diff --git a/openssl-3.1.4.tar.gz b/openssl-3.1.4.tar.gz
deleted file mode 100644
index dde84fd..0000000
--- a/openssl-3.1.4.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3
-size 15569450
diff --git a/openssl-3.1.4.tar.gz.asc b/openssl-3.1.4.tar.gz.asc
deleted file mode 100644
index d7c5025..0000000
--- a/openssl-3.1.4.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmU3yaoACgkQ2JTizos9
-efXt8BAAqcF9RBzduklMCXSfG4Rzs2KcWmR1+BB0izxG3KwPr+r54qBbSRCCImHA
-U22An//xsDsQZ0K4rrkkkumpJCxLV/4F3TlEBdoCS4wzDXz/LfONzTuZ8Z3QP/Si
-ElHTKdqPo2tp6LrDIUSGa9BmK1AsxkhOoC/uJlGpLP0mLJGI3PGo5ordyERAjL/C
-hTumE16ErrXY3kHVPAeD6tJlxtV3M9UxsZAOK6LVfnhXLzz8hWMu2H5ZigXZWCDx
-NG6ylV4xxfqO9eLxT2wUrJzg24w0VZzmbD+ZeZ24v9aAxGsbl3ZHLgMKkDehNNuP
-0ADh3aGq9FkIg5n53UQu0pbOc6aBPgWwVuaNfxOheG2GqBCoca42ikW20QZyJAec
-h3uLQ76vnWOjUIjeRCjpw0+OCUaWr0wx5WzzfdgYc813VwN6FaC9ZmB46oaLfIeD
-MBAyuUxdTif/7SXmGgUIQDIf4Vxr2H7I0NyyDxD+y+C2gwn+zVvuVcBBc2cNq4QN
-UINxZvm75CwaCsys+MDjSneDhpcSlAPqTJqM3DvKf/r3+27buz+sFw463fTHnv0F
-FpyBPgvvusY4Z4h/jqLcfkl2MBOxlo+lpZJdPpQoEvGz751GsKmmtb0YgZ7BjrYs
-5vFvo0EJ066J9bWLbp6VZd825B9P2Uy7u3sUz+E5nuavT4eHv7o=
-=EH33
------END PGP SIGNATURE-----
diff --git a/openssl-3.2.0.tar.gz b/openssl-3.2.0.tar.gz
new file mode 100644
index 0000000..bb15ed1
--- /dev/null
+++ b/openssl-3.2.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:14c826f07c7e433706fb5c69fa9e25dab95684844b4c962a2cf1bf183eb4690e
+size 17698352
diff --git a/openssl-3.2.0.tar.gz.asc b/openssl-3.2.0.tar.gz.asc
new file mode 100644
index 0000000..bb23a2c
--- /dev/null
+++ b/openssl-3.2.0.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmVfUa8ACgkQ2JTizos9
+efX/mg/+NZWf13Ny/NNLImxaTedNHOospiB1zs+lO1MNSoVCTKV+BkOcTAdFVKpb
+r20CKwoXHW3wiAtf+Apa/JBp1KImvmCnVpz2/CdpQi4wBIQzXBl9ADDy0YxtFdEe
+4Wy2SczSifYmJSLX4vW28gv9PtD96ghiYRqp/BXu5mud4n/zctILrpsZ2vQUWfsi
+emRAspQKHVowiZHR35qxVceiscvwcXs2yTJR5aWh6Q50ON2+AUGQN7XvybYV1jyp
+3E2ZAhUjCW+5H2RY3HaldFsL5EyJFYN+RIC9hiLdrdE8vPHGWwEXIzJnq4jmukXW
+X5hZZGtR2IrYAOKn/j0kKU25II+yGhzRrCLsgW+4ErQXPeCjfzdFmAaOY1EjPwAf
+ijSoewnY0iQI/WQDF90c4x3eFFioSAT7Kf8Qff1MOcKzH/Y+bldUA4g0XfutL4p1
+Oh66cmSsTyAH57MLgu/4x8H7ixzRsB39D5hmVJMiBgIv3vr8yUxG0JcTxRWeVHVv
+DBCKXzdJxhnvy2XV9Dgox1S59yzmGFXBseS2tVGbN167Qn3jZagQWq67GbL2IQTv
+Y9OFUNyhbBFZvs3qmov6q/l/F/BEI0lOOA4R3H6QTlnhtfli5wJ5CD89Fo3tpqvE
+VHm2hqXynASs1E+6Eik7Xt+g1r8uVf1saCBHM3U6tBzpJk4FDYM=
+=rgzJ
+-----END PGP SIGNATURE-----
diff --git a/openssl-3.changes b/openssl-3.changes
index e723227..787349b 100644
--- a/openssl-3.changes
+++ b/openssl-3.changes
@@ -1,3 +1,275 @@
+-------------------------------------------------------------------
+Thu Nov 23 16:07:51 UTC 2023 - Otto Hollmann
+
+- Update to 3.2.0:
+ * The BLAKE2b hash algorithm supports a configurable output length
+ by setting the "size" parameter.
+ * Enable extra Arm64 optimization on Windows for GHASH, RAND and
+ AES.
+ * Added a function to delete objects from store by URI -
+ OSSL_STORE_delete() and the corresponding provider-storemgmt API
+ function OSSL_FUNC_store_delete().
+ * Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to
+ pass a passphrase callback when opening a store.
+ * Changed the default salt length used by PBES2 KDF's (PBKDF2 and
+ scrypt) from 8 bytes to 16 bytes. The PKCS5 (RFC 8018) standard
+ uses a 64 bit salt length for PBE, and recommends a minimum of 64
+ bits for PBES2. For FIPS compliance PBKDF2 requires a salt length
+ of 128 bits. This affects OpenSSL command line applications such
+ as "genrsa" and "pkcs8" and API's such as
+ PEM_write_bio_PrivateKey() that are reliant on the default value.
+ The additional commandline option 'saltlen' has been added to the
+ OpenSSL command line applications for "pkcs8" and "enc" to allow
+ the salt length to be set to a non default value.
+ * Changed the default value of the ess_cert_id_alg configuration
+ option which is used to calculate the TSA's public key
+ certificate identifier. The default algorithm is updated to be
+ sha256 instead of sha1.
+ * Added optimization for SM2 algorithm on aarch64. It uses a huge
+ precomputed table for point multiplication of the base point,
+ which increases the size of libcrypto from 4.4 MB to 4.9 MB. A
+ new configure option no-sm2-precomp has been added to disable the
+ precomputed table.
+ * Added client side support for QUIC
+ * Added multiple tutorials on the OpenSSL library and in particular
+ on writing various clients (using TLS and QUIC protocols) with
+ libssl.
+ * Added secp384r1 implementation using Solinas' reduction to improve
+ speed of the NIST P-384 elliptic curve. To enable the
+ implementation the build option enable-ec_nistp_64_gcc_128 must
+ be used.
+ * Improved RFC7468 compliance of the asn1parse command.
+ * Added SHA256/192 algorithm support.
+ * Added support for securely getting root CA certificate update in
+ CMP.
+ * Improved contention on global write locks by using more read locks
+ where appropriate.
+ * Improved performance of OSSL_PARAM lookups in performance critical
+ provider functions.
+ * Added the SSL_get0_group_name() function to provide access to the
+ name of the group used for the TLS key exchange.
+ * Provide a new configure option no-http that can be used to disable
+ the HTTP support. Provide new configure options no-apps and
+ no-docs to disable building the openssl command line application
+ and the documentation.
+ * Provide a new configure option no-ecx that can be used to disable
+ the X25519, X448, and EdDSA support.
+ * When multiple OSSL_KDF_PARAM_INFO parameters are passed to the
+ EVP_KDF_CTX_set_params() function they are now concatenated not
+ just for the HKDF algorithm but also for SSKDF and X9.63 KDF
+ algorithms.
+ * Added OSSL_FUNC_keymgmt_im/export_types_ex() provider functions
+ that get the provider context as a parameter.
+ * TLS round-trip time calculation was added by a Brigham Young
+ University Capstone team partnering with Sandia National
+ Laboratories. A new function in ssl_lib titled
+ SSL_get_handshake_rtt will calculate and retrieve this value.
+ * Added the "-quic" option to s_client to enable connectivity to
+ QUIC servers. QUIC requires the use of ALPN, so this must be
+ specified via the "-alpn" option. Use of the "advanced" s_client
+ command command via the "-adv" option is recommended.
+ * Added an "advanced" command mode to s_client. Use this with
+ the "-adv" option. The old "basic" command mode recognises
+ certain letters that must always appear at the start of a line
+ and cannot be escaped. The advanced command mode enables commands
+ to be entered anywhere and there is an escaping mechanism. After
+ starting s_client with "-adv" type "{help}" to show a list of
+ available commands.
+ * Add Raw Public Key (RFC7250) support. Authentication is supported
+ by matching keys against either local policy (TLSA records
+ synthesised from the expected keys) or DANE (TLSA records
+ obtained by the application from DNS). TLSA records will also
+ match the same key in the server certificate, should RPK use not
+ happen to be negotiated.
+ * Added support for modular exponentiation and CRT offloading for
+ the S390x architecture.
+ * Added further assembler code for the RISC-V architecture.
+ * Added EC_GROUP_to_params() which creates an OSSL_PARAM array from
+ a given EC_GROUP.
+ * Improved support for non-default library contexts and property
+ queries when parsing PKCS#12 files.
+ * Implemented support for all five instances of EdDSA from RFC8032:
+ Ed25519, Ed25519ctx, Ed25519ph, Ed448, and Ed448ph. The streaming
+ is not yet supported for the HashEdDSA variants (Ed25519ph and
+ Ed448ph).
+ * Added SM4 optimization for ARM processors using ASIMD and AES HW
+ instructions.
+ * Implemented SM4-XTS support.
+ * Added platform-agnostic OSSL_sleep() function.
+ * Implemented deterministic ECDSA signatures (RFC6979) support.
+ * Implemented AES-GCM-SIV (RFC8452) support.
+ * Added support for pluggable (provider-based) TLS signature
+ algorithms. This enables TLS 1.3 authentication operations with
+ algorithms embedded in providers not included by default in
+ OpenSSL. In combination with the already available pluggable KEM
+ and X.509 support, this enables for example suitable providers to
+ deliver post-quantum or quantum-safe cryptography to OpenSSL
+ users.
+ * Added support for pluggable (provider-based) CMS signature
+ algorithms. This enables CMS sign and verify operations with
+ algorithms embedded in providers not included by default in
+ OpenSSL.
+ * Added support for Hybrid Public Key Encryption (HPKE) as defined
+ in RFC9180. HPKE is required for TLS Encrypted ClientHello
+ (ECH), Message Layer Security (MLS) and other IETF
+ specifications. HPKE can also be used by other applications that
+ require encrypting "to" an ECDH public key. External APIs are
+ defined in include/openssl/hpke.h and documented in
+ doc/man3/OSSL_HPKE_CTX_new.pod
+ * Implemented HPKE DHKEM support in providers used by HPKE
+ (RFC9180) API.
+ * Add support for certificate compression (RFC8879), including
+ library support for Brotli and Zstandard compression.
+ * Add the ability to add custom attributes to PKCS12 files. Add a
+ new API PKCS12_create_ex2, identical to the existing
+ PKCS12_create_ex but allows for a user specified callback and
+ optional argument. Added a new PKCS12_SAFEBAG_set0_attr, which
+ allows for a new attr to be added to the existing STACK_OF
+ attrs.
+ * Major refactor of the libssl record layer.
+ * Add a mac salt length option for the pkcs12 command.
+ * Add more SRTP protection profiles from RFC8723 and RFC8269.
+ * Extended Kernel TLS (KTLS) to support TLS 1.3 receive offload.
+ * Add support for TCP Fast Open (RFC7413) to macOS, Linux, and
+ FreeBSD where supported and enabled.
+ * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK
+ (RFC 5489) to the list of ciphersuites providing Perfect Forward
+ Secrecy as required by SECLEVEL >= 3.
+ * Add new SSL APIs to aid in efficiently implementing TLS/SSL
+ fingerprinting. The SSL_CTRL_GET_IANA_GROUPS control code,
+ exposed as the SSL_get0_iana_groups() function-like macro,
+ retrieves the list of supported groups sent by the peer. The
+ function SSL_client_hello_get_extension_order() populates a
+ caller-supplied array with the list of extension types present in
+ the ClientHello, in order of appearance.
+ * Fixed PEM_write_bio_PKCS8PrivateKey() and
+ PEM_write_bio_PKCS8PrivateKey_nid() to make it possible to use
+ empty passphrase strings.
+ * The PKCS12_parse() function now supports MAC-less PKCS12 files.
+ * Added ASYNC_set_mem_functions() and ASYNC_get_mem_functions
+ () calls to be able to change functions used for allocating the
+ memory of asynchronous call stack.
+ * Added support for signed BIGNUMs in the OSSL_PARAM APIs.
+ * A failure exit code is returned when using the openssl x509
+ command to check certificate attributes and the checks fail.
+ * The default SSL/TLS security level has been changed from 1 to 2.
+ RSA, DSA and DH keys of 1024 bits and above and less than 2048
+ bits and ECC keys of 160 bits and above and less than 224 bits
+ were previously accepted by default but are now no longer
+ allowed. By default TLS compression was already disabled in
+ previous OpenSSL versions. At security level 2 it cannot be
+ enabled.
+ * The SSL_CTX_set_cipher_list family functions now accept ciphers
+ using their IANA standard names.
+ * The PVK key derivation function has been moved from b2i_PVK_bio_ex
+ () into the legacy crypto provider as an EVP_KDF. Applications
+ requiring this KDF will need to load the legacy crypto provider.
+ * CCM8 cipher suites in TLS have been downgraded to security level
+ zero because they use a short authentication tag which lowers
+ their strength.
+ * Subject or issuer names in X.509 objects are now displayed as
+ UTF-8 strings by default.
+ * Add X.509 certificate codeSigning purpose and related checks on
+ key usage and extended key usage of the leaf certificate
+ according to the CA/Browser Forum.
+ * The x509, ca, and req apps now produce X.509 v3 certificates.
+ The -x509v1 option of req prefers generation of X.509 v1
+ certificates. X509_sign() and X509_sign_ctx() make sure that the
+ certificate has X.509 version 3 if the certificate information
+ includes X.509 extensions.
+ * Fix and extend certificate handling and the apps x509, verify etc.
+ such as adding a trace facility for debugging certificate chain
+ building.
+ * Various fixes and extensions to the CMP+CRMF implementation and
+ the cmp app in particular supporting requests for central key
+ generation, generalized polling, and various types of genm/genp
+ exchanges defined in CMP Updates.
+ * Fixes and extensions to the HTTP client and to the HTTP server in
+ apps/ like correcting the TLS and proxy support and adding
+ tracing for debugging.
+ * Extended the CMS API for handling CMS_SignedData and
+ CMS_EnvelopedData.
+ * CMS_add0_cert() and CMS_add1_cert() no longer throw an error if a
+ certificate to be added is already present. CMS_sign_ex() and
+ CMS_sign() now ignore any duplicate certificates in their certs
+ argument and no longer throw an error for them.
+ * Fixed and extended util/check-format.pl for checking adherence to
+ the coding style
+ https://www.openssl.org/policies/technical/coding-style.html. The
+ checks are meanwhile more complete and yield fewer false
+ positives.
+ * Added BIO_s_dgram_pair() and BIO_s_dgram_mem() that provide
+ memory-based BIOs with datagram semantics and support for
+ BIO_sendmmsg() and BIO_recvmmsg() calls. They can be used as the
+ transport BIOs for QUIC.
+ * Add new BIO_sendmmsg() and BIO_recvmmsg() BIO methods which allow
+ sending and receiving multiple messages in a single call. An
+ implementation is provided for BIO_dgram. For further details,
+ see BIO_sendmmsg(3).
+ * Support for loading root certificates from the Windows certificate
+ store has been added. The support is in the form of a store which
+ recognises the URI string of org.openssl.winstore://. This URI
+ scheme currently takes no arguments. This store is built by
+ default and can be disabled using the new compile-time option
+ no-winstore. This store is not currently used by default and must
+ be loaded explicitly using the above store URI. It is expected to
+ be loaded by default in the future.
+ * Enable KTLS with the TLS 1.3 CCM mode ciphersuites. Note that some
+ linux kernel versions that support KTLS have a known bug in CCM
+ processing. That has been fixed in stable releases starting from
+ 5.4.164, 5.10.84, 5.15.7, and all releases since 5.16. KTLS with
+ CCM ciphersuites should be only used on these releases.
+ * Added -ktls option to s_server and s_client commands to enable the
+ KTLS support.
+ * Zerocopy KTLS sendfile() support on Linux.
+ * The OBJ_ calls are now thread safe using a global lock.
+ * New parameter -digest for openssl cms command allowing signing
+ pre-computed digests and new CMS API functions supporting that
+ functionality.
+ * OPENSSL_malloc() and other allocation functions now raise errors
+ on allocation failures. The callers do not need to explicitly
+ raise errors unless they want to for tracing purposes.
+ * Added and enabled by default implicit rejection in RSA PKCS#1 v1.5
+ decryption as a protection against Bleichenbacher-like attacks.
+ The RSA decryption API will now return a randomly generated
+ deterministic message instead of an error in case it detects an
+ error when checking padding during PKCS#1 v1.5 decryption. This
+ is a general protection against issues like CVE-2020-25659 and
+ CVE-2020-25657. This protection can be disabled by calling
+ EVP_PKEY_CTX_ctrl_str
+ (ctx, "rsa_pkcs1_implicit_rejection". "0") on the RSA decryption
+ context.
+ * Added support for Brainpool curves in TLS-1.3.
+ * Added OpenBSD specific build targets.
+ * Support for Argon2d, Argon2i, Argon2id KDFs has been added along
+ with a basic thread pool implementation for select platforms.
+- Revert 0e55c3ab to resolve 'libssl.so: undefined reference to `ossl_safe_getenv'
+ introduced by our patch openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+ * Add openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch
+- Remove patches (already upsteram):
+ * openssl-Add_support_for_Windows_CA_certificate_store.patch
+ * openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
+ * openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
+ * openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
+ * openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
+ * openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
+ * openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
+ * openssl-CVE-2023-5678.patch
+- Refresh patches:
+ * openssl-no-html-docs.patch
+ * openssl-truststore.patch
+ * openssl-pkgconfig.patch
+ * openssl-DEFAULT_SUSE_cipher.patch
+ * openssl-ppc64-config.patch
+ * openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+ * openssl-Override-default-paths-for-the-CA-directory-tree.patch
+ * openssl-Add-FIPS_mode-compatibility-macro.patch
+ * openssl-Add-Kernel-FIPS-mode-flag-support.patch
+- Drop openssl-no-date.patch
+ Upstream added support for reproducible builds via SOURCE_DATE_EPOCH in
+ https://github.com/openssl/openssl/commit/8a8d9e190533ee41e8b231b18c7837f98f1ae231
+ thereby making this patch obsolete as builds *should* still be reproducible.
+
 -------------------------------------------------------------------
 Mon Nov 13 09:29:26 UTC 2023 - Otto Hollmann
diff --git a/openssl-3.spec b/openssl-3.spec
index 592d2c5..d44bdb1 100644
--- a/openssl-3.spec
+++ b/openssl-3.spec
@@ -22,7 +22,7 @@
 %define man_suffix 3ssl
 Name: openssl-3
 # Don't forget to update the version in the "openssl" meta-package!
-Version: 3.1.4
+Version: 3.2.0
 Release: 0
 Summary: Secure Sockets and Transport Layer Security
 License: Apache-2.0
@@ -42,26 +42,15 @@ Patch2: openssl-truststore.patch
 Patch3: openssl-pkgconfig.patch
 Patch4: openssl-DEFAULT_SUSE_cipher.patch
 Patch5: openssl-ppc64-config.patch
-Patch6: openssl-no-date.patch
 # Add crypto-policies support
-Patch7: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
-Patch8: openssl-Override-default-paths-for-the-CA-directory-tree.patch
-# PATCH-FIX-UPSTREAM: bsc#1209430 Upgrade OpenSSL from 3.0.8 to 3.1.0 in TW
-Patch9: openssl-Add_support_for_Windows_CA_certificate_store.patch
+Patch6: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+Patch7: openssl-Override-default-paths-for-the-CA-directory-tree.patch
+# PATCH-FIX-OPENSUSE: Revert of 0e55c3ab8d702ffc897c9beb51d19b14b789618
+# Makefile: Call mknum.pl on 'make ordinals' only if needed
+Patch8: openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch
 # PATCH-FIX-FEDORA Add FIPS_mode compatibility macro and flag support
-Patch10: openssl-Add-FIPS_mode-compatibility-macro.patch
-Patch11: openssl-Add-Kernel-FIPS-mode-flag-support.patch
-# PATCH-FIX-UPSTREAM jsc#PED-5086, jsc#PED-3514
-# POWER10 performance enhancements for cryptography
-Patch12: openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
-Patch13: openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
-Patch14: openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
-Patch15: openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
-Patch16: openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
-Patch17: openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
-# PATCH-FIX-UPSTREAM: bsc#1216922 CVE-2023-5678 Generating excessively long X9.42 DH keys or
-# checking excessively long X9.42 DH keys or parameters may be very slow
-Patch18: openssl-CVE-2023-5678.patch
+Patch9: openssl-Add-FIPS_mode-compatibility-macro.patch
+Patch10: openssl-Add-Kernel-FIPS-mode-flag-support.patch
 BuildRequires: pkgconfig
 BuildRequires: pkgconfig(zlib)
 Requires: 
libopenssl3 = %{version}-%{release} @@ -180,14 +169,18 @@ perl configdata.pm --dump %check # Relax the crypto-policies requirements for the regression tests -# Revert patch8 before running tests -patch -p1 -R < %{PATCH8} +# Revert patch7 before running tests +patch -p1 -R < %{PATCH7} export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) -# export HARNESS_VERBOSE=yes +#export HARNESS_VERBOSE=yes +%ifarch %{ix86} #Skip test, see issue#22837 +LD_LIBRARY_PATH="$PWD" make TESTS='-test_symbol_presence' test -j16 +%else LD_LIBRARY_PATH="$PWD" make test -j16 +%endif # show ciphers gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto diff --git a/openssl-Add-FIPS_mode-compatibility-macro.patch b/openssl-Add-FIPS_mode-compatibility-macro.patch index 76abdf2..587169d 100644 --- a/openssl-Add-FIPS_mode-compatibility-macro.patch +++ b/openssl-Add-FIPS_mode-compatibility-macro.patch @@ -14,11 +14,10 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd 2 files changed, 40 insertions(+) create mode 100644 include/openssl/fips.h -diff --git a/include/openssl/fips.h b/include/openssl/fips.h -new file mode 100644 -index 0000000000..4162cbf88e +Index: openssl-3.2.0/include/openssl/fips.h +=================================================================== --- /dev/null -+++ b/include/openssl/fips.h ++++ openssl-3.2.0/include/openssl/fips.h @@ -0,0 +1,26 @@ +/* + * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. 
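Review bot: The new `# PATCH-FIX-OPENSUSE` comment above `Patch8` cites `0e55c3ab8d702ffc897c9beb51d19b14b789618`, which as written is 39 hex digits, one short of a full SHA-1, so it cannot be looked up as a commit id; verify the hash and use either the full 40-digit id or the short form the changelog already uses (`0e55c3ab`). The comment also gives only the subject of the reverted upstream commit, not why this package reverts it, while the changelog in this same diff records the reason (Patch6 touches util/libcrypto.num and without the revert libssl.so ends up with an undefined reference to `ossl_safe_getenv`); that rationale belongs next to the patch line, e.g. `# PATCH-FIX-OPENSUSE: Revert of 0e55c3ab "Makefile: Call mknum.pl on 'make ordinals' only if needed", otherwise Patch6 leaves libssl.so with an undefined reference to ossl_safe_getenv`. Because this hunk renumbers the patches and the `%check` hunk below reverts one of them by number (`%{PATCH7}`), a one-line comment here saying that `%check` depends on the number of the CA-directory patch would reduce the risk of the two drifting apart on the next renumbering.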
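Review bot: In the `%check` hunk the text `#Skip test, see issue#22837` is not a comment: rpm only treats a line that begins with `#` as a comment, and as rendered here there is no `+` marker before `#Skip`, so it appears to sit on the `%ifarch %{ix86}` line (the hunk's 14/18 line counts are consistent with that), where `#Skip`, `test,`, `see` and `issue#22837` would be parsed as extra architecture names — harmless but misleading; confirm against the raw spec. Move the note to its own line above the conditional and say which test is skipped, e.g. `# Skip test_symbol_presence on 32-bit x86, see issue#22837` followed by `%ifarch %{ix86}`, and name the tracker in the reference since `issue#22837` alone is ambiguous. A TODO to drop the exclusion once that issue is resolved is worth adding, because the skipped test (presumably the exported-symbol check, judging by its name) is the one most likely to notice a stale libcrypto.num after the mknum.pl revert introduced in this same commit. Minor style: `#export HARNESS_VERBOSE=yes` drops the space after `#` that every other comment in this section uses.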
@@ -46,11 +45,11 @@ index 0000000000..4162cbf88e +} +# endif +#endif -diff --git a/test/property_test.c b/test/property_test.c -index 45b1db3e85..8894c1c1cb 100644 ---- a/test/property_test.c -+++ b/test/property_test.c -@@ -677,6 +677,19 @@ static int test_property_list_to_string(int i) +Index: openssl-3.2.0/test/property_test.c +=================================================================== +--- openssl-3.2.0.orig/test/property_test.c ++++ openssl-3.2.0/test/property_test.c +@@ -680,6 +680,19 @@ static int test_property_list_to_string( return ret; } @@ -70,7 +69,7 @@ index 45b1db3e85..8894c1c1cb 100644 int setup_tests(void) { ADD_TEST(test_property_string); -@@ -690,6 +703,7 @@ int setup_tests(void) +@@ -693,6 +706,7 @@ int setup_tests(void) ADD_TEST(test_property); ADD_TEST(test_query_cache_stochastic); ADD_TEST(test_fips_mode); @@ -78,6 +77,3 @@ index 45b1db3e85..8894c1c1cb 100644 ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests)); return 1; } --- -2.41.0 - diff --git a/openssl-Add-Kernel-FIPS-mode-flag-support.patch b/openssl-Add-Kernel-FIPS-mode-flag-support.patch index 94a80cf..3bbcfba 100644 --- a/openssl-Add-Kernel-FIPS-mode-flag-support.patch +++ b/openssl-Add-Kernel-FIPS-mode-flag-support.patch @@ -13,12 +13,12 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd include/internal/provider.h | 3 +++ 2 files changed, 39 insertions(+) -diff --git a/crypto/context.c b/crypto/context.c -index e294ea1512..51002ba79a 100644 ---- a/crypto/context.c -+++ b/crypto/context.c -@@ -16,6 +16,41 @@ - #include "internal/provider.h" +Index: openssl-3.2.0/crypto/context.c +=================================================================== +--- openssl-3.2.0.orig/crypto/context.c ++++ openssl-3.2.0/crypto/context.c +@@ -17,6 +17,41 @@ + #include "crypto/decoder.h" #include "crypto/context.h" +# include 
@@ -59,7 +59,7 @@ index e294ea1512..51002ba79a 100644 struct ossl_lib_ctx_st { CRYPTO_RWLOCK *lock, *rand_crngt_lock; OSSL_EX_DATA_GLOBAL global; -@@ -336,6 +371,7 @@ static int default_context_inited = 0; +@@ -368,6 +403,7 @@ static int default_context_inited = 0; DEFINE_RUN_ONCE_STATIC(default_context_do_init) { @@ -67,11 +67,11 @@ index e294ea1512..51002ba79a 100644 if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL)) goto err; -diff --git a/include/internal/provider.h b/include/internal/provider.h -index 18937f84c7..1446bf7afb 100644 ---- a/include/internal/provider.h -+++ b/include/internal/provider.h -@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx, +Index: openssl-3.2.0/include/internal/provider.h +=================================================================== +--- openssl-3.2.0.orig/include/internal/provider.h ++++ openssl-3.2.0/include/internal/provider.h +@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB const OSSL_DISPATCH *in); void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx); @@ -81,6 +81,3 @@ index 18937f84c7..1446bf7afb 100644 # ifdef __cplusplus } # endif --- -2.41.0 - diff --git a/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch index 1bb6aee..bb716bf 100644 --- a/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +++ b/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch 
@@ -15,9 +15,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist util/libcrypto.num | 1 8 files changed, 110 insertions(+), 14 deletions(-) ---- a/Configurations/unix-Makefile.tmpl -+++ b/Configurations/unix-Makefile.tmpl -@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man +Index: openssl-3.2.0/Configurations/unix-Makefile.tmpl +=================================================================== +--- openssl-3.2.0.orig/Configurations/unix-Makefile.tmpl ++++ openssl-3.2.0/Configurations/unix-Makefile.tmpl +@@ -324,6 +324,10 @@ MANDIR=$(INSTALLTOP)/share/man DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME) HTMLDIR=$(DOCDIR)/html @@ -28,7 +30,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist # MANSUFFIX is for the benefit of anyone who may want to have a suffix # appended after the manpage file section number. "ssl" is popular, # resulting in files such as config.5ssl rather than config.5. -@@ -338,6 +342,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} +@@ -347,6 +351,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -} CPPFLAGS={- our $cppflags1 = join(" ", (map { "-D".$_} @{$config{CPPDEFINES}}), @@ -36,14 +38,16 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist (map { "-I".$_} @{$config{CPPINCLUDES}}), @{$config{CPPFLAGS}}) -} CFLAGS={- join(' ', @{$config{CFLAGS}}) -} ---- a/Configure -+++ b/Configure +Index: openssl-3.2.0/Configure +=================================================================== +--- openssl-3.2.0.orig/Configure ++++ openssl-3.2.0/Configure 
@@ -27,7 +27,7 @@ use OpenSSL::config; my $orig_death_handler = $SIG{__DIE__}; $SIG{__DIE__} = \&death_handler; --my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; -+my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; +-my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; ++my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; my $banner = <<"EOF"; @@ -58,7 +62,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist # --banner=".." Output specified text instead of default completion banner # # -w Don't wait after showing a Configure warning -@@ -387,6 +391,7 @@ $config{prefix}=""; +@@ -394,6 +398,7 @@ $config{prefix}=""; $config{openssldir}=""; $config{processor}=""; $config{libdir}=""; 
@@ -66,7 +70,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist my $auto_threads=1; # enable threads automatically? true by default my $default_ranlib; -@@ -989,6 +994,10 @@ while (@argvcopy) +@@ -1047,6 +1052,10 @@ while (@argvcopy) die "FIPS key too long (64 bytes max)\n" if length $1 > 64; } @@ -77,9 +81,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist elsif (/^--banner=(.*)$/) { $banner = $1 . "\n"; ---- a/doc/man1/openssl-ciphers.pod.in -+++ b/doc/man1/openssl-ciphers.pod.in -@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B cipher s +Index: openssl-3.2.0/doc/man1/openssl-ciphers.pod.in +=================================================================== +--- openssl-3.2.0.orig/doc/man1/openssl-ciphers.pod.in ++++ openssl-3.2.0/doc/man1/openssl-ciphers.pod.in +@@ -190,6 +190,15 @@ As of OpenSSL 1.0.0, the B cipher s The cipher suites not enabled by B, currently B. @@ -95,9 +101,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist =item B "High" encryption cipher suites. This currently means those with key lengths ---- a/include/openssl/ssl.h.in -+++ b/include/openssl/ssl.h.in -@@ -213,6 +213,11 @@ extern "C" { +Index: openssl-3.2.0/include/openssl/ssl.h.in +=================================================================== +--- openssl-3.2.0.orig/include/openssl/ssl.h.in ++++ openssl-3.2.0/include/openssl/ssl.h.in +@@ -214,6 +214,11 @@ extern "C" { * throwing out anonymous and unencrypted ciphersuites! (The latter are not * actually enabled by ALL, but "ALL:RSA" would enable some of them.) */ 
@@ -109,9 +117,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ # define SSL_SENT_SHUTDOWN 1 ---- a/ssl/ssl_ciph.c -+++ b/ssl/ssl_ciph.c -@@ -1443,6 +1443,53 @@ int SSL_set_ciphersuites(SSL *s, const c +Index: openssl-3.2.0/ssl/ssl_ciph.c +=================================================================== +--- openssl-3.2.0.orig/ssl/ssl_ciph.c ++++ openssl-3.2.0/ssl/ssl_ciph.c +@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const c return ret; } @@ -165,7 +175,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, STACK_OF(SSL_CIPHER) *tls13_ciphersuites, STACK_OF(SSL_CIPHER) **cipher_list, -@@ -1457,15 +1504,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1469,15 +1516,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; const SSL_CIPHER **ca_list = NULL; const SSL_METHOD *ssl_method = ctx->method; @@ -193,16 +203,16 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist /* * To reduce the work to do we only want to process the compiled -@@ -1487,7 +1544,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ - co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); - if (co_list == NULL) { - ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); -- return NULL; /* Failure */ -+ goto err; +@@ -1499,7 +1556,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + if (num_of_ciphers > 0) { + co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); + if (co_list == NULL) +- return NULL; /* Failure */ ++ goto err; } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, -@@ -1553,8 +1610,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1565,8 +1622,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * in force within each class */ if (!ssl_cipher_strength_sort(&head, &tail)) { 
@@ -212,18 +222,17 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist } /* -@@ -1598,9 +1654,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1610,8 +1666,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); if (ca_list == NULL) { - OPENSSL_free(co_list); - ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); - return NULL; /* Failure */ + goto err; } ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mkey, disabled_auth, disabled_enc, -@@ -1633,8 +1688,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1644,8 +1699,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ OPENSSL_free(ca_list); /* Not needed anymore */ if (!ok) { /* Rule processing failure */ @@ -233,7 +242,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist } /* -@@ -1642,10 +1696,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1653,10 +1707,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * if we cannot get one. */ if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { @@ -249,7 +258,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist /* Add TLSv1.3 ciphers first - we always prefer those if possible */ for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); -@@ -1697,6 +1754,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1708,6 +1765,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ *cipher_list = cipherstack; return cipherstack; 
@@ -264,9 +273,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist } char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -661,7 +661,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx +Index: openssl-3.2.0/ssl/ssl_lib.c +=================================================================== +--- openssl-3.2.0.orig/ssl/ssl_lib.c ++++ openssl-3.2.0/ssl/ssl_lib.c +@@ -689,7 +689,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx ctx->tls13_ciphersuites, &(ctx->cipher_list), &(ctx->cipher_list_by_id), @@ -275,7 +286,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return 0; -@@ -3286,7 +3286,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li +@@ -3955,7 +3955,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li if (!ssl_create_cipher_list(ret, ret->tls13_ciphersuites, &ret->cipher_list, &ret->cipher_list_by_id, @@ -283,10 +294,12 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist + SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert) || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS); - goto err2; ---- a/test/cipherlist_test.c -+++ b/test/cipherlist_test.c -@@ -246,7 +246,9 @@ end: + goto err; +Index: openssl-3.2.0/test/cipherlist_test.c +=================================================================== +--- openssl-3.2.0.orig/test/cipherlist_test.c ++++ openssl-3.2.0/test/cipherlist_test.c +@@ -261,7 +261,9 @@ end: int setup_tests(void) { 
@@ -295,11 +308,13 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist +#endif ADD_TEST(test_default_cipherlist_explicit); ADD_TEST(test_default_cipherlist_clear); - return 1; ---- a/util/libcrypto.num -+++ b/util/libcrypto.num -@@ -5435,3 +5435,4 @@ EVP_MD_CTX_dup - EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION: - BN_are_coprime 5564 3_1_0 EXIST::FUNCTION: - OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP + ADD_TEST(test_stdname_cipherlist); +Index: openssl-3.2.0/util/libcrypto.num +=================================================================== +--- openssl-3.2.0.orig/util/libcrypto.num ++++ openssl-3.2.0/util/libcrypto.num +@@ -5536,3 +5536,4 @@ X509_STORE_CTX_set_get_crl + X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION: + OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION: + BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK +ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: diff --git a/openssl-Add_support_for_Windows_CA_certificate_store.patch b/openssl-Add_support_for_Windows_CA_certificate_store.patch deleted file mode 100644 index cd143e0..0000000 --- a/openssl-Add_support_for_Windows_CA_certificate_store.patch +++ /dev/null 
@@ -1,743 +0,0 @@ -From 2a071544f7d2e963a1f68f266f4e375568909d38 Mon Sep 17 00:00:00 2001 -From: Hugo Landau -Date: Fri, 8 Apr 2022 13:10:52 +0100 -Subject: [PATCH 1/8] Fix URI handling in SSL_CERT_DIR/introduce SSL_CERT_URI - env - -Fixes #18068. ---- - CHANGES.md | 21 - Configure | 7 - crypto/x509/by_dir.c | 17 - crypto/x509/by_store.c | 14 - crypto/x509/x509_def.c | 15 - doc/build.info | 6 - doc/man3/X509_get_default_cert_file.pod | 113 +++++ - include/internal/cryptlib.h | 11 - include/internal/e_os.h | 2 - include/openssl/x509.h.in | 3 - providers/implementations/include/prov/implementations.h | 1 - providers/implementations/storemgmt/build.info | 3 - providers/implementations/storemgmt/winstore_store.c | 327 +++++++++++++++ - providers/stores.inc | 3 - util/libcrypto.num | 3 - util/missingcrypto.txt | 4 - 16 files changed, 536 insertions(+), 14 deletions(-) - ---- a/CHANGES.md -+++ b/CHANGES.md -@@ -24,6 +24,27 @@ OpenSSL 3.1 - - ### Changes between 3.1.0 and 3.1.1 [30 May 2023] - -+ * The `SSL_CERT_PATH` and `SSL_CERT_URI` environment variables are introduced. -+ `SSL_CERT_URI` can be used to specify a URI for a root certificate store. The -+ `SSL_CERT_PATH` environment variable specifies a delimiter-separated list of -+ paths which are searched for root certificates. -+ -+ The existing `SSL_CERT_DIR` environment variable is deprecated. -+ `SSL_CERT_DIR` was previously used to specify either a delimiter-separated -+ list of paths or an URI, which is ambiguous. Setting `SSL_CERT_PATH` causes -+ `SSL_CERT_DIR` to be ignored for the purposes of determining root certificate -+ directories, and setting `SSL_CERT_URI` causes `SSL_CERT_DIR` to be ignored -+ for the purposes of determining root certificate stores. -+ -+ *Hugo Landau* -+ -+ * Support for loading root certificates from the Windows certificate store -+ has been added. The support is in the form of a store which recognises the -+ URI string of `org.openssl.winstore://`. 
This store is enabled by default and -+ can be disabled using the new compile-time option `no-winstore`. -+ -+ *Hugo Landau* -+ - * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic - OBJECT IDENTIFIER sub-identifiers to canonical numeric text form. - ---- a/Configure -+++ b/Configure -@@ -420,6 +420,7 @@ my @disablables = ( - "cached-fetch", - "camellia", - "capieng", -+ "winstore", - "cast", - "chacha", - "cmac", -@@ -1726,6 +1727,12 @@ unless ($disabled{ktls}) { - } - } - -+unless ($disabled{winstore}) { -+ unless ($target =~ /^(?:Cygwin|mingw|VC-|BC-)/) { -+ disable('not-windows', 'winstore'); -+ } -+} -+ - push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls}); - - # Get the extra flags used when building shared libraries and modules. We ---- a/crypto/x509/by_dir.c -+++ b/crypto/x509/by_dir.c -@@ -88,13 +88,18 @@ static int dir_ctrl(X509_LOOKUP *ctx, in - switch (cmd) { - case X509_L_ADD_DIR: - if (argl == X509_FILETYPE_DEFAULT) { -- const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env()); -+ /* If SSL_CERT_PATH is provided and non-empty, use that. */ -+ const char *dir = ossl_safe_getenv(X509_get_default_cert_path_env()); - -- if (dir) -- ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); -- else -- ret = add_cert_dir(ld, X509_get_default_cert_dir(), -- X509_FILETYPE_PEM); -+ /* Fallback to SSL_CERT_DIR. */ -+ if (dir == NULL) -+ dir = ossl_safe_getenv(X509_get_default_cert_dir_env()); -+ -+ /* Fallback to built-in default. */ -+ if (dir == NULL) -+ dir = X509_get_default_cert_dir(); -+ -+ ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); - if (!ret) { - ERR_raise(ERR_LIB_X509, X509_R_LOADING_CERT_DIR); - } ---- a/crypto/x509/by_store.c -+++ b/crypto/x509/by_store.c -@@ -111,11 +111,21 @@ static int by_store_ctrl_ex(X509_LOOKUP - { - switch (cmd) { - case X509_L_ADD_STORE: -- /* If no URI is given, use the default cert dir as default URI */ -+ /* First try the newer default cert URI envvar. 
*/ -+ if (argp == NULL) -+ argp = ossl_safe_getenv(X509_get_default_cert_uri_env()); -+ -+ /* If not set, see if we have a URI in the older cert dir envvar. */ - if (argp == NULL) - argp = ossl_safe_getenv(X509_get_default_cert_dir_env()); -+ -+ /* Fallback to default store URI. */ - if (argp == NULL) -- argp = X509_get_default_cert_dir(); -+ argp = X509_get_default_cert_uri(); -+ -+ /* No point adding an empty URI. */ -+ if (!*argp) -+ return 1; - - { - STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx); ---- a/crypto/x509/x509_def.c -+++ b/crypto/x509/x509_def.c -@@ -22,6 +22,11 @@ const char *X509_get_default_cert_area(v - return X509_CERT_AREA; - } - -+const char *X509_get_default_cert_uri(void) -+{ -+ return X509_CERT_URI; -+} -+ - const char *X509_get_default_cert_dir(void) - { - return X509_CERT_DIR; -@@ -32,6 +37,16 @@ const char *X509_get_default_cert_file(v - return X509_CERT_FILE; - } - -+const char *X509_get_default_cert_uri_env(void) -+{ -+ return X509_CERT_URI_EVP; -+} -+ -+const char *X509_get_default_cert_path_env(void) -+{ -+ return X509_CERT_PATH_EVP; -+} -+ - const char *X509_get_default_cert_dir_env(void) - { - return X509_CERT_DIR_EVP; ---- a/doc/build.info -+++ b/doc/build.info -@@ -2791,6 +2791,10 @@ DEPEND[html/man3/X509_get0_uids.html]=ma - GENERATE[html/man3/X509_get0_uids.html]=man3/X509_get0_uids.pod - DEPEND[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod - GENERATE[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod -+DEPEND[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod -+GENERATE[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod -+DEPEND[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod -+GENERATE[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod - DEPEND[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod - 
GENERATE[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod - DEPEND[man/man3/X509_get_extension_flags.3]=man3/X509_get_extension_flags.pod -@@ -3461,6 +3465,7 @@ html/man3/X509_get0_distinguishing_id.ht - html/man3/X509_get0_notBefore.html \ - html/man3/X509_get0_signature.html \ - html/man3/X509_get0_uids.html \ -+html/man3/X509_get_default_cert_file.html \ - html/man3/X509_get_extension_flags.html \ - html/man3/X509_get_pubkey.html \ - html/man3/X509_get_serialNumber.html \ -@@ -4064,6 +4069,7 @@ man/man3/X509_get0_distinguishing_id.3 \ - man/man3/X509_get0_notBefore.3 \ - man/man3/X509_get0_signature.3 \ - man/man3/X509_get0_uids.3 \ -+man/man3/X509_get_default_cert_file.3 \ - man/man3/X509_get_extension_flags.3 \ - man/man3/X509_get_pubkey.3 \ - man/man3/X509_get_serialNumber.3 \ ---- /dev/null -+++ b/doc/man3/X509_get_default_cert_file.pod -@@ -0,0 +1,113 @@ -+=pod -+ -+=head1 NAME -+ -+X509_get_default_cert_file, X509_get_default_cert_file_env, -+X509_get_default_cert_path_env, -+X509_get_default_cert_dir, X509_get_default_cert_dir_env, -+X509_get_default_cert_uri, X509_get_default_cert_uri_env - -+retrieve default locations for trusted CA certificates -+ -+=head1 SYNOPSIS -+ -+ #include -+ -+ const char *X509_get_default_cert_file(void); -+ const char *X509_get_default_cert_dir(void); -+ const char *X509_get_default_cert_uri(void); -+ -+ const char *X509_get_default_cert_file_env(void); -+ const char *X509_get_default_cert_path_env(void); -+ const char *X509_get_default_cert_dir_env(void); -+ const char *X509_get_default_cert_uri_env(void); -+ -+=head1 DESCRIPTION -+ -+The X509_get_default_cert_file() function returns the default path -+to a file containing trusted CA certificates. OpenSSL will use this as -+the default path when it is asked to load trusted CA certificates -+from a file and no other path is specified. If the file exists, CA certificates -+are loaded from the file. 
-+ -+The X509_get_default_cert_dir() function returns a default delimeter-separated -+list of paths to a directories containing trusted CA certificates named in the -+hashed format. OpenSSL will use this as the default list of paths when it is -+asked to load trusted CA certificates from a directory and no other path is -+specified. If a given directory in the list exists, OpenSSL attempts to lookup -+CA certificates in this directory by calculating a filename based on a hash of -+the certificate's subject name. -+ -+The X509_get_default_cert_uri() function returns the default URI for a -+certificate store accessed programmatically via an OpenSSL provider. If there is -+no default store applicable to the system for which OpenSSL was compiled, this -+returns an empty string. -+ -+X509_get_default_cert_file_env() and X509_get_default_cert_uri_env() return -+environment variable names which are recommended to specify nondefault values to -+be used instead of the values returned by X509_get_default_cert_file() and -+X509_get_default_cert_uri() respectively. The values returned by the latter -+functions are not affected by these environment variables; you must check for -+these environment variables yourself, using these functions to retrieve the -+correct environment variable names. If an environment variable is not set, the -+value returned by the corresponding function above should be used. -+ -+X509_get_default_cert_path_env() returns the environment variable name which is -+recommended to specify a nondefault value to be used instead of the value -+returned by X509_get_default_cert_dir(). This environment variable supercedes -+the deprecated environment variable whose name is returned by -+X509_get_default_cert_dir_env(). This environment variable was deprecated as its -+contents can be interpreted ambiguously; see NOTES. 
-+ -+By default, OpenSSL uses the path list specified in the environment variable -+whose name is returned by X509_get_default_cert_path_env() if it is set; -+otherwise, it uses the path list specified in the environment variable whose -+name is returned by X509_get_default_cert_dir_env() if it is set; otherwise, it -+uses the value returned by X509_get_default_cert_dir()). -+ -+=head1 NOTES -+ -+X509_get_default_cert_uri(), X509_get_default_cert_uri_env() and -+X509_get_default_cert_path_env() were introduced in OpenSSL 3.1. Prior to this -+release, store URIs were expressed via the environment variable returned by -+X509_get_default_cert_dir_env(); this environment variable could be used to -+specify either a list of directories or a store URI. This creates an ambiguity -+in which the environment variable returned by X509_get_default_cert_dir_env() is -+interpreted both as a list of directories and as a store URI. -+ -+This usage and the environment variable returned by -+X509_get_default_cert_dir_env() are now deprecated; to specify a store URI, use -+the environment variable returned by X509_get_default_cert_uri_env(), and to -+specify a list of directories, use the environment variable returned by -+X509_get_default_cert_path_env(). -+ -+=head1 RETURN VALUES -+ -+These functions return pointers to constant strings with static storage -+duration. -+ -+=head1 SEE ALSO -+ -+L, -+L, -+L, -+L, -+L, -+L, -+L, -+L -+ -+=head1 HISTORY -+ -+X509_get_default_cert_uri(), X509_get_default_cert_path_env() and -+X509_get_default_cert_uri_env() were introduced in OpenSSL 3.1. -+ -+=head1 COPYRIGHT -+ -+Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. -+ -+Licensed under the Apache License 2.0 (the "License"). You may not use -+this file except in compliance with the License. You can obtain a copy -+in the file LICENSE in the source distribution or at -+L. 
-+ -+=cut ---- a/include/internal/cryptlib.h -+++ b/include/internal/cryptlib.h -@@ -13,6 +13,8 @@ - - # include - # include -+# include "openssl/configuration.h" -+# include "internal/e_os.h" /* ossl_inline in many files */ - - # ifdef OPENSSL_USE_APPLINK - # define BIO_FLAGS_UPLINK_INTERNAL 0x8000 -@@ -77,6 +79,14 @@ DEFINE_LHASH_OF_EX(MEM); - # define CTLOG_FILE "OSSL$DATAROOT:[000000]ct_log_list.cnf" - # endif - -+#ifndef OPENSSL_NO_WINSTORE -+# define X509_CERT_URI "org.openssl.winstore://" -+#else -+# define X509_CERT_URI "" -+#endif -+ -+# define X509_CERT_URI_EVP "SSL_CERT_URI" -+# define X509_CERT_PATH_EVP "SSL_CERT_PATH" - # define X509_CERT_DIR_EVP "SSL_CERT_DIR" - # define X509_CERT_FILE_EVP "SSL_CERT_FILE" - # define CTLOG_FILE_EVP "CTLOG_FILE" -@@ -240,5 +250,4 @@ static ossl_inline int ossl_is_absolute_ - # endif - return path[0] == '/'; - } -- - #endif ---- a/include/internal/e_os.h -+++ b/include/internal/e_os.h -@@ -249,7 +249,7 @@ FILE *__iob_func(); - /***********************************************/ - - # if defined(OPENSSL_SYS_WINDOWS) --# if (_MSC_VER >= 1310) && !defined(_WIN32_WCE) -+# if defined(_MSC_VER) && (_MSC_VER >= 1310) && !defined(_WIN32_WCE) - # define open _open - # define fdopen _fdopen - # define close _close ---- a/include/openssl/x509.h.in -+++ b/include/openssl/x509.h.in -@@ -491,8 +491,11 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s - ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj); - - const char *X509_get_default_cert_area(void); -+const char *X509_get_default_cert_uri(void); - const char *X509_get_default_cert_dir(void); - const char *X509_get_default_cert_file(void); -+const char *X509_get_default_cert_uri_env(void); -+const char *X509_get_default_cert_path_env(void); - const char *X509_get_default_cert_dir_env(void); - const char *X509_get_default_cert_file_env(void); - const char *X509_get_default_private_dir(void); ---- a/providers/implementations/include/prov/implementations.h -+++ 
b/providers/implementations/include/prov/implementations.h -@@ -517,3 +517,4 @@ extern const OSSL_DISPATCH ossl_SubjectP - extern const OSSL_DISPATCH ossl_pem_to_der_decoder_functions[]; - - extern const OSSL_DISPATCH ossl_file_store_functions[]; -+extern const OSSL_DISPATCH ossl_winstore_store_functions[]; ---- a/providers/implementations/storemgmt/build.info -+++ b/providers/implementations/storemgmt/build.info -@@ -4,3 +4,6 @@ - $STORE_GOAL=../../libdefault.a - - SOURCE[$STORE_GOAL]=file_store.c file_store_any2obj.c -+IF[{- !$disabled{winstore} -}] -+ SOURCE[$STORE_GOAL]=winstore_store.c -+ENDIF ---- /dev/null -+++ b/providers/implementations/storemgmt/winstore_store.c -@@ -0,0 +1,327 @@ -+/* -+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include /* The OSSL_STORE_INFO type numbers */ -+#include "internal/cryptlib.h" -+#include "internal/o_dir.h" -+#include "crypto/decoder.h" -+#include "crypto/ctype.h" /* ossl_isdigit() */ -+#include "prov/implementations.h" -+#include "prov/bio.h" -+#include "file_store_local.h" -+ -+#include -+ -+enum { -+ STATE_IDLE, -+ STATE_READ, -+ STATE_EOF, -+}; -+ -+struct winstore_ctx_st { -+ void *provctx; -+ char *propq; -+ unsigned char *subject; -+ size_t subject_len; -+ -+ HCERTSTORE win_store; -+ const CERT_CONTEXT *win_ctx; -+ int state; -+ -+ OSSL_DECODER_CTX *dctx; -+}; -+ -+static void winstore_win_reset(struct winstore_ctx_st *ctx) -+{ -+ if (ctx->win_ctx != NULL) { -+ CertFreeCertificateContext(ctx->win_ctx); -+ ctx->win_ctx = NULL; -+ } -+ -+ ctx->state = STATE_IDLE; -+} -+ -+static void winstore_win_advance(struct winstore_ctx_st 
*ctx) -+{ -+ CERT_NAME_BLOB name = {0}; -+ -+ if (ctx->state == STATE_EOF) -+ return; -+ -+ name.cbData = ctx->subject_len; -+ name.pbData = ctx->subject; -+ -+ ctx->win_ctx = (name.cbData == 0 ? NULL : -+ CertFindCertificateInStore(ctx->win_store, -+ X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, -+ 0, CERT_FIND_SUBJECT_NAME, -+ &name, ctx->win_ctx)); -+ -+ ctx->state = (ctx->win_ctx == NULL) ? STATE_EOF : STATE_READ; -+} -+ -+static void *winstore_open(void *provctx, const char *uri) -+{ -+ struct winstore_ctx_st *ctx = NULL; -+ -+ if (!HAS_CASE_PREFIX(uri, "org.openssl.winstore:")) -+ return NULL; -+ -+ ctx = OPENSSL_zalloc(sizeof(*ctx)); -+ if (ctx == NULL) -+ return NULL; -+ -+ ctx->provctx = provctx; -+ ctx->win_store = CertOpenSystemStoreW(0, L"ROOT"); -+ if (ctx->win_store == NULL) { -+ OPENSSL_free(ctx); -+ return NULL; -+ } -+ -+ winstore_win_reset(ctx); -+ return ctx; -+} -+ -+static void *winstore_attach(void *provctx, OSSL_CORE_BIO *cin) -+{ -+ return NULL; /* not supported */ -+} -+ -+static const OSSL_PARAM *winstore_settable_ctx_params(void *loaderctx, const OSSL_PARAM params[]) -+{ -+ static const OSSL_PARAM known_settable_ctx_params[] = { -+ OSSL_PARAM_octet_string(OSSL_STORE_PARAM_SUBJECT, NULL, 0), -+ OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, NULL, 0), -+ OSSL_PARAM_END -+ }; -+ return known_settable_ctx_params; -+} -+ -+static int winstore_set_ctx_params(void *loaderctx, const OSSL_PARAM params[]) -+{ -+ struct winstore_ctx_st *ctx = loaderctx; -+ const OSSL_PARAM *p; -+ int do_reset = 0; -+ -+ if (params == NULL) -+ return 1; -+ -+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES); -+ if (p != NULL) { -+ do_reset = 1; -+ OPENSSL_free(ctx->propq); -+ ctx->propq = NULL; -+ if (!OSSL_PARAM_get_utf8_string(p, &ctx->propq, 0)) -+ return 0; -+ } -+ -+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SUBJECT); -+ if (p != NULL) { -+ const unsigned char *der = NULL; -+ size_t der_len = 0; -+ -+ if 
(!OSSL_PARAM_get_octet_string_ptr(p, (const void **)&der, &der_len)) -+ return 0; -+ -+ do_reset = 1; -+ -+ OPENSSL_free(ctx->subject); -+ -+ ctx->subject = OPENSSL_malloc(der_len); -+ if (ctx->subject == NULL) { -+ ctx->subject_len = 0; -+ return 0; -+ } -+ -+ ctx->subject_len = der_len; -+ memcpy(ctx->subject, der, der_len); -+ } -+ -+ if (do_reset) { -+ winstore_win_reset(ctx); -+ winstore_win_advance(ctx); -+ } -+ -+ return 1; -+} -+ -+struct load_data_st { -+ OSSL_CALLBACK *object_cb; -+ void *object_cbarg; -+}; -+ -+static int load_construct(OSSL_DECODER_INSTANCE *decoder_inst, -+ const OSSL_PARAM *params, void *construct_data) -+{ -+ struct load_data_st *data = construct_data; -+ return data->object_cb(params, data->object_cbarg); -+} -+ -+static void load_cleanup(void *construct_data) -+{ -+ /* No-op. */ -+} -+ -+static int setup_decoder(struct winstore_ctx_st *ctx) -+{ -+ OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(ctx->provctx); -+ const OSSL_ALGORITHM *to_algo = NULL; -+ -+ if (ctx->dctx != NULL) -+ return 1; -+ -+ ctx->dctx = OSSL_DECODER_CTX_new(); -+ if (ctx->dctx == NULL) { -+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); -+ return 0; -+ } -+ -+ if (!OSSL_DECODER_CTX_set_input_type(ctx->dctx, "DER")) { -+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); -+ goto err; -+ } -+ -+ if (!OSSL_DECODER_CTX_set_input_structure(ctx->dctx, "Certificate")) { -+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); -+ goto err; -+ } -+ -+ for (to_algo = ossl_any_to_obj_algorithm; -+ to_algo->algorithm_names != NULL; -+ to_algo++) { -+ OSSL_DECODER *to_obj = NULL; -+ OSSL_DECODER_INSTANCE *to_obj_inst = NULL; -+ -+ /* -+ * Create the internal last resort decoder implementation -+ * together with a "decoder instance". -+ * The decoder doesn't need any identification or to be -+ * attached to any provider, since it's only used locally. 
-+ */ -+ to_obj = ossl_decoder_from_algorithm(0, to_algo, NULL); -+ if (to_obj != NULL) -+ to_obj_inst = ossl_decoder_instance_new(to_obj, ctx->provctx); -+ -+ OSSL_DECODER_free(to_obj); -+ if (to_obj_inst == NULL) -+ goto err; -+ -+ if (!ossl_decoder_ctx_add_decoder_inst(ctx->dctx, -+ to_obj_inst)) { -+ ossl_decoder_instance_free(to_obj_inst); -+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); -+ goto err; -+ } -+ } -+ -+ if (!OSSL_DECODER_CTX_add_extra(ctx->dctx, libctx, ctx->propq)) { -+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); -+ goto err; -+ } -+ -+ if (!OSSL_DECODER_CTX_set_construct(ctx->dctx, load_construct)) { -+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); -+ goto err; -+ } -+ -+ if (!OSSL_DECODER_CTX_set_cleanup(ctx->dctx, load_cleanup)) { -+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); -+ goto err; -+ } -+ -+ return 1; -+ -+err: -+ OSSL_DECODER_CTX_free(ctx->dctx); -+ ctx->dctx = NULL; -+ return 0; -+} -+ -+static int winstore_load_using(struct winstore_ctx_st *ctx, -+ OSSL_CALLBACK *object_cb, void *object_cbarg, -+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg, -+ const void *der, size_t der_len) -+{ -+ struct load_data_st data; -+ const unsigned char *der_ = der; -+ size_t der_len_ = der_len; -+ -+ if (setup_decoder(ctx) == 0) -+ return 0; -+ -+ data.object_cb = object_cb; -+ data.object_cbarg = object_cbarg; -+ -+ OSSL_DECODER_CTX_set_construct_data(ctx->dctx, &data); -+ OSSL_DECODER_CTX_set_passphrase_cb(ctx->dctx, pw_cb, pw_cbarg); -+ -+ if (OSSL_DECODER_from_data(ctx->dctx, &der_, &der_len_) == 0) -+ return 0; -+ -+ return 1; -+} -+ -+static int winstore_load(void *loaderctx, -+ OSSL_CALLBACK *object_cb, void *object_cbarg, -+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) -+{ -+ int ret = 0; -+ struct winstore_ctx_st *ctx = loaderctx; -+ -+ if (ctx->state != STATE_READ) -+ return 0; -+ -+ ret = winstore_load_using(ctx, object_cb, object_cbarg, pw_cb, pw_cbarg, -+ ctx->win_ctx->pbCertEncoded, -+ ctx->win_ctx->cbCertEncoded); 
-+ -+ if (ret == 1) -+ winstore_win_advance(ctx); -+ -+ return ret; -+} -+ -+static int winstore_eof(void *loaderctx) -+{ -+ struct winstore_ctx_st *ctx = loaderctx; -+ -+ return ctx->state != STATE_READ; -+} -+ -+static int winstore_close(void *loaderctx) -+{ -+ struct winstore_ctx_st *ctx = loaderctx; -+ -+ winstore_win_reset(ctx); -+ CertCloseStore(ctx->win_store, 0); -+ OSSL_DECODER_CTX_free(ctx->dctx); -+ OPENSSL_free(ctx->propq); -+ OPENSSL_free(ctx->subject); -+ OPENSSL_free(ctx); -+ return 1; -+} -+ -+const OSSL_DISPATCH ossl_winstore_store_functions[] = { -+ { OSSL_FUNC_STORE_OPEN, (void (*)(void))winstore_open }, -+ { OSSL_FUNC_STORE_ATTACH, (void (*)(void))winstore_attach }, -+ { OSSL_FUNC_STORE_SETTABLE_CTX_PARAMS, (void (*)(void))winstore_settable_ctx_params }, -+ { OSSL_FUNC_STORE_SET_CTX_PARAMS, (void (*)(void))winstore_set_ctx_params }, -+ { OSSL_FUNC_STORE_LOAD, (void (*)(void))winstore_load }, -+ { OSSL_FUNC_STORE_EOF, (void (*)(void))winstore_eof }, -+ { OSSL_FUNC_STORE_CLOSE, (void (*)(void))winstore_close }, -+ { 0, NULL }, -+}; ---- a/providers/stores.inc -+++ b/providers/stores.inc -@@ -12,3 +12,6 @@ - #endif - - STORE("file", "yes", ossl_file_store_functions) -+#ifndef OPENSSL_NO_WINSTORE -+STORE("org.openssl.winstore", "yes", ossl_winstore_store_functions) -+#endif ---- a/util/libcrypto.num -+++ b/util/libcrypto.num -@@ -5435,4 +5435,7 @@ EVP_MD_CTX_dup - EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION: - BN_are_coprime 5564 3_1_0 EXIST::FUNCTION: - OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP -+X509_get_default_cert_uri ? 3_1_0 EXIST::FUNCTION: -+X509_get_default_cert_uri_env ? 3_1_0 EXIST::FUNCTION: -+X509_get_default_cert_path_env ? 3_1_0 EXIST::FUNCTION: - ossl_safe_getenv ? 
3_0_0 EXIST::FUNCTION: ---- a/util/missingcrypto.txt -+++ b/util/missingcrypto.txt -@@ -1273,10 +1273,6 @@ X509_get0_trust_objects(3) - X509_get1_email(3) - X509_get1_ocsp(3) - X509_get_default_cert_area(3) --X509_get_default_cert_dir(3) --X509_get_default_cert_dir_env(3) --X509_get_default_cert_file(3) --X509_get_default_cert_file_env(3) - X509_get_default_private_dir(3) - X509_get_pubkey_parameters(3) - X509_get_signature_type(3) diff --git a/openssl-CVE-2023-5678.patch b/openssl-CVE-2023-5678.patch deleted file mode 100644 index f4cd8eb..0000000 --- a/openssl-CVE-2023-5678.patch +++ /dev/null 
@@ -1,172 +0,0 @@ -From ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6 Mon Sep 17 00:00:00 2001 -From: Richard Levitte -Date: Fri, 20 Oct 2023 09:18:19 +0200 -Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet - -We already check for an excessively large P in DH_generate_key(), but not in -DH_check_pub_key(), and none of them check for an excessively large Q. - -This change adds all the missing excessive size checks of P and Q. - -It's to be noted that behaviours surrounding excessively sized P and Q -differ. DH_check() raises an error on the excessively sized P, but only -sets a flag for the excessively sized Q. This behaviour is mimicked in -DH_check_pub_key(). - -Reviewed-by: Tomas Mraz -Reviewed-by: Matt Caswell -Reviewed-by: Hugo Landau -(Merged from https://github.com/openssl/openssl/pull/22518) ---- - crypto/dh/dh_check.c | 12 ++++++++++++ - crypto/dh/dh_err.c | 3 ++- - crypto/dh/dh_key.c | 12 ++++++++++++ - crypto/err/openssl.txt | 1 + - include/crypto/dherr.h | 2 +- - include/openssl/dh.h | 6 +++--- - include/openssl/dherr.h | 3 ++- - 7 files changed, 33 insertions(+), 6 deletions(-) - -diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c -index 7ba2beae7fd6b..e20eb62081c5e 100644 ---- a/crypto/dh/dh_check.c -+++ b/crypto/dh/dh_check.c -@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key) - */ - int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) - { -+ /* Don't do any checks at all with an excessively large modulus */ -+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); -+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID; -+ return 0; -+ } -+ -+ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) { -+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID; -+ return 1; -+ } -+ - return ossl_ffc_validate_public_key(&dh->params, pub_key, ret); - } - -diff --git a/crypto/dh/dh_err.c 
b/crypto/dh/dh_err.c -index 4152397426cc9..f76ac0dd1463f 100644 ---- a/crypto/dh/dh_err.c -+++ b/crypto/dh/dh_err.c -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = { - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), - "parameter encoding error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, -+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR), - "unable to check generator"}, -diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index d84ea99241b9e..afc49f5cdc87d 100644 ---- a/crypto/dh/dh_key.c -+++ b/crypto/dh/dh_key.c -@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) - goto err; - } - -+ if (dh->params.q != NULL -+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); -+ goto err; -+ } -+ - if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); - return 0; -@@ -267,6 +273,12 @@ static int generate_key(DH *dh) - return 0; - } - -+ if (dh->params.q != NULL -+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); -+ return 0; -+ } -+ - if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); - return 0; -diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt -index a1e6bbb617fcb..69e4f61aa1801 100644 ---- a/crypto/err/openssl.txt -+++ b/crypto/err/openssl.txt -@@ 
-513,6 +513,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set - DH_R_NO_PRIVATE_VALUE:100:no private value - DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error - DH_R_PEER_KEY_ERROR:111:peer key error -+DH_R_Q_TOO_LARGE:130:q too large - DH_R_SHARED_INFO_ERROR:113:shared info error - DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator - DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters -diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h -index bb24d131eb887..519327f795742 100644 ---- a/include/crypto/dherr.h -+++ b/include/crypto/dherr.h -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -diff --git a/include/openssl/dh.h b/include/openssl/dh.h -index 8bc17448a0817..f1c0ed06b375a 100644 ---- a/include/openssl/dh.h -+++ b/include/openssl/dh.h -@@ -144,7 +144,7 @@ DECLARE_ASN1_ITEM(DHparams) - # define DH_GENERATOR_3 3 - # define DH_GENERATOR_5 5 - --/* DH_check error codes */ -+/* DH_check error codes, some of them shared with DH_check_pub_key */ - /* - * NB: These values must align with the equivalently named macros in - * internal/ffc.h. 
-@@ -154,10 +154,10 @@ DECLARE_ASN1_ITEM(DHparams) - # define DH_UNABLE_TO_CHECK_GENERATOR 0x04 - # define DH_NOT_SUITABLE_GENERATOR 0x08 - # define DH_CHECK_Q_NOT_PRIME 0x10 --# define DH_CHECK_INVALID_Q_VALUE 0x20 -+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */ - # define DH_CHECK_INVALID_J_VALUE 0x40 - # define DH_MODULUS_TOO_SMALL 0x80 --# define DH_MODULUS_TOO_LARGE 0x100 -+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */ - - /* DH_check_pub_key error codes */ - # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 -diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h -index 5d2a762a96f8c..074a70145f9f5 100644 ---- a/include/openssl/dherr.h -+++ b/include/openssl/dherr.h -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -50,6 +50,7 @@ - # define DH_R_NO_PRIVATE_VALUE 100 - # define DH_R_PARAMETER_ENCODING_ERROR 105 - # define DH_R_PEER_KEY_ERROR 111 -+# define DH_R_Q_TOO_LARGE 130 - # define DH_R_SHARED_INFO_ERROR 113 - # define DH_R_UNABLE_TO_CHECK_GENERATOR 121 - diff --git a/openssl-DEFAULT_SUSE_cipher.patch b/openssl-DEFAULT_SUSE_cipher.patch index b8d8688..fb43a50 100644 --- a/openssl-DEFAULT_SUSE_cipher.patch +++ b/openssl-DEFAULT_SUSE_cipher.patch 
@@ -1,27 +1,7 @@
-Index: openssl-3.0.0-alpha7/ssl/ssl_ciph.c
-===================================================================
---- openssl-3.0.0-alpha7.orig/ssl/ssl_ciph.c
-+++ openssl-3.0.0-alpha7/ssl/ssl_ciph.c
-@@ -1592,7 +1592,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- */
- ok = 1;
- rule_p = rule_str;
-- if (strncmp(rule_str, "DEFAULT", 7) == 0) {
-+ if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) {
-+ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
-+ &head, &tail, ca_list, c);
-+ rule_p += 12;
-+ if (*rule_p == ':')
-+ rule_p++;
-+ }
-+ else if (strncmp(rule_str, "DEFAULT", 7) == 0) {
- ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(),
- &head, &tail, ca_list, c);
- rule_p += 7;
-Index: openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
+Index: openssl-3.2.0/test/recipes/99-test_suse_default_ciphers.t
 ===================================================================
 --- /dev/null
-+++ openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
++++ openssl-3.2.0/test/recipes/99-test_suse_default_ciphers.t
 @@ -0,0 +1,23 @@
 +#! /usr/bin/env perl
 +
@@ -46,11 +26,11 @@ Index: openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
 + "$cipherlist should contain TLSv1.3 ciphers\n");
 +}
 +
-Index: openssl-3.0.0-alpha7/include/openssl/ssl.h.in
+Index: openssl-3.2.0/include/openssl/ssl.h.in
 ===================================================================
---- openssl-3.0.0-alpha7.orig/include/openssl/ssl.h.in
-+++ openssl-3.0.0-alpha7/include/openssl/ssl.h.in
-@@ -189,6 +189,11 @@ extern "C" {
+--- openssl-3.2.0.orig/include/openssl/ssl.h.in
++++ openssl-3.2.0/include/openssl/ssl.h.in
+@@ -194,6 +194,11 @@ extern "C" {
  */
  # ifndef OPENSSL_NO_DEPRECATED_3_0
  # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
@@ -62,3 +42,23 @@ Index: openssl-3.0.0-alpha7/include/openssl/ssl.h.in
 /*
 * This is the default set of TLSv1.3 ciphersuites
 * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()
+Index: openssl-3.2.0/ssl/ssl_ciph.c
+===================================================================
+--- openssl-3.2.0.orig/ssl/ssl_ciph.c
++++ openssl-3.2.0/ssl/ssl_ciph.c
+@@ -1623,7 +1623,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+ */
+ ok = 1;
+ rule_p = rule_str;
+- if (HAS_PREFIX(rule_str, "DEFAULT")) {
++ if (HAS_PREFIX(rule_str, "DEFAULT_SUSE")) {
++ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
++ &head, &tail, ca_list, c);
++ rule_p += 12;
++ if (*rule_p == ':')
++ rule_p++;
++ }
++ else if (HAS_PREFIX(rule_str, "DEFAULT")) {
+ ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(),
+ &head, &tail, ca_list, c);
+ rule_p += 7;
diff --git a/openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
deleted file mode 100644
index 7c57d6b..0000000
--- a/openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
+++ /dev/null
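Review bot: `rule_p += 12` in the rebased ssl_ciph.c hunk restates the length of the "DEFAULT_SUSE" literal by hand, so a later edit to either the prefix or the offset would silently start rule parsing mid-token and the cipher list actually built would no longer be the one the configuration names; `rule_p += sizeof("DEFAULT_SUSE") - 1;` ties the two together (upstream's `rule_p += 7` for "DEFAULT" has the same shape, but the patch's own constant is the one this package maintains). The DEFAULT_SUSE test has to stay ahead of the DEFAULT test, since HAS_PREFIX would accept the same string for the shorter prefix; that ordering is load-bearing and deserves a comment such as `/* Must precede the "DEFAULT" test: HAS_PREFIX matches that prefix too */`. The enclosing ssl_create_cipher_list starts and ends outside the hunk.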
@@ -1,495 +0,0 @@ -From 3d3a7ecd1ae5ab08d22041f7b3b035c34f12fa02 Mon Sep 17 00:00:00 2001 -From: Danny Tsen -Date: Tue, 22 Aug 2023 15:58:53 -0400 -Subject: [PATCH] Improve performance for 6x unrolling with vpermxor - instruction - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/21812) ---- - crypto/aes/asm/aesp8-ppc.pl | 145 +++++++++++++++++++++++------------- - 1 file changed, 95 insertions(+), 50 deletions(-) - -diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl -index 60cf86f52aed2..38b9405a283b7 100755 ---- a/crypto/aes/asm/aesp8-ppc.pl -+++ b/crypto/aes/asm/aesp8-ppc.pl -@@ -99,11 +99,12 @@ - .long 0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000 ?rev - .long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev - .long 0,0,0,0 ?asis -+.long 0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe - Lconsts: - mflr r0 - bcl 20,31,\$+4 - mflr $ptr #vvvvv "distance between . and rcon -- addi $ptr,$ptr,-0x48 -+ addi $ptr,$ptr,-0x58 - mtlr r0 - blr - .long 0 -@@ -2405,7 +2406,7 @@ () - my $key_=$key2; - my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31)); - $x00=0 if ($flavour =~ /osx/); --my ($in0, $in1, $in2, $in3, $in4, $in5 )=map("v$_",(0..5)); -+my ($in0, $in1, $in2, $in3, $in4, $in5)=map("v$_",(0..5)); - my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16)); - my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22)); - my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys -@@ -2460,6 +2461,18 @@ () - li $x70,0x70 - mtspr 256,r0 - -+ # Reverse eighty7 to 0x010101..87 -+ xxlor 2, 32+$eighty7, 32+$eighty7 -+ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87 -+ xxlor 1, 32+$eighty7, 32+$eighty7 -+ -+ # Load XOR contents. 
0xf102132435465768798a9bacbdcedfe -+ mr $x70, r6 -+ bl Lconsts -+ lxvw4x 0, $x40, r6 # load XOR contents -+ mr r6, $x70 -+ li $x70,0x70 -+ - subi $rounds,$rounds,3 # -4 in total - - lvx $rndkey0,$x00,$key1 # load key schedule -@@ -2502,69 +2515,77 @@ () - ?vperm v31,v31,$twk5,$keyperm - lvx v25,$x10,$key_ # pre-load round[2] - -+ # Switch to use the following codes with 0x010101..87 to generate tweak. -+ # eighty7 = 0x010101..87 -+ # vsrab tmp, tweak, seven # next tweak value, right shift 7 bits -+ # vand tmp, tmp, eighty7 # last byte with carry -+ # vaddubm tweak, tweak, tweak # left shift 1 bit (x2) -+ # xxlor vsx, 0, 0 -+ # vpermxor tweak, tweak, tmp, vsx -+ - vperm $in0,$inout,$inptail,$inpperm - subi $inp,$inp,31 # undo "caller" - vxor $twk0,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vand $tmp,$tmp,$eighty7 - vxor $out0,$in0,$twk0 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in1, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in1 - - lvx_u $in1,$x10,$inp - vxor $twk1,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in1,$in1,$in1,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out1,$in1,$twk1 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in2, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in2 - - lvx_u $in2,$x20,$inp - andi. 
$taillen,$len,15 - vxor $twk2,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in2,$in2,$in2,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out2,$in2,$twk2 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in3, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in3 - - lvx_u $in3,$x30,$inp - sub $len,$len,$taillen - vxor $twk3,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in3,$in3,$in3,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out3,$in3,$twk3 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in4, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in4 - - lvx_u $in4,$x40,$inp - subi $len,$len,0x60 - vxor $twk4,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in4,$in4,$in4,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out4,$in4,$twk4 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in5, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in5 - - lvx_u $in5,$x50,$inp - addi $inp,$inp,0x60 - vxor $twk5,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in5,$in5,$in5,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out5,$in5,$twk5 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in0, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in0 - - vxor v31,v31,$rndkey0 - mtctr $rounds -@@ -2590,6 +2611,8 @@ () - lvx v25,$x10,$key_ # round[4] - bdnz Loop_xts_enc6x - -+ xxlor 32+$eighty7, 1, 1 # 0x010101..87 -+ - subic $len,$len,96 # $len-=96 - vxor $in0,$twk0,v31 # xor with last round key - vcipher $out0,$out0,v24 -@@ -2599,7 +2622,6 @@ () - vaddubm $tweak,$tweak,$tweak - vcipher $out2,$out2,v24 - vcipher $out3,$out3,v24 -- vsldoi $tmp,$tmp,$tmp,15 - vcipher $out4,$out4,v24 - vcipher $out5,$out5,v24 - -@@ -2607,7 +2629,8 @@ () - vand $tmp,$tmp,$eighty7 - vcipher $out0,$out0,v25 - vcipher $out1,$out1,v25 -- vxor $tweak,$tweak,$tmp -+ xxlor 
32+$in1, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in1 - vcipher $out2,$out2,v25 - vcipher $out3,$out3,v25 - vxor $in1,$twk1,v31 -@@ -2618,13 +2641,13 @@ () - - and r0,r0,$len - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vcipher $out0,$out0,v26 - vcipher $out1,$out1,v26 - vand $tmp,$tmp,$eighty7 - vcipher $out2,$out2,v26 - vcipher $out3,$out3,v26 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in2, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in2 - vcipher $out4,$out4,v26 - vcipher $out5,$out5,v26 - -@@ -2638,7 +2661,6 @@ () - vaddubm $tweak,$tweak,$tweak - vcipher $out0,$out0,v27 - vcipher $out1,$out1,v27 -- vsldoi $tmp,$tmp,$tmp,15 - vcipher $out2,$out2,v27 - vcipher $out3,$out3,v27 - vand $tmp,$tmp,$eighty7 -@@ -2646,7 +2668,8 @@ () - vcipher $out5,$out5,v27 - - addi $key_,$sp,$FRAME+15 # rewind $key_ -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in3, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in3 - vcipher $out0,$out0,v28 - vcipher $out1,$out1,v28 - vxor $in3,$twk3,v31 -@@ -2655,7 +2678,6 @@ () - vcipher $out2,$out2,v28 - vcipher $out3,$out3,v28 - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vcipher $out4,$out4,v28 - vcipher $out5,$out5,v28 - lvx v24,$x00,$key_ # re-pre-load round[1] -@@ -2663,7 +2685,8 @@ () - - vcipher $out0,$out0,v29 - vcipher $out1,$out1,v29 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in4, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in4 - vcipher $out2,$out2,v29 - vcipher $out3,$out3,v29 - vxor $in4,$twk4,v31 -@@ -2673,14 +2696,14 @@ () - vcipher $out5,$out5,v29 - lvx v25,$x10,$key_ # re-pre-load round[2] - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - - vcipher $out0,$out0,v30 - vcipher $out1,$out1,v30 - vand $tmp,$tmp,$eighty7 - vcipher $out2,$out2,v30 - vcipher $out3,$out3,v30 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in5, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in5 - vcipher $out4,$out4,v30 - vcipher $out5,$out5,v30 - vxor $in5,$twk5,v31 -@@ -2690,7 +2713,6 @@ () - vcipherlast $out0,$out0,$in0 - lvx_u $in0,$x00,$inp # load next 
input block - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vcipherlast $out1,$out1,$in1 - lvx_u $in1,$x10,$inp - vcipherlast $out2,$out2,$in2 -@@ -2703,7 +2725,10 @@ () - vcipherlast $out4,$out4,$in4 - le?vperm $in2,$in2,$in2,$leperm - lvx_u $in4,$x40,$inp -- vxor $tweak,$tweak,$tmp -+ xxlor 10, 32+$in0, 32+$in0 -+ xxlor 32+$in0, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in0 -+ xxlor 32+$in0, 10, 10 - vcipherlast $tmp,$out5,$in5 # last block might be needed - # in stealing mode - le?vperm $in3,$in3,$in3,$leperm -@@ -2736,6 +2761,8 @@ () - mtctr $rounds - beq Loop_xts_enc6x # did $len-=96 borrow? - -+ xxlor 32+$eighty7, 2, 2 # 0x870101..01 -+ - addic. $len,$len,0x60 - beq Lxts_enc6x_zero - cmpwi $len,0x20 -@@ -3112,6 +3139,18 @@ () - li $x70,0x70 - mtspr 256,r0 - -+ # Reverse eighty7 to 0x010101..87 -+ xxlor 2, 32+$eighty7, 32+$eighty7 -+ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87 -+ xxlor 1, 32+$eighty7, 32+$eighty7 -+ -+ # Load XOR contents. 0xf102132435465768798a9bacbdcedfe -+ mr $x70, r6 -+ bl Lconsts -+ lxvw4x 0, $x40, r6 # load XOR contents -+ mr r6, $x70 -+ li $x70,0x70 -+ - subi $rounds,$rounds,3 # -4 in total - - lvx $rndkey0,$x00,$key1 # load key schedule -@@ -3159,64 +3198,64 @@ () - vxor $twk0,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vand $tmp,$tmp,$eighty7 - vxor $out0,$in0,$twk0 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in1, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in1 - - lvx_u $in1,$x10,$inp - vxor $twk1,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in1,$in1,$in1,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out1,$in1,$twk1 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in2, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in2 - - lvx_u $in2,$x20,$inp - andi. 
$taillen,$len,15 - vxor $twk2,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in2,$in2,$in2,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out2,$in2,$twk2 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in3, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in3 - - lvx_u $in3,$x30,$inp - sub $len,$len,$taillen - vxor $twk3,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in3,$in3,$in3,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out3,$in3,$twk3 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in4, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in4 - - lvx_u $in4,$x40,$inp - subi $len,$len,0x60 - vxor $twk4,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in4,$in4,$in4,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out4,$in4,$twk4 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in5, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in5 - - lvx_u $in5,$x50,$inp - addi $inp,$inp,0x60 - vxor $twk5,$tweak,$rndkey0 - vsrab $tmp,$tweak,$seven # next tweak value - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - le?vperm $in5,$in5,$in5,$leperm - vand $tmp,$tmp,$eighty7 - vxor $out5,$in5,$twk5 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in0, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in0 - - vxor v31,v31,$rndkey0 - mtctr $rounds -@@ -3242,6 +3281,8 @@ () - lvx v25,$x10,$key_ # round[4] - bdnz Loop_xts_dec6x - -+ xxlor 32+$eighty7, 1, 1 -+ - subic $len,$len,96 # $len-=96 - vxor $in0,$twk0,v31 # xor with last round key - vncipher $out0,$out0,v24 -@@ -3251,7 +3292,6 @@ () - vaddubm $tweak,$tweak,$tweak - vncipher $out2,$out2,v24 - vncipher $out3,$out3,v24 -- vsldoi $tmp,$tmp,$tmp,15 - vncipher $out4,$out4,v24 - vncipher $out5,$out5,v24 - -@@ -3259,7 +3299,8 @@ () - vand $tmp,$tmp,$eighty7 - vncipher $out0,$out0,v25 - vncipher $out1,$out1,v25 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in1, 0, 
0 -+ vpermxor $tweak, $tweak, $tmp, $in1 - vncipher $out2,$out2,v25 - vncipher $out3,$out3,v25 - vxor $in1,$twk1,v31 -@@ -3270,13 +3311,13 @@ () - - and r0,r0,$len - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vncipher $out0,$out0,v26 - vncipher $out1,$out1,v26 - vand $tmp,$tmp,$eighty7 - vncipher $out2,$out2,v26 - vncipher $out3,$out3,v26 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in2, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in2 - vncipher $out4,$out4,v26 - vncipher $out5,$out5,v26 - -@@ -3290,7 +3331,6 @@ () - vaddubm $tweak,$tweak,$tweak - vncipher $out0,$out0,v27 - vncipher $out1,$out1,v27 -- vsldoi $tmp,$tmp,$tmp,15 - vncipher $out2,$out2,v27 - vncipher $out3,$out3,v27 - vand $tmp,$tmp,$eighty7 -@@ -3298,7 +3338,8 @@ () - vncipher $out5,$out5,v27 - - addi $key_,$sp,$FRAME+15 # rewind $key_ -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in3, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in3 - vncipher $out0,$out0,v28 - vncipher $out1,$out1,v28 - vxor $in3,$twk3,v31 -@@ -3307,7 +3348,6 @@ () - vncipher $out2,$out2,v28 - vncipher $out3,$out3,v28 - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vncipher $out4,$out4,v28 - vncipher $out5,$out5,v28 - lvx v24,$x00,$key_ # re-pre-load round[1] -@@ -3315,7 +3355,8 @@ () - - vncipher $out0,$out0,v29 - vncipher $out1,$out1,v29 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in4, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in4 - vncipher $out2,$out2,v29 - vncipher $out3,$out3,v29 - vxor $in4,$twk4,v31 -@@ -3325,14 +3366,14 @@ () - vncipher $out5,$out5,v29 - lvx v25,$x10,$key_ # re-pre-load round[2] - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - - vncipher $out0,$out0,v30 - vncipher $out1,$out1,v30 - vand $tmp,$tmp,$eighty7 - vncipher $out2,$out2,v30 - vncipher $out3,$out3,v30 -- vxor $tweak,$tweak,$tmp -+ xxlor 32+$in5, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in5 - vncipher $out4,$out4,v30 - vncipher $out5,$out5,v30 - vxor $in5,$twk5,v31 -@@ -3342,7 +3383,6 @@ () - vncipherlast $out0,$out0,$in0 - lvx_u 
$in0,$x00,$inp # load next input block - vaddubm $tweak,$tweak,$tweak -- vsldoi $tmp,$tmp,$tmp,15 - vncipherlast $out1,$out1,$in1 - lvx_u $in1,$x10,$inp - vncipherlast $out2,$out2,$in2 -@@ -3355,7 +3395,10 @@ () - vncipherlast $out4,$out4,$in4 - le?vperm $in2,$in2,$in2,$leperm - lvx_u $in4,$x40,$inp -- vxor $tweak,$tweak,$tmp -+ xxlor 10, 32+$in0, 32+$in0 -+ xxlor 32+$in0, 0, 0 -+ vpermxor $tweak, $tweak, $tmp, $in0 -+ xxlor 32+$in0, 10, 10 - vncipherlast $out5,$out5,$in5 - le?vperm $in3,$in3,$in3,$leperm - lvx_u $in5,$x50,$inp -@@ -3386,6 +3429,8 @@ () - mtctr $rounds - beq Loop_xts_dec6x # did $len-=96 borrow? - -+ xxlor 32+$eighty7, 2, 2 -+ - addic. $len,$len,0x60 - beq Lxts_dec6x_zero - cmpwi $len,0x20 diff --git a/openssl-Override-default-paths-for-the-CA-directory-tree.patch b/openssl-Override-default-paths-for-the-CA-directory-tree.patch index 681d082..0fd31e4 100644 --- a/openssl-Override-default-paths-for-the-CA-directory-tree.patch +++ b/openssl-Override-default-paths-for-the-CA-directory-tree.patch @@ -13,10 +13,10 @@ It needs to be reverted before running tests. apps/openssl.cnf | 20 ++++++++++++++++++-- 2 files changed, 19 insertions(+), 3 deletions(-) -Index: openssl-3.0.1/apps/openssl.cnf +Index: openssl-3.2.0/apps/openssl.cnf =================================================================== ---- openssl-3.0.1.orig/apps/openssl.cnf -+++ openssl-3.0.1/apps/openssl.cnf +--- openssl-3.2.0.orig/apps/openssl.cnf ++++ openssl-3.2.0/apps/openssl.cnf @@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7 [openssl_init] diff --git a/openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch b/openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch new file mode 100644 index 0000000..1b52f21 --- /dev/null +++ b/openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch 
@@ -0,0 +1,37 @@
+From 0e55c3ab8d702ffc897c9beb51d19b14b7896182 Mon Sep 17 00:00:00 2001
+From: "Dr. David von Oheimb"
+Date: Tue, 11 May 2021 12:59:03 +0200
+Subject: [PATCH] Makefile: Call mknum.pl on 'make ordinals' only if needed
+
+Reviewed-by: Richard Levitte
+Reviewed-by: Tomas Mraz
+Reviewed-by: David von Oheimb
+(Merged from https://github.com/openssl/openssl/pull/15224)
+---
+ Configurations/unix-Makefile.tmpl | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+Index: openssl-3.2.0/Configurations/unix-Makefile.tmpl
+===================================================================
+--- openssl-3.2.0.orig/Configurations/unix-Makefile.tmpl
++++ openssl-3.2.0/Configurations/unix-Makefile.tmpl
+@@ -1368,18 +1368,15 @@ renumber: build_generated
+ --renumber \
+ $(SSLHEADERS)
+
+-$(SRCDIR)/util/libcrypto.num: $(CRYPTOHEADERS) $(SRCDIR)/include/openssl/symhacks.h
++ordinals: build_generated
+ $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
+ --ordinals $(SRCDIR)/util/libcrypto.num \
+ --symhacks $(SRCDIR)/include/openssl/symhacks.h \
+ $(CRYPTOHEADERS)
+-$(SRCDIR)/util/libssl.num: $(SSLHEADERS) $(SRCDIR)/include/openssl/symhacks.h
+ $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
+ --ordinals $(SRCDIR)/util/libssl.num \
+ --symhacks $(SRCDIR)/include/openssl/symhacks.h \
+ $(SSLHEADERS)
+-.PHONY: ordinals
+-ordinals: build_generated $(SRCDIR)/util/libcrypto.num $(SRCDIR)/util/libssl.num
+
+ test_ordinals:
+ $(MAKE) run_tests TESTS=test_ordinals
diff --git a/openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
deleted file mode 100644
index 3bb9496..0000000
--- a/openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
+++ /dev/null
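Review bot: The new patch file carries the upstream commit's own header (From, Subject, Reviewed-by and "Merged from ... pull/15224") while its hunk applies that commit in reverse, so only the file name says this is a revert and nothing in the file says why; a line under the Subject such as `Reverted for the openSUSE package: <reason to be filled in by the packager>` would keep the next rebase from "fixing" it back to the upstream direction. The reversed hunk also drops `+-.PHONY: ordinals` together with the per-file rules, so `ordinals` becomes an ordinary target again: if a file or directory named `ordinals` ever exists in the build tree, make will consider it up to date and mknum.pl will not run. That presumably matches the pre-#15224 upstream state, but it is worth confirming that this is the intended trade-off rather than an accidental loss of the `.PHONY` line.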
@@ -1,2159 +0,0 @@ -From 01d901e470d9e035a3bd78e77b9438a4cc0da785 Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Wed, 12 Jul 2023 12:25:22 +1000 -Subject: [PATCH] ec: 56-bit Limb Solinas' Strategy for secp384r1 - -Adopt a 56-bit redundant-limb Solinas' reduction approach for efficient -modular multiplication in P384. This has the affect of accelerating -digital signing by 446% and verification by 106%. The implementation -strategy and names of methods are the same as that provided in -ecp_nistp224 and ecp_nistp521. - -As in Commit 1036749883cc ("ec: Add run time code selection for p521 -field operations"), allow for run time selection of implementation for -felem_{square,mul}, where an assembly implementation is proclaimed to -be present when ECP_NISTP384_ASM is present. - -Signed-off-by: Rohan McLure - -Reviewed-by: Paul Dale -Reviewed-by: Shane Lontis -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Todd Short -(Merged from https://github.com/openssl/openssl/pull/21471) ---- - crypto/ec/build.info | 2 - crypto/ec/ec_curve.c | 4 - crypto/ec/ec_lib.c | 8 - crypto/ec/ec_local.h | 27 - crypto/ec/ecp_nistp384.c | 1988 +++++++++++++++++++++++++++++++++++++++++++++++ - 5 files changed, 2027 insertions(+), 2 deletions(-) - create mode 100644 crypto/ec/ecp_nistp384.c - ---- a/crypto/ec/build.info -+++ b/crypto/ec/build.info -@@ -59,7 +59,7 @@ $COMMON=ec_lib.c ecp_smpl.c ecp_mont.c e - curve448/arch_32/f_impl32.c - - IF[{- !$disabled{'ec_nistp_64_gcc_128'} -}] -- $COMMON=$COMMON ecp_nistp224.c ecp_nistp256.c ecp_nistp521.c ecp_nistputil.c -+ $COMMON=$COMMON ecp_nistp224.c ecp_nistp256.c ecp_nistp384.c ecp_nistp521.c ecp_nistputil.c - ENDIF - - SOURCE[../../libcrypto]=$COMMON ec_ameth.c ec_pmeth.c ecx_meth.c \ ---- a/crypto/ec/ec_curve.c -+++ b/crypto/ec/ec_curve.c -@@ -2838,6 +2838,8 @@ static const ec_list_element curve_list[ - {NID_secp384r1, &_EC_NIST_PRIME_384.h, - # if defined(S390X_EC_ASM) - EC_GFp_s390x_nistp384_method, -+# elif 
!defined(OPENSSL_NO_EC_NISTP_64_GCC_128) -+ ossl_ec_GFp_nistp384_method, - # else - 0, - # endif -@@ -2931,6 +2933,8 @@ static const ec_list_element curve_list[ - {NID_secp384r1, &_EC_NIST_PRIME_384.h, - # if defined(S390X_EC_ASM) - EC_GFp_s390x_nistp384_method, -+# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) -+ ossl_ec_GFp_nistp384_method, - # else - 0, - # endif ---- a/crypto/ec/ec_lib.c -+++ b/crypto/ec/ec_lib.c -@@ -102,12 +102,16 @@ void EC_pre_comp_free(EC_GROUP *group) - case PCT_nistp256: - EC_nistp256_pre_comp_free(group->pre_comp.nistp256); - break; -+ case PCT_nistp384: -+ ossl_ec_nistp384_pre_comp_free(group->pre_comp.nistp384); -+ break; - case PCT_nistp521: - EC_nistp521_pre_comp_free(group->pre_comp.nistp521); - break; - #else - case PCT_nistp224: - case PCT_nistp256: -+ case PCT_nistp384: - case PCT_nistp521: - break; - #endif -@@ -191,12 +195,16 @@ int EC_GROUP_copy(EC_GROUP *dest, const - case PCT_nistp256: - dest->pre_comp.nistp256 = EC_nistp256_pre_comp_dup(src->pre_comp.nistp256); - break; -+ case PCT_nistp384: -+ dest->pre_comp.nistp384 = ossl_ec_nistp384_pre_comp_dup(src->pre_comp.nistp384); -+ break; - case PCT_nistp521: - dest->pre_comp.nistp521 = EC_nistp521_pre_comp_dup(src->pre_comp.nistp521); - break; - #else - case PCT_nistp224: - case PCT_nistp256: -+ case PCT_nistp384: - case PCT_nistp521: - break; - #endif ---- a/crypto/ec/ec_local.h -+++ b/crypto/ec/ec_local.h -@@ -203,6 +203,7 @@ struct ec_method_st { - */ - typedef struct nistp224_pre_comp_st NISTP224_PRE_COMP; - typedef struct nistp256_pre_comp_st NISTP256_PRE_COMP; -+typedef struct nistp384_pre_comp_st NISTP384_PRE_COMP; - typedef struct nistp521_pre_comp_st NISTP521_PRE_COMP; - typedef struct nistz256_pre_comp_st NISTZ256_PRE_COMP; - typedef struct ec_pre_comp_st EC_PRE_COMP; -@@ -264,12 +265,13 @@ struct ec_group_st { - */ - enum { - PCT_none, -- PCT_nistp224, PCT_nistp256, PCT_nistp521, PCT_nistz256, -+ PCT_nistp224, PCT_nistp256, PCT_nistp384, PCT_nistp521, PCT_nistz256, 
- PCT_ec - } pre_comp_type; - union { - NISTP224_PRE_COMP *nistp224; - NISTP256_PRE_COMP *nistp256; -+ NISTP384_PRE_COMP *nistp384; - NISTP521_PRE_COMP *nistp521; - NISTZ256_PRE_COMP *nistz256; - EC_PRE_COMP *ec; -@@ -333,6 +335,7 @@ static ossl_inline int ec_point_is_compa - - NISTP224_PRE_COMP *EC_nistp224_pre_comp_dup(NISTP224_PRE_COMP *); - NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); -+NISTP384_PRE_COMP *ossl_ec_nistp384_pre_comp_dup(NISTP384_PRE_COMP *); - NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *); - NISTZ256_PRE_COMP *EC_nistz256_pre_comp_dup(NISTZ256_PRE_COMP *); - NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); -@@ -341,6 +344,7 @@ EC_PRE_COMP *EC_ec_pre_comp_dup(EC_PRE_C - void EC_pre_comp_free(EC_GROUP *group); - void EC_nistp224_pre_comp_free(NISTP224_PRE_COMP *); - void EC_nistp256_pre_comp_free(NISTP256_PRE_COMP *); -+void ossl_ec_nistp384_pre_comp_free(NISTP384_PRE_COMP *); - void EC_nistp521_pre_comp_free(NISTP521_PRE_COMP *); - void EC_nistz256_pre_comp_free(NISTZ256_PRE_COMP *); - void EC_ec_pre_comp_free(EC_PRE_COMP *); -@@ -552,6 +556,27 @@ int ossl_ec_GFp_nistp256_points_mul(cons - int ossl_ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx); - int ossl_ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group); - -+/* method functions in ecp_nistp384.c */ -+int ossl_ec_GFp_nistp384_group_init(EC_GROUP *group); -+int ossl_ec_GFp_nistp384_group_set_curve(EC_GROUP *group, const BIGNUM *p, -+ const BIGNUM *a, const BIGNUM *n, -+ BN_CTX *); -+int ossl_ec_GFp_nistp384_point_get_affine_coordinates(const EC_GROUP *group, -+ const EC_POINT *point, -+ BIGNUM *x, BIGNUM *y, -+ BN_CTX *ctx); -+int ossl_ec_GFp_nistp384_mul(const EC_GROUP *group, EC_POINT *r, -+ const BIGNUM *scalar, size_t num, -+ const EC_POINT *points[], const BIGNUM *scalars[], -+ BN_CTX *); -+int ossl_ec_GFp_nistp384_points_mul(const EC_GROUP *group, EC_POINT *r, -+ const BIGNUM *scalar, size_t num, -+ const 
EC_POINT *points[], -+ const BIGNUM *scalars[], BN_CTX *ctx); -+int ossl_ec_GFp_nistp384_precompute_mult(EC_GROUP *group, BN_CTX *ctx); -+int ossl_ec_GFp_nistp384_have_precompute_mult(const EC_GROUP *group); -+const EC_METHOD *ossl_ec_GFp_nistp384_method(void); -+ - /* method functions in ecp_nistp521.c */ - int ossl_ec_GFp_nistp521_group_init(EC_GROUP *group); - int ossl_ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, ---- /dev/null -+++ b/crypto/ec/ecp_nistp384.c -@@ -0,0 +1,1988 @@ -+/* -+ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+/* Copyright 2023 IBM Corp. -+ * -+ * Licensed under the Apache License, Version 2.0 (the "License"); -+ * -+ * you may not use this file except in compliance with the License. -+ * You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. -+ */ -+ -+/* -+ * Designed for 56-bit limbs by Rohan McLure . -+ * The layout is based on that of ecp_nistp{224,521}.c, allowing even for asm -+ * acceleration of felem_{square,mul} as supported in these files. -+ */ -+ -+#include -+ -+#include -+#include -+#include "ec_local.h" -+ -+#include "internal/numbers.h" -+ -+#ifndef INT128_MAX -+# error "Your compiler doesn't appear to support 128-bit integer types" -+#endif -+ -+typedef uint8_t u8; -+typedef uint64_t u64; -+ -+/* -+ * The underlying field. 
P384 operates over GF(2^384-2^128-2^96+2^32-1). We -+ * can serialize an element of this field into 48 bytes. We call this an -+ * felem_bytearray. -+ */ -+ -+typedef u8 felem_bytearray[48]; -+ -+/* -+ * These are the parameters of P384, taken from FIPS 186-3, section D.1.2.4. -+ * These values are big-endian. -+ */ -+static const felem_bytearray nistp384_curve_params[5] = { -+ {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ -+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF}, -+ {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a = -3 */ -+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC}, -+ {0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B, /* b */ -+ 0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12, -+ 0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D, -+ 0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF}, -+ {0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E, /* x */ -+ 0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98, -+ 0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D, -+ 0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7}, -+ {0x36, 0x17, 0xDE, 0x4A, 0x96, 0x26, 0x2C, 0x6F, 0x5D, 0x9E, 0x98, 0xBF, /* y */ -+ 0x92, 0x92, 0xDC, 0x29, 0xF8, 0xF4, 0x1D, 0xBD, 0x28, 0x9A, 0x14, 0x7C, -+ 0xE9, 0xDA, 0x31, 0x13, 0xB5, 0xF0, 0xB8, 0xC0, 0x0A, 0x60, 0xB1, 0xCE, -+ 0x1D, 0x7E, 0x81, 0x9D, 0x7A, 0x43, 0x1D, 0x7C, 0x90, 0xEA, 0x0E, 0x5F}, -+}; -+ -+/*- -+ * The representation of field elements. 
-+ * ------------------------------------ -+ * -+ * We represent field elements with seven values. These values are either 64 or -+ * 128 bits and the field element represented is: -+ * v[0]*2^0 + v[1]*2^56 + v[2]*2^112 + ... + v[6]*2^336 (mod p) -+ * Each of the seven values is called a 'limb'. Since the limbs are spaced only -+ * 56 bits apart, but are greater than 56 bits in length, the most significant -+ * bits of each limb overlap with the least significant bits of the next -+ * -+ * This representation is considered to be 'redundant' in the sense that -+ * intermediate values can each contain more than a 56-bit value in each limb. -+ * Reduction causes all but the final limb to be reduced to contain a value less -+ * than 2^56, with the final value represented allowed to be larger than 2^384, -+ * inasmuch as we can be sure that arithmetic overflow remains impossible. The -+ * reduced value must of course be congruent to the unreduced value. -+ * -+ * A field element with 64-bit limbs is an 'felem'. One with 128-bit limbs is a -+ * 'widefelem', featuring enough bits to store the result of a multiplication -+ * and even some further arithmetic without need for immediate reduction. 
-+ */ -+ -+#define NLIMBS 7 -+ -+typedef uint64_t limb; -+typedef uint128_t widelimb; -+typedef limb limb_aX __attribute((__aligned__(1))); -+typedef limb felem[NLIMBS]; -+typedef widelimb widefelem[2*NLIMBS-1]; -+ -+static const limb bottom56bits = 0xffffffffffffff; -+ -+/* Helper functions (de)serialising reduced field elements in little endian */ -+static void bin48_to_felem(felem out, const u8 in[48]) -+{ -+ memset(out, 0, 56); -+ out[0] = (*((limb *) & in[0])) & bottom56bits; -+ out[1] = (*((limb_aX *) & in[7])) & bottom56bits; -+ out[2] = (*((limb_aX *) & in[14])) & bottom56bits; -+ out[3] = (*((limb_aX *) & in[21])) & bottom56bits; -+ out[4] = (*((limb_aX *) & in[28])) & bottom56bits; -+ out[5] = (*((limb_aX *) & in[35])) & bottom56bits; -+ memmove(&out[6], &in[42], 6); -+} -+ -+static void felem_to_bin48(u8 out[48], const felem in) -+{ -+ memset(out, 0, 48); -+ (*((limb *) & out[0])) |= (in[0] & bottom56bits); -+ (*((limb_aX *) & out[7])) |= (in[1] & bottom56bits); -+ (*((limb_aX *) & out[14])) |= (in[2] & bottom56bits); -+ (*((limb_aX *) & out[21])) |= (in[3] & bottom56bits); -+ (*((limb_aX *) & out[28])) |= (in[4] & bottom56bits); -+ (*((limb_aX *) & out[35])) |= (in[5] & bottom56bits); -+ memmove(&out[42], &in[6], 6); -+} -+ -+/* BN_to_felem converts an OpenSSL BIGNUM into an felem */ -+static int BN_to_felem(felem out, const BIGNUM *bn) -+{ -+ felem_bytearray b_out; -+ int num_bytes; -+ -+ if (BN_is_negative(bn)) { -+ ERR_raise(ERR_LIB_EC, EC_R_BIGNUM_OUT_OF_RANGE); -+ return 0; -+ } -+ num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out)); -+ if (num_bytes < 0) { -+ ERR_raise(ERR_LIB_EC, EC_R_BIGNUM_OUT_OF_RANGE); -+ return 0; -+ } -+ bin48_to_felem(out, b_out); -+ return 1; -+} -+ -+/* felem_to_BN converts an felem into an OpenSSL BIGNUM */ -+static BIGNUM *felem_to_BN(BIGNUM *out, const felem in) -+{ -+ felem_bytearray b_out; -+ -+ felem_to_bin48(b_out, in); -+ return BN_lebin2bn(b_out, sizeof(b_out), out); -+} -+ -+/*- -+ * Field operations -+ * 
---------------- -+ */ -+ -+static void felem_one(felem out) -+{ -+ out[0] = 1; -+ memset(&out[1], 0, sizeof(limb) * (NLIMBS-1)); -+} -+ -+static void felem_assign(felem out, const felem in) -+{ -+ memcpy(out, in, sizeof(felem)); -+} -+ -+/* felem_sum64 sets out = out + in. */ -+static void felem_sum64(felem out, const felem in) -+{ -+ unsigned int i; -+ -+ for (i = 0; i < NLIMBS; i++) -+ out[i] += in[i]; -+} -+ -+/* felem_scalar sets out = in * scalar */ -+static void felem_scalar(felem out, const felem in, limb scalar) -+{ -+ unsigned int i; -+ -+ for (i = 0; i < NLIMBS; i++) -+ out[i] = in[i] * scalar; -+} -+ -+/* felem_scalar64 sets out = out * scalar */ -+static void felem_scalar64(felem out, limb scalar) -+{ -+ unsigned int i; -+ -+ for (i = 0; i < NLIMBS; i++) -+ out[i] *= scalar; -+} -+ -+/* felem_scalar128 sets out = out * scalar */ -+static void felem_scalar128(widefelem out, limb scalar) -+{ -+ unsigned int i; -+ -+ for (i = 0; i < 2*NLIMBS-1; i++) -+ out[i] *= scalar; -+} -+ -+/*- -+ * felem_neg sets |out| to |-in| -+ * On entry: -+ * in[i] < 2^60 - 2^29 -+ * On exit: -+ * out[i] < 2^60 -+ */ -+static void felem_neg(felem out, const felem in) -+{ -+ /* -+ * In order to prevent underflow, we add a multiple of p before subtracting. -+ * Use telescopic sums to represent 2^12 * p redundantly with each limb -+ * of the form 2^60 + ... 
-+ */ -+ static const limb two60m52m4 = (((limb) 1) << 60) -+ - (((limb) 1) << 52) -+ - (((limb) 1) << 4); -+ static const limb two60p44m12 = (((limb) 1) << 60) -+ + (((limb) 1) << 44) -+ - (((limb) 1) << 12); -+ static const limb two60m28m4 = (((limb) 1) << 60) -+ - (((limb) 1) << 28) -+ - (((limb) 1) << 4); -+ static const limb two60m4 = (((limb) 1) << 60) -+ - (((limb) 1) << 4); -+ -+ out[0] = two60p44m12 - in[0]; -+ out[1] = two60m52m4 - in[1]; -+ out[2] = two60m28m4 - in[2]; -+ out[3] = two60m4 - in[3]; -+ out[4] = two60m4 - in[4]; -+ out[5] = two60m4 - in[5]; -+ out[6] = two60m4 - in[6]; -+} -+ -+/*- -+ * felem_diff64 subtracts |in| from |out| -+ * On entry: -+ * in[i] < 2^60 - 2^52 - 2^4 -+ * On exit: -+ * out[i] < out_orig[i] + 2^60 + 2^44 -+ */ -+static void felem_diff64(felem out, const felem in) -+{ -+ /* -+ * In order to prevent underflow, we add a multiple of p before subtracting. -+ * Use telescopic sums to represent 2^12 * p redundantly with each limb -+ * of the form 2^60 + ... -+ */ -+ -+ static const limb two60m52m4 = (((limb) 1) << 60) -+ - (((limb) 1) << 52) -+ - (((limb) 1) << 4); -+ static const limb two60p44m12 = (((limb) 1) << 60) -+ + (((limb) 1) << 44) -+ - (((limb) 1) << 12); -+ static const limb two60m28m4 = (((limb) 1) << 60) -+ - (((limb) 1) << 28) -+ - (((limb) 1) << 4); -+ static const limb two60m4 = (((limb) 1) << 60) -+ - (((limb) 1) << 4); -+ -+ out[0] += two60p44m12 - in[0]; -+ out[1] += two60m52m4 - in[1]; -+ out[2] += two60m28m4 - in[2]; -+ out[3] += two60m4 - in[3]; -+ out[4] += two60m4 - in[4]; -+ out[5] += two60m4 - in[5]; -+ out[6] += two60m4 - in[6]; -+} -+ -+/* -+ * in[i] < 2^63 -+ * out[i] < out_orig[i] + 2^64 + 2^48 -+ */ -+static void felem_diff_128_64(widefelem out, const felem in) -+{ -+ /* -+ * In order to prevent underflow, we add a multiple of p before subtracting. -+ * Use telescopic sums to represent 2^16 * p redundantly with each limb -+ * of the form 2^64 + ... 
-+ */ -+ -+ static const widelimb two64m56m8 = (((widelimb) 1) << 64) -+ - (((widelimb) 1) << 56) -+ - (((widelimb) 1) << 8); -+ static const widelimb two64m32m8 = (((widelimb) 1) << 64) -+ - (((widelimb) 1) << 32) -+ - (((widelimb) 1) << 8); -+ static const widelimb two64m8 = (((widelimb) 1) << 64) -+ - (((widelimb) 1) << 8); -+ static const widelimb two64p48m16 = (((widelimb) 1) << 64) -+ + (((widelimb) 1) << 48) -+ - (((widelimb) 1) << 16); -+ unsigned int i; -+ -+ out[0] += two64p48m16; -+ out[1] += two64m56m8; -+ out[2] += two64m32m8; -+ out[3] += two64m8; -+ out[4] += two64m8; -+ out[5] += two64m8; -+ out[6] += two64m8; -+ -+ for (i = 0; i < NLIMBS; i++) -+ out[i] -= in[i]; -+} -+ -+/* -+ * in[i] < 2^127 - 2^119 - 2^71 -+ * out[i] < out_orig[i] + 2^127 + 2^111 -+ */ -+static void felem_diff128(widefelem out, const widefelem in) -+{ -+ /* -+ * In order to prevent underflow, we add a multiple of p before subtracting. -+ * Use telescopic sums to represent 2^415 * p redundantly with each limb -+ * of the form 2^127 + ... 
-+ */ -+ -+ static const widelimb two127 = ((widelimb) 1) << 127; -+ static const widelimb two127m71 = (((widelimb) 1) << 127) -+ - (((widelimb) 1) << 71); -+ static const widelimb two127p111m79m71 = (((widelimb) 1) << 127) -+ + (((widelimb) 1) << 111) -+ - (((widelimb) 1) << 79) -+ - (((widelimb) 1) << 71); -+ static const widelimb two127m119m71 = (((widelimb) 1) << 127) -+ - (((widelimb) 1) << 119) -+ - (((widelimb) 1) << 71); -+ static const widelimb two127m95m71 = (((widelimb) 1) << 127) -+ - (((widelimb) 1) << 95) -+ - (((widelimb) 1) << 71); -+ unsigned int i; -+ -+ out[0] += two127; -+ out[1] += two127m71; -+ out[2] += two127m71; -+ out[3] += two127m71; -+ out[4] += two127m71; -+ out[5] += two127m71; -+ out[6] += two127p111m79m71; -+ out[7] += two127m119m71; -+ out[8] += two127m95m71; -+ out[9] += two127m71; -+ out[10] += two127m71; -+ out[11] += two127m71; -+ out[12] += two127m71; -+ -+ for (i = 0; i < 2*NLIMBS-1; i++) -+ out[i] -= in[i]; -+} -+ -+static void felem_square_ref(widefelem out, const felem in) -+{ -+ felem inx2; -+ felem_scalar(inx2, in, 2); -+ -+ out[0] = ((uint128_t) in[0]) * in[0]; -+ -+ out[1] = ((uint128_t) in[0]) * inx2[1]; -+ -+ out[2] = ((uint128_t) in[0]) * inx2[2] -+ + ((uint128_t) in[1]) * in[1]; -+ -+ out[3] = ((uint128_t) in[0]) * inx2[3] -+ + ((uint128_t) in[1]) * inx2[2]; -+ -+ out[4] = ((uint128_t) in[0]) * inx2[4] -+ + ((uint128_t) in[1]) * inx2[3] -+ + ((uint128_t) in[2]) * in[2]; -+ -+ out[5] = ((uint128_t) in[0]) * inx2[5] -+ + ((uint128_t) in[1]) * inx2[4] -+ + ((uint128_t) in[2]) * inx2[3]; -+ -+ out[6] = ((uint128_t) in[0]) * inx2[6] -+ + ((uint128_t) in[1]) * inx2[5] -+ + ((uint128_t) in[2]) * inx2[4] -+ + ((uint128_t) in[3]) * in[3]; -+ -+ out[7] = ((uint128_t) in[1]) * inx2[6] -+ + ((uint128_t) in[2]) * inx2[5] -+ + ((uint128_t) in[3]) * inx2[4]; -+ -+ out[8] = ((uint128_t) in[2]) * inx2[6] -+ + ((uint128_t) in[3]) * inx2[5] -+ + ((uint128_t) in[4]) * in[4]; -+ -+ out[9] = ((uint128_t) in[3]) * inx2[6] -+ + 
((uint128_t) in[4]) * inx2[5]; -+ -+ out[10] = ((uint128_t) in[4]) * inx2[6] -+ + ((uint128_t) in[5]) * in[5]; -+ -+ out[11] = ((uint128_t) in[5]) * inx2[6]; -+ -+ out[12] = ((uint128_t) in[6]) * in[6]; -+} -+ -+static void felem_mul_ref(widefelem out, const felem in1, const felem in2) -+{ -+ out[0] = ((uint128_t) in1[0]) * in2[0]; -+ -+ out[1] = ((uint128_t) in1[0]) * in2[1] -+ + ((uint128_t) in1[1]) * in2[0]; -+ -+ out[2] = ((uint128_t) in1[0]) * in2[2] -+ + ((uint128_t) in1[1]) * in2[1] -+ + ((uint128_t) in1[2]) * in2[0]; -+ -+ out[3] = ((uint128_t) in1[0]) * in2[3] -+ + ((uint128_t) in1[1]) * in2[2] -+ + ((uint128_t) in1[2]) * in2[1] -+ + ((uint128_t) in1[3]) * in2[0]; -+ -+ out[4] = ((uint128_t) in1[0]) * in2[4] -+ + ((uint128_t) in1[1]) * in2[3] -+ + ((uint128_t) in1[2]) * in2[2] -+ + ((uint128_t) in1[3]) * in2[1] -+ + ((uint128_t) in1[4]) * in2[0]; -+ -+ out[5] = ((uint128_t) in1[0]) * in2[5] -+ + ((uint128_t) in1[1]) * in2[4] -+ + ((uint128_t) in1[2]) * in2[3] -+ + ((uint128_t) in1[3]) * in2[2] -+ + ((uint128_t) in1[4]) * in2[1] -+ + ((uint128_t) in1[5]) * in2[0]; -+ -+ out[6] = ((uint128_t) in1[0]) * in2[6] -+ + ((uint128_t) in1[1]) * in2[5] -+ + ((uint128_t) in1[2]) * in2[4] -+ + ((uint128_t) in1[3]) * in2[3] -+ + ((uint128_t) in1[4]) * in2[2] -+ + ((uint128_t) in1[5]) * in2[1] -+ + ((uint128_t) in1[6]) * in2[0]; -+ -+ out[7] = ((uint128_t) in1[1]) * in2[6] -+ + ((uint128_t) in1[2]) * in2[5] -+ + ((uint128_t) in1[3]) * in2[4] -+ + ((uint128_t) in1[4]) * in2[3] -+ + ((uint128_t) in1[5]) * in2[2] -+ + ((uint128_t) in1[6]) * in2[1]; -+ -+ out[8] = ((uint128_t) in1[2]) * in2[6] -+ + ((uint128_t) in1[3]) * in2[5] -+ + ((uint128_t) in1[4]) * in2[4] -+ + ((uint128_t) in1[5]) * in2[3] -+ + ((uint128_t) in1[6]) * in2[2]; -+ -+ out[9] = ((uint128_t) in1[3]) * in2[6] -+ + ((uint128_t) in1[4]) * in2[5] -+ + ((uint128_t) in1[5]) * in2[4] -+ + ((uint128_t) in1[6]) * in2[3]; -+ -+ out[10] = ((uint128_t) in1[4]) * in2[6] -+ + ((uint128_t) in1[5]) * in2[5] -+ + 
((uint128_t) in1[6]) * in2[4]; -+ -+ out[11] = ((uint128_t) in1[5]) * in2[6] -+ + ((uint128_t) in1[6]) * in2[5]; -+ -+ out[12] = ((uint128_t) in1[6]) * in2[6]; -+} -+ -+/*- -+ * Reduce thirteen 128-bit coefficients to seven 64-bit coefficients. -+ * in[i] < 2^128 - 2^125 -+ * out[i] < 2^56 for i < 6, -+ * out[6] <= 2^48 -+ * -+ * The technique in use here stems from the format of the prime modulus: -+ * P384 = 2^384 - delta -+ * -+ * Thus we can reduce numbers of the form (X + 2^384 * Y) by substituting -+ * them with (X + delta Y), with delta = 2^128 + 2^96 + (-2^32 + 1). These -+ * coefficients are still quite large, and so we repeatedly apply this -+ * technique on high-order bits in order to guarantee the desired bounds on -+ * the size of our output. -+ * -+ * The three phases of elimination are as follows: -+ * [1]: Y = 2^120 (in[12] | in[11] | in[10] | in[9]) -+ * [2]: Y = 2^8 (acc[8] | acc[7]) -+ * [3]: Y = 2^48 (acc[6] >> 48) -+ * (Where a | b | c | d = (2^56)^3 a + (2^56)^2 b + (2^56) c + d) -+ */ -+static void felem_reduce(felem out, const widefelem in) -+{ -+ /* -+ * In order to prevent underflow, we add a multiple of p before subtracting. -+ * Use telescopic sums to represent 2^76 * p redundantly with each limb -+ * of the form 2^124 + ... 
-+ */ -+ static const widelimb two124m68 = (((widelimb) 1) << 124) -+ - (((widelimb) 1) << 68); -+ static const widelimb two124m116m68 = (((widelimb) 1) << 124) -+ - (((widelimb) 1) << 116) -+ - (((widelimb) 1) << 68); -+ static const widelimb two124p108m76 = (((widelimb) 1) << 124) -+ + (((widelimb) 1) << 108) -+ - (((widelimb) 1) << 76); -+ static const widelimb two124m92m68 = (((widelimb) 1) << 124) -+ - (((widelimb) 1) << 92) -+ - (((widelimb) 1) << 68); -+ widelimb temp, acc[9]; -+ unsigned int i; -+ -+ memcpy(acc, in, sizeof(widelimb) * 9); -+ -+ acc[0] += two124p108m76; -+ acc[1] += two124m116m68; -+ acc[2] += two124m92m68; -+ acc[3] += two124m68; -+ acc[4] += two124m68; -+ acc[5] += two124m68; -+ acc[6] += two124m68; -+ -+ /* [1]: Eliminate in[9], ..., in[12] */ -+ acc[8] += in[12] >> 32; -+ acc[7] += (in[12] & 0xffffffff) << 24; -+ acc[7] += in[12] >> 8; -+ acc[6] += (in[12] & 0xff) << 48; -+ acc[6] -= in[12] >> 16; -+ acc[5] -= ((in[12] & 0xffff) << 40); -+ acc[6] += in[12] >> 48; -+ acc[5] += (in[12] & 0xffffffffffff) << 8; -+ -+ acc[7] += in[11] >> 32; -+ acc[6] += (in[11] & 0xffffffff) << 24; -+ acc[6] += in[11] >> 8; -+ acc[5] += (in[11] & 0xff) << 48; -+ acc[5] -= in[11] >> 16; -+ acc[4] -= ((in[11] & 0xffff) << 40); -+ acc[5] += in[11] >> 48; -+ acc[4] += (in[11] & 0xffffffffffff) << 8; -+ -+ acc[6] += in[10] >> 32; -+ acc[5] += (in[10] & 0xffffffff) << 24; -+ acc[5] += in[10] >> 8; -+ acc[4] += (in[10] & 0xff) << 48; -+ acc[4] -= in[10] >> 16; -+ acc[3] -= ((in[10] & 0xffff) << 40); -+ acc[4] += in[10] >> 48; -+ acc[3] += (in[10] & 0xffffffffffff) << 8; -+ -+ acc[5] += in[9] >> 32; -+ acc[4] += (in[9] & 0xffffffff) << 24; -+ acc[4] += in[9] >> 8; -+ acc[3] += (in[9] & 0xff) << 48; -+ acc[3] -= in[9] >> 16; -+ acc[2] -= ((in[9] & 0xffff) << 40); -+ acc[3] += in[9] >> 48; -+ acc[2] += (in[9] & 0xffffffffffff) << 8; -+ -+ /* -+ * [2]: Eliminate acc[7], acc[8], that is the 7 and eighth limbs, as -+ * well as the contributions made from eliminating 
higher limbs. -+ * acc[7] < in[7] + 2^120 + 2^56 < in[7] + 2^121 -+ * acc[8] < in[8] + 2^96 -+ */ -+ acc[4] += acc[8] >> 32; -+ acc[3] += (acc[8] & 0xffffffff) << 24; -+ acc[3] += acc[8] >> 8; -+ acc[2] += (acc[8] & 0xff) << 48; -+ acc[2] -= acc[8] >> 16; -+ acc[1] -= ((acc[8] & 0xffff) << 40); -+ acc[2] += acc[8] >> 48; -+ acc[1] += (acc[8] & 0xffffffffffff) << 8; -+ -+ acc[3] += acc[7] >> 32; -+ acc[2] += (acc[7] & 0xffffffff) << 24; -+ acc[2] += acc[7] >> 8; -+ acc[1] += (acc[7] & 0xff) << 48; -+ acc[1] -= acc[7] >> 16; -+ acc[0] -= ((acc[7] & 0xffff) << 40); -+ acc[1] += acc[7] >> 48; -+ acc[0] += (acc[7] & 0xffffffffffff) << 8; -+ -+ /*- -+ * acc[k] < in[k] + 2^124 + 2^121 -+ * < in[k] + 2^125 -+ * < 2^128, for k <= 6 -+ */ -+ -+ /* -+ * Carry 4 -> 5 -> 6 -+ * This has the effect of ensuring that these more significant limbs -+ * will be small in value after eliminating high bits from acc[6]. -+ */ -+ acc[5] += acc[4] >> 56; -+ acc[4] &= 0x00ffffffffffffff; -+ -+ acc[6] += acc[5] >> 56; -+ acc[5] &= 0x00ffffffffffffff; -+ -+ /*- -+ * acc[6] < in[6] + 2^124 + 2^121 + 2^72 + 2^16 -+ * < in[6] + 2^125 -+ * < 2^128 -+ */ -+ -+ /* [3]: Eliminate high bits of acc[6] */ -+ temp = acc[6] >> 48; -+ acc[6] &= 0x0000ffffffffffff; -+ -+ /* temp < 2^80 */ -+ -+ acc[3] += temp >> 40; -+ acc[2] += (temp & 0xffffffffff) << 16; -+ acc[2] += temp >> 16; -+ acc[1] += (temp & 0xffff) << 40; -+ acc[1] -= temp >> 24; -+ acc[0] -= (temp & 0xffffff) << 32; -+ acc[0] += temp; -+ -+ /*- -+ * acc[k] < acc_old[k] + 2^64 + 2^56 -+ * < in[k] + 2^124 + 2^121 + 2^72 + 2^64 + 2^56 + 2^16 , k < 4 -+ */ -+ -+ /* Carry 0 -> 1 -> 2 -> 3 -> 4 -> 5 -> 6 */ -+ acc[1] += acc[0] >> 56; /* acc[1] < acc_old[1] + 2^72 */ -+ acc[0] &= 0x00ffffffffffffff; -+ -+ acc[2] += acc[1] >> 56; /* acc[2] < acc_old[2] + 2^72 + 2^16 */ -+ acc[1] &= 0x00ffffffffffffff; -+ -+ acc[3] += acc[2] >> 56; /* acc[3] < acc_old[3] + 2^72 + 2^16 */ -+ acc[2] &= 0x00ffffffffffffff; -+ -+ /*- -+ * acc[k] < acc_old[k] + 2^72 + 2^16 
-+ * < in[k] + 2^124 + 2^121 + 2^73 + 2^64 + 2^56 + 2^17 -+ * < in[k] + 2^125 -+ * < 2^128 , k < 4 -+ */ -+ -+ acc[4] += acc[3] >> 56; /*- -+ * acc[4] < acc_old[4] + 2^72 + 2^16 -+ * < 2^72 + 2^56 + 2^16 -+ */ -+ acc[3] &= 0x00ffffffffffffff; -+ -+ acc[5] += acc[4] >> 56; /*- -+ * acc[5] < acc_old[5] + 2^16 + 1 -+ * < 2^56 + 2^16 + 1 -+ */ -+ acc[4] &= 0x00ffffffffffffff; -+ -+ acc[6] += acc[5] >> 56; /* acc[6] < 2^48 + 1 <= 2^48 */ -+ acc[5] &= 0x00ffffffffffffff; -+ -+ for (i = 0; i < NLIMBS; i++) -+ out[i] = acc[i]; -+} -+ -+#if defined(ECP_NISTP384_ASM) -+static void felem_square_wrapper(widefelem out, const felem in); -+static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2); -+ -+static void (*felem_square_p)(widefelem out, const felem in) = -+ felem_square_wrapper; -+static void (*felem_mul_p)(widefelem out, const felem in1, const felem in2) = -+ felem_mul_wrapper; -+ -+void p384_felem_square(widefelem out, const felem in); -+void p384_felem_mul(widefelem out, const felem in1, const felem in2); -+ -+# if defined(_ARCH_PPC64) -+# include "crypto/ppc_arch.h" -+# endif -+ -+static void felem_select(void) -+{ -+ /* Default */ -+ felem_square_p = felem_square_ref; -+ felem_mul_p = felem_mul_ref; -+} -+ -+static void felem_square_wrapper(widefelem out, const felem in) -+{ -+ felem_select(); -+ felem_square_p(out, in); -+} -+ -+static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2) -+{ -+ felem_select(); -+ felem_mul_p(out, in1, in2); -+} -+ -+# define felem_square felem_square_p -+# define felem_mul felem_mul_p -+#else -+# define felem_square felem_square_ref -+# define felem_mul felem_mul_ref -+#endif -+ -+static ossl_inline void felem_square_reduce(felem out, const felem in) -+{ -+ widefelem tmp; -+ -+ felem_square(tmp, in); -+ felem_reduce(out, tmp); -+} -+ -+static ossl_inline void felem_mul_reduce(felem out, const felem in1, const felem in2) -+{ -+ widefelem tmp; -+ -+ felem_mul(tmp, in1, in2); -+ 
felem_reduce(out, tmp);
-+}
-+
-+/*-
-+ * felem_inv calculates |out| = |in|^{-1}
-+ *
-+ * Based on Fermat's Little Theorem:
-+ * a^p = a (mod p)
-+ * a^{p-1} = 1 (mod p)
-+ * a^{p-2} = a^{-1} (mod p)
-+ */
-+static void felem_inv(felem out, const felem in)
-+{
-+ felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6;
-+ unsigned int i = 0;
-+
-+ felem_square_reduce(ftmp, in); /* 2^1 */
-+ felem_mul_reduce(ftmp, ftmp, in); /* 2^1 + 2^0 */
-+ felem_assign(ftmp2, ftmp);
-+
-+ felem_square_reduce(ftmp, ftmp); /* 2^2 + 2^1 */
-+ felem_mul_reduce(ftmp, ftmp, in); /* 2^2 + 2^1 * 2^0 */
-+ felem_assign(ftmp3, ftmp);
-+
-+ for (i = 0; i < 3; i++)
-+ felem_square_reduce(ftmp, ftmp); /* 2^5 + 2^4 + 2^3 */
-+ felem_mul_reduce(ftmp, ftmp3, ftmp); /* 2^5 + 2^4 + 2^3 + 2^2 + 2^1 + 2^0 */
-+ felem_assign(ftmp4, ftmp);
-+
-+ for (i = 0; i < 6; i++)
-+ felem_square_reduce(ftmp, ftmp); /* 2^11 + ... + 2^6 */
-+ felem_mul_reduce(ftmp, ftmp4, ftmp); /* 2^11 + ... + 2^0 */
-+
-+ for (i = 0; i < 3; i++)
-+ felem_square_reduce(ftmp, ftmp); /* 2^14 + ... + 2^3 */
-+ felem_mul_reduce(ftmp, ftmp3, ftmp); /* 2^14 + ... + 2^0 */
-+ felem_assign(ftmp5, ftmp);
-+
-+ for (i = 0; i < 15; i++)
-+ felem_square_reduce(ftmp, ftmp); /* 2^29 + ... + 2^15 */
-+ felem_mul_reduce(ftmp, ftmp5, ftmp); /* 2^29 + ... + 2^0 */
-+ felem_assign(ftmp6, ftmp);
-+
-+ for (i = 0; i < 30; i++)
-+ felem_square_reduce(ftmp, ftmp); /* 2^59 + ... + 2^30 */
-+ felem_mul_reduce(ftmp, ftmp6, ftmp); /* 2^59 + ... + 2^0 */
-+ felem_assign(ftmp4, ftmp);
-+
-+ for (i = 0; i < 60; i++)
-+ felem_square_reduce(ftmp, ftmp); /* 2^119 + ... + 2^60 */
-+ felem_mul_reduce(ftmp, ftmp4, ftmp); /* 2^119 + ... + 2^0 */
-+ felem_assign(ftmp4, ftmp);
-+
-+ for (i = 0; i < 120; i++)
-+ felem_square_reduce(ftmp, ftmp); /* 2^239 + ... + 2^120 */
-+ felem_mul_reduce(ftmp, ftmp4, ftmp); /* 2^239 + ... + 2^0 */
-+
-+ for (i = 0; i < 15; i++)
-+ felem_square_reduce(ftmp, ftmp); /* 2^254 + ... + 2^15 */
-+ felem_mul_reduce(ftmp, ftmp5, ftmp); /* 2^254 + ... + 2^0 */
-+
-+ for (i = 0; i < 31; i++)
-+ felem_square_reduce(ftmp, ftmp); /* 2^285 + ... + 2^31 */
-+ felem_mul_reduce(ftmp, ftmp6, ftmp); /* 2^285 + ... + 2^31 + 2^29 + ... + 2^0 */
-+
-+ for (i = 0; i < 2; i++)
-+ felem_square_reduce(ftmp, ftmp); /* 2^287 + ... + 2^33 + 2^31 + ... + 2^2 */
-+ felem_mul_reduce(ftmp, ftmp2, ftmp); /* 2^287 + ... + 2^33 + 2^31 + ... + 2^0 */
-+
-+ for (i = 0; i < 94; i++)
-+ felem_square_reduce(ftmp, ftmp); /* 2^381 + ... + 2^127 + 2^125 + ... + 2^94 */
-+ felem_mul_reduce(ftmp, ftmp6, ftmp); /* 2^381 + ... + 2^127 + 2^125 + ... + 2^94 + 2^29 + ... + 2^0 */
-+
-+ for (i = 0; i < 2; i++)
-+ felem_square_reduce(ftmp, ftmp); /* 2^383 + ... + 2^129 + 2^127 + ... + 2^96 + 2^31 + ... + 2^2 */
-+ felem_mul_reduce(ftmp, in, ftmp); /* 2^383 + ... + 2^129 + 2^127 + ... + 2^96 + 2^31 + ... + 2^2 + 2^0 */
-+
-+ memcpy(out, ftmp, sizeof(felem));
-+}
-+
-+/*
-+ * Zero-check: returns a limb with all bits set if |in| == 0 (mod p)
-+ * and 0 otherwise. We know that field elements are reduced to
-+ * 0 < in < 2p, so we only need to check two cases:
-+ * 0 and 2^384 - 2^128 - 2^96 + 2^32 - 1
-+ * in[k] < 2^56, k < 6
-+ * in[6] <= 2^48
-+ */
-+static limb felem_is_zero(const felem in)
-+{
-+ limb zero, p384;
-+
-+ zero = in[0] | in[1] | in[2] | in[3] | in[4] | in[5] | in[6];
-+ zero = ((int64_t) (zero) - 1) >> 63;
-+ p384 = (in[0] ^ 0x000000ffffffff) | (in[1] ^ 0xffff0000000000)
-+ | (in[2] ^ 0xfffffffffeffff) | (in[3] ^ 0xffffffffffffff)
-+ | (in[4] ^ 0xffffffffffffff) | (in[5] ^ 0xffffffffffffff)
-+ | (in[6] ^ 0xffffffffffff);
-+ p384 = ((int64_t) (p384) - 1) >> 63;
-+
-+ return (zero | p384);
-+}
-+
-+static int felem_is_zero_int(const void *in)
-+{
-+ return (int)(felem_is_zero(in) & ((limb) 1));
-+}
-+
-+/*-
-+ * felem_contract converts |in| to its unique, minimal representation.
-+ * Assume we've removed all redundant bits.
-+ * On entry:
-+ * in[k] < 2^56, k < 6
-+ * in[6] <= 2^48
-+ */
-+static void felem_contract(felem out, const felem in)
-+{
-+ static const int64_t two56 = ((limb) 1) << 56;
-+
-+ /*
-+ * We know for a fact that 0 <= |in| < 2*p, for p = 2^384 - 2^128 - 2^96 + 2^32 - 1
-+ * Perform two successive, idempotent subtractions to reduce if |in| >= p.
-+ */
-+
-+ int64_t tmp[NLIMBS], cond[5], a;
-+ unsigned int i;
-+
-+ memcpy(tmp, in, sizeof(felem));
-+
-+ /* Case 1: a = 1 iff |in| >= 2^384 */
-+ a = (in[6] >> 48);
-+ tmp[0] += a;
-+ tmp[0] -= a << 32;
-+ tmp[1] += a << 40;
-+ tmp[2] += a << 16;
-+ tmp[6] &= 0x0000ffffffffffff;
-+
-+ /*
-+ * eliminate negative coefficients: if tmp[0] is negative, tmp[1] must be
-+ * non-zero, so we only need one step
-+ */
-+
-+ a = tmp[0] >> 63;
-+ tmp[0] += a & two56;
-+ tmp[1] -= a & 1;
-+
-+ /* Carry 1 -> 2 -> 3 -> 4 -> 5 -> 6 */
-+ tmp[2] += tmp[1] >> 56;
-+ tmp[1] &= 0x00ffffffffffffff;
-+
-+ tmp[3] += tmp[2] >> 56;
-+ tmp[2] &= 0x00ffffffffffffff;
-+
-+ tmp[4] += tmp[3] >> 56;
-+ tmp[3] &= 0x00ffffffffffffff;
-+
-+ tmp[5] += tmp[4] >> 56;
-+ tmp[4] &= 0x00ffffffffffffff;
-+
-+ tmp[6] += tmp[5] >> 56; /* tmp[6] < 2^48 */
-+ tmp[5] &= 0x00ffffffffffffff;
-+
-+ /*
-+ * Case 2: a = all ones if p <= |in| < 2^384, 0 otherwise
-+ */
-+
-+ /* 0 iff (2^129..2^383) are all one */
-+ cond[0] = ((tmp[6] | 0xff000000000000) & tmp[5] & tmp[4] & tmp[3] & (tmp[2] | 0x0000000001ffff)) + 1;
-+ /* 0 iff 2^128 bit is one */
-+ cond[1] = (tmp[2] | ~0x00000000010000) + 1;
-+ /* 0 iff (2^96..2^127) bits are all one */
-+ cond[2] = ((tmp[2] | 0xffffffffff0000) & (tmp[1] | 0x0000ffffffffff)) + 1;
-+ /* 0 iff (2^32..2^95) bits are all zero */
-+ cond[3] = (tmp[1] & ~0xffff0000000000) | (tmp[0] & ~((int64_t) 0x000000ffffffff));
-+ /* 0 iff (2^0..2^31) bits are all one */
-+ cond[4] = (tmp[0] | 0xffffff00000000) + 1;
-+
-+ /*
-+ * In effect, invert our conditions, so that 0 values become all 1's,
-+ * any non-zero value in the low-order 56 bits becomes all 0's
-+ */
-+ for (i = 0; i < 5; i++)
-+ cond[i] = ((cond[i] & 0x00ffffffffffffff) - 1) >> 63;
-+
-+ /*
-+ * The condition for determining whether in is greater than our
-+ * prime is given by the following condition.
-+ */
-+
-+ /* First subtract 2^384 - 2^129 cheaply */
-+ a = cond[0] & (cond[1] | (cond[2] & (~cond[3] | cond[4])));
-+ tmp[6] &= ~a;
-+ tmp[5] &= ~a;
-+ tmp[4] &= ~a;
-+ tmp[3] &= ~a;
-+ tmp[2] &= ~a | 0x0000000001ffff;
-+
-+ /*
-+ * Subtract 2^128 - 2^96 by
-+ * means of disjoint cases.
-+ */
-+
-+ /* subtract 2^128 if that bit is present, and add 2^96 */
-+ a = cond[0] & cond[1];
-+ tmp[2] &= ~a | 0xfffffffffeffff;
-+ tmp[1] += a & ((int64_t) 1 << 40);
-+
-+ /* otherwise, clear bits 2^127 .. 2^96 */
-+ a = cond[0] & ~cond[1] & (cond[2] & (~cond[3] | cond[4]));
-+ tmp[2] &= ~a | 0xffffffffff0000;
-+ tmp[1] &= ~a | 0x0000ffffffffff;
-+
-+ /* finally, subtract the last 2^32 - 1 */
-+ a = cond[0] & (cond[1] | (cond[2] & (~cond[3] | cond[4])));
-+ tmp[0] += a & (-((int64_t) 1 << 32) + 1);
-+
-+ /*
-+ * eliminate negative coefficients: if tmp[0] is negative, tmp[1] must be
-+ * non-zero, so we only need one step
-+ */
-+ a = tmp[0] >> 63;
-+ tmp[0] += a & two56;
-+ tmp[1] -= a & 1;
-+
-+ /* Carry 1 -> 2 -> 3 -> 4 -> 5 -> 6 */
-+ tmp[2] += tmp[1] >> 56;
-+ tmp[1] &= 0x00ffffffffffffff;
-+
-+ tmp[3] += tmp[2] >> 56;
-+ tmp[2] &= 0x00ffffffffffffff;
-+
-+ tmp[4] += tmp[3] >> 56;
-+ tmp[3] &= 0x00ffffffffffffff;
-+
-+ tmp[5] += tmp[4] >> 56;
-+ tmp[4] &= 0x00ffffffffffffff;
-+
-+ tmp[6] += tmp[5] >> 56;
-+ tmp[5] &= 0x00ffffffffffffff;
-+
-+ memcpy(out, tmp, sizeof(felem));
-+}
-+
-+/*-
-+ * Group operations
-+ * ----------------
-+ *
-+ * Building on top of the field operations we have the operations on the
-+ * elliptic curve group itself. Points on the curve are represented in Jacobian
-+ * coordinates
-+ */
-+
-+/*-
-+ * point_double calculates 2*(x_in, y_in, z_in)
-+ *
-+ * The method is taken from:
-+ * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
-+ *
-+ * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed.
-+ * while x_out == y_in is not (maybe this works, but it's not tested).
-+ */
-+static void
-+point_double(felem x_out, felem y_out, felem z_out,
-+ const felem x_in, const felem y_in, const felem z_in)
-+{
-+ widefelem tmp, tmp2;
-+ felem delta, gamma, beta, alpha, ftmp, ftmp2;
-+
-+ felem_assign(ftmp, x_in);
-+ felem_assign(ftmp2, x_in);
-+
-+ /* delta = z^2 */
-+ felem_square_reduce(delta, z_in); /* delta[i] < 2^56 */
-+
-+ /* gamma = y^2 */
-+ felem_square_reduce(gamma, y_in); /* gamma[i] < 2^56 */
-+
-+ /* beta = x*gamma */
-+ felem_mul_reduce(beta, x_in, gamma); /* beta[i] < 2^56 */
-+
-+ /* alpha = 3*(x-delta)*(x+delta) */
-+ felem_diff64(ftmp, delta); /* ftmp[i] < 2^60 + 2^58 + 2^44 */
-+ felem_sum64(ftmp2, delta); /* ftmp2[i] < 2^59 */
-+ felem_scalar64(ftmp2, 3); /* ftmp2[i] < 2^61 */
-+ felem_mul_reduce(alpha, ftmp, ftmp2); /* alpha[i] < 2^56 */
-+
-+ /* x' = alpha^2 - 8*beta */
-+ felem_square(tmp, alpha); /* tmp[i] < 2^115 */
-+ felem_assign(ftmp, beta); /* ftmp[i] < 2^56 */
-+ felem_scalar64(ftmp, 8); /* ftmp[i] < 2^59 */
-+ felem_diff_128_64(tmp, ftmp); /* tmp[i] < 2^115 + 2^64 + 2^48 */
-+ felem_reduce(x_out, tmp); /* x_out[i] < 2^56 */
-+
-+ /* z' = (y + z)^2 - gamma - delta */
-+ felem_sum64(delta, gamma); /* delta[i] < 2^57 */
-+ felem_assign(ftmp, y_in); /* ftmp[i] < 2^56 */
-+ felem_sum64(ftmp, z_in); /* ftmp[i] < 2^56 */
-+ felem_square(tmp, ftmp); /* tmp[i] < 2^115 */
-+ felem_diff_128_64(tmp, delta); /* tmp[i] < 2^115 + 2^64 + 2^48 */
-+ felem_reduce(z_out, tmp); /* z_out[i] < 2^56 */
-+
-+ /* y' = alpha*(4*beta - x') - 8*gamma^2 */
-+ felem_scalar64(beta, 4); /* beta[i] < 2^58 */
-+ felem_diff64(beta, x_out); /* beta[i] < 2^60 + 2^58 + 2^44 */
-+ felem_mul(tmp, alpha, beta); /* tmp[i] < 2^119 */
-+ felem_square(tmp2, gamma); /* tmp2[i] < 2^115 */
-+ felem_scalar128(tmp2, 8); /* tmp2[i] < 2^118 */
-+ felem_diff128(tmp, tmp2); /* tmp[i] < 2^127 + 2^119 + 2^111 */
-+ felem_reduce(y_out, tmp); /* tmp[i] < 2^56 */
-+}
-+
-+/* copy_conditional copies in to out iff mask is all ones. */
-+static void copy_conditional(felem out, const felem in, limb mask)
-+{
-+ unsigned int i;
-+
-+ for (i = 0; i < NLIMBS; i++)
-+ out[i] ^= mask & (in[i] ^ out[i]);
-+}
-+
-+/*-
-+ * point_add calculates (x1, y1, z1) + (x2, y2, z2)
-+ *
-+ * The method is taken from
-+ * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
-+ * adapted for mixed addition (z2 = 1, or z2 = 0 for the point at infinity).
-+ *
-+ * This function includes a branch for checking whether the two input points
-+ * are equal (while not equal to the point at infinity). See comment below
-+ * on constant-time.
-+ */
-+static void point_add(felem x3, felem y3, felem z3,
-+ const felem x1, const felem y1, const felem z1,
-+ const int mixed, const felem x2, const felem y2,
-+ const felem z2)
-+{
-+ felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6, x_out, y_out, z_out;
-+ widefelem tmp, tmp2;
-+ limb x_equal, y_equal, z1_is_zero, z2_is_zero;
-+ limb points_equal;
-+
-+ z1_is_zero = felem_is_zero(z1);
-+ z2_is_zero = felem_is_zero(z2);
-+
-+ /* ftmp = z1z1 = z1**2 */
-+ felem_square_reduce(ftmp, z1); /* ftmp[i] < 2^56 */
-+
-+ if (!mixed) {
-+ /* ftmp2 = z2z2 = z2**2 */
-+ felem_square_reduce(ftmp2, z2); /* ftmp2[i] < 2^56 */
-+
-+ /* u1 = ftmp3 = x1*z2z2 */
-+ felem_mul_reduce(ftmp3, x1, ftmp2); /* ftmp3[i] < 2^56 */
-+
-+ /* ftmp5 = z1 + z2 */
-+ felem_assign(ftmp5, z1); /* ftmp5[i] < 2^56 */
-+ felem_sum64(ftmp5, z2); /* ftmp5[i] < 2^57 */
-+
-+ /* ftmp5 = (z1 + z2)**2 - z1z1 - z2z2 = 2*z1z2 */
-+ felem_square(tmp, ftmp5); /* tmp[i] < 2^117 */
-+ felem_diff_128_64(tmp, ftmp); /* tmp[i] < 2^117 + 2^64 + 2^48 */
-+ felem_diff_128_64(tmp, ftmp2); /* tmp[i] < 2^117 + 2^65 + 2^49 */
-+ felem_reduce(ftmp5, tmp); /* ftmp5[i] < 2^56 */
-+
-+ /* ftmp2 = z2 * z2z2 */
-+ felem_mul_reduce(ftmp2, ftmp2, z2); /* ftmp2[i] < 2^56 */
-+
-+ /* s1 = ftmp6 = y1 * z2**3 */
-+ felem_mul_reduce(ftmp6, y1, ftmp2); /* ftmp6[i] < 2^56 */
-+ } else {
-+ /*
-+ * We'll assume z2 = 1 (special case z2 = 0 is handled later)
-+ */
-+
-+ /* u1 = ftmp3 = x1*z2z2 */
-+ felem_assign(ftmp3, x1); /* ftmp3[i] < 2^56 */
-+
-+ /* ftmp5 = 2*z1z2 */
-+ felem_scalar(ftmp5, z1, 2); /* ftmp5[i] < 2^57 */
-+
-+ /* s1 = ftmp6 = y1 * z2**3 */
-+ felem_assign(ftmp6, y1); /* ftmp6[i] < 2^56 */
-+ }
-+ /* ftmp3[i] < 2^56, ftmp5[i] < 2^57, ftmp6[i] < 2^56 */
-+
-+ /* u2 = x2*z1z1 */
-+ felem_mul(tmp, x2, ftmp); /* tmp[i] < 2^115 */
-+
-+ /* h = ftmp4 = u2 - u1 */
-+ felem_diff_128_64(tmp, ftmp3); /* tmp[i] < 2^115 + 2^64 + 2^48 */
-+ felem_reduce(ftmp4, tmp); /* ftmp[4] < 2^56 */
-+
-+ x_equal = felem_is_zero(ftmp4);
-+
-+ /* z_out = ftmp5 * h */
-+ felem_mul_reduce(z_out, ftmp5, ftmp4); /* z_out[i] < 2^56 */
-+
-+ /* ftmp = z1 * z1z1 */
-+ felem_mul_reduce(ftmp, ftmp, z1); /* ftmp[i] < 2^56 */
-+
-+ /* s2 = tmp = y2 * z1**3 */
-+ felem_mul(tmp, y2, ftmp); /* tmp[i] < 2^115 */
-+
-+ /* r = ftmp5 = (s2 - s1)*2 */
-+ felem_diff_128_64(tmp, ftmp6); /* tmp[i] < 2^115 + 2^64 + 2^48 */
-+ felem_reduce(ftmp5, tmp); /* ftmp5[i] < 2^56 */
-+ y_equal = felem_is_zero(ftmp5);
-+ felem_scalar64(ftmp5, 2); /* ftmp5[i] < 2^57 */
-+
-+ /*
-+ * The formulae are incorrect if the points are equal, in affine coordinates
-+ * (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this
-+ * happens.
-+ *
-+ * We use bitwise operations to avoid potential side-channels introduced by
-+ * the short-circuiting behaviour of boolean operators.
-+ *
-+ * The special case of either point being the point at infinity (z1 and/or
-+ * z2 are zero), is handled separately later on in this function, so we
-+ * avoid jumping to point_double here in those special cases.
-+ *
-+ * Notice the comment below on the implications of this branching for timing
-+ * leaks and why it is considered practically irrelevant.
-+ */
-+ points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero));
-+
-+ if (points_equal) {
-+ /*
-+ * This is obviously not constant-time but it will almost-never happen
-+ * for ECDH / ECDSA.
-+ */
-+ point_double(x3, y3, z3, x1, y1, z1);
-+ return;
-+ }
-+
-+ /* I = ftmp = (2h)**2 */
-+ felem_assign(ftmp, ftmp4); /* ftmp[i] < 2^56 */
-+ felem_scalar64(ftmp, 2); /* ftmp[i] < 2^57 */
-+ felem_square_reduce(ftmp, ftmp); /* ftmp[i] < 2^56 */
-+
-+ /* J = ftmp2 = h * I */
-+ felem_mul_reduce(ftmp2, ftmp4, ftmp); /* ftmp2[i] < 2^56 */
-+
-+ /* V = ftmp4 = U1 * I */
-+ felem_mul_reduce(ftmp4, ftmp3, ftmp); /* ftmp4[i] < 2^56 */
-+
-+ /* x_out = r**2 - J - 2V */
-+ felem_square(tmp, ftmp5); /* tmp[i] < 2^117 */
-+ felem_diff_128_64(tmp, ftmp2); /* tmp[i] < 2^117 + 2^64 + 2^48 */
-+ felem_assign(ftmp3, ftmp4); /* ftmp3[i] < 2^56 */
-+ felem_scalar64(ftmp4, 2); /* ftmp4[i] < 2^57 */
-+ felem_diff_128_64(tmp, ftmp4); /* tmp[i] < 2^117 + 2^65 + 2^49 */
-+ felem_reduce(x_out, tmp); /* x_out[i] < 2^56 */
-+
-+ /* y_out = r(V-x_out) - 2 * s1 * J */
-+ felem_diff64(ftmp3, x_out); /* ftmp3[i] < 2^60 + 2^56 + 2^44 */
-+ felem_mul(tmp, ftmp5, ftmp3); /* tmp[i] < 2^116 */
-+ felem_mul(tmp2, ftmp6, ftmp2); /* tmp2[i] < 2^115 */
-+ felem_scalar128(tmp2, 2); /* tmp2[i] < 2^116 */
-+ felem_diff128(tmp, tmp2); /* tmp[i] < 2^127 + 2^116 + 2^111 */
-+ felem_reduce(y_out, tmp); /* y_out[i] < 2^56 */
-+
-+ copy_conditional(x_out, x2, z1_is_zero);
-+ copy_conditional(x_out, x1, z2_is_zero);
-+ copy_conditional(y_out, y2, z1_is_zero);
-+ copy_conditional(y_out, y1, z2_is_zero);
-+ copy_conditional(z_out, z2, z1_is_zero);
-+ copy_conditional(z_out, z1, z2_is_zero);
-+ felem_assign(x3, x_out);
-+ felem_assign(y3, y_out);
-+ felem_assign(z3, z_out);
-+}
-+
-+/*-
-+ * Base point pre computation
-+ * --------------------------
-+ *
-+ * Two different sorts of precomputed tables are used in the following code.
-+ * Each contain various points on the curve, where each point is three field
-+ * elements (x, y, z).
-+ *
-+ * For the base point table, z is usually 1 (0 for the point at infinity).
-+ * This table has 16 elements:
-+ * index | bits | point
-+ * ------+---------+------------------------------
-+ * 0 | 0 0 0 0 | 0G
-+ * 1 | 0 0 0 1 | 1G
-+ * 2 | 0 0 1 0 | 2^95G
-+ * 3 | 0 0 1 1 | (2^95 + 1)G
-+ * 4 | 0 1 0 0 | 2^190G
-+ * 5 | 0 1 0 1 | (2^190 + 1)G
-+ * 6 | 0 1 1 0 | (2^190 + 2^95)G
-+ * 7 | 0 1 1 1 | (2^190 + 2^95 + 1)G
-+ * 8 | 1 0 0 0 | 2^285G
-+ * 9 | 1 0 0 1 | (2^285 + 1)G
-+ * 10 | 1 0 1 0 | (2^285 + 2^95)G
-+ * 11 | 1 0 1 1 | (2^285 + 2^95 + 1)G
-+ * 12 | 1 1 0 0 | (2^285 + 2^190)G
-+ * 13 | 1 1 0 1 | (2^285 + 2^190 + 1)G
-+ * 14 | 1 1 1 0 | (2^285 + 2^190 + 2^95)G
-+ * 15 | 1 1 1 1 | (2^285 + 2^190 + 2^95 + 1)G
-+ *
-+ * The reason for this is so that we can clock bits into four different
-+ * locations when doing simple scalar multiplies against the base point.
-+ *
-+ * Tables for other points have table[i] = iG for i in 0 .. 16.
-+ */
-+
-+/* gmul is the table of precomputed base points */
-+static const felem gmul[16][3] = {
-+{{0, 0, 0, 0, 0, 0, 0},
-+ {0, 0, 0, 0, 0, 0, 0},
-+ {0, 0, 0, 0, 0, 0, 0}},
-+{{0x00545e3872760ab7, 0x00f25dbf55296c3a, 0x00e082542a385502, 0x008ba79b9859f741,
-+ 0x0020ad746e1d3b62, 0x0005378eb1c71ef3, 0x0000aa87ca22be8b},
-+ {0x00431d7c90ea0e5f, 0x00b1ce1d7e819d7a, 0x0013b5f0b8c00a60, 0x00289a147ce9da31,
-+ 0x0092dc29f8f41dbd, 0x002c6f5d9e98bf92, 0x00003617de4a9626},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x00024711cc902a90, 0x00acb2e579ab4fe1, 0x00af818a4b4d57b1, 0x00a17c7bec49c3de,
-+ 0x004280482d726a8b, 0x00128dd0f0a90f3b, 0x00004387c1c3fa3c},
-+ {0x002ce76543cf5c3a, 0x00de6cee5ef58f0a, 0x00403e42fa561ca6, 0x00bc54d6f9cb9731,
-+ 0x007155f925fb4ff1, 0x004a9ce731b7b9bc, 0x00002609076bd7b2},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x00e74c9182f0251d, 0x0039bf54bb111974, 0x00b9d2f2eec511d2, 0x0036b1594eb3a6a4,
-+ 0x00ac3bb82d9d564b, 0x00f9313f4615a100, 0x00006716a9a91b10},
-+ {0x0046698116e2f15c, 0x00f34347067d3d33, 0x008de4ccfdebd002, 0x00e838c6b8e8c97b,
-+ 0x006faf0798def346, 0x007349794a57563c, 0x00002629e7e6ad84},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x0075300e34fd163b, 0x0092e9db4e8d0ad3, 0x00254be9f625f760, 0x00512c518c72ae68,
-+ 0x009bfcf162bede5a, 0x00bf9341566ce311, 0x0000cd6175bd41cf},
-+ {0x007dfe52af4ac70f, 0x0002159d2d5c4880, 0x00b504d16f0af8d0, 0x0014585e11f5e64c,
-+ 0x0089c6388e030967, 0x00ffb270cbfa5f71, 0x00009a15d92c3947},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x0033fc1278dc4fe5, 0x00d53088c2caa043, 0x0085558827e2db66, 0x00c192bef387b736,
-+ 0x00df6405a2225f2c, 0x0075205aa90fd91a, 0x0000137e3f12349d},
-+ {0x00ce5b115efcb07e, 0x00abc3308410deeb, 0x005dc6fc1de39904, 0x00907c1c496f36b4,
-+ 0x0008e6ad3926cbe1, 0x00110747b787928c, 0x0000021b9162eb7e},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x008180042cfa26e1, 0x007b826a96254967, 0x0082473694d6b194, 0x007bd6880a45b589,
-+ 0x00c0a5097072d1a3, 0x0019186555e18b4e, 0x000020278190e5ca},
-+ {0x00b4bef17de61ac0, 0x009535e3c38ed348, 0x002d4aa8e468ceab, 0x00ef40b431036ad3,
-+ 0x00defd52f4542857, 0x0086edbf98234266, 0x00002025b3a7814d},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x00b238aa97b886be, 0x00ef3192d6dd3a32, 0x0079f9e01fd62df8, 0x00742e890daba6c5,
-+ 0x008e5289144408ce, 0x0073bbcc8e0171a5, 0x0000c4fd329d3b52},
-+ {0x00c6f64a15ee23e7, 0x00dcfb7b171cad8b, 0x00039f6cbd805867, 0x00de024e428d4562,
-+ 0x00be6a594d7c64c5, 0x0078467b70dbcd64, 0x0000251f2ed7079b},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x000e5cc25fc4b872, 0x005ebf10d31ef4e1, 0x0061e0ebd11e8256, 0x0076e026096f5a27,
-+ 0x0013e6fc44662e9a, 0x0042b00289d3597e, 0x000024f089170d88},
-+ {0x001604d7e0effbe6, 0x0048d77cba64ec2c, 0x008166b16da19e36, 0x006b0d1a0f28c088,
-+ 0x000259fcd47754fd, 0x00cc643e4d725f9a, 0x00007b10f3c79c14},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x00430155e3b908af, 0x00b801e4fec25226, 0x00b0d4bcfe806d26, 0x009fc4014eb13d37,
-+ 0x0066c94e44ec07e8, 0x00d16adc03874ba2, 0x000030c917a0d2a7},
-+ {0x00edac9e21eb891c, 0x00ef0fb768102eff, 0x00c088cef272a5f3, 0x00cbf782134e2964,
-+ 0x0001044a7ba9a0e3, 0x00e363f5b194cf3c, 0x00009ce85249e372},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x001dd492dda5a7eb, 0x008fd577be539fd1, 0x002ff4b25a5fc3f1, 0x0074a8a1b64df72f,
-+ 0x002ba3d8c204a76c, 0x009d5cff95c8235a, 0x0000e014b9406e0f},
-+ {0x008c2e4dbfc98aba, 0x00f30bb89f1a1436, 0x00b46f7aea3e259c, 0x009224454ac02f54,
-+ 0x00906401f5645fa2, 0x003a1d1940eabc77, 0x00007c9351d680e6},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x005a35d872ef967c, 0x0049f1b7884e1987, 0x0059d46d7e31f552, 0x00ceb4869d2d0fb6,
-+ 0x00e8e89eee56802a, 0x0049d806a774aaf2, 0x0000147e2af0ae24},
-+ {0x005fd1bd852c6e5e, 0x00b674b7b3de6885, 0x003b9ea5eb9b6c08, 0x005c9f03babf3ef7,
-+ 0x00605337fecab3c7, 0x009a3f85b11bbcc8, 0x0000455470f330ec},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x002197ff4d55498d, 0x00383e8916c2d8af, 0x00eb203f34d1c6d2, 0x0080367cbd11b542,
-+ 0x00769b3be864e4f5, 0x0081a8458521c7bb, 0x0000c531b34d3539},
-+ {0x00e2a3d775fa2e13, 0x00534fc379573844, 0x00ff237d2a8db54a, 0x00d301b2335a8882,
-+ 0x000f75ea96103a80, 0x0018fecb3cdd96fa, 0x0000304bf61e94eb},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x00b2afc332a73dbd, 0x0029a0d5bb007bc5, 0x002d628eb210f577, 0x009f59a36dd05f50,
-+ 0x006d339de4eca613, 0x00c75a71addc86bc, 0x000060384c5ea93c},
-+ {0x00aa9641c32a30b4, 0x00cc73ae8cce565d, 0x00ec911a4df07f61, 0x00aa4b762ea4b264,
-+ 0x0096d395bb393629, 0x004efacfb7632fe0, 0x00006f252f46fa3f},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x00567eec597c7af6, 0x0059ba6795204413, 0x00816d4e6f01196f, 0x004ae6b3eb57951d,
-+ 0x00420f5abdda2108, 0x003401d1f57ca9d9, 0x0000cf5837b0b67a},
-+ {0x00eaa64b8aeeabf9, 0x00246ddf16bcb4de, 0x000e7e3c3aecd751, 0x0008449f04fed72e,
-+ 0x00307b67ccf09183, 0x0017108c3556b7b1, 0x0000229b2483b3bf},
-+ {1, 0, 0, 0, 0, 0, 0}},
-+{{0x00e7c491a7bb78a1, 0x00eafddd1d3049ab, 0x00352c05e2bc7c98, 0x003d6880c165fa5c,
-+ 0x00b6ac61cc11c97d, 0x00beeb54fcf90ce5, 0x0000dc1f0b455edc},
-+ {0x002db2e7aee34d60, 0x0073b5f415a2d8c0, 0x00dd84e4193e9a0c, 0x00d02d873467c572,
-+ 0x0018baaeda60aee5, 0x0013fb11d697c61e, 0x000083aafcc3a973},
-+ {1, 0, 0, 0, 0, 0, 0}}
-+};
-+
-+/*
-+ * select_point selects the |idx|th point from a precomputation table and
-+ * copies it to out.
-+ *
-+ * pre_comp below is of the size provided in |size|.
-+ */
-+static void select_point(const limb idx, unsigned int size,
-+ const felem pre_comp[][3], felem out[3])
-+{
-+ unsigned int i, j;
-+ limb *outlimbs = &out[0][0];
-+
-+ memset(out, 0, sizeof(*out) * 3);
-+
-+ for (i = 0; i < size; i++) {
-+ const limb *inlimbs = &pre_comp[i][0][0];
-+ limb mask = i ^ idx;
-+
-+ mask |= mask >> 4;
-+ mask |= mask >> 2;
-+ mask |= mask >> 1;
-+ mask &= 1;
-+ mask--;
-+ for (j = 0; j < NLIMBS * 3; j++)
-+ outlimbs[j] |= inlimbs[j] & mask;
-+ }
-+}
-+
-+/* get_bit returns the |i|th bit in |in| */
-+static char get_bit(const felem_bytearray in, int i)
-+{
-+ if (i < 0 || i >= 384)
-+ return 0;
-+ return (in[i >> 3] >> (i & 7)) & 1;
-+}
-+
-+/*
-+ * Interleaved point multiplication using precomputed point multiples: The
-+ * small point multiples 0*P, 1*P, ..., 16*P are in pre_comp[], the scalars
-+ * in scalars[]. If g_scalar is non-NULL, we also add this multiple of the
-+ * generator, using certain (large) precomputed multiples in g_pre_comp.
-+ * Output point (X, Y, Z) is stored in x_out, y_out, z_out
-+ */
-+static void batch_mul(felem x_out, felem y_out, felem z_out,
-+ const felem_bytearray scalars[],
-+ const unsigned int num_points, const u8 *g_scalar,
-+ const int mixed, const felem pre_comp[][17][3],
-+ const felem g_pre_comp[16][3])
-+{
-+ int i, skip;
-+ unsigned int num, gen_mul = (g_scalar != NULL);
-+ felem nq[3], tmp[4];
-+ limb bits;
-+ u8 sign, digit;
-+
-+ /* set nq to the point at infinity */
-+ memset(nq, 0, sizeof(nq));
-+
-+ /*
-+ * Loop over all scalars msb-to-lsb, interleaving additions of multiples
-+ * of the generator (last quarter of rounds) and additions of other
-+ * points multiples (every 5th round).
-+ */
-+ skip = 1; /* save two point operations in the first
-+ * round */
-+ for (i = (num_points ? 380 : 98); i >= 0; --i) {
-+ /* double */
-+ if (!skip)
-+ point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
-+
-+ /* add multiples of the generator */
-+ if (gen_mul && (i <= 98)) {
-+ bits = get_bit(g_scalar, i + 285) << 3;
-+ if (i < 95) {
-+ bits |= get_bit(g_scalar, i + 190) << 2;
-+ bits |= get_bit(g_scalar, i + 95) << 1;
-+ bits |= get_bit(g_scalar, i);
-+ }
-+ /* select the point to add, in constant time */
-+ select_point(bits, 16, g_pre_comp, tmp);
-+ if (!skip) {
-+ /* The 1 argument below is for "mixed" */
-+ point_add(nq[0], nq[1], nq[2],
-+ nq[0], nq[1], nq[2], 1,
-+ tmp[0], tmp[1], tmp[2]);
-+ } else {
-+ memcpy(nq, tmp, 3 * sizeof(felem));
-+ skip = 0;
-+ }
-+ }
-+
-+ /* do other additions every 5 doublings */
-+ if (num_points && (i % 5 == 0)) {
-+ /* loop over all scalars */
-+ for (num = 0; num < num_points; ++num) {
-+ bits = get_bit(scalars[num], i + 4) << 5;
-+ bits |= get_bit(scalars[num], i + 3) << 4;
-+ bits |= get_bit(scalars[num], i + 2) << 3;
-+ bits |= get_bit(scalars[num], i + 1) << 2;
-+ bits |= get_bit(scalars[num], i) << 1;
-+ bits |= get_bit(scalars[num], i - 1);
-+ ossl_ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
-+
-+ /*
-+ * select the point to add or subtract, in constant time
-+ */
-+ select_point(digit, 17, pre_comp[num], tmp);
-+ felem_neg(tmp[3], tmp[1]); /* (X, -Y, Z) is the negative
-+ * point */
-+ copy_conditional(tmp[1], tmp[3], (-(limb) sign));
-+
-+ if (!skip) {
-+ point_add(nq[0], nq[1], nq[2],
-+ nq[0], nq[1], nq[2], mixed,
-+ tmp[0], tmp[1], tmp[2]);
-+ } else {
-+ memcpy(nq, tmp, 3 * sizeof(felem));
-+ skip = 0;
-+ }
-+ }
-+ }
-+ }
-+ felem_assign(x_out, nq[0]);
-+ felem_assign(y_out, nq[1]);
-+ felem_assign(z_out, nq[2]);
-+}
-+
-+/* Precomputation for the group generator. */
-+struct nistp384_pre_comp_st {
-+ felem g_pre_comp[16][3];
-+ CRYPTO_REF_COUNT refcnt;
-+ CRYPTO_RWLOCK *refcnt_lock;
-+};
-+
-+const EC_METHOD *ossl_ec_GFp_nistp384_method(void)
-+{
-+ static const EC_METHOD ret = {
-+ EC_FLAGS_DEFAULT_OCT,
-+ NID_X9_62_prime_field,
-+ ossl_ec_GFp_nistp384_group_init,
-+ ossl_ec_GFp_simple_group_finish,
-+ ossl_ec_GFp_simple_group_clear_finish,
-+ ossl_ec_GFp_nist_group_copy,
-+ ossl_ec_GFp_nistp384_group_set_curve,
-+ ossl_ec_GFp_simple_group_get_curve,
-+ ossl_ec_GFp_simple_group_get_degree,
-+ ossl_ec_group_simple_order_bits,
-+ ossl_ec_GFp_simple_group_check_discriminant,
-+ ossl_ec_GFp_simple_point_init,
-+ ossl_ec_GFp_simple_point_finish,
-+ ossl_ec_GFp_simple_point_clear_finish,
-+ ossl_ec_GFp_simple_point_copy,
-+ ossl_ec_GFp_simple_point_set_to_infinity,
-+ ossl_ec_GFp_simple_point_set_affine_coordinates,
-+ ossl_ec_GFp_nistp384_point_get_affine_coordinates,
-+ 0, /* point_set_compressed_coordinates */
-+ 0, /* point2oct */
-+ 0, /* oct2point */
-+ ossl_ec_GFp_simple_add,
-+ ossl_ec_GFp_simple_dbl,
-+ ossl_ec_GFp_simple_invert,
-+ ossl_ec_GFp_simple_is_at_infinity,
-+ ossl_ec_GFp_simple_is_on_curve,
-+ ossl_ec_GFp_simple_cmp,
-+ ossl_ec_GFp_simple_make_affine,
-+ ossl_ec_GFp_simple_points_make_affine,
-+ ossl_ec_GFp_nistp384_points_mul,
-+ ossl_ec_GFp_nistp384_precompute_mult,
-+ ossl_ec_GFp_nistp384_have_precompute_mult,
-+ ossl_ec_GFp_nist_field_mul,
-+ ossl_ec_GFp_nist_field_sqr,
-+ 0, /* field_div */
-+ ossl_ec_GFp_simple_field_inv,
-+ 0, /* field_encode */
-+ 0, /* field_decode */
-+ 0, /* field_set_to_one */
-+ ossl_ec_key_simple_priv2oct,
-+ ossl_ec_key_simple_oct2priv,
-+ 0, /* set private */
-+ ossl_ec_key_simple_generate_key,
-+ ossl_ec_key_simple_check_key,
-+ ossl_ec_key_simple_generate_public_key,
-+ 0, /* keycopy */
-+ 0, /* keyfinish */
-+ ossl_ecdh_simple_compute_key,
-+ ossl_ecdsa_simple_sign_setup,
-+ ossl_ecdsa_simple_sign_sig,
-+ ossl_ecdsa_simple_verify_sig,
-+ 0, /* field_inverse_mod_ord */
-+ 0, /* blind_coordinates */
-+ 0, /* ladder_pre */
-+ 0, /* ladder_step */
-+ 0 /* ladder_post */
-+ };
-+
-+ return &ret;
-+}
-+
-+/******************************************************************************/
-+/*
-+ * FUNCTIONS TO MANAGE PRECOMPUTATION
-+ */
-+
-+static NISTP384_PRE_COMP *nistp384_pre_comp_new(void)
-+{
-+ NISTP384_PRE_COMP *ret = OPENSSL_zalloc(sizeof(*ret));
-+
-+ if (ret == NULL || (ret->refcnt_lock = CRYPTO_THREAD_lock_new()) == NULL) {
-+ OPENSSL_free(ret);
-+ return NULL;
-+ }
-+
-+ ret->refcnt = 1;
-+ return ret;
-+}
-+
-+NISTP384_PRE_COMP *ossl_ec_nistp384_pre_comp_dup(NISTP384_PRE_COMP *p)
-+{
-+ int i;
-+
-+ if (p != NULL)
-+ CRYPTO_UP_REF(&p->refcnt, &i, p->refcnt_lock);
-+ return p;
-+}
-+
-+void ossl_ec_nistp384_pre_comp_free(NISTP384_PRE_COMP *p)
-+{
-+ int i;
-+
-+ if (p == NULL)
-+ return;
-+
-+ CRYPTO_DOWN_REF(&p->refcnt, &i, p->refcnt_lock);
-+ REF_PRINT_COUNT("ossl_ec_nistp384", p);
-+ if (i > 0)
-+ return;
-+ REF_ASSERT_ISNT(i < 0);
-+
-+ CRYPTO_THREAD_lock_free(p->refcnt_lock);
-+ OPENSSL_free(p);
-+}
-+
-+/******************************************************************************/
-+/*
-+ * OPENSSL EC_METHOD FUNCTIONS
-+ */
-+
-+int ossl_ec_GFp_nistp384_group_init(EC_GROUP *group)
-+{
-+ int ret;
-+
-+ ret = ossl_ec_GFp_simple_group_init(group);
-+ group->a_is_minus3 = 1;
-+ return ret;
-+}
-+
-+int ossl_ec_GFp_nistp384_group_set_curve(EC_GROUP *group, const BIGNUM *p,
-+ const BIGNUM *a, const BIGNUM *b,
-+ BN_CTX *ctx)
-+{
-+ int ret = 0;
-+ BIGNUM *curve_p, *curve_a, *curve_b;
-+#ifndef FIPS_MODULE
-+ BN_CTX *new_ctx = NULL;
-+
-+ if (ctx == NULL)
-+ ctx = new_ctx = BN_CTX_new();
-+#endif
-+ if (ctx == NULL)
-+ return 0;
-+
-+ BN_CTX_start(ctx);
-+ curve_p = BN_CTX_get(ctx);
-+ curve_a = BN_CTX_get(ctx);
-+ curve_b = BN_CTX_get(ctx);
-+ if (curve_b == NULL)
-+ goto err;
-+ BN_bin2bn(nistp384_curve_params[0], sizeof(felem_bytearray), curve_p);
-+ BN_bin2bn(nistp384_curve_params[1], sizeof(felem_bytearray), curve_a);
-+ BN_bin2bn(nistp384_curve_params[2], sizeof(felem_bytearray), curve_b);
-+ if ((BN_cmp(curve_p, p)) || (BN_cmp(curve_a, a)) || (BN_cmp(curve_b, b))) {
-+ ERR_raise(ERR_LIB_EC, EC_R_WRONG_CURVE_PARAMETERS);
-+ goto err;
-+ }
-+ group->field_mod_func = BN_nist_mod_384;
-+ ret = ossl_ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
-+ err:
-+ BN_CTX_end(ctx);
-+#ifndef FIPS_MODULE
-+ BN_CTX_free(new_ctx);
-+#endif
-+ return ret;
-+}
-+
-+/*
-+ * Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') =
-+ * (X/Z^2, Y/Z^3)
-+ */
-+int ossl_ec_GFp_nistp384_point_get_affine_coordinates(const EC_GROUP *group,
-+ const EC_POINT *point,
-+ BIGNUM *x, BIGNUM *y,
-+ BN_CTX *ctx)
-+{
-+ felem z1, z2, x_in, y_in, x_out, y_out;
-+ widefelem tmp;
-+
-+ if (EC_POINT_is_at_infinity(group, point)) {
-+ ERR_raise(ERR_LIB_EC, EC_R_POINT_AT_INFINITY);
-+ return 0;
-+ }
-+ if ((!BN_to_felem(x_in, point->X)) || (!BN_to_felem(y_in, point->Y)) ||
-+ (!BN_to_felem(z1, point->Z)))
-+ return 0;
-+ felem_inv(z2, z1);
-+ felem_square(tmp, z2);
-+ felem_reduce(z1, tmp);
-+ felem_mul(tmp, x_in, z1);
-+ felem_reduce(x_in, tmp);
-+ felem_contract(x_out, x_in);
-+ if (x != NULL) {
-+ if (!felem_to_BN(x, x_out)) {
-+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-+ return 0;
-+ }
-+ }
-+ felem_mul(tmp, z1, z2);
-+ felem_reduce(z1, tmp);
-+ felem_mul(tmp, y_in, z1);
-+ felem_reduce(y_in, tmp);
-+ felem_contract(y_out, y_in);
-+ if (y != NULL) {
-+ if (!felem_to_BN(y, y_out)) {
-+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-+ return 0;
-+ }
-+ }
-+ return 1;
-+}
-+
-+/* points below is of size |num|, and tmp_felems is of size |num+1/ */
-+static void make_points_affine(size_t num, felem points[][3],
-+ felem tmp_felems[])
-+{
-+ /*
-+ * Runs in constant time, unless an input is the point at infinity (which
-+ * normally shouldn't happen).
-+ */
-+ ossl_ec_GFp_nistp_points_make_affine_internal(num,
-+ points,
-+ sizeof(felem),
-+ tmp_felems,
-+ (void (*)(void *))felem_one,
-+ felem_is_zero_int,
-+ (void (*)(void *, const void *))
-+ felem_assign,
-+ (void (*)(void *, const void *))
-+ felem_square_reduce,
-+ (void (*)(void *, const void *, const void*))
-+ felem_mul_reduce,
-+ (void (*)(void *, const void *))
-+ felem_inv,
-+ (void (*)(void *, const void *))
-+ felem_contract);
-+}
-+
-+/*
-+ * Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL
-+ * values Result is stored in r (r can equal one of the inputs).
-+ */
-+int ossl_ec_GFp_nistp384_points_mul(const EC_GROUP *group, EC_POINT *r,
-+ const BIGNUM *scalar, size_t num,
-+ const EC_POINT *points[],
-+ const BIGNUM *scalars[], BN_CTX *ctx)
-+{
-+ int ret = 0;
-+ int j;
-+ int mixed = 0;
-+ BIGNUM *x, *y, *z, *tmp_scalar;
-+ felem_bytearray g_secret;
-+ felem_bytearray *secrets = NULL;
-+ felem (*pre_comp)[17][3] = NULL;
-+ felem *tmp_felems = NULL;
-+ unsigned int i;
-+ int num_bytes;
-+ int have_pre_comp = 0;
-+ size_t num_points = num;
-+ felem x_in, y_in, z_in, x_out, y_out, z_out;
-+ NISTP384_PRE_COMP *pre = NULL;
-+ felem(*g_pre_comp)[3] = NULL;
-+ EC_POINT *generator = NULL;
-+ const EC_POINT *p = NULL;
-+ const BIGNUM *p_scalar = NULL;
-+
-+ BN_CTX_start(ctx);
-+ x = BN_CTX_get(ctx);
-+ y = BN_CTX_get(ctx);
-+ z = BN_CTX_get(ctx);
-+ tmp_scalar = BN_CTX_get(ctx);
-+ if (tmp_scalar == NULL)
-+ goto err;
-+
-+ if (scalar != NULL) {
-+ pre = group->pre_comp.nistp384;
-+ if (pre)
-+ /* we have precomputation, try to use it */
-+ g_pre_comp = &pre->g_pre_comp[0];
-+ else
-+ /* try to use the standard precomputation */
-+ g_pre_comp = (felem(*)[3]) gmul;
-+ generator = EC_POINT_new(group);
-+ if (generator == NULL)
-+ goto err;
-+ /* get the generator from precomputation */
-+ if (!felem_to_BN(x, g_pre_comp[1][0]) ||
-+ !felem_to_BN(y, g_pre_comp[1][1]) ||
-+ !felem_to_BN(z, g_pre_comp[1][2])) {
-+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-+ goto err;
-+ }
-+ if (!ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group,
-+ generator,
-+ x, y, z, ctx))
-+ goto err;
-+ if (0 == EC_POINT_cmp(group, generator, group->generator, ctx))
-+ /* precomputation matches generator */
-+ have_pre_comp = 1;
-+ else
-+ /*
-+ * we don't have valid precomputation: treat the generator as a
-+ * random point
-+ */
-+ num_points++;
-+ }
-+
-+ if (num_points > 0) {
-+ if (num_points >= 2) {
-+ /*
-+ * unless we precompute multiples for just one point, converting
-+ * those into affine form is time well spent
-+ */
-+ mixed = 1;
-+ }
-+ secrets = OPENSSL_zalloc(sizeof(*secrets) * num_points);
-+ pre_comp = OPENSSL_zalloc(sizeof(*pre_comp) * num_points);
-+ if (mixed)
-+ tmp_felems =
-+ OPENSSL_malloc(sizeof(*tmp_felems) * (num_points * 17 + 1));
-+ if ((secrets == NULL) || (pre_comp == NULL)
-+ || (mixed && (tmp_felems == NULL)))
-+ goto err;
-+
-+ /*
-+ * we treat NULL scalars as 0, and NULL points as points at infinity,
-+ * i.e., they contribute nothing to the linear combination
-+ */
-+ for (i = 0; i < num_points; ++i) {
-+ if (i == num) {
-+ /*
-+ * we didn't have a valid precomputation, so we pick the
-+ * generator
-+ */
-+ p = EC_GROUP_get0_generator(group);
-+ p_scalar = scalar;
-+ } else {
-+ /* the i^th point */
-+ p = points[i];
-+ p_scalar = scalars[i];
-+ }
-+ if (p_scalar != NULL && p != NULL) {
-+ /* reduce scalar to 0 <= scalar < 2^384 */
-+ if ((BN_num_bits(p_scalar) > 384)
-+ || (BN_is_negative(p_scalar))) {
-+ /*
-+ * this is an unusual input, and we don't guarantee
-+ * constant-timeness
-+ */
-+ if (!BN_nnmod(tmp_scalar, p_scalar, group->order, ctx)) {
-+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-+ goto err;
-+ }
-+ num_bytes = BN_bn2lebinpad(tmp_scalar,
-+ secrets[i], sizeof(secrets[i]));
-+ } else {
-+ num_bytes = BN_bn2lebinpad(p_scalar,
-+ secrets[i], sizeof(secrets[i]));
-+ }
-+ if (num_bytes < 0) {
-+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-+ goto err;
-+ }
-+ /* precompute multiples */
-+ if ((!BN_to_felem(x_out, p->X)) ||
-+ (!BN_to_felem(y_out, p->Y)) ||
-+ (!BN_to_felem(z_out, p->Z)))
-+ goto err;
-+ memcpy(pre_comp[i][1][0], x_out, sizeof(felem));
-+ memcpy(pre_comp[i][1][1], y_out, sizeof(felem));
-+ memcpy(pre_comp[i][1][2], z_out, sizeof(felem));
-+ for (j = 2; j <= 16; ++j) {
-+ if (j & 1) {
-+ point_add(pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2],
-+ pre_comp[i][1][0], pre_comp[i][1][1], pre_comp[i][1][2], 0,
-+ pre_comp[i][j - 1][0], pre_comp[i][j - 1][1], pre_comp[i][j - 1][2]);
-+ } else {
-+ point_double(pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2],
-+ pre_comp[i][j / 2][0], pre_comp[i][j / 2][1], pre_comp[i][j / 2][2]);
-+ }
-+ }
-+ }
-+ }
-+ if (mixed)
-+ make_points_affine(num_points * 17, pre_comp[0], tmp_felems);
-+ }
-+
-+ /* the scalar for the generator */
-+ if (scalar != NULL && have_pre_comp) {
-+ memset(g_secret, 0, sizeof(g_secret));
-+ /* reduce scalar to 0 <= scalar < 2^384 */
-+ if ((BN_num_bits(scalar) > 384) || (BN_is_negative(scalar))) {
-+ /*
-+ * this is an unusual input, and we don't guarantee
-+ * constant-timeness
-+ */
-+ if (!BN_nnmod(tmp_scalar, scalar, group->order, ctx)) {
-+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-+ goto err;
-+ }
-+ num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret));
-+ } else {
-+ num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret));
-+ }
-+ /* do the multiplication with generator precomputation */
-+ batch_mul(x_out, y_out, z_out,
-+ (const felem_bytearray(*))secrets, num_points,
-+ g_secret,
-+ mixed, (const felem(*)[17][3])pre_comp,
-+ (const felem(*)[3])g_pre_comp);
-+ } else {
-+ /* do the multiplication without generator precomputation */
-+ batch_mul(x_out, y_out, z_out,
-+ (const felem_bytearray(*))secrets, num_points,
-+ NULL, mixed, (const felem(*)[17][3])pre_comp, NULL);
-+ }
-+ /* reduce the output to its unique minimal representation */
-+ felem_contract(x_in, x_out);
-+ felem_contract(y_in, y_out);
-+ felem_contract(z_in, z_out);
-+ if ((!felem_to_BN(x, x_in)) || (!felem_to_BN(y, y_in)) ||
-+ (!felem_to_BN(z, z_in))) {
-+ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-+ goto err;
-+ }
-+ ret = ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group, r, x, y, z,
-+ ctx);
-+
-+ err:
-+ BN_CTX_end(ctx);
-+ EC_POINT_free(generator);
-+ OPENSSL_free(secrets);
-+ OPENSSL_free(pre_comp);
-+ OPENSSL_free(tmp_felems);
-+ return ret;
-+}
-+
-+int ossl_ec_GFp_nistp384_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
-+{
-+ int ret = 0;
-+ NISTP384_PRE_COMP *pre = NULL;
-+ int i, j;
-+ BIGNUM *x, *y;
-+ EC_POINT *generator = NULL;
-+ felem tmp_felems[16];
-+#ifndef FIPS_MODULE
-+ BN_CTX *new_ctx = NULL;
-+#endif
-+
-+ /* throw away old precomputation */
-+ EC_pre_comp_free(group);
-+
-+#ifndef FIPS_MODULE
-+ if (ctx == NULL)
-+ ctx = new_ctx = BN_CTX_new();
-+#endif
-+ if (ctx == NULL)
-+ return 0;
-+
-+ BN_CTX_start(ctx);
-+ x = BN_CTX_get(ctx);
-+ y = BN_CTX_get(ctx);
-+ if (y == NULL)
-+ goto err;
-+ /* get the generator */
-+ if (group->generator == NULL)
-+ goto err;
-+ generator = EC_POINT_new(group);
-+ if (generator == NULL)
-+ goto err;
-+ BN_bin2bn(nistp384_curve_params[3], sizeof(felem_bytearray), x);
-+ BN_bin2bn(nistp384_curve_params[4], sizeof(felem_bytearray), y);
-+ if (!EC_POINT_set_affine_coordinates(group, generator, x, y, ctx))
-+ goto err;
-+ if ((pre = nistp384_pre_comp_new()) == NULL)
-+ goto err;
-+ /*
-+ * if the generator is the standard one, use built-in precomputation
-+ */
-+ if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) {
-+ memcpy(pre->g_pre_comp, gmul, sizeof(pre->g_pre_comp));
-+ goto done;
-+ }
-+ if ((!BN_to_felem(pre->g_pre_comp[1][0], group->generator->X)) ||
-+ (!BN_to_felem(pre->g_pre_comp[1][1], group->generator->Y)) ||
-+ (!BN_to_felem(pre->g_pre_comp[1][2], group->generator->Z)))
-+ goto err;
-+ /* compute 2^95*G, 2^190*G, 2^285*G */
-+ for (i = 1; i <= 4; i <<= 1) {
-+ point_double(pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2],
-+ pre->g_pre_comp[i][0], pre->g_pre_comp[i][1], pre->g_pre_comp[i][2]);
-+ for (j = 0; j < 94; ++j) {
-+ point_double(pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2],
-+ pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2]);
-+ }
-+ }
-+ /* g_pre_comp[0] is the point at infinity */
-+ memset(pre->g_pre_comp[0], 0, sizeof(pre->g_pre_comp[0]));
-+ /* the remaining multiples */
-+ /* 2^95*G + 2^190*G */
-+ point_add(pre->g_pre_comp[6][0], pre->g_pre_comp[6][1], pre->g_pre_comp[6][2],
-+ pre->g_pre_comp[4][0], pre->g_pre_comp[4][1], pre->g_pre_comp[4][2], 0,
-+ pre->g_pre_comp[2][0], pre->g_pre_comp[2][1], pre->g_pre_comp[2][2]);
-+ /* 2^95*G + 2^285*G */
-+ point_add(pre->g_pre_comp[10][0], pre->g_pre_comp[10][1], pre->g_pre_comp[10][2],
-+ pre->g_pre_comp[8][0], pre->g_pre_comp[8][1], pre->g_pre_comp[8][2], 0,
-+ pre->g_pre_comp[2][0], pre->g_pre_comp[2][1], pre->g_pre_comp[2][2]);
-+ /* 2^190*G + 2^285*G */
-+ point_add(pre->g_pre_comp[12][0], pre->g_pre_comp[12][1], pre->g_pre_comp[12][2],
-+ pre->g_pre_comp[8][0], pre->g_pre_comp[8][1], pre->g_pre_comp[8][2], 0,
-+ pre->g_pre_comp[4][0], pre->g_pre_comp[4][1], pre->g_pre_comp[4][2]);
-+ /* 2^95*G + 2^190*G + 2^285*G */
-+ point_add(pre->g_pre_comp[14][0], pre->g_pre_comp[14][1], pre->g_pre_comp[14][2],
-+ pre->g_pre_comp[12][0], pre->g_pre_comp[12][1], pre->g_pre_comp[12][2], 0,
-+ pre->g_pre_comp[2][0], pre->g_pre_comp[2][1], pre->g_pre_comp[2][2]);
-+ for (i = 1; i < 8; ++i) {
-+ /* odd multiples: add G */
-+ point_add(pre->g_pre_comp[2 * i + 1][0], pre->g_pre_comp[2 * i + 1][1], pre->g_pre_comp[2 * i + 1][2],
-+ pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2], 0,
-+ pre->g_pre_comp[1][0], pre->g_pre_comp[1][1], pre->g_pre_comp[1][2]);
-+ }
-+ make_points_affine(15, &(pre->g_pre_comp[1]), tmp_felems);
-+
-+ done:
-+ SETPRECOMP(group, nistp384, pre);
-+ ret = 1;
-+ pre = NULL;
-+ err:
-+
BN_CTX_end(ctx); -+ EC_POINT_free(generator); -+#ifndef FIPS_MODULE -+ BN_CTX_free(new_ctx); -+#endif -+ ossl_ec_nistp384_pre_comp_free(pre); -+ return ret; -+} -+ -+int ossl_ec_GFp_nistp384_have_precompute_mult(const EC_GROUP *group) -+{ -+ return HAVEPRECOMP(group, nistp384); -+} diff --git a/openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch b/openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch deleted file mode 100644 index 90f12cd..0000000 --- a/openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 3e47a286dc3274bda72a196c3a4030a1fc8302f1 Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Fri, 23 Jun 2023 16:41:48 +1000 -Subject: [PATCH] ec: Use static linkage on nistp521 felem_{square,mul} - wrappers - -Runtime selection of implementations for felem_{square,mul} depends on -felem_{square,mul}_wrapper functions, which overwrite function points in -a similar design to that of .plt.got sections used by program loaders -during dynamic linking. - -There's no reason why these functions need to have external linkage. -Mark static. - -Signed-off-by: Rohan McLure - -Reviewed-by: Paul Dale -Reviewed-by: Shane Lontis -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Todd Short -(Merged from https://github.com/openssl/openssl/pull/21471) ---- - crypto/ec/ecp_nistp521.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c -index 97815cac1f13..32a9268ecf17 100644 ---- a/crypto/ec/ecp_nistp521.c -+++ b/crypto/ec/ecp_nistp521.c -@@ -676,8 +676,8 @@ static void felem_reduce(felem out, const largefelem in) - } - - #if defined(ECP_NISTP521_ASM) --void felem_square_wrapper(largefelem out, const felem in); --void felem_mul_wrapper(largefelem out, const felem in1, const felem in2); -+static void felem_square_wrapper(largefelem out, const felem in); -+static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2); - - static void (*felem_square_p)(largefelem out, const felem in) = - felem_square_wrapper; -@@ -691,7 +691,7 @@ void p521_felem_mul(largefelem out, const felem in1, const felem in2); - # include "crypto/ppc_arch.h" - # endif - --void felem_select(void) -+static void felem_select(void) - { - # if defined(_ARCH_PPC64) - if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) { -@@ -707,13 +707,13 @@ void felem_select(void) - felem_mul_p = felem_mul_ref; - } - --void felem_square_wrapper(largefelem out, const felem in) -+static void 
felem_square_wrapper(largefelem out, const felem in) - { - felem_select(); - felem_square_p(out, in); - } - --void felem_mul_wrapper(largefelem out, const felem in1, const felem in2) -+static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2) - { - felem_select(); - felem_mul_p(out, in1, in2); diff --git a/openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch b/openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch deleted file mode 100644 index 91bb470..0000000 --- a/openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch +++ /dev/null 
@@ -1,428 +0,0 @@ -From 966047ee13188e8634af25af348940acceb9316d Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Wed, 31 May 2023 14:32:26 +1000 -Subject: [PATCH] ec: powerpc64le: Add asm implementation of felem_{square,mul} - -Add an assembly implementation of felem_{square,mul}, which will be -implemented whenever Altivec support is present and the core implements -ISA 3.0 (Power 9) or greater. - -Signed-off-by: Rohan McLure - -Reviewed-by: Paul Dale -Reviewed-by: Shane Lontis -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Todd Short -(Merged from https://github.com/openssl/openssl/pull/21471) ---- - crypto/ec/asm/ecp_nistp384-ppc64.pl | 355 ++++++++++++++++++++++++++++ - crypto/ec/build.info | 6 +- - crypto/ec/ecp_nistp384.c | 9 + - 3 files changed, 368 insertions(+), 2 deletions(-) - create mode 100755 crypto/ec/asm/ecp_nistp384-ppc64.pl - -diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl -new file mode 100755 -index 000000000000..3f86b391af69 ---- /dev/null -+++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl -@@ -0,0 +1,355 @@ -+#! /usr/bin/env perl -+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+# -+# ==================================================================== -+# Written by Rohan McLure for the OpenSSL -+# project. -+# ==================================================================== -+# -+# p384 lower-level primitives for PPC64 using vector instructions. 
-+# -+ -+use strict; -+use warnings; -+ -+my $flavour = shift; -+my $output = ""; -+while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} -+if (!$output) { -+ $output = "-"; -+} -+ -+my ($xlate, $dir); -+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or -+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or -+die "can't locate ppc-xlate.pl"; -+ -+open OUT,"| \"$^X\" $xlate $flavour $output"; -+*STDOUT=*OUT; -+ -+my $code = ""; -+ -+my ($sp, $outp, $savelr, $savesp) = ("r1", "r3", "r10", "r12"); -+ -+my $vzero = "v32"; -+ -+sub startproc($) -+{ -+ my ($name) = @_; -+ -+ $code.=<<___; -+ .globl ${name} -+ .align 5 -+${name}: -+ -+___ -+} -+ -+sub endproc($) -+{ -+ my ($name) = @_; -+ -+ $code.=<<___; -+ blr -+ .size ${name},.-${name} -+ -+___ -+} -+ -+ -+sub push_vrs($$) -+{ -+ my ($min, $max) = @_; -+ -+ my $count = $max - $min + 1; -+ -+ $code.=<<___; -+ mr $savesp,$sp -+ stdu $sp,-16*`$count+1`($sp) -+ -+___ -+ for (my $i = $min; $i <= $max; $i++) { -+ my $mult = $max - $i + 1; -+ $code.=<<___; -+ stxv $i,-16*$mult($savesp) -+___ -+ -+ } -+ -+ $code.=<<___; -+ -+___ -+} -+ -+sub pop_vrs($$) -+{ -+ my ($min, $max) = @_; -+ -+ $code.=<<___; -+ ld $savesp,0($sp) -+___ -+ for (my $i = $min; $i <= $max; $i++) { -+ my $mult = $max - $i + 1; -+ $code.=<<___; -+ lxv $i,-16*$mult($savesp) -+___ -+ } -+ -+ $code.=<<___; -+ mr $sp,$savesp -+ -+___ -+} -+ -+sub load_vrs($$) -+{ -+ my ($pointer, $reg_list) = @_; -+ -+ for (my $i = 0; $i <= 6; $i++) { -+ my $offset = $i * 8; -+ $code.=<<___; -+ lxsd $reg_list->[$i],$offset($pointer) -+___ -+ } -+ -+ $code.=<<___; -+ -+___ -+} -+ -+sub store_vrs($$) -+{ -+ my ($pointer, $reg_list) = @_; -+ -+ for (my $i = 0; $i <= 12; $i++) { -+ my $offset = $i * 16; -+ $code.=<<___; -+ stxv $reg_list->[$i],$offset($pointer) -+___ -+ } -+ -+ $code.=<<___; -+ -+___ -+} -+ -+$code.=<<___; -+.machine "any" -+.text -+ -+___ -+ -+{ -+ # mul/square common -+ my ($t1, $t2, $t3, $t4) = ("v33", "v34", 
"v42", "v43"); -+ my ($zero, $one) = ("r8", "r9"); -+ my $out = "v51"; -+ -+ { -+ # -+ # p384_felem_mul -+ # -+ -+ my ($in1p, $in2p) = ("r4", "r5"); -+ my @in1 = map("v$_",(44..50)); -+ my @in2 = map("v$_",(35..41)); -+ -+ startproc("p384_felem_mul"); -+ -+ push_vrs(52, 63); -+ -+ $code.=<<___; -+ vspltisw $vzero,0 -+ -+___ -+ -+ load_vrs($in1p, \@in1); -+ load_vrs($in2p, \@in2); -+ -+ $code.=<<___; -+ vmsumudm $out,$in1[0],$in2[0],$vzero -+ stxv $out,0($outp) -+ -+ xxpermdi $t1,$in1[0],$in1[1],0b00 -+ xxpermdi $t2,$in2[1],$in2[0],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ stxv $out,16($outp) -+ -+ xxpermdi $t2,$in2[2],$in2[1],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$in1[2],$in2[0],$out -+ stxv $out,32($outp) -+ -+ xxpermdi $t2,$in2[1],$in2[0],0b00 -+ xxpermdi $t3,$in1[2],$in1[3],0b00 -+ xxpermdi $t4,$in2[3],$in2[2],0b00 -+ vmsumudm $out,$t1,$t4,$vzero -+ vmsumudm $out,$t3,$t2,$out -+ stxv $out,48($outp) -+ -+ xxpermdi $t2,$in2[4],$in2[3],0b00 -+ xxpermdi $t4,$in2[2],$in2[1],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$t3,$t4,$out -+ vmsumudm $out,$in1[4],$in2[0],$out -+ stxv $out,64($outp) -+ -+ xxpermdi $t2,$in2[5],$in2[4],0b00 -+ xxpermdi $t4,$in2[3],$in2[2],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$t3,$t4,$out -+ xxpermdi $t4,$in2[1],$in2[0],0b00 -+ xxpermdi $t1,$in1[4],$in1[5],0b00 -+ vmsumudm $out,$t1,$t4,$out -+ stxv $out,80($outp) -+ -+ xxpermdi $t1,$in1[0],$in1[1],0b00 -+ xxpermdi $t2,$in2[6],$in2[5],0b00 -+ xxpermdi $t4,$in2[4],$in2[3],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$t3,$t4,$out -+ xxpermdi $t2,$in2[2],$in2[1],0b00 -+ xxpermdi $t1,$in1[4],$in1[5],0b00 -+ vmsumudm $out,$t1,$t2,$out -+ vmsumudm $out,$in1[6],$in2[0],$out -+ stxv $out,96($outp) -+ -+ xxpermdi $t1,$in1[1],$in1[2],0b00 -+ xxpermdi $t2,$in2[6],$in2[5],0b00 -+ xxpermdi $t3,$in1[3],$in1[4],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$t3,$t4,$out -+ xxpermdi $t3,$in2[2],$in2[1],0b00 -+ xxpermdi $t1,$in1[5],$in1[6],0b00 -+ vmsumudm 
$out,$t1,$t3,$out -+ stxv $out,112($outp) -+ -+ xxpermdi $t1,$in1[2],$in1[3],0b00 -+ xxpermdi $t3,$in1[4],$in1[5],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$t3,$t4,$out -+ vmsumudm $out,$in1[6],$in2[2],$out -+ stxv $out,128($outp) -+ -+ xxpermdi $t1,$in1[3],$in1[4],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ xxpermdi $t1,$in1[5],$in1[6],0b00 -+ vmsumudm $out,$t1,$t4,$out -+ stxv $out,144($outp) -+ -+ vmsumudm $out,$t3,$t2,$vzero -+ vmsumudm $out,$in1[6],$in2[4],$out -+ stxv $out,160($outp) -+ -+ vmsumudm $out,$t1,$t2,$vzero -+ stxv $out,176($outp) -+ -+ vmsumudm $out,$in1[6],$in2[6],$vzero -+ stxv $out,192($outp) -+___ -+ -+ endproc("p384_felem_mul"); -+ } -+ -+ { -+ # -+ # p384_felem_square -+ # -+ -+ my ($inp) = ("r4"); -+ my @in = map("v$_",(44..50)); -+ my @inx2 = map("v$_",(35..41)); -+ -+ startproc("p384_felem_square"); -+ -+ push_vrs(52, 63); -+ -+ $code.=<<___; -+ vspltisw $vzero,0 -+ -+___ -+ -+ load_vrs($inp, \@in); -+ -+ $code.=<<___; -+ li $zero,0 -+ li $one,1 -+ mtvsrdd $t1,$one,$zero -+___ -+ -+ for (my $i = 0; $i <= 6; $i++) { -+ $code.=<<___; -+ vsld $inx2[$i],$in[$i],$t1 -+___ -+ } -+ -+ $code.=<<___; -+ vmsumudm $out,$in[0],$in[0],$vzero -+ stxv $out,0($outp) -+ -+ vmsumudm $out,$in[0],$inx2[1],$vzero -+ stxv $out,16($outp) -+ -+ vmsumudm $out,$in[0],$inx2[2],$vzero -+ vmsumudm $out,$in[1],$in[1],$out -+ stxv $out,32($outp) -+ -+ xxpermdi $t1,$in[0],$in[1],0b00 -+ xxpermdi $t2,$inx2[3],$inx2[2],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ stxv $out,48($outp) -+ -+ xxpermdi $t4,$inx2[4],$inx2[3],0b00 -+ vmsumudm $out,$t1,$t4,$vzero -+ vmsumudm $out,$in[2],$in[2],$out -+ stxv $out,64($outp) -+ -+ xxpermdi $t2,$inx2[5],$inx2[4],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$in[2],$inx2[3],$out -+ stxv $out,80($outp) -+ -+ xxpermdi $t2,$inx2[6],$inx2[5],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$in[2],$inx2[4],$out -+ vmsumudm $out,$in[3],$in[3],$out -+ stxv $out,96($outp) -+ -+ xxpermdi $t3,$in[1],$in[2],0b00 -+ vmsumudm 
$out,$t3,$t2,$vzero -+ vmsumudm $out,$in[3],$inx2[4],$out -+ stxv $out,112($outp) -+ -+ xxpermdi $t1,$in[2],$in[3],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ vmsumudm $out,$in[4],$in[4],$out -+ stxv $out,128($outp) -+ -+ xxpermdi $t1,$in[3],$in[4],0b00 -+ vmsumudm $out,$t1,$t2,$vzero -+ stxv $out,144($outp) -+ -+ vmsumudm $out,$in[4],$inx2[6],$vzero -+ vmsumudm $out,$in[5],$in[5],$out -+ stxv $out,160($outp) -+ -+ vmsumudm $out,$in[5],$inx2[6],$vzero -+ stxv $out,176($outp) -+ -+ vmsumudm $out,$in[6],$in[6],$vzero -+ stxv $out,192($outp) -+___ -+ -+ endproc("p384_felem_square"); -+ } -+} -+ -+$code =~ s/\`([^\`]*)\`/eval $1/gem; -+print $code; -+close STDOUT or die "error closing STDOUT: $!"; -diff --git a/crypto/ec/build.info b/crypto/ec/build.info -index 1fa60a1deddd..4077bead7bdb 100644 ---- a/crypto/ec/build.info -+++ b/crypto/ec/build.info -@@ -39,8 +39,9 @@ IF[{- !$disabled{asm} -}] - $ECASM_ppc64=ecp_nistz256.c ecp_ppc.c ecp_nistz256-ppc64.s x25519-ppc64.s - $ECDEF_ppc64=ECP_NISTZ256_ASM X25519_ASM - IF[{- !$disabled{'ec_nistp_64_gcc_128'} -}] -- $ECASM_ppc64=$ECASM_ppc64 ecp_nistp521-ppc64.s -- $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP521_ASM -+ $ECASM_ppc64=$ECASM_ppc64 ecp_nistp384-ppc64.s ecp_nistp521-ppc64.s -+ $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP384_ASM ECP_NISTP521_ASM -+ INCLUDE[ecp_nistp384.o]=.. - INCLUDE[ecp_nistp521.o]=.. - ENDIF - -@@ -119,6 +120,7 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_nistz256-armv8.pl - INCLUDE[ecp_nistz256-armv8.o]=.. 
- GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl - -+GENERATE[ecp_nistp384-ppc64.s]=asm/ecp_nistp384-ppc64.pl - GENERATE[ecp_nistp521-ppc64.s]=asm/ecp_nistp521-ppc64.pl - - GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl -diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c -index a0559487ed4e..14f9530d07c6 100644 ---- a/crypto/ec/ecp_nistp384.c -+++ b/crypto/ec/ecp_nistp384.c -@@ -691,6 +691,15 @@ void p384_felem_mul(widefelem out, const felem in1, const felem in2); - - static void felem_select(void) - { -+# if defined(_ARCH_PPC64) -+ if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) { -+ felem_square_p = p384_felem_square; -+ felem_mul_p = p384_felem_mul; -+ -+ return; -+ } -+# endif -+ - /* Default */ - felem_square_p = felem_square_ref; - felem_mul_p = felem_mul_ref; diff --git a/openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch b/openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch deleted file mode 100644 index a2918d9..0000000 --- a/openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 670e73d9084465384b11ef24802ca4a313e1d2f4 Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Tue, 15 Aug 2023 15:20:20 +1000 -Subject: [PATCH] ecc: Remove extraneous parentheses in secp384r1 - -Substitutions in the felem_reduce() method feature unecessary -parentheses, remove them. - -Signed-off-by: Rohan McLure - -Reviewed-by: Tomas Mraz -Reviewed-by: Shane Lontis -Reviewed-by: Hugo Landau -(Merged from https://github.com/openssl/openssl/pull/21749) ---- - crypto/ec/ecp_nistp384.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c -index 14f9530d07c6..ff68f9cc7ad0 100644 ---- a/crypto/ec/ecp_nistp384.c -+++ b/crypto/ec/ecp_nistp384.c -@@ -540,7 +540,7 @@ static void felem_reduce(felem out, const widefelem in) - acc[7] += in[12] >> 8; - acc[6] += (in[12] & 0xff) << 48; - acc[6] -= in[12] >> 16; -- acc[5] -= ((in[12] & 0xffff) << 40); -+ acc[5] -= (in[12] & 0xffff) << 40; - acc[6] += in[12] >> 48; - acc[5] += (in[12] & 0xffffffffffff) << 8; - -@@ -549,7 +549,7 @@ static void felem_reduce(felem out, const widefelem in) - acc[6] += in[11] >> 8; - acc[5] += (in[11] & 0xff) << 48; - acc[5] -= in[11] >> 16; -- acc[4] -= ((in[11] & 0xffff) << 40); -+ acc[4] -= (in[11] & 0xffff) << 40; - acc[5] += in[11] >> 48; - acc[4] += (in[11] & 0xffffffffffff) << 8; - -@@ -558,7 +558,7 @@ static void felem_reduce(felem out, const widefelem in) - acc[5] += in[10] >> 8; - acc[4] += (in[10] & 0xff) << 48; - acc[4] -= in[10] >> 16; -- acc[3] -= ((in[10] & 0xffff) << 40); -+ acc[3] -= (in[10] & 0xffff) << 40; - acc[4] += in[10] >> 48; - acc[3] += (in[10] & 0xffffffffffff) << 8; - -@@ -567,7 +567,7 @@ static void felem_reduce(felem out, const widefelem in) - acc[4] += in[9] >> 8; - acc[3] += (in[9] & 0xff) << 48; - acc[3] -= in[9] >> 16; -- acc[2] -= ((in[9] & 0xffff) << 40); -+ acc[2] -= (in[9] & 0xffff) << 40; - acc[3] += in[9] >> 48; - acc[2] += (in[9] & 0xffffffffffff) << 8; - -@@ 
-582,7 +582,7 @@ static void felem_reduce(felem out, const widefelem in) - acc[3] += acc[8] >> 8; - acc[2] += (acc[8] & 0xff) << 48; - acc[2] -= acc[8] >> 16; -- acc[1] -= ((acc[8] & 0xffff) << 40); -+ acc[1] -= (acc[8] & 0xffff) << 40; - acc[2] += acc[8] >> 48; - acc[1] += (acc[8] & 0xffffffffffff) << 8; - -@@ -591,7 +591,7 @@ static void felem_reduce(felem out, const widefelem in) - acc[2] += acc[7] >> 8; - acc[1] += (acc[7] & 0xff) << 48; - acc[1] -= acc[7] >> 16; -- acc[0] -= ((acc[7] & 0xffff) << 40); -+ acc[0] -= (acc[7] & 0xffff) << 40; - acc[1] += acc[7] >> 48; - acc[0] += (acc[7] & 0xffffffffffff) << 8; - diff --git a/openssl-no-date.patch b/openssl-no-date.patch deleted file mode 100644 index c910674..0000000 --- a/openssl-no-date.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: openssl-1.1.1-pre1/util/mkbuildinf.pl -=================================================================== ---- openssl-1.1.1-pre1.orig/util/mkbuildinf.pl 2018-02-13 16:31:28.011389734 +0100 -+++ openssl-1.1.1-pre1/util/mkbuildinf.pl 2018-02-13 16:31:51.539764582 +0100 -@@ -28,7 +28,7 @@ print <<"END_OUTPUT"; - */ - - #define PLATFORM "platform: $platform" --#define DATE "built on: $date" -+#define DATE "" - - /* - * Generate compiler_flags as an array of individual characters. This is a diff --git a/openssl-no-html-docs.patch b/openssl-no-html-docs.patch index efda996..bad408d 100644 --- a/openssl-no-html-docs.patch +++ b/openssl-no-html-docs.patch 
@@ -1,13 +1,13 @@ -Index: openssl-3.1.4/Configurations/unix-Makefile.tmpl +Index: openssl-3.2.0/Configurations/unix-Makefile.tmpl =================================================================== ---- openssl-3.1.4.orig/Configurations/unix-Makefile.tmpl -+++ openssl-3.1.4/Configurations/unix-Makefile.tmpl -@@ -611,7 +611,7 @@ install_sw: install_dev install_engines +--- openssl-3.2.0.orig/Configurations/unix-Makefile.tmpl ++++ openssl-3.2.0/Configurations/unix-Makefile.tmpl +@@ -632,7 +632,7 @@ install_sw: install_dev install_engines - uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev + uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev ## Uninstall the software and libraries --install_docs: install_man_docs install_html_docs -+install_docs: install_man_docs +-install_docs: install_man_docs install_html_docs ## Install manpages and HTML documentation ++install_docs: install_man_docs ## Install manpages and HTML documentation - uninstall_docs: uninstall_man_docs uninstall_html_docs + uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation $(RM) -r "$(DESTDIR)$(DOCDIR)" diff --git a/openssl-pkgconfig.patch b/openssl-pkgconfig.patch index 862be2c..2bfae5b 100644 --- a/openssl-pkgconfig.patch +++ b/openssl-pkgconfig.patch 
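Review bot: The refreshed `install_docs` line in openssl-no-html-docs.patch drops `install_html_docs` from the target but keeps upstream's `## Install manpages and HTML documentation` annotation, so whatever consumes those `##` markers (apparently the template's help output) will keep advertising HTML documentation that this patch deliberately stops installing. Trimming the new line to `+install_docs: install_man_docs ## Install manpages` keeps the annotation truthful without changing what the target does. The untouched `uninstall_docs` context line still lists `uninstall_html_docs`, which looks intentional since it only removes files, but a one-line explanation in the patch header would keep the next rebase from "fixing" the asymmetry.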
@@ -1,8 +1,8 @@ -Index: openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl +Index: openssl-3.2.0/Configurations/unix-Makefile.tmpl =================================================================== ---- openssl-1.1.1-pre3.orig/Configurations/unix-Makefile.tmpl 2018-03-20 15:20:03.037124698 +0100 -+++ openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl 2018-03-20 15:21:04.206084731 +0100 -@@ -843,7 +843,7 @@ libcrypto.pc: +--- openssl-3.2.0.orig/Configurations/unix-Makefile.tmpl ++++ openssl-3.2.0/Configurations/unix-Makefile.tmpl +@@ -1454,7 +1454,7 @@ libcrypto.pc: echo 'Version: '$(VERSION); \ echo 'Libs: -L$${libdir} -lcrypto'; \ echo 'Libs.private: $(LIB_EX_LIBS)'; \ @@ -11,7 +11,7 @@ Index: openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl libssl.pc: @ ( echo 'prefix=$(INSTALLTOP)'; \ -@@ -860,7 +860,7 @@ libssl.pc: +@@ -1471,7 +1471,7 @@ libssl.pc: echo 'Version: '$(VERSION); \ echo 'Requires.private: libcrypto'; \ echo 'Libs: -L$${libdir} -lssl'; \ diff --git a/openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch b/openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch deleted file mode 100644 index ecfecb5..0000000 --- a/openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From 50f8b936b00dc18ce1f622a7a6aa46daf03da48b Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Wed, 16 Aug 2023 16:52:47 +1000 -Subject: [PATCH] powerpc: ecc: Fix stack allocation secp384r1 asm - -Assembly acceleration secp384r1 opts to not use any callee-save VSRs, as -VSX enabled systems make extensive use of renaming, and so writebacks in -felem_{mul,square}() can be reordered for best cache effects. - -Remove stack allocations. This in turn fixes unmatched push/pops in -felem_{mul,square}(). - -Signed-off-by: Rohan McLure - -Reviewed-by: Tomas Mraz -Reviewed-by: Shane Lontis -Reviewed-by: Hugo Landau -(Merged from https://github.com/openssl/openssl/pull/21749) ---- - crypto/ec/asm/ecp_nistp384-ppc64.pl | 49 ----------------------------- - 1 file changed, 49 deletions(-) - -diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl -index 3f86b391af69..28f4168e5218 100755 ---- a/crypto/ec/asm/ecp_nistp384-ppc64.pl -+++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl -@@ -62,51 +62,6 @@ ($) - ___ - } - -- --sub push_vrs($$) --{ -- my ($min, $max) = @_; -- -- my $count = $max - $min + 1; -- -- $code.=<<___; -- mr $savesp,$sp -- stdu $sp,-16*`$count+1`($sp) -- --___ -- for (my $i = $min; $i <= $max; $i++) { -- my $mult = $max - $i + 1; -- $code.=<<___; -- stxv $i,-16*$mult($savesp) --___ -- -- } -- -- $code.=<<___; -- --___ --} -- --sub pop_vrs($$) --{ -- my ($min, $max) = @_; -- -- $code.=<<___; -- ld $savesp,0($sp) --___ -- for (my $i = $min; $i <= $max; $i++) { -- my $mult = $max - $i + 1; -- $code.=<<___; -- lxv $i,-16*$mult($savesp) --___ -- } -- -- $code.=<<___; -- mr $sp,$savesp -- --___ --} -- - sub load_vrs($$) - { - my ($pointer, $reg_list) = @_; -@@ -162,8 +117,6 @@ ($$) - - startproc("p384_felem_mul"); - -- push_vrs(52, 63); -- - $code.=<<___; - vspltisw $vzero,0 - -@@ -268,8 +221,6 @@ ($$) - - startproc("p384_felem_square"); - -- push_vrs(52, 63); -- - $code.=<<___; - vspltisw $vzero,0 - 
diff --git a/openssl-ppc64-config.patch b/openssl-ppc64-config.patch index 1efc39d..b697def 100644 --- a/openssl-ppc64-config.patch +++ b/openssl-ppc64-config.patch @@ -1,8 +1,8 @@ -Index: openssl-3.0.0-alpha5/util/perl/OpenSSL/config.pm +Index: openssl-3.2.0/util/perl/OpenSSL/config.pm =================================================================== ---- openssl-3.0.0-alpha5.orig/util/perl/OpenSSL/config.pm -+++ openssl-3.0.0-alpha5/util/perl/OpenSSL/config.pm -@@ -525,14 +525,19 @@ EOF +--- openssl-3.2.0.orig/util/perl/OpenSSL/config.pm ++++ openssl-3.2.0/util/perl/OpenSSL/config.pm +@@ -584,14 +584,19 @@ EOF return { target => "linux-ppc64" } if $KERNEL_BITS eq '64'; my %config = (); diff --git a/openssl-truststore.patch b/openssl-truststore.patch index e43f30e..11795e7 100644 --- a/openssl-truststore.patch +++ b/openssl-truststore.patch @@ -1,10 +1,10 @@ Don't use the legacy /etc/ssl/certs directory anymore but rather the p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991) -Index: openssl-1.1.1-pre1/include/internal/cryptlib.h +Index: openssl-3.2.0/include/internal/common.h =================================================================== ---- openssl-1.1.1-pre1.orig/include/internal/cryptlib.h 2018-02-13 14:48:12.000000000 +0100 -+++ openssl-1.1.1-pre1/include/internal/cryptlib.h 2018-02-13 16:30:11.738161984 +0100 -@@ -59,8 +59,8 @@ DEFINE_LHASH_OF(MEM); +--- openssl-3.2.0.orig/include/internal/common.h ++++ openssl-3.2.0/include/internal/common.h +@@ -82,8 +82,8 @@ __owur static ossl_inline int ossl_asser # ifndef OPENSSL_SYS_VMS # define X509_CERT_AREA OPENSSLDIR