, 0x9a, 0xe2, 0x54, 0x53, 0x30, 0x3d, 0x5a, 0x27, 0x29, 0x38, ++ 0x27, 0xf2, 0x0d, 0x05, 0xe9, 0x26, 0xcb, 0x16, 0xc3, 0x51, 0x5f, 0x13, ++ 0x41, 0xfe, 0x99, 0xf2 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput2[] = { ++ 0x73, 0x81, 0x88, 0x84, 0x8f, 0xed, 0x6f, 0x10, 0x9f, 0x93, 0xbf, 0x17, ++ 0x35, 0x7c, 0xef, 0xd5, 0x8d, 0x26, 0xa6, 0x7a, 0xe8, 0x09, 0x36, 0x4f ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr2[] = { ++ 0xe6, 0xcf, 0xcf, 0x7e, 0x12, 0xe5, 0x43, 0xd2, 0x38, 0xd8, 0x24, 0x6f, ++ 0x5a, 0x37, 0x68, 0xbf, 0x4f, 0xa0, 0xff, 0xd5, 0x61, 0x8a, 0x93, 0xe0 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_pr_returnedbits[] = { ++ 0xaf, 0xf9, 0xd8, 0x19, 0x91, 0x30, 0x82, 0x6f, 0xa9, 0x1e, 0x9d, 0xd7, ++ 0xf3, 0x50, 0xe0, 0xc7, 0xd5, 0x64, 0x96, 0x7d, 0x4c, 0x4d, 0x78, 0x03, ++ 0x6d, 0xd8, 0x9e, 0x72 ++}; ++ ++/* HMAC SHA-224 No PR */ ++__fips_constseg static const unsigned char hmac_sha224_entropyinput[] = { ++ 0x11, 0x82, 0xfd, 0xd9, 0x42, 0xf4, 0xfa, 0xc8, 0xf2, 0x41, 0xe6, 0x54, ++ 0x01, 0xae, 0x22, 0x6e, 0xc6, 0xaf, 0xaf, 0xd0, 0xa6, 0xb2, 0xe2, 0x6d ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_nonce[] = { ++ 0xa9, 0x48, 0xd7, 0x92, 0x39, 0x7e, 0x2a, 0xdc, 0x30, 0x1f, 0x0e, 0x2b ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha224_personalizationstring[] = { ++ 0x11, 0xd5, 0xf4, 0xbd, 0x67, 0x8c, 0x31, 0xcf, 0xa3, 0x3f, 0x1e, 0x6b, ++ 0xa8, 0x07, 0x02, 0x0b, 0xc8, 0x2e, 0x6c, 0x64, 0x41, 0x5b, 0xc8, 0x37 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_additionalinput[] = { ++ 0x68, 0x18, 0xc2, 0x06, 0xeb, 0x3e, 0x04, 0x95, 0x44, 0x5e, 0xfb, 0xe6, ++ 0x41, 0xc1, 0x5c, 0xcc, 0x40, 0x2f, 0xb7, 0xd2, 0x0f, 0xf3, 0x6b, 0xe7 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_int_returnedbits[] = { ++ 0x7f, 0x45, 0xc7, 0x5d, 0x32, 0xe6, 0x17, 0x60, 0xba, 0xdc, 0xb8, 0x42, ++ 0x1b, 0x9c, 0xf1, 0xfa, 0x3b, 0x4d, 0x29, 0x54, 0xc6, 0x90, 0xff, 0x5c, ++ 0xcd, 0xd6, 0xa9, 0xcc ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_entropyinputreseed[] = { ++ 0xc4, 0x8e, 0x37, 0x95, 0x69, 0x53, 0x28, 0xd7, 0x37, 0xbb, 0x70, 0x95, ++ 0x1c, 0x07, 0x1d, 0xd9, 0xb7, 0xe6, 0x1b, 0xbb, 0xfe, 0x41, 0xeb, 0xc9 ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha224_additionalinputreseed[] = { ++ 0x53, 0x17, 0xa1, 0x6a, 0xfa, 0x77, 0x47, 0xb0, 0x95, 0x56, 0x9a, 0x20, ++ 0x57, 0xde, 0x5c, 0x89, 0x9f, 0x7f, 0xe2, 0xde, 0x17, 0x3a, 0x50, 0x23 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_additionalinput2[] = { ++ 0x3a, 0x32, 0xf9, 0x85, 0x0c, 0xc1, 0xed, 0x76, 0x2d, 0xdf, 0x40, 0xc3, ++ 0x06, 0x22, 0x66, 0xd4, 0x9a, 0x9a, 0xff, 0x5a, 0x7e, 0x7a, 0xf3, 0x96 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha224_returnedbits[] = { ++ 0x43, 0xb4, 0x57, 0x5c, 0x38, 0x25, 0x9d, 0xae, 0xec, 0x96, 0xd1, 0x85, ++ 0x3a, 0x84, 0x8d, 0xfe, 0x68, 0xd5, 0x0e, 0x5c, 0x8f, 0x65, 0xa5, 0x4e, ++ 0x45, 0x84, 0xa8, 0x94 ++}; ++ ++/* HMAC SHA-256 PR */ ++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinput[] = { ++ 0x4d, 0xb0, 0x43, 0xd8, 0x34, 0x4b, 0x10, 0x70, 0xb1, 0x8b, 0xed, 0xea, ++ 0x07, 0x92, 0x9f, 0x6c, 0x79, 0x31, 0xaf, 0x81, 0x29, 0xeb, 0x6e, 0xca, ++ 0x32, 0x48, 0x28, 0xe7, 0x02, 0x5d, 0xa6, 0xa6 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_pr_nonce[] = { ++ 0x3a, 0xae, 0x15, 0xa9, 0x99, 0xdc, 0xe4, 0x67, 0x34, 0x3b, 0x70, 0x15, ++ 0xaa, 0xd3, 0x30, 0x9a ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha256_pr_personalizationstring[] = { ++ 0x13, 0x1d, 0x24, 0x04, 0xb0, 0x18, 0x81, 0x15, 0x21, 0x51, 0x2a, 0x24, ++ 0x52, 0x61, 0xbe, 0x64, 0x82, 0x6b, 0x55, 0x2f, 0xe2, 0xf1, 0x40, 0x7d, ++ 0x71, 0xd8, 0x01, 0x86, 0x15, 0xb7, 0x8b, 0xb5 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput[] = { ++ 0x8f, 0xa6, 0x54, 0x5f, 0xb1, 0xd0, 0xd8, 0xc3, 0xe7, 0x0c, 0x15, 0xa9, ++ 0x23, 0x6e, 0xfe, 0xfb, 0x93, 0xf7, 0x3a, 0xbd, 0x59, 0x01, 0xfa, 0x18, ++ 0x8e, 0xe9, 0x1a, 0xa9, 0x78, 0xfc, 0x79, 0x0b ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr[] = { ++ 0xcf, 0x24, 0xb9, 0xeb, 0xb3, 0xd4, 0xcd, 0x17, 0x37, 0x38, 0x75, 0x79, ++ 0x15, 0xcb, 0x2d, 0x75, 0x51, 0xf1, 0xcc, 0xaa, 0x32, 0xa4, 0xa7, 0x36, ++ 0x7c, 0x5c, 0xe4, 0x47, 0xf1, 0x3e, 0x1d, 0xe5 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_pr_int_returnedbits[] = { ++ 0x52, 0x42, 0xfa, 0xeb, 0x85, 0xe0, 0x30, 0x22, 0x79, 0x00, 0x16, 0xb2, ++ 0x88, 0x2f, 0x14, 0x6a, 0xb7, 0xfc, 0xb7, 0x53, 0xdc, 0x4a, 0x12, 0xef, ++ 0x54, 0xd6, 0x33, 0xe9, 0x20, 0xd6, 0xfd, 0x56 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput2[] = { ++ 0xf4, 0xf6, 0x49, 0xa1, 0x2d, 0x64, 0x2b, 0x30, 0x58, 0xf8, 0xbd, 0xb8, ++ 0x75, 0xeb, 0xbb, 0x5e, 0x1c, 0x9b, 0x81, 0x6a, 0xda, 0x14, 0x86, 0x6e, ++ 0xd0, 0xda, 0x18, 0xb7, 0x88, 0xfb, 0x59, 0xf3 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr2[] = { ++ 0x21, 0xcd, 0x6e, 0x46, 0xad, 0x99, 0x07, 0x17, 0xb4, 0x3d, 0x76, 0x0a, ++ 0xff, 0x5b, 0x52, 0x50, 0x78, 0xdf, 0x1f, 0x24, 0x06, 0x0d, 0x3f, 0x74, ++ 0xa9, 0xc9, 0x37, 0xcf, 0xd8, 0x26, 0x25, 0x91 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_pr_returnedbits[] = { ++ 0xa7, 0xaf, 0x2f, 0x29, 0xe0, 0x3a, 0x72, 0x95, 0x96, 0x1c, 0xa9, 0xf0, ++ 0x4a, 0x17, 0x4d, 0x66, 0x06, 0x10, 0xbf, 0x39, 0x89, 0x88, 0xb8, 0x91, ++ 0x37, 0x18, 0x99, 0xcf, 0x8c, 0x53, 0x3b, 0x7e ++}; ++ ++/* HMAC SHA-256 No PR */ ++__fips_constseg static const unsigned char hmac_sha256_entropyinput[] = { ++ 0x96, 0xb7, 0x53, 0x22, 0x1e, 0x52, 0x2a, 0x96, 0xb1, 0x15, 0x3c, 0x35, ++ 0x5a, 0x8b, 0xd3, 0x4a, 0xa6, 0x6c, 0x83, 0x0a, 0x7d, 0xa3, 0x23, 0x3d, ++ 0x43, 0xa1, 0x07, 0x2c, 0x2d, 0xe3, 0x81, 0xcc ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_nonce[] = { ++ 0xf1, 0xac, 0x97, 0xcb, 0x5e, 0x06, 0x48, 0xd2, 0x94, 0xbe, 0x15, 0x2e, ++ 0xc7, 0xfc, 0xc2, 0x01 ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha256_personalizationstring[] = { ++ 0x98, 0xc5, 0x1e, 0x35, 0x5e, 0x89, 0x0d, 0xce, 0x64, 0x6d, 0x18, 0xa7, ++ 0x5a, 0xc6, 0xf3, 0xe7, 0xd6, 0x9e, 0xc0, 0xea, 0xb7, 0x3a, 0x8d, 0x65, ++ 0xb8, 0xeb, 0x10, 0xd7, 0x57, 0x18, 0xa0, 0x32 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_additionalinput[] = { ++ 0x1b, 0x10, 0xaf, 0xac, 0xd0, 0x65, 0x95, 0xad, 0x04, 0xad, 0x03, 0x1c, ++ 0xe0, 0x40, 0xd6, 0x3e, 0x1c, 0x46, 0x53, 0x39, 0x7c, 0xe2, 0xbc, 0xda, ++ 0x8c, 0xa2, 0x33, 0xa7, 0x9a, 0x26, 0xd3, 0x27 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_int_returnedbits[] = { ++ 0xba, 0x61, 0x0e, 0x55, 0xfe, 0x11, 0x8a, 0x9e, 0x0f, 0x80, 0xdf, 0x1d, ++ 0x03, 0x0a, 0xfe, 0x15, 0x94, 0x28, 0x4b, 0xba, 0xf4, 0x9f, 0x51, 0x25, ++ 0x88, 0xe5, 0x4e, 0xfb, 0xaf, 0xce, 0x69, 0x90 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_entropyinputreseed[] = { ++ 0x62, 0x7f, 0x1e, 0x6b, 0xe8, 0x8e, 0xe1, 0x35, 0x7d, 0x9b, 0x4f, 0xc7, ++ 0xec, 0xc8, 0xac, 0xef, 0x6b, 0x13, 0x9e, 0x05, 0x56, 0xc1, 0x08, 0xf9, ++ 0x2f, 0x0f, 0x27, 0x9c, 0xd4, 0x15, 0xed, 0x2d ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha256_additionalinputreseed[] = { ++ 0xc7, 0x76, 0x6e, 0xa9, 0xd2, 0xb2, 0x76, 0x40, 0x82, 0x25, 0x2c, 0xb3, ++ 0x6f, 0xac, 0xe9, 0x74, 0xef, 0x8f, 0x3c, 0x8e, 0xcd, 0xf1, 0xbf, 0xb3, ++ 0x49, 0x77, 0x34, 0x88, 0x52, 0x36, 0xe6, 0x2e ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_additionalinput2[] = { ++ 0x8d, 0xb8, 0x0c, 0xd1, 0xbf, 0x70, 0xf6, 0x19, 0xc3, 0x41, 0x80, 0x9f, ++ 0xe1, 0xa5, 0xa4, 0x1f, 0x2c, 0x26, 0xb1, 0xe5, 0xd8, 0xeb, 0xbe, 0xf8, ++ 0xdf, 0x88, 0x6a, 0x89, 0xd6, 0x05, 0xd8, 0x9d ++}; ++ ++__fips_constseg static const unsigned char hmac_sha256_returnedbits[] = { ++ 0x43, 0x12, 0x2a, 0x2c, 0x40, 0x53, 0x2e, 0x7c, 0x66, 0x34, 0xac, 0xc3, ++ 0x43, 0xe3, 0xe0, 0x6a, 0xfc, 0xfa, 0xea, 0x87, 0x21, 0x1f, 0xe2, 0x26, ++ 0xc4, 0xf9, 0x09, 0x9a, 0x0d, 0x6e, 0x7f, 0xe0 ++}; ++ ++/* HMAC SHA-384 PR */ ++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinput[] = { ++ 0x69, 0x81, 0x98, 0x88, 0x44, 0xf5, 0xd6, 0x2e, 0x00, 0x08, 0x3b, 0xc5, ++ 0xfb, 0xd7, 0x8e, 0x6f, 0x23, 0xf8, 0x6d, 0x09, 0xd6, 0x85, 0x49, 0xd1, ++ 0xf8, 0x6d, 0xa4, 0x58, 0x54, 0xfd, 0x88, 0xa9 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_pr_nonce[] = { ++ 0x6e, 0x38, 0x81, 0xca, 0xb7, 0xe8, 0x6e, 0x66, 0x49, 0x8a, 0xb2, 0x59, ++ 0xee, 0x16, 0xc9, 0xde ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha384_pr_personalizationstring[] = { ++ 0xfe, 0x4c, 0xd9, 0xf4, 0x78, 0x3b, 0x08, 0x41, 0x8d, 0x8f, 0x55, 0xc4, ++ 0x43, 0x56, 0xb6, 0x12, 0x36, 0x6b, 0x30, 0xb7, 0x5e, 0xe1, 0xb9, 0x47, ++ 0x04, 0xb1, 0x4e, 0xa9, 0x00, 0xa1, 0x52, 0xa1 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput[] = { ++ 0x89, 0xe9, 0xcc, 0x8f, 0x27, 0x3c, 0x26, 0xd1, 0x95, 0xc8, 0x7d, 0x0f, ++ 0x5b, 0x1a, 0xf0, 0x78, 0x39, 0x56, 0x6f, 0xa4, 0x23, 0xe7, 0xd1, 0xda, ++ 0x7c, 0x66, 0x33, 0xa0, 0x90, 0xc9, 0x92, 0x88 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr[] = { ++ 0xbe, 0x3d, 0x7c, 0x0d, 0xca, 0xda, 0x7c, 0x49, 0xb8, 0x12, 0x36, 0xc0, ++ 0xdb, 0xad, 0x35, 0xa8, 0xc7, 0x0b, 0x2a, 0x2c, 0x69, 0x6d, 0x25, 0x56, ++ 0x63, 0x82, 0x11, 0x3e, 0xa7, 0x33, 0x70, 0x72 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_pr_int_returnedbits[] = { ++ 0x82, 0x3d, 0xe6, 0x54, 0x80, 0x42, 0xf8, 0xba, 0x90, 0x4f, 0x06, 0xa6, ++ 0xd2, 0x7f, 0xbf, 0x79, 0x7c, 0x12, 0x7d, 0xa6, 0xa2, 0x66, 0xe8, 0xa6, ++ 0xc0, 0xd6, 0x4a, 0x55, 0xbf, 0xd8, 0x0a, 0xc5, 0xf8, 0x03, 0x88, 0xdd, ++ 0x8e, 0x87, 0xd1, 0x5a, 0x48, 0x26, 0x72, 0x2a, 0x8e, 0xcf, 0xee, 0xba ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput2[] = { ++ 0x8f, 0xff, 0xd9, 0x84, 0xbb, 0x85, 0x3a, 0x66, 0xa1, 0x21, 0xce, 0xb2, ++ 0x3a, 0x3a, 0x17, 0x22, 0x19, 0xae, 0xc7, 0xb6, 0x63, 0x81, 0xd5, 0xff, ++ 0x0d, 0xc8, 0xe1, 0xaf, 0x57, 0xd2, 0xcb, 0x60 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr2[] = { ++ 0xd7, 0xfb, 0xc9, 0xe8, 0xe2, 0xf2, 0xaa, 0x4c, 0xb8, 0x51, 0x2f, 0xe1, ++ 0x22, 0xba, 0xf3, 0xda, 0x0a, 0x19, 0x76, 0x71, 0x57, 0xb2, 0x1d, 0x94, ++ 0x09, 0x69, 0x6c, 0xd3, 0x97, 0x51, 0x81, 0x87 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_pr_returnedbits[] = { ++ 0xe6, 0x19, 0x28, 0xa8, 0x21, 0xce, 0x5e, 0xdb, 0x24, 0x79, 0x8c, 0x76, ++ 0x5d, 0x73, 0xb2, 0xdf, 0xac, 0xef, 0x85, 0xa7, 0x3b, 0x19, 0x09, 0x8b, ++ 0x7f, 0x98, 0x28, 0xa9, 0x93, 0xd8, 0x7a, 0xad, 0x55, 0x8b, 0x24, 0x9d, ++ 0xe6, 0x98, 0xfe, 0x47, 0xd5, 0x48, 0xc1, 0x23, 0xd8, 0x1d, 0x62, 0x75 ++}; ++ ++/* HMAC SHA-384 No PR */ ++__fips_constseg static const unsigned char hmac_sha384_entropyinput[] = { ++ 0xc3, 0x56, 0x2b, 0x1d, 0xc2, 0xbb, 0xa8, 0xf0, 0xae, 0x1b, 0x0d, 0xd3, ++ 0x5a, 0x6c, 0xda, 0x57, 0x8e, 0xa5, 0x8a, 0x0d, 0x6c, 0x4b, 0x18, 0xb1, ++ 0x04, 0x3e, 0xb4, 0x99, 0x35, 0xc4, 0xc0, 0x5f ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_nonce[] = { ++ 0xc5, 0x49, 0x1e, 0x66, 0x27, 0x92, 0xbe, 0xec, 0xb5, 0x1e, 0x4b, 0xb1, ++ 0x38, 0xe3, 0xeb, 0x62 ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha384_personalizationstring[] = { ++ 0xbe, 0xe7, 0x6b, 0x57, 0xde, 0x88, 0x11, 0x96, 0x9b, 0x6e, 0xea, 0xe5, ++ 0x63, 0x83, 0x4c, 0xb6, 0x8d, 0x66, 0xaa, 0x1f, 0x8b, 0x54, 0xe7, 0x62, ++ 0x6d, 0x5a, 0xfc, 0xbf, 0x97, 0xba, 0xcd, 0x77 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_additionalinput[] = { ++ 0xe5, 0x28, 0x5f, 0x43, 0xf5, 0x83, 0x6e, 0x0a, 0x83, 0x5c, 0xe3, 0x81, ++ 0x03, 0xf2, 0xf8, 0x78, 0x00, 0x7c, 0x95, 0x87, 0x16, 0xd6, 0x6c, 0x58, ++ 0x33, 0x6c, 0x53, 0x35, 0x0d, 0x66, 0xe3, 0xce ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_int_returnedbits[] = { ++ 0xe2, 0x1f, 0xf3, 0xda, 0x0d, 0x19, 0x99, 0x87, 0xc4, 0x90, 0xa2, 0x31, ++ 0xca, 0x2a, 0x89, 0x58, 0x43, 0x44, 0xb8, 0xde, 0xcf, 0xa4, 0xbe, 0x3b, ++ 0x53, 0x26, 0x22, 0x31, 0x76, 0x41, 0x22, 0xb5, 0xa8, 0x70, 0x2f, 0x4b, ++ 0x64, 0x95, 0x4d, 0x48, 0x96, 0x35, 0xe6, 0xbd, 0x3c, 0x34, 0xdb, 0x1b ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_entropyinputreseed[] = { ++ 0x77, 0x61, 0xba, 0xbc, 0xf2, 0xc1, 0xf3, 0x4b, 0x86, 0x65, 0xfd, 0x48, ++ 0x0e, 0x3c, 0x02, 0x5e, 0xa2, 0x7a, 0x6b, 0x7c, 0xed, 0x21, 0x5e, 0xf9, ++ 0xcd, 0xcd, 0x77, 0x07, 0x2b, 0xbe, 0xc5, 0x5c ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha384_additionalinputreseed[] = { ++ 0x18, 0x24, 0x5f, 0xc6, 0x84, 0xd1, 0x67, 0xc3, 0x9a, 0x11, 0xa5, 0x8c, ++ 0x07, 0x39, 0x21, 0x83, 0x4d, 0x04, 0xc4, 0x6a, 0x28, 0x19, 0xcf, 0x92, ++ 0x21, 0xd9, 0x9e, 0x41, 0x72, 0x6c, 0x9e, 0x63 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_additionalinput2[] = { ++ 0x96, 0x67, 0x41, 0x28, 0x9b, 0xb7, 0x92, 0x8d, 0x64, 0x3b, 0xe4, 0xcf, ++ 0x7e, 0xaa, 0x1e, 0xb1, 0x4b, 0x1d, 0x09, 0x56, 0x67, 0x9c, 0xc6, 0x6d, ++ 0x3b, 0xe8, 0x91, 0x9d, 0xe1, 0x8a, 0xb7, 0x32 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha384_returnedbits[] = { ++ 0xe3, 0x59, 0x61, 0x38, 0x92, 0xec, 0xe2, 0x3c, 0xff, 0xb7, 0xdb, 0x19, ++ 0x0f, 0x5b, 0x93, 0x68, 0x0d, 0xa4, 0x94, 0x40, 0x72, 0x0b, 0xe0, 0xed, ++ 0x4d, 0xcd, 0x68, 0xa0, 0x1e, 0xfe, 0x67, 0xb2, 0xfa, 0x21, 0x56, 0x74, ++ 0xa4, 0xad, 0xcf, 0xb7, 0x60, 0x66, 0x2e, 0x40, 0xde, 0x82, 0xca, 0xfb ++}; ++ ++/* HMAC SHA-512 PR */ ++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinput[] = { ++ 0xaa, 0x9e, 0x45, 0x67, 0x0e, 0x00, 0x2a, 0x67, 0x98, 0xd6, 0xda, 0x0b, ++ 0x0f, 0x17, 0x7e, 0xac, 0xfd, 0x27, 0xc4, 0xca, 0x84, 0xdf, 0xde, 0xba, ++ 0x85, 0xd9, 0xbe, 0x8f, 0xf3, 0xff, 0x91, 0x4d ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_pr_nonce[] = { ++ 0x8c, 0x49, 0x2f, 0x58, 0x1e, 0x7a, 0xda, 0x4b, 0x7e, 0x8a, 0x30, 0x7b, ++ 0x86, 0xea, 0xaf, 0xa2 ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha512_pr_personalizationstring[] = { ++ 0x71, 0xe1, 0xbb, 0xad, 0xa7, 0x4b, 0x2e, 0x31, 0x3b, 0x0b, 0xec, 0x24, ++ 0x99, 0x38, 0xbc, 0xaa, 0x05, 0x4c, 0x46, 0x44, 0xfa, 0xad, 0x8e, 0x02, ++ 0xc1, 0x7e, 0xad, 0xec, 0x54, 0xa6, 0xd0, 0xad ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput[] = { ++ 0x3d, 0x6e, 0xa6, 0xa8, 0x29, 0x2a, 0xb2, 0xf5, 0x98, 0x42, 0xe4, 0x92, ++ 0x78, 0x22, 0x67, 0xfd, 0x1b, 0x15, 0x1e, 0x29, 0xaa, 0x71, 0x3c, 0x3c, ++ 0xe7, 0x05, 0x20, 0xa9, 0x29, 0xc6, 0x75, 0x71 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr[] = { ++ 0xab, 0xb9, 0x16, 0xd8, 0x55, 0x35, 0x54, 0xb7, 0x97, 0x3f, 0x94, 0xbc, ++ 0x2f, 0x7c, 0x70, 0xc7, 0xd0, 0xed, 0xb7, 0x4b, 0xf7, 0xf6, 0x6c, 0x03, ++ 0x0c, 0xb0, 0x03, 0xd8, 0xbb, 0x71, 0xd9, 0x10 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_pr_int_returnedbits[] = { ++ 0x8e, 0xd3, 0xfd, 0x52, 0x9e, 0x83, 0x08, 0x49, 0x18, 0x6e, 0x23, 0x56, ++ 0x5c, 0x45, 0x93, 0x34, 0x05, 0xe2, 0x98, 0x8f, 0x0c, 0xd4, 0x32, 0x0c, ++ 0xfd, 0xda, 0x5f, 0x92, 0x3a, 0x8c, 0x81, 0xbd, 0xf6, 0x6c, 0x55, 0xfd, ++ 0xb8, 0x20, 0xce, 0x8d, 0x97, 0x27, 0xe8, 0xe8, 0xe0, 0xb3, 0x85, 0x50, ++ 0xa2, 0xc2, 0xb2, 0x95, 0x1d, 0x48, 0xd3, 0x7b, 0x4b, 0x78, 0x13, 0x35, ++ 0x05, 0x17, 0xbe, 0x0d ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput2[] = { ++ 0xc3, 0xfc, 0x95, 0xaa, 0x69, 0x06, 0xae, 0x59, 0x41, 0xce, 0x26, 0x08, ++ 0x29, 0x6d, 0x45, 0xda, 0xe8, 0xb3, 0x6c, 0x95, 0x60, 0x0f, 0x70, 0x2c, ++ 0x10, 0xba, 0x38, 0x8c, 0xcf, 0x29, 0x99, 0xaa ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr2[] = { ++ 0x3b, 0x9a, 0x25, 0xce, 0xd7, 0xf9, 0x5c, 0xd1, 0x3a, 0x3e, 0xaa, 0x71, ++ 0x14, 0x3e, 0x19, 0xe8, 0xce, 0xe6, 0xfe, 0x51, 0x84, 0xe9, 0x1b, 0xfe, ++ 0x3f, 0xa7, 0xf2, 0xfd, 0x76, 0x5f, 0x6a, 0xe7 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_pr_returnedbits[] = { ++ 0xb7, 0x82, 0xa9, 0x57, 0x81, 0x67, 0x53, 0xb5, 0xa1, 0xe9, 0x3d, 0x35, ++ 0xf9, 0xe4, 0x97, 0xbe, 0xa6, 0xca, 0xf1, 0x01, 0x13, 0x09, 0xe7, 0x21, ++ 0xc0, 0xed, 0x93, 0x5d, 0x4b, 0xf4, 0xeb, 0x8d, 0x53, 0x25, 0x8a, 0xc4, ++ 0xb1, 0x6f, 0x6e, 0x37, 0xcd, 0x2e, 0xac, 0x39, 0xb2, 0xb6, 0x99, 0xa3, ++ 0x82, 0x00, 0xb0, 0x21, 0xf0, 0xc7, 0x2f, 0x4c, 0x73, 0x92, 0xfd, 0x00, ++ 0xb6, 0xaf, 0xbc, 0xd3 ++}; ++ ++/* HMAC SHA-512 No PR */ ++__fips_constseg static const unsigned char hmac_sha512_entropyinput[] = { ++ 0x6e, 0x85, 0xe6, 0x25, 0x96, 0x29, 0xa7, 0x52, 0x5b, 0x60, 0xba, 0xaa, ++ 0xde, 0xdb, 0x36, 0x0a, 0x51, 0x9a, 0x15, 0xae, 0x6e, 0x18, 0xd3, 0xfe, ++ 0x39, 0xb9, 0x4a, 0x96, 0xf8, 0x77, 0xcb, 0x95 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_nonce[] = { ++ 0xe0, 0xa6, 0x5d, 0x08, 0xc3, 0x7c, 0xae, 0x25, 0x2e, 0x80, 0xd1, 0x3e, ++ 0xd9, 0xaf, 0x43, 0x3c ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha512_personalizationstring[] = { ++ 0x53, 0x99, 0x52, 0x5f, 0x11, 0xa9, 0x64, 0x66, 0x20, 0x5e, 0x1b, 0x5f, ++ 0x42, 0xb3, 0xf4, 0xda, 0xed, 0xbb, 0x63, 0xc1, 0x23, 0xaf, 0xd0, 0x01, ++ 0x90, 0x3b, 0xd0, 0x78, 0xe4, 0x0b, 0xa7, 0x20 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_additionalinput[] = { ++ 0x85, 0x90, 0x80, 0xd3, 0x98, 0xf1, 0x53, 0x6d, 0x68, 0x15, 0x8f, 0xe5, ++ 0x60, 0x3f, 0x17, 0x29, 0x55, 0x8d, 0x33, 0xb1, 0x45, 0x64, 0x64, 0x8d, ++ 0x50, 0x21, 0x89, 0xae, 0xf6, 0xfd, 0x32, 0x73 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_int_returnedbits[] = { ++ 0x28, 0x56, 0x30, 0x6f, 0xf4, 0xa1, 0x48, 0xe0, 0xc9, 0xf5, 0x75, 0x90, ++ 0xcc, 0xfb, 0xdf, 0xdf, 0x71, 0x3d, 0x0a, 0x9a, 0x03, 0x65, 0x3b, 0x18, ++ 0x61, 0xe3, 0xd1, 0xda, 0xcc, 0x4a, 0xfe, 0x55, 0x38, 0xf8, 0x21, 0x6b, ++ 0xfa, 0x18, 0x01, 0x42, 0x39, 0x2f, 0x99, 0x53, 0x38, 0x15, 0x82, 0x34, ++ 0xc5, 0x93, 0x92, 0xbc, 0x4d, 0x75, 0x1a, 0x5f, 0x21, 0x27, 0xcc, 0xa1, ++ 0xb1, 0x57, 0x69, 0xe8 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_entropyinputreseed[] = { ++ 0x8c, 0x52, 0x7e, 0x77, 0x72, 0x3f, 0xa3, 0x04, 0x97, 0x10, 0x9b, 0x41, ++ 0xbd, 0xe8, 0xff, 0x89, 0xed, 0x80, 0xe3, 0xbd, 0xaa, 0x12, 0x2d, 0xca, ++ 0x75, 0x82, 0x36, 0x77, 0x88, 0xcd, 0xa6, 0x73 ++}; ++ ++__fips_constseg ++ static const unsigned char hmac_sha512_additionalinputreseed[] = { ++ 0x7e, 0x32, 0xe3, 0x69, 0x69, 0x07, 0x34, 0xa2, 0x16, 0xa2, 0x5d, 0x1a, ++ 0x10, 0x91, 0xd3, 0xe2, 0x21, 0xa2, 0xa3, 0xdd, 0xcd, 0x0c, 0x09, 0x86, ++ 0x11, 0xe1, 0x50, 0xff, 0x5c, 0xb7, 0xeb, 0x5c ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_additionalinput2[] = { ++ 0x7f, 0x78, 0x66, 0xd8, 0xfb, 0x67, 0xcf, 0x8d, 0x8c, 0x08, 0x30, 0xa5, ++ 0xf8, 0x7d, 0xcf, 0x44, 0x59, 0xce, 0xf8, 0xdf, 0x58, 0xd3, 0x60, 0xcb, ++ 0xa8, 0x60, 0xb9, 0x07, 0xc4, 0xb1, 0x95, 0x48 ++}; ++ ++__fips_constseg static const unsigned char hmac_sha512_returnedbits[] = { ++ 0xdf, 0xa7, 0x36, 0xd4, 0xdc, 0x5d, 0x4d, 0x31, 0xad, 0x69, 0x46, 0x9f, ++ 0xf1, 0x7c, 0xd7, 0x3b, 0x4f, 0x55, 0xf2, 0xd7, 0xb9, 0x9d, 0xad, 0x7a, ++ 0x79, 0x08, 0x59, 0xa5, 0xdc, 0x74, 0xf5, 0x9b, 0x73, 0xd2, 0x13, 0x25, ++ 0x0b, 0x81, 0x08, 0x08, 0x25, 0xfb, 0x39, 0xf2, 0xf0, 0xa3, 0xa4, 0x8d, ++ 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79, ++ 0xc2, 0xd6, 0xfd, 0xa5 ++}; +Index: openssl-1.1.1n/crypto/fips/fips_dsa_selftest.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_dsa_selftest.c +@@ -0,0 +1,195 @@ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++#include "crypto/fips_int.h" ++#include ++#include ++#include ++#include "fips_locl.h" ++ ++#ifdef OPENSSL_FIPS ++ ++static const unsigned char dsa_test_2048_p[] = { ++ 0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08, ++ 0x0d, 0xa2, 0x13, 0x17, 0xe4, 0x3e, 0xc4, 0xb6, 0x2b, 0xa8, 0xc8, 0x62, ++ 0x3b, 0x7e, 0x4d, 0x04, 0x44, 0x1d, 0xd1, 0xa0, 0x65, 0x86, 0x62, 0x59, ++ 0x64, 0x93, 0xca, 0x8e, 0x9e, 0x8f, 0xbb, 0x7e, 0x34, 0xaa, 0xdd, 0xb6, ++ 0x2e, 0x5d, 0x67, 0xb6, 0xd0, 0x9a, 0x6e, 0x61, 0xb7, 0x69, 0xe7, 0xc3, ++ 0x52, 0xaa, 0x2b, 0x10, 0xe2, 0x0c, 0xa0, 0x63, 0x69, 0x63, 0xb5, 0x52, ++ 0x3e, 0x86, 0x47, 0x0d, 0xec, 0xbb, 0xed, 0xa0, 0x27, 0xe7, 0x97, 0xe7, ++ 0xb6, 0x76, 0x35, 0xd4, 0xd4, 0x9c, 0x30, 0x70, 0x0e, 0x74, 0xaf, 0x8a, ++ 0x0f, 0xf1, 0x56, 0xa8, 0x01, 0xaf, 0x57, 0xa2, 0x6e, 0x70, 0x78, 0xf1, ++ 0xd8, 0x2f, 0x74, 0x90, 0x8e, 0xcb, 0x6d, 0x07, 0xe7, 0x0b, 0x35, 0x03, ++ 0xee, 0xd9, 0x4f, 0xa3, 0x2c, 0xf1, 0x7a, 0x7f, 0xc3, 0xd6, 0xcf, 0x40, ++ 0xdc, 0x7b, 0x00, 0x83, 0x0e, 0x6a, 0x25, 0x66, 0xdc, 0x07, 0x3e, 0x34, ++ 0x33, 0x12, 0x51, 0x7c, 0x6a, 0xa5, 0x15, 0x2b, 0x4b, 0xfe, 0xcd, 0x2e, ++ 0x55, 0x1f, 0xee, 0x34, 0x63, 0x18, 0xa1, 0x53, 0x42, 0x3c, 0x99, 0x6b, ++ 0x0d, 0x5d, 0xcb, 0x91, 0x02, 0xae, 0xdd, 0x38, 0x79, 0x86, 0x16, 0xf1, ++ 0xf1, 0xe0, 0xd6, 0xc4, 0x03, 0x52, 0x5b, 0x1f, 0x9b, 0x3d, 0x4d, 0xc7, ++ 0x66, 0xde, 0x2d, 0xfc, 0x4a, 0x56, 0xd7, 0xb8, 0xba, 0x59, 0x63, 0xd6, ++ 0x0f, 0x3e, 0x16, 0x31, 0x88, 0x70, 0xad, 0x43, 0x69, 0x52, 0xe5, 0x57, ++ 0x65, 0x37, 0x4e, 0xab, 0x85, 0xe8, 0xec, 0x17, 0xd6, 0xb9, 0xa4, 0x54, ++ 0x7b, 0x9b, 0x5f, 0x27, 0x52, 0xf3, 0x10, 0x5b, 0xe8, 0x09, 0xb2, 0x3a, ++ 0x2c, 0x8d, 0x74, 0x69, 0xdb, 0x02, 0xe2, 0x4d, 0x59, 0x23, 0x94, 0xa7, ++ 0xdb, 0xa0, 0x69, 0xe9 ++}; ++ ++static const unsigned char dsa_test_2048_q[] = { ++ 0xd2, 0x77, 0x04, 0x4e, 0x50, 0xf5, 0xa4, 0xe3, 0xf5, 0x10, 0xa5, 0x0a, ++ 0x0b, 0x84, 0xfd, 0xff, 0xbc, 0xa0, 0x47, 0xed, 0x27, 0x60, 0x20, 0x56, ++ 0x74, 0x41, 0xa0, 0xa5 ++}; ++ ++static const unsigned char dsa_test_2048_g[] = { ++ 0x13, 0xd7, 0x54, 0xe2, 0x1f, 0xd2, 0x41, 0x65, 0x5d, 0xa8, 0x91, 0xc5, ++ 0x22, 0xa6, 0x5a, 0x72, 0xa8, 0x9b, 0xdc, 0x64, 0xec, 0x9b, 0x54, 0xa8, ++ 0x21, 0xed, 0x4a, 0x89, 0x8b, 0x49, 0x0e, 0x0c, 0x4f, 0xcb, 0x72, 0x19, ++ 0x2a, 0x4a, 0x20, 0xf5, 0x41, 0xf3, 0xf2, 0x92, 0x53, 0x99, 0xf0, 0xba, ++ 0xec, 0xf9, 0x29, 0xaa, 0xfb, 0xf7, 0x9d, 0xfe, 0x43, 0x32, 0x39, 0x3b, ++ 0x32, 0xcd, 0x2e, 0x2f, 0xcf, 0x27, 0x2f, 0x32, 0xa6, 0x27, 0x43, 0x4a, ++ 0x0d, 0xf2, 0x42, 0xb7, 0x5b, 0x41, 0x4d, 0xf3, 0x72, 0x12, 0x1e, 0x53, ++ 0xa5, 0x53, 0xf2, 0x22, 0xf8, 0x36, 0xb0, 0x00, 0xf0, 0x16, 0x48, 0x5b, ++ 0x6b, 0xd0, 0x89, 0x84, 0x51, 0x80, 0x1d, 0xcd, 0x8d, 0xe6, 0x4c, 0xd5, ++ 0x36, 0x56, 0x96, 0xff, 0xc5, 0x32, 0xd5, 0x28, 0xc5, 0x06, 0x62, 0x0a, ++ 0x94, 0x2a, 0x03, 0x05, 0x04, 0x6d, 0x8f, 0x18, 0x76, 0x34, 0x1f, 0x1e, ++ 0x57, 0x0b, 0xc3, 0x97, 0x4b, 0xa6, 0xb9, 0xa4, 0x38, 0xe9, 0x70, 0x23, ++ 0x02, 0xa2, 0xe6, 0xe6, 0x7b, 0xfd, 0x06, 0xd3, 0x2b, 0xc6, 0x79, 0x96, ++ 0x22, 0x71, 0xd7, 0xb4, 0x0c, 0xd7, 0x2f, 0x38, 0x6e, 0x64, 0xe0, 0xd7, ++ 0xef, 0x86, 0xca, 0x8c, 0xa5, 0xd1, 0x42, 0x28, 0xdc, 0x2a, 0x4f, 0x16, ++ 0xe3, 0x18, 0x98, 0x86, 0xb5, 0x99, 0x06, 0x74, 0xf4, 0x20, 0x0f, 0x3a, ++ 0x4c, 0xf6, 0x5a, 0x3f, 0x0d, 0xdb, 0xa1, 0xfa, 0x67, 0x2d, 0xff, 0x2f, ++ 0x5e, 0x14, 0x3d, 0x10, 0xe4, 0xe9, 0x7a, 0xe8, 0x4f, 0x6d, 0xa0, 0x95, ++ 0x35, 0xd5, 0xb9, 0xdf, 0x25, 0x91, 0x81, 0xa7, 0x9b, 0x63, 0xb0, 0x69, ++ 0xe9, 0x49, 0x97, 0x2b, 0x02, 0xba, 0x36, 0xb3, 0x58, 0x6a, 0xab, 0x7e, ++ 0x45, 0xf3, 0x22, 0xf8, 0x2e, 0x4e, 0x85, 0xca, 0x3a, 0xb8, 0x55, 0x91, ++ 0xb3, 0xc2, 0xa9, 0x66 ++}; ++ ++static const unsigned char dsa_test_2048_pub_key[] = { ++ 0x24, 0x52, 0xf3, 0xcc, 0xbe, 0x9e, 0xd5, 0xca, 0x7d, 0xc7, 0x4c, 0x60, ++ 0x2b, 0x99, 0x22, 0x6e, 0x8f, 0x2f, 0xab, 0x38, 0xe7, 0xd7, 0xdd, 0xfb, ++ 0x75, 0x53, 0x9b, 0x17, 0x15, 0x5e, 0x9f, 0xcf, 0xd1, 0xab, 0xa5, 0x64, ++ 0xeb, 0x85, 0x35, 0xd8, 0x12, 0xc9, 0xc2, 0xdc, 0xf9, 0x72, 0x84, 0x44, ++ 0x1b, 0xc4, 0x82, 0x24, 0x36, 0x24, 0xc7, 0xf4, 0x57, 0x58, 0x0c, 0x1c, ++ 0x38, 0xa5, 0x7c, 0x46, 0xc4, 0x57, 0x39, 0x24, 0x70, 0xed, 0xb5, 0x2c, ++ 0xb5, 0xa6, 0xe0, 0x3f, 0xe6, 0x28, 0x7b, 0xb6, 0xf4, 0x9a, 0x42, 0xa2, ++ 0x06, 0x5a, 0x05, 0x4f, 0x03, 0x08, 0x39, 0xdf, 0x1f, 0xd3, 0x14, 0x9c, ++ 0x4c, 0xa0, 0x53, 0x1d, 0xd8, 0xca, 0x8a, 0xaa, 0x9c, 0xc7, 0x33, 0x71, ++ 0x93, 0x38, 0x73, 0x48, 0x33, 0x61, 0x18, 0x22, 0x45, 0x45, 0xe8, 0x8c, ++ 0x80, 0xff, 0xd8, 0x76, 0x5d, 0x74, 0x36, 0x03, 0x33, 0xcc, 0xab, 0x99, ++ 0x72, 0x77, 0x9b, 0x65, 0x25, 0xa6, 0x5b, 0xdd, 0x0d, 0x10, 0xc6, 0x75, ++ 0xc1, 0x09, 0xbb, 0xd3, 0xe5, 0xbe, 0x4d, 0x72, 0xef, 0x6e, 0xba, 0x6e, ++ 0x43, 0x8d, 0x52, 0x26, 0x23, 0x7d, 0xb8, 0x88, 0x37, 0x9c, 0x5f, 0xcc, ++ 0x47, 0xa3, 0x84, 0x7f, 0xf6, 0x37, 0x11, 0xba, 0xed, 0x6d, 0x03, 0xaf, ++ 0xe8, 0x1e, 0x69, 0x4a, 0x41, 0x3b, 0x68, 0x0b, 0xd3, 0x8a, 0xb4, 0x90, ++ 0x3f, 0x83, 0x70, 0xa7, 0x07, 0xef, 0x55, 0x1d, 0x49, 0x41, 0x02, 0x6d, ++ 0x95, 0x79, 0xd6, 0x91, 0xde, 0x8e, 0xda, 0xa1, 0x61, 0x05, 0xeb, 0x9d, ++ 0xba, 0x3c, 0x2f, 0x4c, 0x1b, 0xec, 0x50, 0x82, 0x75, 0xaa, 0x02, 0x07, ++ 0xe2, 0x51, 0xb5, 0xec, 0xcb, 0x28, 0x6a, 0x4b, 0x01, 0xd4, 0x49, 0xd3, ++ 0x0a, 0xcb, 0x67, 0x37, 0x17, 0xa0, 0xd2, 0xfb, 0x3b, 0x50, 0xc8, 0x93, ++ 0xf7, 0xda, 0xb1, 0x4f ++}; ++ ++static const unsigned char dsa_test_2048_priv_key[] = { ++ 0x0c, 0x4b, 0x30, 0x89, 0xd1, 0xb8, 0x62, 0xcb, 0x3c, 0x43, 0x64, 0x91, ++ 0xf0, 0x91, 0x54, 0x70, 0xc5, 0x27, 0x96, 0xe3, 0xac, 0xbe, 0xe8, 0x00, ++ 0xec, 0x55, 0xf6, 0xcc ++}; ++ ++int FIPS_selftest_dsa() ++{ ++ DSA *dsa = NULL; ++ EVP_PKEY *pk = NULL; ++ int ret = 0; ++ BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL; ++ ++ fips_load_key_component(p, dsa_test_2048); ++ fips_load_key_component(q, dsa_test_2048); ++ fips_load_key_component(g, dsa_test_2048); ++ fips_load_key_component(pub_key, dsa_test_2048); ++ fips_load_key_component(priv_key, dsa_test_2048); ++ ++ dsa = DSA_new(); ++ ++ if (dsa == NULL) ++ goto err; ++ ++ DSA_set0_pqg(dsa, p, q, g); ++ ++ DSA_set0_key(dsa, pub_key, priv_key); ++ ++ if ((pk = EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_assign_DSA(pk, dsa); ++ ++ if (!fips_pkey_signature_test(pk, NULL, 0, ++ NULL, 0, EVP_sha256(), 0, "DSA SHA256")) ++ goto err; ++ ret = 1; ++ ++ err: ++ if (pk) ++ EVP_PKEY_free(pk); ++ else if (dsa) ++ DSA_free(dsa); ++ else { ++ BN_free(p); ++ BN_free(q); ++ BN_free(g); ++ BN_free(pub_key); ++ BN_free(priv_key); ++ } ++ return ret; ++} ++#endif +Index: openssl-1.1.1n/crypto/fips/fips_ecdh_selftest.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_ecdh_selftest.c +@@ -0,0 +1,242 @@ ++/* fips/ecdh/fips_ecdh_selftest.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project 2011. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ * ++ */ ++ ++#define OPENSSL_FIPSAPI ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++ ++# include "fips_locl.h" ++ ++static const unsigned char p256_qcavsx[] = { ++ 0x52, 0xc6, 0xa5, 0x75, 0xf3, 0x04, 0x98, 0xb3, 0x29, 0x66, 0x0c, 0x62, ++ 0x18, 0x60, 0x55, 0x41, 0x59, 0xd4, 0x60, 0x85, 0x99, 0xc1, 0x51, 0x13, ++ 0x6f, 0x97, 0x85, 0x93, 0x33, 0x34, 0x07, 0x50 ++}; ++ ++static const unsigned char p256_qcavsy[] = { ++ 0x6f, 0x69, 0x24, 0xeb, 0xe9, 0x3b, 0xa7, 0xcc, 0x47, 0x17, 0xaa, 0x3f, ++ 0x70, 0xfc, 0x10, 0x73, 0x0a, 0xcd, 0x21, 0xee, 0x29, 0x19, 0x1f, 0xaf, ++ 0xb4, 0x1c, 0x1e, 0xc2, 0x8e, 0x97, 0x81, 0x6e ++}; ++ ++static const unsigned char p256_qiutx[] = { ++ 0x71, 0x46, 0x88, 0x08, 0x92, 0x21, 0x1b, 0x10, 0x21, 0x74, 0xff, 0x0c, ++ 0x94, 0xde, 0x34, 0x7c, 0x86, 0x74, 0xbe, 0x67, 0x41, 0x68, 0xd4, 0xc1, ++ 0xe5, 0x75, 0x63, 0x9c, 0xa7, 0x46, 0x93, 0x6f ++}; ++ ++static const unsigned char p256_qiuty[] = { ++ 0x33, 0x40, 0xa9, 0x6a, 0xf5, 0x20, 0xb5, 0x9e, 0xfc, 0x60, 0x1a, 0xae, ++ 0x3d, 0xf8, 0x21, 0xd2, 0xa7, 0xca, 0x52, 0x34, 0xb9, 0x5f, 0x27, 0x75, ++ 0x6c, 0x81, 0xbe, 0x32, 0x4d, 0xba, 0xbb, 0xf8 ++}; ++ ++static const unsigned char p256_qiutd[] = { ++ 0x1a, 0x48, 0x55, 0x6b, 0x11, 0xbe, 0x92, 0xd4, 0x1c, 0xd7, 0x45, 0xc3, ++ 0x82, 0x81, 0x51, 0xf1, 0x23, 0x40, 0xb7, 0x83, 0xfd, 0x01, 0x6d, 0xbc, ++ 0xa1, 0x66, 0xaf, 0x0a, 0x03, 0x23, 0xcd, 0xc8 ++}; ++ ++static const unsigned char p256_ziut[] = { ++ 0x77, 0x2a, 0x1e, 0x37, 0xee, 0xe6, 0x51, 0x02, 0x71, 0x40, 0xf8, 0x6a, ++ 0x36, 0xf8, 0x65, 0x61, 0x2b, 0x18, 0x71, 0x82, 0x23, 0xe6, 0xf2, 0x77, ++ 0xce, 0xec, 0xb8, 0x49, 0xc7, 0xbf, 0x36, 0x4f ++}; ++ ++typedef struct { ++ int curve; ++ const unsigned char *x1; ++ size_t x1len; ++ const unsigned char *y1; ++ size_t y1len; ++ const unsigned char *d1; ++ size_t d1len; ++ const unsigned char *x2; ++ size_t x2len; ++ const unsigned char *y2; ++ size_t y2len; ++ const unsigned char *z; ++ size_t zlen; ++} ECDH_SELFTEST_DATA; ++ ++# define make_ecdh_test(nid, pr) { nid, \ ++ pr##_qiutx, sizeof(pr##_qiutx), \ ++ pr##_qiuty, sizeof(pr##_qiuty), \ ++ pr##_qiutd, sizeof(pr##_qiutd), \ ++ pr##_qcavsx, sizeof(pr##_qcavsx), \ ++ pr##_qcavsy, sizeof(pr##_qcavsy), \ ++ pr##_ziut, sizeof(pr##_ziut) } ++ ++static ECDH_SELFTEST_DATA test_ecdh_data[] = { ++ make_ecdh_test(NID_X9_62_prime256v1, p256), ++}; ++ ++int FIPS_selftest_ecdh(void) ++{ ++ EC_KEY *ec1 = NULL, *ec2 = NULL; ++ const EC_POINT *ecp = NULL; ++ BIGNUM *x = NULL, *y = NULL, *d = NULL; ++ unsigned char *ztmp = NULL; ++ int rv = 1; ++ size_t i; ++ ++ for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) { ++ ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i; ++ if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0)) ++ continue; ++ ztmp = OPENSSL_malloc(ecd->zlen); ++ ++ x = BN_bin2bn(ecd->x1, ecd->x1len, x); ++ y = BN_bin2bn(ecd->y1, ecd->y1len, y); ++ d = BN_bin2bn(ecd->d1, ecd->d1len, d); ++ ++ if (!x || !y || !d || !ztmp) { ++ rv = 0; ++ goto err; ++ } ++ ++ ec1 = EC_KEY_new_by_curve_name(ecd->curve); ++ if (!ec1) { ++ rv = 0; ++ goto err; ++ } ++ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); ++ ++ if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) { ++ rv = 0; ++ goto err; ++ } ++ ++ if (!EC_KEY_set_private_key(ec1, d)) { ++ rv = 0; ++ goto err; ++ } ++ ++ x = BN_bin2bn(ecd->x2, ecd->x2len, x); ++ y = BN_bin2bn(ecd->y2, ecd->y2len, y); ++ ++ if (!x || !y) { ++ rv = 0; ++ goto err; ++ } ++ ++ ec2 = EC_KEY_new_by_curve_name(ecd->curve); ++ if (!ec2) { ++ rv = 0; ++ goto err; ++ } ++ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); ++ ++ if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) { ++ rv = 0; ++ goto err; ++ } ++ ++ ecp = EC_KEY_get0_public_key(ec2); ++ if (!ecp) { ++ rv = 0; ++ goto err; ++ } ++ ++ if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) { ++ rv = 0; ++ goto err; ++ } ++ ++ if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL)) ++ ztmp[0] ^= 0x1; ++ ++ if (memcmp(ztmp, ecd->z, ecd->zlen)) { ++ fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0); ++ rv = 0; ++ } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0)) ++ goto err; ++ ++ EC_KEY_free(ec1); ++ ec1 = NULL; ++ EC_KEY_free(ec2); ++ ec2 = NULL; ++ OPENSSL_free(ztmp); ++ ztmp = NULL; ++ } ++ ++ err: ++ ++ if (x) ++ BN_clear_free(x); ++ if (y) ++ BN_clear_free(y); ++ if (d) ++ BN_clear_free(d); ++ if (ec1) ++ EC_KEY_free(ec1); ++ if (ec2) ++ EC_KEY_free(ec2); ++ if (ztmp) ++ OPENSSL_free(ztmp); ++ ++ return rv; ++ ++} ++ ++#endif +Index: openssl-1.1.1n/crypto/fips/fips_ecdsa_selftest.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_ecdsa_selftest.c +@@ -0,0 +1,166 @@ ++/* fips/ecdsa/fips_ecdsa_selftest.c */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project 2011. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ * ++ */ ++ ++#define OPENSSL_FIPSAPI ++ ++#include ++#include ++#include ++#include ++#include ++#include "crypto/fips_int.h" ++#include ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++ ++static const char P_256_name[] = "ECDSA P-256"; ++ ++static const unsigned char P_256_d[] = { ++ 0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f, ++ 0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87, ++ 0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x64 ++}; ++ ++static const unsigned char P_256_qx[] = { ++ 0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e, ++ 0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31, ++ 0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x07 ++}; ++ ++static const unsigned char P_256_qy[] = { ++ 0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b, ++ 0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e, ++ 0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb ++}; ++ ++typedef struct { ++ int curve; ++ const char *name; ++ const unsigned char *x; ++ size_t xlen; ++ const unsigned char *y; ++ size_t ylen; ++ const unsigned char *d; ++ size_t dlen; ++} EC_SELFTEST_DATA; ++ ++# define make_ecdsa_test(nid, pr) { nid, pr##_name, \ ++ pr##_qx, sizeof(pr##_qx), \ ++ pr##_qy, sizeof(pr##_qy), \ ++ pr##_d, sizeof(pr##_d)} ++ ++static EC_SELFTEST_DATA test_ec_data[] = { ++ make_ecdsa_test(NID_X9_62_prime256v1, P_256), ++}; ++ ++int FIPS_selftest_ecdsa() ++{ ++ EC_KEY *ec = NULL; ++ BIGNUM *x = NULL, *y = NULL, *d = NULL; ++ EVP_PKEY *pk = NULL; ++ int rv = 0; ++ size_t i; ++ ++ for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) { ++ EC_SELFTEST_DATA *ecd = test_ec_data + i; ++ ++ x = BN_bin2bn(ecd->x, ecd->xlen, x); ++ y = BN_bin2bn(ecd->y, ecd->ylen, y); ++ d = BN_bin2bn(ecd->d, ecd->dlen, d); ++ ++ if (!x || !y || !d) ++ goto err; ++ ++ ec = EC_KEY_new_by_curve_name(ecd->curve); ++ if (!ec) ++ goto err; ++ ++ if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y)) ++ goto err; ++ ++ if (!EC_KEY_set_private_key(ec, d)) ++ goto err; ++ ++ if ((pk = EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_assign_EC_KEY(pk, ec); ++ ++ if (!fips_pkey_signature_test(pk, NULL, 0, ++ NULL, 0, EVP_sha256(), 0, ecd->name)) ++ goto err; ++ } ++ ++ rv = 1; ++ ++ err: ++ ++ if (x) ++ BN_clear_free(x); ++ if (y) ++ BN_clear_free(y); ++ if (d) ++ BN_clear_free(d); ++ if (pk) ++ EVP_PKEY_free(pk); ++ else if (ec) ++ EC_KEY_free(ec); ++ ++ return rv; ++ ++} ++ ++#endif +Index: openssl-1.1.1n/crypto/fips/fips_err.h +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_err.h +@@ -0,0 +1,199 @@ ++/* crypto/fips_err.h */ ++/* ==================================================================== ++ * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ * ++ * This product includes cryptographic software written by Eric Young ++ * (eay@cryptsoft.com). This product includes software written by Tim ++ * Hudson (tjh@cryptsoft.com). ++ * ++ */ ++ ++/* ++ * NOTE: this file was auto generated by the mkerr.pl script: any changes ++ * made to it will be overwritten when the script next updates this file, ++ * only reason strings will be preserved. ++ */ ++ ++#include ++#include ++#include ++ ++/* BEGIN ERROR CODES */ ++#ifndef OPENSSL_NO_ERR ++ ++# define ERR_FUNC(func) ERR_PACK(ERR_LIB_FIPS,func,0) ++# define ERR_REASON(reason) ERR_PACK(ERR_LIB_FIPS,0,reason) ++ ++static ERR_STRING_DATA FIPS_str_functs[] = { ++ {ERR_FUNC(FIPS_F_DH_BUILTIN_GENPARAMS), "dh_builtin_genparams"}, ++ {ERR_FUNC(FIPS_F_DRBG_RESEED), "drbg_reseed"}, ++ {ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN2), "dsa_builtin_paramgen2"}, ++ {ERR_FUNC(FIPS_F_DSA_DO_SIGN), "DSA_do_sign"}, ++ {ERR_FUNC(FIPS_F_DSA_DO_VERIFY), "DSA_do_verify"}, ++ {ERR_FUNC(FIPS_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"}, ++ {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_NEW), "EVP_CIPHER_CTX_new"}, ++ {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_RESET), "EVP_CIPHER_CTX_reset"}, ++ {ERR_FUNC(FIPS_F_EVP_CIPHERINIT_EX), "EVP_CipherInit_ex"}, ++ {ERR_FUNC(FIPS_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"}, ++ {ERR_FUNC(FIPS_F_FIPS_CHECK_DSA), "fips_check_dsa"}, ++ {ERR_FUNC(FIPS_F_FIPS_CHECK_EC), "fips_check_ec"}, ++ {ERR_FUNC(FIPS_F_FIPS_CHECK_RSA), "fips_check_rsa"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_BYTES), "fips_drbg_bytes"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_CHECK), "fips_drbg_check"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_CPRNG_TEST), "fips_drbg_cprng_test"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_ERROR_CHECK), "fips_drbg_error_check"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_GENERATE), "FIPS_drbg_generate"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_INIT), "FIPS_drbg_init"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_INSTANTIATE), "FIPS_drbg_instantiate"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_NEW), "FIPS_drbg_new"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_RESEED), "FIPS_drbg_reseed"}, ++ {ERR_FUNC(FIPS_F_FIPS_DRBG_SINGLE_KAT), "FIPS_DRBG_SINGLE_KAT"}, ++ {ERR_FUNC(FIPS_F_FIPS_GET_ENTROPY), "fips_get_entropy"}, ++ {ERR_FUNC(FIPS_F_FIPS_MODULE_MODE_SET), "FIPS_module_mode_set"}, ++ {ERR_FUNC(FIPS_F_FIPS_PKEY_SIGNATURE_TEST), "fips_pkey_signature_test"}, ++ {ERR_FUNC(FIPS_F_FIPS_RAND_BYTES), "FIPS_rand_bytes"}, ++ {ERR_FUNC(FIPS_F_FIPS_RAND_SEED), "FIPS_rand_seed"}, ++ {ERR_FUNC(FIPS_F_FIPS_RAND_SET_METHOD), "FIPS_rand_set_method"}, ++ {ERR_FUNC(FIPS_F_FIPS_RAND_STATUS), "FIPS_rand_status"}, ++ {ERR_FUNC(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN), "fips_rsa_builtin_keygen"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST), "FIPS_selftest"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES), "FIPS_selftest_aes"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_CCM), "FIPS_selftest_aes_ccm"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_GCM), "FIPS_selftest_aes_gcm"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_XTS), "FIPS_selftest_aes_xts"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_CMAC), "FIPS_selftest_cmac"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES), "FIPS_selftest_des"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"}, ++ {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"}, ++ {ERR_FUNC(FIPS_F_OSSL_ECDSA_VERIFY_SIG), "ossl_ecdsa_verify_sig"}, ++ {ERR_FUNC(FIPS_F_RSA_BUILTIN_KEYGEN), "rsa_builtin_keygen"}, ++ {ERR_FUNC(FIPS_F_RSA_OSSL_INIT), "rsa_ossl_init"}, ++ {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT), "rsa_ossl_private_decrypt"}, ++ {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT), "rsa_ossl_private_encrypt"}, ++ {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT), "rsa_ossl_public_decrypt"}, ++ {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT), "rsa_ossl_public_encrypt"}, ++ {0, NULL} ++}; ++ ++static ERR_STRING_DATA FIPS_str_reasons[] = { ++ {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED), ++ "additional input error undetected"}, ++ {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_TOO_LONG), ++ "additional input too long"}, ++ {ERR_REASON(FIPS_R_ALREADY_INSTANTIATED), "already instantiated"}, ++ {ERR_REASON(FIPS_R_DRBG_NOT_INITIALISED), "drbg not initialised"}, ++ {ERR_REASON(FIPS_R_DRBG_STUCK), "drbg stuck"}, ++ {ERR_REASON(FIPS_R_ENTROPY_ERROR_UNDETECTED), "entropy error undetected"}, ++ {ERR_REASON(FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED), ++ "entropy not requested for reseed"}, ++ {ERR_REASON(FIPS_R_ENTROPY_SOURCE_STUCK), "entropy source stuck"}, ++ {ERR_REASON(FIPS_R_ERROR_INITIALISING_DRBG), "error initialising drbg"}, ++ {ERR_REASON(FIPS_R_ERROR_INSTANTIATING_DRBG), "error instantiating drbg"}, ++ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT), ++ "error retrieving additional input"}, ++ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ENTROPY), "error retrieving entropy"}, ++ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_NONCE), "error retrieving nonce"}, ++ {ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH), ++ "fingerprint does not match"}, ++ {ERR_REASON(FIPS_R_FIPS_MODE_ALREADY_SET), "fips mode already set"}, ++ {ERR_REASON(FIPS_R_FIPS_SELFTEST_FAILED), "fips selftest failed"}, ++ {ERR_REASON(FIPS_R_FUNCTION_ERROR), "function error"}, ++ {ERR_REASON(FIPS_R_GENERATE_ERROR), "generate error"}, ++ {ERR_REASON(FIPS_R_GENERATE_ERROR_UNDETECTED), ++ "generate error undetected"}, ++ {ERR_REASON(FIPS_R_INSTANTIATE_ERROR), "instantiate error"}, ++ {ERR_REASON(FIPS_R_INTERNAL_ERROR), "internal error"}, ++ {ERR_REASON(FIPS_R_INVALID_KEY_LENGTH), "invalid key length"}, ++ {ERR_REASON(FIPS_R_IN_ERROR_STATE), "in error state"}, ++ {ERR_REASON(FIPS_R_KEY_TOO_SHORT), "key too short"}, ++ {ERR_REASON(FIPS_R_NONCE_ERROR_UNDETECTED), "nonce error undetected"}, ++ {ERR_REASON(FIPS_R_NON_FIPS_METHOD), "non fips method"}, ++ {ERR_REASON(FIPS_R_NOPR_TEST1_FAILURE), "nopr test1 failure"}, ++ {ERR_REASON(FIPS_R_NOPR_TEST2_FAILURE), "nopr test2 failure"}, ++ {ERR_REASON(FIPS_R_NOT_INSTANTIATED), "not instantiated"}, ++ {ERR_REASON(FIPS_R_PAIRWISE_TEST_FAILED), "pairwise test failed"}, ++ {ERR_REASON(FIPS_R_PERSONALISATION_ERROR_UNDETECTED), ++ "personalisation error undetected"}, ++ {ERR_REASON(FIPS_R_PERSONALISATION_STRING_TOO_LONG), ++ "personalisation string too long"}, ++ {ERR_REASON(FIPS_R_PR_TEST1_FAILURE), "pr test1 failure"}, ++ {ERR_REASON(FIPS_R_PR_TEST2_FAILURE), "pr test2 failure"}, ++ {ERR_REASON(FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED), ++ "request length error undetected"}, ++ {ERR_REASON(FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG), ++ "request too large for drbg"}, ++ {ERR_REASON(FIPS_R_RESEED_COUNTER_ERROR), "reseed counter error"}, ++ {ERR_REASON(FIPS_R_RESEED_ERROR), "reseed error"}, ++ {ERR_REASON(FIPS_R_SELFTEST_FAILED), "selftest failed"}, ++ {ERR_REASON(FIPS_R_SELFTEST_FAILURE), "selftest failure"}, ++ {ERR_REASON(FIPS_R_TEST_FAILURE), "test failure"}, ++ {ERR_REASON(FIPS_R_UNINSTANTIATE_ERROR), "uninstantiate error"}, ++ {ERR_REASON(FIPS_R_UNINSTANTIATE_ZEROISE_ERROR), ++ "uninstantiate zeroise error"}, ++ {ERR_REASON(FIPS_R_UNSUPPORTED_DRBG_TYPE), "unsupported drbg type"}, ++ {ERR_REASON(FIPS_R_UNSUPPORTED_PLATFORM), "unsupported platform"}, ++ {0, NULL} ++}; ++ ++#endif ++ ++int ERR_load_FIPS_strings(void) ++{ ++#ifndef OPENSSL_NO_ERR ++ ++ if (ERR_func_error_string(FIPS_str_functs[0].error) == NULL) { ++ ERR_load_strings(0, FIPS_str_functs); ++ ERR_load_strings(0, FIPS_str_reasons); ++ } ++#endif ++ return 1; ++} +Index: openssl-1.1.1n/crypto/fips/fips_ers.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_ers.c +@@ -0,0 +1,7 @@ ++#include ++ ++#ifdef OPENSSL_FIPS ++# include "fips_err.h" ++#else ++static void *dummy = &dummy; ++#endif +Index: openssl-1.1.1n/crypto/fips/fips_hmac_selftest.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_hmac_selftest.c +@@ -0,0 +1,134 @@ ++/* ==================================================================== ++ * Copyright (c) 2005 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#ifdef OPENSSL_FIPS ++# include ++#endif ++#include ++ ++#ifdef OPENSSL_FIPS ++typedef struct { ++ const EVP_MD *(*alg) (void); ++ const char *key, *iv; ++ unsigned char kaval[EVP_MAX_MD_SIZE]; ++} HMAC_KAT; ++ ++static const HMAC_KAT vector[] = { ++ {EVP_sha1, ++ /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */ ++ "0123456789:;<=>?@ABC", ++ "Sample #2", ++ {0x09, 0x22, 0xd3, 0x40, 0x5f, 0xaa, 0x3d, 0x19, ++ 0x4f, 0x82, 0xa4, 0x58, 0x30, 0x73, 0x7d, 0x5c, ++ 0xc6, 0xc7, 0x5d, 0x24} ++ }, ++ {EVP_sha224, ++ /* just keep extending the above... */ ++ "0123456789:;<=>?@ABC", ++ "Sample #2", ++ {0xdd, 0xef, 0x0a, 0x40, 0xcb, 0x7d, 0x50, 0xfb, ++ 0x6e, 0xe6, 0xce, 0xa1, 0x20, 0xba, 0x26, 0xaa, ++ 0x08, 0xf3, 0x07, 0x75, 0x87, 0xb8, 0xad, 0x1b, ++ 0x8c, 0x8d, 0x12, 0xc7} ++ }, ++ {EVP_sha256, ++ "0123456789:;<=>?@ABC", ++ "Sample #2", ++ {0xb8, 0xf2, 0x0d, 0xb5, 0x41, 0xea, 0x43, 0x09, ++ 0xca, 0x4e, 0xa9, 0x38, 0x0c, 0xd0, 0xe8, 0x34, ++ 0xf7, 0x1f, 0xbe, 0x91, 0x74, 0xa2, 0x61, 0x38, ++ 0x0d, 0xc1, 0x7e, 0xae, 0x6a, 0x34, 0x51, 0xd9} ++ }, ++ {EVP_sha384, ++ "0123456789:;<=>?@ABC", ++ "Sample #2", ++ {0x08, 0xbc, 0xb0, 0xda, 0x49, 0x1e, 0x87, 0xad, ++ 0x9a, 0x1d, 0x6a, 0xce, 0x23, 0xc5, 0x0b, 0xf6, ++ 0xb7, 0x18, 0x06, 0xa5, 0x77, 0xcd, 0x49, 0x04, ++ 0x89, 0xf1, 0xe6, 0x23, 0x44, 0x51, 0x51, 0x9f, ++ 0x85, 0x56, 0x80, 0x79, 0x0c, 0xbd, 0x4d, 0x50, ++ 0xa4, 0x5f, 0x29, 0xe3, 0x93, 0xf0, 0xe8, 0x7f} ++ }, ++ {EVP_sha512, ++ "0123456789:;<=>?@ABC", ++ "Sample #2", ++ {0x80, 0x9d, 0x44, 0x05, 0x7c, 0x5b, 0x95, 0x41, ++ 0x05, 0xbd, 0x04, 0x13, 0x16, 0xdb, 0x0f, 0xac, ++ 0x44, 0xd5, 0xa4, 0xd5, 0xd0, 0x89, 0x2b, 0xd0, ++ 0x4e, 0x86, 0x64, 0x12, 0xc0, 0x90, 0x77, 0x68, ++ 0xf1, 0x87, 0xb7, 0x7c, 0x4f, 0xae, 0x2c, 0x2f, ++ 0x21, 0xa5, 0xb5, 0x65, 0x9a, 0x4f, 0x4b, 0xa7, ++ 0x47, 0x02, 0xa3, 0xde, 0x9b, 0x51, 0xf1, 0x45, ++ 0xbd, 0x4f, 0x25, 0x27, 0x42, 0x98, 0x99, 0x05} ++ }, ++}; ++ ++int FIPS_selftest_hmac() ++{ ++ int n; ++ unsigned int outlen; ++ unsigned char out[EVP_MAX_MD_SIZE]; ++ const EVP_MD *md; ++ const HMAC_KAT *t; ++ ++ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) { ++ md = (*t->alg) (); ++ HMAC(md, t->key, strlen(t->key), ++ (const unsigned char *)t->iv, strlen(t->iv), out, &outlen); ++ ++ if (memcmp(out, t->kaval, outlen)) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ } ++ return 1; ++} ++#endif +Index: openssl-1.1.1n/crypto/fips/fips_locl.h +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_locl.h +@@ -0,0 +1,71 @@ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#ifdef OPENSSL_FIPS ++ ++# ifdef __cplusplus ++extern "C" { ++# endif ++ ++# define FIPS_MAX_CIPHER_TEST_SIZE 32 ++# define fips_load_key_component(comp, pre) \ ++ comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), NULL); \ ++ if (!comp) \ ++ goto err ++ ++# define fips_post_started(id, subid, ex) 1 ++# define fips_post_success(id, subid, ex) 1 ++# define fips_post_failed(id, subid, ex) 1 ++# define fips_post_corrupt(id, subid, ex) 1 ++# define fips_post_status() 1 ++ ++# ifdef __cplusplus ++} ++# endif ++#endif +Index: openssl-1.1.1n/crypto/fips/fips_post.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_post.c +@@ -0,0 +1,224 @@ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#define OPENSSL_FIPSAPI ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++ ++/* Power on self test (POST) support functions */ ++ ++# include ++# include "crypto/fips_int.h" ++# include "fips_locl.h" ++ ++/* Run all selftests */ ++int FIPS_selftest(void) ++{ ++ int rv = 1; ++ if (!FIPS_selftest_drbg()) ++ rv = 0; ++ if (!FIPS_selftest_sha1()) ++ rv = 0; ++ if (!FIPS_selftest_sha2()) ++ rv = 0; ++ if (!FIPS_selftest_sha3()) ++ rv = 0; ++ if (!FIPS_selftest_hmac()) ++ rv = 0; ++ if (!FIPS_selftest_cmac()) ++ rv = 0; ++ if (!FIPS_selftest_aes()) ++ rv = 0; ++ if (!FIPS_selftest_aes_ccm()) ++ rv = 0; ++ if (!FIPS_selftest_aes_gcm()) ++ rv = 0; ++ if (!FIPS_selftest_aes_xts()) ++ rv = 0; ++ if (!FIPS_selftest_des()) ++ rv = 0; ++ if (!FIPS_selftest_rsa()) ++ rv = 0; ++ if (!FIPS_selftest_ecdsa()) ++ rv = 0; ++ if (!FIPS_selftest_dsa()) ++ rv = 0; ++ if (!FIPS_selftest_dh()) ++ rv = 0; ++ if (!FIPS_selftest_ecdh()) ++ rv = 0; ++ return rv; ++} ++ ++/* Generalized public key test routine. Signs and verifies the data ++ * supplied in tbs using mesage digest md and setting option digest ++ * flags md_flags. If the 'kat' parameter is not NULL it will ++ * additionally check the signature matches it: a known answer test ++ * The string "fail_str" is used for identification purposes in case ++ * of failure. If "pkey" is NULL just perform a message digest check. ++ */ ++ ++int fips_pkey_signature_test(EVP_PKEY *pkey, ++ const unsigned char *tbs, int tbslen, ++ const unsigned char *kat, unsigned int katlen, ++ const EVP_MD *digest, unsigned int flags, ++ const char *fail_str) ++{ ++ int ret = 0; ++ unsigned char sigtmp[256], *sig = sigtmp; ++ size_t siglen = sizeof(sigtmp); ++ EVP_MD_CTX *mctx; ++ EVP_PKEY_CTX *pctx; ++ ++ if (digest == NULL) ++ digest = EVP_sha256(); ++ ++ mctx = EVP_MD_CTX_new(); ++ ++ if ((EVP_PKEY_id(pkey) == EVP_PKEY_RSA) ++ && (RSA_size(EVP_PKEY_get0_RSA(pkey)) > sizeof(sigtmp))) { ++ sig = OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pkey))); ++ siglen = RSA_size(EVP_PKEY_get0_RSA(pkey)); ++ } ++ if (!sig || ! mctx) { ++ EVP_MD_CTX_free(mctx); ++ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, ERR_R_MALLOC_FAILURE); ++ return 0; ++ } ++ ++ if (tbslen == -1) ++ tbslen = strlen((char *)tbs); ++ ++ if (EVP_DigestSignInit(mctx, &pctx, digest, NULL, pkey) <= 0) ++ goto error; ++ ++ if (flags == EVP_MD_CTX_FLAG_PAD_PSS) { ++ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING); ++ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0); ++ } ++ ++ if (EVP_DigestSignUpdate(mctx, tbs, tbslen) <= 0) ++ goto error; ++ ++ if (EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) ++ goto error; ++ ++ if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen))) ++ goto error; ++ ++ if (EVP_DigestVerifyInit(mctx, &pctx, digest, NULL, pkey) <= 0) ++ goto error; ++ ++ if (flags == EVP_MD_CTX_FLAG_PAD_PSS) { ++ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING); ++ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0); ++ } ++ ++ if (EVP_DigestVerifyUpdate(mctx, tbs, tbslen) <= 0) ++ goto error; ++ ++ ret = EVP_DigestVerifyFinal(mctx, sig, siglen); ++ ++ error: ++ if (sig != sigtmp) ++ OPENSSL_free(sig); ++ EVP_MD_CTX_free(mctx); ++ if (ret <= 0) { ++ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, FIPS_R_TEST_FAILURE); ++ if (fail_str) ++ ERR_add_error_data(2, "Type=", fail_str); ++ return 0; ++ } ++ return 1; ++} ++ ++/* Generalized symmetric cipher test routine. Encrypt data, verify result ++ * against known answer, decrypt and compare with original plaintext. ++ */ ++ ++int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ++ const unsigned char *key, ++ const unsigned char *iv, ++ const unsigned char *plaintext, ++ const unsigned char *ciphertext, int len) ++{ ++ unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE]; ++ unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE]; ++ ++ OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE); ++ memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE); ++ memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE); ++ ++ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0) ++ return 0; ++ if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0) ++ return 0; ++ if (memcmp(citmp, ciphertext, len)) ++ return 0; ++ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0) ++ return 0; ++ if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0) ++ return 0; ++ if (memcmp(pltmp, plaintext, len)) ++ return 0; ++ return 1; ++} ++#endif +Index: openssl-1.1.1n/crypto/fips/fips_rand_lcl.h +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_rand_lcl.h +@@ -0,0 +1,203 @@ ++/* fips/rand/fips_rand_lcl.h */ ++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL ++ * project. ++ */ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * licensing@OpenSSL.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ */ ++ ++typedef struct drbg_hash_ctx_st DRBG_HASH_CTX; ++typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX; ++typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX; ++ ++/* 888 bits from 10.1 table 2 */ ++#define HASH_PRNG_MAX_SEEDLEN 111 ++ ++struct drbg_hash_ctx_st { ++ const EVP_MD *md; ++ EVP_MD_CTX *mctx; ++ unsigned char V[HASH_PRNG_MAX_SEEDLEN]; ++ unsigned char C[HASH_PRNG_MAX_SEEDLEN]; ++ /* Temporary value storage: should always exceed max digest length */ ++ unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN]; ++}; ++ ++struct drbg_hmac_ctx_st { ++ const EVP_MD *md; ++ HMAC_CTX *hctx; ++ unsigned char K[EVP_MAX_MD_SIZE]; ++ unsigned char V[EVP_MAX_MD_SIZE]; ++}; ++ ++struct drbg_ctr_ctx_st { ++ AES_KEY ks; ++ size_t keylen; ++ unsigned char K[32]; ++ unsigned char V[16]; ++ /* Temp variables used by derivation function */ ++ AES_KEY df_ks; ++ AES_KEY df_kxks; ++ /* Temporary block storage used by ctr_df */ ++ unsigned char bltmp[16]; ++ size_t bltmp_pos; ++ unsigned char KX[48]; ++}; ++ ++/* DRBG internal flags */ ++ ++/* Functions shouldn't call err library */ ++#define DRBG_FLAG_NOERR 0x1 ++/* Custom reseed checking */ ++#define DRBG_CUSTOM_RESEED 0x2 ++ ++/* DRBG status values */ ++/* not initialised */ ++#define DRBG_STATUS_UNINITIALISED 0 ++/* ok and ready to generate random bits */ ++#define DRBG_STATUS_READY 1 ++/* reseed required */ ++#define DRBG_STATUS_RESEED 2 ++/* fatal error condition */ ++#define DRBG_STATUS_ERROR 3 ++ ++/* A default maximum length: larger than any reasonable value used in pratice */ ++ ++#define DRBG_MAX_LENGTH 0x7ffffff0 ++/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes ++ * so use max digest length. ++ */ ++#define DRBG_MAX_BLOCK EVP_MAX_MD_SIZE ++ ++#define DRBG_HEALTH_INTERVAL (1 << 24) ++ ++/* DRBG context structure */ ++ ++struct drbg_ctx_st { ++ /* First types common to all implementations */ ++ /* DRBG type: a NID for the underlying algorithm */ ++ int type; ++ /* Various external flags */ ++ unsigned int xflags; ++ /* Various internal use only flags */ ++ unsigned int iflags; ++ /* Used for periodic health checks */ ++ int health_check_cnt, health_check_interval; ++ ++ /* The following parameters are setup by mechanism drbg_init() call */ ++ int strength; ++ size_t blocklength; ++ size_t max_request; ++ ++ size_t min_entropy, max_entropy; ++ size_t min_nonce, max_nonce; ++ size_t max_pers, max_adin; ++ unsigned int reseed_counter; ++ unsigned int reseed_interval; ++ size_t seedlen; ++ int status; ++ /* Application data: typically used by test get_entropy */ ++ void *app_data; ++ /* Implementation specific structures */ ++ union { ++ DRBG_HASH_CTX hash; ++ DRBG_HMAC_CTX hmac; ++ DRBG_CTR_CTX ctr; ++ } d; ++ /* Initialiase PRNG and setup callbacks below */ ++ int (*init) (DRBG_CTX *ctx, int nid, int security, unsigned int flags); ++ /* Intantiate PRNG */ ++ int (*instantiate) (DRBG_CTX *ctx, ++ const unsigned char *ent, size_t entlen, ++ const unsigned char *nonce, size_t noncelen, ++ const unsigned char *pers, size_t perslen); ++ /* reseed */ ++ int (*reseed) (DRBG_CTX *ctx, ++ const unsigned char *ent, size_t entlen, ++ const unsigned char *adin, size_t adinlen); ++ /* generat output */ ++ int (*generate) (DRBG_CTX *ctx, ++ unsigned char *out, size_t outlen, ++ const unsigned char *adin, size_t adinlen); ++ /* uninstantiate */ ++ int (*uninstantiate) (DRBG_CTX *ctx); ++ ++ /* Entropy source block length */ ++ size_t entropy_blocklen; ++ ++ /* entropy gathering function */ ++ size_t (*get_entropy) (DRBG_CTX *ctx, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len); ++ /* Indicates we have finished with entropy buffer */ ++ void (*cleanup_entropy) (DRBG_CTX *ctx, unsigned char *out, size_t olen); ++ ++ /* nonce gathering function */ ++ size_t (*get_nonce) (DRBG_CTX *ctx, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len); ++ /* Indicates we have finished with nonce buffer */ ++ void (*cleanup_nonce) (DRBG_CTX *ctx, unsigned char *out, size_t olen); ++ ++ /* Callbacks used when called through RAND interface */ ++ /* Get any additional input for generate */ ++ size_t (*get_adin) (DRBG_CTX *ctx, unsigned char **pout); ++ void (*cleanup_adin) (DRBG_CTX *ctx, unsigned char *out, size_t olen); ++ /* Callback for RAND_seed(), RAND_add() */ ++ int (*rand_seed_cb) (DRBG_CTX *ctx, const void *buf, int num); ++ int (*rand_add_cb) (DRBG_CTX *ctx, ++ const void *buf, int num, double entropy); ++}; ++ ++int fips_drbg_ctr_init(DRBG_CTX *dctx); ++int fips_drbg_hash_init(DRBG_CTX *dctx); ++int fips_drbg_hmac_init(DRBG_CTX *dctx); ++int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags); ++int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out); ++ ++#define FIPS_digestinit EVP_DigestInit ++#define FIPS_digestupdate EVP_DigestUpdate ++#define FIPS_digestfinal EVP_DigestFinal ++#define M_EVP_MD_size EVP_MD_size +Index: openssl-1.1.1n/crypto/fips/fips_rand_lib.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_rand_lib.c +@@ -0,0 +1,234 @@ ++/* ==================================================================== ++ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't ++ be defined and gettimeofday() won't be declared with strict compilers ++ like DEC C in ANSI C mode. */ ++#ifndef _XOPEN_SOURCE_EXTENDED ++# define _XOPEN_SOURCE_EXTENDED 1 ++#endif ++ ++#include ++#include ++#include ++#include ++#include "crypto/fips_int.h" ++#include ++#include "e_os.h" ++ ++#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS)) ++# include ++#endif ++#if defined(OPENSSL_SYS_VXWORKS) ++# include ++#endif ++#ifndef OPENSSL_SYS_WIN32 ++# ifdef OPENSSL_UNISTD ++# include OPENSSL_UNISTD ++# else ++# include ++# endif ++#endif ++ ++/* FIPS API for PRNG use. Similar to RAND functionality but without ++ * ENGINE and additional checking for non-FIPS rand methods. ++ */ ++ ++static const RAND_METHOD *fips_rand_meth = NULL; ++static int fips_approved_rand_meth = 0; ++static int fips_rand_bits = 0; ++ ++/* Allows application to override number of bits and uses non-FIPS methods */ ++void FIPS_rand_set_bits(int nbits) ++{ ++ fips_rand_bits = nbits; ++} ++ ++int FIPS_rand_set_method(const RAND_METHOD *meth) ++{ ++ if (!fips_rand_bits) { ++ if (meth == FIPS_drbg_method()) ++ fips_approved_rand_meth = 1; ++ else { ++ fips_approved_rand_meth = 0; ++ if (FIPS_module_mode()) { ++ FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD); ++ return 0; ++ } ++ } ++ } ++ fips_rand_meth = meth; ++ return 1; ++} ++ ++const RAND_METHOD *FIPS_rand_get_method(void) ++{ ++ return fips_rand_meth; ++} ++ ++void FIPS_rand_reset(void) ++{ ++ if (fips_rand_meth && fips_rand_meth->cleanup) ++ fips_rand_meth->cleanup(); ++} ++ ++int FIPS_rand_seed(const void *buf, int num) ++{ ++ if (!fips_approved_rand_meth && FIPS_module_mode()) { ++ FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD); ++ return 0; ++ } ++ if (fips_rand_meth && fips_rand_meth->seed) ++ fips_rand_meth->seed(buf, num); ++ return 1; ++} ++ ++int FIPS_rand_bytes(unsigned char *buf, int num) ++{ ++ if (!fips_approved_rand_meth && FIPS_module_mode()) { ++ FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD); ++ return 0; ++ } ++ if (fips_rand_meth && fips_rand_meth->bytes) ++ return fips_rand_meth->bytes(buf, num); ++ return 0; ++} ++ ++int FIPS_rand_status(void) ++{ ++ if (!fips_approved_rand_meth && FIPS_module_mode()) { ++ FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD); ++ return 0; ++ } ++ if (fips_rand_meth && fips_rand_meth->status) ++ return fips_rand_meth->status(); ++ return 0; ++} ++ ++/* Return instantiated strength of PRNG. For DRBG this is an internal ++ * parameter. Any other type of PRNG is not approved and returns 0 in ++ * FIPS mode and maximum 256 outside FIPS mode. ++ */ ++ ++int FIPS_rand_strength(void) ++{ ++ if (fips_rand_bits) ++ return fips_rand_bits; ++ if (fips_approved_rand_meth == 1) ++ return FIPS_drbg_get_strength(FIPS_get_default_drbg()); ++ else if (fips_approved_rand_meth == 0) { ++ if (FIPS_module_mode()) ++ return 0; ++ else ++ return 256; ++ } ++ return 0; ++} ++ ++void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr) ++{ ++# ifdef OPENSSL_SYS_WIN32 ++ FILETIME ft; ++# elif defined(OPENSSL_SYS_VXWORKS) ++ struct timespec ts; ++# else ++ struct timeval tv; ++# endif ++ ++# ifndef GETPID_IS_MEANINGLESS ++ unsigned long pid; ++# endif ++ ++# ifdef OPENSSL_SYS_WIN32 ++ GetSystemTimeAsFileTime(&ft); ++ buf[0] = (unsigned char)(ft.dwHighDateTime & 0xff); ++ buf[1] = (unsigned char)((ft.dwHighDateTime >> 8) & 0xff); ++ buf[2] = (unsigned char)((ft.dwHighDateTime >> 16) & 0xff); ++ buf[3] = (unsigned char)((ft.dwHighDateTime >> 24) & 0xff); ++ buf[4] = (unsigned char)(ft.dwLowDateTime & 0xff); ++ buf[5] = (unsigned char)((ft.dwLowDateTime >> 8) & 0xff); ++ buf[6] = (unsigned char)((ft.dwLowDateTime >> 16) & 0xff); ++ buf[7] = (unsigned char)((ft.dwLowDateTime >> 24) & 0xff); ++# elif defined(OPENSSL_SYS_VXWORKS) ++ clock_gettime(CLOCK_REALTIME, &ts); ++ buf[0] = (unsigned char)(ts.tv_sec & 0xff); ++ buf[1] = (unsigned char)((ts.tv_sec >> 8) & 0xff); ++ buf[2] = (unsigned char)((ts.tv_sec >> 16) & 0xff); ++ buf[3] = (unsigned char)((ts.tv_sec >> 24) & 0xff); ++ buf[4] = (unsigned char)(ts.tv_nsec & 0xff); ++ buf[5] = (unsigned char)((ts.tv_nsec >> 8) & 0xff); ++ buf[6] = (unsigned char)((ts.tv_nsec >> 16) & 0xff); ++ buf[7] = (unsigned char)((ts.tv_nsec >> 24) & 0xff); ++# else ++ gettimeofday(&tv, NULL); ++ buf[0] = (unsigned char)(tv.tv_sec & 0xff); ++ buf[1] = (unsigned char)((tv.tv_sec >> 8) & 0xff); ++ buf[2] = (unsigned char)((tv.tv_sec >> 16) & 0xff); ++ buf[3] = (unsigned char)((tv.tv_sec >> 24) & 0xff); ++ buf[4] = (unsigned char)(tv.tv_usec & 0xff); ++ buf[5] = (unsigned char)((tv.tv_usec >> 8) & 0xff); ++ buf[6] = (unsigned char)((tv.tv_usec >> 16) & 0xff); ++ buf[7] = (unsigned char)((tv.tv_usec >> 24) & 0xff); ++# endif ++ buf[8] = (unsigned char)(*pctr & 0xff); ++ buf[9] = (unsigned char)((*pctr >> 8) & 0xff); ++ buf[10] = (unsigned char)((*pctr >> 16) & 0xff); ++ buf[11] = (unsigned char)((*pctr >> 24) & 0xff); ++ ++ (*pctr)++; ++ ++# ifndef GETPID_IS_MEANINGLESS ++ pid = (unsigned long)getpid(); ++ buf[12] = (unsigned char)(pid & 0xff); ++ buf[13] = (unsigned char)((pid >> 8) & 0xff); ++ buf[14] = (unsigned char)((pid >> 16) & 0xff); ++ buf[15] = (unsigned char)((pid >> 24) & 0xff); ++# endif ++} ++ +Index: openssl-1.1.1n/crypto/fips/fips_rsa_selftest.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_rsa_selftest.c +@@ -0,0 +1,338 @@ ++/* ==================================================================== ++ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#ifdef OPENSSL_FIPS ++# include ++# include "crypto/fips_int.h" ++#endif ++#include ++#include ++#include ++#include ++#include "fips_locl.h" ++ ++#ifdef OPENSSL_FIPS ++ ++static int setrsakey(RSA *key) ++{ ++ static const unsigned char keydata_n[] = { ++ 0x00, 0xc9, 0xd5, 0x6d, 0x9d, 0x90, 0xdb, 0x43, 0xd6, 0x02, 0xed, 0x96, 0x88, 0x13, 0x8a, ++ 0xb2, 0xbf, 0x6e, 0xa1, 0x06, 0x10, 0xb2, 0x78, 0x37, 0xa7, 0x14, 0xa8, 0xff, 0xdd, 0x00, ++ 0xdd, 0xb4, 0x93, 0xa0, 0x45, 0xcc, 0x96, 0x90, 0xed, 0xad, 0xa9, 0xdd, 0xc4, 0xd6, 0xca, ++ 0x0c, 0xf0, 0xed, 0x4f, 0x72, 0x5e, 0x21, 0x49, 0x9a, 0x18, 0x12, 0x15, 0x8f, 0x90, 0x5a, ++ 0xdb, 0xb6, 0x33, 0x99, 0xa3, 0xe6, 0xb4, 0xf0, 0xc4, 0x97, 0x21, 0x26, 0xbb, 0xe3, 0xba, ++ 0xf2, 0xff, 0xa0, 0x72, 0xda, 0x89, 0x63, 0x8e, 0x8b, 0x3e, 0x08, 0x9d, 0x92, 0x2a, 0xbe, ++ 0x16, 0xe1, 0x43, 0x15, 0xfc, 0x57, 0xc7, 0x1f, 0x09, 0x11, 0x67, 0x1c, 0xa9, 0x96, 0xd1, ++ 0x8b, 0x3e, 0x80, 0x93, 0xc1, 0x59, 0xd0, 0x6d, 0x39, 0xf2, 0xac, 0x95, 0xcc, 0x10, 0x75, ++ 0xe9, 0x31, 0x24, 0xd1, 0x43, 0xaf, 0x68, 0x52, 0x4b, 0xe7, 0x16, 0xd7, 0x49, 0x65, 0x6f, ++ 0x26, 0xc0, 0x86, 0xad, 0xc0, 0x07, 0x0a, 0xc1, 0xe1, 0x2f, 0x87, 0x85, 0x86, 0x3b, 0xdc, ++ 0x5a, 0x99, 0xbe, 0xe9, 0xf9, 0xb9, 0xe9, 0x82, 0x27, 0x51, 0x04, 0x15, 0xab, 0x06, 0x0e, ++ 0x76, 0x5a, 0x28, 0x8d, 0x92, 0xbd, 0xc5, 0xb5, 0x7b, 0xa8, 0xdf, 0x4e, 0x47, 0xa2, 0xc1, ++ 0xe7, 0x52, 0xbf, 0x47, 0xf7, 0x62, 0xe0, 0x3a, 0x6f, 0x4d, 0x6a, 0x4d, 0x4e, 0xd4, 0xb9, ++ 0x59, 0x69, 0xfa, 0xb2, 0x14, 0xc1, 0xee, 0xe6, 0x2f, 0x95, 0xcd, 0x94, 0x72, 0xae, 0xe4, ++ 0xdb, 0x18, 0x9a, 0xc4, 0xcd, 0x70, 0xbd, 0xee, 0x31, 0x16, 0xb7, 0x49, 0x65, 0xac, 0x40, ++ 0x19, 0x0e, 0xb5, 0x6d, 0x83, 0xf1, 0x36, 0xbb, 0x08, 0x2f, 0x2e, 0x4e, 0x92, 0x62, 0xa4, ++ 0xff, 0x50, 0xdb, 0x20, 0x45, 0xa2, 0xeb, 0x16, 0x7a, 0xf2, 0xd5, 0x28, 0xc1, 0xfd, 0x4e, ++ 0x03, 0x71 ++ }; ++ ++ static const unsigned char keydata_e[] = { 0x01, 0x00, 0x01 }; ++ ++ static const unsigned char keydata_d[] = { ++ 0x36, 0x27, 0x3d, 0xb1, 0xf9, 0x1b, 0xdb, 0xa7, 0xa0, 0x41, 0x7f, 0x12, 0x23, 0xac, 0x23, ++ 0x29, 0x99, 0xd5, 0x3a, 0x7b, 0x60, 0x67, 0x41, 0x07, 0x63, 0x53, 0xb4, 0xd2, 0xe7, 0x58, ++ 0x95, 0x0a, 0xc7, 0x05, 0xf3, 0x4e, 0xb2, 0xb4, 0x12, 0xd4, 0x70, 0xdc, 0x4f, 0x85, 0x06, ++ 0xd3, 0xdd, 0xd8, 0x63, 0x27, 0x3e, 0x67, 0x31, 0x21, 0x24, 0x39, 0x04, 0xbc, 0x06, 0xa4, ++ 0xcc, 0xce, 0x2b, 0x7a, 0xfe, 0x7b, 0xad, 0xde, 0x11, 0x6e, 0xa3, 0xa5, 0xe6, 0x04, 0x53, ++ 0x0e, 0xa3, 0x4e, 0x2d, 0xb4, 0x8f, 0x31, 0xbf, 0xca, 0x75, 0x25, 0x52, 0x02, 0x85, 0xde, ++ 0x3d, 0xb2, 0x72, 0x43, 0xb2, 0x89, 0x8a, 0x9a, 0x34, 0x41, 0x26, 0x3f, 0x9a, 0x67, 0xbe, ++ 0xa4, 0x96, 0x7b, 0x0e, 0x75, 0xba, 0xa6, 0x93, 0xd5, 0xb8, 0xd8, 0xb8, 0x57, 0xf2, 0x4b, ++ 0x0f, 0x14, 0x81, 0xd1, 0x57, 0x4e, 0xf6, 0x45, 0x4c, 0xa6, 0x3b, 0xd0, 0x70, 0xca, 0xd3, ++ 0x9d, 0x55, 0xde, 0x22, 0x05, 0xe7, 0x8e, 0x28, 0x4d, 0xee, 0x11, 0xcf, 0xb6, 0x67, 0x76, ++ 0x09, 0xd3, 0xe3, 0x3c, 0x13, 0xf9, 0x99, 0x34, 0x10, 0x7b, 0xec, 0x81, 0x38, 0xf0, 0xb6, ++ 0x34, 0x9c, 0x9b, 0x50, 0x6f, 0x0b, 0x91, 0x81, 0x4d, 0x89, 0x94, 0x04, 0x7b, 0xf0, 0x3c, ++ 0xf4, 0xb1, 0xb2, 0x00, 0x48, 0x8d, 0x5a, 0x8f, 0x88, 0x9e, 0xc5, 0xab, 0x3a, 0x9e, 0x44, ++ 0x3f, 0x54, 0xe7, 0xd9, 0x6e, 0x47, 0xaa, 0xa1, 0xbd, 0x40, 0x46, 0x31, 0xf9, 0xf0, 0x34, ++ 0xb6, 0x04, 0xe1, 0x2b, 0x5b, 0x73, 0x86, 0xdd, 0x3a, 0x92, 0x1b, 0x71, 0xc7, 0x3f, 0x32, ++ 0xe5, 0xc3, 0xc2, 0xab, 0xa1, 0x7e, 0xbf, 0xa4, 0x52, 0xa0, 0xb0, 0x68, 0x90, 0xd1, 0x20, ++ 0x12, 0x79, 0xe9, 0xd7, 0xc9, 0x40, 0xba, 0xf2, 0x19, 0xc7, 0xa5, 0x00, 0x92, 0x86, 0x0d, ++ 0x01 ++ }; ++ ++ static const unsigned char keydata_p[] = { ++ 0x00, 0xfc, 0x5c, 0x6e, 0x16, 0xce, 0x1f, 0x03, 0x7b, 0xcd, 0xf7, 0xb3, 0x72, 0xb2, 0x8f, ++ 0x16, 0x72, 0xb8, 0x56, 0xae, 0xf7, 0xcd, 0x67, 0xd8, 0x4e, 0x7d, 0x07, 0xaf, 0xd5, 0x43, ++ 0x26, 0xc3, 0x35, 0xbe, 0x43, 0x8f, 0x4e, 0x2f, 0x1c, 0x43, 0x4e, 0x6b, 0xd2, 0xb2, 0xec, ++ 0x52, 0x6d, 0x97, 0x52, 0x2b, 0xcc, 0x5c, 0x3a, 0x6b, 0xf4, 0x14, 0xc6, 0x74, 0xda, 0x66, ++ 0x38, 0x1c, 0x7a, 0x3f, 0x84, 0x2f, 0xe3, 0xf9, 0x5a, 0xb8, 0x65, 0x69, 0x46, 0x06, 0xa3, ++ 0x37, 0x79, 0xb2, 0xa1, 0x5b, 0x58, 0xed, 0x5e, 0xa7, 0x5f, 0x8c, 0x65, 0x66, 0xbb, 0xd1, ++ 0x24, 0x36, 0xe6, 0x37, 0xa7, 0x3d, 0x49, 0x77, 0x8a, 0x8c, 0x34, 0xd8, 0x69, 0x29, 0xf3, ++ 0x4d, 0x58, 0x22, 0xb0, 0x51, 0x24, 0xb6, 0x40, 0xa8, 0x86, 0x59, 0x0a, 0xb7, 0xba, 0x5c, ++ 0x97, 0xda, 0x57, 0xe8, 0x36, 0xda, 0x7a, 0x9c, 0xad ++ }; ++ ++ static const unsigned char keydata_q[] = { ++ 0x00, 0xcc, 0xbe, 0x7b, 0x09, 0x69, 0x06, 0xee, 0x45, 0xbf, 0x88, 0x47, 0x38, 0xa8, 0xf8, ++ 0x17, 0xe5, 0xb6, 0xba, 0x67, 0x55, 0xe3, 0xe8, 0x05, 0x8b, 0xb8, 0xe2, 0x53, 0xd6, 0x8e, ++ 0xef, 0x2c, 0xe7, 0x4f, 0x4a, 0xf7, 0x4e, 0x26, 0x8d, 0x85, 0x0b, 0x3f, 0xec, 0xc3, 0x1c, ++ 0xd4, 0xeb, 0xec, 0x6a, 0xc8, 0x72, 0x2a, 0x25, 0x7d, 0xfd, 0xa6, 0x77, 0x96, 0xf0, 0x1e, ++ 0xcd, 0x28, 0x57, 0xf8, 0x37, 0x30, 0x75, 0x6b, 0xbd, 0xd4, 0x7b, 0x0c, 0x87, 0xc5, 0x6c, ++ 0x87, 0x40, 0xa5, 0xbb, 0x27, 0x2c, 0x78, 0xc9, 0x74, 0x5a, 0x54, 0x5b, 0x0b, 0x30, 0x6f, ++ 0x44, 0x4a, 0xfa, 0x71, 0xe4, 0x21, 0x61, 0x66, 0xf9, 0xee, 0x65, 0xde, 0x7c, 0x04, 0xd7, ++ 0xfd, 0xa9, 0x15, 0x5b, 0x7f, 0xe2, 0x7a, 0xba, 0x69, 0x86, 0x72, 0xa6, 0x06, 0x8d, 0x9b, ++ 0x90, 0x55, 0x60, 0x9e, 0x4c, 0x5d, 0xa9, 0xb6, 0x55 ++ }; ++ ++ static const unsigned char keydata_dmp1[] = { ++ 0x7a, 0xd6, 0x12, 0xd0, 0x0e, 0xec, 0x91, 0xa9, 0x85, 0x8b, 0xf8, 0x50, 0xf0, 0x11, 0x2e, ++ 0x00, 0x11, 0x32, 0x40, 0x60, 0x66, 0x1f, 0x11, 0xee, 0xc2, 0x75, 0x27, 0x65, 0x4b, 0x16, ++ 0x67, 0x16, 0x95, 0xd2, 0x14, 0xc3, 0x1d, 0xb3, 0x48, 0x1f, 0xb7, 0xe4, 0x0b, 0x2b, 0x74, ++ 0xc3, 0xdb, 0x50, 0x27, 0xf9, 0x85, 0x3a, 0xfa, 0xa9, 0x08, 0x23, 0xc1, 0x65, 0x3d, 0x34, ++ 0x3a, 0xc8, 0x56, 0x7a, 0x65, 0x45, 0x36, 0x6e, 0xae, 0x2a, 0xce, 0x9f, 0x43, 0x43, 0xd7, ++ 0x10, 0xe9, 0x9e, 0x18, 0xf4, 0xa4, 0x35, 0xda, 0x8a, 0x6b, 0xb0, 0x3f, 0xdd, 0x53, 0xe3, ++ 0xa8, 0xc5, 0x4e, 0x79, 0x9d, 0x1f, 0x51, 0x8c, 0xa2, 0xca, 0x66, 0x3c, 0x6a, 0x2a, 0xff, ++ 0x8e, 0xd2, 0xf3, 0xb7, 0xcb, 0x82, 0xda, 0xde, 0x2c, 0xe6, 0xd2, 0x8c, 0xb3, 0xad, 0xb6, ++ 0x4c, 0x95, 0x55, 0x76, 0xbd, 0xc9, 0xc8, 0xd1 ++ }; ++ ++ static const unsigned char keydata_dmq1[] = { ++ 0x00, 0x83, 0x23, 0x1d, 0xbb, 0x11, 0x42, 0x17, 0x2b, 0x25, 0x5a, 0x2c, 0x03, 0xe6, 0x75, ++ 0xc1, 0x18, 0xa8, 0xc9, 0x0b, 0x96, 0xbf, 0xba, 0xc4, 0x92, 0x91, 0x80, 0xa5, 0x22, 0x2f, ++ 0xba, 0x91, 0x90, 0x36, 0x01, 0x56, 0x15, 0x00, 0x2c, 0x74, 0xa2, 0x97, 0xf7, 0x15, 0xa1, ++ 0x49, 0xdf, 0x32, 0x35, 0xd2, 0xdd, 0x0c, 0x91, 0xa6, 0xf8, 0xe7, 0xbe, 0x81, 0x36, 0x9b, ++ 0x03, 0xdc, 0x6b, 0x3b, 0xd8, 0x5d, 0x79, 0x57, 0xe0, 0xe6, 0x4f, 0x49, 0xdf, 0x4c, 0x5c, ++ 0x0e, 0xe5, 0x21, 0x41, 0x95, 0xfd, 0xad, 0xff, 0x9a, 0x3e, 0xa0, 0xf9, 0x0f, 0x59, 0x9e, ++ 0x6a, 0xa7, 0x7b, 0x71, 0xa7, 0x24, 0x9a, 0x36, 0x52, 0xae, 0x97, 0x20, 0xc1, 0x5e, 0x78, ++ 0xd9, 0x47, 0x8b, 0x1e, 0x67, 0xf2, 0xaf, 0x98, 0xe6, 0x2d, 0xef, 0x10, 0xd7, 0xf1, 0xab, ++ 0x49, 0xee, 0xe5, 0x4b, 0x7e, 0xae, 0x1f, 0x1d, 0x61 ++ }; ++ ++ static const unsigned char keydata_iqmp[] = { ++ 0x23, 0x96, 0xc1, 0x91, 0x17, 0x5e, 0x0a, 0x83, 0xd2, 0xdc, 0x7b, 0x69, 0xb2, 0x59, 0x1d, ++ 0x33, 0x58, 0x52, 0x3f, 0x18, 0xc7, 0x09, 0x50, 0x1c, 0xb9, 0xa1, 0xbb, 0x4c, 0xa2, 0x38, ++ 0x40, 0x4c, 0x9a, 0x8e, 0xfe, 0x9c, 0x90, 0x92, 0xd0, 0x71, 0x9f, 0x89, 0x99, 0x50, 0x91, ++ 0x1f, 0x34, 0x8b, 0x74, 0x53, 0x11, 0x11, 0x4a, 0x70, 0xe2, 0xf7, 0x30, 0xd8, 0x8c, 0x80, ++ 0xe1, 0xcc, 0x9f, 0xf1, 0x63, 0x17, 0x1a, 0x7d, 0x67, 0x29, 0x4c, 0xcb, 0x4e, 0x74, 0x7b, ++ 0xe0, 0x3e, 0x9e, 0x2f, 0xf4, 0x67, 0x8f, 0xec, 0xb9, 0x5c, 0x00, 0x1e, 0x7e, 0xa2, 0x7b, ++ 0x92, 0xc9, 0x6f, 0x4c, 0xe4, 0x0e, 0xf9, 0x48, 0x63, 0xcd, 0x50, 0x22, 0x5d, 0xbf, 0xb6, ++ 0x9d, 0x01, 0x33, 0x6a, 0xf4, 0x50, 0xbe, 0x86, 0x98, 0x4f, 0xca, 0x3f, 0x3a, 0xfa, 0xcf, ++ 0x07, 0x40, 0xc4, 0xaa, 0xad, 0xae, 0xbe, 0xbf ++ }; ++ ++ int rv = 0; ++ BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL, *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; ++ ++ fips_load_key_component(n, keydata); ++ fips_load_key_component(e, keydata); ++ fips_load_key_component(d, keydata); ++ fips_load_key_component(p, keydata); ++ fips_load_key_component(q, keydata); ++ fips_load_key_component(dmp1, keydata); ++ fips_load_key_component(dmq1, keydata); ++ fips_load_key_component(iqmp, keydata); ++ ++ RSA_set0_key(key, n, e, d); ++ RSA_set0_factors(key, p, q); ++ RSA_set0_crt_params(key, dmp1, dmq1, iqmp); ++ ++ rv = 1; ++err: ++ if (!rv) { ++ BN_free(n); ++ BN_free(e); ++ BN_free(d); ++ BN_free(p); ++ BN_free(q); ++ BN_free(dmp1); ++ BN_free(dmq1); ++ BN_free(iqmp); ++ } ++ return rv; ++} ++ ++/* Known Answer Test (KAT) data for the above RSA private key signing ++ * kat_tbs. ++ */ ++ ++static const unsigned char kat_tbs[] = ++ "OpenSSL FIPS 140-2 Public Key RSA KAT"; ++ ++static const unsigned char kat_RSA_PSS_SHA256[] = { ++ 0x38, 0xDA, 0x99, 0x51, 0x26, 0x38, 0xC6, 0x7F, 0xC4, 0x81, 0x57, 0x19, ++ 0x35, 0xC6, 0xF6, 0x1E, 0x90, 0x47, 0x20, 0x55, 0x47, 0x56, 0x26, 0xE9, ++ 0xF2, 0xA8, 0x39, 0x6C, 0xD5, 0xCD, 0xCB, 0x55, 0xFC, 0x0C, 0xC5, 0xCB, ++ 0xF7, 0x40, 0x17, 0x3B, 0xCF, 0xE4, 0x05, 0x03, 0x3B, 0xA0, 0xB2, 0xC9, ++ 0x0D, 0x5E, 0x48, 0x3A, 0xE9, 0xAD, 0x28, 0x71, 0x7D, 0x8F, 0x89, 0x16, ++ 0x59, 0x93, 0x35, 0xDC, 0x4D, 0x7B, 0xDF, 0x84, 0xE4, 0x68, 0xAA, 0x33, ++ 0xAA, 0xDC, 0x66, 0x50, 0xC8, 0xA9, 0x32, 0x12, 0xDC, 0xC6, 0x90, 0x49, ++ 0x0B, 0x75, 0xFF, 0x9B, 0x95, 0x00, 0x9A, 0x90, 0xE0, 0xD4, 0x0E, 0x67, ++ 0xAB, 0x3C, 0x47, 0x36, 0xC5, 0x2E, 0x1C, 0x46, 0xF0, 0x2D, 0xD3, 0x8B, ++ 0x42, 0x08, 0xDE, 0x0D, 0xB6, 0x2C, 0x86, 0xB0, 0x35, 0x71, 0x18, 0x6B, ++ 0x89, 0x67, 0xC0, 0x05, 0xAD, 0xF4, 0x1D, 0x62, 0x4E, 0x75, 0xEC, 0xD6, ++ 0xC2, 0xDB, 0x07, 0xB0, 0xB6, 0x8D, 0x15, 0xAD, 0xCD, 0xBF, 0xF5, 0x60, ++ 0x76, 0xAE, 0x48, 0xB8, 0x77, 0x7F, 0xC5, 0x01, 0xD9, 0x29, 0xBB, 0xD6, ++ 0x17, 0xA2, 0x20, 0x5A, 0xC0, 0x4A, 0x3B, 0x34, 0xC8, 0xB9, 0x39, 0xCF, ++ 0x06, 0x89, 0x95, 0x6F, 0xC7, 0xCA, 0xC4, 0xE4, 0x43, 0xDF, 0x5A, 0x23, ++ 0xE2, 0x89, 0xA3, 0x38, 0x78, 0x31, 0x38, 0xC6, 0xA4, 0x6F, 0x5F, 0x73, ++ 0x5A, 0xE5, 0x9E, 0x09, 0xE7, 0x6F, 0xD4, 0xF8, 0x3E, 0xB7, 0xB0, 0x56, ++ 0x9A, 0xF3, 0x65, 0xF0, 0xC2, 0xA6, 0x8A, 0x08, 0xBA, 0x44, 0xAC, 0x97, ++ 0xDE, 0xB4, 0x16, 0x83, 0xDF, 0xE3, 0xEE, 0x71, 0xFA, 0xF9, 0x51, 0x50, ++ 0x14, 0xDC, 0xFD, 0x6A, 0x82, 0x20, 0x68, 0x64, 0x7D, 0x4E, 0x82, 0x68, ++ 0xD7, 0x45, 0xFA, 0x6A, 0xE4, 0xE5, 0x29, 0x3A, 0x70, 0xFB, 0xE4, 0x62, ++ 0x2B, 0x31, 0xB9, 0x7D ++}; ++ ++static const unsigned char kat_RSA_SHA256[] = { ++ 0xC2, 0xB1, 0x97, 0x00, 0x9A, 0xE5, 0x80, 0x6A, 0xE2, 0x51, 0x68, 0xB9, ++ 0x7A, 0x0C, 0xF2, 0xB4, 0x77, 0xED, 0x15, 0x0C, 0x4E, 0xE1, 0xDC, 0xFF, ++ 0x8E, 0xBC, 0xDE, 0xC7, 0x9A, 0x96, 0xF1, 0x47, 0x45, 0x24, 0x9D, 0x6F, ++ 0xA6, 0xF3, 0x1D, 0x0D, 0x35, 0x4C, 0x1A, 0xF3, 0x58, 0x2C, 0x6C, 0x06, ++ 0xD6, 0x22, 0x37, 0x77, 0x8C, 0x33, 0xE5, 0x07, 0x53, 0x93, 0x28, 0xCF, ++ 0x67, 0xFA, 0xC4, 0x1F, 0x1B, 0x24, 0xDB, 0x4C, 0xC5, 0x2A, 0x51, 0xA2, ++ 0x60, 0x15, 0x8C, 0x54, 0xB4, 0x30, 0xE2, 0x24, 0x47, 0x86, 0xF2, 0xF8, ++ 0x6C, 0xD6, 0x12, 0x59, 0x2C, 0x74, 0x9A, 0x37, 0xF3, 0xC4, 0xA2, 0xD5, ++ 0x4E, 0x1F, 0x77, 0xF0, 0x27, 0xCE, 0x77, 0xF8, 0x4A, 0x79, 0x03, 0xBE, ++ 0xC8, 0x06, 0x2D, 0xA7, 0xA6, 0x46, 0xF5, 0x55, 0x79, 0xD7, 0x5C, 0xC6, ++ 0x5B, 0xB1, 0x00, 0x4E, 0x7C, 0xD9, 0x11, 0x85, 0xE0, 0xB1, 0x4D, 0x2D, ++ 0x13, 0xD7, 0xAC, 0xEA, 0x64, 0xD1, 0xAC, 0x8F, 0x8D, 0x8F, 0xEA, 0x42, ++ 0x7F, 0xF9, 0xB7, 0x7D, 0x2C, 0x68, 0x49, 0x07, 0x7A, 0x74, 0xEF, 0xB4, ++ 0xC9, 0x97, 0x16, 0x5C, 0x6C, 0x6E, 0x5C, 0x09, 0x2E, 0x8E, 0x13, 0x2E, ++ 0x1A, 0x8D, 0xA6, 0x0C, 0x6E, 0x0C, 0x1C, 0x0F, 0xCC, 0xB2, 0x78, 0x8A, ++ 0x07, 0xFC, 0x5C, 0xC2, 0xF5, 0x65, 0xEC, 0xAB, 0x8B, 0x3C, 0xCA, 0x91, ++ 0x6F, 0x84, 0x7C, 0x21, 0x0E, 0xB8, 0xDA, 0x7B, 0x6C, 0xF7, 0xDF, 0xAB, ++ 0x7E, 0x15, 0xFD, 0x85, 0x0B, 0x33, 0x9B, 0x6A, 0x3A, 0xC3, 0xEF, 0x65, ++ 0x04, 0x6E, 0xB2, 0xAC, 0x98, 0xFD, 0xEB, 0x02, 0xF5, 0xC0, 0x0B, 0x5E, ++ 0xCB, 0xD4, 0x83, 0x82, 0x18, 0x1B, 0xDA, 0xB4, 0xCD, 0xE8, 0x71, 0x6B, ++ 0x1D, 0xB5, 0x4F, 0xE9, 0xD6, 0x43, 0xA0, 0x0A, 0x14, 0xA0, 0xE7, 0x5D, ++ 0x47, 0x9D, 0x18, 0xD7 ++}; ++ ++static int fips_rsa_encrypt_test(RSA *rsa, const unsigned char *plaintext, ++ int ptlen) ++{ ++ unsigned char *ctbuf = NULL, *ptbuf = NULL; ++ int ret = 0; ++ int len; ++ ++ ctbuf = OPENSSL_malloc(RSA_size(rsa)); ++ if (!ctbuf) ++ goto err; ++ ++ len = RSA_public_encrypt(ptlen, plaintext, ctbuf, rsa, RSA_PKCS1_PADDING); ++ if (len <= 0) ++ goto err; ++ /* Check ciphertext doesn't match plaintext */ ++ if (len >= ptlen && !memcmp(plaintext, ctbuf, ptlen)) ++ goto err; ++ ++ ptbuf = OPENSSL_malloc(RSA_size(rsa)); ++ if (!ptbuf) ++ goto err; ++ ++ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING); ++ if (len != ptlen) ++ goto err; ++ if (memcmp(ptbuf, plaintext, len)) ++ goto err; ++ ++ ret = 1; ++ ++ err: ++ if (ctbuf) ++ OPENSSL_free(ctbuf); ++ if (ptbuf) ++ OPENSSL_free(ptbuf); ++ return ret; ++} ++ ++int FIPS_selftest_rsa() ++{ ++ int ret = 0; ++ RSA *key; ++ EVP_PKEY *pk = NULL; ++ ++ if ((key = RSA_new()) == NULL) ++ goto err; ++ ++ if (!setrsakey(key)) ++ goto err; ++ ++ if ((pk = EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_set1_RSA(pk, key); ++ ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_SHA256, sizeof(kat_RSA_SHA256), ++ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1, ++ "RSA SHA256 PKCS#1")) ++ goto err; ++ ++ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1, ++ kat_RSA_PSS_SHA256, ++ sizeof(kat_RSA_PSS_SHA256), EVP_sha256(), ++ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA256 PSS")) ++ goto err; ++ ++ if (!fips_rsa_encrypt_test(key, kat_tbs, sizeof(kat_tbs) - 1)) ++ goto err; ++ ++ ret = 1; ++ ++ err: ++ if (pk) ++ EVP_PKEY_free(pk); ++ if (key) ++ RSA_free(key); ++ return ret; ++} ++ ++#endif /* def OPENSSL_FIPS */ +Index: openssl-1.1.1n/crypto/fips/fips_sha_selftest.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_sha_selftest.c +@@ -0,0 +1,223 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#ifdef OPENSSL_FIPS ++# include ++#endif ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++static const char test[][60] = { ++ "", ++ "abc", ++ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" ++}; ++ ++static const unsigned char ret[][SHA_DIGEST_LENGTH] = { ++ {0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55, ++ 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09}, ++ {0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e, ++ 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d}, ++ {0x84, 0x98, 0x3e, 0x44, 0x1c, 0x3b, 0xd2, 0x6e, 0xba, 0xae, ++ 0x4a, 0xa1, 0xf9, 0x51, 0x29, 0xe5, 0xe5, 0x46, 0x70, 0xf1}, ++}; ++ ++int FIPS_selftest_sha1() ++{ ++ int n; ++ ++ for (n = 0; n < sizeof(test) / sizeof(test[0]); ++n) { ++ unsigned char md[SHA_DIGEST_LENGTH]; ++ ++ EVP_Digest(test[n], strlen(test[n]), md, NULL, ++ EVP_sha1(), NULL); ++ if (memcmp(md, ret[n], sizeof md)) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ } ++ return 1; ++} ++ ++static const unsigned char msg_sha256[] = ++ { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30, ++ 0xfc ++}; ++ ++static const unsigned char dig_sha256[] = ++ { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b, ++ 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01, ++ 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83, ++ 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a ++}; ++ ++static const unsigned char msg_sha512[] = ++ { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7, ++ 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd ++}; ++ ++static const unsigned char dig_sha512[] = ++ { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16, ++ 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44, ++ 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0, ++ 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f, ++ 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38, ++ 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04, ++ 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1, ++ 0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43 ++}; ++ ++int FIPS_selftest_sha2(void) ++{ ++ unsigned char md[SHA512_DIGEST_LENGTH]; ++ ++ EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL); ++ if (memcmp(dig_sha256, md, sizeof(dig_sha256))) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL); ++ if (memcmp(dig_sha512, md, sizeof(dig_sha512))) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++static const unsigned char msg_sha3_256[] = { ++ 0xa1, 0xd7, 0xce, 0x51, 0x04, 0xeb, 0x25, 0xd6, ++ 0x13, 0x1b, 0xb8, 0xf6, 0x6e, 0x1f, 0xb1, 0x3f, ++ 0x35, 0x23 ++}; ++ ++static const unsigned char dig_sha3_256[] = { ++ 0xee, 0x90, 0x62, 0xf3, 0x97, 0x20, 0xb8, 0x21, ++ 0xb8, 0x8b, 0xe5, 0xe6, 0x46, 0x21, 0xd7, 0xe0, ++ 0xca, 0x02, 0x6a, 0x9f, 0xe7, 0x24, 0x8d, 0x78, ++ 0x15, 0x0b, 0x14, 0xbd, 0xba, 0xa4, 0x0b, 0xed ++}; ++ ++static const unsigned char msg_sha3_512[] = { ++ 0x13, 0x3b, 0x49, 0x7b, 0x00, 0x93, 0x27, 0x73, ++ 0xa5, 0x3b, 0xa9, 0xbf, 0x8e, 0x61, 0xd5, 0x9f, ++ 0x05, 0xf4 ++}; ++ ++static const unsigned char dig_sha3_512[] = { ++ 0x78, 0x39, 0x64, 0xa1, 0xcf, 0x41, 0xd6, 0xd2, ++ 0x10, 0xa8, 0xd7, 0xc8, 0x1c, 0xe6, 0x97, 0x0a, ++ 0xa6, 0x2c, 0x90, 0x53, 0xcb, 0x89, 0xe1, 0x5f, ++ 0x88, 0x05, 0x39, 0x57, 0xec, 0xf6, 0x07, 0xf4, ++ 0x2a, 0xf0, 0x88, 0x04, 0xe7, 0x6f, 0x2f, 0xbd, ++ 0xbb, 0x31, 0x80, 0x9c, 0x9e, 0xef, 0xc6, 0x0e, ++ 0x23, 0x3d, 0x66, 0x24, 0x36, 0x7a, 0x3b, 0x9c, ++ 0x30, 0xf8, 0xee, 0x5f, 0x65, 0xbe, 0x56, 0xac ++}; ++ ++static const unsigned char msg_shake_128[] = { ++ 0x43, 0xbd, 0xb1, 0x1e, 0xac, 0x71, 0x03, 0x1f, ++ 0x02, 0xa1, 0x1c, 0x15, 0xa1, 0x88, 0x5f, 0xa4, ++ 0x28, 0x98 ++}; ++ ++static const unsigned char dig_shake_128[] = { ++ 0xde, 0x68, 0x02, 0x7d, 0xa1, 0x30, 0x66, 0x3a, ++ 0x73, 0x98, 0x0e, 0x35, 0x25, 0xb8, 0x8c, 0x75 ++}; ++ ++static const unsigned char msg_shake_256[] = { ++ 0x8f, 0x84, 0xa3, 0x7d, 0xbd, 0x44, 0xd0, 0xf6, ++ 0x95, 0x36, 0xc5, 0xf4, 0x44, 0x6b, 0xa3, 0x23, ++ 0x9b, 0xfc ++}; ++ ++static const unsigned char dig_shake_256[] = { ++ 0x05, 0xca, 0x83, 0x5e, 0x0c, 0xdb, 0xfa, 0xf5, ++ 0x95, 0xc6, 0x86, 0x7e, 0x2d, 0x9d, 0xb9, 0x3f, ++ 0xca, 0x9c, 0x8b, 0xc6, 0x65, 0x02, 0x2e, 0xdd, ++ 0x6f, 0xe7, 0xb3, 0xda, 0x5e, 0x07, 0xc4, 0xcf ++}; ++ ++int FIPS_selftest_sha3(void) ++{ ++ unsigned char md[SHA512_DIGEST_LENGTH]; ++ ++ EVP_Digest(msg_sha3_256, sizeof(msg_sha3_256), md, NULL, EVP_sha3_256(), NULL); ++ if (memcmp(dig_sha3_256, md, sizeof(dig_sha3_256))) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ EVP_Digest(msg_sha3_512, sizeof(msg_sha3_512), md, NULL, EVP_sha3_512(), NULL); ++ if (memcmp(dig_sha3_512, md, sizeof(dig_sha3_512))) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ EVP_Digest(msg_shake_128, sizeof(msg_shake_128), md, NULL, EVP_shake128(), NULL); ++ if (memcmp(dig_shake_128, md, sizeof(dig_shake_128))) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ EVP_Digest(msg_shake_256, sizeof(msg_shake_256), md, NULL, EVP_shake256(), NULL); ++ if (memcmp(dig_shake_256, md, sizeof(dig_shake_256))) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ return 1; ++} ++ ++#endif +Index: openssl-1.1.1n/crypto/fips/fips_standalone_hmac.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/crypto/fips/fips_standalone_hmac.c +@@ -0,0 +1,127 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++int main(int argc, char **argv) ++{ ++#ifdef OPENSSL_FIPS ++ static char key[] = "orboDeJITITejsirpADONivirpUkvarP"; ++ int n, binary = 0; ++ ++ if (argc < 2) { ++ fprintf(stderr, "%s []+\n", argv[0]); ++ exit(1); ++ } ++ ++ n = 1; ++ if (!strcmp(argv[n], "-binary")) { ++ n++; ++ binary = 1; /* emit binary fingerprint... */ ++ } ++ ++ for (; n < argc; ++n) { ++ FILE *f = fopen(argv[n], "rb"); ++ HMAC_CTX *hmac_ctx; ++ unsigned char mac[EVP_MAX_MD_SIZE]; ++ unsigned int len; ++ unsigned int i; ++ ++ if (!f) { ++ perror(argv[n]); ++ exit(2); ++ } ++ hmac_ctx = HMAC_CTX_new(); ++ if (!hmac_ctx) ++ exit(3); ++ ++ if (HMAC_Init_ex(hmac_ctx, key, strlen(key), EVP_sha256(), NULL) <= 0) { ++ fprintf(stderr, "HMAC SHA256 initialization failed.\n"); ++ exit(4); ++ } ++ ++ for (;;) { ++ unsigned char buf[1024]; ++ size_t l = fread(buf, 1, sizeof buf, f); ++ ++ if (l == 0) { ++ if (ferror(f)) { ++ perror(argv[n]); ++ exit(3); ++ } else ++ break; ++ } ++ if (HMAC_Update(hmac_ctx, buf, l) <= 0) { ++ fprintf(stderr, "HMAC_Update() failed.\n"); ++ exit(4); ++ } ++ } ++ if (HMAC_Final(hmac_ctx, mac, &len) <= 0) { ++ fprintf(stderr, "HMAC_Final() failed.\n"); ++ exit(4); ++ } ++ ++ if (binary) { ++ fwrite(mac, len, 1, stdout); ++ break; /* ... for single(!) file */ ++ } ++ ++/* printf("HMAC-SHA1(%s)= ",argv[n]); */ ++ for (i = 0; i < len; ++i) ++ printf("%02x", mac[i]); ++ printf("\n"); ++ } ++#endif ++ return 0; ++} +Index: openssl-1.1.1n/crypto/hmac/hmac.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/hmac/hmac.c ++++ openssl-1.1.1n/crypto/hmac/hmac.c +@@ -44,6 +44,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo + return 0; + + if (key != NULL) { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(EVP_MD_flags(md) & EVP_MD_FLAG_FIPS) ++ && (!EVP_MD_CTX_test_flags(ctx->md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) ++ || !EVP_MD_CTX_test_flags(ctx->i_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) ++ || !EVP_MD_CTX_test_flags(ctx->o_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))) ++ goto err; ++#endif + reset = 1; + + j = EVP_MD_block_size(md); +Index: openssl-1.1.1n/crypto/hmac/hm_pmeth.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/hmac/hm_pmeth.c ++++ openssl-1.1.1n/crypto/hmac/hm_pmeth.c +@@ -180,7 +180,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C + + const EVP_PKEY_METHOD hmac_pkey_meth = { + EVP_PKEY_HMAC, +- 0, ++ EVP_PKEY_FLAG_FIPS, + pkey_hmac_init, + pkey_hmac_copy, + pkey_hmac_cleanup, +Index: openssl-1.1.1n/include/crypto/fips_int.h +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/include/crypto/fips_int.h +@@ -0,0 +1,98 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++ ++#ifndef OPENSSL_FIPS ++# error FIPS is disabled. ++#endif ++ ++#ifdef OPENSSL_FIPS ++ ++int FIPS_module_mode_set(int onoff); ++int FIPS_module_mode(void); ++int FIPS_module_installed(void); ++int FIPS_selftest_sha1(void); ++int FIPS_selftest_sha2(void); ++int FIPS_selftest_sha3(void); ++int FIPS_selftest_aes_ccm(void); ++int FIPS_selftest_aes_gcm(void); ++int FIPS_selftest_aes_xts(void); ++int FIPS_selftest_aes(void); ++int FIPS_selftest_des(void); ++int FIPS_selftest_rsa(void); ++int FIPS_selftest_dsa(void); ++int FIPS_selftest_ecdsa(void); ++int FIPS_selftest_ecdh(void); ++int FIPS_selftest_dh(void); ++void FIPS_drbg_stick(int onoff); ++int FIPS_selftest_hmac(void); ++int FIPS_selftest_drbg(void); ++int FIPS_selftest_cmac(void); ++ ++int fips_pkey_signature_test(EVP_PKEY *pkey, ++ const unsigned char *tbs, int tbslen, ++ const unsigned char *kat, ++ unsigned int katlen, ++ const EVP_MD *digest, ++ unsigned int md_flags, const char *fail_str); ++ ++int fips_cipher_test(EVP_CIPHER_CTX *ctx, ++ const EVP_CIPHER *cipher, ++ const unsigned char *key, ++ const unsigned char *iv, ++ const unsigned char *plaintext, ++ const unsigned char *ciphertext, int len); ++ ++void fips_set_selftest_fail(void); ++ ++void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); ++ ++#endif +Index: openssl-1.1.1n/crypto/o_fips.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/o_fips.c ++++ openssl-1.1.1n/crypto/o_fips.c +@@ -8,17 +8,28 @@ + */ + + #include "internal/cryptlib.h" ++#include "crypto/fips_int.h" + + int FIPS_mode(void) + { ++#ifdef OPENSSL_FIPS ++ return FIPS_module_mode(); ++#else + /* This version of the library does not support FIPS mode. */ + return 0; ++#endif + } + + int FIPS_mode_set(int r) + { ++#ifdef OPENSSL_FIPS ++ if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */ ++ return 1; ++ return FIPS_module_mode_set(r); ++#else + if (r == 0) + return 1; + CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED); + return 0; ++#endif + } +Index: openssl-1.1.1n/crypto/o_init.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/o_init.c ++++ openssl-1.1.1n/crypto/o_init.c +@@ -7,8 +7,69 @@ + * https://www.openssl.org/source/license.html + */ + ++/* for secure_getenv */ ++#define _GNU_SOURCE + #include "e_os.h" + #include ++#ifdef OPENSSL_FIPS ++# include ++# include ++# include ++# include ++# include ++# include ++# include ++# include ++# include "crypto/fips_int.h" ++ ++# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" ++ ++static void init_fips_mode(void) ++{ ++ char buf[2] = "0"; ++ int fd; ++ ++ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { ++ buf[0] = '1'; ++ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { ++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; ++ close(fd); ++ } ++ ++ if (buf[0] != '1' && !FIPS_module_installed()) ++ return; ++ ++ /* Ensure the selftests always run */ ++ /* XXX: TO SOLVE - premature initialization due to selftests */ ++ FIPS_mode_set(1); ++ ++ /* Failure reading the fips mode switch file means just not ++ * switching into FIPS mode. We would break too many things ++ * otherwise.. ++ */ ++ ++ if (buf[0] != '1') { ++ /* drop down to non-FIPS mode if it is not requested */ ++ FIPS_mode_set(0); ++ } else { ++ /* abort if selftest failed */ ++ FIPS_selftest_check(); ++ } ++} ++ ++/* ++ * Perform FIPS module power on selftest and automatic FIPS mode switch. ++ */ ++ ++void __attribute__ ((constructor)) OPENSSL_init_library(void) ++{ ++ static int done = 0; ++ if (done) ++ return; ++ done = 1; ++ init_fips_mode(); ++} ++#endif + + /* + * Perform any essential OpenSSL initialization operations. Currently does +Index: openssl-1.1.1n/crypto/rand/rand_lib.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/rand/rand_lib.c ++++ openssl-1.1.1n/crypto/rand/rand_lib.c +@@ -963,3 +963,15 @@ int RAND_status(void) + return meth->status(); + return 0; + } ++ ++#ifdef OPENSSL_FIPS ++void RAND_set_fips_drbg_type(int type, int flags) ++{ /* just a stub for ABI compatibility */ ++} ++ ++int RAND_init_fips(void) ++{ ++ /* just a stub for ABI compatibility */ ++ return 1; ++} ++#endif +Index: openssl-1.1.1n/crypto/rsa/rsa_crpt.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/rsa/rsa_crpt.c ++++ openssl-1.1.1n/crypto/rsa/rsa_crpt.c +@@ -27,24 +27,52 @@ int RSA_size(const RSA *r) + int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, + RSA *rsa, int padding) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) ++ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { ++ RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD); ++ return -1; ++ } ++#endif + return rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding); + } + + int RSA_private_encrypt(int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, int padding) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { ++ RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, ++ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); ++ return -1; ++ } ++#endif + return rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding); + } + + int RSA_private_decrypt(int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, int padding) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) ++ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { ++ RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD); ++ return -1; ++ } ++#endif + return rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding); + } + + int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, + RSA *rsa, int padding) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { ++ RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, ++ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); ++ return -1; ++ } ++#endif + return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding); + } + +Index: openssl-1.1.1n/crypto/rsa/rsa_err.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/rsa/rsa_err.c ++++ openssl-1.1.1n/crypto/rsa/rsa_err.c +@@ -16,6 +16,8 @@ + static const ERR_STRING_DATA RSA_str_functs[] = { + {ERR_PACK(ERR_LIB_RSA, RSA_F_CHECK_PADDING_MD, 0), "check_padding_md"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_ENCODE_PKCS1, 0), "encode_pkcs1"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_FIPS_RSA_BUILTIN_KEYGEN, 0), ++ "fips_rsa_builtin_keygen"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_INT_RSA_VERIFY, 0), "int_rsa_verify"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_OLD_RSA_PRIV_DECODE, 0), + "old_rsa_priv_decode"}, +@@ -32,6 +34,9 @@ static const ERR_STRING_DATA RSA_str_fun + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CHECK_KEY_EX, 0), "RSA_check_key_ex"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_DECRYPT, 0), "rsa_cms_decrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_VERIFY, 0), "rsa_cms_verify"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_KEY_EX, 0), "RSA_generate_key_ex"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, 0), ++ "RSA_generate_multi_prime_key"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_ITEM_VERIFY, 0), "rsa_item_verify"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_METH_DUP, 0), "RSA_meth_dup"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_METH_NEW, 0), "RSA_meth_new"}, +@@ -90,9 +95,13 @@ static const ERR_STRING_DATA RSA_str_fun + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRINT_FP, 0), "RSA_print_fp"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_DECODE, 0), "rsa_priv_decode"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_ENCODE, 0), "rsa_priv_encode"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_DECRYPT, 0), "RSA_private_decrypt"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_ENCRYPT, 0), "RSA_private_encrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_GET_PARAM, 0), "rsa_pss_get_param"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_TO_CTX, 0), "rsa_pss_to_ctx"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUB_DECODE, 0), "rsa_pub_decode"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_DECRYPT, 0), "RSA_public_decrypt"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_ENCRYPT, 0), "RSA_public_encrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SETUP_BLINDING, 0), "RSA_setup_blinding"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN, 0), "RSA_sign"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN_ASN1_OCTET_STRING, 0), +@@ -102,6 +111,8 @@ static const ERR_STRING_DATA RSA_str_fun + "RSA_verify_ASN1_OCTET_STRING"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, 0), + "RSA_verify_PKCS1_PSS_mgf1"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_DEFAULT_METHOD, 0), "RSA_set_default_method"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_METHOD, 0), "RSA_set_method"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_SETUP_TBUF, 0), "setup_tbuf"}, + {0, NULL} + }; +@@ -183,6 +194,7 @@ static const ERR_STRING_DATA RSA_str_rea + "mp exponent not congruent to d"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_R_NOT_PRIME), "mp r not prime"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NO_PUBLIC_EXPONENT), "no public exponent"}, ++ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NON_FIPS_RSA_METHOD), "non FIPS rsa method"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NULL_BEFORE_BLOCK_MISSING), + "null before block missing"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES), +@@ -191,6 +203,8 @@ static const ERR_STRING_DATA RSA_str_rea + "n does not equal p q"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OAEP_DECODING_ERROR), + "oaep decoding error"}, ++ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE), ++ "operation not allowed in FIPS mode"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), + "operation not supported for this keytype"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_PADDING_CHECK_FAILED), +@@ -226,6 +240,8 @@ static const ERR_STRING_DATA RSA_str_rea + "unsupported mask algorithm"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_MASK_PARAMETER), + "unsupported mask parameter"}, ++ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_PARAMETERS), ++ "unsupported parameters"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_SIGNATURE_TYPE), + "unsupported signature type"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_VALUE_MISSING), "value missing"}, +Index: openssl-1.1.1n/crypto/rsa/rsa_gen.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/rsa/rsa_gen.c ++++ openssl-1.1.1n/crypto/rsa/rsa_gen.c +@@ -18,6 +18,76 @@ + #include "internal/cryptlib.h" + #include + #include "rsa_local.h" ++#ifdef OPENSSL_FIPS ++# include ++# include "crypto/fips_int.h" ++ ++int fips_check_rsa(RSA *rsa) ++{ ++ const unsigned char tbs[] = "RSA Pairwise Check Data"; ++ unsigned char *ctbuf = NULL, *ptbuf = NULL; ++ int len, ret = 0; ++ EVP_PKEY *pk; ++ ++ if ((pk = EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_set1_RSA(pk, rsa); ++ ++ /* Perform pairwise consistency signature test */ ++ if (!fips_pkey_signature_test(pk, tbs, -1, ++ NULL, 0, EVP_sha256(), ++ EVP_MD_CTX_FLAG_PAD_PKCS1, NULL) ++ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha256(), ++ EVP_MD_CTX_FLAG_PAD_PSS, NULL)) ++ goto err; ++ /* Now perform pairwise consistency encrypt/decrypt test */ ++ ctbuf = OPENSSL_malloc(RSA_size(rsa)); ++ if (!ctbuf) ++ goto err; ++ ++ len = ++ RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa, ++ RSA_PKCS1_PADDING); ++ if (len <= 0) ++ goto err; ++ /* Check ciphertext doesn't match plaintext */ ++ if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len)) ++ goto err; ++ ptbuf = OPENSSL_malloc(RSA_size(rsa)); ++ ++ if (!ptbuf) ++ goto err; ++ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING); ++ if (len != (sizeof(tbs) - 1)) ++ goto err; ++ if (memcmp(ptbuf, tbs, len)) ++ goto err; ++ ++ ret = 1; ++ ++ if (!ptbuf) ++ goto err; ++ ++ err: ++ if (ret == 0) { ++ fips_set_selftest_fail(); ++ FIPSerr(FIPS_F_FIPS_CHECK_RSA, FIPS_R_PAIRWISE_TEST_FAILED); ++ } ++ ++ if (ctbuf) ++ OPENSSL_free(ctbuf); ++ if (ptbuf) ++ OPENSSL_free(ptbuf); ++ if (pk) ++ EVP_PKEY_free(pk); ++ ++ return ret; ++} ++ ++static int fips_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, ++ BN_GENCB *cb); ++#endif + + static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value, + BN_GENCB *cb); +@@ -31,6 +101,13 @@ static int rsa_builtin_keygen(RSA *rsa, + */ + int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) ++ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { ++ RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD); ++ return 0; ++ } ++#endif + if (rsa->meth->rsa_keygen != NULL) + return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); + +@@ -41,6 +118,13 @@ int RSA_generate_key_ex(RSA *rsa, int bi + int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes, + BIGNUM *e_value, BN_GENCB *cb) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) ++ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { ++ RSAerr(RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, RSA_R_NON_FIPS_RSA_METHOD); ++ return 0; ++ } ++#endif + /* multi-prime is only supported with the builtin key generation */ + if (rsa->meth->rsa_multi_prime_keygen != NULL) { + return rsa->meth->rsa_multi_prime_keygen(rsa, bits, primes, +@@ -57,10 +141,285 @@ int RSA_generate_multi_prime_key(RSA *rs + else + return 0; + } +- ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ if (primes != 2) { ++ RSAerr(RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, RSA_R_UNSUPPORTED_PARAMETERS); ++ return 0; ++ } ++ return fips_rsa_builtin_keygen(rsa, bits, e_value, cb); ++ } ++#endif + return rsa_builtin_keygen(rsa, bits, primes, e_value, cb); + } + ++#ifdef OPENSSL_FIPS ++static int fips_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, ++ BN_GENCB *cb) ++{ ++ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp; ++ BN_CTX *ctx = NULL; ++ int ok = -1; ++ int i; ++ int n = 0; ++ int test = 0; ++ int pbits = bits / 2; ++ unsigned long error = 0; ++ ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED); ++ return 0; ++ } ++ ++ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS ++ || (getenv("OPENSSL_ENFORCE_MODULUS_BITS") && bits < 2048)) { ++ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT); ++ return 0; ++ } ++ if ((pbits & 0xFF) != 0) { ++ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++ ++ ctx = BN_CTX_new(); ++ if (ctx == NULL) ++ goto err; ++ BN_CTX_start(ctx); ++ r0 = BN_CTX_get(ctx); ++ r1 = BN_CTX_get(ctx); ++ r2 = BN_CTX_get(ctx); ++ r3 = BN_CTX_get(ctx); ++ ++ if (r3 == NULL) ++ goto err; ++ ++ /* We need the RSA components non-NULL */ ++ if (!rsa->n && ((rsa->n = BN_new()) == NULL)) ++ goto err; ++ if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL)) ++ goto err; ++ if (!rsa->e && ((rsa->e = BN_new()) == NULL)) ++ goto err; ++ if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL)) ++ goto err; ++ if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL)) ++ goto err; ++ if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL)) ++ goto err; ++ if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL)) ++ goto err; ++ if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL)) ++ goto err; ++ ++ if (!BN_set_word(r0, RSA_F4)) ++ goto err; ++ if (BN_cmp(e_value, r0) < 0 || BN_num_bits(e_value) > 256) { ++ ok = 0; /* we set our own err */ ++ RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, RSA_R_BAD_E_VALUE); ++ goto err; ++ } ++ ++ /* prepare approximate minimum p and q */ ++ if (!BN_set_word(r0, 0xB504F334)) ++ goto err; ++ if (!BN_lshift(r0, r0, pbits - 32)) ++ goto err; ++ ++ /* prepare minimum p and q difference */ ++ if (!BN_one(r3)) ++ goto err; ++ if (!BN_lshift(r3, r3, pbits - 100)) ++ goto err; ++ ++ BN_copy(rsa->e, e_value); ++ ++ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q)) ++ test = 1; ++ ++ BN_set_flags(r0, BN_FLG_CONSTTIME); ++ BN_set_flags(r1, BN_FLG_CONSTTIME); ++ BN_set_flags(r2, BN_FLG_CONSTTIME); ++ BN_set_flags(rsa->p, BN_FLG_CONSTTIME); ++ BN_set_flags(rsa->q, BN_FLG_CONSTTIME); ++ ++ retry: ++ /* generate p and q */ ++ for (i = 0; i < 5 * pbits; i++) { ++ ploop: ++ if (!test) ++ if (!BN_rand(rsa->p, pbits, 0, 1)) ++ goto err; ++ if (BN_cmp(rsa->p, r0) < 0) { ++ if (test) ++ goto err; ++ goto ploop; ++ } ++ ++ if (!BN_sub(r2, rsa->p, BN_value_one())) ++ goto err; ++ ERR_set_mark(); ++ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { ++ /* GCD == 1 since inverse exists */ ++ int r; ++ r = BN_is_prime_fasttest_ex(rsa->p, pbits > 1024 ? 4 : 5, ctx, 0, ++ cb); ++ if (r == -1 || (test && r <= 0)) ++ goto err; ++ if (r > 0) ++ break; ++ } else { ++ error = ERR_peek_last_error(); ++ if (ERR_GET_LIB(error) == ERR_LIB_BN ++ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { ++ /* GCD != 1 */ ++ ERR_pop_to_mark(); ++ } else { ++ goto err; ++ } ++ } ++ if (!BN_GENCB_call(cb, 2, n++)) ++ goto err; ++ } ++ ++ if (!BN_GENCB_call(cb, 3, 0)) ++ goto err; ++ ++ if (i >= 5 * pbits) ++ /* prime not found */ ++ goto err; ++ ++ for (i = 0; i < 5 * pbits; i++) { ++ qloop: ++ if (!test) ++ if (!BN_rand(rsa->q, pbits, 0, 1)) ++ goto err; ++ if (BN_cmp(rsa->q, r0) < 0) { ++ if (test) ++ goto err; ++ goto qloop; ++ } ++ if (!BN_sub(r2, rsa->q, rsa->p)) ++ goto err; ++ if (BN_ucmp(r2, r3) <= 0) { ++ if (test) ++ goto err; ++ goto qloop; ++ } ++ ++ if (!BN_sub(r2, rsa->q, BN_value_one())) ++ goto err; ++ ERR_set_mark(); ++ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { ++ /* GCD == 1 since inverse exists */ ++ int r; ++ r = BN_is_prime_fasttest_ex(rsa->q, pbits > 1024 ? 4 : 5, ctx, 0, ++ cb); ++ if (r == -1 || (test && r <= 0)) ++ goto err; ++ if (r > 0) ++ break; ++ } else { ++ error = ERR_peek_last_error(); ++ if (ERR_GET_LIB(error) == ERR_LIB_BN ++ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { ++ /* GCD != 1 */ ++ ERR_pop_to_mark(); ++ } else { ++ goto err; ++ } ++ } ++ if (!BN_GENCB_call(cb, 2, n++)) ++ goto err; ++ } ++ ++ if (!BN_GENCB_call(cb, 3, 1)) ++ goto err; ++ ++ if (i >= 5 * pbits) ++ /* prime not found */ ++ goto err; ++ ++ if (test) { ++ /* do not try to calculate the remaining key values */ ++ BN_clear(rsa->n); ++ ok = 1; ++ goto err; ++ } ++ ++ if (BN_cmp(rsa->p, rsa->q) < 0) { ++ tmp = rsa->p; ++ rsa->p = rsa->q; ++ rsa->q = tmp; ++ } ++ ++ /* calculate n */ ++ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx)) ++ goto err; ++ ++ /* calculate d */ ++ if (!BN_sub(r1, rsa->p, BN_value_one())) ++ goto err; /* p-1 */ ++ if (!BN_sub(r2, rsa->q, BN_value_one())) ++ goto err; /* q-1 */ ++ ++ /* note that computing gcd is not safe to timing attacks */ ++ if (!BN_gcd(r0, r1, r2, ctx)) ++ goto err; ++ ++ { ++ if (!BN_div(r0, NULL, r1, r0, ctx)) ++ goto err; ++ ++ if (!BN_mul(r0, r0, r2, ctx)) /* lcm(p-1, q-1) */ ++ goto err; ++ ++ if (!BN_mod_inverse(rsa->d, rsa->e, r0, ctx)) /* d */ ++ goto err; ++ } ++ ++ if (BN_num_bits(rsa->d) < pbits) ++ goto retry; /* d is too small */ ++ ++ { ++ BIGNUM *d = BN_new(); ++ ++ if (d == NULL) ++ goto err; ++ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); ++ ++ if (/* calculate d mod (p-1) */ ++ !BN_mod(rsa->dmp1, d, r1, ctx) ++ /* calculate d mod (q-1) */ ++ || !BN_mod(rsa->dmq1, d, r2, ctx)) { ++ BN_free(d); ++ goto err; ++ } ++ /* We MUST free d before any further use of rsa->d */ ++ BN_free(d); ++ } ++ ++ /* calculate inverse of q mod p */ ++ if (!BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx)) ++ goto err; ++ ++ if (!fips_check_rsa(rsa)) ++ goto err; ++ ++ ok = 1; ++ err: ++ if (ok == -1) { ++ RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, ERR_LIB_BN); ++ ok = 0; ++ } ++ if (ctx != NULL) { ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ } ++ ++ return ok; ++} ++#endif ++ + static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value, + BN_GENCB *cb) + { +Index: openssl-1.1.1n/crypto/rsa/rsa_lib.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/rsa/rsa_lib.c ++++ openssl-1.1.1n/crypto/rsa/rsa_lib.c +@@ -34,6 +34,12 @@ int RSA_set_method(RSA *rsa, const RSA_M + * to deal with which ENGINE it comes from. + */ + const RSA_METHOD *mtmp; ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) { ++ RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_RSA_METHOD); ++ return 0; ++ } ++#endif + mtmp = rsa->meth; + if (mtmp->finish) + mtmp->finish(rsa); +@@ -66,7 +72,6 @@ RSA *RSA_new_method(ENGINE *engine) + + ret->meth = RSA_get_default_method(); + #ifndef OPENSSL_NO_ENGINE +- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; + if (engine) { + if (!ENGINE_init(engine)) { + RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB); +@@ -84,8 +89,19 @@ RSA *RSA_new_method(ENGINE *engine) + } + } + #endif ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD)) { ++ RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_RSA_METHOD); ++# ifndef OPENSSL_NO_ENGINE ++ if (ret->engine) ++ ENGINE_finish(ret->engine); ++# endif ++ OPENSSL_free(ret); ++ return NULL; ++ } ++#endif + +- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; ++ ret->flags = ret->meth->flags; + if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { + goto err; + } +Index: openssl-1.1.1n/crypto/rsa/rsa_ossl.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/rsa/rsa_ossl.c ++++ openssl-1.1.1n/crypto/rsa/rsa_ossl.c +@@ -12,6 +12,10 @@ + #include "rsa_local.h" + #include "internal/constant_time.h" + ++#ifdef OPENSSL_FIPS ++# include ++#endif ++ + static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, int padding); + static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, +@@ -47,6 +51,12 @@ static const RSA_METHOD *default_RSA_met + + void RSA_set_default_method(const RSA_METHOD *meth) + { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) { ++ RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_RSA_METHOD); ++ return; ++ } ++#endif + default_RSA_meth = meth; + } + +@@ -73,6 +83,22 @@ static int rsa_ossl_public_encrypt(int f + unsigned char *buf = NULL; + BN_CTX *ctx = NULL; + ++# ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT, ++ FIPS_R_FIPS_SELFTEST_FAILED); ++ goto err; ++ } ++ ++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) ++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { ++ RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); ++ return -1; ++ } ++ } ++# endif ++ + if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { + RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); + return -1; +@@ -246,6 +272,22 @@ static int rsa_ossl_private_encrypt(int + BIGNUM *unblind = NULL; + BN_BLINDING *blinding = NULL; + ++# ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT, ++ FIPS_R_FIPS_SELFTEST_FAILED); ++ return -1; ++ } ++ ++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) ++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { ++ RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); ++ return -1; ++ } ++ } ++# endif ++ + if ((ctx = BN_CTX_new()) == NULL) + goto err; + BN_CTX_start(ctx); +@@ -380,6 +422,22 @@ static int rsa_ossl_private_decrypt(int + BIGNUM *unblind = NULL; + BN_BLINDING *blinding = NULL; + ++# ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT, ++ FIPS_R_FIPS_SELFTEST_FAILED); ++ return -1; ++ } ++ ++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) ++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { ++ RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); ++ return -1; ++ } ++ } ++# endif ++ + if ((ctx = BN_CTX_new()) == NULL) + goto err; + BN_CTX_start(ctx); +@@ -507,6 +565,22 @@ static int rsa_ossl_public_decrypt(int f + unsigned char *buf = NULL; + BN_CTX *ctx = NULL; + ++# ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ if (FIPS_selftest_failed()) { ++ FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT, ++ FIPS_R_FIPS_SELFTEST_FAILED); ++ goto err; ++ } ++ ++ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) ++ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { ++ RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); ++ return -1; ++ } ++ } ++# endif ++ + if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { + RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); + return -1; +Index: openssl-1.1.1n/crypto/rsa/rsa_pmeth.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/rsa/rsa_pmeth.c ++++ openssl-1.1.1n/crypto/rsa/rsa_pmeth.c +@@ -756,7 +756,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX + + const EVP_PKEY_METHOD rsa_pkey_meth = { + EVP_PKEY_RSA, +- EVP_PKEY_FLAG_AUTOARGLEN, ++ EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS, + pkey_rsa_init, + pkey_rsa_copy, + pkey_rsa_cleanup, +@@ -838,7 +838,7 @@ static int pkey_pss_init(EVP_PKEY_CTX *c + + const EVP_PKEY_METHOD rsa_pss_pkey_meth = { + EVP_PKEY_RSA_PSS, +- EVP_PKEY_FLAG_AUTOARGLEN, ++ EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS, + pkey_rsa_init, + pkey_rsa_copy, + pkey_rsa_cleanup, +Index: openssl-1.1.1n/crypto/rsa/rsa_sign.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/rsa/rsa_sign.c ++++ openssl-1.1.1n/crypto/rsa/rsa_sign.c +@@ -73,6 +73,13 @@ int RSA_sign(int type, const unsigned ch + unsigned char *tmps = NULL; + const unsigned char *encoded = NULL; + ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) ++ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { ++ RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD); ++ return 0; ++ } ++#endif + if (rsa->meth->rsa_sign) { + return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa); + } +@@ -100,8 +107,9 @@ int RSA_sign(int type, const unsigned ch + RSAerr(RSA_F_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); + goto err; + } +- encrypt_len = RSA_private_encrypt(encoded_len, encoded, sigret, rsa, +- RSA_PKCS1_PADDING); ++ /* NB: call underlying method directly to avoid FIPS blocking */ ++ encrypt_len = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(encoded_len, encoded, sigret, rsa, ++ RSA_PKCS1_PADDING) : 0; + if (encrypt_len <= 0) + goto err; + +Index: openssl-1.1.1n/crypto/sha/sha256.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/sha/sha256.c ++++ openssl-1.1.1n/crypto/sha/sha256.c +@@ -18,6 +18,9 @@ + + int SHA224_Init(SHA256_CTX *c) + { ++# ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++# endif + memset(c, 0, sizeof(*c)); + c->h[0] = 0xc1059ed8UL; + c->h[1] = 0x367cd507UL; +@@ -33,6 +36,9 @@ int SHA224_Init(SHA256_CTX *c) + + int SHA256_Init(SHA256_CTX *c) + { ++# ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++# endif + memset(c, 0, sizeof(*c)); + c->h[0] = 0x6a09e667UL; + c->h[1] = 0xbb67ae85UL; +Index: openssl-1.1.1n/crypto/sha/sha512.c +=================================================================== +--- openssl-1.1.1n.orig/crypto/sha/sha512.c ++++ openssl-1.1.1n/crypto/sha/sha512.c +@@ -98,6 +98,9 @@ int sha512_256_init(SHA512_CTX *c) + + int SHA384_Init(SHA512_CTX *c) + { ++# ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++# endif + c->h[0] = U64(0xcbbb9d5dc1059ed8); + c->h[1] = U64(0x629a292a367cd507); + c->h[2] = U64(0x9159015a3070dd17); +@@ -116,6 +119,9 @@ int SHA384_Init(SHA512_CTX *c) + + int SHA512_Init(SHA512_CTX *c) + { ++# ifdef OPENSSL_FIPS ++ FIPS_selftest_check(); ++# endif + c->h[0] = U64(0x6a09e667f3bcc908); + c->h[1] = U64(0xbb67ae8584caa73b); + c->h[2] = U64(0x3c6ef372fe94f82b); +Index: openssl-1.1.1n/crypto/sha/sha_local.h +=================================================================== +--- openssl-1.1.1n.orig/crypto/sha/sha_local.h ++++ openssl-1.1.1n/crypto/sha/sha_local.h +@@ -52,6 +52,9 @@ void sha1_block_data_order(SHA_CTX *c, c + + int HASH_INIT(SHA_CTX *c) + { ++#if defined(OPENSSL_FIPS) ++ FIPS_selftest_check(); ++#endif + memset(c, 0, sizeof(*c)); + c->h0 = INIT_DATA_h0; + c->h1 = INIT_DATA_h1; +Index: openssl-1.1.1n/doc/man3/DSA_generate_parameters.pod +=================================================================== +--- openssl-1.1.1n.orig/doc/man3/DSA_generate_parameters.pod ++++ openssl-1.1.1n/doc/man3/DSA_generate_parameters.pod +@@ -30,8 +30,10 @@ B is the length of the prime p to + For lengths under 2048 bits, the length of q is 160 bits; for lengths + greater than or equal to 2048 bits, the length of q is set to 256 bits. + +-If B is NULL, the primes will be generated at random. +-If B is less than the length of q, an error is returned. ++If B is NULL, or it does not generate primes, the primes will be ++generated at random. ++If B is less than the length of q, an error is returned ++if old DSA parameter generation method is used as a backend. + + DSA_generate_parameters_ex() places the iteration count in + *B and a counter used for finding a generator in +Index: openssl-1.1.1n/include/openssl/crypto.h +=================================================================== +--- openssl-1.1.1n.orig/include/openssl/crypto.h ++++ openssl-1.1.1n/include/openssl/crypto.h +@@ -331,6 +331,11 @@ int OPENSSL_isservice(void); + int FIPS_mode(void); + int FIPS_mode_set(int r); + ++# ifdef OPENSSL_FIPS ++/* die if FIPS selftest failed */ ++void FIPS_selftest_check(void); ++# endif ++ + void OPENSSL_init(void); + # ifdef OPENSSL_SYS_UNIX + void OPENSSL_fork_prepare(void); +Index: openssl-1.1.1n/include/openssl/dherr.h +=================================================================== +--- openssl-1.1.1n.orig/include/openssl/dherr.h ++++ openssl-1.1.1n/include/openssl/dherr.h +@@ -36,6 +36,9 @@ int ERR_load_DH_strings(void); + # define DH_F_DH_CMS_DECRYPT 114 + # define DH_F_DH_CMS_SET_PEERKEY 115 + # define DH_F_DH_CMS_SET_SHARED_INFO 116 ++# define DH_F_DH_COMPUTE_KEY 203 ++# define DH_F_DH_GENERATE_KEY 202 ++# define DH_F_DH_GENERATE_PARAMETERS_EX 201 + # define DH_F_DH_METH_DUP 117 + # define DH_F_DH_METH_NEW 118 + # define DH_F_DH_METH_SET1_NAME 119 +@@ -73,12 +76,14 @@ int ERR_load_DH_strings(void); + # define DH_R_INVALID_PARAMETER_NID 114 + # define DH_R_INVALID_PUBKEY 102 + # define DH_R_KDF_PARAMETER_ERROR 112 ++# define DH_R_KEY_SIZE_TOO_SMALL 201 + # define DH_R_KEYS_NOT_SET 108 + # define DH_R_MISSING_PUBKEY 125 + # define DH_R_MODULUS_TOO_LARGE 103 + # define DH_R_NOT_SUITABLE_GENERATOR 120 + # define DH_R_NO_PARAMETERS_SET 107 + # define DH_R_NO_PRIVATE_VALUE 100 ++# define DH_R_NON_FIPS_METHOD 202 + # define DH_R_PARAMETER_ENCODING_ERROR 105 + # define DH_R_PEER_KEY_ERROR 111 + # define DH_R_SHARED_INFO_ERROR 113 +Index: openssl-1.1.1n/include/openssl/dh.h +=================================================================== +--- openssl-1.1.1n.orig/include/openssl/dh.h ++++ openssl-1.1.1n/include/openssl/dh.h +@@ -31,6 +31,7 @@ extern "C" { + # endif + + # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 ++# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048 + + # define DH_FLAG_CACHE_MONT_P 0x01 + +Index: openssl-1.1.1n/include/openssl/dsaerr.h +=================================================================== +--- openssl-1.1.1n.orig/include/openssl/dsaerr.h ++++ openssl-1.1.1n/include/openssl/dsaerr.h +@@ -29,8 +29,11 @@ int ERR_load_DSA_strings(void); + */ + # define DSA_F_DSAPARAMS_PRINT 100 + # define DSA_F_DSAPARAMS_PRINT_FP 101 ++# define DSA_F_DSA_BUILTIN_KEYGEN 202 + # define DSA_F_DSA_BUILTIN_PARAMGEN 125 + # define DSA_F_DSA_BUILTIN_PARAMGEN2 126 ++# define DSA_F_DSA_GENERATE_KEY 201 ++# define DSA_F_DSA_GENERATE_PARAMETERS_EX 200 + # define DSA_F_DSA_DO_SIGN 112 + # define DSA_F_DSA_DO_VERIFY 113 + # define DSA_F_DSA_METH_DUP 127 +@@ -60,10 +63,13 @@ int ERR_load_DSA_strings(void); + # define DSA_R_DECODE_ERROR 104 + # define DSA_R_INVALID_DIGEST_TYPE 106 + # define DSA_R_INVALID_PARAMETERS 112 ++# define DSA_R_KEY_SIZE_INVALID 201 ++# define DSA_R_KEY_SIZE_TOO_SMALL 202 + # define DSA_R_MISSING_PARAMETERS 101 + # define DSA_R_MISSING_PRIVATE_KEY 111 + # define DSA_R_MODULUS_TOO_LARGE 103 + # define DSA_R_NO_PARAMETERS_SET 107 ++# define DSA_R_NON_FIPS_DSA_METHOD 200 + # define DSA_R_PARAMETER_ENCODING_ERROR 105 + # define DSA_R_Q_NOT_PRIME 113 + # define DSA_R_SEED_LEN_SMALL 110 +Index: openssl-1.1.1n/include/openssl/dsa.h +=================================================================== +--- openssl-1.1.1n.orig/include/openssl/dsa.h ++++ openssl-1.1.1n/include/openssl/dsa.h +@@ -31,6 +31,7 @@ extern "C" { + # endif + + # define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024 ++# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN 2048 + + # define DSA_FLAG_CACHE_MONT_P 0x01 + # if OPENSSL_API_COMPAT < 0x10100000L +Index: openssl-1.1.1n/include/openssl/evperr.h +=================================================================== +--- openssl-1.1.1n.orig/include/openssl/evperr.h ++++ openssl-1.1.1n/include/openssl/evperr.h +@@ -22,14 +22,15 @@ int ERR_load_EVP_strings(void); + * EVP function codes. + */ + # define EVP_F_AESNI_INIT_KEY 165 +-# define EVP_F_AESNI_XTS_INIT_KEY 207 ++# define EVP_F_AESNI_XTS_INIT_KEY 233 + # define EVP_F_AES_GCM_CTRL 196 + # define EVP_F_AES_INIT_KEY 133 + # define EVP_F_AES_OCB_CIPHER 169 + # define EVP_F_AES_T4_INIT_KEY 178 +-# define EVP_F_AES_T4_XTS_INIT_KEY 208 ++# define EVP_F_AES_T4_XTS_INIT_KEY 234 + # define EVP_F_AES_WRAP_CIPHER 170 +-# define EVP_F_AES_XTS_INIT_KEY 209 ++# define EVP_F_AES_XTS_CIPHER 229 ++# define EVP_F_AES_XTS_INIT_KEY 235 + # define EVP_F_ALG_MODULE_INIT 177 + # define EVP_F_ARIA_CCM_INIT_KEY 175 + # define EVP_F_ARIA_GCM_CTRL 197 +@@ -140,6 +141,7 @@ int ERR_load_EVP_strings(void); + # define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED 133 + # define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138 + # define EVP_R_DECODE_ERROR 114 ++# define EVP_R_DISABLED_FOR_FIPS 200 + # define EVP_R_DIFFERENT_KEY_TYPES 101 + # define EVP_R_DIFFERENT_PARAMETERS 153 + # define EVP_R_ERROR_LOADING_SECTION 165 +@@ -184,6 +186,7 @@ int ERR_load_EVP_strings(void); + # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 + # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146 + # define EVP_R_PUBLIC_KEY_NOT_RSA 106 ++# define EVP_R_TOO_LARGE 201 + # define EVP_R_UNKNOWN_CIPHER 160 + # define EVP_R_UNKNOWN_DIGEST 161 + # define EVP_R_UNKNOWN_OPTION 169 +@@ -199,6 +202,7 @@ int ERR_load_EVP_strings(void); + # define EVP_R_UNSUPPORTED_SALT_TYPE 126 + # define EVP_R_WRAP_MODE_NOT_ALLOWED 170 + # define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109 +-# define EVP_R_XTS_DUPLICATED_KEYS 183 ++# define EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE 191 ++# define EVP_R_XTS_DUPLICATED_KEYS 192 + + #endif +Index: openssl-1.1.1n/include/openssl/evp.h +=================================================================== +--- openssl-1.1.1n.orig/include/openssl/evp.h ++++ openssl-1.1.1n/include/openssl/evp.h +@@ -1324,6 +1324,9 @@ void EVP_PKEY_asn1_set_security_bits(EVP + */ + # define EVP_PKEY_FLAG_SIGCTX_CUSTOM 4 + ++/* Downstream modification, large value to avoid conflict */ ++# define EVP_PKEY_FLAG_FIPS 0x4000 ++ + const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type); + EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags); + void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags, +Index: openssl-1.1.1n/include/openssl/fips.h +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/include/openssl/fips.h +@@ -0,0 +1,187 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++ ++#ifndef OPENSSL_FIPS ++# error FIPS is disabled. ++#endif ++ ++#ifdef OPENSSL_FIPS ++ ++# ifdef __cplusplus ++extern "C" { ++# endif ++ ++ int FIPS_selftest(void); ++ int FIPS_selftest_failed(void); ++ int FIPS_selftest_drbg_all(void); ++ ++ int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, ++ const EVP_MD *evpmd, const unsigned char *seed_in, ++ size_t seed_len, int idx, unsigned char *seed_out, ++ int *counter_ret, unsigned long *h_ret, ++ BN_GENCB *cb); ++ int FIPS_dsa_paramgen_check_g(DSA *dsa); ++ ++/* BEGIN ERROR CODES */ ++/* The following lines are auto generated by the script mkerr.pl. Any changes ++ * made after this point may be overwritten when the script is next run. ++ */ ++ int ERR_load_FIPS_strings(void); ++ ++/* Error codes for the FIPS functions. */ ++ ++/* Function codes. */ ++# define FIPS_F_DH_BUILTIN_GENPARAMS 100 ++# define FIPS_F_DRBG_RESEED 121 ++# define FIPS_F_DSA_BUILTIN_PARAMGEN2 107 ++# define FIPS_F_DSA_DO_SIGN 102 ++# define FIPS_F_DSA_DO_VERIFY 103 ++# define FIPS_F_EVP_CIPHER_CTX_NEW 137 ++# define FIPS_F_EVP_CIPHER_CTX_RESET 122 ++# define FIPS_F_ECDH_COMPUTE_KEY 123 ++# define FIPS_F_EVP_CIPHERINIT_EX 124 ++# define FIPS_F_EVP_DIGESTINIT_EX 125 ++# define FIPS_F_FIPS_CHECK_DSA 104 ++# define FIPS_F_FIPS_CHECK_EC 142 ++# define FIPS_F_FIPS_CHECK_RSA 106 ++# define FIPS_F_FIPS_DRBG_BYTES 131 ++# define FIPS_F_FIPS_DRBG_CHECK 146 ++# define FIPS_F_FIPS_DRBG_CPRNG_TEST 132 ++# define FIPS_F_FIPS_DRBG_ERROR_CHECK 136 ++# define FIPS_F_FIPS_DRBG_GENERATE 134 ++# define FIPS_F_FIPS_DRBG_INIT 135 ++# define FIPS_F_FIPS_DRBG_INSTANTIATE 138 ++# define FIPS_F_FIPS_DRBG_NEW 139 ++# define FIPS_F_FIPS_DRBG_RESEED 140 ++# define FIPS_F_FIPS_DRBG_SINGLE_KAT 141 ++# define FIPS_F_FIPS_GET_ENTROPY 147 ++# define FIPS_F_FIPS_MODULE_MODE_SET 108 ++# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109 ++# define FIPS_F_FIPS_RAND_BYTES 114 ++# define FIPS_F_FIPS_RAND_SEED 128 ++# define FIPS_F_FIPS_RAND_SET_METHOD 126 ++# define FIPS_F_FIPS_RAND_STATUS 127 ++# define FIPS_F_FIPS_RSA_BUILTIN_KEYGEN 101 ++# define FIPS_F_FIPS_SELFTEST 150 ++# define FIPS_F_FIPS_SELFTEST_AES 110 ++# define FIPS_F_FIPS_SELFTEST_AES_CCM 145 ++# define FIPS_F_FIPS_SELFTEST_AES_GCM 129 ++# define FIPS_F_FIPS_SELFTEST_AES_XTS 144 ++# define FIPS_F_FIPS_SELFTEST_CMAC 130 ++# define FIPS_F_FIPS_SELFTEST_DES 111 ++# define FIPS_F_FIPS_SELFTEST_DSA 112 ++# define FIPS_F_FIPS_SELFTEST_ECDSA 133 ++# define FIPS_F_FIPS_SELFTEST_HMAC 113 ++# define FIPS_F_FIPS_SELFTEST_SHA1 115 ++# define FIPS_F_FIPS_SELFTEST_SHA2 105 ++# define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 ++# define FIPS_F_OSSL_ECDSA_VERIFY_SIG 148 ++# define FIPS_F_RSA_BUILTIN_KEYGEN 116 ++# define FIPS_F_RSA_OSSL_INIT 149 ++# define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT 117 ++# define FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT 118 ++# define FIPS_F_RSA_OSSL_PUBLIC_DECRYPT 119 ++# define FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT 120 ++ ++/* Reason codes. */ ++# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150 ++# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 125 ++# define FIPS_R_ALREADY_INSTANTIATED 134 ++# define FIPS_R_DRBG_NOT_INITIALISED 152 ++# define FIPS_R_DRBG_STUCK 103 ++# define FIPS_R_ENTROPY_ERROR_UNDETECTED 104 ++# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105 ++# define FIPS_R_ENTROPY_SOURCE_STUCK 142 ++# define FIPS_R_ERROR_INITIALISING_DRBG 115 ++# define FIPS_R_ERROR_INSTANTIATING_DRBG 127 ++# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 124 ++# define FIPS_R_ERROR_RETRIEVING_ENTROPY 122 ++# define FIPS_R_ERROR_RETRIEVING_NONCE 140 ++# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110 ++# define FIPS_R_FIPS_MODE_ALREADY_SET 102 ++# define FIPS_R_FIPS_SELFTEST_FAILED 106 ++# define FIPS_R_FUNCTION_ERROR 116 ++# define FIPS_R_GENERATE_ERROR 137 ++# define FIPS_R_GENERATE_ERROR_UNDETECTED 118 ++# define FIPS_R_INSTANTIATE_ERROR 119 ++# define FIPS_R_INTERNAL_ERROR 121 ++# define FIPS_R_INVALID_KEY_LENGTH 109 ++# define FIPS_R_IN_ERROR_STATE 123 ++# define FIPS_R_KEY_TOO_SHORT 108 ++# define FIPS_R_NONCE_ERROR_UNDETECTED 149 ++# define FIPS_R_NON_FIPS_METHOD 100 ++# define FIPS_R_NOPR_TEST1_FAILURE 145 ++# define FIPS_R_NOPR_TEST2_FAILURE 146 ++# define FIPS_R_NOT_INSTANTIATED 126 ++# define FIPS_R_PAIRWISE_TEST_FAILED 107 ++# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128 ++# define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129 ++# define FIPS_R_PR_TEST1_FAILURE 147 ++# define FIPS_R_PR_TEST2_FAILURE 148 ++# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130 ++# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131 ++# define FIPS_R_RESEED_COUNTER_ERROR 132 ++# define FIPS_R_RESEED_ERROR 133 ++# define FIPS_R_SELFTEST_FAILED 101 ++# define FIPS_R_SELFTEST_FAILURE 135 ++# define FIPS_R_TEST_FAILURE 117 ++# define FIPS_R_UNINSTANTIATE_ERROR 141 ++# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138 ++# define FIPS_R_UNSUPPORTED_DRBG_TYPE 139 ++# define FIPS_R_UNSUPPORTED_PLATFORM 113 ++ ++# ifdef __cplusplus ++} ++# endif ++#endif +Index: openssl-1.1.1n/include/openssl/fips_rand.h +=================================================================== +--- /dev/null ++++ openssl-1.1.1n/include/openssl/fips_rand.h +@@ -0,0 +1,145 @@ ++/* ==================================================================== ++ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ++ */ ++ ++#ifndef HEADER_FIPS_RAND_H ++# define HEADER_FIPS_RAND_H ++ ++# include ++# include ++# include ++# include ++ ++# ifdef OPENSSL_FIPS ++ ++# ifdef __cplusplus ++extern "C" { ++# endif ++ typedef struct drbg_ctx_st DRBG_CTX; ++/* DRBG external flags */ ++/* Flag for CTR mode only: use derivation function ctr_df */ ++# define DRBG_FLAG_CTR_USE_DF 0x1 ++/* PRNG is in test state */ ++# define DRBG_FLAG_TEST 0x2 ++ ++ DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags); ++ int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags); ++ int FIPS_drbg_instantiate(DRBG_CTX *dctx, ++ const unsigned char *pers, size_t perslen); ++ int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin, ++ size_t adinlen); ++ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, ++ int prediction_resistance, ++ const unsigned char *adin, size_t adinlen); ++ ++ int FIPS_drbg_uninstantiate(DRBG_CTX *dctx); ++ void FIPS_drbg_free(DRBG_CTX *dctx); ++ ++ int FIPS_drbg_set_callbacks(DRBG_CTX *dctx, ++ size_t (*get_entropy) (DRBG_CTX *ctx, ++ unsigned char **pout, ++ int entropy, ++ size_t min_len, ++ size_t max_len), ++ void (*cleanup_entropy) (DRBG_CTX *ctx, ++ unsigned char *out, ++ size_t olen), ++ size_t entropy_blocklen, ++ size_t (*get_nonce) (DRBG_CTX *ctx, ++ unsigned char **pout, ++ int entropy, ++ size_t min_len, ++ size_t max_len), ++ void (*cleanup_nonce) (DRBG_CTX *ctx, ++ unsigned char *out, ++ size_t olen)); ++ ++ int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx, ++ size_t (*get_adin) (DRBG_CTX *ctx, ++ unsigned char ++ **pout), ++ void (*cleanup_adin) (DRBG_CTX *ctx, ++ unsigned char *out, ++ size_t olen), ++ int (*rand_seed_cb) (DRBG_CTX *ctx, ++ const void *buf, ++ int num), ++ int (*rand_add_cb) (DRBG_CTX *ctx, ++ const void *buf, ++ int num, ++ double entropy)); ++ ++ void *FIPS_drbg_get_app_data(DRBG_CTX *ctx); ++ void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data); ++ size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx); ++ int FIPS_drbg_get_strength(DRBG_CTX *dctx); ++ void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval); ++ void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval); ++ ++ int FIPS_drbg_health_check(DRBG_CTX *dctx); ++ ++ DRBG_CTX *FIPS_get_default_drbg(void); ++ const RAND_METHOD *FIPS_drbg_method(void); ++ ++ int FIPS_rand_set_method(const RAND_METHOD *meth); ++ const RAND_METHOD *FIPS_rand_get_method(void); ++ ++ void FIPS_rand_set_bits(int nbits); ++ ++ int FIPS_rand_strength(void); ++ ++/* 1.0.0 compat functions */ ++ int FIPS_rand_seed(const void *buf, int num); ++ int FIPS_rand_bytes(unsigned char *out, int outlen); ++ void FIPS_rand_reset(void); ++ int FIPS_rand_status(void); ++# ifdef __cplusplus ++} ++# endif ++# endif ++#endif +Index: openssl-1.1.1n/include/openssl/opensslconf.h.in +=================================================================== +--- openssl-1.1.1n.orig/include/openssl/opensslconf.h.in ++++ openssl-1.1.1n/include/openssl/opensslconf.h.in +@@ -155,6 +155,11 @@ extern "C" { + + #define RC4_INT {- $config{rc4_int} -} + ++/* Always build FIPS module */ ++#ifndef OPENSSL_FIPS ++# define OPENSSL_FIPS ++#endif ++ + #ifdef __cplusplus + } + #endif +Index: openssl-1.1.1n/include/openssl/randerr.h +=================================================================== +--- openssl-1.1.1n.orig/include/openssl/randerr.h ++++ openssl-1.1.1n/include/openssl/randerr.h +@@ -38,6 +38,7 @@ int ERR_load_RAND_strings(void); + # define RAND_F_RAND_DRBG_SET 104 + # define RAND_F_RAND_DRBG_SET_DEFAULTS 121 + # define RAND_F_RAND_DRBG_UNINSTANTIATE 118 ++# define RAND_F_RAND_INIT_FIPS 200 + # define RAND_F_RAND_LOAD_FILE 111 + # define RAND_F_RAND_POOL_ACQUIRE_ENTROPY 122 + # define RAND_F_RAND_POOL_ADD 103 +Index: openssl-1.1.1n/include/openssl/rand.h +=================================================================== +--- openssl-1.1.1n.orig/include/openssl/rand.h ++++ openssl-1.1.1n/include/openssl/rand.h +@@ -69,6 +69,11 @@ DEPRECATEDIN_1_1_0(void RAND_screen(void + DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM)) + # endif + ++# ifdef OPENSSL_FIPS ++/* just stubs for API compatibility */ ++void RAND_set_fips_drbg_type(int type, int flags); ++int RAND_init_fips(void); ++# endif + + #ifdef __cplusplus + } +Index: openssl-1.1.1n/include/openssl/rsaerr.h +=================================================================== +--- openssl-1.1.1n.orig/include/openssl/rsaerr.h ++++ openssl-1.1.1n/include/openssl/rsaerr.h +@@ -25,6 +25,7 @@ int ERR_load_RSA_strings(void); + */ + # define RSA_F_CHECK_PADDING_MD 140 + # define RSA_F_ENCODE_PKCS1 146 ++# define RSA_F_FIPS_RSA_BUILTIN_KEYGEN 206 + # define RSA_F_INT_RSA_VERIFY 145 + # define RSA_F_OLD_RSA_PRIV_DECODE 147 + # define RSA_F_PKEY_PSS_INIT 165 +@@ -39,6 +40,8 @@ int ERR_load_RSA_strings(void); + # define RSA_F_RSA_CHECK_KEY_EX 160 + # define RSA_F_RSA_CMS_DECRYPT 159 + # define RSA_F_RSA_CMS_VERIFY 158 ++# define RSA_F_RSA_GENERATE_KEY_EX 204 ++# define RSA_F_RSA_GENERATE_MULTI_PRIME_KEY 207 + # define RSA_F_RSA_ITEM_VERIFY 148 + # define RSA_F_RSA_METH_DUP 161 + # define RSA_F_RSA_METH_NEW 162 +@@ -76,10 +79,16 @@ int ERR_load_RSA_strings(void); + # define RSA_F_RSA_PRINT_FP 116 + # define RSA_F_RSA_PRIV_DECODE 150 + # define RSA_F_RSA_PRIV_ENCODE 138 ++# define RSA_F_RSA_PRIVATE_DECRYPT 200 ++# define RSA_F_RSA_PRIVATE_ENCRYPT 201 + # define RSA_F_RSA_PSS_GET_PARAM 151 + # define RSA_F_RSA_PSS_TO_CTX 155 + # define RSA_F_RSA_PUB_DECODE 139 ++# define RSA_F_RSA_PUBLIC_DECRYPT 202 ++# define RSA_F_RSA_PUBLIC_ENCRYPT 203 + # define RSA_F_RSA_SETUP_BLINDING 136 ++# define RSA_F_RSA_SET_DEFAULT_METHOD 205 ++# define RSA_F_RSA_SET_METHOD 204 + # define RSA_F_RSA_SIGN 117 + # define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118 + # define RSA_F_RSA_VERIFY 119 +@@ -137,10 +146,12 @@ int ERR_load_RSA_strings(void); + # define RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D 169 + # define RSA_R_MP_R_NOT_PRIME 170 + # define RSA_R_NO_PUBLIC_EXPONENT 140 ++# define RSA_R_NON_FIPS_RSA_METHOD 200 + # define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 + # define RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES 172 + # define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 + # define RSA_R_OAEP_DECODING_ERROR 121 ++# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 201 + # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 + # define RSA_R_PADDING_CHECK_FAILED 114 + # define RSA_R_PKCS_DECODING_ERROR 159 +@@ -160,6 +171,7 @@ int ERR_load_RSA_strings(void); + # define RSA_R_UNSUPPORTED_LABEL_SOURCE 163 + # define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153 + # define RSA_R_UNSUPPORTED_MASK_PARAMETER 154 ++# define RSA_R_UNSUPPORTED_PARAMETERS 202 + # define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155 + # define RSA_R_VALUE_MISSING 147 + # define RSA_R_WRONG_SIGNATURE_LENGTH 119 +Index: openssl-1.1.1n/ssl/s3_lib.c +=================================================================== +--- openssl-1.1.1n.orig/ssl/s3_lib.c ++++ openssl-1.1.1n/ssl/s3_lib.c +@@ -43,7 +43,7 @@ static SSL_CIPHER tls13_ciphers[] = { + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, +- SSL_HIGH, ++ SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256, + 128, + 128, +@@ -58,7 +58,7 @@ static SSL_CIPHER tls13_ciphers[] = { + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, +- SSL_HIGH, ++ SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384, + 256, + 256, +@@ -92,7 +92,7 @@ static SSL_CIPHER tls13_ciphers[] = { + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256, + 128, + 128, +@@ -634,7 +634,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, +@@ -650,7 +650,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 256, + 256, +@@ -666,7 +666,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, +@@ -682,7 +682,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 256, + 256, +@@ -794,7 +794,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, +@@ -810,7 +810,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 256, + 256, +@@ -890,7 +890,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, +@@ -906,7 +906,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 256, + 256, +Index: openssl-1.1.1n/ssl/ssl_ciph.c +=================================================================== +--- openssl-1.1.1n.orig/ssl/ssl_ciph.c ++++ openssl-1.1.1n/ssl/ssl_ciph.c +@@ -385,7 +385,7 @@ int ssl_load_ciphers(void) + } + } + /* Make sure we can access MD5 and SHA1 */ +- if (!ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL)) ++ if (!FIPS_mode() && !ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL)) + return 0; + if (!ossl_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL)) + return 0; +@@ -557,6 +557,9 @@ int ssl_cipher_get_evp(const SSL_SESSION + s->ssl_version < TLS1_VERSION) + return 1; + ++ if (FIPS_mode()) ++ return 1; ++ + if (c->algorithm_enc == SSL_RC4 && + c->algorithm_mac == SSL_MD5 && + (evp = EVP_get_cipherbyname("RC4-HMAC-MD5"))) +@@ -665,6 +668,8 @@ static void ssl_cipher_collect_ciphers(c + /* drop those that use any of that is not available */ + if (c == NULL || !c->valid) + continue; ++ if (FIPS_mode() && !(c->algo_strength & SSL_FIPS)) ++ continue; + if ((c->algorithm_mkey & disabled_mkey) || + (c->algorithm_auth & disabled_auth) || + (c->algorithm_enc & disabled_enc) || +@@ -1619,7 +1624,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + * to the resulting precedence to the STACK_OF(SSL_CIPHER). + */ + for (curr = head; curr != NULL; curr = curr->next) { +- if (curr->active) { ++ if (curr->active ++ && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) { + if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { + OPENSSL_free(co_list); + sk_SSL_CIPHER_free(cipherstack); +Index: openssl-1.1.1n/ssl/ssl_init.c +=================================================================== +--- openssl-1.1.1n.orig/ssl/ssl_init.c ++++ openssl-1.1.1n/ssl/ssl_init.c +@@ -27,6 +27,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas + fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " + "Adding SSL ciphers and digests\n"); + #endif ++#ifdef OPENSSL_FIPS ++ if (!FIPS_mode()) { ++#endif ++ + #ifndef OPENSSL_NO_DES + EVP_add_cipher(EVP_des_cbc()); + EVP_add_cipher(EVP_des_ede3_cbc()); +@@ -87,6 +91,31 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas + EVP_add_digest(EVP_sha256()); + EVP_add_digest(EVP_sha384()); + EVP_add_digest(EVP_sha512()); ++#ifdef OPENSSL_FIPS ++ } else { ++# ifndef OPENSSL_NO_DES ++ EVP_add_cipher(EVP_des_ede3_cbc()); ++# endif ++ EVP_add_cipher(EVP_aes_128_cbc()); ++ EVP_add_cipher(EVP_aes_192_cbc()); ++ EVP_add_cipher(EVP_aes_256_cbc()); ++ EVP_add_cipher(EVP_aes_128_gcm()); ++ EVP_add_cipher(EVP_aes_256_gcm()); ++ EVP_add_cipher(EVP_aes_128_ccm()); ++ EVP_add_cipher(EVP_aes_256_ccm()); ++# ifndef OPENSSL_NO_MD5 ++ /* needed even in the FIPS mode for TLS-1.0 */ ++ EVP_add_digest(EVP_md5_sha1()); ++# endif ++ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */ ++ EVP_add_digest_alias(SN_sha1, "ssl3-sha1"); ++ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA); ++ EVP_add_digest(EVP_sha224()); ++ EVP_add_digest(EVP_sha256()); ++ EVP_add_digest(EVP_sha384()); ++ EVP_add_digest(EVP_sha512()); ++ } ++#endif + #ifndef OPENSSL_NO_COMP + # ifdef OPENSSL_INIT_DEBUG + fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " +Index: openssl-1.1.1n/ssl/ssl_lib.c +=================================================================== +--- openssl-1.1.1n.orig/ssl/ssl_lib.c ++++ openssl-1.1.1n/ssl/ssl_lib.c +@@ -3025,6 +3025,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m + if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) + return NULL; + ++ if (FIPS_mode() && (meth->version < TLS1_VERSION)) { ++ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE); ++ return NULL; ++ } ++ + if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { + SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); + goto err; +@@ -3081,13 +3086,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m + if (ret->param == NULL) + goto err; + +- if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { +- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); +- goto err2; +- } +- if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { +- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); +- goto err2; ++ if (!FIPS_mode()) { ++ if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { ++ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); ++ goto err2; ++ } ++ if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { ++ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); ++ goto err2; ++ } ++ } else { ++ ret->min_proto_version = TLS1_VERSION; + } + + if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) +Index: openssl-1.1.1n/ssl/ssl_local.h +=================================================================== +--- openssl-1.1.1n.orig/ssl/ssl_local.h ++++ openssl-1.1.1n/ssl/ssl_local.h +@@ -1515,6 +1515,7 @@ typedef struct tls_group_info_st { + # define TLS_CURVE_PRIME 0x0 + # define TLS_CURVE_CHAR2 0x1 + # define TLS_CURVE_CUSTOM 0x2 ++# define TLS_CURVE_FIPS 0x80 + + typedef struct cert_pkey_st CERT_PKEY; + +Index: openssl-1.1.1n/ssl/t1_lib.c +=================================================================== +--- openssl-1.1.1n.orig/ssl/t1_lib.c ++++ openssl-1.1.1n/ssl/t1_lib.c +@@ -159,11 +159,11 @@ static const TLS_GROUP_INFO nid_list[] = + {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */ + {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */ + {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */ +- {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */ ++ {NID_secp224r1, 112, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp224r1 (21) */ + {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */ +- {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */ +- {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */ +- {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */ ++ {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp256r1 (23) */ ++ {NID_secp384r1, 192, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp384r1 (24) */ ++ {NID_secp521r1, 256, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp521r1 (25) */ + {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */ + {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */ + {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */ +@@ -258,6 +258,8 @@ int tls_curve_allowed(SSL *s, uint16_t c + if (cinfo->flags & TLS_CURVE_CHAR2) + return 0; + # endif ++ if (FIPS_mode() && !(cinfo->flags & TLS_CURVE_FIPS)) ++ return 0; + ctmp[0] = curve >> 8; + ctmp[1] = curve & 0xff; + return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp); +Index: openssl-1.1.1n/test/dsatest.c +=================================================================== +--- openssl-1.1.1n.orig/test/dsatest.c ++++ openssl-1.1.1n/test/dsatest.c +@@ -24,41 +24,42 @@ + #ifndef OPENSSL_NO_DSA + static int dsa_cb(int p, int n, BN_GENCB *arg); + +-/* +- * seed, out_p, out_q, out_g are taken from the updated Appendix 5 to FIPS +- * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1 +- */ + static unsigned char seed[20] = { +- 0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b, 0x40, +- 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3, ++ 0x02, 0x47, 0x11, 0x92, 0x11, 0x88, 0xC8, 0xFB, 0xAF, 0x48, 0x4C, 0x62, ++ 0xDF, 0xA5, 0xBE, 0xA0, 0xA4, 0x3C, 0x56, 0xE3, + }; + + static unsigned char out_p[] = { +- 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa, +- 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb, +- 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7, +- 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5, +- 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf, +- 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac, +- 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2, +- 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91, ++ 0xAC, 0xCB, 0x1E, 0x63, 0x60, 0x69, 0x0C, 0xFB, 0x06, 0x19, 0x68, 0x3E, ++ 0xA5, 0x01, 0x5A, 0xA2, 0x15, 0x5C, 0xE2, 0x99, 0x2D, 0xD5, 0x30, 0x99, ++ 0x7E, 0x5F, 0x8D, 0xE2, 0xF7, 0xC6, 0x2E, 0x8D, 0xA3, 0x9F, 0x58, 0xAD, ++ 0xD6, 0xA9, 0x7D, 0x0E, 0x0D, 0x95, 0x53, 0xA6, 0x71, 0x3A, 0xDE, 0xAB, ++ 0xAC, 0xE9, 0xF4, 0x36, 0x55, 0x9E, 0xB9, 0xD6, 0x93, 0xBF, 0xF3, 0x18, ++ 0x1C, 0x14, 0x7B, 0xA5, 0x42, 0x2E, 0xCD, 0x00, 0xEB, 0x35, 0x3B, 0x1B, ++ 0xA8, 0x51, 0xBB, 0xE1, 0x58, 0x42, 0x85, 0x84, 0x22, 0xA7, 0x97, 0x5E, ++ 0x99, 0x6F, 0x38, 0x20, 0xBD, 0x9D, 0xB6, 0xD9, 0x33, 0x37, 0x2A, 0xFD, ++ 0xBB, 0xD4, 0xBC, 0x0C, 0x2A, 0x67, 0xCB, 0x9F, 0xBB, 0xDF, 0xF9, 0x93, ++ 0xAA, 0xD6, 0xF0, 0xD6, 0x95, 0x0B, 0x5D, 0x65, 0x14, 0xD0, 0x18, 0x9D, ++ 0xC6, 0xAF, 0xF0, 0xC6, 0x37, 0x7C, 0xF3, 0x5F, + }; + + static unsigned char out_q[] = { +- 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee, +- 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e, +- 0xda, 0xce, 0x91, 0x5f, ++ 0xE3, 0x8E, 0x5E, 0x6D, 0xBF, 0x2B, 0x79, 0xF8, 0xC5, 0x4B, 0x89, 0x8B, ++ 0xBA, 0x2D, 0x91, 0xC3, 0x6C, 0x80, 0xAC, 0x87, + }; + + static unsigned char out_g[] = { +- 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13, +- 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00, +- 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb, +- 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e, +- 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf, +- 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c, +- 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c, +- 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02, ++ 0x42, 0x4A, 0x04, 0x4E, 0x79, 0xB4, 0x99, 0x7F, 0xFD, 0x58, 0x36, 0x2C, ++ 0x1B, 0x5F, 0x18, 0x7E, 0x0D, 0xCC, 0xAB, 0x81, 0xC9, 0x5D, 0x10, 0xCE, ++ 0x4E, 0x80, 0x7E, 0x58, 0xB4, 0x34, 0x3F, 0xA7, 0x45, 0xC7, 0xAA, 0x36, ++ 0x24, 0x42, 0xA9, 0x3B, 0xE8, 0x0E, 0x04, 0x02, 0x2D, 0xFB, 0xA6, 0x13, ++ 0xB9, 0xB5, 0x15, 0xA5, 0x56, 0x07, 0x35, 0xE4, 0x03, 0xB6, 0x79, 0x7C, ++ 0x62, 0xDD, 0xDF, 0x3F, 0x71, 0x3A, 0x9D, 0x8B, 0xC4, 0xF6, 0xE7, 0x1D, ++ 0x52, 0xA8, 0xA9, 0x43, 0x1D, 0x33, 0x51, 0x88, 0x39, 0xBD, 0x73, 0xE9, ++ 0x5F, 0xBE, 0x82, 0x49, 0x27, 0xE6, 0xB5, 0x53, 0xC1, 0x38, 0xAC, 0x2F, ++ 0x6D, 0x97, 0x6C, 0xEB, 0x67, 0xC1, 0x5F, 0x67, 0xF8, 0x35, 0x05, 0x5E, ++ 0xD5, 0x68, 0x80, 0xAA, 0x96, 0xCA, 0x0B, 0x8A, 0xE6, 0xF1, 0xB1, 0x41, ++ 0xC6, 0x75, 0x94, 0x0A, 0x0A, 0x2A, 0xFA, 0x29, + }; + + static const unsigned char str1[] = "12345678901234567890"; +@@ -79,11 +80,11 @@ static int dsa_test(void) + + BN_GENCB_set(cb, dsa_cb, NULL); + if (!TEST_ptr(dsa = DSA_new()) +- || !TEST_true(DSA_generate_parameters_ex(dsa, 512, seed, 20, ++ || !TEST_true(DSA_generate_parameters_ex(dsa, 1024, seed, 20, + &counter, &h, cb))) + goto end; + +- if (!TEST_int_eq(counter, 105)) ++ if (!TEST_int_eq(counter, 239)) + goto end; + if (!TEST_int_eq(h, 2)) + goto end; +Index: openssl-1.1.1n/test/recipes/30-test_evp_data/evpciph.txt +=================================================================== +--- openssl-1.1.1n.orig/test/recipes/30-test_evp_data/evpciph.txt ++++ openssl-1.1.1n/test/recipes/30-test_evp_data/evpciph.txt +@@ -1206,6 +1206,7 @@ Key = 0000000000000000000000000000000000 + IV = 00000000000000000000000000000000 + Plaintext = 0000000000000000000000000000000000000000000000000000000000000000 + Ciphertext = 917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e ++Result = KEY_SET_ERROR + + Cipher = aes-128-xts + Key = 1111111111111111111111111111111122222222222222222222222222222222 +Index: openssl-1.1.1n/util/libcrypto.num +=================================================================== +--- openssl-1.1.1n.orig/util/libcrypto.num ++++ openssl-1.1.1n/util/libcrypto.num +@@ -4591,3 +4591,38 @@ X509_ALGOR_copy + X509_REQ_set0_signature 4545 1_1_1h EXIST::FUNCTION: + X509_REQ_set1_signature_algo 4546 1_1_1h EXIST::FUNCTION: + EC_KEY_decoded_from_explicit_params 4547 1_1_1h EXIST::FUNCTION:EC ++FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION: ++FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION: ++FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION: ++FIPS_get_default_drbg 6351 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_set_reseed_interval 6352 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_set_app_data 6353 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_method 6354 1_1_0g EXIST::FUNCTION: ++FIPS_rand_status 6355 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_instantiate 6356 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_set_callbacks 6357 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_new 6358 1_1_0g EXIST::FUNCTION: ++FIPS_dsa_paramgen_check_g 6359 1_1_0g EXIST::FUNCTION: ++FIPS_selftest 6360 1_1_0g EXIST::FUNCTION: ++FIPS_rand_set_bits 6361 1_1_0g EXIST::FUNCTION: ++FIPS_rand_bytes 6362 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_get_app_data 6363 1_1_0g EXIST::FUNCTION: ++FIPS_selftest_failed 6364 1_1_0g EXIST::FUNCTION: ++FIPS_dsa_builtin_paramgen2 6365 1_1_0g EXIST::FUNCTION: ++FIPS_rand_reset 6366 1_1_0g EXIST::FUNCTION: ++ERR_load_FIPS_strings 6367 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_generate 6368 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_uninstantiate 6369 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_set_check_interval 6370 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_free 6371 1_1_0g EXIST::FUNCTION: ++FIPS_selftest_drbg_all 6372 1_1_0g EXIST::FUNCTION: ++FIPS_rand_get_method 6373 1_1_0g EXIST::FUNCTION: ++RAND_set_fips_drbg_type 6374 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_health_check 6375 1_1_0g EXIST::FUNCTION: ++RAND_init_fips 6376 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_set_rand_callbacks 6377 1_1_0g EXIST::FUNCTION: ++FIPS_rand_seed 6378 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_get_strength 6379 1_1_0g EXIST::FUNCTION: ++FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION: ++FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION: +Index: openssl-1.1.1n/crypto/err/openssl.txt +=================================================================== +--- openssl-1.1.1n.orig/crypto/err/openssl.txt ++++ openssl-1.1.1n/crypto/err/openssl.txt +@@ -822,6 +822,57 @@ EVP_F_RC5_CTRL:125:rc5_ctrl + EVP_F_R_32_12_16_INIT_KEY:242:r_32_12_16_init_key + EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl + EVP_F_UPDATE:173:update ++FIPS_F_DH_BUILTIN_GENPARAMS:100:dh_builtin_genparams ++FIPS_F_DRBG_RESEED:121:drbg_reseed ++FIPS_F_DSA_BUILTIN_PARAMGEN2:107:dsa_builtin_paramgen2 ++FIPS_F_DSA_DO_SIGN:102:DSA_do_sign ++FIPS_F_DSA_DO_VERIFY:103:DSA_do_verify ++FIPS_F_ECDH_COMPUTE_KEY:123:ECDH_compute_key ++FIPS_F_EVP_CIPHER_CTX_NEW:137:EVP_CIPHER_CTX_new ++FIPS_F_EVP_CIPHER_CTX_RESET:122:EVP_CIPHER_CTX_reset ++FIPS_F_EVP_CIPHERINIT_EX:124:EVP_CipherInit_ex ++FIPS_F_EVP_DIGESTINIT_EX:125:EVP_DigestInit_ex ++FIPS_F_FIPS_CHECK_DSA:104:fips_check_dsa ++FIPS_F_FIPS_CHECK_EC:142:fips_check_ec ++FIPS_F_FIPS_CHECK_RSA:106:fips_check_rsa ++FIPS_F_FIPS_DRBG_BYTES:131:fips_drbg_bytes ++FIPS_F_FIPS_DRBG_CHECK:146:fips_drbg_check ++FIPS_F_FIPS_DRBG_CPRNG_TEST:132:fips_drbg_cprng_test ++FIPS_F_FIPS_DRBG_ERROR_CHECK:136:fips_drbg_error_check ++FIPS_F_FIPS_DRBG_GENERATE:134:FIPS_drbg_generate ++FIPS_F_FIPS_DRBG_INIT:138:FIPS_drbg_init ++FIPS_F_FIPS_DRBG_INSTANTIATE:138:FIPS_drbg_instantiate ++FIPS_F_FIPS_DRBG_NEW:139:FIPS_drbg_new ++FIPS_F_FIPS_DRBG_RESEED:140:FIPS_drbg_reseed ++FIPS_F_FIPS_DRBG_SINGLE_KAT:141:FIPS_DRBG_SINGLE_KAT ++FIPS_F_FIPS_GET_ENTROPY:147:fips_get_entropy ++FIPS_F_FIPS_MODULE_MODE_SET:108:FIPS_module_mode_set ++FIPS_F_FIPS_PKEY_SIGNATURE_TEST:109:fips_pkey_signature_test ++FIPS_F_FIPS_RAND_BYTES:114:FIPS_rand_bytes ++FIPS_F_FIPS_RAND_SEED:128:FIPS_rand_seed ++FIPS_F_FIPS_RAND_SET_METHOD:126:FIPS_rand_set_method ++FIPS_F_FIPS_RAND_STATUS:127:FIPS_rand_status ++FIPS_F_FIPS_RSA_BUILTIN_KEYGEN:101:fips_rsa_builtin_keygen ++FIPS_F_FIPS_SELFTEST:150:FIPS_selftest ++FIPS_F_FIPS_SELFTEST_AES:110:FIPS_selftest_aes ++FIPS_F_FIPS_SELFTEST_AES_CCM:145:FIPS_selftest_aes_ccm ++FIPS_F_FIPS_SELFTEST_AES_GCM:129:FIPS_selftest_aes_gcm ++FIPS_F_FIPS_SELFTEST_AES_XTS:144:FIPS_selftest_aes_xts ++FIPS_F_FIPS_SELFTEST_CMAC:130:FIPS_selftest_cmac ++FIPS_F_FIPS_SELFTEST_DES:111:FIPS_selftest_des ++FIPS_F_FIPS_SELFTEST_DSA:112:FIPS_selftest_dsa ++FIPS_F_FIPS_SELFTEST_ECDSA:133:FIPS_selftest_ecdsa ++FIPS_F_FIPS_SELFTEST_HMAC:113:FIPS_selftest_hmac ++FIPS_F_FIPS_SELFTEST_SHA1:115:FIPS_selftest_sha1 ++FIPS_F_FIPS_SELFTEST_SHA2:105:FIPS_selftest_sha2 ++FIPS_F_OSSL_ECDSA_SIGN_SIG:143:ossl_ecdsa_sign_sig ++FIPS_F_OSSL_ECDSA_VERIFY_SIG:148:ossl_ecdsa_verify_sig ++FIPS_F_RSA_BUILTIN_KEYGEN:116:rsa_builtin_keygen ++FIPS_F_RSA_OSSL_INIT:149:rsa_ossl_init ++FIPS_F_RSA_OSSL_PRIVATE_DECRYPT:117:rsa_ossl_private_decrypt ++FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT:118:rsa_ossl_private_encrypt ++FIPS_F_RSA_OSSL_PUBLIC_DECRYPT:119:rsa_ossl_public_decrypt ++FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT:120:rsa_ossl_public_encrypt + KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str + KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive + KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init +@@ -2318,6 +2369,61 @@ EVP_R_UNSUPPORTED_SALT_TYPE:126:unsuppor + EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mode not allowed + EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length + EVP_R_XTS_DUPLICATED_KEYS:183:xts duplicated keys ++FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED:150:\ ++ additional input error undetected ++FIPS_R_ADDITIONAL_INPUT_TOO_LONG:125:\ ++ additional input too long ++FIPS_R_ALREADY_INSTANTIATED:134:already instantiated ++FIPS_R_DRBG_NOT_INITIALISED:152:drbg not initialised ++FIPS_R_DRBG_STUCK:103:drbg stuck ++FIPS_R_ENTROPY_ERROR_UNDETECTED:104:entropy error undetected ++FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED:105:\ ++ entropy not requested for reseed ++FIPS_R_ENTROPY_SOURCE_STUCK:142:entropy source stuck ++FIPS_R_ERROR_INITIALISING_DRBG:115:error initialising drbg ++FIPS_R_ERROR_INSTANTIATING_DRBG:127:error instantiating drbg ++FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT:124:\ ++ error retrieving additional input ++FIPS_R_ERROR_RETRIEVING_ENTROPY:122:error retrieving entropy ++FIPS_R_ERROR_RETRIEVING_NONCE:140:error retrieving nonce ++FIPS_R_FINGERPRINT_DOES_NOT_MATCH:110:\ ++ fingerprint does not match ++FIPS_R_FIPS_MODE_ALREADY_SET:102:fips mode already set ++FIPS_R_FIPS_SELFTEST_FAILED:106:fips selftest failed ++FIPS_R_FUNCTION_ERROR:116:function error ++FIPS_R_GENERATE_ERROR:137:generate error ++FIPS_R_GENERATE_ERROR_UNDETECTED:118:\ ++ generate error undetected ++FIPS_R_INSTANTIATE_ERROR:119:instantiate error ++FIPS_R_INTERNAL_ERROR:121:internal error ++FIPS_R_INVALID_KEY_LENGTH:109:invalid key length ++FIPS_R_IN_ERROR_STATE:123:in error state ++FIPS_R_KEY_TOO_SHORT:108:key too short ++FIPS_R_NONCE_ERROR_UNDETECTED:149:nonce error undetected ++FIPS_R_NON_FIPS_METHOD:100:non fips method ++FIPS_R_NOPR_TEST1_FAILURE:145:nopr test1 failure ++FIPS_R_NOPR_TEST2_FAILURE:146:nopr test2 failure ++FIPS_R_NOT_INSTANTIATED:126:not instantiated ++FIPS_R_PAIRWISE_TEST_FAILED:107:pairwise test failed ++FIPS_R_PERSONALISATION_ERROR_UNDETECTED:128:\ ++ personalisation error undetected ++FIPS_R_PERSONALISATION_STRING_TOO_LONG:129:\ ++ personalisation string too long ++FIPS_R_PR_TEST1_FAILURE:147:pr test1 failure ++FIPS_R_PR_TEST2_FAILURE:148:pr test2 failure ++FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED:130:\ ++ request length error undetected ++FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG:131:\ ++ request too large for drbg ++FIPS_R_RESEED_COUNTER_ERROR:132:reseed counter error ++FIPS_R_RESEED_ERROR:133:reseed error ++FIPS_R_SELFTEST_FAILED:101:selftest failed ++FIPS_R_SELFTEST_FAILURE:135:selftest failure ++FIPS_R_TEST_FAILURE:117:test failure ++FIPS_R_UNINSTANTIATE_ERROR:141:uninstantiate error ++FIPS_R_UNINSTANTIATE_ZEROISE_ERROR:138:uninstantiate zeroise error ++FIPS_R_UNSUPPORTED_DRBG_TYPE:139:unsupported drbg type ++FIPS_R_UNSUPPORTED_PLATFORM:113:unsupported platform + KDF_R_INVALID_DIGEST:100:invalid digest + KDF_R_MISSING_ITERATION_COUNT:109:missing iteration count + KDF_R_MISSING_KEY:104:missing key diff --git a/openssl-1.1.1-ssh-kdf.patch b/openssl-1.1.1-ssh-kdf.patch new file mode 100644 index 0000000..44c6df4 --- /dev/null +++ b/openssl-1.1.1-ssh-kdf.patch @@ -0,0 +1,5583 @@ +commit 1e662a43f0420cfdc40d01cd70c27fa1c220a57e +Author: Simo Sorce +Date: Wed Sep 19 16:23:45 2018 -0400 + + Implement SSH KDF + + SSH's KDF is defined in RFC 4253 in Section 7.2 + + Signed-off-by: Simo Sorce + + Reviewed-by: Paul Dale + Reviewed-by: Matt Caswell + (Merged from https://github.com/openssl/openssl/pull/7290) + +Index: openssl-1.1.1d/crypto/err/openssl.txt +=================================================================== +--- openssl-1.1.1d.orig/crypto/err/openssl.txt 2020-01-23 13:45:11.468634429 +0100 ++++ openssl-1.1.1d/crypto/err/openssl.txt 2020-01-23 13:45:11.488634548 +0100 +@@ -839,6 +839,10 @@ KDF_F_KDF_SCRYPT_CTRL_UINT32:121:kdf_scr + KDF_F_KDF_SCRYPT_CTRL_UINT64:122:kdf_scrypt_ctrl_uint64 + KDF_F_KDF_SCRYPT_DERIVE:123:kdf_scrypt_derive + KDF_F_KDF_SCRYPT_NEW:124:kdf_scrypt_new ++KDF_F_KDF_SSHKDF_CTRL:130:kdf_sshkdf_ctrl ++KDF_F_KDF_SSHKDF_CTRL_STR:131:kdf_sshkdf_ctrl_str ++KDF_F_KDF_SSHKDF_DERIVE:132:kdf_sshkdf_derive ++KDF_F_KDF_SSHKDF_NEW:133:kdf_sshkdf_new + KDF_F_KDF_TLS1_PRF_CTRL_STR:125:kdf_tls1_prf_ctrl_str + KDF_F_KDF_TLS1_PRF_DERIVE:126:kdf_tls1_prf_derive + KDF_F_KDF_TLS1_PRF_NEW:127:kdf_tls1_prf_new +@@ -2337,6 +2341,9 @@ KDF_R_MISSING_PASS:110:missing pass + KDF_R_MISSING_SALT:111:missing salt + KDF_R_MISSING_SECRET:107:missing secret + KDF_R_MISSING_SEED:106:missing seed ++KDF_R_MISSING_SESSION_ID:113:missing session id ++KDF_R_MISSING_TYPE:114:missing type ++KDF_R_MISSING_XCGHASH:115:missing xcghash + KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type + KDF_R_VALUE_ERROR:108:value error + KDF_R_VALUE_MISSING:102:value missing +Index: openssl-1.1.1d/crypto/evp/kdf_lib.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/evp/kdf_lib.c 2020-01-23 13:45:11.468634429 +0100 ++++ openssl-1.1.1d/crypto/evp/kdf_lib.c 2020-01-23 13:45:11.488634548 +0100 +@@ -29,7 +29,8 @@ static const EVP_KDF_METHOD *standard_me + &scrypt_kdf_meth, + #endif + &tls1_prf_kdf_meth, +- &hkdf_kdf_meth ++ &hkdf_kdf_meth, ++ &sshkdf_kdf_meth, + }; + + DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *, +Index: openssl-1.1.1d/include/crypto/evp.h +=================================================================== +--- openssl-1.1.1d.orig/include/crypto/evp.h 2020-01-23 13:45:11.468634429 +0100 ++++ openssl-1.1.1d/include/crypto/evp.h 2020-01-23 13:45:11.488634548 +0100 +@@ -129,6 +129,7 @@ extern const EVP_KDF_METHOD pbkdf2_kdf_m + extern const EVP_KDF_METHOD scrypt_kdf_meth; + extern const EVP_KDF_METHOD tls1_prf_kdf_meth; + extern const EVP_KDF_METHOD hkdf_kdf_meth; ++extern const EVP_KDF_METHOD sshkdf_kdf_meth; + + struct evp_md_st { + int type; +Index: openssl-1.1.1d/crypto/kdf/build.info +=================================================================== +--- openssl-1.1.1d.orig/crypto/kdf/build.info 2020-01-23 13:45:11.468634429 +0100 ++++ openssl-1.1.1d/crypto/kdf/build.info 2020-01-23 13:45:11.488634548 +0100 +@@ -1,3 +1,3 @@ + LIBS=../../libcrypto + SOURCE[../../libcrypto]=\ +- tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c ++ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c +Index: openssl-1.1.1d/crypto/kdf/kdf_err.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/kdf/kdf_err.c 2020-01-23 13:45:11.468634429 +0100 ++++ openssl-1.1.1d/crypto/kdf/kdf_err.c 2020-01-23 13:45:11.488634548 +0100 +@@ -31,6 +31,11 @@ static const ERR_STRING_DATA KDF_str_fun + "kdf_scrypt_ctrl_uint64"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_DERIVE, 0), "kdf_scrypt_derive"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_NEW, 0), "kdf_scrypt_new"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SSHKDF_CTRL, 0), "kdf_sshkdf_ctrl"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SSHKDF_CTRL_STR, 0), ++ "kdf_sshkdf_ctrl_str"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SSHKDF_DERIVE, 0), "kdf_sshkdf_derive"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SSHKDF_NEW, 0), "kdf_sshkdf_new"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_CTRL_STR, 0), + "kdf_tls1_prf_ctrl_str"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_DERIVE, 0), +@@ -70,6 +75,9 @@ static const ERR_STRING_DATA KDF_str_rea + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_SALT), "missing salt"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_SECRET), "missing secret"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_SEED), "missing seed"}, ++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_SESSION_ID), "missing session id"}, ++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_TYPE), "missing type"}, ++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_XCGHASH), "missing xcghash"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_UNKNOWN_PARAMETER_TYPE), + "unknown parameter type"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_ERROR), "value error"}, +Index: openssl-1.1.1d/crypto/kdf/sshkdf.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.1.1d/crypto/kdf/sshkdf.c 2020-01-23 13:45:11.496634596 +0100 +@@ -0,0 +1,291 @@ ++/* ++ * Copyright 2018-2018 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include "internal/cryptlib.h" ++#include "crypto/evp.h" ++#include "kdf_local.h" ++ ++/* See RFC 4253, Section 7.2 */ ++ ++static void kdf_sshkdf_reset(EVP_KDF_IMPL *impl); ++static int SSHKDF(const EVP_MD *evp_md, ++ const unsigned char *key, size_t key_len, ++ const unsigned char *xcghash, size_t xcghash_len, ++ const unsigned char *session_id, size_t session_id_len, ++ char type, unsigned char *okey, size_t okey_len); ++ ++struct evp_kdf_impl_st { ++ const EVP_MD *md; ++ unsigned char *key; /* K */ ++ size_t key_len; ++ unsigned char *xcghash; /* H */ ++ size_t xcghash_len; ++ char type; /* X */ ++ unsigned char *session_id; ++ size_t session_id_len; ++}; ++ ++static EVP_KDF_IMPL *kdf_sshkdf_new(void) ++{ ++ EVP_KDF_IMPL *impl; ++ ++ if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL) ++ KDFerr(KDF_F_KDF_SSHKDF_NEW, ERR_R_MALLOC_FAILURE); ++ return impl; ++} ++ ++static void kdf_sshkdf_free(EVP_KDF_IMPL *impl) ++{ ++ kdf_sshkdf_reset(impl); ++ OPENSSL_free(impl); ++} ++ ++static void kdf_sshkdf_reset(EVP_KDF_IMPL *impl) ++{ ++ OPENSSL_clear_free(impl->key, impl->key_len); ++ OPENSSL_clear_free(impl->xcghash, impl->xcghash_len); ++ OPENSSL_clear_free(impl->session_id, impl->session_id_len); ++ memset(impl, 0, sizeof(*impl)); ++} ++ ++static int kdf_sshkdf_parse_buffer_arg(unsigned char **dst, size_t *dst_len, ++ va_list args) ++{ ++ const unsigned char *p; ++ size_t len; ++ ++ p = va_arg(args, const unsigned char *); ++ len = va_arg(args, size_t); ++ OPENSSL_clear_free(*dst, *dst_len); ++ *dst = OPENSSL_memdup(p, len); ++ if (*dst == NULL) ++ return 0; ++ ++ *dst_len = len; ++ return 1; ++} ++ ++static int kdf_sshkdf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) ++{ ++ int t; ++ ++ switch (cmd) { ++ case EVP_KDF_CTRL_SET_MD: ++ impl->md = va_arg(args, const EVP_MD *); ++ if (impl->md == NULL) ++ return 0; ++ ++ return 1; ++ ++ case EVP_KDF_CTRL_SET_KEY: ++ return kdf_sshkdf_parse_buffer_arg(&impl->key, ++ &impl->key_len, args); ++ ++ case EVP_KDF_CTRL_SET_SSHKDF_XCGHASH: ++ return kdf_sshkdf_parse_buffer_arg(&impl->xcghash, ++ &impl->xcghash_len, args); ++ ++ case EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID: ++ return kdf_sshkdf_parse_buffer_arg(&impl->session_id, ++ &impl->session_id_len, args); ++ ++ case EVP_KDF_CTRL_SET_SSHKDF_TYPE: ++ t = va_arg(args, int); ++ if (t < 65 || t > 70) { ++ KDFerr(KDF_F_KDF_SSHKDF_CTRL, KDF_R_VALUE_ERROR); ++ return 0; ++ } ++ ++ impl->type = (char)t; ++ return 1; ++ ++ default: ++ return -2; ++ ++ } ++} ++ ++static int kdf_sshkdf_ctrl_str(EVP_KDF_IMPL *impl, const char *type, ++ const char *value) ++{ ++ if (value == NULL) { ++ KDFerr(KDF_F_KDF_SSHKDF_CTRL_STR, KDF_R_VALUE_MISSING); ++ return 0; ++ } ++ ++ if (strcmp(type, "digest") == 0) ++ return kdf_md2ctrl(impl, kdf_sshkdf_ctrl, EVP_KDF_CTRL_SET_MD, value); ++ /* alias, for historical reasons */ ++ if (strcmp(type, "md") == 0) ++ return kdf_md2ctrl(impl, kdf_sshkdf_ctrl, EVP_KDF_CTRL_SET_MD, value); ++ ++ if (strcmp(type, "key") == 0) ++ return kdf_str2ctrl(impl, kdf_sshkdf_ctrl, ++ EVP_KDF_CTRL_SET_KEY, value); ++ ++ if (strcmp(type, "hexkey") == 0) ++ return kdf_hex2ctrl(impl, kdf_sshkdf_ctrl, ++ EVP_KDF_CTRL_SET_KEY, value); ++ ++ if (strcmp(type, "xcghash") == 0) ++ return kdf_str2ctrl(impl, kdf_sshkdf_ctrl, ++ EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, value); ++ ++ if (strcmp(type, "hexxcghash") == 0) ++ return kdf_hex2ctrl(impl, kdf_sshkdf_ctrl, ++ EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, value); ++ ++ if (strcmp(type, "session_id") == 0) ++ return kdf_str2ctrl(impl, kdf_sshkdf_ctrl, ++ EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, value); ++ ++ if (strcmp(type, "hexsession_id") == 0) ++ return kdf_hex2ctrl(impl, kdf_sshkdf_ctrl, ++ EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, value); ++ ++ if (strcmp(type, "type") == 0) { ++ if (strlen(value) != 1) { ++ KDFerr(KDF_F_KDF_SSHKDF_CTRL_STR, KDF_R_VALUE_ERROR); ++ return 0; ++ } ++ ++ return call_ctrl(kdf_sshkdf_ctrl, impl, EVP_KDF_CTRL_SET_SSHKDF_TYPE, ++ (int)value[0]); ++ } ++ ++ KDFerr(KDF_F_KDF_SSHKDF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE); ++ return -2; ++} ++ ++static size_t kdf_sshkdf_size(EVP_KDF_IMPL *impl) ++{ ++ return SIZE_MAX; ++} ++ ++static int kdf_sshkdf_derive(EVP_KDF_IMPL *impl, unsigned char *key, ++ size_t keylen) ++{ ++ if (impl->md == NULL) { ++ KDFerr(KDF_F_KDF_SSHKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); ++ return 0; ++ } ++ if (impl->key == NULL) { ++ KDFerr(KDF_F_KDF_SSHKDF_DERIVE, KDF_R_MISSING_KEY); ++ return 0; ++ } ++ if (impl->xcghash == NULL) { ++ KDFerr(KDF_F_KDF_SSHKDF_DERIVE, KDF_R_MISSING_XCGHASH); ++ return 0; ++ } ++ if (impl->session_id == NULL) { ++ KDFerr(KDF_F_KDF_SSHKDF_DERIVE, KDF_R_MISSING_SESSION_ID); ++ return 0; ++ } ++ if (impl->type == 0) { ++ KDFerr(KDF_F_KDF_SSHKDF_DERIVE, KDF_R_MISSING_TYPE); ++ return 0; ++ } ++ return SSHKDF(impl->md, impl->key, impl->key_len, ++ impl->xcghash, impl->xcghash_len, ++ impl->session_id, impl->session_id_len, ++ impl->type, key, keylen); ++} ++ ++const EVP_KDF_METHOD sshkdf_kdf_meth = { ++ EVP_KDF_SSHKDF, ++ kdf_sshkdf_new, ++ kdf_sshkdf_free, ++ kdf_sshkdf_reset, ++ kdf_sshkdf_ctrl, ++ kdf_sshkdf_ctrl_str, ++ kdf_sshkdf_size, ++ kdf_sshkdf_derive, ++}; ++ ++static int SSHKDF(const EVP_MD *evp_md, ++ const unsigned char *key, size_t key_len, ++ const unsigned char *xcghash, size_t xcghash_len, ++ const unsigned char *session_id, size_t session_id_len, ++ char type, unsigned char *okey, size_t okey_len) ++{ ++ EVP_MD_CTX *md = NULL; ++ unsigned char digest[EVP_MAX_MD_SIZE]; ++ unsigned int dsize = 0; ++ size_t cursize = 0; ++ int ret = 0; ++ ++ md = EVP_MD_CTX_new(); ++ if (md == NULL) ++ return 0; ++ ++ if (!EVP_DigestInit_ex(md, evp_md, NULL)) ++ goto out; ++ ++ if (!EVP_DigestUpdate(md, key, key_len)) ++ goto out; ++ ++ if (!EVP_DigestUpdate(md, xcghash, xcghash_len)) ++ goto out; ++ ++ if (!EVP_DigestUpdate(md, &type, 1)) ++ goto out; ++ ++ if (!EVP_DigestUpdate(md, session_id, session_id_len)) ++ goto out; ++ ++ if (!EVP_DigestFinal_ex(md, digest, &dsize)) ++ goto out; ++ ++ if (okey_len < dsize) { ++ memcpy(okey, digest, okey_len); ++ ret = 1; ++ goto out; ++ } ++ ++ memcpy(okey, digest, dsize); ++ ++ for (cursize = dsize; cursize < okey_len; cursize += dsize) { ++ ++ if (!EVP_DigestInit_ex(md, evp_md, NULL)) ++ goto out; ++ ++ if (!EVP_DigestUpdate(md, key, key_len)) ++ goto out; ++ ++ if (!EVP_DigestUpdate(md, xcghash, xcghash_len)) ++ goto out; ++ ++ if (!EVP_DigestUpdate(md, okey, cursize)) ++ goto out; ++ ++ if (!EVP_DigestFinal_ex(md, digest, &dsize)) ++ goto out; ++ ++ if (okey_len < cursize + dsize) { ++ memcpy(okey + cursize, digest, okey_len - cursize); ++ ret = 1; ++ goto out; ++ } ++ ++ memcpy(okey + cursize, digest, dsize); ++ } ++ ++ ret = 1; ++ ++out: ++ EVP_MD_CTX_free(md); ++ OPENSSL_cleanse(digest, EVP_MAX_MD_SIZE); ++ return ret; ++} ++ +Index: openssl-1.1.1d/crypto/objects/obj_dat.h +=================================================================== +--- openssl-1.1.1d.orig/crypto/objects/obj_dat.h 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/objects/obj_dat.h 2020-01-23 13:45:11.492634571 +0100 +@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = { + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */ + }; + +-#define NUM_NID 1195 ++#define NUM_NID 1196 + static const ASN1_OBJECT nid_objs[NUM_NID] = { + {"UNDEF", "undefined", NID_undef}, + {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, +@@ -2275,9 +2275,10 @@ static const ASN1_OBJECT nid_objs[NUM_NI + {"magma-mac", "magma-mac", NID_magma_mac}, + {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]}, + {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]}, ++ {"SSHKDF", "sshkdf", NID_sshkdf}, + }; + +-#define NUM_SN 1186 ++#define NUM_SN 1187 + static const unsigned int sn_objs[NUM_SN] = { + 364, /* "AD_DVCS" */ + 419, /* "AES-128-CBC" */ +@@ -2555,6 +2556,7 @@ static const unsigned int sn_objs[NUM_SN + 167, /* "SMIME-CAPS" */ + 100, /* "SN" */ + 1006, /* "SNILS" */ ++ 1195, /* "SSHKDF" */ + 16, /* "ST" */ + 143, /* "SXNetID" */ + 1062, /* "SipHash" */ +@@ -3467,7 +3469,7 @@ static const unsigned int sn_objs[NUM_SN + 1093, /* "x509ExtAdmission" */ + }; + +-#define NUM_LN 1186 ++#define NUM_LN 1187 + static const unsigned int ln_objs[NUM_LN] = { + 363, /* "AD Time Stamping" */ + 405, /* "ANSI X9.62" */ +@@ -4609,6 +4611,7 @@ static const unsigned int ln_objs[NUM_LN + 1139, /* "sm4-ctr" */ + 1133, /* "sm4-ecb" */ + 1135, /* "sm4-ofb" */ ++ 1195, /* "sshkdf" */ + 16, /* "stateOrProvinceName" */ + 660, /* "streetAddress" */ + 498, /* "subtreeMaximumQuality" */ +Index: openssl-1.1.1d/crypto/objects/obj_mac.num +=================================================================== +--- openssl-1.1.1d.orig/crypto/objects/obj_mac.num 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/objects/obj_mac.num 2020-01-23 13:45:11.492634571 +0100 +@@ -1192,3 +1192,4 @@ magma_cfb 1191 + magma_mac 1192 + hmacWithSHA512_224 1193 + hmacWithSHA512_256 1194 ++sshkdf 1195 +Index: openssl-1.1.1d/crypto/objects/objects.txt +=================================================================== +--- openssl-1.1.1d.orig/crypto/objects/objects.txt 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/objects/objects.txt 2020-01-23 13:45:11.492634571 +0100 +@@ -1600,6 +1600,9 @@ secg-scheme 14 3 : dhSinglePass-cofactor + # NID for HKDF + : HKDF : hkdf + ++# NID for SSHKDF ++ : SSHKDF : sshkdf ++ + # RFC 4556 + 1 3 6 1 5 2 3 : id-pkinit + id-pkinit 4 : pkInitClientAuth : PKINIT Client Auth +Index: openssl-1.1.1d/doc/man7/EVP_KDF_SSHKDF.pod +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.1.1d/doc/man7/EVP_KDF_SSHKDF.pod 2020-01-23 13:45:11.492634571 +0100 +@@ -0,0 +1,175 @@ ++=pod ++ ++=head1 NAME ++ ++EVP_KDF_SSHKDF - The SSHKDF EVP_KDF implementation ++ ++=head1 DESCRIPTION ++ ++Support for computing the B KDF through the B API. ++ ++The EVP_KDF_SSHKDF algorithm implements the SSHKDF key derivation function. ++It is defined in RFC 4253, section 7.2 and is used by SSH to derive IVs, ++encryption keys and integrity keys. ++Five inputs are required to perform key derivation: The hashing function ++(for example SHA256), the Initial Key, the Exchange Hash, the Session ID, ++and the derivation key type. ++ ++=head2 Numeric identity ++ ++B is the numeric identity for this implementation; it ++can be used with the EVP_KDF_CTX_new_id() function. ++ ++=head2 Supported controls ++ ++The supported controls are: ++ ++=over 4 ++ ++=item B ++ ++=item B ++ ++These controls work as described in L. ++ ++=item B ++ ++=item B ++ ++These controls expect two arguments: C, C ++ ++They set the respective values to the first B bytes of the buffer ++B. If a value is already set, the contents are replaced. ++ ++EVP_KDF_ctrl_str() takes two type strings for these controls: ++ ++=over 4 ++ ++=item "xcghash" ++ ++=item "session_id" ++ ++The value string is used as is. ++ ++=item "hexxcghash" ++ ++=item "hexsession_id" ++ ++The value string is expected to be a hexadecimal number, which will be ++decoded before being passed on as the control value. ++ ++=back ++ ++=item B ++ ++This control expects one argument: C ++ ++Sets the type for the SSHHKDF operation. There are six supported types: ++ ++=over 4 ++ ++=item EVP_KDF_SSHKDF_TYPE_ININITAL_IV_CLI_TO_SRV ++ ++The Initial IV from client to server. ++A single char of value 65 (ASCII char 'A'). ++ ++=item EVP_KDF_SSHKDF_TYPE_ININITAL_IV_SRV_TO_CLI ++ ++The Initial IV from server to client ++A single char of value 66 (ASCII char 'B'). ++ ++=item EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV ++ ++The Encryption Key from client to server ++A single char of value 67 (ASCII char 'C'). ++ ++=item EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI ++ ++The Encryption Key from server to client ++A single char of value 68 (ASCII char 'D'). ++ ++=item EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV ++ ++The Integrity Key from client to server ++A single char of value 69 (ASCII char 'E'). ++ ++=item EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI ++ ++The Integrity Key from client to server ++A single char of value 70 (ASCII char 'F'). ++ ++=back ++ ++EVP_KDF_ctrl_str() type string: "type" ++ ++The value is a string of length one character. The only valid values ++are the numerical values of the ASCII caracters: "A" (65) to "F" (70). ++ ++=back ++ ++=head1 NOTES ++ ++A context for SSHKDF can be obtained by calling: ++ ++ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF); ++ ++The output length of the SSHKDF derivation is specified via the C ++parameter to the L function. ++Since the SSHKDF output length is variable, calling L ++to obtain the requisite length is not meaningful. The caller must ++allocate a buffer of the desired length, and pass that buffer to the ++L function along with the desired length. ++ ++=head1 EXAMPLE ++ ++This example derives an 8 byte IV using SHA-256 with a 1K "key" and appropriate ++"xcghash" and "session_id" values: ++ ++ EVP_KDF_CTX *kctx; ++ unsigned char key[1024] = "01234..."; ++ unsigned char xcghash[32] = "012345..."; ++ unsigned char session_id[32] = "012345..."; ++ unsigned char out[8]; ++ size_t outlen = sizeof(out); ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF); ++ ++ if (EVP_KDF_CTX_set_md(kctx, EVP_sha256()) <= 0) ++ /* Error */ ++ if (EVP_KDF_CTX_set1_key(kctx, key, 1024) <= 0) ++ /* Error */ ++ if (EVP_KDF_CTX_set1_sshkdf_xcghash(kctx, xcghash, 32) <= 0) ++ /* Error */ ++ if (EVP_KDF_CTX_set1_sshkdf_session_id(kctx, session_id, 32) <= 0) ++ /* Error */ ++ if (EVP_KDF_CTX_set_sshkdf_type(kctx, ++ EVP_KDF_SSHKDF_TYPE_ININITAL_IV_CLI_TO_SRV) <= 0) ++ /* Error */ ++ if (EVP_KDF_derive(kctx, out, &outlen) <= 0) ++ /* Error */ ++ ++ ++=head1 CONFORMING TO ++ ++RFC 4253 ++ ++=head1 SEE ALSO ++ ++L, ++L, ++L, ++L, ++L, ++L, ++L ++ ++=head1 COPYRIGHT ++ ++Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. ++ ++Licensed under the OpenSSL license (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut ++ +Index: openssl-1.1.1d/include/openssl/kdf.h +=================================================================== +--- openssl-1.1.1d.orig/include/openssl/kdf.h 2020-01-23 13:45:11.472634451 +0100 ++++ openssl-1.1.1d/include/openssl/kdf.h 2020-01-23 13:45:11.492634571 +0100 +@@ -20,6 +20,7 @@ extern "C" { + # define EVP_KDF_SCRYPT NID_id_scrypt + # define EVP_KDF_TLS1_PRF NID_tls1_prf + # define EVP_KDF_HKDF NID_hkdf ++# define EVP_KDF_SSHKDF NID_sshkdf + + EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id); + void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx); +@@ -47,11 +48,20 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns + # define EVP_KDF_CTRL_SET_SCRYPT_N 0x0d /* uint64_t */ + # define EVP_KDF_CTRL_SET_SCRYPT_R 0x0e /* uint32_t */ + # define EVP_KDF_CTRL_SET_SCRYPT_P 0x0f /* uint32_t */ ++# define EVP_KDF_CTRL_SET_SSHKDF_XCGHASH 0x10 /* unsigned char *, size_t */ ++# define EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID 0x11 /* unsigned char *, size_t */ ++# define EVP_KDF_CTRL_SET_SSHKDF_TYPE 0x12 /* int */ + + # define EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND 0 + # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1 + # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2 + ++#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65 ++#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66 ++#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67 ++#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI 68 ++#define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV 69 ++#define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI 70 + + /**** The legacy PKEY-based KDF API follows. ****/ + +Index: openssl-1.1.1d/include/openssl/kdferr.h +=================================================================== +--- openssl-1.1.1d.orig/include/openssl/kdferr.h 2020-01-23 13:45:11.472634451 +0100 ++++ openssl-1.1.1d/include/openssl/kdferr.h 2020-01-23 13:45:11.492634571 +0100 +@@ -36,6 +36,10 @@ int ERR_load_KDF_strings(void); + # define KDF_F_KDF_SCRYPT_CTRL_UINT64 122 + # define KDF_F_KDF_SCRYPT_DERIVE 123 + # define KDF_F_KDF_SCRYPT_NEW 124 ++# define KDF_F_KDF_SSHKDF_CTRL 130 ++# define KDF_F_KDF_SSHKDF_CTRL_STR 131 ++# define KDF_F_KDF_SSHKDF_DERIVE 132 ++# define KDF_F_KDF_SSHKDF_NEW 133 + # define KDF_F_KDF_TLS1_PRF_CTRL_STR 125 + # define KDF_F_KDF_TLS1_PRF_DERIVE 126 + # define KDF_F_KDF_TLS1_PRF_NEW 127 +@@ -66,6 +70,9 @@ int ERR_load_KDF_strings(void); + # define KDF_R_MISSING_SALT 111 + # define KDF_R_MISSING_SECRET 107 + # define KDF_R_MISSING_SEED 106 ++# define KDF_R_MISSING_SESSION_ID 113 ++# define KDF_R_MISSING_TYPE 114 ++# define KDF_R_MISSING_XCGHASH 115 + # define KDF_R_UNKNOWN_PARAMETER_TYPE 103 + # define KDF_R_VALUE_ERROR 108 + # define KDF_R_VALUE_MISSING 102 +Index: openssl-1.1.1d/include/openssl/obj_mac.h +=================================================================== +--- openssl-1.1.1d.orig/include/openssl/obj_mac.h 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/include/openssl/obj_mac.h 2020-01-23 13:45:11.492634571 +0100 +@@ -4970,6 +4970,10 @@ + #define LN_hkdf "hkdf" + #define NID_hkdf 1036 + ++#define SN_sshkdf "SSHKDF" ++#define LN_sshkdf "sshkdf" ++#define NID_sshkdf 1203 ++ + #define SN_id_pkinit "id-pkinit" + #define NID_id_pkinit 1031 + #define OBJ_id_pkinit 1L,3L,6L,1L,5L,2L,3L +Index: openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt +=================================================================== +--- openssl-1.1.1d.orig/test/recipes/30-test_evp_data/evpkdf.txt 2020-01-23 13:45:11.476634476 +0100 ++++ openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt 2020-01-23 13:45:11.496634596 +0100 +@@ -433,3 +433,4856 @@ Ctrl.iter = iter:1 + Ctrl.digest = digest:sha512 + Output = 00ef42cdbfc98d29db20976608e455567fdddf14 + ++Title = SSHKDF tests (from NIST CAVS 14.1 test vectors) ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59 ++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.type = type:A ++Output = e2f627c0b43f1ac1 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59 ++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.type = type:B ++Output = 58471445f342b181 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59 ++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.type = type:C ++Output = 1ca9d310f86d51f6cb8e7007cb2b220d55c5281ce680b533 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59 ++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.type = type:D ++Output = 2c60df8603d34cc1dbb03c11f725a44b44008851c73d6844 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59 ++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.type = type:E ++Output = 472eb8a26166ae6aa8e06868e45c3b26e6eeed06 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59 ++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.type = type:F ++Output = e3e2fdb9d7bc21165a3dbe47e1eceb7764390bab ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100ec6f2c5f0517fd92f730567bd783138302917c277552b1b3fdf2b67d6edb6fa81bd17f7ebbe339b54b171341e6522b91611f8274cc88652a458f8041261040818a268497e949e12f57271318b2b3194c29760cbb767c0fc8833b272994e18682da807e6c9f235d88ef89c203c6f756d25cc2bea199b02c955b8b40cbc04f9208 ++Ctrl.hexxcghash = hexxcghash:ee40eef61bea3da8c2b1cec40fc4cdac892a2626 ++Ctrl.hexsession_id = hexsession_id:ca9aad244e24797fd348d1250387c8aa45a0110a ++Ctrl.type = type:A ++Output = 55a1015757de84cb ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100ec6f2c5f0517fd92f730567bd783138302917c277552b1b3fdf2b67d6edb6fa81bd17f7ebbe339b54b171341e6522b91611f8274cc88652a458f8041261040818a268497e949e12f57271318b2b3194c29760cbb767c0fc8833b272994e18682da807e6c9f235d88ef89c203c6f756d25cc2bea199b02c955b8b40cbc04f9208 ++Ctrl.hexxcghash = hexxcghash:ee40eef61bea3da8c2b1cec40fc4cdac892a2626 ++Ctrl.hexsession_id = hexsession_id:ca9aad244e24797fd348d1250387c8aa45a0110a ++Ctrl.type = type:B ++Output = 7e57f61d5735f4fb ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100ec6f2c5f0517fd92f730567bd783138302917c277552b1b3fdf2b67d6edb6fa81bd17f7ebbe339b54b171341e6522b91611f8274cc88652a458f8041261040818a268497e949e12f57271318b2b3194c29760cbb767c0fc8833b272994e18682da807e6c9f235d88ef89c203c6f756d25cc2bea199b02c955b8b40cbc04f9208 ++Ctrl.hexxcghash = hexxcghash:ee40eef61bea3da8c2b1cec40fc4cdac892a2626 ++Ctrl.hexsession_id = hexsession_id:ca9aad244e24797fd348d1250387c8aa45a0110a ++Ctrl.type = type:C ++Output = dd1c24bde1af845e82207541e3e173aec822fb904a94ae3c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100ec6f2c5f0517fd92f730567bd783138302917c277552b1b3fdf2b67d6edb6fa81bd17f7ebbe339b54b171341e6522b91611f8274cc88652a458f8041261040818a268497e949e12f57271318b2b3194c29760cbb767c0fc8833b272994e18682da807e6c9f235d88ef89c203c6f756d25cc2bea199b02c955b8b40cbc04f9208 ++Ctrl.hexxcghash = hexxcghash:ee40eef61bea3da8c2b1cec40fc4cdac892a2626 ++Ctrl.hexsession_id = hexsession_id:ca9aad244e24797fd348d1250387c8aa45a0110a ++Ctrl.type = type:D ++Output = cbbfdc9442af6db7f8c4dcaa4b0b5d0163e0e204476aa2a0 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100ec6f2c5f0517fd92f730567bd783138302917c277552b1b3fdf2b67d6edb6fa81bd17f7ebbe339b54b171341e6522b91611f8274cc88652a458f8041261040818a268497e949e12f57271318b2b3194c29760cbb767c0fc8833b272994e18682da807e6c9f235d88ef89c203c6f756d25cc2bea199b02c955b8b40cbc04f9208 ++Ctrl.hexxcghash = hexxcghash:ee40eef61bea3da8c2b1cec40fc4cdac892a2626 ++Ctrl.hexsession_id = hexsession_id:ca9aad244e24797fd348d1250387c8aa45a0110a ++Ctrl.type = type:E ++Output = e153e04886c0dc446dde9a9b3b13efb77151764d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100ec6f2c5f0517fd92f730567bd783138302917c277552b1b3fdf2b67d6edb6fa81bd17f7ebbe339b54b171341e6522b91611f8274cc88652a458f8041261040818a268497e949e12f57271318b2b3194c29760cbb767c0fc8833b272994e18682da807e6c9f235d88ef89c203c6f756d25cc2bea199b02c955b8b40cbc04f9208 ++Ctrl.hexxcghash = hexxcghash:ee40eef61bea3da8c2b1cec40fc4cdac892a2626 ++Ctrl.hexsession_id = hexsession_id:ca9aad244e24797fd348d1250387c8aa45a0110a ++Ctrl.type = type:F ++Output = c8e4f61bd6b5abb2c6e06eca7b302349435e4842 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100a3beebff410a7cdc0ac56dad0152a7f6da6b1d4195285ce96f8b59930d8c3ccbc518bc043eb60362388ea87c20db3b490b490ba9b90f086004ba3e389cb3a715d477c2b1e480e3419c36cd83e237e241462ee79758f4ff5bf7a5e1eae58a6834778a658c60b2e157d36b16371f97660ad4abfd4a2703dba7cab055be4c778b62 ++Ctrl.hexxcghash = hexxcghash:b81915a9656128d2add5e5741914d765226f93e2 ++Ctrl.hexsession_id = hexsession_id:2872e0c92fc3074d4f40e408a2ebd83e2fc7bccd ++Ctrl.type = type:A ++Output = 054eaf5d7dea31e7 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100a3beebff410a7cdc0ac56dad0152a7f6da6b1d4195285ce96f8b59930d8c3ccbc518bc043eb60362388ea87c20db3b490b490ba9b90f086004ba3e389cb3a715d477c2b1e480e3419c36cd83e237e241462ee79758f4ff5bf7a5e1eae58a6834778a658c60b2e157d36b16371f97660ad4abfd4a2703dba7cab055be4c778b62 ++Ctrl.hexxcghash = hexxcghash:b81915a9656128d2add5e5741914d765226f93e2 ++Ctrl.hexsession_id = hexsession_id:2872e0c92fc3074d4f40e408a2ebd83e2fc7bccd ++Ctrl.type = type:B ++Output = 6ce586c127da010f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100a3beebff410a7cdc0ac56dad0152a7f6da6b1d4195285ce96f8b59930d8c3ccbc518bc043eb60362388ea87c20db3b490b490ba9b90f086004ba3e389cb3a715d477c2b1e480e3419c36cd83e237e241462ee79758f4ff5bf7a5e1eae58a6834778a658c60b2e157d36b16371f97660ad4abfd4a2703dba7cab055be4c778b62 ++Ctrl.hexxcghash = hexxcghash:b81915a9656128d2add5e5741914d765226f93e2 ++Ctrl.hexsession_id = hexsession_id:2872e0c92fc3074d4f40e408a2ebd83e2fc7bccd ++Ctrl.type = type:C ++Output = 7907bf3d7c58ce72714b2adb1a14f156194b14378a4a7c49 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100a3beebff410a7cdc0ac56dad0152a7f6da6b1d4195285ce96f8b59930d8c3ccbc518bc043eb60362388ea87c20db3b490b490ba9b90f086004ba3e389cb3a715d477c2b1e480e3419c36cd83e237e241462ee79758f4ff5bf7a5e1eae58a6834778a658c60b2e157d36b16371f97660ad4abfd4a2703dba7cab055be4c778b62 ++Ctrl.hexxcghash = hexxcghash:b81915a9656128d2add5e5741914d765226f93e2 ++Ctrl.hexsession_id = hexsession_id:2872e0c92fc3074d4f40e408a2ebd83e2fc7bccd ++Ctrl.type = type:D ++Output = c34757dc104e7b811f6550bbc3888e1d4297578fd88b2ca5 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100a3beebff410a7cdc0ac56dad0152a7f6da6b1d4195285ce96f8b59930d8c3ccbc518bc043eb60362388ea87c20db3b490b490ba9b90f086004ba3e389cb3a715d477c2b1e480e3419c36cd83e237e241462ee79758f4ff5bf7a5e1eae58a6834778a658c60b2e157d36b16371f97660ad4abfd4a2703dba7cab055be4c778b62 ++Ctrl.hexxcghash = hexxcghash:b81915a9656128d2add5e5741914d765226f93e2 ++Ctrl.hexsession_id = hexsession_id:2872e0c92fc3074d4f40e408a2ebd83e2fc7bccd ++Ctrl.type = type:E ++Output = e463e05ef70e61f994ee3cd20d504cb6eddb9b1a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100a3beebff410a7cdc0ac56dad0152a7f6da6b1d4195285ce96f8b59930d8c3ccbc518bc043eb60362388ea87c20db3b490b490ba9b90f086004ba3e389cb3a715d477c2b1e480e3419c36cd83e237e241462ee79758f4ff5bf7a5e1eae58a6834778a658c60b2e157d36b16371f97660ad4abfd4a2703dba7cab055be4c778b62 ++Ctrl.hexxcghash = hexxcghash:b81915a9656128d2add5e5741914d765226f93e2 ++Ctrl.hexsession_id = hexsession_id:2872e0c92fc3074d4f40e408a2ebd83e2fc7bccd ++Ctrl.type = type:F ++Output = 676cf1dfc887e122353eead2b1e644f9d9def944 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008017357de60344a125ca41d9ea51eb304a571d7f0aa37a5e36d4b7a5473546f7226583cefe7c06f6f94b97da0da2517190fa02a0337a3bc9ddfeeb68b953613d4d5e473783f137a82246b8260fb3451363adda1813acdf6b10861e022e23a00db9b5a893fcefd6b647f6a73904aa9c3b53e5d879d7e84f052dfabe15a27c1f3aa9 ++Ctrl.hexxcghash = hexxcghash:28fcf3bc600f6bb0b9594b01283d085e149b2586 ++Ctrl.hexsession_id = hexsession_id:4d6b90988de45dfd08e8167504a6253a8552c200 ++Ctrl.type = type:A ++Output = bc4b5164911bc87b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008017357de60344a125ca41d9ea51eb304a571d7f0aa37a5e36d4b7a5473546f7226583cefe7c06f6f94b97da0da2517190fa02a0337a3bc9ddfeeb68b953613d4d5e473783f137a82246b8260fb3451363adda1813acdf6b10861e022e23a00db9b5a893fcefd6b647f6a73904aa9c3b53e5d879d7e84f052dfabe15a27c1f3aa9 ++Ctrl.hexxcghash = hexxcghash:28fcf3bc600f6bb0b9594b01283d085e149b2586 ++Ctrl.hexsession_id = hexsession_id:4d6b90988de45dfd08e8167504a6253a8552c200 ++Ctrl.type = type:B ++Output = d791c5986b27257e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008017357de60344a125ca41d9ea51eb304a571d7f0aa37a5e36d4b7a5473546f7226583cefe7c06f6f94b97da0da2517190fa02a0337a3bc9ddfeeb68b953613d4d5e473783f137a82246b8260fb3451363adda1813acdf6b10861e022e23a00db9b5a893fcefd6b647f6a73904aa9c3b53e5d879d7e84f052dfabe15a27c1f3aa9 ++Ctrl.hexxcghash = hexxcghash:28fcf3bc600f6bb0b9594b01283d085e149b2586 ++Ctrl.hexsession_id = hexsession_id:4d6b90988de45dfd08e8167504a6253a8552c200 ++Ctrl.type = type:C ++Output = de8e99bb3f60ccf0583712528aa3dd0418fdb90d0a588012 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008017357de60344a125ca41d9ea51eb304a571d7f0aa37a5e36d4b7a5473546f7226583cefe7c06f6f94b97da0da2517190fa02a0337a3bc9ddfeeb68b953613d4d5e473783f137a82246b8260fb3451363adda1813acdf6b10861e022e23a00db9b5a893fcefd6b647f6a73904aa9c3b53e5d879d7e84f052dfabe15a27c1f3aa9 ++Ctrl.hexxcghash = hexxcghash:28fcf3bc600f6bb0b9594b01283d085e149b2586 ++Ctrl.hexsession_id = hexsession_id:4d6b90988de45dfd08e8167504a6253a8552c200 ++Ctrl.type = type:D ++Output = f37f75a685f1eaf4fd270b946d84734e96aa3b4ed130afc6 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008017357de60344a125ca41d9ea51eb304a571d7f0aa37a5e36d4b7a5473546f7226583cefe7c06f6f94b97da0da2517190fa02a0337a3bc9ddfeeb68b953613d4d5e473783f137a82246b8260fb3451363adda1813acdf6b10861e022e23a00db9b5a893fcefd6b647f6a73904aa9c3b53e5d879d7e84f052dfabe15a27c1f3aa9 ++Ctrl.hexxcghash = hexxcghash:28fcf3bc600f6bb0b9594b01283d085e149b2586 ++Ctrl.hexsession_id = hexsession_id:4d6b90988de45dfd08e8167504a6253a8552c200 ++Ctrl.type = type:E ++Output = 658f04b0f59aab071b9e11ec9ff187ee10e80254 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008017357de60344a125ca41d9ea51eb304a571d7f0aa37a5e36d4b7a5473546f7226583cefe7c06f6f94b97da0da2517190fa02a0337a3bc9ddfeeb68b953613d4d5e473783f137a82246b8260fb3451363adda1813acdf6b10861e022e23a00db9b5a893fcefd6b647f6a73904aa9c3b53e5d879d7e84f052dfabe15a27c1f3aa9 ++Ctrl.hexxcghash = hexxcghash:28fcf3bc600f6bb0b9594b01283d085e149b2586 ++Ctrl.hexsession_id = hexsession_id:4d6b90988de45dfd08e8167504a6253a8552c200 ++Ctrl.type = type:F ++Output = b030809222ff7a12b0df35072d67f314ab1d5eda ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000000803c3ce2b19e0cadf8ad02438c695efcd3018c833657318bfaef7b9c278cd7e8d7b3a2249f9d586832c3dee727ada167056ff1febc9210186ba47cc1dfaaf08101fb89742ebf4f3e291a20c94a7a6f7877799151d177e163ce3e57ef863c0cda0311265fbac157879150a715e309392b3e521dcf03224717ff5e0030e480f20dff ++Ctrl.hexxcghash = hexxcghash:46a674c532460a80cdc5c6da9a8c3bdf4f3ff614 ++Ctrl.hexsession_id = hexsession_id:aedeb64df7119db53202e959dc84be3e5285512d ++Ctrl.type = type:A ++Output = 7a74ec799ef16865 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000000803c3ce2b19e0cadf8ad02438c695efcd3018c833657318bfaef7b9c278cd7e8d7b3a2249f9d586832c3dee727ada167056ff1febc9210186ba47cc1dfaaf08101fb89742ebf4f3e291a20c94a7a6f7877799151d177e163ce3e57ef863c0cda0311265fbac157879150a715e309392b3e521dcf03224717ff5e0030e480f20dff ++Ctrl.hexxcghash = hexxcghash:46a674c532460a80cdc5c6da9a8c3bdf4f3ff614 ++Ctrl.hexsession_id = hexsession_id:aedeb64df7119db53202e959dc84be3e5285512d ++Ctrl.type = type:B ++Output = 6e544fc6db0ca1ba ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000000803c3ce2b19e0cadf8ad02438c695efcd3018c833657318bfaef7b9c278cd7e8d7b3a2249f9d586832c3dee727ada167056ff1febc9210186ba47cc1dfaaf08101fb89742ebf4f3e291a20c94a7a6f7877799151d177e163ce3e57ef863c0cda0311265fbac157879150a715e309392b3e521dcf03224717ff5e0030e480f20dff ++Ctrl.hexxcghash = hexxcghash:46a674c532460a80cdc5c6da9a8c3bdf4f3ff614 ++Ctrl.hexsession_id = hexsession_id:aedeb64df7119db53202e959dc84be3e5285512d ++Ctrl.type = type:C ++Output = 658226b1b10b2033fa88838b619572b18e81e80c76507918 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000000803c3ce2b19e0cadf8ad02438c695efcd3018c833657318bfaef7b9c278cd7e8d7b3a2249f9d586832c3dee727ada167056ff1febc9210186ba47cc1dfaaf08101fb89742ebf4f3e291a20c94a7a6f7877799151d177e163ce3e57ef863c0cda0311265fbac157879150a715e309392b3e521dcf03224717ff5e0030e480f20dff ++Ctrl.hexxcghash = hexxcghash:46a674c532460a80cdc5c6da9a8c3bdf4f3ff614 ++Ctrl.hexsession_id = hexsession_id:aedeb64df7119db53202e959dc84be3e5285512d ++Ctrl.type = type:D ++Output = 327298c8660685efcb01c5c0df49faebb15c0e93b0f6c65d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000000803c3ce2b19e0cadf8ad02438c695efcd3018c833657318bfaef7b9c278cd7e8d7b3a2249f9d586832c3dee727ada167056ff1febc9210186ba47cc1dfaaf08101fb89742ebf4f3e291a20c94a7a6f7877799151d177e163ce3e57ef863c0cda0311265fbac157879150a715e309392b3e521dcf03224717ff5e0030e480f20dff ++Ctrl.hexxcghash = hexxcghash:46a674c532460a80cdc5c6da9a8c3bdf4f3ff614 ++Ctrl.hexsession_id = hexsession_id:aedeb64df7119db53202e959dc84be3e5285512d ++Ctrl.type = type:E ++Output = 6b618a10aeaa12c9a8d2bcb10e975605582c00e5 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000000803c3ce2b19e0cadf8ad02438c695efcd3018c833657318bfaef7b9c278cd7e8d7b3a2249f9d586832c3dee727ada167056ff1febc9210186ba47cc1dfaaf08101fb89742ebf4f3e291a20c94a7a6f7877799151d177e163ce3e57ef863c0cda0311265fbac157879150a715e309392b3e521dcf03224717ff5e0030e480f20dff ++Ctrl.hexxcghash = hexxcghash:46a674c532460a80cdc5c6da9a8c3bdf4f3ff614 ++Ctrl.hexsession_id = hexsession_id:aedeb64df7119db53202e959dc84be3e5285512d ++Ctrl.type = type:F ++Output = 6d4ce50da9de90d6f746e812a2e74bcd921f5612 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008075957f464f5a7985e1a3ffb7d5814ff9ceb8fb1584a3f5cc454c37139e9b880940442cce2aef94d9d0462c4dc313ed7a8cc3f9a58c38a98ef0236e3cc78fb63b6f82e9c503097b7a08ef2261dda68c7bfe9f83ac790d1f9ff57605d24f4bdfedde23cc5aabba248bc91d3fe1d4394485bc4421730a297694c09bdf024ac2eac3 ++Ctrl.hexxcghash = hexxcghash:0a70b4f26b1985d48ece540f1de6304fdb38212f ++Ctrl.hexsession_id = hexsession_id:2f0ce0e2da2e2bf11eae2ab98e9734412d47a19a ++Ctrl.type = type:A ++Output = b655839abcb1a7b8 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008075957f464f5a7985e1a3ffb7d5814ff9ceb8fb1584a3f5cc454c37139e9b880940442cce2aef94d9d0462c4dc313ed7a8cc3f9a58c38a98ef0236e3cc78fb63b6f82e9c503097b7a08ef2261dda68c7bfe9f83ac790d1f9ff57605d24f4bdfedde23cc5aabba248bc91d3fe1d4394485bc4421730a297694c09bdf024ac2eac3 ++Ctrl.hexxcghash = hexxcghash:0a70b4f26b1985d48ece540f1de6304fdb38212f ++Ctrl.hexsession_id = hexsession_id:2f0ce0e2da2e2bf11eae2ab98e9734412d47a19a ++Ctrl.type = type:B ++Output = 98f9ec980831a8bc ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008075957f464f5a7985e1a3ffb7d5814ff9ceb8fb1584a3f5cc454c37139e9b880940442cce2aef94d9d0462c4dc313ed7a8cc3f9a58c38a98ef0236e3cc78fb63b6f82e9c503097b7a08ef2261dda68c7bfe9f83ac790d1f9ff57605d24f4bdfedde23cc5aabba248bc91d3fe1d4394485bc4421730a297694c09bdf024ac2eac3 ++Ctrl.hexxcghash = hexxcghash:0a70b4f26b1985d48ece540f1de6304fdb38212f ++Ctrl.hexsession_id = hexsession_id:2f0ce0e2da2e2bf11eae2ab98e9734412d47a19a ++Ctrl.type = type:C ++Output = 31a63b64cfa8b6a12ba165096dad8d127cd3f3b67698b670 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008075957f464f5a7985e1a3ffb7d5814ff9ceb8fb1584a3f5cc454c37139e9b880940442cce2aef94d9d0462c4dc313ed7a8cc3f9a58c38a98ef0236e3cc78fb63b6f82e9c503097b7a08ef2261dda68c7bfe9f83ac790d1f9ff57605d24f4bdfedde23cc5aabba248bc91d3fe1d4394485bc4421730a297694c09bdf024ac2eac3 ++Ctrl.hexxcghash = hexxcghash:0a70b4f26b1985d48ece540f1de6304fdb38212f ++Ctrl.hexsession_id = hexsession_id:2f0ce0e2da2e2bf11eae2ab98e9734412d47a19a ++Ctrl.type = type:D ++Output = 8bd79633967b92f0039a38a2d421e12840ea5c31b43c4e90 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008075957f464f5a7985e1a3ffb7d5814ff9ceb8fb1584a3f5cc454c37139e9b880940442cce2aef94d9d0462c4dc313ed7a8cc3f9a58c38a98ef0236e3cc78fb63b6f82e9c503097b7a08ef2261dda68c7bfe9f83ac790d1f9ff57605d24f4bdfedde23cc5aabba248bc91d3fe1d4394485bc4421730a297694c09bdf024ac2eac3 ++Ctrl.hexxcghash = hexxcghash:0a70b4f26b1985d48ece540f1de6304fdb38212f ++Ctrl.hexsession_id = hexsession_id:2f0ce0e2da2e2bf11eae2ab98e9734412d47a19a ++Ctrl.type = type:E ++Output = 37eccade73b422d1108e390eaa28c646b554a721 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008075957f464f5a7985e1a3ffb7d5814ff9ceb8fb1584a3f5cc454c37139e9b880940442cce2aef94d9d0462c4dc313ed7a8cc3f9a58c38a98ef0236e3cc78fb63b6f82e9c503097b7a08ef2261dda68c7bfe9f83ac790d1f9ff57605d24f4bdfedde23cc5aabba248bc91d3fe1d4394485bc4421730a297694c09bdf024ac2eac3 ++Ctrl.hexxcghash = hexxcghash:0a70b4f26b1985d48ece540f1de6304fdb38212f ++Ctrl.hexsession_id = hexsession_id:2f0ce0e2da2e2bf11eae2ab98e9734412d47a19a ++Ctrl.type = type:F ++Output = 013a20fc8f53ef08aae0a836b9410153a877983a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100c050aa3d848750af69d1c04d6cb0a1ef8a4f25be4b16c927ff7313e83680b1b7a92b6100fa773cea9958fc7efb1a475fc71eda8be8efc92ad198a34d6ae017f12b76f39c82b741994b0d42ada1807fa7803876d21d93b129d75dc9aba4811ef51925e49e4bf4f5313e8fee0625d8727da8bcb15eb15da2d237082fc5499621ef ++Ctrl.hexxcghash = hexxcghash:5ea2568ee7ddcdb3260dfdf54e15e4d494ca9023 ++Ctrl.hexsession_id = hexsession_id:bc8988ac5f9058ee76536472b1706c5c338bd114 ++Ctrl.type = type:A ++Output = 12f6c3ac60d6ee3b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100c050aa3d848750af69d1c04d6cb0a1ef8a4f25be4b16c927ff7313e83680b1b7a92b6100fa773cea9958fc7efb1a475fc71eda8be8efc92ad198a34d6ae017f12b76f39c82b741994b0d42ada1807fa7803876d21d93b129d75dc9aba4811ef51925e49e4bf4f5313e8fee0625d8727da8bcb15eb15da2d237082fc5499621ef ++Ctrl.hexxcghash = hexxcghash:5ea2568ee7ddcdb3260dfdf54e15e4d494ca9023 ++Ctrl.hexsession_id = hexsession_id:bc8988ac5f9058ee76536472b1706c5c338bd114 ++Ctrl.type = type:B ++Output = 536d106e00aec6fd ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100c050aa3d848750af69d1c04d6cb0a1ef8a4f25be4b16c927ff7313e83680b1b7a92b6100fa773cea9958fc7efb1a475fc71eda8be8efc92ad198a34d6ae017f12b76f39c82b741994b0d42ada1807fa7803876d21d93b129d75dc9aba4811ef51925e49e4bf4f5313e8fee0625d8727da8bcb15eb15da2d237082fc5499621ef ++Ctrl.hexxcghash = hexxcghash:5ea2568ee7ddcdb3260dfdf54e15e4d494ca9023 ++Ctrl.hexsession_id = hexsession_id:bc8988ac5f9058ee76536472b1706c5c338bd114 ++Ctrl.type = type:C ++Output = 26b8ec66854d0f0aa98f6888be628ebc75900c3738d47894 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100c050aa3d848750af69d1c04d6cb0a1ef8a4f25be4b16c927ff7313e83680b1b7a92b6100fa773cea9958fc7efb1a475fc71eda8be8efc92ad198a34d6ae017f12b76f39c82b741994b0d42ada1807fa7803876d21d93b129d75dc9aba4811ef51925e49e4bf4f5313e8fee0625d8727da8bcb15eb15da2d237082fc5499621ef ++Ctrl.hexxcghash = hexxcghash:5ea2568ee7ddcdb3260dfdf54e15e4d494ca9023 ++Ctrl.hexsession_id = hexsession_id:bc8988ac5f9058ee76536472b1706c5c338bd114 ++Ctrl.type = type:D ++Output = d5d3b3817214eeb3bf292dffc77daeab062ac7fcd2e3a2bd ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100c050aa3d848750af69d1c04d6cb0a1ef8a4f25be4b16c927ff7313e83680b1b7a92b6100fa773cea9958fc7efb1a475fc71eda8be8efc92ad198a34d6ae017f12b76f39c82b741994b0d42ada1807fa7803876d21d93b129d75dc9aba4811ef51925e49e4bf4f5313e8fee0625d8727da8bcb15eb15da2d237082fc5499621ef ++Ctrl.hexxcghash = hexxcghash:5ea2568ee7ddcdb3260dfdf54e15e4d494ca9023 ++Ctrl.hexsession_id = hexsession_id:bc8988ac5f9058ee76536472b1706c5c338bd114 ++Ctrl.type = type:E ++Output = 014613aef22194307bc0678f6edd1ccff240adfa ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100c050aa3d848750af69d1c04d6cb0a1ef8a4f25be4b16c927ff7313e83680b1b7a92b6100fa773cea9958fc7efb1a475fc71eda8be8efc92ad198a34d6ae017f12b76f39c82b741994b0d42ada1807fa7803876d21d93b129d75dc9aba4811ef51925e49e4bf4f5313e8fee0625d8727da8bcb15eb15da2d237082fc5499621ef ++Ctrl.hexxcghash = hexxcghash:5ea2568ee7ddcdb3260dfdf54e15e4d494ca9023 ++Ctrl.hexsession_id = hexsession_id:bc8988ac5f9058ee76536472b1706c5c338bd114 ++Ctrl.type = type:F ++Output = 5057b4cc2c300f7546d358a75daf58233b71da1a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100f00388418be28ae3235c5b640d000df44f6e65782cad783726a507e2c645a056307f1ab7b4cd24d38640118105d7415c2ecea77e33e7b8a9dc9d205e3fdfb718769754213c0782ee18c7db1408e780369bccfb8233581cda4fbb133b3c41d0a7afa6996f31f8dd36fa3dd82efb23dcaa1ec5e37caae3af639123190fe7795983 ++Ctrl.hexxcghash = hexxcghash:fc48c85ac48ee97be3ce45c10807a666e8e9b639 ++Ctrl.hexsession_id = hexsession_id:d36e8c070b97795dfb10a3c2e41e4d0d70382606 ++Ctrl.type = type:A ++Output = d160f91f36027ff9 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100f00388418be28ae3235c5b640d000df44f6e65782cad783726a507e2c645a056307f1ab7b4cd24d38640118105d7415c2ecea77e33e7b8a9dc9d205e3fdfb718769754213c0782ee18c7db1408e780369bccfb8233581cda4fbb133b3c41d0a7afa6996f31f8dd36fa3dd82efb23dcaa1ec5e37caae3af639123190fe7795983 ++Ctrl.hexxcghash = hexxcghash:fc48c85ac48ee97be3ce45c10807a666e8e9b639 ++Ctrl.hexsession_id = hexsession_id:d36e8c070b97795dfb10a3c2e41e4d0d70382606 ++Ctrl.type = type:B ++Output = 0d02ec310663bbcc ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100f00388418be28ae3235c5b640d000df44f6e65782cad783726a507e2c645a056307f1ab7b4cd24d38640118105d7415c2ecea77e33e7b8a9dc9d205e3fdfb718769754213c0782ee18c7db1408e780369bccfb8233581cda4fbb133b3c41d0a7afa6996f31f8dd36fa3dd82efb23dcaa1ec5e37caae3af639123190fe7795983 ++Ctrl.hexxcghash = hexxcghash:fc48c85ac48ee97be3ce45c10807a666e8e9b639 ++Ctrl.hexsession_id = hexsession_id:d36e8c070b97795dfb10a3c2e41e4d0d70382606 ++Ctrl.type = type:C ++Output = 03b66f451ad93a01914dd3372d980bea3de94993e176ea01 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100f00388418be28ae3235c5b640d000df44f6e65782cad783726a507e2c645a056307f1ab7b4cd24d38640118105d7415c2ecea77e33e7b8a9dc9d205e3fdfb718769754213c0782ee18c7db1408e780369bccfb8233581cda4fbb133b3c41d0a7afa6996f31f8dd36fa3dd82efb23dcaa1ec5e37caae3af639123190fe7795983 ++Ctrl.hexxcghash = hexxcghash:fc48c85ac48ee97be3ce45c10807a666e8e9b639 ++Ctrl.hexsession_id = hexsession_id:d36e8c070b97795dfb10a3c2e41e4d0d70382606 ++Ctrl.type = type:D ++Output = c2db767cbbdf2f839eb2f37ada87a041d220b9f58842d0db ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100f00388418be28ae3235c5b640d000df44f6e65782cad783726a507e2c645a056307f1ab7b4cd24d38640118105d7415c2ecea77e33e7b8a9dc9d205e3fdfb718769754213c0782ee18c7db1408e780369bccfb8233581cda4fbb133b3c41d0a7afa6996f31f8dd36fa3dd82efb23dcaa1ec5e37caae3af639123190fe7795983 ++Ctrl.hexxcghash = hexxcghash:fc48c85ac48ee97be3ce45c10807a666e8e9b639 ++Ctrl.hexsession_id = hexsession_id:d36e8c070b97795dfb10a3c2e41e4d0d70382606 ++Ctrl.type = type:E ++Output = 0b2944c26dcf4cc877cdc55c4e9b1b8155e3874b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100f00388418be28ae3235c5b640d000df44f6e65782cad783726a507e2c645a056307f1ab7b4cd24d38640118105d7415c2ecea77e33e7b8a9dc9d205e3fdfb718769754213c0782ee18c7db1408e780369bccfb8233581cda4fbb133b3c41d0a7afa6996f31f8dd36fa3dd82efb23dcaa1ec5e37caae3af639123190fe7795983 ++Ctrl.hexxcghash = hexxcghash:fc48c85ac48ee97be3ce45c10807a666e8e9b639 ++Ctrl.hexsession_id = hexsession_id:d36e8c070b97795dfb10a3c2e41e4d0d70382606 ++Ctrl.type = type:F ++Output = f7977d574c7d9e4f34ecd6b405c765963f0dfe57 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:00000081009dc61278a79fdb00ee937c0418668ac0176fdfd0297ebc86ee391e3e8db147f01d782650f1e30391d3c1fe62425842119fe41b76243ed47f6c30370dd1cc1b10e3bdac2730287b0e5901e487563d700d56078ed88d20c300250a3da5f2128db56230d90bb99e90aca80da446d8dddac49e2f2db1b37f9e1b65834adf8fdbcd31 ++Ctrl.hexxcghash = hexxcghash:3c63a552ac5313d219ec30f1e926e2c52e992929 ++Ctrl.hexsession_id = hexsession_id:a17e0e9cc2741d861f4c7195c29c75e4c38e9ba0 ++Ctrl.type = type:A ++Output = e4387818ab7f4fa6 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:00000081009dc61278a79fdb00ee937c0418668ac0176fdfd0297ebc86ee391e3e8db147f01d782650f1e30391d3c1fe62425842119fe41b76243ed47f6c30370dd1cc1b10e3bdac2730287b0e5901e487563d700d56078ed88d20c300250a3da5f2128db56230d90bb99e90aca80da446d8dddac49e2f2db1b37f9e1b65834adf8fdbcd31 ++Ctrl.hexxcghash = hexxcghash:3c63a552ac5313d219ec30f1e926e2c52e992929 ++Ctrl.hexsession_id = hexsession_id:a17e0e9cc2741d861f4c7195c29c75e4c38e9ba0 ++Ctrl.type = type:B ++Output = 1daabebcc8a064df ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:00000081009dc61278a79fdb00ee937c0418668ac0176fdfd0297ebc86ee391e3e8db147f01d782650f1e30391d3c1fe62425842119fe41b76243ed47f6c30370dd1cc1b10e3bdac2730287b0e5901e487563d700d56078ed88d20c300250a3da5f2128db56230d90bb99e90aca80da446d8dddac49e2f2db1b37f9e1b65834adf8fdbcd31 ++Ctrl.hexxcghash = hexxcghash:3c63a552ac5313d219ec30f1e926e2c52e992929 ++Ctrl.hexsession_id = hexsession_id:a17e0e9cc2741d861f4c7195c29c75e4c38e9ba0 ++Ctrl.type = type:C ++Output = 9fffad3aec53cd719c1d500850c2f38d8eea04606f78b402 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:00000081009dc61278a79fdb00ee937c0418668ac0176fdfd0297ebc86ee391e3e8db147f01d782650f1e30391d3c1fe62425842119fe41b76243ed47f6c30370dd1cc1b10e3bdac2730287b0e5901e487563d700d56078ed88d20c300250a3da5f2128db56230d90bb99e90aca80da446d8dddac49e2f2db1b37f9e1b65834adf8fdbcd31 ++Ctrl.hexxcghash = hexxcghash:3c63a552ac5313d219ec30f1e926e2c52e992929 ++Ctrl.hexsession_id = hexsession_id:a17e0e9cc2741d861f4c7195c29c75e4c38e9ba0 ++Ctrl.type = type:D ++Output = 6b196bce2aa2bd912ffd67a94fc42dec1051376f73ec3ce2 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:00000081009dc61278a79fdb00ee937c0418668ac0176fdfd0297ebc86ee391e3e8db147f01d782650f1e30391d3c1fe62425842119fe41b76243ed47f6c30370dd1cc1b10e3bdac2730287b0e5901e487563d700d56078ed88d20c300250a3da5f2128db56230d90bb99e90aca80da446d8dddac49e2f2db1b37f9e1b65834adf8fdbcd31 ++Ctrl.hexxcghash = hexxcghash:3c63a552ac5313d219ec30f1e926e2c52e992929 ++Ctrl.hexsession_id = hexsession_id:a17e0e9cc2741d861f4c7195c29c75e4c38e9ba0 ++Ctrl.type = type:E ++Output = beab583906e6bed005558c102a5b5fd6ee71485f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:00000081009dc61278a79fdb00ee937c0418668ac0176fdfd0297ebc86ee391e3e8db147f01d782650f1e30391d3c1fe62425842119fe41b76243ed47f6c30370dd1cc1b10e3bdac2730287b0e5901e487563d700d56078ed88d20c300250a3da5f2128db56230d90bb99e90aca80da446d8dddac49e2f2db1b37f9e1b65834adf8fdbcd31 ++Ctrl.hexxcghash = hexxcghash:3c63a552ac5313d219ec30f1e926e2c52e992929 ++Ctrl.hexsession_id = hexsession_id:a17e0e9cc2741d861f4c7195c29c75e4c38e9ba0 ++Ctrl.type = type:F ++Output = 105140594b5b9061de7ff2afac09bce81b75d6c6 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100df75bb7ce0b66431ca073a5768dbc6930b024b8d6804a5ef9f3f3c9341b8c8b7216eaf26536ac671ab360eff568502e596adbf41b795d329d136ebe44c60ff4ffd58ed99b40a228cab6c8ed9733702e75f7750e58f04cbb78402eec2877205a0ba3f48318543489dc4885dcdc51c4658acbc28f9a82c563ac20b582cff8c432d ++Ctrl.hexxcghash = hexxcghash:c08ddd40832cc96fe373b67a4850b86848e48f70 ++Ctrl.hexsession_id = hexsession_id:477c8d32e73a475707e0085cf235d605ed564a1c ++Ctrl.type = type:A ++Output = ef982c8fd0fd464f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100df75bb7ce0b66431ca073a5768dbc6930b024b8d6804a5ef9f3f3c9341b8c8b7216eaf26536ac671ab360eff568502e596adbf41b795d329d136ebe44c60ff4ffd58ed99b40a228cab6c8ed9733702e75f7750e58f04cbb78402eec2877205a0ba3f48318543489dc4885dcdc51c4658acbc28f9a82c563ac20b582cff8c432d ++Ctrl.hexxcghash = hexxcghash:c08ddd40832cc96fe373b67a4850b86848e48f70 ++Ctrl.hexsession_id = hexsession_id:477c8d32e73a475707e0085cf235d605ed564a1c ++Ctrl.type = type:B ++Output = 845ad3ba4d359326 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100df75bb7ce0b66431ca073a5768dbc6930b024b8d6804a5ef9f3f3c9341b8c8b7216eaf26536ac671ab360eff568502e596adbf41b795d329d136ebe44c60ff4ffd58ed99b40a228cab6c8ed9733702e75f7750e58f04cbb78402eec2877205a0ba3f48318543489dc4885dcdc51c4658acbc28f9a82c563ac20b582cff8c432d ++Ctrl.hexxcghash = hexxcghash:c08ddd40832cc96fe373b67a4850b86848e48f70 ++Ctrl.hexsession_id = hexsession_id:477c8d32e73a475707e0085cf235d605ed564a1c ++Ctrl.type = type:C ++Output = d9e516001b6b1a17268e507fa6e13f6bc9c3ded0020ef841 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100df75bb7ce0b66431ca073a5768dbc6930b024b8d6804a5ef9f3f3c9341b8c8b7216eaf26536ac671ab360eff568502e596adbf41b795d329d136ebe44c60ff4ffd58ed99b40a228cab6c8ed9733702e75f7750e58f04cbb78402eec2877205a0ba3f48318543489dc4885dcdc51c4658acbc28f9a82c563ac20b582cff8c432d ++Ctrl.hexxcghash = hexxcghash:c08ddd40832cc96fe373b67a4850b86848e48f70 ++Ctrl.hexsession_id = hexsession_id:477c8d32e73a475707e0085cf235d605ed564a1c ++Ctrl.type = type:D ++Output = d57d2f3c25b536442d8c7f36d62778d06fb6e7d4b5c7ab76 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100df75bb7ce0b66431ca073a5768dbc6930b024b8d6804a5ef9f3f3c9341b8c8b7216eaf26536ac671ab360eff568502e596adbf41b795d329d136ebe44c60ff4ffd58ed99b40a228cab6c8ed9733702e75f7750e58f04cbb78402eec2877205a0ba3f48318543489dc4885dcdc51c4658acbc28f9a82c563ac20b582cff8c432d ++Ctrl.hexxcghash = hexxcghash:c08ddd40832cc96fe373b67a4850b86848e48f70 ++Ctrl.hexsession_id = hexsession_id:477c8d32e73a475707e0085cf235d605ed564a1c ++Ctrl.type = type:E ++Output = f0b75425b271eb82645b1f1424b2a838dbcf6f98 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008100df75bb7ce0b66431ca073a5768dbc6930b024b8d6804a5ef9f3f3c9341b8c8b7216eaf26536ac671ab360eff568502e596adbf41b795d329d136ebe44c60ff4ffd58ed99b40a228cab6c8ed9733702e75f7750e58f04cbb78402eec2877205a0ba3f48318543489dc4885dcdc51c4658acbc28f9a82c563ac20b582cff8c432d ++Ctrl.hexxcghash = hexxcghash:c08ddd40832cc96fe373b67a4850b86848e48f70 ++Ctrl.hexsession_id = hexsession_id:477c8d32e73a475707e0085cf235d605ed564a1c ++Ctrl.type = type:F ++Output = cdf59b2327588ffd18becfc0e5bb526014101401 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001010085a60bcca88b096c418e825f3de4fd8920ecce617afadda2ca8001e8eba07e58e60e70a9a05b8ddc29d5636d33c407d5f23952b65326e113f28d89bc6ba3a4c3b71ae239d6d1bd295466682d1c675bdb88a3259f474fe54a0f4004ddc46b442451654e1e66d0c93d7b310f28a8db7b95eee7abc61e71dee322b4e732baf9ec7ce189b889d536da1a55a2cc29e1666aa9c0e702f4412206bd207302fe84043c664394bde0e0a47d0a7a947c95997e1dbaeecd2efae12cacef8eab2f6b2478dedcebb3264827cf226e13f8082931db410fbc03352e7dde82fd1f58caab3115aa065ac6e2a1c7b1c1b2d5fa3447bf9839d76cfa5822b097bff9106f37eba1250145 ++Ctrl.hexxcghash = hexxcghash:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03 ++Ctrl.hexsession_id = hexsession_id:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03 ++Ctrl.type = type:A ++Output = 79c9195e683ae10750960cb55c4d4c0b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001010085a60bcca88b096c418e825f3de4fd8920ecce617afadda2ca8001e8eba07e58e60e70a9a05b8ddc29d5636d33c407d5f23952b65326e113f28d89bc6ba3a4c3b71ae239d6d1bd295466682d1c675bdb88a3259f474fe54a0f4004ddc46b442451654e1e66d0c93d7b310f28a8db7b95eee7abc61e71dee322b4e732baf9ec7ce189b889d536da1a55a2cc29e1666aa9c0e702f4412206bd207302fe84043c664394bde0e0a47d0a7a947c95997e1dbaeecd2efae12cacef8eab2f6b2478dedcebb3264827cf226e13f8082931db410fbc03352e7dde82fd1f58caab3115aa065ac6e2a1c7b1c1b2d5fa3447bf9839d76cfa5822b097bff9106f37eba1250145 ++Ctrl.hexxcghash = hexxcghash:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03 ++Ctrl.hexsession_id = hexsession_id:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03 ++Ctrl.type = type:B ++Output = ef00b448ab9fd6523bb5143a0a818750 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001010085a60bcca88b096c418e825f3de4fd8920ecce617afadda2ca8001e8eba07e58e60e70a9a05b8ddc29d5636d33c407d5f23952b65326e113f28d89bc6ba3a4c3b71ae239d6d1bd295466682d1c675bdb88a3259f474fe54a0f4004ddc46b442451654e1e66d0c93d7b310f28a8db7b95eee7abc61e71dee322b4e732baf9ec7ce189b889d536da1a55a2cc29e1666aa9c0e702f4412206bd207302fe84043c664394bde0e0a47d0a7a947c95997e1dbaeecd2efae12cacef8eab2f6b2478dedcebb3264827cf226e13f8082931db410fbc03352e7dde82fd1f58caab3115aa065ac6e2a1c7b1c1b2d5fa3447bf9839d76cfa5822b097bff9106f37eba1250145 ++Ctrl.hexxcghash = hexxcghash:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03 ++Ctrl.hexsession_id = hexsession_id:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03 ++Ctrl.type = type:C ++Output = 51c8b4aaf5e42443be0aa3c50aa7e1dd ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001010085a60bcca88b096c418e825f3de4fd8920ecce617afadda2ca8001e8eba07e58e60e70a9a05b8ddc29d5636d33c407d5f23952b65326e113f28d89bc6ba3a4c3b71ae239d6d1bd295466682d1c675bdb88a3259f474fe54a0f4004ddc46b442451654e1e66d0c93d7b310f28a8db7b95eee7abc61e71dee322b4e732baf9ec7ce189b889d536da1a55a2cc29e1666aa9c0e702f4412206bd207302fe84043c664394bde0e0a47d0a7a947c95997e1dbaeecd2efae12cacef8eab2f6b2478dedcebb3264827cf226e13f8082931db410fbc03352e7dde82fd1f58caab3115aa065ac6e2a1c7b1c1b2d5fa3447bf9839d76cfa5822b097bff9106f37eba1250145 ++Ctrl.hexxcghash = hexxcghash:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03 ++Ctrl.hexsession_id = hexsession_id:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03 ++Ctrl.type = type:D ++Output = 4153a587397fb14dc3faad028fdb7ecc ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001010085a60bcca88b096c418e825f3de4fd8920ecce617afadda2ca8001e8eba07e58e60e70a9a05b8ddc29d5636d33c407d5f23952b65326e113f28d89bc6ba3a4c3b71ae239d6d1bd295466682d1c675bdb88a3259f474fe54a0f4004ddc46b442451654e1e66d0c93d7b310f28a8db7b95eee7abc61e71dee322b4e732baf9ec7ce189b889d536da1a55a2cc29e1666aa9c0e702f4412206bd207302fe84043c664394bde0e0a47d0a7a947c95997e1dbaeecd2efae12cacef8eab2f6b2478dedcebb3264827cf226e13f8082931db410fbc03352e7dde82fd1f58caab3115aa065ac6e2a1c7b1c1b2d5fa3447bf9839d76cfa5822b097bff9106f37eba1250145 ++Ctrl.hexxcghash = hexxcghash:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03 ++Ctrl.hexsession_id = hexsession_id:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03 ++Ctrl.type = type:E ++Output = d23e36347052a1cfb4a7789df48627e8a31345c7 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001010085a60bcca88b096c418e825f3de4fd8920ecce617afadda2ca8001e8eba07e58e60e70a9a05b8ddc29d5636d33c407d5f23952b65326e113f28d89bc6ba3a4c3b71ae239d6d1bd295466682d1c675bdb88a3259f474fe54a0f4004ddc46b442451654e1e66d0c93d7b310f28a8db7b95eee7abc61e71dee322b4e732baf9ec7ce189b889d536da1a55a2cc29e1666aa9c0e702f4412206bd207302fe84043c664394bde0e0a47d0a7a947c95997e1dbaeecd2efae12cacef8eab2f6b2478dedcebb3264827cf226e13f8082931db410fbc03352e7dde82fd1f58caab3115aa065ac6e2a1c7b1c1b2d5fa3447bf9839d76cfa5822b097bff9106f37eba1250145 ++Ctrl.hexxcghash = hexxcghash:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03 ++Ctrl.hexsession_id = hexsession_id:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03 ++Ctrl.type = type:F ++Output = c1286e92655912d923154c460702a31424bd6b01 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010100c0724e077d7237441eb79039debaa851c0bf411e69cd5314f3c72aa45760c9969985b34291fb64bf964b719d2b989e40a0e9fbccdb23536a78f1b55ebbda809f862e8ec3561c15c4288595546e09789cbc2491050073222397957c9090b7f8f96e3fefbc5f438c72ca8bb48f6337e208ee9b3f630a8c5b40b9fafca8e55be0a0cf4046884a0a049b4557da4ddb7a344226f4707c706e96467b1568ad4d10363aa9eb04b91efbada0c1c292475ce9893a27d4a1deb4a262d980141e63756adf3d5fbcf6ebde919cfd44052984704af6ba360e190fecfc730a5e470785d3061ee5f495cd697af97f90bbc11f2e4e41e57ce25f34b9c4ec9f3c051d964ad0c036b4 ++Ctrl.hexxcghash = hexxcghash:5ae93beda675546c8a783974925aca9b365a6d8e ++Ctrl.hexsession_id = hexsession_id:bb0bfeb33b78474b2d53232b3122506992c0cae4 ++Ctrl.type = type:A ++Output = 739ad52e454ba3457735b7c5304c6578 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010100c0724e077d7237441eb79039debaa851c0bf411e69cd5314f3c72aa45760c9969985b34291fb64bf964b719d2b989e40a0e9fbccdb23536a78f1b55ebbda809f862e8ec3561c15c4288595546e09789cbc2491050073222397957c9090b7f8f96e3fefbc5f438c72ca8bb48f6337e208ee9b3f630a8c5b40b9fafca8e55be0a0cf4046884a0a049b4557da4ddb7a344226f4707c706e96467b1568ad4d10363aa9eb04b91efbada0c1c292475ce9893a27d4a1deb4a262d980141e63756adf3d5fbcf6ebde919cfd44052984704af6ba360e190fecfc730a5e470785d3061ee5f495cd697af97f90bbc11f2e4e41e57ce25f34b9c4ec9f3c051d964ad0c036b4 ++Ctrl.hexxcghash = hexxcghash:5ae93beda675546c8a783974925aca9b365a6d8e ++Ctrl.hexsession_id = hexsession_id:bb0bfeb33b78474b2d53232b3122506992c0cae4 ++Ctrl.type = type:B ++Output = 3bd9f9d9f06aa521d2f53e40fc5d9f90 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010100c0724e077d7237441eb79039debaa851c0bf411e69cd5314f3c72aa45760c9969985b34291fb64bf964b719d2b989e40a0e9fbccdb23536a78f1b55ebbda809f862e8ec3561c15c4288595546e09789cbc2491050073222397957c9090b7f8f96e3fefbc5f438c72ca8bb48f6337e208ee9b3f630a8c5b40b9fafca8e55be0a0cf4046884a0a049b4557da4ddb7a344226f4707c706e96467b1568ad4d10363aa9eb04b91efbada0c1c292475ce9893a27d4a1deb4a262d980141e63756adf3d5fbcf6ebde919cfd44052984704af6ba360e190fecfc730a5e470785d3061ee5f495cd697af97f90bbc11f2e4e41e57ce25f34b9c4ec9f3c051d964ad0c036b4 ++Ctrl.hexxcghash = hexxcghash:5ae93beda675546c8a783974925aca9b365a6d8e ++Ctrl.hexsession_id = hexsession_id:bb0bfeb33b78474b2d53232b3122506992c0cae4 ++Ctrl.type = type:C ++Output = 335cd2813bebd3d5e1dda4c1e14c23de ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010100c0724e077d7237441eb79039debaa851c0bf411e69cd5314f3c72aa45760c9969985b34291fb64bf964b719d2b989e40a0e9fbccdb23536a78f1b55ebbda809f862e8ec3561c15c4288595546e09789cbc2491050073222397957c9090b7f8f96e3fefbc5f438c72ca8bb48f6337e208ee9b3f630a8c5b40b9fafca8e55be0a0cf4046884a0a049b4557da4ddb7a344226f4707c706e96467b1568ad4d10363aa9eb04b91efbada0c1c292475ce9893a27d4a1deb4a262d980141e63756adf3d5fbcf6ebde919cfd44052984704af6ba360e190fecfc730a5e470785d3061ee5f495cd697af97f90bbc11f2e4e41e57ce25f34b9c4ec9f3c051d964ad0c036b4 ++Ctrl.hexxcghash = hexxcghash:5ae93beda675546c8a783974925aca9b365a6d8e ++Ctrl.hexsession_id = hexsession_id:bb0bfeb33b78474b2d53232b3122506992c0cae4 ++Ctrl.type = type:D ++Output = fd25c5ae649645d8c0cfff0d4d8e7a47 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010100c0724e077d7237441eb79039debaa851c0bf411e69cd5314f3c72aa45760c9969985b34291fb64bf964b719d2b989e40a0e9fbccdb23536a78f1b55ebbda809f862e8ec3561c15c4288595546e09789cbc2491050073222397957c9090b7f8f96e3fefbc5f438c72ca8bb48f6337e208ee9b3f630a8c5b40b9fafca8e55be0a0cf4046884a0a049b4557da4ddb7a344226f4707c706e96467b1568ad4d10363aa9eb04b91efbada0c1c292475ce9893a27d4a1deb4a262d980141e63756adf3d5fbcf6ebde919cfd44052984704af6ba360e190fecfc730a5e470785d3061ee5f495cd697af97f90bbc11f2e4e41e57ce25f34b9c4ec9f3c051d964ad0c036b4 ++Ctrl.hexxcghash = hexxcghash:5ae93beda675546c8a783974925aca9b365a6d8e ++Ctrl.hexsession_id = hexsession_id:bb0bfeb33b78474b2d53232b3122506992c0cae4 ++Ctrl.type = type:E ++Output = 90e89773d04623553d4d298e6aa75781d8a6544b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010100c0724e077d7237441eb79039debaa851c0bf411e69cd5314f3c72aa45760c9969985b34291fb64bf964b719d2b989e40a0e9fbccdb23536a78f1b55ebbda809f862e8ec3561c15c4288595546e09789cbc2491050073222397957c9090b7f8f96e3fefbc5f438c72ca8bb48f6337e208ee9b3f630a8c5b40b9fafca8e55be0a0cf4046884a0a049b4557da4ddb7a344226f4707c706e96467b1568ad4d10363aa9eb04b91efbada0c1c292475ce9893a27d4a1deb4a262d980141e63756adf3d5fbcf6ebde919cfd44052984704af6ba360e190fecfc730a5e470785d3061ee5f495cd697af97f90bbc11f2e4e41e57ce25f34b9c4ec9f3c051d964ad0c036b4 ++Ctrl.hexxcghash = hexxcghash:5ae93beda675546c8a783974925aca9b365a6d8e ++Ctrl.hexsession_id = hexsession_id:bb0bfeb33b78474b2d53232b3122506992c0cae4 ++Ctrl.type = type:F ++Output = 86a3f05a5f844b23d787cccbda37a3d773a4d049 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001004c48728c828a34a5ff90188cd749d5ccf849d8f96d78072bc8c3a766e4be2c4bfdb8d0310225f05b0373fa582b5a9e78b6a05d958a7b82d944d00697a1ef2119e7545bdf2c6dc2e8cb2215ff58a0163c116b0b326caa50e6384e4e4ab424bfada5d15af1d22f34dc5f8bfd5c823c4b9253fe858a9d7f17bf0be17951bce751b8c2f0b3be25bad6054b39fb2d687d4e69c07d79f4952e65315b1f712cee11707a4984f29df9aac7a7274772f60a2f207ec6a35e1478aa9ae8045dc53417b220bf60124d988e376bf18414400bbe2ac4654716fd26b3a90ae53215ff906364ef82a08686a1977126c64d6d3f381e8477d55f8e79a0e0719089e073fffdbf828cde ++Ctrl.hexxcghash = hexxcghash:edeac369fd19f7dd1e8e48d0c69f9df5fe5475b4 ++Ctrl.hexsession_id = hexsession_id:30d9cd8d63a203aeff4a99d8c299676f21a2c74e ++Ctrl.type = type:A ++Output = d2d06d589e6e696556e3d44d7d05decb ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001004c48728c828a34a5ff90188cd749d5ccf849d8f96d78072bc8c3a766e4be2c4bfdb8d0310225f05b0373fa582b5a9e78b6a05d958a7b82d944d00697a1ef2119e7545bdf2c6dc2e8cb2215ff58a0163c116b0b326caa50e6384e4e4ab424bfada5d15af1d22f34dc5f8bfd5c823c4b9253fe858a9d7f17bf0be17951bce751b8c2f0b3be25bad6054b39fb2d687d4e69c07d79f4952e65315b1f712cee11707a4984f29df9aac7a7274772f60a2f207ec6a35e1478aa9ae8045dc53417b220bf60124d988e376bf18414400bbe2ac4654716fd26b3a90ae53215ff906364ef82a08686a1977126c64d6d3f381e8477d55f8e79a0e0719089e073fffdbf828cde ++Ctrl.hexxcghash = hexxcghash:edeac369fd19f7dd1e8e48d0c69f9df5fe5475b4 ++Ctrl.hexsession_id = hexsession_id:30d9cd8d63a203aeff4a99d8c299676f21a2c74e ++Ctrl.type = type:B ++Output = 14e3a886b715206e837b70fe7c02b941 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001004c48728c828a34a5ff90188cd749d5ccf849d8f96d78072bc8c3a766e4be2c4bfdb8d0310225f05b0373fa582b5a9e78b6a05d958a7b82d944d00697a1ef2119e7545bdf2c6dc2e8cb2215ff58a0163c116b0b326caa50e6384e4e4ab424bfada5d15af1d22f34dc5f8bfd5c823c4b9253fe858a9d7f17bf0be17951bce751b8c2f0b3be25bad6054b39fb2d687d4e69c07d79f4952e65315b1f712cee11707a4984f29df9aac7a7274772f60a2f207ec6a35e1478aa9ae8045dc53417b220bf60124d988e376bf18414400bbe2ac4654716fd26b3a90ae53215ff906364ef82a08686a1977126c64d6d3f381e8477d55f8e79a0e0719089e073fffdbf828cde ++Ctrl.hexxcghash = hexxcghash:edeac369fd19f7dd1e8e48d0c69f9df5fe5475b4 ++Ctrl.hexsession_id = hexsession_id:30d9cd8d63a203aeff4a99d8c299676f21a2c74e ++Ctrl.type = type:C ++Output = 98625cf9741819273a0d6852ca7ab592 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001004c48728c828a34a5ff90188cd749d5ccf849d8f96d78072bc8c3a766e4be2c4bfdb8d0310225f05b0373fa582b5a9e78b6a05d958a7b82d944d00697a1ef2119e7545bdf2c6dc2e8cb2215ff58a0163c116b0b326caa50e6384e4e4ab424bfada5d15af1d22f34dc5f8bfd5c823c4b9253fe858a9d7f17bf0be17951bce751b8c2f0b3be25bad6054b39fb2d687d4e69c07d79f4952e65315b1f712cee11707a4984f29df9aac7a7274772f60a2f207ec6a35e1478aa9ae8045dc53417b220bf60124d988e376bf18414400bbe2ac4654716fd26b3a90ae53215ff906364ef82a08686a1977126c64d6d3f381e8477d55f8e79a0e0719089e073fffdbf828cde ++Ctrl.hexxcghash = hexxcghash:edeac369fd19f7dd1e8e48d0c69f9df5fe5475b4 ++Ctrl.hexsession_id = hexsession_id:30d9cd8d63a203aeff4a99d8c299676f21a2c74e ++Ctrl.type = type:D ++Output = a7b273f04d537856015e06075c94c398 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001004c48728c828a34a5ff90188cd749d5ccf849d8f96d78072bc8c3a766e4be2c4bfdb8d0310225f05b0373fa582b5a9e78b6a05d958a7b82d944d00697a1ef2119e7545bdf2c6dc2e8cb2215ff58a0163c116b0b326caa50e6384e4e4ab424bfada5d15af1d22f34dc5f8bfd5c823c4b9253fe858a9d7f17bf0be17951bce751b8c2f0b3be25bad6054b39fb2d687d4e69c07d79f4952e65315b1f712cee11707a4984f29df9aac7a7274772f60a2f207ec6a35e1478aa9ae8045dc53417b220bf60124d988e376bf18414400bbe2ac4654716fd26b3a90ae53215ff906364ef82a08686a1977126c64d6d3f381e8477d55f8e79a0e0719089e073fffdbf828cde ++Ctrl.hexxcghash = hexxcghash:edeac369fd19f7dd1e8e48d0c69f9df5fe5475b4 ++Ctrl.hexsession_id = hexsession_id:30d9cd8d63a203aeff4a99d8c299676f21a2c74e ++Ctrl.type = type:E ++Output = 3e1afa980d05ec30e9a55331ac301c10305999e2 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001004c48728c828a34a5ff90188cd749d5ccf849d8f96d78072bc8c3a766e4be2c4bfdb8d0310225f05b0373fa582b5a9e78b6a05d958a7b82d944d00697a1ef2119e7545bdf2c6dc2e8cb2215ff58a0163c116b0b326caa50e6384e4e4ab424bfada5d15af1d22f34dc5f8bfd5c823c4b9253fe858a9d7f17bf0be17951bce751b8c2f0b3be25bad6054b39fb2d687d4e69c07d79f4952e65315b1f712cee11707a4984f29df9aac7a7274772f60a2f207ec6a35e1478aa9ae8045dc53417b220bf60124d988e376bf18414400bbe2ac4654716fd26b3a90ae53215ff906364ef82a08686a1977126c64d6d3f381e8477d55f8e79a0e0719089e073fffdbf828cde ++Ctrl.hexxcghash = hexxcghash:edeac369fd19f7dd1e8e48d0c69f9df5fe5475b4 ++Ctrl.hexsession_id = hexsession_id:30d9cd8d63a203aeff4a99d8c299676f21a2c74e ++Ctrl.type = type:F ++Output = b993c4254669c7a51ed713ddaf7174fd5296fe57 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010100f6fa934f303a9db720352fca5a6bae671857d44053d61132a6d36d76cee686fd31ea796407306ad3cb500f99b8881641ce304217910179ca03d3638c89419127542d2f6eea999c637070a3a2e2d17419fd2d53a23dc0bbad1333089a64c232c4328ca5d6db233777a93932407741a9fe4c8efd13e9f2f411368fd2035d05175f8710b79a77bd4749df3027eef44f1d050fd01458cd1c6d1fe67d774f4e056533305ad39ecf5a6e4898186b8b66e95c9546081c7df6df7a433887bb0333d0fb16418bb2d399b2be0b02978e5bbc97b57e67e88aa073ba3280a386209029bdc3d8f448eb18e29c87811142629827c54aa19d150b6eb6fb7a33d746b11d27d9d474 ++Ctrl.hexxcghash = hexxcghash:6dffed964fd4044cb99b5f8770abef82d02c1cd1 ++Ctrl.hexsession_id = hexsession_id:d98f1e884633c4632568e1dd0a54e4c8508c279d ++Ctrl.type = type:A ++Output = d9c0ed6b7fbf066d4f3cff7d2585ef5b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010100f6fa934f303a9db720352fca5a6bae671857d44053d61132a6d36d76cee686fd31ea796407306ad3cb500f99b8881641ce304217910179ca03d3638c89419127542d2f6eea999c637070a3a2e2d17419fd2d53a23dc0bbad1333089a64c232c4328ca5d6db233777a93932407741a9fe4c8efd13e9f2f411368fd2035d05175f8710b79a77bd4749df3027eef44f1d050fd01458cd1c6d1fe67d774f4e056533305ad39ecf5a6e4898186b8b66e95c9546081c7df6df7a433887bb0333d0fb16418bb2d399b2be0b02978e5bbc97b57e67e88aa073ba3280a386209029bdc3d8f448eb18e29c87811142629827c54aa19d150b6eb6fb7a33d746b11d27d9d474 ++Ctrl.hexxcghash = hexxcghash:6dffed964fd4044cb99b5f8770abef82d02c1cd1 ++Ctrl.hexsession_id = hexsession_id:d98f1e884633c4632568e1dd0a54e4c8508c279d ++Ctrl.type = type:B ++Output = da13833aa2c086e5d76595132f4e5fc6 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010100f6fa934f303a9db720352fca5a6bae671857d44053d61132a6d36d76cee686fd31ea796407306ad3cb500f99b8881641ce304217910179ca03d3638c89419127542d2f6eea999c637070a3a2e2d17419fd2d53a23dc0bbad1333089a64c232c4328ca5d6db233777a93932407741a9fe4c8efd13e9f2f411368fd2035d05175f8710b79a77bd4749df3027eef44f1d050fd01458cd1c6d1fe67d774f4e056533305ad39ecf5a6e4898186b8b66e95c9546081c7df6df7a433887bb0333d0fb16418bb2d399b2be0b02978e5bbc97b57e67e88aa073ba3280a386209029bdc3d8f448eb18e29c87811142629827c54aa19d150b6eb6fb7a33d746b11d27d9d474 ++Ctrl.hexxcghash = hexxcghash:6dffed964fd4044cb99b5f8770abef82d02c1cd1 ++Ctrl.hexsession_id = hexsession_id:d98f1e884633c4632568e1dd0a54e4c8508c279d ++Ctrl.type = type:C ++Output = 9e27400587b646397a7655be0e5763ec ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010100f6fa934f303a9db720352fca5a6bae671857d44053d61132a6d36d76cee686fd31ea796407306ad3cb500f99b8881641ce304217910179ca03d3638c89419127542d2f6eea999c637070a3a2e2d17419fd2d53a23dc0bbad1333089a64c232c4328ca5d6db233777a93932407741a9fe4c8efd13e9f2f411368fd2035d05175f8710b79a77bd4749df3027eef44f1d050fd01458cd1c6d1fe67d774f4e056533305ad39ecf5a6e4898186b8b66e95c9546081c7df6df7a433887bb0333d0fb16418bb2d399b2be0b02978e5bbc97b57e67e88aa073ba3280a386209029bdc3d8f448eb18e29c87811142629827c54aa19d150b6eb6fb7a33d746b11d27d9d474 ++Ctrl.hexxcghash = hexxcghash:6dffed964fd4044cb99b5f8770abef82d02c1cd1 ++Ctrl.hexsession_id = hexsession_id:d98f1e884633c4632568e1dd0a54e4c8508c279d ++Ctrl.type = type:D ++Output = 91b95d5cce7f2aec14776f49f652a305 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010100f6fa934f303a9db720352fca5a6bae671857d44053d61132a6d36d76cee686fd31ea796407306ad3cb500f99b8881641ce304217910179ca03d3638c89419127542d2f6eea999c637070a3a2e2d17419fd2d53a23dc0bbad1333089a64c232c4328ca5d6db233777a93932407741a9fe4c8efd13e9f2f411368fd2035d05175f8710b79a77bd4749df3027eef44f1d050fd01458cd1c6d1fe67d774f4e056533305ad39ecf5a6e4898186b8b66e95c9546081c7df6df7a433887bb0333d0fb16418bb2d399b2be0b02978e5bbc97b57e67e88aa073ba3280a386209029bdc3d8f448eb18e29c87811142629827c54aa19d150b6eb6fb7a33d746b11d27d9d474 ++Ctrl.hexxcghash = hexxcghash:6dffed964fd4044cb99b5f8770abef82d02c1cd1 ++Ctrl.hexsession_id = hexsession_id:d98f1e884633c4632568e1dd0a54e4c8508c279d ++Ctrl.type = type:E ++Output = a97dc9a99e37c983a4922cd2ecdfa394b71141ce ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010100f6fa934f303a9db720352fca5a6bae671857d44053d61132a6d36d76cee686fd31ea796407306ad3cb500f99b8881641ce304217910179ca03d3638c89419127542d2f6eea999c637070a3a2e2d17419fd2d53a23dc0bbad1333089a64c232c4328ca5d6db233777a93932407741a9fe4c8efd13e9f2f411368fd2035d05175f8710b79a77bd4749df3027eef44f1d050fd01458cd1c6d1fe67d774f4e056533305ad39ecf5a6e4898186b8b66e95c9546081c7df6df7a433887bb0333d0fb16418bb2d399b2be0b02978e5bbc97b57e67e88aa073ba3280a386209029bdc3d8f448eb18e29c87811142629827c54aa19d150b6eb6fb7a33d746b11d27d9d474 ++Ctrl.hexxcghash = hexxcghash:6dffed964fd4044cb99b5f8770abef82d02c1cd1 ++Ctrl.hexsession_id = hexsession_id:d98f1e884633c4632568e1dd0a54e4c8508c279d ++Ctrl.type = type:F ++Output = 173d846f9790c742ca86af4bff5f965c6088a05b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001000a341cb148554046ac79686473c7e924486ae79c9dd1878a647687d3562cc81e5379c20df44edd6bfa8b9a26cdc06c6eb5f02272f90992ef58c65fe3e98725e9434a8512aef4c2093d27c57a1aee5f5b6861025001d20b5bc8666c4930107f563035bca6ddc91ff9d15ebb56d2628146d3baa3c6f81dc73602518c2aef4906e08b2ffa67e4528d92b1b3bcbd3a9e421d86413bb355574bb68f94bf75221918ca4f6624445b0afa0c26e270788490cbab1abd41a42200ab9e76a2f8b8ffbe0c5ef7a230b5bf7018cfd170ccd009058092d2446ebe73c5f0bf2d9ceca311502af621880eb18e46edc7832765c00e2599fbb82402b039eb5c5ae376690a717c0344 ++Ctrl.hexxcghash = hexxcghash:4cee9b1867e94911e8f9fbd9ec3375d25c955f97 ++Ctrl.hexsession_id = hexsession_id:2aefdaa6f14ac3ec200a951fd74433cddc01193a ++Ctrl.type = type:A ++Output = 6fa496847cda7367cb32b8be9aae3f85 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001000a341cb148554046ac79686473c7e924486ae79c9dd1878a647687d3562cc81e5379c20df44edd6bfa8b9a26cdc06c6eb5f02272f90992ef58c65fe3e98725e9434a8512aef4c2093d27c57a1aee5f5b6861025001d20b5bc8666c4930107f563035bca6ddc91ff9d15ebb56d2628146d3baa3c6f81dc73602518c2aef4906e08b2ffa67e4528d92b1b3bcbd3a9e421d86413bb355574bb68f94bf75221918ca4f6624445b0afa0c26e270788490cbab1abd41a42200ab9e76a2f8b8ffbe0c5ef7a230b5bf7018cfd170ccd009058092d2446ebe73c5f0bf2d9ceca311502af621880eb18e46edc7832765c00e2599fbb82402b039eb5c5ae376690a717c0344 ++Ctrl.hexxcghash = hexxcghash:4cee9b1867e94911e8f9fbd9ec3375d25c955f97 ++Ctrl.hexsession_id = hexsession_id:2aefdaa6f14ac3ec200a951fd74433cddc01193a ++Ctrl.type = type:B ++Output = 702ac8636520b7c6169ddc660781de9f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001000a341cb148554046ac79686473c7e924486ae79c9dd1878a647687d3562cc81e5379c20df44edd6bfa8b9a26cdc06c6eb5f02272f90992ef58c65fe3e98725e9434a8512aef4c2093d27c57a1aee5f5b6861025001d20b5bc8666c4930107f563035bca6ddc91ff9d15ebb56d2628146d3baa3c6f81dc73602518c2aef4906e08b2ffa67e4528d92b1b3bcbd3a9e421d86413bb355574bb68f94bf75221918ca4f6624445b0afa0c26e270788490cbab1abd41a42200ab9e76a2f8b8ffbe0c5ef7a230b5bf7018cfd170ccd009058092d2446ebe73c5f0bf2d9ceca311502af621880eb18e46edc7832765c00e2599fbb82402b039eb5c5ae376690a717c0344 ++Ctrl.hexxcghash = hexxcghash:4cee9b1867e94911e8f9fbd9ec3375d25c955f97 ++Ctrl.hexsession_id = hexsession_id:2aefdaa6f14ac3ec200a951fd74433cddc01193a ++Ctrl.type = type:C ++Output = 6ffd703180af7c2207d5fa9e467272e3 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001000a341cb148554046ac79686473c7e924486ae79c9dd1878a647687d3562cc81e5379c20df44edd6bfa8b9a26cdc06c6eb5f02272f90992ef58c65fe3e98725e9434a8512aef4c2093d27c57a1aee5f5b6861025001d20b5bc8666c4930107f563035bca6ddc91ff9d15ebb56d2628146d3baa3c6f81dc73602518c2aef4906e08b2ffa67e4528d92b1b3bcbd3a9e421d86413bb355574bb68f94bf75221918ca4f6624445b0afa0c26e270788490cbab1abd41a42200ab9e76a2f8b8ffbe0c5ef7a230b5bf7018cfd170ccd009058092d2446ebe73c5f0bf2d9ceca311502af621880eb18e46edc7832765c00e2599fbb82402b039eb5c5ae376690a717c0344 ++Ctrl.hexxcghash = hexxcghash:4cee9b1867e94911e8f9fbd9ec3375d25c955f97 ++Ctrl.hexsession_id = hexsession_id:2aefdaa6f14ac3ec200a951fd74433cddc01193a ++Ctrl.type = type:D ++Output = 7ae5281e377f230dcc9854cf995f663d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001000a341cb148554046ac79686473c7e924486ae79c9dd1878a647687d3562cc81e5379c20df44edd6bfa8b9a26cdc06c6eb5f02272f90992ef58c65fe3e98725e9434a8512aef4c2093d27c57a1aee5f5b6861025001d20b5bc8666c4930107f563035bca6ddc91ff9d15ebb56d2628146d3baa3c6f81dc73602518c2aef4906e08b2ffa67e4528d92b1b3bcbd3a9e421d86413bb355574bb68f94bf75221918ca4f6624445b0afa0c26e270788490cbab1abd41a42200ab9e76a2f8b8ffbe0c5ef7a230b5bf7018cfd170ccd009058092d2446ebe73c5f0bf2d9ceca311502af621880eb18e46edc7832765c00e2599fbb82402b039eb5c5ae376690a717c0344 ++Ctrl.hexxcghash = hexxcghash:4cee9b1867e94911e8f9fbd9ec3375d25c955f97 ++Ctrl.hexsession_id = hexsession_id:2aefdaa6f14ac3ec200a951fd74433cddc01193a ++Ctrl.type = type:E ++Output = fbcb152df7a3f12a8f174f9ca31bb31b124ae3c2 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001000a341cb148554046ac79686473c7e924486ae79c9dd1878a647687d3562cc81e5379c20df44edd6bfa8b9a26cdc06c6eb5f02272f90992ef58c65fe3e98725e9434a8512aef4c2093d27c57a1aee5f5b6861025001d20b5bc8666c4930107f563035bca6ddc91ff9d15ebb56d2628146d3baa3c6f81dc73602518c2aef4906e08b2ffa67e4528d92b1b3bcbd3a9e421d86413bb355574bb68f94bf75221918ca4f6624445b0afa0c26e270788490cbab1abd41a42200ab9e76a2f8b8ffbe0c5ef7a230b5bf7018cfd170ccd009058092d2446ebe73c5f0bf2d9ceca311502af621880eb18e46edc7832765c00e2599fbb82402b039eb5c5ae376690a717c0344 ++Ctrl.hexxcghash = hexxcghash:4cee9b1867e94911e8f9fbd9ec3375d25c955f97 ++Ctrl.hexsession_id = hexsession_id:2aefdaa6f14ac3ec200a951fd74433cddc01193a ++Ctrl.type = type:F ++Output = 3f0c57fbccfb7306cff23bdaf69d70a8a394b34b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010011afb59055b4e8e0840d76a2d28a3ec1cf3fe7e436b585eab29cc3149e1fa610d979fcc1483a0ea2b426f8e25bc87bae94bdcbeaa80501a3c554d996f1656ac9be75ecefa46273b3ab8a66468cb4a16b3630cbc41df49ebe3917b5afba24d669264e11689f1a401abc557a0c4cf22ad9323056642c2bf7fea0907ba2274b7666dd144e66e1f39371a14ccafa030bad4c6e04f7b22f1e14f9a37ad6aaa3642f66068863a74ed4a07e87494f0ace772b682845fb27efd7f1a99f09b419f43d8443302534e4c59c0d3c59736e47375ff6e96c167247c5196a7c8849adb527e9ccbfae797ea311181978197f924dcf0db7367f84baa27db6e554ba6b764550d2834f ++Ctrl.hexxcghash = hexxcghash:7ced7b72644be681615e503ecafe0c8f7124c85b ++Ctrl.hexsession_id = hexsession_id:95d4ca5b0107d3d9f94ef857d7a64f685d3fecdc ++Ctrl.type = type:A ++Output = 7e37ea52156fad1903709e1d3229721f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010011afb59055b4e8e0840d76a2d28a3ec1cf3fe7e436b585eab29cc3149e1fa610d979fcc1483a0ea2b426f8e25bc87bae94bdcbeaa80501a3c554d996f1656ac9be75ecefa46273b3ab8a66468cb4a16b3630cbc41df49ebe3917b5afba24d669264e11689f1a401abc557a0c4cf22ad9323056642c2bf7fea0907ba2274b7666dd144e66e1f39371a14ccafa030bad4c6e04f7b22f1e14f9a37ad6aaa3642f66068863a74ed4a07e87494f0ace772b682845fb27efd7f1a99f09b419f43d8443302534e4c59c0d3c59736e47375ff6e96c167247c5196a7c8849adb527e9ccbfae797ea311181978197f924dcf0db7367f84baa27db6e554ba6b764550d2834f ++Ctrl.hexxcghash = hexxcghash:7ced7b72644be681615e503ecafe0c8f7124c85b ++Ctrl.hexsession_id = hexsession_id:95d4ca5b0107d3d9f94ef857d7a64f685d3fecdc ++Ctrl.type = type:B ++Output = c15569583de413e08293bf1689a9afe8 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010011afb59055b4e8e0840d76a2d28a3ec1cf3fe7e436b585eab29cc3149e1fa610d979fcc1483a0ea2b426f8e25bc87bae94bdcbeaa80501a3c554d996f1656ac9be75ecefa46273b3ab8a66468cb4a16b3630cbc41df49ebe3917b5afba24d669264e11689f1a401abc557a0c4cf22ad9323056642c2bf7fea0907ba2274b7666dd144e66e1f39371a14ccafa030bad4c6e04f7b22f1e14f9a37ad6aaa3642f66068863a74ed4a07e87494f0ace772b682845fb27efd7f1a99f09b419f43d8443302534e4c59c0d3c59736e47375ff6e96c167247c5196a7c8849adb527e9ccbfae797ea311181978197f924dcf0db7367f84baa27db6e554ba6b764550d2834f ++Ctrl.hexxcghash = hexxcghash:7ced7b72644be681615e503ecafe0c8f7124c85b ++Ctrl.hexsession_id = hexsession_id:95d4ca5b0107d3d9f94ef857d7a64f685d3fecdc ++Ctrl.type = type:C ++Output = 0c85227539f5e328c64172280759d9bf ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010011afb59055b4e8e0840d76a2d28a3ec1cf3fe7e436b585eab29cc3149e1fa610d979fcc1483a0ea2b426f8e25bc87bae94bdcbeaa80501a3c554d996f1656ac9be75ecefa46273b3ab8a66468cb4a16b3630cbc41df49ebe3917b5afba24d669264e11689f1a401abc557a0c4cf22ad9323056642c2bf7fea0907ba2274b7666dd144e66e1f39371a14ccafa030bad4c6e04f7b22f1e14f9a37ad6aaa3642f66068863a74ed4a07e87494f0ace772b682845fb27efd7f1a99f09b419f43d8443302534e4c59c0d3c59736e47375ff6e96c167247c5196a7c8849adb527e9ccbfae797ea311181978197f924dcf0db7367f84baa27db6e554ba6b764550d2834f ++Ctrl.hexxcghash = hexxcghash:7ced7b72644be681615e503ecafe0c8f7124c85b ++Ctrl.hexsession_id = hexsession_id:95d4ca5b0107d3d9f94ef857d7a64f685d3fecdc ++Ctrl.type = type:D ++Output = 3dbc42d9e7128e861b87781546cedc8e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010011afb59055b4e8e0840d76a2d28a3ec1cf3fe7e436b585eab29cc3149e1fa610d979fcc1483a0ea2b426f8e25bc87bae94bdcbeaa80501a3c554d996f1656ac9be75ecefa46273b3ab8a66468cb4a16b3630cbc41df49ebe3917b5afba24d669264e11689f1a401abc557a0c4cf22ad9323056642c2bf7fea0907ba2274b7666dd144e66e1f39371a14ccafa030bad4c6e04f7b22f1e14f9a37ad6aaa3642f66068863a74ed4a07e87494f0ace772b682845fb27efd7f1a99f09b419f43d8443302534e4c59c0d3c59736e47375ff6e96c167247c5196a7c8849adb527e9ccbfae797ea311181978197f924dcf0db7367f84baa27db6e554ba6b764550d2834f ++Ctrl.hexxcghash = hexxcghash:7ced7b72644be681615e503ecafe0c8f7124c85b ++Ctrl.hexsession_id = hexsession_id:95d4ca5b0107d3d9f94ef857d7a64f685d3fecdc ++Ctrl.type = type:E ++Output = 1ec0d15e38ea1b48da963837dbf30cef855a92c7 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010011afb59055b4e8e0840d76a2d28a3ec1cf3fe7e436b585eab29cc3149e1fa610d979fcc1483a0ea2b426f8e25bc87bae94bdcbeaa80501a3c554d996f1656ac9be75ecefa46273b3ab8a66468cb4a16b3630cbc41df49ebe3917b5afba24d669264e11689f1a401abc557a0c4cf22ad9323056642c2bf7fea0907ba2274b7666dd144e66e1f39371a14ccafa030bad4c6e04f7b22f1e14f9a37ad6aaa3642f66068863a74ed4a07e87494f0ace772b682845fb27efd7f1a99f09b419f43d8443302534e4c59c0d3c59736e47375ff6e96c167247c5196a7c8849adb527e9ccbfae797ea311181978197f924dcf0db7367f84baa27db6e554ba6b764550d2834f ++Ctrl.hexxcghash = hexxcghash:7ced7b72644be681615e503ecafe0c8f7124c85b ++Ctrl.hexsession_id = hexsession_id:95d4ca5b0107d3d9f94ef857d7a64f685d3fecdc ++Ctrl.type = type:F ++Output = eea8ea042a079fcf8416a8b244fafab35adeca8a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001002f14b1acdf871bec4ea5720a3e921cf16a796559b2a094a0d1e45021dcabff152a0e3dca4115239454dc407a6474c8fcd395273a6487c6736710610aeb607707b7ef87203a081646af53ba037f29316a3dec4ce80ec04775b8697db46f7e4f4b38d69de832a25cf0a5484c9b36a48950d50dfe77ac5da63a1c2314ffa8cb68f0c201bbfb7a1a89837b9f57465d14635bda2abf601a06bbd8f70af0169c39209dcda9fb1416a9eadb5ea4deb358566190a62a44d6765d9a25b5157ed5e0f5317f0ed3f6eacebe07ba214e2ef9f654dbc2fa3dc2f227124a3f56a40905c9c86cd64b0ed80c4299d86f59d5f06b9c026a28feea5c5fafbe7ba90283de867dd55858 ++Ctrl.hexxcghash = hexxcghash:5fb6dff3272cb949856a57f2645a56d957dc4606 ++Ctrl.hexsession_id = hexsession_id:5160cab836d899193077dc67485ef41669ec5d8a ++Ctrl.type = type:A ++Output = f2faef6e274814ed7ca544484ac21a3a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001002f14b1acdf871bec4ea5720a3e921cf16a796559b2a094a0d1e45021dcabff152a0e3dca4115239454dc407a6474c8fcd395273a6487c6736710610aeb607707b7ef87203a081646af53ba037f29316a3dec4ce80ec04775b8697db46f7e4f4b38d69de832a25cf0a5484c9b36a48950d50dfe77ac5da63a1c2314ffa8cb68f0c201bbfb7a1a89837b9f57465d14635bda2abf601a06bbd8f70af0169c39209dcda9fb1416a9eadb5ea4deb358566190a62a44d6765d9a25b5157ed5e0f5317f0ed3f6eacebe07ba214e2ef9f654dbc2fa3dc2f227124a3f56a40905c9c86cd64b0ed80c4299d86f59d5f06b9c026a28feea5c5fafbe7ba90283de867dd55858 ++Ctrl.hexxcghash = hexxcghash:5fb6dff3272cb949856a57f2645a56d957dc4606 ++Ctrl.hexsession_id = hexsession_id:5160cab836d899193077dc67485ef41669ec5d8a ++Ctrl.type = type:B ++Output = 3ca9bc0f3c65c257fa160a4d1c5e3520 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001002f14b1acdf871bec4ea5720a3e921cf16a796559b2a094a0d1e45021dcabff152a0e3dca4115239454dc407a6474c8fcd395273a6487c6736710610aeb607707b7ef87203a081646af53ba037f29316a3dec4ce80ec04775b8697db46f7e4f4b38d69de832a25cf0a5484c9b36a48950d50dfe77ac5da63a1c2314ffa8cb68f0c201bbfb7a1a89837b9f57465d14635bda2abf601a06bbd8f70af0169c39209dcda9fb1416a9eadb5ea4deb358566190a62a44d6765d9a25b5157ed5e0f5317f0ed3f6eacebe07ba214e2ef9f654dbc2fa3dc2f227124a3f56a40905c9c86cd64b0ed80c4299d86f59d5f06b9c026a28feea5c5fafbe7ba90283de867dd55858 ++Ctrl.hexxcghash = hexxcghash:5fb6dff3272cb949856a57f2645a56d957dc4606 ++Ctrl.hexsession_id = hexsession_id:5160cab836d899193077dc67485ef41669ec5d8a ++Ctrl.type = type:C ++Output = fcdf0545b51aca6515bccf6ed0ecb582 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001002f14b1acdf871bec4ea5720a3e921cf16a796559b2a094a0d1e45021dcabff152a0e3dca4115239454dc407a6474c8fcd395273a6487c6736710610aeb607707b7ef87203a081646af53ba037f29316a3dec4ce80ec04775b8697db46f7e4f4b38d69de832a25cf0a5484c9b36a48950d50dfe77ac5da63a1c2314ffa8cb68f0c201bbfb7a1a89837b9f57465d14635bda2abf601a06bbd8f70af0169c39209dcda9fb1416a9eadb5ea4deb358566190a62a44d6765d9a25b5157ed5e0f5317f0ed3f6eacebe07ba214e2ef9f654dbc2fa3dc2f227124a3f56a40905c9c86cd64b0ed80c4299d86f59d5f06b9c026a28feea5c5fafbe7ba90283de867dd55858 ++Ctrl.hexxcghash = hexxcghash:5fb6dff3272cb949856a57f2645a56d957dc4606 ++Ctrl.hexsession_id = hexsession_id:5160cab836d899193077dc67485ef41669ec5d8a ++Ctrl.type = type:D ++Output = 86ea895a310c3bbd1aac209b2362d58a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001002f14b1acdf871bec4ea5720a3e921cf16a796559b2a094a0d1e45021dcabff152a0e3dca4115239454dc407a6474c8fcd395273a6487c6736710610aeb607707b7ef87203a081646af53ba037f29316a3dec4ce80ec04775b8697db46f7e4f4b38d69de832a25cf0a5484c9b36a48950d50dfe77ac5da63a1c2314ffa8cb68f0c201bbfb7a1a89837b9f57465d14635bda2abf601a06bbd8f70af0169c39209dcda9fb1416a9eadb5ea4deb358566190a62a44d6765d9a25b5157ed5e0f5317f0ed3f6eacebe07ba214e2ef9f654dbc2fa3dc2f227124a3f56a40905c9c86cd64b0ed80c4299d86f59d5f06b9c026a28feea5c5fafbe7ba90283de867dd55858 ++Ctrl.hexxcghash = hexxcghash:5fb6dff3272cb949856a57f2645a56d957dc4606 ++Ctrl.hexsession_id = hexsession_id:5160cab836d899193077dc67485ef41669ec5d8a ++Ctrl.type = type:E ++Output = 12a4f2b749e2bf88c1f8437e5ff61de761fd48b3 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001002f14b1acdf871bec4ea5720a3e921cf16a796559b2a094a0d1e45021dcabff152a0e3dca4115239454dc407a6474c8fcd395273a6487c6736710610aeb607707b7ef87203a081646af53ba037f29316a3dec4ce80ec04775b8697db46f7e4f4b38d69de832a25cf0a5484c9b36a48950d50dfe77ac5da63a1c2314ffa8cb68f0c201bbfb7a1a89837b9f57465d14635bda2abf601a06bbd8f70af0169c39209dcda9fb1416a9eadb5ea4deb358566190a62a44d6765d9a25b5157ed5e0f5317f0ed3f6eacebe07ba214e2ef9f654dbc2fa3dc2f227124a3f56a40905c9c86cd64b0ed80c4299d86f59d5f06b9c026a28feea5c5fafbe7ba90283de867dd55858 ++Ctrl.hexxcghash = hexxcghash:5fb6dff3272cb949856a57f2645a56d957dc4606 ++Ctrl.hexsession_id = hexsession_id:5160cab836d899193077dc67485ef41669ec5d8a ++Ctrl.type = type:F ++Output = a3a9276a120db379ec780e434879a54935db954d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010060cc18ebbeb9b25cb16a58bfa47644110ceab67f274daf67157e923b70f775a4168bb7911d0e53075044366e503fbffcf3fcf9249e551d69211715b681ba3a28dd133dbada24dcf80d2bf67a1d6c0477f108f8763b30fe28c6d0b54e59e7e580692453d05a30d38e134d6117ca999ace80a57d088228b2a9f001e57d3a8b1cdffe55fda194f01189ec2bb0d99fc8570a9d822a94dddb22f4ba3c88f2ee1045dafa2d106e5c2c09519e47ad9eaf2301569c9258a2deda9d3ea5b0c73f00d8d12579e5931d5253220d60eeb12fcefc98bc8f390e52b3b407280a31283628963c1131b6fd584be948c3fb4d316fa4a1b135513a174cafb0d394bb4afbee6cbe796e ++Ctrl.hexxcghash = hexxcghash:501c76e6b5791e343fb6e7597e890c7dea7f04e5 ++Ctrl.hexsession_id = hexsession_id:68e1f225f2e63df7bedbab15112b3670f03eed56 ++Ctrl.type = type:A ++Output = e53f2f61d8919e097cb99627fe668385 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010060cc18ebbeb9b25cb16a58bfa47644110ceab67f274daf67157e923b70f775a4168bb7911d0e53075044366e503fbffcf3fcf9249e551d69211715b681ba3a28dd133dbada24dcf80d2bf67a1d6c0477f108f8763b30fe28c6d0b54e59e7e580692453d05a30d38e134d6117ca999ace80a57d088228b2a9f001e57d3a8b1cdffe55fda194f01189ec2bb0d99fc8570a9d822a94dddb22f4ba3c88f2ee1045dafa2d106e5c2c09519e47ad9eaf2301569c9258a2deda9d3ea5b0c73f00d8d12579e5931d5253220d60eeb12fcefc98bc8f390e52b3b407280a31283628963c1131b6fd584be948c3fb4d316fa4a1b135513a174cafb0d394bb4afbee6cbe796e ++Ctrl.hexxcghash = hexxcghash:501c76e6b5791e343fb6e7597e890c7dea7f04e5 ++Ctrl.hexsession_id = hexsession_id:68e1f225f2e63df7bedbab15112b3670f03eed56 ++Ctrl.type = type:B ++Output = cea80fd8dc06654ed80b0ec150835537 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010060cc18ebbeb9b25cb16a58bfa47644110ceab67f274daf67157e923b70f775a4168bb7911d0e53075044366e503fbffcf3fcf9249e551d69211715b681ba3a28dd133dbada24dcf80d2bf67a1d6c0477f108f8763b30fe28c6d0b54e59e7e580692453d05a30d38e134d6117ca999ace80a57d088228b2a9f001e57d3a8b1cdffe55fda194f01189ec2bb0d99fc8570a9d822a94dddb22f4ba3c88f2ee1045dafa2d106e5c2c09519e47ad9eaf2301569c9258a2deda9d3ea5b0c73f00d8d12579e5931d5253220d60eeb12fcefc98bc8f390e52b3b407280a31283628963c1131b6fd584be948c3fb4d316fa4a1b135513a174cafb0d394bb4afbee6cbe796e ++Ctrl.hexxcghash = hexxcghash:501c76e6b5791e343fb6e7597e890c7dea7f04e5 ++Ctrl.hexsession_id = hexsession_id:68e1f225f2e63df7bedbab15112b3670f03eed56 ++Ctrl.type = type:C ++Output = d5ba475e737bed349b8931ba38d426e9 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010060cc18ebbeb9b25cb16a58bfa47644110ceab67f274daf67157e923b70f775a4168bb7911d0e53075044366e503fbffcf3fcf9249e551d69211715b681ba3a28dd133dbada24dcf80d2bf67a1d6c0477f108f8763b30fe28c6d0b54e59e7e580692453d05a30d38e134d6117ca999ace80a57d088228b2a9f001e57d3a8b1cdffe55fda194f01189ec2bb0d99fc8570a9d822a94dddb22f4ba3c88f2ee1045dafa2d106e5c2c09519e47ad9eaf2301569c9258a2deda9d3ea5b0c73f00d8d12579e5931d5253220d60eeb12fcefc98bc8f390e52b3b407280a31283628963c1131b6fd584be948c3fb4d316fa4a1b135513a174cafb0d394bb4afbee6cbe796e ++Ctrl.hexxcghash = hexxcghash:501c76e6b5791e343fb6e7597e890c7dea7f04e5 ++Ctrl.hexsession_id = hexsession_id:68e1f225f2e63df7bedbab15112b3670f03eed56 ++Ctrl.type = type:D ++Output = f3ea92b4f365ab2fb8403ad8ecd2d17c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010060cc18ebbeb9b25cb16a58bfa47644110ceab67f274daf67157e923b70f775a4168bb7911d0e53075044366e503fbffcf3fcf9249e551d69211715b681ba3a28dd133dbada24dcf80d2bf67a1d6c0477f108f8763b30fe28c6d0b54e59e7e580692453d05a30d38e134d6117ca999ace80a57d088228b2a9f001e57d3a8b1cdffe55fda194f01189ec2bb0d99fc8570a9d822a94dddb22f4ba3c88f2ee1045dafa2d106e5c2c09519e47ad9eaf2301569c9258a2deda9d3ea5b0c73f00d8d12579e5931d5253220d60eeb12fcefc98bc8f390e52b3b407280a31283628963c1131b6fd584be948c3fb4d316fa4a1b135513a174cafb0d394bb4afbee6cbe796e ++Ctrl.hexxcghash = hexxcghash:501c76e6b5791e343fb6e7597e890c7dea7f04e5 ++Ctrl.hexsession_id = hexsession_id:68e1f225f2e63df7bedbab15112b3670f03eed56 ++Ctrl.type = type:E ++Output = 41fa718884738fd6fd9ee9fd5af05f0de9400952 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010060cc18ebbeb9b25cb16a58bfa47644110ceab67f274daf67157e923b70f775a4168bb7911d0e53075044366e503fbffcf3fcf9249e551d69211715b681ba3a28dd133dbada24dcf80d2bf67a1d6c0477f108f8763b30fe28c6d0b54e59e7e580692453d05a30d38e134d6117ca999ace80a57d088228b2a9f001e57d3a8b1cdffe55fda194f01189ec2bb0d99fc8570a9d822a94dddb22f4ba3c88f2ee1045dafa2d106e5c2c09519e47ad9eaf2301569c9258a2deda9d3ea5b0c73f00d8d12579e5931d5253220d60eeb12fcefc98bc8f390e52b3b407280a31283628963c1131b6fd584be948c3fb4d316fa4a1b135513a174cafb0d394bb4afbee6cbe796e ++Ctrl.hexxcghash = hexxcghash:501c76e6b5791e343fb6e7597e890c7dea7f04e5 ++Ctrl.hexsession_id = hexsession_id:68e1f225f2e63df7bedbab15112b3670f03eed56 ++Ctrl.type = type:F ++Output = 91395bbd90abb140d0984ed5e77836590bf44695 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010072a106d13e5148877457b7a8c853cfabd151d1b1acde6d776b7affc23c653a3b1c893398c7d83e039fbea9dc739dc14f3a9348af154f840d2f88e3c1982758adeaeb78cff050046d26a9a13391099eea03e9fb853e95c117edaac5b36736e63cb5ad72b346cf1fb342169f5e538591988daec82e0e9a2f4a57db22df8af92424f63111d87991345fd4458abab42cdbfcb84abb222701575a50274a7c6cc38355740cc04bfaff33467c816a70242142fd5467b1713eeec1e0d0f2fcfaf66602dcc31c4105d928a7185ebf53a6e792f419f57573e6dc6d1221e6907f6ad958d2a0c8fe096ce43e403316ae92f93acd1cac7878c9011bc71eff81d4353d7b0c13b1 ++Ctrl.hexxcghash = hexxcghash:9acf1f808aeac5b11460192c8f191491b62fc66a ++Ctrl.hexsession_id = hexsession_id:4c662e4dc764cbcb1b3eed4de4375f85c8b2f56c ++Ctrl.type = type:A ++Output = 04d3c0a3f5e33ae373c637ef45897779 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010072a106d13e5148877457b7a8c853cfabd151d1b1acde6d776b7affc23c653a3b1c893398c7d83e039fbea9dc739dc14f3a9348af154f840d2f88e3c1982758adeaeb78cff050046d26a9a13391099eea03e9fb853e95c117edaac5b36736e63cb5ad72b346cf1fb342169f5e538591988daec82e0e9a2f4a57db22df8af92424f63111d87991345fd4458abab42cdbfcb84abb222701575a50274a7c6cc38355740cc04bfaff33467c816a70242142fd5467b1713eeec1e0d0f2fcfaf66602dcc31c4105d928a7185ebf53a6e792f419f57573e6dc6d1221e6907f6ad958d2a0c8fe096ce43e403316ae92f93acd1cac7878c9011bc71eff81d4353d7b0c13b1 ++Ctrl.hexxcghash = hexxcghash:9acf1f808aeac5b11460192c8f191491b62fc66a ++Ctrl.hexsession_id = hexsession_id:4c662e4dc764cbcb1b3eed4de4375f85c8b2f56c ++Ctrl.type = type:B ++Output = c5a45bfbf6d7c14c5d3a953b4848e433 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010072a106d13e5148877457b7a8c853cfabd151d1b1acde6d776b7affc23c653a3b1c893398c7d83e039fbea9dc739dc14f3a9348af154f840d2f88e3c1982758adeaeb78cff050046d26a9a13391099eea03e9fb853e95c117edaac5b36736e63cb5ad72b346cf1fb342169f5e538591988daec82e0e9a2f4a57db22df8af92424f63111d87991345fd4458abab42cdbfcb84abb222701575a50274a7c6cc38355740cc04bfaff33467c816a70242142fd5467b1713eeec1e0d0f2fcfaf66602dcc31c4105d928a7185ebf53a6e792f419f57573e6dc6d1221e6907f6ad958d2a0c8fe096ce43e403316ae92f93acd1cac7878c9011bc71eff81d4353d7b0c13b1 ++Ctrl.hexxcghash = hexxcghash:9acf1f808aeac5b11460192c8f191491b62fc66a ++Ctrl.hexsession_id = hexsession_id:4c662e4dc764cbcb1b3eed4de4375f85c8b2f56c ++Ctrl.type = type:C ++Output = 3a16d0da2f785e2c325b45109778910a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010072a106d13e5148877457b7a8c853cfabd151d1b1acde6d776b7affc23c653a3b1c893398c7d83e039fbea9dc739dc14f3a9348af154f840d2f88e3c1982758adeaeb78cff050046d26a9a13391099eea03e9fb853e95c117edaac5b36736e63cb5ad72b346cf1fb342169f5e538591988daec82e0e9a2f4a57db22df8af92424f63111d87991345fd4458abab42cdbfcb84abb222701575a50274a7c6cc38355740cc04bfaff33467c816a70242142fd5467b1713eeec1e0d0f2fcfaf66602dcc31c4105d928a7185ebf53a6e792f419f57573e6dc6d1221e6907f6ad958d2a0c8fe096ce43e403316ae92f93acd1cac7878c9011bc71eff81d4353d7b0c13b1 ++Ctrl.hexxcghash = hexxcghash:9acf1f808aeac5b11460192c8f191491b62fc66a ++Ctrl.hexsession_id = hexsession_id:4c662e4dc764cbcb1b3eed4de4375f85c8b2f56c ++Ctrl.type = type:D ++Output = 902b38dd6c759945e671c1de7d99e918 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010072a106d13e5148877457b7a8c853cfabd151d1b1acde6d776b7affc23c653a3b1c893398c7d83e039fbea9dc739dc14f3a9348af154f840d2f88e3c1982758adeaeb78cff050046d26a9a13391099eea03e9fb853e95c117edaac5b36736e63cb5ad72b346cf1fb342169f5e538591988daec82e0e9a2f4a57db22df8af92424f63111d87991345fd4458abab42cdbfcb84abb222701575a50274a7c6cc38355740cc04bfaff33467c816a70242142fd5467b1713eeec1e0d0f2fcfaf66602dcc31c4105d928a7185ebf53a6e792f419f57573e6dc6d1221e6907f6ad958d2a0c8fe096ce43e403316ae92f93acd1cac7878c9011bc71eff81d4353d7b0c13b1 ++Ctrl.hexxcghash = hexxcghash:9acf1f808aeac5b11460192c8f191491b62fc66a ++Ctrl.hexsession_id = hexsession_id:4c662e4dc764cbcb1b3eed4de4375f85c8b2f56c ++Ctrl.type = type:E ++Output = b573244de3127f6aa5457e792219dc89defaaecd ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000010072a106d13e5148877457b7a8c853cfabd151d1b1acde6d776b7affc23c653a3b1c893398c7d83e039fbea9dc739dc14f3a9348af154f840d2f88e3c1982758adeaeb78cff050046d26a9a13391099eea03e9fb853e95c117edaac5b36736e63cb5ad72b346cf1fb342169f5e538591988daec82e0e9a2f4a57db22df8af92424f63111d87991345fd4458abab42cdbfcb84abb222701575a50274a7c6cc38355740cc04bfaff33467c816a70242142fd5467b1713eeec1e0d0f2fcfaf66602dcc31c4105d928a7185ebf53a6e792f419f57573e6dc6d1221e6907f6ad958d2a0c8fe096ce43e403316ae92f93acd1cac7878c9011bc71eff81d4353d7b0c13b1 ++Ctrl.hexxcghash = hexxcghash:9acf1f808aeac5b11460192c8f191491b62fc66a ++Ctrl.hexsession_id = hexsession_id:4c662e4dc764cbcb1b3eed4de4375f85c8b2f56c ++Ctrl.type = type:F ++Output = 6cd221005dd1f0de4f472f48d15e61dcc2e91e99 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001003644f9ee24c3ec2e2fe16cdece326cdf5c1309e931bc41f245d3b76f2bdbef0bae58e850e10dcbd0d18356b4f98957a3b95f64c85d1af12ab01fe967e52a632761074f27406a29618192f1cbebae2c25e42f6e9fc00a737e4c92398403ab946a6c33e675e529b5c7364f36d64f07ff65889866dee99293bd5bb5f6454a77bbe0cbfd746d54e5bc948c617c5a1d5d3d2b65fa6a86c5f42c5e01f92a8e97a96f848e50ecb1b495a0e87323b44f5b9dd25ab34a94c077b7490657d1d8f9a9acef2785de82b02ef9fb670faf841ae9b479d2d538ae8e38eaf6e74b884c18c9dafc19b6c9728ff3411537555b3b3b69f6f039958ffb0790e58b09bd8c63819ee50ea5 ++Ctrl.hexxcghash = hexxcghash:4d31fdb68c8f42f38cae260bf6402e47de93aac7 ++Ctrl.hexsession_id = hexsession_id:47caa2c09bb4dc9d6aeb697a76046bdf1fcd879b ++Ctrl.type = type:A ++Output = 5f9deaf2ee4f05af0a8a813ef6bb9549 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001003644f9ee24c3ec2e2fe16cdece326cdf5c1309e931bc41f245d3b76f2bdbef0bae58e850e10dcbd0d18356b4f98957a3b95f64c85d1af12ab01fe967e52a632761074f27406a29618192f1cbebae2c25e42f6e9fc00a737e4c92398403ab946a6c33e675e529b5c7364f36d64f07ff65889866dee99293bd5bb5f6454a77bbe0cbfd746d54e5bc948c617c5a1d5d3d2b65fa6a86c5f42c5e01f92a8e97a96f848e50ecb1b495a0e87323b44f5b9dd25ab34a94c077b7490657d1d8f9a9acef2785de82b02ef9fb670faf841ae9b479d2d538ae8e38eaf6e74b884c18c9dafc19b6c9728ff3411537555b3b3b69f6f039958ffb0790e58b09bd8c63819ee50ea5 ++Ctrl.hexxcghash = hexxcghash:4d31fdb68c8f42f38cae260bf6402e47de93aac7 ++Ctrl.hexsession_id = hexsession_id:47caa2c09bb4dc9d6aeb697a76046bdf1fcd879b ++Ctrl.type = type:B ++Output = a2ea4b795f9c9de1d786d0c771df2b84 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001003644f9ee24c3ec2e2fe16cdece326cdf5c1309e931bc41f245d3b76f2bdbef0bae58e850e10dcbd0d18356b4f98957a3b95f64c85d1af12ab01fe967e52a632761074f27406a29618192f1cbebae2c25e42f6e9fc00a737e4c92398403ab946a6c33e675e529b5c7364f36d64f07ff65889866dee99293bd5bb5f6454a77bbe0cbfd746d54e5bc948c617c5a1d5d3d2b65fa6a86c5f42c5e01f92a8e97a96f848e50ecb1b495a0e87323b44f5b9dd25ab34a94c077b7490657d1d8f9a9acef2785de82b02ef9fb670faf841ae9b479d2d538ae8e38eaf6e74b884c18c9dafc19b6c9728ff3411537555b3b3b69f6f039958ffb0790e58b09bd8c63819ee50ea5 ++Ctrl.hexxcghash = hexxcghash:4d31fdb68c8f42f38cae260bf6402e47de93aac7 ++Ctrl.hexsession_id = hexsession_id:47caa2c09bb4dc9d6aeb697a76046bdf1fcd879b ++Ctrl.type = type:C ++Output = 13f828f8f1e5532a04f138681bc8259d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001003644f9ee24c3ec2e2fe16cdece326cdf5c1309e931bc41f245d3b76f2bdbef0bae58e850e10dcbd0d18356b4f98957a3b95f64c85d1af12ab01fe967e52a632761074f27406a29618192f1cbebae2c25e42f6e9fc00a737e4c92398403ab946a6c33e675e529b5c7364f36d64f07ff65889866dee99293bd5bb5f6454a77bbe0cbfd746d54e5bc948c617c5a1d5d3d2b65fa6a86c5f42c5e01f92a8e97a96f848e50ecb1b495a0e87323b44f5b9dd25ab34a94c077b7490657d1d8f9a9acef2785de82b02ef9fb670faf841ae9b479d2d538ae8e38eaf6e74b884c18c9dafc19b6c9728ff3411537555b3b3b69f6f039958ffb0790e58b09bd8c63819ee50ea5 ++Ctrl.hexxcghash = hexxcghash:4d31fdb68c8f42f38cae260bf6402e47de93aac7 ++Ctrl.hexsession_id = hexsession_id:47caa2c09bb4dc9d6aeb697a76046bdf1fcd879b ++Ctrl.type = type:D ++Output = 7231ce5fd725391e058cd78815f44625 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001003644f9ee24c3ec2e2fe16cdece326cdf5c1309e931bc41f245d3b76f2bdbef0bae58e850e10dcbd0d18356b4f98957a3b95f64c85d1af12ab01fe967e52a632761074f27406a29618192f1cbebae2c25e42f6e9fc00a737e4c92398403ab946a6c33e675e529b5c7364f36d64f07ff65889866dee99293bd5bb5f6454a77bbe0cbfd746d54e5bc948c617c5a1d5d3d2b65fa6a86c5f42c5e01f92a8e97a96f848e50ecb1b495a0e87323b44f5b9dd25ab34a94c077b7490657d1d8f9a9acef2785de82b02ef9fb670faf841ae9b479d2d538ae8e38eaf6e74b884c18c9dafc19b6c9728ff3411537555b3b3b69f6f039958ffb0790e58b09bd8c63819ee50ea5 ++Ctrl.hexxcghash = hexxcghash:4d31fdb68c8f42f38cae260bf6402e47de93aac7 ++Ctrl.hexsession_id = hexsession_id:47caa2c09bb4dc9d6aeb697a76046bdf1fcd879b ++Ctrl.type = type:E ++Output = 937b7e16ed0b2324203cdae904fc55cbe25067a1 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:000001003644f9ee24c3ec2e2fe16cdece326cdf5c1309e931bc41f245d3b76f2bdbef0bae58e850e10dcbd0d18356b4f98957a3b95f64c85d1af12ab01fe967e52a632761074f27406a29618192f1cbebae2c25e42f6e9fc00a737e4c92398403ab946a6c33e675e529b5c7364f36d64f07ff65889866dee99293bd5bb5f6454a77bbe0cbfd746d54e5bc948c617c5a1d5d3d2b65fa6a86c5f42c5e01f92a8e97a96f848e50ecb1b495a0e87323b44f5b9dd25ab34a94c077b7490657d1d8f9a9acef2785de82b02ef9fb670faf841ae9b479d2d538ae8e38eaf6e74b884c18c9dafc19b6c9728ff3411537555b3b3b69f6f039958ffb0790e58b09bd8c63819ee50ea5 ++Ctrl.hexxcghash = hexxcghash:4d31fdb68c8f42f38cae260bf6402e47de93aac7 ++Ctrl.hexsession_id = hexsession_id:47caa2c09bb4dc9d6aeb697a76046bdf1fcd879b ++Ctrl.type = type:F ++Output = d7536b911dc79d5953455ba6e15cb5fec7c14025 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:00000081008de60df019c23966d215d9b8490ac493dfae59b99dbefdad81d2c9e761205c93a696dbd9e538cc57cd3e24c2798d2c56561d6803e8ee24e112babef84ad5a2c571c572339f2b38f1345164314f8f4714047f0c66650f10051044f8dcd256bfe8171302a81ce13f47f7375db80a6bbf8ce7d8f96e03fc6275fd5dacfbdd166792 ++Ctrl.hexxcghash = hexxcghash:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca ++Ctrl.hexsession_id = hexsession_id:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca ++Ctrl.type = type:A ++Output = 9fff6c6a6d1f5c31 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:00000081008de60df019c23966d215d9b8490ac493dfae59b99dbefdad81d2c9e761205c93a696dbd9e538cc57cd3e24c2798d2c56561d6803e8ee24e112babef84ad5a2c571c572339f2b38f1345164314f8f4714047f0c66650f10051044f8dcd256bfe8171302a81ce13f47f7375db80a6bbf8ce7d8f96e03fc6275fd5dacfbdd166792 ++Ctrl.hexxcghash = hexxcghash:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca ++Ctrl.hexsession_id = hexsession_id:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca ++Ctrl.type = type:B ++Output = 8e0ae78c64d2fe2a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:00000081008de60df019c23966d215d9b8490ac493dfae59b99dbefdad81d2c9e761205c93a696dbd9e538cc57cd3e24c2798d2c56561d6803e8ee24e112babef84ad5a2c571c572339f2b38f1345164314f8f4714047f0c66650f10051044f8dcd256bfe8171302a81ce13f47f7375db80a6bbf8ce7d8f96e03fc6275fd5dacfbdd166792 ++Ctrl.hexxcghash = hexxcghash:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca ++Ctrl.hexsession_id = hexsession_id:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca ++Ctrl.type = type:C ++Output = 9044f963ffb56b94556a38aac5398a7072ffba60258500be ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:00000081008de60df019c23966d215d9b8490ac493dfae59b99dbefdad81d2c9e761205c93a696dbd9e538cc57cd3e24c2798d2c56561d6803e8ee24e112babef84ad5a2c571c572339f2b38f1345164314f8f4714047f0c66650f10051044f8dcd256bfe8171302a81ce13f47f7375db80a6bbf8ce7d8f96e03fc6275fd5dacfbdd166792 ++Ctrl.hexxcghash = hexxcghash:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca ++Ctrl.hexsession_id = hexsession_id:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca ++Ctrl.type = type:D ++Output = a861a317ea42b050901aff367b5a1d0abd5c497c77311ba2 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:00000081008de60df019c23966d215d9b8490ac493dfae59b99dbefdad81d2c9e761205c93a696dbd9e538cc57cd3e24c2798d2c56561d6803e8ee24e112babef84ad5a2c571c572339f2b38f1345164314f8f4714047f0c66650f10051044f8dcd256bfe8171302a81ce13f47f7375db80a6bbf8ce7d8f96e03fc6275fd5dacfbdd166792 ++Ctrl.hexxcghash = hexxcghash:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca ++Ctrl.hexsession_id = hexsession_id:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca ++Ctrl.type = type:E ++Output = 43225d64b6da6f070925ad1c8b7ac88893f9a7cba0dfc55ddea42eec ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:00000081008de60df019c23966d215d9b8490ac493dfae59b99dbefdad81d2c9e761205c93a696dbd9e538cc57cd3e24c2798d2c56561d6803e8ee24e112babef84ad5a2c571c572339f2b38f1345164314f8f4714047f0c66650f10051044f8dcd256bfe8171302a81ce13f47f7375db80a6bbf8ce7d8f96e03fc6275fd5dacfbdd166792 ++Ctrl.hexxcghash = hexxcghash:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca ++Ctrl.hexsession_id = hexsession_id:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca ++Ctrl.type = type:F ++Output = eb31db29bbafca2773f815fa478d927943288588e371ae9ba0414d98 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100a03d807fef48a50d8a04d9b6721979c5904412c3bcfe69ebd4c2554debe82a695a66fb9d844c6ef3aa4b745c2a4c8dbc4ba26742e0d1159ded83edca0bec61c7303e81f9d7f3169b7c97573b9184ec3c5286d9646e96595f064d61013431628f5c57bcb1bf79bcd1b0177ab4520c1a1a9b34b5067d9f465c9b03154d57f1b42f ++Ctrl.hexxcghash = hexxcghash:03af4bd15a37aa7816d826332dcd9daa1537770fd0bcafbafe30033d ++Ctrl.hexsession_id = hexsession_id:36084ca3dc535b37d533d034d891fabc20e3b0270bb8c008066bfac8 ++Ctrl.type = type:A ++Output = bf2d6e03ba930c71 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100a03d807fef48a50d8a04d9b6721979c5904412c3bcfe69ebd4c2554debe82a695a66fb9d844c6ef3aa4b745c2a4c8dbc4ba26742e0d1159ded83edca0bec61c7303e81f9d7f3169b7c97573b9184ec3c5286d9646e96595f064d61013431628f5c57bcb1bf79bcd1b0177ab4520c1a1a9b34b5067d9f465c9b03154d57f1b42f ++Ctrl.hexxcghash = hexxcghash:03af4bd15a37aa7816d826332dcd9daa1537770fd0bcafbafe30033d ++Ctrl.hexsession_id = hexsession_id:36084ca3dc535b37d533d034d891fabc20e3b0270bb8c008066bfac8 ++Ctrl.type = type:B ++Output = ff14fadc19a0bd8a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100a03d807fef48a50d8a04d9b6721979c5904412c3bcfe69ebd4c2554debe82a695a66fb9d844c6ef3aa4b745c2a4c8dbc4ba26742e0d1159ded83edca0bec61c7303e81f9d7f3169b7c97573b9184ec3c5286d9646e96595f064d61013431628f5c57bcb1bf79bcd1b0177ab4520c1a1a9b34b5067d9f465c9b03154d57f1b42f ++Ctrl.hexxcghash = hexxcghash:03af4bd15a37aa7816d826332dcd9daa1537770fd0bcafbafe30033d ++Ctrl.hexsession_id = hexsession_id:36084ca3dc535b37d533d034d891fabc20e3b0270bb8c008066bfac8 ++Ctrl.type = type:C ++Output = 34a70734eaebeb8608cbb91098fa13326f37ccc5d408584d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100a03d807fef48a50d8a04d9b6721979c5904412c3bcfe69ebd4c2554debe82a695a66fb9d844c6ef3aa4b745c2a4c8dbc4ba26742e0d1159ded83edca0bec61c7303e81f9d7f3169b7c97573b9184ec3c5286d9646e96595f064d61013431628f5c57bcb1bf79bcd1b0177ab4520c1a1a9b34b5067d9f465c9b03154d57f1b42f ++Ctrl.hexxcghash = hexxcghash:03af4bd15a37aa7816d826332dcd9daa1537770fd0bcafbafe30033d ++Ctrl.hexsession_id = hexsession_id:36084ca3dc535b37d533d034d891fabc20e3b0270bb8c008066bfac8 ++Ctrl.type = type:D ++Output = f993da8f2e840b836c8980fa2d780a1b4eeef77046988eed ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100a03d807fef48a50d8a04d9b6721979c5904412c3bcfe69ebd4c2554debe82a695a66fb9d844c6ef3aa4b745c2a4c8dbc4ba26742e0d1159ded83edca0bec61c7303e81f9d7f3169b7c97573b9184ec3c5286d9646e96595f064d61013431628f5c57bcb1bf79bcd1b0177ab4520c1a1a9b34b5067d9f465c9b03154d57f1b42f ++Ctrl.hexxcghash = hexxcghash:03af4bd15a37aa7816d826332dcd9daa1537770fd0bcafbafe30033d ++Ctrl.hexsession_id = hexsession_id:36084ca3dc535b37d533d034d891fabc20e3b0270bb8c008066bfac8 ++Ctrl.type = type:E ++Output = a274441c86dd146cfab25d87344bd5a880d374d300aa8e1fe4919378 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100a03d807fef48a50d8a04d9b6721979c5904412c3bcfe69ebd4c2554debe82a695a66fb9d844c6ef3aa4b745c2a4c8dbc4ba26742e0d1159ded83edca0bec61c7303e81f9d7f3169b7c97573b9184ec3c5286d9646e96595f064d61013431628f5c57bcb1bf79bcd1b0177ab4520c1a1a9b34b5067d9f465c9b03154d57f1b42f ++Ctrl.hexxcghash = hexxcghash:03af4bd15a37aa7816d826332dcd9daa1537770fd0bcafbafe30033d ++Ctrl.hexsession_id = hexsession_id:36084ca3dc535b37d533d034d891fabc20e3b0270bb8c008066bfac8 ++Ctrl.type = type:F ++Output = 7774dc48324cca24901bedc37224cb291d6202fb6b5e1d9315a9bd10 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100d09e300c8b93b8c759f96910b319b8fd9c9c8c1b704b65649f525b6c16732ee37f499ac729bdce9ea493811954849e8eeb449cb2f4485fe78b0f538038178ad3e1b95ef13fcf0134f1199ad742b31d5f222ed7927283a008c970143af46965acde32139c2448db5cc11fd55e534779f1b5d7757b27e3a3881a3596b0b002ff7e ++Ctrl.hexxcghash = hexxcghash:be8559339a1b231a59a8feae904c00decaf970ff8e83018662c65fa8 ++Ctrl.hexsession_id = hexsession_id:a8378fd158677fac292c5cce8a9efdbd5c5c98ee6f056a5e6e771b6b ++Ctrl.type = type:A ++Output = 75bc82b271311f53 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100d09e300c8b93b8c759f96910b319b8fd9c9c8c1b704b65649f525b6c16732ee37f499ac729bdce9ea493811954849e8eeb449cb2f4485fe78b0f538038178ad3e1b95ef13fcf0134f1199ad742b31d5f222ed7927283a008c970143af46965acde32139c2448db5cc11fd55e534779f1b5d7757b27e3a3881a3596b0b002ff7e ++Ctrl.hexxcghash = hexxcghash:be8559339a1b231a59a8feae904c00decaf970ff8e83018662c65fa8 ++Ctrl.hexsession_id = hexsession_id:a8378fd158677fac292c5cce8a9efdbd5c5c98ee6f056a5e6e771b6b ++Ctrl.type = type:B ++Output = 602d69e77b8c30b3 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100d09e300c8b93b8c759f96910b319b8fd9c9c8c1b704b65649f525b6c16732ee37f499ac729bdce9ea493811954849e8eeb449cb2f4485fe78b0f538038178ad3e1b95ef13fcf0134f1199ad742b31d5f222ed7927283a008c970143af46965acde32139c2448db5cc11fd55e534779f1b5d7757b27e3a3881a3596b0b002ff7e ++Ctrl.hexxcghash = hexxcghash:be8559339a1b231a59a8feae904c00decaf970ff8e83018662c65fa8 ++Ctrl.hexsession_id = hexsession_id:a8378fd158677fac292c5cce8a9efdbd5c5c98ee6f056a5e6e771b6b ++Ctrl.type = type:C ++Output = e0c8856a26b2f4804e98809d5b81cdb360b43884a33d4fef ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100d09e300c8b93b8c759f96910b319b8fd9c9c8c1b704b65649f525b6c16732ee37f499ac729bdce9ea493811954849e8eeb449cb2f4485fe78b0f538038178ad3e1b95ef13fcf0134f1199ad742b31d5f222ed7927283a008c970143af46965acde32139c2448db5cc11fd55e534779f1b5d7757b27e3a3881a3596b0b002ff7e ++Ctrl.hexxcghash = hexxcghash:be8559339a1b231a59a8feae904c00decaf970ff8e83018662c65fa8 ++Ctrl.hexsession_id = hexsession_id:a8378fd158677fac292c5cce8a9efdbd5c5c98ee6f056a5e6e771b6b ++Ctrl.type = type:D ++Output = e661555415bcab0b1f2d4b4387cda213cdd93f8458a2ace4 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100d09e300c8b93b8c759f96910b319b8fd9c9c8c1b704b65649f525b6c16732ee37f499ac729bdce9ea493811954849e8eeb449cb2f4485fe78b0f538038178ad3e1b95ef13fcf0134f1199ad742b31d5f222ed7927283a008c970143af46965acde32139c2448db5cc11fd55e534779f1b5d7757b27e3a3881a3596b0b002ff7e ++Ctrl.hexxcghash = hexxcghash:be8559339a1b231a59a8feae904c00decaf970ff8e83018662c65fa8 ++Ctrl.hexsession_id = hexsession_id:a8378fd158677fac292c5cce8a9efdbd5c5c98ee6f056a5e6e771b6b ++Ctrl.type = type:E ++Output = a368f66127573c79e2d936032f75c3d11c0131455eb9b6c5384582de ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100d09e300c8b93b8c759f96910b319b8fd9c9c8c1b704b65649f525b6c16732ee37f499ac729bdce9ea493811954849e8eeb449cb2f4485fe78b0f538038178ad3e1b95ef13fcf0134f1199ad742b31d5f222ed7927283a008c970143af46965acde32139c2448db5cc11fd55e534779f1b5d7757b27e3a3881a3596b0b002ff7e ++Ctrl.hexxcghash = hexxcghash:be8559339a1b231a59a8feae904c00decaf970ff8e83018662c65fa8 ++Ctrl.hexsession_id = hexsession_id:a8378fd158677fac292c5cce8a9efdbd5c5c98ee6f056a5e6e771b6b ++Ctrl.type = type:F ++Output = 779f09f514bdf7ed4a01788f10146367ce2ddf2aacebb961524c002a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008057352c4a26aa011e9b9e101736ab6b1369c73f553848d159b01bf2c7671074cdcdc73b8c697649dc7465197c2f17560d0045246410063f20d8d29518e7b25d871886346acccd9ec1b2d74b19b4aff16953714266d1440247859958f010f3fe616859c07315169c5bb5547c6dfdaf4a219daa3a78f546958f56e14fdf64c3b26e ++Ctrl.hexxcghash = hexxcghash:dca302cd4ee29d88b3f909f73e19d920099b8c18062e875cb762257b ++Ctrl.hexsession_id = hexsession_id:2f6368dd5f1a6a8db98f74331850c110aa0e58f06a10ca8178171d95 ++Ctrl.type = type:A ++Output = 386bc0b99215c8fa ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008057352c4a26aa011e9b9e101736ab6b1369c73f553848d159b01bf2c7671074cdcdc73b8c697649dc7465197c2f17560d0045246410063f20d8d29518e7b25d871886346acccd9ec1b2d74b19b4aff16953714266d1440247859958f010f3fe616859c07315169c5bb5547c6dfdaf4a219daa3a78f546958f56e14fdf64c3b26e ++Ctrl.hexxcghash = hexxcghash:dca302cd4ee29d88b3f909f73e19d920099b8c18062e875cb762257b ++Ctrl.hexsession_id = hexsession_id:2f6368dd5f1a6a8db98f74331850c110aa0e58f06a10ca8178171d95 ++Ctrl.type = type:B ++Output = c793dba9a68f70a4 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008057352c4a26aa011e9b9e101736ab6b1369c73f553848d159b01bf2c7671074cdcdc73b8c697649dc7465197c2f17560d0045246410063f20d8d29518e7b25d871886346acccd9ec1b2d74b19b4aff16953714266d1440247859958f010f3fe616859c07315169c5bb5547c6dfdaf4a219daa3a78f546958f56e14fdf64c3b26e ++Ctrl.hexxcghash = hexxcghash:dca302cd4ee29d88b3f909f73e19d920099b8c18062e875cb762257b ++Ctrl.hexsession_id = hexsession_id:2f6368dd5f1a6a8db98f74331850c110aa0e58f06a10ca8178171d95 ++Ctrl.type = type:C ++Output = 3dcaea7c946c2de76811482556299aa9bf96c8eef11fb2d6 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008057352c4a26aa011e9b9e101736ab6b1369c73f553848d159b01bf2c7671074cdcdc73b8c697649dc7465197c2f17560d0045246410063f20d8d29518e7b25d871886346acccd9ec1b2d74b19b4aff16953714266d1440247859958f010f3fe616859c07315169c5bb5547c6dfdaf4a219daa3a78f546958f56e14fdf64c3b26e ++Ctrl.hexxcghash = hexxcghash:dca302cd4ee29d88b3f909f73e19d920099b8c18062e875cb762257b ++Ctrl.hexsession_id = hexsession_id:2f6368dd5f1a6a8db98f74331850c110aa0e58f06a10ca8178171d95 ++Ctrl.type = type:D ++Output = fd078ef65922006809729f9533c8742e9f973f7ff37ba987 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008057352c4a26aa011e9b9e101736ab6b1369c73f553848d159b01bf2c7671074cdcdc73b8c697649dc7465197c2f17560d0045246410063f20d8d29518e7b25d871886346acccd9ec1b2d74b19b4aff16953714266d1440247859958f010f3fe616859c07315169c5bb5547c6dfdaf4a219daa3a78f546958f56e14fdf64c3b26e ++Ctrl.hexxcghash = hexxcghash:dca302cd4ee29d88b3f909f73e19d920099b8c18062e875cb762257b ++Ctrl.hexsession_id = hexsession_id:2f6368dd5f1a6a8db98f74331850c110aa0e58f06a10ca8178171d95 ++Ctrl.type = type:E ++Output = 83a1924fa5f7ceffeba7f519ac51a86a2746a93eb194db51a4596ca1 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008057352c4a26aa011e9b9e101736ab6b1369c73f553848d159b01bf2c7671074cdcdc73b8c697649dc7465197c2f17560d0045246410063f20d8d29518e7b25d871886346acccd9ec1b2d74b19b4aff16953714266d1440247859958f010f3fe616859c07315169c5bb5547c6dfdaf4a219daa3a78f546958f56e14fdf64c3b26e ++Ctrl.hexxcghash = hexxcghash:dca302cd4ee29d88b3f909f73e19d920099b8c18062e875cb762257b ++Ctrl.hexsession_id = hexsession_id:2f6368dd5f1a6a8db98f74331850c110aa0e58f06a10ca8178171d95 ++Ctrl.type = type:F ++Output = e16507d1bbd53b41f9bb2f0f21b5112eb6cd1eb0489fb5e754212390 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:00000081008d372970f67a75a1748e6967c67a1f5665a3d6f71d6d24ab113bedb42ad544de34e67df7f644f78e5dcfd12e25b7cb8655aa9f07fef59058e42450aee5d4a733887535313e06c7e6426598284fdaa33ff88e1b6174c33199f2630ec42c8d7d9b92ea3d83a1bf8514b153fd9cf9c520636a0de9c6ba8b9318465ddcaa293367e5 ++Ctrl.hexxcghash = hexxcghash:683a0b23e8bf98e03178a032a65e743e429c805b8de04407f73ab21b ++Ctrl.hexsession_id = hexsession_id:0e9de6ef124b670db44ade438920db01b5e6fb69a482816a303fcef7 ++Ctrl.type = type:A ++Output = 0e764ebe0d523aae ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:00000081008d372970f67a75a1748e6967c67a1f5665a3d6f71d6d24ab113bedb42ad544de34e67df7f644f78e5dcfd12e25b7cb8655aa9f07fef59058e42450aee5d4a733887535313e06c7e6426598284fdaa33ff88e1b6174c33199f2630ec42c8d7d9b92ea3d83a1bf8514b153fd9cf9c520636a0de9c6ba8b9318465ddcaa293367e5 ++Ctrl.hexxcghash = hexxcghash:683a0b23e8bf98e03178a032a65e743e429c805b8de04407f73ab21b ++Ctrl.hexsession_id = hexsession_id:0e9de6ef124b670db44ade438920db01b5e6fb69a482816a303fcef7 ++Ctrl.type = type:B ++Output = 24bd2eff86c2a8dc ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:00000081008d372970f67a75a1748e6967c67a1f5665a3d6f71d6d24ab113bedb42ad544de34e67df7f644f78e5dcfd12e25b7cb8655aa9f07fef59058e42450aee5d4a733887535313e06c7e6426598284fdaa33ff88e1b6174c33199f2630ec42c8d7d9b92ea3d83a1bf8514b153fd9cf9c520636a0de9c6ba8b9318465ddcaa293367e5 ++Ctrl.hexxcghash = hexxcghash:683a0b23e8bf98e03178a032a65e743e429c805b8de04407f73ab21b ++Ctrl.hexsession_id = hexsession_id:0e9de6ef124b670db44ade438920db01b5e6fb69a482816a303fcef7 ++Ctrl.type = type:C ++Output = 26c01e3d56c1b928f65aaa1b6a15f5b8d41de187b4bb5fdc ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:00000081008d372970f67a75a1748e6967c67a1f5665a3d6f71d6d24ab113bedb42ad544de34e67df7f644f78e5dcfd12e25b7cb8655aa9f07fef59058e42450aee5d4a733887535313e06c7e6426598284fdaa33ff88e1b6174c33199f2630ec42c8d7d9b92ea3d83a1bf8514b153fd9cf9c520636a0de9c6ba8b9318465ddcaa293367e5 ++Ctrl.hexxcghash = hexxcghash:683a0b23e8bf98e03178a032a65e743e429c805b8de04407f73ab21b ++Ctrl.hexsession_id = hexsession_id:0e9de6ef124b670db44ade438920db01b5e6fb69a482816a303fcef7 ++Ctrl.type = type:D ++Output = e0cc3bdb6d69d10893eeb73b892d746acea151f24247fd9c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:00000081008d372970f67a75a1748e6967c67a1f5665a3d6f71d6d24ab113bedb42ad544de34e67df7f644f78e5dcfd12e25b7cb8655aa9f07fef59058e42450aee5d4a733887535313e06c7e6426598284fdaa33ff88e1b6174c33199f2630ec42c8d7d9b92ea3d83a1bf8514b153fd9cf9c520636a0de9c6ba8b9318465ddcaa293367e5 ++Ctrl.hexxcghash = hexxcghash:683a0b23e8bf98e03178a032a65e743e429c805b8de04407f73ab21b ++Ctrl.hexsession_id = hexsession_id:0e9de6ef124b670db44ade438920db01b5e6fb69a482816a303fcef7 ++Ctrl.type = type:E ++Output = bf442ba6ec794f20584528686cedbaa568c13b895f642fe5cb3542bb ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:00000081008d372970f67a75a1748e6967c67a1f5665a3d6f71d6d24ab113bedb42ad544de34e67df7f644f78e5dcfd12e25b7cb8655aa9f07fef59058e42450aee5d4a733887535313e06c7e6426598284fdaa33ff88e1b6174c33199f2630ec42c8d7d9b92ea3d83a1bf8514b153fd9cf9c520636a0de9c6ba8b9318465ddcaa293367e5 ++Ctrl.hexxcghash = hexxcghash:683a0b23e8bf98e03178a032a65e743e429c805b8de04407f73ab21b ++Ctrl.hexsession_id = hexsession_id:0e9de6ef124b670db44ade438920db01b5e6fb69a482816a303fcef7 ++Ctrl.type = type:F ++Output = 65ab453e5ffd1b5e1540aa547766d7c177204c319642f93059bdf257 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008004a70cf5e546c0920433bf16dcda3076d9195b5c35ad6b83b6a51e880f22fddaae0d358e35037bbe1e66f2422c29ff30a39822e067930b9faf59f844441dee6f233635a00c7cb71596f8589194016132ebbe204d98fc7f9bb0b7f4e6b6a68f488a59138d9859729d938de6ace9d08be86301bbd4e80d4650391ef3599a6f0bc0 ++Ctrl.hexxcghash = hexxcghash:a05a5c2d8beb394b7befaecfe3f4227cd81a28d90ac64ec78ce170b6 ++Ctrl.hexsession_id = hexsession_id:1380b38f6b6997a47ce234b7d3d6afb5960e721a348a725704c19cff ++Ctrl.type = type:A ++Output = 45799bbb09fd8804 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008004a70cf5e546c0920433bf16dcda3076d9195b5c35ad6b83b6a51e880f22fddaae0d358e35037bbe1e66f2422c29ff30a39822e067930b9faf59f844441dee6f233635a00c7cb71596f8589194016132ebbe204d98fc7f9bb0b7f4e6b6a68f488a59138d9859729d938de6ace9d08be86301bbd4e80d4650391ef3599a6f0bc0 ++Ctrl.hexxcghash = hexxcghash:a05a5c2d8beb394b7befaecfe3f4227cd81a28d90ac64ec78ce170b6 ++Ctrl.hexsession_id = hexsession_id:1380b38f6b6997a47ce234b7d3d6afb5960e721a348a725704c19cff ++Ctrl.type = type:B ++Output = b787b009f3313be0 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008004a70cf5e546c0920433bf16dcda3076d9195b5c35ad6b83b6a51e880f22fddaae0d358e35037bbe1e66f2422c29ff30a39822e067930b9faf59f844441dee6f233635a00c7cb71596f8589194016132ebbe204d98fc7f9bb0b7f4e6b6a68f488a59138d9859729d938de6ace9d08be86301bbd4e80d4650391ef3599a6f0bc0 ++Ctrl.hexxcghash = hexxcghash:a05a5c2d8beb394b7befaecfe3f4227cd81a28d90ac64ec78ce170b6 ++Ctrl.hexsession_id = hexsession_id:1380b38f6b6997a47ce234b7d3d6afb5960e721a348a725704c19cff ++Ctrl.type = type:C ++Output = c4cbb547c997e8fddb9e56ef5df91327766668a43a958a8e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008004a70cf5e546c0920433bf16dcda3076d9195b5c35ad6b83b6a51e880f22fddaae0d358e35037bbe1e66f2422c29ff30a39822e067930b9faf59f844441dee6f233635a00c7cb71596f8589194016132ebbe204d98fc7f9bb0b7f4e6b6a68f488a59138d9859729d938de6ace9d08be86301bbd4e80d4650391ef3599a6f0bc0 ++Ctrl.hexxcghash = hexxcghash:a05a5c2d8beb394b7befaecfe3f4227cd81a28d90ac64ec78ce170b6 ++Ctrl.hexsession_id = hexsession_id:1380b38f6b6997a47ce234b7d3d6afb5960e721a348a725704c19cff ++Ctrl.type = type:D ++Output = b55b7cca0a0363b84b40b79366b87db7c440dec5bf89e952 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008004a70cf5e546c0920433bf16dcda3076d9195b5c35ad6b83b6a51e880f22fddaae0d358e35037bbe1e66f2422c29ff30a39822e067930b9faf59f844441dee6f233635a00c7cb71596f8589194016132ebbe204d98fc7f9bb0b7f4e6b6a68f488a59138d9859729d938de6ace9d08be86301bbd4e80d4650391ef3599a6f0bc0 ++Ctrl.hexxcghash = hexxcghash:a05a5c2d8beb394b7befaecfe3f4227cd81a28d90ac64ec78ce170b6 ++Ctrl.hexsession_id = hexsession_id:1380b38f6b6997a47ce234b7d3d6afb5960e721a348a725704c19cff ++Ctrl.type = type:E ++Output = 9c6399e5f4db0fc7652268d7423230ee5ffc0a210c26568dc5c0ab7d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008004a70cf5e546c0920433bf16dcda3076d9195b5c35ad6b83b6a51e880f22fddaae0d358e35037bbe1e66f2422c29ff30a39822e067930b9faf59f844441dee6f233635a00c7cb71596f8589194016132ebbe204d98fc7f9bb0b7f4e6b6a68f488a59138d9859729d938de6ace9d08be86301bbd4e80d4650391ef3599a6f0bc0 ++Ctrl.hexxcghash = hexxcghash:a05a5c2d8beb394b7befaecfe3f4227cd81a28d90ac64ec78ce170b6 ++Ctrl.hexsession_id = hexsession_id:1380b38f6b6997a47ce234b7d3d6afb5960e721a348a725704c19cff ++Ctrl.type = type:F ++Output = 9824301c33daae0f1b75eb472d6f0b4ef2cea0b2f61e204b6aefb0bd ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100d07c8a0c16c5f000ff00db6161555ea6b6b400803fe250288a9b88b48ced381de3f46982210216dff4defdbb007e98ea47f891ae3f38e09f56c96913406c13ed35cade3f2f80c6c6402e7ab097decc9e7ecc377b9965991422b54b8fcf34b9635cdc6b1cb698c61cd8377f3fadf1ba9e289d83767ca24370661085461a0b348e ++Ctrl.hexxcghash = hexxcghash:45dfee14ec8160cb1ccd769d2db4785b9773aeedde0c6ca0f75324df ++Ctrl.hexsession_id = hexsession_id:0f15315853288a987cec1e0668f34fa54537304f7082673d74d4f970 ++Ctrl.type = type:A ++Output = 2958928e5fd3c6e4 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100d07c8a0c16c5f000ff00db6161555ea6b6b400803fe250288a9b88b48ced381de3f46982210216dff4defdbb007e98ea47f891ae3f38e09f56c96913406c13ed35cade3f2f80c6c6402e7ab097decc9e7ecc377b9965991422b54b8fcf34b9635cdc6b1cb698c61cd8377f3fadf1ba9e289d83767ca24370661085461a0b348e ++Ctrl.hexxcghash = hexxcghash:45dfee14ec8160cb1ccd769d2db4785b9773aeedde0c6ca0f75324df ++Ctrl.hexsession_id = hexsession_id:0f15315853288a987cec1e0668f34fa54537304f7082673d74d4f970 ++Ctrl.type = type:B ++Output = aa91bee1a3b3374c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100d07c8a0c16c5f000ff00db6161555ea6b6b400803fe250288a9b88b48ced381de3f46982210216dff4defdbb007e98ea47f891ae3f38e09f56c96913406c13ed35cade3f2f80c6c6402e7ab097decc9e7ecc377b9965991422b54b8fcf34b9635cdc6b1cb698c61cd8377f3fadf1ba9e289d83767ca24370661085461a0b348e ++Ctrl.hexxcghash = hexxcghash:45dfee14ec8160cb1ccd769d2db4785b9773aeedde0c6ca0f75324df ++Ctrl.hexsession_id = hexsession_id:0f15315853288a987cec1e0668f34fa54537304f7082673d74d4f970 ++Ctrl.type = type:C ++Output = 6fdac559eb1d6af7fc7fbaa4f9a15fd4145b97b9418518d9 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100d07c8a0c16c5f000ff00db6161555ea6b6b400803fe250288a9b88b48ced381de3f46982210216dff4defdbb007e98ea47f891ae3f38e09f56c96913406c13ed35cade3f2f80c6c6402e7ab097decc9e7ecc377b9965991422b54b8fcf34b9635cdc6b1cb698c61cd8377f3fadf1ba9e289d83767ca24370661085461a0b348e ++Ctrl.hexxcghash = hexxcghash:45dfee14ec8160cb1ccd769d2db4785b9773aeedde0c6ca0f75324df ++Ctrl.hexsession_id = hexsession_id:0f15315853288a987cec1e0668f34fa54537304f7082673d74d4f970 ++Ctrl.type = type:D ++Output = 5a8271402756f7eac59f09b5020f7b05f6475fc3a2e2b482 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100d07c8a0c16c5f000ff00db6161555ea6b6b400803fe250288a9b88b48ced381de3f46982210216dff4defdbb007e98ea47f891ae3f38e09f56c96913406c13ed35cade3f2f80c6c6402e7ab097decc9e7ecc377b9965991422b54b8fcf34b9635cdc6b1cb698c61cd8377f3fadf1ba9e289d83767ca24370661085461a0b348e ++Ctrl.hexxcghash = hexxcghash:45dfee14ec8160cb1ccd769d2db4785b9773aeedde0c6ca0f75324df ++Ctrl.hexsession_id = hexsession_id:0f15315853288a987cec1e0668f34fa54537304f7082673d74d4f970 ++Ctrl.type = type:E ++Output = 910de4a4a437cab056f7c38037f0196c524464237c5e332e79564a90 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100d07c8a0c16c5f000ff00db6161555ea6b6b400803fe250288a9b88b48ced381de3f46982210216dff4defdbb007e98ea47f891ae3f38e09f56c96913406c13ed35cade3f2f80c6c6402e7ab097decc9e7ecc377b9965991422b54b8fcf34b9635cdc6b1cb698c61cd8377f3fadf1ba9e289d83767ca24370661085461a0b348e ++Ctrl.hexxcghash = hexxcghash:45dfee14ec8160cb1ccd769d2db4785b9773aeedde0c6ca0f75324df ++Ctrl.hexsession_id = hexsession_id:0f15315853288a987cec1e0668f34fa54537304f7082673d74d4f970 ++Ctrl.type = type:F ++Output = 0bfa6ed5dc8ab0fc1bb9feb966d7107137ebf3f754ac71c2a16a9c22 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000000807f046e0e1a0050fe544cd0bf194fdb0a07efe7708498a1b25aad90641e8befdef8f4aacb538ccc446d02d3896e1cc34d9a8becdcc48d10e73460f7c0c58eb51707d37f1eaa0008cb21c89e8b226a3e60c76f9f9f5af2a16abca346a81c66ec0199167b17e0d8cb3baea9a9c700632f585e0cd467e779eba02bc24eff22b6425c ++Ctrl.hexxcghash = hexxcghash:b63c992199e370cde19b640077bbbac92c6a8a0f206b4d560935cee5 ++Ctrl.hexsession_id = hexsession_id:ee00f86c7ecc4ce74a3ece1699802b7420ca4d49cc74b23399c23545 ++Ctrl.type = type:A ++Output = 82204d79e13252f1 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000000807f046e0e1a0050fe544cd0bf194fdb0a07efe7708498a1b25aad90641e8befdef8f4aacb538ccc446d02d3896e1cc34d9a8becdcc48d10e73460f7c0c58eb51707d37f1eaa0008cb21c89e8b226a3e60c76f9f9f5af2a16abca346a81c66ec0199167b17e0d8cb3baea9a9c700632f585e0cd467e779eba02bc24eff22b6425c ++Ctrl.hexxcghash = hexxcghash:b63c992199e370cde19b640077bbbac92c6a8a0f206b4d560935cee5 ++Ctrl.hexsession_id = hexsession_id:ee00f86c7ecc4ce74a3ece1699802b7420ca4d49cc74b23399c23545 ++Ctrl.type = type:B ++Output = a76ff923488c7bd3 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000000807f046e0e1a0050fe544cd0bf194fdb0a07efe7708498a1b25aad90641e8befdef8f4aacb538ccc446d02d3896e1cc34d9a8becdcc48d10e73460f7c0c58eb51707d37f1eaa0008cb21c89e8b226a3e60c76f9f9f5af2a16abca346a81c66ec0199167b17e0d8cb3baea9a9c700632f585e0cd467e779eba02bc24eff22b6425c ++Ctrl.hexxcghash = hexxcghash:b63c992199e370cde19b640077bbbac92c6a8a0f206b4d560935cee5 ++Ctrl.hexsession_id = hexsession_id:ee00f86c7ecc4ce74a3ece1699802b7420ca4d49cc74b23399c23545 ++Ctrl.type = type:C ++Output = 8ba3bd224890bdd4dd07d2a5a98e5efcd95d82c66583d098 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000000807f046e0e1a0050fe544cd0bf194fdb0a07efe7708498a1b25aad90641e8befdef8f4aacb538ccc446d02d3896e1cc34d9a8becdcc48d10e73460f7c0c58eb51707d37f1eaa0008cb21c89e8b226a3e60c76f9f9f5af2a16abca346a81c66ec0199167b17e0d8cb3baea9a9c700632f585e0cd467e779eba02bc24eff22b6425c ++Ctrl.hexxcghash = hexxcghash:b63c992199e370cde19b640077bbbac92c6a8a0f206b4d560935cee5 ++Ctrl.hexsession_id = hexsession_id:ee00f86c7ecc4ce74a3ece1699802b7420ca4d49cc74b23399c23545 ++Ctrl.type = type:D ++Output = a04a3844933ca1bb45848bc1a7626e4c50dc46aa5376d027 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000000807f046e0e1a0050fe544cd0bf194fdb0a07efe7708498a1b25aad90641e8befdef8f4aacb538ccc446d02d3896e1cc34d9a8becdcc48d10e73460f7c0c58eb51707d37f1eaa0008cb21c89e8b226a3e60c76f9f9f5af2a16abca346a81c66ec0199167b17e0d8cb3baea9a9c700632f585e0cd467e779eba02bc24eff22b6425c ++Ctrl.hexxcghash = hexxcghash:b63c992199e370cde19b640077bbbac92c6a8a0f206b4d560935cee5 ++Ctrl.hexsession_id = hexsession_id:ee00f86c7ecc4ce74a3ece1699802b7420ca4d49cc74b23399c23545 ++Ctrl.type = type:E ++Output = 393f2f152d6c6d063f284cadd1fd9d700928188b7fea31f74b44fbc6 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000000807f046e0e1a0050fe544cd0bf194fdb0a07efe7708498a1b25aad90641e8befdef8f4aacb538ccc446d02d3896e1cc34d9a8becdcc48d10e73460f7c0c58eb51707d37f1eaa0008cb21c89e8b226a3e60c76f9f9f5af2a16abca346a81c66ec0199167b17e0d8cb3baea9a9c700632f585e0cd467e779eba02bc24eff22b6425c ++Ctrl.hexxcghash = hexxcghash:b63c992199e370cde19b640077bbbac92c6a8a0f206b4d560935cee5 ++Ctrl.hexsession_id = hexsession_id:ee00f86c7ecc4ce74a3ece1699802b7420ca4d49cc74b23399c23545 ++Ctrl.type = type:F ++Output = f27f2cd72b22e1719f91b912d6c9d180985121d32bd217e348cd2003 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100b51d0e3d21612b3bde548bf3da6d474166972f602beb1b876b7045a595483ec0bfb707eaf7c0d416d028a3ed7cff460cad66e2284e3190a746d3304678c91b2654b3ab147aece57e3bb5f4d30d4d7c01e065f70b12b9270ebec306a178870d1fd814806c3dbdc16d4bd7e843de8e5414ff336e735bc5c8241ab0ae08197159d6 ++Ctrl.hexxcghash = hexxcghash:1eacc2c8e8ec2c3a5af31c6d498301e82664f60899223ef4348f4467 ++Ctrl.hexsession_id = hexsession_id:ddc879c0f221147bd70a1cedf5578fd8f196290357945fe75e551262 ++Ctrl.type = type:A ++Output = f843e3c6a1621998 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100b51d0e3d21612b3bde548bf3da6d474166972f602beb1b876b7045a595483ec0bfb707eaf7c0d416d028a3ed7cff460cad66e2284e3190a746d3304678c91b2654b3ab147aece57e3bb5f4d30d4d7c01e065f70b12b9270ebec306a178870d1fd814806c3dbdc16d4bd7e843de8e5414ff336e735bc5c8241ab0ae08197159d6 ++Ctrl.hexxcghash = hexxcghash:1eacc2c8e8ec2c3a5af31c6d498301e82664f60899223ef4348f4467 ++Ctrl.hexsession_id = hexsession_id:ddc879c0f221147bd70a1cedf5578fd8f196290357945fe75e551262 ++Ctrl.type = type:B ++Output = 128b2d8968cfaad5 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100b51d0e3d21612b3bde548bf3da6d474166972f602beb1b876b7045a595483ec0bfb707eaf7c0d416d028a3ed7cff460cad66e2284e3190a746d3304678c91b2654b3ab147aece57e3bb5f4d30d4d7c01e065f70b12b9270ebec306a178870d1fd814806c3dbdc16d4bd7e843de8e5414ff336e735bc5c8241ab0ae08197159d6 ++Ctrl.hexxcghash = hexxcghash:1eacc2c8e8ec2c3a5af31c6d498301e82664f60899223ef4348f4467 ++Ctrl.hexsession_id = hexsession_id:ddc879c0f221147bd70a1cedf5578fd8f196290357945fe75e551262 ++Ctrl.type = type:C ++Output = d6c4d2685753580dea2c6a6eb6add592011356eb9e868d44 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100b51d0e3d21612b3bde548bf3da6d474166972f602beb1b876b7045a595483ec0bfb707eaf7c0d416d028a3ed7cff460cad66e2284e3190a746d3304678c91b2654b3ab147aece57e3bb5f4d30d4d7c01e065f70b12b9270ebec306a178870d1fd814806c3dbdc16d4bd7e843de8e5414ff336e735bc5c8241ab0ae08197159d6 ++Ctrl.hexxcghash = hexxcghash:1eacc2c8e8ec2c3a5af31c6d498301e82664f60899223ef4348f4467 ++Ctrl.hexsession_id = hexsession_id:ddc879c0f221147bd70a1cedf5578fd8f196290357945fe75e551262 ++Ctrl.type = type:D ++Output = 92af60f4858f3d14efaac039130389ab9ae1237f0da09a29 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100b51d0e3d21612b3bde548bf3da6d474166972f602beb1b876b7045a595483ec0bfb707eaf7c0d416d028a3ed7cff460cad66e2284e3190a746d3304678c91b2654b3ab147aece57e3bb5f4d30d4d7c01e065f70b12b9270ebec306a178870d1fd814806c3dbdc16d4bd7e843de8e5414ff336e735bc5c8241ab0ae08197159d6 ++Ctrl.hexxcghash = hexxcghash:1eacc2c8e8ec2c3a5af31c6d498301e82664f60899223ef4348f4467 ++Ctrl.hexsession_id = hexsession_id:ddc879c0f221147bd70a1cedf5578fd8f196290357945fe75e551262 ++Ctrl.type = type:E ++Output = a37af93c8f25e145def1c5397bec2ee2119cc0e0bd4854fe23b2e3d1 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000008100b51d0e3d21612b3bde548bf3da6d474166972f602beb1b876b7045a595483ec0bfb707eaf7c0d416d028a3ed7cff460cad66e2284e3190a746d3304678c91b2654b3ab147aece57e3bb5f4d30d4d7c01e065f70b12b9270ebec306a178870d1fd814806c3dbdc16d4bd7e843de8e5414ff336e735bc5c8241ab0ae08197159d6 ++Ctrl.hexxcghash = hexxcghash:1eacc2c8e8ec2c3a5af31c6d498301e82664f60899223ef4348f4467 ++Ctrl.hexsession_id = hexsession_id:ddc879c0f221147bd70a1cedf5578fd8f196290357945fe75e551262 ++Ctrl.type = type:F ++Output = d44def5fcec300da5913ca109c0fd7a2c2cbcedd2c3e3216c5cb0d95 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000000810088a2add0cc5918c649c6bbc82930ae99326188faa20e2cfc8f819cc44bdd99d1638fbbd380197beda58c039c239fdcced533db7ea31635b835f5f92725490e7638d40a017b89f48406faab653aa03721af5d7c5c61d4519e7c07f99974c1f715b1ce3fcffc50b2a6cc9b4e45a76791b862ac87524d2b52fe6c706f5a73e5dc0a ++Ctrl.hexxcghash = hexxcghash:321ef6b92cae9df351c1b7d2253325536e659df52acd4a8787b45217 ++Ctrl.hexsession_id = hexsession_id:340edbc8aeec53501158ad2ea7650abcbb906348d57b14b61524469e ++Ctrl.type = type:A ++Output = 4276fab65090b420 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000000810088a2add0cc5918c649c6bbc82930ae99326188faa20e2cfc8f819cc44bdd99d1638fbbd380197beda58c039c239fdcced533db7ea31635b835f5f92725490e7638d40a017b89f48406faab653aa03721af5d7c5c61d4519e7c07f99974c1f715b1ce3fcffc50b2a6cc9b4e45a76791b862ac87524d2b52fe6c706f5a73e5dc0a ++Ctrl.hexxcghash = hexxcghash:321ef6b92cae9df351c1b7d2253325536e659df52acd4a8787b45217 ++Ctrl.hexsession_id = hexsession_id:340edbc8aeec53501158ad2ea7650abcbb906348d57b14b61524469e ++Ctrl.type = type:B ++Output = 00303ca4f9a5a6f8 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000000810088a2add0cc5918c649c6bbc82930ae99326188faa20e2cfc8f819cc44bdd99d1638fbbd380197beda58c039c239fdcced533db7ea31635b835f5f92725490e7638d40a017b89f48406faab653aa03721af5d7c5c61d4519e7c07f99974c1f715b1ce3fcffc50b2a6cc9b4e45a76791b862ac87524d2b52fe6c706f5a73e5dc0a ++Ctrl.hexxcghash = hexxcghash:321ef6b92cae9df351c1b7d2253325536e659df52acd4a8787b45217 ++Ctrl.hexsession_id = hexsession_id:340edbc8aeec53501158ad2ea7650abcbb906348d57b14b61524469e ++Ctrl.type = type:C ++Output = 3d67892281e9c6ed6535d7ae69e832f6723afd545763bd3d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000000810088a2add0cc5918c649c6bbc82930ae99326188faa20e2cfc8f819cc44bdd99d1638fbbd380197beda58c039c239fdcced533db7ea31635b835f5f92725490e7638d40a017b89f48406faab653aa03721af5d7c5c61d4519e7c07f99974c1f715b1ce3fcffc50b2a6cc9b4e45a76791b862ac87524d2b52fe6c706f5a73e5dc0a ++Ctrl.hexxcghash = hexxcghash:321ef6b92cae9df351c1b7d2253325536e659df52acd4a8787b45217 ++Ctrl.hexsession_id = hexsession_id:340edbc8aeec53501158ad2ea7650abcbb906348d57b14b61524469e ++Ctrl.type = type:D ++Output = 5a5844e6c47eacc172e0012044037668a653758b96310350 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000000810088a2add0cc5918c649c6bbc82930ae99326188faa20e2cfc8f819cc44bdd99d1638fbbd380197beda58c039c239fdcced533db7ea31635b835f5f92725490e7638d40a017b89f48406faab653aa03721af5d7c5c61d4519e7c07f99974c1f715b1ce3fcffc50b2a6cc9b4e45a76791b862ac87524d2b52fe6c706f5a73e5dc0a ++Ctrl.hexxcghash = hexxcghash:321ef6b92cae9df351c1b7d2253325536e659df52acd4a8787b45217 ++Ctrl.hexsession_id = hexsession_id:340edbc8aeec53501158ad2ea7650abcbb906348d57b14b61524469e ++Ctrl.type = type:E ++Output = 4783fb6e98db788f6594c2b82e751528590c41780adce2ffba234290 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000000810088a2add0cc5918c649c6bbc82930ae99326188faa20e2cfc8f819cc44bdd99d1638fbbd380197beda58c039c239fdcced533db7ea31635b835f5f92725490e7638d40a017b89f48406faab653aa03721af5d7c5c61d4519e7c07f99974c1f715b1ce3fcffc50b2a6cc9b4e45a76791b862ac87524d2b52fe6c706f5a73e5dc0a ++Ctrl.hexxcghash = hexxcghash:321ef6b92cae9df351c1b7d2253325536e659df52acd4a8787b45217 ++Ctrl.hexsession_id = hexsession_id:340edbc8aeec53501158ad2ea7650abcbb906348d57b14b61524469e ++Ctrl.type = type:F ++Output = 7c60752b0b5a0f0027507ecd88e6af2b78e462a98459bf0511152663 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100d62744a1ee5a4d03d761f48fb63ece42d9204e00016dad042ae7cbe600cb9e93535bc36d2f94d715cf8c2cd948caf876b4948429cb85ac73765949495af8380a56b68d1d3eeb4d9b310e2c53db5f51a7b8382759273c0be30862df81ca420f414c3ea8e6a1fb4875257ccc536e971c8dc07e600e265e642489266604f94ee995f96ef02eac771bb88bc66c57d229edfba1e484fd1c8b49e11e594aefa681f26ea28c348615d3e0a2dc76845d2d19543751ce444c7b65fa449a74639fa13c123d025200efa7012b209400746e03bd6a7bc938b926107da0491407bd952602d14a7fa743cbd51d5090a22c76a336f06b5e6dc5ecf70c803da8dcbff149c5013c36 ++Ctrl.hexxcghash = hexxcghash:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701 ++Ctrl.hexsession_id = hexsession_id:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701 ++Ctrl.type = type:A ++Output = 2512664639690af9f64afd16d9ccf3d3 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100d62744a1ee5a4d03d761f48fb63ece42d9204e00016dad042ae7cbe600cb9e93535bc36d2f94d715cf8c2cd948caf876b4948429cb85ac73765949495af8380a56b68d1d3eeb4d9b310e2c53db5f51a7b8382759273c0be30862df81ca420f414c3ea8e6a1fb4875257ccc536e971c8dc07e600e265e642489266604f94ee995f96ef02eac771bb88bc66c57d229edfba1e484fd1c8b49e11e594aefa681f26ea28c348615d3e0a2dc76845d2d19543751ce444c7b65fa449a74639fa13c123d025200efa7012b209400746e03bd6a7bc938b926107da0491407bd952602d14a7fa743cbd51d5090a22c76a336f06b5e6dc5ecf70c803da8dcbff149c5013c36 ++Ctrl.hexxcghash = hexxcghash:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701 ++Ctrl.hexsession_id = hexsession_id:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701 ++Ctrl.type = type:B ++Output = c13223796f394c6d1ffd18c22c09f27a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100d62744a1ee5a4d03d761f48fb63ece42d9204e00016dad042ae7cbe600cb9e93535bc36d2f94d715cf8c2cd948caf876b4948429cb85ac73765949495af8380a56b68d1d3eeb4d9b310e2c53db5f51a7b8382759273c0be30862df81ca420f414c3ea8e6a1fb4875257ccc536e971c8dc07e600e265e642489266604f94ee995f96ef02eac771bb88bc66c57d229edfba1e484fd1c8b49e11e594aefa681f26ea28c348615d3e0a2dc76845d2d19543751ce444c7b65fa449a74639fa13c123d025200efa7012b209400746e03bd6a7bc938b926107da0491407bd952602d14a7fa743cbd51d5090a22c76a336f06b5e6dc5ecf70c803da8dcbff149c5013c36 ++Ctrl.hexxcghash = hexxcghash:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701 ++Ctrl.hexsession_id = hexsession_id:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701 ++Ctrl.type = type:C ++Output = 7be659a7cbeda28722315d96444a5c98 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100d62744a1ee5a4d03d761f48fb63ece42d9204e00016dad042ae7cbe600cb9e93535bc36d2f94d715cf8c2cd948caf876b4948429cb85ac73765949495af8380a56b68d1d3eeb4d9b310e2c53db5f51a7b8382759273c0be30862df81ca420f414c3ea8e6a1fb4875257ccc536e971c8dc07e600e265e642489266604f94ee995f96ef02eac771bb88bc66c57d229edfba1e484fd1c8b49e11e594aefa681f26ea28c348615d3e0a2dc76845d2d19543751ce444c7b65fa449a74639fa13c123d025200efa7012b209400746e03bd6a7bc938b926107da0491407bd952602d14a7fa743cbd51d5090a22c76a336f06b5e6dc5ecf70c803da8dcbff149c5013c36 ++Ctrl.hexxcghash = hexxcghash:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701 ++Ctrl.hexsession_id = hexsession_id:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701 ++Ctrl.type = type:D ++Output = bdfbd698c518aa45c35d7afd7bd91150 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100d62744a1ee5a4d03d761f48fb63ece42d9204e00016dad042ae7cbe600cb9e93535bc36d2f94d715cf8c2cd948caf876b4948429cb85ac73765949495af8380a56b68d1d3eeb4d9b310e2c53db5f51a7b8382759273c0be30862df81ca420f414c3ea8e6a1fb4875257ccc536e971c8dc07e600e265e642489266604f94ee995f96ef02eac771bb88bc66c57d229edfba1e484fd1c8b49e11e594aefa681f26ea28c348615d3e0a2dc76845d2d19543751ce444c7b65fa449a74639fa13c123d025200efa7012b209400746e03bd6a7bc938b926107da0491407bd952602d14a7fa743cbd51d5090a22c76a336f06b5e6dc5ecf70c803da8dcbff149c5013c36 ++Ctrl.hexxcghash = hexxcghash:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701 ++Ctrl.hexsession_id = hexsession_id:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701 ++Ctrl.type = type:E ++Output = dd38b79b081713ac3007ffd88d5cd67f43fbb36c983e0fc1cd273d84 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100d62744a1ee5a4d03d761f48fb63ece42d9204e00016dad042ae7cbe600cb9e93535bc36d2f94d715cf8c2cd948caf876b4948429cb85ac73765949495af8380a56b68d1d3eeb4d9b310e2c53db5f51a7b8382759273c0be30862df81ca420f414c3ea8e6a1fb4875257ccc536e971c8dc07e600e265e642489266604f94ee995f96ef02eac771bb88bc66c57d229edfba1e484fd1c8b49e11e594aefa681f26ea28c348615d3e0a2dc76845d2d19543751ce444c7b65fa449a74639fa13c123d025200efa7012b209400746e03bd6a7bc938b926107da0491407bd952602d14a7fa743cbd51d5090a22c76a336f06b5e6dc5ecf70c803da8dcbff149c5013c36 ++Ctrl.hexxcghash = hexxcghash:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701 ++Ctrl.hexsession_id = hexsession_id:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701 ++Ctrl.type = type:F ++Output = edf713ecfb21b9e9c2d9d04c882d5ded433dcf459ff5b0fe7cd45bb1 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100d9b92844753a5eadc2ef7e84372a56bd096cc1d57a5c282811658d7df87564f202e800c774e75bbb53f47e835f207300ccd4661fd8a73b6ff87770c2c036346e99fadc5193171e1e732f3b6a017808a150ee02c4b6e70d87462e51825a94bda27fa9cbe18c7ef20d0b0201cb7526e0e9bac21b877e5064000290424387a9aa98da563ee2a5ef36af4b442a69eb631b88b8e3a0f073aa5dda589c4aa0e4e007e0d0036a231d52137d724fd60d41f42512214853e7acf8bde77e377842468f4216a15d0c8fe033c2b133bf651c82fda6d227e3c3f0cb7d0a9eba7c35eeefcf683ddde696fdeba5ec124e701f01bf5b0d59a667c75633dea07670b07baa20f313c3 ++Ctrl.hexxcghash = hexxcghash:a510774a9b07b05e4e0eaf9409d77028a511a9565784b69ab3c03ffc ++Ctrl.hexsession_id = hexsession_id:49c4ad412d13870d0e9c6855e2881fc032aab36fa3ab3598a7f1153e ++Ctrl.type = type:A ++Output = f3064d3f3ed09eefd34731a2c60c1a80 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100d9b92844753a5eadc2ef7e84372a56bd096cc1d57a5c282811658d7df87564f202e800c774e75bbb53f47e835f207300ccd4661fd8a73b6ff87770c2c036346e99fadc5193171e1e732f3b6a017808a150ee02c4b6e70d87462e51825a94bda27fa9cbe18c7ef20d0b0201cb7526e0e9bac21b877e5064000290424387a9aa98da563ee2a5ef36af4b442a69eb631b88b8e3a0f073aa5dda589c4aa0e4e007e0d0036a231d52137d724fd60d41f42512214853e7acf8bde77e377842468f4216a15d0c8fe033c2b133bf651c82fda6d227e3c3f0cb7d0a9eba7c35eeefcf683ddde696fdeba5ec124e701f01bf5b0d59a667c75633dea07670b07baa20f313c3 ++Ctrl.hexxcghash = hexxcghash:a510774a9b07b05e4e0eaf9409d77028a511a9565784b69ab3c03ffc ++Ctrl.hexsession_id = hexsession_id:49c4ad412d13870d0e9c6855e2881fc032aab36fa3ab3598a7f1153e ++Ctrl.type = type:B ++Output = 1f7f508d9c4cf1004a220f26e0e6c184 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100d9b92844753a5eadc2ef7e84372a56bd096cc1d57a5c282811658d7df87564f202e800c774e75bbb53f47e835f207300ccd4661fd8a73b6ff87770c2c036346e99fadc5193171e1e732f3b6a017808a150ee02c4b6e70d87462e51825a94bda27fa9cbe18c7ef20d0b0201cb7526e0e9bac21b877e5064000290424387a9aa98da563ee2a5ef36af4b442a69eb631b88b8e3a0f073aa5dda589c4aa0e4e007e0d0036a231d52137d724fd60d41f42512214853e7acf8bde77e377842468f4216a15d0c8fe033c2b133bf651c82fda6d227e3c3f0cb7d0a9eba7c35eeefcf683ddde696fdeba5ec124e701f01bf5b0d59a667c75633dea07670b07baa20f313c3 ++Ctrl.hexxcghash = hexxcghash:a510774a9b07b05e4e0eaf9409d77028a511a9565784b69ab3c03ffc ++Ctrl.hexsession_id = hexsession_id:49c4ad412d13870d0e9c6855e2881fc032aab36fa3ab3598a7f1153e ++Ctrl.type = type:C ++Output = 2ad48a77fa12fcb5d3d3e98d5bb87d76 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100d9b92844753a5eadc2ef7e84372a56bd096cc1d57a5c282811658d7df87564f202e800c774e75bbb53f47e835f207300ccd4661fd8a73b6ff87770c2c036346e99fadc5193171e1e732f3b6a017808a150ee02c4b6e70d87462e51825a94bda27fa9cbe18c7ef20d0b0201cb7526e0e9bac21b877e5064000290424387a9aa98da563ee2a5ef36af4b442a69eb631b88b8e3a0f073aa5dda589c4aa0e4e007e0d0036a231d52137d724fd60d41f42512214853e7acf8bde77e377842468f4216a15d0c8fe033c2b133bf651c82fda6d227e3c3f0cb7d0a9eba7c35eeefcf683ddde696fdeba5ec124e701f01bf5b0d59a667c75633dea07670b07baa20f313c3 ++Ctrl.hexxcghash = hexxcghash:a510774a9b07b05e4e0eaf9409d77028a511a9565784b69ab3c03ffc ++Ctrl.hexsession_id = hexsession_id:49c4ad412d13870d0e9c6855e2881fc032aab36fa3ab3598a7f1153e ++Ctrl.type = type:D ++Output = 0433db7fd40d9d0dc9df6e9eed8059e4 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100d9b92844753a5eadc2ef7e84372a56bd096cc1d57a5c282811658d7df87564f202e800c774e75bbb53f47e835f207300ccd4661fd8a73b6ff87770c2c036346e99fadc5193171e1e732f3b6a017808a150ee02c4b6e70d87462e51825a94bda27fa9cbe18c7ef20d0b0201cb7526e0e9bac21b877e5064000290424387a9aa98da563ee2a5ef36af4b442a69eb631b88b8e3a0f073aa5dda589c4aa0e4e007e0d0036a231d52137d724fd60d41f42512214853e7acf8bde77e377842468f4216a15d0c8fe033c2b133bf651c82fda6d227e3c3f0cb7d0a9eba7c35eeefcf683ddde696fdeba5ec124e701f01bf5b0d59a667c75633dea07670b07baa20f313c3 ++Ctrl.hexxcghash = hexxcghash:a510774a9b07b05e4e0eaf9409d77028a511a9565784b69ab3c03ffc ++Ctrl.hexsession_id = hexsession_id:49c4ad412d13870d0e9c6855e2881fc032aab36fa3ab3598a7f1153e ++Ctrl.type = type:E ++Output = b07884f15910c6a083143ef9bda115d05c9e4c4057c1987c4f78a1b6 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100d9b92844753a5eadc2ef7e84372a56bd096cc1d57a5c282811658d7df87564f202e800c774e75bbb53f47e835f207300ccd4661fd8a73b6ff87770c2c036346e99fadc5193171e1e732f3b6a017808a150ee02c4b6e70d87462e51825a94bda27fa9cbe18c7ef20d0b0201cb7526e0e9bac21b877e5064000290424387a9aa98da563ee2a5ef36af4b442a69eb631b88b8e3a0f073aa5dda589c4aa0e4e007e0d0036a231d52137d724fd60d41f42512214853e7acf8bde77e377842468f4216a15d0c8fe033c2b133bf651c82fda6d227e3c3f0cb7d0a9eba7c35eeefcf683ddde696fdeba5ec124e701f01bf5b0d59a667c75633dea07670b07baa20f313c3 ++Ctrl.hexxcghash = hexxcghash:a510774a9b07b05e4e0eaf9409d77028a511a9565784b69ab3c03ffc ++Ctrl.hexsession_id = hexsession_id:49c4ad412d13870d0e9c6855e2881fc032aab36fa3ab3598a7f1153e ++Ctrl.type = type:F ++Output = f838da7b26311dbd529f742d901709229482cea9d7ac9f0c2cd14200 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010012641156f363edf89c1824532fcf379a846dd042ac173d6b9b75651d7aa911ebe75f5dd3b502a7d6ec331f095ed08505e86f51008242357b3d29d75db82619066c2ecb3ba78e8de8fceeb206bfa39ef3e6617d1f20e4a092ac6bd589904fe0ce4fac2d73c7396a54084bf71e929ae0c5c7e67e1795e73f9fab8c6ee90254f27dae6750e1f8769af5b235f9f7aef302f1fc4015f60af34656a1a8187159a4d6c4b3be40abe9ad5cb56a52f5407186b42fdce7a691b917550719fc7eef858030dcb2829a07a39ca279d9deb0487b893d4c7bbc41cde4eb366188f38bdb4289b8a95ae757864e963cbe4f5eced9aebf3b33ebb3c75b7e405816366e609e16f8bc56 ++Ctrl.hexxcghash = hexxcghash:d041364fa73e42f0c9c49d2ad25a758c3f4691761d9caf6dfd2ad690 ++Ctrl.hexsession_id = hexsession_id:1fea0e79508d3b2caf0e275c463626ad7d57c6cfc1da79a5bce2fa53 ++Ctrl.type = type:A ++Output = d8c60bf582892d2cd03956774614b9f1 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010012641156f363edf89c1824532fcf379a846dd042ac173d6b9b75651d7aa911ebe75f5dd3b502a7d6ec331f095ed08505e86f51008242357b3d29d75db82619066c2ecb3ba78e8de8fceeb206bfa39ef3e6617d1f20e4a092ac6bd589904fe0ce4fac2d73c7396a54084bf71e929ae0c5c7e67e1795e73f9fab8c6ee90254f27dae6750e1f8769af5b235f9f7aef302f1fc4015f60af34656a1a8187159a4d6c4b3be40abe9ad5cb56a52f5407186b42fdce7a691b917550719fc7eef858030dcb2829a07a39ca279d9deb0487b893d4c7bbc41cde4eb366188f38bdb4289b8a95ae757864e963cbe4f5eced9aebf3b33ebb3c75b7e405816366e609e16f8bc56 ++Ctrl.hexxcghash = hexxcghash:d041364fa73e42f0c9c49d2ad25a758c3f4691761d9caf6dfd2ad690 ++Ctrl.hexsession_id = hexsession_id:1fea0e79508d3b2caf0e275c463626ad7d57c6cfc1da79a5bce2fa53 ++Ctrl.type = type:B ++Output = bac1bef6d6dd92de55bc174c9db77a54 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010012641156f363edf89c1824532fcf379a846dd042ac173d6b9b75651d7aa911ebe75f5dd3b502a7d6ec331f095ed08505e86f51008242357b3d29d75db82619066c2ecb3ba78e8de8fceeb206bfa39ef3e6617d1f20e4a092ac6bd589904fe0ce4fac2d73c7396a54084bf71e929ae0c5c7e67e1795e73f9fab8c6ee90254f27dae6750e1f8769af5b235f9f7aef302f1fc4015f60af34656a1a8187159a4d6c4b3be40abe9ad5cb56a52f5407186b42fdce7a691b917550719fc7eef858030dcb2829a07a39ca279d9deb0487b893d4c7bbc41cde4eb366188f38bdb4289b8a95ae757864e963cbe4f5eced9aebf3b33ebb3c75b7e405816366e609e16f8bc56 ++Ctrl.hexxcghash = hexxcghash:d041364fa73e42f0c9c49d2ad25a758c3f4691761d9caf6dfd2ad690 ++Ctrl.hexsession_id = hexsession_id:1fea0e79508d3b2caf0e275c463626ad7d57c6cfc1da79a5bce2fa53 ++Ctrl.type = type:C ++Output = bdf96d88d7ac4f0daa62d29948a5c891 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010012641156f363edf89c1824532fcf379a846dd042ac173d6b9b75651d7aa911ebe75f5dd3b502a7d6ec331f095ed08505e86f51008242357b3d29d75db82619066c2ecb3ba78e8de8fceeb206bfa39ef3e6617d1f20e4a092ac6bd589904fe0ce4fac2d73c7396a54084bf71e929ae0c5c7e67e1795e73f9fab8c6ee90254f27dae6750e1f8769af5b235f9f7aef302f1fc4015f60af34656a1a8187159a4d6c4b3be40abe9ad5cb56a52f5407186b42fdce7a691b917550719fc7eef858030dcb2829a07a39ca279d9deb0487b893d4c7bbc41cde4eb366188f38bdb4289b8a95ae757864e963cbe4f5eced9aebf3b33ebb3c75b7e405816366e609e16f8bc56 ++Ctrl.hexxcghash = hexxcghash:d041364fa73e42f0c9c49d2ad25a758c3f4691761d9caf6dfd2ad690 ++Ctrl.hexsession_id = hexsession_id:1fea0e79508d3b2caf0e275c463626ad7d57c6cfc1da79a5bce2fa53 ++Ctrl.type = type:D ++Output = ef0dbe568b4f3fbcb8b2665ed7ed0f8d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010012641156f363edf89c1824532fcf379a846dd042ac173d6b9b75651d7aa911ebe75f5dd3b502a7d6ec331f095ed08505e86f51008242357b3d29d75db82619066c2ecb3ba78e8de8fceeb206bfa39ef3e6617d1f20e4a092ac6bd589904fe0ce4fac2d73c7396a54084bf71e929ae0c5c7e67e1795e73f9fab8c6ee90254f27dae6750e1f8769af5b235f9f7aef302f1fc4015f60af34656a1a8187159a4d6c4b3be40abe9ad5cb56a52f5407186b42fdce7a691b917550719fc7eef858030dcb2829a07a39ca279d9deb0487b893d4c7bbc41cde4eb366188f38bdb4289b8a95ae757864e963cbe4f5eced9aebf3b33ebb3c75b7e405816366e609e16f8bc56 ++Ctrl.hexxcghash = hexxcghash:d041364fa73e42f0c9c49d2ad25a758c3f4691761d9caf6dfd2ad690 ++Ctrl.hexsession_id = hexsession_id:1fea0e79508d3b2caf0e275c463626ad7d57c6cfc1da79a5bce2fa53 ++Ctrl.type = type:E ++Output = 315d50a1b29f9d556c983432b98bf437893c1a892cf69880353d9797 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010012641156f363edf89c1824532fcf379a846dd042ac173d6b9b75651d7aa911ebe75f5dd3b502a7d6ec331f095ed08505e86f51008242357b3d29d75db82619066c2ecb3ba78e8de8fceeb206bfa39ef3e6617d1f20e4a092ac6bd589904fe0ce4fac2d73c7396a54084bf71e929ae0c5c7e67e1795e73f9fab8c6ee90254f27dae6750e1f8769af5b235f9f7aef302f1fc4015f60af34656a1a8187159a4d6c4b3be40abe9ad5cb56a52f5407186b42fdce7a691b917550719fc7eef858030dcb2829a07a39ca279d9deb0487b893d4c7bbc41cde4eb366188f38bdb4289b8a95ae757864e963cbe4f5eced9aebf3b33ebb3c75b7e405816366e609e16f8bc56 ++Ctrl.hexxcghash = hexxcghash:d041364fa73e42f0c9c49d2ad25a758c3f4691761d9caf6dfd2ad690 ++Ctrl.hexsession_id = hexsession_id:1fea0e79508d3b2caf0e275c463626ad7d57c6cfc1da79a5bce2fa53 ++Ctrl.type = type:F ++Output = 612e3ac6651f9c7d99c532da0820f079292d9b33d36b684198665f5e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100ecfd38c0707d59db0b361a449a22ddc63f055678e253ffbc8324a306ff06e31590fcdf6fc271665335f01af804619f4367489d7829ca756cd14d2147f2c6b2c0355847955ebe89ed2133dc74283732c4f821a7cadcaa9abf661fa9fcf81b0596c454fdac23d79267c5a832979217df61f9bb04c0fa69f5fdae2407da763210f0b7c1097463505b0da86ad71c20c1c57accaae353919cb2708aa378a5ff598d0a4b21b7527b2dbd271957fbbf04f5787076fb7f8afdfb75ddb5fa142ab427e026c87033fe2c6f22454ebace3f77646d0ee447cd1d339c9a21ce86c0b233c7fcbd6d1d165e14d57908777cde654b7fc3c3db7e62951b359ec71fe475356dc6a58b ++Ctrl.hexxcghash = hexxcghash:7af5885d52c4173000c45dd2b0fbeb21fa5722aa65eecb1bf977248a ++Ctrl.hexsession_id = hexsession_id:122e2d181cca7dcec6f30a8b027b4d29275d342af5fd82794b24560f ++Ctrl.type = type:A ++Output = e0d36ac1de6cc8514d25ff824bfaaa37 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100ecfd38c0707d59db0b361a449a22ddc63f055678e253ffbc8324a306ff06e31590fcdf6fc271665335f01af804619f4367489d7829ca756cd14d2147f2c6b2c0355847955ebe89ed2133dc74283732c4f821a7cadcaa9abf661fa9fcf81b0596c454fdac23d79267c5a832979217df61f9bb04c0fa69f5fdae2407da763210f0b7c1097463505b0da86ad71c20c1c57accaae353919cb2708aa378a5ff598d0a4b21b7527b2dbd271957fbbf04f5787076fb7f8afdfb75ddb5fa142ab427e026c87033fe2c6f22454ebace3f77646d0ee447cd1d339c9a21ce86c0b233c7fcbd6d1d165e14d57908777cde654b7fc3c3db7e62951b359ec71fe475356dc6a58b ++Ctrl.hexxcghash = hexxcghash:7af5885d52c4173000c45dd2b0fbeb21fa5722aa65eecb1bf977248a ++Ctrl.hexsession_id = hexsession_id:122e2d181cca7dcec6f30a8b027b4d29275d342af5fd82794b24560f ++Ctrl.type = type:B ++Output = 58c896b4d1a9507e7da2234a1a538d78 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100ecfd38c0707d59db0b361a449a22ddc63f055678e253ffbc8324a306ff06e31590fcdf6fc271665335f01af804619f4367489d7829ca756cd14d2147f2c6b2c0355847955ebe89ed2133dc74283732c4f821a7cadcaa9abf661fa9fcf81b0596c454fdac23d79267c5a832979217df61f9bb04c0fa69f5fdae2407da763210f0b7c1097463505b0da86ad71c20c1c57accaae353919cb2708aa378a5ff598d0a4b21b7527b2dbd271957fbbf04f5787076fb7f8afdfb75ddb5fa142ab427e026c87033fe2c6f22454ebace3f77646d0ee447cd1d339c9a21ce86c0b233c7fcbd6d1d165e14d57908777cde654b7fc3c3db7e62951b359ec71fe475356dc6a58b ++Ctrl.hexxcghash = hexxcghash:7af5885d52c4173000c45dd2b0fbeb21fa5722aa65eecb1bf977248a ++Ctrl.hexsession_id = hexsession_id:122e2d181cca7dcec6f30a8b027b4d29275d342af5fd82794b24560f ++Ctrl.type = type:C ++Output = 5966df5cb582234585b4c4312318f829 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100ecfd38c0707d59db0b361a449a22ddc63f055678e253ffbc8324a306ff06e31590fcdf6fc271665335f01af804619f4367489d7829ca756cd14d2147f2c6b2c0355847955ebe89ed2133dc74283732c4f821a7cadcaa9abf661fa9fcf81b0596c454fdac23d79267c5a832979217df61f9bb04c0fa69f5fdae2407da763210f0b7c1097463505b0da86ad71c20c1c57accaae353919cb2708aa378a5ff598d0a4b21b7527b2dbd271957fbbf04f5787076fb7f8afdfb75ddb5fa142ab427e026c87033fe2c6f22454ebace3f77646d0ee447cd1d339c9a21ce86c0b233c7fcbd6d1d165e14d57908777cde654b7fc3c3db7e62951b359ec71fe475356dc6a58b ++Ctrl.hexxcghash = hexxcghash:7af5885d52c4173000c45dd2b0fbeb21fa5722aa65eecb1bf977248a ++Ctrl.hexsession_id = hexsession_id:122e2d181cca7dcec6f30a8b027b4d29275d342af5fd82794b24560f ++Ctrl.type = type:D ++Output = 40d8bdab78c9dac2b2d14d1c8bd41405 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100ecfd38c0707d59db0b361a449a22ddc63f055678e253ffbc8324a306ff06e31590fcdf6fc271665335f01af804619f4367489d7829ca756cd14d2147f2c6b2c0355847955ebe89ed2133dc74283732c4f821a7cadcaa9abf661fa9fcf81b0596c454fdac23d79267c5a832979217df61f9bb04c0fa69f5fdae2407da763210f0b7c1097463505b0da86ad71c20c1c57accaae353919cb2708aa378a5ff598d0a4b21b7527b2dbd271957fbbf04f5787076fb7f8afdfb75ddb5fa142ab427e026c87033fe2c6f22454ebace3f77646d0ee447cd1d339c9a21ce86c0b233c7fcbd6d1d165e14d57908777cde654b7fc3c3db7e62951b359ec71fe475356dc6a58b ++Ctrl.hexxcghash = hexxcghash:7af5885d52c4173000c45dd2b0fbeb21fa5722aa65eecb1bf977248a ++Ctrl.hexsession_id = hexsession_id:122e2d181cca7dcec6f30a8b027b4d29275d342af5fd82794b24560f ++Ctrl.type = type:E ++Output = 1af4707570794ff6c718c817ccb9fca5edf22a3a8d493a861633fb7a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100ecfd38c0707d59db0b361a449a22ddc63f055678e253ffbc8324a306ff06e31590fcdf6fc271665335f01af804619f4367489d7829ca756cd14d2147f2c6b2c0355847955ebe89ed2133dc74283732c4f821a7cadcaa9abf661fa9fcf81b0596c454fdac23d79267c5a832979217df61f9bb04c0fa69f5fdae2407da763210f0b7c1097463505b0da86ad71c20c1c57accaae353919cb2708aa378a5ff598d0a4b21b7527b2dbd271957fbbf04f5787076fb7f8afdfb75ddb5fa142ab427e026c87033fe2c6f22454ebace3f77646d0ee447cd1d339c9a21ce86c0b233c7fcbd6d1d165e14d57908777cde654b7fc3c3db7e62951b359ec71fe475356dc6a58b ++Ctrl.hexxcghash = hexxcghash:7af5885d52c4173000c45dd2b0fbeb21fa5722aa65eecb1bf977248a ++Ctrl.hexsession_id = hexsession_id:122e2d181cca7dcec6f30a8b027b4d29275d342af5fd82794b24560f ++Ctrl.type = type:F ++Output = 4e6edd5d86f0a3b92595fb2d4f0f9b0f0ed1e850c84014224270bcbc ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000001002dde91723fa969756f5a597683fa0ef938423ffcf3b3d0262f9ba0d69d72ffc3afbf2ccb9bbc42332f97d3857b44575e30849fe19e77688e9102d9909585d9e53835eee4127aee038deaf8501c70cfd209ef755f84613365d9b2150009f9055300b74c593f8204b84c7faaac87c781e7bdda8c54bf0ec170e4dbf71cd15825c949ebaa934797333124e63db50efe0f33f5224687c097b22d52de36045659622dd214effab378b6bff298c84436831f85540a5eac0b68d51fa1abd18d19ce5452aefe729b7d384e038927ee8f0c2ddffd1cb6ea537a90d9b06bce3bd01fdf4370d62d985ab80417d1256d38ab3874297163a020052b42e73e8ef64950851e7da2 ++Ctrl.hexxcghash = hexxcghash:590c8e3800ddfd382f0b3023c7a8753bd013e756855ffbca1dee0f01 ++Ctrl.hexsession_id = hexsession_id:5e4528c7ff85f2ed7d632c4355e2524438ee83ef0e1695524921408d ++Ctrl.type = type:A ++Output = d30b7efda77a1008d78487fb1c9df511 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000001002dde91723fa969756f5a597683fa0ef938423ffcf3b3d0262f9ba0d69d72ffc3afbf2ccb9bbc42332f97d3857b44575e30849fe19e77688e9102d9909585d9e53835eee4127aee038deaf8501c70cfd209ef755f84613365d9b2150009f9055300b74c593f8204b84c7faaac87c781e7bdda8c54bf0ec170e4dbf71cd15825c949ebaa934797333124e63db50efe0f33f5224687c097b22d52de36045659622dd214effab378b6bff298c84436831f85540a5eac0b68d51fa1abd18d19ce5452aefe729b7d384e038927ee8f0c2ddffd1cb6ea537a90d9b06bce3bd01fdf4370d62d985ab80417d1256d38ab3874297163a020052b42e73e8ef64950851e7da2 ++Ctrl.hexxcghash = hexxcghash:590c8e3800ddfd382f0b3023c7a8753bd013e756855ffbca1dee0f01 ++Ctrl.hexsession_id = hexsession_id:5e4528c7ff85f2ed7d632c4355e2524438ee83ef0e1695524921408d ++Ctrl.type = type:B ++Output = 498b3d9f14446a028d1aed8bc4748e34 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000001002dde91723fa969756f5a597683fa0ef938423ffcf3b3d0262f9ba0d69d72ffc3afbf2ccb9bbc42332f97d3857b44575e30849fe19e77688e9102d9909585d9e53835eee4127aee038deaf8501c70cfd209ef755f84613365d9b2150009f9055300b74c593f8204b84c7faaac87c781e7bdda8c54bf0ec170e4dbf71cd15825c949ebaa934797333124e63db50efe0f33f5224687c097b22d52de36045659622dd214effab378b6bff298c84436831f85540a5eac0b68d51fa1abd18d19ce5452aefe729b7d384e038927ee8f0c2ddffd1cb6ea537a90d9b06bce3bd01fdf4370d62d985ab80417d1256d38ab3874297163a020052b42e73e8ef64950851e7da2 ++Ctrl.hexxcghash = hexxcghash:590c8e3800ddfd382f0b3023c7a8753bd013e756855ffbca1dee0f01 ++Ctrl.hexsession_id = hexsession_id:5e4528c7ff85f2ed7d632c4355e2524438ee83ef0e1695524921408d ++Ctrl.type = type:C ++Output = f4909273c39ef8819b353cde80f57cc9 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000001002dde91723fa969756f5a597683fa0ef938423ffcf3b3d0262f9ba0d69d72ffc3afbf2ccb9bbc42332f97d3857b44575e30849fe19e77688e9102d9909585d9e53835eee4127aee038deaf8501c70cfd209ef755f84613365d9b2150009f9055300b74c593f8204b84c7faaac87c781e7bdda8c54bf0ec170e4dbf71cd15825c949ebaa934797333124e63db50efe0f33f5224687c097b22d52de36045659622dd214effab378b6bff298c84436831f85540a5eac0b68d51fa1abd18d19ce5452aefe729b7d384e038927ee8f0c2ddffd1cb6ea537a90d9b06bce3bd01fdf4370d62d985ab80417d1256d38ab3874297163a020052b42e73e8ef64950851e7da2 ++Ctrl.hexxcghash = hexxcghash:590c8e3800ddfd382f0b3023c7a8753bd013e756855ffbca1dee0f01 ++Ctrl.hexsession_id = hexsession_id:5e4528c7ff85f2ed7d632c4355e2524438ee83ef0e1695524921408d ++Ctrl.type = type:D ++Output = b31337a6ecd02f4beb9bf4af12ea4e11 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000001002dde91723fa969756f5a597683fa0ef938423ffcf3b3d0262f9ba0d69d72ffc3afbf2ccb9bbc42332f97d3857b44575e30849fe19e77688e9102d9909585d9e53835eee4127aee038deaf8501c70cfd209ef755f84613365d9b2150009f9055300b74c593f8204b84c7faaac87c781e7bdda8c54bf0ec170e4dbf71cd15825c949ebaa934797333124e63db50efe0f33f5224687c097b22d52de36045659622dd214effab378b6bff298c84436831f85540a5eac0b68d51fa1abd18d19ce5452aefe729b7d384e038927ee8f0c2ddffd1cb6ea537a90d9b06bce3bd01fdf4370d62d985ab80417d1256d38ab3874297163a020052b42e73e8ef64950851e7da2 ++Ctrl.hexxcghash = hexxcghash:590c8e3800ddfd382f0b3023c7a8753bd013e756855ffbca1dee0f01 ++Ctrl.hexsession_id = hexsession_id:5e4528c7ff85f2ed7d632c4355e2524438ee83ef0e1695524921408d ++Ctrl.type = type:E ++Output = 6f3da7bb4b64ad3e1171083a62eca5e755563e639594b848243760d8 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000001002dde91723fa969756f5a597683fa0ef938423ffcf3b3d0262f9ba0d69d72ffc3afbf2ccb9bbc42332f97d3857b44575e30849fe19e77688e9102d9909585d9e53835eee4127aee038deaf8501c70cfd209ef755f84613365d9b2150009f9055300b74c593f8204b84c7faaac87c781e7bdda8c54bf0ec170e4dbf71cd15825c949ebaa934797333124e63db50efe0f33f5224687c097b22d52de36045659622dd214effab378b6bff298c84436831f85540a5eac0b68d51fa1abd18d19ce5452aefe729b7d384e038927ee8f0c2ddffd1cb6ea537a90d9b06bce3bd01fdf4370d62d985ab80417d1256d38ab3874297163a020052b42e73e8ef64950851e7da2 ++Ctrl.hexxcghash = hexxcghash:590c8e3800ddfd382f0b3023c7a8753bd013e756855ffbca1dee0f01 ++Ctrl.hexsession_id = hexsession_id:5e4528c7ff85f2ed7d632c4355e2524438ee83ef0e1695524921408d ++Ctrl.type = type:F ++Output = e88506aa4a4ffa33675c4a296abf91e24450a496e56f8465e9a7525c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100be7e6428be4ff862e2b9fe69f055bbbeaa51b7666d51e1ad2e5fe12e2f7a171121147311780840e5d1345c6a24eb3e2d7bace8c88cddae9a062c7aacc7ae87d31ef7d4c52dc2e35f364266c9c34e1ff703a61a8fb39397344ac94e75a42fc956dcc887e50e67018d5a74c89c1a8555ebff4a4baf5b4916aea1dd95c126df390882143908821ecf68511e986bd379cf0871fe1a2679241b339f3317f76c65dc2b121e15a0b8891d9c0120b8a8a383a1dd5eb6fbd65d22a03b7987f843d454e4e1f09b9e2d37ef2be72b7f8accade301c772f74a582afab960dfa43a167275771f6a9be5a9f275cea55e9661a54b1c3210042f824fe783969fa60ad23b748a6b56 ++Ctrl.hexxcghash = hexxcghash:97e793420ceda1730dac88f0d7dc52d8713a79a0b48ddb2af45dd143 ++Ctrl.hexsession_id = hexsession_id:16dd0d6aca3757eec6e9dc3c4a5f590cb7911cd3cabc80815527b73c ++Ctrl.type = type:A ++Output = c5cbb653102d99457c33c88921b5dbe4 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100be7e6428be4ff862e2b9fe69f055bbbeaa51b7666d51e1ad2e5fe12e2f7a171121147311780840e5d1345c6a24eb3e2d7bace8c88cddae9a062c7aacc7ae87d31ef7d4c52dc2e35f364266c9c34e1ff703a61a8fb39397344ac94e75a42fc956dcc887e50e67018d5a74c89c1a8555ebff4a4baf5b4916aea1dd95c126df390882143908821ecf68511e986bd379cf0871fe1a2679241b339f3317f76c65dc2b121e15a0b8891d9c0120b8a8a383a1dd5eb6fbd65d22a03b7987f843d454e4e1f09b9e2d37ef2be72b7f8accade301c772f74a582afab960dfa43a167275771f6a9be5a9f275cea55e9661a54b1c3210042f824fe783969fa60ad23b748a6b56 ++Ctrl.hexxcghash = hexxcghash:97e793420ceda1730dac88f0d7dc52d8713a79a0b48ddb2af45dd143 ++Ctrl.hexsession_id = hexsession_id:16dd0d6aca3757eec6e9dc3c4a5f590cb7911cd3cabc80815527b73c ++Ctrl.type = type:B ++Output = dd9b1c786c7f739832629f7666e4e21e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100be7e6428be4ff862e2b9fe69f055bbbeaa51b7666d51e1ad2e5fe12e2f7a171121147311780840e5d1345c6a24eb3e2d7bace8c88cddae9a062c7aacc7ae87d31ef7d4c52dc2e35f364266c9c34e1ff703a61a8fb39397344ac94e75a42fc956dcc887e50e67018d5a74c89c1a8555ebff4a4baf5b4916aea1dd95c126df390882143908821ecf68511e986bd379cf0871fe1a2679241b339f3317f76c65dc2b121e15a0b8891d9c0120b8a8a383a1dd5eb6fbd65d22a03b7987f843d454e4e1f09b9e2d37ef2be72b7f8accade301c772f74a582afab960dfa43a167275771f6a9be5a9f275cea55e9661a54b1c3210042f824fe783969fa60ad23b748a6b56 ++Ctrl.hexxcghash = hexxcghash:97e793420ceda1730dac88f0d7dc52d8713a79a0b48ddb2af45dd143 ++Ctrl.hexsession_id = hexsession_id:16dd0d6aca3757eec6e9dc3c4a5f590cb7911cd3cabc80815527b73c ++Ctrl.type = type:C ++Output = c33d08d706ffac1811f157526b08086f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100be7e6428be4ff862e2b9fe69f055bbbeaa51b7666d51e1ad2e5fe12e2f7a171121147311780840e5d1345c6a24eb3e2d7bace8c88cddae9a062c7aacc7ae87d31ef7d4c52dc2e35f364266c9c34e1ff703a61a8fb39397344ac94e75a42fc956dcc887e50e67018d5a74c89c1a8555ebff4a4baf5b4916aea1dd95c126df390882143908821ecf68511e986bd379cf0871fe1a2679241b339f3317f76c65dc2b121e15a0b8891d9c0120b8a8a383a1dd5eb6fbd65d22a03b7987f843d454e4e1f09b9e2d37ef2be72b7f8accade301c772f74a582afab960dfa43a167275771f6a9be5a9f275cea55e9661a54b1c3210042f824fe783969fa60ad23b748a6b56 ++Ctrl.hexxcghash = hexxcghash:97e793420ceda1730dac88f0d7dc52d8713a79a0b48ddb2af45dd143 ++Ctrl.hexsession_id = hexsession_id:16dd0d6aca3757eec6e9dc3c4a5f590cb7911cd3cabc80815527b73c ++Ctrl.type = type:D ++Output = 5750b617b71a239d99fc412796f6d986 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100be7e6428be4ff862e2b9fe69f055bbbeaa51b7666d51e1ad2e5fe12e2f7a171121147311780840e5d1345c6a24eb3e2d7bace8c88cddae9a062c7aacc7ae87d31ef7d4c52dc2e35f364266c9c34e1ff703a61a8fb39397344ac94e75a42fc956dcc887e50e67018d5a74c89c1a8555ebff4a4baf5b4916aea1dd95c126df390882143908821ecf68511e986bd379cf0871fe1a2679241b339f3317f76c65dc2b121e15a0b8891d9c0120b8a8a383a1dd5eb6fbd65d22a03b7987f843d454e4e1f09b9e2d37ef2be72b7f8accade301c772f74a582afab960dfa43a167275771f6a9be5a9f275cea55e9661a54b1c3210042f824fe783969fa60ad23b748a6b56 ++Ctrl.hexxcghash = hexxcghash:97e793420ceda1730dac88f0d7dc52d8713a79a0b48ddb2af45dd143 ++Ctrl.hexsession_id = hexsession_id:16dd0d6aca3757eec6e9dc3c4a5f590cb7911cd3cabc80815527b73c ++Ctrl.type = type:E ++Output = 4c2edee4688119e17723fede94d81c141cb2dd632dde5e223fcd12c2 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100be7e6428be4ff862e2b9fe69f055bbbeaa51b7666d51e1ad2e5fe12e2f7a171121147311780840e5d1345c6a24eb3e2d7bace8c88cddae9a062c7aacc7ae87d31ef7d4c52dc2e35f364266c9c34e1ff703a61a8fb39397344ac94e75a42fc956dcc887e50e67018d5a74c89c1a8555ebff4a4baf5b4916aea1dd95c126df390882143908821ecf68511e986bd379cf0871fe1a2679241b339f3317f76c65dc2b121e15a0b8891d9c0120b8a8a383a1dd5eb6fbd65d22a03b7987f843d454e4e1f09b9e2d37ef2be72b7f8accade301c772f74a582afab960dfa43a167275771f6a9be5a9f275cea55e9661a54b1c3210042f824fe783969fa60ad23b748a6b56 ++Ctrl.hexxcghash = hexxcghash:97e793420ceda1730dac88f0d7dc52d8713a79a0b48ddb2af45dd143 ++Ctrl.hexsession_id = hexsession_id:16dd0d6aca3757eec6e9dc3c4a5f590cb7911cd3cabc80815527b73c ++Ctrl.type = type:F ++Output = b48103cd81397bed3bf618b2ef30a44ea806b0ad07aa098a8a33273e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100c810e36b6ae23b2dac234f36b4ddfe820762b53478eaea205cdab848c384f2c5fe262bc471971ff42a1ff8fdfff81cdc66371a75e9fda5d7d0bd656523603255c3e0970435f995948ec98d87942cefe2194e475a507e2928e0cfbba63962c75794aa53e8a385a5d1599d88dd1684a827914da576f9e06caaecc586bb98425621a5afaf86003cabe86fcd3964a390f47302bbbee8536f24024c5c31f031e80e6bcf2a3e24d4f0b6bd42250996f12a8a5c99b09a42a737e3cbf481e002c334fe3b7626419266e0036339b1592d3bf43245c449a65e43946e60112c1f8aff8963ff56e365c6f56c36b2208eadf591360554d2b116d3374341bd5779ebcdf7ba93de ++Ctrl.hexxcghash = hexxcghash:f8a7854ec21f252f679b924f0f3d34639fe976de146ddb8e93c4e4d9 ++Ctrl.hexsession_id = hexsession_id:6bebea19564c0f65dd96446496f7d7c7198a5b08bcdacf29449808ba ++Ctrl.type = type:A ++Output = c8bc1d232edd620e0282af630d596a6c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100c810e36b6ae23b2dac234f36b4ddfe820762b53478eaea205cdab848c384f2c5fe262bc471971ff42a1ff8fdfff81cdc66371a75e9fda5d7d0bd656523603255c3e0970435f995948ec98d87942cefe2194e475a507e2928e0cfbba63962c75794aa53e8a385a5d1599d88dd1684a827914da576f9e06caaecc586bb98425621a5afaf86003cabe86fcd3964a390f47302bbbee8536f24024c5c31f031e80e6bcf2a3e24d4f0b6bd42250996f12a8a5c99b09a42a737e3cbf481e002c334fe3b7626419266e0036339b1592d3bf43245c449a65e43946e60112c1f8aff8963ff56e365c6f56c36b2208eadf591360554d2b116d3374341bd5779ebcdf7ba93de ++Ctrl.hexxcghash = hexxcghash:f8a7854ec21f252f679b924f0f3d34639fe976de146ddb8e93c4e4d9 ++Ctrl.hexsession_id = hexsession_id:6bebea19564c0f65dd96446496f7d7c7198a5b08bcdacf29449808ba ++Ctrl.type = type:B ++Output = 6a90269aab1a3e3612eec97a45db11e1 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100c810e36b6ae23b2dac234f36b4ddfe820762b53478eaea205cdab848c384f2c5fe262bc471971ff42a1ff8fdfff81cdc66371a75e9fda5d7d0bd656523603255c3e0970435f995948ec98d87942cefe2194e475a507e2928e0cfbba63962c75794aa53e8a385a5d1599d88dd1684a827914da576f9e06caaecc586bb98425621a5afaf86003cabe86fcd3964a390f47302bbbee8536f24024c5c31f031e80e6bcf2a3e24d4f0b6bd42250996f12a8a5c99b09a42a737e3cbf481e002c334fe3b7626419266e0036339b1592d3bf43245c449a65e43946e60112c1f8aff8963ff56e365c6f56c36b2208eadf591360554d2b116d3374341bd5779ebcdf7ba93de ++Ctrl.hexxcghash = hexxcghash:f8a7854ec21f252f679b924f0f3d34639fe976de146ddb8e93c4e4d9 ++Ctrl.hexsession_id = hexsession_id:6bebea19564c0f65dd96446496f7d7c7198a5b08bcdacf29449808ba ++Ctrl.type = type:C ++Output = ebb8a6227e789d33fa072355cb2851ac ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100c810e36b6ae23b2dac234f36b4ddfe820762b53478eaea205cdab848c384f2c5fe262bc471971ff42a1ff8fdfff81cdc66371a75e9fda5d7d0bd656523603255c3e0970435f995948ec98d87942cefe2194e475a507e2928e0cfbba63962c75794aa53e8a385a5d1599d88dd1684a827914da576f9e06caaecc586bb98425621a5afaf86003cabe86fcd3964a390f47302bbbee8536f24024c5c31f031e80e6bcf2a3e24d4f0b6bd42250996f12a8a5c99b09a42a737e3cbf481e002c334fe3b7626419266e0036339b1592d3bf43245c449a65e43946e60112c1f8aff8963ff56e365c6f56c36b2208eadf591360554d2b116d3374341bd5779ebcdf7ba93de ++Ctrl.hexxcghash = hexxcghash:f8a7854ec21f252f679b924f0f3d34639fe976de146ddb8e93c4e4d9 ++Ctrl.hexsession_id = hexsession_id:6bebea19564c0f65dd96446496f7d7c7198a5b08bcdacf29449808ba ++Ctrl.type = type:D ++Output = 9662ff73b11bd2978ffceb7545f6054e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100c810e36b6ae23b2dac234f36b4ddfe820762b53478eaea205cdab848c384f2c5fe262bc471971ff42a1ff8fdfff81cdc66371a75e9fda5d7d0bd656523603255c3e0970435f995948ec98d87942cefe2194e475a507e2928e0cfbba63962c75794aa53e8a385a5d1599d88dd1684a827914da576f9e06caaecc586bb98425621a5afaf86003cabe86fcd3964a390f47302bbbee8536f24024c5c31f031e80e6bcf2a3e24d4f0b6bd42250996f12a8a5c99b09a42a737e3cbf481e002c334fe3b7626419266e0036339b1592d3bf43245c449a65e43946e60112c1f8aff8963ff56e365c6f56c36b2208eadf591360554d2b116d3374341bd5779ebcdf7ba93de ++Ctrl.hexxcghash = hexxcghash:f8a7854ec21f252f679b924f0f3d34639fe976de146ddb8e93c4e4d9 ++Ctrl.hexsession_id = hexsession_id:6bebea19564c0f65dd96446496f7d7c7198a5b08bcdacf29449808ba ++Ctrl.type = type:E ++Output = 9eb35f9a8a6155b81b8dda117f5d631cc4eddea4b4912147513bc4ec ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100c810e36b6ae23b2dac234f36b4ddfe820762b53478eaea205cdab848c384f2c5fe262bc471971ff42a1ff8fdfff81cdc66371a75e9fda5d7d0bd656523603255c3e0970435f995948ec98d87942cefe2194e475a507e2928e0cfbba63962c75794aa53e8a385a5d1599d88dd1684a827914da576f9e06caaecc586bb98425621a5afaf86003cabe86fcd3964a390f47302bbbee8536f24024c5c31f031e80e6bcf2a3e24d4f0b6bd42250996f12a8a5c99b09a42a737e3cbf481e002c334fe3b7626419266e0036339b1592d3bf43245c449a65e43946e60112c1f8aff8963ff56e365c6f56c36b2208eadf591360554d2b116d3374341bd5779ebcdf7ba93de ++Ctrl.hexxcghash = hexxcghash:f8a7854ec21f252f679b924f0f3d34639fe976de146ddb8e93c4e4d9 ++Ctrl.hexsession_id = hexsession_id:6bebea19564c0f65dd96446496f7d7c7198a5b08bcdacf29449808ba ++Ctrl.type = type:F ++Output = 3e137e015973e21c37a8de81cc812683d506fc35699114b31c06797e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100940a3535b876a90210236f8571e20cb04d287ae7217b95d75c4170e8afea4d290bc41e736cdd1b470b02ce8b74ca4cdaa121bbb3b31df3f2c847455ef21b61e0c966bdb8cf58fb94819108c7feb9551c5dcacc37fec5fe4e9a59818e93ed08f3477632c62304fb2ba05f7fa8611970adb39379ab7159baa3731fb1fceba201a1858635b92d938b195a44612ffddac3f2b5db59b47c9f90b66e76b3e901887b27312e1043b000b5ff21d4fff4b5fc06203403387fe28837c4d367dbe2c73e1ec5c4e867cc99dca2bf8171aad1498b37bf0d17e5fd64e411386df72667d824e4514530cf6021ca8880154212884f5fdb44a0c8745a4049971de370eb31c959dac4 ++Ctrl.hexxcghash = hexxcghash:4688aa9bceb36ddab933675e6963357b2bd0daa5e1984a06fc7f3ff3 ++Ctrl.hexsession_id = hexsession_id:fb72bca26e61577066d7c5093ac9281fcf06ae3250b43228b067b86e ++Ctrl.type = type:A ++Output = cc22a730c15abf9628f749fac9d3f935 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100940a3535b876a90210236f8571e20cb04d287ae7217b95d75c4170e8afea4d290bc41e736cdd1b470b02ce8b74ca4cdaa121bbb3b31df3f2c847455ef21b61e0c966bdb8cf58fb94819108c7feb9551c5dcacc37fec5fe4e9a59818e93ed08f3477632c62304fb2ba05f7fa8611970adb39379ab7159baa3731fb1fceba201a1858635b92d938b195a44612ffddac3f2b5db59b47c9f90b66e76b3e901887b27312e1043b000b5ff21d4fff4b5fc06203403387fe28837c4d367dbe2c73e1ec5c4e867cc99dca2bf8171aad1498b37bf0d17e5fd64e411386df72667d824e4514530cf6021ca8880154212884f5fdb44a0c8745a4049971de370eb31c959dac4 ++Ctrl.hexxcghash = hexxcghash:4688aa9bceb36ddab933675e6963357b2bd0daa5e1984a06fc7f3ff3 ++Ctrl.hexsession_id = hexsession_id:fb72bca26e61577066d7c5093ac9281fcf06ae3250b43228b067b86e ++Ctrl.type = type:B ++Output = 188c477061a597384b1d1e417dc04f7d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100940a3535b876a90210236f8571e20cb04d287ae7217b95d75c4170e8afea4d290bc41e736cdd1b470b02ce8b74ca4cdaa121bbb3b31df3f2c847455ef21b61e0c966bdb8cf58fb94819108c7feb9551c5dcacc37fec5fe4e9a59818e93ed08f3477632c62304fb2ba05f7fa8611970adb39379ab7159baa3731fb1fceba201a1858635b92d938b195a44612ffddac3f2b5db59b47c9f90b66e76b3e901887b27312e1043b000b5ff21d4fff4b5fc06203403387fe28837c4d367dbe2c73e1ec5c4e867cc99dca2bf8171aad1498b37bf0d17e5fd64e411386df72667d824e4514530cf6021ca8880154212884f5fdb44a0c8745a4049971de370eb31c959dac4 ++Ctrl.hexxcghash = hexxcghash:4688aa9bceb36ddab933675e6963357b2bd0daa5e1984a06fc7f3ff3 ++Ctrl.hexsession_id = hexsession_id:fb72bca26e61577066d7c5093ac9281fcf06ae3250b43228b067b86e ++Ctrl.type = type:C ++Output = b309760dd9f0d65c6edcdee3a3457c33 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100940a3535b876a90210236f8571e20cb04d287ae7217b95d75c4170e8afea4d290bc41e736cdd1b470b02ce8b74ca4cdaa121bbb3b31df3f2c847455ef21b61e0c966bdb8cf58fb94819108c7feb9551c5dcacc37fec5fe4e9a59818e93ed08f3477632c62304fb2ba05f7fa8611970adb39379ab7159baa3731fb1fceba201a1858635b92d938b195a44612ffddac3f2b5db59b47c9f90b66e76b3e901887b27312e1043b000b5ff21d4fff4b5fc06203403387fe28837c4d367dbe2c73e1ec5c4e867cc99dca2bf8171aad1498b37bf0d17e5fd64e411386df72667d824e4514530cf6021ca8880154212884f5fdb44a0c8745a4049971de370eb31c959dac4 ++Ctrl.hexxcghash = hexxcghash:4688aa9bceb36ddab933675e6963357b2bd0daa5e1984a06fc7f3ff3 ++Ctrl.hexsession_id = hexsession_id:fb72bca26e61577066d7c5093ac9281fcf06ae3250b43228b067b86e ++Ctrl.type = type:D ++Output = 1b8674f603a78f16fb979d6db70f6795 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100940a3535b876a90210236f8571e20cb04d287ae7217b95d75c4170e8afea4d290bc41e736cdd1b470b02ce8b74ca4cdaa121bbb3b31df3f2c847455ef21b61e0c966bdb8cf58fb94819108c7feb9551c5dcacc37fec5fe4e9a59818e93ed08f3477632c62304fb2ba05f7fa8611970adb39379ab7159baa3731fb1fceba201a1858635b92d938b195a44612ffddac3f2b5db59b47c9f90b66e76b3e901887b27312e1043b000b5ff21d4fff4b5fc06203403387fe28837c4d367dbe2c73e1ec5c4e867cc99dca2bf8171aad1498b37bf0d17e5fd64e411386df72667d824e4514530cf6021ca8880154212884f5fdb44a0c8745a4049971de370eb31c959dac4 ++Ctrl.hexxcghash = hexxcghash:4688aa9bceb36ddab933675e6963357b2bd0daa5e1984a06fc7f3ff3 ++Ctrl.hexsession_id = hexsession_id:fb72bca26e61577066d7c5093ac9281fcf06ae3250b43228b067b86e ++Ctrl.type = type:E ++Output = d881ac0cf62ecff2eb7d3c8284cfd4b95e003c435f6a3121ab0c65b0 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100940a3535b876a90210236f8571e20cb04d287ae7217b95d75c4170e8afea4d290bc41e736cdd1b470b02ce8b74ca4cdaa121bbb3b31df3f2c847455ef21b61e0c966bdb8cf58fb94819108c7feb9551c5dcacc37fec5fe4e9a59818e93ed08f3477632c62304fb2ba05f7fa8611970adb39379ab7159baa3731fb1fceba201a1858635b92d938b195a44612ffddac3f2b5db59b47c9f90b66e76b3e901887b27312e1043b000b5ff21d4fff4b5fc06203403387fe28837c4d367dbe2c73e1ec5c4e867cc99dca2bf8171aad1498b37bf0d17e5fd64e411386df72667d824e4514530cf6021ca8880154212884f5fdb44a0c8745a4049971de370eb31c959dac4 ++Ctrl.hexxcghash = hexxcghash:4688aa9bceb36ddab933675e6963357b2bd0daa5e1984a06fc7f3ff3 ++Ctrl.hexsession_id = hexsession_id:fb72bca26e61577066d7c5093ac9281fcf06ae3250b43228b067b86e ++Ctrl.type = type:F ++Output = 9a7560e7976c7fb0153fc94e51a7dead3b7f8954d1efa7ed6be77858 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000001004b9f55f17de634edb39218b30f224ae8ec64edd6e0c49dd00a52ac11e0a4089ccff931838ce5c02f449ffe33c14fd0a9f11da7d783787a03defc7931ce638a31aa11ddc4351e54480bea637857cae6cf30e03d392737fe2b3f234115903ab43f97d4fdb49fb987650610d9a0ca51b70839d0fc9980de371acc78ac6eaf5f5ac5008eec0f5aedd0f95496f27d2858477fc54d3113fe7884047596d5705d1dd974875872fc7c9111bdc5da73b317331c543f60687fc1ecb3f3853787a64fd94335b570a99fe2544acde49f99b96ef473dbcb16315b9e7ee8c3a20feb36636c1fa39567c2efd2b7827e38ab31607f6a3cff1fc7edf8612380e4af93c620bcd6ac36 ++Ctrl.hexxcghash = hexxcghash:0d18d069225d0db81b8bb979635dc9e89999a74ad6b02022189150fd ++Ctrl.hexsession_id = hexsession_id:1f42aa7a240d8b412fc26bd18f85ebefe59641d19a1e5e3681560a2c ++Ctrl.type = type:A ++Output = b842e2900a8c1f7d7c3fa465d46142fa ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000001004b9f55f17de634edb39218b30f224ae8ec64edd6e0c49dd00a52ac11e0a4089ccff931838ce5c02f449ffe33c14fd0a9f11da7d783787a03defc7931ce638a31aa11ddc4351e54480bea637857cae6cf30e03d392737fe2b3f234115903ab43f97d4fdb49fb987650610d9a0ca51b70839d0fc9980de371acc78ac6eaf5f5ac5008eec0f5aedd0f95496f27d2858477fc54d3113fe7884047596d5705d1dd974875872fc7c9111bdc5da73b317331c543f60687fc1ecb3f3853787a64fd94335b570a99fe2544acde49f99b96ef473dbcb16315b9e7ee8c3a20feb36636c1fa39567c2efd2b7827e38ab31607f6a3cff1fc7edf8612380e4af93c620bcd6ac36 ++Ctrl.hexxcghash = hexxcghash:0d18d069225d0db81b8bb979635dc9e89999a74ad6b02022189150fd ++Ctrl.hexsession_id = hexsession_id:1f42aa7a240d8b412fc26bd18f85ebefe59641d19a1e5e3681560a2c ++Ctrl.type = type:B ++Output = 5e96f771c176fafd18d4aa0bc07dc5d5 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000001004b9f55f17de634edb39218b30f224ae8ec64edd6e0c49dd00a52ac11e0a4089ccff931838ce5c02f449ffe33c14fd0a9f11da7d783787a03defc7931ce638a31aa11ddc4351e54480bea637857cae6cf30e03d392737fe2b3f234115903ab43f97d4fdb49fb987650610d9a0ca51b70839d0fc9980de371acc78ac6eaf5f5ac5008eec0f5aedd0f95496f27d2858477fc54d3113fe7884047596d5705d1dd974875872fc7c9111bdc5da73b317331c543f60687fc1ecb3f3853787a64fd94335b570a99fe2544acde49f99b96ef473dbcb16315b9e7ee8c3a20feb36636c1fa39567c2efd2b7827e38ab31607f6a3cff1fc7edf8612380e4af93c620bcd6ac36 ++Ctrl.hexxcghash = hexxcghash:0d18d069225d0db81b8bb979635dc9e89999a74ad6b02022189150fd ++Ctrl.hexsession_id = hexsession_id:1f42aa7a240d8b412fc26bd18f85ebefe59641d19a1e5e3681560a2c ++Ctrl.type = type:C ++Output = fe5fca0a03e6f8ac95ba4e882c64fb8c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000001004b9f55f17de634edb39218b30f224ae8ec64edd6e0c49dd00a52ac11e0a4089ccff931838ce5c02f449ffe33c14fd0a9f11da7d783787a03defc7931ce638a31aa11ddc4351e54480bea637857cae6cf30e03d392737fe2b3f234115903ab43f97d4fdb49fb987650610d9a0ca51b70839d0fc9980de371acc78ac6eaf5f5ac5008eec0f5aedd0f95496f27d2858477fc54d3113fe7884047596d5705d1dd974875872fc7c9111bdc5da73b317331c543f60687fc1ecb3f3853787a64fd94335b570a99fe2544acde49f99b96ef473dbcb16315b9e7ee8c3a20feb36636c1fa39567c2efd2b7827e38ab31607f6a3cff1fc7edf8612380e4af93c620bcd6ac36 ++Ctrl.hexxcghash = hexxcghash:0d18d069225d0db81b8bb979635dc9e89999a74ad6b02022189150fd ++Ctrl.hexsession_id = hexsession_id:1f42aa7a240d8b412fc26bd18f85ebefe59641d19a1e5e3681560a2c ++Ctrl.type = type:D ++Output = b952b4e6f2010ebdac7ee10adb90f9ef ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000001004b9f55f17de634edb39218b30f224ae8ec64edd6e0c49dd00a52ac11e0a4089ccff931838ce5c02f449ffe33c14fd0a9f11da7d783787a03defc7931ce638a31aa11ddc4351e54480bea637857cae6cf30e03d392737fe2b3f234115903ab43f97d4fdb49fb987650610d9a0ca51b70839d0fc9980de371acc78ac6eaf5f5ac5008eec0f5aedd0f95496f27d2858477fc54d3113fe7884047596d5705d1dd974875872fc7c9111bdc5da73b317331c543f60687fc1ecb3f3853787a64fd94335b570a99fe2544acde49f99b96ef473dbcb16315b9e7ee8c3a20feb36636c1fa39567c2efd2b7827e38ab31607f6a3cff1fc7edf8612380e4af93c620bcd6ac36 ++Ctrl.hexxcghash = hexxcghash:0d18d069225d0db81b8bb979635dc9e89999a74ad6b02022189150fd ++Ctrl.hexsession_id = hexsession_id:1f42aa7a240d8b412fc26bd18f85ebefe59641d19a1e5e3681560a2c ++Ctrl.type = type:E ++Output = 819db930507c1f8e1617dc74e78de9f4abb02b7089d764cb20d14c56 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:000001004b9f55f17de634edb39218b30f224ae8ec64edd6e0c49dd00a52ac11e0a4089ccff931838ce5c02f449ffe33c14fd0a9f11da7d783787a03defc7931ce638a31aa11ddc4351e54480bea637857cae6cf30e03d392737fe2b3f234115903ab43f97d4fdb49fb987650610d9a0ca51b70839d0fc9980de371acc78ac6eaf5f5ac5008eec0f5aedd0f95496f27d2858477fc54d3113fe7884047596d5705d1dd974875872fc7c9111bdc5da73b317331c543f60687fc1ecb3f3853787a64fd94335b570a99fe2544acde49f99b96ef473dbcb16315b9e7ee8c3a20feb36636c1fa39567c2efd2b7827e38ab31607f6a3cff1fc7edf8612380e4af93c620bcd6ac36 ++Ctrl.hexxcghash = hexxcghash:0d18d069225d0db81b8bb979635dc9e89999a74ad6b02022189150fd ++Ctrl.hexsession_id = hexsession_id:1f42aa7a240d8b412fc26bd18f85ebefe59641d19a1e5e3681560a2c ++Ctrl.type = type:F ++Output = 79be1ec6ce722e98bca50a25bbca581318b6227c9fd346d67602958f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100a0216e73007c1b53dba18acb5592ea68ab7719d9fd2f24af3e2968024933a5e68fcb1aa8b187f42972815f12d5f995c15d2d3eab84cfb869db413dcb328d045df23646e65179a53e3cbe1babcd6e6a5e300e33be1f5ed5d7eb1661a0ae6d8e6dd8f156eed726b30df6b9eee7e9457189b140de7671a1c7790938617e1bc95b8ee8bb9229f98be158a569bcb799869c445484d30d6019db44d97dcfd9b47f5a36418e3d5ec88037c172104d44ac6e770cbec415fbfce8ac9257074ca5fe003a4836001c8331f1845c1069d0610a62378e1c32ae512ffa22032f28245ee7ae957348a484bef3d295463b293975d787d45c480903f3eb35dcfd140161606f270177 ++Ctrl.hexxcghash = hexxcghash:0f85b7ee92fe1a95c0aa0103f10092f04ba613a37e118f8fbb43e308 ++Ctrl.hexsession_id = hexsession_id:25d9a92c96b98ecc31e6aca945899e93607848caf2c332efc03f9a0c ++Ctrl.type = type:A ++Output = 4d40be7041ac4c74d56d53855fead94f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100a0216e73007c1b53dba18acb5592ea68ab7719d9fd2f24af3e2968024933a5e68fcb1aa8b187f42972815f12d5f995c15d2d3eab84cfb869db413dcb328d045df23646e65179a53e3cbe1babcd6e6a5e300e33be1f5ed5d7eb1661a0ae6d8e6dd8f156eed726b30df6b9eee7e9457189b140de7671a1c7790938617e1bc95b8ee8bb9229f98be158a569bcb799869c445484d30d6019db44d97dcfd9b47f5a36418e3d5ec88037c172104d44ac6e770cbec415fbfce8ac9257074ca5fe003a4836001c8331f1845c1069d0610a62378e1c32ae512ffa22032f28245ee7ae957348a484bef3d295463b293975d787d45c480903f3eb35dcfd140161606f270177 ++Ctrl.hexxcghash = hexxcghash:0f85b7ee92fe1a95c0aa0103f10092f04ba613a37e118f8fbb43e308 ++Ctrl.hexsession_id = hexsession_id:25d9a92c96b98ecc31e6aca945899e93607848caf2c332efc03f9a0c ++Ctrl.type = type:B ++Output = 501781a04c919226a9e2dd6d7a880568 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100a0216e73007c1b53dba18acb5592ea68ab7719d9fd2f24af3e2968024933a5e68fcb1aa8b187f42972815f12d5f995c15d2d3eab84cfb869db413dcb328d045df23646e65179a53e3cbe1babcd6e6a5e300e33be1f5ed5d7eb1661a0ae6d8e6dd8f156eed726b30df6b9eee7e9457189b140de7671a1c7790938617e1bc95b8ee8bb9229f98be158a569bcb799869c445484d30d6019db44d97dcfd9b47f5a36418e3d5ec88037c172104d44ac6e770cbec415fbfce8ac9257074ca5fe003a4836001c8331f1845c1069d0610a62378e1c32ae512ffa22032f28245ee7ae957348a484bef3d295463b293975d787d45c480903f3eb35dcfd140161606f270177 ++Ctrl.hexxcghash = hexxcghash:0f85b7ee92fe1a95c0aa0103f10092f04ba613a37e118f8fbb43e308 ++Ctrl.hexsession_id = hexsession_id:25d9a92c96b98ecc31e6aca945899e93607848caf2c332efc03f9a0c ++Ctrl.type = type:C ++Output = fe183f0e31d4bf9ebc9364e19e422385 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100a0216e73007c1b53dba18acb5592ea68ab7719d9fd2f24af3e2968024933a5e68fcb1aa8b187f42972815f12d5f995c15d2d3eab84cfb869db413dcb328d045df23646e65179a53e3cbe1babcd6e6a5e300e33be1f5ed5d7eb1661a0ae6d8e6dd8f156eed726b30df6b9eee7e9457189b140de7671a1c7790938617e1bc95b8ee8bb9229f98be158a569bcb799869c445484d30d6019db44d97dcfd9b47f5a36418e3d5ec88037c172104d44ac6e770cbec415fbfce8ac9257074ca5fe003a4836001c8331f1845c1069d0610a62378e1c32ae512ffa22032f28245ee7ae957348a484bef3d295463b293975d787d45c480903f3eb35dcfd140161606f270177 ++Ctrl.hexxcghash = hexxcghash:0f85b7ee92fe1a95c0aa0103f10092f04ba613a37e118f8fbb43e308 ++Ctrl.hexsession_id = hexsession_id:25d9a92c96b98ecc31e6aca945899e93607848caf2c332efc03f9a0c ++Ctrl.type = type:D ++Output = f12c0da703e5bedb2921a0e1795eb62f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100a0216e73007c1b53dba18acb5592ea68ab7719d9fd2f24af3e2968024933a5e68fcb1aa8b187f42972815f12d5f995c15d2d3eab84cfb869db413dcb328d045df23646e65179a53e3cbe1babcd6e6a5e300e33be1f5ed5d7eb1661a0ae6d8e6dd8f156eed726b30df6b9eee7e9457189b140de7671a1c7790938617e1bc95b8ee8bb9229f98be158a569bcb799869c445484d30d6019db44d97dcfd9b47f5a36418e3d5ec88037c172104d44ac6e770cbec415fbfce8ac9257074ca5fe003a4836001c8331f1845c1069d0610a62378e1c32ae512ffa22032f28245ee7ae957348a484bef3d295463b293975d787d45c480903f3eb35dcfd140161606f270177 ++Ctrl.hexxcghash = hexxcghash:0f85b7ee92fe1a95c0aa0103f10092f04ba613a37e118f8fbb43e308 ++Ctrl.hexsession_id = hexsession_id:25d9a92c96b98ecc31e6aca945899e93607848caf2c332efc03f9a0c ++Ctrl.type = type:E ++Output = 1d34b1ae23af48c25db971fe0f95c2fdb4e269ca435b90e0e22ee720 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA224 ++Ctrl.hexkey = hexkey:0000010100a0216e73007c1b53dba18acb5592ea68ab7719d9fd2f24af3e2968024933a5e68fcb1aa8b187f42972815f12d5f995c15d2d3eab84cfb869db413dcb328d045df23646e65179a53e3cbe1babcd6e6a5e300e33be1f5ed5d7eb1661a0ae6d8e6dd8f156eed726b30df6b9eee7e9457189b140de7671a1c7790938617e1bc95b8ee8bb9229f98be158a569bcb799869c445484d30d6019db44d97dcfd9b47f5a36418e3d5ec88037c172104d44ac6e770cbec415fbfce8ac9257074ca5fe003a4836001c8331f1845c1069d0610a62378e1c32ae512ffa22032f28245ee7ae957348a484bef3d295463b293975d787d45c480903f3eb35dcfd140161606f270177 ++Ctrl.hexxcghash = hexxcghash:0f85b7ee92fe1a95c0aa0103f10092f04ba613a37e118f8fbb43e308 ++Ctrl.hexsession_id = hexsession_id:25d9a92c96b98ecc31e6aca945899e93607848caf2c332efc03f9a0c ++Ctrl.type = type:F ++Output = b77dce4e2211c8e2b4fba841ba45d7f136323999ed9a4d306fa411a8 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100875c551cef526a4a8be1a7df27e9ed354bac9afb71f53dbae905679d14f9faf2469c53457cf80a366be278965ba6255276ca2d9f4a97d271f71e50d8a9ec46253a6a906ac2c5e4f48b27a63ce08d80390a492aa43bad9d882ccac23dac88bcada4b4d426a362083dab6569c54c224dd2d87643aa227693e141ad1630ce13144e ++Ctrl.hexxcghash = hexxcghash:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642 ++Ctrl.hexsession_id = hexsession_id:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642 ++Ctrl.type = type:A ++Output = 41ff2ead1683f1e6 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100875c551cef526a4a8be1a7df27e9ed354bac9afb71f53dbae905679d14f9faf2469c53457cf80a366be278965ba6255276ca2d9f4a97d271f71e50d8a9ec46253a6a906ac2c5e4f48b27a63ce08d80390a492aa43bad9d882ccac23dac88bcada4b4d426a362083dab6569c54c224dd2d87643aa227693e141ad1630ce13144e ++Ctrl.hexxcghash = hexxcghash:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642 ++Ctrl.hexsession_id = hexsession_id:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642 ++Ctrl.type = type:B ++Output = e619ecfd9edb50cd ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100875c551cef526a4a8be1a7df27e9ed354bac9afb71f53dbae905679d14f9faf2469c53457cf80a366be278965ba6255276ca2d9f4a97d271f71e50d8a9ec46253a6a906ac2c5e4f48b27a63ce08d80390a492aa43bad9d882ccac23dac88bcada4b4d426a362083dab6569c54c224dd2d87643aa227693e141ad1630ce13144e ++Ctrl.hexxcghash = hexxcghash:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642 ++Ctrl.hexsession_id = hexsession_id:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642 ++Ctrl.type = type:C ++Output = 4a6314d2f7511bf88fad39fb6892f3f218cafd530e72fe43 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100875c551cef526a4a8be1a7df27e9ed354bac9afb71f53dbae905679d14f9faf2469c53457cf80a366be278965ba6255276ca2d9f4a97d271f71e50d8a9ec46253a6a906ac2c5e4f48b27a63ce08d80390a492aa43bad9d882ccac23dac88bcada4b4d426a362083dab6569c54c224dd2d87643aa227693e141ad1630ce13144e ++Ctrl.hexxcghash = hexxcghash:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642 ++Ctrl.hexsession_id = hexsession_id:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642 ++Ctrl.type = type:D ++Output = 084c15fb7f99c65ff134eeb407cee5d540c341dea45a42a5 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100875c551cef526a4a8be1a7df27e9ed354bac9afb71f53dbae905679d14f9faf2469c53457cf80a366be278965ba6255276ca2d9f4a97d271f71e50d8a9ec46253a6a906ac2c5e4f48b27a63ce08d80390a492aa43bad9d882ccac23dac88bcada4b4d426a362083dab6569c54c224dd2d87643aa227693e141ad1630ce13144e ++Ctrl.hexxcghash = hexxcghash:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642 ++Ctrl.hexsession_id = hexsession_id:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642 ++Ctrl.type = type:E ++Output = 41ec5a94fecce7707ea156a6ad29239a891621adacbedb8be70675008d6f9274 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100875c551cef526a4a8be1a7df27e9ed354bac9afb71f53dbae905679d14f9faf2469c53457cf80a366be278965ba6255276ca2d9f4a97d271f71e50d8a9ec46253a6a906ac2c5e4f48b27a63ce08d80390a492aa43bad9d882ccac23dac88bcada4b4d426a362083dab6569c54c224dd2d87643aa227693e141ad1630ce13144e ++Ctrl.hexxcghash = hexxcghash:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642 ++Ctrl.hexsession_id = hexsession_id:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642 ++Ctrl.type = type:F ++Output = 47d3c20aba60981e47b30533623613ff1cacbcf1642fb4ad86ee712f2aed9af8 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000000800faa172b8c287e372bb236ad34c733695c13d77f882adc0f47e5a7f6a3de07efb101207aa5d665b619826f756591f65310bbd2c92c9384e6c6a67b42dec382fdb24c591d79ff5e47737b0f5b8479694c3adc19401704912bbfec2704d4d5bebbfc1a7fc796e277634e40851851a187ec2d37ed3f351c4596a5a0892916b4c55f ++Ctrl.hexxcghash = hexxcghash:a347f5f1e191c35f212c9324d5867efdf83026be62c2b16ae006edb3378d4006 ++Ctrl.hexsession_id = hexsession_id:90befcef3ff8f920674a9fab94198cf3fd9dca24a21d3c9dba394daafbc621ed ++Ctrl.type = type:A ++Output = 99bae6531508705f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000000800faa172b8c287e372bb236ad34c733695c13d77f882adc0f47e5a7f6a3de07efb101207aa5d665b619826f756591f65310bbd2c92c9384e6c6a67b42dec382fdb24c591d79ff5e47737b0f5b8479694c3adc19401704912bbfec2704d4d5bebbfc1a7fc796e277634e40851851a187ec2d37ed3f351c4596a5a0892916b4c55f ++Ctrl.hexxcghash = hexxcghash:a347f5f1e191c35f212c9324d5867efdf83026be62c2b16ae006edb3378d4006 ++Ctrl.hexsession_id = hexsession_id:90befcef3ff8f920674a9fab94198cf3fd9dca24a21d3c9dba394daafbc621ed ++Ctrl.type = type:B ++Output = f25786f02f199737 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000000800faa172b8c287e372bb236ad34c733695c13d77f882adc0f47e5a7f6a3de07efb101207aa5d665b619826f756591f65310bbd2c92c9384e6c6a67b42dec382fdb24c591d79ff5e47737b0f5b8479694c3adc19401704912bbfec2704d4d5bebbfc1a7fc796e277634e40851851a187ec2d37ed3f351c4596a5a0892916b4c55f ++Ctrl.hexxcghash = hexxcghash:a347f5f1e191c35f212c9324d5867efdf83026be62c2b16ae006edb3378d4006 ++Ctrl.hexsession_id = hexsession_id:90befcef3ff8f920674a9fab94198cf3fd9dca24a21d3c9dba394daafbc621ed ++Ctrl.type = type:C ++Output = 97621bf882266f905da78cf193fc31f642acbb60957c41b7 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000000800faa172b8c287e372bb236ad34c733695c13d77f882adc0f47e5a7f6a3de07efb101207aa5d665b619826f756591f65310bbd2c92c9384e6c6a67b42dec382fdb24c591d79ff5e47737b0f5b8479694c3adc19401704912bbfec2704d4d5bebbfc1a7fc796e277634e40851851a187ec2d37ed3f351c4596a5a0892916b4c55f ++Ctrl.hexxcghash = hexxcghash:a347f5f1e191c35f212c9324d5867efdf83026be62c2b16ae006edb3378d4006 ++Ctrl.hexsession_id = hexsession_id:90befcef3ff8f920674a9fab94198cf3fd9dca24a21d3c9dba394daafbc621ed ++Ctrl.type = type:D ++Output = ad98a86a2386280912efea50f790e800a7758f7dade5d77e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000000800faa172b8c287e372bb236ad34c733695c13d77f882adc0f47e5a7f6a3de07efb101207aa5d665b619826f756591f65310bbd2c92c9384e6c6a67b42dec382fdb24c591d79ff5e47737b0f5b8479694c3adc19401704912bbfec2704d4d5bebbfc1a7fc796e277634e40851851a187ec2d37ed3f351c4596a5a0892916b4c55f ++Ctrl.hexxcghash = hexxcghash:a347f5f1e191c35f212c9324d5867efdf83026be62c2b16ae006edb3378d4006 ++Ctrl.hexsession_id = hexsession_id:90befcef3ff8f920674a9fab94198cf3fd9dca24a21d3c9dba394daafbc621ed ++Ctrl.type = type:E ++Output = f92d052d3cdf34dfc69bc60a489c3a3553f4356596c191931d08fa20551273b3 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000000800faa172b8c287e372bb236ad34c733695c13d77f882adc0f47e5a7f6a3de07efb101207aa5d665b619826f756591f65310bbd2c92c9384e6c6a67b42dec382fdb24c591d79ff5e47737b0f5b8479694c3adc19401704912bbfec2704d4d5bebbfc1a7fc796e277634e40851851a187ec2d37ed3f351c4596a5a0892916b4c55f ++Ctrl.hexxcghash = hexxcghash:a347f5f1e191c35f212c9324d5867efdf83026be62c2b16ae006edb3378d4006 ++Ctrl.hexsession_id = hexsession_id:90befcef3ff8f920674a9fab94198cf3fd9dca24a21d3c9dba394daafbc621ed ++Ctrl.type = type:F ++Output = 147a771445123f846d8ae514d7ff9b3c93b2bceb7c7c9500942161b8e2d0110f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100db8205ad53a96bd4c111ad8dc8dab8196f04557d87a5ac90b1013eec71456ca80f0a59af26f9ac6eb91ee51cd601602fe9467550d1f09f417f94e4df2aa5fb941a33ff7764b4d57bcba77f549959ca4fe5d568ff5d20702fcfef904d07f9182bd9936da1fc63d0b11cd573bc0ed9c4e7bb07b5c77c4214d457ca5b0a4410d7b0 ++Ctrl.hexxcghash = hexxcghash:a85aa36aeae3f8a948ffa077509f183f2894b52930a79a06bf8783e501d9cae3 ++Ctrl.hexsession_id = hexsession_id:6629bb9f32e259935f946e73543bf65830e78ddab691a8b885f3444f976fd655 ++Ctrl.type = type:A ++Output = 93da642974d71e52 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100db8205ad53a96bd4c111ad8dc8dab8196f04557d87a5ac90b1013eec71456ca80f0a59af26f9ac6eb91ee51cd601602fe9467550d1f09f417f94e4df2aa5fb941a33ff7764b4d57bcba77f549959ca4fe5d568ff5d20702fcfef904d07f9182bd9936da1fc63d0b11cd573bc0ed9c4e7bb07b5c77c4214d457ca5b0a4410d7b0 ++Ctrl.hexxcghash = hexxcghash:a85aa36aeae3f8a948ffa077509f183f2894b52930a79a06bf8783e501d9cae3 ++Ctrl.hexsession_id = hexsession_id:6629bb9f32e259935f946e73543bf65830e78ddab691a8b885f3444f976fd655 ++Ctrl.type = type:B ++Output = df2035ad67457151 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100db8205ad53a96bd4c111ad8dc8dab8196f04557d87a5ac90b1013eec71456ca80f0a59af26f9ac6eb91ee51cd601602fe9467550d1f09f417f94e4df2aa5fb941a33ff7764b4d57bcba77f549959ca4fe5d568ff5d20702fcfef904d07f9182bd9936da1fc63d0b11cd573bc0ed9c4e7bb07b5c77c4214d457ca5b0a4410d7b0 ++Ctrl.hexxcghash = hexxcghash:a85aa36aeae3f8a948ffa077509f183f2894b52930a79a06bf8783e501d9cae3 ++Ctrl.hexsession_id = hexsession_id:6629bb9f32e259935f946e73543bf65830e78ddab691a8b885f3444f976fd655 ++Ctrl.type = type:C ++Output = 42067bb0535da6701232a0f39ac7f436535af346c4786af5 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100db8205ad53a96bd4c111ad8dc8dab8196f04557d87a5ac90b1013eec71456ca80f0a59af26f9ac6eb91ee51cd601602fe9467550d1f09f417f94e4df2aa5fb941a33ff7764b4d57bcba77f549959ca4fe5d568ff5d20702fcfef904d07f9182bd9936da1fc63d0b11cd573bc0ed9c4e7bb07b5c77c4214d457ca5b0a4410d7b0 ++Ctrl.hexxcghash = hexxcghash:a85aa36aeae3f8a948ffa077509f183f2894b52930a79a06bf8783e501d9cae3 ++Ctrl.hexsession_id = hexsession_id:6629bb9f32e259935f946e73543bf65830e78ddab691a8b885f3444f976fd655 ++Ctrl.type = type:D ++Output = 08a0181a6c373d39540409dafb1b4e2359bc249af33bcfe0 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100db8205ad53a96bd4c111ad8dc8dab8196f04557d87a5ac90b1013eec71456ca80f0a59af26f9ac6eb91ee51cd601602fe9467550d1f09f417f94e4df2aa5fb941a33ff7764b4d57bcba77f549959ca4fe5d568ff5d20702fcfef904d07f9182bd9936da1fc63d0b11cd573bc0ed9c4e7bb07b5c77c4214d457ca5b0a4410d7b0 ++Ctrl.hexxcghash = hexxcghash:a85aa36aeae3f8a948ffa077509f183f2894b52930a79a06bf8783e501d9cae3 ++Ctrl.hexsession_id = hexsession_id:6629bb9f32e259935f946e73543bf65830e78ddab691a8b885f3444f976fd655 ++Ctrl.type = type:E ++Output = c043b5aece7cd2685c6dfb3788d7a562d6622d20f6d7e07b38aeb47c649dd99c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100db8205ad53a96bd4c111ad8dc8dab8196f04557d87a5ac90b1013eec71456ca80f0a59af26f9ac6eb91ee51cd601602fe9467550d1f09f417f94e4df2aa5fb941a33ff7764b4d57bcba77f549959ca4fe5d568ff5d20702fcfef904d07f9182bd9936da1fc63d0b11cd573bc0ed9c4e7bb07b5c77c4214d457ca5b0a4410d7b0 ++Ctrl.hexxcghash = hexxcghash:a85aa36aeae3f8a948ffa077509f183f2894b52930a79a06bf8783e501d9cae3 ++Ctrl.hexsession_id = hexsession_id:6629bb9f32e259935f946e73543bf65830e78ddab691a8b885f3444f976fd655 ++Ctrl.type = type:F ++Output = cbe67a93ac758d9f2a6ff580bad5a44bb1a1062c9e20d5c974decb7aa2b0faa0 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100d97164957831bbc57c91e0a5c9ece230b4625d14b9d07decdc971cee28d28c2938d2f8b682bc33bd67458fb90120dd6a2ca5255fbe3daeb0325029e15b5e3135aae5081894da98fb4e4d578890c5a4b6a359097bf5e2c403f77b0398d12795d6c895ed979e792d13f5aeb3cd62799d9a509cb4bd8e2bf5d8b08498abccc0790c ++Ctrl.hexxcghash = hexxcghash:81c3e6d1a6aeb3f3fc111a9e1467a7e569b9debbfef48fd31acd0d8b9b50a647 ++Ctrl.hexsession_id = hexsession_id:068d4a2ebf66a0a6f75d3e76659c72a7f70630f98872e6f48c45ad862fd9b2a4 ++Ctrl.type = type:A ++Output = 320e807fab2b10f0 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100d97164957831bbc57c91e0a5c9ece230b4625d14b9d07decdc971cee28d28c2938d2f8b682bc33bd67458fb90120dd6a2ca5255fbe3daeb0325029e15b5e3135aae5081894da98fb4e4d578890c5a4b6a359097bf5e2c403f77b0398d12795d6c895ed979e792d13f5aeb3cd62799d9a509cb4bd8e2bf5d8b08498abccc0790c ++Ctrl.hexxcghash = hexxcghash:81c3e6d1a6aeb3f3fc111a9e1467a7e569b9debbfef48fd31acd0d8b9b50a647 ++Ctrl.hexsession_id = hexsession_id:068d4a2ebf66a0a6f75d3e76659c72a7f70630f98872e6f48c45ad862fd9b2a4 ++Ctrl.type = type:B ++Output = 7b8f91be4dcd59b1 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100d97164957831bbc57c91e0a5c9ece230b4625d14b9d07decdc971cee28d28c2938d2f8b682bc33bd67458fb90120dd6a2ca5255fbe3daeb0325029e15b5e3135aae5081894da98fb4e4d578890c5a4b6a359097bf5e2c403f77b0398d12795d6c895ed979e792d13f5aeb3cd62799d9a509cb4bd8e2bf5d8b08498abccc0790c ++Ctrl.hexxcghash = hexxcghash:81c3e6d1a6aeb3f3fc111a9e1467a7e569b9debbfef48fd31acd0d8b9b50a647 ++Ctrl.hexsession_id = hexsession_id:068d4a2ebf66a0a6f75d3e76659c72a7f70630f98872e6f48c45ad862fd9b2a4 ++Ctrl.type = type:C ++Output = dec6e67a94b3ddfcd32a24d6026c6951d00b6f4402d32c1a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100d97164957831bbc57c91e0a5c9ece230b4625d14b9d07decdc971cee28d28c2938d2f8b682bc33bd67458fb90120dd6a2ca5255fbe3daeb0325029e15b5e3135aae5081894da98fb4e4d578890c5a4b6a359097bf5e2c403f77b0398d12795d6c895ed979e792d13f5aeb3cd62799d9a509cb4bd8e2bf5d8b08498abccc0790c ++Ctrl.hexxcghash = hexxcghash:81c3e6d1a6aeb3f3fc111a9e1467a7e569b9debbfef48fd31acd0d8b9b50a647 ++Ctrl.hexsession_id = hexsession_id:068d4a2ebf66a0a6f75d3e76659c72a7f70630f98872e6f48c45ad862fd9b2a4 ++Ctrl.type = type:D ++Output = 2ef3cea4588ad928ac3e8874f3e1f613f2d50787495acc32 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100d97164957831bbc57c91e0a5c9ece230b4625d14b9d07decdc971cee28d28c2938d2f8b682bc33bd67458fb90120dd6a2ca5255fbe3daeb0325029e15b5e3135aae5081894da98fb4e4d578890c5a4b6a359097bf5e2c403f77b0398d12795d6c895ed979e792d13f5aeb3cd62799d9a509cb4bd8e2bf5d8b08498abccc0790c ++Ctrl.hexxcghash = hexxcghash:81c3e6d1a6aeb3f3fc111a9e1467a7e569b9debbfef48fd31acd0d8b9b50a647 ++Ctrl.hexsession_id = hexsession_id:068d4a2ebf66a0a6f75d3e76659c72a7f70630f98872e6f48c45ad862fd9b2a4 ++Ctrl.type = type:E ++Output = 72f93537328eebeec1b5ca88fedb41bf4d9c6279e4fe8d13c38da72a39739ed8 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100d97164957831bbc57c91e0a5c9ece230b4625d14b9d07decdc971cee28d28c2938d2f8b682bc33bd67458fb90120dd6a2ca5255fbe3daeb0325029e15b5e3135aae5081894da98fb4e4d578890c5a4b6a359097bf5e2c403f77b0398d12795d6c895ed979e792d13f5aeb3cd62799d9a509cb4bd8e2bf5d8b08498abccc0790c ++Ctrl.hexxcghash = hexxcghash:81c3e6d1a6aeb3f3fc111a9e1467a7e569b9debbfef48fd31acd0d8b9b50a647 ++Ctrl.hexsession_id = hexsession_id:068d4a2ebf66a0a6f75d3e76659c72a7f70630f98872e6f48c45ad862fd9b2a4 ++Ctrl.type = type:F ++Output = 55dcf2c322b9c94686edbf9314d7c93bd9651e2ebc64f1a299d7176577d65b32 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008001223839219fa4dbaf2b88deaa058bed95793bd6079e670e88eecf0a391ae7ce2d3bf129e11273aad0d0047b84960e6f73fa3de394042b4254c7850fddc7525dcf27fb9bdcafc604626aa25e08c938a27c80ca97a4c1a2662f4e8485e016c75e4f4e6861f5bbd694bbd6492cbffa95128dab52d8a3d0316bcabd5da2c789dd62 ++Ctrl.hexxcghash = hexxcghash:7817d37fe11f3499feda39bf21ce7755040a0091e61e8eb585e6299c6673db81 ++Ctrl.hexsession_id = hexsession_id:2b7ef879949594c35dbccdba0ba4959e3a2fad446c5ce35666e400b7214fe69e ++Ctrl.type = type:A ++Output = f4dbc41aa23e1621 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008001223839219fa4dbaf2b88deaa058bed95793bd6079e670e88eecf0a391ae7ce2d3bf129e11273aad0d0047b84960e6f73fa3de394042b4254c7850fddc7525dcf27fb9bdcafc604626aa25e08c938a27c80ca97a4c1a2662f4e8485e016c75e4f4e6861f5bbd694bbd6492cbffa95128dab52d8a3d0316bcabd5da2c789dd62 ++Ctrl.hexxcghash = hexxcghash:7817d37fe11f3499feda39bf21ce7755040a0091e61e8eb585e6299c6673db81 ++Ctrl.hexsession_id = hexsession_id:2b7ef879949594c35dbccdba0ba4959e3a2fad446c5ce35666e400b7214fe69e ++Ctrl.type = type:B ++Output = e53b40c511180817 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008001223839219fa4dbaf2b88deaa058bed95793bd6079e670e88eecf0a391ae7ce2d3bf129e11273aad0d0047b84960e6f73fa3de394042b4254c7850fddc7525dcf27fb9bdcafc604626aa25e08c938a27c80ca97a4c1a2662f4e8485e016c75e4f4e6861f5bbd694bbd6492cbffa95128dab52d8a3d0316bcabd5da2c789dd62 ++Ctrl.hexxcghash = hexxcghash:7817d37fe11f3499feda39bf21ce7755040a0091e61e8eb585e6299c6673db81 ++Ctrl.hexsession_id = hexsession_id:2b7ef879949594c35dbccdba0ba4959e3a2fad446c5ce35666e400b7214fe69e ++Ctrl.type = type:C ++Output = 70fed9412989cf5de908ad429cb92065fd5ccc081477abba ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008001223839219fa4dbaf2b88deaa058bed95793bd6079e670e88eecf0a391ae7ce2d3bf129e11273aad0d0047b84960e6f73fa3de394042b4254c7850fddc7525dcf27fb9bdcafc604626aa25e08c938a27c80ca97a4c1a2662f4e8485e016c75e4f4e6861f5bbd694bbd6492cbffa95128dab52d8a3d0316bcabd5da2c789dd62 ++Ctrl.hexxcghash = hexxcghash:7817d37fe11f3499feda39bf21ce7755040a0091e61e8eb585e6299c6673db81 ++Ctrl.hexsession_id = hexsession_id:2b7ef879949594c35dbccdba0ba4959e3a2fad446c5ce35666e400b7214fe69e ++Ctrl.type = type:D ++Output = 3afdb0b4b4bc13e8731bb92e541b7d82a0b20d8878ce184b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008001223839219fa4dbaf2b88deaa058bed95793bd6079e670e88eecf0a391ae7ce2d3bf129e11273aad0d0047b84960e6f73fa3de394042b4254c7850fddc7525dcf27fb9bdcafc604626aa25e08c938a27c80ca97a4c1a2662f4e8485e016c75e4f4e6861f5bbd694bbd6492cbffa95128dab52d8a3d0316bcabd5da2c789dd62 ++Ctrl.hexxcghash = hexxcghash:7817d37fe11f3499feda39bf21ce7755040a0091e61e8eb585e6299c6673db81 ++Ctrl.hexsession_id = hexsession_id:2b7ef879949594c35dbccdba0ba4959e3a2fad446c5ce35666e400b7214fe69e ++Ctrl.type = type:E ++Output = 59937f257aeef0806038543ced541990e5c2243881818edf2c522a54b64e9e93 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008001223839219fa4dbaf2b88deaa058bed95793bd6079e670e88eecf0a391ae7ce2d3bf129e11273aad0d0047b84960e6f73fa3de394042b4254c7850fddc7525dcf27fb9bdcafc604626aa25e08c938a27c80ca97a4c1a2662f4e8485e016c75e4f4e6861f5bbd694bbd6492cbffa95128dab52d8a3d0316bcabd5da2c789dd62 ++Ctrl.hexxcghash = hexxcghash:7817d37fe11f3499feda39bf21ce7755040a0091e61e8eb585e6299c6673db81 ++Ctrl.hexsession_id = hexsession_id:2b7ef879949594c35dbccdba0ba4959e3a2fad446c5ce35666e400b7214fe69e ++Ctrl.type = type:F ++Output = 187532105293274b841918e3ab51f5dd0453d4331e85f4e06b775dbce4979cdd ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000000807d3783ce1f598c3279e8a33f3e8bfe9c255979034f43d107bb3dd6cb21ff67d945594929f2fd7bef74679be81d3ad6c1b472293d1060242d720ed2fb250fde838064eec64d75cb9d5d2ec09c9e67e3bf48c0d0a92577f8bf6e05cfcbaafcd243369f30f14d24a4ad2c1aaff528e03198227135d26839fd45cd60678ae41307c2 ++Ctrl.hexxcghash = hexxcghash:2efc2c1be24e1259105757bbd2c518d62ae52400451347aa90e2aab00bc58864 ++Ctrl.hexsession_id = hexsession_id:2df7d0dbcb1beb17ef1a8b9884c9d6d8833b5039797a5fce61e7a2490405b323 ++Ctrl.type = type:A ++Output = 3cc220d5bb9b5346 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000000807d3783ce1f598c3279e8a33f3e8bfe9c255979034f43d107bb3dd6cb21ff67d945594929f2fd7bef74679be81d3ad6c1b472293d1060242d720ed2fb250fde838064eec64d75cb9d5d2ec09c9e67e3bf48c0d0a92577f8bf6e05cfcbaafcd243369f30f14d24a4ad2c1aaff528e03198227135d26839fd45cd60678ae41307c2 ++Ctrl.hexxcghash = hexxcghash:2efc2c1be24e1259105757bbd2c518d62ae52400451347aa90e2aab00bc58864 ++Ctrl.hexsession_id = hexsession_id:2df7d0dbcb1beb17ef1a8b9884c9d6d8833b5039797a5fce61e7a2490405b323 ++Ctrl.type = type:B ++Output = 051e3c79aede7e41 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000000807d3783ce1f598c3279e8a33f3e8bfe9c255979034f43d107bb3dd6cb21ff67d945594929f2fd7bef74679be81d3ad6c1b472293d1060242d720ed2fb250fde838064eec64d75cb9d5d2ec09c9e67e3bf48c0d0a92577f8bf6e05cfcbaafcd243369f30f14d24a4ad2c1aaff528e03198227135d26839fd45cd60678ae41307c2 ++Ctrl.hexxcghash = hexxcghash:2efc2c1be24e1259105757bbd2c518d62ae52400451347aa90e2aab00bc58864 ++Ctrl.hexsession_id = hexsession_id:2df7d0dbcb1beb17ef1a8b9884c9d6d8833b5039797a5fce61e7a2490405b323 ++Ctrl.type = type:C ++Output = 44c2b4725965ee9a2bce58d38e2e9a778263c415b21a25be ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000000807d3783ce1f598c3279e8a33f3e8bfe9c255979034f43d107bb3dd6cb21ff67d945594929f2fd7bef74679be81d3ad6c1b472293d1060242d720ed2fb250fde838064eec64d75cb9d5d2ec09c9e67e3bf48c0d0a92577f8bf6e05cfcbaafcd243369f30f14d24a4ad2c1aaff528e03198227135d26839fd45cd60678ae41307c2 ++Ctrl.hexxcghash = hexxcghash:2efc2c1be24e1259105757bbd2c518d62ae52400451347aa90e2aab00bc58864 ++Ctrl.hexsession_id = hexsession_id:2df7d0dbcb1beb17ef1a8b9884c9d6d8833b5039797a5fce61e7a2490405b323 ++Ctrl.type = type:D ++Output = d5de7a801956b934d820f9aa51bf1dae2a7aec7ce5ce4e50 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000000807d3783ce1f598c3279e8a33f3e8bfe9c255979034f43d107bb3dd6cb21ff67d945594929f2fd7bef74679be81d3ad6c1b472293d1060242d720ed2fb250fde838064eec64d75cb9d5d2ec09c9e67e3bf48c0d0a92577f8bf6e05cfcbaafcd243369f30f14d24a4ad2c1aaff528e03198227135d26839fd45cd60678ae41307c2 ++Ctrl.hexxcghash = hexxcghash:2efc2c1be24e1259105757bbd2c518d62ae52400451347aa90e2aab00bc58864 ++Ctrl.hexsession_id = hexsession_id:2df7d0dbcb1beb17ef1a8b9884c9d6d8833b5039797a5fce61e7a2490405b323 ++Ctrl.type = type:E ++Output = 7d2039a6505e3220535fde0ff71464f3971580f50711356760b225fc3053fc19 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000000807d3783ce1f598c3279e8a33f3e8bfe9c255979034f43d107bb3dd6cb21ff67d945594929f2fd7bef74679be81d3ad6c1b472293d1060242d720ed2fb250fde838064eec64d75cb9d5d2ec09c9e67e3bf48c0d0a92577f8bf6e05cfcbaafcd243369f30f14d24a4ad2c1aaff528e03198227135d26839fd45cd60678ae41307c2 ++Ctrl.hexxcghash = hexxcghash:2efc2c1be24e1259105757bbd2c518d62ae52400451347aa90e2aab00bc58864 ++Ctrl.hexsession_id = hexsession_id:2df7d0dbcb1beb17ef1a8b9884c9d6d8833b5039797a5fce61e7a2490405b323 ++Ctrl.type = type:F ++Output = b0972348a031ef2e87d42611e53cf0c4782d759ecdcc1390318eb11e1925ac35 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100b44b386751753bf1fbfe100b11761766aaef16b2786462ba9561d3b493581254a1c1556ef611fec70146a864f8860c6317f294d06aec94129740c78035411992492825554362d25bf2c43a2e8a4d22e5d4777c593c8686966684b95e8e4535fc0b4a0e53264f22cf568469e829a303cdd06c09d8f74ccef6b6028fde782a7285 ++Ctrl.hexxcghash = hexxcghash:8c691585cffd38a6ad0fd751da66c1a0f2b46ad6c12348b5a89cd24f39e76517 ++Ctrl.hexsession_id = hexsession_id:2d93238fe20a860db2fb8fb4c5a0525a2f8817abbb53773e4af9fb366a213506 ++Ctrl.type = type:A ++Output = cdb047beecd92d84 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100b44b386751753bf1fbfe100b11761766aaef16b2786462ba9561d3b493581254a1c1556ef611fec70146a864f8860c6317f294d06aec94129740c78035411992492825554362d25bf2c43a2e8a4d22e5d4777c593c8686966684b95e8e4535fc0b4a0e53264f22cf568469e829a303cdd06c09d8f74ccef6b6028fde782a7285 ++Ctrl.hexxcghash = hexxcghash:8c691585cffd38a6ad0fd751da66c1a0f2b46ad6c12348b5a89cd24f39e76517 ++Ctrl.hexsession_id = hexsession_id:2d93238fe20a860db2fb8fb4c5a0525a2f8817abbb53773e4af9fb366a213506 ++Ctrl.type = type:B ++Output = ef378e894d8f675e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100b44b386751753bf1fbfe100b11761766aaef16b2786462ba9561d3b493581254a1c1556ef611fec70146a864f8860c6317f294d06aec94129740c78035411992492825554362d25bf2c43a2e8a4d22e5d4777c593c8686966684b95e8e4535fc0b4a0e53264f22cf568469e829a303cdd06c09d8f74ccef6b6028fde782a7285 ++Ctrl.hexxcghash = hexxcghash:8c691585cffd38a6ad0fd751da66c1a0f2b46ad6c12348b5a89cd24f39e76517 ++Ctrl.hexsession_id = hexsession_id:2d93238fe20a860db2fb8fb4c5a0525a2f8817abbb53773e4af9fb366a213506 ++Ctrl.type = type:C ++Output = 23ee42a437801e87348b3999bde76147a8731e318db57752 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100b44b386751753bf1fbfe100b11761766aaef16b2786462ba9561d3b493581254a1c1556ef611fec70146a864f8860c6317f294d06aec94129740c78035411992492825554362d25bf2c43a2e8a4d22e5d4777c593c8686966684b95e8e4535fc0b4a0e53264f22cf568469e829a303cdd06c09d8f74ccef6b6028fde782a7285 ++Ctrl.hexxcghash = hexxcghash:8c691585cffd38a6ad0fd751da66c1a0f2b46ad6c12348b5a89cd24f39e76517 ++Ctrl.hexsession_id = hexsession_id:2d93238fe20a860db2fb8fb4c5a0525a2f8817abbb53773e4af9fb366a213506 ++Ctrl.type = type:D ++Output = a3f50e3d14498f15e1f111cc929648011d6abfb58e90df1c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100b44b386751753bf1fbfe100b11761766aaef16b2786462ba9561d3b493581254a1c1556ef611fec70146a864f8860c6317f294d06aec94129740c78035411992492825554362d25bf2c43a2e8a4d22e5d4777c593c8686966684b95e8e4535fc0b4a0e53264f22cf568469e829a303cdd06c09d8f74ccef6b6028fde782a7285 ++Ctrl.hexxcghash = hexxcghash:8c691585cffd38a6ad0fd751da66c1a0f2b46ad6c12348b5a89cd24f39e76517 ++Ctrl.hexsession_id = hexsession_id:2d93238fe20a860db2fb8fb4c5a0525a2f8817abbb53773e4af9fb366a213506 ++Ctrl.type = type:E ++Output = fb6a020561e46e521344cb671a50175afd63ded91eedaa1b2879c3a63761674d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100b44b386751753bf1fbfe100b11761766aaef16b2786462ba9561d3b493581254a1c1556ef611fec70146a864f8860c6317f294d06aec94129740c78035411992492825554362d25bf2c43a2e8a4d22e5d4777c593c8686966684b95e8e4535fc0b4a0e53264f22cf568469e829a303cdd06c09d8f74ccef6b6028fde782a7285 ++Ctrl.hexxcghash = hexxcghash:8c691585cffd38a6ad0fd751da66c1a0f2b46ad6c12348b5a89cd24f39e76517 ++Ctrl.hexsession_id = hexsession_id:2d93238fe20a860db2fb8fb4c5a0525a2f8817abbb53773e4af9fb366a213506 ++Ctrl.type = type:F ++Output = 567a79e7c4b10d62a420ce2ea740661c08d9459ed636ecb4edebcedb17b0baba ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100b3462ee942f026de0922ab88b6ebf5ee2c968a4e12cbf374593f3542c6eb619ea1ec29b958c65a83305c37008de3b691ec020cc989e6c5393dae36bbb3bf0d1a29ed0bab6d23f60e63e277119b7a4c0a5fa96d9c043a5ace58034052ffb71b8bf0eaea8a6bc9a9834c512d7470122c71908a44ef7f3227b512f6971c82436e96 ++Ctrl.hexxcghash = hexxcghash:3d5d7f742b08976755e2eb8457f1d9401d918bbf7e201fe0742f00ae799082df ++Ctrl.hexsession_id = hexsession_id:50bcad2970e07c3ad3f14db05d451d77304fe70927ba26815fcaf1f3a723af91 ++Ctrl.type = type:A ++Output = 1f9e7ad5592ac73d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100b3462ee942f026de0922ab88b6ebf5ee2c968a4e12cbf374593f3542c6eb619ea1ec29b958c65a83305c37008de3b691ec020cc989e6c5393dae36bbb3bf0d1a29ed0bab6d23f60e63e277119b7a4c0a5fa96d9c043a5ace58034052ffb71b8bf0eaea8a6bc9a9834c512d7470122c71908a44ef7f3227b512f6971c82436e96 ++Ctrl.hexxcghash = hexxcghash:3d5d7f742b08976755e2eb8457f1d9401d918bbf7e201fe0742f00ae799082df ++Ctrl.hexsession_id = hexsession_id:50bcad2970e07c3ad3f14db05d451d77304fe70927ba26815fcaf1f3a723af91 ++Ctrl.type = type:B ++Output = 15b254fe3510dd77 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100b3462ee942f026de0922ab88b6ebf5ee2c968a4e12cbf374593f3542c6eb619ea1ec29b958c65a83305c37008de3b691ec020cc989e6c5393dae36bbb3bf0d1a29ed0bab6d23f60e63e277119b7a4c0a5fa96d9c043a5ace58034052ffb71b8bf0eaea8a6bc9a9834c512d7470122c71908a44ef7f3227b512f6971c82436e96 ++Ctrl.hexxcghash = hexxcghash:3d5d7f742b08976755e2eb8457f1d9401d918bbf7e201fe0742f00ae799082df ++Ctrl.hexsession_id = hexsession_id:50bcad2970e07c3ad3f14db05d451d77304fe70927ba26815fcaf1f3a723af91 ++Ctrl.type = type:C ++Output = 88eadd5802e1a748284684438eb1b1bdc9b20ea30c59950d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100b3462ee942f026de0922ab88b6ebf5ee2c968a4e12cbf374593f3542c6eb619ea1ec29b958c65a83305c37008de3b691ec020cc989e6c5393dae36bbb3bf0d1a29ed0bab6d23f60e63e277119b7a4c0a5fa96d9c043a5ace58034052ffb71b8bf0eaea8a6bc9a9834c512d7470122c71908a44ef7f3227b512f6971c82436e96 ++Ctrl.hexxcghash = hexxcghash:3d5d7f742b08976755e2eb8457f1d9401d918bbf7e201fe0742f00ae799082df ++Ctrl.hexsession_id = hexsession_id:50bcad2970e07c3ad3f14db05d451d77304fe70927ba26815fcaf1f3a723af91 ++Ctrl.type = type:D ++Output = 277c2c4ad3d4a3bec4bdc5329bb5f9d4e39aa06b1e115e77 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100b3462ee942f026de0922ab88b6ebf5ee2c968a4e12cbf374593f3542c6eb619ea1ec29b958c65a83305c37008de3b691ec020cc989e6c5393dae36bbb3bf0d1a29ed0bab6d23f60e63e277119b7a4c0a5fa96d9c043a5ace58034052ffb71b8bf0eaea8a6bc9a9834c512d7470122c71908a44ef7f3227b512f6971c82436e96 ++Ctrl.hexxcghash = hexxcghash:3d5d7f742b08976755e2eb8457f1d9401d918bbf7e201fe0742f00ae799082df ++Ctrl.hexsession_id = hexsession_id:50bcad2970e07c3ad3f14db05d451d77304fe70927ba26815fcaf1f3a723af91 ++Ctrl.type = type:E ++Output = 090d2f273a690ed1d67dd9919c34385b18a661f8657b84bef6832f2396771979 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100b3462ee942f026de0922ab88b6ebf5ee2c968a4e12cbf374593f3542c6eb619ea1ec29b958c65a83305c37008de3b691ec020cc989e6c5393dae36bbb3bf0d1a29ed0bab6d23f60e63e277119b7a4c0a5fa96d9c043a5ace58034052ffb71b8bf0eaea8a6bc9a9834c512d7470122c71908a44ef7f3227b512f6971c82436e96 ++Ctrl.hexxcghash = hexxcghash:3d5d7f742b08976755e2eb8457f1d9401d918bbf7e201fe0742f00ae799082df ++Ctrl.hexsession_id = hexsession_id:50bcad2970e07c3ad3f14db05d451d77304fe70927ba26815fcaf1f3a723af91 ++Ctrl.type = type:F ++Output = 1f3082fa5ac8ec565595c4c5b8a7ddbba88ed4936fca913bba6a8715dc856f30 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100831889c603d4dc01d0d9f19f07ccadb6a9fa7662305277d59efbc872f38325de2ec2151f58649f5fd15ff3a099f0191dca69be0b9c88ef729fe74af849cc8e7479f8a5406842af88e12167607103cda449a1394c86b2c21d4083cdee216f74078d4e878b352df901727870815528ae99f74f25c21a8a39772940d871badb39a6 ++Ctrl.hexxcghash = hexxcghash:f77992d066bc305419a6c1b0879008856287b95ec20c2b1be5a5c8189cadbbb1 ++Ctrl.hexsession_id = hexsession_id:15bd2e8c86d23eace4a581377ef8a3f5266dbd081cfcd01ab2b68506438228a2 ++Ctrl.type = type:A ++Output = 3aa08d67c81310b7 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100831889c603d4dc01d0d9f19f07ccadb6a9fa7662305277d59efbc872f38325de2ec2151f58649f5fd15ff3a099f0191dca69be0b9c88ef729fe74af849cc8e7479f8a5406842af88e12167607103cda449a1394c86b2c21d4083cdee216f74078d4e878b352df901727870815528ae99f74f25c21a8a39772940d871badb39a6 ++Ctrl.hexxcghash = hexxcghash:f77992d066bc305419a6c1b0879008856287b95ec20c2b1be5a5c8189cadbbb1 ++Ctrl.hexsession_id = hexsession_id:15bd2e8c86d23eace4a581377ef8a3f5266dbd081cfcd01ab2b68506438228a2 ++Ctrl.type = type:B ++Output = cf46596878a17a87 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100831889c603d4dc01d0d9f19f07ccadb6a9fa7662305277d59efbc872f38325de2ec2151f58649f5fd15ff3a099f0191dca69be0b9c88ef729fe74af849cc8e7479f8a5406842af88e12167607103cda449a1394c86b2c21d4083cdee216f74078d4e878b352df901727870815528ae99f74f25c21a8a39772940d871badb39a6 ++Ctrl.hexxcghash = hexxcghash:f77992d066bc305419a6c1b0879008856287b95ec20c2b1be5a5c8189cadbbb1 ++Ctrl.hexsession_id = hexsession_id:15bd2e8c86d23eace4a581377ef8a3f5266dbd081cfcd01ab2b68506438228a2 ++Ctrl.type = type:C ++Output = 871db438b8b33c2102ddab0c1f7be51ee4c2cbdf52a01a58 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100831889c603d4dc01d0d9f19f07ccadb6a9fa7662305277d59efbc872f38325de2ec2151f58649f5fd15ff3a099f0191dca69be0b9c88ef729fe74af849cc8e7479f8a5406842af88e12167607103cda449a1394c86b2c21d4083cdee216f74078d4e878b352df901727870815528ae99f74f25c21a8a39772940d871badb39a6 ++Ctrl.hexxcghash = hexxcghash:f77992d066bc305419a6c1b0879008856287b95ec20c2b1be5a5c8189cadbbb1 ++Ctrl.hexsession_id = hexsession_id:15bd2e8c86d23eace4a581377ef8a3f5266dbd081cfcd01ab2b68506438228a2 ++Ctrl.type = type:D ++Output = 04ac13599b84c22be0f1e5f7b96def31598e6ad36be412e8 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100831889c603d4dc01d0d9f19f07ccadb6a9fa7662305277d59efbc872f38325de2ec2151f58649f5fd15ff3a099f0191dca69be0b9c88ef729fe74af849cc8e7479f8a5406842af88e12167607103cda449a1394c86b2c21d4083cdee216f74078d4e878b352df901727870815528ae99f74f25c21a8a39772940d871badb39a6 ++Ctrl.hexxcghash = hexxcghash:f77992d066bc305419a6c1b0879008856287b95ec20c2b1be5a5c8189cadbbb1 ++Ctrl.hexsession_id = hexsession_id:15bd2e8c86d23eace4a581377ef8a3f5266dbd081cfcd01ab2b68506438228a2 ++Ctrl.type = type:E ++Output = f00c83a8afb5d1793749d4aae825b80e67ccd7f67e08f572222ccf42126ea2f0 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000008100831889c603d4dc01d0d9f19f07ccadb6a9fa7662305277d59efbc872f38325de2ec2151f58649f5fd15ff3a099f0191dca69be0b9c88ef729fe74af849cc8e7479f8a5406842af88e12167607103cda449a1394c86b2c21d4083cdee216f74078d4e878b352df901727870815528ae99f74f25c21a8a39772940d871badb39a6 ++Ctrl.hexxcghash = hexxcghash:f77992d066bc305419a6c1b0879008856287b95ec20c2b1be5a5c8189cadbbb1 ++Ctrl.hexsession_id = hexsession_id:15bd2e8c86d23eace4a581377ef8a3f5266dbd081cfcd01ab2b68506438228a2 ++Ctrl.type = type:F ++Output = df0570749d67136095b0dda6d461676b7eeb9a386f126306d436cab16dfd1b3c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000081008fa89f9f89a2a2417a9461451a4b97343afd46552a8700e588638b0ef0ae568ffbaee2727ae3ae96271aa33b8439c1a4bad313ea42605ae0902817d91577b6a3c72fc576ee29544c1d6323bad205317d2265c533d82ed27a2dea64a8545c64e9772e81ce1cbfe265a51acfae74b72d5365366263541e50a567c3ffa594eac071 ++Ctrl.hexxcghash = hexxcghash:4d071ee398757c548fa72f77ed94d5b158a311d3655bb7a6e324c4e2a26be84f ++Ctrl.hexsession_id = hexsession_id:d1d34becf667002ace16be10726cab3c7d18ce7414759f62a83cb4cfaaed77f4 ++Ctrl.type = type:A ++Output = fad800cbf8975a01 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000081008fa89f9f89a2a2417a9461451a4b97343afd46552a8700e588638b0ef0ae568ffbaee2727ae3ae96271aa33b8439c1a4bad313ea42605ae0902817d91577b6a3c72fc576ee29544c1d6323bad205317d2265c533d82ed27a2dea64a8545c64e9772e81ce1cbfe265a51acfae74b72d5365366263541e50a567c3ffa594eac071 ++Ctrl.hexxcghash = hexxcghash:4d071ee398757c548fa72f77ed94d5b158a311d3655bb7a6e324c4e2a26be84f ++Ctrl.hexsession_id = hexsession_id:d1d34becf667002ace16be10726cab3c7d18ce7414759f62a83cb4cfaaed77f4 ++Ctrl.type = type:B ++Output = 679a118bda1f15a9 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000081008fa89f9f89a2a2417a9461451a4b97343afd46552a8700e588638b0ef0ae568ffbaee2727ae3ae96271aa33b8439c1a4bad313ea42605ae0902817d91577b6a3c72fc576ee29544c1d6323bad205317d2265c533d82ed27a2dea64a8545c64e9772e81ce1cbfe265a51acfae74b72d5365366263541e50a567c3ffa594eac071 ++Ctrl.hexxcghash = hexxcghash:4d071ee398757c548fa72f77ed94d5b158a311d3655bb7a6e324c4e2a26be84f ++Ctrl.hexsession_id = hexsession_id:d1d34becf667002ace16be10726cab3c7d18ce7414759f62a83cb4cfaaed77f4 ++Ctrl.type = type:C ++Output = 5193e9b3b10b7939b79b967b98e6cf3396758eaf8263edf2 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000081008fa89f9f89a2a2417a9461451a4b97343afd46552a8700e588638b0ef0ae568ffbaee2727ae3ae96271aa33b8439c1a4bad313ea42605ae0902817d91577b6a3c72fc576ee29544c1d6323bad205317d2265c533d82ed27a2dea64a8545c64e9772e81ce1cbfe265a51acfae74b72d5365366263541e50a567c3ffa594eac071 ++Ctrl.hexxcghash = hexxcghash:4d071ee398757c548fa72f77ed94d5b158a311d3655bb7a6e324c4e2a26be84f ++Ctrl.hexsession_id = hexsession_id:d1d34becf667002ace16be10726cab3c7d18ce7414759f62a83cb4cfaaed77f4 ++Ctrl.type = type:D ++Output = 3f5de8bec6d737836d3a91480ac76c19d0a90bc146f02d5c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000081008fa89f9f89a2a2417a9461451a4b97343afd46552a8700e588638b0ef0ae568ffbaee2727ae3ae96271aa33b8439c1a4bad313ea42605ae0902817d91577b6a3c72fc576ee29544c1d6323bad205317d2265c533d82ed27a2dea64a8545c64e9772e81ce1cbfe265a51acfae74b72d5365366263541e50a567c3ffa594eac071 ++Ctrl.hexxcghash = hexxcghash:4d071ee398757c548fa72f77ed94d5b158a311d3655bb7a6e324c4e2a26be84f ++Ctrl.hexsession_id = hexsession_id:d1d34becf667002ace16be10726cab3c7d18ce7414759f62a83cb4cfaaed77f4 ++Ctrl.type = type:E ++Output = ce7be4fffd0ffd09ff45889d10c7be0edf922422d01cb71b737c6149bb1a2d05 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000081008fa89f9f89a2a2417a9461451a4b97343afd46552a8700e588638b0ef0ae568ffbaee2727ae3ae96271aa33b8439c1a4bad313ea42605ae0902817d91577b6a3c72fc576ee29544c1d6323bad205317d2265c533d82ed27a2dea64a8545c64e9772e81ce1cbfe265a51acfae74b72d5365366263541e50a567c3ffa594eac071 ++Ctrl.hexxcghash = hexxcghash:4d071ee398757c548fa72f77ed94d5b158a311d3655bb7a6e324c4e2a26be84f ++Ctrl.hexsession_id = hexsession_id:d1d34becf667002ace16be10726cab3c7d18ce7414759f62a83cb4cfaaed77f4 ++Ctrl.type = type:F ++Output = 60f413c9bcc42dcf0acc53d513dd8bc703f7e5d668f4e043f13028dcf40880b2 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000001006ac382eaaca093e125e25c24bebc84640c11987507344b5c739ceb84a9e0b222b9a8b51c839e5ebe49cfadbfb39599764ed522099dc912751950dc7dc97fbdc06328b68f22781fd315af568009a5509e5b87a11bf527c056daffd82ab6cbc25cca37143459e7bc63bcde52757adeb7df01cf12173f1fef8102ec5ab142c213dd9d30696278a8d8bc32dde9592d28c078c6d92b947d825acaab6494846a49de24b9623f4889e8adc38e8c669effef176040ad945e90a7d3eec15efeee78ae71043c96511103a16ba7caf0acd0642efdbe809934faa1a5f1bd11043649b25ccd1fee2e38815d4d5f5fc6b4102969f21c22ae1b0e7d3603a556a13262ff628de222 ++Ctrl.hexxcghash = hexxcghash:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d ++Ctrl.hexsession_id = hexsession_id:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d ++Ctrl.type = type:A ++Output = 81f0330ef6f05361b3823bfded6e1de9 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000001006ac382eaaca093e125e25c24bebc84640c11987507344b5c739ceb84a9e0b222b9a8b51c839e5ebe49cfadbfb39599764ed522099dc912751950dc7dc97fbdc06328b68f22781fd315af568009a5509e5b87a11bf527c056daffd82ab6cbc25cca37143459e7bc63bcde52757adeb7df01cf12173f1fef8102ec5ab142c213dd9d30696278a8d8bc32dde9592d28c078c6d92b947d825acaab6494846a49de24b9623f4889e8adc38e8c669effef176040ad945e90a7d3eec15efeee78ae71043c96511103a16ba7caf0acd0642efdbe809934faa1a5f1bd11043649b25ccd1fee2e38815d4d5f5fc6b4102969f21c22ae1b0e7d3603a556a13262ff628de222 ++Ctrl.hexxcghash = hexxcghash:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d ++Ctrl.hexsession_id = hexsession_id:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d ++Ctrl.type = type:B ++Output = 3f6fd2065eeb2b0b1d93195a1fed48a5 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000001006ac382eaaca093e125e25c24bebc84640c11987507344b5c739ceb84a9e0b222b9a8b51c839e5ebe49cfadbfb39599764ed522099dc912751950dc7dc97fbdc06328b68f22781fd315af568009a5509e5b87a11bf527c056daffd82ab6cbc25cca37143459e7bc63bcde52757adeb7df01cf12173f1fef8102ec5ab142c213dd9d30696278a8d8bc32dde9592d28c078c6d92b947d825acaab6494846a49de24b9623f4889e8adc38e8c669effef176040ad945e90a7d3eec15efeee78ae71043c96511103a16ba7caf0acd0642efdbe809934faa1a5f1bd11043649b25ccd1fee2e38815d4d5f5fc6b4102969f21c22ae1b0e7d3603a556a13262ff628de222 ++Ctrl.hexxcghash = hexxcghash:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d ++Ctrl.hexsession_id = hexsession_id:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d ++Ctrl.type = type:C ++Output = c35471034e6fd6547613178e23435f21 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000001006ac382eaaca093e125e25c24bebc84640c11987507344b5c739ceb84a9e0b222b9a8b51c839e5ebe49cfadbfb39599764ed522099dc912751950dc7dc97fbdc06328b68f22781fd315af568009a5509e5b87a11bf527c056daffd82ab6cbc25cca37143459e7bc63bcde52757adeb7df01cf12173f1fef8102ec5ab142c213dd9d30696278a8d8bc32dde9592d28c078c6d92b947d825acaab6494846a49de24b9623f4889e8adc38e8c669effef176040ad945e90a7d3eec15efeee78ae71043c96511103a16ba7caf0acd0642efdbe809934faa1a5f1bd11043649b25ccd1fee2e38815d4d5f5fc6b4102969f21c22ae1b0e7d3603a556a13262ff628de222 ++Ctrl.hexxcghash = hexxcghash:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d ++Ctrl.hexsession_id = hexsession_id:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d ++Ctrl.type = type:D ++Output = 7e9d79032090d99f98b015634dd9f462 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000001006ac382eaaca093e125e25c24bebc84640c11987507344b5c739ceb84a9e0b222b9a8b51c839e5ebe49cfadbfb39599764ed522099dc912751950dc7dc97fbdc06328b68f22781fd315af568009a5509e5b87a11bf527c056daffd82ab6cbc25cca37143459e7bc63bcde52757adeb7df01cf12173f1fef8102ec5ab142c213dd9d30696278a8d8bc32dde9592d28c078c6d92b947d825acaab6494846a49de24b9623f4889e8adc38e8c669effef176040ad945e90a7d3eec15efeee78ae71043c96511103a16ba7caf0acd0642efdbe809934faa1a5f1bd11043649b25ccd1fee2e38815d4d5f5fc6b4102969f21c22ae1b0e7d3603a556a13262ff628de222 ++Ctrl.hexxcghash = hexxcghash:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d ++Ctrl.hexsession_id = hexsession_id:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d ++Ctrl.type = type:E ++Output = 24ee559ad7ce712b685d0b2271e443c17ab1d1dceb5a360569d25d5dc243002f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000001006ac382eaaca093e125e25c24bebc84640c11987507344b5c739ceb84a9e0b222b9a8b51c839e5ebe49cfadbfb39599764ed522099dc912751950dc7dc97fbdc06328b68f22781fd315af568009a5509e5b87a11bf527c056daffd82ab6cbc25cca37143459e7bc63bcde52757adeb7df01cf12173f1fef8102ec5ab142c213dd9d30696278a8d8bc32dde9592d28c078c6d92b947d825acaab6494846a49de24b9623f4889e8adc38e8c669effef176040ad945e90a7d3eec15efeee78ae71043c96511103a16ba7caf0acd0642efdbe809934faa1a5f1bd11043649b25ccd1fee2e38815d4d5f5fc6b4102969f21c22ae1b0e7d3603a556a13262ff628de222 ++Ctrl.hexxcghash = hexxcghash:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d ++Ctrl.hexsession_id = hexsession_id:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d ++Ctrl.type = type:F ++Output = c3419c2b966235869d714ba5ac48ddb7d9e35c8c19aac73422337a373453607e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000010044708c76616f700bd31b0c155ef74e36390eeb39bc5c32cdc90e21922b0ed930b5b519c8afebef0f4e4fb5b41b81d649d2127506620b594e9899f7f0d442ecddd68308307b82f00065e9d75220a5a6f5641795772132215a236064ea965c6493c21f89879730ebbc3c20a22d8f5bfd07b525b194323b22d8a49944d1aa58502e756101ef1e8a91c9310e71f6db65a3ad0a542cfa751f83721a99e89f1dbe54971a3620ecffc967aa55eed1a42d6e7a138b853557ac84689889f6d0c8553575fb89b4e13eab5537da72ef16f0d72f5e8505d97f110745193d550fa315fe88f672db90d73843e97ba1f3d087ba8eb39025bbffad37589a6199227303d9d8e7f1e3 ++Ctrl.hexxcghash = hexxcghash:fe3727fd99a5ac7987c2cfbe062129e3027bf5e10310c6bccde9c916c8329dc2 ++Ctrl.hexsession_id = hexsession_id:fffa598bc0ad2ae84dc8dc05b1f72c5b0134025ae7edf8a2e8db11472e18e1fc ++Ctrl.type = type:A ++Output = 36730bae8de5cb98898d6b4a00b37058 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000010044708c76616f700bd31b0c155ef74e36390eeb39bc5c32cdc90e21922b0ed930b5b519c8afebef0f4e4fb5b41b81d649d2127506620b594e9899f7f0d442ecddd68308307b82f00065e9d75220a5a6f5641795772132215a236064ea965c6493c21f89879730ebbc3c20a22d8f5bfd07b525b194323b22d8a49944d1aa58502e756101ef1e8a91c9310e71f6db65a3ad0a542cfa751f83721a99e89f1dbe54971a3620ecffc967aa55eed1a42d6e7a138b853557ac84689889f6d0c8553575fb89b4e13eab5537da72ef16f0d72f5e8505d97f110745193d550fa315fe88f672db90d73843e97ba1f3d087ba8eb39025bbffad37589a6199227303d9d8e7f1e3 ++Ctrl.hexxcghash = hexxcghash:fe3727fd99a5ac7987c2cfbe062129e3027bf5e10310c6bccde9c916c8329dc2 ++Ctrl.hexsession_id = hexsession_id:fffa598bc0ad2ae84dc8dc05b1f72c5b0134025ae7edf8a2e8db11472e18e1fc ++Ctrl.type = type:B ++Output = 5dfe446a83f40e8358d28cb97df8f340 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000010044708c76616f700bd31b0c155ef74e36390eeb39bc5c32cdc90e21922b0ed930b5b519c8afebef0f4e4fb5b41b81d649d2127506620b594e9899f7f0d442ecddd68308307b82f00065e9d75220a5a6f5641795772132215a236064ea965c6493c21f89879730ebbc3c20a22d8f5bfd07b525b194323b22d8a49944d1aa58502e756101ef1e8a91c9310e71f6db65a3ad0a542cfa751f83721a99e89f1dbe54971a3620ecffc967aa55eed1a42d6e7a138b853557ac84689889f6d0c8553575fb89b4e13eab5537da72ef16f0d72f5e8505d97f110745193d550fa315fe88f672db90d73843e97ba1f3d087ba8eb39025bbffad37589a6199227303d9d8e7f1e3 ++Ctrl.hexxcghash = hexxcghash:fe3727fd99a5ac7987c2cfbe062129e3027bf5e10310c6bccde9c916c8329dc2 ++Ctrl.hexsession_id = hexsession_id:fffa598bc0ad2ae84dc8dc05b1f72c5b0134025ae7edf8a2e8db11472e18e1fc ++Ctrl.type = type:C ++Output = 495b7afed0872b761437728e9e94e2b8 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000010044708c76616f700bd31b0c155ef74e36390eeb39bc5c32cdc90e21922b0ed930b5b519c8afebef0f4e4fb5b41b81d649d2127506620b594e9899f7f0d442ecddd68308307b82f00065e9d75220a5a6f5641795772132215a236064ea965c6493c21f89879730ebbc3c20a22d8f5bfd07b525b194323b22d8a49944d1aa58502e756101ef1e8a91c9310e71f6db65a3ad0a542cfa751f83721a99e89f1dbe54971a3620ecffc967aa55eed1a42d6e7a138b853557ac84689889f6d0c8553575fb89b4e13eab5537da72ef16f0d72f5e8505d97f110745193d550fa315fe88f672db90d73843e97ba1f3d087ba8eb39025bbffad37589a6199227303d9d8e7f1e3 ++Ctrl.hexxcghash = hexxcghash:fe3727fd99a5ac7987c2cfbe062129e3027bf5e10310c6bccde9c916c8329dc2 ++Ctrl.hexsession_id = hexsession_id:fffa598bc0ad2ae84dc8dc05b1f72c5b0134025ae7edf8a2e8db11472e18e1fc ++Ctrl.type = type:D ++Output = c1474b3925bec36f0b7f6cc698e949c8 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000010044708c76616f700bd31b0c155ef74e36390eeb39bc5c32cdc90e21922b0ed930b5b519c8afebef0f4e4fb5b41b81d649d2127506620b594e9899f7f0d442ecddd68308307b82f00065e9d75220a5a6f5641795772132215a236064ea965c6493c21f89879730ebbc3c20a22d8f5bfd07b525b194323b22d8a49944d1aa58502e756101ef1e8a91c9310e71f6db65a3ad0a542cfa751f83721a99e89f1dbe54971a3620ecffc967aa55eed1a42d6e7a138b853557ac84689889f6d0c8553575fb89b4e13eab5537da72ef16f0d72f5e8505d97f110745193d550fa315fe88f672db90d73843e97ba1f3d087ba8eb39025bbffad37589a6199227303d9d8e7f1e3 ++Ctrl.hexxcghash = hexxcghash:fe3727fd99a5ac7987c2cfbe062129e3027bf5e10310c6bccde9c916c8329dc2 ++Ctrl.hexsession_id = hexsession_id:fffa598bc0ad2ae84dc8dc05b1f72c5b0134025ae7edf8a2e8db11472e18e1fc ++Ctrl.type = type:E ++Output = b730f8df6a0697645be261169486c32a11612229276cbac5d8b3669afb2e4262 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000010044708c76616f700bd31b0c155ef74e36390eeb39bc5c32cdc90e21922b0ed930b5b519c8afebef0f4e4fb5b41b81d649d2127506620b594e9899f7f0d442ecddd68308307b82f00065e9d75220a5a6f5641795772132215a236064ea965c6493c21f89879730ebbc3c20a22d8f5bfd07b525b194323b22d8a49944d1aa58502e756101ef1e8a91c9310e71f6db65a3ad0a542cfa751f83721a99e89f1dbe54971a3620ecffc967aa55eed1a42d6e7a138b853557ac84689889f6d0c8553575fb89b4e13eab5537da72ef16f0d72f5e8505d97f110745193d550fa315fe88f672db90d73843e97ba1f3d087ba8eb39025bbffad37589a6199227303d9d8e7f1e3 ++Ctrl.hexxcghash = hexxcghash:fe3727fd99a5ac7987c2cfbe062129e3027bf5e10310c6bccde9c916c8329dc2 ++Ctrl.hexsession_id = hexsession_id:fffa598bc0ad2ae84dc8dc05b1f72c5b0134025ae7edf8a2e8db11472e18e1fc ++Ctrl.type = type:F ++Output = 14a5ea98245fb058978b82a3cb092b1cca7ce0109a4f98c16e1529579d58b819 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000101009b1c637286720d11a9030260e35726621f54115560c443ded98d5622f4007cb65427ba8ae0831f34452349993c74933466f3307e11452150f4640010ed7d1ab87656232d9659d9982e8227c25d648189d2bdda3283aa5dec8a2105af0fa840592a21d96eebb932f8ff36f94a2e4fc3819d7c9f0d26a472fb5ae5a43a2d4906247d59c42512dda252205f60042e1900e1581127f25ace253b62a83f62d4703281a294f240df2aa34ddf437c9f278278120bc10e2cb99f7804ecd6741b1be5520c553cb89747f79b4e4efd3cf09b484eb1eb034d220da457546a2ebb28d7f2faf67de0630757b8ae05e27a761956d2e190fe3fb93b1c7c142f62baeb089721cedc ++Ctrl.hexxcghash = hexxcghash:cad407a823551726f9bdcb78e8f351536e4406e8ee64947ecc0074662c7c0462 ++Ctrl.hexsession_id = hexsession_id:a9c8207642627e6ee872999123b29e36abfdd071dba36ea6f0c11dd59ea46410 ++Ctrl.type = type:A ++Output = 32d20a3f5e92b20fe100f4f41a1ad53c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000101009b1c637286720d11a9030260e35726621f54115560c443ded98d5622f4007cb65427ba8ae0831f34452349993c74933466f3307e11452150f4640010ed7d1ab87656232d9659d9982e8227c25d648189d2bdda3283aa5dec8a2105af0fa840592a21d96eebb932f8ff36f94a2e4fc3819d7c9f0d26a472fb5ae5a43a2d4906247d59c42512dda252205f60042e1900e1581127f25ace253b62a83f62d4703281a294f240df2aa34ddf437c9f278278120bc10e2cb99f7804ecd6741b1be5520c553cb89747f79b4e4efd3cf09b484eb1eb034d220da457546a2ebb28d7f2faf67de0630757b8ae05e27a761956d2e190fe3fb93b1c7c142f62baeb089721cedc ++Ctrl.hexxcghash = hexxcghash:cad407a823551726f9bdcb78e8f351536e4406e8ee64947ecc0074662c7c0462 ++Ctrl.hexsession_id = hexsession_id:a9c8207642627e6ee872999123b29e36abfdd071dba36ea6f0c11dd59ea46410 ++Ctrl.type = type:B ++Output = c3a3ff57f99187ba011fd422100af577 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000101009b1c637286720d11a9030260e35726621f54115560c443ded98d5622f4007cb65427ba8ae0831f34452349993c74933466f3307e11452150f4640010ed7d1ab87656232d9659d9982e8227c25d648189d2bdda3283aa5dec8a2105af0fa840592a21d96eebb932f8ff36f94a2e4fc3819d7c9f0d26a472fb5ae5a43a2d4906247d59c42512dda252205f60042e1900e1581127f25ace253b62a83f62d4703281a294f240df2aa34ddf437c9f278278120bc10e2cb99f7804ecd6741b1be5520c553cb89747f79b4e4efd3cf09b484eb1eb034d220da457546a2ebb28d7f2faf67de0630757b8ae05e27a761956d2e190fe3fb93b1c7c142f62baeb089721cedc ++Ctrl.hexxcghash = hexxcghash:cad407a823551726f9bdcb78e8f351536e4406e8ee64947ecc0074662c7c0462 ++Ctrl.hexsession_id = hexsession_id:a9c8207642627e6ee872999123b29e36abfdd071dba36ea6f0c11dd59ea46410 ++Ctrl.type = type:C ++Output = 8517903c49d5a59ad8ef7cd8591c6b5e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000101009b1c637286720d11a9030260e35726621f54115560c443ded98d5622f4007cb65427ba8ae0831f34452349993c74933466f3307e11452150f4640010ed7d1ab87656232d9659d9982e8227c25d648189d2bdda3283aa5dec8a2105af0fa840592a21d96eebb932f8ff36f94a2e4fc3819d7c9f0d26a472fb5ae5a43a2d4906247d59c42512dda252205f60042e1900e1581127f25ace253b62a83f62d4703281a294f240df2aa34ddf437c9f278278120bc10e2cb99f7804ecd6741b1be5520c553cb89747f79b4e4efd3cf09b484eb1eb034d220da457546a2ebb28d7f2faf67de0630757b8ae05e27a761956d2e190fe3fb93b1c7c142f62baeb089721cedc ++Ctrl.hexxcghash = hexxcghash:cad407a823551726f9bdcb78e8f351536e4406e8ee64947ecc0074662c7c0462 ++Ctrl.hexsession_id = hexsession_id:a9c8207642627e6ee872999123b29e36abfdd071dba36ea6f0c11dd59ea46410 ++Ctrl.type = type:D ++Output = a5ad201101a617f1cd5b3a2baa3b27f7 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000101009b1c637286720d11a9030260e35726621f54115560c443ded98d5622f4007cb65427ba8ae0831f34452349993c74933466f3307e11452150f4640010ed7d1ab87656232d9659d9982e8227c25d648189d2bdda3283aa5dec8a2105af0fa840592a21d96eebb932f8ff36f94a2e4fc3819d7c9f0d26a472fb5ae5a43a2d4906247d59c42512dda252205f60042e1900e1581127f25ace253b62a83f62d4703281a294f240df2aa34ddf437c9f278278120bc10e2cb99f7804ecd6741b1be5520c553cb89747f79b4e4efd3cf09b484eb1eb034d220da457546a2ebb28d7f2faf67de0630757b8ae05e27a761956d2e190fe3fb93b1c7c142f62baeb089721cedc ++Ctrl.hexxcghash = hexxcghash:cad407a823551726f9bdcb78e8f351536e4406e8ee64947ecc0074662c7c0462 ++Ctrl.hexsession_id = hexsession_id:a9c8207642627e6ee872999123b29e36abfdd071dba36ea6f0c11dd59ea46410 ++Ctrl.type = type:E ++Output = 16747a23fddd72f785c5d61dfb81a5a38555f5d8ff1dc5ae4fb423b82adfe05b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000101009b1c637286720d11a9030260e35726621f54115560c443ded98d5622f4007cb65427ba8ae0831f34452349993c74933466f3307e11452150f4640010ed7d1ab87656232d9659d9982e8227c25d648189d2bdda3283aa5dec8a2105af0fa840592a21d96eebb932f8ff36f94a2e4fc3819d7c9f0d26a472fb5ae5a43a2d4906247d59c42512dda252205f60042e1900e1581127f25ace253b62a83f62d4703281a294f240df2aa34ddf437c9f278278120bc10e2cb99f7804ecd6741b1be5520c553cb89747f79b4e4efd3cf09b484eb1eb034d220da457546a2ebb28d7f2faf67de0630757b8ae05e27a761956d2e190fe3fb93b1c7c142f62baeb089721cedc ++Ctrl.hexxcghash = hexxcghash:cad407a823551726f9bdcb78e8f351536e4406e8ee64947ecc0074662c7c0462 ++Ctrl.hexsession_id = hexsession_id:a9c8207642627e6ee872999123b29e36abfdd071dba36ea6f0c11dd59ea46410 ++Ctrl.type = type:F ++Output = b1b1bba896b0fd75a90187eae6cdf744d23884caa5f4ca979ced327ca1239771 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000101008cd7061a3591b477989a4deb1bfc6debe874f753a4686eef11d1fa0e6796800db97c38497992b220d6e40d8f9154743b533666c8689db8cdffd38ac4009f85cfc6e48dc2fe94f78870138994ab4189e8d461a00b03425d8d838061b44e7ccd41e3a0332ab68afbf2919763c9f03747637db87a50d766504199fba6c34d216580fcd77756a6004ff485a79cdb646f0adde47a727e028261c808e0cb31928071701a0f2d2d237c293b93e80854f4e43243eaeb96cc25e00f74e2cd414c72774c7995757e93c0a9aac5ef5b0d23bef9ce475bfe697d14b815eeb0535d6e7e438bdb54aa2d8f50d05564d17c3ff2bc3451ca5b932f320c20f1c256c61ed503be2528 ++Ctrl.hexxcghash = hexxcghash:53fc521edf6dea9daf619676276766508d32c1964943e9bd40b4ed2cdefa7c20 ++Ctrl.hexsession_id = hexsession_id:14c6727d8e211c7632f930e716ab360e0916b1da3409367ef52d9e21512c700d ++Ctrl.type = type:A ++Output = b5c636c93e002f1fac0b78eb423d92cf ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000101008cd7061a3591b477989a4deb1bfc6debe874f753a4686eef11d1fa0e6796800db97c38497992b220d6e40d8f9154743b533666c8689db8cdffd38ac4009f85cfc6e48dc2fe94f78870138994ab4189e8d461a00b03425d8d838061b44e7ccd41e3a0332ab68afbf2919763c9f03747637db87a50d766504199fba6c34d216580fcd77756a6004ff485a79cdb646f0adde47a727e028261c808e0cb31928071701a0f2d2d237c293b93e80854f4e43243eaeb96cc25e00f74e2cd414c72774c7995757e93c0a9aac5ef5b0d23bef9ce475bfe697d14b815eeb0535d6e7e438bdb54aa2d8f50d05564d17c3ff2bc3451ca5b932f320c20f1c256c61ed503be2528 ++Ctrl.hexxcghash = hexxcghash:53fc521edf6dea9daf619676276766508d32c1964943e9bd40b4ed2cdefa7c20 ++Ctrl.hexsession_id = hexsession_id:14c6727d8e211c7632f930e716ab360e0916b1da3409367ef52d9e21512c700d ++Ctrl.type = type:B ++Output = 64d82bef35e924abf030fe42cda10e81 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000101008cd7061a3591b477989a4deb1bfc6debe874f753a4686eef11d1fa0e6796800db97c38497992b220d6e40d8f9154743b533666c8689db8cdffd38ac4009f85cfc6e48dc2fe94f78870138994ab4189e8d461a00b03425d8d838061b44e7ccd41e3a0332ab68afbf2919763c9f03747637db87a50d766504199fba6c34d216580fcd77756a6004ff485a79cdb646f0adde47a727e028261c808e0cb31928071701a0f2d2d237c293b93e80854f4e43243eaeb96cc25e00f74e2cd414c72774c7995757e93c0a9aac5ef5b0d23bef9ce475bfe697d14b815eeb0535d6e7e438bdb54aa2d8f50d05564d17c3ff2bc3451ca5b932f320c20f1c256c61ed503be2528 ++Ctrl.hexxcghash = hexxcghash:53fc521edf6dea9daf619676276766508d32c1964943e9bd40b4ed2cdefa7c20 ++Ctrl.hexsession_id = hexsession_id:14c6727d8e211c7632f930e716ab360e0916b1da3409367ef52d9e21512c700d ++Ctrl.type = type:C ++Output = 76a1b8b85d0ea49c68f30d7448155901 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000101008cd7061a3591b477989a4deb1bfc6debe874f753a4686eef11d1fa0e6796800db97c38497992b220d6e40d8f9154743b533666c8689db8cdffd38ac4009f85cfc6e48dc2fe94f78870138994ab4189e8d461a00b03425d8d838061b44e7ccd41e3a0332ab68afbf2919763c9f03747637db87a50d766504199fba6c34d216580fcd77756a6004ff485a79cdb646f0adde47a727e028261c808e0cb31928071701a0f2d2d237c293b93e80854f4e43243eaeb96cc25e00f74e2cd414c72774c7995757e93c0a9aac5ef5b0d23bef9ce475bfe697d14b815eeb0535d6e7e438bdb54aa2d8f50d05564d17c3ff2bc3451ca5b932f320c20f1c256c61ed503be2528 ++Ctrl.hexxcghash = hexxcghash:53fc521edf6dea9daf619676276766508d32c1964943e9bd40b4ed2cdefa7c20 ++Ctrl.hexsession_id = hexsession_id:14c6727d8e211c7632f930e716ab360e0916b1da3409367ef52d9e21512c700d ++Ctrl.type = type:D ++Output = f136e09324b1ef12b92bf35d5b3dd8e2 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000101008cd7061a3591b477989a4deb1bfc6debe874f753a4686eef11d1fa0e6796800db97c38497992b220d6e40d8f9154743b533666c8689db8cdffd38ac4009f85cfc6e48dc2fe94f78870138994ab4189e8d461a00b03425d8d838061b44e7ccd41e3a0332ab68afbf2919763c9f03747637db87a50d766504199fba6c34d216580fcd77756a6004ff485a79cdb646f0adde47a727e028261c808e0cb31928071701a0f2d2d237c293b93e80854f4e43243eaeb96cc25e00f74e2cd414c72774c7995757e93c0a9aac5ef5b0d23bef9ce475bfe697d14b815eeb0535d6e7e438bdb54aa2d8f50d05564d17c3ff2bc3451ca5b932f320c20f1c256c61ed503be2528 ++Ctrl.hexxcghash = hexxcghash:53fc521edf6dea9daf619676276766508d32c1964943e9bd40b4ed2cdefa7c20 ++Ctrl.hexsession_id = hexsession_id:14c6727d8e211c7632f930e716ab360e0916b1da3409367ef52d9e21512c700d ++Ctrl.type = type:E ++Output = 77abc45165b126f9127d59fbe655140cd3f768cd0498c29aa69cb5d65f7b0d50 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000101008cd7061a3591b477989a4deb1bfc6debe874f753a4686eef11d1fa0e6796800db97c38497992b220d6e40d8f9154743b533666c8689db8cdffd38ac4009f85cfc6e48dc2fe94f78870138994ab4189e8d461a00b03425d8d838061b44e7ccd41e3a0332ab68afbf2919763c9f03747637db87a50d766504199fba6c34d216580fcd77756a6004ff485a79cdb646f0adde47a727e028261c808e0cb31928071701a0f2d2d237c293b93e80854f4e43243eaeb96cc25e00f74e2cd414c72774c7995757e93c0a9aac5ef5b0d23bef9ce475bfe697d14b815eeb0535d6e7e438bdb54aa2d8f50d05564d17c3ff2bc3451ca5b932f320c20f1c256c61ed503be2528 ++Ctrl.hexxcghash = hexxcghash:53fc521edf6dea9daf619676276766508d32c1964943e9bd40b4ed2cdefa7c20 ++Ctrl.hexsession_id = hexsession_id:14c6727d8e211c7632f930e716ab360e0916b1da3409367ef52d9e21512c700d ++Ctrl.type = type:F ++Output = d43f93faf692f59bc96fd480fb336033c94ee237ceece69691ffaa64bdd7fcc1 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000101009b0b6fe41d565564f87ae984aadc75902d95828bdee0bba0ecc176afd5cc9c3ec79a34a9f7cf44ee6cbdcb5d8f027bb64c4c3b73e2f891ee06b781f3d7f02b59f95cbbfb2725b208856f3ebb8195fef1596248d56a371ed7acf3b973c627976e0cf156f340aa01acfbe9b574d4dedd4cbb66cb6ca5d9e76f16385be532fed8dd65735a3ecddeeb295133bb8a59499b4777242a4a7e463481d26baece4c7ef224aaf40af4d5108d024f5dd174cfdb91213939e355b0a1ca51ed6f7f584a4e47a0f1482d6a5768b1236e25d837cc8a2b49b2176bb54b2f77f4212ba394336e6a6046def9205fe482d98fcdd8d0a2643a39d753d2d481fe6689b0dc0d1c078335b7 ++Ctrl.hexxcghash = hexxcghash:27faf1b9a15e505a0b46c47e2bf6ab5fff37a6dadb09e96ea9562091f1d88ce0 ++Ctrl.hexsession_id = hexsession_id:6b52ddb87a66f0f1bb0dad39b462e7bd42bdeb99049d5a3581ca6f056c398228 ++Ctrl.type = type:A ++Output = 3b3c4416d3121a6838dd3f94a84b6ec6 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000101009b0b6fe41d565564f87ae984aadc75902d95828bdee0bba0ecc176afd5cc9c3ec79a34a9f7cf44ee6cbdcb5d8f027bb64c4c3b73e2f891ee06b781f3d7f02b59f95cbbfb2725b208856f3ebb8195fef1596248d56a371ed7acf3b973c627976e0cf156f340aa01acfbe9b574d4dedd4cbb66cb6ca5d9e76f16385be532fed8dd65735a3ecddeeb295133bb8a59499b4777242a4a7e463481d26baece4c7ef224aaf40af4d5108d024f5dd174cfdb91213939e355b0a1ca51ed6f7f584a4e47a0f1482d6a5768b1236e25d837cc8a2b49b2176bb54b2f77f4212ba394336e6a6046def9205fe482d98fcdd8d0a2643a39d753d2d481fe6689b0dc0d1c078335b7 ++Ctrl.hexxcghash = hexxcghash:27faf1b9a15e505a0b46c47e2bf6ab5fff37a6dadb09e96ea9562091f1d88ce0 ++Ctrl.hexsession_id = hexsession_id:6b52ddb87a66f0f1bb0dad39b462e7bd42bdeb99049d5a3581ca6f056c398228 ++Ctrl.type = type:B ++Output = e0af22a9184e5cea74f3e90faf5212ba ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000101009b0b6fe41d565564f87ae984aadc75902d95828bdee0bba0ecc176afd5cc9c3ec79a34a9f7cf44ee6cbdcb5d8f027bb64c4c3b73e2f891ee06b781f3d7f02b59f95cbbfb2725b208856f3ebb8195fef1596248d56a371ed7acf3b973c627976e0cf156f340aa01acfbe9b574d4dedd4cbb66cb6ca5d9e76f16385be532fed8dd65735a3ecddeeb295133bb8a59499b4777242a4a7e463481d26baece4c7ef224aaf40af4d5108d024f5dd174cfdb91213939e355b0a1ca51ed6f7f584a4e47a0f1482d6a5768b1236e25d837cc8a2b49b2176bb54b2f77f4212ba394336e6a6046def9205fe482d98fcdd8d0a2643a39d753d2d481fe6689b0dc0d1c078335b7 ++Ctrl.hexxcghash = hexxcghash:27faf1b9a15e505a0b46c47e2bf6ab5fff37a6dadb09e96ea9562091f1d88ce0 ++Ctrl.hexsession_id = hexsession_id:6b52ddb87a66f0f1bb0dad39b462e7bd42bdeb99049d5a3581ca6f056c398228 ++Ctrl.type = type:C ++Output = a3a7a9e48cc09a927e2d6eddd7647368 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000101009b0b6fe41d565564f87ae984aadc75902d95828bdee0bba0ecc176afd5cc9c3ec79a34a9f7cf44ee6cbdcb5d8f027bb64c4c3b73e2f891ee06b781f3d7f02b59f95cbbfb2725b208856f3ebb8195fef1596248d56a371ed7acf3b973c627976e0cf156f340aa01acfbe9b574d4dedd4cbb66cb6ca5d9e76f16385be532fed8dd65735a3ecddeeb295133bb8a59499b4777242a4a7e463481d26baece4c7ef224aaf40af4d5108d024f5dd174cfdb91213939e355b0a1ca51ed6f7f584a4e47a0f1482d6a5768b1236e25d837cc8a2b49b2176bb54b2f77f4212ba394336e6a6046def9205fe482d98fcdd8d0a2643a39d753d2d481fe6689b0dc0d1c078335b7 ++Ctrl.hexxcghash = hexxcghash:27faf1b9a15e505a0b46c47e2bf6ab5fff37a6dadb09e96ea9562091f1d88ce0 ++Ctrl.hexsession_id = hexsession_id:6b52ddb87a66f0f1bb0dad39b462e7bd42bdeb99049d5a3581ca6f056c398228 ++Ctrl.type = type:D ++Output = b9411d2870e885e223a6b414ae6ac813 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000101009b0b6fe41d565564f87ae984aadc75902d95828bdee0bba0ecc176afd5cc9c3ec79a34a9f7cf44ee6cbdcb5d8f027bb64c4c3b73e2f891ee06b781f3d7f02b59f95cbbfb2725b208856f3ebb8195fef1596248d56a371ed7acf3b973c627976e0cf156f340aa01acfbe9b574d4dedd4cbb66cb6ca5d9e76f16385be532fed8dd65735a3ecddeeb295133bb8a59499b4777242a4a7e463481d26baece4c7ef224aaf40af4d5108d024f5dd174cfdb91213939e355b0a1ca51ed6f7f584a4e47a0f1482d6a5768b1236e25d837cc8a2b49b2176bb54b2f77f4212ba394336e6a6046def9205fe482d98fcdd8d0a2643a39d753d2d481fe6689b0dc0d1c078335b7 ++Ctrl.hexxcghash = hexxcghash:27faf1b9a15e505a0b46c47e2bf6ab5fff37a6dadb09e96ea9562091f1d88ce0 ++Ctrl.hexsession_id = hexsession_id:6b52ddb87a66f0f1bb0dad39b462e7bd42bdeb99049d5a3581ca6f056c398228 ++Ctrl.type = type:E ++Output = 7f11812c28229fd8e39367b8885045313fea6322f22a69b6436caa4fb6c2d915 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000101009b0b6fe41d565564f87ae984aadc75902d95828bdee0bba0ecc176afd5cc9c3ec79a34a9f7cf44ee6cbdcb5d8f027bb64c4c3b73e2f891ee06b781f3d7f02b59f95cbbfb2725b208856f3ebb8195fef1596248d56a371ed7acf3b973c627976e0cf156f340aa01acfbe9b574d4dedd4cbb66cb6ca5d9e76f16385be532fed8dd65735a3ecddeeb295133bb8a59499b4777242a4a7e463481d26baece4c7ef224aaf40af4d5108d024f5dd174cfdb91213939e355b0a1ca51ed6f7f584a4e47a0f1482d6a5768b1236e25d837cc8a2b49b2176bb54b2f77f4212ba394336e6a6046def9205fe482d98fcdd8d0a2643a39d753d2d481fe6689b0dc0d1c078335b7 ++Ctrl.hexxcghash = hexxcghash:27faf1b9a15e505a0b46c47e2bf6ab5fff37a6dadb09e96ea9562091f1d88ce0 ++Ctrl.hexsession_id = hexsession_id:6b52ddb87a66f0f1bb0dad39b462e7bd42bdeb99049d5a3581ca6f056c398228 ++Ctrl.type = type:F ++Output = 4fc39e2a1e7038f2664a48986e8227c213e577eafea082f46cb08d087e642fe4 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000100435266668e94e5f35d31f10f7b486bed8a88465cf30711e54f8c6550a917916fb7160c41880d364df5084446d7834e32917882c10eef49f8192fa6ff4c9498a12d87bbf710d4bba3e76a6681c7ac3470e6f5e80c55851dcca38a9ce48b015ab73b24e28e0553f3a1bbe1dfa9b67bb9cb9372ad0fb0aaf443c3a8927d00b9b2705f4d1b219c80f7caa637c986de79410c5924943128e64cf869491f19c1646cb403d8543d5aaaea7fbaaaa1a846b9851f4f708b14266e55839e1d61b67a60359c2c111841839225c0f940252506be02ba43fcc7c4be7cb01c64094fbd9a78cc331c6e7809e0be3a4b693adfeedd1b20ad36d321498b396fce7cf169b2fb10e54b ++Ctrl.hexxcghash = hexxcghash:d7303e57a2bf969f815c1b2fd08a879226c0e95c9897fb5586200c0f5e0a8a23 ++Ctrl.hexsession_id = hexsession_id:20ace711e8190f5bbd2168bc93061c903899acd41697b76d0f6667d2bf345725 ++Ctrl.type = type:A ++Output = b71bd280b230b6fb9b326a3544ab9c90 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000100435266668e94e5f35d31f10f7b486bed8a88465cf30711e54f8c6550a917916fb7160c41880d364df5084446d7834e32917882c10eef49f8192fa6ff4c9498a12d87bbf710d4bba3e76a6681c7ac3470e6f5e80c55851dcca38a9ce48b015ab73b24e28e0553f3a1bbe1dfa9b67bb9cb9372ad0fb0aaf443c3a8927d00b9b2705f4d1b219c80f7caa637c986de79410c5924943128e64cf869491f19c1646cb403d8543d5aaaea7fbaaaa1a846b9851f4f708b14266e55839e1d61b67a60359c2c111841839225c0f940252506be02ba43fcc7c4be7cb01c64094fbd9a78cc331c6e7809e0be3a4b693adfeedd1b20ad36d321498b396fce7cf169b2fb10e54b ++Ctrl.hexxcghash = hexxcghash:d7303e57a2bf969f815c1b2fd08a879226c0e95c9897fb5586200c0f5e0a8a23 ++Ctrl.hexsession_id = hexsession_id:20ace711e8190f5bbd2168bc93061c903899acd41697b76d0f6667d2bf345725 ++Ctrl.type = type:B ++Output = ca38c1b5940e1417fb8caa6ab6deaf18 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000100435266668e94e5f35d31f10f7b486bed8a88465cf30711e54f8c6550a917916fb7160c41880d364df5084446d7834e32917882c10eef49f8192fa6ff4c9498a12d87bbf710d4bba3e76a6681c7ac3470e6f5e80c55851dcca38a9ce48b015ab73b24e28e0553f3a1bbe1dfa9b67bb9cb9372ad0fb0aaf443c3a8927d00b9b2705f4d1b219c80f7caa637c986de79410c5924943128e64cf869491f19c1646cb403d8543d5aaaea7fbaaaa1a846b9851f4f708b14266e55839e1d61b67a60359c2c111841839225c0f940252506be02ba43fcc7c4be7cb01c64094fbd9a78cc331c6e7809e0be3a4b693adfeedd1b20ad36d321498b396fce7cf169b2fb10e54b ++Ctrl.hexxcghash = hexxcghash:d7303e57a2bf969f815c1b2fd08a879226c0e95c9897fb5586200c0f5e0a8a23 ++Ctrl.hexsession_id = hexsession_id:20ace711e8190f5bbd2168bc93061c903899acd41697b76d0f6667d2bf345725 ++Ctrl.type = type:C ++Output = 5d02347e16760101a3689bf0087ed947 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000100435266668e94e5f35d31f10f7b486bed8a88465cf30711e54f8c6550a917916fb7160c41880d364df5084446d7834e32917882c10eef49f8192fa6ff4c9498a12d87bbf710d4bba3e76a6681c7ac3470e6f5e80c55851dcca38a9ce48b015ab73b24e28e0553f3a1bbe1dfa9b67bb9cb9372ad0fb0aaf443c3a8927d00b9b2705f4d1b219c80f7caa637c986de79410c5924943128e64cf869491f19c1646cb403d8543d5aaaea7fbaaaa1a846b9851f4f708b14266e55839e1d61b67a60359c2c111841839225c0f940252506be02ba43fcc7c4be7cb01c64094fbd9a78cc331c6e7809e0be3a4b693adfeedd1b20ad36d321498b396fce7cf169b2fb10e54b ++Ctrl.hexxcghash = hexxcghash:d7303e57a2bf969f815c1b2fd08a879226c0e95c9897fb5586200c0f5e0a8a23 ++Ctrl.hexsession_id = hexsession_id:20ace711e8190f5bbd2168bc93061c903899acd41697b76d0f6667d2bf345725 ++Ctrl.type = type:D ++Output = 2fb5e0eb5552f7e26ad9651bd22f1666 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000100435266668e94e5f35d31f10f7b486bed8a88465cf30711e54f8c6550a917916fb7160c41880d364df5084446d7834e32917882c10eef49f8192fa6ff4c9498a12d87bbf710d4bba3e76a6681c7ac3470e6f5e80c55851dcca38a9ce48b015ab73b24e28e0553f3a1bbe1dfa9b67bb9cb9372ad0fb0aaf443c3a8927d00b9b2705f4d1b219c80f7caa637c986de79410c5924943128e64cf869491f19c1646cb403d8543d5aaaea7fbaaaa1a846b9851f4f708b14266e55839e1d61b67a60359c2c111841839225c0f940252506be02ba43fcc7c4be7cb01c64094fbd9a78cc331c6e7809e0be3a4b693adfeedd1b20ad36d321498b396fce7cf169b2fb10e54b ++Ctrl.hexxcghash = hexxcghash:d7303e57a2bf969f815c1b2fd08a879226c0e95c9897fb5586200c0f5e0a8a23 ++Ctrl.hexsession_id = hexsession_id:20ace711e8190f5bbd2168bc93061c903899acd41697b76d0f6667d2bf345725 ++Ctrl.type = type:E ++Output = b7b7c4292a73e7d378284b12b318e0cd3ad714904b4ef9c83d44ee06ff49b1e1 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000100435266668e94e5f35d31f10f7b486bed8a88465cf30711e54f8c6550a917916fb7160c41880d364df5084446d7834e32917882c10eef49f8192fa6ff4c9498a12d87bbf710d4bba3e76a6681c7ac3470e6f5e80c55851dcca38a9ce48b015ab73b24e28e0553f3a1bbe1dfa9b67bb9cb9372ad0fb0aaf443c3a8927d00b9b2705f4d1b219c80f7caa637c986de79410c5924943128e64cf869491f19c1646cb403d8543d5aaaea7fbaaaa1a846b9851f4f708b14266e55839e1d61b67a60359c2c111841839225c0f940252506be02ba43fcc7c4be7cb01c64094fbd9a78cc331c6e7809e0be3a4b693adfeedd1b20ad36d321498b396fce7cf169b2fb10e54b ++Ctrl.hexxcghash = hexxcghash:d7303e57a2bf969f815c1b2fd08a879226c0e95c9897fb5586200c0f5e0a8a23 ++Ctrl.hexsession_id = hexsession_id:20ace711e8190f5bbd2168bc93061c903899acd41697b76d0f6667d2bf345725 ++Ctrl.type = type:F ++Output = c9884e71b158f2255fb204733e888bc5b2ee38a5493de9d0ef6700949159ac6a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000100745f5abd8fb685eaae10854a96900806cd7d17d2d255990328594a4fdbb9fa28088ccb8fbf92ef23492a595f92c49d5fa32ea5ef6d76000635fb58496c9db824aaa41b67c3c2e8bdd525f6c6a224562c670076f6efd21fe49222c2627596b775c56dff5d477cd4cc008ef566086a495cf4ba634af20a42fb13fa52597dc252edebdfa57592494fd9cd44d0f7e27d6a6ff370876c42733977db656d7372d553c2ffc824fb02375e55069d5cccb493ec77001fb4cd73cbec6976bd45ae2cc0812c078784d917c0a0a54d8df6c745a2710828939be0685d7fc1657eee9c4dbc71615fab0174e62fb7971fa20f6d6b2da1c22c0a35c781c9dbdf009cec3d89891afc ++Ctrl.hexxcghash = hexxcghash:35f601a7877ef637d6c40b4f2e1d85b888eceac9f37e686254f9d707b22bd764 ++Ctrl.hexsession_id = hexsession_id:d04bce75141ed2a44942d98354ded46e861da28fc1175e5a22e8dddad4942f9a ++Ctrl.type = type:A ++Output = 88af3bdb49bd8e9d24489efc95dea1c1 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000100745f5abd8fb685eaae10854a96900806cd7d17d2d255990328594a4fdbb9fa28088ccb8fbf92ef23492a595f92c49d5fa32ea5ef6d76000635fb58496c9db824aaa41b67c3c2e8bdd525f6c6a224562c670076f6efd21fe49222c2627596b775c56dff5d477cd4cc008ef566086a495cf4ba634af20a42fb13fa52597dc252edebdfa57592494fd9cd44d0f7e27d6a6ff370876c42733977db656d7372d553c2ffc824fb02375e55069d5cccb493ec77001fb4cd73cbec6976bd45ae2cc0812c078784d917c0a0a54d8df6c745a2710828939be0685d7fc1657eee9c4dbc71615fab0174e62fb7971fa20f6d6b2da1c22c0a35c781c9dbdf009cec3d89891afc ++Ctrl.hexxcghash = hexxcghash:35f601a7877ef637d6c40b4f2e1d85b888eceac9f37e686254f9d707b22bd764 ++Ctrl.hexsession_id = hexsession_id:d04bce75141ed2a44942d98354ded46e861da28fc1175e5a22e8dddad4942f9a ++Ctrl.type = type:B ++Output = 5cf41e1d43f797c16a30e070f2f37dd4 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000100745f5abd8fb685eaae10854a96900806cd7d17d2d255990328594a4fdbb9fa28088ccb8fbf92ef23492a595f92c49d5fa32ea5ef6d76000635fb58496c9db824aaa41b67c3c2e8bdd525f6c6a224562c670076f6efd21fe49222c2627596b775c56dff5d477cd4cc008ef566086a495cf4ba634af20a42fb13fa52597dc252edebdfa57592494fd9cd44d0f7e27d6a6ff370876c42733977db656d7372d553c2ffc824fb02375e55069d5cccb493ec77001fb4cd73cbec6976bd45ae2cc0812c078784d917c0a0a54d8df6c745a2710828939be0685d7fc1657eee9c4dbc71615fab0174e62fb7971fa20f6d6b2da1c22c0a35c781c9dbdf009cec3d89891afc ++Ctrl.hexxcghash = hexxcghash:35f601a7877ef637d6c40b4f2e1d85b888eceac9f37e686254f9d707b22bd764 ++Ctrl.hexsession_id = hexsession_id:d04bce75141ed2a44942d98354ded46e861da28fc1175e5a22e8dddad4942f9a ++Ctrl.type = type:C ++Output = 7cc48e0f8b4bdd63f76e41ba411d7f37 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000100745f5abd8fb685eaae10854a96900806cd7d17d2d255990328594a4fdbb9fa28088ccb8fbf92ef23492a595f92c49d5fa32ea5ef6d76000635fb58496c9db824aaa41b67c3c2e8bdd525f6c6a224562c670076f6efd21fe49222c2627596b775c56dff5d477cd4cc008ef566086a495cf4ba634af20a42fb13fa52597dc252edebdfa57592494fd9cd44d0f7e27d6a6ff370876c42733977db656d7372d553c2ffc824fb02375e55069d5cccb493ec77001fb4cd73cbec6976bd45ae2cc0812c078784d917c0a0a54d8df6c745a2710828939be0685d7fc1657eee9c4dbc71615fab0174e62fb7971fa20f6d6b2da1c22c0a35c781c9dbdf009cec3d89891afc ++Ctrl.hexxcghash = hexxcghash:35f601a7877ef637d6c40b4f2e1d85b888eceac9f37e686254f9d707b22bd764 ++Ctrl.hexsession_id = hexsession_id:d04bce75141ed2a44942d98354ded46e861da28fc1175e5a22e8dddad4942f9a ++Ctrl.type = type:D ++Output = 37d942416267be06cd1ff9498dcf1e6e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000100745f5abd8fb685eaae10854a96900806cd7d17d2d255990328594a4fdbb9fa28088ccb8fbf92ef23492a595f92c49d5fa32ea5ef6d76000635fb58496c9db824aaa41b67c3c2e8bdd525f6c6a224562c670076f6efd21fe49222c2627596b775c56dff5d477cd4cc008ef566086a495cf4ba634af20a42fb13fa52597dc252edebdfa57592494fd9cd44d0f7e27d6a6ff370876c42733977db656d7372d553c2ffc824fb02375e55069d5cccb493ec77001fb4cd73cbec6976bd45ae2cc0812c078784d917c0a0a54d8df6c745a2710828939be0685d7fc1657eee9c4dbc71615fab0174e62fb7971fa20f6d6b2da1c22c0a35c781c9dbdf009cec3d89891afc ++Ctrl.hexxcghash = hexxcghash:35f601a7877ef637d6c40b4f2e1d85b888eceac9f37e686254f9d707b22bd764 ++Ctrl.hexsession_id = hexsession_id:d04bce75141ed2a44942d98354ded46e861da28fc1175e5a22e8dddad4942f9a ++Ctrl.type = type:E ++Output = c3c8b48e228a3a671ae8c48aa4e4f1fe32c1ad4d5ae48c904836d13e7350f72e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:00000100745f5abd8fb685eaae10854a96900806cd7d17d2d255990328594a4fdbb9fa28088ccb8fbf92ef23492a595f92c49d5fa32ea5ef6d76000635fb58496c9db824aaa41b67c3c2e8bdd525f6c6a224562c670076f6efd21fe49222c2627596b775c56dff5d477cd4cc008ef566086a495cf4ba634af20a42fb13fa52597dc252edebdfa57592494fd9cd44d0f7e27d6a6ff370876c42733977db656d7372d553c2ffc824fb02375e55069d5cccb493ec77001fb4cd73cbec6976bd45ae2cc0812c078784d917c0a0a54d8df6c745a2710828939be0685d7fc1657eee9c4dbc71615fab0174e62fb7971fa20f6d6b2da1c22c0a35c781c9dbdf009cec3d89891afc ++Ctrl.hexxcghash = hexxcghash:35f601a7877ef637d6c40b4f2e1d85b888eceac9f37e686254f9d707b22bd764 ++Ctrl.hexsession_id = hexsession_id:d04bce75141ed2a44942d98354ded46e861da28fc1175e5a22e8dddad4942f9a ++Ctrl.type = type:F ++Output = 605f7d3b3f28a8967402ba67ff916a61b0a4e9b736665c5e911fb33f60dc16fe ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000001010089b741b0b9a6704f56df9aafe5f4294828fdc67f4243e9aa9b1d83166ad892f2d970fdff65eba7fa5eddb954dd86bda5262e084752c69c6b93c729ad34e9728f7c838c49f0e87349ae35feef1610b83a345c64c5b190fb5857bf0aa8419efba35789c258f19e8713e2729c184eab9d9c33a32ab3731d77e207a91849625bb855e581ca0be5d9f961aab9d65b463e416ee3d636ece573ead0d088a2fe05d87dd5ed21031f4dbea831112d3bd0e1cc1087a8395430cde3cb54d22a5965dd825329bee8c62d4599fb67ff90260204c6e608e6246f768e29a60cb85f580d4751f9c017cbf4e6062a160c6ff1d0c9d303a2c862a4986e22f72da79b17b868cee189a2 ++Ctrl.hexxcghash = hexxcghash:61e49599eb3b01e3d7bc65415ce7004e20bf77805a4ff09681f3856adc129943 ++Ctrl.hexsession_id = hexsession_id:832400eb1c4031502f7249d0a4279a7cbe4d4d6979289d02837d98b9ca16ff46 ++Ctrl.type = type:A ++Output = 7b91adc6eb48a6f82a8990efd2537903 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000001010089b741b0b9a6704f56df9aafe5f4294828fdc67f4243e9aa9b1d83166ad892f2d970fdff65eba7fa5eddb954dd86bda5262e084752c69c6b93c729ad34e9728f7c838c49f0e87349ae35feef1610b83a345c64c5b190fb5857bf0aa8419efba35789c258f19e8713e2729c184eab9d9c33a32ab3731d77e207a91849625bb855e581ca0be5d9f961aab9d65b463e416ee3d636ece573ead0d088a2fe05d87dd5ed21031f4dbea831112d3bd0e1cc1087a8395430cde3cb54d22a5965dd825329bee8c62d4599fb67ff90260204c6e608e6246f768e29a60cb85f580d4751f9c017cbf4e6062a160c6ff1d0c9d303a2c862a4986e22f72da79b17b868cee189a2 ++Ctrl.hexxcghash = hexxcghash:61e49599eb3b01e3d7bc65415ce7004e20bf77805a4ff09681f3856adc129943 ++Ctrl.hexsession_id = hexsession_id:832400eb1c4031502f7249d0a4279a7cbe4d4d6979289d02837d98b9ca16ff46 ++Ctrl.type = type:B ++Output = 814c8fb54a535b38d4c2301aa49ad702 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000001010089b741b0b9a6704f56df9aafe5f4294828fdc67f4243e9aa9b1d83166ad892f2d970fdff65eba7fa5eddb954dd86bda5262e084752c69c6b93c729ad34e9728f7c838c49f0e87349ae35feef1610b83a345c64c5b190fb5857bf0aa8419efba35789c258f19e8713e2729c184eab9d9c33a32ab3731d77e207a91849625bb855e581ca0be5d9f961aab9d65b463e416ee3d636ece573ead0d088a2fe05d87dd5ed21031f4dbea831112d3bd0e1cc1087a8395430cde3cb54d22a5965dd825329bee8c62d4599fb67ff90260204c6e608e6246f768e29a60cb85f580d4751f9c017cbf4e6062a160c6ff1d0c9d303a2c862a4986e22f72da79b17b868cee189a2 ++Ctrl.hexxcghash = hexxcghash:61e49599eb3b01e3d7bc65415ce7004e20bf77805a4ff09681f3856adc129943 ++Ctrl.hexsession_id = hexsession_id:832400eb1c4031502f7249d0a4279a7cbe4d4d6979289d02837d98b9ca16ff46 ++Ctrl.type = type:C ++Output = 3ec64c8571c7c7f39a9f37c0e1053324 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000001010089b741b0b9a6704f56df9aafe5f4294828fdc67f4243e9aa9b1d83166ad892f2d970fdff65eba7fa5eddb954dd86bda5262e084752c69c6b93c729ad34e9728f7c838c49f0e87349ae35feef1610b83a345c64c5b190fb5857bf0aa8419efba35789c258f19e8713e2729c184eab9d9c33a32ab3731d77e207a91849625bb855e581ca0be5d9f961aab9d65b463e416ee3d636ece573ead0d088a2fe05d87dd5ed21031f4dbea831112d3bd0e1cc1087a8395430cde3cb54d22a5965dd825329bee8c62d4599fb67ff90260204c6e608e6246f768e29a60cb85f580d4751f9c017cbf4e6062a160c6ff1d0c9d303a2c862a4986e22f72da79b17b868cee189a2 ++Ctrl.hexxcghash = hexxcghash:61e49599eb3b01e3d7bc65415ce7004e20bf77805a4ff09681f3856adc129943 ++Ctrl.hexsession_id = hexsession_id:832400eb1c4031502f7249d0a4279a7cbe4d4d6979289d02837d98b9ca16ff46 ++Ctrl.type = type:D ++Output = 846d40dc45123f2710e27bd3140070c8 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000001010089b741b0b9a6704f56df9aafe5f4294828fdc67f4243e9aa9b1d83166ad892f2d970fdff65eba7fa5eddb954dd86bda5262e084752c69c6b93c729ad34e9728f7c838c49f0e87349ae35feef1610b83a345c64c5b190fb5857bf0aa8419efba35789c258f19e8713e2729c184eab9d9c33a32ab3731d77e207a91849625bb855e581ca0be5d9f961aab9d65b463e416ee3d636ece573ead0d088a2fe05d87dd5ed21031f4dbea831112d3bd0e1cc1087a8395430cde3cb54d22a5965dd825329bee8c62d4599fb67ff90260204c6e608e6246f768e29a60cb85f580d4751f9c017cbf4e6062a160c6ff1d0c9d303a2c862a4986e22f72da79b17b868cee189a2 ++Ctrl.hexxcghash = hexxcghash:61e49599eb3b01e3d7bc65415ce7004e20bf77805a4ff09681f3856adc129943 ++Ctrl.hexsession_id = hexsession_id:832400eb1c4031502f7249d0a4279a7cbe4d4d6979289d02837d98b9ca16ff46 ++Ctrl.type = type:E ++Output = c2199b9bd701c2f4ee82a145adc28f3e8fac0af8dd43cb7f3da173681bcad2e0 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000001010089b741b0b9a6704f56df9aafe5f4294828fdc67f4243e9aa9b1d83166ad892f2d970fdff65eba7fa5eddb954dd86bda5262e084752c69c6b93c729ad34e9728f7c838c49f0e87349ae35feef1610b83a345c64c5b190fb5857bf0aa8419efba35789c258f19e8713e2729c184eab9d9c33a32ab3731d77e207a91849625bb855e581ca0be5d9f961aab9d65b463e416ee3d636ece573ead0d088a2fe05d87dd5ed21031f4dbea831112d3bd0e1cc1087a8395430cde3cb54d22a5965dd825329bee8c62d4599fb67ff90260204c6e608e6246f768e29a60cb85f580d4751f9c017cbf4e6062a160c6ff1d0c9d303a2c862a4986e22f72da79b17b868cee189a2 ++Ctrl.hexxcghash = hexxcghash:61e49599eb3b01e3d7bc65415ce7004e20bf77805a4ff09681f3856adc129943 ++Ctrl.hexsession_id = hexsession_id:832400eb1c4031502f7249d0a4279a7cbe4d4d6979289d02837d98b9ca16ff46 ++Ctrl.type = type:F ++Output = 49f5fb8862a4f01900f9f76d6146f181483428beadb000d4f5097adf59c5eb99 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000010100f7217049f9cc4f3d59ea109a06ac3cfb79fc05dc349e1c54482072c467e503494d845004c278dabd9338d3bdb3c2f3c58cb264d65575d9946961345dcda5b9ce59cc8fdfc994acb74fe8f3b1fc143abceedc541ae74d69cd543fa7438ac5b5c84168d6e6f7fba2722c279b7cd0c1e07cdd59bb231f17174d33b7c1a6eb199cfa093476cdd31292f3bff20ae224459caaec461c76d741f0e9269ba96676a3ccebe986a3843a36747a0998bb3feaba41671db20368867a13875f76136b2418b6c807335a7133b4e4fbc0e908516ce97458abec2a32355fb061237bada4e07b950a2b1c8d41201f1c0a41c771d990e4741fef6e2eb5cd106c3b4b6000ad07b482ad ++Ctrl.hexxcghash = hexxcghash:be79b302374817c2fd052704dfba5e98b05a8346db9269e6401265a1c7970d98 ++Ctrl.hexsession_id = hexsession_id:def8533bf220d0c632aa4f1b16168e51c0be904c6f299225b30bd7df7bbdc6f2 ++Ctrl.type = type:A ++Output = 50afb2f3b8a3bc466b3a68f04da0d56c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000010100f7217049f9cc4f3d59ea109a06ac3cfb79fc05dc349e1c54482072c467e503494d845004c278dabd9338d3bdb3c2f3c58cb264d65575d9946961345dcda5b9ce59cc8fdfc994acb74fe8f3b1fc143abceedc541ae74d69cd543fa7438ac5b5c84168d6e6f7fba2722c279b7cd0c1e07cdd59bb231f17174d33b7c1a6eb199cfa093476cdd31292f3bff20ae224459caaec461c76d741f0e9269ba96676a3ccebe986a3843a36747a0998bb3feaba41671db20368867a13875f76136b2418b6c807335a7133b4e4fbc0e908516ce97458abec2a32355fb061237bada4e07b950a2b1c8d41201f1c0a41c771d990e4741fef6e2eb5cd106c3b4b6000ad07b482ad ++Ctrl.hexxcghash = hexxcghash:be79b302374817c2fd052704dfba5e98b05a8346db9269e6401265a1c7970d98 ++Ctrl.hexsession_id = hexsession_id:def8533bf220d0c632aa4f1b16168e51c0be904c6f299225b30bd7df7bbdc6f2 ++Ctrl.type = type:B ++Output = b8672a8cc59ee1316fb9a2c0a82ffd73 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000010100f7217049f9cc4f3d59ea109a06ac3cfb79fc05dc349e1c54482072c467e503494d845004c278dabd9338d3bdb3c2f3c58cb264d65575d9946961345dcda5b9ce59cc8fdfc994acb74fe8f3b1fc143abceedc541ae74d69cd543fa7438ac5b5c84168d6e6f7fba2722c279b7cd0c1e07cdd59bb231f17174d33b7c1a6eb199cfa093476cdd31292f3bff20ae224459caaec461c76d741f0e9269ba96676a3ccebe986a3843a36747a0998bb3feaba41671db20368867a13875f76136b2418b6c807335a7133b4e4fbc0e908516ce97458abec2a32355fb061237bada4e07b950a2b1c8d41201f1c0a41c771d990e4741fef6e2eb5cd106c3b4b6000ad07b482ad ++Ctrl.hexxcghash = hexxcghash:be79b302374817c2fd052704dfba5e98b05a8346db9269e6401265a1c7970d98 ++Ctrl.hexsession_id = hexsession_id:def8533bf220d0c632aa4f1b16168e51c0be904c6f299225b30bd7df7bbdc6f2 ++Ctrl.type = type:C ++Output = d854cbdb8f7544b796f982e4973d4de9 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000010100f7217049f9cc4f3d59ea109a06ac3cfb79fc05dc349e1c54482072c467e503494d845004c278dabd9338d3bdb3c2f3c58cb264d65575d9946961345dcda5b9ce59cc8fdfc994acb74fe8f3b1fc143abceedc541ae74d69cd543fa7438ac5b5c84168d6e6f7fba2722c279b7cd0c1e07cdd59bb231f17174d33b7c1a6eb199cfa093476cdd31292f3bff20ae224459caaec461c76d741f0e9269ba96676a3ccebe986a3843a36747a0998bb3feaba41671db20368867a13875f76136b2418b6c807335a7133b4e4fbc0e908516ce97458abec2a32355fb061237bada4e07b950a2b1c8d41201f1c0a41c771d990e4741fef6e2eb5cd106c3b4b6000ad07b482ad ++Ctrl.hexxcghash = hexxcghash:be79b302374817c2fd052704dfba5e98b05a8346db9269e6401265a1c7970d98 ++Ctrl.hexsession_id = hexsession_id:def8533bf220d0c632aa4f1b16168e51c0be904c6f299225b30bd7df7bbdc6f2 ++Ctrl.type = type:D ++Output = bd6bde82c451ee39069d0794f7000f38 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000010100f7217049f9cc4f3d59ea109a06ac3cfb79fc05dc349e1c54482072c467e503494d845004c278dabd9338d3bdb3c2f3c58cb264d65575d9946961345dcda5b9ce59cc8fdfc994acb74fe8f3b1fc143abceedc541ae74d69cd543fa7438ac5b5c84168d6e6f7fba2722c279b7cd0c1e07cdd59bb231f17174d33b7c1a6eb199cfa093476cdd31292f3bff20ae224459caaec461c76d741f0e9269ba96676a3ccebe986a3843a36747a0998bb3feaba41671db20368867a13875f76136b2418b6c807335a7133b4e4fbc0e908516ce97458abec2a32355fb061237bada4e07b950a2b1c8d41201f1c0a41c771d990e4741fef6e2eb5cd106c3b4b6000ad07b482ad ++Ctrl.hexxcghash = hexxcghash:be79b302374817c2fd052704dfba5e98b05a8346db9269e6401265a1c7970d98 ++Ctrl.hexsession_id = hexsession_id:def8533bf220d0c632aa4f1b16168e51c0be904c6f299225b30bd7df7bbdc6f2 ++Ctrl.type = type:E ++Output = 270794ec70fcd9d742aad66c54001b4c218ae8cca813453560a9aeaacc6909ec ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:0000010100f7217049f9cc4f3d59ea109a06ac3cfb79fc05dc349e1c54482072c467e503494d845004c278dabd9338d3bdb3c2f3c58cb264d65575d9946961345dcda5b9ce59cc8fdfc994acb74fe8f3b1fc143abceedc541ae74d69cd543fa7438ac5b5c84168d6e6f7fba2722c279b7cd0c1e07cdd59bb231f17174d33b7c1a6eb199cfa093476cdd31292f3bff20ae224459caaec461c76d741f0e9269ba96676a3ccebe986a3843a36747a0998bb3feaba41671db20368867a13875f76136b2418b6c807335a7133b4e4fbc0e908516ce97458abec2a32355fb061237bada4e07b950a2b1c8d41201f1c0a41c771d990e4741fef6e2eb5cd106c3b4b6000ad07b482ad ++Ctrl.hexxcghash = hexxcghash:be79b302374817c2fd052704dfba5e98b05a8346db9269e6401265a1c7970d98 ++Ctrl.hexsession_id = hexsession_id:def8533bf220d0c632aa4f1b16168e51c0be904c6f299225b30bd7df7bbdc6f2 ++Ctrl.type = type:F ++Output = e967df7571a0eb82f59ddfead22c617beeefa25ce4afd80ac8320bc2635c70d0 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000001001b3a1cab1e87a29e229efcae0f569d855a61d6da6ea0ae5bed3491c7bdb5f70f6caf8dc305100160bbf6ecd726b11799da685ce4528ee689fe292043e318ad9f797bd5746399e007cf1f40d7918b85e4607f6e674da84709543dd0d50ad1d5c993770b4d0c045fdef89d5534c3d77edd8dc4536a10cc2b5d0bd14caa7e029ba8a81d5f5fb16524b56ddb9f35d96593955514b80d89b711ff717e11ad3d691424f6cefc5c613b04e5532d89f91383e4a6f45058604bb63876b1308dc7eb8f86cb5c032e6f1f061646e0bbf27b0c7eaa8216ba9381cb7734df24fe6691183c4823d3b645f3139a45b2b8ee3909bb431477f332ea3616b919724782fda8546a3235 ++Ctrl.hexxcghash = hexxcghash:fe491f41cdbcaec6b8821eda916eb03bc1a0e934c14850696f79bd30c73a18e2 ++Ctrl.hexsession_id = hexsession_id:df1c0910cf8b81ca157916b8ac0411b7363f62ce10ee23cbb69ddfe8c3f16be9 ++Ctrl.type = type:A ++Output = ebb3d10f461d8697a064461822f34507 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000001001b3a1cab1e87a29e229efcae0f569d855a61d6da6ea0ae5bed3491c7bdb5f70f6caf8dc305100160bbf6ecd726b11799da685ce4528ee689fe292043e318ad9f797bd5746399e007cf1f40d7918b85e4607f6e674da84709543dd0d50ad1d5c993770b4d0c045fdef89d5534c3d77edd8dc4536a10cc2b5d0bd14caa7e029ba8a81d5f5fb16524b56ddb9f35d96593955514b80d89b711ff717e11ad3d691424f6cefc5c613b04e5532d89f91383e4a6f45058604bb63876b1308dc7eb8f86cb5c032e6f1f061646e0bbf27b0c7eaa8216ba9381cb7734df24fe6691183c4823d3b645f3139a45b2b8ee3909bb431477f332ea3616b919724782fda8546a3235 ++Ctrl.hexxcghash = hexxcghash:fe491f41cdbcaec6b8821eda916eb03bc1a0e934c14850696f79bd30c73a18e2 ++Ctrl.hexsession_id = hexsession_id:df1c0910cf8b81ca157916b8ac0411b7363f62ce10ee23cbb69ddfe8c3f16be9 ++Ctrl.type = type:B ++Output = bb95f9cbed695529fd7977281332100b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000001001b3a1cab1e87a29e229efcae0f569d855a61d6da6ea0ae5bed3491c7bdb5f70f6caf8dc305100160bbf6ecd726b11799da685ce4528ee689fe292043e318ad9f797bd5746399e007cf1f40d7918b85e4607f6e674da84709543dd0d50ad1d5c993770b4d0c045fdef89d5534c3d77edd8dc4536a10cc2b5d0bd14caa7e029ba8a81d5f5fb16524b56ddb9f35d96593955514b80d89b711ff717e11ad3d691424f6cefc5c613b04e5532d89f91383e4a6f45058604bb63876b1308dc7eb8f86cb5c032e6f1f061646e0bbf27b0c7eaa8216ba9381cb7734df24fe6691183c4823d3b645f3139a45b2b8ee3909bb431477f332ea3616b919724782fda8546a3235 ++Ctrl.hexxcghash = hexxcghash:fe491f41cdbcaec6b8821eda916eb03bc1a0e934c14850696f79bd30c73a18e2 ++Ctrl.hexsession_id = hexsession_id:df1c0910cf8b81ca157916b8ac0411b7363f62ce10ee23cbb69ddfe8c3f16be9 ++Ctrl.type = type:C ++Output = da1318a6a34224cc86c9afa41991db4b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000001001b3a1cab1e87a29e229efcae0f569d855a61d6da6ea0ae5bed3491c7bdb5f70f6caf8dc305100160bbf6ecd726b11799da685ce4528ee689fe292043e318ad9f797bd5746399e007cf1f40d7918b85e4607f6e674da84709543dd0d50ad1d5c993770b4d0c045fdef89d5534c3d77edd8dc4536a10cc2b5d0bd14caa7e029ba8a81d5f5fb16524b56ddb9f35d96593955514b80d89b711ff717e11ad3d691424f6cefc5c613b04e5532d89f91383e4a6f45058604bb63876b1308dc7eb8f86cb5c032e6f1f061646e0bbf27b0c7eaa8216ba9381cb7734df24fe6691183c4823d3b645f3139a45b2b8ee3909bb431477f332ea3616b919724782fda8546a3235 ++Ctrl.hexxcghash = hexxcghash:fe491f41cdbcaec6b8821eda916eb03bc1a0e934c14850696f79bd30c73a18e2 ++Ctrl.hexsession_id = hexsession_id:df1c0910cf8b81ca157916b8ac0411b7363f62ce10ee23cbb69ddfe8c3f16be9 ++Ctrl.type = type:D ++Output = 091f8fa87a01c5768de8d663ba8bf9d7 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000001001b3a1cab1e87a29e229efcae0f569d855a61d6da6ea0ae5bed3491c7bdb5f70f6caf8dc305100160bbf6ecd726b11799da685ce4528ee689fe292043e318ad9f797bd5746399e007cf1f40d7918b85e4607f6e674da84709543dd0d50ad1d5c993770b4d0c045fdef89d5534c3d77edd8dc4536a10cc2b5d0bd14caa7e029ba8a81d5f5fb16524b56ddb9f35d96593955514b80d89b711ff717e11ad3d691424f6cefc5c613b04e5532d89f91383e4a6f45058604bb63876b1308dc7eb8f86cb5c032e6f1f061646e0bbf27b0c7eaa8216ba9381cb7734df24fe6691183c4823d3b645f3139a45b2b8ee3909bb431477f332ea3616b919724782fda8546a3235 ++Ctrl.hexxcghash = hexxcghash:fe491f41cdbcaec6b8821eda916eb03bc1a0e934c14850696f79bd30c73a18e2 ++Ctrl.hexsession_id = hexsession_id:df1c0910cf8b81ca157916b8ac0411b7363f62ce10ee23cbb69ddfe8c3f16be9 ++Ctrl.type = type:E ++Output = cc09127a759000f3bd9724fbf5285cd680ee323ffc19cf2f495403f896587317 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA256 ++Ctrl.hexkey = hexkey:000001001b3a1cab1e87a29e229efcae0f569d855a61d6da6ea0ae5bed3491c7bdb5f70f6caf8dc305100160bbf6ecd726b11799da685ce4528ee689fe292043e318ad9f797bd5746399e007cf1f40d7918b85e4607f6e674da84709543dd0d50ad1d5c993770b4d0c045fdef89d5534c3d77edd8dc4536a10cc2b5d0bd14caa7e029ba8a81d5f5fb16524b56ddb9f35d96593955514b80d89b711ff717e11ad3d691424f6cefc5c613b04e5532d89f91383e4a6f45058604bb63876b1308dc7eb8f86cb5c032e6f1f061646e0bbf27b0c7eaa8216ba9381cb7734df24fe6691183c4823d3b645f3139a45b2b8ee3909bb431477f332ea3616b919724782fda8546a3235 ++Ctrl.hexxcghash = hexxcghash:fe491f41cdbcaec6b8821eda916eb03bc1a0e934c14850696f79bd30c73a18e2 ++Ctrl.hexsession_id = hexsession_id:df1c0910cf8b81ca157916b8ac0411b7363f62ce10ee23cbb69ddfe8c3f16be9 ++Ctrl.type = type:F ++Output = a3ceddafc49f7c0131ce2965945c3892be6605b465877bc0637685612ede242b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008100941456bd72267a90690ffc873528f4b76394431aceee1e24a7bed414568d9b97c84ce13d34a2b4a63ef735bac23af0b7fa634a9e56c2d775c741a61d63981332f9027d3f52c4a9a3adb83e96d39f7e6bb72514797da32f2f0edb59accfc58a49fc34b198e0285b31032ac9f06907def196f5748bd32ce22a5383a1bbdbd31f24 ++Ctrl.hexxcghash = hexxcghash:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a ++Ctrl.hexsession_id = hexsession_id:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a ++Ctrl.type = type:A ++Output = d31c16f67b17bc69 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008100941456bd72267a90690ffc873528f4b76394431aceee1e24a7bed414568d9b97c84ce13d34a2b4a63ef735bac23af0b7fa634a9e56c2d775c741a61d63981332f9027d3f52c4a9a3adb83e96d39f7e6bb72514797da32f2f0edb59accfc58a49fc34b198e0285b31032ac9f06907def196f5748bd32ce22a5383a1bbdbd31f24 ++Ctrl.hexxcghash = hexxcghash:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a ++Ctrl.hexsession_id = hexsession_id:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a ++Ctrl.type = type:B ++Output = 675340f27269e7ae ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008100941456bd72267a90690ffc873528f4b76394431aceee1e24a7bed414568d9b97c84ce13d34a2b4a63ef735bac23af0b7fa634a9e56c2d775c741a61d63981332f9027d3f52c4a9a3adb83e96d39f7e6bb72514797da32f2f0edb59accfc58a49fc34b198e0285b31032ac9f06907def196f5748bd32ce22a5383a1bbdbd31f24 ++Ctrl.hexxcghash = hexxcghash:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a ++Ctrl.hexsession_id = hexsession_id:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a ++Ctrl.type = type:C ++Output = 2ffed577a90d29872ea59f3782c3b406908d7394ff63c9d7 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008100941456bd72267a90690ffc873528f4b76394431aceee1e24a7bed414568d9b97c84ce13d34a2b4a63ef735bac23af0b7fa634a9e56c2d775c741a61d63981332f9027d3f52c4a9a3adb83e96d39f7e6bb72514797da32f2f0edb59accfc58a49fc34b198e0285b31032ac9f06907def196f5748bd32ce22a5383a1bbdbd31f24 ++Ctrl.hexxcghash = hexxcghash:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a ++Ctrl.hexsession_id = hexsession_id:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a ++Ctrl.type = type:D ++Output = fae751987c1fa8665e4387e410297db58ff69b260a8fe85f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008100941456bd72267a90690ffc873528f4b76394431aceee1e24a7bed414568d9b97c84ce13d34a2b4a63ef735bac23af0b7fa634a9e56c2d775c741a61d63981332f9027d3f52c4a9a3adb83e96d39f7e6bb72514797da32f2f0edb59accfc58a49fc34b198e0285b31032ac9f06907def196f5748bd32ce22a5383a1bbdbd31f24 ++Ctrl.hexxcghash = hexxcghash:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a ++Ctrl.hexsession_id = hexsession_id:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a ++Ctrl.type = type:E ++Output = ff2db5975edf3824325b257455791869434c6af47fb0c8145253c2695abfd2b8c980565ad20e6b9313ba44ee488bafb0 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008100941456bd72267a90690ffc873528f4b76394431aceee1e24a7bed414568d9b97c84ce13d34a2b4a63ef735bac23af0b7fa634a9e56c2d775c741a61d63981332f9027d3f52c4a9a3adb83e96d39f7e6bb72514797da32f2f0edb59accfc58a49fc34b198e0285b31032ac9f06907def196f5748bd32ce22a5383a1bbdbd31f24 ++Ctrl.hexxcghash = hexxcghash:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a ++Ctrl.hexsession_id = hexsession_id:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a ++Ctrl.type = type:F ++Output = 85a9463cd653c7619d4dc85006406d6ed3364220419ca13810301be0f0389d932ddeaebb0e504a0849e2e73a7d087db2 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:00000080319534aabf1100b1ef3ec089ba6e5b25946bdf67cbc92493c29d0e63765ee38dc27e15720393d6aa5741b2129b24ee6a71c079190588232f4facadd034dd6e456bf45aedf72a059eca591ceb2d7c50f8ae918528872f40eaf62faa511d6bfbed4b8613163c42b99eb30c20ecce1c36a78b93fb0046467a0bcb41dfa1e609b61b ++Ctrl.hexxcghash = hexxcghash:0f831ff3e907b3f0922722bd8073b2c263c77c7f552c0b0b12be68f19520b1ae2bbf62a9dba0f582d5f0197c0d534f6e ++Ctrl.hexsession_id = hexsession_id:dede417f4b45d58d54cbe59e7d80bab3150ccd99583aa87f7ecde731462d074edf49907278819043341d1fe20e136563 ++Ctrl.type = type:A ++Output = 93323451441b761f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:00000080319534aabf1100b1ef3ec089ba6e5b25946bdf67cbc92493c29d0e63765ee38dc27e15720393d6aa5741b2129b24ee6a71c079190588232f4facadd034dd6e456bf45aedf72a059eca591ceb2d7c50f8ae918528872f40eaf62faa511d6bfbed4b8613163c42b99eb30c20ecce1c36a78b93fb0046467a0bcb41dfa1e609b61b ++Ctrl.hexxcghash = hexxcghash:0f831ff3e907b3f0922722bd8073b2c263c77c7f552c0b0b12be68f19520b1ae2bbf62a9dba0f582d5f0197c0d534f6e ++Ctrl.hexsession_id = hexsession_id:dede417f4b45d58d54cbe59e7d80bab3150ccd99583aa87f7ecde731462d074edf49907278819043341d1fe20e136563 ++Ctrl.type = type:B ++Output = 3dbfdc2364807ecc ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:00000080319534aabf1100b1ef3ec089ba6e5b25946bdf67cbc92493c29d0e63765ee38dc27e15720393d6aa5741b2129b24ee6a71c079190588232f4facadd034dd6e456bf45aedf72a059eca591ceb2d7c50f8ae918528872f40eaf62faa511d6bfbed4b8613163c42b99eb30c20ecce1c36a78b93fb0046467a0bcb41dfa1e609b61b ++Ctrl.hexxcghash = hexxcghash:0f831ff3e907b3f0922722bd8073b2c263c77c7f552c0b0b12be68f19520b1ae2bbf62a9dba0f582d5f0197c0d534f6e ++Ctrl.hexsession_id = hexsession_id:dede417f4b45d58d54cbe59e7d80bab3150ccd99583aa87f7ecde731462d074edf49907278819043341d1fe20e136563 ++Ctrl.type = type:C ++Output = c699e3488f825fb24c5e2adc699ec83a5d8fce339fa0e9b0 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:00000080319534aabf1100b1ef3ec089ba6e5b25946bdf67cbc92493c29d0e63765ee38dc27e15720393d6aa5741b2129b24ee6a71c079190588232f4facadd034dd6e456bf45aedf72a059eca591ceb2d7c50f8ae918528872f40eaf62faa511d6bfbed4b8613163c42b99eb30c20ecce1c36a78b93fb0046467a0bcb41dfa1e609b61b ++Ctrl.hexxcghash = hexxcghash:0f831ff3e907b3f0922722bd8073b2c263c77c7f552c0b0b12be68f19520b1ae2bbf62a9dba0f582d5f0197c0d534f6e ++Ctrl.hexsession_id = hexsession_id:dede417f4b45d58d54cbe59e7d80bab3150ccd99583aa87f7ecde731462d074edf49907278819043341d1fe20e136563 ++Ctrl.type = type:D ++Output = a250b13da0716f2d4440cc4cac01a2d591002ebfaada9758 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:00000080319534aabf1100b1ef3ec089ba6e5b25946bdf67cbc92493c29d0e63765ee38dc27e15720393d6aa5741b2129b24ee6a71c079190588232f4facadd034dd6e456bf45aedf72a059eca591ceb2d7c50f8ae918528872f40eaf62faa511d6bfbed4b8613163c42b99eb30c20ecce1c36a78b93fb0046467a0bcb41dfa1e609b61b ++Ctrl.hexxcghash = hexxcghash:0f831ff3e907b3f0922722bd8073b2c263c77c7f552c0b0b12be68f19520b1ae2bbf62a9dba0f582d5f0197c0d534f6e ++Ctrl.hexsession_id = hexsession_id:dede417f4b45d58d54cbe59e7d80bab3150ccd99583aa87f7ecde731462d074edf49907278819043341d1fe20e136563 ++Ctrl.type = type:E ++Output = 76966a1b7d5f250eea3696077a373b9421e8294dd7cb0aedd172cf9c6879ef34c9deb9c208f11c5d4b6fd713b576894d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:00000080319534aabf1100b1ef3ec089ba6e5b25946bdf67cbc92493c29d0e63765ee38dc27e15720393d6aa5741b2129b24ee6a71c079190588232f4facadd034dd6e456bf45aedf72a059eca591ceb2d7c50f8ae918528872f40eaf62faa511d6bfbed4b8613163c42b99eb30c20ecce1c36a78b93fb0046467a0bcb41dfa1e609b61b ++Ctrl.hexxcghash = hexxcghash:0f831ff3e907b3f0922722bd8073b2c263c77c7f552c0b0b12be68f19520b1ae2bbf62a9dba0f582d5f0197c0d534f6e ++Ctrl.hexsession_id = hexsession_id:dede417f4b45d58d54cbe59e7d80bab3150ccd99583aa87f7ecde731462d074edf49907278819043341d1fe20e136563 ++Ctrl.type = type:F ++Output = 28a66e21fe7f8a070fe40ecf68a64f2a35a46b84ac38810902639906611053832179d5c07a8422993496059af67f585f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000803b4fd086d25a4bf0b5347a2e323d45525b12a3df508b9129ae7d51637b6fc76aba743d7ee254888ee6d49314ebd8b82e25d187e80770ff6365fbfe96029e23b92ccbb2bfb4cf27e175cd09154b0e68d75a84c490f936ee0366180f781049ddcfefcb4bf25409ba8a8a9a3296cf0619bc51363abfd58cea3d0480673d8ac8370a ++Ctrl.hexxcghash = hexxcghash:8fbe46474bf6ccdad0f706492c4b534cf5698b38afc4b21a6af4a00c3ccda689cf5382e5de34a48bd798f083570ad411 ++Ctrl.hexsession_id = hexsession_id:a397aa78a58fcf619f1e8368018d6e40934d4befc96671a63aea4558d5e54c9f42bdca50f618ec84b2d19b539a1f10f1 ++Ctrl.type = type:A ++Output = b0db344b1e2e98d3 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000803b4fd086d25a4bf0b5347a2e323d45525b12a3df508b9129ae7d51637b6fc76aba743d7ee254888ee6d49314ebd8b82e25d187e80770ff6365fbfe96029e23b92ccbb2bfb4cf27e175cd09154b0e68d75a84c490f936ee0366180f781049ddcfefcb4bf25409ba8a8a9a3296cf0619bc51363abfd58cea3d0480673d8ac8370a ++Ctrl.hexxcghash = hexxcghash:8fbe46474bf6ccdad0f706492c4b534cf5698b38afc4b21a6af4a00c3ccda689cf5382e5de34a48bd798f083570ad411 ++Ctrl.hexsession_id = hexsession_id:a397aa78a58fcf619f1e8368018d6e40934d4befc96671a63aea4558d5e54c9f42bdca50f618ec84b2d19b539a1f10f1 ++Ctrl.type = type:B ++Output = 29fcd6a7d317f527 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000803b4fd086d25a4bf0b5347a2e323d45525b12a3df508b9129ae7d51637b6fc76aba743d7ee254888ee6d49314ebd8b82e25d187e80770ff6365fbfe96029e23b92ccbb2bfb4cf27e175cd09154b0e68d75a84c490f936ee0366180f781049ddcfefcb4bf25409ba8a8a9a3296cf0619bc51363abfd58cea3d0480673d8ac8370a ++Ctrl.hexxcghash = hexxcghash:8fbe46474bf6ccdad0f706492c4b534cf5698b38afc4b21a6af4a00c3ccda689cf5382e5de34a48bd798f083570ad411 ++Ctrl.hexsession_id = hexsession_id:a397aa78a58fcf619f1e8368018d6e40934d4befc96671a63aea4558d5e54c9f42bdca50f618ec84b2d19b539a1f10f1 ++Ctrl.type = type:C ++Output = 156f9d4c58d7783959e785af3fefb133662009b93891bff7 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000803b4fd086d25a4bf0b5347a2e323d45525b12a3df508b9129ae7d51637b6fc76aba743d7ee254888ee6d49314ebd8b82e25d187e80770ff6365fbfe96029e23b92ccbb2bfb4cf27e175cd09154b0e68d75a84c490f936ee0366180f781049ddcfefcb4bf25409ba8a8a9a3296cf0619bc51363abfd58cea3d0480673d8ac8370a ++Ctrl.hexxcghash = hexxcghash:8fbe46474bf6ccdad0f706492c4b534cf5698b38afc4b21a6af4a00c3ccda689cf5382e5de34a48bd798f083570ad411 ++Ctrl.hexsession_id = hexsession_id:a397aa78a58fcf619f1e8368018d6e40934d4befc96671a63aea4558d5e54c9f42bdca50f618ec84b2d19b539a1f10f1 ++Ctrl.type = type:D ++Output = c4bc4471e2c7f04dbef9100977e222f4156a7118a122f6cd ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000803b4fd086d25a4bf0b5347a2e323d45525b12a3df508b9129ae7d51637b6fc76aba743d7ee254888ee6d49314ebd8b82e25d187e80770ff6365fbfe96029e23b92ccbb2bfb4cf27e175cd09154b0e68d75a84c490f936ee0366180f781049ddcfefcb4bf25409ba8a8a9a3296cf0619bc51363abfd58cea3d0480673d8ac8370a ++Ctrl.hexxcghash = hexxcghash:8fbe46474bf6ccdad0f706492c4b534cf5698b38afc4b21a6af4a00c3ccda689cf5382e5de34a48bd798f083570ad411 ++Ctrl.hexsession_id = hexsession_id:a397aa78a58fcf619f1e8368018d6e40934d4befc96671a63aea4558d5e54c9f42bdca50f618ec84b2d19b539a1f10f1 ++Ctrl.type = type:E ++Output = 5878fdbf693638430e31b287ad8cfab560d952d7a828167bd0454e0c8aa14274c7c0c1921a31575f77fd80144e6d2999 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000803b4fd086d25a4bf0b5347a2e323d45525b12a3df508b9129ae7d51637b6fc76aba743d7ee254888ee6d49314ebd8b82e25d187e80770ff6365fbfe96029e23b92ccbb2bfb4cf27e175cd09154b0e68d75a84c490f936ee0366180f781049ddcfefcb4bf25409ba8a8a9a3296cf0619bc51363abfd58cea3d0480673d8ac8370a ++Ctrl.hexxcghash = hexxcghash:8fbe46474bf6ccdad0f706492c4b534cf5698b38afc4b21a6af4a00c3ccda689cf5382e5de34a48bd798f083570ad411 ++Ctrl.hexsession_id = hexsession_id:a397aa78a58fcf619f1e8368018d6e40934d4befc96671a63aea4558d5e54c9f42bdca50f618ec84b2d19b539a1f10f1 ++Ctrl.type = type:F ++Output = 1fdb34ae9d2f12363350dd5aeefe728066500a083668ac2d48af671d7651a67acdf9b7a0581b922e67278d53f0b2fb17 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000801a3eab3e516f776ab0a282861a42fec52223859d5af2da778727bd0363ba5983b5d883cd75132c94351a7b5b23fba10aec35a78ab03ba183682b4d3e72c67bd1e6b83afc5178c97624f718243d9377694f085e15cef33040fca144e856c74ab0e70dbf4a7766aa916e5edf184ae7dbd3f19d2491e45828fe5969d61075695e39 ++Ctrl.hexxcghash = hexxcghash:5e9be9089c8b952d8ffdb0cbdbe5bb6c1f336e6620292da1ab5eb92eef379655579e24cd6273bd4f552d46dfa87df917 ++Ctrl.hexsession_id = hexsession_id:c54542e32ba1ae8c266781c6d14c8356d6f548cfdb8a303c4f1c947318610eed8ae3d6d4350ab4dddc7f9202a510d32e ++Ctrl.type = type:A ++Output = c828150149eb433a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000801a3eab3e516f776ab0a282861a42fec52223859d5af2da778727bd0363ba5983b5d883cd75132c94351a7b5b23fba10aec35a78ab03ba183682b4d3e72c67bd1e6b83afc5178c97624f718243d9377694f085e15cef33040fca144e856c74ab0e70dbf4a7766aa916e5edf184ae7dbd3f19d2491e45828fe5969d61075695e39 ++Ctrl.hexxcghash = hexxcghash:5e9be9089c8b952d8ffdb0cbdbe5bb6c1f336e6620292da1ab5eb92eef379655579e24cd6273bd4f552d46dfa87df917 ++Ctrl.hexsession_id = hexsession_id:c54542e32ba1ae8c266781c6d14c8356d6f548cfdb8a303c4f1c947318610eed8ae3d6d4350ab4dddc7f9202a510d32e ++Ctrl.type = type:B ++Output = 45636e088875de58 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000801a3eab3e516f776ab0a282861a42fec52223859d5af2da778727bd0363ba5983b5d883cd75132c94351a7b5b23fba10aec35a78ab03ba183682b4d3e72c67bd1e6b83afc5178c97624f718243d9377694f085e15cef33040fca144e856c74ab0e70dbf4a7766aa916e5edf184ae7dbd3f19d2491e45828fe5969d61075695e39 ++Ctrl.hexxcghash = hexxcghash:5e9be9089c8b952d8ffdb0cbdbe5bb6c1f336e6620292da1ab5eb92eef379655579e24cd6273bd4f552d46dfa87df917 ++Ctrl.hexsession_id = hexsession_id:c54542e32ba1ae8c266781c6d14c8356d6f548cfdb8a303c4f1c947318610eed8ae3d6d4350ab4dddc7f9202a510d32e ++Ctrl.type = type:C ++Output = 75da9408e65f61dac9dafa496675214b0d84b0e66feb68fe ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000801a3eab3e516f776ab0a282861a42fec52223859d5af2da778727bd0363ba5983b5d883cd75132c94351a7b5b23fba10aec35a78ab03ba183682b4d3e72c67bd1e6b83afc5178c97624f718243d9377694f085e15cef33040fca144e856c74ab0e70dbf4a7766aa916e5edf184ae7dbd3f19d2491e45828fe5969d61075695e39 ++Ctrl.hexxcghash = hexxcghash:5e9be9089c8b952d8ffdb0cbdbe5bb6c1f336e6620292da1ab5eb92eef379655579e24cd6273bd4f552d46dfa87df917 ++Ctrl.hexsession_id = hexsession_id:c54542e32ba1ae8c266781c6d14c8356d6f548cfdb8a303c4f1c947318610eed8ae3d6d4350ab4dddc7f9202a510d32e ++Ctrl.type = type:D ++Output = cb7897fdeb2c235be5812d1959cb55907ff02a9cf6c76c17 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000801a3eab3e516f776ab0a282861a42fec52223859d5af2da778727bd0363ba5983b5d883cd75132c94351a7b5b23fba10aec35a78ab03ba183682b4d3e72c67bd1e6b83afc5178c97624f718243d9377694f085e15cef33040fca144e856c74ab0e70dbf4a7766aa916e5edf184ae7dbd3f19d2491e45828fe5969d61075695e39 ++Ctrl.hexxcghash = hexxcghash:5e9be9089c8b952d8ffdb0cbdbe5bb6c1f336e6620292da1ab5eb92eef379655579e24cd6273bd4f552d46dfa87df917 ++Ctrl.hexsession_id = hexsession_id:c54542e32ba1ae8c266781c6d14c8356d6f548cfdb8a303c4f1c947318610eed8ae3d6d4350ab4dddc7f9202a510d32e ++Ctrl.type = type:E ++Output = 13a8062561c28c1bc678a019b22da95aa462f82cfff6268876ffe2fddc86536fa4d19bdc15d90c1cff4d37e69f1fc021 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000801a3eab3e516f776ab0a282861a42fec52223859d5af2da778727bd0363ba5983b5d883cd75132c94351a7b5b23fba10aec35a78ab03ba183682b4d3e72c67bd1e6b83afc5178c97624f718243d9377694f085e15cef33040fca144e856c74ab0e70dbf4a7766aa916e5edf184ae7dbd3f19d2491e45828fe5969d61075695e39 ++Ctrl.hexxcghash = hexxcghash:5e9be9089c8b952d8ffdb0cbdbe5bb6c1f336e6620292da1ab5eb92eef379655579e24cd6273bd4f552d46dfa87df917 ++Ctrl.hexsession_id = hexsession_id:c54542e32ba1ae8c266781c6d14c8356d6f548cfdb8a303c4f1c947318610eed8ae3d6d4350ab4dddc7f9202a510d32e ++Ctrl.type = type:F ++Output = 69437ec44d764caeb89faebf7b8577b433677abcb0c58f166a5e5724a4eb293d335004d412c983d4c7aca4df1b8328fd ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000810091473fb24a9fca3fd1639c029c0e6ae6390c83b3278336017068771569d0957bf7ff80a8f188b936f7e238502efc86e518ebafcc4ecdf1b44f01bb070b3cc88c1b23937dcd04c456987a3b75df3874ca54a10e7f4a3123a7fb47365a7552c9e3f7070ec19d1ebb9922dd10aa0280222db770a71ce9541b60b53d9e7783350100 ++Ctrl.hexxcghash = hexxcghash:d0bbb1a81edca6ae7ac5c9e60bf447d198bf875b945fcba06b0074e640331b2205c2c055864c011913f6dad3e34ed44b ++Ctrl.hexsession_id = hexsession_id:58d7b77f0cc5480254c68e4e9cb06a1ea5389b39a3f9cba5c9ca03a091fb123aeb5934c519b60181d097b8cc9455b96a ++Ctrl.type = type:A ++Output = b669e05aa9706468 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000810091473fb24a9fca3fd1639c029c0e6ae6390c83b3278336017068771569d0957bf7ff80a8f188b936f7e238502efc86e518ebafcc4ecdf1b44f01bb070b3cc88c1b23937dcd04c456987a3b75df3874ca54a10e7f4a3123a7fb47365a7552c9e3f7070ec19d1ebb9922dd10aa0280222db770a71ce9541b60b53d9e7783350100 ++Ctrl.hexxcghash = hexxcghash:d0bbb1a81edca6ae7ac5c9e60bf447d198bf875b945fcba06b0074e640331b2205c2c055864c011913f6dad3e34ed44b ++Ctrl.hexsession_id = hexsession_id:58d7b77f0cc5480254c68e4e9cb06a1ea5389b39a3f9cba5c9ca03a091fb123aeb5934c519b60181d097b8cc9455b96a ++Ctrl.type = type:B ++Output = 57f943111ca01b15 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000810091473fb24a9fca3fd1639c029c0e6ae6390c83b3278336017068771569d0957bf7ff80a8f188b936f7e238502efc86e518ebafcc4ecdf1b44f01bb070b3cc88c1b23937dcd04c456987a3b75df3874ca54a10e7f4a3123a7fb47365a7552c9e3f7070ec19d1ebb9922dd10aa0280222db770a71ce9541b60b53d9e7783350100 ++Ctrl.hexxcghash = hexxcghash:d0bbb1a81edca6ae7ac5c9e60bf447d198bf875b945fcba06b0074e640331b2205c2c055864c011913f6dad3e34ed44b ++Ctrl.hexsession_id = hexsession_id:58d7b77f0cc5480254c68e4e9cb06a1ea5389b39a3f9cba5c9ca03a091fb123aeb5934c519b60181d097b8cc9455b96a ++Ctrl.type = type:C ++Output = e9aa354b6b85f357d6f982fcc18a6ca797bd7a125e786f8a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000810091473fb24a9fca3fd1639c029c0e6ae6390c83b3278336017068771569d0957bf7ff80a8f188b936f7e238502efc86e518ebafcc4ecdf1b44f01bb070b3cc88c1b23937dcd04c456987a3b75df3874ca54a10e7f4a3123a7fb47365a7552c9e3f7070ec19d1ebb9922dd10aa0280222db770a71ce9541b60b53d9e7783350100 ++Ctrl.hexxcghash = hexxcghash:d0bbb1a81edca6ae7ac5c9e60bf447d198bf875b945fcba06b0074e640331b2205c2c055864c011913f6dad3e34ed44b ++Ctrl.hexsession_id = hexsession_id:58d7b77f0cc5480254c68e4e9cb06a1ea5389b39a3f9cba5c9ca03a091fb123aeb5934c519b60181d097b8cc9455b96a ++Ctrl.type = type:D ++Output = 199d2b244689bfc4f807f225a7130a069c8a181f5b20d32a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000810091473fb24a9fca3fd1639c029c0e6ae6390c83b3278336017068771569d0957bf7ff80a8f188b936f7e238502efc86e518ebafcc4ecdf1b44f01bb070b3cc88c1b23937dcd04c456987a3b75df3874ca54a10e7f4a3123a7fb47365a7552c9e3f7070ec19d1ebb9922dd10aa0280222db770a71ce9541b60b53d9e7783350100 ++Ctrl.hexxcghash = hexxcghash:d0bbb1a81edca6ae7ac5c9e60bf447d198bf875b945fcba06b0074e640331b2205c2c055864c011913f6dad3e34ed44b ++Ctrl.hexsession_id = hexsession_id:58d7b77f0cc5480254c68e4e9cb06a1ea5389b39a3f9cba5c9ca03a091fb123aeb5934c519b60181d097b8cc9455b96a ++Ctrl.type = type:E ++Output = 69b55cc82d0429979a3832a3be35483596ff1d26a0c1a62944695764f0eb85c3467528be225db2f516e79f23c0c7c23c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000810091473fb24a9fca3fd1639c029c0e6ae6390c83b3278336017068771569d0957bf7ff80a8f188b936f7e238502efc86e518ebafcc4ecdf1b44f01bb070b3cc88c1b23937dcd04c456987a3b75df3874ca54a10e7f4a3123a7fb47365a7552c9e3f7070ec19d1ebb9922dd10aa0280222db770a71ce9541b60b53d9e7783350100 ++Ctrl.hexxcghash = hexxcghash:d0bbb1a81edca6ae7ac5c9e60bf447d198bf875b945fcba06b0074e640331b2205c2c055864c011913f6dad3e34ed44b ++Ctrl.hexsession_id = hexsession_id:58d7b77f0cc5480254c68e4e9cb06a1ea5389b39a3f9cba5c9ca03a091fb123aeb5934c519b60181d097b8cc9455b96a ++Ctrl.type = type:F ++Output = 6e06df643269751dfc9c8decefe466e1ab2ab99466661aa6f0dfab223c3b9bebcaed4c19cbc4109dfacda81cc8f902eb ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000801b8e7d2292f95d97c99e9c93fcc681f2a446437d7595137f761eb9351f50cfb71988aad2d9611a5e3d32c58b1efef596b2b495c12355b6caa5c647237670c7cbeb7b7ef5d39b600b44ab1cecc7ff454981f70366f5dc95f790c9744e55b0b5cee770df10dc3f081b8774b4735c86917384ed7da0b597bd932e676b7ef6fe2cd3 ++Ctrl.hexxcghash = hexxcghash:d1ecf201e213b656e7e002d26b263ead5ef6f265a2cfd05eb83985dbc1dd0620f729800a92f676e6c8219aadbea0a037 ++Ctrl.hexsession_id = hexsession_id:fc6bb80f9116c6746603327d5338e853f37b06593402e31bf5a43abd5e6de8f26166bb572ce0c88360a7bbbe83d0377b ++Ctrl.type = type:A ++Output = b2ada53484907db5 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000801b8e7d2292f95d97c99e9c93fcc681f2a446437d7595137f761eb9351f50cfb71988aad2d9611a5e3d32c58b1efef596b2b495c12355b6caa5c647237670c7cbeb7b7ef5d39b600b44ab1cecc7ff454981f70366f5dc95f790c9744e55b0b5cee770df10dc3f081b8774b4735c86917384ed7da0b597bd932e676b7ef6fe2cd3 ++Ctrl.hexxcghash = hexxcghash:d1ecf201e213b656e7e002d26b263ead5ef6f265a2cfd05eb83985dbc1dd0620f729800a92f676e6c8219aadbea0a037 ++Ctrl.hexsession_id = hexsession_id:fc6bb80f9116c6746603327d5338e853f37b06593402e31bf5a43abd5e6de8f26166bb572ce0c88360a7bbbe83d0377b ++Ctrl.type = type:B ++Output = 89224486fcb33030 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000801b8e7d2292f95d97c99e9c93fcc681f2a446437d7595137f761eb9351f50cfb71988aad2d9611a5e3d32c58b1efef596b2b495c12355b6caa5c647237670c7cbeb7b7ef5d39b600b44ab1cecc7ff454981f70366f5dc95f790c9744e55b0b5cee770df10dc3f081b8774b4735c86917384ed7da0b597bd932e676b7ef6fe2cd3 ++Ctrl.hexxcghash = hexxcghash:d1ecf201e213b656e7e002d26b263ead5ef6f265a2cfd05eb83985dbc1dd0620f729800a92f676e6c8219aadbea0a037 ++Ctrl.hexsession_id = hexsession_id:fc6bb80f9116c6746603327d5338e853f37b06593402e31bf5a43abd5e6de8f26166bb572ce0c88360a7bbbe83d0377b ++Ctrl.type = type:C ++Output = 38ccc00303d5aaf748f3c11d986b99f9bf36049a6f7ea92f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000801b8e7d2292f95d97c99e9c93fcc681f2a446437d7595137f761eb9351f50cfb71988aad2d9611a5e3d32c58b1efef596b2b495c12355b6caa5c647237670c7cbeb7b7ef5d39b600b44ab1cecc7ff454981f70366f5dc95f790c9744e55b0b5cee770df10dc3f081b8774b4735c86917384ed7da0b597bd932e676b7ef6fe2cd3 ++Ctrl.hexxcghash = hexxcghash:d1ecf201e213b656e7e002d26b263ead5ef6f265a2cfd05eb83985dbc1dd0620f729800a92f676e6c8219aadbea0a037 ++Ctrl.hexsession_id = hexsession_id:fc6bb80f9116c6746603327d5338e853f37b06593402e31bf5a43abd5e6de8f26166bb572ce0c88360a7bbbe83d0377b ++Ctrl.type = type:D ++Output = f8a7a4b2e1d28c6a38e120a2cb876ed49f454ea2aabc3a99 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000801b8e7d2292f95d97c99e9c93fcc681f2a446437d7595137f761eb9351f50cfb71988aad2d9611a5e3d32c58b1efef596b2b495c12355b6caa5c647237670c7cbeb7b7ef5d39b600b44ab1cecc7ff454981f70366f5dc95f790c9744e55b0b5cee770df10dc3f081b8774b4735c86917384ed7da0b597bd932e676b7ef6fe2cd3 ++Ctrl.hexxcghash = hexxcghash:d1ecf201e213b656e7e002d26b263ead5ef6f265a2cfd05eb83985dbc1dd0620f729800a92f676e6c8219aadbea0a037 ++Ctrl.hexsession_id = hexsession_id:fc6bb80f9116c6746603327d5338e853f37b06593402e31bf5a43abd5e6de8f26166bb572ce0c88360a7bbbe83d0377b ++Ctrl.type = type:E ++Output = 9f42ab15d0b041019960ff6a5a12e209c427dc334434126399fb8850ec8feda957b74f1976b4c8a97906d7d64c5c2a83 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000000801b8e7d2292f95d97c99e9c93fcc681f2a446437d7595137f761eb9351f50cfb71988aad2d9611a5e3d32c58b1efef596b2b495c12355b6caa5c647237670c7cbeb7b7ef5d39b600b44ab1cecc7ff454981f70366f5dc95f790c9744e55b0b5cee770df10dc3f081b8774b4735c86917384ed7da0b597bd932e676b7ef6fe2cd3 ++Ctrl.hexxcghash = hexxcghash:d1ecf201e213b656e7e002d26b263ead5ef6f265a2cfd05eb83985dbc1dd0620f729800a92f676e6c8219aadbea0a037 ++Ctrl.hexsession_id = hexsession_id:fc6bb80f9116c6746603327d5338e853f37b06593402e31bf5a43abd5e6de8f26166bb572ce0c88360a7bbbe83d0377b ++Ctrl.type = type:F ++Output = d383bedd3b80ddc470db9b819893e85dfab9e359e40bc77576e23ed8c5e73beecefb511ccdf1eb66416c271be5f90199 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:00000081008efe3279e8fc51acceea0ad5958364c2a36315d92ce4d68f6f8486b3160293e4eff79998474b954431a6981864a34445b4bd68e5b598dbaba4de5661ef0b09d5dae9b1633da886f1540d1df601c1acaa139de540d3d8d0b01602559a833aab87730de5c6875b78f5ec6d19145db46e2a77cbb9ec39b1bdbd5ca3be193dcfd622 ++Ctrl.hexxcghash = hexxcghash:5f6f8bd8d664b1f31c615cf457a5c7eaa8733bba6557f15f300cfb364b0ea927bcfe406ea5fb7e03ac648fd18cd93372 ++Ctrl.hexsession_id = hexsession_id:a89ecfd6636423e8d5ba8da3aa8367092b1a662df5693c55cbc5bfabb97320d90692e6c9305af47c25e6617200648752 ++Ctrl.type = type:A ++Output = bac9e6c9553bba95 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:00000081008efe3279e8fc51acceea0ad5958364c2a36315d92ce4d68f6f8486b3160293e4eff79998474b954431a6981864a34445b4bd68e5b598dbaba4de5661ef0b09d5dae9b1633da886f1540d1df601c1acaa139de540d3d8d0b01602559a833aab87730de5c6875b78f5ec6d19145db46e2a77cbb9ec39b1bdbd5ca3be193dcfd622 ++Ctrl.hexxcghash = hexxcghash:5f6f8bd8d664b1f31c615cf457a5c7eaa8733bba6557f15f300cfb364b0ea927bcfe406ea5fb7e03ac648fd18cd93372 ++Ctrl.hexsession_id = hexsession_id:a89ecfd6636423e8d5ba8da3aa8367092b1a662df5693c55cbc5bfabb97320d90692e6c9305af47c25e6617200648752 ++Ctrl.type = type:B ++Output = f29bdc017028a9ca ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:00000081008efe3279e8fc51acceea0ad5958364c2a36315d92ce4d68f6f8486b3160293e4eff79998474b954431a6981864a34445b4bd68e5b598dbaba4de5661ef0b09d5dae9b1633da886f1540d1df601c1acaa139de540d3d8d0b01602559a833aab87730de5c6875b78f5ec6d19145db46e2a77cbb9ec39b1bdbd5ca3be193dcfd622 ++Ctrl.hexxcghash = hexxcghash:5f6f8bd8d664b1f31c615cf457a5c7eaa8733bba6557f15f300cfb364b0ea927bcfe406ea5fb7e03ac648fd18cd93372 ++Ctrl.hexsession_id = hexsession_id:a89ecfd6636423e8d5ba8da3aa8367092b1a662df5693c55cbc5bfabb97320d90692e6c9305af47c25e6617200648752 ++Ctrl.type = type:C ++Output = 840f7e966d633f57bf6cfb3e6aa6bb1435bbea5822c9db0c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:00000081008efe3279e8fc51acceea0ad5958364c2a36315d92ce4d68f6f8486b3160293e4eff79998474b954431a6981864a34445b4bd68e5b598dbaba4de5661ef0b09d5dae9b1633da886f1540d1df601c1acaa139de540d3d8d0b01602559a833aab87730de5c6875b78f5ec6d19145db46e2a77cbb9ec39b1bdbd5ca3be193dcfd622 ++Ctrl.hexxcghash = hexxcghash:5f6f8bd8d664b1f31c615cf457a5c7eaa8733bba6557f15f300cfb364b0ea927bcfe406ea5fb7e03ac648fd18cd93372 ++Ctrl.hexsession_id = hexsession_id:a89ecfd6636423e8d5ba8da3aa8367092b1a662df5693c55cbc5bfabb97320d90692e6c9305af47c25e6617200648752 ++Ctrl.type = type:D ++Output = f78b485e49bf72584e45de78fbd75392e3e0b1ce2a57e7a3 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:00000081008efe3279e8fc51acceea0ad5958364c2a36315d92ce4d68f6f8486b3160293e4eff79998474b954431a6981864a34445b4bd68e5b598dbaba4de5661ef0b09d5dae9b1633da886f1540d1df601c1acaa139de540d3d8d0b01602559a833aab87730de5c6875b78f5ec6d19145db46e2a77cbb9ec39b1bdbd5ca3be193dcfd622 ++Ctrl.hexxcghash = hexxcghash:5f6f8bd8d664b1f31c615cf457a5c7eaa8733bba6557f15f300cfb364b0ea927bcfe406ea5fb7e03ac648fd18cd93372 ++Ctrl.hexsession_id = hexsession_id:a89ecfd6636423e8d5ba8da3aa8367092b1a662df5693c55cbc5bfabb97320d90692e6c9305af47c25e6617200648752 ++Ctrl.type = type:E ++Output = 9dcadff513667aee5e2fda86c4a198db4252a9311635d3659db957570e448f3689444dd3e10d6097a07dba923db349ba ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:00000081008efe3279e8fc51acceea0ad5958364c2a36315d92ce4d68f6f8486b3160293e4eff79998474b954431a6981864a34445b4bd68e5b598dbaba4de5661ef0b09d5dae9b1633da886f1540d1df601c1acaa139de540d3d8d0b01602559a833aab87730de5c6875b78f5ec6d19145db46e2a77cbb9ec39b1bdbd5ca3be193dcfd622 ++Ctrl.hexxcghash = hexxcghash:5f6f8bd8d664b1f31c615cf457a5c7eaa8733bba6557f15f300cfb364b0ea927bcfe406ea5fb7e03ac648fd18cd93372 ++Ctrl.hexsession_id = hexsession_id:a89ecfd6636423e8d5ba8da3aa8367092b1a662df5693c55cbc5bfabb97320d90692e6c9305af47c25e6617200648752 ++Ctrl.type = type:F ++Output = 5e7915ea90a0d81e3c2ada00c85890b6defbb64f45ac4f0e75b22cf6187978e630f356207c97362862389a1ef99fb51a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008100a89b3f9628a4f984336377edc37d3bed4aa748fa0b0a6bc80c366e8ffdf0ccbbe07229c5f02394b230759d5255e3a7d7f63a2395e2f07e2d31bf885abaea150e1f97808f26f8fe8c5113c12e4d137844160a433f8451faaf432bd7c0469dbe713304c8bed29c03cb7629cdffebc253d0a01362052f55576fdaf89702fa33cedd ++Ctrl.hexxcghash = hexxcghash:8467d0335e6e254eb02253f97cd14c0221f1b21431a4ffe1c20675039d0ac26fa70a0c4bad639834d88d01f6c1ea878e ++Ctrl.hexsession_id = hexsession_id:9a100a5b0ad81f1c603e05c5d24415f2aa7031c0d92f16de15cab350bb1a2cf3639c6906f4e220e057deb966813bbb35 ++Ctrl.type = type:A ++Output = 11811427eaa92d61 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008100a89b3f9628a4f984336377edc37d3bed4aa748fa0b0a6bc80c366e8ffdf0ccbbe07229c5f02394b230759d5255e3a7d7f63a2395e2f07e2d31bf885abaea150e1f97808f26f8fe8c5113c12e4d137844160a433f8451faaf432bd7c0469dbe713304c8bed29c03cb7629cdffebc253d0a01362052f55576fdaf89702fa33cedd ++Ctrl.hexxcghash = hexxcghash:8467d0335e6e254eb02253f97cd14c0221f1b21431a4ffe1c20675039d0ac26fa70a0c4bad639834d88d01f6c1ea878e ++Ctrl.hexsession_id = hexsession_id:9a100a5b0ad81f1c603e05c5d24415f2aa7031c0d92f16de15cab350bb1a2cf3639c6906f4e220e057deb966813bbb35 ++Ctrl.type = type:B ++Output = c13f22e0bd66a551 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008100a89b3f9628a4f984336377edc37d3bed4aa748fa0b0a6bc80c366e8ffdf0ccbbe07229c5f02394b230759d5255e3a7d7f63a2395e2f07e2d31bf885abaea150e1f97808f26f8fe8c5113c12e4d137844160a433f8451faaf432bd7c0469dbe713304c8bed29c03cb7629cdffebc253d0a01362052f55576fdaf89702fa33cedd ++Ctrl.hexxcghash = hexxcghash:8467d0335e6e254eb02253f97cd14c0221f1b21431a4ffe1c20675039d0ac26fa70a0c4bad639834d88d01f6c1ea878e ++Ctrl.hexsession_id = hexsession_id:9a100a5b0ad81f1c603e05c5d24415f2aa7031c0d92f16de15cab350bb1a2cf3639c6906f4e220e057deb966813bbb35 ++Ctrl.type = type:C ++Output = 2b9c9c8ecae95d75472495363ca2d46dc79babdb2e0fda40 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008100a89b3f9628a4f984336377edc37d3bed4aa748fa0b0a6bc80c366e8ffdf0ccbbe07229c5f02394b230759d5255e3a7d7f63a2395e2f07e2d31bf885abaea150e1f97808f26f8fe8c5113c12e4d137844160a433f8451faaf432bd7c0469dbe713304c8bed29c03cb7629cdffebc253d0a01362052f55576fdaf89702fa33cedd ++Ctrl.hexxcghash = hexxcghash:8467d0335e6e254eb02253f97cd14c0221f1b21431a4ffe1c20675039d0ac26fa70a0c4bad639834d88d01f6c1ea878e ++Ctrl.hexsession_id = hexsession_id:9a100a5b0ad81f1c603e05c5d24415f2aa7031c0d92f16de15cab350bb1a2cf3639c6906f4e220e057deb966813bbb35 ++Ctrl.type = type:D ++Output = f466d9b9871c1482c699a5d9f8636a041adb60920c6af855 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008100a89b3f9628a4f984336377edc37d3bed4aa748fa0b0a6bc80c366e8ffdf0ccbbe07229c5f02394b230759d5255e3a7d7f63a2395e2f07e2d31bf885abaea150e1f97808f26f8fe8c5113c12e4d137844160a433f8451faaf432bd7c0469dbe713304c8bed29c03cb7629cdffebc253d0a01362052f55576fdaf89702fa33cedd ++Ctrl.hexxcghash = hexxcghash:8467d0335e6e254eb02253f97cd14c0221f1b21431a4ffe1c20675039d0ac26fa70a0c4bad639834d88d01f6c1ea878e ++Ctrl.hexsession_id = hexsession_id:9a100a5b0ad81f1c603e05c5d24415f2aa7031c0d92f16de15cab350bb1a2cf3639c6906f4e220e057deb966813bbb35 ++Ctrl.type = type:E ++Output = 1ecda0252461bd08960c54ba7c570e80715780e5e99ca0f754a3d451409ed2df928daab91ed6b4044fcc68bd5f907c96 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008100a89b3f9628a4f984336377edc37d3bed4aa748fa0b0a6bc80c366e8ffdf0ccbbe07229c5f02394b230759d5255e3a7d7f63a2395e2f07e2d31bf885abaea150e1f97808f26f8fe8c5113c12e4d137844160a433f8451faaf432bd7c0469dbe713304c8bed29c03cb7629cdffebc253d0a01362052f55576fdaf89702fa33cedd ++Ctrl.hexxcghash = hexxcghash:8467d0335e6e254eb02253f97cd14c0221f1b21431a4ffe1c20675039d0ac26fa70a0c4bad639834d88d01f6c1ea878e ++Ctrl.hexsession_id = hexsession_id:9a100a5b0ad81f1c603e05c5d24415f2aa7031c0d92f16de15cab350bb1a2cf3639c6906f4e220e057deb966813bbb35 ++Ctrl.type = type:F ++Output = 202e4e3dda18306c7fa518ea849cf3a4788dbc5305f71267ba69fe8920d3b18d9fc59853a4d03b18480269698e24c190 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008100f6e899f2b7542fd95e88e06ff0a68e43df6f3d913f1295922bd01b98f7078b67311e002cafcb41a65262585a78b22ec97c81278f3f329d726f08fff23f4ce5b90abc694c92195fe7bc140579f54c6b89d81b836a8d3998446aab9055904ef1e0bb7553739d2351c8cfae0fbf50d8ced4bbd3975450569d0f9e441a3ed3aac776 ++Ctrl.hexxcghash = hexxcghash:1853bb0d312eb00d1c700d25ddaed9680ecf28eeefe9323566dc91ef42a85b2e3049286621f43b928e2b821e5605bf60 ++Ctrl.hexsession_id = hexsession_id:da7d22e3c7815b6a6089f381ddd957df3ed78e97902133d62d3ff6119d8c174b69cd26e627d6ccd98f847521aa0e3896 ++Ctrl.type = type:A ++Output = 86183fd862bf42af ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008100f6e899f2b7542fd95e88e06ff0a68e43df6f3d913f1295922bd01b98f7078b67311e002cafcb41a65262585a78b22ec97c81278f3f329d726f08fff23f4ce5b90abc694c92195fe7bc140579f54c6b89d81b836a8d3998446aab9055904ef1e0bb7553739d2351c8cfae0fbf50d8ced4bbd3975450569d0f9e441a3ed3aac776 ++Ctrl.hexxcghash = hexxcghash:1853bb0d312eb00d1c700d25ddaed9680ecf28eeefe9323566dc91ef42a85b2e3049286621f43b928e2b821e5605bf60 ++Ctrl.hexsession_id = hexsession_id:da7d22e3c7815b6a6089f381ddd957df3ed78e97902133d62d3ff6119d8c174b69cd26e627d6ccd98f847521aa0e3896 ++Ctrl.type = type:B ++Output = 04e146b085c71253 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008100f6e899f2b7542fd95e88e06ff0a68e43df6f3d913f1295922bd01b98f7078b67311e002cafcb41a65262585a78b22ec97c81278f3f329d726f08fff23f4ce5b90abc694c92195fe7bc140579f54c6b89d81b836a8d3998446aab9055904ef1e0bb7553739d2351c8cfae0fbf50d8ced4bbd3975450569d0f9e441a3ed3aac776 ++Ctrl.hexxcghash = hexxcghash:1853bb0d312eb00d1c700d25ddaed9680ecf28eeefe9323566dc91ef42a85b2e3049286621f43b928e2b821e5605bf60 ++Ctrl.hexsession_id = hexsession_id:da7d22e3c7815b6a6089f381ddd957df3ed78e97902133d62d3ff6119d8c174b69cd26e627d6ccd98f847521aa0e3896 ++Ctrl.type = type:C ++Output = c4364d4e0e38fe4c5fc2b2a3ad42e49a57106ffa962f4c5e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008100f6e899f2b7542fd95e88e06ff0a68e43df6f3d913f1295922bd01b98f7078b67311e002cafcb41a65262585a78b22ec97c81278f3f329d726f08fff23f4ce5b90abc694c92195fe7bc140579f54c6b89d81b836a8d3998446aab9055904ef1e0bb7553739d2351c8cfae0fbf50d8ced4bbd3975450569d0f9e441a3ed3aac776 ++Ctrl.hexxcghash = hexxcghash:1853bb0d312eb00d1c700d25ddaed9680ecf28eeefe9323566dc91ef42a85b2e3049286621f43b928e2b821e5605bf60 ++Ctrl.hexsession_id = hexsession_id:da7d22e3c7815b6a6089f381ddd957df3ed78e97902133d62d3ff6119d8c174b69cd26e627d6ccd98f847521aa0e3896 ++Ctrl.type = type:D ++Output = b9d1549032bf336c8708f13d8f5d281d696b8bddc296e709 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008100f6e899f2b7542fd95e88e06ff0a68e43df6f3d913f1295922bd01b98f7078b67311e002cafcb41a65262585a78b22ec97c81278f3f329d726f08fff23f4ce5b90abc694c92195fe7bc140579f54c6b89d81b836a8d3998446aab9055904ef1e0bb7553739d2351c8cfae0fbf50d8ced4bbd3975450569d0f9e441a3ed3aac776 ++Ctrl.hexxcghash = hexxcghash:1853bb0d312eb00d1c700d25ddaed9680ecf28eeefe9323566dc91ef42a85b2e3049286621f43b928e2b821e5605bf60 ++Ctrl.hexsession_id = hexsession_id:da7d22e3c7815b6a6089f381ddd957df3ed78e97902133d62d3ff6119d8c174b69cd26e627d6ccd98f847521aa0e3896 ++Ctrl.type = type:E ++Output = c7ee72c40b26fce673ff23edea3265dfeb7b7f6fd66362bbc91548fac1819a08682c65c7d69d5e54e1c48b05e7233adc ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008100f6e899f2b7542fd95e88e06ff0a68e43df6f3d913f1295922bd01b98f7078b67311e002cafcb41a65262585a78b22ec97c81278f3f329d726f08fff23f4ce5b90abc694c92195fe7bc140579f54c6b89d81b836a8d3998446aab9055904ef1e0bb7553739d2351c8cfae0fbf50d8ced4bbd3975450569d0f9e441a3ed3aac776 ++Ctrl.hexxcghash = hexxcghash:1853bb0d312eb00d1c700d25ddaed9680ecf28eeefe9323566dc91ef42a85b2e3049286621f43b928e2b821e5605bf60 ++Ctrl.hexsession_id = hexsession_id:da7d22e3c7815b6a6089f381ddd957df3ed78e97902133d62d3ff6119d8c174b69cd26e627d6ccd98f847521aa0e3896 ++Ctrl.type = type:F ++Output = 8b52078a6d45dfaa051193da8f9c8a18bfd0c058e7be145d0c4b5b677eec54a01f9e2a20c997e9c0a1ede9576800cfe5 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008008483322bb2efee6320ba1fe14f296e0b170f9a0c6f76a49d0b23abb74251da468b53fb86ddbbc55a5c4881686d1aaa9b309b65907d92352c83597126cf7e3d367f543c8887105403d9b2ba86cf2bbafd4a984dfe8ebb7b8155c51d6416c89b4efb91ef5953b0e54dbcdbe76443a80e5cd011d7d6c9bc69ec81a19749b95f6c0 ++Ctrl.hexxcghash = hexxcghash:ed7b1464334bb8a04d128b791cd860c1546faaf860aff394872373f5ccac0835b47cfeb8c3d049b211cb7b570bcc1f83 ++Ctrl.hexsession_id = hexsession_id:cac7b46b66372be67b4ce198311faed9ddc8f8b95f6c61d8c71a1788724ab6b8d159e2ba61f937e6d87bbb9cb24a9fe7 ++Ctrl.type = type:A ++Output = 54f4be4a33dfa102 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008008483322bb2efee6320ba1fe14f296e0b170f9a0c6f76a49d0b23abb74251da468b53fb86ddbbc55a5c4881686d1aaa9b309b65907d92352c83597126cf7e3d367f543c8887105403d9b2ba86cf2bbafd4a984dfe8ebb7b8155c51d6416c89b4efb91ef5953b0e54dbcdbe76443a80e5cd011d7d6c9bc69ec81a19749b95f6c0 ++Ctrl.hexxcghash = hexxcghash:ed7b1464334bb8a04d128b791cd860c1546faaf860aff394872373f5ccac0835b47cfeb8c3d049b211cb7b570bcc1f83 ++Ctrl.hexsession_id = hexsession_id:cac7b46b66372be67b4ce198311faed9ddc8f8b95f6c61d8c71a1788724ab6b8d159e2ba61f937e6d87bbb9cb24a9fe7 ++Ctrl.type = type:B ++Output = bbb084483803aab4 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008008483322bb2efee6320ba1fe14f296e0b170f9a0c6f76a49d0b23abb74251da468b53fb86ddbbc55a5c4881686d1aaa9b309b65907d92352c83597126cf7e3d367f543c8887105403d9b2ba86cf2bbafd4a984dfe8ebb7b8155c51d6416c89b4efb91ef5953b0e54dbcdbe76443a80e5cd011d7d6c9bc69ec81a19749b95f6c0 ++Ctrl.hexxcghash = hexxcghash:ed7b1464334bb8a04d128b791cd860c1546faaf860aff394872373f5ccac0835b47cfeb8c3d049b211cb7b570bcc1f83 ++Ctrl.hexsession_id = hexsession_id:cac7b46b66372be67b4ce198311faed9ddc8f8b95f6c61d8c71a1788724ab6b8d159e2ba61f937e6d87bbb9cb24a9fe7 ++Ctrl.type = type:C ++Output = 466a038b3a5c0d72cf19cf33e5a551437933dad54bfed655 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008008483322bb2efee6320ba1fe14f296e0b170f9a0c6f76a49d0b23abb74251da468b53fb86ddbbc55a5c4881686d1aaa9b309b65907d92352c83597126cf7e3d367f543c8887105403d9b2ba86cf2bbafd4a984dfe8ebb7b8155c51d6416c89b4efb91ef5953b0e54dbcdbe76443a80e5cd011d7d6c9bc69ec81a19749b95f6c0 ++Ctrl.hexxcghash = hexxcghash:ed7b1464334bb8a04d128b791cd860c1546faaf860aff394872373f5ccac0835b47cfeb8c3d049b211cb7b570bcc1f83 ++Ctrl.hexsession_id = hexsession_id:cac7b46b66372be67b4ce198311faed9ddc8f8b95f6c61d8c71a1788724ab6b8d159e2ba61f937e6d87bbb9cb24a9fe7 ++Ctrl.type = type:D ++Output = 44e09698e473edc642256e99bfbfbeab1db3e254d64a3ab7 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008008483322bb2efee6320ba1fe14f296e0b170f9a0c6f76a49d0b23abb74251da468b53fb86ddbbc55a5c4881686d1aaa9b309b65907d92352c83597126cf7e3d367f543c8887105403d9b2ba86cf2bbafd4a984dfe8ebb7b8155c51d6416c89b4efb91ef5953b0e54dbcdbe76443a80e5cd011d7d6c9bc69ec81a19749b95f6c0 ++Ctrl.hexxcghash = hexxcghash:ed7b1464334bb8a04d128b791cd860c1546faaf860aff394872373f5ccac0835b47cfeb8c3d049b211cb7b570bcc1f83 ++Ctrl.hexsession_id = hexsession_id:cac7b46b66372be67b4ce198311faed9ddc8f8b95f6c61d8c71a1788724ab6b8d159e2ba61f937e6d87bbb9cb24a9fe7 ++Ctrl.type = type:E ++Output = 8e35d767e738c4282ec1925ba5d59dad723b7220c10ae8b69c9eb3da124ac1bea8195f5ecc1c3b03953938cd1e0e190b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000008008483322bb2efee6320ba1fe14f296e0b170f9a0c6f76a49d0b23abb74251da468b53fb86ddbbc55a5c4881686d1aaa9b309b65907d92352c83597126cf7e3d367f543c8887105403d9b2ba86cf2bbafd4a984dfe8ebb7b8155c51d6416c89b4efb91ef5953b0e54dbcdbe76443a80e5cd011d7d6c9bc69ec81a19749b95f6c0 ++Ctrl.hexxcghash = hexxcghash:ed7b1464334bb8a04d128b791cd860c1546faaf860aff394872373f5ccac0835b47cfeb8c3d049b211cb7b570bcc1f83 ++Ctrl.hexsession_id = hexsession_id:cac7b46b66372be67b4ce198311faed9ddc8f8b95f6c61d8c71a1788724ab6b8d159e2ba61f937e6d87bbb9cb24a9fe7 ++Ctrl.type = type:F ++Output = 63e5c62c4e6f2700bfa5927ca2e730101c12a684808ddd6cf5f9da2bad3b49ba3d05d4f88a3a91f341ad2b63952e7db0 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:00000101008174aa2fab9372c253f3b993d723b55a2484430fb338095852b7a5099f9d609ca6afa6bff9d64a55f7ef0963c684f0d17ec6045ce57ce3382870d55fcac0e1341fb47a7f76f0d5d53b67fd5e0658ecb88ae2e2e42aa4b83b8cfcce9faae941450ace059a7f223623d1c8a9924638de7eebad35be9c9f1bf38aea041114351d585a1988ba53cccc6949150f367fd790fc427916afa2cccd1d2f1aa8583b948dfe56cf488b38ec2d2570a0e0441c07ccec8b5b4db5f60250741b1aeb0bf49a85cc779ad7465f0c197735698842be2a39af8591ab91c84b704e67e50cbcdb75c2799aaeba0184341dd520f6db8477f13d5815d37f191ccb20545e4a1eaca316370a ++Ctrl.hexxcghash = hexxcghash:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e ++Ctrl.hexsession_id = hexsession_id:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e ++Ctrl.type = type:A ++Output = e46fdb8c912658c34b7d509f6acc1111 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:00000101008174aa2fab9372c253f3b993d723b55a2484430fb338095852b7a5099f9d609ca6afa6bff9d64a55f7ef0963c684f0d17ec6045ce57ce3382870d55fcac0e1341fb47a7f76f0d5d53b67fd5e0658ecb88ae2e2e42aa4b83b8cfcce9faae941450ace059a7f223623d1c8a9924638de7eebad35be9c9f1bf38aea041114351d585a1988ba53cccc6949150f367fd790fc427916afa2cccd1d2f1aa8583b948dfe56cf488b38ec2d2570a0e0441c07ccec8b5b4db5f60250741b1aeb0bf49a85cc779ad7465f0c197735698842be2a39af8591ab91c84b704e67e50cbcdb75c2799aaeba0184341dd520f6db8477f13d5815d37f191ccb20545e4a1eaca316370a ++Ctrl.hexxcghash = hexxcghash:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e ++Ctrl.hexsession_id = hexsession_id:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e ++Ctrl.type = type:B ++Output = 959c339aaff2e2ed46da46c5286ddf3b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:00000101008174aa2fab9372c253f3b993d723b55a2484430fb338095852b7a5099f9d609ca6afa6bff9d64a55f7ef0963c684f0d17ec6045ce57ce3382870d55fcac0e1341fb47a7f76f0d5d53b67fd5e0658ecb88ae2e2e42aa4b83b8cfcce9faae941450ace059a7f223623d1c8a9924638de7eebad35be9c9f1bf38aea041114351d585a1988ba53cccc6949150f367fd790fc427916afa2cccd1d2f1aa8583b948dfe56cf488b38ec2d2570a0e0441c07ccec8b5b4db5f60250741b1aeb0bf49a85cc779ad7465f0c197735698842be2a39af8591ab91c84b704e67e50cbcdb75c2799aaeba0184341dd520f6db8477f13d5815d37f191ccb20545e4a1eaca316370a ++Ctrl.hexxcghash = hexxcghash:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e ++Ctrl.hexsession_id = hexsession_id:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e ++Ctrl.type = type:C ++Output = a1cb0f9c7349d6443494df14b4bd9aad ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:00000101008174aa2fab9372c253f3b993d723b55a2484430fb338095852b7a5099f9d609ca6afa6bff9d64a55f7ef0963c684f0d17ec6045ce57ce3382870d55fcac0e1341fb47a7f76f0d5d53b67fd5e0658ecb88ae2e2e42aa4b83b8cfcce9faae941450ace059a7f223623d1c8a9924638de7eebad35be9c9f1bf38aea041114351d585a1988ba53cccc6949150f367fd790fc427916afa2cccd1d2f1aa8583b948dfe56cf488b38ec2d2570a0e0441c07ccec8b5b4db5f60250741b1aeb0bf49a85cc779ad7465f0c197735698842be2a39af8591ab91c84b704e67e50cbcdb75c2799aaeba0184341dd520f6db8477f13d5815d37f191ccb20545e4a1eaca316370a ++Ctrl.hexxcghash = hexxcghash:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e ++Ctrl.hexsession_id = hexsession_id:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e ++Ctrl.type = type:D ++Output = cdcd2c2ccbda238e184058b76757ed5d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:00000101008174aa2fab9372c253f3b993d723b55a2484430fb338095852b7a5099f9d609ca6afa6bff9d64a55f7ef0963c684f0d17ec6045ce57ce3382870d55fcac0e1341fb47a7f76f0d5d53b67fd5e0658ecb88ae2e2e42aa4b83b8cfcce9faae941450ace059a7f223623d1c8a9924638de7eebad35be9c9f1bf38aea041114351d585a1988ba53cccc6949150f367fd790fc427916afa2cccd1d2f1aa8583b948dfe56cf488b38ec2d2570a0e0441c07ccec8b5b4db5f60250741b1aeb0bf49a85cc779ad7465f0c197735698842be2a39af8591ab91c84b704e67e50cbcdb75c2799aaeba0184341dd520f6db8477f13d5815d37f191ccb20545e4a1eaca316370a ++Ctrl.hexxcghash = hexxcghash:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e ++Ctrl.hexsession_id = hexsession_id:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e ++Ctrl.type = type:E ++Output = 026ae927b4a5b63a513c02faac55534dae5c219779f08e239f67df78c52be743aab628607e5a103127450ea51833eb84 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:00000101008174aa2fab9372c253f3b993d723b55a2484430fb338095852b7a5099f9d609ca6afa6bff9d64a55f7ef0963c684f0d17ec6045ce57ce3382870d55fcac0e1341fb47a7f76f0d5d53b67fd5e0658ecb88ae2e2e42aa4b83b8cfcce9faae941450ace059a7f223623d1c8a9924638de7eebad35be9c9f1bf38aea041114351d585a1988ba53cccc6949150f367fd790fc427916afa2cccd1d2f1aa8583b948dfe56cf488b38ec2d2570a0e0441c07ccec8b5b4db5f60250741b1aeb0bf49a85cc779ad7465f0c197735698842be2a39af8591ab91c84b704e67e50cbcdb75c2799aaeba0184341dd520f6db8477f13d5815d37f191ccb20545e4a1eaca316370a ++Ctrl.hexxcghash = hexxcghash:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e ++Ctrl.hexsession_id = hexsession_id:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e ++Ctrl.type = type:F ++Output = 759fd6bd386f4825e644521edfce4187a7104ea7380f2c6c5e283f205c7c025be46c5ee73bc54a956f268c2031026bf6 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100c10fff0a20858c36e41082abaa65b96c5424ab67563882a42237258e736b5cfbdb2867df55f8c40f81b34e8c4c55d39c4629dc2d833257dc68070a61d10417487ef0840b76169145402327ae81f35cbddae6c2a45d52f52f48a0c94acdb20db076393b5b1e3d1a7acee3f371bdaccfee696262eecd20238cc54322e6ca72e58708aeb19bf761054d9f7426e4ea0059bd252beee03dcad1a7d6d034b4d9d307218bb3d7bee3a57572ded304df1dd8f97ed9550ebb0f5c25ee3f8c6df3dfc2aac92f364ec91040d001c5cb1eee33c1d43112e5a289b46706c7f12a327620cd98fbce2e7fe7b7bd0e05ee0005182c35ded65ee1d86aefe816e5894e07536697a7db ++Ctrl.hexxcghash = hexxcghash:62b3155ba0c160f838a6949d0a99b144868a7b247c583a53f431129e39aebd40e2feb4dbac7527f993ccf1646d559134 ++Ctrl.hexsession_id = hexsession_id:7e4674330fb6987b64ef7f30335d171676c705a6b9ed958adc6b6fd16949830d3f586eec44812d0518cc3ebd4292b422 ++Ctrl.type = type:A ++Output = a433ac21ceda36a9d98abec722b2a5e7 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100c10fff0a20858c36e41082abaa65b96c5424ab67563882a42237258e736b5cfbdb2867df55f8c40f81b34e8c4c55d39c4629dc2d833257dc68070a61d10417487ef0840b76169145402327ae81f35cbddae6c2a45d52f52f48a0c94acdb20db076393b5b1e3d1a7acee3f371bdaccfee696262eecd20238cc54322e6ca72e58708aeb19bf761054d9f7426e4ea0059bd252beee03dcad1a7d6d034b4d9d307218bb3d7bee3a57572ded304df1dd8f97ed9550ebb0f5c25ee3f8c6df3dfc2aac92f364ec91040d001c5cb1eee33c1d43112e5a289b46706c7f12a327620cd98fbce2e7fe7b7bd0e05ee0005182c35ded65ee1d86aefe816e5894e07536697a7db ++Ctrl.hexxcghash = hexxcghash:62b3155ba0c160f838a6949d0a99b144868a7b247c583a53f431129e39aebd40e2feb4dbac7527f993ccf1646d559134 ++Ctrl.hexsession_id = hexsession_id:7e4674330fb6987b64ef7f30335d171676c705a6b9ed958adc6b6fd16949830d3f586eec44812d0518cc3ebd4292b422 ++Ctrl.type = type:B ++Output = ed580c2c7890d5f3da87870d71d96300 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100c10fff0a20858c36e41082abaa65b96c5424ab67563882a42237258e736b5cfbdb2867df55f8c40f81b34e8c4c55d39c4629dc2d833257dc68070a61d10417487ef0840b76169145402327ae81f35cbddae6c2a45d52f52f48a0c94acdb20db076393b5b1e3d1a7acee3f371bdaccfee696262eecd20238cc54322e6ca72e58708aeb19bf761054d9f7426e4ea0059bd252beee03dcad1a7d6d034b4d9d307218bb3d7bee3a57572ded304df1dd8f97ed9550ebb0f5c25ee3f8c6df3dfc2aac92f364ec91040d001c5cb1eee33c1d43112e5a289b46706c7f12a327620cd98fbce2e7fe7b7bd0e05ee0005182c35ded65ee1d86aefe816e5894e07536697a7db ++Ctrl.hexxcghash = hexxcghash:62b3155ba0c160f838a6949d0a99b144868a7b247c583a53f431129e39aebd40e2feb4dbac7527f993ccf1646d559134 ++Ctrl.hexsession_id = hexsession_id:7e4674330fb6987b64ef7f30335d171676c705a6b9ed958adc6b6fd16949830d3f586eec44812d0518cc3ebd4292b422 ++Ctrl.type = type:C ++Output = b310304108476a31154febce2bfcf44e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100c10fff0a20858c36e41082abaa65b96c5424ab67563882a42237258e736b5cfbdb2867df55f8c40f81b34e8c4c55d39c4629dc2d833257dc68070a61d10417487ef0840b76169145402327ae81f35cbddae6c2a45d52f52f48a0c94acdb20db076393b5b1e3d1a7acee3f371bdaccfee696262eecd20238cc54322e6ca72e58708aeb19bf761054d9f7426e4ea0059bd252beee03dcad1a7d6d034b4d9d307218bb3d7bee3a57572ded304df1dd8f97ed9550ebb0f5c25ee3f8c6df3dfc2aac92f364ec91040d001c5cb1eee33c1d43112e5a289b46706c7f12a327620cd98fbce2e7fe7b7bd0e05ee0005182c35ded65ee1d86aefe816e5894e07536697a7db ++Ctrl.hexxcghash = hexxcghash:62b3155ba0c160f838a6949d0a99b144868a7b247c583a53f431129e39aebd40e2feb4dbac7527f993ccf1646d559134 ++Ctrl.hexsession_id = hexsession_id:7e4674330fb6987b64ef7f30335d171676c705a6b9ed958adc6b6fd16949830d3f586eec44812d0518cc3ebd4292b422 ++Ctrl.type = type:D ++Output = 63d729b0e32d9d7efe7efdc6111489b7 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100c10fff0a20858c36e41082abaa65b96c5424ab67563882a42237258e736b5cfbdb2867df55f8c40f81b34e8c4c55d39c4629dc2d833257dc68070a61d10417487ef0840b76169145402327ae81f35cbddae6c2a45d52f52f48a0c94acdb20db076393b5b1e3d1a7acee3f371bdaccfee696262eecd20238cc54322e6ca72e58708aeb19bf761054d9f7426e4ea0059bd252beee03dcad1a7d6d034b4d9d307218bb3d7bee3a57572ded304df1dd8f97ed9550ebb0f5c25ee3f8c6df3dfc2aac92f364ec91040d001c5cb1eee33c1d43112e5a289b46706c7f12a327620cd98fbce2e7fe7b7bd0e05ee0005182c35ded65ee1d86aefe816e5894e07536697a7db ++Ctrl.hexxcghash = hexxcghash:62b3155ba0c160f838a6949d0a99b144868a7b247c583a53f431129e39aebd40e2feb4dbac7527f993ccf1646d559134 ++Ctrl.hexsession_id = hexsession_id:7e4674330fb6987b64ef7f30335d171676c705a6b9ed958adc6b6fd16949830d3f586eec44812d0518cc3ebd4292b422 ++Ctrl.type = type:E ++Output = 7443a278e0c47e4004ba1c534dfa5c460670d2dd4459a6dc7251664da187f633208f6c06470f6aed6148820187f35a25 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100c10fff0a20858c36e41082abaa65b96c5424ab67563882a42237258e736b5cfbdb2867df55f8c40f81b34e8c4c55d39c4629dc2d833257dc68070a61d10417487ef0840b76169145402327ae81f35cbddae6c2a45d52f52f48a0c94acdb20db076393b5b1e3d1a7acee3f371bdaccfee696262eecd20238cc54322e6ca72e58708aeb19bf761054d9f7426e4ea0059bd252beee03dcad1a7d6d034b4d9d307218bb3d7bee3a57572ded304df1dd8f97ed9550ebb0f5c25ee3f8c6df3dfc2aac92f364ec91040d001c5cb1eee33c1d43112e5a289b46706c7f12a327620cd98fbce2e7fe7b7bd0e05ee0005182c35ded65ee1d86aefe816e5894e07536697a7db ++Ctrl.hexxcghash = hexxcghash:62b3155ba0c160f838a6949d0a99b144868a7b247c583a53f431129e39aebd40e2feb4dbac7527f993ccf1646d559134 ++Ctrl.hexsession_id = hexsession_id:7e4674330fb6987b64ef7f30335d171676c705a6b9ed958adc6b6fd16949830d3f586eec44812d0518cc3ebd4292b422 ++Ctrl.type = type:F ++Output = 37500b699935ab38b9185018d3676f221dcd6643ba4cf3dccf8ede7ba2f0513c27ad2324158ae98df4e7fb52ffb96526 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100c9d019aa8ab57cdbd1600def08b92f4a90b8ddb1c3fd329475e28ad9388525d5a813756472458bed674332a649c56eecb6cbba726b9afcfd9ce1f490bf327de49978b34fb106ae1ab4ece2f241e0b67ddf03bf835aa2dcc5cde5aca913d2a5ed74d1ad0e945169f10772d830fa5c33c7f7d543e2d2ac09fa03ff1509b94977cc0dcb8a464104a3e8d9f99cbefac4361b92517f14eda2558d572ae7410a78962e596c542a20d3aeb49cf41b48b54b387dea7c24c72edfd656bcb64c605b741c7b03892020ca2ff34e0b13534228bd83c9c3ffbfa219602041ac4238904bd782da7e3c653f518891f7ac1e7b05b7e37baab18eb54e8de76dfa8c803a0df843a28e ++Ctrl.hexxcghash = hexxcghash:a970acc5597f7965dcc540dac7cefde594c0232180187a32364b42dbb8d0307f8c3f52678e303e2f315b2ba1cf62863a ++Ctrl.hexsession_id = hexsession_id:bad9943e089550d17b90f2a34409660c07a39be5d48a77d8e1ad25726c93096081831c24e876060cb96def95df9a7fcd ++Ctrl.type = type:A ++Output = 8ad38b03467ef0cac638f93b156e1c05 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100c9d019aa8ab57cdbd1600def08b92f4a90b8ddb1c3fd329475e28ad9388525d5a813756472458bed674332a649c56eecb6cbba726b9afcfd9ce1f490bf327de49978b34fb106ae1ab4ece2f241e0b67ddf03bf835aa2dcc5cde5aca913d2a5ed74d1ad0e945169f10772d830fa5c33c7f7d543e2d2ac09fa03ff1509b94977cc0dcb8a464104a3e8d9f99cbefac4361b92517f14eda2558d572ae7410a78962e596c542a20d3aeb49cf41b48b54b387dea7c24c72edfd656bcb64c605b741c7b03892020ca2ff34e0b13534228bd83c9c3ffbfa219602041ac4238904bd782da7e3c653f518891f7ac1e7b05b7e37baab18eb54e8de76dfa8c803a0df843a28e ++Ctrl.hexxcghash = hexxcghash:a970acc5597f7965dcc540dac7cefde594c0232180187a32364b42dbb8d0307f8c3f52678e303e2f315b2ba1cf62863a ++Ctrl.hexsession_id = hexsession_id:bad9943e089550d17b90f2a34409660c07a39be5d48a77d8e1ad25726c93096081831c24e876060cb96def95df9a7fcd ++Ctrl.type = type:B ++Output = c9a867164cad7619621c2390039db88f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100c9d019aa8ab57cdbd1600def08b92f4a90b8ddb1c3fd329475e28ad9388525d5a813756472458bed674332a649c56eecb6cbba726b9afcfd9ce1f490bf327de49978b34fb106ae1ab4ece2f241e0b67ddf03bf835aa2dcc5cde5aca913d2a5ed74d1ad0e945169f10772d830fa5c33c7f7d543e2d2ac09fa03ff1509b94977cc0dcb8a464104a3e8d9f99cbefac4361b92517f14eda2558d572ae7410a78962e596c542a20d3aeb49cf41b48b54b387dea7c24c72edfd656bcb64c605b741c7b03892020ca2ff34e0b13534228bd83c9c3ffbfa219602041ac4238904bd782da7e3c653f518891f7ac1e7b05b7e37baab18eb54e8de76dfa8c803a0df843a28e ++Ctrl.hexxcghash = hexxcghash:a970acc5597f7965dcc540dac7cefde594c0232180187a32364b42dbb8d0307f8c3f52678e303e2f315b2ba1cf62863a ++Ctrl.hexsession_id = hexsession_id:bad9943e089550d17b90f2a34409660c07a39be5d48a77d8e1ad25726c93096081831c24e876060cb96def95df9a7fcd ++Ctrl.type = type:C ++Output = 28d6e6a69e686b3b2ca02c7595b6a565 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100c9d019aa8ab57cdbd1600def08b92f4a90b8ddb1c3fd329475e28ad9388525d5a813756472458bed674332a649c56eecb6cbba726b9afcfd9ce1f490bf327de49978b34fb106ae1ab4ece2f241e0b67ddf03bf835aa2dcc5cde5aca913d2a5ed74d1ad0e945169f10772d830fa5c33c7f7d543e2d2ac09fa03ff1509b94977cc0dcb8a464104a3e8d9f99cbefac4361b92517f14eda2558d572ae7410a78962e596c542a20d3aeb49cf41b48b54b387dea7c24c72edfd656bcb64c605b741c7b03892020ca2ff34e0b13534228bd83c9c3ffbfa219602041ac4238904bd782da7e3c653f518891f7ac1e7b05b7e37baab18eb54e8de76dfa8c803a0df843a28e ++Ctrl.hexxcghash = hexxcghash:a970acc5597f7965dcc540dac7cefde594c0232180187a32364b42dbb8d0307f8c3f52678e303e2f315b2ba1cf62863a ++Ctrl.hexsession_id = hexsession_id:bad9943e089550d17b90f2a34409660c07a39be5d48a77d8e1ad25726c93096081831c24e876060cb96def95df9a7fcd ++Ctrl.type = type:D ++Output = a3486f9014731b15530dba7498d4b2ff ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100c9d019aa8ab57cdbd1600def08b92f4a90b8ddb1c3fd329475e28ad9388525d5a813756472458bed674332a649c56eecb6cbba726b9afcfd9ce1f490bf327de49978b34fb106ae1ab4ece2f241e0b67ddf03bf835aa2dcc5cde5aca913d2a5ed74d1ad0e945169f10772d830fa5c33c7f7d543e2d2ac09fa03ff1509b94977cc0dcb8a464104a3e8d9f99cbefac4361b92517f14eda2558d572ae7410a78962e596c542a20d3aeb49cf41b48b54b387dea7c24c72edfd656bcb64c605b741c7b03892020ca2ff34e0b13534228bd83c9c3ffbfa219602041ac4238904bd782da7e3c653f518891f7ac1e7b05b7e37baab18eb54e8de76dfa8c803a0df843a28e ++Ctrl.hexxcghash = hexxcghash:a970acc5597f7965dcc540dac7cefde594c0232180187a32364b42dbb8d0307f8c3f52678e303e2f315b2ba1cf62863a ++Ctrl.hexsession_id = hexsession_id:bad9943e089550d17b90f2a34409660c07a39be5d48a77d8e1ad25726c93096081831c24e876060cb96def95df9a7fcd ++Ctrl.type = type:E ++Output = 9640b7d6c1351a44dcd430f9728083949adbd8f3c47f1c7358b41d99730f0eeef9f8634cc99207b8d998c8aeb0085e4c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100c9d019aa8ab57cdbd1600def08b92f4a90b8ddb1c3fd329475e28ad9388525d5a813756472458bed674332a649c56eecb6cbba726b9afcfd9ce1f490bf327de49978b34fb106ae1ab4ece2f241e0b67ddf03bf835aa2dcc5cde5aca913d2a5ed74d1ad0e945169f10772d830fa5c33c7f7d543e2d2ac09fa03ff1509b94977cc0dcb8a464104a3e8d9f99cbefac4361b92517f14eda2558d572ae7410a78962e596c542a20d3aeb49cf41b48b54b387dea7c24c72edfd656bcb64c605b741c7b03892020ca2ff34e0b13534228bd83c9c3ffbfa219602041ac4238904bd782da7e3c653f518891f7ac1e7b05b7e37baab18eb54e8de76dfa8c803a0df843a28e ++Ctrl.hexxcghash = hexxcghash:a970acc5597f7965dcc540dac7cefde594c0232180187a32364b42dbb8d0307f8c3f52678e303e2f315b2ba1cf62863a ++Ctrl.hexsession_id = hexsession_id:bad9943e089550d17b90f2a34409660c07a39be5d48a77d8e1ad25726c93096081831c24e876060cb96def95df9a7fcd ++Ctrl.type = type:F ++Output = cef923f7cbc47534d9a6da613eea02117b19800995f66df9e49291203ad15e5d29cc08df86200bf09ca091b37cc45432 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100ba6b819aa094b3b9a2e93d37eda5df776720cce40858790532b8ab0de613b8e20efcef330eaa9e4ab290fd670b8f8ab1e2fc217d575655a7c39740ce223675a4376bd039f24165d83268a3e3a5b6e05f1b077dc752c90781d0cd6877c91c1fc865586bf661f28cbded4266f1b9364ae7233e6003b47088cb50f81a631d4b1d200f8c38455ad2217eaf03b6e0a0861aeebe28ef0fcbac5526bd06ebcc44f67de9b908f0359076527f6ff7bb959b3adfc9ac82728d7627bf506ffb2f8742ae28ce3ca7402c25b1cd3dac6781776a35549480ff537c33f63796dd5de4c64e1ff5546689d8f398be911707e0b5d347b8456e89eb2262270ee1de85902b7deb60b02b ++Ctrl.hexxcghash = hexxcghash:e94db0c0969c8f09c1c0d63fcca9f316ae85a0c034f118958c714fa165ac71a86bbcc7a4c017c11b9558bda897455f99 ++Ctrl.hexsession_id = hexsession_id:a01426386ce69a9a9f101394e831dc9d17a6dc901349f3c3f4269788f5c5e20316c233d7632005b1771e5bc2f5ddf4c2 ++Ctrl.type = type:A ++Output = 1e2fd838058e4569de0699e57eb9bb30 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100ba6b819aa094b3b9a2e93d37eda5df776720cce40858790532b8ab0de613b8e20efcef330eaa9e4ab290fd670b8f8ab1e2fc217d575655a7c39740ce223675a4376bd039f24165d83268a3e3a5b6e05f1b077dc752c90781d0cd6877c91c1fc865586bf661f28cbded4266f1b9364ae7233e6003b47088cb50f81a631d4b1d200f8c38455ad2217eaf03b6e0a0861aeebe28ef0fcbac5526bd06ebcc44f67de9b908f0359076527f6ff7bb959b3adfc9ac82728d7627bf506ffb2f8742ae28ce3ca7402c25b1cd3dac6781776a35549480ff537c33f63796dd5de4c64e1ff5546689d8f398be911707e0b5d347b8456e89eb2262270ee1de85902b7deb60b02b ++Ctrl.hexxcghash = hexxcghash:e94db0c0969c8f09c1c0d63fcca9f316ae85a0c034f118958c714fa165ac71a86bbcc7a4c017c11b9558bda897455f99 ++Ctrl.hexsession_id = hexsession_id:a01426386ce69a9a9f101394e831dc9d17a6dc901349f3c3f4269788f5c5e20316c233d7632005b1771e5bc2f5ddf4c2 ++Ctrl.type = type:B ++Output = d338052b2288e99bfdd16b5df26e3d3c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100ba6b819aa094b3b9a2e93d37eda5df776720cce40858790532b8ab0de613b8e20efcef330eaa9e4ab290fd670b8f8ab1e2fc217d575655a7c39740ce223675a4376bd039f24165d83268a3e3a5b6e05f1b077dc752c90781d0cd6877c91c1fc865586bf661f28cbded4266f1b9364ae7233e6003b47088cb50f81a631d4b1d200f8c38455ad2217eaf03b6e0a0861aeebe28ef0fcbac5526bd06ebcc44f67de9b908f0359076527f6ff7bb959b3adfc9ac82728d7627bf506ffb2f8742ae28ce3ca7402c25b1cd3dac6781776a35549480ff537c33f63796dd5de4c64e1ff5546689d8f398be911707e0b5d347b8456e89eb2262270ee1de85902b7deb60b02b ++Ctrl.hexxcghash = hexxcghash:e94db0c0969c8f09c1c0d63fcca9f316ae85a0c034f118958c714fa165ac71a86bbcc7a4c017c11b9558bda897455f99 ++Ctrl.hexsession_id = hexsession_id:a01426386ce69a9a9f101394e831dc9d17a6dc901349f3c3f4269788f5c5e20316c233d7632005b1771e5bc2f5ddf4c2 ++Ctrl.type = type:C ++Output = 020c58037db045fc2a20a9b12e34205d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100ba6b819aa094b3b9a2e93d37eda5df776720cce40858790532b8ab0de613b8e20efcef330eaa9e4ab290fd670b8f8ab1e2fc217d575655a7c39740ce223675a4376bd039f24165d83268a3e3a5b6e05f1b077dc752c90781d0cd6877c91c1fc865586bf661f28cbded4266f1b9364ae7233e6003b47088cb50f81a631d4b1d200f8c38455ad2217eaf03b6e0a0861aeebe28ef0fcbac5526bd06ebcc44f67de9b908f0359076527f6ff7bb959b3adfc9ac82728d7627bf506ffb2f8742ae28ce3ca7402c25b1cd3dac6781776a35549480ff537c33f63796dd5de4c64e1ff5546689d8f398be911707e0b5d347b8456e89eb2262270ee1de85902b7deb60b02b ++Ctrl.hexxcghash = hexxcghash:e94db0c0969c8f09c1c0d63fcca9f316ae85a0c034f118958c714fa165ac71a86bbcc7a4c017c11b9558bda897455f99 ++Ctrl.hexsession_id = hexsession_id:a01426386ce69a9a9f101394e831dc9d17a6dc901349f3c3f4269788f5c5e20316c233d7632005b1771e5bc2f5ddf4c2 ++Ctrl.type = type:D ++Output = b1e7b4361aaea7f9656151723c21b9a2 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100ba6b819aa094b3b9a2e93d37eda5df776720cce40858790532b8ab0de613b8e20efcef330eaa9e4ab290fd670b8f8ab1e2fc217d575655a7c39740ce223675a4376bd039f24165d83268a3e3a5b6e05f1b077dc752c90781d0cd6877c91c1fc865586bf661f28cbded4266f1b9364ae7233e6003b47088cb50f81a631d4b1d200f8c38455ad2217eaf03b6e0a0861aeebe28ef0fcbac5526bd06ebcc44f67de9b908f0359076527f6ff7bb959b3adfc9ac82728d7627bf506ffb2f8742ae28ce3ca7402c25b1cd3dac6781776a35549480ff537c33f63796dd5de4c64e1ff5546689d8f398be911707e0b5d347b8456e89eb2262270ee1de85902b7deb60b02b ++Ctrl.hexxcghash = hexxcghash:e94db0c0969c8f09c1c0d63fcca9f316ae85a0c034f118958c714fa165ac71a86bbcc7a4c017c11b9558bda897455f99 ++Ctrl.hexsession_id = hexsession_id:a01426386ce69a9a9f101394e831dc9d17a6dc901349f3c3f4269788f5c5e20316c233d7632005b1771e5bc2f5ddf4c2 ++Ctrl.type = type:E ++Output = 67d80666ba420d07153530859fed5a3a2f4b6decd37575714d4826f41a96a1638b89399cdd752af7f6ffd3db0214f0c1 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100ba6b819aa094b3b9a2e93d37eda5df776720cce40858790532b8ab0de613b8e20efcef330eaa9e4ab290fd670b8f8ab1e2fc217d575655a7c39740ce223675a4376bd039f24165d83268a3e3a5b6e05f1b077dc752c90781d0cd6877c91c1fc865586bf661f28cbded4266f1b9364ae7233e6003b47088cb50f81a631d4b1d200f8c38455ad2217eaf03b6e0a0861aeebe28ef0fcbac5526bd06ebcc44f67de9b908f0359076527f6ff7bb959b3adfc9ac82728d7627bf506ffb2f8742ae28ce3ca7402c25b1cd3dac6781776a35549480ff537c33f63796dd5de4c64e1ff5546689d8f398be911707e0b5d347b8456e89eb2262270ee1de85902b7deb60b02b ++Ctrl.hexxcghash = hexxcghash:e94db0c0969c8f09c1c0d63fcca9f316ae85a0c034f118958c714fa165ac71a86bbcc7a4c017c11b9558bda897455f99 ++Ctrl.hexsession_id = hexsession_id:a01426386ce69a9a9f101394e831dc9d17a6dc901349f3c3f4269788f5c5e20316c233d7632005b1771e5bc2f5ddf4c2 ++Ctrl.type = type:F ++Output = c3fb2ab670e39885cbb98a4609d69a90afd37d383512ad222d63c9c6f1009e2a42065a232ab5b39f55247f8bf9e6ab2c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001001b9f110b05461796db3a0b751638b552e62a062d7b891591ac75e237d47f5f12d97a5d19be0718c8a2fbdd9100249c2d9ca59bf491b10afef75f61c53ae92455e8cb016e230408c869ea1c5f5d62e853ae84727e3d1f1bb0a0faa9ff575eede461f502b90ca38e8effae09478efedd16090202bf03530d03d0a2aa70825fb28c606b7545bdde26d606c059215a9f947e60c4b5de9b35a3704f73a5c8bc8811387431b7e90f1ddc71cf0696497fd640cb9b1b8866bff5d85e879e0a7848722d34cc62844afcc6318fe73ea80e484c3e62feb0cde9269c07edc0679683bc5427a163a4b4ac463802293f7c968e4188e7966b559c2581582c67ecda0c9b3b8eac94 ++Ctrl.hexxcghash = hexxcghash:8886115c2324dede13be6895605a439c6ec48ca46f3d82170b863dcf1acc26176769626df893ebb7ce8c9432058633d8 ++Ctrl.hexsession_id = hexsession_id:331f7e0103de46d90dbd885dadaf67c589bc6b3caf25e45e329d864c85b7c9ae17b27cb92a81c9b4421f431014cb0e03 ++Ctrl.type = type:A ++Output = 6e9bb7681d56457fd93aea6d40860dd9 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001001b9f110b05461796db3a0b751638b552e62a062d7b891591ac75e237d47f5f12d97a5d19be0718c8a2fbdd9100249c2d9ca59bf491b10afef75f61c53ae92455e8cb016e230408c869ea1c5f5d62e853ae84727e3d1f1bb0a0faa9ff575eede461f502b90ca38e8effae09478efedd16090202bf03530d03d0a2aa70825fb28c606b7545bdde26d606c059215a9f947e60c4b5de9b35a3704f73a5c8bc8811387431b7e90f1ddc71cf0696497fd640cb9b1b8866bff5d85e879e0a7848722d34cc62844afcc6318fe73ea80e484c3e62feb0cde9269c07edc0679683bc5427a163a4b4ac463802293f7c968e4188e7966b559c2581582c67ecda0c9b3b8eac94 ++Ctrl.hexxcghash = hexxcghash:8886115c2324dede13be6895605a439c6ec48ca46f3d82170b863dcf1acc26176769626df893ebb7ce8c9432058633d8 ++Ctrl.hexsession_id = hexsession_id:331f7e0103de46d90dbd885dadaf67c589bc6b3caf25e45e329d864c85b7c9ae17b27cb92a81c9b4421f431014cb0e03 ++Ctrl.type = type:B ++Output = 5d19ce6c6b16c5f2179753a7abdff3e4 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001001b9f110b05461796db3a0b751638b552e62a062d7b891591ac75e237d47f5f12d97a5d19be0718c8a2fbdd9100249c2d9ca59bf491b10afef75f61c53ae92455e8cb016e230408c869ea1c5f5d62e853ae84727e3d1f1bb0a0faa9ff575eede461f502b90ca38e8effae09478efedd16090202bf03530d03d0a2aa70825fb28c606b7545bdde26d606c059215a9f947e60c4b5de9b35a3704f73a5c8bc8811387431b7e90f1ddc71cf0696497fd640cb9b1b8866bff5d85e879e0a7848722d34cc62844afcc6318fe73ea80e484c3e62feb0cde9269c07edc0679683bc5427a163a4b4ac463802293f7c968e4188e7966b559c2581582c67ecda0c9b3b8eac94 ++Ctrl.hexxcghash = hexxcghash:8886115c2324dede13be6895605a439c6ec48ca46f3d82170b863dcf1acc26176769626df893ebb7ce8c9432058633d8 ++Ctrl.hexsession_id = hexsession_id:331f7e0103de46d90dbd885dadaf67c589bc6b3caf25e45e329d864c85b7c9ae17b27cb92a81c9b4421f431014cb0e03 ++Ctrl.type = type:C ++Output = c550416e8ea0608a09051cfffe0494e7 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001001b9f110b05461796db3a0b751638b552e62a062d7b891591ac75e237d47f5f12d97a5d19be0718c8a2fbdd9100249c2d9ca59bf491b10afef75f61c53ae92455e8cb016e230408c869ea1c5f5d62e853ae84727e3d1f1bb0a0faa9ff575eede461f502b90ca38e8effae09478efedd16090202bf03530d03d0a2aa70825fb28c606b7545bdde26d606c059215a9f947e60c4b5de9b35a3704f73a5c8bc8811387431b7e90f1ddc71cf0696497fd640cb9b1b8866bff5d85e879e0a7848722d34cc62844afcc6318fe73ea80e484c3e62feb0cde9269c07edc0679683bc5427a163a4b4ac463802293f7c968e4188e7966b559c2581582c67ecda0c9b3b8eac94 ++Ctrl.hexxcghash = hexxcghash:8886115c2324dede13be6895605a439c6ec48ca46f3d82170b863dcf1acc26176769626df893ebb7ce8c9432058633d8 ++Ctrl.hexsession_id = hexsession_id:331f7e0103de46d90dbd885dadaf67c589bc6b3caf25e45e329d864c85b7c9ae17b27cb92a81c9b4421f431014cb0e03 ++Ctrl.type = type:D ++Output = 33c9f3f03de395cef067684cb5b95200 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001001b9f110b05461796db3a0b751638b552e62a062d7b891591ac75e237d47f5f12d97a5d19be0718c8a2fbdd9100249c2d9ca59bf491b10afef75f61c53ae92455e8cb016e230408c869ea1c5f5d62e853ae84727e3d1f1bb0a0faa9ff575eede461f502b90ca38e8effae09478efedd16090202bf03530d03d0a2aa70825fb28c606b7545bdde26d606c059215a9f947e60c4b5de9b35a3704f73a5c8bc8811387431b7e90f1ddc71cf0696497fd640cb9b1b8866bff5d85e879e0a7848722d34cc62844afcc6318fe73ea80e484c3e62feb0cde9269c07edc0679683bc5427a163a4b4ac463802293f7c968e4188e7966b559c2581582c67ecda0c9b3b8eac94 ++Ctrl.hexxcghash = hexxcghash:8886115c2324dede13be6895605a439c6ec48ca46f3d82170b863dcf1acc26176769626df893ebb7ce8c9432058633d8 ++Ctrl.hexsession_id = hexsession_id:331f7e0103de46d90dbd885dadaf67c589bc6b3caf25e45e329d864c85b7c9ae17b27cb92a81c9b4421f431014cb0e03 ++Ctrl.type = type:E ++Output = 99071b0615bdec08d040e731828028fac9a16d367b86d2d1302b607cd39ac9678ae7f9f87eb619fe2ba75d54da3b07d1 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001001b9f110b05461796db3a0b751638b552e62a062d7b891591ac75e237d47f5f12d97a5d19be0718c8a2fbdd9100249c2d9ca59bf491b10afef75f61c53ae92455e8cb016e230408c869ea1c5f5d62e853ae84727e3d1f1bb0a0faa9ff575eede461f502b90ca38e8effae09478efedd16090202bf03530d03d0a2aa70825fb28c606b7545bdde26d606c059215a9f947e60c4b5de9b35a3704f73a5c8bc8811387431b7e90f1ddc71cf0696497fd640cb9b1b8866bff5d85e879e0a7848722d34cc62844afcc6318fe73ea80e484c3e62feb0cde9269c07edc0679683bc5427a163a4b4ac463802293f7c968e4188e7966b559c2581582c67ecda0c9b3b8eac94 ++Ctrl.hexxcghash = hexxcghash:8886115c2324dede13be6895605a439c6ec48ca46f3d82170b863dcf1acc26176769626df893ebb7ce8c9432058633d8 ++Ctrl.hexsession_id = hexsession_id:331f7e0103de46d90dbd885dadaf67c589bc6b3caf25e45e329d864c85b7c9ae17b27cb92a81c9b4421f431014cb0e03 ++Ctrl.type = type:F ++Output = a11fc539c46d9314645e1f7517e19794a6ba4bf7d7d5a6f71bcb4621bfdedeae3bbcaa62fb638d994d1f21d14f5777d7 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001004db530516876fb9937bc2da16117f9675c721da6b80cd49e6b6eb0df6fe4af90ae755378e77e28dbc376e000903b1365a7b3cddfaf19410b31ae44e3e6641c5d47002ac5b261b1c4f7f301c8d16a917135c23bf7f84f15a6143e7e3466c52e1e3c30026f15d5254da11ced1b817739768de9913aca2d808acaa31e933763eb438238b347a6bd07834d4f661690cdb2372b4205aa9ad80df40340c1d0b1db320df1d1b13fa2ff4b9ee4500c9d03f45e75fb15a97b833ab9827708e4bca8fea562d69fea573ca7b5905c71e51dc9f24a74bd0c596051066acdeb66eb39c76fab66b10bdc88e1b72bba8aafa342088cd4a739a18e61c75be6b5df0904dc5094f0df ++Ctrl.hexxcghash = hexxcghash:12ce3e6a5407943831d65608c9fd59c972689136289af06071c015f8a41c9d1536d0afdad084322f832415fbf199d044 ++Ctrl.hexsession_id = hexsession_id:939c41734aa3db9d9dfac7a7db54c889da38d8bbe00326f559a3b0f92a96b5ac3a454d8355ccd0f31099021d0ee43063 ++Ctrl.type = type:A ++Output = 876692595fbf1239e03b1eb28890cedf ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001004db530516876fb9937bc2da16117f9675c721da6b80cd49e6b6eb0df6fe4af90ae755378e77e28dbc376e000903b1365a7b3cddfaf19410b31ae44e3e6641c5d47002ac5b261b1c4f7f301c8d16a917135c23bf7f84f15a6143e7e3466c52e1e3c30026f15d5254da11ced1b817739768de9913aca2d808acaa31e933763eb438238b347a6bd07834d4f661690cdb2372b4205aa9ad80df40340c1d0b1db320df1d1b13fa2ff4b9ee4500c9d03f45e75fb15a97b833ab9827708e4bca8fea562d69fea573ca7b5905c71e51dc9f24a74bd0c596051066acdeb66eb39c76fab66b10bdc88e1b72bba8aafa342088cd4a739a18e61c75be6b5df0904dc5094f0df ++Ctrl.hexxcghash = hexxcghash:12ce3e6a5407943831d65608c9fd59c972689136289af06071c015f8a41c9d1536d0afdad084322f832415fbf199d044 ++Ctrl.hexsession_id = hexsession_id:939c41734aa3db9d9dfac7a7db54c889da38d8bbe00326f559a3b0f92a96b5ac3a454d8355ccd0f31099021d0ee43063 ++Ctrl.type = type:B ++Output = 438afd7eae8454675ed5964122fcbb9e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001004db530516876fb9937bc2da16117f9675c721da6b80cd49e6b6eb0df6fe4af90ae755378e77e28dbc376e000903b1365a7b3cddfaf19410b31ae44e3e6641c5d47002ac5b261b1c4f7f301c8d16a917135c23bf7f84f15a6143e7e3466c52e1e3c30026f15d5254da11ced1b817739768de9913aca2d808acaa31e933763eb438238b347a6bd07834d4f661690cdb2372b4205aa9ad80df40340c1d0b1db320df1d1b13fa2ff4b9ee4500c9d03f45e75fb15a97b833ab9827708e4bca8fea562d69fea573ca7b5905c71e51dc9f24a74bd0c596051066acdeb66eb39c76fab66b10bdc88e1b72bba8aafa342088cd4a739a18e61c75be6b5df0904dc5094f0df ++Ctrl.hexxcghash = hexxcghash:12ce3e6a5407943831d65608c9fd59c972689136289af06071c015f8a41c9d1536d0afdad084322f832415fbf199d044 ++Ctrl.hexsession_id = hexsession_id:939c41734aa3db9d9dfac7a7db54c889da38d8bbe00326f559a3b0f92a96b5ac3a454d8355ccd0f31099021d0ee43063 ++Ctrl.type = type:C ++Output = b9cc0e2718c5853e0aebb43409fcaaef ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001004db530516876fb9937bc2da16117f9675c721da6b80cd49e6b6eb0df6fe4af90ae755378e77e28dbc376e000903b1365a7b3cddfaf19410b31ae44e3e6641c5d47002ac5b261b1c4f7f301c8d16a917135c23bf7f84f15a6143e7e3466c52e1e3c30026f15d5254da11ced1b817739768de9913aca2d808acaa31e933763eb438238b347a6bd07834d4f661690cdb2372b4205aa9ad80df40340c1d0b1db320df1d1b13fa2ff4b9ee4500c9d03f45e75fb15a97b833ab9827708e4bca8fea562d69fea573ca7b5905c71e51dc9f24a74bd0c596051066acdeb66eb39c76fab66b10bdc88e1b72bba8aafa342088cd4a739a18e61c75be6b5df0904dc5094f0df ++Ctrl.hexxcghash = hexxcghash:12ce3e6a5407943831d65608c9fd59c972689136289af06071c015f8a41c9d1536d0afdad084322f832415fbf199d044 ++Ctrl.hexsession_id = hexsession_id:939c41734aa3db9d9dfac7a7db54c889da38d8bbe00326f559a3b0f92a96b5ac3a454d8355ccd0f31099021d0ee43063 ++Ctrl.type = type:D ++Output = 8def9f93e633ac2d28a7c5b76567a4cb ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001004db530516876fb9937bc2da16117f9675c721da6b80cd49e6b6eb0df6fe4af90ae755378e77e28dbc376e000903b1365a7b3cddfaf19410b31ae44e3e6641c5d47002ac5b261b1c4f7f301c8d16a917135c23bf7f84f15a6143e7e3466c52e1e3c30026f15d5254da11ced1b817739768de9913aca2d808acaa31e933763eb438238b347a6bd07834d4f661690cdb2372b4205aa9ad80df40340c1d0b1db320df1d1b13fa2ff4b9ee4500c9d03f45e75fb15a97b833ab9827708e4bca8fea562d69fea573ca7b5905c71e51dc9f24a74bd0c596051066acdeb66eb39c76fab66b10bdc88e1b72bba8aafa342088cd4a739a18e61c75be6b5df0904dc5094f0df ++Ctrl.hexxcghash = hexxcghash:12ce3e6a5407943831d65608c9fd59c972689136289af06071c015f8a41c9d1536d0afdad084322f832415fbf199d044 ++Ctrl.hexsession_id = hexsession_id:939c41734aa3db9d9dfac7a7db54c889da38d8bbe00326f559a3b0f92a96b5ac3a454d8355ccd0f31099021d0ee43063 ++Ctrl.type = type:E ++Output = 3d80ed20f0703857154bda8531b12b96cf73aedfc662df6faf277321be6e38c904bfbd5f9206607684ac331dfc92bbbb ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001004db530516876fb9937bc2da16117f9675c721da6b80cd49e6b6eb0df6fe4af90ae755378e77e28dbc376e000903b1365a7b3cddfaf19410b31ae44e3e6641c5d47002ac5b261b1c4f7f301c8d16a917135c23bf7f84f15a6143e7e3466c52e1e3c30026f15d5254da11ced1b817739768de9913aca2d808acaa31e933763eb438238b347a6bd07834d4f661690cdb2372b4205aa9ad80df40340c1d0b1db320df1d1b13fa2ff4b9ee4500c9d03f45e75fb15a97b833ab9827708e4bca8fea562d69fea573ca7b5905c71e51dc9f24a74bd0c596051066acdeb66eb39c76fab66b10bdc88e1b72bba8aafa342088cd4a739a18e61c75be6b5df0904dc5094f0df ++Ctrl.hexxcghash = hexxcghash:12ce3e6a5407943831d65608c9fd59c972689136289af06071c015f8a41c9d1536d0afdad084322f832415fbf199d044 ++Ctrl.hexsession_id = hexsession_id:939c41734aa3db9d9dfac7a7db54c889da38d8bbe00326f559a3b0f92a96b5ac3a454d8355ccd0f31099021d0ee43063 ++Ctrl.type = type:F ++Output = 736e77ad5a8fac835795ab08522d834e34a4cbc48439db2845cb1d8636a4dcfd49a7ac5413713a8177c277eead96a0ff ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001004d7ba3e909e1e2886e00db333430d7cebe5107e9701672a2a1bc0bb5461c620c56fc8a8aa95a577cf48ac2e5b35d948e468bbc6232527f6a4e3bf5ea0b2f68b161ee3aadeef596c683e511bec1ff70df312d988eddd557952720f82f69882107f67880e38efcca68429374d85831eea3ac133a6a89b68a9ec27c71a67c87addfddb7040a7416ead43e29612dcdc5b7e6a82ad5cd243e8a6dd2997c44ad76a2a20145f89d7e6b2a26c2c0f2ce7d60b1f45410f9ebb79b52dde560f8c7c99b7a11d645f6ad6f94727cd2ea9d48ceb27467ee60371e6919a3ae044c8941a65182c94e8efd7b5c7eb45935baea722628d89d89de995d82b620059fe1054927864a91 ++Ctrl.hexxcghash = hexxcghash:f3cc38427adf01b9483d1f9e4e9acef554a8c7d0d8dc088d3865f05bc06a4ff11efbbdbca7ab0e0c0e2df55a93f0b4b9 ++Ctrl.hexsession_id = hexsession_id:aae879d8c0c6762d28c30fdc707b169a2155f8b8a943ced399a56419be89cc9f66ba9282d85ac4e53e0d5ae27adcf393 ++Ctrl.type = type:A ++Output = c84a4fcd4ade28805b032174428a6f27 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001004d7ba3e909e1e2886e00db333430d7cebe5107e9701672a2a1bc0bb5461c620c56fc8a8aa95a577cf48ac2e5b35d948e468bbc6232527f6a4e3bf5ea0b2f68b161ee3aadeef596c683e511bec1ff70df312d988eddd557952720f82f69882107f67880e38efcca68429374d85831eea3ac133a6a89b68a9ec27c71a67c87addfddb7040a7416ead43e29612dcdc5b7e6a82ad5cd243e8a6dd2997c44ad76a2a20145f89d7e6b2a26c2c0f2ce7d60b1f45410f9ebb79b52dde560f8c7c99b7a11d645f6ad6f94727cd2ea9d48ceb27467ee60371e6919a3ae044c8941a65182c94e8efd7b5c7eb45935baea722628d89d89de995d82b620059fe1054927864a91 ++Ctrl.hexxcghash = hexxcghash:f3cc38427adf01b9483d1f9e4e9acef554a8c7d0d8dc088d3865f05bc06a4ff11efbbdbca7ab0e0c0e2df55a93f0b4b9 ++Ctrl.hexsession_id = hexsession_id:aae879d8c0c6762d28c30fdc707b169a2155f8b8a943ced399a56419be89cc9f66ba9282d85ac4e53e0d5ae27adcf393 ++Ctrl.type = type:B ++Output = 27b0de69f3bc7d79d2f6b54101f3e10f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001004d7ba3e909e1e2886e00db333430d7cebe5107e9701672a2a1bc0bb5461c620c56fc8a8aa95a577cf48ac2e5b35d948e468bbc6232527f6a4e3bf5ea0b2f68b161ee3aadeef596c683e511bec1ff70df312d988eddd557952720f82f69882107f67880e38efcca68429374d85831eea3ac133a6a89b68a9ec27c71a67c87addfddb7040a7416ead43e29612dcdc5b7e6a82ad5cd243e8a6dd2997c44ad76a2a20145f89d7e6b2a26c2c0f2ce7d60b1f45410f9ebb79b52dde560f8c7c99b7a11d645f6ad6f94727cd2ea9d48ceb27467ee60371e6919a3ae044c8941a65182c94e8efd7b5c7eb45935baea722628d89d89de995d82b620059fe1054927864a91 ++Ctrl.hexxcghash = hexxcghash:f3cc38427adf01b9483d1f9e4e9acef554a8c7d0d8dc088d3865f05bc06a4ff11efbbdbca7ab0e0c0e2df55a93f0b4b9 ++Ctrl.hexsession_id = hexsession_id:aae879d8c0c6762d28c30fdc707b169a2155f8b8a943ced399a56419be89cc9f66ba9282d85ac4e53e0d5ae27adcf393 ++Ctrl.type = type:C ++Output = 3200c39e6ed260f4f345cbd0c88cac1a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001004d7ba3e909e1e2886e00db333430d7cebe5107e9701672a2a1bc0bb5461c620c56fc8a8aa95a577cf48ac2e5b35d948e468bbc6232527f6a4e3bf5ea0b2f68b161ee3aadeef596c683e511bec1ff70df312d988eddd557952720f82f69882107f67880e38efcca68429374d85831eea3ac133a6a89b68a9ec27c71a67c87addfddb7040a7416ead43e29612dcdc5b7e6a82ad5cd243e8a6dd2997c44ad76a2a20145f89d7e6b2a26c2c0f2ce7d60b1f45410f9ebb79b52dde560f8c7c99b7a11d645f6ad6f94727cd2ea9d48ceb27467ee60371e6919a3ae044c8941a65182c94e8efd7b5c7eb45935baea722628d89d89de995d82b620059fe1054927864a91 ++Ctrl.hexxcghash = hexxcghash:f3cc38427adf01b9483d1f9e4e9acef554a8c7d0d8dc088d3865f05bc06a4ff11efbbdbca7ab0e0c0e2df55a93f0b4b9 ++Ctrl.hexsession_id = hexsession_id:aae879d8c0c6762d28c30fdc707b169a2155f8b8a943ced399a56419be89cc9f66ba9282d85ac4e53e0d5ae27adcf393 ++Ctrl.type = type:D ++Output = 7b9e506a1baede9b80dff09253a9ab88 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001004d7ba3e909e1e2886e00db333430d7cebe5107e9701672a2a1bc0bb5461c620c56fc8a8aa95a577cf48ac2e5b35d948e468bbc6232527f6a4e3bf5ea0b2f68b161ee3aadeef596c683e511bec1ff70df312d988eddd557952720f82f69882107f67880e38efcca68429374d85831eea3ac133a6a89b68a9ec27c71a67c87addfddb7040a7416ead43e29612dcdc5b7e6a82ad5cd243e8a6dd2997c44ad76a2a20145f89d7e6b2a26c2c0f2ce7d60b1f45410f9ebb79b52dde560f8c7c99b7a11d645f6ad6f94727cd2ea9d48ceb27467ee60371e6919a3ae044c8941a65182c94e8efd7b5c7eb45935baea722628d89d89de995d82b620059fe1054927864a91 ++Ctrl.hexxcghash = hexxcghash:f3cc38427adf01b9483d1f9e4e9acef554a8c7d0d8dc088d3865f05bc06a4ff11efbbdbca7ab0e0c0e2df55a93f0b4b9 ++Ctrl.hexsession_id = hexsession_id:aae879d8c0c6762d28c30fdc707b169a2155f8b8a943ced399a56419be89cc9f66ba9282d85ac4e53e0d5ae27adcf393 ++Ctrl.type = type:E ++Output = 3c860ae21a5dab865eb560ed9ddf51775d3b6603e4e06285cf5e9273115a77d8d5ddfb977fd21c0a70c35798a5ef596e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001004d7ba3e909e1e2886e00db333430d7cebe5107e9701672a2a1bc0bb5461c620c56fc8a8aa95a577cf48ac2e5b35d948e468bbc6232527f6a4e3bf5ea0b2f68b161ee3aadeef596c683e511bec1ff70df312d988eddd557952720f82f69882107f67880e38efcca68429374d85831eea3ac133a6a89b68a9ec27c71a67c87addfddb7040a7416ead43e29612dcdc5b7e6a82ad5cd243e8a6dd2997c44ad76a2a20145f89d7e6b2a26c2c0f2ce7d60b1f45410f9ebb79b52dde560f8c7c99b7a11d645f6ad6f94727cd2ea9d48ceb27467ee60371e6919a3ae044c8941a65182c94e8efd7b5c7eb45935baea722628d89d89de995d82b620059fe1054927864a91 ++Ctrl.hexxcghash = hexxcghash:f3cc38427adf01b9483d1f9e4e9acef554a8c7d0d8dc088d3865f05bc06a4ff11efbbdbca7ab0e0c0e2df55a93f0b4b9 ++Ctrl.hexsession_id = hexsession_id:aae879d8c0c6762d28c30fdc707b169a2155f8b8a943ced399a56419be89cc9f66ba9282d85ac4e53e0d5ae27adcf393 ++Ctrl.type = type:F ++Output = c53cfa0836ac21bb13c58ed15ddf593e8e01c7437587112ba013058d411d262d87a5e56c098b69146d9019803206ef91 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001001cbe25a738580c94ae733a5d4e9e61860bf1a68dfac365edc5818814166cfaecf269d07293d656c8e99973934b5f14eb4bcd1ac3c388596221f65f66e1193463bd41fcff389e458ef7f1ef858439b600bca422cd29c84d2cbc684c7a85d8b44f6a43a5fc53bbaa4ad1a6b0f2b841278efb1fbdd2513e6603984027efb81c72d8c4cbadc8dec51089dcd43ed3109ddbc6db29534186a237c5d8c3a66dedbb51b09937b1c7d4cf6cac682ba2dd1c9cf901d66f1a995f945d5ad12bd7bfdd3fcc5b0852376b9834f0bee3f7a666f587bd2a3b562ccf129b6132c902738fd0dfea3ff9538961bf5f59ac1779dd4ed68986059881f5e08be5ecd1a59380392e81f0a6 ++Ctrl.hexxcghash = hexxcghash:b32d4e6b47772e651b867558a03f488fc00c715c196c7abb1abf3ebc24a638edd058e77aeadd9aade5ce34f43e19f1fc ++Ctrl.hexsession_id = hexsession_id:5d2a819b135d8d985643ceab3461ede24ed192c60471676031b4b1f8ae71dec657547fdb3a43f75112855ffce72b60f4 ++Ctrl.type = type:A ++Output = e34b595f755ff42a33126d8efabe1ec0 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001001cbe25a738580c94ae733a5d4e9e61860bf1a68dfac365edc5818814166cfaecf269d07293d656c8e99973934b5f14eb4bcd1ac3c388596221f65f66e1193463bd41fcff389e458ef7f1ef858439b600bca422cd29c84d2cbc684c7a85d8b44f6a43a5fc53bbaa4ad1a6b0f2b841278efb1fbdd2513e6603984027efb81c72d8c4cbadc8dec51089dcd43ed3109ddbc6db29534186a237c5d8c3a66dedbb51b09937b1c7d4cf6cac682ba2dd1c9cf901d66f1a995f945d5ad12bd7bfdd3fcc5b0852376b9834f0bee3f7a666f587bd2a3b562ccf129b6132c902738fd0dfea3ff9538961bf5f59ac1779dd4ed68986059881f5e08be5ecd1a59380392e81f0a6 ++Ctrl.hexxcghash = hexxcghash:b32d4e6b47772e651b867558a03f488fc00c715c196c7abb1abf3ebc24a638edd058e77aeadd9aade5ce34f43e19f1fc ++Ctrl.hexsession_id = hexsession_id:5d2a819b135d8d985643ceab3461ede24ed192c60471676031b4b1f8ae71dec657547fdb3a43f75112855ffce72b60f4 ++Ctrl.type = type:B ++Output = a873f52aa3b91a8dd019be8358c04de6 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001001cbe25a738580c94ae733a5d4e9e61860bf1a68dfac365edc5818814166cfaecf269d07293d656c8e99973934b5f14eb4bcd1ac3c388596221f65f66e1193463bd41fcff389e458ef7f1ef858439b600bca422cd29c84d2cbc684c7a85d8b44f6a43a5fc53bbaa4ad1a6b0f2b841278efb1fbdd2513e6603984027efb81c72d8c4cbadc8dec51089dcd43ed3109ddbc6db29534186a237c5d8c3a66dedbb51b09937b1c7d4cf6cac682ba2dd1c9cf901d66f1a995f945d5ad12bd7bfdd3fcc5b0852376b9834f0bee3f7a666f587bd2a3b562ccf129b6132c902738fd0dfea3ff9538961bf5f59ac1779dd4ed68986059881f5e08be5ecd1a59380392e81f0a6 ++Ctrl.hexxcghash = hexxcghash:b32d4e6b47772e651b867558a03f488fc00c715c196c7abb1abf3ebc24a638edd058e77aeadd9aade5ce34f43e19f1fc ++Ctrl.hexsession_id = hexsession_id:5d2a819b135d8d985643ceab3461ede24ed192c60471676031b4b1f8ae71dec657547fdb3a43f75112855ffce72b60f4 ++Ctrl.type = type:C ++Output = fce5c490a769fbd4aa31b0f5c7aad86b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001001cbe25a738580c94ae733a5d4e9e61860bf1a68dfac365edc5818814166cfaecf269d07293d656c8e99973934b5f14eb4bcd1ac3c388596221f65f66e1193463bd41fcff389e458ef7f1ef858439b600bca422cd29c84d2cbc684c7a85d8b44f6a43a5fc53bbaa4ad1a6b0f2b841278efb1fbdd2513e6603984027efb81c72d8c4cbadc8dec51089dcd43ed3109ddbc6db29534186a237c5d8c3a66dedbb51b09937b1c7d4cf6cac682ba2dd1c9cf901d66f1a995f945d5ad12bd7bfdd3fcc5b0852376b9834f0bee3f7a666f587bd2a3b562ccf129b6132c902738fd0dfea3ff9538961bf5f59ac1779dd4ed68986059881f5e08be5ecd1a59380392e81f0a6 ++Ctrl.hexxcghash = hexxcghash:b32d4e6b47772e651b867558a03f488fc00c715c196c7abb1abf3ebc24a638edd058e77aeadd9aade5ce34f43e19f1fc ++Ctrl.hexsession_id = hexsession_id:5d2a819b135d8d985643ceab3461ede24ed192c60471676031b4b1f8ae71dec657547fdb3a43f75112855ffce72b60f4 ++Ctrl.type = type:D ++Output = d36a9b7d2c63675d2b250d5a97b0e628 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001001cbe25a738580c94ae733a5d4e9e61860bf1a68dfac365edc5818814166cfaecf269d07293d656c8e99973934b5f14eb4bcd1ac3c388596221f65f66e1193463bd41fcff389e458ef7f1ef858439b600bca422cd29c84d2cbc684c7a85d8b44f6a43a5fc53bbaa4ad1a6b0f2b841278efb1fbdd2513e6603984027efb81c72d8c4cbadc8dec51089dcd43ed3109ddbc6db29534186a237c5d8c3a66dedbb51b09937b1c7d4cf6cac682ba2dd1c9cf901d66f1a995f945d5ad12bd7bfdd3fcc5b0852376b9834f0bee3f7a666f587bd2a3b562ccf129b6132c902738fd0dfea3ff9538961bf5f59ac1779dd4ed68986059881f5e08be5ecd1a59380392e81f0a6 ++Ctrl.hexxcghash = hexxcghash:b32d4e6b47772e651b867558a03f488fc00c715c196c7abb1abf3ebc24a638edd058e77aeadd9aade5ce34f43e19f1fc ++Ctrl.hexsession_id = hexsession_id:5d2a819b135d8d985643ceab3461ede24ed192c60471676031b4b1f8ae71dec657547fdb3a43f75112855ffce72b60f4 ++Ctrl.type = type:E ++Output = 92c8f89f84575cebb9c37be3a488d0b0312a12d9253dbada7db1318f5a193d4f8f75a212a75c1123bca89d5de43cbf08 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:000001001cbe25a738580c94ae733a5d4e9e61860bf1a68dfac365edc5818814166cfaecf269d07293d656c8e99973934b5f14eb4bcd1ac3c388596221f65f66e1193463bd41fcff389e458ef7f1ef858439b600bca422cd29c84d2cbc684c7a85d8b44f6a43a5fc53bbaa4ad1a6b0f2b841278efb1fbdd2513e6603984027efb81c72d8c4cbadc8dec51089dcd43ed3109ddbc6db29534186a237c5d8c3a66dedbb51b09937b1c7d4cf6cac682ba2dd1c9cf901d66f1a995f945d5ad12bd7bfdd3fcc5b0852376b9834f0bee3f7a666f587bd2a3b562ccf129b6132c902738fd0dfea3ff9538961bf5f59ac1779dd4ed68986059881f5e08be5ecd1a59380392e81f0a6 ++Ctrl.hexxcghash = hexxcghash:b32d4e6b47772e651b867558a03f488fc00c715c196c7abb1abf3ebc24a638edd058e77aeadd9aade5ce34f43e19f1fc ++Ctrl.hexsession_id = hexsession_id:5d2a819b135d8d985643ceab3461ede24ed192c60471676031b4b1f8ae71dec657547fdb3a43f75112855ffce72b60f4 ++Ctrl.type = type:F ++Output = 16dcf1bd1aa4d5d6edc2d2b23792872f53767d6b2589e4700469a9bbbbb659c1c8716393fe1ed717833f491cd32d874b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100c7f8bcaf17cb17db3d5c2c9e8db37fa77685463d604e6b577ace9ada1b5a7fb54a299684a5405973352262ed66a7e47e4cf9ba7981f76a0aa6bf407be5fc48f70869b6913f7d9b2395f73eda2f08ad5469df982bd82242c19bba0dbcc28fa5869bab99b84015a313cebcc3e86ec3fd15513e329a236487e909a6b37134bc75b03dbda7f9196738ae5f04ac3cae6a3c93150271eeed62f8c019f433df888acec09e947dee6537c4fee5e0dc37d3b4ae4ff77309382148f0127cd01b882f128ee844046c9f3052ff7fff81876c261ad6cdad0a9ebfc769a4308f124d2422f03c1b171ac3404d4d690e9c1d94fc3de479bda663c207120a18f1947a68179d19ecaa ++Ctrl.hexxcghash = hexxcghash:ce996d2b1198f069c24193526be1dd0d08a95d0b0a144da5a1303e84de4eb864d49ca71fa5a59f51c10b9d4257787626 ++Ctrl.hexsession_id = hexsession_id:ed906230bdcff56bd239a8c52f3cb1e4e16d1249284162ca85b320e543f62a82d7270131231cf49e1b0c0b1e87643719 ++Ctrl.type = type:A ++Output = bbdc47242c877cc70585a5d9f0b8067d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100c7f8bcaf17cb17db3d5c2c9e8db37fa77685463d604e6b577ace9ada1b5a7fb54a299684a5405973352262ed66a7e47e4cf9ba7981f76a0aa6bf407be5fc48f70869b6913f7d9b2395f73eda2f08ad5469df982bd82242c19bba0dbcc28fa5869bab99b84015a313cebcc3e86ec3fd15513e329a236487e909a6b37134bc75b03dbda7f9196738ae5f04ac3cae6a3c93150271eeed62f8c019f433df888acec09e947dee6537c4fee5e0dc37d3b4ae4ff77309382148f0127cd01b882f128ee844046c9f3052ff7fff81876c261ad6cdad0a9ebfc769a4308f124d2422f03c1b171ac3404d4d690e9c1d94fc3de479bda663c207120a18f1947a68179d19ecaa ++Ctrl.hexxcghash = hexxcghash:ce996d2b1198f069c24193526be1dd0d08a95d0b0a144da5a1303e84de4eb864d49ca71fa5a59f51c10b9d4257787626 ++Ctrl.hexsession_id = hexsession_id:ed906230bdcff56bd239a8c52f3cb1e4e16d1249284162ca85b320e543f62a82d7270131231cf49e1b0c0b1e87643719 ++Ctrl.type = type:B ++Output = 6dcc6458af049a81a6d3139c2725f67d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100c7f8bcaf17cb17db3d5c2c9e8db37fa77685463d604e6b577ace9ada1b5a7fb54a299684a5405973352262ed66a7e47e4cf9ba7981f76a0aa6bf407be5fc48f70869b6913f7d9b2395f73eda2f08ad5469df982bd82242c19bba0dbcc28fa5869bab99b84015a313cebcc3e86ec3fd15513e329a236487e909a6b37134bc75b03dbda7f9196738ae5f04ac3cae6a3c93150271eeed62f8c019f433df888acec09e947dee6537c4fee5e0dc37d3b4ae4ff77309382148f0127cd01b882f128ee844046c9f3052ff7fff81876c261ad6cdad0a9ebfc769a4308f124d2422f03c1b171ac3404d4d690e9c1d94fc3de479bda663c207120a18f1947a68179d19ecaa ++Ctrl.hexxcghash = hexxcghash:ce996d2b1198f069c24193526be1dd0d08a95d0b0a144da5a1303e84de4eb864d49ca71fa5a59f51c10b9d4257787626 ++Ctrl.hexsession_id = hexsession_id:ed906230bdcff56bd239a8c52f3cb1e4e16d1249284162ca85b320e543f62a82d7270131231cf49e1b0c0b1e87643719 ++Ctrl.type = type:C ++Output = f788d0b9ea5373031d44972fad39d8e6 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100c7f8bcaf17cb17db3d5c2c9e8db37fa77685463d604e6b577ace9ada1b5a7fb54a299684a5405973352262ed66a7e47e4cf9ba7981f76a0aa6bf407be5fc48f70869b6913f7d9b2395f73eda2f08ad5469df982bd82242c19bba0dbcc28fa5869bab99b84015a313cebcc3e86ec3fd15513e329a236487e909a6b37134bc75b03dbda7f9196738ae5f04ac3cae6a3c93150271eeed62f8c019f433df888acec09e947dee6537c4fee5e0dc37d3b4ae4ff77309382148f0127cd01b882f128ee844046c9f3052ff7fff81876c261ad6cdad0a9ebfc769a4308f124d2422f03c1b171ac3404d4d690e9c1d94fc3de479bda663c207120a18f1947a68179d19ecaa ++Ctrl.hexxcghash = hexxcghash:ce996d2b1198f069c24193526be1dd0d08a95d0b0a144da5a1303e84de4eb864d49ca71fa5a59f51c10b9d4257787626 ++Ctrl.hexsession_id = hexsession_id:ed906230bdcff56bd239a8c52f3cb1e4e16d1249284162ca85b320e543f62a82d7270131231cf49e1b0c0b1e87643719 ++Ctrl.type = type:D ++Output = e939b1367ea35c67ea990988c3c0c474 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100c7f8bcaf17cb17db3d5c2c9e8db37fa77685463d604e6b577ace9ada1b5a7fb54a299684a5405973352262ed66a7e47e4cf9ba7981f76a0aa6bf407be5fc48f70869b6913f7d9b2395f73eda2f08ad5469df982bd82242c19bba0dbcc28fa5869bab99b84015a313cebcc3e86ec3fd15513e329a236487e909a6b37134bc75b03dbda7f9196738ae5f04ac3cae6a3c93150271eeed62f8c019f433df888acec09e947dee6537c4fee5e0dc37d3b4ae4ff77309382148f0127cd01b882f128ee844046c9f3052ff7fff81876c261ad6cdad0a9ebfc769a4308f124d2422f03c1b171ac3404d4d690e9c1d94fc3de479bda663c207120a18f1947a68179d19ecaa ++Ctrl.hexxcghash = hexxcghash:ce996d2b1198f069c24193526be1dd0d08a95d0b0a144da5a1303e84de4eb864d49ca71fa5a59f51c10b9d4257787626 ++Ctrl.hexsession_id = hexsession_id:ed906230bdcff56bd239a8c52f3cb1e4e16d1249284162ca85b320e543f62a82d7270131231cf49e1b0c0b1e87643719 ++Ctrl.type = type:E ++Output = 069629f693b4d291ea6f16355eb4c57eef7824217d22651af095aadac27a789314fee4e86efa9bc63085a8ebfc606548 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100c7f8bcaf17cb17db3d5c2c9e8db37fa77685463d604e6b577ace9ada1b5a7fb54a299684a5405973352262ed66a7e47e4cf9ba7981f76a0aa6bf407be5fc48f70869b6913f7d9b2395f73eda2f08ad5469df982bd82242c19bba0dbcc28fa5869bab99b84015a313cebcc3e86ec3fd15513e329a236487e909a6b37134bc75b03dbda7f9196738ae5f04ac3cae6a3c93150271eeed62f8c019f433df888acec09e947dee6537c4fee5e0dc37d3b4ae4ff77309382148f0127cd01b882f128ee844046c9f3052ff7fff81876c261ad6cdad0a9ebfc769a4308f124d2422f03c1b171ac3404d4d690e9c1d94fc3de479bda663c207120a18f1947a68179d19ecaa ++Ctrl.hexxcghash = hexxcghash:ce996d2b1198f069c24193526be1dd0d08a95d0b0a144da5a1303e84de4eb864d49ca71fa5a59f51c10b9d4257787626 ++Ctrl.hexsession_id = hexsession_id:ed906230bdcff56bd239a8c52f3cb1e4e16d1249284162ca85b320e543f62a82d7270131231cf49e1b0c0b1e87643719 ++Ctrl.type = type:F ++Output = 731107905e3b9b36ba3dca504b35f1a51e75e2a3ee2595ade882c21410d439ec1ec31fbc62e64362a5fddc0f39e76da0 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100b41b41585296e85cce723619b40609b21799fb244d72fd87afa3088073819b232de7d9ab45ceaab3014099475e9314cff74149b5e4558962f31d3d2a84f24500558af928ff785dc32627f5062ea2d5bf6ff085edf6d200daca91037abda71b5c9c1660cbf60cfc3ec1fe590c3d6300aa279e42383f98f4000031bf57a2bb612c7a212bc0ec5057817b0843e01c14a9b353c26699670873db05de7049ac44951094c8b231713dab09ca641d3cea65c5e3b01d41d93351635b08a767afadfd7865388ebbe29e8f47033d1fe530d7d45fa1c266705b26d67282872da9551256d88708e1ec69ce9b94db6c7f3e6b7ae06418b36537b7839454c539b2bdd758af9c19 ++Ctrl.hexxcghash = hexxcghash:5b168cac1113de12bac95aac34501866abd610c6ce0d51520f83c865db8d0c688b27af11e08deb4a2673c160edd1da93 ++Ctrl.hexsession_id = hexsession_id:32dc32821483ed98f696813e712d229b6ff5a9e0f7f8e582a26f0a5204fa7655040ddbc791e00e7a979dded9354ea2dc ++Ctrl.type = type:A ++Output = 8e1af4ce3b9aa9f1e7493775f8846ac0 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100b41b41585296e85cce723619b40609b21799fb244d72fd87afa3088073819b232de7d9ab45ceaab3014099475e9314cff74149b5e4558962f31d3d2a84f24500558af928ff785dc32627f5062ea2d5bf6ff085edf6d200daca91037abda71b5c9c1660cbf60cfc3ec1fe590c3d6300aa279e42383f98f4000031bf57a2bb612c7a212bc0ec5057817b0843e01c14a9b353c26699670873db05de7049ac44951094c8b231713dab09ca641d3cea65c5e3b01d41d93351635b08a767afadfd7865388ebbe29e8f47033d1fe530d7d45fa1c266705b26d67282872da9551256d88708e1ec69ce9b94db6c7f3e6b7ae06418b36537b7839454c539b2bdd758af9c19 ++Ctrl.hexxcghash = hexxcghash:5b168cac1113de12bac95aac34501866abd610c6ce0d51520f83c865db8d0c688b27af11e08deb4a2673c160edd1da93 ++Ctrl.hexsession_id = hexsession_id:32dc32821483ed98f696813e712d229b6ff5a9e0f7f8e582a26f0a5204fa7655040ddbc791e00e7a979dded9354ea2dc ++Ctrl.type = type:B ++Output = 1796cee0aeb39eb1fbbaeaf15d600832 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100b41b41585296e85cce723619b40609b21799fb244d72fd87afa3088073819b232de7d9ab45ceaab3014099475e9314cff74149b5e4558962f31d3d2a84f24500558af928ff785dc32627f5062ea2d5bf6ff085edf6d200daca91037abda71b5c9c1660cbf60cfc3ec1fe590c3d6300aa279e42383f98f4000031bf57a2bb612c7a212bc0ec5057817b0843e01c14a9b353c26699670873db05de7049ac44951094c8b231713dab09ca641d3cea65c5e3b01d41d93351635b08a767afadfd7865388ebbe29e8f47033d1fe530d7d45fa1c266705b26d67282872da9551256d88708e1ec69ce9b94db6c7f3e6b7ae06418b36537b7839454c539b2bdd758af9c19 ++Ctrl.hexxcghash = hexxcghash:5b168cac1113de12bac95aac34501866abd610c6ce0d51520f83c865db8d0c688b27af11e08deb4a2673c160edd1da93 ++Ctrl.hexsession_id = hexsession_id:32dc32821483ed98f696813e712d229b6ff5a9e0f7f8e582a26f0a5204fa7655040ddbc791e00e7a979dded9354ea2dc ++Ctrl.type = type:C ++Output = 7a7485045a2f8cc86f82c8486f8e9f59 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100b41b41585296e85cce723619b40609b21799fb244d72fd87afa3088073819b232de7d9ab45ceaab3014099475e9314cff74149b5e4558962f31d3d2a84f24500558af928ff785dc32627f5062ea2d5bf6ff085edf6d200daca91037abda71b5c9c1660cbf60cfc3ec1fe590c3d6300aa279e42383f98f4000031bf57a2bb612c7a212bc0ec5057817b0843e01c14a9b353c26699670873db05de7049ac44951094c8b231713dab09ca641d3cea65c5e3b01d41d93351635b08a767afadfd7865388ebbe29e8f47033d1fe530d7d45fa1c266705b26d67282872da9551256d88708e1ec69ce9b94db6c7f3e6b7ae06418b36537b7839454c539b2bdd758af9c19 ++Ctrl.hexxcghash = hexxcghash:5b168cac1113de12bac95aac34501866abd610c6ce0d51520f83c865db8d0c688b27af11e08deb4a2673c160edd1da93 ++Ctrl.hexsession_id = hexsession_id:32dc32821483ed98f696813e712d229b6ff5a9e0f7f8e582a26f0a5204fa7655040ddbc791e00e7a979dded9354ea2dc ++Ctrl.type = type:D ++Output = 00a9d893e8c14aa3a316163d50d83378 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100b41b41585296e85cce723619b40609b21799fb244d72fd87afa3088073819b232de7d9ab45ceaab3014099475e9314cff74149b5e4558962f31d3d2a84f24500558af928ff785dc32627f5062ea2d5bf6ff085edf6d200daca91037abda71b5c9c1660cbf60cfc3ec1fe590c3d6300aa279e42383f98f4000031bf57a2bb612c7a212bc0ec5057817b0843e01c14a9b353c26699670873db05de7049ac44951094c8b231713dab09ca641d3cea65c5e3b01d41d93351635b08a767afadfd7865388ebbe29e8f47033d1fe530d7d45fa1c266705b26d67282872da9551256d88708e1ec69ce9b94db6c7f3e6b7ae06418b36537b7839454c539b2bdd758af9c19 ++Ctrl.hexxcghash = hexxcghash:5b168cac1113de12bac95aac34501866abd610c6ce0d51520f83c865db8d0c688b27af11e08deb4a2673c160edd1da93 ++Ctrl.hexsession_id = hexsession_id:32dc32821483ed98f696813e712d229b6ff5a9e0f7f8e582a26f0a5204fa7655040ddbc791e00e7a979dded9354ea2dc ++Ctrl.type = type:E ++Output = 46133b1cbab3e04043a1b336db99575183d5be76f9d56556493a8d4a8da37a020ae379ff2d470a99ca7e9d2b1cf85cb4 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA384 ++Ctrl.hexkey = hexkey:0000010100b41b41585296e85cce723619b40609b21799fb244d72fd87afa3088073819b232de7d9ab45ceaab3014099475e9314cff74149b5e4558962f31d3d2a84f24500558af928ff785dc32627f5062ea2d5bf6ff085edf6d200daca91037abda71b5c9c1660cbf60cfc3ec1fe590c3d6300aa279e42383f98f4000031bf57a2bb612c7a212bc0ec5057817b0843e01c14a9b353c26699670873db05de7049ac44951094c8b231713dab09ca641d3cea65c5e3b01d41d93351635b08a767afadfd7865388ebbe29e8f47033d1fe530d7d45fa1c266705b26d67282872da9551256d88708e1ec69ce9b94db6c7f3e6b7ae06418b36537b7839454c539b2bdd758af9c19 ++Ctrl.hexxcghash = hexxcghash:5b168cac1113de12bac95aac34501866abd610c6ce0d51520f83c865db8d0c688b27af11e08deb4a2673c160edd1da93 ++Ctrl.hexsession_id = hexsession_id:32dc32821483ed98f696813e712d229b6ff5a9e0f7f8e582a26f0a5204fa7655040ddbc791e00e7a979dded9354ea2dc ++Ctrl.type = type:F ++Output = 9221abcc3db5a557cca60408e65528e937cc3673b548c350924cd9e6387de526f5cb35a0bbe4020c47318b59d1a0527d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:00000080575308ca395798bb21ec5438c46a88ffa3f7f7671c06f924abf7c3cfb46c78c025596e4aba50c3271089184a447a571abb7f4a1b1c41f5d5ca8062940d4369778589fde81a71b2228f018c4c836cf389f854f86de71a68b1693fe8ffa1c59ce7e9f9223debada2566d2b0e5678a48bfb530e7bee42bd2ac7304a0a5ae339a2cd ++Ctrl.hexxcghash = hexxcghash:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf ++Ctrl.hexsession_id = hexsession_id:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf ++Ctrl.type = type:A ++Output = 0e2693ade0524af8 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:00000080575308ca395798bb21ec5438c46a88ffa3f7f7671c06f924abf7c3cfb46c78c025596e4aba50c3271089184a447a571abb7f4a1b1c41f5d5ca8062940d4369778589fde81a71b2228f018c4c836cf389f854f86de71a68b1693fe8ffa1c59ce7e9f9223debada2566d2b0e5678a48bfb530e7bee42bd2ac7304a0a5ae339a2cd ++Ctrl.hexxcghash = hexxcghash:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf ++Ctrl.hexsession_id = hexsession_id:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf ++Ctrl.type = type:B ++Output = b13144de02295bb8 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:00000080575308ca395798bb21ec5438c46a88ffa3f7f7671c06f924abf7c3cfb46c78c025596e4aba50c3271089184a447a571abb7f4a1b1c41f5d5ca8062940d4369778589fde81a71b2228f018c4c836cf389f854f86de71a68b1693fe8ffa1c59ce7e9f9223debada2566d2b0e5678a48bfb530e7bee42bd2ac7304a0a5ae339a2cd ++Ctrl.hexxcghash = hexxcghash:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf ++Ctrl.hexsession_id = hexsession_id:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf ++Ctrl.type = type:C ++Output = 7e4a721fb7379ebb423306464d57db46afa3cca10a1d7feb ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:00000080575308ca395798bb21ec5438c46a88ffa3f7f7671c06f924abf7c3cfb46c78c025596e4aba50c3271089184a447a571abb7f4a1b1c41f5d5ca8062940d4369778589fde81a71b2228f018c4c836cf389f854f86de71a68b1693fe8ffa1c59ce7e9f9223debada2566d2b0e5678a48bfb530e7bee42bd2ac7304a0a5ae339a2cd ++Ctrl.hexxcghash = hexxcghash:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf ++Ctrl.hexsession_id = hexsession_id:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf ++Ctrl.type = type:D ++Output = bb84123b1fac400e0df4767d78d011427e1edd4d4c934b95 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:00000080575308ca395798bb21ec5438c46a88ffa3f7f7671c06f924abf7c3cfb46c78c025596e4aba50c3271089184a447a571abb7f4a1b1c41f5d5ca8062940d4369778589fde81a71b2228f018c4c836cf389f854f86de71a68b1693fe8ffa1c59ce7e9f9223debada2566d2b0e5678a48bfb530e7bee42bd2ac7304a0a5ae339a2cd ++Ctrl.hexxcghash = hexxcghash:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf ++Ctrl.hexsession_id = hexsession_id:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf ++Ctrl.type = type:E ++Output = 00fb0a45c650dd9c95666b0c7fcea8c98f0562f61b862054ee400aec875dbbc2bdef4806c09217709a5050569312efe3af513e7aa733c72457abe1607ac01c13 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:00000080575308ca395798bb21ec5438c46a88ffa3f7f7671c06f924abf7c3cfb46c78c025596e4aba50c3271089184a447a571abb7f4a1b1c41f5d5ca8062940d4369778589fde81a71b2228f018c4c836cf389f854f86de71a68b1693fe8ffa1c59ce7e9f9223debada2566d2b0e5678a48bfb530e7bee42bd2ac7304a0a5ae339a2cd ++Ctrl.hexxcghash = hexxcghash:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf ++Ctrl.hexsession_id = hexsession_id:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf ++Ctrl.type = type:F ++Output = 70a8005e711fb96dea5991cb68831b9e86005821b45ceaf958c13d5c87cbd2953d0877c267796edf8c7fb3d768bb26b74e542f40bf9ac9f6a9d217077e85f511 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000802b2e6f7545fa66e1078c67c5457dbf5ee03801edef4421d4f0e797b947b79e293ef724253ec4adb53977f027a2d577d7779e96be4e093b0c36be62778c5bd48dbb0bff1335470e10cdec4df88e8feb00d322426baf3035e9fda1aaf819be48dacc640d52eb8750cc6fd8031d0cba0ef0a11973d43138dd2d11d2eef1fc926327 ++Ctrl.hexxcghash = hexxcghash:4dc005dc6ad5075cf6abbedb53a0407104659cd168b58d014fb2465d6f1d1140d5fef634f345c6c38ac2a8db3771e4b0c71c51faf85a297bbdf7ddf8228c3159 ++Ctrl.hexsession_id = hexsession_id:a674aaced8345324221bbd8356ab8355fd3d3e410ae974c0da196f4cd58cc0236a85900626da696dab8be23aaa529458ac6ccf64058fd2fd140ca1a1a0c57988 ++Ctrl.type = type:A ++Output = c75c77791f7b67c2 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000802b2e6f7545fa66e1078c67c5457dbf5ee03801edef4421d4f0e797b947b79e293ef724253ec4adb53977f027a2d577d7779e96be4e093b0c36be62778c5bd48dbb0bff1335470e10cdec4df88e8feb00d322426baf3035e9fda1aaf819be48dacc640d52eb8750cc6fd8031d0cba0ef0a11973d43138dd2d11d2eef1fc926327 ++Ctrl.hexxcghash = hexxcghash:4dc005dc6ad5075cf6abbedb53a0407104659cd168b58d014fb2465d6f1d1140d5fef634f345c6c38ac2a8db3771e4b0c71c51faf85a297bbdf7ddf8228c3159 ++Ctrl.hexsession_id = hexsession_id:a674aaced8345324221bbd8356ab8355fd3d3e410ae974c0da196f4cd58cc0236a85900626da696dab8be23aaa529458ac6ccf64058fd2fd140ca1a1a0c57988 ++Ctrl.type = type:B ++Output = dae1e8bfab1b4b7e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000802b2e6f7545fa66e1078c67c5457dbf5ee03801edef4421d4f0e797b947b79e293ef724253ec4adb53977f027a2d577d7779e96be4e093b0c36be62778c5bd48dbb0bff1335470e10cdec4df88e8feb00d322426baf3035e9fda1aaf819be48dacc640d52eb8750cc6fd8031d0cba0ef0a11973d43138dd2d11d2eef1fc926327 ++Ctrl.hexxcghash = hexxcghash:4dc005dc6ad5075cf6abbedb53a0407104659cd168b58d014fb2465d6f1d1140d5fef634f345c6c38ac2a8db3771e4b0c71c51faf85a297bbdf7ddf8228c3159 ++Ctrl.hexsession_id = hexsession_id:a674aaced8345324221bbd8356ab8355fd3d3e410ae974c0da196f4cd58cc0236a85900626da696dab8be23aaa529458ac6ccf64058fd2fd140ca1a1a0c57988 ++Ctrl.type = type:C ++Output = 0e79f5b685ebe77ae6d62c344a5dd0f53502523a28e2b408 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000802b2e6f7545fa66e1078c67c5457dbf5ee03801edef4421d4f0e797b947b79e293ef724253ec4adb53977f027a2d577d7779e96be4e093b0c36be62778c5bd48dbb0bff1335470e10cdec4df88e8feb00d322426baf3035e9fda1aaf819be48dacc640d52eb8750cc6fd8031d0cba0ef0a11973d43138dd2d11d2eef1fc926327 ++Ctrl.hexxcghash = hexxcghash:4dc005dc6ad5075cf6abbedb53a0407104659cd168b58d014fb2465d6f1d1140d5fef634f345c6c38ac2a8db3771e4b0c71c51faf85a297bbdf7ddf8228c3159 ++Ctrl.hexsession_id = hexsession_id:a674aaced8345324221bbd8356ab8355fd3d3e410ae974c0da196f4cd58cc0236a85900626da696dab8be23aaa529458ac6ccf64058fd2fd140ca1a1a0c57988 ++Ctrl.type = type:D ++Output = c5ec1aae5d26c2c5fe769576eb1b75c53d3dc67d452dca1c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000802b2e6f7545fa66e1078c67c5457dbf5ee03801edef4421d4f0e797b947b79e293ef724253ec4adb53977f027a2d577d7779e96be4e093b0c36be62778c5bd48dbb0bff1335470e10cdec4df88e8feb00d322426baf3035e9fda1aaf819be48dacc640d52eb8750cc6fd8031d0cba0ef0a11973d43138dd2d11d2eef1fc926327 ++Ctrl.hexxcghash = hexxcghash:4dc005dc6ad5075cf6abbedb53a0407104659cd168b58d014fb2465d6f1d1140d5fef634f345c6c38ac2a8db3771e4b0c71c51faf85a297bbdf7ddf8228c3159 ++Ctrl.hexsession_id = hexsession_id:a674aaced8345324221bbd8356ab8355fd3d3e410ae974c0da196f4cd58cc0236a85900626da696dab8be23aaa529458ac6ccf64058fd2fd140ca1a1a0c57988 ++Ctrl.type = type:E ++Output = 6bc4e5d6049c69a8ffbf93c7617b6a168bd0f14d71471d199b81729250117272ad102772761a8c0b5d5240e589e48a4f85ab8c3e1bd030327e7c87428ee44d13 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000802b2e6f7545fa66e1078c67c5457dbf5ee03801edef4421d4f0e797b947b79e293ef724253ec4adb53977f027a2d577d7779e96be4e093b0c36be62778c5bd48dbb0bff1335470e10cdec4df88e8feb00d322426baf3035e9fda1aaf819be48dacc640d52eb8750cc6fd8031d0cba0ef0a11973d43138dd2d11d2eef1fc926327 ++Ctrl.hexxcghash = hexxcghash:4dc005dc6ad5075cf6abbedb53a0407104659cd168b58d014fb2465d6f1d1140d5fef634f345c6c38ac2a8db3771e4b0c71c51faf85a297bbdf7ddf8228c3159 ++Ctrl.hexsession_id = hexsession_id:a674aaced8345324221bbd8356ab8355fd3d3e410ae974c0da196f4cd58cc0236a85900626da696dab8be23aaa529458ac6ccf64058fd2fd140ca1a1a0c57988 ++Ctrl.type = type:F ++Output = ce109babe86778542856e3934be12decd239120a4dcb948a0154c4cb7b8ac0a4a3cbd682698086123e6c0481ee351bd9fedfba58d37f7814ba9c2b584f6cfedf ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000810085874b95394d5ca3096b0a7e6444e129544e4acd8dd7078c46dc74633df1737986e7dc6f58ac09c7d734fd68378f1ee6df60c48bde343e55ab2a5796ca3ec295f15a75500f476a8a6f1725fdade3339cd7da0a2528449652d7ea21a834e42961ede8477f63bac84ccdba933c276512d3670477d2696402175208526276712541 ++Ctrl.hexxcghash = hexxcghash:8540955867f6580e9c1e7e3dfaef9c4f810dbf3364e54f66c471b51d11686598fabff6c3f78a7ac1c90710ab991aa00980f9d5948d462662f6c439fa7b80483f ++Ctrl.hexsession_id = hexsession_id:f2ebb7479c714402275075725c4712994f04485c048fad37d1505f1ce2cd6e32051782848afbea4399231fea5b8d39ec596e118dcc95ea35ffddd8c5611f5298 ++Ctrl.type = type:A ++Output = 6a71fc98f044591d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000810085874b95394d5ca3096b0a7e6444e129544e4acd8dd7078c46dc74633df1737986e7dc6f58ac09c7d734fd68378f1ee6df60c48bde343e55ab2a5796ca3ec295f15a75500f476a8a6f1725fdade3339cd7da0a2528449652d7ea21a834e42961ede8477f63bac84ccdba933c276512d3670477d2696402175208526276712541 ++Ctrl.hexxcghash = hexxcghash:8540955867f6580e9c1e7e3dfaef9c4f810dbf3364e54f66c471b51d11686598fabff6c3f78a7ac1c90710ab991aa00980f9d5948d462662f6c439fa7b80483f ++Ctrl.hexsession_id = hexsession_id:f2ebb7479c714402275075725c4712994f04485c048fad37d1505f1ce2cd6e32051782848afbea4399231fea5b8d39ec596e118dcc95ea35ffddd8c5611f5298 ++Ctrl.type = type:B ++Output = 9f1a35a5c79014c0 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000810085874b95394d5ca3096b0a7e6444e129544e4acd8dd7078c46dc74633df1737986e7dc6f58ac09c7d734fd68378f1ee6df60c48bde343e55ab2a5796ca3ec295f15a75500f476a8a6f1725fdade3339cd7da0a2528449652d7ea21a834e42961ede8477f63bac84ccdba933c276512d3670477d2696402175208526276712541 ++Ctrl.hexxcghash = hexxcghash:8540955867f6580e9c1e7e3dfaef9c4f810dbf3364e54f66c471b51d11686598fabff6c3f78a7ac1c90710ab991aa00980f9d5948d462662f6c439fa7b80483f ++Ctrl.hexsession_id = hexsession_id:f2ebb7479c714402275075725c4712994f04485c048fad37d1505f1ce2cd6e32051782848afbea4399231fea5b8d39ec596e118dcc95ea35ffddd8c5611f5298 ++Ctrl.type = type:C ++Output = 377901cc72e4c06e30e27b03902f65c4a58b9d3f5cf43431 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000810085874b95394d5ca3096b0a7e6444e129544e4acd8dd7078c46dc74633df1737986e7dc6f58ac09c7d734fd68378f1ee6df60c48bde343e55ab2a5796ca3ec295f15a75500f476a8a6f1725fdade3339cd7da0a2528449652d7ea21a834e42961ede8477f63bac84ccdba933c276512d3670477d2696402175208526276712541 ++Ctrl.hexxcghash = hexxcghash:8540955867f6580e9c1e7e3dfaef9c4f810dbf3364e54f66c471b51d11686598fabff6c3f78a7ac1c90710ab991aa00980f9d5948d462662f6c439fa7b80483f ++Ctrl.hexsession_id = hexsession_id:f2ebb7479c714402275075725c4712994f04485c048fad37d1505f1ce2cd6e32051782848afbea4399231fea5b8d39ec596e118dcc95ea35ffddd8c5611f5298 ++Ctrl.type = type:D ++Output = 82a9db94ea5c15dff736c3074a34951e828c8dfa3fef8596 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000810085874b95394d5ca3096b0a7e6444e129544e4acd8dd7078c46dc74633df1737986e7dc6f58ac09c7d734fd68378f1ee6df60c48bde343e55ab2a5796ca3ec295f15a75500f476a8a6f1725fdade3339cd7da0a2528449652d7ea21a834e42961ede8477f63bac84ccdba933c276512d3670477d2696402175208526276712541 ++Ctrl.hexxcghash = hexxcghash:8540955867f6580e9c1e7e3dfaef9c4f810dbf3364e54f66c471b51d11686598fabff6c3f78a7ac1c90710ab991aa00980f9d5948d462662f6c439fa7b80483f ++Ctrl.hexsession_id = hexsession_id:f2ebb7479c714402275075725c4712994f04485c048fad37d1505f1ce2cd6e32051782848afbea4399231fea5b8d39ec596e118dcc95ea35ffddd8c5611f5298 ++Ctrl.type = type:E ++Output = b3ce0202c966df307a0729a4bb3fcd0ee55d4c521a144ecd285a470830f60685b2d751883d85ccd29fcc2481f3f442fdedd58d17528e8c4fb28473ee5e539706 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000810085874b95394d5ca3096b0a7e6444e129544e4acd8dd7078c46dc74633df1737986e7dc6f58ac09c7d734fd68378f1ee6df60c48bde343e55ab2a5796ca3ec295f15a75500f476a8a6f1725fdade3339cd7da0a2528449652d7ea21a834e42961ede8477f63bac84ccdba933c276512d3670477d2696402175208526276712541 ++Ctrl.hexxcghash = hexxcghash:8540955867f6580e9c1e7e3dfaef9c4f810dbf3364e54f66c471b51d11686598fabff6c3f78a7ac1c90710ab991aa00980f9d5948d462662f6c439fa7b80483f ++Ctrl.hexsession_id = hexsession_id:f2ebb7479c714402275075725c4712994f04485c048fad37d1505f1ce2cd6e32051782848afbea4399231fea5b8d39ec596e118dcc95ea35ffddd8c5611f5298 ++Ctrl.type = type:F ++Output = c1ab7227f919cbda46cd6ac2bd4bb2ee5bd586cc55c7c1cb067df4c9a23209f716ff5e97ed76ebbc0354d683c5369937ca8db4cecf9e6c40886a186d9c4e2366 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008100e1436b5ef714092a6a0c8cc1593682a7ca4c05de423fb5f57c1d225943d8e4a5b526288a46a9a0fdb10b59c0beb8c1dc5b4d2bdf34eec2525df84bca2f8b769897183a45c7e61171ecea6e2be80d3becec8355ac3853bd8d077697af6e774133143265bdd538b4fb64786aaaa33e45138fd8697ff1c77b50f63dd8e9476a74c0 ++Ctrl.hexxcghash = hexxcghash:367c80484d7e01e0915959e9fcb5124fa674489cf0ec4b0fee6a62dd77f677db901d9fb417cecf2a98f0b24bc24edbb1f34ab19f8d4d2976958f7d99ae2c78b3 ++Ctrl.hexsession_id = hexsession_id:0a1bbfb890087ef260a88fafb92f16765444adc4dcb00efd4750d59f1d8f4b6662edd379d812ddc822cea79675731a5e5791f29ebd17f3f83e675e9e9f6af3e3 ++Ctrl.type = type:A ++Output = 3832bf21b907daa3 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008100e1436b5ef714092a6a0c8cc1593682a7ca4c05de423fb5f57c1d225943d8e4a5b526288a46a9a0fdb10b59c0beb8c1dc5b4d2bdf34eec2525df84bca2f8b769897183a45c7e61171ecea6e2be80d3becec8355ac3853bd8d077697af6e774133143265bdd538b4fb64786aaaa33e45138fd8697ff1c77b50f63dd8e9476a74c0 ++Ctrl.hexxcghash = hexxcghash:367c80484d7e01e0915959e9fcb5124fa674489cf0ec4b0fee6a62dd77f677db901d9fb417cecf2a98f0b24bc24edbb1f34ab19f8d4d2976958f7d99ae2c78b3 ++Ctrl.hexsession_id = hexsession_id:0a1bbfb890087ef260a88fafb92f16765444adc4dcb00efd4750d59f1d8f4b6662edd379d812ddc822cea79675731a5e5791f29ebd17f3f83e675e9e9f6af3e3 ++Ctrl.type = type:B ++Output = 4e04d7787ba7fa68 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008100e1436b5ef714092a6a0c8cc1593682a7ca4c05de423fb5f57c1d225943d8e4a5b526288a46a9a0fdb10b59c0beb8c1dc5b4d2bdf34eec2525df84bca2f8b769897183a45c7e61171ecea6e2be80d3becec8355ac3853bd8d077697af6e774133143265bdd538b4fb64786aaaa33e45138fd8697ff1c77b50f63dd8e9476a74c0 ++Ctrl.hexxcghash = hexxcghash:367c80484d7e01e0915959e9fcb5124fa674489cf0ec4b0fee6a62dd77f677db901d9fb417cecf2a98f0b24bc24edbb1f34ab19f8d4d2976958f7d99ae2c78b3 ++Ctrl.hexsession_id = hexsession_id:0a1bbfb890087ef260a88fafb92f16765444adc4dcb00efd4750d59f1d8f4b6662edd379d812ddc822cea79675731a5e5791f29ebd17f3f83e675e9e9f6af3e3 ++Ctrl.type = type:C ++Output = d7be949edcfe4e4b877de1cc6a861fa721e137bf3dd1bb27 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008100e1436b5ef714092a6a0c8cc1593682a7ca4c05de423fb5f57c1d225943d8e4a5b526288a46a9a0fdb10b59c0beb8c1dc5b4d2bdf34eec2525df84bca2f8b769897183a45c7e61171ecea6e2be80d3becec8355ac3853bd8d077697af6e774133143265bdd538b4fb64786aaaa33e45138fd8697ff1c77b50f63dd8e9476a74c0 ++Ctrl.hexxcghash = hexxcghash:367c80484d7e01e0915959e9fcb5124fa674489cf0ec4b0fee6a62dd77f677db901d9fb417cecf2a98f0b24bc24edbb1f34ab19f8d4d2976958f7d99ae2c78b3 ++Ctrl.hexsession_id = hexsession_id:0a1bbfb890087ef260a88fafb92f16765444adc4dcb00efd4750d59f1d8f4b6662edd379d812ddc822cea79675731a5e5791f29ebd17f3f83e675e9e9f6af3e3 ++Ctrl.type = type:D ++Output = 5361fc87e24ec3031d97f0099766ac9ff7b8f91ea87666de ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008100e1436b5ef714092a6a0c8cc1593682a7ca4c05de423fb5f57c1d225943d8e4a5b526288a46a9a0fdb10b59c0beb8c1dc5b4d2bdf34eec2525df84bca2f8b769897183a45c7e61171ecea6e2be80d3becec8355ac3853bd8d077697af6e774133143265bdd538b4fb64786aaaa33e45138fd8697ff1c77b50f63dd8e9476a74c0 ++Ctrl.hexxcghash = hexxcghash:367c80484d7e01e0915959e9fcb5124fa674489cf0ec4b0fee6a62dd77f677db901d9fb417cecf2a98f0b24bc24edbb1f34ab19f8d4d2976958f7d99ae2c78b3 ++Ctrl.hexsession_id = hexsession_id:0a1bbfb890087ef260a88fafb92f16765444adc4dcb00efd4750d59f1d8f4b6662edd379d812ddc822cea79675731a5e5791f29ebd17f3f83e675e9e9f6af3e3 ++Ctrl.type = type:E ++Output = 40a6897606035ebb04907fa15e1545a8973b9b09423f3786be4bcb8db9e4561e0385bcf1e3c0cece5a788e9852ed1da56963f36bad78fede21405ce3ea92a3b8 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008100e1436b5ef714092a6a0c8cc1593682a7ca4c05de423fb5f57c1d225943d8e4a5b526288a46a9a0fdb10b59c0beb8c1dc5b4d2bdf34eec2525df84bca2f8b769897183a45c7e61171ecea6e2be80d3becec8355ac3853bd8d077697af6e774133143265bdd538b4fb64786aaaa33e45138fd8697ff1c77b50f63dd8e9476a74c0 ++Ctrl.hexxcghash = hexxcghash:367c80484d7e01e0915959e9fcb5124fa674489cf0ec4b0fee6a62dd77f677db901d9fb417cecf2a98f0b24bc24edbb1f34ab19f8d4d2976958f7d99ae2c78b3 ++Ctrl.hexsession_id = hexsession_id:0a1bbfb890087ef260a88fafb92f16765444adc4dcb00efd4750d59f1d8f4b6662edd379d812ddc822cea79675731a5e5791f29ebd17f3f83e675e9e9f6af3e3 ++Ctrl.type = type:F ++Output = 727f9bade9334f97486f479c88614ce96b8cbc803a544fbfaf5fcaf0499a1b8edeb59daa1a824ca9b165879c63d9f0b6464bcd3121fb1ad29b38864fbaac7741 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008100f8cf4795508e2aba0d9c007ee0afb38a7d570e26d4ebe97d3b9cb46dfc05b9b18396054fa91f856758b036195a9b360ee48b65dcec1f2fcb901d5faa308125b30b804e53ac15b2f43c2a12fdbc987707af58c36ecdcd89376117f9655e14da7f1808baeaab020a47ac35166a4868dab970ce79de592c69164045fce4eb55872f ++Ctrl.hexxcghash = hexxcghash:40d59c8836500e523e6404ac03d9895b105c7feceaac52dc3c5e4113e256c0057fbc770b805f7a2f18bf0be13357eb99db906efc5fb772f96e5fe76088e2e6f2 ++Ctrl.hexsession_id = hexsession_id:a619290ad553a2b0924f3ea6152883685e3f2cf6063487616f083fadae950451df5f6e8a144cd951b2d853c7ec2d1aece9c438a89850788edc6bd5e2a7a98a47 ++Ctrl.type = type:A ++Output = 3f077a02dc957eb1 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008100f8cf4795508e2aba0d9c007ee0afb38a7d570e26d4ebe97d3b9cb46dfc05b9b18396054fa91f856758b036195a9b360ee48b65dcec1f2fcb901d5faa308125b30b804e53ac15b2f43c2a12fdbc987707af58c36ecdcd89376117f9655e14da7f1808baeaab020a47ac35166a4868dab970ce79de592c69164045fce4eb55872f ++Ctrl.hexxcghash = hexxcghash:40d59c8836500e523e6404ac03d9895b105c7feceaac52dc3c5e4113e256c0057fbc770b805f7a2f18bf0be13357eb99db906efc5fb772f96e5fe76088e2e6f2 ++Ctrl.hexsession_id = hexsession_id:a619290ad553a2b0924f3ea6152883685e3f2cf6063487616f083fadae950451df5f6e8a144cd951b2d853c7ec2d1aece9c438a89850788edc6bd5e2a7a98a47 ++Ctrl.type = type:B ++Output = 3cc158e348e64a0a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008100f8cf4795508e2aba0d9c007ee0afb38a7d570e26d4ebe97d3b9cb46dfc05b9b18396054fa91f856758b036195a9b360ee48b65dcec1f2fcb901d5faa308125b30b804e53ac15b2f43c2a12fdbc987707af58c36ecdcd89376117f9655e14da7f1808baeaab020a47ac35166a4868dab970ce79de592c69164045fce4eb55872f ++Ctrl.hexxcghash = hexxcghash:40d59c8836500e523e6404ac03d9895b105c7feceaac52dc3c5e4113e256c0057fbc770b805f7a2f18bf0be13357eb99db906efc5fb772f96e5fe76088e2e6f2 ++Ctrl.hexsession_id = hexsession_id:a619290ad553a2b0924f3ea6152883685e3f2cf6063487616f083fadae950451df5f6e8a144cd951b2d853c7ec2d1aece9c438a89850788edc6bd5e2a7a98a47 ++Ctrl.type = type:C ++Output = 8770fb6792c2fc16a60c9f45c8d40db684fe52de7c60b482 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008100f8cf4795508e2aba0d9c007ee0afb38a7d570e26d4ebe97d3b9cb46dfc05b9b18396054fa91f856758b036195a9b360ee48b65dcec1f2fcb901d5faa308125b30b804e53ac15b2f43c2a12fdbc987707af58c36ecdcd89376117f9655e14da7f1808baeaab020a47ac35166a4868dab970ce79de592c69164045fce4eb55872f ++Ctrl.hexxcghash = hexxcghash:40d59c8836500e523e6404ac03d9895b105c7feceaac52dc3c5e4113e256c0057fbc770b805f7a2f18bf0be13357eb99db906efc5fb772f96e5fe76088e2e6f2 ++Ctrl.hexsession_id = hexsession_id:a619290ad553a2b0924f3ea6152883685e3f2cf6063487616f083fadae950451df5f6e8a144cd951b2d853c7ec2d1aece9c438a89850788edc6bd5e2a7a98a47 ++Ctrl.type = type:D ++Output = d417a07f1070a2e628424fa990ef436f137725a7cde43f1b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008100f8cf4795508e2aba0d9c007ee0afb38a7d570e26d4ebe97d3b9cb46dfc05b9b18396054fa91f856758b036195a9b360ee48b65dcec1f2fcb901d5faa308125b30b804e53ac15b2f43c2a12fdbc987707af58c36ecdcd89376117f9655e14da7f1808baeaab020a47ac35166a4868dab970ce79de592c69164045fce4eb55872f ++Ctrl.hexxcghash = hexxcghash:40d59c8836500e523e6404ac03d9895b105c7feceaac52dc3c5e4113e256c0057fbc770b805f7a2f18bf0be13357eb99db906efc5fb772f96e5fe76088e2e6f2 ++Ctrl.hexsession_id = hexsession_id:a619290ad553a2b0924f3ea6152883685e3f2cf6063487616f083fadae950451df5f6e8a144cd951b2d853c7ec2d1aece9c438a89850788edc6bd5e2a7a98a47 ++Ctrl.type = type:E ++Output = 20b810e4f6a540724f269194e37969a10e340d45c557eabe72c41f08a9fad85ab44a9c362e7fc5eea9ed5dd9b84cc837d2aaa46ee71b355cb1dfefa8dc544d1e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008100f8cf4795508e2aba0d9c007ee0afb38a7d570e26d4ebe97d3b9cb46dfc05b9b18396054fa91f856758b036195a9b360ee48b65dcec1f2fcb901d5faa308125b30b804e53ac15b2f43c2a12fdbc987707af58c36ecdcd89376117f9655e14da7f1808baeaab020a47ac35166a4868dab970ce79de592c69164045fce4eb55872f ++Ctrl.hexxcghash = hexxcghash:40d59c8836500e523e6404ac03d9895b105c7feceaac52dc3c5e4113e256c0057fbc770b805f7a2f18bf0be13357eb99db906efc5fb772f96e5fe76088e2e6f2 ++Ctrl.hexsession_id = hexsession_id:a619290ad553a2b0924f3ea6152883685e3f2cf6063487616f083fadae950451df5f6e8a144cd951b2d853c7ec2d1aece9c438a89850788edc6bd5e2a7a98a47 ++Ctrl.type = type:F ++Output = acd292ab652b49c7c2a5a35b93c31a71eeef8a629cbc6b1c782994ebc7566f7b0ae536cc0ccfe881bfd8cbfaff391fe23568fa5692198f188deff0c6d0808160 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000803105020875f56db2960579efb7509964f256c2b81009e5be554bcc8ebe84c492f0cd0990e78ef4e8582a45457712be71d6f6c0b33315668984f0a41cf45fb9a459193c710919b752be3b80b2c8c7de3be570f76df6fe1cbb9dc81085fff2ad1bbfb307c6fb21f434cf7c0b96ee9eb6bc0f9677136a6db91f5d953f8b104b3497 ++Ctrl.hexxcghash = hexxcghash:5f45d483ef27aeb00ec7baef96f4b4d1b254260bf60671dbd00e35a32fdcb7ae06215d59e742158782e0626bd5e2e8bada1fd7ec5056679f4a1412eaa2ef10e5 ++Ctrl.hexsession_id = hexsession_id:8ddcd28d02f2cb50661cf2111953c697c0e578e43a77dfeb593b2bf05189bb429f306bcb0bcb41219d5428c1795c84665bb1f0db33e55f52edbff2b781c7eb79 ++Ctrl.type = type:A ++Output = 7cf213cec41701ff ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000803105020875f56db2960579efb7509964f256c2b81009e5be554bcc8ebe84c492f0cd0990e78ef4e8582a45457712be71d6f6c0b33315668984f0a41cf45fb9a459193c710919b752be3b80b2c8c7de3be570f76df6fe1cbb9dc81085fff2ad1bbfb307c6fb21f434cf7c0b96ee9eb6bc0f9677136a6db91f5d953f8b104b3497 ++Ctrl.hexxcghash = hexxcghash:5f45d483ef27aeb00ec7baef96f4b4d1b254260bf60671dbd00e35a32fdcb7ae06215d59e742158782e0626bd5e2e8bada1fd7ec5056679f4a1412eaa2ef10e5 ++Ctrl.hexsession_id = hexsession_id:8ddcd28d02f2cb50661cf2111953c697c0e578e43a77dfeb593b2bf05189bb429f306bcb0bcb41219d5428c1795c84665bb1f0db33e55f52edbff2b781c7eb79 ++Ctrl.type = type:B ++Output = 81a44f6f95fff954 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000803105020875f56db2960579efb7509964f256c2b81009e5be554bcc8ebe84c492f0cd0990e78ef4e8582a45457712be71d6f6c0b33315668984f0a41cf45fb9a459193c710919b752be3b80b2c8c7de3be570f76df6fe1cbb9dc81085fff2ad1bbfb307c6fb21f434cf7c0b96ee9eb6bc0f9677136a6db91f5d953f8b104b3497 ++Ctrl.hexxcghash = hexxcghash:5f45d483ef27aeb00ec7baef96f4b4d1b254260bf60671dbd00e35a32fdcb7ae06215d59e742158782e0626bd5e2e8bada1fd7ec5056679f4a1412eaa2ef10e5 ++Ctrl.hexsession_id = hexsession_id:8ddcd28d02f2cb50661cf2111953c697c0e578e43a77dfeb593b2bf05189bb429f306bcb0bcb41219d5428c1795c84665bb1f0db33e55f52edbff2b781c7eb79 ++Ctrl.type = type:C ++Output = e1610d85ea2c24b4af18076c2d7dc0c3f3b3bf1c8df232a4 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000803105020875f56db2960579efb7509964f256c2b81009e5be554bcc8ebe84c492f0cd0990e78ef4e8582a45457712be71d6f6c0b33315668984f0a41cf45fb9a459193c710919b752be3b80b2c8c7de3be570f76df6fe1cbb9dc81085fff2ad1bbfb307c6fb21f434cf7c0b96ee9eb6bc0f9677136a6db91f5d953f8b104b3497 ++Ctrl.hexxcghash = hexxcghash:5f45d483ef27aeb00ec7baef96f4b4d1b254260bf60671dbd00e35a32fdcb7ae06215d59e742158782e0626bd5e2e8bada1fd7ec5056679f4a1412eaa2ef10e5 ++Ctrl.hexsession_id = hexsession_id:8ddcd28d02f2cb50661cf2111953c697c0e578e43a77dfeb593b2bf05189bb429f306bcb0bcb41219d5428c1795c84665bb1f0db33e55f52edbff2b781c7eb79 ++Ctrl.type = type:D ++Output = db146cbf4923693449b857fa927d112f3c8bd1bac73f618a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000803105020875f56db2960579efb7509964f256c2b81009e5be554bcc8ebe84c492f0cd0990e78ef4e8582a45457712be71d6f6c0b33315668984f0a41cf45fb9a459193c710919b752be3b80b2c8c7de3be570f76df6fe1cbb9dc81085fff2ad1bbfb307c6fb21f434cf7c0b96ee9eb6bc0f9677136a6db91f5d953f8b104b3497 ++Ctrl.hexxcghash = hexxcghash:5f45d483ef27aeb00ec7baef96f4b4d1b254260bf60671dbd00e35a32fdcb7ae06215d59e742158782e0626bd5e2e8bada1fd7ec5056679f4a1412eaa2ef10e5 ++Ctrl.hexsession_id = hexsession_id:8ddcd28d02f2cb50661cf2111953c697c0e578e43a77dfeb593b2bf05189bb429f306bcb0bcb41219d5428c1795c84665bb1f0db33e55f52edbff2b781c7eb79 ++Ctrl.type = type:E ++Output = fac257f4544a0aa77659642c33a421cf27b2216a57399ff8ff48baab37519ce9c27f93bf447a02b3c10d9f9c6201745ed6ae28a13ff85e949e0e8048bf31e0c8 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000803105020875f56db2960579efb7509964f256c2b81009e5be554bcc8ebe84c492f0cd0990e78ef4e8582a45457712be71d6f6c0b33315668984f0a41cf45fb9a459193c710919b752be3b80b2c8c7de3be570f76df6fe1cbb9dc81085fff2ad1bbfb307c6fb21f434cf7c0b96ee9eb6bc0f9677136a6db91f5d953f8b104b3497 ++Ctrl.hexxcghash = hexxcghash:5f45d483ef27aeb00ec7baef96f4b4d1b254260bf60671dbd00e35a32fdcb7ae06215d59e742158782e0626bd5e2e8bada1fd7ec5056679f4a1412eaa2ef10e5 ++Ctrl.hexsession_id = hexsession_id:8ddcd28d02f2cb50661cf2111953c697c0e578e43a77dfeb593b2bf05189bb429f306bcb0bcb41219d5428c1795c84665bb1f0db33e55f52edbff2b781c7eb79 ++Ctrl.type = type:F ++Output = 8532a1014a5a2feba5730823b0fb1781a7782a73f95a97697aedf60997e6cdf5107387be820b74c0e43e8caf42e83bbc703c6cd9d37b0e720aeacc115ce4633e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008045cafef6acb29ea351ad025a32cb0fb88fe52f138ac3cd7718140c883cffbc10778c2e6c573bdbfaf32eceaa2fc1e106170dadcdf1cb0e1653f2361c76f5153262295b16371daf9ae2015dfb407f4920240eb10293c48971d2086723507d2eb7e1481f2b737df223628ee602a49bb7f1ac52068f5c1a24b445786e35042fc6c0 ++Ctrl.hexxcghash = hexxcghash:b1ce6e766a7340f40cec52585087c60e456cc390d0ee294bbc460d50b93c2170344cca3dd2e3067ebefe3efbd002ec4ed7f0fc1a8771eaffbc1fd4d5800aec21 ++Ctrl.hexsession_id = hexsession_id:85ae5c53a8286dfddf295dd0b31237bc8c54e9858647e222db29a4f60ffb74a175e5de22c132a1a06826c6e0122e63aa657fc670ca44943159560ce1c48b6906 ++Ctrl.type = type:A ++Output = c5dffc4eb99a1c36 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008045cafef6acb29ea351ad025a32cb0fb88fe52f138ac3cd7718140c883cffbc10778c2e6c573bdbfaf32eceaa2fc1e106170dadcdf1cb0e1653f2361c76f5153262295b16371daf9ae2015dfb407f4920240eb10293c48971d2086723507d2eb7e1481f2b737df223628ee602a49bb7f1ac52068f5c1a24b445786e35042fc6c0 ++Ctrl.hexxcghash = hexxcghash:b1ce6e766a7340f40cec52585087c60e456cc390d0ee294bbc460d50b93c2170344cca3dd2e3067ebefe3efbd002ec4ed7f0fc1a8771eaffbc1fd4d5800aec21 ++Ctrl.hexsession_id = hexsession_id:85ae5c53a8286dfddf295dd0b31237bc8c54e9858647e222db29a4f60ffb74a175e5de22c132a1a06826c6e0122e63aa657fc670ca44943159560ce1c48b6906 ++Ctrl.type = type:B ++Output = 13cb7467ddf8ea7d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008045cafef6acb29ea351ad025a32cb0fb88fe52f138ac3cd7718140c883cffbc10778c2e6c573bdbfaf32eceaa2fc1e106170dadcdf1cb0e1653f2361c76f5153262295b16371daf9ae2015dfb407f4920240eb10293c48971d2086723507d2eb7e1481f2b737df223628ee602a49bb7f1ac52068f5c1a24b445786e35042fc6c0 ++Ctrl.hexxcghash = hexxcghash:b1ce6e766a7340f40cec52585087c60e456cc390d0ee294bbc460d50b93c2170344cca3dd2e3067ebefe3efbd002ec4ed7f0fc1a8771eaffbc1fd4d5800aec21 ++Ctrl.hexsession_id = hexsession_id:85ae5c53a8286dfddf295dd0b31237bc8c54e9858647e222db29a4f60ffb74a175e5de22c132a1a06826c6e0122e63aa657fc670ca44943159560ce1c48b6906 ++Ctrl.type = type:C ++Output = 4d77a9a1a36500d9ea0389e3813a201fb9b30751d1fcf0b3 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008045cafef6acb29ea351ad025a32cb0fb88fe52f138ac3cd7718140c883cffbc10778c2e6c573bdbfaf32eceaa2fc1e106170dadcdf1cb0e1653f2361c76f5153262295b16371daf9ae2015dfb407f4920240eb10293c48971d2086723507d2eb7e1481f2b737df223628ee602a49bb7f1ac52068f5c1a24b445786e35042fc6c0 ++Ctrl.hexxcghash = hexxcghash:b1ce6e766a7340f40cec52585087c60e456cc390d0ee294bbc460d50b93c2170344cca3dd2e3067ebefe3efbd002ec4ed7f0fc1a8771eaffbc1fd4d5800aec21 ++Ctrl.hexsession_id = hexsession_id:85ae5c53a8286dfddf295dd0b31237bc8c54e9858647e222db29a4f60ffb74a175e5de22c132a1a06826c6e0122e63aa657fc670ca44943159560ce1c48b6906 ++Ctrl.type = type:D ++Output = a0e4ec099492c752b98013d2176af6e601eeef3cdc2029a9 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008045cafef6acb29ea351ad025a32cb0fb88fe52f138ac3cd7718140c883cffbc10778c2e6c573bdbfaf32eceaa2fc1e106170dadcdf1cb0e1653f2361c76f5153262295b16371daf9ae2015dfb407f4920240eb10293c48971d2086723507d2eb7e1481f2b737df223628ee602a49bb7f1ac52068f5c1a24b445786e35042fc6c0 ++Ctrl.hexxcghash = hexxcghash:b1ce6e766a7340f40cec52585087c60e456cc390d0ee294bbc460d50b93c2170344cca3dd2e3067ebefe3efbd002ec4ed7f0fc1a8771eaffbc1fd4d5800aec21 ++Ctrl.hexsession_id = hexsession_id:85ae5c53a8286dfddf295dd0b31237bc8c54e9858647e222db29a4f60ffb74a175e5de22c132a1a06826c6e0122e63aa657fc670ca44943159560ce1c48b6906 ++Ctrl.type = type:E ++Output = b4035effa78e6da307f4c096226150e5cab92794192bba492ff8576da3fdbbfdc87fbf79721de0e8f38647261dcad096fd536c4f724f09782a4b684902a4b979 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008045cafef6acb29ea351ad025a32cb0fb88fe52f138ac3cd7718140c883cffbc10778c2e6c573bdbfaf32eceaa2fc1e106170dadcdf1cb0e1653f2361c76f5153262295b16371daf9ae2015dfb407f4920240eb10293c48971d2086723507d2eb7e1481f2b737df223628ee602a49bb7f1ac52068f5c1a24b445786e35042fc6c0 ++Ctrl.hexxcghash = hexxcghash:b1ce6e766a7340f40cec52585087c60e456cc390d0ee294bbc460d50b93c2170344cca3dd2e3067ebefe3efbd002ec4ed7f0fc1a8771eaffbc1fd4d5800aec21 ++Ctrl.hexsession_id = hexsession_id:85ae5c53a8286dfddf295dd0b31237bc8c54e9858647e222db29a4f60ffb74a175e5de22c132a1a06826c6e0122e63aa657fc670ca44943159560ce1c48b6906 ++Ctrl.type = type:F ++Output = eae8776eddb75cd4d14d2db129172bab92f0c8d2c8a439d4b63824c23e7481af502a45d2ebee77f3a801d658b59f6cbbdb797f479787ae4d5839b7ddf49ff908 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:00000081008b735b1cc9a88529c0d0faea307f79142abc920248b3495e56b7987605b5a7a93354c638752ae7ce47b2869600dc2ab8f240c0ce4e35147e00f8e69fbe940d6236daf01b38f3e74d7bff07d01111569e213cd8475e77de026c81dac6e40242cfc2df5af9d37e520c2d7aee165de9cc314750e856d7514b0b80c568e2292c733f ++Ctrl.hexxcghash = hexxcghash:c226bd264f49cba006b4806afa4edaf42c2c48992ec66c78ce3a982cb5b1d923344107eb77884b0d996af71997611fdffba499da38d5206db0d0a17c438d4d8a ++Ctrl.hexsession_id = hexsession_id:ae0f9a407aae7a964a900b1f5b7060a2e7d4c9de4e422fec063829a9ea1fcb74a6ae83b9eb08f8663e171bdf036bf0c263b23f8eff3053d617484cc3efd99990 ++Ctrl.type = type:A ++Output = 31ef8e737ec154c0 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:00000081008b735b1cc9a88529c0d0faea307f79142abc920248b3495e56b7987605b5a7a93354c638752ae7ce47b2869600dc2ab8f240c0ce4e35147e00f8e69fbe940d6236daf01b38f3e74d7bff07d01111569e213cd8475e77de026c81dac6e40242cfc2df5af9d37e520c2d7aee165de9cc314750e856d7514b0b80c568e2292c733f ++Ctrl.hexxcghash = hexxcghash:c226bd264f49cba006b4806afa4edaf42c2c48992ec66c78ce3a982cb5b1d923344107eb77884b0d996af71997611fdffba499da38d5206db0d0a17c438d4d8a ++Ctrl.hexsession_id = hexsession_id:ae0f9a407aae7a964a900b1f5b7060a2e7d4c9de4e422fec063829a9ea1fcb74a6ae83b9eb08f8663e171bdf036bf0c263b23f8eff3053d617484cc3efd99990 ++Ctrl.type = type:B ++Output = c0bb41f2c51a0503 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:00000081008b735b1cc9a88529c0d0faea307f79142abc920248b3495e56b7987605b5a7a93354c638752ae7ce47b2869600dc2ab8f240c0ce4e35147e00f8e69fbe940d6236daf01b38f3e74d7bff07d01111569e213cd8475e77de026c81dac6e40242cfc2df5af9d37e520c2d7aee165de9cc314750e856d7514b0b80c568e2292c733f ++Ctrl.hexxcghash = hexxcghash:c226bd264f49cba006b4806afa4edaf42c2c48992ec66c78ce3a982cb5b1d923344107eb77884b0d996af71997611fdffba499da38d5206db0d0a17c438d4d8a ++Ctrl.hexsession_id = hexsession_id:ae0f9a407aae7a964a900b1f5b7060a2e7d4c9de4e422fec063829a9ea1fcb74a6ae83b9eb08f8663e171bdf036bf0c263b23f8eff3053d617484cc3efd99990 ++Ctrl.type = type:C ++Output = 3f9058812f36f302dc5ada7de8f4271c435dfe4589f22a00 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:00000081008b735b1cc9a88529c0d0faea307f79142abc920248b3495e56b7987605b5a7a93354c638752ae7ce47b2869600dc2ab8f240c0ce4e35147e00f8e69fbe940d6236daf01b38f3e74d7bff07d01111569e213cd8475e77de026c81dac6e40242cfc2df5af9d37e520c2d7aee165de9cc314750e856d7514b0b80c568e2292c733f ++Ctrl.hexxcghash = hexxcghash:c226bd264f49cba006b4806afa4edaf42c2c48992ec66c78ce3a982cb5b1d923344107eb77884b0d996af71997611fdffba499da38d5206db0d0a17c438d4d8a ++Ctrl.hexsession_id = hexsession_id:ae0f9a407aae7a964a900b1f5b7060a2e7d4c9de4e422fec063829a9ea1fcb74a6ae83b9eb08f8663e171bdf036bf0c263b23f8eff3053d617484cc3efd99990 ++Ctrl.type = type:D ++Output = b342a447abcb67f6819a19b8b300946c89739fabd049a6e0 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:00000081008b735b1cc9a88529c0d0faea307f79142abc920248b3495e56b7987605b5a7a93354c638752ae7ce47b2869600dc2ab8f240c0ce4e35147e00f8e69fbe940d6236daf01b38f3e74d7bff07d01111569e213cd8475e77de026c81dac6e40242cfc2df5af9d37e520c2d7aee165de9cc314750e856d7514b0b80c568e2292c733f ++Ctrl.hexxcghash = hexxcghash:c226bd264f49cba006b4806afa4edaf42c2c48992ec66c78ce3a982cb5b1d923344107eb77884b0d996af71997611fdffba499da38d5206db0d0a17c438d4d8a ++Ctrl.hexsession_id = hexsession_id:ae0f9a407aae7a964a900b1f5b7060a2e7d4c9de4e422fec063829a9ea1fcb74a6ae83b9eb08f8663e171bdf036bf0c263b23f8eff3053d617484cc3efd99990 ++Ctrl.type = type:E ++Output = a5d70cb0a3e351be09b9600c9b97f2781236bf549209a1fbf3304af145af0941c6cd9923f1f30cec946e8dea96332d284e01a4d8bcc90721fe2e515504073cb8 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:00000081008b735b1cc9a88529c0d0faea307f79142abc920248b3495e56b7987605b5a7a93354c638752ae7ce47b2869600dc2ab8f240c0ce4e35147e00f8e69fbe940d6236daf01b38f3e74d7bff07d01111569e213cd8475e77de026c81dac6e40242cfc2df5af9d37e520c2d7aee165de9cc314750e856d7514b0b80c568e2292c733f ++Ctrl.hexxcghash = hexxcghash:c226bd264f49cba006b4806afa4edaf42c2c48992ec66c78ce3a982cb5b1d923344107eb77884b0d996af71997611fdffba499da38d5206db0d0a17c438d4d8a ++Ctrl.hexsession_id = hexsession_id:ae0f9a407aae7a964a900b1f5b7060a2e7d4c9de4e422fec063829a9ea1fcb74a6ae83b9eb08f8663e171bdf036bf0c263b23f8eff3053d617484cc3efd99990 ++Ctrl.type = type:F ++Output = dbc3ea086a49e220306cbe57b942d9409cbd205dec20c7b79fd6998906d173bcb2bc2eb5b7eea4c1d84f3926836bd15e0565a17af735596050d6161d9682f2e7 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008100c41430e9dfce9301082a4d034e0e1ffe73133e4c97afbd325d6bbe1f3a4f5a9103f57a05f66b1ac63a5f1724b3315daf7171f334e77eff356366daf4e23e55751422734d4d22e6dcac783bba0edc1be8fcc4c7c0d5a69d047291e33167057c774e46362dfb6f8432b427cf21c01304b23e2b49b664fd50dc463c17efffa146a0 ++Ctrl.hexxcghash = hexxcghash:04aeff766f08c065092fdd7be43531f83d73682601069477ee10407821a0f0e8bf614e775dfab6f889a8d5120c2e39d96e38de4cda6f673fb7cb343de1e17b9c ++Ctrl.hexsession_id = hexsession_id:15f5653a107aee694bd1680d423c8da2dab8c1ec8e23c5208100ce3d8d4821b52bbb1d14791476253db4b07ebb715ae095b8b49e1545be3c92a3adcf39970be5 ++Ctrl.type = type:A ++Output = 19d6bc79713a4622 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008100c41430e9dfce9301082a4d034e0e1ffe73133e4c97afbd325d6bbe1f3a4f5a9103f57a05f66b1ac63a5f1724b3315daf7171f334e77eff356366daf4e23e55751422734d4d22e6dcac783bba0edc1be8fcc4c7c0d5a69d047291e33167057c774e46362dfb6f8432b427cf21c01304b23e2b49b664fd50dc463c17efffa146a0 ++Ctrl.hexxcghash = hexxcghash:04aeff766f08c065092fdd7be43531f83d73682601069477ee10407821a0f0e8bf614e775dfab6f889a8d5120c2e39d96e38de4cda6f673fb7cb343de1e17b9c ++Ctrl.hexsession_id = hexsession_id:15f5653a107aee694bd1680d423c8da2dab8c1ec8e23c5208100ce3d8d4821b52bbb1d14791476253db4b07ebb715ae095b8b49e1545be3c92a3adcf39970be5 ++Ctrl.type = type:B ++Output = 7de9caf89d325dcd ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008100c41430e9dfce9301082a4d034e0e1ffe73133e4c97afbd325d6bbe1f3a4f5a9103f57a05f66b1ac63a5f1724b3315daf7171f334e77eff356366daf4e23e55751422734d4d22e6dcac783bba0edc1be8fcc4c7c0d5a69d047291e33167057c774e46362dfb6f8432b427cf21c01304b23e2b49b664fd50dc463c17efffa146a0 ++Ctrl.hexxcghash = hexxcghash:04aeff766f08c065092fdd7be43531f83d73682601069477ee10407821a0f0e8bf614e775dfab6f889a8d5120c2e39d96e38de4cda6f673fb7cb343de1e17b9c ++Ctrl.hexsession_id = hexsession_id:15f5653a107aee694bd1680d423c8da2dab8c1ec8e23c5208100ce3d8d4821b52bbb1d14791476253db4b07ebb715ae095b8b49e1545be3c92a3adcf39970be5 ++Ctrl.type = type:C ++Output = 1d5391d658abb9ec1b8df32cbf1db9a302a1301984ab06d4 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008100c41430e9dfce9301082a4d034e0e1ffe73133e4c97afbd325d6bbe1f3a4f5a9103f57a05f66b1ac63a5f1724b3315daf7171f334e77eff356366daf4e23e55751422734d4d22e6dcac783bba0edc1be8fcc4c7c0d5a69d047291e33167057c774e46362dfb6f8432b427cf21c01304b23e2b49b664fd50dc463c17efffa146a0 ++Ctrl.hexxcghash = hexxcghash:04aeff766f08c065092fdd7be43531f83d73682601069477ee10407821a0f0e8bf614e775dfab6f889a8d5120c2e39d96e38de4cda6f673fb7cb343de1e17b9c ++Ctrl.hexsession_id = hexsession_id:15f5653a107aee694bd1680d423c8da2dab8c1ec8e23c5208100ce3d8d4821b52bbb1d14791476253db4b07ebb715ae095b8b49e1545be3c92a3adcf39970be5 ++Ctrl.type = type:D ++Output = 5d37dab50814543d8d8674f4f491d73d21973f20844c96a7 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008100c41430e9dfce9301082a4d034e0e1ffe73133e4c97afbd325d6bbe1f3a4f5a9103f57a05f66b1ac63a5f1724b3315daf7171f334e77eff356366daf4e23e55751422734d4d22e6dcac783bba0edc1be8fcc4c7c0d5a69d047291e33167057c774e46362dfb6f8432b427cf21c01304b23e2b49b664fd50dc463c17efffa146a0 ++Ctrl.hexxcghash = hexxcghash:04aeff766f08c065092fdd7be43531f83d73682601069477ee10407821a0f0e8bf614e775dfab6f889a8d5120c2e39d96e38de4cda6f673fb7cb343de1e17b9c ++Ctrl.hexsession_id = hexsession_id:15f5653a107aee694bd1680d423c8da2dab8c1ec8e23c5208100ce3d8d4821b52bbb1d14791476253db4b07ebb715ae095b8b49e1545be3c92a3adcf39970be5 ++Ctrl.type = type:E ++Output = 3e882ae390a64c34f509bc9845df581987ae2524b2ff92d9243580168f32fa68750f3f732c8c5544c98fc585582fe743efbf55dd6c487fb5f9ffac1a156fa31c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000008100c41430e9dfce9301082a4d034e0e1ffe73133e4c97afbd325d6bbe1f3a4f5a9103f57a05f66b1ac63a5f1724b3315daf7171f334e77eff356366daf4e23e55751422734d4d22e6dcac783bba0edc1be8fcc4c7c0d5a69d047291e33167057c774e46362dfb6f8432b427cf21c01304b23e2b49b664fd50dc463c17efffa146a0 ++Ctrl.hexxcghash = hexxcghash:04aeff766f08c065092fdd7be43531f83d73682601069477ee10407821a0f0e8bf614e775dfab6f889a8d5120c2e39d96e38de4cda6f673fb7cb343de1e17b9c ++Ctrl.hexsession_id = hexsession_id:15f5653a107aee694bd1680d423c8da2dab8c1ec8e23c5208100ce3d8d4821b52bbb1d14791476253db4b07ebb715ae095b8b49e1545be3c92a3adcf39970be5 ++Ctrl.type = type:F ++Output = ce4bcf9cabe7ee7c0e216e64e5427ebd38cb41ba9e9a6d9ae441ca47d9278347a59afdf758ae7f7fd667ed3830bf9a33d7badfd40e2112580af514da9464a6d1 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000810088181aaaa6b17924ced0033b1e4a3d007a464d4d53871f4da4689d477437b42f873d4b7d5f5c52909b6cca8be7a01d1a7a806f745500bb00b4fd6e6f8d0e1c9ad08d934c7d680a57ac5a4ed77f73182065f9295d745e1d50b8da0626f3e9ccb6651aad3b0c5c2cecd90c521318778f570333c011f02d5e2a406eb8b3d6036537 ++Ctrl.hexxcghash = hexxcghash:3c4ecb173c39cedecbcd19ba0fc38454176b81b6451911b4422907b1b670dcedaabebaaa261fbac23b3b5738264c5eee3dccfd9e050a1cef17ac997527dd7095 ++Ctrl.hexsession_id = hexsession_id:3b05253d9e5ab2f7f4ba2998bea5ed7d05afdf02b7499ac2dd554833b886b73d92e929316a366147e9af50201dbb4e54c123418d1a623bc2dc52766211dbe614 ++Ctrl.type = type:A ++Output = 93fbb01815b63533 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000810088181aaaa6b17924ced0033b1e4a3d007a464d4d53871f4da4689d477437b42f873d4b7d5f5c52909b6cca8be7a01d1a7a806f745500bb00b4fd6e6f8d0e1c9ad08d934c7d680a57ac5a4ed77f73182065f9295d745e1d50b8da0626f3e9ccb6651aad3b0c5c2cecd90c521318778f570333c011f02d5e2a406eb8b3d6036537 ++Ctrl.hexxcghash = hexxcghash:3c4ecb173c39cedecbcd19ba0fc38454176b81b6451911b4422907b1b670dcedaabebaaa261fbac23b3b5738264c5eee3dccfd9e050a1cef17ac997527dd7095 ++Ctrl.hexsession_id = hexsession_id:3b05253d9e5ab2f7f4ba2998bea5ed7d05afdf02b7499ac2dd554833b886b73d92e929316a366147e9af50201dbb4e54c123418d1a623bc2dc52766211dbe614 ++Ctrl.type = type:B ++Output = aea76dfe77a87471 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000810088181aaaa6b17924ced0033b1e4a3d007a464d4d53871f4da4689d477437b42f873d4b7d5f5c52909b6cca8be7a01d1a7a806f745500bb00b4fd6e6f8d0e1c9ad08d934c7d680a57ac5a4ed77f73182065f9295d745e1d50b8da0626f3e9ccb6651aad3b0c5c2cecd90c521318778f570333c011f02d5e2a406eb8b3d6036537 ++Ctrl.hexxcghash = hexxcghash:3c4ecb173c39cedecbcd19ba0fc38454176b81b6451911b4422907b1b670dcedaabebaaa261fbac23b3b5738264c5eee3dccfd9e050a1cef17ac997527dd7095 ++Ctrl.hexsession_id = hexsession_id:3b05253d9e5ab2f7f4ba2998bea5ed7d05afdf02b7499ac2dd554833b886b73d92e929316a366147e9af50201dbb4e54c123418d1a623bc2dc52766211dbe614 ++Ctrl.type = type:C ++Output = 73a55e25a0a8ec0899c1074bf0845fefd84e42f741897a3f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000810088181aaaa6b17924ced0033b1e4a3d007a464d4d53871f4da4689d477437b42f873d4b7d5f5c52909b6cca8be7a01d1a7a806f745500bb00b4fd6e6f8d0e1c9ad08d934c7d680a57ac5a4ed77f73182065f9295d745e1d50b8da0626f3e9ccb6651aad3b0c5c2cecd90c521318778f570333c011f02d5e2a406eb8b3d6036537 ++Ctrl.hexxcghash = hexxcghash:3c4ecb173c39cedecbcd19ba0fc38454176b81b6451911b4422907b1b670dcedaabebaaa261fbac23b3b5738264c5eee3dccfd9e050a1cef17ac997527dd7095 ++Ctrl.hexsession_id = hexsession_id:3b05253d9e5ab2f7f4ba2998bea5ed7d05afdf02b7499ac2dd554833b886b73d92e929316a366147e9af50201dbb4e54c123418d1a623bc2dc52766211dbe614 ++Ctrl.type = type:D ++Output = fead3a851502aa3c58734065eeaf3e63ed4c59c8f450bb1a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000810088181aaaa6b17924ced0033b1e4a3d007a464d4d53871f4da4689d477437b42f873d4b7d5f5c52909b6cca8be7a01d1a7a806f745500bb00b4fd6e6f8d0e1c9ad08d934c7d680a57ac5a4ed77f73182065f9295d745e1d50b8da0626f3e9ccb6651aad3b0c5c2cecd90c521318778f570333c011f02d5e2a406eb8b3d6036537 ++Ctrl.hexxcghash = hexxcghash:3c4ecb173c39cedecbcd19ba0fc38454176b81b6451911b4422907b1b670dcedaabebaaa261fbac23b3b5738264c5eee3dccfd9e050a1cef17ac997527dd7095 ++Ctrl.hexsession_id = hexsession_id:3b05253d9e5ab2f7f4ba2998bea5ed7d05afdf02b7499ac2dd554833b886b73d92e929316a366147e9af50201dbb4e54c123418d1a623bc2dc52766211dbe614 ++Ctrl.type = type:E ++Output = 55bde99a692820ad809eb0a62311f8f3e9469ba2ee4d782d5432628ca52d829b9c5bffc41b58232363f97c5dab603268b1997fbe9b9b34ab2aca3da27467b0c8 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000000810088181aaaa6b17924ced0033b1e4a3d007a464d4d53871f4da4689d477437b42f873d4b7d5f5c52909b6cca8be7a01d1a7a806f745500bb00b4fd6e6f8d0e1c9ad08d934c7d680a57ac5a4ed77f73182065f9295d745e1d50b8da0626f3e9ccb6651aad3b0c5c2cecd90c521318778f570333c011f02d5e2a406eb8b3d6036537 ++Ctrl.hexxcghash = hexxcghash:3c4ecb173c39cedecbcd19ba0fc38454176b81b6451911b4422907b1b670dcedaabebaaa261fbac23b3b5738264c5eee3dccfd9e050a1cef17ac997527dd7095 ++Ctrl.hexsession_id = hexsession_id:3b05253d9e5ab2f7f4ba2998bea5ed7d05afdf02b7499ac2dd554833b886b73d92e929316a366147e9af50201dbb4e54c123418d1a623bc2dc52766211dbe614 ++Ctrl.type = type:F ++Output = 756f65746c861f0985f3dd7d2f08004897ccb22be2f1d3b4791ca0c51d5ee0da776dd03d7dfb7f4db6c6cd37899871e63d75f7f60dff8348c313e99409ad2db5 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100e8d52da494d198252b87189223bffb0bc1b68335ae987df15bf7cf95bd74a951b5eaa87b1739f91efc97f28f5a7f0a206fdbcf33e39003e154b334009563abd62a4169462865ba931ca3f8f4d70611e8bcb46228ee74983d2ec79c690d86329c2daac8dbdafe4573f114313f29c7507bd4aa50d87bb83b1cebb628e37b2501ffc9b1200d8d360e1b46bf6fdecd486fae790352eb79aa3f37e4964963a84dbd80fb3b80491210565d9449599bc9306ee76a932a764070702cd09c87e1f26095b1b78042bcc37d5f097e3f7b2db6cb6f7b3e2a332021f756fe1784edd2a82802c1274b9944dff99fb1c181f41d6d2f4eac5aa33c619c48167dce1eb47ddafbe5eb ++Ctrl.hexxcghash = hexxcghash:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121 ++Ctrl.hexsession_id = hexsession_id:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121 ++Ctrl.type = type:A ++Output = a626c34c0a74b56262110185a34cd810 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100e8d52da494d198252b87189223bffb0bc1b68335ae987df15bf7cf95bd74a951b5eaa87b1739f91efc97f28f5a7f0a206fdbcf33e39003e154b334009563abd62a4169462865ba931ca3f8f4d70611e8bcb46228ee74983d2ec79c690d86329c2daac8dbdafe4573f114313f29c7507bd4aa50d87bb83b1cebb628e37b2501ffc9b1200d8d360e1b46bf6fdecd486fae790352eb79aa3f37e4964963a84dbd80fb3b80491210565d9449599bc9306ee76a932a764070702cd09c87e1f26095b1b78042bcc37d5f097e3f7b2db6cb6f7b3e2a332021f756fe1784edd2a82802c1274b9944dff99fb1c181f41d6d2f4eac5aa33c619c48167dce1eb47ddafbe5eb ++Ctrl.hexxcghash = hexxcghash:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121 ++Ctrl.hexsession_id = hexsession_id:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121 ++Ctrl.type = type:B ++Output = 223d6fc57263da9ad61dad9759454e0f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100e8d52da494d198252b87189223bffb0bc1b68335ae987df15bf7cf95bd74a951b5eaa87b1739f91efc97f28f5a7f0a206fdbcf33e39003e154b334009563abd62a4169462865ba931ca3f8f4d70611e8bcb46228ee74983d2ec79c690d86329c2daac8dbdafe4573f114313f29c7507bd4aa50d87bb83b1cebb628e37b2501ffc9b1200d8d360e1b46bf6fdecd486fae790352eb79aa3f37e4964963a84dbd80fb3b80491210565d9449599bc9306ee76a932a764070702cd09c87e1f26095b1b78042bcc37d5f097e3f7b2db6cb6f7b3e2a332021f756fe1784edd2a82802c1274b9944dff99fb1c181f41d6d2f4eac5aa33c619c48167dce1eb47ddafbe5eb ++Ctrl.hexxcghash = hexxcghash:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121 ++Ctrl.hexsession_id = hexsession_id:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121 ++Ctrl.type = type:C ++Output = 7c803e07506969666f446400b2372eee ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100e8d52da494d198252b87189223bffb0bc1b68335ae987df15bf7cf95bd74a951b5eaa87b1739f91efc97f28f5a7f0a206fdbcf33e39003e154b334009563abd62a4169462865ba931ca3f8f4d70611e8bcb46228ee74983d2ec79c690d86329c2daac8dbdafe4573f114313f29c7507bd4aa50d87bb83b1cebb628e37b2501ffc9b1200d8d360e1b46bf6fdecd486fae790352eb79aa3f37e4964963a84dbd80fb3b80491210565d9449599bc9306ee76a932a764070702cd09c87e1f26095b1b78042bcc37d5f097e3f7b2db6cb6f7b3e2a332021f756fe1784edd2a82802c1274b9944dff99fb1c181f41d6d2f4eac5aa33c619c48167dce1eb47ddafbe5eb ++Ctrl.hexxcghash = hexxcghash:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121 ++Ctrl.hexsession_id = hexsession_id:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121 ++Ctrl.type = type:D ++Output = 4ad705fbc9e89c03c15f9dbbf34981df ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100e8d52da494d198252b87189223bffb0bc1b68335ae987df15bf7cf95bd74a951b5eaa87b1739f91efc97f28f5a7f0a206fdbcf33e39003e154b334009563abd62a4169462865ba931ca3f8f4d70611e8bcb46228ee74983d2ec79c690d86329c2daac8dbdafe4573f114313f29c7507bd4aa50d87bb83b1cebb628e37b2501ffc9b1200d8d360e1b46bf6fdecd486fae790352eb79aa3f37e4964963a84dbd80fb3b80491210565d9449599bc9306ee76a932a764070702cd09c87e1f26095b1b78042bcc37d5f097e3f7b2db6cb6f7b3e2a332021f756fe1784edd2a82802c1274b9944dff99fb1c181f41d6d2f4eac5aa33c619c48167dce1eb47ddafbe5eb ++Ctrl.hexxcghash = hexxcghash:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121 ++Ctrl.hexsession_id = hexsession_id:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121 ++Ctrl.type = type:E ++Output = 36cac32cab8b943cd9d2142559c467593bfaf30d0be71560245c8b38a5671901a858ccc637b0ef6966a2bbfb1a7f51f2cf6d52c4165ca000d52bd908405c305f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100e8d52da494d198252b87189223bffb0bc1b68335ae987df15bf7cf95bd74a951b5eaa87b1739f91efc97f28f5a7f0a206fdbcf33e39003e154b334009563abd62a4169462865ba931ca3f8f4d70611e8bcb46228ee74983d2ec79c690d86329c2daac8dbdafe4573f114313f29c7507bd4aa50d87bb83b1cebb628e37b2501ffc9b1200d8d360e1b46bf6fdecd486fae790352eb79aa3f37e4964963a84dbd80fb3b80491210565d9449599bc9306ee76a932a764070702cd09c87e1f26095b1b78042bcc37d5f097e3f7b2db6cb6f7b3e2a332021f756fe1784edd2a82802c1274b9944dff99fb1c181f41d6d2f4eac5aa33c619c48167dce1eb47ddafbe5eb ++Ctrl.hexxcghash = hexxcghash:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121 ++Ctrl.hexsession_id = hexsession_id:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121 ++Ctrl.type = type:F ++Output = 67d42301ce629c0f2a34b9dfb24ec60c138b4edc71f7123bb0db9447b3c915ebd8c54d3b20af04e30b484be3a2d4136f5d5c46f9c56de189b91fec78ecd53e1c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010034a5d2784c99976fb3b615c5b1bfacc9a749330d22bcf5a7c404c10f886e2a3115660a399d7c721d5dd141f458b0d27e0e6709a8290f9ef6f61681a11d876eb7bd52b930f79fb9516f5d2137c5bfa95a893890d26d7712fc9ecc4dc82a5171341b41a9f2c4a8f0c14efe82ef2a4db60a8a0b8e43d3f92992f8dcc2d6bae3759aea86a4f14f809fe648021fc4aa79936bd687450e801916d7d267dfab66bd86f9424b3460fa75b16af37151918cb2f8ba8ac33df5b0ccf7fb21c3ea9fb0ed2917a4eb9d6ed345c42a5a67a66fca7b7e69c1ad5c45c51866692f058ad537c0f59c83a2788ef9b9610cc06aa155aa1115f23fa36d7734152a0da209244c32d37e3a ++Ctrl.hexxcghash = hexxcghash:ab6f9c04514ae3f6591039c9cc6a9919279282d7c95971b4c27957e31cced5ef5b1c59a4418402203ab50a46df7dc03bd67d42a62592708b0581617a42ea6d71 ++Ctrl.hexsession_id = hexsession_id:4e226639facaccf9894367cb1008663e989eb31757b912bd1cb3bd51058c7adf56e9a54eef87b63299a5cc092c047991dc9a380e749c7c5657bb99424bcce6d6 ++Ctrl.type = type:A ++Output = 8ebbf0e9afd9f108498f1543104ba8e2 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010034a5d2784c99976fb3b615c5b1bfacc9a749330d22bcf5a7c404c10f886e2a3115660a399d7c721d5dd141f458b0d27e0e6709a8290f9ef6f61681a11d876eb7bd52b930f79fb9516f5d2137c5bfa95a893890d26d7712fc9ecc4dc82a5171341b41a9f2c4a8f0c14efe82ef2a4db60a8a0b8e43d3f92992f8dcc2d6bae3759aea86a4f14f809fe648021fc4aa79936bd687450e801916d7d267dfab66bd86f9424b3460fa75b16af37151918cb2f8ba8ac33df5b0ccf7fb21c3ea9fb0ed2917a4eb9d6ed345c42a5a67a66fca7b7e69c1ad5c45c51866692f058ad537c0f59c83a2788ef9b9610cc06aa155aa1115f23fa36d7734152a0da209244c32d37e3a ++Ctrl.hexxcghash = hexxcghash:ab6f9c04514ae3f6591039c9cc6a9919279282d7c95971b4c27957e31cced5ef5b1c59a4418402203ab50a46df7dc03bd67d42a62592708b0581617a42ea6d71 ++Ctrl.hexsession_id = hexsession_id:4e226639facaccf9894367cb1008663e989eb31757b912bd1cb3bd51058c7adf56e9a54eef87b63299a5cc092c047991dc9a380e749c7c5657bb99424bcce6d6 ++Ctrl.type = type:B ++Output = 38bfe6bed75f77675fa36d76b63816a4 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010034a5d2784c99976fb3b615c5b1bfacc9a749330d22bcf5a7c404c10f886e2a3115660a399d7c721d5dd141f458b0d27e0e6709a8290f9ef6f61681a11d876eb7bd52b930f79fb9516f5d2137c5bfa95a893890d26d7712fc9ecc4dc82a5171341b41a9f2c4a8f0c14efe82ef2a4db60a8a0b8e43d3f92992f8dcc2d6bae3759aea86a4f14f809fe648021fc4aa79936bd687450e801916d7d267dfab66bd86f9424b3460fa75b16af37151918cb2f8ba8ac33df5b0ccf7fb21c3ea9fb0ed2917a4eb9d6ed345c42a5a67a66fca7b7e69c1ad5c45c51866692f058ad537c0f59c83a2788ef9b9610cc06aa155aa1115f23fa36d7734152a0da209244c32d37e3a ++Ctrl.hexxcghash = hexxcghash:ab6f9c04514ae3f6591039c9cc6a9919279282d7c95971b4c27957e31cced5ef5b1c59a4418402203ab50a46df7dc03bd67d42a62592708b0581617a42ea6d71 ++Ctrl.hexsession_id = hexsession_id:4e226639facaccf9894367cb1008663e989eb31757b912bd1cb3bd51058c7adf56e9a54eef87b63299a5cc092c047991dc9a380e749c7c5657bb99424bcce6d6 ++Ctrl.type = type:C ++Output = f759f0ad2d72980f6b12f0fb317222f3 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010034a5d2784c99976fb3b615c5b1bfacc9a749330d22bcf5a7c404c10f886e2a3115660a399d7c721d5dd141f458b0d27e0e6709a8290f9ef6f61681a11d876eb7bd52b930f79fb9516f5d2137c5bfa95a893890d26d7712fc9ecc4dc82a5171341b41a9f2c4a8f0c14efe82ef2a4db60a8a0b8e43d3f92992f8dcc2d6bae3759aea86a4f14f809fe648021fc4aa79936bd687450e801916d7d267dfab66bd86f9424b3460fa75b16af37151918cb2f8ba8ac33df5b0ccf7fb21c3ea9fb0ed2917a4eb9d6ed345c42a5a67a66fca7b7e69c1ad5c45c51866692f058ad537c0f59c83a2788ef9b9610cc06aa155aa1115f23fa36d7734152a0da209244c32d37e3a ++Ctrl.hexxcghash = hexxcghash:ab6f9c04514ae3f6591039c9cc6a9919279282d7c95971b4c27957e31cced5ef5b1c59a4418402203ab50a46df7dc03bd67d42a62592708b0581617a42ea6d71 ++Ctrl.hexsession_id = hexsession_id:4e226639facaccf9894367cb1008663e989eb31757b912bd1cb3bd51058c7adf56e9a54eef87b63299a5cc092c047991dc9a380e749c7c5657bb99424bcce6d6 ++Ctrl.type = type:D ++Output = 39f294ec25afb520f5d7f1064b7078c9 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010034a5d2784c99976fb3b615c5b1bfacc9a749330d22bcf5a7c404c10f886e2a3115660a399d7c721d5dd141f458b0d27e0e6709a8290f9ef6f61681a11d876eb7bd52b930f79fb9516f5d2137c5bfa95a893890d26d7712fc9ecc4dc82a5171341b41a9f2c4a8f0c14efe82ef2a4db60a8a0b8e43d3f92992f8dcc2d6bae3759aea86a4f14f809fe648021fc4aa79936bd687450e801916d7d267dfab66bd86f9424b3460fa75b16af37151918cb2f8ba8ac33df5b0ccf7fb21c3ea9fb0ed2917a4eb9d6ed345c42a5a67a66fca7b7e69c1ad5c45c51866692f058ad537c0f59c83a2788ef9b9610cc06aa155aa1115f23fa36d7734152a0da209244c32d37e3a ++Ctrl.hexxcghash = hexxcghash:ab6f9c04514ae3f6591039c9cc6a9919279282d7c95971b4c27957e31cced5ef5b1c59a4418402203ab50a46df7dc03bd67d42a62592708b0581617a42ea6d71 ++Ctrl.hexsession_id = hexsession_id:4e226639facaccf9894367cb1008663e989eb31757b912bd1cb3bd51058c7adf56e9a54eef87b63299a5cc092c047991dc9a380e749c7c5657bb99424bcce6d6 ++Ctrl.type = type:E ++Output = ff2ad139997ff26e7f4393e49d57d5fc973ddb6225d8f4b5fe990e46b9943772f0d33aa98d01089ff0aeb5740bd388ada35dc44240180c99e522c817dedfc2cd ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010034a5d2784c99976fb3b615c5b1bfacc9a749330d22bcf5a7c404c10f886e2a3115660a399d7c721d5dd141f458b0d27e0e6709a8290f9ef6f61681a11d876eb7bd52b930f79fb9516f5d2137c5bfa95a893890d26d7712fc9ecc4dc82a5171341b41a9f2c4a8f0c14efe82ef2a4db60a8a0b8e43d3f92992f8dcc2d6bae3759aea86a4f14f809fe648021fc4aa79936bd687450e801916d7d267dfab66bd86f9424b3460fa75b16af37151918cb2f8ba8ac33df5b0ccf7fb21c3ea9fb0ed2917a4eb9d6ed345c42a5a67a66fca7b7e69c1ad5c45c51866692f058ad537c0f59c83a2788ef9b9610cc06aa155aa1115f23fa36d7734152a0da209244c32d37e3a ++Ctrl.hexxcghash = hexxcghash:ab6f9c04514ae3f6591039c9cc6a9919279282d7c95971b4c27957e31cced5ef5b1c59a4418402203ab50a46df7dc03bd67d42a62592708b0581617a42ea6d71 ++Ctrl.hexsession_id = hexsession_id:4e226639facaccf9894367cb1008663e989eb31757b912bd1cb3bd51058c7adf56e9a54eef87b63299a5cc092c047991dc9a380e749c7c5657bb99424bcce6d6 ++Ctrl.type = type:F ++Output = a670c9583c71f403207a192700d5e4fd7a007b60a4617b7f93708399a0cb771af08b9e5f4237e6975f055d6f0a4d91523fa0805013df6ae4a19f077646f1cd4b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:00000100192471d29d9fbc8b61570e4efa053a5f17b2efc0aa5415b3309f7dc3971c64d9f1093f6114941d4912f7bfb771db41d1f166d4bdaec8dde214aeb058e2227277393e3c0b12adc1b6a445870bc26e753e05e27b90b97d781e3e8493eb5e717c243213de4dcdd5a11d467b8d26759118692b10357c28b0efb0228cbe257b9ee0cb77bb7bc8b072edf418768c977e485635b4ab61078587128e9a8b3c6deca2a4e64cf9fd6eca880aebd1043deaf94447ea50b0c11b574259cdcafd208d9657c7177cf394de26dd8364b615786198c38e63c568e22b5263be41d6dd8843ad5254f61cf01b7162948652568c2b42833a95619fa5072adb0bfbf38e3eace7e1596066 ++Ctrl.hexxcghash = hexxcghash:a0a53cb8bcc48ffe44fd9e50e0f7532d3e326f93d7ecb10135d4385dab550cd7be03a7374dfc2a92794be13e40c794811a9916c3d1c4e7ea31ed5269537c1c22 ++Ctrl.hexsession_id = hexsession_id:9bcf3f3397ff464126cb2a99c04908721871354b842ffd3d873d49407db0382f98cc54d66665d950ec8277c374f19e9f0dd2e727f8759017c49b5b80baa87c63 ++Ctrl.type = type:A ++Output = f68353f802d39a43c728641e44087cc5 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:00000100192471d29d9fbc8b61570e4efa053a5f17b2efc0aa5415b3309f7dc3971c64d9f1093f6114941d4912f7bfb771db41d1f166d4bdaec8dde214aeb058e2227277393e3c0b12adc1b6a445870bc26e753e05e27b90b97d781e3e8493eb5e717c243213de4dcdd5a11d467b8d26759118692b10357c28b0efb0228cbe257b9ee0cb77bb7bc8b072edf418768c977e485635b4ab61078587128e9a8b3c6deca2a4e64cf9fd6eca880aebd1043deaf94447ea50b0c11b574259cdcafd208d9657c7177cf394de26dd8364b615786198c38e63c568e22b5263be41d6dd8843ad5254f61cf01b7162948652568c2b42833a95619fa5072adb0bfbf38e3eace7e1596066 ++Ctrl.hexxcghash = hexxcghash:a0a53cb8bcc48ffe44fd9e50e0f7532d3e326f93d7ecb10135d4385dab550cd7be03a7374dfc2a92794be13e40c794811a9916c3d1c4e7ea31ed5269537c1c22 ++Ctrl.hexsession_id = hexsession_id:9bcf3f3397ff464126cb2a99c04908721871354b842ffd3d873d49407db0382f98cc54d66665d950ec8277c374f19e9f0dd2e727f8759017c49b5b80baa87c63 ++Ctrl.type = type:B ++Output = 23c2377f826f77519871941b62cb9fdd ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:00000100192471d29d9fbc8b61570e4efa053a5f17b2efc0aa5415b3309f7dc3971c64d9f1093f6114941d4912f7bfb771db41d1f166d4bdaec8dde214aeb058e2227277393e3c0b12adc1b6a445870bc26e753e05e27b90b97d781e3e8493eb5e717c243213de4dcdd5a11d467b8d26759118692b10357c28b0efb0228cbe257b9ee0cb77bb7bc8b072edf418768c977e485635b4ab61078587128e9a8b3c6deca2a4e64cf9fd6eca880aebd1043deaf94447ea50b0c11b574259cdcafd208d9657c7177cf394de26dd8364b615786198c38e63c568e22b5263be41d6dd8843ad5254f61cf01b7162948652568c2b42833a95619fa5072adb0bfbf38e3eace7e1596066 ++Ctrl.hexxcghash = hexxcghash:a0a53cb8bcc48ffe44fd9e50e0f7532d3e326f93d7ecb10135d4385dab550cd7be03a7374dfc2a92794be13e40c794811a9916c3d1c4e7ea31ed5269537c1c22 ++Ctrl.hexsession_id = hexsession_id:9bcf3f3397ff464126cb2a99c04908721871354b842ffd3d873d49407db0382f98cc54d66665d950ec8277c374f19e9f0dd2e727f8759017c49b5b80baa87c63 ++Ctrl.type = type:C ++Output = c92b86a099e2605037d531746a6af7cb ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:00000100192471d29d9fbc8b61570e4efa053a5f17b2efc0aa5415b3309f7dc3971c64d9f1093f6114941d4912f7bfb771db41d1f166d4bdaec8dde214aeb058e2227277393e3c0b12adc1b6a445870bc26e753e05e27b90b97d781e3e8493eb5e717c243213de4dcdd5a11d467b8d26759118692b10357c28b0efb0228cbe257b9ee0cb77bb7bc8b072edf418768c977e485635b4ab61078587128e9a8b3c6deca2a4e64cf9fd6eca880aebd1043deaf94447ea50b0c11b574259cdcafd208d9657c7177cf394de26dd8364b615786198c38e63c568e22b5263be41d6dd8843ad5254f61cf01b7162948652568c2b42833a95619fa5072adb0bfbf38e3eace7e1596066 ++Ctrl.hexxcghash = hexxcghash:a0a53cb8bcc48ffe44fd9e50e0f7532d3e326f93d7ecb10135d4385dab550cd7be03a7374dfc2a92794be13e40c794811a9916c3d1c4e7ea31ed5269537c1c22 ++Ctrl.hexsession_id = hexsession_id:9bcf3f3397ff464126cb2a99c04908721871354b842ffd3d873d49407db0382f98cc54d66665d950ec8277c374f19e9f0dd2e727f8759017c49b5b80baa87c63 ++Ctrl.type = type:D ++Output = 1517de253a5b9f7d9c4c3f234b27392e ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:00000100192471d29d9fbc8b61570e4efa053a5f17b2efc0aa5415b3309f7dc3971c64d9f1093f6114941d4912f7bfb771db41d1f166d4bdaec8dde214aeb058e2227277393e3c0b12adc1b6a445870bc26e753e05e27b90b97d781e3e8493eb5e717c243213de4dcdd5a11d467b8d26759118692b10357c28b0efb0228cbe257b9ee0cb77bb7bc8b072edf418768c977e485635b4ab61078587128e9a8b3c6deca2a4e64cf9fd6eca880aebd1043deaf94447ea50b0c11b574259cdcafd208d9657c7177cf394de26dd8364b615786198c38e63c568e22b5263be41d6dd8843ad5254f61cf01b7162948652568c2b42833a95619fa5072adb0bfbf38e3eace7e1596066 ++Ctrl.hexxcghash = hexxcghash:a0a53cb8bcc48ffe44fd9e50e0f7532d3e326f93d7ecb10135d4385dab550cd7be03a7374dfc2a92794be13e40c794811a9916c3d1c4e7ea31ed5269537c1c22 ++Ctrl.hexsession_id = hexsession_id:9bcf3f3397ff464126cb2a99c04908721871354b842ffd3d873d49407db0382f98cc54d66665d950ec8277c374f19e9f0dd2e727f8759017c49b5b80baa87c63 ++Ctrl.type = type:E ++Output = be48a82cd246cf4d6ddb397a39f1ed62d98b5265e75190624a523033796d05046d63e0810b4b7a6efe9b834cb043871203638557063968910ad1cfa0abe62bb1 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:00000100192471d29d9fbc8b61570e4efa053a5f17b2efc0aa5415b3309f7dc3971c64d9f1093f6114941d4912f7bfb771db41d1f166d4bdaec8dde214aeb058e2227277393e3c0b12adc1b6a445870bc26e753e05e27b90b97d781e3e8493eb5e717c243213de4dcdd5a11d467b8d26759118692b10357c28b0efb0228cbe257b9ee0cb77bb7bc8b072edf418768c977e485635b4ab61078587128e9a8b3c6deca2a4e64cf9fd6eca880aebd1043deaf94447ea50b0c11b574259cdcafd208d9657c7177cf394de26dd8364b615786198c38e63c568e22b5263be41d6dd8843ad5254f61cf01b7162948652568c2b42833a95619fa5072adb0bfbf38e3eace7e1596066 ++Ctrl.hexxcghash = hexxcghash:a0a53cb8bcc48ffe44fd9e50e0f7532d3e326f93d7ecb10135d4385dab550cd7be03a7374dfc2a92794be13e40c794811a9916c3d1c4e7ea31ed5269537c1c22 ++Ctrl.hexsession_id = hexsession_id:9bcf3f3397ff464126cb2a99c04908721871354b842ffd3d873d49407db0382f98cc54d66665d950ec8277c374f19e9f0dd2e727f8759017c49b5b80baa87c63 ++Ctrl.type = type:F ++Output = 0c9af3775d5dc49a1b9b85fa18420ce1ca10d5159f83f9e078c217289688639dbce5f85665f866d8f93b2c6823bc7b2655830d8bb51fba945ce6eac2b0e6ce8a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010015b3157b538e31a14797d981a6ef62814cd55fbea25ea88a16a5839484c7624d7befccc82d91e2ff2b6f402daba861b77c1016bab9e3d58bab985563f32d663407f9f3582856ee0aa3a56680c221ecddc48af6de71fd34626b716d9efe530df470c0b7b1e4131861bc4f12e44de7f1d1910047465c0eb95f7232d6e71d639d75ac58e6848e560210a5dc2e6996c1d96f9f688fb86558ba96422d1a69cf795ea67e66d534bef2160f4e9d4351c9c2faaad7c2ad2476ace5556c9b3c4c2d3bdac82bfb54d2e54eb6ed398b813c5928aa560b442c585a038571c4db98a44d8c8cdb02fa731b400adb859b591c1846900791d791927363d745042a38597ef883cbda ++Ctrl.hexxcghash = hexxcghash:651bdee255eef5fb47c7733df03d4346bc335cf1de2bfbd453f4ff18c775de475719a6ec4c5c55badadda4822e3fbf5ae3c0e6e9608a893fea68bfcc0af86d73 ++Ctrl.hexsession_id = hexsession_id:ee603130d0bdec24952cd3392272dbd7a536c2e76c794cc2f678ca9dd789670453e6bcd330dbf4e93930ec0b3e506e4c629b3d156ab1171d247d0ba44217d292 ++Ctrl.type = type:A ++Output = 7b802a74d216a41f7708c597b9053223 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010015b3157b538e31a14797d981a6ef62814cd55fbea25ea88a16a5839484c7624d7befccc82d91e2ff2b6f402daba861b77c1016bab9e3d58bab985563f32d663407f9f3582856ee0aa3a56680c221ecddc48af6de71fd34626b716d9efe530df470c0b7b1e4131861bc4f12e44de7f1d1910047465c0eb95f7232d6e71d639d75ac58e6848e560210a5dc2e6996c1d96f9f688fb86558ba96422d1a69cf795ea67e66d534bef2160f4e9d4351c9c2faaad7c2ad2476ace5556c9b3c4c2d3bdac82bfb54d2e54eb6ed398b813c5928aa560b442c585a038571c4db98a44d8c8cdb02fa731b400adb859b591c1846900791d791927363d745042a38597ef883cbda ++Ctrl.hexxcghash = hexxcghash:651bdee255eef5fb47c7733df03d4346bc335cf1de2bfbd453f4ff18c775de475719a6ec4c5c55badadda4822e3fbf5ae3c0e6e9608a893fea68bfcc0af86d73 ++Ctrl.hexsession_id = hexsession_id:ee603130d0bdec24952cd3392272dbd7a536c2e76c794cc2f678ca9dd789670453e6bcd330dbf4e93930ec0b3e506e4c629b3d156ab1171d247d0ba44217d292 ++Ctrl.type = type:B ++Output = 355223971bed70b804d191b64cde39e6 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010015b3157b538e31a14797d981a6ef62814cd55fbea25ea88a16a5839484c7624d7befccc82d91e2ff2b6f402daba861b77c1016bab9e3d58bab985563f32d663407f9f3582856ee0aa3a56680c221ecddc48af6de71fd34626b716d9efe530df470c0b7b1e4131861bc4f12e44de7f1d1910047465c0eb95f7232d6e71d639d75ac58e6848e560210a5dc2e6996c1d96f9f688fb86558ba96422d1a69cf795ea67e66d534bef2160f4e9d4351c9c2faaad7c2ad2476ace5556c9b3c4c2d3bdac82bfb54d2e54eb6ed398b813c5928aa560b442c585a038571c4db98a44d8c8cdb02fa731b400adb859b591c1846900791d791927363d745042a38597ef883cbda ++Ctrl.hexxcghash = hexxcghash:651bdee255eef5fb47c7733df03d4346bc335cf1de2bfbd453f4ff18c775de475719a6ec4c5c55badadda4822e3fbf5ae3c0e6e9608a893fea68bfcc0af86d73 ++Ctrl.hexsession_id = hexsession_id:ee603130d0bdec24952cd3392272dbd7a536c2e76c794cc2f678ca9dd789670453e6bcd330dbf4e93930ec0b3e506e4c629b3d156ab1171d247d0ba44217d292 ++Ctrl.type = type:C ++Output = 925f2b036ac2682e20f022377499c3e1 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010015b3157b538e31a14797d981a6ef62814cd55fbea25ea88a16a5839484c7624d7befccc82d91e2ff2b6f402daba861b77c1016bab9e3d58bab985563f32d663407f9f3582856ee0aa3a56680c221ecddc48af6de71fd34626b716d9efe530df470c0b7b1e4131861bc4f12e44de7f1d1910047465c0eb95f7232d6e71d639d75ac58e6848e560210a5dc2e6996c1d96f9f688fb86558ba96422d1a69cf795ea67e66d534bef2160f4e9d4351c9c2faaad7c2ad2476ace5556c9b3c4c2d3bdac82bfb54d2e54eb6ed398b813c5928aa560b442c585a038571c4db98a44d8c8cdb02fa731b400adb859b591c1846900791d791927363d745042a38597ef883cbda ++Ctrl.hexxcghash = hexxcghash:651bdee255eef5fb47c7733df03d4346bc335cf1de2bfbd453f4ff18c775de475719a6ec4c5c55badadda4822e3fbf5ae3c0e6e9608a893fea68bfcc0af86d73 ++Ctrl.hexsession_id = hexsession_id:ee603130d0bdec24952cd3392272dbd7a536c2e76c794cc2f678ca9dd789670453e6bcd330dbf4e93930ec0b3e506e4c629b3d156ab1171d247d0ba44217d292 ++Ctrl.type = type:D ++Output = 37ae2bbbb1603c07d5274fc8f57126dc ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010015b3157b538e31a14797d981a6ef62814cd55fbea25ea88a16a5839484c7624d7befccc82d91e2ff2b6f402daba861b77c1016bab9e3d58bab985563f32d663407f9f3582856ee0aa3a56680c221ecddc48af6de71fd34626b716d9efe530df470c0b7b1e4131861bc4f12e44de7f1d1910047465c0eb95f7232d6e71d639d75ac58e6848e560210a5dc2e6996c1d96f9f688fb86558ba96422d1a69cf795ea67e66d534bef2160f4e9d4351c9c2faaad7c2ad2476ace5556c9b3c4c2d3bdac82bfb54d2e54eb6ed398b813c5928aa560b442c585a038571c4db98a44d8c8cdb02fa731b400adb859b591c1846900791d791927363d745042a38597ef883cbda ++Ctrl.hexxcghash = hexxcghash:651bdee255eef5fb47c7733df03d4346bc335cf1de2bfbd453f4ff18c775de475719a6ec4c5c55badadda4822e3fbf5ae3c0e6e9608a893fea68bfcc0af86d73 ++Ctrl.hexsession_id = hexsession_id:ee603130d0bdec24952cd3392272dbd7a536c2e76c794cc2f678ca9dd789670453e6bcd330dbf4e93930ec0b3e506e4c629b3d156ab1171d247d0ba44217d292 ++Ctrl.type = type:E ++Output = 8b36c7e175797bf7bbb079ac5d06e6f7f62fc5a957e0fefab7df565eb72ae0586dbebad978975aaa35846de667b44b7174315b2b932f0be538fba76b92531019 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010015b3157b538e31a14797d981a6ef62814cd55fbea25ea88a16a5839484c7624d7befccc82d91e2ff2b6f402daba861b77c1016bab9e3d58bab985563f32d663407f9f3582856ee0aa3a56680c221ecddc48af6de71fd34626b716d9efe530df470c0b7b1e4131861bc4f12e44de7f1d1910047465c0eb95f7232d6e71d639d75ac58e6848e560210a5dc2e6996c1d96f9f688fb86558ba96422d1a69cf795ea67e66d534bef2160f4e9d4351c9c2faaad7c2ad2476ace5556c9b3c4c2d3bdac82bfb54d2e54eb6ed398b813c5928aa560b442c585a038571c4db98a44d8c8cdb02fa731b400adb859b591c1846900791d791927363d745042a38597ef883cbda ++Ctrl.hexxcghash = hexxcghash:651bdee255eef5fb47c7733df03d4346bc335cf1de2bfbd453f4ff18c775de475719a6ec4c5c55badadda4822e3fbf5ae3c0e6e9608a893fea68bfcc0af86d73 ++Ctrl.hexsession_id = hexsession_id:ee603130d0bdec24952cd3392272dbd7a536c2e76c794cc2f678ca9dd789670453e6bcd330dbf4e93930ec0b3e506e4c629b3d156ab1171d247d0ba44217d292 ++Ctrl.type = type:F ++Output = 388ef310bce13188df3fd6285576041754a281548fcc6a212e0de564db661640320130e4df4a6ff31162edaa7ced5b7f05f3456f674ee8be0b03424142058795 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100b41c0bdf180d02ff459079925b32e54299128298da864be28b4c02532244b057219e3fa5fea09841351604ab713021622e6a6d0748f354fc3f29a9ac8bb64fdd984b725f00f56df3cf16d3bac786524a29105096f96f387422361bcc24774fd4d5b71bd6f757a8193fd691411b8e0aa14307e6ed1e97907925d93cee9ed266f387af66cd3da3e99d543e4baaf8a7fdb36c10869267767d80509717b5666e3fcdf8cca6486a1c18e3d3c15ba0c6773dcbe374d83de1c108a400998b25afa4d3b60917594a1120e449a57db1f3b2e048c3c64a408ed41bb32145364932f105788cd0b198522f0c59b1d774b1ac80cd76d18e06b53c3d599f625c72f38b15745478 ++Ctrl.hexxcghash = hexxcghash:94ce7876dd7d98475ff8dd634b9b48e0e3416d1afd633637b49a49c525ee905ad8a17c12194746e210207c54628c453287a77515575a79ad40b270b5115030b8 ++Ctrl.hexsession_id = hexsession_id:d2e7ea215f35381164a1382533f752eb21e6fa9f25d399b7914c0317998f2b7820f893557459f0773eca3dbafd8375021b955a8dfe7ad659dfe480e3107724f8 ++Ctrl.type = type:A ++Output = efeb5305eda69b0bd6999b4a27479667 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100b41c0bdf180d02ff459079925b32e54299128298da864be28b4c02532244b057219e3fa5fea09841351604ab713021622e6a6d0748f354fc3f29a9ac8bb64fdd984b725f00f56df3cf16d3bac786524a29105096f96f387422361bcc24774fd4d5b71bd6f757a8193fd691411b8e0aa14307e6ed1e97907925d93cee9ed266f387af66cd3da3e99d543e4baaf8a7fdb36c10869267767d80509717b5666e3fcdf8cca6486a1c18e3d3c15ba0c6773dcbe374d83de1c108a400998b25afa4d3b60917594a1120e449a57db1f3b2e048c3c64a408ed41bb32145364932f105788cd0b198522f0c59b1d774b1ac80cd76d18e06b53c3d599f625c72f38b15745478 ++Ctrl.hexxcghash = hexxcghash:94ce7876dd7d98475ff8dd634b9b48e0e3416d1afd633637b49a49c525ee905ad8a17c12194746e210207c54628c453287a77515575a79ad40b270b5115030b8 ++Ctrl.hexsession_id = hexsession_id:d2e7ea215f35381164a1382533f752eb21e6fa9f25d399b7914c0317998f2b7820f893557459f0773eca3dbafd8375021b955a8dfe7ad659dfe480e3107724f8 ++Ctrl.type = type:B ++Output = 806fca9189c02e7ec2a6459387b03506 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100b41c0bdf180d02ff459079925b32e54299128298da864be28b4c02532244b057219e3fa5fea09841351604ab713021622e6a6d0748f354fc3f29a9ac8bb64fdd984b725f00f56df3cf16d3bac786524a29105096f96f387422361bcc24774fd4d5b71bd6f757a8193fd691411b8e0aa14307e6ed1e97907925d93cee9ed266f387af66cd3da3e99d543e4baaf8a7fdb36c10869267767d80509717b5666e3fcdf8cca6486a1c18e3d3c15ba0c6773dcbe374d83de1c108a400998b25afa4d3b60917594a1120e449a57db1f3b2e048c3c64a408ed41bb32145364932f105788cd0b198522f0c59b1d774b1ac80cd76d18e06b53c3d599f625c72f38b15745478 ++Ctrl.hexxcghash = hexxcghash:94ce7876dd7d98475ff8dd634b9b48e0e3416d1afd633637b49a49c525ee905ad8a17c12194746e210207c54628c453287a77515575a79ad40b270b5115030b8 ++Ctrl.hexsession_id = hexsession_id:d2e7ea215f35381164a1382533f752eb21e6fa9f25d399b7914c0317998f2b7820f893557459f0773eca3dbafd8375021b955a8dfe7ad659dfe480e3107724f8 ++Ctrl.type = type:C ++Output = 9e542282d0db345a6ba20eba7c5de531 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100b41c0bdf180d02ff459079925b32e54299128298da864be28b4c02532244b057219e3fa5fea09841351604ab713021622e6a6d0748f354fc3f29a9ac8bb64fdd984b725f00f56df3cf16d3bac786524a29105096f96f387422361bcc24774fd4d5b71bd6f757a8193fd691411b8e0aa14307e6ed1e97907925d93cee9ed266f387af66cd3da3e99d543e4baaf8a7fdb36c10869267767d80509717b5666e3fcdf8cca6486a1c18e3d3c15ba0c6773dcbe374d83de1c108a400998b25afa4d3b60917594a1120e449a57db1f3b2e048c3c64a408ed41bb32145364932f105788cd0b198522f0c59b1d774b1ac80cd76d18e06b53c3d599f625c72f38b15745478 ++Ctrl.hexxcghash = hexxcghash:94ce7876dd7d98475ff8dd634b9b48e0e3416d1afd633637b49a49c525ee905ad8a17c12194746e210207c54628c453287a77515575a79ad40b270b5115030b8 ++Ctrl.hexsession_id = hexsession_id:d2e7ea215f35381164a1382533f752eb21e6fa9f25d399b7914c0317998f2b7820f893557459f0773eca3dbafd8375021b955a8dfe7ad659dfe480e3107724f8 ++Ctrl.type = type:D ++Output = 41e7962b57a67f75072f15a5ba405d15 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100b41c0bdf180d02ff459079925b32e54299128298da864be28b4c02532244b057219e3fa5fea09841351604ab713021622e6a6d0748f354fc3f29a9ac8bb64fdd984b725f00f56df3cf16d3bac786524a29105096f96f387422361bcc24774fd4d5b71bd6f757a8193fd691411b8e0aa14307e6ed1e97907925d93cee9ed266f387af66cd3da3e99d543e4baaf8a7fdb36c10869267767d80509717b5666e3fcdf8cca6486a1c18e3d3c15ba0c6773dcbe374d83de1c108a400998b25afa4d3b60917594a1120e449a57db1f3b2e048c3c64a408ed41bb32145364932f105788cd0b198522f0c59b1d774b1ac80cd76d18e06b53c3d599f625c72f38b15745478 ++Ctrl.hexxcghash = hexxcghash:94ce7876dd7d98475ff8dd634b9b48e0e3416d1afd633637b49a49c525ee905ad8a17c12194746e210207c54628c453287a77515575a79ad40b270b5115030b8 ++Ctrl.hexsession_id = hexsession_id:d2e7ea215f35381164a1382533f752eb21e6fa9f25d399b7914c0317998f2b7820f893557459f0773eca3dbafd8375021b955a8dfe7ad659dfe480e3107724f8 ++Ctrl.type = type:E ++Output = 7bf8f25fd155e41d1dc85cc814704dd8732275b3a53dc1b8c6b330c08f307b5c0da31606cb7eaa1b37b2721f4a1bf70a6885c30d17d7acd32fcc894768fe4106 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100b41c0bdf180d02ff459079925b32e54299128298da864be28b4c02532244b057219e3fa5fea09841351604ab713021622e6a6d0748f354fc3f29a9ac8bb64fdd984b725f00f56df3cf16d3bac786524a29105096f96f387422361bcc24774fd4d5b71bd6f757a8193fd691411b8e0aa14307e6ed1e97907925d93cee9ed266f387af66cd3da3e99d543e4baaf8a7fdb36c10869267767d80509717b5666e3fcdf8cca6486a1c18e3d3c15ba0c6773dcbe374d83de1c108a400998b25afa4d3b60917594a1120e449a57db1f3b2e048c3c64a408ed41bb32145364932f105788cd0b198522f0c59b1d774b1ac80cd76d18e06b53c3d599f625c72f38b15745478 ++Ctrl.hexxcghash = hexxcghash:94ce7876dd7d98475ff8dd634b9b48e0e3416d1afd633637b49a49c525ee905ad8a17c12194746e210207c54628c453287a77515575a79ad40b270b5115030b8 ++Ctrl.hexsession_id = hexsession_id:d2e7ea215f35381164a1382533f752eb21e6fa9f25d399b7914c0317998f2b7820f893557459f0773eca3dbafd8375021b955a8dfe7ad659dfe480e3107724f8 ++Ctrl.type = type:F ++Output = 66b8f8c1a38120c73cc55950455a69c426fda44b9c66c3becaf259dd57a620e5ed3a749a486d05eab52c289f489581cb655865d4388a81e79b06bd105e3ae858 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000001003ba71746e4622911dbcd76359dbd01a3958175cac500fac87146f4a2616782ac0328ea32046762f62080df8fe76ff112acbf4e4c7a36fa648ec60c50d4a0f7b27b67cdcd725ed2d51c3b5c438c45c8f46d953845a899e89378e981aa270bd6cc190a5ab53e9516f5c194f9b61ef782573b417702337b32776765e75d6efb371a3af98c1b0eaa90ee43a99e58d803bc645a65100371cda8316d51618e4ada4d9a46cd049673cbfcf6ce3ec66c964902eb9bd28514d1fce32ebf8ee2ae3c8e46f4bf18f153a6f1031cefc7e736d82105dbeb60db422b79f4c4f3f4838fee891341cc982e79917aefb82529d134648847de15cf3ba1d7b5000e74b78198d6a3efce ++Ctrl.hexxcghash = hexxcghash:327a1cfc89837c90fb7141ad3a7df293af5c9e2fd482fb77f6769db8e91417377fe0a0a30c072f8276e824975afdc0f73e1a1cbeda86d5c70c2799912602ee78 ++Ctrl.hexsession_id = hexsession_id:46282b8a6dea1654de89199972c414ee512f33ab832e7284547cfc345af6eea9fbafb75f4646789755078a174c98c5aa1d740af1cf40844ae680cdd80466086b ++Ctrl.type = type:A ++Output = 8f6ac18ff5300849be34602630bb4102 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000001003ba71746e4622911dbcd76359dbd01a3958175cac500fac87146f4a2616782ac0328ea32046762f62080df8fe76ff112acbf4e4c7a36fa648ec60c50d4a0f7b27b67cdcd725ed2d51c3b5c438c45c8f46d953845a899e89378e981aa270bd6cc190a5ab53e9516f5c194f9b61ef782573b417702337b32776765e75d6efb371a3af98c1b0eaa90ee43a99e58d803bc645a65100371cda8316d51618e4ada4d9a46cd049673cbfcf6ce3ec66c964902eb9bd28514d1fce32ebf8ee2ae3c8e46f4bf18f153a6f1031cefc7e736d82105dbeb60db422b79f4c4f3f4838fee891341cc982e79917aefb82529d134648847de15cf3ba1d7b5000e74b78198d6a3efce ++Ctrl.hexxcghash = hexxcghash:327a1cfc89837c90fb7141ad3a7df293af5c9e2fd482fb77f6769db8e91417377fe0a0a30c072f8276e824975afdc0f73e1a1cbeda86d5c70c2799912602ee78 ++Ctrl.hexsession_id = hexsession_id:46282b8a6dea1654de89199972c414ee512f33ab832e7284547cfc345af6eea9fbafb75f4646789755078a174c98c5aa1d740af1cf40844ae680cdd80466086b ++Ctrl.type = type:B ++Output = f2b45df2508656758529a1f4679839fd ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000001003ba71746e4622911dbcd76359dbd01a3958175cac500fac87146f4a2616782ac0328ea32046762f62080df8fe76ff112acbf4e4c7a36fa648ec60c50d4a0f7b27b67cdcd725ed2d51c3b5c438c45c8f46d953845a899e89378e981aa270bd6cc190a5ab53e9516f5c194f9b61ef782573b417702337b32776765e75d6efb371a3af98c1b0eaa90ee43a99e58d803bc645a65100371cda8316d51618e4ada4d9a46cd049673cbfcf6ce3ec66c964902eb9bd28514d1fce32ebf8ee2ae3c8e46f4bf18f153a6f1031cefc7e736d82105dbeb60db422b79f4c4f3f4838fee891341cc982e79917aefb82529d134648847de15cf3ba1d7b5000e74b78198d6a3efce ++Ctrl.hexxcghash = hexxcghash:327a1cfc89837c90fb7141ad3a7df293af5c9e2fd482fb77f6769db8e91417377fe0a0a30c072f8276e824975afdc0f73e1a1cbeda86d5c70c2799912602ee78 ++Ctrl.hexsession_id = hexsession_id:46282b8a6dea1654de89199972c414ee512f33ab832e7284547cfc345af6eea9fbafb75f4646789755078a174c98c5aa1d740af1cf40844ae680cdd80466086b ++Ctrl.type = type:C ++Output = 3356d58f61bcca506058e0990c9821f5 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000001003ba71746e4622911dbcd76359dbd01a3958175cac500fac87146f4a2616782ac0328ea32046762f62080df8fe76ff112acbf4e4c7a36fa648ec60c50d4a0f7b27b67cdcd725ed2d51c3b5c438c45c8f46d953845a899e89378e981aa270bd6cc190a5ab53e9516f5c194f9b61ef782573b417702337b32776765e75d6efb371a3af98c1b0eaa90ee43a99e58d803bc645a65100371cda8316d51618e4ada4d9a46cd049673cbfcf6ce3ec66c964902eb9bd28514d1fce32ebf8ee2ae3c8e46f4bf18f153a6f1031cefc7e736d82105dbeb60db422b79f4c4f3f4838fee891341cc982e79917aefb82529d134648847de15cf3ba1d7b5000e74b78198d6a3efce ++Ctrl.hexxcghash = hexxcghash:327a1cfc89837c90fb7141ad3a7df293af5c9e2fd482fb77f6769db8e91417377fe0a0a30c072f8276e824975afdc0f73e1a1cbeda86d5c70c2799912602ee78 ++Ctrl.hexsession_id = hexsession_id:46282b8a6dea1654de89199972c414ee512f33ab832e7284547cfc345af6eea9fbafb75f4646789755078a174c98c5aa1d740af1cf40844ae680cdd80466086b ++Ctrl.type = type:D ++Output = 78495438a5326cca5351a239545941c1 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000001003ba71746e4622911dbcd76359dbd01a3958175cac500fac87146f4a2616782ac0328ea32046762f62080df8fe76ff112acbf4e4c7a36fa648ec60c50d4a0f7b27b67cdcd725ed2d51c3b5c438c45c8f46d953845a899e89378e981aa270bd6cc190a5ab53e9516f5c194f9b61ef782573b417702337b32776765e75d6efb371a3af98c1b0eaa90ee43a99e58d803bc645a65100371cda8316d51618e4ada4d9a46cd049673cbfcf6ce3ec66c964902eb9bd28514d1fce32ebf8ee2ae3c8e46f4bf18f153a6f1031cefc7e736d82105dbeb60db422b79f4c4f3f4838fee891341cc982e79917aefb82529d134648847de15cf3ba1d7b5000e74b78198d6a3efce ++Ctrl.hexxcghash = hexxcghash:327a1cfc89837c90fb7141ad3a7df293af5c9e2fd482fb77f6769db8e91417377fe0a0a30c072f8276e824975afdc0f73e1a1cbeda86d5c70c2799912602ee78 ++Ctrl.hexsession_id = hexsession_id:46282b8a6dea1654de89199972c414ee512f33ab832e7284547cfc345af6eea9fbafb75f4646789755078a174c98c5aa1d740af1cf40844ae680cdd80466086b ++Ctrl.type = type:E ++Output = dcfc5d099f5040513f76b012ab62ee45d5d8271aec9cbbdd1e1f7e0806f363d21c2eca730f9489ee70fbc7490a1901587b1d418c0e4f429c8098cd793c6d285c ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:000001003ba71746e4622911dbcd76359dbd01a3958175cac500fac87146f4a2616782ac0328ea32046762f62080df8fe76ff112acbf4e4c7a36fa648ec60c50d4a0f7b27b67cdcd725ed2d51c3b5c438c45c8f46d953845a899e89378e981aa270bd6cc190a5ab53e9516f5c194f9b61ef782573b417702337b32776765e75d6efb371a3af98c1b0eaa90ee43a99e58d803bc645a65100371cda8316d51618e4ada4d9a46cd049673cbfcf6ce3ec66c964902eb9bd28514d1fce32ebf8ee2ae3c8e46f4bf18f153a6f1031cefc7e736d82105dbeb60db422b79f4c4f3f4838fee891341cc982e79917aefb82529d134648847de15cf3ba1d7b5000e74b78198d6a3efce ++Ctrl.hexxcghash = hexxcghash:327a1cfc89837c90fb7141ad3a7df293af5c9e2fd482fb77f6769db8e91417377fe0a0a30c072f8276e824975afdc0f73e1a1cbeda86d5c70c2799912602ee78 ++Ctrl.hexsession_id = hexsession_id:46282b8a6dea1654de89199972c414ee512f33ab832e7284547cfc345af6eea9fbafb75f4646789755078a174c98c5aa1d740af1cf40844ae680cdd80466086b ++Ctrl.type = type:F ++Output = a75817465c73517bd7884dcd230464583ae491ae5e39330873cd7a967188022cad63e712c7ec261abdb34c01bddd8989dfce8f5d8a8cdbdcc305429b3fd93c76 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100f3a28f9574691777f2a9e05a882295e5ae272a6af486e53a8574e0ce7633a5c6871a39e6ba3176a41ce3fe6c80aa8469df71401583987e34374586ec56268b37d42bc047cc898750379aa7ddc5549cc069fa10d29fca303e6063a2cb800322a84a63480d91606db0244d2dd456005bb4a4b33f91ddf33335ec4d4d519e430542e087d5b1e952b183a32b3f7b118c410c46dc44b7ad669e7d98b934e48830e61ddd2e6094e0d1fa39b9041b9ca9dc768af4da702f912b2e82738cf506479c68fa9a5f2a9153189cf83bd11a05a92428d7c7124094f684f7c848114dc272d8a308d7b65e47b1d3c2c70d5a63efbc191ff5f0359356f706ac703445778b2b43a8d6 ++Ctrl.hexxcghash = hexxcghash:4f3aaea9ade34a07f46c11a4480461e2c523a740492b23b0bfa2a9e2e2c2ce542a09644154a4b3ab0e8b71ea950444a9954a156c0530a1436aa98951af7e1972 ++Ctrl.hexsession_id = hexsession_id:c778cdc03ecc941ff7d37c41fe67dc84df375117abd62d099129f38d37375f3cde4e75a0160fb05edf392d1eac509d5a6796f635623794d81df9b4cf81021738 ++Ctrl.type = type:A ++Output = 4fa1b8c53d25f7c1adb4810c46b48ae7 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100f3a28f9574691777f2a9e05a882295e5ae272a6af486e53a8574e0ce7633a5c6871a39e6ba3176a41ce3fe6c80aa8469df71401583987e34374586ec56268b37d42bc047cc898750379aa7ddc5549cc069fa10d29fca303e6063a2cb800322a84a63480d91606db0244d2dd456005bb4a4b33f91ddf33335ec4d4d519e430542e087d5b1e952b183a32b3f7b118c410c46dc44b7ad669e7d98b934e48830e61ddd2e6094e0d1fa39b9041b9ca9dc768af4da702f912b2e82738cf506479c68fa9a5f2a9153189cf83bd11a05a92428d7c7124094f684f7c848114dc272d8a308d7b65e47b1d3c2c70d5a63efbc191ff5f0359356f706ac703445778b2b43a8d6 ++Ctrl.hexxcghash = hexxcghash:4f3aaea9ade34a07f46c11a4480461e2c523a740492b23b0bfa2a9e2e2c2ce542a09644154a4b3ab0e8b71ea950444a9954a156c0530a1436aa98951af7e1972 ++Ctrl.hexsession_id = hexsession_id:c778cdc03ecc941ff7d37c41fe67dc84df375117abd62d099129f38d37375f3cde4e75a0160fb05edf392d1eac509d5a6796f635623794d81df9b4cf81021738 ++Ctrl.type = type:B ++Output = 3c453d0f50b7f41826e74e5cce5b5996 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100f3a28f9574691777f2a9e05a882295e5ae272a6af486e53a8574e0ce7633a5c6871a39e6ba3176a41ce3fe6c80aa8469df71401583987e34374586ec56268b37d42bc047cc898750379aa7ddc5549cc069fa10d29fca303e6063a2cb800322a84a63480d91606db0244d2dd456005bb4a4b33f91ddf33335ec4d4d519e430542e087d5b1e952b183a32b3f7b118c410c46dc44b7ad669e7d98b934e48830e61ddd2e6094e0d1fa39b9041b9ca9dc768af4da702f912b2e82738cf506479c68fa9a5f2a9153189cf83bd11a05a92428d7c7124094f684f7c848114dc272d8a308d7b65e47b1d3c2c70d5a63efbc191ff5f0359356f706ac703445778b2b43a8d6 ++Ctrl.hexxcghash = hexxcghash:4f3aaea9ade34a07f46c11a4480461e2c523a740492b23b0bfa2a9e2e2c2ce542a09644154a4b3ab0e8b71ea950444a9954a156c0530a1436aa98951af7e1972 ++Ctrl.hexsession_id = hexsession_id:c778cdc03ecc941ff7d37c41fe67dc84df375117abd62d099129f38d37375f3cde4e75a0160fb05edf392d1eac509d5a6796f635623794d81df9b4cf81021738 ++Ctrl.type = type:C ++Output = 22f47a00a5de0f56b3e586357eeebe57 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100f3a28f9574691777f2a9e05a882295e5ae272a6af486e53a8574e0ce7633a5c6871a39e6ba3176a41ce3fe6c80aa8469df71401583987e34374586ec56268b37d42bc047cc898750379aa7ddc5549cc069fa10d29fca303e6063a2cb800322a84a63480d91606db0244d2dd456005bb4a4b33f91ddf33335ec4d4d519e430542e087d5b1e952b183a32b3f7b118c410c46dc44b7ad669e7d98b934e48830e61ddd2e6094e0d1fa39b9041b9ca9dc768af4da702f912b2e82738cf506479c68fa9a5f2a9153189cf83bd11a05a92428d7c7124094f684f7c848114dc272d8a308d7b65e47b1d3c2c70d5a63efbc191ff5f0359356f706ac703445778b2b43a8d6 ++Ctrl.hexxcghash = hexxcghash:4f3aaea9ade34a07f46c11a4480461e2c523a740492b23b0bfa2a9e2e2c2ce542a09644154a4b3ab0e8b71ea950444a9954a156c0530a1436aa98951af7e1972 ++Ctrl.hexsession_id = hexsession_id:c778cdc03ecc941ff7d37c41fe67dc84df375117abd62d099129f38d37375f3cde4e75a0160fb05edf392d1eac509d5a6796f635623794d81df9b4cf81021738 ++Ctrl.type = type:D ++Output = 8d32d1945e93c4982bd106567f8e481f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100f3a28f9574691777f2a9e05a882295e5ae272a6af486e53a8574e0ce7633a5c6871a39e6ba3176a41ce3fe6c80aa8469df71401583987e34374586ec56268b37d42bc047cc898750379aa7ddc5549cc069fa10d29fca303e6063a2cb800322a84a63480d91606db0244d2dd456005bb4a4b33f91ddf33335ec4d4d519e430542e087d5b1e952b183a32b3f7b118c410c46dc44b7ad669e7d98b934e48830e61ddd2e6094e0d1fa39b9041b9ca9dc768af4da702f912b2e82738cf506479c68fa9a5f2a9153189cf83bd11a05a92428d7c7124094f684f7c848114dc272d8a308d7b65e47b1d3c2c70d5a63efbc191ff5f0359356f706ac703445778b2b43a8d6 ++Ctrl.hexxcghash = hexxcghash:4f3aaea9ade34a07f46c11a4480461e2c523a740492b23b0bfa2a9e2e2c2ce542a09644154a4b3ab0e8b71ea950444a9954a156c0530a1436aa98951af7e1972 ++Ctrl.hexsession_id = hexsession_id:c778cdc03ecc941ff7d37c41fe67dc84df375117abd62d099129f38d37375f3cde4e75a0160fb05edf392d1eac509d5a6796f635623794d81df9b4cf81021738 ++Ctrl.type = type:E ++Output = 9eefe581b1514160f81c94193d374d8f85879136e9ae494c487119b1974aac3e143948f656c1c1e837ff1368ef0d997cd3ca9f46c71056269eb8a1da8daf5678 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100f3a28f9574691777f2a9e05a882295e5ae272a6af486e53a8574e0ce7633a5c6871a39e6ba3176a41ce3fe6c80aa8469df71401583987e34374586ec56268b37d42bc047cc898750379aa7ddc5549cc069fa10d29fca303e6063a2cb800322a84a63480d91606db0244d2dd456005bb4a4b33f91ddf33335ec4d4d519e430542e087d5b1e952b183a32b3f7b118c410c46dc44b7ad669e7d98b934e48830e61ddd2e6094e0d1fa39b9041b9ca9dc768af4da702f912b2e82738cf506479c68fa9a5f2a9153189cf83bd11a05a92428d7c7124094f684f7c848114dc272d8a308d7b65e47b1d3c2c70d5a63efbc191ff5f0359356f706ac703445778b2b43a8d6 ++Ctrl.hexxcghash = hexxcghash:4f3aaea9ade34a07f46c11a4480461e2c523a740492b23b0bfa2a9e2e2c2ce542a09644154a4b3ab0e8b71ea950444a9954a156c0530a1436aa98951af7e1972 ++Ctrl.hexsession_id = hexsession_id:c778cdc03ecc941ff7d37c41fe67dc84df375117abd62d099129f38d37375f3cde4e75a0160fb05edf392d1eac509d5a6796f635623794d81df9b4cf81021738 ++Ctrl.type = type:F ++Output = 8dd76f59e6692ff642894ee1bb147f3e1490cac944af29de6b2b5abcc4ab9eb41d236e9cd2f40cf83935097f307a246d7b35005dd302bacfe7e4fed37d2f46e9 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010012c99d1e0542b3b71e287b1ea15e54a3197f95cfbf7f6a209ada41fce3a6faad9bc4d569b690223e5d668019c11204716bb96a858c36c853bd41b28c1505ddce9df22b31dbdaa014b07ec53a79cfeb5b540902669c7a283f3647c1a9f685b5027bfb18e827818a76c23fa6ad20760f228a4239a4d558240130b5cc389d2be41b806cafd24d1d425c26a61508c974d62aae6f6830459c79e7a9ff5610291661bf03528fbafe47cf4c2e51f4856749ef543eb7cd8f72e84a4075fa7df9ad12565e5b3810c6d6292ff878ee8499611688989f0a04f4dc7275e01c0444a0321f0a0327fbe8a55689307b1bfd66d5d27ade78df5c1dfcef8868ebbe339d7efdae1973 ++Ctrl.hexxcghash = hexxcghash:7317f576ce95d5bed93d08c65eb814d037ecd42f09b2d514fad58335e8e8bec807b9cf74b9044f449581c792ebb08843f2b80da87d91625e20f25de91b4d5d23 ++Ctrl.hexsession_id = hexsession_id:7d153fda85bd3488962bdf03b8d0f26cf61f737173587ac6ee3d6f601a00f6474f5401370ef04720c620ea2b9668ab72cb6c40dc96057fc4537e7a6b0e79e9c5 ++Ctrl.type = type:A ++Output = f335b3ab270d7e686c5e023b3a2da75b ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010012c99d1e0542b3b71e287b1ea15e54a3197f95cfbf7f6a209ada41fce3a6faad9bc4d569b690223e5d668019c11204716bb96a858c36c853bd41b28c1505ddce9df22b31dbdaa014b07ec53a79cfeb5b540902669c7a283f3647c1a9f685b5027bfb18e827818a76c23fa6ad20760f228a4239a4d558240130b5cc389d2be41b806cafd24d1d425c26a61508c974d62aae6f6830459c79e7a9ff5610291661bf03528fbafe47cf4c2e51f4856749ef543eb7cd8f72e84a4075fa7df9ad12565e5b3810c6d6292ff878ee8499611688989f0a04f4dc7275e01c0444a0321f0a0327fbe8a55689307b1bfd66d5d27ade78df5c1dfcef8868ebbe339d7efdae1973 ++Ctrl.hexxcghash = hexxcghash:7317f576ce95d5bed93d08c65eb814d037ecd42f09b2d514fad58335e8e8bec807b9cf74b9044f449581c792ebb08843f2b80da87d91625e20f25de91b4d5d23 ++Ctrl.hexsession_id = hexsession_id:7d153fda85bd3488962bdf03b8d0f26cf61f737173587ac6ee3d6f601a00f6474f5401370ef04720c620ea2b9668ab72cb6c40dc96057fc4537e7a6b0e79e9c5 ++Ctrl.type = type:B ++Output = 857c9245c67bad84b7377c424c5e7e7a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010012c99d1e0542b3b71e287b1ea15e54a3197f95cfbf7f6a209ada41fce3a6faad9bc4d569b690223e5d668019c11204716bb96a858c36c853bd41b28c1505ddce9df22b31dbdaa014b07ec53a79cfeb5b540902669c7a283f3647c1a9f685b5027bfb18e827818a76c23fa6ad20760f228a4239a4d558240130b5cc389d2be41b806cafd24d1d425c26a61508c974d62aae6f6830459c79e7a9ff5610291661bf03528fbafe47cf4c2e51f4856749ef543eb7cd8f72e84a4075fa7df9ad12565e5b3810c6d6292ff878ee8499611688989f0a04f4dc7275e01c0444a0321f0a0327fbe8a55689307b1bfd66d5d27ade78df5c1dfcef8868ebbe339d7efdae1973 ++Ctrl.hexxcghash = hexxcghash:7317f576ce95d5bed93d08c65eb814d037ecd42f09b2d514fad58335e8e8bec807b9cf74b9044f449581c792ebb08843f2b80da87d91625e20f25de91b4d5d23 ++Ctrl.hexsession_id = hexsession_id:7d153fda85bd3488962bdf03b8d0f26cf61f737173587ac6ee3d6f601a00f6474f5401370ef04720c620ea2b9668ab72cb6c40dc96057fc4537e7a6b0e79e9c5 ++Ctrl.type = type:C ++Output = 1c44ef56440f5856bdfd951305fd81e4 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010012c99d1e0542b3b71e287b1ea15e54a3197f95cfbf7f6a209ada41fce3a6faad9bc4d569b690223e5d668019c11204716bb96a858c36c853bd41b28c1505ddce9df22b31dbdaa014b07ec53a79cfeb5b540902669c7a283f3647c1a9f685b5027bfb18e827818a76c23fa6ad20760f228a4239a4d558240130b5cc389d2be41b806cafd24d1d425c26a61508c974d62aae6f6830459c79e7a9ff5610291661bf03528fbafe47cf4c2e51f4856749ef543eb7cd8f72e84a4075fa7df9ad12565e5b3810c6d6292ff878ee8499611688989f0a04f4dc7275e01c0444a0321f0a0327fbe8a55689307b1bfd66d5d27ade78df5c1dfcef8868ebbe339d7efdae1973 ++Ctrl.hexxcghash = hexxcghash:7317f576ce95d5bed93d08c65eb814d037ecd42f09b2d514fad58335e8e8bec807b9cf74b9044f449581c792ebb08843f2b80da87d91625e20f25de91b4d5d23 ++Ctrl.hexsession_id = hexsession_id:7d153fda85bd3488962bdf03b8d0f26cf61f737173587ac6ee3d6f601a00f6474f5401370ef04720c620ea2b9668ab72cb6c40dc96057fc4537e7a6b0e79e9c5 ++Ctrl.type = type:D ++Output = 8d3496ac631bb3588abbb13d4ae2dc2d ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010012c99d1e0542b3b71e287b1ea15e54a3197f95cfbf7f6a209ada41fce3a6faad9bc4d569b690223e5d668019c11204716bb96a858c36c853bd41b28c1505ddce9df22b31dbdaa014b07ec53a79cfeb5b540902669c7a283f3647c1a9f685b5027bfb18e827818a76c23fa6ad20760f228a4239a4d558240130b5cc389d2be41b806cafd24d1d425c26a61508c974d62aae6f6830459c79e7a9ff5610291661bf03528fbafe47cf4c2e51f4856749ef543eb7cd8f72e84a4075fa7df9ad12565e5b3810c6d6292ff878ee8499611688989f0a04f4dc7275e01c0444a0321f0a0327fbe8a55689307b1bfd66d5d27ade78df5c1dfcef8868ebbe339d7efdae1973 ++Ctrl.hexxcghash = hexxcghash:7317f576ce95d5bed93d08c65eb814d037ecd42f09b2d514fad58335e8e8bec807b9cf74b9044f449581c792ebb08843f2b80da87d91625e20f25de91b4d5d23 ++Ctrl.hexsession_id = hexsession_id:7d153fda85bd3488962bdf03b8d0f26cf61f737173587ac6ee3d6f601a00f6474f5401370ef04720c620ea2b9668ab72cb6c40dc96057fc4537e7a6b0e79e9c5 ++Ctrl.type = type:E ++Output = ac7899494cfcebbdaa8ee7c343a0a458228a0a5e59730c928e9c8775487e57c3a5f34fdb72c1b3b57cc35e0356e4b7c6a56368e74c68a017538a5b484886ec81 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010012c99d1e0542b3b71e287b1ea15e54a3197f95cfbf7f6a209ada41fce3a6faad9bc4d569b690223e5d668019c11204716bb96a858c36c853bd41b28c1505ddce9df22b31dbdaa014b07ec53a79cfeb5b540902669c7a283f3647c1a9f685b5027bfb18e827818a76c23fa6ad20760f228a4239a4d558240130b5cc389d2be41b806cafd24d1d425c26a61508c974d62aae6f6830459c79e7a9ff5610291661bf03528fbafe47cf4c2e51f4856749ef543eb7cd8f72e84a4075fa7df9ad12565e5b3810c6d6292ff878ee8499611688989f0a04f4dc7275e01c0444a0321f0a0327fbe8a55689307b1bfd66d5d27ade78df5c1dfcef8868ebbe339d7efdae1973 ++Ctrl.hexxcghash = hexxcghash:7317f576ce95d5bed93d08c65eb814d037ecd42f09b2d514fad58335e8e8bec807b9cf74b9044f449581c792ebb08843f2b80da87d91625e20f25de91b4d5d23 ++Ctrl.hexsession_id = hexsession_id:7d153fda85bd3488962bdf03b8d0f26cf61f737173587ac6ee3d6f601a00f6474f5401370ef04720c620ea2b9668ab72cb6c40dc96057fc4537e7a6b0e79e9c5 ++Ctrl.type = type:F ++Output = d32d849b488594d0b8efce91604296393b2240121f2ed51fb7c0bb5b371c33775d184ffaf3028306bc8040b21887f6885e5916ae158ef74a3ba09a1f30654f1a ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100c6c401e7a417025fce8ca5d5e654de6cac8eb1bf24fffa1eefaba828f425b5df93323ad62565d9e74c0b45619c3e97a8e006a9b28a42e96e13ea2f3807319ac587850731f64c86a3a9acd4aaa04e8a586833faeb902f95177d27e89ce25307365b22b7bf444c8e72ef2bb0fce86fe326a90b787948085fd101f04a7311ed6cf65d5073a6a29c7d99fe9fa0b915fac1d9bb6b95143ca8936e10e6e319201112ba52823dbaad935972842361394999e5a67356076e9f0b528d62325181f80d66e9b3288ba7482458c737806f474867036a234201253a91a6246c8c2876d210d2579951dd12cbc153dcec403156739be9c7d291e4904f079a5a71c01b9a84481800 ++Ctrl.hexxcghash = hexxcghash:b060195095692352bde81e90c1b648ec46d57476892e79489d42cb8e0da2027ec41fd2e62da8e8e2a9e1ebcb8eecfaadef75e6714008ed6a2cbdef6c321bbaaa ++Ctrl.hexsession_id = hexsession_id:5c910a53cafca6f8c0d97c4748f67aecd9a54c8ba96bf33327565f6f68ae0a2e7a62733a9051364ff9f68bdb416176522a0e5a2f28fe27a3f5ec402b3d99da13 ++Ctrl.type = type:A ++Output = 5aa8ed531557a1dc934ed667029e062f ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100c6c401e7a417025fce8ca5d5e654de6cac8eb1bf24fffa1eefaba828f425b5df93323ad62565d9e74c0b45619c3e97a8e006a9b28a42e96e13ea2f3807319ac587850731f64c86a3a9acd4aaa04e8a586833faeb902f95177d27e89ce25307365b22b7bf444c8e72ef2bb0fce86fe326a90b787948085fd101f04a7311ed6cf65d5073a6a29c7d99fe9fa0b915fac1d9bb6b95143ca8936e10e6e319201112ba52823dbaad935972842361394999e5a67356076e9f0b528d62325181f80d66e9b3288ba7482458c737806f474867036a234201253a91a6246c8c2876d210d2579951dd12cbc153dcec403156739be9c7d291e4904f079a5a71c01b9a84481800 ++Ctrl.hexxcghash = hexxcghash:b060195095692352bde81e90c1b648ec46d57476892e79489d42cb8e0da2027ec41fd2e62da8e8e2a9e1ebcb8eecfaadef75e6714008ed6a2cbdef6c321bbaaa ++Ctrl.hexsession_id = hexsession_id:5c910a53cafca6f8c0d97c4748f67aecd9a54c8ba96bf33327565f6f68ae0a2e7a62733a9051364ff9f68bdb416176522a0e5a2f28fe27a3f5ec402b3d99da13 ++Ctrl.type = type:B ++Output = 11a810c69785949d5a0ef6eeff960fb4 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100c6c401e7a417025fce8ca5d5e654de6cac8eb1bf24fffa1eefaba828f425b5df93323ad62565d9e74c0b45619c3e97a8e006a9b28a42e96e13ea2f3807319ac587850731f64c86a3a9acd4aaa04e8a586833faeb902f95177d27e89ce25307365b22b7bf444c8e72ef2bb0fce86fe326a90b787948085fd101f04a7311ed6cf65d5073a6a29c7d99fe9fa0b915fac1d9bb6b95143ca8936e10e6e319201112ba52823dbaad935972842361394999e5a67356076e9f0b528d62325181f80d66e9b3288ba7482458c737806f474867036a234201253a91a6246c8c2876d210d2579951dd12cbc153dcec403156739be9c7d291e4904f079a5a71c01b9a84481800 ++Ctrl.hexxcghash = hexxcghash:b060195095692352bde81e90c1b648ec46d57476892e79489d42cb8e0da2027ec41fd2e62da8e8e2a9e1ebcb8eecfaadef75e6714008ed6a2cbdef6c321bbaaa ++Ctrl.hexsession_id = hexsession_id:5c910a53cafca6f8c0d97c4748f67aecd9a54c8ba96bf33327565f6f68ae0a2e7a62733a9051364ff9f68bdb416176522a0e5a2f28fe27a3f5ec402b3d99da13 ++Ctrl.type = type:C ++Output = 54e9402e4f85b08c271b2a9f15d56c75 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100c6c401e7a417025fce8ca5d5e654de6cac8eb1bf24fffa1eefaba828f425b5df93323ad62565d9e74c0b45619c3e97a8e006a9b28a42e96e13ea2f3807319ac587850731f64c86a3a9acd4aaa04e8a586833faeb902f95177d27e89ce25307365b22b7bf444c8e72ef2bb0fce86fe326a90b787948085fd101f04a7311ed6cf65d5073a6a29c7d99fe9fa0b915fac1d9bb6b95143ca8936e10e6e319201112ba52823dbaad935972842361394999e5a67356076e9f0b528d62325181f80d66e9b3288ba7482458c737806f474867036a234201253a91a6246c8c2876d210d2579951dd12cbc153dcec403156739be9c7d291e4904f079a5a71c01b9a84481800 ++Ctrl.hexxcghash = hexxcghash:b060195095692352bde81e90c1b648ec46d57476892e79489d42cb8e0da2027ec41fd2e62da8e8e2a9e1ebcb8eecfaadef75e6714008ed6a2cbdef6c321bbaaa ++Ctrl.hexsession_id = hexsession_id:5c910a53cafca6f8c0d97c4748f67aecd9a54c8ba96bf33327565f6f68ae0a2e7a62733a9051364ff9f68bdb416176522a0e5a2f28fe27a3f5ec402b3d99da13 ++Ctrl.type = type:D ++Output = 838209e0ebe7626cf6482f25c7774bfd ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100c6c401e7a417025fce8ca5d5e654de6cac8eb1bf24fffa1eefaba828f425b5df93323ad62565d9e74c0b45619c3e97a8e006a9b28a42e96e13ea2f3807319ac587850731f64c86a3a9acd4aaa04e8a586833faeb902f95177d27e89ce25307365b22b7bf444c8e72ef2bb0fce86fe326a90b787948085fd101f04a7311ed6cf65d5073a6a29c7d99fe9fa0b915fac1d9bb6b95143ca8936e10e6e319201112ba52823dbaad935972842361394999e5a67356076e9f0b528d62325181f80d66e9b3288ba7482458c737806f474867036a234201253a91a6246c8c2876d210d2579951dd12cbc153dcec403156739be9c7d291e4904f079a5a71c01b9a84481800 ++Ctrl.hexxcghash = hexxcghash:b060195095692352bde81e90c1b648ec46d57476892e79489d42cb8e0da2027ec41fd2e62da8e8e2a9e1ebcb8eecfaadef75e6714008ed6a2cbdef6c321bbaaa ++Ctrl.hexsession_id = hexsession_id:5c910a53cafca6f8c0d97c4748f67aecd9a54c8ba96bf33327565f6f68ae0a2e7a62733a9051364ff9f68bdb416176522a0e5a2f28fe27a3f5ec402b3d99da13 ++Ctrl.type = type:E ++Output = bc62048ddb762ac50336ae0e91a402cc78e73472fe180756a4686299967d2904318b8ad1b8dc622edd75e9ff0e74f7fcb8a1f8acb86e2567a5167084c648c7ef ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100c6c401e7a417025fce8ca5d5e654de6cac8eb1bf24fffa1eefaba828f425b5df93323ad62565d9e74c0b45619c3e97a8e006a9b28a42e96e13ea2f3807319ac587850731f64c86a3a9acd4aaa04e8a586833faeb902f95177d27e89ce25307365b22b7bf444c8e72ef2bb0fce86fe326a90b787948085fd101f04a7311ed6cf65d5073a6a29c7d99fe9fa0b915fac1d9bb6b95143ca8936e10e6e319201112ba52823dbaad935972842361394999e5a67356076e9f0b528d62325181f80d66e9b3288ba7482458c737806f474867036a234201253a91a6246c8c2876d210d2579951dd12cbc153dcec403156739be9c7d291e4904f079a5a71c01b9a84481800 ++Ctrl.hexxcghash = hexxcghash:b060195095692352bde81e90c1b648ec46d57476892e79489d42cb8e0da2027ec41fd2e62da8e8e2a9e1ebcb8eecfaadef75e6714008ed6a2cbdef6c321bbaaa ++Ctrl.hexsession_id = hexsession_id:5c910a53cafca6f8c0d97c4748f67aecd9a54c8ba96bf33327565f6f68ae0a2e7a62733a9051364ff9f68bdb416176522a0e5a2f28fe27a3f5ec402b3d99da13 ++Ctrl.type = type:F ++Output = 4e9644a01a3fe6c3f4f5aceddb00e2584e277354aee6392a1a5aef05024d37fcf25ff46fdd8fe52e7d1dd9a96e77328aadf44b8fc92ac22a14f63d64ad0db621 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100a82ae4062baef678d20dd9cf1704cdc69e9e78eea5faa435e4dffec06976ff73bd1e2ebd206658a26fb85a0911e2034eede31e7df2d7b87aa9700cf301b6b38502ba4db2b9723505455a7da0c6e0cf374b063921179d1bc69508f660bbb26d05ab16a2325716dbd0a733809cac36660d9a73ff0f61e09f55d1ff0652474130be7fcd2d37ebd1203960d788a1307fae48ec4e1042ab85f037a01bfd17f15725ee929d6e6246bbda00fe7105461ee873b0190c2f44692845e464949f909df46309a8eb72037278f792c87249897a0564d290bec1e09b2c9d3ad3011710fc4dcfabfa435611794dc7d1507b657229a2aab65ce2e789305d5d24ed955e89d8eb4f7e ++Ctrl.hexxcghash = hexxcghash:a6ef8e3102b16ce51b2a2fe17e8dc711a964c195ca4d597aabecce595187344ccb2ea37dc4cac0a77a47e7ea1b9055b1c9948e6e09793a9121f120b3bd07c5f2 ++Ctrl.hexsession_id = hexsession_id:cc85cf95e29a5991306b21c1738de9a6612b8cb09f12b1738a4873c29f971e8d204aeb98bb7a7502cdab952eaaa6ec1e3a9655db3e5217afbff63ad588fbbf85 ++Ctrl.type = type:A ++Output = 77cb432c67bf0ae658aa4e34376d01b5 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100a82ae4062baef678d20dd9cf1704cdc69e9e78eea5faa435e4dffec06976ff73bd1e2ebd206658a26fb85a0911e2034eede31e7df2d7b87aa9700cf301b6b38502ba4db2b9723505455a7da0c6e0cf374b063921179d1bc69508f660bbb26d05ab16a2325716dbd0a733809cac36660d9a73ff0f61e09f55d1ff0652474130be7fcd2d37ebd1203960d788a1307fae48ec4e1042ab85f037a01bfd17f15725ee929d6e6246bbda00fe7105461ee873b0190c2f44692845e464949f909df46309a8eb72037278f792c87249897a0564d290bec1e09b2c9d3ad3011710fc4dcfabfa435611794dc7d1507b657229a2aab65ce2e789305d5d24ed955e89d8eb4f7e ++Ctrl.hexxcghash = hexxcghash:a6ef8e3102b16ce51b2a2fe17e8dc711a964c195ca4d597aabecce595187344ccb2ea37dc4cac0a77a47e7ea1b9055b1c9948e6e09793a9121f120b3bd07c5f2 ++Ctrl.hexsession_id = hexsession_id:cc85cf95e29a5991306b21c1738de9a6612b8cb09f12b1738a4873c29f971e8d204aeb98bb7a7502cdab952eaaa6ec1e3a9655db3e5217afbff63ad588fbbf85 ++Ctrl.type = type:B ++Output = f55c74d112746001d8908edd347d7e69 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100a82ae4062baef678d20dd9cf1704cdc69e9e78eea5faa435e4dffec06976ff73bd1e2ebd206658a26fb85a0911e2034eede31e7df2d7b87aa9700cf301b6b38502ba4db2b9723505455a7da0c6e0cf374b063921179d1bc69508f660bbb26d05ab16a2325716dbd0a733809cac36660d9a73ff0f61e09f55d1ff0652474130be7fcd2d37ebd1203960d788a1307fae48ec4e1042ab85f037a01bfd17f15725ee929d6e6246bbda00fe7105461ee873b0190c2f44692845e464949f909df46309a8eb72037278f792c87249897a0564d290bec1e09b2c9d3ad3011710fc4dcfabfa435611794dc7d1507b657229a2aab65ce2e789305d5d24ed955e89d8eb4f7e ++Ctrl.hexxcghash = hexxcghash:a6ef8e3102b16ce51b2a2fe17e8dc711a964c195ca4d597aabecce595187344ccb2ea37dc4cac0a77a47e7ea1b9055b1c9948e6e09793a9121f120b3bd07c5f2 ++Ctrl.hexsession_id = hexsession_id:cc85cf95e29a5991306b21c1738de9a6612b8cb09f12b1738a4873c29f971e8d204aeb98bb7a7502cdab952eaaa6ec1e3a9655db3e5217afbff63ad588fbbf85 ++Ctrl.type = type:C ++Output = 34a48ab90890b385198ea6bf8c50c3f6 ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100a82ae4062baef678d20dd9cf1704cdc69e9e78eea5faa435e4dffec06976ff73bd1e2ebd206658a26fb85a0911e2034eede31e7df2d7b87aa9700cf301b6b38502ba4db2b9723505455a7da0c6e0cf374b063921179d1bc69508f660bbb26d05ab16a2325716dbd0a733809cac36660d9a73ff0f61e09f55d1ff0652474130be7fcd2d37ebd1203960d788a1307fae48ec4e1042ab85f037a01bfd17f15725ee929d6e6246bbda00fe7105461ee873b0190c2f44692845e464949f909df46309a8eb72037278f792c87249897a0564d290bec1e09b2c9d3ad3011710fc4dcfabfa435611794dc7d1507b657229a2aab65ce2e789305d5d24ed955e89d8eb4f7e ++Ctrl.hexxcghash = hexxcghash:a6ef8e3102b16ce51b2a2fe17e8dc711a964c195ca4d597aabecce595187344ccb2ea37dc4cac0a77a47e7ea1b9055b1c9948e6e09793a9121f120b3bd07c5f2 ++Ctrl.hexsession_id = hexsession_id:cc85cf95e29a5991306b21c1738de9a6612b8cb09f12b1738a4873c29f971e8d204aeb98bb7a7502cdab952eaaa6ec1e3a9655db3e5217afbff63ad588fbbf85 ++Ctrl.type = type:D ++Output = f2b6046d3439c50a9000a63909146abc ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100a82ae4062baef678d20dd9cf1704cdc69e9e78eea5faa435e4dffec06976ff73bd1e2ebd206658a26fb85a0911e2034eede31e7df2d7b87aa9700cf301b6b38502ba4db2b9723505455a7da0c6e0cf374b063921179d1bc69508f660bbb26d05ab16a2325716dbd0a733809cac36660d9a73ff0f61e09f55d1ff0652474130be7fcd2d37ebd1203960d788a1307fae48ec4e1042ab85f037a01bfd17f15725ee929d6e6246bbda00fe7105461ee873b0190c2f44692845e464949f909df46309a8eb72037278f792c87249897a0564d290bec1e09b2c9d3ad3011710fc4dcfabfa435611794dc7d1507b657229a2aab65ce2e789305d5d24ed955e89d8eb4f7e ++Ctrl.hexxcghash = hexxcghash:a6ef8e3102b16ce51b2a2fe17e8dc711a964c195ca4d597aabecce595187344ccb2ea37dc4cac0a77a47e7ea1b9055b1c9948e6e09793a9121f120b3bd07c5f2 ++Ctrl.hexsession_id = hexsession_id:cc85cf95e29a5991306b21c1738de9a6612b8cb09f12b1738a4873c29f971e8d204aeb98bb7a7502cdab952eaaa6ec1e3a9655db3e5217afbff63ad588fbbf85 ++Ctrl.type = type:E ++Output = 70357486ca57c93418c6705b731b054bc41be03289c25a5ed29a937732807ae10a3604486c53d1f2431411808d87bfbaa6b25971fa2e4ec3719b5d2622aed2ff ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA512 ++Ctrl.hexkey = hexkey:0000010100a82ae4062baef678d20dd9cf1704cdc69e9e78eea5faa435e4dffec06976ff73bd1e2ebd206658a26fb85a0911e2034eede31e7df2d7b87aa9700cf301b6b38502ba4db2b9723505455a7da0c6e0cf374b063921179d1bc69508f660bbb26d05ab16a2325716dbd0a733809cac36660d9a73ff0f61e09f55d1ff0652474130be7fcd2d37ebd1203960d788a1307fae48ec4e1042ab85f037a01bfd17f15725ee929d6e6246bbda00fe7105461ee873b0190c2f44692845e464949f909df46309a8eb72037278f792c87249897a0564d290bec1e09b2c9d3ad3011710fc4dcfabfa435611794dc7d1507b657229a2aab65ce2e789305d5d24ed955e89d8eb4f7e ++Ctrl.hexxcghash = hexxcghash:a6ef8e3102b16ce51b2a2fe17e8dc711a964c195ca4d597aabecce595187344ccb2ea37dc4cac0a77a47e7ea1b9055b1c9948e6e09793a9121f120b3bd07c5f2 ++Ctrl.hexsession_id = hexsession_id:cc85cf95e29a5991306b21c1738de9a6612b8cb09f12b1738a4873c29f971e8d204aeb98bb7a7502cdab952eaaa6ec1e3a9655db3e5217afbff63ad588fbbf85 ++Ctrl.type = type:F ++Output = 4e6428f7a87455bdef6026cdf68a2f6d93d6cda5145d6bca60ee4eb2d6248b399f6568c65ec92cee8d9b0c7fd83053c91c5be72bf96b5904080624a348243899 ++ ++Title = SSHKDF test error conditions ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.type = type:A ++Output = FF ++Result = KDF_DERIVE_ERROR ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59 ++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.type = type:A ++Output = FF ++Result = KDF_DERIVE_ERROR ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59 ++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.type = type:A ++Output = FF ++Result = KDF_DERIVE_ERROR ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59 ++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Output = FF ++Result = KDF_DERIVE_ERROR ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59 ++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.type = type:X ++Output = FF ++Result = KDF_CTRL_ERROR ++ ++KDF = SSHKDF ++Ctrl.md = md:SHA1 ++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59 ++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245 ++Ctrl.type = type:A ++Output = FF ++Result = KDF_MISMATCH diff --git a/openssl-1.1.1-system-cipherlist.patch b/openssl-1.1.1-system-cipherlist.patch new file mode 100644 index 0000000..400fdaf --- /dev/null +++ b/openssl-1.1.1-system-cipherlist.patch @@ -0,0 +1,312 @@ +Index: openssl-1.1.1m/Configurations/unix-Makefile.tmpl +=================================================================== +--- openssl-1.1.1m.orig/Configurations/unix-Makefile.tmpl ++++ openssl-1.1.1m/Configurations/unix-Makefile.tmpl +@@ -278,6 +278,10 @@ MANDIR=$(INSTALLTOP)/share/man + DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME) + HTMLDIR=$(DOCDIR)/html + ++{- output_off() if $config{system_ciphers_file} eq ""; "" -} ++SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\"" ++{- output_on() if $config{system_ciphers_file} eq ""; "" -} ++ + # MANSUFFIX is for the benefit of anyone who may want to have a suffix + # appended after the manpage file section number. "ssl" is popular, + # resulting in files such as config.5ssl rather than config.5. +@@ -301,6 +305,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} + CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -} + CPPFLAGS={- our $cppflags1 = join(" ", + (map { "-D".$_} @{$config{CPPDEFINES}}), ++ "\$(SYSTEM_CIPHERS_FILE_DEFINE)", + (map { "-I".$_} @{$config{CPPINCLUDES}}), + @{$config{CPPFLAGS}}) -} + CFLAGS={- join(' ', @{$config{CFLAGS}}) -} +Index: openssl-1.1.1m/Configure +=================================================================== +--- openssl-1.1.1m.orig/Configure ++++ openssl-1.1.1m/Configure +@@ -24,7 +24,7 @@ use OpenSSL::Glob; + my $orig_death_handler = $SIG{__DIE__}; + $SIG{__DIE__} = \&death_handler; + +-my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; ++my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; + + # Options: + # +@@ -41,6 +41,9 @@ my $usage="Usage: Configure [no- + # This becomes the value of OPENSSLDIR in Makefile and in C. + # (Default: PREFIX/ssl) + # ++# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM ++# cipher is specified (default). ++# + # --cross-compile-prefix Add specified prefix to binutils components. + # + # --api One of 0.9.8, 1.0.0 or 1.1.0. Do not compile support for +@@ -314,6 +317,7 @@ $config{prefix}=""; + $config{openssldir}=""; + $config{processor}=""; + $config{libdir}=""; ++$config{system_ciphers_file}=""; + my $auto_threads=1; # enable threads automatically? true by default + my $default_ranlib; + +@@ -844,6 +848,10 @@ while (@argvcopy) + push @seed_sources, $x; + } + } ++ elsif (/^--system-ciphers-file=(.*)$/) ++ { ++ $config{system_ciphers_file}=$1; ++ } + elsif (/^--cross-compile-prefix=(.*)$/) + { + $user{CROSS_COMPILE}=$1; +@@ -1052,6 +1060,8 @@ if ($target eq "HASH") { + exit 0; + } + ++chop $config{system_ciphers_file} if $config{system_ciphers_file} =~ /\/$/; ++ + print "Configuring OpenSSL version $config{version} ($config{version_num}) "; + print "for $target\n"; + +Index: openssl-1.1.1m/doc/man1/ciphers.pod +=================================================================== +--- openssl-1.1.1m.orig/doc/man1/ciphers.pod ++++ openssl-1.1.1m/doc/man1/ciphers.pod +@@ -182,6 +182,15 @@ As of OpenSSL 1.0.0, the B cipher s + + The cipher suites not enabled by B, currently B. + ++=item B ++ ++The list of enabled cipher suites will be loaded from the system crypto policy ++configuration file B. ++See also L. ++This is the default behavior unless an application explicitly sets a cipher ++list. If used in a cipher list configuration value this string must be at the ++beginning of the cipher list, otherwise it will not be recognized. ++ + =item B + + "High" encryption cipher suites. This currently means those with key lengths +Index: openssl-1.1.1m/include/openssl/ssl.h +=================================================================== +--- openssl-1.1.1m.orig/include/openssl/ssl.h ++++ openssl-1.1.1m/include/openssl/ssl.h +@@ -191,6 +191,11 @@ extern "C" { + * throwing out anonymous and unencrypted ciphersuites! (The latter are not + * actually enabled by ALL, but "ALL:RSA" would enable some of them.) + */ ++# ifdef SYSTEM_CIPHERS_FILE ++# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM" ++# else ++# define SSL_SYSTEM_DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST ++# endif + + /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ + # define SSL_SENT_SHUTDOWN 1 +Index: openssl-1.1.1m/ssl/ssl_ciph.c +=================================================================== +--- openssl-1.1.1m.orig/ssl/ssl_ciph.c ++++ openssl-1.1.1m/ssl/ssl_ciph.c +@@ -9,6 +9,8 @@ + * https://www.openssl.org/source/license.html + */ + ++/* for secure_getenv */ ++#define _GNU_SOURCE + #include + #include + #include +@@ -1405,6 +1407,53 @@ int SSL_set_ciphersuites(SSL *s, const c + return ret; + } + ++#ifdef SYSTEM_CIPHERS_FILE ++static char *load_system_str(const char *suffix) ++{ ++ FILE *fp; ++ char buf[1024]; ++ char *new_rules; ++ const char *ciphers_path; ++ unsigned len, slen; ++ ++ if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL) ++ ciphers_path = SYSTEM_CIPHERS_FILE; ++ fp = fopen(ciphers_path, "r"); ++ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) { ++ /* cannot open or file is empty */ ++ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST); ++ } ++ ++ if (fp) ++ fclose(fp); ++ ++ slen = strlen(suffix); ++ len = strlen(buf); ++ ++ if (buf[len - 1] == '\n') { ++ len--; ++ buf[len] = 0; ++ } ++ if (buf[len - 1] == '\r') { ++ len--; ++ buf[len] = 0; ++ } ++ ++ new_rules = OPENSSL_malloc(len + slen + 1); ++ if (new_rules == 0) ++ return NULL; ++ ++ memcpy(new_rules, buf, len); ++ if (slen > 0) { ++ memcpy(&new_rules[len], suffix, slen); ++ len += slen; ++ } ++ new_rules[len] = 0; ++ ++ return new_rules; ++} ++#endif ++ + STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, + STACK_OF(SSL_CIPHER) *tls13_ciphersuites, + STACK_OF(SSL_CIPHER) **cipher_list, +@@ -1418,15 +1467,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + const char *rule_p; + CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; + const SSL_CIPHER **ca_list = NULL; ++#ifdef SYSTEM_CIPHERS_FILE ++ char *new_rules = NULL; ++ ++ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) { ++ char *p = rule_str + 14; ++ ++ new_rules = load_system_str(p); ++ rule_str = new_rules; ++ } ++#endif + + /* + * Return with error if nothing to do. + */ + if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) +- return NULL; ++ goto err; + #ifndef OPENSSL_NO_EC + if (!check_suiteb_cipher_list(ssl_method, c, &rule_str)) +- return NULL; ++ goto err; + #endif + + /* +@@ -1449,7 +1508,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); + if (co_list == NULL) { + SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE); +- return NULL; /* Failure */ ++ goto err; + } + + ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, +@@ -1515,8 +1574,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + * in force within each class + */ + if (!ssl_cipher_strength_sort(&head, &tail)) { +- OPENSSL_free(co_list); +- return NULL; ++ goto err; + } + + /* +@@ -1561,9 +1619,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; + ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); + if (ca_list == NULL) { +- OPENSSL_free(co_list); + SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE); +- return NULL; /* Failure */ ++ goto err; + } + ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, + disabled_mkey, disabled_auth, disabled_enc, +@@ -1596,8 +1653,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + OPENSSL_free(ca_list); /* Not needed anymore */ + + if (!ok) { /* Rule processing failure */ +- OPENSSL_free(co_list); +- return NULL; ++ goto err; + } + + /* +@@ -1605,10 +1661,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + * if we cannot get one. + */ + if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { +- OPENSSL_free(co_list); +- return NULL; ++ goto err; + } + ++#ifdef SYSTEM_CIPHERS_FILE ++ OPENSSL_free(new_rules); /* Not needed anymore */ ++#endif ++ + /* Add TLSv1.3 ciphers first - we always prefer those if possible */ + for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { + if (!sk_SSL_CIPHER_push(cipherstack, +@@ -1646,6 +1705,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + *cipher_list = cipherstack; + + return cipherstack; ++ ++err: ++ OPENSSL_free(co_list); ++#ifdef SYSTEM_CIPHERS_FILE ++ OPENSSL_free(new_rules); ++#endif ++ return NULL; ++ + } + + char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) +Index: openssl-1.1.1m/ssl/ssl_lib.c +=================================================================== +--- openssl-1.1.1m.orig/ssl/ssl_lib.c ++++ openssl-1.1.1m/ssl/ssl_lib.c +@@ -667,7 +667,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx + ctx->tls13_ciphersuites, + &(ctx->cipher_list), + &(ctx->cipher_list_by_id), +- SSL_DEFAULT_CIPHER_LIST, ctx->cert); ++ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert); + if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { + SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); + return 0; +@@ -3076,7 +3076,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m + if (!ssl_create_cipher_list(ret->method, + ret->tls13_ciphersuites, + &ret->cipher_list, &ret->cipher_list_by_id, +- SSL_DEFAULT_CIPHER_LIST, ret->cert) ++ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert) + || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { + SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS); + goto err2; +Index: openssl-1.1.1m/test/cipherlist_test.c +=================================================================== +--- openssl-1.1.1m.orig/test/cipherlist_test.c ++++ openssl-1.1.1m/test/cipherlist_test.c +@@ -251,7 +251,9 @@ end: + + int setup_tests(void) + { ++#ifndef SYSTEM_CIPHERS_FILE + ADD_TEST(test_default_cipherlist_implicit); ++#endif + ADD_TEST(test_default_cipherlist_explicit); + ADD_TEST(test_default_cipherlist_clear); + return 1; diff --git a/openssl-1.1.1w.tar.gz b/openssl-1.1.1w.tar.gz new file mode 100644 index 0000000..04883c9 --- /dev/null +++ b/openssl-1.1.1w.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cf3098950cb4d853ad95c0841f1f9c6d3dc102dccfcacd521d93925208b76ac8 +size 9893384 diff --git a/openssl-1.1.1w.tar.gz.asc b/openssl-1.1.1w.tar.gz.asc new file mode 100644 index 0000000..0091ceb --- /dev/null +++ b/openssl-1.1.1w.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmT/H2QACgkQ2JTizos9 +efVL8A//XiYVgTnhAtnBs8W5+8fTJ2WUh+lcG7I+GF1wi1PRMaA9YddmXu70b9VF +x5EOcAVo7RsjlQ/VeWUtVuyTjd6eXCzoKRlbAwo9YovEsWcIo5sb6lSzuN17bIJi +NOrALx3+TF7SZfuOdd/czohfJfFUX/5mfEmcrkwY67UvIDFgO6E04+S2eFnU9HdC +KEF4kK10IObHRfvnAj+nSfUrnq5xtAAIpj2PBg9GFIEIxKBU72vvJYGdJ0HKFN8/ +352rNVIxGMXlwsAtWY2L09S0kt4iFST4fANM4CkxTnvloimmCtcWJvcst6tTgCMD +PKqXJ4hJpElzCVJJJBNQxz+T2dxc97Upvense/lkB6h8bwQgYaZNgk6B8UsSZyE8 +5v1p1HcOCJBNKc8zW86a3RvGCfxOfjrFz2CC7QPdT84Rv4S/xeCeUqM5b63Ws7pZ +3kA5jHUkP0yXsVOjxdMdqlJxqQ1wE2Q459fklLnsoHERrEQtsoaEW0DG6Kgima58 +YGwY8GxQ/QFLPxYRMjsfaLO54pdSlXa2EZ3nmL6WTY1ScdzN8K+huXz8Ok2lbi7O +oPZCVaDl8cpO9Kh8y5Hc8KAqCU72eTgx4kDGmEou9z//bl33fq0s5+PAjaz0XDvZ +gdOlsOngaAlvcVF50ZkVERBvfVb41O0uWD8MSk+vvBKQvuecrQ0= +=ZcG7 +-----END PGP SIGNATURE----- diff --git a/openssl-1_1-AES-GCM-performance-optimzation-with-stitched-method.patch b/openssl-1_1-AES-GCM-performance-optimzation-with-stitched-method.patch new file mode 100644 index 0000000..b6cfe60 --- /dev/null +++ b/openssl-1_1-AES-GCM-performance-optimzation-with-stitched-method.patch @@ -0,0 +1,1588 @@ +From 44a563dde1584cd9284e80b6e45ee5019be8d36c Mon Sep 17 00:00:00 2001 +From: Danny Tsen +Date: Mon, 18 Oct 2021 10:51:42 -0400 +Subject: [PATCH] AES-GCM performance optimzation with stitched method for p9+ + ppc64le + +Assembly code reviewed by Shricharan Srivatsan + +Reviewed-by: Tomas Mraz +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/16854) +--- + Configurations/00-base-templates.conf | 2 + crypto/evp/e_aes.c | 33 + crypto/modes/asm/aes-gcm-ppc.pl | 1439 ++++++++++++++++++++++++++++++++++ + crypto/modes/build.info | 1 + 4 files changed, 1466 insertions(+), 9 deletions(-) + create mode 100644 crypto/modes/asm/aes-gcm-ppc.pl + create mode 100644 providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc + +--- a/Configurations/00-base-templates.conf ++++ b/Configurations/00-base-templates.conf +@@ -344,7 +344,7 @@ my %targets=( + bn_asm_src => "bn-ppc.s ppc-mont.s", + aes_asm_src => "aes_core.c aes_cbc.c aes-ppc.s vpaes-ppc.s aesp8-ppc.s", + sha1_asm_src => "sha1-ppc.s sha256-ppc.s sha512-ppc.s sha256p8-ppc.s sha512p8-ppc.s", +- modes_asm_src => "ghashp8-ppc.s", ++ modes_asm_src => "ghashp8-ppc.s aes-gcm-ppc.s", + chacha_asm_src => "chacha-ppc.s", + poly1305_asm_src=> "poly1305-ppc.s poly1305-ppcfp.s", + }, +--- a/crypto/evp/e_aes.c ++++ b/crypto/evp/e_aes.c +@@ -178,6 +178,20 @@ static void ctr64_inc(unsigned char *cou + # define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks + # define HWAES_xts_encrypt aes_p8_xts_encrypt + # define HWAES_xts_decrypt aes_p8_xts_decrypt ++# define PPC_AES_GCM_CAPABLE (OPENSSL_ppccap_P & PPC_MADD300) ++# define AES_GCM_ENC_BYTES 128 ++# define AES_GCM_DEC_BYTES 128 ++size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len, ++ const void *key, unsigned char ivec[16], u64 *Xi); ++size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t len, ++ const void *key, unsigned char ivec[16], u64 *Xi); ++void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len); ++# if PPC_AES_GCM_CAPABLE ++# define AES_gcm_encrypt ppc_aes_gcm_encrypt ++# define AES_gcm_decrypt ppc_aes_gcm_decrypt ++# define AES_GCM_ASM(gctx) ((gctx)->ctr==aes_p8_ctr32_encrypt_blocks && \ ++ (gctx)->gcm.ghash==gcm_ghash_p8) ++# endif + #endif + + #if defined(OPENSSL_CPUID_OBJ) && ( \ +@@ -199,6 +213,9 @@ extern unsigned int OPENSSL_ia32cap_P[]; + */ + # define AESNI_CAPABLE (OPENSSL_ia32cap_P[1]&(1<<(57-32))) + ++# define AES_GCM_ENC_BYTES 32 ++# define AES_GCM_DEC_BYTES 16 ++ + int aesni_set_encrypt_key(const unsigned char *userKey, int bits, + AES_KEY *key); + int aesni_set_decrypt_key(const unsigned char *userKey, int bits, +@@ -3101,7 +3118,7 @@ static int aes_gcm_tls_cipher(EVP_CIPHER + if (gctx->ctr) { + size_t bulk = 0; + #if defined(AES_GCM_ASM) +- if (len >= 32 && AES_GCM_ASM(gctx)) { ++ if (len >= AES_GCM_ENC_BYTES && AES_GCM_ASM(gctx)) { + if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0)) + return -1; + +@@ -3119,7 +3136,7 @@ static int aes_gcm_tls_cipher(EVP_CIPHER + } else { + size_t bulk = 0; + #if defined(AES_GCM_ASM2) +- if (len >= 32 && AES_GCM_ASM2(gctx)) { ++ if (len >= AES_GCM_ENC_BYTES && AES_GCM_ASM2(gctx)) { + if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0)) + return -1; + +@@ -3142,7 +3159,7 @@ static int aes_gcm_tls_cipher(EVP_CIPHER + if (gctx->ctr) { + size_t bulk = 0; + #if defined(AES_GCM_ASM) +- if (len >= 16 && AES_GCM_ASM(gctx)) { ++ if (len >= AES_GCM_DEC_BYTES && AES_GCM_ASM(gctx)) { + if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0)) + return -1; + +@@ -3160,7 +3177,7 @@ static int aes_gcm_tls_cipher(EVP_CIPHER + } else { + size_t bulk = 0; + #if defined(AES_GCM_ASM2) +- if (len >= 16 && AES_GCM_ASM2(gctx)) { ++ if (len >= AES_GCM_DEC_BYTES && AES_GCM_ASM2(gctx)) { + if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0)) + return -1; + +@@ -3211,7 +3228,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX + if (gctx->ctr) { + size_t bulk = 0; + #if defined(AES_GCM_ASM) +- if (len >= 32 && AES_GCM_ASM(gctx)) { ++ if (len >= AES_GCM_ENC_BYTES && AES_GCM_ASM(gctx)) { + size_t res = (16 - gctx->gcm.mres) % 16; + + if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res)) +@@ -3233,7 +3250,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX + } else { + size_t bulk = 0; + #if defined(AES_GCM_ASM2) +- if (len >= 32 && AES_GCM_ASM2(gctx)) { ++ if (len >= AES_GCM_ENC_BYTES && AES_GCM_ASM2(gctx)) { + size_t res = (16 - gctx->gcm.mres) % 16; + + if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res)) +@@ -3255,7 +3272,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX + if (gctx->ctr) { + size_t bulk = 0; + #if defined(AES_GCM_ASM) +- if (len >= 16 && AES_GCM_ASM(gctx)) { ++ if (len >= AES_GCM_DEC_BYTES && AES_GCM_ASM(gctx)) { + size_t res = (16 - gctx->gcm.mres) % 16; + + if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res)) +@@ -3277,7 +3294,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX + } else { + size_t bulk = 0; + #if defined(AES_GCM_ASM2) +- if (len >= 16 && AES_GCM_ASM2(gctx)) { ++ if (len >= AES_GCM_DEC_BYTES && AES_GCM_ASM2(gctx)) { + size_t res = (16 - gctx->gcm.mres) % 16; + + if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res)) +--- /dev/null ++++ b/crypto/modes/asm/aes-gcm-ppc.pl +@@ -0,0 +1,1439 @@ ++#! /usr/bin/env perl ++# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. ++# Copyright 2021- IBM Inc. All rights reserved ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++# ++#=================================================================================== ++# Written by Danny Tsen for OpenSSL Project, ++# ++# GHASH is based on the Karatsuba multiplication method. ++# ++# Xi xor X1 ++# ++# X1 * H^4 + X2 * H^3 + x3 * H^2 + X4 * H = ++# (X1.h * H4.h + xX.l * H4.l + X1 * H4) + ++# (X2.h * H3.h + X2.l * H3.l + X2 * H3) + ++# (X3.h * H2.h + X3.l * H2.l + X3 * H2) + ++# (X4.h * H.h + X4.l * H.l + X4 * H) ++# ++# Xi = v0 ++# H Poly = v2 ++# Hash keys = v3 - v14 ++# ( H.l, H, H.h) ++# ( H^2.l, H^2, H^2.h) ++# ( H^3.l, H^3, H^3.h) ++# ( H^4.l, H^4, H^4.h) ++# ++# v30 is IV ++# v31 - counter 1 ++# ++# AES used, ++# vs0 - vs14 for round keys ++# v15, v16, v17, v18, v19, v20, v21, v22 for 8 blocks (encrypted) ++# ++# This implementation uses stitched AES-GCM approach to improve overall performance. ++# AES is implemented with 8x blocks and GHASH is using 2 4x blocks. ++# ++# Current large block (16384 bytes) performance per second with 128 bit key -- ++# ++# Encrypt Decrypt ++# Power10[le] (3.5GHz) 5.32G 5.26G ++# ++# =================================================================================== ++# ++# $output is the last argument if it looks like a file (it has an extension) ++# $flavour is the first argument if it doesn't look like a file ++$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; ++$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; ++ ++if ($flavour =~ /64/) { ++ $SIZE_T=8; ++ $LRSAVE=2*$SIZE_T; ++ $STU="stdu"; ++ $POP="ld"; ++ $PUSH="std"; ++ $UCMP="cmpld"; ++ $SHRI="srdi"; ++} elsif ($flavour =~ /32/) { ++ $SIZE_T=4; ++ $LRSAVE=$SIZE_T; ++ $STU="stwu"; ++ $POP="lwz"; ++ $PUSH="stw"; ++ $UCMP="cmplw"; ++ $SHRI="srwi"; ++} else { die "nonsense $flavour"; } ++ ++$sp="r1"; ++$FRAME=6*$SIZE_T+13*16; # 13*16 is for v20-v31 offload ++ ++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ++( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or ++( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or ++die "can't locate ppc-xlate.pl"; ++ ++open STDOUT,"| $^X $xlate $flavour \"$output\"" ++ or die "can't call $xlate: $!"; ++ ++$code=<<___; ++.machine "any" ++.abiversion 2 ++.text ++ ++# 4x loops ++# v15 - v18 - input states ++# vs1 - vs9 - round keys ++# ++.macro Loop_aes_middle4x ++ xxlor 19+32, 1, 1 ++ xxlor 20+32, 2, 2 ++ xxlor 21+32, 3, 3 ++ xxlor 22+32, 4, 4 ++ ++ vcipher 15, 15, 19 ++ vcipher 16, 16, 19 ++ vcipher 17, 17, 19 ++ vcipher 18, 18, 19 ++ ++ vcipher 15, 15, 20 ++ vcipher 16, 16, 20 ++ vcipher 17, 17, 20 ++ vcipher 18, 18, 20 ++ ++ vcipher 15, 15, 21 ++ vcipher 16, 16, 21 ++ vcipher 17, 17, 21 ++ vcipher 18, 18, 21 ++ ++ vcipher 15, 15, 22 ++ vcipher 16, 16, 22 ++ vcipher 17, 17, 22 ++ vcipher 18, 18, 22 ++ ++ xxlor 19+32, 5, 5 ++ xxlor 20+32, 6, 6 ++ xxlor 21+32, 7, 7 ++ xxlor 22+32, 8, 8 ++ ++ vcipher 15, 15, 19 ++ vcipher 16, 16, 19 ++ vcipher 17, 17, 19 ++ vcipher 18, 18, 19 ++ ++ vcipher 15, 15, 20 ++ vcipher 16, 16, 20 ++ vcipher 17, 17, 20 ++ vcipher 18, 18, 20 ++ ++ vcipher 15, 15, 21 ++ vcipher 16, 16, 21 ++ vcipher 17, 17, 21 ++ vcipher 18, 18, 21 ++ ++ vcipher 15, 15, 22 ++ vcipher 16, 16, 22 ++ vcipher 17, 17, 22 ++ vcipher 18, 18, 22 ++ ++ xxlor 23+32, 9, 9 ++ vcipher 15, 15, 23 ++ vcipher 16, 16, 23 ++ vcipher 17, 17, 23 ++ vcipher 18, 18, 23 ++.endm ++ ++# 8x loops ++# v15 - v22 - input states ++# vs1 - vs9 - round keys ++# ++.macro Loop_aes_middle8x ++ xxlor 23+32, 1, 1 ++ xxlor 24+32, 2, 2 ++ xxlor 25+32, 3, 3 ++ xxlor 26+32, 4, 4 ++ ++ vcipher 15, 15, 23 ++ vcipher 16, 16, 23 ++ vcipher 17, 17, 23 ++ vcipher 18, 18, 23 ++ vcipher 19, 19, 23 ++ vcipher 20, 20, 23 ++ vcipher 21, 21, 23 ++ vcipher 22, 22, 23 ++ ++ vcipher 15, 15, 24 ++ vcipher 16, 16, 24 ++ vcipher 17, 17, 24 ++ vcipher 18, 18, 24 ++ vcipher 19, 19, 24 ++ vcipher 20, 20, 24 ++ vcipher 21, 21, 24 ++ vcipher 22, 22, 24 ++ ++ vcipher 15, 15, 25 ++ vcipher 16, 16, 25 ++ vcipher 17, 17, 25 ++ vcipher 18, 18, 25 ++ vcipher 19, 19, 25 ++ vcipher 20, 20, 25 ++ vcipher 21, 21, 25 ++ vcipher 22, 22, 25 ++ ++ vcipher 15, 15, 26 ++ vcipher 16, 16, 26 ++ vcipher 17, 17, 26 ++ vcipher 18, 18, 26 ++ vcipher 19, 19, 26 ++ vcipher 20, 20, 26 ++ vcipher 21, 21, 26 ++ vcipher 22, 22, 26 ++ ++ xxlor 23+32, 5, 5 ++ xxlor 24+32, 6, 6 ++ xxlor 25+32, 7, 7 ++ xxlor 26+32, 8, 8 ++ ++ vcipher 15, 15, 23 ++ vcipher 16, 16, 23 ++ vcipher 17, 17, 23 ++ vcipher 18, 18, 23 ++ vcipher 19, 19, 23 ++ vcipher 20, 20, 23 ++ vcipher 21, 21, 23 ++ vcipher 22, 22, 23 ++ ++ vcipher 15, 15, 24 ++ vcipher 16, 16, 24 ++ vcipher 17, 17, 24 ++ vcipher 18, 18, 24 ++ vcipher 19, 19, 24 ++ vcipher 20, 20, 24 ++ vcipher 21, 21, 24 ++ vcipher 22, 22, 24 ++ ++ vcipher 15, 15, 25 ++ vcipher 16, 16, 25 ++ vcipher 17, 17, 25 ++ vcipher 18, 18, 25 ++ vcipher 19, 19, 25 ++ vcipher 20, 20, 25 ++ vcipher 21, 21, 25 ++ vcipher 22, 22, 25 ++ ++ vcipher 15, 15, 26 ++ vcipher 16, 16, 26 ++ vcipher 17, 17, 26 ++ vcipher 18, 18, 26 ++ vcipher 19, 19, 26 ++ vcipher 20, 20, 26 ++ vcipher 21, 21, 26 ++ vcipher 22, 22, 26 ++ ++ xxlor 23+32, 9, 9 ++ vcipher 15, 15, 23 ++ vcipher 16, 16, 23 ++ vcipher 17, 17, 23 ++ vcipher 18, 18, 23 ++ vcipher 19, 19, 23 ++ vcipher 20, 20, 23 ++ vcipher 21, 21, 23 ++ vcipher 22, 22, 23 ++.endm ++ ++# ++# Compute 4x hash values based on Karatsuba method. ++# ++ppc_aes_gcm_ghash: ++ vxor 15, 15, 0 ++ ++ xxlxor 29, 29, 29 ++ ++ vpmsumd 23, 12, 15 # H4.L * X.L ++ vpmsumd 24, 9, 16 ++ vpmsumd 25, 6, 17 ++ vpmsumd 26, 3, 18 ++ ++ vxor 23, 23, 24 ++ vxor 23, 23, 25 ++ vxor 23, 23, 26 # L ++ ++ vpmsumd 24, 13, 15 # H4.L * X.H + H4.H * X.L ++ vpmsumd 25, 10, 16 # H3.L * X1.H + H3.H * X1.L ++ vpmsumd 26, 7, 17 ++ vpmsumd 27, 4, 18 ++ ++ vxor 24, 24, 25 ++ vxor 24, 24, 26 ++ vxor 24, 24, 27 # M ++ ++ # sum hash and reduction with H Poly ++ vpmsumd 28, 23, 2 # reduction ++ ++ xxlor 29+32, 29, 29 ++ vsldoi 26, 24, 29, 8 # mL ++ vsldoi 29, 29, 24, 8 # mH ++ vxor 23, 23, 26 # mL + L ++ ++ vsldoi 23, 23, 23, 8 # swap ++ vxor 23, 23, 28 ++ ++ vpmsumd 24, 14, 15 # H4.H * X.H ++ vpmsumd 25, 11, 16 ++ vpmsumd 26, 8, 17 ++ vpmsumd 27, 5, 18 ++ ++ vxor 24, 24, 25 ++ vxor 24, 24, 26 ++ vxor 24, 24, 27 ++ ++ vxor 24, 24, 29 ++ ++ # sum hash and reduction with H Poly ++ vsldoi 27, 23, 23, 8 # swap ++ vpmsumd 23, 23, 2 ++ vxor 27, 27, 24 ++ vxor 23, 23, 27 ++ ++ xxlor 32, 23+32, 23+32 # update hash ++ ++ blr ++ ++# ++# Combine two 4x ghash ++# v15 - v22 - input blocks ++# ++.macro ppc_aes_gcm_ghash2_4x ++ # first 4x hash ++ vxor 15, 15, 0 # Xi + X ++ ++ xxlxor 29, 29, 29 ++ ++ vpmsumd 23, 12, 15 # H4.L * X.L ++ vpmsumd 24, 9, 16 ++ vpmsumd 25, 6, 17 ++ vpmsumd 26, 3, 18 ++ ++ vxor 23, 23, 24 ++ vxor 23, 23, 25 ++ vxor 23, 23, 26 # L ++ ++ vpmsumd 24, 13, 15 # H4.L * X.H + H4.H * X.L ++ vpmsumd 25, 10, 16 # H3.L * X1.H + H3.H * X1.L ++ vpmsumd 26, 7, 17 ++ vpmsumd 27, 4, 18 ++ ++ vxor 24, 24, 25 ++ vxor 24, 24, 26 ++ ++ # sum hash and reduction with H Poly ++ vpmsumd 28, 23, 2 # reduction ++ ++ xxlor 29+32, 29, 29 ++ ++ vxor 24, 24, 27 # M ++ vsldoi 26, 24, 29, 8 # mL ++ vsldoi 29, 29, 24, 8 # mH ++ vxor 23, 23, 26 # mL + L ++ ++ vsldoi 23, 23, 23, 8 # swap ++ vxor 23, 23, 28 ++ ++ vpmsumd 24, 14, 15 # H4.H * X.H ++ vpmsumd 25, 11, 16 ++ vpmsumd 26, 8, 17 ++ vpmsumd 27, 5, 18 ++ ++ vxor 24, 24, 25 ++ vxor 24, 24, 26 ++ vxor 24, 24, 27 # H ++ ++ vxor 24, 24, 29 # H + mH ++ ++ # sum hash and reduction with H Poly ++ vsldoi 27, 23, 23, 8 # swap ++ vpmsumd 23, 23, 2 ++ vxor 27, 27, 24 ++ vxor 27, 23, 27 # 1st Xi ++ ++ # 2nd 4x hash ++ vpmsumd 24, 9, 20 ++ vpmsumd 25, 6, 21 ++ vpmsumd 26, 3, 22 ++ vxor 19, 19, 27 # Xi + X ++ vpmsumd 23, 12, 19 # H4.L * X.L ++ ++ vxor 23, 23, 24 ++ vxor 23, 23, 25 ++ vxor 23, 23, 26 # L ++ ++ vpmsumd 24, 13, 19 # H4.L * X.H + H4.H * X.L ++ vpmsumd 25, 10, 20 # H3.L * X1.H + H3.H * X1.L ++ vpmsumd 26, 7, 21 ++ vpmsumd 27, 4, 22 ++ ++ vxor 24, 24, 25 ++ vxor 24, 24, 26 ++ ++ # sum hash and reduction with H Poly ++ vpmsumd 28, 23, 2 # reduction ++ ++ xxlor 29+32, 29, 29 ++ ++ vxor 24, 24, 27 # M ++ vsldoi 26, 24, 29, 8 # mL ++ vsldoi 29, 29, 24, 8 # mH ++ vxor 23, 23, 26 # mL + L ++ ++ vsldoi 23, 23, 23, 8 # swap ++ vxor 23, 23, 28 ++ ++ vpmsumd 24, 14, 19 # H4.H * X.H ++ vpmsumd 25, 11, 20 ++ vpmsumd 26, 8, 21 ++ vpmsumd 27, 5, 22 ++ ++ vxor 24, 24, 25 ++ vxor 24, 24, 26 ++ vxor 24, 24, 27 # H ++ ++ vxor 24, 24, 29 # H + mH ++ ++ # sum hash and reduction with H Poly ++ vsldoi 27, 23, 23, 8 # swap ++ vpmsumd 23, 23, 2 ++ vxor 27, 27, 24 ++ vxor 23, 23, 27 ++ ++ xxlor 32, 23+32, 23+32 # update hash ++ ++.endm ++ ++# ++# Compute update single hash ++# ++.macro ppc_update_hash_1x ++ vxor 28, 28, 0 ++ ++ vxor 19, 19, 19 ++ ++ vpmsumd 22, 3, 28 # L ++ vpmsumd 23, 4, 28 # M ++ vpmsumd 24, 5, 28 # H ++ ++ vpmsumd 27, 22, 2 # reduction ++ ++ vsldoi 25, 23, 19, 8 # mL ++ vsldoi 26, 19, 23, 8 # mH ++ vxor 22, 22, 25 # LL + LL ++ vxor 24, 24, 26 # HH + HH ++ ++ vsldoi 22, 22, 22, 8 # swap ++ vxor 22, 22, 27 ++ ++ vsldoi 20, 22, 22, 8 # swap ++ vpmsumd 22, 22, 2 # reduction ++ vxor 20, 20, 24 ++ vxor 22, 22, 20 ++ ++ vmr 0, 22 # update hash ++ ++.endm ++ ++# ++# ppc_aes_gcm_encrypt (const void *inp, void *out, size_t len, ++# const AES_KEY *key, unsigned char iv[16], ++# void *Xip); ++# ++# r3 - inp ++# r4 - out ++# r5 - len ++# r6 - AES round keys ++# r7 - iv ++# r8 - Xi, HPoli, hash keys ++# ++.global ppc_aes_gcm_encrypt ++.align 5 ++ppc_aes_gcm_encrypt: ++_ppc_aes_gcm_encrypt: ++ ++ stdu 1,-512(1) ++ mflr 0 ++ ++ std 14,112(1) ++ std 15,120(1) ++ std 16,128(1) ++ std 17,136(1) ++ std 18,144(1) ++ std 19,152(1) ++ std 20,160(1) ++ std 21,168(1) ++ li 9, 256 ++ stvx 20, 9, 1 ++ addi 9, 9, 16 ++ stvx 21, 9, 1 ++ addi 9, 9, 16 ++ stvx 22, 9, 1 ++ addi 9, 9, 16 ++ stvx 23, 9, 1 ++ addi 9, 9, 16 ++ stvx 24, 9, 1 ++ addi 9, 9, 16 ++ stvx 25, 9, 1 ++ addi 9, 9, 16 ++ stvx 26, 9, 1 ++ addi 9, 9, 16 ++ stvx 27, 9, 1 ++ addi 9, 9, 16 ++ stvx 28, 9, 1 ++ addi 9, 9, 16 ++ stvx 29, 9, 1 ++ addi 9, 9, 16 ++ stvx 30, 9, 1 ++ addi 9, 9, 16 ++ stvx 31, 9, 1 ++ std 0, 528(1) ++ ++ # Load Xi ++ lxvb16x 32, 0, 8 # load Xi ++ ++ # load Hash - h^4, h^3, h^2, h ++ li 10, 32 ++ lxvd2x 2+32, 10, 8 # H Poli ++ li 10, 48 ++ lxvd2x 3+32, 10, 8 # Hl ++ li 10, 64 ++ lxvd2x 4+32, 10, 8 # H ++ li 10, 80 ++ lxvd2x 5+32, 10, 8 # Hh ++ ++ li 10, 96 ++ lxvd2x 6+32, 10, 8 # H^2l ++ li 10, 112 ++ lxvd2x 7+32, 10, 8 # H^2 ++ li 10, 128 ++ lxvd2x 8+32, 10, 8 # H^2h ++ ++ li 10, 144 ++ lxvd2x 9+32, 10, 8 # H^3l ++ li 10, 160 ++ lxvd2x 10+32, 10, 8 # H^3 ++ li 10, 176 ++ lxvd2x 11+32, 10, 8 # H^3h ++ ++ li 10, 192 ++ lxvd2x 12+32, 10, 8 # H^4l ++ li 10, 208 ++ lxvd2x 13+32, 10, 8 # H^4 ++ li 10, 224 ++ lxvd2x 14+32, 10, 8 # H^4h ++ ++ # initialize ICB: GHASH( IV ), IV - r7 ++ lxvb16x 30+32, 0, 7 # load IV - v30 ++ ++ mr 12, 5 # length ++ li 11, 0 # block index ++ ++ # counter 1 ++ vxor 31, 31, 31 ++ vspltisb 22, 1 ++ vsldoi 31, 31, 22,1 # counter 1 ++ ++ # load round key to VSR ++ lxv 0, 0(6) ++ lxv 1, 0x10(6) ++ lxv 2, 0x20(6) ++ lxv 3, 0x30(6) ++ lxv 4, 0x40(6) ++ lxv 5, 0x50(6) ++ lxv 6, 0x60(6) ++ lxv 7, 0x70(6) ++ lxv 8, 0x80(6) ++ lxv 9, 0x90(6) ++ lxv 10, 0xa0(6) ++ ++ # load rounds - 10 (128), 12 (192), 14 (256) ++ lwz 9,240(6) ++ ++ # ++ # vxor state, state, w # addroundkey ++ xxlor 32+29, 0, 0 ++ vxor 15, 30, 29 # IV + round key - add round key 0 ++ ++ cmpdi 9, 10 ++ beq Loop_aes_gcm_8x ++ ++ # load 2 more round keys (v11, v12) ++ lxv 11, 0xb0(6) ++ lxv 12, 0xc0(6) ++ ++ cmpdi 9, 12 ++ beq Loop_aes_gcm_8x ++ ++ # load 2 more round keys (v11, v12, v13, v14) ++ lxv 13, 0xd0(6) ++ lxv 14, 0xe0(6) ++ cmpdi 9, 14 ++ beq Loop_aes_gcm_8x ++ ++ b aes_gcm_out ++ ++.align 5 ++Loop_aes_gcm_8x: ++ mr 14, 3 ++ mr 9, 4 ++ ++ # n blcoks ++ li 10, 128 ++ divdu 10, 5, 10 # n 128 bytes-blocks ++ cmpdi 10, 0 ++ beq Loop_last_block ++ ++ vaddudm 30, 30, 31 # IV + counter ++ vxor 16, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 17, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 18, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 19, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 20, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 21, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 22, 30, 29 ++ ++ mtctr 10 ++ ++ li 15, 16 ++ li 16, 32 ++ li 17, 48 ++ li 18, 64 ++ li 19, 80 ++ li 20, 96 ++ li 21, 112 ++ ++ lwz 10, 240(6) ++ ++Loop_8x_block: ++ ++ lxvb16x 15, 0, 14 # load block ++ lxvb16x 16, 15, 14 # load block ++ lxvb16x 17, 16, 14 # load block ++ lxvb16x 18, 17, 14 # load block ++ lxvb16x 19, 18, 14 # load block ++ lxvb16x 20, 19, 14 # load block ++ lxvb16x 21, 20, 14 # load block ++ lxvb16x 22, 21, 14 # load block ++ addi 14, 14, 128 ++ ++ Loop_aes_middle8x ++ ++ xxlor 23+32, 10, 10 ++ ++ cmpdi 10, 10 ++ beq Do_next_ghash ++ ++ # 192 bits ++ xxlor 24+32, 11, 11 ++ ++ vcipher 15, 15, 23 ++ vcipher 16, 16, 23 ++ vcipher 17, 17, 23 ++ vcipher 18, 18, 23 ++ vcipher 19, 19, 23 ++ vcipher 20, 20, 23 ++ vcipher 21, 21, 23 ++ vcipher 22, 22, 23 ++ ++ vcipher 15, 15, 24 ++ vcipher 16, 16, 24 ++ vcipher 17, 17, 24 ++ vcipher 18, 18, 24 ++ vcipher 19, 19, 24 ++ vcipher 20, 20, 24 ++ vcipher 21, 21, 24 ++ vcipher 22, 22, 24 ++ ++ xxlor 23+32, 12, 12 ++ ++ cmpdi 10, 12 ++ beq Do_next_ghash ++ ++ # 256 bits ++ xxlor 24+32, 13, 13 ++ ++ vcipher 15, 15, 23 ++ vcipher 16, 16, 23 ++ vcipher 17, 17, 23 ++ vcipher 18, 18, 23 ++ vcipher 19, 19, 23 ++ vcipher 20, 20, 23 ++ vcipher 21, 21, 23 ++ vcipher 22, 22, 23 ++ ++ vcipher 15, 15, 24 ++ vcipher 16, 16, 24 ++ vcipher 17, 17, 24 ++ vcipher 18, 18, 24 ++ vcipher 19, 19, 24 ++ vcipher 20, 20, 24 ++ vcipher 21, 21, 24 ++ vcipher 22, 22, 24 ++ ++ xxlor 23+32, 14, 14 ++ ++ cmpdi 10, 14 ++ beq Do_next_ghash ++ b aes_gcm_out ++ ++Do_next_ghash: ++ ++ # ++ # last round ++ vcipherlast 15, 15, 23 ++ vcipherlast 16, 16, 23 ++ ++ xxlxor 47, 47, 15 ++ stxvb16x 47, 0, 9 # store output ++ xxlxor 48, 48, 16 ++ stxvb16x 48, 15, 9 # store output ++ ++ vcipherlast 17, 17, 23 ++ vcipherlast 18, 18, 23 ++ ++ xxlxor 49, 49, 17 ++ stxvb16x 49, 16, 9 # store output ++ xxlxor 50, 50, 18 ++ stxvb16x 50, 17, 9 # store output ++ ++ vcipherlast 19, 19, 23 ++ vcipherlast 20, 20, 23 ++ ++ xxlxor 51, 51, 19 ++ stxvb16x 51, 18, 9 # store output ++ xxlxor 52, 52, 20 ++ stxvb16x 52, 19, 9 # store output ++ ++ vcipherlast 21, 21, 23 ++ vcipherlast 22, 22, 23 ++ ++ xxlxor 53, 53, 21 ++ stxvb16x 53, 20, 9 # store output ++ xxlxor 54, 54, 22 ++ stxvb16x 54, 21, 9 # store output ++ ++ addi 9, 9, 128 ++ ++ # ghash here ++ ppc_aes_gcm_ghash2_4x ++ ++ xxlor 27+32, 0, 0 ++ vaddudm 30, 30, 31 # IV + counter ++ vmr 29, 30 ++ vxor 15, 30, 27 # add round key ++ vaddudm 30, 30, 31 ++ vxor 16, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 17, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 18, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 19, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 20, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 21, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 22, 30, 27 ++ ++ addi 12, 12, -128 ++ addi 11, 11, 128 ++ ++ bdnz Loop_8x_block ++ ++ vmr 30, 29 ++ ++Loop_last_block: ++ cmpdi 12, 0 ++ beq aes_gcm_out ++ ++ # loop last few blocks ++ li 10, 16 ++ divdu 10, 12, 10 ++ ++ mtctr 10 ++ ++ lwz 10, 240(6) ++ ++ cmpdi 12, 16 ++ blt Final_block ++ ++.macro Loop_aes_middle_1x ++ xxlor 19+32, 1, 1 ++ xxlor 20+32, 2, 2 ++ xxlor 21+32, 3, 3 ++ xxlor 22+32, 4, 4 ++ ++ vcipher 15, 15, 19 ++ vcipher 15, 15, 20 ++ vcipher 15, 15, 21 ++ vcipher 15, 15, 22 ++ ++ xxlor 19+32, 5, 5 ++ xxlor 20+32, 6, 6 ++ xxlor 21+32, 7, 7 ++ xxlor 22+32, 8, 8 ++ ++ vcipher 15, 15, 19 ++ vcipher 15, 15, 20 ++ vcipher 15, 15, 21 ++ vcipher 15, 15, 22 ++ ++ xxlor 19+32, 9, 9 ++ vcipher 15, 15, 19 ++.endm ++ ++Next_rem_block: ++ lxvb16x 15, 0, 14 # load block ++ ++ Loop_aes_middle_1x ++ ++ xxlor 23+32, 10, 10 ++ ++ cmpdi 10, 10 ++ beq Do_next_1x ++ ++ # 192 bits ++ xxlor 24+32, 11, 11 ++ ++ vcipher 15, 15, 23 ++ vcipher 15, 15, 24 ++ ++ xxlor 23+32, 12, 12 ++ ++ cmpdi 10, 12 ++ beq Do_next_1x ++ ++ # 256 bits ++ xxlor 24+32, 13, 13 ++ ++ vcipher 15, 15, 23 ++ vcipher 15, 15, 24 ++ ++ xxlor 23+32, 14, 14 ++ ++ cmpdi 10, 14 ++ beq Do_next_1x ++ ++Do_next_1x: ++ vcipherlast 15, 15, 23 ++ ++ xxlxor 47, 47, 15 ++ stxvb16x 47, 0, 9 # store output ++ addi 14, 14, 16 ++ addi 9, 9, 16 ++ ++ vmr 28, 15 ++ ppc_update_hash_1x ++ ++ addi 12, 12, -16 ++ addi 11, 11, 16 ++ xxlor 19+32, 0, 0 ++ vaddudm 30, 30, 31 # IV + counter ++ vxor 15, 30, 19 # add round key ++ ++ bdnz Next_rem_block ++ ++ cmpdi 12, 0 ++ beq aes_gcm_out ++ ++Final_block: ++ Loop_aes_middle_1x ++ ++ xxlor 23+32, 10, 10 ++ ++ cmpdi 10, 10 ++ beq Do_final_1x ++ ++ # 192 bits ++ xxlor 24+32, 11, 11 ++ ++ vcipher 15, 15, 23 ++ vcipher 15, 15, 24 ++ ++ xxlor 23+32, 12, 12 ++ ++ cmpdi 10, 12 ++ beq Do_final_1x ++ ++ # 256 bits ++ xxlor 24+32, 13, 13 ++ ++ vcipher 15, 15, 23 ++ vcipher 15, 15, 24 ++ ++ xxlor 23+32, 14, 14 ++ ++ cmpdi 10, 14 ++ beq Do_final_1x ++ ++Do_final_1x: ++ vcipherlast 15, 15, 23 ++ ++ lxvb16x 15, 0, 14 # load last block ++ xxlxor 47, 47, 15 ++ ++ # create partial block mask ++ li 15, 16 ++ sub 15, 15, 12 # index to the mask ++ ++ vspltisb 16, -1 # first 16 bytes - 0xffff...ff ++ vspltisb 17, 0 # second 16 bytes - 0x0000...00 ++ li 10, 192 ++ stvx 16, 10, 1 ++ addi 10, 10, 16 ++ stvx 17, 10, 1 ++ ++ addi 10, 1, 192 ++ lxvb16x 16, 15, 10 # load partial block mask ++ xxland 47, 47, 16 ++ ++ vmr 28, 15 ++ ppc_update_hash_1x ++ ++ # * should store only the remaining bytes. ++ bl Write_partial_block ++ ++ b aes_gcm_out ++ ++# ++# Write partial block ++# r9 - output ++# r12 - remaining bytes ++# v15 - partial input data ++# ++Write_partial_block: ++ li 10, 192 ++ stxvb16x 15+32, 10, 1 # last block ++ ++ #add 10, 9, 11 # Output ++ addi 10, 9, -1 ++ addi 16, 1, 191 ++ ++ mtctr 12 # remaining bytes ++ li 15, 0 ++ ++Write_last_byte: ++ lbzu 14, 1(16) ++ stbu 14, 1(10) ++ bdnz Write_last_byte ++ blr ++ ++aes_gcm_out: ++ # out = state ++ stxvb16x 32, 0, 8 # write out Xi ++ add 3, 11, 12 # return count ++ ++ li 9, 256 ++ lvx 20, 9, 1 ++ addi 9, 9, 16 ++ lvx 21, 9, 1 ++ addi 9, 9, 16 ++ lvx 22, 9, 1 ++ addi 9, 9, 16 ++ lvx 23, 9, 1 ++ addi 9, 9, 16 ++ lvx 24, 9, 1 ++ addi 9, 9, 16 ++ lvx 25, 9, 1 ++ addi 9, 9, 16 ++ lvx 26, 9, 1 ++ addi 9, 9, 16 ++ lvx 27, 9, 1 ++ addi 9, 9, 16 ++ lvx 28, 9, 1 ++ addi 9, 9, 16 ++ lvx 29, 9, 1 ++ addi 9, 9, 16 ++ lvx 30, 9, 1 ++ addi 9, 9, 16 ++ lvx 31, 9, 1 ++ ++ ld 0, 528(1) ++ ld 14,112(1) ++ ld 15,120(1) ++ ld 16,128(1) ++ ld 17,136(1) ++ ld 18,144(1) ++ ld 19,152(1) ++ ld 20,160(1) ++ ld 21,168(1) ++ ++ mtlr 0 ++ addi 1, 1, 512 ++ blr ++ ++# ++# 8x Decrypt ++# ++.global ppc_aes_gcm_decrypt ++.align 5 ++ppc_aes_gcm_decrypt: ++_ppc_aes_gcm_decrypt: ++ ++ stdu 1,-512(1) ++ mflr 0 ++ ++ std 14,112(1) ++ std 15,120(1) ++ std 16,128(1) ++ std 17,136(1) ++ std 18,144(1) ++ std 19,152(1) ++ std 20,160(1) ++ std 21,168(1) ++ li 9, 256 ++ stvx 20, 9, 1 ++ addi 9, 9, 16 ++ stvx 21, 9, 1 ++ addi 9, 9, 16 ++ stvx 22, 9, 1 ++ addi 9, 9, 16 ++ stvx 23, 9, 1 ++ addi 9, 9, 16 ++ stvx 24, 9, 1 ++ addi 9, 9, 16 ++ stvx 25, 9, 1 ++ addi 9, 9, 16 ++ stvx 26, 9, 1 ++ addi 9, 9, 16 ++ stvx 27, 9, 1 ++ addi 9, 9, 16 ++ stvx 28, 9, 1 ++ addi 9, 9, 16 ++ stvx 29, 9, 1 ++ addi 9, 9, 16 ++ stvx 30, 9, 1 ++ addi 9, 9, 16 ++ stvx 31, 9, 1 ++ std 0, 528(1) ++ ++ # Load Xi ++ lxvb16x 32, 0, 8 # load Xi ++ ++ # load Hash - h^4, h^3, h^2, h ++ li 10, 32 ++ lxvd2x 2+32, 10, 8 # H Poli ++ li 10, 48 ++ lxvd2x 3+32, 10, 8 # Hl ++ li 10, 64 ++ lxvd2x 4+32, 10, 8 # H ++ li 10, 80 ++ lxvd2x 5+32, 10, 8 # Hh ++ ++ li 10, 96 ++ lxvd2x 6+32, 10, 8 # H^2l ++ li 10, 112 ++ lxvd2x 7+32, 10, 8 # H^2 ++ li 10, 128 ++ lxvd2x 8+32, 10, 8 # H^2h ++ ++ li 10, 144 ++ lxvd2x 9+32, 10, 8 # H^3l ++ li 10, 160 ++ lxvd2x 10+32, 10, 8 # H^3 ++ li 10, 176 ++ lxvd2x 11+32, 10, 8 # H^3h ++ ++ li 10, 192 ++ lxvd2x 12+32, 10, 8 # H^4l ++ li 10, 208 ++ lxvd2x 13+32, 10, 8 # H^4 ++ li 10, 224 ++ lxvd2x 14+32, 10, 8 # H^4h ++ ++ # initialize ICB: GHASH( IV ), IV - r7 ++ lxvb16x 30+32, 0, 7 # load IV - v30 ++ ++ mr 12, 5 # length ++ li 11, 0 # block index ++ ++ # counter 1 ++ vxor 31, 31, 31 ++ vspltisb 22, 1 ++ vsldoi 31, 31, 22,1 # counter 1 ++ ++ # load round key to VSR ++ lxv 0, 0(6) ++ lxv 1, 0x10(6) ++ lxv 2, 0x20(6) ++ lxv 3, 0x30(6) ++ lxv 4, 0x40(6) ++ lxv 5, 0x50(6) ++ lxv 6, 0x60(6) ++ lxv 7, 0x70(6) ++ lxv 8, 0x80(6) ++ lxv 9, 0x90(6) ++ lxv 10, 0xa0(6) ++ ++ # load rounds - 10 (128), 12 (192), 14 (256) ++ lwz 9,240(6) ++ ++ # ++ # vxor state, state, w # addroundkey ++ xxlor 32+29, 0, 0 ++ vxor 15, 30, 29 # IV + round key - add round key 0 ++ ++ cmpdi 9, 10 ++ beq Loop_aes_gcm_8x_dec ++ ++ # load 2 more round keys (v11, v12) ++ lxv 11, 0xb0(6) ++ lxv 12, 0xc0(6) ++ ++ cmpdi 9, 12 ++ beq Loop_aes_gcm_8x_dec ++ ++ # load 2 more round keys (v11, v12, v13, v14) ++ lxv 13, 0xd0(6) ++ lxv 14, 0xe0(6) ++ cmpdi 9, 14 ++ beq Loop_aes_gcm_8x_dec ++ ++ b aes_gcm_out ++ ++.align 5 ++Loop_aes_gcm_8x_dec: ++ mr 14, 3 ++ mr 9, 4 ++ ++ # n blcoks ++ li 10, 128 ++ divdu 10, 5, 10 # n 128 bytes-blocks ++ cmpdi 10, 0 ++ beq Loop_last_block_dec ++ ++ vaddudm 30, 30, 31 # IV + counter ++ vxor 16, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 17, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 18, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 19, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 20, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 21, 30, 29 ++ vaddudm 30, 30, 31 ++ vxor 22, 30, 29 ++ ++ mtctr 10 ++ ++ li 15, 16 ++ li 16, 32 ++ li 17, 48 ++ li 18, 64 ++ li 19, 80 ++ li 20, 96 ++ li 21, 112 ++ ++ lwz 10, 240(6) ++ ++Loop_8x_block_dec: ++ ++ lxvb16x 15, 0, 14 # load block ++ lxvb16x 16, 15, 14 # load block ++ lxvb16x 17, 16, 14 # load block ++ lxvb16x 18, 17, 14 # load block ++ lxvb16x 19, 18, 14 # load block ++ lxvb16x 20, 19, 14 # load block ++ lxvb16x 21, 20, 14 # load block ++ lxvb16x 22, 21, 14 # load block ++ addi 14, 14, 128 ++ ++ Loop_aes_middle8x ++ ++ xxlor 23+32, 10, 10 ++ ++ cmpdi 10, 10 ++ beq Do_last_aes_dec ++ ++ # 192 bits ++ xxlor 24+32, 11, 11 ++ ++ vcipher 15, 15, 23 ++ vcipher 16, 16, 23 ++ vcipher 17, 17, 23 ++ vcipher 18, 18, 23 ++ vcipher 19, 19, 23 ++ vcipher 20, 20, 23 ++ vcipher 21, 21, 23 ++ vcipher 22, 22, 23 ++ ++ vcipher 15, 15, 24 ++ vcipher 16, 16, 24 ++ vcipher 17, 17, 24 ++ vcipher 18, 18, 24 ++ vcipher 19, 19, 24 ++ vcipher 20, 20, 24 ++ vcipher 21, 21, 24 ++ vcipher 22, 22, 24 ++ ++ xxlor 23+32, 12, 12 ++ ++ cmpdi 10, 12 ++ beq Do_last_aes_dec ++ ++ # 256 bits ++ xxlor 24+32, 13, 13 ++ ++ vcipher 15, 15, 23 ++ vcipher 16, 16, 23 ++ vcipher 17, 17, 23 ++ vcipher 18, 18, 23 ++ vcipher 19, 19, 23 ++ vcipher 20, 20, 23 ++ vcipher 21, 21, 23 ++ vcipher 22, 22, 23 ++ ++ vcipher 15, 15, 24 ++ vcipher 16, 16, 24 ++ vcipher 17, 17, 24 ++ vcipher 18, 18, 24 ++ vcipher 19, 19, 24 ++ vcipher 20, 20, 24 ++ vcipher 21, 21, 24 ++ vcipher 22, 22, 24 ++ ++ xxlor 23+32, 14, 14 ++ ++ cmpdi 10, 14 ++ beq Do_last_aes_dec ++ b aes_gcm_out ++ ++Do_last_aes_dec: ++ ++ # ++ # last round ++ vcipherlast 15, 15, 23 ++ vcipherlast 16, 16, 23 ++ ++ xxlxor 47, 47, 15 ++ stxvb16x 47, 0, 9 # store output ++ xxlxor 48, 48, 16 ++ stxvb16x 48, 15, 9 # store output ++ ++ vcipherlast 17, 17, 23 ++ vcipherlast 18, 18, 23 ++ ++ xxlxor 49, 49, 17 ++ stxvb16x 49, 16, 9 # store output ++ xxlxor 50, 50, 18 ++ stxvb16x 50, 17, 9 # store output ++ ++ vcipherlast 19, 19, 23 ++ vcipherlast 20, 20, 23 ++ ++ xxlxor 51, 51, 19 ++ stxvb16x 51, 18, 9 # store output ++ xxlxor 52, 52, 20 ++ stxvb16x 52, 19, 9 # store output ++ ++ vcipherlast 21, 21, 23 ++ vcipherlast 22, 22, 23 ++ ++ xxlxor 53, 53, 21 ++ stxvb16x 53, 20, 9 # store output ++ xxlxor 54, 54, 22 ++ stxvb16x 54, 21, 9 # store output ++ ++ addi 9, 9, 128 ++ ++ xxlor 15+32, 15, 15 ++ xxlor 16+32, 16, 16 ++ xxlor 17+32, 17, 17 ++ xxlor 18+32, 18, 18 ++ xxlor 19+32, 19, 19 ++ xxlor 20+32, 20, 20 ++ xxlor 21+32, 21, 21 ++ xxlor 22+32, 22, 22 ++ ++ # ghash here ++ ppc_aes_gcm_ghash2_4x ++ ++ xxlor 27+32, 0, 0 ++ vaddudm 30, 30, 31 # IV + counter ++ vmr 29, 30 ++ vxor 15, 30, 27 # add round key ++ vaddudm 30, 30, 31 ++ vxor 16, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 17, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 18, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 19, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 20, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 21, 30, 27 ++ vaddudm 30, 30, 31 ++ vxor 22, 30, 27 ++ addi 12, 12, -128 ++ addi 11, 11, 128 ++ ++ bdnz Loop_8x_block_dec ++ ++ vmr 30, 29 ++ ++Loop_last_block_dec: ++ cmpdi 12, 0 ++ beq aes_gcm_out ++ ++ # loop last few blocks ++ li 10, 16 ++ divdu 10, 12, 10 ++ ++ mtctr 10 ++ ++ lwz 10,240(6) ++ ++ cmpdi 12, 16 ++ blt Final_block_dec ++ ++Next_rem_block_dec: ++ lxvb16x 15, 0, 14 # load block ++ ++ Loop_aes_middle_1x ++ ++ xxlor 23+32, 10, 10 ++ ++ cmpdi 10, 10 ++ beq Do_next_1x_dec ++ ++ # 192 bits ++ xxlor 24+32, 11, 11 ++ ++ vcipher 15, 15, 23 ++ vcipher 15, 15, 24 ++ ++ xxlor 23+32, 12, 12 ++ ++ cmpdi 10, 12 ++ beq Do_next_1x_dec ++ ++ # 256 bits ++ xxlor 24+32, 13, 13 ++ ++ vcipher 15, 15, 23 ++ vcipher 15, 15, 24 ++ ++ xxlor 23+32, 14, 14 ++ ++ cmpdi 10, 14 ++ beq Do_next_1x_dec ++ ++Do_next_1x_dec: ++ vcipherlast 15, 15, 23 ++ ++ xxlxor 47, 47, 15 ++ stxvb16x 47, 0, 9 # store output ++ addi 14, 14, 16 ++ addi 9, 9, 16 ++ ++ xxlor 28+32, 15, 15 ++ ppc_update_hash_1x ++ ++ addi 12, 12, -16 ++ addi 11, 11, 16 ++ xxlor 19+32, 0, 0 ++ vaddudm 30, 30, 31 # IV + counter ++ vxor 15, 30, 19 # add round key ++ ++ bdnz Next_rem_block_dec ++ ++ cmpdi 12, 0 ++ beq aes_gcm_out ++ ++Final_block_dec: ++ Loop_aes_middle_1x ++ ++ xxlor 23+32, 10, 10 ++ ++ cmpdi 10, 10 ++ beq Do_final_1x_dec ++ ++ # 192 bits ++ xxlor 24+32, 11, 11 ++ ++ vcipher 15, 15, 23 ++ vcipher 15, 15, 24 ++ ++ xxlor 23+32, 12, 12 ++ ++ cmpdi 10, 12 ++ beq Do_final_1x_dec ++ ++ # 256 bits ++ xxlor 24+32, 13, 13 ++ ++ vcipher 15, 15, 23 ++ vcipher 15, 15, 24 ++ ++ xxlor 23+32, 14, 14 ++ ++ cmpdi 10, 14 ++ beq Do_final_1x_dec ++ ++Do_final_1x_dec: ++ vcipherlast 15, 15, 23 ++ ++ lxvb16x 15, 0, 14 # load block ++ xxlxor 47, 47, 15 ++ ++ # create partial block mask ++ li 15, 16 ++ sub 15, 15, 12 # index to the mask ++ ++ vspltisb 16, -1 # first 16 bytes - 0xffff...ff ++ vspltisb 17, 0 # second 16 bytes - 0x0000...00 ++ li 10, 192 ++ stvx 16, 10, 1 ++ addi 10, 10, 16 ++ stvx 17, 10, 1 ++ ++ addi 10, 1, 192 ++ lxvb16x 16, 15, 10 # load block mask ++ xxland 47, 47, 16 ++ ++ xxlor 28+32, 15, 15 ++ ppc_update_hash_1x ++ ++ # * should store only the remaining bytes. ++ bl Write_partial_block ++ ++ b aes_gcm_out ++ ++ ++___ ++ ++foreach (split("\n",$code)) { ++ s/\`([^\`]*)\`/eval $1/geo; ++ ++ if ($flavour =~ /le$/o) { # little-endian ++ s/le\?//o or ++ s/be\?/#be#/o; ++ } else { ++ s/le\?/#le#/o or ++ s/be\?//o; ++ } ++ print $_,"\n"; ++} ++ ++close STDOUT or die "error closing STDOUT: $!"; # enforce flush +--- a/crypto/modes/build.info ++++ b/crypto/modes/build.info +@@ -16,6 +16,7 @@ INCLUDE[ghash-sparcv9.o]=.. + GENERATE[ghash-alpha.S]=asm/ghash-alpha.pl $(PERLASM_SCHEME) + GENERATE[ghash-parisc.s]=asm/ghash-parisc.pl $(PERLASM_SCHEME) + GENERATE[ghashp8-ppc.s]=asm/ghashp8-ppc.pl $(PERLASM_SCHEME) ++GENERATE[aes-gcm-ppc.s]=asm/aes-gcm-ppc.pl $(PERLASM_SCHEME) + GENERATE[ghash-armv4.S]=asm/ghash-armv4.pl $(PERLASM_SCHEME) + INCLUDE[ghash-armv4.o]=.. + GENERATE[ghashv8-armx.S]=asm/ghashv8-armx.pl $(PERLASM_SCHEME) diff --git a/openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch b/openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch new file mode 100644 index 0000000..fb58237 --- /dev/null +++ b/openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch @@ -0,0 +1,45 @@ +Index: openssl-1.1.1l/crypto/fips/fips_kdf_selftest.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips_kdf_selftest.c ++++ openssl-1.1.1l/crypto/fips/fips_kdf_selftest.c +@@ -63,18 +63,20 @@ int FIPS_selftest_pbkdf2(void) + { + int ret = 0; + EVP_KDF_CTX *kctx; +- unsigned char out[32]; ++ unsigned char out[40]; + + if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) { + goto err; + } +- if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) { ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, ++ "passwordPASSWORDpassword", (size_t)24) <= 0) { + goto err; + } +- if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) { ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, ++ "saltSALTsaltSALTsaltSALTsaltSALTsalt", (size_t)36) <= 0) { + goto err; + } +- if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) { ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 4096) <= 0) { + goto err; + } + if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { +@@ -86,10 +88,11 @@ int FIPS_selftest_pbkdf2(void) + + { + const unsigned char expected[sizeof(out)] = { +- 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3, +- 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0, +- 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf, +- 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43 ++ 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, ++ 0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf, ++ 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18, ++ 0x1c, 0x4e, 0x2a, 0x1f, 0xb8, 0xdd, 0x53, 0xe1, ++ 0xc6, 0x35, 0x51, 0x8c, 0x7d, 0xac, 0x47, 0xe9 + }; + if (memcmp(out, expected, sizeof(expected))) { + goto err; diff --git a/openssl-1_1-FIPS-fix-error-reason-codes.patch b/openssl-1_1-FIPS-fix-error-reason-codes.patch new file mode 100644 index 0000000..54f063f --- /dev/null +++ b/openssl-1_1-FIPS-fix-error-reason-codes.patch @@ -0,0 +1,38 @@ +Index: openssl-1.1.1l/crypto/err/err_all.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/err/err_all.c ++++ openssl-1.1.1l/crypto/err/err_all.c +@@ -38,6 +38,7 @@ + #include + #include + #include ++#include + + int err_load_crypto_strings_int(void) + { +@@ -92,10 +93,11 @@ int err_load_crypto_strings_int(void) + ERR_load_CT_strings() == 0 || + # endif + ERR_load_ASYNC_strings() == 0 || +-#endif + ERR_load_KDF_strings() == 0 || +- ERR_load_OSSL_STORE_strings() == 0) ++ ERR_load_OSSL_STORE_strings() == 0 || ++ ERR_load_FIPS_strings() == 0) + return 0; ++#endif + + return 1; + } +Index: openssl-1.1.1l/crypto/err/openssl.ec +=================================================================== +--- openssl-1.1.1l.orig/crypto/err/openssl.ec ++++ openssl-1.1.1l/crypto/err/openssl.ec +@@ -34,6 +34,7 @@ L ASYNC include/openssl/async.h + L KDF include/openssl/kdf.h crypto/kdf/kdf_err.c + L SM2 include/crypto/sm2.h crypto/sm2/sm2_err.c + L OSSL_STORE include/openssl/store.h crypto/store/store_err.c ++L FIPS include/crypto/fips_int.h crypto/fips/fips_ers.c + + # additional header files to be scanned for function names + L NONE include/openssl/x509_vfy.h NONE diff --git a/openssl-1_1-FIPS_drbg-rewire.patch b/openssl-1_1-FIPS_drbg-rewire.patch new file mode 100644 index 0000000..48358b7 --- /dev/null +++ b/openssl-1_1-FIPS_drbg-rewire.patch @@ -0,0 +1,182 @@ +Index: openssl-1.1.1l/crypto/fips/fips_drbg_lib.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips_drbg_lib.c ++++ openssl-1.1.1l/crypto/fips/fips_drbg_lib.c +@@ -337,6 +337,19 @@ static int drbg_reseed(DRBG_CTX *dctx, + int FIPS_drbg_reseed(DRBG_CTX *dctx, + const unsigned char *adin, size_t adinlen) + { ++ int len = (int)adinlen; ++ ++ if (len < 0 || (size_t)len != adinlen) { ++ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG); ++ return 0; ++ } ++ RAND_seed(adin, len); ++ return 1; ++} ++ ++int FIPS_drbg_reseed_internal(DRBG_CTX *dctx, ++ const unsigned char *adin, size_t adinlen) ++{ + return drbg_reseed(dctx, adin, adinlen, 1); + } + +@@ -358,6 +371,19 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, u + int prediction_resistance, + const unsigned char *adin, size_t adinlen) + { ++ int len = (int)outlen; ++ ++ if (len < 0 || (size_t)len != outlen) { ++ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG); ++ return 0; ++ } ++ return RAND_bytes(out, len); ++} ++ ++int FIPS_drbg_generate_internal(DRBG_CTX *dctx, unsigned char *out, size_t outlen, ++ int prediction_resistance, ++ const unsigned char *adin, size_t adinlen) ++{ + int r = 0; + + if (FIPS_selftest_failed()) { +Index: openssl-1.1.1l/crypto/fips/fips_drbg_rand.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips_drbg_rand.c ++++ openssl-1.1.1l/crypto/fips/fips_drbg_rand.c +@@ -57,6 +57,8 @@ + #include + #include + #include ++#define FIPS_DRBG_generate FIPS_DRBG_generate_internal ++#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal + #include + #include "fips_rand_lcl.h" + +Index: openssl-1.1.1l/crypto/fips/fips_drbg_selftest.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips_drbg_selftest.c ++++ openssl-1.1.1l/crypto/fips/fips_drbg_selftest.c +@@ -55,6 +55,8 @@ + #include + #include + #include ++#define FIPS_DRBG_generate FIPS_DRBG_generate_internal ++#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal + #include + #include "fips_rand_lcl.h" + #include "fips_locl.h" +Index: openssl-1.1.1l/crypto/fips/fips_rand_lib.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips_rand_lib.c ++++ openssl-1.1.1l/crypto/fips/fips_rand_lib.c +@@ -120,6 +120,7 @@ void FIPS_rand_reset(void) + + int FIPS_rand_seed(const void *buf, int num) + { ++#if 0 + if (!fips_approved_rand_meth && FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD); + return 0; +@@ -127,10 +128,15 @@ int FIPS_rand_seed(const void *buf, int + if (fips_rand_meth && fips_rand_meth->seed) + fips_rand_meth->seed(buf, num); + return 1; ++#else ++ RAND_seed(buf, num); ++ return 1; ++#endif + } + + int FIPS_rand_bytes(unsigned char *buf, int num) + { ++#if 0 + if (!fips_approved_rand_meth && FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD); + return 0; +@@ -138,10 +144,14 @@ int FIPS_rand_bytes(unsigned char *buf, + if (fips_rand_meth && fips_rand_meth->bytes) + return fips_rand_meth->bytes(buf, num); + return 0; ++#else ++ return RAND_bytes(buf, num); ++#endif + } + + int FIPS_rand_status(void) + { ++#if 0 + if (!fips_approved_rand_meth && FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD); + return 0; +@@ -149,6 +159,9 @@ int FIPS_rand_status(void) + if (fips_rand_meth && fips_rand_meth->status) + return fips_rand_meth->status(); + return 0; ++#else ++ return RAND_status(); ++#endif + } + + /* Return instantiated strength of PRNG. For DRBG this is an internal +Index: openssl-1.1.1l/include/openssl/fips.h +=================================================================== +--- openssl-1.1.1l.orig/include/openssl/fips.h ++++ openssl-1.1.1l/include/openssl/fips.h +@@ -64,6 +64,11 @@ extern "C" { + + int FIPS_selftest(void); + int FIPS_selftest_failed(void); ++ ++ /* ++ * This function is deprecated as it performs selftest of the old FIPS drbg ++ * implementation that is not validated. ++ */ + int FIPS_selftest_drbg_all(void); + void NONFIPS_selftest_check(void); + +Index: openssl-1.1.1l/include/openssl/fips_rand.h +=================================================================== +--- openssl-1.1.1l.orig/include/openssl/fips_rand.h ++++ openssl-1.1.1l/include/openssl/fips_rand.h +@@ -60,6 +60,20 @@ + # ifdef __cplusplus + extern "C" { + # endif ++ ++/* ++ * IMPORTANT NOTE: ++ * All functions in this header file are deprecated and should not be used ++ * as they use the old FIPS_drbg implementation that is not FIPS validated ++ * anymore. ++ * To provide backwards compatibility for applications that need FIPS compliant ++ * RNG number generation and use FIPS_drbg_generate, this function was ++ * re-wired to call the FIPS validated DRBG instance instead through ++ * the RAND_bytes() call. ++ * ++ * All these functions will be removed in future. ++ */ ++ + typedef struct drbg_ctx_st DRBG_CTX; + /* DRBG external flags */ + /* Flag for CTR mode only: use derivation function ctr_df */ +Index: openssl-1.1.1l/crypto/fips/fips_post.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips_post.c ++++ openssl-1.1.1l/crypto/fips/fips_post.c +@@ -72,8 +72,13 @@ + int FIPS_selftest(void) + { + int rv = 1; ++#if 0 ++ /* This selftest is deprecated as it uses the old FIPS_drbg ++ * implementation that is not FIPS validated. ++ */ + if (!FIPS_selftest_drbg_all()) + rv = 0; ++#endif + if (!FIPS_selftest_sha1()) + rv = 0; + if (!FIPS_selftest_sha2()) diff --git a/openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch b/openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch new file mode 100644 index 0000000..e990782 --- /dev/null +++ b/openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch @@ -0,0 +1,208 @@ +From 9ab6b64ac856157a31a54c0d12207c2338bfa8e2 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Fri, 9 Sep 2022 14:46:24 +0200 +Subject: [PATCH] Fix AES-GCM on Power 8 CPUs + +Properly fallback to the default implementation on CPUs +missing necessary instructions. + +Fixes #19163 + +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/19182) +--- + crypto/evp/e_aes.c | 146 ++++++++++++++++++++++++++--------------------------- + 1 file changed, 74 insertions(+), 72 deletions(-) + +--- a/crypto/evp/e_aes.c ++++ b/crypto/evp/e_aes.c +@@ -181,30 +181,16 @@ static void ctr64_inc(unsigned char *cou + # define PPC_AES_GCM_CAPABLE (OPENSSL_ppccap_P & PPC_MADD300) + # define AES_GCM_ENC_BYTES 128 + # define AES_GCM_DEC_BYTES 128 +-# if PPC_AES_GCM_CAPABLE + size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, + size_t len, const void *key, unsigned char ivec[16], + u64 *Xi); + size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, + size_t len, const void *key, unsigned char ivec[16], + u64 *Xi); +-size_t ppc_aes_gcm_encrypt_wrap(const unsigned char *in, unsigned char *out, +- size_t len, const void *key, +- unsigned char ivec[16], u64 *Xi); +-size_t ppc_aes_gcm_decrypt_wrap(const unsigned char *in, unsigned char *out, +- size_t len, const void *key, +- unsigned char ivec[16], u64 *Xi); +-# define AES_gcm_encrypt ppc_aes_gcm_encrypt_wrap +-# define AES_gcm_decrypt ppc_aes_gcm_decrypt_wrap +-# define AES_GCM_ASM(gctx) ((gctx)->ctr==aes_p8_ctr32_encrypt_blocks && \ +- (gctx)->gcm.ghash==gcm_ghash_p8) ++# define AES_GCM_ASM_PPC(gctx) ((gctx)->ctr==aes_p8_ctr32_encrypt_blocks && \ ++ (gctx)->gcm.ghash==gcm_ghash_p8) + void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len); + +-extern size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len, +- const void *key, unsigned char ivec[16], u64 *Xi); +-extern size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t len, +- const void *key, unsigned char ivec[16], u64 *Xi); +- + static inline u32 UTO32(unsigned char *buf) + { + return ((u32) buf[0] << 24) | ((u32) buf[1] << 16) | ((u32) buf[2] << 8) | ((u32) buf[3]); +@@ -223,62 +209,6 @@ static inline u32 add32TOU(unsigned char + return r; + } + +-static size_t aes_p10_gcm_crypt(const unsigned char *in, unsigned char *out, size_t len, +- const void *key, unsigned char ivec[16], u64 *Xi, int encrypt) +-{ +- int s = 0; +- int ndone = 0; +- int ctr_reset = 0; +- u64 blocks_unused; +- u64 nb = len / 16; +- u64 next_ctr = 0; +- unsigned char ctr_saved[12]; +- +- memcpy(ctr_saved, ivec, 12); +- +- while (nb) { +- blocks_unused = (u64) 0xffffffffU + 1 - (u64) UTO32 (ivec + 12); +- if (nb > blocks_unused) { +- len = blocks_unused * 16; +- nb -= blocks_unused; +- next_ctr = blocks_unused; +- ctr_reset = 1; +- } else { +- len = nb * 16; +- next_ctr = nb; +- nb = 0; +- } +- +- s = encrypt ? ppc_aes_gcm_encrypt(in, out, len, key, ivec, Xi) +- : ppc_aes_gcm_decrypt(in, out, len, key, ivec, Xi); +- +- /* add counter to ivec */ +- add32TOU(ivec + 12, (u32) next_ctr); +- if (ctr_reset) { +- ctr_reset = 0; +- in += len; +- out += len; +- } +- memcpy(ivec, ctr_saved, 12); +- ndone += s; +- } +- +- return ndone; +-} +- +-size_t ppc_aes_gcm_encrypt_wrap(const unsigned char *in, unsigned char *out, size_t len, +- const void *key, unsigned char ivec[16], u64 *Xi) +-{ +- return aes_p10_gcm_crypt(in, out, len, key, ivec, Xi, 1); +-} +- +-size_t ppc_aes_gcm_decrypt_wrap(const unsigned char *in, unsigned char *out, size_t len, +- const void *key, unsigned char ivec[16], u64 *Xi) +-{ +- return aes_p10_gcm_crypt(in, out, len, key, ivec, Xi, 0); +-} +- +-# endif + #endif + + #if defined(OPENSSL_CPUID_OBJ) && ( \ +@@ -3294,6 +3224,51 @@ static int aes_gcm_tls_cipher(EVP_CIPHER + return rv; + } + ++#if defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC)) ++static size_t ppc_aes_gcm_crypt(const unsigned char *in, unsigned char *out, size_t len, ++ const void *key, unsigned char ivec[16], u64 *Xi, int encrypt) ++{ ++ int s = 0; ++ int ndone = 0; ++ int ctr_reset = 0; ++ u64 blocks_unused; ++ u64 nb = len / 16; ++ u64 next_ctr = 0; ++ unsigned char ctr_saved[12]; ++ ++ memcpy(ctr_saved, ivec, 12); ++ ++ while (nb) { ++ blocks_unused = (u64) 0xffffffffU + 1 - (u64) UTO32 (ivec + 12); ++ if (nb > blocks_unused) { ++ len = blocks_unused * 16; ++ nb -= blocks_unused; ++ next_ctr = blocks_unused; ++ ctr_reset = 1; ++ } else { ++ len = nb * 16; ++ next_ctr = nb; ++ nb = 0; ++ } ++ ++ s = encrypt ? ppc_aes_gcm_encrypt(in, out, len, key, ivec, Xi) ++ : ppc_aes_gcm_decrypt(in, out, len, key, ivec, Xi); ++ ++ /* add counter to ivec */ ++ add32TOU(ivec + 12, (u32) next_ctr); ++ if (ctr_reset) { ++ ctr_reset = 0; ++ in += len; ++ out += len; ++ } ++ memcpy(ivec, ctr_saved, 12); ++ ndone += s; ++ } ++ ++ return ndone; ++} ++#endif ++ + static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t len) + { +@@ -3325,6 +3300,20 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX + out + res, len - res, + gctx->gcm.key, gctx->gcm.Yi.c, + gctx->gcm.Xi.u); ++ ++ gctx->gcm.len.u[1] += bulk; ++ bulk += res; ++ } ++#elif defined(AES_GCM_ASM_PPC) && defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC)) ++ if (PPC_AES_GCM_CAPABLE && len >= AES_GCM_ENC_BYTES && AES_GCM_ASM_PPC(gctx)) { ++ size_t res = (16 - gctx->gcm.mres) % 16; ++ ++ if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res)) ++ return -1; ++ ++ bulk = ppc_aes_gcm_crypt(in + res, out + res, len - res, ++ gctx->gcm.key, ++ gctx->gcm.Yi.c, gctx->gcm.Xi.u, 1); + gctx->gcm.len.u[1] += bulk; + bulk += res; + } +@@ -3372,6 +3361,19 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX + gctx->gcm.len.u[1] += bulk; + bulk += res; + } ++#elif defined(AES_GCM_ASM_PPC) && defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC)) ++ if (PPC_AES_GCM_CAPABLE && len >= AES_GCM_DEC_BYTES && AES_GCM_ASM_PPC(gctx)) { ++ size_t res = (16 - gctx->gcm.mres) % 16; ++ ++ if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res)) ++ return -1; ++ ++ bulk = ppc_aes_gcm_crypt(in + res, out + res, len - res, ++ gctx->gcm.key, ++ gctx->gcm.Yi.c, gctx->gcm.Xi.u, 0); ++ gctx->gcm.len.u[1] += bulk; ++ bulk += res; ++ } + #endif + if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, + in + bulk, diff --git a/openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch b/openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch new file mode 100644 index 0000000..a727083 --- /dev/null +++ b/openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch @@ -0,0 +1,103 @@ +From 7e1f3ffcc5bc15fb9a12b9e3bb202f544c6ed5aa Mon Sep 17 00:00:00 2001 +From: Danny Tsen +Date: Wed, 23 Feb 2022 13:18:35 -0600 +Subject: [PATCH] Fixed conditional statement testing 64 and 256 bytes + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/17760) +--- + crypto/chacha/asm/chachap10-ppc.pl | 68 ------------------------------------- + 1 file changed, 1 insertion(+), 67 deletions(-) + +--- a/crypto/chacha/asm/chachap10-ppc.pl ++++ b/crypto/chacha/asm/chachap10-ppc.pl +@@ -101,29 +101,6 @@ my ($x00,$x10,$x20,$x30) = (0, map("r$_" + + my $FRAME=$LOCALS+64+7*16; # 7*16 is for v26-v31 offload + +-sub VSX_lane_ROUND_1x { +-my $a=@_[0]; +-my $b=@_[1]; +-my $c=@_[2]; +-my $d=@_[3]; +-my $odd=@_[4]; +- vadduwm ($a,$a,$b); +- vxor ($d,$d,$a); +- vrlw ($d,$d,$sixteen); +- vadduwm ($c,$c,$d); +- vxor ($b,$b,$c); +- vrlw ($b,$b,$twelve); +- vadduwm ($a,$a,$b); +- vxor ($d,$d,$a); +- vrlw ($d,$d,$eight); +- vadduwm ($c,$c,$d); +- vxor ($b,$b,$c); +- vrlw ($b,$b,$seven); +- xxsldwi ($c,$c,$c,2); +- xxsldwi ($b,$b,$b,$odd?3:1); +- xxsldwi ($d,$d,$d,$odd?1:3); +-} +- + + sub VSX_lane_ROUND_4x { + my ($a0,$b0,$c0,$d0)=@_; +@@ -192,7 +169,7 @@ $code.=<<___; + .globl .ChaCha20_ctr32_vsx_p10 + .align 5 + .ChaCha20_ctr32_vsx_p10: +- ${UCMP}i $len,256 ++ ${UCMP}i $len,255 + bgt ChaCha20_ctr32_vsx_8x + $STU $sp,-$FRAME($sp) + mflr r0 +@@ -268,49 +245,6 @@ Loop_outer_vsx: + vspltisw $eight,8 + vspltisw $seven,7 + +- ${UCMP}i $len,64 +- bgt Loop_vsx_4x +- +- vmr $xa0,@K[0] +- vmr $xb0,@K[1] +- vmr $xc0,@K[2] +- vmr $xd0,@K[3] +- +-Loop_vsx_1x: +-___ +- VSX_lane_ROUND_1x($xa0, $xb0, $xc0,$xd0,0); +- VSX_lane_ROUND_1x($xa0, $xb0, $xc0,$xd0,1); +- +-$code.=<<___; +- +- bdnz Loop_vsx_1x +- +- vadduwm $xa0, $xa0, @K[0] +- vadduwm $xb0, $xb0, @K[1] +- vadduwm $xc0, $xc0, @K[2] +- vadduwm $xd0, $xd0, @K[3] +- ${UCMP}i $len,0x40 +- blt Ltail_vsx +- +- lvx_4w $xt0,$x00, $inp +- lvx_4w $xt1,$x10, $inp +- lvx_4w $xt2,$x20, $inp +- lvx_4w $xt3,$x30, $inp +- +- vxor $xa0,$xa0,$xt0 +- vxor $xb0,$xb0,$xt1 +- vxor $xc0,$xc0,$xt2 +- vxor $xd0,$xd0,$xt3 +- +- stvx_4w $xa0,$x00,$out +- stvx_4w $xb0,$x10,$out +- addi $inp,$inp,0x40 +- stvx_4w $xc0,$x20,$out +- subi $len,$len,0x40 +- stvx_4w $xd0,$x30,$out +- addi $out,$out,0x40 +- beq Ldone_vsx +- + Loop_vsx_4x: + ___ + foreach (&VSX_lane_ROUND_4x(0, 4, 8,12)) { eval; } diff --git a/openssl-1_1-Fixed-counter-overflow.patch b/openssl-1_1-Fixed-counter-overflow.patch new file mode 100644 index 0000000..40d8213 --- /dev/null +++ b/openssl-1_1-Fixed-counter-overflow.patch @@ -0,0 +1,136 @@ +From 345c99b6654b8313c792d54f829943068911ddbd Mon Sep 17 00:00:00 2001 +From: Danny Tsen +Date: Thu, 27 Jan 2022 18:49:59 -0600 +Subject: [PATCH] Fixed counter overflow + +Reviewed-by: Tomas Mraz +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/17607) +--- + crypto/evp/e_aes.c | 101 +++++++++++++++++++++++++++++++++++++--- + crypto/modes/asm/aes-gcm-ppc.pl | 1 + 2 files changed, 94 insertions(+), 8 deletions(-) + +--- a/crypto/evp/e_aes.c ++++ b/crypto/evp/e_aes.c +@@ -181,16 +181,103 @@ static void ctr64_inc(unsigned char *cou + # define PPC_AES_GCM_CAPABLE (OPENSSL_ppccap_P & PPC_MADD300) + # define AES_GCM_ENC_BYTES 128 + # define AES_GCM_DEC_BYTES 128 +-size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len, +- const void *key, unsigned char ivec[16], u64 *Xi); +-size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t len, +- const void *key, unsigned char ivec[16], u64 *Xi); +-void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len); + # if PPC_AES_GCM_CAPABLE +-# define AES_gcm_encrypt ppc_aes_gcm_encrypt +-# define AES_gcm_decrypt ppc_aes_gcm_decrypt ++size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, ++ size_t len, const void *key, unsigned char ivec[16], ++ u64 *Xi); ++size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, ++ size_t len, const void *key, unsigned char ivec[16], ++ u64 *Xi); ++size_t ppc_aes_gcm_encrypt_wrap(const unsigned char *in, unsigned char *out, ++ size_t len, const void *key, ++ unsigned char ivec[16], u64 *Xi); ++size_t ppc_aes_gcm_decrypt_wrap(const unsigned char *in, unsigned char *out, ++ size_t len, const void *key, ++ unsigned char ivec[16], u64 *Xi); ++# define AES_gcm_encrypt ppc_aes_gcm_encrypt_wrap ++# define AES_gcm_decrypt ppc_aes_gcm_decrypt_wrap + # define AES_GCM_ASM(gctx) ((gctx)->ctr==aes_p8_ctr32_encrypt_blocks && \ + (gctx)->gcm.ghash==gcm_ghash_p8) ++void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len); ++ ++extern size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len, ++ const void *key, unsigned char ivec[16], u64 *Xi); ++extern size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t len, ++ const void *key, unsigned char ivec[16], u64 *Xi); ++ ++static inline u32 UTO32(unsigned char *buf) ++{ ++ return ((u32) buf[0] << 24) | ((u32) buf[1] << 16) | ((u32) buf[2] << 8) | ((u32) buf[3]); ++} ++ ++static inline u32 add32TOU(unsigned char buf[4], u32 n) ++{ ++ u32 r; ++ ++ r = UTO32(buf); ++ r += n; ++ buf[0] = (unsigned char) (r >> 24) & 0xFF; ++ buf[1] = (unsigned char) (r >> 16) & 0xFF; ++ buf[2] = (unsigned char) (r >> 8) & 0xFF; ++ buf[3] = (unsigned char) r & 0xFF; ++ return r; ++} ++ ++static size_t aes_p10_gcm_crypt(const unsigned char *in, unsigned char *out, size_t len, ++ const void *key, unsigned char ivec[16], u64 *Xi, int encrypt) ++{ ++ int s = 0; ++ int ndone = 0; ++ int ctr_reset = 0; ++ u64 blocks_unused; ++ u64 nb = len / 16; ++ u64 next_ctr = 0; ++ unsigned char ctr_saved[12]; ++ ++ memcpy(ctr_saved, ivec, 12); ++ ++ while (nb) { ++ blocks_unused = (u64) 0xffffffffU + 1 - (u64) UTO32 (ivec + 12); ++ if (nb > blocks_unused) { ++ len = blocks_unused * 16; ++ nb -= blocks_unused; ++ next_ctr = blocks_unused; ++ ctr_reset = 1; ++ } else { ++ len = nb * 16; ++ next_ctr = nb; ++ nb = 0; ++ } ++ ++ s = encrypt ? ppc_aes_gcm_encrypt(in, out, len, key, ivec, Xi) ++ : ppc_aes_gcm_decrypt(in, out, len, key, ivec, Xi); ++ ++ /* add counter to ivec */ ++ add32TOU(ivec + 12, (u32) next_ctr); ++ if (ctr_reset) { ++ ctr_reset = 0; ++ in += len; ++ out += len; ++ } ++ memcpy(ivec, ctr_saved, 12); ++ ndone += s; ++ } ++ ++ return ndone; ++} ++ ++size_t ppc_aes_gcm_encrypt_wrap(const unsigned char *in, unsigned char *out, size_t len, ++ const void *key, unsigned char ivec[16], u64 *Xi) ++{ ++ return aes_p10_gcm_crypt(in, out, len, key, ivec, Xi, 1); ++} ++ ++size_t ppc_aes_gcm_decrypt_wrap(const unsigned char *in, unsigned char *out, size_t len, ++ const void *key, unsigned char ivec[16], u64 *Xi) ++{ ++ return aes_p10_gcm_crypt(in, out, len, key, ivec, Xi, 0); ++} ++ + # endif + #endif + +--- a/crypto/modes/asm/aes-gcm-ppc.pl ++++ b/crypto/modes/asm/aes-gcm-ppc.pl +@@ -81,7 +81,6 @@ open STDOUT,"| $^X $xlate $flavour \"$ou + + $code=<<___; + .machine "any" +-.abiversion 2 + .text + + # 4x loops diff --git a/openssl-1_1-Optimize-AES-GCM-uarchs.patch b/openssl-1_1-Optimize-AES-GCM-uarchs.patch new file mode 100644 index 0000000..69e4302 --- /dev/null +++ b/openssl-1_1-Optimize-AES-GCM-uarchs.patch @@ -0,0 +1,7709 @@ +From 954f45ba4c504570206ff5bed811e512cf92dc8e Mon Sep 17 00:00:00 2001 +From: XiaokangQian +Date: Wed, 9 Jun 2021 06:35:46 +0000 +Subject: [PATCH] Optimize AES-GCM for uarchs with unroll and new instructions + +Increase the block numbers to 8 for every iteration. Increase the hash +table capacity. Make use of EOR3 instruction to improve the performance. + +This can improve performance 25-40% on out-of-order microarchitectures +with a large number of fast execution units, such as Neoverse V1. We also +see 20-30% performance improvements on other architectures such as the M1. + +Assembly code reviewd by Tom Cosgrove (ARM). + +Reviewed-by: Bernd Edlinger +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/15916) +--- + crypto/arm64cpuid.pl | 8 + + crypto/arm_arch.h | 6 + + crypto/armcap.c | 24 +- + crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl | 7369 +++++++++++++++++ + crypto/modes/asm/ghashv8-armx.pl | 105 +- + crypto/modes/build.info | 4 +- + include/crypto/aes_platform.h | 12 + + .../ciphers/cipher_aes_gcm_hw_armv8.inc | 36 +- + 8 files changed, 7546 insertions(+), 18 deletions(-) + create mode 100644 crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl + +Index: openssl-1.1.1m/crypto/arm64cpuid.pl +=================================================================== +--- openssl-1.1.1m.orig/crypto/arm64cpuid.pl ++++ openssl-1.1.1m/crypto/arm64cpuid.pl +@@ -78,6 +78,14 @@ _armv8_sha512_probe: + ret + .size _armv8_sha512_probe,.-_armv8_sha512_probe + ++.globl _armv8_eor3_probe ++.type _armv8_eor3_probe,%function ++_armv8_eor3_probe: ++ AARCH64_VALID_CALL_TARGET ++ .long 0xce010800 // eor3 v0.16b, v0.16b, v1.16b, v2.16b ++ ret ++.size _armv8_eor3_probe,.-_armv8_eor3_probe ++ + .globl _armv8_cpuid_probe + .type _armv8_cpuid_probe,%function + _armv8_cpuid_probe: +Index: openssl-1.1.1m/crypto/arm_arch.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/arm_arch.h ++++ openssl-1.1.1m/crypto/arm_arch.h +@@ -83,6 +83,9 @@ extern unsigned int OPENSSL_arm_midr; + # define ARMV8_SHA512 (1<<6) + # define ARMV8_CPUID (1<<7) + ++# define ARMV8_SHA3 (1<<11) ++# define ARMV8_UNROLL8_EOR3 (1<<12) ++ + /* + * MIDR_EL1 system register + * +@@ -97,6 +100,7 @@ extern unsigned int OPENSSL_arm_midr; + + # define ARM_CPU_PART_CORTEX_A72 0xD08 + # define ARM_CPU_PART_N1 0xD0C ++# define ARM_CPU_PART_V1 0xD40 + + # define MIDR_PARTNUM_SHIFT 4 + # define MIDR_PARTNUM_MASK (0xfff << MIDR_PARTNUM_SHIFT) +@@ -125,4 +129,29 @@ extern unsigned int OPENSSL_arm_midr; + + # define MIDR_IS_CPU_MODEL(midr, imp, partnum) \ + (((midr) & MIDR_CPU_MODEL_MASK) == MIDR_CPU_MODEL(imp, partnum)) ++ ++# define IS_CPU_SUPPORT_UNROLL8_EOR3() \ ++ (OPENSSL_armcap_P & ARMV8_UNROLL8_EOR3) ++ ++#if defined(__ASSEMBLER__) ++ ++ /* ++ * Support macros for ++ * - Armv8.3-A Pointer Authentication and ++ * - Armv8.5-A Branch Target Identification ++ * features which require emitting a .note.gnu.property section with the ++ * appropriate architecture-dependent feature bits set. ++ * Read more: "ELF for the Arm® 64-bit Architecture" ++ */ ++ ++# if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1 ++# define GNU_PROPERTY_AARCH64_BTI (1 << 0) /* Has Branch Target Identification */ ++# define AARCH64_VALID_CALL_TARGET hint #34 /* BTI 'c' */ ++# else ++# define GNU_PROPERTY_AARCH64_BTI 0 /* No Branch Target Identification */ ++# define AARCH64_VALID_CALL_TARGET ++# endif ++ ++# endif /* defined __ASSEMBLER__ */ ++ + #endif +Index: openssl-1.1.1m/crypto/armcap.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/armcap.c ++++ openssl-1.1.1m/crypto/armcap.c +@@ -13,6 +13,9 @@ + #include + #include + #include ++#ifdef __APPLE__ ++#include ++#endif + #include "internal/cryptlib.h" + + #include "arm_arch.h" +@@ -134,6 +137,7 @@ static unsigned long getauxval(unsigned + # define HWCAP_CE_SHA1 (1 << 5) + # define HWCAP_CE_SHA256 (1 << 6) + # define HWCAP_CPUID (1 << 11) ++# define HWCAP_SHA3 (1 << 17) + # define HWCAP_CE_SHA512 (1 << 21) + # endif + +@@ -148,12 +152,15 @@ void OPENSSL_cpuid_setup(void) + return; + trigger = 1; + ++ OPENSSL_armcap_P = 0; ++ + if ((e = getenv("OPENSSL_armcap"))) { + OPENSSL_armcap_P = (unsigned int)strtoul(e, NULL, 0); + return; + } + +-# if defined(__APPLE__) && !defined(__aarch64__) ++# if defined(__APPLE__) ++# if !defined(__aarch64__) + /* + * Capability probing by catching SIGILL appears to be problematic + * on iOS. But since Apple universe is "monocultural", it's actually +@@ -169,9 +176,25 @@ void OPENSSL_cpuid_setup(void) + * Unified code works because it never triggers SIGILL on Apple + * devices... + */ +-# endif ++# else ++ { ++ unsigned int feature; ++ size_t len = sizeof(feature); ++ char uarch[64]; + +- OPENSSL_armcap_P = 0; ++ if (sysctlbyname("hw.optional.armv8_2_sha512", &feature, &len, NULL, 0) == 0 && feature == 1) ++ OPENSSL_armcap_P |= ARMV8_SHA512; ++ feature = 0; ++ if (sysctlbyname("hw.optional.armv8_2_sha3", &feature, &len, NULL, 0) == 0 && feature == 1) { ++ OPENSSL_armcap_P |= ARMV8_SHA3; ++ len = sizeof(uarch); ++ if ((sysctlbyname("machdep.cpu.brand_string", uarch, &len, NULL, 0) == 0) && ++ (strncmp(uarch, "Apple M1", 8) == 0)) ++ OPENSSL_armcap_P |= ARMV8_UNROLL8_EOR3; ++ } ++ } ++# endif ++# endif + + # ifdef OSSL_IMPLEMENT_GETAUXVAL + if (getauxval(HWCAP) & HWCAP_NEON) { +@@ -197,6 +220,9 @@ void OPENSSL_cpuid_setup(void) + + if (hwcap & HWCAP_CPUID) + OPENSSL_armcap_P |= ARMV8_CPUID; ++ ++ if (hwcap & HWCAP_SHA3) ++ OPENSSL_armcap_P |= ARMV8_SHA3; + # endif + } + # endif +@@ -240,6 +266,10 @@ void OPENSSL_cpuid_setup(void) + _armv8_sha512_probe(); + OPENSSL_armcap_P |= ARMV8_SHA512; + } ++ if (sigsetjmp(ill_jmp, 1) == 0) { ++ _armv8_eor3_probe(); ++ OPENSSL_armcap_P |= ARMV8_SHA3; ++ } + # endif + } + # endif +@@ -262,6 +292,9 @@ void OPENSSL_cpuid_setup(void) + (OPENSSL_armcap_P & ARMV7_NEON)) { + OPENSSL_armv8_rsa_neonized = 1; + } ++ if ((MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_V1)) && ++ (OPENSSL_armcap_P & ARMV8_SHA3)) ++ OPENSSL_armcap_P |= ARMV8_UNROLL8_EOR3; + # endif + } + #endif +Index: openssl-1.1.1m/crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl +=================================================================== +--- /dev/null ++++ openssl-1.1.1m/crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl +@@ -0,0 +1,7369 @@ ++#! /usr/bin/env perl ++# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++# ++#======================================================================== ++# Written by Xiaokang Qian for the OpenSSL project, ++# derived from https://github.com/ARM-software/AArch64cryptolib, original ++# author Samuel Lee . The module is, however, dual ++# licensed under OpenSSL and SPDX BSD-3-Clause licenses depending on where you ++# obtain it. ++#======================================================================== ++# ++# Approach - We want to reload constants as we have plenty of spare ASIMD slots around crypto units for loading ++# Unroll x8 in main loop, main loop to act on 8 16B blocks per iteration, and then do modulo of the accumulated ++# intermediate hashesfrom the 8 blocks. ++# ++# ____________________________________________________ ++# | | ++# | PRE | ++# |____________________________________________________| ++# | | | | ++# | CTR block 8k+13| AES block 8k+8 | GHASH block 8k+0 | ++# |________________|________________|__________________| ++# | | | | ++# | CTR block 8k+14| AES block 8k+9 | GHASH block 8k+1 | ++# |________________|________________|__________________| ++# | | | | ++# | CTR block 8k+15| AES block 8k+10| GHASH block 8k+2 | ++# |________________|________________|__________________| ++# | | | | ++# | CTR block 8k+16| AES block 8k+11| GHASH block 8k+3 | ++# |________________|________________|__________________| ++# | | | | ++# | CTR block 8k+17| AES block 8k+12| GHASH block 8k+4 | ++# |________________|________________|__________________| ++# | | | | ++# | CTR block 8k+18| AES block 8k+13| GHASH block 8k+5 | ++# |________________|________________|__________________| ++# | | | | ++# | CTR block 8k+19| AES block 8k+14| GHASH block 8k+6 | ++# |________________|________________|__________________| ++# | | | | ++# | CTR block 8k+20| AES block 8k+15| GHASH block 8k+7 | ++# |________________|____(mostly)____|__________________| ++# | | ++# | MODULO | ++# |____________________________________________________| ++# ++# PRE: ++# Ensure previous generated intermediate hash is aligned and merged with result for GHASH 4k+0 ++# EXT low_acc, low_acc, low_acc, #8 ++# EOR res_curr (8k+0), res_curr (4k+0), low_acc ++# ++# CTR block: ++# Increment and byte reverse counter in scalar registers and transfer to SIMD registers ++# REV ctr32, rev_ctr32 ++# ORR ctr64, constctr96_top32, ctr32, LSL #32 ++# INS ctr_next.d[0], constctr96_bottom64 // Keeping this in scalar registers to free up space in SIMD RF ++# INS ctr_next.d[1], ctr64X ++# ADD rev_ctr32, #1 ++# ++# AES block: ++# Do AES encryption/decryption on CTR block X and EOR it with input block X. Take 256 bytes key below for example. ++# Doing small trick here of loading input in scalar registers, EORing with last key and then transferring ++# Given we are very constrained in our ASIMD registers this is quite important ++# ++# Encrypt: ++# LDR input_low, [ input_ptr ], #8 ++# LDR input_high, [ input_ptr ], #8 ++# EOR input_low, k14_low ++# EOR input_high, k14_high ++# INS res_curr.d[0], input_low ++# INS res_curr.d[1], input_high ++# AESE ctr_curr, k0; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k1; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k2; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k3; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k4; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k5; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k6; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k7; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k8; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k9; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k10; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k11; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k12; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k13 ++# EOR res_curr, res_curr, ctr_curr ++# ST1 { res_curr.16b }, [ output_ptr ], #16 ++# ++# Decrypt: ++# AESE ctr_curr, k0; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k1; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k2; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k3; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k4; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k5; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k6; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k7; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k8; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k9; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k10; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k11; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k12; AESMC ctr_curr, ctr_curr ++# AESE ctr_curr, k13 ++# LDR res_curr, [ input_ptr ], #16 ++# EOR res_curr, res_curr, ctr_curr ++# MOV output_low, res_curr.d[0] ++# MOV output_high, res_curr.d[1] ++# EOR output_low, k14_low ++# EOR output_high, k14_high ++# STP output_low, output_high, [ output_ptr ], #16 ++ ++# GHASH block X: ++# Do 128b karatsuba polynomial multiplication on block ++# We only have 64b->128b polynomial multipliers, naively that means we need to do 4 64b multiplies to generate a 128b ++# ++# multiplication: ++# Pmull(A,B) == (Pmull(Ah,Bh)<<128 | Pmull(Al,Bl)) ^ (Pmull(Ah,Bl) ^ Pmull(Al,Bh))<<64 ++# ++# The idea behind Karatsuba multiplication is that we can do just 3 64b multiplies: ++# Pmull(A,B) == (Pmull(Ah,Bh)<<128 | Pmull(Al,Bl)) ^ (Pmull(Ah^Al,Bh^Bl) ^ Pmull(Ah,Bh) ^ Pmull(Al,Bl))<<64 ++# ++# There is some complication here because the bit order of GHASH's PMULL is reversed compared to elsewhere, so we are ++# multiplying with "twisted" powers of H ++# ++# Note: We can PMULL directly into the acc_x in first GHASH of the loop ++# Note: For scheduling big cores we want to split the processing to happen over two loop iterations - otherwise the critical ++# path latency dominates the performance ++# ++# This has a knock on effect on register pressure, so we have to be a bit more clever with our temporary registers ++# than indicated here ++# REV64 res_curr, res_curr ++# INS t_m.d[0], res_curr.d[1] ++# EOR t_m.8B, t_m.8B, res_curr.8B ++# PMULL2 t_h, res_curr, HX ++# PMULL t_l, res_curr, HX ++# PMULL t_m, t_m, HX_k ++# EOR acc_h, acc_h, t_h ++# EOR acc_l, acc_l, t_l ++# EOR acc_m, acc_m, t_m ++# ++# MODULO: take the partial accumulators (~representing sum of 256b multiplication results), from GHASH and do modulo reduction on them ++# There is some complication here because the bit order of GHASH's PMULL is reversed compared to elsewhere, so we are doing modulo ++# with a reversed constant ++# EOR3 acc_m, acc_m, acc_l, acc_h // Finish off karatsuba processing ++# PMULL t_mod, acc_h, mod_constant ++# EXT acc_h, acc_h, acc_h, #8 ++# EOR3 acc_m, acc_m, t_mod, acc_h ++# PMULL acc_h, acc_m, mod_constant ++# EXT acc_m, acc_m, acc_m, #8 ++# EOR3 acc_l, acc_l, acc_m, acc_h ++ ++$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; ++$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; ++ ++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ++( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or ++( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate ) or ++die "can't locate arm-xlate.pl"; ++ ++die "only for 64 bit" if $flavour !~ /64/; ++ ++open OUT,"| \"$^X\" $xlate $flavour $output"; ++*STDOUT=*OUT; ++ ++$code=<<___; ++#include "arm_arch.h" ++ ++#if __ARM_MAX_ARCH__>=8 ++___ ++$code.=".arch armv8.2-a+crypto\n.arch_extension sha3\n.text\n"; ++ ++$input_ptr="x0"; #argument block ++$bit_length="x1"; ++$output_ptr="x2"; ++$current_tag="x3"; ++$counter="x16"; ++$constant_temp="x15"; ++$modulo_constant="x10"; ++$cc="x8"; ++{ ++my ($end_input_ptr,$main_end_input_ptr,$temp0_x,$temp1_x)=map("x$_",(4..7)); ++my ($temp2_x,$temp3_x)=map("x$_",(13..14)); ++my ($ctr0b,$ctr1b,$ctr2b,$ctr3b,$ctr4b,$ctr5b,$ctr6b,$ctr7b,$res0b,$res1b,$res2b,$res3b,$res4b,$res5b,$res6b,$res7b)=map("v$_.16b",(0..15)); ++my ($ctr0,$ctr1,$ctr2,$ctr3,$ctr4,$ctr5,$ctr6,$ctr7,$res0,$res1,$res2,$res3,$res4,$res5,$res6,$res7)=map("v$_",(0..15)); ++my ($ctr0d,$ctr1d,$ctr2d,$ctr3d,$ctr4d,$ctr5d,$ctr6d,$ctr7d)=map("d$_",(0..7)); ++my ($ctr0q,$ctr1q,$ctr2q,$ctr3q,$ctr4q,$ctr5q,$ctr6q,$ctr7q)=map("q$_",(0..7)); ++my ($res0q,$res1q,$res2q,$res3q,$res4q,$res5q,$res6q,$res7q)=map("q$_",(8..15)); ++ ++my ($ctr_t0,$ctr_t1,$ctr_t2,$ctr_t3,$ctr_t4,$ctr_t5,$ctr_t6,$ctr_t7)=map("v$_",(8..15)); ++my ($ctr_t0b,$ctr_t1b,$ctr_t2b,$ctr_t3b,$ctr_t4b,$ctr_t5b,$ctr_t6b,$ctr_t7b)=map("v$_.16b",(8..15)); ++my ($ctr_t0q,$ctr_t1q,$ctr_t2q,$ctr_t3q,$ctr_t4q,$ctr_t5q,$ctr_t6q,$ctr_t7q)=map("q$_",(8..15)); ++ ++my ($acc_hb,$acc_mb,$acc_lb)=map("v$_.16b",(17..19)); ++my ($acc_h,$acc_m,$acc_l)=map("v$_",(17..19)); ++ ++my ($h1,$h12k,$h2,$h3,$h34k,$h4)=map("v$_",(20..25)); ++my ($h5,$h56k,$h6,$h7,$h78k,$h8)=map("v$_",(20..25)); ++my ($h1q,$h12kq,$h2q,$h3q,$h34kq,$h4q)=map("q$_",(20..25)); ++my ($h5q,$h56kq,$h6q,$h7q,$h78kq,$h8q)=map("q$_",(20..25)); ++ ++my $t0="v16"; ++my $t0d="d16"; ++ ++my $t1="v29"; ++my $t2=$res1; ++my $t3=$t1; ++ ++my $t4=$res0; ++my $t5=$res2; ++my $t6=$t0; ++ ++my $t7=$res3; ++my $t8=$res4; ++my $t9=$res5; ++ ++my $t10=$res6; ++my $t11="v21"; ++my $t12=$t1; ++ ++my $rtmp_ctr="v30"; ++my $rtmp_ctrq="q30"; ++my $rctr_inc="v31"; ++my $rctr_incd="d31"; ++ ++my $mod_constantd=$t0d; ++my $mod_constant=$t0; ++ ++my ($rk0,$rk1,$rk2)=map("v$_.16b",(26..28)); ++my ($rk3,$rk4,$rk5)=map("v$_.16b",(26..28)); ++my ($rk6,$rk7,$rk8)=map("v$_.16b",(26..28)); ++my ($rk9,$rk10,$rk11)=map("v$_.16b",(26..28)); ++my ($rk12,$rk13,$rk14)=map("v$_.16b",(26..28)); ++my ($rk0q,$rk1q,$rk2q)=map("q$_",(26..28)); ++my ($rk3q,$rk4q,$rk5q)=map("q$_",(26..28)); ++my ($rk6q,$rk7q,$rk8q)=map("q$_",(26..28)); ++my ($rk9q,$rk10q,$rk11q)=map("q$_",(26..28)); ++my ($rk12q,$rk13q,$rk14q)=map("q$_",(26..28)); ++my $rk2q1="v28.1q"; ++my $rk3q1="v26.1q"; ++my $rk4v="v27"; ++ ++ ++######################################################################################### ++# size_t unroll8_eor3_aes_gcm_enc_128_kernel(const unsigned char *in, ++# size_t len, ++# unsigned char *out, ++# const void *key, ++# unsigned char ivec[16], ++# u64 *Xi); ++# ++$code.=<<___; ++.global unroll8_eor3_aes_gcm_enc_128_kernel ++.type unroll8_eor3_aes_gcm_enc_128_kernel,%function ++.align 4 ++unroll8_eor3_aes_gcm_enc_128_kernel: ++ AARCH64_VALID_CALL_TARGET ++ cbz x1, .L128_enc_ret ++ stp d8, d9, [sp, #-80]! ++ mov $counter, x4 ++ mov $cc, x5 ++ stp d10, d11, [sp, #16] ++ stp d12, d13, [sp, #32] ++ stp d14, d15, [sp, #48] ++ mov x5, #0xc200000000000000 ++ stp x5, xzr, [sp, #64] ++ add $modulo_constant, sp, #64 ++ ++ mov $constant_temp, #0x100000000 @ set up counter increment ++ movi $rctr_inc.16b, #0x0 ++ mov $rctr_inc.d[1], $constant_temp ++ lsr $main_end_input_ptr, $bit_length, #3 @ byte_len ++ ld1 { $ctr0b}, [$counter] @ CTR block 0 ++ ++ sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1 ++ ++ and $main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffff80 @ number of bytes to be processed in main loop (at least 1 byte must be handled by tail) ++ ++ rev32 $rtmp_ctr.16b, $ctr0.16b @ set up reversed counter ++ ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 0 ++ ++ rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 1 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 1 ++ ++ rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 2 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 2 ++ ++ rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 3 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 3 ++ ++ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 4 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 4 ++ ++ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 5 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 5 ++ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 ++ ++ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 6 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 6 ++ ++ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 7 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 7 ++ ++ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 0 ++ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 0 ++ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 ++ ++ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0 ++ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 ++ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 ++ ++ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 0 ++ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 0 ++ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 ++ ++ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 ++ ++ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 1 ++ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 1 ++ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 1 ++ ++ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 ++ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 1 ++ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 1 ++ ++ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 2 ++ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 ++ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 ++ ++ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 ++ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 ++ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 2 ++ ++ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2 ++ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 2 ++ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 2 ++ ++ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3 ++ ++ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 ++ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 3 ++ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 3 ++ ++ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 3 ++ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 3 ++ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 3 ++ ++ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 3 ++ ++ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 4 ++ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 3 ++ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 4 ++ ++ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 4 ++ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 4 ++ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 4 ++ ++ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 4 ++ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 4 ++ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 4 ++ ++ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 5 ++ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 5 ++ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 ++ ++ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 5 ++ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 5 ++ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 5 ++ ++ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 5 ++ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 5 ++ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 5 ++ ++ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 6 ++ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 6 ++ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 6 ++ ++ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 6 ++ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 6 ++ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 6 ++ ++ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 6 ++ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 6 ++ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 ++ ++ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 7 ++ ++ ld1 { $acc_lb}, [$current_tag] ++ ext $acc_lb, $acc_lb, $acc_lb, #8 ++ rev64 $acc_lb, $acc_lb ++ ++ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 7 ++ ++ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 7 ++ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 7 ++ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 7 ++ ++ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 7 ++ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 7 ++ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 7 ++ ++ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 ++ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 ++ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 ++ ++ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 ++ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 ++ ldr $rk10q, [$cc, #160] @ load rk10 ++ ++ aese $ctr3b, $rk9 @ AES block 8k+11 - round 9 ++ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 ++ aese $ctr2b, $rk9 @ AES block 8k+10 - round 9 ++ ++ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 ++ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 ++ aese $ctr6b, $rk9 @ AES block 8k+14 - round 9 ++ ++ aese $ctr4b, $rk9 @ AES block 8k+12 - round 9 ++ add $main_end_input_ptr, $main_end_input_ptr, $input_ptr ++ aese $ctr0b, $rk9 @ AES block 8k+8 - round 9 ++ ++ aese $ctr7b, $rk9 @ AES block 8k+15 - round 9 ++ aese $ctr5b, $rk9 @ AES block 8k+13 - round 9 ++ aese $ctr1b, $rk9 @ AES block 8k+9 - round 9 ++ ++ add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr ++ cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks ++ b.ge .L128_enc_tail @ handle tail ++ ++ ldp $ctr_t0q, $ctr_t1q, [$input_ptr], #32 @ AES block 0, 1 - load plaintext ++ ++ ldp $ctr_t2q, $ctr_t3q, [$input_ptr], #32 @ AES block 2, 3 - load plaintext ++ ++ ldp $ctr_t4q, $ctr_t5q, [$input_ptr], #32 @ AES block 4, 5 - load plaintext ++ ++ ldp $ctr_t6q, $ctr_t7q, [$input_ptr], #32 @ AES block 6, 7 - load plaintext ++ cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks ++ ++ eor3 $res0b, $ctr_t0b, $ctr0b, $rk10 @ AES block 0 - result ++ rev32 $ctr0.16b, $rtmp_ctr.16b @ CTR block 8 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8 ++ ++ eor3 $res1b, $ctr_t1b, $ctr1b, $rk10 @ AES block 1 - result ++ stp $res0q, $res1q, [$output_ptr], #32 @ AES block 0, 1 - store result ++ ++ rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 9 ++ eor3 $res5b, $ctr_t5b, $ctr5b, $rk10 @ AES block 5 - result ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 9 ++ ++ eor3 $res2b, $ctr_t2b, $ctr2b, $rk10 @ AES block 2 - result ++ eor3 $res6b, $ctr_t6b, $ctr6b, $rk10 @ AES block 6 - result ++ eor3 $res4b, $ctr_t4b, $ctr4b, $rk10 @ AES block 4 - result ++ ++ rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 10 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 10 ++ ++ eor3 $res3b, $ctr_t3b, $ctr3b, $rk10 @ AES block 3 - result ++ eor3 $res7b, $ctr_t7b, $ctr7b,$rk10 @ AES block 7 - result ++ stp $res2q, $res3q, [$output_ptr], #32 @ AES block 2, 3 - store result ++ ++ rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 11 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 11 ++ stp $res4q, $res5q, [$output_ptr], #32 @ AES block 4, 5 - store result ++ ++ stp $res6q, $res7q, [$output_ptr], #32 @ AES block 6, 7 - store result ++ ++ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 12 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 12 ++ b.ge .L128_enc_prepretail @ do prepretail ++ ++.L128_enc_main_loop: @ main loop start ++ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13 ++ ldr $h5q, [$current_tag, #128] @ load h5l | h5h ++ ext $h5.16b, $h5.16b, $h5.16b, #8 ++ ldr $h6q, [$current_tag, #160] @ load h6l | h6h ++ ext $h6.16b, $h6.16b, $h6.16b, #8 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13 ++ ++ rev64 $res1b, $res1b @ GHASH block 8k+1 ++ rev64 $res0b, $res0b @ GHASH block 8k ++ ldr $h7q, [$current_tag, #176] @ load h7l | h7h ++ ext $h7.16b, $h7.16b, $h7.16b, #8 ++ ldr $h8q, [$current_tag, #208] @ load h8l | h8h ++ ext $h8.16b, $h8.16b, $h8.16b, #8 ++ ++ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14 ++ ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0 ++ ++ ldr $h56kq, [$current_tag, #144] @ load h6k | h5k ++ ldr $h78kq, [$current_tag, #192] @ load h8k | h7k ++ rev64 $res5b, $res5b @ GHASH block 8k+5 (t0, t1, t2 and t3 free) ++ rev64 $res3b, $res3b @ GHASH block 8k+3 ++ ++ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 ++ eor $res0b, $res0b, $acc_lb @ PRE 1 ++ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15 ++ ++ rev64 $res7b, $res7b @ GHASH block 8k+7 (t0, t1, t2 and t3 free) ++ ++ pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high ++ rev64 $res2b, $res2b @ GHASH block 8k+2 ++ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high ++ ++ pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low ++ trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low ++ ++ trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high ++ pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high ++ ++ eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low ++ ldr $h3q, [$current_tag, #80] @ load h3l | h3h ++ ext $h3.16b, $h3.16b, $h3.16b, #8 ++ ldr $h4q, [$current_tag, #112] @ load h3l | h3h ++ ext $h4.16b, $h4.16b, $h4.16b, #8 ++ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0 ++ ++ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0 ++ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0 ++ eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high ++ ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15 ++ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0 ++ eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid ++ ++ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0 ++ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1 ++ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0 ++ ++ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1 ++ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0 ++ pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low ++ ++ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1 ++ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0 ++ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1 ++ ++ eor3 $acc_hb, $acc_hb, $t1.16b,$t2.16b @ GHASH block 8k+2, 8k+3 - high ++ trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ ++ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 ++ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1 ++ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1 ++ ++ pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low ++ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1 ++ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1 ++ ++ pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid ++ eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid ++ ++ rev64 $res6b, $res6b @ GHASH block 8k+6 (t0, t1, and t2 free) ++ eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low ++ ++ pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid ++ eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid ++ pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid ++ ++ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2 ++ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2 ++ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2 ++ ++ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2 ++ eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2 ++ ++ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2 ++ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2 ++ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2 ++ ++ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3 ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ rev64 $res4b, $res4b @ GHASH block 8k+4 (t0, t1, and t2 free) ++ ++ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 ++ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3 ++ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3 ++ ++ ldr $h1q, [$current_tag, #32] @ load h1l | h1h ++ ext $h1.16b, $h1.16b, $h1.16b, #8 ++ ldr $h2q, [$current_tag, #64] @ load h1l | h1h ++ ext $h2.16b, $h2.16b, $h2.16b, #8 ++ pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high ++ pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low ++ ++ trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ ++ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3 ++ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3 ++ ++ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3 ++ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3 ++ ++ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3 ++ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4 ++ ++ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4 ++ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4 ++ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4 ++ ++ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4 ++ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4 ++ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4 ++ ++ pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high ++ eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low ++ ++ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4 ++ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 ++ trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ ++ pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid ++ pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid ++ pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high ++ ++ pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high ++ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5 ++ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5 ++ ++ pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low ++ eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high ++ trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ ++ eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low ++ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5 ++ ++ eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5 ++ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5 ++ ++ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5 ++ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5 ++ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5 ++ ++ eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant ++ pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low ++ ++ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6 ++ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6 ++ ++ pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid ++ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6 ++ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6 ++ ++ pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid ++ eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low ++ ldp $ctr_t0q, $ctr_t1q, [$input_ptr], #32 @ AES block 8k+8, 8k+9 - load plaintext ++ ++ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6 ++ rev32 $h1.16b, $rtmp_ctr.16b @ CTR block 8k+16 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+16 ++ ++ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6 ++ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6 ++ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6 ++ ++ eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 ++ eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high ++ ++ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7 ++ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7 ++ ldp $ctr_t2q, $ctr_t3q, [$input_ptr], #32 @ AES block 8k+10, 8k+11 - load plaintext ++ ++ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7 ++ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7 ++ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7 ++ ++ pmull $t11.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid ++ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7 ++ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7 ++ ++ rev32 $h2.16b, $rtmp_ctr.16b @ CTR block 8k+17 ++ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7 ++ ++ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 ++ ldp $ctr_t4q, $ctr_t5q, [$input_ptr], #32 @ AES block 8k+12, 8k+13 - load plaintext ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+17 ++ ++ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 ++ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 ++ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 ++ ++ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 ++ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up ++ ldr $rk10q, [$cc, #160] @ load rk10 ++ ++ ext $t12.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment ++ rev32 $h3.16b, $rtmp_ctr.16b @ CTR block 8k+18 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+18 ++ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 ++ ++ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 ++ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid ++ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 ++ ++ aese $ctr2b, $rk9 @ AES block 8k+10 - round 9 ++ aese $ctr4b, $rk9 @ AES block 8k+12 - round 9 ++ aese $ctr1b, $rk9 @ AES block 8k+9 - round 9 ++ ++ ldp $ctr_t6q, $ctr_t7q, [$input_ptr], #32 @ AES block 8k+14, 8k+15 - load plaintext ++ rev32 $h4.16b, $rtmp_ctr.16b @ CTR block 8k+19 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+19 ++ ++ cmp $input_ptr, $main_end_input_ptr @ LOOP CONTROL ++ eor3 $res4b, $ctr_t4b, $ctr4b, $rk10 @ AES block 4 - result ++ aese $ctr7b, $rk9 @ AES block 8k+15 - round 9 ++ ++ aese $ctr6b, $rk9 @ AES block 8k+14 - round 9 ++ aese $ctr3b, $rk9 @ AES block 8k+11 - round 9 ++ ++ eor3 $res2b, $ctr_t2b, $ctr2b, $rk10 @ AES block 8k+10 - result ++ ++ mov $ctr2.16b, $h3.16b @ CTR block 8k+18 ++ aese $ctr0b, $rk9 @ AES block 8k+8 - round 9 ++ ++ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 8k+20 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+20 ++ ++ eor3 $res7b, $ctr_t7b, $ctr7b, $rk10 @ AES block 7 - result ++ aese $ctr5b, $rk9 @ AES block 8k+13 - round 9 ++ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low ++ ++ eor3 $res1b, $ctr_t1b, $ctr1b, $rk10 @ AES block 8k+9 - result ++ eor3 $res3b, $ctr_t3b, $ctr3b, $rk10 @ AES block 8k+11 - result ++ mov $ctr3.16b, $h4.16b @ CTR block 8k+19 ++ ++ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment ++ eor3 $res5b, $ctr_t5b, $ctr5b, $rk10 @ AES block 5 - result ++ mov $ctr1.16b, $h2.16b @ CTR block 8k+17 ++ ++ eor3 $res0b, $ctr_t0b, $ctr0b, $rk10 @ AES block 8k+8 - result ++ mov $ctr0.16b, $h1.16b @ CTR block 8k+16 ++ stp $res0q, $res1q, [$output_ptr], #32 @ AES block 8k+8, 8k+9 - store result ++ ++ stp $res2q, $res3q, [$output_ptr], #32 @ AES block 8k+10, 8k+11 - store result ++ eor3 $res6b, $ctr_t6b, $ctr6b, $rk10 @ AES block 6 - result ++ ++ stp $res4q, $res5q, [$output_ptr], #32 @ AES block 8k+12, 8k+13 - store result ++ eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low ++ ++ stp $res6q, $res7q, [$output_ptr], #32 @ AES block 8k+14, 8k+15 - store result ++ b.lt .L128_enc_main_loop ++ ++.L128_enc_prepretail: @ PREPRETAIL ++ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13 ++ ldr $h7q, [$current_tag, #176] @ load h7l | h7h ++ ext $h7.16b, $h7.16b, $h7.16b, #8 ++ ldr $h8q, [$current_tag, #208] @ load h8l | h8h ++ ext $h8.16b, $h8.16b, $h8.16b, #8 ++ ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0 ++ ++ ldr $h5q, [$current_tag, #128] @ load h5l | h5h ++ ext $h5.16b, $h5.16b, $h5.16b, #8 ++ ldr $h6q, [$current_tag, #160] @ load h6l | h6h ++ ext $h6.16b, $h6.16b, $h6.16b, #8 ++ rev64 $res0b, $res0b @ GHASH block 8k ++ rev64 $res1b, $res1b @ GHASH block 8k+1 ++ ++ ldr $h56kq, [$current_tag, #144] @ load h6k | h5k ++ ldr $h78kq, [$current_tag, #192] @ load h6k | h5k ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13 ++ rev64 $res3b, $res3b @ GHASH block 8k+3 ++ ++ rev64 $res2b, $res2b @ GHASH block 8k+2 ++ eor $res0b, $res0b, $acc_lb @ PRE 1 ++ ++ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14 ++ ++ pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high ++ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low ++ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high ++ ++ rev64 $res5b, $res5b @ GHASH block 8k+5 (t0, t1, t2 and t3 free) ++ trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ ++ pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low ++ eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high ++ trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ ++ eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low ++ eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid ++ ++ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14 ++ ++ pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid ++ pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid ++ ++ rev64 $res4b, $res4b @ GHASH block 8k+4 (t0, t1, and t2 free) ++ rev64 $res7b, $res7b @ GHASH block 8k+7 (t0, t1, t2 and t3 free) ++ ++ eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid ++ ++ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15 ++ ++ rev64 $res6b, $res6b @ GHASH block 8k+6 (t0, t1, and t2 free) ++ ++ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0 ++ ++ pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high ++ pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high ++ ++ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0 ++ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0 ++ ++ pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low ++ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0 ++ ++ eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high ++ trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ ++ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0 ++ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0 ++ ++ eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0 ++ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0 ++ ++ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1 ++ pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low ++ ++ ldr $h3q, [$current_tag, #80] @ load h3l | h3h ++ ext $h3.16b, $h3.16b, $h3.16b, #8 ++ ldr $h4q, [$current_tag, #112] @ load h4l | h4h ++ ext $h4.16b, $h4.16b, $h4.16b, #8 ++ ++ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 ++ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1 ++ pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid ++ ++ eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low ++ pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid ++ ++ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1 ++ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1 ++ ++ eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1 ++ ++ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1 ++ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1 ++ ++ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2 ++ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2 ++ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2 ++ ++ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2 ++ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1 ++ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2 ++ ++ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3 ++ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2 ++ ++ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2 ++ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2 ++ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 ++ ++ ldr $h1q, [$current_tag, #32] @ load h1l | h1h ++ ext $h1.16b, $h1.16b, $h1.16b, #8 ++ ldr $h2q, [$current_tag, #64] @ load h1l | h1h ++ ext $h2.16b, $h2.16b, $h2.16b, #8 ++ trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3 ++ ++ pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high ++ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3 ++ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3 ++ ++ pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low ++ trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high ++ ++ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15 ++ ++ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3 ++ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3 ++ eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ ++ pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low ++ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3 ++ pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high ++ ++ trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low ++ trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ ++ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4 ++ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4 ++ eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high ++ ++ eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low ++ eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid ++ ++ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5 ++ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4 ++ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4 ++ ++ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4 ++ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4 ++ ++ pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid ++ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4 ++ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4 ++ ++ pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high ++ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 ++ pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low ++ ++ eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid ++ pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid ++ ++ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5 ++ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5 ++ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant ++ ++ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5 ++ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5 ++ ++ eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high ++ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5 ++ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5 ++ ++ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5 ++ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6 ++ ++ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6 ++ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6 ++ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6 ++ ++ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6 ++ eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low ++ eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ ++ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6 ++ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6 ++ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6 ++ ++ pmull $t11.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid ++ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up ++ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 ++ ++ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7 ++ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7 ++ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7 ++ ext $t12.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment ++ ++ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7 ++ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7 ++ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid ++ ++ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7 ++ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7 ++ ++ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low ++ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7 ++ ++ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 ++ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 ++ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 ++ ext $acc_mb, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment ++ ++ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 ++ eor3 $acc_lb, $acc_lb, $acc_hb, $acc_mb @ MODULO - fold into low ++ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 ++ ++ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 ++ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 ++ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 ++ ++ ldr $rk10q, [$cc, #160] @ load rk10 ++ aese $ctr6b, $rk9 @ AES block 8k+14 - round 9 ++ aese $ctr2b, $rk9 @ AES block 8k+10 - round 9 ++ ++ aese $ctr0b, $rk9 @ AES block 8k+8 - round 9 ++ aese $ctr1b, $rk9 @ AES block 8k+9 - round 9 ++ ++ aese $ctr3b, $rk9 @ AES block 8k+11 - round 9 ++ aese $ctr5b, $rk9 @ AES block 8k+13 - round 9 ++ ++ aese $ctr4b, $rk9 @ AES block 8k+12 - round 9 ++ aese $ctr7b, $rk9 @ AES block 8k+15 - round 9 ++.L128_enc_tail: @ TAIL ++ ++ sub $main_end_input_ptr, $end_input_ptr, $input_ptr @ main_end_input_ptr is number of bytes left to process ++ ldr $ctr_t0q, [$input_ptr], #16 @ AES block 8k+8 - load plaintext ++ ++ mov $t1.16b, $rk10 ++ ldp $h5q, $h56kq, [$current_tag, #128] @ load h5l | h5h ++ ext $h5.16b, $h5.16b, $h5.16b, #8 ++ ++ eor3 $res1b, $ctr_t0b, $ctr0b, $t1.16b @ AES block 8k+8 - result ++ ext $t0.16b, $acc_lb, $acc_lb, #8 @ prepare final partial tag ++ ldp $h6q, $h7q, [$current_tag, #160] @ load h6k | h5k ++ ext $h6.16b, $h6.16b, $h6.16b, #8 ++ ext $h7.16b, $h7.16b, $h7.16b, #8 ++ ++ ldp $h78kq, $h8q, [$current_tag, #192] @ load h7l | h7h ++ ext $h8.16b, $h8.16b, $h8.16b, #8 ++ cmp $main_end_input_ptr, #112 ++ b.gt .L128_enc_blocks_more_than_7 ++ ++ mov $ctr7b, $ctr6b ++ mov $ctr6b, $ctr5b ++ movi $acc_h.8b, #0 ++ ++ cmp $main_end_input_ptr, #96 ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ mov $ctr5b, $ctr4b ++ ++ mov $ctr4b, $ctr3b ++ mov $ctr3b, $ctr2b ++ mov $ctr2b, $ctr1b ++ ++ movi $acc_l.8b, #0 ++ movi $acc_m.8b, #0 ++ b.gt .L128_enc_blocks_more_than_6 ++ ++ mov $ctr7b, $ctr6b ++ cmp $main_end_input_ptr, #80 ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ mov $ctr6b, $ctr5b ++ mov $ctr5b, $ctr4b ++ ++ mov $ctr4b, $ctr3b ++ mov $ctr3b, $ctr1b ++ b.gt .L128_enc_blocks_more_than_5 ++ ++ cmp $main_end_input_ptr, #64 ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ ++ mov $ctr7b, $ctr6b ++ mov $ctr6b, $ctr5b ++ ++ mov $ctr5b, $ctr4b ++ mov $ctr4b, $ctr1b ++ b.gt .L128_enc_blocks_more_than_4 ++ ++ mov $ctr7b, $ctr6b ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ mov $ctr6b, $ctr5b ++ ++ mov $ctr5b, $ctr1b ++ cmp $main_end_input_ptr, #48 ++ b.gt .L128_enc_blocks_more_than_3 ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ mov $ctr7b, $ctr6b ++ mov $ctr6b, $ctr1b ++ ++ cmp $main_end_input_ptr, #32 ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ b.gt .L128_enc_blocks_more_than_2 ++ ++ cmp $main_end_input_ptr, #16 ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ mov $ctr7b, $ctr1b ++ b.gt .L128_enc_blocks_more_than_1 ++ ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ b .L128_enc_blocks_less_than_1 ++.L128_enc_blocks_more_than_7: @ blocks left > 7 ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-7 block - store result ++ ++ rev64 $res0b, $res1b @ GHASH final-7 block ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-6 block - load plaintext ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-7 block - mid ++ ++ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH final-7 block - high ++ ++ ins $acc_m.d[0], $h78k.d[1] @ GHASH final-7 block - mid ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-7 block - mid ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ eor3 $res1b, $ctr_t1b, $ctr1b, $t1.16b @ AES final-6 block - result ++ ++ pmull $acc_m.1q, $rk4v.1d, $acc_m.1d @ GHASH final-7 block - mid ++ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH final-7 block - low ++.L128_enc_blocks_more_than_6: @ blocks left > 6 ++ ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-6 block - store result ++ ++ rev64 $res0b, $res1b @ GHASH final-6 block ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-5 block - load plaintext ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-6 block - mid ++ ++ eor3 $res1b, $ctr_t1b, $ctr2b, $t1.16b @ AES final-5 block - result ++ pmull $rk3q1, $res0.1d, $h7.1d @ GHASH final-6 block - low ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-6 block - mid ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ pmull $rk4v.1q, $rk4v.1d, $h78k.1d @ GHASH final-6 block - mid ++ pmull2 $rk2q1, $res0.2d, $h7.2d @ GHASH final-6 block - high ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-6 block - low ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-6 block - mid ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-6 block - high ++.L128_enc_blocks_more_than_5: @ blocks left > 5 ++ ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-5 block - store result ++ ++ rev64 $res0b, $res1b @ GHASH final-5 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-5 block - mid ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-4 block - load plaintext ++ pmull2 $rk2q1, $res0.2d, $h6.2d @ GHASH final-5 block - high ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-5 block - high ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-5 block - mid ++ ++ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-5 block - mid ++ ++ eor3 $res1b, $ctr_t1b, $ctr3b, $t1.16b @ AES final-4 block - result ++ pmull $rk3q1, $res0.1d, $h6.1d @ GHASH final-5 block - low ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ pmull2 $rk4v.1q, $rk4v.2d, $h56k.2d @ GHASH final-5 block - mid ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-5 block - low ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-5 block - mid ++.L128_enc_blocks_more_than_4: @ blocks left > 4 ++ ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-4 block - store result ++ ++ rev64 $res0b, $res1b @ GHASH final-4 block ++ ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-3 block - load plaintext ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-4 block - mid ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ pmull2 $rk2q1, $res0.2d, $h5.2d @ GHASH final-4 block - high ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-4 block - mid ++ ++ pmull $rk3q1, $res0.1d, $h5.1d @ GHASH final-4 block - low ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-4 block - high ++ pmull $rk4v.1q, $rk4v.1d, $h56k.1d @ GHASH final-4 block - mid ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-4 block - low ++ ++ eor3 $res1b, $ctr_t1b, $ctr4b, $t1.16b @ AES final-3 block - result ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-4 block - mid ++.L128_enc_blocks_more_than_3: @ blocks left > 3 ++ ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-3 block - store result ++ ++ ldr $h4q, [$current_tag, #112] @ load h4l | h4h ++ ext $h4.16b, $h4.16b, $h4.16b, #8 ++ ++ rev64 $res0b, $res1b @ GHASH final-3 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-3 block - mid ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ pmull $rk3q1, $res0.1d, $h4.1d @ GHASH final-3 block - low ++ ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-2 block - load plaintext ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-3 block - mid ++ ++ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-3 block - mid ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-3 block - low ++ ++ eor3 $res1b, $ctr_t1b, $ctr5b, $t1.16b @ AES final-2 block - result ++ ++ pmull2 $rk4v.1q, $rk4v.2d, $h34k.2d @ GHASH final-3 block - mid ++ pmull2 $rk2q1, $res0.2d, $h4.2d @ GHASH final-3 block - high ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-3 block - mid ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-3 block - high ++.L128_enc_blocks_more_than_2: @ blocks left > 2 ++ ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-2 block - store result ++ ++ rev64 $res0b, $res1b @ GHASH final-2 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-1 block - load plaintext ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-2 block - mid ++ ldr $h3q, [$current_tag, #80] @ load h3l | h3h ++ ext $h3.16b, $h3.16b, $h3.16b, #8 ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-2 block - mid ++ eor3 $res1b, $ctr_t1b, $ctr6b, $t1.16b @ AES final-1 block - result ++ ++ pmull2 $rk2q1, $res0.2d, $h3.2d @ GHASH final-2 block - high ++ ++ pmull $rk3q1, $res0.1d, $h3.1d @ GHASH final-2 block - low ++ pmull $rk4v.1q, $rk4v.1d, $h34k.1d @ GHASH final-2 block - mid ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-2 block - high ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-2 block - mid ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-2 block - low ++.L128_enc_blocks_more_than_1: @ blocks left > 1 ++ ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-1 block - store result ++ ++ ldr $h2q, [$current_tag, #64] @ load h2l | h2h ++ ext $h2.16b, $h2.16b, $h2.16b, #8 ++ rev64 $res0b, $res1b @ GHASH final-1 block ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final block - load plaintext ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-1 block - mid ++ eor3 $res1b, $ctr_t1b, $ctr7b, $t1.16b @ AES final block - result ++ ++ pmull2 $rk2q1, $res0.2d, $h2.2d @ GHASH final-1 block - high ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-1 block - mid ++ ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ ++ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-1 block - mid ++ ++ pmull $rk3q1, $res0.1d, $h2.1d @ GHASH final-1 block - low ++ pmull2 $rk4v.1q, $rk4v.2d, $h12k.2d @ GHASH final-1 block - mid ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-1 block - high ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-1 block - mid ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-1 block - low ++.L128_enc_blocks_less_than_1: @ blocks left <= 1 ++ ++ rev32 $rtmp_ctr.16b, $rtmp_ctr.16b ++ str $rtmp_ctrq, [$counter] @ store the updated counter ++ and $bit_length, $bit_length, #127 @ bit_length %= 128 ++ ++ sub $bit_length, $bit_length, #128 @ bit_length -= 128 ++ ++ neg $bit_length, $bit_length @ bit_length = 128 - #bits in input (in range [1,128]) ++ ++ mvn $temp0_x, xzr @ temp0_x = 0xffffffffffffffff ++ ld1 { $rk0}, [$output_ptr] @ load existing bytes where the possibly partial last block is to be stored ++ and $bit_length, $bit_length, #127 @ bit_length %= 128 ++ ++ lsr $temp0_x, $temp0_x, $bit_length @ temp0_x is mask for top 64b of last block ++ mvn $temp1_x, xzr @ temp1_x = 0xffffffffffffffff ++ cmp $bit_length, #64 ++ ++ csel $temp2_x, $temp1_x, $temp0_x, lt ++ csel $temp3_x, $temp0_x, xzr, lt ++ ++ mov $ctr0.d[1], $temp3_x ++ mov $ctr0.d[0], $temp2_x @ ctr0b is mask for last block ++ ++ and $res1b, $res1b, $ctr0b @ possibly partial last block has zeroes in highest bits ++ ++ rev64 $res0b, $res1b @ GHASH final block ++ ++ bif $res1b, $rk0, $ctr0b @ insert existing bytes in top end of result before storing ++ st1 { $res1b}, [$output_ptr] @ store all 16B ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $t0.d[0], $res0.d[1] @ GHASH final block - mid ++ ++ eor $t0.8b, $t0.8b, $res0.8b @ GHASH final block - mid ++ ldr $h1q, [$current_tag, #32] @ load h1l | h1h ++ ext $h1.16b, $h1.16b, $h1.16b, #8 ++ ++ pmull $t0.1q, $t0.1d, $h12k.1d @ GHASH final block - mid ++ ++ pmull2 $rk2q1, $res0.2d, $h1.2d @ GHASH final block - high ++ eor $acc_mb, $acc_mb, $t0.16b @ GHASH final block - mid ++ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant ++ ++ pmull $rk3q1, $res0.1d, $h1.1d @ GHASH final block - low ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final block - high ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final block - low ++ ++ ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment ++ pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid ++ ++ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up ++ ++ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid ++ ++ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low ++ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment ++ ++ eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low ++ ext $acc_lb, $acc_lb, $acc_lb, #8 ++ rev64 $acc_lb, $acc_lb ++ st1 { $acc_l.16b }, [$current_tag] ++ lsr x0, $bit_length, #3 @ return sizes ++ ++ ldp d10, d11, [sp, #16] ++ ldp d12, d13, [sp, #32] ++ ldp d14, d15, [sp, #48] ++ ldp d8, d9, [sp], #80 ++ ret ++ ++.L128_enc_ret: ++ mov w0, #0x0 ++ ret ++.size unroll8_eor3_aes_gcm_enc_128_kernel,.-unroll8_eor3_aes_gcm_enc_128_kernel ++___ ++ ++######################################################################################### ++# size_t unroll8_eor3_aes_gcm_dec_128_kernel(const unsigned char *in, ++# size_t len, ++# unsigned char *out, ++# u64 *Xi, ++# unsigned char ivec[16], ++# const void *key); ++# ++$code.=<<___; ++.global unroll8_eor3_aes_gcm_dec_128_kernel ++.type unroll8_eor3_aes_gcm_dec_128_kernel,%function ++.align 4 ++unroll8_eor3_aes_gcm_dec_128_kernel: ++ AARCH64_VALID_CALL_TARGET ++ cbz x1, .L128_dec_ret ++ stp d8, d9, [sp, #-80]! ++ mov $counter, x4 ++ mov $cc, x5 ++ stp d10, d11, [sp, #16] ++ stp d12, d13, [sp, #32] ++ stp d14, d15, [sp, #48] ++ mov x5, #0xc200000000000000 ++ stp x5, xzr, [sp, #64] ++ add $modulo_constant, sp, #64 ++ ++ lsr $main_end_input_ptr, $bit_length, #3 @ byte_len ++ ld1 { $ctr0b}, [$counter] @ CTR block 0 ++ ++ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 ++ sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1 ++ ++ mov $constant_temp, #0x100000000 @ set up counter increment ++ movi $rctr_inc.16b, #0x0 ++ mov $rctr_inc.d[1], $constant_temp ++ ld1 { $acc_lb}, [$current_tag] ++ ext $acc_lb, $acc_lb, $acc_lb, #8 ++ rev64 $acc_lb, $acc_lb ++ ++ rev32 $rtmp_ctr.16b, $ctr0.16b @ set up reversed counter ++ ++ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0 ++ ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 0 ++ ++ rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 1 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 1 ++ ++ and $main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffff80 @ number of bytes to be processed in main loop (at least 1 byte must be handled by tail) ++ ++ rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 2 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 2 ++ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 ++ ++ rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 3 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 3 ++ ++ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 1 ++ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 ++ ++ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 4 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 4 ++ ++ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 5 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 5 ++ ++ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 ++ ++ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 6 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 6 ++ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 0 ++ ++ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 ++ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 0 ++ ++ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 7 ++ ++ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 0 ++ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 ++ ++ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 0 ++ ++ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 ++ ++ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 1 ++ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 1 ++ ++ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 1 ++ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 1 ++ ++ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 2 ++ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 ++ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 ++ ++ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 2 ++ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 ++ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 2 ++ ++ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 2 ++ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 ++ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2 ++ ++ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 3 ++ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3 ++ ++ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 ++ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 3 ++ ++ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 3 ++ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 3 ++ ++ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 3 ++ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 3 ++ ++ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 4 ++ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 4 ++ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 3 ++ ++ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 4 ++ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 4 ++ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 4 ++ ++ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 4 ++ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 4 ++ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 4 ++ ++ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 ++ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 5 ++ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 5 ++ ++ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 5 ++ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 5 ++ ++ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 5 ++ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 5 ++ ++ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 5 ++ ++ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 6 ++ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 6 ++ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 5 ++ ++ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 6 ++ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 6 ++ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 6 ++ ++ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 6 ++ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 6 ++ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 6 ++ ++ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 7 ++ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 7 ++ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 7 ++ ++ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 7 ++ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 7 ++ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 ++ ++ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 7 ++ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 7 ++ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 7 ++ ++ add $main_end_input_ptr, $main_end_input_ptr, $input_ptr ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 7 ++ ++ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 8 ++ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 8 ++ ++ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 8 ++ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 8 ++ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 8 ++ ++ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 8 ++ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 8 ++ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 8 ++ ++ aese $ctr0b, $rk9 @ AES block 0 - round 9 ++ aese $ctr1b, $rk9 @ AES block 1 - round 9 ++ aese $ctr6b, $rk9 @ AES block 6 - round 9 ++ ++ ldr $rk10q, [$cc, #160] @ load rk10 ++ aese $ctr4b, $rk9 @ AES block 4 - round 9 ++ aese $ctr3b, $rk9 @ AES block 3 - round 9 ++ ++ aese $ctr2b, $rk9 @ AES block 2 - round 9 ++ aese $ctr5b, $rk9 @ AES block 5 - round 9 ++ aese $ctr7b, $rk9 @ AES block 7 - round 9 ++ ++ add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr ++ cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks ++ b.ge .L128_dec_tail @ handle tail ++ ++ ldp $res0q, $res1q, [$input_ptr], #32 @ AES block 0, 1 - load ciphertext ++ ++ eor3 $ctr0b, $res0b, $ctr0b, $rk10 @ AES block 0 - result ++ eor3 $ctr1b, $res1b, $ctr1b, $rk10 @ AES block 1 - result ++ stp $ctr0q, $ctr1q, [$output_ptr], #32 @ AES block 0, 1 - store result ++ ++ rev32 $ctr0.16b, $rtmp_ctr.16b @ CTR block 8 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8 ++ ldp $res2q, $res3q, [$input_ptr], #32 @ AES block 2, 3 - load ciphertext ++ ++ ldp $res4q, $res5q, [$input_ptr], #32 @ AES block 4, 5 - load ciphertext ++ ++ rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 9 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 9 ++ ldp $res6q, $res7q, [$input_ptr], #32 @ AES block 6, 7 - load ciphertext ++ ++ eor3 $ctr3b, $res3b, $ctr3b, $rk10 @ AES block 3 - result ++ eor3 $ctr2b, $res2b, $ctr2b, $rk10 @ AES block 2 - result ++ stp $ctr2q, $ctr3q, [$output_ptr], #32 @ AES block 2, 3 - store result ++ ++ rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 10 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 10 ++ ++ eor3 $ctr6b, $res6b, $ctr6b, $rk10 @ AES block 6 - result ++ ++ rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 11 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 11 ++ ++ eor3 $ctr4b, $res4b, $ctr4b, $rk10 @ AES block 4 - result ++ eor3 $ctr5b, $res5b, $ctr5b, $rk10 @ AES block 5 - result ++ stp $ctr4q, $ctr5q, [$output_ptr], #32 @ AES block 4, 5 - store result ++ ++ eor3 $ctr7b, $res7b, $ctr7b, $rk10 @ AES block 7 - result ++ stp $ctr6q, $ctr7q, [$output_ptr], #32 @ AES block 6, 7 - store result ++ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 12 ++ ++ cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 12 ++ b.ge .L128_dec_prepretail @ do prepretail ++ ++.L128_dec_main_loop: @ main loop start ++ ldr $h7q, [$current_tag, #176] @ load h7l | h7h ++ ext $h7.16b, $h7.16b, $h7.16b, #8 ++ ldr $h8q, [$current_tag, #208] @ load h7l | h7h ++ ext $h8.16b, $h8.16b, $h8.16b, #8 ++ ++ rev64 $res1b, $res1b @ GHASH block 8k+1 ++ rev64 $res0b, $res0b @ GHASH block 8k ++ ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0 ++ ++ rev64 $res6b, $res6b @ GHASH block 8k+6 ++ ldr $h5q, [$current_tag, #128] @ load h5l | h5h ++ ext $h5.16b, $h5.16b, $h5.16b, #8 ++ ldr $h6q, [$current_tag, #160] @ load h6l | h6h ++ ext $h6.16b, $h6.16b, $h6.16b, #8 ++ ++ eor $res0b, $res0b, $acc_lb @ PRE 1 ++ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13 ++ ++ rev64 $res2b, $res2b @ GHASH block 8k+2 ++ rev64 $res4b, $res4b @ GHASH block 8k+4 ++ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 ++ ++ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14 ++ ldr $h56kq, [$current_tag, #144] @ load h6k | h5k ++ ldr $h78kq, [$current_tag, #192] @ load h6k | h5k ++ ++ pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high ++ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high ++ rev64 $res3b, $res3b @ GHASH block 8k+3 ++ ++ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15 ++ trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ rev64 $res5b, $res5b @ GHASH block 8k+5 ++ ++ pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low ++ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low ++ trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ ++ pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high ++ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0 ++ pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high ++ ++ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0 ++ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0 ++ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0 ++ ++ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0 ++ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0 ++ eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high ++ ++ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0 ++ eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid ++ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0 ++ ++ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1 ++ eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low ++ eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high ++ ++ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 ++ trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1 ++ ++ pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low ++ trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid ++ ++ ldr $h3q, [$current_tag, #80] @ load h3l | h3h ++ ext $h3.16b, $h3.16b, $h3.16b, #8 ++ ldr $h4q, [$current_tag, #112] @ load h4l | h4h ++ ext $h4.16b, $h4.16b, $h4.16b, #8 ++ pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid ++ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1 ++ ++ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1 ++ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1 ++ pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low ++ ++ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1 ++ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1 ++ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1 ++ ++ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2 ++ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2 ++ eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low ++ ++ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2 ++ eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ ldr $h1q, [$current_tag, #32] @ load h1l | h1h ++ ext $h1.16b, $h1.16b, $h1.16b, #8 ++ ldr $h2q, [$current_tag, #64] @ load h1l | h1h ++ ext $h2.16b, $h2.16b, $h2.16b, #8 ++ ++ eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid ++ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2 ++ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2 ++ ++ trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2 ++ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2 ++ ++ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2 ++ pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid ++ pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid ++ ++ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3 ++ rev64 $res7b, $res7b @ GHASH block 8k+7 ++ pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high ++ ++ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 ++ pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low ++ eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3 ++ trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ ++ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3 ++ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3 ++ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3 ++ ++ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3 ++ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3 ++ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3 ++ ++ pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high ++ pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low ++ pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high ++ ++ pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low ++ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4 ++ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4 ++ ++ eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4 ++ ++ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4 ++ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4 ++ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4 ++ ++ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4 ++ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4 ++ trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ ++ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 ++ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5 ++ pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid ++ ++ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5 ++ eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5 ++ ++ pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid ++ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5 ++ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5 ++ ++ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5 ++ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5 ++ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5 ++ ++ pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high ++ eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low ++ ++ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6 ++ eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high ++ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6 ++ ++ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6 ++ pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid ++ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6 ++ ++ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6 ++ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6 ++ pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low ++ ++ pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid ++ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15 ++ ++ eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high ++ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6 ++ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 ++ ++ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant ++ eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low ++ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7 ++ ++ rev32 $h1.16b, $rtmp_ctr.16b @ CTR block 8k+16 ++ eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+16 ++ ++ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7 ++ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7 ++ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7 ++ ++ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7 ++ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7 ++ rev32 $h2.16b, $rtmp_ctr.16b @ CTR block 8k+17 ++ ++ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7 ++ ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment ++ pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid ++ ++ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up ++ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+17 ++ ++ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 ++ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 ++ ldp $res0q, $res1q, [$input_ptr], #32 @ AES block 8k+8, 8k+9 - load ciphertext ++ ++ ldp $res2q, $res3q, [$input_ptr], #32 @ AES block 8k+10, 8k+11 - load ciphertext ++ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 ++ rev32 $h3.16b, $rtmp_ctr.16b @ CTR block 8k+18 ++ ++ ldp $res4q, $res5q, [$input_ptr], #32 @ AES block 8k+12, 8k+13 - load ciphertext ++ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 ++ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid ++ ++ ldp $res6q, $res7q, [$input_ptr], #32 @ AES block 8k+14, 8k+15 - load ciphertext ++ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+18 ++ ++ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 ++ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 ++ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 ++ ++ aese $ctr0b, $rk9 @ AES block 8k+8 - round 9 ++ aese $ctr1b, $rk9 @ AES block 8k+9 - round 9 ++ ldr $rk10q, [$cc, #160] @ load rk10 ++ ++ aese $ctr6b, $rk9 @ AES block 8k+14 - round 9 ++ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low ++ aese $ctr2b, $rk9 @ AES block 8k+10 - round 9 ++ ++ aese $ctr7b, $rk9 @ AES block 8k+15 - round 9 ++ aese $ctr4b, $rk9 @ AES block 8k+12 - round 9 ++ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment ++ ++ rev32 $h4.16b, $rtmp_ctr.16b @ CTR block 8k+19 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+19 ++ ++ aese $ctr3b, $rk9 @ AES block 8k+11 - round 9 ++ aese $ctr5b, $rk9 @ AES block 8k+13 - round 9 ++ eor3 $ctr1b, $res1b, $ctr1b, $rk10 @ AES block 8k+9 - result ++ ++ eor3 $ctr0b, $res0b, $ctr0b, $rk10 @ AES block 8k+8 - result ++ eor3 $ctr7b, $res7b, $ctr7b, $rk10 @ AES block 8k+15 - result ++ eor3 $ctr6b, $res6b, $ctr6b, $rk10 @ AES block 8k+14 - result ++ ++ eor3 $ctr2b, $res2b, $ctr2b, $rk10 @ AES block 8k+10 - result ++ stp $ctr0q, $ctr1q, [$output_ptr], #32 @ AES block 8k+8, 8k+9 - store result ++ mov $ctr1.16b, $h2.16b @ CTR block 8k+17 ++ ++ eor3 $ctr4b, $res4b, $ctr4b, $rk10 @ AES block 8k+12 - result ++ eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low ++ mov $ctr0.16b, $h1.16b @ CTR block 8k+16 ++ ++ eor3 $ctr3b, $res3b, $ctr3b, $rk10 @ AES block 8k+11 - result ++ cmp $input_ptr, $main_end_input_ptr @ LOOP CONTROL ++ stp $ctr2q, $ctr3q, [$output_ptr], #32 @ AES block 8k+10, 8k+11 - store result ++ ++ eor3 $ctr5b, $res5b, $ctr5b, $rk10 @ AES block 8k+13 - result ++ mov $ctr2.16b, $h3.16b @ CTR block 8k+18 ++ ++ stp $ctr4q, $ctr5q, [$output_ptr], #32 @ AES block 8k+12, 8k+13 - store result ++ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 8k+20 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+20 ++ ++ stp $ctr6q, $ctr7q, [$output_ptr], #32 @ AES block 8k+14, 8k+15 - store result ++ mov $ctr3.16b, $h4.16b @ CTR block 8k+19 ++ b.lt .L128_dec_main_loop ++ ++.L128_dec_prepretail: @ PREPRETAIL ++ rev64 $res3b, $res3b @ GHASH block 8k+3 ++ ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0 ++ rev64 $res0b, $res0b @ GHASH block 8k ++ ++ rev64 $res2b, $res2b @ GHASH block 8k+2 ++ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13 ++ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 ++ ++ ldr $h7q, [$current_tag, #176] @ load h7l | h7h ++ ext $h7.16b, $h7.16b, $h7.16b, #8 ++ ldr $h8q, [$current_tag, #208] @ load h8l | h8h ++ ext $h8.16b, $h8.16b, $h8.16b, #8 ++ eor $res0b, $res0b, $acc_lb @ PRE 1 ++ rev64 $res1b, $res1b @ GHASH block 8k+1 ++ ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13 ++ ldr $h5q, [$current_tag, #128] @ load h5l | h5h ++ ext $h5.16b, $h5.16b, $h5.16b, #8 ++ ldr $h6q, [$current_tag, #160] @ load h6l | h6h ++ ext $h6.16b, $h6.16b, $h6.16b, #8 ++ rev64 $res5b, $res5b @ GHASH block 8k+5 ++ ++ rev64 $res4b, $res4b @ GHASH block 8k+4 ++ ++ rev64 $res6b, $res6b @ GHASH block 8k+6 ++ ++ ldr $h56kq, [$current_tag, #144] @ load h6k | h5k ++ ldr $h78kq, [$current_tag, #192] @ load h6k | h5k ++ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14 ++ ++ pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high ++ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low ++ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high ++ ++ trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high ++ ++ pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low ++ pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high ++ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0 ++ ++ eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high ++ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0 ++ eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid ++ ++ pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low ++ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15 ++ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0 ++ ++ eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high ++ trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ ++ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0 ++ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0 ++ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0 ++ ++ pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid ++ pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid ++ pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low ++ ++ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1 ++ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0 ++ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0 ++ ++ eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low ++ eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid ++ ++ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1 ++ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1 ++ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1 ++ ++ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 ++ eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low ++ pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid ++ ++ ldr $h3q, [$current_tag, #80] @ load h3l | h3h ++ ext $h3.16b, $h3.16b, $h3.16b, #8 ++ ldr $h4q, [$current_tag, #112] @ load h4l | h4h ++ ext $h4.16b, $h4.16b, $h4.16b, #8 ++ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1 ++ pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid ++ ++ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1 ++ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1 ++ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1 ++ ++ ldr $h1q, [$current_tag, #32] @ load h1l | h1h ++ ext $h1.16b, $h1.16b, $h1.16b, #8 ++ ldr $h2q, [$current_tag, #64] @ load h1l | h1h ++ ext $h2.16b, $h2.16b, $h2.16b, #8 ++ eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ ++ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2 ++ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2 ++ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2 ++ ++ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2 ++ trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2 ++ ++ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2 ++ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2 ++ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2 ++ ++ pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high ++ pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low ++ trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ ++ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 ++ rev64 $res7b, $res7b @ GHASH block 8k+7 ++ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3 ++ ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high ++ pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low ++ ++ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3 ++ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3 ++ trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ ++ pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high ++ pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low ++ trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ ++ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3 ++ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3 ++ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3 ++ ++ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3 ++ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3 ++ eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ ++ eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high ++ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4 ++ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4 ++ ++ eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4 ++ pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid ++ ++ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4 ++ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4 ++ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4 ++ ++ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4 ++ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4 ++ pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid ++ ++ pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high ++ pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid ++ pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid ++ ++ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 ++ eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5 ++ ++ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant ++ pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low ++ eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low ++ ++ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5 ++ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5 ++ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5 ++ ++ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5 ++ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5 ++ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5 ++ ++ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5 ++ eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low ++ ++ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6 ++ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6 ++ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6 ++ ++ eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high ++ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6 ++ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6 ++ ++ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6 ++ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6 ++ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6 ++ ++ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7 ++ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up ++ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 ++ ++ pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid ++ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7 ++ ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment ++ ++ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7 ++ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7 ++ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7 ++ ++ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7 ++ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7 ++ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7 ++ ++ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid ++ ldr $rk10q, [$cc, #160] @ load rk10 ++ ++ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 ++ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 ++ ++ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low ++ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 ++ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment ++ ++ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 ++ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 ++ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 ++ ++ aese $ctr6b, $rk9 @ AES block 8k+14 - round 9 ++ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 ++ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 ++ ++ eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15 ++ aese $ctr2b, $rk9 @ AES block 8k+10 - round 9 ++ ++ aese $ctr3b, $rk9 @ AES block 8k+11 - round 9 ++ aese $ctr5b, $rk9 @ AES block 8k+13 - round 9 ++ aese $ctr0b, $rk9 @ AES block 8k+8 - round 9 ++ ++ aese $ctr4b, $rk9 @ AES block 8k+12 - round 9 ++ aese $ctr1b, $rk9 @ AES block 8k+9 - round 9 ++ aese $ctr7b, $rk9 @ AES block 8k+15 - round 9 ++ ++.L128_dec_tail: @ TAIL ++ ++ mov $t1.16b, $rk10 ++ sub $main_end_input_ptr, $end_input_ptr, $input_ptr @ main_end_input_ptr is number of bytes left to process ++ ++ cmp $main_end_input_ptr, #112 ++ ++ ldp $h78kq, $h8q, [$current_tag, #192] @ load h7l | h7h ++ ext $h8.16b, $h8.16b, $h8.16b, #8 ++ ldr $res1q, [$input_ptr], #16 @ AES block 8k+8 - load ciphertext ++ ++ ldp $h5q, $h56kq, [$current_tag, #128] @ load h5l | h5h ++ ext $h5.16b, $h5.16b, $h5.16b, #8 ++ ext $t0.16b, $acc_lb, $acc_lb, #8 @ prepare final partial tag ++ ++ ldp $h6q, $h7q, [$current_tag, #160] @ load h6k | h5k ++ ext $h6.16b, $h6.16b, $h6.16b, #8 ++ ext $h7.16b, $h7.16b, $h7.16b, #8 ++ ++ eor3 $res4b, $res1b, $ctr0b, $t1.16b @ AES block 8k+8 - result ++ b.gt .L128_dec_blocks_more_than_7 ++ ++ cmp $main_end_input_ptr, #96 ++ mov $ctr7b, $ctr6b ++ movi $acc_l.8b, #0 ++ ++ movi $acc_h.8b, #0 ++ mov $ctr6b, $ctr5b ++ mov $ctr5b, $ctr4b ++ ++ mov $ctr4b, $ctr3b ++ mov $ctr3b, $ctr2b ++ mov $ctr2b, $ctr1b ++ ++ movi $acc_m.8b, #0 ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ b.gt .L128_dec_blocks_more_than_6 ++ ++ cmp $main_end_input_ptr, #80 ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ ++ mov $ctr7b, $ctr6b ++ mov $ctr6b, $ctr5b ++ mov $ctr5b, $ctr4b ++ ++ mov $ctr4b, $ctr3b ++ mov $ctr3b, $ctr1b ++ b.gt .L128_dec_blocks_more_than_5 ++ ++ cmp $main_end_input_ptr, #64 ++ ++ mov $ctr7b, $ctr6b ++ mov $ctr6b, $ctr5b ++ mov $ctr5b, $ctr4b ++ ++ mov $ctr4b, $ctr1b ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ b.gt .L128_dec_blocks_more_than_4 ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ mov $ctr7b, $ctr6b ++ mov $ctr6b, $ctr5b ++ ++ mov $ctr5b, $ctr1b ++ cmp $main_end_input_ptr, #48 ++ b.gt .L128_dec_blocks_more_than_3 ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ mov $ctr7b, $ctr6b ++ cmp $main_end_input_ptr, #32 ++ ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ mov $ctr6b, $ctr1b ++ b.gt .L128_dec_blocks_more_than_2 ++ ++ cmp $main_end_input_ptr, #16 ++ ++ mov $ctr7b, $ctr1b ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ b.gt L128_dec_blocks_more_than_1 ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ b .L128_dec_blocks_less_than_1 ++.L128_dec_blocks_more_than_7: @ blocks left > 7 ++ rev64 $res0b, $res1b @ GHASH final-7 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $acc_m.d[0], $h78k.d[1] @ GHASH final-7 block - mid ++ ++ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH final-7 block - low ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-7 block - mid ++ ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ldr $res1q, [$input_ptr], #16 @ AES final-6 block - load ciphertext ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-7 block - mid ++ ++ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH final-7 block - high ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-7 block - store result ++ eor3 $res4b, $res1b, $ctr1b, $t1.16b @ AES final-6 block - result ++ ++ pmull $acc_m.1q, $rk4v.1d, $acc_m.1d @ GHASH final-7 block - mid ++.L128_dec_blocks_more_than_6: @ blocks left > 6 ++ ++ rev64 $res0b, $res1b @ GHASH final-6 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-6 block - mid ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-6 block - mid ++ ++ pmull $rk3q1, $res0.1d, $h7.1d @ GHASH final-6 block - low ++ ldr $res1q, [$input_ptr], #16 @ AES final-5 block - load ciphertext ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ pmull $rk4v.1q, $rk4v.1d, $h78k.1d @ GHASH final-6 block - mid ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-6 block - store result ++ pmull2 $rk2q1, $res0.2d, $h7.2d @ GHASH final-6 block - high ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-6 block - low ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-6 block - high ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-6 block - mid ++ eor3 $res4b, $res1b, $ctr2b, $t1.16b @ AES final-5 block - result ++.L128_dec_blocks_more_than_5: @ blocks left > 5 ++ ++ rev64 $res0b, $res1b @ GHASH final-5 block ++ ++ ldr $res1q, [$input_ptr], #16 @ AES final-4 block - load ciphertext ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-5 block - store result ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-5 block - mid ++ ++ eor3 $res4b, $res1b, $ctr3b, $t1.16b @ AES final-4 block - result ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-5 block - mid ++ ++ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-5 block - mid ++ pmull $rk3q1, $res0.1d, $h6.1d @ GHASH final-5 block - low ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ pmull2 $rk4v.1q, $rk4v.2d, $h56k.2d @ GHASH final-5 block - mid ++ pmull2 $rk2q1, $res0.2d, $h6.2d @ GHASH final-5 block - high ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-5 block - low ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-5 block - mid ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-5 block - high ++.L128_dec_blocks_more_than_4: @ blocks left > 4 ++ ++ rev64 $res0b, $res1b @ GHASH final-4 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ldr $res1q, [$input_ptr], #16 @ AES final-3 block - load ciphertext ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-4 block - mid ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ pmull2 $rk2q1, $res0.2d, $h5.2d @ GHASH final-4 block - high ++ ++ pmull $rk3q1, $res0.1d, $h5.1d @ GHASH final-4 block - low ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-4 block - high ++ ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-4 block - store result ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-4 block - mid ++ ++ eor3 $res4b, $res1b, $ctr4b, $t1.16b @ AES final-3 block - result ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-4 block - low ++ ++ pmull $rk4v.1q, $rk4v.1d, $h56k.1d @ GHASH final-4 block - mid ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-4 block - mid ++.L128_dec_blocks_more_than_3: @ blocks left > 3 ++ ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-3 block - store result ++ rev64 $res0b, $res1b @ GHASH final-3 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-3 block - mid ++ ++ ldr $h4q, [$current_tag, #112] @ load h4l | h4h ++ ext $h4.16b, $h4.16b, $h4.16b, #8 ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-3 block - mid ++ ++ ldr $res1q, [$input_ptr], #16 @ AES final-2 block - load ciphertext ++ ++ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-3 block - mid ++ pmull $rk3q1, $res0.1d, $h4.1d @ GHASH final-3 block - low ++ pmull2 $rk2q1, $res0.2d, $h4.2d @ GHASH final-3 block - high ++ ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ eor3 $res4b, $res1b, $ctr5b, $t1.16b @ AES final-2 block - result ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-3 block - low ++ ++ pmull2 $rk4v.1q, $rk4v.2d, $h34k.2d @ GHASH final-3 block - mid ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-3 block - high ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-3 block - mid ++.L128_dec_blocks_more_than_2: @ blocks left > 2 ++ ++ rev64 $res0b, $res1b @ GHASH final-2 block ++ ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-2 block - store result ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ldr $h3q, [$current_tag, #80] @ load h3l | h3h ++ ext $h3.16b, $h3.16b, $h3.16b, #8 ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-2 block - mid ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-2 block - mid ++ ++ pmull $rk3q1, $res0.1d, $h3.1d @ GHASH final-2 block - low ++ ++ pmull2 $rk2q1, $res0.2d, $h3.2d @ GHASH final-2 block - high ++ pmull $rk4v.1q, $rk4v.1d, $h34k.1d @ GHASH final-2 block - mid ++ ldr $res1q, [$input_ptr], #16 @ AES final-1 block - load ciphertext ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-2 block - mid ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-2 block - low ++ ++ eor3 $res4b, $res1b, $ctr6b, $t1.16b @ AES final-1 block - result ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-2 block - high ++.L128_dec_blocks_more_than_1: @ blocks left > 1 ++ ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-1 block - store result ++ rev64 $res0b, $res1b @ GHASH final-1 block ++ ++ ldr $h2q, [$current_tag, #64] @ load h1l | h1h ++ ext $h2.16b, $h2.16b, $h2.16b, #8 ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-1 block - mid ++ ++ ldr $res1q, [$input_ptr], #16 @ AES final block - load ciphertext ++ pmull2 $rk2q1, $res0.2d, $h2.2d @ GHASH final-1 block - high ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-1 block - mid ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-1 block - high ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ ++ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-1 block - mid ++ eor3 $res4b, $res1b, $ctr7b, $t1.16b @ AES final block - result ++ ++ pmull $rk3q1, $res0.1d, $h2.1d @ GHASH final-1 block - low ++ ++ pmull2 $rk4v.1q, $rk4v.2d, $h12k.2d @ GHASH final-1 block - mid ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-1 block - low ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-1 block - mid ++.L128_dec_blocks_less_than_1: @ blocks left <= 1 ++ ++ and $bit_length, $bit_length, #127 @ bit_length %= 128 ++ ++ sub $bit_length, $bit_length, #128 @ bit_length -= 128 ++ ++ neg $bit_length, $bit_length @ bit_length = 128 - #bits in input (in range [1,128]) ++ ++ mvn $temp0_x, xzr @ temp0_x = 0xffffffffffffffff ++ and $bit_length, $bit_length, #127 @ bit_length %= 128 ++ ++ lsr $temp0_x, $temp0_x, $bit_length @ temp0_x is mask for top 64b of last block ++ cmp $bit_length, #64 ++ mvn $temp1_x, xzr @ temp1_x = 0xffffffffffffffff ++ ++ csel $temp2_x, $temp1_x, $temp0_x, lt ++ csel $temp3_x, $temp0_x, xzr, lt ++ ++ mov $ctr0.d[1], $temp3_x ++ mov $ctr0.d[0], $temp2_x @ ctr0b is mask for last block ++ ++ ldr $h1q, [$current_tag, #32] @ load h1l | h1h ++ ext $h1.16b, $h1.16b, $h1.16b, #8 ++ ld1 { $rk0}, [$output_ptr] @ load existing bytes where the possibly partial last block is to be stored ++ ++ and $res1b, $res1b, $ctr0b @ possibly partial last block has zeroes in highest bits ++ ++ rev64 $res0b, $res1b @ GHASH final block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ pmull2 $rk2q1, $res0.2d, $h1.2d @ GHASH final block - high ++ ins $t0.d[0], $res0.d[1] @ GHASH final block - mid ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final block - high ++ eor $t0.8b, $t0.8b, $res0.8b @ GHASH final block - mid ++ ++ bif $res4b, $rk0, $ctr0b @ insert existing bytes in top end of result before storing ++ ++ pmull $t0.1q, $t0.1d, $h12k.1d @ GHASH final block - mid ++ st1 { $res4b}, [$output_ptr] @ store all 16B ++ ++ pmull $rk3q1, $res0.1d, $h1.1d @ GHASH final block - low ++ ++ eor $acc_mb, $acc_mb, $t0.16b @ GHASH final block - mid ++ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final block - low ++ ++ eor $t10.16b, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up ++ ++ pmull $t11.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid ++ ext $acc_hb, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment ++ ++ eor $acc_mb, $acc_mb, $t10.16b @ MODULO - karatsuba tidy up ++ ++ eor3 $acc_mb, $acc_mb, $acc_hb, $t11.16b @ MODULO - fold into mid ++ ++ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low ++ ext $acc_mb, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment ++ ++ eor3 $acc_lb, $acc_lb, $acc_mb, $acc_hb @ MODULO - fold into low ++ ext $acc_lb, $acc_lb, $acc_lb, #8 ++ rev64 $acc_lb, $acc_lb ++ st1 { $acc_l.16b }, [$current_tag] ++ rev32 $rtmp_ctr.16b, $rtmp_ctr.16b ++ ++ str $rtmp_ctrq, [$counter] @ store the updated counter ++ ++ lsr x0, $bit_length, #3 ++ ++ ldp d10, d11, [sp, #16] ++ ldp d12, d13, [sp, #32] ++ ldp d14, d15, [sp, #48] ++ ldp d8, d9, [sp], #80 ++ ret ++.L128_dec_ret: ++ mov w0, #0x0 ++ ret ++.size unroll8_eor3_aes_gcm_dec_128_kernel,.-unroll8_eor3_aes_gcm_dec_128_kernel ++___ ++} ++ ++{ ++my ($end_input_ptr,$main_end_input_ptr,$temp0_x,$temp1_x)=map("x$_",(4..7)); ++my ($temp2_x,$temp3_x)=map("x$_",(13..14)); ++my ($ctr0b,$ctr1b,$ctr2b,$ctr3b,$ctr4b,$ctr5b,$ctr6b,$ctr7b,$res0b,$res1b,$res2b,$res3b,$res4b,$res5b,$res6b,$res7b)=map("v$_.16b",(0..15)); ++my ($ctr0,$ctr1,$ctr2,$ctr3,$ctr4,$ctr5,$ctr6,$ctr7,$res0,$res1,$res2,$res3,$res4,$res5,$res6,$res7)=map("v$_",(0..15)); ++my ($ctr0d,$ctr1d,$ctr2d,$ctr3d,$ctr4d,$ctr5d,$ctr6d,$ctr7d)=map("d$_",(0..7)); ++my ($ctr0q,$ctr1q,$ctr2q,$ctr3q,$ctr4q,$ctr5q,$ctr6q,$ctr7q)=map("q$_",(0..7)); ++my ($res0q,$res1q,$res2q,$res3q,$res4q,$res5q,$res6q,$res7q)=map("q$_",(8..15)); ++ ++my ($ctr_t0,$ctr_t1,$ctr_t2,$ctr_t3,$ctr_t4,$ctr_t5,$ctr_t6,$ctr_t7)=map("v$_",(8..15)); ++my ($ctr_t0b,$ctr_t1b,$ctr_t2b,$ctr_t3b,$ctr_t4b,$ctr_t5b,$ctr_t6b,$ctr_t7b)=map("v$_.16b",(8..15)); ++my ($ctr_t0q,$ctr_t1q,$ctr_t2q,$ctr_t3q,$ctr_t4q,$ctr_t5q,$ctr_t6q,$ctr_t7q)=map("q$_",(8..15)); ++ ++my ($acc_hb,$acc_mb,$acc_lb)=map("v$_.16b",(17..19)); ++my ($acc_h,$acc_m,$acc_l)=map("v$_",(17..19)); ++ ++my ($h1,$h12k,$h2,$h3,$h34k,$h4)=map("v$_",(20..25)); ++my ($h5,$h56k,$h6,$h7,$h78k,$h8)=map("v$_",(20..25)); ++my ($h1q,$h12kq,$h2q,$h3q,$h34kq,$h4q)=map("q$_",(20..25)); ++my ($h5q,$h56kq,$h6q,$h7q,$h78kq,$h8q)=map("q$_",(20..25)); ++ ++my $t0="v16"; ++my $t0d="d16"; ++ ++my $t1="v29"; ++my $t2=$res1; ++my $t3=$t1; ++ ++my $t4=$res0; ++my $t5=$res2; ++my $t6=$t0; ++ ++my $t7=$res3; ++my $t8=$res4; ++my $t9=$res5; ++ ++my $t10=$res6; ++my $t11="v21"; ++my $t12=$t1; ++ ++my $rtmp_ctr="v30"; ++my $rtmp_ctrq="q30"; ++my $rctr_inc="v31"; ++my $rctr_incd="d31"; ++ ++my $mod_constantd=$t0d; ++my $mod_constant=$t0; ++ ++my ($rk0,$rk1,$rk2)=map("v$_.16b",(26..28)); ++my ($rk3,$rk4,$rk5)=map("v$_.16b",(26..28)); ++my ($rk6,$rk7,$rk8)=map("v$_.16b",(26..28)); ++my ($rk9,$rk10,$rk11)=map("v$_.16b",(26..28)); ++my ($rk12,$rk13,$rk14)=map("v$_.16b",(26..28)); ++my ($rk0q,$rk1q,$rk2q)=map("q$_",(26..28)); ++my ($rk3q,$rk4q,$rk5q)=map("q$_",(26..28)); ++my ($rk6q,$rk7q,$rk8q)=map("q$_",(26..28)); ++my ($rk9q,$rk10q,$rk11q)=map("q$_",(26..28)); ++my ($rk12q,$rk13q,$rk14q)=map("q$_",(26..28)); ++my $rk2q1="v28.1q"; ++my $rk3q1="v26.1q"; ++my $rk4v="v27"; ++ ++######################################################################################### ++# size_t unroll8_eor3_aes_gcm_enc_192_kernel(const unsigned char *in, ++# size_t len, ++# unsigned char *out, ++# const void *key, ++# unsigned char ivec[16], ++# u64 *Xi); ++# ++$code.=<<___; ++.global unroll8_eor3_aes_gcm_enc_192_kernel ++.type unroll8_eor3_aes_gcm_enc_192_kernel,%function ++.align 4 ++unroll8_eor3_aes_gcm_enc_192_kernel: ++ AARCH64_VALID_CALL_TARGET ++ cbz x1, .L192_enc_ret ++ stp d8, d9, [sp, #-80]! ++ mov $counter, x4 ++ mov $cc, x5 ++ stp d10, d11, [sp, #16] ++ stp d12, d13, [sp, #32] ++ stp d14, d15, [sp, #48] ++ mov x5, #0xc200000000000000 ++ stp x5, xzr, [sp, #64] ++ add $modulo_constant, sp, #64 ++ ++ lsr $main_end_input_ptr, $bit_length, #3 @ byte_len ++ ld1 { $ctr0b}, [$counter] @ CTR block 0 ++ ++ mov $constant_temp, #0x100000000 @ set up counter increment ++ movi $rctr_inc.16b, #0x0 ++ mov $rctr_inc.d[1], $constant_temp ++ ++ rev32 $rtmp_ctr.16b, $ctr0.16b @ set up reversed counter ++ ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 0 ++ ++ rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 1 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 1 ++ ++ rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 2 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 2 ++ ++ rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 3 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 3 ++ ++ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 4 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 4 ++ sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1 ++ ++ and $main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffff80 @ number of bytes to be processed in main loop (at least 1 byte must be handled by tail) ++ ++ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 5 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 5 ++ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 ++ ++ add $main_end_input_ptr, $main_end_input_ptr, $input_ptr ++ ++ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 6 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 6 ++ ++ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 7 ++ ++ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 0 ++ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 0 ++ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 ++ ++ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0 ++ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 ++ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 0 ++ ++ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 0 ++ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 ++ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 ++ ++ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 1 ++ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 1 ++ ++ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 ++ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 ++ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 1 ++ ++ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 2 ++ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 1 ++ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 1 ++ ++ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 ++ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 2 ++ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 ++ ++ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 ++ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 ++ ++ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2 ++ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 2 ++ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 2 ++ ++ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 ++ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 3 ++ ++ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 3 ++ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 3 ++ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3 ++ ++ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 3 ++ ++ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 3 ++ ++ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 3 ++ ++ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 4 ++ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 4 ++ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 3 ++ ++ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 4 ++ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 4 ++ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 4 ++ ++ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 4 ++ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 4 ++ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 4 ++ ++ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 5 ++ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 ++ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 5 ++ ++ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 5 ++ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 5 ++ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 5 ++ ++ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 5 ++ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 5 ++ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 5 ++ ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 7 ++ ++ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 6 ++ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 6 ++ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 6 ++ ++ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 6 ++ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 6 ++ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 6 ++ ++ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 6 ++ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 6 ++ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 ++ ++ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 7 ++ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 7 ++ ++ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 7 ++ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 7 ++ ++ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 7 ++ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 7 ++ ++ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 7 ++ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 7 ++ ++ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 8 ++ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 8 ++ ++ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 8 ++ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 8 ++ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 8 ++ ++ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 8 ++ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 8 ++ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 8 ++ ++ add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr ++ cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks ++ aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 9 ++ ++ ld1 { $acc_lb}, [$current_tag] ++ ext $acc_lb, $acc_lb, $acc_lb, #8 ++ rev64 $acc_lb, $acc_lb ++ ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11 ++ ++ aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 9 ++ aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 9 ++ ++ aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 9 ++ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 9 ++ ++ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 9 ++ aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 9 ++ ++ aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 14 - round 10 ++ aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 9 ++ aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 11 - round 10 ++ ++ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 9 - round 10 ++ aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 13 - round 10 ++ aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 12 - round 10 ++ ++ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 8 - round 10 ++ aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 10 - round 10 ++ aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 15 - round 10 ++ ++ aese $ctr6b, $rk11 @ AES block 14 - round 11 ++ aese $ctr3b, $rk11 @ AES block 11 - round 11 ++ ++ aese $ctr4b, $rk11 @ AES block 12 - round 11 ++ aese $ctr7b, $rk11 @ AES block 15 - round 11 ++ ldr $rk12q, [$cc, #192] @ load rk12 ++ ++ aese $ctr1b, $rk11 @ AES block 9 - round 11 ++ aese $ctr5b, $rk11 @ AES block 13 - round 11 ++ ++ aese $ctr2b, $rk11 @ AES block 10 - round 11 ++ aese $ctr0b, $rk11 @ AES block 8 - round 11 ++ b.ge .L192_enc_tail @ handle tail ++ ++ ldp $ctr_t0q, $ctr_t1q, [$input_ptr], #32 @ AES block 0, 1 - load plaintext ++ ++ ldp $ctr_t2q, $ctr_t3q, [$input_ptr], #32 @ AES block 2, 3 - load plaintext ++ ++ ldp $ctr_t4q, $ctr_t5q, [$input_ptr], #32 @ AES block 4, 5 - load plaintext ++ ++ ldp $ctr_t6q, $ctr_t7q, [$input_ptr], #32 @ AES block 6, 7 - load plaintext ++ ++ eor3 $res0b, $ctr_t0b, $ctr0b, $rk12 @ AES block 0 - result ++ rev32 $ctr0.16b, $rtmp_ctr.16b @ CTR block 8 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8 ++ ++ eor3 $res3b, $ctr_t3b, $ctr3b, $rk12 @ AES block 3 - result ++ eor3 $res1b, $ctr_t1b, $ctr1b, $rk12 @ AES block 1 - result ++ ++ rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 9 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 9 ++ eor3 $res4b, $ctr_t4b, $ctr4b, $rk12 @ AES block 4 - result ++ ++ eor3 $res5b, $ctr_t5b, $ctr5b, $rk12 @ AES block 5 - result ++ eor3 $res7b, $ctr_t7b, $ctr7b, $rk12 @ AES block 7 - result ++ stp $res0q, $res1q, [$output_ptr], #32 @ AES block 0, 1 - store result ++ ++ eor3 $res2b, $ctr_t2b, $ctr2b, $rk12 @ AES block 2 - result ++ rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 10 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 10 ++ ++ stp $res2q, $res3q, [$output_ptr], #32 @ AES block 2, 3 - store result ++ cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks ++ ++ rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 11 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 11 ++ eor3 $res6b, $ctr_t6b, $ctr6b, $rk12 @ AES block 6 - result ++ ++ stp $res4q, $res5q, [$output_ptr], #32 @ AES block 4, 5 - store result ++ ++ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 12 ++ stp $res6q, $res7q, [$output_ptr], #32 @ AES block 6, 7 - store result ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 12 ++ ++ b.ge .L192_enc_prepretail @ do prepretail ++ ++.L192_enc_main_loop: @ main loop start ++ rev64 $res4b, $res4b @ GHASH block 8k+4 (t0, t1, and t2 free) ++ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 ++ rev64 $res2b, $res2b @ GHASH block 8k+2 ++ ++ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13 ++ ldr $h7q, [$current_tag, #176] @ load h7l | h7h ++ ext $h7.16b, $h7.16b, $h7.16b, #8 ++ ldr $h8q, [$current_tag, #208] @ load h8l | h8h ++ ext $h8.16b, $h8.16b, $h8.16b, #8 ++ ++ ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0 ++ rev64 $res0b, $res0b @ GHASH block 8k ++ ldr $h5q, [$current_tag, #128] @ load h5l | h5h ++ ext $h5.16b, $h5.16b, $h5.16b, #8 ++ ldr $h6q, [$current_tag, #160] @ load h6l | h6h ++ ext $h6.16b, $h6.16b, $h6.16b, #8 ++ ++ rev64 $res1b, $res1b @ GHASH block 8k+1 ++ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14 ++ ++ eor $res0b, $res0b, $acc_lb @ PRE 1 ++ rev64 $res3b, $res3b @ GHASH block 8k+3 ++ rev64 $res5b, $res5b @ GHASH block 8k+5 (t0, t1, t2 and t3 free) ++ ++ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0 ++ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15 ++ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0 ++ ++ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0 ++ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0 ++ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0 ++ ++ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0 ++ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0 ++ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0 ++ ++ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 ++ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high ++ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1 ++ ++ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1 ++ pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high ++ pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low ++ ++ trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1 ++ ldr $h56kq, [$current_tag, #144] @ load h6k | h5k ++ ldr $h78kq, [$current_tag, #192] @ load h8k | h7k ++ ++ pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high ++ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low ++ trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ ++ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1 ++ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1 ++ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1 ++ ++ eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high ++ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1 ++ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1 ++ ++ pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high ++ eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid ++ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2 ++ ++ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2 ++ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2 ++ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2 ++ ++ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2 ++ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3 ++ eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high ++ ++ pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low ++ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2 ++ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3 ++ ++ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2 ++ trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2 ++ ++ trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3 ++ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 ++ ++ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3 ++ eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low ++ ldr $h3q, [$current_tag, #80] @ load h3l | h3h ++ ext $h3.16b, $h3.16b, $h3.16b, #8 ++ ldr $h4q, [$current_tag, #112] @ load h4l | h4h ++ ext $h4.16b, $h4.16b, $h4.16b, #8 ++ ++ pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid ++ pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid ++ pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low ++ ++ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3 ++ eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ ++ eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid ++ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3 ++ eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low ++ ++ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4 ++ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4 ++ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3 ++ ++ pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid ++ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4 ++ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3 ++ ++ pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid ++ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4 ++ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4 ++ ++ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4 ++ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4 ++ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4 ++ ++ eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5 ++ ldr $h1q, [$current_tag, #32] @ load h1l | h1h ++ ext $h1.16b, $h1.16b, $h1.16b, #8 ++ ldr $h2q, [$current_tag, #64] @ load h1l | h1h ++ ext $h2.16b, $h2.16b, $h2.16b, #8 ++ ++ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 ++ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5 ++ rev64 $res7b, $res7b @ GHASH block 8k+7 (t0, t1, t2 and t3 free) ++ ++ rev64 $res6b, $res6b @ GHASH block 8k+6 (t0, t1, and t2 free) ++ pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high ++ pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low ++ ++ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5 ++ trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ ++ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5 ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ ++ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5 ++ pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high ++ eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ ++ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5 ++ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5 ++ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5 ++ ++ pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low ++ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6 ++ trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ ++ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6 ++ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6 ++ pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high ++ ++ pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low ++ trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6 ++ ++ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6 ++ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6 ++ ++ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6 ++ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7 ++ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6 ++ ++ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7 ++ eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ ++ pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid ++ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 ++ pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid ++ ++ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7 ++ pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high ++ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7 ++ ++ eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15 ++ ++ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant ++ eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high ++ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7 ++ ++ pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid ++ pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low ++ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7 ++ ++ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 ++ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 ++ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 ++ ++ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 ++ eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low ++ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7 ++ ++ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 ++ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 ++ pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid ++ ++ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 ++ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 ++ ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11 ++ ++ eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low ++ rev32 $h1.16b, $rtmp_ctr.16b @ CTR block 8k+16 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+16 ++ ++ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 9 ++ eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high ++ ++ aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 9 ++ aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 9 ++ ldp $ctr_t0q, $ctr_t1q, [$input_ptr], #32 @ AES block 8k+8, 8k+9 - load plaintext ++ ++ pmull $t11.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid ++ rev32 $h2.16b, $rtmp_ctr.16b @ CTR block 8k+17 ++ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 9 ++ ++ aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 9 ++ aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 9 ++ aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 9 ++ ++ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up ++ aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 9 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+17 ++ ++ aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 10 ++ aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 10 ++ ldr $rk12q, [$cc, #192] @ load rk12 ++ ext $t12.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment ++ ++ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 10 ++ aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 10 ++ ldp $ctr_t2q, $ctr_t3q, [$input_ptr], #32 @ AES block 8k+10, 8k+11 - load plaintext ++ ++ aese $ctr4b, $rk11 @ AES block 8k+12 - round 11 ++ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid ++ ldp $ctr_t4q, $ctr_t5q, [$input_ptr], #32 @ AES block 8k+12, 8k+13 - load plaintext ++ ++ ldp $ctr_t6q, $ctr_t7q, [$input_ptr], #32 @ AES block 8k+14, 8k+15 - load plaintext ++ aese $ctr2b, $rk11 @ AES block 8k+10 - round 11 ++ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 10 ++ ++ rev32 $h3.16b, $rtmp_ctr.16b @ CTR block 8k+18 ++ aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 10 ++ ++ aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 10 ++ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low ++ ++ aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 10 ++ aese $ctr5b, $rk11 @ AES block 8k+13 - round 11 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+18 ++ ++ aese $ctr7b, $rk11 @ AES block 8k+15 - round 11 ++ aese $ctr0b, $rk11 @ AES block 8k+8 - round 11 ++ eor3 $res4b, $ctr_t4b, $ctr4b, $rk12 @ AES block 4 - result ++ ++ aese $ctr6b, $rk11 @ AES block 8k+14 - round 11 ++ aese $ctr3b, $rk11 @ AES block 8k+11 - round 11 ++ aese $ctr1b, $rk11 @ AES block 8k+9 - round 11 ++ ++ rev32 $h4.16b, $rtmp_ctr.16b @ CTR block 8k+19 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+19 ++ eor3 $res7b, $ctr_t7b, $ctr7b, $rk12 @ AES block 7 - result ++ ++ eor3 $res2b, $ctr_t2b, $ctr2b, $rk12 @ AES block 8k+10 - result ++ eor3 $res0b, $ctr_t0b, $ctr0b, $rk12 @ AES block 8k+8 - result ++ mov $ctr2.16b, $h3.16b @ CTR block 8k+18 ++ ++ eor3 $res1b, $ctr_t1b, $ctr1b, $rk12 @ AES block 8k+9 - result ++ mov $ctr1.16b, $h2.16b @ CTR block 8k+17 ++ stp $res0q, $res1q, [$output_ptr], #32 @ AES block 8k+8, 8k+9 - store result ++ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment ++ ++ eor3 $res6b, $ctr_t6b, $ctr6b, $rk12 @ AES block 6 - result ++ mov $ctr0.16b, $h1.16b @ CTR block 8k+16 ++ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 8k+20 ++ ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+20 ++ eor3 $res5b, $ctr_t5b, $ctr5b, $rk12 @ AES block 5 - result ++ eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low ++ ++ eor3 $res3b, $ctr_t3b, $ctr3b, $rk12 @ AES block 8k+11 - result ++ mov $ctr3.16b, $h4.16b @ CTR block 8k+19 ++ ++ stp $res2q, $res3q, [$output_ptr], #32 @ AES block 8k+10, 8k+11 - store result ++ ++ stp $res4q, $res5q, [$output_ptr], #32 @ AES block 8k+12, 8k+13 - store result ++ ++ cmp $input_ptr, $main_end_input_ptr @ LOOP CONTROL ++ stp $res6q, $res7q, [$output_ptr], #32 @ AES block 8k+14, 8k+15 - store result ++ b.lt .L192_enc_main_loop ++ ++.L192_enc_prepretail: @ PREPRETAIL ++ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13 ++ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13 ++ ++ ldr $h7q, [$current_tag, #176] @ load h7l | h7h ++ ext $h7.16b, $h7.16b, $h7.16b, #8 ++ ldr $h8q, [$current_tag, #208] @ load h8l | h8h ++ ext $h8.16b, $h8.16b, $h8.16b, #8 ++ rev64 $res0b, $res0b @ GHASH block 8k ++ ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0 ++ ++ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14 ++ ldr $h56kq, [$current_tag, #144] @ load h6k | h5k ++ ldr $h78kq, [$current_tag, #192] @ load h8k | h7k ++ ++ rev64 $res3b, $res3b @ GHASH block 8k+3 ++ rev64 $res2b, $res2b @ GHASH block 8k+2 ++ ldr $h5q, [$current_tag, #128] @ load h5l | h5h ++ ext $h5.16b, $h5.16b, $h5.16b, #8 ++ ldr $h6q, [$current_tag, #160] @ load h6l | h6h ++ ext $h6.16b, $h6.16b, $h6.16b, #8 ++ ++ eor $res0b, $res0b, $acc_lb @ PRE 1 ++ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15 ++ rev64 $res1b, $res1b @ GHASH block 8k+1 ++ ++ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0 ++ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0 ++ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0 ++ ++ pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high ++ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0 ++ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0 ++ ++ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0 ++ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0 ++ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high ++ ++ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1 ++ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low ++ trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ ++ trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0 ++ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 ++ ++ pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low ++ eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high ++ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1 ++ ++ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1 ++ eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid ++ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1 ++ ++ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1 ++ pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high ++ pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high ++ ++ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1 ++ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1 ++ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1 ++ ++ pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low ++ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2 ++ eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low ++ ++ pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low ++ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2 ++ eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high ++ ++ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3 ++ trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2 ++ ++ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2 ++ pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid ++ trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ ++ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2 ++ rev64 $res5b, $res5b @ GHASH block 8k+5 (t0, t1, t2 and t3 free) ++ rev64 $res6b, $res6b @ GHASH block 8k+6 (t0, t1, and t2 free) ++ ++ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2 ++ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2 ++ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2 ++ ++ eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid ++ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 ++ ++ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3 ++ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3 ++ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3 ++ ++ eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid ++ eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low ++ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3 ++ ++ ldr $h3q, [$current_tag, #80] @ load h3l | h3h ++ ext $h3.16b, $h3.16b, $h3.16b, #8 ++ ldr $h4q, [$current_tag, #112] @ load h4l | h4h ++ ext $h4.16b, $h4.16b, $h4.16b, #8 ++ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3 ++ pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid ++ ++ ldr $h1q, [$current_tag, #32] @ load h1l | h1h ++ ext $h1.16b, $h1.16b, $h1.16b, #8 ++ ldr $h2q, [$current_tag, #64] @ load h1l | h1h ++ ext $h2.16b, $h2.16b, $h2.16b, #8 ++ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3 ++ rev64 $res4b, $res4b @ GHASH block 8k+4 (t0, t1, and t2 free) ++ ++ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3 ++ pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid ++ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4 ++ ++ trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4 ++ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4 ++ ++ eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4 ++ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4 ++ ++ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4 ++ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4 ++ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4 ++ ++ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5 ++ rev64 $res7b, $res7b @ GHASH block 8k+7 (t0, t1, t2 and t3 free) ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ ++ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5 ++ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5 ++ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 ++ ++ pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high ++ pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high ++ pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low ++ ++ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5 ++ trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ ++ pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high ++ pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low ++ pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low ++ ++ trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ ++ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5 ++ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6 ++ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5 ++ ++ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5 ++ eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5 ++ ++ pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid ++ pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid ++ ++ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6 ++ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6 ++ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7 ++ ++ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6 ++ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6 ++ eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ ++ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6 ++ eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high ++ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7 ++ ++ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6 ++ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant ++ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6 ++ ++ pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid ++ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7 ++ eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low ++ ++ pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high ++ pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid ++ pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low ++ ++ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7 ++ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7 ++ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 ++ ++ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7 ++ eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ ++ eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low ++ eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high ++ ++ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up ++ ext $t12.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment ++ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7 ++ pmull $t11.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid ++ ++ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 ++ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 ++ ++ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7 ++ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 ++ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid ++ ++ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 ++ aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 9 ++ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 ++ ++ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 ++ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 ++ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 ++ ++ aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 9 ++ ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11 ++ aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 9 ++ ++ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 9 ++ aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 9 ++ ++ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment ++ aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 9 ++ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 9 ++ aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 9 ++ ++ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low ++ ldr $rk12q, [$cc, #192] @ load rk12 ++ ++ aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 10 ++ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 10 ++ aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 10 ++ ++ eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low ++ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 10 ++ aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 10 ++ ++ aese $ctr1b, $rk11 @ AES block 8k+9 - round 11 ++ aese $ctr7b, $rk11 @ AES block 8k+15 - round 11 ++ ++ aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 10 ++ aese $ctr3b, $rk11 @ AES block 8k+11 - round 11 ++ ++ aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 10 ++ aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 10 ++ ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15 ++ aese $ctr2b, $rk11 @ AES block 8k+10 - round 11 ++ aese $ctr0b, $rk11 @ AES block 8k+8 - round 11 ++ ++ aese $ctr6b, $rk11 @ AES block 8k+14 - round 11 ++ aese $ctr4b, $rk11 @ AES block 8k+12 - round 11 ++ aese $ctr5b, $rk11 @ AES block 8k+13 - round 11 ++ ++.L192_enc_tail: @ TAIL ++ ++ ldp $h5q, $h56kq, [$current_tag, #128] @ load h5l | h5h ++ ext $h5.16b, $h5.16b, $h5.16b, #8 ++ sub $main_end_input_ptr, $end_input_ptr, $input_ptr @ main_end_input_ptr is number of bytes left to process ++ ++ ldr $ctr_t0q, [$input_ptr], #16 @ AES block 8k+8 - l3ad plaintext ++ ++ ldp $h78kq, $h8q, [$current_tag, #192] @ load h8l | h8h ++ ext $h8.16b, $h8.16b, $h8.16b, #8 ++ ++ mov $t1.16b, $rk12 ++ ++ ldp $h6q, $h7q, [$current_tag, #160] @ load h6l | h6h ++ ext $h6.16b, $h6.16b, $h6.16b, #8 ++ ext $h7.16b, $h7.16b, $h7.16b, #8 ++ cmp $main_end_input_ptr, #112 ++ ++ eor3 $res1b, $ctr_t0b, $ctr0b, $t1.16b @ AES block 8k+8 - result ++ ext $t0.16b, $acc_lb, $acc_lb, #8 @ prepare final partial tag ++ b.gt .L192_enc_blocks_more_than_7 ++ ++ cmp $main_end_input_ptr, #96 ++ mov $ctr7b, $ctr6b ++ movi $acc_h.8b, #0 ++ ++ mov $ctr6b, $ctr5b ++ movi $acc_l.8b, #0 ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ ++ mov $ctr5b, $ctr4b ++ mov $ctr4b, $ctr3b ++ mov $ctr3b, $ctr2b ++ ++ mov $ctr2b, $ctr1b ++ movi $acc_m.8b, #0 ++ b.gt .L192_enc_blocks_more_than_6 ++ ++ mov $ctr7b, $ctr6b ++ cmp $main_end_input_ptr, #80 ++ ++ mov $ctr6b, $ctr5b ++ mov $ctr5b, $ctr4b ++ mov $ctr4b, $ctr3b ++ ++ mov $ctr3b, $ctr1b ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ b.gt .L192_enc_blocks_more_than_5 ++ ++ cmp $main_end_input_ptr, #64 ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ ++ mov $ctr7b, $ctr6b ++ mov $ctr6b, $ctr5b ++ mov $ctr5b, $ctr4b ++ ++ mov $ctr4b, $ctr1b ++ b.gt .L192_enc_blocks_more_than_4 ++ ++ mov $ctr7b, $ctr6b ++ mov $ctr6b, $ctr5b ++ mov $ctr5b, $ctr1b ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ cmp $main_end_input_ptr, #48 ++ b.gt .L192_enc_blocks_more_than_3 ++ ++ mov $ctr7b, $ctr6b ++ mov $ctr6b, $ctr1b ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ cmp $main_end_input_ptr, #32 ++ b.gt .L192_enc_blocks_more_than_2 ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ ++ cmp $main_end_input_ptr, #16 ++ mov $ctr7b, $ctr1b ++ b.gt .L192_enc_blocks_more_than_1 ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ b .L192_enc_blocks_less_than_1 ++.L192_enc_blocks_more_than_7: @ blocks left > 7 ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-7 block - store result ++ ++ rev64 $res0b, $res1b @ GHASH final-7 block ++ ins $acc_m.d[0], $h78k.d[1] @ GHASH final-7 block - mid ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-7 block - mid ++ ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-6 block - load plaintext ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-7 block - mid ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH final-7 block - low ++ ++ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH final-7 block - high ++ ++ pmull $acc_m.1q, $rk4v.1d, $acc_m.1d @ GHASH final-7 block - mid ++ eor3 $res1b, $ctr_t1b, $ctr1b, $t1.16b @ AES final-6 block - result ++.L192_enc_blocks_more_than_6: @ blocks left > 6 ++ ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-6 block - store result ++ ++ rev64 $res0b, $res1b @ GHASH final-6 block ++ ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-5 block - load plaintext ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-6 block - mid ++ ++ pmull $rk3q1, $res0.1d, $h7.1d @ GHASH final-6 block - low ++ eor3 $res1b, $ctr_t1b, $ctr2b, $t1.16b @ AES final-5 block - result ++ ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ pmull2 $rk2q1, $res0.2d, $h7.2d @ GHASH final-6 block - high ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-6 block - mid ++ ++ pmull $rk4v.1q, $rk4v.1d, $h78k.1d @ GHASH final-6 block - mid ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-6 block - high ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-6 block - low ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-6 block - mid ++.L192_enc_blocks_more_than_5: @ blocks left > 5 ++ ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-5 block - store result ++ ++ rev64 $res0b, $res1b @ GHASH final-5 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-5 block - mid ++ ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-4 block - load plaintext ++ pmull2 $rk2q1, $res0.2d, $h6.2d @ GHASH final-5 block - high ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-5 block - mid ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-5 block - high ++ ++ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-5 block - mid ++ pmull $rk3q1, $res0.1d, $h6.1d @ GHASH final-5 block - low ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-5 block - low ++ pmull2 $rk4v.1q, $rk4v.2d, $h56k.2d @ GHASH final-5 block - mid ++ ++ eor3 $res1b, $ctr_t1b, $ctr3b, $t1.16b @ AES final-4 block - result ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-5 block - mid ++.L192_enc_blocks_more_than_4: @ blocks left > 4 ++ ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-4 block - store result ++ ++ rev64 $res0b, $res1b @ GHASH final-4 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-3 block - load plaintext ++ pmull2 $rk2q1, $res0.2d, $h5.2d @ GHASH final-4 block - high ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-4 block - mid ++ ++ pmull $rk3q1, $res0.1d, $h5.1d @ GHASH final-4 block - low ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-4 block - high ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-4 block - mid ++ ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-4 block - low ++ ++ pmull $rk4v.1q, $rk4v.1d, $h56k.1d @ GHASH final-4 block - mid ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-4 block - mid ++ eor3 $res1b, $ctr_t1b, $ctr4b, $t1.16b @ AES final-3 block - result ++.L192_enc_blocks_more_than_3: @ blocks left > 3 ++ ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-3 block - store result ++ ++ rev64 $res0b, $res1b @ GHASH final-3 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-2 block - load plaintext ++ ldr $h4q, [$current_tag, #112] @ load h4l | h4h ++ ext $h4.16b, $h4.16b, $h4.16b, #8 ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-3 block - mid ++ ++ eor3 $res1b, $ctr_t1b, $ctr5b, $t1.16b @ AES final-2 block - result ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-3 block - mid ++ ++ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-3 block - mid ++ pmull $rk3q1, $res0.1d, $h4.1d @ GHASH final-3 block - low ++ ++ pmull2 $rk2q1, $res0.2d, $h4.2d @ GHASH final-3 block - high ++ pmull2 $rk4v.1q, $rk4v.2d, $h34k.2d @ GHASH final-3 block - mid ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-3 block - low ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-3 block - mid ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-3 block - high ++.L192_enc_blocks_more_than_2: @ blocks left > 2 ++ ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-2 block - store result ++ ++ rev64 $res0b, $res1b @ GHASH final-2 block ++ ldr $h3q, [$current_tag, #80] @ load h3l | h3h ++ ext $h3.16b, $h3.16b, $h3.16b, #8 ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-1 block - load plaintext ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-2 block - mid ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-2 block - mid ++ ++ pmull $rk3q1, $res0.1d, $h3.1d @ GHASH final-2 block - low ++ pmull2 $rk2q1, $res0.2d, $h3.2d @ GHASH final-2 block - high ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ pmull $rk4v.1q, $rk4v.1d, $h34k.1d @ GHASH final-2 block - mid ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-2 block - low ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-2 block - high ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-2 block - mid ++ eor3 $res1b, $ctr_t1b, $ctr6b, $t1.16b @ AES final-1 block - result ++.L192_enc_blocks_more_than_1: @ blocks left > 1 ++ ++ ldr $h2q, [$current_tag, #64] @ load h1l | h1h ++ ext $h2.16b, $h2.16b, $h2.16b, #8 ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-1 block - store result ++ ++ rev64 $res0b, $res1b @ GHASH final-1 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-1 block - mid ++ pmull $rk3q1, $res0.1d, $h2.1d @ GHASH final-1 block - low ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-1 block - low ++ pmull2 $rk2q1, $res0.2d, $h2.2d @ GHASH final-1 block - high ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-1 block - mid ++ ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final block - load plaintext ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ ++ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-1 block - mid ++ ++ eor3 $res1b, $ctr_t1b, $ctr7b, $t1.16b @ AES final block - result ++ pmull2 $rk4v.1q, $rk4v.2d, $h12k.2d @ GHASH final-1 block - mid ++ ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-1 block - mid ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-1 block - high ++.L192_enc_blocks_less_than_1: @ blocks left <= 1 ++ ++ mvn $temp0_x, xzr @ temp0_x = 0xffffffffffffffff ++ and $bit_length, $bit_length, #127 @ bit_length %= 128 ++ ++ sub $bit_length, $bit_length, #128 @ bit_length -= 128 ++ ++ neg $bit_length, $bit_length @ bit_length = 128 - #bits in input (in range [1,128]) ++ ++ and $bit_length, $bit_length, #127 @ bit_length %= 128 ++ ++ lsr $temp0_x, $temp0_x, $bit_length @ temp0_x is mask for top 64b of last block ++ cmp $bit_length, #64 ++ mvn $temp1_x, xzr @ temp1_x = 0xffffffffffffffff ++ ++ csel $temp2_x, $temp1_x, $temp0_x, lt ++ csel $temp3_x, $temp0_x, xzr, lt ++ ++ mov $ctr0.d[1], $temp3_x ++ ldr $h1q, [$current_tag, #32] @ load h1l | h1h ++ ext $h1.16b, $h1.16b, $h1.16b, #8 ++ ++ ld1 { $rk0}, [$output_ptr] @ load existing bytes where the possibly partial last block is to be stored ++ mov $ctr0.d[0], $temp2_x @ ctr0b is mask for last block ++ ++ and $res1b, $res1b, $ctr0b @ possibly partial last block has zeroes in highest bits ++ ++ rev64 $res0b, $res1b @ GHASH final block ++ bif $res1b, $rk0, $ctr0b @ insert existing bytes in top end of result before storing ++ ++ st1 { $res1b}, [$output_ptr] @ store all 16B ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $t0.d[0], $res0.d[1] @ GHASH final block - mid ++ pmull2 $rk2q1, $res0.2d, $h1.2d @ GHASH final block - high ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final block - high ++ pmull $rk3q1, $res0.1d, $h1.1d @ GHASH final block - low ++ ++ eor $t0.8b, $t0.8b, $res0.8b @ GHASH final block - mid ++ ++ pmull $t0.1q, $t0.1d, $h12k.1d @ GHASH final block - mid ++ ++ eor $acc_mb, $acc_mb, $t0.16b @ GHASH final block - mid ++ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final block - low ++ ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment ++ ++ rev32 $rtmp_ctr.16b, $rtmp_ctr.16b ++ ++ str $rtmp_ctrq, [$counter] @ store the updated counter ++ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up ++ ++ pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid ++ ++ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid ++ ++ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low ++ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment ++ ++ eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low ++ ext $acc_lb, $acc_lb, $acc_lb, #8 ++ rev64 $acc_lb, $acc_lb ++ st1 { $acc_l.16b }, [$current_tag] ++ ++ lsr x0, $bit_length, #3 @ return sizes ++ ++ ldp d10, d11, [sp, #16] ++ ldp d12, d13, [sp, #32] ++ ldp d14, d15, [sp, #48] ++ ldp d8, d9, [sp], #80 ++ ret ++ ++.L192_enc_ret: ++ mov w0, #0x0 ++ ret ++.size unroll8_eor3_aes_gcm_enc_192_kernel,.-unroll8_eor3_aes_gcm_enc_192_kernel ++___ ++ ++######################################################################################### ++# size_t unroll8_eor3_aes_gcm_dec_192_kernel(const unsigned char *in, ++# size_t len, ++# unsigned char *out, ++# const void *key, ++# unsigned char ivec[16], ++# u64 *Xi); ++# ++$code.=<<___; ++.global unroll8_eor3_aes_gcm_dec_192_kernel ++.type unroll8_eor3_aes_gcm_dec_192_kernel,%function ++.align 4 ++unroll8_eor3_aes_gcm_dec_192_kernel: ++ AARCH64_VALID_CALL_TARGET ++ cbz x1, .L192_dec_ret ++ stp d8, d9, [sp, #-80]! ++ mov $counter, x4 ++ mov $cc, x5 ++ stp d10, d11, [sp, #16] ++ stp d12, d13, [sp, #32] ++ stp d14, d15, [sp, #48] ++ mov x5, #0xc200000000000000 ++ stp x5, xzr, [sp, #64] ++ add $modulo_constant, sp, #64 ++ ++ lsr $main_end_input_ptr, $bit_length, #3 @ byte_len ++ ld1 { $ctr0b}, [$counter] @ CTR block 0 ++ ld1 { $acc_lb}, [$current_tag] ++ ++ mov $constant_temp, #0x100000000 @ set up counter increment ++ movi $rctr_inc.16b, #0x0 ++ mov $rctr_inc.d[1], $constant_temp ++ ++ rev32 $rtmp_ctr.16b, $ctr0.16b @ set up reversed counter ++ ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 0 ++ ++ rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 1 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 1 ++ ++ rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 2 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 2 ++ ++ rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 3 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 3 ++ ++ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 4 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 4 ++ ++ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 5 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 5 ++ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 ++ ++ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 6 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 6 ++ ++ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 7 ++ ++ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 ++ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 0 ++ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 0 ++ ++ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0 ++ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 ++ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 0 ++ ++ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 ++ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 0 ++ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 ++ ++ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 ++ ++ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 ++ ++ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 1 ++ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 ++ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 1 ++ ++ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 1 ++ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 1 ++ ++ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 2 ++ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 ++ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 1 ++ ++ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 2 ++ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2 ++ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 ++ ++ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 ++ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 2 ++ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 2 ++ ++ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 3 ++ ++ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 ++ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3 ++ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 3 ++ ++ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 3 ++ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 3 ++ ++ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 3 ++ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 3 ++ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 3 ++ ++ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 4 ++ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 4 ++ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 4 ++ ++ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 4 ++ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 4 ++ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 4 ++ ++ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 4 ++ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 5 ++ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 4 ++ ++ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 5 ++ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 ++ ++ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 5 ++ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 5 ++ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 5 ++ ++ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 5 ++ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 5 ++ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 5 ++ ++ sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1 ++ ++ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 6 ++ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 6 ++ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 6 ++ ++ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 6 ++ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 6 ++ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 6 ++ ++ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 6 ++ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 6 ++ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 ++ ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 7 ++ ++ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 7 ++ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 7 ++ ++ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 7 ++ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 7 ++ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 7 ++ ++ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 7 ++ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 7 ++ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 7 ++ ++ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 8 ++ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 8 ++ and $main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffff80 @ number of bytes to be processed in main loop (at least 1 byte must be handled by tail) ++ ++ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 8 ++ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 8 ++ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 8 ++ ++ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 8 ++ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 8 ++ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 8 ++ ++ add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr ++ aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 9 ++ ++ ld1 { $acc_lb}, [$current_tag] ++ ext $acc_lb, $acc_lb, $acc_lb, #8 ++ rev64 $acc_lb, $acc_lb ++ ++ ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11 ++ ++ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 9 ++ add $main_end_input_ptr, $main_end_input_ptr, $input_ptr ++ ++ aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 9 ++ aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 9 ++ aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 9 ++ ++ cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks ++ aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 9 ++ ++ aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 9 ++ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 9 ++ ++ aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 10 ++ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 10 ++ aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 10 ++ ++ aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 10 ++ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 10 ++ aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 10 ++ ++ aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 10 ++ aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 10 ++ ldr $rk12q, [$cc, #192] @ load rk12 ++ ++ aese $ctr0b, $rk11 @ AES block 0 - round 11 ++ aese $ctr1b, $rk11 @ AES block 1 - round 11 ++ aese $ctr4b, $rk11 @ AES block 4 - round 11 ++ ++ aese $ctr6b, $rk11 @ AES block 6 - round 11 ++ aese $ctr5b, $rk11 @ AES block 5 - round 11 ++ aese $ctr7b, $rk11 @ AES block 7 - round 11 ++ ++ aese $ctr2b, $rk11 @ AES block 2 - round 11 ++ aese $ctr3b, $rk11 @ AES block 3 - round 11 ++ b.ge .L192_dec_tail @ handle tail ++ ++ ldp $res0q, $res1q, [$input_ptr], #32 @ AES block 0, 1 - load ciphertext ++ ++ ldp $res2q, $res3q, [$input_ptr], #32 @ AES block 2, 3 - load ciphertext ++ ++ ldp $res4q, $res5q, [$input_ptr], #32 @ AES block 4, 5 - load ciphertext ++ ++ eor3 $ctr1b, $res1b, $ctr1b, $rk12 @ AES block 1 - result ++ eor3 $ctr0b, $res0b, $ctr0b, $rk12 @ AES block 0 - result ++ stp $ctr0q, $ctr1q, [$output_ptr], #32 @ AES block 0, 1 - store result ++ ++ rev32 $ctr0.16b, $rtmp_ctr.16b @ CTR block 8 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8 ++ ++ rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 9 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 9 ++ eor3 $ctr3b, $res3b, $ctr3b, $rk12 @ AES block 3 - result ++ ++ eor3 $ctr2b, $res2b, $ctr2b, $rk12 @ AES block 2 - result ++ stp $ctr2q, $ctr3q, [$output_ptr], #32 @ AES block 2, 3 - store result ++ ldp $res6q, $res7q, [$input_ptr], #32 @ AES block 6, 7 - load ciphertext ++ ++ rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 10 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 10 ++ ++ eor3 $ctr4b, $res4b, $ctr4b, $rk12 @ AES block 4 - result ++ ++ rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 11 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 11 ++ ++ eor3 $ctr5b, $res5b, $ctr5b, $rk12 @ AES block 5 - result ++ stp $ctr4q, $ctr5q, [$output_ptr], #32 @ AES block 4, 5 - store result ++ cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks ++ ++ eor3 $ctr6b, $res6b, $ctr6b, $rk12 @ AES block 6 - result ++ eor3 $ctr7b, $res7b, $ctr7b, $rk12 @ AES block 7 - result ++ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 12 ++ ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 12 ++ stp $ctr6q, $ctr7q, [$output_ptr], #32 @ AES block 6, 7 - store result ++ b.ge .L192_dec_prepretail @ do prepretail ++ ++.L192_dec_main_loop: @ main loop start ++ rev64 $res1b, $res1b @ GHASH block 8k+1 ++ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 ++ ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0 ++ ++ rev64 $res0b, $res0b @ GHASH block 8k ++ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13 ++ ++ ldr $h7q, [$current_tag, #176] @ load h7l | h7h ++ ext $h7.16b, $h7.16b, $h7.16b, #8 ++ ldr $h8q, [$current_tag, #208] @ load h8l | h8h ++ ext $h8.16b, $h8.16b, $h8.16b, #8 ++ rev64 $res4b, $res4b @ GHASH block 8k+4 ++ rev64 $res3b, $res3b @ GHASH block 8k+3 ++ ++ eor $res0b, $res0b, $acc_lb @ PRE 1 ++ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14 ++ ++ rev64 $res5b, $res5b @ GHASH block 8k+5 ++ ++ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15 ++ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0 ++ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0 ++ ++ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0 ++ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0 ++ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0 ++ ++ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0 ++ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0 ++ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0 ++ ++ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low ++ pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high ++ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 ++ ++ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1 ++ pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low ++ ldr $h5q, [$current_tag, #128] @ load h5l | h5h ++ ext $h5.16b, $h5.16b, $h5.16b, #8 ++ ldr $h6q, [$current_tag, #160] @ load h6l | h6h ++ ext $h6.16b, $h6.16b, $h6.16b, #8 ++ ++ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1 ++ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1 ++ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1 ++ ++ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high ++ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1 ++ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1 ++ ++ trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ rev64 $res2b, $res2b @ GHASH block 8k+2 ++ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1 ++ ++ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1 ++ ldr $h56kq, [$current_tag, #144] @ load h6k | h5k ++ ldr $h78kq, [$current_tag, #192] @ load h8k | h7k ++ trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ ++ eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high ++ pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high ++ pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high ++ ++ eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid ++ eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low ++ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2 ++ ++ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2 ++ pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low ++ eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high ++ ++ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2 ++ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3 ++ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2 ++ ++ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2 ++ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2 ++ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2 ++ ++ ldr $h3q, [$current_tag, #80] @ load h3l | h3h ++ ext $h3.16b, $h3.16b, $h3.16b, #8 ++ ldr $h4q, [$current_tag, #112] @ load h4l | h4h ++ ext $h4.16b, $h4.16b, $h4.16b, #8 ++ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2 ++ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3 ++ ++ pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low ++ trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ ++ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3 ++ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3 ++ ++ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3 ++ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3 ++ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 ++ ++ eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low ++ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3 ++ ++ trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15 ++ ++ pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid ++ pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid ++ pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid ++ ++ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3 ++ pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid ++ pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high ++ ++ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4 ++ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4 ++ eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid ++ ++ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4 ++ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4 ++ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4 ++ ++ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4 ++ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4 ++ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4 ++ ++ ldr $h1q, [$current_tag, #32] @ load h1l | h1h ++ ext $h1.16b, $h1.16b, $h1.16b, #8 ++ ldr $h2q, [$current_tag, #64] @ load h1l | h1h ++ ext $h2.16b, $h2.16b, $h2.16b, #8 ++ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5 ++ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5 ++ ++ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 ++ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5 ++ rev64 $res7b, $res7b @ GHASH block 8k+7 ++ ++ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5 ++ eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5 ++ ++ pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low ++ trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5 ++ ++ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5 ++ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5 ++ rev64 $res6b, $res6b @ GHASH block 8k+6 ++ ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high ++ pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low ++ ++ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6 ++ eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ ++ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6 ++ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6 ++ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6 ++ ++ pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high ++ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6 ++ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6 ++ ++ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7 ++ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7 ++ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6 ++ ++ pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid ++ eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high ++ eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low ++ ++ pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low ++ trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6 ++ ++ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7 ++ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 ++ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7 ++ ++ eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid ++ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7 ++ ++ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7 ++ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7 ++ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7 ++ ++ eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid ++ pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high ++ ++ pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid ++ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant ++ pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low ++ ++ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 ++ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 ++ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 ++ ++ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 ++ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 ++ eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low ++ ++ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 ++ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 ++ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 ++ ++ eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high ++ rev32 $h1.16b, $rtmp_ctr.16b @ CTR block 8k+16 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+16 ++ ++ aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 9 ++ eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 9 ++ ++ aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 9 ++ aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 9 ++ ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11 ++ ++ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up ++ ldp $res0q, $res1q, [$input_ptr], #32 @ AES block 8k+8, 8k+9 - load ciphertext ++ ++ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 9 ++ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 9 ++ ldp $res2q, $res3q, [$input_ptr], #32 @ AES block 8k+10, 8k+11 - load ciphertext ++ ++ rev32 $h2.16b, $rtmp_ctr.16b @ CTR block 8k+17 ++ pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+17 ++ ++ aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 9 ++ aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 9 ++ ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment ++ ++ aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 10 ++ aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 10 ++ ldp $res4q, $res5q, [$input_ptr], #32 @ AES block 8k+12, 8k+13 - load ciphertext ++ ++ rev32 $h3.16b, $rtmp_ctr.16b @ CTR block 8k+18 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+18 ++ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid ++ ++ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 10 ++ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 10 ++ ldr $rk12q, [$cc, #192] @ load rk12 ++ ++ ldp $res6q, $res7q, [$input_ptr], #32 @ AES block 8k+14, 8k+15 - load ciphertext ++ aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 10 ++ aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 10 ++ ++ aese $ctr0b, $rk11 @ AES block 8k+8 - round 11 ++ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment ++ aese $ctr1b, $rk11 @ AES block 8k+9 - round 11 ++ ++ aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 10 ++ aese $ctr6b, $rk11 @ AES block 8k+14 - round 11 ++ aese $ctr3b, $rk11 @ AES block 8k+11 - round 11 ++ ++ eor3 $ctr0b, $res0b, $ctr0b, $rk12 @ AES block 8k+8 - result ++ rev32 $h4.16b, $rtmp_ctr.16b @ CTR block 8k+19 ++ aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 10 ++ ++ aese $ctr4b, $rk11 @ AES block 8k+12 - round 11 ++ aese $ctr2b, $rk11 @ AES block 8k+10 - round 11 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+19 ++ ++ aese $ctr7b, $rk11 @ AES block 8k+15 - round 11 ++ aese $ctr5b, $rk11 @ AES block 8k+13 - round 11 ++ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low ++ ++ eor3 $ctr1b, $res1b, $ctr1b, $rk12 @ AES block 8k+9 - result ++ stp $ctr0q, $ctr1q, [$output_ptr], #32 @ AES block 8k+8, 8k+9 - store result ++ eor3 $ctr3b, $res3b, $ctr3b, $rk12 @ AES block 8k+11 - result ++ ++ eor3 $ctr2b, $res2b, $ctr2b, $rk12 @ AES block 8k+10 - result ++ eor3 $ctr7b, $res7b, $ctr7b, $rk12 @ AES block 8k+15 - result ++ stp $ctr2q, $ctr3q, [$output_ptr], #32 @ AES block 8k+10, 8k+11 - store result ++ ++ eor3 $ctr5b, $res5b, $ctr5b, $rk12 @ AES block 8k+13 - result ++ eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low ++ mov $ctr3.16b, $h4.16b @ CTR block 8k+19 ++ ++ eor3 $ctr4b, $res4b, $ctr4b, $rk12 @ AES block 8k+12 - result ++ stp $ctr4q, $ctr5q, [$output_ptr], #32 @ AES block 8k+12, 8k+13 - store result ++ cmp $input_ptr, $main_end_input_ptr @ LOOP CONTROL ++ ++ eor3 $ctr6b, $res6b, $ctr6b, $rk12 @ AES block 8k+14 - result ++ stp $ctr6q, $ctr7q, [$output_ptr], #32 @ AES block 8k+14, 8k+15 - store result ++ mov $ctr0.16b, $h1.16b @ CTR block 8k+16 ++ ++ mov $ctr1.16b, $h2.16b @ CTR block 8k+17 ++ mov $ctr2.16b, $h3.16b @ CTR block 8k+18 ++ ++ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 8k+20 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+20 ++ b.lt .L192_dec_main_loop ++ ++.L192_dec_prepretail: @ PREPRETAIL ++ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 ++ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13 ++ ++ ldr $h7q, [$current_tag, #176] @ load h7l | h7h ++ ext $h7.16b, $h7.16b, $h7.16b, #8 ++ ldr $h8q, [$current_tag, #208] @ load h8l | h8h ++ ext $h8.16b, $h8.16b, $h8.16b, #8 ++ rev64 $res0b, $res0b @ GHASH block 8k ++ ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0 ++ ++ rev64 $res3b, $res3b @ GHASH block 8k+3 ++ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14 ++ ++ eor $res0b, $res0b, $acc_lb @ PRE 1 ++ rev64 $res2b, $res2b @ GHASH block 8k+2 ++ rev64 $res1b, $res1b @ GHASH block 8k+1 ++ ++ ldr $h5q, [$current_tag, #128] @ load h5l | h5h ++ ext $h5.16b, $h5.16b, $h5.16b, #8 ++ ldr $h6q, [$current_tag, #160] @ load h6l | h6h ++ ext $h6.16b, $h6.16b, $h6.16b, #8 ++ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15 ++ ++ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0 ++ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0 ++ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0 ++ ++ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0 ++ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0 ++ pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high ++ ++ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0 ++ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high ++ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0 ++ ++ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1 ++ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0 ++ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 ++ ++ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1 ++ pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high ++ pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low ++ ++ pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low ++ eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high ++ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1 ++ ++ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low ++ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1 ++ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1 ++ ++ trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high ++ ++ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1 ++ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1 ++ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1 ++ ++ ldr $h56kq, [$current_tag, #144] @ load h6k | h5k ++ ldr $h78kq, [$current_tag, #192] @ load h8k | h7k ++ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2 ++ eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid ++ ++ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2 ++ rev64 $res5b, $res5b @ GHASH block 8k+5 ++ pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low ++ ++ eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high ++ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2 ++ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2 ++ ++ trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3 ++ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2 ++ ++ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2 ++ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2 ++ trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ ++ pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid ++ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2 ++ pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid ++ ++ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3 ++ eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low ++ ++ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3 ++ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3 ++ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3 ++ ++ eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low ++ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 ++ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3 ++ ++ ldr $h3q, [$current_tag, #80] @ load h3l | h3h ++ ext $h3.16b, $h3.16b, $h3.16b, #8 ++ ldr $h4q, [$current_tag, #112] @ load h4l | h4h ++ ext $h4.16b, $h4.16b, $h4.16b, #8 ++ pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid ++ pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid ++ ++ ldr $h1q, [$current_tag, #32] @ load h1l | h1h ++ ext $h1.16b, $h1.16b, $h1.16b, #8 ++ ldr $h2q, [$current_tag, #64] @ load h1l | h1h ++ ext $h2.16b, $h2.16b, $h2.16b, #8 ++ eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid ++ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3 ++ ++ rev64 $res7b, $res7b @ GHASH block 8k+7 ++ ++ eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ rev64 $res4b, $res4b @ GHASH block 8k+4 ++ ++ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4 ++ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4 ++ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3 ++ ++ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4 ++ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4 ++ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4 ++ ++ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4 ++ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4 ++ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4 ++ ++ rev64 $res6b, $res6b @ GHASH block 8k+6 ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ ++ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5 ++ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5 ++ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5 ++ ++ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 ++ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5 ++ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5 ++ ++ pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high ++ pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high ++ pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low ++ ++ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5 ++ ++ pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low ++ trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high ++ ++ pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low ++ trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5 ++ ++ trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5 ++ eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ ++ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6 ++ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6 ++ ++ eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6 ++ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6 ++ ++ pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid ++ pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid ++ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6 ++ ++ pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid ++ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6 ++ pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high ++ ++ eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7 ++ eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low ++ ++ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6 ++ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6 ++ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7 ++ ++ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 ++ pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid ++ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7 ++ ++ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant ++ eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high ++ pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low ++ ++ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7 ++ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7 ++ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7 ++ ++ eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high ++ eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low ++ eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ ++ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7 ++ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7 ++ ++ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up ++ ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment ++ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 ++ ++ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 ++ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 ++ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 ++ ++ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 ++ pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid ++ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 ++ ++ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 ++ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 ++ ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11 ++ ++ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid ++ aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 9 ++ aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 9 ++ ++ aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 9 ++ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 9 ++ aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 9 ++ ++ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 9 ++ aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 9 ++ aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 9 ++ ++ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low ++ ldr $rk12q, [$cc, #192] @ load rk12 ++ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment ++ ++ aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 10 ++ aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 10 ++ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 10 ++ ++ aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 10 ++ aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 10 ++ aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 10 ++ ++ aese $ctr0b, $rk11 @ AES block 8k+8 - round 11 ++ eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low ++ aese $ctr5b, $rk11 @ AES block 8k+13 - round 11 ++ ++ aese $ctr2b, $rk11 @ AES block 8k+10 - round 11 ++ aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 10 ++ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 10 ++ ++ aese $ctr6b, $rk11 @ AES block 8k+14 - round 11 ++ aese $ctr4b, $rk11 @ AES block 8k+12 - round 11 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15 ++ ++ aese $ctr3b, $rk11 @ AES block 8k+11 - round 11 ++ aese $ctr1b, $rk11 @ AES block 8k+9 - round 11 ++ aese $ctr7b, $rk11 @ AES block 8k+15 - round 11 ++ ++.L192_dec_tail: @ TAIL ++ ++ sub $main_end_input_ptr, $end_input_ptr, $input_ptr @ main_end_input_ptr is number of bytes left to process ++ ++ ldp $h5q, $h56kq, [$current_tag, #128] @ load h5l | h5h ++ ext $h5.16b, $h5.16b, $h5.16b, #8 ++ ldr $res1q, [$input_ptr], #16 @ AES block 8k+8 - load ciphertext ++ ++ ldp $h78kq, $h8q, [$current_tag, #192] @ load h8l | h8h ++ ext $h8.16b, $h8.16b, $h8.16b, #8 ++ ++ mov $t1.16b, $rk12 ++ ++ ldp $h6q, $h7q, [$current_tag, #160] @ load h6l | h6h ++ ext $h6.16b, $h6.16b, $h6.16b, #8 ++ ext $h7.16b, $h7.16b, $h7.16b, #8 ++ ext $t0.16b, $acc_lb, $acc_lb, #8 @ prepare final partial tag ++ ++ eor3 $res4b, $res1b, $ctr0b, $t1.16b @ AES block 8k+8 - result ++ cmp $main_end_input_ptr, #112 ++ b.gt .L192_dec_blocks_more_than_7 ++ ++ mov $ctr7b, $ctr6b ++ movi $acc_h.8b, #0 ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ ++ mov $ctr6b, $ctr5b ++ mov $ctr5b, $ctr4b ++ mov $ctr4b, $ctr3b ++ ++ cmp $main_end_input_ptr, #96 ++ movi $acc_l.8b, #0 ++ mov $ctr3b, $ctr2b ++ ++ mov $ctr2b, $ctr1b ++ movi $acc_m.8b, #0 ++ b.gt .L192_dec_blocks_more_than_6 ++ ++ mov $ctr7b, $ctr6b ++ mov $ctr6b, $ctr5b ++ mov $ctr5b, $ctr4b ++ ++ mov $ctr4b, $ctr3b ++ mov $ctr3b, $ctr1b ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ cmp $main_end_input_ptr, #80 ++ b.gt .L192_dec_blocks_more_than_5 ++ ++ mov $ctr7b, $ctr6b ++ mov $ctr6b, $ctr5b ++ ++ mov $ctr5b, $ctr4b ++ mov $ctr4b, $ctr1b ++ cmp $main_end_input_ptr, #64 ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ b.gt .L192_dec_blocks_more_than_4 ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ mov $ctr7b, $ctr6b ++ mov $ctr6b, $ctr5b ++ ++ mov $ctr5b, $ctr1b ++ cmp $main_end_input_ptr, #48 ++ b.gt .L192_dec_blocks_more_than_3 ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ mov $ctr7b, $ctr6b ++ cmp $main_end_input_ptr, #32 ++ ++ mov $ctr6b, $ctr1b ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ b.gt .L192_dec_blocks_more_than_2 ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ ++ mov $ctr7b, $ctr1b ++ cmp $main_end_input_ptr, #16 ++ b.gt .L192_dec_blocks_more_than_1 ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ b .L192_dec_blocks_less_than_1 ++.L192_dec_blocks_more_than_7: @ blocks left > 7 ++ rev64 $res0b, $res1b @ GHASH final-7 block ++ ++ ins $acc_m.d[0], $h78k.d[1] @ GHASH final-7 block - mid ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH final-7 block - high ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-7 block - mid ++ ldr $res1q, [$input_ptr], #16 @ AES final-6 block - load ciphertext ++ ++ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH final-7 block - low ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-7 block - mid ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-7 block - store result ++ ++ eor3 $res4b, $res1b, $ctr1b, $t1.16b @ AES final-6 block - result ++ ++ pmull $acc_m.1q, $rk4v.1d, $acc_m.1d @ GHASH final-7 block - mid ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++.L192_dec_blocks_more_than_6: @ blocks left > 6 ++ ++ rev64 $res0b, $res1b @ GHASH final-6 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ldr $res1q, [$input_ptr], #16 @ AES final-5 block - load ciphertext ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-6 block - mid ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-6 block - mid ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ pmull2 $rk2q1, $res0.2d, $h7.2d @ GHASH final-6 block - high ++ ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-6 block - store result ++ eor3 $res4b, $res1b, $ctr2b, $t1.16b @ AES final-5 block - result ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-6 block - high ++ pmull $rk4v.1q, $rk4v.1d, $h78k.1d @ GHASH final-6 block - mid ++ pmull $rk3q1, $res0.1d, $h7.1d @ GHASH final-6 block - low ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-6 block - mid ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-6 block - low ++.L192_dec_blocks_more_than_5: @ blocks left > 5 ++ ++ rev64 $res0b, $res1b @ GHASH final-5 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-5 block - mid ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-5 block - mid ++ ++ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-5 block - mid ++ pmull2 $rk2q1, $res0.2d, $h6.2d @ GHASH final-5 block - high ++ ++ ldr $res1q, [$input_ptr], #16 @ AES final-4 block - load ciphertext ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-5 block - high ++ pmull $rk3q1, $res0.1d, $h6.1d @ GHASH final-5 block - low ++ ++ pmull2 $rk4v.1q, $rk4v.2d, $h56k.2d @ GHASH final-5 block - mid ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-5 block - low ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-5 block - store result ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-5 block - mid ++ eor3 $res4b, $res1b, $ctr3b, $t1.16b @ AES final-4 block - result ++.L192_dec_blocks_more_than_4: @ blocks left > 4 ++ ++ rev64 $res0b, $res1b @ GHASH final-4 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ ldr $res1q, [$input_ptr], #16 @ AES final-3 block - load ciphertext ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-4 block - mid ++ pmull $rk3q1, $res0.1d, $h5.1d @ GHASH final-4 block - low ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-4 block - mid ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-4 block - low ++ ++ pmull $rk4v.1q, $rk4v.1d, $h56k.1d @ GHASH final-4 block - mid ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-4 block - store result ++ pmull2 $rk2q1, $res0.2d, $h5.2d @ GHASH final-4 block - high ++ ++ eor3 $res4b, $res1b, $ctr4b, $t1.16b @ AES final-3 block - result ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-4 block - mid ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-4 block - high ++.L192_dec_blocks_more_than_3: @ blocks left > 3 ++ ++ ldr $h4q, [$current_tag, #112] @ load h4l | h4h ++ ext $h4.16b, $h4.16b, $h4.16b, #8 ++ rev64 $res0b, $res1b @ GHASH final-3 block ++ ldr $res1q, [$input_ptr], #16 @ AES final-2 block - load ciphertext ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-3 block - mid ++ pmull2 $rk2q1, $res0.2d, $h4.2d @ GHASH final-3 block - high ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-3 block - high ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ pmull $rk3q1, $res0.1d, $h4.1d @ GHASH final-3 block - low ++ ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-3 block - store result ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-3 block - mid ++ eor3 $res4b, $res1b, $ctr5b, $t1.16b @ AES final-2 block - result ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-3 block - low ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ ++ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-3 block - mid ++ ++ pmull2 $rk4v.1q, $rk4v.2d, $h34k.2d @ GHASH final-3 block - mid ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-3 block - mid ++.L192_dec_blocks_more_than_2: @ blocks left > 2 ++ ++ rev64 $res0b, $res1b @ GHASH final-2 block ++ ldr $h3q, [$current_tag, #80] @ load h3l | h3h ++ ext $h3.16b, $h3.16b, $h3.16b, #8 ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-2 block - mid ++ ldr $res1q, [$input_ptr], #16 @ AES final-1 block - load ciphertext ++ ++ pmull2 $rk2q1, $res0.2d, $h3.2d @ GHASH final-2 block - high ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-2 block - mid ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-2 block - high ++ pmull $rk3q1, $res0.1d, $h3.1d @ GHASH final-2 block - low ++ ++ pmull $rk4v.1q, $rk4v.1d, $h34k.1d @ GHASH final-2 block - mid ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-2 block - low ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-2 block - store result ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-2 block - mid ++ eor3 $res4b, $res1b, $ctr6b, $t1.16b @ AES final-1 block - result ++.L192_dec_blocks_more_than_1: @ blocks left > 1 ++ ++ rev64 $res0b, $res1b @ GHASH final-1 block ++ ldr $res1q, [$input_ptr], #16 @ AES final block - load ciphertext ++ ldr $h2q, [$current_tag, #64] @ load h1l | h1h ++ ext $h2.16b, $h2.16b, $h2.16b, #8 ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ ++ pmull $rk3q1, $res0.1d, $h2.1d @ GHASH final-1 block - low ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-1 block - mid ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-1 block - store result ++ ++ pmull2 $rk2q1, $res0.2d, $h2.2d @ GHASH final-1 block - high ++ ++ eor3 $res4b, $res1b, $ctr7b, $t1.16b @ AES final block - result ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-1 block - mid ++ ++ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-1 block - mid ++ ++ pmull2 $rk4v.1q, $rk4v.2d, $h12k.2d @ GHASH final-1 block - mid ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-1 block - low ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-1 block - mid ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-1 block - high ++.L192_dec_blocks_less_than_1: @ blocks left <= 1 ++ ++ rev32 $rtmp_ctr.16b, $rtmp_ctr.16b ++ and $bit_length, $bit_length, #127 @ bit_length %= 128 ++ ++ sub $bit_length, $bit_length, #128 @ bit_length -= 128 ++ str $rtmp_ctrq, [$counter] @ store the updated counter ++ ++ neg $bit_length, $bit_length @ bit_length = 128 - #bits in input (in range [1,128]) ++ mvn $temp0_x, xzr @ temp0_x = 0xffffffffffffffff ++ ++ and $bit_length, $bit_length, #127 @ bit_length %= 128 ++ ++ mvn $temp1_x, xzr @ temp1_x = 0xffffffffffffffff ++ lsr $temp0_x, $temp0_x, $bit_length @ temp0_x is mask for top 64b of last block ++ cmp $bit_length, #64 ++ ++ csel $temp2_x, $temp1_x, $temp0_x, lt ++ csel $temp3_x, $temp0_x, xzr, lt ++ ldr $h1q, [$current_tag, #32] @ load h1l | h1h ++ ext $h1.16b, $h1.16b, $h1.16b, #8 ++ ++ mov $ctr0.d[1], $temp3_x ++ ld1 { $rk0}, [$output_ptr] @ load existing bytes where the possibly partial last block is to be stored ++ ++ mov $ctr0.d[0], $temp2_x @ ctr0b is mask for last block ++ ++ and $res1b, $res1b, $ctr0b @ possibly partial last block has zeroes in highest bits ++ bif $res4b, $rk0, $ctr0b @ insert existing bytes in top end of result before storing ++ ++ rev64 $res0b, $res1b @ GHASH final block ++ ++ st1 { $res4b}, [$output_ptr] @ store all 16B ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $t0.d[0], $res0.d[1] @ GHASH final block - mid ++ pmull $rk3q1, $res0.1d, $h1.1d @ GHASH final block - low ++ ++ eor $t0.8b, $t0.8b, $res0.8b @ GHASH final block - mid ++ pmull2 $rk2q1, $res0.2d, $h1.2d @ GHASH final block - high ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final block - low ++ ++ pmull $t0.1q, $t0.1d, $h12k.1d @ GHASH final block - mid ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final block - high ++ ++ eor $t10.16b, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up ++ eor $acc_mb, $acc_mb, $t0.16b @ GHASH final block - mid ++ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant ++ ++ pmull $t11.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid ++ ext $acc_hb, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment ++ ++ eor $acc_mb, $acc_mb, $t10.16b @ MODULO - karatsuba tidy up ++ ++ eor3 $acc_mb, $acc_mb, $acc_hb, $t11.16b @ MODULO - fold into mid ++ ++ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low ++ ext $acc_mb, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment ++ ++ eor3 $acc_lb, $acc_lb, $acc_mb, $acc_hb @ MODULO - fold into low ++ ext $acc_lb, $acc_lb, $acc_lb, #8 ++ rev64 $acc_lb, $acc_lb ++ st1 { $acc_l.16b }, [$current_tag] ++ ++ ldp d10, d11, [sp, #16] ++ ldp d12, d13, [sp, #32] ++ ldp d14, d15, [sp, #48] ++ ldp d8, d9, [sp], #80 ++ ret ++ ++.L192_dec_ret: ++ mov w0, #0x0 ++ ret ++.size unroll8_eor3_aes_gcm_dec_192_kernel,.-unroll8_eor3_aes_gcm_dec_192_kernel ++___ ++} ++ ++{ ++ ++my ($end_input_ptr,$main_end_input_ptr,$temp0_x,$temp1_x)=map("x$_",(4..7)); ++my ($temp2_x,$temp3_x)=map("x$_",(13..14)); ++my ($ctr0b,$ctr1b,$ctr2b,$ctr3b,$ctr4b,$ctr5b,$ctr6b,$ctr7b,$res0b,$res1b,$res2b,$res3b,$res4b,$res5b,$res6b,$res7b)=map("v$_.16b",(0..15)); ++my ($ctr0,$ctr1,$ctr2,$ctr3,$ctr4,$ctr5,$ctr6,$ctr7,$res0,$res1,$res2,$res3,$res4,$res5,$res6,$res7)=map("v$_",(0..15)); ++my ($ctr0d,$ctr1d,$ctr2d,$ctr3d,$ctr4d,$ctr5d,$ctr6d,$ctr7d)=map("d$_",(0..7)); ++my ($ctr0q,$ctr1q,$ctr2q,$ctr3q,$ctr4q,$ctr5q,$ctr6q,$ctr7q)=map("q$_",(0..7)); ++my ($res0q,$res1q,$res2q,$res3q,$res4q,$res5q,$res6q,$res7q)=map("q$_",(8..15)); ++ ++my ($ctr_t0,$ctr_t1,$ctr_t2,$ctr_t3,$ctr_t4,$ctr_t5,$ctr_t6,$ctr_t7)=map("v$_",(8..15)); ++my ($ctr_t0b,$ctr_t1b,$ctr_t2b,$ctr_t3b,$ctr_t4b,$ctr_t5b,$ctr_t6b,$ctr_t7b)=map("v$_.16b",(8..15)); ++my ($ctr_t0q,$ctr_t1q,$ctr_t2q,$ctr_t3q,$ctr_t4q,$ctr_t5q,$ctr_t6q,$ctr_t7q)=map("q$_",(8..15)); ++ ++my ($acc_hb,$acc_mb,$acc_lb)=map("v$_.16b",(17..19)); ++my ($acc_h,$acc_m,$acc_l)=map("v$_",(17..19)); ++ ++my ($h1,$h12k,$h2,$h3,$h34k,$h4)=map("v$_",(20..25)); ++my ($h5,$h56k,$h6,$h7,$h78k,$h8)=map("v$_",(20..25)); ++my ($h1q,$h12kq,$h2q,$h3q,$h34kq,$h4q)=map("q$_",(20..25)); ++my ($h5q,$h56kq,$h6q,$h7q,$h78kq,$h8q)=map("q$_",(20..25)); ++ ++my $t0="v16"; ++my $t0d="d16"; ++ ++my $t1="v29"; ++my $t2=$res1; ++my $t3=$t1; ++ ++my $t4=$res0; ++my $t5=$res2; ++my $t6=$t0; ++ ++my $t7=$res3; ++my $t8=$res4; ++my $t9=$res5; ++ ++my $t10=$res6; ++my $t11="v21"; ++my $t12=$t1; ++ ++my $rtmp_ctr="v30"; ++my $rtmp_ctrq="q30"; ++my $rctr_inc="v31"; ++my $rctr_incd="d31"; ++ ++my $mod_constantd=$t0d; ++my $mod_constant=$t0; ++ ++my ($rk0,$rk1,$rk2)=map("v$_.16b",(26..28)); ++my ($rk3,$rk4,$rk5)=map("v$_.16b",(26..28)); ++my ($rk6,$rk7,$rk8)=map("v$_.16b",(26..28)); ++my ($rk9,$rk10,$rk11)=map("v$_.16b",(26..28)); ++my ($rk12,$rk13,$rk14)=map("v$_.16b",(26..28)); ++my ($rk0q,$rk1q,$rk2q)=map("q$_",(26..28)); ++my ($rk3q,$rk4q,$rk5q)=map("q$_",(26..28)); ++my ($rk6q,$rk7q,$rk8q)=map("q$_",(26..28)); ++my ($rk9q,$rk10q,$rk11q)=map("q$_",(26..28)); ++my ($rk12q,$rk13q,$rk14q)=map("q$_",(26..28)); ++my $rk2q1="v28.1q"; ++my $rk3q1="v26.1q"; ++my $rk4v="v27"; ++######################################################################################### ++# size_t unroll8_eor3_aes_gcm_enc_256_kernel(const unsigned char *in, ++# size_t len, ++# unsigned char *out, ++# const void *key, ++# unsigned char ivec[16], ++# u64 *Xi); ++# ++$code.=<<___; ++.global unroll8_eor3_aes_gcm_enc_256_kernel ++.type unroll8_eor3_aes_gcm_enc_256_kernel,%function ++.align 4 ++unroll8_eor3_aes_gcm_enc_256_kernel: ++ AARCH64_VALID_CALL_TARGET ++ cbz x1, .L256_enc_ret ++ stp d8, d9, [sp, #-80]! ++ mov $counter, x4 ++ mov $cc, x5 ++ stp d10, d11, [sp, #16] ++ stp d12, d13, [sp, #32] ++ stp d14, d15, [sp, #48] ++ mov x5, #0xc200000000000000 ++ stp x5, xzr, [sp, #64] ++ add $modulo_constant, sp, #64 ++ ++ ld1 { $ctr0b}, [$counter] @ CTR block 0 ++ ++ lsr $main_end_input_ptr, $bit_length, #3 @ byte_len ++ ++ mov $constant_temp, #0x100000000 @ set up counter increment ++ movi $rctr_inc.16b, #0x0 ++ mov $rctr_inc.d[1], $constant_temp ++ sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1 ++ ++ and $main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffff80 @ number of bytes to be processed in main loop (at least 1 byte must be handled by tail) ++ ++ add $main_end_input_ptr, $main_end_input_ptr, $input_ptr ++ ++ rev32 $rtmp_ctr.16b, $ctr0.16b @ set up reversed counter ++ ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 0 ++ ++ rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 1 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 1 ++ ++ rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 2 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 2 ++ ++ rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 3 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 3 ++ ++ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 4 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 4 ++ ++ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 5 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 5 ++ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 ++ ++ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 6 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 6 ++ ++ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 7 ++ ++ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 ++ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 0 ++ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 ++ ++ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0 ++ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 ++ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 0 ++ ++ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 0 ++ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 0 ++ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 ++ ++ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 1 ++ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 ++ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 ++ ++ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 1 ++ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 1 ++ ++ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 ++ ++ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 1 ++ ++ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 ++ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 ++ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 1 ++ ++ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 2 ++ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 2 ++ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 2 ++ ++ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 2 ++ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 ++ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2 ++ ++ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 3 ++ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 3 ++ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 ++ ++ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 3 ++ ++ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 3 ++ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 3 ++ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 3 ++ ++ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3 ++ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 3 ++ ++ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 4 ++ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 4 ++ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 4 ++ ++ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 4 ++ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 4 ++ ++ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 4 ++ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 4 ++ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 4 ++ ++ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 5 ++ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 5 ++ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 ++ ++ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 5 ++ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 5 ++ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 5 ++ ++ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 5 ++ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 5 ++ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 5 ++ ++ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 6 ++ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 6 ++ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 6 ++ ++ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 6 ++ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 6 ++ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 6 ++ ++ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 6 ++ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 6 ++ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 ++ ++ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 7 ++ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 7 ++ ++ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 7 ++ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 7 ++ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 7 ++ ++ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 7 ++ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 7 ++ ++ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 7 ++ ++ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 8 ++ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 8 ++ ++ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 8 ++ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 8 ++ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 8 ++ ++ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 8 ++ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 8 ++ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 8 ++ ++ ld1 { $acc_lb}, [$current_tag] ++ ext $acc_lb, $acc_lb, $acc_lb, #8 ++ rev64 $acc_lb, $acc_lb ++ ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11 ++ ++ aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 9 ++ aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 9 ++ aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 9 ++ ++ aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 9 ++ aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 9 ++ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 9 ++ ++ aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 9 ++ ++ aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 10 ++ aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 10 ++ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 9 ++ ++ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 10 ++ aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 10 ++ aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 10 ++ ++ aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 10 ++ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 10 ++ aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 10 ++ ++ aese $ctr4b, $rk11 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 11 ++ ldp $rk12q, $rk13q, [$cc, #192] @ load rk12, rk13 ++ aese $ctr5b, $rk11 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 11 ++ ++ aese $ctr2b, $rk11 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 11 ++ aese $ctr6b, $rk11 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 11 ++ aese $ctr1b, $rk11 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 11 ++ ++ aese $ctr0b, $rk11 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 11 ++ aese $ctr3b, $rk11 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 11 ++ aese $ctr7b, $rk11 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 11 ++ ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 7 ++ ldr $rk14q, [$cc, #224] @ load rk14 ++ ++ aese $ctr4b, $rk12 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 12 ++ aese $ctr2b, $rk12 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 12 ++ aese $ctr1b, $rk12 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 12 ++ ++ aese $ctr0b, $rk12 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 12 ++ aese $ctr5b, $rk12 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 12 ++ aese $ctr3b, $rk12 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 12 ++ ++ aese $ctr2b, $rk13 @ AES block 2 - round 13 ++ aese $ctr1b, $rk13 @ AES block 1 - round 13 ++ aese $ctr4b, $rk13 @ AES block 4 - round 13 ++ ++ aese $ctr6b, $rk12 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 12 ++ aese $ctr7b, $rk12 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 12 ++ ++ aese $ctr0b, $rk13 @ AES block 0 - round 13 ++ aese $ctr5b, $rk13 @ AES block 5 - round 13 ++ ++ aese $ctr6b, $rk13 @ AES block 6 - round 13 ++ aese $ctr7b, $rk13 @ AES block 7 - round 13 ++ aese $ctr3b, $rk13 @ AES block 3 - round 13 ++ ++ add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr ++ cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks ++ b.ge .L256_enc_tail @ handle tail ++ ++ ldp $ctr_t0q, $ctr_t1q, [$input_ptr], #32 @ AES block 0, 1 - load plaintext ++ ++ ldp $ctr_t2q, $ctr_t3q, [$input_ptr], #32 @ AES block 2, 3 - load plaintext ++ ++ eor3 $res0b, $ctr_t0b, $ctr0b, $rk14 @ AES block 0 - result ++ rev32 $ctr0.16b, $rtmp_ctr.16b @ CTR block 8 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8 ++ ++ eor3 $res1b, $ctr_t1b, $ctr1b, $rk14 @ AES block 1 - result ++ eor3 $res3b, $ctr_t3b, $ctr3b, $rk14 @ AES block 3 - result ++ ++ rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 9 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 9 ++ ldp $ctr_t4q, $ctr_t5q, [$input_ptr], #32 @ AES block 4, 5 - load plaintext ++ ++ ldp $ctr_t6q, $ctr_t7q, [$input_ptr], #32 @ AES block 6, 7 - load plaintext ++ eor3 $res2b, $ctr_t2b, $ctr2b, $rk14 @ AES block 2 - result ++ cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks ++ ++ rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 10 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 10 ++ stp $res0q, $res1q, [$output_ptr], #32 @ AES block 0, 1 - store result ++ ++ stp $res2q, $res3q, [$output_ptr], #32 @ AES block 2, 3 - store result ++ ++ rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 11 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 11 ++ ++ eor3 $res4b, $ctr_t4b, $ctr4b, $rk14 @ AES block 4 - result ++ ++ eor3 $res7b, $ctr_t7b, $ctr7b, $rk14 @ AES block 7 - result ++ eor3 $res6b, $ctr_t6b, $ctr6b, $rk14 @ AES block 6 - result ++ eor3 $res5b, $ctr_t5b, $ctr5b, $rk14 @ AES block 5 - result ++ ++ stp $res4q, $res5q, [$output_ptr], #32 @ AES block 4, 5 - store result ++ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 12 ++ ++ stp $res6q, $res7q, [$output_ptr], #32 @ AES block 6, 7 - store result ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 12 ++ b.ge .L256_enc_prepretail @ do prepretail ++ ++.L256_enc_main_loop: @ main loop start ++ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 ++ ++ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13 ++ ldr $h56kq, [$current_tag, #144] @ load h6k | h5k ++ ldr $h78kq, [$current_tag, #192] @ load h8k | h7k ++ ++ rev64 $res3b, $res3b @ GHASH block 8k+3 ++ ldr $h5q, [$current_tag, #128] @ load h5l | h5h ++ ext $h5.16b, $h5.16b, $h5.16b, #8 ++ ldr $h6q, [$current_tag, #160] @ load h6l | h6h ++ ext $h6.16b, $h6.16b, $h6.16b, #8 ++ rev64 $res1b, $res1b @ GHASH block 8k+1 ++ ++ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14 ++ rev64 $res0b, $res0b @ GHASH block 8k ++ ++ rev64 $res4b, $res4b @ GHASH block 8k+4 ++ ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0 ++ ldr $h7q, [$current_tag, #176] @ load h7l | h7h ++ ext $h7.16b, $h7.16b, $h7.16b, #8 ++ ldr $h8q, [$current_tag, #208] @ load h8l | h8h ++ ext $h8.16b, $h8.16b, $h8.16b, #8 ++ ++ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0 ++ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0 ++ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15 ++ ++ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0 ++ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0 ++ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0 ++ ++ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0 ++ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0 ++ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0 ++ ++ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 ++ eor $res0b, $res0b, $acc_lb @ PRE 1 ++ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1 ++ ++ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1 ++ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1 ++ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1 ++ ++ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1 ++ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1 ++ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1 ++ ++ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high ++ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low ++ pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high ++ ++ trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1 ++ ++ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2 ++ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2 ++ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2 ++ ++ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2 ++ pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low ++ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2 ++ ++ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3 ++ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3 ++ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2 ++ ++ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3 ++ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2 ++ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2 ++ ++ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3 ++ rev64 $res6b, $res6b @ GHASH block 8k+6 ++ pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high ++ ++ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3 ++ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 ++ rev64 $res2b, $res2b @ GHASH block 8k+2 ++ ++ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3 ++ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3 ++ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3 ++ ++ eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high ++ pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high ++ rev64 $res5b, $res5b @ GHASH block 8k+5 ++ ++ pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low ++ eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low ++ ldr $h3q, [$current_tag, #80] @ load h3l | h3h ++ ext $h3.16b, $h3.16b, $h3.16b, #8 ++ ldr $h4q, [$current_tag, #112] @ load h4l | h4h ++ ext $h4.16b, $h4.16b, $h4.16b, #8 ++ ++ trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high ++ pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low ++ ++ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4 ++ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4 ++ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4 ++ ++ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4 ++ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4 ++ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4 ++ ++ trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4 ++ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4 ++ ++ trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid ++ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 ++ ++ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5 ++ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5 ++ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5 ++ ++ eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5 ++ rev64 $res7b, $res7b @ GHASH block 8k+7 ++ ++ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5 ++ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5 ++ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5 ++ ++ pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid ++ pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid ++ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5 ++ ++ pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid ++ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6 ++ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6 ++ ++ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6 ++ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6 ++ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6 ++ ++ eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid ++ pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid ++ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6 ++ ++ eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low ++ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6 ++ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6 ++ ++ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 ++ pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high ++ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7 ++ ++ ldr $h1q, [$current_tag, #32] @ load h1l | h1h ++ ext $h1.16b, $h1.16b, $h1.16b, #8 ++ ldr $h2q, [$current_tag, #64] @ load h1l | h1h ++ ext $h2.16b, $h2.16b, $h2.16b, #8 ++ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7 ++ eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7 ++ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7 ++ ++ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7 ++ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7 ++ pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low ++ ++ trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7 ++ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7 ++ ++ pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high ++ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 ++ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 ++ ++ pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low ++ trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ ++ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 ++ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 9 ++ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 ++ ++ pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid ++ pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid ++ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 ++ ++ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 ++ pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high ++ pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low ++ ++ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 ++ trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 ++ ++ eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 9 ++ aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 9 ++ ++ eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 9 ++ aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 9 ++ ++ ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11 ++ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 9 ++ aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 9 ++ ++ pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high ++ eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low ++ pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low ++ ++ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant ++ pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid ++ pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid ++ ++ aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 9 ++ ++ eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low ++ eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high ++ ++ aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 10 ++ aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 10 ++ aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 10 ++ ++ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 10 ++ aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 10 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15 ++ ++ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 10 ++ aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 10 ++ aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 10 ++ ++ eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high ++ ++ ldp $rk12q, $rk13q, [$cc, #192] @ load rk12, rk13 ++ rev32 $h1.16b, $rtmp_ctr.16b @ CTR block 8k+16 ++ ++ ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment ++ ldp $ctr_t0q, $ctr_t1q, [$input_ptr], #32 @ AES block 8k+8, 8k+9 - load plaintext ++ aese $ctr2b, $rk11 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 11 ++ ++ aese $ctr6b, $rk11 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 11 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+16 ++ aese $ctr3b, $rk11 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 11 ++ ++ aese $ctr0b, $rk11 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 11 ++ aese $ctr7b, $rk11 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 11 ++ ++ pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid ++ aese $ctr1b, $rk11 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 11 ++ ++ aese $ctr7b, $rk12 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 12 ++ aese $ctr5b, $rk11 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 11 ++ ++ aese $ctr3b, $rk12 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 12 ++ aese $ctr6b, $rk12 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 12 ++ rev32 $h2.16b, $rtmp_ctr.16b @ CTR block 8k+17 ++ ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+17 ++ aese $ctr4b, $rk11 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 11 ++ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up ++ ++ aese $ctr5b, $rk12 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 12 ++ ldr $rk14q, [$cc, #224] @ load rk14 ++ aese $ctr7b, $rk13 @ AES block 8k+15 - round 13 ++ ++ ldp $ctr_t2q, $ctr_t3q, [$input_ptr], #32 @ AES block 8k+10, 8k+11 - load plaintext ++ aese $ctr2b, $rk12 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 12 ++ aese $ctr4b, $rk12 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 12 ++ ++ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid ++ aese $ctr1b, $rk12 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 12 ++ ldp $ctr_t4q, $ctr_t5q, [$input_ptr], #32 @ AES block 4, 5 - load plaintext ++ ++ ldp $ctr_t6q, $ctr_t7q, [$input_ptr], #32 @ AES block 6, 7 - load plaintext ++ aese $ctr2b, $rk13 @ AES block 8k+10 - round 13 ++ aese $ctr4b, $rk13 @ AES block 8k+12 - round 13 ++ ++ rev32 $h3.16b, $rtmp_ctr.16b @ CTR block 8k+18 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+18 ++ aese $ctr5b, $rk13 @ AES block 8k+13 - round 13 ++ ++ aese $ctr0b, $rk12 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 12 ++ aese $ctr3b, $rk13 @ AES block 8k+11 - round 13 ++ cmp $input_ptr, $main_end_input_ptr @ LOOP CONTROL ++ ++ eor3 $res2b, $ctr_t2b, $ctr2b, $rk14 @ AES block 8k+10 - result ++ rev32 $h4.16b, $rtmp_ctr.16b @ CTR block 8k+19 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+19 ++ ++ aese $ctr0b, $rk13 @ AES block 8k+8 - round 13 ++ aese $ctr6b, $rk13 @ AES block 8k+14 - round 13 ++ eor3 $res5b, $ctr_t5b, $ctr5b, $rk14 @ AES block 5 - result ++ ++ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment ++ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low ++ aese $ctr1b, $rk13 @ AES block 8k+9 - round 13 ++ ++ eor3 $res4b, $ctr_t4b, $ctr4b, $rk14 @ AES block 4 - result ++ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 8k+20 ++ eor3 $res3b, $ctr_t3b, $ctr3b, $rk14 @ AES block 8k+11 - result ++ ++ mov $ctr3.16b, $h4.16b @ CTR block 8k+19 ++ eor3 $res1b, $ctr_t1b, $ctr1b, $rk14 @ AES block 8k+9 - result ++ eor3 $res0b, $ctr_t0b, $ctr0b, $rk14 @ AES block 8k+8 - result ++ ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+20 ++ stp $res0q, $res1q, [$output_ptr], #32 @ AES block 8k+8, 8k+9 - store result ++ mov $ctr2.16b, $h3.16b @ CTR block 8k+18 ++ ++ eor3 $res7b, $ctr_t7b, $ctr7b, $rk14 @ AES block 7 - result ++ eor3 $acc_lb, $acc_lb, $t11.16b, $acc_hb @ MODULO - fold into low ++ stp $res2q, $res3q, [$output_ptr], #32 @ AES block 8k+10, 8k+11 - store result ++ ++ eor3 $res6b, $ctr_t6b, $ctr6b, $rk14 @ AES block 6 - result ++ mov $ctr1.16b, $h2.16b @ CTR block 8k+17 ++ stp $res4q, $res5q, [$output_ptr], #32 @ AES block 4, 5 - store result ++ ++ stp $res6q, $res7q, [$output_ptr], #32 @ AES block 6, 7 - store result ++ mov $ctr0.16b, $h1.16b @ CTR block 8k+16 ++ b.lt .L256_enc_main_loop ++ ++.L256_enc_prepretail: @ PREPRETAIL ++ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13 ++ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13 ++ ++ rev64 $res2b, $res2b @ GHASH block 8k+2 ++ ++ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14 ++ ++ rev64 $res5b, $res5b @ GHASH block 8k+5 ++ ldr $h56kq, [$current_tag, #144] @ load h6k | h5k ++ ldr $h78kq, [$current_tag, #192] @ load h8k | h7k ++ ++ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15 ++ ++ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0 ++ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0 ++ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0 ++ ++ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0 ++ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0 ++ ++ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0 ++ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0 ++ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0 ++ ++ ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0 ++ rev64 $res0b, $res0b @ GHASH block 8k ++ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1 ++ ++ rev64 $res1b, $res1b @ GHASH block 8k+1 ++ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 ++ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1 ++ ++ ldr $h7q, [$current_tag, #176] @ load h7l | h7h ++ ext $h7.16b, $h7.16b, $h7.16b, #8 ++ ldr $h8q, [$current_tag, #208] @ load h8l | h8h ++ ext $h8.16b, $h8.16b, $h8.16b, #8 ++ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1 ++ ++ ldr $h5q, [$current_tag, #128] @ load h5l | h5h ++ ext $h5.16b, $h5.16b, $h5.16b, #8 ++ ldr $h6q, [$current_tag, #160] @ load h6l | h6h ++ ext $h6.16b, $h6.16b, $h6.16b, #8 ++ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1 ++ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1 ++ ++ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1 ++ eor $res0b, $res0b, $acc_lb @ PRE 1 ++ ++ rev64 $res3b, $res3b @ GHASH block 8k+3 ++ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1 ++ ++ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2 ++ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2 ++ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1 ++ ++ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2 ++ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2 ++ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2 ++ ++ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2 ++ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2 ++ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2 ++ ++ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 ++ trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high ++ ++ rev64 $res6b, $res6b @ GHASH block 8k+6 ++ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3 ++ pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high ++ ++ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3 ++ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low ++ trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ ++ pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high ++ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3 ++ ++ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3 ++ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3 ++ eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high ++ ++ pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low ++ pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high ++ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3 ++ ++ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3 ++ eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid ++ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3 ++ ++ pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low ++ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4 ++ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4 ++ ++ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4 ++ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4 ++ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4 ++ ++ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5 ++ pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid ++ eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high ++ ++ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4 ++ trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ ++ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4 ++ eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low ++ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4 ++ ++ pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low ++ pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid ++ eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ ++ rev64 $res4b, $res4b @ GHASH block 8k+4 ++ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5 ++ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5 ++ ++ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5 ++ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5 ++ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 ++ ++ ldr $h3q, [$current_tag, #80] @ load h3l | h3h ++ ext $h3.16b, $h3.16b, $h3.16b, #8 ++ ldr $h4q, [$current_tag, #112] @ load h4l | h4h ++ ext $h4.16b, $h4.16b, $h4.16b, #8 ++ pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid ++ pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid ++ ++ eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low ++ eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid ++ ++ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5 ++ rev64 $res7b, $res7b @ GHASH block 8k+7 ++ trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ ++ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5 ++ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5 ++ eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ ++ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6 ++ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6 ++ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6 ++ ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6 ++ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6 ++ ++ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6 ++ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6 ++ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6 ++ ++ pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high ++ pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low ++ ldr $h1q, [$current_tag, #32] @ load h1l | h1h ++ ext $h1.16b, $h1.16b, $h1.16b, #8 ++ ldr $h2q, [$current_tag, #64] @ load h1l | h1h ++ ext $h2.16b, $h2.16b, $h2.16b, #8 ++ ++ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 ++ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7 ++ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7 ++ ++ pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high ++ trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ ++ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7 ++ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7 ++ pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low ++ ++ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7 ++ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7 ++ eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ ++ pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high ++ pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low ++ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7 ++ ++ trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7 ++ ++ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 ++ eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low ++ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 ++ ++ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 ++ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 ++ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 ++ ++ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 ++ eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 ++ ++ pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid ++ pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid ++ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 ++ ++ pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high ++ pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid ++ pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid ++ ++ pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low ++ eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high ++ ++ ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11 ++ aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 9 ++ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 9 ++ ++ eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high ++ eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant ++ ++ eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low ++ ++ aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 9 ++ aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 9 ++ aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 9 ++ ++ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 9 ++ aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 9 ++ ++ aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 10 ++ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 10 ++ aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 9 ++ ++ aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 10 ++ aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 10 ++ aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 10 ++ ++ aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 10 ++ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 10 ++ aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 10 ++ ++ pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid ++ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up ++ aese $ctr7b, $rk11 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 11 ++ ++ ldp $rk12q, $rk13q, [$cc, #192] @ load rk12, rk13 ++ ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment ++ aese $ctr2b, $rk11 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 11 ++ ++ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid ++ aese $ctr1b, $rk11 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 11 ++ aese $ctr6b, $rk11 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 11 ++ ++ aese $ctr0b, $rk11 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 11 ++ aese $ctr4b, $rk11 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 11 ++ aese $ctr5b, $rk11 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 11 ++ ++ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low ++ aese $ctr3b, $rk11 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 11 ++ ldr $rk14q, [$cc, #224] @ load rk14 ++ ++ aese $ctr1b, $rk12 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 12 ++ aese $ctr2b, $rk12 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 12 ++ aese $ctr0b, $rk12 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 12 ++ ++ aese $ctr6b, $rk12 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 12 ++ aese $ctr5b, $rk12 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 12 ++ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment ++ ++ aese $ctr4b, $rk12 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 12 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15 ++ ++ aese $ctr3b, $rk12 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 12 ++ aese $ctr7b, $rk12 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 12 ++ aese $ctr0b, $rk13 @ AES block 8k+8 - round 13 ++ ++ eor3 $acc_lb, $acc_lb, $t11.16b, $acc_hb @ MODULO - fold into low ++ aese $ctr5b, $rk13 @ AES block 8k+13 - round 13 ++ aese $ctr1b, $rk13 @ AES block 8k+9 - round 13 ++ ++ aese $ctr3b, $rk13 @ AES block 8k+11 - round 13 ++ aese $ctr4b, $rk13 @ AES block 8k+12 - round 13 ++ aese $ctr7b, $rk13 @ AES block 8k+15 - round 13 ++ ++ aese $ctr2b, $rk13 @ AES block 8k+10 - round 13 ++ aese $ctr6b, $rk13 @ AES block 8k+14 - round 13 ++.L256_enc_tail: @ TAIL ++ ++ ldp $h78kq, $h8q, [$current_tag, #192] @ load h8l | h8h ++ ext $h8.16b, $h8.16b, $h8.16b, #8 ++ sub $main_end_input_ptr, $end_input_ptr, $input_ptr @ main_end_input_ptr is number of bytes left to process ++ ++ ldr $ctr_t0q, [$input_ptr], #16 @ AES block 8k+8 - load plaintext ++ ++ ldp $h5q, $h56kq, [$current_tag, #128] @ load h5l | h5h ++ ext $h5.16b, $h5.16b, $h5.16b, #8 ++ ++ ext $t0.16b, $acc_lb, $acc_lb, #8 @ prepare final partial tag ++ ldp $h6q, $h7q, [$current_tag, #160] @ load h6l | h6h ++ ext $h6.16b, $h6.16b, $h6.16b, #8 ++ ext $h7.16b, $h7.16b, $h7.16b, #8 ++ mov $t1.16b, $rk14 ++ ++ cmp $main_end_input_ptr, #112 ++ eor3 $res1b, $ctr_t0b, $ctr0b, $t1.16b @ AES block 8k+8 - result ++ b.gt .L256_enc_blocks_more_than_7 ++ ++ movi $acc_l.8b, #0 ++ mov $ctr7b, $ctr6b ++ movi $acc_h.8b, #0 ++ ++ mov $ctr6b, $ctr5b ++ mov $ctr5b, $ctr4b ++ mov $ctr4b, $ctr3b ++ ++ mov $ctr3b, $ctr2b ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ mov $ctr2b, $ctr1b ++ ++ movi $acc_m.8b, #0 ++ cmp $main_end_input_ptr, #96 ++ b.gt .L256_enc_blocks_more_than_6 ++ ++ mov $ctr7b, $ctr6b ++ mov $ctr6b, $ctr5b ++ cmp $main_end_input_ptr, #80 ++ ++ mov $ctr5b, $ctr4b ++ mov $ctr4b, $ctr3b ++ mov $ctr3b, $ctr1b ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ b.gt .L256_enc_blocks_more_than_5 ++ ++ mov $ctr7b, $ctr6b ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ ++ mov $ctr6b, $ctr5b ++ mov $ctr5b, $ctr4b ++ ++ cmp $main_end_input_ptr, #64 ++ mov $ctr4b, $ctr1b ++ b.gt .L256_enc_blocks_more_than_4 ++ ++ cmp $main_end_input_ptr, #48 ++ mov $ctr7b, $ctr6b ++ mov $ctr6b, $ctr5b ++ ++ mov $ctr5b, $ctr1b ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ b.gt .L256_enc_blocks_more_than_3 ++ ++ cmp $main_end_input_ptr, #32 ++ mov $ctr7b, $ctr6b ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ ++ mov $ctr6b, $ctr1b ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ b.gt .L256_enc_blocks_more_than_2 ++ ++ mov $ctr7b, $ctr1b ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ cmp $main_end_input_ptr, #16 ++ b.gt .L256_enc_blocks_more_than_1 ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ b .L256_enc_blocks_less_than_1 ++.L256_enc_blocks_more_than_7: @ blocks left > 7 ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-7 block - store result ++ ++ rev64 $res0b, $res1b @ GHASH final-7 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-6 block - load plaintext ++ ++ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH final-7 block - high ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-7 block - mid ++ ins $acc_m.d[0], $h78k.d[1] @ GHASH final-7 block - mid ++ ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-7 block - mid ++ eor3 $res1b, $ctr_t1b, $ctr1b, $t1.16b @ AES final-6 block - result ++ ++ pmull $acc_m.1q, $rk4v.1d, $acc_m.1d @ GHASH final-7 block - mid ++ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH final-7 block - low ++.L256_enc_blocks_more_than_6: @ blocks left > 6 ++ ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-6 block - store result ++ ++ rev64 $res0b, $res1b @ GHASH final-6 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ pmull $rk3q1, $res0.1d, $h7.1d @ GHASH final-6 block - low ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-6 block - mid ++ pmull2 $rk2q1, $res0.2d, $h7.2d @ GHASH final-6 block - high ++ ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-5 block - load plaintext ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-6 block - low ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-6 block - mid ++ ++ pmull $rk4v.1q, $rk4v.1d, $h78k.1d @ GHASH final-6 block - mid ++ eor3 $res1b, $ctr_t1b, $ctr2b, $t1.16b @ AES final-5 block - result ++ ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-6 block - mid ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-6 block - high ++.L256_enc_blocks_more_than_5: @ blocks left > 5 ++ ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-5 block - store result ++ ++ rev64 $res0b, $res1b @ GHASH final-5 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-5 block - mid ++ ++ pmull2 $rk2q1, $res0.2d, $h6.2d @ GHASH final-5 block - high ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-5 block - high ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-5 block - mid ++ ++ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-5 block - mid ++ ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-4 block - load plaintext ++ pmull $rk3q1, $res0.1d, $h6.1d @ GHASH final-5 block - low ++ ++ pmull2 $rk4v.1q, $rk4v.2d, $h56k.2d @ GHASH final-5 block - mid ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-5 block - low ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-5 block - mid ++ eor3 $res1b, $ctr_t1b, $ctr3b, $t1.16b @ AES final-4 block - result ++.L256_enc_blocks_more_than_4: @ blocks left > 4 ++ ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-4 block - store result ++ ++ rev64 $res0b, $res1b @ GHASH final-4 block ++ ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-3 block - load plaintext ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-4 block - mid ++ pmull2 $rk2q1, $res0.2d, $h5.2d @ GHASH final-4 block - high ++ ++ eor3 $res1b, $ctr_t1b, $ctr4b, $t1.16b @ AES final-3 block - result ++ pmull $rk3q1, $res0.1d, $h5.1d @ GHASH final-4 block - low ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-4 block - mid ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-4 block - low ++ ++ pmull $rk4v.1q, $rk4v.1d, $h56k.1d @ GHASH final-4 block - mid ++ ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-4 block - mid ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-4 block - high ++.L256_enc_blocks_more_than_3: @ blocks left > 3 ++ ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-3 block - store result ++ ++ ldr $h4q, [$current_tag, #112] @ load h4l | h4h ++ ext $h4.16b, $h4.16b, $h4.16b, #8 ++ rev64 $res0b, $res1b @ GHASH final-3 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-3 block - mid ++ pmull2 $rk2q1, $res0.2d, $h4.2d @ GHASH final-3 block - high ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-3 block - high ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-3 block - mid ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ ++ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-3 block - mid ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-2 block - load plaintext ++ ++ pmull2 $rk4v.1q, $rk4v.2d, $h34k.2d @ GHASH final-3 block - mid ++ pmull $rk3q1, $res0.1d, $h4.1d @ GHASH final-3 block - low ++ ++ eor3 $res1b, $ctr_t1b, $ctr5b, $t1.16b @ AES final-2 block - result ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-3 block - mid ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-3 block - low ++.L256_enc_blocks_more_than_2: @ blocks left > 2 ++ ++ ldr $h3q, [$current_tag, #80] @ load h3l | h3h ++ ext $h3.16b, $h3.16b, $h3.16b, #8 ++ ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-2 block - store result ++ ++ rev64 $res0b, $res1b @ GHASH final-2 block ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final-1 block - load plaintext ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-2 block - mid ++ ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ pmull2 $rk2q1, $res0.2d, $h3.2d @ GHASH final-2 block - high ++ eor3 $res1b, $ctr_t1b, $ctr6b, $t1.16b @ AES final-1 block - result ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-2 block - mid ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-2 block - high ++ ++ pmull $rk4v.1q, $rk4v.1d, $h34k.1d @ GHASH final-2 block - mid ++ pmull $rk3q1, $res0.1d, $h3.1d @ GHASH final-2 block - low ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-2 block - mid ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-2 block - low ++.L256_enc_blocks_more_than_1: @ blocks left > 1 ++ ++ st1 { $res1b}, [$output_ptr], #16 @ AES final-1 block - store result ++ ++ ldr $h2q, [$current_tag, #64] @ load h1l | h1h ++ ext $h2.16b, $h2.16b, $h2.16b, #8 ++ rev64 $res0b, $res1b @ GHASH final-1 block ++ ldr $ctr_t1q, [$input_ptr], #16 @ AES final block - load plaintext ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-1 block - mid ++ pmull2 $rk2q1, $res0.2d, $h2.2d @ GHASH final-1 block - high ++ ++ eor3 $res1b, $ctr_t1b, $ctr7b, $t1.16b @ AES final block - result ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-1 block - high ++ ++ pmull $rk3q1, $res0.1d, $h2.1d @ GHASH final-1 block - low ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-1 block - mid ++ ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-1 block - low ++ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-1 block - mid ++ ++ pmull2 $rk4v.1q, $rk4v.2d, $h12k.2d @ GHASH final-1 block - mid ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-1 block - mid ++.L256_enc_blocks_less_than_1: @ blocks left <= 1 ++ ++ and $bit_length, $bit_length, #127 @ bit_length %= 128 ++ ++ sub $bit_length, $bit_length, #128 @ bit_length -= 128 ++ ++ neg $bit_length, $bit_length @ bit_length = 128 - #bits in input (in range [1,128]) ++ ++ mvn $temp0_x, xzr @ temp0_x = 0xffffffffffffffff ++ and $bit_length, $bit_length, #127 @ bit_length %= 128 ++ ++ lsr $temp0_x, $temp0_x, $bit_length @ temp0_x is mask for top 64b of last block ++ cmp $bit_length, #64 ++ mvn $temp1_x, xzr @ temp1_x = 0xffffffffffffffff ++ ++ csel $temp3_x, $temp0_x, xzr, lt ++ csel $temp2_x, $temp1_x, $temp0_x, lt ++ ++ mov $ctr0.d[0], $temp2_x @ ctr0b is mask for last block ++ ldr $h1q, [$current_tag, #32] @ load h1l | h1h ++ ext $h1.16b, $h1.16b, $h1.16b, #8 ++ ++ ld1 { $rk0}, [$output_ptr] @ load existing bytes where the possibly partial last block is to be stored ++ mov $ctr0.d[1], $temp3_x ++ ++ and $res1b, $res1b, $ctr0b @ possibly partial last block has zeroes in highest bits ++ ++ rev64 $res0b, $res1b @ GHASH final block ++ ++ rev32 $rtmp_ctr.16b, $rtmp_ctr.16b ++ bif $res1b, $rk0, $ctr0b @ insert existing bytes in top end of result before storing ++ str $rtmp_ctrq, [$counter] @ store the updated counter ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ st1 { $res1b}, [$output_ptr] @ store all 16B ++ ++ ins $t0.d[0], $res0.d[1] @ GHASH final block - mid ++ pmull2 $rk2q1, $res0.2d, $h1.2d @ GHASH final block - high ++ pmull $rk3q1, $res0.1d, $h1.1d @ GHASH final block - low ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final block - high ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final block - low ++ ++ eor $t0.8b, $t0.8b, $res0.8b @ GHASH final block - mid ++ ++ pmull $t0.1q, $t0.1d, $h12k.1d @ GHASH final block - mid ++ ++ eor $acc_mb, $acc_mb, $t0.16b @ GHASH final block - mid ++ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant ++ ++ ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment ++ ++ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up ++ pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid ++ ++ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid ++ ++ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low ++ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment ++ ++ eor3 $acc_lb, $acc_lb, $acc_hb, $t11.16b @ MODULO - fold into low ++ ext $acc_lb, $acc_lb, $acc_lb, #8 ++ rev64 $acc_lb, $acc_lb ++ st1 { $acc_l.16b }, [$current_tag] ++ lsr x0, $bit_length, #3 @ return sizes ++ ++ ldp d10, d11, [sp, #16] ++ ldp d12, d13, [sp, #32] ++ ldp d14, d15, [sp, #48] ++ ldp d8, d9, [sp], #80 ++ ret ++ ++.L256_enc_ret: ++ mov w0, #0x0 ++ ret ++.size unroll8_eor3_aes_gcm_enc_256_kernel,.-unroll8_eor3_aes_gcm_enc_256_kernel ++___ ++ ++{ ++######################################################################################### ++# size_t unroll8_eor3_aes_gcm_dec_256_kernel(const unsigned char *in, ++# size_t len, ++# unsigned char *out, ++# const void *key, ++# unsigned char ivec[16], ++# u64 *Xi); ++# ++$code.=<<___; ++.global unroll8_eor3_aes_gcm_dec_256_kernel ++.type unroll8_eor3_aes_gcm_dec_256_kernel,%function ++.align 4 ++unroll8_eor3_aes_gcm_dec_256_kernel: ++ AARCH64_VALID_CALL_TARGET ++ cbz x1, .L256_dec_ret ++ stp d8, d9, [sp, #-80]! ++ mov $counter, x4 ++ mov $cc, x5 ++ stp d10, d11, [sp, #16] ++ stp d12, d13, [sp, #32] ++ stp d14, d15, [sp, #48] ++ mov x5, #0xc200000000000000 ++ stp x5, xzr, [sp, #64] ++ add $modulo_constant, sp, #64 ++ ++ ld1 { $ctr0b}, [$counter] @ CTR block 0 ++ ++ mov $constant_temp, #0x100000000 @ set up counter increment ++ movi $rctr_inc.16b, #0x0 ++ mov $rctr_inc.d[1], $constant_temp ++ lsr $main_end_input_ptr, $bit_length, #3 @ byte_len ++ ++ sub $main_end_input_ptr, $main_end_input_ptr, #1 @ byte_len - 1 ++ ++ rev32 $rtmp_ctr.16b, $ctr0.16b @ set up reversed counter ++ ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 0 ++ ++ rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 1 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 1 ++ ++ rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 2 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 2 ++ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 ++ ++ rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 3 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 3 ++ ++ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 4 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 4 ++ ++ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 0 ++ ++ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 5 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 5 ++ ++ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 0 ++ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 0 ++ ++ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 6 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 6 ++ ++ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 7 ++ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 0 ++ ++ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 0 ++ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 0 ++ ++ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 0 ++ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 0 ++ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 ++ ++ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 1 ++ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 1 ++ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 1 ++ ++ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 1 ++ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 1 ++ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 1 ++ ++ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 1 ++ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 1 ++ ++ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 2 ++ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 2 ++ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 2 ++ ++ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 2 ++ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 2 ++ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 2 ++ ++ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 2 ++ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 2 ++ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 ++ ++ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 3 ++ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 3 ++ ++ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 3 ++ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 3 ++ ++ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 3 ++ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 3 ++ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 3 ++ ++ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 3 ++ ++ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 4 ++ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 4 ++ ++ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 4 ++ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 4 ++ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 4 ++ ++ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 4 ++ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 4 ++ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 4 ++ ++ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 5 ++ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 5 ++ ++ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 ++ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 5 ++ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 5 ++ ++ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 5 ++ ++ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 5 ++ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 5 ++ ++ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 5 ++ ++ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 6 ++ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 6 ++ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 6 ++ ++ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 6 ++ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 6 ++ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 6 ++ ++ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 6 ++ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 6 ++ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 ++ ++ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 7 ++ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 7 ++ ++ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 7 ++ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 7 ++ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 7 ++ ++ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 7 ++ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 7 ++ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 7 ++ ++ and $main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffff80 @ number of bytes to be processed in main loop (at least 1 byte must be handled by tail) ++ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 8 ++ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 8 ++ ++ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 8 ++ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 8 ++ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 8 ++ ++ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 8 ++ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 8 ++ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 8 ++ ++ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 9 ++ ++ ld1 { $acc_lb}, [$current_tag] ++ ext $acc_lb, $acc_lb, $acc_lb, #8 ++ rev64 $acc_lb, $acc_lb ++ ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11 ++ add $end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr ++ add $main_end_input_ptr, $main_end_input_ptr, $input_ptr ++ ++ aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 9 ++ aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 9 ++ ++ aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 9 ++ aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 9 ++ ++ aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 9 ++ ++ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 9 ++ aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 9 ++ ++ aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 10 ++ aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 10 ++ aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 10 ++ ++ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 10 ++ aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 10 ++ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 10 ++ ++ aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 10 ++ aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 10 ++ ldp $rk12q, $rk13q, [$cc, #192] @ load rk12, rk13 ++ ++ aese $ctr0b, $rk11 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 11 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 7 ++ ++ aese $ctr7b, $rk11 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 11 ++ aese $ctr3b, $rk11 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 11 ++ aese $ctr1b, $rk11 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 11 ++ ++ aese $ctr5b, $rk11 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 11 ++ aese $ctr4b, $rk11 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 11 ++ aese $ctr2b, $rk11 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 11 ++ ++ aese $ctr6b, $rk11 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 11 ++ ldr $rk14q, [$cc, #224] @ load rk14 ++ ++ aese $ctr1b, $rk12 \n aesmc $ctr1b, $ctr1b @ AES block 1 - round 12 ++ aese $ctr4b, $rk12 \n aesmc $ctr4b, $ctr4b @ AES block 4 - round 12 ++ aese $ctr5b, $rk12 \n aesmc $ctr5b, $ctr5b @ AES block 5 - round 12 ++ ++ cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks ++ aese $ctr3b, $rk12 \n aesmc $ctr3b, $ctr3b @ AES block 3 - round 12 ++ aese $ctr2b, $rk12 \n aesmc $ctr2b, $ctr2b @ AES block 2 - round 12 ++ ++ aese $ctr6b, $rk12 \n aesmc $ctr6b, $ctr6b @ AES block 6 - round 12 ++ aese $ctr0b, $rk12 \n aesmc $ctr0b, $ctr0b @ AES block 0 - round 12 ++ aese $ctr7b, $rk12 \n aesmc $ctr7b, $ctr7b @ AES block 7 - round 12 ++ ++ aese $ctr5b, $rk13 @ AES block 5 - round 13 ++ aese $ctr1b, $rk13 @ AES block 1 - round 13 ++ aese $ctr2b, $rk13 @ AES block 2 - round 13 ++ ++ aese $ctr0b, $rk13 @ AES block 0 - round 13 ++ aese $ctr4b, $rk13 @ AES block 4 - round 13 ++ aese $ctr6b, $rk13 @ AES block 6 - round 13 ++ ++ aese $ctr3b, $rk13 @ AES block 3 - round 13 ++ aese $ctr7b, $rk13 @ AES block 7 - round 13 ++ b.ge .L256_dec_tail @ handle tail ++ ++ ldp $res0q, $res1q, [$input_ptr], #32 @ AES block 0, 1 - load ciphertext ++ ++ ldp $res2q, $res3q, [$input_ptr], #32 @ AES block 2, 3 - load ciphertext ++ ++ ldp $res4q, $res5q, [$input_ptr], #32 @ AES block 4, 5 - load ciphertext ++ ++ ldp $res6q, $res7q, [$input_ptr], #32 @ AES block 6, 7 - load ciphertext ++ cmp $input_ptr, $main_end_input_ptr @ check if we have <= 8 blocks ++ ++ eor3 $ctr1b, $res1b, $ctr1b, $rk14 @ AES block 1 - result ++ eor3 $ctr0b, $res0b, $ctr0b, $rk14 @ AES block 0 - result ++ stp $ctr0q, $ctr1q, [$output_ptr], #32 @ AES block 0, 1 - store result ++ ++ rev32 $ctr0.16b, $rtmp_ctr.16b @ CTR block 8 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8 ++ eor3 $ctr3b, $res3b, $ctr3b, $rk14 @ AES block 3 - result ++ ++ eor3 $ctr5b, $res5b, $ctr5b, $rk14 @ AES block 5 - result ++ ++ eor3 $ctr4b, $res4b, $ctr4b, $rk14 @ AES block 4 - result ++ rev32 $ctr1.16b, $rtmp_ctr.16b @ CTR block 9 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 9 ++ ++ eor3 $ctr2b, $res2b, $ctr2b, $rk14 @ AES block 2 - result ++ stp $ctr2q, $ctr3q, [$output_ptr], #32 @ AES block 2, 3 - store result ++ ++ rev32 $ctr2.16b, $rtmp_ctr.16b @ CTR block 10 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 10 ++ ++ eor3 $ctr6b, $res6b, $ctr6b, $rk14 @ AES block 6 - result ++ ++ rev32 $ctr3.16b, $rtmp_ctr.16b @ CTR block 11 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 11 ++ stp $ctr4q, $ctr5q, [$output_ptr], #32 @ AES block 4, 5 - store result ++ ++ eor3 $ctr7b, $res7b, $ctr7b, $rk14 @ AES block 7 - result ++ stp $ctr6q, $ctr7q, [$output_ptr], #32 @ AES block 6, 7 - store result ++ ++ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 12 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 12 ++ b.ge .L256_dec_prepretail @ do prepretail ++ ++.L256_dec_main_loop: @ main loop start ++ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13 ++ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13 ++ ++ rev64 $res1b, $res1b @ GHASH block 8k+1 ++ ldr $h7q, [$current_tag, #176] @ load h7l | h7h ++ ext $h7.16b, $h7.16b, $h7.16b, #8 ++ ldr $h8q, [$current_tag, #208] @ load h8l | h8h ++ ext $h8.16b, $h8.16b, $h8.16b, #8 ++ ++ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14 ++ rev64 $res0b, $res0b @ GHASH block 8k ++ ++ ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0 ++ rev64 $res4b, $res4b @ GHASH block 8k+4 ++ rev64 $res3b, $res3b @ GHASH block 8k+3 ++ ++ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15 ++ rev64 $res7b, $res7b @ GHASH block 8k+7 ++ ++ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0 ++ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0 ++ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0 ++ ++ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0 ++ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0 ++ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0 ++ ++ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0 ++ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0 ++ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 ++ ++ eor $res0b, $res0b, $acc_lb @ PRE 1 ++ ldr $h5q, [$current_tag, #128] @ load h5l | h5h ++ ext $h5.16b, $h5.16b, $h5.16b, #8 ++ ldr $h6q, [$current_tag, #160] @ load h6l | h6h ++ ext $h6.16b, $h6.16b, $h6.16b, #8 ++ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1 ++ ++ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1 ++ rev64 $res2b, $res2b @ GHASH block 8k+2 ++ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1 ++ ++ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1 ++ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1 ++ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1 ++ ++ trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1 ++ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1 ++ ++ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2 ++ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2 ++ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2 ++ ++ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2 ++ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2 ++ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low ++ ++ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2 ++ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2 ++ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2 ++ ++ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 ++ pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high ++ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3 ++ ++ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3 ++ pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high ++ pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low ++ ++ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3 ++ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3 ++ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high ++ ++ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3 ++ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3 ++ trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ ++ pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high ++ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3 ++ eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high ++ ++ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4 ++ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3 ++ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4 ++ ++ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4 ++ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4 ++ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4 ++ ++ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4 ++ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4 ++ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4 ++ ++ ldr $h56kq, [$current_tag, #144] @ load h6k | h5k ++ ldr $h78kq, [$current_tag, #192] @ load h8k | h7k ++ eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid ++ pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low ++ ++ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 ++ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5 ++ eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low ++ ++ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5 ++ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5 ++ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5 ++ ++ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5 ++ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5 ++ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5 ++ ++ eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high ++ trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ rev64 $res5b, $res5b @ GHASH block 8k+5 ++ ++ pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid ++ pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid ++ trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ ++ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6 ++ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6 ++ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5 ++ ++ trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6 ++ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6 ++ ++ eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low ++ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6 ++ ++ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6 ++ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6 ++ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6 ++ ++ pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid ++ pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid ++ eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low ++ ++ ldr $h3q, [$current_tag, #80] @ load h3l | h3h ++ ext $h3.16b, $h3.16b, $h3.16b, #8 ++ ldr $h4q, [$current_tag, #112] @ load h4l | h4h ++ ext $h4.16b, $h4.16b, $h4.16b, #8 ++ rev64 $res6b, $res6b @ GHASH block 8k+6 ++ eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid ++ ++ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7 ++ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7 ++ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 ++ ++ ldr $h1q, [$current_tag, #32] @ load h1l | h1h ++ ext $h1.16b, $h1.16b, $h1.16b, #8 ++ ldr $h2q, [$current_tag, #64] @ load h1l | h1h ++ ext $h2.16b, $h2.16b, $h2.16b, #8 ++ eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7 ++ ++ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7 ++ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7 ++ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7 ++ ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7 ++ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7 ++ ++ pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high ++ pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low ++ trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ ++ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 ++ pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high ++ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 ++ ++ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 ++ pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low ++ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 ++ ++ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 ++ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 ++ pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high ++ ++ trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 ++ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 ++ ++ ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11 ++ pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low ++ trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15 ++ eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high ++ aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 9 ++ ++ aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 9 ++ eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 9 ++ ++ ldp $res0q, $res1q, [$input_ptr], #32 @ AES block 8k+8, 8k+9 - load ciphertext ++ eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 9 ++ ++ pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid ++ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 9 ++ aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 9 ++ ++ pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid ++ pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid ++ pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high ++ ++ pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low ++ aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 10 ++ aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 10 ++ ++ pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid ++ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 9 ++ eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low ++ ++ aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 9 ++ eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high ++ ++ aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 10 ++ aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 10 ++ aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 10 ++ ++ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 10 ++ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 10 ++ aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 10 ++ ++ eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low ++ rev32 $h1.16b, $rtmp_ctr.16b @ CTR block 8k+16 ++ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant ++ ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+16 ++ aese $ctr1b, $rk11 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 11 ++ ldp $rk12q, $rk13q, [$cc, #192] @ load rk12, rk13 ++ ++ aese $ctr0b, $rk11 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 11 ++ aese $ctr6b, $rk11 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 11 ++ ++ eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ rev32 $h2.16b, $rtmp_ctr.16b @ CTR block 8k+17 ++ aese $ctr2b, $rk11 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 11 ++ ++ ldp $res2q, $res3q, [$input_ptr], #32 @ AES block 8k+10, 8k+11 - load ciphertext ++ aese $ctr7b, $rk11 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 11 ++ ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment ++ ++ aese $ctr5b, $rk11 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 11 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+17 ++ aese $ctr3b, $rk11 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 11 ++ ++ aese $ctr2b, $rk12 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 12 ++ aese $ctr7b, $rk12 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 12 ++ aese $ctr6b, $rk12 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 12 ++ ++ rev32 $h3.16b, $rtmp_ctr.16b @ CTR block 8k+18 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+18 ++ pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid ++ ++ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up ++ aese $ctr1b, $rk12 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 12 ++ aese $ctr4b, $rk11 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 11 ++ ++ ldr $rk14q, [$cc, #224] @ load rk14 ++ aese $ctr5b, $rk12 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 12 ++ aese $ctr3b, $rk12 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 12 ++ ++ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid ++ aese $ctr0b, $rk12 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 12 ++ aese $ctr4b, $rk12 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 12 ++ ++ ldp $res4q, $res5q, [$input_ptr], #32 @ AES block 8k+12, 8k+13 - load ciphertext ++ aese $ctr1b, $rk13 @ AES block 8k+9 - round 13 ++ aese $ctr2b, $rk13 @ AES block 8k+10 - round 13 ++ ++ ldp $res6q, $res7q, [$input_ptr], #32 @ AES block 8k+14, 8k+15 - load ciphertext ++ aese $ctr0b, $rk13 @ AES block 8k+8 - round 13 ++ aese $ctr5b, $rk13 @ AES block 8k+13 - round 13 ++ ++ rev32 $h4.16b, $rtmp_ctr.16b @ CTR block 8k+19 ++ eor3 $ctr2b, $res2b, $ctr2b, $rk14 @ AES block 8k+10 - result ++ eor3 $ctr1b, $res1b, $ctr1b, $rk14 @ AES block 8k+9 - result ++ ++ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment ++ aese $ctr7b, $rk13 @ AES block 8k+15 - round 13 ++ ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+19 ++ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low ++ aese $ctr4b, $rk13 @ AES block 8k+12 - round 13 ++ ++ eor3 $ctr5b, $res5b, $ctr5b, $rk14 @ AES block 8k+13 - result ++ eor3 $ctr0b, $res0b, $ctr0b, $rk14 @ AES block 8k+8 - result ++ aese $ctr3b, $rk13 @ AES block 8k+11 - round 13 ++ ++ stp $ctr0q, $ctr1q, [$output_ptr], #32 @ AES block 8k+8, 8k+9 - store result ++ mov $ctr0.16b, $h1.16b @ CTR block 8k+16 ++ eor3 $ctr4b, $res4b, $ctr4b, $rk14 @ AES block 8k+12 - result ++ ++ eor3 $acc_lb, $acc_lb, $t11.16b, $acc_hb @ MODULO - fold into low ++ eor3 $ctr3b, $res3b, $ctr3b, $rk14 @ AES block 8k+11 - result ++ stp $ctr2q, $ctr3q, [$output_ptr], #32 @ AES block 8k+10, 8k+11 - store result ++ ++ mov $ctr3.16b, $h4.16b @ CTR block 8k+19 ++ mov $ctr2.16b, $h3.16b @ CTR block 8k+18 ++ aese $ctr6b, $rk13 @ AES block 8k+14 - round 13 ++ ++ mov $ctr1.16b, $h2.16b @ CTR block 8k+17 ++ stp $ctr4q, $ctr5q, [$output_ptr], #32 @ AES block 8k+12, 8k+13 - store result ++ eor3 $ctr7b, $res7b, $ctr7b, $rk14 @ AES block 8k+15 - result ++ ++ eor3 $ctr6b, $res6b, $ctr6b, $rk14 @ AES block 8k+14 - result ++ rev32 $ctr4.16b, $rtmp_ctr.16b @ CTR block 8k+20 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+20 ++ ++ cmp $input_ptr, $main_end_input_ptr @ LOOP CONTROL ++ stp $ctr6q, $ctr7q, [$output_ptr], #32 @ AES block 8k+14, 8k+15 - store result ++ b.lt .L256_dec_main_loop ++ ++.L256_dec_prepretail: @ PREPRETAIL ++ ldp $rk0q, $rk1q, [$cc, #0] @ load rk0, rk1 ++ rev32 $ctr5.16b, $rtmp_ctr.16b @ CTR block 8k+13 ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+13 ++ ++ rev64 $res4b, $res4b @ GHASH block 8k+4 ++ ldr $h56kq, [$current_tag, #144] @ load h6k | h5k ++ ldr $h78kq, [$current_tag, #192] @ load h8k | h7k ++ ++ rev32 $ctr6.16b, $rtmp_ctr.16b @ CTR block 8k+14 ++ rev64 $res0b, $res0b @ GHASH block 8k ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+14 ++ ++ ext $acc_lb, $acc_lb, $acc_lb, #8 @ PRE 0 ++ ldr $h7q, [$current_tag, #176] @ load h7l | h7h ++ ext $h7.16b, $h7.16b, $h7.16b, #8 ++ ldr $h8q, [$current_tag, #208] @ load h8l | h8h ++ ext $h8.16b, $h8.16b, $h8.16b, #8 ++ rev64 $res1b, $res1b @ GHASH block 8k+1 ++ ++ rev32 $ctr7.16b, $rtmp_ctr.16b @ CTR block 8k+15 ++ rev64 $res2b, $res2b @ GHASH block 8k+2 ++ ldr $h5q, [$current_tag, #128] @ load h5l | h5h ++ ext $h5.16b, $h5.16b, $h5.16b, #8 ++ ldr $h6q, [$current_tag, #160] @ load h6l | h6h ++ ext $h6.16b, $h6.16b, $h6.16b, #8 ++ ++ aese $ctr0b, $rk0 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 0 ++ aese $ctr1b, $rk0 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 0 ++ aese $ctr4b, $rk0 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 0 ++ ++ aese $ctr3b, $rk0 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 0 ++ aese $ctr5b, $rk0 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 0 ++ aese $ctr6b, $rk0 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 0 ++ ++ aese $ctr4b, $rk1 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 1 ++ aese $ctr7b, $rk0 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 0 ++ aese $ctr2b, $rk0 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 0 ++ ++ ldp $rk2q, $rk3q, [$cc, #32] @ load rk2, rk3 ++ aese $ctr0b, $rk1 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 1 ++ eor $res0b, $res0b, $acc_lb @ PRE 1 ++ ++ aese $ctr7b, $rk1 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 1 ++ aese $ctr6b, $rk1 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 1 ++ aese $ctr2b, $rk1 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 1 ++ ++ aese $ctr3b, $rk1 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 1 ++ aese $ctr1b, $rk1 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 1 ++ aese $ctr5b, $rk1 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 1 ++ ++ pmull2 $t0.1q, $res1.2d, $h7.2d @ GHASH block 8k+1 - high ++ trn1 $acc_m.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH block 8k - low ++ ++ rev64 $res3b, $res3b @ GHASH block 8k+3 ++ pmull $h7.1q, $res1.1d, $h7.1d @ GHASH block 8k+1 - low ++ ++ aese $ctr5b, $rk2 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 2 ++ aese $ctr7b, $rk2 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 2 ++ aese $ctr1b, $rk2 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 2 ++ ++ aese $ctr3b, $rk2 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 2 ++ aese $ctr6b, $rk2 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 2 ++ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH block 8k - high ++ ++ aese $ctr0b, $rk2 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 2 ++ aese $ctr7b, $rk3 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 3 ++ ++ aese $ctr5b, $rk3 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 3 ++ rev64 $res6b, $res6b @ GHASH block 8k+6 ++ ++ aese $ctr0b, $rk3 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 3 ++ aese $ctr2b, $rk2 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 2 ++ aese $ctr6b, $rk3 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 3 ++ ++ pmull2 $t1.1q, $res2.2d, $h6.2d @ GHASH block 8k+2 - high ++ trn2 $res0.2d, $res1.2d, $res0.2d @ GHASH block 8k, 8k+1 - mid ++ aese $ctr4b, $rk2 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 2 ++ ++ ldp $rk4q, $rk5q, [$cc, #64] @ load rk4, rk5 ++ aese $ctr1b, $rk3 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 3 ++ pmull2 $t2.1q, $res3.2d, $h5.2d @ GHASH block 8k+3 - high ++ ++ aese $ctr2b, $rk3 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 3 ++ eor $acc_hb, $acc_hb, $t0.16b @ GHASH block 8k+1 - high ++ eor $res0.16b, $res0.16b, $acc_m.16b @ GHASH block 8k, 8k+1 - mid ++ ++ aese $ctr4b, $rk3 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 3 ++ pmull $h6.1q, $res2.1d, $h6.1d @ GHASH block 8k+2 - low ++ aese $ctr3b, $rk3 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 3 ++ ++ eor3 $acc_hb, $acc_hb, $t1.16b, $t2.16b @ GHASH block 8k+2, 8k+3 - high ++ trn1 $t3.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ trn2 $res2.2d, $res3.2d, $res2.2d @ GHASH block 8k+2, 8k+3 - mid ++ ++ pmull2 $acc_m.1q, $res0.2d, $h78k.2d @ GHASH block 8k - mid ++ pmull $h5.1q, $res3.1d, $h5.1d @ GHASH block 8k+3 - low ++ eor $acc_lb, $acc_lb, $h7.16b @ GHASH block 8k+1 - low ++ ++ pmull $h78k.1q, $res0.1d, $h78k.1d @ GHASH block 8k+1 - mid ++ aese $ctr5b, $rk4 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 4 ++ aese $ctr0b, $rk4 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 4 ++ ++ eor3 $acc_lb, $acc_lb, $h6.16b, $h5.16b @ GHASH block 8k+2, 8k+3 - low ++ ldr $h1q, [$current_tag, #32] @ load h1l | h1h ++ ext $h1.16b, $h1.16b, $h1.16b, #8 ++ ldr $h2q, [$current_tag, #64] @ load h1l | h1h ++ ext $h2.16b, $h2.16b, $h2.16b, #8 ++ aese $ctr7b, $rk4 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 4 ++ ++ aese $ctr2b, $rk4 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 4 ++ aese $ctr6b, $rk4 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 4 ++ eor $acc_mb, $acc_mb, $h78k.16b @ GHASH block 8k+1 - mid ++ ++ eor $res2.16b, $res2.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ aese $ctr7b, $rk5 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 5 ++ aese $ctr1b, $rk4 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 4 ++ ++ aese $ctr2b, $rk5 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 5 ++ aese $ctr3b, $rk4 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 4 ++ aese $ctr4b, $rk4 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 4 ++ ++ aese $ctr1b, $rk5 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 5 ++ pmull2 $t3.1q, $res2.2d, $h56k.2d @ GHASH block 8k+2 - mid ++ aese $ctr6b, $rk5 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 5 ++ ++ aese $ctr4b, $rk5 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 5 ++ aese $ctr3b, $rk5 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 5 ++ pmull $h56k.1q, $res2.1d, $h56k.1d @ GHASH block 8k+3 - mid ++ ++ aese $ctr0b, $rk5 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 5 ++ aese $ctr5b, $rk5 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 5 ++ ldp $rk6q, $rk7q, [$cc, #96] @ load rk6, rk7 ++ ++ ldr $h3q, [$current_tag, #80] @ load h3l | h3h ++ ext $h3.16b, $h3.16b, $h3.16b, #8 ++ ldr $h4q, [$current_tag, #112] @ load h4l | h4h ++ ext $h4.16b, $h4.16b, $h4.16b, #8 ++ rev64 $res7b, $res7b @ GHASH block 8k+7 ++ rev64 $res5b, $res5b @ GHASH block 8k+5 ++ ++ eor3 $acc_mb, $acc_mb, $h56k.16b, $t3.16b @ GHASH block 8k+2, 8k+3 - mid ++ ++ trn1 $t6.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ ++ aese $ctr0b, $rk6 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 6 ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ aese $ctr6b, $rk6 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 6 ++ ++ aese $ctr5b, $rk6 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 6 ++ aese $ctr7b, $rk6 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 6 ++ ++ pmull2 $t4.1q, $res4.2d, $h4.2d @ GHASH block 8k+4 - high ++ pmull2 $t5.1q, $res5.2d, $h3.2d @ GHASH block 8k+5 - high ++ pmull $h4.1q, $res4.1d, $h4.1d @ GHASH block 8k+4 - low ++ ++ trn2 $res4.2d, $res5.2d, $res4.2d @ GHASH block 8k+4, 8k+5 - mid ++ pmull $h3.1q, $res5.1d, $h3.1d @ GHASH block 8k+5 - low ++ trn1 $t9.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ ++ aese $ctr7b, $rk7 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 7 ++ pmull2 $t7.1q, $res6.2d, $h2.2d @ GHASH block 8k+6 - high ++ aese $ctr1b, $rk6 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 6 ++ ++ aese $ctr2b, $rk6 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 6 ++ aese $ctr3b, $rk6 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 6 ++ aese $ctr4b, $rk6 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 6 ++ ++ ldp $rk8q, $rk9q, [$cc, #128] @ load rk8, rk9 ++ pmull $h2.1q, $res6.1d, $h2.1d @ GHASH block 8k+6 - low ++ aese $ctr5b, $rk7 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 7 ++ ++ aese $ctr1b, $rk7 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 7 ++ aese $ctr4b, $rk7 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 7 ++ ++ aese $ctr6b, $rk7 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 7 ++ aese $ctr2b, $rk7 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 7 ++ eor3 $acc_hb, $acc_hb, $t4.16b, $t5.16b @ GHASH block 8k+4, 8k+5 - high ++ ++ aese $ctr0b, $rk7 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 7 ++ trn2 $res6.2d, $res7.2d, $res6.2d @ GHASH block 8k+6, 8k+7 - mid ++ aese $ctr3b, $rk7 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 7 ++ ++ aese $ctr0b, $rk8 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 8 ++ aese $ctr7b, $rk8 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 8 ++ aese $ctr4b, $rk8 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 8 ++ ++ aese $ctr1b, $rk8 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 8 ++ aese $ctr5b, $rk8 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 8 ++ aese $ctr6b, $rk8 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 8 ++ ++ aese $ctr3b, $rk8 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 8 ++ aese $ctr4b, $rk9 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 9 ++ eor $res4.16b, $res4.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ ++ aese $ctr0b, $rk9 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 9 ++ aese $ctr1b, $rk9 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 9 ++ eor $res6.16b, $res6.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ ++ aese $ctr6b, $rk9 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 9 ++ aese $ctr7b, $rk9 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 9 ++ pmull2 $t6.1q, $res4.2d, $h34k.2d @ GHASH block 8k+4 - mid ++ ++ aese $ctr2b, $rk8 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 8 ++ pmull $h34k.1q, $res4.1d, $h34k.1d @ GHASH block 8k+5 - mid ++ pmull2 $t8.1q, $res7.2d, $h1.2d @ GHASH block 8k+7 - high ++ ++ pmull2 $t9.1q, $res6.2d, $h12k.2d @ GHASH block 8k+6 - mid ++ pmull $h12k.1q, $res6.1d, $h12k.1d @ GHASH block 8k+7 - mid ++ pmull $h1.1q, $res7.1d, $h1.1d @ GHASH block 8k+7 - low ++ ++ ldp $rk10q, $rk11q, [$cc, #160] @ load rk10, rk11 ++ eor3 $acc_lb, $acc_lb, $h4.16b, $h3.16b @ GHASH block 8k+4, 8k+5 - low ++ eor3 $acc_mb, $acc_mb, $h34k.16b, $t6.16b @ GHASH block 8k+4, 8k+5 - mid ++ ++ aese $ctr2b, $rk9 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 9 ++ aese $ctr3b, $rk9 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 9 ++ aese $ctr5b, $rk9 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 9 ++ ++ eor3 $acc_hb, $acc_hb, $t7.16b, $t8.16b @ GHASH block 8k+6, 8k+7 - high ++ eor3 $acc_lb, $acc_lb, $h2.16b, $h1.16b @ GHASH block 8k+6, 8k+7 - low ++ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant ++ ++ eor3 $acc_mb, $acc_mb, $h12k.16b, $t9.16b @ GHASH block 8k+6, 8k+7 - mid ++ ++ aese $ctr4b, $rk10 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 10 ++ aese $ctr6b, $rk10 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 10 ++ aese $ctr5b, $rk10 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 10 ++ ++ aese $ctr0b, $rk10 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 10 ++ aese $ctr2b, $rk10 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 10 ++ aese $ctr3b, $rk10 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 10 ++ ++ eor3 $acc_mb, $acc_mb, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up ++ ++ aese $ctr7b, $rk10 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 10 ++ aese $ctr1b, $rk10 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 10 ++ ldp $rk12q, $rk13q, [$cc, #192] @ load rk12, rk13 ++ ++ ext $t11.16b, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment ++ ++ aese $ctr2b, $rk11 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 11 ++ aese $ctr1b, $rk11 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 11 ++ aese $ctr0b, $rk11 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 11 ++ ++ pmull $t12.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid ++ aese $ctr3b, $rk11 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 11 ++ ++ aese $ctr7b, $rk11 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 11 ++ aese $ctr6b, $rk11 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 11 ++ aese $ctr4b, $rk11 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 11 ++ ++ aese $ctr5b, $rk11 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 11 ++ aese $ctr3b, $rk12 \n aesmc $ctr3b, $ctr3b @ AES block 8k+11 - round 12 ++ ++ eor3 $acc_mb, $acc_mb, $t12.16b, $t11.16b @ MODULO - fold into mid ++ ++ aese $ctr3b, $rk13 @ AES block 8k+11 - round 13 ++ aese $ctr2b, $rk12 \n aesmc $ctr2b, $ctr2b @ AES block 8k+10 - round 12 ++ aese $ctr6b, $rk12 \n aesmc $ctr6b, $ctr6b @ AES block 8k+14 - round 12 ++ ++ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low ++ aese $ctr4b, $rk12 \n aesmc $ctr4b, $ctr4b @ AES block 8k+12 - round 12 ++ aese $ctr7b, $rk12 \n aesmc $ctr7b, $ctr7b @ AES block 8k+15 - round 12 ++ ++ aese $ctr0b, $rk12 \n aesmc $ctr0b, $ctr0b @ AES block 8k+8 - round 12 ++ ldr $rk14q, [$cc, #224] @ load rk14 ++ aese $ctr1b, $rk12 \n aesmc $ctr1b, $ctr1b @ AES block 8k+9 - round 12 ++ ++ aese $ctr4b, $rk13 @ AES block 8k+12 - round 13 ++ ext $t11.16b, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment ++ aese $ctr5b, $rk12 \n aesmc $ctr5b, $ctr5b @ AES block 8k+13 - round 12 ++ ++ aese $ctr6b, $rk13 @ AES block 8k+14 - round 13 ++ aese $ctr2b, $rk13 @ AES block 8k+10 - round 13 ++ aese $ctr1b, $rk13 @ AES block 8k+9 - round 13 ++ ++ aese $ctr5b, $rk13 @ AES block 8k+13 - round 13 ++ eor3 $acc_lb, $acc_lb, $t11.16b, $acc_hb @ MODULO - fold into low ++ add $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 8k+15 ++ ++ aese $ctr7b, $rk13 @ AES block 8k+15 - round 13 ++ aese $ctr0b, $rk13 @ AES block 8k+8 - round 13 ++.L256_dec_tail: @ TAIL ++ ++ ext $t0.16b, $acc_lb, $acc_lb, #8 @ prepare final partial tag ++ sub $main_end_input_ptr, $end_input_ptr, $input_ptr @ main_end_input_ptr is number of bytes left to process ++ cmp $main_end_input_ptr, #112 ++ ++ ldr $res1q, [$input_ptr], #16 @ AES block 8k+8 - load ciphertext ++ ++ ldp $h78kq, $h8q, [$current_tag, #192] @ load h8l | h8h ++ ext $h8.16b, $h8.16b, $h8.16b, #8 ++ mov $t1.16b, $rk14 ++ ++ ldp $h5q, $h56kq, [$current_tag, #128] @ load h5l | h5h ++ ext $h5.16b, $h5.16b, $h5.16b, #8 ++ ++ eor3 $res4b, $res1b, $ctr0b, $t1.16b @ AES block 8k+8 - result ++ ldp $h6q, $h7q, [$current_tag, #160] @ load h6l | h6h ++ ext $h6.16b, $h6.16b, $h6.16b, #8 ++ ext $h7.16b, $h7.16b, $h7.16b, #8 ++ b.gt .L256_dec_blocks_more_than_7 ++ ++ mov $ctr7b, $ctr6b ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ mov $ctr6b, $ctr5b ++ ++ mov $ctr5b, $ctr4b ++ mov $ctr4b, $ctr3b ++ movi $acc_l.8b, #0 ++ ++ movi $acc_h.8b, #0 ++ movi $acc_m.8b, #0 ++ mov $ctr3b, $ctr2b ++ ++ cmp $main_end_input_ptr, #96 ++ mov $ctr2b, $ctr1b ++ b.gt .L256_dec_blocks_more_than_6 ++ ++ mov $ctr7b, $ctr6b ++ mov $ctr6b, $ctr5b ++ ++ mov $ctr5b, $ctr4b ++ cmp $main_end_input_ptr, #80 ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ ++ mov $ctr4b, $ctr3b ++ mov $ctr3b, $ctr1b ++ b.gt .L256_dec_blocks_more_than_5 ++ ++ cmp $main_end_input_ptr, #64 ++ mov $ctr7b, $ctr6b ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ ++ mov $ctr6b, $ctr5b ++ ++ mov $ctr5b, $ctr4b ++ mov $ctr4b, $ctr1b ++ b.gt .L256_dec_blocks_more_than_4 ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ mov $ctr7b, $ctr6b ++ cmp $main_end_input_ptr, #48 ++ ++ mov $ctr6b, $ctr5b ++ mov $ctr5b, $ctr1b ++ b.gt .L256_dec_blocks_more_than_3 ++ ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ mov $ctr7b, $ctr6b ++ ++ cmp $main_end_input_ptr, #32 ++ mov $ctr6b, $ctr1b ++ b.gt .L256_dec_blocks_more_than_2 ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ ++ mov $ctr7b, $ctr1b ++ cmp $main_end_input_ptr, #16 ++ b.gt .L256_dec_blocks_more_than_1 ++ ++ sub $rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ b .L256_dec_blocks_less_than_1 ++.L256_dec_blocks_more_than_7: @ blocks left > 7 ++ rev64 $res0b, $res1b @ GHASH final-7 block ++ ldr $res1q, [$input_ptr], #16 @ AES final-6 block - load ciphertext ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-7 block - store result ++ ++ ins $acc_m.d[0], $h78k.d[1] @ GHASH final-7 block - mid ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-7 block - mid ++ eor3 $res4b, $res1b, $ctr1b, $t1.16b @ AES final-6 block - result ++ ++ pmull2 $acc_h.1q, $res0.2d, $h8.2d @ GHASH final-7 block - high ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-7 block - mid ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ pmull $acc_l.1q, $res0.1d, $h8.1d @ GHASH final-7 block - low ++ pmull $acc_m.1q, $rk4v.1d, $acc_m.1d @ GHASH final-7 block - mid ++.L256_dec_blocks_more_than_6: @ blocks left > 6 ++ ++ rev64 $res0b, $res1b @ GHASH final-6 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ldr $res1q, [$input_ptr], #16 @ AES final-5 block - load ciphertext ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-6 block - mid ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-6 block - store result ++ pmull2 $rk2q1, $res0.2d, $h7.2d @ GHASH final-6 block - high ++ ++ pmull $rk3q1, $res0.1d, $h7.1d @ GHASH final-6 block - low ++ ++ eor3 $res4b, $res1b, $ctr2b, $t1.16b @ AES final-5 block - result ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-6 block - low ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-6 block - mid ++ ++ pmull $rk4v.1q, $rk4v.1d, $h78k.1d @ GHASH final-6 block - mid ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-6 block - mid ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-6 block - high ++.L256_dec_blocks_more_than_5: @ blocks left > 5 ++ ++ rev64 $res0b, $res1b @ GHASH final-5 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ pmull2 $rk2q1, $res0.2d, $h6.2d @ GHASH final-5 block - high ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-5 block - mid ++ ++ ldr $res1q, [$input_ptr], #16 @ AES final-4 block - load ciphertext ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-5 block - mid ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-5 block - store result ++ ++ pmull $rk3q1, $res0.1d, $h6.1d @ GHASH final-5 block - low ++ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-5 block - mid ++ ++ pmull2 $rk4v.1q, $rk4v.2d, $h56k.2d @ GHASH final-5 block - mid ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-5 block - high ++ eor3 $res4b, $res1b, $ctr3b, $t1.16b @ AES final-4 block - result ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-5 block - low ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-5 block - mid ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++.L256_dec_blocks_more_than_4: @ blocks left > 4 ++ ++ rev64 $res0b, $res1b @ GHASH final-4 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-4 block - mid ++ ldr $res1q, [$input_ptr], #16 @ AES final-3 block - load ciphertext ++ ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ pmull $rk3q1, $res0.1d, $h5.1d @ GHASH final-4 block - low ++ pmull2 $rk2q1, $res0.2d, $h5.2d @ GHASH final-4 block - high ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-4 block - mid ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-4 block - high ++ ++ pmull $rk4v.1q, $rk4v.1d, $h56k.1d @ GHASH final-4 block - mid ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-4 block - low ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-4 block - store result ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-4 block - mid ++ eor3 $res4b, $res1b, $ctr4b, $t1.16b @ AES final-3 block - result ++.L256_dec_blocks_more_than_3: @ blocks left > 3 ++ ++ ldr $h4q, [$current_tag, #112] @ load h4l | h4h ++ ext $h4.16b, $h4.16b, $h4.16b, #8 ++ rev64 $res0b, $res1b @ GHASH final-3 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ldr $res1q, [$input_ptr], #16 @ AES final-2 block - load ciphertext ++ ldr $h34kq, [$current_tag, #96] @ load h4k | h3k ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-3 block - mid ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-3 block - store result ++ ++ eor3 $res4b, $res1b, $ctr5b, $t1.16b @ AES final-2 block - result ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-3 block - mid ++ ++ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-3 block - mid ++ pmull $rk3q1, $res0.1d, $h4.1d @ GHASH final-3 block - low ++ pmull2 $rk2q1, $res0.2d, $h4.2d @ GHASH final-3 block - high ++ ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ pmull2 $rk4v.1q, $rk4v.2d, $h34k.2d @ GHASH final-3 block - mid ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-3 block - low ++ ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-3 block - high ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-3 block - mid ++.L256_dec_blocks_more_than_2: @ blocks left > 2 ++ ++ rev64 $res0b, $res1b @ GHASH final-2 block ++ ++ ldr $h3q, [$current_tag, #80] @ load h3l | h3h ++ ext $h3.16b, $h3.16b, $h3.16b, #8 ++ ldr $res1q, [$input_ptr], #16 @ AES final-1 block - load ciphertext ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-2 block - mid ++ ++ pmull $rk3q1, $res0.1d, $h3.1d @ GHASH final-2 block - low ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-2 block - store result ++ eor3 $res4b, $res1b, $ctr6b, $t1.16b @ AES final-1 block - result ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-2 block - mid ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-2 block - low ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ ++ pmull $rk4v.1q, $rk4v.1d, $h34k.1d @ GHASH final-2 block - mid ++ pmull2 $rk2q1, $res0.2d, $h3.2d @ GHASH final-2 block - high ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-2 block - mid ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-2 block - high ++.L256_dec_blocks_more_than_1: @ blocks left > 1 ++ ++ rev64 $res0b, $res1b @ GHASH final-1 block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $rk4v.d[0], $res0.d[1] @ GHASH final-1 block - mid ++ ldr $h2q, [$current_tag, #64] @ load h1l | h1h ++ ext $h2.16b, $h2.16b, $h2.16b, #8 ++ ++ eor $rk4v.8b, $rk4v.8b, $res0.8b @ GHASH final-1 block - mid ++ ldr $res1q, [$input_ptr], #16 @ AES final block - load ciphertext ++ st1 { $res4b}, [$output_ptr], #16 @ AES final-1 block - store result ++ ++ ldr $h12kq, [$current_tag, #48] @ load h2k | h1k ++ pmull $rk3q1, $res0.1d, $h2.1d @ GHASH final-1 block - low ++ ++ ins $rk4v.d[1], $rk4v.d[0] @ GHASH final-1 block - mid ++ ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final-1 block - low ++ ++ eor3 $res4b, $res1b, $ctr7b, $t1.16b @ AES final block - result ++ pmull2 $rk2q1, $res0.2d, $h2.2d @ GHASH final-1 block - high ++ ++ pmull2 $rk4v.1q, $rk4v.2d, $h12k.2d @ GHASH final-1 block - mid ++ ++ movi $t0.8b, #0 @ surpress further partial tag feed in ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final-1 block - high ++ ++ eor $acc_mb, $acc_mb, $rk4v.16b @ GHASH final-1 block - mid ++.L256_dec_blocks_less_than_1: @ blocks left <= 1 ++ ++ ld1 { $rk0}, [$output_ptr] @ load existing bytes where the possibly partial last block is to be stored ++ mvn $temp0_x, xzr @ temp0_x = 0xffffffffffffffff ++ and $bit_length, $bit_length, #127 @ bit_length %= 128 ++ ++ sub $bit_length, $bit_length, #128 @ bit_length -= 128 ++ rev32 $rtmp_ctr.16b, $rtmp_ctr.16b ++ str $rtmp_ctrq, [$counter] @ store the updated counter ++ ++ neg $bit_length, $bit_length @ bit_length = 128 - #bits in input (in range [1,128]) ++ ++ and $bit_length, $bit_length, #127 @ bit_length %= 128 ++ ++ lsr $temp0_x, $temp0_x, $bit_length @ temp0_x is mask for top 64b of last block ++ cmp $bit_length, #64 ++ mvn $temp1_x, xzr @ temp1_x = 0xffffffffffffffff ++ ++ csel $temp3_x, $temp0_x, xzr, lt ++ csel $temp2_x, $temp1_x, $temp0_x, lt ++ ++ mov $ctr0.d[0], $temp2_x @ ctr0b is mask for last block ++ mov $ctr0.d[1], $temp3_x ++ ++ and $res1b, $res1b, $ctr0b @ possibly partial last block has zeroes in highest bits ++ ldr $h1q, [$current_tag, #32] @ load h1l | h1h ++ ext $h1.16b, $h1.16b, $h1.16b, #8 ++ bif $res4b, $rk0, $ctr0b @ insert existing bytes in top end of result before storing ++ ++ rev64 $res0b, $res1b @ GHASH final block ++ ++ eor $res0b, $res0b, $t0.16b @ feed in partial tag ++ ++ ins $t0.d[0], $res0.d[1] @ GHASH final block - mid ++ pmull2 $rk2q1, $res0.2d, $h1.2d @ GHASH final block - high ++ ++ eor $t0.8b, $t0.8b, $res0.8b @ GHASH final block - mid ++ ++ pmull $rk3q1, $res0.1d, $h1.1d @ GHASH final block - low ++ eor $acc_hb, $acc_hb, $rk2 @ GHASH final block - high ++ ++ pmull $t0.1q, $t0.1d, $h12k.1d @ GHASH final block - mid ++ ++ eor $acc_mb, $acc_mb, $t0.16b @ GHASH final block - mid ++ ldr $mod_constantd, [$modulo_constant] @ MODULO - load modulo constant ++ eor $acc_lb, $acc_lb, $rk3 @ GHASH final block - low ++ ++ pmull $t11.1q, $acc_h.1d, $mod_constant.1d @ MODULO - top 64b align with mid ++ eor $t10.16b, $acc_hb, $acc_lb @ MODULO - karatsuba tidy up ++ ++ ext $acc_hb, $acc_hb, $acc_hb, #8 @ MODULO - other top alignment ++ st1 { $res4b}, [$output_ptr] @ store all 16B ++ ++ eor $acc_mb, $acc_mb, $t10.16b @ MODULO - karatsuba tidy up ++ ++ eor $t11.16b, $acc_hb, $t11.16b @ MODULO - fold into mid ++ eor $acc_mb, $acc_mb, $t11.16b @ MODULO - fold into mid ++ ++ pmull $acc_h.1q, $acc_m.1d, $mod_constant.1d @ MODULO - mid 64b align with low ++ ++ ext $acc_mb, $acc_mb, $acc_mb, #8 @ MODULO - other mid alignment ++ eor $acc_lb, $acc_lb, $acc_hb @ MODULO - fold into low ++ ++ eor $acc_lb, $acc_lb, $acc_mb @ MODULO - fold into low ++ ext $acc_lb, $acc_lb, $acc_lb, #8 ++ rev64 $acc_lb, $acc_lb ++ st1 { $acc_l.16b }, [$current_tag] ++ lsr x0, $bit_length, #3 @ return sizes ++ ++ ldp d10, d11, [sp, #16] ++ ldp d12, d13, [sp, #32] ++ ldp d14, d15, [sp, #48] ++ ldp d8, d9, [sp], #80 ++ ret ++ ++.L256_dec_ret: ++ mov w0, #0x0 ++ ret ++.size unroll8_eor3_aes_gcm_dec_256_kernel,.-unroll8_eor3_aes_gcm_dec_256_kernel ++___ ++} ++} ++ ++$code.=<<___; ++.asciz "AES GCM module for ARMv8, SPDX BSD-3-Clause by " ++.align 2 ++#endif ++___ ++ ++{ ++ my %opcode = ( ++ "rax1" => 0xce608c00, "eor3" => 0xce000000, ++ "bcax" => 0xce200000, "xar" => 0xce800000 ); ++ ++ sub unsha3 { ++ my ($mnemonic,$arg)=@_; ++ ++ $arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)[^,]*(?:,\s*[qv]([0-9]+)[^,]*(?:,\s*[qv#]([0-9\-]+))?)?/ ++ && ++ sprintf ".inst\t0x%08x\t//%s %s", ++ $opcode{$mnemonic}|$1|($2<<5)|($3<<16)|(eval($4)<<10), ++ $mnemonic,$arg; ++ } ++ sub unvmov { ++ my $arg=shift; ++ ++ $arg =~ m/q([0-9]+)#(lo|hi),\s*q([0-9]+)#(lo|hi)/o && ++ sprintf "ins v%d.d[%d],v%d.d[%d]",$1<8?$1:$1+8,($2 eq "lo")?0:1, ++ $3<8?$3:$3+8,($4 eq "lo")?0:1; ++ } ++ ++ foreach(split("\n",$code)) { ++ s/@\s/\/\//o; # old->new style commentary ++ s/\`([^\`]*)\`/eval($1)/ge; ++ ++ m/\bld1r\b/ and s/\.16b/.2d/g or ++ s/\b(eor3|rax1|xar|bcax)\s+(v.*)/unsha3($1,$2)/ge; ++ print $_,"\n"; ++ } ++} ++ ++close STDOUT or die "error closing STDOUT: $!"; # enforce flush +Index: openssl-1.1.1m/crypto/modes/asm/ghashv8-armx.pl +=================================================================== +--- openssl-1.1.1m.orig/crypto/modes/asm/ghashv8-armx.pl ++++ openssl-1.1.1m/crypto/modes/asm/ghashv8-armx.pl +@@ -141,6 +141,7 @@ gcm_init_v8: + ___ + if ($flavour =~ /64/) { + my ($t3,$Yl,$Ym,$Yh) = map("q$_",(4..7)); ++my ($H3,$H34k,$H4,$H5,$H56k,$H6,$H7,$H78k,$H8) = map("q$_",(15..23)); + + $code.=<<___; + @ calculate H^3 and H^4 +@@ -175,15 +176,103 @@ $code.=<<___; + vpmull.p64 $Yl,$Yl,$xC2 + veor $t2,$t2,$Xh + veor $t3,$t3,$Yh +- veor $H, $Xl,$t2 @ H^3 +- veor $H2,$Yl,$t3 @ H^4 ++ veor $H3, $Xl,$t2 @ H^3 ++ veor $H4,$Yl,$t3 @ H^4 + +- vext.8 $t0,$H, $H,#8 @ Karatsuba pre-processing +- vext.8 $t1,$H2,$H2,#8 +- veor $t0,$t0,$H +- veor $t1,$t1,$H2 +- vext.8 $Hhl,$t0,$t1,#8 @ pack Karatsuba pre-processed +- vst1.64 {$H-$H2},[x0] @ store Htable[3..5] ++ vext.8 $t0,$H3, $H3,#8 @ Karatsuba pre-processing ++ vext.8 $t1,$H4,$H4,#8 ++ vext.8 $t2,$H2,$H2,#8 ++ veor $t0,$t0,$H3 ++ veor $t1,$t1,$H4 ++ veor $t2,$t2,$H2 ++ vext.8 $H34k,$t0,$t1,#8 @ pack Karatsuba pre-processed ++ vst1.64 {$H3-$H4},[x0],#48 @ store Htable[3..5] ++ ++ @ calculate H^5 and H^6 ++ vpmull.p64 $Xl,$H2, $H3 ++ vpmull.p64 $Yl,$H3,$H3 ++ vpmull2.p64 $Xh,$H2, $H3 ++ vpmull2.p64 $Yh,$H3,$H3 ++ vpmull.p64 $Xm,$t0,$t2 ++ vpmull.p64 $Ym,$t0,$t0 ++ ++ vext.8 $t0,$Xl,$Xh,#8 @ Karatsuba post-processing ++ vext.8 $t1,$Yl,$Yh,#8 ++ veor $t2,$Xl,$Xh ++ veor $Xm,$Xm,$t0 ++ veor $t3,$Yl,$Yh ++ veor $Ym,$Ym,$t1 ++ veor $Xm,$Xm,$t2 ++ vpmull.p64 $t2,$Xl,$xC2 @ 1st phase ++ veor $Ym,$Ym,$t3 ++ vpmull.p64 $t3,$Yl,$xC2 ++ ++ vmov $Xh#lo,$Xm#hi @ Xh|Xm - 256-bit result ++ vmov $Yh#lo,$Ym#hi ++ vmov $Xm#hi,$Xl#lo @ Xm is rotated Xl ++ vmov $Ym#hi,$Yl#lo ++ veor $Xl,$Xm,$t2 ++ veor $Yl,$Ym,$t3 ++ ++ vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase ++ vext.8 $t3,$Yl,$Yl,#8 ++ vpmull.p64 $Xl,$Xl,$xC2 ++ vpmull.p64 $Yl,$Yl,$xC2 ++ veor $t2,$t2,$Xh ++ veor $t3,$t3,$Yh ++ veor $H5,$Xl,$t2 @ H^5 ++ veor $H6,$Yl,$t3 @ H^6 ++ ++ vext.8 $t0,$H5, $H5,#8 @ Karatsuba pre-processing ++ vext.8 $t1,$H6,$H6,#8 ++ vext.8 $t2,$H2,$H2,#8 ++ veor $t0,$t0,$H5 ++ veor $t1,$t1,$H6 ++ veor $t2,$t2,$H2 ++ vext.8 $H56k,$t0,$t1,#8 @ pack Karatsuba pre-processed ++ vst1.64 {$H5-$H6},[x0],#48 @ store Htable[6..8] ++ ++ @ calculate H^7 and H^8 ++ vpmull.p64 $Xl,$H2,$H5 ++ vpmull.p64 $Yl,$H2,$H6 ++ vpmull2.p64 $Xh,$H2,$H5 ++ vpmull2.p64 $Yh,$H2,$H6 ++ vpmull.p64 $Xm,$t0,$t2 ++ vpmull.p64 $Ym,$t1,$t2 ++ ++ vext.8 $t0,$Xl,$Xh,#8 @ Karatsuba post-processing ++ vext.8 $t1,$Yl,$Yh,#8 ++ veor $t2,$Xl,$Xh ++ veor $Xm,$Xm,$t0 ++ veor $t3,$Yl,$Yh ++ veor $Ym,$Ym,$t1 ++ veor $Xm,$Xm,$t2 ++ vpmull.p64 $t2,$Xl,$xC2 @ 1st phase ++ veor $Ym,$Ym,$t3 ++ vpmull.p64 $t3,$Yl,$xC2 ++ ++ vmov $Xh#lo,$Xm#hi @ Xh|Xm - 256-bit result ++ vmov $Yh#lo,$Ym#hi ++ vmov $Xm#hi,$Xl#lo @ Xm is rotated Xl ++ vmov $Ym#hi,$Yl#lo ++ veor $Xl,$Xm,$t2 ++ veor $Yl,$Ym,$t3 ++ ++ vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase ++ vext.8 $t3,$Yl,$Yl,#8 ++ vpmull.p64 $Xl,$Xl,$xC2 ++ vpmull.p64 $Yl,$Yl,$xC2 ++ veor $t2,$t2,$Xh ++ veor $t3,$t3,$Yh ++ veor $H7,$Xl,$t2 @ H^7 ++ veor $H8,$Yl,$t3 @ H^8 ++ ++ vext.8 $t0,$H7,$H7,#8 @ Karatsuba pre-processing ++ vext.8 $t1,$H8,$H8,#8 ++ veor $t0,$t0,$H7 ++ veor $t1,$t1,$H8 ++ vext.8 $H78k,$t0,$t1,#8 @ pack Karatsuba pre-processed ++ vst1.64 {$H7-$H8},[x0] @ store Htable[9..11] + ___ + } + $code.=<<___; +Index: openssl-1.1.1m/crypto/modes/build.info +=================================================================== +--- openssl-1.1.1m.orig/crypto/modes/build.info ++++ openssl-1.1.1m/crypto/modes/build.info +@@ -20,6 +20,8 @@ GENERATE[ghash-armv4.S]=asm/ghash-armv4. + INCLUDE[ghash-armv4.o]=.. + GENERATE[ghashv8-armx.S]=asm/ghashv8-armx.pl $(PERLASM_SCHEME) + INCLUDE[ghashv8-armx.o]=.. ++GENERATE[aes-gcm-armv8-unroll8_64.S]=asm/aes-gcm-armv8-unroll8_64.pl $(PERLASM_SCHEME) ++INCLUDE[aes-gcm-armv8-unroll8_64.o]=.. + GENERATE[ghash-s390x.S]=asm/ghash-s390x.pl $(PERLASM_SCHEME) + INCLUDE[ghash-s390x.o]=.. + diff --git a/openssl-1_1-Optimize-AES-XTS-aarch64.patch b/openssl-1_1-Optimize-AES-XTS-aarch64.patch new file mode 100644 index 0000000..ea2c3e9 --- /dev/null +++ b/openssl-1_1-Optimize-AES-XTS-aarch64.patch @@ -0,0 +1,1616 @@ +From 9ce8e0d17e608de4f85f7543c52b146e3c6a2291 Mon Sep 17 00:00:00 2001 +From: XiaokangQian +Date: Fri, 13 Mar 2020 03:27:34 +0000 +Subject: [PATCH] Optimize AES-XTS mode in OpenSSL for aarch64 + +Aes-xts mode can be optimized by interleaving cipher operation on +several blocks and loop unrolling. Interleaving needs one ideal +unrolling factor, here we adopt the same factor with aes-cbc, +which is described as below: + If blocks number > 5, select 5 blocks as one iteration,every + loop, decrease the blocks number by 5. + If left blocks < 5, treat them as tail blocks. +Detailed implementation has a little adjustment for squeezing +code space. +With this way, for small size such as 16 bytes, the performance is +similar as before, but for big size such as 16k bytes, the performance +improves a lot, even reaches to 2x uplift, for some arches such as A57, +the improvement even reaches more than 2x uplift. We collect many +performance datas on different micro-archs such as thunderx2, +ampere-emag, a72, a75, a57, a53 and N1, all of which reach 0.5-2x uplift. +The following table lists the encryption performance data on aarch64, +take a72, a75, a57, a53 and N1 as examples. Performance value takes the +unit of cycles per byte, takes the format as comparision of values. +List them as below: + +A72: + Before optimization After optimization Improve +evp-aes-128-xts@16 8.899913518 5.949087263 49.60% +evp-aes-128-xts@64 4.525512668 3.389141845 33.53% +evp-aes-128-xts@256 3.502906908 1.633573479 114.43% +evp-aes-128-xts@1024 3.174210419 1.155952639 174.60% +evp-aes-128-xts@8192 3.053019303 1.028134888 196.95% +evp-aes-128-xts@16384 3.025292462 1.02021169 196.54% +evp-aes-256-xts@16 9.971105023 6.754233758 47.63% +evp-aes-256-xts@64 4.931479093 3.786527393 30.24% +evp-aes-256-xts@256 3.746788153 1.943975947 92.74% +evp-aes-256-xts@1024 3.401743802 1.477394648 130.25% +evp-aes-256-xts@8192 3.278769327 1.32950421 146.62% +evp-aes-256-xts@16384 3.27093296 1.325276257 146.81% + +A75: + Before optimization After optimization Improve +evp-aes-128-xts@16 8.397965173 5.126839098 63.80% +evp-aes-128-xts@64 4.176860631 2.59817764 60.76% +evp-aes-128-xts@256 3.069126585 1.284561028 138.92% +evp-aes-128-xts@1024 2.805962699 0.932754655 200.83% +evp-aes-128-xts@8192 2.725820131 0.829820397 228.48% +evp-aes-128-xts@16384 2.71521905 0.823251591 229.82% +evp-aes-256-xts@16 11.24790935 7.383914448 52.33% +evp-aes-256-xts@64 5.294128847 3.048641998 73.66% +evp-aes-256-xts@256 3.861649617 1.570359905 145.91% +evp-aes-256-xts@1024 3.537646797 1.200493533 194.68% +evp-aes-256-xts@8192 3.435353012 1.085345319 216.52% +evp-aes-256-xts@16384 3.437952563 1.097963822 213.12% + +A57: + Before optimization After optimization Improve +evp-aes-128-xts@16 10.57455446 7.165438012 47.58% +evp-aes-128-xts@64 5.418185447 3.721241202 45.60% +evp-aes-128-xts@256 3.855184592 1.747145379 120.66% +evp-aes-128-xts@1024 3.477199757 1.253049735 177.50% +evp-aes-128-xts@8192 3.36768104 1.091943159 208.41% +evp-aes-128-xts@16384 3.360373443 1.088942789 208.59% +evp-aes-256-xts@16 12.54559459 8.745489036 43.45% +evp-aes-256-xts@64 6.542808937 4.326387568 51.23% +evp-aes-256-xts@256 4.62668822 2.119908754 118.25% +evp-aes-256-xts@1024 4.161716505 1.557335554 167.23% +evp-aes-256-xts@8192 4.032462227 1.377749511 192.68% +evp-aes-256-xts@16384 4.023293877 1.371558933 193.34% + +A53: + Before optimization After optimization Improve +evp-aes-128-xts@16 18.07842135 13.96980808 29.40% +evp-aes-128-xts@64 7.933818397 6.07159276 30.70% +evp-aes-128-xts@256 5.264604704 2.611155744 101.60% +evp-aes-128-xts@1024 4.606660117 1.722713454 167.40% +evp-aes-128-xts@8192 4.405160115 1.454379201 202.90% +evp-aes-128-xts@16384 4.401592028 1.442279392 205.20% +evp-aes-256-xts@16 20.07084054 16.00803726 25.40% +evp-aes-256-xts@64 9.192647294 6.883876732 33.50% +evp-aes-256-xts@256 6.336143161 3.108140452 103.90% +evp-aes-256-xts@1024 5.62502952 2.097960651 168.10% +evp-aes-256-xts@8192 5.412085608 1.807294191 199.50% +evp-aes-256-xts@16384 5.403062591 1.790135764 201.80% + +N1: + Before optimization After optimization Improve +evp-aes-128-xts@16 6.48147613 4.209415473 53.98% +evp-aes-128-xts@64 2.847744115 1.950757468 45.98% +evp-aes-128-xts@256 2.085711968 1.061903238 96.41% +evp-aes-128-xts@1024 1.842014669 0.798486302 130.69% +evp-aes-128-xts@8192 1.760449052 0.713853939 146.61% +evp-aes-128-xts@16384 1.760763546 0.707702009 148.80% +evp-aes-256-xts@16 7.264142817 5.265970454 37.94% +evp-aes-256-xts@64 3.251356212 2.41176323 34.81% +evp-aes-256-xts@256 2.380488469 1.342095742 77.37% +evp-aes-256-xts@1024 2.08853022 1.041718215 100.49% +evp-aes-256-xts@8192 2.027432668 0.944571334 114.64% +evp-aes-256-xts@16384 2.00740782 0.941991415 113.10% + +Add more XTS test cases to cover the cipher stealing mode and cases of different +number of blocks. + +CustomizedGitHooks: yes +Change-Id: I93ee31b2575e1413764e27b599af62994deb4c96 + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11399) +--- + crypto/aes/asm/aesv8-armx.pl | 1426 +++++++++++++++++ + include/crypto/aes_platform.h | 4 + + .../30-test_evp_data/evpciph_aes_common.txt | 38 + + 3 files changed, 1468 insertions(+) + +Index: openssl-1.1.1d/crypto/aes/asm/aesv8-armx.pl +=================================================================== +--- openssl-1.1.1d.orig/crypto/aes/asm/aesv8-armx.pl ++++ openssl-1.1.1d/crypto/aes/asm/aesv8-armx.pl +@@ -897,6 +897,1432 @@ $code.=<<___; + .size ${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks + ___ + }}} ++# Performance in cycles per byte. ++# Processed with AES-XTS different key size. ++# It shows the value before and after optimization as below: ++# (before/after): ++# ++# AES-128-XTS AES-256-XTS ++# Cortex-A57 3.36/1.09 4.02/1.37 ++# Cortex-A72 3.03/1.02 3.28/1.33 ++ ++# Optimization is implemented by loop unrolling and interleaving. ++# Commonly, we choose the unrolling factor as 5, if the input ++# data size smaller than 5 blocks, but not smaller than 3 blocks, ++# choose 3 as the unrolling factor. ++# If the input data size dsize >= 5*16 bytes, then take 5 blocks ++# as one iteration, every loop the left size lsize -= 5*16. ++# If lsize < 5*16 bytes, treat them as the tail. Note: left 4*16 bytes ++# will be processed specially, which be integrated into the 5*16 bytes ++# loop to improve the efficiency. ++# There is one special case, if the original input data size dsize ++# = 16 bytes, we will treat it seperately to improve the ++# performance: one independent code block without LR, FP load and ++# store. ++# Encryption will process the (length -tailcnt) bytes as mentioned ++# previously, then encrypt the composite block as last second ++# cipher block. ++# Decryption will process the (length -tailcnt -1) bytes as mentioned ++# previously, then decrypt the last second cipher block to get the ++# last plain block(tail), decrypt the composite block as last second ++# plain text block. ++ ++{{{ ++my ($inp,$out,$len,$key1,$key2,$ivp)=map("x$_",(0..5)); ++my ($rounds0,$rounds,$key_,$step,$ivl,$ivh)=("w5","w6","x7","x8","x9","x10"); ++my ($tmpoutp,$loutp,$l2outp,$tmpinp)=("x13","w14","w15","x20"); ++my ($tailcnt,$midnum,$midnumx,$constnum,$constnumx)=("x21","w22","x22","w19","x19"); ++my ($xoffset,$tmpmx,$tmpmw)=("x6","x11","w11"); ++my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$tmp2,$rndlast)=map("q$_",(0..7)); ++my ($iv0,$iv1,$iv2,$iv3,$iv4)=("v6.16b","v8.16b","v9.16b","v10.16b","v11.16b"); ++my ($ivd00,$ivd01,$ivd20,$ivd21)=("d6","v6.d[1]","d9","v9.d[1]"); ++my ($ivd10,$ivd11,$ivd30,$ivd31,$ivd40,$ivd41)=("d8","v8.d[1]","d10","v10.d[1]","d11","v11.d[1]"); ++ ++my ($tmpin)=("v26.16b"); ++my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1); ++ ++# q7 last round key ++# q10-q15, q7 Last 7 round keys ++# q8-q9 preloaded round keys except last 7 keys for big size ++# q20, q21, q8-q9 preloaded round keys except last 7 keys for only 16 byte ++ ++ ++my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9)); ++ ++my ($dat3,$in3,$tmp3); # used only in 64-bit mode ++my ($dat4,$in4,$tmp4); ++if ($flavour =~ /64/) { ++ ($dat2,$dat3,$dat4,$in2,$in3,$in4,$tmp3,$tmp4)=map("q$_",(16..23)); ++} ++ ++$code.=<<___ if ($flavour =~ /64/); ++.globl ${prefix}_xts_encrypt ++.type ${prefix}_xts_encrypt,%function ++.align 5 ++${prefix}_xts_encrypt: ++___ ++$code.=<<___ if ($flavour =~ /64/); ++ cmp $len,#16 ++ // Original input data size bigger than 16, jump to big size processing. ++ b.ne .Lxts_enc_big_size ++ // Encrypt the iv with key2, as the first XEX iv. ++ ldr $rounds,[$key2,#240] ++ vld1.8 {$dat},[$key2],#16 ++ vld1.8 {$iv0},[$ivp] ++ sub $rounds,$rounds,#2 ++ vld1.8 {$dat1},[$key2],#16 ++ ++.Loop_enc_iv_enc: ++ aese $iv0,$dat ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat},[$key2],#16 ++ subs $rounds,$rounds,#2 ++ aese $iv0,$dat1 ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat1},[$key2],#16 ++ b.gt .Loop_enc_iv_enc ++ ++ aese $iv0,$dat ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat},[$key2] ++ aese $iv0,$dat1 ++ veor $iv0,$iv0,$dat ++ ++ vld1.8 {$dat0},[$inp] ++ veor $dat0,$iv0,$dat0 ++ ++ ldr $rounds,[$key1,#240] ++ vld1.32 {q20-q21},[$key1],#32 // load key schedule... ++ ++ aese $dat0,q20 ++ aesmc $dat0,$dat0 ++ vld1.32 {q8-q9},[$key1],#32 // load key schedule... ++ aese $dat0,q21 ++ aesmc $dat0,$dat0 ++ subs $rounds,$rounds,#10 // if rounds==10, jump to aes-128-xts processing ++ b.eq .Lxts_128_enc ++.Lxts_enc_round_loop: ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ vld1.32 {q8},[$key1],#16 // load key schedule... ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ vld1.32 {q9},[$key1],#16 // load key schedule... ++ subs $rounds,$rounds,#2 // bias ++ b.gt .Lxts_enc_round_loop ++.Lxts_128_enc: ++ vld1.32 {q10-q11},[$key1],#32 // load key schedule... ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ vld1.32 {q12-q13},[$key1],#32 // load key schedule... ++ aese $dat0,q10 ++ aesmc $dat0,$dat0 ++ aese $dat0,q11 ++ aesmc $dat0,$dat0 ++ vld1.32 {q14-q15},[$key1],#32 // load key schedule... ++ aese $dat0,q12 ++ aesmc $dat0,$dat0 ++ aese $dat0,q13 ++ aesmc $dat0,$dat0 ++ vld1.32 {$rndlast},[$key1] ++ aese $dat0,q14 ++ aesmc $dat0,$dat0 ++ aese $dat0,q15 ++ veor $dat0,$dat0,$rndlast ++ veor $dat0,$dat0,$iv0 ++ vst1.8 {$dat0},[$out] ++ b .Lxts_enc_final_abort ++ ++.align 4 ++.Lxts_enc_big_size: ++___ ++$code.=<<___ if ($flavour =~ /64/); ++ stp $constnumx,$tmpinp,[sp,#-64]! ++ stp $tailcnt,$midnumx,[sp,#48] ++ stp $ivd10,$ivd20,[sp,#32] ++ stp $ivd30,$ivd40,[sp,#16] ++ ++ // tailcnt store the tail value of length%16. ++ and $tailcnt,$len,#0xf ++ and $len,$len,#-16 ++ subs $len,$len,#16 ++ mov $step,#16 ++ b.lo .Lxts_abort ++ csel $step,xzr,$step,eq ++ ++ // Firstly, encrypt the iv with key2, as the first iv of XEX. ++ ldr $rounds,[$key2,#240] ++ vld1.32 {$dat},[$key2],#16 ++ vld1.8 {$iv0},[$ivp] ++ sub $rounds,$rounds,#2 ++ vld1.32 {$dat1},[$key2],#16 ++ ++.Loop_iv_enc: ++ aese $iv0,$dat ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat},[$key2],#16 ++ subs $rounds,$rounds,#2 ++ aese $iv0,$dat1 ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat1},[$key2],#16 ++ b.gt .Loop_iv_enc ++ ++ aese $iv0,$dat ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat},[$key2] ++ aese $iv0,$dat1 ++ veor $iv0,$iv0,$dat ++ ++ // The iv for second block ++ // $ivl- iv(low), $ivh - iv(high) ++ // the five ivs stored into, $iv0,$iv1,$iv2,$iv3,$iv4 ++ fmov $ivl,$ivd00 ++ fmov $ivh,$ivd01 ++ mov $constnum,#0x87 ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr#31 ++ eor $ivl,$tmpmx,$ivl,lsl#1 ++ fmov $ivd10,$ivl ++ fmov $ivd11,$ivh ++ ++ ldr $rounds0,[$key1,#240] // next starting point ++ vld1.8 {$dat},[$inp],$step ++ ++ vld1.32 {q8-q9},[$key1] // load key schedule... ++ sub $rounds0,$rounds0,#6 ++ add $key_,$key1,$ivp,lsl#4 // pointer to last 7 round keys ++ sub $rounds0,$rounds0,#2 ++ vld1.32 {q10-q11},[$key_],#32 ++ vld1.32 {q12-q13},[$key_],#32 ++ vld1.32 {q14-q15},[$key_],#32 ++ vld1.32 {$rndlast},[$key_] ++ ++ add $key_,$key1,#32 ++ mov $rounds,$rounds0 ++ ++ // Encryption ++.Lxts_enc: ++ vld1.8 {$dat2},[$inp],#16 ++ subs $len,$len,#32 // bias ++ add $rounds,$rounds0,#2 ++ vorr $in1,$dat,$dat ++ vorr $dat1,$dat,$dat ++ vorr $in3,$dat,$dat ++ vorr $in2,$dat2,$dat2 ++ vorr $in4,$dat2,$dat2 ++ b.lo .Lxts_inner_enc_tail ++ veor $dat,$dat,$iv0 // before encryption, xor with iv ++ veor $dat2,$dat2,$iv1 ++ ++ // The iv for third block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr#31 ++ eor $ivl,$tmpmx,$ivl,lsl#1 ++ fmov $ivd20,$ivl ++ fmov $ivd21,$ivh ++ ++ ++ vorr $dat1,$dat2,$dat2 ++ vld1.8 {$dat2},[$inp],#16 ++ vorr $in0,$dat,$dat ++ vorr $in1,$dat1,$dat1 ++ veor $in2,$dat2,$iv2 // the third block ++ veor $dat2,$dat2,$iv2 ++ cmp $len,#32 ++ b.lo .Lxts_outer_enc_tail ++ ++ // The iv for fourth block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr#31 ++ eor $ivl,$tmpmx,$ivl,lsl#1 ++ fmov $ivd30,$ivl ++ fmov $ivd31,$ivh ++ ++ vld1.8 {$dat3},[$inp],#16 ++ // The iv for fifth block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr#31 ++ eor $ivl,$tmpmx,$ivl,lsl#1 ++ fmov $ivd40,$ivl ++ fmov $ivd41,$ivh ++ ++ vld1.8 {$dat4},[$inp],#16 ++ veor $dat3,$dat3,$iv3 // the fourth block ++ veor $dat4,$dat4,$iv4 ++ sub $len,$len,#32 // bias ++ mov $rounds,$rounds0 ++ b .Loop5x_xts_enc ++ ++.align 4 ++.Loop5x_xts_enc: ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ aese $dat3,q8 ++ aesmc $dat3,$dat3 ++ aese $dat4,q8 ++ aesmc $dat4,$dat4 ++ vld1.32 {q8},[$key_],#16 ++ subs $rounds,$rounds,#2 ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ aese $dat3,q9 ++ aesmc $dat3,$dat3 ++ aese $dat4,q9 ++ aesmc $dat4,$dat4 ++ vld1.32 {q9},[$key_],#16 ++ b.gt .Loop5x_xts_enc ++ ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ aese $dat3,q8 ++ aesmc $dat3,$dat3 ++ aese $dat4,q8 ++ aesmc $dat4,$dat4 ++ subs $len,$len,#0x50 // because .Lxts_enc_tail4x ++ ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ aese $dat3,q9 ++ aesmc $dat3,$dat3 ++ aese $dat4,q9 ++ aesmc $dat4,$dat4 ++ csel $xoffset,xzr,$len,gt // borrow x6, w6, "gt" is not typo ++ mov $key_,$key1 ++ ++ aese $dat0,q10 ++ aesmc $dat0,$dat0 ++ aese $dat1,q10 ++ aesmc $dat1,$dat1 ++ aese $dat2,q10 ++ aesmc $dat2,$dat2 ++ aese $dat3,q10 ++ aesmc $dat3,$dat3 ++ aese $dat4,q10 ++ aesmc $dat4,$dat4 ++ add $inp,$inp,$xoffset // x0 is adjusted in such way that ++ // at exit from the loop v1.16b-v26.16b ++ // are loaded with last "words" ++ add $xoffset,$len,#0x60 // because .Lxts_enc_tail4x ++ ++ aese $dat0,q11 ++ aesmc $dat0,$dat0 ++ aese $dat1,q11 ++ aesmc $dat1,$dat1 ++ aese $dat2,q11 ++ aesmc $dat2,$dat2 ++ aese $dat3,q11 ++ aesmc $dat3,$dat3 ++ aese $dat4,q11 ++ aesmc $dat4,$dat4 ++ ++ aese $dat0,q12 ++ aesmc $dat0,$dat0 ++ aese $dat1,q12 ++ aesmc $dat1,$dat1 ++ aese $dat2,q12 ++ aesmc $dat2,$dat2 ++ aese $dat3,q12 ++ aesmc $dat3,$dat3 ++ aese $dat4,q12 ++ aesmc $dat4,$dat4 ++ ++ aese $dat0,q13 ++ aesmc $dat0,$dat0 ++ aese $dat1,q13 ++ aesmc $dat1,$dat1 ++ aese $dat2,q13 ++ aesmc $dat2,$dat2 ++ aese $dat3,q13 ++ aesmc $dat3,$dat3 ++ aese $dat4,q13 ++ aesmc $dat4,$dat4 ++ ++ aese $dat0,q14 ++ aesmc $dat0,$dat0 ++ aese $dat1,q14 ++ aesmc $dat1,$dat1 ++ aese $dat2,q14 ++ aesmc $dat2,$dat2 ++ aese $dat3,q14 ++ aesmc $dat3,$dat3 ++ aese $dat4,q14 ++ aesmc $dat4,$dat4 ++ ++ veor $tmp0,$rndlast,$iv0 ++ aese $dat0,q15 ++ // The iv for first block of one iteration ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr#31 ++ eor $ivl,$tmpmx,$ivl,lsl#1 ++ fmov $ivd00,$ivl ++ fmov $ivd01,$ivh ++ veor $tmp1,$rndlast,$iv1 ++ vld1.8 {$in0},[$inp],#16 ++ aese $dat1,q15 ++ // The iv for second block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr#31 ++ eor $ivl,$tmpmx,$ivl,lsl#1 ++ fmov $ivd10,$ivl ++ fmov $ivd11,$ivh ++ veor $tmp2,$rndlast,$iv2 ++ vld1.8 {$in1},[$inp],#16 ++ aese $dat2,q15 ++ // The iv for third block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr#31 ++ eor $ivl,$tmpmx,$ivl,lsl#1 ++ fmov $ivd20,$ivl ++ fmov $ivd21,$ivh ++ veor $tmp3,$rndlast,$iv3 ++ vld1.8 {$in2},[$inp],#16 ++ aese $dat3,q15 ++ // The iv for fourth block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr#31 ++ eor $ivl,$tmpmx,$ivl,lsl#1 ++ fmov $ivd30,$ivl ++ fmov $ivd31,$ivh ++ veor $tmp4,$rndlast,$iv4 ++ vld1.8 {$in3},[$inp],#16 ++ aese $dat4,q15 ++ ++ // The iv for fifth block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd40,$ivl ++ fmov $ivd41,$ivh ++ ++ vld1.8 {$in4},[$inp],#16 ++ cbz $xoffset,.Lxts_enc_tail4x ++ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] ++ veor $tmp0,$tmp0,$dat0 ++ veor $dat0,$in0,$iv0 ++ veor $tmp1,$tmp1,$dat1 ++ veor $dat1,$in1,$iv1 ++ veor $tmp2,$tmp2,$dat2 ++ veor $dat2,$in2,$iv2 ++ veor $tmp3,$tmp3,$dat3 ++ veor $dat3,$in3,$iv3 ++ veor $tmp4,$tmp4,$dat4 ++ vst1.8 {$tmp0},[$out],#16 ++ veor $dat4,$in4,$iv4 ++ vst1.8 {$tmp1},[$out],#16 ++ mov $rounds,$rounds0 ++ vst1.8 {$tmp2},[$out],#16 ++ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] ++ vst1.8 {$tmp3},[$out],#16 ++ vst1.8 {$tmp4},[$out],#16 ++ b.hs .Loop5x_xts_enc ++ ++ ++ // If left 4 blocks, borrow the five block's processing. ++ cmn $len,#0x10 ++ b.ne .Loop5x_enc_after ++ vorr $iv4,$iv3,$iv3 ++ vorr $iv3,$iv2,$iv2 ++ vorr $iv2,$iv1,$iv1 ++ vorr $iv1,$iv0,$iv0 ++ fmov $ivl,$ivd40 ++ fmov $ivh,$ivd41 ++ veor $dat0,$iv0,$in0 ++ veor $dat1,$iv1,$in1 ++ veor $dat2,$in2,$iv2 ++ veor $dat3,$in3,$iv3 ++ veor $dat4,$in4,$iv4 ++ b.eq .Loop5x_xts_enc ++ ++.Loop5x_enc_after: ++ add $len,$len,#0x50 ++ cbz $len,.Lxts_enc_done ++ ++ add $rounds,$rounds0,#2 ++ subs $len,$len,#0x30 ++ b.lo .Lxts_inner_enc_tail ++ ++ veor $dat0,$iv0,$in2 ++ veor $dat1,$iv1,$in3 ++ veor $dat2,$in4,$iv2 ++ b .Lxts_outer_enc_tail ++ ++.align 4 ++.Lxts_enc_tail4x: ++ add $inp,$inp,#16 ++ veor $tmp1,$dat1,$tmp1 ++ vst1.8 {$tmp1},[$out],#16 ++ veor $tmp2,$dat2,$tmp2 ++ vst1.8 {$tmp2},[$out],#16 ++ veor $tmp3,$dat3,$tmp3 ++ veor $tmp4,$dat4,$tmp4 ++ vst1.8 {$tmp3-$tmp4},[$out],#32 ++ ++ b .Lxts_enc_done ++.align 4 ++.Lxts_outer_enc_tail: ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ vld1.32 {q8},[$key_],#16 ++ subs $rounds,$rounds,#2 ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ vld1.32 {q9},[$key_],#16 ++ b.gt .Lxts_outer_enc_tail ++ ++ aese $dat0,q8 ++ aesmc $dat0,$dat0 ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ veor $tmp0,$iv0,$rndlast ++ subs $len,$len,#0x30 ++ // The iv for first block ++ fmov $ivl,$ivd20 ++ fmov $ivh,$ivd21 ++ //mov $constnum,#0x87 ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr#31 ++ eor $ivl,$tmpmx,$ivl,lsl#1 ++ fmov $ivd00,$ivl ++ fmov $ivd01,$ivh ++ veor $tmp1,$iv1,$rndlast ++ csel $xoffset,$len,$xoffset,lo // x6, w6, is zero at this point ++ aese $dat0,q9 ++ aesmc $dat0,$dat0 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ veor $tmp2,$iv2,$rndlast ++ ++ add $xoffset,$xoffset,#0x20 ++ add $inp,$inp,$xoffset ++ mov $key_,$key1 ++ ++ aese $dat0,q12 ++ aesmc $dat0,$dat0 ++ aese $dat1,q12 ++ aesmc $dat1,$dat1 ++ aese $dat2,q12 ++ aesmc $dat2,$dat2 ++ aese $dat0,q13 ++ aesmc $dat0,$dat0 ++ aese $dat1,q13 ++ aesmc $dat1,$dat1 ++ aese $dat2,q13 ++ aesmc $dat2,$dat2 ++ aese $dat0,q14 ++ aesmc $dat0,$dat0 ++ aese $dat1,q14 ++ aesmc $dat1,$dat1 ++ aese $dat2,q14 ++ aesmc $dat2,$dat2 ++ aese $dat0,q15 ++ aese $dat1,q15 ++ aese $dat2,q15 ++ vld1.8 {$in2},[$inp],#16 ++ add $rounds,$rounds0,#2 ++ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] ++ veor $tmp0,$tmp0,$dat0 ++ veor $tmp1,$tmp1,$dat1 ++ veor $dat2,$dat2,$tmp2 ++ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] ++ vst1.8 {$tmp0},[$out],#16 ++ vst1.8 {$tmp1},[$out],#16 ++ vst1.8 {$dat2},[$out],#16 ++ cmn $len,#0x30 ++ b.eq .Lxts_enc_done ++.Lxts_encxor_one: ++ vorr $in3,$in1,$in1 ++ vorr $in4,$in2,$in2 ++ nop ++ ++.Lxts_inner_enc_tail: ++ cmn $len,#0x10 ++ veor $dat1,$in3,$iv0 ++ veor $dat2,$in4,$iv1 ++ b.eq .Lxts_enc_tail_loop ++ veor $dat2,$in4,$iv0 ++.Lxts_enc_tail_loop: ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ vld1.32 {q8},[$key_],#16 ++ subs $rounds,$rounds,#2 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ vld1.32 {q9},[$key_],#16 ++ b.gt .Lxts_enc_tail_loop ++ ++ aese $dat1,q8 ++ aesmc $dat1,$dat1 ++ aese $dat2,q8 ++ aesmc $dat2,$dat2 ++ aese $dat1,q9 ++ aesmc $dat1,$dat1 ++ aese $dat2,q9 ++ aesmc $dat2,$dat2 ++ aese $dat1,q12 ++ aesmc $dat1,$dat1 ++ aese $dat2,q12 ++ aesmc $dat2,$dat2 ++ cmn $len,#0x20 ++ aese $dat1,q13 ++ aesmc $dat1,$dat1 ++ aese $dat2,q13 ++ aesmc $dat2,$dat2 ++ veor $tmp1,$iv0,$rndlast ++ aese $dat1,q14 ++ aesmc $dat1,$dat1 ++ aese $dat2,q14 ++ aesmc $dat2,$dat2 ++ veor $tmp2,$iv1,$rndlast ++ aese $dat1,q15 ++ aese $dat2,q15 ++ b.eq .Lxts_enc_one ++ veor $tmp1,$tmp1,$dat1 ++ vst1.8 {$tmp1},[$out],#16 ++ veor $tmp2,$tmp2,$dat2 ++ vorr $iv0,$iv1,$iv1 ++ vst1.8 {$tmp2},[$out],#16 ++ fmov $ivl,$ivd10 ++ fmov $ivh,$ivd11 ++ mov $constnum,#0x87 ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd00,$ivl ++ fmov $ivd01,$ivh ++ b .Lxts_enc_done ++ ++.Lxts_enc_one: ++ veor $tmp1,$tmp1,$dat2 ++ vorr $iv0,$iv0,$iv0 ++ vst1.8 {$tmp1},[$out],#16 ++ fmov $ivl,$ivd00 ++ fmov $ivh,$ivd01 ++ mov $constnum,#0x87 ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd00,$ivl ++ fmov $ivd01,$ivh ++ b .Lxts_enc_done ++.align 5 ++.Lxts_enc_done: ++ // Process the tail block with cipher stealing. ++ tst $tailcnt,#0xf ++ b.eq .Lxts_abort ++ ++ mov $tmpinp,$inp ++ mov $tmpoutp,$out ++ sub $out,$out,#16 ++.composite_enc_loop: ++ subs $tailcnt,$tailcnt,#1 ++ ldrb $l2outp,[$out,$tailcnt] ++ ldrb $loutp,[$tmpinp,$tailcnt] ++ strb $l2outp,[$tmpoutp,$tailcnt] ++ strb $loutp,[$out,$tailcnt] ++ b.gt .composite_enc_loop ++.Lxts_enc_load_done: ++ vld1.8 {$tmpin},[$out] ++ veor $tmpin,$tmpin,$iv0 ++ ++ // Encrypt the composite block to get the last second encrypted text block ++ ldr $rounds,[$key1,#240] // load key schedule... ++ vld1.8 {$dat},[$key1],#16 ++ sub $rounds,$rounds,#2 ++ vld1.8 {$dat1},[$key1],#16 // load key schedule... ++.Loop_final_enc: ++ aese $tmpin,$dat0 ++ aesmc $tmpin,$tmpin ++ vld1.32 {$dat0},[$key1],#16 ++ subs $rounds,$rounds,#2 ++ aese $tmpin,$dat1 ++ aesmc $tmpin,$tmpin ++ vld1.32 {$dat1},[$key1],#16 ++ b.gt .Loop_final_enc ++ ++ aese $tmpin,$dat0 ++ aesmc $tmpin,$tmpin ++ vld1.32 {$dat0},[$key1] ++ aese $tmpin,$dat1 ++ veor $tmpin,$tmpin,$dat0 ++ veor $tmpin,$tmpin,$iv0 ++ vst1.8 {$tmpin},[$out] ++ ++.Lxts_abort: ++ ldp $tailcnt,$midnumx,[sp,#48] ++ ldp $ivd10,$ivd20,[sp,#32] ++ ldp $ivd30,$ivd40,[sp,#16] ++ ldp $constnumx,$tmpinp,[sp],#64 ++.Lxts_enc_final_abort: ++ ret ++.size ${prefix}_xts_encrypt,.-${prefix}_xts_encrypt ++___ ++ ++}}} ++{{{ ++my ($inp,$out,$len,$key1,$key2,$ivp)=map("x$_",(0..5)); ++my ($rounds0,$rounds,$key_,$step,$ivl,$ivh)=("w5","w6","x7","x8","x9","x10"); ++my ($tmpoutp,$loutp,$l2outp,$tmpinp)=("x13","w14","w15","x20"); ++my ($tailcnt,$midnum,$midnumx,$constnum,$constnumx)=("x21","w22","x22","w19","x19"); ++my ($xoffset,$tmpmx,$tmpmw)=("x6","x11","w11"); ++my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$tmp2,$rndlast)=map("q$_",(0..7)); ++my ($iv0,$iv1,$iv2,$iv3,$iv4,$tmpin)=("v6.16b","v8.16b","v9.16b","v10.16b","v11.16b","v26.16b"); ++my ($ivd00,$ivd01,$ivd20,$ivd21)=("d6","v6.d[1]","d9","v9.d[1]"); ++my ($ivd10,$ivd11,$ivd30,$ivd31,$ivd40,$ivd41)=("d8","v8.d[1]","d10","v10.d[1]","d11","v11.d[1]"); ++ ++my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1); ++ ++# q7 last round key ++# q10-q15, q7 Last 7 round keys ++# q8-q9 preloaded round keys except last 7 keys for big size ++# q20, q21, q8-q9 preloaded round keys except last 7 keys for only 16 byte ++ ++{ ++my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9)); ++ ++my ($dat3,$in3,$tmp3); # used only in 64-bit mode ++my ($dat4,$in4,$tmp4); ++if ($flavour =~ /64/) { ++ ($dat2,$dat3,$dat4,$in2,$in3,$in4,$tmp3,$tmp4)=map("q$_",(16..23)); ++} ++ ++$code.=<<___ if ($flavour =~ /64/); ++.globl ${prefix}_xts_decrypt ++.type ${prefix}_xts_decrypt,%function ++.align 5 ++${prefix}_xts_decrypt: ++___ ++$code.=<<___ if ($flavour =~ /64/); ++ cmp $len,#16 ++ // Original input data size bigger than 16, jump to big size processing. ++ b.ne .Lxts_dec_big_size ++ // Encrypt the iv with key2, as the first XEX iv. ++ ldr $rounds,[$key2,#240] ++ vld1.8 {$dat},[$key2],#16 ++ vld1.8 {$iv0},[$ivp] ++ sub $rounds,$rounds,#2 ++ vld1.8 {$dat1},[$key2],#16 ++ ++.Loop_dec_small_iv_enc: ++ aese $iv0,$dat ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat},[$key2],#16 ++ subs $rounds,$rounds,#2 ++ aese $iv0,$dat1 ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat1},[$key2],#16 ++ b.gt .Loop_dec_small_iv_enc ++ ++ aese $iv0,$dat ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat},[$key2] ++ aese $iv0,$dat1 ++ veor $iv0,$iv0,$dat ++ ++ vld1.8 {$dat0},[$inp] ++ veor $dat0,$iv0,$dat0 ++ ++ ldr $rounds,[$key1,#240] ++ vld1.32 {q20-q21},[$key1],#32 // load key schedule... ++ ++ aesd $dat0,q20 ++ aesimc $dat0,$dat0 ++ vld1.32 {q8-q9},[$key1],#32 // load key schedule... ++ aesd $dat0,q21 ++ aesimc $dat0,$dat0 ++ subs $rounds,$rounds,#10 // bias ++ b.eq .Lxts_128_dec ++.Lxts_dec_round_loop: ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ vld1.32 {q8},[$key1],#16 // load key schedule... ++ aesd $dat0,q9 ++ aesimc $dat0,$dat0 ++ vld1.32 {q9},[$key1],#16 // load key schedule... ++ subs $rounds,$rounds,#2 // bias ++ b.gt .Lxts_dec_round_loop ++.Lxts_128_dec: ++ vld1.32 {q10-q11},[$key1],#32 // load key schedule... ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ aesd $dat0,q9 ++ aesimc $dat0,$dat0 ++ vld1.32 {q12-q13},[$key1],#32 // load key schedule... ++ aesd $dat0,q10 ++ aesimc $dat0,$dat0 ++ aesd $dat0,q11 ++ aesimc $dat0,$dat0 ++ vld1.32 {q14-q15},[$key1],#32 // load key schedule... ++ aesd $dat0,q12 ++ aesimc $dat0,$dat0 ++ aesd $dat0,q13 ++ aesimc $dat0,$dat0 ++ vld1.32 {$rndlast},[$key1] ++ aesd $dat0,q14 ++ aesimc $dat0,$dat0 ++ aesd $dat0,q15 ++ veor $dat0,$dat0,$rndlast ++ veor $dat0,$iv0,$dat0 ++ vst1.8 {$dat0},[$out] ++ b .Lxts_dec_final_abort ++.Lxts_dec_big_size: ++___ ++$code.=<<___ if ($flavour =~ /64/); ++ stp $constnumx,$tmpinp,[sp,#-64]! ++ stp $tailcnt,$midnumx,[sp,#48] ++ stp $ivd10,$ivd20,[sp,#32] ++ stp $ivd30,$ivd40,[sp,#16] ++ ++ and $tailcnt,$len,#0xf ++ and $len,$len,#-16 ++ subs $len,$len,#16 ++ mov $step,#16 ++ b.lo .Lxts_dec_abort ++ ++ // Encrypt the iv with key2, as the first XEX iv ++ ldr $rounds,[$key2,#240] ++ vld1.8 {$dat},[$key2],#16 ++ vld1.8 {$iv0},[$ivp] ++ sub $rounds,$rounds,#2 ++ vld1.8 {$dat1},[$key2],#16 ++ ++.Loop_dec_iv_enc: ++ aese $iv0,$dat ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat},[$key2],#16 ++ subs $rounds,$rounds,#2 ++ aese $iv0,$dat1 ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat1},[$key2],#16 ++ b.gt .Loop_dec_iv_enc ++ ++ aese $iv0,$dat ++ aesmc $iv0,$iv0 ++ vld1.32 {$dat},[$key2] ++ aese $iv0,$dat1 ++ veor $iv0,$iv0,$dat ++ ++ // The iv for second block ++ // $ivl- iv(low), $ivh - iv(high) ++ // the five ivs stored into, $iv0,$iv1,$iv2,$iv3,$iv4 ++ fmov $ivl,$ivd00 ++ fmov $ivh,$ivd01 ++ mov $constnum,#0x87 ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd10,$ivl ++ fmov $ivd11,$ivh ++ ++ ldr $rounds0,[$key1,#240] // load rounds number ++ ++ // The iv for third block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd20,$ivl ++ fmov $ivd21,$ivh ++ ++ vld1.32 {q8-q9},[$key1] // load key schedule... ++ sub $rounds0,$rounds0,#6 ++ add $key_,$key1,$ivp,lsl#4 // pointer to last 7 round keys ++ sub $rounds0,$rounds0,#2 ++ vld1.32 {q10-q11},[$key_],#32 // load key schedule... ++ vld1.32 {q12-q13},[$key_],#32 ++ vld1.32 {q14-q15},[$key_],#32 ++ vld1.32 {$rndlast},[$key_] ++ ++ // The iv for fourth block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd30,$ivl ++ fmov $ivd31,$ivh ++ ++ add $key_,$key1,#32 ++ mov $rounds,$rounds0 ++ b .Lxts_dec ++ ++ // Decryption ++.align 5 ++.Lxts_dec: ++ tst $tailcnt,#0xf ++ b.eq .Lxts_dec_begin ++ subs $len,$len,#16 ++ csel $step,xzr,$step,eq ++ vld1.8 {$dat},[$inp],#16 ++ b.lo .Lxts_done ++ sub $inp,$inp,#16 ++.Lxts_dec_begin: ++ vld1.8 {$dat},[$inp],$step ++ subs $len,$len,#32 // bias ++ add $rounds,$rounds0,#2 ++ vorr $in1,$dat,$dat ++ vorr $dat1,$dat,$dat ++ vorr $in3,$dat,$dat ++ vld1.8 {$dat2},[$inp],#16 ++ vorr $in2,$dat2,$dat2 ++ vorr $in4,$dat2,$dat2 ++ b.lo .Lxts_inner_dec_tail ++ veor $dat,$dat,$iv0 // before decryt, xor with iv ++ veor $dat2,$dat2,$iv1 ++ ++ vorr $dat1,$dat2,$dat2 ++ vld1.8 {$dat2},[$inp],#16 ++ vorr $in0,$dat,$dat ++ vorr $in1,$dat1,$dat1 ++ veor $in2,$dat2,$iv2 // third block xox with third iv ++ veor $dat2,$dat2,$iv2 ++ cmp $len,#32 ++ b.lo .Lxts_outer_dec_tail ++ ++ vld1.8 {$dat3},[$inp],#16 ++ ++ // The iv for fifth block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd40,$ivl ++ fmov $ivd41,$ivh ++ ++ vld1.8 {$dat4},[$inp],#16 ++ veor $dat3,$dat3,$iv3 // the fourth block ++ veor $dat4,$dat4,$iv4 ++ sub $len,$len,#32 // bias ++ mov $rounds,$rounds0 ++ b .Loop5x_xts_dec ++ ++.align 4 ++.Loop5x_xts_dec: ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q8 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q8 ++ aesimc $dat4,$dat4 ++ vld1.32 {q8},[$key_],#16 // load key schedule... ++ subs $rounds,$rounds,#2 ++ aesd $dat0,q9 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q9 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q9 ++ aesimc $dat4,$dat4 ++ vld1.32 {q9},[$key_],#16 // load key schedule... ++ b.gt .Loop5x_xts_dec ++ ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q8 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q8 ++ aesimc $dat4,$dat4 ++ subs $len,$len,#0x50 // because .Lxts_dec_tail4x ++ ++ aesd $dat0,q9 ++ aesimc $dat0,$dat ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q9 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q9 ++ aesimc $dat4,$dat4 ++ csel $xoffset,xzr,$len,gt // borrow x6, w6, "gt" is not typo ++ mov $key_,$key1 ++ ++ aesd $dat0,q10 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q10 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q10 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q10 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q10 ++ aesimc $dat4,$dat4 ++ add $inp,$inp,$xoffset // x0 is adjusted in such way that ++ // at exit from the loop v1.16b-v26.16b ++ // are loaded with last "words" ++ add $xoffset,$len,#0x60 // because .Lxts_dec_tail4x ++ ++ aesd $dat0,q11 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q11 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q11 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q11 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q11 ++ aesimc $dat4,$dat4 ++ ++ aesd $dat0,q12 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q12 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q12 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q12 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q12 ++ aesimc $dat4,$dat4 ++ ++ aesd $dat0,q13 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q13 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q13 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q13 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q13 ++ aesimc $dat4,$dat4 ++ ++ aesd $dat0,q14 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q14 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q14 ++ aesimc $dat2,$dat2 ++ aesd $dat3,q14 ++ aesimc $dat3,$dat3 ++ aesd $dat4,q14 ++ aesimc $dat4,$dat4 ++ ++ veor $tmp0,$rndlast,$iv0 ++ aesd $dat0,q15 ++ // The iv for first block of next iteration. ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd00,$ivl ++ fmov $ivd01,$ivh ++ veor $tmp1,$rndlast,$iv1 ++ vld1.8 {$in0},[$inp],#16 ++ aesd $dat1,q15 ++ // The iv for second block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd10,$ivl ++ fmov $ivd11,$ivh ++ veor $tmp2,$rndlast,$iv2 ++ vld1.8 {$in1},[$inp],#16 ++ aesd $dat2,q15 ++ // The iv for third block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd20,$ivl ++ fmov $ivd21,$ivh ++ veor $tmp3,$rndlast,$iv3 ++ vld1.8 {$in2},[$inp],#16 ++ aesd $dat3,q15 ++ // The iv for fourth block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd30,$ivl ++ fmov $ivd31,$ivh ++ veor $tmp4,$rndlast,$iv4 ++ vld1.8 {$in3},[$inp],#16 ++ aesd $dat4,q15 ++ ++ // The iv for fifth block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd40,$ivl ++ fmov $ivd41,$ivh ++ ++ vld1.8 {$in4},[$inp],#16 ++ cbz $xoffset,.Lxts_dec_tail4x ++ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] ++ veor $tmp0,$tmp0,$dat0 ++ veor $dat0,$in0,$iv0 ++ veor $tmp1,$tmp1,$dat1 ++ veor $dat1,$in1,$iv1 ++ veor $tmp2,$tmp2,$dat2 ++ veor $dat2,$in2,$iv2 ++ veor $tmp3,$tmp3,$dat3 ++ veor $dat3,$in3,$iv3 ++ veor $tmp4,$tmp4,$dat4 ++ vst1.8 {$tmp0},[$out],#16 ++ veor $dat4,$in4,$iv4 ++ vst1.8 {$tmp1},[$out],#16 ++ mov $rounds,$rounds0 ++ vst1.8 {$tmp2},[$out],#16 ++ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] ++ vst1.8 {$tmp3},[$out],#16 ++ vst1.8 {$tmp4},[$out],#16 ++ b.hs .Loop5x_xts_dec ++ ++ cmn $len,#0x10 ++ b.ne .Loop5x_dec_after ++ // If x2($len) equal to -0x10, the left blocks is 4. ++ // After specially processing, utilize the five blocks processing again. ++ // It will use the following IVs: $iv0,$iv0,$iv1,$iv2,$iv3. ++ vorr $iv4,$iv3,$iv3 ++ vorr $iv3,$iv2,$iv2 ++ vorr $iv2,$iv1,$iv1 ++ vorr $iv1,$iv0,$iv0 ++ fmov $ivl,$ivd40 ++ fmov $ivh,$ivd41 ++ veor $dat0,$iv0,$in0 ++ veor $dat1,$iv1,$in1 ++ veor $dat2,$in2,$iv2 ++ veor $dat3,$in3,$iv3 ++ veor $dat4,$in4,$iv4 ++ b.eq .Loop5x_xts_dec ++ ++.Loop5x_dec_after: ++ add $len,$len,#0x50 ++ cbz $len,.Lxts_done ++ ++ add $rounds,$rounds0,#2 ++ subs $len,$len,#0x30 ++ b.lo .Lxts_inner_dec_tail ++ ++ veor $dat0,$iv0,$in2 ++ veor $dat1,$iv1,$in3 ++ veor $dat2,$in4,$iv2 ++ b .Lxts_outer_dec_tail ++ ++.align 4 ++.Lxts_dec_tail4x: ++ add $inp,$inp,#16 ++ vld1.32 {$dat0},[$inp],#16 ++ veor $tmp1,$dat1,$tmp0 ++ vst1.8 {$tmp1},[$out],#16 ++ veor $tmp2,$dat2,$tmp2 ++ vst1.8 {$tmp2},[$out],#16 ++ veor $tmp3,$dat3,$tmp3 ++ veor $tmp4,$dat4,$tmp4 ++ vst1.8 {$tmp3-$tmp4},[$out],#32 ++ ++ b .Lxts_done ++.align 4 ++.Lxts_outer_dec_tail: ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ vld1.32 {q8},[$key_],#16 ++ subs $rounds,$rounds,#2 ++ aesd $dat0,q9 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ vld1.32 {q9},[$key_],#16 ++ b.gt .Lxts_outer_dec_tail ++ ++ aesd $dat0,q8 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ veor $tmp0,$iv0,$rndlast ++ subs $len,$len,#0x30 ++ // The iv for first block ++ fmov $ivl,$ivd20 ++ fmov $ivh,$ivd21 ++ mov $constnum,#0x87 ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd00,$ivl ++ fmov $ivd01,$ivh ++ veor $tmp1,$iv1,$rndlast ++ csel $xoffset,$len,$xoffset,lo // x6, w6, is zero at this point ++ aesd $dat0,q9 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ veor $tmp2,$iv2,$rndlast ++ // The iv for second block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd10,$ivl ++ fmov $ivd11,$ivh ++ ++ add $xoffset,$xoffset,#0x20 ++ add $inp,$inp,$xoffset // $inp is adjusted to the last data ++ ++ mov $key_,$key1 ++ ++ // The iv for third block ++ extr $midnumx,$ivh,$ivh,#32 ++ extr $ivh,$ivh,$ivl,#63 ++ and $tmpmw,$constnum,$midnum,asr #31 ++ eor $ivl,$tmpmx,$ivl,lsl #1 ++ fmov $ivd20,$ivl ++ fmov $ivd21,$ivh ++ ++ aesd $dat0,q12 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q12 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q12 ++ aesimc $dat2,$dat2 ++ aesd $dat0,q13 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q13 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q13 ++ aesimc $dat2,$dat2 ++ aesd $dat0,q14 ++ aesimc $dat0,$dat0 ++ aesd $dat1,q14 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q14 ++ aesimc $dat2,$dat2 ++ vld1.8 {$in2},[$inp],#16 ++ aesd $dat0,q15 ++ aesd $dat1,q15 ++ aesd $dat2,q15 ++ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] ++ add $rounds,$rounds0,#2 ++ veor $tmp0,$tmp0,$dat0 ++ veor $tmp1,$tmp1,$dat1 ++ veor $dat2,$dat2,$tmp2 ++ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] ++ vst1.8 {$tmp0},[$out],#16 ++ vst1.8 {$tmp1},[$out],#16 ++ vst1.8 {$dat2},[$out],#16 ++ ++ cmn $len,#0x30 ++ add $len,$len,#0x30 ++ b.eq .Lxts_done ++ sub $len,$len,#0x30 ++ vorr $in3,$in1,$in1 ++ vorr $in4,$in2,$in2 ++ nop ++ ++.Lxts_inner_dec_tail: ++ // $len == -0x10 means two blocks left. ++ cmn $len,#0x10 ++ veor $dat1,$in3,$iv0 ++ veor $dat2,$in4,$iv1 ++ b.eq .Lxts_dec_tail_loop ++ veor $dat2,$in4,$iv0 ++.Lxts_dec_tail_loop: ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ vld1.32 {q8},[$key_],#16 ++ subs $rounds,$rounds,#2 ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ vld1.32 {q9},[$key_],#16 ++ b.gt .Lxts_dec_tail_loop ++ ++ aesd $dat1,q8 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q8 ++ aesimc $dat2,$dat2 ++ aesd $dat1,q9 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q9 ++ aesimc $dat2,$dat2 ++ aesd $dat1,q12 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q12 ++ aesimc $dat2,$dat2 ++ cmn $len,#0x20 ++ aesd $dat1,q13 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q13 ++ aesimc $dat2,$dat2 ++ veor $tmp1,$iv0,$rndlast ++ aesd $dat1,q14 ++ aesimc $dat1,$dat1 ++ aesd $dat2,q14 ++ aesimc $dat2,$dat2 ++ veor $tmp2,$iv1,$rndlast ++ aesd $dat1,q15 ++ aesd $dat2,q15 ++ b.eq .Lxts_dec_one ++ veor $tmp1,$tmp1,$dat1 ++ veor $tmp2,$tmp2,$dat2 ++ vorr $iv0,$iv2,$iv2 ++ vorr $iv1,$iv3,$iv3 ++ vst1.8 {$tmp1},[$out],#16 ++ vst1.8 {$tmp2},[$out],#16 ++ add $len,$len,#16 ++ b .Lxts_done ++ ++.Lxts_dec_one: ++ veor $tmp1,$tmp1,$dat2 ++ vorr $iv0,$iv1,$iv1 ++ vorr $iv1,$iv2,$iv2 ++ vst1.8 {$tmp1},[$out],#16 ++ add $len,$len,#32 ++ ++.Lxts_done: ++ tst $tailcnt,#0xf ++ b.eq .Lxts_dec_abort ++ // Processing the last two blocks with cipher stealing. ++ mov x7,x3 ++ cbnz x2,.Lxts_dec_1st_done ++ vld1.32 {$dat0},[$inp],#16 ++ ++ // Decrypt the last secod block to get the last plain text block ++.Lxts_dec_1st_done: ++ eor $tmpin,$dat0,$iv1 ++ ldr $rounds,[$key1,#240] ++ vld1.32 {$dat0},[$key1],#16 ++ sub $rounds,$rounds,#2 ++ vld1.32 {$dat1},[$key1],#16 ++.Loop_final_2nd_dec: ++ aesd $tmpin,$dat0 ++ aesimc $tmpin,$tmpin ++ vld1.32 {$dat0},[$key1],#16 // load key schedule... ++ subs $rounds,$rounds,#2 ++ aesd $tmpin,$dat1 ++ aesimc $tmpin,$tmpin ++ vld1.32 {$dat1},[$key1],#16 // load key schedule... ++ b.gt .Loop_final_2nd_dec ++ ++ aesd $tmpin,$dat0 ++ aesimc $tmpin,$tmpin ++ vld1.32 {$dat0},[$key1] ++ aesd $tmpin,$dat1 ++ veor $tmpin,$tmpin,$dat0 ++ veor $tmpin,$tmpin,$iv1 ++ vst1.8 {$tmpin},[$out] ++ ++ mov $tmpinp,$inp ++ add $tmpoutp,$out,#16 ++ ++ // Composite the tailcnt "16 byte not aligned block" into the last second plain blocks ++ // to get the last encrypted block. ++.composite_dec_loop: ++ subs $tailcnt,$tailcnt,#1 ++ ldrb $l2outp,[$out,$tailcnt] ++ ldrb $loutp,[$tmpinp,$tailcnt] ++ strb $l2outp,[$tmpoutp,$tailcnt] ++ strb $loutp,[$out,$tailcnt] ++ b.gt .composite_dec_loop ++.Lxts_dec_load_done: ++ vld1.8 {$tmpin},[$out] ++ veor $tmpin,$tmpin,$iv0 ++ ++ // Decrypt the composite block to get the last second plain text block ++ ldr $rounds,[$key_,#240] ++ vld1.8 {$dat},[$key_],#16 ++ sub $rounds,$rounds,#2 ++ vld1.8 {$dat1},[$key_],#16 ++.Loop_final_dec: ++ aesd $tmpin,$dat0 ++ aesimc $tmpin,$tmpin ++ vld1.32 {$dat0},[$key_],#16 // load key schedule... ++ subs $rounds,$rounds,#2 ++ aesd $tmpin,$dat1 ++ aesimc $tmpin,$tmpin ++ vld1.32 {$dat1},[$key_],#16 // load key schedule... ++ b.gt .Loop_final_dec ++ ++ aesd $tmpin,$dat0 ++ aesimc $tmpin,$tmpin ++ vld1.32 {$dat0},[$key_] ++ aesd $tmpin,$dat1 ++ veor $tmpin,$tmpin,$dat0 ++ veor $tmpin,$tmpin,$iv0 ++ vst1.8 {$tmpin},[$out] ++ ++.Lxts_dec_abort: ++ ldp $tailcnt,$midnumx,[sp,#48] ++ ldp $ivd10,$ivd20,[sp,#32] ++ ldp $ivd30,$ivd40,[sp,#16] ++ ldp $constnumx,$tmpinp,[sp],#64 ++ ++.Lxts_dec_final_abort: ++ ret ++.size ${prefix}_xts_decrypt,.-${prefix}_xts_decrypt ++___ ++} ++}}} + $code.=<<___; + #endif + ___ +Index: openssl-1.1.1d/crypto/evp/e_aes.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/evp/e_aes.c ++++ openssl-1.1.1d/crypto/evp/e_aes.c +@@ -170,6 +170,10 @@ static void ctr64_inc(unsigned char *cou + # define HWAES_set_decrypt_key aes_p8_set_decrypt_key + # define HWAES_encrypt aes_p8_encrypt + # define HWAES_decrypt aes_p8_decrypt ++# if __ARM_MAX_ARCH__>=8 ++# define HWAES_xts_encrypt aes_v8_xts_encrypt ++# define HWAES_xts_decrypt aes_v8_xts_decrypt ++# endif + # define HWAES_cbc_encrypt aes_p8_cbc_encrypt + # define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks + # define HWAES_xts_encrypt aes_p8_xts_encrypt +Index: openssl-1.1.1d/test/recipes/30-test_evp_data/evpcase.txt +=================================================================== +--- openssl-1.1.1d.orig/test/recipes/30-test_evp_data/evpcase.txt ++++ openssl-1.1.1d/test/recipes/30-test_evp_data/evpcase.txt +@@ -15,6 +15,44 @@ + # These tests exercise the case insensitive handling of object names. + # They are contrived + ++Title = AES XTS Non standard test vectors - generated from reference implementation ++ ++Cipher = aes-128-xts ++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0 ++IV = 9a785634120000000000000000000000 ++Plaintext = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f2021 ++Ciphertext = edbf9dace45d6f6a7306e64be5dd824b9dc31efeb418c373ce073b66755529982538 ++ ++Cipher = aes-128-xts ++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0 ++IV = 9a785634120000000000000000000000 ++Plaintext = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031 ++Ciphertext = edbf9dace45d6f6a7306e64be5dd824b2538f5724fcf24249ac111ab45ad39237a709959673bd8747d58690f8c762a353ad6 ++ ++Cipher = aes-128-xts ++Key = 2718281828459045235360287471352631415926535897932384626433832795 ++IV = 00000000000000000000000000000000 ++Plaintext = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f ++Ciphertext = 27a7479befa1d476489f308cd4cfa6e2a96e4bbe3208ff25287dd3819616e89cc78cf7f5e543445f8333d8fa7f56000005279fa5d8b5e4ad40e736ddb4d35412 ++ ++Cipher = aes-128-xts ++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0 ++IV = 9a785634120000000000000000000000 ++Plaintext = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f40 ++Ciphertext = edbf9dace45d6f6a7306e64be5dd824b2538f5724fcf24249ac111ab45ad39233ad6183c66fa548a3cdf3e36d2b21ccde9ffb48286ec211619e02decc7ca0883c6 ++ ++Cipher = aes-128-xts ++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0 ++IV = 9a785634120000000000000000000000 ++Plaintext = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f ++Ciphertext = edbf9dace45d6f6a7306e64be5dd824b2538f5724fcf24249ac111ab45ad39233ad6183c66fa548a3cdf3e36d2b21ccdc6bc657cb3aeb87ba2c5f58ffafacd76d0a098b687c0b6536d560ca007051b0b ++ ++Cipher = aes-128-xts ++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0 ++IV = 9a785634120000000000000000000000 ++Plaintext = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f5051 ++Ciphertext = edbf9dace45d6f6a7306e64be5dd824b2538f5724fcf24249ac111ab45ad39233ad6183c66fa548a3cdf3e36d2b21ccdc6bc657cb3aeb87ba2c5f58ffafacd765ecc4c85c0a01bf317b823fbd6111956d0a0 ++ + Title = Case insensitive AES tests + + Cipher = Aes-128-eCb diff --git a/openssl-1_1-Optimize-RSA-armv8.patch b/openssl-1_1-Optimize-RSA-armv8.patch new file mode 100644 index 0000000..f5abceb --- /dev/null +++ b/openssl-1_1-Optimize-RSA-armv8.patch @@ -0,0 +1,575 @@ +From 5ea64b456b1a27ae046f23d632a968a7583bb9eb Mon Sep 17 00:00:00 2001 +From: "Fangming.Fang" +Date: Tue, 28 Apr 2020 02:33:50 +0000 +Subject: [PATCH] Read MIDR_EL1 system register on aarch64 + +MIDR_EL1 system register exposes microarchitecture information so that +people can make micro-arch related optimization such as exposing as +much instruction level parallelism as possible. + +MIDR_EL1 register can be read only if HWCAP_CPUID feature is supported. + +Change-Id: Iabb8a36c5d31b184dba6399f378598058d394d4e + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/11744) +--- + crypto/arm64cpuid.pl | 7 +++++++ + crypto/arm_arch.h | 44 ++++++++++++++++++++++++++++++++++++++++++++ + crypto/armcap.c | 11 +++++++++++ + 3 files changed, 62 insertions(+) + +Index: openssl-1.1.1d/crypto/arm64cpuid.pl +=================================================================== +--- openssl-1.1.1d.orig/crypto/arm64cpuid.pl ++++ openssl-1.1.1d/crypto/arm64cpuid.pl +@@ -78,6 +78,13 @@ _armv8_sha512_probe: + ret + .size _armv8_sha512_probe,.-_armv8_sha512_probe + ++.globl _armv8_cpuid_probe ++.type _armv8_cpuid_probe,%function ++_armv8_cpuid_probe: ++ mrs x0, midr_el1 ++ ret ++.size _armv8_cpuid_probe,.-_armv8_cpuid_probe ++ + .globl OPENSSL_cleanse + .type OPENSSL_cleanse,%function + .align 5 +Index: openssl-1.1.1d/crypto/arm_arch.h +=================================================================== +--- openssl-1.1.1d.orig/crypto/arm_arch.h ++++ openssl-1.1.1d/crypto/arm_arch.h +@@ -71,6 +71,7 @@ + + # ifndef __ASSEMBLER__ + extern unsigned int OPENSSL_armcap_P; ++extern unsigned int OPENSSL_arm_midr; + # endif + + # define ARMV7_NEON (1<<0) +@@ -80,5 +81,48 @@ extern unsigned int OPENSSL_armcap_P; + # define ARMV8_SHA256 (1<<4) + # define ARMV8_PMULL (1<<5) + # define ARMV8_SHA512 (1<<6) ++# define ARMV8_CPUID (1<<7) + ++/* ++ * MIDR_EL1 system register ++ * ++ * 63___ _ ___32_31___ _ ___24_23_____20_19_____16_15__ _ __4_3_______0 ++ * | | | | | | | ++ * |RES0 | Implementer | Variant | Arch | PartNum |Revision| ++ * |____ _ _____|_____ _ _____|_________|_______ _|____ _ ___|________| ++ * ++ */ ++ ++# define ARM_CPU_IMP_ARM 0x41 ++ ++# define ARM_CPU_PART_CORTEX_A72 0xD08 ++# define ARM_CPU_PART_N1 0xD0C ++ ++# define MIDR_PARTNUM_SHIFT 4 ++# define MIDR_PARTNUM_MASK (0xfff << MIDR_PARTNUM_SHIFT) ++# define MIDR_PARTNUM(midr) \ ++ (((midr) & MIDR_PARTNUM_MASK) >> MIDR_PARTNUM_SHIFT) ++ ++# define MIDR_IMPLEMENTER_SHIFT 24 ++# define MIDR_IMPLEMENTER_MASK (0xff << MIDR_IMPLEMENTER_SHIFT) ++# define MIDR_IMPLEMENTER(midr) \ ++ (((midr) & MIDR_IMPLEMENTER_MASK) >> MIDR_IMPLEMENTER_SHIFT) ++ ++# define MIDR_ARCHITECTURE_SHIFT 16 ++# define MIDR_ARCHITECTURE_MASK (0xf << MIDR_ARCHITECTURE_SHIFT) ++# define MIDR_ARCHITECTURE(midr) \ ++ (((midr) & MIDR_ARCHITECTURE_MASK) >> MIDR_ARCHITECTURE_SHIFT) ++ ++# define MIDR_CPU_MODEL_MASK \ ++ (MIDR_IMPLEMENTER_MASK | \ ++ MIDR_PARTNUM_MASK | \ ++ MIDR_ARCHITECTURE_MASK) ++ ++# define MIDR_CPU_MODEL(imp, partnum) \ ++ (((imp) << MIDR_IMPLEMENTER_SHIFT) | \ ++ (0xf << MIDR_ARCHITECTURE_SHIFT) | \ ++ ((partnum) << MIDR_PARTNUM_SHIFT)) ++ ++# define MIDR_IS_CPU_MODEL(midr, imp, partnum) \ ++ (((midr) & MIDR_CPU_MODEL_MASK) == MIDR_CPU_MODEL(imp, partnum)) + #endif +Index: openssl-1.1.1d/crypto/armcap.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/armcap.c ++++ openssl-1.1.1d/crypto/armcap.c +@@ -18,6 +18,8 @@ + #include "arm_arch.h" + + unsigned int OPENSSL_armcap_P = 0; ++unsigned int OPENSSL_arm_midr = 0; ++unsigned int OPENSSL_armv8_rsa_neonized = 0; + + #if __ARM_MAX_ARCH__<7 + void OPENSSL_cpuid_setup(void) +@@ -48,6 +50,7 @@ void _armv8_sha256_probe(void); + void _armv8_pmull_probe(void); + # ifdef __aarch64__ + void _armv8_sha512_probe(void); ++unsigned int _armv8_cpuid_probe(void); + # endif + uint32_t _armv7_tick(void); + +@@ -95,6 +98,7 @@ void OPENSSL_cpuid_setup(void) __attribu + # define HWCAP_CE_PMULL (1 << 4) + # define HWCAP_CE_SHA1 (1 << 5) + # define HWCAP_CE_SHA256 (1 << 6) ++# define HWCAP_CPUID (1 << 11) + # define HWCAP_CE_SHA512 (1 << 21) + # endif + +@@ -155,6 +159,9 @@ void OPENSSL_cpuid_setup(void) + # ifdef __aarch64__ + if (hwcap & HWCAP_CE_SHA512) + OPENSSL_armcap_P |= ARMV8_SHA512; ++ ++ if (hwcap & HWCAP_CPUID) ++ OPENSSL_armcap_P |= ARMV8_CPUID; + # endif + } + # endif +@@ -210,5 +217,16 @@ void OPENSSL_cpuid_setup(void) + + sigaction(SIGILL, &ill_oact, NULL); + sigprocmask(SIG_SETMASK, &oset, NULL); ++ ++# ifdef __aarch64__ ++ if (OPENSSL_armcap_P & ARMV8_CPUID) ++ OPENSSL_arm_midr = _armv8_cpuid_probe(); ++ ++ if ((MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A72) || ++ MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_N1)) && ++ (OPENSSL_armcap_P & ARMV7_NEON)) { ++ OPENSSL_armv8_rsa_neonized = 1; ++ } ++# endif + } + #endif +Index: openssl-1.1.1d/crypto/bn/asm/armv8-mont.pl +=================================================================== +--- openssl-1.1.1d.orig/crypto/bn/asm/armv8-mont.pl ++++ openssl-1.1.1d/crypto/bn/asm/armv8-mont.pl +@@ -64,16 +64,34 @@ $n0="x4"; # const BN_ULONG *n0, + $num="x5"; # int num); + + $code.=<<___; ++#ifndef __KERNEL__ ++# include "arm_arch.h" ++.extern OPENSSL_armv8_rsa_neonized ++.hidden OPENSSL_armv8_rsa_neonized ++#endif + .text + + .globl bn_mul_mont + .type bn_mul_mont,%function + .align 5 + bn_mul_mont: ++.Lbn_mul_mont: ++ tst $num,#3 ++ b.ne .Lmul_mont ++ cmp $num,#32 ++ b.le .Lscalar_impl ++#ifndef __KERNEL__ ++ adrp x17,OPENSSL_armv8_rsa_neonized ++ ldr w17,[x17,#:lo12:OPENSSL_armv8_rsa_neonized] ++ cbnz w17, bn_mul8x_mont_neon ++#endif ++ ++.Lscalar_impl: + tst $num,#7 + b.eq __bn_sqr8x_mont + tst $num,#3 + b.eq __bn_mul4x_mont ++ + .Lmul_mont: + stp x29,x30,[sp,#-64]! + add x29,sp,#0 +@@ -271,6 +289,369 @@ bn_mul_mont: + .size bn_mul_mont,.-bn_mul_mont + ___ + { ++my ($A0,$A1,$N0,$N1)=map("v$_",(0..3)); ++my ($Z,$Temp)=("v4.16b","v5"); ++my @ACC=map("v$_",(6..13)); ++my ($Bi,$Ni,$M0)=map("v$_",(28..30)); ++my $sBi="s28"; ++my $sM0="s30"; ++my $zero="v14"; ++my $temp="v15"; ++my $ACCTemp="v16"; ++ ++my ($rptr,$aptr,$bptr,$nptr,$n0,$num)=map("x$_",(0..5)); ++my ($tinptr,$toutptr,$inner,$outer,$bnptr)=map("x$_",(6..11)); ++ ++$code.=<<___; ++.type bn_mul8x_mont_neon,%function ++.align 5 ++bn_mul8x_mont_neon: ++ stp x29,x30,[sp,#-80]! ++ mov x16,sp ++ stp d8,d9,[sp,#16] ++ stp d10,d11,[sp,#32] ++ stp d12,d13,[sp,#48] ++ stp d14,d15,[sp,#64] ++ lsl $num,$num,#1 ++ eor $zero.16b,$zero.16b,$zero.16b ++ ++.align 4 ++.LNEON_8n: ++ eor @ACC[0].16b,@ACC[0].16b,@ACC[0].16b ++ sub $toutptr,sp,#128 ++ eor @ACC[1].16b,@ACC[1].16b,@ACC[1].16b ++ sub $toutptr,$toutptr,$num,lsl#4 ++ eor @ACC[2].16b,@ACC[2].16b,@ACC[2].16b ++ and $toutptr,$toutptr,#-64 ++ eor @ACC[3].16b,@ACC[3].16b,@ACC[3].16b ++ mov sp,$toutptr // alloca ++ eor @ACC[4].16b,@ACC[4].16b,@ACC[4].16b ++ add $toutptr,$toutptr,#256 ++ eor @ACC[5].16b,@ACC[5].16b,@ACC[5].16b ++ sub $inner,$num,#8 ++ eor @ACC[6].16b,@ACC[6].16b,@ACC[6].16b ++ eor @ACC[7].16b,@ACC[7].16b,@ACC[7].16b ++ ++.LNEON_8n_init: ++ st1 {@ACC[0].2d,@ACC[1].2d},[$toutptr],#32 ++ subs $inner,$inner,#8 ++ st1 {@ACC[2].2d,@ACC[3].2d},[$toutptr],#32 ++ st1 {@ACC[4].2d,@ACC[5].2d},[$toutptr],#32 ++ st1 {@ACC[6].2d,@ACC[7].2d},[$toutptr],#32 ++ bne .LNEON_8n_init ++ ++ add $tinptr,sp,#256 ++ ld1 {$A0.4s,$A1.4s},[$aptr],#32 ++ add $bnptr,sp,#8 ++ ldr $sM0,[$n0],#4 ++ mov $outer,$num ++ b .LNEON_8n_outer ++ ++.align 4 ++.LNEON_8n_outer: ++ ldr $sBi,[$bptr],#4 // *b++ ++ uxtl $Bi.4s,$Bi.4h ++ add $toutptr,sp,#128 ++ ld1 {$N0.4s,$N1.4s},[$nptr],#32 ++ ++ umlal @ACC[0].2d,$Bi.2s,$A0.s[0] ++ umlal @ACC[1].2d,$Bi.2s,$A0.s[1] ++ umlal @ACC[2].2d,$Bi.2s,$A0.s[2] ++ shl $Ni.2d,@ACC[0].2d,#16 ++ ext $Ni.16b,$Ni.16b,$Ni.16b,#8 ++ umlal @ACC[3].2d,$Bi.2s,$A0.s[3] ++ add $Ni.2d,$Ni.2d,@ACC[0].2d ++ umlal @ACC[4].2d,$Bi.2s,$A1.s[0] ++ mul $Ni.2s,$Ni.2s,$M0.2s ++ umlal @ACC[5].2d,$Bi.2s,$A1.s[1] ++ st1 {$Bi.2s},[sp] // put aside smashed b[8*i+0] ++ umlal @ACC[6].2d,$Bi.2s,$A1.s[2] ++ uxtl $Ni.4s,$Ni.4h ++ umlal @ACC[7].2d,$Bi.2s,$A1.s[3] ++___ ++for ($i=0; $i<7;) { ++$code.=<<___; ++ ldr $sBi,[$bptr],#4 // *b++ ++ umlal @ACC[0].2d,$Ni.2s,$N0.s[0] ++ umlal @ACC[1].2d,$Ni.2s,$N0.s[1] ++ uxtl $Bi.4s,$Bi.4h ++ umlal @ACC[2].2d,$Ni.2s,$N0.s[2] ++ ushr $temp.2d,@ACC[0].2d,#16 ++ umlal @ACC[3].2d,$Ni.2s,$N0.s[3] ++ umlal @ACC[4].2d,$Ni.2s,$N1.s[0] ++ ext @ACC[0].16b,@ACC[0].16b,@ACC[0].16b,#8 ++ add @ACC[0].2d,@ACC[0].2d,$temp.2d ++ umlal @ACC[5].2d,$Ni.2s,$N1.s[1] ++ ushr @ACC[0].2d,@ACC[0].2d,#16 ++ umlal @ACC[6].2d,$Ni.2s,$N1.s[2] ++ umlal @ACC[7].2d,$Ni.2s,$N1.s[3] ++ add $ACCTemp.2d,@ACC[1].2d,@ACC[0].2d ++ ins @ACC[1].d[0],$ACCTemp.d[0] ++ st1 {$Ni.2s},[$bnptr],#8 // put aside smashed m[8*i+$i] ++___ ++ push(@ACC,shift(@ACC)); $i++; ++$code.=<<___; ++ umlal @ACC[0].2d,$Bi.2s,$A0.s[0] ++ ld1 {@ACC[7].2d},[$tinptr],#16 ++ umlal @ACC[1].2d,$Bi.2s,$A0.s[1] ++ umlal @ACC[2].2d,$Bi.2s,$A0.s[2] ++ shl $Ni.2d,@ACC[0].2d,#16 ++ ext $Ni.16b,$Ni.16b,$Ni.16b,#8 ++ umlal @ACC[3].2d,$Bi.2s,$A0.s[3] ++ add $Ni.2d,$Ni.2d,@ACC[0].2d ++ umlal @ACC[4].2d,$Bi.2s,$A1.s[0] ++ mul $Ni.2s,$Ni.2s,$M0.2s ++ umlal @ACC[5].2d,$Bi.2s,$A1.s[1] ++ st1 {$Bi.2s},[$bnptr],#8 // put aside smashed b[8*i+$i] ++ umlal @ACC[6].2d,$Bi.2s,$A1.s[2] ++ uxtl $Ni.4s,$Ni.4h ++ umlal @ACC[7].2d,$Bi.2s,$A1.s[3] ++___ ++} ++$code.=<<___; ++ ld1 {$Bi.2s},[sp] // pull smashed b[8*i+0] ++ umlal @ACC[0].2d,$Ni.2s,$N0.s[0] ++ ld1 {$A0.4s,$A1.4s},[$aptr],#32 ++ umlal @ACC[1].2d,$Ni.2s,$N0.s[1] ++ umlal @ACC[2].2d,$Ni.2s,$N0.s[2] ++ mov $Temp.16b,@ACC[0].16b ++ ushr $Temp.2d,$Temp.2d,#16 ++ ext @ACC[0].16b,@ACC[0].16b,@ACC[0].16b,#8 ++ umlal @ACC[3].2d,$Ni.2s,$N0.s[3] ++ umlal @ACC[4].2d,$Ni.2s,$N1.s[0] ++ add @ACC[0].2d,@ACC[0].2d,$Temp.2d ++ umlal @ACC[5].2d,$Ni.2s,$N1.s[1] ++ ushr @ACC[0].2d,@ACC[0].2d,#16 ++ eor $temp.16b,$temp.16b,$temp.16b ++ ins @ACC[0].d[1],$temp.d[0] ++ umlal @ACC[6].2d,$Ni.2s,$N1.s[2] ++ umlal @ACC[7].2d,$Ni.2s,$N1.s[3] ++ add @ACC[1].2d,@ACC[1].2d,@ACC[0].2d ++ st1 {$Ni.2s},[$bnptr],#8 // put aside smashed m[8*i+$i] ++ add $bnptr,sp,#8 // rewind ++___ ++ push(@ACC,shift(@ACC)); ++$code.=<<___; ++ sub $inner,$num,#8 ++ b .LNEON_8n_inner ++ ++.align 4 ++.LNEON_8n_inner: ++ subs $inner,$inner,#8 ++ umlal @ACC[0].2d,$Bi.2s,$A0.s[0] ++ ld1 {@ACC[7].2d},[$tinptr] ++ umlal @ACC[1].2d,$Bi.2s,$A0.s[1] ++ ld1 {$Ni.2s},[$bnptr],#8 // pull smashed m[8*i+0] ++ umlal @ACC[2].2d,$Bi.2s,$A0.s[2] ++ ld1 {$N0.4s,$N1.4s},[$nptr],#32 ++ umlal @ACC[3].2d,$Bi.2s,$A0.s[3] ++ b.eq .LInner_jump ++ add $tinptr,$tinptr,#16 // don't advance in last iteration ++.LInner_jump: ++ umlal @ACC[4].2d,$Bi.2s,$A1.s[0] ++ umlal @ACC[5].2d,$Bi.2s,$A1.s[1] ++ umlal @ACC[6].2d,$Bi.2s,$A1.s[2] ++ umlal @ACC[7].2d,$Bi.2s,$A1.s[3] ++___ ++for ($i=1; $i<8; $i++) { ++$code.=<<___; ++ ld1 {$Bi.2s},[$bnptr],#8 // pull smashed b[8*i+$i] ++ umlal @ACC[0].2d,$Ni.2s,$N0.s[0] ++ umlal @ACC[1].2d,$Ni.2s,$N0.s[1] ++ umlal @ACC[2].2d,$Ni.2s,$N0.s[2] ++ umlal @ACC[3].2d,$Ni.2s,$N0.s[3] ++ umlal @ACC[4].2d,$Ni.2s,$N1.s[0] ++ umlal @ACC[5].2d,$Ni.2s,$N1.s[1] ++ umlal @ACC[6].2d,$Ni.2s,$N1.s[2] ++ umlal @ACC[7].2d,$Ni.2s,$N1.s[3] ++ st1 {@ACC[0].2d},[$toutptr],#16 ++___ ++ push(@ACC,shift(@ACC)); ++$code.=<<___; ++ umlal @ACC[0].2d,$Bi.2s,$A0.s[0] ++ ld1 {@ACC[7].2d},[$tinptr] ++ umlal @ACC[1].2d,$Bi.2s,$A0.s[1] ++ ld1 {$Ni.2s},[$bnptr],#8 // pull smashed m[8*i+$i] ++ umlal @ACC[2].2d,$Bi.2s,$A0.s[2] ++ b.eq .LInner_jump$i ++ add $tinptr,$tinptr,#16 // don't advance in last iteration ++.LInner_jump$i: ++ umlal @ACC[3].2d,$Bi.2s,$A0.s[3] ++ umlal @ACC[4].2d,$Bi.2s,$A1.s[0] ++ umlal @ACC[5].2d,$Bi.2s,$A1.s[1] ++ umlal @ACC[6].2d,$Bi.2s,$A1.s[2] ++ umlal @ACC[7].2d,$Bi.2s,$A1.s[3] ++___ ++} ++$code.=<<___; ++ b.ne .LInner_after_rewind$i ++ sub $aptr,$aptr,$num,lsl#2 // rewind ++.LInner_after_rewind$i: ++ umlal @ACC[0].2d,$Ni.2s,$N0.s[0] ++ ld1 {$Bi.2s},[sp] // pull smashed b[8*i+0] ++ umlal @ACC[1].2d,$Ni.2s,$N0.s[1] ++ ld1 {$A0.4s,$A1.4s},[$aptr],#32 ++ umlal @ACC[2].2d,$Ni.2s,$N0.s[2] ++ add $bnptr,sp,#8 // rewind ++ umlal @ACC[3].2d,$Ni.2s,$N0.s[3] ++ umlal @ACC[4].2d,$Ni.2s,$N1.s[0] ++ umlal @ACC[5].2d,$Ni.2s,$N1.s[1] ++ umlal @ACC[6].2d,$Ni.2s,$N1.s[2] ++ st1 {@ACC[0].2d},[$toutptr],#16 ++ umlal @ACC[7].2d,$Ni.2s,$N1.s[3] ++ ++ bne .LNEON_8n_inner ++___ ++ push(@ACC,shift(@ACC)); ++$code.=<<___; ++ add $tinptr,sp,#128 ++ st1 {@ACC[0].2d,@ACC[1].2d},[$toutptr],#32 ++ eor $N0.16b,$N0.16b,$N0.16b // $N0 ++ st1 {@ACC[2].2d,@ACC[3].2d},[$toutptr],#32 ++ eor $N1.16b,$N1.16b,$N1.16b // $N1 ++ st1 {@ACC[4].2d,@ACC[5].2d},[$toutptr],#32 ++ st1 {@ACC[6].2d},[$toutptr] ++ ++ subs $outer,$outer,#8 ++ ld1 {@ACC[0].2d,@ACC[1].2d},[$tinptr],#32 ++ ld1 {@ACC[2].2d,@ACC[3].2d},[$tinptr],#32 ++ ld1 {@ACC[4].2d,@ACC[5].2d},[$tinptr],#32 ++ ld1 {@ACC[6].2d,@ACC[7].2d},[$tinptr],#32 ++ ++ b.eq .LInner_8n_jump_2steps ++ sub $nptr,$nptr,$num,lsl#2 // rewind ++ b .LNEON_8n_outer ++ ++.LInner_8n_jump_2steps: ++ add $toutptr,sp,#128 ++ st1 {$N0.2d,$N1.2d}, [sp],#32 // start wiping stack frame ++ mov $Temp.16b,@ACC[0].16b ++ ushr $temp.2d,@ACC[0].2d,#16 ++ ext @ACC[0].16b,@ACC[0].16b,@ACC[0].16b,#8 ++ st1 {$N0.2d,$N1.2d}, [sp],#32 ++ add @ACC[0].2d,@ACC[0].2d,$temp.2d ++ st1 {$N0.2d,$N1.2d}, [sp],#32 ++ ushr $temp.2d,@ACC[0].2d,#16 ++ st1 {$N0.2d,$N1.2d}, [sp],#32 ++ zip1 @ACC[0].4h,$Temp.4h,@ACC[0].4h ++ ins $temp.d[1],$zero.d[0] ++ ++ mov $inner,$num ++ b .LNEON_tail_entry ++ ++.align 4 ++.LNEON_tail: ++ add @ACC[0].2d,@ACC[0].2d,$temp.2d ++ mov $Temp.16b,@ACC[0].16b ++ ushr $temp.2d,@ACC[0].2d,#16 ++ ext @ACC[0].16b,@ACC[0].16b,@ACC[0].16b,#8 ++ ld1 {@ACC[2].2d,@ACC[3].2d}, [$tinptr],#32 ++ add @ACC[0].2d,@ACC[0].2d,$temp.2d ++ ld1 {@ACC[4].2d,@ACC[5].2d}, [$tinptr],#32 ++ ushr $temp.2d,@ACC[0].2d,#16 ++ ld1 {@ACC[6].2d,@ACC[7].2d}, [$tinptr],#32 ++ zip1 @ACC[0].4h,$Temp.4h,@ACC[0].4h ++ ins $temp.d[1],$zero.d[0] ++ ++.LNEON_tail_entry: ++___ ++for ($i=1; $i<8; $i++) { ++$code.=<<___; ++ add @ACC[1].2d,@ACC[1].2d,$temp.2d ++ st1 {@ACC[0].s}[0], [$toutptr],#4 ++ ushr $temp.2d,@ACC[1].2d,#16 ++ mov $Temp.16b,@ACC[1].16b ++ ext @ACC[1].16b,@ACC[1].16b,@ACC[1].16b,#8 ++ add @ACC[1].2d,@ACC[1].2d,$temp.2d ++ ushr $temp.2d,@ACC[1].2d,#16 ++ zip1 @ACC[1].4h,$Temp.4h,@ACC[1].4h ++ ins $temp.d[1],$zero.d[0] ++___ ++ push(@ACC,shift(@ACC)); ++} ++ push(@ACC,shift(@ACC)); ++$code.=<<___; ++ ld1 {@ACC[0].2d,@ACC[1].2d}, [$tinptr],#32 ++ subs $inner,$inner,#8 ++ st1 {@ACC[7].s}[0], [$toutptr],#4 ++ bne .LNEON_tail ++ ++ st1 {$temp.s}[0], [$toutptr],#4 // top-most bit ++ sub $nptr,$nptr,$num,lsl#2 // rewind $nptr ++ subs $aptr,sp,#0 // clear carry flag ++ add $bptr,sp,$num,lsl#2 ++ ++.LNEON_sub: ++ ldp w4,w5,[$aptr],#8 ++ ldp w6,w7,[$aptr],#8 ++ ldp w8,w9,[$nptr],#8 ++ ldp w10,w11,[$nptr],#8 ++ sbcs w8,w4,w8 ++ sbcs w9,w5,w9 ++ sbcs w10,w6,w10 ++ sbcs w11,w7,w11 ++ sub x17,$bptr,$aptr ++ stp w8,w9,[$rptr],#8 ++ stp w10,w11,[$rptr],#8 ++ cbnz x17,.LNEON_sub ++ ++ ldr w10, [$aptr] // load top-most bit ++ mov x11,sp ++ eor v0.16b,v0.16b,v0.16b ++ sub x11,$bptr,x11 // this is num*4 ++ eor v1.16b,v1.16b,v1.16b ++ mov $aptr,sp ++ sub $rptr,$rptr,x11 // rewind $rptr ++ mov $nptr,$bptr // second 3/4th of frame ++ sbcs w10,w10,wzr // result is carry flag ++ ++.LNEON_copy_n_zap: ++ ldp w4,w5,[$aptr],#8 ++ ldp w6,w7,[$aptr],#8 ++ ldp w8,w9,[$rptr],#8 ++ ldp w10,w11,[$rptr] ++ sub $rptr,$rptr,#8 ++ b.cs .LCopy_1 ++ mov w8,w4 ++ mov w9,w5 ++ mov w10,w6 ++ mov w11,w7 ++.LCopy_1: ++ st1 {v0.2d,v1.2d}, [$nptr],#32 // wipe ++ st1 {v0.2d,v1.2d}, [$nptr],#32 // wipe ++ ldp w4,w5,[$aptr],#8 ++ ldp w6,w7,[$aptr],#8 ++ stp w8,w9,[$rptr],#8 ++ stp w10,w11,[$rptr],#8 ++ sub $aptr,$aptr,#32 ++ ldp w8,w9,[$rptr],#8 ++ ldp w10,w11,[$rptr] ++ sub $rptr,$rptr,#8 ++ b.cs .LCopy_2 ++ mov w8, w4 ++ mov w9, w5 ++ mov w10, w6 ++ mov w11, w7 ++.LCopy_2: ++ st1 {v0.2d,v1.2d}, [$aptr],#32 // wipe ++ st1 {v0.2d,v1.2d}, [$nptr],#32 // wipe ++ sub x17,$bptr,$aptr // preserves carry ++ stp w8,w9,[$rptr],#8 ++ stp w10,w11,[$rptr],#8 ++ cbnz x17,.LNEON_copy_n_zap ++ ++ mov sp,x16 ++ ldp d14,d15,[sp,#64] ++ ldp d12,d13,[sp,#48] ++ ldp d10,d11,[sp,#32] ++ ldp d8,d9,[sp,#16] ++ ldr x29,[sp],#80 ++ ret // bx lr ++ ++.size bn_mul8x_mont_neon,.-bn_mul8x_mont_neon ++___ ++} ++{ + ######################################################################## + # Following is ARMv8 adaptation of sqrx8x_mont from x86_64-mont5 module. + +Index: openssl-1.1.1d/crypto/bn/build.info +=================================================================== +--- openssl-1.1.1d.orig/crypto/bn/build.info ++++ openssl-1.1.1d/crypto/bn/build.info +@@ -65,3 +65,4 @@ INCLUDE[armv4-mont.o]=.. + GENERATE[armv4-gf2m.S]=asm/armv4-gf2m.pl $(PERLASM_SCHEME) + INCLUDE[armv4-gf2m.o]=.. + GENERATE[armv8-mont.S]=asm/armv8-mont.pl $(PERLASM_SCHEME) ++INCLUDE[armv8-mont.o]=.. diff --git a/openssl-1_1-Optimize-ppc64.patch b/openssl-1_1-Optimize-ppc64.patch new file mode 100644 index 0000000..28470ce --- /dev/null +++ b/openssl-1_1-Optimize-ppc64.patch @@ -0,0 +1,2308 @@ +From 4dba53694bf633c272075e62acdc5a5ca3003ce6 Mon Sep 17 00:00:00 2001 +From: Amitay Isaacs +Date: Mon, 29 Mar 2021 18:06:13 +1100 +Subject: [PATCH 01/29] numbers: Define 128-bit integers if compiler supports + +Signed-off-by: Amitay Isaacs + +Reviewed-by: Tomas Mraz +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/14784) + +(cherry picked from commit bbed0d1cbd436af6797d7837e270bff4ca4d5a10) +--- + include/internal/numbers.h | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +Index: openssl-1.1.1l/include/internal/numbers.h +=================================================================== +--- openssl-1.1.1l.orig/include/internal/numbers.h ++++ openssl-1.1.1l/include/internal/numbers.h +@@ -60,6 +60,16 @@ + # define UINT64_MAX __MAXUINT__(uint64_t) + # endif + ++# ifndef INT128_MAX ++# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16 ++typedef __int128_t int128_t; ++typedef __uint128_t uint128_t; ++# define INT128_MIN __MININT__(int128_t) ++# define INT128_MAX __MAXINT__(int128_t) ++# define UINT128_MAX __MAXUINT__(uint128_t) ++# endif ++# endif ++ + # ifndef SIZE_MAX + # define SIZE_MAX __MAXUINT__(size_t) + # endif +Index: openssl-1.1.1l/crypto/bn/bn_div.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/bn/bn_div.c ++++ openssl-1.1.1l/crypto/bn/bn_div.c +@@ -97,7 +97,7 @@ BN_ULONG bn_div_3_words(const BN_ULONG * + */ + # if BN_BITS2 == 64 && defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16 + # undef BN_ULLONG +-# define BN_ULLONG __uint128_t ++# define BN_ULLONG uint128_t + # define BN_LLONG + # endif + +Index: openssl-1.1.1l/crypto/bn/bn_local.h +=================================================================== +--- openssl-1.1.1l.orig/crypto/bn/bn_local.h ++++ openssl-1.1.1l/crypto/bn/bn_local.h +@@ -22,6 +22,7 @@ + # endif + + # include "crypto/bn.h" ++# include "internal/numbers.h" + + /* + * These preprocessor symbols control various aspects of the bignum headers +@@ -374,9 +375,9 @@ struct bn_gencb_st { + */ + # if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16 && \ + (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)) +-# define BN_UMULT_HIGH(a,b) (((__uint128_t)(a)*(b))>>64) ++# define BN_UMULT_HIGH(a,b) (((uint128_t)(a)*(b))>>64) + # define BN_UMULT_LOHI(low,high,a,b) ({ \ +- __uint128_t ret=(__uint128_t)(a)*(b); \ ++ uint128_t ret=(uint128_t)(a)*(b); \ + (high)=ret>>64; (low)=ret; }) + # elif defined(__alpha) && (defined(SIXTY_FOUR_BIT_LONG) || defined(SIXTY_FOUR_BIT)) + # if defined(__DECC) +Index: openssl-1.1.1l/crypto/ec/curve25519.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/ec/curve25519.c ++++ openssl-1.1.1l/crypto/ec/curve25519.c +@@ -11,6 +11,8 @@ + #include "ec_local.h" + #include + ++#include "internal/numbers.h" ++ + #if defined(X25519_ASM) && (defined(__x86_64) || defined(__x86_64__) || \ + defined(_M_AMD64) || defined(_M_X64)) + +@@ -252,7 +254,7 @@ static void x25519_scalar_mulx(uint8_t o + #endif + + #if defined(X25519_ASM) \ +- || ( (defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16) \ ++ || ( defined(INT128_MAX) \ + && !defined(__sparc__) \ + && (!defined(__SIZEOF_LONG__) || (__SIZEOF_LONG__ == 8)) \ + && !(defined(__ANDROID__) && !defined(__clang__)) ) +@@ -385,7 +387,7 @@ void x25519_fe51_mul121666(fe51 h, fe51 + # define fe51_mul121666 x25519_fe51_mul121666 + # else + +-typedef __uint128_t u128; ++typedef uint128_t u128; + + static void fe51_mul(fe51 h, const fe51 f, const fe51 g) + { +Index: openssl-1.1.1l/crypto/ec/curve448/curve448utils.h +=================================================================== +--- openssl-1.1.1l.orig/crypto/ec/curve448/curve448utils.h ++++ openssl-1.1.1l/crypto/ec/curve448/curve448utils.h +@@ -15,6 +15,8 @@ + + # include + ++# include "internal/numbers.h" ++ + /* + * Internal word types. Somewhat tricky. This could be decided separately per + * platform. However, the structs do need to be all the same size and +@@ -41,9 +43,9 @@ typedef int64_t c448_sword_t; + /* "Boolean" type, will be set to all-zero or all-one (i.e. -1u) */ + typedef uint64_t c448_bool_t; + /* Double-word size for internal computations */ +-typedef __uint128_t c448_dword_t; ++typedef uint128_t c448_dword_t; + /* Signed double-word size for internal computations */ +-typedef __int128_t c448_dsword_t; ++typedef int128_t c448_dsword_t; + # elif C448_WORD_BITS == 32 + /* Word size for internal computations */ + typedef uint32_t c448_word_t; +Index: openssl-1.1.1l/crypto/ec/curve448/word.h +=================================================================== +--- openssl-1.1.1l.orig/crypto/ec/curve448/word.h ++++ openssl-1.1.1l/crypto/ec/curve448/word.h +@@ -17,15 +17,20 @@ + # include + # include + # include +-# include "arch_intrinsics.h" + # include "curve448utils.h" + ++# ifdef INT128_MAX ++# include "arch_64/arch_intrinsics.h" ++# else ++# include "arch_32/arch_intrinsics.h" ++# endif ++ + # if (ARCH_WORD_BITS == 64) + typedef uint64_t word_t, mask_t; +-typedef __uint128_t dword_t; ++typedef uint128_t dword_t; + typedef int32_t hsword_t; + typedef int64_t sword_t; +-typedef __int128_t dsword_t; ++typedef int128_t dsword_t; + # elif (ARCH_WORD_BITS == 32) + typedef uint32_t word_t, mask_t; + typedef uint64_t dword_t; +Index: openssl-1.1.1l/crypto/ec/ecp_nistp224.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/ec/ecp_nistp224.c ++++ openssl-1.1.1l/crypto/ec/ecp_nistp224.c +@@ -40,11 +40,9 @@ NON_EMPTY_TRANSLATION_UNIT + # include + # include "ec_local.h" + +-# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16 +- /* even with gcc, the typedef won't work for 32-bit platforms */ +-typedef __uint128_t uint128_t; /* nonstandard; implemented by gcc on 64-bit +- * platforms */ +-# else ++#include "internal/numbers.h" ++ ++#ifndef INT128_MAX + # error "Your compiler doesn't appear to support 128-bit integer types" + # endif + +Index: openssl-1.1.1l/crypto/ec/ecp_nistp256.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/ec/ecp_nistp256.c ++++ openssl-1.1.1l/crypto/ec/ecp_nistp256.c +@@ -41,14 +41,11 @@ NON_EMPTY_TRANSLATION_UNIT + # include + # include "ec_local.h" + +-# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16 +- /* even with gcc, the typedef won't work for 32-bit platforms */ +-typedef __uint128_t uint128_t; /* nonstandard; implemented by gcc on 64-bit +- * platforms */ +-typedef __int128_t int128_t; +-# else +-# error "Your compiler doesn't appear to support 128-bit integer types" +-# endif ++#include "internal/numbers.h" ++ ++#ifndef INT128_MAX ++# error "Your compiler doesn't appear to support 128-bit integer types" ++#endif + + typedef uint8_t u8; + typedef uint32_t u32; +Index: openssl-1.1.1l/crypto/ec/ecp_nistp521.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/ec/ecp_nistp521.c ++++ openssl-1.1.1l/crypto/ec/ecp_nistp521.c +@@ -40,13 +40,11 @@ NON_EMPTY_TRANSLATION_UNIT + # include + # include "ec_local.h" + +-# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16 +- /* even with gcc, the typedef won't work for 32-bit platforms */ +-typedef __uint128_t uint128_t; /* nonstandard; implemented by gcc on 64-bit +- * platforms */ +-# else +-# error "Your compiler doesn't appear to support 128-bit integer types" +-# endif ++#include "internal/numbers.h" ++ ++#ifndef INT128_MAX ++# error "Your compiler doesn't appear to support 128-bit integer types" ++#endif + + typedef uint8_t u8; + typedef uint64_t u64; +@@ -400,7 +398,7 @@ static void felem_diff128(largefelem out + * On exit: + * out[i] < 17 * max(in[i]) * max(in[i]) + */ +-static void felem_square(largefelem out, const felem in) ++static void felem_square_ref(largefelem out, const felem in) + { + felem inx2, inx4; + felem_scalar(inx2, in, 2); +@@ -484,7 +482,7 @@ static void felem_square(largefelem out, + * On exit: + * out[i] < 17 * max(in1[i]) * max(in2[i]) + */ +-static void felem_mul(largefelem out, const felem in1, const felem in2) ++static void felem_mul_ref(largefelem out, const felem in1, const felem in2) + { + felem in2x2; + felem_scalar(in2x2, in2, 2); +@@ -674,6 +672,57 @@ static void felem_reduce(felem out, cons + */ + } + ++#if defined(ECP_NISTP521_ASM) ++void felem_square_wrapper(largefelem out, const felem in); ++void felem_mul_wrapper(largefelem out, const felem in1, const felem in2); ++ ++static void (*felem_square_p)(largefelem out, const felem in) = ++ felem_square_wrapper; ++static void (*felem_mul_p)(largefelem out, const felem in1, const felem in2) = ++ felem_mul_wrapper; ++ ++void p521_felem_square(largefelem out, const felem in); ++void p521_felem_mul(largefelem out, const felem in1, const felem in2); ++ ++# if defined(_ARCH_PPC64) ++# include "../ppc_arch.h" ++# endif ++ ++void felem_select(void) ++{ ++# if defined(_ARCH_PPC64) ++ if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) { ++ felem_square_p = p521_felem_square; ++ felem_mul_p = p521_felem_mul; ++ ++ return; ++ } ++# endif ++ ++ /* Default */ ++ felem_square_p = felem_square_ref; ++ felem_mul_p = felem_mul_ref; ++} ++ ++void felem_square_wrapper(largefelem out, const felem in) ++{ ++ felem_select(); ++ felem_square_p(out, in); ++} ++ ++void felem_mul_wrapper(largefelem out, const felem in1, const felem in2) ++{ ++ felem_select(); ++ felem_mul_p(out, in1, in2); ++} ++ ++# define felem_square felem_square_p ++# define felem_mul felem_mul_p ++#else ++# define felem_square felem_square_ref ++# define felem_mul felem_mul_ref ++#endif ++ + static void felem_square_reduce(felem out, const felem in) + { + largefelem tmp; +Index: openssl-1.1.1l/crypto/poly1305/poly1305.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/poly1305/poly1305.c ++++ openssl-1.1.1l/crypto/poly1305/poly1305.c +@@ -95,11 +95,10 @@ poly1305_blocks(void *ctx, const unsigne + (a ^ ((a ^ b) | ((a - b) ^ b))) >> (sizeof(a) * 8 - 1) \ + ) + +-# if (defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16) && \ +- (defined(__SIZEOF_LONG__) && __SIZEOF_LONG__==8) ++# if defined(INT64_MAX) && defined(INT128_MAX) + + typedef unsigned long u64; +-typedef __uint128_t u128; ++typedef uint128_t u128; + + typedef struct { + u64 h[3]; +Index: openssl-1.1.1l/crypto/poly1305/poly1305_base2_44.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/poly1305/poly1305_base2_44.c ++++ openssl-1.1.1l/crypto/poly1305/poly1305_base2_44.c +@@ -18,7 +18,7 @@ + typedef unsigned char u8; + typedef unsigned int u32; + typedef unsigned long u64; +-typedef unsigned __int128 u128; ++typedef uint128_t u128; + + typedef struct { + u64 h[3]; +Index: openssl-1.1.1l/crypto/ec/build.info +=================================================================== +--- openssl-1.1.1l.orig/crypto/ec/build.info ++++ openssl-1.1.1l/crypto/ec/build.info +@@ -6,8 +13,9 @@ SOURCE[../../libcrypto]=\ + ecp_nistp224.c ecp_nistp256.c ecp_nistp521.c ecp_nistputil.c \ + ecp_oct.c ec2_oct.c ec_oct.c ec_kmeth.c ecdh_ossl.c ecdh_kdf.c \ + ecdsa_ossl.c ecdsa_sign.c ecdsa_vrf.c curve25519.c ecx_meth.c \ +- curve448/arch_32/f_impl.c curve448/f_generic.c curve448/scalar.c \ ++ curve448/f_generic.c curve448/scalar.c \ + curve448/curve448_tables.c curve448/eddsa.c curve448/curve448.c \ ++ curve448/arch_64/f_impl64.c curve448/arch_32/f_impl32.c \ + {- $target{ec_asm_src} -} + + GENERATE[ecp_nistz256-x86.s]=asm/ecp_nistz256-x86.pl \ +@@ -29,6 +38,8 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_n + INCLUDE[ecp_nistz256-armv8.o]=.. + GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl $(PERLASM_SCHEME) + ++GENERATE[ecp_nistp521-ppc64.s]=asm/ecp_nistp521-ppc64.pl $(PERLASM_SCHEME) ++ + GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl $(PERLASM_SCHEME) + GENERATE[x25519-ppc64.s]=asm/x25519-ppc64.pl $(PERLASM_SCHEME) + +@@ -36,10 +47,3 @@ BEGINRAW[Makefile] + {- $builddir -}/ecp_nistz256-%.S: {- $sourcedir -}/asm/ecp_nistz256-%.pl + CC="$(CC)" $(PERL) $< $(PERLASM_SCHEME) $@ + ENDRAW[Makefile] +- +-INCLUDE[curve448/arch_32/f_impl.o]=curve448/arch_32 curve448 +-INCLUDE[curve448/f_generic.o]=curve448/arch_32 curve448 +-INCLUDE[curve448/scalar.o]=curve448/arch_32 curve448 +-INCLUDE[curve448/curve448_tables.o]=curve448/arch_32 curve448 +-INCLUDE[curve448/eddsa.o]=curve448/arch_32 curve448 +-INCLUDE[curve448/curve448.o]=curve448/arch_32 curve448 +Index: openssl-1.1.1l/crypto/ec/curve448/field.h +=================================================================== +--- openssl-1.1.1l.orig/crypto/ec/curve448/field.h ++++ openssl-1.1.1l/crypto/ec/curve448/field.h +@@ -66,10 +66,15 @@ void gf_serialize(uint8_t *serial, const + mask_t gf_deserialize(gf x, const uint8_t serial[SER_BYTES], int with_hibit, + uint8_t hi_nmask); + +-# include "f_impl.h" /* Bring in the inline implementations */ + + # define LIMBPERM(i) (i) +-# define LIMB_MASK(i) (((1)<limb[i] = a->limb[i] + b->limb[i]; ++ ++ gf_weak_reduce(out); ++} ++ ++void gf_sub_RAW(gf out, const gf a, const gf b) ++{ ++ uint64_t co1 = ((1ULL << 56) - 1) * 2, co2 = co1 - 2; ++ unsigned int i; ++ ++ for (i = 0; i < NLIMBS; i++) ++ out->limb[i] = a->limb[i] - b->limb[i] + ((i == NLIMBS / 2) ? co2 : co1); ++ ++ gf_weak_reduce(out); ++} ++ ++void gf_bias(gf a, int amt) ++{ ++} ++ ++void gf_weak_reduce(gf a) ++{ ++ uint64_t mask = (1ULL << 56) - 1; ++ uint64_t tmp = a->limb[NLIMBS - 1] >> 56; ++ unsigned int i; ++ ++ a->limb[NLIMBS / 2] += tmp; ++ for (i = NLIMBS - 1; i > 0; i--) ++ a->limb[i] = (a->limb[i] & mask) + (a->limb[i - 1] >> 56); ++ a->limb[0] = (a->limb[0] & mask) + tmp; ++} ++ ++#endif /* OSSL_CRYPTO_EC_CURVE448_ARCH_64_F_IMPL_H */ +Index: openssl-1.1.1l/include/internal/constant_time.h +=================================================================== +--- openssl-1.1.1l.orig/include/internal/constant_time.h ++++ openssl-1.1.1l/include/internal/constant_time.h +@@ -181,6 +181,11 @@ static ossl_inline uint32_t constant_tim + return constant_time_msb_32(~a & (a - 1)); + } + ++static ossl_inline uint64_t constant_time_is_zero_64(uint64_t a) ++{ ++ return constant_time_msb_64(~a & (a - 1)); ++} ++ + static ossl_inline unsigned int constant_time_eq(unsigned int a, + unsigned int b) + { +Index: openssl-1.1.1l/crypto/ec/curve448/arch_32/f_impl32.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1l/crypto/ec/curve448/arch_32/f_impl32.c +@@ -0,0 +1,104 @@ ++/* ++ * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2014 Cryptography Research, Inc. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ * ++ * Originally written by Mike Hamburg ++ */ ++ ++#include ++#include "internal/numbers.h" ++ ++#ifdef UINT128_MAX ++/* We have support for 128 bit ints, so do nothing here */ ++NON_EMPTY_TRANSLATION_UNIT ++#else ++ ++# include "../field.h" ++ ++void gf_mul(gf_s * RESTRICT cs, const gf as, const gf bs) ++{ ++ const uint32_t *a = as->limb, *b = bs->limb; ++ uint32_t *c = cs->limb; ++ uint64_t accum0 = 0, accum1 = 0, accum2 = 0; ++ uint32_t mask = (1 << 28) - 1; ++ uint32_t aa[8], bb[8]; ++ int i, j; ++ ++ for (i = 0; i < 8; i++) { ++ aa[i] = a[i] + a[i + 8]; ++ bb[i] = b[i] + b[i + 8]; ++ } ++ ++ for (j = 0; j < 8; j++) { ++ accum2 = 0; ++ for (i = 0; i < j + 1; i++) { ++ accum2 += widemul(a[j - i], b[i]); ++ accum1 += widemul(aa[j - i], bb[i]); ++ accum0 += widemul(a[8 + j - i], b[8 + i]); ++ } ++ accum1 -= accum2; ++ accum0 += accum2; ++ accum2 = 0; ++ for (i = j + 1; i < 8; i++) { ++ accum0 -= widemul(a[8 + j - i], b[i]); ++ accum2 += widemul(aa[8 + j - i], bb[i]); ++ accum1 += widemul(a[16 + j - i], b[8 + i]); ++ } ++ accum1 += accum2; ++ accum0 += accum2; ++ c[j] = ((uint32_t)(accum0)) & mask; ++ c[j + 8] = ((uint32_t)(accum1)) & mask; ++ accum0 >>= 28; ++ accum1 >>= 28; ++ } ++ ++ accum0 += accum1; ++ accum0 += c[8]; ++ accum1 += c[0]; ++ c[8] = ((uint32_t)(accum0)) & mask; ++ c[0] = ((uint32_t)(accum1)) & mask; ++ ++ accum0 >>= 28; ++ accum1 >>= 28; ++ c[9] += ((uint32_t)(accum0)); ++ c[1] += ((uint32_t)(accum1)); ++} ++ ++void gf_mulw_unsigned(gf_s * RESTRICT cs, const gf as, uint32_t b) ++{ ++ const uint32_t *a = as->limb; ++ uint32_t *c = cs->limb; ++ uint64_t accum0 = 0, accum8 = 0; ++ uint32_t mask = (1 << 28) - 1; ++ int i; ++ ++ assert(b <= mask); ++ ++ for (i = 0; i < 8; i++) { ++ accum0 += widemul(b, a[i]); ++ accum8 += widemul(b, a[i + 8]); ++ c[i] = accum0 & mask; ++ accum0 >>= 28; ++ c[i + 8] = accum8 & mask; ++ accum8 >>= 28; ++ } ++ ++ accum0 += accum8 + c[8]; ++ c[8] = ((uint32_t)accum0) & mask; ++ c[9] += (uint32_t)(accum0 >> 28); ++ ++ accum8 += c[0]; ++ c[0] = ((uint32_t)accum8) & mask; ++ c[1] += (uint32_t)(accum8 >> 28); ++} ++ ++void gf_sqr(gf_s * RESTRICT cs, const gf as) ++{ ++ gf_mul(cs, as, as); /* Performs better with a dedicated square */ ++} ++#endif +Index: openssl-1.1.1l/crypto/ec/curve448/arch_64/f_impl64.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1l/crypto/ec/curve448/arch_64/f_impl64.c +@@ -0,0 +1,210 @@ ++/* ++ * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2014 Cryptography Research, Inc. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ * ++ * Originally written by Mike Hamburg ++ */ ++ ++#include ++#include "internal/numbers.h" ++ ++#ifndef UINT128_MAX ++/* No support for 128 bit ints, so do nothing here */ ++NON_EMPTY_TRANSLATION_UNIT ++#else ++ ++# include "../field.h" ++ ++void gf_mul(gf_s * RESTRICT cs, const gf as, const gf bs) ++{ ++ const uint64_t *a = as->limb, *b = bs->limb; ++ uint64_t *c = cs->limb; ++ uint128_t accum0 = 0, accum1 = 0, accum2; ++ uint64_t mask = (1ULL << 56) - 1; ++ uint64_t aa[4], bb[4], bbb[4]; ++ unsigned int i, j; ++ ++ for (i = 0; i < 4; i++) { ++ aa[i] = a[i] + a[i + 4]; ++ bb[i] = b[i] + b[i + 4]; ++ bbb[i] = bb[i] + b[i + 4]; ++ } ++ ++ for (i = 0; i < 4; i++) { ++ accum2 = 0; ++ ++ for (j = 0; j <= i; j++) { ++ accum2 += widemul(a[j], b[i - j]); ++ accum1 += widemul(aa[j], bb[i - j]); ++ accum0 += widemul(a[j + 4], b[i - j + 4]); ++ } ++ for (; j < 4; j++) { ++ accum2 += widemul(a[j], b[i - j + 8]); ++ accum1 += widemul(aa[j], bbb[i - j + 4]); ++ accum0 += widemul(a[j + 4], bb[i - j + 4]); ++ } ++ ++ accum1 -= accum2; ++ accum0 += accum2; ++ ++ c[i] = ((uint64_t)(accum0)) & mask; ++ c[i + 4] = ((uint64_t)(accum1)) & mask; ++ ++ accum0 >>= 56; ++ accum1 >>= 56; ++ } ++ ++ accum0 += accum1; ++ accum0 += c[4]; ++ accum1 += c[0]; ++ c[4] = ((uint64_t)(accum0)) & mask; ++ c[0] = ((uint64_t)(accum1)) & mask; ++ ++ accum0 >>= 56; ++ accum1 >>= 56; ++ ++ c[5] += ((uint64_t)(accum0)); ++ c[1] += ((uint64_t)(accum1)); ++} ++ ++void gf_mulw_unsigned(gf_s * __restrict__ cs, const gf as, uint32_t b) ++{ ++ const uint64_t *a = as->limb; ++ uint64_t *c = cs->limb; ++ uint128_t accum0 = 0, accum4 = 0; ++ uint64_t mask = (1ULL << 56) - 1; ++ int i; ++ ++ for (i = 0; i < 4; i++) { ++ accum0 += widemul(b, a[i]); ++ accum4 += widemul(b, a[i + 4]); ++ c[i] = accum0 & mask; ++ accum0 >>= 56; ++ c[i + 4] = accum4 & mask; ++ accum4 >>= 56; ++ } ++ ++ accum0 += accum4 + c[4]; ++ c[4] = accum0 & mask; ++ c[5] += accum0 >> 56; ++ ++ accum4 += c[0]; ++ c[0] = accum4 & mask; ++ c[1] += accum4 >> 56; ++} ++ ++void gf_sqr(gf_s * __restrict__ cs, const gf as) ++{ ++ const uint64_t *a = as->limb; ++ uint64_t *c = cs->limb; ++ uint128_t accum0 = 0, accum1 = 0, accum2; ++ uint64_t mask = (1ULL << 56) - 1; ++ uint64_t aa[4]; ++ ++ /* For some reason clang doesn't vectorize this without prompting? */ ++ unsigned int i; ++ for (i = 0; i < 4; i++) { ++ aa[i] = a[i] + a[i + 4]; ++ } ++ ++ accum2 = widemul(a[0], a[3]); ++ accum0 = widemul(aa[0], aa[3]); ++ accum1 = widemul(a[4], a[7]); ++ ++ accum2 += widemul(a[1], a[2]); ++ accum0 += widemul(aa[1], aa[2]); ++ accum1 += widemul(a[5], a[6]); ++ ++ accum0 -= accum2; ++ accum1 += accum2; ++ ++ c[3] = ((uint64_t)(accum1)) << 1 & mask; ++ c[7] = ((uint64_t)(accum0)) << 1 & mask; ++ ++ accum0 >>= 55; ++ accum1 >>= 55; ++ ++ accum0 += widemul(2 * aa[1], aa[3]); ++ accum1 += widemul(2 * a[5], a[7]); ++ accum0 += widemul(aa[2], aa[2]); ++ accum1 += accum0; ++ ++ accum0 -= widemul(2 * a[1], a[3]); ++ accum1 += widemul(a[6], a[6]); ++ ++ accum2 = widemul(a[0], a[0]); ++ accum1 -= accum2; ++ accum0 += accum2; ++ ++ accum0 -= widemul(a[2], a[2]); ++ accum1 += widemul(aa[0], aa[0]); ++ accum0 += widemul(a[4], a[4]); ++ ++ c[0] = ((uint64_t)(accum0)) & mask; ++ c[4] = ((uint64_t)(accum1)) & mask; ++ ++ accum0 >>= 56; ++ accum1 >>= 56; ++ ++ accum2 = widemul(2 * aa[2], aa[3]); ++ accum0 -= widemul(2 * a[2], a[3]); ++ accum1 += widemul(2 * a[6], a[7]); ++ ++ accum1 += accum2; ++ accum0 += accum2; ++ ++ accum2 = widemul(2 * a[0], a[1]); ++ accum1 += widemul(2 * aa[0], aa[1]); ++ accum0 += widemul(2 * a[4], a[5]); ++ ++ accum1 -= accum2; ++ accum0 += accum2; ++ ++ c[1] = ((uint64_t)(accum0)) & mask; ++ c[5] = ((uint64_t)(accum1)) & mask; ++ ++ accum0 >>= 56; ++ accum1 >>= 56; ++ ++ accum2 = widemul(aa[3], aa[3]); ++ accum0 -= widemul(a[3], a[3]); ++ accum1 += widemul(a[7], a[7]); ++ ++ accum1 += accum2; ++ accum0 += accum2; ++ ++ accum2 = widemul(2 * a[0], a[2]); ++ accum1 += widemul(2 * aa[0], aa[2]); ++ accum0 += widemul(2 * a[4], a[6]); ++ ++ accum2 += widemul(a[1], a[1]); ++ accum1 += widemul(aa[1], aa[1]); ++ accum0 += widemul(a[5], a[5]); ++ ++ accum1 -= accum2; ++ accum0 += accum2; ++ ++ c[2] = ((uint64_t)(accum0)) & mask; ++ c[6] = ((uint64_t)(accum1)) & mask; ++ ++ accum0 >>= 56; ++ accum1 >>= 56; ++ ++ accum0 += c[3]; ++ accum1 += c[7]; ++ c[3] = ((uint64_t)(accum0)) & mask; ++ c[7] = ((uint64_t)(accum1)) & mask; ++ ++ /* we could almost stop here, but it wouldn't be stable, so... */ ++ ++ accum0 >>= 56; ++ accum1 >>= 56; ++ c[4] += ((uint64_t)(accum0)) + ((uint64_t)(accum1)); ++ c[0] += ((uint64_t)(accum1)); ++} ++#endif +Index: openssl-1.1.1l/Configurations/00-base-templates.conf +=================================================================== +--- openssl-1.1.1l.orig/Configurations/00-base-templates.conf ++++ openssl-1.1.1l/Configurations/00-base-templates.conf +@@ -351,7 +351,8 @@ my %targets=( + ppc64_asm => { + inherit_from => [ "ppc32_asm" ], + template => 1, +- ec_asm_src => "ecp_nistz256.c ecp_nistz256-ppc64.s x25519-ppc64.s", ++ bn_asm_src => add("ppc64-mont-fixed.s"), ++ ec_asm_src => "ecp_nistz256.c ecp_nistz256-ppc64.s ecp_nistp521-ppc64.s x25519-ppc64.s", + keccak1600_asm_src => "keccak1600-ppc64.s", + }, + ); +Index: openssl-1.1.1l/crypto/bn/asm/ppc64-mont-fixed.pl +=================================================================== +--- /dev/null ++++ openssl-1.1.1l/crypto/bn/asm/ppc64-mont-fixed.pl +@@ -0,0 +1,581 @@ ++#! /usr/bin/env perl ++# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++# ==================================================================== ++# Written by Amitay Isaacs , Martin Schwenke ++# & Alastair D'Silva for ++# the OpenSSL project. ++# ==================================================================== ++ ++# ++# Fixed length (n=6), unrolled PPC Montgomery Multiplication ++# ++ ++# 2021 ++# ++# Although this is a generic implementation for unrolling Montgomery ++# Multiplication for arbitrary values of n, this is currently only ++# used for n = 6 to improve the performance of ECC p384. ++# ++# Unrolling allows intermediate results to be stored in registers, ++# rather than on the stack, improving performance by ~7% compared to ++# the existing PPC assembly code. ++# ++# The ISA 3.0 implementation uses combination multiply/add ++# instructions (maddld, maddhdu) to improve performance by an ++# additional ~10% on Power 9. ++# ++# Finally, saving non-volatile registers into volatile vector ++# registers instead of onto the stack saves a little more. ++# ++# On a Power 9 machine we see an overall improvement of ~18%. ++# ++ ++use strict; ++use warnings; ++ ++my ($flavour, $output, $dir, $xlate); ++ ++# $output is the last argument if it looks like a file (it has an extension) ++# $flavour is the first argument if it doesn't look like a file ++$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; ++$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; ++ ++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ++( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or ++( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or ++die "can't locate ppc-xlate.pl"; ++ ++open STDOUT,"| $^X $xlate $flavour \"$output\"" ++ or die "can't call $xlate: $!"; ++ ++if ($flavour !~ /64/) { ++ die "bad flavour ($flavour) - only ppc64 permitted"; ++} ++ ++my $SIZE_T= 8; ++ ++# Registers are global so the code is remotely readable ++ ++# Parameters for Montgomery multiplication ++my $sp = "r1"; ++my $toc = "r2"; ++my $rp = "r3"; ++my $ap = "r4"; ++my $bp = "r5"; ++my $np = "r6"; ++my $n0 = "r7"; ++my $num = "r8"; ++ ++my $i = "r9"; ++my $c0 = "r10"; ++my $bp0 = "r11"; ++my $bpi = "r11"; ++my $bpj = "r11"; ++my $tj = "r12"; ++my $apj = "r12"; ++my $npj = "r12"; ++my $lo = "r14"; ++my $c1 = "r14"; ++ ++# Non-volatile registers used for tp[i] ++# ++# 12 registers are available but the limit on unrolling is 10, ++# since registers from $tp[0] to $tp[$n+1] are used. ++my @tp = ("r20" .. "r31"); ++ ++# volatile VSRs for saving non-volatile GPRs - faster than stack ++my @vsrs = ("v32" .. "v46"); ++ ++package Mont; ++ ++sub new($$) ++{ ++ my ($class, $n) = @_; ++ ++ if ($n > 10) { ++ die "Can't unroll for BN length ${n} (maximum 10)" ++ } ++ ++ my $self = { ++ code => "", ++ n => $n, ++ }; ++ bless $self, $class; ++ ++ return $self; ++} ++ ++sub add_code($$) ++{ ++ my ($self, $c) = @_; ++ ++ $self->{code} .= $c; ++} ++ ++sub get_code($) ++{ ++ my ($self) = @_; ++ ++ return $self->{code}; ++} ++ ++sub get_function_name($) ++{ ++ my ($self) = @_; ++ ++ return "bn_mul_mont_fixed_n" . $self->{n}; ++} ++ ++sub get_label($$) ++{ ++ my ($self, $l) = @_; ++ ++ return "L" . $l . "_" . $self->{n}; ++} ++ ++sub get_labels($@) ++{ ++ my ($self, @labels) = @_; ++ ++ my %out = (); ++ ++ foreach my $l (@labels) { ++ $out{"$l"} = $self->get_label("$l"); ++ } ++ ++ return \%out; ++} ++ ++sub nl($) ++{ ++ my ($self) = @_; ++ ++ $self->add_code("\n"); ++} ++ ++sub copy_result($) ++{ ++ my ($self) = @_; ++ ++ my ($n) = $self->{n}; ++ ++ for (my $j = 0; $j < $n; $j++) { ++ $self->add_code(<<___); ++ std $tp[$j],`$j*$SIZE_T`($rp) ++___ ++ } ++ ++} ++ ++sub mul_mont_fixed($) ++{ ++ my ($self) = @_; ++ ++ my ($n) = $self->{n}; ++ my $fname = $self->get_function_name(); ++ my $label = $self->get_labels("outer", "enter", "sub", "copy", "end"); ++ ++ $self->add_code(<<___); ++ ++.globl .${fname} ++.align 5 ++.${fname}: ++ ++___ ++ ++ $self->save_registers(); ++ ++ $self->add_code(<<___); ++ ld $n0,0($n0) ++ ++ ld $bp0,0($bp) ++ ++ ld $apj,0($ap) ++___ ++ ++ $self->mul_c_0($tp[0], $apj, $bp0, $c0); ++ ++ for (my $j = 1; $j < $n - 1; $j++) { ++ $self->add_code(<<___); ++ ld $apj,`$j*$SIZE_T`($ap) ++___ ++ $self->mul($tp[$j], $apj, $bp0, $c0); ++ } ++ ++ $self->add_code(<<___); ++ ld $apj,`($n-1)*$SIZE_T`($ap) ++___ ++ ++ $self->mul_last($tp[$n-1], $tp[$n], $apj, $bp0, $c0); ++ ++ $self->add_code(<<___); ++ li $tp[$n+1],0 ++ ++___ ++ ++ $self->add_code(<<___); ++ li $i,0 ++ mtctr $num ++ b $label->{"enter"} ++ ++.align 4 ++$label->{"outer"}: ++ ldx $bpi,$bp,$i ++ ++ ld $apj,0($ap) ++___ ++ ++ $self->mul_add_c_0($tp[0], $tp[0], $apj, $bpi, $c0); ++ ++ for (my $j = 1; $j < $n; $j++) { ++ $self->add_code(<<___); ++ ld $apj,`$j*$SIZE_T`($ap) ++___ ++ $self->mul_add($tp[$j], $tp[$j], $apj, $bpi, $c0); ++ } ++ ++ $self->add_code(<<___); ++ addc $tp[$n],$tp[$n],$c0 ++ addze $tp[$n+1],$tp[$n+1] ++___ ++ ++ $self->add_code(<<___); ++.align 4 ++$label->{"enter"}: ++ mulld $bpi,$tp[0],$n0 ++ ++ ld $npj,0($np) ++___ ++ ++ $self->mul_add_c_0($lo, $tp[0], $bpi, $npj, $c0); ++ ++ for (my $j = 1; $j < $n; $j++) { ++ $self->add_code(<<___); ++ ld $npj,`$j*$SIZE_T`($np) ++___ ++ $self->mul_add($tp[$j-1], $tp[$j], $npj, $bpi, $c0); ++ } ++ ++ $self->add_code(<<___); ++ addc $tp[$n-1],$tp[$n],$c0 ++ addze $tp[$n],$tp[$n+1] ++ ++ addi $i,$i,$SIZE_T ++ bdnz $label->{"outer"} ++ ++ and. $tp[$n],$tp[$n],$tp[$n] ++ bne $label->{"sub"} ++ ++ cmpld $tp[$n-1],$npj ++ blt $label->{"copy"} ++ ++$label->{"sub"}: ++___ ++ ++ # ++ # Reduction ++ # ++ ++ $self->add_code(<<___); ++ ld $bpj,`0*$SIZE_T`($np) ++ subfc $c1,$bpj,$tp[0] ++ std $c1,`0*$SIZE_T`($rp) ++ ++___ ++ for (my $j = 1; $j < $n - 1; $j++) { ++ $self->add_code(<<___); ++ ld $bpj,`$j*$SIZE_T`($np) ++ subfe $c1,$bpj,$tp[$j] ++ std $c1,`$j*$SIZE_T`($rp) ++ ++___ ++ } ++ ++ $self->add_code(<<___); ++ subfe $c1,$npj,$tp[$n-1] ++ std $c1,`($n-1)*$SIZE_T`($rp) ++ ++___ ++ ++ $self->add_code(<<___); ++ addme. $tp[$n],$tp[$n] ++ beq $label->{"end"} ++ ++$label->{"copy"}: ++___ ++ ++ $self->copy_result(); ++ ++ $self->add_code(<<___); ++ ++$label->{"end"}: ++___ ++ ++ $self->restore_registers(); ++ ++ $self->add_code(<<___); ++ li r3,1 ++ blr ++.size .${fname},.-.${fname} ++___ ++ ++} ++ ++package Mont::GPR; ++ ++our @ISA = ('Mont'); ++ ++sub new($$) ++{ ++ my ($class, $n) = @_; ++ ++ return $class->SUPER::new($n); ++} ++ ++sub save_registers($) ++{ ++ my ($self) = @_; ++ ++ my $n = $self->{n}; ++ ++ $self->add_code(<<___); ++ std $lo,-8($sp) ++___ ++ ++ for (my $j = 0; $j <= $n+1; $j++) { ++ $self->{code}.=<<___; ++ std $tp[$j],-`($j+2)*8`($sp) ++___ ++ } ++ ++ $self->add_code(<<___); ++ ++___ ++} ++ ++sub restore_registers($) ++{ ++ my ($self) = @_; ++ ++ my $n = $self->{n}; ++ ++ $self->add_code(<<___); ++ ld $lo,-8($sp) ++___ ++ ++ for (my $j = 0; $j <= $n+1; $j++) { ++ $self->{code}.=<<___; ++ ld $tp[$j],-`($j+2)*8`($sp) ++___ ++ } ++ ++ $self->{code} .=<<___; ++ ++___ ++} ++ ++# Direct translation of C mul() ++sub mul($$$$$) ++{ ++ my ($self, $r, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ mulld $lo,$a,$w ++ addc $r,$lo,$c ++ mulhdu $c,$a,$w ++ addze $c,$c ++ ++___ ++} ++ ++# Like mul() but $c is ignored as an input - an optimisation to save a ++# preliminary instruction that would set input $c to 0 ++sub mul_c_0($$$$$) ++{ ++ my ($self, $r, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ mulld $r,$a,$w ++ mulhdu $c,$a,$w ++ ++___ ++} ++ ++# Like mul() but does not to the final addition of CA into $c - an ++# optimisation to save an instruction ++sub mul_last($$$$$$) ++{ ++ my ($self, $r1, $r2, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ mulld $lo,$a,$w ++ addc $r1,$lo,$c ++ mulhdu $c,$a,$w ++ ++ addze $r2,$c ++___ ++} ++ ++# Like C mul_add() but allow $r_out and $r_in to be different ++sub mul_add($$$$$$) ++{ ++ my ($self, $r_out, $r_in, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ mulld $lo,$a,$w ++ addc $lo,$lo,$c ++ mulhdu $c,$a,$w ++ addze $c,$c ++ addc $r_out,$r_in,$lo ++ addze $c,$c ++ ++___ ++} ++ ++# Like mul_add() but $c is ignored as an input - an optimisation to save a ++# preliminary instruction that would set input $c to 0 ++sub mul_add_c_0($$$$$$) ++{ ++ my ($self, $r_out, $r_in, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ mulld $lo,$a,$w ++ addc $r_out,$r_in,$lo ++ mulhdu $c,$a,$w ++ addze $c,$c ++ ++___ ++} ++ ++package Mont::GPR_300; ++ ++our @ISA = ('Mont::GPR'); ++ ++sub new($$) ++{ ++ my ($class, $n) = @_; ++ ++ my $mont = $class->SUPER::new($n); ++ ++ return $mont; ++} ++ ++sub get_function_name($) ++{ ++ my ($self) = @_; ++ ++ return "bn_mul_mont_300_fixed_n" . $self->{n}; ++} ++ ++sub get_label($$) ++{ ++ my ($self, $l) = @_; ++ ++ return "L" . $l . "_300_" . $self->{n}; ++} ++ ++# Direct translation of C mul() ++sub mul($$$$$) ++{ ++ my ($self, $r, $a, $w, $c, $last) = @_; ++ ++ $self->add_code(<<___); ++ maddld $r,$a,$w,$c ++ maddhdu $c,$a,$w,$c ++ ++___ ++} ++ ++# Save the last carry as the final entry ++sub mul_last($$$$$) ++{ ++ my ($self, $r1, $r2, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ maddld $r1,$a,$w,$c ++ maddhdu $r2,$a,$w,$c ++ ++___ ++} ++ ++# Like mul() but $c is ignored as an input - an optimisation to save a ++# preliminary instruction that would set input $c to 0 ++sub mul_c_0($$$$$) ++{ ++ my ($self, $r, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ mulld $r,$a,$w ++ mulhdu $c,$a,$w ++ ++___ ++} ++ ++# Like C mul_add() but allow $r_out and $r_in to be different ++sub mul_add($$$$$$) ++{ ++ my ($self, $r_out, $r_in, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ maddld $lo,$a,$w,$c ++ maddhdu $c,$a,$w,$c ++ addc $r_out,$r_in,$lo ++ addze $c,$c ++ ++___ ++} ++ ++# Like mul_add() but $c is ignored as an input - an optimisation to save a ++# preliminary instruction that would set input $c to 0 ++sub mul_add_c_0($$$$$$) ++{ ++ my ($self, $r_out, $r_in, $a, $w, $c) = @_; ++ ++ $self->add_code(<<___); ++ maddld $lo,$a,$w,$r_in ++ maddhdu $c,$a,$w,$r_in ++___ ++ ++ if ($r_out ne $lo) { ++ $self->add_code(<<___); ++ mr $r_out,$lo ++___ ++ } ++ ++ $self->nl(); ++} ++ ++ ++package main; ++ ++my $code; ++ ++$code.=<<___; ++.machine "any" ++.text ++___ ++ ++my $mont; ++ ++$mont = new Mont::GPR(6); ++$mont->mul_mont_fixed(); ++$code .= $mont->get_code(); ++ ++$mont = new Mont::GPR_300(6); ++$mont->mul_mont_fixed(); ++$code .= $mont->get_code(); ++ ++$code =~ s/\`([^\`]*)\`/eval $1/gem; ++ ++$code.=<<___; ++.asciz "Montgomery Multiplication for PPC by , " ++___ ++ ++print $code; ++close STDOUT or die "error closing STDOUT: $!"; +Index: openssl-1.1.1l/crypto/bn/build.info +=================================================================== +--- openssl-1.1.1l.orig/crypto/bn/build.info ++++ openssl-1.1.1l/crypto/bn/build.info +@@ -56,6 +56,7 @@ GENERATE[parisc-mont.s]=asm/parisc-mont. + GENERATE[bn-ppc.s]=asm/ppc.pl $(PERLASM_SCHEME) + GENERATE[ppc-mont.s]=asm/ppc-mont.pl $(PERLASM_SCHEME) + GENERATE[ppc64-mont.s]=asm/ppc64-mont.pl $(PERLASM_SCHEME) ++GENERATE[ppc64-mont-fixed.s]=asm/ppc64-mont-fixed.pl $(PERLASM_SCHEME) + + GENERATE[alpha-mont.S]=asm/alpha-mont.pl $(PERLASM_SCHEME) + +Index: openssl-1.1.1l/crypto/ppccap.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/ppccap.c ++++ openssl-1.1.1l/crypto/ppccap.c +@@ -46,6 +46,12 @@ int bn_mul_mont(BN_ULONG *rp, const BN_U + const BN_ULONG *np, const BN_ULONG *n0, int num); + int bn_mul4x_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, int num); ++ int bn_mul_mont_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap, ++ const BN_ULONG *bp, const BN_ULONG *np, ++ const BN_ULONG *n0, int num); ++ int bn_mul_mont_300_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap, ++ const BN_ULONG *bp, const BN_ULONG *np, ++ const BN_ULONG *n0, int num); + + if (num < 4) + return 0; +@@ -61,6 +67,15 @@ int bn_mul_mont(BN_ULONG *rp, const BN_U + * no opportunity to figure it out... + */ + ++#if defined(_ARCH_PPC64) ++ if (num == 6) { ++ if (OPENSSL_ppccap_P & PPC_MADD300) ++ return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num); ++ else ++ return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num); ++ } ++#endif ++ + return bn_mul_mont_int(rp, ap, bp, np, n0, num); + } + #endif +Index: openssl-1.1.1l/crypto/perlasm/ppc-xlate.pl +=================================================================== +--- openssl-1.1.1l.orig/crypto/perlasm/ppc-xlate.pl ++++ openssl-1.1.1l/crypto/perlasm/ppc-xlate.pl +@@ -136,6 +136,71 @@ my $quad = sub { + }; + + ################################################################ ++# vector register number hacking ++################################################################ ++ ++# It is convenient to be able to set a variable like: ++# my $foo = "v33"; ++# and use this in different contexts where: ++# * a VSR (Vector-Scaler Register) number (i.e. "v33") is required ++# * a VR (Vector Register) number (i.e. "v1") is required ++# Map VSR numbering to VR number for certain vector instructions. ++ ++# vs -> v if N > 32 ++sub vsr2vr1 { ++ my $in = shift; ++ ++ my $n = int($in); ++ if ($n >= 32) { ++ $n -= 32; ++ } ++ ++ return "$n"; ++} ++# As above for first $num register args, returns list ++sub _vsr2vr { ++ my $num = shift; ++ my @rest = @_; ++ my @subst = splice(@rest, 0, $num); ++ ++ @subst = map { vsr2vr1($_); } @subst; ++ ++ return (@subst, @rest); ++} ++# As above but 1st arg ($f) is extracted and reinserted after ++# processing so that it can be ignored by a code generation function ++# that consumes the result ++sub vsr2vr_args { ++ my $num = shift; ++ my $f = shift; ++ ++ my @out = _vsr2vr($num, @_); ++ ++ return ($f, @out); ++} ++# As above but 1st arg is mnemonic, return formatted instruction ++sub vsr2vr { ++ my $mnemonic = shift; ++ my $num = shift; ++ my $f = shift; ++ ++ my @out = _vsr2vr($num, @_); ++ ++ " ${mnemonic}${f} " . join(",", @out); ++} ++ ++# ISA 2.03 ++my $vsel = sub { vsr2vr("vsel", 4, @_); }; ++my $vsl = sub { vsr2vr("vsl", 3, @_); }; ++my $vspltisb = sub { vsr2vr("vspltisb", 1, @_); }; ++my $vspltisw = sub { vsr2vr("vspltisw", 1, @_); }; ++my $vsr = sub { vsr2vr("vsr", 3, @_); }; ++my $vsro = sub { vsr2vr("vsro", 3, @_); }; ++ ++# ISA 3.0 ++my $lxsd = sub { vsr2vr("lxsd", 1, @_); }; ++ ++################################################################ + # simplified mnemonics not handled by at least one assembler + ################################################################ + my $cmplw = sub { +@@ -226,13 +291,18 @@ my $vpermdi = sub { # xxpermdi + + # PowerISA 2.07 stuff + sub vcrypto_op { +- my ($f, $vrt, $vra, $vrb, $op) = @_; ++ my ($f, $vrt, $vra, $vrb, $op) = vsr2vr_args(3, @_); + " .long ".sprintf "0x%X",(4<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|$op; + } + sub vfour { + my ($f, $vrt, $vra, $vrb, $vrc, $op) = @_; + " .long ".sprintf "0x%X",(4<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|($vrc<<6)|$op; + }; ++sub vfour_vsr { ++ my ($f, $vrt, $vra, $vrb, $vrc, $op) = vsr2vr_args(4, @_); ++ " .long ".sprintf "0x%X",(4<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|($vrc<<6)|$op; ++}; ++ + my $vcipher = sub { vcrypto_op(@_, 1288); }; + my $vcipherlast = sub { vcrypto_op(@_, 1289); }; + my $vncipher = sub { vcrypto_op(@_, 1352); }; +@@ -254,10 +324,10 @@ my $vsld = sub { vcrypto_op(@_, 1476); } + my $vsrd = sub { vcrypto_op(@_, 1732); }; + my $vsubudm = sub { vcrypto_op(@_, 1216); }; + my $vaddcuq = sub { vcrypto_op(@_, 320); }; +-my $vaddeuqm = sub { vfour(@_,60); }; +-my $vaddecuq = sub { vfour(@_,61); }; +-my $vmrgew = sub { vfour(@_,0,1932); }; +-my $vmrgow = sub { vfour(@_,0,1676); }; ++my $vaddeuqm = sub { vfour_vsr(@_,60); }; ++my $vaddecuq = sub { vfour_vsr(@_,61); }; ++my $vmrgew = sub { vfour_vsr(@_,0,1932); }; ++my $vmrgow = sub { vfour_vsr(@_,0,1676); }; + + my $mtsle = sub { + my ($f, $arg) = @_; +@@ -298,7 +368,7 @@ my $addex = sub { + my ($f, $rt, $ra, $rb, $cy) = @_; # only cy==0 is specified in 3.0B + " .long ".sprintf "0x%X",(31<<26)|($rt<<21)|($ra<<16)|($rb<<11)|($cy<<9)|(170<<1); + }; +-my $vmsumudm = sub { vfour(@_,35); }; ++my $vmsumudm = sub { vfour_vsr(@_, 35); }; + + while($line=<>) { + +Index: openssl-1.1.1l/Configurations/10-main.conf +=================================================================== +--- openssl-1.1.1l.orig/Configurations/10-main.conf ++++ openssl-1.1.1l/Configurations/10-main.conf +@@ -669,7 +669,7 @@ my %targets = ( + inherit_from => [ "linux-generic64", asm("ppc64_asm") ], + cflags => add("-m64"), + cxxflags => add("-m64"), +- lib_cppflags => add("-DB_ENDIAN"), ++ lib_cppflags => add("-DB_ENDIAN -DECP_NISTP521_ASM"), + perlasm_scheme => "linux64", + multilib => "64", + }, +@@ -677,7 +677,7 @@ my %targets = ( + inherit_from => [ "linux-generic64", asm("ppc64_asm") ], + cflags => add("-m64"), + cxxflags => add("-m64"), +- lib_cppflags => add("-DL_ENDIAN"), ++ lib_cppflags => add("-DL_ENDIAN -DECP_NISTP521_ASM"), + perlasm_scheme => "linux64le", + }, + +Index: openssl-1.1.1l/crypto/ec/asm/ecp_nistp521-ppc64.pl +=================================================================== +--- /dev/null ++++ openssl-1.1.1l/crypto/ec/asm/ecp_nistp521-ppc64.pl +@@ -0,0 +1,435 @@ ++#! /usr/bin/env perl ++# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the OpenSSL license (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++# ++# ==================================================================== ++# Written by Amitay Isaacs and Martin Schwenke ++# for the OpenSSL project. ++# ==================================================================== ++# ++# p521 lower-level primitives for PPC64 using vector instructions. ++# ++ ++use strict; ++use warnings; ++ ++my $flavour = shift; ++my $output = ""; ++while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} ++if (!$output) { ++ $output = "-"; ++} ++ ++my ($xlate, $dir); ++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ++( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or ++( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or ++die "can't locate ppc-xlate.pl"; ++ ++open OUT,"| \"$^X\" $xlate $flavour $output"; ++*STDOUT=*OUT; ++ ++my $code = ""; ++ ++my ($sp, $outp, $savelr, $savesp) = ("r1", "r3", "r10", "r12"); ++ ++my $vzero = "v32"; ++ ++sub startproc($) ++{ ++ my ($name) = @_; ++ ++ $code.=<<___; ++ .globl ${name} ++ .align 5 ++${name}: ++ ++___ ++} ++ ++sub endproc($) ++{ ++ my ($name) = @_; ++ ++ $code.=<<___; ++ blr ++ .size ${name},.-${name} ++ ++___ ++} ++ ++ ++sub push_vrs($$) ++{ ++ my ($min, $max) = @_; ++ ++ my $count = $max - $min + 1; ++ ++ $code.=<<___; ++ mr $savesp,$sp ++ stdu $sp,-16*`$count+1`($sp) ++ ++___ ++ for (my $i = $min; $i <= $max; $i++) { ++ my $mult = $max - $i + 1; ++ $code.=<<___; ++ stxv $i,-16*$mult($savesp) ++___ ++ ++ } ++ ++ $code.=<<___; ++ ++___ ++} ++ ++sub pop_vrs($$) ++{ ++ my ($min, $max) = @_; ++ ++ $code.=<<___; ++ ld $savesp,0($sp) ++___ ++ for (my $i = $min; $i <= $max; $i++) { ++ my $mult = $max - $i + 1; ++ $code.=<<___; ++ lxv $i,-16*$mult($savesp) ++___ ++ } ++ ++ $code.=<<___; ++ mr $sp,$savesp ++ ++___ ++} ++ ++sub load_vrs($$) ++{ ++ my ($pointer, $reg_list) = @_; ++ ++ for (my $i = 0; $i <= 8; $i++) { ++ my $offset = $i * 8; ++ $code.=<<___; ++ lxsd $reg_list->[$i],$offset($pointer) ++___ ++ } ++ ++ $code.=<<___; ++ ++___ ++} ++ ++sub store_vrs($$) ++{ ++ my ($pointer, $reg_list) = @_; ++ ++ for (my $i = 0; $i <= 8; $i++) { ++ my $offset = $i * 16; ++ $code.=<<___; ++ stxv $reg_list->[$i],$offset($pointer) ++___ ++ } ++ ++ $code.=<<___; ++ ++___ ++} ++ ++$code.=<<___; ++.text ++ ++___ ++ ++{ ++ # mul/square common ++ my ($t1, $t2, $t3, $t4) = ("v33", "v34", "v44", "v54"); ++ my ($zero, $one) = ("r8", "r9"); ++ my @out = map("v$_",(55..63)); ++ ++ { ++ # ++ # p521_felem_mul ++ # ++ ++ my ($in1p, $in2p) = ("r4", "r5"); ++ my @in1 = map("v$_",(45..53)); ++ my @in2 = map("v$_",(35..43)); ++ ++ startproc("p521_felem_mul"); ++ ++ push_vrs(52, 63); ++ ++ $code.=<<___; ++ vspltisw $vzero,0 ++ ++___ ++ ++ load_vrs($in1p, \@in1); ++ load_vrs($in2p, \@in2); ++ ++ $code.=<<___; ++ vmsumudm $out[0],$in1[0],$in2[0],$vzero ++ ++ xxpermdi $t1,$in1[0],$in1[1],0b00 ++ xxpermdi $t2,$in2[1],$in2[0],0b00 ++ vmsumudm $out[1],$t1,$t2,$vzero ++ ++ xxpermdi $t2,$in2[2],$in2[1],0b00 ++ vmsumudm $out[2],$t1,$t2,$vzero ++ vmsumudm $out[2],$in1[2],$in2[0],$out[2] ++ ++ xxpermdi $t2,$in2[3],$in2[2],0b00 ++ vmsumudm $out[3],$t1,$t2,$vzero ++ xxpermdi $t3,$in1[2],$in1[3],0b00 ++ xxpermdi $t4,$in2[1],$in2[0],0b00 ++ vmsumudm $out[3],$t3,$t4,$out[3] ++ ++ xxpermdi $t2,$in2[4],$in2[3],0b00 ++ vmsumudm $out[4],$t1,$t2,$vzero ++ xxpermdi $t4,$in2[2],$in2[1],0b00 ++ vmsumudm $out[4],$t3,$t4,$out[4] ++ vmsumudm $out[4],$in1[4],$in2[0],$out[4] ++ ++ xxpermdi $t2,$in2[5],$in2[4],0b00 ++ vmsumudm $out[5],$t1,$t2,$vzero ++ xxpermdi $t4,$in2[3],$in2[2],0b00 ++ vmsumudm $out[5],$t3,$t4,$out[5] ++ ++ xxpermdi $t2,$in2[6],$in2[5],0b00 ++ vmsumudm $out[6],$t1,$t2,$vzero ++ xxpermdi $t4,$in2[4],$in2[3],0b00 ++ vmsumudm $out[6],$t3,$t4,$out[6] ++ ++ xxpermdi $t2,$in2[7],$in2[6],0b00 ++ vmsumudm $out[7],$t1,$t2,$vzero ++ xxpermdi $t4,$in2[5],$in2[4],0b00 ++ vmsumudm $out[7],$t3,$t4,$out[7] ++ ++ xxpermdi $t2,$in2[8],$in2[7],0b00 ++ vmsumudm $out[8],$t1,$t2,$vzero ++ xxpermdi $t4,$in2[6],$in2[5],0b00 ++ vmsumudm $out[8],$t3,$t4,$out[8] ++ ++ xxpermdi $t1,$in1[4],$in1[5],0b00 ++ xxpermdi $t2,$in2[1],$in2[0],0b00 ++ vmsumudm $out[5],$t1,$t2,$out[5] ++ ++ xxpermdi $t2,$in2[2],$in2[1],0b00 ++ vmsumudm $out[6],$t1,$t2,$out[6] ++ vmsumudm $out[6],$in1[6],$in2[0],$out[6] ++ ++ xxpermdi $t2,$in2[3],$in2[2],0b00 ++ vmsumudm $out[7],$t1,$t2,$out[7] ++ xxpermdi $t3,$in1[6],$in1[7],0b00 ++ xxpermdi $t4,$in2[1],$in2[0],0b00 ++ vmsumudm $out[7],$t3,$t4,$out[7] ++ ++ xxpermdi $t2,$in2[4],$in2[3],0b00 ++ vmsumudm $out[8],$t1,$t2,$out[8] ++ xxpermdi $t4,$in2[2],$in2[1],0b00 ++ vmsumudm $out[8],$t3,$t4,$out[8] ++ vmsumudm $out[8],$in1[8],$in2[0],$out[8] ++ ++ li $zero,0 ++ li $one,1 ++ mtvsrdd $t1,$one,$zero ++___ ++ ++ for (my $i = 0; $i <= 8; $i++) { ++ $code.=<<___; ++ vsld $in2[$i],$in2[$i],$t1 ++___ ++ } ++ ++ $code.=<<___; ++ ++ vmsumudm $out[7],$in1[8],$in2[8],$out[7] ++ ++ xxpermdi $t2,$in2[8],$in2[7],0b00 ++ xxpermdi $t1,$in1[7],$in1[8],0b00 ++ vmsumudm $out[6],$t1,$t2,$out[6] ++ ++ xxpermdi $t1,$in1[6],$in1[7],0b00 ++ vmsumudm $out[5],$t1,$t2,$out[5] ++ vmsumudm $out[5],$in1[8],$in2[6],$out[5] ++ ++ xxpermdi $t1,$in1[5],$in1[6],0b00 ++ vmsumudm $out[4],$t1,$t2,$out[4] ++ xxpermdi $t4,$in2[6],$in2[5],0b00 ++ xxpermdi $t3,$in1[7],$in1[8],0b00 ++ vmsumudm $out[4],$t3,$t4,$out[4] ++ ++ xxpermdi $t1,$in1[4],$in1[5],0b00 ++ vmsumudm $out[3],$t1,$t2,$out[3] ++ xxpermdi $t3,$in1[6],$in1[7],0b00 ++ vmsumudm $out[3],$t3,$t4,$out[3] ++ vmsumudm $out[3],$in1[8],$in2[4],$out[3] ++ ++ xxpermdi $t1,$in1[3],$in1[4],0b00 ++ vmsumudm $out[2],$t1,$t2,$out[2] ++ xxpermdi $t3,$in1[5],$in1[6],0b00 ++ vmsumudm $out[2],$t3,$t4,$out[2] ++ ++ xxpermdi $t1,$in1[2],$in1[3],0b00 ++ vmsumudm $out[1],$t1,$t2,$out[1] ++ xxpermdi $t3,$in1[4],$in1[5],0b00 ++ vmsumudm $out[1],$t3,$t4,$out[1] ++ ++ xxpermdi $t1,$in1[1],$in1[2],0b00 ++ vmsumudm $out[0],$t1,$t2,$out[0] ++ xxpermdi $t3,$in1[3],$in1[4],0b00 ++ vmsumudm $out[0],$t3,$t4,$out[0] ++ ++ xxpermdi $t2,$in2[4],$in2[3],0b00 ++ xxpermdi $t1,$in1[7],$in1[8],0b00 ++ vmsumudm $out[2],$t1,$t2,$out[2] ++ ++ xxpermdi $t1,$in1[6],$in1[7],0b00 ++ vmsumudm $out[1],$t1,$t2,$out[1] ++ vmsumudm $out[1],$in1[8],$in2[2],$out[1] ++ ++ xxpermdi $t1,$in1[5],$in1[6],0b00 ++ vmsumudm $out[0],$t1,$t2,$out[0] ++ xxpermdi $t4,$in2[2],$in2[1],0b00 ++ xxpermdi $t3,$in1[7],$in1[8],0b00 ++ vmsumudm $out[0],$t3,$t4,$out[0] ++ ++___ ++ ++ store_vrs($outp, \@out); ++ ++ pop_vrs(52, 63); ++ ++ endproc("p521_felem_mul"); ++ } ++ ++ { ++ # ++ # p51_felem_square ++ # ++ ++ my ($inp) = ("r4"); ++ my @in = map("v$_",(45..53)); ++ my @inx2 = map("v$_",(35..43)); ++ ++ startproc("p521_felem_square"); ++ ++ push_vrs(52, 63); ++ ++ $code.=<<___; ++ vspltisw $vzero,0 ++ ++___ ++ ++ load_vrs($inp, \@in); ++ ++ $code.=<<___; ++ li $zero,0 ++ li $one,1 ++ mtvsrdd $t1,$one,$zero ++___ ++ ++ for (my $i = 0; $i <= 8; $i++) { ++ $code.=<<___; ++ vsld $inx2[$i],$in[$i],$t1 ++___ ++ } ++ ++ $code.=<<___; ++ vmsumudm $out[0],$in[0],$in[0],$vzero ++ ++ vmsumudm $out[1],$in[0],$inx2[1],$vzero ++ ++ xxpermdi $t1,$in[0],$in[1],0b00 ++ xxpermdi $t2,$inx2[2],$in[1],0b00 ++ vmsumudm $out[2],$t1,$t2,$vzero ++ ++ xxpermdi $t2,$inx2[3],$inx2[2],0b00 ++ vmsumudm $out[3],$t1,$t2,$vzero ++ ++ xxpermdi $t2,$inx2[4],$inx2[3],0b00 ++ vmsumudm $out[4],$t1,$t2,$vzero ++ vmsumudm $out[4],$in[2],$in[2],$out[4] ++ ++ xxpermdi $t2,$inx2[5],$inx2[4],0b00 ++ vmsumudm $out[5],$t1,$t2,$vzero ++ vmsumudm $out[5],$in[2],$inx2[3],$out[5] ++ ++ xxpermdi $t2,$inx2[6],$inx2[5],0b00 ++ vmsumudm $out[6],$t1,$t2,$vzero ++ xxpermdi $t3,$in[2],$in[3],0b00 ++ xxpermdi $t4,$inx2[4],$in[3],0b00 ++ vmsumudm $out[6],$t3,$t4,$out[6] ++ ++ xxpermdi $t2,$inx2[7],$inx2[6],0b00 ++ vmsumudm $out[7],$t1,$t2,$vzero ++ xxpermdi $t4,$inx2[5],$inx2[4],0b00 ++ vmsumudm $out[7],$t3,$t4,$out[7] ++ ++ xxpermdi $t2,$inx2[8],$inx2[7],0b00 ++ vmsumudm $out[8],$t1,$t2,$vzero ++ xxpermdi $t4,$inx2[6],$inx2[5],0b00 ++ vmsumudm $out[8],$t3,$t4,$out[8] ++ vmsumudm $out[8],$in[4],$in[4],$out[8] ++ ++ vmsumudm $out[1],$in[5],$inx2[5],$out[1] ++ ++ vmsumudm $out[3],$in[6],$inx2[6],$out[3] ++ ++ vmsumudm $out[5],$in[7],$inx2[7],$out[5] ++ ++ vmsumudm $out[7],$in[8],$inx2[8],$out[7] ++ ++ mtvsrdd $t1,$one,$zero ++___ ++ ++ for (my $i = 5; $i <= 8; $i++) { ++ $code.=<<___; ++ vsld $inx2[$i],$inx2[$i],$t1 ++___ ++ } ++ ++ $code.=<<___; ++ ++ vmsumudm $out[6],$in[7],$inx2[8],$out[6] ++ ++ vmsumudm $out[5],$in[6],$inx2[8],$out[5] ++ ++ xxpermdi $t2,$inx2[8],$inx2[7],0b00 ++ xxpermdi $t1,$in[5],$in[6],0b00 ++ vmsumudm $out[4],$t1,$t2,$out[4] ++ ++ xxpermdi $t1,$in[4],$in[5],0b00 ++ vmsumudm $out[3],$t1,$t2,$out[3] ++ ++ xxpermdi $t1,$in[3],$in[4],0b00 ++ vmsumudm $out[2],$t1,$t2,$out[2] ++ vmsumudm $out[2],$in[5],$inx2[6],$out[2] ++ ++ xxpermdi $t1,$in[2],$in[3],0b00 ++ vmsumudm $out[1],$t1,$t2,$out[1] ++ vmsumudm $out[1],$in[4],$inx2[6],$out[1] ++ ++ xxpermdi $t1,$in[1],$in[2],0b00 ++ vmsumudm $out[0],$t1,$t2,$out[0] ++ xxpermdi $t2,$inx2[6],$inx2[5],0b00 ++ xxpermdi $t1,$in[3],$in[4],0b00 ++ vmsumudm $out[0],$t1,$t2,$out[0] ++ ++___ ++ ++ store_vrs($outp, \@out); ++ ++ pop_vrs(52, 63); ++ ++ endproc("p521_felem_square"); ++ } ++} ++ ++$code =~ s/\`([^\`]*)\`/eval $1/gem; ++print $code; ++close STDOUT or die "error closing STDOUT: $!"; +Index: openssl-1.1.1l/crypto/ec/ec_local.h +=================================================================== +--- openssl-1.1.1l.orig/crypto/ec/ec_local.h ++++ openssl-1.1.1l/crypto/ec/ec_local.h +@@ -499,6 +499,10 @@ int ec_GF2m_simple_field_div(const EC_GR + const BIGNUM *b, BN_CTX *); + + #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 ++# ifdef B_ENDIAN ++# error "Can not enable ec_nistp_64_gcc_128 on big-endian systems" ++# endif ++ + /* method functions in ecp_nistp224.c */ + int ec_GFp_nistp224_group_init(EC_GROUP *group); + int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p, +Index: openssl-1.1.1l/crypto/ec/curve448/arch_32/f_impl.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/ec/curve448/arch_32/f_impl.c ++++ openssl-1.1.1l/crypto/ec/curve448/arch_32/f_impl.c +@@ -10,7 +10,7 @@ + * Originally written by Mike Hamburg + */ + +-#include "field.h" ++#include "../field.h" + + void gf_mul(gf_s * RESTRICT cs, const gf as, const gf bs) + { +Index: openssl-1.1.1l/crypto/ec/curve448/arch_64/f_impl.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1l/crypto/ec/curve448/arch_64/f_impl.c +@@ -0,0 +1,200 @@ ++/* ++ * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2014 Cryptography Research, Inc. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ * ++ * Originally written by Mike Hamburg ++ */ ++ ++#include "../field.h" ++ ++void gf_mul(gf_s * RESTRICT cs, const gf as, const gf bs) ++{ ++ const uint64_t *a = as->limb, *b = bs->limb; ++ uint64_t *c = cs->limb; ++ uint128_t accum0 = 0, accum1 = 0, accum2; ++ uint64_t mask = (1ULL << 56) - 1; ++ uint64_t aa[4], bb[4], bbb[4]; ++ unsigned int i, j; ++ ++ for (i = 0; i < 4; i++) { ++ aa[i] = a[i] + a[i + 4]; ++ bb[i] = b[i] + b[i + 4]; ++ bbb[i] = bb[i] + b[i + 4]; ++ } ++ ++ for (i = 0; i < 4; i++) { ++ accum2 = 0; ++ ++ for (j = 0; j <= i; j++) { ++ accum2 += widemul(a[j], b[i - j]); ++ accum1 += widemul(aa[j], bb[i - j]); ++ accum0 += widemul(a[j + 4], b[i - j + 4]); ++ } ++ for (; j < 4; j++) { ++ accum2 += widemul(a[j], b[i - j + 8]); ++ accum1 += widemul(aa[j], bbb[i - j + 4]); ++ accum0 += widemul(a[j + 4], bb[i - j + 4]); ++ } ++ ++ accum1 -= accum2; ++ accum0 += accum2; ++ ++ c[i] = ((uint64_t)(accum0)) & mask; ++ c[i + 4] = ((uint64_t)(accum1)) & mask; ++ ++ accum0 >>= 56; ++ accum1 >>= 56; ++ } ++ ++ accum0 += accum1; ++ accum0 += c[4]; ++ accum1 += c[0]; ++ c[4] = ((uint64_t)(accum0)) & mask; ++ c[0] = ((uint64_t)(accum1)) & mask; ++ ++ accum0 >>= 56; ++ accum1 >>= 56; ++ ++ c[5] += ((uint64_t)(accum0)); ++ c[1] += ((uint64_t)(accum1)); ++} ++ ++void gf_mulw_unsigned(gf_s * RESTRICT cs, const gf as, uint32_t b) ++{ ++ const uint64_t *a = as->limb; ++ uint64_t *c = cs->limb; ++ uint128_t accum0 = 0, accum4 = 0; ++ uint64_t mask = (1ULL << 56) - 1; ++ int i; ++ ++ for (i = 0; i < 4; i++) { ++ accum0 += widemul(b, a[i]); ++ accum4 += widemul(b, a[i + 4]); ++ c[i] = accum0 & mask; ++ accum0 >>= 56; ++ c[i + 4] = accum4 & mask; ++ accum4 >>= 56; ++ } ++ ++ accum0 += accum4 + c[4]; ++ c[4] = accum0 & mask; ++ c[5] += accum0 >> 56; ++ ++ accum4 += c[0]; ++ c[0] = accum4 & mask; ++ c[1] += accum4 >> 56; ++} ++ ++void gf_sqr(gf_s * RESTRICT cs, const gf as) ++{ ++ const uint64_t *a = as->limb; ++ uint64_t *c = cs->limb; ++ uint128_t accum0 = 0, accum1 = 0, accum2; ++ uint64_t mask = (1ULL << 56) - 1; ++ uint64_t aa[4]; ++ unsigned int i; ++ ++ /* For some reason clang doesn't vectorize this without prompting? */ ++ for (i = 0; i < 4; i++) ++ aa[i] = a[i] + a[i + 4]; ++ ++ accum2 = widemul(a[0], a[3]); ++ accum0 = widemul(aa[0], aa[3]); ++ accum1 = widemul(a[4], a[7]); ++ ++ accum2 += widemul(a[1], a[2]); ++ accum0 += widemul(aa[1], aa[2]); ++ accum1 += widemul(a[5], a[6]); ++ ++ accum0 -= accum2; ++ accum1 += accum2; ++ ++ c[3] = ((uint64_t)(accum1)) << 1 & mask; ++ c[7] = ((uint64_t)(accum0)) << 1 & mask; ++ ++ accum0 >>= 55; ++ accum1 >>= 55; ++ ++ accum0 += widemul(2 * aa[1], aa[3]); ++ accum1 += widemul(2 * a[5], a[7]); ++ accum0 += widemul(aa[2], aa[2]); ++ accum1 += accum0; ++ ++ accum0 -= widemul(2 * a[1], a[3]); ++ accum1 += widemul(a[6], a[6]); ++ ++ accum2 = widemul(a[0], a[0]); ++ accum1 -= accum2; ++ accum0 += accum2; ++ ++ accum0 -= widemul(a[2], a[2]); ++ accum1 += widemul(aa[0], aa[0]); ++ accum0 += widemul(a[4], a[4]); ++ ++ c[0] = ((uint64_t)(accum0)) & mask; ++ c[4] = ((uint64_t)(accum1)) & mask; ++ ++ accum0 >>= 56; ++ accum1 >>= 56; ++ ++ accum2 = widemul(2 * aa[2], aa[3]); ++ accum0 -= widemul(2 * a[2], a[3]); ++ accum1 += widemul(2 * a[6], a[7]); ++ ++ accum1 += accum2; ++ accum0 += accum2; ++ ++ accum2 = widemul(2 * a[0], a[1]); ++ accum1 += widemul(2 * aa[0], aa[1]); ++ accum0 += widemul(2 * a[4], a[5]); ++ ++ accum1 -= accum2; ++ accum0 += accum2; ++ ++ c[1] = ((uint64_t)(accum0)) & mask; ++ c[5] = ((uint64_t)(accum1)) & mask; ++ ++ accum0 >>= 56; ++ accum1 >>= 56; ++ ++ accum2 = widemul(aa[3], aa[3]); ++ accum0 -= widemul(a[3], a[3]); ++ accum1 += widemul(a[7], a[7]); ++ ++ accum1 += accum2; ++ accum0 += accum2; ++ ++ accum2 = widemul(2 * a[0], a[2]); ++ accum1 += widemul(2 * aa[0], aa[2]); ++ accum0 += widemul(2 * a[4], a[6]); ++ ++ accum2 += widemul(a[1], a[1]); ++ accum1 += widemul(aa[1], aa[1]); ++ accum0 += widemul(a[5], a[5]); ++ ++ accum1 -= accum2; ++ accum0 += accum2; ++ ++ c[2] = ((uint64_t)(accum0)) & mask; ++ c[6] = ((uint64_t)(accum1)) & mask; ++ ++ accum0 >>= 56; ++ accum1 >>= 56; ++ ++ accum0 += c[3]; ++ accum1 += c[7]; ++ c[3] = ((uint64_t)(accum0)) & mask; ++ c[7] = ((uint64_t)(accum1)) & mask; ++ ++ /* we could almost stop here, but it wouldn't be stable, so... */ ++ ++ accum0 >>= 56; ++ accum1 >>= 56; ++ c[4] += ((uint64_t)(accum0)) + ((uint64_t)(accum1)); ++ c[0] += ((uint64_t)(accum1)); ++} +Index: openssl-1.1.1l/Configure +=================================================================== +--- openssl-1.1.1l.orig/Configure ++++ openssl-1.1.1l/Configure +@@ -1476,6 +1476,20 @@ if (!$disabled{asm} && !$predefined_C{__ + } + } + ++# Check if __SIZEOF_INT128__ is defined by compiler ++$config{use_int128} = 0; ++{ ++ my $cc = $config{CROSS_COMPILE}.$config{CC}; ++ open(PIPE, "$cc -E -dM - &1 |"); ++ while() { ++ if (m/__SIZEOF_INT128__/) { ++ $config{use_int128} = 1; ++ last; ++ } ++ } ++ close(PIPE); ++} ++ + # Deal with bn_ops ################################################### + + $config{bn_ll} =0; diff --git a/openssl-1_1-Zeroization.patch b/openssl-1_1-Zeroization.patch new file mode 100644 index 0000000..2f13470 --- /dev/null +++ b/openssl-1_1-Zeroization.patch @@ -0,0 +1,25 @@ +--- openssl-1.1.1l/crypto/fips/fips.c ++++ openssl-1.1.1l/crypto/fips/fips.c +@@ -350,6 +350,10 @@ static int FIPSCHECK_verify(const char * + if (strcmp(hex, hmac) != 0) { + rv = -1; + } ++ if (hmaclen != 0) { ++ OPENSSL_cleanse(buf, hmaclen); ++ OPENSSL_cleanse(hex, hmaclen * 2 + 1); ++ } + free(buf); + free(hex); + } else { +@@ -357,7 +360,11 @@ static int FIPSCHECK_verify(const char * + } + + end: ++ if (n != 0) ++ OPENSSL_cleanse(hmac, n); + free(hmac); ++ if (strlen(hmacpath) != 0) ++ OPENSSL_cleanse(hmacpath, strlen(hmacpath)); + free(hmacpath); + fclose(hf); + diff --git a/openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch b/openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch new file mode 100644 index 0000000..c28231c --- /dev/null +++ b/openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch @@ -0,0 +1,1535 @@ +From f596bbe4da779b56eea34d96168b557d78e1149a Mon Sep 17 00:00:00 2001 +From: Deepankar Bhattacharjee +Date: Mon, 20 Sep 2021 10:45:15 -0400 +Subject: [PATCH] chacha20 performance optimizations for ppc64le with 8x lanes, + Performance increase around 50%. + +Co-authored-by: Madhusudhanan Duraisamy + +Co-authored-by: Nilamjyoti Goswami + +Co-authored-by: Siva Sundar Anbareeswaran + +Reviewed-by: Danny Tsen +Tested-by: Danny Tsen +Signed-off-by: Danny + +Reviewed-by: Tomas Mraz +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/16637) +--- + Configurations/00-base-templates.conf | 2 + crypto/chacha/asm/chachap10-ppc.pl | 1354 ++++++++++++++++++++++++++++++++++ + crypto/chacha/build.info | 1 + crypto/perlasm/ppc-xlate.pl | 17 + crypto/ppc_arch.h | 1 + crypto/ppccap.c | 24 + crypto/ppccpuid.pl | 11 + 7 files changed, 1404 insertions(+), 6 deletions(-) + create mode 100755 crypto/chacha/asm/chachap10-ppc.pl + +--- a/Configurations/00-base-templates.conf ++++ b/Configurations/00-base-templates.conf +@@ -345,7 +345,7 @@ my %targets=( + aes_asm_src => "aes_core.c aes_cbc.c aes-ppc.s vpaes-ppc.s aesp8-ppc.s", + sha1_asm_src => "sha1-ppc.s sha256-ppc.s sha512-ppc.s sha256p8-ppc.s sha512p8-ppc.s", + modes_asm_src => "ghashp8-ppc.s aes-gcm-ppc.s", +- chacha_asm_src => "chacha-ppc.s", ++ chacha_asm_src => "chacha-ppc.s chachap10-ppc.s", + poly1305_asm_src=> "poly1305-ppc.s poly1305-ppcfp.s", + }, + ppc64_asm => { +--- /dev/null ++++ b/crypto/chacha/asm/chachap10-ppc.pl +@@ -0,0 +1,1354 @@ ++#! /usr/bin/env perl ++# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++# ++# ==================================================================== ++# Written by Andy Polyakov for the OpenSSL ++# project. The module is, however, dual licensed under OpenSSL and ++# CRYPTOGAMS licenses depending on where you obtain it. For further ++# details see http://www.openssl.org/~appro/cryptogams/. ++# ==================================================================== ++# ++# October 2015 ++# ++# ChaCha20 for PowerPC/AltiVec. ++# ++# June 2018 ++# ++# Add VSX 2.07 code path. Original 3xAltiVec+1xIALU is well-suited for ++# processors that can't issue more than one vector instruction per ++# cycle. But POWER8 (and POWER9) can issue a pair, and vector-only 4x ++# interleave would perform better. Incidentally PowerISA 2.07 (first ++# implemented by POWER8) defined new usable instructions, hence 4xVSX ++# code path... ++# ++# Performance in cycles per byte out of large buffer. ++# ++# IALU/gcc-4.x 3xAltiVec+1xIALU 4xVSX ++# ++# Freescale e300 13.6/+115% - - ++# PPC74x0/G4e 6.81/+310% 3.81 - ++# PPC970/G5 9.29/+160% ? - ++# POWER7 8.62/+61% 3.35 - ++# POWER8 8.70/+51% 2.91 2.09 ++# POWER9 8.80/+29% 4.44(*) 2.45(**) ++# ++# (*) this is trade-off result, it's possible to improve it, but ++# then it would negatively affect all others; ++# (**) POWER9 seems to be "allergic" to mixing vector and integer ++# instructions, which is why switch to vector-only code pays ++# off that much; ++ ++# $output is the last argument if it looks like a file (it has an extension) ++# $flavour is the first argument if it doesn't look like a file ++$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; ++$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; ++ ++if ($flavour =~ /64/) { ++ $SIZE_T =8; ++ $LRSAVE =2*$SIZE_T; ++ $STU ="stdu"; ++ $POP ="ld"; ++ $PUSH ="std"; ++ $UCMP ="cmpld"; ++} elsif ($flavour =~ /32/) { ++ $SIZE_T =4; ++ $LRSAVE =$SIZE_T; ++ $STU ="stwu"; ++ $POP ="lwz"; ++ $PUSH ="stw"; ++ $UCMP ="cmplw"; ++} else { die "nonsense $flavour"; } ++ ++$LITTLE_ENDIAN = ($flavour=~/le$/) ? 1 : 0; ++ ++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ++( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or ++( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or ++die "can't locate ppc-xlate.pl"; ++ ++open STDOUT,"| $^X $xlate $flavour \"$output\"" ++ or die "can't call $xlate: $!"; ++ ++$LOCALS=6*$SIZE_T; ++$FRAME=$LOCALS+64+18*$SIZE_T; # 64 is for local variables ++ ++sub AUTOLOAD() # thunk [simplified] x86-style perlasm ++{ my $opcode = $AUTOLOAD; $opcode =~ s/.*:://; $opcode =~ s/_/\./; ++ $code .= "\t$opcode\t".join(',',@_)."\n"; ++} ++ ++my $sp = "r1"; ++ ++my ($out,$inp,$len,$key,$ctr) = map("r$_",(3..7)); ++ ++ ++{{{ ++my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3, ++ $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3) = map("v$_",(0..15)); ++my @K = map("v$_",(16..19)); ++my $CTR = "v26"; ++my ($xt0,$xt1,$xt2,$xt3) = map("v$_",(27..30)); ++my ($sixteen,$twelve,$eight,$seven) = ($xt0,$xt1,$xt2,$xt3); ++my $beperm = "v31"; ++ ++my ($x00,$x10,$x20,$x30) = (0, map("r$_",(8..10))); ++ ++my $FRAME=$LOCALS+64+7*16; # 7*16 is for v26-v31 offload ++ ++sub VSX_lane_ROUND_1x { ++my $a=@_[0]; ++my $b=@_[1]; ++my $c=@_[2]; ++my $d=@_[3]; ++my $odd=@_[4]; ++ vadduwm ($a,$a,$b); ++ vxor ($d,$d,$a); ++ vrlw ($d,$d,$sixteen); ++ vadduwm ($c,$c,$d); ++ vxor ($b,$b,$c); ++ vrlw ($b,$b,$twelve); ++ vadduwm ($a,$a,$b); ++ vxor ($d,$d,$a); ++ vrlw ($d,$d,$eight); ++ vadduwm ($c,$c,$d); ++ vxor ($b,$b,$c); ++ vrlw ($b,$b,$seven); ++ xxsldwi ($c,$c,$c,2); ++ xxsldwi ($b,$b,$b,$odd?3:1); ++ xxsldwi ($d,$d,$d,$odd?1:3); ++} ++ ++ ++sub VSX_lane_ROUND_4x { ++my ($a0,$b0,$c0,$d0)=@_; ++my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0)); ++my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1)); ++my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2)); ++my @x=map("\"v$_\"",(0..15)); ++ ++ ( ++ "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", # Q1 ++ "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", # Q2 ++ "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", # Q3 ++ "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", # Q4 ++ "&vxor (@x[$d0],@x[$d0],@x[$a0])", ++ "&vxor (@x[$d1],@x[$d1],@x[$a1])", ++ "&vxor (@x[$d2],@x[$d2],@x[$a2])", ++ "&vxor (@x[$d3],@x[$d3],@x[$a3])", ++ "&vrlw (@x[$d0],@x[$d0],'$sixteen')", ++ "&vrlw (@x[$d1],@x[$d1],'$sixteen')", ++ "&vrlw (@x[$d2],@x[$d2],'$sixteen')", ++ "&vrlw (@x[$d3],@x[$d3],'$sixteen')", ++ ++ "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", ++ "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", ++ "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", ++ "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", ++ "&vxor (@x[$b0],@x[$b0],@x[$c0])", ++ "&vxor (@x[$b1],@x[$b1],@x[$c1])", ++ "&vxor (@x[$b2],@x[$b2],@x[$c2])", ++ "&vxor (@x[$b3],@x[$b3],@x[$c3])", ++ "&vrlw (@x[$b0],@x[$b0],'$twelve')", ++ "&vrlw (@x[$b1],@x[$b1],'$twelve')", ++ "&vrlw (@x[$b2],@x[$b2],'$twelve')", ++ "&vrlw (@x[$b3],@x[$b3],'$twelve')", ++ ++ "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", ++ "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", ++ "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", ++ "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", ++ "&vxor (@x[$d0],@x[$d0],@x[$a0])", ++ "&vxor (@x[$d1],@x[$d1],@x[$a1])", ++ "&vxor (@x[$d2],@x[$d2],@x[$a2])", ++ "&vxor (@x[$d3],@x[$d3],@x[$a3])", ++ "&vrlw (@x[$d0],@x[$d0],'$eight')", ++ "&vrlw (@x[$d1],@x[$d1],'$eight')", ++ "&vrlw (@x[$d2],@x[$d2],'$eight')", ++ "&vrlw (@x[$d3],@x[$d3],'$eight')", ++ ++ "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", ++ "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", ++ "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", ++ "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", ++ "&vxor (@x[$b0],@x[$b0],@x[$c0])", ++ "&vxor (@x[$b1],@x[$b1],@x[$c1])", ++ "&vxor (@x[$b2],@x[$b2],@x[$c2])", ++ "&vxor (@x[$b3],@x[$b3],@x[$c3])", ++ "&vrlw (@x[$b0],@x[$b0],'$seven')", ++ "&vrlw (@x[$b1],@x[$b1],'$seven')", ++ "&vrlw (@x[$b2],@x[$b2],'$seven')", ++ "&vrlw (@x[$b3],@x[$b3],'$seven')" ++ ); ++} ++ ++$code.=<<___; ++ ++.globl .ChaCha20_ctr32_vsx_p10 ++.align 5 ++.ChaCha20_ctr32_vsx_p10: ++ ${UCMP}i $len,256 ++ bgt ChaCha20_ctr32_vsx_8x ++ $STU $sp,-$FRAME($sp) ++ mflr r0 ++ li r10,`15+$LOCALS+64` ++ li r11,`31+$LOCALS+64` ++ mfspr r12,256 ++ stvx v26,r10,$sp ++ addi r10,r10,32 ++ stvx v27,r11,$sp ++ addi r11,r11,32 ++ stvx v28,r10,$sp ++ addi r10,r10,32 ++ stvx v29,r11,$sp ++ addi r11,r11,32 ++ stvx v30,r10,$sp ++ stvx v31,r11,$sp ++ stw r12,`$FRAME-4`($sp) # save vrsave ++ li r12,-4096+63 ++ $PUSH r0, `$FRAME+$LRSAVE`($sp) ++ mtspr 256,r12 # preserve 29 AltiVec registers ++ ++ bl Lconsts # returns pointer Lsigma in r12 ++ lvx_4w @K[0],0,r12 # load sigma ++ addi r12,r12,0x70 ++ li $x10,16 ++ li $x20,32 ++ li $x30,48 ++ li r11,64 ++ ++ lvx_4w @K[1],0,$key # load key ++ lvx_4w @K[2],$x10,$key ++ lvx_4w @K[3],0,$ctr # load counter ++ ++ vxor $xt0,$xt0,$xt0 ++ lvx_4w $xt1,r11,r12 ++ vspltw $CTR,@K[3],0 ++ vsldoi @K[3],@K[3],$xt0,4 ++ vsldoi @K[3],$xt0,@K[3],12 # clear @K[3].word[0] ++ vadduwm $CTR,$CTR,$xt1 ++ ++ be?lvsl $beperm,0,$x10 # 0x00..0f ++ be?vspltisb $xt0,3 # 0x03..03 ++ be?vxor $beperm,$beperm,$xt0 # swap bytes within words ++ ++ li r0,10 # inner loop counter ++ mtctr r0 ++ b Loop_outer_vsx ++ ++.align 5 ++Loop_outer_vsx: ++ lvx $xa0,$x00,r12 # load [smashed] sigma ++ lvx $xa1,$x10,r12 ++ lvx $xa2,$x20,r12 ++ lvx $xa3,$x30,r12 ++ ++ vspltw $xb0,@K[1],0 # smash the key ++ vspltw $xb1,@K[1],1 ++ vspltw $xb2,@K[1],2 ++ vspltw $xb3,@K[1],3 ++ ++ vspltw $xc0,@K[2],0 ++ vspltw $xc1,@K[2],1 ++ vspltw $xc2,@K[2],2 ++ vspltw $xc3,@K[2],3 ++ ++ vmr $xd0,$CTR # smash the counter ++ vspltw $xd1,@K[3],1 ++ vspltw $xd2,@K[3],2 ++ vspltw $xd3,@K[3],3 ++ ++ vspltisw $sixteen,-16 # synthesize constants ++ vspltisw $twelve,12 ++ vspltisw $eight,8 ++ vspltisw $seven,7 ++ ++ ${UCMP}i $len,64 ++ bgt Loop_vsx_4x ++ ++ vmr $xa0,@K[0] ++ vmr $xb0,@K[1] ++ vmr $xc0,@K[2] ++ vmr $xd0,@K[3] ++ ++Loop_vsx_1x: ++___ ++ VSX_lane_ROUND_1x($xa0, $xb0, $xc0,$xd0,0); ++ VSX_lane_ROUND_1x($xa0, $xb0, $xc0,$xd0,1); ++ ++$code.=<<___; ++ ++ bdnz Loop_vsx_1x ++ ++ vadduwm $xa0, $xa0, @K[0] ++ vadduwm $xb0, $xb0, @K[1] ++ vadduwm $xc0, $xc0, @K[2] ++ vadduwm $xd0, $xd0, @K[3] ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx ++ ++ lvx_4w $xt0,$x00, $inp ++ lvx_4w $xt1,$x10, $inp ++ lvx_4w $xt2,$x20, $inp ++ lvx_4w $xt3,$x30, $inp ++ ++ vxor $xa0,$xa0,$xt0 ++ vxor $xb0,$xb0,$xt1 ++ vxor $xc0,$xc0,$xt2 ++ vxor $xd0,$xd0,$xt3 ++ ++ stvx_4w $xa0,$x00,$out ++ stvx_4w $xb0,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xc0,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xd0,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx ++ ++Loop_vsx_4x: ++___ ++ foreach (&VSX_lane_ROUND_4x(0, 4, 8,12)) { eval; } ++ foreach (&VSX_lane_ROUND_4x(0, 5,10,15)) { eval; } ++$code.=<<___; ++ ++ bdnz Loop_vsx_4x ++ ++ vadduwm $xd0,$xd0,$CTR ++ ++ vmrgew $xt0,$xa0,$xa1 # transpose data ++ vmrgew $xt1,$xa2,$xa3 ++ vmrgow $xa0,$xa0,$xa1 ++ vmrgow $xa2,$xa2,$xa3 ++ vmrgew $xt2,$xb0,$xb1 ++ vmrgew $xt3,$xb2,$xb3 ++ vpermdi $xa1,$xa0,$xa2,0b00 ++ vpermdi $xa3,$xa0,$xa2,0b11 ++ vpermdi $xa0,$xt0,$xt1,0b00 ++ vpermdi $xa2,$xt0,$xt1,0b11 ++ ++ vmrgow $xb0,$xb0,$xb1 ++ vmrgow $xb2,$xb2,$xb3 ++ vmrgew $xt0,$xc0,$xc1 ++ vmrgew $xt1,$xc2,$xc3 ++ vpermdi $xb1,$xb0,$xb2,0b00 ++ vpermdi $xb3,$xb0,$xb2,0b11 ++ vpermdi $xb0,$xt2,$xt3,0b00 ++ vpermdi $xb2,$xt2,$xt3,0b11 ++ ++ vmrgow $xc0,$xc0,$xc1 ++ vmrgow $xc2,$xc2,$xc3 ++ vmrgew $xt2,$xd0,$xd1 ++ vmrgew $xt3,$xd2,$xd3 ++ vpermdi $xc1,$xc0,$xc2,0b00 ++ vpermdi $xc3,$xc0,$xc2,0b11 ++ vpermdi $xc0,$xt0,$xt1,0b00 ++ vpermdi $xc2,$xt0,$xt1,0b11 ++ ++ vmrgow $xd0,$xd0,$xd1 ++ vmrgow $xd2,$xd2,$xd3 ++ vspltisw $xt0,4 ++ vadduwm $CTR,$CTR,$xt0 # next counter value ++ vpermdi $xd1,$xd0,$xd2,0b00 ++ vpermdi $xd3,$xd0,$xd2,0b11 ++ vpermdi $xd0,$xt2,$xt3,0b00 ++ vpermdi $xd2,$xt2,$xt3,0b11 ++ ++ vadduwm $xa0,$xa0,@K[0] ++ vadduwm $xb0,$xb0,@K[1] ++ vadduwm $xc0,$xc0,@K[2] ++ vadduwm $xd0,$xd0,@K[3] ++ ++ be?vperm $xa0,$xa0,$xa0,$beperm ++ be?vperm $xb0,$xb0,$xb0,$beperm ++ be?vperm $xc0,$xc0,$xc0,$beperm ++ be?vperm $xd0,$xd0,$xd0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx ++ ++ lvx_4w $xt0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xt0,$xt0,$xa0 ++ vxor $xt1,$xt1,$xb0 ++ vxor $xt2,$xt2,$xc0 ++ vxor $xt3,$xt3,$xd0 ++ ++ stvx_4w $xt0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx ++ ++ vadduwm $xa0,$xa1,@K[0] ++ vadduwm $xb0,$xb1,@K[1] ++ vadduwm $xc0,$xc1,@K[2] ++ vadduwm $xd0,$xd1,@K[3] ++ ++ be?vperm $xa0,$xa0,$xa0,$beperm ++ be?vperm $xb0,$xb0,$xb0,$beperm ++ be?vperm $xc0,$xc0,$xc0,$beperm ++ be?vperm $xd0,$xd0,$xd0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx ++ ++ lvx_4w $xt0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xt0,$xt0,$xa0 ++ vxor $xt1,$xt1,$xb0 ++ vxor $xt2,$xt2,$xc0 ++ vxor $xt3,$xt3,$xd0 ++ ++ stvx_4w $xt0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx ++ ++ vadduwm $xa0,$xa2,@K[0] ++ vadduwm $xb0,$xb2,@K[1] ++ vadduwm $xc0,$xc2,@K[2] ++ vadduwm $xd0,$xd2,@K[3] ++ ++ be?vperm $xa0,$xa0,$xa0,$beperm ++ be?vperm $xb0,$xb0,$xb0,$beperm ++ be?vperm $xc0,$xc0,$xc0,$beperm ++ be?vperm $xd0,$xd0,$xd0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx ++ ++ lvx_4w $xt0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xt0,$xt0,$xa0 ++ vxor $xt1,$xt1,$xb0 ++ vxor $xt2,$xt2,$xc0 ++ vxor $xt3,$xt3,$xd0 ++ ++ stvx_4w $xt0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx ++ ++ vadduwm $xa0,$xa3,@K[0] ++ vadduwm $xb0,$xb3,@K[1] ++ vadduwm $xc0,$xc3,@K[2] ++ vadduwm $xd0,$xd3,@K[3] ++ ++ be?vperm $xa0,$xa0,$xa0,$beperm ++ be?vperm $xb0,$xb0,$xb0,$beperm ++ be?vperm $xc0,$xc0,$xc0,$beperm ++ be?vperm $xd0,$xd0,$xd0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx ++ ++ lvx_4w $xt0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xt0,$xt0,$xa0 ++ vxor $xt1,$xt1,$xb0 ++ vxor $xt2,$xt2,$xc0 ++ vxor $xt3,$xt3,$xd0 ++ ++ stvx_4w $xt0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ mtctr r0 ++ bne Loop_outer_vsx ++ ++Ldone_vsx: ++ lwz r12,`$FRAME-4`($sp) # pull vrsave ++ li r10,`15+$LOCALS+64` ++ li r11,`31+$LOCALS+64` ++ $POP r0, `$FRAME+$LRSAVE`($sp) ++ mtspr 256,r12 # restore vrsave ++ lvx v26,r10,$sp ++ addi r10,r10,32 ++ lvx v27,r11,$sp ++ addi r11,r11,32 ++ lvx v28,r10,$sp ++ addi r10,r10,32 ++ lvx v29,r11,$sp ++ addi r11,r11,32 ++ lvx v30,r10,$sp ++ lvx v31,r11,$sp ++ mtlr r0 ++ addi $sp,$sp,$FRAME ++ blr ++ ++.align 4 ++Ltail_vsx: ++ addi r11,$sp,$LOCALS ++ mtctr $len ++ stvx_4w $xa0,$x00,r11 # offload block to stack ++ stvx_4w $xb0,$x10,r11 ++ stvx_4w $xc0,$x20,r11 ++ stvx_4w $xd0,$x30,r11 ++ subi r12,r11,1 # prepare for *++ptr ++ subi $inp,$inp,1 ++ subi $out,$out,1 ++ ++Loop_tail_vsx: ++ lbzu r6,1(r12) ++ lbzu r7,1($inp) ++ xor r6,r6,r7 ++ stbu r6,1($out) ++ bdnz Loop_tail_vsx ++ ++ stvx_4w $K[0],$x00,r11 # wipe copy of the block ++ stvx_4w $K[0],$x10,r11 ++ stvx_4w $K[0],$x20,r11 ++ stvx_4w $K[0],$x30,r11 ++ ++ b Ldone_vsx ++ .long 0 ++ .byte 0,12,0x04,1,0x80,0,5,0 ++ .long 0 ++.size .ChaCha20_ctr32_vsx_p10,.-.ChaCha20_ctr32_vsx_p10 ++___ ++}}} ++ ++##This is 8 block in parallel implementation. The heart of chacha round uses vector instruction that has access to ++# vsr[32+X]. To perform the 8 parallel block we tend to use all 32 register to hold the 8 block info. ++# WE need to store few register value on side, so we can use VSR{32+X} for few vector instructions used in round op and hold intermediate value. ++# WE use the VSR[0]-VSR[31] for holding intermediate value and perform 8 block in parallel. ++# ++{{{ ++#### ($out,$inp,$len,$key,$ctr) = map("r$_",(3..7)); ++my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3, ++ $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3, ++ $xa4,$xa5,$xa6,$xa7, $xb4,$xb5,$xb6,$xb7, ++ $xc4,$xc5,$xc6,$xc7, $xd4,$xd5,$xd6,$xd7) = map("v$_",(0..31)); ++my ($xcn4,$xcn5,$xcn6,$xcn7, $xdn4,$xdn5,$xdn6,$xdn7) = map("v$_",(8..15)); ++my ($xan0,$xbn0,$xcn0,$xdn0) = map("v$_",(0..3)); ++my @K = map("v$_",27,(24..26)); ++my ($xt0,$xt1,$xt2,$xt3,$xt4) = map("v$_",23,(28..31)); ++my $xr0 = "v4"; ++my $CTR0 = "v22"; ++my $CTR1 = "v5"; ++my $beperm = "v31"; ++my ($x00,$x10,$x20,$x30) = (0, map("r$_",(8..10))); ++my ($xv0,$xv1,$xv2,$xv3,$xv4,$xv5,$xv6,$xv7) = map("v$_",(0..7)); ++my ($xv8,$xv9,$xv10,$xv11,$xv12,$xv13,$xv14,$xv15,$xv16,$xv17) = map("v$_",(8..17)); ++my ($xv18,$xv19,$xv20,$xv21) = map("v$_",(18..21)); ++my ($xv22,$xv23,$xv24,$xv25,$xv26) = map("v$_",(22..26)); ++ ++my $FRAME=$LOCALS+64+9*16; # 8*16 is for v24-v31 offload ++ ++sub VSX_lane_ROUND_8x { ++my ($a0,$b0,$c0,$d0,$a4,$b4,$c4,$d4)=@_; ++my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0)); ++my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1)); ++my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2)); ++my ($a5,$b5,$c5,$d5)=map(($_&~3)+(($_+1)&3),($a4,$b4,$c4,$d4)); ++my ($a6,$b6,$c6,$d6)=map(($_&~3)+(($_+1)&3),($a5,$b5,$c5,$d5)); ++my ($a7,$b7,$c7,$d7)=map(($_&~3)+(($_+1)&3),($a6,$b6,$c6,$d6)); ++my ($xv8,$xv9,$xv10,$xv11,$xv12,$xv13,$xv14,$xv15,$xv16,$xv17) = map("\"v$_\"",(8..17)); ++my @x=map("\"v$_\"",(0..31)); ++ ++ ( ++ "&vxxlor ($xv15 ,@x[$c7],@x[$c7])", #copy v30 to v13 ++ "&vxxlorc (@x[$c7], $xv9,$xv9)", ++ ++ "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", # Q1 ++ "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", # Q2 ++ "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", # Q3 ++ "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", # Q4 ++ "&vadduwm (@x[$a4],@x[$a4],@x[$b4])", # Q1 ++ "&vadduwm (@x[$a5],@x[$a5],@x[$b5])", # Q2 ++ "&vadduwm (@x[$a6],@x[$a6],@x[$b6])", # Q3 ++ "&vadduwm (@x[$a7],@x[$a7],@x[$b7])", # Q4 ++ ++ "&vxor (@x[$d0],@x[$d0],@x[$a0])", ++ "&vxor (@x[$d1],@x[$d1],@x[$a1])", ++ "&vxor (@x[$d2],@x[$d2],@x[$a2])", ++ "&vxor (@x[$d3],@x[$d3],@x[$a3])", ++ "&vxor (@x[$d4],@x[$d4],@x[$a4])", ++ "&vxor (@x[$d5],@x[$d5],@x[$a5])", ++ "&vxor (@x[$d6],@x[$d6],@x[$a6])", ++ "&vxor (@x[$d7],@x[$d7],@x[$a7])", ++ ++ "&vrlw (@x[$d0],@x[$d0],@x[$c7])", ++ "&vrlw (@x[$d1],@x[$d1],@x[$c7])", ++ "&vrlw (@x[$d2],@x[$d2],@x[$c7])", ++ "&vrlw (@x[$d3],@x[$d3],@x[$c7])", ++ "&vrlw (@x[$d4],@x[$d4],@x[$c7])", ++ "&vrlw (@x[$d5],@x[$d5],@x[$c7])", ++ "&vrlw (@x[$d6],@x[$d6],@x[$c7])", ++ "&vrlw (@x[$d7],@x[$d7],@x[$c7])", ++ ++ "&vxxlor ($xv13 ,@x[$a7],@x[$a7])", ++ "&vxxlorc (@x[$c7], $xv15,$xv15)", ++ "&vxxlorc (@x[$a7], $xv10,$xv10)", ++ ++ "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", ++ "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", ++ "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", ++ "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", ++ "&vadduwm (@x[$c4],@x[$c4],@x[$d4])", ++ "&vadduwm (@x[$c5],@x[$c5],@x[$d5])", ++ "&vadduwm (@x[$c6],@x[$c6],@x[$d6])", ++ "&vadduwm (@x[$c7],@x[$c7],@x[$d7])", ++ ++ "&vxor (@x[$b0],@x[$b0],@x[$c0])", ++ "&vxor (@x[$b1],@x[$b1],@x[$c1])", ++ "&vxor (@x[$b2],@x[$b2],@x[$c2])", ++ "&vxor (@x[$b3],@x[$b3],@x[$c3])", ++ "&vxor (@x[$b4],@x[$b4],@x[$c4])", ++ "&vxor (@x[$b5],@x[$b5],@x[$c5])", ++ "&vxor (@x[$b6],@x[$b6],@x[$c6])", ++ "&vxor (@x[$b7],@x[$b7],@x[$c7])", ++ ++ "&vrlw (@x[$b0],@x[$b0],@x[$a7])", ++ "&vrlw (@x[$b1],@x[$b1],@x[$a7])", ++ "&vrlw (@x[$b2],@x[$b2],@x[$a7])", ++ "&vrlw (@x[$b3],@x[$b3],@x[$a7])", ++ "&vrlw (@x[$b4],@x[$b4],@x[$a7])", ++ "&vrlw (@x[$b5],@x[$b5],@x[$a7])", ++ "&vrlw (@x[$b6],@x[$b6],@x[$a7])", ++ "&vrlw (@x[$b7],@x[$b7],@x[$a7])", ++ ++ "&vxxlorc (@x[$a7], $xv13,$xv13)", ++ "&vxxlor ($xv15 ,@x[$c7],@x[$c7])", ++ "&vxxlorc (@x[$c7], $xv11,$xv11)", ++ ++ ++ "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", ++ "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", ++ "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", ++ "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", ++ "&vadduwm (@x[$a4],@x[$a4],@x[$b4])", ++ "&vadduwm (@x[$a5],@x[$a5],@x[$b5])", ++ "&vadduwm (@x[$a6],@x[$a6],@x[$b6])", ++ "&vadduwm (@x[$a7],@x[$a7],@x[$b7])", ++ ++ "&vxor (@x[$d0],@x[$d0],@x[$a0])", ++ "&vxor (@x[$d1],@x[$d1],@x[$a1])", ++ "&vxor (@x[$d2],@x[$d2],@x[$a2])", ++ "&vxor (@x[$d3],@x[$d3],@x[$a3])", ++ "&vxor (@x[$d4],@x[$d4],@x[$a4])", ++ "&vxor (@x[$d5],@x[$d5],@x[$a5])", ++ "&vxor (@x[$d6],@x[$d6],@x[$a6])", ++ "&vxor (@x[$d7],@x[$d7],@x[$a7])", ++ ++ "&vrlw (@x[$d0],@x[$d0],@x[$c7])", ++ "&vrlw (@x[$d1],@x[$d1],@x[$c7])", ++ "&vrlw (@x[$d2],@x[$d2],@x[$c7])", ++ "&vrlw (@x[$d3],@x[$d3],@x[$c7])", ++ "&vrlw (@x[$d4],@x[$d4],@x[$c7])", ++ "&vrlw (@x[$d5],@x[$d5],@x[$c7])", ++ "&vrlw (@x[$d6],@x[$d6],@x[$c7])", ++ "&vrlw (@x[$d7],@x[$d7],@x[$c7])", ++ ++ "&vxxlorc (@x[$c7], $xv15,$xv15)", ++ "&vxxlor ($xv13 ,@x[$a7],@x[$a7])", ++ "&vxxlorc (@x[$a7], $xv12,$xv12)", ++ ++ "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", ++ "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", ++ "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", ++ "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", ++ "&vadduwm (@x[$c4],@x[$c4],@x[$d4])", ++ "&vadduwm (@x[$c5],@x[$c5],@x[$d5])", ++ "&vadduwm (@x[$c6],@x[$c6],@x[$d6])", ++ "&vadduwm (@x[$c7],@x[$c7],@x[$d7])", ++ "&vxor (@x[$b0],@x[$b0],@x[$c0])", ++ "&vxor (@x[$b1],@x[$b1],@x[$c1])", ++ "&vxor (@x[$b2],@x[$b2],@x[$c2])", ++ "&vxor (@x[$b3],@x[$b3],@x[$c3])", ++ "&vxor (@x[$b4],@x[$b4],@x[$c4])", ++ "&vxor (@x[$b5],@x[$b5],@x[$c5])", ++ "&vxor (@x[$b6],@x[$b6],@x[$c6])", ++ "&vxor (@x[$b7],@x[$b7],@x[$c7])", ++ "&vrlw (@x[$b0],@x[$b0],@x[$a7])", ++ "&vrlw (@x[$b1],@x[$b1],@x[$a7])", ++ "&vrlw (@x[$b2],@x[$b2],@x[$a7])", ++ "&vrlw (@x[$b3],@x[$b3],@x[$a7])", ++ "&vrlw (@x[$b4],@x[$b4],@x[$a7])", ++ "&vrlw (@x[$b5],@x[$b5],@x[$a7])", ++ "&vrlw (@x[$b6],@x[$b6],@x[$a7])", ++ "&vrlw (@x[$b7],@x[$b7],@x[$a7])", ++ ++ "&vxxlorc (@x[$a7], $xv13,$xv13)", ++ ); ++} ++ ++$code.=<<___; ++ ++.globl .ChaCha20_ctr32_vsx_8x ++.align 5 ++.ChaCha20_ctr32_vsx_8x: ++ $STU $sp,-$FRAME($sp) ++ mflr r0 ++ li r10,`15+$LOCALS+64` ++ li r11,`31+$LOCALS+64` ++ mfspr r12,256 ++ stvx v24,r10,$sp ++ addi r10,r10,32 ++ stvx v25,r11,$sp ++ addi r11,r11,32 ++ stvx v26,r10,$sp ++ addi r10,r10,32 ++ stvx v27,r11,$sp ++ addi r11,r11,32 ++ stvx v28,r10,$sp ++ addi r10,r10,32 ++ stvx v29,r11,$sp ++ addi r11,r11,32 ++ stvx v30,r10,$sp ++ stvx v31,r11,$sp ++ stw r12,`$FRAME-4`($sp) # save vrsave ++ li r12,-4096+63 ++ $PUSH r0, `$FRAME+$LRSAVE`($sp) ++ mtspr 256,r12 # preserve 29 AltiVec registers ++ ++ bl Lconsts # returns pointer Lsigma in r12 ++ ++ lvx_4w @K[0],0,r12 # load sigma ++ addi r12,r12,0x70 ++ li $x10,16 ++ li $x20,32 ++ li $x30,48 ++ li r11,64 ++ ++ vspltisw $xa4,-16 # synthesize constants ++ vspltisw $xb4,12 # synthesize constants ++ vspltisw $xc4,8 # synthesize constants ++ vspltisw $xd4,7 # synthesize constants ++ ++ lvx $xa0,$x00,r12 # load [smashed] sigma ++ lvx $xa1,$x10,r12 ++ lvx $xa2,$x20,r12 ++ lvx $xa3,$x30,r12 ++ ++ vxxlor $xv9 ,$xa4,$xa4 #save shift val in vr9-12 ++ vxxlor $xv10 ,$xb4,$xb4 ++ vxxlor $xv11 ,$xc4,$xc4 ++ vxxlor $xv12 ,$xd4,$xd4 ++ vxxlor $xv22 ,$xa0,$xa0 #save sigma in vr22-25 ++ vxxlor $xv23 ,$xa1,$xa1 ++ vxxlor $xv24 ,$xa2,$xa2 ++ vxxlor $xv25 ,$xa3,$xa3 ++ ++ lvx_4w @K[1],0,$key # load key ++ lvx_4w @K[2],$x10,$key ++ lvx_4w @K[3],0,$ctr # load counter ++ vspltisw $xt3,4 ++ ++ ++ vxor $xt2,$xt2,$xt2 ++ lvx_4w $xt1,r11,r12 ++ vspltw $xa2,@K[3],0 #save the original count after spltw ++ vsldoi @K[3],@K[3],$xt2,4 ++ vsldoi @K[3],$xt2,@K[3],12 # clear @K[3].word[0] ++ vadduwm $xt1,$xa2,$xt1 ++ vadduwm $xt3,$xt1,$xt3 # next counter value ++ vspltw $xa0,@K[2],2 # save the K[2] spltw 2 and save v8. ++ ++ be?lvsl $beperm,0,$x10 # 0x00..0f ++ be?vspltisb $xt0,3 # 0x03..03 ++ be?vxor $beperm,$beperm,$xt0 # swap bytes within words ++ be?vxxlor $xv26 ,$beperm,$beperm ++ ++ vxxlor $xv0 ,@K[0],@K[0] # K0,k1,k2 to vr0,1,2 ++ vxxlor $xv1 ,@K[1],@K[1] ++ vxxlor $xv2 ,@K[2],@K[2] ++ vxxlor $xv3 ,@K[3],@K[3] ++ vxxlor $xv4 ,$xt1,$xt1 #CTR ->4, CTR+4-> 5 ++ vxxlor $xv5 ,$xt3,$xt3 ++ vxxlor $xv8 ,$xa0,$xa0 ++ ++ li r0,10 # inner loop counter ++ mtctr r0 ++ b Loop_outer_vsx_8x ++ ++.align 5 ++Loop_outer_vsx_8x: ++ vxxlorc $xa0,$xv22,$xv22 # load [smashed] sigma ++ vxxlorc $xa1,$xv23,$xv23 ++ vxxlorc $xa2,$xv24,$xv24 ++ vxxlorc $xa3,$xv25,$xv25 ++ vxxlorc $xa4,$xv22,$xv22 ++ vxxlorc $xa5,$xv23,$xv23 ++ vxxlorc $xa6,$xv24,$xv24 ++ vxxlorc $xa7,$xv25,$xv25 ++ ++ vspltw $xb0,@K[1],0 # smash the key ++ vspltw $xb1,@K[1],1 ++ vspltw $xb2,@K[1],2 ++ vspltw $xb3,@K[1],3 ++ vspltw $xb4,@K[1],0 # smash the key ++ vspltw $xb5,@K[1],1 ++ vspltw $xb6,@K[1],2 ++ vspltw $xb7,@K[1],3 ++ ++ vspltw $xc0,@K[2],0 ++ vspltw $xc1,@K[2],1 ++ vspltw $xc2,@K[2],2 ++ vspltw $xc3,@K[2],3 ++ vspltw $xc4,@K[2],0 ++ vspltw $xc7,@K[2],3 ++ vspltw $xc5,@K[2],1 ++ ++ vxxlorc $xd0,$xv4,$xv4 # smash the counter ++ vspltw $xd1,@K[3],1 ++ vspltw $xd2,@K[3],2 ++ vspltw $xd3,@K[3],3 ++ vxxlorc $xd4,$xv5,$xv5 # smash the counter ++ vspltw $xd5,@K[3],1 ++ vspltw $xd6,@K[3],2 ++ vspltw $xd7,@K[3],3 ++ vxxlorc $xc6,$xv8,$xv8 #copy of vlspt k[2],2 is in v8.v26 ->k[3] so need to wait until k3 is done ++ ++Loop_vsx_8x: ++___ ++ foreach (&VSX_lane_ROUND_8x(0,4, 8,12,16,20,24,28)) { eval; } ++ foreach (&VSX_lane_ROUND_8x(0,5,10,15,16,21,26,31)) { eval; } ++$code.=<<___; ++ ++ bdnz Loop_vsx_8x ++ vxxlor $xv13 ,$xd4,$xd4 # save the register vr24-31 ++ vxxlor $xv14 ,$xd5,$xd5 # ++ vxxlor $xv15 ,$xd6,$xd6 # ++ vxxlor $xv16 ,$xd7,$xd7 # ++ ++ vxxlor $xv18 ,$xc4,$xc4 # ++ vxxlor $xv19 ,$xc5,$xc5 # ++ vxxlor $xv20 ,$xc6,$xc6 # ++ vxxlor $xv21 ,$xc7,$xc7 # ++ ++ vxxlor $xv6 ,$xb6,$xb6 # save vr23, so we get 8 regs ++ vxxlor $xv7 ,$xb7,$xb7 # save vr23, so we get 8 regs ++ be?vxxlorc $beperm,$xv26,$xv26 # copy back the the beperm. ++ ++ vxxlorc @K[0],$xv0,$xv0 #27 ++ vxxlorc @K[1],$xv1,$xv1 #24 ++ vxxlorc @K[2],$xv2,$xv2 #25 ++ vxxlorc @K[3],$xv3,$xv3 #26 ++ vxxlorc $CTR0,$xv4,$xv4 ++###changing to vertical ++ ++ vmrgew $xt0,$xa0,$xa1 # transpose data ++ vmrgew $xt1,$xa2,$xa3 ++ vmrgow $xa0,$xa0,$xa1 ++ vmrgow $xa2,$xa2,$xa3 ++ ++ vmrgew $xt2,$xb0,$xb1 ++ vmrgew $xt3,$xb2,$xb3 ++ vmrgow $xb0,$xb0,$xb1 ++ vmrgow $xb2,$xb2,$xb3 ++ ++ vadduwm $xd0,$xd0,$CTR0 ++ ++ vpermdi $xa1,$xa0,$xa2,0b00 ++ vpermdi $xa3,$xa0,$xa2,0b11 ++ vpermdi $xa0,$xt0,$xt1,0b00 ++ vpermdi $xa2,$xt0,$xt1,0b11 ++ vpermdi $xb1,$xb0,$xb2,0b00 ++ vpermdi $xb3,$xb0,$xb2,0b11 ++ vpermdi $xb0,$xt2,$xt3,0b00 ++ vpermdi $xb2,$xt2,$xt3,0b11 ++ ++ vmrgew $xt0,$xc0,$xc1 ++ vmrgew $xt1,$xc2,$xc3 ++ vmrgow $xc0,$xc0,$xc1 ++ vmrgow $xc2,$xc2,$xc3 ++ vmrgew $xt2,$xd0,$xd1 ++ vmrgew $xt3,$xd2,$xd3 ++ vmrgow $xd0,$xd0,$xd1 ++ vmrgow $xd2,$xd2,$xd3 ++ ++ vpermdi $xc1,$xc0,$xc2,0b00 ++ vpermdi $xc3,$xc0,$xc2,0b11 ++ vpermdi $xc0,$xt0,$xt1,0b00 ++ vpermdi $xc2,$xt0,$xt1,0b11 ++ vpermdi $xd1,$xd0,$xd2,0b00 ++ vpermdi $xd3,$xd0,$xd2,0b11 ++ vpermdi $xd0,$xt2,$xt3,0b00 ++ vpermdi $xd2,$xt2,$xt3,0b11 ++ ++ vspltisw $xt0,8 ++ vadduwm $CTR0,$CTR0,$xt0 # next counter value ++ vxxlor $xv4 ,$CTR0,$CTR0 #CTR+4-> 5 ++ ++ vadduwm $xa0,$xa0,@K[0] ++ vadduwm $xb0,$xb0,@K[1] ++ vadduwm $xc0,$xc0,@K[2] ++ vadduwm $xd0,$xd0,@K[3] ++ ++ be?vperm $xa0,$xa0,$xa0,$beperm ++ be?vperm $xb0,$xb0,$xb0,$beperm ++ be?vperm $xc0,$xc0,$xc0,$beperm ++ be?vperm $xd0,$xd0,$xd0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx_8x ++ ++ lvx_4w $xt0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xt0,$xt0,$xa0 ++ vxor $xt1,$xt1,$xb0 ++ vxor $xt2,$xt2,$xc0 ++ vxor $xt3,$xt3,$xd0 ++ ++ stvx_4w $xt0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx_8x ++ ++ vadduwm $xa0,$xa1,@K[0] ++ vadduwm $xb0,$xb1,@K[1] ++ vadduwm $xc0,$xc1,@K[2] ++ vadduwm $xd0,$xd1,@K[3] ++ ++ be?vperm $xa0,$xa0,$xa0,$beperm ++ be?vperm $xb0,$xb0,$xb0,$beperm ++ be?vperm $xc0,$xc0,$xc0,$beperm ++ be?vperm $xd0,$xd0,$xd0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx_8x ++ ++ lvx_4w $xt0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xt0,$xt0,$xa0 ++ vxor $xt1,$xt1,$xb0 ++ vxor $xt2,$xt2,$xc0 ++ vxor $xt3,$xt3,$xd0 ++ ++ stvx_4w $xt0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx_8x ++ ++ vadduwm $xa0,$xa2,@K[0] ++ vadduwm $xb0,$xb2,@K[1] ++ vadduwm $xc0,$xc2,@K[2] ++ vadduwm $xd0,$xd2,@K[3] ++ ++ be?vperm $xa0,$xa0,$xa0,$beperm ++ be?vperm $xb0,$xb0,$xb0,$beperm ++ be?vperm $xc0,$xc0,$xc0,$beperm ++ be?vperm $xd0,$xd0,$xd0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx_8x ++ ++ lvx_4w $xt0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xt0,$xt0,$xa0 ++ vxor $xt1,$xt1,$xb0 ++ vxor $xt2,$xt2,$xc0 ++ vxor $xt3,$xt3,$xd0 ++ ++ stvx_4w $xt0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx_8x ++ ++ vadduwm $xa0,$xa3,@K[0] ++ vadduwm $xb0,$xb3,@K[1] ++ vadduwm $xc0,$xc3,@K[2] ++ vadduwm $xd0,$xd3,@K[3] ++ ++ be?vperm $xa0,$xa0,$xa0,$beperm ++ be?vperm $xb0,$xb0,$xb0,$beperm ++ be?vperm $xc0,$xc0,$xc0,$beperm ++ be?vperm $xd0,$xd0,$xd0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx_8x ++ ++ lvx_4w $xt0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xt0,$xt0,$xa0 ++ vxor $xt1,$xt1,$xb0 ++ vxor $xt2,$xt2,$xc0 ++ vxor $xt3,$xt3,$xd0 ++ ++ stvx_4w $xt0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx_8x ++ ++#blk4-7: 24:31 remain the same as we can use the same logic above . Reg a4-b7 remain same.Load c4,d7--> position 8-15.we can reuse vr24-31. ++#VR0-3 : are used to load temp value, vr4 --> as xr0 instead of xt0. ++ ++ vxxlorc $CTR1 ,$xv5,$xv5 ++ ++ vxxlorc $xcn4 ,$xv18,$xv18 ++ vxxlorc $xcn5 ,$xv19,$xv19 ++ vxxlorc $xcn6 ,$xv20,$xv20 ++ vxxlorc $xcn7 ,$xv21,$xv21 ++ ++ vxxlorc $xdn4 ,$xv13,$xv13 ++ vxxlorc $xdn5 ,$xv14,$xv14 ++ vxxlorc $xdn6 ,$xv15,$xv15 ++ vxxlorc $xdn7 ,$xv16,$xv16 ++ vadduwm $xdn4,$xdn4,$CTR1 ++ ++ vxxlorc $xb6 ,$xv6,$xv6 ++ vxxlorc $xb7 ,$xv7,$xv7 ++#use xa1->xr0, as xt0...in the block 4-7 ++ ++ vmrgew $xr0,$xa4,$xa5 # transpose data ++ vmrgew $xt1,$xa6,$xa7 ++ vmrgow $xa4,$xa4,$xa5 ++ vmrgow $xa6,$xa6,$xa7 ++ vmrgew $xt2,$xb4,$xb5 ++ vmrgew $xt3,$xb6,$xb7 ++ vmrgow $xb4,$xb4,$xb5 ++ vmrgow $xb6,$xb6,$xb7 ++ ++ vpermdi $xa5,$xa4,$xa6,0b00 ++ vpermdi $xa7,$xa4,$xa6,0b11 ++ vpermdi $xa4,$xr0,$xt1,0b00 ++ vpermdi $xa6,$xr0,$xt1,0b11 ++ vpermdi $xb5,$xb4,$xb6,0b00 ++ vpermdi $xb7,$xb4,$xb6,0b11 ++ vpermdi $xb4,$xt2,$xt3,0b00 ++ vpermdi $xb6,$xt2,$xt3,0b11 ++ ++ vmrgew $xr0,$xcn4,$xcn5 ++ vmrgew $xt1,$xcn6,$xcn7 ++ vmrgow $xcn4,$xcn4,$xcn5 ++ vmrgow $xcn6,$xcn6,$xcn7 ++ vmrgew $xt2,$xdn4,$xdn5 ++ vmrgew $xt3,$xdn6,$xdn7 ++ vmrgow $xdn4,$xdn4,$xdn5 ++ vmrgow $xdn6,$xdn6,$xdn7 ++ ++ vpermdi $xcn5,$xcn4,$xcn6,0b00 ++ vpermdi $xcn7,$xcn4,$xcn6,0b11 ++ vpermdi $xcn4,$xr0,$xt1,0b00 ++ vpermdi $xcn6,$xr0,$xt1,0b11 ++ vpermdi $xdn5,$xdn4,$xdn6,0b00 ++ vpermdi $xdn7,$xdn4,$xdn6,0b11 ++ vpermdi $xdn4,$xt2,$xt3,0b00 ++ vpermdi $xdn6,$xt2,$xt3,0b11 ++ ++ vspltisw $xr0,8 ++ vadduwm $CTR1,$CTR1,$xr0 # next counter value ++ vxxlor $xv5 ,$CTR1,$CTR1 #CTR+4-> 5 ++ ++ vadduwm $xan0,$xa4,@K[0] ++ vadduwm $xbn0,$xb4,@K[1] ++ vadduwm $xcn0,$xcn4,@K[2] ++ vadduwm $xdn0,$xdn4,@K[3] ++ ++ be?vperm $xan0,$xa4,$xa4,$beperm ++ be?vperm $xbn0,$xb4,$xb4,$beperm ++ be?vperm $xcn0,$xcn4,$xcn4,$beperm ++ be?vperm $xdn0,$xdn4,$xdn4,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx_8x_1 ++ ++ lvx_4w $xr0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xr0,$xr0,$xan0 ++ vxor $xt1,$xt1,$xbn0 ++ vxor $xt2,$xt2,$xcn0 ++ vxor $xt3,$xt3,$xdn0 ++ ++ stvx_4w $xr0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx_8x ++ ++ vadduwm $xan0,$xa5,@K[0] ++ vadduwm $xbn0,$xb5,@K[1] ++ vadduwm $xcn0,$xcn5,@K[2] ++ vadduwm $xdn0,$xdn5,@K[3] ++ ++ be?vperm $xan0,$xan0,$xan0,$beperm ++ be?vperm $xbn0,$xbn0,$xbn0,$beperm ++ be?vperm $xcn0,$xcn0,$xcn0,$beperm ++ be?vperm $xdn0,$xdn0,$xdn0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx_8x_1 ++ ++ lvx_4w $xr0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xr0,$xr0,$xan0 ++ vxor $xt1,$xt1,$xbn0 ++ vxor $xt2,$xt2,$xcn0 ++ vxor $xt3,$xt3,$xdn0 ++ ++ stvx_4w $xr0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx_8x ++ ++ vadduwm $xan0,$xa6,@K[0] ++ vadduwm $xbn0,$xb6,@K[1] ++ vadduwm $xcn0,$xcn6,@K[2] ++ vadduwm $xdn0,$xdn6,@K[3] ++ ++ be?vperm $xan0,$xan0,$xan0,$beperm ++ be?vperm $xbn0,$xbn0,$xbn0,$beperm ++ be?vperm $xcn0,$xcn0,$xcn0,$beperm ++ be?vperm $xdn0,$xdn0,$xdn0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx_8x_1 ++ ++ lvx_4w $xr0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xr0,$xr0,$xan0 ++ vxor $xt1,$xt1,$xbn0 ++ vxor $xt2,$xt2,$xcn0 ++ vxor $xt3,$xt3,$xdn0 ++ ++ stvx_4w $xr0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx_8x ++ ++ vadduwm $xan0,$xa7,@K[0] ++ vadduwm $xbn0,$xb7,@K[1] ++ vadduwm $xcn0,$xcn7,@K[2] ++ vadduwm $xdn0,$xdn7,@K[3] ++ ++ be?vperm $xan0,$xan0,$xan0,$beperm ++ be?vperm $xbn0,$xbn0,$xbn0,$beperm ++ be?vperm $xcn0,$xcn0,$xcn0,$beperm ++ be?vperm $xdn0,$xdn0,$xdn0,$beperm ++ ++ ${UCMP}i $len,0x40 ++ blt Ltail_vsx_8x_1 ++ ++ lvx_4w $xr0,$x00,$inp ++ lvx_4w $xt1,$x10,$inp ++ lvx_4w $xt2,$x20,$inp ++ lvx_4w $xt3,$x30,$inp ++ ++ vxor $xr0,$xr0,$xan0 ++ vxor $xt1,$xt1,$xbn0 ++ vxor $xt2,$xt2,$xcn0 ++ vxor $xt3,$xt3,$xdn0 ++ ++ stvx_4w $xr0,$x00,$out ++ stvx_4w $xt1,$x10,$out ++ addi $inp,$inp,0x40 ++ stvx_4w $xt2,$x20,$out ++ subi $len,$len,0x40 ++ stvx_4w $xt3,$x30,$out ++ addi $out,$out,0x40 ++ beq Ldone_vsx_8x ++ ++ mtctr r0 ++ bne Loop_outer_vsx_8x ++ ++Ldone_vsx_8x: ++ lwz r12,`$FRAME-4`($sp) # pull vrsave ++ li r10,`15+$LOCALS+64` ++ li r11,`31+$LOCALS+64` ++ $POP r0, `$FRAME+$LRSAVE`($sp) ++ mtspr 256,r12 # restore vrsave ++ lvx v24,r10,$sp ++ addi r10,r10,32 ++ lvx v25,r11,$sp ++ addi r11,r11,32 ++ lvx v26,r10,$sp ++ addi r10,r10,32 ++ lvx v27,r11,$sp ++ addi r11,r11,32 ++ lvx v28,r10,$sp ++ addi r10,r10,32 ++ lvx v29,r11,$sp ++ addi r11,r11,32 ++ lvx v30,r10,$sp ++ lvx v31,r11,$sp ++ mtlr r0 ++ addi $sp,$sp,$FRAME ++ blr ++ ++.align 4 ++Ltail_vsx_8x: ++ addi r11,$sp,$LOCALS ++ mtctr $len ++ stvx_4w $xa0,$x00,r11 # offload block to stack ++ stvx_4w $xb0,$x10,r11 ++ stvx_4w $xc0,$x20,r11 ++ stvx_4w $xd0,$x30,r11 ++ subi r12,r11,1 # prepare for *++ptr ++ subi $inp,$inp,1 ++ subi $out,$out,1 ++ bl Loop_tail_vsx_8x ++Ltail_vsx_8x_1: ++ addi r11,$sp,$LOCALS ++ mtctr $len ++ stvx_4w $xan0,$x00,r11 # offload block to stack ++ stvx_4w $xbn0,$x10,r11 ++ stvx_4w $xcn0,$x20,r11 ++ stvx_4w $xdn0,$x30,r11 ++ subi r12,r11,1 # prepare for *++ptr ++ subi $inp,$inp,1 ++ subi $out,$out,1 ++ bl Loop_tail_vsx_8x ++ ++Loop_tail_vsx_8x: ++ lbzu r6,1(r12) ++ lbzu r7,1($inp) ++ xor r6,r6,r7 ++ stbu r6,1($out) ++ bdnz Loop_tail_vsx_8x ++ ++ stvx_4w $K[0],$x00,r11 # wipe copy of the block ++ stvx_4w $K[0],$x10,r11 ++ stvx_4w $K[0],$x20,r11 ++ stvx_4w $K[0],$x30,r11 ++ ++ b Ldone_vsx_8x ++ .long 0 ++ .byte 0,12,0x04,1,0x80,0,5,0 ++ .long 0 ++.size .ChaCha20_ctr32_vsx_8x,.-.ChaCha20_ctr32_vsx_8x ++___ ++}}} ++ ++ ++$code.=<<___; ++.align 5 ++Lconsts: ++ mflr r0 ++ bcl 20,31,\$+4 ++ mflr r12 #vvvvv "distance between . and Lsigma ++ addi r12,r12,`64-8` ++ mtlr r0 ++ blr ++ .long 0 ++ .byte 0,12,0x14,0,0,0,0,0 ++ .space `64-9*4` ++Lsigma: ++ .long 0x61707865,0x3320646e,0x79622d32,0x6b206574 ++ .long 1,0,0,0 ++ .long 2,0,0,0 ++ .long 3,0,0,0 ++ .long 4,0,0,0 ++___ ++$code.=<<___ if ($LITTLE_ENDIAN); ++ .long 0x0e0f0c0d,0x0a0b0809,0x06070405,0x02030001 ++ .long 0x0d0e0f0c,0x090a0b08,0x05060704,0x01020300 ++___ ++$code.=<<___ if (!$LITTLE_ENDIAN); # flipped words ++ .long 0x02030001,0x06070405,0x0a0b0809,0x0e0f0c0d ++ .long 0x01020300,0x05060704,0x090a0b08,0x0d0e0f0c ++___ ++$code.=<<___; ++ .long 0x61707865,0x61707865,0x61707865,0x61707865 ++ .long 0x3320646e,0x3320646e,0x3320646e,0x3320646e ++ .long 0x79622d32,0x79622d32,0x79622d32,0x79622d32 ++ .long 0x6b206574,0x6b206574,0x6b206574,0x6b206574 ++ .long 0,1,2,3 ++ .long 0x03020100,0x07060504,0x0b0a0908,0x0f0e0d0c ++.asciz "ChaCha20 for PowerPC/AltiVec, CRYPTOGAMS by " ++.align 2 ++___ ++ ++foreach (split("\n",$code)) { ++ s/\`([^\`]*)\`/eval $1/ge; ++ ++ # instructions prefixed with '?' are endian-specific and need ++ # to be adjusted accordingly... ++ if ($flavour !~ /le$/) { # big-endian ++ s/be\?// or ++ s/le\?/#le#/ or ++ s/\?lvsr/lvsl/ or ++ s/\?lvsl/lvsr/ or ++ s/\?(vperm\s+v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+)/$1$3$2$4/ or ++ s/vrldoi(\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9]+)/vsldoi$1$2$2 16-$3/; ++ } else { # little-endian ++ s/le\?// or ++ s/be\?/#be#/ or ++ s/\?([a-z]+)/$1/ or ++ s/vrldoi(\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9]+)/vsldoi$1$2$2 $3/; ++ } ++ ++ print $_,"\n"; ++} ++ ++close STDOUT or die "error closing STDOUT: $!"; +--- a/crypto/chacha/build.info ++++ b/crypto/chacha/build.info +@@ -5,6 +5,7 @@ GENERATE[chacha-x86.s]=asm/chacha-x86.pl + $(PERLASM_SCHEME) $(LIB_CFLAGS) $(LIB_CPPFLAGS) $(PROCESSOR) + GENERATE[chacha-x86_64.s]=asm/chacha-x86_64.pl $(PERLASM_SCHEME) + GENERATE[chacha-ppc.s]=asm/chacha-ppc.pl $(PERLASM_SCHEME) ++GENERATE[chachap10-ppc.s]=asm/chachap10-ppc.pl $(PERLASM_SCHEME) + GENERATE[chacha-armv4.S]=asm/chacha-armv4.pl $(PERLASM_SCHEME) + INCLUDE[chacha-armv4.o]=.. + GENERATE[chacha-armv8.S]=asm/chacha-armv8.pl $(PERLASM_SCHEME) +--- a/crypto/perlasm/ppc-xlate.pl ++++ b/crypto/perlasm/ppc-xlate.pl +@@ -288,6 +288,14 @@ my $vpermdi = sub { # xxpermdi + $dm = oct($dm) if ($dm =~ /^0/); + " .long ".sprintf "0x%X",(60<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|($dm<<8)|(10<<3)|7; + }; ++my $vxxlor = sub { # xxlor ++ my ($f, $vrt, $vra, $vrb) = @_; ++ " .long ".sprintf "0x%X",(60<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|(146<<3)|6; ++}; ++my $vxxlorc = sub { # xxlor ++ my ($f, $vrt, $vra, $vrb) = @_; ++ " .long ".sprintf "0x%X",(60<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|(146<<3)|1; ++}; + + # PowerISA 2.07 stuff + sub vcrypto_op { +@@ -370,6 +378,15 @@ my $addex = sub { + }; + my $vmsumudm = sub { vfour_vsr(@_, 35); }; + ++# PowerISA 3.1 stuff ++my $brd = sub { ++ my ($f, $ra, $rs) = @_; ++ " .long ".sprintf "0x%X",(31<<26)|($rs<<21)|($ra<<16)|(187<<1); ++}; ++my $vsrq = sub { vcrypto_op(@_, 517); }; ++ ++ ++ + while($line=<>) { + + $line =~ s|[#!;].*$||; # get rid of asm-style comments... +--- a/crypto/ppc_arch.h ++++ b/crypto/ppc_arch.h +@@ -24,5 +24,6 @@ extern unsigned int OPENSSL_ppccap_P; + # define PPC_MADD300 (1<<4) + # define PPC_MFTB (1<<5) + # define PPC_MFSPR268 (1<<6) ++# define PPC_BRD31 (1<<7) + + #endif +--- a/crypto/ppccap.c ++++ b/crypto/ppccap.c +@@ -108,15 +108,20 @@ void ChaCha20_ctr32_vmx(unsigned char *o + void ChaCha20_ctr32_vsx(unsigned char *out, const unsigned char *inp, + size_t len, const unsigned int key[8], + const unsigned int counter[4]); ++void ChaCha20_ctr32_vsx_p10(unsigned char *out, const unsigned char *inp, ++ size_t len, const unsigned int key[8], ++ const unsigned int counter[4]); + void ChaCha20_ctr32(unsigned char *out, const unsigned char *inp, + size_t len, const unsigned int key[8], + const unsigned int counter[4]) + { +- OPENSSL_ppccap_P & PPC_CRYPTO207 +- ? ChaCha20_ctr32_vsx(out, inp, len, key, counter) +- : OPENSSL_ppccap_P & PPC_ALTIVEC +- ? ChaCha20_ctr32_vmx(out, inp, len, key, counter) +- : ChaCha20_ctr32_int(out, inp, len, key, counter); ++ OPENSSL_ppccap_P & PPC_BRD31 ++ ? ChaCha20_ctr32_vsx_p10(out, inp, len, key, counter) ++ :OPENSSL_ppccap_P & PPC_CRYPTO207 ++ ? ChaCha20_ctr32_vsx(out, inp, len, key, counter) ++ : OPENSSL_ppccap_P & PPC_ALTIVEC ++ ? ChaCha20_ctr32_vmx(out, inp, len, key, counter) ++ : ChaCha20_ctr32_int(out, inp, len, key, counter); + } + #endif + +@@ -182,6 +187,7 @@ void OPENSSL_ppc64_probe(void); + void OPENSSL_altivec_probe(void); + void OPENSSL_crypto207_probe(void); + void OPENSSL_madd300_probe(void); ++void OPENSSL_brd31_probe(void); + + long OPENSSL_rdtsc_mftb(void); + long OPENSSL_rdtsc_mfspr268(void); +@@ -264,6 +270,7 @@ static unsigned long getauxval(unsigned + #define HWCAP2 26 /* AT_HWCAP2 */ + #define HWCAP_VEC_CRYPTO (1U << 25) + #define HWCAP_ARCH_3_00 (1U << 23) ++#define HWCAP_ARCH_3_1 (1U << 18) + + # if defined(__GNUC__) && __GNUC__>=2 + __attribute__ ((constructor)) +@@ -324,6 +331,9 @@ void OPENSSL_cpuid_setup(void) + if (__power_set(0xffffffffU<<17)) /* POWER9 and later */ + OPENSSL_ppccap_P |= PPC_MADD300; + ++ if (__power_set(0xffffffffU<<18)) /* POWER10 and later */ ++ OPENSSL_ppccap_P |= PPC_BRD31; ++ + return; + # endif + #endif +@@ -379,6 +389,10 @@ void OPENSSL_cpuid_setup(void) + if (hwcap2 & HWCAP_ARCH_3_00) { + OPENSSL_ppccap_P |= PPC_MADD300; + } ++ ++ if (hwcap2 & HWCAP_ARCH_3_1) { ++ OPENSSL_ppccap_P |= PPC_BRD31; ++ } + } + #endif + +--- a/crypto/ppccpuid.pl ++++ b/crypto/ppccpuid.pl +@@ -77,6 +77,17 @@ $code=<<___; + .long 0 + .byte 0,12,0x14,0,0,0,0,0 + ++.globl .OPENSSL_brd31_probe ++.align 4 ++.OPENSSL_brd31_probe: ++ xor r0,r0,r0 ++ brd r3,r0 ++ blr ++ .long 0 ++ .byte 0,12,0x14,0,0,0,0,0 ++.size .OPENSSL_brd31_probe,.-.OPENSSL_brd31_probe ++ ++ + .globl .OPENSSL_wipe_cpu + .align 4 + .OPENSSL_wipe_cpu: diff --git a/openssl-1_1-disable-test_srp-sslapi.patch b/openssl-1_1-disable-test_srp-sslapi.patch new file mode 100644 index 0000000..0699791 --- /dev/null +++ b/openssl-1_1-disable-test_srp-sslapi.patch @@ -0,0 +1,13 @@ +Index: openssl-1.1.1i/test/sslapitest.c +=================================================================== +--- openssl-1.1.1i.orig/test/sslapitest.c ++++ openssl-1.1.1i/test/sslapitest.c +@@ -6766,7 +6766,7 @@ int setup_tests(void) + #endif + ADD_ALL_TESTS(test_ssl_clear, 2); + ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test)); +-#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2) ++#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2) && 0 + ADD_ALL_TESTS(test_srp, 6); + #endif + ADD_ALL_TESTS(test_info_callback, 6); diff --git a/openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch b/openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch new file mode 100644 index 0000000..a3f4fd7 --- /dev/null +++ b/openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch @@ -0,0 +1,23 @@ +diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h +index cbbfab1..7576de8 100644 +--- a/include/openssl/opensslv.h ++++ b/include/openssl/opensslv.h +@@ -14,6 +14,9 @@ + extern "C" { + #endif + ++#define SUSE_OPENSSL_STRING_PARAM_FUNCA(x) #x ++#define SUSE_OPENSSL_STRING_PARAM_FUNCB(x) SUSE_OPENSSL_STRING_PARAM_FUNCA(x) ++ + /*- + * Numeric release version identifier: + * MNNFFPPS: major minor fix patch status +@@ -40,7 +43,7 @@ extern "C" { + * major minor fix final patch/beta) + */ + # define OPENSSL_VERSION_NUMBER 0x1010117fL +-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023" ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE) + + /*- + * The macros below are to be used for shared library (.so, .dll, ...) diff --git a/openssl-1_1-fips-bsc1215215_fips_in_version_string.patch b/openssl-1_1-fips-bsc1215215_fips_in_version_string.patch new file mode 100644 index 0000000..cee3347 --- /dev/null +++ b/openssl-1_1-fips-bsc1215215_fips_in_version_string.patch @@ -0,0 +1,46 @@ +--- + include/openssl/opensslconf.h.in | 10 +++++----- + include/openssl/opensslv.h | 6 +++++- + 2 files changed, 10 insertions(+), 6 deletions(-) + +--- a/include/openssl/opensslconf.h.in ++++ b/include/openssl/opensslconf.h.in +@@ -9,6 +9,11 @@ + * https://www.openssl.org/source/license.html + */ + ++/* Always build FIPS module */ ++#ifndef OPENSSL_FIPS ++# define OPENSSL_FIPS ++#endif ++ + #include + + #ifdef __cplusplus +@@ -155,11 +160,6 @@ extern "C" { + + #define RC4_INT {- $config{rc4_int} -} + +-/* Always build FIPS module */ +-#ifndef OPENSSL_FIPS +-# define OPENSSL_FIPS +-#endif +- + #ifdef __cplusplus + } + #endif +--- a/include/openssl/opensslv.h ++++ b/include/openssl/opensslv.h +@@ -40,7 +40,11 @@ extern "C" { + * major minor fix final patch/beta) + */ + # define OPENSSL_VERSION_NUMBER 0x1010117fL +-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE) ++# ifdef OPENSSL_FIPS ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w-fips 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE) ++# else ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE) ++# endif + + /*- + * The macros below are to be used for shared library (.so, .dll, ...) diff --git a/openssl-1_1-fips-drbg-selftest.patch b/openssl-1_1-fips-drbg-selftest.patch new file mode 100644 index 0000000..81f2a83 --- /dev/null +++ b/openssl-1_1-fips-drbg-selftest.patch @@ -0,0 +1,588 @@ +--- + crypto/fips/fips_post.c | 3 + crypto/rand/build.info | 2 + crypto/rand/drbg_selftest.c | 537 ++++++++++++++++++++++++++++++++++++++++++++ + include/crypto/rand.h | 5 + 4 files changed, 546 insertions(+), 1 deletion(-) + +--- a/crypto/fips/fips_post.c ++++ b/crypto/fips/fips_post.c +@@ -66,6 +66,7 @@ + + # include + # include "crypto/fips_int.h" ++# include "crypto/rand.h" + # include "fips_locl.h" + + /* Run all selftests */ +@@ -79,6 +80,8 @@ int FIPS_selftest(void) + if (!FIPS_selftest_drbg_all()) + rv = 0; + #endif ++ if (!FIPS_selftest_drbg_new()) ++ rv = 0; + if (!FIPS_selftest_sha1()) + rv = 0; + if (!FIPS_selftest_sha2()) +--- a/crypto/rand/build.info ++++ b/crypto/rand/build.info +@@ -1,6 +1,6 @@ + LIBS=../../libcrypto + SOURCE[../../libcrypto]=\ + randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \ +- rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c ++ rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c drbg_selftest.c + + INCLUDE[drbg_ctr.o]=../modes +--- /dev/null ++++ b/crypto/rand/drbg_selftest.c +@@ -0,0 +1,537 @@ ++/* ++ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include "internal/nelem.h" ++#include ++#include ++#include ++#include ++#include "internal/thread_once.h" ++#include "crypto/rand.h" ++ ++typedef struct test_ctx_st { ++ const unsigned char *entropy; ++ size_t entropylen; ++ int entropycnt; ++ const unsigned char *nonce; ++ size_t noncelen; ++ int noncecnt; ++} TEST_CTX; ++ ++static int app_data_index = -1; ++static CRYPTO_ONCE get_index_once = CRYPTO_ONCE_STATIC_INIT; ++DEFINE_RUN_ONCE_STATIC(drbg_app_data_index_init) ++{ ++ app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL); ++ ++ return 1; ++} ++ ++enum drbg_kat_type { ++ NO_RESEED, ++ PR_FALSE, ++ PR_TRUE ++}; ++ ++enum drbg_df { ++ USE_DF, ++ NO_DF, ++ NA ++}; ++ ++struct drbg_kat_no_reseed { ++ size_t count; ++ const unsigned char *entropyin; ++ const unsigned char *nonce; ++ const unsigned char *persstr; ++ const unsigned char *addin1; ++ const unsigned char *addin2; ++ const unsigned char *retbytes; ++}; ++ ++struct drbg_kat_pr_false { ++ size_t count; ++ const unsigned char *entropyin; ++ const unsigned char *nonce; ++ const unsigned char *persstr; ++ const unsigned char *entropyinreseed; ++ const unsigned char *addinreseed; ++ const unsigned char *addin1; ++ const unsigned char *addin2; ++ const unsigned char *retbytes; ++}; ++ ++struct drbg_kat_pr_true { ++ size_t count; ++ const unsigned char *entropyin; ++ const unsigned char *nonce; ++ const unsigned char *persstr; ++ const unsigned char *entropyinpr1; ++ const unsigned char *addin1; ++ const unsigned char *entropyinpr2; ++ const unsigned char *addin2; ++ const unsigned char *retbytes; ++}; ++ ++struct drbg_kat { ++ enum drbg_kat_type type; ++ enum drbg_df df; ++ int nid; ++ ++ size_t entropyinlen; ++ size_t noncelen; ++ size_t persstrlen; ++ size_t addinlen; ++ size_t retbyteslen; ++ ++ const void *t; ++}; ++ ++/* ++ * Excerpt from test/drbg_cavs_data.c ++ * DRBG test vectors from: ++ * https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/ ++ */ ++ ++static const unsigned char kat1308_entropyin[] = { ++ 0x7c, 0x5d, 0x90, 0x70, 0x3b, 0x8a, 0xc7, 0x0f, 0x23, 0x73, 0x24, 0x9c, ++ 0xa7, 0x15, 0x41, 0x71, 0x7a, 0x31, 0xea, 0x32, 0xfc, 0x28, 0x0d, 0xd7, ++ 0x5b, 0x09, 0x01, 0x98, 0x1b, 0xe2, 0xa5, 0x53, 0xd9, 0x05, 0x32, 0x97, ++ 0xec, 0xbe, 0x86, 0xfd, 0x1c, 0x1c, 0x71, 0x4c, 0x52, 0x29, 0x9e, 0x52, ++}; ++static const unsigned char kat1308_nonce[] = {0}; ++static const unsigned char kat1308_persstr[] = { ++ 0xdc, 0x07, 0x2f, 0x68, 0xfa, 0x77, 0x03, 0x23, 0x42, 0xb0, 0xf5, 0xa2, ++ 0xd9, 0xad, 0xa1, 0xd0, 0xad, 0xa2, 0x14, 0xb4, 0xd0, 0x8e, 0xfb, 0x39, ++ 0xdd, 0xc2, 0xac, 0xfb, 0x98, 0xdf, 0x7f, 0xce, 0x4c, 0x75, 0x56, 0x45, ++ 0xcd, 0x86, 0x93, 0x74, 0x90, 0x6e, 0xf6, 0x9e, 0x85, 0x7e, 0xfb, 0xc3, ++}; ++static const unsigned char kat1308_addin0[] = { ++ 0x52, 0x25, 0xc4, 0x2f, 0x03, 0xce, 0x29, 0x71, 0xc5, 0x0b, 0xc3, 0x4e, ++ 0xad, 0x8d, 0x6f, 0x17, 0x82, 0xe1, 0xf3, 0xfd, 0xfd, 0x9b, 0x94, 0x9a, ++ 0x1d, 0xac, 0xd0, 0xd4, 0x3f, 0x2b, 0xe3, 0xab, 0x7c, 0x3d, 0x3e, 0x5a, ++ 0x68, 0xbb, 0xa4, 0x74, 0x68, 0x1a, 0xc6, 0x27, 0xff, 0xe0, 0xc0, 0x6c, ++}; ++static const unsigned char kat1308_addin1[] = { ++ 0xdc, 0x91, 0xd7, 0xb7, 0xb9, 0x94, 0x79, 0x0f, 0x06, 0xc4, 0x70, 0x19, ++ 0x33, 0x25, 0x7c, 0x96, 0x01, 0xa0, 0x62, 0xb0, 0x50, 0xe6, 0xc0, 0x3a, ++ 0x56, 0x8f, 0xc5, 0x50, 0x48, 0xc6, 0xf4, 0x49, 0xe5, 0x70, 0x16, 0x2e, ++ 0xae, 0xf2, 0x99, 0xb4, 0x2d, 0x70, 0x18, 0x16, 0xcd, 0xe0, 0x24, 0xe4, ++}; ++static const unsigned char kat1308_retbits[] = { ++ 0xde, 0xf8, 0x91, 0x1b, 0xf1, 0xe1, 0xa9, 0x97, 0xd8, 0x61, 0x84, 0xe2, ++ 0xdb, 0x83, 0x3e, 0x60, 0x45, 0xcd, 0xc8, 0x66, 0x93, 0x28, 0xc8, 0x92, ++ 0xbc, 0x25, 0xae, 0xe8, 0xb0, 0xed, 0xed, 0x16, 0x3d, 0xa5, 0xf9, 0x0f, ++ 0xb3, 0x72, 0x08, 0x84, 0xac, 0x3c, 0x3b, 0xaa, 0x5f, 0xf9, 0x7d, 0x63, ++ 0x3e, 0xde, 0x59, 0x37, 0x0e, 0x40, 0x12, 0x2b, 0xbc, 0x6c, 0x96, 0x53, ++ 0x26, 0x32, 0xd0, 0xb8, ++}; ++static const struct drbg_kat_no_reseed kat1308_t = { ++ 2, kat1308_entropyin, kat1308_nonce, kat1308_persstr, ++ kat1308_addin0, kat1308_addin1, kat1308_retbits ++}; ++static const struct drbg_kat kat1308 = { ++ NO_RESEED, NO_DF, NID_aes_256_ctr, 48, 0, 48, 48, 64, &kat1308_t ++}; ++ ++static const unsigned char kat1465_entropyin[] = { ++ 0xc9, 0x96, 0x3a, 0x15, 0x51, 0x76, 0x4f, 0xe0, 0x45, 0x82, 0x8a, 0x64, ++ 0x87, 0xbe, 0xaa, 0xc0, ++}; ++static const unsigned char kat1465_nonce[] = { ++ 0x08, 0xcd, 0x69, 0x39, 0xf8, 0x58, 0x9a, 0x85, ++}; ++static const unsigned char kat1465_persstr[] = {0}; ++static const unsigned char kat1465_entropyinreseed[] = { ++ 0x16, 0xcc, 0x35, 0x15, 0xb1, 0x17, 0xf5, 0x33, 0x80, 0x9a, 0x80, 0xc5, ++ 0x1f, 0x4b, 0x7b, 0x51, ++}; ++static const unsigned char kat1465_addinreseed[] = { ++ 0xf5, 0x3d, 0xf1, 0x2e, 0xdb, 0x28, 0x1c, 0x00, 0x7b, 0xcb, 0xb6, 0x12, ++ 0x61, 0x9f, 0x26, 0x5f, ++}; ++static const unsigned char kat1465_addin0[] = { ++ 0xe2, 0x67, 0x06, 0x62, 0x09, 0xa7, 0xcf, 0xd6, 0x84, 0x8c, 0x20, 0xf6, ++ 0x10, 0x5a, 0x73, 0x9c, ++}; ++static const unsigned char kat1465_addin1[] = { ++ 0x26, 0xfa, 0x50, 0xe1, 0xb3, 0xcb, 0x65, 0xed, 0xbc, 0x6d, 0xda, 0x18, ++ 0x47, 0x99, 0x1f, 0xeb, ++}; ++static const unsigned char kat1465_retbits[] = { ++ 0xf9, 0x47, 0xc6, 0xb0, 0x58, 0xa8, 0x66, 0x8a, 0xf5, 0x2b, 0x2a, 0x6d, ++ 0x4e, 0x24, 0x6f, 0x65, 0xbf, 0x51, 0x22, 0xbf, 0xe8, 0x8d, 0x6c, 0xeb, ++ 0xf9, 0x68, 0x7f, 0xed, 0x3b, 0xdd, 0x6b, 0xd5, 0x28, 0x47, 0x56, 0x52, ++ 0xda, 0x50, 0xf0, 0x90, 0x73, 0x95, 0x06, 0x58, 0xaf, 0x08, 0x98, 0x6e, ++ 0x24, 0x18, 0xfd, 0x2f, 0x48, 0x72, 0x57, 0xd6, 0x59, 0xab, 0xe9, 0x41, ++ 0x58, 0xdb, 0x27, 0xba, ++}; ++static const struct drbg_kat_pr_false kat1465_t = { ++ 9, kat1465_entropyin, kat1465_nonce, kat1465_persstr, ++ kat1465_entropyinreseed, kat1465_addinreseed, kat1465_addin0, ++ kat1465_addin1, kat1465_retbits ++}; ++static const struct drbg_kat kat1465 = { ++ PR_FALSE, USE_DF, NID_aes_128_ctr, 16, 8, 0, 16, 64, &kat1465_t ++}; ++ ++static const unsigned char kat3146_entropyin[] = { ++ 0xd7, 0x08, 0x42, 0x82, 0xc2, 0xd2, 0xd1, 0xde, 0x01, 0xb4, 0x36, 0xb3, ++ 0x7f, 0xbd, 0xd3, 0xdd, 0xb3, 0xc4, 0x31, 0x4f, 0x8f, 0xa7, 0x10, 0xf4, ++}; ++static const unsigned char kat3146_nonce[] = { ++ 0x7b, 0x9e, 0xcd, 0x49, 0x4f, 0x46, 0xa0, 0x08, 0x32, 0xff, 0x2e, 0xc3, ++ 0x50, 0x86, 0xca, 0xca, ++}; ++static const unsigned char kat3146_persstr[] = {0}; ++static const unsigned char kat3146_entropyinpr1[] = { ++ 0x68, 0xd0, 0x7b, 0xa4, 0xe7, 0x22, 0x19, 0xe6, 0xb6, 0x46, 0x6a, 0xda, ++ 0x8e, 0x67, 0xea, 0x63, 0x3f, 0xaf, 0x2f, 0x6c, 0x9d, 0x5e, 0x48, 0x15, ++}; ++static const unsigned char kat3146_addinpr1[] = { ++ 0x70, 0x0f, 0x54, 0xf4, 0x53, 0xde, 0xca, 0x61, 0x5c, 0x49, 0x51, 0xd1, ++ 0x41, 0xc4, 0xf1, 0x2f, 0x65, 0xfb, 0x7e, 0xbc, 0x9b, 0x14, 0xba, 0x90, ++ 0x05, 0x33, 0x7e, 0x64, 0xb7, 0x2b, 0xaf, 0x99, ++}; ++static const unsigned char kat3146_entropyinpr2[] = { ++ 0xeb, 0x77, 0xb0, 0xe9, 0x2d, 0x31, 0xc8, 0x66, 0xc5, 0xc4, 0xa7, 0xf7, ++ 0x6c, 0xb2, 0x74, 0x36, 0x4b, 0x25, 0x78, 0x04, 0xd8, 0xd7, 0xd2, 0x34, ++}; ++static const unsigned char kat3146_addinpr2[] = { ++ 0x05, 0xcd, 0x2a, 0x97, 0x5a, 0x5d, 0xfb, 0x98, 0xc1, 0xf1, 0x00, 0x0c, ++ 0xed, 0xe6, 0x2a, 0xba, 0xf0, 0x89, 0x1f, 0x5a, 0x4f, 0xd7, 0x48, 0xb3, ++ 0x24, 0xc0, 0x8a, 0x3d, 0x60, 0x59, 0x5d, 0xb6, ++}; ++static const unsigned char kat3146_retbits[] = { ++ 0x29, 0x94, 0xa4, 0xa8, 0x17, 0x3e, 0x62, 0x2f, 0x94, 0xdd, 0x40, 0x1f, ++ 0xe3, 0x7e, 0x77, 0xd4, 0x38, 0xbc, 0x0e, 0x49, 0x46, 0xf6, 0x0e, 0x28, ++ 0x91, 0xc6, 0x9c, 0xc4, 0xa6, 0xa1, 0xf8, 0x9a, 0x64, 0x5e, 0x99, 0x76, ++ 0xd0, 0x2d, 0xee, 0xde, 0xe1, 0x2c, 0x93, 0x29, 0x4b, 0x12, 0xcf, 0x87, ++ 0x03, 0x98, 0xb9, 0x74, 0x41, 0xdb, 0x3a, 0x49, 0x9f, 0x92, 0xd0, 0x45, ++ 0xd4, 0x30, 0x73, 0xbb, ++}; ++static const struct drbg_kat_pr_true kat3146_t = { ++ 10, kat3146_entropyin, kat3146_nonce, kat3146_persstr, ++ kat3146_entropyinpr1, kat3146_addinpr1, kat3146_entropyinpr2, ++ kat3146_addinpr2, kat3146_retbits ++}; ++static const struct drbg_kat kat3146 = { ++ PR_TRUE, USE_DF, NID_aes_192_ctr, 24, 16, 0, 32, 64, &kat3146_t ++}; ++ ++static const struct drbg_kat *drbg_test[] = { &kat1308, &kat1465, &kat3146 }; ++ ++static const size_t drbg_test_nelem = OSSL_NELEM(drbg_test); ++ ++static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len, ++ int prediction_resistance) ++{ ++ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index); ++ ++ t->entropycnt++; ++ *pout = (unsigned char *)t->entropy; ++ return t->entropylen; ++} ++ ++static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len) ++{ ++ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index); ++ ++ t->noncecnt++; ++ *pout = (unsigned char *)t->nonce; ++ return t->noncelen; ++} ++ ++/* ++ * Do a single NO_RESEED KAT: ++ * ++ * Instantiate ++ * Generate Random Bits (pr=false) ++ * Generate Random Bits (pr=false) ++ * Uninstantiate ++ * ++ * Return 0 on failure. ++ */ ++static int single_kat_no_reseed(const struct drbg_kat *td) ++{ ++ struct drbg_kat_no_reseed *data = (struct drbg_kat_no_reseed *)td->t; ++ RAND_DRBG *drbg = NULL; ++ unsigned char *buff = NULL; ++ unsigned int flags = 0; ++ int failures = 0; ++ TEST_CTX t; ++ ++ if (td->df != USE_DF) ++ flags |= RAND_DRBG_FLAG_CTR_NO_DF; ++ ++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) ++ return 0; ++ ++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, ++ kat_nonce, NULL)) { ++ failures++; ++ goto err; ++ } ++ memset(&t, 0, sizeof(t)); ++ t.entropy = data->entropyin; ++ t.entropylen = td->entropyinlen; ++ t.nonce = data->nonce; ++ t.noncelen = td->noncelen; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); ++ ++ buff = OPENSSL_malloc(td->retbyteslen); ++ if (buff == NULL) { ++ failures++; ++ goto err; ++ } ++ ++ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen) ++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, ++ data->addin1, td->addinlen) ++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, ++ data->addin2, td->addinlen) ++ || memcmp(data->retbytes, buff, ++ td->retbyteslen) != 0) ++ failures++; ++ ++err: ++ OPENSSL_free(buff); ++ RAND_DRBG_uninstantiate(drbg); ++ RAND_DRBG_free(drbg); ++ return failures == 0; ++} ++ ++/*- ++ * Do a single PR_FALSE KAT: ++ * ++ * Instantiate ++ * Reseed ++ * Generate Random Bits (pr=false) ++ * Generate Random Bits (pr=false) ++ * Uninstantiate ++ * ++ * Return 0 on failure. ++ */ ++static int single_kat_pr_false(const struct drbg_kat *td) ++{ ++ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t; ++ RAND_DRBG *drbg = NULL; ++ unsigned char *buff = NULL; ++ unsigned int flags = 0; ++ int failures = 0; ++ TEST_CTX t; ++ ++ if (td->df != USE_DF) ++ flags |= RAND_DRBG_FLAG_CTR_NO_DF; ++ ++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) ++ return 0; ++ ++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, ++ kat_nonce, NULL)) { ++ failures++; ++ goto err; ++ } ++ memset(&t, 0, sizeof(t)); ++ t.entropy = data->entropyin; ++ t.entropylen = td->entropyinlen; ++ t.nonce = data->nonce; ++ t.noncelen = td->noncelen; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); ++ ++ buff = OPENSSL_malloc(td->retbyteslen); ++ if (buff == NULL) { ++ failures++; ++ goto err; ++ } ++ ++ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)) ++ failures++; ++ ++ t.entropy = data->entropyinreseed; ++ t.entropylen = td->entropyinlen; ++ ++ if (!RAND_DRBG_reseed(drbg, data->addinreseed, td->addinlen, 0) ++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, ++ data->addin1, td->addinlen) ++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, ++ data->addin2, td->addinlen) ++ || memcmp(data->retbytes, buff, ++ td->retbyteslen) != 0) ++ failures++; ++ ++err: ++ OPENSSL_free(buff); ++ RAND_DRBG_uninstantiate(drbg); ++ RAND_DRBG_free(drbg); ++ return failures == 0; ++} ++ ++/*- ++ * Do a single PR_TRUE KAT: ++ * ++ * Instantiate ++ * Generate Random Bits (pr=true) ++ * Generate Random Bits (pr=true) ++ * Uninstantiate ++ * ++ * Return 0 on failure. ++ */ ++static int single_kat_pr_true(const struct drbg_kat *td) ++{ ++ struct drbg_kat_pr_true *data = (struct drbg_kat_pr_true *)td->t; ++ RAND_DRBG *drbg = NULL; ++ unsigned char *buff = NULL; ++ unsigned int flags = 0; ++ int failures = 0; ++ TEST_CTX t; ++ ++ if (td->df != USE_DF) ++ flags |= RAND_DRBG_FLAG_CTR_NO_DF; ++ ++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) ++ return 0; ++ ++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, ++ kat_nonce, NULL)) { ++ failures++; ++ goto err; ++ } ++ memset(&t, 0, sizeof(t)); ++ t.nonce = data->nonce; ++ t.noncelen = td->noncelen; ++ t.entropy = data->entropyin; ++ t.entropylen = td->entropyinlen; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); ++ ++ buff = OPENSSL_malloc(td->retbyteslen); ++ if (buff == NULL) { ++ failures++; ++ goto err; ++ } ++ ++ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)) ++ failures++; ++ ++ t.entropy = data->entropyinpr1; ++ t.entropylen = td->entropyinlen; ++ ++ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1, ++ data->addin1, td->addinlen)) ++ failures++; ++ ++ t.entropy = data->entropyinpr2; ++ t.entropylen = td->entropyinlen; ++ ++ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1, ++ data->addin2, td->addinlen) ++ || memcmp(data->retbytes, buff, ++ td->retbyteslen) != 0) ++ failures++; ++ ++err: ++ OPENSSL_free(buff); ++ RAND_DRBG_uninstantiate(drbg); ++ RAND_DRBG_free(drbg); ++ return failures == 0; ++} ++ ++static int test_kats(int i) ++{ ++ const struct drbg_kat *td = drbg_test[i]; ++ int rv = 0; ++ ++ switch (td->type) { ++ case NO_RESEED: ++ if (!single_kat_no_reseed(td)) ++ goto err; ++ break; ++ case PR_FALSE: ++ if (!single_kat_pr_false(td)) ++ goto err; ++ break; ++ case PR_TRUE: ++ if (!single_kat_pr_true(td)) ++ goto err; ++ break; ++ default: /* cant happen */ ++ goto err; ++ } ++ rv = 1; ++err: ++ return rv; ++} ++ ++/*- ++ * Do one expected-error test: ++ * ++ * Instantiate with no entropy supplied ++ * ++ * Return 0 on failure. ++ */ ++static int test_drbg_sanity(const struct drbg_kat *td) ++{ ++ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t; ++ RAND_DRBG *drbg = NULL; ++ unsigned int flags = 0; ++ int failures = 0; ++ TEST_CTX t; ++ ++ if (td->df != USE_DF) ++ flags |= RAND_DRBG_FLAG_CTR_NO_DF; ++ ++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) ++ return 0; ++ ++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, ++ kat_nonce, NULL)) { ++ failures++; ++ goto err; ++ } ++ memset(&t, 0, sizeof(t)); ++ t.entropy = data->entropyin; ++ t.entropylen = 0; /* No entropy */ ++ t.nonce = data->nonce; ++ t.noncelen = td->noncelen; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); ++ ++ ERR_set_mark(); ++ /* This must fail. */ ++ if (RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)) ++ failures++; ++ RAND_DRBG_uninstantiate(drbg); ++ ERR_pop_to_mark(); ++ ++err: ++ RAND_DRBG_free(drbg); ++ return failures == 0; ++} ++ ++ ++int FIPS_selftest_drbg_new(void) ++{ ++ int i; ++ ++ if (!RUN_ONCE(&get_index_once, drbg_app_data_index_init)) ++ return 0; ++ ++ for (i = 0; i < drbg_test_nelem; i++) { ++ if (test_kats(i) <= 0) ++ return 0; ++ } ++ ++ if (test_drbg_sanity(&kat1465) <= 0) ++ return 0; ++ ++ return 1; ++} +--- a/include/crypto/rand.h ++++ b/include/crypto/rand.h +@@ -150,4 +150,9 @@ void rand_pool_cleanup(void); + */ + void rand_pool_keep_random_devices_open(int keep); + ++/* ++ * Perform the DRBG KAT selftests ++ */ ++int FIPS_selftest_drbg_new(void); ++ + #endif diff --git a/openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch b/openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch new file mode 100644 index 0000000..53f67c9 --- /dev/null +++ b/openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch @@ -0,0 +1,117 @@ +--- + crypto/asn1/ameth_lib.c | 18 ++++++++++++++++++ + crypto/asn1/standard_methods.h | 29 +++++++++++++++++++++++++++++ + crypto/evp/c_alld.c | 6 +++++- + 3 files changed, 52 insertions(+), 1 deletion(-) + +Index: openssl-1.1.1w/crypto/asn1/ameth_lib.c +=================================================================== +--- openssl-1.1.1w.orig/crypto/asn1/ameth_lib.c ++++ openssl-1.1.1w/crypto/asn1/ameth_lib.c +@@ -35,7 +35,11 @@ IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_P + + int EVP_PKEY_asn1_get_count(void) + { ++#ifdef OPENSSL_FIPS ++ int num = FIPS_mode() ? OSSL_NELEM(standard_fips_methods) : OSSL_NELEM(standard_methods); ++#else + int num = OSSL_NELEM(standard_methods); ++#endif + if (app_methods) + num += sk_EVP_PKEY_ASN1_METHOD_num(app_methods); + return num; +@@ -43,11 +47,19 @@ int EVP_PKEY_asn1_get_count(void) + + const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx) + { ++#ifdef OPENSSL_FIPS ++ int num = FIPS_mode() ? OSSL_NELEM(standard_fips_methods) : OSSL_NELEM(standard_methods); ++#else + int num = OSSL_NELEM(standard_methods); ++#endif + if (idx < 0) + return NULL; + if (idx < num) ++#ifdef OPENSSL_FIPS ++ return FIPS_mode() ? standard_fips_methods[idx] : standard_methods[idx]; ++#else + return standard_methods[idx]; ++#endif + idx -= num; + return sk_EVP_PKEY_ASN1_METHOD_value(app_methods, idx); + } +@@ -63,7 +75,13 @@ static const EVP_PKEY_ASN1_METHOD *pkey_ + if (idx >= 0) + return sk_EVP_PKEY_ASN1_METHOD_value(app_methods, idx); + } ++#ifdef OPENSSL_FIPS ++ ret = FIPS_mode() ? \ ++ OBJ_bsearch_ameth(&t, standard_fips_methods, OSSL_NELEM(standard_fips_methods)) : \ ++ OBJ_bsearch_ameth(&t, standard_methods, OSSL_NELEM(standard_methods)); ++#else + ret = OBJ_bsearch_ameth(&t, standard_methods, OSSL_NELEM(standard_methods)); ++#endif + if (!ret || !*ret) + return NULL; + return *ret; +Index: openssl-1.1.1w/crypto/asn1/standard_methods.h +=================================================================== +--- openssl-1.1.1w.orig/crypto/asn1/standard_methods.h ++++ openssl-1.1.1w/crypto/asn1/standard_methods.h +@@ -59,3 +59,32 @@ static const EVP_PKEY_ASN1_METHOD *stand + #endif + }; + ++static const EVP_PKEY_ASN1_METHOD *standard_fips_methods[] = { ++#ifndef OPENSSL_NO_RSA ++ &rsa_asn1_meths[0], ++ &rsa_asn1_meths[1], ++#endif ++#ifndef OPENSSL_NO_DH ++ &dh_asn1_meth, ++#endif ++#ifndef OPENSSL_NO_DSA ++ &dsa_asn1_meths[0], ++ &dsa_asn1_meths[1], ++ &dsa_asn1_meths[2], ++ &dsa_asn1_meths[3], ++ &dsa_asn1_meths[4], ++#endif ++#ifndef OPENSSL_NO_EC ++ &eckey_asn1_meth, ++#endif ++ &hmac_asn1_meth, ++#ifndef OPENSSL_NO_CMAC ++ &cmac_asn1_meth, ++#endif ++#ifndef OPENSSL_NO_RSA ++ &rsa_pss_asn1_meth, ++#endif ++#ifndef OPENSSL_NO_DH ++ &dhx_asn1_meth, ++#endif ++}; +Index: openssl-1.1.1w/crypto/evp/c_alld.c +=================================================================== +--- openssl-1.1.1w.orig/crypto/evp/c_alld.c ++++ openssl-1.1.1w/crypto/evp/c_alld.c +@@ -11,13 +11,18 @@ + #include "internal/cryptlib.h" + #include + #include "crypto/evp.h" ++#include "crypto/fips_int.h" + #include + #include + + void openssl_add_all_digests_int(void) + { + #ifdef OPENSSL_FIPS +- if (!FIPS_mode()) { ++ /* ++ * This function is called from FIPS_selftest_ecdsa() before FIPS mode is ++ * turned on. That is the reason why we need to also check fips_in_post(). ++ */ ++ if (!FIPS_mode() && !fips_in_post()) { + #endif + #ifndef OPENSSL_NO_MD4 + EVP_add_digest(EVP_md4()); diff --git a/openssl-1_1-jitterentropy-3.4.0.patch b/openssl-1_1-jitterentropy-3.4.0.patch new file mode 100644 index 0000000..b4b9d6e --- /dev/null +++ b/openssl-1_1-jitterentropy-3.4.0.patch @@ -0,0 +1,203 @@ +--- + Configurations/00-base-templates.conf | 2 - + crypto/fips/build.info | 3 +- + crypto/fips/fips.c | 8 +++++++ + crypto/fips/fips_entropy.c | 38 ++++++++++++++++++++++++++++++++++ + crypto/fips/fips_err.h | 1 + crypto/init.c | 4 +++ + crypto/rand/rand_unix.c | 30 +++++++++++++++++++++++++- + include/crypto/fips_int.h | 2 + + include/openssl/fips.h | 4 +++ + util/libcrypto.num | 2 + + 10 files changed, 91 insertions(+), 3 deletions(-) + +--- a/Configurations/00-base-templates.conf ++++ b/Configurations/00-base-templates.conf +@@ -96,7 +96,7 @@ my %targets=( + ex_libs => + sub { !defined($disabled{zlib}) + && defined($disabled{"zlib-dynamic"}) +- ? "-lz" : () }, ++ ? "-lz -ljitterentropy" : "-ljitterentropy" }, + HASHBANGPERL => "/usr/bin/env perl", # Only Unix actually cares + RANLIB => sub { which("$config{cross_compile_prefix}ranlib") + ? "ranlib" : "" }, +--- a/crypto/fips/build.info ++++ b/crypto/fips/build.info +@@ -5,7 +5,8 @@ SOURCE[../../libcrypto]=\ + fips_post.c drbgtest.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ + fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ +- fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c fips_sli.c ++ fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c fips_sli.c \ ++ fips_entropy.c + + PROGRAMS=\ + fips_standalone_hmac +--- a/crypto/fips/fips.c ++++ b/crypto/fips/fips.c +@@ -461,6 +461,14 @@ int FIPS_module_mode_set(int onoff) + + fips_post = 1; + ++ if (!FIPS_entropy_init()) { ++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, ++ FIPS_R_ENTROPY_INIT_FAILED); ++ fips_selftest_fail = 1; ++ ret = 0; ++ goto end; ++ } ++ + /* Run the KATs before the HMAC verification for FIPS 140-3 compliance */ + if (!FIPS_selftest()) { + fips_selftest_fail = 1; +--- /dev/null ++++ b/crypto/fips/fips_entropy.c +@@ -0,0 +1,38 @@ ++#include ++ ++#include "crypto/fips_int.h" ++#include "jitterentropy.h" ++ ++static struct rand_data* ec = NULL; ++ ++struct rand_data* FIPS_entropy_init(void) ++{ ++ if (ec != NULL) ++ /* Entropy source has been initiated and collector allocated */ ++ return ec; ++ /* If the initialization is successful, the call returns with 0 */ ++ if (jent_entropy_init_ex(1, JENT_FORCE_FIPS) == 0) ++ /* Allocate entropy collector */ ++ ec = jent_entropy_collector_alloc(1, JENT_FORCE_FIPS); ++ return ec; ++} ++ ++void FIPS_entropy_cleanup(void) ++{ ++ /* Free entropy collector */ ++ if (ec != NULL) { ++ jent_entropy_collector_free(ec); ++ ec = NULL; ++ } ++} ++ ++ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen) ++{ ++ ssize_t ent_bytes = -1; ++ ++ if (buf != NULL && buflen != 0 && FIPS_entropy_init()) { ++ /* Get entropy */ ++ ent_bytes = jent_read_entropy_safe(&ec, (char *)buf, buflen); ++ } ++ return ent_bytes; ++} +--- a/crypto/fips/fips_err.h ++++ b/crypto/fips/fips_err.h +@@ -135,6 +135,7 @@ static ERR_STRING_DATA FIPS_str_reasons[ + {ERR_REASON(FIPS_R_DRBG_NOT_INITIALISED), "drbg not initialised"}, + {ERR_REASON(FIPS_R_DRBG_STUCK), "drbg stuck"}, + {ERR_REASON(FIPS_R_ENTROPY_ERROR_UNDETECTED), "entropy error undetected"}, ++ {ERR_REASON(FIPS_R_ENTROPY_INIT_FAILED), "entropy init failed"}, + {ERR_REASON(FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED), + "entropy not requested for reseed"}, + {ERR_REASON(FIPS_R_ENTROPY_SOURCE_STUCK), "entropy source stuck"}, +--- a/crypto/init.c ++++ b/crypto/init.c +@@ -27,6 +27,7 @@ + #include "crypto/dso_conf.h" + #include "internal/dso.h" + #include "crypto/store.h" ++#include "openssl/fips.h" + + static int stopped = 0; + +@@ -597,6 +598,9 @@ void OPENSSL_cleanup(void) + rand_cleanup_int(); + rand_drbg_cleanup_int(); + conf_modules_free_int(); ++#ifdef OPENSSL_FIPS ++ FIPS_entropy_cleanup(); ++#endif + #ifndef OPENSSL_NO_ENGINE + engine_cleanup_int(); + #endif +--- a/crypto/rand/rand_unix.c ++++ b/crypto/rand/rand_unix.c +@@ -642,9 +642,37 @@ size_t rand_pool_acquire_entropy(RAND_PO + return rand_pool_entropy_available(pool); + # else + size_t entropy_available; ++ int in_post; ++ ++# ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ /* Use jitter entropy in FIPS mode */ ++ for (in_post = fips_in_post(); in_post >= 0; --in_post) { ++ size_t bytes_needed; ++ unsigned char *buffer; ++ ssize_t bytes; ++ /* Maximum allowed number of consecutive unsuccessful attempts */ ++ int attempts = 3; ++ ++ bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); ++ while (bytes_needed != 0 && attempts-- > 0) { ++ buffer = rand_pool_add_begin(pool, bytes_needed); ++ bytes = FIPS_jitter_entropy(buffer, bytes_needed); ++ if (bytes > 0) { ++ rand_pool_add_end(pool, bytes, 8 * bytes); ++ bytes_needed -= bytes; ++ attempts = 3; /* reset counter after successful attempt */ ++ } else if (bytes < 0) { ++ break; ++ } ++ } ++ } ++ entropy_available = rand_pool_entropy_available(pool); ++ return entropy_available; ++ } ++# endif + + # if defined(OPENSSL_RAND_SEED_GETRANDOM) +- int in_post; + + for (in_post = fips_in_post(); in_post >= 0; --in_post) { + { +--- a/include/crypto/fips_int.h ++++ b/include/crypto/fips_int.h +@@ -101,4 +101,6 @@ void fips_set_selftest_fail(void); + + void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); + ++ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen); ++ + #endif +--- a/include/openssl/fips.h ++++ b/include/openssl/fips.h +@@ -74,6 +74,9 @@ extern "C" { + BN_GENCB *cb); + int FIPS_dsa_paramgen_check_g(DSA *dsa); + ++ struct rand_data* FIPS_entropy_init(void); ++ void FIPS_entropy_cleanup(void); ++ + /* BEGIN ERROR CODES */ + /* The following lines are auto generated by the script mkerr.pl. Any changes + * made after this point may be overwritten when the script is next run. +@@ -151,6 +154,7 @@ extern "C" { + # define FIPS_R_DRBG_NOT_INITIALISED 152 + # define FIPS_R_DRBG_STUCK 103 + # define FIPS_R_ENTROPY_ERROR_UNDETECTED 104 ++# define FIPS_R_ENTROPY_INIT_FAILED 161 + # define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105 + # define FIPS_R_ENTROPY_SOURCE_STUCK 142 + # define FIPS_R_ERROR_INITIALISING_DRBG 115 +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -4647,3 +4647,5 @@ fips_sli_PKCS5_PBKDF2_HMAC_is_approved + fips_sli_HMAC_is_approved 6608 1_1_1l EXIST::FUNCTION: + fips_sli_RAND_bytes_is_approved 6609 1_1_1l EXIST::FUNCTION: + fips_sli_RAND_priv_bytes_is_approved 6610 1_1_1l EXIST::FUNCTION: ++FIPS_entropy_init 6611 1_1_1l EXIST::FUNCTION: ++FIPS_entropy_cleanup 6612 1_1_1l EXIST::FUNCTION: + diff --git a/openssl-1_1-openssl-config.patch b/openssl-1_1-openssl-config.patch new file mode 100644 index 0000000..1ba132a --- /dev/null +++ b/openssl-1_1-openssl-config.patch @@ -0,0 +1,556 @@ +--- + Configurations/descrip.mms.tmpl | 4 +-- + Configurations/unix-Makefile.tmpl | 22 ++++++++--------- + Configure | 2 - + INSTALL | 2 - + NEWS | 3 ++ + VMS/openssl_utils.com.in | 2 - + apps/CA.pl.in | 8 +++--- + apps/build.info | 6 ++-- + apps/tsget.in | 2 - + doc/HOWTO/certificates.txt | 2 - + doc/man1/CA.pl.pod | 36 ++++++++++++++--------------- + doc/man1/ca.pod | 4 +-- + doc/man1/rehash.pod | 10 ++++---- + doc/man1/tsget.pod | 4 +-- + doc/man1/verify.pod | 2 - + doc/man1/x509.pod | 2 - + doc/man3/OPENSSL_config.pod | 2 - + doc/man3/SSL_CTX_load_verify_locations.pod | 4 +-- + doc/man5/config.pod | 2 - + include/internal/cryptlib.h | 2 - + test/recipes/80-test_ca.t | 10 ++++---- + tools/build.info | 2 - + tools/c_rehash.in | 6 ++-- + 23 files changed, 71 insertions(+), 68 deletions(-) + +Index: openssl-1.1.1v/Configurations/descrip.mms.tmpl +=================================================================== +--- openssl-1.1.1v.orig/Configurations/descrip.mms.tmpl ++++ openssl-1.1.1v/Configurations/descrip.mms.tmpl +@@ -142,8 +142,8 @@ INSTALL_SHLIBS={- join(", ", map { "-\n\ + INSTALL_ENGINES={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{engines}}) -} + INSTALL_PROGRAMS={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{programs}}) -} + {- output_off() if $disabled{apps}; "" -} +-BIN_SCRIPTS=[.tools]c_rehash.pl +-MISC_SCRIPTS=[.apps]CA.pl, [.apps]tsget.pl ++BIN_SCRIPTS=[.tools]c_rehash-1_1.pl ++MISC_SCRIPTS=[.apps]CA-1_1.pl, [.apps]tsget-1_1.pl + {- output_on() if $disabled{apps}; "" -} + + APPS_OPENSSL={- use File::Spec::Functions; +Index: openssl-1.1.1v/Configurations/unix-Makefile.tmpl +=================================================================== +--- openssl-1.1.1v.orig/Configurations/unix-Makefile.tmpl ++++ openssl-1.1.1v/Configurations/unix-Makefile.tmpl +@@ -140,8 +140,8 @@ INSTALL_SHLIB_INFO={- join(" ", map { "\ + INSTALL_ENGINES={- join(" ", map { dso($_) } @{$unified_info{install}->{engines}}) -} + INSTALL_PROGRAMS={- join(" ", map { $_.$exeext } @{$unified_info{install}->{programs}}) -} + {- output_off() if $disabled{apps}; "" -} +-BIN_SCRIPTS=$(BLDDIR)/tools/c_rehash +-MISC_SCRIPTS=$(BLDDIR)/apps/CA.pl $(BLDDIR)/apps/tsget.pl:tsget ++BIN_SCRIPTS=$(BLDDIR)/tools/c_rehash-1_1 ++MISC_SCRIPTS=$(BLDDIR)/apps/CA-1_1.pl $(BLDDIR)/apps/tsget-1_1.pl:tsget-1_1 + {- output_on() if $disabled{apps}; "" -} + + APPS_OPENSSL={- use File::Spec::Functions; +@@ -579,14 +579,14 @@ install_ssldirs: + : {- output_on() if windowsdll(); "" -}; \ + fi; \ + done +- @$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist" +- @cp $(SRCDIR)/apps/openssl.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new" +- @chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new" +- @mv -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new" "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist" +- @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf" ]; then \ +- $(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \ +- cp $(SRCDIR)/apps/openssl.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \ +- chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \ ++ @$(ECHO) "install $(SRCDIR)/apps/openssl-1_1.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.dist" ++ @cp $(SRCDIR)/apps/openssl-1_1.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.new" ++ @chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.new" ++ @mv -f "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.new" "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.dist" ++ @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf" ]; then \ ++ $(ECHO) "install $(SRCDIR)/apps/openssl-1_1.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf"; \ ++ cp $(SRCDIR)/apps/openssl-1_1.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf"; \ ++ chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf"; \ + fi + @$(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist" + @cp $(SRCDIR)/apps/ct_log_list.cnf "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new" +@@ -870,7 +870,7 @@ lint: + + generate_apps: + ( cd $(SRCDIR); $(PERL) VMS/VMSify-conf.pl \ +- < apps/openssl.cnf > apps/openssl-vms.cnf ) ++ < apps/openssl-1_1.cnf > apps/openssl-vms.cnf ) + + generate_crypto_bn: + ( cd $(SRCDIR); $(PERL) crypto/bn/bn_prime.pl > crypto/bn/bn_prime.h ) +Index: openssl-1.1.1v/Configure +=================================================================== +--- openssl-1.1.1v.orig/Configure ++++ openssl-1.1.1v/Configure +@@ -35,7 +35,7 @@ my $usage="Usage: Configure [no- + # directories bin, lib, include, share/man, share/doc/openssl + # This becomes the value of INSTALLTOP in Makefile + # (Default: /usr/local) +-# --openssldir OpenSSL data area, such as openssl.cnf, certificates and keys. ++# --openssldir OpenSSL data area, such as openssl-1_1.cnf, certificates and keys. + # If it's a relative directory, it will be added on the directory + # given with --prefix. + # This becomes the value of OPENSSLDIR in Makefile and in C. +Index: openssl-1.1.1v/INSTALL +=================================================================== +--- openssl-1.1.1v.orig/INSTALL ++++ openssl-1.1.1v/INSTALL +@@ -296,7 +296,7 @@ + be undesirable if small executable size is an objective. + + no-autoload-config +- Don't automatically load the default openssl.cnf file. ++ Don't automatically load the default openssl-1_1.cnf file. + Typically OpenSSL will automatically load a system config + file which configures default ssl options. + +Index: openssl-1.1.1v/NEWS +=================================================================== +--- openssl-1.1.1v.orig/NEWS ++++ openssl-1.1.1v/NEWS +@@ -10,6 +10,9 @@ + o Fix excessive time spent checking DH q parameter value (CVE-2023-3817) + o Fix DH_check() excessive time with over sized modulus (CVE-2023-3446) + ++ IMPORTANT: For compatibility with OpenSSL 3.0, the OpenSSL master ++ configuration file openssl.cnf has been renamed to openssl-1_1.cnf. ++ + Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023] + + o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic +Index: openssl-1.1.1v/VMS/openssl_utils.com.in +=================================================================== +--- openssl-1.1.1v.orig/VMS/openssl_utils.com.in ++++ openssl-1.1.1v/VMS/openssl_utils.com.in +@@ -8,7 +8,7 @@ $ OPENSSL :== $OSSL$EXE:OPENSSL'v' + $ + $ IF F$TYPE(PERL) .EQS. "STRING" + $ THEN +-$ C_REHASH :== 'PERL' OSSL$EXE:c_rehash.pl ++$ C_REHASH :== 'PERL' OSSL$EXE:c_rehash-1_1.pl + $ ELSE + $ WRITE SYS$ERROR "NOTE: no perl => no C_REHASH" + $ ENDIF +Index: openssl-1.1.1v/apps/CA.pl.in +=================================================================== +--- openssl-1.1.1v.orig/apps/CA.pl.in ++++ openssl-1.1.1v/apps/CA.pl.in +@@ -113,10 +113,10 @@ sub run + + + if ( $WHAT =~ /^(-\?|-h|-help)$/ ) { +- print STDERR "usage: CA.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd extra-params]\n"; +- print STDERR " CA.pl -pkcs12 [-extra-pkcs12 extra-params] [certname]\n"; +- print STDERR " CA.pl -verify [-extra-verify extra-params] certfile ...\n"; +- print STDERR " CA.pl -revoke [-extra-ca extra-params] certfile [reason]\n"; ++ print STDERR "usage: CA-1_1.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd extra-params]\n"; ++ print STDERR " CA-1_1.pl -pkcs12 [-extra-pkcs12 extra-params] [certname]\n"; ++ print STDERR " CA-1_1.pl -verify [-extra-verify extra-params] certfile ...\n"; ++ print STDERR " CA-1_1.pl -revoke [-extra-ca extra-params] certfile [reason]\n"; + exit 0; + } + if ($WHAT eq '-newcert' ) { +Index: openssl-1.1.1v/apps/build.info +=================================================================== +--- openssl-1.1.1v.orig/apps/build.info ++++ openssl-1.1.1v/apps/build.info +@@ -73,7 +73,7 @@ IF[{- !$disabled{apps} -}] + GENERATE[progs.h]=progs.pl $(APPS_OPENSSL) + DEPEND[progs.h]=../configdata.pm + +- SCRIPTS=CA.pl tsget.pl +- SOURCE[CA.pl]=CA.pl.in +- SOURCE[tsget.pl]=tsget.in ++ SCRIPTS=CA-1_1.pl tsget-1_1.pl ++ SOURCE[CA-1_1.pl]=CA.pl.in ++ SOURCE[tsget-1_1.pl]=tsget.in + ENDIF +Index: openssl-1.1.1v/apps/tsget.in +=================================================================== +--- openssl-1.1.1v.orig/apps/tsget.in ++++ openssl-1.1.1v/apps/tsget.in +@@ -47,7 +47,7 @@ sub create_curl { + $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d}; + $curl->setopt(CURLOPT_FAILONERROR, 1); + $curl->setopt(CURLOPT_USERAGENT, +- "OpenTSA tsget.pl/openssl-{- $config{version} -}"); ++ "OpenTSA tsget-1_1.pl/openssl-{- $config{version} -}"); + + # Options for POST method. + $curl->setopt(CURLOPT_UPLOAD, 1); +Index: openssl-1.1.1v/doc/HOWTO/certificates.txt +=================================================================== +--- openssl-1.1.1v.orig/doc/HOWTO/certificates.txt ++++ openssl-1.1.1v/doc/HOWTO/certificates.txt +@@ -16,7 +16,7 @@ Certificate authorities should read http + In all the cases shown below, the standard configuration file, as + compiled into openssl, will be used. You may find it in /etc/, + /usr/local/ssl/ or somewhere else. By default the file is named +-openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html. ++openssl-1_1.cnf and is described at https://www.openssl.org/docs/apps/config.html. + You can specify a different configuration file using the + '-config {file}' argument with the commands shown below. + +Index: openssl-1.1.1v/doc/man1/CA.pl.pod +=================================================================== +--- openssl-1.1.1v.orig/doc/man1/CA.pl.pod ++++ openssl-1.1.1v/doc/man1/CA.pl.pod +@@ -2,16 +2,16 @@ + + =head1 NAME + +-CA.pl - friendlier interface for OpenSSL certificate programs ++CA-1_1.pl - friendlier interface for OpenSSL certificate programs + + =head1 SYNOPSIS + +-B ++B + B<-?> | + B<-h> | + B<-help> + +-B ++B + B<-newcert> | + B<-newreq> | + B<-newreq-nodes> | +@@ -23,15 +23,15 @@ B<-crl> | + B<-newca> + [B<-extra-cmd> extra-params] + +-B B<-pkcs12> [B<-extra-pkcs12> extra-params] [B] ++B B<-pkcs12> [B<-extra-pkcs12> extra-params] [B] + +-B B<-verify> [B<-extra-verify> extra-params] B... ++B B<-verify> [B<-extra-verify> extra-params] B... + +-B B<-revoke> [B<-extra-ca> extra-params] B [B] ++B B<-revoke> [B<-extra-ca> extra-params] B [B] + + =head1 DESCRIPTION + +-The B script is a perl script that supplies the relevant command line ++The B script is a perl script that supplies the relevant command line + arguments to the B command for some common certificate operations. + It is intended to simplify the process of certificate creation and management + by the use of some simple options. +@@ -136,19 +136,19 @@ Users should consult B command + + Create a CA hierarchy: + +- CA.pl -newca ++ CA-1_1.pl -newca + + Complete certificate creation example: create a CA, create a request, sign + the request and finally create a PKCS#12 file containing it. + +- CA.pl -newca +- CA.pl -newreq +- CA.pl -sign +- CA.pl -pkcs12 "My Test Certificate" ++ CA-1_1.pl -newca ++ CA-1_1.pl -newreq ++ CA-1_1.pl -sign ++ CA-1_1.pl -pkcs12 "My Test Certificate" + + =head1 DSA CERTIFICATES + +-Although the B creates RSA CAs and requests it is still possible to ++Although the B creates RSA CAs and requests it is still possible to + use it with DSA certificates and requests using the L command + directly. The following example shows the steps that would typically be taken. + +@@ -162,7 +162,7 @@ Create a DSA CA certificate and private + + Create the CA directories and files: + +- CA.pl -newca ++ CA-1_1.pl -newca + + enter cacert.pem when prompted for the CA filename. + +@@ -173,22 +173,22 @@ can optionally be created first): + + Sign the request: + +- CA.pl -sign ++ CA-1_1.pl -sign + + =head1 NOTES + +-Most of the filenames mentioned can be modified by editing the B script. ++Most of the filenames mentioned can be modified by editing the B script. + + If the demoCA directory already exists then the B<-newca> command will not + overwrite it and will do nothing. This can happen if a previous call using + the B<-newca> option terminated abnormally. To get the correct behaviour + delete the demoCA directory if it already exists. + +-Under some environments it may not be possible to run the B script ++Under some environments it may not be possible to run the B script + directly (for example Win32) and the default configuration file location may + be wrong. In this case the command: + +- perl -S CA.pl ++ perl -S CA-1_1.pl + + can be used and the B environment variable changed to point to + the correct path of the configuration file. +Index: openssl-1.1.1v/doc/man1/ca.pod +=================================================================== +--- openssl-1.1.1v.orig/doc/man1/ca.pod ++++ openssl-1.1.1v/doc/man1/ca.pod +@@ -698,7 +698,7 @@ the database has to be kept in memory. + The B command really needs rewriting or the required functionality + exposed at either a command or interface level so a more friendly utility + (perl script or GUI) can handle things properly. The script +-B helps a little but not very much. ++B helps a little but not very much. + + Any fields in a request that are not present in a policy are silently + deleted. This does not happen if the B<-preserveDN> option is used. To +@@ -754,7 +754,7 @@ are in year 2050 or later. + + =head1 SEE ALSO + +-L, L, L, L, ++L, L, L, L, + L, L + + =head1 COPYRIGHT +Index: openssl-1.1.1v/doc/man1/rehash.pod +=================================================================== +--- openssl-1.1.1v.orig/doc/man1/rehash.pod ++++ openssl-1.1.1v/doc/man1/rehash.pod +@@ -6,7 +6,7 @@ Original text by James Westby, contribut + =head1 NAME + + openssl-c_rehash, openssl-rehash, +-c_rehash, rehash - Create symbolic links to files named by the hash values ++c_rehash-1_1, rehash - Create symbolic links to files named by the hash values + + =head1 SYNOPSIS + +@@ -19,13 +19,13 @@ B<[-n]> + B<[-v]> + [ I...] + +-B ++B + I + + =head1 DESCRIPTION + +-On some platforms, the OpenSSL B command is available as +-an external script called B. They are functionally equivalent, ++On some platforms, the OpenSSL B command is available as ++an external script called B. They are functionally equivalent, + except for minor differences noted below. + + B scans directories and calculates a hash value of each +@@ -66,7 +66,7 @@ more than one such object appears in the + + =head2 Script Configuration + +-The B script ++The B script + uses the B program to compute the hashes and + fingerprints. If not found in the user's B, then set the + B environment variable to the full pathname. +Index: openssl-1.1.1v/doc/man1/tsget.pod +=================================================================== +--- openssl-1.1.1v.orig/doc/man1/tsget.pod ++++ openssl-1.1.1v/doc/man1/tsget.pod +@@ -35,7 +35,7 @@ line. + The tool sends the following HTTP request for each timestamp request: + + POST url HTTP/1.1 +- User-Agent: OpenTSA tsget.pl/ ++ User-Agent: OpenTSA tsget-1_1.pl/ + Host: : + Pragma: no-cache + Content-Type: application/timestamp-query +@@ -108,7 +108,7 @@ Either option B<-C> or option B<-P> must + =item B<-P> CA_path + + (HTTPS) The path containing the trusted CA certificates to verify the peer's +-certificate. The directory must be prepared with the B ++certificate. The directory must be prepared with the B + OpenSSL utility. Either option B<-C> or option B<-P> must be given in case of + HTTPS. (Optional) + +Index: openssl-1.1.1v/doc/man1/verify.pod +=================================================================== +--- openssl-1.1.1v.orig/doc/man1/verify.pod ++++ openssl-1.1.1v/doc/man1/verify.pod +@@ -75,7 +75,7 @@ The file should contain one or more cert + A directory of trusted certificates. The certificates should have names + of the form: hash.0 or have symbolic links to them of this + form ("hash" is the hashed certificate subject name: see the B<-hash> option +-of the B utility). Under Unix the B script will automatically ++of the B utility). Under Unix the B script will automatically + create symbolic links to a directory of certificates. + + =item B<-no-CAfile> +Index: openssl-1.1.1v/doc/man1/x509.pod +=================================================================== +--- openssl-1.1.1v.orig/doc/man1/x509.pod ++++ openssl-1.1.1v/doc/man1/x509.pod +@@ -932,7 +932,7 @@ The hash algorithm used in the B<-subjec + before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding + of the distinguished name. In OpenSSL 1.0.0 and later it is based on a + canonical version of the DN using SHA1. This means that any directories using +-the old form must have their links rebuilt using B or similar. ++the old form must have their links rebuilt using B or similar. + + =head1 COPYRIGHT + +Index: openssl-1.1.1v/doc/man3/OPENSSL_config.pod +=================================================================== +--- openssl-1.1.1v.orig/doc/man3/OPENSSL_config.pod ++++ openssl-1.1.1v/doc/man3/OPENSSL_config.pod +@@ -15,7 +15,7 @@ OPENSSL_config, OPENSSL_no_config - simp + + =head1 DESCRIPTION + +-OPENSSL_config() configures OpenSSL using the standard B and ++OPENSSL_config() configures OpenSSL using the standard B and + reads from the application section B. If B is NULL then + the default section, B, will be used. + Errors are silently ignored. +Index: openssl-1.1.1v/doc/man3/SSL_CTX_load_verify_locations.pod +=================================================================== +--- openssl-1.1.1v.orig/doc/man3/SSL_CTX_load_verify_locations.pod ++++ openssl-1.1.1v/doc/man3/SSL_CTX_load_verify_locations.pod +@@ -63,7 +63,7 @@ If more than one CA certificate with the + extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search + is performed in the ordering of the extension number, regardless of other + properties of the certificates. +-Use the B utility to create the necessary links. ++Use the B utility to create the necessary links. + + The certificates in B are only looked up when required, e.g. when + building the certificate chain or when actually performing the verification +@@ -137,7 +137,7 @@ Prepare the directory /some/where/certs + for use as B: + + cd /some/where/certs +- c_rehash . ++ c_rehash-1_1 . + + =head1 SEE ALSO + +Index: openssl-1.1.1v/doc/man5/config.pod +=================================================================== +--- openssl-1.1.1v.orig/doc/man5/config.pod ++++ openssl-1.1.1v/doc/man5/config.pod +@@ -7,7 +7,7 @@ config - OpenSSL CONF library configurat + =head1 DESCRIPTION + + The OpenSSL CONF library can be used to read configuration files. +-It is used for the OpenSSL master configuration file B ++It is used for the OpenSSL master configuration file B + and in a few other places like B files and certificate extension + files for the B utility. OpenSSL applications can also use the + CONF library for their own purposes. +Index: openssl-1.1.1v/include/internal/cryptlib.h +=================================================================== +--- openssl-1.1.1v.orig/include/internal/cryptlib.h ++++ openssl-1.1.1v/include/internal/cryptlib.h +@@ -51,7 +51,7 @@ typedef struct app_mem_info_st APP_INFO; + typedef struct mem_st MEM; + DEFINE_LHASH_OF(MEM); + +-# define OPENSSL_CONF "openssl.cnf" ++# define OPENSSL_CONF "openssl-1_1.cnf" + + # ifndef OPENSSL_SYS_VMS + # define X509_CERT_AREA OPENSSLDIR +Index: openssl-1.1.1v/test/recipes/80-test_ca.t +=================================================================== +--- openssl-1.1.1v.orig/test/recipes/80-test_ca.t ++++ openssl-1.1.1v/test/recipes/80-test_ca.t +@@ -27,27 +27,27 @@ plan tests => 5; + SKIP: { + $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"'; + skip "failed creating CA structure", 4 +- if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)), ++ if !ok(run(perlapp(["CA-1_1.pl","-newca"], stdin => undef)), + 'creating CA structure'); + + $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"'; + skip "failed creating new certificate request", 3 +- if !ok(run(perlapp(["CA.pl","-newreq"])), ++ if !ok(run(perlapp(["CA-1_1.pl","-newreq"])), + 'creating certificate request'); + + $ENV{OPENSSL_CONFIG} = '-rand_serial -config "'.$std_openssl_cnf.'"'; + skip "failed to sign certificate request", 2 +- if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0, ++ if !is(yes(cmdstr(perlapp(["CA-1_1.pl", "-sign"]))), 0, + 'signing certificate request'); + +- ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])), ++ ok(run(perlapp(["CA-1_1.pl", "-verify", "newcert.pem"])), + 'verifying new certificate'); + + skip "CT not configured, can't use -precert", 1 + if disabled("ct"); + + $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"'; +- ok(run(perlapp(["CA.pl", "-precert"], stderr => undef)), ++ ok(run(perlapp(["CA-1_1.pl", "-precert"], stderr => undef)), + 'creating new pre-certificate'); + } + +Index: openssl-1.1.1v/tools/build.info +=================================================================== +--- openssl-1.1.1v.orig/tools/build.info ++++ openssl-1.1.1v/tools/build.info +@@ -1,5 +1,5 @@ + {- our $c_rehash_name = +- $config{target} =~ /^(VC|vms)-/ ? "c_rehash.pl" : "c_rehash"; ++ $config{target} =~ /^(VC|vms)-/ ? "c_rehash-1_1.pl" : "c_rehash-1_1"; + "" -} + IF[{- !$disabled{apps} -}] + SCRIPTS={- $c_rehash_name -} +Index: openssl-1.1.1v/tools/c_rehash.in +=================================================================== +--- openssl-1.1.1v.orig/tools/c_rehash.in ++++ openssl-1.1.1v/tools/c_rehash.in +@@ -8,7 +8,7 @@ + # in the file LICENSE in the source distribution or at + # https://www.openssl.org/source/license.html + +-# Perl c_rehash script, scan all files in a directory ++# Perl c_rehash-1_1 script, scan all files in a directory + # and add symbolic links to their hash values. + + my $dir = {- quotify1($config{openssldir}) -}; +@@ -44,7 +44,7 @@ while ( $ARGV[0] =~ /^-/ ) { + } + + sub help { +- print "Usage: c_rehash [-old] [-h] [-help] [-v] [dirs...]\n"; ++ print "Usage: c_rehash-1_1 [-old] [-h] [-help] [-v] [dirs...]\n"; + print " -old use old-style digest\n"; + print " -h or -help print this help text\n"; + print " -v print files removed and linked\n"; +@@ -73,7 +73,7 @@ if (! -x $openssl) { + } + } + if ($found == 0) { +- print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n"; ++ print STDERR "c_rehash-1_1: rehashing skipped ('openssl-1_1' program not available)\n"; + exit 0; + } + } diff --git a/openssl-1_1-ossl-sli-000-fix-build-error.patch b/openssl-1_1-ossl-sli-000-fix-build-error.patch new file mode 100644 index 0000000..3714d48 --- /dev/null +++ b/openssl-1_1-ossl-sli-000-fix-build-error.patch @@ -0,0 +1,10 @@ +diff --git a/util/libcrypto.num b/util/libcrypto.num +index e4a490a82..2a778ce92 100644 +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -4634,3 +4634,5 @@ EVP_KDF_vctrl 6594 1_1_1d EXIST::FUNCTION: + EVP_KDF_ctrl_str 6595 1_1_1d EXIST::FUNCTION: + EVP_KDF_size 6596 1_1_1d EXIST::FUNCTION: + EVP_KDF_derive 6597 1_1_1d EXIST::FUNCTION: ++EC_GROUP_get0_field 6598 1_1_1l EXIST::FUNCTION:EC ++NONFIPS_selftest_check 6599 1_1_1l EXIST::FUNCTION: diff --git a/openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch b/openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch new file mode 100644 index 0000000..babe1cf --- /dev/null +++ b/openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch @@ -0,0 +1,111 @@ +diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c +index 43c916fc1..fab410b9e 100644 +--- a/crypto/ec/ec_key.c ++++ b/crypto/ec/ec_key.c +@@ -472,16 +472,16 @@ int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx) + */ + if (eckey->priv_key != NULL) { + if (BN_cmp(eckey->priv_key, order) >= 0) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_WRONG_ORDER); ++ ECerr(EC_F_EC_KEY_PUBLIC_CHECK, EC_R_WRONG_ORDER); + goto err; + } + if (!EC_POINT_mul(eckey->group, point, eckey->priv_key, + NULL, NULL, ctx)) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, ERR_R_EC_LIB); ++ ECerr(EC_F_EC_KEY_PUBLIC_CHECK, ERR_R_EC_LIB); + goto err; + } + if (EC_POINT_cmp(eckey->group, point, eckey->pub_key, ctx) != 0) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_INVALID_PRIVATE_KEY); ++ ECerr(EC_F_EC_KEY_PUBLIC_CHECK, EC_R_INVALID_PRIVATE_KEY); + goto err; + } + } +diff --git a/crypto/ec/ecdh_ossl.c b/crypto/ec/ecdh_ossl.c +index 8794a6781..f38137388 100644 +--- a/crypto/ec/ecdh_ossl.c ++++ b/crypto/ec/ecdh_ossl.c +@@ -28,7 +28,7 @@ int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen, + { + #ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { +- FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_OSSL_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED); + return -1; + } + #endif +diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c +index 3445abd02..9e9526241 100644 +--- a/crypto/ec/ecdsa_ossl.c ++++ b/crypto/ec/ecdsa_ossl.c +@@ -204,7 +204,7 @@ ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, + + #ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { +- FIPSerr(FIPS_F_OSSL_ECDSA_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_ECDSA_SIMPLE_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED); + return NULL; + } + #endif +@@ -373,7 +373,7 @@ int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, + + #ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { +- FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_ECDSA_SIMPLE_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED); + return -1; + } + #endif +diff --git a/crypto/fips/fips_sha_selftest.c b/crypto/fips/fips_sha_selftest.c +index 035c2c092..4a6336248 100644 +--- a/crypto/fips/fips_sha_selftest.c ++++ b/crypto/fips/fips_sha_selftest.c +@@ -195,25 +195,25 @@ int FIPS_selftest_sha3(void) + + EVP_Digest(msg_sha3_256, sizeof(msg_sha3_256), md, NULL, EVP_sha3_256(), NULL); + if (memcmp(dig_sha3_256, md, sizeof(dig_sha3_256))) { +- FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED); + return 0; + } + + EVP_Digest(msg_sha3_512, sizeof(msg_sha3_512), md, NULL, EVP_sha3_512(), NULL); + if (memcmp(dig_sha3_512, md, sizeof(dig_sha3_512))) { +- FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED); + return 0; + } + + EVP_Digest(msg_shake_128, sizeof(msg_shake_128), md, NULL, EVP_shake128(), NULL); + if (memcmp(dig_shake_128, md, sizeof(dig_shake_128))) { +- FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED); + return 0; + } + + EVP_Digest(msg_shake_256, sizeof(msg_shake_256), md, NULL, EVP_shake256(), NULL); + if (memcmp(dig_shake_256, md, sizeof(dig_shake_256))) { +- FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED); + return 0; + } + +diff --git a/include/openssl/fips.h b/include/openssl/fips.h +index e4208cbfa..7af006e7b 100644 +--- a/include/openssl/fips.h ++++ b/include/openssl/fips.h +@@ -130,8 +130,13 @@ extern "C" { + # define FIPS_F_FIPS_SELFTEST_HKDF 155 + # define FIPS_F_FIPS_SELFTEST_SHA1 115 + # define FIPS_F_FIPS_SELFTEST_SHA2 105 ++# define FIPS_F_FIPS_SELFTEST_SHA3 156 ++# define FIPS_F_ECDSA_SIMPLE_VERIFY_SIG 157 ++# define FIPS_F_ECDSA_SIMPLE_SIGN_SIG 158 + # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 + # define FIPS_F_OSSL_ECDSA_VERIFY_SIG 148 ++# define FIPS_F_OSSL_ECDSA_SIMPLE_VERIFY_SIG 159 ++# define FIPS_F_OSSL_ECDH_COMPUTE_KEY 160 + # define FIPS_F_RSA_BUILTIN_KEYGEN 116 + # define FIPS_F_RSA_OSSL_INIT 149 + # define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT 117 diff --git a/openssl-1_1-ossl-sli-002-ran-make-update.patch b/openssl-1_1-ossl-sli-002-ran-make-update.patch new file mode 100644 index 0000000..70b96a1 --- /dev/null +++ b/openssl-1_1-ossl-sli-002-ran-make-update.patch @@ -0,0 +1,946 @@ +--- + apps/openssl-vms.cnf | 18 ++++ + crypto/dh/dh_err.c | 8 - + crypto/dsa/dsa_err.c | 8 + + crypto/ec/ec_err.c | 29 ++++++- + crypto/err/openssl.txt | 40 +++++++++ + crypto/evp/evp_err.c | 6 - + crypto/fips/fips_ers.c | 189 +++++++++++++++++++++++++++++++++++++++++++++-- + crypto/rsa/rsa_err.c | 23 +++-- + include/openssl/dherr.h | 15 +-- + include/openssl/dsaerr.h | 18 +--- + include/openssl/ecerr.h | 7 - + include/openssl/evperr.h | 19 ++-- + include/openssl/rsaerr.h | 32 +++---- + 13 files changed, 333 insertions(+), 79 deletions(-) + +--- a/apps/openssl-vms.cnf ++++ b/apps/openssl-vms.cnf +@@ -11,6 +11,24 @@ + # defined. + HOME = . + ++openssl_conf = openssl_init ++ ++[ openssl_init ] ++ ++engines = engine_section ++ ++[ engine_section ] ++ ++# This include will look through the directory that will contain the ++# engine declarations for any engines provided by other packages. ++.include /etc/ssl/engines1.1.d ++ ++# This include will look through the directory that will contain the ++# definitions of the engines declared in the engine section. ++.include /etc/ssl/engdef1.1.d ++ ++[ oid_section ] ++ + # Extra OBJECT IDENTIFIER info: + #oid_file = $ENV::HOME/.oid + oid_section = new_oids +--- a/crypto/dh/dh_err.c ++++ b/crypto/dh/dh_err.c +@@ -26,8 +26,8 @@ static const ERR_STRING_DATA DH_str_func + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0), + "dh_cms_set_shared_info"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_COMPUTE_KEY, 0), "DH_compute_key"}, +- {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_KEY, 0), "DH_generate_key"}, +- {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_PARAMETERS_EX, 0), "DH_generate_parameters_ex"}, ++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_PARAMETERS_EX, 0), ++ "DH_generate_parameters_ex"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_DUP, 0), "DH_meth_dup"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_NEW, 0), "DH_meth_new"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_SET1_NAME, 0), "DH_meth_set1_name"}, +@@ -78,11 +78,11 @@ static const ERR_STRING_DATA DH_str_reas + {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEY_SIZE_TOO_SMALL), "key size too small"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_MISSING_PUBKEY), "missing pubkey"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_LARGE), "modulus too large"}, ++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_NON_FIPS_METHOD), "non fips method"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_NOT_SUITABLE_GENERATOR), + "not suitable generator"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PARAMETERS_SET), "no parameters set"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PRIVATE_VALUE), "no private value"}, +- {ERR_PACK(ERR_LIB_DH, 0, DH_R_NON_FIPS_METHOD), "non FIPS method"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), + "parameter encoding error"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, +--- a/crypto/dsa/dsa_err.c ++++ b/crypto/dsa/dsa_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -24,7 +24,8 @@ static const ERR_STRING_DATA DSA_str_fun + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_SIGN, 0), "DSA_do_sign"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_VERIFY, 0), "DSA_do_verify"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_KEY, 0), "DSA_generate_key"}, +- {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_PARAMETERS_EX, 0), "DSA_generate_parameters_ex"}, ++ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_PARAMETERS_EX, 0), ++ "DSA_generate_parameters_ex"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_DUP, 0), "DSA_meth_dup"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_NEW, 0), "DSA_meth_new"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_SET1_NAME, 0), "DSA_meth_set1_name"}, +@@ -60,8 +61,9 @@ static const ERR_STRING_DATA DSA_str_rea + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PRIVATE_KEY), + "missing private key"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"}, ++ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD), ++ "non fips dsa method"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"}, +- {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD), "non FIPS DSA method"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR), + "parameter encoding error"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"}, +--- a/crypto/ec/ec_err.c ++++ b/crypto/ec/ec_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -27,9 +27,19 @@ static const ERR_STRING_DATA EC_str_func + "ecdh_simple_compute_key"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_DO_SIGN_EX, 0), "ECDSA_do_sign_ex"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_DO_VERIFY, 0), "ECDSA_do_verify"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_S390X_NISTP_SIGN_SIG, 0), ++ "ecdsa_s390x_nistp_sign_sig"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, 0), ++ "ecdsa_s390x_nistp_verify_sig"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIGN_EX, 0), "ECDSA_sign_ex"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIGN_SETUP, 0), "ECDSA_sign_setup"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIG_NEW, 0), "ECDSA_SIG_new"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_SIGN_SETUP, 0), ++ "ecdsa_simple_sign_setup"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_SIGN_SIG, 0), ++ "ecdsa_simple_sign_sig"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_VERIFY_SIG, 0), ++ "ecdsa_simple_verify_sig"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_VERIFY, 0), "ECDSA_verify"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECD_ITEM_VERIFY, 0), "ecd_item_verify"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECKEY_PARAM2TYPE, 0), "eckey_param2type"}, +@@ -193,6 +203,7 @@ static const ERR_STRING_DATA EC_str_func + {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_PRINT_FP, 0), "EC_KEY_print_fp"}, + {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_PRIV2BUF, 0), "EC_KEY_priv2buf"}, + {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_PRIV2OCT, 0), "EC_KEY_priv2oct"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_PUBLIC_CHECK, 0), "ec_key_public_check"}, + {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES, 0), + "EC_KEY_set_public_key_affine_coordinates"}, + {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_SIMPLE_CHECK_KEY, 0), +@@ -266,6 +277,8 @@ static const ERR_STRING_DATA EC_str_func + {ERR_PACK(ERR_LIB_EC, EC_F_OLD_EC_PRIV_DECODE, 0), "old_ec_priv_decode"}, + {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDH_COMPUTE_KEY, 0), + "ossl_ecdh_compute_key"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_SIGN_SETUP, 0), ++ "ossl_ecdsa_sign_setup"}, + {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_SIGN_SIG, 0), "ossl_ecdsa_sign_sig"}, + {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_VERIFY_SIG, 0), + "ossl_ecdsa_verify_sig"}, +@@ -284,6 +297,18 @@ static const ERR_STRING_DATA EC_str_func + {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_KEYGEN, 0), "pkey_ec_keygen"}, + {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_PARAMGEN, 0), "pkey_ec_paramgen"}, + {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_SIGN, 0), "pkey_ec_sign"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_DIGESTSIGN25519, 0), ++ "s390x_pkey_ecd_digestsign25519"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_DIGESTSIGN448, 0), ++ "s390x_pkey_ecd_digestsign448"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_KEYGEN25519, 0), ++ "s390x_pkey_ecd_keygen25519"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_KEYGEN448, 0), ++ "s390x_pkey_ecd_keygen448"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECX_KEYGEN25519, 0), ++ "s390x_pkey_ecx_keygen25519"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECX_KEYGEN448, 0), ++ "s390x_pkey_ecx_keygen448"}, + {ERR_PACK(ERR_LIB_EC, EC_F_VALIDATE_ECX_DERIVE, 0), "validate_ecx_derive"}, + {0, NULL} + }; +@@ -298,6 +323,8 @@ static const ERR_STRING_DATA EC_str_reas + "coordinates out of range"}, + {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH), + "curve does not support ecdh"}, ++ {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA), ++ "curve does not support ecdsa"}, + {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING), + "curve does not support signing"}, + {ERR_PACK(ERR_LIB_EC, 0, EC_R_D2I_ECPKPARAMETERS_FAILURE), +--- a/crypto/err/openssl.txt ++++ b/crypto/err/openssl.txt +@@ -408,6 +408,8 @@ DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pu + DH_F_DH_CMS_DECRYPT:114:dh_cms_decrypt + DH_F_DH_CMS_SET_PEERKEY:115:dh_cms_set_peerkey + DH_F_DH_CMS_SET_SHARED_INFO:116:dh_cms_set_shared_info ++DH_F_DH_COMPUTE_KEY:126:DH_compute_key ++DH_F_DH_GENERATE_PARAMETERS_EX:127:DH_generate_parameters_ex + DH_F_DH_METH_DUP:117:DH_meth_dup + DH_F_DH_METH_NEW:118:DH_meth_new + DH_F_DH_METH_SET1_NAME:119:DH_meth_set1_name +@@ -427,10 +429,13 @@ DH_F_PKEY_DH_INIT:125:pkey_dh_init + DH_F_PKEY_DH_KEYGEN:113:pkey_dh_keygen + DSA_F_DSAPARAMS_PRINT:100:DSAparams_print + DSA_F_DSAPARAMS_PRINT_FP:101:DSAparams_print_fp ++DSA_F_DSA_BUILTIN_KEYGEN:108:dsa_builtin_keygen + DSA_F_DSA_BUILTIN_PARAMGEN:125:dsa_builtin_paramgen + DSA_F_DSA_BUILTIN_PARAMGEN2:126:dsa_builtin_paramgen2 + DSA_F_DSA_DO_SIGN:112:DSA_do_sign + DSA_F_DSA_DO_VERIFY:113:DSA_do_verify ++DSA_F_DSA_GENERATE_KEY:109:DSA_generate_key ++DSA_F_DSA_GENERATE_PARAMETERS_EX:110:DSA_generate_parameters_ex + DSA_F_DSA_METH_DUP:127:DSA_meth_dup + DSA_F_DSA_METH_NEW:128:DSA_meth_new + DSA_F_DSA_METH_SET1_NAME:129:DSA_meth_set1_name +@@ -494,15 +499,15 @@ EC_F_ECDH_COMPUTE_KEY:246:ECDH_compute_k + EC_F_ECDH_SIMPLE_COMPUTE_KEY:257:ecdh_simple_compute_key + EC_F_ECDSA_DO_SIGN_EX:251:ECDSA_do_sign_ex + EC_F_ECDSA_DO_VERIFY:252:ECDSA_do_verify ++EC_F_ECDSA_S390X_NISTP_SIGN_SIG:313:ecdsa_s390x_nistp_sign_sig ++EC_F_ECDSA_S390X_NISTP_VERIFY_SIG:314:ecdsa_s390x_nistp_verify_sig + EC_F_ECDSA_SIGN_EX:254:ECDSA_sign_ex + EC_F_ECDSA_SIGN_SETUP:248:ECDSA_sign_setup + EC_F_ECDSA_SIG_NEW:265:ECDSA_SIG_new +-EC_F_ECDSA_VERIFY:253:ECDSA_verify + EC_F_ECDSA_SIMPLE_SIGN_SETUP:310:ecdsa_simple_sign_setup + EC_F_ECDSA_SIMPLE_SIGN_SIG:311:ecdsa_simple_sign_sig + EC_F_ECDSA_SIMPLE_VERIFY_SIG:312:ecdsa_simple_verify_sig +-EC_F_ECDSA_S390X_NISTP_SIGN_SIG:313:ecdsa_s390x_nistp_sign_sig +-EC_F_ECDSA_S390X_NISTP_VERIFY_SIG:314:ecdsa_s390x_nistp_verify_sig ++EC_F_ECDSA_VERIFY:253:ECDSA_verify + EC_F_ECD_ITEM_VERIFY:270:ecd_item_verify + EC_F_ECKEY_PARAM2TYPE:223:eckey_param2type + EC_F_ECKEY_PARAM_DECODE:212:eckey_param_decode +@@ -610,6 +615,7 @@ EC_F_EC_KEY_PRINT:180:EC_KEY_print + EC_F_EC_KEY_PRINT_FP:181:EC_KEY_print_fp + EC_F_EC_KEY_PRIV2BUF:279:EC_KEY_priv2buf + EC_F_EC_KEY_PRIV2OCT:256:EC_KEY_priv2oct ++EC_F_EC_KEY_PUBLIC_CHECK:299:ec_key_public_check + EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES:229:\ + EC_KEY_set_public_key_affine_coordinates + EC_F_EC_KEY_SIMPLE_CHECK_KEY:258:ec_key_simple_check_key +@@ -735,6 +741,7 @@ EVP_F_AES_OCB_CIPHER:169:aes_ocb_cipher + EVP_F_AES_T4_INIT_KEY:178:aes_t4_init_key + EVP_F_AES_T4_XTS_INIT_KEY:208:aes_t4_xts_init_key + EVP_F_AES_WRAP_CIPHER:170:aes_wrap_cipher ++EVP_F_AES_XTS_CIPHER:210:aes_xts_cipher + EVP_F_AES_XTS_INIT_KEY:209:aes_xts_init_key + EVP_F_ALG_MODULE_INIT:177:alg_module_init + EVP_F_ARIA_CCM_INIT_KEY:175:aria_ccm_init_key +@@ -844,6 +851,8 @@ FIPS_F_EVP_CIPHER_CTX_NEW:137:EVP_CIPHER + FIPS_F_EVP_CIPHER_CTX_RESET:122:EVP_CIPHER_CTX_reset + FIPS_F_EVP_CIPHERINIT_EX:124:EVP_CipherInit_ex + FIPS_F_EVP_DIGESTINIT_EX:125:EVP_DigestInit_ex ++FIPS_F_ECDSA_SIMPLE_SIGN_SIG:104:ecdsa_simple_sign_sig ++FIPS_F_ECDSA_SIMPLE_VERIFY_SIG:105:ecdsa_simple_verify_sig + FIPS_F_FIPS_CHECK_DSA:104:fips_check_dsa + FIPS_F_FIPS_CHECK_EC:142:fips_check_ec + FIPS_F_FIPS_CHECK_RSA:106:fips_check_rsa +@@ -874,9 +883,15 @@ FIPS_F_FIPS_SELFTEST_CMAC:130:FIPS_selft + FIPS_F_FIPS_SELFTEST_DES:111:FIPS_selftest_des + FIPS_F_FIPS_SELFTEST_DSA:112:FIPS_selftest_dsa + FIPS_F_FIPS_SELFTEST_ECDSA:133:FIPS_selftest_ecdsa ++FIPS_F_FIPS_SELFTEST_HKDF:136:FIPS_selftest_hkdf + FIPS_F_FIPS_SELFTEST_HMAC:113:FIPS_selftest_hmac ++FIPS_F_FIPS_SELFTEST_PBKDF2:138:FIPS_selftest_pbkdf2 + FIPS_F_FIPS_SELFTEST_SHA1:115:FIPS_selftest_sha1 + FIPS_F_FIPS_SELFTEST_SHA2:105:FIPS_selftest_sha2 ++FIPS_F_FIPS_SELFTEST_SHA3:141:FIPS_selftest_sha3 ++FIPS_F_FIPS_SELFTEST_SSH:142:FIPS_selftest_ssh ++FIPS_F_FIPS_SELFTEST_TLS:143:FIPS_selftest_tls ++FIPS_F_OSSL_ECDH_COMPUTE_KEY:144:ossl_ecdh_compute_key + FIPS_F_OSSL_ECDSA_SIGN_SIG:143:ossl_ecdsa_sign_sig + FIPS_F_OSSL_ECDSA_VERIFY_SIG:148:ossl_ecdsa_verify_sig + FIPS_F_RSA_BUILTIN_KEYGEN:116:rsa_builtin_keygen +@@ -1126,6 +1141,7 @@ RAND_F_RAND_PSEUDO_BYTES:126:RAND_pseudo + RAND_F_RAND_WRITE_FILE:112:RAND_write_file + RSA_F_CHECK_PADDING_MD:140:check_padding_md + RSA_F_ENCODE_PKCS1:146:encode_pkcs1 ++RSA_F_FIPS_RSA_BUILTIN_KEYGEN:168:fips_rsa_builtin_keygen + RSA_F_INT_RSA_VERIFY:145:int_rsa_verify + RSA_F_OLD_RSA_PRIV_DECODE:147:old_rsa_priv_decode + RSA_F_PKEY_PSS_INIT:165:pkey_pss_init +@@ -1140,6 +1156,8 @@ RSA_F_RSA_CHECK_KEY:123:RSA_check_key + RSA_F_RSA_CHECK_KEY_EX:160:RSA_check_key_ex + RSA_F_RSA_CMS_DECRYPT:159:rsa_cms_decrypt + RSA_F_RSA_CMS_VERIFY:158:rsa_cms_verify ++RSA_F_RSA_GENERATE_KEY_EX:169:RSA_generate_key_ex ++RSA_F_RSA_GENERATE_MULTI_PRIME_KEY:170:RSA_generate_multi_prime_key + RSA_F_RSA_ITEM_VERIFY:148:rsa_item_verify + RSA_F_RSA_METH_DUP:161:RSA_meth_dup + RSA_F_RSA_METH_NEW:162:RSA_meth_new +@@ -1175,12 +1193,18 @@ RSA_F_RSA_PADDING_CHECK_X931:128:RSA_pad + RSA_F_RSA_PARAM_DECODE:164:rsa_param_decode + RSA_F_RSA_PRINT:115:RSA_print + RSA_F_RSA_PRINT_FP:116:RSA_print_fp ++RSA_F_RSA_PRIVATE_DECRYPT:171:RSA_private_decrypt ++RSA_F_RSA_PRIVATE_ENCRYPT:172:RSA_private_encrypt + RSA_F_RSA_PRIV_DECODE:150:rsa_priv_decode + RSA_F_RSA_PRIV_ENCODE:138:rsa_priv_encode + RSA_F_RSA_PSS_GET_PARAM:151:rsa_pss_get_param + RSA_F_RSA_PSS_TO_CTX:155:rsa_pss_to_ctx ++RSA_F_RSA_PUBLIC_DECRYPT:173:RSA_public_decrypt ++RSA_F_RSA_PUBLIC_ENCRYPT:174:RSA_public_encrypt + RSA_F_RSA_PUB_DECODE:139:rsa_pub_decode + RSA_F_RSA_SETUP_BLINDING:136:RSA_setup_blinding ++RSA_F_RSA_SET_DEFAULT_METHOD:175:RSA_set_default_method ++RSA_F_RSA_SET_METHOD:176:RSA_set_method + RSA_F_RSA_SIGN:117:RSA_sign + RSA_F_RSA_SIGN_ASN1_OCTET_STRING:118:RSA_sign_ASN1_OCTET_STRING + RSA_F_RSA_VERIFY:119:RSA_verify +@@ -2189,8 +2213,10 @@ DH_R_INVALID_PARAMETER_NID:114:invalid p + DH_R_INVALID_PUBKEY:102:invalid public key + DH_R_KDF_PARAMETER_ERROR:112:kdf parameter error + DH_R_KEYS_NOT_SET:108:keys not set ++DH_R_KEY_SIZE_TOO_SMALL:126:key size too small + DH_R_MISSING_PUBKEY:125:missing pubkey + DH_R_MODULUS_TOO_LARGE:103:modulus too large ++DH_R_NON_FIPS_METHOD:127:non fips method + DH_R_NOT_SUITABLE_GENERATOR:120:not suitable generator + DH_R_NO_PARAMETERS_SET:107:no parameters set + DH_R_NO_PRIVATE_VALUE:100:no private value +@@ -2204,9 +2230,12 @@ DSA_R_BN_ERROR:109:bn error + DSA_R_DECODE_ERROR:104:decode error + DSA_R_INVALID_DIGEST_TYPE:106:invalid digest type + DSA_R_INVALID_PARAMETERS:112:invalid parameters ++DSA_R_KEY_SIZE_INVALID:114:key size invalid ++DSA_R_KEY_SIZE_TOO_SMALL:115:key size too small + DSA_R_MISSING_PARAMETERS:101:missing parameters + DSA_R_MISSING_PRIVATE_KEY:111:missing private key + DSA_R_MODULUS_TOO_LARGE:103:modulus too large ++DSA_R_NON_FIPS_DSA_METHOD:116:non fips dsa method + DSA_R_NO_PARAMETERS_SET:107:no parameters set + DSA_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error + DSA_R_Q_NOT_PRIME:113:q not prime +@@ -2344,6 +2373,7 @@ EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH: + EVP_R_DECODE_ERROR:114:decode error + EVP_R_DIFFERENT_KEY_TYPES:101:different key types + EVP_R_DIFFERENT_PARAMETERS:153:different parameters ++EVP_R_DISABLED_FOR_FIPS:185:disabled for fips + EVP_R_ERROR_LOADING_SECTION:165:error loading section + EVP_R_ERROR_SETTING_FIPS_MODE:166:error setting fips mode + EVP_R_EXPECTING_AN_HMAC_KEY:174:expecting an hmac key +@@ -2389,6 +2419,7 @@ EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREA + EVP_R_PRIVATE_KEY_DECODE_ERROR:145:private key decode error + EVP_R_PRIVATE_KEY_ENCODE_ERROR:146:private key encode error + EVP_R_PUBLIC_KEY_NOT_RSA:106:public key not rsa ++EVP_R_TOO_LARGE:186:too large + EVP_R_UNKNOWN_CIPHER:160:unknown cipher + EVP_R_UNKNOWN_DIGEST:161:unknown digest + EVP_R_UNKNOWN_OPTION:169:unknown option +@@ -2711,11 +2742,13 @@ RSA_R_MODULUS_TOO_LARGE:105:modulus too + RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R:168:mp coefficient not inverse of r + RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D:169:mp exponent not congruent to d + RSA_R_MP_R_NOT_PRIME:170:mp r not prime ++RSA_R_NON_FIPS_RSA_METHOD:171:non fips rsa method + RSA_R_NO_PUBLIC_EXPONENT:140:no public exponent + RSA_R_NULL_BEFORE_BLOCK_MISSING:113:null before block missing + RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES:172:n does not equal product of primes + RSA_R_N_DOES_NOT_EQUAL_P_Q:127:n does not equal p q + RSA_R_OAEP_DECODING_ERROR:121:oaep decoding error ++RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE:173:operation not allowed in fips mode + RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:148:\ + operation not supported for this keytype + RSA_R_PADDING_CHECK_FAILED:114:padding check failed +@@ -2737,6 +2770,7 @@ RSA_R_UNSUPPORTED_ENCRYPTION_TYPE:162:un + RSA_R_UNSUPPORTED_LABEL_SOURCE:163:unsupported label source + RSA_R_UNSUPPORTED_MASK_ALGORITHM:153:unsupported mask algorithm + RSA_R_UNSUPPORTED_MASK_PARAMETER:154:unsupported mask parameter ++RSA_R_UNSUPPORTED_PARAMETERS:174:unsupported parameters + RSA_R_UNSUPPORTED_SIGNATURE_TYPE:155:unsupported signature type + RSA_R_VALUE_MISSING:147:value missing + RSA_R_WRONG_SIGNATURE_LENGTH:119:wrong signature length +--- a/crypto/evp/evp_err.c ++++ b/crypto/evp/evp_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -192,7 +192,7 @@ static const ERR_STRING_DATA EVP_str_rea + "different key types"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_PARAMETERS), + "different parameters"}, +- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DISABLED_FOR_FIPS), "disabled for FIPS"}, ++ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DISABLED_FOR_FIPS), "disabled for fips"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION), + "error loading section"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE), +@@ -286,8 +286,6 @@ static const ERR_STRING_DATA EVP_str_rea + "wrap mode not allowed"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH), + "wrong final block length"}, +- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE), +- "xts data unit is too large"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS), + "xts duplicated keys"}, + {0, NULL} +--- a/crypto/fips/fips_ers.c ++++ b/crypto/fips/fips_ers.c +@@ -1,7 +1,186 @@ +-#include ++/* ++ * Generated by util/mkerr.pl DO NOT EDIT ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ + +-#ifdef OPENSSL_FIPS +-# include "fips_err.h" +-#else +-static void *dummy = &dummy; ++#include ++#include "crypto/fipserr.h" ++ ++#ifndef OPENSSL_NO_ERR ++ ++static const ERR_STRING_DATA FIPS_str_functs[] = { ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_DRBG_RESEED, 0), "drbg_reseed"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_DSA_BUILTIN_PARAMGEN2, 0), ++ "dsa_builtin_paramgen2"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_DSA_DO_SIGN, 0), "DSA_do_sign"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_DSA_DO_VERIFY, 0), "DSA_do_verify"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_ECDSA_SIMPLE_SIGN_SIG, 0), ++ "ecdsa_simple_sign_sig"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_ECDSA_SIMPLE_VERIFY_SIG, 0), ++ "ecdsa_simple_verify_sig"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_EVP_CIPHERINIT_EX, 0), "EVP_CipherInit_ex"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_EVP_CIPHER_CTX_NEW, 0), ++ "EVP_CIPHER_CTX_new"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_EVP_CIPHER_CTX_RESET, 0), ++ "EVP_CIPHER_CTX_reset"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_EVP_DIGESTINIT_EX, 0), "EVP_DigestInit_ex"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_CHECK_DSA, 0), "fips_check_dsa"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_CHECK_EC, 0), "fips_check_ec"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_CHECK_RSA, 0), "fips_check_rsa"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_BYTES, 0), "fips_drbg_bytes"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_CHECK, 0), "fips_drbg_check"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_ERROR_CHECK, 0), ++ "fips_drbg_error_check"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_GENERATE, 0), ++ "FIPS_drbg_generate"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_INIT, 0), "FIPS_drbg_init"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_INSTANTIATE, 0), ++ "FIPS_drbg_instantiate"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_NEW, 0), "FIPS_drbg_new"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_SINGLE_KAT, 0), ++ "fips_drbg_single_kat"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_GET_ENTROPY, 0), "fips_get_entropy"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_MODULE_MODE_SET, 0), ++ "FIPS_module_mode_set"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_PKEY_SIGNATURE_TEST, 0), ++ "fips_pkey_signature_test"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RAND_BYTES, 0), "FIPS_rand_bytes"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RAND_SEED, 0), "FIPS_rand_seed"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RAND_SET_METHOD, 0), ++ "FIPS_rand_set_method"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RAND_STATUS, 0), "FIPS_rand_status"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, 0), ++ "fips_rsa_builtin_keygen"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_AES, 0), "FIPS_selftest_aes"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_AES_CCM, 0), ++ "FIPS_selftest_aes_ccm"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_AES_GCM, 0), ++ "FIPS_selftest_aes_gcm"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_AES_XTS, 0), ++ "FIPS_selftest_aes_xts"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_CMAC, 0), ++ "FIPS_selftest_cmac"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_DES, 0), "FIPS_selftest_des"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_ECDSA, 0), ++ "FIPS_selftest_ecdsa"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_HKDF, 0), ++ "FIPS_selftest_hkdf"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_HMAC, 0), ++ "FIPS_selftest_hmac"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_PBKDF2, 0), ++ "FIPS_selftest_pbkdf2"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_SHA1, 0), ++ "FIPS_selftest_sha1"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_SHA2, 0), ++ "FIPS_selftest_sha2"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_SHA3, 0), ++ "FIPS_selftest_sha3"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_SSH, 0), "FIPS_selftest_ssh"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_TLS, 0), "FIPS_selftest_tls"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_OSSL_ECDH_COMPUTE_KEY, 0), ++ "ossl_ecdh_compute_key"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_RSA_OSSL_PRIVATE_DECRYPT, 0), ++ "rsa_ossl_private_decrypt"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT, 0), ++ "rsa_ossl_private_encrypt"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_RSA_OSSL_PUBLIC_DECRYPT, 0), ++ "rsa_ossl_public_decrypt"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT, 0), ++ "rsa_ossl_public_encrypt"}, ++ {0, NULL} ++}; ++ ++static const ERR_STRING_DATA FIPS_str_reasons[] = { ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED), ++ "additional input error undetected"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ADDITIONAL_INPUT_TOO_LONG), ++ "additional input too long"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ALREADY_INSTANTIATED), ++ "already instantiated"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_DRBG_NOT_INITIALISED), ++ "drbg not initialised"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ENTROPY_ERROR_UNDETECTED), ++ "entropy error undetected"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED), ++ "entropy not requested for reseed"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ENTROPY_SOURCE_STUCK), ++ "entropy source stuck"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_INITIALISING_DRBG), ++ "error initialising drbg"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_INSTANTIATING_DRBG), ++ "error instantiating drbg"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT), ++ "error retrieving additional input"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_RETRIEVING_ENTROPY), ++ "error retrieving entropy"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_RETRIEVING_NONCE), ++ "error retrieving nonce"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_FINGERPRINT_DOES_NOT_MATCH), ++ "fingerprint does not match"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_FIPS_MODE_ALREADY_SET), ++ "fips mode already set"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_FIPS_SELFTEST_FAILED), ++ "fips selftest failed"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_FUNCTION_ERROR), "function error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_GENERATE_ERROR), "generate error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_GENERATE_ERROR_UNDETECTED), ++ "generate error undetected"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_INSTANTIATE_ERROR), "instantiate error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_INVALID_KEY_LENGTH), ++ "invalid key length"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_IN_ERROR_STATE), "in error state"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_KEY_TOO_SHORT), "key too short"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NONCE_ERROR_UNDETECTED), ++ "nonce error undetected"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NON_FIPS_METHOD), "non fips method"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NOPR_TEST1_FAILURE), ++ "nopr test1 failure"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NOPR_TEST2_FAILURE), ++ "nopr test2 failure"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NOT_INSTANTIATED), "not instantiated"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PAIRWISE_TEST_FAILED), ++ "pairwise test failed"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PERSONALISATION_ERROR_UNDETECTED), ++ "personalisation error undetected"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PERSONALISATION_STRING_TOO_LONG), ++ "personalisation string too long"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PR_TEST1_FAILURE), "pr test1 failure"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PR_TEST2_FAILURE), "pr test2 failure"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED), ++ "request length error undetected"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG), ++ "request too large for drbg"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_RESEED_COUNTER_ERROR), ++ "reseed counter error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_RESEED_ERROR), "reseed error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_SELFTEST_FAILED), "selftest failed"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_SELFTEST_FAILURE), "selftest failure"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_TEST_FAILURE), "test failure"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_UNINSTANTIATE_ERROR), ++ "uninstantiate error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_UNINSTANTIATE_ZEROISE_ERROR), ++ "uninstantiate zeroise error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_UNSUPPORTED_DRBG_TYPE), ++ "unsupported drbg type"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_UNSUPPORTED_PLATFORM), ++ "unsupported platform"}, ++ {0, NULL} ++}; ++ ++#endif ++ ++int ERR_load_FIPS_strings(void) ++{ ++#ifndef OPENSSL_NO_ERR ++ if (ERR_func_error_string(FIPS_str_functs[0].error) == NULL) { ++ ERR_load_strings_const(FIPS_str_functs); ++ ERR_load_strings_const(FIPS_str_reasons); ++ } + #endif ++ return 1; ++} +--- a/crypto/rsa/rsa_err.c ++++ b/crypto/rsa/rsa_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -34,7 +34,8 @@ static const ERR_STRING_DATA RSA_str_fun + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CHECK_KEY_EX, 0), "RSA_check_key_ex"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_DECRYPT, 0), "rsa_cms_decrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_VERIFY, 0), "rsa_cms_verify"}, +- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_KEY_EX, 0), "RSA_generate_key_ex"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_KEY_EX, 0), ++ "RSA_generate_key_ex"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, 0), + "RSA_generate_multi_prime_key"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_ITEM_VERIFY, 0), "rsa_item_verify"}, +@@ -93,16 +94,21 @@ static const ERR_STRING_DATA RSA_str_fun + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PARAM_DECODE, 0), "rsa_param_decode"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRINT, 0), "RSA_print"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRINT_FP, 0), "RSA_print_fp"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_DECRYPT, 0), ++ "RSA_private_decrypt"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_ENCRYPT, 0), ++ "RSA_private_encrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_DECODE, 0), "rsa_priv_decode"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_ENCODE, 0), "rsa_priv_encode"}, +- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_DECRYPT, 0), "RSA_private_decrypt"}, +- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_ENCRYPT, 0), "RSA_private_encrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_GET_PARAM, 0), "rsa_pss_get_param"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_TO_CTX, 0), "rsa_pss_to_ctx"}, +- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUB_DECODE, 0), "rsa_pub_decode"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_DECRYPT, 0), "RSA_public_decrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_ENCRYPT, 0), "RSA_public_encrypt"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUB_DECODE, 0), "rsa_pub_decode"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SETUP_BLINDING, 0), "RSA_setup_blinding"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_DEFAULT_METHOD, 0), ++ "RSA_set_default_method"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_METHOD, 0), "RSA_set_method"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN, 0), "RSA_sign"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN_ASN1_OCTET_STRING, 0), + "RSA_sign_ASN1_OCTET_STRING"}, +@@ -111,8 +117,6 @@ static const ERR_STRING_DATA RSA_str_fun + "RSA_verify_ASN1_OCTET_STRING"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, 0), + "RSA_verify_PKCS1_PSS_mgf1"}, +- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_DEFAULT_METHOD, 0), "RSA_set_default_method"}, +- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_METHOD, 0), "RSA_set_method"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_SETUP_TBUF, 0), "setup_tbuf"}, + {0, NULL} + }; +@@ -193,8 +197,9 @@ static const ERR_STRING_DATA RSA_str_rea + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D), + "mp exponent not congruent to d"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_R_NOT_PRIME), "mp r not prime"}, ++ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NON_FIPS_RSA_METHOD), ++ "non fips rsa method"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NO_PUBLIC_EXPONENT), "no public exponent"}, +- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NON_FIPS_RSA_METHOD), "non FIPS rsa method"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NULL_BEFORE_BLOCK_MISSING), + "null before block missing"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES), +@@ -204,7 +209,7 @@ static const ERR_STRING_DATA RSA_str_rea + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OAEP_DECODING_ERROR), + "oaep decoding error"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE), +- "operation not allowed in FIPS mode"}, ++ "operation not allowed in fips mode"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), + "operation not supported for this keytype"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_PADDING_CHECK_FAILED), +--- a/include/openssl/dherr.h ++++ b/include/openssl/dherr.h +@@ -11,9 +11,7 @@ + #ifndef HEADER_DHERR_H + # define HEADER_DHERR_H + +-# ifndef HEADER_SYMHACKS_H +-# include +-# endif ++# include + + # include + +@@ -36,9 +34,8 @@ int ERR_load_DH_strings(void); + # define DH_F_DH_CMS_DECRYPT 114 + # define DH_F_DH_CMS_SET_PEERKEY 115 + # define DH_F_DH_CMS_SET_SHARED_INFO 116 +-# define DH_F_DH_COMPUTE_KEY 203 +-# define DH_F_DH_GENERATE_KEY 202 +-# define DH_F_DH_GENERATE_PARAMETERS_EX 201 ++# define DH_F_DH_COMPUTE_KEY 126 ++# define DH_F_DH_GENERATE_PARAMETERS_EX 127 + # define DH_F_DH_METH_DUP 117 + # define DH_F_DH_METH_NEW 118 + # define DH_F_DH_METH_SET1_NAME 119 +@@ -76,14 +73,14 @@ int ERR_load_DH_strings(void); + # define DH_R_INVALID_PARAMETER_NID 114 + # define DH_R_INVALID_PUBKEY 102 + # define DH_R_KDF_PARAMETER_ERROR 112 +-# define DH_R_KEY_SIZE_TOO_SMALL 201 + # define DH_R_KEYS_NOT_SET 108 ++# define DH_R_KEY_SIZE_TOO_SMALL 126 + # define DH_R_MISSING_PUBKEY 125 + # define DH_R_MODULUS_TOO_LARGE 103 ++# define DH_R_NON_FIPS_METHOD 127 + # define DH_R_NOT_SUITABLE_GENERATOR 120 + # define DH_R_NO_PARAMETERS_SET 107 + # define DH_R_NO_PRIVATE_VALUE 100 +-# define DH_R_NON_FIPS_METHOD 202 + # define DH_R_PARAMETER_ENCODING_ERROR 105 + # define DH_R_PEER_KEY_ERROR 111 + # define DH_R_SHARED_INFO_ERROR 113 +--- a/include/openssl/dsaerr.h ++++ b/include/openssl/dsaerr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -11,9 +11,7 @@ + #ifndef HEADER_DSAERR_H + # define HEADER_DSAERR_H + +-# ifndef HEADER_SYMHACKS_H +-# include +-# endif ++# include + + # include + +@@ -29,13 +27,13 @@ int ERR_load_DSA_strings(void); + */ + # define DSA_F_DSAPARAMS_PRINT 100 + # define DSA_F_DSAPARAMS_PRINT_FP 101 +-# define DSA_F_DSA_BUILTIN_KEYGEN 202 ++# define DSA_F_DSA_BUILTIN_KEYGEN 108 + # define DSA_F_DSA_BUILTIN_PARAMGEN 125 + # define DSA_F_DSA_BUILTIN_PARAMGEN2 126 +-# define DSA_F_DSA_GENERATE_KEY 201 +-# define DSA_F_DSA_GENERATE_PARAMETERS_EX 200 + # define DSA_F_DSA_DO_SIGN 112 + # define DSA_F_DSA_DO_VERIFY 113 ++# define DSA_F_DSA_GENERATE_KEY 109 ++# define DSA_F_DSA_GENERATE_PARAMETERS_EX 110 + # define DSA_F_DSA_METH_DUP 127 + # define DSA_F_DSA_METH_NEW 128 + # define DSA_F_DSA_METH_SET1_NAME 129 +@@ -63,13 +61,13 @@ int ERR_load_DSA_strings(void); + # define DSA_R_DECODE_ERROR 104 + # define DSA_R_INVALID_DIGEST_TYPE 106 + # define DSA_R_INVALID_PARAMETERS 112 +-# define DSA_R_KEY_SIZE_INVALID 201 +-# define DSA_R_KEY_SIZE_TOO_SMALL 202 ++# define DSA_R_KEY_SIZE_INVALID 114 ++# define DSA_R_KEY_SIZE_TOO_SMALL 115 + # define DSA_R_MISSING_PARAMETERS 101 + # define DSA_R_MISSING_PRIVATE_KEY 111 + # define DSA_R_MODULUS_TOO_LARGE 103 ++# define DSA_R_NON_FIPS_DSA_METHOD 116 + # define DSA_R_NO_PARAMETERS_SET 107 +-# define DSA_R_NON_FIPS_DSA_METHOD 200 + # define DSA_R_PARAMETER_ENCODING_ERROR 105 + # define DSA_R_Q_NOT_PRIME 113 + # define DSA_R_SEED_LEN_SMALL 110 +--- a/include/openssl/ecerr.h ++++ b/include/openssl/ecerr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -11,9 +11,7 @@ + #ifndef HEADER_ECERR_H + # define HEADER_ECERR_H + +-# ifndef HEADER_SYMHACKS_H +-# include +-# endif ++# include + + # include + +@@ -143,6 +141,7 @@ int ERR_load_EC_strings(void); + # define EC_F_EC_KEY_PRINT_FP 181 + # define EC_F_EC_KEY_PRIV2BUF 279 + # define EC_F_EC_KEY_PRIV2OCT 256 ++# define EC_F_EC_KEY_PUBLIC_CHECK 299 + # define EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES 229 + # define EC_F_EC_KEY_SIMPLE_CHECK_KEY 258 + # define EC_F_EC_KEY_SIMPLE_OCT2PRIV 259 +--- a/include/openssl/evperr.h ++++ b/include/openssl/evperr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -22,15 +22,15 @@ int ERR_load_EVP_strings(void); + * EVP function codes. + */ + # define EVP_F_AESNI_INIT_KEY 165 +-# define EVP_F_AESNI_XTS_INIT_KEY 233 ++# define EVP_F_AESNI_XTS_INIT_KEY 207 + # define EVP_F_AES_GCM_CTRL 196 + # define EVP_F_AES_INIT_KEY 133 + # define EVP_F_AES_OCB_CIPHER 169 + # define EVP_F_AES_T4_INIT_KEY 178 +-# define EVP_F_AES_T4_XTS_INIT_KEY 234 ++# define EVP_F_AES_T4_XTS_INIT_KEY 208 + # define EVP_F_AES_WRAP_CIPHER 170 +-# define EVP_F_AES_XTS_CIPHER 229 +-# define EVP_F_AES_XTS_INIT_KEY 235 ++# define EVP_F_AES_XTS_CIPHER 210 ++# define EVP_F_AES_XTS_INIT_KEY 209 + # define EVP_F_ALG_MODULE_INIT 177 + # define EVP_F_ARIA_CCM_INIT_KEY 175 + # define EVP_F_ARIA_GCM_CTRL 197 +@@ -146,9 +146,9 @@ int ERR_load_EVP_strings(void); + # define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED 133 + # define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138 + # define EVP_R_DECODE_ERROR 114 +-# define EVP_R_DISABLED_FOR_FIPS 200 + # define EVP_R_DIFFERENT_KEY_TYPES 101 + # define EVP_R_DIFFERENT_PARAMETERS 153 ++# define EVP_R_DISABLED_FOR_FIPS 185 + # define EVP_R_ERROR_LOADING_SECTION 165 + # define EVP_R_ERROR_SETTING_FIPS_MODE 166 + # define EVP_R_EXPECTING_AN_HMAC_KEY 174 +@@ -184,15 +184,15 @@ int ERR_load_EVP_strings(void); + # define EVP_R_ONLY_ONESHOT_SUPPORTED 177 + # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 + # define EVP_R_OPERATON_NOT_INITIALIZED 151 +-# define EVP_R_PARAMETER_TOO_LARGE 187 + # define EVP_R_OUTPUT_WOULD_OVERFLOW 184 ++# define EVP_R_PARAMETER_TOO_LARGE 187 + # define EVP_R_PARTIALLY_OVERLAPPING 162 + # define EVP_R_PBKDF2_ERROR 181 + # define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179 + # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 + # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146 + # define EVP_R_PUBLIC_KEY_NOT_RSA 106 +-# define EVP_R_TOO_LARGE 201 ++# define EVP_R_TOO_LARGE 186 + # define EVP_R_UNKNOWN_CIPHER 160 + # define EVP_R_UNKNOWN_DIGEST 161 + # define EVP_R_UNKNOWN_OPTION 169 +@@ -208,7 +208,6 @@ int ERR_load_EVP_strings(void); + # define EVP_R_UNSUPPORTED_SALT_TYPE 126 + # define EVP_R_WRAP_MODE_NOT_ALLOWED 170 + # define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109 +-# define EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE 191 +-# define EVP_R_XTS_DUPLICATED_KEYS 192 ++# define EVP_R_XTS_DUPLICATED_KEYS 183 + + #endif +--- a/include/openssl/rsaerr.h ++++ b/include/openssl/rsaerr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -11,9 +11,7 @@ + #ifndef HEADER_RSAERR_H + # define HEADER_RSAERR_H + +-# ifndef HEADER_SYMHACKS_H +-# include +-# endif ++# include + + # ifdef __cplusplus + extern "C" +@@ -25,7 +23,7 @@ int ERR_load_RSA_strings(void); + */ + # define RSA_F_CHECK_PADDING_MD 140 + # define RSA_F_ENCODE_PKCS1 146 +-# define RSA_F_FIPS_RSA_BUILTIN_KEYGEN 206 ++# define RSA_F_FIPS_RSA_BUILTIN_KEYGEN 168 + # define RSA_F_INT_RSA_VERIFY 145 + # define RSA_F_OLD_RSA_PRIV_DECODE 147 + # define RSA_F_PKEY_PSS_INIT 165 +@@ -40,8 +38,8 @@ int ERR_load_RSA_strings(void); + # define RSA_F_RSA_CHECK_KEY_EX 160 + # define RSA_F_RSA_CMS_DECRYPT 159 + # define RSA_F_RSA_CMS_VERIFY 158 +-# define RSA_F_RSA_GENERATE_KEY_EX 204 +-# define RSA_F_RSA_GENERATE_MULTI_PRIME_KEY 207 ++# define RSA_F_RSA_GENERATE_KEY_EX 169 ++# define RSA_F_RSA_GENERATE_MULTI_PRIME_KEY 170 + # define RSA_F_RSA_ITEM_VERIFY 148 + # define RSA_F_RSA_METH_DUP 161 + # define RSA_F_RSA_METH_NEW 162 +@@ -77,18 +75,18 @@ int ERR_load_RSA_strings(void); + # define RSA_F_RSA_PARAM_DECODE 164 + # define RSA_F_RSA_PRINT 115 + # define RSA_F_RSA_PRINT_FP 116 ++# define RSA_F_RSA_PRIVATE_DECRYPT 171 ++# define RSA_F_RSA_PRIVATE_ENCRYPT 172 + # define RSA_F_RSA_PRIV_DECODE 150 + # define RSA_F_RSA_PRIV_ENCODE 138 +-# define RSA_F_RSA_PRIVATE_DECRYPT 200 +-# define RSA_F_RSA_PRIVATE_ENCRYPT 201 + # define RSA_F_RSA_PSS_GET_PARAM 151 + # define RSA_F_RSA_PSS_TO_CTX 155 ++# define RSA_F_RSA_PUBLIC_DECRYPT 173 ++# define RSA_F_RSA_PUBLIC_ENCRYPT 174 + # define RSA_F_RSA_PUB_DECODE 139 +-# define RSA_F_RSA_PUBLIC_DECRYPT 202 +-# define RSA_F_RSA_PUBLIC_ENCRYPT 203 + # define RSA_F_RSA_SETUP_BLINDING 136 +-# define RSA_F_RSA_SET_DEFAULT_METHOD 205 +-# define RSA_F_RSA_SET_METHOD 204 ++# define RSA_F_RSA_SET_DEFAULT_METHOD 175 ++# define RSA_F_RSA_SET_METHOD 176 + # define RSA_F_RSA_SIGN 117 + # define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118 + # define RSA_F_RSA_VERIFY 119 +@@ -139,19 +137,19 @@ int ERR_load_RSA_strings(void); + # define RSA_R_KEY_PRIME_NUM_INVALID 165 + # define RSA_R_KEY_SIZE_TOO_SMALL 120 + # define RSA_R_LAST_OCTET_INVALID 134 +-# define RSA_R_MISSING_PRIVATE_KEY 179 + # define RSA_R_MGF1_DIGEST_NOT_ALLOWED 152 ++# define RSA_R_MISSING_PRIVATE_KEY 179 + # define RSA_R_MODULUS_TOO_LARGE 105 + # define RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R 168 + # define RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D 169 + # define RSA_R_MP_R_NOT_PRIME 170 ++# define RSA_R_NON_FIPS_RSA_METHOD 171 + # define RSA_R_NO_PUBLIC_EXPONENT 140 +-# define RSA_R_NON_FIPS_RSA_METHOD 200 + # define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 + # define RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES 172 + # define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 + # define RSA_R_OAEP_DECODING_ERROR 121 +-# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 201 ++# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 173 + # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 + # define RSA_R_PADDING_CHECK_FAILED 114 + # define RSA_R_PKCS_DECODING_ERROR 159 +@@ -171,7 +169,7 @@ int ERR_load_RSA_strings(void); + # define RSA_R_UNSUPPORTED_LABEL_SOURCE 163 + # define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153 + # define RSA_R_UNSUPPORTED_MASK_PARAMETER 154 +-# define RSA_R_UNSUPPORTED_PARAMETERS 202 ++# define RSA_R_UNSUPPORTED_PARAMETERS 174 + # define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155 + # define RSA_R_VALUE_MISSING 147 + # define RSA_R_WRONG_SIGNATURE_LENGTH 119 diff --git a/openssl-1_1-ossl-sli-003-add-sli.patch b/openssl-1_1-ossl-sli-003-add-sli.patch new file mode 100644 index 0000000..5509b3d --- /dev/null +++ b/openssl-1_1-ossl-sli-003-add-sli.patch @@ -0,0 +1,3333 @@ +--- + crypto/cmac/cm_pmeth.c | 5 + crypto/cmac/cmac.c | 16 + crypto/dh/dh_pmeth.c | 4 + crypto/dsa/dsa_pmeth.c | 5 + crypto/ec/ec_pmeth.c | 13 + crypto/ec/ecx_meth.c | 2 + crypto/evp/digest.c | 2 + crypto/evp/e_aes.c | 70 +++ + crypto/evp/evp_enc.c | 3 + crypto/evp/evp_local.h | 4 + crypto/evp/kdf_lib.c | 11 + crypto/evp/m_sigver.c | 54 ++ + crypto/evp/p5_crpt2.c | 38 + + crypto/evp/p_open.c | 3 + crypto/evp/p_seal.c | 3 + crypto/evp/p_sign.c | 5 + crypto/evp/p_verify.c | 4 + crypto/evp/pkey_kdf.c | 5 + crypto/evp/pmeth_lib.c | 2 + crypto/fips/build.info | 2 + crypto/fips/fips_sli.c | 371 ++++++++++++++++ + crypto/hmac/hm_pmeth.c | 5 + crypto/hmac/hmac.c | 49 +- + crypto/hmac/hmac_local.h | 4 + crypto/kdf/hkdf.c | 8 + crypto/kdf/pbkdf2.c | 14 + crypto/kdf/scrypt.c | 7 + crypto/kdf/sshkdf.c | 13 + crypto/kdf/tls1_prf.c | 12 + crypto/poly1305/poly1305_pmeth.c | 4 + crypto/rand/rand_lib.c | 12 + crypto/rsa/rsa_pmeth.c | 61 ++ + crypto/sha/sha1_one.c | 5 + crypto/siphash/siphash_pmeth.c | 4 + crypto/sm2/sm2_pmeth.c | 5 + doc/man3/FIPS_service_level_indicator.pod | 110 +++++ + include/crypto/evp.h | 5 + include/crypto/fipserr.h | 121 +++++ + include/internal/fips_sli_local.h | 96 ++++ + include/openssl/fips_sli.h | 32 + + test/build.info | 6 + test/fips_slitest.c | 659 ++++++++++++++++++++++++++++++ + test/fips_slitest_helper.c | 489 ++++++++++++++++++++++ + test/fips_slitest_helper.h | 29 + + test/recipes/30-test_fips_sli.t | 4 + util/libcrypto.num | 11 + 46 files changed, 2345 insertions(+), 42 deletions(-) + +--- a/crypto/cmac/cm_pmeth.c ++++ b/crypto/cmac/cm_pmeth.c +@@ -72,7 +72,10 @@ static int cmac_signctx_init(EVP_PKEY_CT + static int cmac_signctx(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, + EVP_MD_CTX *mctx) + { +- return CMAC_Final(ctx->data, sig, siglen); ++ const int r = CMAC_Final(ctx->data, sig, siglen); ++ if (!fips_sli_is_approved_CMAC_CTX(ctx->data)) ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++ return r; + } + + static int pkey_cmac_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) +--- a/crypto/cmac/cmac.c ++++ b/crypto/cmac/cmac.c +@@ -13,6 +13,7 @@ + #include "internal/cryptlib.h" + #include + #include ++#include "internal/fips_sli_local.h" + + struct CMAC_CTX_st { + /* Cipher context to use */ +@@ -26,8 +27,11 @@ struct CMAC_CTX_st { + unsigned char last_block[EVP_MAX_BLOCK_LENGTH]; + /* Number of bytes in last block: -1 means context not initialised */ + int nlast_block; ++ FIPS_STATUS sli; /* Service Level Indicator */ + }; + ++fips_sli_define_for(CMAC_CTX) ++ + /* Make temporary keys K1 and K2 */ + + static void make_kn(unsigned char *k1, const unsigned char *l, int bl) +@@ -62,6 +66,7 @@ CMAC_CTX *CMAC_CTX_new(void) + + void CMAC_CTX_cleanup(CMAC_CTX *ctx) + { ++ ctx->sli = FIPS_UNSET; + EVP_CIPHER_CTX_reset(ctx->cctx); + OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH); + OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH); +@@ -97,6 +102,7 @@ int CMAC_CTX_copy(CMAC_CTX *out, const C + memcpy(out->tbl, in->tbl, bl); + memcpy(out->last_block, in->last_block, bl); + out->nlast_block = in->nlast_block; ++ out->sli = in->sli; + return 1; + } + +@@ -104,6 +110,7 @@ int CMAC_Init(CMAC_CTX *ctx, const void + const EVP_CIPHER *cipher, ENGINE *impl) + { + static const unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH] = { 0 }; ++ ctx->sli = FIPS_UNSET; + /* All zeros means restart */ + if (!key && !cipher && !impl && keylen == 0) { + /* Not initialised */ +@@ -215,6 +222,15 @@ int CMAC_Final(CMAC_CTX *ctx, unsigned c + OPENSSL_cleanse(out, bl); + return 0; + } ++ switch (EVP_CIPHER_nid(EVP_CIPHER_CTX_cipher(ctx->cctx))) { ++ case NID_aes_128_cbc: ++ case NID_aes_192_cbc: ++ case NID_aes_256_cbc: ++ fips_sli_approve_CMAC_CTX(ctx); ++ break; ++ default: ++ fips_sli_disapprove_CMAC_CTX(ctx); ++ } + return 1; + } + +--- a/crypto/dh/dh_pmeth.c ++++ b/crypto/dh/dh_pmeth.c +@@ -466,6 +466,8 @@ static int pkey_dh_derive(EVP_PKEY_CTX * + if (ret < 0) + return ret; + *keylen = ret; ++ fips_sli_check_key_dh_EVP_PKEY_CTX(ctx, ctx->peerkey->pkey.dh); ++ fips_sli_check_key_dh_EVP_PKEY_CTX(ctx, dh); + return 1; + } + #ifndef OPENSSL_NO_CMS +@@ -493,6 +495,8 @@ static int pkey_dh_derive(EVP_PKEY_CTX * + dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md)) + goto err; + *keylen = dctx->kdf_outlen; ++ fips_sli_check_key_dh_EVP_PKEY_CTX(ctx, ctx->peerkey->pkey.dh); ++ fips_sli_check_key_dh_EVP_PKEY_CTX(ctx, dh); + ret = 1; + err: + OPENSSL_clear_free(Z, Zlen); +--- a/crypto/dsa/dsa_pmeth.c ++++ b/crypto/dsa/dsa_pmeth.c +@@ -77,6 +77,8 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *c + DSA_PKEY_CTX *dctx = ctx->data; + DSA *dsa = ctx->pkey->pkey.dsa; + ++ fips_sli_check_key_dsa_siggen_EVP_PKEY_CTX(ctx, dsa); ++ + if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) + return 0; + +@@ -96,6 +98,8 @@ static int pkey_dsa_verify(EVP_PKEY_CTX + DSA_PKEY_CTX *dctx = ctx->data; + DSA *dsa = ctx->pkey->pkey.dsa; + ++ fips_sli_check_key_dsa_sigver_EVP_PKEY_CTX(ctx, dsa); ++ + if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) + return 0; + +@@ -224,6 +228,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT + static int pkey_dsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) + { + DSA *dsa = NULL; ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + + if (ctx->pkey == NULL) { + DSAerr(DSA_F_PKEY_DSA_KEYGEN, DSA_R_NO_PARAMETERS_SET); +--- a/crypto/ec/ec_pmeth.c ++++ b/crypto/ec/ec_pmeth.c +@@ -122,6 +122,7 @@ static int pkey_ec_sign(EVP_PKEY_CTX *ct + + type = (dctx->md != NULL) ? EVP_MD_type(dctx->md) : NID_sha1; + ++ fips_sli_check_curve_siggen_EVP_PKEY_CTX(ctx, EC_KEY_get0_group(ec)); + ret = ECDSA_sign(type, tbs, tbslen, sig, &sltmp, ec); + + if (ret <= 0) +@@ -143,6 +144,7 @@ static int pkey_ec_verify(EVP_PKEY_CTX * + else + type = NID_sha1; + ++ fips_sli_check_curve_sigver_EVP_PKEY_CTX(ctx, EC_KEY_get0_group(ec)); + ret = ECDSA_verify(type, tbs, tbslen, sig, siglen, ec); + + return ret; +@@ -182,6 +184,8 @@ static int pkey_ec_derive(EVP_PKEY_CTX * + if (ret <= 0) + return 0; + *keylen = ret; ++ fips_sli_check_key_ecdh_EVP_PKEY_CTX(ctx, eckey); ++ fips_sli_check_key_ecdh_EVP_PKEY_CTX(ctx, ctx->peerkey->pkey.ec); + return 1; + } + +@@ -208,6 +212,8 @@ static int pkey_ec_kdf_derive(EVP_PKEY_C + } + if (!pkey_ec_derive(ctx, ktmp, &ktmplen)) + goto err; ++ /* ANSI-X9.63-KDF (X9_62) is FIPS-approved, but we don't have a selftest */ ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + /* Do KDF stuff */ + if (!ecdh_KDF_X9_63(key, *keylen, ktmp, ktmplen, + dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md)) +@@ -433,7 +439,12 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * + else + ret = EC_KEY_set_group(ec, dctx->gen_group); + +- return ret ? EC_KEY_generate_key(ec) : 0; ++ if (ret) { ++ fips_sli_check_key_ec_keygen_EVP_PKEY_CTX(ctx, ec); ++ return EC_KEY_generate_key(ec); ++ } else { ++ return 0; ++ } + } + + static const EVP_PKEY_METHOD ec_pkey_meth = { +--- a/crypto/ec/ecx_meth.c ++++ b/crypto/ec/ecx_meth.c +@@ -691,6 +691,7 @@ static int pkey_ecx_derive25519(EVP_PKEY + && X25519(key, privkey, pubkey) == 0)) + return 0; + *keylen = X25519_KEYLEN; ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return 1; + } + +@@ -704,6 +705,7 @@ static int pkey_ecx_derive448(EVP_PKEY_C + && X448(key, privkey, pubkey) == 0)) + return 0; + *keylen = X448_KEYLEN; ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return 1; + } + +--- a/crypto/evp/digest.c ++++ b/crypto/evp/digest.c +@@ -40,6 +40,7 @@ int EVP_MD_CTX_reset(EVP_MD_CTX *ctx) + if (ctx == NULL) + return 1; + ++ ctx->sli = FIPS_UNSET; + /* + * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because + * sometimes only copies of the context are ever finalised. +@@ -80,6 +81,7 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons + int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) + { + EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED); ++ ctx->sli = FIPS_UNSET; + #ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED); +--- a/crypto/evp/e_aes.c ++++ b/crypto/evp/e_aes.c +@@ -4303,3 +4303,73 @@ BLOCK_CIPHER_custom(NID_aes, 192, 16, 12 + BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB, + EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) + #endif /* OPENSSL_NO_OCB */ ++ ++/* Use an explicit whitelist here (due to the number of ciphers and modes) */ ++FIPS_STATUS EVP_CIPHER_get_fips_status(const EVP_CIPHER *cipher) { ++ /* switch on pointers is not entirely portable */ ++ if (cipher->do_cipher == aes_cbc_cipher ++ || cipher->do_cipher == aes_ecb_cipher ++ || cipher->do_cipher == aes_xts_cipher ++ || cipher->do_cipher == aes_ofb_cipher ++ || cipher->do_cipher == aes_cfb_cipher ++ || cipher->do_cipher == aes_cfb1_cipher ++ || cipher->do_cipher == aes_cfb8_cipher ++ || cipher->do_cipher == aes_ctr_cipher ++ || cipher->do_cipher == aes_gcm_cipher ++ || cipher->do_cipher == aes_gcm_tls_cipher ++ || cipher->do_cipher == aes_ccm_cipher ++ #if defined(OPENSSL_CPUID_OBJ) && ( \ ++ ((defined(__i386) || defined(__i386__) || defined(_M_IX86))\ ++ && defined(OPENSSL_IA32_SSE2)) \ ++ || defined(__x86_64) || defined(__x86_64__) \ ++ || defined(_M_AMD64) || defined(_M_X64)) ++ || cipher->do_cipher == aesni_cbc_cipher /* AES-NI */ ++ || cipher->do_cipher == aesni_ecb_cipher ++ || cipher->do_cipher == aesni_xts_cipher ++ || cipher->do_cipher == aesni_ofb_cipher ++ || cipher->do_cipher == aesni_cfb_cipher ++ || cipher->do_cipher == aesni_cfb1_cipher ++ || cipher->do_cipher == aesni_cfb8_cipher ++ || cipher->do_cipher == aesni_ctr_cipher ++ || cipher->do_cipher == aesni_gcm_cipher ++ || cipher->do_cipher == aesni_ccm_cipher ++ #elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__) ++ || cipher->do_cipher == s390x_aes_cbc_cipher /* System/390 */ ++ || cipher->do_cipher == s390x_aes_ecb_cipher ++ || cipher->do_cipher == s390x_aes_xts_cipher ++ || cipher->do_cipher == s390x_aes_ofb_cipher ++ || cipher->do_cipher == s390x_aes_cfb_cipher ++ || cipher->do_cipher == s390x_aes_cfb1_cipher ++ || cipher->do_cipher == s390x_aes_cfb8_cipher ++ || cipher->do_cipher == s390x_aes_ctr_cipher ++ || cipher->do_cipher == s390x_aes_gcm_cipher ++ || cipher->do_cipher == s390x_aes_gcm_tls_cipher ++ || cipher->do_cipher == s390x_aes_ccm_cipher ++ #endif ++ || cipher->do_cipher == aes_wrap_cipher /* key wrapping */ ++ ) { ++ switch (EVP_CIPHER_key_length(cipher) * 8) { ++ case 128: ++ case 192: ++ if (cipher->do_cipher == aes_xts_cipher ++ #if defined(OPENSSL_CPUID_OBJ) && ( \ ++ ((defined(__i386) || defined(__i386__) || defined(_M_IX86))\ ++ && defined(OPENSSL_IA32_SSE2)) \ ++ || defined(__x86_64) || defined(__x86_64__) \ ++ || defined(_M_AMD64) || defined(_M_X64)) ++ || cipher->do_cipher == aesni_xts_cipher ++ #elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__) ++ || cipher->do_cipher == s390x_aes_xts_cipher ++ #endif ++ ) ++ return FIPS_NONAPPROVED; ++ /* intended fall-through */ ++ case 256: ++ return FIPS_APPROVED; ++ } ++ } ++ /* disapproved for enc and dec: all others, including ++ * 3DES and AES modes ++ * aes_ocb_cipher */ ++ return FIPS_NONAPPROVED; ++} +--- a/crypto/evp/evp_enc.c ++++ b/crypto/evp/evp_enc.c +@@ -32,6 +32,7 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX + #endif + if (c == NULL) + return 1; ++ c->sli = FIPS_UNSET; + if (c->cipher != NULL) { + if (c->cipher->cleanup && !c->cipher->cleanup(c)) + return 0; +@@ -116,6 +117,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct + /* Restore encrypt and flags */ + ctx->encrypt = enc; + ctx->flags = flags; ++ ctx->sli = FIPS_UNSET; + } + #ifndef OPENSSL_NO_ENGINE + if (impl) { +@@ -237,6 +239,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct + ctx->buf_len = 0; + ctx->final_used = 0; + ctx->block_mask = ctx->cipher->block_size - 1; ++ fips_sli_check_cipher_EVP_CIPHER_CTX(ctx, ctx->cipher); + return 1; + } + +--- a/crypto/evp/evp_local.h ++++ b/crypto/evp/evp_local.h +@@ -1,3 +1,4 @@ ++#include "internal/fips_sli_local.h" + /* + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. + * +@@ -19,6 +20,7 @@ struct evp_md_ctx_st { + EVP_PKEY_CTX *pctx; + /* Update function: usually copied from EVP_MD */ + int (*update) (EVP_MD_CTX *ctx, const void *data, size_t count); ++ FIPS_STATUS sli; /* Service Level Indicator */ + } /* EVP_MD_CTX */ ; + + struct evp_cipher_ctx_st { +@@ -39,11 +41,13 @@ struct evp_cipher_ctx_st { + int final_used; + int block_mask; + unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */ ++ FIPS_STATUS sli; /* Service Level Indicator */ + } /* EVP_CIPHER_CTX */ ; + + struct evp_kdf_ctx_st { + const EVP_KDF_METHOD *kmeth; + EVP_KDF_IMPL *impl; /* Algorithm-specific data */ ++ FIPS_STATUS sli; /* Service Level Indicator */ + } /* EVP_KDF_CTX */ ; + + int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, +--- a/crypto/evp/kdf_lib.c ++++ b/crypto/evp/kdf_lib.c +@@ -17,6 +17,7 @@ + #include + #include "crypto/asn1.h" + #include "crypto/evp.h" ++#include "internal/fips_sli_local.h" + #include "internal/numbers.h" + #include "evp_local.h" + +@@ -82,6 +83,7 @@ EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id) + } + + ret->kmeth = kmeth; ++ ret->sli = FIPS_UNSET; + return ret; + } + +@@ -101,6 +103,7 @@ void EVP_KDF_reset(EVP_KDF_CTX *ctx) + + if (ctx->kmeth->reset != NULL) + ctx->kmeth->reset(ctx->impl); ++ ctx->sli = FIPS_UNSET; + } + + int EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...) +@@ -161,6 +164,12 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns + if (ctx == NULL) + return 0; + +- return ctx->kmeth->derive(ctx->impl, key, keylen); ++ int ret = ctx->kmeth->derive(ctx->impl, key, keylen); ++ if (ctx->kmeth->fips_sli_is_approved(ctx->impl)) ++ fips_sli_approve_EVP_KDF_CTX(ctx); ++ else ++ fips_sli_disapprove_EVP_KDF_CTX(ctx); ++ ++ return ret; + } + +--- a/crypto/evp/m_sigver.c ++++ b/crypto/evp/m_sigver.c +@@ -105,15 +105,21 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, + if (pctx->pmeth->flags & EVP_PKEY_FLAG_SIGCTX_CUSTOM) { + if (!sigret) + return pctx->pmeth->signctx(pctx, sigret, siglen, ctx); +- if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) ++ if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) { + r = pctx->pmeth->signctx(pctx, sigret, siglen, ctx); +- else { ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(pctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); ++ } else { + EVP_PKEY_CTX *dctx = EVP_PKEY_CTX_dup(ctx->pctx); + if (!dctx) + return 0; + r = dctx->pmeth->signctx(dctx, sigret, siglen, ctx); ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(dctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); + EVP_PKEY_CTX_free(dctx); + } ++ /* stricter than necessary, ctx->digest might be set but unused */ ++ fips_sli_check_hash_siggen_EVP_MD_CTX(ctx, ctx->digest); + return r; + } + if (pctx->pmeth->signctx) +@@ -124,8 +130,11 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int mdlen = 0; + if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) { +- if (sctx) ++ if (sctx) { + r = ctx->pctx->pmeth->signctx(ctx->pctx, sigret, siglen, ctx); ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(ctx->pctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); ++ } + else + r = EVP_DigestFinal_ex(ctx, md, &mdlen); + } else { +@@ -136,16 +145,25 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, + EVP_MD_CTX_free(tmp_ctx); + return 0; + } +- if (sctx) ++ if (sctx) { + r = tmp_ctx->pctx->pmeth->signctx(tmp_ctx->pctx, + sigret, siglen, tmp_ctx); ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(tmp_ctx->pctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); ++ } + else + r = EVP_DigestFinal_ex(tmp_ctx, md, &mdlen); + EVP_MD_CTX_free(tmp_ctx); + } ++ /* stricter than necessary, ctx->digest might be set but unused */ ++ fips_sli_check_hash_siggen_EVP_MD_CTX(ctx, ctx->digest); ++ + if (sctx || !r) + return r; +- if (EVP_PKEY_sign(ctx->pctx, sigret, siglen, md, mdlen) <= 0) ++ r = EVP_PKEY_sign(ctx->pctx, sigret, siglen, md, mdlen); ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(ctx->pctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); ++ if (r <= 0) + return 0; + } else { + if (sctx) { +@@ -163,8 +181,12 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, + int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, + const unsigned char *tbs, size_t tbslen) + { +- if (ctx->pctx->pmeth->digestsign != NULL) ++ if (ctx->pctx->pmeth->digestsign != NULL) { ++ /* digestsign is only used for ed25519 and ed448 signatures, so should ++ * be safe to disapprove it completely */ ++ fips_sli_disapprove_EVP_MD_CTX(ctx); + return ctx->pctx->pmeth->digestsign(ctx, sigret, siglen, tbs, tbslen); ++ } + if (sigret != NULL && EVP_DigestSignUpdate(ctx, tbs, tbslen) <= 0) + return 0; + return EVP_DigestSignFinal(ctx, sigret, siglen); +@@ -178,9 +200,14 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct + unsigned int mdlen = 0; + int vctx = 0; + +- if (ctx->pctx->pmeth->verifyctx) ++ fips_sli_check_hash_sigver_EVP_MD_CTX(ctx, EVP_MD_CTX_md(ctx)); ++ ++ if (ctx->pctx->pmeth->verifyctx) { + vctx = 1; +- else ++ /* verifyctx seems to be unused by openssl, so should be safe to ++ * disapprove it */ ++ fips_sli_disapprove_EVP_MD_CTX(ctx); ++ } else + vctx = 0; + if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) { + if (vctx) +@@ -204,14 +231,21 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct + } + if (vctx || !r) + return r; +- return EVP_PKEY_verify(ctx->pctx, sig, siglen, md, mdlen); ++ const int res = EVP_PKEY_verify(ctx->pctx, sig, siglen, md, mdlen); ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(ctx->pctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); ++ return res; + } + + int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, + size_t siglen, const unsigned char *tbs, size_t tbslen) + { +- if (ctx->pctx->pmeth->digestverify != NULL) ++ if (ctx->pctx->pmeth->digestverify != NULL) { ++ /* digestverify is only used for ed25519 and ed448 signatures, so should ++ * be safe to disapprove it completely */ ++ fips_sli_disapprove_EVP_MD_CTX(ctx); + return ctx->pctx->pmeth->digestverify(ctx, sigret, siglen, tbs, tbslen); ++ } + if (EVP_DigestVerifyUpdate(ctx, tbs, tbslen) <= 0) + return -1; + return EVP_DigestVerifyFinal(ctx, sigret, siglen); +--- a/crypto/evp/p5_crpt2.c ++++ b/crypto/evp/p5_crpt2.c +@@ -10,6 +10,7 @@ + #include + #include + #include "internal/cryptlib.h" ++#include "internal/fips_sli_local.h" + #include + #include + #include +@@ -24,13 +25,13 @@ + static void h__dump(const unsigned char *p, int len); + #endif + +-int PKCS5_PBKDF2_HMAC(const char *pass, int passlen, ++static int PKCS5_PBKDF2_HMAC_internal(const char *pass, int passlen, + const unsigned char *salt, int saltlen, int iter, +- const EVP_MD *digest, int keylen, unsigned char *out) ++ const EVP_MD *digest, int keylen, unsigned char *out, ++ EVP_KDF_CTX *kctx) + { + const char *empty = ""; + int rv = 1; +- EVP_KDF_CTX *kctx; + + /* Keep documented behaviour. */ + if (pass == NULL) { +@@ -42,9 +43,6 @@ int PKCS5_PBKDF2_HMAC(const char *pass, + if (salt == NULL && saltlen == 0) + salt = (unsigned char *)empty; + +- kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2); +- if (kctx == NULL) +- return 0; + if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, pass, (size_t)passlen) != 1 + || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, + salt, (size_t)saltlen) != 1 +@@ -53,8 +51,6 @@ int PKCS5_PBKDF2_HMAC(const char *pass, + || EVP_KDF_derive(kctx, out, keylen) != 1) + rv = 0; + +- EVP_KDF_CTX_free(kctx); +- + # ifdef OPENSSL_DEBUG_PKCS5V2 + fprintf(stderr, "Password:\n"); + h__dump(pass, passlen); +@@ -67,6 +63,32 @@ int PKCS5_PBKDF2_HMAC(const char *pass, + return rv; + } + ++int PKCS5_PBKDF2_HMAC(const char *pass, int passlen, ++ const unsigned char *salt, int saltlen, int iter, ++ const EVP_MD *digest, int keylen, unsigned char *out) ++{ ++ EVP_KDF_CTX *kctx; ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2); ++ if (kctx == NULL) ++ return 0; ++ int ret = PKCS5_PBKDF2_HMAC_internal(pass, passlen, salt, saltlen, iter, digest, keylen, out, kctx); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ ++int fips_sli_PKCS5_PBKDF2_HMAC_is_approved(const char *pass, int passlen, ++ const unsigned char *salt, int saltlen, int iter, ++ const EVP_MD *digest, int keylen, unsigned char *out) ++{ ++ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2); ++ if (kctx == NULL) ++ return 0; ++ PKCS5_PBKDF2_HMAC_internal(pass, passlen, salt, saltlen, iter, digest, keylen, out, kctx); ++ int ret = fips_sli_is_approved_EVP_KDF_CTX(kctx); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ + int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, + const unsigned char *salt, int saltlen, int iter, + int keylen, unsigned char *out) +--- a/crypto/evp/p_open.c ++++ b/crypto/evp/p_open.c +@@ -8,6 +8,7 @@ + */ + + #include "internal/cryptlib.h" ++#include "internal/fips_sli_local.h" + #ifdef OPENSSL_NO_RSA + NON_EMPTY_TRANSLATION_UNIT + #else +@@ -47,6 +48,8 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, co + goto err; + } + ++ // EVP_PKEY_decrypt_old always uses RSA dec ++ fips_sli_disapprove_EVP_CIPHER_CTX(ctx); + i = EVP_PKEY_decrypt_old(key, ek, ekl, priv); + if ((i <= 0) || !EVP_CIPHER_CTX_set_key_length(ctx, i)) { + /* ERROR */ +--- a/crypto/evp/p_seal.c ++++ b/crypto/evp/p_seal.c +@@ -9,6 +9,7 @@ + + #include + #include "internal/cryptlib.h" ++#include "internal/fips_sli_local.h" + #include + #include + #include +@@ -44,6 +45,8 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, co + ekl[i] = + EVP_PKEY_encrypt_old(ek[i], key, EVP_CIPHER_CTX_key_length(ctx), + pubk[i]); ++ // EVP_PKEY_encrypt_old always uses RSA encryption ++ fips_sli_disapprove_EVP_CIPHER_CTX(ctx); + if (ekl[i] <= 0) { + rv = -1; + goto err; +--- a/crypto/evp/p_sign.c ++++ b/crypto/evp/p_sign.c +@@ -23,6 +23,8 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig + size_t sltmp; + EVP_PKEY_CTX *pkctx = NULL; + ++ fips_sli_check_hash_sigver_EVP_MD_CTX(ctx, EVP_MD_CTX_md(ctx)); ++ + *siglen = 0; + if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_FINALISE)) { + if (!EVP_DigestFinal_ex(ctx, m, &m_len)) +@@ -37,6 +39,7 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig + rv = EVP_MD_CTX_copy_ex(tmp_ctx, ctx); + if (rv) + rv = EVP_DigestFinal_ex(tmp_ctx, m, &m_len); ++ + EVP_MD_CTX_free(tmp_ctx); + if (!rv) + return 0; +@@ -53,6 +56,8 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig + goto err; + if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0) + goto err; ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(pkctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); + *siglen = sltmp; + i = 1; + err: +--- a/crypto/evp/p_verify.c ++++ b/crypto/evp/p_verify.c +@@ -22,6 +22,8 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con + int i = 0; + EVP_PKEY_CTX *pkctx = NULL; + ++ fips_sli_check_hash_sigver_EVP_MD_CTX(ctx, EVP_MD_CTX_md(ctx)); ++ + if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_FINALISE)) { + if (!EVP_DigestFinal_ex(ctx, m, &m_len)) + goto err; +@@ -49,6 +51,8 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con + if (EVP_PKEY_CTX_set_signature_md(pkctx, EVP_MD_CTX_md(ctx)) <= 0) + goto err; + i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len); ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(pkctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); + err: + EVP_PKEY_CTX_free(pkctx); + return i; +--- a/crypto/evp/pkey_kdf.c ++++ b/crypto/evp/pkey_kdf.c +@@ -158,7 +158,10 @@ static int pkey_kdf_derive(EVP_PKEY_CTX + if (key == NULL) + return 1; + } +- return EVP_KDF_derive(kctx, key, *keylen); ++ int ret = EVP_KDF_derive(kctx, key, *keylen); ++ if (!fips_sli_is_approved_EVP_KDF_CTX(kctx)) ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++ return ret; + } + + #ifndef OPENSSL_NO_SCRYPT +--- a/crypto/evp/pmeth_lib.c ++++ b/crypto/evp/pmeth_lib.c +@@ -162,6 +162,7 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKE + EVPerr(EVP_F_INT_CTX_NEW, ERR_R_MALLOC_FAILURE); + return NULL; + } ++ ret->sli = FIPS_UNSET; + ret->engine = e; + ret->pmeth = pmeth; + ret->operation = EVP_PKEY_OP_UNDEFINED; +@@ -299,6 +300,7 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_ + rctx->data = NULL; + rctx->app_data = NULL; + rctx->operation = pctx->operation; ++ rctx->sli = pctx->sli; + + if (pctx->pmeth->copy(rctx, pctx) > 0) + return rctx; +--- a/crypto/fips/build.info ++++ b/crypto/fips/build.info +@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\ + fips_post.c drbgtest.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ + fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ +- fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c ++ fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c fips_sli.c + + PROGRAMS=\ + fips_standalone_hmac +--- /dev/null ++++ b/crypto/fips/fips_sli.c +@@ -0,0 +1,371 @@ ++#include ++#include ++#include ++#include "crypto/evp.h" ++#include "../evp/evp_local.h" ++#include "../hmac/hmac_local.h" ++#include "internal/fips_sli_local.h" ++ ++/* Main part of the FIPS Service Level Indicator ++ If you want to quickly change its behaviour, you most likely want to start here ++ - beware of some exceptions, though... */ ++ ++FIPS_STATUS fips_sli_fsm_transition(FIPS_STATUS state, FIPS_STATUS input) { ++ switch (state) { ++ case FIPS_UNSET: ++ switch (input) { ++ case FIPS_UNSET: /* ignore */ ++ return state; ++ case FIPS_APPROVED: ++ case FIPS_NONAPPROVED: ++ case FIPS_ERROR: ++ return input; ++ } ++ break; ++ case FIPS_APPROVED: ++ switch (input) { ++ case FIPS_UNSET: /* ignore */ ++ case FIPS_APPROVED: ++ return state; ++ case FIPS_NONAPPROVED: ++ case FIPS_ERROR: ++ return input; ++ } ++ break; ++ case FIPS_NONAPPROVED: ++ return state; ++ case FIPS_ERROR: ++ switch (input) { ++ case FIPS_UNSET: /* ignore */ ++ case FIPS_APPROVED: ++ case FIPS_ERROR: ++ return state; ++ case FIPS_NONAPPROVED: ++ return input; ++ } ++ } ++ abort(); ++} ++ ++fips_sli_define_for(EVP_CIPHER_CTX) ++fips_sli_define_for(EVP_KDF_CTX) ++fips_sli_define_for(EVP_MD_CTX) ++fips_sli_define_for(EVP_PKEY_CTX) ++fips_sli_define_for(HMAC_CTX) ++ ++typedef enum curve_usage_e { ++ CURVE_KEYGEN, ++ CURVE_SIGGEN, ++ CURVE_SIGVER, ++ CURVE_DH ++} CURVE_USAGE; ++ ++/* Check whether a curve is okay for some type of usage */ ++static FIPS_STATUS get_fips_curve_status(const EC_GROUP *group, CURVE_USAGE u) { ++ if (group == NULL) { ++ return FIPS_ERROR; ++ } ++ ++ switch (u) { ++ case CURVE_KEYGEN: ++ switch (EC_GROUP_get_curve_name(group)) { ++ /* ACVP-tested curves for keygen: */ ++ case NID_secp224r1: ++ /* SECG secp256r1 is the same as X9.62 prime256v1 (P-256) and hence omitted */ ++ case NID_X9_62_prime256v1: ++ case NID_secp384r1: ++ case NID_secp521r1: ++ return FIPS_APPROVED; ++ default: ++ return FIPS_NONAPPROVED; ++ } ++ case CURVE_SIGVER: ++ switch (EC_GROUP_get_curve_name(group)) { ++ case NID_X9_62_prime192v1: /* NIST P-192 */ ++ case NID_secp224r1: ++ /* SECG secp256r1 is the same as X9.62 prime256v1 (P-256) and hence omitted */ ++ case NID_X9_62_prime256v1: ++ case NID_secp384r1: ++ case NID_secp521r1: ++ /* nist k curves */ ++ case NID_sect233k1: ++ case NID_sect283k1: ++ case NID_sect409k1: ++ case NID_sect571k1: ++ /* nist b curves */ ++ case NID_sect233r1: ++ case NID_sect283r1: ++ case NID_sect409r1: ++ case NID_sect571r1: ++ return FIPS_APPROVED; ++ default: ++ return FIPS_NONAPPROVED; ++ } ++ case CURVE_SIGGEN: ++ case CURVE_DH: ++ switch (EC_GROUP_get_curve_name(group)) { ++ /* see crypto/ec/ec_curve.c:2800 */ ++ /* nist P curves*/ ++ case NID_secp224r1: ++ /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ ++ case NID_X9_62_prime256v1: ++ case NID_secp384r1: ++ case NID_secp521r1: ++ return FIPS_APPROVED; ++ default: ++ return FIPS_NONAPPROVED; ++ } ++ } ++ return FIPS_NONAPPROVED; ++} ++ ++#define make_fips_sli_check_curve(CTXTYPE, fn, usage) \ ++void fips_sli_check_curve_##fn##_##CTXTYPE(CTXTYPE *ctx, const EC_GROUP *group)\ ++{ \ ++ fips_sli_fsm_##CTXTYPE(ctx, get_fips_curve_status(group, usage)); \ ++} ++ ++make_fips_sli_check_curve(EVP_MD_CTX, siggen, CURVE_SIGGEN) ++make_fips_sli_check_curve(EVP_MD_CTX, sigver, CURVE_SIGVER) ++/* keygen missing because in this case we need more info than available here*/ ++make_fips_sli_check_curve(EVP_PKEY_CTX, siggen, CURVE_SIGGEN) ++make_fips_sli_check_curve(EVP_PKEY_CTX, sigver, CURVE_SIGVER) ++ ++typedef enum hash_usage_e { ++ HASH_SIGGEN, ++ HASH_SIGVER, ++ HASH_KDF_SSHKDF, ++ HASH_KDF_PBKDF2, ++ HASH_KDF_TLS, ++ HASH_RNG, ++ HASH_MAC ++} HASH_USAGE; ++ ++static FIPS_STATUS get_fips_hash_status(const EVP_MD *md, HASH_USAGE u) { ++ if (md == NULL) { ++ return FIPS_ERROR; ++ } ++ ++ switch (u) { ++ case HASH_KDF_TLS: ++ switch (EVP_MD_type(md)) { ++ case NID_sha256: /* TLSv1.2 */ ++ case NID_sha384: ++ case NID_sha512: ++ case NID_md5_sha1: /* used in TLS v1.0 / v1.1 */ ++ return FIPS_APPROVED; ++ default: ++ return FIPS_NONAPPROVED; ++ } ++ case HASH_KDF_PBKDF2: ++ case HASH_KDF_SSHKDF: ++ case HASH_MAC: ++ switch (EVP_MD_type(md)) { ++ case NID_sha1: ++ case NID_sha224: ++ case NID_sha256: ++ case NID_sha384: ++ case NID_sha512: ++ case NID_sha512_224: ++ case NID_sha512_256: ++ case NID_sha3_224: ++ case NID_sha3_256: ++ case NID_sha3_384: ++ case NID_sha3_512: ++ case NID_shake128: ++ case NID_shake256: ++ return FIPS_APPROVED; ++ default: ++ return FIPS_NONAPPROVED; ++ } ++ case HASH_RNG: ++ case HASH_SIGGEN: ++ case HASH_SIGVER: ++ switch (EVP_MD_type(md)) { ++ case NID_sha224: ++ case NID_sha256: ++ case NID_sha384: ++ case NID_sha512: ++ case NID_sha512_224: ++ case NID_sha512_256: ++ case NID_sha3_224: ++ case NID_sha3_256: ++ case NID_sha3_384: ++ case NID_sha3_512: ++ case NID_shake128: ++ case NID_shake256: ++ return FIPS_APPROVED; ++ default: ++ return FIPS_NONAPPROVED; ++ } ++ } ++ return FIPS_ERROR; ++} ++ ++#define make_fips_sli_check_hash(CTXTYPE, fn, usage) \ ++void fips_sli_check_hash_##fn##_##CTXTYPE(CTXTYPE *ctx, const EVP_MD *md) \ ++{ \ ++ fips_sli_fsm_##CTXTYPE(ctx, get_fips_hash_status(md, usage)); \ ++} ++ ++make_fips_sli_check_hash(EVP_MD_CTX, siggen, HASH_SIGGEN) ++make_fips_sli_check_hash(EVP_MD_CTX, sigver, HASH_SIGVER) ++make_fips_sli_check_hash(EVP_PKEY_CTX, siggen, HASH_SIGGEN) ++make_fips_sli_check_hash(EVP_PKEY_CTX, sigver, HASH_SIGVER) ++make_fips_sli_check_hash(HMAC_CTX, mac, HASH_MAC) ++/* KDF impl is a bit special - avoid changing everything just because of that */ ++FIPS_STATUS fips_sli_get_hash_status_sshkdf(const EVP_MD * md) { ++ return get_fips_hash_status(md, HASH_KDF_SSHKDF); ++} ++FIPS_STATUS fips_sli_get_hash_status_pbkdf2(const EVP_MD * md) { ++ return get_fips_hash_status(md, HASH_KDF_PBKDF2); ++} ++FIPS_STATUS fips_sli_get_hash_status_kdf_tls1_prf(const EVP_MD * md) { ++ return get_fips_hash_status(md, HASH_KDF_TLS); ++} ++ ++FIPS_STATUS fips_sli_get_kdf_keylen_status(size_t keylen_bytes) { ++ if (keylen_bytes >= 112/8) ++ return FIPS_APPROVED; ++ else ++ return FIPS_NONAPPROVED; ++} ++ ++void fips_sli_check_key_rsa_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) { ++ fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(ctx, rsa); ++} ++ ++void fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) { ++ if (RSA_bits(rsa) >= 2048) ++ fips_sli_approve_EVP_PKEY_CTX(ctx); ++ else ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++} ++ ++void fips_sli_check_key_rsa_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) { ++ const int len_n = RSA_bits(rsa); ++ ++ if (1024 <= len_n && len_n < 2048) ++ fips_sli_approve_EVP_PKEY_CTX(ctx); // legacy use ++ else if (2048 <= len_n) ++ fips_sli_approve_EVP_PKEY_CTX(ctx); ++ else ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++} ++ ++void fips_sli_check_key_rsa_enc_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) { ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++} ++ ++void fips_sli_check_key_rsa_dec_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) { ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++} ++ ++void fips_sli_check_key_dsa_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const DSA * dsa) { ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++} ++ ++void fips_sli_check_key_dsa_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const DSA * dsa) { ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++} ++ ++void fips_sli_check_key_dh_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const DH *dh) { ++ switch (DH_get_nid(dh)) { ++ /* RFC 3526 */ ++ case NID_modp_2048: ++ case NID_modp_3072: ++ case NID_modp_4096: ++ case NID_modp_6144: ++ case NID_modp_8192: ++ /* RFC 7919 */ ++ case NID_ffdhe2048: ++ case NID_ffdhe3072: ++ case NID_ffdhe4096: ++ case NID_ffdhe6144: ++ case NID_ffdhe8192: ++ fips_sli_approve_EVP_PKEY_CTX(ctx); ++ break; ++ default: ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++ } ++} ++ ++void fips_sli_check_key_ecdh_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_KEY *ecdh) { ++ fips_sli_fsm_EVP_PKEY_CTX(ctx, get_fips_curve_status(EC_KEY_get0_group(ecdh), CURVE_DH)); ++} ++ ++void fips_sli_check_cipher_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher) { ++ fips_sli_fsm_EVP_CIPHER_CTX(ctx, EVP_CIPHER_get_fips_status(cipher)); ++} ++ ++/** According to FIPS PUB 186-5. ++ * Not really helpful because nist P curves are the only allowed curves for ++ * KeyGen, and have h=1 anyway - but allow for future extensibility */ ++static FIPS_STATUS get_fips_keygen_ecdsa_order_status(const EC_KEY *ec) { ++ BN_CTX *ctx = BN_CTX_new(); ++ BIGNUM *pwr14, *pwr16, *pwr24, *pwr32; ++ const BIGNUM * cofactor = EC_GROUP_get0_cofactor(EC_KEY_get0_group(ec)); ++ const int n = EC_GROUP_order_bits(EC_KEY_get0_group(ec)); ++ FIPS_STATUS ret = FIPS_NONAPPROVED; ++ ++ if (ctx == NULL) { ++ ret = FIPS_ERROR; ++ goto end; ++ } ++ ++ BN_CTX_start(ctx); ++ pwr14 = BN_CTX_get(ctx); ++ pwr16 = BN_CTX_get(ctx); ++ pwr24 = BN_CTX_get(ctx); ++ pwr32 = BN_CTX_get(ctx); ++ if (pwr32 == NULL) { ++ /* Sufficient to check the return value of the last BN_CTX_get() */ ++ ret = FIPS_ERROR; ++ goto end; ++ } ++ BN_set_bit(pwr14, 14); ++ BN_set_bit(pwr16, 16); ++ BN_set_bit(pwr24, 24); ++ BN_set_bit(pwr32, 32); ++ ++ if (224 < n && n <= 255) { ++ if (BN_cmp(cofactor, pwr14) != 1) ++ ret = FIPS_APPROVED; ++ } else if (256 < n && n <= 383) { ++ if (BN_cmp(cofactor, pwr16) != 1) ++ ret = FIPS_APPROVED; ++ ++ } else if (384 < n && n <= 511) { ++ if (BN_cmp(cofactor, pwr24) != 1) ++ ret = FIPS_APPROVED; ++ ++ } else if (n >= 512) { ++ if (BN_cmp(cofactor, pwr32) != 1) ++ ret = FIPS_APPROVED; ++ } ++ ++end: ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ return ret; ++} ++ ++void fips_sli_check_key_ec_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, ++ const EC_KEY *ec) { ++ fips_sli_fsm_EVP_PKEY_CTX(ctx, get_fips_curve_status( ++ EC_KEY_get0_group(ec), CURVE_KEYGEN)); ++ fips_sli_fsm_EVP_PKEY_CTX(ctx, get_fips_keygen_ecdsa_order_status(ec)); ++} ++ ++/* MINOR: refactor for sign/verify, too. See crypto/rsa/rsa_pmeth.c */ ++static FIPS_STATUS get_fips_padding_rsa_encdec_status(int pad_mode/*,usg: enc/dec*/) { ++ return FIPS_NONAPPROVED; ++} ++ ++void fips_sli_check_padding_rsa_enc_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, int pad_mode) { ++ fips_sli_fsm_EVP_PKEY_CTX(ctx, get_fips_padding_rsa_encdec_status(pad_mode)); ++} ++ ++void fips_sli_check_padding_rsa_dec_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, int pad_mode) { ++ fips_sli_check_padding_rsa_enc_EVP_PKEY_CTX(ctx, pad_mode); ++} +--- a/crypto/hmac/hm_pmeth.c ++++ b/crypto/hmac/hm_pmeth.c +@@ -128,8 +128,11 @@ static int hmac_signctx(EVP_PKEY_CTX *ct + if (!sig) + return 1; + +- if (!HMAC_Final(hctx->ctx, sig, &hlen)) ++ if (!HMAC_Final(hctx->ctx, sig, &hlen)) { ++ if (!fips_sli_is_approved_HMAC_CTX(hctx->ctx)) ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return 0; ++ } + *siglen = (size_t)hlen; + return 1; + } +--- a/crypto/hmac/hmac.c ++++ b/crypto/hmac/hmac.c +@@ -23,6 +23,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo + unsigned char pad[HMAC_MAX_MD_CBLOCK_SIZE]; + unsigned int keytmp_length; + unsigned char keytmp[HMAC_MAX_MD_CBLOCK_SIZE]; ++ ctx->sli = FIPS_UNSET; + + /* If we are changing MD then we must have a key */ + if (md != NULL && md != ctx->md && (key == NULL || len < 0)) +@@ -83,9 +84,17 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo + if (!EVP_DigestInit_ex(ctx->o_ctx, md, impl) + || !EVP_DigestUpdate(ctx->o_ctx, pad, EVP_MD_block_size(md))) + goto err; ++ ctx->sli_key_len = len; + } + if (!EVP_MD_CTX_copy_ex(ctx->md_ctx, ctx->i_ctx)) + goto err; ++ /* On reuse, key/key_len might be NULL. Use cached value. */ ++ if (ctx->sli_key_len >= 112/8) { ++ fips_sli_approve_HMAC_CTX(ctx); ++ } else { ++ fips_sli_disapprove_HMAC_CTX(ctx); ++ } ++ fips_sli_check_hash_mac_HMAC_CTX(ctx, md); + rv = 1; + err: + if (reset) { +@@ -190,6 +199,7 @@ static int hmac_ctx_alloc_mds(HMAC_CTX * + + int HMAC_CTX_reset(HMAC_CTX *ctx) + { ++ ctx->sli = FIPS_UNSET; + hmac_ctx_cleanup(ctx); + if (!hmac_ctx_alloc_mds(ctx)) { + hmac_ctx_cleanup(ctx); +@@ -209,24 +219,22 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C + if (!EVP_MD_CTX_copy_ex(dctx->md_ctx, sctx->md_ctx)) + goto err; + dctx->md = sctx->md; ++ dctx->sli = sctx->sli; + return 1; + err: + hmac_ctx_cleanup(dctx); + return 0; + } + +-unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len, ++static unsigned char *HMAC_internal(const EVP_MD *evp_md, const void *key, int key_len, + const unsigned char *d, size_t n, unsigned char *md, +- unsigned int *md_len) ++ unsigned int *md_len, HMAC_CTX *c) + { +- HMAC_CTX *c = NULL; + static unsigned char m[EVP_MAX_MD_SIZE]; + static const unsigned char dummy_key[1] = {'\0'}; + + if (md == NULL) + md = m; +- if ((c = HMAC_CTX_new()) == NULL) +- goto err; + + /* For HMAC_Init_ex, NULL key signals reuse. */ + if (key == NULL && key_len == 0) { +@@ -239,13 +247,40 @@ unsigned char *HMAC(const EVP_MD *evp_md + goto err; + if (!HMAC_Final(c, md, md_len)) + goto err; +- HMAC_CTX_free(c); + return md; + err: +- HMAC_CTX_free(c); + return NULL; + } + ++unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len, ++ const unsigned char *d, size_t n, unsigned char *md, ++ unsigned int *md_len) ++{ ++ HMAC_CTX *c = HMAC_CTX_new(); ++ unsigned char *ret = NULL; ++ if (c == NULL) ++ goto err; ++ ret = HMAC_internal(evp_md, key, key_len, d, n, md, md_len, c); ++ HMAC_CTX_free(c); ++ err: ++ return ret; ++} ++ ++int fips_sli_HMAC_is_approved(const EVP_MD *evp_md, const void *key, int key_len, ++ const unsigned char *d, size_t n, unsigned char *md, ++ unsigned int *md_len) ++{ ++ HMAC_CTX *c = HMAC_CTX_new(); ++ int ret = 0; ++ if (c == NULL) ++ goto err; ++ HMAC_internal(evp_md, key, key_len, d, n, md, md_len, c); ++ ret = fips_sli_is_approved_HMAC_CTX(c); ++ HMAC_CTX_free(c); ++ err: ++ return ret; ++} ++ + void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags) + { + EVP_MD_CTX_set_flags(ctx->i_ctx, flags); +--- a/crypto/hmac/hmac_local.h ++++ b/crypto/hmac/hmac_local.h +@@ -10,6 +10,8 @@ + #ifndef OSSL_CRYPTO_HMAC_LOCAL_H + # define OSSL_CRYPTO_HMAC_LOCAL_H + ++#include "internal/fips_sli_local.h" ++ + /* The current largest case is for SHA3-224 */ + #define HMAC_MAX_MD_CBLOCK_SIZE 144 + +@@ -18,6 +20,8 @@ struct hmac_ctx_st { + EVP_MD_CTX *md_ctx; + EVP_MD_CTX *i_ctx; + EVP_MD_CTX *o_ctx; ++ FIPS_STATUS sli; /* Service Level Indicator */ ++ size_t sli_key_len; /* SLI needs to cache keylen in case of context reuse */ + }; + + #endif +--- a/crypto/kdf/hkdf.c ++++ b/crypto/kdf/hkdf.c +@@ -222,6 +222,11 @@ static int kdf_hkdf_derive(EVP_KDF_IMPL + } + } + ++static int kdf_hkdf_fips_sli_is_approved(ossl_unused const EVP_KDF_IMPL *impl) { ++ return 0; /* can't check whether this is only used for DH / TLS1.3 because ++ this is handled by the application. Thus label HKDF as non-approved. */ ++} ++ + const EVP_KDF_METHOD hkdf_kdf_meth = { + EVP_KDF_HKDF, + kdf_hkdf_new, +@@ -230,7 +235,8 @@ const EVP_KDF_METHOD hkdf_kdf_meth = { + kdf_hkdf_ctrl, + kdf_hkdf_ctrl_str, + kdf_hkdf_size, +- kdf_hkdf_derive ++ kdf_hkdf_derive, ++ kdf_hkdf_fips_sli_is_approved + }; + + static int HKDF(const EVP_MD *evp_md, +--- a/crypto/kdf/pbkdf2.c ++++ b/crypto/kdf/pbkdf2.c +@@ -31,8 +31,16 @@ struct evp_kdf_impl_st { + size_t salt_len; + int iter; + const EVP_MD *md; ++ FIPS_STATUS sli; /* Service Level Indicator */ + }; + ++static ossl_unused int fips_sli_is_approved_struct_evp_kdf_impl_st(const struct evp_kdf_impl_st *ctx); ++fips_sli_define_basic_for(static, struct_evp_kdf_impl_st, struct evp_kdf_impl_st) ++ ++static void fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(struct evp_kdf_impl_st *ctx) { ++ fips_sli_fsm_struct_evp_kdf_impl_st(ctx, fips_sli_get_hash_status_pbkdf2(ctx->md)); ++} ++ + static EVP_KDF_IMPL *kdf_pbkdf2_new(void) + { + EVP_KDF_IMPL *impl; +@@ -64,6 +72,7 @@ static void kdf_pbkdf2_init(EVP_KDF_IMPL + { + impl->iter = PKCS5_DEFAULT_ITER; + impl->md = EVP_sha1(); ++ impl->sli = FIPS_UNSET; + } + + static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen, +@@ -175,6 +184,8 @@ static int kdf_pbkdf2_derive(EVP_KDF_IMP + return 0; + } + ++ fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl); ++ + return pkcs5_pbkdf2_alg((char *)impl->pass, impl->pass_len, + impl->salt, impl->salt_len, impl->iter, + impl->md, key, keylen); +@@ -188,7 +199,8 @@ const EVP_KDF_METHOD pbkdf2_kdf_meth = { + kdf_pbkdf2_ctrl, + kdf_pbkdf2_ctrl_str, + NULL, +- kdf_pbkdf2_derive ++ kdf_pbkdf2_derive, ++ fips_sli_is_approved_struct_evp_kdf_impl_st + }; + + /* +--- a/crypto/kdf/scrypt.c ++++ b/crypto/kdf/scrypt.c +@@ -266,6 +266,10 @@ static int kdf_scrypt_derive(EVP_KDF_IMP + impl->maxmem_bytes, key, keylen); + } + ++static int kdf_scrypt_fips_sli_is_approved(ossl_unused const EVP_KDF_IMPL *impl) { ++ return 0; /* not FIPS-approved */ ++} ++ + const EVP_KDF_METHOD scrypt_kdf_meth = { + EVP_KDF_SCRYPT, + kdf_scrypt_new, +@@ -274,7 +278,8 @@ const EVP_KDF_METHOD scrypt_kdf_meth = { + kdf_scrypt_ctrl, + kdf_scrypt_ctrl_str, + NULL, +- kdf_scrypt_derive ++ kdf_scrypt_derive, ++ kdf_scrypt_fips_sli_is_approved + }; + + #define R(a,b) (((a) << (b)) | ((a) >> (32 - (b)))) +--- a/crypto/kdf/sshkdf.c ++++ b/crypto/kdf/sshkdf.c +@@ -34,8 +34,19 @@ struct evp_kdf_impl_st { + char type; /* X */ + unsigned char *session_id; + size_t session_id_len; ++ FIPS_STATUS sli; /* Service Level Indicator */ + }; + ++ ++fips_sli_define_basic_for(static, struct_evp_kdf_impl_st, struct evp_kdf_impl_st) ++ ++static void fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(struct evp_kdf_impl_st *ctx) { ++ fips_sli_fsm_struct_evp_kdf_impl_st(ctx, ++ fips_sli_get_hash_status_sshkdf(ctx->md)); ++ fips_sli_fsm_struct_evp_kdf_impl_st(ctx, ++ fips_sli_get_kdf_keylen_status(ctx->key_len)); ++} ++ + static EVP_KDF_IMPL *kdf_sshkdf_new(void) + { + EVP_KDF_IMPL *impl; +@@ -196,6 +207,7 @@ static int kdf_sshkdf_derive(EVP_KDF_IMP + KDFerr(KDF_F_KDF_SSHKDF_DERIVE, KDF_R_MISSING_TYPE); + return 0; + } ++ fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl); + return SSHKDF(impl->md, impl->key, impl->key_len, + impl->xcghash, impl->xcghash_len, + impl->session_id, impl->session_id_len, +@@ -211,6 +223,7 @@ const EVP_KDF_METHOD sshkdf_kdf_meth = { + kdf_sshkdf_ctrl_str, + kdf_sshkdf_size, + kdf_sshkdf_derive, ++ fips_sli_is_approved_struct_evp_kdf_impl_st + }; + + static int SSHKDF(const EVP_MD *evp_md, +--- a/crypto/kdf/tls1_prf.c ++++ b/crypto/kdf/tls1_prf.c +@@ -35,8 +35,16 @@ struct evp_kdf_impl_st { + /* Buffer of concatenated seed data */ + unsigned char seed[TLS1_PRF_MAXBUF]; + size_t seedlen; ++ FIPS_STATUS sli; /* Service Level Indicator */ + }; + ++fips_sli_define_basic_for(static, struct_evp_kdf_impl_st, struct evp_kdf_impl_st) ++ ++static void fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(struct evp_kdf_impl_st *ctx) { ++ fips_sli_fsm_struct_evp_kdf_impl_st(ctx, ++ fips_sli_get_hash_status_kdf_tls1_prf(ctx->md)); ++} ++ + static EVP_KDF_IMPL *kdf_tls1_prf_new(void) + { + EVP_KDF_IMPL *impl; +@@ -152,6 +160,7 @@ static int kdf_tls1_prf_derive(EVP_KDF_I + KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED); + return 0; + } ++ fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl); + return tls1_prf_alg(impl->md, impl->sec, impl->seclen, + impl->seed, impl->seedlen, + key, keylen); +@@ -165,7 +174,8 @@ const EVP_KDF_METHOD tls1_prf_kdf_meth = + kdf_tls1_prf_ctrl, + kdf_tls1_prf_ctrl_str, + NULL, +- kdf_tls1_prf_derive ++ kdf_tls1_prf_derive, ++ fips_sli_is_approved_struct_evp_kdf_impl_st + }; + + static int tls1_prf_P_hash(const EVP_MD *md, +--- a/crypto/poly1305/poly1305_pmeth.c ++++ b/crypto/poly1305/poly1305_pmeth.c +@@ -108,8 +108,10 @@ static int poly1305_signctx(EVP_PKEY_CTX + POLY1305_PKEY_CTX *pctx = ctx->data; + + *siglen = POLY1305_DIGEST_SIZE; +- if (sig != NULL) ++ if (sig != NULL) { + Poly1305_Final(&pctx->ctx, sig); ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); // Poly1305 isn't an approved MAC ++ } + return 1; + } + +--- a/crypto/rand/rand_lib.c ++++ b/crypto/rand/rand_lib.c +@@ -937,6 +937,13 @@ int RAND_priv_bytes(unsigned char *buf, + return 0; + } + ++int fips_sli_RAND_priv_bytes_is_approved(unsigned char *buf, int num) { ++ const RAND_METHOD *meth = RAND_get_rand_method(); ++ if (meth != NULL && meth != RAND_OpenSSL()) ++ return 0; ++ return 1; ++} ++ + int RAND_bytes(unsigned char *buf, int num) + { + const RAND_METHOD *meth = RAND_get_rand_method(); +@@ -947,6 +954,11 @@ int RAND_bytes(unsigned char *buf, int n + return -1; + } + ++int fips_sli_RAND_bytes_is_approved(unsigned char *buf, int num) { ++ const RAND_METHOD *meth = RAND_get_rand_method(); ++ return meth == RAND_OpenSSL(); ++} ++ + #if OPENSSL_API_COMPAT < 0x10100000L + int RAND_pseudo_bytes(unsigned char *buf, int num) + { +--- a/crypto/rsa/rsa_pmeth.c ++++ b/crypto/rsa/rsa_pmeth.c +@@ -129,6 +129,7 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c + RSA_PKEY_CTX *rctx = ctx->data; + RSA *rsa = ctx->pkey->pkey.rsa; + ++ fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(ctx, rsa); + if (rctx->md) { + if (tbslen != (size_t)EVP_MD_size(rctx->md)) { + RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH); +@@ -139,6 +140,8 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c + unsigned int sltmp; + if (rctx->pad_mode != RSA_PKCS1_PADDING) + return -1; ++ /* PKCS1-v1.5 padding is disallowed after 2023 */ ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + ret = RSA_sign_ASN1_OCTET_STRING(0, + tbs, tbslen, sig, &sltmp, rsa); + +@@ -154,11 +157,30 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c + RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE); + return -1; + } ++ /* MINOR fips: refactor out? May have to read rctx->pad_mode (RSA_PKEY_CTX), though */ ++ /* ANSI X9.31 */ ++ switch (EVP_MD_type(rctx->md)) { ++ case NID_sha256: ++ case NID_sha384: ++ case NID_sha512: ++ case NID_sha3_224: ++ case NID_sha3_256: ++ case NID_sha3_384: ++ case NID_sha3_512: ++ case NID_shake128: ++ case NID_shake256: ++ fips_sli_approve_EVP_PKEY_CTX(ctx); ++ break; ++ default: ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++ } + memcpy(rctx->tbuf, tbs, tbslen); + rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md)); + ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, + sig, rsa, RSA_X931_PADDING); + } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { ++ /* PKCS1-v1.5 padding is disallowed after 2023 */ ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + unsigned int sltmp; + ret = RSA_sign(EVP_MD_type(rctx->md), + tbs, tbslen, sig, &sltmp, rsa); +@@ -173,12 +195,14 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c + rctx->md, rctx->mgf1md, + rctx->saltlen)) + return -1; ++ fips_sli_check_hash_siggen_EVP_PKEY_CTX(ctx, rctx->md); + ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, + sig, rsa, RSA_NO_PADDING); + } else { + return -1; + } + } else { ++ fips_sli_approve_EVP_PKEY_CTX(ctx); /* plain sig without hash */ + ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, + rctx->pad_mode); + } +@@ -199,6 +223,23 @@ static int pkey_rsa_verifyrecover(EVP_PK + if (rctx->pad_mode == RSA_X931_PADDING) { + if (!setup_tbuf(rctx, ctx)) + return -1; ++ /* MINOR fips: refactor out? May have to read rctx->pad_mode (RSA_PKEY_CTX), though */ ++ /* ANSI X9.31 */ ++ switch (EVP_MD_type(rctx->md)) { ++ case NID_sha256: ++ case NID_sha384: ++ case NID_sha512: ++ case NID_sha3_224: ++ case NID_sha3_256: ++ case NID_sha3_384: ++ case NID_sha3_512: ++ case NID_shake128: ++ case NID_shake256: ++ fips_sli_approve_EVP_PKEY_CTX(ctx); ++ break; ++ default: ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++ } + ret = RSA_public_decrypt(siglen, sig, + rctx->tbuf, ctx->pkey->pkey.rsa, + RSA_X931_PADDING); +@@ -245,11 +286,15 @@ static int pkey_rsa_verify(EVP_PKEY_CTX + RSA_PKEY_CTX *rctx = ctx->data; + RSA *rsa = ctx->pkey->pkey.rsa; + size_t rslen; ++ fips_sli_check_key_rsa_sigver_EVP_PKEY_CTX(ctx, rsa); + + if (rctx->md) { +- if (rctx->pad_mode == RSA_PKCS1_PADDING) ++ if (rctx->pad_mode == RSA_PKCS1_PADDING) { ++ /* PKCS1-v1.5 padding is disallowed after 2023 */ ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, + sig, siglen, rsa); ++ } + if (tbslen != (size_t)EVP_MD_size(rctx->md)) { + RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH); + return -1; +@@ -270,6 +315,7 @@ static int pkey_rsa_verify(EVP_PKEY_CTX + rctx->tbuf, rctx->saltlen); + if (ret <= 0) + return 0; ++ fips_sli_check_hash_sigver_EVP_PKEY_CTX(ctx, rctx->md); + return 1; + } else { + return -1; +@@ -277,6 +323,7 @@ static int pkey_rsa_verify(EVP_PKEY_CTX + } else { + if (!setup_tbuf(rctx, ctx)) + return -1; ++ fips_sli_approve_EVP_PKEY_CTX(ctx); /* plain sig without hash */ + rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, + rsa, rctx->pad_mode); + if (rslen == 0) +@@ -313,6 +360,8 @@ static int pkey_rsa_encrypt(EVP_PKEY_CTX + ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, + rctx->pad_mode); + } ++ fips_sli_check_padding_rsa_enc_EVP_PKEY_CTX(ctx, rctx->pad_mode); ++ fips_sli_check_key_rsa_enc_EVP_PKEY_CTX(ctx, ctx->pkey->pkey.rsa); + if (ret < 0) + return ret; + *outlen = ret; +@@ -342,6 +391,8 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX + ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, + rctx->pad_mode); + } ++ fips_sli_check_padding_rsa_dec_EVP_PKEY_CTX(ctx, rctx->pad_mode); ++ fips_sli_check_key_rsa_dec_EVP_PKEY_CTX(ctx, ctx->pkey->pkey.rsa); + *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); + ret = constant_time_select_int(constant_time_msb(ret), ret, 1); + return ret; +@@ -747,9 +798,13 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX + RSA_free(rsa); + return 0; + } +- if (ret > 0) ++ if (rctx->primes != 2) ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++ ++ if (ret > 0) { ++ fips_sli_check_key_rsa_keygen_EVP_PKEY_CTX(ctx, rsa); + EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa); +- else ++ } else + RSA_free(rsa); + return ret; + } +--- a/crypto/sha/sha1_one.c ++++ b/crypto/sha/sha1_one.c +@@ -26,3 +26,8 @@ unsigned char *SHA1(const unsigned char + OPENSSL_cleanse(&c, sizeof(c)); + return md; + } ++ ++int fips_sli_SHA1_is_approved(const unsigned char *d, size_t n, unsigned char *md) { ++ /* Only approved depending on usage context, so default to false */ ++ return 0; ++} +--- a/crypto/siphash/siphash_pmeth.c ++++ b/crypto/siphash/siphash_pmeth.c +@@ -109,8 +109,10 @@ static int siphash_signctx(EVP_PKEY_CTX + SIPHASH_PKEY_CTX *pctx = ctx->data; + + *siglen = SipHash_hash_size(&pctx->ctx); +- if (sig != NULL) ++ if (sig != NULL) { ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return SipHash_Final(&pctx->ctx, sig, *siglen); ++ } + return 1; + } + +--- a/crypto/sm2/sm2_pmeth.c ++++ b/crypto/sm2/sm2_pmeth.c +@@ -107,6 +107,7 @@ static int pkey_sm2_sign(EVP_PKEY_CTX *c + return 0; + } + ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + ret = sm2_sign(tbs, tbslen, sig, &sltmp, ec); + + if (ret <= 0) +@@ -120,7 +121,7 @@ static int pkey_sm2_verify(EVP_PKEY_CTX + const unsigned char *tbs, size_t tbslen) + { + EC_KEY *ec = ctx->pkey->pkey.ec; +- ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return sm2_verify(tbs, tbslen, sig, siglen, ec); + } + +@@ -139,6 +140,7 @@ static int pkey_sm2_encrypt(EVP_PKEY_CTX + return 1; + } + ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return sm2_encrypt(ec, md, in, inlen, out, outlen); + } + +@@ -157,6 +159,7 @@ static int pkey_sm2_decrypt(EVP_PKEY_CTX + return 1; + } + ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return sm2_decrypt(ec, md, in, inlen, out, outlen); + } + +--- /dev/null ++++ b/doc/man3/FIPS_service_level_indicator.pod +@@ -0,0 +1,110 @@ ++=pod ++ ++=head1 NAME ++ ++C - get status of the FIPS Service Level Indicator (SLI) for context operations ++ ++C - get status of the FIPS SLI for standalone operations ++ ++=head1 SYNOPSIS ++ ++ #include ++ ++ int fips_sli_is_approved_EVP_CIPHER_CTX(const EVP_CIPHER_CTX *ctx); ++ ++ int fips_sli_is_approved_EVP_KDF_CTX(const EVP_KDF_CTX *ctx); ++ ++ int fips_sli_is_approved_EVP_MD_CTX(const EVP_MD_CTX *ctx); ++ ++ int fips_sli_is_approved_EVP_PKEY_CTX(const EVP_PKEY_CTX *ctx); ++ ++ int fips_sli_is_approved_CMAC_CTX(const CMAC_CTX *ctx); ++ ++ int fips_sli_is_approved_HMAC_CTX(const HMAC_CTX *ctx); ++ ++ int fips_sli_SHA1_is_approved(const unsigned char *d, size_t n, unsigned char *md); ++ ++ int fips_sli_HMAC_is_approved(const EVP_MD *evp_md, const void *key, int key_len, ++ const unsigned char *d, size_t n, unsigned char *md, ++ unsigned int *md_len); ++ ++ int fips_sli_PKCS5_PBKDF2_HMAC_is_approved(const char *pass, int passlen, ++ const unsigned char *salt, int saltlen, int iter, ++ const EVP_MD *digest, int keylen, unsigned char *out); ++ ++ int fips_sli_RAND_bytes_is_approved(unsigned char *buf, int num); ++ ++ int fips_sli_RAND_priv_bytes_is_approved(unsigned char *buf, int num); ++ ++=head1 DESCRIPTION ++ ++The service level indicator has two different usage scenarios. ++ ++=over 1 ++ ++=item C ++ ++Most operations happen on some form of a context, which also holds the SLI. ++This function returns whether the FIPS SLI indicates an approved operation or not. ++ ++After a disapproved operation is encountered, the SLI will continue to indicate this disapproved state. The SLI can only ++be reset by the various existing resetting functions such as C or reinitializing the ++context, e.g. via L. ++ ++=item C ++ ++Operations without a context (standalone functions) have a separate SLI with the name fips_sli_FNNAME_is_approved(). ++These indicator functions take the same parameters as their corresponding operation ++and may modify them just like their corresponding function might do. ++ ++In order to check the SLI status of an operation C, the function ++C must be called with the same set of parameters as C. ++Note that applications must check the return value of C according to its documentation B the return value of the SLI (see below for L). ++Both are orthogonal: the former reports about success and failure of C, and the latter whether a disapproved operation happened or not. ++Well-behaving applications check for both. ++ ++The following explicit indicators exist: ++ ++C ++ ++C ++ ++C ++ ++C ++ ++C ++ ++=back ++ ++=head1 Notes on the RNG ++ ++OpenSSL 1.1.1l implements a CTR DRBG with AES 128/192/256 (defaults to AES-256). ++See L/RAND_priv_bytes(). ++ ++Swapping out OPENSSL's RNG implementation (e.g. via L) is NOT allowed. ++ ++=head1 RETURN VALUES ++ ++C returns 0 if the previous operation(s) was unapproved or B was B, and returns 1 ++if the previous operation(s) were approved (or rather, no non-approved operations happened). ++ ++C returns 0 if an operation with a given set of parameters was unapproved, and returns 1 ++if the operation is approved with the given set of parameters. ++ ++These functions can be invoked at any time. ++ ++=head1 HISTORY ++ ++The FIPS SLI was added in OpenSSL 1.1.1.l. ++ ++=head1 COPYRIGHT ++ ++Copyright 2022 ++ ++Licensed under the OpenSSL license (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut +--- a/include/crypto/evp.h ++++ b/include/crypto/evp.h +@@ -9,6 +9,7 @@ + + #include + #include "internal/refcount.h" ++#include "internal/fips_sli_local.h" + + /* + * Don't free up md_ctx->pctx in EVP_MD_CTX_reset, use the reserved flag +@@ -36,6 +37,7 @@ struct evp_pkey_ctx_st { + /* implementation specific keygen data */ + int *keygen_info; + int keygen_info_count; ++ FIPS_STATUS sli; /* Service Level Indicator */ + } /* EVP_PKEY_CTX */ ; + + #define EVP_PKEY_FLAG_DYNAMIC 1 +@@ -123,6 +125,9 @@ typedef struct { + int (*ctrl_str) (EVP_KDF_IMPL *impl, const char *type, const char *value); + size_t (*size) (EVP_KDF_IMPL *impl); + int (*derive) (EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen); ++ /* KDFs are handled differently by the SLI because the EVP_KDF_IMPL, which ++ holds the required information, is defined implementation-dependent */ ++ int (*fips_sli_is_approved) (const EVP_KDF_IMPL *impl); + } EVP_KDF_METHOD; + + extern const EVP_KDF_METHOD pbkdf2_kdf_meth; +--- /dev/null ++++ b/include/crypto/fipserr.h +@@ -0,0 +1,121 @@ ++/* ++ * Generated by util/mkerr.pl DO NOT EDIT ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#ifndef HEADER_FIPSERR_H ++# define HEADER_FIPSERR_H ++ ++# include ++ ++# ifdef __cplusplus ++extern "C" ++# endif ++int ERR_load_FIPS_strings(void); ++ ++/* ++ * FIPS function codes. ++ */ ++# define FIPS_F_DRBG_RESEED 100 ++# define FIPS_F_DSA_BUILTIN_PARAMGEN2 101 ++# define FIPS_F_DSA_DO_SIGN 102 ++# define FIPS_F_DSA_DO_VERIFY 103 ++# define FIPS_F_ECDSA_SIMPLE_SIGN_SIG 104 ++# define FIPS_F_ECDSA_SIMPLE_VERIFY_SIG 105 ++# define FIPS_F_EVP_CIPHERINIT_EX 106 ++# define FIPS_F_EVP_CIPHER_CTX_NEW 107 ++# define FIPS_F_EVP_CIPHER_CTX_RESET 108 ++# define FIPS_F_EVP_DIGESTINIT_EX 109 ++# define FIPS_F_FIPS_CHECK_DSA 110 ++# define FIPS_F_FIPS_CHECK_EC 111 ++# define FIPS_F_FIPS_CHECK_RSA 112 ++# define FIPS_F_FIPS_DRBG_BYTES 113 ++# define FIPS_F_FIPS_DRBG_CHECK 114 ++# define FIPS_F_FIPS_DRBG_ERROR_CHECK 115 ++# define FIPS_F_FIPS_DRBG_GENERATE 116 ++# define FIPS_F_FIPS_DRBG_INIT 117 ++# define FIPS_F_FIPS_DRBG_INSTANTIATE 118 ++# define FIPS_F_FIPS_DRBG_NEW 119 ++# define FIPS_F_FIPS_DRBG_SINGLE_KAT 120 ++# define FIPS_F_FIPS_GET_ENTROPY 121 ++# define FIPS_F_FIPS_MODULE_MODE_SET 122 ++# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 123 ++# define FIPS_F_FIPS_RAND_BYTES 124 ++# define FIPS_F_FIPS_RAND_SEED 125 ++# define FIPS_F_FIPS_RAND_SET_METHOD 126 ++# define FIPS_F_FIPS_RAND_STATUS 127 ++# define FIPS_F_FIPS_RSA_BUILTIN_KEYGEN 128 ++# define FIPS_F_FIPS_SELFTEST_AES 129 ++# define FIPS_F_FIPS_SELFTEST_AES_CCM 130 ++# define FIPS_F_FIPS_SELFTEST_AES_GCM 131 ++# define FIPS_F_FIPS_SELFTEST_AES_XTS 132 ++# define FIPS_F_FIPS_SELFTEST_CMAC 133 ++# define FIPS_F_FIPS_SELFTEST_DES 134 ++# define FIPS_F_FIPS_SELFTEST_ECDSA 135 ++# define FIPS_F_FIPS_SELFTEST_HKDF 136 ++# define FIPS_F_FIPS_SELFTEST_HMAC 137 ++# define FIPS_F_FIPS_SELFTEST_PBKDF2 138 ++# define FIPS_F_FIPS_SELFTEST_SHA1 139 ++# define FIPS_F_FIPS_SELFTEST_SHA2 140 ++# define FIPS_F_FIPS_SELFTEST_SHA3 141 ++# define FIPS_F_FIPS_SELFTEST_SSH 142 ++# define FIPS_F_FIPS_SELFTEST_TLS 143 ++# define FIPS_F_OSSL_ECDH_COMPUTE_KEY 144 ++# define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT 145 ++# define FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT 146 ++# define FIPS_F_RSA_OSSL_PUBLIC_DECRYPT 147 ++# define FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT 148 ++ ++/* ++ * FIPS reason codes. ++ */ ++# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 100 ++# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 101 ++# define FIPS_R_ALREADY_INSTANTIATED 102 ++# define FIPS_R_DRBG_NOT_INITIALISED 103 ++# define FIPS_R_ENTROPY_ERROR_UNDETECTED 104 ++# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105 ++# define FIPS_R_ENTROPY_SOURCE_STUCK 106 ++# define FIPS_R_ERROR_INITIALISING_DRBG 107 ++# define FIPS_R_ERROR_INSTANTIATING_DRBG 108 ++# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 109 ++# define FIPS_R_ERROR_RETRIEVING_ENTROPY 110 ++# define FIPS_R_ERROR_RETRIEVING_NONCE 111 ++# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 112 ++# define FIPS_R_FIPS_MODE_ALREADY_SET 113 ++# define FIPS_R_FIPS_SELFTEST_FAILED 114 ++# define FIPS_R_FUNCTION_ERROR 115 ++# define FIPS_R_GENERATE_ERROR 116 ++# define FIPS_R_GENERATE_ERROR_UNDETECTED 117 ++# define FIPS_R_INSTANTIATE_ERROR 118 ++# define FIPS_R_INVALID_KEY_LENGTH 119 ++# define FIPS_R_IN_ERROR_STATE 120 ++# define FIPS_R_KEY_TOO_SHORT 121 ++# define FIPS_R_NONCE_ERROR_UNDETECTED 122 ++# define FIPS_R_NON_FIPS_METHOD 123 ++# define FIPS_R_NOPR_TEST1_FAILURE 124 ++# define FIPS_R_NOPR_TEST2_FAILURE 125 ++# define FIPS_R_NOT_INSTANTIATED 126 ++# define FIPS_R_PAIRWISE_TEST_FAILED 127 ++# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128 ++# define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129 ++# define FIPS_R_PR_TEST1_FAILURE 130 ++# define FIPS_R_PR_TEST2_FAILURE 131 ++# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 132 ++# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 133 ++# define FIPS_R_RESEED_COUNTER_ERROR 134 ++# define FIPS_R_RESEED_ERROR 135 ++# define FIPS_R_SELFTEST_FAILED 136 ++# define FIPS_R_SELFTEST_FAILURE 137 ++# define FIPS_R_TEST_FAILURE 138 ++# define FIPS_R_UNINSTANTIATE_ERROR 139 ++# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 140 ++# define FIPS_R_UNSUPPORTED_DRBG_TYPE 141 ++# define FIPS_R_UNSUPPORTED_PLATFORM 142 ++ ++#endif +--- /dev/null ++++ b/include/internal/fips_sli_local.h +@@ -0,0 +1,96 @@ ++#ifndef FIPS_SLI_LOCAL_H_INCLUDED ++#define FIPS_SLI_LOCAL_H_INCLUDED ++ ++#include ++#include ++#include ++ ++/* status for SLI */ ++typedef enum fips_status_e { ++ FIPS_UNSET, ++ FIPS_APPROVED, ++ FIPS_NONAPPROVED, ++ FIPS_ERROR, ++} FIPS_STATUS; ++ ++ ++void fips_sli_approve_EVP_KDF_CTX(EVP_KDF_CTX *ctx); ++void fips_sli_approve_EVP_MD_CTX(EVP_MD_CTX *ctx); ++void fips_sli_approve_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx); ++void fips_sli_approve_HMAC_CTX(HMAC_CTX *ctx); ++ ++/* Unused: ++ * void fips_sli_approve_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx); ++ */ ++void fips_sli_disapprove_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx); ++void fips_sli_disapprove_EVP_KDF_CTX(EVP_KDF_CTX *ctx); ++void fips_sli_disapprove_EVP_MD_CTX(EVP_MD_CTX *ctx); ++void fips_sli_disapprove_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx); ++void fips_sli_disapprove_HMAC_CTX(HMAC_CTX *ctx); ++ ++//void fips_sli_error_EVP_KDF_CTX(EVP_KDF_CTX *ctx); /* unused */ ++//void fips_sli_error_HMAC_CTX(HMAC_CTX *ctx); ++//void fips_sli_error_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx); ++void fips_sli_error_EVP_MD_CTX(EVP_MD_CTX *ctx); ++void fips_sli_error_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx); ++ ++FIPS_STATUS fips_sli_fsm_transition(FIPS_STATUS state, FIPS_STATUS input); ++ ++#define fips_sli_define_basic_for(LNKG, FNNAME, CTXTYPE) \ ++static void fips_sli_fsm_##FNNAME(CTXTYPE *ctx, FIPS_STATUS input) { \ ++ if (ctx == NULL) \ ++ return; \ ++ ctx->sli = fips_sli_fsm_transition(ctx->sli, input); \ ++} \ ++LNKG int fips_sli_is_approved_##FNNAME(const CTXTYPE *ctx) { \ ++ if (ctx == NULL) \ ++ return 0; \ ++ return (ctx->sli == FIPS_UNSET) || (ctx->sli == FIPS_APPROVED); \ ++} ++ ++#define fips_sli_define_for(CTXTYPE) \ ++fips_sli_define_basic_for(, CTXTYPE, CTXTYPE) \ ++void fips_sli_approve_##CTXTYPE(CTXTYPE *ctx) { \ ++ fips_sli_fsm_##CTXTYPE(ctx, FIPS_APPROVED); \ ++} \ ++void fips_sli_disapprove_##CTXTYPE(CTXTYPE *ctx) { \ ++ fips_sli_fsm_##CTXTYPE(ctx, FIPS_NONAPPROVED); \ ++} \ ++void fips_sli_error_##CTXTYPE(CTXTYPE *ctx) { \ ++ fips_sli_fsm_##CTXTYPE(ctx, FIPS_ERROR); \ ++} ++ ++void fips_sli_check_hash_siggen_EVP_MD_CTX(EVP_MD_CTX * ctx, const EVP_MD * md); ++void fips_sli_check_hash_sigver_EVP_MD_CTX(EVP_MD_CTX * ctx, const EVP_MD * md); ++void fips_sli_check_hash_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const EVP_MD * md); ++void fips_sli_check_hash_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const EVP_MD * md); ++void fips_sli_check_hash_mac_HMAC_CTX(HMAC_CTX * ctx, const EVP_MD * md); ++ ++FIPS_STATUS fips_sli_get_hash_status_sshkdf(const EVP_MD * md); ++FIPS_STATUS fips_sli_get_hash_status_pbkdf2(const EVP_MD * md); ++FIPS_STATUS fips_sli_get_hash_status_kdf_tls1_prf(const EVP_MD * md); ++FIPS_STATUS fips_sli_get_kdf_keylen_status(size_t keylen_bytes); ++ ++/* Check if used curve is okay for and in this context */ ++void fips_sli_check_curve_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_GROUP *group); ++void fips_sli_check_curve_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_GROUP *group); ++ ++void fips_sli_check_key_ec_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_KEY *ec); ++void fips_sli_check_key_rsa_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa); ++void fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa); ++void fips_sli_check_key_rsa_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa); ++void fips_sli_check_key_rsa_enc_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa); ++void fips_sli_check_key_rsa_dec_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa); ++void fips_sli_check_key_dsa_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const DSA * dsa); ++void fips_sli_check_key_dsa_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const DSA * dsa); ++ ++void fips_sli_check_key_dh_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const DH *dh); ++void fips_sli_check_key_ecdh_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_KEY *ecdh); ++ ++void fips_sli_check_padding_rsa_enc_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, int pad_mode); ++void fips_sli_check_padding_rsa_dec_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, int pad_mode); ++ ++FIPS_STATUS EVP_CIPHER_get_fips_status(const EVP_CIPHER *cipher); ++void fips_sli_check_cipher_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher); ++ ++#endif /* FIPS_SLI_LOCAL_H_INCLUDED */ +--- /dev/null ++++ b/include/openssl/fips_sli.h +@@ -0,0 +1,32 @@ ++#ifndef FIPS_SLI_H_INCLUDED ++#define FIPS_SLI_H_INCLUDED ++ ++#include ++#include ++# ifdef __cplusplus ++extern "C" { ++# endif ++ ++/* Interface for consumers to check if their usage of the services offered by ++ * this ctx was approved */ ++int fips_sli_is_approved_EVP_CIPHER_CTX(const EVP_CIPHER_CTX *ctx); ++int fips_sli_is_approved_EVP_KDF_CTX(const EVP_KDF_CTX *ctx); ++int fips_sli_is_approved_EVP_MD_CTX(const EVP_MD_CTX *ctx); ++int fips_sli_is_approved_EVP_PKEY_CTX(const EVP_PKEY_CTX *ctx); ++int fips_sli_is_approved_CMAC_CTX(const CMAC_CTX *ctx); ++int fips_sli_is_approved_HMAC_CTX(const HMAC_CTX *ctx); ++ ++int fips_sli_SHA1_is_approved(const unsigned char *d, size_t n, unsigned char *md); ++int fips_sli_HMAC_is_approved(const EVP_MD *evp_md, const void *key, int key_len, ++ const unsigned char *d, size_t n, unsigned char *md, ++ unsigned int *md_len); ++int fips_sli_PKCS5_PBKDF2_HMAC_is_approved(const char *pass, int passlen, ++ const unsigned char *salt, int saltlen, int iter, ++ const EVP_MD *digest, int keylen, unsigned char *out); ++int fips_sli_RAND_bytes_is_approved(unsigned char *buf, int num); ++int fips_sli_RAND_priv_bytes_is_approved(unsigned char *buf, int num); ++ ++# ifdef __cplusplus ++} ++# endif ++#endif // FIPS_SLI_H_INCLUDED +--- a/test/build.info ++++ b/test/build.info +@@ -52,7 +52,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I + recordlentest drbgtest drbg_cavs_test sslbuffertest \ + time_offset_test pemtest ssl_cert_table_internal_test ciphername_test \ + servername_test ocspapitest rsa_mp_test fatalerrtest tls13ccstest \ +- sysdefaulttest errtest ssl_ctx_test gosttest ++ sysdefaulttest errtest ssl_ctx_test gosttest fips_slitest + + SOURCE[versions]=versions.c + INCLUDE[versions]=../include +@@ -575,6 +575,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I + INCLUDE[gosttest]=../include .. + DEPEND[gosttest]=../libcrypto ../libssl libtestutil.a + ++ SOURCE[fips_slitest]=fips_slitest.c fips_slitest_helper.c ++ INCLUDE[fips_slitest]=../include ++ DEPEND[fips_slitest]=../libcrypto libtestutil.a ++ + SOURCE[ssl_ctx_test]=ssl_ctx_test.c + INCLUDE[ssl_ctx_test]=../include + DEPEND[ssl_ctx_test]=../libcrypto ../libssl libtestutil.a +--- /dev/null ++++ b/test/fips_slitest.c +@@ -0,0 +1,659 @@ ++#include ++#include ++#include ++#include /* To see if OPENSSL_NO_EC is defined */ ++#ifndef OPENSSL_NO_EC ++# include ++#endif ++#ifndef OPENSSL_NO_RSA ++# include ++#endif ++#include ++ ++#include "testutil.h" ++#include "fips_slitest_helper.h" ++ ++static int test_sli_noop(void) { ++ int res = 0; /* 0 means test failure */ ++ EVP_MD_CTX* ctx = NULL; ++ if (!TEST_ptr(ctx = EVP_MD_CTX_new())) ++ goto end; ++ if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(ctx))) ++ goto end; ++ if (!TEST_false(fips_sli_is_approved_EVP_MD_CTX(NULL))) ++ goto end; ++ res = 1; /* test case successful */ ++end: ++ EVP_MD_CTX_free(ctx); ++ return res; ++} ++ ++static int cmac_aes_cbc(void) { ++ int success = 0; ++ CMAC_CTX *ctx = NULL; ++ size_t maclen = 0; ++ ++ if (!TEST_ptr(ctx = CMAC_CTX_new())) ++ return 0; ++ if (!TEST_true(CMAC_Init(ctx, get_key_16(), 16, EVP_aes_128_cbc(), NULL)) ++ || !TEST_true(CMAC_Final(ctx, NULL, &maclen)) ++ ) { ++ CMAC_CTX_free(ctx); ++ return 0; ++ } ++ ++ uint8_t mac[maclen]; ++ ++ if (!TEST_true(maclen > 0) ++ || !TEST_true(CMAC_Update(ctx, get_msg_16(), 16)) ++ || !TEST_true(CMAC_Final(ctx, mac, &maclen)) ++ || !TEST_true(fips_sli_is_approved_CMAC_CTX(ctx)) ++ ) ++ goto end; ++ success = 1; ++end: ++ CMAC_CTX_free(ctx); ++ return success; ++} ++ ++static int cmac_no_des(void) { ++ int success = 0; ++ CMAC_CTX *ctx = NULL; ++ size_t maclen = 0; ++ ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ TEST_note("Skipping test because DES is disabled in FIPS mode"); ++ return 1; ++ } ++#endif ++ ++ if (!TEST_ptr(ctx = CMAC_CTX_new())) ++ return 0; ++ if (!TEST_true(CMAC_Init(ctx, get_key_16(), 16, EVP_des_ede_cbc(), NULL)) ++ || !TEST_true(CMAC_Final(ctx, NULL, &maclen)) ++ ) { ++ CMAC_CTX_free(ctx); ++ return 0; ++ } ++ ++ uint8_t mac[maclen]; ++ ++ if (!TEST_true(maclen > 0) ++ || !TEST_int_eq(16, EVP_CIPHER_key_length(EVP_des_ede_cbc())) ++ || !TEST_true(CMAC_Update(ctx, get_msg_16(), 16)) ++ || !TEST_true(CMAC_Final(ctx, mac, &maclen)) ++ || !TEST_false(fips_sli_is_approved_CMAC_CTX(ctx)) ++ ) ++ goto end; ++ success = 1; ++end: ++ CMAC_CTX_free(ctx); ++ return success; ++} ++ ++typedef struct { ++ int fips_approved; ++ int cipher_nid; ++} SLI_CMAC_TEST; ++ ++static const SLI_CMAC_TEST cmac_tests[] = { ++ // Cipher must fit to key length of 32 B ++ {1, NID_aes_256_cbc}, ++ {0, NID_camellia_256_cbc}, ++}; ++static const size_t cmac_tests_len = sizeof(cmac_tests) / sizeof(cmac_tests[0]); ++ ++static int cmac_via_md_ctx(int cmac_test_index) { ++ int success = 0; ++ EVP_MD_CTX *ctx = NULL; ++ const EVP_MD* md = NULL; ++ unsigned char* mac = NULL; ++ size_t maclen = 0; ++ ++ EVP_PKEY *key = NULL; ++ ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() ++ && cmac_tests[cmac_test_index].cipher_nid == NID_camellia_256_cbc) { ++ TEST_note("Skipping test because Camellia is disabled in FIPS mode"); ++ success = 1; ++ goto end; ++ } ++#endif ++ ++ if (!TEST_true(get_cmac_key(cmac_tests[cmac_test_index].cipher_nid, ++ &key) == 1)) ++ goto end; ++ if (!TEST_ptr(ctx = EVP_MD_CTX_new())) ++ goto end; ++ // hash doesn't matter here but must be present... ++ if (!TEST_true(EVP_DigestInit_ex(ctx, EVP_sha256(), NULL))) ++ goto end; ++ if (!TEST_true(EVP_DigestSignInit(ctx, NULL, md, NULL, key))) ++ goto end; ++ if (!TEST_true(EVP_DigestSignUpdate(ctx, get_msg_16(), 16))) ++ goto end; ++ size_t req = 0; ++ if (!TEST_true(EVP_DigestSignFinal(ctx, NULL, &req))) ++ goto end; ++ if (!TEST_true(req > 0)) ++ goto end; ++ if (!TEST_ptr(mac = OPENSSL_malloc(req))) ++ goto end; ++ maclen = req; ++ if (!TEST_true(EVP_DigestSignFinal(ctx, mac, &maclen))) ++ goto end; ++ if (cmac_tests[cmac_test_index].fips_approved) { ++ if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(ctx))) ++ goto end; ++ } else { ++ if (!TEST_false(fips_sli_is_approved_EVP_MD_CTX(ctx))) ++ goto end; ++ } ++ ++ success = 1; ++end: ++ if (mac) ++ OPENSSL_free(mac); ++ EVP_MD_CTX_free(ctx); ++ return success; ++} ++ ++#ifndef OPENSSL_NO_EC ++typedef struct { ++ int fips_approved; ++ int curve_nid; ++} SLI_ECDSA_TEST; ++ ++static const SLI_ECDSA_TEST ecdsa_tests[] = { ++ {0, NID_secp112r2}, ++ {1, NID_secp521r1}, ++#ifndef OPENSSL_NO_EC2M ++ {0, NID_sect163r1}, ++#endif ++ {0, NID_brainpoolP512r1}, ++}; ++static const size_t ecdsa_tests_len = sizeof(ecdsa_tests) / sizeof(ecdsa_tests[0]); ++ ++/* Adapted from openssl/test/ecdsatest.c */ ++static int ecdsa_via_EVP_DigestSign(int ecdsa_test_index) { ++ unsigned char *sig = NULL; ++ EC_KEY *eckey = NULL; ++ EVP_PKEY *pkey = NULL; ++ EVP_MD_CTX *mctx = NULL; ++ size_t sig_len; ++ const int nid = ecdsa_tests[ecdsa_test_index].curve_nid; ++ int success = 0; ++ const uint8_t* tbs = get_msg_128(); ++ ++ TEST_note("testing ECDSA for curve %s", OBJ_nid2sn(nid)); ++ ++ if (!TEST_ptr(mctx = EVP_MD_CTX_new()) ++ || !TEST_ptr(eckey = EC_KEY_new_by_curve_name(nid)) ++ || !TEST_true(EC_KEY_generate_key(eckey)) ++ || !TEST_ptr(pkey = EVP_PKEY_new()) ++ || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey))) ++ goto err; ++ ++ sig_len = ECDSA_size(eckey); ++ ++ if (!TEST_ptr(sig = OPENSSL_malloc(sig_len)) ++ /* create a signature */ ++ || !TEST_true(EVP_DigestSignInit(mctx, NULL, NULL, NULL, pkey)) ++ || !TEST_true(EVP_DigestSign(mctx, sig, &sig_len, tbs, sizeof(tbs))) ++ || !TEST_int_le(sig_len, ECDSA_size(eckey))) ++ goto err; ++ ++ // SLI shows proper status for sign() ++ if (ecdsa_tests[ecdsa_test_index].fips_approved) { ++ if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(mctx))) ++ goto err; ++ } else { ++ if (!TEST_false(fips_sli_is_approved_EVP_MD_CTX(mctx))) ++ goto err; ++ } ++ ++ /* positive test, verify with correct key, 1 return */ ++ if (!TEST_true(EVP_MD_CTX_reset(mctx)) ++ || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey))) ++ goto err; ++ ++ /* a resetted and initialised ctx should be okay again */ ++ if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(mctx))) ++ goto err; ++ ++ if (!TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)) ++ goto err; ++ ++ // SLI shows proper status for verify() ++ if (ecdsa_tests[ecdsa_test_index].fips_approved) { ++ if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(mctx))) ++ goto err; ++ } else { ++ if (!TEST_false(fips_sli_is_approved_EVP_MD_CTX(mctx))) ++ goto err; ++ } ++ ++ success = 1; ++err: ++ EVP_PKEY_free(pkey); ++ if (mctx != NULL) ++ EVP_MD_CTX_free(mctx); ++ if (sig != NULL) ++ OPENSSL_free(sig); ++ return success; ++} ++#endif ++ ++typedef struct { ++ int fips_approved; ++ int cipher_nid; ++} SLI_CIPHER_TEST; ++ ++static const SLI_CIPHER_TEST cipher_tests[] = { ++ {1, NID_aes_128_cfb128}, ++ {1, NID_aes_256_gcm}, ++ {0, NID_des_ede3_cbc}, ++ {0, NID_des_ede3_cfb8}, ++ {0, NID_des_ofb64}, ++ {0, NID_des_ede_ecb}, ++ {0, NID_des_ede_ofb64}, ++ {0, NID_idea_cbc}, ++}; ++static const size_t cipher_tests_len = sizeof(cipher_tests) / sizeof(cipher_tests[0]); ++ ++static size_t get_ciphertext_len(size_t plaintextlen, const EVP_CIPHER *cipher) { ++ /* maximum value according to manpage */ ++ return plaintextlen + EVP_CIPHER_block_size(cipher); ++} ++ ++static int cipher(int cipher_test_index) { ++ int success = 0; ++ unsigned char *key = NULL, *iv = NULL, *ctext = NULL; ++ int ctext_written_len = 0; ++ const EVP_CIPHER *cipher = NULL; ++ EVP_CIPHER_CTX *ctx = NULL; ++ const uint8_t* const ptext = get_msg_16(); ++ const size_t ptext_len = 16; ++ const int cipher_nid = cipher_tests[cipher_test_index].cipher_nid; ++ ++ TEST_note("testing SLI for cipher %s", OBJ_nid2sn(cipher_nid)); ++ ++#ifdef OPENSSL_NO_IDEA ++ switch (cipher_nid) { ++ case NID_idea_cbc: ++ TEST_note("Skipping test since IDEA is not supported in this build"); ++ success = 1; ++ goto end; ++ } ++#endif ++ ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ switch (cipher_nid) { ++ case NID_des_ofb64: ++ case NID_des_ede_ecb: ++ case NID_des_ede_ofb64: ++ case NID_idea_cbc: ++ TEST_note("Skipping test since DES/IDEA are disabled in FIPS mode"); ++ success = 1; ++ goto end; ++ } ++ } ++#endif ++ ++ if (!TEST_ptr(cipher = EVP_get_cipherbynid(cipher_nid))) { ++ goto end; ++ } ++ ++ const size_t key_len = EVP_CIPHER_key_length(cipher); ++ const size_t iv_len = EVP_CIPHER_iv_length(cipher); ++ TEST_note("have keylen = %zd, ivlen = %zd", key_len, iv_len); ++ ++ if (!TEST_ptr(key = OPENSSL_malloc(key_len)) ++ || !TEST_ptr(ctext = OPENSSL_malloc(get_ciphertext_len(ptext_len, cipher))) ++ || !TEST_true(RAND_bytes(key, key_len) == 1)) ++ goto end; ++ ++ if (iv_len != 0) { ++ if (!TEST_ptr(iv = OPENSSL_malloc(iv_len)) ++ || !TEST_true(RAND_bytes(iv, iv_len) == 1)) ++ goto end; ++ } ++ ++ int tmp_len = 0; ++ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) ++ || !TEST_true(EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv) == 1) ++ || !TEST_true(EVP_EncryptUpdate(ctx, ctext, &ctext_written_len, ptext, ptext_len) == 1) ++ || !TEST_true(ctext_written_len <= get_ciphertext_len(ptext_len, cipher)) ++ || !TEST_true(EVP_EncryptFinal_ex(ctx, ctext + ctext_written_len, &tmp_len) == 1)) ++ goto end; ++ ++ if (!TEST_true(ctext_written_len + tmp_len <= get_ciphertext_len(ptext_len, cipher))) ++ goto end; ++ ++ if (cipher_tests[cipher_test_index].fips_approved) { ++ if (!TEST_true(fips_sli_is_approved_EVP_CIPHER_CTX(ctx))) ++ goto end; ++ } else { ++ if (!TEST_false(fips_sli_is_approved_EVP_CIPHER_CTX(ctx))) ++ goto end; ++ } ++ ++ success = 1; ++end: ++ EVP_CIPHER_CTX_free(ctx); ++ if (key != NULL) ++ OPENSSL_free(key); ++ if (iv != NULL) ++ OPENSSL_free(iv); ++ if (ctext != NULL) ++ OPENSSL_free(ctext); ++ return success; ++} ++ ++#ifndef OPENSSL_NO_RSA ++typedef struct { ++ int fips_approved; ++ int cipher_nid; ++ uint8_t rsa_key_id; ++} SLI_SEALENV_TEST; ++ ++static const SLI_SEALENV_TEST sealenv_tests[] = { ++ // consider RSA enc/dec as always disapproved ++ {0, NID_aes_128_cfb128, 0}, ++ {0, NID_aes_256_gcm, 1}, ++ {0, NID_idea_cbc, 0}, ++ {0, NID_des_ede3_cbc, 2}, ++ {0, NID_aes_128_ecb, 0}, ++ {0, NID_aes_128_ecb, 3}, ++ {0, NID_aes_128_ccm, 3}, ++}; ++static const size_t sealenv_tests_len = sizeof(sealenv_tests) / sizeof(sealenv_tests[0]); ++ ++/* Asymmetric enc/dec */ ++static int sealenv(int sealenv_test_index) { ++ int success = 0; ++ RSA *rsa_pkey = RSA_new(); ++ EVP_PKEY *pkey = NULL; ++ const EVP_CIPHER *cipher = NULL; ++ const int cipher_nid = sealenv_tests[sealenv_test_index].cipher_nid; ++ EVP_CIPHER_CTX *ctx = NULL; ++ ++ uint8_t* enc_sym_key = NULL; ++ int enc_sym_key_len = 0; ++ ++ const uint8_t* const ptext = get_msg_128(); ++ const size_t ptext_len = 128; ++ unsigned char *iv = NULL, *ctext = NULL; ++ size_t ctext_len = 0; ++ int ctext_written_len = 0; ++ ++ switch (sealenv_tests[sealenv_test_index].rsa_key_id) { ++ case 0: ++ get_rsa_key1(rsa_pkey); ++ break; ++ case 1: ++ get_rsa_key2(rsa_pkey); ++ break; ++ case 2: ++ get_rsa_key3(rsa_pkey); ++ break; ++ case 3: ++ if (!TEST_int_eq(256, get_rsa_key2048p3(rsa_pkey))) ++ goto end; ++ break; ++ default: ++ goto end; ++ } ++ ++ TEST_note("RSA enc with key #%d, cipher %s", ++ sealenv_tests[sealenv_test_index].rsa_key_id, ++ OBJ_nid2sn(cipher_nid)); ++ ++#ifdef OPENSSL_NO_IDEA ++ switch (cipher_nid) { ++ case NID_idea_cbc: ++ TEST_note("Skipping test since IDEA is not supported in this build"); ++ success = 1; ++ goto end; ++ } ++#endif ++ ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ switch (cipher_nid) { ++ case NID_idea_cbc: ++ TEST_note("Skipping test since IDEA is disabled in FIPS mode"); ++ success = 1; ++ goto end; ++ } ++ } ++#endif ++ ++ if (!TEST_ptr(pkey = EVP_PKEY_new()) ++ || !TEST_true(EVP_PKEY_assign_RSA(pkey, rsa_pkey)) ++ || !TEST_ptr(cipher = EVP_get_cipherbynid(cipher_nid)) ++ || !TEST_ptr(enc_sym_key = OPENSSL_malloc(EVP_PKEY_size(pkey))) ++ || !TEST_ptr(ctext = OPENSSL_malloc(get_ciphertext_len(ptext_len, cipher))) ++ ) ++ goto end; ++ ++ const size_t iv_len = EVP_CIPHER_iv_length(cipher); ++ if (iv_len != 0) { ++ if (!TEST_ptr(iv = OPENSSL_malloc(iv_len))) ++ goto end; ++ } ++ ++ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) ++ || !TEST_true(1 == EVP_SealInit(ctx, cipher, &enc_sym_key, &enc_sym_key_len, iv, &pkey, 1)) ++ || !TEST_true(enc_sym_key_len > 0 && enc_sym_key_len <= EVP_PKEY_size(pkey)) ++ || !TEST_true(1 == EVP_SealUpdate(ctx, ctext, &ctext_written_len, ptext, ptext_len)) ++ ) ++ goto end; ++ ctext_len += ctext_written_len; ++ if (!TEST_true(1 == EVP_SealFinal(ctx, ctext + ctext_len, &ctext_written_len))) ++ goto end; ++ ctext_len += ctext_written_len; ++ if (!TEST_true(ctext_len <= get_ciphertext_len(ptext_len, cipher))) ++ goto end; ++ ++ if (sealenv_tests[sealenv_test_index].fips_approved) { ++ if (!TEST_true(fips_sli_is_approved_EVP_CIPHER_CTX(ctx))) ++ goto end; ++ } else { ++ if (!TEST_false(fips_sli_is_approved_EVP_CIPHER_CTX(ctx))) ++ goto end; ++ } ++ ++ success = 1; ++end: ++ EVP_PKEY_free(pkey); /* also frees rsa_pkey */ ++ if (ctx != NULL) ++ EVP_CIPHER_CTX_free(ctx); ++ if (enc_sym_key != NULL) ++ OPENSSL_free(enc_sym_key); ++ if (iv != NULL) ++ OPENSSL_free(iv); ++ if (ctext != NULL) ++ OPENSSL_free(ctext); ++ return success; ++} ++#endif ++ ++typedef struct { ++ int fips_approved; ++ int iterations; ++ int nid_digest; ++ const uint8_t key_expected[32]; // length has to be 32 ++} SLI_PBKDF2_TEST; ++ ++static const SLI_PBKDF2_TEST pbkdf2_tests[] = { ++ { ++ 1, 4200, NID_sha256, { ++ 0xE7, 0xBE, 0x37, 0x75, 0x9D, 0x53, 0x3E, 0x5A, 0x06, 0x20, 0xC9, 0xA5, 0x3A, 0x8D, 0xA2, 0x9E, ++ 0x9C, 0x27, 0xDF, 0x26, 0x24, 0xAB, 0xD8, 0x8E, 0x56, 0xE5, 0xB9, 0xF5, 0xA0, 0xD6, 0xD5, 0xEE ++ } ++ }, ++ { ++ 1, 1347, NID_sha256, { ++ 0xFB, 0xBB, 0xEC, 0x28, 0x5B, 0x48, 0xE7, 0xC2, 0x54, 0x4E, 0x65, 0x0F, 0x1E, 0xC8, 0xB5, 0x1C, ++ 0xF5, 0xAD, 0xAE, 0x2A, 0x21, 0x56, 0x94, 0xD2, 0xE1, 0xB7, 0xC8, 0x7D, 0x7A, 0x0D, 0x63, 0x86 ++ } ++ }, ++ { ++ 1, 4200, NID_sha1, { ++ 0x45, 0x96, 0x78, 0xF3, 0x92, 0x74, 0xAC, 0x5B, 0x1F, 0x2B, 0xD3, 0x75, 0x1A, 0xBA, 0x5D, 0xBE, ++ 0xF2, 0xDE, 0xE9, 0x88, 0x16, 0x4B, 0x0B, 0x84, 0x94, 0xD9, 0xC2, 0x2D, 0xC1, 0xB9, 0xB0, 0x8A ++ } ++ }, ++ { ++ 1, 4200, NID_sha3_512, { ++ 0x1E, 0x77, 0xC8, 0x28, 0x9A, 0x79, 0x2E, 0x25, 0x85, 0x8D, 0x73, 0xB3, 0x0D, 0xA1, 0x26, 0x65, ++ 0xC0, 0x04, 0x7D, 0x91, 0xB6, 0x5F, 0x89, 0x5E, 0x01, 0x82, 0x23, 0x35, 0x19, 0x2E, 0x5C, 0x09 ++ } ++ }, ++ { ++ 0, 1347, NID_md5, { ++ 0xC2, 0x78, 0x16, 0xDC, 0xD1, 0xC5, 0x71, 0xBD, 0x4A, 0x06, 0x2B, 0x38, 0x50, 0xE7, 0x4E, 0xC2, ++ 0x0E, 0x74, 0x9D, 0xB1, 0x59, 0xA8, 0xFF, 0x11, 0x24, 0x68, 0xD0, 0xCF, 0x69, 0xE5, 0x30, 0x36 ++ } ++ } ++}; ++static const size_t pbkdf2_tests_len = sizeof(pbkdf2_tests) / sizeof(pbkdf2_tests[0]); ++ ++static int test_PKCS5_PBKDF2_HMAC(int pbkdf2_tests_idx) { ++ int success = 0; ++ const char password[] = "password"; ++ const unsigned char salt[] = {'s', 'a', 'l', 't'}; ++ const size_t password_len = sizeof(password) / sizeof(password[0]); ++ const size_t salt_len = sizeof(salt) / sizeof(salt[0]); ++ ++ int iter = pbkdf2_tests[pbkdf2_tests_idx].iterations; ++ const EVP_MD *digest = EVP_get_digestbynid(pbkdf2_tests[pbkdf2_tests_idx].nid_digest); ++ const size_t key_len = 32; ++ const size_t key_expected_len = key_len; ++ uint8_t* key = NULL; ++ ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ switch (pbkdf2_tests[pbkdf2_tests_idx].nid_digest) { ++ case NID_md5: ++ TEST_note("Skipping test since MD5 is disabled in FIPS mode"); ++ success = 1; ++ goto end; ++ } ++ } ++#endif ++ ++ if (!TEST_ptr(key = OPENSSL_malloc(key_len)) ++ || !TEST_true(1 == PKCS5_PBKDF2_HMAC(password, password_len, salt, salt_len, ++ iter, digest, ++ key_len, key)) ++ || !TEST_true(fips_sli_PKCS5_PBKDF2_HMAC_is_approved(password, password_len, ++ salt, salt_len, ++ iter, digest, ++ key_len, key) == pbkdf2_tests[pbkdf2_tests_idx].fips_approved) ++ || !TEST_mem_eq(key, key_len, pbkdf2_tests[pbkdf2_tests_idx].key_expected, key_expected_len)) ++ goto end; ++ success = 1; ++end: ++ return success; ++} ++ ++typedef struct { ++ int fips_approved; ++ int digest_nid; ++} SLI_SSHKDF_TEST; ++ ++static const SLI_SSHKDF_TEST sshkdf_tests[] = { ++ {1, NID_sha256}, ++ {0, NID_md5}, ++}; ++static const size_t sshkdf_tests_len = sizeof(sshkdf_tests) / sizeof(sshkdf_tests[0]); ++ ++static int sshkdf(int sshkdf_test_idx) { ++ int success = 0; ++ const uint8_t *key = get_key_32(); ++ const uint8_t *xcghash = get_msg_128(); ++ const uint8_t *session_id = get_key_32(); ++ uint8_t kdfout[16]; ++ size_t kdfoutlen = sizeof(kdfout) / sizeof(kdfout[0]); ++ const int digest_nid = sshkdf_tests[sshkdf_test_idx].digest_nid; ++ EVP_KDF_CTX *ctx = NULL; ++ ++ TEST_note("SSHKDF with %s", OBJ_nid2sn(digest_nid)); ++ ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ switch (digest_nid) { ++ case NID_md5: ++ TEST_note("Skipping test since MD5 is disabled in FIPS mode"); ++ success = 1; ++ goto end; ++ } ++ } ++#endif ++ ++ if (!TEST_ptr(ctx = EVP_KDF_CTX_new_id(NID_sshkdf)) ++ || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, EVP_get_digestbynid(digest_nid)) == 1) ++ || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, 32) == 1) ++ || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, session_id, 32) == 1) ++ || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV) == 1) ++ || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, xcghash, 128) == 1) ++ || !TEST_true(fips_sli_is_approved_EVP_KDF_CTX(ctx)) ++ || !TEST_true(EVP_KDF_derive(ctx, kdfout, kdfoutlen) == 1) ++ || !TEST_true(fips_sli_is_approved_EVP_KDF_CTX(ctx) == sshkdf_tests[sshkdf_test_idx].fips_approved) ++ ) ++ goto end; ++ ++ EVP_KDF_reset(ctx); ++ ++ if (!TEST_true(fips_sli_is_approved_EVP_KDF_CTX(ctx))) ++ goto end; ++ ++ success = 1; ++end: ++ EVP_KDF_CTX_free(ctx); ++ return success; ++} ++ ++static int rand_bytes() { ++ int success = 0; ++ unsigned char r[1]; ++ size_t rlen = sizeof(r) / sizeof(r[0]); ++ if (!TEST_true(fips_sli_RAND_bytes_is_approved(r, rlen) == 1) ++ || !TEST_true(RAND_bytes(r, rlen) == 1) ++ || !TEST_true(fips_sli_RAND_priv_bytes_is_approved(r, rlen) == 1) ++ || !TEST_true(RAND_priv_bytes(r, rlen) == 1) ++ || !TEST_true(fips_sli_RAND_priv_bytes_is_approved(r, rlen) == 1) ++ ) ++ goto end; ++ success = 1; ++end: ++ return success; ++} ++ ++int setup_tests(void) { ++ ADD_TEST(test_sli_noop); ++ ADD_TEST(cmac_aes_cbc); ++ ADD_TEST(cmac_no_des); ++ ADD_ALL_TESTS(cmac_via_md_ctx, cmac_tests_len); ++#ifdef OPENSSL_NO_EC ++ TEST_note("Elliptic curves are disabled."); ++#else ++ ADD_ALL_TESTS(ecdsa_via_EVP_DigestSign, ecdsa_tests_len); ++#endif ++ ADD_ALL_TESTS(cipher, cipher_tests_len); ++#ifdef OPENSSL_NO_RSA ++ TEST_note("RSA is disabled."); ++#else ++ ADD_ALL_TESTS(sealenv, sealenv_tests_len); ++#endif ++ ADD_ALL_TESTS(test_PKCS5_PBKDF2_HMAC, pbkdf2_tests_len); ++ ADD_ALL_TESTS(sshkdf, sshkdf_tests_len); ++ ADD_TEST(rand_bytes); ++ ++ return 1; /* success */ ++} +--- /dev/null ++++ b/test/fips_slitest_helper.c +@@ -0,0 +1,489 @@ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++#include "testutil.h" ++#include "fips_slitest_helper.h" ++ ++int make_hmac_keys(EVP_PKEY** skey, EVP_PKEY** vkey) { ++ byte hkey[EVP_MAX_MD_SIZE]; ++ ++ int result = -1; ++ ++ if (!skey || !vkey) ++ return -1; ++ ++ if (*skey != NULL) { ++ EVP_PKEY_free(*skey); ++ *skey = NULL; ++ } ++ ++ if (*vkey != NULL) { ++ EVP_PKEY_free(*vkey); ++ *vkey = NULL; ++ } ++ ++ do { ++ const EVP_MD* md = EVP_sha256(); ++ int size = EVP_MD_size(md); ++ assert(size >= 16); ++ if (!(size >= 16)) { ++ printf("EVP_MD_size failed, error 0x%lx\n", ERR_get_error()); ++ break; /* failed */ ++ } ++ ++ assert(size <= sizeof(hkey)); ++ if (!(size <= sizeof(hkey))) { ++ printf("EVP_MD_size is too large\n"); ++ break; /* failed */ ++ } ++ ++ /* Generate bytes */ ++ int rc = RAND_bytes(hkey, size); ++ assert(rc == 1); ++ if (rc != 1) { ++ printf("RAND_bytes failed, error 0x%lx\n", ERR_get_error()); ++ break; ++ } ++ ++ //print_it("HMAC key", hkey, size); ++ ++ *skey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, hkey, size); ++ assert(*skey != NULL); ++ if (*skey == NULL) { ++ printf("EVP_PKEY_new_mac_key 1st failed, error 0x%lx\n", ERR_get_error()); ++ break; ++ } ++ ++ *vkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, hkey, size); ++ assert(*vkey != NULL); ++ if (*vkey == NULL) { ++ printf("EVP_PKEY_new_mac_key 2nd failed, error 0x%lx\n", ERR_get_error()); ++ break; ++ } ++ ++ result = 0; ++ ++ } while (0); ++ ++ OPENSSL_cleanse(hkey, sizeof(hkey)); ++ ++ /* Convert to 0/1 result */ ++ return !!result; ++} ++static const uint8_t msg[16] = { 0x71, 0x50, 0x00, 0x00, ++ 0xc0, 0xff, 0xee, 0x00, ++ 0xde, 0xad, 0xbe, 0xef, ++ 0x01, 0x02, 0x03, 0x04 ++ }; ++static const uint8_t msg128[128] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, ++ 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, ++ 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, ++ 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, ++ 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, ++ 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, ++ 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, ++ 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, ++ 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, ++ 101, 102, 103, 104, 105, 106, 107, 108, 109, ++ 110, 111, 112, 113, 114, 115, 116, 117, 118, ++ 119, 120, 121, 122, 123, 124, 125, 126, 127 ++ }; ++ ++static const uint8_t key16[16] = { 0xaa, 0xbb, 0xcc, 0xdd, ++ 0x01, 0x02, 0x03, 0x04, ++ 0xaa, 0xbb, 0xcc, 0xdd, ++ 0xde, 0xad, 0xbe, 0xef ++ }; ++static const uint8_t key32[32] = { 0xaa, 0xbb, 0xcc, 0xdd, ++ 0x01, 0x02, 0x03, 0x04, ++ 0xaa, 0xbb, 0xcc, 0xdd, ++ 0xde, 0xad, 0xbe, 0xef, ++ 0xaa, 0xbb, 0xcc, 0xdd, ++ 0x01, 0x02, 0x03, 0x04, ++ 0xaa, 0xbb, 0xcc, 0xdd, ++ 0xde, 0xad, 0xbe, 0xef ++ }; ++ ++const uint8_t* get_msg_16() { ++ return msg; ++} ++ ++const uint8_t* get_msg_128() { ++ return msg128; ++} ++ ++const uint8_t* get_key_16() { ++ return key16; ++} ++ ++const uint8_t* get_key_32() { ++ return key32; ++} ++ ++void print_it(const char* label, const byte* buff, size_t len) { ++ if (!buff || !len) ++ return; ++ ++ if (label) ++ printf("%s: ", label); ++ ++ for (size_t i = 0; i < len; ++i) ++ printf("%02X", buff[i]); ++ ++ printf("\n"); ++} ++ ++int get_cmac_key(int cipher_nid, EVP_PKEY** out) { ++ int success = 0; ++ EVP_PKEY_CTX *ctx = NULL; ++ const size_t key_len = 32; ++ const uint8_t *key = get_key_32(); ++ const EVP_CIPHER *cipher = EVP_get_cipherbynid(cipher_nid); ++ ++ if (!(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_CMAC, NULL))) ++ goto end; ++ if (EVP_PKEY_keygen_init(ctx) != 1) ++ goto end; ++ if (cipher == NULL) ++ goto end; ++ if (EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_CIPHER, 0, (void*)cipher) <= 0) ++ goto end; ++ if (EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_SET_MAC_KEY, key_len, (void*)key) <= 0) ++ goto end; ++ if (!EVP_PKEY_keygen(ctx, out)) ++ goto end; ++ ++ success = 1; ++end: ++ ++ if (ctx) ++ EVP_PKEY_CTX_free(ctx); ++ return success; ++} ++ ++#ifndef OPENSSL_NO_RSA ++# include ++ ++/* adapted from openssl/test/rsa_test.c */ ++# define SetKey \ ++ RSA_set0_key(key, \ ++ BN_bin2bn(n, sizeof(n)-1, NULL), \ ++ BN_bin2bn(e, sizeof(e)-1, NULL), \ ++ BN_bin2bn(d, sizeof(d)-1, NULL)); \ ++ RSA_set0_factors(key, \ ++ BN_bin2bn(p, sizeof(p)-1, NULL), \ ++ BN_bin2bn(q, sizeof(q)-1, NULL)); \ ++ RSA_set0_crt_params(key, \ ++ BN_bin2bn(dmp1, sizeof(dmp1)-1, NULL), \ ++ BN_bin2bn(dmq1, sizeof(dmq1)-1, NULL), \ ++ BN_bin2bn(iqmp, sizeof(iqmp)-1, NULL)); ++ ++void get_rsa_key1(RSA *key) { ++ static unsigned char n[] = ++ "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F" ++ "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5" ++ "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93" ++ "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1" ++ "\xF5"; ++ ++ static unsigned char e[] = "\x11"; ++ ++ static unsigned char d[] = ++ "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44" ++ "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64" ++ "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9" ++ "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51"; ++ ++ static unsigned char p[] = ++ "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" ++ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12" ++ "\x0D"; ++ ++ static unsigned char q[] = ++ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" ++ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" ++ "\x89"; ++ ++ static unsigned char dmp1[] = ++ "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF" ++ "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05"; ++ ++ static unsigned char dmq1[] = ++ "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99" ++ "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D" ++ "\x51"; ++ ++ static unsigned char iqmp[] = ++ "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8" ++ "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26"; ++ ++ SetKey; ++} ++ ++void get_rsa_key2(RSA *key) { ++ static unsigned char n[] = ++ "\x00\xA3\x07\x9A\x90\xDF\x0D\xFD\x72\xAC\x09\x0C\xCC\x2A\x78\xB8" ++ "\x74\x13\x13\x3E\x40\x75\x9C\x98\xFA\xF8\x20\x4F\x35\x8A\x0B\x26" ++ "\x3C\x67\x70\xE7\x83\xA9\x3B\x69\x71\xB7\x37\x79\xD2\x71\x7B\xE8" ++ "\x34\x77\xCF"; ++ ++ static unsigned char e[] = "\x3"; ++ ++ static unsigned char d[] = ++ "\x6C\xAF\xBC\x60\x94\xB3\xFE\x4C\x72\xB0\xB3\x32\xC6\xFB\x25\xA2" ++ "\xB7\x62\x29\x80\x4E\x68\x65\xFC\xA4\x5A\x74\xDF\x0F\x8F\xB8\x41" ++ "\x3B\x52\xC0\xD0\xE5\x3D\x9B\x59\x0F\xF1\x9B\xE7\x9F\x49\xDD\x21" ++ "\xE5\xEB"; ++ ++ static unsigned char p[] = ++ "\x00\xCF\x20\x35\x02\x8B\x9D\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92" ++ "\xEA\x0D\xA3\xB4\x32\x04\xB5\xCF\xCE\x91"; ++ ++ static unsigned char q[] = ++ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" ++ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5F"; ++ ++ static unsigned char dmp1[] = ++ "\x00\x8A\x15\x78\xAC\x5D\x13\xAF\x10\x2B\x22\xB9\x99\xCD\x74\x61" ++ "\xF1\x5E\x6D\x22\xCC\x03\x23\xDF\xDF\x0B"; ++ ++ static unsigned char dmq1[] = ++ "\x00\x86\x55\x21\x4A\xC5\x4D\x8D\x4E\xCD\x61\x77\xF1\xC7\x36\x90" ++ "\xCE\x2A\x48\x2C\x8B\x05\x99\xCB\xE0\x3F"; ++ ++ static unsigned char iqmp[] = ++ "\x00\x83\xEF\xEF\xB8\xA9\xA4\x0D\x1D\xB6\xED\x98\xAD\x84\xED\x13" ++ "\x35\xDC\xC1\x08\xF3\x22\xD0\x57\xCF\x8D"; ++ ++ SetKey; ++} ++ ++void get_rsa_key3(RSA *key) { ++ static unsigned char n[] = ++ "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71" ++ "\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5" ++ "\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD" ++ "\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80" ++ "\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25" ++ "\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39" ++ "\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68" ++ "\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD" ++ "\xCB"; ++ ++ static unsigned char e[] = "\x11"; ++ ++ static unsigned char d[] = ++ "\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD" ++ "\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41" ++ "\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69" ++ "\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA" ++ "\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94" ++ "\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A" ++ "\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94" ++ "\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3" ++ "\xC1"; ++ ++ static unsigned char p[] = ++ "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60" ++ "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6" ++ "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A" ++ "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65" ++ "\x99"; ++ ++ static unsigned char q[] = ++ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" ++ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" ++ "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" ++ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15" ++ "\x03"; ++ ++ static unsigned char dmp1[] = ++ "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A" ++ "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E" ++ "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E" ++ "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81"; ++ ++ static unsigned char dmq1[] = ++ "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9" ++ "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7" ++ "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D" ++ "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D"; ++ ++ static unsigned char iqmp[] = ++ "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23" ++ "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11" ++ "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E" ++ "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39" ++ "\xF7"; ++ ++ SetKey; ++} ++ ++/* taken from openssl/test/rsa_mp_test.c */ ++#define NUM_EXTRA_PRIMES 1 ++/* Returns the public key length (256) on success */ ++int get_rsa_key2048p3(RSA *key) { ++ /* C90 requires string should <= 509 bytes */ ++ static const unsigned char n[] = ++ "\x92\x60\xd0\x75\x0a\xe1\x17\xee\xe5\x5c\x3f\x3d\xea\xba\x74\x91" ++ "\x75\x21\xa2\x62\xee\x76\x00\x7c\xdf\x8a\x56\x75\x5a\xd7\x3a\x15" ++ "\x98\xa1\x40\x84\x10\xa0\x14\x34\xc3\xf5\xbc\x54\xa8\x8b\x57\xfa" ++ "\x19\xfc\x43\x28\xda\xea\x07\x50\xa4\xc4\x4e\x88\xcf\xf3\xb2\x38" ++ "\x26\x21\xb8\x0f\x67\x04\x64\x43\x3e\x43\x36\xe6\xd0\x03\xe8\xcd" ++ "\x65\xbf\xf2\x11\xda\x14\x4b\x88\x29\x1c\x22\x59\xa0\x0a\x72\xb7" ++ "\x11\xc1\x16\xef\x76\x86\xe8\xfe\xe3\x4e\x4d\x93\x3c\x86\x81\x87" ++ "\xbd\xc2\x6f\x7b\xe0\x71\x49\x3c\x86\xf7\xa5\x94\x1c\x35\x10\x80" ++ "\x6a\xd6\x7b\x0f\x94\xd8\x8f\x5c\xf5\xc0\x2a\x09\x28\x21\xd8\x62" ++ "\x6e\x89\x32\xb6\x5c\x5b\xd8\xc9\x20\x49\xc2\x10\x93\x2b\x7a\xfa" ++ "\x7a\xc5\x9c\x0e\x88\x6a\xe5\xc1\xed\xb0\x0d\x8c\xe2\xc5\x76\x33" ++ "\xdb\x26\xbd\x66\x39\xbf\xf7\x3c\xee\x82\xbe\x92\x75\xc4\x02\xb4" ++ "\xcf\x2a\x43\x88\xda\x8c\xf8\xc6\x4e\xef\xe1\xc5\xa0\xf5\xab\x80" ++ "\x57\xc3\x9f\xa5\xc0\x58\x9c\x3e\x25\x3f\x09\x60\x33\x23\x00\xf9" ++ "\x4b\xea\x44\x87\x7b\x58\x8e\x1e\xdb\xde\x97\xcf\x23\x60\x72\x7a" ++ "\x09\xb7\x75\x26\x2d\x7e\xe5\x52\xb3\x31\x9b\x92\x66\xf0\x5a\x25"; ++ ++ static const unsigned char e[] = "\x01\x00\x01"; ++ ++ static const unsigned char d[] = ++ "\x6a\x7d\xf2\xca\x63\xea\xd4\xdd\xa1\x91\xd6\x14\xb6\xb3\x85\xe0" ++ "\xd9\x05\x6a\x3d\x6d\x5c\xfe\x07\xdb\x1d\xaa\xbe\xe0\x22\xdb\x08" ++ "\x21\x2d\x97\x61\x3d\x33\x28\xe0\x26\x7c\x9d\xd2\x3d\x78\x7a\xbd" ++ "\xe2\xaf\xcb\x30\x6a\xeb\x7d\xfc\xe6\x92\x46\xcc\x73\xf5\xc8\x7f" ++ "\xdf\x06\x03\x01\x79\xa2\x11\x4b\x76\x7d\xb1\xf0\x83\xff\x84\x1c" ++ "\x02\x5d\x7d\xc0\x0c\xd8\x24\x35\xb9\xa9\x0f\x69\x53\x69\xe9\x4d" ++ "\xf2\x3d\x2c\xe4\x58\xbc\x3b\x32\x83\xad\x8b\xba\x2b\x8f\xa1\xba" ++ "\x62\xe2\xdc\xe9\xac\xcf\xf3\x79\x9a\xae\x7c\x84\x00\x16\xf3\xba" ++ "\x8e\x00\x48\xc0\xb6\xcc\x43\x39\xaf\x71\x61\x00\x3a\x5b\xeb\x86" ++ "\x4a\x01\x64\xb2\xc1\xc9\x23\x7b\x64\xbc\x87\x55\x69\x94\x35\x1b" ++ "\x27\x50\x6c\x33\xd4\xbc\xdf\xce\x0f\x9c\x49\x1a\x7d\x6b\x06\x28" ++ "\xc7\xc8\x52\xbe\x4f\x0a\x9c\x31\x32\xb2\xed\x3a\x2c\x88\x81\xe9" ++ "\xaa\xb0\x7e\x20\xe1\x7d\xeb\x07\x46\x91\xbe\x67\x77\x76\xa7\x8b" ++ "\x5c\x50\x2e\x05\xd9\xbd\xde\x72\x12\x6b\x37\x38\x69\x5e\x2d\xd1" ++ "\xa0\xa9\x8a\x14\x24\x7c\x65\xd8\xa7\xee\x79\x43\x2a\x09\x2c\xb0" ++ "\x72\x1a\x12\xdf\x79\x8e\x44\xf7\xcf\xce\x0c\x49\x81\x47\xa9\xb1"; ++ ++ static const unsigned char p[] = ++ "\x06\x77\xcd\xd5\x46\x9b\xc1\xd5\x58\x00\x81\xe2\xf3\x0a\x36\xb1" ++ "\x6e\x29\x89\xd5\x2f\x31\x5f\x92\x22\x3b\x9b\x75\x30\x82\xfa\xc5" ++ "\xf5\xde\x8a\x36\xdb\xc6\xe5\x8f\xef\x14\x37\xd6\x00\xf9\xab\x90" ++ "\x9b\x5d\x57\x4c\xf5\x1f\x77\xc4\xbb\x8b\xdd\x9b\x67\x11\x45\xb2" ++ "\x64\xe8\xac\xa8\x03\x0f\x16\x0d\x5d\x2d\x53\x07\x23\xfb\x62\x0d" ++ "\xe6\x16\xd3\x23\xe8\xb3"; ++ ++ static const unsigned char q[] = ++ "\x06\x66\x9a\x70\x53\xd6\x72\x74\xfd\xea\x45\xc3\xc0\x17\xae\xde" ++ "\x79\x17\xae\x79\xde\xfc\x0e\xf7\xa4\x3a\x8c\x43\x8f\xc7\x8a\xa2" ++ "\x2c\x51\xc4\xd0\x72\x89\x73\x5c\x61\xbe\xfd\x54\x3f\x92\x65\xde" ++ "\x4d\x65\x71\x70\xf6\xf2\xe5\x98\xb9\x0f\xd1\x0b\xe6\x95\x09\x4a" ++ "\x7a\xdf\xf3\x10\x16\xd0\x60\xfc\xa5\x10\x34\x97\x37\x6f\x0a\xd5" ++ "\x5d\x8f\xd4\xc3\xa0\x5b"; ++ ++ static const unsigned char dmp1[] = ++ "\x05\x7c\x9e\x1c\xbd\x90\x25\xe7\x40\x86\xf5\xa8\x3b\x7a\x3f\x99" ++ "\x56\x95\x60\x3a\x7b\x95\x4b\xb8\xa0\xd7\xa5\xf1\xcc\xdc\x5f\xb5" ++ "\x8c\xf4\x62\x95\x54\xed\x2e\x12\x62\xc2\xe8\xf6\xde\xce\xed\x8e" ++ "\x77\x6d\xc0\x40\x25\x74\xb3\x5a\x2d\xaa\xe1\xac\x11\xcb\xe2\x2f" ++ "\x0a\x51\x23\x1e\x47\xb2\x05\x88\x02\xb2\x0f\x4b\xf0\x67\x30\xf0" ++ "\x0f\x6e\xef\x5f\xf7\xe7"; ++ ++ static const unsigned char dmq1[] = ++ "\x01\xa5\x6b\xbc\xcd\xe3\x0e\x46\xc6\x72\xf5\x04\x56\x28\x01\x22" ++ "\x58\x74\x5d\xbc\x1c\x3c\x29\x41\x49\x6c\x81\x5c\x72\xe2\xf7\xe5" ++ "\xa3\x8e\x58\x16\xe0\x0e\x37\xac\x1f\xbb\x75\xfd\xaf\xe7\xdf\xe9" ++ "\x1f\x70\xa2\x8f\x52\x03\xc0\x46\xd9\xf9\x96\x63\x00\x27\x7e\x5f" ++ "\x38\x60\xd6\x6b\x61\xe2\xaf\xbe\xea\x58\xd3\x9d\xbc\x75\x03\x8d" ++ "\x42\x65\xd6\x6b\x85\x97"; ++ ++ static const unsigned char iqmp[] = ++ "\x03\xa1\x8b\x80\xe4\xd8\x87\x25\x17\x5d\xcc\x8d\xa9\x8a\x22\x2b" ++ "\x6c\x15\x34\x6f\x80\xcc\x1c\x44\x04\x68\xbc\x03\xcd\x95\xbb\x69" ++ "\x37\x61\x48\xb4\x23\x13\x08\x16\x54\x6a\xa1\x7c\xf5\xd4\x3a\xe1" ++ "\x4f\xa4\x0c\xf5\xaf\x80\x85\x27\x06\x0d\x70\xc0\xc5\x19\x28\xfe" ++ "\xee\x8e\x86\x21\x98\x8a\x37\xb7\xe5\x30\x25\x70\x93\x51\x2d\x49" ++ "\x85\x56\xb3\x0c\x2b\x96"; ++ ++ static const unsigned char ex_prime[] = ++ "\x03\x89\x22\xa0\xb7\x3a\x91\xcb\x5e\x0c\xfd\x73\xde\xa7\x38\xa9" ++ "\x47\x43\xd6\x02\xbf\x2a\xb9\x3c\x48\xf3\x06\xd6\x58\x35\x50\x56" ++ "\x16\x5c\x34\x9b\x61\x87\xc8\xaa\x0a\x5d\x8a\x0a\xcd\x9c\x41\xd9" ++ "\x96\x24\xe0\xa9\x9b\x26\xb7\xa8\x08\xc9\xea\xdc\xa7\x15\xfb\x62" ++ "\xa0\x2d\x90\xe6\xa7\x55\x6e\xc6\x6c\xff\xd6\x10\x6d\xfa\x2e\x04" ++ "\x50\xec\x5c\x66\xe4\x05"; ++ ++ static const unsigned char ex_exponent[] = ++ "\x02\x0a\xcd\xc3\x82\xd2\x03\xb0\x31\xac\xd3\x20\x80\x34\x9a\x57" ++ "\xbc\x60\x04\x57\x25\xd0\x29\x9a\x16\x90\xb9\x1c\x49\x6a\xd1\xf2" ++ "\x47\x8c\x0e\x9e\xc9\x20\xc2\xd8\xe4\x8f\xce\xd2\x1a\x9c\xec\xb4" ++ "\x1f\x33\x41\xc8\xf5\x62\xd1\xa5\xef\x1d\xa1\xd8\xbd\x71\xc6\xf7" ++ "\xda\x89\x37\x2e\xe2\xec\x47\xc5\xb8\xe3\xb4\xe3\x5c\x82\xaa\xdd" ++ "\xb7\x58\x2e\xaf\x07\x79"; ++ ++ static const unsigned char ex_coefficient[] = ++ "\x00\x9c\x09\x88\x9b\xc8\x57\x08\x69\x69\xab\x2d\x9e\x29\x1c\x3c" ++ "\x6d\x59\x33\x12\x0d\x2b\x09\x2e\xaf\x01\x2c\x27\x01\xfc\xbd\x26" ++ "\x13\xf9\x2d\x09\x22\x4e\x49\x11\x03\x82\x88\x87\xf4\x43\x1d\xac" ++ "\xca\xec\x86\xf7\x23\xf1\x64\xf3\xf5\x81\xf0\x37\x36\xcf\x67\xff" ++ "\x1a\xff\x7a\xc7\xf9\xf9\x67\x2d\xa0\x9d\x61\xf8\xf6\x47\x5c\x2f" ++ "\xe7\x66\xe8\x3c\x3a\xe8"; ++ ++ BIGNUM **pris = NULL, **exps = NULL, **coeffs = NULL; ++ int rv = 256; /* public key length */ ++ ++ if (!TEST_int_eq(RSA_set0_key(key, ++ BN_bin2bn(n, sizeof(n) - 1, NULL), ++ BN_bin2bn(e, sizeof(e) - 1, NULL), ++ BN_bin2bn(d, sizeof(d) - 1, NULL)), 1)) ++ goto err; ++ ++ if (!TEST_int_eq(RSA_set0_factors(key, ++ BN_bin2bn(p, sizeof(p) - 1, NULL), ++ BN_bin2bn(q, sizeof(q) - 1, NULL)), 1)) ++ goto err; ++ ++ if (!TEST_int_eq(RSA_set0_crt_params(key, ++ BN_bin2bn(dmp1, sizeof(dmp1) - 1, NULL), ++ BN_bin2bn(dmq1, sizeof(dmq1) - 1, NULL), ++ BN_bin2bn(iqmp, sizeof(iqmp) - 1, ++ NULL)), 1)) ++ return 0; ++ ++ pris = OPENSSL_zalloc(sizeof(BIGNUM *)); ++ exps = OPENSSL_zalloc(sizeof(BIGNUM *)); ++ coeffs = OPENSSL_zalloc(sizeof(BIGNUM *)); ++ if (!TEST_ptr(pris) || !TEST_ptr(exps) || !TEST_ptr(coeffs)) ++ goto err; ++ ++ pris[0] = BN_bin2bn(ex_prime, sizeof(ex_prime) - 1, NULL); ++ exps[0] = BN_bin2bn(ex_exponent, sizeof(ex_exponent) - 1, NULL); ++ coeffs[0] = BN_bin2bn(ex_coefficient, sizeof(ex_coefficient) - 1, NULL); ++ if (!TEST_ptr(pris[0]) || !TEST_ptr(exps[0]) || !TEST_ptr(coeffs[0])) ++ goto err; ++ ++ if (!TEST_true(RSA_set0_multi_prime_params(key, pris, exps, ++ coeffs, NUM_EXTRA_PRIMES))) ++ goto err; ++ ++ret: ++ OPENSSL_free(pris); ++ OPENSSL_free(exps); ++ OPENSSL_free(coeffs); ++ return rv; ++err: ++ if (pris != NULL) ++ BN_free(pris[0]); ++ if (exps != NULL) ++ BN_free(exps[0]); ++ if (coeffs != NULL) ++ BN_free(coeffs[0]); ++ rv = 0; ++ goto ret; ++} ++ ++#endif +--- /dev/null ++++ b/test/fips_slitest_helper.h +@@ -0,0 +1,29 @@ ++#ifndef __FIPS_SLITEST_HELPER_H__ ++#define __FIPS_SLITEST_HELPER_H__ ++ ++#include ++ ++typedef unsigned char byte; ++ ++/** Create a MAC key: one copy for macgen, one for macver (verification) ++ * Adapted from https://wiki.openssl.org/images/1/1b/T-hmac.c.tar.gz ++ */ ++int make_hmac_keys(EVP_PKEY** skey, EVP_PKEY** vkey); ++ ++/* Adapted from https://wiki.openssl.org/images/1/1b/T-hmac.c.tar.gz */ ++void print_it(const char* label, const byte* buff, size_t len); ++ ++int get_cmac_key(int cipher_nid, EVP_PKEY** out); ++ ++const uint8_t* get_msg_16(); ++const uint8_t* get_msg_128(); ++/* Get constant keys of specified length */ ++const uint8_t* get_key_16(); ++const uint8_t* get_key_32(); ++ ++void get_rsa_key1(RSA *key); ++void get_rsa_key2(RSA *key); ++void get_rsa_key3(RSA *key); ++int get_rsa_key2048p3(RSA *key); ++ ++#endif /* __FIPS_SLITEST_HELPER_H__ */ +--- /dev/null ++++ b/test/recipes/30-test_fips_sli.t +@@ -0,0 +1,4 @@ ++#!/usr/bin/env perl ++use OpenSSL::Test::Simple; ++ ++simple_test("test_fips_sli", "fips_slitest", "fips_sli"); +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -4636,3 +4636,14 @@ EVP_KDF_size + EVP_KDF_derive 6597 1_1_1d EXIST::FUNCTION: + EC_GROUP_get0_field 6598 1_1_1l EXIST::FUNCTION:EC + NONFIPS_selftest_check 6599 1_1_1l EXIST::FUNCTION: ++fips_sli_is_approved_EVP_MD_CTX 6600 1_1_1l EXIST::FUNCTION: ++fips_sli_is_approved_CMAC_CTX 6601 1_1_1l EXIST::FUNCTION: ++fips_sli_is_approved_HMAC_CTX 6602 1_1_1l EXIST::FUNCTION: ++fips_sli_is_approved_EVP_PKEY_CTX 6603 1_1_1l EXIST::FUNCTION: ++fips_sli_is_approved_EVP_CIPHER_CTX 6604 1_1_1l EXIST::FUNCTION: ++fips_sli_is_approved_EVP_KDF_CTX 6605 1_1_1l EXIST::FUNCTION: ++fips_sli_SHA1_is_approved 6606 1_1_1l EXIST::FUNCTION: ++fips_sli_PKCS5_PBKDF2_HMAC_is_approved 6607 1_1_1l EXIST::FUNCTION: ++fips_sli_HMAC_is_approved 6608 1_1_1l EXIST::FUNCTION: ++fips_sli_RAND_bytes_is_approved 6609 1_1_1l EXIST::FUNCTION: ++fips_sli_RAND_priv_bytes_is_approved 6610 1_1_1l EXIST::FUNCTION: diff --git a/openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch b/openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch new file mode 100644 index 0000000..949e7cb --- /dev/null +++ b/openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch @@ -0,0 +1,39 @@ +diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c +index 6adff696c..29b23f9f7 100644 +--- a/crypto/evp/e_aes.c ++++ b/crypto/evp/e_aes.c +@@ -4366,6 +4366,21 @@ FIPS_STATUS EVP_CIPHER_get_fips_status(const EVP_CIPHER *cipher) { + /* intended fall-through */ + case 256: + return FIPS_APPROVED; ++ case 512: ++ if (cipher->do_cipher == aes_xts_cipher ++ #if defined(OPENSSL_CPUID_OBJ) && ( \ ++ ((defined(__i386) || defined(__i386__) || defined(_M_IX86))\ ++ && defined(OPENSSL_IA32_SSE2)) \ ++ || defined(__x86_64) || defined(__x86_64__) \ ++ || defined(_M_AMD64) || defined(_M_X64)) ++ || cipher->do_cipher == aesni_xts_cipher ++ #elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__) ++ || cipher->do_cipher == s390x_aes_xts_cipher ++ #endif ++ ) ++ return FIPS_APPROVED; ++ else ++ return FIPS_ERROR; + } + } + /* disapproved for enc and dec: all others, including +diff --git a/test/fips_slitest.c b/test/fips_slitest.c +index d32f748a6..9e37cf36b 100644 +--- a/test/fips_slitest.c ++++ b/test/fips_slitest.c +@@ -260,6 +260,8 @@ static const SLI_CIPHER_TEST cipher_tests[] = { + {0, NID_des_ede_ecb}, + {0, NID_des_ede_ofb64}, + {0, NID_idea_cbc}, ++ {1, NID_aes_128_xts}, ++ {1, NID_aes_256_xts}, + }; + static const size_t cipher_tests_len = sizeof(cipher_tests) / sizeof(cipher_tests[0]); + diff --git a/openssl-1_1-ossl-sli-005-EC_group_order_bits.patch b/openssl-1_1-ossl-sli-005-EC_group_order_bits.patch new file mode 100644 index 0000000..08f8aeb --- /dev/null +++ b/openssl-1_1-ossl-sli-005-EC_group_order_bits.patch @@ -0,0 +1,24 @@ +--- + crypto/fips/fips_sli.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/crypto/fips/fips_sli.c ++++ b/crypto/fips/fips_sli.c +@@ -328,14 +328,14 @@ static FIPS_STATUS get_fips_keygen_ecdsa + BN_set_bit(pwr24, 24); + BN_set_bit(pwr32, 32); + +- if (224 < n && n <= 255) { ++ if (224 <= n && n <= 255) { + if (BN_cmp(cofactor, pwr14) != 1) + ret = FIPS_APPROVED; +- } else if (256 < n && n <= 383) { ++ } else if (256 <= n && n <= 383) { + if (BN_cmp(cofactor, pwr16) != 1) + ret = FIPS_APPROVED; + +- } else if (384 < n && n <= 511) { ++ } else if (384 <= n && n <= 511) { + if (BN_cmp(cofactor, pwr24) != 1) + ret = FIPS_APPROVED; + diff --git a/openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch b/openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch new file mode 100644 index 0000000..21e5b42 --- /dev/null +++ b/openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch @@ -0,0 +1,52 @@ +Index: openssl-1.1.1l/crypto/rsa/rsa_pmeth.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/rsa/rsa_pmeth.c ++++ openssl-1.1.1l/crypto/rsa/rsa_pmeth.c +@@ -140,13 +140,11 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c + unsigned int sltmp; + if (rctx->pad_mode != RSA_PKCS1_PADDING) + return -1; +- /* PKCS1-v1.5 padding is disallowed after 2023 */ +- fips_sli_disapprove_EVP_PKEY_CTX(ctx); + ret = RSA_sign_ASN1_OCTET_STRING(0, + tbs, tbslen, sig, &sltmp, rsa); +- + if (ret <= 0) + return ret; ++ fips_sli_check_hash_siggen_EVP_PKEY_CTX(ctx, rctx->md); + ret = sltmp; + } else if (rctx->pad_mode == RSA_X931_PADDING) { + if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) { +@@ -179,13 +177,12 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c + ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, + sig, rsa, RSA_X931_PADDING); + } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { +- /* PKCS1-v1.5 padding is disallowed after 2023 */ +- fips_sli_disapprove_EVP_PKEY_CTX(ctx); + unsigned int sltmp; + ret = RSA_sign(EVP_MD_type(rctx->md), + tbs, tbslen, sig, &sltmp, rsa); + if (ret <= 0) + return ret; ++ fips_sli_check_hash_siggen_EVP_PKEY_CTX(ctx, rctx->md); + ret = sltmp; + } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { + if (!setup_tbuf(rctx, ctx)) +@@ -290,10 +287,13 @@ static int pkey_rsa_verify(EVP_PKEY_CTX + + if (rctx->md) { + if (rctx->pad_mode == RSA_PKCS1_PADDING) { +- /* PKCS1-v1.5 padding is disallowed after 2023 */ +- fips_sli_disapprove_EVP_PKEY_CTX(ctx); +- return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, +- sig, siglen, rsa); ++ int ret; ++ ret = RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, ++ sig, siglen, rsa); ++ if (ret <= 0) ++ return 0; ++ fips_sli_check_hash_sigver_EVP_PKEY_CTX(ctx, rctx->md); ++ return ret; + } + if (tbslen != (size_t)EVP_MD_size(rctx->md)) { + RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH); diff --git a/openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch b/openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch new file mode 100644 index 0000000..409b39b --- /dev/null +++ b/openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch @@ -0,0 +1,14 @@ +Index: openssl-1.1.1l/crypto/kdf/pbkdf2.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/kdf/pbkdf2.c ++++ openssl-1.1.1l/crypto/kdf/pbkdf2.c +@@ -185,7 +185,8 @@ static int kdf_pbkdf2_derive(EVP_KDF_IMP + } + + fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl); +- ++ fips_sli_fsm_struct_evp_kdf_impl_st(impl, ++ fips_sli_get_kdf_keylen_status(keylen)); + return pkcs5_pbkdf2_alg((char *)impl->pass, impl->pass_len, + impl->salt, impl->salt_len, impl->iter, + impl->md, key, keylen); diff --git a/openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch b/openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch new file mode 100644 index 0000000..07216f6 --- /dev/null +++ b/openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch @@ -0,0 +1,136 @@ +--- + crypto/fips/fips_sli.c | 21 +++++++++++++++++++ + crypto/kdf/pbkdf2.c | 6 +++++ + include/internal/fips_sli_local.h | 3 ++ + test/fips_slitest.c | 41 ++++++++++++++++++++++---------------- + 4 files changed, 54 insertions(+), 17 deletions(-) + +--- a/crypto/fips/fips_sli.c ++++ b/crypto/fips/fips_sli.c +@@ -231,6 +231,27 @@ FIPS_STATUS fips_sli_get_kdf_keylen_stat + return FIPS_NONAPPROVED; + } + ++FIPS_STATUS fips_sli_get_kdf_saltlen_status(size_t saltlen_bytes) { ++ if (saltlen_bytes >= 128/8) ++ return FIPS_APPROVED; ++ else ++ return FIPS_NONAPPROVED; ++} ++ ++FIPS_STATUS fips_sli_get_kdf_iteration_status(size_t iter) { ++ if (iter >= 1000) ++ return FIPS_APPROVED; ++ else ++ return FIPS_NONAPPROVED; ++} ++ ++FIPS_STATUS fips_sli_get_kdf_passlen_status(size_t passlen_bytes) { ++ if (passlen_bytes >= 20) ++ return FIPS_APPROVED; ++ else ++ return FIPS_NONAPPROVED; ++} ++ + void fips_sli_check_key_rsa_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) { + fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(ctx, rsa); + } +--- a/crypto/kdf/pbkdf2.c ++++ b/crypto/kdf/pbkdf2.c +@@ -187,6 +187,12 @@ static int kdf_pbkdf2_derive(EVP_KDF_IMP + fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl); + fips_sli_fsm_struct_evp_kdf_impl_st(impl, + fips_sli_get_kdf_keylen_status(keylen)); ++ fips_sli_fsm_struct_evp_kdf_impl_st(impl, ++ fips_sli_get_kdf_saltlen_status(impl->salt_len)); ++ fips_sli_fsm_struct_evp_kdf_impl_st(impl, ++ fips_sli_get_kdf_iteration_status(impl->iter)); ++ fips_sli_fsm_struct_evp_kdf_impl_st(impl, ++ fips_sli_get_kdf_passlen_status(impl->pass_len)); + return pkcs5_pbkdf2_alg((char *)impl->pass, impl->pass_len, + impl->salt, impl->salt_len, impl->iter, + impl->md, key, keylen); +--- a/include/internal/fips_sli_local.h ++++ b/include/internal/fips_sli_local.h +@@ -70,6 +70,9 @@ FIPS_STATUS fips_sli_get_hash_status_ssh + FIPS_STATUS fips_sli_get_hash_status_pbkdf2(const EVP_MD * md); + FIPS_STATUS fips_sli_get_hash_status_kdf_tls1_prf(const EVP_MD * md); + FIPS_STATUS fips_sli_get_kdf_keylen_status(size_t keylen_bytes); ++FIPS_STATUS fips_sli_get_kdf_saltlen_status(size_t saltlen_bytes); ++FIPS_STATUS fips_sli_get_kdf_iteration_status(size_t iter); ++FIPS_STATUS fips_sli_get_kdf_passlen_status(size_t passlen_bytes); + + /* Check if used curve is okay for and in this context */ + void fips_sli_check_curve_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_GROUP *group); +--- a/test/fips_slitest.c ++++ b/test/fips_slitest.c +@@ -490,36 +490,41 @@ typedef struct { + int nid_digest; + const uint8_t key_expected[32]; // length has to be 32 + } SLI_PBKDF2_TEST; +- + static const SLI_PBKDF2_TEST pbkdf2_tests[] = { + { +- 1, 4200, NID_sha256, { +- 0xE7, 0xBE, 0x37, 0x75, 0x9D, 0x53, 0x3E, 0x5A, 0x06, 0x20, 0xC9, 0xA5, 0x3A, 0x8D, 0xA2, 0x9E, +- 0x9C, 0x27, 0xDF, 0x26, 0x24, 0xAB, 0xD8, 0x8E, 0x56, 0xE5, 0xB9, 0xF5, 0xA0, 0xD6, 0xD5, 0xEE ++ 1, 4096, NID_sha1, { ++ 0x3D, 0x2E, 0xEC, 0x4F, 0xE4, 0x1C, 0x84, 0x9B, 0x80, 0xC8, 0xD8, 0x36, 0x62, 0xC0, 0xE4, 0x4A, ++ 0x8B, 0x29, 0x1A, 0x96, 0x4C, 0xF2, 0xF0, 0x70, 0x38, 0xB6, 0xB8, 0x9A, 0x48, 0x61, 0x2C, 0x5A ++ } ++ }, ++ { ++ 1, 4096, NID_sha256, { ++ 0x34, 0x8C, 0x89, 0xDB, 0xCB, 0xD3, 0x2B, 0x2F, 0x32, 0xD8, 0x14, 0xB8, 0x11, 0x6E, 0x84, 0xCF, ++ 0x2B, 0x17, 0x34, 0x7E, 0xBC, 0x18, 0x00, 0x18, 0x1C, 0x4E, 0x2A, 0x1F, 0xB8, 0xDD, 0x53, 0xE1 + } + }, + { + 1, 1347, NID_sha256, { +- 0xFB, 0xBB, 0xEC, 0x28, 0x5B, 0x48, 0xE7, 0xC2, 0x54, 0x4E, 0x65, 0x0F, 0x1E, 0xC8, 0xB5, 0x1C, +- 0xF5, 0xAD, 0xAE, 0x2A, 0x21, 0x56, 0x94, 0xD2, 0xE1, 0xB7, 0xC8, 0x7D, 0x7A, 0x0D, 0x63, 0x86 ++ 0xD5, 0x99, 0x16, 0xFF, 0x8A, 0xBC, 0x26, 0x37, 0xAF, 0x4B, 0x26, 0xF1, 0x7E, 0x56, 0x8B, 0x7A, ++ 0x00, 0x16, 0xA9, 0xF2, 0x7D, 0x96, 0xDB, 0x33, 0x0A, 0xD0, 0x5F, 0xC3, 0x0C, 0x22, 0xA2, 0xD0 + } + }, + { +- 1, 4200, NID_sha1, { +- 0x45, 0x96, 0x78, 0xF3, 0x92, 0x74, 0xAC, 0x5B, 0x1F, 0x2B, 0xD3, 0x75, 0x1A, 0xBA, 0x5D, 0xBE, +- 0xF2, 0xDE, 0xE9, 0x88, 0x16, 0x4B, 0x0B, 0x84, 0x94, 0xD9, 0xC2, 0x2D, 0xC1, 0xB9, 0xB0, 0x8A ++ 1, 4096, NID_sha512, { ++ 0x8C, 0x05, 0x11, 0xF4, 0xC6, 0xE5, 0x97, 0xC6, 0xAC, 0x63, 0x15, 0xD8, 0xF0, 0x36, 0x2E, 0x22, ++ 0x5F, 0x3C, 0x50, 0x14, 0x95, 0xBA, 0x23, 0xB8, 0x68, 0xC0, 0x05, 0x17, 0x4D, 0xC4, 0xEE, 0x71 + } + }, + { +- 1, 4200, NID_sha3_512, { +- 0x1E, 0x77, 0xC8, 0x28, 0x9A, 0x79, 0x2E, 0x25, 0x85, 0x8D, 0x73, 0xB3, 0x0D, 0xA1, 0x26, 0x65, +- 0xC0, 0x04, 0x7D, 0x91, 0xB6, 0x5F, 0x89, 0x5E, 0x01, 0x82, 0x23, 0x35, 0x19, 0x2E, 0x5C, 0x09 ++ 1, 4096, NID_sha3_512, { ++ 0xD6, 0x07, 0x91, 0xA4, 0xED, 0x27, 0x19, 0x5D, 0x81, 0x3F, 0x35, 0x51, 0x03, 0x51, 0xB9, 0xD1, ++ 0xFF, 0x9A, 0xD4, 0x26, 0x21, 0x53, 0x94, 0x46, 0x09, 0x50, 0xA4, 0xFE, 0x03, 0xDD, 0x9F, 0x54 + } + }, + { +- 0, 1347, NID_md5, { +- 0xC2, 0x78, 0x16, 0xDC, 0xD1, 0xC5, 0x71, 0xBD, 0x4A, 0x06, 0x2B, 0x38, 0x50, 0xE7, 0x4E, 0xC2, +- 0x0E, 0x74, 0x9D, 0xB1, 0x59, 0xA8, 0xFF, 0x11, 0x24, 0x68, 0xD0, 0xCF, 0x69, 0xE5, 0x30, 0x36 ++ 0, 4096, NID_md5, { ++ 0x8D, 0x5D, 0x0A, 0xAD, 0x94, 0xD1, 0x44, 0x20, 0x42, 0x9F, 0xBC, 0x7E, 0x5B, 0x08, 0x7D, 0x7A, ++ 0x55, 0x27, 0xE6, 0x5D, 0xFD, 0x0D, 0x48, 0x6A, 0x31, 0x0E, 0x8A, 0x7B, 0x6F, 0xF5, 0xA2, 0x1B + } + } + }; +@@ -527,8 +532,10 @@ static const size_t pbkdf2_tests_len = s + + static int test_PKCS5_PBKDF2_HMAC(int pbkdf2_tests_idx) { + int success = 0; +- const char password[] = "password"; +- const unsigned char salt[] = {'s', 'a', 'l', 't'}; ++ const char password[] = "passwordPASSWORDpassword"; ++ const unsigned char salt[] = {'s', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', 'S', 'A', 'L', 'T', ++ 's', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', 'S', 'A', 'L', 'T', ++ 's', 'a', 'l', 't'}; + const size_t password_len = sizeof(password) / sizeof(password[0]); + const size_t salt_len = sizeof(salt) / sizeof(salt[0]); + diff --git a/openssl-1_1-paramgen-default_to_rfc7919.patch b/openssl-1_1-paramgen-default_to_rfc7919.patch new file mode 100644 index 0000000..8ec1f9f --- /dev/null +++ b/openssl-1_1-paramgen-default_to_rfc7919.patch @@ -0,0 +1,88 @@ +diff --git a/apps/dhparam.c b/apps/dhparam.c +index 98c7321..ac7feb4 100644 +--- a/apps/dhparam.c ++++ b/apps/dhparam.c +@@ -194,15 +194,42 @@ int dhparam_main(int argc, char **argv) + } else + #endif + { +- dh = DH_new(); +- BIO_printf(bio_err, +- "Generating DH parameters, %d bit long safe prime, generator %d\n", +- num, g); +- BIO_printf(bio_err, "This is going to take a long time\n"); +- if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) { ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ /* In FIPS mode, instead of generating DH parameters we use parameters from an approved group, ++ in this case, RFC-7919. */ ++ int param_nid; ++ switch (num) { ++ case 8192: ++ param_nid = NID_ffdhe8192; ++ break; ++ case 6144: ++ param_nid = NID_ffdhe6144; ++ break; ++ case 4096: ++ param_nid = NID_ffdhe4096; ++ break; ++ case 3072: ++ param_nid = NID_ffdhe3072; ++ break; ++ default: ++ param_nid = NID_ffdhe2048; ++ break; ++ } ++ dh = DH_new_by_nid(param_nid); ++ } else ++#endif /* OPENSSL_FIPS */ ++ { ++ dh = DH_new(); ++ BIO_printf(bio_err, ++ "Generating DH parameters, %d bit long safe prime, generator %d\n", ++ num, g); ++ BIO_printf(bio_err, "This is going to take a long time\n"); ++ if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) { + BN_GENCB_free(cb); + ERR_print_errors(bio_err); + goto end; ++ } + } + } + +diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c +index 261c8a1..d281873 100644 +--- a/crypto/dh/dh_pmeth.c ++++ b/crypto/dh/dh_pmeth.c +@@ -330,6 +330,30 @@ static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) + DH_PKEY_CTX *dctx = ctx->data; + BN_GENCB *pcb; + int ret; ++ ++#ifdef OPENSSL_FIPS ++ /* In FIPS mode we default to an appropriate group. */ ++ if (FIPS_mode() && (!(dctx->rfc5114_param)) && (dctx->param_nid == 0)) { ++ switch (dctx->prime_len) { ++ case 8192: ++ dctx->param_nid = NID_ffdhe8192; ++ break; ++ case 6144: ++ dctx->param_nid = NID_ffdhe6144; ++ break; ++ case 4096: ++ dctx->param_nid = NID_ffdhe4096; ++ break; ++ case 3072: ++ dctx->param_nid = NID_ffdhe3072; ++ break; ++ default: ++ dctx->param_nid = NID_ffdhe2048; ++ break; ++ } ++ } ++#endif /* OPENSSL_FIPS */ ++ + if (dctx->rfc5114_param) { + switch (dctx->rfc5114_param) { + case 1: diff --git a/openssl-1_1-seclevel.patch b/openssl-1_1-seclevel.patch new file mode 100644 index 0000000..e7cce59 --- /dev/null +++ b/openssl-1_1-seclevel.patch @@ -0,0 +1,160 @@ +diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1g/crypto/x509/x509_vfy.c +--- openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/x509/x509_vfy.c 2020-06-05 17:16:54.835536823 +0200 +@@ -3225,6 +3225,7 @@ static int build_chain(X509_STORE_CTX *c + } + + static const int minbits_table[] = { 80, 112, 128, 192, 256 }; ++static const int minbits_digest_table[] = { 80, 80, 128, 192, 256 }; + static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table); + + /* +@@ -3276,6 +3277,11 @@ static int check_sig_level(X509_STORE_CT + + if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL)) + return 0; +- +- return secbits >= minbits_table[level - 1]; ++ /* ++ * Allow SHA1 in SECLEVEL 2 in non-FIPS mode or when the magic ++ * disable SHA1 flag is not set. ++ */ ++ if ((ctx->param->flags & 0x40000000) || FIPS_mode()) ++ return secbits >= minbits_table[level - 1]; ++ return secbits >= minbits_digest_table[level - 1]; + } +diff -up openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod +--- openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod 2020-06-04 15:48:01.608178833 +0200 +@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited + + =item B + +-Security level set to 112 bits of security. As a result RSA, DSA and DH keys +-shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. ++Security level set to 112 bits of security with the exception of SHA1 allowed ++for signatures. ++As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys ++shorter than 224 bits are prohibited. + In addition to the level 1 exclusions any cipher suite using RC4 is also + prohibited. SSL version 3 is also not allowed. Compression is disabled. + +diff -up openssl-1.1.1g/ssl/ssl_cert.c.seclevel openssl-1.1.1g/ssl/ssl_cert.c +--- openssl-1.1.1g/ssl/ssl_cert.c.seclevel 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/ssl/ssl_cert.c 2020-06-05 17:10:11.842198401 +0200 +@@ -27,6 +27,7 @@ + static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, + int op, int bits, int nid, void *other, + void *ex); ++static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx); + + static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT; + static volatile int ssl_x509_store_ctx_idx = -1; +@@ -396,7 +397,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_ + X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s)); + + /* Set suite B flags if needed */ +- X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s)); ++ X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s) | sha1_disable(s, NULL)); + if (!X509_STORE_CTX_set_ex_data + (ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) { + goto end; +@@ -953,12 +954,33 @@ static int ssl_security_default_callback + return 0; + break; + default: ++ /* allow SHA1 in SECLEVEL 2 in non FIPS mode */ ++ if (nid == NID_sha1 && minbits == 112 && !sha1_disable(s, ctx)) ++ break; + if (bits < minbits) + return 0; + } + return 1; + } + ++static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx) ++{ ++ unsigned long ret = 0x40000000; /* a magical internal value used by X509_VERIFY_PARAM */ ++ const CERT *c; ++ ++ if (FIPS_mode()) ++ return ret; ++ ++ if (ctx != NULL) { ++ c = ctx->cert; ++ } else { ++ c = s->cert; ++ } ++ if (tls1_cert_sigalgs_have_sha1(c)) ++ return 0; ++ return ret; ++} ++ + int ssl_security(const SSL *s, int op, int bits, int nid, void *other) + { + return s->cert->sec_cb(s, NULL, op, bits, nid, other, s->cert->sec_ex); +diff -up openssl-1.1.1g/ssl/ssl_local.h.seclevel openssl-1.1.1g/ssl/ssl_local.h +--- openssl-1.1.1g/ssl/ssl_local.h.seclevel 2020-06-04 15:48:01.602178783 +0200 ++++ openssl-1.1.1g/ssl/ssl_local.h 2020-06-05 17:02:22.666313410 +0200 +@@ -2576,6 +2576,7 @@ __owur int tls1_save_sigalgs(SSL *s, PAC + __owur int tls1_process_sigalgs(SSL *s); + __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey); + __owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd); ++int tls1_cert_sigalgs_have_sha1(const CERT *c); + __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs); + # ifndef OPENSSL_NO_EC + __owur int tls_check_sigalg_curve(const SSL *s, int curve); +diff -up openssl-1.1.1g/ssl/t1_lib.c.seclevel openssl-1.1.1g/ssl/t1_lib.c +--- openssl-1.1.1g/ssl/t1_lib.c.seclevel 2020-06-04 15:48:01.654179221 +0200 ++++ openssl-1.1.1g/ssl/t1_lib.c 2020-06-05 17:02:40.268459157 +0200 +@@ -2145,6 +2145,36 @@ int tls1_set_sigalgs(CERT *c, const int + return 0; + } + ++static int tls1_sigalgs_have_sha1(const uint16_t *sigalgs, size_t sigalgslen) ++{ ++ size_t i; ++ ++ for (i = 0; i < sigalgslen; i++, sigalgs++) { ++ const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs); ++ ++ if (lu == NULL) ++ continue; ++ if (lu->hash == NID_sha1) ++ return 1; ++ } ++ return 0; ++} ++ ++ ++int tls1_cert_sigalgs_have_sha1(const CERT *c) ++{ ++ if (c->client_sigalgs != NULL) { ++ if (tls1_sigalgs_have_sha1(c->client_sigalgs, c->client_sigalgslen)) ++ return 1; ++ } ++ if (c->conf_sigalgs != NULL) { ++ if (tls1_sigalgs_have_sha1(c->conf_sigalgs, c->conf_sigalgslen)) ++ return 1; ++ return 0; ++ } ++ return 1; ++} ++ + static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid) + { + int sig_nid, use_pc_sigalgs = 0; +diff -up openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel openssl-1.1.1g/test/recipes/25-test_verify.t +--- openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/test/recipes/25-test_verify.t 2020-06-04 15:48:01.608178833 +0200 +@@ -346,8 +346,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver + ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ), + "CA with PSS signature using SHA256"); + +-ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"), +- "Reject PSS signature using SHA1 and auth level 2"); ++ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "3"), ++ "Reject PSS signature using SHA1 and auth level 3"); + + ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"), + "PSS signature using SHA256 and auth level 2"); diff --git a/openssl-1_1-serialize-jitterentropy-calls.patch b/openssl-1_1-serialize-jitterentropy-calls.patch new file mode 100644 index 0000000..367554f --- /dev/null +++ b/openssl-1_1-serialize-jitterentropy-calls.patch @@ -0,0 +1,80 @@ +--- + crypto/fips/fips_entropy.c | 40 ++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 38 insertions(+), 2 deletions(-) + +--- a/crypto/fips/fips_entropy.c ++++ b/crypto/fips/fips_entropy.c +@@ -4,35 +4,71 @@ + #include "jitterentropy.h" + + static struct rand_data* ec = NULL; ++static CRYPTO_RWLOCK *jent_lock = NULL; ++static int stop = 0; + + struct rand_data* FIPS_entropy_init(void) + { +- if (ec != NULL) ++ if (ec != NULL) { + /* Entropy source has been initiated and collector allocated */ + return ec; ++ } ++ if (stop != 0) { ++ /* FIPS_entropy_cleanup() already called, don't initialize it again */ ++ return NULL; ++ } ++ if (jent_lock == NULL) { ++ /* Allocates a new lock to serialize access to jent library */ ++ jent_lock = CRYPTO_THREAD_lock_new(); ++ if (jent_lock == NULL) { ++ return NULL; ++ } ++ } ++ if (CRYPTO_THREAD_write_lock(jent_lock) == 0) { ++ return NULL; ++ } + /* If the initialization is successful, the call returns with 0 */ + if (jent_entropy_init_ex(1, JENT_FORCE_FIPS) == 0) + /* Allocate entropy collector */ + ec = jent_entropy_collector_alloc(1, JENT_FORCE_FIPS); ++ CRYPTO_THREAD_unlock(jent_lock); + return ec; + } + + void FIPS_entropy_cleanup(void) + { ++ if (jent_lock != NULL && stop == 0) { ++ CRYPTO_THREAD_write_lock(jent_lock); ++ } ++ /* Disable re-initialization in FIPS_entropy_init() */ ++ stop = 1; + /* Free entropy collector */ + if (ec != NULL) { + jent_entropy_collector_free(ec); + ec = NULL; + } ++ CRYPTO_THREAD_lock_free(jent_lock); ++ jent_lock = NULL; + } + + ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen) + { + ssize_t ent_bytes = -1; + +- if (buf != NULL && buflen != 0 && FIPS_entropy_init()) { ++ /* ++ * Order is important. We need to call FIPS_entropy_init() before we ++ * acquire jent_lock, otherwise it can lead to deadlock. Once we have ++ * jent_lock, we need to ensure that FIPS_entropy_cleanup() was not called ++ * in the meantime. Then it's safe to read entropy. ++ */ ++ if (buf != NULL ++ && buflen != 0 ++ && FIPS_entropy_init() ++ && CRYPTO_THREAD_write_lock(jent_lock) != 0 ++ && stop == 0) { + /* Get entropy */ + ent_bytes = jent_read_entropy_safe(&ec, (char *)buf, buflen); ++ CRYPTO_THREAD_unlock(jent_lock); + } + return ent_bytes; + } diff --git a/openssl-1_1-shortcut-test_afalg_aes_cbc.patch b/openssl-1_1-shortcut-test_afalg_aes_cbc.patch new file mode 100644 index 0000000..cf62f44 --- /dev/null +++ b/openssl-1_1-shortcut-test_afalg_aes_cbc.patch @@ -0,0 +1,14 @@ +diff --git a/test/afalgtest.c b/test/afalgtest.c +index adb2977..c4f848a 100644 +--- a/test/afalgtest.c ++++ b/test/afalgtest.c +@@ -43,6 +43,9 @@ static ENGINE *e; + + static int test_afalg_aes_cbc(int keysize_idx) + { ++ /* This test fails in fips mode, so just shortcut out. */ ++ if ( FIPS_mode()) return 1; ++ + EVP_CIPHER_CTX *ctx; + const EVP_CIPHER *cipher; + unsigned char key[] = "\x06\xa9\x21\x40\x36\xb8\xa1\x5b" diff --git a/openssl-1_1-use-include-directive.patch b/openssl-1_1-use-include-directive.patch new file mode 100644 index 0000000..10822c7 --- /dev/null +++ b/openssl-1_1-use-include-directive.patch @@ -0,0 +1,29 @@ +Index: openssl-1.1.1m/apps/openssl.cnf +=================================================================== +--- openssl-1.1.1m.orig/apps/openssl.cnf ++++ openssl-1.1.1m/apps/openssl.cnf +@@ -11,6 +11,24 @@ + # defined. + HOME = . + ++openssl_conf = openssl_init ++ ++[ openssl_init ] ++ ++engines = engine_section ++ ++[ engine_section ] ++ ++# This include will look through the directory that will contain the ++# engine declarations for any engines provided by other packages. ++.include /etc/ssl/engines1.1.d ++ ++# This include will look through the directory that will contain the ++# definitions of the engines declared in the engine section. ++.include /etc/ssl/engdef1.1.d ++ ++[ oid_section ] ++ + # Extra OBJECT IDENTIFIER info: + #oid_file = $ENV::HOME/.oid + oid_section = new_oids diff --git a/openssl-1_1-use-seclevel2-in-tests.patch b/openssl-1_1-use-seclevel2-in-tests.patch new file mode 100644 index 0000000..ca321ce --- /dev/null +++ b/openssl-1_1-use-seclevel2-in-tests.patch @@ -0,0 +1,38 @@ +Index: openssl-1.1.1d/test/ssl_test.c +=================================================================== +--- openssl-1.1.1d.orig/test/ssl_test.c ++++ openssl-1.1.1d/test/ssl_test.c +@@ -435,6 +440,7 @@ static int test_handshake(int idx) + #endif + if (test_ctx->method == SSL_TEST_METHOD_TLS) { + server_ctx = SSL_CTX_new(TLS_server_method()); ++ SSL_CTX_set_security_level(server_ctx, 1); + if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx, + TLS_MAX_VERSION))) + goto err; +@@ -443,21 +449,25 @@ static int test_handshake(int idx) + SSL_TEST_SERVERNAME_CB_NONE) { + if (!TEST_ptr(server2_ctx = SSL_CTX_new(TLS_server_method()))) + goto err; ++ SSL_CTX_set_security_level(server2_ctx, 1); + if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx, + TLS_MAX_VERSION))) + goto err; + } + client_ctx = SSL_CTX_new(TLS_client_method()); ++ SSL_CTX_set_security_level(client_ctx, 1); + if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx, + TLS_MAX_VERSION))) + goto err; + + if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) { + resume_server_ctx = SSL_CTX_new(TLS_server_method()); ++ SSL_CTX_set_security_level(resume_server_ctx, 1); + if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx, + TLS_MAX_VERSION))) + goto err; + resume_client_ctx = SSL_CTX_new(TLS_client_method()); ++ SSL_CTX_set_security_level(resume_client_ctx, 1); + if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx, + TLS_MAX_VERSION))) + goto err; diff --git a/openssl-1_1.changes b/openssl-1_1.changes new file mode 100644 index 0000000..2e1b714 --- /dev/null +++ b/openssl-1_1.changes @@ -0,0 +1,3980 @@ +------------------------------------------------------------------- +Tue Oct 15 12:46:08 UTC 2024 - Bernhard Wiedemann + +- Add reproducibledate.patch (boo#1231667) + +------------------------------------------------------------------- +Mon Jul 22 16:42:52 UTC 2024 - Pedro Monreal + +- Build with no-afalgeng [bsc#1226463] + +------------------------------------------------------------------- +Mon Jul 22 08:30:16 UTC 2024 - Pedro Monreal + +- Security fix: [bsc#1227138, CVE-2024-5535] + * SSL_select_next_proto buffer overread + * Add openssl-CVE-2024-5535.patch + +------------------------------------------------------------------- +Tue Jun 18 15:52:49 UTC 2024 - Martin Jambor + +- Fixed C99 violations in patches bsc1185319-FIPS-KAT-for-ECDSA.patch + (need to for explicity typecast) and + openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch + (missing include) to allow the package to build with GCC 14. + [boo#1225907] + +------------------------------------------------------------------- +Thu Jun 6 15:12:10 UTC 2024 - Peter Simons + +- Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free + security vulnerability. Calling the function SSL_free_buffers() + potentially caused memory to be accessed that was previously + freed in some situations and a malicious attacker could attempt + to engineer a stituation where this occurs to facilitate a + denial-of-service attack. [CVE-2024-4741, bsc#1225551] + +------------------------------------------------------------------- +Mon May 6 12:11:02 UTC 2024 - Otto Hollmann + +- Security fix: [bsc#1222548, CVE-2024-2511] + * Fix unconstrained session cache growth in TLSv1.3 + * Add openssl-CVE-2024-2511.patch + +------------------------------------------------------------------- +Wed Feb 7 14:48:11 UTC 2024 - Pedro Monreal + +- Enable running the regression tests in FIPS mode. + +------------------------------------------------------------------- +Mon Feb 5 16:29:26 UTC 2024 - Otto Hollmann + +- Rename engines directories to the same name like in SLE: + /etc/ssl/engines1_1.d -> /etc/ssl/engines1.1.d + /etc/ssl/engdef1_1.d -> /etc/ssl/engdef1.1.d + * Add migration script to move files (bsc#1219562) + /etc/ssl/engines.d/* -> /etc/ssl/engines1.1.d + /etc/ssl/engdef.d/* -> /etc/ssl/engdef1.1.d + +------------------------------------------------------------------- +Tue Jan 30 14:15:25 UTC 2024 - Otto Hollmann + +- Security fix: [bsc#1219243, CVE-2024-0727] + * Add NULL checks where ContentInfo data can be NULL + * Add openssl-CVE-2024-0727.patch + +------------------------------------------------------------------- +Mon Jan 22 09:34:28 UTC 2024 - Otto Hollmann + +- Because OpenSSL 1.1.1 is no longer default, let's rename engine + directories to contain version of OpenSSL and let unversioned for + the default OpenSSL. [bsc#1194187, bsc#1207472, bsc#1218933] + * /etc/ssl/engines.d -> /etc/ssl/engines1_1.d + * /etc/ssl/engdef.d -> /etc/ssl/engdef1_1.d + * Update patches: + - openssl-1_1-ossl-sli-002-ran-make-update.patch + - openssl-1_1-use-include-directive.patch + +------------------------------------------------------------------- +Thu Nov 23 09:43:39 UTC 2023 - Otto Hollmann + +- Skip SHA1 test in 20-test_dgst.t when in FIPS mode + * Add openssl-Skip_SHA1-test-in-FIPS-mode.patch +- FIPS: add openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch + * bsc#1190652 - Provide a service to output module name/identifier + and version +- Sync patches with SLE: + * Merge openssl-keep_EVP_KDF_functions_version.patch into + openssl-1.1.1-evp-kdf.patch + * Refresh openssl-1_1-fips-bsc1215215_fips_in_version_string.patch + * Remove openssl-no-date.patch + +------------------------------------------------------------------- +Mon Nov 13 09:29:26 UTC 2023 - Otto Hollmann + +- Security fix: [bsc#1216922, CVE-2023-5678] + * Fix excessive time spent in DH check / generation with large Q + parameter value. + * Applications that use the functions DH_generate_key() to generate + an X9.42 DH key may experience long delays. Likewise, + applications that use DH_check_pub_key(), DH_check_pub_key_ex + () or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 + DH parameters may experience long delays. Where the key or + parameters that are being checked have been obtained from an + untrusted source this may lead to a Denial of Service. + * Add openssl-CVE-2023-5678.patch +- Remove trailing spaces from changelog + +------------------------------------------------------------------- +Thu Oct 19 15:03:14 UTC 2023 - Otto Hollmann + +- Performance enhancements for cryptography from OpenSSL 3.x + [jsc#PED-5086, jsc#PED-3514] + * Add patches: + - openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch + - openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch + - openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch + - openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch + - openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch + - openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch + +------------------------------------------------------------------- +Wed Oct 4 07:15:29 UTC 2023 - Otto Hollmann + +- Displays "fips" in the version string (bsc#1215215) + * Add openssl-1_1-fips-bsc1215215_fips_in_version_string.patch + +------------------------------------------------------------------- +Tue Sep 12 05:09:28 UTC 2023 - Otto Hollmann + +- Update to 1.1.1w: + * Fix POLY1305 MAC implementation corrupting XMM registers on Windows. + + The POLY1305 MAC (message authentication code) implementation in OpenSSL + does not save the contents of non-volatile XMM registers on Windows 64 + platform when calculating the MAC of data larger than 64 bytes. Before + returning to the caller all the XMM registers are set to zero rather than + restoring their previous content. The vulnerable code is used only on newer + x86_64 processors supporting the AVX512-IFMA instructions. + + The consequences of this kind of internal application state corruption can + be various - from no consequences, if the calling application does not + depend on the contents of non-volatile XMM registers at all, to the worst + consequences, where the attacker could get complete control of the + application process. However given the contents of the registers are just + zeroized so the attacker cannot put arbitrary values inside, the most likely + consequence, if any, would be an incorrect result of some application + dependent calculations or a crash leading to a denial of service. + + (CVE-2023-4807) + +------------------------------------------------------------------- +Tue Aug 8 10:34:14 UTC 2023 - Otto Hollmann + +- Add missing FIPS patches from SLE: + * Add patches: + - bsc1185319-FIPS-KAT-for-ECDSA.patch + - bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch + - openssl-1.1.1-fips-fix-memory-leaks.patch + - openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch + - openssl-1_1-FIPS_drbg-rewire.patch + - openssl-1_1-Zeroization.patch + - openssl-1_1-fips-drbg-selftest.patch + - openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch + - openssl-1_1-jitterentropy-3.4.0.patch + - openssl-1_1-ossl-sli-000-fix-build-error.patch + - openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch + - openssl-1_1-ossl-sli-002-ran-make-update.patch + - openssl-1_1-ossl-sli-003-add-sli.patch + - openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch + - openssl-1_1-ossl-sli-005-EC_group_order_bits.patch + - openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch + - openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch + - openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch + - openssl-1_1-serialize-jitterentropy-calls.patch + - openssl-1_1-shortcut-test_afalg_aes_cbc.patch + - openssl-DH.patch + - openssl-FIPS-KAT-before-integrity-tests.patch + - openssl-fips-DH_selftest_shared_secret_KAT.patch + - openssl-fips-kdf-hkdf-selftest.patch + - openssl-kdf-selftest.patch + - openssl-kdf-ssh-selftest.patch + - openssl-kdf-tls-selftest.patch + - openssl-no-date.patch + - openssl-s_client-check-ocsp-status.patch + * Modify patches: + - openssl-1.1.1-fips.patch + - openssl-1_1-FIPS-fix-error-reason-codes.patch + * Remove patches: + - openssl-add_rfc3526_rfc7919.patch + - openssl-fips-dont_run_FIPS_module_installed.patch + - openssl-fips_fix_selftests_return_value.patch + * Add build and runtime dependency on jitterentropy +- Pass over with spec-cleaner + +------------------------------------------------------------------- +Tue Aug 1 16:12:36 UTC 2023 - Pedro Monreal + +- Update to 1.1.1v: + * Fix excessive time spent checking DH q parameter value + (bsc#1213853, CVE-2023-3817). The function DH_check() performs + various checks on DH parameters. After fixing CVE-2023-3446 it + was discovered that a large q parameter value can also trigger + an overly long computation during some of these checks. A + correct q value, if present, cannot be larger than the modulus + p parameter, thus it is unnecessary to perform these checks if + q is larger than p. If DH_check() is called with such q parameter + value, DH_CHECK_INVALID_Q_VALUE return flag is set and the + computationally intensive checks are skipped. + * Fix DH_check() excessive time with over sized modulus + (bsc#1213487, CVE-2023-3446). The function DH_check() performs + various checks on DH parameters. One of those checks confirms + that the modulus ("p" parameter) is not too large. Trying to use + a very large modulus is slow and OpenSSL will not normally use + a modulus which is over 10,000 bits in length. However the + DH_check() function checks numerous aspects of the key or + parameters that have been supplied. Some of those checks use the + supplied modulus value even if it has already been found to be + too large. A new limit has been added to DH_check of 32,768 bits. + Supplying a key/parameters with a modulus over this size will + simply cause DH_check() to fail. + * Update openssl.keyring with the OTC members that sign releases + * Rebase openssl-1_1-openssl-config.patch + * Remove security patches fixed upstream: + - openssl-CVE-2023-3446.patch + - openssl-CVE-2023-3446-test.patch + +------------------------------------------------------------------- +Mon Jul 24 12:40:38 UTC 2023 - Otto Hollmann + +- Dont pass zero length input to EVP_Cipher because assembler + optimized AES cannot handle zero size. [bsc#1213517] + * Add openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch + +------------------------------------------------------------------- +Thu Jul 20 07:48:20 UTC 2023 - Pedro Monreal + +- Security fix: [bsc#1213487, CVE-2023-3446] + * Fix DH_check() excessive time with over sized modulus. + * The function DH_check() performs various checks on DH parameters. + One of those checks confirms that the modulus ("p" parameter) is + not too large. Trying to use a very large modulus is slow and + OpenSSL will not normally use a modulus which is over 10,000 bits + in length. + However the DH_check() function checks numerous aspects of the + key or parameters that have been supplied. Some of those checks + use the supplied modulus value even if it has already been found + to be too large. + A new limit has been added to DH_check of 32,768 bits. Supplying + a key/parameters with a modulus over this size will simply cause + DH_check() to fail. + * Add openssl-CVE-2023-3446.patch openssl-CVE-2023-3446-test.patch + +------------------------------------------------------------------- +Tue Jun 20 15:18:56 UTC 2023 - Otto Hollmann + +- Improve cross-package provides/conflicts [boo#1210313] + * Add Provides/Conflicts: ssl-devel + * Remove explicit conflicts with other devel-libraries + +------------------------------------------------------------------- +Wed May 31 08:31:09 UTC 2023 - Otto Hollmann + +- Update to 1.1.1u: + * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic + OBJECT IDENTIFIER sub-identifiers to canonical numeric text form. + + OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical + numeric text form. For gigantic sub-identifiers, this would take a very + long time, the time complexity being O(n^2) where n is the size of that + sub-identifier. (CVE-2023-2650, bsc#1211430) + + To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT + IDENTIFIER to canonical numeric text form if the size of that OBJECT + IDENTIFIER is 586 bytes or less, and fail otherwise. + + The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT + IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at + most 128 sub-identifiers, and that the maximum value that each sub- + identifier may have is 2^32-1 (4294967295 decimal). + + For each byte of every sub-identifier, only the 7 lower bits are part of + the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with + these restrictions may occupy is 32 * 128 / 7, which is approximately 586 + bytes. + + Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 + + * Reworked the Fix for the Timing Oracle in RSA Decryption + (CVE-2022-4304, bsc#1207534). The previous fix for this timing side + channel turned out to cause a severe 2-3x performance regression in the + typical use case compared to 1.1.1s. The new fix uses existing constant + time code paths, and restores the previous performance level while fully + eliminating all existing timing side channels. The fix was developed by + Bernd Edlinger with testing support by Hubert Kario. + + * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that + it does not enable policy checking. Thanks to David Benjamin for + discovering this issue. (CVE-2023-0466, bsc#1209873) + + * Fixed an issue where invalid certificate policies in leaf certificates are + silently ignored by OpenSSL and other certificate policy checks are + skipped for that certificate. A malicious CA could use this to + deliberately assert invalid certificate policies in order to circumvent + policy checking on the certificate altogether. + (CVE-2023-0465, bsc#1209878) + + * Limited the number of nodes created in a policy tree to mitigate against + CVE-2023-0464. The default limit is set to 1000 nodes, which should be + sufficient for most installations. If required, the limit can be + adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define + to a desired maximum number of nodes or zero to allow unlimited growth. + (CVE-2023-0464, bsc#1209624) + + * Rebased patch openssl-1_1-openssl-config.patch + * Removed patches: + - openssl-CVE-2023-0464.patch + - openssl-CVE-2023-0465.patch + - openssl-CVE-2023-0466.patch + * Update openssl.keyring with key + A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C (Tomas Mraz) + +------------------------------------------------------------------- +Mon May 29 07:31:07 UTC 2023 - Pedro Monreal + +- FIPS: Merge libopenssl1_1-hmac package into the library [bsc#1185116] + +------------------------------------------------------------------- +Mon Apr 3 07:40:43 UTC 2023 - Otto Hollmann + +- Security Fix: [CVE-2023-0465, bsc#1209878] + * Invalid certificate policies in leaf certificates are silently ignored + * Add openssl-CVE-2023-0465.patch +- Security Fix: [CVE-2023-0466, bsc#1209873] + * Certificate policy check not enabled + * Add openssl-CVE-2023-0466.patch + +------------------------------------------------------------------- +Fri Mar 24 15:53:47 UTC 2023 - Otto Hollmann + +- Security Fix: [CVE-2023-0464, bsc#1209624] + * Excessive Resource Usage Verifying X.509 Policy Constraints + * Add openssl-CVE-2023-0464.patch + +------------------------------------------------------------------- +Tue Feb 7 15:59:21 UTC 2023 - Otto Hollmann + +- Update to 1.1.1t: + * Fixed X.400 address type confusion in X.509 GeneralName. + There is a type confusion vulnerability relating to X.400 address processing + inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING + but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This + vulnerability may allow an attacker who can provide a certificate chain and + CRL (neither of which need have a valid signature) to pass arbitrary + pointers to a memcmp call, creating a possible read primitive, subject to + some constraints. Refer to the advisory for more information. Thanks to + David Benjamin for discovering this issue. [bsc#1207533, CVE-2023-0286] + + This issue has been fixed by changing the public header file definition of + GENERAL_NAME so that x400Address reflects the implementation. It was not + possible for any existing application to successfully use the existing + definition; however, if any application references the x400Address field + (e.g. in dead code), note that the type of this field has changed. There is + no ABI change. + * Fixed Use-after-free following BIO_new_NDEF. + The public API function BIO_new_NDEF is a helper function used for + streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL + to support the SMIME, CMS and PKCS7 streaming capabilities, but may also + be called directly by end user applications. + + The function receives a BIO from the caller, prepends a new BIO_f_asn1 + filter BIO onto the front of it to form a BIO chain, and then returns + the new head of the BIO chain to the caller. Under certain conditions, + for example if a CMS recipient public key is invalid, the new filter BIO + is freed and the function returns a NULL result indicating a failure. + However, in this case, the BIO chain is not properly cleaned up and the + BIO passed by the caller still retains internal pointers to the previously + freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO + then a use-after-free will occur. This will most likely result in a crash. + [bsc#1207536, CVE-2023-0215] + * Fixed Double free after calling PEM_read_bio_ex. + The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and + decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload + data. If the function succeeds then the "name_out", "header" and "data" + arguments are populated with pointers to buffers containing the relevant + decoded data. The caller is responsible for freeing those buffers. It is + possible to construct a PEM file that results in 0 bytes of payload data. + In this case PEM_read_bio_ex() will return a failure code but will populate + the header argument with a pointer to a buffer that has already been freed. + If the caller also frees this buffer then a double free will occur. This + will most likely lead to a crash. + + The functions PEM_read_bio() and PEM_read() are simple wrappers around + PEM_read_bio_ex() and therefore these functions are also directly affected. + + These functions are also called indirectly by a number of other OpenSSL + functions including PEM_X509_INFO_read_bio_ex() and + SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL + internal uses of these functions are not vulnerable because the caller does + not free the header argument if PEM_read_bio_ex() returns a failure code. + [bsc#1207538, CVE-2022-4450] + [Kurt Roeckx, Matt Caswell] + * Fixed Timing Oracle in RSA Decryption. + A timing based side channel exists in the OpenSSL RSA Decryption + implementation which could be sufficient to recover a plaintext across + a network in a Bleichenbacher style attack. To achieve a successful + decryption an attacker would have to be able to send a very large number + of trial messages for decryption. The vulnerability affects all RSA padding + modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. + [bsc#1207534, CVE-2022-4304] + * Rebased openssl-1_1-openssl-config.patch + * Update openssl.keyring with key + 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C (Richard Levitte) + +------------------------------------------------------------------- +Wed Dec 14 12:56:06 UTC 2022 - Pedro Monreal + +- Set OpenSSL 3.0 as the default openssl [bsc#1205042] + * For compatibility with OpenSSL 3.0, the OpenSSL master + configuration file openssl.cnf has been renamed to + openssl-1_1.cnf. The executables openssl, c_rehash, CA.pl and + tsget.pl have been also renamed to openssl-1_1, c_rehash-1_1, + CA-1_1.pl and tsget-1_1.pl, respectively. + * Add openssl-1_1-devel as conflicting with libopenssl-3-devel + * Add openssl-1_1-openssl-config.patch + +------------------------------------------------------------------- +Wed Dec 14 09:04:40 UTC 2022 - Otto Hollmann + +- POWER10 performance enhancements for cryptography [jsc#PED-512] + * openssl-1_1-AES-GCM-performance-optimzation-with-stitched-method.patch + * openssl-1_1-Fixed-counter-overflow.patch + * openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch + * openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch + * openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch + +------------------------------------------------------------------- +Wed Nov 2 12:00:40 UTC 2022 - Otto Hollmann + +- Updated openssl.keyring with key A21FAB74B0088AA361152586B8EF1A6BA9DA2D5C + +- Update to 1.1.1s: + * Fixed a regression introduced in 1.1.1r version not refreshing the + certificate data to be signed before signing the certificate. + +- Update to 1.1.1r: + * Fixed the linux-mips64 Configure target which was missing the + SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that + platform. + * Fixed a strict aliasing problem in bn_nist. Clang-14 optimisation was + causing incorrect results in some cases as a result. + * Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to + report correct results in some cases + * Fixed a regression introduced in 1.1.1o for re-signing certificates with + different key sizes + * Added the loongarch64 target + * Fixed a DRBG seed propagation thread safety issue + * Fixed a memory leak in tls13_generate_secret + * Fixed reported performance degradation on aarch64. Restored the + implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid + 32-bit lane assignment in CTR mode") for 64bit targets only, since it is + reportedly 2-17% slower and the silicon errata only affects 32bit targets. + The new algorithm is still used for 32 bit targets. + * Added a missing header for memcmp that caused compilation failure on some + platforms + +------------------------------------------------------------------- +Sat Sep 24 02:40:39 UTC 2022 - Jason Sikes + +- Added openssl-1_1-paramgen-default_to_rfc7919.patch + * bsc#1180995 + * Default to RFC7919 groups when generating ECDH parameters + using 'genpkey' or 'dhparam' in FIPS mode. + +------------------------------------------------------------------- +Thu Jul 7 02:17:23 UTC 2022 - Jason Sikes + +- update to 1.1.1q: + * [CVE-2022-2097, bsc#1201099] + * Addresses situations where AES OCB fails to encrypt some bytes + +------------------------------------------------------------------- +Tue Jun 28 14:19:34 UTC 2022 - Andreas Schwab + +- openssl-riscv64-config.patch: backport of riscv64 config support + +------------------------------------------------------------------- +Thu Jun 23 04:55:58 UTC 2022 - Jason Sikes + +- Update to 1.1.1p: + * bsc#1185637 - updated certificates required for testing that failed + when date is later than 1 June 2022 + - removed openssl-update_expired_certificates.patch + * [bsc#1200550, CVE-2022-2068] - more shell code injection issues in c_rehash + +------------------------------------------------------------------- +Thu Jun 2 20:54:04 UTC 2022 - Jason Sikes + +- Update to 1.1.1o: [CVE-2022-1292, bsc#1199166] + * Fixed a bug in the c_rehash script which was not properly sanitising + shell metacharacters to prevent command injection. + * Rebased openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch + * Rebased openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch + +- Added openssl-update_expired_certificates.patch + * Openssl failed tests because of expired certificates. + * bsc#1185637 + * Sourced from https://github.com/openssl/openssl/pull/18446/commits + +------------------------------------------------------------------- +Tue Mar 15 17:41:47 UTC 2022 - Pedro Monreal + +- Update to 1.1.1n: [bsc#1196877, CVE-2022-0778] + * Security fix [CVE-2022-0778]: Infinite loop for non-prime moduli + in BN_mod_sqrt() reachable when parsing certificates. + * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK + (RFC 5489) to the list of ciphersuites providing Perfect Forward + Secrecy as required by SECLEVEL >= 3. + * Rebase openssl-1.1.1-fips.patch openssl-1.1.1-evp-kdf.patch + +------------------------------------------------------------------- +Fri Mar 4 13:11:14 UTC 2022 - Pedro Monreal + +- Security fix: [bsc#1192820, CVE-2002-20001] + * Fix DHEATER: The Diffie-Hellman Key Agreement Protocol allows + remote attackers (from the client side) to send arbitrary + numbers that are actually not public keys, and trigger + expensive server-side DHE calculation. + * Stop recommending the DHE in SSL_DEFAULT_SUSE_CIPHER_LIST + * Rebase openssl-DEFAULT_SUSE_cipher.patch + +------------------------------------------------------------------- +Tue Feb 22 17:35:53 UTC 2022 - Pedro Monreal + +- Fix the engines section in /etc/ssl/openssl.cnf [bsc#1194187] + * In an INI-type file, the sections begin with a [section_name] + and they run until the next section begins. + * Rebase openssl-1_1-use-include-directive.patch + +------------------------------------------------------------------- +Fri Feb 11 12:32:11 UTC 2022 - Pedro Monreal + +- Pull libopenssl-1_1 when updating openssl-1_1 with the same + version. [bsc#1195792] + +------------------------------------------------------------------- +Fri Feb 4 12:29:24 UTC 2022 - Pedro Monreal + +- FIPS: Fix function and reason error codes [bsc#1182959] + * Add openssl-1_1-FIPS-fix-error-reason-codes.patch + +------------------------------------------------------------------- +Thu Feb 3 15:58:29 UTC 2022 - Pedro Monreal + +- Enable zlib compression support [bsc#1195149] + +------------------------------------------------------------------- +Fri Jan 28 17:33:51 UTC 2022 - Pedro Monreal + +- Backport cryptographic improvements from OpenSSL 3 [jsc#SLE-19742] + * Optimize RSA on armv8: openssl-1_1-Optimize-RSA-armv8.patch + * Optimize AES-XTS mode for aarch64: + openssl-1_1-Optimize-AES-XTS-aarch64.patch + * Optimize AES-GCM for uarchs with unroll and new instructions: + openssl-1_1-Optimize-AES-GCM-uarchs.patch + +------------------------------------------------------------------- +Fri Jan 28 17:33:23 UTC 2022 - Pedro Monreal + +- POWER10 performance enhancements for cryptography [jsc#SLE-18136] + * openssl-1_1-Optimize-ppc64.patch + +------------------------------------------------------------------- +Tue Dec 28 12:34:04 UTC 2021 - Pedro Monreal + +- Update to 1.1.1m: + * Avoid loading of a dynamic engine twice. + * Prioritise DANE TLSA issuer certs over peer certs +- Rebased patches: + * openssl-1.1.1-evp-kdf.patch + * openssl-1.1.1-system-cipherlist.patch + +------------------------------------------------------------------- +Mon Dec 6 22:21:15 UTC 2021 - Mark Post + +- Added openssl-1_1-use-include-directive.patch so that the default + /etc/ssl/openssl.cnf file will include any configuration files that + other packages might place into /etc/ssl/engines.d/ and + /etc/ssl/engdef.d/ This is a fix for bsc#1004463 where scripting was + being used to modify the openssl.cnf file. The scripting would fail + if either the default openssl.cnf file, or the sample openssl-ibmca + configuration file would be changed by upstream. +- Updated spec file to create the two new necessary directores for + the above patch. + +------------------------------------------------------------------- +Thu Nov 11 18:50:47 UTC 2021 - Giuliano Belinassi + +- Add support for livepatches (jsc#SLE-20049). +- Generate ipa-clones tarball artifact when livepatching is enabled. + +------------------------------------------------------------------- +Tue Nov 2 11:34:56 UTC 2021 - Andreas Schneider + +- Add missing libopenssl1_1-hmac 32bit package + +------------------------------------------------------------------- +Mon Nov 1 08:51:22 UTC 2021 - Dan Čermák + +- Drop openssl-no-date.patch + + Upstream added support for reproducible builds via SOURCE_DATE_EPOCH in + https://github.com/openssl/openssl/commit/8a8d9e190533ee41e8b231b18c7837f98f1ae231 + thereby making this patch obsolete as builds *should* still be reproducible. + +------------------------------------------------------------------- +Mon Sep 27 10:24:43 UTC 2021 - Pedro Monreal + +- Enforce crypto-policies for the upcoming Leap 15.4 and SLE 15-SP4 + +------------------------------------------------------------------- +Tue Aug 24 19:32:25 UTC 2021 - Pedro Monreal + +- Update to 1.1.1l: + * [bsc#1189520, CVE-2021-3711] Fixed an SM2 Decryption Buffer Overflow. + * [bsc#1189521, CVE-2021-3712] Fixed various read buffer overruns + processing ASN.1 strings + +------------------------------------------------------------------- +Wed Jul 28 10:05:34 UTC 2021 - Pedro Monreal + +- Require the crypto-policies package from libopenssl-1_1 + +------------------------------------------------------------------- +Mon May 17 14:28:52 UTC 2021 - Jason Sikes + +- Added openssl-add_rfc3526_rfc7919.patch + * Genpkey: "-pkeyopt dh_param:" can now choose modp_* (rfc3526) + and ffdhe* (rfc7919) groups. Example: + $ openssl genpkey -genparam -algorithm DH -pkeyopt dh_param:ffdhe4096 + * DH_new_by_nid(), DH_get_nid(), and EVP_PKEY_CTX_set_dh_nid(): + NID_modp_* groups are now available, similar to NID_ffdhe*. + * Fixes bsc#1180995 - openssl s_server fails when FIPS is enabled + +------------------------------------------------------------------- +Thu Mar 25 23:51:47 UTC 2021 - Jason Sikes + +- Update to 1.1.1k + * Fixed a problem with verifying a certificate chain when using + the X509_V_FLAG_X509_STRICT flag. This flag enables additional + security checks of the certificates present in a certificate + chain. It is not set by default. ([CVE-2021-3450]) + [bsc#1183851] + + * Fixed an issue where an OpenSSL TLS server may crash if sent a + maliciously crafted renegotiation ClientHello message from a + client. If a TLSv1.2 renegotiation ClientHello omits the + signature_algorithms extension (where it was present in the + initial ClientHello), but includes a signature_algorithms_cert + extension then a NULL pointer dereference will result, leading + to a crash and a denial of service attack. + + A server is only vulnerable if it has TLSv1.2 and renegotiation + enabled (which is the default configuration). OpenSSL TLS + clients are not impacted by this issue. ([CVE-2021-3449]) + [bsc#1183852] + +------------------------------------------------------------------- +Tue Mar 2 19:40:25 UTC 2021 - Pedro Monreal + +- Fix unresolved error codes [bsc#1182959] +- Update patches: + * openssl-1.1.1-fips.patch + * openssl-1.1.1-evp-kdf.patch + +------------------------------------------------------------------- +Fri Feb 19 08:01:01 UTC 2021 - Pedro Monreal + +- Update to 1.1.1j + * Fixed the X509_issuer_and_serial_hash() function. It attempts + to create a unique hash value based on the issuer and serial + number data contained within an X509 certificate. However it + was failing to correctly handle any errors that may occur + while parsing the issuer field [bsc#1182331, CVE-2021-23841] + * Fixed the RSA_padding_check_SSLv23() function and the + RSA_SSLV23_PADDING padding mode to correctly check for + rollback attacks. + * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and + EVP_DecryptUpdate functions. Previously they could overflow the + output length argument in some cases where the input length is + close to the maximum permissable length for an integer on the + platform. In such cases the return value from the function call + would be 1 (indicating success), but the output length value + would be negative. This could cause applications to behave + incorrectly or crash. [bsc#1182333, CVE-2021-23840] + * Fixed SRP_Calc_client_key so that it runs in constant time. + The previous implementation called BN_mod_exp without setting + BN_FLG_CONSTTIME. This could be exploited in a side channel + attack to recover the password. Since the attack is local host + only this is outside of the current OpenSSL threat model and + therefore no CVE is assigned. +- Rebase patches: + * openssl-1.1.1-fips.patch + * openssl-1.1.0-issuer-hash.patch + * openssl-1.1.1-evp-kdf.patch + +------------------------------------------------------------------- +Sat Feb 6 14:44:12 UTC 2021 - Jason Sikes + +- Removed patch because it was causing problems with other servers. + * openssl-zero-pad-DHE-public-key.patch + * bsc#1181796 + +------------------------------------------------------------------- +Thu Feb 4 18:23:17 UTC 2021 - Jason Sikes + +- Zero pad the DHE public key in ClientKeyExchange for interoperability with + Windows Server 2019. + * openssl-zero-pad-DHE-public-key.patch + * bsc#1181796 + * sourced from https://github.com/openssl/openssl/pull/12331/files + +------------------------------------------------------------------- +Fri Jan 22 09:05:41 UTC 2021 - Pedro Monreal + +- Add version guards for the crypto-policies + +------------------------------------------------------------------- +Wed Jan 20 15:59:01 UTC 2021 - Pedro Monreal + +- Disable test_srp subsection from 90-test_sslapi.t test +- Use SECLEVEL 2 in 80-test_ssl_new.t +- Add patches: + * openssl-1_1-use-seclevel2-in-tests.patch + * openssl-1_1-disable-test_srp-sslapi.patch + +------------------------------------------------------------------- +Fri Jan 8 17:49:33 UTC 2021 - Pedro Monreal + +- Allow SHA1 in SECLEVEL 2 in non-FIPS mode +- Add openssl-1_1-seclevel.patch + +------------------------------------------------------------------- +Thu Dec 17 17:16:08 UTC 2020 - Pedro Monreal + +- Require the crypto-policies package [bsc#1180051] + +------------------------------------------------------------------- +Tue Dec 8 15:43:32 UTC 2020 - Vítězslav Čížek + +- Update to 1.1.1i (bsc#1179491) + * Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971) +- Refresh openssl-1.1.1-fips-post-rand.patch + +------------------------------------------------------------------- +Thu Nov 19 10:54:53 UTC 2020 - Vítězslav Čížek + +- Use the centralized crypto policy profile (jsc#SLE-15832) + * add openssl-1.1.1-system-cipherlist.patch from Fedora + +------------------------------------------------------------------- +Mon Oct 12 15:22:54 UTC 2020 - Dominique Leuenberger + +- Escape rpm command %%expand when used in comment. + +------------------------------------------------------------------- +Tue Sep 22 20:43:59 UTC 2020 - Vítězslav Čížek + +- Update to 1.1.1h + * Disallow explicit curve parameters in verifications chains when X509_V_FLAG_X509_STRICT is used + * Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS contexts +- refresh openssl-fips_selftest_upstream_drbg.patch + * DRBG internals got renamed back: + reseed_gen_counter -> generate_counter + reseed_prop_counter -> reseed_counter + +------------------------------------------------------------------- +Fri May 15 09:51:22 UTC 2020 - Vítězslav Čížek + +- Limit the DRBG selftests to not deplete entropy (bsc#1165274) + * fixes also Firefox crashing with Kerberos (bsc#1167132) + * update openssl-fips_selftest_upstream_drbg.patch + +------------------------------------------------------------------- +Tue Apr 21 13:47:04 UTC 2020 - Vítězslav Čížek + +- Update to 1.1.1g + * Fixed segmentation fault in SSL_check_chain (CVE-2020-1967, bsc#1169407) + Server or client applications that call the SSL_check_chain() function + during or after a TLS 1.3 handshake may crash due to a NULL pointer + dereference as a result of incorrect handling of the + "signature_algorithms_cert" TLS extension. The crash occurs if an invalid + or unrecognised signature algorithm is received from the peer. This could + be exploited by a malicious peer in a Denial of Service attack. + * Added AES consttime code for no-asm configurations + an optional constant time support for AES was added + when building openssl for no-asm. +- refresh patches: + * openssl-1.1.1-fips.patch + * openssl-1.1.1-fips-crng-test.patch + +------------------------------------------------------------------- +Tue Mar 31 14:05:24 UTC 2020 - Vítězslav Čížek + +- Update to 1.1.1f + * Revert the unexpected EOF reporting via SSL_ERROR_SSL +- refresh openssl-1.1.0-no-html.patch + +------------------------------------------------------------------- +Fri Mar 20 11:58:08 UTC 2020 - Vítězslav Čížek + +- Update to 1.1.1e + * Properly detect EOF while reading in libssl. Previously if we hit an EOF + while reading in libssl then we would report an error back to the + application (SSL_ERROR_SYSCALL) but errno would be 0. We now add + an error to the stack (which means we instead return SSL_ERROR_SSL) and + therefore give a hint as to what went wrong. + * Check that ed25519 and ed448 are allowed by the security level. Previously + signature algorithms not using an MD were not being checked that they were + allowed by the security level. + * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() + was not quite right. The behaviour was not consistent between resumption + and normal handshakes, and also not quite consistent with historical + behaviour. The behaviour in various scenarios has been clarified and + it has been updated to make it match historical behaviour as closely as + possible. + * Corrected the documentation of the return values from the EVP_DigestSign* + set of functions. The documentation mentioned negative values for some + errors, but this was never the case, so the mention of negative values + was removed. + * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. + The presence of this system service is determined at run-time. + * Added newline escaping functionality to a filename when using openssl dgst. + This output format is to replicate the output format found in the '*sum' + checksum programs. This aims to preserve backward compatibility. + * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just + the first value. +- Update bunch of patches as the internal crypto headers got reorganized +- drop openssl-1_1-CVE-2019-1551.patch (upstream) + +------------------------------------------------------------------- +Fri Mar 20 10:22:27 UTC 2020 - Vítězslav Čížek + +- openssl dgst: default to SHA256 only when called without a digest, + not when it couldn't be found (bsc#1166189) + * add openssl-unknown_dgst.patch + +------------------------------------------------------------------- +Wed Mar 4 08:23:23 UTC 2020 - Vítězslav Čížek + +- Limit the DRBG selftests to not deplete entropy (bsc#1165274) + * update openssl-fips_selftest_upstream_drbg.patch + +------------------------------------------------------------------- +Wed Feb 26 13:28:14 UTC 2020 - Vítězslav Čížek + +- Run FIPS DRBG selftests against the crypto/rand DRBG implementation + (bsc#1164557) + * add openssl-fips_selftest_upstream_drbg.patch + +------------------------------------------------------------------- +Fri Feb 21 08:03:05 UTC 2020 - Vítězslav Čížek + +- Use the newly build libcrypto shared library when computing the hmac + checksums in order to avoid a bootstrapping issue by BuildRequiring + libopenssl1_1 (bsc#1164102) + +------------------------------------------------------------------- +Thu Feb 20 13:35:05 UTC 2020 - Vítězslav Čížek + +- Fix wrong return values of FIPS DSA and ECDH selftests (bsc#1163569) + * add openssl-fips_fix_selftests_return_value.patch + +------------------------------------------------------------------- +Tue Feb 18 22:49:46 UTC 2020 - Jason Sikes + +- Added SHA3 FIPS self-tests bsc#1155345 + * openssl-fips-add-SHA3-selftest.patch + +------------------------------------------------------------------- +Tue Jan 28 12:14:59 UTC 2020 - Pedro Monreal Gonzalez + +- Support for CPACF enhancements - part 2 (crypto) [jsc#SLE-7403] +- Add patches: + * openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch + * openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch + +------------------------------------------------------------------- +Thu Jan 23 14:32:28 UTC 2020 - Vítězslav Čížek + +- Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our + layered FIPS initialization (bsc#1161789) + * openssl-fips-ignore_broken_atexit_test.patch + +------------------------------------------------------------------- +Wed Jan 22 13:59:15 UTC 2020 - Vítězslav Čížek + +- Import FIPS patches from SLE-15 + * openssl-fips-dont_run_FIPS_module_installed.patch + * openssl-fips_mode.patch + * openssl-ship_fips_standalone_hmac.patch + * openssl-fips-clearerror.patch + * openssl-fips-selftests_in_nonfips_mode.patch + +------------------------------------------------------------------- +Tue Jan 21 16:08:21 UTC 2020 - Vítězslav Čížek + +- Don't run FIPS power-up self-tests when the checksum files aren't + installed (bsc#1042392) + * add openssl-fips-run_selftests_only_when_module_is_complete.patch + +------------------------------------------------------------------- +Tue Jan 21 11:10:42 UTC 2020 - Vítězslav Čížek + +- Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) + * openssl-1.1.1-fips-crng-test.patch + * openssl-1.1.1-fips-post-rand.patch + * openssl-1.1.1-fips.patch + * openssl-1.1.0-issuer-hash.patch + * openssl-1.1.1-evp-kdf.patch + * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch +- keep EVP_KDF functions at version 1.1.1d for backward compatibility + * add openssl-keep_EVP_KDF_functions_version.patch + +------------------------------------------------------------------- +Fri Dec 20 13:44:06 UTC 2019 - Pedro Monreal Gonzalez + +- Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861] +- Add patches: + * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch + * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch + * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch + * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch + * openssl-s390xcpuid.pl-fix-comment.patch + * openssl-assembly-pack-accelerate-scalar-multiplication.patch + * openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch + * openssl-s390x-assembly-pack-accelerate-ECDSA.patch + * openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch + * openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch + * openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch + * openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch + * openssl-Fix-9bf682f-which-broke-nistp224_method.patch + +------------------------------------------------------------------- +Wed Dec 18 16:29:46 UTC 2019 - Vítězslav Čížek + +- Obsolete libopenssl-1_0_0-devel in order to avoid conflict upon + upgrade from SLE-12 (bsc#1158499) +- remove useless Suggests: libopenssl1_1-hmac, there's no such + package anymore + +------------------------------------------------------------------- +Tue Dec 10 16:04:06 UTC 2019 - Pedro Monreal Gonzalez + +- Security fix: [bsc#1158809, CVE-2019-1551] + * Overflow bug in the x64_64 Montgomery squaring procedure used + in exponentiation with 512-bit moduli +- Add openssl-1_1-CVE-2019-1551.patch + +------------------------------------------------------------------- +Mon Oct 14 18:36:37 UTC 2019 - Jason Sikes + +- Merged upstream changes to allow NULL salt values in EVP_PBE_scrypt(). + * Revealed by nodejs12 during bsc#1149572. + * Modified openssl-jsc-SLE-8789-backport_KDF.patch + +------------------------------------------------------------------- +Mon Oct 14 08:45:39 UTC 2019 - Adam Majer + +- openssl-jsc-SLE-8789-backport_KDF.patch: retain old behaviour + of EVP_PBE_scrypt. When key output buffer is not provided, + only check if the input parameters are in valid range and + ignore passphrase/salt fields as they are only used in + the actual calculation. + +------------------------------------------------------------------- +Wed Sep 11 09:32:16 UTC 2019 - Vítězslav Čížek + +- Update to 1.1.1d (bsc#1133925, jsc#SLE-6430) + * Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random + number generator (RNG). This was intended to include protection in the + event of a fork() system call in order to ensure that the parent and child + processes did not share the same RNG state. However this protection was not + being used in the default case. + (bsc#1150247, CVE-2019-1549) + * Compute ECC cofactors if not provided during EC_GROUP construction. Before + this change, EC_GROUP_set_generator would accept order and/or cofactor as + NULL. After this change, only the cofactor parameter can be NULL. + (bsc#1150003, CVE-2019-1547) + * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. + (bsc#1150250, CVE-2019-1563) + * For built-in EC curves, ensure an EC_GROUP built from the curve name is + used even when parsing explicit parameters, when loading a serialized key + or calling EC_GROUP_new_from_ecpkparameters()/EC_GROUP_new_from_ecparameters(). + * Early start up entropy quality from the DEVRANDOM seed source has been + improved for older Linux systems. + * Changed DH_check to accept parameters with order q and 2q subgroups. + With order 2q subgroups the bit 0 of the private key is not secret + but DH_generate_key works around that by clearing bit 0 of the + private key for those. This avoids leaking bit 0 of the private key. + * Significantly reduce secure memory usage by the randomness pools. + * Revert the DEVRANDOM_WAIT feature for Linux systems +- drop 0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch (upstream) +- refresh patches + * openssl-1.1.0-no-html.patch + * openssl-jsc-SLE-8789-backport_KDF.patch + +------------------------------------------------------------------- +Tue Sep 10 19:26:34 UTC 2019 - Jason Sikes + +- To avoid seperate certification of openssh server / client + move the SSH KDF (Key Derivation Function) into openssl. + * jsc#SLE-8789 + * Sourced from commit + 8d76481b189b7195ef932e0fb8f0e23ab0120771#diff-a9562bc75317360a2e6b8b0748956e34 + in openssl master (introduce the SSH KDF) + and commit 5a285addbf39f91d567f95f04b2b41764127950d + in openssl master (backport EVP/KDF API framework) + * added openssl-jsc-SLE-8789-backport_KDF.patch + +------------------------------------------------------------------- +Thu Jun 6 10:06:45 UTC 2019 - Vítězslav Čížek + +- Use upstream patch for the locale crash (bsc#1135550) + * https://github.com/openssl/openssl/pull/8966 +- delete openssl-fix_underflow_in_errstr_handling.patch +- add 0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch + +------------------------------------------------------------------- +Thu Jun 6 10:03:03 UTC 2019 - Vítězslav Čížek + +- Add s390x vectorized support for ChaCha20 and Poly1305 + (jsc#SLE-6126, jsc#SLE-6129) + * 0001-s390x-assembly-pack-perlasm-support.patch + * 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch + * 0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch + * 0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch + * 0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch + * 0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch +- delete 0001-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch + +------------------------------------------------------------------- +Thu May 30 09:55:01 UTC 2019 - Vítězslav Čížek + +- Update to 1.1.1c (bsc#1133925, jsc#SLE-6430) + * Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543) + ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input + for every encryption operation. RFC 7539 specifies that the nonce value + (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length + and front pads the nonce with 0 bytes if it is less than 12 + bytes. However it also incorrectly allows a nonce to be set of up to 16 + bytes. In this case only the last 12 bytes are significant and any + additional leading bytes are ignored. + * Add build tests for C++. These are generated files that only do one + thing, to include one public OpenSSL head file each. This tests that + the public header files can be usefully included in a C++ application. + * Enable SHA3 pre-hashing for ECDSA and DSA. + * Change the default RSA, DSA and DH size to 2048 bit instead of 1024. + This changes the size when using the genpkey app when no size is given. It + fixes an omission in earlier changes that changed all RSA, DSA and DH + generation apps to use 2048 bits by default. + * Reorganize the manual pages to consistently have RETURN VALUES, + EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust + util/fix-doc-nits accordingly. + * Add the missing accessor EVP_PKEY_get0_engine() + * Have apps like 's_client' and 's_server' output the signature scheme + along with other cipher suite parameters when debugging. + * Make OPENSSL_config() error agnostic again. + * Do the error handling in RSA decryption constant time. + * Ensure that SM2 only uses SM3 as digest algorithm +- drop upstreamed patches: + * openssl-fix-handling-of-GNU-strerror_r.patch + * 0001-Fix-for-BIO_get_mem_ptr-and-related-regressions.patch +- update keyring by including Richard Levitte's key + +------------------------------------------------------------------- +Tue May 28 08:21:52 UTC 2019 - Jiri Slaby + +- add 0001-Fix-for-BIO_get_mem_ptr-and-related-regressions.patch + (bnc#1136522) + +------------------------------------------------------------------- +Mon May 20 16:21:01 UTC 2019 - Vítězslav Čížek + +- Fix a crash caused by long locale messages (bsc#1135550) + * add openssl-fix_underflow_in_errstr_handling.patch + +------------------------------------------------------------------- +Mon Mar 4 13:01:18 UTC 2019 - Dominique Leuenberger + +- Drop bc and ed BuildRequires: I could not find any reference to + these tools being used during build or check. + +------------------------------------------------------------------- +Fri Mar 1 13:28:03 UTC 2019 - Vítězslav Čížek + +- Use upstream-approved patch for the handling of strerror_r + * https://github.com/openssl/openssl/pull/8371 +- add openssl-fix-handling-of-GNU-strerror_r.patch +- drop strerror.patch + +------------------------------------------------------------------- +Thu Feb 28 13:37:55 UTC 2019 - Pedro Monreal Gonzalez + +- Update to 1.1.1b + * Added SCA hardening for modular field inversion in EC_GROUP + through a new dedicated field_inv() pointer in EC_METHOD. + * Change the info callback signals for the start and end of a post-handshake + message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START + and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get + confused by this and assume that a TLSv1.2 renegotiation has started. This + can break KeyUpdate handling. Instead we no longer signal the start and end + of a post handshake message exchange (although the messages themselves are + still signalled). This could break some applications that were expecting + the old signals. However without this KeyUpdate is not usable for many + applications. + * Fix a bug in the computation of the endpoint-pair shared secret used + by DTLS over SCTP. This breaks interoperability with older versions + of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime + switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling + interoperability with such broken implementations. However, enabling + this switch breaks interoperability with correct implementations. + * Fix a use after free bug in d2i_X509_PUBKEY when overwriting a + re-used X509_PUBKEY object if the second PUBKEY is malformed. + * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0() + +------------------------------------------------------------------- +Thu Feb 28 12:10:33 UTC 2019 - Vítězslav Čížek + +- Add strerror.patch to avoid problems with strerror_r() not setting + the provided buf + +------------------------------------------------------------------- +Mon Feb 11 14:39:12 UTC 2019 - Vítězslav Čížek + +- Add s390x poly1305 vectorized implementation (fate#326351) + * https://github.com/openssl/openssl/pull/7991 +- add 0001-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch + +------------------------------------------------------------------- +Thu Jan 10 15:20:07 UTC 2019 - Vítězslav Čížek + +- Add s390x chacha20 vectorized implementation (fate#326561) + * https://github.com/openssl/openssl/pull/6919 +- added patches: + 0001-s390x-assembly-pack-perlasm-support.patch + 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch + +------------------------------------------------------------------- +Tue Nov 20 14:31:28 UTC 2018 - Vítězslav Čížek + +- Update to 1.1.1a + * Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for + the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names + are retained for backwards compatibility. + * Fixed the issue that RAND_add()/RAND_seed() silently discards random input + if its length exceeds 4096 bytes. The limit has been raised to a buffer size + of two gigabytes and the error handling improved. +- drop upstream patches: + * 0001-Add-a-constant-time-flag-to-one-of-the-bignums-to-av.patch + * 0001-DSA-Check-for-sanity-of-input-parameters.patch + * 0001-DSA-mod-inverse-fix.patch + * openssl-CVE-2018-0734.patch + * openssl-CVE-2018-0735.patch + +------------------------------------------------------------------- +Mon Nov 5 12:53:54 UTC 2018 - Vítězslav Čížek + +- OpenSSL Security Advisory [30 October 2018] + * Timing vulnerability in ECDSA signature generation + (bsc#1113651, CVE-2018-0735) + * Timing vulnerability in DSA signature generation + (bsc#1113652, CVE-2018-0734) + * And more timing fixes +- Add patches: + * openssl-CVE-2018-0734.patch + * openssl-CVE-2018-0735.patch + * 0001-DSA-mod-inverse-fix.patch + * 0001-Add-a-constant-time-flag-to-one-of-the-bignums-to-av.patch + +------------------------------------------------------------------- +Mon Nov 5 11:00:54 UTC 2018 - Vítězslav Čížek + +- Fix infinite loop in DSA generation with incorrect parameters + (bsc#1112209) + * 0001-DSA-Check-for-sanity-of-input-parameters.patch + +------------------------------------------------------------------- +Thu Oct 25 13:32:33 UTC 2018 - Cristian Rodríguez + +- Explictly select "getrandom" system call as the seed source, + it is the safer/best performing choice on linux. +- do not force -std=gnu99, pick the compiler default. + +------------------------------------------------------------------- +Tue Sep 11 13:49:06 UTC 2018 - Vítězslav Čížek + +- Update to 1.1.1 release + * This is the first official release of the OpenSSL 1.1.1 branch + which brings TLS 1.3 support +- remove all TLS 1.3 ciphers from the DEFAULT_SUSE cipher list as they + are configured differently + * modified openssl-DEFAULT_SUSE_cipher.patch +- drop obsolete openssl-pretend_we_are_not_beta.patch + +------------------------------------------------------------------- +Thu Aug 23 13:21:00 UTC 2018 - vcizek@suse.com + +- Update to 1.1.1-pre9 (Beta 7) + * Support for TLSv1.3 added + * Move the display of configuration data to configdata.pm. + * Allow GNU style "make variables" to be used with Configure. + * Add a STORE module (OSSL_STORE) + * Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes + * Add multi-prime RSA (RFC 8017) support + * Add SM3 implemented according to GB/T 32905-2016 + * Add SM4 implemented according to GB/T 32907-2016. + * Add 'Maximum Fragment Length' TLS extension negotiation and support + * Add ARIA support + * Add SHA3 + * Rewrite of devcrypto engine + * Add support for SipHash + * Grand redesign of the OpenSSL random generator +- pretend the release is not a Beta, to avoid "OpenSSL version mismatch" + with OpenSSH + * add openssl-pretend_we_are_not_beta.patch +- drop FIPS support + * don't build with FIPS mode (not supported in 1.1.1) + * don't create the -hmac subpackages + - drop FIPS patches + * openssl-fips-clearerror.patch + * openssl-fips-dont-fall-back-to-default-digest.patch + * openssl-fips-dont_run_FIPS_module_installed.patch + * openssl-fips-fix-odd-rsakeybits.patch + * openssl-fips-rsagen-d-bits.patch + * openssl-fips-selftests_in_nonfips_mode.patch + * openssl-fips_disallow_ENGINE_loading.patch + * openssl-rsakeygen-minimum-distance.patch + * openssl-1.1.0-fips.patch + * openssl-urandom-reseeding.patch + * openssl-CVE-2018-0737-fips.patch +- add TLS 1.3 ciphers to DEFAULT_SUSE +- merge openssl-1.0.1e-add-suse-default-cipher.patch and + openssl-1.0.1e-add-test-suse-default-cipher-suite.patch to + openssl-DEFAULT_SUSE_cipher.patch +- drop patches: + * openssl-static-deps.patch (upstream) + * 0001-Resume-reading-from-randfile-when-interrupted-by-a-s.patch + * openssl-disable_rsa_keygen_tests_with_small_modulus.patch + * 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch +- drop s390x patches + * 0002-crypto-modes-asm-ghash-s390x.pl-fix-gcm_gmult_4bit-K.patch + * 0004-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch + * 0005-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch + * 0006-s390x-assembly-pack-extended-s390x-capability-vector.patch + * 0007-crypto-evp-e_aes.c-add-foundations-for-extended-s390.patch + * 0008-s390x-assembly-pack-extended-s390x-capability-vector.patch + * 0009-crypto-aes-asm-aes-s390x.pl-add-KMA-code-path.patch + * 0010-doc-man3-OPENSSL_s390xcap.pod-update-KMA.patch + * 0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch + * 0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch + * 0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch + +------------------------------------------------------------------- +Tue Aug 14 14:02:22 UTC 2018 - vcizek@suse.com + +- Update to 1.1.0i + OpenSSL Security Advisory [12 June 2018] + * Reject excessively large primes in DH key generation + (bsc#1097158, CVE-2018-0732) + * Make EVP_PKEY_asn1_new() a bit stricter about its input + * Revert blinding in ECDSA sign and instead make problematic addition + length-invariant. Switch even to fixed-length Montgomery multiplication. + * Change generating and checking of primes so that the error rate of not + being prime depends on the intended use based on the size of the input. + * Increase the number of Miller-Rabin rounds for DSA key generating to 64. + * Add blinding to ECDSA and DSA signatures to protect against side channel + attacks + * When unlocking a pass phrase protected PEM file or PKCS#8 container, we + now allow empty (zero character) pass phrases. + * Certificate time validation (X509_cmp_time) enforces stricter + compliance with RFC 5280. Fractional seconds and timezone offsets + are no longer allowed. + * Fixed a text canonicalisation bug in CMS +- drop patches (upstream): + * 0001-Limit-scope-of-CN-name-constraints.patch + * 0001-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch + * 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch + * 0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch +- refresh patches: + * openssl-1.1.0-fips.patch + * openssl-disable_rsa_keygen_tests_with_small_modulus.patch +- rename openssl-CVE-2018-0737.patch to openssl-CVE-2018-0737-fips.patch + as it now only includes changes to the fips code + +------------------------------------------------------------------- +Thu Aug 2 10:41:20 UTC 2018 - vcizek@suse.com + +- Add openssl(cli) Provide so the packages that require the openssl + binary can require this instead of the new openssl meta package + (bsc#1101470) +- Don't Require openssl-1_1 from the devel package, just Recommend it + +------------------------------------------------------------------- +Fri Jun 1 11:37:06 UTC 2018 - vcizek@suse.com + +- Suggest libopenssl1_1-hmac from libopenssl1_1 package to avoid + dependency issues during updates (bsc#1090765) + +------------------------------------------------------------------- +Tue May 29 08:53:01 UTC 2018 - vcizek@suse.com + +- Relax CN name restrictions (bsc#1084011) + * added patches: + 0001-Limit-scope-of-CN-name-constraints.patch + 0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch + +------------------------------------------------------------------- +Thu May 10 09:37:19 UTC 2018 - vcizek@suse.com + +- OpenSSL Security Advisory [16 Apr 2018] + * Cache timing vulnerability in RSA Key Generation + (CVE-2018-0737, bsc#1089039) + * add openssl-CVE-2018-0737.patch + +------------------------------------------------------------------- +Thu May 10 09:32:43 UTC 2018 - vcizek@suse.com + +- Fix escaping in c_rehash (boo#1091961, bsc#1091963) + * add 0001-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch + +------------------------------------------------------------------- +Wed Mar 28 14:34:49 UTC 2018 - vcizek@suse.com + +- Tolerate a Certificate using a non-supported group on server side + (boo#1084651) + * https://github.com/openssl/openssl/pull/5607 + * add 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch + +------------------------------------------------------------------- +Tue Mar 27 14:42:36 UTC 2018 - vcizek@suse.com + +- Update to 1.1.0h + OpenSSL Security Advisory [27 Mar 2018] + * Constructed ASN.1 types with a recursive definition could exceed + the stack (CVE-2018-0739) (bsc#1087102) + * rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738) + (bsc#1071906) +- refresh patches: + * 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch + * openssl-1.1.0-fips.patch + * openssl-pkgconfig.patch + * openssl-rsakeygen-minimum-distance.patch + * openssl-static-deps.patch + +------------------------------------------------------------------- +Tue Feb 27 20:13:14 UTC 2018 - dimstar@opensuse.org + +- Move the libopenssl1_1_0-32bit obsoletes in baselibs.conf to the + new libopenssl1_1-32bit: it does not belong to the devel + package. + +------------------------------------------------------------------- +Fri Feb 16 12:01:50 UTC 2018 - vcizek@suse.com + +- Renamed from openssl-1_1_0 (bsc#1081335) + * All the minor versions of the 1.1.x openssl branch have the same + sonum and keep ABI compatibility + * obsolete the 1_1_0 packages +- update baselibs.conf with the new version names + +------------------------------------------------------------------- +Thu Feb 15 15:47:07 UTC 2018 - tchvatal@suse.com + +- Remove bit obsolete syntax +- Use %license macro + +------------------------------------------------------------------- +Mon Jan 22 15:29:33 UTC 2018 - schwab@suse.de + +- Don't disable afalgeng on aarch64 + +------------------------------------------------------------------- +Tue Jan 9 17:37:39 UTC 2018 - vcizek@suse.com + +- Add support for s390x CPACF enhancements (fate#321518) + patches taken from https://github.com/openssl/openssl/pull/2859: + * 0002-crypto-modes-asm-ghash-s390x.pl-fix-gcm_gmult_4bit-K.patch + * 0004-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch + * 0005-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch + * 0006-s390x-assembly-pack-extended-s390x-capability-vector.patch + * 0007-crypto-evp-e_aes.c-add-foundations-for-extended-s390.patch + * 0008-s390x-assembly-pack-extended-s390x-capability-vector.patch + * 0009-crypto-aes-asm-aes-s390x.pl-add-KMA-code-path.patch + * 0010-doc-man3-OPENSSL_s390xcap.pod-update-KMA.patch + * 0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch + * 0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch + * 0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch + +------------------------------------------------------------------- +Tue Nov 28 09:54:38 UTC 2017 - dimstar@opensuse.org + +- Do not filter pkgconfig() provides/requires. + +------------------------------------------------------------------- +Tue Nov 28 08:24:53 UTC 2017 - dimstar@opensuse.org + +- Obsolete openssl-1_0_0 by openssl-1_1_0: this is required for a + clean upgrade path as an aid to zypp (boo#1070003). + +------------------------------------------------------------------- +Thu Nov 2 19:56:54 UTC 2017 - vcizek@suse.com + +- Update to 1.1.0g + OpenSSL Security Advisory [02 Nov 2017] + * bn_sqrx8x_internal carry bug on x86_64 + (CVE-2017-3736) (bsc#1066242) + * Malformed X.509 IPAddressFamily could cause OOB read + (CVE-2017-3735) (bsc#1056058) +- drop 0001-Fix-a-TLSProxy-race-condition.patch (upstream) +- refresh 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch + +------------------------------------------------------------------- +Fri Sep 1 11:33:46 UTC 2017 - vcizek@suse.com + +- update DEFAULT_SUSE cipher list (bsc#1055825) + * add CHACHA20-POLY1305 + * add ECDSA ciphers + * remove 3DES +- modified openssl-1.0.1e-add-suse-default-cipher.patch + +------------------------------------------------------------------- +Tue Aug 15 08:48:59 UTC 2017 - meissner@suse.com + +- do not require openssl1_1_0-targettype in devel-targettype, as it + is not built (it has no libraries) + +------------------------------------------------------------------- +Mon Aug 7 23:29:33 UTC 2017 - jengelh@inai.de + +- The description is supposed to describe the package, not the + development process or history. (Synchronize with the + already-updates descriptions in openssl-1_0_0.) +- Update historic copypasted boilerplate summaries + ("include files mandatory for development") + +------------------------------------------------------------------- +Thu Aug 3 07:04:30 UTC 2017 - tchvatal@suse.com + +- Disable the verbosity of the tests as we expose yet another race + condition in that + +------------------------------------------------------------------- +Tue Jul 18 11:06:41 UTC 2017 - vcizek@suse.com + +- Fix a race condition in tests to make the package build reliably + * https://github.com/openssl/openssl/issues/3562 + * 0001-Fix-a-TLSProxy-race-condition.patch + +------------------------------------------------------------------- +Tue Jul 18 05:50:05 UTC 2017 - jimmy@boombatower.com + +- Add Provides and Conflicts for -devel package in baselibs.conf. + +------------------------------------------------------------------- +Sun Jun 25 12:33:59 UTC 2017 - tchvatal@suse.com + +- Add patch openssl-no-date.patch to disable date inclusion in most + of the binaries +- Use autopatch to make things smaller +- Enable verbose output on the tests +- Paralelize depmod + +------------------------------------------------------------------- +Mon May 29 09:57:39 UTC 2017 - vcizek@suse.com + +- update to 1.1.0f + * bugfix only release +- disable RSA keygen tests, because they use too small modulus, which + is rejected by our CC/FIPS hardening patches + * added openssl-disable_rsa_keygen_tests_with_small_modulus.patch +- refreshed openssl-rsakeygen-minimum-distance.patch and + 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch + +------------------------------------------------------------------- +Wed May 10 11:11:33 UTC 2017 - tchvatal@suse.com + +- Add conflict for any libopenssl-devel that is not in our version + +------------------------------------------------------------------- +Wed May 10 10:40:53 UTC 2017 - tchvatal@suse.com + +- Avoid the requires conflict between 1.1 and 1.0 openssl + +------------------------------------------------------------------- +Fri May 5 07:42:41 UTC 2017 - tchvatal@suse.com + +- Add conflict on docu packages + +------------------------------------------------------------------- +Wed May 3 12:48:11 UTC 2017 - vcizek@suse.com + +- drop unnecessary README.SUSE + +------------------------------------------------------------------- +Wed May 3 11:46:58 UTC 2017 - vcizek@suse.com + +- add openssl-1.1-fix-ppc64.patch from Marcus Meissner to fix build + on ppc64 + +------------------------------------------------------------------- +Wed May 3 09:06:06 UTC 2017 - tchvatal@suse.com + +- Fix build on aarch64 + +------------------------------------------------------------------- +Wed May 3 08:50:07 UTC 2017 - tchvatal@suse.com + +- Remove libpadlock conditional, no longer present + +------------------------------------------------------------------- +Tue May 2 10:28:38 UTC 2017 - tchvatal@suse.com + +- Update baselibs.conf to contain all the renamed packages + +------------------------------------------------------------------- +Wed Apr 26 12:43:47 UTC 2017 - vcizek@suse.com + +- re-enable tests on SLE-12 and below despite current failure, so + they are automatically run once the issue is resolved + +------------------------------------------------------------------- +Wed Apr 26 12:37:14 UTC 2017 - tchvatal@suse.com + +- Filter out the pkgconfig provides to force usage of the main + openssl package provides + +------------------------------------------------------------------- +Fri Apr 21 13:04:42 UTC 2017 - vcizek@suse.com + +- disable tests on SLE-12 and its derivates + * they fail because of glibc bug bsc#1035445 +- remove README-FIPS.txt (outdated) + +------------------------------------------------------------------- +Thu Apr 20 15:08:43 UTC 2017 - vcizek@suse.com + +- drop openssl-fipslocking.patch + The locking in 1.1.0 has been rewritten and converted to the new + threading API. The fips deadlock (at least bsc#991193) can't be + reproduced anymore. +- don't ship useless INSTALL* files + +------------------------------------------------------------------- +Thu Apr 20 10:16:43 UTC 2017 - vcizek@suse.com + +- simplify openssl-fips-dont-fall-back-to-default-digest.patch + The -non-fips-allow option was dropped in OpenSSL 1.1.0 +- drop openssl-no-egd.patch as OpenSSL 1.1.0 disables EGD at compile + time by default +- renumber the patches so the numbers are consequent + +------------------------------------------------------------------- +Tue Apr 18 19:51:39 UTC 2017 - tchvatal@suse.com + +- Update showciphers.c to work with new openssl + +------------------------------------------------------------------- +Tue Apr 18 19:17:42 UTC 2017 - tchvatal@suse.com + +- Add patch openssl-static-deps.patch to allow dependencies on + statically build libraries +- Refresh openssl-1-1.0-fips.patch to take in use the above approach +- Silence the install manpage rename phase + +------------------------------------------------------------------- +Thu Apr 13 12:17:53 UTC 2017 - tchvatal@suse.com + +- Start update to 1.1.0e basing of the 1.0.0 split release +- Drop patch merge_from_0.9.8k.patch the ppc64 should work out of the + box +- Drop patch openssl-engines-path.patch converted to configure option +- Drop patch openssl-1.0.2a-padlock64.patch code behind was redone + does not apply at all +- Drop patch openssl-fix-pod-syntax.diff mostly merged upstream or + not applicable +- Drop patch compression_methods_switch.patch as we do not need + to keep the compat on this release anymore +- Drop patch openssl-1.0.2a-ipv6-apps.patch which was upstreamed +- Drop upstreamed patch openssl-1.0.2a-default-paths.patch +- Drop obsolete patch openssl-1.0.0-c_rehash-compat.diff +- Drop obsolete patch openssl-missing_FIPS_ec_group_new_by_curve_name.patch +- Drop obsolete patch openssl-print_notice-NULL_crash.patch +- Drop obsolete patch openssl-randfile_fread_interrupt.patch +- Refresh patch openssl-truststore.patch +- Refresh baselibs.conf to correctly reflect soname +- Add patch openssl-1.1.0-fips.patch obsoleting bunch of older: + * openssl-1.0.2i-fips.patch + * openssl-1.0.2a-fips-ec.patch + * openssl-1.0.2a-fips-ctor.patch + * openssl-1.0.2i-new-fips-reqs.patch + * openssl-fips_disallow_x931_rand_method.patch +- Add new patch for upstream: + * 0001-Resume-reading-from-randfile-when-interrupted-by-a-s.patch +- Refresh patch openssl-pkgconfig.patch +- Drop patch openssl-gcc-attributes.patch as the code was redone +- Rebase patch 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch +- Rebase patch openssl-no-egd.patch +- Rebase patch openssl-1.0.1e-add-suse-default-cipher.patch and + openssl-1.0.1e-add-test-suse-default-cipher-suite.patch +- Rebase patch openssl-fips_disallow_ENGINE_loading.patch +- Rebase patch openssl-urandom-reseeding.patch +- Rebase patch openssl-fips-rsagen-d-bits.patch +- Rebase patch openssl-fips-selftests_in_nonfips_mode.patch +- Remove switch for ssl2 - no longer present +- Remve the buildinf.h parsing, should no longer be needed +- Drop the rehash in build, no longer needed +- Drop openssl-fips-hidden.patch as it is not really needed +- Do not sed in secure_getenv upstream does it in code on their own +- Do not install html converted manpages + * openssl-1.1.0-no-html.patch + +------------------------------------------------------------------- +Thu Apr 13 12:09:22 UTC 2017 - tchvatal@suse.com + +- Drop the symbol hiding patches to ease maintenance updates: + * 0005-libssl-Hide-library-private-symbols.patch + * 0001-libcrypto-Hide-library-private-symbols.patch + +------------------------------------------------------------------- +Thu Apr 13 11:52:35 UTC 2017 - tchvatal@suse.com + +- Add new patch for engines folders to allow co-installation + * openssl-engines-path.patch + +------------------------------------------------------------------- +Thu Apr 13 11:43:41 UTC 2017 - tchvatal@suse.com + +- Drop openssl-ocloexec.patch as it causes additional maintenance + burden we would like to avoid + +------------------------------------------------------------------- +Thu Apr 13 11:41:13 UTC 2017 - tchvatal@suse.com + +- Drop bug610223.patch as we moved to libdir + +------------------------------------------------------------------- +Thu Apr 13 11:37:37 UTC 2017 - tchvatal@suse.com + +- Move check to %check phase +- Split showciphers to separate file + +------------------------------------------------------------------- +Wed Apr 12 13:06:59 UTC 2017 - tchvatal@suse.com + +- Move openssl to /usr/lib64 from /lib64 + +------------------------------------------------------------------- +Wed Apr 12 13:04:04 UTC 2017 - tchvatal@suse.com + +- Remove some of the DSO setting code that is not needed +- Fix the showciphers binary + +------------------------------------------------------------------- +Wed Apr 12 12:05:32 UTC 2017 - tchvatal@suse.com + +- Rename to openssl-1_0_0 to allow instalation of multiple versions + +------------------------------------------------------------------- +Tue Apr 4 11:41:40 UTC 2017 - tchvatal@suse.com + +- Remove O3 from optflags, no need to not rely on distro wide settings +- Remove conditions for sle10 and sle11, we care only about sle12+ +- USE SUSE instead of SuSE in readme +- Pass over with spec-cleaner + +------------------------------------------------------------------- +Thu Feb 2 15:19:15 UTC 2017 - vcizek@suse.com + +- fix X509_CERT_FILE path (bsc#1022271) and rename + updated openssl-1.0.1e-truststore.diff to openssl-truststore.patch + +------------------------------------------------------------------- +Fri Jan 27 10:21:42 UTC 2017 - meissner@suse.com + +- Updated to openssl 1.0.2k + - bsc#1009528 / CVE-2016-7055: openssl: Montgomery multiplication may produce incorrect results + - bsc#1019334 / CVE-2016-7056: openssl: ECSDA P-256 timing attack key recovery + - bsc#1022085 / CVE-2017-3731: openssl: Truncated packet could crash via OOB read + - bsc#1022086 / CVE-2017-3732: openssl: BN_mod_exp may produce incorrect results on x86_64 + +------------------------------------------------------------------- +Fri Sep 30 10:53:56 UTC 2016 - vcizek@suse.com + +- resume reading from /dev/urandom when interrupted by a signal + (bsc#995075) + * add openssl-randfile_fread_interrupt.patch + +------------------------------------------------------------------- +Fri Sep 30 10:53:06 UTC 2016 - vcizek@suse.com + +- add FIPS changes from SP2: +- fix problems with locking in FIPS mode (bsc#992120) + * duplicates: bsc#991877, bsc#991193, bsc#990392, bsc#990428 + and bsc#990207 + * bring back openssl-fipslocking.patch +- drop openssl-fips_RSA_compute_d_with_lcm.patch (upstream) + (bsc#984323) +- don't check for /etc/system-fips (bsc#982268) + * add openssl-fips-dont_run_FIPS_module_installed.patch +- refresh openssl-fips-rsagen-d-bits.patch + +------------------------------------------------------------------- +Tue Sep 27 06:20:03 UTC 2016 - michael@stroeder.com + +- update to openssl-1.0.2j + * Missing CRL sanity check (CVE-2016-7052 bsc#1001148) + +------------------------------------------------------------------- +Fri Sep 23 08:22:01 UTC 2016 - vcizek@suse.com + +- OpenSSL Security Advisory [22 Sep 2016] (bsc#999665) + Severity: High + * OCSP Status Request extension unbounded memory growth + (CVE-2016-6304) (bsc#999666) + Severity: Low + * Pointer arithmetic undefined behaviour (CVE-2016-2177) (bsc#982575) + * Constant time flag not preserved in DSA signing (CVE-2016-2178) (bsc#983249) + * DTLS buffered message DoS (CVE-2016-2179) (bsc#994844) + * OOB read in TS_OBJ_print_bio() (CVE-2016-2180) (bsc#990419) + * DTLS replay protection DoS (CVE-2016-2181) (bsc#994749) + * OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819) + * Birthday attack against 64-bit block ciphers (SWEET32) + (CVE-2016-2183) (bsc#995359) + * Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324) + * OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377) + * Certificate message OOB reads (CVE-2016-6306) (bsc#999668) +- update to openssl-1.0.2i + * remove patches: + openssl-1.0.2a-new-fips-reqs.patch + openssl-1.0.2e-fips.patch + * add patches: + openssl-1.0.2i-fips.patch + openssl-1.0.2i-new-fips-reqs.patch + +------------------------------------------------------------------- +Wed Aug 3 12:41:41 UTC 2016 - vcizek@suse.com + +- fix crash in print_notice (bsc#998190) + * add openssl-print_notice-NULL_crash.patch + +------------------------------------------------------------------- +Tue May 3 14:43:47 UTC 2016 - vcizek@suse.com + +- OpenSSL Security Advisory [3rd May 2016] +- update to 1.0.2h (boo#977584, boo#977663) + * Prevent padding oracle in AES-NI CBC MAC check + A MITM attacker can use a padding oracle attack to decrypt traffic + when the connection uses an AES CBC cipher and the server support + AES-NI. + (CVE-2016-2107, boo#977616) + * Fix EVP_EncodeUpdate overflow + An overflow can occur in the EVP_EncodeUpdate() function which is used for + Base64 encoding of binary data. If an attacker is able to supply very large + amounts of input data then a length check can overflow resulting in a heap + corruption. + (CVE-2016-2105, boo#977614) + * Fix EVP_EncryptUpdate overflow + An overflow can occur in the EVP_EncryptUpdate() function. If an attacker + is able to supply very large amounts of input data after a previous call to + EVP_EncryptUpdate() with a partial block then a length check can overflow + resulting in a heap corruption. + (CVE-2016-2106, boo#977615) + * Prevent ASN.1 BIO excessive memory allocation + When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() + a short invalid encoding can casuse allocation of large amounts of memory + potentially consuming excessive resources or exhausting memory. + (CVE-2016-2109, boo#976942) + * EBCDIC overread + ASN1 Strings that are over 1024 bytes can cause an overread in applications + using the X509_NAME_oneline() function on EBCDIC systems. This could result + in arbitrary stack data being returned in the buffer. + (CVE-2016-2176, boo#978224) + * Modify behavior of ALPN to invoke callback after SNI/servername + callback, such that updates to the SSL_CTX affect ALPN. + * Remove LOW from the DEFAULT cipher list. This removes singles DES from the + default. + * Only remove the SSLv2 methods with the no-ssl2-method option. When the + methods are enabled and ssl2 is disabled the methods return NULL. + +------------------------------------------------------------------- +Fri Apr 15 16:55:05 UTC 2016 - dvaleev@suse.com + +- Remove a hack for bsc#936563 +- Drop bsc936563_hack.patch + +------------------------------------------------------------------- +Fri Apr 15 11:59:48 UTC 2016 - vcizek@suse.com + +- import fips patches from SLE-12 + * openssl-fips-clearerror.patch + * openssl-fips-dont-fall-back-to-default-digest.patch + * openssl-fips-fix-odd-rsakeybits.patch + * openssl-fips-rsagen-d-bits.patch + * openssl-fips-selftests_in_nonfips_mode.patch + * openssl-fips_RSA_compute_d_with_lcm.patch + * openssl-fips_disallow_ENGINE_loading.patch + * openssl-fips_disallow_x931_rand_method.patch + * openssl-rsakeygen-minimum-distance.patch + * openssl-urandom-reseeding.patch + +------------------------------------------------------------------- +Tue Mar 8 12:50:28 UTC 2016 - vcizek@suse.com + +- add support for "ciphers" providing no encryption (bsc#937085) + * don't build with -DSSL_FORBID_ENULL + +------------------------------------------------------------------- +Tue Mar 1 14:40:18 UTC 2016 - vcizek@suse.com + +- update to 1.0.2g (bsc#968044) + * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. + Builds that are not configured with "enable-weak-ssl-ciphers" will not + provide any "EXPORT" or "LOW" strength ciphers. + * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2 + is by default disabled at build-time. Builds that are not configured with + "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, + users who want to negotiate SSLv2 via the version-flexible SSLv23_method() + will need to explicitly call either of: + SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); + or + SSL_clear_options(ssl, SSL_OP_NO_SSLv2); + (CVE-2016-0800) + * Fix a double-free in DSA code + (CVE-2016-0705) + * Disable SRP fake user seed to address a server memory leak. + Add a new method SRP_VBASE_get1_by_user that handles the seed properly. + (CVE-2016-0798) + * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption + (CVE-2016-0797) + *) Side channel attack on modular exponentiation + http://cachebleed.info. + (CVE-2016-0702) + *) Change the req app to generate a 2048-bit RSA/DSA key by default, + if no keysize is specified with default_bits. This fixes an + omission in an earlier change that changed all RSA/DSA key generation + apps to use 2048 bits by default. + +------------------------------------------------------------------- +Thu Jan 28 15:10:38 UTC 2016 - vcizek@suse.com + +- update to 1.0.2f (boo#963410) + *) DH small subgroups (boo#963413) + Historically OpenSSL only ever generated DH parameters based on "safe" + primes. More recently (in version 1.0.2) support was provided for + generating X9.42 style parameter files such as those required for RFC 5114 + support. The primes used in such files may not be "safe". Where an + application is using DH configured with parameters based on primes that are + not "safe" then an attacker could use this fact to find a peer's private + DH exponent. This attack requires that the attacker complete multiple + handshakes in which the peer uses the same private DH exponent. For example + this could be used to discover a TLS server's private DH exponent if it's + reusing the private DH exponent or it's using a static DH ciphersuite. + (CVE-2016-0701) + *) SSLv2 doesn't block disabled ciphers (boo#963415) + A malicious client can negotiate SSLv2 ciphers that have been disabled on + the server and complete SSLv2 handshakes even if all SSLv2 ciphers have + been disabled, provided that the SSLv2 protocol was not also disabled via + SSL_OP_NO_SSLv2. + (CVE-2015-3197) + *) Reject DH handshakes with parameters shorter than 1024 bits. + +------------------------------------------------------------------- +Fri Dec 4 23:06:18 UTC 2015 - vcizek@suse.com + +- update to 1.0.2e + * fixes five security vulnerabilities + * Anon DH ServerKeyExchange with 0 p parameter + (CVE-2015-1794) (bsc#957984) + * BN_mod_exp may produce incorrect results on x86_64 + (CVE-2015-3193) (bsc#957814) + * Certificate verify crash with missing PSS parameter + (CVE-2015-3194) (bsc#957815) + * X509_ATTRIBUTE memory leak + (CVE-2015-3195) (bsc#957812) + * Race condition handling PSK identify hint + (CVE-2015-3196) (bsc#957813) +- pulled a refreshed fips patch from Fedora + * openssl-1.0.2a-fips.patch was replaced by + openssl-1.0.2e-fips.patch +- refresh openssl-ocloexec.patch + +------------------------------------------------------------------- +Thu Jul 9 13:32:34 UTC 2015 - vcizek@suse.com + +- update to 1.0.2d + * fixes CVE-2015-1793 (bsc#936746) + + Alternate chains certificate forgery + + During certificate verfification, OpenSSL will attempt to find an + alternative certificate chain if the first attempt to build such a chain + fails. An error in the implementation of this logic can mean that an + attacker could cause certain checks on untrusted certificates to be + bypassed, such as the CA flag, enabling them to use a valid leaf + certificate to act as a CA and "issue" an invalid certificate. +- drop openssl-fix_invalid_manpage_name.patch (upstream) + +------------------------------------------------------------------- +Thu Jul 2 14:46:36 UTC 2015 - dvaleev@suse.com + +- Workaround debugit crash on ppc64le with gcc5 + bsc936563_hack.patch (bsc#936563) + +------------------------------------------------------------------- +Wed Jul 1 09:26:26 UTC 2015 - normand@linux.vnet.ibm.com + +- update merge_from_0.9.8k.patch replacing __LP64__ by __LP64 + this is a change versus previous request 309611 + required to avoid build error for ppc64 + +------------------------------------------------------------------- +Fri Jun 26 00:11:20 UTC 2015 - crrodriguez@opensuse.org + +- Build with no-ssl3, for details on why this is needed read + rfc7568. Contrary to the "no-ssl2" option, this does not + require us to patch dependant packages as the relevant + functions are still available (SSLv3_(client|server)_method) + but will fail to negotiate. if removing SSL3 methods is desired + at a later time, option "no-ssl3-method" needs to be used. + +------------------------------------------------------------------- +Fri Jun 12 21:22:45 UTC 2015 - vcizek@suse.com + +- update to 1.0.2c + * Fix HMAC ABI incompatibility +- refreshed openssl-1.0.2a-fips.patch + +------------------------------------------------------------------- +Thu Jun 11 15:50:44 UTC 2015 - vcizek@suse.com + +- update to 1.0.2b + * Malformed ECParameters causes infinite loop (CVE-2015-1788) + * Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789) + * PKCS7 crash with missing EnvelopedContent (CVE-2015-1790) + * CMS verify infinite loop with unknown hash function (CVE-2015-1792) + * Race condition handling NewSessionTicket (CVE-2015-1791) +- refreshed patches: + * 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch + * 0001-libcrypto-Hide-library-private-symbols.patch + * openssl-1.0.2a-default-paths.patch + * openssl-1.0.2a-fips.patch + * compression_methods_switch.patch + * openssl-1.0.1e-add-test-suse-default-cipher-suite.patch + +------------------------------------------------------------------- +Sun May 24 12:13:14 UTC 2015 - vcizek@suse.com + +- update to 1.0.2a + * Major changes since 1.0.1: + - Suite B support for TLS 1.2 and DTLS 1.2 + - Support for DTLS 1.2 + - TLS automatic EC curve selection. + - API to set TLS supported signature algorithms and curves + - SSL_CONF configuration API. + - TLS Brainpool support. + - ALPN support. + - CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH. +- packaging changes: + * merged patches modifying CIPHER_LIST into one, dropping: + - openssl-1.0.1e-add-suse-default-cipher-header.patch + - openssl-libssl-noweakciphers.patch + * fix a manpage with invalid name + - added openssl-fix_invalid_manpage_name.patch + * remove a missing fips function + - openssl-missing_FIPS_ec_group_new_by_curve_name.patch + * reimported patches from Fedora + dropped patches: + - openssl-1.0.1c-default-paths.patch + - openssl-1.0.1c-ipv6-apps.patch + - openssl-1.0.1e-fips-ctor.patch + - openssl-1.0.1e-fips-ec.patch + - openssl-1.0.1e-fips.patch + - openssl-1.0.1e-new-fips-reqs.patch + - VIA_padlock_support_on_64systems.patch + added patches: + - openssl-1.0.2a-default-paths.patch + - openssl-1.0.2a-fips-ctor.patch + - openssl-1.0.2a-fips-ec.patch + - openssl-1.0.2a-fips.patch + - openssl-1.0.2a-ipv6-apps.patch + - openssl-1.0.2a-new-fips-reqs.patch + - openssl-1.0.2a-padlock64.patch + * dropped security fixes (upstream) + - openssl-CVE-2015-0209.patch + - openssl-CVE-2015-0286.patch + - openssl-CVE-2015-0287.patch + - openssl-CVE-2015-0288.patch + - openssl-CVE-2015-0289.patch + - openssl-CVE-2015-0293.patch + * upstream reformatted the sources, so all the patches have to + be refreshed + +------------------------------------------------------------------- +Thu Mar 19 14:26:01 UTC 2015 - vcizek@suse.com + +- security update: + * CVE-2015-0209 (bnc#919648) + - Fix a failure to NULL a pointer freed on error + * CVE-2015-0286 (bnc#922496) + - Segmentation fault in ASN1_TYPE_cmp + * CVE-2015-0287 (bnc#922499) + - ASN.1 structure reuse memory corruption + * CVE-2015-0288 x509: (bnc#920236) + - added missing public key is not NULL check + * CVE-2015-0289 (bnc#922500) + - PKCS7 NULL pointer dereferences + * CVE-2015-0293 (bnc#922488) + - Fix reachable assert in SSLv2 servers + * added patches: + openssl-CVE-2015-0209.patch + openssl-CVE-2015-0286.patch + openssl-CVE-2015-0287.patch + openssl-CVE-2015-0288.patch + openssl-CVE-2015-0289.patch + openssl-CVE-2015-0293.patch + +------------------------------------------------------------------- +Wed Feb 4 08:08:27 UTC 2015 - meissner@suse.com + +- The DATE stamp moved from crypto/Makefile to crypto/buildinf.h, + replace it there (bsc#915947) + +------------------------------------------------------------------- +Fri Jan 9 10:03:37 UTC 2015 - meissner@suse.com + +- openssl 1.0.1k release + bsc#912294 CVE-2014-3571: Fix DTLS segmentation fault in dtls1_get_record. + bsc#912292 CVE-2015-0206: Fix DTLS memory leak in dtls1_buffer_record. + bsc#911399 CVE-2014-3569: Fix issue where no-ssl3 configuration sets method to NULL. + bsc#912015 CVE-2014-3572: Abort handshake if server key exchange + message is omitted for ephemeral ECDH ciphersuites. + bsc#912014 CVE-2015-0204: Remove non-export ephemeral RSA code on client and server. + bsc#912293 CVE-2015-0205: Fixed issue where DH client certificates are accepted without verification. + bsc#912018 CVE-2014-8275: Fix various certificate fingerprint issues. + bsc#912296 CVE-2014-3570: Correct Bignum squaring. + and other bugfixes. +- openssl.keyring: use Matt Caswells current key. + pub 2048R/0E604491 2013-04-30 + uid Matt Caswell + uid Matt Caswell + sub 2048R/E3C21B70 2013-04-30 + +- openssl-1.0.1e-fips.patch: rediffed +- openssl-1.0.1i-noec2m-fix.patch: removed (upstream) +- openssl-ocloexec.patch: rediffed + +------------------------------------------------------------------- +Tue Nov 18 09:42:50 UTC 2014 - brian@aljex.com + +- suse_version 10.1 & 10.2 x86_64 can not enable-ec_nistp_64_gcc_128 + +------------------------------------------------------------------- +Mon Nov 17 12:34:12 UTC 2014 - meissner@suse.com + +- openssl-1.0.1i-noec2m-fix.patch: only report the Elliptic Curves + we actually support (not the binary ones) (bnc#905037) + +------------------------------------------------------------------- +Fri Nov 7 22:09:27 UTC 2014 - brian@aljex.com + +- openSUSE < 11.2 doesn't have accept4() + +------------------------------------------------------------------- +Tue Oct 21 19:58:31 UTC 2014 - crrodriguez@opensuse.org + +- openSSL 1.0.1j +* Fix SRTP Memory Leak (CVE-2014-3513) +* Session Ticket Memory Leak (CVE-2014-3567) +* Add SSL 3.0 Fallback protection (TLS_FALLBACK_SCSV) +* Build option no-ssl3 is incomplete (CVE-2014-3568) + +------------------------------------------------------------------- +Thu Aug 21 15:05:43 UTC 2014 - meissner@suse.com + +- openssl.keyring: the 1.0.1i release was done by + Matt Caswell UK 0E604491 + +------------------------------------------------------------------- +Thu Aug 14 10:27:07 UTC 2014 - vcizek@suse.com + +- rename README.SuSE (old spelling) to README.SUSE (bnc#889013) + +------------------------------------------------------------------- +Wed Aug 13 17:43:21 UTC 2014 - vcizek@suse.com + +- update to 1.0.1i + * Fix SRP buffer overrun vulnerability. Invalid parameters passed to the + SRP code can be overrun an internal buffer. Add sanity check that + g, A, B < N to SRP code. + (CVE-2014-3512) + * A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate + TLS 1.0 instead of higher protocol versions when the ClientHello message + is badly fragmented. This allows a man-in-the-middle attacker to force a + downgrade to TLS 1.0 even if both the server and the client support a + higher protocol version, by modifying the client's TLS records. + (CVE-2014-3511) + * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject + to a denial of service attack. A malicious server can crash the client + with a null pointer dereference (read) by specifying an anonymous (EC)DH + ciphersuite and sending carefully crafted handshake messages. + (CVE-2014-3510) + * By sending carefully crafted DTLS packets an attacker could cause openssl + to leak memory. This can be exploited through a Denial of Service attack. + (CVE-2014-3507) + * An attacker can force openssl to consume large amounts of memory whilst + processing DTLS handshake messages. This can be exploited through a + Denial of Service attack. + (CVE-2014-3506) + * An attacker can force an error condition which causes openssl to crash + whilst processing DTLS packets due to memory being freed twice. This + can be exploited through a Denial of Service attack. + (CVE-2014-3505) + * If a multithreaded client connects to a malicious server using a resumed + session and the server sends an ec point format extension it could write + up to 255 bytes to freed memory. + (CVE-2014-3509) + * A malicious server can crash an OpenSSL client with a null pointer + dereference (read) by specifying an SRP ciphersuite even though it was not + properly negotiated with the client. This can be exploited through a + Denial of Service attack. + (CVE-2014-5139) + * A flaw in OBJ_obj2txt may cause pretty printing functions such as + X509_name_oneline, X509_name_print_ex et al. to leak some information + from the stack. Applications may be affected if they echo pretty printing + output to the attacker. + (CVE-2014-3508) + * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) + for corner cases. (Certain input points at infinity could lead to + bogus results, with non-infinity inputs mapped to infinity too.) +- refreshed patches: + * openssl-1.0.1e-new-fips-reqs.patch + * 0005-libssl-Hide-library-private-symbols.patch + (thanks to Marcus Meissner) + +------------------------------------------------------------------- +Mon Jul 21 10:49:35 UTC 2014 - jengelh@inai.de + +- Move manpages around: *.1ssl should be in openssl + (e.g. ciphers(1ssl) is also referenced by openssl(1)), + and *.3ssl should be in openssl-doc. + +------------------------------------------------------------------- +Tue Jun 24 08:22:24 UTC 2014 - meissner@suse.com + +- recommend: ca-certificates-mozilla instead of openssl-certs + +------------------------------------------------------------------- +Thu Jun 5 14:37:19 UTC 2014 - meissner@suse.com + +- updated openssl to 1.0.1h (bnc#880891): + - CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted + handshake can force the use of weak keying material in OpenSSL + SSL/TLS clients and servers. + - CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an + OpenSSL DTLS client the code can be made to recurse eventually crashing + in a DoS attack. + - CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer + overrun attack can be triggered by sending invalid DTLS fragments to + an OpenSSL DTLS client or server. This is potentially exploitable to + run arbitrary code on a vulnerable client or server. + - CVE-2014-3470: Fix bug in TLS code where clients enable anonymous + ECDH ciphersuites are subject to a denial of service attack. +- openssl-buffreelistbug-aka-CVE-2010-5298.patch: removed, upstream +- CVE-2014-0198.patch: removed, upstream +- 0009-Fix-double-frees.patch: removed, upstream +- 0012-Fix-eckey_priv_encode.patch: removed, upstream +- 0017-Double-free-in-i2o_ECPublicKey.patch: removed, upstream +- 0018-fix-coverity-issues-966593-966596.patch: removed, upstream +- 0020-Initialize-num-properly.patch: removed, upstream +- 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch: removed, upstream +- 0023-evp-prevent-underflow-in-base64-decoding.patch: removed, upstream +- 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch: removed, upstream +- 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch: removed, upstream + +- 0001-libcrypto-Hide-library-private-symbols.patch: disabled heartbeat testcase +- openssl-1.0.1c-ipv6-apps.patch: refreshed +- openssl-fix-pod-syntax.diff: some stuff merged upstream, refreshed + +------------------------------------------------------------------- +Wed May 21 12:19:53 UTC 2014 - vpereira@novell.com + +- Added new SUSE default cipher suite + openssl-1.0.1e-add-suse-default-cipher.patch + openssl-1.0.1e-add-suse-default-cipher-header.patch + openssl-1.0.1e-add-test-suse-default-cipher-suite.patch + +------------------------------------------------------------------- +Fri May 9 04:42:46 UTC 2014 - crrodriguez@opensuse.org + +- Add upstream patches fixing coverity scan issues: +* 0018-fix-coverity-issues-966593-966596.patch +* 0020-Initialize-num-properly.patch +* 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch +* 0023-evp-prevent-underflow-in-base64-decoding.patch +* 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch +* 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch + +- Update 0001-libcrypto-Hide-library-private-symbols.patch + to cover more private symbols, now 98% complete and probably + not much more can be done to fix the rest of the ill-defined API. + +- openssl-fips-hidden.patch new, hides private symbols added by the + FIPS patches. + +- openssl-no-egd.patch disable the EGD (entropy gathering daemon) + interface, we have no EGD in the distro and obtaining entropy from + a place other than /dev/*random, the hardware rng or the openSSL + internal PRNG is an extremely bad & dangerous idea. + +- use secure_getenv instead of getenv everywhere. + +------------------------------------------------------------------- +Mon May 5 16:25:17 UTC 2014 - crrodriguez@opensuse.org + +- 0005-libssl-Hide-library-private-symbols.patch + Update to hide more symbols that are not part of + the public API + +- openssl-gcc-attributes.patch BUF_memdup also + needs attribute alloc_size as it returns memory + of size of the second parameter. + +- openssl-ocloexec.patch Update, accept() + also needs O_CLOEXEC. + +- 0009-Fix-double-frees.patch, 0017-Double-free-in-i2o_ECPublicKey.patch + fix various double frees (from upstream) + +- 012-Fix-eckey_priv_encode.patch eckey_priv_encode should + return an error inmediately on failure of i2d_ECPrivateKey (from upstream) + +- 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch + From libressl, modified to work on linux systems that do not have + funopen() but fopencookie() instead. + Once upon a time, OS didn't have snprintf, which caused openssl to + bundle a *printf implementation. We know better nowadays, the glibc + implementation has buffer overflow checking, has sane failure modes + deal properly with threads, signals..etc.. + +- build with -fno-common as well. + +------------------------------------------------------------------- +Mon May 5 06:45:19 UTC 2014 - citypw@gmail.com + +- Fixed bug[ bnc#876282], CVE-2014-0198 openssl: OpenSSL NULL pointer dereference in do_ssl3_write + Add file: CVE-2014-0198.patch + +------------------------------------------------------------------- +Sun Apr 20 00:53:34 UTC 2014 - crrodriguez@opensuse.org + +- Build everything with full RELRO (-Wl,-z,relro,-z,now) +- Remove -fstack-protector from the hardcoded build options + it is already in RPM_OPT_FLAGS and is replaced by + -fstack-protector-strong with gcc 4.9 + +------------------------------------------------------------------- +Sun Apr 20 00:49:25 UTC 2014 - crrodriguez@opensuse.org + +- Remove the "gmp" and "capi" shared engines, nobody noticed + but they are just dummies that do nothing. + +------------------------------------------------------------------- +Sat Apr 19 22:29:10 UTC 2014 - crrodriguez@opensuse.org + +- Use enable-rfc3779 to allow projects such as rpki.net + to work in openSUSE and match the functionality + available in Debian/Fedora/etc + +------------------------------------------------------------------- +Sat Apr 19 22:22:01 UTC 2014 - crrodriguez@opensuse.org + +- openssl-buffreelistbug-aka-CVE-2010-5298.patch fix + CVE-2010-5298 and disable the internal BUF_FREELISTS + functionality. it hides bugs like heartbleed and is + there only for systems on which malloc() free() are slow. + +- ensure we export MALLOC_CHECK and PERTURB during the test + suite, now that the freelist functionality is disabled it + will help to catch bugs before they hit users. + +------------------------------------------------------------------- +Sat Apr 19 03:45:20 UTC 2014 - crrodriguez@opensuse.org + +- openssl-libssl-noweakciphers.patch do not offer "export" + or "low" quality ciphers by default. using such ciphers + is not forbidden but requires an explicit request + +------------------------------------------------------------------- +Fri Apr 18 14:07:47 UTC 2014 - crrodriguez@opensuse.org + +- openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does + not return memory of "num * old_num" but only "num" size + fortunately this function is currently unused. + +------------------------------------------------------------------- +Fri Apr 11 02:40:34 UTC 2014 - crrodriguez@opensuse.org + +- openssl-gcc-attributes.patch + * annotate memory allocation wrappers with attribute(alloc_size) + so the compiler can tell us if it knows they are being misused + * OPENSSL_showfatal is annotated with attribute printf to detect + format string problems. + +- It is time to try to disable SSLv2 again, it was tried a while + ago but broke too many things, nowadays Debian, Ubuntu, the BSDs + all have disabled it, most components are already fixed. + I will fix the remaining fallout if any. (email me) + +------------------------------------------------------------------- +Tue Apr 8 08:12:38 UTC 2014 - dmueller@suse.com + +- update to 1.0.1g: + * fix for critical TLS heartbeat read overrun (CVE-2014-0160) (bnc#872299) + * Fix for Recovering OpenSSL ECDSA Nonces (CVE-2014-0076) (bnc#869945) + * Workaround for the "TLS hang bug" (see FAQ and PR#2771) +- remove CVE-2014-0076.patch + +- openssl.keyring: upstream changed to: + pub 4096R/FA40E9E2 2005-03-19 Dr Stephen N Henson + uid Dr Stephen Henson + uid Dr Stephen Henson + +------------------------------------------------------------------- +Tue Mar 25 08:11:11 UTC 2014 - shchang@suse.com + +- Fix bug[ bnc#869945] CVE-2014-0076: openssl: Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack + Add file: CVE-2014-0076.patch + +------------------------------------------------------------------- +Mon Mar 3 06:44:52 UTC 2014 - shchang@suse.com + +- additional changes required for FIPS validation( from Fedora repo) + Add patch file: openssl-1.0.1e-new-fips-reqs.patch + +------------------------------------------------------------------- +Sat Jan 11 08:42:54 UTC 2014 - shchang@suse.com + +- Remove GCC option "-O3" for compiliation issue of ARM version + Modify: openssl.spec + +------------------------------------------------------------------- +Fri Jan 10 14:43:20 UTC 2014 - shchang@suse.com + +- Adjust the installation path( libopenssl/hmac into /lib or /lib64) + Modify files: README-FIPS.txt openssl.spec + +------------------------------------------------------------------- +Thu Jan 9 23:08:29 UTC 2014 - andreas.stieger@gmx.de + +- 1.0.1f: + * Fix for TLS record tampering bug CVE-2013-4353 +- already included: + * Fix for TLS version checking bug CVE-2013-6449 + * Fix for DTLS retransmission bug CVE-2013-6450 +- removed patches: + * CVE-2013-6449.patch, committed upstream + * CVE-2013-6450.patch, committed upstream + * SSL_get_certificate-broken.patch, committed upstream + * openssl-1.0.1e-bnc822642.patch, committed upstream +- modified patches: + * openssl-1.0.1e-fips.patch, adjust for upstream changes + * openssl-fix-pod-syntax.diff, adjust for upstream changes + +------------------------------------------------------------------- +Wed Jan 8 22:01:36 UTC 2014 - andreas.stieger@gmx.de + +- add a gpg keyring for source tarball + +------------------------------------------------------------------- +Wed Jan 8 10:57:24 UTC 2014 - shchang@suse.com + +- Fixed bnc#857850, openssl doesn't load engine + Modify file: openssl.spec + +------------------------------------------------------------------- +Thu Jan 2 17:28:41 UTC 2014 - shchang@suse.com + +- Fixed bnc#857203, openssl: crash in DTLS renegotiation after packet loss + Add file: CVE-2013-6450.patch + +------------------------------------------------------------------- +Sun Dec 22 08:10:55 UTC 2013 - shchang@suse.com + +- Fixed bnc#856687, openssl: crash when using TLS 1.2 + Add file: CVE-2013-6449.patch + +------------------------------------------------------------------- +Tue Dec 17 13:57:40 UTC 2013 - meissner@suse.com + +- compression_methods_switch.patch: setenv might not be successful + if a surrounding library or application filters it, like e.g. sudo. + As setenv() does not seem to be useful anyway, remove it. + bnc#849377 + +------------------------------------------------------------------- +Mon Dec 16 04:28:09 UTC 2013 - shchang@suse.com + +- Adjust the installation path. + Modify files: README-FIPS.txt openssl.spec + +------------------------------------------------------------------- +Fri Dec 6 08:07:06 UTC 2013 - lnussel@suse.de + +- don't own /etc/ssl/certs, it's owned by ca-certificates + +------------------------------------------------------------------- +Tue Dec 3 12:51:15 UTC 2013 - meissner@suse.com + +- Actually enable it (in a building way) for openSUSE and SLES, + as we intended. +- Add README-FIPS.txt from SLE 11. + +------------------------------------------------------------------- +Mon Dec 2 21:15:41 UTC 2013 - crrodriguez@opensuse.org + +- Restrict the (broken beyond build) FIPS certification code + to SLE releases only, it has no value in openSUSE at all. + +------------------------------------------------------------------- +Sat Nov 23 08:23:59 UTC 2013 - shchang@suse.com + +- Patches for OpenSSL FIPS-140-2/3 certification + Add patch files: openssl-1.0.1e-fips.patch, openssl-1.0.1e-fips-ec.patch, + openssl-1.0.1e-fips-ctor.patch + +------------------------------------------------------------------- +Wed Oct 23 02:59:05 UTC 2013 - crrodriguez@opensuse.org + +- 0001-libcrypto-Hide-library-private-symbols.patch + This patch implements the libcrpto part complimentary to + 0005-libssl-Hide-library-private-symbols.patch. + This patch is however not 100% complete, as some private library + symbols are declared in public headers that shall not be touched + or are defined/declared in "perlasm". (tested in 13.1, 12.3, factory) + +- openSSL defaults to -O3 optimization level but we override + it with RPM_OPT_FLAGS, ensure we use -O3 like upstream. + +------------------------------------------------------------------- +Fri Oct 11 12:24:14 UTC 2013 - meissner@suse.com + +- openssl-1.0.1c-ipv6-apps.patch: + Support ipv6 in the openssl s_client / s_server commandline app. + +------------------------------------------------------------------- +Fri Sep 27 10:26:43 UTC 2013 - dmacvicar@suse.de + +- VPN openconnect problem (DTLS handshake failed) + (git 9fe4603b8, bnc#822642, openssl ticket#2984) + +------------------------------------------------------------------- +Wed Sep 4 18:56:38 UTC 2013 - guillaume@opensuse.org + +- Fix armv6l arch (armv7 was previously used to build armv6 which + lead to illegal instruction when used) + +------------------------------------------------------------------- +Mon Aug 12 06:05:03 UTC 2013 - shchang@suse.com + +- Fix bug[ bnc#832833] openssl ssl_set_cert_masks() is broken + modify patch file: SSL_get_certificate-broken.patch + +------------------------------------------------------------------- +Fri Aug 9 23:24:14 UTC 2013 - crrodriguez@opensuse.org + +- Via padlock is only found in x86 and x86_64 CPUs, remove + the shared module for other archs. + +------------------------------------------------------------------- +Wed Aug 7 18:30:45 UTC 2013 - crrodriguez@opensuse.org + +- Cleanup engines that are of no use in a modern linux distro +- The following engines stay: +* libcapi.so --> usable in case you have third party /dev/crypto +* libgmp.so --> may help to doing some maths using GMP +* libgost.so --> implements the GOST block cipher +* libpadlock.so --> VIA padlock support +- Al other are removed because they require third party propietary + shared libraries nowhere to be found or that we can test. + +------------------------------------------------------------------- +Wed Aug 7 18:30:23 UTC 2013 - crrodriguez@opensuse.org + +- openssl-pkgconfig.patch: Here we go.. For applications +to benefit fully of features provided by openSSL engines +(rdrand, aes-ni..etc) either builtin or in DSO form applications +have to call ENGINE_load_builtin_engines() or OPENSSL_config() +unfortunately from a total of 68 apps/libraries linked to libcrypto +in a desktop system, only 4 do so, and there is a sea of buggy +code that I dont feel like fixing. +Instead we can pass -DOPENSSL_LOAD_CONF in the pkgconfig files +so the needed operation becomes implicit the next time such apps +are recompiled, see OPENSSL_config(3) +Unfortunately this does not fix everything, because there are apps +not using pkgconfig or using it incorrectly, but it is a good start. + +------------------------------------------------------------------- +Wed Aug 7 09:33:55 UTC 2013 - dmueller@suse.com + +- add openssl-1.0.1c-default-paths.patch: + Fix from Fedora for openssl s_client not setting + CApath by default + +------------------------------------------------------------------- +Sat Aug 3 21:15:07 UTC 2013 - crrodriguez@opensuse.org + +- 0005-libssl-Hide-library-private-symbols.patch: hide + private symbols, this *only* applies to libssl where + it is straightforward to do so as applications should + not be using any of the symbols declared/defined in headers + that the library does not install. + A separate patch MAY be provided in the future for libcrypto + where things are much more complicated and threfore requires + careful testing. + +------------------------------------------------------------------- +Mon Jul 29 08:06:48 UTC 2013 - meissner@suse.com + +- compression_methods_switch.patch: Disable compression by default to + avoid the CRIME attack (CVE-2012-4929 bnc#793420) + + Can be override by setting environment variable + OPENSSL_NO_DEFAULT_ZLIB=no + +------------------------------------------------------------------- +Tue Jul 2 09:02:59 UTC 2013 - lnussel@suse.de + +- Don't use the legacy /etc/ssl/certs directory anymore but rather + the p11-kit generated /var/lib/ca-certificates/openssl one + (fate#314991, openssl-1.0.1e-truststore.diff) + +------------------------------------------------------------------- +Sat Jun 29 22:47:54 UTC 2013 - crrodriguez@opensuse.org + +- Build enable-ec_nistp_64_gcc_128, ecdh is many times faster + but only works in x86_64. + According to the openSSL team +"it is superior to the default in multiple regards (speed, and also +security as the new implementations are secure against timing +attacks)" +It is not enabled by default due to the build system being unable +to detect if the compiler supports __uint128_t. + +------------------------------------------------------------------- +Thu Jun 20 07:58:33 UTC 2013 - coolo@suse.com + +- pick openssl-fix-pod-syntax.diff out of the upstream RT to fix + build with perl 5.18 + +------------------------------------------------------------------- +Sat May 25 10:10:07 UTC 2013 - i@marguerite.su + +- add %if tag for BuildArch. sles may also need latest openssl. + +------------------------------------------------------------------- +Fri Feb 22 16:00:16 UTC 2013 - dmueller@suse.com + +- disable fstack-protector on aarch64 + +------------------------------------------------------------------- +Tue Feb 12 00:08:06 UTC 2013 - hrvoje.senjan@gmail.com + +- Update to 1.0.1e + o Bugfix release (bnc#803004) +- Drop openssl-1.0.1d-s3-packet.patch, included upstream + +------------------------------------------------------------------- +Sun Feb 10 20:33:51 UTC 2013 - hrvoje.senjan@gmail.com + +- Added openssl-1.0.1d-s3-packet.patch from upstream, fixes + bnc#803004, openssl ticket#2975 + +------------------------------------------------------------------- +Tue Feb 5 16:00:17 UTC 2013 - meissner@suse.com + +- update to version 1.0.1d, fixing security issues + o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version. + o Include the fips configuration module. + o Fix OCSP bad key DoS attack CVE-2013-0166 + o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169 + bnc#802184 + o Fix for TLS AESNI record handling flaw CVE-2012-2686 + +------------------------------------------------------------------- +Mon Nov 12 08:39:31 UTC 2012 - gjhe@suse.com + +- fix bug[bnc#784994] - VIA padlock support on 64 systems + e_padlock: add support for x86_64 gcc + +------------------------------------------------------------------- +Sun Aug 19 23:38:32 UTC 2012 - crrodriguez@opensuse.org + +- Open Internal file descriptors with O_CLOEXEC, leaving + those open across fork()..execve() makes a perfect + vector for a side-channel attack... + +------------------------------------------------------------------- +Tue Aug 7 17:17:34 UTC 2012 - dmueller@suse.com + +- fix build on armv5 (bnc#774710) + +------------------------------------------------------------------- +Thu May 10 19:18:06 UTC 2012 - crrodriguez@opensuse.org + +- Update to version 1.0.1c for the complete list of changes see + NEWS, this only list packaging changes. +- Drop aes-ni patch, no longer needed as it is builtin in openssl + now. +- Define GNU_SOURCE and use -std=gnu99 to build the package. +- Use LFS_CFLAGS in platforms where it matters. + +------------------------------------------------------------------- +Fri May 4 12:09:57 UTC 2012 - lnussel@suse.de + +- don't install any demo or expired certs at all + +------------------------------------------------------------------- +Mon Apr 23 05:57:35 UTC 2012 - gjhe@suse.com + +- update to latest stable verison 1.0.0i + including the following patches: + CVE-2012-2110.path + Bug748738_Tolerate_bad_MIME_headers.patch + bug749213-Free-headers-after-use.patch + bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch + CVE-2012-1165.patch + CVE-2012-0884.patch + bug749735.patch + +------------------------------------------------------------------- +Tue Mar 27 09:16:37 UTC 2012 - gjhe@suse.com + +- fix bug[bnc#749735] - Memory leak when creating public keys. + fix bug[bnc#751977] - CMS and S/MIME Bleichenbacher attack + CVE-2012-0884 + +------------------------------------------------------------------- +Thu Mar 22 03:24:20 UTC 2012 - gjhe@suse.com + +- fix bug[bnc#751946] - S/MIME verification may erroneously fail + CVE-2012-1165 + +------------------------------------------------------------------- +Wed Mar 21 02:44:41 UTC 2012 - gjhe@suse.com + +- fix bug[bnc#749213]-Free headers after use in error message + and bug[bnc#749210]-Symmetric crypto errors in PKCS7_decrypt + +------------------------------------------------------------------- +Tue Mar 20 14:29:24 UTC 2012 - cfarrell@suse.com + +- license update: OpenSSL + +------------------------------------------------------------------- +Fri Feb 24 02:33:22 UTC 2012 - gjhe@suse.com + +- fix bug[bnc#748738] - Tolerate bad MIME headers in openssl's + asn1 parser. + CVE-2006-7250 + +------------------------------------------------------------------- +Thu Feb 2 06:55:12 UTC 2012 - gjhe@suse.com + +- Update to version 1.0.0g fix the following: + DTLS DoS attack (CVE-2012-0050) + +------------------------------------------------------------------- +Wed Jan 11 05:35:18 UTC 2012 - gjhe@suse.com + +- Update to version 1.0.0f fix the following: + DTLS Plaintext Recovery Attack (CVE-2011-4108) + Uninitialized SSL 3.0 Padding (CVE-2011-4576) + Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577) + SGC Restart DoS Attack (CVE-2011-4619) + Invalid GOST parameters DoS Attack (CVE-2012-0027) + +------------------------------------------------------------------- +Tue Oct 18 16:43:50 UTC 2011 - crrodriguez@opensuse.org + +- AES-NI: Check the return value of Engine_add() + if the ENGINE_add() call fails: it ends up adding a reference + to a freed up ENGINE which is likely to subsequently contain garbage + This will happen if an ENGINE with the same name is added multiple + times,for example different libraries. [bnc#720601] + +------------------------------------------------------------------- +Sat Oct 8 21:36:58 UTC 2011 - crrodriguez@opensuse.org + +- Build with -DSSL_FORBID_ENULL so servers are not + able to use the NULL encryption ciphers (Those offering no + encryption whatsoever). + +------------------------------------------------------------------- +Wed Sep 7 14:29:41 UTC 2011 - crrodriguez@opensuse.org + +- Update to openssl 1.0.0e fixes CVE-2011-3207 and CVE-2011-3210 + see http://openssl.org/news/secadv_20110906.txt for details. + +------------------------------------------------------------------- +Sat Aug 6 00:33:47 UTC 2011 - crrodriguez@opensuse.org + +- Add upstream patch that calls ENGINE_register_all_complete() + in ENGINE_load_builtin_engines() saving us from adding dozens + of calls to such function to calling applications. + +------------------------------------------------------------------- +Fri Aug 5 19:09:42 UTC 2011 - crrodriguez@opensuse.org + +- remove -fno-strict-aliasing from CFLAGS no longer needed + and is likely to slow down stuff. + +------------------------------------------------------------------- +Mon Jul 25 19:07:32 UTC 2011 - jengelh@medozas.de + +- Edit baselibs.conf to provide libopenssl-devel-32bit too + +------------------------------------------------------------------- +Fri Jun 24 04:51:50 UTC 2011 - gjhe@novell.com + +- update to latest stable version 1.0.0d. + patch removed(already in the new package): + CVE-2011-0014 + patch added: + ECDSA_signatures_timing_attack.patch + +------------------------------------------------------------------- +Tue May 31 07:07:49 UTC 2011 - gjhe@novell.com + +- fix bug[bnc#693027]. + Add protection against ECDSA timing attacks as mentioned in the paper + by Billy Bob Brumley and Nicola Tuveri, see: + http://eprint.iacr.org/2011/232.pdf + [Billy Bob Brumley and Nicola Tuveri] + +------------------------------------------------------------------- +Mon May 16 14:38:26 UTC 2011 - andrea@opensuse.org + +- added openssl as dependency in the devel package + +------------------------------------------------------------------- +Thu Feb 10 07:42:01 UTC 2011 - gjhe@novell.com + +- fix bug [bnc#670526] + CVE-2011-0014,OCSP stapling vulnerability + +------------------------------------------------------------------- +Sat Jan 15 19:58:51 UTC 2011 - cristian.rodriguez@opensuse.org + +- Add patch from upstream in order to support AES-NI instruction + set present on current Intel and AMD processors + +------------------------------------------------------------------- +Mon Jan 10 11:45:27 CET 2011 - meissner@suse.de + +- enable -DPURIFY to avoid valgrind errors. + +------------------------------------------------------------------- +Thu Dec 9 07:04:32 UTC 2010 - gjhe@novell.com + +- update to stable version 1.0.0c. + patch included: + CVE-2010-1633_and_CVE-2010-0742.patch + patchset-19727.diff + CVE-2010-2939.patch + CVE-2010-3864.patch + +------------------------------------------------------------------- +Thu Nov 18 07:53:12 UTC 2010 - gjhe@novell.com + +- fix bug [bnc#651003] + CVE-2010-3864 + +------------------------------------------------------------------- +Sat Sep 25 08:55:02 UTC 2010 - gjhe@novell.com + +- fix bug [bnc#629905] + CVE-2010-2939 + +------------------------------------------------------------------- +Wed Jul 28 20:55:18 UTC 2010 - cristian.rodriguez@opensuse.org + +- Exclude static libraries, see what breaks and fix that + instead + +------------------------------------------------------------------- +Wed Jun 30 08:47:39 UTC 2010 - jengelh@medozas.de + +- fix two compile errors on SPARC + +------------------------------------------------------------------- +Tue Jun 15 09:53:54 UTC 2010 - bg@novell.com + +- -fstack-protector is not supported on hppa + +------------------------------------------------------------------- +Fri Jun 4 07:11:28 UTC 2010 - gjhe@novell.com + +- fix bnc #610642 + CVE-2010-0742 + CVE-2010-1633 + +------------------------------------------------------------------- +Mon May 31 03:06:39 UTC 2010 - gjhe@novell.com + +- fix bnc #610223,change Configure to tell openssl to load engines + from /%{_lib} instead of %{_libdir} + +------------------------------------------------------------------- +Mon May 10 16:11:54 UTC 2010 - aj@suse.de + +- Do not compile in build time but use mtime of changes file instead. + This allows build-compare to identify that no changes have happened. + +------------------------------------------------------------------- +Tue May 4 02:55:52 UTC 2010 - gjhe@novell.com + +- build libopenssl to /%{_lib} dir,and keep only one + libopenssl-devel for new developping programs. + +------------------------------------------------------------------- +Tue Apr 27 05:44:32 UTC 2010 - gjhe@novell.com + +- build libopenssl and libopenssl-devel to a version directory + +------------------------------------------------------------------- +Sat Apr 24 09:46:37 UTC 2010 - coolo@novell.com + +- buildrequire pkg-config to fix provides + +------------------------------------------------------------------- +Wed Apr 21 13:54:15 UTC 2010 - lnussel@suse.de + +- also create old certificate hash in /etc/ssl/certs for + compatibility with applications that still link against 0.9.8 + +------------------------------------------------------------------- +Mon Apr 12 16:12:08 CEST 2010 - meissner@suse.de + +- Disable our own build targets, instead use the openSSL provided ones + as they are now good (or should be good at least). + +- add -Wa,--noexecstack to the Configure call, this is the upstream + approved way to avoid exec-stack marking + +------------------------------------------------------------------- +Mon Apr 12 04:57:17 UTC 2010 - gjhe@novell.com + +- update to 1.0.0 + Merge the following patches from 0.9.8k: + openssl-0.9.6g-alpha.diff + openssl-0.9.7f-ppc64.diff + openssl-0.9.8-flags-priority.dif + openssl-0.9.8-sparc.dif + openssl-allow-arch.diff + openssl-hppa-config.diff + +------------------------------------------------------------------- +Fri Apr 9 11:42:51 CEST 2010 - meissner@suse.de + +- fixed "exectuable stack" for libcrypto.so issue on i586 by + adjusting the assembler output during MMX builds. + +------------------------------------------------------------------- +Wed Apr 7 14:08:05 CEST 2010 - meissner@suse.de + +- Openssl is now partially converted to libdir usage upstream, + merge that in to fix lib64 builds. + +------------------------------------------------------------------- +Thu Mar 25 02:18:22 UTC 2010 - gjhe@novell.com + +- fix security bug [bnc#590833] + CVE-2010-0740 + +------------------------------------------------------------------- +Mon Mar 22 06:29:14 UTC 2010 - gjhe@novell.com + +- update to version 0.9.8m + Merge the following patches from 0.9.8k: + bswap.diff + non-exec-stack.diff + openssl-0.9.6g-alpha.diff + openssl-0.9.7f-ppc64.diff + openssl-0.9.8-flags-priority.dif + openssl-0.9.8-sparc.dif + openssl-allow-arch.diff + openssl-hppa-config.diff + +------------------------------------------------------------------- +Fri Feb 5 01:24:55 UTC 2010 - jengelh@medozas.de + +- build openssl for sparc64 + +------------------------------------------------------------------- +Mon Dec 14 16:11:11 CET 2009 - jengelh@medozas.de + +- add baselibs.conf as a source +- package documentation as noarch + +------------------------------------------------------------------- +Tue Nov 3 19:09:35 UTC 2009 - coolo@novell.com + +- updated patches to apply with fuzz=0 + +------------------------------------------------------------------- +Tue Sep 1 10:21:16 CEST 2009 - gjhe@novell.com + +- fix Bug [bnc#526319] + +------------------------------------------------------------------- +Wed Aug 26 11:24:16 CEST 2009 - coolo@novell.com + +- use %patch0 for Patch0 + +------------------------------------------------------------------- +Fri Jul 3 11:53:48 CEST 2009 - gjhe@novell.com + +- update to version 0.9.8k +- patches merged upstream: + openssl-CVE-2008-5077.patch + openssl-CVE-2009-0590.patch + openssl-CVE-2009-0591.patch + openssl-CVE-2009-0789.patch + openssl-CVE-2009-1377.patch + openssl-CVE-2009-1378.patch + openssl-CVE-2009-1379.patch + openssl-CVE-2009-1386.patch + openssl-CVE-2009-1387.patch + +------------------------------------------------------------------- +Tue Jun 30 05:17:26 CEST 2009 - gjhe@novell.com + +- fix security bug [bnc#509031] + CVE-2009-1386 + CVE-2009-1387 + +------------------------------------------------------------------- +Tue Jun 30 05:16:39 CEST 2009 - gjhe@novell.com + +- fix security bug [bnc#504687] + CVE-2009-1377 + CVE-2009-1378 + CVE-2009-1379 + +------------------------------------------------------------------- +Wed Apr 15 12:28:29 CEST 2009 - gjhe@suse.de + +- fix security bug [bnc#489641] + CVE-2009-0590 + CVE-2009-0591 + CVE-2009-0789 + +------------------------------------------------------------------- +Wed Jan 7 12:34:56 CET 2009 - olh@suse.de + +- obsolete old -XXbit packages (bnc#437293) + +------------------------------------------------------------------- +Thu Dec 18 08:15:12 CET 2008 - jshi@suse.de + +- fix security bug [bnc#459468] + CVE-2008-5077 + +------------------------------------------------------------------- +Tue Dec 9 11:32:50 CET 2008 - xwhu@suse.de + +- Disable optimization for s390x + +------------------------------------------------------------------- +Mon Dec 8 12:12:14 CET 2008 - xwhu@suse.de + +- Disable optimization of md4 + +------------------------------------------------------------------- +Mon Nov 10 10:22:04 CET 2008 - xwhu@suse.de + +- Disable optimization of ripemd [bnc#442740] + +------------------------------------------------------------------- +Tue Oct 14 09:08:47 CEST 2008 - xwhu@suse.de + +- Passing string as struct cause openssl segment-fault [bnc#430141] + +------------------------------------------------------------------- +Wed Jul 16 12:02:37 CEST 2008 - mkoenig@suse.de + +- do not require openssl-certs, but rather recommend it + to avoid dependency cycle [bnc#408865] + +------------------------------------------------------------------- +Wed Jul 9 12:53:27 CEST 2008 - mkoenig@suse.de + +- remove the certs subpackage from the openssl package + and move the CA root certificates into a package of its own + +------------------------------------------------------------------- +Tue Jun 24 09:09:04 CEST 2008 - mkoenig@suse.de + +- update to version 0.9.8h +- openssl does not ship CA root certificates anymore + keep certificates that SuSE is already shipping +- resolves bad array index (function has been removed) [bnc#356549] +- removed patches + openssl-0.9.8g-fix_dh_for_certain_moduli.patch + openssl-CVE-2008-0891.patch + openssl-CVE-2008-1672.patch + +------------------------------------------------------------------- +Wed May 28 15:04:08 CEST 2008 - mkoenig@suse.de + +- fix OpenSSL Server Name extension crash (CVE-2008-0891) + and OpenSSL Omit Server Key Exchange message crash (CVE-2008-1672) + [bnc#394317] + +------------------------------------------------------------------- +Wed May 21 20:48:39 CEST 2008 - cthiel@suse.de + +- fix baselibs.conf + +------------------------------------------------------------------- +Tue Apr 22 14:39:35 CEST 2008 - mkoenig@suse.de + +- add -DMD32_REG_T=int for x86_64 and ia64 [bnc#381844] + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Mon Nov 5 14:27:06 CET 2007 - mkoenig@suse.de + +- fix Diffie-Hellman failure with certain prime lengths + +------------------------------------------------------------------- +Mon Oct 22 15:00:21 CEST 2007 - mkoenig@suse.de + +- update to version 0.9.8g: + * fix some bugs introduced with 0.9.8f + +------------------------------------------------------------------- +Mon Oct 15 11:17:14 CEST 2007 - mkoenig@suse.de + +- update to version 0.9.8f: + * fixes CVE-2007-3108, CVE-2007-5135, CVE-2007-4995 +- patches merged upstream: + openssl-0.9.8-key_length.patch + openssl-CVE-2007-3108-bug296511 + openssl-CVE-2007-5135.patch + openssl-gcc42.patch + openssl-gcc42_b.patch + openssl-s390-config.diff + +------------------------------------------------------------------- +Mon Oct 1 11:29:55 CEST 2007 - mkoenig@suse.de + +- fix buffer overflow CVE-2007-5135 [#329208] + +------------------------------------------------------------------- +Wed Sep 5 11:39:26 CEST 2007 - mkoenig@suse.de + +- fix another gcc 4.2 build problem [#307669] + +------------------------------------------------------------------- +Fri Aug 3 14:17:27 CEST 2007 - coolo@suse.de + +- provide the version obsoleted (#293401) + +------------------------------------------------------------------- +Wed Aug 1 18:01:45 CEST 2007 - werner@suse.de + +- Add patch from CVS for RSA key reconstruction vulnerability + (CVE-2007-3108, VU#724968, bug #296511) + +------------------------------------------------------------------- +Thu May 24 16:18:50 CEST 2007 - mkoenig@suse.de + +- fix build with gcc-4.2 + openssl-gcc42.patch +- do not install example scripts with executable permissions + +------------------------------------------------------------------- +Mon Apr 30 01:32:44 CEST 2007 - ro@suse.de + +- adapt requires + +------------------------------------------------------------------- +Fri Apr 27 15:25:13 CEST 2007 - mkoenig@suse.de + +- Do not use dots in package name +- explicitly build with gcc-4.1 because of currently unresolved + failures with gcc-4.2 + +------------------------------------------------------------------- +Wed Apr 25 12:32:44 CEST 2007 - mkoenig@suse.de + +- Split/rename package to follow library packaging policy [#260219] + New package libopenssl0.9.8 containing shared libs + openssl-devel package renamed to libopenssl-devel + New package openssl-certs containing certificates +- add zlib-devel to Requires of devel package +- remove old Obsoletes and Conflicts + openssls (Last used Nov 2000) + ssleay (Last used 6.2) + +------------------------------------------------------------------- +Mon Apr 23 11:17:57 CEST 2007 - mkoenig@suse.de + +- Fix key length [#254905,#262477] + +------------------------------------------------------------------- +Tue Mar 6 10:38:10 CET 2007 - mkoenig@suse.de + +- update to version 0.9.8e: + * patches merged upstream: + openssl-CVE-2006-2940-fixup.patch + openssl-0.9.8d-padlock-static.patch + +------------------------------------------------------------------- +Tue Jan 9 14:30:28 CET 2007 - mkoenig@suse.de + +- fix PadLock support [#230823] + +------------------------------------------------------------------- +Thu Nov 30 14:33:51 CET 2006 - mkoenig@suse.de + +- enable fix for CVE-2006-2940 [#223040], SWAMP-ID 7198 + +------------------------------------------------------------------- +Mon Nov 6 18:35:10 CET 2006 - poeml@suse.de + +- configure with 'zlib' instead of 'zlib-dynamic'. Build with the + latter, there are problems opening the libz when running on the + Via Epia or vmware platforms. [#213305] + +------------------------------------------------------------------- +Wed Oct 4 15:07:55 CEST 2006 - poeml@suse.de + +- add patch for the CVE-2006-2940 fix: the newly introduced limit + on DH modulus size could lead to a crash when exerted. [#208971] + Discovered and fixed after the 0.9.8d release. + +------------------------------------------------------------------- +Fri Sep 29 18:37:01 CEST 2006 - poeml@suse.de + +- update to 0.9.8d + *) Introduce limits to prevent malicious keys being able to + cause a denial of service. (CVE-2006-2940) + *) Fix ASN.1 parsing of certain invalid structures that can result + in a denial of service. (CVE-2006-2937) + *) Fix buffer overflow in SSL_get_shared_ciphers() function. + (CVE-2006-3738) + *) Fix SSL client code which could crash if connecting to a + malicious SSLv2 server. (CVE-2006-4343) + *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites + match only those. Before that, "AES256-SHA" would be interpreted + as a pattern and match "AES128-SHA" too (since AES128-SHA got + the same strength classification in 0.9.7h) as we currently only + have a single AES bit in the ciphersuite description bitmap. + That change, however, also applied to ciphersuite strings such as + "RC4-MD5" that intentionally matched multiple ciphersuites -- + namely, SSL 2.0 ciphersuites in addition to the more common ones + from SSL 3.0/TLS 1.0. + So we change the selection algorithm again: Naming an explicit + ciphersuite selects this one ciphersuite, and any other similar + ciphersuite (same bitmap) from *other* protocol versions. + Thus, "RC4-MD5" again will properly select both the SSL 2.0 + ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite. + Since SSL 2.0 does not have any ciphersuites for which the + 128/256 bit distinction would be relevant, this works for now. + The proper fix will be to use different bits for AES128 and + AES256, which would have avoided the problems from the beginning; + however, bits are scarce, so we can only do this in a new release + (not just a patchlevel) when we can change the SSL_CIPHER + definition to split the single 'unsigned long mask' bitmap into + multiple values to extend the available space. +- not in mentioned in CHANGES: patch for CVE-2006-4339 corrected + [openssl.org #1397] + +------------------------------------------------------------------- +Fri Sep 8 20:33:40 CEST 2006 - schwab@suse.de + +- Fix inverted logic. + +------------------------------------------------------------------- +Wed Sep 6 17:56:08 CEST 2006 - poeml@suse.de + +- update to 0.9.8c + Changes between 0.9.8b and 0.9.8c [05 Sep 2006] + *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher + (CVE-2006-4339) [Ben Laurie and Google Security Team] + *) Add AES IGE and biIGE modes. [Ben Laurie] + *) Change the Unix randomness entropy gathering to use poll() when + possible instead of select(), since the latter has some + undesirable limitations. [Darryl Miles via Richard Levitte and Bodo Moeller] + *) Disable "ECCdraft" ciphersuites more thoroughly. Now special + treatment in ssl/ssl_ciph.s makes sure that these ciphersuites + cannot be implicitly activated as part of, e.g., the "AES" alias. + However, please upgrade to OpenSSL 0.9.9[-dev] for + non-experimental use of the ECC ciphersuites to get TLS extension + support, which is required for curve and point format negotiation + to avoid potential handshake problems. [Bodo Moeller] + *) Disable rogue ciphersuites: + - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") + - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") + - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") + The latter two were purportedly from + draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really + appear there. + Also deactive the remaining ciphersuites from + draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as + unofficial, and the ID has long expired. [Bodo Moeller] + *) Fix RSA blinding Heisenbug (problems sometimes occured on + dual-core machines) and other potential thread-safety issues. + [Bodo Moeller] + *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key + versions), which is now available for royalty-free use + (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html). + Also, add Camellia TLS ciphersuites from RFC 4132. + To minimize changes between patchlevels in the OpenSSL 0.9.8 + series, Camellia remains excluded from compilation unless OpenSSL + is configured with 'enable-camellia'. [NTT] + *) Disable the padding bug check when compression is in use. The padding + bug check assumes the first packet is of even length, this is not + necessarily true if compresssion is enabled and can result in false + positives causing handshake failure. The actual bug test is ancient + code so it is hoped that implementations will either have fixed it by + now or any which still have the bug do not support compression. + [Steve Henson] + Changes between 0.9.8a and 0.9.8b [04 May 2006] + *) When applying a cipher rule check to see if string match is an explicit + cipher suite and only match that one cipher suite if it is. [Steve Henson] + *) Link in manifests for VC++ if needed. [Austin Ziegler ] + *) Update support for ECC-based TLS ciphersuites according to + draft-ietf-tls-ecc-12.txt with proposed changes (but without + TLS extensions, which are supported starting with the 0.9.9 + branch, not in the OpenSSL 0.9.8 branch). [Douglas Stebila] + *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support + opaque EVP_CIPHER_CTX handling. [Steve Henson] + *) Fixes and enhancements to zlib compression code. We now only use + "zlib1.dll" and use the default __cdecl calling convention on Win32 + to conform with the standards mentioned here: + http://www.zlib.net/DLL_FAQ.txt + Static zlib linking now works on Windows and the new --with-zlib-include + --with-zlib-lib options to Configure can be used to supply the location + of the headers and library. Gracefully handle case where zlib library + can't be loaded. [Steve Henson] + *) Several fixes and enhancements to the OID generation code. The old code + sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't + handle numbers larger than ULONG_MAX, truncated printing and had a + non standard OBJ_obj2txt() behaviour. [Steve Henson] + *) Add support for building of engines under engine/ as shared libraries + under VC++ build system. [Steve Henson] + *) Corrected the numerous bugs in the Win32 path splitter in DSO. + Hopefully, we will not see any false combination of paths any more. + [Richard Levitte] +- enable Camellia cipher. There is a royalty free license to the + patents, see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html. + NOTE: the license forbids patches to the cipher. +- build with zlib-dynamic and add zlib-devel to BuildRequires. + Allows compression of data in TLS, although few application would + actually use it since there is no standard for negotiating the + compression method. The only one I know if is stunnel. + +------------------------------------------------------------------- +Fri Jun 2 15:00:58 CEST 2006 - poeml@suse.de + +- fix built-in ENGINESDIR for 64 bit architectures. We change only + the builtin search path for engines, not the path where engines + are packaged. Path can be overridden with the OPENSSL_ENGINES + environment variable. [#179094] + +------------------------------------------------------------------- +Wed Jan 25 21:30:41 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Mon Jan 16 13:13:13 CET 2006 - mc@suse.de + +- fix build problems on s390x (openssl-s390-config.diff) +- build with -fstack-protector + +------------------------------------------------------------------- +Mon Nov 7 16:30:49 CET 2005 - dmueller@suse.de + +- build with non-executable stack + +------------------------------------------------------------------- +Thu Oct 20 17:37:47 CEST 2005 - poeml@suse.de + +- fix unguarded free() which can cause a segfault in the ca + commandline app [#128655] + +------------------------------------------------------------------- +Thu Oct 13 15:10:28 CEST 2005 - poeml@suse.de + +- add Geotrusts Equifax Root1 CA certificate, which needed to + verify the authenticity of you.novell.com [#121966] + +------------------------------------------------------------------- +Tue Oct 11 15:34:07 CEST 2005 - poeml@suse.de + +- update to 0.9.8a + *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING + (part of SSL_OP_ALL). This option used to disable the + countermeasure against man-in-the-middle protocol-version + rollback in the SSL 2.0 server implementation, which is a bad + idea. (CAN-2005-2969) + *) Add two function to clear and return the verify parameter flags. + *) Keep cipherlists sorted in the source instead of sorting them at + runtime, thus removing the need for a lock. + *) Avoid some small subgroup attacks in Diffie-Hellman. + *) Add functions for well-known primes. + *) Extended Windows CE support. + *) Initialize SSL_METHOD structures at compile time instead of during + runtime, thus removing the need for a lock. + *) Make PKCS7_decrypt() work even if no certificate is supplied by + attempting to decrypt each encrypted key in turn. Add support to + smime utility. + +------------------------------------------------------------------- +Thu Sep 29 18:53:08 CEST 2005 - poeml@suse.de + +- update to 0.9.8 + see CHANGES file or http://www.openssl.org/news/changelog.html +- adjust patches +- drop obsolete openssl-no-libc.diff +- disable libica patch until it has been ported + +------------------------------------------------------------------- +Fri May 20 11:27:12 CEST 2005 - poeml@suse.de + +- update to 0.9.7g. The significant changes are: + *) Fixes for newer kerberos headers. NB: the casts are needed because + the 'length' field is signed on one version and unsigned on another + with no (?) obvious way to tell the difference, without these VC++ + complains. Also the "definition" of FAR (blank) is no longer included + nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up + some needed definitions. + *) Added support for proxy certificates according to RFC 3820. + Because they may be a security thread to unaware applications, + they must be explicitely allowed in run-time. See + docs/HOWTO/proxy_certificates.txt for further information. + +------------------------------------------------------------------- +Tue May 17 16:28:51 CEST 2005 - schwab@suse.de + +- Include %cflags_profile_generate in ${CC} since it is required for + linking as well. +- Remove explicit reference to libc. + +------------------------------------------------------------------- +Fri Apr 8 17:27:27 CEST 2005 - poeml@suse.de + +- update to 0.9.7f. The most significant changes are: + o Several compilation issues fixed. + o Many memory allocation failure checks added. + o Improved comparison of X509 Name type. + o Mandatory basic checks on certificates. + o Performance improvements. + (for a complete list see http://www.openssl.org/source/exp/CHANGES) +- adjust openssl-0.9.7f-ppc64.diff +- drop obsolete openssl-0.9.7d-crl-default_md.dif [#55435] + +------------------------------------------------------------------- +Tue Jan 4 16:47:02 CET 2005 - poeml@suse.de + +- update to 0.9.7e + *) Avoid a race condition when CRLs are checked in a multi + threaded environment. This would happen due to the reordering + of the revoked entries during signature checking and serial + number lookup. Now the encoding is cached and the serial + number sort performed under a lock. Add new STACK function + sk_is_sorted(). + *) Add Delta CRL to the extension code. + *) Various fixes to s3_pkt.c so alerts are sent properly. + *) Reduce the chances of duplicate issuer name and serial numbers + (in violation of RFC3280) using the OpenSSL certificate + creation utilities. This is done by creating a random 64 bit + value for the initial serial number when a serial number file + is created or when a self signed certificate is created using + 'openssl req -x509'. The initial serial number file is created + using 'openssl x509 -next_serial' in CA.pl rather than being + initialized to 1. +- remove obsolete patches +- fix openssl-0.9.7d-padlock-glue.diff and ICA patch to patch + Makefile, not Makefile.ssl +- fixup for spaces in names of man pages not needed now +- pack /usr/bin/openssl_fips_fingerprint +- in rpm post/postun script, run /sbin/ldconfig directly (the macro + is deprecated) + +------------------------------------------------------------------- +Mon Oct 18 15:03:28 CEST 2004 - poeml@suse.de + +- don't install openssl.doxy file [#45210] + +------------------------------------------------------------------- +Thu Jul 29 16:56:44 CEST 2004 - poeml@suse.de + +- apply patch from CVS to fix segfault in S/MIME encryption + (http://cvs.openssl.org/chngview?cn=12081, regression in + openssl-0.9.7d) [#43386] + +------------------------------------------------------------------- +Mon Jul 12 15:22:31 CEST 2004 - mludvig@suse.cz + +- Updated VIA PadLock engine. + +------------------------------------------------------------------- +Wed Jun 30 21:45:01 CEST 2004 - mludvig@suse.cz + +- Updated openssl-0.9.7d-padlock-engine.diff with support for + AES192, AES256 and RNG. + +------------------------------------------------------------------- +Tue Jun 15 16:18:36 CEST 2004 - poeml@suse.de + +- update IBM ICA patch to last night's version. Fixes ibmca_init() + to reset ibmca_dso=NULL after calling DSO_free(), if the device + driver could not be loaded. The bug lead to a segfault triggered + by stunnel, which does autoload available engines [#41874] +- patch from CVS: make stack API more robust (return NULL for + out-of-range indexes). Fixes another possible segfault during + engine detection (could also triggered by stunnel) +- add patch from Michal Ludvig for VIA PadLock support + +------------------------------------------------------------------- +Wed Jun 2 20:44:40 CEST 2004 - poeml@suse.de + +- add root certificate for the ICP-Brasil CA [#41546] + +------------------------------------------------------------------- +Thu May 13 19:53:48 CEST 2004 - poeml@suse.de + +- add patch to use default_md for CRLs too [#40435] + +------------------------------------------------------------------- +Tue May 4 20:45:19 CEST 2004 - poeml@suse.de + +- update ICA patch to apr292004 release [#39695] + +------------------------------------------------------------------- +Thu Mar 18 13:47:09 CET 2004 - poeml@suse.de + +- update to 0.9.7d + o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug + (CAN-2004-0112) + o Security: Fix null-pointer assignment in do_change_cipher_spec() + (CAN-2004-0079) + o Allow multiple active certificates with same subject in CA index + o Multiple X590 verification fixes + o Speed up HMAC and other operations +- remove the hunk from openssl-0.9.6d.dif that added NO_IDEA around + IDEA_128_CBC_WITH_MD5 in the global cipher list. Upstream now has + OPENSSL_NO_IDEA around it +- [#36386] fixed (broken generation of EVP_BytesToKey.3ssl from the + pod file) +- permissions of lib/pkgconfig fixed + +------------------------------------------------------------------- +Wed Feb 25 20:42:39 CET 2004 - poeml@suse.de + +- update to 0.9.7c + *) Fix various bugs revealed by running the NISCC test suite: + Stop out of bounds reads in the ASN1 code when presented with + invalid tags (CAN-2003-0543 and CAN-2003-0544). + Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545). + If verify callback ignores invalid public key errors don't try to check + certificate signature with the NULL public key. + *) New -ignore_err option in ocsp application to stop the server + exiting on the first error in a request. + *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate + if the server requested one: as stated in TLS 1.0 and SSL 3.0 + specifications. + *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional + extra data after the compression methods not only for TLS 1.0 + but also for SSL 3.0 (as required by the specification). + *) Change X509_certificate_type() to mark the key as exported/exportable + when it's 512 *bits* long, not 512 bytes. + *) Change AES_cbc_encrypt() so it outputs exact multiple of + blocks during encryption. + *) Various fixes to base64 BIO and non blocking I/O. On write + flushes were not handled properly if the BIO retried. On read + data was not being buffered properly and had various logic bugs. + This also affects blocking I/O when the data being decoded is a + certain size. + *) Various S/MIME bugfixes and compatibility changes: + output correct application/pkcs7 MIME type if + PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures. + Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening + of files as .eml work). Correctly handle very long lines in MIME + parser. +- update ICA patch + quote: This version of the engine patch has updated error handling in + the DES/SHA code, and turns RSA blinding off for hardware + accelerated RSA ops. +- filenames of some man pages contain spaces now. Replace them with + underscores +- fix compiler warnings in showciphers.c +- fix permissions of /usr/%_lib/pkgconfig + +------------------------------------------------------------------- +Sat Jan 10 10:55:59 CET 2004 - adrian@suse.de + +- add %run_ldconfig +- remove unneeded PreRequires + +------------------------------------------------------------------- +Tue Nov 18 14:07:53 CET 2003 - poeml@suse.de + +- ditch annoying mail to root about moved locations [#31969] + +------------------------------------------------------------------- +Wed Aug 13 22:30:13 CEST 2003 - poeml@suse.de + +- enable profile feedback based optimizations (except AES which + becomes slower) +- add -fno-strict-aliasing, due to warnings about code where + dereferencing type-punned pointers will break strict aliasing +- make a readlink function if readlink is not available + +------------------------------------------------------------------- +Mon Aug 4 16:16:57 CEST 2003 - ro@suse.de + +- fixed manpages symlinks + +------------------------------------------------------------------- +Wed Jul 30 15:37:37 CEST 2003 - meissner@suse.de + +- Fix Makefile to create pkgconfig file with lib64 on lib64 systems. + +------------------------------------------------------------------- +Sun Jul 27 15:51:04 CEST 2003 - poeml@suse.de + +- don't explicitely strip binaries since RPM handles it, and may + keep the stripped information somewhere + +------------------------------------------------------------------- +Tue Jul 15 16:29:16 CEST 2003 - meissner@suse.de + +- -DMD32_REG_T=int for ppc64 and s390x. + +------------------------------------------------------------------- +Thu Jul 10 23:14:22 CEST 2003 - poeml@suse.de + +- update ibm ICA patch to 20030708 release (libica-1.3) + +------------------------------------------------------------------- +Mon May 12 23:27:07 CEST 2003 - poeml@suse.de + +- package the openssl.pc file for pkgconfig + +------------------------------------------------------------------- +Wed Apr 16 16:04:32 CEST 2003 - poeml@suse.de + +- update to 0.9.7b. The most significant changes are: + o New library section OCSP. + o Complete rewrite of ASN1 code. + o CRL checking in verify code and openssl utility. + o Extension copying in 'ca' utility. + o Flexible display options in 'ca' utility. + o Provisional support for international characters with UTF8. + o Support for external crypto devices ('engine') is no longer + a separate distribution. + o New elliptic curve library section. + o New AES (Rijndael) library section. + o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit, + Linux x86_64, Linux 64-bit on Sparc v9 + o Extended support for some platforms: VxWorks + o Enhanced support for shared libraries. + o Now only builds PIC code when shared library support is requested. + o Support for pkg-config. + o Lots of new manuals. + o Makes symbolic links to or copies of manuals to cover all described + functions. + o Change DES API to clean up the namespace (some applications link also + against libdes providing similar functions having the same name). + Provide macros for backward compatibility (will be removed in the + future). + o Unify handling of cryptographic algorithms (software and engine) + to be available via EVP routines for asymmetric and symmetric ciphers. + o NCONF: new configuration handling routines. + o Change API to use more 'const' modifiers to improve error checking + and help optimizers. + o Finally remove references to RSAref. + o Reworked parts of the BIGNUM code. + o Support for new engines: Broadcom ubsec, Accelerated Encryption + Processing, IBM 4758. + o A few new engines added in the demos area. + o Extended and corrected OID (object identifier) table. + o PRNG: query at more locations for a random device, automatic query for + EGD style random sources at several locations. + o SSL/TLS: allow optional cipher choice according to server's preference. + o SSL/TLS: allow server to explicitly set new session ids. + o SSL/TLS: support Kerberos cipher suites (RFC2712). + Only supports MIT Kerberos for now. + o SSL/TLS: allow more precise control of renegotiations and sessions. + o SSL/TLS: add callback to retrieve SSL/TLS messages. + o SSL/TLS: support AES cipher suites (RFC3268). +- adapt the ibmca patch +- remove openssl-nocrypt.diff, openssl's crypt() vanished +- configuration syntax has changed ($sys_id added before $lflags) + +------------------------------------------------------------------- +Thu Feb 20 11:55:34 CET 2003 - poeml@suse.de + +- update to bugfix release 0.9.6i: + - security fix: In ssl3_get_record (ssl/s3_pkt.c), minimize + information leaked via timing by performing a MAC computation + even if incorrrect block cipher padding has been found. This + is a countermeasure against active attacks where the attacker + has to distinguish between bad padding and a MAC verification + error. (CAN-2003-0078) + - a few more small bugfixes (mainly missing assertions) + +------------------------------------------------------------------- +Fri Dec 6 10:07:20 CET 2002 - poeml@suse.de + +- update to 0.9.6h (last release in the 0.9.6 series) + o New configuration targets for Tandem OSS and A/UX. + o New OIDs for Microsoft attributes. + o Better handling of SSL session caching. + o Better comparison of distinguished names. + o Better handling of shared libraries in a mixed GNU/non-GNU environment. + o Support assembler code with Borland C. + o Fixes for length problems. + o Fixes for uninitialised variables. + o Fixes for memory leaks, some unusual crashes and some race conditions. + o Fixes for smaller building problems. + o Updates of manuals, FAQ and other instructive documents. +- add a call to make depend +- fix sed expression (lib -> lib64) to replace multiple occurences + on one line + +------------------------------------------------------------------- +Mon Nov 4 13:16:09 CET 2002 - stepan@suse.de + +- fix openssl for alpha ev56 cpus + +------------------------------------------------------------------- +Thu Oct 24 12:57:36 CEST 2002 - poeml@suse.de + +- own the /usr/share/ssl directory [#20849] +- openssl-hppa-config.diff can be applied on all architectures + +------------------------------------------------------------------- +Mon Sep 30 16:07:49 CEST 2002 - bg@suse.de + +- enable hppa distribution; use only pa1.1 architecture. + +------------------------------------------------------------------- +Tue Sep 17 17:13:46 CEST 2002 - froh@suse.de + +- update ibm-hardware-crypto-patch to ibmca.patch-0.96e-2 (#18953) + +------------------------------------------------------------------- +Mon Aug 12 18:34:58 CEST 2002 - poeml@suse.de + +- update to 0.9.6g and drop the now included ASN1 check patch. + Other change: + - Use proper error handling instead of 'assertions' in buffer + overflow checks added in 0.9.6e. This prevents DoS (the + assertions could call abort()). + +------------------------------------------------------------------- +Fri Aug 9 19:49:59 CEST 2002 - kukuk@suse.de + +- Fix requires of openssl-devel subpackage + +------------------------------------------------------------------- +Tue Aug 6 15:18:59 MEST 2002 - draht@suse.de + +- Correction for changes in the ASN1 code, assembled in + openssl-0.9.6e-cvs-20020802-asn1_lib.diff + +------------------------------------------------------------------- +Thu Aug 1 00:53:33 CEST 2002 - poeml@suse.de + +- update to 0.9.6e. Major changes: + o Various security fixes (sanity checks to asn1_get_length(), + various remote buffer overflows) + o new option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, disabling the + countermeasure against a vulnerability in the CBC ciphersuites + in SSL 3.0/TLS 1.0 that was added in 0.9.6d which turned out to + be incompatible with buggy SSL implementations +- update ibmca crypto hardware patch (security issues fixed) +- gcc 3.1 version detection is fixed, we can drop the patch +- move the most used man pages from the -doc to the main package + [#9913] and resolve man page conflicts by putting them into ssl + sections [#17239] +- spec file: use PreReq for %post script + +------------------------------------------------------------------- +Fri Jul 12 17:59:10 CEST 2002 - poeml@suse.de + +- update to 0.9.6d. Major changes: + o Various SSL/TLS library bugfixes. + o Fix DH parameter generation for 'non-standard' generators. + Complete Changelog: http://www.openssl.org/news/changelog.html +- supposed to fix a session caching failure occuring with postfix +- simplify local configuration for the architectures +- there's a new config variable: $shared_ldflag +- use RPM_OPT_FLAGS in favor of predifined cflags by appending them + at the end +- validate config data (config --check-sanity) +- resolve file conflict of /usr/share/man/man1/openssl.1.gz [#15982] +- move configuration to /etc/ssl [#14387] +- mark openssl.cnf %config (noreplace) + +------------------------------------------------------------------- +Sat Jul 6 20:28:56 CEST 2002 - schwab@suse.de + +- Include to get crypt prototype. + +------------------------------------------------------------------- +Fri Jul 5 08:51:16 CEST 2002 - kukuk@suse.de + +- Remove crypt prototype from des.h header file, too. + +------------------------------------------------------------------- +Mon Jun 10 11:38:16 CEST 2002 - meissner@suse.de + +- enhanced ppc64 support (needs seperate config), reenabled make check + +------------------------------------------------------------------- +Fri May 31 14:54:06 CEST 2002 - olh@suse.de + +- add ppc64 support, temporary disable make check + +------------------------------------------------------------------- +Thu Apr 18 16:30:01 CEST 2002 - meissner@suse.de + +- fixed x86_64 build, added bc to needed_for_build (used by tests) + +------------------------------------------------------------------- +Wed Apr 17 16:56:34 CEST 2002 - ro@suse.de + +- fixed gcc version determination +- drop sun4c support/always use sparcv8 +- ignore return code from showciphers + +------------------------------------------------------------------- +Fri Mar 15 16:54:44 CET 2002 - poeml@suse.de + +- add settings for sparc to build shared objects. Note that all + sparcs (sun4[mdu]) are recognized as linux-sparcv7 + +------------------------------------------------------------------- +Wed Feb 6 14:23:44 CET 2002 - kukuk@suse.de + +- Remove crypt function from libcrypto.so.0 [Bug #13056] + +------------------------------------------------------------------- +Sun Feb 3 22:32:16 CET 2002 - poeml@suse.de + +- add settings for mips to build shared objects +- print out all settings to the build log + +------------------------------------------------------------------- +Tue Jan 29 12:42:58 CET 2002 - poeml@suse.de + +- update to 0.9.6c: + o bug fixes + o support for hardware crypto devices (Cryptographic Appliances, + Broadcom, and Accelerated Encryption Processing) +- add IBMCA patch for IBM eServer Cryptographic Accelerator Device + Driver (#12565) (forward ported from 0.9.6b) + (http://www-124.ibm.com/developerworks/projects/libica/) +- tell Configure how to build shared libs for s390 and s390x +- tweak Makefile.org to use %_libdir +- clean up spec file +- add README.SuSE as source file instead of in a patch + +------------------------------------------------------------------- +Wed Dec 5 10:59:59 CET 2001 - uli@suse.de + +- disabled "make test" for ARM (destest segfaults, the other tests + seem to succeed) + +------------------------------------------------------------------- +Wed Dec 5 02:39:16 CET 2001 - ro@suse.de + +- removed subpackage src + +------------------------------------------------------------------- +Wed Nov 28 13:28:42 CET 2001 - uli@suse.de + +- needs -ldl on ARM, too + +------------------------------------------------------------------- +Mon Nov 19 17:48:31 MET 2001 - mls@suse.de + +- made mips big endian, fixed shared library creation for mips + +------------------------------------------------------------------- +Fri Aug 31 11:19:46 CEST 2001 - rolf@suse.de + +- added root certificates [BUG#9913] +- move from /usr/ssh to /usr/share/ssl + +------------------------------------------------------------------- +Wed Jul 18 10:27:54 CEST 2001 - rolf@suse.de + +- update to 0.9.6b +- switch to engine version of openssl, which supports hardware + encryption for a few popular devices +- check wether shared libraries have been generated + +------------------------------------------------------------------- +Thu Jul 5 15:06:03 CEST 2001 - rolf@suse.de + +- appliy PRNG security patch + +------------------------------------------------------------------- +Tue Jun 12 10:52:34 EDT 2001 - bk@suse.de + +- added support for s390x + +------------------------------------------------------------------- +Mon May 7 21:02:30 CEST 2001 - kukuk@suse.de + +- Fix building of shared libraries on SPARC, too. + +------------------------------------------------------------------- +Mon May 7 11:36:53 MEST 2001 - rolf@suse.de + +- Fix ppc and s390 shared library builds +- resolved conflict in manpage naming: + rand.3 is now sslrand.3 [BUG#7643] + +------------------------------------------------------------------- +Tue May 1 22:32:48 CEST 2001 - schwab@suse.de + +- Fix ia64 configuration. +- Fix link command. + +------------------------------------------------------------------- +Thu Apr 26 03:17:52 CEST 2001 - bjacke@suse.de + +- updated to 0.96a + +------------------------------------------------------------------- +Wed Apr 18 12:56:48 CEST 2001 - kkaempf@suse.de + +- provide .so files in -devel package only + +------------------------------------------------------------------- +Tue Apr 17 02:45:36 CEST 2001 - bjacke@suse.de + +- resolve file name conflict (#6966) + +------------------------------------------------------------------- +Wed Mar 21 10:12:59 MET 2001 - rolf@suse.de + +- new subpackage openssl-src [BUG#6383] +- added README.SuSE which explains where to find the man pages [BUG#6717] + +------------------------------------------------------------------- +Fri Dec 15 18:09:16 CET 2000 - sf@suse.de + +- changed CFLAG to -O1 to make the tests run successfully + +------------------------------------------------------------------- +Mon Dec 11 13:33:55 CET 2000 - rolf@suse.de + +- build openssl with no-idea and no-rc5 to meet US & RSA regulations +- build with -fPIC on all platforms (especially IA64) + +------------------------------------------------------------------- +Wed Nov 22 11:27:39 MET 2000 - rolf@suse.de + +- rename openssls to openssl-devel and add shared libs and header files +- new subpackge openssl-doc for manpages and documentation +- use BuildRoot + +------------------------------------------------------------------- +Fri Oct 27 16:53:45 CEST 2000 - schwab@suse.de + +- Add link-time links for libcrypto and libssl. +- Make sure that LD_LIBRARY_PATH is passed down to sub-makes. + +------------------------------------------------------------------- +Mon Oct 2 17:33:07 MEST 2000 - rolf@suse.de + +- update to 0.9.6 + +------------------------------------------------------------------- +Mon Apr 10 23:04:15 CEST 2000 - bk@suse.de + +- fix support for s390-linux + +------------------------------------------------------------------- +Mon Apr 10 18:01:46 MEST 2000 - rolf@suse.de + +- new version 0.9.5a + +------------------------------------------------------------------- +Sun Apr 9 02:51:42 CEST 2000 - bk@suse.de + +- add support for s390-linux + +------------------------------------------------------------------- +Mon Mar 27 19:25:25 CEST 2000 - kukuk@suse.de + +- Use sparcv7 for SPARC + +------------------------------------------------------------------- +Wed Mar 1 16:42:00 MET 2000 - rolf@suse.de + +- move manpages back, as too many conflict with system manuals + +------------------------------------------------------------------- +Wed Mar 1 11:23:21 MET 2000 - rolf@suse.de + +- move manpages to %{_mandir} +- include static libraries + +------------------------------------------------------------------- +Wed Mar 1 02:52:17 CET 2000 - bk@suse.de + +- added subpackage source openssls, needed for ppp_ssl + +------------------------------------------------------------------- +Tue Feb 29 12:50:48 MET 2000 - rolf@suse.de + +- new version 0.9.5 + +------------------------------------------------------------------- +Thu Feb 24 15:43:38 CET 2000 - schwab@suse.de + +- add support for ia64-linux + +------------------------------------------------------------------- +Mon Jan 31 13:05:59 CET 2000 - kukuk@suse.de + +- Create and add libcrypto.so.0 and libssl.so.0 + +------------------------------------------------------------------- +Mon Sep 13 17:23:57 CEST 1999 - bs@suse.de + +- ran old prepare_spec on spec file to switch to new prepare_spec. + +------------------------------------------------------------------- +Wed Sep 1 12:30:08 MEST 1999 - rolf@suse.de + +- new version 0.9.4 + +------------------------------------------------------------------- +Wed May 26 16:26:49 MEST 1999 - rolf@suse.de + +- new version 0.9.3 with new layout +- alpha asm disabled by default now, no patch needed + +------------------------------------------------------------------- +Thu May 20 09:38:09 MEST 1999 - ro@suse.de + +- disable asm for alpha: seems incomplete + +------------------------------------------------------------------- +Mon May 17 17:43:34 MEST 1999 - rolf@suse.de + +- don't use -DNO_IDEA + +------------------------------------------------------------------- +Wed May 12 16:10:03 MEST 1999 - rolf@suse.de + +- first version 0.9.2b diff --git a/openssl-1_1.spec b/openssl-1_1.spec new file mode 100644 index 0000000..964f2a8 --- /dev/null +++ b/openssl-1_1.spec @@ -0,0 +1,549 @@ +# +# spec file for package openssl-1_1 +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define ssletcdir %{_sysconfdir}/ssl +%define maj_min 1.1 +%define _rname openssl +%global sslengcnf %{ssletcdir}/engines1.1.d +%global sslengdef %{ssletcdir}/engdef1.1.d +%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550 +# Enable livepatching support for SLE15-SP4 onwards. It requires +# compiler support introduced there. +%define livepatchable 1 +# Set variables for livepatching. +%define _other %{_topdir}/OTHER +%define tar_basename %{_rname}-livepatch-%{version}-%{release} +%define tar_package_name %{tar_basename}.%{_arch}.tar.xz +%define clones_dest_dir %{tar_basename}/%{_arch} +%else +# Unsupported operating system. +%define livepatchable 0 +%endif +%ifnarch x86_64 +# Unsupported architectures must have livepatch disabled. +%define livepatchable 0 +%endif +Name: openssl-1_1 +# Don't forget to update the version in the "openssl" meta-package! +Version: 1.1.1w +Release: 0 +Summary: Secure Sockets and Transport Layer Security +License: OpenSSL +Group: Productivity/Networking/Security +URL: https://www.openssl.org/ +Source: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz +# to get mtime of file: +Source1: %{name}.changes +Source2: baselibs.conf +Source3: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc +# https://www.openssl.org/about/ +# http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring +Source4: %{_rname}.keyring +Source5: showciphers.c +# PATCH-FIX-OPENSUSE: do not install html mans it takes ages +Patch1: openssl-1.1.0-no-html.patch +Patch2: openssl-truststore.patch +Patch3: openssl-pkgconfig.patch +Patch4: openssl-DEFAULT_SUSE_cipher.patch +Patch5: openssl-ppc64-config.patch +Patch6: openssl-riscv64-config.patch +# PATCH-FIX-UPSTREAM jsc#SLE-6126 and jsc#SLE-6129 +Patch8: 0001-s390x-assembly-pack-perlasm-support.patch +Patch9: 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch +Patch10: 0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch +Patch11: 0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch +Patch12: 0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch +Patch13: 0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch +# PATCH-FIX-UPSTREAM bsc#1152695 jsc#SLE-7861 Support for CPACF enhancements - part 1 (crypto) +Patch16: openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch +Patch17: openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch +Patch18: openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch +Patch19: openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch +Patch20: openssl-s390xcpuid.pl-fix-comment.patch +Patch21: openssl-assembly-pack-accelerate-scalar-multiplication.patch +Patch22: openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch +Patch23: openssl-s390x-assembly-pack-accelerate-ECDSA.patch +Patch24: openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch +Patch25: openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch +Patch26: openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch +Patch27: openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch +Patch28: openssl-Fix-9bf682f-which-broke-nistp224_method.patch +# FIPS patches +Patch30: openssl-1.1.1-fips.patch +Patch31: openssl-1.1.1-fips-post-rand.patch +Patch32: openssl-1.1.1-fips-crng-test.patch +Patch33: openssl-1.1.0-issuer-hash.patch +Patch34: openssl-fips-run_selftests_only_when_module_is_complete.patch +Patch35: openssl-ship_fips_standalone_hmac.patch +Patch36: openssl-fips_mode.patch +Patch37: openssl-1.1.1-evp-kdf.patch +Patch38: openssl-1.1.1-ssh-kdf.patch +Patch40: openssl-fips-selftests_in_nonfips_mode.patch +Patch41: openssl-fips-clearerror.patch +Patch42: openssl-fips-ignore_broken_atexit_test.patch +Patch45: openssl-fips-add-SHA3-selftest.patch +Patch46: openssl-fips_selftest_upstream_drbg.patch +Patch47: openssl-unknown_dgst.patch +# PATCH-FIX-UPSTREAM jsc#SLE-7403 Support for CPACF enhancements - part 2 (crypto) +Patch50: openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch +Patch51: openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch +# PATCH-FIX-UPSTREAM bsc#1175844 FIPS: (EC)Diffie-Hellman requirements +# from SP800-56Arev3 SLE-15-SP2 +Patch52: openssl-DH.patch +Patch53: openssl-kdf-selftest.patch +Patch54: openssl-kdf-tls-selftest.patch +Patch55: openssl-kdf-ssh-selftest.patch +Patch56: openssl-fips-DH_selftest_shared_secret_KAT.patch +# PATCH-FIX-UPSTREAM bsc#1192442 FIPS: missing KAT for HKDF/TLS 1.3/IPSEC IKEv2 +Patch57: openssl-fips-kdf-hkdf-selftest.patch +Patch58: openssl-1.1.1-system-cipherlist.patch +# PATCH-FIX-OPENSUSE jsc#SLE-15832 Centralized Crypto Compliance Configuration +Patch59: openssl-1_1-seclevel.patch +Patch60: openssl-1_1-use-seclevel2-in-tests.patch +Patch61: openssl-1_1-disable-test_srp-sslapi.patch +# PATCH-FIX-UPSTREAM jsc#SLE-18136 POWER10 performance enhancements for cryptography +Patch69: openssl-1_1-Optimize-ppc64.patch +# PATCH-FIX-UPSTREAM jsc#SLE-19742 Backport Arm improvements from OpenSSL 3 +Patch70: openssl-1_1-Optimize-RSA-armv8.patch +Patch71: openssl-1_1-Optimize-AES-XTS-aarch64.patch +Patch72: openssl-1_1-Optimize-AES-GCM-uarchs.patch +# PATCH-FIX-SUSE bsc#1185320 FIPS: move the HMAC-SHA2-256 used for integrity test +Patch73: openssl-FIPS-KAT-before-integrity-tests.patch +# PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes +Patch74: openssl-1_1-FIPS-fix-error-reason-codes.patch +#PATCH-FIX-SUSE bsc#1190652 FIPS: Add release number to version string +Patch75: openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch +# PATCH-FIX-SUSE bsc#1180995 Default to RFC7919 groups in FIPS mode +Patch76: openssl-1_1-paramgen-default_to_rfc7919.patch +# PATCH-FIX-SUSE bsc#1194187 bsc#1004463 Add engines section in openssl.cnf +Patch77: openssl-1_1-use-include-directive.patch +# PATCH-FIX-SUSE bsc#1197280 FIPS: Additional PBKDF2 requirements for KAT +Patch78: openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch +Patch79: bsc1185319-FIPS-KAT-for-ECDSA.patch +Patch80: bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch +Patch82: openssl-1_1-shortcut-test_afalg_aes_cbc.patch +# PATCH-FIX-SUSE bsc#1190653 FIPS: Provide methods to zeroize all unprotected SSPs and key components +Patch84: openssl-1_1-Zeroization.patch +# PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator +Patch85: openssl-1_1-ossl-sli-000-fix-build-error.patch +Patch86: openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch +Patch87: openssl-1_1-ossl-sli-002-ran-make-update.patch +Patch88: openssl-1_1-ossl-sli-003-add-sli.patch +# PATCH-FIX-SUSE bsc#1202148 FIPS: Port openssl to use jitterentropy +Patch89: openssl-1_1-jitterentropy-3.4.0.patch +# PATCH-FIX-SUSE bsc#1203046 FIPS: Fix memory leak when FIPS mode is enabled +Patch90: openssl-1.1.1-fips-fix-memory-leaks.patch +# PATCH-FIX-FEDORA bsc#1201293 FIPS: RAND api should call into FIPS DRBG +Patch91: openssl-1_1-FIPS_drbg-rewire.patch +# PATCH-FIX-FEDORA bsc#1203069 FIPS: Add KAT for the RAND_DRBG implementation +Patch92: openssl-1_1-fips-drbg-selftest.patch +# PATCH-FIX-SUSE bsc#1121365, bsc#1190888, bsc#1193859, bsc#1198471, bsc#1198472 +# FIPS: List only approved digest and pubkey algorithms +Patch93: openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch +# PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator +Patch94: openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch +Patch95: openssl-1_1-ossl-sli-005-EC_group_order_bits.patch +Patch96: openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch +Patch97: openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch +# PATCH-FIX-UPSTREAM jsc#PED-512 +# POWER10 performance enhancements for cryptography +Patch98: openssl-1_1-AES-GCM-performance-optimzation-with-stitched-method.patch +Patch99: openssl-1_1-Fixed-counter-overflow.patch +Patch100: openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch +Patch101: openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch +Patch102: openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch +# PATCH-FIX-OPENSUSE bsc#1205042 Set OpenSSL 3.0 as the default openssl +Patch103: openssl-1_1-openssl-config.patch +# PATCH-FIX-SUSE bsc#1207994 FIPS Make jitterentropy calls thread-safe +Patch104: openssl-1_1-serialize-jitterentropy-calls.patch +# PATCH-FIX-SUSE bsc#1208998 FIPS: PBKDF2 requirements for openssl +Patch105: openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch +# PATCH-FIX-SUSE bsc#1212623 openssl s_client does not honor ocsp revocation status +Patch106: openssl-s_client-check-ocsp-status.patch +# PATCH-FIX-SUSE bsc#1213517 Dont pass zero length input to EVP_Cipher +Patch107: openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch +#PATCH-FIX-SUSE bsc#1215215 FIPS: Add "fips" to version string +Patch108: openssl-1_1-fips-bsc1215215_fips_in_version_string.patch +# PATCH-FIX-UPSTREAM jsc#PED-5086, jsc#PED-3514 +# POWER10 performance enhancements for cryptography +Patch109: openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch +Patch110: openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch +Patch111: openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch +Patch112: openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch +Patch113: openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch +Patch114: openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch +# PATCH-FIX-UPSTREAM: bsc#1216922 CVE-2023-5678 Generating excessively long X9.42 DH keys or +# checking excessively long X9.42 DH keys or parameters may be very slow +Patch115: openssl-CVE-2023-5678.patch +# PATCH-FIX-OPENSUSE skip SHA1 test in FIPS mode +Patch116: openssl-Skip_SHA1-test-in-FIPS-mode.patch +# PATCH-FIX-UPSTREAM: bsc#1219243 CVE-2024-0727: denial of service via null dereference +Patch117: openssl-CVE-2024-0727.patch +# PATCH-FIX-UPSTREAM: bsc#1222548 CVE-2024-2511: Unbounded memory growth with session handling in TLSv1.3 +Patch118: openssl-CVE-2024-2511.patch +# PATCH-FIX-UPSTREAM bsc#1225551 CVE-2024-4741: use After Free with SSL_free_buffers +Patch119: openssl-CVE-2024-4741.patch +# PATCH-FIX-UPSTREAM: bsc#1227138 CVE-2024-5535: SSL_select_next_proto buffer overread +Patch120: openssl-CVE-2024-5535.patch +Patch121: reproducibledate.patch +BuildRequires: jitterentropy-devel >= 3.4.0 +BuildRequires: pkgconfig +BuildRequires: pkgconfig(zlib) +Requires: libjitterentropy3 >= 3.4.0 +Provides: ssl +Requires: libopenssl1_1 = %{version}-%{release} +# Needed for clean upgrade path, boo#1070003 +Obsoletes: openssl-1_0_0 +# Needed for clean upgrade from former openssl-1_1_0, boo#1081335 +Obsoletes: openssl-1_1_0 +%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550 +Requires: crypto-policies +%endif + +%description +OpenSSL is a software library to be used in applications that need to +secure communications over computer networks against eavesdropping or +need to ascertain the identity of the party at the other end. +OpenSSL contains an implementation of the SSL and TLS protocols. + +%package -n libopenssl1_1 +Summary: Secure Sockets and Transport Layer Security +Group: Productivity/Networking/Security +Recommends: ca-certificates-mozilla +# Needed for clean upgrade from former openssl-1_1_0, boo#1081335 +Obsoletes: libopenssl1_1_0 +%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550 +Requires: crypto-policies +%endif +Conflicts: %{name} < %{version}-%{release} +# Merge back the hmac files bsc#1185116 +Provides: libopenssl1_1-hmac = %{version}-%{release} +Obsoletes: libopenssl1_1-hmac < %{version}-%{release} +# Needed for clean upgrade from former openssl-1_1_0, boo#1081335 +Obsoletes: libopenssl1_1_0-hmac +# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499 +Obsoletes: libopenssl-1_0_0-hmac + +%description -n libopenssl1_1 +OpenSSL is a software library to be used in applications that need to +secure communications over computer networks against eavesdropping or +need to ascertain the identity of the party at the other end. +OpenSSL contains an implementation of the SSL and TLS protocols. + +%package -n libopenssl-1_1-devel +Summary: Development files for OpenSSL +Group: Development/Libraries/C and C++ +Requires: jitterentropy-devel >= 3.4.0 +Requires: libopenssl1_1 = %{version} +Requires: pkgconfig(zlib) +Recommends: %{name} = %{version} +Conflicts: ssl-devel +Provides: ssl-devel +# Needed for clean upgrade from former openssl-1_1_0, boo#1081335 +Obsoletes: libopenssl-1_1_0-devel +# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499 +Obsoletes: libopenssl-1_0_0-devel + +%description -n libopenssl-1_1-devel +This subpackage contains header files for developing applications +that want to make use of the OpenSSL C API. + +%package doc +Summary: Additional Package Documentation +Group: Productivity/Networking/Security +Conflicts: openssl-doc +Provides: openssl-doc = %{version} +Obsoletes: openssl-doc < %{version} +BuildArch: noarch + +%description doc +This package contains optional documentation provided in addition to +this package's base documentation. + +%prep +%autosetup -p1 -n %{_rname}-%{version} + +cp apps/openssl.cnf apps/openssl-1_1.cnf + +%build +%ifarch armv5el armv5tel +export MACHINE=armv5el +%endif +%ifarch armv6l armv6hl +export MACHINE=armv6l +%endif + +./config \ + no-idea \ + no-afalgeng \ + enable-rfc3779 \ +%ifarch x86_64 aarch64 ppc64le + enable-ec_nistp_64_gcc_128 \ +%endif + enable-camellia \ + zlib \ + no-ec2m \ + --prefix=%{_prefix} \ + --libdir=%{_lib} \ + --openssldir=%{ssletcdir} \ + %{optflags} \ +%if %{livepatchable} + -fpatchable-function-entry=16,14 -fdump-ipa-clones \ +%endif + -Wa,--noexecstack \ + -Wl,-z,relro,-z,now \ + -fno-common \ + -DTERMIO \ + -DPURIFY \ + -D_GNU_SOURCE \ + -DOPENSSL_NO_BUF_FREELISTS \ + $(getconf LFS_CFLAGS) \ + -Wall \ + --with-rand-seed=getrandom \ + --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config + +# Show build configuration +perl configdata.pm --dump + +util/mkdef.pl crypto update +%make_build depend +%make_build all + +%check +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +LD_LIBRARY_PATH=`pwd` make test -j1 + +# Create the hmac files required to run the regression tests in FIPS mode +LD_LIBRARY_PATH=`pwd` %{buildroot}%{_bindir}/fips_standalone_hmac \ + libssl.so.%{maj_min} > .libssl.so.%{maj_min}.hmac +LD_LIBRARY_PATH=`pwd` %{buildroot}%{_bindir}/fips_standalone_hmac \ + libcrypto.so.%{maj_min} > .libcrypto.so.%{maj_min}.hmac +OPENSSL_FORCE_FIPS_MODE=1 LD_LIBRARY_PATH=`pwd` make TESTS='-test_pem \ + -test_hmac -test_mdc2 -test_dh -test_dsa -test_genrsa \ + -test_mp_rsa -test_enc -test_enc_more -test_passwd -test_req \ + -test_verify -test_evp -test_evp_extra -test_pkey_meth_kdf \ + -test_bad_dtls -test_comp -test_key_share -test_renegotiation \ + -test_sslcbcpadding -test_sslcertstatus -test_sslextension \ + -test_sslmessages -test_sslrecords -test_sslsessiontick \ + -test_sslsigalgs -test_sslsignature -test_sslskewith0p \ + -test_sslversions -test_sslvertol -test_tls13alerts \ + -test_tls13cookie -test_tls13downgrade -test_tls13hrr \ + -test_tls13kexmodes -test_tls13messages -test_tls13psk \ + -test_tlsextms -test_ca -test_cipherlist -test_cms \ + -test_dtls_mtu -test_ssl_new -test_ssl_old -test_bio_enc \ + -test_sslapi -test_tls13ccs -test_ec' test -j1 + +# show ciphers +gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto +LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers + +%install + +%if %{livepatchable} + +# Ipa-clones are files generated by gcc which logs changes made across +# functions, and we need to know such changes to build livepatches +# correctly. These files are intended to be used by the livepatch +# developers and may be retrieved by using `osc getbinaries`. +# +# Create list of ipa-clones. +find . -name "*.ipa-clones" ! -empty | sed 's/^\.\///g' | sort > ipa-clones.list + +# Create ipa-clones destination folder and move clones there. +mkdir -p ipa-clones/%{clones_dest_dir} +while read f; do + _dest=ipa-clones/%{clones_dest_dir}/$f + mkdir -p ${_dest%/*} + cp $f $_dest +done < ipa-clones.list + +# Create tar package with the clone files. +tar cfJ %{tar_package_name} -C ipa-clones %{tar_basename} + +# Copy tar package to the OTHERS folder +cp %{tar_package_name} %{_other} + +%endif # livepatchable + +%make_install %{?_smp_mflags} +# kill static libs +rm -f %{buildroot}%{_libdir}/lib*.a + +# Rename the openssl CLI to openssl-1_1 +mv %{buildroot}%{_bindir}/openssl %{buildroot}%{_bindir}/openssl-1_1 + +# Install the openssl-1_1.cnf config file +install -m 644 apps/openssl-1_1.cnf %{buildroot}%{_sysconfdir}/ssl/openssl-1_1.cnf + +# remove the cnf.dist +rm -f %{buildroot}%{_sysconfdir}/ssl/openssl-1_1.cnf.dist +rm -f %{buildroot}%{_sysconfdir}/ssl/ct_log_list.cnf +rm -f %{buildroot}%{_sysconfdir}/ssl/ct_log_list.cnf.dist +ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl + +mkdir %{buildroot}/%{_datadir}/ssl +mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/ +# Create the two directories into which packages will drop their configuration +# files. +mkdir %{buildroot}/%{sslengcnf} +mkdir %{buildroot}/%{sslengdef} + +# avoid file conflicts with man pages from other packages +# +pushd %{buildroot}/%{_mandir} +# some man pages now contain spaces. This makes several scripts go havoc, among them /usr/sbin/Check. +# replace spaces by underscores +#for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done +which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) } +for i in man?/*; do + if test -L $i ; then + LDEST=`readlink $i` + rm -f $i ${i}ssl + ln -sf ${LDEST}ssl ${i}ssl + else + mv $i ${i}ssl + fi + case "$i" in + *.1) + # these are the pages mentioned in openssl(1). They go into the main package. + echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist;; + *) + # the rest goes into the openssl-doc package. + echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist.doc;; + esac +done +popd + +# Do not install demo scripts executable under /usr/share/doc +find demos -type f -perm /111 -exec chmod 644 {} \; + +# Place showciphers.c for %%doc macro +cp %{SOURCE5} . + +# the hmac hashes: +# +# this is a hack that re-defines the __os_install_post macro +# for a simple reason: the macro strips the binaries and thereby +# invalidates a HMAC that may have been created earlier. +# solution: create the hashes _after_ the macro runs. +# +# this shows up earlier because otherwise the expand of +# the macro is too late. +# remark: This is the same as running +# openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs' +%{expand:%%global __os_install_post {%__os_install_post + +# Point linker to the newly installed libcrypto in order to avoid BuildRequiring itself (libopenssl1_1) +export LD_LIBRARY_PATH="%{buildroot}%{_libdir}" + +%{buildroot}%{_bindir}/fips_standalone_hmac \ + %{buildroot}%{_libdir}/libssl.so.%{maj_min} > \ + %{buildroot}%{_libdir}/.libssl.so.%{maj_min}.hmac + +# As fips_standalone_hmac now uses the very same library it checksums, +# the libcrypto hmac needs to be saved to a temporary file, otherwise +# the library will detect the empty hmac and abort due to a wrong checksum +%{buildroot}%{_bindir}/fips_standalone_hmac \ + %{buildroot}%{_libdir}/libcrypto.so.%{maj_min} > \ + %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.temphmac + +# rename the temporary checksum to its proper name +mv %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.temphmac %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.hmac +unset LD_LIBRARY_PATH + +}} + +%pre +# Migrate old engines.d to engines1.1.d.rpmsave +if [ ! -L %{ssletcdir}/engines.d ] && [ -d %{ssletcdir}/engines.d ]; then + mkdir %{ssletcdir}/engines1.1.d.rpmsave ||: + mv -v %{ssletcdir}/engines.d/* %{ssletcdir}/engines1.1.d.rpmsave ||: + rmdir %{ssletcdir}/engines.d ||: +fi + +# Migrate old engdef.d to engdef1.1.d.rpmsave +if [ ! -L %{ssletcdir}/engdef.d ] && [ -d %{ssletcdir}/engdef.d ]; then + mkdir %{ssletcdir}/engdef1.1.d.rpmsave ||: + mv -v %{ssletcdir}/engdef.d/* %{ssletcdir}/engdef1.1.d.rpmsave ||: + rmdir %{ssletcdir}/engdef.d ||: +fi + +%posttrans +# Restore engines1.1.d.rpmsave to engines1.1.d +if [ -d %{ssletcdir}/engines1.1.d.rpmsave ]; then + mv -v %{ssletcdir}/engines1.1.d.rpmsave/* %{ssletcdir}/engines1.1.d ||: + rmdir %{ssletcdir}/engines1.1.d.rpmsave ||: +fi + +# Restore engdef1.1.d.rpmsave to engdef1.1.d +if [ -d %{ssletcdir}/engdef1.1.d.rpmsave ]; then + mv -v %{ssletcdir}/engdef1.1.d.rpmsave/* %{ssletcdir}/engdef1.1.d ||: + rmdir %{ssletcdir}/engdef1.1.d.rpmsave ||: +fi + +# Move engines1_1.d to engines1.1.d +if [ -d %{ssletcdir}/engines1_1.d ]; then + mv -v %{ssletcdir}/engines1_1.d/* %{ssletcdir}/engines1.1.d ||: + rmdir %{ssletcdir}/engines1_1.d ||: +fi + +# Move engdef1_1.d to engdef1.1.d +if [ -d %{ssletcdir}/engdef1_1.d ]; then + mv -v %{ssletcdir}/engdef1_1.d/* %{ssletcdir}/engdef1.1.d ||: + rmdir %{ssletcdir}/engdef1_1.d ||: +fi + +%post -n libopenssl1_1 -p /sbin/ldconfig +%postun -n libopenssl1_1 -p /sbin/ldconfig + +%files -n libopenssl1_1 +%license LICENSE +%{_libdir}/libssl.so.%{maj_min} +%{_libdir}/libcrypto.so.%{maj_min} +%{_libdir}/.libssl.so.%{maj_min}.hmac +%{_libdir}/.libcrypto.so.%{maj_min}.hmac +%{_libdir}/engines-%{maj_min} + +%files -n libopenssl-1_1-devel +%{_includedir}/%{_rname}/ +%{_includedir}/ssl +%{_libdir}/libssl.so +%{_libdir}/libcrypto.so +%{_libdir}/pkgconfig/libcrypto.pc +%{_libdir}/pkgconfig/libssl.pc +%{_libdir}/pkgconfig/openssl.pc + +%files doc -f filelist.doc +%doc doc/* demos +%doc showciphers.c + +%files -f filelist +%doc CHANGE* NEWS README +%dir %{ssletcdir} +%config (noreplace) %{ssletcdir}/openssl-1_1.cnf +%attr(700,root,root) %{ssletcdir}/private +%dir %{sslengcnf} +%dir %{sslengdef} +%dir %{_datadir}/ssl +%{_datadir}/ssl/misc +%{_bindir}/c_rehash-1_1 +%{_bindir}/fips_standalone_hmac +%{_bindir}/openssl-1_1 + +%changelog diff --git a/openssl-CVE-2023-5678.patch b/openssl-CVE-2023-5678.patch new file mode 100644 index 0000000..325f3a4 --- /dev/null +++ b/openssl-CVE-2023-5678.patch @@ -0,0 +1,174 @@ +From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Fri, 20 Oct 2023 09:18:19 +0200 +Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet + +We already check for an excessively large P in DH_generate_key(), but not in +DH_check_pub_key(), and none of them check for an excessively large Q. + +This change adds all the missing excessive size checks of P and Q. + +It's to be noted that behaviours surrounding excessively sized P and Q +differ. DH_check() raises an error on the excessively sized P, but only +sets a flag for the excessively sized Q. This behaviour is mimicked in +DH_check_pub_key(). + +Reviewed-by: Tomas Mraz +Reviewed-by: Matt Caswell +Reviewed-by: Hugo Landau +(Merged from https://github.com/openssl/openssl/pull/22518) + +(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6) +--- + crypto/dh/dh_check.c | 12 ++++++++++++ + crypto/dh/dh_err.c | 3 ++- + crypto/dh/dh_key.c | 12 ++++++++++++ + crypto/err/openssl.txt | 1 + + include/crypto/dherr.h | 2 +- + include/openssl/dh.h | 6 +++--- + include/openssl/dherr.h | 3 ++- + 7 files changed, 33 insertions(+), 6 deletions(-) + +Index: openssl-1.1.1w/crypto/dh/dh_err.c +=================================================================== +--- openssl-1.1.1w.orig/crypto/dh/dh_err.c ++++ openssl-1.1.1w/crypto/dh/dh_err.c +@@ -21,6 +21,7 @@ static const ERR_STRING_DATA DH_str_func + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"}, ++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY, 0), "DH_check_pub_key"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_DECRYPT, 0), "dh_cms_decrypt"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"}, +@@ -87,6 +88,7 @@ static const ERR_STRING_DATA DH_str_reas + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), + "parameter encoding error"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, ++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR), + "unable to check generator"}, +Index: openssl-1.1.1w/crypto/err/openssl.txt +=================================================================== +--- openssl-1.1.1w.orig/crypto/err/openssl.txt ++++ openssl-1.1.1w/crypto/err/openssl.txt +@@ -404,6 +404,7 @@ DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin + DH_F_DH_CHECK:126:DH_check + DH_F_DH_CHECK_EX:121:DH_check_ex + DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex ++DH_F_DH_CHECK_PUB_KEY:128:DH_check_pub_key + DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex + DH_F_DH_CMS_DECRYPT:114:dh_cms_decrypt + DH_F_DH_CMS_SET_PEERKEY:115:dh_cms_set_peerkey +@@ -2226,6 +2227,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters + DH_R_NO_PRIVATE_VALUE:100:no private value + DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error + DH_R_PEER_KEY_ERROR:111:peer key error ++DH_R_Q_TOO_LARGE:130:q too large + DH_R_SHARED_INFO_ERROR:113:shared info error + DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator + DSA_R_BAD_Q_VALUE:102:bad q value +Index: openssl-1.1.1w/include/openssl/dherr.h +=================================================================== +--- openssl-1.1.1w.orig/include/openssl/dherr.h ++++ openssl-1.1.1w/include/openssl/dherr.h +@@ -31,6 +31,7 @@ int ERR_load_DH_strings(void); + # define DH_F_DH_CHECK 126 + # define DH_F_DH_CHECK_EX 121 + # define DH_F_DH_CHECK_PARAMS_EX 122 ++# define DH_F_DH_CHECK_PUB_KEY 128 + # define DH_F_DH_CHECK_PUB_KEY_EX 123 + # define DH_F_DH_CMS_DECRYPT 114 + # define DH_F_DH_CMS_SET_PEERKEY 115 +@@ -84,6 +85,7 @@ int ERR_load_DH_strings(void); + # define DH_R_NO_PRIVATE_VALUE 100 + # define DH_R_PARAMETER_ENCODING_ERROR 105 + # define DH_R_PEER_KEY_ERROR 111 ++# define DH_R_Q_TOO_LARGE 130 + # define DH_R_SHARED_INFO_ERROR 113 + # define DH_R_UNABLE_TO_CHECK_GENERATOR 121 + +Index: openssl-1.1.1w/crypto/dh/dh_check.c +=================================================================== +--- openssl-1.1.1w.orig/crypto/dh/dh_check.c ++++ openssl-1.1.1w/crypto/dh/dh_check.c +@@ -260,6 +260,18 @@ static int dh_check_pub_key_int(const DH + */ + int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) + { ++ /* Don't do any checks at all with an excessively large modulus */ ++ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { ++ DHerr(DH_F_DH_CHECK_PUB_KEY, DH_R_MODULUS_TOO_LARGE); ++ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID; ++ return 0; ++ } ++ ++ if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) { ++ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID; ++ return 1; ++ } ++ + return dh_check_pub_key_int(dh, dh->q, pub_key, ret); + } + +Index: openssl-1.1.1w/crypto/dh/dh_key.c +=================================================================== +--- openssl-1.1.1w.orig/crypto/dh/dh_key.c ++++ openssl-1.1.1w/crypto/dh/dh_key.c +@@ -51,6 +51,12 @@ int DH_compute_key(unsigned char *key, c + int ret = 0, i; + volatile size_t npad = 0, mask = 1; + ++ if (dh->q != NULL ++ && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) { ++ DHerr(DH_F_DH_COMPUTE_KEY, DH_R_Q_TOO_LARGE); ++ return 0; ++ } ++ + /* compute the key; ret is constant unless compute_key is external */ + if ((ret = dh->meth->compute_key(key, pub_key, dh)) <= 0) + return ret; +@@ -147,6 +153,12 @@ static int generate_key(DH *dh) + return 0; + } + ++ if (dh->q != NULL ++ && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE); ++ return 0; ++ } ++ + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +Index: openssl-1.1.1w/doc/man3/DH_generate_parameters.pod +=================================================================== +--- openssl-1.1.1w.orig/doc/man3/DH_generate_parameters.pod ++++ openssl-1.1.1w/doc/man3/DH_generate_parameters.pod +@@ -73,6 +73,10 @@ The generator B is not suitable. + Note that the lack of this bit doesn't guarantee that B is + suitable, unless B

is known to be a strong prime. + ++=item DH_MODULUS_TOO_LARGE ++ ++The modulus is too large. ++ + =back + + DH_check() confirms that the Diffie-Hellman parameters B are valid. The +Index: openssl-1.1.1w/include/openssl/dh.h +=================================================================== +--- openssl-1.1.1w.orig/include/openssl/dh.h ++++ openssl-1.1.1w/include/openssl/dh.h +@@ -78,8 +78,9 @@ DECLARE_ASN1_ITEM(DHparams) + # define DH_UNABLE_TO_CHECK_GENERATOR 0x04 + # define DH_NOT_SUITABLE_GENERATOR 0x08 + # define DH_CHECK_Q_NOT_PRIME 0x10 +-# define DH_CHECK_INVALID_Q_VALUE 0x20 ++# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */ + # define DH_CHECK_INVALID_J_VALUE 0x40 ++# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */ + + /* DH_check_pub_key error codes */ + # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 diff --git a/openssl-CVE-2024-0727.patch b/openssl-CVE-2024-0727.patch new file mode 100644 index 0000000..8e0b906 --- /dev/null +++ b/openssl-CVE-2024-0727.patch @@ -0,0 +1,158 @@ +From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 19 Jan 2024 11:28:58 +0000 +Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL + +PKCS12 structures contain PKCS7 ContentInfo fields. These fields are +optional and can be NULL even if the "type" is a valid value. OpenSSL +was not properly accounting for this and a NULL dereference can occur +causing a crash. + +CVE-2024-0727 + +Reviewed-by: Tomas Mraz +Reviewed-by: Hugo Landau +Reviewed-by: Neil Horman +(Merged from https://github.com/openssl/openssl/pull/23362) + +(cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c) +--- + crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++ + crypto/pkcs12/p12_mutl.c | 5 +++++ + crypto/pkcs12/p12_npas.c | 5 +++-- + crypto/pkcs7/pk7_mime.c | 7 +++++-- + 4 files changed, 31 insertions(+), 4 deletions(-) + +Index: openssl-1.1.1w/crypto/pkcs12/p12_add.c +=================================================================== +--- openssl-1.1.1w.orig/crypto/pkcs12/p12_add.c ++++ openssl-1.1.1w/crypto/pkcs12/p12_add.c +@@ -76,6 +76,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_ + PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } ++ ++ if (p7->d.data == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); + } + +@@ -132,6 +138,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_ + { + if (!PKCS7_type_is_encrypted(p7)) + return NULL; ++ ++ if (p7->d.encrypted == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7ENCDATA, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm, + ASN1_ITEM_rptr(PKCS12_SAFEBAGS), + pass, passlen, +@@ -159,6 +171,13 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes + PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } ++ ++ if (p12->authsafes->d.data == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES, ++ PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return ASN1_item_unpack(p12->authsafes->d.data, + ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); + } +Index: openssl-1.1.1w/crypto/pkcs12/p12_mutl.c +=================================================================== +--- openssl-1.1.1w.orig/crypto/pkcs12/p12_mutl.c ++++ openssl-1.1.1w/crypto/pkcs12/p12_mutl.c +@@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, c + return 0; + } + ++ if (p12->authsafes->d.data == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR); ++ return 0; ++ } ++ + salt = p12->mac->salt->data; + saltlen = p12->mac->salt->length; + if (!p12->mac->iter) +Index: openssl-1.1.1w/crypto/pkcs12/p12_npas.c +=================================================================== +--- openssl-1.1.1w.orig/crypto/pkcs12/p12_npas.c ++++ openssl-1.1.1w/crypto/pkcs12/p12_npas.c +@@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, cons + bags = PKCS12_unpack_p7data(p7); + } else if (bagnid == NID_pkcs7_encrypted) { + bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); +- if (!alg_get(p7->d.encrypted->enc_data->algorithm, +- &pbe_nid, &pbe_iter, &pbe_saltlen)) ++ if (p7->d.encrypted == NULL ++ || !alg_get(p7->d.encrypted->enc_data->algorithm, ++ &pbe_nid, &pbe_iter, &pbe_saltlen)) + goto err; + } else { + continue; +Index: openssl-1.1.1w/crypto/pkcs7/pk7_mime.c +=================================================================== +--- openssl-1.1.1w.orig/crypto/pkcs7/pk7_mime.c ++++ openssl-1.1.1w/crypto/pkcs7/pk7_mime.c +@@ -30,10 +30,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p + { + STACK_OF(X509_ALGOR) *mdalgs; + int ctype_nid = OBJ_obj2nid(p7->type); +- if (ctype_nid == NID_pkcs7_signed) ++ if (ctype_nid == NID_pkcs7_signed) { ++ if (p7->d.sign == NULL) ++ return 0; + mdalgs = p7->d.sign->md_algs; +- else ++ } else { + mdalgs = NULL; ++ } + + flags ^= SMIME_OLDMIME; + +Index: openssl-1.1.1w/crypto/err/openssl.txt +=================================================================== +--- openssl-1.1.1w.orig/crypto/err/openssl.txt ++++ openssl-1.1.1w/crypto/err/openssl.txt +@@ -1079,6 +1079,7 @@ PKCS12_F_PKCS12_SETUP_MAC:122:PKCS12_set + PKCS12_F_PKCS12_SET_MAC:123:PKCS12_set_mac + PKCS12_F_PKCS12_UNPACK_AUTHSAFES:130:PKCS12_unpack_authsafes + PKCS12_F_PKCS12_UNPACK_P7DATA:131:PKCS12_unpack_p7data ++PKCS12_F_PKCS12_UNPACK_P7ENCDATA:233:PKCS12_unpack_p7encdata + PKCS12_F_PKCS12_VERIFY_MAC:126:PKCS12_verify_mac + PKCS12_F_PKCS8_ENCRYPT:125:PKCS8_encrypt + PKCS12_F_PKCS8_SET0_PBE:132:PKCS8_set0_pbe +Index: openssl-1.1.1w/crypto/pkcs12/pk12err.c +=================================================================== +--- openssl-1.1.1w.orig/crypto/pkcs12/pk12err.c ++++ openssl-1.1.1w/crypto/pkcs12/pk12err.c +@@ -58,6 +58,8 @@ static const ERR_STRING_DATA PKCS12_str_ + "PKCS12_unpack_authsafes"}, + {ERR_PACK(ERR_LIB_PKCS12, PKCS12_F_PKCS12_UNPACK_P7DATA, 0), + "PKCS12_unpack_p7data"}, ++ {ERR_PACK(ERR_LIB_PKCS12, PKCS12_F_PKCS12_UNPACK_P7ENCDATA, 0), ++ "PKCS12_unpack_p7encdata"}, + {ERR_PACK(ERR_LIB_PKCS12, PKCS12_F_PKCS12_VERIFY_MAC, 0), + "PKCS12_verify_mac"}, + {ERR_PACK(ERR_LIB_PKCS12, PKCS12_F_PKCS8_ENCRYPT, 0), "PKCS8_encrypt"}, +Index: openssl-1.1.1w/include/openssl/pkcs12err.h +=================================================================== +--- openssl-1.1.1w.orig/include/openssl/pkcs12err.h ++++ openssl-1.1.1w/include/openssl/pkcs12err.h +@@ -49,6 +49,7 @@ int ERR_load_PKCS12_strings(void); + # define PKCS12_F_PKCS12_SET_MAC 123 + # define PKCS12_F_PKCS12_UNPACK_AUTHSAFES 130 + # define PKCS12_F_PKCS12_UNPACK_P7DATA 131 ++# define PKCS12_F_PKCS12_UNPACK_P7ENCDATA 233 + # define PKCS12_F_PKCS12_VERIFY_MAC 126 + # define PKCS12_F_PKCS8_ENCRYPT 125 + # define PKCS12_F_PKCS8_SET0_PBE 132 diff --git a/openssl-CVE-2024-2511.patch b/openssl-CVE-2024-2511.patch new file mode 100644 index 0000000..71c33d8 --- /dev/null +++ b/openssl-CVE-2024-2511.patch @@ -0,0 +1,118 @@ +From b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 5 Mar 2024 15:43:53 +0000 +Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3 + +In TLSv1.3 we create a new session object for each ticket that we send. +We do this by duplicating the original session. If SSL_OP_NO_TICKET is in +use then the new session will be added to the session cache. However, if +early data is not in use (and therefore anti-replay protection is being +used), then multiple threads could be resuming from the same session +simultaneously. If this happens and a problem occurs on one of the threads, +then the original session object could be marked as not_resumable. When we +duplicate the session object this not_resumable status gets copied into the +new session object. The new session object is then added to the session +cache even though it is not_resumable. + +Subsequently, another bug means that the session_id_length is set to 0 for +sessions that are marked as not_resumable - even though that session is +still in the cache. Once this happens the session can never be removed from +the cache. When that object gets to be the session cache tail object the +cache never shrinks again and grows indefinitely. + +CVE-2024-2511 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24044) + +(cherry picked from commit 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce) +--- + ssl/ssl_lib.c | 5 +++-- + ssl/ssl_sess.c | 28 ++++++++++++++++++++++------ + ssl/statem/statem_srvr.c | 5 ++--- + 3 files changed, 27 insertions(+), 11 deletions(-) + +Index: openssl-1.1.1w/ssl/ssl_lib.c +=================================================================== +--- openssl-1.1.1w.orig/ssl/ssl_lib.c ++++ openssl-1.1.1w/ssl/ssl_lib.c +@@ -3524,9 +3524,10 @@ void ssl_update_cache(SSL *s, int mode) + + /* + * If the session_id_length is 0, we are not supposed to cache it, and it +- * would be rather hard to do anyway :-) ++ * would be rather hard to do anyway :-). Also if the session has already ++ * been marked as not_resumable we should not cache it for later reuse. + */ +- if (s->session->session_id_length == 0) ++ if (s->session->session_id_length == 0 || s->session->not_resumable) + return; + + /* +Index: openssl-1.1.1w/ssl/ssl_sess.c +=================================================================== +--- openssl-1.1.1w.orig/ssl/ssl_sess.c ++++ openssl-1.1.1w/ssl/ssl_sess.c +@@ -94,16 +94,11 @@ SSL_SESSION *SSL_SESSION_new(void) + return ss; + } + +-SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src) +-{ +- return ssl_session_dup(src, 1); +-} +- + /* + * Create a new SSL_SESSION and duplicate the contents of |src| into it. If + * ticket == 0 then no ticket information is duplicated, otherwise it is. + */ +-SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) ++static SSL_SESSION *ssl_session_dup_intern(SSL_SESSION *src, int ticket) + { + SSL_SESSION *dest; + +@@ -226,6 +221,27 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION + return NULL; + } + ++SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src) ++{ ++ return ssl_session_dup_intern(src, 1); ++} ++ ++/* ++ * Used internally when duplicating a session which might be already shared. ++ * We will have resumed the original session. Subsequently we might have marked ++ * it as non-resumable (e.g. in another thread) - but this copy should be ok to ++ * resume from. ++ */ ++SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) ++{ ++ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket); ++ ++ if (sess != NULL) ++ sess->not_resumable = 0; ++ ++ return sess; ++} ++ + const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) + { + if (len) +Index: openssl-1.1.1w/ssl/statem/statem_srvr.c +=================================================================== +--- openssl-1.1.1w.orig/ssl/statem/statem_srvr.c ++++ openssl-1.1.1w/ssl/statem/statem_srvr.c +@@ -2403,9 +2403,8 @@ int tls_construct_server_hello(SSL *s, W + * so the following won't overwrite an ID that we're supposed + * to send back. + */ +- if (s->session->not_resumable || +- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) +- && !s->hit)) ++ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) ++ && !s->hit) + s->session->session_id_length = 0; + + if (usetls13) { diff --git a/openssl-CVE-2024-4741.patch b/openssl-CVE-2024-4741.patch new file mode 100644 index 0000000..c093774 --- /dev/null +++ b/openssl-CVE-2024-4741.patch @@ -0,0 +1,41 @@ +@@ -, +, @@ +--- + ssl/record/methods/tls_common.c | 8 ++++++++ + 1 file changed, 8 insertions(+) +Index: openssl-1.1.1w/ssl/record/ssl3_buffer.c +=================================================================== +--- openssl-1.1.1w.orig/ssl/record/ssl3_buffer.c 2023-09-11 14:08:11.000000000 +0000 ++++ openssl-1.1.1w/ssl/record/ssl3_buffer.c 2024-06-12 07:58:27.817211675 +0000 +@@ -179,5 +179,7 @@ int ssl3_release_read_buffer(SSL *s) + b = RECORD_LAYER_get_rbuf(&s->rlayer); + OPENSSL_free(b->buf); + b->buf = NULL; ++ s->rlayer.packet = NULL; ++ s->rlayer.packet_length = 0; + return 1; + } +Index: openssl-1.1.1w/ssl/record/rec_layer_s3.c +=================================================================== +--- openssl-1.1.1w.orig/ssl/record/rec_layer_s3.c 2023-09-11 14:08:11.000000000 +0000 ++++ openssl-1.1.1w/ssl/record/rec_layer_s3.c 2024-06-12 07:58:27.817211675 +0000 +@@ -17,6 +17,7 @@ + #include "record_local.h" + #include "../packet_local.h" + #include "internal/cryptlib.h" ++#include "internal/cryptlib.h" + + #if defined(OPENSSL_SMALL_FOOTPRINT) || \ + !( defined(AESNI_ASM) && ( \ +@@ -238,6 +239,12 @@ int ssl3_read_n(SSL *s, size_t n, size_t + s->rlayer.packet_length = 0; + /* ... now we can act as if 'extend' was set */ + } ++ if (!ossl_assert(s->rlayer.packet != NULL)) { ++ /* does not happen */ ++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N, ++ ERR_R_INTERNAL_ERROR); ++ return -1; ++ } + + len = s->rlayer.packet_length; + pkt = rb->buf + align; diff --git a/openssl-CVE-2024-5535.patch b/openssl-CVE-2024-5535.patch new file mode 100644 index 0000000..d78defd --- /dev/null +++ b/openssl-CVE-2024-5535.patch @@ -0,0 +1,234 @@ +From 4ada436a1946cbb24db5ab4ca082b69c1bc10f37 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 31 May 2024 11:14:33 +0100 +Subject: [PATCH] Fix SSL_select_next_proto + +Ensure that the provided client list is non-NULL and starts with a valid +entry. When called from the ALPN callback the client list should already +have been validated by OpenSSL so this should not cause a problem. When +called from the NPN callback the client list is locally configured and +will not have already been validated. Therefore SSL_select_next_proto +should not assume that it is correctly formatted. + +We implement stricter checking of the client protocol list. We also do the +same for the server list while we are about it. + +CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24718) +--- + ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++------------------- + 1 file changed, 40 insertions(+), 23 deletions(-) + +Index: openssl-1.1.1w/ssl/ssl_lib.c +=================================================================== +--- openssl-1.1.1w.orig/ssl/ssl_lib.c ++++ openssl-1.1.1w/ssl/ssl_lib.c +@@ -2761,37 +2761,54 @@ int SSL_select_next_proto(unsigned char + unsigned int server_len, + const unsigned char *client, unsigned int client_len) + { +- unsigned int i, j; +- const unsigned char *result; +- int status = OPENSSL_NPN_UNSUPPORTED; ++ PACKET cpkt, csubpkt, spkt, ssubpkt; ++ ++ if (!PACKET_buf_init(&cpkt, client, client_len) ++ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt) ++ || PACKET_remaining(&csubpkt) == 0) { ++ *out = NULL; ++ *outlen = 0; ++ return OPENSSL_NPN_NO_OVERLAP; ++ } ++ ++ /* ++ * Set the default opportunistic protocol. Will be overwritten if we find ++ * a match. ++ */ ++ *out = (unsigned char *)PACKET_data(&csubpkt); ++ *outlen = (unsigned char)PACKET_remaining(&csubpkt); + + /* + * For each protocol in server preference order, see if we support it. + */ +- for (i = 0; i < server_len;) { +- for (j = 0; j < client_len;) { +- if (server[i] == client[j] && +- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { +- /* We found a match */ +- result = &server[i]; +- status = OPENSSL_NPN_NEGOTIATED; +- goto found; ++ if (PACKET_buf_init(&spkt, server, server_len)) { ++ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) { ++ if (PACKET_remaining(&ssubpkt) == 0) ++ continue; /* Invalid - ignore it */ ++ if (PACKET_buf_init(&cpkt, client, client_len)) { ++ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) { ++ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt), ++ PACKET_remaining(&ssubpkt))) { ++ /* We found a match */ ++ *out = (unsigned char *)PACKET_data(&ssubpkt); ++ *outlen = (unsigned char)PACKET_remaining(&ssubpkt); ++ return OPENSSL_NPN_NEGOTIATED; ++ } ++ } ++ /* Ignore spurious trailing bytes in the client list */ ++ } else { ++ /* This should never happen */ ++ return OPENSSL_NPN_NO_OVERLAP; + } +- j += client[j]; +- j++; + } +- i += server[i]; +- i++; ++ /* Ignore spurious trailing bytes in the server list */ + } + +- /* There's no overlap between our protocols and the server's list. */ +- result = client; +- status = OPENSSL_NPN_NO_OVERLAP; +- +- found: +- *out = (unsigned char *)result + 1; +- *outlen = result[0]; +- return status; ++ /* ++ * There's no overlap between our protocols and the server's list. We use ++ * the default opportunistic protocol selected earlier ++ */ ++ return OPENSSL_NPN_NO_OVERLAP; + } + + #ifndef OPENSSL_NO_NEXTPROTONEG +Index: openssl-1.1.1w/ssl/statem/extensions_clnt.c +=================================================================== +--- openssl-1.1.1w.orig/ssl/statem/extensions_clnt.c ++++ openssl-1.1.1w/ssl/statem/extensions_clnt.c +@@ -1599,7 +1599,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *p + PACKET_data(pkt), + PACKET_remaining(pkt), + s->ctx->ext.npn_select_cb_arg) != +- SSL_TLSEXT_ERR_OK) { ++ SSL_TLSEXT_ERR_OK ++ || selected_len == 0) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_STOC_NPN, + SSL_R_BAD_EXTENSION); + return 0; +@@ -1630,6 +1631,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET * + size_t chainidx) + { + size_t len; ++ PACKET confpkt, protpkt; ++ int valid = 0; + + /* We must have requested it. */ + if (!s->s3->alpn_sent) { +@@ -1650,6 +1653,30 @@ int tls_parse_stoc_alpn(SSL *s, PACKET * + SSL_R_BAD_EXTENSION); + return 0; + } ++ ++ /* It must be a protocol that we sent */ ++ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) { ++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, ++ ERR_R_INTERNAL_ERROR); ++ return 0; ++ } ++ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) { ++ if (PACKET_remaining(&protpkt) != len) ++ continue; ++ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) { ++ /* Valid protocol found */ ++ valid = 1; ++ break; ++ } ++ } ++ ++ if (!valid) { ++ /* The protocol sent from the server does not match one we advertised */ ++ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, ++ SSL_R_BAD_EXTENSION); ++ return 0; ++ } ++ + OPENSSL_free(s->s3->alpn_selected); + s->s3->alpn_selected = OPENSSL_malloc(len); + if (s->s3->alpn_selected == NULL) { +Index: openssl-1.1.1w/doc/man3/SSL_CTX_set_alpn_select_cb.pod +=================================================================== +--- openssl-1.1.1w.orig/doc/man3/SSL_CTX_set_alpn_select_cb.pod ++++ openssl-1.1.1w/doc/man3/SSL_CTX_set_alpn_select_cb.pod +@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_sel + SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to + set the list of protocols available to be negotiated. The B must be in + protocol-list format, described below. The length of B is specified in +-B. ++B. Setting B to 0 clears any existing list of ALPN ++protocols and no ALPN extension will be sent to the server. + + SSL_CTX_set_alpn_select_cb() sets the application callback B used by a + server to select which protocol to use for the incoming connection. When B +@@ -73,9 +74,16 @@ B and B, B, B list that + matches an item in the B, B list is selected, and returned + in B, B. The B value will point into either B or +-B, so it should be copied immediately. If no match is found, the first +-item in B, B is returned in B, B. This +-function can also be used in the NPN callback. ++B, so it should be copied immediately. The client list must include at ++least one valid (nonempty) protocol entry in the list. ++ ++The SSL_select_next_proto() helper function can be useful from either the ALPN ++callback or the NPN callback (described below). If no match is found, the first ++item in B, B is returned in B, B and ++B is returned. This can be useful when implementating ++the NPN callback. In the ALPN case, the value returned in B and B ++must be ignored if B has been returned from ++SSL_select_next_proto(). + + SSL_CTX_set_next_proto_select_cb() sets a callback B that is called when a + client needs to select a protocol from the server's provided list, and a +@@ -85,9 +93,10 @@ must be set to point to the selected pro + The length of the protocol name must be written into B. The + server's advertised protocols are provided in B and B. The + callback can assume that B is syntactically valid. The client must +-select a protocol. It is fatal to the connection if this callback returns +-a value other than B. The B parameter is the pointer +-set via SSL_CTX_set_next_proto_select_cb(). ++select a protocol (although it may be an empty, zero length protocol). It is ++fatal to the connection if this callback returns a value other than ++B or if the zero length protocol is selected. The B ++parameter is the pointer set via SSL_CTX_set_next_proto_select_cb(). + + SSL_CTX_set_next_protos_advertised_cb() sets a callback B that is called + when a TLS server needs a list of supported protocols for Next Protocol +@@ -149,7 +158,8 @@ A match was found and is returned in B, B is returned in +-B, B. ++B, B (or B and 0 in the case where the first entry in ++B is invalid). + + =back + +Index: openssl-1.1.1w/ssl/statem/extensions_srvr.c +=================================================================== +--- openssl-1.1.1w.orig/ssl/statem/extensions_srvr.c ++++ openssl-1.1.1w/ssl/statem/extensions_srvr.c +@@ -1558,9 +1558,10 @@ EXT_RETURN tls_construct_stoc_next_proto + return EXT_RETURN_FAIL; + } + s->s3->npn_seen = 1; ++ return EXT_RETURN_SENT; + } + +- return EXT_RETURN_SENT; ++ return EXT_RETURN_NOT_SENT; + } + #endif + diff --git a/openssl-DEFAULT_SUSE_cipher.patch b/openssl-DEFAULT_SUSE_cipher.patch new file mode 100644 index 0000000..46745b2 --- /dev/null +++ b/openssl-DEFAULT_SUSE_cipher.patch @@ -0,0 +1,63 @@ +Index: openssl-1.1.1/ssl/ssl_ciph.c +=================================================================== +--- openssl-1.1.1.orig/ssl/ssl_ciph.c 2018-09-11 14:48:23.000000000 +0200 ++++ openssl-1.1.1/ssl/ssl_ciph.c 2018-09-11 16:38:40.412543331 +0200 +@@ -1567,7 +1567,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + */ + ok = 1; + rule_p = rule_str; +- if (strncmp(rule_str, "DEFAULT", 7) == 0) { ++ if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) { ++ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST, ++ &head, &tail, ca_list, c); ++ rule_p += 12; ++ if (*rule_p == ':') ++ rule_p++; ++ } ++ else if (strncmp(rule_str, "DEFAULT", 7) == 0) { + ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, + &head, &tail, ca_list, c); + rule_p += 7; +Index: openssl-1.1.1/include/openssl/ssl.h +=================================================================== +--- openssl-1.1.1.orig/include/openssl/ssl.h 2018-09-11 14:48:23.000000000 +0200 ++++ openssl-1.1.1/include/openssl/ssl.h 2018-09-11 16:45:20.979303981 +0200 +@@ -171,6 +171,10 @@ extern "C" { + * This applies to ciphersuites for TLSv1.2 and below. + */ + # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" ++# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\ ++ "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\ ++ "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\ ++ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA" + /* This is the default set of TLSv1.3 ciphersuites */ + # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) + # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ +Index: openssl-1.1.1/test/recipes/99-test_suse_default_ciphers.t +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.1.1/test/recipes/99-test_suse_default_ciphers.t 2018-09-11 16:38:23.292423281 +0200 +@@ -0,0 +1,23 @@ ++#! /usr/bin/env perl ++ ++use strict; ++use warnings; ++ ++use OpenSSL::Test qw/:DEFAULT/; ++use OpenSSL::Test::Utils; ++ ++setup("test_default_ciphersuites"); ++ ++plan tests => 6; ++ ++my @cipher_suites = ("DEFAULT_SUSE", "DEFAULT"); ++ ++foreach my $cipherlist (@cipher_suites) { ++ ok(run(app(["openssl", "ciphers", "-s", $cipherlist])), ++ "openssl ciphers works with ciphersuite $cipherlist"); ++ ok(!grep(/(MD5|RC4|DES)/, run(app(["openssl", "ciphers", "-s", $cipherlist]), capture => 1)), ++ "$cipherlist shouldn't contain MD5, DES or RC4\n"); ++ ok(grep(/(TLSv1.3)/, run(app(["openssl", "ciphers", "-tls1_3", "-s", "-v", $cipherlist]), capture => 1)), ++ "$cipherlist should contain TLSv1.3 ciphers\n"); ++} ++ diff --git a/openssl-DH.patch b/openssl-DH.patch new file mode 100644 index 0000000..173d1bf --- /dev/null +++ b/openssl-DH.patch @@ -0,0 +1,3294 @@ +Index: openssl-1.1.1m/crypto/bn/bn_const.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/bn/bn_const.c ++++ openssl-1.1.1m/crypto/bn/bn_const.c +@@ -8,6 +8,10 @@ + */ + + #include ++#include "crypto/bn_dh.h" ++ ++#define COPY_BN(dst, src) (dst != NULL) ? BN_copy(dst, &src) : BN_dup(&src) ++ + + /*- + * "First Oakley Default Group" from RFC2409, section 6.1. +@@ -80,33 +84,7 @@ BIGNUM *BN_get_rfc2409_prime_1024(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_1536[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x23, 0x73, 0x27, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), bn); ++ return COPY_BN(bn, _bignum_modp_1536_p); + } + + /*- +@@ -119,41 +97,7 @@ BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_2048[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_2048, sizeof(RFC3526_PRIME_2048), bn); ++ return COPY_BN(bn, _bignum_modp_2048_p); + } + + /*- +@@ -166,57 +110,7 @@ BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_3072[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, +- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, +- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, +- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, +- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, +- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, +- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, +- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, +- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, +- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, +- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, +- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, +- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, +- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, +- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, +- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, +- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x3A, 0xD2, 0xCA, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_3072, sizeof(RFC3526_PRIME_3072), bn); ++ return COPY_BN(bn, _bignum_modp_3072_p); + } + + /*- +@@ -229,73 +123,7 @@ BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_4096[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, +- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, +- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, +- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, +- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, +- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, +- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, +- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, +- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, +- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, +- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, +- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, +- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, +- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, +- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, +- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, +- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, +- 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, +- 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, +- 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, +- 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, +- 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, +- 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, +- 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, +- 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, +- 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, +- 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, +- 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, +- 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, +- 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, +- 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, +- 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, +- 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_4096, sizeof(RFC3526_PRIME_4096), bn); ++ return COPY_BN(bn, _bignum_modp_4096_p); + } + + /*- +@@ -308,105 +136,7 @@ BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_6144[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, +- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, +- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, +- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, +- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, +- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, +- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, +- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, +- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, +- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, +- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, +- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, +- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, +- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, +- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, +- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, +- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, +- 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, +- 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, +- 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, +- 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, +- 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, +- 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, +- 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, +- 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, +- 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, +- 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, +- 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, +- 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, +- 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, +- 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, +- 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, +- 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92, +- 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26, +- 0xC1, 0xD4, 0xDC, 0xB2, 0x60, 0x26, 0x46, 0xDE, +- 0xC9, 0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD, +- 0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E, +- 0xE5, 0xDB, 0x38, 0x2F, 0x41, 0x30, 0x01, 0xAE, +- 0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31, +- 0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18, +- 0xDA, 0x3E, 0xDB, 0xEB, 0xCF, 0x9B, 0x14, 0xED, +- 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B, +- 0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B, +- 0x33, 0x20, 0x51, 0x51, 0x2B, 0xD7, 0xAF, 0x42, +- 0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 0xD2, 0xBF, +- 0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC, +- 0xF0, 0x32, 0xEA, 0x15, 0xD1, 0x72, 0x1D, 0x03, +- 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6, +- 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82, +- 0xB5, 0xA8, 0x40, 0x31, 0x90, 0x0B, 0x1C, 0x9E, +- 0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3, +- 0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE, +- 0x0F, 0x1D, 0x45, 0xB7, 0xFF, 0x58, 0x5A, 0xC5, +- 0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA, +- 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8, +- 0x14, 0xCC, 0x5E, 0xD2, 0x0F, 0x80, 0x37, 0xE0, +- 0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28, +- 0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76, +- 0xF5, 0x50, 0xAA, 0x3D, 0x8A, 0x1F, 0xBF, 0xF0, +- 0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C, +- 0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32, +- 0x38, 0x7F, 0xE8, 0xD7, 0x6E, 0x3C, 0x04, 0x68, +- 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE, +- 0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6, +- 0xE6, 0x94, 0xF9, 0x1E, 0x6D, 0xCC, 0x40, 0x24, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_6144, sizeof(RFC3526_PRIME_6144), bn); ++ return COPY_BN(bn, _bignum_modp_6144_p); + } + + /*- +@@ -419,135 +149,5 @@ BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_8192[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, +- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, +- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, +- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, +- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, +- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, +- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, +- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, +- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, +- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, +- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, +- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, +- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, +- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, +- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, +- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, +- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, +- 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, +- 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, +- 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, +- 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, +- 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, +- 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, +- 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, +- 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, +- 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, +- 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, +- 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, +- 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, +- 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, +- 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, +- 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, +- 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92, +- 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26, +- 0xC1, 0xD4, 0xDC, 0xB2, 0x60, 0x26, 0x46, 0xDE, +- 0xC9, 0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD, +- 0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E, +- 0xE5, 0xDB, 0x38, 0x2F, 0x41, 0x30, 0x01, 0xAE, +- 0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31, +- 0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18, +- 0xDA, 0x3E, 0xDB, 0xEB, 0xCF, 0x9B, 0x14, 0xED, +- 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B, +- 0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B, +- 0x33, 0x20, 0x51, 0x51, 0x2B, 0xD7, 0xAF, 0x42, +- 0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 0xD2, 0xBF, +- 0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC, +- 0xF0, 0x32, 0xEA, 0x15, 0xD1, 0x72, 0x1D, 0x03, +- 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6, +- 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82, +- 0xB5, 0xA8, 0x40, 0x31, 0x90, 0x0B, 0x1C, 0x9E, +- 0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3, +- 0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE, +- 0x0F, 0x1D, 0x45, 0xB7, 0xFF, 0x58, 0x5A, 0xC5, +- 0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA, +- 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8, +- 0x14, 0xCC, 0x5E, 0xD2, 0x0F, 0x80, 0x37, 0xE0, +- 0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28, +- 0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76, +- 0xF5, 0x50, 0xAA, 0x3D, 0x8A, 0x1F, 0xBF, 0xF0, +- 0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C, +- 0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32, +- 0x38, 0x7F, 0xE8, 0xD7, 0x6E, 0x3C, 0x04, 0x68, +- 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE, +- 0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6, +- 0xE6, 0x94, 0xF9, 0x1E, 0x6D, 0xBE, 0x11, 0x59, +- 0x74, 0xA3, 0x92, 0x6F, 0x12, 0xFE, 0xE5, 0xE4, +- 0x38, 0x77, 0x7C, 0xB6, 0xA9, 0x32, 0xDF, 0x8C, +- 0xD8, 0xBE, 0xC4, 0xD0, 0x73, 0xB9, 0x31, 0xBA, +- 0x3B, 0xC8, 0x32, 0xB6, 0x8D, 0x9D, 0xD3, 0x00, +- 0x74, 0x1F, 0xA7, 0xBF, 0x8A, 0xFC, 0x47, 0xED, +- 0x25, 0x76, 0xF6, 0x93, 0x6B, 0xA4, 0x24, 0x66, +- 0x3A, 0xAB, 0x63, 0x9C, 0x5A, 0xE4, 0xF5, 0x68, +- 0x34, 0x23, 0xB4, 0x74, 0x2B, 0xF1, 0xC9, 0x78, +- 0x23, 0x8F, 0x16, 0xCB, 0xE3, 0x9D, 0x65, 0x2D, +- 0xE3, 0xFD, 0xB8, 0xBE, 0xFC, 0x84, 0x8A, 0xD9, +- 0x22, 0x22, 0x2E, 0x04, 0xA4, 0x03, 0x7C, 0x07, +- 0x13, 0xEB, 0x57, 0xA8, 0x1A, 0x23, 0xF0, 0xC7, +- 0x34, 0x73, 0xFC, 0x64, 0x6C, 0xEA, 0x30, 0x6B, +- 0x4B, 0xCB, 0xC8, 0x86, 0x2F, 0x83, 0x85, 0xDD, +- 0xFA, 0x9D, 0x4B, 0x7F, 0xA2, 0xC0, 0x87, 0xE8, +- 0x79, 0x68, 0x33, 0x03, 0xED, 0x5B, 0xDD, 0x3A, +- 0x06, 0x2B, 0x3C, 0xF5, 0xB3, 0xA2, 0x78, 0xA6, +- 0x6D, 0x2A, 0x13, 0xF8, 0x3F, 0x44, 0xF8, 0x2D, +- 0xDF, 0x31, 0x0E, 0xE0, 0x74, 0xAB, 0x6A, 0x36, +- 0x45, 0x97, 0xE8, 0x99, 0xA0, 0x25, 0x5D, 0xC1, +- 0x64, 0xF3, 0x1C, 0xC5, 0x08, 0x46, 0x85, 0x1D, +- 0xF9, 0xAB, 0x48, 0x19, 0x5D, 0xED, 0x7E, 0xA1, +- 0xB1, 0xD5, 0x10, 0xBD, 0x7E, 0xE7, 0x4D, 0x73, +- 0xFA, 0xF3, 0x6B, 0xC3, 0x1E, 0xCF, 0xA2, 0x68, +- 0x35, 0x90, 0x46, 0xF4, 0xEB, 0x87, 0x9F, 0x92, +- 0x40, 0x09, 0x43, 0x8B, 0x48, 0x1C, 0x6C, 0xD7, +- 0x88, 0x9A, 0x00, 0x2E, 0xD5, 0xEE, 0x38, 0x2B, +- 0xC9, 0x19, 0x0D, 0xA6, 0xFC, 0x02, 0x6E, 0x47, +- 0x95, 0x58, 0xE4, 0x47, 0x56, 0x77, 0xE9, 0xAA, +- 0x9E, 0x30, 0x50, 0xE2, 0x76, 0x56, 0x94, 0xDF, +- 0xC8, 0x1F, 0x56, 0xE8, 0x80, 0xB9, 0x6E, 0x71, +- 0x60, 0xC9, 0x80, 0xDD, 0x98, 0xED, 0xD3, 0xDF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_8192, sizeof(RFC3526_PRIME_8192), bn); ++ return COPY_BN(bn, _bignum_modp_8192_p); + } +Index: openssl-1.1.1m/crypto/bn/bn_dh.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/bn/bn_dh.c ++++ openssl-1.1.1m/crypto/bn/bn_dh.c +@@ -11,474 +11,995 @@ + #include "internal/nelem.h" + + #ifndef OPENSSL_NO_DH +-#include +-#include "crypto/bn_dh.h" +-/* DH parameters from RFC5114 */ ++# include ++# include "crypto/bn_dh.h" + + # if BN_BITS2 == 64 +-static const BN_ULONG dh1024_160_p[] = { +- 0xDF1FB2BC2E4A4371ULL, 0xE68CFDA76D4DA708ULL, 0x45BF37DF365C1A65ULL, +- 0xA151AF5F0DC8B4BDULL, 0xFAA31A4FF55BCCC0ULL, 0x4EFFD6FAE5644738ULL, +- 0x98488E9C219A7372ULL, 0xACCBDD7D90C4BD70ULL, 0x24975C3CD49B83BFULL, +- 0x13ECB4AEA9061123ULL, 0x9838EF1E2EE652C0ULL, 0x6073E28675A23D18ULL, +- 0x9A6A9DCA52D23B61ULL, 0x52C99FBCFB06A3C6ULL, 0xDE92DE5EAE5D54ECULL, +- 0xB10B8F96A080E01DULL +-}; +- +-static const BN_ULONG dh1024_160_g[] = { +- 0x855E6EEB22B3B2E5ULL, 0x858F4DCEF97C2A24ULL, 0x2D779D5918D08BC8ULL, +- 0xD662A4D18E73AFA3ULL, 0x1DBF0A0169B6A28AULL, 0xA6A24C087A091F53ULL, +- 0x909D0D2263F80A76ULL, 0xD7FBD7D3B9A92EE1ULL, 0x5E91547F9E2749F4ULL, +- 0x160217B4B01B886AULL, 0x777E690F5504F213ULL, 0x266FEA1E5C41564BULL, +- 0xD6406CFF14266D31ULL, 0xF8104DD258AC507FULL, 0x6765A442EFB99905ULL, +- 0xA4D1CBD5C3FD3412ULL +-}; +- +-static const BN_ULONG dh1024_160_q[] = { +- 0x64B7CB9D49462353ULL, 0x81A8DF278ABA4E7DULL, 0x00000000F518AA87ULL +-}; +- +-static const BN_ULONG dh2048_224_p[] = { +- 0x0AC4DFFE0C10E64FULL, 0xCF9DE5384E71B81CULL, 0x7EF363E2FFA31F71ULL, +- 0xE3FB73C16B8E75B9ULL, 0xC9B53DCF4BA80A29ULL, 0x23F10B0E16E79763ULL, +- 0xC52172E413042E9BULL, 0xBE60E69CC928B2B9ULL, 0x80CD86A1B9E587E8ULL, +- 0x315D75E198C641A4ULL, 0xCDF93ACC44328387ULL, 0x15987D9ADC0A486DULL, +- 0x7310F7121FD5A074ULL, 0x278273C7DE31EFDCULL, 0x1602E714415D9330ULL, +- 0x81286130BC8985DBULL, 0xB3BF8A3170918836ULL, 0x6A00E0A0B9C49708ULL, +- 0xC6BA0B2C8BBC27BEULL, 0xC9F98D11ED34DBF6ULL, 0x7AD5B7D0B6C12207ULL, +- 0xD91E8FEF55B7394BULL, 0x9037C9EDEFDA4DF8ULL, 0x6D3F8152AD6AC212ULL, +- 0x1DE6B85A1274A0A6ULL, 0xEB3D688A309C180EULL, 0xAF9A3C407BA1DF15ULL, +- 0xE6FA141DF95A56DBULL, 0xB54B1597B61D0A75ULL, 0xA20D64E5683B9FD1ULL, +- 0xD660FAA79559C51FULL, 0xAD107E1E9123A9D0ULL +-}; +- +-static const BN_ULONG dh2048_224_g[] = { +- 0x84B890D3191F2BFAULL, 0x81BC087F2A7065B3ULL, 0x19C418E1F6EC0179ULL, +- 0x7B5A0F1C71CFFF4CULL, 0xEDFE72FE9B6AA4BDULL, 0x81E1BCFE94B30269ULL, +- 0x566AFBB48D6C0191ULL, 0xB539CCE3409D13CDULL, 0x6AA21E7F5F2FF381ULL, +- 0xD9E263E4770589EFULL, 0x10E183EDD19963DDULL, 0xB70A8137150B8EEBULL, +- 0x051AE3D428C8F8ACULL, 0xBB77A86F0C1AB15BULL, 0x6E3025E316A330EFULL, +- 0x19529A45D6F83456ULL, 0xF180EB34118E98D1ULL, 0xB5F6C6B250717CBEULL, +- 0x09939D54DA7460CDULL, 0xE247150422EA1ED4ULL, 0xB8A762D0521BC98AULL, +- 0xF4D027275AC1348BULL, 0xC17669101999024AULL, 0xBE5E9001A8D66AD7ULL, +- 0xC57DB17C620A8652ULL, 0xAB739D7700C29F52ULL, 0xDD921F01A70C4AFAULL, +- 0xA6824A4E10B9A6F0ULL, 0x74866A08CFE4FFE3ULL, 0x6CDEBE7B89998CAFULL, +- 0x9DF30B5C8FFDAC50ULL, 0xAC4032EF4F2D9AE3ULL +-}; +- +-static const BN_ULONG dh2048_224_q[] = { +- 0xBF389A99B36371EBULL, 0x1F80535A4738CEBCULL, 0xC58D93FE99717710ULL, +- 0x00000000801C0D34ULL +-}; +- +-static const BN_ULONG dh2048_256_p[] = { +- 0xDB094AE91E1A1597ULL, 0x693877FAD7EF09CAULL, 0x6116D2276E11715FULL, +- 0xA4B54330C198AF12ULL, 0x75F26375D7014103ULL, 0xC3A3960A54E710C3ULL, +- 0xDED4010ABD0BE621ULL, 0xC0B857F689962856ULL, 0xB3CA3F7971506026ULL, +- 0x1CCACB83E6B486F6ULL, 0x67E144E514056425ULL, 0xF6A167B5A41825D9ULL, +- 0x3AD8347796524D8EULL, 0xF13C6D9A51BFA4ABULL, 0x2D52526735488A0EULL, +- 0xB63ACAE1CAA6B790ULL, 0x4FDB70C581B23F76ULL, 0xBC39A0BF12307F5CULL, +- 0xB941F54EB1E59BB8ULL, 0x6C5BFC11D45F9088ULL, 0x22E0B1EF4275BF7BULL, +- 0x91F9E6725B4758C0ULL, 0x5A8A9D306BCF67EDULL, 0x209E0C6497517ABDULL, +- 0x3BF4296D830E9A7CULL, 0x16C3D91134096FAAULL, 0xFAF7DF4561B2AA30ULL, +- 0xE00DF8F1D61957D4ULL, 0x5D2CEED4435E3B00ULL, 0x8CEEF608660DD0F2ULL, +- 0xFFBBD19C65195999ULL, 0x87A8E61DB4B6663CULL +-}; +- +-static const BN_ULONG dh2048_256_g[] = { +- 0x664B4C0F6CC41659ULL, 0x5E2327CFEF98C582ULL, 0xD647D148D4795451ULL, +- 0x2F63078490F00EF8ULL, 0x184B523D1DB246C3ULL, 0xC7891428CDC67EB6ULL, +- 0x7FD028370DF92B52ULL, 0xB3353BBB64E0EC37ULL, 0xECD06E1557CD0915ULL, +- 0xB7D2BBD2DF016199ULL, 0xC8484B1E052588B9ULL, 0xDB2A3B7313D3FE14ULL, +- 0xD052B985D182EA0AULL, 0xA4BD1BFFE83B9C80ULL, 0xDFC967C1FB3F2E55ULL, +- 0xB5045AF2767164E1ULL, 0x1D14348F6F2F9193ULL, 0x64E67982428EBC83ULL, +- 0x8AC376D282D6ED38ULL, 0x777DE62AAAB8A862ULL, 0xDDF463E5E9EC144BULL, +- 0x0196F931C77A57F2ULL, 0xA55AE31341000A65ULL, 0x901228F8C28CBB18ULL, +- 0xBC3773BF7E8C6F62ULL, 0xBE3A6C1B0C6B47B1ULL, 0xFF4FED4AAC0BB555ULL, +- 0x10DBC15077BE463FULL, 0x07F4793A1A0BA125ULL, 0x4CA7B18F21EF2054ULL, +- 0x2E77506660EDBD48ULL, 0x3FB32C9B73134D0BULL +-}; +- +-static const BN_ULONG dh2048_256_q[] = { +- 0xA308B0FE64F5FBD3ULL, 0x99B1A47D1EB3750BULL, 0xB447997640129DA2ULL, +- 0x8CF83642A709A097ULL +-}; +- +-/* Primes from RFC 7919 */ +-static const BN_ULONG ffdhe2048_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0x886B423861285C97ULL, 0xC6F34A26C1B2EFFAULL, +- 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL, +- 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL, +- 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL, +- 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL, +- 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL, +- 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL, +- 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL, +- 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL, +- 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL, +- 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL +-}; +- +-static const BN_ULONG ffdhe3072_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0x25E41D2B66C62E37ULL, 0x3C1B20EE3FD59D7CULL, +- 0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL, +- 0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL, +- 0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL, +- 0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL, +- 0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL, +- 0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, +- 0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, +- 0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, +- 0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, +- 0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, +- 0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, +- 0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, +- 0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, +- 0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, +- 0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL +-}; +- +-static const BN_ULONG ffdhe4096_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0xC68A007E5E655F6AULL, 0x4DB5A851F44182E1ULL, +- 0x8EC9B55A7F88A46BULL, 0x0A8291CDCEC97DCFULL, 0x2A4ECEA9F98D0ACCULL, +- 0x1A1DB93D7140003CULL, 0x092999A333CB8B7AULL, 0x6DC778F971AD0038ULL, +- 0xA907600A918130C4ULL, 0xED6A1E012D9E6832ULL, 0x7135C886EFB4318AULL, +- 0x87F55BA57E31CC7AULL, 0x7763CF1D55034004ULL, 0xAC7D5F42D69F6D18ULL, +- 0x7930E9E4E58857B6ULL, 0x6E6F52C3164DF4FBULL, 0x25E41D2B669E1EF1ULL, +- 0x3C1B20EE3FD59D7CULL, 0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL, +- 0xABC521979B0DEADAULL, 0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL, +- 0x64F2E21E71F54BFFULL, 0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL, +- 0xAEFE130985139270ULL, 0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL, +- 0x61B46FC9D6E6C907ULL, 0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL, +- 0x886B4238611FCFDCULL, 0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL, +- 0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL, +- 0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL, +- 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL, +- 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL, +- 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL, +- 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL, +- 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL, +- 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL, +- 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL, +- 0xFFFFFFFFFFFFFFFFULL +-}; ++# define BN_DEF(lo, hi) (BN_ULONG)hi << 32 | lo ++# else ++# define BN_DEF(lo, hi) lo, hi ++# endif + +-static const BN_ULONG ffdhe6144_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0xA40E329CD0E40E65ULL, 0xA41D570D7938DAD4ULL, +- 0x62A69526D43161C1ULL, 0x3FDD4A8E9ADB1E69ULL, 0x5B3B71F9DC6B80D6ULL, +- 0xEC9D1810C6272B04ULL, 0x8CCF2DD5CACEF403ULL, 0xE49F5235C95B9117ULL, +- 0x505DC82DB854338AULL, 0x62292C311562A846ULL, 0xD72B03746AE77F5EULL, +- 0xF9C9091B462D538CULL, 0x0AE8DB5847A67CBEULL, 0xB3A739C122611682ULL, +- 0xEEAAC0232A281BF6ULL, 0x94C6651E77CAF992ULL, 0x763E4E4B94B2BBC1ULL, +- 0x587E38DA0077D9B4ULL, 0x7FB29F8C183023C3ULL, 0x0ABEC1FFF9E3A26EULL, +- 0xA00EF092350511E3ULL, 0xB855322EDB6340D8ULL, 0xA52471F7A9A96910ULL, +- 0x388147FB4CFDB477ULL, 0x9B1F5C3E4E46041FULL, 0xCDAD0657FCCFEC71ULL, +- 0xB38E8C334C701C3AULL, 0x917BDD64B1C0FD4CULL, 0x3BB454329B7624C8ULL, +- 0x23BA4442CAF53EA6ULL, 0x4E677D2C38532A3AULL, 0x0BFD64B645036C7AULL, +- 0xC68A007E5E0DD902ULL, 0x4DB5A851F44182E1ULL, 0x8EC9B55A7F88A46BULL, +- 0x0A8291CDCEC97DCFULL, 0x2A4ECEA9F98D0ACCULL, 0x1A1DB93D7140003CULL, +- 0x092999A333CB8B7AULL, 0x6DC778F971AD0038ULL, 0xA907600A918130C4ULL, +- 0xED6A1E012D9E6832ULL, 0x7135C886EFB4318AULL, 0x87F55BA57E31CC7AULL, +- 0x7763CF1D55034004ULL, 0xAC7D5F42D69F6D18ULL, 0x7930E9E4E58857B6ULL, +- 0x6E6F52C3164DF4FBULL, 0x25E41D2B669E1EF1ULL, 0x3C1B20EE3FD59D7CULL, +- 0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL, +- 0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL, +- 0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL, +- 0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL, +- 0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL, +- 0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, +- 0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, +- 0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, +- 0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, +- 0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, +- 0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, +- 0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, +- 0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, +- 0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, +- 0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL +-}; ++/* DH parameters from RFC3526 */ + +-static const BN_ULONG ffdhe8192_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0xD68C8BB7C5C6424CULL, 0x011E2A94838FF88CULL, +- 0x0822E506A9F4614EULL, 0x97D11D49F7A8443DULL, 0xA6BBFDE530677F0DULL, +- 0x2F741EF8C1FE86FEULL, 0xFAFABE1C5D71A87EULL, 0xDED2FBABFBE58A30ULL, +- 0xB6855DFE72B0A66EULL, 0x1EFC8CE0BA8A4FE8ULL, 0x83F81D4A3F2FA457ULL, +- 0xA1FE3075A577E231ULL, 0xD5B8019488D9C0A0ULL, 0x624816CDAD9A95F9ULL, +- 0x99E9E31650C1217BULL, 0x51AA691E0E423CFCULL, 0x1C217E6C3826E52CULL, +- 0x51A8A93109703FEEULL, 0xBB7099876A460E74ULL, 0x541FC68C9C86B022ULL, +- 0x59160CC046FD8251ULL, 0x2846C0BA35C35F5CULL, 0x54504AC78B758282ULL, +- 0x29388839D2AF05E4ULL, 0xCB2C0F1CC01BD702ULL, 0x555B2F747C932665ULL, +- 0x86B63142A3AB8829ULL, 0x0B8CC3BDF64B10EFULL, 0x687FEB69EDD1CC5EULL, +- 0xFDB23FCEC9509D43ULL, 0x1E425A31D951AE64ULL, 0x36AD004CF600C838ULL, +- 0xA40E329CCFF46AAAULL, 0xA41D570D7938DAD4ULL, 0x62A69526D43161C1ULL, +- 0x3FDD4A8E9ADB1E69ULL, 0x5B3B71F9DC6B80D6ULL, 0xEC9D1810C6272B04ULL, +- 0x8CCF2DD5CACEF403ULL, 0xE49F5235C95B9117ULL, 0x505DC82DB854338AULL, +- 0x62292C311562A846ULL, 0xD72B03746AE77F5EULL, 0xF9C9091B462D538CULL, +- 0x0AE8DB5847A67CBEULL, 0xB3A739C122611682ULL, 0xEEAAC0232A281BF6ULL, +- 0x94C6651E77CAF992ULL, 0x763E4E4B94B2BBC1ULL, 0x587E38DA0077D9B4ULL, +- 0x7FB29F8C183023C3ULL, 0x0ABEC1FFF9E3A26EULL, 0xA00EF092350511E3ULL, +- 0xB855322EDB6340D8ULL, 0xA52471F7A9A96910ULL, 0x388147FB4CFDB477ULL, +- 0x9B1F5C3E4E46041FULL, 0xCDAD0657FCCFEC71ULL, 0xB38E8C334C701C3AULL, +- 0x917BDD64B1C0FD4CULL, 0x3BB454329B7624C8ULL, 0x23BA4442CAF53EA6ULL, +- 0x4E677D2C38532A3AULL, 0x0BFD64B645036C7AULL, 0xC68A007E5E0DD902ULL, +- 0x4DB5A851F44182E1ULL, 0x8EC9B55A7F88A46BULL, 0x0A8291CDCEC97DCFULL, +- 0x2A4ECEA9F98D0ACCULL, 0x1A1DB93D7140003CULL, 0x092999A333CB8B7AULL, +- 0x6DC778F971AD0038ULL, 0xA907600A918130C4ULL, 0xED6A1E012D9E6832ULL, +- 0x7135C886EFB4318AULL, 0x87F55BA57E31CC7AULL, 0x7763CF1D55034004ULL, +- 0xAC7D5F42D69F6D18ULL, 0x7930E9E4E58857B6ULL, 0x6E6F52C3164DF4FBULL, +- 0x25E41D2B669E1EF1ULL, 0x3C1B20EE3FD59D7CULL, 0x0ABCD06BFA53DDEFULL, +- 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL, 0xE86D2BC522363A0DULL, +- 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL, 0xF4FD4452E2D74DD3ULL, +- 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL, 0x598CB0FAC186D91CULL, +- 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL, 0xBC34F4DEF99C0238ULL, +- 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL, 0xC6F34A26C1B2EFFAULL, +- 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL, +- 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL, +- 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL, +- 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL, +- 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL, +- 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL, +- 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL, +- 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL, +- 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL, +- 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL ++/* ++ * "1536-bit MODP Group" from RFC3526, Section 2. ++ * ++ * The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 } ++ * ++ * RFC3526 specifies a generator of 2. ++ * RFC2312 specifies a generator of 22. ++ */ ++static const BN_ULONG modp_1536_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xCA237327, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_1536_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x6511B993, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF) ++}; ++ ++/*- ++ * "2048-bit MODP Group" from RFC3526, Section 3. ++ * ++ * The prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_2048_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x8AACAA68, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_2048_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x45565534, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), ++}; ++ ++/*- ++ * "3072-bit MODP Group" from RFC3526, Section 4. ++ * ++ * The prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_3072_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xA93AD2CA, 0x4B82D120), ++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), ++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), ++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), ++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), ++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), ++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), ++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), ++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_3072_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x549D6965, 0x25C16890), ++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), ++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), ++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), ++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), ++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), ++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), ++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), ++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), ++}; ++ ++/*- ++ * "4096-bit MODP Group" from RFC3526, Section 5. ++ * ++ * The prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_4096_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x34063199, 0x4DF435C9), ++ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), ++ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), ++ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), ++ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), ++ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), ++ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), ++ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), ++ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), ++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), ++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), ++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), ++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), ++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), ++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), ++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), ++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_4096_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x9A0318CC, 0xA6FA1AE4), ++ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), ++ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), ++ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), ++ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), ++ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), ++ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), ++ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), ++ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), ++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), ++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), ++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), ++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), ++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), ++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), ++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), ++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), ++}; ++ ++/*- ++ * "6144-bit MODP Group" from RFC3526, Section 6. ++ * ++ * The prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_6144_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x6DCC4024, 0xE694F91E), ++ BN_DEF(0x0B7474D6, 0x12BF2D5B), BN_DEF(0x3F4860EE, 0x043E8F66), ++ BN_DEF(0x6E3C0468, 0x387FE8D7), BN_DEF(0x2EF29632, 0xDA56C9EC), ++ BN_DEF(0xA313D55C, 0xEB19CCB1), BN_DEF(0x8A1FBFF0, 0xF550AA3D), ++ BN_DEF(0xB7C5DA76, 0x06A1D58B), BN_DEF(0xF29BE328, 0xA79715EE), ++ BN_DEF(0x0F8037E0, 0x14CC5ED2), BN_DEF(0xBF48E1D8, 0xCC8F6D7E), ++ BN_DEF(0x2B4154AA, 0x4BD407B2), BN_DEF(0xFF585AC5, 0x0F1D45B7), ++ BN_DEF(0x36CC88BE, 0x23A97A7E), BN_DEF(0xBEC7E8F3, 0x59E7C97F), ++ BN_DEF(0x900B1C9E, 0xB5A84031), BN_DEF(0x46980C82, 0xD55E702F), ++ BN_DEF(0x6E74FEF6, 0xF482D7CE), BN_DEF(0xD1721D03, 0xF032EA15), ++ BN_DEF(0xC64B92EC, 0x5983CA01), BN_DEF(0x378CD2BF, 0x6FB8F401), ++ BN_DEF(0x2BD7AF42, 0x33205151), BN_DEF(0xE6CC254B, 0xDB7F1447), ++ BN_DEF(0xCED4BB1B, 0x44CE6CBA), BN_DEF(0xCF9B14ED, 0xDA3EDBEB), ++ BN_DEF(0x865A8918, 0x179727B0), BN_DEF(0x9027D831, 0xB06A53ED), ++ BN_DEF(0x413001AE, 0xE5DB382F), BN_DEF(0xAD9E530E, 0xF8FF9406), ++ BN_DEF(0x3DBA37BD, 0xC9751E76), BN_DEF(0x602646DE, 0xC1D4DCB2), ++ BN_DEF(0xD27C7026, 0x36C3FAB4), BN_DEF(0x34028492, 0x4DF435C9), ++ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), ++ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), ++ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), ++ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), ++ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), ++ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), ++ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), ++ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), ++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), ++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), ++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), ++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), ++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), ++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), ++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), ++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_6144_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x36E62012, 0x734A7C8F), ++ BN_DEF(0x85BA3A6B, 0x095F96AD), BN_DEF(0x1FA43077, 0x021F47B3), ++ BN_DEF(0xB71E0234, 0x1C3FF46B), BN_DEF(0x17794B19, 0x6D2B64F6), ++ BN_DEF(0xD189EAAE, 0x758CE658), BN_DEF(0xC50FDFF8, 0x7AA8551E), ++ BN_DEF(0xDBE2ED3B, 0x0350EAC5), BN_DEF(0x794DF194, 0x53CB8AF7), ++ BN_DEF(0x07C01BF0, 0x0A662F69), BN_DEF(0x5FA470EC, 0x6647B6BF), ++ BN_DEF(0x15A0AA55, 0xA5EA03D9), BN_DEF(0xFFAC2D62, 0x078EA2DB), ++ BN_DEF(0x1B66445F, 0x91D4BD3F), BN_DEF(0xDF63F479, 0x2CF3E4BF), ++ BN_DEF(0xC8058E4F, 0x5AD42018), BN_DEF(0xA34C0641, 0x6AAF3817), ++ BN_DEF(0x373A7F7B, 0xFA416BE7), BN_DEF(0xE8B90E81, 0x7819750A), ++ BN_DEF(0xE325C976, 0xACC1E500), BN_DEF(0x9BC6695F, 0x37DC7A00), ++ BN_DEF(0x95EBD7A1, 0x999028A8), BN_DEF(0xF36612A5, 0xEDBF8A23), ++ BN_DEF(0x676A5D8D, 0xA267365D), BN_DEF(0xE7CD8A76, 0x6D1F6DF5), ++ BN_DEF(0x432D448C, 0x8BCB93D8), BN_DEF(0xC813EC18, 0x583529F6), ++ BN_DEF(0xA09800D7, 0x72ED9C17), BN_DEF(0x56CF2987, 0xFC7FCA03), ++ BN_DEF(0x1EDD1BDE, 0x64BA8F3B), BN_DEF(0x3013236F, 0x60EA6E59), ++ BN_DEF(0x693E3813, 0x1B61FD5A), BN_DEF(0x9A014249, 0xA6FA1AE4), ++ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), ++ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), ++ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), ++ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), ++ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), ++ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), ++ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), ++ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), ++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), ++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), ++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), ++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), ++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), ++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), ++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), ++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), ++}; ++ ++/* ++ * "8192-bit MODP Group" from RFC3526, Section 7. ++ * ++ * The prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_8192_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x98EDD3DF, 0x60C980DD), ++ BN_DEF(0x80B96E71, 0xC81F56E8), BN_DEF(0x765694DF, 0x9E3050E2), ++ BN_DEF(0x5677E9AA, 0x9558E447), BN_DEF(0xFC026E47, 0xC9190DA6), ++ BN_DEF(0xD5EE382B, 0x889A002E), BN_DEF(0x481C6CD7, 0x4009438B), ++ BN_DEF(0xEB879F92, 0x359046F4), BN_DEF(0x1ECFA268, 0xFAF36BC3), ++ BN_DEF(0x7EE74D73, 0xB1D510BD), BN_DEF(0x5DED7EA1, 0xF9AB4819), ++ BN_DEF(0x0846851D, 0x64F31CC5), BN_DEF(0xA0255DC1, 0x4597E899), ++ BN_DEF(0x74AB6A36, 0xDF310EE0), BN_DEF(0x3F44F82D, 0x6D2A13F8), ++ BN_DEF(0xB3A278A6, 0x062B3CF5), BN_DEF(0xED5BDD3A, 0x79683303), ++ BN_DEF(0xA2C087E8, 0xFA9D4B7F), BN_DEF(0x2F8385DD, 0x4BCBC886), ++ BN_DEF(0x6CEA306B, 0x3473FC64), BN_DEF(0x1A23F0C7, 0x13EB57A8), ++ BN_DEF(0xA4037C07, 0x22222E04), BN_DEF(0xFC848AD9, 0xE3FDB8BE), ++ BN_DEF(0xE39D652D, 0x238F16CB), BN_DEF(0x2BF1C978, 0x3423B474), ++ BN_DEF(0x5AE4F568, 0x3AAB639C), BN_DEF(0x6BA42466, 0x2576F693), ++ BN_DEF(0x8AFC47ED, 0x741FA7BF), BN_DEF(0x8D9DD300, 0x3BC832B6), ++ BN_DEF(0x73B931BA, 0xD8BEC4D0), BN_DEF(0xA932DF8C, 0x38777CB6), ++ BN_DEF(0x12FEE5E4, 0x74A3926F), BN_DEF(0x6DBE1159, 0xE694F91E), ++ BN_DEF(0x0B7474D6, 0x12BF2D5B), BN_DEF(0x3F4860EE, 0x043E8F66), ++ BN_DEF(0x6E3C0468, 0x387FE8D7), BN_DEF(0x2EF29632, 0xDA56C9EC), ++ BN_DEF(0xA313D55C, 0xEB19CCB1), BN_DEF(0x8A1FBFF0, 0xF550AA3D), ++ BN_DEF(0xB7C5DA76, 0x06A1D58B), BN_DEF(0xF29BE328, 0xA79715EE), ++ BN_DEF(0x0F8037E0, 0x14CC5ED2), BN_DEF(0xBF48E1D8, 0xCC8F6D7E), ++ BN_DEF(0x2B4154AA, 0x4BD407B2), BN_DEF(0xFF585AC5, 0x0F1D45B7), ++ BN_DEF(0x36CC88BE, 0x23A97A7E), BN_DEF(0xBEC7E8F3, 0x59E7C97F), ++ BN_DEF(0x900B1C9E, 0xB5A84031), BN_DEF(0x46980C82, 0xD55E702F), ++ BN_DEF(0x6E74FEF6, 0xF482D7CE), BN_DEF(0xD1721D03, 0xF032EA15), ++ BN_DEF(0xC64B92EC, 0x5983CA01), BN_DEF(0x378CD2BF, 0x6FB8F401), ++ BN_DEF(0x2BD7AF42, 0x33205151), BN_DEF(0xE6CC254B, 0xDB7F1447), ++ BN_DEF(0xCED4BB1B, 0x44CE6CBA), BN_DEF(0xCF9B14ED, 0xDA3EDBEB), ++ BN_DEF(0x865A8918, 0x179727B0), BN_DEF(0x9027D831, 0xB06A53ED), ++ BN_DEF(0x413001AE, 0xE5DB382F), BN_DEF(0xAD9E530E, 0xF8FF9406), ++ BN_DEF(0x3DBA37BD, 0xC9751E76), BN_DEF(0x602646DE, 0xC1D4DCB2), ++ BN_DEF(0xD27C7026, 0x36C3FAB4), BN_DEF(0x34028492, 0x4DF435C9), ++ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), ++ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), ++ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), ++ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), ++ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), ++ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), ++ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), ++ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), ++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), ++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), ++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), ++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), ++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), ++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), ++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), ++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_8192_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xCC76E9EF, 0xB064C06E), ++ BN_DEF(0x405CB738, 0xE40FAB74), BN_DEF(0x3B2B4A6F, 0x4F182871), ++ BN_DEF(0xAB3BF4D5, 0xCAAC7223), BN_DEF(0x7E013723, 0xE48C86D3), ++ BN_DEF(0x6AF71C15, 0xC44D0017), BN_DEF(0xA40E366B, 0x2004A1C5), ++ BN_DEF(0x75C3CFC9, 0x1AC8237A), BN_DEF(0x8F67D134, 0xFD79B5E1), ++ BN_DEF(0xBF73A6B9, 0xD8EA885E), BN_DEF(0xAEF6BF50, 0xFCD5A40C), ++ BN_DEF(0x8423428E, 0xB2798E62), BN_DEF(0xD012AEE0, 0x22CBF44C), ++ BN_DEF(0x3A55B51B, 0xEF988770), BN_DEF(0x1FA27C16, 0x369509FC), ++ BN_DEF(0xD9D13C53, 0x03159E7A), BN_DEF(0xF6ADEE9D, 0x3CB41981), ++ BN_DEF(0xD16043F4, 0xFD4EA5BF), BN_DEF(0x17C1C2EE, 0xA5E5E443), ++ BN_DEF(0x36751835, 0x9A39FE32), BN_DEF(0x0D11F863, 0x89F5ABD4), ++ BN_DEF(0x5201BE03, 0x91111702), BN_DEF(0x7E42456C, 0xF1FEDC5F), ++ BN_DEF(0xF1CEB296, 0x11C78B65), BN_DEF(0x15F8E4BC, 0x1A11DA3A), ++ BN_DEF(0x2D727AB4, 0x1D55B1CE), BN_DEF(0xB5D21233, 0x92BB7B49), ++ BN_DEF(0xC57E23F6, 0x3A0FD3DF), BN_DEF(0x46CEE980, 0x1DE4195B), ++ BN_DEF(0x39DC98DD, 0x6C5F6268), BN_DEF(0x54996FC6, 0x1C3BBE5B), ++ BN_DEF(0x897F72F2, 0xBA51C937), BN_DEF(0x36DF08AC, 0x734A7C8F), ++ BN_DEF(0x85BA3A6B, 0x095F96AD), BN_DEF(0x1FA43077, 0x021F47B3), ++ BN_DEF(0xB71E0234, 0x1C3FF46B), BN_DEF(0x17794B19, 0x6D2B64F6), ++ BN_DEF(0xD189EAAE, 0x758CE658), BN_DEF(0xC50FDFF8, 0x7AA8551E), ++ BN_DEF(0xDBE2ED3B, 0x0350EAC5), BN_DEF(0x794DF194, 0x53CB8AF7), ++ BN_DEF(0x07C01BF0, 0x0A662F69), BN_DEF(0x5FA470EC, 0x6647B6BF), ++ BN_DEF(0x15A0AA55, 0xA5EA03D9), BN_DEF(0xFFAC2D62, 0x078EA2DB), ++ BN_DEF(0x1B66445F, 0x91D4BD3F), BN_DEF(0xDF63F479, 0x2CF3E4BF), ++ BN_DEF(0xC8058E4F, 0x5AD42018), BN_DEF(0xA34C0641, 0x6AAF3817), ++ BN_DEF(0x373A7F7B, 0xFA416BE7), BN_DEF(0xE8B90E81, 0x7819750A), ++ BN_DEF(0xE325C976, 0xACC1E500), BN_DEF(0x9BC6695F, 0x37DC7A00), ++ BN_DEF(0x95EBD7A1, 0x999028A8), BN_DEF(0xF36612A5, 0xEDBF8A23), ++ BN_DEF(0x676A5D8D, 0xA267365D), BN_DEF(0xE7CD8A76, 0x6D1F6DF5), ++ BN_DEF(0x432D448C, 0x8BCB93D8), BN_DEF(0xC813EC18, 0x583529F6), ++ BN_DEF(0xA09800D7, 0x72ED9C17), BN_DEF(0x56CF2987, 0xFC7FCA03), ++ BN_DEF(0x1EDD1BDE, 0x64BA8F3B), BN_DEF(0x3013236F, 0x60EA6E59), ++ BN_DEF(0x693E3813, 0x1B61FD5A), BN_DEF(0x9A014249, 0xA6FA1AE4), ++ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), ++ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), ++ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), ++ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), ++ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), ++ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), ++ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), ++ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), ++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), ++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), ++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), ++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), ++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), ++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), ++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), ++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + +-# elif BN_BITS2 == 32 +- ++/* DH parameters from RFC5114 */ + static const BN_ULONG dh1024_160_p[] = { +- 0x2E4A4371, 0xDF1FB2BC, 0x6D4DA708, 0xE68CFDA7, 0x365C1A65, 0x45BF37DF, +- 0x0DC8B4BD, 0xA151AF5F, 0xF55BCCC0, 0xFAA31A4F, 0xE5644738, 0x4EFFD6FA, +- 0x219A7372, 0x98488E9C, 0x90C4BD70, 0xACCBDD7D, 0xD49B83BF, 0x24975C3C, +- 0xA9061123, 0x13ECB4AE, 0x2EE652C0, 0x9838EF1E, 0x75A23D18, 0x6073E286, +- 0x52D23B61, 0x9A6A9DCA, 0xFB06A3C6, 0x52C99FBC, 0xAE5D54EC, 0xDE92DE5E, +- 0xA080E01D, 0xB10B8F96 +-}; +- +-static const BN_ULONG dh1024_160_g[] = { +- 0x22B3B2E5, 0x855E6EEB, 0xF97C2A24, 0x858F4DCE, 0x18D08BC8, 0x2D779D59, +- 0x8E73AFA3, 0xD662A4D1, 0x69B6A28A, 0x1DBF0A01, 0x7A091F53, 0xA6A24C08, +- 0x63F80A76, 0x909D0D22, 0xB9A92EE1, 0xD7FBD7D3, 0x9E2749F4, 0x5E91547F, +- 0xB01B886A, 0x160217B4, 0x5504F213, 0x777E690F, 0x5C41564B, 0x266FEA1E, +- 0x14266D31, 0xD6406CFF, 0x58AC507F, 0xF8104DD2, 0xEFB99905, 0x6765A442, +- 0xC3FD3412, 0xA4D1CBD5 ++ BN_DEF(0x2E4A4371, 0xDF1FB2BC), BN_DEF(0x6D4DA708, 0xE68CFDA7), ++ BN_DEF(0x365C1A65, 0x45BF37DF), BN_DEF(0x0DC8B4BD, 0xA151AF5F), ++ BN_DEF(0xF55BCCC0, 0xFAA31A4F), BN_DEF(0xE5644738, 0x4EFFD6FA), ++ BN_DEF(0x219A7372, 0x98488E9C), BN_DEF(0x90C4BD70, 0xACCBDD7D), ++ BN_DEF(0xD49B83BF, 0x24975C3C), BN_DEF(0xA9061123, 0x13ECB4AE), ++ BN_DEF(0x2EE652C0, 0x9838EF1E), BN_DEF(0x75A23D18, 0x6073E286), ++ BN_DEF(0x52D23B61, 0x9A6A9DCA), BN_DEF(0xFB06A3C6, 0x52C99FBC), ++ BN_DEF(0xAE5D54EC, 0xDE92DE5E), BN_DEF(0xA080E01D, 0xB10B8F96) + }; +- + static const BN_ULONG dh1024_160_q[] = { +- 0x49462353, 0x64B7CB9D, 0x8ABA4E7D, 0x81A8DF27, 0xF518AA87 ++ BN_DEF(0x49462353, 0x64B7CB9D), BN_DEF(0x8ABA4E7D, 0x81A8DF27), ++ (BN_ULONG)0xF518AA87 + }; +- +-static const BN_ULONG dh2048_224_p[] = { +- 0x0C10E64F, 0x0AC4DFFE, 0x4E71B81C, 0xCF9DE538, 0xFFA31F71, 0x7EF363E2, +- 0x6B8E75B9, 0xE3FB73C1, 0x4BA80A29, 0xC9B53DCF, 0x16E79763, 0x23F10B0E, +- 0x13042E9B, 0xC52172E4, 0xC928B2B9, 0xBE60E69C, 0xB9E587E8, 0x80CD86A1, +- 0x98C641A4, 0x315D75E1, 0x44328387, 0xCDF93ACC, 0xDC0A486D, 0x15987D9A, +- 0x1FD5A074, 0x7310F712, 0xDE31EFDC, 0x278273C7, 0x415D9330, 0x1602E714, +- 0xBC8985DB, 0x81286130, 0x70918836, 0xB3BF8A31, 0xB9C49708, 0x6A00E0A0, +- 0x8BBC27BE, 0xC6BA0B2C, 0xED34DBF6, 0xC9F98D11, 0xB6C12207, 0x7AD5B7D0, +- 0x55B7394B, 0xD91E8FEF, 0xEFDA4DF8, 0x9037C9ED, 0xAD6AC212, 0x6D3F8152, +- 0x1274A0A6, 0x1DE6B85A, 0x309C180E, 0xEB3D688A, 0x7BA1DF15, 0xAF9A3C40, +- 0xF95A56DB, 0xE6FA141D, 0xB61D0A75, 0xB54B1597, 0x683B9FD1, 0xA20D64E5, +- 0x9559C51F, 0xD660FAA7, 0x9123A9D0, 0xAD107E1E ++static const BN_ULONG dh1024_160_g[] = { ++ BN_DEF(0x22B3B2E5, 0x855E6EEB), BN_DEF(0xF97C2A24, 0x858F4DCE), ++ BN_DEF(0x18D08BC8, 0x2D779D59), BN_DEF(0x8E73AFA3, 0xD662A4D1), ++ BN_DEF(0x69B6A28A, 0x1DBF0A01), BN_DEF(0x7A091F53, 0xA6A24C08), ++ BN_DEF(0x63F80A76, 0x909D0D22), BN_DEF(0xB9A92EE1, 0xD7FBD7D3), ++ BN_DEF(0x9E2749F4, 0x5E91547F), BN_DEF(0xB01B886A, 0x160217B4), ++ BN_DEF(0x5504F213, 0x777E690F), BN_DEF(0x5C41564B, 0x266FEA1E), ++ BN_DEF(0x14266D31, 0xD6406CFF), BN_DEF(0x58AC507F, 0xF8104DD2), ++ BN_DEF(0xEFB99905, 0x6765A442), BN_DEF(0xC3FD3412, 0xA4D1CBD5) + }; + +-static const BN_ULONG dh2048_224_g[] = { +- 0x191F2BFA, 0x84B890D3, 0x2A7065B3, 0x81BC087F, 0xF6EC0179, 0x19C418E1, +- 0x71CFFF4C, 0x7B5A0F1C, 0x9B6AA4BD, 0xEDFE72FE, 0x94B30269, 0x81E1BCFE, +- 0x8D6C0191, 0x566AFBB4, 0x409D13CD, 0xB539CCE3, 0x5F2FF381, 0x6AA21E7F, +- 0x770589EF, 0xD9E263E4, 0xD19963DD, 0x10E183ED, 0x150B8EEB, 0xB70A8137, +- 0x28C8F8AC, 0x051AE3D4, 0x0C1AB15B, 0xBB77A86F, 0x16A330EF, 0x6E3025E3, +- 0xD6F83456, 0x19529A45, 0x118E98D1, 0xF180EB34, 0x50717CBE, 0xB5F6C6B2, +- 0xDA7460CD, 0x09939D54, 0x22EA1ED4, 0xE2471504, 0x521BC98A, 0xB8A762D0, +- 0x5AC1348B, 0xF4D02727, 0x1999024A, 0xC1766910, 0xA8D66AD7, 0xBE5E9001, +- 0x620A8652, 0xC57DB17C, 0x00C29F52, 0xAB739D77, 0xA70C4AFA, 0xDD921F01, +- 0x10B9A6F0, 0xA6824A4E, 0xCFE4FFE3, 0x74866A08, 0x89998CAF, 0x6CDEBE7B, +- 0x8FFDAC50, 0x9DF30B5C, 0x4F2D9AE3, 0xAC4032EF ++static const BN_ULONG dh2048_224_p[] = { ++ BN_DEF(0x0C10E64F, 0x0AC4DFFE), BN_DEF(0x4E71B81C, 0xCF9DE538), ++ BN_DEF(0xFFA31F71, 0x7EF363E2), BN_DEF(0x6B8E75B9, 0xE3FB73C1), ++ BN_DEF(0x4BA80A29, 0xC9B53DCF), BN_DEF(0x16E79763, 0x23F10B0E), ++ BN_DEF(0x13042E9B, 0xC52172E4), BN_DEF(0xC928B2B9, 0xBE60E69C), ++ BN_DEF(0xB9E587E8, 0x80CD86A1), BN_DEF(0x98C641A4, 0x315D75E1), ++ BN_DEF(0x44328387, 0xCDF93ACC), BN_DEF(0xDC0A486D, 0x15987D9A), ++ BN_DEF(0x1FD5A074, 0x7310F712), BN_DEF(0xDE31EFDC, 0x278273C7), ++ BN_DEF(0x415D9330, 0x1602E714), BN_DEF(0xBC8985DB, 0x81286130), ++ BN_DEF(0x70918836, 0xB3BF8A31), BN_DEF(0xB9C49708, 0x6A00E0A0), ++ BN_DEF(0x8BBC27BE, 0xC6BA0B2C), BN_DEF(0xED34DBF6, 0xC9F98D11), ++ BN_DEF(0xB6C12207, 0x7AD5B7D0), BN_DEF(0x55B7394B, 0xD91E8FEF), ++ BN_DEF(0xEFDA4DF8, 0x9037C9ED), BN_DEF(0xAD6AC212, 0x6D3F8152), ++ BN_DEF(0x1274A0A6, 0x1DE6B85A), BN_DEF(0x309C180E, 0xEB3D688A), ++ BN_DEF(0x7BA1DF15, 0xAF9A3C40), BN_DEF(0xF95A56DB, 0xE6FA141D), ++ BN_DEF(0xB61D0A75, 0xB54B1597), BN_DEF(0x683B9FD1, 0xA20D64E5), ++ BN_DEF(0x9559C51F, 0xD660FAA7), BN_DEF(0x9123A9D0, 0xAD107E1E) + }; +- + static const BN_ULONG dh2048_224_q[] = { +- 0xB36371EB, 0xBF389A99, 0x4738CEBC, 0x1F80535A, 0x99717710, 0xC58D93FE, +- 0x801C0D34 ++ BN_DEF(0xB36371EB, 0xBF389A99), BN_DEF(0x4738CEBC, 0x1F80535A), ++ BN_DEF(0x99717710, 0xC58D93FE), (BN_ULONG)0x801C0D34 + }; +- +-static const BN_ULONG dh2048_256_p[] = { +- 0x1E1A1597, 0xDB094AE9, 0xD7EF09CA, 0x693877FA, 0x6E11715F, 0x6116D227, +- 0xC198AF12, 0xA4B54330, 0xD7014103, 0x75F26375, 0x54E710C3, 0xC3A3960A, +- 0xBD0BE621, 0xDED4010A, 0x89962856, 0xC0B857F6, 0x71506026, 0xB3CA3F79, +- 0xE6B486F6, 0x1CCACB83, 0x14056425, 0x67E144E5, 0xA41825D9, 0xF6A167B5, +- 0x96524D8E, 0x3AD83477, 0x51BFA4AB, 0xF13C6D9A, 0x35488A0E, 0x2D525267, +- 0xCAA6B790, 0xB63ACAE1, 0x81B23F76, 0x4FDB70C5, 0x12307F5C, 0xBC39A0BF, +- 0xB1E59BB8, 0xB941F54E, 0xD45F9088, 0x6C5BFC11, 0x4275BF7B, 0x22E0B1EF, +- 0x5B4758C0, 0x91F9E672, 0x6BCF67ED, 0x5A8A9D30, 0x97517ABD, 0x209E0C64, +- 0x830E9A7C, 0x3BF4296D, 0x34096FAA, 0x16C3D911, 0x61B2AA30, 0xFAF7DF45, +- 0xD61957D4, 0xE00DF8F1, 0x435E3B00, 0x5D2CEED4, 0x660DD0F2, 0x8CEEF608, +- 0x65195999, 0xFFBBD19C, 0xB4B6663C, 0x87A8E61D ++static const BN_ULONG dh2048_224_g[] = { ++ BN_DEF(0x191F2BFA, 0x84B890D3), BN_DEF(0x2A7065B3, 0x81BC087F), ++ BN_DEF(0xF6EC0179, 0x19C418E1), BN_DEF(0x71CFFF4C, 0x7B5A0F1C), ++ BN_DEF(0x9B6AA4BD, 0xEDFE72FE), BN_DEF(0x94B30269, 0x81E1BCFE), ++ BN_DEF(0x8D6C0191, 0x566AFBB4), BN_DEF(0x409D13CD, 0xB539CCE3), ++ BN_DEF(0x5F2FF381, 0x6AA21E7F), BN_DEF(0x770589EF, 0xD9E263E4), ++ BN_DEF(0xD19963DD, 0x10E183ED), BN_DEF(0x150B8EEB, 0xB70A8137), ++ BN_DEF(0x28C8F8AC, 0x051AE3D4), BN_DEF(0x0C1AB15B, 0xBB77A86F), ++ BN_DEF(0x16A330EF, 0x6E3025E3), BN_DEF(0xD6F83456, 0x19529A45), ++ BN_DEF(0x118E98D1, 0xF180EB34), BN_DEF(0x50717CBE, 0xB5F6C6B2), ++ BN_DEF(0xDA7460CD, 0x09939D54), BN_DEF(0x22EA1ED4, 0xE2471504), ++ BN_DEF(0x521BC98A, 0xB8A762D0), BN_DEF(0x5AC1348B, 0xF4D02727), ++ BN_DEF(0x1999024A, 0xC1766910), BN_DEF(0xA8D66AD7, 0xBE5E9001), ++ BN_DEF(0x620A8652, 0xC57DB17C), BN_DEF(0x00C29F52, 0xAB739D77), ++ BN_DEF(0xA70C4AFA, 0xDD921F01), BN_DEF(0x10B9A6F0, 0xA6824A4E), ++ BN_DEF(0xCFE4FFE3, 0x74866A08), BN_DEF(0x89998CAF, 0x6CDEBE7B), ++ BN_DEF(0x8FFDAC50, 0x9DF30B5C), BN_DEF(0x4F2D9AE3, 0xAC4032EF) + }; + +-static const BN_ULONG dh2048_256_g[] = { +- 0x6CC41659, 0x664B4C0F, 0xEF98C582, 0x5E2327CF, 0xD4795451, 0xD647D148, +- 0x90F00EF8, 0x2F630784, 0x1DB246C3, 0x184B523D, 0xCDC67EB6, 0xC7891428, +- 0x0DF92B52, 0x7FD02837, 0x64E0EC37, 0xB3353BBB, 0x57CD0915, 0xECD06E15, +- 0xDF016199, 0xB7D2BBD2, 0x052588B9, 0xC8484B1E, 0x13D3FE14, 0xDB2A3B73, +- 0xD182EA0A, 0xD052B985, 0xE83B9C80, 0xA4BD1BFF, 0xFB3F2E55, 0xDFC967C1, +- 0x767164E1, 0xB5045AF2, 0x6F2F9193, 0x1D14348F, 0x428EBC83, 0x64E67982, +- 0x82D6ED38, 0x8AC376D2, 0xAAB8A862, 0x777DE62A, 0xE9EC144B, 0xDDF463E5, +- 0xC77A57F2, 0x0196F931, 0x41000A65, 0xA55AE313, 0xC28CBB18, 0x901228F8, +- 0x7E8C6F62, 0xBC3773BF, 0x0C6B47B1, 0xBE3A6C1B, 0xAC0BB555, 0xFF4FED4A, +- 0x77BE463F, 0x10DBC150, 0x1A0BA125, 0x07F4793A, 0x21EF2054, 0x4CA7B18F, +- 0x60EDBD48, 0x2E775066, 0x73134D0B, 0x3FB32C9B ++static const BN_ULONG dh2048_256_p[] = { ++ BN_DEF(0x1E1A1597, 0xDB094AE9), BN_DEF(0xD7EF09CA, 0x693877FA), ++ BN_DEF(0x6E11715F, 0x6116D227), BN_DEF(0xC198AF12, 0xA4B54330), ++ BN_DEF(0xD7014103, 0x75F26375), BN_DEF(0x54E710C3, 0xC3A3960A), ++ BN_DEF(0xBD0BE621, 0xDED4010A), BN_DEF(0x89962856, 0xC0B857F6), ++ BN_DEF(0x71506026, 0xB3CA3F79), BN_DEF(0xE6B486F6, 0x1CCACB83), ++ BN_DEF(0x14056425, 0x67E144E5), BN_DEF(0xA41825D9, 0xF6A167B5), ++ BN_DEF(0x96524D8E, 0x3AD83477), BN_DEF(0x51BFA4AB, 0xF13C6D9A), ++ BN_DEF(0x35488A0E, 0x2D525267), BN_DEF(0xCAA6B790, 0xB63ACAE1), ++ BN_DEF(0x81B23F76, 0x4FDB70C5), BN_DEF(0x12307F5C, 0xBC39A0BF), ++ BN_DEF(0xB1E59BB8, 0xB941F54E), BN_DEF(0xD45F9088, 0x6C5BFC11), ++ BN_DEF(0x4275BF7B, 0x22E0B1EF), BN_DEF(0x5B4758C0, 0x91F9E672), ++ BN_DEF(0x6BCF67ED, 0x5A8A9D30), BN_DEF(0x97517ABD, 0x209E0C64), ++ BN_DEF(0x830E9A7C, 0x3BF4296D), BN_DEF(0x34096FAA, 0x16C3D911), ++ BN_DEF(0x61B2AA30, 0xFAF7DF45), BN_DEF(0xD61957D4, 0xE00DF8F1), ++ BN_DEF(0x435E3B00, 0x5D2CEED4), BN_DEF(0x660DD0F2, 0x8CEEF608), ++ BN_DEF(0x65195999, 0xFFBBD19C), BN_DEF(0xB4B6663C, 0x87A8E61D) + }; +- + static const BN_ULONG dh2048_256_q[] = { +- 0x64F5FBD3, 0xA308B0FE, 0x1EB3750B, 0x99B1A47D, 0x40129DA2, 0xB4479976, +- 0xA709A097, 0x8CF83642 ++ BN_DEF(0x64F5FBD3, 0xA308B0FE), BN_DEF(0x1EB3750B, 0x99B1A47D), ++ BN_DEF(0x40129DA2, 0xB4479976), BN_DEF(0xA709A097, 0x8CF83642) ++}; ++static const BN_ULONG dh2048_256_g[] = { ++ BN_DEF(0x6CC41659, 0x664B4C0F), BN_DEF(0xEF98C582, 0x5E2327CF), ++ BN_DEF(0xD4795451, 0xD647D148), BN_DEF(0x90F00EF8, 0x2F630784), ++ BN_DEF(0x1DB246C3, 0x184B523D), BN_DEF(0xCDC67EB6, 0xC7891428), ++ BN_DEF(0x0DF92B52, 0x7FD02837), BN_DEF(0x64E0EC37, 0xB3353BBB), ++ BN_DEF(0x57CD0915, 0xECD06E15), BN_DEF(0xDF016199, 0xB7D2BBD2), ++ BN_DEF(0x052588B9, 0xC8484B1E), BN_DEF(0x13D3FE14, 0xDB2A3B73), ++ BN_DEF(0xD182EA0A, 0xD052B985), BN_DEF(0xE83B9C80, 0xA4BD1BFF), ++ BN_DEF(0xFB3F2E55, 0xDFC967C1), BN_DEF(0x767164E1, 0xB5045AF2), ++ BN_DEF(0x6F2F9193, 0x1D14348F), BN_DEF(0x428EBC83, 0x64E67982), ++ BN_DEF(0x82D6ED38, 0x8AC376D2), BN_DEF(0xAAB8A862, 0x777DE62A), ++ BN_DEF(0xE9EC144B, 0xDDF463E5), BN_DEF(0xC77A57F2, 0x0196F931), ++ BN_DEF(0x41000A65, 0xA55AE313), BN_DEF(0xC28CBB18, 0x901228F8), ++ BN_DEF(0x7E8C6F62, 0xBC3773BF), BN_DEF(0x0C6B47B1, 0xBE3A6C1B), ++ BN_DEF(0xAC0BB555, 0xFF4FED4A), BN_DEF(0x77BE463F, 0x10DBC150), ++ BN_DEF(0x1A0BA125, 0x07F4793A), BN_DEF(0x21EF2054, 0x4CA7B18F), ++ BN_DEF(0x60EDBD48, 0x2E775066), BN_DEF(0x73134D0B, 0x3FB32C9B) + }; + + /* Primes from RFC 7919 */ +- + static const BN_ULONG ffdhe2048_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0x61285C97, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26, +- 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B, +- 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD, +- 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7, +- 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B, +- 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1, +- 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E, +- 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5, +- 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE, +- 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620, +- 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x61285C97, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe2048_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x30942E4B, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + + static const BN_ULONG ffdhe3072_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0x66C62E37, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE, +- 0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197, +- 0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E, +- 0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309, +- 0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9, +- 0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238, +- 0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, +- 0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, +- 0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, +- 0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, +- 0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, +- 0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, +- 0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, +- 0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, +- 0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, +- 0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x66C62E37, 0x25E41D2B), ++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), ++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), ++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), ++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), ++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), ++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), ++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), ++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe3072_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xB363171B, 0x12F20E95), ++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), ++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), ++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), ++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), ++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), ++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), ++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), ++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + + static const BN_ULONG ffdhe4096_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0x5E655F6A, 0xC68A007E, 0xF44182E1, 0x4DB5A851, +- 0x7F88A46B, 0x8EC9B55A, 0xCEC97DCF, 0x0A8291CD, 0xF98D0ACC, 0x2A4ECEA9, +- 0x7140003C, 0x1A1DB93D, 0x33CB8B7A, 0x092999A3, 0x71AD0038, 0x6DC778F9, +- 0x918130C4, 0xA907600A, 0x2D9E6832, 0xED6A1E01, 0xEFB4318A, 0x7135C886, +- 0x7E31CC7A, 0x87F55BA5, 0x55034004, 0x7763CF1D, 0xD69F6D18, 0xAC7D5F42, +- 0xE58857B6, 0x7930E9E4, 0x164DF4FB, 0x6E6F52C3, 0x669E1EF1, 0x25E41D2B, +- 0x3FD59D7C, 0x3C1B20EE, 0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42, +- 0x9B0DEADA, 0xABC52197, 0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB, +- 0x71F54BFF, 0x64F2E21E, 0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93, +- 0x85139270, 0xAEFE1309, 0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26, +- 0xD6E6C907, 0x61B46FC9, 0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B, +- 0x611FCFDC, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183, +- 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232, +- 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1, +- 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3, +- 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182, +- 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA, +- 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555, +- 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202, +- 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641, +- 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458, +- 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x5E655F6A, 0xC68A007E), ++ BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A), ++ BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9), ++ BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3), ++ BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A), ++ BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886), ++ BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D), ++ BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4), ++ BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B), ++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), ++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), ++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), ++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), ++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), ++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), ++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), ++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe4096_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x2F32AFB5, 0xE345003F), ++ BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD), ++ BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754), ++ BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1), ++ BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005), ++ BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443), ++ BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E), ++ BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2), ++ BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95), ++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), ++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), ++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), ++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), ++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), ++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), ++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), ++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + + static const BN_ULONG ffdhe6144_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0xD0E40E65, 0xA40E329C, 0x7938DAD4, 0xA41D570D, +- 0xD43161C1, 0x62A69526, 0x9ADB1E69, 0x3FDD4A8E, 0xDC6B80D6, 0x5B3B71F9, +- 0xC6272B04, 0xEC9D1810, 0xCACEF403, 0x8CCF2DD5, 0xC95B9117, 0xE49F5235, +- 0xB854338A, 0x505DC82D, 0x1562A846, 0x62292C31, 0x6AE77F5E, 0xD72B0374, +- 0x462D538C, 0xF9C9091B, 0x47A67CBE, 0x0AE8DB58, 0x22611682, 0xB3A739C1, +- 0x2A281BF6, 0xEEAAC023, 0x77CAF992, 0x94C6651E, 0x94B2BBC1, 0x763E4E4B, +- 0x0077D9B4, 0x587E38DA, 0x183023C3, 0x7FB29F8C, 0xF9E3A26E, 0x0ABEC1FF, +- 0x350511E3, 0xA00EF092, 0xDB6340D8, 0xB855322E, 0xA9A96910, 0xA52471F7, +- 0x4CFDB477, 0x388147FB, 0x4E46041F, 0x9B1F5C3E, 0xFCCFEC71, 0xCDAD0657, +- 0x4C701C3A, 0xB38E8C33, 0xB1C0FD4C, 0x917BDD64, 0x9B7624C8, 0x3BB45432, +- 0xCAF53EA6, 0x23BA4442, 0x38532A3A, 0x4E677D2C, 0x45036C7A, 0x0BFD64B6, +- 0x5E0DD902, 0xC68A007E, 0xF44182E1, 0x4DB5A851, 0x7F88A46B, 0x8EC9B55A, +- 0xCEC97DCF, 0x0A8291CD, 0xF98D0ACC, 0x2A4ECEA9, 0x7140003C, 0x1A1DB93D, +- 0x33CB8B7A, 0x092999A3, 0x71AD0038, 0x6DC778F9, 0x918130C4, 0xA907600A, +- 0x2D9E6832, 0xED6A1E01, 0xEFB4318A, 0x7135C886, 0x7E31CC7A, 0x87F55BA5, +- 0x55034004, 0x7763CF1D, 0xD69F6D18, 0xAC7D5F42, 0xE58857B6, 0x7930E9E4, +- 0x164DF4FB, 0x6E6F52C3, 0x669E1EF1, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE, +- 0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197, +- 0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E, +- 0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309, +- 0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9, +- 0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238, +- 0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, +- 0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, +- 0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, +- 0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, +- 0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, +- 0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, +- 0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, +- 0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, +- 0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, +- 0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xD0E40E65, 0xA40E329C), ++ BN_DEF(0x7938DAD4, 0xA41D570D), BN_DEF(0xD43161C1, 0x62A69526), ++ BN_DEF(0x9ADB1E69, 0x3FDD4A8E), BN_DEF(0xDC6B80D6, 0x5B3B71F9), ++ BN_DEF(0xC6272B04, 0xEC9D1810), BN_DEF(0xCACEF403, 0x8CCF2DD5), ++ BN_DEF(0xC95B9117, 0xE49F5235), BN_DEF(0xB854338A, 0x505DC82D), ++ BN_DEF(0x1562A846, 0x62292C31), BN_DEF(0x6AE77F5E, 0xD72B0374), ++ BN_DEF(0x462D538C, 0xF9C9091B), BN_DEF(0x47A67CBE, 0x0AE8DB58), ++ BN_DEF(0x22611682, 0xB3A739C1), BN_DEF(0x2A281BF6, 0xEEAAC023), ++ BN_DEF(0x77CAF992, 0x94C6651E), BN_DEF(0x94B2BBC1, 0x763E4E4B), ++ BN_DEF(0x0077D9B4, 0x587E38DA), BN_DEF(0x183023C3, 0x7FB29F8C), ++ BN_DEF(0xF9E3A26E, 0x0ABEC1FF), BN_DEF(0x350511E3, 0xA00EF092), ++ BN_DEF(0xDB6340D8, 0xB855322E), BN_DEF(0xA9A96910, 0xA52471F7), ++ BN_DEF(0x4CFDB477, 0x388147FB), BN_DEF(0x4E46041F, 0x9B1F5C3E), ++ BN_DEF(0xFCCFEC71, 0xCDAD0657), BN_DEF(0x4C701C3A, 0xB38E8C33), ++ BN_DEF(0xB1C0FD4C, 0x917BDD64), BN_DEF(0x9B7624C8, 0x3BB45432), ++ BN_DEF(0xCAF53EA6, 0x23BA4442), BN_DEF(0x38532A3A, 0x4E677D2C), ++ BN_DEF(0x45036C7A, 0x0BFD64B6), BN_DEF(0x5E0DD902, 0xC68A007E), ++ BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A), ++ BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9), ++ BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3), ++ BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A), ++ BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886), ++ BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D), ++ BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4), ++ BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B), ++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), ++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), ++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), ++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), ++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), ++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), ++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), ++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe6144_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x68720732, 0x5207194E), ++ BN_DEF(0xBC9C6D6A, 0xD20EAB86), BN_DEF(0x6A18B0E0, 0xB1534A93), ++ BN_DEF(0x4D6D8F34, 0x1FEEA547), BN_DEF(0xEE35C06B, 0x2D9DB8FC), ++ BN_DEF(0x63139582, 0xF64E8C08), BN_DEF(0xE5677A01, 0xC66796EA), ++ BN_DEF(0xE4ADC88B, 0x724FA91A), BN_DEF(0xDC2A19C5, 0x282EE416), ++ BN_DEF(0x8AB15423, 0x31149618), BN_DEF(0x3573BFAF, 0x6B9581BA), ++ BN_DEF(0xA316A9C6, 0x7CE4848D), BN_DEF(0x23D33E5F, 0x05746DAC), ++ BN_DEF(0x91308B41, 0x59D39CE0), BN_DEF(0x95140DFB, 0x77556011), ++ BN_DEF(0x3BE57CC9, 0xCA63328F), BN_DEF(0xCA595DE0, 0x3B1F2725), ++ BN_DEF(0x003BECDA, 0xAC3F1C6D), BN_DEF(0x0C1811E1, 0x3FD94FC6), ++ BN_DEF(0xFCF1D137, 0x855F60FF), BN_DEF(0x1A8288F1, 0x50077849), ++ BN_DEF(0x6DB1A06C, 0x5C2A9917), BN_DEF(0xD4D4B488, 0xD29238FB), ++ BN_DEF(0xA67EDA3B, 0x9C40A3FD), BN_DEF(0x2723020F, 0xCD8FAE1F), ++ BN_DEF(0xFE67F638, 0x66D6832B), BN_DEF(0xA6380E1D, 0x59C74619), ++ BN_DEF(0x58E07EA6, 0x48BDEEB2), BN_DEF(0x4DBB1264, 0x1DDA2A19), ++ BN_DEF(0x657A9F53, 0x11DD2221), BN_DEF(0x1C29951D, 0x2733BE96), ++ BN_DEF(0x2281B63D, 0x05FEB25B), BN_DEF(0x2F06EC81, 0xE345003F), ++ BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD), ++ BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754), ++ BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1), ++ BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005), ++ BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443), ++ BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E), ++ BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2), ++ BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95), ++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), ++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), ++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), ++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), ++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), ++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), ++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), ++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + + static const BN_ULONG ffdhe8192_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0xC5C6424C, 0xD68C8BB7, 0x838FF88C, 0x011E2A94, +- 0xA9F4614E, 0x0822E506, 0xF7A8443D, 0x97D11D49, 0x30677F0D, 0xA6BBFDE5, +- 0xC1FE86FE, 0x2F741EF8, 0x5D71A87E, 0xFAFABE1C, 0xFBE58A30, 0xDED2FBAB, +- 0x72B0A66E, 0xB6855DFE, 0xBA8A4FE8, 0x1EFC8CE0, 0x3F2FA457, 0x83F81D4A, +- 0xA577E231, 0xA1FE3075, 0x88D9C0A0, 0xD5B80194, 0xAD9A95F9, 0x624816CD, +- 0x50C1217B, 0x99E9E316, 0x0E423CFC, 0x51AA691E, 0x3826E52C, 0x1C217E6C, +- 0x09703FEE, 0x51A8A931, 0x6A460E74, 0xBB709987, 0x9C86B022, 0x541FC68C, +- 0x46FD8251, 0x59160CC0, 0x35C35F5C, 0x2846C0BA, 0x8B758282, 0x54504AC7, +- 0xD2AF05E4, 0x29388839, 0xC01BD702, 0xCB2C0F1C, 0x7C932665, 0x555B2F74, +- 0xA3AB8829, 0x86B63142, 0xF64B10EF, 0x0B8CC3BD, 0xEDD1CC5E, 0x687FEB69, +- 0xC9509D43, 0xFDB23FCE, 0xD951AE64, 0x1E425A31, 0xF600C838, 0x36AD004C, +- 0xCFF46AAA, 0xA40E329C, 0x7938DAD4, 0xA41D570D, 0xD43161C1, 0x62A69526, +- 0x9ADB1E69, 0x3FDD4A8E, 0xDC6B80D6, 0x5B3B71F9, 0xC6272B04, 0xEC9D1810, +- 0xCACEF403, 0x8CCF2DD5, 0xC95B9117, 0xE49F5235, 0xB854338A, 0x505DC82D, +- 0x1562A846, 0x62292C31, 0x6AE77F5E, 0xD72B0374, 0x462D538C, 0xF9C9091B, +- 0x47A67CBE, 0x0AE8DB58, 0x22611682, 0xB3A739C1, 0x2A281BF6, 0xEEAAC023, +- 0x77CAF992, 0x94C6651E, 0x94B2BBC1, 0x763E4E4B, 0x0077D9B4, 0x587E38DA, +- 0x183023C3, 0x7FB29F8C, 0xF9E3A26E, 0x0ABEC1FF, 0x350511E3, 0xA00EF092, +- 0xDB6340D8, 0xB855322E, 0xA9A96910, 0xA52471F7, 0x4CFDB477, 0x388147FB, +- 0x4E46041F, 0x9B1F5C3E, 0xFCCFEC71, 0xCDAD0657, 0x4C701C3A, 0xB38E8C33, +- 0xB1C0FD4C, 0x917BDD64, 0x9B7624C8, 0x3BB45432, 0xCAF53EA6, 0x23BA4442, +- 0x38532A3A, 0x4E677D2C, 0x45036C7A, 0x0BFD64B6, 0x5E0DD902, 0xC68A007E, +- 0xF44182E1, 0x4DB5A851, 0x7F88A46B, 0x8EC9B55A, 0xCEC97DCF, 0x0A8291CD, +- 0xF98D0ACC, 0x2A4ECEA9, 0x7140003C, 0x1A1DB93D, 0x33CB8B7A, 0x092999A3, +- 0x71AD0038, 0x6DC778F9, 0x918130C4, 0xA907600A, 0x2D9E6832, 0xED6A1E01, +- 0xEFB4318A, 0x7135C886, 0x7E31CC7A, 0x87F55BA5, 0x55034004, 0x7763CF1D, +- 0xD69F6D18, 0xAC7D5F42, 0xE58857B6, 0x7930E9E4, 0x164DF4FB, 0x6E6F52C3, +- 0x669E1EF1, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE, 0xFA53DDEF, 0x0ABCD06B, +- 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197, 0x22363A0D, 0xE86D2BC5, +- 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E, 0xE2D74DD3, 0xF4FD4452, +- 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309, 0xC186D91C, 0x598CB0FA, +- 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9, 0xF99C0238, 0xBC34F4DE, +- 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26, +- 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B, +- 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD, +- 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7, +- 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B, +- 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1, +- 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E, +- 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5, +- 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE, +- 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620, +- 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xC5C6424C, 0xD68C8BB7), ++ BN_DEF(0x838FF88C, 0x011E2A94), BN_DEF(0xA9F4614E, 0x0822E506), ++ BN_DEF(0xF7A8443D, 0x97D11D49), BN_DEF(0x30677F0D, 0xA6BBFDE5), ++ BN_DEF(0xC1FE86FE, 0x2F741EF8), BN_DEF(0x5D71A87E, 0xFAFABE1C), ++ BN_DEF(0xFBE58A30, 0xDED2FBAB), BN_DEF(0x72B0A66E, 0xB6855DFE), ++ BN_DEF(0xBA8A4FE8, 0x1EFC8CE0), BN_DEF(0x3F2FA457, 0x83F81D4A), ++ BN_DEF(0xA577E231, 0xA1FE3075), BN_DEF(0x88D9C0A0, 0xD5B80194), ++ BN_DEF(0xAD9A95F9, 0x624816CD), BN_DEF(0x50C1217B, 0x99E9E316), ++ BN_DEF(0x0E423CFC, 0x51AA691E), BN_DEF(0x3826E52C, 0x1C217E6C), ++ BN_DEF(0x09703FEE, 0x51A8A931), BN_DEF(0x6A460E74, 0xBB709987), ++ BN_DEF(0x9C86B022, 0x541FC68C), BN_DEF(0x46FD8251, 0x59160CC0), ++ BN_DEF(0x35C35F5C, 0x2846C0BA), BN_DEF(0x8B758282, 0x54504AC7), ++ BN_DEF(0xD2AF05E4, 0x29388839), BN_DEF(0xC01BD702, 0xCB2C0F1C), ++ BN_DEF(0x7C932665, 0x555B2F74), BN_DEF(0xA3AB8829, 0x86B63142), ++ BN_DEF(0xF64B10EF, 0x0B8CC3BD), BN_DEF(0xEDD1CC5E, 0x687FEB69), ++ BN_DEF(0xC9509D43, 0xFDB23FCE), BN_DEF(0xD951AE64, 0x1E425A31), ++ BN_DEF(0xF600C838, 0x36AD004C), BN_DEF(0xCFF46AAA, 0xA40E329C), ++ BN_DEF(0x7938DAD4, 0xA41D570D), BN_DEF(0xD43161C1, 0x62A69526), ++ BN_DEF(0x9ADB1E69, 0x3FDD4A8E), BN_DEF(0xDC6B80D6, 0x5B3B71F9), ++ BN_DEF(0xC6272B04, 0xEC9D1810), BN_DEF(0xCACEF403, 0x8CCF2DD5), ++ BN_DEF(0xC95B9117, 0xE49F5235), BN_DEF(0xB854338A, 0x505DC82D), ++ BN_DEF(0x1562A846, 0x62292C31), BN_DEF(0x6AE77F5E, 0xD72B0374), ++ BN_DEF(0x462D538C, 0xF9C9091B), BN_DEF(0x47A67CBE, 0x0AE8DB58), ++ BN_DEF(0x22611682, 0xB3A739C1), BN_DEF(0x2A281BF6, 0xEEAAC023), ++ BN_DEF(0x77CAF992, 0x94C6651E), BN_DEF(0x94B2BBC1, 0x763E4E4B), ++ BN_DEF(0x0077D9B4, 0x587E38DA), BN_DEF(0x183023C3, 0x7FB29F8C), ++ BN_DEF(0xF9E3A26E, 0x0ABEC1FF), BN_DEF(0x350511E3, 0xA00EF092), ++ BN_DEF(0xDB6340D8, 0xB855322E), BN_DEF(0xA9A96910, 0xA52471F7), ++ BN_DEF(0x4CFDB477, 0x388147FB), BN_DEF(0x4E46041F, 0x9B1F5C3E), ++ BN_DEF(0xFCCFEC71, 0xCDAD0657), BN_DEF(0x4C701C3A, 0xB38E8C33), ++ BN_DEF(0xB1C0FD4C, 0x917BDD64), BN_DEF(0x9B7624C8, 0x3BB45432), ++ BN_DEF(0xCAF53EA6, 0x23BA4442), BN_DEF(0x38532A3A, 0x4E677D2C), ++ BN_DEF(0x45036C7A, 0x0BFD64B6), BN_DEF(0x5E0DD902, 0xC68A007E), ++ BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A), ++ BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9), ++ BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3), ++ BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A), ++ BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886), ++ BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D), ++ BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4), ++ BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B), ++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), ++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), ++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), ++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), ++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), ++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), ++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), ++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe8192_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0xE2E32126, 0x6B4645DB), ++ BN_DEF(0x41C7FC46, 0x008F154A), BN_DEF(0x54FA30A7, 0x84117283), ++ BN_DEF(0xFBD4221E, 0xCBE88EA4), BN_DEF(0x9833BF86, 0x535DFEF2), ++ BN_DEF(0x60FF437F, 0x17BA0F7C), BN_DEF(0x2EB8D43F, 0x7D7D5F0E), ++ BN_DEF(0xFDF2C518, 0x6F697DD5), BN_DEF(0x39585337, 0x5B42AEFF), ++ BN_DEF(0x5D4527F4, 0x8F7E4670), BN_DEF(0x1F97D22B, 0xC1FC0EA5), ++ BN_DEF(0xD2BBF118, 0x50FF183A), BN_DEF(0x446CE050, 0xEADC00CA), ++ BN_DEF(0xD6CD4AFC, 0xB1240B66), BN_DEF(0x286090BD, 0x4CF4F18B), ++ BN_DEF(0x07211E7E, 0x28D5348F), BN_DEF(0x1C137296, 0x0E10BF36), ++ BN_DEF(0x84B81FF7, 0x28D45498), BN_DEF(0xB523073A, 0x5DB84CC3), ++ BN_DEF(0x4E435811, 0xAA0FE346), BN_DEF(0x237EC128, 0x2C8B0660), ++ BN_DEF(0x1AE1AFAE, 0x1423605D), BN_DEF(0xC5BAC141, 0x2A282563), ++ BN_DEF(0xE95782F2, 0x149C441C), BN_DEF(0x600DEB81, 0xE596078E), ++ BN_DEF(0x3E499332, 0xAAAD97BA), BN_DEF(0x51D5C414, 0xC35B18A1), ++ BN_DEF(0xFB258877, 0x05C661DE), BN_DEF(0xF6E8E62F, 0xB43FF5B4), ++ BN_DEF(0x64A84EA1, 0x7ED91FE7), BN_DEF(0xECA8D732, 0x0F212D18), ++ BN_DEF(0x7B00641C, 0x1B568026), BN_DEF(0x67FA3555, 0x5207194E), ++ BN_DEF(0xBC9C6D6A, 0xD20EAB86), BN_DEF(0x6A18B0E0, 0xB1534A93), ++ BN_DEF(0x4D6D8F34, 0x1FEEA547), BN_DEF(0xEE35C06B, 0x2D9DB8FC), ++ BN_DEF(0x63139582, 0xF64E8C08), BN_DEF(0xE5677A01, 0xC66796EA), ++ BN_DEF(0xE4ADC88B, 0x724FA91A), BN_DEF(0xDC2A19C5, 0x282EE416), ++ BN_DEF(0x8AB15423, 0x31149618), BN_DEF(0x3573BFAF, 0x6B9581BA), ++ BN_DEF(0xA316A9C6, 0x7CE4848D), BN_DEF(0x23D33E5F, 0x05746DAC), ++ BN_DEF(0x91308B41, 0x59D39CE0), BN_DEF(0x95140DFB, 0x77556011), ++ BN_DEF(0x3BE57CC9, 0xCA63328F), BN_DEF(0xCA595DE0, 0x3B1F2725), ++ BN_DEF(0x003BECDA, 0xAC3F1C6D), BN_DEF(0x0C1811E1, 0x3FD94FC6), ++ BN_DEF(0xFCF1D137, 0x855F60FF), BN_DEF(0x1A8288F1, 0x50077849), ++ BN_DEF(0x6DB1A06C, 0x5C2A9917), BN_DEF(0xD4D4B488, 0xD29238FB), ++ BN_DEF(0xA67EDA3B, 0x9C40A3FD), BN_DEF(0x2723020F, 0xCD8FAE1F), ++ BN_DEF(0xFE67F638, 0x66D6832B), BN_DEF(0xA6380E1D, 0x59C74619), ++ BN_DEF(0x58E07EA6, 0x48BDEEB2), BN_DEF(0x4DBB1264, 0x1DDA2A19), ++ BN_DEF(0x657A9F53, 0x11DD2221), BN_DEF(0x1C29951D, 0x2733BE96), ++ BN_DEF(0x2281B63D, 0x05FEB25B), BN_DEF(0x2F06EC81, 0xE345003F), ++ BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD), ++ BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754), ++ BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1), ++ BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005), ++ BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443), ++ BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E), ++ BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2), ++ BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95), ++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), ++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), ++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), ++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), ++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), ++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), ++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), ++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + +-# else +-# error "unsupported BN_BITS2" +-# endif +- + /* Macro to make a BIGNUM from static data */ + + # define make_dh_bn(x) extern const BIGNUM _bignum_##x; \ +@@ -489,24 +1010,42 @@ static const BN_ULONG ffdhe8192_p[] = { + + static const BN_ULONG value_2 = 2; + +-const BIGNUM _bignum_const_2 = +- { (BN_ULONG *)&value_2, 1, 1, 0, BN_FLG_STATIC_DATA }; ++const BIGNUM _bignum_const_2 = { ++ (BN_ULONG *)&value_2, 1, 1, 0, BN_FLG_STATIC_DATA ++}; + + make_dh_bn(dh1024_160_p) +-make_dh_bn(dh1024_160_g) + make_dh_bn(dh1024_160_q) ++make_dh_bn(dh1024_160_g) + make_dh_bn(dh2048_224_p) +-make_dh_bn(dh2048_224_g) + make_dh_bn(dh2048_224_q) ++make_dh_bn(dh2048_224_g) + make_dh_bn(dh2048_256_p) +-make_dh_bn(dh2048_256_g) + make_dh_bn(dh2048_256_q) ++make_dh_bn(dh2048_256_g) + + make_dh_bn(ffdhe2048_p) ++make_dh_bn(ffdhe2048_q) + make_dh_bn(ffdhe3072_p) ++make_dh_bn(ffdhe3072_q) + make_dh_bn(ffdhe4096_p) ++make_dh_bn(ffdhe4096_q) + make_dh_bn(ffdhe6144_p) ++make_dh_bn(ffdhe6144_q) + make_dh_bn(ffdhe8192_p) ++make_dh_bn(ffdhe8192_q) + ++make_dh_bn(modp_1536_p) ++make_dh_bn(modp_1536_q) ++make_dh_bn(modp_2048_p) ++make_dh_bn(modp_2048_q) ++make_dh_bn(modp_3072_p) ++make_dh_bn(modp_3072_q) ++make_dh_bn(modp_4096_p) ++make_dh_bn(modp_4096_q) ++make_dh_bn(modp_6144_p) ++make_dh_bn(modp_6144_q) ++make_dh_bn(modp_8192_p) ++make_dh_bn(modp_8192_q) + +-#endif ++#endif /* OPENSSL_NO_DH */ +Index: openssl-1.1.1m/crypto/dh/dh_check.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/dh/dh_check.c ++++ openssl-1.1.1m/crypto/dh/dh_check.c +@@ -10,6 +10,7 @@ + #include + #include "internal/cryptlib.h" + #include ++#include + #include "dh_local.h" + + # define DH_NUMBER_ITERATIONS_FOR_PRIME 64 +@@ -41,6 +42,12 @@ int DH_check_params(const DH *dh, int *r + BIGNUM *tmp = NULL; + BN_CTX *ctx = NULL; + ++ if (FIPS_mode()) { ++ int nid = dh->nid == NID_undef ? DH_get_nid(dh) : dh->nid; ++ ++ return nid != NID_undef; ++ } ++ + *ret = 0; + ctx = BN_CTX_new(); + if (ctx == NULL) +@@ -95,6 +102,7 @@ int DH_check_ex(const DH *dh) + return errflags == 0; + } + ++/* Note: according to documentation - this only checks the params */ + int DH_check(const DH *dh, int *ret) + { + int ok = 0, r, q_good = 0; +@@ -104,6 +112,9 @@ int DH_check(const DH *dh, int *ret) + if (!DH_check_params(dh, ret)) + return 0; + ++ if (FIPS_mode()) /* we allow only well-known params */ ++ return 1; ++ + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +@@ -177,7 +188,7 @@ int DH_check_pub_key_ex(const DH *dh, co + return errflags == 0; + } + +-int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) ++static int dh_check_pub_key_int(const DH *dh, const BIGNUM *q, const BIGNUM *pub_key, int *ret) + { + int ok = 0; + BIGNUM *tmp = NULL; +@@ -187,28 +198,68 @@ int DH_check_pub_key(const DH *dh, const + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; ++ + BN_CTX_start(ctx); + tmp = BN_CTX_get(ctx); ++ /* Step(1): Verify pub_key >= 2 */ + if (tmp == NULL || !BN_set_word(tmp, 1)) + goto err; +- if (BN_cmp(pub_key, tmp) <= 0) ++ if (BN_cmp(pub_key, tmp) <= 0) { + *ret |= DH_CHECK_PUBKEY_TOO_SMALL; ++ goto err; ++ } ++ /* Step(1): Verify pub_key <= p-2 */ + if (BN_copy(tmp, dh->p) == NULL || !BN_sub_word(tmp, 1)) + goto err; +- if (BN_cmp(pub_key, tmp) >= 0) ++ if (BN_cmp(pub_key, tmp) >= 0) { + *ret |= DH_CHECK_PUBKEY_TOO_LARGE; ++ goto err; ++ } ++ ++ if (q != NULL) { ++ ctx = BN_CTX_new(); ++ if (ctx == NULL) ++ goto err; ++ BN_CTX_start(ctx); ++ tmp = BN_CTX_get(ctx); + +- if (dh->q != NULL) { + /* Check pub_key^q == 1 mod p */ +- if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx)) ++ if (tmp == NULL || !BN_mod_exp(tmp, pub_key, q, dh->p, ctx)) + goto err; +- if (!BN_is_one(tmp)) ++ if (!BN_is_one(tmp)) { + *ret |= DH_CHECK_PUBKEY_INVALID; ++ goto err; ++ } + } + + ok = 1; + err: +- BN_CTX_end(ctx); +- BN_CTX_free(ctx); ++ if (ctx != NULL) { ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ } + return ok; + } ++ ++/* ++ * See SP800-56Ar3 Section 5.6.2.3.1 : FFC Full public key validation. ++ */ ++int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) ++{ ++ return dh_check_pub_key_int(dh, dh->q, pub_key, ret); ++} ++ ++int dh_check_pub_key_full(const DH *dh, const BIGNUM *pub_key, int *ret) ++{ ++ BIGNUM *q = dh->q; ++ ++ if (q == NULL) { ++ if (dh_get_known_q(dh, &q) == 0) { ++ *ret |= DH_CHECK_INVALID_Q_VALUE; ++ return 0; ++ } ++ } ++ ++ return dh_check_pub_key_int(dh, q, pub_key, ret); ++} ++ +Index: openssl-1.1.1m/crypto/dh/dh_gen.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/dh/dh_gen.c ++++ openssl-1.1.1m/crypto/dh/dh_gen.c +@@ -27,8 +27,7 @@ int DH_generate_parameters_ex(DH *ret, i + BN_GENCB *cb) + { + #ifdef OPENSSL_FIPS +- if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD) +- && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) { ++ if (FIPS_mode()) { + DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD); + return 0; + } +@@ -75,18 +74,6 @@ static int dh_builtin_genparams(DH *ret, + int g, ok = -1; + BN_CTX *ctx = NULL; + +-#ifdef OPENSSL_FIPS +- if (FIPS_selftest_failed()) { +- FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED); +- return 0; +- } +- +- if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) { +- DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); +- goto err; +- } +-#endif +- + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +Index: openssl-1.1.1m/crypto/dh/dh_key.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/dh/dh_key.c ++++ openssl-1.1.1m/crypto/dh/dh_key.c +@@ -128,10 +128,18 @@ static int generate_key(DH *dh) + BIGNUM *pub_key = NULL, *priv_key = NULL; + + #ifdef OPENSSL_FIPS +- if (FIPS_mode() +- && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { +- DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL); +- return 0; ++ if (FIPS_mode()) { ++ if (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL); ++ return 0; ++ } ++ if (dh->nid == NID_undef) ++ dh_cache_nid(dh); ++ if (dh->nid == NID_undef || dh->length > BN_num_bits(dh->p) - 2 ++ || dh->length < 224) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_NON_FIPS_METHOD); ++ return 0; ++ } + } + #endif + +@@ -167,7 +175,15 @@ static int generate_key(DH *dh) + } + + if (generate_new_key) { +- if (dh->q) { ++ if (FIPS_mode()) { ++ do { ++ if (!BN_priv_rand(priv_key, dh->length, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) ++ goto err; ++ if (!BN_add_word(priv_key, 1)) ++ goto err; ++ } ++ while (BN_num_bits(priv_key) > dh->length); ++ } else if (dh->q) { + do { + if (!BN_priv_rand_range(priv_key, dh->q)) + goto err; +@@ -203,6 +219,15 @@ static int generate_key(DH *dh) + } + /* We MUST free prk before any further use of priv_key */ + BN_clear_free(prk); ++ ++ if (FIPS_mode()) { ++ int check_result; ++ ++ if (!dh_check_pub_key_full(dh, pub_key, &check_result) || check_result) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_INVALID_PUBKEY); ++ goto err; ++ } ++ } + } + + dh->pub_key = pub_key; +@@ -225,6 +250,7 @@ static int compute_key(unsigned char *ke + BN_CTX *ctx = NULL; + BN_MONT_CTX *mont = NULL; + BIGNUM *tmp; ++ BIGNUM *p1; + int ret = -1; + int check_result; + +@@ -271,6 +297,18 @@ static int compute_key(unsigned char *ke + DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB); + goto err; + } ++ ++ if (BN_is_zero(tmp) || BN_is_one(tmp) || BN_is_negative(tmp)) { ++ DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ if ((p1 = BN_CTX_get(ctx)) == NULL ++ || !BN_sub(p1, dh->p, BN_value_one()) ++ || BN_cmp(p1, tmp) <= 0) { ++ DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB); ++ goto err; ++ } + + ret = BN_bn2binpad(tmp, key, BN_num_bytes(dh->p)); + err: +Index: openssl-1.1.1m/crypto/dh/dh_lib.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/dh/dh_lib.c ++++ openssl-1.1.1m/crypto/dh/dh_lib.c +@@ -8,6 +8,7 @@ + */ + + #include ++#include + #include "internal/cryptlib.h" + #include "internal/refcount.h" + #include +@@ -86,6 +87,8 @@ DH *DH_new_method(ENGINE *engine) + goto err; + } + ++ ret->nid = NID_undef; ++ + return ret; + + err: +@@ -205,7 +208,10 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU + dh->g = g; + } + +- if (q != NULL) { ++ dh->nid = NID_undef; ++ dh_cache_nid(dh); ++ ++ if (q != NULL && dh->nid == NID_undef) { + dh->length = BN_num_bits(q); + } + +Index: openssl-1.1.1m/crypto/dh/dh_local.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/dh/dh_local.h ++++ openssl-1.1.1m/crypto/dh/dh_local.h +@@ -35,6 +35,7 @@ struct dh_st { + const DH_METHOD *meth; + ENGINE *engine; + CRYPTO_RWLOCK *lock; ++ int nid; + }; + + struct dh_method { +@@ -55,3 +56,12 @@ struct dh_method { + int (*generate_params) (DH *dh, int prime_len, int generator, + BN_GENCB *cb); + }; ++ ++void dh_cache_nid(DH *dh); ++ ++/* Obtain known q value based on nid or p */ ++int dh_get_known_q(const DH *dh, BIGNUM **q); ++ ++/* FIPS mode only check which requires nid set and looks up q based on it. */ ++int dh_check_pub_key_full(const DH *dh, const BIGNUM *pub_key, int *ret); ++ +Index: openssl-1.1.1m/crypto/dh/dh_rfc7919.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/dh/dh_rfc7919.c ++++ openssl-1.1.1m/crypto/dh/dh_rfc7919.c +@@ -7,6 +7,8 @@ + * https://www.openssl.org/source/license.html + */ + ++/* DH parameters from RFC7919 and RFC3526 */ ++ + #include + #include "internal/cryptlib.h" + #include "dh_local.h" +@@ -14,14 +16,19 @@ + #include + #include "crypto/bn_dh.h" + +-static DH *dh_param_init(const BIGNUM *p, int32_t nbits) ++static DH *dh_param_init(int nid, const BIGNUM *p, const BIGNUM *q, int32_t nbits) + { + DH *dh = DH_new(); + if (dh == NULL) + return NULL; + dh->p = (BIGNUM *)p; ++ /* ++ * We do not set q as it would enable the inefficient and ++ * unnecessary pubkey modular exponentiation check. ++ */ + dh->g = (BIGNUM *)&_bignum_const_2; + dh->length = nbits; ++ dh->nid = nid; + return dh; + } + +@@ -29,46 +36,121 @@ DH *DH_new_by_nid(int nid) + { + switch (nid) { + case NID_ffdhe2048: +- return dh_param_init(&_bignum_ffdhe2048_p, 225); ++ return dh_param_init(nid, &_bignum_ffdhe2048_p, &_bignum_ffdhe2048_q, 225); + case NID_ffdhe3072: +- return dh_param_init(&_bignum_ffdhe3072_p, 275); ++ return dh_param_init(nid, &_bignum_ffdhe3072_p, &_bignum_ffdhe3072_q, 275); + case NID_ffdhe4096: +- return dh_param_init(&_bignum_ffdhe4096_p, 325); ++ return dh_param_init(nid, &_bignum_ffdhe4096_p, &_bignum_ffdhe4096_q, 325); + case NID_ffdhe6144: +- return dh_param_init(&_bignum_ffdhe6144_p, 375); ++ return dh_param_init(nid, &_bignum_ffdhe6144_p, &_bignum_ffdhe6144_q, 375); + case NID_ffdhe8192: +- return dh_param_init(&_bignum_ffdhe8192_p, 400); ++ return dh_param_init(nid, &_bignum_ffdhe8192_p, &_bignum_ffdhe8192_q, 400); ++ case NID_modp_2048: ++ return dh_param_init(nid, &_bignum_modp_2048_p, &_bignum_modp_2048_q, 225); ++ case NID_modp_3072: ++ return dh_param_init(nid, &_bignum_modp_3072_p, &_bignum_modp_3072_q, 275); ++ case NID_modp_4096: ++ return dh_param_init(nid, &_bignum_modp_4096_p, &_bignum_modp_4096_q, 325); ++ case NID_modp_6144: ++ return dh_param_init(nid, &_bignum_modp_6144_p, &_bignum_modp_6144_q, 375); ++ case NID_modp_8192: ++ return dh_param_init(nid, &_bignum_modp_8192_p, &_bignum_modp_8192_q, 400); ++ case NID_modp_1536: ++ if (!FIPS_mode()) ++ return dh_param_init(nid, &_bignum_modp_1536_p, &_bignum_modp_1536_q, 175); ++ /* fallthrough */ + default: + DHerr(DH_F_DH_NEW_BY_NID, DH_R_INVALID_PARAMETER_NID); + return NULL; + } + } + +-int DH_get_nid(const DH *dh) ++static int dh_match_group(const DH *dh, BIGNUM **qout, int *lout) + { + int nid; ++ const BIGNUM *q; ++ int length; + + if (BN_get_word(dh->g) != 2) + return NID_undef; +- if (!BN_cmp(dh->p, &_bignum_ffdhe2048_p)) ++ ++ if (dh->nid == NID_ffdhe2048 || !BN_cmp(dh->p, &_bignum_ffdhe2048_p)) { + nid = NID_ffdhe2048; +- else if (!BN_cmp(dh->p, &_bignum_ffdhe3072_p)) ++ q = &_bignum_ffdhe2048_q; ++ length = 225; ++ } else if (dh->nid == NID_ffdhe3072 || !BN_cmp(dh->p, &_bignum_ffdhe3072_p)) { + nid = NID_ffdhe3072; +- else if (!BN_cmp(dh->p, &_bignum_ffdhe4096_p)) ++ q = &_bignum_ffdhe3072_q; ++ length = 275; ++ } else if (dh->nid == NID_ffdhe4096 || !BN_cmp(dh->p, &_bignum_ffdhe4096_p)) { + nid = NID_ffdhe4096; +- else if (!BN_cmp(dh->p, &_bignum_ffdhe6144_p)) ++ q = &_bignum_ffdhe4096_q; ++ length = 325; ++ } else if (dh->nid == NID_ffdhe6144 || !BN_cmp(dh->p, &_bignum_ffdhe6144_p)) { + nid = NID_ffdhe6144; +- else if (!BN_cmp(dh->p, &_bignum_ffdhe8192_p)) ++ q = &_bignum_ffdhe6144_q; ++ length = 375; ++ } else if (dh->nid == NID_ffdhe8192 || !BN_cmp(dh->p, &_bignum_ffdhe8192_p)) { + nid = NID_ffdhe8192; +- else ++ q = &_bignum_ffdhe8192_q; ++ length = 400; ++ } else if (dh->nid == NID_modp_2048 || !BN_cmp(dh->p, &_bignum_modp_2048_p)) { ++ nid = NID_modp_2048; ++ q = &_bignum_modp_2048_q; ++ length = 225; ++ } else if (dh->nid == NID_modp_3072 || !BN_cmp(dh->p, &_bignum_modp_3072_p)) { ++ nid = NID_modp_3072; ++ q = &_bignum_modp_3072_q; ++ length = 275; ++ } else if (dh->nid == NID_modp_4096 || !BN_cmp(dh->p, &_bignum_modp_4096_p)) { ++ nid = NID_modp_4096; ++ q = &_bignum_modp_4096_q; ++ length = 325; ++ } else if (dh->nid == NID_modp_6144 || !BN_cmp(dh->p, &_bignum_modp_6144_p)) { ++ nid = NID_modp_6144; ++ q = &_bignum_modp_6144_q; ++ length = 375; ++ } else if (dh->nid == NID_modp_8192 || !BN_cmp(dh->p, &_bignum_modp_8192_p)) { ++ nid = NID_modp_8192; ++ q = &_bignum_modp_8192_q; ++ length = 400; ++ } else if (!FIPS_mode() && (dh->nid == NID_modp_1536 || !BN_cmp(dh->p, &_bignum_modp_1536_p))) { ++ nid = NID_modp_1536; ++ q = &_bignum_modp_1536_q; ++ length = 175; ++ } else { + return NID_undef; ++ } ++ + if (dh->q != NULL) { +- BIGNUM *q = BN_dup(dh->p); ++ /* Check that q matches the known q. */ ++ if (BN_cmp(dh->q, q)) ++ return NID_undef; ++ } else if (qout != NULL) { ++ *qout = (BIGNUM *)q; ++ } + +- /* Check q = p * 2 + 1 we already know q is odd, so just shift right */ +- if (q == NULL || !BN_rshift1(q, q) || !BN_cmp(dh->q, q)) +- nid = NID_undef; +- BN_free(q); ++ if (lout != NULL) { ++ *lout = length; + } + return nid; + } ++ ++int DH_get_nid(const DH *dh) ++{ ++ if (dh->nid != NID_undef) { ++ return dh->nid; ++ } ++ return dh_match_group(dh, NULL, NULL); ++} ++ ++void dh_cache_nid(DH *dh) ++{ ++ dh->nid = dh_match_group(dh, NULL, &dh->length); ++} ++ ++int dh_get_known_q(const DH *dh, BIGNUM **q) ++{ ++ return dh_match_group(dh, q, NULL) != NID_undef; ++} ++ +Index: openssl-1.1.1m/crypto/ec/ecdh_ossl.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/ec/ecdh_ossl.c ++++ openssl-1.1.1m/crypto/ec/ecdh_ossl.c +@@ -42,9 +42,14 @@ int ossl_ecdh_compute_key(unsigned char + } + + /*- +- * This implementation is based on the following primitives in the IEEE 1363 standard: ++ * This implementation is based on the following primitives in the ++ * IEEE 1363 standard: + * - ECKAS-DH1 + * - ECSVDP-DH ++ * ++ * It also conforms to SP800-56A r3 ++ * See Section 5.7.1.2 "Elliptic Curve Cryptography Cofactor Diffie-Hellman ++ * (ECC CDH) Primitive:". The steps listed below refer to SP800-56A. + */ + int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen, + const EC_POINT *pub_key, const EC_KEY *ecdh) +@@ -75,6 +80,10 @@ int ecdh_simple_compute_key(unsigned cha + + group = EC_KEY_get0_group(ecdh); + ++ /* ++ * Step(1) - Compute the point tmp = cofactor * owners_private_key ++ * * peer_public_key. ++ */ + if (EC_KEY_get_flags(ecdh) & EC_FLAG_COFACTOR_ECDH) { + if (!EC_GROUP_get_cofactor(group, x, NULL) || + !BN_mul(x, x, priv_key, ctx)) { +@@ -94,11 +103,20 @@ int ecdh_simple_compute_key(unsigned cha + goto err; + } + ++ /* ++ * Step(2) : If point tmp is at infinity then clear intermediate values and ++ * exit. Note: getting affine coordinates returns 0 if point is at infinity. ++ * Step(3a) : Get x-coordinate of point x = tmp.x ++ */ + if (!EC_POINT_get_affine_coordinates(group, tmp, x, NULL, ctx)) { + ECerr(EC_F_ECDH_SIMPLE_COMPUTE_KEY, EC_R_POINT_ARITHMETIC_FAILURE); + goto err; + } + ++ /* ++ * Step(3b) : convert x to a byte string, using the field-element-to-byte ++ * string conversion routine defined in Appendix C.2 ++ */ + buflen = (EC_GROUP_get_degree(group) + 7) / 8; + len = BN_num_bytes(x); + if (len > buflen) { +@@ -123,6 +141,8 @@ int ecdh_simple_compute_key(unsigned cha + ret = 1; + + err: ++ /* Step(4) : Destroy all intermediate calculations */ ++ BN_clear(x); + EC_POINT_clear_free(tmp); + BN_CTX_end(ctx); + BN_CTX_free(ctx); +Index: openssl-1.1.1m/crypto/ec/ecdsa_ossl.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/ec/ecdsa_ossl.c ++++ openssl-1.1.1m/crypto/ec/ecdsa_ossl.c +@@ -104,7 +104,7 @@ static int ecdsa_sign_setup(EC_KEY *ecke + } + } + +- k = BN_new(); /* this value is later returned in *kinvp */ ++ k = BN_secure_new(); /* this value is later returned in *kinvp */ + r = BN_new(); /* this value is later returned in *rp */ + X = BN_new(); + if (k == NULL || r == NULL || X == NULL) { +Index: openssl-1.1.1m/crypto/ec/ec_key.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/ec/ec_key.c ++++ openssl-1.1.1m/crypto/ec/ec_key.c +@@ -244,61 +244,117 @@ int ossl_ec_key_gen(EC_KEY *eckey) + return eckey->group->meth->keygen(eckey); + } + ++/* ++ * ECC Key generation. ++ * See SP800-56AR3 5.6.1.2.2 "Key Pair Generation by Testing Candidates" ++ * ++ * Params: ++ * eckey An EC key object that contains domain params. The generated keypair ++ * is stored in this object. ++ * Returns 1 if the keypair was generated or 0 otherwise. ++ */ + int ec_key_simple_generate_key(EC_KEY *eckey) + { + int ok = 0; +- BN_CTX *ctx = NULL; + BIGNUM *priv_key = NULL; + const BIGNUM *order = NULL; + EC_POINT *pub_key = NULL; +- +- if ((ctx = BN_CTX_new()) == NULL) +- goto err; ++ const EC_GROUP *group = eckey->group; + + if (eckey->priv_key == NULL) { +- priv_key = BN_new(); ++ priv_key = BN_secure_new(); + if (priv_key == NULL) + goto err; + } else + priv_key = eckey->priv_key; + +- order = EC_GROUP_get0_order(eckey->group); ++ /* ++ * Steps (1-2): Check domain parameters and security strength. ++ * These steps must be done by the user. This would need to be ++ * stated in the security policy. ++ */ ++ ++ order = EC_GROUP_get0_order(group); + if (order == NULL) + goto err; + ++ /* ++ * Steps (3-7): priv_key = DRBG_RAND(order_n_bits) (range [1, n-1]). ++ * Although this is slightly different from the standard, it is effectively ++ * equivalent as it gives an unbiased result ranging from 1..n-1. It is also ++ * faster as the standard needs to retry more often. Also doing ++ * 1 + rand[0..n-2] would effect the way that tests feed dummy entropy into ++ * rand so the simpler backward compatible method has been used here. ++ */ + do + if (!BN_priv_rand_range(priv_key, order)) + goto err; + while (BN_is_zero(priv_key)) ; + + if (eckey->pub_key == NULL) { +- pub_key = EC_POINT_new(eckey->group); ++ pub_key = EC_POINT_new(group); + if (pub_key == NULL) + goto err; + } else + pub_key = eckey->pub_key; + +- if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx)) ++ /* Step (8) : pub_key = priv_key * G (where G is a point on the curve) */ ++ if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, NULL)) + goto err; + +- eckey->priv_key = priv_key; + eckey->pub_key = pub_key; ++ pub_key = NULL; ++ ++ if (FIPS_mode()) { ++ eckey->priv_key = NULL; ++ if (EC_KEY_check_key(eckey) <= 0) { ++ eckey->pub_key = NULL; ++ goto err; ++ } ++ } ++ ++ eckey->priv_key = priv_key; ++ priv_key = NULL; + + ok = 1; + + err: +- if (eckey->pub_key == NULL) +- EC_POINT_free(pub_key); +- if (eckey->priv_key != priv_key) +- BN_free(priv_key); +- BN_CTX_free(ctx); ++ /* Step (9): If there is an error return an invalid keypair. */ ++ if (!ok) { ++ BN_clear(eckey->priv_key); ++ if (eckey->pub_key != NULL) ++ EC_POINT_set_to_infinity(group, eckey->pub_key); ++ } ++ ++ EC_POINT_free(pub_key); ++ BN_clear_free(priv_key); + return ok; + } + + int ec_key_simple_generate_public_key(EC_KEY *eckey) + { +- return EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL, ++ BIGNUM *priv_key; ++ ++ /* ++ * See SP800-56AR3 5.6.1.2.2: Step (8) ++ * pub_key = priv_key * G (where G is a point on the curve) ++ */ ++ int ret = EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL, + NULL, NULL); ++ ++ if (ret <= 0 || !FIPS_mode()) ++ return ret; ++ ++ /* no need to perform private key test, temporarily hide it */ ++ priv_key = eckey->priv_key; ++ eckey->priv_key = NULL; ++ ret = EC_KEY_check_key(eckey); ++ eckey->priv_key = priv_key; ++ ++ if (ret <= 0) ++ EC_POINT_set_to_infinity(eckey->group, eckey->pub_key); ++ ++ return ret; + } + + int EC_KEY_check_key(const EC_KEY *eckey) +@@ -316,47 +372,100 @@ int EC_KEY_check_key(const EC_KEY *eckey + return eckey->group->meth->keycheck(eckey); + } + +-int ec_key_simple_check_key(const EC_KEY *eckey) ++/* ++ * Check the range of the EC public key. ++ * See SP800-56A R3 Section 5.6.2.3.3 (Part 2) ++ * i.e. ++ * - If q = odd prime p: Verify that xQ and yQ are integers in the ++ * interval[0, p − 1], OR ++ * - If q = 2m: Verify that xQ and yQ are bit strings of length m bits. ++ * Returns 1 if the public key has a valid range, otherwise it returns 0. ++ */ ++static int ec_key_public_range_check(BN_CTX *ctx, const EC_KEY *key) + { +- int ok = 0; +- BN_CTX *ctx = NULL; +- const BIGNUM *order = NULL; ++ int ret = 0; ++ BIGNUM *x, *y; ++ ++ BN_CTX_start(ctx); ++ x = BN_CTX_get(ctx); ++ y = BN_CTX_get(ctx); ++ if (y == NULL) ++ goto err; ++ ++ if (!EC_POINT_get_affine_coordinates(key->group, key->pub_key, x, y, ctx)) ++ goto err; ++ ++ if (EC_METHOD_get_field_type(key->group->meth) == NID_X9_62_prime_field) { ++ if (BN_is_negative(x) ++ || BN_cmp(x, key->group->field) >= 0 ++ || BN_is_negative(y) ++ || BN_cmp(y, key->group->field) >= 0) { ++ goto err; ++ } ++ } else { ++ int m = EC_GROUP_get_degree(key->group); ++ if (BN_num_bits(x) > m || BN_num_bits(y) > m) { ++ goto err; ++ } ++ } ++ ret = 1; ++err: ++ BN_CTX_end(ctx); ++ return ret; ++} ++ ++/* ++ * ECC Key validation as specified in SP800-56A R3. ++ * Section 5.6.2.3.3 ECC Full Public-Key Validation. ++ */ ++int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx) ++{ ++ int ret = 0; + EC_POINT *point = NULL; ++ const BIGNUM *order = NULL; + + if (eckey == NULL || eckey->group == NULL || eckey->pub_key == NULL) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, ERR_R_PASSED_NULL_PARAMETER); ++ ECerr(0, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + ++ /* 5.6.2.3.3 (Step 1): Q != infinity */ + if (EC_POINT_is_at_infinity(eckey->group, eckey->pub_key)) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_POINT_AT_INFINITY); +- goto err; ++ ECerr(0, EC_R_POINT_AT_INFINITY); ++ return 0; + } + +- if ((ctx = BN_CTX_new()) == NULL) +- goto err; +- if ((point = EC_POINT_new(eckey->group)) == NULL) ++ point = EC_POINT_new(eckey->group); ++ if (point == NULL) ++ return 0; ++ ++ /* 5.6.2.3.3 (Step 2) Test if the public key is in range */ ++ if (!ec_key_public_range_check(ctx, eckey)) { ++ ECerr(0, EC_R_COORDINATES_OUT_OF_RANGE); + goto err; ++ } + +- /* testing whether the pub_key is on the elliptic curve */ ++ /* 5.6.2.3.3 (Step 3) is the pub_key on the elliptic curve */ + if (EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx) <= 0) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_POINT_IS_NOT_ON_CURVE); ++ ECerr(0, EC_R_POINT_IS_NOT_ON_CURVE); + goto err; + } +- /* testing whether pub_key * order is the point at infinity */ ++ + order = eckey->group->order; + if (BN_is_zero(order)) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_INVALID_GROUP_ORDER); ++ ECerr(0, EC_R_INVALID_GROUP_ORDER); + goto err; + } ++ /* 5.6.2.3.3 (Step 4) : pub_key * order is the point at infinity. */ + if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, ERR_R_EC_LIB); ++ ECerr(0, ERR_R_EC_LIB); + goto err; + } + if (!EC_POINT_is_at_infinity(eckey->group, point)) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_WRONG_ORDER); ++ ECerr(0, EC_R_WRONG_ORDER); + goto err; + } ++ + /* + * in case the priv_key is present : check if generator * priv_key == + * pub_key +@@ -376,10 +485,40 @@ int ec_key_simple_check_key(const EC_KEY + goto err; + } + } ++ ++ ret = 1; ++ err: ++ EC_POINT_free(point); ++ return ret; ++} ++ ++ ++/* ++ * ECC Key validation as specified in SP800-56A R3. ++ * Section 5.6.2.3.3 ECC Full Public-Key Validation ++ * NOTES: ++ * Before calling this method in fips mode, there should be an assurance that ++ * an approved elliptic-curve group is used. ++ * Returns 1 if the key is valid, otherwise it returns 0. ++ */ ++int ec_key_simple_check_key(const EC_KEY *eckey) ++{ ++ int ok = 0; ++ BN_CTX *ctx = NULL; ++ ++ if (eckey == NULL) { ++ ECerr(0, ERR_R_PASSED_NULL_PARAMETER); ++ return 0; ++ } ++ if ((ctx = BN_CTX_new()) == NULL) ++ return 0; ++ ++ if (!ec_key_public_check(eckey, ctx)) ++ goto err; ++ + ok = 1; + err: + BN_CTX_free(ctx); +- EC_POINT_free(point); + return ok; + } + +@@ -417,12 +556,10 @@ int EC_KEY_set_public_key_affine_coordin + goto err; + + /* +- * Check if retrieved coordinates match originals and are less than field +- * order: if not values are out of range. ++ * Check if retrieved coordinates match originals. The range check is done ++ * inside EC_KEY_check_key(). + */ +- if (BN_cmp(x, tx) || BN_cmp(y, ty) +- || (BN_cmp(x, key->group->field) >= 0) +- || (BN_cmp(y, key->group->field) >= 0)) { ++ if (BN_cmp(x, tx) || BN_cmp(y, ty)) { + ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES, + EC_R_COORDINATES_OUT_OF_RANGE); + goto err; +Index: openssl-1.1.1m/crypto/ec/ec_local.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/ec/ec_local.h ++++ openssl-1.1.1m/crypto/ec/ec_local.h +@@ -610,6 +610,8 @@ int ec_key_simple_generate_key(EC_KEY *e + int ec_key_simple_generate_public_key(EC_KEY *eckey); + int ec_key_simple_check_key(const EC_KEY *eckey); + ++int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx); ++ + int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx); + + /* EC_METHOD definitions */ +Index: openssl-1.1.1m/crypto/ec/ec_lib.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/ec/ec_lib.c ++++ openssl-1.1.1m/crypto/ec/ec_lib.c +@@ -454,6 +454,11 @@ int EC_GROUP_get_curve_name(const EC_GRO + return group->curve_name; + } + ++const BIGNUM *EC_GROUP_get0_field(const EC_GROUP *group) ++{ ++ return group->field; ++} ++ + void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag) + { + group->asn1_flag = flag; +Index: openssl-1.1.1m/crypto/evp/p_lib.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/evp/p_lib.c ++++ openssl-1.1.1m/crypto/evp/p_lib.c +@@ -545,7 +545,8 @@ EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *p + + int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key) + { +- int type = DH_get0_q(key) == NULL ? EVP_PKEY_DH : EVP_PKEY_DHX; ++ int type = DH_get0_q(key) == NULL || DH_get_nid(key) != NID_undef ? ++ EVP_PKEY_DH : EVP_PKEY_DHX; + int ret = EVP_PKEY_assign(pkey, type, key); + + if (ret) +Index: openssl-1.1.1m/include/crypto/bn_dh.h +=================================================================== +--- openssl-1.1.1m.orig/include/crypto/bn_dh.h ++++ openssl-1.1.1m/include/crypto/bn_dh.h +@@ -9,16 +9,35 @@ + + #define declare_dh_bn(x) \ + extern const BIGNUM _bignum_dh##x##_p; \ ++ extern const BIGNUM _bignum_dh##x##_q; \ + extern const BIGNUM _bignum_dh##x##_g; \ +- extern const BIGNUM _bignum_dh##x##_q; + + declare_dh_bn(1024_160) + declare_dh_bn(2048_224) + declare_dh_bn(2048_256) + ++extern const BIGNUM _bignum_const_2; ++ + extern const BIGNUM _bignum_ffdhe2048_p; + extern const BIGNUM _bignum_ffdhe3072_p; + extern const BIGNUM _bignum_ffdhe4096_p; + extern const BIGNUM _bignum_ffdhe6144_p; + extern const BIGNUM _bignum_ffdhe8192_p; +-extern const BIGNUM _bignum_const_2; ++extern const BIGNUM _bignum_ffdhe2048_q; ++extern const BIGNUM _bignum_ffdhe3072_q; ++extern const BIGNUM _bignum_ffdhe4096_q; ++extern const BIGNUM _bignum_ffdhe6144_q; ++extern const BIGNUM _bignum_ffdhe8192_q; ++ ++extern const BIGNUM _bignum_modp_1536_p; ++extern const BIGNUM _bignum_modp_2048_p; ++extern const BIGNUM _bignum_modp_3072_p; ++extern const BIGNUM _bignum_modp_4096_p; ++extern const BIGNUM _bignum_modp_6144_p; ++extern const BIGNUM _bignum_modp_8192_p; ++extern const BIGNUM _bignum_modp_1536_q; ++extern const BIGNUM _bignum_modp_2048_q; ++extern const BIGNUM _bignum_modp_3072_q; ++extern const BIGNUM _bignum_modp_4096_q; ++extern const BIGNUM _bignum_modp_6144_q; ++extern const BIGNUM _bignum_modp_8192_q; +Index: openssl-1.1.1m/crypto/objects/obj_dat.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/objects/obj_dat.h ++++ openssl-1.1.1m/crypto/objects/obj_dat.h +@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = { + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */ + }; + +-#define NUM_NID 1196 ++#define NUM_NID 1202 + static const ASN1_OBJECT nid_objs[NUM_NID] = { + {"UNDEF", "undefined", NID_undef}, + {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, +@@ -2276,9 +2276,15 @@ static const ASN1_OBJECT nid_objs[NUM_NI + {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]}, + {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]}, + {"SSHKDF", "sshkdf", NID_sshkdf}, ++ {"modp_1536", "modp_1536", NID_modp_1536}, ++ {"modp_2048", "modp_2048", NID_modp_2048}, ++ {"modp_3072", "modp_3072", NID_modp_3072}, ++ {"modp_4096", "modp_4096", NID_modp_4096}, ++ {"modp_6144", "modp_6144", NID_modp_6144}, ++ {"modp_8192", "modp_8192", NID_modp_8192}, + }; + +-#define NUM_SN 1187 ++#define NUM_SN 1193 + static const unsigned int sn_objs[NUM_SN] = { + 364, /* "AD_DVCS" */ + 419, /* "AES-128-CBC" */ +@@ -3121,6 +3127,12 @@ static const unsigned int sn_objs[NUM_SN + 506, /* "mime-mhs-bodies" */ + 505, /* "mime-mhs-headings" */ + 488, /* "mobileTelephoneNumber" */ ++ 1196, /* "modp_1536" */ ++ 1197, /* "modp_2048" */ ++ 1198, /* "modp_3072" */ ++ 1199, /* "modp_4096" */ ++ 1200, /* "modp_6144" */ ++ 1201, /* "modp_8192" */ + 136, /* "msCTLSign" */ + 135, /* "msCodeCom" */ + 134, /* "msCodeInd" */ +@@ -3469,7 +3481,7 @@ static const unsigned int sn_objs[NUM_SN + 1093, /* "x509ExtAdmission" */ + }; + +-#define NUM_LN 1187 ++#define NUM_LN 1193 + static const unsigned int ln_objs[NUM_LN] = { + 363, /* "AD Time Stamping" */ + 405, /* "ANSI X9.62" */ +@@ -4305,6 +4317,12 @@ static const unsigned int ln_objs[NUM_LN + 506, /* "mime-mhs-bodies" */ + 505, /* "mime-mhs-headings" */ + 488, /* "mobileTelephoneNumber" */ ++ 1196, /* "modp_1536" */ ++ 1197, /* "modp_2048" */ ++ 1198, /* "modp_3072" */ ++ 1199, /* "modp_4096" */ ++ 1200, /* "modp_6144" */ ++ 1201, /* "modp_8192" */ + 481, /* "nSRecord" */ + 173, /* "name" */ + 681, /* "onBasis" */ +Index: openssl-1.1.1m/crypto/objects/objects.txt +=================================================================== +--- openssl-1.1.1m.orig/crypto/objects/objects.txt ++++ openssl-1.1.1m/crypto/objects/objects.txt +@@ -1648,6 +1648,13 @@ id-pkinit 5 : pkInit + : ffdhe4096 + : ffdhe6144 + : ffdhe8192 ++# NIDs for RFC3526 DH parameters ++ : modp_1536 ++ : modp_2048 ++ : modp_3072 ++ : modp_4096 ++ : modp_6144 ++ : modp_8192 + + # OIDs for DSTU-4145/DSTU-7564 (http://zakon2.rada.gov.ua/laws/show/z0423-17) + +Index: openssl-1.1.1m/crypto/objects/obj_mac.num +=================================================================== +--- openssl-1.1.1m.orig/crypto/objects/obj_mac.num ++++ openssl-1.1.1m/crypto/objects/obj_mac.num +@@ -1193,3 +1193,9 @@ magma_mac 1192 + hmacWithSHA512_224 1193 + hmacWithSHA512_256 1194 + sshkdf 1195 ++modp_1536 1196 ++modp_2048 1197 ++modp_3072 1198 ++modp_4096 1199 ++modp_6144 1200 ++modp_8192 1201 +Index: openssl-1.1.1m/doc/man3/DH_new_by_nid.pod +=================================================================== +--- openssl-1.1.1m.orig/doc/man3/DH_new_by_nid.pod ++++ openssl-1.1.1m/doc/man3/DH_new_by_nid.pod +@@ -8,13 +8,15 @@ DH_new_by_nid, DH_get_nid - get or find + + #include + DH *DH_new_by_nid(int nid); +- int *DH_get_nid(const DH *dh); ++ int DH_get_nid(const DH *dh); + + =head1 DESCRIPTION + + DH_new_by_nid() creates and returns a DH structure containing named parameters + B. Currently B must be B, B, +-B, B or B. ++B, B, B, ++B, B, B, ++B, B or B. + + DH_get_nid() determines if the parameters contained in B match + any named set. It returns the NID corresponding to the matching parameters or +Index: openssl-1.1.1m/doc/man3/EVP_PKEY_CTX_ctrl.pod +=================================================================== +--- openssl-1.1.1m.orig/doc/man3/EVP_PKEY_CTX_ctrl.pod ++++ openssl-1.1.1m/doc/man3/EVP_PKEY_CTX_ctrl.pod +@@ -294,10 +294,11 @@ The EVP_PKEY_CTX_set_dh_pad() macro sets + If B is zero (the default) then no padding is performed. + + EVP_PKEY_CTX_set_dh_nid() sets the DH parameters to values corresponding to +-B as defined in RFC7919. The B parameter must be B, +-B, B, B, B +-or B to clear the stored value. This macro can be called during +-parameter or key generation. ++I as defined in RFC7919 or RFC3526. The I parameter must be ++B, B, B, B, ++B, B, B, B, ++B, B, B or B to clear ++the stored value. This macro can be called during parameter or key generation. + The nid parameter and the rfc5114 parameter are mutually exclusive. + + The EVP_PKEY_CTX_set_dh_rfc5114() and EVP_PKEY_CTX_set_dhx_rfc5114() macros are +Index: openssl-1.1.1m/include/openssl/ec.h +=================================================================== +--- openssl-1.1.1m.orig/include/openssl/ec.h ++++ openssl-1.1.1m/include/openssl/ec.h +@@ -212,6 +212,12 @@ void EC_GROUP_set_curve_name(EC_GROUP *g + */ + int EC_GROUP_get_curve_name(const EC_GROUP *group); + ++/** Gets the field of an EC_GROUP ++ * \param group EC_GROUP object ++ * \return the group field ++ */ ++const BIGNUM *EC_GROUP_get0_field(const EC_GROUP *group); ++ + void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag); + int EC_GROUP_get_asn1_flag(const EC_GROUP *group); + +Index: openssl-1.1.1m/include/openssl/obj_mac.h +=================================================================== +--- openssl-1.1.1m.orig/include/openssl/obj_mac.h ++++ openssl-1.1.1m/include/openssl/obj_mac.h +@@ -5103,6 +5103,24 @@ + #define SN_ffdhe8192 "ffdhe8192" + #define NID_ffdhe8192 1130 + ++#define SN_modp_1536 "modp_1536" ++#define NID_modp_1536 1196 ++ ++#define SN_modp_2048 "modp_2048" ++#define NID_modp_2048 1197 ++ ++#define SN_modp_3072 "modp_3072" ++#define NID_modp_3072 1198 ++ ++#define SN_modp_4096 "modp_4096" ++#define NID_modp_4096 1199 ++ ++#define SN_modp_6144 "modp_6144" ++#define NID_modp_6144 1200 ++ ++#define SN_modp_8192 "modp_8192" ++#define NID_modp_8192 1201 ++ + #define SN_ISO_UA "ISO-UA" + #define NID_ISO_UA 1150 + #define OBJ_ISO_UA OBJ_member_body,804L +Index: openssl-1.1.1m/ssl/s3_lib.c +=================================================================== +--- openssl-1.1.1m.orig/ssl/s3_lib.c ++++ openssl-1.1.1m/ssl/s3_lib.c +@@ -4846,13 +4846,51 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey + EVP_PKEY *ssl_dh_to_pkey(DH *dh) + { + EVP_PKEY *ret; ++ DH *dhp = NULL; ++ + if (dh == NULL) + return NULL; ++ ++ if (FIPS_mode() && DH_get_nid(dh) == NID_undef) { ++ int bits = DH_bits(dh); ++ BIGNUM *p, *g; ++ ++ dhp = DH_new(); ++ if (dhp == NULL) ++ return NULL; ++ g = BN_new(); ++ if (g == NULL || !BN_set_word(g, 2)) { ++ DH_free(dhp); ++ BN_free(g); ++ return NULL; ++ } ++ ++ if (bits >= 7000) ++ p = BN_get_rfc3526_prime_8192(NULL); ++ else if (bits >= 5000) ++ p = BN_get_rfc3526_prime_6144(NULL); ++ else if (bits >= 3800) ++ p = BN_get_rfc3526_prime_4096(NULL); ++ else if (bits >= 2500) ++ p = BN_get_rfc3526_prime_3072(NULL); ++ else ++ p = BN_get_rfc3526_prime_2048(NULL); ++ if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { ++ DH_free(dhp); ++ BN_free(p); ++ BN_free(g); ++ return NULL; ++ } ++ dh = dhp; ++ } ++ + ret = EVP_PKEY_new(); + if (EVP_PKEY_set1_DH(ret, dh) <= 0) { ++ DH_free(dhp); + EVP_PKEY_free(ret); + return NULL; + } ++ DH_free(dhp); + return ret; + } + #endif +Index: openssl-1.1.1m/test/ectest.c +=================================================================== +--- openssl-1.1.1m.orig/test/ectest.c ++++ openssl-1.1.1m/test/ectest.c +@@ -1208,6 +1208,42 @@ static int internal_curve_test_method(in + return r; + } + ++static int group_field_test(void) ++{ ++ int r = 1; ++ BIGNUM *secp521r1_field = NULL; ++ BIGNUM *sect163r2_field = NULL; ++ EC_GROUP *secp521r1_group = NULL; ++ EC_GROUP *sect163r2_group = NULL; ++ ++ BN_hex2bn(&secp521r1_field, ++ "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" ++ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" ++ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" ++ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" ++ "FFFF"); ++ ++ BN_hex2bn(§163r2_field, ++ "08000000000000000000000000000000" ++ "00000000C9"); ++ ++ secp521r1_group = EC_GROUP_new_by_curve_name(NID_secp521r1); ++ if (BN_cmp(secp521r1_field, EC_GROUP_get0_field(secp521r1_group))) ++ r = 0; ++ ++ # ifndef OPENSSL_NO_EC2M ++ sect163r2_group = EC_GROUP_new_by_curve_name(NID_sect163r2); ++ if (BN_cmp(sect163r2_field, EC_GROUP_get0_field(sect163r2_group))) ++ r = 0; ++ # endif ++ ++ EC_GROUP_free(secp521r1_group); ++ EC_GROUP_free(sect163r2_group); ++ BN_free(secp521r1_field); ++ BN_free(sect163r2_field); ++ return r; ++} ++ + # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 + /* + * nistp_test_params contains magic numbers for testing our optimized +@@ -1876,6 +1912,61 @@ err: + return r; + } + ++static int check_ec_key_field_public_range_test(int id) ++{ ++ int ret = 0, type = 0; ++ const EC_POINT *pub = NULL; ++ const EC_GROUP *group = NULL; ++ const EC_METHOD *meth = NULL; ++ const BIGNUM *field = NULL; ++ BIGNUM *x = NULL, *y = NULL; ++ EC_KEY *key = NULL; ++ ++ if (!(TEST_ptr(x = BN_new()) ++ && TEST_ptr(y = BN_new()) ++ && TEST_ptr(key = EC_KEY_new_by_curve_name(curves[id].nid)) ++ && TEST_ptr(group = EC_KEY_get0_group(key)) ++ && TEST_ptr(meth = EC_GROUP_method_of(group)) ++ && TEST_ptr(field = EC_GROUP_get0_field(group)) ++ && TEST_int_gt(EC_KEY_generate_key(key), 0) ++ && TEST_int_gt(EC_KEY_check_key(key), 0) ++ && TEST_ptr(pub = EC_KEY_get0_public_key(key)) ++ && TEST_int_gt(EC_POINT_get_affine_coordinates(group, pub, x, y, ++ NULL), 0))) ++ goto err; ++ ++ /* ++ * Make the public point out of range by adding the field (which will still ++ * be the same point on the curve). The add is different for char2 fields. ++ */ ++ type = EC_METHOD_get_field_type(meth); ++#ifndef OPENSSL_NO_EC2M ++ if (type == NID_X9_62_characteristic_two_field) { ++ /* test for binary curves */ ++ if (!TEST_true(BN_GF2m_add(x, x, field))) ++ goto err; ++ } else ++#endif ++ if (type == NID_X9_62_prime_field) { ++ /* test for prime curves */ ++ if (!TEST_true(BN_add(x, x, field))) ++ goto err; ++ } else { ++ /* this should never happen */ ++ TEST_error("Unsupported EC_METHOD field_type"); ++ goto err; ++ } ++ if (!TEST_int_le(EC_KEY_set_public_key_affine_coordinates(key, x, y), 0)) ++ goto err; ++ ++ ret = 1; ++err: ++ BN_free(x); ++ BN_free(y); ++ EC_KEY_free(key); ++ return ret; ++} ++ + /*- + * random 256-bit explicit parameters curve, cofactor absent + * order: 0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit) +@@ -2254,8 +2345,10 @@ int setup_tests(void) + # endif + ADD_ALL_TESTS(internal_curve_test, crv_len); + ADD_ALL_TESTS(internal_curve_test_method, crv_len); ++ ADD_TEST(group_field_test); + + ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len); ++ ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len); + ADD_ALL_TESTS(ec_point_hex2point_test, crv_len); + ADD_ALL_TESTS(custom_generator_test, crv_len); + #endif /* OPENSSL_NO_EC */ +Index: openssl-1.1.1m/crypto/ec/ec_kmeth.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/ec/ec_kmeth.c ++++ openssl-1.1.1m/crypto/ec/ec_kmeth.c +@@ -148,6 +148,14 @@ int ECDH_compute_key(void *out, size_t o + outlen = seclen; + memcpy(out, sec, outlen); + } ++ ++ if (FIPS_mode()) { ++ if (EC_KEY_check_key(eckey) <= 0) { ++ EC_POINT_set_to_infinity(eckey->group, eckey->pub_key); ++ return 0; ++ } ++ } ++ + OPENSSL_clear_free(sec, seclen); + return outlen; + } +Index: openssl-1.1.1m/ssl/t1_lib.c +=================================================================== +--- openssl-1.1.1m.orig/ssl/t1_lib.c ++++ openssl-1.1.1m/ssl/t1_lib.c +@@ -2479,7 +2479,7 @@ DH *ssl_get_auto_dh(SSL *s) + p = BN_get_rfc3526_prime_4096(NULL); + else if (dh_secbits >= 128) + p = BN_get_rfc3526_prime_3072(NULL); +- else if (dh_secbits >= 112) ++ else if (dh_secbits >= 112 || FIPS_mode()) + p = BN_get_rfc3526_prime_2048(NULL); + else + p = BN_get_rfc2409_prime_1024(NULL); diff --git a/openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch b/openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch new file mode 100644 index 0000000..1ab25a1 --- /dev/null +++ b/openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch @@ -0,0 +1,533 @@ +From 9bf682f62bd819d2fbceb95eeabd61dd4532240f Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Thu, 11 Jul 2019 10:23:49 +0200 +Subject: [PATCH 09205/10000] Enable curve-spefific ECDSA implementations via + EC_METHOD + +which are already enabled for ECDH. + +Signed-off-by: Patrick Steuer + +Reviewed-by: Richard Levitte +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/9348) +--- + crypto/ec/ec2_smpl.c | 3 + + crypto/ec/ec_local.h | 15 +++++ + crypto/ec/ecdsa_ossl.c | 107 ++++++++++++++++++++++++------------ + crypto/ec/ecp_mont.c | 3 + + crypto/ec/ecp_nist.c | 3 + + crypto/ec/ecp_nistp224.c | 3 + + crypto/ec/ecp_nistp256.c | 3 + + crypto/ec/ecp_nistp521.c | 3 + + crypto/ec/ecp_nistz256.c | 3 + + crypto/ec/ecp_s390x_nistp.c | 3 + + crypto/ec/ecp_smpl.c | 3 + + crypto/err/openssl.txt | 5 ++ + include/openssl/ecerr.h | 1 + + 13 files changed, 119 insertions(+), 36 deletions(-) + +Index: openssl-1.1.1e/crypto/ec/ec2_smpl.c +=================================================================== +--- openssl-1.1.1e.orig/crypto/ec/ec2_smpl.c 2020-03-20 13:03:13.823258089 +0100 ++++ openssl-1.1.1e/crypto/ec/ec2_smpl.c 2020-03-20 13:03:17.247276054 +0100 +@@ -956,6 +956,9 @@ const EC_METHOD *EC_GF2m_simple_method(v + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + 0, /* field_inverse_mod_ord */ + 0, /* blind_coordinates */ + ec_GF2m_simple_ladder_pre, +Index: openssl-1.1.1e/crypto/ec/ec_local.h +=================================================================== +--- openssl-1.1.1e.orig/crypto/ec/ec_local.h 2020-03-20 13:03:13.823258089 +0100 ++++ openssl-1.1.1e/crypto/ec/ec_local.h 2020-03-20 13:03:17.251276075 +0100 +@@ -179,6 +179,14 @@ struct ec_method_st { + /* custom ECDH operation */ + int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen, + const EC_POINT *pub_key, const EC_KEY *ecdh); ++ /* custom ECDSA */ ++ int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinvp, ++ BIGNUM **rp); ++ ECDSA_SIG *(*ecdsa_sign_sig)(const unsigned char *dgst, int dgstlen, ++ const BIGNUM *kinv, const BIGNUM *r, ++ EC_KEY *eckey); ++ int (*ecdsa_verify_sig)(const unsigned char *dgst, int dgstlen, ++ const ECDSA_SIG *sig, EC_KEY *eckey); + /* Inverse modulo order */ + int (*field_inverse_mod_ord)(const EC_GROUP *, BIGNUM *r, + const BIGNUM *x, BN_CTX *); +@@ -656,6 +664,13 @@ int ossl_ecdsa_verify(int type, const un + const unsigned char *sigbuf, int sig_len, EC_KEY *eckey); + int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, + const ECDSA_SIG *sig, EC_KEY *eckey); ++int ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, ++ BIGNUM **rp); ++ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, ++ const BIGNUM *in_kinv, const BIGNUM *in_r, ++ EC_KEY *eckey); ++int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, ++ const ECDSA_SIG *sig, EC_KEY *eckey); + + int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, + const uint8_t public_key[32], const uint8_t private_key[32]); +Index: openssl-1.1.1e/crypto/ec/ecdsa_ossl.c +=================================================================== +--- openssl-1.1.1e.orig/crypto/ec/ecdsa_ossl.c 2020-03-20 13:03:13.823258089 +0100 ++++ openssl-1.1.1e/crypto/ec/ecdsa_ossl.c 2020-03-20 13:03:54.463471314 +0100 +@@ -14,6 +14,41 @@ + #include "crypto/bn.h" + #include "ec_local.h" + ++int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, ++ BIGNUM **rp) ++{ ++ if (eckey->group->meth->ecdsa_sign_setup == NULL) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SETUP, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA); ++ return 0; ++ } ++ ++ return eckey->group->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp); ++} ++ ++ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, ++ const BIGNUM *in_kinv, const BIGNUM *in_r, ++ EC_KEY *eckey) ++{ ++ if (eckey->group->meth->ecdsa_sign_sig == NULL) { ++ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA); ++ return NULL; ++ } ++ ++ return eckey->group->meth->ecdsa_sign_sig(dgst, dgst_len, ++ in_kinv, in_r, eckey); ++} ++ ++int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, ++ const ECDSA_SIG *sig, EC_KEY *eckey) ++{ ++ if (eckey->group->meth->ecdsa_verify_sig == NULL) { ++ ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA); ++ return 0; ++ } ++ ++ return eckey->group->meth->ecdsa_verify_sig(dgst, dgst_len, sig, eckey); ++} ++ + int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, + unsigned char *sig, unsigned int *siglen, + const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey) +@@ -145,15 +180,15 @@ static int ecdsa_sign_setup(EC_KEY *ecke + return ret; + } + +-int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, +- BIGNUM **rp) ++int ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, ++ BIGNUM **rp) + { + return ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0); + } + +-ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, +- const BIGNUM *in_kinv, const BIGNUM *in_r, +- EC_KEY *eckey) ++ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, ++ const BIGNUM *in_kinv, const BIGNUM *in_r, ++ EC_KEY *eckey) + { + int ok = 0, i; + BIGNUM *kinv = NULL, *s, *m = NULL; +@@ -167,35 +202,35 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns + priv_key = EC_KEY_get0_private_key(eckey); + + if (group == NULL) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_PASSED_NULL_PARAMETER); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_PASSED_NULL_PARAMETER); + return NULL; + } + if (priv_key == NULL) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_MISSING_PRIVATE_KEY); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, EC_R_MISSING_PRIVATE_KEY); + return NULL; + } + + if (!EC_KEY_can_sign(eckey)) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); + return NULL; + } + + ret = ECDSA_SIG_new(); + if (ret == NULL) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE); + return NULL; + } + ret->r = BN_new(); + ret->s = BN_new(); + if (ret->r == NULL || ret->s == NULL) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE); + goto err; + } + s = ret->s; + + if ((ctx = BN_CTX_new()) == NULL + || (m = BN_new()) == NULL) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE); + goto err; + } + +@@ -207,25 +242,25 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns + if (8 * dgst_len > i) + dgst_len = (i + 7) / 8; + if (!BN_bin2bn(dgst, dgst_len, m)) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } + /* If still too long, truncate remaining bits with a shift */ + if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } + do { + if (in_kinv == NULL || in_r == NULL) { + if (!ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len)) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_ECDSA_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_ECDSA_LIB); + goto err; + } + ckinv = kinv; + } else { + ckinv = in_kinv; + if (BN_copy(ret->r, in_r) == NULL) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE); + goto err; + } + } +@@ -239,11 +274,11 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns + */ + if (!bn_to_mont_fixed_top(s, ret->r, group->mont_data, ctx) + || !bn_mul_mont_fixed_top(s, s, priv_key, group->mont_data, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } + if (!bn_mod_add_fixed_top(s, s, m, order)) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } + /* +@@ -252,7 +287,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns + */ + if (!bn_to_mont_fixed_top(s, s, group->mont_data, ctx) + || !BN_mod_mul_montgomery(s, s, ckinv, group->mont_data, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB); + goto err; + } + +@@ -262,7 +297,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns + * generate new kinv and r values + */ + if (in_kinv != NULL && in_r != NULL) { +- ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES); ++ ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES); + goto err; + } + } else { +@@ -314,8 +349,8 @@ int ossl_ecdsa_verify(int type, const un + return ret; + } + +-int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, +- const ECDSA_SIG *sig, EC_KEY *eckey) ++int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, ++ const ECDSA_SIG *sig, EC_KEY *eckey) + { + int ret = -1, i; + BN_CTX *ctx; +@@ -328,18 +363,18 @@ int ossl_ecdsa_verify_sig(const unsigned + /* check input values */ + if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || + (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_MISSING_PARAMETERS); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_MISSING_PARAMETERS); + return -1; + } + + if (!EC_KEY_can_sign(eckey)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); + return -1; + } + + ctx = BN_CTX_new(); + if (ctx == NULL) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_MALLOC_FAILURE); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_MALLOC_FAILURE); + return -1; + } + BN_CTX_start(ctx); +@@ -348,26 +383,26 @@ int ossl_ecdsa_verify_sig(const unsigned + m = BN_CTX_get(ctx); + X = BN_CTX_get(ctx); + if (X == NULL) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + + order = EC_GROUP_get0_order(group); + if (order == NULL) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB); + goto err; + } + + if (BN_is_zero(sig->r) || BN_is_negative(sig->r) || + BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) || + BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_BAD_SIGNATURE); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_BAD_SIGNATURE); + ret = 0; /* signature is invalid */ + goto err; + } + /* calculate tmp1 = inv(S) mod order */ + if (!ec_group_do_inverse_ord(group, u2, sig->s, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + /* digest -> m */ +@@ -378,41 +413,41 @@ int ossl_ecdsa_verify_sig(const unsigned + if (8 * dgst_len > i) + dgst_len = (i + 7) / 8; + if (!BN_bin2bn(dgst, dgst_len, m)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + /* If still too long truncate remaining bits with a shift */ + if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + /* u1 = m * tmp mod order */ + if (!BN_mod_mul(u1, m, u2, order, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + /* u2 = r * w mod q */ + if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + + if ((point = EC_POINT_new(group)) == NULL) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_MALLOC_FAILURE); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_MALLOC_FAILURE); + goto err; + } + if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB); + goto err; + } + + if (!EC_POINT_get_affine_coordinates(group, point, X, NULL, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB); + goto err; + } + + if (!BN_nnmod(u1, X, order, ctx)) { +- ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB); ++ ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB); + goto err; + } + /* if the signature is correct u1 is equal to sig->r */ +Index: openssl-1.1.1e/crypto/ec/ecp_mont.c +=================================================================== +--- openssl-1.1.1e.orig/crypto/ec/ecp_mont.c 2020-03-20 13:03:13.823258089 +0100 ++++ openssl-1.1.1e/crypto/ec/ecp_mont.c 2020-03-20 13:03:17.251276075 +0100 +@@ -63,6 +63,9 @@ const EC_METHOD *EC_GFp_mont_method(void + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + 0, /* field_inverse_mod_ord */ + ec_GFp_simple_blind_coordinates, + ec_GFp_simple_ladder_pre, +Index: openssl-1.1.1e/crypto/ec/ecp_nist.c +=================================================================== +--- openssl-1.1.1e.orig/crypto/ec/ecp_nist.c 2020-03-20 13:03:13.827258110 +0100 ++++ openssl-1.1.1e/crypto/ec/ecp_nist.c 2020-03-20 13:03:17.251276075 +0100 +@@ -65,6 +65,9 @@ const EC_METHOD *EC_GFp_nist_method(void + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + 0, /* field_inverse_mod_ord */ + ec_GFp_simple_blind_coordinates, + ec_GFp_simple_ladder_pre, +Index: openssl-1.1.1e/crypto/ec/ecp_nistp224.c +=================================================================== +--- openssl-1.1.1e.orig/crypto/ec/ecp_nistp224.c 2020-03-20 13:03:13.827258110 +0100 ++++ openssl-1.1.1e/crypto/ec/ecp_nistp224.c 2020-03-20 13:03:17.251276075 +0100 +@@ -291,6 +291,9 @@ const EC_METHOD *EC_GFp_nistp224_method( + ec_key_simple_generate_public_key, + 0, /* keycopy */ + 0, /* keyfinish */ ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + ecdh_simple_compute_key, + 0, /* field_inverse_mod_ord */ + 0, /* blind_coordinates */ +Index: openssl-1.1.1e/crypto/ec/ecp_nistp256.c +=================================================================== +--- openssl-1.1.1e.orig/crypto/ec/ecp_nistp256.c 2020-03-20 13:03:13.827258110 +0100 ++++ openssl-1.1.1e/crypto/ec/ecp_nistp256.c 2020-03-20 13:03:17.251276075 +0100 +@@ -1829,6 +1829,9 @@ const EC_METHOD *EC_GFp_nistp256_method( + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + 0, /* field_inverse_mod_ord */ + 0, /* blind_coordinates */ + 0, /* ladder_pre */ +Index: openssl-1.1.1e/crypto/ec/ecp_nistp521.c +=================================================================== +--- openssl-1.1.1e.orig/crypto/ec/ecp_nistp521.c 2020-03-20 13:03:13.827258110 +0100 ++++ openssl-1.1.1e/crypto/ec/ecp_nistp521.c 2020-03-20 13:03:17.251276075 +0100 +@@ -1669,6 +1669,9 @@ const EC_METHOD *EC_GFp_nistp521_method( + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + 0, /* field_inverse_mod_ord */ + 0, /* blind_coordinates */ + 0, /* ladder_pre */ +Index: openssl-1.1.1e/crypto/ec/ecp_nistz256.c +=================================================================== +--- openssl-1.1.1e.orig/crypto/ec/ecp_nistz256.c 2020-03-20 13:03:13.827258110 +0100 ++++ openssl-1.1.1e/crypto/ec/ecp_nistz256.c 2020-03-20 13:03:17.251276075 +0100 +@@ -1720,6 +1720,9 @@ const EC_METHOD *EC_GFp_nistz256_method( + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + ecp_nistz256_inv_mod_ord, /* can be #define-d NULL */ + 0, /* blind_coordinates */ + 0, /* ladder_pre */ +Index: openssl-1.1.1e/crypto/ec/ecp_s390x_nistp.c +=================================================================== +--- openssl-1.1.1e.orig/crypto/ec/ecp_s390x_nistp.c 2020-03-20 13:03:13.827258110 +0100 ++++ openssl-1.1.1e/crypto/ec/ecp_s390x_nistp.c 2020-03-20 13:03:17.251276075 +0100 +@@ -175,6 +175,9 @@ const EC_METHOD *EC_GFp_s390x_nistp##bit + NULL, /* keycopy */ \ + NULL, /* keyfinish */ \ + ecdh_simple_compute_key, \ ++ ecdsa_simple_sign_setup, \ ++ ecdsa_simple_sign_sig, \ ++ ecdsa_simple_verify_sig, \ + NULL, /* field_inverse_mod_ord */ \ + ec_GFp_simple_blind_coordinates, \ + ec_GFp_simple_ladder_pre, \ +Index: openssl-1.1.1e/crypto/ec/ecp_smpl.c +=================================================================== +--- openssl-1.1.1e.orig/crypto/ec/ecp_smpl.c 2020-03-20 13:03:13.827258110 +0100 ++++ openssl-1.1.1e/crypto/ec/ecp_smpl.c 2020-03-20 13:03:17.251276075 +0100 +@@ -64,6 +64,9 @@ const EC_METHOD *EC_GFp_simple_method(vo + 0, /* keycopy */ + 0, /* keyfinish */ + ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, + 0, /* field_inverse_mod_ord */ + ec_GFp_simple_blind_coordinates, + ec_GFp_simple_ladder_pre, +Index: openssl-1.1.1e/crypto/err/openssl.txt +=================================================================== +--- openssl-1.1.1e.orig/crypto/err/openssl.txt 2020-03-20 13:03:13.831258131 +0100 ++++ openssl-1.1.1e/crypto/err/openssl.txt 2020-03-20 13:03:17.251276075 +0100 +@@ -496,6 +496,9 @@ EC_F_ECDSA_SIGN_EX:254:ECDSA_sign_ex + EC_F_ECDSA_SIGN_SETUP:248:ECDSA_sign_setup + EC_F_ECDSA_SIG_NEW:265:ECDSA_SIG_new + EC_F_ECDSA_VERIFY:253:ECDSA_verify ++EC_F_ECDSA_SIMPLE_SIGN_SETUP:310:ecdsa_simple_sign_setup ++EC_F_ECDSA_SIMPLE_SIGN_SIG:311:ecdsa_simple_sign_sig ++EC_F_ECDSA_SIMPLE_VERIFY_SIG:312:ecdsa_simple_verify_sig + EC_F_ECD_ITEM_VERIFY:270:ecd_item_verify + EC_F_ECKEY_PARAM2TYPE:223:eckey_param2type + EC_F_ECKEY_PARAM_DECODE:212:eckey_param_decode +@@ -657,6 +660,7 @@ EC_F_NISTP521_PRE_COMP_NEW:237:nistp521_ + EC_F_O2I_ECPUBLICKEY:152:o2i_ECPublicKey + EC_F_OLD_EC_PRIV_DECODE:222:old_ec_priv_decode + EC_F_OSSL_ECDH_COMPUTE_KEY:247:ossl_ecdh_compute_key ++EC_F_OSSL_ECDSA_SIGN_SETUP:300:ossl_ecdsa_sign_setup + EC_F_OSSL_ECDSA_SIGN_SIG:249:ossl_ecdsa_sign_sig + EC_F_OSSL_ECDSA_VERIFY_SIG:250:ossl_ecdsa_verify_sig + EC_F_PKEY_ECD_CTRL:271:pkey_ecd_ctrl +@@ -2133,6 +2137,7 @@ EC_R_BUFFER_TOO_SMALL:100:buffer too sma + EC_R_CANNOT_INVERT:165:cannot invert + EC_R_COORDINATES_OUT_OF_RANGE:146:coordinates out of range + EC_R_CURVE_DOES_NOT_SUPPORT_ECDH:160:curve does not support ecdh ++EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA:170:curve does not support ecdsa + EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing + EC_R_D2I_ECPKPARAMETERS_FAILURE:117:d2i ecpkparameters failure + EC_R_DECODE_ERROR:142:decode error +Index: openssl-1.1.1e/include/openssl/ecerr.h +=================================================================== +--- openssl-1.1.1e.orig/include/openssl/ecerr.h 2020-03-20 13:03:13.831258131 +0100 ++++ openssl-1.1.1e/include/openssl/ecerr.h 2020-03-20 13:03:17.251276075 +0100 +@@ -41,6 +41,9 @@ int ERR_load_EC_strings(void); + # define EC_F_ECDSA_SIGN_EX 254 + # define EC_F_ECDSA_SIGN_SETUP 248 + # define EC_F_ECDSA_SIG_NEW 265 ++# define EC_F_ECDSA_SIMPLE_SIGN_SETUP 310 ++# define EC_F_ECDSA_SIMPLE_SIGN_SIG 311 ++# define EC_F_ECDSA_SIMPLE_VERIFY_SIG 312 + # define EC_F_ECDSA_VERIFY 253 + # define EC_F_ECD_ITEM_VERIFY 270 + # define EC_F_ECKEY_PARAM2TYPE 223 +@@ -185,6 +188,7 @@ int ERR_load_EC_strings(void); + # define EC_F_O2I_ECPUBLICKEY 152 + # define EC_F_OLD_EC_PRIV_DECODE 222 + # define EC_F_OSSL_ECDH_COMPUTE_KEY 247 ++# define EC_F_OSSL_ECDSA_SIGN_SETUP 300 + # define EC_F_OSSL_ECDSA_SIGN_SIG 249 + # define EC_F_OSSL_ECDSA_VERIFY_SIG 250 + # define EC_F_PKEY_ECD_CTRL 271 +@@ -212,6 +216,7 @@ int ERR_load_EC_strings(void); + # define EC_R_CANNOT_INVERT 165 + # define EC_R_COORDINATES_OUT_OF_RANGE 146 + # define EC_R_CURVE_DOES_NOT_SUPPORT_ECDH 160 ++# define EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA 170 + # define EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING 159 + # define EC_R_D2I_ECPKPARAMETERS_FAILURE 117 + # define EC_R_DECODE_ERROR 142 diff --git a/openssl-FIPS-KAT-before-integrity-tests.patch b/openssl-FIPS-KAT-before-integrity-tests.patch new file mode 100644 index 0000000..3f3a93f --- /dev/null +++ b/openssl-FIPS-KAT-before-integrity-tests.patch @@ -0,0 +1,26 @@ +Index: openssl-1.1.1l/crypto/fips/fips.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips.c ++++ openssl-1.1.1l/crypto/fips/fips.c +@@ -453,15 +453,17 @@ int FIPS_module_mode_set(int onoff) + + fips_post = 1; + +- if (!verify_checksums()) { +- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, +- FIPS_R_FINGERPRINT_DOES_NOT_MATCH); ++ /* Run the KATs before the HMAC verification for FIPS 140-3 compliance */ ++ if (!FIPS_selftest()) { + fips_selftest_fail = 1; + ret = 0; + goto end; + } + +- if (!FIPS_selftest()) { ++ /* Run the HMAC verification after the KATs for FIPS 140-3 compliance */ ++ if (!verify_checksums()) { ++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, ++ FIPS_R_FINGERPRINT_DOES_NOT_MATCH); + fips_selftest_fail = 1; + ret = 0; + goto end; diff --git a/openssl-Fix-9bf682f-which-broke-nistp224_method.patch b/openssl-Fix-9bf682f-which-broke-nistp224_method.patch new file mode 100644 index 0000000..bbcf5c7 --- /dev/null +++ b/openssl-Fix-9bf682f-which-broke-nistp224_method.patch @@ -0,0 +1,57 @@ +From 653b883b97f72a15d35d21246696881aa65311e2 Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Thu, 15 Aug 2019 22:51:57 +0200 +Subject: [PATCH] Fix 9bf682f which broke nistp224_method + +Signed-off-by: Patrick Steuer + +Reviewed-by: Richard Levitte +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/9607) +--- + crypto/ec/ecp_nistp224.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: openssl-1.1.1d/crypto/ec/ecp_nistp224.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/ec/ecp_nistp224.c 2020-01-23 13:45:11.104632265 +0100 ++++ openssl-1.1.1d/crypto/ec/ecp_nistp224.c 2020-01-23 13:45:11.208632883 +0100 +@@ -291,10 +291,10 @@ const EC_METHOD *EC_GFp_nistp224_method( + ec_key_simple_generate_public_key, + 0, /* keycopy */ + 0, /* keyfinish */ ++ ecdh_simple_compute_key, + ecdsa_simple_sign_setup, + ecdsa_simple_sign_sig, + ecdsa_simple_verify_sig, +- ecdh_simple_compute_key, + 0, /* field_inverse_mod_ord */ + 0, /* blind_coordinates */ + 0, /* ladder_pre */ +Index: openssl-1.1.1d/crypto/ec/build.info +=================================================================== +--- openssl-1.1.1d.orig/crypto/ec/build.info 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/ec/build.info 2020-01-23 13:45:11.208632883 +0100 +@@ -20,6 +20,9 @@ GENERATE[ecp_nistz256-avx2.s]=asm/ecp_ni + GENERATE[ecp_nistz256-sparcv9.S]=asm/ecp_nistz256-sparcv9.pl $(PERLASM_SCHEME) + INCLUDE[ecp_nistz256-sparcv9.o]=.. + ++INCLUDE[ecp_s390x_nistp.o]=.. ++INCLUDE[ecx_meth.o]=.. ++ + GENERATE[ecp_nistz256-armv4.S]=asm/ecp_nistz256-armv4.pl $(PERLASM_SCHEME) + INCLUDE[ecp_nistz256-armv4.o]=.. + GENERATE[ecp_nistz256-armv8.S]=asm/ecp_nistz256-armv8.pl $(PERLASM_SCHEME) +Index: openssl-1.1.1d/include/openssl/ecerr.h +=================================================================== +--- openssl-1.1.1d.orig/include/openssl/ecerr.h 2020-01-23 13:45:11.108632290 +0100 ++++ openssl-1.1.1d/include/openssl/ecerr.h 2020-01-23 13:45:11.208632883 +0100 +@@ -38,6 +38,8 @@ int ERR_load_EC_strings(void); + # define EC_F_ECDH_SIMPLE_COMPUTE_KEY 257 + # define EC_F_ECDSA_DO_SIGN_EX 251 + # define EC_F_ECDSA_DO_VERIFY 252 ++# define EC_F_ECDSA_S390X_NISTP_SIGN_SIG 313 ++# define EC_F_ECDSA_S390X_NISTP_VERIFY_SIG 314 + # define EC_F_ECDSA_SIGN_EX 254 + # define EC_F_ECDSA_SIGN_SETUP 248 + # define EC_F_ECDSA_SIG_NEW 265 diff --git a/openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch b/openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch new file mode 100644 index 0000000..7c57d6b --- /dev/null +++ b/openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch @@ -0,0 +1,495 @@ +From 3d3a7ecd1ae5ab08d22041f7b3b035c34f12fa02 Mon Sep 17 00:00:00 2001 +From: Danny Tsen +Date: Tue, 22 Aug 2023 15:58:53 -0400 +Subject: [PATCH] Improve performance for 6x unrolling with vpermxor + instruction + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/21812) +--- + crypto/aes/asm/aesp8-ppc.pl | 145 +++++++++++++++++++++++------------- + 1 file changed, 95 insertions(+), 50 deletions(-) + +diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl +index 60cf86f52aed2..38b9405a283b7 100755 +--- a/crypto/aes/asm/aesp8-ppc.pl ++++ b/crypto/aes/asm/aesp8-ppc.pl +@@ -99,11 +99,12 @@ + .long 0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000 ?rev + .long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev + .long 0,0,0,0 ?asis ++.long 0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe + Lconsts: + mflr r0 + bcl 20,31,\$+4 + mflr $ptr #vvvvv "distance between . and rcon +- addi $ptr,$ptr,-0x48 ++ addi $ptr,$ptr,-0x58 + mtlr r0 + blr + .long 0 +@@ -2405,7 +2406,7 @@ () + my $key_=$key2; + my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31)); + $x00=0 if ($flavour =~ /osx/); +-my ($in0, $in1, $in2, $in3, $in4, $in5 )=map("v$_",(0..5)); ++my ($in0, $in1, $in2, $in3, $in4, $in5)=map("v$_",(0..5)); + my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16)); + my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22)); + my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys +@@ -2460,6 +2461,18 @@ () + li $x70,0x70 + mtspr 256,r0 + ++ # Reverse eighty7 to 0x010101..87 ++ xxlor 2, 32+$eighty7, 32+$eighty7 ++ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87 ++ xxlor 1, 32+$eighty7, 32+$eighty7 ++ ++ # Load XOR contents. 0xf102132435465768798a9bacbdcedfe ++ mr $x70, r6 ++ bl Lconsts ++ lxvw4x 0, $x40, r6 # load XOR contents ++ mr r6, $x70 ++ li $x70,0x70 ++ + subi $rounds,$rounds,3 # -4 in total + + lvx $rndkey0,$x00,$key1 # load key schedule +@@ -2502,69 +2515,77 @@ () + ?vperm v31,v31,$twk5,$keyperm + lvx v25,$x10,$key_ # pre-load round[2] + ++ # Switch to use the following codes with 0x010101..87 to generate tweak. ++ # eighty7 = 0x010101..87 ++ # vsrab tmp, tweak, seven # next tweak value, right shift 7 bits ++ # vand tmp, tmp, eighty7 # last byte with carry ++ # vaddubm tweak, tweak, tweak # left shift 1 bit (x2) ++ # xxlor vsx, 0, 0 ++ # vpermxor tweak, tweak, tmp, vsx ++ + vperm $in0,$inout,$inptail,$inpperm + subi $inp,$inp,31 # undo "caller" + vxor $twk0,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + vand $tmp,$tmp,$eighty7 + vxor $out0,$in0,$twk0 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in1, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in1 + + lvx_u $in1,$x10,$inp + vxor $twk1,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in1,$in1,$in1,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out1,$in1,$twk1 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in2, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in2 + + lvx_u $in2,$x20,$inp + andi. $taillen,$len,15 + vxor $twk2,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in2,$in2,$in2,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out2,$in2,$twk2 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in3, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in3 + + lvx_u $in3,$x30,$inp + sub $len,$len,$taillen + vxor $twk3,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in3,$in3,$in3,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out3,$in3,$twk3 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in4, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in4 + + lvx_u $in4,$x40,$inp + subi $len,$len,0x60 + vxor $twk4,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in4,$in4,$in4,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out4,$in4,$twk4 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in5, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in5 + + lvx_u $in5,$x50,$inp + addi $inp,$inp,0x60 + vxor $twk5,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in5,$in5,$in5,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out5,$in5,$twk5 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in0, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in0 + + vxor v31,v31,$rndkey0 + mtctr $rounds +@@ -2590,6 +2611,8 @@ () + lvx v25,$x10,$key_ # round[4] + bdnz Loop_xts_enc6x + ++ xxlor 32+$eighty7, 1, 1 # 0x010101..87 ++ + subic $len,$len,96 # $len-=96 + vxor $in0,$twk0,v31 # xor with last round key + vcipher $out0,$out0,v24 +@@ -2599,7 +2622,6 @@ () + vaddubm $tweak,$tweak,$tweak + vcipher $out2,$out2,v24 + vcipher $out3,$out3,v24 +- vsldoi $tmp,$tmp,$tmp,15 + vcipher $out4,$out4,v24 + vcipher $out5,$out5,v24 + +@@ -2607,7 +2629,8 @@ () + vand $tmp,$tmp,$eighty7 + vcipher $out0,$out0,v25 + vcipher $out1,$out1,v25 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in1, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in1 + vcipher $out2,$out2,v25 + vcipher $out3,$out3,v25 + vxor $in1,$twk1,v31 +@@ -2618,13 +2641,13 @@ () + + and r0,r0,$len + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + vcipher $out0,$out0,v26 + vcipher $out1,$out1,v26 + vand $tmp,$tmp,$eighty7 + vcipher $out2,$out2,v26 + vcipher $out3,$out3,v26 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in2, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in2 + vcipher $out4,$out4,v26 + vcipher $out5,$out5,v26 + +@@ -2638,7 +2661,6 @@ () + vaddubm $tweak,$tweak,$tweak + vcipher $out0,$out0,v27 + vcipher $out1,$out1,v27 +- vsldoi $tmp,$tmp,$tmp,15 + vcipher $out2,$out2,v27 + vcipher $out3,$out3,v27 + vand $tmp,$tmp,$eighty7 +@@ -2646,7 +2668,8 @@ () + vcipher $out5,$out5,v27 + + addi $key_,$sp,$FRAME+15 # rewind $key_ +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in3, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in3 + vcipher $out0,$out0,v28 + vcipher $out1,$out1,v28 + vxor $in3,$twk3,v31 +@@ -2655,7 +2678,6 @@ () + vcipher $out2,$out2,v28 + vcipher $out3,$out3,v28 + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + vcipher $out4,$out4,v28 + vcipher $out5,$out5,v28 + lvx v24,$x00,$key_ # re-pre-load round[1] +@@ -2663,7 +2685,8 @@ () + + vcipher $out0,$out0,v29 + vcipher $out1,$out1,v29 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in4, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in4 + vcipher $out2,$out2,v29 + vcipher $out3,$out3,v29 + vxor $in4,$twk4,v31 +@@ -2673,14 +2696,14 @@ () + vcipher $out5,$out5,v29 + lvx v25,$x10,$key_ # re-pre-load round[2] + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + + vcipher $out0,$out0,v30 + vcipher $out1,$out1,v30 + vand $tmp,$tmp,$eighty7 + vcipher $out2,$out2,v30 + vcipher $out3,$out3,v30 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in5, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in5 + vcipher $out4,$out4,v30 + vcipher $out5,$out5,v30 + vxor $in5,$twk5,v31 +@@ -2690,7 +2713,6 @@ () + vcipherlast $out0,$out0,$in0 + lvx_u $in0,$x00,$inp # load next input block + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + vcipherlast $out1,$out1,$in1 + lvx_u $in1,$x10,$inp + vcipherlast $out2,$out2,$in2 +@@ -2703,7 +2725,10 @@ () + vcipherlast $out4,$out4,$in4 + le?vperm $in2,$in2,$in2,$leperm + lvx_u $in4,$x40,$inp +- vxor $tweak,$tweak,$tmp ++ xxlor 10, 32+$in0, 32+$in0 ++ xxlor 32+$in0, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in0 ++ xxlor 32+$in0, 10, 10 + vcipherlast $tmp,$out5,$in5 # last block might be needed + # in stealing mode + le?vperm $in3,$in3,$in3,$leperm +@@ -2736,6 +2761,8 @@ () + mtctr $rounds + beq Loop_xts_enc6x # did $len-=96 borrow? + ++ xxlor 32+$eighty7, 2, 2 # 0x870101..01 ++ + addic. $len,$len,0x60 + beq Lxts_enc6x_zero + cmpwi $len,0x20 +@@ -3112,6 +3139,18 @@ () + li $x70,0x70 + mtspr 256,r0 + ++ # Reverse eighty7 to 0x010101..87 ++ xxlor 2, 32+$eighty7, 32+$eighty7 ++ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87 ++ xxlor 1, 32+$eighty7, 32+$eighty7 ++ ++ # Load XOR contents. 0xf102132435465768798a9bacbdcedfe ++ mr $x70, r6 ++ bl Lconsts ++ lxvw4x 0, $x40, r6 # load XOR contents ++ mr r6, $x70 ++ li $x70,0x70 ++ + subi $rounds,$rounds,3 # -4 in total + + lvx $rndkey0,$x00,$key1 # load key schedule +@@ -3159,64 +3198,64 @@ () + vxor $twk0,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + vand $tmp,$tmp,$eighty7 + vxor $out0,$in0,$twk0 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in1, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in1 + + lvx_u $in1,$x10,$inp + vxor $twk1,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in1,$in1,$in1,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out1,$in1,$twk1 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in2, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in2 + + lvx_u $in2,$x20,$inp + andi. $taillen,$len,15 + vxor $twk2,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in2,$in2,$in2,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out2,$in2,$twk2 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in3, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in3 + + lvx_u $in3,$x30,$inp + sub $len,$len,$taillen + vxor $twk3,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in3,$in3,$in3,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out3,$in3,$twk3 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in4, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in4 + + lvx_u $in4,$x40,$inp + subi $len,$len,0x60 + vxor $twk4,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in4,$in4,$in4,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out4,$in4,$twk4 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in5, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in5 + + lvx_u $in5,$x50,$inp + addi $inp,$inp,0x60 + vxor $twk5,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in5,$in5,$in5,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out5,$in5,$twk5 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in0, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in0 + + vxor v31,v31,$rndkey0 + mtctr $rounds +@@ -3242,6 +3281,8 @@ () + lvx v25,$x10,$key_ # round[4] + bdnz Loop_xts_dec6x + ++ xxlor 32+$eighty7, 1, 1 ++ + subic $len,$len,96 # $len-=96 + vxor $in0,$twk0,v31 # xor with last round key + vncipher $out0,$out0,v24 +@@ -3251,7 +3292,6 @@ () + vaddubm $tweak,$tweak,$tweak + vncipher $out2,$out2,v24 + vncipher $out3,$out3,v24 +- vsldoi $tmp,$tmp,$tmp,15 + vncipher $out4,$out4,v24 + vncipher $out5,$out5,v24 + +@@ -3259,7 +3299,8 @@ () + vand $tmp,$tmp,$eighty7 + vncipher $out0,$out0,v25 + vncipher $out1,$out1,v25 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in1, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in1 + vncipher $out2,$out2,v25 + vncipher $out3,$out3,v25 + vxor $in1,$twk1,v31 +@@ -3270,13 +3311,13 @@ () + + and r0,r0,$len + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + vncipher $out0,$out0,v26 + vncipher $out1,$out1,v26 + vand $tmp,$tmp,$eighty7 + vncipher $out2,$out2,v26 + vncipher $out3,$out3,v26 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in2, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in2 + vncipher $out4,$out4,v26 + vncipher $out5,$out5,v26 + +@@ -3290,7 +3331,6 @@ () + vaddubm $tweak,$tweak,$tweak + vncipher $out0,$out0,v27 + vncipher $out1,$out1,v27 +- vsldoi $tmp,$tmp,$tmp,15 + vncipher $out2,$out2,v27 + vncipher $out3,$out3,v27 + vand $tmp,$tmp,$eighty7 +@@ -3298,7 +3338,8 @@ () + vncipher $out5,$out5,v27 + + addi $key_,$sp,$FRAME+15 # rewind $key_ +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in3, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in3 + vncipher $out0,$out0,v28 + vncipher $out1,$out1,v28 + vxor $in3,$twk3,v31 +@@ -3307,7 +3348,6 @@ () + vncipher $out2,$out2,v28 + vncipher $out3,$out3,v28 + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + vncipher $out4,$out4,v28 + vncipher $out5,$out5,v28 + lvx v24,$x00,$key_ # re-pre-load round[1] +@@ -3315,7 +3355,8 @@ () + + vncipher $out0,$out0,v29 + vncipher $out1,$out1,v29 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in4, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in4 + vncipher $out2,$out2,v29 + vncipher $out3,$out3,v29 + vxor $in4,$twk4,v31 +@@ -3325,14 +3366,14 @@ () + vncipher $out5,$out5,v29 + lvx v25,$x10,$key_ # re-pre-load round[2] + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + + vncipher $out0,$out0,v30 + vncipher $out1,$out1,v30 + vand $tmp,$tmp,$eighty7 + vncipher $out2,$out2,v30 + vncipher $out3,$out3,v30 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in5, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in5 + vncipher $out4,$out4,v30 + vncipher $out5,$out5,v30 + vxor $in5,$twk5,v31 +@@ -3342,7 +3383,6 @@ () + vncipherlast $out0,$out0,$in0 + lvx_u $in0,$x00,$inp # load next input block + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + vncipherlast $out1,$out1,$in1 + lvx_u $in1,$x10,$inp + vncipherlast $out2,$out2,$in2 +@@ -3355,7 +3395,10 @@ () + vncipherlast $out4,$out4,$in4 + le?vperm $in2,$in2,$in2,$leperm + lvx_u $in4,$x40,$inp +- vxor $tweak,$tweak,$tmp ++ xxlor 10, 32+$in0, 32+$in0 ++ xxlor 32+$in0, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in0 ++ xxlor 32+$in0, 10, 10 + vncipherlast $out5,$out5,$in5 + le?vperm $in3,$in3,$in3,$leperm + lvx_u $in5,$x50,$inp +@@ -3386,6 +3429,8 @@ () + mtctr $rounds + beq Loop_xts_dec6x # did $len-=96 borrow? + ++ xxlor 32+$eighty7, 2, 2 ++ + addic. $len,$len,0x60 + beq Lxts_dec6x_zero + cmpwi $len,0x20 diff --git a/openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch b/openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch new file mode 100644 index 0000000..56e6a5d --- /dev/null +++ b/openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch @@ -0,0 +1,30 @@ +From 3ded2288a45d2cc3a27a1b08d29499cbcec52c0e Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Fri, 12 Jul 2019 13:47:32 +0200 +Subject: [PATCH 09207/10000] OPENSSL_s390xcap.pod: list msa9 facility bit + (155) + +Signed-off-by: Patrick Steuer + +Reviewed-by: Richard Levitte +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/9348) +--- + doc/man3/OPENSSL_s390xcap.pod | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod +index e45da4467f..1f4ee85fdf 100644 +--- a/doc/man3/OPENSSL_s390xcap.pod ++++ b/doc/man3/OPENSSL_s390xcap.pod +@@ -72,6 +72,7 @@ the numbering is continuous across 64-bit mask boundaries. + #134 1<<57 vector packed decimal facility + #135 1<<56 vector enhancements facility 1 + #146 1<<45 message-security assist extension 8 ++ #155 1<<36 message-security assist extension 9 + + kimd : + # 1 1<<62 KIMD-SHA-1 +-- +2.24.0 + diff --git a/openssl-Skip_SHA1-test-in-FIPS-mode.patch b/openssl-Skip_SHA1-test-in-FIPS-mode.patch new file mode 100644 index 0000000..b8907d8 --- /dev/null +++ b/openssl-Skip_SHA1-test-in-FIPS-mode.patch @@ -0,0 +1,15 @@ +Index: openssl-1.1.1w/test/recipes/20-test_dgst.t +=================================================================== +--- openssl-1.1.1w.orig/test/recipes/20-test_dgst.t ++++ openssl-1.1.1w/test/recipes/20-test_dgst.t +@@ -104,8 +105,8 @@ SKIP: { + } + + SKIP: { +- skip "dgst with engine is not supported by this OpenSSL build", 1 +- if disabled("engine") || disabled("dynamic-engine"); ++ skip "dgst with engine is not supported by this OpenSSL build or we are in FIPS mode", 1 ++ if disabled("engine") || disabled("dynamic-engine") || ($ENV{OPENSSL_FORCE_FIPS_MODE}); + + subtest "SHA1 generation by engine with `dgst` CLI" => sub { + plan tests => 1; diff --git a/openssl-assembly-pack-accelerate-scalar-multiplication.patch b/openssl-assembly-pack-accelerate-scalar-multiplication.patch new file mode 100644 index 0000000..048756b --- /dev/null +++ b/openssl-assembly-pack-accelerate-scalar-multiplication.patch @@ -0,0 +1,311 @@ +From 1461e66706f24da657d7322706d1165ae515533f Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Tue, 9 Jul 2019 10:25:04 +0200 +Subject: [PATCH 09204/10000] s390x assembly pack: accelerate scalar + multiplication + +for NIST P-256, P-384 and P-521 using PCC instruction. + +Signed-off-by: Patrick Steuer + +Reviewed-by: Richard Levitte +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/9348) +--- + crypto/ec/build.info | 3 +- + crypto/ec/ec_curve.c | 42 +++++--- + crypto/ec/ec_local.h | 5 + + crypto/ec/ecp_s390x_nistp.c | 197 ++++++++++++++++++++++++++++++++++++ + 4 files changed, 234 insertions(+), 13 deletions(-) + create mode 100644 crypto/ec/ecp_s390x_nistp.c + +Index: openssl-1.1.1d/crypto/ec/ec_curve.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/ec/ec_curve.c ++++ openssl-1.1.1d/crypto/ec/ec_curve.c +@@ -2829,16 +2829,25 @@ static const ec_list_element curve_list[ + {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, + "SECG curve over a 256 bit prime field"}, + /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ +- {NID_secp384r1, &_EC_NIST_PRIME_384.h, 0, ++ {NID_secp384r1, &_EC_NIST_PRIME_384.h, ++# if defined(S390X_NISTP_ASM) ++ EC_GFp_s390x_nistp384_method, ++# else ++ 0, ++# endif + "NIST/SECG curve over a 384 bit prime field"}, +-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 +- {NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method, +- "NIST/SECG curve over a 521 bit prime field"}, ++ ++ {NID_secp521r1, &_EC_NIST_PRIME_521.h, ++# if defined(S390X_NISTP_ASM) ++ EC_GFp_s390x_nistp521_method, ++# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) ++ EC_GFp_nistp521_method, + #else +- {NID_secp521r1, &_EC_NIST_PRIME_521.h, 0, +- "NIST/SECG curve over a 521 bit prime field"}, ++ 0, + #endif +- /* X9.62 curves */ ++ "NIST/SECG curve over a 521 bit prime field"}, ++ ++ /* X9.62 curves */ + {NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0, + "NIST/X9.62/SECG curve over a 192 bit prime field"}, + {NID_X9_62_prime192v2, &_EC_X9_62_PRIME_192V2.h, 0, +@@ -2854,6 +2863,8 @@ static const ec_list_element curve_list[ + {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, + #if defined(ECP_NISTZ256_ASM) + EC_GFp_nistz256_method, ++# elif defined(S390X_NISTP_ASM) ++ EC_GFp_s390x_nistp256_method, + #elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) + EC_GFp_nistp256_method, + #else +Index: openssl-1.1.1d/crypto/ec/ec_local.h +=================================================================== +--- openssl-1.1.1d.orig/crypto/ec/ec_local.h ++++ openssl-1.1.1d/crypto/ec/ec_local.h +@@ -587,6 +587,11 @@ int ec_group_simple_order_bits(const EC_ + */ + const EC_METHOD *EC_GFp_nistz256_method(void); + #endif ++#ifdef S390X_NISTP_ASM ++const EC_METHOD *EC_GFp_s390x_nistp256_method(void); ++const EC_METHOD *EC_GFp_s390x_nistp384_method(void); ++const EC_METHOD *EC_GFp_s390x_nistp521_method(void); ++#endif + + size_t ec_key_simple_priv2oct(const EC_KEY *eckey, + unsigned char *buf, size_t len); +Index: openssl-1.1.1d/crypto/ec/ecp_s390x_nistp.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1d/crypto/ec/ecp_s390x_nistp.c +@@ -0,0 +1,197 @@ ++/* ++ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include ++#include "ec_local.h" ++#include "s390x_arch.h" ++ ++/* Size of parameter blocks */ ++#define S390X_SIZE_PARAM 4096 ++ ++/* Size of fields in parameter blocks */ ++#define S390X_SIZE_P256 32 ++#define S390X_SIZE_P384 48 ++#define S390X_SIZE_P521 80 ++ ++/* Offsets of fields in PCC parameter blocks */ ++#define S390X_OFF_RES_X(n) (0 * n) ++#define S390X_OFF_RES_Y(n) (1 * n) ++#define S390X_OFF_SRC_X(n) (2 * n) ++#define S390X_OFF_SRC_Y(n) (3 * n) ++#define S390X_OFF_SCALAR(n) (4 * n) ++ ++static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r, ++ const BIGNUM *scalar, ++ size_t num, const EC_POINT *points[], ++ const BIGNUM *scalars[], ++ BN_CTX *ctx, unsigned int fc, int len) ++{ ++ unsigned char param[S390X_SIZE_PARAM]; ++ BIGNUM *x, *y; ++ const EC_POINT *point_ptr = NULL; ++ const BIGNUM *scalar_ptr = NULL; ++ BN_CTX *new_ctx = NULL; ++ int rc = -1; ++ ++ if (ctx == NULL) { ++ ctx = new_ctx = BN_CTX_new(); ++ if (ctx == NULL) ++ return 0; ++ } ++ ++ BN_CTX_start(ctx); ++ ++ x = BN_CTX_get(ctx); ++ y = BN_CTX_get(ctx); ++ if (x == NULL || y == NULL) { ++ rc = 0; ++ goto ret; ++ } ++ ++ /* ++ * Use PCC for EC keygen and ECDH key derivation: ++ * scalar * generator and scalar * peer public key, ++ * scalar in [0,order). ++ */ ++ if ((scalar != NULL && num == 0 && BN_is_negative(scalar) == 0) ++ || (scalar == NULL && num == 1 && BN_is_negative(scalars[0]) == 0)) { ++ ++ if (num == 0) { ++ point_ptr = EC_GROUP_get0_generator(group); ++ scalar_ptr = scalar; ++ } else { ++ point_ptr = points[0]; ++ scalar_ptr = scalars[0]; ++ } ++ ++ if (EC_POINT_is_at_infinity(group, point_ptr) == 1 ++ || BN_is_zero(scalar_ptr)) { ++ rc = EC_POINT_set_to_infinity(group, r); ++ goto ret; ++ } ++ ++ memset(¶m, 0, sizeof(param)); ++ ++ if (group->meth->point_get_affine_coordinates(group, point_ptr, ++ x, y, ctx) != 1 ++ || BN_bn2binpad(x, param + S390X_OFF_SRC_X(len), len) == -1 ++ || BN_bn2binpad(y, param + S390X_OFF_SRC_Y(len), len) == -1 ++ || BN_bn2binpad(scalar_ptr, ++ param + S390X_OFF_SCALAR(len), len) == -1 ++ || s390x_pcc(fc, param) != 0 ++ || BN_bin2bn(param + S390X_OFF_RES_X(len), len, x) == NULL ++ || BN_bin2bn(param + S390X_OFF_RES_Y(len), len, y) == NULL ++ || group->meth->point_set_affine_coordinates(group, r, ++ x, y, ctx) != 1) ++ goto ret; ++ ++ rc = 1; ++ } ++ ++ret: ++ /* Otherwise use default. */ ++ if (rc == -1) ++ rc = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); ++ OPENSSL_cleanse(param, sizeof(param)); ++ BN_CTX_end(ctx); ++ BN_CTX_free(new_ctx); ++ return rc; ++} ++ ++#define EC_GFP_S390X_NISTP_METHOD(bits) \ ++ \ ++static int ec_GFp_s390x_nistp##bits##_mul(const EC_GROUP *group, \ ++ EC_POINT *r, \ ++ const BIGNUM *scalar, \ ++ size_t num, \ ++ const EC_POINT *points[], \ ++ const BIGNUM *scalars[], \ ++ BN_CTX *ctx) \ ++{ \ ++ return ec_GFp_s390x_nistp_mul(group, r, scalar, num, points, \ ++ scalars, ctx, \ ++ S390X_SCALAR_MULTIPLY_P##bits, \ ++ S390X_SIZE_P##bits); \ ++} \ ++ \ ++const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void) \ ++{ \ ++ static const EC_METHOD EC_GFp_s390x_nistp##bits##_meth = { \ ++ EC_FLAGS_DEFAULT_OCT, \ ++ NID_X9_62_prime_field, \ ++ ec_GFp_simple_group_init, \ ++ ec_GFp_simple_group_finish, \ ++ ec_GFp_simple_group_clear_finish, \ ++ ec_GFp_simple_group_copy, \ ++ ec_GFp_simple_group_set_curve, \ ++ ec_GFp_simple_group_get_curve, \ ++ ec_GFp_simple_group_get_degree, \ ++ ec_group_simple_order_bits, \ ++ ec_GFp_simple_group_check_discriminant, \ ++ ec_GFp_simple_point_init, \ ++ ec_GFp_simple_point_finish, \ ++ ec_GFp_simple_point_clear_finish, \ ++ ec_GFp_simple_point_copy, \ ++ ec_GFp_simple_point_set_to_infinity, \ ++ ec_GFp_simple_set_Jprojective_coordinates_GFp, \ ++ ec_GFp_simple_get_Jprojective_coordinates_GFp, \ ++ ec_GFp_simple_point_set_affine_coordinates, \ ++ ec_GFp_simple_point_get_affine_coordinates, \ ++ NULL, /* point_set_compressed_coordinates */ \ ++ NULL, /* point2oct */ \ ++ NULL, /* oct2point */ \ ++ ec_GFp_simple_add, \ ++ ec_GFp_simple_dbl, \ ++ ec_GFp_simple_invert, \ ++ ec_GFp_simple_is_at_infinity, \ ++ ec_GFp_simple_is_on_curve, \ ++ ec_GFp_simple_cmp, \ ++ ec_GFp_simple_make_affine, \ ++ ec_GFp_simple_points_make_affine, \ ++ ec_GFp_s390x_nistp##bits##_mul, \ ++ NULL, /* precompute_mult */ \ ++ NULL, /* have_precompute_mult */ \ ++ ec_GFp_simple_field_mul, \ ++ ec_GFp_simple_field_sqr, \ ++ NULL, /* field_div */ \ ++ ec_GFp_simple_field_inv, \ ++ NULL, /* field_encode */ \ ++ NULL, /* field_decode */ \ ++ NULL, /* field_set_to_one */ \ ++ ec_key_simple_priv2oct, \ ++ ec_key_simple_oct2priv, \ ++ NULL, /* set_private */ \ ++ ec_key_simple_generate_key, \ ++ ec_key_simple_check_key, \ ++ ec_key_simple_generate_public_key, \ ++ NULL, /* keycopy */ \ ++ NULL, /* keyfinish */ \ ++ ecdh_simple_compute_key, \ ++ NULL, /* field_inverse_mod_ord */ \ ++ ec_GFp_simple_blind_coordinates, \ ++ ec_GFp_simple_ladder_pre, \ ++ ec_GFp_simple_ladder_step, \ ++ ec_GFp_simple_ladder_post \ ++ }; \ ++ static const EC_METHOD *ret; \ ++ \ ++ if (OPENSSL_s390xcap_P.pcc[1] \ ++ & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P##bits)) \ ++ ret = &EC_GFp_s390x_nistp##bits##_meth; \ ++ else \ ++ ret = EC_GFp_mont_method(); \ ++ \ ++ return ret; \ ++} ++ ++EC_GFP_S390X_NISTP_METHOD(256) ++EC_GFP_S390X_NISTP_METHOD(384) ++EC_GFP_S390X_NISTP_METHOD(521) +Index: openssl-1.1.1d/Configurations/00-base-templates.conf +=================================================================== +--- openssl-1.1.1d.orig/Configurations/00-base-templates.conf ++++ openssl-1.1.1d/Configurations/00-base-templates.conf +@@ -289,6 +289,7 @@ my %targets=( + template => 1, + cpuid_asm_src => "s390xcap.c s390xcpuid.S", + bn_asm_src => "asm/s390x.S s390x-mont.S s390x-gf2m.s", ++ ec_asm_src => "ecp_s390x_nistp.c", + aes_asm_src => "aes-s390x.S aes-ctr.fake aes-xts.fake", + sha1_asm_src => "sha1-s390x.S sha256-s390x.S sha512-s390x.S", + rc4_asm_src => "rc4-s390x.s", +Index: openssl-1.1.1d/Configure +=================================================================== +--- openssl-1.1.1d.orig/Configure ++++ openssl-1.1.1d/Configure +@@ -1400,6 +1400,9 @@ unless ($disabled{asm}) { + if ($target{ec_asm_src} =~ /x25519/) { + push @{$config{lib_defines}}, "X25519_ASM"; + } ++ if ($target{ec_asm_src} =~ /ecp_s390x_nistp/) { ++ push @{$config{lib_defines}}, "S390X_NISTP_ASM"; ++ } + if ($target{padlock_asm_src} ne $table{DEFAULTS}->{padlock_asm_src}) { + push @{$config{dso_defines}}, "PADLOCK_ASM"; + } diff --git a/openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch b/openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch new file mode 100644 index 0000000..71e5a26 --- /dev/null +++ b/openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch @@ -0,0 +1,16 @@ +--- + crypto/evp/e_aes.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/crypto/evp/e_aes.c ++++ b/crypto/evp/e_aes.c +@@ -2742,6 +2742,9 @@ static int aes_cbc_cipher(EVP_CIPHER_CTX + { + EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx); + ++ if (!len) ++ return 1; ++ + if (dat->stream.cbc) + (*dat->stream.cbc) (in, out, len, &dat->ks, + EVP_CIPHER_CTX_iv_noconst(ctx), diff --git a/openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch b/openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch new file mode 100644 index 0000000..498db7f --- /dev/null +++ b/openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch @@ -0,0 +1,2197 @@ +From 01d901e470d9e035a3bd78e77b9438a4cc0da785 Mon Sep 17 00:00:00 2001 +From: Rohan McLure +Date: Wed, 12 Jul 2023 12:25:22 +1000 +Subject: [PATCH] ec: 56-bit Limb Solinas' Strategy for secp384r1 + +Adopt a 56-bit redundant-limb Solinas' reduction approach for efficient +modular multiplication in P384. This has the affect of accelerating +digital signing by 446% and verification by 106%. The implementation +strategy and names of methods are the same as that provided in +ecp_nistp224 and ecp_nistp521. + +As in Commit 1036749883cc ("ec: Add run time code selection for p521 +field operations"), allow for run time selection of implementation for +felem_{square,mul}, where an assembly implementation is proclaimed to +be present when ECP_NISTP384_ASM is present. + +Signed-off-by: Rohan McLure + +Reviewed-by: Paul Dale +Reviewed-by: Shane Lontis +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Todd Short +(Merged from https://github.com/openssl/openssl/pull/21471) +--- + crypto/ec/build.info | 3 +- + crypto/ec/ec_curve.c | 4 + + crypto/ec/ec_lib.c | 8 + + crypto/ec/ec_local.h | 27 +- + crypto/ec/ecp_nistp384.c | 1988 ++++++++++++++++++++++++++++++++++++++ + crypto/err/openssl.txt | 4 + include/openssl/ecerr.h | 3 + 7 files changed, 2035 insertions(+), 2 deletions(-) + create mode 100644 crypto/ec/ecp_nistp384.c + +Index: openssl-1.1.1w/crypto/ec/ec_curve.c +=================================================================== +--- openssl-1.1.1w.orig/crypto/ec/ec_curve.c ++++ openssl-1.1.1w/crypto/ec/ec_curve.c +@@ -2833,6 +2833,8 @@ static const ec_list_element curve_list[ + {NID_secp384r1, &_EC_NIST_PRIME_384.h, + # if defined(S390X_EC_ASM) + EC_GFp_s390x_nistp384_method, ++# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) ++ ossl_ec_GFp_nistp384_method, + # else + 0, + # endif +Index: openssl-1.1.1w/crypto/ec/ec_lib.c +=================================================================== +--- openssl-1.1.1w.orig/crypto/ec/ec_lib.c ++++ openssl-1.1.1w/crypto/ec/ec_lib.c +@@ -75,12 +75,16 @@ void EC_pre_comp_free(EC_GROUP *group) + case PCT_nistp256: + EC_nistp256_pre_comp_free(group->pre_comp.nistp256); + break; ++ case PCT_nistp384: ++ ossl_ec_nistp384_pre_comp_free(group->pre_comp.nistp384); ++ break; + case PCT_nistp521: + EC_nistp521_pre_comp_free(group->pre_comp.nistp521); + break; + #else + case PCT_nistp224: + case PCT_nistp256: ++ case PCT_nistp384: + case PCT_nistp521: + break; + #endif +@@ -160,12 +164,16 @@ int EC_GROUP_copy(EC_GROUP *dest, const + case PCT_nistp256: + dest->pre_comp.nistp256 = EC_nistp256_pre_comp_dup(src->pre_comp.nistp256); + break; ++ case PCT_nistp384: ++ dest->pre_comp.nistp384 = ossl_ec_nistp384_pre_comp_dup(src->pre_comp.nistp384); ++ break; + case PCT_nistp521: + dest->pre_comp.nistp521 = EC_nistp521_pre_comp_dup(src->pre_comp.nistp521); + break; + #else + case PCT_nistp224: + case PCT_nistp256: ++ case PCT_nistp384: + case PCT_nistp521: + break; + #endif +Index: openssl-1.1.1w/crypto/ec/ec_local.h +=================================================================== +--- openssl-1.1.1w.orig/crypto/ec/ec_local.h ++++ openssl-1.1.1w/crypto/ec/ec_local.h +@@ -207,6 +207,7 @@ struct ec_method_st { + */ + typedef struct nistp224_pre_comp_st NISTP224_PRE_COMP; + typedef struct nistp256_pre_comp_st NISTP256_PRE_COMP; ++typedef struct nistp384_pre_comp_st NISTP384_PRE_COMP; + typedef struct nistp521_pre_comp_st NISTP521_PRE_COMP; + typedef struct nistz256_pre_comp_st NISTZ256_PRE_COMP; + typedef struct ec_pre_comp_st EC_PRE_COMP; +@@ -268,12 +269,13 @@ struct ec_group_st { + */ + enum { + PCT_none, +- PCT_nistp224, PCT_nistp256, PCT_nistp521, PCT_nistz256, ++ PCT_nistp224, PCT_nistp256, PCT_nistp384, PCT_nistp521, PCT_nistz256, + PCT_ec + } pre_comp_type; + union { + NISTP224_PRE_COMP *nistp224; + NISTP256_PRE_COMP *nistp256; ++ NISTP384_PRE_COMP *nistp384; + NISTP521_PRE_COMP *nistp521; + NISTZ256_PRE_COMP *nistz256; + EC_PRE_COMP *ec; +@@ -330,6 +332,7 @@ static ossl_inline int ec_point_is_compa + + NISTP224_PRE_COMP *EC_nistp224_pre_comp_dup(NISTP224_PRE_COMP *); + NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); ++NISTP384_PRE_COMP *ossl_ec_nistp384_pre_comp_dup(NISTP384_PRE_COMP *); + NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *); + NISTZ256_PRE_COMP *EC_nistz256_pre_comp_dup(NISTZ256_PRE_COMP *); + NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); +@@ -338,6 +341,7 @@ EC_PRE_COMP *EC_ec_pre_comp_dup(EC_PRE_C + void EC_pre_comp_free(EC_GROUP *group); + void EC_nistp224_pre_comp_free(NISTP224_PRE_COMP *); + void EC_nistp256_pre_comp_free(NISTP256_PRE_COMP *); ++void ossl_ec_nistp384_pre_comp_free(NISTP384_PRE_COMP *); + void EC_nistp521_pre_comp_free(NISTP521_PRE_COMP *); + void EC_nistz256_pre_comp_free(NISTZ256_PRE_COMP *); + void EC_ec_pre_comp_free(EC_PRE_COMP *); +@@ -543,6 +547,27 @@ int ec_GFp_nistp256_points_mul(const EC_ + int ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx); + int ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group); + ++/* method functions in ecp_nistp384.c */ ++int ossl_ec_GFp_nistp384_group_init(EC_GROUP *group); ++int ossl_ec_GFp_nistp384_group_set_curve(EC_GROUP *group, const BIGNUM *p, ++ const BIGNUM *a, const BIGNUM *n, ++ BN_CTX *); ++int ossl_ec_GFp_nistp384_point_get_affine_coordinates(const EC_GROUP *group, ++ const EC_POINT *point, ++ BIGNUM *x, BIGNUM *y, ++ BN_CTX *ctx); ++int ossl_ec_GFp_nistp384_mul(const EC_GROUP *group, EC_POINT *r, ++ const BIGNUM *scalar, size_t num, ++ const EC_POINT *points[], const BIGNUM *scalars[], ++ BN_CTX *); ++int ossl_ec_GFp_nistp384_points_mul(const EC_GROUP *group, EC_POINT *r, ++ const BIGNUM *scalar, size_t num, ++ const EC_POINT *points[], ++ const BIGNUM *scalars[], BN_CTX *ctx); ++int ossl_ec_GFp_nistp384_precompute_mult(EC_GROUP *group, BN_CTX *ctx); ++int ossl_ec_GFp_nistp384_have_precompute_mult(const EC_GROUP *group); ++const EC_METHOD *ossl_ec_GFp_nistp384_method(void); ++ + /* method functions in ecp_nistp521.c */ + int ec_GFp_nistp521_group_init(EC_GROUP *group); + int ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, +Index: openssl-1.1.1w/crypto/ec/ecp_nistp384.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1w/crypto/ec/ecp_nistp384.c +@@ -0,0 +1,1993 @@ ++/* ++ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++/* Copyright 2023 IBM Corp. ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * ++ * you may not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++ ++/* ++ * Designed for 56-bit limbs by Rohan McLure . ++ * The layout is based on that of ecp_nistp{224,521}.c, allowing even for asm ++ * acceleration of felem_{square,mul} as supported in these files. ++ */ ++ ++#include ++#ifdef OPENSSL_NO_EC_NISTP_64_GCC_128 ++NON_EMPTY_TRANSLATION_UNIT ++#else ++#include ++#include ++#include "ec_local.h" ++ ++#include "internal/numbers.h" ++ ++#ifndef INT128_MAX ++# error "Your compiler doesn't appear to support 128-bit integer types" ++#endif ++ ++typedef uint8_t u8; ++typedef uint64_t u64; ++ ++/* ++ * The underlying field. P384 operates over GF(2^384-2^128-2^96+2^32-1). We ++ * can serialize an element of this field into 48 bytes. We call this an ++ * felem_bytearray. ++ */ ++ ++typedef u8 felem_bytearray[48]; ++ ++/* ++ * These are the parameters of P384, taken from FIPS 186-3, section D.1.2.4. ++ * These values are big-endian. ++ */ ++static const felem_bytearray nistp384_curve_params[5] = { ++ {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF}, ++ {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a = -3 */ ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC}, ++ {0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B, /* b */ ++ 0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12, ++ 0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D, ++ 0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF}, ++ {0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E, /* x */ ++ 0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98, ++ 0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D, ++ 0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7}, ++ {0x36, 0x17, 0xDE, 0x4A, 0x96, 0x26, 0x2C, 0x6F, 0x5D, 0x9E, 0x98, 0xBF, /* y */ ++ 0x92, 0x92, 0xDC, 0x29, 0xF8, 0xF4, 0x1D, 0xBD, 0x28, 0x9A, 0x14, 0x7C, ++ 0xE9, 0xDA, 0x31, 0x13, 0xB5, 0xF0, 0xB8, 0xC0, 0x0A, 0x60, 0xB1, 0xCE, ++ 0x1D, 0x7E, 0x81, 0x9D, 0x7A, 0x43, 0x1D, 0x7C, 0x90, 0xEA, 0x0E, 0x5F}, ++}; ++ ++/*- ++ * The representation of field elements. ++ * ------------------------------------ ++ * ++ * We represent field elements with seven values. These values are either 64 or ++ * 128 bits and the field element represented is: ++ * v[0]*2^0 + v[1]*2^56 + v[2]*2^112 + ... + v[6]*2^336 (mod p) ++ * Each of the seven values is called a 'limb'. Since the limbs are spaced only ++ * 56 bits apart, but are greater than 56 bits in length, the most significant ++ * bits of each limb overlap with the least significant bits of the next ++ * ++ * This representation is considered to be 'redundant' in the sense that ++ * intermediate values can each contain more than a 56-bit value in each limb. ++ * Reduction causes all but the final limb to be reduced to contain a value less ++ * than 2^56, with the final value represented allowed to be larger than 2^384, ++ * inasmuch as we can be sure that arithmetic overflow remains impossible. The ++ * reduced value must of course be congruent to the unreduced value. ++ * ++ * A field element with 64-bit limbs is an 'felem'. One with 128-bit limbs is a ++ * 'widefelem', featuring enough bits to store the result of a multiplication ++ * and even some further arithmetic without need for immediate reduction. ++ */ ++ ++#define NLIMBS 7 ++ ++typedef uint64_t limb; ++typedef uint128_t widelimb; ++typedef limb limb_aX __attribute((__aligned__(1))); ++typedef limb felem[NLIMBS]; ++typedef widelimb widefelem[2*NLIMBS-1]; ++ ++static const limb bottom56bits = 0xffffffffffffff; ++ ++/* Helper functions (de)serialising reduced field elements in little endian */ ++static void bin48_to_felem(felem out, const u8 in[48]) ++{ ++ memset(out, 0, 56); ++ out[0] = (*((limb *) & in[0])) & bottom56bits; ++ out[1] = (*((limb_aX *) & in[7])) & bottom56bits; ++ out[2] = (*((limb_aX *) & in[14])) & bottom56bits; ++ out[3] = (*((limb_aX *) & in[21])) & bottom56bits; ++ out[4] = (*((limb_aX *) & in[28])) & bottom56bits; ++ out[5] = (*((limb_aX *) & in[35])) & bottom56bits; ++ memmove(&out[6], &in[42], 6); ++} ++ ++static void felem_to_bin48(u8 out[48], const felem in) ++{ ++ memset(out, 0, 48); ++ (*((limb *) & out[0])) |= (in[0] & bottom56bits); ++ (*((limb_aX *) & out[7])) |= (in[1] & bottom56bits); ++ (*((limb_aX *) & out[14])) |= (in[2] & bottom56bits); ++ (*((limb_aX *) & out[21])) |= (in[3] & bottom56bits); ++ (*((limb_aX *) & out[28])) |= (in[4] & bottom56bits); ++ (*((limb_aX *) & out[35])) |= (in[5] & bottom56bits); ++ memmove(&out[42], &in[6], 6); ++} ++ ++/* BN_to_felem converts an OpenSSL BIGNUM into an felem */ ++static int BN_to_felem(felem out, const BIGNUM *bn) ++{ ++ felem_bytearray b_out; ++ int num_bytes; ++ ++ if (BN_is_negative(bn)) { ++ ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE); ++ return 0; ++ } ++ num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out)); ++ if (num_bytes < 0) { ++ ECerr(EC_F_BN_TO_FELEM, EC_R_BIGNUM_OUT_OF_RANGE); ++ return 0; ++ } ++ bin48_to_felem(out, b_out); ++ return 1; ++} ++ ++/* felem_to_BN converts an felem into an OpenSSL BIGNUM */ ++static BIGNUM *felem_to_BN(BIGNUM *out, const felem in) ++{ ++ felem_bytearray b_out; ++ ++ felem_to_bin48(b_out, in); ++ return BN_lebin2bn(b_out, sizeof(b_out), out); ++} ++ ++/*- ++ * Field operations ++ * ---------------- ++ */ ++ ++static void felem_one(felem out) ++{ ++ out[0] = 1; ++ memset(&out[1], 0, sizeof(limb) * (NLIMBS-1)); ++} ++ ++static void felem_assign(felem out, const felem in) ++{ ++ memcpy(out, in, sizeof(felem)); ++} ++ ++/* felem_sum64 sets out = out + in. */ ++static void felem_sum64(felem out, const felem in) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < NLIMBS; i++) ++ out[i] += in[i]; ++} ++ ++/* felem_scalar sets out = in * scalar */ ++static void felem_scalar(felem out, const felem in, limb scalar) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < NLIMBS; i++) ++ out[i] = in[i] * scalar; ++} ++ ++/* felem_scalar64 sets out = out * scalar */ ++static void felem_scalar64(felem out, limb scalar) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < NLIMBS; i++) ++ out[i] *= scalar; ++} ++ ++/* felem_scalar128 sets out = out * scalar */ ++static void felem_scalar128(widefelem out, limb scalar) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < 2*NLIMBS-1; i++) ++ out[i] *= scalar; ++} ++ ++/*- ++ * felem_neg sets |out| to |-in| ++ * On entry: ++ * in[i] < 2^60 - 2^29 ++ * On exit: ++ * out[i] < 2^60 ++ */ ++static void felem_neg(felem out, const felem in) ++{ ++ /* ++ * In order to prevent underflow, we add a multiple of p before subtracting. ++ * Use telescopic sums to represent 2^12 * p redundantly with each limb ++ * of the form 2^60 + ... ++ */ ++ static const limb two60m52m4 = (((limb) 1) << 60) ++ - (((limb) 1) << 52) ++ - (((limb) 1) << 4); ++ static const limb two60p44m12 = (((limb) 1) << 60) ++ + (((limb) 1) << 44) ++ - (((limb) 1) << 12); ++ static const limb two60m28m4 = (((limb) 1) << 60) ++ - (((limb) 1) << 28) ++ - (((limb) 1) << 4); ++ static const limb two60m4 = (((limb) 1) << 60) ++ - (((limb) 1) << 4); ++ ++ out[0] = two60p44m12 - in[0]; ++ out[1] = two60m52m4 - in[1]; ++ out[2] = two60m28m4 - in[2]; ++ out[3] = two60m4 - in[3]; ++ out[4] = two60m4 - in[4]; ++ out[5] = two60m4 - in[5]; ++ out[6] = two60m4 - in[6]; ++} ++ ++/*- ++ * felem_diff64 subtracts |in| from |out| ++ * On entry: ++ * in[i] < 2^60 - 2^52 - 2^4 ++ * On exit: ++ * out[i] < out_orig[i] + 2^60 + 2^44 ++ */ ++static void felem_diff64(felem out, const felem in) ++{ ++ /* ++ * In order to prevent underflow, we add a multiple of p before subtracting. ++ * Use telescopic sums to represent 2^12 * p redundantly with each limb ++ * of the form 2^60 + ... ++ */ ++ ++ static const limb two60m52m4 = (((limb) 1) << 60) ++ - (((limb) 1) << 52) ++ - (((limb) 1) << 4); ++ static const limb two60p44m12 = (((limb) 1) << 60) ++ + (((limb) 1) << 44) ++ - (((limb) 1) << 12); ++ static const limb two60m28m4 = (((limb) 1) << 60) ++ - (((limb) 1) << 28) ++ - (((limb) 1) << 4); ++ static const limb two60m4 = (((limb) 1) << 60) ++ - (((limb) 1) << 4); ++ ++ out[0] += two60p44m12 - in[0]; ++ out[1] += two60m52m4 - in[1]; ++ out[2] += two60m28m4 - in[2]; ++ out[3] += two60m4 - in[3]; ++ out[4] += two60m4 - in[4]; ++ out[5] += two60m4 - in[5]; ++ out[6] += two60m4 - in[6]; ++} ++ ++/* ++ * in[i] < 2^63 ++ * out[i] < out_orig[i] + 2^64 + 2^48 ++ */ ++static void felem_diff_128_64(widefelem out, const felem in) ++{ ++ /* ++ * In order to prevent underflow, we add a multiple of p before subtracting. ++ * Use telescopic sums to represent 2^16 * p redundantly with each limb ++ * of the form 2^64 + ... ++ */ ++ ++ static const widelimb two64m56m8 = (((widelimb) 1) << 64) ++ - (((widelimb) 1) << 56) ++ - (((widelimb) 1) << 8); ++ static const widelimb two64m32m8 = (((widelimb) 1) << 64) ++ - (((widelimb) 1) << 32) ++ - (((widelimb) 1) << 8); ++ static const widelimb two64m8 = (((widelimb) 1) << 64) ++ - (((widelimb) 1) << 8); ++ static const widelimb two64p48m16 = (((widelimb) 1) << 64) ++ + (((widelimb) 1) << 48) ++ - (((widelimb) 1) << 16); ++ unsigned int i; ++ ++ out[0] += two64p48m16; ++ out[1] += two64m56m8; ++ out[2] += two64m32m8; ++ out[3] += two64m8; ++ out[4] += two64m8; ++ out[5] += two64m8; ++ out[6] += two64m8; ++ ++ for (i = 0; i < NLIMBS; i++) ++ out[i] -= in[i]; ++} ++ ++/* ++ * in[i] < 2^127 - 2^119 - 2^71 ++ * out[i] < out_orig[i] + 2^127 + 2^111 ++ */ ++static void felem_diff128(widefelem out, const widefelem in) ++{ ++ /* ++ * In order to prevent underflow, we add a multiple of p before subtracting. ++ * Use telescopic sums to represent 2^415 * p redundantly with each limb ++ * of the form 2^127 + ... ++ */ ++ ++ static const widelimb two127 = ((widelimb) 1) << 127; ++ static const widelimb two127m71 = (((widelimb) 1) << 127) ++ - (((widelimb) 1) << 71); ++ static const widelimb two127p111m79m71 = (((widelimb) 1) << 127) ++ + (((widelimb) 1) << 111) ++ - (((widelimb) 1) << 79) ++ - (((widelimb) 1) << 71); ++ static const widelimb two127m119m71 = (((widelimb) 1) << 127) ++ - (((widelimb) 1) << 119) ++ - (((widelimb) 1) << 71); ++ static const widelimb two127m95m71 = (((widelimb) 1) << 127) ++ - (((widelimb) 1) << 95) ++ - (((widelimb) 1) << 71); ++ unsigned int i; ++ ++ out[0] += two127; ++ out[1] += two127m71; ++ out[2] += two127m71; ++ out[3] += two127m71; ++ out[4] += two127m71; ++ out[5] += two127m71; ++ out[6] += two127p111m79m71; ++ out[7] += two127m119m71; ++ out[8] += two127m95m71; ++ out[9] += two127m71; ++ out[10] += two127m71; ++ out[11] += two127m71; ++ out[12] += two127m71; ++ ++ for (i = 0; i < 2*NLIMBS-1; i++) ++ out[i] -= in[i]; ++} ++ ++static void felem_square_ref(widefelem out, const felem in) ++{ ++ felem inx2; ++ felem_scalar(inx2, in, 2); ++ ++ out[0] = ((uint128_t) in[0]) * in[0]; ++ ++ out[1] = ((uint128_t) in[0]) * inx2[1]; ++ ++ out[2] = ((uint128_t) in[0]) * inx2[2] ++ + ((uint128_t) in[1]) * in[1]; ++ ++ out[3] = ((uint128_t) in[0]) * inx2[3] ++ + ((uint128_t) in[1]) * inx2[2]; ++ ++ out[4] = ((uint128_t) in[0]) * inx2[4] ++ + ((uint128_t) in[1]) * inx2[3] ++ + ((uint128_t) in[2]) * in[2]; ++ ++ out[5] = ((uint128_t) in[0]) * inx2[5] ++ + ((uint128_t) in[1]) * inx2[4] ++ + ((uint128_t) in[2]) * inx2[3]; ++ ++ out[6] = ((uint128_t) in[0]) * inx2[6] ++ + ((uint128_t) in[1]) * inx2[5] ++ + ((uint128_t) in[2]) * inx2[4] ++ + ((uint128_t) in[3]) * in[3]; ++ ++ out[7] = ((uint128_t) in[1]) * inx2[6] ++ + ((uint128_t) in[2]) * inx2[5] ++ + ((uint128_t) in[3]) * inx2[4]; ++ ++ out[8] = ((uint128_t) in[2]) * inx2[6] ++ + ((uint128_t) in[3]) * inx2[5] ++ + ((uint128_t) in[4]) * in[4]; ++ ++ out[9] = ((uint128_t) in[3]) * inx2[6] ++ + ((uint128_t) in[4]) * inx2[5]; ++ ++ out[10] = ((uint128_t) in[4]) * inx2[6] ++ + ((uint128_t) in[5]) * in[5]; ++ ++ out[11] = ((uint128_t) in[5]) * inx2[6]; ++ ++ out[12] = ((uint128_t) in[6]) * in[6]; ++} ++ ++static void felem_mul_ref(widefelem out, const felem in1, const felem in2) ++{ ++ out[0] = ((uint128_t) in1[0]) * in2[0]; ++ ++ out[1] = ((uint128_t) in1[0]) * in2[1] ++ + ((uint128_t) in1[1]) * in2[0]; ++ ++ out[2] = ((uint128_t) in1[0]) * in2[2] ++ + ((uint128_t) in1[1]) * in2[1] ++ + ((uint128_t) in1[2]) * in2[0]; ++ ++ out[3] = ((uint128_t) in1[0]) * in2[3] ++ + ((uint128_t) in1[1]) * in2[2] ++ + ((uint128_t) in1[2]) * in2[1] ++ + ((uint128_t) in1[3]) * in2[0]; ++ ++ out[4] = ((uint128_t) in1[0]) * in2[4] ++ + ((uint128_t) in1[1]) * in2[3] ++ + ((uint128_t) in1[2]) * in2[2] ++ + ((uint128_t) in1[3]) * in2[1] ++ + ((uint128_t) in1[4]) * in2[0]; ++ ++ out[5] = ((uint128_t) in1[0]) * in2[5] ++ + ((uint128_t) in1[1]) * in2[4] ++ + ((uint128_t) in1[2]) * in2[3] ++ + ((uint128_t) in1[3]) * in2[2] ++ + ((uint128_t) in1[4]) * in2[1] ++ + ((uint128_t) in1[5]) * in2[0]; ++ ++ out[6] = ((uint128_t) in1[0]) * in2[6] ++ + ((uint128_t) in1[1]) * in2[5] ++ + ((uint128_t) in1[2]) * in2[4] ++ + ((uint128_t) in1[3]) * in2[3] ++ + ((uint128_t) in1[4]) * in2[2] ++ + ((uint128_t) in1[5]) * in2[1] ++ + ((uint128_t) in1[6]) * in2[0]; ++ ++ out[7] = ((uint128_t) in1[1]) * in2[6] ++ + ((uint128_t) in1[2]) * in2[5] ++ + ((uint128_t) in1[3]) * in2[4] ++ + ((uint128_t) in1[4]) * in2[3] ++ + ((uint128_t) in1[5]) * in2[2] ++ + ((uint128_t) in1[6]) * in2[1]; ++ ++ out[8] = ((uint128_t) in1[2]) * in2[6] ++ + ((uint128_t) in1[3]) * in2[5] ++ + ((uint128_t) in1[4]) * in2[4] ++ + ((uint128_t) in1[5]) * in2[3] ++ + ((uint128_t) in1[6]) * in2[2]; ++ ++ out[9] = ((uint128_t) in1[3]) * in2[6] ++ + ((uint128_t) in1[4]) * in2[5] ++ + ((uint128_t) in1[5]) * in2[4] ++ + ((uint128_t) in1[6]) * in2[3]; ++ ++ out[10] = ((uint128_t) in1[4]) * in2[6] ++ + ((uint128_t) in1[5]) * in2[5] ++ + ((uint128_t) in1[6]) * in2[4]; ++ ++ out[11] = ((uint128_t) in1[5]) * in2[6] ++ + ((uint128_t) in1[6]) * in2[5]; ++ ++ out[12] = ((uint128_t) in1[6]) * in2[6]; ++} ++ ++/*- ++ * Reduce thirteen 128-bit coefficients to seven 64-bit coefficients. ++ * in[i] < 2^128 - 2^125 ++ * out[i] < 2^56 for i < 6, ++ * out[6] <= 2^48 ++ * ++ * The technique in use here stems from the format of the prime modulus: ++ * P384 = 2^384 - delta ++ * ++ * Thus we can reduce numbers of the form (X + 2^384 * Y) by substituting ++ * them with (X + delta Y), with delta = 2^128 + 2^96 + (-2^32 + 1). These ++ * coefficients are still quite large, and so we repeatedly apply this ++ * technique on high-order bits in order to guarantee the desired bounds on ++ * the size of our output. ++ * ++ * The three phases of elimination are as follows: ++ * [1]: Y = 2^120 (in[12] | in[11] | in[10] | in[9]) ++ * [2]: Y = 2^8 (acc[8] | acc[7]) ++ * [3]: Y = 2^48 (acc[6] >> 48) ++ * (Where a | b | c | d = (2^56)^3 a + (2^56)^2 b + (2^56) c + d) ++ */ ++static void felem_reduce(felem out, const widefelem in) ++{ ++ /* ++ * In order to prevent underflow, we add a multiple of p before subtracting. ++ * Use telescopic sums to represent 2^76 * p redundantly with each limb ++ * of the form 2^124 + ... ++ */ ++ static const widelimb two124m68 = (((widelimb) 1) << 124) ++ - (((widelimb) 1) << 68); ++ static const widelimb two124m116m68 = (((widelimb) 1) << 124) ++ - (((widelimb) 1) << 116) ++ - (((widelimb) 1) << 68); ++ static const widelimb two124p108m76 = (((widelimb) 1) << 124) ++ + (((widelimb) 1) << 108) ++ - (((widelimb) 1) << 76); ++ static const widelimb two124m92m68 = (((widelimb) 1) << 124) ++ - (((widelimb) 1) << 92) ++ - (((widelimb) 1) << 68); ++ widelimb temp, acc[9]; ++ unsigned int i; ++ ++ memcpy(acc, in, sizeof(widelimb) * 9); ++ ++ acc[0] += two124p108m76; ++ acc[1] += two124m116m68; ++ acc[2] += two124m92m68; ++ acc[3] += two124m68; ++ acc[4] += two124m68; ++ acc[5] += two124m68; ++ acc[6] += two124m68; ++ ++ /* [1]: Eliminate in[9], ..., in[12] */ ++ acc[8] += in[12] >> 32; ++ acc[7] += (in[12] & 0xffffffff) << 24; ++ acc[7] += in[12] >> 8; ++ acc[6] += (in[12] & 0xff) << 48; ++ acc[6] -= in[12] >> 16; ++ acc[5] -= ((in[12] & 0xffff) << 40); ++ acc[6] += in[12] >> 48; ++ acc[5] += (in[12] & 0xffffffffffff) << 8; ++ ++ acc[7] += in[11] >> 32; ++ acc[6] += (in[11] & 0xffffffff) << 24; ++ acc[6] += in[11] >> 8; ++ acc[5] += (in[11] & 0xff) << 48; ++ acc[5] -= in[11] >> 16; ++ acc[4] -= ((in[11] & 0xffff) << 40); ++ acc[5] += in[11] >> 48; ++ acc[4] += (in[11] & 0xffffffffffff) << 8; ++ ++ acc[6] += in[10] >> 32; ++ acc[5] += (in[10] & 0xffffffff) << 24; ++ acc[5] += in[10] >> 8; ++ acc[4] += (in[10] & 0xff) << 48; ++ acc[4] -= in[10] >> 16; ++ acc[3] -= ((in[10] & 0xffff) << 40); ++ acc[4] += in[10] >> 48; ++ acc[3] += (in[10] & 0xffffffffffff) << 8; ++ ++ acc[5] += in[9] >> 32; ++ acc[4] += (in[9] & 0xffffffff) << 24; ++ acc[4] += in[9] >> 8; ++ acc[3] += (in[9] & 0xff) << 48; ++ acc[3] -= in[9] >> 16; ++ acc[2] -= ((in[9] & 0xffff) << 40); ++ acc[3] += in[9] >> 48; ++ acc[2] += (in[9] & 0xffffffffffff) << 8; ++ ++ /* ++ * [2]: Eliminate acc[7], acc[8], that is the 7 and eighth limbs, as ++ * well as the contributions made from eliminating higher limbs. ++ * acc[7] < in[7] + 2^120 + 2^56 < in[7] + 2^121 ++ * acc[8] < in[8] + 2^96 ++ */ ++ acc[4] += acc[8] >> 32; ++ acc[3] += (acc[8] & 0xffffffff) << 24; ++ acc[3] += acc[8] >> 8; ++ acc[2] += (acc[8] & 0xff) << 48; ++ acc[2] -= acc[8] >> 16; ++ acc[1] -= ((acc[8] & 0xffff) << 40); ++ acc[2] += acc[8] >> 48; ++ acc[1] += (acc[8] & 0xffffffffffff) << 8; ++ ++ acc[3] += acc[7] >> 32; ++ acc[2] += (acc[7] & 0xffffffff) << 24; ++ acc[2] += acc[7] >> 8; ++ acc[1] += (acc[7] & 0xff) << 48; ++ acc[1] -= acc[7] >> 16; ++ acc[0] -= ((acc[7] & 0xffff) << 40); ++ acc[1] += acc[7] >> 48; ++ acc[0] += (acc[7] & 0xffffffffffff) << 8; ++ ++ /*- ++ * acc[k] < in[k] + 2^124 + 2^121 ++ * < in[k] + 2^125 ++ * < 2^128, for k <= 6 ++ */ ++ ++ /* ++ * Carry 4 -> 5 -> 6 ++ * This has the effect of ensuring that these more significant limbs ++ * will be small in value after eliminating high bits from acc[6]. ++ */ ++ acc[5] += acc[4] >> 56; ++ acc[4] &= 0x00ffffffffffffff; ++ ++ acc[6] += acc[5] >> 56; ++ acc[5] &= 0x00ffffffffffffff; ++ ++ /*- ++ * acc[6] < in[6] + 2^124 + 2^121 + 2^72 + 2^16 ++ * < in[6] + 2^125 ++ * < 2^128 ++ */ ++ ++ /* [3]: Eliminate high bits of acc[6] */ ++ temp = acc[6] >> 48; ++ acc[6] &= 0x0000ffffffffffff; ++ ++ /* temp < 2^80 */ ++ ++ acc[3] += temp >> 40; ++ acc[2] += (temp & 0xffffffffff) << 16; ++ acc[2] += temp >> 16; ++ acc[1] += (temp & 0xffff) << 40; ++ acc[1] -= temp >> 24; ++ acc[0] -= (temp & 0xffffff) << 32; ++ acc[0] += temp; ++ ++ /*- ++ * acc[k] < acc_old[k] + 2^64 + 2^56 ++ * < in[k] + 2^124 + 2^121 + 2^72 + 2^64 + 2^56 + 2^16 , k < 4 ++ */ ++ ++ /* Carry 0 -> 1 -> 2 -> 3 -> 4 -> 5 -> 6 */ ++ acc[1] += acc[0] >> 56; /* acc[1] < acc_old[1] + 2^72 */ ++ acc[0] &= 0x00ffffffffffffff; ++ ++ acc[2] += acc[1] >> 56; /* acc[2] < acc_old[2] + 2^72 + 2^16 */ ++ acc[1] &= 0x00ffffffffffffff; ++ ++ acc[3] += acc[2] >> 56; /* acc[3] < acc_old[3] + 2^72 + 2^16 */ ++ acc[2] &= 0x00ffffffffffffff; ++ ++ /*- ++ * acc[k] < acc_old[k] + 2^72 + 2^16 ++ * < in[k] + 2^124 + 2^121 + 2^73 + 2^64 + 2^56 + 2^17 ++ * < in[k] + 2^125 ++ * < 2^128 , k < 4 ++ */ ++ ++ acc[4] += acc[3] >> 56; /*- ++ * acc[4] < acc_old[4] + 2^72 + 2^16 ++ * < 2^72 + 2^56 + 2^16 ++ */ ++ acc[3] &= 0x00ffffffffffffff; ++ ++ acc[5] += acc[4] >> 56; /*- ++ * acc[5] < acc_old[5] + 2^16 + 1 ++ * < 2^56 + 2^16 + 1 ++ */ ++ acc[4] &= 0x00ffffffffffffff; ++ ++ acc[6] += acc[5] >> 56; /* acc[6] < 2^48 + 1 <= 2^48 */ ++ acc[5] &= 0x00ffffffffffffff; ++ ++ for (i = 0; i < NLIMBS; i++) ++ out[i] = acc[i]; ++} ++ ++#if defined(ECP_NISTP384_ASM) ++static void felem_square_wrapper(widefelem out, const felem in); ++static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2); ++ ++static void (*felem_square_p)(widefelem out, const felem in) = ++ felem_square_wrapper; ++static void (*felem_mul_p)(widefelem out, const felem in1, const felem in2) = ++ felem_mul_wrapper; ++ ++void p384_felem_square(widefelem out, const felem in); ++void p384_felem_mul(widefelem out, const felem in1, const felem in2); ++ ++# if defined(_ARCH_PPC64) ++# include "crypto/ppc_arch.h" ++# endif ++ ++static void felem_select(void) ++{ ++ /* Default */ ++ felem_square_p = felem_square_ref; ++ felem_mul_p = felem_mul_ref; ++} ++ ++static void felem_square_wrapper(widefelem out, const felem in) ++{ ++ felem_select(); ++ felem_square_p(out, in); ++} ++ ++static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2) ++{ ++ felem_select(); ++ felem_mul_p(out, in1, in2); ++} ++ ++# define felem_square felem_square_p ++# define felem_mul felem_mul_p ++#else ++# define felem_square felem_square_ref ++# define felem_mul felem_mul_ref ++#endif ++ ++static ossl_inline void felem_square_reduce(felem out, const felem in) ++{ ++ widefelem tmp; ++ ++ felem_square(tmp, in); ++ felem_reduce(out, tmp); ++} ++ ++static ossl_inline void felem_mul_reduce(felem out, const felem in1, const felem in2) ++{ ++ widefelem tmp; ++ ++ felem_mul(tmp, in1, in2); ++ felem_reduce(out, tmp); ++} ++ ++/*- ++ * felem_inv calculates |out| = |in|^{-1} ++ * ++ * Based on Fermat's Little Theorem: ++ * a^p = a (mod p) ++ * a^{p-1} = 1 (mod p) ++ * a^{p-2} = a^{-1} (mod p) ++ */ ++static void felem_inv(felem out, const felem in) ++{ ++ felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6; ++ unsigned int i = 0; ++ ++ felem_square_reduce(ftmp, in); /* 2^1 */ ++ felem_mul_reduce(ftmp, ftmp, in); /* 2^1 + 2^0 */ ++ felem_assign(ftmp2, ftmp); ++ ++ felem_square_reduce(ftmp, ftmp); /* 2^2 + 2^1 */ ++ felem_mul_reduce(ftmp, ftmp, in); /* 2^2 + 2^1 * 2^0 */ ++ felem_assign(ftmp3, ftmp); ++ ++ for (i = 0; i < 3; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^5 + 2^4 + 2^3 */ ++ felem_mul_reduce(ftmp, ftmp3, ftmp); /* 2^5 + 2^4 + 2^3 + 2^2 + 2^1 + 2^0 */ ++ felem_assign(ftmp4, ftmp); ++ ++ for (i = 0; i < 6; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^11 + ... + 2^6 */ ++ felem_mul_reduce(ftmp, ftmp4, ftmp); /* 2^11 + ... + 2^0 */ ++ ++ for (i = 0; i < 3; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^14 + ... + 2^3 */ ++ felem_mul_reduce(ftmp, ftmp3, ftmp); /* 2^14 + ... + 2^0 */ ++ felem_assign(ftmp5, ftmp); ++ ++ for (i = 0; i < 15; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^29 + ... + 2^15 */ ++ felem_mul_reduce(ftmp, ftmp5, ftmp); /* 2^29 + ... + 2^0 */ ++ felem_assign(ftmp6, ftmp); ++ ++ for (i = 0; i < 30; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^59 + ... + 2^30 */ ++ felem_mul_reduce(ftmp, ftmp6, ftmp); /* 2^59 + ... + 2^0 */ ++ felem_assign(ftmp4, ftmp); ++ ++ for (i = 0; i < 60; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^119 + ... + 2^60 */ ++ felem_mul_reduce(ftmp, ftmp4, ftmp); /* 2^119 + ... + 2^0 */ ++ felem_assign(ftmp4, ftmp); ++ ++ for (i = 0; i < 120; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^239 + ... + 2^120 */ ++ felem_mul_reduce(ftmp, ftmp4, ftmp); /* 2^239 + ... + 2^0 */ ++ ++ for (i = 0; i < 15; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^254 + ... + 2^15 */ ++ felem_mul_reduce(ftmp, ftmp5, ftmp); /* 2^254 + ... + 2^0 */ ++ ++ for (i = 0; i < 31; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^285 + ... + 2^31 */ ++ felem_mul_reduce(ftmp, ftmp6, ftmp); /* 2^285 + ... + 2^31 + 2^29 + ... + 2^0 */ ++ ++ for (i = 0; i < 2; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^287 + ... + 2^33 + 2^31 + ... + 2^2 */ ++ felem_mul_reduce(ftmp, ftmp2, ftmp); /* 2^287 + ... + 2^33 + 2^31 + ... + 2^0 */ ++ ++ for (i = 0; i < 94; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^381 + ... + 2^127 + 2^125 + ... + 2^94 */ ++ felem_mul_reduce(ftmp, ftmp6, ftmp); /* 2^381 + ... + 2^127 + 2^125 + ... + 2^94 + 2^29 + ... + 2^0 */ ++ ++ for (i = 0; i < 2; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^383 + ... + 2^129 + 2^127 + ... + 2^96 + 2^31 + ... + 2^2 */ ++ felem_mul_reduce(ftmp, in, ftmp); /* 2^383 + ... + 2^129 + 2^127 + ... + 2^96 + 2^31 + ... + 2^2 + 2^0 */ ++ ++ memcpy(out, ftmp, sizeof(felem)); ++} ++ ++/* ++ * Zero-check: returns a limb with all bits set if |in| == 0 (mod p) ++ * and 0 otherwise. We know that field elements are reduced to ++ * 0 < in < 2p, so we only need to check two cases: ++ * 0 and 2^384 - 2^128 - 2^96 + 2^32 - 1 ++ * in[k] < 2^56, k < 6 ++ * in[6] <= 2^48 ++ */ ++static limb felem_is_zero(const felem in) ++{ ++ limb zero, p384; ++ ++ zero = in[0] | in[1] | in[2] | in[3] | in[4] | in[5] | in[6]; ++ zero = ((int64_t) (zero) - 1) >> 63; ++ p384 = (in[0] ^ 0x000000ffffffff) | (in[1] ^ 0xffff0000000000) ++ | (in[2] ^ 0xfffffffffeffff) | (in[3] ^ 0xffffffffffffff) ++ | (in[4] ^ 0xffffffffffffff) | (in[5] ^ 0xffffffffffffff) ++ | (in[6] ^ 0xffffffffffff); ++ p384 = ((int64_t) (p384) - 1) >> 63; ++ ++ return (zero | p384); ++} ++ ++static int felem_is_zero_int(const void *in) ++{ ++ return (int)(felem_is_zero(in) & ((limb) 1)); ++} ++ ++/*- ++ * felem_contract converts |in| to its unique, minimal representation. ++ * Assume we've removed all redundant bits. ++ * On entry: ++ * in[k] < 2^56, k < 6 ++ * in[6] <= 2^48 ++ */ ++static void felem_contract(felem out, const felem in) ++{ ++ static const int64_t two56 = ((limb) 1) << 56; ++ ++ /* ++ * We know for a fact that 0 <= |in| < 2*p, for p = 2^384 - 2^128 - 2^96 + 2^32 - 1 ++ * Perform two successive, idempotent subtractions to reduce if |in| >= p. ++ */ ++ ++ int64_t tmp[NLIMBS], cond[5], a; ++ unsigned int i; ++ ++ memcpy(tmp, in, sizeof(felem)); ++ ++ /* Case 1: a = 1 iff |in| >= 2^384 */ ++ a = (in[6] >> 48); ++ tmp[0] += a; ++ tmp[0] -= a << 32; ++ tmp[1] += a << 40; ++ tmp[2] += a << 16; ++ tmp[6] &= 0x0000ffffffffffff; ++ ++ /* ++ * eliminate negative coefficients: if tmp[0] is negative, tmp[1] must be ++ * non-zero, so we only need one step ++ */ ++ ++ a = tmp[0] >> 63; ++ tmp[0] += a & two56; ++ tmp[1] -= a & 1; ++ ++ /* Carry 1 -> 2 -> 3 -> 4 -> 5 -> 6 */ ++ tmp[2] += tmp[1] >> 56; ++ tmp[1] &= 0x00ffffffffffffff; ++ ++ tmp[3] += tmp[2] >> 56; ++ tmp[2] &= 0x00ffffffffffffff; ++ ++ tmp[4] += tmp[3] >> 56; ++ tmp[3] &= 0x00ffffffffffffff; ++ ++ tmp[5] += tmp[4] >> 56; ++ tmp[4] &= 0x00ffffffffffffff; ++ ++ tmp[6] += tmp[5] >> 56; /* tmp[6] < 2^48 */ ++ tmp[5] &= 0x00ffffffffffffff; ++ ++ /* ++ * Case 2: a = all ones if p <= |in| < 2^384, 0 otherwise ++ */ ++ ++ /* 0 iff (2^129..2^383) are all one */ ++ cond[0] = ((tmp[6] | 0xff000000000000) & tmp[5] & tmp[4] & tmp[3] & (tmp[2] | 0x0000000001ffff)) + 1; ++ /* 0 iff 2^128 bit is one */ ++ cond[1] = (tmp[2] | ~0x00000000010000) + 1; ++ /* 0 iff (2^96..2^127) bits are all one */ ++ cond[2] = ((tmp[2] | 0xffffffffff0000) & (tmp[1] | 0x0000ffffffffff)) + 1; ++ /* 0 iff (2^32..2^95) bits are all zero */ ++ cond[3] = (tmp[1] & ~0xffff0000000000) | (tmp[0] & ~((int64_t) 0x000000ffffffff)); ++ /* 0 iff (2^0..2^31) bits are all one */ ++ cond[4] = (tmp[0] | 0xffffff00000000) + 1; ++ ++ /* ++ * In effect, invert our conditions, so that 0 values become all 1's, ++ * any non-zero value in the low-order 56 bits becomes all 0's ++ */ ++ for (i = 0; i < 5; i++) ++ cond[i] = ((cond[i] & 0x00ffffffffffffff) - 1) >> 63; ++ ++ /* ++ * The condition for determining whether in is greater than our ++ * prime is given by the following condition. ++ */ ++ ++ /* First subtract 2^384 - 2^129 cheaply */ ++ a = cond[0] & (cond[1] | (cond[2] & (~cond[3] | cond[4]))); ++ tmp[6] &= ~a; ++ tmp[5] &= ~a; ++ tmp[4] &= ~a; ++ tmp[3] &= ~a; ++ tmp[2] &= ~a | 0x0000000001ffff; ++ ++ /* ++ * Subtract 2^128 - 2^96 by ++ * means of disjoint cases. ++ */ ++ ++ /* subtract 2^128 if that bit is present, and add 2^96 */ ++ a = cond[0] & cond[1]; ++ tmp[2] &= ~a | 0xfffffffffeffff; ++ tmp[1] += a & ((int64_t) 1 << 40); ++ ++ /* otherwise, clear bits 2^127 .. 2^96 */ ++ a = cond[0] & ~cond[1] & (cond[2] & (~cond[3] | cond[4])); ++ tmp[2] &= ~a | 0xffffffffff0000; ++ tmp[1] &= ~a | 0x0000ffffffffff; ++ ++ /* finally, subtract the last 2^32 - 1 */ ++ a = cond[0] & (cond[1] | (cond[2] & (~cond[3] | cond[4]))); ++ tmp[0] += a & (-((int64_t) 1 << 32) + 1); ++ ++ /* ++ * eliminate negative coefficients: if tmp[0] is negative, tmp[1] must be ++ * non-zero, so we only need one step ++ */ ++ a = tmp[0] >> 63; ++ tmp[0] += a & two56; ++ tmp[1] -= a & 1; ++ ++ /* Carry 1 -> 2 -> 3 -> 4 -> 5 -> 6 */ ++ tmp[2] += tmp[1] >> 56; ++ tmp[1] &= 0x00ffffffffffffff; ++ ++ tmp[3] += tmp[2] >> 56; ++ tmp[2] &= 0x00ffffffffffffff; ++ ++ tmp[4] += tmp[3] >> 56; ++ tmp[3] &= 0x00ffffffffffffff; ++ ++ tmp[5] += tmp[4] >> 56; ++ tmp[4] &= 0x00ffffffffffffff; ++ ++ tmp[6] += tmp[5] >> 56; ++ tmp[5] &= 0x00ffffffffffffff; ++ ++ memcpy(out, tmp, sizeof(felem)); ++} ++ ++/*- ++ * Group operations ++ * ---------------- ++ * ++ * Building on top of the field operations we have the operations on the ++ * elliptic curve group itself. Points on the curve are represented in Jacobian ++ * coordinates ++ */ ++ ++/*- ++ * point_double calculates 2*(x_in, y_in, z_in) ++ * ++ * The method is taken from: ++ * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b ++ * ++ * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed. ++ * while x_out == y_in is not (maybe this works, but it's not tested). ++ */ ++static void ++point_double(felem x_out, felem y_out, felem z_out, ++ const felem x_in, const felem y_in, const felem z_in) ++{ ++ widefelem tmp, tmp2; ++ felem delta, gamma, beta, alpha, ftmp, ftmp2; ++ ++ felem_assign(ftmp, x_in); ++ felem_assign(ftmp2, x_in); ++ ++ /* delta = z^2 */ ++ felem_square_reduce(delta, z_in); /* delta[i] < 2^56 */ ++ ++ /* gamma = y^2 */ ++ felem_square_reduce(gamma, y_in); /* gamma[i] < 2^56 */ ++ ++ /* beta = x*gamma */ ++ felem_mul_reduce(beta, x_in, gamma); /* beta[i] < 2^56 */ ++ ++ /* alpha = 3*(x-delta)*(x+delta) */ ++ felem_diff64(ftmp, delta); /* ftmp[i] < 2^60 + 2^58 + 2^44 */ ++ felem_sum64(ftmp2, delta); /* ftmp2[i] < 2^59 */ ++ felem_scalar64(ftmp2, 3); /* ftmp2[i] < 2^61 */ ++ felem_mul_reduce(alpha, ftmp, ftmp2); /* alpha[i] < 2^56 */ ++ ++ /* x' = alpha^2 - 8*beta */ ++ felem_square(tmp, alpha); /* tmp[i] < 2^115 */ ++ felem_assign(ftmp, beta); /* ftmp[i] < 2^56 */ ++ felem_scalar64(ftmp, 8); /* ftmp[i] < 2^59 */ ++ felem_diff_128_64(tmp, ftmp); /* tmp[i] < 2^115 + 2^64 + 2^48 */ ++ felem_reduce(x_out, tmp); /* x_out[i] < 2^56 */ ++ ++ /* z' = (y + z)^2 - gamma - delta */ ++ felem_sum64(delta, gamma); /* delta[i] < 2^57 */ ++ felem_assign(ftmp, y_in); /* ftmp[i] < 2^56 */ ++ felem_sum64(ftmp, z_in); /* ftmp[i] < 2^56 */ ++ felem_square(tmp, ftmp); /* tmp[i] < 2^115 */ ++ felem_diff_128_64(tmp, delta); /* tmp[i] < 2^115 + 2^64 + 2^48 */ ++ felem_reduce(z_out, tmp); /* z_out[i] < 2^56 */ ++ ++ /* y' = alpha*(4*beta - x') - 8*gamma^2 */ ++ felem_scalar64(beta, 4); /* beta[i] < 2^58 */ ++ felem_diff64(beta, x_out); /* beta[i] < 2^60 + 2^58 + 2^44 */ ++ felem_mul(tmp, alpha, beta); /* tmp[i] < 2^119 */ ++ felem_square(tmp2, gamma); /* tmp2[i] < 2^115 */ ++ felem_scalar128(tmp2, 8); /* tmp2[i] < 2^118 */ ++ felem_diff128(tmp, tmp2); /* tmp[i] < 2^127 + 2^119 + 2^111 */ ++ felem_reduce(y_out, tmp); /* tmp[i] < 2^56 */ ++} ++ ++/* copy_conditional copies in to out iff mask is all ones. */ ++static void copy_conditional(felem out, const felem in, limb mask) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < NLIMBS; i++) ++ out[i] ^= mask & (in[i] ^ out[i]); ++} ++ ++/*- ++ * point_add calculates (x1, y1, z1) + (x2, y2, z2) ++ * ++ * The method is taken from ++ * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl, ++ * adapted for mixed addition (z2 = 1, or z2 = 0 for the point at infinity). ++ * ++ * This function includes a branch for checking whether the two input points ++ * are equal (while not equal to the point at infinity). See comment below ++ * on constant-time. ++ */ ++static void point_add(felem x3, felem y3, felem z3, ++ const felem x1, const felem y1, const felem z1, ++ const int mixed, const felem x2, const felem y2, ++ const felem z2) ++{ ++ felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6, x_out, y_out, z_out; ++ widefelem tmp, tmp2; ++ limb x_equal, y_equal, z1_is_zero, z2_is_zero; ++ limb points_equal; ++ ++ z1_is_zero = felem_is_zero(z1); ++ z2_is_zero = felem_is_zero(z2); ++ ++ /* ftmp = z1z1 = z1**2 */ ++ felem_square_reduce(ftmp, z1); /* ftmp[i] < 2^56 */ ++ ++ if (!mixed) { ++ /* ftmp2 = z2z2 = z2**2 */ ++ felem_square_reduce(ftmp2, z2); /* ftmp2[i] < 2^56 */ ++ ++ /* u1 = ftmp3 = x1*z2z2 */ ++ felem_mul_reduce(ftmp3, x1, ftmp2); /* ftmp3[i] < 2^56 */ ++ ++ /* ftmp5 = z1 + z2 */ ++ felem_assign(ftmp5, z1); /* ftmp5[i] < 2^56 */ ++ felem_sum64(ftmp5, z2); /* ftmp5[i] < 2^57 */ ++ ++ /* ftmp5 = (z1 + z2)**2 - z1z1 - z2z2 = 2*z1z2 */ ++ felem_square(tmp, ftmp5); /* tmp[i] < 2^117 */ ++ felem_diff_128_64(tmp, ftmp); /* tmp[i] < 2^117 + 2^64 + 2^48 */ ++ felem_diff_128_64(tmp, ftmp2); /* tmp[i] < 2^117 + 2^65 + 2^49 */ ++ felem_reduce(ftmp5, tmp); /* ftmp5[i] < 2^56 */ ++ ++ /* ftmp2 = z2 * z2z2 */ ++ felem_mul_reduce(ftmp2, ftmp2, z2); /* ftmp2[i] < 2^56 */ ++ ++ /* s1 = ftmp6 = y1 * z2**3 */ ++ felem_mul_reduce(ftmp6, y1, ftmp2); /* ftmp6[i] < 2^56 */ ++ } else { ++ /* ++ * We'll assume z2 = 1 (special case z2 = 0 is handled later) ++ */ ++ ++ /* u1 = ftmp3 = x1*z2z2 */ ++ felem_assign(ftmp3, x1); /* ftmp3[i] < 2^56 */ ++ ++ /* ftmp5 = 2*z1z2 */ ++ felem_scalar(ftmp5, z1, 2); /* ftmp5[i] < 2^57 */ ++ ++ /* s1 = ftmp6 = y1 * z2**3 */ ++ felem_assign(ftmp6, y1); /* ftmp6[i] < 2^56 */ ++ } ++ /* ftmp3[i] < 2^56, ftmp5[i] < 2^57, ftmp6[i] < 2^56 */ ++ ++ /* u2 = x2*z1z1 */ ++ felem_mul(tmp, x2, ftmp); /* tmp[i] < 2^115 */ ++ ++ /* h = ftmp4 = u2 - u1 */ ++ felem_diff_128_64(tmp, ftmp3); /* tmp[i] < 2^115 + 2^64 + 2^48 */ ++ felem_reduce(ftmp4, tmp); /* ftmp[4] < 2^56 */ ++ ++ x_equal = felem_is_zero(ftmp4); ++ ++ /* z_out = ftmp5 * h */ ++ felem_mul_reduce(z_out, ftmp5, ftmp4); /* z_out[i] < 2^56 */ ++ ++ /* ftmp = z1 * z1z1 */ ++ felem_mul_reduce(ftmp, ftmp, z1); /* ftmp[i] < 2^56 */ ++ ++ /* s2 = tmp = y2 * z1**3 */ ++ felem_mul(tmp, y2, ftmp); /* tmp[i] < 2^115 */ ++ ++ /* r = ftmp5 = (s2 - s1)*2 */ ++ felem_diff_128_64(tmp, ftmp6); /* tmp[i] < 2^115 + 2^64 + 2^48 */ ++ felem_reduce(ftmp5, tmp); /* ftmp5[i] < 2^56 */ ++ y_equal = felem_is_zero(ftmp5); ++ felem_scalar64(ftmp5, 2); /* ftmp5[i] < 2^57 */ ++ ++ /* ++ * The formulae are incorrect if the points are equal, in affine coordinates ++ * (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this ++ * happens. ++ * ++ * We use bitwise operations to avoid potential side-channels introduced by ++ * the short-circuiting behaviour of boolean operators. ++ * ++ * The special case of either point being the point at infinity (z1 and/or ++ * z2 are zero), is handled separately later on in this function, so we ++ * avoid jumping to point_double here in those special cases. ++ * ++ * Notice the comment below on the implications of this branching for timing ++ * leaks and why it is considered practically irrelevant. ++ */ ++ points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero)); ++ ++ if (points_equal) { ++ /* ++ * This is obviously not constant-time but it will almost-never happen ++ * for ECDH / ECDSA. ++ */ ++ point_double(x3, y3, z3, x1, y1, z1); ++ return; ++ } ++ ++ /* I = ftmp = (2h)**2 */ ++ felem_assign(ftmp, ftmp4); /* ftmp[i] < 2^56 */ ++ felem_scalar64(ftmp, 2); /* ftmp[i] < 2^57 */ ++ felem_square_reduce(ftmp, ftmp); /* ftmp[i] < 2^56 */ ++ ++ /* J = ftmp2 = h * I */ ++ felem_mul_reduce(ftmp2, ftmp4, ftmp); /* ftmp2[i] < 2^56 */ ++ ++ /* V = ftmp4 = U1 * I */ ++ felem_mul_reduce(ftmp4, ftmp3, ftmp); /* ftmp4[i] < 2^56 */ ++ ++ /* x_out = r**2 - J - 2V */ ++ felem_square(tmp, ftmp5); /* tmp[i] < 2^117 */ ++ felem_diff_128_64(tmp, ftmp2); /* tmp[i] < 2^117 + 2^64 + 2^48 */ ++ felem_assign(ftmp3, ftmp4); /* ftmp3[i] < 2^56 */ ++ felem_scalar64(ftmp4, 2); /* ftmp4[i] < 2^57 */ ++ felem_diff_128_64(tmp, ftmp4); /* tmp[i] < 2^117 + 2^65 + 2^49 */ ++ felem_reduce(x_out, tmp); /* x_out[i] < 2^56 */ ++ ++ /* y_out = r(V-x_out) - 2 * s1 * J */ ++ felem_diff64(ftmp3, x_out); /* ftmp3[i] < 2^60 + 2^56 + 2^44 */ ++ felem_mul(tmp, ftmp5, ftmp3); /* tmp[i] < 2^116 */ ++ felem_mul(tmp2, ftmp6, ftmp2); /* tmp2[i] < 2^115 */ ++ felem_scalar128(tmp2, 2); /* tmp2[i] < 2^116 */ ++ felem_diff128(tmp, tmp2); /* tmp[i] < 2^127 + 2^116 + 2^111 */ ++ felem_reduce(y_out, tmp); /* y_out[i] < 2^56 */ ++ ++ copy_conditional(x_out, x2, z1_is_zero); ++ copy_conditional(x_out, x1, z2_is_zero); ++ copy_conditional(y_out, y2, z1_is_zero); ++ copy_conditional(y_out, y1, z2_is_zero); ++ copy_conditional(z_out, z2, z1_is_zero); ++ copy_conditional(z_out, z1, z2_is_zero); ++ felem_assign(x3, x_out); ++ felem_assign(y3, y_out); ++ felem_assign(z3, z_out); ++} ++ ++/*- ++ * Base point pre computation ++ * -------------------------- ++ * ++ * Two different sorts of precomputed tables are used in the following code. ++ * Each contain various points on the curve, where each point is three field ++ * elements (x, y, z). ++ * ++ * For the base point table, z is usually 1 (0 for the point at infinity). ++ * This table has 16 elements: ++ * index | bits | point ++ * ------+---------+------------------------------ ++ * 0 | 0 0 0 0 | 0G ++ * 1 | 0 0 0 1 | 1G ++ * 2 | 0 0 1 0 | 2^95G ++ * 3 | 0 0 1 1 | (2^95 + 1)G ++ * 4 | 0 1 0 0 | 2^190G ++ * 5 | 0 1 0 1 | (2^190 + 1)G ++ * 6 | 0 1 1 0 | (2^190 + 2^95)G ++ * 7 | 0 1 1 1 | (2^190 + 2^95 + 1)G ++ * 8 | 1 0 0 0 | 2^285G ++ * 9 | 1 0 0 1 | (2^285 + 1)G ++ * 10 | 1 0 1 0 | (2^285 + 2^95)G ++ * 11 | 1 0 1 1 | (2^285 + 2^95 + 1)G ++ * 12 | 1 1 0 0 | (2^285 + 2^190)G ++ * 13 | 1 1 0 1 | (2^285 + 2^190 + 1)G ++ * 14 | 1 1 1 0 | (2^285 + 2^190 + 2^95)G ++ * 15 | 1 1 1 1 | (2^285 + 2^190 + 2^95 + 1)G ++ * ++ * The reason for this is so that we can clock bits into four different ++ * locations when doing simple scalar multiplies against the base point. ++ * ++ * Tables for other points have table[i] = iG for i in 0 .. 16. ++ */ ++ ++/* gmul is the table of precomputed base points */ ++static const felem gmul[16][3] = { ++{{0, 0, 0, 0, 0, 0, 0}, ++ {0, 0, 0, 0, 0, 0, 0}, ++ {0, 0, 0, 0, 0, 0, 0}}, ++{{0x00545e3872760ab7, 0x00f25dbf55296c3a, 0x00e082542a385502, 0x008ba79b9859f741, ++ 0x0020ad746e1d3b62, 0x0005378eb1c71ef3, 0x0000aa87ca22be8b}, ++ {0x00431d7c90ea0e5f, 0x00b1ce1d7e819d7a, 0x0013b5f0b8c00a60, 0x00289a147ce9da31, ++ 0x0092dc29f8f41dbd, 0x002c6f5d9e98bf92, 0x00003617de4a9626}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x00024711cc902a90, 0x00acb2e579ab4fe1, 0x00af818a4b4d57b1, 0x00a17c7bec49c3de, ++ 0x004280482d726a8b, 0x00128dd0f0a90f3b, 0x00004387c1c3fa3c}, ++ {0x002ce76543cf5c3a, 0x00de6cee5ef58f0a, 0x00403e42fa561ca6, 0x00bc54d6f9cb9731, ++ 0x007155f925fb4ff1, 0x004a9ce731b7b9bc, 0x00002609076bd7b2}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x00e74c9182f0251d, 0x0039bf54bb111974, 0x00b9d2f2eec511d2, 0x0036b1594eb3a6a4, ++ 0x00ac3bb82d9d564b, 0x00f9313f4615a100, 0x00006716a9a91b10}, ++ {0x0046698116e2f15c, 0x00f34347067d3d33, 0x008de4ccfdebd002, 0x00e838c6b8e8c97b, ++ 0x006faf0798def346, 0x007349794a57563c, 0x00002629e7e6ad84}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x0075300e34fd163b, 0x0092e9db4e8d0ad3, 0x00254be9f625f760, 0x00512c518c72ae68, ++ 0x009bfcf162bede5a, 0x00bf9341566ce311, 0x0000cd6175bd41cf}, ++ {0x007dfe52af4ac70f, 0x0002159d2d5c4880, 0x00b504d16f0af8d0, 0x0014585e11f5e64c, ++ 0x0089c6388e030967, 0x00ffb270cbfa5f71, 0x00009a15d92c3947}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x0033fc1278dc4fe5, 0x00d53088c2caa043, 0x0085558827e2db66, 0x00c192bef387b736, ++ 0x00df6405a2225f2c, 0x0075205aa90fd91a, 0x0000137e3f12349d}, ++ {0x00ce5b115efcb07e, 0x00abc3308410deeb, 0x005dc6fc1de39904, 0x00907c1c496f36b4, ++ 0x0008e6ad3926cbe1, 0x00110747b787928c, 0x0000021b9162eb7e}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x008180042cfa26e1, 0x007b826a96254967, 0x0082473694d6b194, 0x007bd6880a45b589, ++ 0x00c0a5097072d1a3, 0x0019186555e18b4e, 0x000020278190e5ca}, ++ {0x00b4bef17de61ac0, 0x009535e3c38ed348, 0x002d4aa8e468ceab, 0x00ef40b431036ad3, ++ 0x00defd52f4542857, 0x0086edbf98234266, 0x00002025b3a7814d}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x00b238aa97b886be, 0x00ef3192d6dd3a32, 0x0079f9e01fd62df8, 0x00742e890daba6c5, ++ 0x008e5289144408ce, 0x0073bbcc8e0171a5, 0x0000c4fd329d3b52}, ++ {0x00c6f64a15ee23e7, 0x00dcfb7b171cad8b, 0x00039f6cbd805867, 0x00de024e428d4562, ++ 0x00be6a594d7c64c5, 0x0078467b70dbcd64, 0x0000251f2ed7079b}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x000e5cc25fc4b872, 0x005ebf10d31ef4e1, 0x0061e0ebd11e8256, 0x0076e026096f5a27, ++ 0x0013e6fc44662e9a, 0x0042b00289d3597e, 0x000024f089170d88}, ++ {0x001604d7e0effbe6, 0x0048d77cba64ec2c, 0x008166b16da19e36, 0x006b0d1a0f28c088, ++ 0x000259fcd47754fd, 0x00cc643e4d725f9a, 0x00007b10f3c79c14}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x00430155e3b908af, 0x00b801e4fec25226, 0x00b0d4bcfe806d26, 0x009fc4014eb13d37, ++ 0x0066c94e44ec07e8, 0x00d16adc03874ba2, 0x000030c917a0d2a7}, ++ {0x00edac9e21eb891c, 0x00ef0fb768102eff, 0x00c088cef272a5f3, 0x00cbf782134e2964, ++ 0x0001044a7ba9a0e3, 0x00e363f5b194cf3c, 0x00009ce85249e372}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x001dd492dda5a7eb, 0x008fd577be539fd1, 0x002ff4b25a5fc3f1, 0x0074a8a1b64df72f, ++ 0x002ba3d8c204a76c, 0x009d5cff95c8235a, 0x0000e014b9406e0f}, ++ {0x008c2e4dbfc98aba, 0x00f30bb89f1a1436, 0x00b46f7aea3e259c, 0x009224454ac02f54, ++ 0x00906401f5645fa2, 0x003a1d1940eabc77, 0x00007c9351d680e6}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x005a35d872ef967c, 0x0049f1b7884e1987, 0x0059d46d7e31f552, 0x00ceb4869d2d0fb6, ++ 0x00e8e89eee56802a, 0x0049d806a774aaf2, 0x0000147e2af0ae24}, ++ {0x005fd1bd852c6e5e, 0x00b674b7b3de6885, 0x003b9ea5eb9b6c08, 0x005c9f03babf3ef7, ++ 0x00605337fecab3c7, 0x009a3f85b11bbcc8, 0x0000455470f330ec}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x002197ff4d55498d, 0x00383e8916c2d8af, 0x00eb203f34d1c6d2, 0x0080367cbd11b542, ++ 0x00769b3be864e4f5, 0x0081a8458521c7bb, 0x0000c531b34d3539}, ++ {0x00e2a3d775fa2e13, 0x00534fc379573844, 0x00ff237d2a8db54a, 0x00d301b2335a8882, ++ 0x000f75ea96103a80, 0x0018fecb3cdd96fa, 0x0000304bf61e94eb}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x00b2afc332a73dbd, 0x0029a0d5bb007bc5, 0x002d628eb210f577, 0x009f59a36dd05f50, ++ 0x006d339de4eca613, 0x00c75a71addc86bc, 0x000060384c5ea93c}, ++ {0x00aa9641c32a30b4, 0x00cc73ae8cce565d, 0x00ec911a4df07f61, 0x00aa4b762ea4b264, ++ 0x0096d395bb393629, 0x004efacfb7632fe0, 0x00006f252f46fa3f}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x00567eec597c7af6, 0x0059ba6795204413, 0x00816d4e6f01196f, 0x004ae6b3eb57951d, ++ 0x00420f5abdda2108, 0x003401d1f57ca9d9, 0x0000cf5837b0b67a}, ++ {0x00eaa64b8aeeabf9, 0x00246ddf16bcb4de, 0x000e7e3c3aecd751, 0x0008449f04fed72e, ++ 0x00307b67ccf09183, 0x0017108c3556b7b1, 0x0000229b2483b3bf}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x00e7c491a7bb78a1, 0x00eafddd1d3049ab, 0x00352c05e2bc7c98, 0x003d6880c165fa5c, ++ 0x00b6ac61cc11c97d, 0x00beeb54fcf90ce5, 0x0000dc1f0b455edc}, ++ {0x002db2e7aee34d60, 0x0073b5f415a2d8c0, 0x00dd84e4193e9a0c, 0x00d02d873467c572, ++ 0x0018baaeda60aee5, 0x0013fb11d697c61e, 0x000083aafcc3a973}, ++ {1, 0, 0, 0, 0, 0, 0}} ++}; ++ ++/* ++ * select_point selects the |idx|th point from a precomputation table and ++ * copies it to out. ++ * ++ * pre_comp below is of the size provided in |size|. ++ */ ++static void select_point(const limb idx, unsigned int size, ++ const felem pre_comp[][3], felem out[3]) ++{ ++ unsigned int i, j; ++ limb *outlimbs = &out[0][0]; ++ ++ memset(out, 0, sizeof(*out) * 3); ++ ++ for (i = 0; i < size; i++) { ++ const limb *inlimbs = &pre_comp[i][0][0]; ++ limb mask = i ^ idx; ++ ++ mask |= mask >> 4; ++ mask |= mask >> 2; ++ mask |= mask >> 1; ++ mask &= 1; ++ mask--; ++ for (j = 0; j < NLIMBS * 3; j++) ++ outlimbs[j] |= inlimbs[j] & mask; ++ } ++} ++ ++/* get_bit returns the |i|th bit in |in| */ ++static char get_bit(const felem_bytearray in, int i) ++{ ++ if (i < 0 || i >= 384) ++ return 0; ++ return (in[i >> 3] >> (i & 7)) & 1; ++} ++ ++/* ++ * Interleaved point multiplication using precomputed point multiples: The ++ * small point multiples 0*P, 1*P, ..., 16*P are in pre_comp[], the scalars ++ * in scalars[]. If g_scalar is non-NULL, we also add this multiple of the ++ * generator, using certain (large) precomputed multiples in g_pre_comp. ++ * Output point (X, Y, Z) is stored in x_out, y_out, z_out ++ */ ++static void batch_mul(felem x_out, felem y_out, felem z_out, ++ const felem_bytearray scalars[], ++ const unsigned int num_points, const u8 *g_scalar, ++ const int mixed, const felem pre_comp[][17][3], ++ const felem g_pre_comp[16][3]) ++{ ++ int i, skip; ++ unsigned int num, gen_mul = (g_scalar != NULL); ++ felem nq[3], tmp[4]; ++ limb bits; ++ u8 sign, digit; ++ ++ /* set nq to the point at infinity */ ++ memset(nq, 0, sizeof(nq)); ++ ++ /* ++ * Loop over all scalars msb-to-lsb, interleaving additions of multiples ++ * of the generator (last quarter of rounds) and additions of other ++ * points multiples (every 5th round). ++ */ ++ skip = 1; /* save two point operations in the first ++ * round */ ++ for (i = (num_points ? 380 : 98); i >= 0; --i) { ++ /* double */ ++ if (!skip) ++ point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]); ++ ++ /* add multiples of the generator */ ++ if (gen_mul && (i <= 98)) { ++ bits = get_bit(g_scalar, i + 285) << 3; ++ if (i < 95) { ++ bits |= get_bit(g_scalar, i + 190) << 2; ++ bits |= get_bit(g_scalar, i + 95) << 1; ++ bits |= get_bit(g_scalar, i); ++ } ++ /* select the point to add, in constant time */ ++ select_point(bits, 16, g_pre_comp, tmp); ++ if (!skip) { ++ /* The 1 argument below is for "mixed" */ ++ point_add(nq[0], nq[1], nq[2], ++ nq[0], nq[1], nq[2], 1, ++ tmp[0], tmp[1], tmp[2]); ++ } else { ++ memcpy(nq, tmp, 3 * sizeof(felem)); ++ skip = 0; ++ } ++ } ++ ++ /* do other additions every 5 doublings */ ++ if (num_points && (i % 5 == 0)) { ++ /* loop over all scalars */ ++ for (num = 0; num < num_points; ++num) { ++ bits = get_bit(scalars[num], i + 4) << 5; ++ bits |= get_bit(scalars[num], i + 3) << 4; ++ bits |= get_bit(scalars[num], i + 2) << 3; ++ bits |= get_bit(scalars[num], i + 1) << 2; ++ bits |= get_bit(scalars[num], i) << 1; ++ bits |= get_bit(scalars[num], i - 1); ++ ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits); ++ ++ /* ++ * select the point to add or subtract, in constant time ++ */ ++ select_point(digit, 17, pre_comp[num], tmp); ++ felem_neg(tmp[3], tmp[1]); /* (X, -Y, Z) is the negative ++ * point */ ++ copy_conditional(tmp[1], tmp[3], (-(limb) sign)); ++ ++ if (!skip) { ++ point_add(nq[0], nq[1], nq[2], ++ nq[0], nq[1], nq[2], mixed, ++ tmp[0], tmp[1], tmp[2]); ++ } else { ++ memcpy(nq, tmp, 3 * sizeof(felem)); ++ skip = 0; ++ } ++ } ++ } ++ } ++ felem_assign(x_out, nq[0]); ++ felem_assign(y_out, nq[1]); ++ felem_assign(z_out, nq[2]); ++} ++ ++/* Precomputation for the group generator. */ ++struct nistp384_pre_comp_st { ++ felem g_pre_comp[16][3]; ++ CRYPTO_REF_COUNT refcnt; ++ CRYPTO_RWLOCK *refcnt_lock; ++}; ++ ++const EC_METHOD *ossl_ec_GFp_nistp384_method(void) ++{ ++ static const EC_METHOD ret = { ++ EC_FLAGS_DEFAULT_OCT, ++ NID_X9_62_prime_field, ++ ossl_ec_GFp_nistp384_group_init, ++ ec_GFp_simple_group_finish, ++ ec_GFp_simple_group_clear_finish, ++ ec_GFp_nist_group_copy, ++ ossl_ec_GFp_nistp384_group_set_curve, ++ ec_GFp_simple_group_get_curve, ++ ec_GFp_simple_group_get_degree, ++ ec_group_simple_order_bits, ++ ec_GFp_simple_group_check_discriminant, ++ ec_GFp_simple_point_init, ++ ec_GFp_simple_point_finish, ++ ec_GFp_simple_point_clear_finish, ++ ec_GFp_simple_point_copy, ++ ec_GFp_simple_point_set_to_infinity, ++ ec_GFp_simple_set_Jprojective_coordinates_GFp, ++ ec_GFp_simple_get_Jprojective_coordinates_GFp, ++ ec_GFp_simple_point_set_affine_coordinates, ++ ossl_ec_GFp_nistp384_point_get_affine_coordinates, ++ 0, /* point_set_compressed_coordinates */ ++ 0, /* point2oct */ ++ 0, /* oct2point */ ++ ec_GFp_simple_add, ++ ec_GFp_simple_dbl, ++ ec_GFp_simple_invert, ++ ec_GFp_simple_is_at_infinity, ++ ec_GFp_simple_is_on_curve, ++ ec_GFp_simple_cmp, ++ ec_GFp_simple_make_affine, ++ ec_GFp_simple_points_make_affine, ++ ossl_ec_GFp_nistp384_points_mul, ++ ossl_ec_GFp_nistp384_precompute_mult, ++ ossl_ec_GFp_nistp384_have_precompute_mult, ++ ec_GFp_nist_field_mul, ++ ec_GFp_nist_field_sqr, ++ 0, /* field_div */ ++ ec_GFp_simple_field_inv, ++ 0, /* field_encode */ ++ 0, /* field_decode */ ++ 0, /* field_set_to_one */ ++ ec_key_simple_priv2oct, ++ ec_key_simple_oct2priv, ++ 0, /* set private */ ++ ec_key_simple_generate_key, ++ ec_key_simple_check_key, ++ ec_key_simple_generate_public_key, ++ 0, /* keycopy */ ++ 0, /* keyfinish */ ++ ecdh_simple_compute_key, ++ ecdsa_simple_sign_setup, ++ ecdsa_simple_sign_sig, ++ ecdsa_simple_verify_sig, ++ 0, /* field_inverse_mod_ord */ ++ 0, /* blind_coordinates */ ++ 0, /* ladder_pre */ ++ 0, /* ladder_step */ ++ 0 /* ladder_post */ ++ }; ++ ++ return &ret; ++} ++ ++/******************************************************************************/ ++/* ++ * FUNCTIONS TO MANAGE PRECOMPUTATION ++ */ ++ ++static NISTP384_PRE_COMP *nistp384_pre_comp_new(void) ++{ ++ NISTP384_PRE_COMP *ret = OPENSSL_zalloc(sizeof(*ret)); ++ ++ if (ret == NULL || (ret->refcnt_lock = CRYPTO_THREAD_lock_new()) == NULL) { ++ OPENSSL_free(ret); ++ return NULL; ++ } ++ ++ ret->refcnt = 1; ++ return ret; ++} ++ ++NISTP384_PRE_COMP *ossl_ec_nistp384_pre_comp_dup(NISTP384_PRE_COMP *p) ++{ ++ int i; ++ ++ if (p != NULL) ++ CRYPTO_UP_REF(&p->refcnt, &i, p->refcnt_lock); ++ return p; ++} ++ ++void ossl_ec_nistp384_pre_comp_free(NISTP384_PRE_COMP *p) ++{ ++ int i; ++ ++ if (p == NULL) ++ return; ++ ++ CRYPTO_DOWN_REF(&p->refcnt, &i, p->refcnt_lock); ++ REF_PRINT_COUNT("ec_nistp384", p); ++ if (i > 0) ++ return; ++ REF_ASSERT_ISNT(i < 0); ++ ++ CRYPTO_THREAD_lock_free(p->refcnt_lock); ++ OPENSSL_free(p); ++} ++ ++/******************************************************************************/ ++/* ++ * OPENSSL EC_METHOD FUNCTIONS ++ */ ++ ++int ossl_ec_GFp_nistp384_group_init(EC_GROUP *group) ++{ ++ int ret; ++ ++ ret = ec_GFp_simple_group_init(group); ++ group->a_is_minus3 = 1; ++ return ret; ++} ++ ++int ossl_ec_GFp_nistp384_group_set_curve(EC_GROUP *group, const BIGNUM *p, ++ const BIGNUM *a, const BIGNUM *b, ++ BN_CTX *ctx) ++{ ++ int ret = 0; ++ BIGNUM *curve_p, *curve_a, *curve_b; ++#ifndef FIPS_MODULE ++ BN_CTX *new_ctx = NULL; ++ ++ if (ctx == NULL) ++ ctx = new_ctx = BN_CTX_new(); ++#endif ++ if (ctx == NULL) ++ return 0; ++ ++ BN_CTX_start(ctx); ++ curve_p = BN_CTX_get(ctx); ++ curve_a = BN_CTX_get(ctx); ++ curve_b = BN_CTX_get(ctx); ++ if (curve_b == NULL) ++ goto err; ++ BN_bin2bn(nistp384_curve_params[0], sizeof(felem_bytearray), curve_p); ++ BN_bin2bn(nistp384_curve_params[1], sizeof(felem_bytearray), curve_a); ++ BN_bin2bn(nistp384_curve_params[2], sizeof(felem_bytearray), curve_b); ++ if ((BN_cmp(curve_p, p)) || (BN_cmp(curve_a, a)) || (BN_cmp(curve_b, b))) { ++ ECerr(EC_F_EC_GFP_NISTP384_GROUP_SET_CURVE, EC_R_WRONG_CURVE_PARAMETERS); ++ goto err; ++ } ++ group->field_mod_func = BN_nist_mod_384; ++ ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx); ++ err: ++ BN_CTX_end(ctx); ++#ifndef FIPS_MODULE ++ BN_CTX_free(new_ctx); ++#endif ++ return ret; ++} ++ ++/* ++ * Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') = ++ * (X/Z^2, Y/Z^3) ++ */ ++int ossl_ec_GFp_nistp384_point_get_affine_coordinates(const EC_GROUP *group, ++ const EC_POINT *point, ++ BIGNUM *x, BIGNUM *y, ++ BN_CTX *ctx) ++{ ++ felem z1, z2, x_in, y_in, x_out, y_out; ++ widefelem tmp; ++ ++ if (EC_POINT_is_at_infinity(group, point)) { ++ ECerr(EC_F_EC_GFP_NISTP384_POINT_GET_AFFINE_COORDINATES, EC_R_POINT_AT_INFINITY); ++ return 0; ++ } ++ if ((!BN_to_felem(x_in, point->X)) || (!BN_to_felem(y_in, point->Y)) || ++ (!BN_to_felem(z1, point->Z))) ++ return 0; ++ felem_inv(z2, z1); ++ felem_square(tmp, z2); ++ felem_reduce(z1, tmp); ++ felem_mul(tmp, x_in, z1); ++ felem_reduce(x_in, tmp); ++ felem_contract(x_out, x_in); ++ if (x != NULL) { ++ if (!felem_to_BN(x, x_out)) { ++ ECerr(EC_F_EC_GFP_NISTP384_POINT_GET_AFFINE_COORDINATES, ERR_R_BN_LIB); ++ return 0; ++ } ++ } ++ felem_mul(tmp, z1, z2); ++ felem_reduce(z1, tmp); ++ felem_mul(tmp, y_in, z1); ++ felem_reduce(y_in, tmp); ++ felem_contract(y_out, y_in); ++ if (y != NULL) { ++ if (!felem_to_BN(y, y_out)) { ++ ECerr(EC_F_EC_GFP_NISTP384_POINT_GET_AFFINE_COORDINATES, ERR_R_BN_LIB); ++ return 0; ++ } ++ } ++ return 1; ++} ++ ++/* points below is of size |num|, and tmp_felems is of size |num+1/ */ ++static void make_points_affine(size_t num, felem points[][3], ++ felem tmp_felems[]) ++{ ++ /* ++ * Runs in constant time, unless an input is the point at infinity (which ++ * normally shouldn't happen). ++ */ ++ ec_GFp_nistp_points_make_affine_internal(num, ++ points, ++ sizeof(felem), ++ tmp_felems, ++ (void (*)(void *))felem_one, ++ felem_is_zero_int, ++ (void (*)(void *, const void *)) ++ felem_assign, ++ (void (*)(void *, const void *)) ++ felem_square_reduce, ++ (void (*)(void *, const void *, const void*)) ++ felem_mul_reduce, ++ (void (*)(void *, const void *)) ++ felem_inv, ++ (void (*)(void *, const void *)) ++ felem_contract); ++} ++ ++/* ++ * Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL ++ * values Result is stored in r (r can equal one of the inputs). ++ */ ++int ossl_ec_GFp_nistp384_points_mul(const EC_GROUP *group, EC_POINT *r, ++ const BIGNUM *scalar, size_t num, ++ const EC_POINT *points[], ++ const BIGNUM *scalars[], BN_CTX *ctx) ++{ ++ int ret = 0; ++ int j; ++ int mixed = 0; ++ BIGNUM *x, *y, *z, *tmp_scalar; ++ felem_bytearray g_secret; ++ felem_bytearray *secrets = NULL; ++ felem (*pre_comp)[17][3] = NULL; ++ felem *tmp_felems = NULL; ++ unsigned int i; ++ int num_bytes; ++ int have_pre_comp = 0; ++ size_t num_points = num; ++ felem x_in, y_in, z_in, x_out, y_out, z_out; ++ NISTP384_PRE_COMP *pre = NULL; ++ felem(*g_pre_comp)[3] = NULL; ++ EC_POINT *generator = NULL; ++ const EC_POINT *p = NULL; ++ const BIGNUM *p_scalar = NULL; ++ ++ BN_CTX_start(ctx); ++ x = BN_CTX_get(ctx); ++ y = BN_CTX_get(ctx); ++ z = BN_CTX_get(ctx); ++ tmp_scalar = BN_CTX_get(ctx); ++ if (tmp_scalar == NULL) ++ goto err; ++ ++ if (scalar != NULL) { ++ pre = group->pre_comp.nistp384; ++ if (pre) ++ /* we have precomputation, try to use it */ ++ g_pre_comp = &pre->g_pre_comp[0]; ++ else ++ /* try to use the standard precomputation */ ++ g_pre_comp = (felem(*)[3]) gmul; ++ generator = EC_POINT_new(group); ++ if (generator == NULL) ++ goto err; ++ /* get the generator from precomputation */ ++ if (!felem_to_BN(x, g_pre_comp[1][0]) || ++ !felem_to_BN(y, g_pre_comp[1][1]) || ++ !felem_to_BN(z, g_pre_comp[1][2])) { ++ ECerr(EC_F_EC_GFP_NISTP384_POINTS_MUL, ERR_R_BN_LIB); ++ goto err; ++ } ++ if (!ec_GFp_simple_set_Jprojective_coordinates_GFp(group, ++ generator, ++ x, y, z, ctx)) ++ goto err; ++ if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) ++ /* precomputation matches generator */ ++ have_pre_comp = 1; ++ else ++ /* ++ * we don't have valid precomputation: treat the generator as a ++ * random point ++ */ ++ num_points++; ++ } ++ ++ if (num_points > 0) { ++ if (num_points >= 2) { ++ /* ++ * unless we precompute multiples for just one point, converting ++ * those into affine form is time well spent ++ */ ++ mixed = 1; ++ } ++ secrets = OPENSSL_zalloc(sizeof(*secrets) * num_points); ++ pre_comp = OPENSSL_zalloc(sizeof(*pre_comp) * num_points); ++ if (mixed) ++ tmp_felems = ++ OPENSSL_malloc(sizeof(*tmp_felems) * (num_points * 17 + 1)); ++ if ((secrets == NULL) || (pre_comp == NULL) ++ || (mixed && (tmp_felems == NULL))) ++ goto err; ++ ++ /* ++ * we treat NULL scalars as 0, and NULL points as points at infinity, ++ * i.e., they contribute nothing to the linear combination ++ */ ++ for (i = 0; i < num_points; ++i) { ++ if (i == num) { ++ /* ++ * we didn't have a valid precomputation, so we pick the ++ * generator ++ */ ++ p = EC_GROUP_get0_generator(group); ++ p_scalar = scalar; ++ } else { ++ /* the i^th point */ ++ p = points[i]; ++ p_scalar = scalars[i]; ++ } ++ if (p_scalar != NULL && p != NULL) { ++ /* reduce scalar to 0 <= scalar < 2^384 */ ++ if ((BN_num_bits(p_scalar) > 384) ++ || (BN_is_negative(p_scalar))) { ++ /* ++ * this is an unusual input, and we don't guarantee ++ * constant-timeness ++ */ ++ if (!BN_nnmod(tmp_scalar, p_scalar, group->order, ctx)) { ++ ECerr(EC_F_EC_GFP_NISTP384_POINTS_MUL, ERR_R_BN_LIB); ++ goto err; ++ } ++ num_bytes = BN_bn2lebinpad(tmp_scalar, ++ secrets[i], sizeof(secrets[i])); ++ } else { ++ num_bytes = BN_bn2lebinpad(p_scalar, ++ secrets[i], sizeof(secrets[i])); ++ } ++ if (num_bytes < 0) { ++ ECerr(EC_F_EC_GFP_NISTP384_POINTS_MUL, ERR_R_BN_LIB); ++ goto err; ++ } ++ /* precompute multiples */ ++ if ((!BN_to_felem(x_out, p->X)) || ++ (!BN_to_felem(y_out, p->Y)) || ++ (!BN_to_felem(z_out, p->Z))) ++ goto err; ++ memcpy(pre_comp[i][1][0], x_out, sizeof(felem)); ++ memcpy(pre_comp[i][1][1], y_out, sizeof(felem)); ++ memcpy(pre_comp[i][1][2], z_out, sizeof(felem)); ++ for (j = 2; j <= 16; ++j) { ++ if (j & 1) { ++ point_add(pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2], ++ pre_comp[i][1][0], pre_comp[i][1][1], pre_comp[i][1][2], 0, ++ pre_comp[i][j - 1][0], pre_comp[i][j - 1][1], pre_comp[i][j - 1][2]); ++ } else { ++ point_double(pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2], ++ pre_comp[i][j / 2][0], pre_comp[i][j / 2][1], pre_comp[i][j / 2][2]); ++ } ++ } ++ } ++ } ++ if (mixed) ++ make_points_affine(num_points * 17, pre_comp[0], tmp_felems); ++ } ++ ++ /* the scalar for the generator */ ++ if (scalar != NULL && have_pre_comp) { ++ memset(g_secret, 0, sizeof(g_secret)); ++ /* reduce scalar to 0 <= scalar < 2^384 */ ++ if ((BN_num_bits(scalar) > 384) || (BN_is_negative(scalar))) { ++ /* ++ * this is an unusual input, and we don't guarantee ++ * constant-timeness ++ */ ++ if (!BN_nnmod(tmp_scalar, scalar, group->order, ctx)) { ++ ECerr(EC_F_EC_GFP_NISTP384_POINTS_MUL, ERR_R_BN_LIB); ++ goto err; ++ } ++ num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret)); ++ } else { ++ num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret)); ++ } ++ /* do the multiplication with generator precomputation */ ++ batch_mul(x_out, y_out, z_out, ++ (const felem_bytearray(*))secrets, num_points, ++ g_secret, ++ mixed, (const felem(*)[17][3])pre_comp, ++ (const felem(*)[3])g_pre_comp); ++ } else { ++ /* do the multiplication without generator precomputation */ ++ batch_mul(x_out, y_out, z_out, ++ (const felem_bytearray(*))secrets, num_points, ++ NULL, mixed, (const felem(*)[17][3])pre_comp, NULL); ++ } ++ /* reduce the output to its unique minimal representation */ ++ felem_contract(x_in, x_out); ++ felem_contract(y_in, y_out); ++ felem_contract(z_in, z_out); ++ if ((!felem_to_BN(x, x_in)) || (!felem_to_BN(y, y_in)) || ++ (!felem_to_BN(z, z_in))) { ++ ECerr(EC_F_EC_GFP_NISTP384_POINTS_MUL, ERR_R_BN_LIB); ++ goto err; ++ } ++ ret = ec_GFp_simple_set_Jprojective_coordinates_GFp(group, r, x, y, z, ++ ctx); ++ ++ err: ++ BN_CTX_end(ctx); ++ EC_POINT_free(generator); ++ OPENSSL_free(secrets); ++ OPENSSL_free(pre_comp); ++ OPENSSL_free(tmp_felems); ++ return ret; ++} ++ ++int ossl_ec_GFp_nistp384_precompute_mult(EC_GROUP *group, BN_CTX *ctx) ++{ ++ int ret = 0; ++ NISTP384_PRE_COMP *pre = NULL; ++ int i, j; ++ BIGNUM *x, *y; ++ EC_POINT *generator = NULL; ++ felem tmp_felems[16]; ++#ifndef FIPS_MODULE ++ BN_CTX *new_ctx = NULL; ++#endif ++ ++ /* throw away old precomputation */ ++ EC_pre_comp_free(group); ++ ++#ifndef FIPS_MODULE ++ if (ctx == NULL) ++ ctx = new_ctx = BN_CTX_new(); ++#endif ++ if (ctx == NULL) ++ return 0; ++ ++ BN_CTX_start(ctx); ++ x = BN_CTX_get(ctx); ++ y = BN_CTX_get(ctx); ++ if (y == NULL) ++ goto err; ++ /* get the generator */ ++ if (group->generator == NULL) ++ goto err; ++ generator = EC_POINT_new(group); ++ if (generator == NULL) ++ goto err; ++ BN_bin2bn(nistp384_curve_params[3], sizeof(felem_bytearray), x); ++ BN_bin2bn(nistp384_curve_params[4], sizeof(felem_bytearray), y); ++ if (!EC_POINT_set_affine_coordinates(group, generator, x, y, ctx)) ++ goto err; ++ if ((pre = nistp384_pre_comp_new()) == NULL) ++ goto err; ++ /* ++ * if the generator is the standard one, use built-in precomputation ++ */ ++ if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) { ++ memcpy(pre->g_pre_comp, gmul, sizeof(pre->g_pre_comp)); ++ goto done; ++ } ++ if ((!BN_to_felem(pre->g_pre_comp[1][0], group->generator->X)) || ++ (!BN_to_felem(pre->g_pre_comp[1][1], group->generator->Y)) || ++ (!BN_to_felem(pre->g_pre_comp[1][2], group->generator->Z))) ++ goto err; ++ /* compute 2^95*G, 2^190*G, 2^285*G */ ++ for (i = 1; i <= 4; i <<= 1) { ++ point_double(pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2], ++ pre->g_pre_comp[i][0], pre->g_pre_comp[i][1], pre->g_pre_comp[i][2]); ++ for (j = 0; j < 94; ++j) { ++ point_double(pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2], ++ pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2]); ++ } ++ } ++ /* g_pre_comp[0] is the point at infinity */ ++ memset(pre->g_pre_comp[0], 0, sizeof(pre->g_pre_comp[0])); ++ /* the remaining multiples */ ++ /* 2^95*G + 2^190*G */ ++ point_add(pre->g_pre_comp[6][0], pre->g_pre_comp[6][1], pre->g_pre_comp[6][2], ++ pre->g_pre_comp[4][0], pre->g_pre_comp[4][1], pre->g_pre_comp[4][2], 0, ++ pre->g_pre_comp[2][0], pre->g_pre_comp[2][1], pre->g_pre_comp[2][2]); ++ /* 2^95*G + 2^285*G */ ++ point_add(pre->g_pre_comp[10][0], pre->g_pre_comp[10][1], pre->g_pre_comp[10][2], ++ pre->g_pre_comp[8][0], pre->g_pre_comp[8][1], pre->g_pre_comp[8][2], 0, ++ pre->g_pre_comp[2][0], pre->g_pre_comp[2][1], pre->g_pre_comp[2][2]); ++ /* 2^190*G + 2^285*G */ ++ point_add(pre->g_pre_comp[12][0], pre->g_pre_comp[12][1], pre->g_pre_comp[12][2], ++ pre->g_pre_comp[8][0], pre->g_pre_comp[8][1], pre->g_pre_comp[8][2], 0, ++ pre->g_pre_comp[4][0], pre->g_pre_comp[4][1], pre->g_pre_comp[4][2]); ++ /* 2^95*G + 2^190*G + 2^285*G */ ++ point_add(pre->g_pre_comp[14][0], pre->g_pre_comp[14][1], pre->g_pre_comp[14][2], ++ pre->g_pre_comp[12][0], pre->g_pre_comp[12][1], pre->g_pre_comp[12][2], 0, ++ pre->g_pre_comp[2][0], pre->g_pre_comp[2][1], pre->g_pre_comp[2][2]); ++ for (i = 1; i < 8; ++i) { ++ /* odd multiples: add G */ ++ point_add(pre->g_pre_comp[2 * i + 1][0], pre->g_pre_comp[2 * i + 1][1], pre->g_pre_comp[2 * i + 1][2], ++ pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2], 0, ++ pre->g_pre_comp[1][0], pre->g_pre_comp[1][1], pre->g_pre_comp[1][2]); ++ } ++ make_points_affine(15, &(pre->g_pre_comp[1]), tmp_felems); ++ ++ done: ++ SETPRECOMP(group, nistp384, pre); ++ ret = 1; ++ pre = NULL; ++ err: ++ BN_CTX_end(ctx); ++ EC_POINT_free(generator); ++#ifndef FIPS_MODULE ++ BN_CTX_free(new_ctx); ++#endif ++ ossl_ec_nistp384_pre_comp_free(pre); ++ return ret; ++} ++ ++int ossl_ec_GFp_nistp384_have_precompute_mult(const EC_GROUP *group) ++{ ++ return HAVEPRECOMP(group, nistp384); ++} ++#endif /* OPENSSL_NO_EC_NISTP_64_GCC_128 */ +Index: openssl-1.1.1w/crypto/ec/build.info +=================================================================== +--- openssl-1.1.1w.orig/crypto/ec/build.info ++++ openssl-1.1.1w/crypto/ec/build.info +@@ -3,7 +3,8 @@ SOURCE[../../libcrypto]=\ + ec_lib.c ecp_smpl.c ecp_mont.c ecp_nist.c ec_cvt.c ec_mult.c \ + ec_err.c ec_curve.c ec_check.c ec_print.c ec_asn1.c ec_key.c \ + ec2_smpl.c ec_ameth.c ec_pmeth.c eck_prn.c \ +- ecp_nistp224.c ecp_nistp256.c ecp_nistp521.c ecp_nistputil.c \ ++ ecp_nistp224.c ecp_nistp256.c ecp_nistp384.c ecp_nistp521.c \ ++ ecp_nistputil.c \ + ecp_oct.c ec2_oct.c ec_oct.c ec_kmeth.c ecdh_ossl.c ecdh_kdf.c \ + ecdsa_ossl.c ecdsa_sign.c ecdsa_vrf.c curve25519.c ecx_meth.c \ + curve448/f_generic.c curve448/scalar.c \ +Index: openssl-1.1.1w/crypto/err/openssl.txt +=================================================================== +--- openssl-1.1.1w.orig/crypto/err/openssl.txt ++++ openssl-1.1.1w/crypto/err/openssl.txt +@@ -562,6 +562,10 @@ EC_F_EC_GFP_NISTP256_GROUP_SET_CURVE:230 + EC_F_EC_GFP_NISTP256_POINTS_MUL:231:ec_GFp_nistp256_points_mul + EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES:232:\ + ec_GFp_nistp256_point_get_affine_coordinates ++EC_F_EC_GFP_NISTP384_GROUP_SET_CURVE:315:ec_GFp_nistp384_group_set_curve ++EC_F_EC_GFP_NISTP384_POINT_GET_AFFINE_COORDINATES:316:\ ++ ec_GFp_nistp385_point_get_affine_coordinates ++EC_F_EC_GFP_NISTP384_POINTS_MUL:317:ec_GFp_nistp384_points_mul + EC_F_EC_GFP_NISTP521_GROUP_SET_CURVE:233:ec_GFp_nistp521_group_set_curve + EC_F_EC_GFP_NISTP521_POINTS_MUL:234:ec_GFp_nistp521_points_mul + EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES:235:\ +Index: openssl-1.1.1w/include/openssl/ecerr.h +=================================================================== +--- openssl-1.1.1w.orig/include/openssl/ecerr.h ++++ openssl-1.1.1w/include/openssl/ecerr.h +@@ -93,6 +93,9 @@ int ERR_load_EC_strings(void); + # define EC_F_EC_GFP_NISTP256_GROUP_SET_CURVE 230 + # define EC_F_EC_GFP_NISTP256_POINTS_MUL 231 + # define EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES 232 ++# define EC_F_EC_GFP_NISTP384_GROUP_SET_CURVE 315 ++# define EC_F_EC_GFP_NISTP384_POINT_GET_AFFINE_COORDINATES 316 ++# define EC_F_EC_GFP_NISTP384_POINTS_MUL 317 + # define EC_F_EC_GFP_NISTP521_GROUP_SET_CURVE 233 + # define EC_F_EC_GFP_NISTP521_POINTS_MUL 234 + # define EC_F_EC_GFP_NISTP521_POINT_GET_AFFINE_COORDINATES 235 diff --git a/openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch b/openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch new file mode 100644 index 0000000..85685cf --- /dev/null +++ b/openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch @@ -0,0 +1,65 @@ +From 3e47a286dc3274bda72a196c3a4030a1fc8302f1 Mon Sep 17 00:00:00 2001 +From: Rohan McLure +Date: Fri, 23 Jun 2023 16:41:48 +1000 +Subject: [PATCH] ec: Use static linkage on nistp521 felem_{square,mul} + wrappers + +Runtime selection of implementations for felem_{square,mul} depends on +felem_{square,mul}_wrapper functions, which overwrite function points in +a similar design to that of .plt.got sections used by program loaders +during dynamic linking. + +There's no reason why these functions need to have external linkage. +Mark static. + +Signed-off-by: Rohan McLure + +Reviewed-by: Paul Dale +Reviewed-by: Shane Lontis +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Todd Short +(Merged from https://github.com/openssl/openssl/pull/21471) +--- + crypto/ec/ecp_nistp521.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c +index 97815cac1f13..32a9268ecf17 100644 +--- a/crypto/ec/ecp_nistp521.c ++++ b/crypto/ec/ecp_nistp521.c +@@ -676,8 +676,8 @@ static void felem_reduce(felem out, const largefelem in) + } + + #if defined(ECP_NISTP521_ASM) +-void felem_square_wrapper(largefelem out, const felem in); +-void felem_mul_wrapper(largefelem out, const felem in1, const felem in2); ++static void felem_square_wrapper(largefelem out, const felem in); ++static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2); + + static void (*felem_square_p)(largefelem out, const felem in) = + felem_square_wrapper; +@@ -691,7 +691,7 @@ void p521_felem_mul(largefelem out, const felem in1, const felem in2); + # include "../ppc_arch.h" + # endif + +-void felem_select(void) ++static void felem_select(void) + { + # if defined(_ARCH_PPC64) + if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) { +@@ -707,13 +707,13 @@ void felem_select(void) + felem_mul_p = felem_mul_ref; + } + +-void felem_square_wrapper(largefelem out, const felem in) ++static void felem_square_wrapper(largefelem out, const felem in) + { + felem_select(); + felem_square_p(out, in); + } + +-void felem_mul_wrapper(largefelem out, const felem in1, const felem in2) ++static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2) + { + felem_select(); + felem_mul_p(out, in1, in2); diff --git a/openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch b/openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch new file mode 100644 index 0000000..f120df2 --- /dev/null +++ b/openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch @@ -0,0 +1,410 @@ +From 966047ee13188e8634af25af348940acceb9316d Mon Sep 17 00:00:00 2001 +From: Rohan McLure +Date: Wed, 31 May 2023 14:32:26 +1000 +Subject: [PATCH] ec: powerpc64le: Add asm implementation of felem_{square,mul} + +Add an assembly implementation of felem_{square,mul}, which will be +implemented whenever Altivec support is present and the core implements +ISA 3.0 (Power 9) or greater. + +Signed-off-by: Rohan McLure + +Reviewed-by: Paul Dale +Reviewed-by: Shane Lontis +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Todd Short +(Merged from https://github.com/openssl/openssl/pull/21471) +--- + crypto/ec/asm/ecp_nistp384-ppc64.pl | 355 ++++++++++++++++++++++++++++++++++++ + crypto/ec/build.info | 2 + crypto/ec/ecp_nistp384.c | 9 + 3 files changed, 366 insertions(+) + create mode 100755 crypto/ec/asm/ecp_nistp384-ppc64.pl + +--- /dev/null ++++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl +@@ -0,0 +1,355 @@ ++#! /usr/bin/env perl ++# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++# ++# ==================================================================== ++# Written by Rohan McLure for the OpenSSL ++# project. ++# ==================================================================== ++# ++# p384 lower-level primitives for PPC64 using vector instructions. ++# ++ ++use strict; ++use warnings; ++ ++my $flavour = shift; ++my $output = ""; ++while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} ++if (!$output) { ++ $output = "-"; ++} ++ ++my ($xlate, $dir); ++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ++( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or ++( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or ++die "can't locate ppc-xlate.pl"; ++ ++open OUT,"| \"$^X\" $xlate $flavour $output"; ++*STDOUT=*OUT; ++ ++my $code = ""; ++ ++my ($sp, $outp, $savelr, $savesp) = ("r1", "r3", "r10", "r12"); ++ ++my $vzero = "v32"; ++ ++sub startproc($) ++{ ++ my ($name) = @_; ++ ++ $code.=<<___; ++ .globl ${name} ++ .align 5 ++${name}: ++ ++___ ++} ++ ++sub endproc($) ++{ ++ my ($name) = @_; ++ ++ $code.=<<___; ++ blr ++ .size ${name},.-${name} ++ ++___ ++} ++ ++ ++sub push_vrs($$) ++{ ++ my ($min, $max) = @_; ++ ++ my $count = $max - $min + 1; ++ ++ $code.=<<___; ++ mr $savesp,$sp ++ stdu $sp,-16*`$count+1`($sp) ++ ++___ ++ for (my $i = $min; $i <= $max; $i++) { ++ my $mult = $max - $i + 1; ++ $code.=<<___; ++ stxv $i,-16*$mult($savesp) ++___ ++ ++ } ++ ++ $code.=<<___; ++ ++___ ++} ++ ++sub pop_vrs($$) ++{ ++ my ($min, $max) = @_; ++ ++ $code.=<<___; ++ ld $savesp,0($sp) ++___ ++ for (my $i = $min; $i <= $max; $i++) { ++ my $mult = $max - $i + 1; ++ $code.=<<___; ++ lxv $i,-16*$mult($savesp) ++___ ++ } ++ ++ $code.=<<___; ++ mr $sp,$savesp ++ ++___ ++} ++ ++sub load_vrs($$) ++{ ++ my ($pointer, $reg_list) = @_; ++ ++ for (my $i = 0; $i <= 6; $i++) { ++ my $offset = $i * 8; ++ $code.=<<___; ++ lxsd $reg_list->[$i],$offset($pointer) ++___ ++ } ++ ++ $code.=<<___; ++ ++___ ++} ++ ++sub store_vrs($$) ++{ ++ my ($pointer, $reg_list) = @_; ++ ++ for (my $i = 0; $i <= 12; $i++) { ++ my $offset = $i * 16; ++ $code.=<<___; ++ stxv $reg_list->[$i],$offset($pointer) ++___ ++ } ++ ++ $code.=<<___; ++ ++___ ++} ++ ++$code.=<<___; ++.machine "any" ++.text ++ ++___ ++ ++{ ++ # mul/square common ++ my ($t1, $t2, $t3, $t4) = ("v33", "v34", "v42", "v43"); ++ my ($zero, $one) = ("r8", "r9"); ++ my $out = "v51"; ++ ++ { ++ # ++ # p384_felem_mul ++ # ++ ++ my ($in1p, $in2p) = ("r4", "r5"); ++ my @in1 = map("v$_",(44..50)); ++ my @in2 = map("v$_",(35..41)); ++ ++ startproc("p384_felem_mul"); ++ ++ push_vrs(52, 63); ++ ++ $code.=<<___; ++ vspltisw $vzero,0 ++ ++___ ++ ++ load_vrs($in1p, \@in1); ++ load_vrs($in2p, \@in2); ++ ++ $code.=<<___; ++ vmsumudm $out,$in1[0],$in2[0],$vzero ++ stxv $out,0($outp) ++ ++ xxpermdi $t1,$in1[0],$in1[1],0b00 ++ xxpermdi $t2,$in2[1],$in2[0],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ stxv $out,16($outp) ++ ++ xxpermdi $t2,$in2[2],$in2[1],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ vmsumudm $out,$in1[2],$in2[0],$out ++ stxv $out,32($outp) ++ ++ xxpermdi $t2,$in2[1],$in2[0],0b00 ++ xxpermdi $t3,$in1[2],$in1[3],0b00 ++ xxpermdi $t4,$in2[3],$in2[2],0b00 ++ vmsumudm $out,$t1,$t4,$vzero ++ vmsumudm $out,$t3,$t2,$out ++ stxv $out,48($outp) ++ ++ xxpermdi $t2,$in2[4],$in2[3],0b00 ++ xxpermdi $t4,$in2[2],$in2[1],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ vmsumudm $out,$t3,$t4,$out ++ vmsumudm $out,$in1[4],$in2[0],$out ++ stxv $out,64($outp) ++ ++ xxpermdi $t2,$in2[5],$in2[4],0b00 ++ xxpermdi $t4,$in2[3],$in2[2],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ vmsumudm $out,$t3,$t4,$out ++ xxpermdi $t4,$in2[1],$in2[0],0b00 ++ xxpermdi $t1,$in1[4],$in1[5],0b00 ++ vmsumudm $out,$t1,$t4,$out ++ stxv $out,80($outp) ++ ++ xxpermdi $t1,$in1[0],$in1[1],0b00 ++ xxpermdi $t2,$in2[6],$in2[5],0b00 ++ xxpermdi $t4,$in2[4],$in2[3],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ vmsumudm $out,$t3,$t4,$out ++ xxpermdi $t2,$in2[2],$in2[1],0b00 ++ xxpermdi $t1,$in1[4],$in1[5],0b00 ++ vmsumudm $out,$t1,$t2,$out ++ vmsumudm $out,$in1[6],$in2[0],$out ++ stxv $out,96($outp) ++ ++ xxpermdi $t1,$in1[1],$in1[2],0b00 ++ xxpermdi $t2,$in2[6],$in2[5],0b00 ++ xxpermdi $t3,$in1[3],$in1[4],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ vmsumudm $out,$t3,$t4,$out ++ xxpermdi $t3,$in2[2],$in2[1],0b00 ++ xxpermdi $t1,$in1[5],$in1[6],0b00 ++ vmsumudm $out,$t1,$t3,$out ++ stxv $out,112($outp) ++ ++ xxpermdi $t1,$in1[2],$in1[3],0b00 ++ xxpermdi $t3,$in1[4],$in1[5],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ vmsumudm $out,$t3,$t4,$out ++ vmsumudm $out,$in1[6],$in2[2],$out ++ stxv $out,128($outp) ++ ++ xxpermdi $t1,$in1[3],$in1[4],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ xxpermdi $t1,$in1[5],$in1[6],0b00 ++ vmsumudm $out,$t1,$t4,$out ++ stxv $out,144($outp) ++ ++ vmsumudm $out,$t3,$t2,$vzero ++ vmsumudm $out,$in1[6],$in2[4],$out ++ stxv $out,160($outp) ++ ++ vmsumudm $out,$t1,$t2,$vzero ++ stxv $out,176($outp) ++ ++ vmsumudm $out,$in1[6],$in2[6],$vzero ++ stxv $out,192($outp) ++___ ++ ++ endproc("p384_felem_mul"); ++ } ++ ++ { ++ # ++ # p384_felem_square ++ # ++ ++ my ($inp) = ("r4"); ++ my @in = map("v$_",(44..50)); ++ my @inx2 = map("v$_",(35..41)); ++ ++ startproc("p384_felem_square"); ++ ++ push_vrs(52, 63); ++ ++ $code.=<<___; ++ vspltisw $vzero,0 ++ ++___ ++ ++ load_vrs($inp, \@in); ++ ++ $code.=<<___; ++ li $zero,0 ++ li $one,1 ++ mtvsrdd $t1,$one,$zero ++___ ++ ++ for (my $i = 0; $i <= 6; $i++) { ++ $code.=<<___; ++ vsld $inx2[$i],$in[$i],$t1 ++___ ++ } ++ ++ $code.=<<___; ++ vmsumudm $out,$in[0],$in[0],$vzero ++ stxv $out,0($outp) ++ ++ vmsumudm $out,$in[0],$inx2[1],$vzero ++ stxv $out,16($outp) ++ ++ vmsumudm $out,$in[0],$inx2[2],$vzero ++ vmsumudm $out,$in[1],$in[1],$out ++ stxv $out,32($outp) ++ ++ xxpermdi $t1,$in[0],$in[1],0b00 ++ xxpermdi $t2,$inx2[3],$inx2[2],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ stxv $out,48($outp) ++ ++ xxpermdi $t4,$inx2[4],$inx2[3],0b00 ++ vmsumudm $out,$t1,$t4,$vzero ++ vmsumudm $out,$in[2],$in[2],$out ++ stxv $out,64($outp) ++ ++ xxpermdi $t2,$inx2[5],$inx2[4],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ vmsumudm $out,$in[2],$inx2[3],$out ++ stxv $out,80($outp) ++ ++ xxpermdi $t2,$inx2[6],$inx2[5],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ vmsumudm $out,$in[2],$inx2[4],$out ++ vmsumudm $out,$in[3],$in[3],$out ++ stxv $out,96($outp) ++ ++ xxpermdi $t3,$in[1],$in[2],0b00 ++ vmsumudm $out,$t3,$t2,$vzero ++ vmsumudm $out,$in[3],$inx2[4],$out ++ stxv $out,112($outp) ++ ++ xxpermdi $t1,$in[2],$in[3],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ vmsumudm $out,$in[4],$in[4],$out ++ stxv $out,128($outp) ++ ++ xxpermdi $t1,$in[3],$in[4],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ stxv $out,144($outp) ++ ++ vmsumudm $out,$in[4],$inx2[6],$vzero ++ vmsumudm $out,$in[5],$in[5],$out ++ stxv $out,160($outp) ++ ++ vmsumudm $out,$in[5],$inx2[6],$vzero ++ stxv $out,176($outp) ++ ++ vmsumudm $out,$in[6],$in[6],$vzero ++ stxv $out,192($outp) ++___ ++ ++ endproc("p384_felem_square"); ++ } ++} ++ ++$code =~ s/\`([^\`]*)\`/eval $1/gem; ++print $code; ++close STDOUT or die "error closing STDOUT: $!"; +--- a/crypto/ec/build.info ++++ b/crypto/ec/build.info +@@ -31,6 +31,8 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_n + INCLUDE[ecp_nistz256-armv8.o]=.. + GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl $(PERLASM_SCHEME) + ++GENERATE[ecp_nistp384-ppc64.s]=asm/ecp_nistp384-ppc64.pl $(PERLASM_SCHEME) ++INCLUDE[ecp_nistp384.o]=.. + GENERATE[ecp_nistp521-ppc64.s]=asm/ecp_nistp521-ppc64.pl $(PERLASM_SCHEME) + + GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl $(PERLASM_SCHEME) +--- a/crypto/ec/ecp_nistp384.c ++++ b/crypto/ec/ecp_nistp384.c +@@ -691,6 +691,15 @@ void p384_felem_mul(widefelem out, const + + static void felem_select(void) + { ++# if defined(_ARCH_PPC64) ++ if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) { ++ felem_square_p = p384_felem_square; ++ felem_mul_p = p384_felem_mul; ++ ++ return; ++ } ++# endif ++ + /* Default */ + felem_square_p = felem_square_ref; + felem_mul_p = felem_mul_ref; diff --git a/openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch b/openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch new file mode 100644 index 0000000..a2918d9 --- /dev/null +++ b/openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch @@ -0,0 +1,76 @@ +From 670e73d9084465384b11ef24802ca4a313e1d2f4 Mon Sep 17 00:00:00 2001 +From: Rohan McLure +Date: Tue, 15 Aug 2023 15:20:20 +1000 +Subject: [PATCH] ecc: Remove extraneous parentheses in secp384r1 + +Substitutions in the felem_reduce() method feature unecessary +parentheses, remove them. + +Signed-off-by: Rohan McLure + +Reviewed-by: Tomas Mraz +Reviewed-by: Shane Lontis +Reviewed-by: Hugo Landau +(Merged from https://github.com/openssl/openssl/pull/21749) +--- + crypto/ec/ecp_nistp384.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c +index 14f9530d07c6..ff68f9cc7ad0 100644 +--- a/crypto/ec/ecp_nistp384.c ++++ b/crypto/ec/ecp_nistp384.c +@@ -540,7 +540,7 @@ static void felem_reduce(felem out, const widefelem in) + acc[7] += in[12] >> 8; + acc[6] += (in[12] & 0xff) << 48; + acc[6] -= in[12] >> 16; +- acc[5] -= ((in[12] & 0xffff) << 40); ++ acc[5] -= (in[12] & 0xffff) << 40; + acc[6] += in[12] >> 48; + acc[5] += (in[12] & 0xffffffffffff) << 8; + +@@ -549,7 +549,7 @@ static void felem_reduce(felem out, const widefelem in) + acc[6] += in[11] >> 8; + acc[5] += (in[11] & 0xff) << 48; + acc[5] -= in[11] >> 16; +- acc[4] -= ((in[11] & 0xffff) << 40); ++ acc[4] -= (in[11] & 0xffff) << 40; + acc[5] += in[11] >> 48; + acc[4] += (in[11] & 0xffffffffffff) << 8; + +@@ -558,7 +558,7 @@ static void felem_reduce(felem out, const widefelem in) + acc[5] += in[10] >> 8; + acc[4] += (in[10] & 0xff) << 48; + acc[4] -= in[10] >> 16; +- acc[3] -= ((in[10] & 0xffff) << 40); ++ acc[3] -= (in[10] & 0xffff) << 40; + acc[4] += in[10] >> 48; + acc[3] += (in[10] & 0xffffffffffff) << 8; + +@@ -567,7 +567,7 @@ static void felem_reduce(felem out, const widefelem in) + acc[4] += in[9] >> 8; + acc[3] += (in[9] & 0xff) << 48; + acc[3] -= in[9] >> 16; +- acc[2] -= ((in[9] & 0xffff) << 40); ++ acc[2] -= (in[9] & 0xffff) << 40; + acc[3] += in[9] >> 48; + acc[2] += (in[9] & 0xffffffffffff) << 8; + +@@ -582,7 +582,7 @@ static void felem_reduce(felem out, const widefelem in) + acc[3] += acc[8] >> 8; + acc[2] += (acc[8] & 0xff) << 48; + acc[2] -= acc[8] >> 16; +- acc[1] -= ((acc[8] & 0xffff) << 40); ++ acc[1] -= (acc[8] & 0xffff) << 40; + acc[2] += acc[8] >> 48; + acc[1] += (acc[8] & 0xffffffffffff) << 8; + +@@ -591,7 +591,7 @@ static void felem_reduce(felem out, const widefelem in) + acc[2] += acc[7] >> 8; + acc[1] += (acc[7] & 0xff) << 48; + acc[1] -= acc[7] >> 16; +- acc[0] -= ((acc[7] & 0xffff) << 40); ++ acc[0] -= (acc[7] & 0xffff) << 40; + acc[1] += acc[7] >> 48; + acc[0] += (acc[7] & 0xffffffffffff) << 8; + diff --git a/openssl-fips-DH_selftest_shared_secret_KAT.patch b/openssl-fips-DH_selftest_shared_secret_KAT.patch new file mode 100644 index 0000000..279a0ef --- /dev/null +++ b/openssl-fips-DH_selftest_shared_secret_KAT.patch @@ -0,0 +1,82 @@ +Index: openssl-1.1.1d/crypto/fips/fips_dh_selftest.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/fips/fips_dh_selftest.c 2020-09-08 20:40:41.313074570 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_dh_selftest.c 2020-09-08 20:41:05.337219024 +0200 +@@ -119,6 +119,41 @@ static const unsigned char dh_test_2048_ + 0xEC, 0x55, 0xF6, 0xCC + }; + ++static const unsigned char dh_test_2048_shared_secret[] = { ++ 0x62, 0x68, 0x15, 0xbd, 0xc4, 0x9a, 0x3c, 0xfc, ++ 0xda, 0x5d, 0xc5, 0x81, 0xc9, 0xe7, 0x1b, 0xbb, ++ 0x94, 0x19, 0xb0, 0x5d, 0x95, 0xc3, 0x98, 0xd0, ++ 0xc6, 0x8b, 0x05, 0x34, 0xa5, 0xe2, 0xe4, 0xa8, ++ 0x7c, 0x4b, 0x7c, 0x41, 0xf9, 0x6d, 0xc1, 0xcc, ++ 0x6e, 0xb6, 0x34, 0xe1, 0x71, 0xc3, 0x00, 0x03, ++ 0x06, 0x08, 0x1d, 0x90, 0x88, 0x3c, 0x5d, 0x14, ++ 0x2d, 0x56, 0xac, 0x78, 0x83, 0xd6, 0xe9, 0x7c, ++ 0x6c, 0x34, 0xdf, 0xe0, 0x98, 0x14, 0xaa, 0xbe, ++ 0x3b, 0x83, 0xc5, 0xd1, 0xac, 0xec, 0xa6, 0x0b, ++ 0xc1, 0x94, 0x8d, 0x42, 0x3f, 0xb8, 0x63, 0xef, ++ 0xb1, 0x1b, 0x60, 0x4f, 0xfa, 0xfa, 0xbb, 0x57, ++ 0x28, 0x27, 0x4d, 0x78, 0xa4, 0x3d, 0x7a, 0xd8, ++ 0xab, 0x2e, 0x7d, 0x8b, 0xd3, 0xa9, 0x78, 0x74, ++ 0xfe, 0x3a, 0x08, 0x5f, 0xe3, 0xf5, 0x5a, 0xfa, ++ 0xa6, 0x93, 0x67, 0xea, 0xae, 0x5e, 0xd6, 0xc5, ++ 0xa1, 0xab, 0x0a, 0x1e, 0x78, 0xe7, 0xdd, 0xbc, ++ 0xae, 0xb7, 0x3e, 0x7d, 0x8b, 0xd8, 0x66, 0x92, ++ 0x38, 0x1b, 0x96, 0xeb, 0xcb, 0xcb, 0x6a, 0xcc, ++ 0xd8, 0x42, 0x80, 0x66, 0xa9, 0xa2, 0x75, 0xeb, ++ 0xe4, 0x79, 0x11, 0x7a, 0xca, 0x84, 0x77, 0x7a, ++ 0xe6, 0xe2, 0x13, 0xb1, 0x90, 0xd3, 0x0f, 0x87, ++ 0x2a, 0x0f, 0xf5, 0x17, 0x61, 0x15, 0x05, 0x31, ++ 0x5f, 0xdf, 0xb4, 0x8e, 0xf3, 0x21, 0x27, 0x6a, ++ 0x69, 0xdc, 0x52, 0x79, 0x64, 0x51, 0x1f, 0xc0, ++ 0xed, 0x55, 0x57, 0xd9, 0x5c, 0x6f, 0xdb, 0xaa, ++ 0x08, 0x44, 0xb9, 0x71, 0x71, 0x15, 0x27, 0xe8, ++ 0xe9, 0x42, 0x78, 0xc1, 0xc4, 0xc0, 0xbd, 0x28, ++ 0x23, 0xa1, 0x30, 0x57, 0xf0, 0x2e, 0x24, 0xf0, ++ 0x34, 0x17, 0x97, 0x1c, 0x4c, 0x2a, 0x98, 0x76, ++ 0x3d, 0x50, 0x7f, 0x32, 0xa2, 0x25, 0x94, 0x9e, ++ 0x1e, 0xbc, 0x97, 0x96, 0xd6, 0x14, 0x61, 0x5b ++}; ++ + int FIPS_selftest_dh() + { + DH *dh = NULL; +@@ -127,6 +162,7 @@ int FIPS_selftest_dh() + int len; + BIGNUM *p = NULL, *g = NULL, *priv_key = NULL, *tmp_pub_key = NULL; + const BIGNUM *pub_key; ++ unsigned char *shared_secret = NULL; + + fips_load_key_component(p, dh_test_2048); + fips_load_key_component(g, dh_test_2048); +@@ -162,6 +198,19 @@ int FIPS_selftest_dh() + memcmp(pub_key_bin, dh_test_2048_pub_key, len) != 0) + goto err; + ++ /* Shared secret KAT test */ ++ len = DH_size(dh); ++ if ((shared_secret = OPENSSL_malloc(len)) == NULL) ++ goto err; ++ ++ if ((len = DH_compute_key(shared_secret, pub_key, dh)) == -1) ++ goto err; ++ ++ if (len != sizeof(dh_test_2048_shared_secret) || ++ (memcmp(shared_secret, dh_test_2048_shared_secret, len) != 0)) { ++ goto err; ++ } ++ + ret = 1; + + err: +@@ -175,6 +224,7 @@ int FIPS_selftest_dh() + } + + OPENSSL_free(pub_key_bin); ++ OPENSSL_free(shared_secret); + return ret; + } + #endif diff --git a/openssl-fips-add-SHA3-selftest.patch b/openssl-fips-add-SHA3-selftest.patch new file mode 100644 index 0000000..27074c9 --- /dev/null +++ b/openssl-fips-add-SHA3-selftest.patch @@ -0,0 +1,347 @@ +Index: openssl-1.1.1d/crypto/fips/fips_hmac_selftest.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/fips/fips_hmac_selftest.c ++++ openssl-1.1.1d/crypto/fips/fips_hmac_selftest.c +@@ -55,12 +55,23 @@ + #include + + #ifdef OPENSSL_FIPS ++ ++#define MAX_SHA3_KEY_LENGTH 200 ++ + typedef struct { + const EVP_MD *(*alg) (void); + const char *key, *iv; + unsigned char kaval[EVP_MAX_MD_SIZE]; + } HMAC_KAT; + ++typedef struct { ++ const EVP_MD *(*alg) (void); ++ unsigned char key[MAX_SHA3_KEY_LENGTH]; ++ size_t keylen; /* strlen() doesn't work with NIST test vector keys */ ++ const char *iv; ++ unsigned char kaval[EVP_MAX_MD_SIZE]; ++} HMAC_KAT_SHA3; ++ + static const HMAC_KAT vector[] = { + {EVP_sha1, + /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */ +@@ -111,6 +122,289 @@ static const HMAC_KAT vector[] = { + }, + }; + ++static const HMAC_KAT_SHA3 vector_SHA3[] = { ++ /* using SHA3-224 from https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/HMAC_SHA3-224.pdf */ ++ {EVP_sha3_224, ++ {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, ++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, ++ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, ++ 0x18, 0x19, 0x1a, 0x1b}, ++ 0x1c, ++ "Sample message for keylenblocklen", ++ {0x07, 0x86, 0x95, 0xee, 0xcc, 0x22, 0x7c, 0x63, ++ 0x6a, 0xd3, 0x1d, 0x06, 0x3a, 0x15, 0xdd, 0x05, ++ 0xa7, 0xe8, 0x19, 0xa6, 0x6e, 0xc6, 0xd8, 0xde, ++ 0x1e, 0x19, 0x3e, 0x59}, ++ }, ++ /* using SHA3-256 from https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/HMAC_SHA3-256.pdf */ ++ {EVP_sha3_256, ++ {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, ++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, ++ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, ++ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f}, ++ 0x30, ++ "Sample message for keylenblocklen", ++ {0x9b, 0xcf, 0x2c, 0x23, 0x8e, 0x23, 0x5c, 0x3c, ++ 0xe8, 0x84, 0x04, 0xe8, 0x13, 0xbd, 0x2f, 0x3a, ++ 0x97, 0x18, 0x5a, 0xc6, 0xf2, 0x38, 0xc6, 0x3d, ++ 0x62, 0x29, 0xa0, 0x0b, 0x07, 0x97, 0x42, 0x58}, ++ }, ++ /* using SHA3-384 from https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/HMAC_SHA3-384.pdf */ ++ {EVP_sha3_384, ++ {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, ++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, ++ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, ++ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, ++ 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, ++ 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, ++ 0x30, ++ "Sample message for keylenblocklen", ++ {0xe5, 0xae, 0x4c, 0x73, 0x9f, 0x45, 0x52, 0x79, ++ 0x36, 0x8e, 0xbf, 0x36, 0xd4, 0xf5, 0x35, 0x4c, ++ 0x95, 0xaa, 0x18, 0x4c, 0x89, 0x9d, 0x38, 0x70, ++ 0xe4, 0x60, 0xeb, 0xc2, 0x88, 0xef, 0x1f, 0x94, ++ 0x70, 0x05, 0x3f, 0x73, 0xf7, 0xc6, 0xda, 0x2a, ++ 0x71, 0xbc, 0xae, 0xc3, 0x8c, 0xe7, 0xd6, 0xac}, ++ }, ++ ++ ++ ++ /* using SHA3-512 from https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/HMAC_SHA3-512.pdf */ ++ {EVP_sha3_512, ++ {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, ++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, ++ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, ++ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, ++ 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, ++ 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, ++ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, ++ 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f}, ++ 0x40, ++ "Sample message for keylenblocklen", ++ {0x5f, 0x46, 0x4f, 0x5e, 0x5b, 0x78, 0x48, 0xe3, ++ 0x88, 0x5e, 0x49, 0xb2, 0xc3, 0x85, 0xf0, 0x69, ++ 0x49, 0x85, 0xd0, 0xe3, 0x89, 0x66, 0x24, 0x2d, ++ 0xc4, 0xa5, 0xfe, 0x3f, 0xea, 0x4b, 0x37, 0xd4, ++ 0x6b, 0x65, 0xce, 0xce, 0xd5, 0xdc, 0xf5, 0x94, ++ 0x38, 0xdd, 0x84, 0x0b, 0xab, 0x22, 0x26, 0x9f, ++ 0x0b, 0xa7, 0xfe, 0xbd, 0xb9, 0xfc, 0xf7, 0x46, ++ 0x02, 0xa3, 0x56, 0x66, 0xb2, 0xa3, 0x29, 0x15}, ++ }, ++}; ++ ++ + int FIPS_selftest_hmac() + { + int n; +@@ -118,7 +412,9 @@ int FIPS_selftest_hmac() + unsigned char out[EVP_MAX_MD_SIZE]; + const EVP_MD *md; + const HMAC_KAT *t; ++ const HMAC_KAT_SHA3 *t3; + ++ /* SHA1 and SHA2 */ + for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) { + md = (*t->alg) (); + HMAC(md, t->key, strlen(t->key), +@@ -128,6 +424,18 @@ int FIPS_selftest_hmac() + FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED); + return 0; + } ++ } ++ ++ /* SHA3 */ ++ for (n = 0, t3 = vector_SHA3; n < sizeof(vector_SHA3) / sizeof(vector_SHA3[0]); n++, t3++) { ++ md = (*t3->alg) (); ++ HMAC(md, t3->key, t3->keylen, ++ (const unsigned char *)t3->iv, strlen(t3->iv), out, &outlen); ++ ++ if (memcmp(out, t3->kaval, outlen)) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED); ++ return 0; ++ } + } + return 1; + } diff --git a/openssl-fips-clearerror.patch b/openssl-fips-clearerror.patch new file mode 100644 index 0000000..814f508 --- /dev/null +++ b/openssl-fips-clearerror.patch @@ -0,0 +1,12 @@ +Index: openssl-1.1.1d/crypto/o_init.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/o_init.c 2020-01-23 13:45:11.556634952 +0100 ++++ openssl-1.1.1d/crypto/o_init.c 2020-01-23 13:45:11.572635047 +0100 +@@ -49,6 +49,7 @@ static void init_fips_mode(void) + NONFIPS_selftest_check(); + /* drop down to non-FIPS mode if it is not requested */ + FIPS_mode_set(0); ++ ERR_clear_error(); + } else { + /* abort if selftest failed */ + FIPS_selftest_check(); diff --git a/openssl-fips-ignore_broken_atexit_test.patch b/openssl-fips-ignore_broken_atexit_test.patch new file mode 100644 index 0000000..ff4f17a --- /dev/null +++ b/openssl-fips-ignore_broken_atexit_test.patch @@ -0,0 +1,22 @@ +Index: openssl-1.1.1d/test/recipes/90-test_shlibload.t +=================================================================== +--- openssl-1.1.1d.orig/test/recipes/90-test_shlibload.t 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/test/recipes/90-test_shlibload.t 2020-01-23 15:22:27.355814857 +0100 +@@ -23,7 +23,7 @@ plan skip_all => "Test is disabled on AI + plan skip_all => "Test is disabled on VMS" if config('target') =~ m|^vms|; + plan skip_all => "Test only supported in a dso build" if disabled("dso"); + +-plan tests => 10; ++plan tests => 9; + + # When libssl and libcrypto are compiled on Linux with "-rpath", but not + # "--enable-new-dtags", the RPATH takes precedence over LD_LIBRARY_PATH, +@@ -56,7 +56,7 @@ unlink $filename; + ($fh, $filename) = tempfile(); + ok(run(test(["shlibloadtest", "-no_atexit", $libcrypto, $libssl, $filename])), + "running shlibloadtest -no_atexit $filename"); +-ok(!check_atexit($fh)); ++#ok(!check_atexit($fh)); + unlink $filename; + + sub shlib { diff --git a/openssl-fips-kdf-hkdf-selftest.patch b/openssl-fips-kdf-hkdf-selftest.patch new file mode 100644 index 0000000..5e2a369 --- /dev/null +++ b/openssl-fips-kdf-hkdf-selftest.patch @@ -0,0 +1,103 @@ +Index: openssl-1.1.1m/crypto/fips/fips_err.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_err.h ++++ openssl-1.1.1m/crypto/fips/fips_err.h +@@ -114,6 +114,7 @@ static ERR_STRING_DATA FIPS_str_functs[] + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_TLS), "FIPS_selftest_tls"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SSH), "FIPS_selftest_ssh"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HKDF), "FIPS_selftest_hkdf"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"}, + {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"}, +Index: openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_kdf_selftest.c ++++ openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +@@ -16,6 +16,49 @@ + #include + + #ifdef OPENSSL_FIPS ++ ++int FIPS_selftest_hkdf(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[10]; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF)) == NULL) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO, ++ "label", (size_t)5) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { ++ goto err; ++ } ++ ++ { ++ const unsigned char expected[sizeof(out)] = { ++ 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13 ++ }; ++ if (memcmp(out, expected, sizeof(expected))) { ++ goto err; ++ } ++ } ++ ret = 1; ++err: ++ if (!ret) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_HKDF, FIPS_R_SELFTEST_FAILED); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ + int FIPS_selftest_pbkdf2(void) + { + int ret = 0; +Index: openssl-1.1.1m/crypto/fips/fips_post.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_post.c ++++ openssl-1.1.1m/crypto/fips/fips_post.c +@@ -110,6 +110,8 @@ int FIPS_selftest(void) + rv = 0; + if (!FIPS_selftest_ssh()) + rv = 0; ++ if (!FIPS_selftest_hkdf()) ++ rv = 0; + + return rv; + } +Index: openssl-1.1.1m/include/openssl/fips.h +=================================================================== +--- openssl-1.1.1m.orig/include/openssl/fips.h ++++ openssl-1.1.1m/include/openssl/fips.h +@@ -127,6 +127,7 @@ extern "C" { + # define FIPS_F_FIPS_SELFTEST_PBKDF2 152 + # define FIPS_F_FIPS_SELFTEST_TLS 153 + # define FIPS_F_FIPS_SELFTEST_SSH 154 ++# define FIPS_F_FIPS_SELFTEST_HKDF 155 + # define FIPS_F_FIPS_SELFTEST_SHA1 115 + # define FIPS_F_FIPS_SELFTEST_SHA2 105 + # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 +Index: openssl-1.1.1m/include/crypto/fips_int.h +=================================================================== +--- openssl-1.1.1m.orig/include/crypto/fips_int.h ++++ openssl-1.1.1m/include/crypto/fips_int.h +@@ -79,6 +79,7 @@ int FIPS_selftest_cmac(void); + int FIPS_selftest_pbkdf2(void); + int FIPS_selftest_tls(void); + int FIPS_selftest_ssh(void); ++int FIPS_selftest_hkdf(void); + + int fips_in_post(void); + diff --git a/openssl-fips-run_selftests_only_when_module_is_complete.patch b/openssl-fips-run_selftests_only_when_module_is_complete.patch new file mode 100644 index 0000000..7cc2edd --- /dev/null +++ b/openssl-fips-run_selftests_only_when_module_is_complete.patch @@ -0,0 +1,24 @@ +Index: openssl-1.1.1d/crypto/fips/fips.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/fips/fips.c 2020-01-23 13:45:11.368633835 +0100 ++++ openssl-1.1.1d/crypto/fips/fips.c 2020-01-23 13:45:21.316692954 +0100 +@@ -454,15 +454,15 @@ int FIPS_module_mode_set(int onoff) + + fips_post = 1; + +- if (!FIPS_selftest()) { ++ if (!verify_checksums()) { ++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, ++ FIPS_R_FINGERPRINT_DOES_NOT_MATCH); + fips_selftest_fail = 1; + ret = 0; + goto end; + } + +- if (!verify_checksums()) { +- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, +- FIPS_R_FINGERPRINT_DOES_NOT_MATCH); ++ if (!FIPS_selftest()) { + fips_selftest_fail = 1; + ret = 0; + goto end; diff --git a/openssl-fips-selftests_in_nonfips_mode.patch b/openssl-fips-selftests_in_nonfips_mode.patch new file mode 100644 index 0000000..fca3655 --- /dev/null +++ b/openssl-fips-selftests_in_nonfips_mode.patch @@ -0,0 +1,74 @@ +Index: openssl-1.1.1d/crypto/fips/fips.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/fips/fips.c 2020-01-23 13:45:11.416634119 +0100 ++++ openssl-1.1.1d/crypto/fips/fips.c 2020-01-23 13:45:11.556634952 +0100 +@@ -486,6 +486,44 @@ int FIPS_module_mode_set(int onoff) + return ret; + } + ++/* In non-FIPS mode, the selftests must succeed if the ++ * checksum files are present ++ */ ++void NONFIPS_selftest_check(void) ++{ ++ int rv; ++ char *hmacpath; ++ char path[PATH_MAX+1]; ++ ++ if (fips_selftest_fail) ++ { ++ /* check if the checksum files are installed */ ++ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path)); ++ if (rv < 0) ++ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE"); ++ ++ hmacpath = make_hmac_path(path); ++ if (hmacpath == NULL) ++ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE"); ++ ++ if (access(hmacpath, F_OK)) ++ { ++ /* no hmac file is present, ignore the failed selftests */ ++ if (errno == ENOENT) ++ { ++ free(hmacpath); ++ return; ++ } ++ /* we fail on any other error */ ++ } ++ /* if the file exists, but the selftests failed ++ (eg wrong checksum), we fail too */ ++ free(hmacpath); ++ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE"); ++ } ++ /* otherwise ok, selftests were successful */ ++} ++ + static CRYPTO_THREAD_ID fips_threadid; + static int fips_thread_set = 0; + +Index: openssl-1.1.1d/crypto/o_init.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/o_init.c 2020-01-23 13:45:11.536634832 +0100 ++++ openssl-1.1.1d/crypto/o_init.c 2020-01-23 13:45:17.000667299 +0100 +@@ -45,6 +45,8 @@ static void init_fips_mode(void) + */ + + if (buf[0] != '1') { ++ /* abort if selftest failed and the module is complete */ ++ NONFIPS_selftest_check(); + /* drop down to non-FIPS mode if it is not requested */ + FIPS_mode_set(0); + } else { +Index: openssl-1.1.1d/include/openssl/fips.h +=================================================================== +--- openssl-1.1.1d.orig/include/openssl/fips.h 2020-01-23 13:45:11.344633691 +0100 ++++ openssl-1.1.1d/include/openssl/fips.h 2020-01-23 13:45:11.556634952 +0100 +@@ -65,6 +65,7 @@ extern "C" { + int FIPS_selftest(void); + int FIPS_selftest_failed(void); + int FIPS_selftest_drbg_all(void); ++ void NONFIPS_selftest_check(void); + + int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, + const EVP_MD *evpmd, const unsigned char *seed_in, diff --git a/openssl-fips_mode.patch b/openssl-fips_mode.patch new file mode 100644 index 0000000..1d5b024 --- /dev/null +++ b/openssl-fips_mode.patch @@ -0,0 +1,20 @@ +Index: openssl-1.1.1d/apps/openssl.c +=================================================================== +--- openssl-1.1.1d.orig/apps/openssl.c 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/apps/openssl.c 2020-01-23 13:45:11.452634334 +0100 +@@ -151,8 +151,15 @@ int main(int argc, char *argv[]) + CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); + + if (getenv("OPENSSL_FIPS")) { ++#ifdef OPENSSL_FIPS ++ if (!FIPS_mode_set(1)) { ++ ERR_print_errors(bio_err); ++ return 1; ++ } ++#else + BIO_printf(bio_err, "FIPS mode not supported.\n"); + return 1; ++#endif + } + + if (!apps_startup()) { diff --git a/openssl-fips_selftest_upstream_drbg.patch b/openssl-fips_selftest_upstream_drbg.patch new file mode 100644 index 0000000..db45ca7 --- /dev/null +++ b/openssl-fips_selftest_upstream_drbg.patch @@ -0,0 +1,1825 @@ +Index: openssl-1.1.1g/crypto/fips/drbgtest.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.1.1g/crypto/fips/drbgtest.c 2020-05-15 16:20:15.962172616 +0200 +@@ -0,0 +1,1179 @@ ++/* ++ * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include "internal/nelem.h" ++#include ++#include ++#include ++#include ++#include ++#include ++#include "../crypto/rand/rand_local.h" ++#include "../include/crypto/rand.h" ++ ++#if defined(_WIN32) ++# include ++#endif ++ ++ ++#if defined(OPENSSL_SYS_UNIX) ++# include ++# include ++# include ++#endif ++ ++#include "../../test/drbgtest.h" ++ ++typedef struct drbg_selftest_data_st { ++ int post; ++ int nid; ++ unsigned int flags; ++ ++ /* KAT data for no PR */ ++ const unsigned char *entropy; ++ size_t entropylen; ++ const unsigned char *nonce; ++ size_t noncelen; ++ const unsigned char *pers; ++ size_t perslen; ++ const unsigned char *adin; ++ size_t adinlen; ++ const unsigned char *entropyreseed; ++ size_t entropyreseedlen; ++ const unsigned char *adinreseed; ++ size_t adinreseedlen; ++ const unsigned char *adin2; ++ size_t adin2len; ++ const unsigned char *expected; ++ size_t exlen; ++ const unsigned char *kat2; ++ size_t kat2len; ++ ++ /* KAT data for PR */ ++ const unsigned char *entropy_pr; ++ size_t entropylen_pr; ++ const unsigned char *nonce_pr; ++ size_t noncelen_pr; ++ const unsigned char *pers_pr; ++ size_t perslen_pr; ++ const unsigned char *adin_pr; ++ size_t adinlen_pr; ++ const unsigned char *entropypr_pr; ++ size_t entropyprlen_pr; ++ const unsigned char *ading_pr; ++ size_t adinglen_pr; ++ const unsigned char *entropyg_pr; ++ size_t entropyglen_pr; ++ const unsigned char *kat_pr; ++ size_t katlen_pr; ++ const unsigned char *kat2_pr; ++ size_t kat2len_pr; ++} DRBG_SELFTEST_DATA; ++ ++#define make_drbg_test_data(nid, flag, pr, post) {\ ++ post, nid, flag, \ ++ pr##_entropyinput, sizeof(pr##_entropyinput), \ ++ pr##_nonce, sizeof(pr##_nonce), \ ++ pr##_personalizationstring, sizeof(pr##_personalizationstring), \ ++ pr##_additionalinput, sizeof(pr##_additionalinput), \ ++ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \ ++ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \ ++ pr##_additionalinput2, sizeof(pr##_additionalinput2), \ ++ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \ ++ pr##_returnedbits, sizeof(pr##_returnedbits), \ ++ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \ ++ pr##_pr_nonce, sizeof(pr##_pr_nonce), \ ++ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \ ++ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \ ++ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \ ++ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \ ++ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \ ++ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \ ++ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits) \ ++ } ++ ++#define make_drbg_test_data_use_df(nid, pr, p) \ ++ make_drbg_test_data(nid, 0, pr, p) ++ ++#define make_drbg_test_data_no_df(nid, pr, p) \ ++ make_drbg_test_data(nid, RAND_DRBG_FLAG_CTR_NO_DF, pr, p) ++ ++static DRBG_SELFTEST_DATA drbg_test[] = { ++ make_drbg_test_data_no_df (NID_aes_128_ctr, aes_128_no_df, 0), ++ make_drbg_test_data_no_df (NID_aes_192_ctr, aes_192_no_df, 0), ++ make_drbg_test_data_no_df (NID_aes_256_ctr, aes_256_no_df, 1), ++ make_drbg_test_data_use_df(NID_aes_128_ctr, aes_128_use_df, 0), ++ make_drbg_test_data_use_df(NID_aes_192_ctr, aes_192_use_df, 0), ++ make_drbg_test_data_use_df(NID_aes_256_ctr, aes_256_use_df, 1), ++}; ++ ++static int app_data_index; ++ ++/* ++ * Test context data, attached as EXDATA to the RAND_DRBG ++ */ ++typedef struct test_ctx_st { ++ const unsigned char *entropy; ++ size_t entropylen; ++ int entropycnt; ++ const unsigned char *nonce; ++ size_t noncelen; ++ int noncecnt; ++} TEST_CTX; ++ ++static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len, ++ int prediction_resistance) ++{ ++ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index); ++ ++ t->entropycnt++; ++ *pout = (unsigned char *)t->entropy; ++ return t->entropylen; ++} ++ ++static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len) ++{ ++ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index); ++ ++ t->noncecnt++; ++ *pout = (unsigned char *)t->nonce; ++ return t->noncelen; ++} ++ ++ /* ++ * Disable CRNG testing if it is enabled. ++ * If the DRBG is ready or in an error state, this means an instantiate cycle ++ * for which the default personalisation string is used. ++ */ ++static int disable_crngt(RAND_DRBG *drbg) ++{ ++ static const char pers[] = DRBG_DEFAULT_PERS_STRING; ++ const int instantiate = drbg->state != DRBG_UNINITIALISED; ++ ++ if (drbg->get_entropy != rand_crngt_get_entropy) ++ return 1; ++ ++ if ((instantiate && !RAND_DRBG_uninstantiate(drbg)) ++ || !RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy, ++ &rand_drbg_cleanup_entropy, ++ &rand_drbg_get_nonce, ++ &rand_drbg_cleanup_nonce) ++ || (instantiate ++ && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers, ++ sizeof(pers) - 1))) ++ return 0; ++ return 1; ++} ++ ++static int uninstantiate(RAND_DRBG *drbg) ++{ ++ int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg); ++ ++ ERR_clear_error(); ++ return ret; ++} ++ ++/* ++ * Do a single KAT test. Return 0 on failure. ++ */ ++static int single_kat(DRBG_SELFTEST_DATA *td) ++{ ++ RAND_DRBG *drbg = NULL; ++ TEST_CTX t; ++ int failures = 0; ++ unsigned char buff[1024]; ++ ++ /* ++ * Test without PR: Instantiate DRBG with test entropy, nonce and ++ * personalisation string. ++ */ ++ if ((drbg = RAND_DRBG_new(td->nid, td->flags, NULL)) == NULL) ++ return 0; ++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, ++ kat_nonce, NULL) ++ || !disable_crngt(drbg)) { ++ failures++; ++ goto err; ++ } ++ memset(&t, 0, sizeof(t)); ++ t.entropy = td->entropy; ++ t.entropylen = td->entropylen; ++ t.nonce = td->nonce; ++ t.noncelen = td->noncelen; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); ++ ++ if (!RAND_DRBG_instantiate(drbg, td->pers, td->perslen) ++ || !RAND_DRBG_generate(drbg, buff, td->exlen, 0, ++ td->adin, td->adinlen) ++ || memcmp(td->expected, buff, td->exlen)) ++ failures++; ++ ++ /* Reseed DRBG with test entropy and additional input */ ++ t.entropy = td->entropyreseed; ++ t.entropylen = td->entropyreseedlen; ++ if (!RAND_DRBG_reseed(drbg, td->adinreseed, td->adinreseedlen, 0) ++ || !RAND_DRBG_generate(drbg, buff, td->kat2len, 0, ++ td->adin2, td->adin2len) ++ || memcmp(td->kat2, buff, td->kat2len)) ++ failures++; ++ uninstantiate(drbg); ++ ++ /* ++ * Now test with PR: Instantiate DRBG with test entropy, nonce and ++ * personalisation string. ++ */ ++ if (!RAND_DRBG_set(drbg, td->nid, td->flags) ++ || !RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, ++ kat_nonce, NULL)) ++ failures++; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); ++ t.entropy = td->entropy_pr; ++ t.entropylen = td->entropylen_pr; ++ t.nonce = td->nonce_pr; ++ t.noncelen = td->noncelen_pr; ++ t.entropycnt = 0; ++ t.noncecnt = 0; ++ if (!RAND_DRBG_instantiate(drbg, td->pers_pr, td->perslen_pr)) ++ failures++; ++ ++ /* ++ * Now generate with PR: we need to supply entropy as this will ++ * perform a reseed operation. ++ */ ++ t.entropy = td->entropypr_pr; ++ t.entropylen = td->entropyprlen_pr; ++ if (!RAND_DRBG_generate(drbg, buff, td->katlen_pr, 1, ++ td->adin_pr, td->adinlen_pr) ++ || memcmp(td->kat_pr, buff, td->katlen_pr)) ++ failures++; ++ ++ /* ++ * Now generate again with PR: supply new entropy again. ++ */ ++ t.entropy = td->entropyg_pr; ++ t.entropylen = td->entropyglen_pr; ++ ++ if (!RAND_DRBG_generate(drbg, buff, td->kat2len_pr, 1, ++ td->ading_pr, td->adinglen_pr) ++ || memcmp(td->kat2_pr, buff, td->kat2len_pr)) ++ failures++; ++ ++err: ++ uninstantiate(drbg); ++ RAND_DRBG_free(drbg); ++ return failures == 0; ++} ++ ++/* ++ * Initialise a DRBG based on selftest data ++ */ ++static int init(RAND_DRBG *drbg, DRBG_SELFTEST_DATA *td, TEST_CTX *t) ++{ ++ if (!RAND_DRBG_set(drbg, td->nid, td->flags) ++ || !RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, ++ kat_nonce, NULL)) ++ return 0; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, t); ++ t->entropy = td->entropy; ++ t->entropylen = td->entropylen; ++ t->nonce = td->nonce; ++ t->noncelen = td->noncelen; ++ t->entropycnt = 0; ++ t->noncecnt = 0; ++ return 1; ++} ++ ++/* ++ * Initialise and instantiate DRBG based on selftest data ++ */ ++static int instantiate(RAND_DRBG *drbg, DRBG_SELFTEST_DATA *td, ++ TEST_CTX *t) ++{ ++ if (!init(drbg, td, t) ++ || !RAND_DRBG_instantiate(drbg, td->pers, td->perslen)) ++ return 0; ++ return 1; ++} ++ ++/* ++ * Perform extensive error checking as required by SP800-90. ++ * Induce several failure modes and check an error condition is set. ++ */ ++static int error_check(DRBG_SELFTEST_DATA *td) ++{ ++ static char zero[sizeof(RAND_DRBG)]; ++ RAND_DRBG *drbg = NULL; ++ TEST_CTX t; ++ unsigned char buff[1024]; ++ unsigned int reseed_counter_tmp; ++ int ret = 0; ++ ++ if (!(drbg = RAND_DRBG_new(0, 0, NULL)) ++ || !disable_crngt(drbg)) ++ goto err; ++ ++ /* ++ * Personalisation string tests ++ */ ++ ++ /* Test detection of too large personalisation string */ ++ if (!init(drbg, td, &t) ++ || RAND_DRBG_instantiate(drbg, td->pers, drbg->max_perslen + 1) > 0) ++ goto err; ++ ++ /* ++ * Entropy source tests ++ */ ++ ++ /* Test entropy source failure detection: i.e. returns no data */ ++ t.entropylen = 0; ++ if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0) ++ goto err; ++ ++ /* Try to generate output from uninstantiated DRBG */ ++ if (RAND_DRBG_generate(drbg, buff, td->exlen, 0, ++ td->adin, td->adinlen) ++ || !uninstantiate(drbg)) ++ goto err; ++ ++ /* Test insufficient entropy */ ++ if (!init(drbg, td, &t)) ++ goto err; ++ t.entropylen = drbg->min_entropylen - 1; ++ if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0 ++ || !uninstantiate(drbg)) ++ goto err; ++ ++ /* Test too much entropy */ ++ if (!init(drbg, td, &t)) ++ goto err; ++ t.entropylen = drbg->max_entropylen + 1; ++ if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0 ++ || !uninstantiate(drbg)) ++ goto err; ++ ++ /* ++ * Nonce tests ++ */ ++ ++ /* Test too small nonce */ ++ if (drbg->min_noncelen) { ++ if (!init(drbg, td, &t)) ++ goto err; ++ t.noncelen = drbg->min_noncelen - 1; ++ if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0 ++ || !uninstantiate(drbg)) ++ goto err; ++ } ++ ++ /* Test too large nonce */ ++ if (drbg->max_noncelen) { ++ if (!init(drbg, td, &t)) ++ goto err; ++ t.noncelen = drbg->max_noncelen + 1; ++ if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0 ++ || !uninstantiate(drbg)) ++ goto err; ++ } ++ ++ /* Instantiate with valid data, Check generation is now OK */ ++ if (!instantiate(drbg, td, &t) ++ || !RAND_DRBG_generate(drbg, buff, td->exlen, 0, ++ td->adin, td->adinlen)) ++ goto err; ++ ++ /* Request too much data for one request */ ++ if (RAND_DRBG_generate(drbg, buff, drbg->max_request + 1, 0, ++ td->adin, td->adinlen)) ++ goto err; ++ ++ /* Try too large additional input */ ++ if (RAND_DRBG_generate(drbg, buff, td->exlen, 0, ++ td->adin, drbg->max_adinlen + 1)) ++ goto err; ++ ++ /* ++ * Check prediction resistance request fails if entropy source ++ * failure. ++ */ ++ t.entropylen = 0; ++ if (RAND_DRBG_generate(drbg, buff, td->exlen, 1, ++ td->adin, td->adinlen) ++ || !uninstantiate(drbg)) ++ goto err; ++ ++ /* Instantiate again with valid data */ ++ if (!instantiate(drbg, td, &t)) ++ goto err; ++ reseed_counter_tmp = drbg->generate_counter; ++ drbg->generate_counter = drbg->reseed_interval; ++ ++ /* Generate output and check entropy has been requested for reseed */ ++ t.entropycnt = 0; ++ if (!RAND_DRBG_generate(drbg, buff, td->exlen, 0, ++ td->adin, td->adinlen) ++ || t.entropycnt != 1 ++ || drbg->generate_counter != reseed_counter_tmp + 1 ++ || !uninstantiate(drbg)) ++ goto err; ++ ++ /* ++ * Check prediction resistance request fails if entropy source ++ * failure. ++ */ ++ t.entropylen = 0; ++ if (RAND_DRBG_generate(drbg, buff, td->exlen, 1, ++ td->adin, td->adinlen) ++ || !uninstantiate(drbg)) ++ goto err; ++ ++ /* Test reseed counter works */ ++ if (!instantiate(drbg, td, &t)) ++ goto err; ++ reseed_counter_tmp = drbg->generate_counter; ++ drbg->generate_counter = drbg->reseed_interval; ++ ++ /* Generate output and check entropy has been requested for reseed */ ++ t.entropycnt = 0; ++ if (!RAND_DRBG_generate(drbg, buff, td->exlen, 0, ++ td->adin, td->adinlen) ++ || t.entropycnt != 1 ++ || drbg->generate_counter != reseed_counter_tmp + 1 ++ || !uninstantiate(drbg)) ++ goto err; ++ ++ /* ++ * Explicit reseed tests ++ */ ++ ++ /* Test explicit reseed with too large additional input */ ++ if (!instantiate(drbg, td, &t) ++ || RAND_DRBG_reseed(drbg, td->adin, drbg->max_adinlen + 1, 0) > 0) ++ goto err; ++ ++ /* Test explicit reseed with entropy source failure */ ++ t.entropylen = 0; ++ if (RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0) > 0 ++ || !uninstantiate(drbg)) ++ goto err; ++ ++ /* Test explicit reseed with too much entropy */ ++ if (!instantiate(drbg, td, &t)) ++ goto err; ++ t.entropylen = drbg->max_entropylen + 1; ++ if (RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0) > 0 ++ || !uninstantiate(drbg)) ++ goto err; ++ ++ /* Test explicit reseed with too little entropy */ ++ if (!instantiate(drbg, td, &t)) ++ goto err; ++ t.entropylen = drbg->min_entropylen - 1; ++ if (RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0) > 0 ++ || !uninstantiate(drbg)) ++ goto err; ++ ++ /* Standard says we have to check uninstantiate really zeroes */ ++ /* ++ * RAND_DRBG_uninstantiate() cleanses the data via drbg_ctr_uninstantiate(), ++ * but right after that it resets drbg->data.ctr using RAND_DRBG_set(), so ++ * the following memcmp will fail. ++ */ ++#if 0 ++ if (memcmp(zero, &drbg->data, sizeof(drbg->data))) ++ goto err; ++#endif ++ ++ ret = 1; ++ ++err: ++ uninstantiate(drbg); ++ RAND_DRBG_free(drbg); ++ return ret; ++} ++ ++static int test_kats(int i) ++{ ++ DRBG_SELFTEST_DATA *td = &drbg_test[i]; ++ int rv = 0; ++ ++ if (!single_kat(td)) ++ goto err; ++ rv = 1; ++ ++err: ++ return rv; ++} ++ ++static int test_error_checks(int i) ++{ ++ DRBG_SELFTEST_DATA *td = &drbg_test[i]; ++ int rv = 0; ++ ++ if (!error_check(td)) ++ goto err; ++ rv = 1; ++ ++err: ++ return rv; ++} ++ ++/* ++ * Hook context data, attached as EXDATA to the RAND_DRBG ++ */ ++typedef struct hook_ctx_st { ++ RAND_DRBG *drbg; ++ /* ++ * Currently, all DRBGs use the same get_entropy() callback. ++ * The tests however, don't assume this and store ++ * the original callback for every DRBG separately. ++ */ ++ RAND_DRBG_get_entropy_fn get_entropy; ++ /* forces a failure of the get_entropy() call if nonzero */ ++ int fail; ++ /* counts successful reseeds */ ++ int reseed_count; ++} HOOK_CTX; ++ ++static HOOK_CTX master_ctx, public_ctx, private_ctx; ++ ++static HOOK_CTX *get_hook_ctx(RAND_DRBG *drbg) ++{ ++ return (HOOK_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index); ++} ++ ++/* Intercepts and counts calls to the get_entropy() callback */ ++static size_t get_entropy_hook(RAND_DRBG *drbg, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len, ++ int prediction_resistance) ++{ ++ size_t ret; ++ HOOK_CTX *ctx = get_hook_ctx(drbg); ++ ++ if (ctx->fail != 0) ++ return 0; ++ ++ ret = ctx->get_entropy(drbg, pout, entropy, min_len, max_len, ++ prediction_resistance); ++ ++ if (ret != 0) ++ ctx->reseed_count++; ++ return ret; ++} ++ ++/* Installs a hook for the get_entropy() callback of the given drbg */ ++static void hook_drbg(RAND_DRBG *drbg, HOOK_CTX *ctx) ++{ ++ memset(ctx, 0, sizeof(*ctx)); ++ ctx->drbg = drbg; ++ ctx->get_entropy = drbg->get_entropy; ++ drbg->get_entropy = get_entropy_hook; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, ctx); ++} ++ ++/* Installs the hook for the get_entropy() callback of the given drbg */ ++static void unhook_drbg(RAND_DRBG *drbg) ++{ ++ HOOK_CTX *ctx = get_hook_ctx(drbg); ++ ++ drbg->get_entropy = ctx->get_entropy; ++ CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, drbg, &drbg->ex_data); ++} ++ ++/* Resets the given hook context */ ++static void reset_hook_ctx(HOOK_CTX *ctx) ++{ ++ ctx->fail = 0; ++ ctx->reseed_count = 0; ++} ++ ++/* Resets all drbg hook contexts */ ++static void reset_drbg_hook_ctx(void) ++{ ++ reset_hook_ctx(&master_ctx); ++ reset_hook_ctx(&public_ctx); ++ reset_hook_ctx(&private_ctx); ++} ++ ++/* ++ * Generates random output using RAND_bytes() and RAND_priv_bytes() ++ * and checks whether the three shared DRBGs were reseeded as ++ * expected. ++ * ++ * |expect_success|: expected outcome (as reported by RAND_status()) ++ * |master|, |public|, |private|: pointers to the three shared DRBGs ++ * |expect_xxx_reseed| = ++ * 1: it is expected that the specified DRBG is reseeded ++ * 0: it is expected that the specified DRBG is not reseeded ++ * -1: don't check whether the specified DRBG was reseeded or not ++ * |reseed_time|: if nonzero, used instead of time(NULL) to set the ++ * |before_reseed| time. ++ */ ++static int test_drbg_reseed(int expect_success, ++ RAND_DRBG *master, ++ RAND_DRBG *public, ++ RAND_DRBG *private, ++ int expect_master_reseed, ++ int expect_public_reseed, ++ int expect_private_reseed, ++ time_t reseed_time ++ ) ++{ ++ unsigned char buf[32]; ++ time_t before_reseed, after_reseed; ++ int expected_state = (expect_success ? DRBG_READY : DRBG_ERROR); ++ ++ /* ++ * step 1: check preconditions ++ */ ++ ++ /* Test whether seed propagation is enabled */ ++ if (master->reseed_counter == 0 ++ || public->reseed_counter == 0 ++ || private->reseed_counter == 0) ++ return 0; ++ ++ /* Check whether the master DRBG's reseed counter is the largest one */ ++ if (public->reseed_counter > master->reseed_counter ++ || private->reseed_counter > master->reseed_counter) ++ return 0; ++ ++ /* ++ * step 2: generate random output ++ */ ++ ++ if (reseed_time == 0) ++ reseed_time = time(NULL); ++ ++ /* Generate random output from the public and private DRBG */ ++ before_reseed = expect_master_reseed == 1 ? reseed_time : 0; ++ if (RAND_bytes(buf, sizeof(buf)) != expect_success ++ || RAND_priv_bytes(buf, sizeof(buf)) != expect_success) ++ return 0; ++ after_reseed = time(NULL); ++ ++ ++ /* ++ * step 3: check postconditions ++ */ ++ ++ /* Test whether reseeding succeeded as expected */ ++ if (master->state != expected_state ++ || public->state != expected_state ++ || private->state != expected_state) ++ return 0; ++ ++ if (expect_master_reseed >= 0) { ++ /* Test whether master DRBG was reseeded as expected */ ++ if (master_ctx.reseed_count != expect_master_reseed) ++ return 0; ++ } ++ ++ if (expect_public_reseed >= 0) { ++ /* Test whether public DRBG was reseeded as expected */ ++ if (public_ctx.reseed_count != expect_public_reseed) ++ return 0; ++ } ++ ++ if (expect_private_reseed >= 0) { ++ /* Test whether public DRBG was reseeded as expected */ ++ if (private_ctx.reseed_count != expect_private_reseed) ++ return 0; ++ } ++ ++ if (expect_success == 1) { ++ /* Test whether all three reseed counters are synchronized */ ++ if (public->reseed_counter != master->reseed_counter ++ || private->reseed_counter != master->reseed_counter) ++ return 0; ++ ++ /* Test whether reseed time of master DRBG is set correctly */ ++ if (before_reseed > master->reseed_time ++ || master->reseed_time > after_reseed) ++ return 0; ++ ++ /* Test whether reseed times of child DRBGs are synchronized with master */ ++ if (public->reseed_time < master->reseed_time ++ || private->reseed_time < master->reseed_time) ++ return 0; ++ } else { ++ ERR_clear_error(); ++ } ++ ++ return 1; ++} ++ ++ ++#if defined(OPENSSL_SYS_UNIX) ++/* ++ * Test whether master, public and private DRBG are reseeded after ++ * forking the process. ++ */ ++static int test_drbg_reseed_after_fork(RAND_DRBG *master, ++ RAND_DRBG *public, ++ RAND_DRBG *private) ++{ ++ pid_t pid; ++ int status=0; ++ ++ pid = fork(); ++ if (pid < 0) ++ return 0; ++ ++ if (pid > 0) { ++ /* I'm the parent; wait for the child and check its exit code */ ++ return (waitpid(pid, &status, 0) == pid) && status == 0; ++ } ++ ++ /* I'm the child; check whether all three DRBGs reseed. */ ++ if (!test_drbg_reseed(1, master, public, private, 1, 1, 1, 0)) ++ status = 1; ++ ++ /* Remove hooks */ ++ unhook_drbg(master); ++ unhook_drbg(public); ++ unhook_drbg(private); ++ exit(status); ++} ++#endif ++ ++/* ++ * Test whether the default rand_method (RAND_OpenSSL()) is ++ * setup correctly, in particular whether reseeding works ++ * as designed. ++ */ ++static int test_rand_drbg_reseed(void) ++{ ++ RAND_DRBG *master, *public, *private; ++ unsigned char rand_add_buf[256]; ++ int rv=0; ++ time_t before_reseed; ++ ++ /* Check whether RAND_OpenSSL() is the default method */ ++ if (RAND_get_rand_method() != RAND_OpenSSL()) ++ return 0; ++ ++ /* All three DRBGs should be non-null */ ++ if (!(master = RAND_DRBG_get0_master()) ++ || !(public = RAND_DRBG_get0_public()) ++ || !(private = RAND_DRBG_get0_private())) ++ return 0; ++ ++ /* There should be three distinct DRBGs, two of them chained to master */ ++ if (public == private ++ || public == master ++ || private == master ++ || public->parent != master ++ || private->parent != master) ++ return 0; ++ ++ /* Disable CRNG testing for the master DRBG */ ++ if (!disable_crngt(master)) ++ return 0; ++ ++ /* uninstantiate the three global DRBGs */ ++ RAND_DRBG_uninstantiate(private); ++ RAND_DRBG_uninstantiate(public); ++ RAND_DRBG_uninstantiate(master); ++ ++ ++ /* Install hooks for the following tests */ ++ hook_drbg(master, &master_ctx); ++ hook_drbg(public, &public_ctx); ++ hook_drbg(private, &private_ctx); ++ ++ ++ /* ++ * Test initial seeding of shared DRBGs ++ */ ++ if (!test_drbg_reseed(1, master, public, private, 1, 1, 1, 0)) ++ goto error; ++ reset_drbg_hook_ctx(); ++ ++ ++ /* ++ * Test initial state of shared DRBGs ++ */ ++ if (!test_drbg_reseed(1, master, public, private, 0, 0, 0, 0)) ++ goto error; ++ reset_drbg_hook_ctx(); ++ ++ /* ++ * Test whether the public and private DRBG are both reseeded when their ++ * reseed counters differ from the master's reseed counter. ++ */ ++ master->reseed_counter++; ++ if (!test_drbg_reseed(1, master, public, private, 0, 1, 1, 0)) ++ goto error; ++ reset_drbg_hook_ctx(); ++ ++ /* ++ * Test whether the public DRBG is reseeded when its reseed counter differs ++ * from the master's reseed counter. ++ */ ++ master->reseed_counter++; ++ private->reseed_counter++; ++ if (!test_drbg_reseed(1, master, public, private, 0, 1, 0, 0)) ++ goto error; ++ reset_drbg_hook_ctx(); ++ ++ /* ++ * Test whether the private DRBG is reseeded when its reseed counter differs ++ * from the master's reseed counter. ++ */ ++ master->reseed_counter++; ++ public->reseed_counter++; ++ if (!test_drbg_reseed(1, master, public, private, 0, 0, 1, 0)) ++ goto error; ++ reset_drbg_hook_ctx(); ++ ++#if defined(OPENSSL_SYS_UNIX) ++ if (!test_drbg_reseed_after_fork(master, public, private)) ++ goto error; ++#endif ++ ++ /* fill 'randomness' buffer with some arbitrary data */ ++ memset(rand_add_buf, 'r', sizeof(rand_add_buf)); ++ ++ /* ++ * Test whether all three DRBGs are reseeded by RAND_add(). ++ * The before_reseed time has to be measured here and passed into the ++ * test_drbg_reseed() test, because the master DRBG gets already reseeded ++ * in RAND_add(), whence the check for the condition ++ * before_reseed <= master->reseed_time will fail if the time value happens ++ * to increase between the RAND_add() and the test_drbg_reseed() call. ++ */ ++ before_reseed = time(NULL); ++ RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf)); ++ if (!test_drbg_reseed(1, master, public, private, 1, 1, 1, ++ before_reseed)) ++ goto error; ++ reset_drbg_hook_ctx(); ++ ++ ++ /* ++ * Test whether none of the DRBGs is reseed if the master fails to reseed ++ */ ++ master_ctx.fail = 1; ++ master->reseed_counter++; ++ RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf)); ++ if (!test_drbg_reseed(0, master, public, private, 0, 0, 0, 0)) ++ goto error; ++ reset_drbg_hook_ctx(); ++ ++ rv = 1; ++ ++error: ++ /* Remove hooks */ ++ unhook_drbg(master); ++ unhook_drbg(public); ++ unhook_drbg(private); ++ ++ return rv; ++} ++ ++#if defined(OPENSSL_THREADS) ++static int multi_thread_rand_bytes_succeeded = 1; ++static int multi_thread_rand_priv_bytes_succeeded = 1; ++ ++static void run_multi_thread_test(void) ++{ ++ unsigned char buf[256]; ++ time_t start = time(NULL); ++ RAND_DRBG *public = NULL, *private = NULL; ++ ++ if (!(public = RAND_DRBG_get0_public()) ++ || !(private = RAND_DRBG_get0_private())) { ++ multi_thread_rand_bytes_succeeded = 0; ++ return; ++ } ++ RAND_DRBG_set_reseed_time_interval(private, 1); ++ RAND_DRBG_set_reseed_time_interval(public, 1); ++ ++ do { ++ if (RAND_bytes(buf, sizeof(buf)) <= 0) ++ multi_thread_rand_bytes_succeeded = 0; ++ if (RAND_priv_bytes(buf, sizeof(buf)) <= 0) ++ multi_thread_rand_priv_bytes_succeeded = 0; ++ } ++ while(time(NULL) - start < 5); ++} ++ ++# if defined(OPENSSL_SYS_WINDOWS) ++ ++typedef HANDLE thread_t; ++ ++static DWORD WINAPI thread_run(LPVOID arg) ++{ ++ run_multi_thread_test(); ++ /* ++ * Because we're linking with a static library, we must stop each ++ * thread explicitly, or so says OPENSSL_thread_stop(3) ++ */ ++ OPENSSL_thread_stop(); ++ return 0; ++} ++ ++static int run_thread(thread_t *t) ++{ ++ *t = CreateThread(NULL, 0, thread_run, NULL, 0, NULL); ++ return *t != NULL; ++} ++ ++static int wait_for_thread(thread_t thread) ++{ ++ return WaitForSingleObject(thread, INFINITE) == 0; ++} ++ ++# else ++ ++typedef pthread_t thread_t; ++ ++static void *thread_run(void *arg) ++{ ++ run_multi_thread_test(); ++ /* ++ * Because we're linking with a static library, we must stop each ++ * thread explicitly, or so says OPENSSL_thread_stop(3) ++ */ ++ OPENSSL_thread_stop(); ++ return NULL; ++} ++ ++static int run_thread(thread_t *t) ++{ ++ return pthread_create(t, NULL, thread_run, NULL) == 0; ++} ++ ++static int wait_for_thread(thread_t thread) ++{ ++ return pthread_join(thread, NULL) == 0; ++} ++ ++# endif ++ ++/* ++ * The main thread will also run the test, so we'll have THREADS+1 parallel ++ * tests running ++ */ ++# define THREADS 3 ++ ++static int test_multi_thread(void) ++{ ++ thread_t t[THREADS]; ++ int i; ++ ++ for (i = 0; i < THREADS; i++) ++ run_thread(&t[i]); ++ run_multi_thread_test(); ++ for (i = 0; i < THREADS; i++) ++ wait_for_thread(t[i]); ++ ++ if (!multi_thread_rand_bytes_succeeded) ++ return 0; ++ if (!multi_thread_rand_priv_bytes_succeeded) ++ return 0; ++ ++ return 1; ++} ++#endif ++ ++/* ++ * Test that instantiation with RAND_seed() works as expected ++ * ++ * If no os entropy source is available then RAND_seed(buffer, bufsize) ++ * is expected to succeed if and only if the buffer length is at least ++ * rand_drbg_seedlen(master) bytes. ++ * ++ * If an os entropy source is available then RAND_seed(buffer, bufsize) ++ * is expected to succeed always. ++ */ ++static int test_rand_seed(void) ++{ ++ RAND_DRBG *master = NULL; ++ unsigned char rand_buf[256]; ++ size_t rand_buflen; ++ size_t required_seed_buflen = 0; ++ ++ if (!(master = RAND_DRBG_get0_master()) ++ || !disable_crngt(master)) ++ return 0; ++ ++#ifdef OPENSSL_RAND_SEED_NONE ++ required_seed_buflen = rand_drbg_seedlen(master); ++#endif ++ ++ memset(rand_buf, 0xCD, sizeof(rand_buf)); ++ ++ for ( rand_buflen = 256 ; rand_buflen > 0 ; --rand_buflen ) { ++ RAND_DRBG_uninstantiate(master); ++ RAND_seed(rand_buf, rand_buflen); ++ ++ if (RAND_status() != (rand_buflen >= required_seed_buflen)) ++ return 0; ++ } ++ ++ return 1; ++} ++ ++/* ++ * Test that adding additional data with RAND_add() works as expected ++ * when the master DRBG is instantiated (and below its reseed limit). ++ * ++ * This should succeed regardless of whether an os entropy source is ++ * available or not. ++ */ ++static int test_rand_add(void) ++{ ++ unsigned char rand_buf[256]; ++ size_t rand_buflen; ++ ++ memset(rand_buf, 0xCD, sizeof(rand_buf)); ++ ++ /* make sure it's instantiated */ ++ RAND_seed(rand_buf, sizeof(rand_buf)); ++ if (!RAND_status()) ++ return 0; ++ ++ for ( rand_buflen = 256 ; rand_buflen > 0 ; --rand_buflen ) { ++ RAND_add(rand_buf, rand_buflen, 0.0); ++ if (!RAND_status()) ++ return 0; ++ } ++ ++ return 1; ++} ++ ++/* ++ * A list of the FIPS DRGB types. ++ */ ++static const struct s_drgb_types { ++ int nid; ++ int flags; ++} drgb_types[] = { ++ { NID_aes_128_ctr, 0 }, ++ { NID_aes_192_ctr, 0 }, ++ { NID_aes_256_ctr, 0 }, ++}; ++ ++/* Six cases for each covers seed sizes up to 32 bytes */ ++static const size_t crngt_num_cases = 6; ++ ++static size_t crngt_case, crngt_idx; ++ ++static int crngt_entropy_cb(unsigned char *buf, unsigned char *md, ++ unsigned int *md_size) ++{ ++ size_t i, z; ++ ++ if (crngt_idx >= crngt_num_cases) ++ return 0; ++ /* Generate a block of unique data unless this is the duplication point */ ++ z = crngt_idx++; ++ if (z > 0 && crngt_case == z) ++ z--; ++ for (i = 0; i < CRNGT_BUFSIZ; i++) ++ buf[i] = (unsigned char)(i + 'A' + z); ++ return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL); ++} ++ ++static int test_crngt(int n) ++{ ++ const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases; ++ RAND_DRBG *drbg = NULL; ++ unsigned char buff[100]; ++ size_t ent; ++ int res = 0; ++ int expect; ++ ++ if (!rand_crngt_single_init()) ++ return 0; ++ rand_crngt_cleanup(); ++ ++ if (!(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL))) ++ return 0; ++ ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ; ++ crngt_case = n % crngt_num_cases; ++ crngt_idx = 0; ++ crngt_get_entropy = &crngt_entropy_cb; ++ if (!rand_crngt_init()) ++ goto err; ++#ifndef OPENSSL_FIPS ++ if (!RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy, ++ &rand_crngt_cleanup_entropy, ++ &rand_drbg_get_nonce, ++ &rand_drbg_cleanup_nonce)) ++ goto err; ++#endif ++ expect = crngt_case == 0 || crngt_case > ent; ++ if (RAND_DRBG_instantiate(drbg, NULL, 0) != expect) ++ goto err; ++ if (!expect) ++ goto fin; ++ if (!RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)) ++ goto err; ++ ++ expect = crngt_case == 0 || crngt_case > 2 * ent; ++ if (RAND_DRBG_reseed(drbg, NULL, 0, 0) != expect) ++ goto err; ++ if (!expect) ++ goto fin; ++ if (!RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)) ++ goto err; ++ ++fin: ++ res = 1; ++err: ++#if 0 ++ if (!res) ++ TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases, ++ crngt_case, crngt_idx); ++#endif ++ uninstantiate(drbg); ++ RAND_DRBG_free(drbg); ++ crngt_get_entropy = &rand_crngt_get_entropy_cb; ++ return res; ++} ++ ++int FIPS_selftest_drbg(void) ++{ ++ app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL); ++ int i; ++ ++ for (i = 0; i < OSSL_NELEM(drbg_test); i++) { ++ if (!test_kats(i)) ++ return 0; ++ } ++ for (i = 0; i < OSSL_NELEM(drbg_test); i++) { ++ if (!test_error_checks(i)) ++ return 0; ++ } ++ ++#if 0 ++ if (!test_rand_drbg_reseed()) ++ return 0; ++ if (!test_rand_seed()) ++ return 0; ++ if (!test_rand_add()) ++ return 0; ++#if defined(OPENSSL_THREADS) ++ if (!test_multi_thread()) ++ return 0; ++#endif ++ for (i = 0; i < crngt_num_cases * OSSL_NELEM(drgb_types); i++) { ++ if (!test_crngt(i)) ++ return 0; ++ } ++#endif ++ return 1; ++} ++ +Index: openssl-1.1.1g/crypto/fips/drbgtest.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.1.1g/crypto/fips/drbgtest.h 2020-05-15 16:19:01.662586731 +0200 +@@ -0,0 +1,579 @@ ++/* ++ * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++/* ++ * Known answer tests for SP800-90 DRBG CTR mode. ++ */ ++ ++ ++/* ++ * AES-128 use df PR ++ */ ++static const unsigned char aes_128_use_df_pr_entropyinput[] = { ++ 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33, ++ 0xc8, 0xdb, 0xff, 0x12 ++}; ++static const unsigned char aes_128_use_df_pr_nonce[] = { ++ 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28 ++}; ++static const unsigned char aes_128_use_df_pr_personalizationstring[] = { ++ 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe, ++ 0xd7, 0xd7, 0x01, 0x67 ++}; ++static const unsigned char aes_128_use_df_pr_additionalinput[] = { ++ 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e, ++ 0x9a, 0x47, 0x08, 0x76 ++}; ++static const unsigned char aes_128_use_df_pr_entropyinputpr[] = { ++ 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51, ++ 0x09, 0xfb, 0xa3, 0xb6 ++}; ++static const unsigned char aes_128_use_df_pr_int_returnedbits[] = { ++ 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52, ++ 0x66, 0x1c, 0xea, 0x5b ++}; ++static const unsigned char aes_128_use_df_pr_additionalinput2[] = { ++ 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11, ++ 0x3f, 0x5e, 0x31, 0x06 ++}; ++static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = { ++ 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae, ++ 0xa7, 0xe3, 0xa8, 0x67 ++}; ++static const unsigned char aes_128_use_df_pr_returnedbits[] = { ++ 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24, ++ 0x0f, 0x38, 0x43, 0xc6 ++}; ++ ++ ++/* ++ * AES-128 use df no PR ++ */ ++static const unsigned char aes_128_use_df_entropyinput[] = { ++ 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3, ++ 0x9d, 0x7d, 0x1c, 0x9b ++}; ++static const unsigned char aes_128_use_df_nonce[] = { ++ 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96, ++}; ++static const unsigned char aes_128_use_df_personalizationstring[] = { ++ 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3, ++ 0x38, 0x66, 0xba, 0x1b ++}; ++static const unsigned char aes_128_use_df_additionalinput[] = { ++ 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46, ++ 0xb5, 0xe2, 0xb2, 0x41 ++}; ++static const unsigned char aes_128_use_df_int_returnedbits[] = { ++ 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67, ++ 0xe7, 0x57, 0x11, 0xb4 ++}; ++static const unsigned char aes_128_use_df_entropyinputreseed[] = { ++ 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b, ++ 0xc7, 0xc4, 0x9e, 0x39 ++}; ++static const unsigned char aes_128_use_df_additionalinputreseed[] = { ++ 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a, ++ 0xc8, 0x93, 0xfa, 0x84 ++}; ++static const unsigned char aes_128_use_df_additionalinput2[] = { ++ 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5, ++ 0x06, 0x0c, 0x15, 0x2c ++}; ++static const unsigned char aes_128_use_df_returnedbits[] = { ++ 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88, ++ 0x46, 0x81, 0xc7, 0x19 ++}; ++ ++ ++/* ++ * AES-192 use df PR ++ */ ++static const unsigned char aes_192_use_df_pr_entropyinput[] = { ++ 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec, ++ 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d ++}; ++static const unsigned char aes_192_use_df_pr_nonce[] = { ++ 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0, ++ 0xd1, 0x80, 0x78, 0xfa ++}; ++static const unsigned char aes_192_use_df_pr_personalizationstring[] = { ++ 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16, ++ 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5, ++ 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04 ++}; ++static const unsigned char aes_192_use_df_pr_additionalinput[] = { ++ 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac, ++ 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb, ++ 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36 ++}; ++static const unsigned char aes_192_use_df_pr_entropyinputpr[] = { ++ 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5, ++ 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5, ++}; ++static const unsigned char aes_192_use_df_pr_int_returnedbits[] = { ++ 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9, ++ 0x19, 0x30, 0x6b, 0x67 ++}; ++static const unsigned char aes_192_use_df_pr_additionalinput2[] = { ++ 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32, ++ 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda, ++ 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99 ++}; ++static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = { ++ 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0, ++ 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e, ++}; ++static const unsigned char aes_192_use_df_pr_returnedbits[] = { ++ 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c, ++ 0x7e, 0x1a, 0x2b, 0x83 ++}; ++ ++ ++/* ++ * AES-192 use df no PR ++ */ ++static const unsigned char aes_192_use_df_entropyinput[] = { ++ 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82, ++ 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b, ++}; ++static const unsigned char aes_192_use_df_nonce[] = { ++ 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d, ++ 0x77, 0xd7, 0x41, 0x0e ++}; ++static const unsigned char aes_192_use_df_personalizationstring[] = { ++ 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf, ++ 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65, ++ 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70 ++}; ++static const unsigned char aes_192_use_df_additionalinput[] = { ++ 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69, ++ 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22, ++ 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7 ++}; ++static const unsigned char aes_192_use_df_int_returnedbits[] = { ++ 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6, ++ 0xb7, 0xed, 0xe9, 0xea ++}; ++static const unsigned char aes_192_use_df_entropyinputreseed[] = { ++ 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02, ++ 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01, ++}; ++static const unsigned char aes_192_use_df_additionalinputreseed[] = { ++ 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76, ++ 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77, ++ 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65 ++}; ++static const unsigned char aes_192_use_df_additionalinput2[] = { ++ 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e, ++ 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0, ++ 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77 ++}; ++static const unsigned char aes_192_use_df_returnedbits[] = { ++ 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58, ++ 0x1a, 0xf9, 0x13, 0x28 ++}; ++ ++ ++/* ++ * AES-256 use df PR ++ */ ++static const unsigned char aes_256_use_df_pr_entropyinput[] = { ++ 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74, ++ 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f, ++ 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a ++}; ++static const unsigned char aes_256_use_df_pr_nonce[] = { ++ 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33, ++ 0x2b, 0x36, 0xff, 0xa4 ++}; ++static const unsigned char aes_256_use_df_pr_personalizationstring[] = { ++ 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24, ++ 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83, ++ 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d ++}; ++static const unsigned char aes_256_use_df_pr_additionalinput[] = { ++ 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0, ++ 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3, ++ 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde ++}; ++static const unsigned char aes_256_use_df_pr_entropyinputpr[] = { ++ 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77, ++ 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54, ++ 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9 ++}; ++static const unsigned char aes_256_use_df_pr_int_returnedbits[] = { ++ 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7, ++ 0x17, 0xab, 0x3c, 0x7a ++}; ++static const unsigned char aes_256_use_df_pr_additionalinput2[] = { ++ 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00, ++ 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78, ++ 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3 ++}; ++static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = { ++ 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73, ++ 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8, ++ 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f ++}; ++static const unsigned char aes_256_use_df_pr_returnedbits[] = { ++ 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0, ++ 0xd9, 0xe2, 0x97, 0x00 ++}; ++ ++ ++/* ++ * AES-256 use df no PR ++ */ ++static const unsigned char aes_256_use_df_entropyinput[] = { ++ 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50, ++ 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68, ++ 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47 ++}; ++static const unsigned char aes_256_use_df_nonce[] = { ++ 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a, ++ 0x4c, 0x44, 0x84, 0x40 ++}; ++static const unsigned char aes_256_use_df_personalizationstring[] = { ++ 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05, ++ 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b, ++ 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2 ++}; ++static const unsigned char aes_256_use_df_additionalinput[] = { ++ 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f, ++ 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf, ++ 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46 ++}; ++static const unsigned char aes_256_use_df_int_returnedbits[] = { ++ 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1, ++ 0x28, 0x0c, 0x3b, 0xc1 ++}; ++static const unsigned char aes_256_use_df_entropyinputreseed[] = { ++ 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76, ++ 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46, ++ 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e ++}; ++static const unsigned char aes_256_use_df_additionalinputreseed[] = { ++ 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99, ++ 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75, ++ 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75 ++}; ++static const unsigned char aes_256_use_df_additionalinput2[] = { ++ 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d, ++ 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a, ++ 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d ++}; ++static const unsigned char aes_256_use_df_returnedbits[] = { ++ 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad, ++ 0xfa, 0xfd, 0x35, 0x5e ++}; ++ ++ ++/* ++ * AES-128 no df PR ++ */ ++static const unsigned char aes_128_no_df_pr_entropyinput[] = { ++ 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4, ++ 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf, ++ 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a ++}; ++static const unsigned char aes_128_no_df_pr_nonce[] = { ++ 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1, ++}; ++static const unsigned char aes_128_no_df_pr_personalizationstring[] = { ++ 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c, ++ 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c, ++ 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8 ++}; ++static const unsigned char aes_128_no_df_pr_additionalinput[] = { ++ 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02, ++ 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73, ++ 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12 ++}; ++static const unsigned char aes_128_no_df_pr_entropyinputpr[] = { ++ 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a, ++ 0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7, ++ 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e ++}; ++static const unsigned char aes_128_no_df_pr_int_returnedbits[] = { ++ 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71, ++ 0xaf, 0x19, 0x32, 0x16 ++}; ++static const unsigned char aes_128_no_df_pr_additionalinput2[] = { ++ 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f, ++ 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83, ++ 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50 ++}; ++static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = { ++ 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a, ++ 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07, ++ 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9 ++}; ++static const unsigned char aes_128_no_df_pr_returnedbits[] = { ++ 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33, ++ 0x57, 0x82, 0x33, 0xaf ++}; ++ ++ ++/* ++ * AES-128 no df no PR ++ */ ++static const unsigned char aes_128_no_df_entropyinput[] = { ++ 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67, ++ 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42, ++ 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60 ++}; ++static const unsigned char aes_128_no_df_nonce[] = { ++ 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13, ++}; ++static const unsigned char aes_128_no_df_personalizationstring[] = { ++ 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb, ++ 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b, ++ 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce ++}; ++static const unsigned char aes_128_no_df_additionalinput[] = { ++ 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37, ++ 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24, ++ 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95 ++}; ++static const unsigned char aes_128_no_df_int_returnedbits[] = { ++ 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6, ++ 0xed, 0x3e, 0x65, 0xc2 ++}; ++static const unsigned char aes_128_no_df_entropyinputreseed[] = { ++ 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66, ++ 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1, ++ 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00 ++}; ++static const unsigned char aes_128_no_df_additionalinputreseed[] = { ++ 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2, ++ 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4, ++ 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4 ++}; ++static const unsigned char aes_128_no_df_additionalinput2[] = { ++ 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f, ++ 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac, ++ 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6 ++}; ++static const unsigned char aes_128_no_df_returnedbits[] = { ++ 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36, ++ 0x81, 0x37, 0x19, 0xd4 ++}; ++ ++ ++/* ++ * AES-192 no df PR ++ */ ++static const unsigned char aes_192_no_df_pr_entropyinput[] = { ++ 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7, ++ 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61, ++ 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a, ++ 0x17, 0x1f, 0x8d, 0x9a ++}; ++static const unsigned char aes_192_no_df_pr_nonce[] = { ++ 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19, ++ 0x61, 0x5c, 0xee, 0x0f ++}; ++static const unsigned char aes_192_no_df_pr_personalizationstring[] = { ++ 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1, ++ 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4, ++ 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10, ++ 0x57, 0x2e, 0xe7, 0x55 ++}; ++static const unsigned char aes_192_no_df_pr_additionalinput[] = { ++ 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad, ++ 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85, ++ 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f, ++ 0xe2, 0xd0, 0x0c, 0x2f ++}; ++static const unsigned char aes_192_no_df_pr_entropyinputpr[] = { ++ 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94, ++ 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb, ++ 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58, ++ 0x1d, 0x30, 0xb3, 0x78 ++}; ++static const unsigned char aes_192_no_df_pr_int_returnedbits[] = { ++ 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40, ++ 0x7e, 0x3e, 0x0c, 0x26 ++}; ++static const unsigned char aes_192_no_df_pr_additionalinput2[] = { ++ 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a, ++ 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57, ++ 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee, ++ 0x0c, 0x4b, 0xee, 0x6e ++}; ++static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = { ++ 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0, ++ 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f, ++ 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b, ++ 0x8e, 0x0a, 0x83, 0xdf ++}; ++static const unsigned char aes_192_no_df_pr_returnedbits[] = { ++ 0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91, ++ 0xb9, 0xa1, 0x21, 0x68 ++}; ++ ++ ++/* ++ * AES-192 no df no PR ++ */ ++static const unsigned char aes_192_no_df_entropyinput[] = { ++ 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e, ++ 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe, ++ 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28, ++ 0x94, 0xc3, 0x59, 0x63 ++}; ++static const unsigned char aes_192_no_df_nonce[] = { ++ 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb, ++ 0x29, 0xfd, 0x45, 0x71 ++}; ++static const unsigned char aes_192_no_df_personalizationstring[] = { ++ 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08, ++ 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96, ++ 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b, ++ 0x3b, 0x88, 0xce, 0x35 ++}; ++static const unsigned char aes_192_no_df_additionalinput[] = { ++ 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b, ++ 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71, ++ 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3, ++ 0x3e, 0xbe, 0xd4, 0x8e ++}; ++static const unsigned char aes_192_no_df_int_returnedbits[] = { ++ 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a, ++ 0x45, 0xe7, 0x4a, 0xc5 ++}; ++static const unsigned char aes_192_no_df_entropyinputreseed[] = { ++ 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e, ++ 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1, ++ 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33, ++ 0x9b, 0xcb, 0x7e, 0x75 ++}; ++static const unsigned char aes_192_no_df_additionalinputreseed[] = { ++ 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01, ++ 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27, ++ 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40, ++ 0x5d, 0x7a, 0x25, 0x79 ++}; ++static const unsigned char aes_192_no_df_additionalinput2[] = { ++ 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71, ++ 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5, ++ 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a, ++ 0x91, 0x6a, 0xe3, 0x5f ++}; ++static const unsigned char aes_192_no_df_returnedbits[] = { ++ 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8, ++ 0x66, 0x67, 0x2c, 0x92 ++}; ++ ++ ++/* ++ * AES-256 no df PR ++ */ ++static const unsigned char aes_256_no_df_pr_entropyinput[] = { ++ 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8, ++ 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2, ++ 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03, ++ 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c, ++}; ++static const unsigned char aes_256_no_df_pr_nonce[] = { ++ 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30, ++ 0xcc, 0x4b, 0xee, 0x2e ++}; ++static const unsigned char aes_256_no_df_pr_personalizationstring[] = { ++ 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7, ++ 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b, ++ 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac, ++ 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06, ++}; ++static const unsigned char aes_256_no_df_pr_additionalinput[] = { ++ 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40, ++ 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c, ++ 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69, ++ 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e, ++}; ++static const unsigned char aes_256_no_df_pr_entropyinputpr[] = { ++ 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16, ++ 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc, ++ 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9, ++ 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f, ++}; ++static const unsigned char aes_256_no_df_pr_int_returnedbits[] = { ++ 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56, ++ 0x79, 0x60, 0x93, 0xcf ++}; ++static const unsigned char aes_256_no_df_pr_additionalinput2[] = { ++ 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a, ++ 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35, ++ 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34, ++ 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb, ++}; ++static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = { ++ 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3, ++ 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa, ++ 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83, ++ 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f, ++}; ++static const unsigned char aes_256_no_df_pr_returnedbits[] = { ++ 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7, ++ 0x2d, 0x5f, 0x4a, 0x46 ++}; ++ ++ ++/* ++ * AES-256 no df no PR ++ */ ++static const unsigned char aes_256_no_df_entropyinput[] = { ++ 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3, ++ 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb, ++ 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96, ++ 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3, ++}; ++static const unsigned char aes_256_no_df_nonce[] = { ++ 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99, ++ 0x43, 0x96, 0xb9, 0xf0 ++}; ++static const unsigned char aes_256_no_df_personalizationstring[] = { ++ 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60, ++ 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc, ++ 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f, ++ 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d, ++}; ++static const unsigned char aes_256_no_df_additionalinput[] = { ++ 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6, ++ 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9, ++ 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed, ++ 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17, ++}; ++static const unsigned char aes_256_no_df_int_returnedbits[] = { ++ 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6, ++ 0xd2, 0x25, 0x75, 0x0e ++}; ++static const unsigned char aes_256_no_df_entropyinputreseed[] = { ++ 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b, ++ 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5, ++ 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed, ++ 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb, ++}; ++static const unsigned char aes_256_no_df_additionalinputreseed[] = { ++ 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e, ++ 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18, ++ 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b, ++ 0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29, ++}; ++static const unsigned char aes_256_no_df_additionalinput2[] = { ++ 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe, ++ 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42, ++ 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba, ++ 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6, ++}; ++static const unsigned char aes_256_no_df_returnedbits[] = { ++ 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67, ++ 0xf6, 0x02, 0x32, 0xe2 ++}; +Index: openssl-1.1.1g/crypto/fips/fips_post.c +=================================================================== +--- openssl-1.1.1g.orig/crypto/fips/fips_post.c 2020-05-15 16:18:44.030685013 +0200 ++++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-05-15 16:19:01.662586731 +0200 +@@ -51,7 +51,6 @@ + + #include + #include +-#include + #include + #include + #include +Index: openssl-1.1.1g/crypto/fips/build.info +=================================================================== +--- openssl-1.1.1g.orig/crypto/fips/build.info 2020-05-15 16:18:44.030685013 +0200 ++++ openssl-1.1.1g/crypto/fips/build.info 2020-05-15 16:19:01.662586731 +0200 +@@ -2,7 +2,7 @@ LIBS=../../libcrypto + SOURCE[../../libcrypto]=\ + fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \ + fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \ +- fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ ++ fips_post.c drbgtest.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ + fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ + fips_dh_selftest.c fips_ers.c +Index: openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c +=================================================================== +--- openssl-1.1.1g.orig/crypto/fips/fips_drbg_selftest.c 2020-05-15 16:18:44.030685013 +0200 ++++ openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c 2020-05-15 16:19:01.666586709 +0200 +@@ -774,6 +774,7 @@ int FIPS_drbg_health_check(DRBG_CTX *dct + return rv; + } + ++#if 0 + int FIPS_selftest_drbg(void) + { + DRBG_CTX *dctx; +@@ -798,6 +799,7 @@ int FIPS_selftest_drbg(void) + FIPS_drbg_free(dctx); + return rv; + } ++#endif + + int FIPS_selftest_drbg_all(void) + { +Index: openssl-1.1.1g/crypto/fips/fips.c +=================================================================== +--- openssl-1.1.1g.orig/crypto/fips/fips.c 2020-05-15 16:18:44.030685013 +0200 ++++ openssl-1.1.1g/crypto/fips/fips.c 2020-05-15 16:19:01.666586709 +0200 +@@ -50,7 +50,6 @@ + #define _GNU_SOURCE + + #include +-#include + #include + #include + #include diff --git a/openssl-kdf-selftest.patch b/openssl-kdf-selftest.patch new file mode 100644 index 0000000..5fdcdf8 --- /dev/null +++ b/openssl-kdf-selftest.patch @@ -0,0 +1,131 @@ +Index: openssl-1.1.1m/crypto/fips/build.info +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/build.info ++++ openssl-1.1.1m/crypto/fips/build.info +@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\ + fips_post.c drbgtest.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ + fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ +- fips_dh_selftest.c fips_ers.c ++ fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c + + PROGRAMS=\ + fips_standalone_hmac +Index: openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +@@ -0,0 +1,64 @@ ++/* ++ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include ++ ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++int FIPS_selftest_pbkdf2(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[32]; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { ++ goto err; ++ } ++ ++ { ++ const unsigned char expected[sizeof(out)] = { ++ 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3, ++ 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0, ++ 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf, ++ 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43 ++ }; ++ if (memcmp(out, expected, sizeof(expected))) { ++ goto err; ++ } ++ } ++ ret = 1; ++ ++err: ++ if (!ret) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_PBKDF2, FIPS_R_SELFTEST_FAILED); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ ++#endif +Index: openssl-1.1.1m/crypto/fips/fips_post.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_post.c ++++ openssl-1.1.1m/crypto/fips/fips_post.c +@@ -104,6 +104,8 @@ int FIPS_selftest(void) + rv = 0; + if (!FIPS_selftest_ecdh()) + rv = 0; ++ if (!FIPS_selftest_pbkdf2()) ++ rv = 0; + return rv; + } + +Index: openssl-1.1.1m/include/crypto/fips_int.h +=================================================================== +--- openssl-1.1.1m.orig/include/crypto/fips_int.h ++++ openssl-1.1.1m/include/crypto/fips_int.h +@@ -76,6 +76,7 @@ void FIPS_drbg_stick(int onoff); + int FIPS_selftest_hmac(void); + int FIPS_selftest_drbg(void); + int FIPS_selftest_cmac(void); ++int FIPS_selftest_pbkdf2(void); + + int fips_in_post(void); + +Index: openssl-1.1.1m/include/openssl/fips.h +=================================================================== +--- openssl-1.1.1m.orig/include/openssl/fips.h ++++ openssl-1.1.1m/include/openssl/fips.h +@@ -124,6 +124,7 @@ extern "C" { + # define FIPS_F_FIPS_SELFTEST_DSA 112 + # define FIPS_F_FIPS_SELFTEST_ECDSA 133 + # define FIPS_F_FIPS_SELFTEST_HMAC 113 ++# define FIPS_F_FIPS_SELFTEST_PBKDF2 152 + # define FIPS_F_FIPS_SELFTEST_SHA1 115 + # define FIPS_F_FIPS_SELFTEST_SHA2 105 + # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 +Index: openssl-1.1.1m/crypto/fips/fips_err.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_err.h ++++ openssl-1.1.1m/crypto/fips/fips_err.h +@@ -111,6 +111,7 @@ static ERR_STRING_DATA FIPS_str_functs[] + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"}, + {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"}, diff --git a/openssl-kdf-ssh-selftest.patch b/openssl-kdf-ssh-selftest.patch new file mode 100644 index 0000000..363e6b3 --- /dev/null +++ b/openssl-kdf-ssh-selftest.patch @@ -0,0 +1,122 @@ +Index: openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_kdf_selftest.c ++++ openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +@@ -101,4 +101,68 @@ err: + return ret; + } + ++int FIPS_selftest_ssh(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[8]; ++ ++ /* Test data from NIST CAVS 14.1 test vectors */ ++ const unsigned char key[] = { ++ 0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a, ++ 0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a, ++ 0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa, ++ 0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78, ++ 0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2, ++ 0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90, ++ 0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80, ++ 0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2, ++ 0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08, ++ 0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43, ++ 0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14, ++ 0x4e ++ }; ++ const unsigned char xcghash[] = { ++ 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23, ++ 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7, ++ 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42 ++ }; ++ const unsigned char sessid[] = { ++ 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23, ++ 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7, ++ 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42 ++ }; ++ const unsigned char expected[sizeof(out)] = { ++ 0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6 ++ }; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF)) == NULL) ++ goto err; ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) ++ goto err; ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key, sizeof(key)) <= 0) ++ goto err; ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, xcghash, ++ sizeof(xcghash)) <= 0) ++ goto err; ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, sessid, ++ sizeof(sessid)) <= 0) ++ goto err; ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, ++ (int)EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV) <= 0) ++ goto err; ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) ++ goto err; ++ if (memcmp(out, expected, sizeof(expected))) ++ goto err; ++ ++ ret = 1; ++ ++ err: ++ if (!ret) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SSH, FIPS_R_SELFTEST_FAILED); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ + #endif +Index: openssl-1.1.1m/crypto/fips/fips_post.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_post.c ++++ openssl-1.1.1m/crypto/fips/fips_post.c +@@ -108,6 +108,8 @@ int FIPS_selftest(void) + rv = 0; + if (!FIPS_selftest_tls()) + rv = 0; ++ if (!FIPS_selftest_ssh()) ++ rv = 0; + + return rv; + } +Index: openssl-1.1.1m/include/crypto/fips_int.h +=================================================================== +--- openssl-1.1.1m.orig/include/crypto/fips_int.h ++++ openssl-1.1.1m/include/crypto/fips_int.h +@@ -78,6 +78,7 @@ int FIPS_selftest_drbg(void); + int FIPS_selftest_cmac(void); + int FIPS_selftest_pbkdf2(void); + int FIPS_selftest_tls(void); ++int FIPS_selftest_ssh(void); + + int fips_in_post(void); + +Index: openssl-1.1.1m/include/openssl/fips.h +=================================================================== +--- openssl-1.1.1m.orig/include/openssl/fips.h ++++ openssl-1.1.1m/include/openssl/fips.h +@@ -126,6 +126,7 @@ extern "C" { + # define FIPS_F_FIPS_SELFTEST_HMAC 113 + # define FIPS_F_FIPS_SELFTEST_PBKDF2 152 + # define FIPS_F_FIPS_SELFTEST_TLS 153 ++# define FIPS_F_FIPS_SELFTEST_SSH 154 + # define FIPS_F_FIPS_SELFTEST_SHA1 115 + # define FIPS_F_FIPS_SELFTEST_SHA2 105 + # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 +Index: openssl-1.1.1m/crypto/fips/fips_err.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_err.h ++++ openssl-1.1.1m/crypto/fips/fips_err.h +@@ -113,6 +113,7 @@ static ERR_STRING_DATA FIPS_str_functs[] + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_TLS), "FIPS_selftest_tls"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SSH), "FIPS_selftest_ssh"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"}, + {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"}, diff --git a/openssl-kdf-tls-selftest.patch b/openssl-kdf-tls-selftest.patch new file mode 100644 index 0000000..9ee4659 --- /dev/null +++ b/openssl-kdf-tls-selftest.patch @@ -0,0 +1,99 @@ +Index: openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_kdf_selftest.c ++++ openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +@@ -61,4 +61,44 @@ err: + return ret; + } + ++int FIPS_selftest_tls(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[16]; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF)) == NULL) ++ goto err; ++ ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) ++ goto err; ++ ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET, ++ "secret", (size_t)6) <= 0) ++ goto err; ++ ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0) ++ goto err; ++ ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) ++ goto err; ++ ++ { ++ const unsigned char expected[sizeof(out)] = { ++ 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0, ++ 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc ++ }; ++ if (memcmp(out, expected, sizeof(expected))) { ++ goto err; ++ } ++ } ++ ret = 1; ++ ++err: ++ if (!ret) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_TLS, FIPS_R_SELFTEST_FAILED); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ + #endif +Index: openssl-1.1.1m/crypto/fips/fips_post.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_post.c ++++ openssl-1.1.1m/crypto/fips/fips_post.c +@@ -106,6 +106,9 @@ int FIPS_selftest(void) + rv = 0; + if (!FIPS_selftest_pbkdf2()) + rv = 0; ++ if (!FIPS_selftest_tls()) ++ rv = 0; ++ + return rv; + } + +Index: openssl-1.1.1m/include/crypto/fips_int.h +=================================================================== +--- openssl-1.1.1m.orig/include/crypto/fips_int.h ++++ openssl-1.1.1m/include/crypto/fips_int.h +@@ -77,6 +77,7 @@ int FIPS_selftest_hmac(void); + int FIPS_selftest_drbg(void); + int FIPS_selftest_cmac(void); + int FIPS_selftest_pbkdf2(void); ++int FIPS_selftest_tls(void); + + int fips_in_post(void); + +Index: openssl-1.1.1m/include/openssl/fips.h +=================================================================== +--- openssl-1.1.1m.orig/include/openssl/fips.h ++++ openssl-1.1.1m/include/openssl/fips.h +@@ -125,6 +125,7 @@ extern "C" { + # define FIPS_F_FIPS_SELFTEST_ECDSA 133 + # define FIPS_F_FIPS_SELFTEST_HMAC 113 + # define FIPS_F_FIPS_SELFTEST_PBKDF2 152 ++# define FIPS_F_FIPS_SELFTEST_TLS 153 + # define FIPS_F_FIPS_SELFTEST_SHA1 115 + # define FIPS_F_FIPS_SELFTEST_SHA2 105 + # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 +Index: openssl-1.1.1m/crypto/fips/fips_err.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_err.h ++++ openssl-1.1.1m/crypto/fips/fips_err.h +@@ -112,6 +112,7 @@ static ERR_STRING_DATA FIPS_str_functs[] + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_TLS), "FIPS_selftest_tls"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"}, + {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"}, diff --git a/openssl-pkgconfig.patch b/openssl-pkgconfig.patch new file mode 100644 index 0000000..862be2c --- /dev/null +++ b/openssl-pkgconfig.patch @@ -0,0 +1,22 @@ +Index: openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl +=================================================================== +--- openssl-1.1.1-pre3.orig/Configurations/unix-Makefile.tmpl 2018-03-20 15:20:03.037124698 +0100 ++++ openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl 2018-03-20 15:21:04.206084731 +0100 +@@ -843,7 +843,7 @@ libcrypto.pc: + echo 'Version: '$(VERSION); \ + echo 'Libs: -L$${libdir} -lcrypto'; \ + echo 'Libs.private: $(LIB_EX_LIBS)'; \ +- echo 'Cflags: -I$${includedir}' ) > libcrypto.pc ++ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libcrypto.pc + + libssl.pc: + @ ( echo 'prefix=$(INSTALLTOP)'; \ +@@ -860,7 +860,7 @@ libssl.pc: + echo 'Version: '$(VERSION); \ + echo 'Requires.private: libcrypto'; \ + echo 'Libs: -L$${libdir} -lssl'; \ +- echo 'Cflags: -I$${includedir}' ) > libssl.pc ++ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libssl.pc + + openssl.pc: + @ ( echo 'prefix=$(INSTALLTOP)'; \ diff --git a/openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch b/openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch new file mode 100644 index 0000000..ecfecb5 --- /dev/null +++ b/openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch @@ -0,0 +1,96 @@ +From 50f8b936b00dc18ce1f622a7a6aa46daf03da48b Mon Sep 17 00:00:00 2001 +From: Rohan McLure +Date: Wed, 16 Aug 2023 16:52:47 +1000 +Subject: [PATCH] powerpc: ecc: Fix stack allocation secp384r1 asm + +Assembly acceleration secp384r1 opts to not use any callee-save VSRs, as +VSX enabled systems make extensive use of renaming, and so writebacks in +felem_{mul,square}() can be reordered for best cache effects. + +Remove stack allocations. This in turn fixes unmatched push/pops in +felem_{mul,square}(). + +Signed-off-by: Rohan McLure + +Reviewed-by: Tomas Mraz +Reviewed-by: Shane Lontis +Reviewed-by: Hugo Landau +(Merged from https://github.com/openssl/openssl/pull/21749) +--- + crypto/ec/asm/ecp_nistp384-ppc64.pl | 49 ----------------------------- + 1 file changed, 49 deletions(-) + +diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl +index 3f86b391af69..28f4168e5218 100755 +--- a/crypto/ec/asm/ecp_nistp384-ppc64.pl ++++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl +@@ -62,51 +62,6 @@ ($) + ___ + } + +- +-sub push_vrs($$) +-{ +- my ($min, $max) = @_; +- +- my $count = $max - $min + 1; +- +- $code.=<<___; +- mr $savesp,$sp +- stdu $sp,-16*`$count+1`($sp) +- +-___ +- for (my $i = $min; $i <= $max; $i++) { +- my $mult = $max - $i + 1; +- $code.=<<___; +- stxv $i,-16*$mult($savesp) +-___ +- +- } +- +- $code.=<<___; +- +-___ +-} +- +-sub pop_vrs($$) +-{ +- my ($min, $max) = @_; +- +- $code.=<<___; +- ld $savesp,0($sp) +-___ +- for (my $i = $min; $i <= $max; $i++) { +- my $mult = $max - $i + 1; +- $code.=<<___; +- lxv $i,-16*$mult($savesp) +-___ +- } +- +- $code.=<<___; +- mr $sp,$savesp +- +-___ +-} +- + sub load_vrs($$) + { + my ($pointer, $reg_list) = @_; +@@ -162,8 +117,6 @@ ($$) + + startproc("p384_felem_mul"); + +- push_vrs(52, 63); +- + $code.=<<___; + vspltisw $vzero,0 + +@@ -268,8 +221,6 @@ ($$) + + startproc("p384_felem_square"); + +- push_vrs(52, 63); +- + $code.=<<___; + vspltisw $vzero,0 + diff --git a/openssl-ppc64-config.patch b/openssl-ppc64-config.patch new file mode 100644 index 0000000..02724c0 --- /dev/null +++ b/openssl-ppc64-config.patch @@ -0,0 +1,18 @@ +Index: openssl-1.1.1-pre3/config +=================================================================== +--- openssl-1.1.1-pre3.orig/config 2018-03-20 15:24:38.037441210 +0100 ++++ openssl-1.1.1-pre3/config 2018-03-20 15:26:20.163043492 +0100 +@@ -552,12 +552,7 @@ case "$GUESSOS" in + OUT="linux-ppc64" + else + OUT="linux-ppc" +- if (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null); then +- :; +- else +- __CNF_CFLAGS="$__CNF_CFLAGS -m32" +- __CNF_CXXFLAGS="$__CNF_CXXFLAGS -m32" +- fi ++ (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null) || OUT="linux-ppc64" + fi + ;; + ppc64le-*-linux2) OUT="linux-ppc64le" ;; diff --git a/openssl-riscv64-config.patch b/openssl-riscv64-config.patch new file mode 100644 index 0000000..c45ef1e --- /dev/null +++ b/openssl-riscv64-config.patch @@ -0,0 +1,12 @@ +Index: openssl-1.1.1p/config +=================================================================== +--- openssl-1.1.1p.orig/config ++++ openssl-1.1.1p/config +@@ -639,6 +639,7 @@ case "$GUESSOS" in + OUT="linux-elf" + fi ;; + *86-*-linux1) OUT="linux-aout" ;; ++ riscv64-*-linux?) OUT="linux64-riscv64" ;; + *-*-linux?) OUT="linux-generic32" ;; + sun4[uv]*-*-solaris2) + OUT="solaris-sparcv9-$CC" diff --git a/openssl-s390x-assembly-pack-accelerate-ECDSA.patch b/openssl-s390x-assembly-pack-accelerate-ECDSA.patch new file mode 100644 index 0000000..767fb39 --- /dev/null +++ b/openssl-s390x-assembly-pack-accelerate-ECDSA.patch @@ -0,0 +1,278 @@ +From 58c35587eacba090414522a6506cb86f2d0e91af Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Thu, 11 Jul 2019 10:38:18 +0200 +Subject: [PATCH 09206/10000] s390x assembly pack: accelerate ECDSA + +for NIST P-256, P-384 and P-521 using KDSA instruction. + +Signed-off-by: Patrick Steuer + +Reviewed-by: Richard Levitte +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/9348) +--- + crypto/ec/ecp_s390x_nistp.c | 202 +++++++++++++++++++++++++++++++++++- + crypto/err/openssl.txt | 2 + + 2 files changed, 200 insertions(+), 4 deletions(-) + +Index: openssl-1.1.1e/crypto/ec/ecp_s390x_nistp.c +=================================================================== +--- openssl-1.1.1e.orig/crypto/ec/ecp_s390x_nistp.c 2020-03-20 13:13:44.618571104 +0100 ++++ openssl-1.1.1e/crypto/ec/ecp_s390x_nistp.c 2020-03-20 13:14:20.398759363 +0100 +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include "ec_local.h" + #include "s390x_arch.h" + +@@ -28,6 +29,15 @@ + #define S390X_OFF_SRC_Y(n) (3 * n) + #define S390X_OFF_SCALAR(n) (4 * n) + ++/* Offsets of fields in KDSA parameter blocks */ ++#define S390X_OFF_R(n) (0 * n) ++#define S390X_OFF_S(n) (1 * n) ++#define S390X_OFF_H(n) (2 * n) ++#define S390X_OFF_K(n) (3 * n) ++#define S390X_OFF_X(n) (3 * n) ++#define S390X_OFF_RN(n) (4 * n) ++#define S390X_OFF_Y(n) (4 * n) ++ + static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *scalar, + size_t num, const EC_POINT *points[], +@@ -106,6 +116,163 @@ ret: + return rc; + } + ++static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst, ++ int dgstlen, ++ const BIGNUM *kinv, ++ const BIGNUM *r, ++ EC_KEY *eckey, ++ unsigned int fc, int len) ++{ ++ unsigned char param[S390X_SIZE_PARAM]; ++ int ok = 0; ++ BIGNUM *k; ++ ECDSA_SIG *sig; ++ const EC_GROUP *group; ++ const BIGNUM *privkey; ++ int off; ++ ++ group = EC_KEY_get0_group(eckey); ++ privkey = EC_KEY_get0_private_key(eckey); ++ if (group == NULL || privkey == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, EC_R_MISSING_PARAMETERS); ++ return NULL; ++ } ++ ++ if (!EC_KEY_can_sign(eckey)) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ++ EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); ++ return NULL; ++ } ++ ++ k = BN_secure_new(); ++ sig = ECDSA_SIG_new(); ++ if (k == NULL || sig == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_MALLOC_FAILURE); ++ goto ret; ++ } ++ ++ sig->r = BN_new(); ++ sig->s = BN_new(); ++ if (sig->r == NULL || sig->s == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_MALLOC_FAILURE); ++ goto ret; ++ } ++ ++ memset(param, 0, sizeof(param)); ++ off = len - (dgstlen > len ? len : dgstlen); ++ memcpy(param + S390X_OFF_H(len) + off, dgst, len - off); ++ ++ if (BN_bn2binpad(privkey, param + S390X_OFF_K(len), len) == -1) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB); ++ goto ret; ++ } ++ ++ if (r == NULL || kinv == NULL) { ++ /* ++ * Generate random k and copy to param param block. RAND_priv_bytes ++ * is used instead of BN_priv_rand_range or BN_generate_dsa_nonce ++ * because kdsa instruction constructs an in-range, invertible nonce ++ * internally implementing counter-measures for RNG weakness. ++ */ ++ if (RAND_priv_bytes(param + S390X_OFF_RN(len), len) != 1) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ++ EC_R_RANDOM_NUMBER_GENERATION_FAILED); ++ goto ret; ++ } ++ } else { ++ /* Reconstruct k = (k^-1)^-1. */ ++ if (ec_group_do_inverse_ord(group, k, kinv, NULL) == 0 ++ || BN_bn2binpad(k, param + S390X_OFF_RN(len), len) == -1) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB); ++ goto ret; ++ } ++ /* Turns KDSA internal nonce-generation off. */ ++ fc |= S390X_KDSA_D; ++ } ++ ++ if (s390x_kdsa(fc, param, NULL, 0) != 0) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_ECDSA_LIB); ++ goto ret; ++ } ++ ++ if (BN_bin2bn(param + S390X_OFF_R(len), len, sig->r) == NULL ++ || BN_bin2bn(param + S390X_OFF_S(len), len, sig->s) == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB); ++ goto ret; ++ } ++ ++ ok = 1; ++ret: ++ OPENSSL_cleanse(param, sizeof(param)); ++ if (ok != 1) { ++ ECDSA_SIG_free(sig); ++ sig = NULL; ++ } ++ BN_clear_free(k); ++ return sig; ++} ++ ++static int ecdsa_s390x_nistp_verify_sig(const unsigned char *dgst, int dgstlen, ++ const ECDSA_SIG *sig, EC_KEY *eckey, ++ unsigned int fc, int len) ++{ ++ unsigned char param[S390X_SIZE_PARAM]; ++ int rc = -1; ++ BN_CTX *ctx; ++ BIGNUM *x, *y; ++ const EC_GROUP *group; ++ const EC_POINT *pubkey; ++ int off; ++ ++ group = EC_KEY_get0_group(eckey); ++ pubkey = EC_KEY_get0_public_key(eckey); ++ if (eckey == NULL || group == NULL || pubkey == NULL || sig == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, EC_R_MISSING_PARAMETERS); ++ return -1; ++ } ++ ++ if (!EC_KEY_can_sign(eckey)) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ++ EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING); ++ return -1; ++ } ++ ++ ctx = BN_CTX_new(); ++ if (ctx == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_MALLOC_FAILURE); ++ return -1; ++ } ++ ++ BN_CTX_start(ctx); ++ ++ x = BN_CTX_get(ctx); ++ y = BN_CTX_get(ctx); ++ if (x == NULL || y == NULL) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_MALLOC_FAILURE); ++ goto ret; ++ } ++ ++ memset(param, 0, sizeof(param)); ++ off = len - (dgstlen > len ? len : dgstlen); ++ memcpy(param + S390X_OFF_H(len) + off, dgst, len - off); ++ ++ if (group->meth->point_get_affine_coordinates(group, pubkey, ++ x, y, ctx) != 1 ++ || BN_bn2binpad(sig->r, param + S390X_OFF_R(len), len) == -1 ++ || BN_bn2binpad(sig->s, param + S390X_OFF_S(len), len) == -1 ++ || BN_bn2binpad(x, param + S390X_OFF_X(len), len) == -1 ++ || BN_bn2binpad(y, param + S390X_OFF_Y(len), len) == -1) { ++ ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_BN_LIB); ++ goto ret; ++ } ++ ++ rc = s390x_kdsa(fc, param, NULL, 0) == 0 ? 1 : 0; ++ret: ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ return rc; ++} ++ + #define EC_GFP_S390X_NISTP_METHOD(bits) \ + \ + static int ec_GFp_s390x_nistp##bits##_mul(const EC_GROUP *group, \ +@@ -122,6 +289,29 @@ static int ec_GFp_s390x_nistp##bits##_mu + S390X_SIZE_P##bits); \ + } \ + \ ++static ECDSA_SIG *ecdsa_s390x_nistp##bits##_sign_sig(const unsigned \ ++ char *dgst, \ ++ int dgstlen, \ ++ const BIGNUM *kinv,\ ++ const BIGNUM *r, \ ++ EC_KEY *eckey) \ ++{ \ ++ return ecdsa_s390x_nistp_sign_sig(dgst, dgstlen, kinv, r, eckey, \ ++ S390X_ECDSA_SIGN_P##bits, \ ++ S390X_SIZE_P##bits); \ ++} \ ++ \ ++static int ecdsa_s390x_nistp##bits##_verify_sig(const \ ++ unsigned char *dgst, \ ++ int dgstlen, \ ++ const ECDSA_SIG *sig, \ ++ EC_KEY *eckey) \ ++{ \ ++ return ecdsa_s390x_nistp_verify_sig(dgst, dgstlen, sig, eckey, \ ++ S390X_ECDSA_VERIFY_P##bits, \ ++ S390X_SIZE_P##bits); \ ++} \ ++ \ + const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void) \ + { \ + static const EC_METHOD EC_GFp_s390x_nistp##bits##_meth = { \ +@@ -176,8 +366,8 @@ const EC_METHOD *EC_GFp_s390x_nistp##bit + NULL, /* keyfinish */ \ + ecdh_simple_compute_key, \ + ecdsa_simple_sign_setup, \ +- ecdsa_simple_sign_sig, \ +- ecdsa_simple_verify_sig, \ ++ ecdsa_s390x_nistp##bits##_sign_sig, \ ++ ecdsa_s390x_nistp##bits##_verify_sig, \ + NULL, /* field_inverse_mod_ord */ \ + ec_GFp_simple_blind_coordinates, \ + ec_GFp_simple_ladder_pre, \ +@@ -186,8 +376,12 @@ const EC_METHOD *EC_GFp_s390x_nistp##bit + }; \ + static const EC_METHOD *ret; \ + \ +- if (OPENSSL_s390xcap_P.pcc[1] \ +- & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P##bits)) \ ++ if ((OPENSSL_s390xcap_P.pcc[1] \ ++ & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P##bits)) \ ++ && (OPENSSL_s390xcap_P.kdsa[0] \ ++ & S390X_CAPBIT(S390X_ECDSA_VERIFY_P##bits)) \ ++ && (OPENSSL_s390xcap_P.kdsa[0] \ ++ & S390X_CAPBIT(S390X_ECDSA_SIGN_P##bits))) \ + ret = &EC_GFp_s390x_nistp##bits##_meth; \ + else \ + ret = EC_GFp_mont_method(); \ +Index: openssl-1.1.1e/crypto/err/openssl.txt +=================================================================== +--- openssl-1.1.1e.orig/crypto/err/openssl.txt 2020-03-20 13:13:44.618571104 +0100 ++++ openssl-1.1.1e/crypto/err/openssl.txt 2020-03-20 13:14:02.446664907 +0100 +@@ -499,6 +499,8 @@ EC_F_ECDSA_VERIFY:253:ECDSA_verify + EC_F_ECDSA_SIMPLE_SIGN_SETUP:310:ecdsa_simple_sign_setup + EC_F_ECDSA_SIMPLE_SIGN_SIG:311:ecdsa_simple_sign_sig + EC_F_ECDSA_SIMPLE_VERIFY_SIG:312:ecdsa_simple_verify_sig ++EC_F_ECDSA_S390X_NISTP_SIGN_SIG:313:ecdsa_s390x_nistp_sign_sig ++EC_F_ECDSA_S390X_NISTP_VERIFY_SIG:314:ecdsa_s390x_nistp_verify_sig + EC_F_ECD_ITEM_VERIFY:270:ecd_item_verify + EC_F_ECKEY_PARAM2TYPE:223:eckey_param2type + EC_F_ECKEY_PARAM_DECODE:212:eckey_param_decode diff --git a/openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch b/openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch new file mode 100644 index 0000000..f3c0dd7 --- /dev/null +++ b/openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch @@ -0,0 +1,1467 @@ +From 19bd1fa1ef17ff0ac071402cb6b002f1c29e37b9 Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Thu, 19 Sep 2019 15:31:27 +0200 +Subject: [PATCH] s390x assembly pack: accelerate X25519, X448, Ed25519 and + Ed448 + +using PCC and KDSA instructions. + +Signed-off-by: Patrick Steuer + +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/10004) +--- + CHANGES | 4 + + crypto/dh/dh_pmeth.c | 14 +- + crypto/dsa/dsa_pmeth.c | 7 +- + crypto/ec/build.info | 2 +- + crypto/ec/ec_curve.c | 12 +- + crypto/ec/ec_local.h | 2 +- + crypto/ec/ec_pmeth.c | 7 +- + crypto/ec/ecx_meth.c | 672 +++++++++++++++++++++++++++++- + crypto/err/openssl.txt | 6 + + crypto/evp/pkey_kdf.c | 20 +- + crypto/evp/pkey_mac.c | 28 +- + crypto/evp/pmeth_lib.c | 65 +-- + crypto/include/internal/evp_int.h | 37 +- + crypto/rsa/rsa_pmeth.c | 14 +- + crypto/s390x_arch.h | 11 + + crypto/s390xcap.c | 12 +- + crypto/s390xcpuid.pl | 56 +++ + crypto/sm2/sm2_pmeth.c | 7 +- + doc/man3/OPENSSL_s390xcap.pod | 8 + + include/openssl/ecerr.h | 6 + + 20 files changed, 914 insertions(+), 76 deletions(-) + +Index: openssl-1.1.1d/crypto/dh/dh_pmeth.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/dh/dh_pmeth.c ++++ openssl-1.1.1d/crypto/dh/dh_pmeth.c +@@ -478,7 +478,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX * + return 0; + } + +-const EVP_PKEY_METHOD dh_pkey_meth = { ++static const EVP_PKEY_METHOD dh_pkey_meth = { + EVP_PKEY_DH, + EVP_PKEY_FLAG_FIPS, + pkey_dh_init, +@@ -512,7 +512,12 @@ const EVP_PKEY_METHOD dh_pkey_meth = { + pkey_dh_ctrl_str + }; + +-const EVP_PKEY_METHOD dhx_pkey_meth = { ++const EVP_PKEY_METHOD *dh_pkey_method(void) ++{ ++ return &dh_pkey_meth; ++} ++ ++static const EVP_PKEY_METHOD dhx_pkey_meth = { + EVP_PKEY_DHX, + EVP_PKEY_FLAG_FIPS, + pkey_dh_init, +@@ -545,3 +550,8 @@ const EVP_PKEY_METHOD dhx_pkey_meth = { + pkey_dh_ctrl, + pkey_dh_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *dhx_pkey_method(void) ++{ ++ return &dhx_pkey_meth; ++} +Index: openssl-1.1.1d/crypto/dsa/dsa_pmeth.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/dsa/dsa_pmeth.c ++++ openssl-1.1.1d/crypto/dsa/dsa_pmeth.c +@@ -243,7 +243,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX + return DSA_generate_key(pkey->pkey.dsa); + } + +-const EVP_PKEY_METHOD dsa_pkey_meth = { ++static const EVP_PKEY_METHOD dsa_pkey_meth = { + EVP_PKEY_DSA, + EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS, + pkey_dsa_init, +@@ -275,3 +275,8 @@ const EVP_PKEY_METHOD dsa_pkey_meth = { + pkey_dsa_ctrl, + pkey_dsa_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *dsa_pkey_method(void) ++{ ++ return &dsa_pkey_meth; ++} +Index: openssl-1.1.1d/crypto/ec/ec_curve.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/ec/ec_curve.c ++++ openssl-1.1.1d/crypto/ec/ec_curve.c +@@ -2830,7 +2830,7 @@ static const ec_list_element curve_list[ + "SECG curve over a 256 bit prime field"}, + /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ + {NID_secp384r1, &_EC_NIST_PRIME_384.h, +-# if defined(S390X_NISTP_ASM) ++# if defined(S390X_EC_ASM) + EC_GFp_s390x_nistp384_method, + # else + 0, +@@ -2838,7 +2838,7 @@ static const ec_list_element curve_list[ + "NIST/SECG curve over a 384 bit prime field"}, + + {NID_secp521r1, &_EC_NIST_PRIME_521.h, +-# if defined(S390X_NISTP_ASM) ++# if defined(S390X_EC_ASM) + EC_GFp_s390x_nistp521_method, + # elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) + EC_GFp_nistp521_method, +@@ -2863,7 +2863,7 @@ static const ec_list_element curve_list[ + {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, + #if defined(ECP_NISTZ256_ASM) + EC_GFp_nistz256_method, +-# elif defined(S390X_NISTP_ASM) ++# elif defined(S390X_EC_ASM) + EC_GFp_s390x_nistp256_method, + #elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) + EC_GFp_nistp256_method, +Index: openssl-1.1.1d/crypto/ec/ec_local.h +=================================================================== +--- openssl-1.1.1d.orig/crypto/ec/ec_local.h ++++ openssl-1.1.1d/crypto/ec/ec_local.h +@@ -595,7 +595,7 @@ int ec_group_simple_order_bits(const EC_ + */ + const EC_METHOD *EC_GFp_nistz256_method(void); + #endif +-#ifdef S390X_NISTP_ASM ++#ifdef S390X_EC_ASM + const EC_METHOD *EC_GFp_s390x_nistp256_method(void); + const EC_METHOD *EC_GFp_s390x_nistp384_method(void); + const EC_METHOD *EC_GFp_s390x_nistp521_method(void); +Index: openssl-1.1.1d/crypto/ec/ec_pmeth.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/ec/ec_pmeth.c ++++ openssl-1.1.1d/crypto/ec/ec_pmeth.c +@@ -436,7 +436,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * + return ret ? EC_KEY_generate_key(ec) : 0; + } + +-const EVP_PKEY_METHOD ec_pkey_meth = { ++static const EVP_PKEY_METHOD ec_pkey_meth = { + EVP_PKEY_EC, + EVP_PKEY_FLAG_FIPS, + pkey_ec_init, +@@ -474,3 +474,8 @@ const EVP_PKEY_METHOD ec_pkey_meth = { + pkey_ec_ctrl, + pkey_ec_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *ec_pkey_method(void) ++{ ++ return &ec_pkey_meth; ++} +Index: openssl-1.1.1d/crypto/ec/ecx_meth.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/ec/ecx_meth.c ++++ openssl-1.1.1d/crypto/ec/ecx_meth.c +@@ -715,7 +715,7 @@ static int pkey_ecx_ctrl(EVP_PKEY_CTX *c + return -2; + } + +-const EVP_PKEY_METHOD ecx25519_pkey_meth = { ++static const EVP_PKEY_METHOD ecx25519_pkey_meth = { + EVP_PKEY_X25519, + 0, 0, 0, 0, 0, 0, 0, + pkey_ecx_keygen, +@@ -725,7 +725,7 @@ const EVP_PKEY_METHOD ecx25519_pkey_meth + 0 + }; + +-const EVP_PKEY_METHOD ecx448_pkey_meth = { ++static const EVP_PKEY_METHOD ecx448_pkey_meth = { + EVP_PKEY_X448, + 0, 0, 0, 0, 0, 0, 0, + pkey_ecx_keygen, +@@ -818,7 +818,7 @@ static int pkey_ecd_ctrl(EVP_PKEY_CTX *c + return -2; + } + +-const EVP_PKEY_METHOD ed25519_pkey_meth = { ++static const EVP_PKEY_METHOD ed25519_pkey_meth = { + EVP_PKEY_ED25519, EVP_PKEY_FLAG_SIGCTX_CUSTOM, + 0, 0, 0, 0, 0, 0, + pkey_ecx_keygen, +@@ -829,7 +829,7 @@ const EVP_PKEY_METHOD ed25519_pkey_meth + pkey_ecd_digestverify25519 + }; + +-const EVP_PKEY_METHOD ed448_pkey_meth = { ++static const EVP_PKEY_METHOD ed448_pkey_meth = { + EVP_PKEY_ED448, EVP_PKEY_FLAG_SIGCTX_CUSTOM, + 0, 0, 0, 0, 0, 0, + pkey_ecx_keygen, +@@ -839,3 +839,667 @@ const EVP_PKEY_METHOD ed448_pkey_meth = + pkey_ecd_digestsign448, + pkey_ecd_digestverify448 + }; ++ ++#ifdef S390X_EC_ASM ++# include "s390x_arch.h" ++ ++static void s390x_x25519_mod_p(unsigned char u[32]) ++{ ++ unsigned char u_red[32]; ++ unsigned int c = 0; ++ int i; ++ ++ memcpy(u_red, u, sizeof(u_red)); ++ ++ c += (unsigned int)u_red[31] + 19; ++ u_red[31] = (unsigned char)c; ++ c >>= 8; ++ ++ for (i = 30; c > 0 && i >= 0; i--) { ++ c += (unsigned int)u_red[i]; ++ u_red[i] = (unsigned char)c; ++ c >>= 8; ++ } ++ ++ if (u_red[0] & 0x80) { ++ u_red[0] &= 0x7f; ++ memcpy(u, u_red, sizeof(u_red)); ++ } ++} ++ ++static void s390x_x448_mod_p(unsigned char u[56]) ++{ ++ unsigned char u_red[56]; ++ unsigned int c = 0; ++ int i; ++ ++ memcpy(u_red, u, sizeof(u_red)); ++ ++ c += (unsigned int)u_red[55] + 1; ++ u_red[55] = (unsigned char)c; ++ c >>= 8; ++ ++ for (i = 54; i >= 28; i--) { ++ c += (unsigned int)u_red[i]; ++ u_red[i] = (unsigned char)c; ++ c >>= 8; ++ } ++ ++ c += (unsigned int)u_red[27] + 1; ++ u_red[27] = (unsigned char)c; ++ c >>= 8; ++ ++ for (i = 26; c > 0 && i >= 0; i--) { ++ c += (unsigned int)u_red[i]; ++ u_red[i] = (unsigned char)c; ++ c >>= 8; ++ } ++ ++ if (u_red[0] & 0x80) { ++ u_red[0] &= 0x7f; ++ memcpy(u, u_red, sizeof(u_red)); ++ } ++} ++ ++static int s390x_x25519_mul(unsigned char u_dst[32], ++ const unsigned char u_src[32], ++ const unsigned char d_src[32]) ++{ ++ union { ++ struct { ++ unsigned char u_dst[32]; ++ unsigned char u_src[32]; ++ unsigned char d_src[32]; ++ } x25519; ++ unsigned long long buff[512]; ++ } param; ++ int rc; ++ ++ memset(¶m, 0, sizeof(param)); ++ ++ s390x_flip_endian32(param.x25519.u_src, u_src); ++ param.x25519.u_src[0] &= 0x7f; ++ s390x_x25519_mod_p(param.x25519.u_src); ++ ++ s390x_flip_endian32(param.x25519.d_src, d_src); ++ param.x25519.d_src[31] &= 248; ++ param.x25519.d_src[0] &= 127; ++ param.x25519.d_src[0] |= 64; ++ ++ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_X25519, ¶m.x25519) ? 0 : 1; ++ if (rc == 1) ++ s390x_flip_endian32(u_dst, param.x25519.u_dst); ++ ++ OPENSSL_cleanse(param.x25519.d_src, sizeof(param.x25519.d_src)); ++ return rc; ++} ++ ++static int s390x_x448_mul(unsigned char u_dst[56], ++ const unsigned char u_src[56], ++ const unsigned char d_src[56]) ++{ ++ union { ++ struct { ++ unsigned char u_dst[64]; ++ unsigned char u_src[64]; ++ unsigned char d_src[64]; ++ } x448; ++ unsigned long long buff[512]; ++ } param; ++ int rc; ++ ++ memset(¶m, 0, sizeof(param)); ++ ++ memcpy(param.x448.u_src, u_src, 56); ++ memcpy(param.x448.d_src, d_src, 56); ++ ++ s390x_flip_endian64(param.x448.u_src, param.x448.u_src); ++ s390x_x448_mod_p(param.x448.u_src); ++ ++ s390x_flip_endian64(param.x448.d_src, param.x448.d_src); ++ param.x448.d_src[63] &= 252; ++ param.x448.d_src[8] |= 128; ++ ++ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_X448, ¶m.x448) ? 0 : 1; ++ if (rc == 1) { ++ s390x_flip_endian64(param.x448.u_dst, param.x448.u_dst); ++ memcpy(u_dst, param.x448.u_dst, 56); ++ } ++ ++ OPENSSL_cleanse(param.x448.d_src, sizeof(param.x448.d_src)); ++ return rc; ++} ++ ++static int s390x_ed25519_mul(unsigned char x_dst[32], ++ unsigned char y_dst[32], ++ const unsigned char x_src[32], ++ const unsigned char y_src[32], ++ const unsigned char d_src[32]) ++{ ++ union { ++ struct { ++ unsigned char x_dst[32]; ++ unsigned char y_dst[32]; ++ unsigned char x_src[32]; ++ unsigned char y_src[32]; ++ unsigned char d_src[32]; ++ } ed25519; ++ unsigned long long buff[512]; ++ } param; ++ int rc; ++ ++ memset(¶m, 0, sizeof(param)); ++ ++ s390x_flip_endian32(param.ed25519.x_src, x_src); ++ s390x_flip_endian32(param.ed25519.y_src, y_src); ++ s390x_flip_endian32(param.ed25519.d_src, d_src); ++ ++ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_ED25519, ¶m.ed25519) ? 0 : 1; ++ if (rc == 1) { ++ s390x_flip_endian32(x_dst, param.ed25519.x_dst); ++ s390x_flip_endian32(y_dst, param.ed25519.y_dst); ++ } ++ ++ OPENSSL_cleanse(param.ed25519.d_src, sizeof(param.ed25519.d_src)); ++ return rc; ++} ++ ++static int s390x_ed448_mul(unsigned char x_dst[57], ++ unsigned char y_dst[57], ++ const unsigned char x_src[57], ++ const unsigned char y_src[57], ++ const unsigned char d_src[57]) ++{ ++ union { ++ struct { ++ unsigned char x_dst[64]; ++ unsigned char y_dst[64]; ++ unsigned char x_src[64]; ++ unsigned char y_src[64]; ++ unsigned char d_src[64]; ++ } ed448; ++ unsigned long long buff[512]; ++ } param; ++ int rc; ++ ++ memset(¶m, 0, sizeof(param)); ++ ++ memcpy(param.ed448.x_src, x_src, 57); ++ memcpy(param.ed448.y_src, y_src, 57); ++ memcpy(param.ed448.d_src, d_src, 57); ++ s390x_flip_endian64(param.ed448.x_src, param.ed448.x_src); ++ s390x_flip_endian64(param.ed448.y_src, param.ed448.y_src); ++ s390x_flip_endian64(param.ed448.d_src, param.ed448.d_src); ++ ++ rc = s390x_pcc(S390X_SCALAR_MULTIPLY_ED448, ¶m.ed448) ? 0 : 1; ++ if (rc == 1) { ++ s390x_flip_endian64(param.ed448.x_dst, param.ed448.x_dst); ++ s390x_flip_endian64(param.ed448.y_dst, param.ed448.y_dst); ++ memcpy(x_dst, param.ed448.x_dst, 57); ++ memcpy(y_dst, param.ed448.y_dst, 57); ++ } ++ ++ OPENSSL_cleanse(param.ed448.d_src, sizeof(param.ed448.d_src)); ++ return rc; ++} ++ ++static int s390x_pkey_ecx_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) ++{ ++ static const unsigned char generator[] = { ++ 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ++ }; ++ ECX_KEY *key; ++ unsigned char *privkey = NULL, *pubkey; ++ ++ key = OPENSSL_zalloc(sizeof(*key)); ++ if (key == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN25519, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ pubkey = key->pubkey; ++ ++ privkey = key->privkey = OPENSSL_secure_malloc(X25519_KEYLEN); ++ if (privkey == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN25519, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ if (RAND_priv_bytes(privkey, X25519_KEYLEN) <= 0) ++ goto err; ++ ++ privkey[0] &= 248; ++ privkey[31] &= 127; ++ privkey[31] |= 64; ++ ++ if (s390x_x25519_mul(pubkey, generator, privkey) != 1) ++ goto err; ++ ++ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key); ++ return 1; ++ err: ++ OPENSSL_secure_clear_free(privkey, X25519_KEYLEN); ++ key->privkey = NULL; ++ OPENSSL_free(key); ++ return 0; ++} ++ ++static int s390x_pkey_ecx_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) ++{ ++ static const unsigned char generator[] = { ++ 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ++ }; ++ ECX_KEY *key; ++ unsigned char *privkey = NULL, *pubkey; ++ ++ key = OPENSSL_zalloc(sizeof(*key)); ++ if (key == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN448, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ pubkey = key->pubkey; ++ ++ privkey = key->privkey = OPENSSL_secure_malloc(X448_KEYLEN); ++ if (privkey == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECX_KEYGEN448, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ if (RAND_priv_bytes(privkey, X448_KEYLEN) <= 0) ++ goto err; ++ ++ privkey[0] &= 252; ++ privkey[55] |= 128; ++ ++ if (s390x_x448_mul(pubkey, generator, privkey) != 1) ++ goto err; ++ ++ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key); ++ return 1; ++ err: ++ OPENSSL_secure_clear_free(privkey, X448_KEYLEN); ++ key->privkey = NULL; ++ OPENSSL_free(key); ++ return 0; ++} ++ ++static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) ++{ ++ static const unsigned char generator_x[] = { ++ 0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95, ++ 0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0, ++ 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21 ++ }; ++ static const unsigned char generator_y[] = { ++ 0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, ++ 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, ++ 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, ++ }; ++ unsigned char x_dst[32], buff[SHA512_DIGEST_LENGTH]; ++ ECX_KEY *key; ++ unsigned char *privkey = NULL, *pubkey; ++ ++ key = OPENSSL_zalloc(sizeof(*key)); ++ if (key == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN25519, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ pubkey = key->pubkey; ++ ++ privkey = key->privkey = OPENSSL_secure_malloc(ED25519_KEYLEN); ++ if (privkey == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN25519, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ if (RAND_priv_bytes(privkey, ED25519_KEYLEN) <= 0) ++ goto err; ++ ++ SHA512(privkey, 32, buff); ++ buff[0] &= 248; ++ buff[31] &= 63; ++ buff[31] |= 64; ++ ++ if (s390x_ed25519_mul(x_dst, pubkey, ++ generator_x, generator_y, buff) != 1) ++ goto err; ++ ++ pubkey[31] |= ((x_dst[0] & 0x01) << 7); ++ ++ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key); ++ return 1; ++ err: ++ OPENSSL_secure_clear_free(privkey, ED25519_KEYLEN); ++ key->privkey = NULL; ++ OPENSSL_free(key); ++ return 0; ++} ++ ++static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) ++{ ++ static const unsigned char generator_x[] = { ++ 0x5e, 0xc0, 0x0c, 0xc7, 0x2b, 0xa8, 0x26, 0x26, 0x8e, 0x93, 0x00, 0x8b, ++ 0xe1, 0x80, 0x3b, 0x43, 0x11, 0x65, 0xb6, 0x2a, 0xf7, 0x1a, 0xae, 0x12, ++ 0x64, 0xa4, 0xd3, 0xa3, 0x24, 0xe3, 0x6d, 0xea, 0x67, 0x17, 0x0f, 0x47, ++ 0x70, 0x65, 0x14, 0x9e, 0xda, 0x36, 0xbf, 0x22, 0xa6, 0x15, 0x1d, 0x22, ++ 0xed, 0x0d, 0xed, 0x6b, 0xc6, 0x70, 0x19, 0x4f, 0x00 ++ }; ++ static const unsigned char generator_y[] = { ++ 0x14, 0xfa, 0x30, 0xf2, 0x5b, 0x79, 0x08, 0x98, 0xad, 0xc8, 0xd7, 0x4e, ++ 0x2c, 0x13, 0xbd, 0xfd, 0xc4, 0x39, 0x7c, 0xe6, 0x1c, 0xff, 0xd3, 0x3a, ++ 0xd7, 0xc2, 0xa0, 0x05, 0x1e, 0x9c, 0x78, 0x87, 0x40, 0x98, 0xa3, 0x6c, ++ 0x73, 0x73, 0xea, 0x4b, 0x62, 0xc7, 0xc9, 0x56, 0x37, 0x20, 0x76, 0x88, ++ 0x24, 0xbc, 0xb6, 0x6e, 0x71, 0x46, 0x3f, 0x69, 0x00 ++ }; ++ unsigned char x_dst[57], buff[114]; ++ ECX_KEY *key; ++ unsigned char *privkey = NULL, *pubkey; ++ EVP_MD_CTX *hashctx = NULL; ++ ++ key = OPENSSL_zalloc(sizeof(*key)); ++ if (key == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN448, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ pubkey = key->pubkey; ++ ++ privkey = key->privkey = OPENSSL_secure_malloc(ED448_KEYLEN); ++ if (privkey == NULL) { ++ ECerr(EC_F_S390X_PKEY_ECD_KEYGEN448, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ if (RAND_priv_bytes(privkey, ED448_KEYLEN) <= 0) ++ goto err; ++ ++ hashctx = EVP_MD_CTX_new(); ++ if (hashctx == NULL) ++ goto err; ++ if (EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) != 1) ++ goto err; ++ if (EVP_DigestUpdate(hashctx, privkey, 57) != 1) ++ goto err; ++ if (EVP_DigestFinalXOF(hashctx, buff, sizeof(buff)) != 1) ++ goto err; ++ ++ buff[0] &= -4; ++ buff[55] |= 0x80; ++ buff[56] = 0; ++ ++ if (s390x_ed448_mul(x_dst, pubkey, ++ generator_x, generator_y, buff) != 1) ++ goto err; ++ ++ pubkey[56] |= ((x_dst[0] & 0x01) << 7); ++ ++ EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key); ++ EVP_MD_CTX_free(hashctx); ++ return 1; ++ err: ++ OPENSSL_secure_clear_free(privkey, ED448_KEYLEN); ++ key->privkey = NULL; ++ OPENSSL_free(key); ++ EVP_MD_CTX_free(hashctx); ++ return 0; ++} ++ ++static int s390x_pkey_ecx_derive25519(EVP_PKEY_CTX *ctx, unsigned char *key, ++ size_t *keylen) ++{ ++ const unsigned char *privkey, *pubkey; ++ ++ if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey)) ++ return 0; ++ ++ if (key != NULL) ++ return s390x_x25519_mul(key, pubkey, privkey); ++ ++ *keylen = X25519_KEYLEN; ++ return 1; ++} ++ ++static int s390x_pkey_ecx_derive448(EVP_PKEY_CTX *ctx, unsigned char *key, ++ size_t *keylen) ++{ ++ const unsigned char *privkey, *pubkey; ++ ++ if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey)) ++ return 0; ++ ++ if (key != NULL) ++ return s390x_x448_mul(key, pubkey, privkey); ++ ++ *keylen = X448_KEYLEN; ++ return 1; ++} ++ ++static int s390x_pkey_ecd_digestsign25519(EVP_MD_CTX *ctx, ++ unsigned char *sig, size_t *siglen, ++ const unsigned char *tbs, ++ size_t tbslen) ++{ ++ union { ++ struct { ++ unsigned char sig[64]; ++ unsigned char priv[32]; ++ } ed25519; ++ unsigned long long buff[512]; ++ } param; ++ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; ++ int rc; ++ ++ if (sig == NULL) { ++ *siglen = ED25519_SIGSIZE; ++ return 1; ++ } ++ ++ if (*siglen < ED25519_SIGSIZE) { ++ ECerr(EC_F_S390X_PKEY_ECD_DIGESTSIGN25519, EC_R_BUFFER_TOO_SMALL); ++ return 0; ++ } ++ ++ memset(¶m, 0, sizeof(param)); ++ memcpy(param.ed25519.priv, edkey->privkey, sizeof(param.ed25519.priv)); ++ ++ rc = s390x_kdsa(S390X_EDDSA_SIGN_ED25519, ¶m.ed25519, tbs, tbslen); ++ OPENSSL_cleanse(param.ed25519.priv, sizeof(param.ed25519.priv)); ++ if (rc != 0) ++ return 0; ++ ++ s390x_flip_endian32(sig, param.ed25519.sig); ++ s390x_flip_endian32(sig + 32, param.ed25519.sig + 32); ++ ++ *siglen = ED25519_SIGSIZE; ++ return 1; ++} ++ ++static int s390x_pkey_ecd_digestsign448(EVP_MD_CTX *ctx, ++ unsigned char *sig, size_t *siglen, ++ const unsigned char *tbs, ++ size_t tbslen) ++{ ++ union { ++ struct { ++ unsigned char sig[128]; ++ unsigned char priv[64]; ++ } ed448; ++ unsigned long long buff[512]; ++ } param; ++ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; ++ int rc; ++ ++ if (sig == NULL) { ++ *siglen = ED448_SIGSIZE; ++ return 1; ++ } ++ ++ if (*siglen < ED448_SIGSIZE) { ++ ECerr(EC_F_S390X_PKEY_ECD_DIGESTSIGN448, EC_R_BUFFER_TOO_SMALL); ++ return 0; ++ } ++ ++ memset(¶m, 0, sizeof(param)); ++ memcpy(param.ed448.priv + 64 - 57, edkey->privkey, 57); ++ ++ rc = s390x_kdsa(S390X_EDDSA_SIGN_ED448, ¶m.ed448, tbs, tbslen); ++ OPENSSL_cleanse(param.ed448.priv, sizeof(param.ed448.priv)); ++ if (rc != 0) ++ return 0; ++ ++ s390x_flip_endian64(param.ed448.sig, param.ed448.sig); ++ s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64); ++ memcpy(sig, param.ed448.sig, 57); ++ memcpy(sig + 57, param.ed448.sig + 64, 57); ++ ++ *siglen = ED448_SIGSIZE; ++ return 1; ++} ++ ++static int s390x_pkey_ecd_digestverify25519(EVP_MD_CTX *ctx, ++ const unsigned char *sig, ++ size_t siglen, ++ const unsigned char *tbs, ++ size_t tbslen) ++{ ++ union { ++ struct { ++ unsigned char sig[64]; ++ unsigned char pub[32]; ++ } ed25519; ++ unsigned long long buff[512]; ++ } param; ++ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; ++ ++ if (siglen != ED25519_SIGSIZE) ++ return 0; ++ ++ memset(¶m, 0, sizeof(param)); ++ s390x_flip_endian32(param.ed25519.sig, sig); ++ s390x_flip_endian32(param.ed25519.sig + 32, sig + 32); ++ s390x_flip_endian32(param.ed25519.pub, edkey->pubkey); ++ ++ return s390x_kdsa(S390X_EDDSA_VERIFY_ED25519, ++ ¶m.ed25519, tbs, tbslen) == 0 ? 1 : 0; ++} ++ ++static int s390x_pkey_ecd_digestverify448(EVP_MD_CTX *ctx, ++ const unsigned char *sig, ++ size_t siglen, ++ const unsigned char *tbs, ++ size_t tbslen) ++{ ++ union { ++ struct { ++ unsigned char sig[128]; ++ unsigned char pub[64]; ++ } ed448; ++ unsigned long long buff[512]; ++ } param; ++ const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx; ++ ++ if (siglen != ED448_SIGSIZE) ++ return 0; ++ ++ memset(¶m, 0, sizeof(param)); ++ memcpy(param.ed448.sig, sig, 57); ++ s390x_flip_endian64(param.ed448.sig, param.ed448.sig); ++ memcpy(param.ed448.sig + 64, sig + 57, 57); ++ s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64); ++ memcpy(param.ed448.pub, edkey->pubkey, 57); ++ s390x_flip_endian64(param.ed448.pub, param.ed448.pub); ++ ++ return s390x_kdsa(S390X_EDDSA_VERIFY_ED448, ++ ¶m.ed448, tbs, tbslen) == 0 ? 1 : 0; ++} ++ ++static const EVP_PKEY_METHOD ecx25519_s390x_pkey_meth = { ++ EVP_PKEY_X25519, ++ 0, 0, 0, 0, 0, 0, 0, ++ s390x_pkey_ecx_keygen25519, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ s390x_pkey_ecx_derive25519, ++ pkey_ecx_ctrl, ++ 0 ++}; ++ ++static const EVP_PKEY_METHOD ecx448_s390x_pkey_meth = { ++ EVP_PKEY_X448, ++ 0, 0, 0, 0, 0, 0, 0, ++ s390x_pkey_ecx_keygen448, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ s390x_pkey_ecx_derive448, ++ pkey_ecx_ctrl, ++ 0 ++}; ++static const EVP_PKEY_METHOD ed25519_s390x_pkey_meth = { ++ EVP_PKEY_ED25519, EVP_PKEY_FLAG_SIGCTX_CUSTOM, ++ 0, 0, 0, 0, 0, 0, ++ s390x_pkey_ecd_keygen25519, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ pkey_ecd_ctrl, ++ 0, ++ s390x_pkey_ecd_digestsign25519, ++ s390x_pkey_ecd_digestverify25519 ++}; ++ ++static const EVP_PKEY_METHOD ed448_s390x_pkey_meth = { ++ EVP_PKEY_ED448, EVP_PKEY_FLAG_SIGCTX_CUSTOM, ++ 0, 0, 0, 0, 0, 0, ++ s390x_pkey_ecd_keygen448, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ pkey_ecd_ctrl, ++ 0, ++ s390x_pkey_ecd_digestsign448, ++ s390x_pkey_ecd_digestverify448 ++}; ++#endif ++ ++const EVP_PKEY_METHOD *ecx25519_pkey_method(void) ++{ ++#ifdef S390X_EC_ASM ++ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X25519)) ++ return &ecx25519_s390x_pkey_meth; ++#endif ++ return &ecx25519_pkey_meth; ++} ++ ++const EVP_PKEY_METHOD *ecx448_pkey_method(void) ++{ ++#ifdef S390X_EC_ASM ++ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X448)) ++ return &ecx448_s390x_pkey_meth; ++#endif ++ return &ecx448_pkey_meth; ++} ++ ++const EVP_PKEY_METHOD *ed25519_pkey_method(void) ++{ ++#ifdef S390X_EC_ASM ++ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED25519) ++ && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED25519) ++ && OPENSSL_s390xcap_P.kdsa[0] ++ & S390X_CAPBIT(S390X_EDDSA_VERIFY_ED25519)) ++ return &ed25519_s390x_pkey_meth; ++#endif ++ return &ed25519_pkey_meth; ++} ++ ++const EVP_PKEY_METHOD *ed448_pkey_method(void) ++{ ++#ifdef S390X_EC_ASM ++ if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED448) ++ && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED448) ++ && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_VERIFY_ED448)) ++ return &ed448_s390x_pkey_meth; ++#endif ++ return &ed448_pkey_meth; ++} +Index: openssl-1.1.1d/crypto/err/openssl.txt +=================================================================== +--- openssl-1.1.1d.orig/crypto/err/openssl.txt ++++ openssl-1.1.1d/crypto/err/openssl.txt +@@ -678,6 +678,12 @@ EC_F_PKEY_EC_KDF_DERIVE:283:pkey_ec_kdf_ + EC_F_PKEY_EC_KEYGEN:199:pkey_ec_keygen + EC_F_PKEY_EC_PARAMGEN:219:pkey_ec_paramgen + EC_F_PKEY_EC_SIGN:218:pkey_ec_sign ++EC_F_S390X_PKEY_ECD_DIGESTSIGN25519:303:s390x_pkey_ecd_digestsign25519 ++EC_F_S390X_PKEY_ECD_DIGESTSIGN448:304:s390x_pkey_ecd_digestsign448 ++EC_F_S390X_PKEY_ECD_KEYGEN25519:305:s390x_pkey_ecd_keygen25519 ++EC_F_S390X_PKEY_ECD_KEYGEN448:306:s390x_pkey_ecd_keygen448 ++EC_F_S390X_PKEY_ECX_KEYGEN25519:307:s390x_pkey_ecx_keygen25519 ++EC_F_S390X_PKEY_ECX_KEYGEN448:308:s390x_pkey_ecx_keygen448 + EC_F_VALIDATE_ECX_DERIVE:278:validate_ecx_derive + ENGINE_F_DIGEST_UPDATE:198:digest_update + ENGINE_F_DYNAMIC_CTRL:180:dynamic_ctrl +Index: openssl-1.1.1d/crypto/evp/pkey_kdf.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/evp/pkey_kdf.c ++++ openssl-1.1.1d/crypto/evp/pkey_kdf.c +@@ -162,7 +162,7 @@ static int pkey_kdf_derive(EVP_PKEY_CTX + } + + #ifndef OPENSSL_NO_SCRYPT +-const EVP_PKEY_METHOD scrypt_pkey_meth = { ++static const EVP_PKEY_METHOD scrypt_pkey_meth = { + EVP_PKEY_SCRYPT, + 0, + pkey_kdf_init, +@@ -191,9 +191,14 @@ const EVP_PKEY_METHOD scrypt_pkey_meth = + pkey_kdf_ctrl, + pkey_kdf_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *scrypt_pkey_method(void) ++{ ++ return &scrypt_pkey_meth; ++} + #endif + +-const EVP_PKEY_METHOD tls1_prf_pkey_meth = { ++static const EVP_PKEY_METHOD tls1_prf_pkey_meth = { + EVP_PKEY_TLS1_PRF, + EVP_PKEY_FLAG_FIPS, + pkey_kdf_init, +@@ -223,7 +228,12 @@ const EVP_PKEY_METHOD tls1_prf_pkey_meth + pkey_kdf_ctrl_str + }; + +-const EVP_PKEY_METHOD hkdf_pkey_meth = { ++const EVP_PKEY_METHOD *tls1_prf_pkey_method(void) ++{ ++ return &tls1_prf_pkey_meth; ++} ++ ++static const EVP_PKEY_METHOD hkdf_pkey_meth = { + EVP_PKEY_HKDF, + EVP_PKEY_FLAG_FIPS, + pkey_kdf_init, +@@ -253,3 +263,7 @@ const EVP_PKEY_METHOD hkdf_pkey_meth = { + pkey_kdf_ctrl_str + }; + ++const EVP_PKEY_METHOD *hkdf_pkey_method(void) ++{ ++ return &hkdf_pkey_meth; ++} +Index: openssl-1.1.1d/crypto/evp/pmeth_lib.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/evp/pmeth_lib.c ++++ openssl-1.1.1d/crypto/evp/pmeth_lib.c +@@ -17,60 +17,67 @@ + #include "crypto/evp.h" + #include "internal/numbers.h" + ++typedef const EVP_PKEY_METHOD *(*pmeth_fn)(void); + typedef int sk_cmp_fn_type(const char *const *a, const char *const *b); + + static STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL; + + /* This array needs to be in order of NIDs */ +-static const EVP_PKEY_METHOD *standard_methods[] = { ++static pmeth_fn standard_methods[] = { + #ifndef OPENSSL_NO_RSA +- &rsa_pkey_meth, ++ rsa_pkey_method, + #endif + #ifndef OPENSSL_NO_DH +- &dh_pkey_meth, ++ dh_pkey_method, + #endif + #ifndef OPENSSL_NO_DSA +- &dsa_pkey_meth, ++ dsa_pkey_method, + #endif + #ifndef OPENSSL_NO_EC +- &ec_pkey_meth, ++ ec_pkey_method, + #endif +- &hmac_pkey_meth, ++ hmac_pkey_method, + #ifndef OPENSSL_NO_CMAC +- &cmac_pkey_meth, ++ cmac_pkey_method, + #endif + #ifndef OPENSSL_NO_RSA +- &rsa_pss_pkey_meth, ++ rsa_pss_pkey_method, + #endif + #ifndef OPENSSL_NO_DH +- &dhx_pkey_meth, ++ dhx_pkey_method, + #endif + #ifndef OPENSSL_NO_SCRYPT +- &scrypt_pkey_meth, ++ scrypt_pkey_method, + #endif +- &tls1_prf_pkey_meth, ++ tls1_prf_pkey_method, + #ifndef OPENSSL_NO_EC +- &ecx25519_pkey_meth, +- &ecx448_pkey_meth, ++ ecx25519_pkey_method, ++ ecx448_pkey_method, + #endif +- &hkdf_pkey_meth, ++ hkdf_pkey_method, + #ifndef OPENSSL_NO_POLY1305 +- &poly1305_pkey_meth, ++ poly1305_pkey_method, + #endif + #ifndef OPENSSL_NO_SIPHASH +- &siphash_pkey_meth, ++ siphash_pkey_method, + #endif + #ifndef OPENSSL_NO_EC +- &ed25519_pkey_meth, +- &ed448_pkey_meth, ++ ed25519_pkey_method, ++ ed448_pkey_method, + #endif + #ifndef OPENSSL_NO_SM2 +- &sm2_pkey_meth, ++ sm2_pkey_method, + #endif + }; + +-DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *, +- pmeth); ++DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, pmeth_fn, pmeth_func); ++ ++static int pmeth_func_cmp(const EVP_PKEY_METHOD *const *a, pmeth_fn const *b) ++{ ++ return ((*a)->pkey_id - ((**b)())->pkey_id); ++} ++ ++IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, pmeth_fn, pmeth_func); + + static int pmeth_cmp(const EVP_PKEY_METHOD *const *a, + const EVP_PKEY_METHOD *const *b) +@@ -78,13 +85,11 @@ static int pmeth_cmp(const EVP_PKEY_METH + return ((*a)->pkey_id - (*b)->pkey_id); + } + +-IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *, +- pmeth); +- + const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type) + { ++ pmeth_fn *ret; + EVP_PKEY_METHOD tmp; +- const EVP_PKEY_METHOD *t = &tmp, **ret; ++ const EVP_PKEY_METHOD *t = &tmp; + tmp.pkey_id = type; + if (app_pkey_methods) { + int idx; +@@ -92,12 +97,12 @@ const EVP_PKEY_METHOD *EVP_PKEY_meth_fin + if (idx >= 0) + return sk_EVP_PKEY_METHOD_value(app_pkey_methods, idx); + } +- ret = OBJ_bsearch_pmeth(&t, standard_methods, +- sizeof(standard_methods) / +- sizeof(EVP_PKEY_METHOD *)); ++ ret = OBJ_bsearch_pmeth_func(&t, standard_methods, ++ sizeof(standard_methods) / ++ sizeof(pmeth_fn)); + if (!ret || !*ret) + return NULL; +- return *ret; ++ return (**ret)(); + } + + static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id) +@@ -348,7 +353,7 @@ size_t EVP_PKEY_meth_get_count(void) + const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx) + { + if (idx < OSSL_NELEM(standard_methods)) +- return standard_methods[idx]; ++ return (standard_methods[idx])(); + if (app_pkey_methods == NULL) + return NULL; + idx -= OSSL_NELEM(standard_methods); +Index: openssl-1.1.1d/include/crypto/evp.h +=================================================================== +--- openssl-1.1.1d.orig/include/crypto/evp.h ++++ openssl-1.1.1d/include/crypto/evp.h +@@ -93,24 +93,24 @@ DEFINE_STACK_OF_CONST(EVP_PKEY_METHOD) + + void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx); + +-extern const EVP_PKEY_METHOD cmac_pkey_meth; +-extern const EVP_PKEY_METHOD dh_pkey_meth; +-extern const EVP_PKEY_METHOD dhx_pkey_meth; +-extern const EVP_PKEY_METHOD dsa_pkey_meth; +-extern const EVP_PKEY_METHOD ec_pkey_meth; +-extern const EVP_PKEY_METHOD sm2_pkey_meth; +-extern const EVP_PKEY_METHOD ecx25519_pkey_meth; +-extern const EVP_PKEY_METHOD ecx448_pkey_meth; +-extern const EVP_PKEY_METHOD ed25519_pkey_meth; +-extern const EVP_PKEY_METHOD ed448_pkey_meth; +-extern const EVP_PKEY_METHOD hmac_pkey_meth; +-extern const EVP_PKEY_METHOD rsa_pkey_meth; +-extern const EVP_PKEY_METHOD rsa_pss_pkey_meth; +-extern const EVP_PKEY_METHOD scrypt_pkey_meth; +-extern const EVP_PKEY_METHOD tls1_prf_pkey_meth; +-extern const EVP_PKEY_METHOD hkdf_pkey_meth; +-extern const EVP_PKEY_METHOD poly1305_pkey_meth; +-extern const EVP_PKEY_METHOD siphash_pkey_meth; ++const EVP_PKEY_METHOD *cmac_pkey_method(void); ++const EVP_PKEY_METHOD *dh_pkey_method(void); ++const EVP_PKEY_METHOD *dhx_pkey_method(void); ++const EVP_PKEY_METHOD *dsa_pkey_method(void); ++const EVP_PKEY_METHOD *ec_pkey_method(void); ++const EVP_PKEY_METHOD *sm2_pkey_method(void); ++const EVP_PKEY_METHOD *ecx25519_pkey_method(void); ++const EVP_PKEY_METHOD *ecx448_pkey_method(void); ++const EVP_PKEY_METHOD *ed25519_pkey_method(void); ++const EVP_PKEY_METHOD *ed448_pkey_method(void); ++const EVP_PKEY_METHOD *hmac_pkey_method(void); ++const EVP_PKEY_METHOD *rsa_pkey_method(void); ++const EVP_PKEY_METHOD *rsa_pss_pkey_method(void); ++const EVP_PKEY_METHOD *scrypt_pkey_method(void); ++const EVP_PKEY_METHOD *tls1_prf_pkey_method(void); ++const EVP_PKEY_METHOD *hkdf_pkey_method(void); ++const EVP_PKEY_METHOD *poly1305_pkey_method(void); ++const EVP_PKEY_METHOD *siphash_pkey_method(void); + + /* struct evp_kdf_impl_st is defined by the implementation */ + typedef struct evp_kdf_impl_st EVP_KDF_IMPL; +@@ -396,6 +396,7 @@ const EVP_CIPHER *EVP_##cname##_ecb(void + + #define X25519_KEYLEN 32 + #define X448_KEYLEN 56 ++#define ED25519_KEYLEN 32 + #define ED448_KEYLEN 57 + + #define MAX_KEYLEN ED448_KEYLEN +Index: openssl-1.1.1d/crypto/rsa/rsa_pmeth.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/rsa/rsa_pmeth.c ++++ openssl-1.1.1d/crypto/rsa/rsa_pmeth.c +@@ -754,7 +754,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX + return ret; + } + +-const EVP_PKEY_METHOD rsa_pkey_meth = { ++static const EVP_PKEY_METHOD rsa_pkey_meth = { + EVP_PKEY_RSA, + EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS, + pkey_rsa_init, +@@ -789,6 +789,11 @@ const EVP_PKEY_METHOD rsa_pkey_meth = { + pkey_rsa_ctrl_str + }; + ++const EVP_PKEY_METHOD *rsa_pkey_method(void) ++{ ++ return &rsa_pkey_meth; ++} ++ + /* + * Called for PSS sign or verify initialisation: checks PSS parameter + * sanity and sets any restrictions on key usage. +@@ -836,7 +841,7 @@ static int pkey_pss_init(EVP_PKEY_CTX *c + return 1; + } + +-const EVP_PKEY_METHOD rsa_pss_pkey_meth = { ++static const EVP_PKEY_METHOD rsa_pss_pkey_meth = { + EVP_PKEY_RSA_PSS, + EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS, + pkey_rsa_init, +@@ -859,3 +864,8 @@ const EVP_PKEY_METHOD rsa_pss_pkey_meth + pkey_rsa_ctrl, + pkey_rsa_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *rsa_pss_pkey_method(void) ++{ ++ return &rsa_pss_pkey_meth; ++} +Index: openssl-1.1.1d/crypto/s390x_arch.h +=================================================================== +--- openssl-1.1.1d.orig/crypto/s390x_arch.h ++++ openssl-1.1.1d/crypto/s390x_arch.h +@@ -30,6 +30,9 @@ int s390x_pcc(unsigned int fc, void *par + int s390x_kdsa(unsigned int fc, void *param, const unsigned char *in, + size_t len); + ++void s390x_flip_endian32(unsigned char dst[32], const unsigned char src[32]); ++void s390x_flip_endian64(unsigned char dst[64], const unsigned char src[64]); ++ + /* + * The field elements of OPENSSL_s390xcap_P are the 64-bit words returned by + * the STFLE instruction followed by the 64-bit word pairs returned by +@@ -123,6 +126,10 @@ extern struct OPENSSL_s390xcap_st OPENSS + # define S390X_SCALAR_MULTIPLY_P256 64 + # define S390X_SCALAR_MULTIPLY_P384 65 + # define S390X_SCALAR_MULTIPLY_P521 66 ++# define S390X_SCALAR_MULTIPLY_ED25519 72 ++# define S390X_SCALAR_MULTIPLY_ED448 73 ++# define S390X_SCALAR_MULTIPLY_X25519 80 ++# define S390X_SCALAR_MULTIPLY_X448 81 + + /* kdsa */ + # define S390X_ECDSA_VERIFY_P256 1 +@@ -131,6 +138,10 @@ extern struct OPENSSL_s390xcap_st OPENSS + # define S390X_ECDSA_SIGN_P256 9 + # define S390X_ECDSA_SIGN_P384 10 + # define S390X_ECDSA_SIGN_P521 11 ++# define S390X_EDDSA_VERIFY_ED25519 32 ++# define S390X_EDDSA_VERIFY_ED448 36 ++# define S390X_EDDSA_SIGN_ED25519 40 ++# define S390X_EDDSA_SIGN_ED448 44 + + /* Register 0 Flags */ + # define S390X_DECRYPT 0x80 +Index: openssl-1.1.1d/crypto/s390xcap.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/s390xcap.c ++++ openssl-1.1.1d/crypto/s390xcap.c +@@ -615,14 +615,22 @@ static int parse_env(struct OPENSSL_s390 + /*.pcc = */{S390X_CAPBIT(S390X_QUERY), + S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256) + | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P384) +- | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521)}, ++ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521) ++ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED25519) ++ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED448) ++ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X25519) ++ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X448)}, + /*.kdsa = */{S390X_CAPBIT(S390X_QUERY) + | S390X_CAPBIT(S390X_ECDSA_VERIFY_P256) + | S390X_CAPBIT(S390X_ECDSA_VERIFY_P384) + | S390X_CAPBIT(S390X_ECDSA_VERIFY_P521) + | S390X_CAPBIT(S390X_ECDSA_SIGN_P256) + | S390X_CAPBIT(S390X_ECDSA_SIGN_P384) +- | S390X_CAPBIT(S390X_ECDSA_SIGN_P521), ++ | S390X_CAPBIT(S390X_ECDSA_SIGN_P521) ++ | S390X_CAPBIT(S390X_EDDSA_VERIFY_ED25519) ++ | S390X_CAPBIT(S390X_EDDSA_VERIFY_ED448) ++ | S390X_CAPBIT(S390X_EDDSA_SIGN_ED25519) ++ | S390X_CAPBIT(S390X_EDDSA_SIGN_ED448), + 0ULL}, + }; + +Index: openssl-1.1.1d/crypto/s390xcpuid.pl +=================================================================== +--- openssl-1.1.1d.orig/crypto/s390xcpuid.pl ++++ openssl-1.1.1d/crypto/s390xcpuid.pl +@@ -493,6 +493,62 @@ s390x_kdsa: + ___ + } + ++################ ++# void s390x_flip_endian32(unsigned char dst[32], const unsigned char src[32]) ++{ ++my ($dst,$src) = map("%r$_",(2..3)); ++$code.=<<___; ++.globl s390x_flip_endian32 ++.type s390x_flip_endian32,\@function ++.align 16 ++s390x_flip_endian32: ++ lrvg %r0,0(%r0,$src) ++ lrvg %r1,8(%r0,$src) ++ lrvg %r4,16(%r0,$src) ++ lrvg %r5,24(%r0,$src) ++ stg %r0,24(%r0,$dst) ++ stg %r1,16(%r0,$dst) ++ stg %r4,8(%r0,$dst) ++ stg %r5,0(%r0,$dst) ++ br $ra ++.size s390x_flip_endian32,.-s390x_flip_endian32 ++___ ++} ++ ++################ ++# void s390x_flip_endian64(unsigned char dst[64], const unsigned char src[64]) ++{ ++my ($dst,$src) = map("%r$_",(2..3)); ++$code.=<<___; ++.globl s390x_flip_endian64 ++.type s390x_flip_endian64,\@function ++.align 16 ++s390x_flip_endian64: ++ stmg %r6,%r9,6*$SIZE_T($sp) ++ ++ lrvg %r0,0(%r0,$src) ++ lrvg %r1,8(%r0,$src) ++ lrvg %r4,16(%r0,$src) ++ lrvg %r5,24(%r0,$src) ++ lrvg %r6,32(%r0,$src) ++ lrvg %r7,40(%r0,$src) ++ lrvg %r8,48(%r0,$src) ++ lrvg %r9,56(%r0,$src) ++ stg %r0,56(%r0,$dst) ++ stg %r1,48(%r0,$dst) ++ stg %r4,40(%r0,$dst) ++ stg %r5,32(%r0,$dst) ++ stg %r6,24(%r0,$dst) ++ stg %r7,16(%r0,$dst) ++ stg %r8,8(%r0,$dst) ++ stg %r9,0(%r0,$dst) ++ ++ lmg %r6,%r9,6*$SIZE_T($sp) ++ br $ra ++.size s390x_flip_endian64,.-s390x_flip_endian64 ++___ ++} ++ + $code.=<<___; + .section .init + brasl $ra,OPENSSL_cpuid_setup +Index: openssl-1.1.1d/crypto/sm2/sm2_pmeth.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/sm2/sm2_pmeth.c ++++ openssl-1.1.1d/crypto/sm2/sm2_pmeth.c +@@ -283,7 +283,7 @@ static int pkey_sm2_digest_custom(EVP_PK + return EVP_DigestUpdate(mctx, z, (size_t)mdlen); + } + +-const EVP_PKEY_METHOD sm2_pkey_meth = { ++static const EVP_PKEY_METHOD sm2_pkey_meth = { + EVP_PKEY_SM2, + 0, + pkey_sm2_init, +@@ -323,3 +323,8 @@ const EVP_PKEY_METHOD sm2_pkey_meth = { + + pkey_sm2_digest_custom + }; ++ ++const EVP_PKEY_METHOD *sm2_pkey_method(void) ++{ ++ return &sm2_pkey_meth; ++} +Index: openssl-1.1.1d/doc/man3/OPENSSL_s390xcap.pod +=================================================================== +--- openssl-1.1.1d.orig/doc/man3/OPENSSL_s390xcap.pod ++++ openssl-1.1.1d/doc/man3/OPENSSL_s390xcap.pod +@@ -159,6 +159,10 @@ Disables the KM-XTS-AES and and the KIMD + # 64 1<<63 PCC-Scalar-Multiply-P256 + # 65 1<<62 PCC-Scalar-Multiply-P384 + # 66 1<<61 PCC-Scalar-Multiply-P521 ++ # 72 1<<55 PCC-Scalar-Multiply-Ed25519 ++ # 73 1<<54 PCC-Scalar-Multiply-Ed448 ++ # 80 1<<47 PCC-Scalar-Multiply-X25519 ++ # 81 1<<46 PCC-Scalar-Multiply-X448 + + kdsa : + # 1 1<<62 KDSA-ECDSA-Verify-P256 +@@ -167,6 +171,10 @@ Disables the KM-XTS-AES and and the KIMD + # 9 1<<54 KDSA-ECDSA-Sign-P256 + # 10 1<<53 KDSA-ECDSA-Sign-P384 + # 11 1<<52 KDSA-ECDSA-Sign-P521 ++ # 32 1<<31 KDSA-EdDSA-Verify-Ed25519 ++ # 36 1<<27 KDSA-EdDSA-Verify-Ed448 ++ # 40 1<<23 KDSA-EdDSA-Sign-Ed25519 ++ # 44 1<<19 KDSA-EdDSA-Sign-Ed448 + : + + =head1 RETURN VALUES +Index: openssl-1.1.1d/include/openssl/ecerr.h +=================================================================== +--- openssl-1.1.1d.orig/include/openssl/ecerr.h ++++ openssl-1.1.1d/include/openssl/ecerr.h +@@ -206,6 +206,12 @@ int ERR_load_EC_strings(void); + # define EC_F_PKEY_EC_KEYGEN 199 + # define EC_F_PKEY_EC_PARAMGEN 219 + # define EC_F_PKEY_EC_SIGN 218 ++# define EC_F_S390X_PKEY_ECD_DIGESTSIGN25519 303 ++# define EC_F_S390X_PKEY_ECD_DIGESTSIGN448 304 ++# define EC_F_S390X_PKEY_ECD_KEYGEN25519 305 ++# define EC_F_S390X_PKEY_ECD_KEYGEN448 306 ++# define EC_F_S390X_PKEY_ECX_KEYGEN25519 307 ++# define EC_F_S390X_PKEY_ECX_KEYGEN448 308 + # define EC_F_VALIDATE_ECX_DERIVE 278 + + /* +Index: openssl-1.1.1d/Configure +=================================================================== +--- openssl-1.1.1d.orig/Configure ++++ openssl-1.1.1d/Configure +@@ -1401,7 +1401,7 @@ unless ($disabled{asm}) { + push @{$config{lib_defines}}, "X25519_ASM"; + } + if ($target{ec_asm_src} =~ /ecp_s390x_nistp/) { +- push @{$config{lib_defines}}, "S390X_NISTP_ASM"; ++ push @{$config{lib_defines}}, "S390X_EC_ASM"; + } + if ($target{padlock_asm_src} ne $table{DEFAULTS}->{padlock_asm_src}) { + push @{$config{dso_defines}}, "PADLOCK_ASM"; +Index: openssl-1.1.1d/crypto/cmac/cm_pmeth.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/cmac/cm_pmeth.c ++++ openssl-1.1.1d/crypto/cmac/cm_pmeth.c +@@ -127,7 +127,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C + return -2; + } + +-const EVP_PKEY_METHOD cmac_pkey_meth = { ++static const EVP_PKEY_METHOD cmac_pkey_meth = { + EVP_PKEY_CMAC, + EVP_PKEY_FLAG_SIGCTX_CUSTOM | EVP_PKEY_FLAG_FIPS, + pkey_cmac_init, +@@ -159,3 +159,8 @@ const EVP_PKEY_METHOD cmac_pkey_meth = { + pkey_cmac_ctrl, + pkey_cmac_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *cmac_pkey_method(void) ++{ ++ return &cmac_pkey_meth; ++} +Index: openssl-1.1.1d/crypto/hmac/hm_pmeth.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/hmac/hm_pmeth.c ++++ openssl-1.1.1d/crypto/hmac/hm_pmeth.c +@@ -178,7 +178,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C + return -2; + } + +-const EVP_PKEY_METHOD hmac_pkey_meth = { ++static const EVP_PKEY_METHOD hmac_pkey_meth = { + EVP_PKEY_HMAC, + EVP_PKEY_FLAG_FIPS, + pkey_hmac_init, +@@ -210,3 +210,9 @@ const EVP_PKEY_METHOD hmac_pkey_meth = { + pkey_hmac_ctrl, + pkey_hmac_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *hmac_pkey_method(void) ++{ ++ return &hmac_pkey_meth; ++} ++ +Index: openssl-1.1.1d/crypto/poly1305/poly1305_pmeth.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/poly1305/poly1305_pmeth.c ++++ openssl-1.1.1d/crypto/poly1305/poly1305_pmeth.c +@@ -160,7 +160,7 @@ static int pkey_poly1305_ctrl_str(EVP_PK + return -2; + } + +-const EVP_PKEY_METHOD poly1305_pkey_meth = { ++static const EVP_PKEY_METHOD poly1305_pkey_meth = { + EVP_PKEY_POLY1305, + EVP_PKEY_FLAG_SIGCTX_CUSTOM, /* we don't deal with a separate MD */ + pkey_poly1305_init, +@@ -192,3 +192,8 @@ const EVP_PKEY_METHOD poly1305_pkey_meth + pkey_poly1305_ctrl, + pkey_poly1305_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *poly1305_pkey_method(void) ++{ ++ return &poly1305_pkey_meth; ++} +Index: openssl-1.1.1d/crypto/siphash/siphash_pmeth.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/siphash/siphash_pmeth.c ++++ openssl-1.1.1d/crypto/siphash/siphash_pmeth.c +@@ -171,7 +171,7 @@ static int pkey_siphash_ctrl_str(EVP_PKE + return -2; + } + +-const EVP_PKEY_METHOD siphash_pkey_meth = { ++static const EVP_PKEY_METHOD siphash_pkey_meth = { + EVP_PKEY_SIPHASH, + EVP_PKEY_FLAG_SIGCTX_CUSTOM, /* we don't deal with a separate MD */ + pkey_siphash_init, +@@ -203,3 +203,8 @@ const EVP_PKEY_METHOD siphash_pkey_meth + pkey_siphash_ctrl, + pkey_siphash_ctrl_str + }; ++ ++const EVP_PKEY_METHOD *siphash_pkey_method(void) ++{ ++ return &siphash_pkey_meth; ++} diff --git a/openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch b/openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch new file mode 100644 index 0000000..fd18ab3 --- /dev/null +++ b/openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch @@ -0,0 +1,673 @@ +diff --git a/crypto/s390x_arch.h b/crypto/s390x_arch.h +index 64e7ebb..34e04b4 100644 +--- a/crypto/s390x_arch.h ++++ b/crypto/s390x_arch.h +@@ -52,6 +52,9 @@ __attribute__ ((visibility("hidden"))) + #endif + extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; + ++/* Max number of 64-bit words currently returned by STFLE */ ++# define S390X_STFLE_MAX 3 ++ + /* convert facility bit number or function code to bit mask */ + # define S390X_CAPBIT(i) (1ULL << (63 - (i) % 64)) + +@@ -71,9 +74,15 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; + # define S390X_KMA 0xb0 + + /* Facility Bit Numbers */ +-# define S390X_VX 129 +-# define S390X_VXD 134 +-# define S390X_VXE 135 ++# define S390X_MSA 17 /* message-security-assist */ ++# define S390X_STCKF 25 /* store-clock-fast */ ++# define S390X_MSA5 57 /* message-security-assist-ext. 5 */ ++# define S390X_MSA3 76 /* message-security-assist-ext. 3 */ ++# define S390X_MSA4 77 /* message-security-assist-ext. 4 */ ++# define S390X_VX 129 /* vector */ ++# define S390X_VXD 134 /* vector packed decimal */ ++# define S390X_VXE 135 /* vector enhancements 1 */ ++# define S390X_MSA8 146 /* message-security-assist-ext. 8 */ + + /* Function Codes */ + +@@ -81,6 +90,9 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; + # define S390X_QUERY 0 + + /* kimd/klmd */ ++# define S390X_SHA_1 1 ++# define S390X_SHA_256 2 ++# define S390X_SHA_512 3 + # define S390X_SHA3_224 32 + # define S390X_SHA3_256 33 + # define S390X_SHA3_384 34 +@@ -94,7 +106,12 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; + # define S390X_AES_192 19 + # define S390X_AES_256 20 + ++/* km */ ++# define S390X_XTS_AES_128 50 ++# define S390X_XTS_AES_256 52 ++ + /* prno */ ++# define S390X_SHA_512_DRNG 3 + # define S390X_TRNG 114 + + /* Register 0 Flags */ +diff --git a/crypto/s390xcap.c b/crypto/s390xcap.c +index 1097c70..da6af34 100644 +--- a/crypto/s390xcap.c ++++ b/crypto/s390xcap.c +@@ -13,15 +13,51 @@ + #include + #include + #include "internal/cryptlib.h" ++#include "crypto/ctype.h" + #include "s390x_arch.h" + ++#define LEN 128 ++#define STR_(S) #S ++#define STR(S) STR_(S) ++ ++#define TOK_FUNC(NAME) \ ++ (sscanf(tok_begin, \ ++ " " STR(NAME) " : %" STR(LEN) "[^:] : " \ ++ "%" STR(LEN) "s %" STR(LEN) "s ", \ ++ tok[0], tok[1], tok[2]) == 2) { \ ++ \ ++ off = (tok[0][0] == '~') ? 1 : 0; \ ++ if (sscanf(tok[0] + off, "%llx", &cap->NAME[0]) != 1) \ ++ goto ret; \ ++ if (off) \ ++ cap->NAME[0] = ~cap->NAME[0]; \ ++ \ ++ off = (tok[1][0] == '~') ? 1 : 0; \ ++ if (sscanf(tok[1] + off, "%llx", &cap->NAME[1]) != 1) \ ++ goto ret; \ ++ if (off) \ ++ cap->NAME[1] = ~cap->NAME[1]; \ ++ } ++ ++#define TOK_CPU(NAME) \ ++ (sscanf(tok_begin, \ ++ " %" STR(LEN) "s %" STR(LEN) "s ", \ ++ tok[0], tok[1]) == 1 \ ++ && !strcmp(tok[0], #NAME)) { \ ++ memcpy(cap, &NAME, sizeof(*cap)); \ ++ } ++ + static sigjmp_buf ill_jmp; + static void ill_handler(int sig) + { + siglongjmp(ill_jmp, sig); + } + ++static const char *env; ++static int parse_env(struct OPENSSL_s390xcap_st *cap); ++ + void OPENSSL_s390x_facilities(void); ++void OPENSSL_s390x_functions(void); + void OPENSSL_vx_probe(void); + + struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; +@@ -33,6 +69,7 @@ void OPENSSL_cpuid_setup(void) + { + sigset_t oset; + struct sigaction ill_act, oact_ill, oact_fpe; ++ struct OPENSSL_s390xcap_st cap; + + if (OPENSSL_s390xcap_P.stfle[0]) + return; +@@ -40,6 +77,12 @@ void OPENSSL_cpuid_setup(void) + /* set a bit that will not be tested later */ + OPENSSL_s390xcap_P.stfle[0] |= S390X_CAPBIT(0); + ++ env = getenv("OPENSSL_s390xcap"); ++ if (env != NULL) { ++ if (!parse_env(&cap)) ++ env = NULL; ++ } ++ + memset(&ill_act, 0, sizeof(ill_act)); + ill_act.sa_handler = ill_handler; + sigfillset(&ill_act.sa_mask); +@@ -54,6 +97,12 @@ void OPENSSL_cpuid_setup(void) + if (sigsetjmp(ill_jmp, 1) == 0) + OPENSSL_s390x_facilities(); + ++ if (env != NULL) { ++ OPENSSL_s390xcap_P.stfle[0] &= cap.stfle[0]; ++ OPENSSL_s390xcap_P.stfle[1] &= cap.stfle[1]; ++ OPENSSL_s390xcap_P.stfle[2] &= cap.stfle[2]; ++ } ++ + /* protection against disabled vector facility */ + if ((OPENSSL_s390xcap_P.stfle[2] & S390X_CAPBIT(S390X_VX)) + && (sigsetjmp(ill_jmp, 1) == 0)) { +@@ -67,4 +116,470 @@ void OPENSSL_cpuid_setup(void) + sigaction(SIGFPE, &oact_fpe, NULL); + sigaction(SIGILL, &oact_ill, NULL); + sigprocmask(SIG_SETMASK, &oset, NULL); ++ ++ OPENSSL_s390x_functions(); ++ ++ if (env != NULL) { ++ OPENSSL_s390xcap_P.kimd[0] &= cap.kimd[0]; ++ OPENSSL_s390xcap_P.kimd[1] &= cap.kimd[1]; ++ OPENSSL_s390xcap_P.klmd[0] &= cap.klmd[0]; ++ OPENSSL_s390xcap_P.klmd[1] &= cap.klmd[1]; ++ OPENSSL_s390xcap_P.km[0] &= cap.km[0]; ++ OPENSSL_s390xcap_P.km[1] &= cap.km[1]; ++ OPENSSL_s390xcap_P.kmc[0] &= cap.kmc[0]; ++ OPENSSL_s390xcap_P.kmc[1] &= cap.kmc[1]; ++ OPENSSL_s390xcap_P.kmac[0] &= cap.kmac[0]; ++ OPENSSL_s390xcap_P.kmac[1] &= cap.kmac[1]; ++ OPENSSL_s390xcap_P.kmctr[0] &= cap.kmctr[0]; ++ OPENSSL_s390xcap_P.kmctr[1] &= cap.kmctr[1]; ++ OPENSSL_s390xcap_P.kmo[0] &= cap.kmo[0]; ++ OPENSSL_s390xcap_P.kmo[1] &= cap.kmo[1]; ++ OPENSSL_s390xcap_P.kmf[0] &= cap.kmf[0]; ++ OPENSSL_s390xcap_P.kmf[1] &= cap.kmf[1]; ++ OPENSSL_s390xcap_P.prno[0] &= cap.prno[0]; ++ OPENSSL_s390xcap_P.prno[1] &= cap.prno[1]; ++ OPENSSL_s390xcap_P.kma[0] &= cap.kma[0]; ++ OPENSSL_s390xcap_P.kma[1] &= cap.kma[1]; ++ } ++} ++ ++static int parse_env(struct OPENSSL_s390xcap_st *cap) ++{ ++ /*- ++ * CPU model data ++ * (only the STFLE- and QUERY-bits relevant to libcrypto are set) ++ */ ++ ++ /*- ++ * z900 (2000) - z/Architecture POP SA22-7832-00 ++ * Facility detection would fail on real hw (no STFLE). ++ */ ++ static const struct OPENSSL_s390xcap_st z900 = { ++ .stfle = {0ULL, 0ULL, 0ULL, 0ULL}, ++ .kimd = {0ULL, 0ULL}, ++ .klmd = {0ULL, 0ULL}, ++ .km = {0ULL, 0ULL}, ++ .kmc = {0ULL, 0ULL}, ++ .kmac = {0ULL, 0ULL}, ++ .kmctr = {0ULL, 0ULL}, ++ .kmo = {0ULL, 0ULL}, ++ .kmf = {0ULL, 0ULL}, ++ .prno = {0ULL, 0ULL}, ++ .kma = {0ULL, 0ULL}, ++ }; ++ ++ /*- ++ * z990 (2003) - z/Architecture POP SA22-7832-02 ++ * Implements MSA. Facility detection would fail on real hw (no STFLE). ++ */ ++ static const struct OPENSSL_s390xcap_st z990 = { ++ .stfle = {S390X_CAPBIT(S390X_MSA), ++ 0ULL, 0ULL, 0ULL}, ++ .kimd = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_1), ++ 0ULL}, ++ .klmd = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_1), ++ 0ULL}, ++ .km = {S390X_CAPBIT(S390X_QUERY), ++ 0ULL}, ++ .kmc = {S390X_CAPBIT(S390X_QUERY), ++ 0ULL}, ++ .kmac = {S390X_CAPBIT(S390X_QUERY), ++ 0ULL}, ++ .kmctr = {0ULL, 0ULL}, ++ .kmo = {0ULL, 0ULL}, ++ .kmf = {0ULL, 0ULL}, ++ .prno = {0ULL, 0ULL}, ++ .kma = {0ULL, 0ULL}, ++ }; ++ ++ /*- ++ * z9 (2005) - z/Architecture POP SA22-7832-04 ++ * Implements MSA and MSA1. ++ */ ++ static const struct OPENSSL_s390xcap_st z9 = { ++ .stfle = {S390X_CAPBIT(S390X_MSA) ++ | S390X_CAPBIT(S390X_STCKF), ++ 0ULL, 0ULL, 0ULL}, ++ .kimd = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_1) ++ | S390X_CAPBIT(S390X_SHA_256), ++ 0ULL}, ++ .klmd = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_1) ++ | S390X_CAPBIT(S390X_SHA_256), ++ 0ULL}, ++ .km = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128), ++ 0ULL}, ++ .kmc = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128), ++ 0ULL}, ++ .kmac = {S390X_CAPBIT(S390X_QUERY), ++ 0ULL}, ++ .kmctr = {0ULL, 0ULL}, ++ .kmo = {0ULL, 0ULL}, ++ .kmf = {0ULL, 0ULL}, ++ .prno = {0ULL, 0ULL}, ++ .kma = {0ULL, 0ULL}, ++ }; ++ ++ /*- ++ * z10 (2008) - z/Architecture POP SA22-7832-06 ++ * Implements MSA and MSA1-2. ++ */ ++ static const struct OPENSSL_s390xcap_st z10 = { ++ .stfle = {S390X_CAPBIT(S390X_MSA) ++ | S390X_CAPBIT(S390X_STCKF), ++ 0ULL, 0ULL, 0ULL}, ++ .kimd = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_1) ++ | S390X_CAPBIT(S390X_SHA_256) ++ | S390X_CAPBIT(S390X_SHA_512), ++ 0ULL}, ++ .klmd = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_1) ++ | S390X_CAPBIT(S390X_SHA_256) ++ | S390X_CAPBIT(S390X_SHA_512), ++ 0ULL}, ++ .km = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .kmc = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .kmac = {S390X_CAPBIT(S390X_QUERY), ++ 0ULL}, ++ .kmctr = {0ULL, 0ULL}, ++ .kmo = {0ULL, 0ULL}, ++ .kmf = {0ULL, 0ULL}, ++ .prno = {0ULL, 0ULL}, ++ .kma = {0ULL, 0ULL}, ++ }; ++ ++ /*- ++ * z196 (2010) - z/Architecture POP SA22-7832-08 ++ * Implements MSA and MSA1-4. ++ */ ++ static const struct OPENSSL_s390xcap_st z196 = { ++ .stfle = {S390X_CAPBIT(S390X_MSA) ++ | S390X_CAPBIT(S390X_STCKF), ++ S390X_CAPBIT(S390X_MSA3) ++ | S390X_CAPBIT(S390X_MSA4), ++ 0ULL, 0ULL}, ++ .kimd = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_1) ++ | S390X_CAPBIT(S390X_SHA_256) ++ | S390X_CAPBIT(S390X_SHA_512), ++ S390X_CAPBIT(S390X_GHASH)}, ++ .klmd = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_1) ++ | S390X_CAPBIT(S390X_SHA_256) ++ | S390X_CAPBIT(S390X_SHA_512), ++ 0ULL}, ++ .km = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256) ++ | S390X_CAPBIT(S390X_XTS_AES_128) ++ | S390X_CAPBIT(S390X_XTS_AES_256), ++ 0ULL}, ++ .kmc = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .kmac = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .kmctr = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .kmo = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .kmf = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .prno = {0ULL, 0ULL}, ++ .kma = {0ULL, 0ULL}, ++ }; ++ ++ /*- ++ * zEC12 (2012) - z/Architecture POP SA22-7832-09 ++ * Implements MSA and MSA1-4. ++ */ ++ static const struct OPENSSL_s390xcap_st zEC12 = { ++ .stfle = {S390X_CAPBIT(S390X_MSA) ++ | S390X_CAPBIT(S390X_STCKF), ++ S390X_CAPBIT(S390X_MSA3) ++ | S390X_CAPBIT(S390X_MSA4), ++ 0ULL, 0ULL}, ++ .kimd = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_1) ++ | S390X_CAPBIT(S390X_SHA_256) ++ | S390X_CAPBIT(S390X_SHA_512), ++ S390X_CAPBIT(S390X_GHASH)}, ++ .klmd = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_1) ++ | S390X_CAPBIT(S390X_SHA_256) ++ | S390X_CAPBIT(S390X_SHA_512), ++ 0ULL}, ++ .km = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256) ++ | S390X_CAPBIT(S390X_XTS_AES_128) ++ | S390X_CAPBIT(S390X_XTS_AES_256), ++ 0ULL}, ++ .kmc = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .kmac = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .kmctr = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .kmo = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .kmf = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .prno = {0ULL, 0ULL}, ++ .kma = {0ULL, 0ULL}, ++ }; ++ ++ /*- ++ * z13 (2015) - z/Architecture POP SA22-7832-10 ++ * Implements MSA and MSA1-5. ++ */ ++ static const struct OPENSSL_s390xcap_st z13 = { ++ .stfle = {S390X_CAPBIT(S390X_MSA) ++ | S390X_CAPBIT(S390X_STCKF) ++ | S390X_CAPBIT(S390X_MSA5), ++ S390X_CAPBIT(S390X_MSA3) ++ | S390X_CAPBIT(S390X_MSA4), ++ S390X_CAPBIT(S390X_VX), ++ 0ULL}, ++ .kimd = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_1) ++ | S390X_CAPBIT(S390X_SHA_256) ++ | S390X_CAPBIT(S390X_SHA_512), ++ S390X_CAPBIT(S390X_GHASH)}, ++ .klmd = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_1) ++ | S390X_CAPBIT(S390X_SHA_256) ++ | S390X_CAPBIT(S390X_SHA_512), ++ 0ULL}, ++ .km = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256) ++ | S390X_CAPBIT(S390X_XTS_AES_128) ++ | S390X_CAPBIT(S390X_XTS_AES_256), ++ 0ULL}, ++ .kmc = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .kmac = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .kmctr = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .kmo = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .kmf = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .prno = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_512_DRNG), ++ 0ULL}, ++ .kma = {0ULL, 0ULL}, ++ }; ++ ++ /*- ++ * z14 (2017) - z/Architecture POP SA22-7832-11 ++ * Implements MSA and MSA1-8. ++ */ ++ static const struct OPENSSL_s390xcap_st z14 = { ++ .stfle = {S390X_CAPBIT(S390X_MSA) ++ | S390X_CAPBIT(S390X_STCKF) ++ | S390X_CAPBIT(S390X_MSA5), ++ S390X_CAPBIT(S390X_MSA3) ++ | S390X_CAPBIT(S390X_MSA4), ++ S390X_CAPBIT(S390X_VX) ++ | S390X_CAPBIT(S390X_VXD) ++ | S390X_CAPBIT(S390X_VXE) ++ | S390X_CAPBIT(S390X_MSA8), ++ 0ULL}, ++ .kimd = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_1) ++ | S390X_CAPBIT(S390X_SHA_256) ++ | S390X_CAPBIT(S390X_SHA_512) ++ | S390X_CAPBIT(S390X_SHA3_224) ++ | S390X_CAPBIT(S390X_SHA3_256) ++ | S390X_CAPBIT(S390X_SHA3_384) ++ | S390X_CAPBIT(S390X_SHA3_512) ++ | S390X_CAPBIT(S390X_SHAKE_128) ++ | S390X_CAPBIT(S390X_SHAKE_256), ++ S390X_CAPBIT(S390X_GHASH)}, ++ .klmd = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_1) ++ | S390X_CAPBIT(S390X_SHA_256) ++ | S390X_CAPBIT(S390X_SHA_512) ++ | S390X_CAPBIT(S390X_SHA3_224) ++ | S390X_CAPBIT(S390X_SHA3_256) ++ | S390X_CAPBIT(S390X_SHA3_384) ++ | S390X_CAPBIT(S390X_SHA3_512) ++ | S390X_CAPBIT(S390X_SHAKE_128) ++ | S390X_CAPBIT(S390X_SHAKE_256), ++ 0ULL}, ++ .km = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256) ++ | S390X_CAPBIT(S390X_XTS_AES_128) ++ | S390X_CAPBIT(S390X_XTS_AES_256), ++ 0ULL}, ++ .kmc = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .kmac = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .kmctr = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .kmo = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .kmf = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ .prno = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_512_DRNG), ++ S390X_CAPBIT(S390X_TRNG)}, ++ .kma = {S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ }; ++ ++ char *tok_begin, *tok_end, *buff, tok[S390X_STFLE_MAX][LEN + 1]; ++ int rc, off, i, n; ++ ++ buff = malloc(strlen(env) + 1); ++ if (buff == NULL) ++ return 0; ++ ++ rc = 0; ++ memset(cap, ~0, sizeof(*cap)); ++ strcpy(buff, env); ++ ++ tok_begin = buff + strspn(buff, ";"); ++ strtok(tok_begin, ";"); ++ tok_end = strtok(NULL, ";"); ++ ++ while (tok_begin != NULL) { ++ /* stfle token */ ++ if ((n = sscanf(tok_begin, ++ " stfle : %" STR(LEN) "[^:] : " ++ "%" STR(LEN) "[^:] : %" STR(LEN) "s ", ++ tok[0], tok[1], tok[2]))) { ++ for (i = 0; i < n; i++) { ++ off = (tok[i][0] == '~') ? 1 : 0; ++ if (sscanf(tok[i] + off, "%llx", &cap->stfle[i]) != 1) ++ goto ret; ++ if (off) ++ cap->stfle[i] = ~cap->stfle[i]; ++ } ++ } ++ ++ /* query function tokens */ ++ else if TOK_FUNC(kimd) ++ else if TOK_FUNC(klmd) ++ else if TOK_FUNC(km) ++ else if TOK_FUNC(kmc) ++ else if TOK_FUNC(kmac) ++ else if TOK_FUNC(kmctr) ++ else if TOK_FUNC(kmo) ++ else if TOK_FUNC(kmf) ++ else if TOK_FUNC(prno) ++ else if TOK_FUNC(kma) ++ ++ /* CPU model tokens */ ++ else if TOK_CPU(z900) ++ else if TOK_CPU(z990) ++ else if TOK_CPU(z9) ++ else if TOK_CPU(z10) ++ else if TOK_CPU(z196) ++ else if TOK_CPU(zEC12) ++ else if TOK_CPU(z13) ++ else if TOK_CPU(z14) ++ ++ /* whitespace(ignored) or invalid tokens */ ++ else { ++ while (*tok_begin != '\0') { ++ if (!ossl_isspace(*tok_begin)) ++ goto ret; ++ tok_begin++; ++ } ++ } ++ ++ tok_begin = tok_end; ++ tok_end = strtok(NULL, ";"); ++ } ++ ++ rc = 1; ++ret: ++ free(buff); ++ return rc; + } +diff --git a/crypto/s390xcpuid.pl b/crypto/s390xcpuid.pl +index 5cbb962..3602301 100755 +--- a/crypto/s390xcpuid.pl ++++ b/crypto/s390xcpuid.pl +@@ -38,7 +38,26 @@ OPENSSL_s390x_facilities: + stg %r0,S390X_STFLE+8(%r4) # wipe capability vectors + stg %r0,S390X_STFLE+16(%r4) + stg %r0,S390X_STFLE+24(%r4) +- stg %r0,S390X_KIMD(%r4) ++ ++ .long 0xb2b04000 # stfle 0(%r4) ++ brc 8,.Ldone ++ lghi %r0,1 ++ .long 0xb2b04000 # stfle 0(%r4) ++ brc 8,.Ldone ++ lghi %r0,2 ++ .long 0xb2b04000 # stfle 0(%r4) ++.Ldone: ++ br $ra ++.size OPENSSL_s390x_facilities,.-OPENSSL_s390x_facilities ++ ++.globl OPENSSL_s390x_functions ++.type OPENSSL_s390x_functions,\@function ++.align 16 ++OPENSSL_s390x_functions: ++ lghi %r0,0 ++ larl %r4,OPENSSL_s390xcap_P ++ ++ stg %r0,S390X_KIMD(%r4) # wipe capability vectors + stg %r0,S390X_KIMD+8(%r4) + stg %r0,S390X_KLMD(%r4) + stg %r0,S390X_KLMD+8(%r4) +@@ -59,14 +78,6 @@ OPENSSL_s390x_facilities: + stg %r0,S390X_KMA(%r4) + stg %r0,S390X_KMA+8(%r4) + +- .long 0xb2b04000 # stfle 0(%r4) +- brc 8,.Ldone +- lghi %r0,1 +- .long 0xb2b04000 # stfle 0(%r4) +- brc 8,.Ldone +- lghi %r0,2 +- .long 0xb2b04000 # stfle 0(%r4) +-.Ldone: + lmg %r2,%r3,S390X_STFLE(%r4) + tmhl %r2,0x4000 # check for message-security-assist + jz .Lret +@@ -123,7 +134,7 @@ OPENSSL_s390x_facilities: + + .Lret: + br $ra +-.size OPENSSL_s390x_facilities,.-OPENSSL_s390x_facilities ++.size OPENSSL_s390x_functions,.-OPENSSL_s390x_functions + + .globl OPENSSL_rdtsc + .type OPENSSL_rdtsc,\@function diff --git a/openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch b/openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch new file mode 100644 index 0000000..a51ee86 --- /dev/null +++ b/openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch @@ -0,0 +1,208 @@ +From d68af00685c4a76e9545882e350717ae5e4071df Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Tue, 31 Jan 2017 12:43:35 +0100 +Subject: [PATCH] s390x assembly pack: add OPENSSL_s390xcap man page. + +Signed-off-by: Patrick Steuer + +Reviewed-by: Andy Polyakov +Reviewed-by: Rich Salz +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/6813) +--- + doc/man3/OPENSSL_s390xcap.pod | 173 ++++++++++++++++++++++++++++++++++ + util/private.num | 1 + + 2 files changed, 174 insertions(+) + create mode 100644 doc/man3/OPENSSL_s390xcap.pod + +diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod +new file mode 100644 +index 00000000000..550136a82b8 +--- /dev/null ++++ b/doc/man3/OPENSSL_s390xcap.pod +@@ -0,0 +1,173 @@ ++=pod ++ ++=head1 NAME ++ ++OPENSSL_s390xcap - the IBM z processor capabilities vector ++ ++=head1 SYNOPSIS ++ ++ env OPENSSL_s390xcap=... ++ ++=head1 DESCRIPTION ++ ++libcrypto supports z/Architecture instruction set extensions. These ++extensions are denoted by individual bits in the capabilities vector. ++When libcrypto is initialized, the bits returned by the STFLE instruction ++and by the QUERY functions are stored in the vector. ++ ++To change the set of instructions available to an application, you can ++set the OPENSSL_s390xcap environment variable before you start the ++application. After initialization, the capability vector is ANDed bitwise ++with a mask which is derived from the environment variable. ++ ++The environment variable is a semicolon-separated list of tokens which is ++processed from left to right (whitespace is ignored): ++ ++ OPENSSL_s390xcap=";;..." ++ ++There are three types of tokens: ++ ++=over 4 ++ ++=item ++ ++The name of a processor generation. A bit in the environment variable's ++mask is set to one if and only if the specified processor generation ++implements the corresponding instruction set extension. Possible values ++are z900, z990, z9, z10, z196, zEC12, z13 and z14. ++ ++=item :: ++ ++The name of an instruction followed by two 64-bit masks. The part of the ++environment variable's mask corresponding to the specified instruction is ++set to the specified 128-bit mask. Possible values are kimd, klmd, km, kmc, ++kmac, kmctr, kmo, kmf, prno and kma. ++ ++=item stfle::: ++ ++Store-facility-list-extended (stfle) followed by three 64-bit masks. The ++part of the environment variable's mask corresponding to the stfle ++instruction is set to the specified 192-bit mask. ++ ++=back ++ ++The 64-bit masks are specified in hexadecimal notation. The 0x prefix is ++optional. Prefix a mask with a tilde (~) to denote a bitwise NOT operation. ++ ++The following is a list of significant bits for each instruction. Colon ++rows separate the individual 64-bit masks. The bit numbers in the first ++column are consistent with [1], that is, 0 denotes the leftmost bit and ++the numbering is continuous across 64-bit mask boundaries. ++ ++ Bit Mask Facility/Function ++ ++ stfle: ++ # 17 1<<46 message-security assist ++ # 25 1<<38 store-clock-fast facility ++ : ++ # 76 1<<51 message-security assist extension 3 ++ # 77 1<<50 message-security assist extension 4 ++ : ++ #129 1<<62 vector facility ++ #134 1<<57 vector packed decimal facility ++ #135 1<<56 vector enhancements facility 1 ++ #146 1<<45 message-security assist extension 8 ++ ++ kimd : ++ # 1 1<<62 KIMD-SHA-1 ++ # 2 1<<61 KIMD-SHA-256 ++ # 3 1<<60 KIMD-SHA-512 ++ # 32 1<<31 KIMD-SHA3-224 ++ # 33 1<<30 KIMD-SHA3-256 ++ # 34 1<<29 KIMD-SHA3-384 ++ # 35 1<<28 KIMD-SHA3-512 ++ # 36 1<<27 KIMD-SHAKE-128 ++ # 37 1<<26 KIMD-SHAKE-256 ++ : ++ # 65 1<<62 KIMD-GHASH ++ ++ klmd : ++ # 32 1<<31 KLMD-SHA3-224 ++ # 33 1<<30 KLMD-SHA3-256 ++ # 34 1<<29 KLMD-SHA3-384 ++ # 35 1<<28 KLMD-SHA3-512 ++ # 36 1<<27 KLMD-SHAKE-128 ++ # 37 1<<26 KLMD-SHAKE-256 ++ : ++ ++ km : ++ # 18 1<<45 KM-AES-128 ++ # 19 1<<44 KM-AES-192 ++ # 20 1<<43 KM-AES-256 ++ # 50 1<<13 KM-XTS-AES-128 ++ # 52 1<<11 KM-XTS-AES-256 ++ : ++ ++ kmc : ++ # 18 1<<45 KMC-AES-128 ++ # 19 1<<44 KMC-AES-192 ++ # 20 1<<43 KMC-AES-256 ++ : ++ ++ kmac : ++ # 18 1<<45 KMAC-AES-128 ++ # 19 1<<44 KMAC-AES-192 ++ # 20 1<<43 KMAC-AES-256 ++ : ++ ++ kmctr: ++ : ++ ++ kmo : ++ # 18 1<<45 KMO-AES-128 ++ # 19 1<<44 KMO-AES-192 ++ # 20 1<<43 KMO-AES-256 ++ : ++ ++ kmf : ++ # 18 1<<45 KMF-AES-128 ++ # 19 1<<44 KMF-AES-192 ++ # 20 1<<43 KMF-AES-256 ++ : ++ ++ prno : ++ : ++ ++ kma : ++ # 18 1<<45 KMA-GCM-AES-128 ++ # 19 1<<44 KMA-GCM-AES-192 ++ # 20 1<<43 KMA-GCM-AES-256 ++ : ++ ++=head1 EXAMPLES ++ ++Disables all instruction set extensions which the z196 processor does not implement: ++ ++ OPENSSL_s390xcap="z196" ++ ++Disables the vector facility: ++ ++ OPENSSL_s390xcap="stfle:~0:~0:~0x4000000000000000" ++ ++Disables the KM-XTS-AES and and the KIMD-SHAKE function codes: ++ ++ OPENSSL_s390xcap="km:~0x2800:~0;kimd:~0xc000000:~0" ++ ++=head1 RETURN VALUES ++ ++Not available. ++ ++=head1 SEE ALSO ++ ++[1] z/Architecture Principles of Operation, SA22-7832-11 ++ ++=head1 COPYRIGHT ++ ++Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. ++ ++Licensed under the OpenSSL license (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut +diff --git a/util/private.num b/util/private.num +index c456578c335..2bfe987b437 100644 +--- a/util/private.num ++++ b/util/private.num +@@ -3,6 +3,7 @@ + # assembly language, etc. + # + OPENSSL_ia32cap environment ++OPENSSL_s390xcap environment + OPENSSL_MALLOC_FD environment + OPENSSL_MALLOC_FAILURES environment + OPENSSL_instrument_bus assembler diff --git a/openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch b/openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch new file mode 100644 index 0000000..26b21f5 --- /dev/null +++ b/openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch @@ -0,0 +1,377 @@ +diff --git a/crypto/s390x_arch.h b/crypto/s390x_arch.h +index 34e04b4..a156c97 100644 +--- a/crypto/s390x_arch.h ++++ b/crypto/s390x_arch.h +@@ -26,6 +26,9 @@ void s390x_kmf(const unsigned char *in, size_t len, unsigned char *out, + unsigned int fc, void *param); + void s390x_kma(const unsigned char *aad, size_t alen, const unsigned char *in, + size_t len, unsigned char *out, unsigned int fc, void *param); ++int s390x_pcc(unsigned int fc, void *param); ++int s390x_kdsa(unsigned int fc, void *param, const unsigned char *in, ++ size_t len); + + /* + * The field elements of OPENSSL_s390xcap_P are the 64-bit words returned by +@@ -45,6 +48,8 @@ struct OPENSSL_s390xcap_st { + unsigned long long kmf[2]; + unsigned long long prno[2]; + unsigned long long kma[2]; ++ unsigned long long pcc[2]; ++ unsigned long long kdsa[2]; + }; + + #if defined(__GNUC__) && defined(__linux) +@@ -72,6 +77,8 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; + # define S390X_KMF 0x90 + # define S390X_PRNO 0xa0 + # define S390X_KMA 0xb0 ++# define S390X_PCC 0xc0 ++# define S390X_KDSA 0xd0 + + /* Facility Bit Numbers */ + # define S390X_MSA 17 /* message-security-assist */ +@@ -83,6 +90,7 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; + # define S390X_VXD 134 /* vector packed decimal */ + # define S390X_VXE 135 /* vector enhancements 1 */ + # define S390X_MSA8 146 /* message-security-assist-ext. 8 */ ++# define S390X_MSA9 155 /* message-security-assist-ext. 9 */ + + /* Function Codes */ + +@@ -114,10 +122,24 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; + # define S390X_SHA_512_DRNG 3 + # define S390X_TRNG 114 + ++/* pcc */ ++# define S390X_SCALAR_MULTIPLY_P256 64 ++# define S390X_SCALAR_MULTIPLY_P384 65 ++# define S390X_SCALAR_MULTIPLY_P521 66 ++ ++/* kdsa */ ++# define S390X_ECDSA_VERIFY_P256 1 ++# define S390X_ECDSA_VERIFY_P384 2 ++# define S390X_ECDSA_VERIFY_P521 3 ++# define S390X_ECDSA_SIGN_P256 9 ++# define S390X_ECDSA_SIGN_P384 10 ++# define S390X_ECDSA_SIGN_P521 11 ++ + /* Register 0 Flags */ + # define S390X_DECRYPT 0x80 + # define S390X_KMA_LPC 0x100 + # define S390X_KMA_LAAD 0x200 + # define S390X_KMA_HS 0x400 ++# define S390X_KDSA_D 0x80 + + #endif +diff --git a/crypto/s390xcap.c b/crypto/s390xcap.c +index da6af34..3d762fd 100644 +--- a/crypto/s390xcap.c ++++ b/crypto/s390xcap.c +@@ -140,6 +140,10 @@ void OPENSSL_cpuid_setup(void) + OPENSSL_s390xcap_P.prno[1] &= cap.prno[1]; + OPENSSL_s390xcap_P.kma[0] &= cap.kma[0]; + OPENSSL_s390xcap_P.kma[1] &= cap.kma[1]; ++ OPENSSL_s390xcap_P.pcc[0] &= cap.pcc[0]; ++ OPENSSL_s390xcap_P.pcc[1] &= cap.pcc[1]; ++ OPENSSL_s390xcap_P.kdsa[0] &= cap.kdsa[0]; ++ OPENSSL_s390xcap_P.kdsa[1] &= cap.kdsa[1]; + } + } + +@@ -166,6 +170,8 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) + .kmf = {0ULL, 0ULL}, + .prno = {0ULL, 0ULL}, + .kma = {0ULL, 0ULL}, ++ .pcc = {0ULL, 0ULL}, ++ .kdsa = {0ULL, 0ULL}, + }; + + /*- +@@ -192,6 +198,8 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) + .kmf = {0ULL, 0ULL}, + .prno = {0ULL, 0ULL}, + .kma = {0ULL, 0ULL}, ++ .pcc = {0ULL, 0ULL}, ++ .kdsa = {0ULL, 0ULL}, + }; + + /*- +@@ -223,6 +231,8 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) + .kmf = {0ULL, 0ULL}, + .prno = {0ULL, 0ULL}, + .kma = {0ULL, 0ULL}, ++ .pcc = {0ULL, 0ULL}, ++ .kdsa = {0ULL, 0ULL}, + }; + + /*- +@@ -260,6 +270,8 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) + .kmf = {0ULL, 0ULL}, + .prno = {0ULL, 0ULL}, + .kma = {0ULL, 0ULL}, ++ .pcc = {0ULL, 0ULL}, ++ .kdsa = {0ULL, 0ULL}, + }; + + /*- +@@ -316,6 +328,9 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) + 0ULL}, + .prno = {0ULL, 0ULL}, + .kma = {0ULL, 0ULL}, ++ .pcc = {S390X_CAPBIT(S390X_QUERY), ++ 0ULL}, ++ .kdsa = {0ULL, 0ULL}, + }; + + /*- +@@ -372,6 +387,9 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) + 0ULL}, + .prno = {0ULL, 0ULL}, + .kma = {0ULL, 0ULL}, ++ .pcc = {S390X_CAPBIT(S390X_QUERY), ++ 0ULL}, ++ .kdsa = {0ULL, 0ULL}, + }; + + /*- +@@ -432,6 +450,9 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) + | S390X_CAPBIT(S390X_SHA_512_DRNG), + 0ULL}, + .kma = {0ULL, 0ULL}, ++ .pcc = {S390X_CAPBIT(S390X_QUERY), ++ 0ULL}, ++ .kdsa = {0ULL, 0ULL}, + }; + + /*- +@@ -511,6 +532,101 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) + | S390X_CAPBIT(S390X_AES_192) + | S390X_CAPBIT(S390X_AES_256), + 0ULL}, ++ .pcc = {S390X_CAPBIT(S390X_QUERY), ++ 0ULL}, ++ .kdsa = {0ULL, 0ULL}, ++ }; ++ ++ /*- ++ * z15 (2019) - z/Architecture POP SA22-7832-12 ++ * Implements MSA and MSA1-9. ++ */ ++ static const struct OPENSSL_s390xcap_st z15 = { ++ /*.stfle = */{S390X_CAPBIT(S390X_MSA) ++ | S390X_CAPBIT(S390X_STCKF) ++ | S390X_CAPBIT(S390X_MSA5), ++ S390X_CAPBIT(S390X_MSA3) ++ | S390X_CAPBIT(S390X_MSA4), ++ S390X_CAPBIT(S390X_VX) ++ | S390X_CAPBIT(S390X_VXD) ++ | S390X_CAPBIT(S390X_VXE) ++ | S390X_CAPBIT(S390X_MSA8), ++ 0ULL}, ++ /*.kimd = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_1) ++ | S390X_CAPBIT(S390X_SHA_256) ++ | S390X_CAPBIT(S390X_SHA_512) ++ | S390X_CAPBIT(S390X_SHA3_224) ++ | S390X_CAPBIT(S390X_SHA3_256) ++ | S390X_CAPBIT(S390X_SHA3_384) ++ | S390X_CAPBIT(S390X_SHA3_512) ++ | S390X_CAPBIT(S390X_SHAKE_128) ++ | S390X_CAPBIT(S390X_SHAKE_256), ++ S390X_CAPBIT(S390X_GHASH)}, ++ /*.klmd = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_1) ++ | S390X_CAPBIT(S390X_SHA_256) ++ | S390X_CAPBIT(S390X_SHA_512) ++ | S390X_CAPBIT(S390X_SHA3_224) ++ | S390X_CAPBIT(S390X_SHA3_256) ++ | S390X_CAPBIT(S390X_SHA3_384) ++ | S390X_CAPBIT(S390X_SHA3_512) ++ | S390X_CAPBIT(S390X_SHAKE_128) ++ | S390X_CAPBIT(S390X_SHAKE_256), ++ 0ULL}, ++ /*.km = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256) ++ | S390X_CAPBIT(S390X_XTS_AES_128) ++ | S390X_CAPBIT(S390X_XTS_AES_256), ++ 0ULL}, ++ /*.kmc = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ /*.kmac = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ /*.kmctr = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ /*.kmo = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ /*.kmf = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ /*.prno = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SHA_512_DRNG), ++ S390X_CAPBIT(S390X_TRNG)}, ++ /*.kma = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_AES_128) ++ | S390X_CAPBIT(S390X_AES_192) ++ | S390X_CAPBIT(S390X_AES_256), ++ 0ULL}, ++ /*.pcc = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256) ++ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P384) ++ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521), ++ 0ULL}, ++ /*.kdsa = */{S390X_CAPBIT(S390X_QUERY) ++ | S390X_CAPBIT(S390X_ECDSA_VERIFY_P256) ++ | S390X_CAPBIT(S390X_ECDSA_VERIFY_P384) ++ | S390X_CAPBIT(S390X_ECDSA_VERIFY_P521) ++ | S390X_CAPBIT(S390X_ECDSA_SIGN_P256) ++ | S390X_CAPBIT(S390X_ECDSA_SIGN_P384) ++ | S390X_CAPBIT(S390X_ECDSA_SIGN_P521), ++ 0ULL}, + }; + + char *tok_begin, *tok_end, *buff, tok[S390X_STFLE_MAX][LEN + 1]; +@@ -554,6 +670,8 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) + else if TOK_FUNC(kmf) + else if TOK_FUNC(prno) + else if TOK_FUNC(kma) ++ else if TOK_FUNC(pcc) ++ else if TOK_FUNC(kdsa) + + /* CPU model tokens */ + else if TOK_CPU(z900) +@@ -564,6 +682,7 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) + else if TOK_CPU(zEC12) + else if TOK_CPU(z13) + else if TOK_CPU(z14) ++ else if TOK_CPU(z15) + + /* whitespace(ignored) or invalid tokens */ + else { +diff --git a/crypto/s390xcpuid.pl b/crypto/s390xcpuid.pl +index 3602301..344f4f6 100755 +--- a/crypto/s390xcpuid.pl ++++ b/crypto/s390xcpuid.pl +@@ -77,8 +77,13 @@ OPENSSL_s390x_functions: + stg %r0,S390X_PRNO+8(%r4) + stg %r0,S390X_KMA(%r4) + stg %r0,S390X_KMA+8(%r4) ++ stg %r0,S390X_PCC(%r4) ++ stg %r0,S390X_PCC+8(%r4) ++ stg %r0,S390X_KDSA(%r4) ++ stg %r0,S390X_KDSA+8(%r4) + + lmg %r2,%r3,S390X_STFLE(%r4) ++ + tmhl %r2,0x4000 # check for message-security-assist + jz .Lret + +@@ -102,6 +107,13 @@ OPENSSL_s390x_functions: + la %r1,S390X_KMAC(%r4) + .long 0xb91e0042 # kmac %r4,%r2 + ++ tmhh %r3,0x0003 # check for message-security-assist-3 ++ jz .Lret ++ ++ lghi %r0,S390X_QUERY # query pcc capability vector ++ la %r1,S390X_PCC(%r4) ++ .long 0xb92c0000 # pcc ++ + tmhh %r3,0x0004 # check for message-security-assist-4 + jz .Lret + +@@ -125,6 +137,7 @@ OPENSSL_s390x_functions: + .long 0xb93c0042 # prno %r4,%r2 + + lg %r2,S390X_STFLE+16(%r4) ++ + tmhl %r2,0x2000 # check for message-security-assist-8 + jz .Lret + +@@ -132,6 +145,13 @@ OPENSSL_s390x_functions: + la %r1,S390X_KMA(%r4) + .long 0xb9294022 # kma %r2,%r4,%r2 + ++ tmhl %r2,0x0010 # check for message-security-assist-9 ++ jz .Lret ++ ++ lghi %r0,S390X_QUERY # query kdsa capability vector ++ la %r1,S390X_KDSA(%r4) ++ .long 0xb93a0002 # kdsa %r0,%r2 ++ + .Lret: + br $ra + .size OPENSSL_s390x_functions,.-OPENSSL_s390x_functions +@@ -422,6 +442,57 @@ s390x_kma: + ___ + } + ++################ ++# void s390x_pcc(unsigned int fc, void *param) ++{ ++my ($fc,$param) = map("%r$_",(2..3)); ++$code.=<<___; ++.globl s390x_pcc ++.type s390x_pcc,\@function ++.align 16 ++s390x_pcc: ++ lr %r0,$fc ++ l${g}r %r1,$param ++ lhi %r2,0 ++ ++ .long 0xb92c0000 # pcc ++ brc 1,.-4 # pay attention to "partial completion" ++ brc 7,.Lpcc_err # if CC==0 return 0, else return 1 ++.Lpcc_out: ++ br $ra ++.Lpcc_err: ++ lhi %r2,1 ++ j .Lpcc_out ++.size s390x_pcc,.-s390x_pcc ++___ ++} ++ ++################ ++# void s390x_kdsa(unsigned int fc, void *param, ++# const unsigned char *in, size_t len) ++{ ++my ($fc,$param,$in,$len) = map("%r$_",(2..5)); ++$code.=<<___; ++.globl s390x_kdsa ++.type s390x_kdsa,\@function ++.align 16 ++s390x_kdsa: ++ lr %r0,$fc ++ l${g}r %r1,$param ++ lhi %r2,0 ++ ++ .long 0xb93a0004 # kdsa %r0,$in ++ brc 1,.-4 # pay attention to "partial completion" ++ brc 7,.Lkdsa_err # if CC==0 return 0, else return 1 ++.Lkdsa_out: ++ br $ra ++.Lkdsa_err: ++ lhi %r2,1 ++ j .Lkdsa_out ++.size s390x_kdsa,.-s390x_kdsa ++___ ++} ++ + $code.=<<___; + .section .init + brasl $ra,OPENSSL_cpuid_setup diff --git a/openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch b/openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch new file mode 100644 index 0000000..6a1177b --- /dev/null +++ b/openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch @@ -0,0 +1,41 @@ +From 2281be2ed4a7df462677661d30b13826ae6b3e26 Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Tue, 24 Sep 2019 14:44:27 +0200 +Subject: [PATCH 09530/10000] s390x assembly pack: cleanse only sensitive + fields + +of instruction parameter blocks. + +Signed-off-by: Patrick Steuer + +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/10004) +--- + crypto/ec/ecp_s390x_nistp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c +index be81f0b8f0..9533698b0f 100644 +--- a/crypto/ec/ecp_s390x_nistp.c ++++ b/crypto/ec/ecp_s390x_nistp.c +@@ -110,7 +110,7 @@ ret: + /* Otherwise use default. */ + if (rc == -1) + rc = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); +- OPENSSL_cleanse(param, sizeof(param)); ++ OPENSSL_cleanse(param + S390X_OFF_SCALAR(len), len); + BN_CTX_end(ctx); + BN_CTX_free(new_ctx); + return rc; +@@ -203,7 +203,7 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst, + + ok = 1; + ret: +- OPENSSL_cleanse(param, sizeof(param)); ++ OPENSSL_cleanse(param + S390X_OFF_K(len), 2 * len); + if (ok != 1) { + ECDSA_SIG_free(sig); + sig = NULL; +-- +2.24.0 + diff --git a/openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch b/openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch new file mode 100644 index 0000000..703c159 --- /dev/null +++ b/openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch @@ -0,0 +1,46 @@ +From ac037dc874a721ca81a33b4314e26cef4a7e8d48 Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Tue, 24 Sep 2019 23:20:00 +0200 +Subject: [PATCH 09529/10000] s390x assembly pack: fix OPENSSL_s390xcap z15 cpu + mask + +Signed-off-by: Patrick Steuer + +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/10004) +--- + crypto/s390xcap.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/crypto/s390xcap.c b/crypto/s390xcap.c +index 5123e14fa6..3e6aeae1df 100644 +--- a/crypto/s390xcap.c ++++ b/crypto/s390xcap.c +@@ -578,7 +578,8 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) + S390X_CAPBIT(S390X_VX) + | S390X_CAPBIT(S390X_VXD) + | S390X_CAPBIT(S390X_VXE) +- | S390X_CAPBIT(S390X_MSA8), ++ | S390X_CAPBIT(S390X_MSA8) ++ | S390X_CAPBIT(S390X_MSA9), + 0ULL}, + /*.kimd = */{S390X_CAPBIT(S390X_QUERY) + | S390X_CAPBIT(S390X_SHA_1) +@@ -642,11 +643,10 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap) + | S390X_CAPBIT(S390X_AES_192) + | S390X_CAPBIT(S390X_AES_256), + 0ULL}, +- /*.pcc = */{S390X_CAPBIT(S390X_QUERY) +- | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256) ++ /*.pcc = */{S390X_CAPBIT(S390X_QUERY), ++ S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256) + | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P384) +- | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521), +- 0ULL}, ++ | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521)}, + /*.kdsa = */{S390X_CAPBIT(S390X_QUERY) + | S390X_CAPBIT(S390X_ECDSA_VERIFY_P256) + | S390X_CAPBIT(S390X_ECDSA_VERIFY_P384) +-- +2.24.0 + diff --git a/openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch b/openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch new file mode 100644 index 0000000..59b40cc --- /dev/null +++ b/openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch @@ -0,0 +1,26 @@ +From b3681e2641999be6c1f70e66497fe384d683a07e Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Tue, 24 Sep 2019 23:03:19 +0200 +Subject: [PATCH 09528/10000] s390x assembly pack: fix msa3 stfle bit detection + +Signed-off-by: Patrick Steuer + +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/10004) +--- + crypto/s390xcpuid.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: openssl-1.1.1d/crypto/s390xcpuid.pl +=================================================================== +--- openssl-1.1.1d.orig/crypto/s390xcpuid.pl 2020-01-23 13:45:11.064632028 +0100 ++++ openssl-1.1.1d/crypto/s390xcpuid.pl 2020-01-23 13:45:11.188632764 +0100 +@@ -107,7 +107,7 @@ OPENSSL_s390x_functions: + la %r1,S390X_KMAC(%r4) + .long 0xb91e0042 # kmac %r4,%r2 + +- tmhh %r3,0x0003 # check for message-security-assist-3 ++ tmhh %r3,0x0008 # check for message-security-assist-3 + jz .Lret + + lghi %r0,S390X_QUERY # query pcc capability vector diff --git a/openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch b/openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch new file mode 100644 index 0000000..9dc66cb --- /dev/null +++ b/openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch @@ -0,0 +1,67 @@ +From da93b5cc2bc931b998f33ee432bc1ae2b38fccca Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Wed, 26 Jun 2019 23:41:35 +0200 +Subject: [PATCH 08968/10000] s390x assembly pack: update OPENSSL_s390xcap(3) + +Add description of capability vector's pcc and kma parts. + +Signed-off-by: Patrick Steuer + +Reviewed-by: Richard Levitte +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/9258) +--- + doc/man3/OPENSSL_s390xcap.pod | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +Index: openssl-1.1.1d/doc/man3/OPENSSL_s390xcap.pod +=================================================================== +--- openssl-1.1.1d.orig/doc/man3/OPENSSL_s390xcap.pod ++++ openssl-1.1.1d/doc/man3/OPENSSL_s390xcap.pod +@@ -34,14 +34,14 @@ There are three types of tokens: + The name of a processor generation. A bit in the environment variable's + mask is set to one if and only if the specified processor generation + implements the corresponding instruction set extension. Possible values +-are z900, z990, z9, z10, z196, zEC12, z13 and z14. ++are z900, z990, z9, z10, z196, zEC12, z13, z14 and z15. + + =item :: + + The name of an instruction followed by two 64-bit masks. The part of the + environment variable's mask corresponding to the specified instruction is + set to the specified 128-bit mask. Possible values are kimd, klmd, km, kmc, +-kmac, kmctr, kmo, kmf, prno and kma. ++kmac, kmctr, kmo, kmf, prno, kma, pcc and kdsa. + + =item stfle::: + +@@ -153,13 +153,28 @@ Disables the KM-XTS-AES and and the KIMD + + OPENSSL_s390xcap="km:~0x2800:~0;kimd:~0xc000000:~0" + ++ pcc : ++ : ++ # 64 1<<63 PCC-Scalar-Multiply-P256 ++ # 65 1<<62 PCC-Scalar-Multiply-P384 ++ # 66 1<<61 PCC-Scalar-Multiply-P521 ++ ++ kdsa : ++ # 1 1<<62 KDSA-ECDSA-Verify-P256 ++ # 2 1<<61 KDSA-ECDSA-Verify-P384 ++ # 3 1<<60 KDSA-ECDSA-Verify-P521 ++ # 9 1<<54 KDSA-ECDSA-Sign-P256 ++ # 10 1<<53 KDSA-ECDSA-Sign-P384 ++ # 11 1<<52 KDSA-ECDSA-Sign-P521 ++ : ++ + =head1 RETURN VALUES + + Not available. + + =head1 SEE ALSO + +-[1] z/Architecture Principles of Operation, SA22-7832-11 ++[1] z/Architecture Principles of Operation, SA22-7832-12 + + =head1 COPYRIGHT + diff --git a/openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch b/openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch new file mode 100644 index 0000000..7abdf15 --- /dev/null +++ b/openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch @@ -0,0 +1,127 @@ +Index: openssl-1.1.1d/crypto/ec/ecx_meth.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/ec/ecx_meth.c ++++ openssl-1.1.1d/crypto/ec/ecx_meth.c +@@ -842,6 +842,7 @@ static const EVP_PKEY_METHOD ed448_pkey_ + + #ifdef S390X_EC_ASM + # include "s390x_arch.h" ++# include "internal/constant_time.h" + + static void s390x_x25519_mod_p(unsigned char u[32]) + { +@@ -855,16 +856,16 @@ static void s390x_x25519_mod_p(unsigned + u_red[31] = (unsigned char)c; + c >>= 8; + +- for (i = 30; c > 0 && i >= 0; i--) { ++ for (i = 30; i >= 0; i--) { + c += (unsigned int)u_red[i]; + u_red[i] = (unsigned char)c; + c >>= 8; + } + +- if (u_red[0] & 0x80) { +- u_red[0] &= 0x7f; +- memcpy(u, u_red, sizeof(u_red)); +- } ++ c = (u_red[0] & 0x80) >> 7; ++ u_red[0] &= 0x7f; ++ constant_time_cond_swap_buff(0 - (unsigned char)c, ++ u, u_red, sizeof(u_red)); + } + + static void s390x_x448_mod_p(unsigned char u[56]) +@@ -889,16 +890,14 @@ static void s390x_x448_mod_p(unsigned ch + u_red[27] = (unsigned char)c; + c >>= 8; + +- for (i = 26; c > 0 && i >= 0; i--) { ++ for (i = 26; i >= 0; i--) { + c += (unsigned int)u_red[i]; + u_red[i] = (unsigned char)c; + c >>= 8; + } + +- if (u_red[0] & 0x80) { +- u_red[0] &= 0x7f; +- memcpy(u, u_red, sizeof(u_red)); +- } ++ constant_time_cond_swap_buff(0 - (unsigned char)c, ++ u, u_red, sizeof(u_red)); + } + + static int s390x_x25519_mul(unsigned char u_dst[32], +@@ -954,7 +953,7 @@ static int s390x_x448_mul(unsigned char + memcpy(param.x448.d_src, d_src, 56); + + s390x_flip_endian64(param.x448.u_src, param.x448.u_src); +- s390x_x448_mod_p(param.x448.u_src); ++ s390x_x448_mod_p(param.x448.u_src + 8); + + s390x_flip_endian64(param.x448.d_src, param.x448.d_src); + param.x448.d_src[63] &= 252; +Index: openssl-1.1.1d/include/internal/constant_timeh +=================================================================== +--- openssl-1.1.1d.orig/include/internal/constant_time.h ++++ openssl-1.1.1d/include/internal/constant_time.h +@@ -353,6 +353,34 @@ static ossl_inline void constant_time_co + } + + /* ++ * mask must be 0xFF or 0x00. ++ * "constant time" is per len. ++ * ++ * if (mask) { ++ * unsigned char tmp[len]; ++ * ++ * memcpy(tmp, a, len); ++ * memcpy(a, b); ++ * memcpy(b, tmp); ++ * } ++ */ ++static ossl_inline void constant_time_cond_swap_buff(unsigned char mask, ++ unsigned char *a, ++ unsigned char *b, ++ size_t len) ++{ ++ size_t i; ++ unsigned char tmp; ++ ++ for (i = 0; i < len; i++) { ++ tmp = a[i] ^ b[i]; ++ tmp &= mask; ++ a[i] ^= tmp; ++ b[i] ^= tmp; ++ } ++} ++ ++/* + * table is a two dimensional array of bytes. Each row has rowsize elements. + * Copies row number idx into out. rowsize and numrows are not considered + * private. +Index: openssl-1.1.1d/test/recipes/30-test_evp_data/evppkey.txt +=================================================================== +--- openssl-1.1.1d.orig/test/recipes/30-test_evp_data/evppkey.txt ++++ openssl-1.1.1d/test/recipes/30-test_evp_data/evppkey.txt +@@ -814,6 +814,8 @@ PublicKeyRaw=Bob-448-PUBLIC-Raw:X448:3eb + + PrivPubKeyPair = Bob-448-Raw:Bob-448-PUBLIC-Raw + ++PublicKeyRaw=Bob-448-PUBLIC-Raw-NonCanonical:X448:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ++ + Derive=Alice-448 + PeerKey=Bob-448-PUBLIC + SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d +@@ -830,6 +832,11 @@ Derive=Bob-448-Raw + PeerKey=Alice-448-PUBLIC-Raw + SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d + ++# Self-generated non-canonical ++Derive=Alice-448-Raw ++PeerKey=Bob-448-PUBLIC-Raw-NonCanonical ++SharedSecret=66e2e682b1f8e68c809f1bb3e406bd826921d9c1a5bfbfcbab7ae72feecee63660eabd54934f3382061d17607f581a90bdac917a064959fb ++ + # Illegal sign/verify operations with X448 key + + Sign=Alice-448 diff --git a/openssl-s390xcpuid.pl-fix-comment.patch b/openssl-s390xcpuid.pl-fix-comment.patch new file mode 100644 index 0000000..0342dfd --- /dev/null +++ b/openssl-s390xcpuid.pl-fix-comment.patch @@ -0,0 +1,38 @@ +From 9baa4d5f4c9f596faba2b3e219b367a09c472d1d Mon Sep 17 00:00:00 2001 +From: Patrick Steuer +Date: Wed, 3 Jul 2019 18:02:11 +0200 +Subject: [PATCH 09203/10000] s390xcpuid.pl: fix comment + +Signed-off-by: Patrick Steuer + +Reviewed-by: Richard Levitte +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/9348) +--- + crypto/s390xcpuid.pl | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +Index: openssl-1.1.1d/crypto/s390xcpuid.pl +=================================================================== +--- openssl-1.1.1d.orig/crypto/s390xcpuid.pl ++++ openssl-1.1.1d/crypto/s390xcpuid.pl +@@ -431,7 +431,7 @@ ___ + } + + ################ +-# void s390x_pcc(unsigned int fc, void *param) ++# int s390x_pcc(unsigned int fc, void *param) + { + my ($fc,$param) = map("%r$_",(2..3)); + $code.=<<___; +@@ -456,8 +456,8 @@ ___ + } + + ################ +-# void s390x_kdsa(unsigned int fc, void *param, +-# const unsigned char *in, size_t len) ++# int s390x_kdsa(unsigned int fc, void *param, ++# const unsigned char *in, size_t len) + { + my ($fc,$param,$in,$len) = map("%r$_",(2..5)); + $code.=<<___; diff --git a/openssl-s_client-check-ocsp-status.patch b/openssl-s_client-check-ocsp-status.patch new file mode 100644 index 0000000..cbd4161 --- /dev/null +++ b/openssl-s_client-check-ocsp-status.patch @@ -0,0 +1,492 @@ +commit c43f598838acaf3b98df4fce4b6babb663d2f902 +Author: Otto Hollmann +Date: Fri Jun 30 11:15:30 2023 +0200 + + Add OCSP_RESPONSE_check_status(), a function to check OCSP response for revoked certificate in s_client. + +--- + apps/s_client.c | 10 + + crypto/ocsp/ocsp_vfy.c | 31 +++++ + doc/man3/OCSP_response_status.pod | 15 ++ + include/openssl/ocsp.h | 1 + test/recipes/80-test_ocsp_check.t | 90 +++++++++++++++++ + test/recipes/80-test_ocsp_check_data/ca.pem | 19 +++ + test/recipes/80-test_ocsp_check_data/index-revoked.txt | 2 + test/recipes/80-test_ocsp_check_data/index-valid.txt | 2 + test/recipes/80-test_ocsp_check_data/ocsp.key | 28 +++++ + test/recipes/80-test_ocsp_check_data/ocsp.pem | 75 ++++++++++++++ + test/recipes/80-test_ocsp_check_data/server.key | 28 +++++ + test/recipes/80-test_ocsp_check_data/server.pem | 75 ++++++++++++++ + util/libcrypto.num | 1 + 13 files changed, 372 insertions(+), 5 deletions(-) + +--- a/apps/s_client.c ++++ b/apps/s_client.c +@@ -3390,7 +3390,7 @@ static void print_stuff(BIO *bio, SSL *s + static int ocsp_resp_cb(SSL *s, void *arg) + { + const unsigned char *p; +- int len; ++ int len, ret; + OCSP_RESPONSE *rsp; + len = SSL_get_tlsext_status_ocsp_resp(s, &p); + BIO_puts(arg, "OCSP response: "); +@@ -3407,8 +3407,14 @@ static int ocsp_resp_cb(SSL *s, void *ar + BIO_puts(arg, "\n======================================\n"); + OCSP_RESPONSE_print(arg, rsp, 0); + BIO_puts(arg, "======================================\n"); ++ ret = OCSP_RESPONSE_check_status(rsp); + OCSP_RESPONSE_free(rsp); +- return 1; ++ if (ret <= -1) { ++ BIO_puts(arg, "unable to verify OCSP response\n"); ++ } else if (ret == 0) { ++ BIO_puts(arg, "revoked certificate found in OCSP response\n"); ++ } ++ return ret; + } + # endif + +--- a/crypto/ocsp/ocsp_vfy.c ++++ b/crypto/ocsp/ocsp_vfy.c +@@ -433,3 +433,34 @@ static int ocsp_req_find_signer(X509 **p + } + return 0; + } ++ ++/* ++ * Check an OCSP response for revoked certificate. Return a negative value on ++ * error; 0 if the response is not acceptable (in which case the handshake ++ * will fail) or a positive value if it is acceptable (no revoked certificate ++ * is found). ++ */ ++ ++int OCSP_RESPONSE_check_status(OCSP_RESPONSE *o) ++{ ++ int i; ++ OCSP_BASICRESP *br = NULL; ++ OCSP_RESPDATA *rd = NULL; ++ OCSP_SINGLERESP *single = NULL; ++ OCSP_RESPBYTES *rb = o->responseBytes; ++ if (rb == NULL) ++ return -1; ++ if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) ++ return -1; ++ if ((br = OCSP_response_get1_basic(o)) == NULL) ++ return -1; ++ rd = &br->tbsResponseData; ++ for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) { ++ if (!sk_OCSP_SINGLERESP_value(rd->responses, i)) ++ continue; ++ single = sk_OCSP_SINGLERESP_value(rd->responses, i); ++ if (single->certStatus->type == V_OCSP_CERTSTATUS_REVOKED) ++ return 0; ++ } ++ return 1; ++} +--- a/doc/man3/OCSP_response_status.pod ++++ b/doc/man3/OCSP_response_status.pod +@@ -2,8 +2,8 @@ + + =head1 NAME + +-OCSP_response_status, OCSP_response_get1_basic, OCSP_response_create, +-OCSP_RESPONSE_free, OCSP_RESPID_set_by_name, ++OCSP_response_status, OCSP_RESPONSE_check_status, OCSP_response_get1_basic, ++OCSP_response_create, OCSP_RESPONSE_free, OCSP_RESPID_set_by_name, + OCSP_RESPID_set_by_key, OCSP_RESPID_match, + OCSP_basic_sign, OCSP_basic_sign_ctx - OCSP response functions + +@@ -12,6 +12,7 @@ OCSP_basic_sign, OCSP_basic_sign_ctx - O + #include + + int OCSP_response_status(OCSP_RESPONSE *resp); ++ int OCSP_RESPONSE_check_status(OCSP_RESPONSE *resp); + OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp); + OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs); + void OCSP_RESPONSE_free(OCSP_RESPONSE *resp); +@@ -34,6 +35,10 @@ B + B, B + B, or B. + ++OCSP_RESPONSE_check_status() check status of the OCSP response I. It ++returns a negative value on error; 0 if the response is not acceptable ++(e.g. contains revoked certificate) or a positive value if it is acceptable. ++ + OCSP_response_get1_basic() decodes and returns the B structure + contained in B. + +@@ -65,7 +70,11 @@ uses the parameters contained in digest + + =head1 RETURN VALUES + +-OCSP_RESPONSE_status() returns a status value. ++OCSP_response_status() returns a status value. ++ ++OCSP_RESPONSE_check_status() returns a result of check - negative value on ++error; 0 if the response is not acceptable; positive value if response is ++acceptable. + + OCSP_response_get1_basic() returns an B structure pointer or + B if an error occurred. +--- a/include/openssl/ocsp.h ++++ b/include/openssl/ocsp.h +@@ -340,6 +340,7 @@ const char *OCSP_crl_reason_str(long s); + + int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *a, unsigned long flags); + int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags); ++int OCSP_RESPONSE_check_status(OCSP_RESPONSE *o); + + int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, + X509_STORE *st, unsigned long flags); +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check.t +@@ -0,0 +1,90 @@ ++#! /usr/bin/env perl ++# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++use strict; ++use warnings; ++ ++use IPC::Open2; ++use OpenSSL::Test qw/:DEFAULT srctop_file bldtop_file/; ++use OpenSSL::Test::Utils; ++ ++setup("test_ocsp_check"); ++ ++plan tests => 2; ++ ++my $shlib_wrap = bldtop_file("util", "shlib_wrap.sh"); ++my $apps_openssl = bldtop_file("apps", "openssl"); ++my $ca = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ca.pem"); ++my $ca_key = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ca.key"); ++my $ocsp = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ocsp.pem"); ++my $ocsp_key = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ocsp.key"); ++my $server = srctop_file("test", "recipes", "80-test_ocsp_check_data", "server.pem"); ++my $server_key = srctop_file("test", "recipes", "80-test_ocsp_check_data", "server.key"); ++my $index; ++my $ocsp_port = 9999; ++my $https_port = 8443; ++# 20 July 2023 so we don't get certificate expiry errors. ++my @check_time=("-attime", "1689811200"); ++ ++sub run_test { ++ my $id = shift; ++ my $connect_good = 0; ++ ++ if ($id == 0) { ++ $index = srctop_file("test", "recipes", "80-test_ocsp_check_data", "index-valid.txt"); ++ } ++ if ($id == 1) { ++ $index = srctop_file("test", "recipes", "80-test_ocsp_check_data", "index-revoked.txt"); ++ } ++ # OCSP responder ++ my @o_cmd = ("ocsp", "-index", $index, "-port", "$ocsp_port", "-rsigner", $ocsp, "-rkey", $ocsp_key, "-CA", $ca, "-nrequest", "1", @check_time); ++ # server ++ my @s_cmd = ("s_server", "-www", "-status_url", "http://127.0.0.1:$ocsp_port", "-accept", "$https_port", "-cert", $server, "-key", $server_key, "-state", "-CAfile", $ca, "-naccept", "1", @check_time); ++ # client ++ my @c_cmd = ("s_client", "-connect", ":$https_port", "-CAfile", $ca, "-status", "-verify_return_error", "-strict", @check_time); ++ ++ # Run the OCSP responder ++ my $o_pid = open2(my $o_out, my $o_in, $shlib_wrap, $apps_openssl, @o_cmd); ++ ++ # Start up the server ++ my $s_pid = open2(my $s_out, my $s_in, $shlib_wrap, $apps_openssl, @s_cmd); ++ while (<$s_out>) { ++ chomp; ++ if (/^ACCEPT$/) { ++ print "Server ready\n"; ++ last; ++ } ++ } ++ ++ # Start up the client ++ my $c_pid = open2(my $c_out, my $c_in, $shlib_wrap, $apps_openssl, @c_cmd); ++ if ($id == 0) { ++ # Do the "GET", which will cause the client to finish ++ print $c_in "GET /\r\n"; ++ } ++ ++ waitpid($c_pid, 0); ++ waitpid($s_pid, 0); ++ waitpid($o_pid, 0); ++ ++ # Check the client output ++ while (<$c_out>) { ++ chomp; ++ if ($id == 0) { ++ $connect_good = 1 if /^Content-type: text/; ++ } ++ if ($id == 1) { ++ $connect_good = 1 if /^revoked certificate found in OCSP response/; ++ } ++ } ++ print STDERR "Connection failed\n" if ! ok($connect_good); ++} ++ ++for my $index (0..1) { ++ run_test($index) ++} +\ No newline at end of file +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/ca.pem +@@ -0,0 +1,19 @@ ++-----BEGIN CERTIFICATE----- ++MIIDBTCCAe2gAwIBAgIUZot4eag1ZaofYsMIB7HIzq8+zGEwDQYJKoZIhvcNAQEL ++BQAwEjEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMzA3MTIwOTI5NDdaFw0zMzA3MDkw ++OTI5NDdaMBIxEDAOBgNVBAMMB1Jvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB ++DwAwggEKAoIBAQDRRSlP0gUVVlzMkEtVzX95n5lM+P36lyNgevKqY1Dl3ygPAzaq ++HRUBsgcxdDwWwMPO2u5UJOWaQ80nwFGROwX8WrRoBTvsUZ+URyXx98tHrhnD6wI9 ++v30xYGN0RU2Ef2XnMvThhKRQVZJJWAHFPWZdPes0/g3H4FGJudOQJUHpiDD1UEF+ ++cWxyujhVbvBFCX+mBS+r/tn75axjsUqmbxwCE7TK3CD0JdvlLUYxtybvozYoONot ++/mFleCMmPaTzPHan+iXNHp4Tn+3Ssndo3uiTr0pEbGgSOy2PppbZmv0ml0+CSLN4 ++G8VaBBf7VTMayowEmmDgTpsOTi9tJqW2CcGzAgMBAAGjUzBRMB0GA1UdDgQWBBRj ++L87V9mqTdWYMCNNBb6Hay7OwPjAfBgNVHSMEGDAWgBRjL87V9mqTdWYMCNNBb6Ha ++y7OwPjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC09qzufLI/ ++AoBscY8e9Q4pRhzeVVAKQ6yAZiO2O0o3trI5xKqD3iD0pOC7Mbfg0e0lneK6ovpd ++J178HwF4PMdiwvPH0KkAf0DaB96nC6U6oGQmItq8668jeVBjat0UCP3xiLmLhhAl ++mnnsgFC1eALmpWQPVlixUaXF4ri3R0QBUcc2kIV5zr1P3LJVboMSgCZULvrlfQLC ++kA0GdCCf6h08AFHRaIW8EE3I1IHNZc7eQcmnCLewHU5cPAYJ69GjhblSLS8kbpXK ++k7BllPLkk99zc/94okTasTjUkmha3RhRqMNL8jrYVc1m7H4U+4XUyh1y4C4Nmz18 ++fBbrMxN2SCXM ++-----END CERTIFICATE----- +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/index-revoked.txt +@@ -0,0 +1,2 @@ ++V 240711093229Z 1000 unknown /CN=OCSP ++R 240711093313Z 230621000000Z 1001 unknown /CN=Server +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/index-valid.txt +@@ -0,0 +1,2 @@ ++V 240711093229Z 1000 unknown /CN=OCSP ++V 240711093313Z 1001 unknown /CN=Server +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/ocsp.key +@@ -0,0 +1,28 @@ ++-----BEGIN PRIVATE KEY----- ++MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDZ2OLi8cpvoinQ ++bs4YEmk9GdQNcg9+zBRHy/YRJF+bbdreINweLYigHg2D3rcJnrjXkNAmd08aD0x+ ++4iq58Tvy5P48VZ+c1R3XUs1YQR20sKgnM8w+uF2SXxX18Idy31pNErYh3J8jVpBi ++moMP9dC22iNB4kTKf1ORM6HaKnHM8wg3JzXv9lVoIQgAgyAmJOoQXhQ8Kn1AOj3j ++vp1Jgm2hI4e2MTjgjraT9sKxPXIZkKnTwnZX88MpE9HvsQ7XV2CdYmMry+L69X68 ++bl3S1eisDjeIvHPtz6TenZs7wxbupy7OtdOKRxa/mDh9C76XHiNPoukUF1NVZ93S ++647ud7enAgMBAAECggEAFy+JbQxn9nwExZ2Cy4wWGFM0lF5vPhhmu4IpRTIhB4Vo ++gIYbIg5y6/vBhidWRYICUVXP2ZrkLTVd97kxlqBmuCzdeZAcEKXxavacoAfaK142 ++n2mDaP+CsgPzGJMfj2nXOLxvlxNd+qBey1J/oDC8+eEl/yqfwLT5hiA/2dz08hI6 ++IU0BudOB6H5iBK74MJsubdm0tsY4iqTykXeiR+n5dvVGDXLUX74BDHlD9O7AAo10 ++h74Vw22luigsV0spCVLoOYy6z9KMkOaHZRruPmF3UCsfJZFY2y6uMapvbdgUavr9 ++5fpsx40ep/mjRkYainHfJK1YkV/AoTxKjPQu2owJIQKBgQD0akN75lGXaAMQ0oEA ++1UrvZg75BQxPN+3qVtyynoQGVh58uRIaeG4DQdtc4nNPYI6o6NGbJk4T4wXU7W/3 ++XUr+U/LdSGpHfM9gXGCUNgoJeUKY3NLUGdE4DIGDiJrmJfd5NDj37+PAQUTLBO49 ++A0+BPnictZPffXuXCGL7lt7hYQKBgQDkLD9jV6HNtv8pAxFdQM+89NhWZCvpuTAs ++rihG3ebblBotMuGsrZDJ75UKq5wPEGCZWDc5q2h8L6CiyQF7Vht4/pi4NEhsA9My ++5hOGUJJVvvFmEIYz0GoCGqoDqag1XpKx8MYMvcc52bhzsYCy+dpnqraISeyiFPLM ++hdy+3jROBwKBgAqKEoLjOZ13xLoS+bEZgXO1SOwABbncxYuXV0j0gOjtCb+DE37E ++tqm5S0ZEFYjUtxIdh/xSuIcvAO9flbZq9XLmF9Dm8H5IqYCUOy3o7qHd8rs4unae ++7mCmWWdcmqFV/cfiMpquY3nE1rySZ9uFqwX9taG8SrYWaR/oIqyKou3BAoGBAJgX ++2oT4s/UxJzKKRffYLOEygEZN7WuVMsSFrnlWjv0M4soAIaf95gaFOd7r91GfRBTT ++VbSOSk6FXNlFjUROaG+lnd0jlKbTgeNqs9cTPAgGCFlVaG9/XDpc1bktTN+OU9Bi ++w1FY60TnmOkdh8FFhM0XYSbFyANeXV3xWOytp0XfAoGBAO2FkR3oGd3DSJmeljwJ ++HciEmlYCk38z93mZXiDTh4axS+mxAMYVRXt0dDUveyImlpcGi9coYmQPEzgk6spQ ++DOeRzRQcWQWfny9/UoGFU/Kv6QmpteAWaSjinBWKONx9d5AGzAkzms79tS8JMeL5 +++wlkyD8NclbRA+ILu+V8HLed ++-----END PRIVATE KEY----- +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/ocsp.pem +@@ -0,0 +1,75 @@ ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 4096 (0x1000) ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: CN=Root CA ++ Validity ++ Not Before: Jul 12 09:32:29 2023 GMT ++ Not After : Jul 11 09:32:29 2024 GMT ++ Subject: CN=OCSP ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (2048 bit) ++ Modulus: ++ 00:d9:d8:e2:e2:f1:ca:6f:a2:29:d0:6e:ce:18:12: ++ 69:3d:19:d4:0d:72:0f:7e:cc:14:47:cb:f6:11:24: ++ 5f:9b:6d:da:de:20:dc:1e:2d:88:a0:1e:0d:83:de: ++ b7:09:9e:b8:d7:90:d0:26:77:4f:1a:0f:4c:7e:e2: ++ 2a:b9:f1:3b:f2:e4:fe:3c:55:9f:9c:d5:1d:d7:52: ++ cd:58:41:1d:b4:b0:a8:27:33:cc:3e:b8:5d:92:5f: ++ 15:f5:f0:87:72:df:5a:4d:12:b6:21:dc:9f:23:56: ++ 90:62:9a:83:0f:f5:d0:b6:da:23:41:e2:44:ca:7f: ++ 53:91:33:a1:da:2a:71:cc:f3:08:37:27:35:ef:f6: ++ 55:68:21:08:00:83:20:26:24:ea:10:5e:14:3c:2a: ++ 7d:40:3a:3d:e3:be:9d:49:82:6d:a1:23:87:b6:31: ++ 38:e0:8e:b6:93:f6:c2:b1:3d:72:19:90:a9:d3:c2: ++ 76:57:f3:c3:29:13:d1:ef:b1:0e:d7:57:60:9d:62: ++ 63:2b:cb:e2:fa:f5:7e:bc:6e:5d:d2:d5:e8:ac:0e: ++ 37:88:bc:73:ed:cf:a4:de:9d:9b:3b:c3:16:ee:a7: ++ 2e:ce:b5:d3:8a:47:16:bf:98:38:7d:0b:be:97:1e: ++ 23:4f:a2:e9:14:17:53:55:67:dd:d2:eb:8e:ee:77: ++ b7:a7 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: ++ CA:FALSE ++ X509v3 Subject Key Identifier: ++ 2B:C9:AC:45:83:BB:96:5B:73:77:1A:F8:DB:F9:98:44:C6:E8:55:95 ++ X509v3 Authority Key Identifier: ++ 63:2F:CE:D5:F6:6A:93:75:66:0C:08:D3:41:6F:A1:DA:CB:B3:B0:3E ++ Signature Algorithm: sha256WithRSAEncryption ++ Signature Value: ++ 02:87:49:a3:6f:c4:59:38:94:f9:f7:1a:ff:6f:4c:b4:6b:bd: ++ d2:79:98:5c:90:a8:49:45:ec:91:4e:ac:45:ec:8d:81:7f:ce: ++ ea:2f:93:c1:40:49:d4:c7:f2:ae:c0:60:1d:7d:65:91:83:63: ++ 51:4c:f0:ce:ef:81:dc:43:a6:b3:01:39:66:52:2d:1d:08:16: ++ a7:a7:54:78:e6:7a:06:49:5f:86:37:12:48:42:ab:37:a9:c0: ++ 04:98:70:45:50:9e:6d:30:6d:6d:81:05:79:1b:5c:2b:75:b9: ++ a8:46:22:4a:80:c9:ab:7c:f7:b2:63:69:ed:08:31:32:bd:8e: ++ f8:d7:8e:8e:29:8e:f6:b0:52:c2:a3:19:c1:e0:88:de:de:94: ++ 4f:f1:a5:9b:1c:1c:c0:11:79:7f:df:38:1b:97:a9:6c:26:fc: ++ 7e:31:f5:78:ba:c1:1d:e6:7c:e1:8e:b3:c5:91:fc:f6:5f:44: ++ 18:44:0b:15:c8:94:a5:a7:02:58:2f:be:f4:e4:80:0a:ce:8e: ++ 33:36:dd:0f:39:d3:b6:ae:57:d2:46:b4:a2:d1:49:c9:29:a7: ++ a0:a7:62:a7:2e:2d:7d:91:94:12:f7:55:13:54:d5:4e:4d:eb: ++ 1f:78:a7:9e:a9:93:f9:6c:a9:ec:97:2e:c6:04:67:fa:95:47: ++ 1e:2c:d2:74 ++-----BEGIN CERTIFICATE----- ++MIIC6jCCAdKgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHUm9v ++dCBDQTAeFw0yMzA3MTIwOTMyMjlaFw0yNDA3MTEwOTMyMjlaMA8xDTALBgNVBAMM ++BE9DU1AwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZ2OLi8cpvoinQ ++bs4YEmk9GdQNcg9+zBRHy/YRJF+bbdreINweLYigHg2D3rcJnrjXkNAmd08aD0x+ ++4iq58Tvy5P48VZ+c1R3XUs1YQR20sKgnM8w+uF2SXxX18Idy31pNErYh3J8jVpBi ++moMP9dC22iNB4kTKf1ORM6HaKnHM8wg3JzXv9lVoIQgAgyAmJOoQXhQ8Kn1AOj3j ++vp1Jgm2hI4e2MTjgjraT9sKxPXIZkKnTwnZX88MpE9HvsQ7XV2CdYmMry+L69X68 ++bl3S1eisDjeIvHPtz6TenZs7wxbupy7OtdOKRxa/mDh9C76XHiNPoukUF1NVZ93S ++647ud7enAgMBAAGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFCvJrEWDu5Zbc3ca +++Nv5mETG6FWVMB8GA1UdIwQYMBaAFGMvztX2apN1ZgwI00FvodrLs7A+MA0GCSqG ++SIb3DQEBCwUAA4IBAQACh0mjb8RZOJT59xr/b0y0a73SeZhckKhJReyRTqxF7I2B ++f87qL5PBQEnUx/KuwGAdfWWRg2NRTPDO74HcQ6azATlmUi0dCBanp1R45noGSV+G ++NxJIQqs3qcAEmHBFUJ5tMG1tgQV5G1wrdbmoRiJKgMmrfPeyY2ntCDEyvY74146O ++KY72sFLCoxnB4Ije3pRP8aWbHBzAEXl/3zgbl6lsJvx+MfV4usEd5nzhjrPFkfz2 ++X0QYRAsVyJSlpwJYL7705IAKzo4zNt0POdO2rlfSRrSi0UnJKaegp2KnLi19kZQS ++91UTVNVOTesfeKeeqZP5bKnsly7GBGf6lUceLNJ0 ++-----END CERTIFICATE----- +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/server.key +@@ -0,0 +1,28 @@ ++-----BEGIN PRIVATE KEY----- ++MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDb4qMIdALYSZd7 ++/RBJ5PTRZS23d4SkIxZuOGXiSdYNyDNqg+jZZ5HPJu1ZcZFZ7AYINCAnk/yv1rPd ++Aoz50sZKTjHacQZLhaSds0PlN5/TrkwU0WUbalFWm5D6LB+VlDdkOSWSO3UNo23n ++X3wBMCWL9tTqNCwzNx8o3P6L8gjEOyOU3lIB3DU0FgGZN0Fkk7ZrbZxoln78Hcgf ++wBxWC2SafOwU9zofjdcEQr4Q6kAKDK1M7EYbq8U67BUS7SRRoj2Ub6KNhTGCuH5f ++0M4umykvong4bvqYqmrpAM0qV/F0ngus8qJgAH21AeHAvG9iuP/AphbslKFl+Me5 ++3J3/2A/lAgMBAAECggEAAsC9Ist1B6kwNNSvwgUUTZTTNDNSXU21J68cE2+yNtz1 ++S9WX8jTaPfoySYbi93m9f5fLeUNgjAEHonI4Op55bg+5jw8QMZzcOT83z+RY42kQ ++ucf/WI8Fsqxi7cbkpFZFNUOD5WdKKWAM7bMj1c35Al4WP1Jk5UVA5h2SMEVY97/x ++2TeQIzxBVX7w8d3jSHQXizWLB06IRs0F1Kpp0qIXJ558GcWEYVLk7ORIcJACWJSh ++UmhmtUVXI5OoWTTk4Ac7wus5GlCaLkwZ1RxV8iSwlQ5dhEBdDPRofrH9QgeULJrq ++l+G+Cv32FizTzC3QuiPrXrbfPVxffYZuJ5g2RORh9wKBgQD4IqS3WzXYOoKwkA5d ++8rVAL55tTE8I7/GZCoMrmRsXKV/30gJjhDlf5TyKWpFB7gcxBBZhd+lK/daH8d+S ++EAeBdN45VM/xbQkVKyfOQMQ5JuKmLJUyUP7yevMDZ0TYWQGDWmnVMzhfICIKWQvM ++lnPqCHFeYx+zWFBTDukr+aitywKBgQDi2sY1KAJiC24M7DILvjF0vFQGIPCyoOfQ ++VKemT3O5BKXbEK/WgBmTHMZzGPUGCZ7dxjEeTpE1d6YIadSa3FMyA34PWi8+3jdn ++lGSnK5MBlfKnk8Qo5vYOKPMgVmRPzqyJ8gUorNvAUEKZeFjV+wZeX/0yxSunumCj ++dfOk2TWDDwKBgEQE0xxED32HhH2774RHXPIMW6Rgb6XmiFbIb+6KmMd/mwQG+Iqp ++G0UzRKY0b28gPa5tDWmIglYBQUagwgV7CWOuUqBqpFns5rl7y/yY+nEkPKsKu5dA ++ZrK3i1gafd/EfkqwhSRhVwmUeGBXyok5kOrNh641A+KYyeQKyVY5qMiDAoGALJgb ++DIn/5ewfRxULRXmu2SbIUagaCNNOnop1pmDJ+93pCKZAGqd135BxhmCqkfREMY5r ++S2zgaKVLky3SqFqVVCiRmEz/KpmeRJNMMfyD2nTyjXSjw/Ka/e+Y04uIDpQvILLd ++xsAsNqLQZMDenbnJ57Vw3ZEa4s7lflyKd6ZnOYsCgYEA5jRpE1+lw1mAieDNovqH ++Mp2VwrmuFWhkeC7RW0G8ngNRzP9K6p77cDZGuR8GO5OHhpC3JG14OhOGL5rmDcwc ++ufXRlGMeAfWSY6EOY2hPWltML4EiX0zRESipQty8ns/HekIVlmOh4sv+3N3EqLlE ++edJcYLfcg1FGwnVQLHuVhy4= ++-----END PRIVATE KEY----- +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/server.pem +@@ -0,0 +1,75 @@ ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 4097 (0x1001) ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: CN=Root CA ++ Validity ++ Not Before: Jul 12 09:33:13 2023 GMT ++ Not After : Jul 11 09:33:13 2024 GMT ++ Subject: CN=Server ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (2048 bit) ++ Modulus: ++ 00:db:e2:a3:08:74:02:d8:49:97:7b:fd:10:49:e4: ++ f4:d1:65:2d:b7:77:84:a4:23:16:6e:38:65:e2:49: ++ d6:0d:c8:33:6a:83:e8:d9:67:91:cf:26:ed:59:71: ++ 91:59:ec:06:08:34:20:27:93:fc:af:d6:b3:dd:02: ++ 8c:f9:d2:c6:4a:4e:31:da:71:06:4b:85:a4:9d:b3: ++ 43:e5:37:9f:d3:ae:4c:14:d1:65:1b:6a:51:56:9b: ++ 90:fa:2c:1f:95:94:37:64:39:25:92:3b:75:0d:a3: ++ 6d:e7:5f:7c:01:30:25:8b:f6:d4:ea:34:2c:33:37: ++ 1f:28:dc:fe:8b:f2:08:c4:3b:23:94:de:52:01:dc: ++ 35:34:16:01:99:37:41:64:93:b6:6b:6d:9c:68:96: ++ 7e:fc:1d:c8:1f:c0:1c:56:0b:64:9a:7c:ec:14:f7: ++ 3a:1f:8d:d7:04:42:be:10:ea:40:0a:0c:ad:4c:ec: ++ 46:1b:ab:c5:3a:ec:15:12:ed:24:51:a2:3d:94:6f: ++ a2:8d:85:31:82:b8:7e:5f:d0:ce:2e:9b:29:2f:a2: ++ 78:38:6e:fa:98:aa:6a:e9:00:cd:2a:57:f1:74:9e: ++ 0b:ac:f2:a2:60:00:7d:b5:01:e1:c0:bc:6f:62:b8: ++ ff:c0:a6:16:ec:94:a1:65:f8:c7:b9:dc:9d:ff:d8: ++ 0f:e5 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: ++ CA:FALSE ++ X509v3 Subject Key Identifier: ++ 3E:48:4E:C9:24:FA:DE:27:EA:A4:98:81:2A:06:12:9A:F6:FA:17:4E ++ X509v3 Authority Key Identifier: ++ 63:2F:CE:D5:F6:6A:93:75:66:0C:08:D3:41:6F:A1:DA:CB:B3:B0:3E ++ Signature Algorithm: sha256WithRSAEncryption ++ Signature Value: ++ 22:fe:de:97:6e:e8:5d:65:91:f0:70:af:97:85:53:5e:8e:c8: ++ 88:9b:e5:b3:33:d4:21:b9:3b:09:b7:72:70:16:8c:a8:0e:80: ++ 0f:1b:03:cb:95:94:ae:40:e2:3b:54:06:ec:1e:f5:bc:58:8a: ++ 22:57:cf:fe:14:b0:15:8c:18:5d:9d:fe:0e:70:55:26:c5:cc: ++ 92:f3:bf:03:19:e6:bd:41:b5:c3:cf:15:d3:e9:10:df:65:2a: ++ 68:c0:a3:df:93:a4:b1:66:20:94:1d:df:0a:9c:05:e7:74:a1: ++ 1a:39:db:c2:5b:78:8c:0c:f6:5e:30:80:cc:39:04:8a:8c:db: ++ 81:c1:5b:b4:3e:c2:ba:ae:06:ec:19:91:b4:a5:46:05:e7:8c: ++ ef:88:3f:d1:38:d3:37:42:88:25:c2:43:9b:df:7f:7c:15:c3: ++ 7b:72:d2:b6:49:45:ce:c8:ce:f1:2d:be:7b:86:1c:31:8d:c9: ++ de:51:d4:06:9f:1d:f2:86:ac:bf:5f:4d:da:31:26:70:ce:e1: ++ 0a:87:1f:a9:73:24:78:a2:4a:c2:73:ea:4c:6b:2c:a7:b6:1c: ++ d7:c3:5e:3a:8a:f9:02:54:62:73:a2:a6:3e:e5:d6:2d:6f:6e: ++ ba:57:11:20:d1:41:2e:c7:6b:d8:7d:70:5e:1d:17:03:5e:a7: ++ 16:c9:4b:fb ++-----BEGIN CERTIFICATE----- ++MIIC7DCCAdSgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHUm9v ++dCBDQTAeFw0yMzA3MTIwOTMzMTNaFw0yNDA3MTEwOTMzMTNaMBExDzANBgNVBAMM ++BlNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANviowh0AthJ ++l3v9EEnk9NFlLbd3hKQjFm44ZeJJ1g3IM2qD6Nlnkc8m7VlxkVnsBgg0ICeT/K/W ++s90CjPnSxkpOMdpxBkuFpJ2zQ+U3n9OuTBTRZRtqUVabkPosH5WUN2Q5JZI7dQ2j ++bedffAEwJYv21Oo0LDM3Hyjc/ovyCMQ7I5TeUgHcNTQWAZk3QWSTtmttnGiWfvwd ++yB/AHFYLZJp87BT3Oh+N1wRCvhDqQAoMrUzsRhurxTrsFRLtJFGiPZRvoo2FMYK4 ++fl/Qzi6bKS+ieDhu+piqaukAzSpX8XSeC6zyomAAfbUB4cC8b2K4/8CmFuyUoWX4 ++x7ncnf/YD+UCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUPkhOyST63ifq ++pJiBKgYSmvb6F04wHwYDVR0jBBgwFoAUYy/O1fZqk3VmDAjTQW+h2suzsD4wDQYJ ++KoZIhvcNAQELBQADggEBACL+3pdu6F1lkfBwr5eFU16OyIib5bMz1CG5Owm3cnAW ++jKgOgA8bA8uVlK5A4jtUBuwe9bxYiiJXz/4UsBWMGF2d/g5wVSbFzJLzvwMZ5r1B ++tcPPFdPpEN9lKmjAo9+TpLFmIJQd3wqcBed0oRo528JbeIwM9l4wgMw5BIqM24HB ++W7Q+wrquBuwZkbSlRgXnjO+IP9E40zdCiCXCQ5vff3wVw3ty0rZJRc7IzvEtvnuG ++HDGNyd5R1AafHfKGrL9fTdoxJnDO4QqHH6lzJHiiSsJz6kxrLKe2HNfDXjqK+QJU ++YnOipj7l1i1vbrpXESDRQS7Ha9h9cF4dFwNepxbJS/s= ++-----END CERTIFICATE----- +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -4649,3 +4649,4 @@ fips_sli_RAND_bytes_is_approved + fips_sli_RAND_priv_bytes_is_approved 6610 1_1_1l EXIST::FUNCTION: + FIPS_entropy_init 6611 1_1_1l EXIST::FUNCTION: + FIPS_entropy_cleanup 6612 1_1_1l EXIST::FUNCTION: ++OCSP_RESPONSE_check_status 6613 1_1_1l EXIST::FUNCTION:OCSP diff --git a/openssl-ship_fips_standalone_hmac.patch b/openssl-ship_fips_standalone_hmac.patch new file mode 100644 index 0000000..a4f8f51 --- /dev/null +++ b/openssl-ship_fips_standalone_hmac.patch @@ -0,0 +1,13 @@ +Index: openssl-1.1.1d/crypto/fips/build.info +=================================================================== +--- openssl-1.1.1d.orig/crypto/fips/build.info 2020-01-23 13:45:11.232633025 +0100 ++++ openssl-1.1.1d/crypto/fips/build.info 2020-01-23 13:45:11.432634214 +0100 +@@ -7,7 +7,7 @@ SOURCE[../../libcrypto]=\ + fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ + fips_dh_selftest.c fips_ers.c + +-PROGRAMS_NO_INST=\ ++PROGRAMS=\ + fips_standalone_hmac + + SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c diff --git a/openssl-truststore.patch b/openssl-truststore.patch new file mode 100644 index 0000000..e43f30e --- /dev/null +++ b/openssl-truststore.patch @@ -0,0 +1,17 @@ +Don't use the legacy /etc/ssl/certs directory anymore but rather the +p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991) +Index: openssl-1.1.1-pre1/include/internal/cryptlib.h +=================================================================== +--- openssl-1.1.1-pre1.orig/include/internal/cryptlib.h 2018-02-13 14:48:12.000000000 +0100 ++++ openssl-1.1.1-pre1/include/internal/cryptlib.h 2018-02-13 16:30:11.738161984 +0100 +@@ -59,8 +59,8 @@ DEFINE_LHASH_OF(MEM); + + # ifndef OPENSSL_SYS_VMS + # define X509_CERT_AREA OPENSSLDIR +-# define X509_CERT_DIR OPENSSLDIR "/certs" +-# define X509_CERT_FILE OPENSSLDIR "/cert.pem" ++# define X509_CERT_DIR "/var/lib/ca-certificates/openssl" ++# define X509_CERT_FILE "/var/lib/ca-certificates/ca-bundle.pem" + # define X509_PRIVATE_DIR OPENSSLDIR "/private" + # define CTLOG_FILE OPENSSLDIR "/ct_log_list.cnf" + # else diff --git a/openssl-unknown_dgst.patch b/openssl-unknown_dgst.patch new file mode 100644 index 0000000..eeece21 --- /dev/null +++ b/openssl-unknown_dgst.patch @@ -0,0 +1,15 @@ +Index: openssl-1.1.1d/apps/dgst.c +=================================================================== +--- openssl-1.1.1d.orig/apps/dgst.c 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/apps/dgst.c 2020-03-20 11:20:27.618536409 +0100 +@@ -95,6 +95,10 @@ int dgst_main(int argc, char **argv) + prog = opt_progname(argv[0]); + buf = app_malloc(BUFSIZE, "I/O buffer"); + md = EVP_get_digestbyname(prog); ++ if (md == NULL && strcmp(prog, "dgst") != 0) { ++ BIO_printf(bio_err, "%s is not a known digest\n", prog); ++ goto end; ++ } + + prog = opt_init(argc, argv, dgst_options); + while ((o = opt_next()) != OPT_EOF) { diff --git a/openssl.keyring b/openssl.keyring new file mode 100644 index 0000000..d7ab2d7 --- /dev/null +++ b/openssl.keyring @@ -0,0 +1,305 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491 +Comment: Matt Caswell +Comment: Matt Caswell + +mQENBFGALsIBCADBkh6zfxbewW2KJjaMaishSrpxuiVaUyvWgpe6Moae7JNCW8ay +hJbwAtsQ69SGA4gUkyrR6PBvDMVYEiYqZwXB/3IErStESjcu+gkbmsa0XcwHpkE3 +iN7I8aU66yMt710nGEmcrR5E4u4NuNoHtnOBKEh+RCLGp5mo6hwbUYUzG3eUI/zi +2hLApPpaATXnD3ZkhgtHV3ln3Z16nUWQAdIVToxYhvVno2EQsqe8Q3ifl2Uf0Ypa +N19BDBrxM3WPOAKbJk0Ab1bjgEadavrFBCOl9CrbThewRGmkOdxJWaVkERXMShlz +UzjJvKOUEUGOxJCmnfQimPQoCdQyVFLgHfRFABEBAAG0H01hdHQgQ2Fzd2VsbCA8 +bWF0dEBvcGVuc3NsLm9yZz6JATgEEwECACIFAlPevrwCGwMGCwkIBwMCBhUIAgkK +CwQWAgMBAh4BAheAAAoJENnE0m0OYESRoD0H/1lEJXfr66rdvskyOi0zU0ARvUXH +jbmmYkZ7ETkdXh7Va/Tjn81T3pwmr3F4IcLGNLDz4Eg67xbq/T8rrsEPOx5nV/mR +nUT97UmsQuLnR2wLGbRBu24FKM7oX3KQvgIdJWdxHHJsjpGCViE1mIFARAzlN+6p +3tPbnQzANjRy7i/PYU/niGdqVcMhcnZCX5F7YH6w6t0ZmYH3m1QeREnWqfxu7eyH +sIvebMgKTI/bMG8Z7KlLZha9HwrFXQAPIST6sfc1blKJ9INUDM9iK6DR/ulkw7e0 +hmHLqjWqYs5PzyXeoNnsPXJt69wiADYqj4KNDIdNp1RoF9qfb1nE+DM6rga0IE1h +dHQgQ2Fzd2VsbCA8ZnJvZG9AYmFnZ2lucy5vcmc+iQE4BBMBAgAiBQJRgC7CAhsD +BgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDZxNJtDmBEkWP+B/0SsWSeLGo+ +viob8935Uirei4FvnzGOUV1w/dgDLSzavmysVxb4q9psp1vj1KEtm18vzZO79AeA +RGwWTQYGmFmrNRWZ2DgbjGyJ4LS5kLBqQ9FaF7vUFtml6R04yx+RTgQTg601XsAj +eU8uSarmeZgGVMAInsdMrUc74lJeWKSnovr4IFOdgiU/env19tK355bsfTvb0ksE +5Q7wnnoRXdLyNet0AWf4ednWDEnRb6cIVDF28URjxH6yIfqAVe7VnuDB4Sfuck4R +4gYFS/xGfTgocPUDZ4rUz8wleGLwDIiU7GpilmtZTl1FTPkFa/mqbcJgdVTJqLZO +5vISJkZvqE5UuQENBFGALsIBCADPZ1CQBKbFQWMCvdjz/TJaNf3rV6eiYASOvLDg +icU8Mwa208yJXr1UF6lvc3Tgw+jmynIBjbhvhujcJ+eD+jHEaXdncaK/WAPsmiNM +k+glZ4cbF48HP77kOLQQC+rX7jAF0VSHhFZNtnCpOByQevCJlwgkXckYvRyBOYk6 +2R7BwuLIwLIq4ZXNKPIVN4KpCodhIcGuvlPJczcdOoaBRGcSFUbXqM9Y8whyJhex +F87RHAyGpjvLnJFSgLimyYBRpFN25LzYFpXPD4MeLUVDSRgtSxOJ2KmkhMHntUqQ +P1XsIgzm4/ez6Mwkxc0QlAQp0r2gJU56QPdE5zgx+2q/i+WhABEBAAGJAR8EGAEC +AAkFAlGALsICGwwACgkQ2cTSbQ5gRJELNgf/elwfYchaV/24buNWDa+50gOuXQ4v +Xfj5DKry6aYnJBt1UeMV1ssMxCU8OltgzTMhTupjrXV1oDXYAxexymWLxwa+qcrb +SwDD+wX1gb1O2GOfbiplEnOb5dDc7Gkm8eTw0kBJEiAiyPv4SMLhFzm+me4Dq1+x +dbsvN05hxTjow9pi5eYrFMxYWi1ZNH2UmPpgoIN/4p28G/IN9fdWG5Ni315p3WhL +HRMzC609IOsCIJsm8+lHVblT30jxpctFVlQBtbDTzgqQLiaTVevlca3VYgMd70D2 +8d186gxUtSEpZ3dKkv+0V8DLhQ6VR/wQ780HKIpFp6UWP5aDxpEoOEwe2g== +=Z0q9 +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: B7C1 C143 60F3 53A3 6862 E4D5 231C 84CD DCC6 9C45 +Comment: Paul Dale + +mQINBGApr7sBEACoyczHMNgWiVg4jMjtdkb5j7csKPdFx8B7FJNMFrL/Z/I1BjwM +TQ7fxKvDN6z3mjAMKhU+wCL9vUSSMUtyze/fox09n84jYDwN3n37ozkrhcDB01ia +iKCCeRNEW6meTs3/aJPGCznIOk/kMHlnZnQPcSphIexo/ZUyB59h6smz2LvoTZg0 +aeZeJwe0cfaVnWYA1a9wr+QJDQwRkEqdy772cM03Phs/sRWd4+nBqP1XxWlX30Yj +VGjDsY3gH9AAy4oUnb7tOmk5S9FIKuMdkkWeU0Abm8/36OfZyMFbZDAMbO8i3un4 +eIQOg5tjynSXYel3nlJ/fwoSHefPgavCkBdknk842LM9xr22t+IKmy99uW7FDqvj +wbPoMg6z2Jarl0Fqu3GhIjCmKMe6TBfkYwB4fp5KtzRwrSjDo16vkMoM69mXqA7w +f1JV+BKvE6QTePNt8ix4ib5c6mPOrFnYG1X3tkNOc4/q6KcGbvS1xMax12q2/zSZ +PmoJvzWTrSF8lQDZKjMnXnhrZMY8h7lu/QE4DQ1M9U1PFdf6vwLrNaHHfi/rWKTe +fsrGp2TIqU4lm45p0fDroYqDML+gp8RMUZBU8M4wGwhludEiCoOFjXu2ECvvgrB7 +JHrh+FtMuuRPx4q2eRO75NepDfZqmp48PIqkt2b3VjisNceB70uYiUQ2eQARAQAB +tB1QYXVsIERhbGUgPHBhdWxpQG9wZW5zc2wub3JnPokCTgQTAQoAOBYhBLfBwUNg +81OjaGLk1SMchM3cxpxFBQJgKa+7AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA +AAoJECMchM3cxpxFa0YQAIAnnNek3+UXZL/u4R6hs/lJopC9p/MFbCnL0b1zZnbz +Kbbva10PA3PEv+szhylDKeDIbDKF1yEjI4BTNCLS8sLKEZWSLTMW1MZhmxWm5TdF +ebhoj6Tjjfxme4ETyk3+v3hC3Ylm0jiqHHErutRAPIW1VDFQVxKZPasv1yj3YNiB +SktTSH1MjZZtlDYjp9z3VTczvrO3BBJJSxQ5CY749pEwtjwdLTqOVtoJL8thZ3J9 +jSnSDsgFVp/pPNVxxV98Yd89JqM34MvOuD3jYSOEtMUCJgMFXNZ/c2+BpWrX+ssP +qrY9vBrq7o91K+OQHbb4Z1pjK/dzDq183E32uTOYbco7ga/JqE7c997zY0fgQsIz +hdEveC4oMydzwHQ9WzHUYR7AtTgF9kKsTHy8H6ye3uaJMIMSEdAvI4mxG/k/zG/Q +KrIt1nUJh/M7uu2IT9fM+AoR+2VV1u1vimxpCpOXpTB4mTIR5YfiaRfXnHm55iq/ +odxVj/yVqFUcujy+YC9SAoKRGJRQV0KZur1xAOJsgwUJ1iXJZwypowkI59jpwl2q +WCfZIS1ZrpIebiVk4ZBaHDe1v178uLO3IasZR7HLvcD7ESX8U88ng8J1nXHq+Uc7 +4j5Dc6CMTd5WYTkFvhjO33JiHncK8CLYOFsndIGXts/OEhp08N5JELHCeSuu4UIb +uQINBGApr7sBEADNQ6w6jQNqxWxHDjJzcXclQJFPB2qlT/5eMa7QeOYiJ5DmY2VQ +P0Mltkmrc8T/I9NfRFpaB7Z+8zE5lmjSi3N5fYWjhoZp9oP0WYfSLef4KpD7KfEE +TaBohn8cw0Kt+nmEN904w9kpLE+WAvD0qRKnilcCUWE5Es719W8dMh/8cB6FiCI5 +8myIvV63yDV1DiNyEcKNeasIFF8n3FCd0gWPXXS9Fe7muQpIJ4Lb2p3ylqcY9UaU +8n+LQAb1LL1kC468MU0LBhhkCnZ2BacWnJu7JrzQ1Nihk+JRyXt0QARcgsITt8+3 +rQdZDb6o6jTixClNXOJ2LGZMAI2NrQppfn3uBny06veyde9l3riwtOYwqEfETt6O +Ndy0gOd4zelPOnfMtzwDePC0m0b5ibNsMGVYGu5bmu4XFZrk8ivcAiEg4TJHcYtU +meONyuhmaCbcG8in0GZvUgb/YLcBpLBhFFUUd1ALBfi6cXlvFlSU0HHQoNRIAyFt +C1DQaAOWQ9v21KSF6zFG9Qg3yHKy+xBjXjfp0IZOqN5jrmXxbfl/+LWqUHD54tmS +iHrUf1CiW6no+4WBI9f6/+QCVLFBoStlNgoRt/OcIXmq1cTJ2pTSPl3S0+HobCEa +llEGEDXqsGxmV2kNmxsUks/knEGFElp/XtMrhykicIdQYntMaRebljrpiwARAQAB +iQI2BBgBCgAgFiEEt8HBQ2DzU6NoYuTVIxyEzdzGnEUFAmApr7sCGwwACgkQIxyE +zdzGnEW2ew/+IzGVXgB34NeHnaLVDTtiUXgrNoOV4xFTS+kvZXrGC5i+mMhae9Pc +gvAyjssJ7dVP2RJBSNkfdxrRd2D4HFcf3dn/n646HNiTinirfvoUf4VIA1jdDp9q +ixi//tO7fsPyn35d672OA9AC3ccBgji6V9XA58REonF+ap2bE0JBJYTJZrET9Wny +BPEjefdpORSHaXqimfHN59QV5gXEFZ4Ci1jCt9n6WEb0oo+kQTkUb8z7F9P+7ojj +Q+4KrgtlXb9ijxCwMfGRPNInnumqyKJ0PhTVwhM1JNdi53nwVY98OGEZXWiKPFQ6 +lAGyLLXwaOSztKGSdsFPK/tpyVihwoqHjJCU5St/PVlpvRKhbtq24FfDu7YyDO2Q +Dp2/F+QIdVnUFO2I1xeb2k+/Tx+3nfKYNui+AFaudOblrYQzPrlswJzCmmB/OTkt +wuOqr2nvQr2JUwmSaRvdCAe8EI/HAa/ujlA87T69L4T66KwBWuBkIYZQxFtCiC+B +mksPCYe9TBTZm2+8xk6UiSMKurwESTkDj/uUGmtGHi3cSJPSQ5x41COSEc+/yZ0k +eQTSnnkVrB71cMr2yVe9WWiUqUoHbkwiiy9YAHkp76jHbTRsCjs8O2otioAW06Yb +7r1iWp6twh/giBzsVJndeP5Ss/85TQfrl8x8yJjv1OQiIRrTTz6GdU0= +=AbiA +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C +Comment: Tomáš Mráz +Comment: Tomáš Mráz +Comment: Tomáš Mráz + +mQINBGDxTCUBEACi0J1AgwXxjrAV/Gam5o4aZSVcPFBcO0bfWML5mT8ZUc3xO1cr +55DscbkXb27OK/FSdrq1YP7+pCtSZOstNPY/7k4VzNS1o8VoMzJZ3LAiXI5WB/LH +F8XSyzGuFEco/VT1hjTvb8EW2KlcBCR6Y22z5Wm1rVLqu7Q8b/ff1+M/kaWM6BFi +UKqfBZdqJuDDNFRGqFr0JjCol0D1v1vollm612OARKpzuUSOERdc11utidkGihag +pJDyP5a+qHZ4GNzZkZ+BBduuZDMUdEKgK28Pi0P0Nm17XRzX1Of1uXojMvroov7K +/Bkbpv+uvZoiSEAeD+G/+Tyk9VLhmyji9P+0lwYyHb3ACgS3wElz7CZwFgB3kjJv +MX93OlCAMruFht/+6hQu0zx1KPxx+55j/w7oSVzH8ZmYND5kM4zlGVnJxJk6aBu8 +laOARZw7EENz3c+hdgo+C+kXostNsbiuQTQnlFFaIM7Uy029wWnlCKSEmyElW9ZB +HnPhcihi8WbfoRdTcdfMraxCEIU1G/oVxYKfzV2koZTSkwPpqJYckyjHs7Zez5A3 +zVlAXPFEVLECEr02ESpWxFabk8itAz0oMZSn5tb3lBHs1XFqDvJaqME1unasjj06 +YUuDgKHxCWZLxo/cfJRrVxlRcsDgZ3s4PjxKkAmzUXt5yb7K3EVWDQri0wARAQAB +tBtUb23DocWhIE1yw6F6IDx0bUB0OG0uaW5mbz6JAlQEEwEIAD4WIQSiH6t0sAiK +o2EVJYa47xprqdotXAUCYPFMkQIbAwUJEswDAAULCQgHAgYVCgkICwIEFgIDAQIe +AQIXgAAKCRC47xprqdotXEGoD/9CyRFM8tzcdQsQBeQewKGTGdJvPx9saDLO6EVy +U9lEy8vLKMHnmAk+9myVBf0UHxCjVZblvXEL6U/eCINW8TBu9ZH56AMkPQgvfZkE +KrpBoP2yfkA9/2rfChec7jkFUwArWKAB8hyLPiABXdm3vRZMhiBAsFTv9rdrr89W +nAvcd9OXPxrEM7mNkkCDUlRkfRwdxSezStmJ/18bM5lrlR4Dj9MYUOieYICsu/nh +1u9C+QDOGruo/xku7B87qVSnKM4My28/RtSeGjTBNw3QPEmumArINNUDNZbe3e+I +m23l6tyP7nmtLbo0wPcRB9q4K1GlmecqzSgLsdf8YCOZKax9DLaA2fWVJCyp22Uj +kCmHkVgeXmByndWVdfYyJO4LGJhM7BfmWGa/yIRKRKZGlJavRY+UAkfqkXCbzhFD +IMyRTU3zqJfJcXrVDslvB1mMbBGIR7gmL2HSToNvN5E2xiEamHbSOv0ze0Vw5A1M +8S71i+jLUSenGTgjLdu52+K7SGLtyhG/kA5NpvMyCLBOYZ+4HPgbIwKLlcm5SRJ6 +z4sKLSZmU7HLMp69jXfGQqjYbJoUEHsCsLOeVMGiOVZqoZWQWcMHy9VvOA0FVx41 +xrpdDLft9ad+cM/oaiYXEWhqYRnBM5eIH0B3HOk/kmLZ6crNE+X5xG1qhoZgAurM +MriPFbQfVG9tw6HFoSBNcsOheiA8dG9tYXNAYXJsZXRvLmN6PokCVAQTAQgAPhYh +BKIfq3SwCIqjYRUlhrjvGmup2i1cBQJg8UxqAhsDBQkSzAMABQsJCAcCBhUKCQgL +AgQWAgMBAh4BAheAAAoJELjvGmup2i1cessP/jG7dFv/YEIn7p47wA+q+43Korjk +8LLpdb+YhVEpXgLK3yUNOcghs+e+UxSlS4jDV9ThpKgBEgTCn6V8vEWe5djvLVcO +UNG/wx33ksZKDOrZt2qGzz9VBd2ur100HjA3ibGClMjchMQCctlAHBCI/jV7g9Sv +FIHr/qECDnr50lh4kNeBZH/6gYEnB1Uqkc+7y/0gopk3kEcxO00qKj9d8QPatsoW +FOBW6OT0ldX5m19EL+x4Ku2/ayBwmobsQyj3cDV8cJN9QxJxB1AqLAKXK3XpEQ8Q +UERor6Z2gQu9bCRoQCl3Xu+lfqh2gmfoXoWiZFinoBzEETtILEUdNa2MsJheNuVy +Tf+W/vrfyAKVl7DgPk+n360frxmR8n7pkSpDq12s9J4eimX7aUlbhDX2XiMo/kGS +2oo2ulB083oJq09UieI2acwRIn6fFAOXx4Cr9IRAnKtvGxT3XzkDJ8WkC/+QE7wW +kjtD994kD2Jf1GCqFIWPx+J88VXp5UbobOENYBGWvc5Pki541aFKkXe5mvK9n2Fm +T3fOeBnyhT27J79UYSkOg9Zk0o7lcLKvgX3TqOwRrwMOGqyBIrHkLprIbeX5KOBI +yvtovyTuq3piF6OcfOYuZJOcV4LnnW6Ok9sgia1WgqNyJ+FSdSl6tLabzcM6sZ1I +8tmXB4BcoHFB9N0AtCFUb23DocWhIE1yw6F6IDx0b21hc0BvcGVuc3NsLm9yZz6J +AlQEEwEIAD4WIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFMJQIbAwUJEswDAAUL +CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRC47xprqdotXJUfD/9qFJURXryr8/Uh +KJIAYQawc3rgSCeMaSi60fgPhteBf9VPA5w84OKLtnZFcPcpvGpaHuRxj+mchOSo +2HkYz7eseTsWbfguDiBNf1sA0IW6/WfIjqfGliw/ikLn/mA8GgLzgPPEiEbZH+gZ ++J1ttxv15E8dWVSYILJcn7VLX8EgYc93uaiPbcc6wG3qBz5UD7FW6pg6AjEhz6j4 +yQBq/dAUUL9nfrrx8p6548aslAR5A7e1kWPSMkrXD6ECdlJ8LReaPjiWrvLCtf1M +cmAQJkXX9PLHtPtkXzfT97GdcEWtPF3qpu9k8gK3QC/dPoACIsDUU1+muaqlRB3A +ozLVFbSJ2kA0BqnHvhB+7cIB/ZkAasiI1jJ9XPwJJnzZGlRFGJnUg6MRX//FIvly +Vi+hFt1DQ2tWMo6peu1sNDDONYKL7/NhFedJhIRoYUiQtcEuWqtTjOUn7ErkaC2y +q8hzWgYCe2afy1sUvyDtUjuldVTNzV1ic4MPC+QZ5ZEw2uHfP2oELlK2zUlLZIpt +Bwvgzqw5qcxj0nBHoaDTRyJXrXDWf/DsyS6Df1t8Uidoc6W3zNEhKbabvTb4gtWj +hh/QezJNtyRSg4SZ2Zx+ExgAngFdhKUk01XytLcEqYHjOjO6ZHpP0/+E7T8yZ7sI +w5AnBC/mkTbqp5Nsbk/spoN0Wl7PZbkCDQRg8UyoARAApiWRrHjdEu9Fp2yd7K93 +VpttsAWGeZo6adA7kKrdB+DFwyQdQQIGF1MoxzKb3rcO2sxoU/SnY/TpxdVbSO27 +1MLUcqoEc5F+uxuXsp4Tx5s6iXY9xTwQeBi8pAUQSLlWc/yoakF4sahG+5+0NUDp +djCEevRw2nHVbMbyzACgB0VRErhpY6gOBK7LkHwXAEXh1pN836P1s3DLLInjoM50 +IGQJLJ38/dBeWf9lqJrDif3lZ9Br7h2xHVhaj+08iWKFXb+MDkW6lXOuT+A8pzHK +bz1TVhopid9NOcw8ws00Vnq9R0/dhk+FT81XJC6GmoBi2GjjKpLNMzfBE6IkJjhn +gMY9Wz5sSfXhyd0x7ZGdS3w9SiIXXoxw35woC1/Ue6QVasm/ldCNSNH63y8G5b7w +NA84/fhVa9/Tug8zyzRj9p5Ge7b1yMbtVy9Ret8e1xB3yOJH8rjwmd13ocNBrFYh +D4b1+P0DScr4TburR3S4gwzawB2juIToELQGseR8nQg8k6Fk5vZ8MaYslMU2za7H +a379C8+A9h0C2mobqtw7Gq8NzDH2H4Bgpy0Ce8ByWnRHEIrZcK4vZDTzBfW+lYJB +HFlNc0mheV2ih6vjmz940cakzLvGF65UA69tsS8Q/3sWH2QLFTywdcEUZNgZRWnc +nAaLOI/nw1ydegw8F+s1ALEAEQEAAYkEcgQYAQgAJhYhBKIfq3SwCIqjYRUlhrjv +Gmup2i1cBQJg8UyoAhsCBQkLRzUAAkAJELjvGmup2i1cwXQgBBkBCAAdFiEE3HAy +Zir4heL0fyQ/UnRmohynnm0FAmDxTKgACgkQUnRmohynnm3v+Q/+NpYQuO+0a57+ +otwvuN3xoMsOmiingnd6u5fefi8qCjHgYJxnZQhihk4MOyiY46CxJImFKI6M13H5 +SlsuaGMbl17f5V8dE7rUDD9D9tD4+hVe504UsAdqaKHFhE8xyWJ24it9LmIXY358 +cQ7gm/EzA/wCKEez1Z/IUlx6hrG6BnAuE6FYhLTQt5WcCGbA17I72M1H50rX8fa0 +8qOg4rzyNEOesz1auI3pt1VOy/VJo7V+oO2yz4NNGBqjCN1mMOmBl1vBldZz4oZJ +vqoCFgx4Bj4h8LHilyg2OWZV4Xh7fUGH2/RIdfAYhCTz495N1sdDHew9Qc3PP0vV +yzwoCJY2moCiZ16K0o215rgYAJcY2KCCithjw+ktHZ/E108cmJJE0ZXG9sFVdF6A +HEEofaYRgXEvwFOwEBnytAq2l1ePmlTe6eu5/hSMYlan93YpsF2tol+jw7F+aspg +K2JPWqB4FsupxnvvAvzGBrTTGfCL4z7K8/6QmYrJBByx0W/lkFsebEfOz0SY/Rvs +aGQ3LEmQkbn+Cz2c2PwmIuYJisunHNC1rH6lF1a19D2lpe82Eh3TsXEsgjty2+sh +uHsKCX/snSa+zySqMbsE6o/8AquuT7tkdHO1rYfr3ffvIeX8HVj6NKm1eyk6uyCE +cb08jqBWOG8tzpNt6PIviyrQRrK+ncSLjw/9GT4LhZKnfLM5pVAFV0jVqf29lVhk +RHDeiNmdprqpvW35cAS7LH2wv2xGj4+wGaJmksruiJj2KtNAWa+7Uvd4xvntrL3F +9kG5qC04iTx9nng4qliZAI1wGxT/fAKS165L5sdTXRvcywokshxtsPgCXcH/J2v/ +JC6BGn44o8qo/CLGIaTBk6V8NfY4YqNFyMaMRAQSQ9Pk0KXQxswdxASaYzTTb93g +muoO7XrIu7ae1lppeL3HB5hQ0/zF1cVzCrLXffsEZNVW/1/9VamicTOWP8dV/ylN +86d7NvfJk8L7O+YIsEKYhKEDfCXIZrF7Ynu9SCWiR8LAqxZpBx2/6lommQJ7RlKr +HBkWUGyC8WHYr/sxORy0uxSevGFcfK2sFMnpLJhC6C830O05B6SFTWTrD9c/NC2S +DDWQCr1Tud3GZ634BowTlQRgJpGJc2s4wOMaARnhVtr/GZQhfCzOhcaHAVMBX0FE +ce+LktihEnzEJJgc/bzTH+t3fIW8bS4c65YlwCzMCJ1oYyALlD1BlZ6whFSVUZro +uYVu8diJ4Alf9+hcYOU/Gnbyi3bFbRGhBVz8lB3TcEeP02+gSSFD7iDi2Wt3hkmY +YaT7k3YGM2ksXdQ25SGM1aW4drxaqAj5sZ48OXTMNT9ira3TL/o/Xp6GRhVE8iOl +JKbGoqC+wchHmOK5Ag0EYPFMJQEQAN/J6BypHYuzqwVDH8hrCQJ0s9I1fFdiu60u +aeLTQPeB2JVwV4t9WZsM6mVMEUZJGIobk2Y5FFzLsHtbPlSs7MXtLhlLa05iiMXq +oZsS7EYI+GDNO6OP1j8h9On2Ik5EnK/0dWGQglSY/ryw+5ShdAjHSd4hCRvBxfX7 +FJGNrvIkIp8AxlTvNBQyuR4rluOnfS1LXFDlaTWxRAZBJdB/GyAbCqKmkfbkXZbM +ZFA93E2skrLJ66CPgaK83r+DUi6+EyvOKTkZw0OU6S0k7xT4Z1f0AbS/ON5G8wjL +vxKu+Tmd2LHLMUTMiSQ7/K0iw4+pms1+MOBWFDX8aS/poRe0NS779RIk+Hy4OG7+ +i9Rpf4wU+Z2QHbUYrun6h7+RySv+E27QWCgNuAdm2F8cIsxQ3B0mAapqf2ECIkNb +PftDlv/iDqzAxAobNJzlsKQrcRmEPIOqNxi3TP+H85ekwHTdwwdPb5u8pgehpDum +ciyHfYZ7A3eNl6RubQMIWQgQzxUbreUJkKjHwLoqkTHDafJeKI7+2nII4r3peQfE +N0jZ5HSXHTHu4520FUBHNutvuHqCy0nQrhvoXEfD4woYk27OOwSKHu1ZdEFa6iJH +eAW0f6pSOMkEMDRtFWv0/hVpNDbhA+jAswzD4+XYDk+xZdDONua9inO930MGI2Bs +LQ1kotFTABEBAAGJAjwEGAEIACYWIQSiH6t0sAiKo2EVJYa47xprqdotXAUCYPFM +JQIbDAUJEswDAAAKCRC47xprqdotXBU2D/4vF/5FrkPz78jSl7YN77gc/sTpBGMh +QxhZxKpf+8xE/oig9/F90BMKaFAflChiEMPc+Dj0VrCGwP2xMTVO4J7lw7bTr3RB +uETuVq8S3XgtmTlXwoRQL91XtoGjAjhfgpXbi/DEyZ6+34QwMYr474rsKiMsBcMS +nWTDuqRqkFYAaF4LRbD6RkWck+C7k4ps/KIflEKiSEuvpjk1TpibwoSt+zIeZI6u +sSLWbGcADqnXHe0GClUqcMYbIgLzVyXQQzUvfrwAzi8XvfW+8QhP+B5oZT6y8YBD +NHQDcITC4OYaVHYnZWS+tPtPQZK4duAlZRd/lBxKPbNWee5ufPh5ALFAINpBWP0C +nHKVj/P3fBcCrz2ZYaH5iQmqhSbJ3lyFKJoQQgrcnWbnOWI91DdhmvE2GIyn1JJE +FT2YQqRH52dDX5gOl5OcwT7PxV1jc03bhZsOCylBoq1Yd9iD3U0bgiqI71dGZrXZ +qaQzuigCRxlv8nF97SUGLDCuvqC5ejmecQBYmLCrgIiRcI+FXSVnZhUYkeBbg9sX +Cla8mCgxF1RhH2S9z9blrLEf2r+l/8P0+IWmmaTvCbZ7kIrUsbGv7FNCubVA3UXc +zPrDR7hQC/xNAX1RXMGNmPru9wVtgnn72UneoD/dLYY65U/ZFLNeQAnq9c3VJKQ2 +TIdjvGbJ/k4qxw== +=Ctij +-----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5 +Comment: OpenSSL security team +Comment: OpenSSL OMC +Comment: OpenSSL Security + +mQINBFQv6Z8BEACuJwJkw/Iniec6U1RzocYHBFKl1eE0WBu1vthYmcn0D/GJKvWM +kRhx9GSlWMqj9mgSFUOsFWrpPIm3Jzh4bLweUjH5I7R0Frh39dDFh1hhwHEholBy +yUGFTb8TppptXnzzDoNz4yUQcRP2oeG1vC/ePXPWHKgtp+0hmM3MQ3WIN+gSmpdt +4vMIoWKKCq+E1tYcsFk9URBWWEwBw+OJ37o7TrernyxwtXwdPOjYhA4mLtnKHs+5 +QivuOvK7gNf5hggyv6fp6d2ixvJZ9CdUYFdlOwaHA97B694RcAMxaMtzUpfkiJ/Q +2zR83QG4az6COKK38W6Kp7bLveMF6Rb4Y+gOjV4KvHKpzNAP2sNkmCIohlmoPhT9 +Ce9tWq6oK+o1MEc1Ejb1/kn9CeCloKlF8HkzhFLpqqkZ//3j73/6kuK45UVg5PbO +3GLcyTJW4enmTUFxy0d24Bfdgu7FpH1vHIisDkON3QO4TMwCJoLWGULqpJKP7kUf +5HCnafDroN5wF9jMVxFhmDOOdXyIeYkBVF6swwIlyq8VlYSjYWGAUtIb3rOiUNWc +zYY6spdAN6VtKTMnXTm608yH118p+UOB5rJuKBqk3tMaiIjoyOcya4ImenX85rfK +eCOVNtdOC/0N8McfO0eFc6fZxcy7ykZ1a7FLyqQDexpZM7OLoM5SXObX1QARAQAB +tDRPcGVuU1NMIHNlY3VyaXR5IHRlYW0gPG9wZW5zc2wtc2VjdXJpdHlAb3BlbnNz +bC5vcmc+iQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE78Ck +Z9YTy4PH7W0w2JTizos9efUFAmPX/PkFCRGJRs4ACgkQ2JTizos9efWXgg/+Negn +a1HZIWs18LDktjV49a3IeKhjJV+UrTvQnFpSNXbwpnKa6iVX9PlE+3nLkIrkz6HJ +uBl1MZElcmrqIsVCKHcrbcJSgZM4fV0AgEEm5gNfK19gbJjs1qdbtwTYccDiHwGl +4EeTkPsOCo20QEC8jvkdHvMsvoD11c57NprQVVsOyuyz7B7LwV+6hZ2MAv6BZrNE +XBjzqxHGKcq4iyOKTGwRAufiXdq2+kV7GVjihH41YjV08f/b7O2uAm4k/IbULtvY +3Y/9rVvtU/Na044FQBGObH7/DbEOc8uFAH8Vy7M32rZmQet7pO8M5BrBMAaU2OAz +ZQ5CqauGvjTJ4GXi+pBoCVafPvsGkB1W6IxnPPJZsFw9kxOKSV1Md4jh90OdaIGe +HW4qagRaLDtDRtkFnIkbtc38HC/e30ANoNS3Enws7XSNvQ+O7HfeSsATsM/2cjL8 +c281Nv9o+xaNI4TN3KsfRswcQtnsN2cCkPZWKgTJcjpdANkX9CK7mYNS8bu6YsAV +nRF2iAB25Vjcz/92Dd28/nPI2CkKkOMhDtnFty8B2LZ2tbfoU1DsNzg+b3ejaXLZ +jhnZdL3b3F4iKpyzDhTpDHo4P/yxrtV8LOmHJN63oc1JljqgkU+RcxndSZ/LDHqt +VH02VwVHMVt4no62mZj2UNT2+Ci5p+tze4Rhfl60JU9wZW5TU0wgT01DIDxvcGVu +c3NsLW9tY0BvcGVuc3NsLm9yZz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgID +AQACHgECF4AWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCY9f87QUJEYlGzgAKCRDY +lOLOiz159XBzD/9InUdyS1hdC7f2uEbD5A+5UFUwy9hqzy8sXLrGfUMtJC3Ur+CA +RqpHw6LC9oqFlAMhdSpIINzswLvpYqYKUllQWw0bStqWed6wuonC7nQk4fJhaWhT +MEyVNC7gpy1FcFQYZZ/rwVxftvV6EesOIL+cM9Tg2IKvdrJsuFtmhcrEmrAVrPuO +VkIBbOjylU5iHbs3hW15DqMXiu6s9wLlxSJtqWWcGT4Xp3SjUy2XRzsWwFPrdsnZ +cj1h1C1onglIpNuq7yQF6rrBmKUdy7FClXswEg+He6qV6zLhZo6bRAZO2b/g4aNX +NVOh5BS9ZpQds5FejHx3la6GzfPM/szC0WJR2r/6RqR/dizrPlhsJX3g5I+fRnNG +mOrUa7S/OrR3QlWyE5pvytKTno0UvPuITA7MGtQf3z4n4UbM7bYyLmCIVEkDQl9K +ax1vtEYLKKx7sVLmJUQVqo8RmmjottRZ6+B5UWOB+dXvt3Z+mJLHt92y6NLk4iOX +q3bgO9eMPgk+GdLXjgtgeu7S33BNE984/0B+jDLqhgEjK2spA50uPXBUtDm+Au+s +1zfePJVfQxdaoKY00iOltujRS6sqE1PtbebTHgDakxnr9MClzTmRz6ymAglxo72o +gk0OJCNELdckK0HHd5hGLEKBlSVGYSx2J985o7VE/raBr7/YULm4k0LXJbQvT3Bl +blNTTCBTZWN1cml0eSA8b3BlbnNzbC1zZWN1cml0eUBvcGVuc3NsLm9yZz6JAlUE +EwEKAD8CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEE78CkZ9YTy4PH7W0w +2JTizos9efUFAmIp6vAFCRdgAsUACgkQ2JTizos9efWbyA//cw5h9kzqjHNPrWyU +nqchSA/BAxGAfv8IW5vTXKIGou/vbF+2eV4pGe8cjYErfiEMI2XEqgW3NqtB8Ie1 +JpvHb/JARDpXRAeO0nAz68UZiv0s+BYG1cL0MJgxSmwLEo1XIxx+NYQRPaIPhWId +gdJmhOylGHRbZPfUu0gsX3JvFYYJvqSbZYJx47JzLgvsaRtY06oOt89hqVOp9geS +4HtwcZiIohq1E4Fy8+TYR7iMv62lBAG0xOoLCy4UzM3pVbChzcfmLLtH4ZbDO2ks +vhafec6lUetxMJuvqClp4oYDp9ucrcZF3pJA0feSGF6EXOmYo3KMiVbG35DqfJrI +8gva6QPTFo8WRsTZ7hUrn/BioXx7Orrmtl5++IPAU7c/0JPHCVordxinD/XDdcFV +s2IIf5iL914/CaI8AXmeM4H0m9kuaS9N0UI8+3gIBhO19cP1VJBw/EWdwjwHtUlf +d6mOAbwuVAjPEWQmcf0jIxoUR9t+3ieZjPdcHus5d9/xH2iOLdEHYQRHRiLlKFtu +PhWgqy7UgpWRye/628at5C9m5TfGQBldSoOkUzPQGGpV3pUiHeJlQPBAYl1AAvAK +8+Y2T9iSZXUuMXiMp3lplDEzXKHjUaXXUkgFuGs/L8YB+BBNBSE/GS078kQrc6Wu +y7mmnE22aFf7G0N/hin+9QeIWJq0J09wZW5TU0wgdGVhbSA8b3BlbnNzbC10ZWFt +QG9wZW5zc2wub3JnPokCWQQwAQoAQxYhBO/ApGfWE8uDx+1tMNiU4s6LPXn1BQJZ +2fY1JR0gUmVwbGFjZWQgYnkgb3BlbnNzbC1vbWNAb3BlbnNzbC5vcmcACgkQ2JTi +zos9efVQIg/8C1c/ChPOM/ojwXA1yUeIa4rD6BXlLDetE3KIqD1MvR251xV8Ox21 +3GYFHW+6CEfQ82xiy02CB+VsYh58tMi41NDWq6fkZOW4vFnJbFx/pYk8xFMl0ml3 +LkGsh9cVoesSiEBAsF4vQ/bmCNfM68DsLtjAK7GQobcW5ArIqvgc3LlYXUspkgE9 +yMcQcPqyMsNrEPgrFCcd3fWzXF1qsO8Rtd4bwyaJACkpQnZ832wY91uuMGzWcG2A ++SxkdOFPuDkWm5l8hbA6+DpdFp/YiDnfwAZqr6uoqdkcT0e8IRsGqJ2FJ7qHeGSv +kFjkGHaOPkJM69lJIEFMCrjvBQVN4b8HhcqbnJbnrWVGFDxgSdjNvXqzBDJgDqMh +GN5ZHJhGhiZDi02uzqJ0p+OUzK1CiEo0/Mc7Nb5sVfvYrP4LoqKRceNePgwZp8Jw +OnC5U84TWa6pHYm3rijfrBPPMFex9NDQQ/KEFINhAMQVMUtj2iy5ANPpqsftOIjs +RfWWn+7QIi4EuYRADcllRaHJaTBAzI56ngkDaA55oyaMnSUnu0fjgWTiD4CEVbsS +rR0nWJKhCg5DbVwq/dImoN1iK78ziR6cJdeQhe3GY+AdWe7Ci+75TiYy8Zlh9Sz4 +mpl81xRz9eYcO/g0xG6wpPE/fqua8/AgeKArEKJWN1uvKCCFZzRB7uq5Ag0EVC/p +nwEQAMB3s+8dq5T8fW+b3OcGujEcbhyguc6D5shlNWsuCV3W7+izsVUe+0hD1YwD +30C6zj2+CJrMxPQ/BB3u3SbyHMDP5fKL7GQiA/n192hX2DuHxvQwnDNkHxYghtrF +KOlXAyte2awA0fC+e0o8lHa1Yd2ZZNqlDC23qJtLMJH8bX8CIr59KckNyv64bF+h +VPIN3evnh1Ajn4A85848EZMQcjedg72MsA3TW2D4omayY7eXE5uut7FYcY6SM4pT +hIB2X9DM39Rgy3qC4ObvEkEfaWnJfHxyXiA8XF+FZukXc/iM68P0VS/sMml9QPsY +MWnMHcGlOcuzQJRAalqZJwuK0ZIvobh/Y9rYLxrHtNCgSjaFuSN9K/YhpAxs80H6 +lVa7GCSASTRrS3OvmY++fTsUPzSOvit0kqQfimziYx7QcJIagG92mvUmuf2PEfzv +Si6iaIqMhaTaJq5qxOR0q430KakQktNPX53HflWL7YenDPYw1rEyQFxGqjaBY1X8 +NtuzZ0P4cahgsBFc8HgYu2u3Ysd5wmvSTsOXld8Qsns1KIUOpzgWw56AJ6dxS3lK +4QSUFwjzbZW9H0jJ49eBMAaA+hCjv8c/4BFuZq9Gvsafn425Lx1V/3PFJlPu55V+ +7qWjeOkSzNctMlmCqPQVetbZ/pHLAJO5IUO3SoTs5kl6bARzABEBAAGJAjwEGAEK +ACYCGwwWIQTvwKRn1hPLg8ftbTDYlOLOiz159QUCY9f9DQUJEYlG7gAKCRDYlOLO +iz159f5RD/9Dhv5+muyWX9U4wNH7Dt7KHOtFyQ6+YrlLGj6WgZlFQD3sz1hVabJs +HwFuiaIjnZmQwiUJm72jCMUncL3OsWrQXm6SU60aG20XeQl1oXWmSD9D/len23hO +Yo/3WsC3o1AIkLA9cJ3h/oo3I7RE30skw4MwQ4oCFlmidmOLvkz3TD22qxf+WaK7 +KO0vJRVHQIVl1ZdsBSSULcr8BcupKXaKSBJQDya2TkEh6OUf1B/7EIk811oeNSaL +9eJXS9VGDytVyjGGXSbudBw2XAV0/oiPPDKYElbOZH66d6marGwCCdc29cNono/7 +zf0+/hyunzY3m1PkYGyzUmfWq4WNulJ9GEAz0O1rss/4hxnGqn/m3gue+aQx4hji +/K/vAV+531YT9MEp6m6e3074a7Hvn2l/tsBoL1Xseb6J9ZGL8fnZiuG6RF4sP1Lz +sQXmyjgr1yTlCShgNQCYXAgprWXPCwv176kL0WxkGhcI+GmSe3kNWr3HYoeTfBQ/ +G8GWaIZ2qJRY/d/P9bgWu3oztWcVqEDorK3Pbu5/VeIeEfIkc717EgvdZU4EB70v +E/jnY1V9GLFzdPcygy7bz5aA4IA/Y12VFdhQ9/E7HFvEv0KUa294rQiH86lRyCJI +aEUqeymypLjoU2oeR4Cujkne+5spQHBfn2/RWGqH28v+vqHysb/8GA== +=Q+Oa +-----END PGP PUBLIC KEY BLOCK----- diff --git a/reproducibledate.patch b/reproducibledate.patch new file mode 100644 index 0000000..126b190 --- /dev/null +++ b/reproducibledate.patch @@ -0,0 +1,13 @@ +diff --git a/apps/progs.pl b/apps/progs.pl +index 5767140..834544a 100644 +--- a/apps/progs.pl ++++ b/apps/progs.pl +@@ -17,7 +17,7 @@ use configdata qw/@disablables %unified_info/; + my %commands = (); + my $cmdre = qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/; + my $apps_openssl = shift @ARGV; +-my $YEAR = [localtime()]->[5] + 1900; ++my $YEAR = 2024; + + # because the program apps/openssl has object files as sources, and + # they then have the corresponding C files as source, we need to chain diff --git a/showciphers.c b/showciphers.c new file mode 100644 index 0000000..9001c31 --- /dev/null +++ b/showciphers.c @@ -0,0 +1,27 @@ +#include +#include + +int main() { + SSL_CTX *ctx = NULL; + SSL *ssl = NULL; + STACK_OF(SSL_CIPHER) *sk = NULL; + const SSL_METHOD *meth = TLS_server_method(); + int i; + const char *p; + + ctx = SSL_CTX_new(meth); + if (ctx == NULL) + return 1; + ssl = SSL_new(ctx); + if (ssl == NULL) + return 1; + sk = SSL_get_ciphers(ssl); + for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { + const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i); + p = SSL_CIPHER_get_name(c); + if (p == NULL) + break; + printf("%s\n", p); + } + return 0; +}