Accepting request 1129505 from home:ohollmann:branches:security:tls
- Update to 3.2.0:
  * The BLAKE2b hash algorithm supports a configurable output length by setting the "size" parameter.
  * Enable extra Arm64 optimization on Windows for GHASH, RAND and AES.
  * Added a function to delete objects from store by URI - OSSL_STORE_delete() and the corresponding provider-storemgmt API function OSSL_FUNC_store_delete().
  * Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to pass a passphrase callback when opening a store.
  * Changed the default salt length used by PBES2 KDF's (PBKDF2 and scrypt) from 8 bytes to 16 bytes. The PKCS5 (RFC 8018) standard uses a 64 bit salt length for PBE, and recommends a minimum of 64 bits for PBES2. For FIPS compliance PBKDF2 requires a salt length of 128 bits. This affects OpenSSL command line applications such as "genrsa" and "pkcs8" and API's such as PEM_write_bio_PrivateKey() that are reliant on the default value. The additional commandline option 'saltlen' has been added to the OpenSSL command line applications for "pkcs8" and "enc" to allow the salt length to be set to a non default value.
  * Changed the default value of the ess_cert_id_alg configuration option which is used to calculate the TSA's public key certificate identifier. The default algorithm is updated to be sha256 instead of sha1.
  * Added optimization for SM2 algorithm on aarch64. It uses a huge precomputed table for point multiplication of the base point, which increases the size of libcrypto from 4.4 MB to 4.9 MB. A new configure option no-sm2-precomp has been added to disable the precomputed table.
  * Added client side support for QUIC

OBS-URL: https://build.opensuse.org/request/show/1129505
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=80
parent 737365e2ce
commit 259f0441ec
BIN
openssl-3.1.4.tar.gz
(Stored with Git LFS)
Binary file not shown.
@ -1,16 +0,0 @@
3
openssl-3.2.0.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:14c826f07c7e433706fb5c69fa9e25dab95684844b4c962a2cf1bf183eb4690e
|
||||||
|
size 17698352
|
16
openssl-3.2.0.tar.gz.asc
Normal file
@ -0,0 +1,16 @@
@ -1,3 +1,275 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Nov 23 16:07:51 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
|
||||||
|
|
||||||
|
- Update to 3.2.0:
|
||||||
|
* The BLAKE2b hash algorithm supports a configurable output length
|
||||||
|
by setting the "size" parameter.
|
||||||
|
* Enable extra Arm64 optimization on Windows for GHASH, RAND and
|
||||||
|
AES.
|
||||||
|
* Added a function to delete objects from store by URI -
|
||||||
|
OSSL_STORE_delete() and the corresponding provider-storemgmt API
|
||||||
|
function OSSL_FUNC_store_delete().
|
||||||
|
* Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to
|
||||||
|
pass a passphrase callback when opening a store.
|
||||||
|
* Changed the default salt length used by PBES2 KDF's (PBKDF2 and
|
||||||
|
scrypt) from 8 bytes to 16 bytes. The PKCS5 (RFC 8018) standard
|
||||||
|
uses a 64 bit salt length for PBE, and recommends a minimum of 64
|
||||||
|
bits for PBES2. For FIPS compliance PBKDF2 requires a salt length
|
||||||
|
of 128 bits. This affects OpenSSL command line applications such
|
||||||
|
as "genrsa" and "pkcs8" and API's such as
|
||||||
|
PEM_write_bio_PrivateKey() that are reliant on the default value.
|
||||||
|
The additional commandline option 'saltlen' has been added to the
|
||||||
|
OpenSSL command line applications for "pkcs8" and "enc" to allow
|
||||||
|
the salt length to be set to a non default value.
|
||||||
|
* Changed the default value of the ess_cert_id_alg configuration
|
||||||
|
option which is used to calculate the TSA's public key
|
||||||
|
certificate identifier. The default algorithm is updated to be
|
||||||
|
sha256 instead of sha1.
|
||||||
|
* Added optimization for SM2 algorithm on aarch64. It uses a huge
|
||||||
|
precomputed table for point multiplication of the base point,
|
||||||
|
which increases the size of libcrypto from 4.4 MB to 4.9 MB. A
|
||||||
|
new configure option no-sm2-precomp has been added to disable the
|
||||||
|
precomputed table.
|
||||||
|
* Added client side support for QUIC
|
||||||
|
* Added multiple tutorials on the OpenSSL library and in particular
|
||||||
|
on writing various clients (using TLS and QUIC protocols) with
|
||||||
|
libssl.
|
||||||
|
* Added secp384r1 implementation using Solinas' reduction to improve
|
||||||
|
speed of the NIST P-384 elliptic curve. To enable the
|
||||||
|
implementation the build option enable-ec_nistp_64_gcc_128 must
|
||||||
|
be used.
|
||||||
|
* Improved RFC7468 compliance of the asn1parse command.
|
||||||
|
* Added SHA256/192 algorithm support.
|
||||||
|
* Added support for securely getting root CA certificate update in
|
||||||
|
CMP.
|
||||||
|
* Improved contention on global write locks by using more read locks
|
||||||
|
where appropriate.
|
||||||
|
* Improved performance of OSSL_PARAM lookups in performance critical
|
||||||
|
provider functions.
|
||||||
|
* Added the SSL_get0_group_name() function to provide access to the
|
||||||
|
name of the group used for the TLS key exchange.
|
||||||
|
* Provide a new configure option no-http that can be used to disable
|
||||||
|
the HTTP support. Provide new configure options no-apps and
|
||||||
|
no-docs to disable building the openssl command line application
|
||||||
|
and the documentation.
|
||||||
|
* Provide a new configure option no-ecx that can be used to disable
|
||||||
|
the X25519, X448, and EdDSA support.
|
||||||
|
* When multiple OSSL_KDF_PARAM_INFO parameters are passed to the
|
||||||
|
EVP_KDF_CTX_set_params() function they are now concatenated not
|
||||||
|
just for the HKDF algorithm but also for SSKDF and X9.63 KDF
|
||||||
|
algorithms.
|
||||||
|
* Added OSSL_FUNC_keymgmt_im/export_types_ex() provider functions
|
||||||
|
that get the provider context as a parameter.
|
||||||
|
* TLS round-trip time calculation was added by a Brigham Young
|
||||||
|
University Capstone team partnering with Sandia National
|
||||||
|
Laboratories. A new function in ssl_lib titled
|
||||||
|
SSL_get_handshake_rtt will calculate and retrieve this value.
|
||||||
|
* Added the "-quic" option to s_client to enable connectivity to
|
||||||
|
QUIC servers. QUIC requires the use of ALPN, so this must be
|
||||||
|
specified via the "-alpn" option. Use of the "advanced" s_client
|
||||||
|
command command via the "-adv" option is recommended.
|
||||||
|
* Added an "advanced" command mode to s_client. Use this with
|
||||||
|
the "-adv" option. The old "basic" command mode recognises
|
||||||
|
certain letters that must always appear at the start of a line
|
||||||
|
and cannot be escaped. The advanced command mode enables commands
|
||||||
|
to be entered anywhere and there is an escaping mechanism. After
|
||||||
|
starting s_client with "-adv" type "{help}" to show a list of
|
||||||
|
available commands.
|
||||||
|
* Add Raw Public Key (RFC7250) support. Authentication is supported
|
||||||
|
by matching keys against either local policy (TLSA records
|
||||||
|
synthesised from the expected keys) or DANE (TLSA records
|
||||||
|
obtained by the application from DNS). TLSA records will also
|
||||||
|
match the same key in the server certificate, should RPK use not
|
||||||
|
happen to be negotiated.
|
||||||
|
* Added support for modular exponentiation and CRT offloading for
|
||||||
|
the S390x architecture.
|
||||||
|
* Added further assembler code for the RISC-V architecture.
|
||||||
|
* Added EC_GROUP_to_params() which creates an OSSL_PARAM array from
|
||||||
|
a given EC_GROUP.
|
||||||
|
* Improved support for non-default library contexts and property
|
||||||
|
queries when parsing PKCS#12 files.
|
||||||
|
* Implemented support for all five instances of EdDSA from RFC8032:
|
||||||
|
Ed25519, Ed25519ctx, Ed25519ph, Ed448, and Ed448ph. The streaming
|
||||||
|
is not yet supported for the HashEdDSA variants (Ed25519ph and
|
||||||
|
Ed448ph).
|
||||||
|
* Added SM4 optimization for ARM processors using ASIMD and AES HW
|
||||||
|
instructions.
|
||||||
|
* Implemented SM4-XTS support.
|
||||||
|
* Added platform-agnostic OSSL_sleep() function.
|
||||||
|
* Implemented deterministic ECDSA signatures (RFC6979) support.
|
||||||
|
* Implemented AES-GCM-SIV (RFC8452) support.
|
||||||
|
* Added support for pluggable (provider-based) TLS signature
|
||||||
|
algorithms. This enables TLS 1.3 authentication operations with
|
||||||
|
algorithms embedded in providers not included by default in
|
||||||
|
OpenSSL. In combination with the already available pluggable KEM
|
||||||
|
and X.509 support, this enables for example suitable providers to
|
||||||
|
deliver post-quantum or quantum-safe cryptography to OpenSSL
|
||||||
|
users.
|
||||||
|
* Added support for pluggable (provider-based) CMS signature
|
||||||
|
algorithms. This enables CMS sign and verify operations with
|
||||||
|
algorithms embedded in providers not included by default in
|
||||||
|
OpenSSL.
|
||||||
|
* Added support for Hybrid Public Key Encryption (HPKE) as defined
|
||||||
|
in RFC9180. HPKE is required for TLS Encrypted ClientHello
|
||||||
|
(ECH), Message Layer Security (MLS) and other IETF
|
||||||
|
specifications. HPKE can also be used by other applications that
|
||||||
|
require encrypting "to" an ECDH public key. External APIs are
|
||||||
|
defined in include/openssl/hpke.h and documented in
|
||||||
|
doc/man3/OSSL_HPKE_CTX_new.pod
|
||||||
|
* Implemented HPKE DHKEM support in providers used by HPKE
|
||||||
|
(RFC9180) API.
|
||||||
|
* Add support for certificate compression (RFC8879), including
|
||||||
|
library support for Brotli and Zstandard compression.
|
||||||
|
* Add the ability to add custom attributes to PKCS12 files. Add a
|
||||||
|
new API PKCS12_create_ex2, identical to the existing
|
||||||
|
PKCS12_create_ex but allows for a user specified callback and
|
||||||
|
optional argument. Added a new PKCS12_SAFEBAG_set0_attr, which
|
||||||
|
allows for a new attr to be added to the existing STACK_OF
|
||||||
|
attrs.
|
||||||
|
* Major refactor of the libssl record layer.
|
||||||
|
* Add a mac salt length option for the pkcs12 command.
|
||||||
|
* Add more SRTP protection profiles from RFC8723 and RFC8269.
|
||||||
|
* Extended Kernel TLS (KTLS) to support TLS 1.3 receive offload.
|
||||||
|
* Add support for TCP Fast Open (RFC7413) to macOS, Linux, and
|
||||||
|
FreeBSD where supported and enabled.
|
||||||
|
* Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK
|
||||||
|
(RFC 5489) to the list of ciphersuites providing Perfect Forward
|
||||||
|
Secrecy as required by SECLEVEL >= 3.
|
||||||
|
* Add new SSL APIs to aid in efficiently implementing TLS/SSL
|
||||||
|
fingerprinting. The SSL_CTRL_GET_IANA_GROUPS control code,
|
||||||
|
exposed as the SSL_get0_iana_groups() function-like macro,
|
||||||
|
retrieves the list of supported groups sent by the peer. The
|
||||||
|
function SSL_client_hello_get_extension_order() populates a
|
||||||
|
caller-supplied array with the list of extension types present in
|
||||||
|
the ClientHello, in order of appearance.
|
||||||
|
* Fixed PEM_write_bio_PKCS8PrivateKey() and
|
||||||
|
PEM_write_bio_PKCS8PrivateKey_nid() to make it possible to use
|
||||||
|
empty passphrase strings.
|
||||||
|
* The PKCS12_parse() function now supports MAC-less PKCS12 files.
|
||||||
|
* Added ASYNC_set_mem_functions() and ASYNC_get_mem_functions
|
||||||
|
() calls to be able to change functions used for allocating the
|
||||||
|
memory of asynchronous call stack.
|
||||||
|
* Added support for signed BIGNUMs in the OSSL_PARAM APIs.
|
||||||
|
* A failure exit code is returned when using the openssl x509
|
||||||
|
command to check certificate attributes and the checks fail.
|
||||||
|
* The default SSL/TLS security level has been changed from 1 to 2.
|
||||||
|
RSA, DSA and DH keys of 1024 bits and above and less than 2048
|
||||||
|
bits and ECC keys of 160 bits and above and less than 224 bits
|
||||||
|
were previously accepted by default but are now no longer
|
||||||
|
allowed. By default TLS compression was already disabled in
|
||||||
|
previous OpenSSL versions. At security level 2 it cannot be
|
||||||
|
enabled.
|
||||||
|
* The SSL_CTX_set_cipher_list family functions now accept ciphers
|
||||||
|
using their IANA standard names.
|
||||||
|
* The PVK key derivation function has been moved from b2i_PVK_bio_ex
|
||||||
|
() into the legacy crypto provider as an EVP_KDF. Applications
|
||||||
|
requiring this KDF will need to load the legacy crypto provider.
|
||||||
|
* CCM8 cipher suites in TLS have been downgraded to security level
|
||||||
|
zero because they use a short authentication tag which lowers
|
||||||
|
their strength.
|
||||||
|
* Subject or issuer names in X.509 objects are now displayed as
|
||||||
|
UTF-8 strings by default.
|
||||||
|
* Add X.509 certificate codeSigning purpose and related checks on
|
||||||
|
key usage and extended key usage of the leaf certificate
|
||||||
|
according to the CA/Browser Forum.
|
||||||
|
* The x509, ca, and req apps now produce X.509 v3 certificates.
|
||||||
|
The -x509v1 option of req prefers generation of X.509 v1
|
||||||
|
certificates. X509_sign() and X509_sign_ctx() make sure that the
|
||||||
|
certificate has X.509 version 3 if the certificate information
|
||||||
|
includes X.509 extensions.
|
||||||
|
* Fix and extend certificate handling and the apps x509, verify etc.
|
||||||
|
such as adding a trace facility for debugging certificate chain
|
||||||
|
building.
|
||||||
|
* Various fixes and extensions to the CMP+CRMF implementation and
|
||||||
|
the cmp app in particular supporting requests for central key
|
||||||
|
generation, generalized polling, and various types of genm/genp
|
||||||
|
exchanges defined in CMP Updates.
|
||||||
|
* Fixes and extensions to the HTTP client and to the HTTP server in
|
||||||
|
apps/ like correcting the TLS and proxy support and adding
|
||||||
|
tracing for debugging.
|
||||||
|
* Extended the CMS API for handling CMS_SignedData and
|
||||||
|
CMS_EnvelopedData.
|
||||||
|
* CMS_add0_cert() and CMS_add1_cert() no longer throw an error if a
|
||||||
|
certificate to be added is already present. CMS_sign_ex() and
|
||||||
|
CMS_sign() now ignore any duplicate certificates in their certs
|
||||||
|
argument and no longer throw an error for them.
|
||||||
|
* Fixed and extended util/check-format.pl for checking adherence to
|
||||||
|
the coding style
|
||||||
|
https://www.openssl.org/policies/technical/coding-style.html. The
|
||||||
|
checks are meanwhile more complete and yield fewer false
|
||||||
|
positives.
|
||||||
|
* Added BIO_s_dgram_pair() and BIO_s_dgram_mem() that provide
|
||||||
|
memory-based BIOs with datagram semantics and support for
|
||||||
|
BIO_sendmmsg() and BIO_recvmmsg() calls. They can be used as the
|
||||||
|
transport BIOs for QUIC.
|
||||||
|
* Add new BIO_sendmmsg() and BIO_recvmmsg() BIO methods which allow
|
||||||
|
sending and receiving multiple messages in a single call. An
|
||||||
|
implementation is provided for BIO_dgram. For further details,
|
||||||
|
see BIO_sendmmsg(3).
|
||||||
|
* Support for loading root certificates from the Windows certificate
|
||||||
|
store has been added. The support is in the form of a store which
|
||||||
|
recognises the URI string of org.openssl.winstore://. This URI
|
||||||
|
scheme currently takes no arguments. This store is built by
|
||||||
|
default and can be disabled using the new compile-time option
|
||||||
|
no-winstore. This store is not currently used by default and must
|
||||||
|
be loaded explicitly using the above store URI. It is expected to
|
||||||
|
be loaded by default in the future.
|
||||||
|
* Enable KTLS with the TLS 1.3 CCM mode ciphersuites. Note that some
|
||||||
|
linux kernel versions that support KTLS have a known bug in CCM
|
||||||
|
processing. That has been fixed in stable releases starting from
|
||||||
|
5.4.164, 5.10.84, 5.15.7, and all releases since 5.16. KTLS with
|
||||||
|
CCM ciphersuites should be only used on these releases.
|
||||||
|
* Added -ktls option to s_server and s_client commands to enable the
|
||||||
|
KTLS support.
|
||||||
|
* Zerocopy KTLS sendfile() support on Linux.
|
||||||
|
* The OBJ_ calls are now thread safe using a global lock.
|
||||||
|
* New parameter -digest for openssl cms command allowing signing
|
||||||
|
pre-computed digests and new CMS API functions supporting that
|
||||||
|
functionality.
|
||||||
|
* OPENSSL_malloc() and other allocation functions now raise errors
|
||||||
|
on allocation failures. The callers do not need to explicitly
|
||||||
|
raise errors unless they want to for tracing purposes.
|
||||||
|
* Added and enabled by default implicit rejection in RSA PKCS#1 v1.5
|
||||||
|
decryption as a protection against Bleichenbacher-like attacks.
|
||||||
|
The RSA decryption API will now return a randomly generated
|
||||||
|
deterministic message instead of an error in case it detects an
|
||||||
|
error when checking padding during PKCS#1 v1.5 decryption. This
|
||||||
|
is a general protection against issues like CVE-2020-25659 and
|
||||||
|
CVE-2020-25657. This protection can be disabled by calling
|
||||||
|
EVP_PKEY_CTX_ctrl_str
|
||||||
|
(ctx, "rsa_pkcs1_implicit_rejection". "0") on the RSA decryption
|
||||||
|
context.
|
||||||
|
* Added support for Brainpool curves in TLS-1.3.
|
||||||
|
* Added OpenBSD specific build targets.
|
||||||
|
* Support for Argon2d, Argon2i, Argon2id KDFs has been added along
|
||||||
|
with a basic thread pool implementation for select platforms.
|
||||||
|
- Revert 0e55c3ab to resolve 'libssl.so: undefined reference to `ossl_safe_getenv'
|
||||||
|
introduced by our patch openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
|
||||||
|
* Add openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch
|
||||||
|
- Remove patches (already upsteram):
|
||||||
|
* openssl-Add_support_for_Windows_CA_certificate_store.patch
|
||||||
|
* openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
|
||||||
|
* openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
|
||||||
|
* openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
|
||||||
|
* openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
|
||||||
|
* openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
|
||||||
|
* openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
|
||||||
|
* openssl-CVE-2023-5678.patch
|
||||||
|
- Refresh patches:
|
||||||
|
* openssl-no-html-docs.patch
|
||||||
|
* openssl-truststore.patch
|
||||||
|
* openssl-pkgconfig.patch
|
||||||
|
* openssl-DEFAULT_SUSE_cipher.patch
|
||||||
|
* openssl-ppc64-config.patch
|
||||||
|
* openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
|
||||||
|
* openssl-Override-default-paths-for-the-CA-directory-tree.patch
|
||||||
|
* openssl-Add-FIPS_mode-compatibility-macro.patch
|
||||||
|
* openssl-Add-Kernel-FIPS-mode-flag-support.patch
|
||||||
|
- Drop openssl-no-date.patch
|
||||||
|
Upstream added support for reproducible builds via SOURCE_DATE_EPOCH in
|
||||||
|
https://github.com/openssl/openssl/commit/8a8d9e190533ee41e8b231b18c7837f98f1ae231
|
||||||
|
thereby making this patch obsolete as builds *should* still be reproducible.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Nov 13 09:29:26 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
|
Mon Nov 13 09:29:26 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
|
||||||
|
|
||||||
|
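Review bot: In the "Remove patches (already upsteram)" entry, "upsteram" should read "upstream", and because openssl-CVE-2023-5678.patch is dropped in that list, the entry should state that the fix ships in 3.2.0 and carry the bsc#1216922 reference the spec had for it, so the CVE remains traceable from the changelog alone. Two copy errors in the 3.2.0 list are worth fixing before they get pasted elsewhere: "command command" in the "-quic" item, and the period in (ctx, "rsa_pkcs1_implicit_rejection". "0"), which must be a comma for the call to compile. For the openssl-no-date.patch drop, "builds *should* still be reproducible" reads as unverified; please confirm with a rebuild comparison and say so in the entry.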
@ -22,7 +22,7 @@
|
|||||||
%define man_suffix 3ssl
|
%define man_suffix 3ssl
|
||||||
Name: openssl-3
|
Name: openssl-3
|
||||||
# Don't forget to update the version in the "openssl" meta-package!
|
# Don't forget to update the version in the "openssl" meta-package!
|
||||||
Version: 3.1.4
|
Version: 3.2.0
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Secure Sockets and Transport Layer Security
|
Summary: Secure Sockets and Transport Layer Security
|
||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
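Review bot: The comment directly above the Version line says to update the version in the "openssl" meta-package, and nothing in this request touches that package. Please confirm a matching 3.2.0 bump for the meta-package is submitted alongside this one, otherwise the two versions will disagree once this is accepted.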
@ -42,26 +42,15 @@ Patch2: openssl-truststore.patch
|
|||||||
Patch3: openssl-pkgconfig.patch
|
Patch3: openssl-pkgconfig.patch
|
||||||
Patch4: openssl-DEFAULT_SUSE_cipher.patch
|
Patch4: openssl-DEFAULT_SUSE_cipher.patch
|
||||||
Patch5: openssl-ppc64-config.patch
|
Patch5: openssl-ppc64-config.patch
|
||||||
Patch6: openssl-no-date.patch
|
|
||||||
# Add crypto-policies support
|
# Add crypto-policies support
|
||||||
Patch7: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
|
Patch6: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
|
||||||
Patch8: openssl-Override-default-paths-for-the-CA-directory-tree.patch
|
Patch7: openssl-Override-default-paths-for-the-CA-directory-tree.patch
|
||||||
# PATCH-FIX-UPSTREAM: bsc#1209430 Upgrade OpenSSL from 3.0.8 to 3.1.0 in TW
|
# PATCH-FIX-OPENSUSE: Revert of 0e55c3ab8d702ffc897c9beb51d19b14b789618
|
||||||
Patch9: openssl-Add_support_for_Windows_CA_certificate_store.patch
|
# Makefile: Call mknum.pl on 'make ordinals' only if needed
|
||||||
|
Patch8: openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch
|
||||||
# PATCH-FIX-FEDORA Add FIPS_mode compatibility macro and flag support
|
# PATCH-FIX-FEDORA Add FIPS_mode compatibility macro and flag support
|
||||||
Patch10: openssl-Add-FIPS_mode-compatibility-macro.patch
|
Patch9: openssl-Add-FIPS_mode-compatibility-macro.patch
|
||||||
Patch11: openssl-Add-Kernel-FIPS-mode-flag-support.patch
|
Patch10: openssl-Add-Kernel-FIPS-mode-flag-support.patch
|
||||||
# PATCH-FIX-UPSTREAM jsc#PED-5086, jsc#PED-3514
|
|
||||||
# POWER10 performance enhancements for cryptography
|
|
||||||
Patch12: openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
|
|
||||||
Patch13: openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
|
|
||||||
Patch14: openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
|
|
||||||
Patch15: openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
|
|
||||||
Patch16: openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
|
|
||||||
Patch17: openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
|
|
||||||
# PATCH-FIX-UPSTREAM: bsc#1216922 CVE-2023-5678 Generating excessively long X9.42 DH keys or
|
|
||||||
# checking excessively long X9.42 DH keys or parameters may be very slow
|
|
||||||
Patch18: openssl-CVE-2023-5678.patch
|
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
BuildRequires: pkgconfig(zlib)
|
BuildRequires: pkgconfig(zlib)
|
||||||
Requires: libopenssl3 = %{version}-%{release}
|
Requires: libopenssl3 = %{version}-%{release}
|
||||||
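Review bot: The new PATCH-FIX-OPENSUSE comment for Patch8 gives the reverted commit as 0e55c3ab8d702ffc897c9beb51d19b14b789618, which is 39 hex digits and so looks like a full SHA-1 with one character lost; please paste the complete 40-character id or use the short form 0e55c3ab from the changelog. The tag also carries no bug or issue reference, unlike the bsc#/jsc# references on the lines being removed, so a reader cannot tell when the revert can be dropped. Since Patch7 through Patch11 all shift down by one here, every place that addresses a patch by number has to move with them; the %check section does this for %{PATCH7}, and it would be worth checking that nothing else in the spec refers to the old numbers.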
@ -180,14 +169,18 @@ perl configdata.pm --dump
|
|||||||
|
|
||||||
%check
|
%check
|
||||||
# Relax the crypto-policies requirements for the regression tests
|
# Relax the crypto-policies requirements for the regression tests
|
||||||
# Revert patch8 before running tests
|
# Revert patch7 before running tests
|
||||||
patch -p1 -R < %{PATCH8}
|
patch -p1 -R < %{PATCH7}
|
||||||
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
|
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
|
||||||
|
|
||||||
export MALLOC_CHECK_=3
|
export MALLOC_CHECK_=3
|
||||||
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
|
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
|
||||||
#export HARNESS_VERBOSE=yes
|
#export HARNESS_VERBOSE=yes
|
||||||
|
%ifarch %{ix86} #Skip test, see issue#22837
|
||||||
|
LD_LIBRARY_PATH="$PWD" make TESTS='-test_symbol_presence' test -j16
|
||||||
|
%else
|
||||||
LD_LIBRARY_PATH="$PWD" make test -j16
|
LD_LIBRARY_PATH="$PWD" make test -j16
|
||||||
|
%endif
|
||||||
|
|
||||||
# show ciphers
|
# show ciphers
|
||||||
gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto
|
gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto
|
||||||
|
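Review bot: On the added line "%ifarch %{ix86} #Skip test, see issue#22837" the comment shares a line with the directive, and rpm treats the tokens after %ifarch as architecture names, so the comment should go on its own line above it. "issue#22837" also does not say which tracker it refers to; a full URL would make the skip easy to revisit. Note that the skipped test is test_symbol_presence, in the same update that adds a revert to fix an undefined reference to ossl_safe_getenv, so exported-symbol problems go unchecked on ix86 until the skip is lifted. Separately, "patch -p1 -R < %{PATCH7}" depends on the patch number staying in sync with the Patch list; a comment naming openssl-Override-default-paths-for-the-CA-directory-tree.patch next to it would make the next renumbering safer.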
@ -14,11 +14,10 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
|||||||
2 files changed, 40 insertions(+)
|
2 files changed, 40 insertions(+)
|
||||||
create mode 100644 include/openssl/fips.h
|
create mode 100644 include/openssl/fips.h
|
||||||
|
|
||||||
diff --git a/include/openssl/fips.h b/include/openssl/fips.h
|
Index: openssl-3.2.0/include/openssl/fips.h
|
||||||
new file mode 100644
|
===================================================================
|
||||||
index 0000000000..4162cbf88e
|
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/include/openssl/fips.h
|
+++ openssl-3.2.0/include/openssl/fips.h
|
||||||
@@ -0,0 +1,26 @@
|
@@ -0,0 +1,26 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
|
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
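Review bot: After this refresh the patch still carries its git format-patch preamble (From-dist-git-commit, the diffstat, "create mode 100644 include/openssl/fips.h"), but the bodies are now quilt-style "Index: openssl-3.2.0/..." sections with the "new file mode" and "index" lines dropped, so the header no longer matches the format of the diff under it. Either regenerate the patch from git so the whole file is consistent, or trim the stale git metadata when refreshing with quilt; the same applies to the other refreshed patches in this request.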
@ -46,11 +45,11 @@ index 0000000000..4162cbf88e
|
|||||||
+}
|
+}
|
||||||
+# endif
|
+# endif
|
||||||
+#endif
|
+#endif
|
||||||
diff --git a/test/property_test.c b/test/property_test.c
|
Index: openssl-3.2.0/test/property_test.c
|
||||||
index 45b1db3e85..8894c1c1cb 100644
|
===================================================================
|
||||||
--- a/test/property_test.c
|
--- openssl-3.2.0.orig/test/property_test.c
|
||||||
+++ b/test/property_test.c
|
+++ openssl-3.2.0/test/property_test.c
|
||||||
@@ -677,6 +677,19 @@ static int test_property_list_to_string(int i)
|
@@ -680,6 +680,19 @@ static int test_property_list_to_string(
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -70,7 +69,7 @@ index 45b1db3e85..8894c1c1cb 100644
|
|||||||
int setup_tests(void)
|
int setup_tests(void)
|
||||||
{
|
{
|
||||||
ADD_TEST(test_property_string);
|
ADD_TEST(test_property_string);
|
||||||
@@ -690,6 +703,7 @@ int setup_tests(void)
|
@@ -693,6 +706,7 @@ int setup_tests(void)
|
||||||
ADD_TEST(test_property);
|
ADD_TEST(test_property);
|
||||||
ADD_TEST(test_query_cache_stochastic);
|
ADD_TEST(test_query_cache_stochastic);
|
||||||
ADD_TEST(test_fips_mode);
|
ADD_TEST(test_fips_mode);
|
||||||
@ -78,6 +77,3 @@ index 45b1db3e85..8894c1c1cb 100644
|
|||||||
ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
|
ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
||||||
|
@ -13,12 +13,12 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
|||||||
include/internal/provider.h | 3 +++
|
include/internal/provider.h | 3 +++
|
||||||
2 files changed, 39 insertions(+)
|
2 files changed, 39 insertions(+)
|
||||||
|
|
||||||
diff --git a/crypto/context.c b/crypto/context.c
|
Index: openssl-3.2.0/crypto/context.c
|
||||||
index e294ea1512..51002ba79a 100644
|
===================================================================
|
||||||
--- a/crypto/context.c
|
--- openssl-3.2.0.orig/crypto/context.c
|
||||||
+++ b/crypto/context.c
|
+++ openssl-3.2.0/crypto/context.c
|
||||||
@@ -16,6 +16,41 @@
|
@@ -17,6 +17,41 @@
|
||||||
#include "internal/provider.h"
|
#include "crypto/decoder.h"
|
||||||
#include "crypto/context.h"
|
#include "crypto/context.h"
|
||||||
|
|
||||||
+# include <sys/types.h>
|
+# include <sys/types.h>
|
||||||
@ -59,7 +59,7 @@ index e294ea1512..51002ba79a 100644
|
|||||||
struct ossl_lib_ctx_st {
|
struct ossl_lib_ctx_st {
|
||||||
CRYPTO_RWLOCK *lock, *rand_crngt_lock;
|
CRYPTO_RWLOCK *lock, *rand_crngt_lock;
|
||||||
OSSL_EX_DATA_GLOBAL global;
|
OSSL_EX_DATA_GLOBAL global;
|
||||||
@@ -336,6 +371,7 @@ static int default_context_inited = 0;
|
@@ -368,6 +403,7 @@ static int default_context_inited = 0;
|
||||||
|
|
||||||
DEFINE_RUN_ONCE_STATIC(default_context_do_init)
|
DEFINE_RUN_ONCE_STATIC(default_context_do_init)
|
||||||
{
|
{
|
||||||
@ -67,11 +67,11 @@ index e294ea1512..51002ba79a 100644
|
|||||||
if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))
|
if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))
|
||||||
goto err;
|
goto err;
|
||||||
|
|
||||||
diff --git a/include/internal/provider.h b/include/internal/provider.h
|
Index: openssl-3.2.0/include/internal/provider.h
|
||||||
index 18937f84c7..1446bf7afb 100644
|
===================================================================
|
||||||
--- a/include/internal/provider.h
|
--- openssl-3.2.0.orig/include/internal/provider.h
|
||||||
+++ b/include/internal/provider.h
|
+++ openssl-3.2.0/include/internal/provider.h
|
||||||
@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
|
@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB
|
||||||
const OSSL_DISPATCH *in);
|
const OSSL_DISPATCH *in);
|
||||||
void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
|
void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
|
||||||
|
|
||||||
@ -81,6 +81,3 @@ index 18937f84c7..1446bf7afb 100644
|
|||||||
# ifdef __cplusplus
|
# ifdef __cplusplus
|
||||||
}
|
}
|
||||||
# endif
|
# endif
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
||||||
|
@ -15,9 +15,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
util/libcrypto.num | 1
|
util/libcrypto.num | 1
|
||||||
8 files changed, 110 insertions(+), 14 deletions(-)
|
8 files changed, 110 insertions(+), 14 deletions(-)
|
||||||
|
|
||||||
--- a/Configurations/unix-Makefile.tmpl
|
Index: openssl-3.2.0/Configurations/unix-Makefile.tmpl
|
||||||
+++ b/Configurations/unix-Makefile.tmpl
|
===================================================================
|
||||||
@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
--- openssl-3.2.0.orig/Configurations/unix-Makefile.tmpl
|
||||||
|
+++ openssl-3.2.0/Configurations/unix-Makefile.tmpl
|
||||||
|
@@ -324,6 +324,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
||||||
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
|
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
|
||||||
HTMLDIR=$(DOCDIR)/html
|
HTMLDIR=$(DOCDIR)/html
|
||||||
|
|
||||||
@ -28,7 +30,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
|
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
|
||||||
# appended after the manpage file section number. "ssl" is popular,
|
# appended after the manpage file section number. "ssl" is popular,
|
||||||
# resulting in files such as config.5ssl rather than config.5.
|
# resulting in files such as config.5ssl rather than config.5.
|
||||||
@@ -338,6 +342,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
|
@@ -347,6 +351,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
|
||||||
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
|
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
|
||||||
CPPFLAGS={- our $cppflags1 = join(" ",
|
CPPFLAGS={- our $cppflags1 = join(" ",
|
||||||
(map { "-D".$_} @{$config{CPPDEFINES}}),
|
(map { "-D".$_} @{$config{CPPDEFINES}}),
|
||||||
@ -36,14 +38,16 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
(map { "-I".$_} @{$config{CPPINCLUDES}}),
|
(map { "-I".$_} @{$config{CPPINCLUDES}}),
|
||||||
@{$config{CPPFLAGS}}) -}
|
@{$config{CPPFLAGS}}) -}
|
||||||
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
|
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
|
||||||
--- a/Configure
|
Index: openssl-3.2.0/Configure
|
||||||
+++ b/Configure
|
===================================================================
|
||||||
|
--- openssl-3.2.0.orig/Configure
|
||||||
|
+++ openssl-3.2.0/Configure
|
||||||
@@ -27,7 +27,7 @@ use OpenSSL::config;
|
@@ -27,7 +27,7 @@ use OpenSSL::config;
|
||||||
my $orig_death_handler = $SIG{__DIE__};
|
my $orig_death_handler = $SIG{__DIE__};
|
||||||
$SIG{__DIE__} = \&death_handler;
|
$SIG{__DIE__} = \&death_handler;
|
||||||
|
|
||||||
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
-my $usage="Usage: Configure [no-<feature> ...] [enable-<feature> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||||
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
+my $usage="Usage: Configure [no-<feature> ...] [enable-<feature> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||||
|
|
||||||
my $banner = <<"EOF";
|
my $banner = <<"EOF";
|
||||||
|
|
||||||
@ -58,7 +62,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
# --banner=".." Output specified text instead of default completion banner
|
# --banner=".." Output specified text instead of default completion banner
|
||||||
#
|
#
|
||||||
# -w Don't wait after showing a Configure warning
|
# -w Don't wait after showing a Configure warning
|
||||||
@@ -387,6 +391,7 @@ $config{prefix}="";
|
@@ -394,6 +398,7 @@ $config{prefix}="";
|
||||||
$config{openssldir}="";
|
$config{openssldir}="";
|
||||||
$config{processor}="";
|
$config{processor}="";
|
||||||
$config{libdir}="";
|
$config{libdir}="";
|
||||||
@ -66,7 +70,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
my $auto_threads=1; # enable threads automatically? true by default
|
my $auto_threads=1; # enable threads automatically? true by default
|
||||||
my $default_ranlib;
|
my $default_ranlib;
|
||||||
|
|
||||||
@@ -989,6 +994,10 @@ while (@argvcopy)
|
@@ -1047,6 +1052,10 @@ while (@argvcopy)
|
||||||
die "FIPS key too long (64 bytes max)\n"
|
die "FIPS key too long (64 bytes max)\n"
|
||||||
if length $1 > 64;
|
if length $1 > 64;
|
||||||
}
|
}
|
||||||
@ -77,9 +81,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
elsif (/^--banner=(.*)$/)
|
elsif (/^--banner=(.*)$/)
|
||||||
{
|
{
|
||||||
$banner = $1 . "\n";
|
$banner = $1 . "\n";
|
||||||
--- a/doc/man1/openssl-ciphers.pod.in
|
Index: openssl-3.2.0/doc/man1/openssl-ciphers.pod.in
|
||||||
+++ b/doc/man1/openssl-ciphers.pod.in
|
===================================================================
|
||||||
@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
|
--- openssl-3.2.0.orig/doc/man1/openssl-ciphers.pod.in
|
||||||
|
+++ openssl-3.2.0/doc/man1/openssl-ciphers.pod.in
|
||||||
|
@@ -190,6 +190,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
|
||||||
|
|
||||||
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
|
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
|
||||||
|
|
||||||
@ -95,9 +101,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
=item B<HIGH>
|
=item B<HIGH>
|
||||||
|
|
||||||
"High" encryption cipher suites. This currently means those with key lengths
|
"High" encryption cipher suites. This currently means those with key lengths
|
||||||
--- a/include/openssl/ssl.h.in
|
Index: openssl-3.2.0/include/openssl/ssl.h.in
|
||||||
+++ b/include/openssl/ssl.h.in
|
===================================================================
|
||||||
@@ -213,6 +213,11 @@ extern "C" {
|
--- openssl-3.2.0.orig/include/openssl/ssl.h.in
|
||||||
|
+++ openssl-3.2.0/include/openssl/ssl.h.in
|
||||||
|
@@ -214,6 +214,11 @@ extern "C" {
|
||||||
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
|
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
|
||||||
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
|
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
|
||||||
*/
|
*/
|
||||||
@ -109,9 +117,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
|
|
||||||
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
|
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
|
||||||
# define SSL_SENT_SHUTDOWN 1
|
# define SSL_SENT_SHUTDOWN 1
|
||||||
--- a/ssl/ssl_ciph.c
|
Index: openssl-3.2.0/ssl/ssl_ciph.c
|
||||||
+++ b/ssl/ssl_ciph.c
|
===================================================================
|
||||||
@@ -1443,6 +1443,53 @@ int SSL_set_ciphersuites(SSL *s, const c
|
--- openssl-3.2.0.orig/ssl/ssl_ciph.c
|
||||||
|
+++ openssl-3.2.0/ssl/ssl_ciph.c
|
||||||
|
@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const c
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -165,7 +175,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||||
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
||||||
STACK_OF(SSL_CIPHER) **cipher_list,
|
STACK_OF(SSL_CIPHER) **cipher_list,
|
||||||
@@ -1457,15 +1504,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
@@ -1469,15 +1516,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
|
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
|
||||||
const SSL_CIPHER **ca_list = NULL;
|
const SSL_CIPHER **ca_list = NULL;
|
||||||
const SSL_METHOD *ssl_method = ctx->method;
|
const SSL_METHOD *ssl_method = ctx->method;
|
||||||
@ -193,16 +203,16 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
* To reduce the work to do we only want to process the compiled
|
* To reduce the work to do we only want to process the compiled
|
||||||
@@ -1487,7 +1544,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
@@ -1499,7 +1556,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
|
if (num_of_ciphers > 0) {
|
||||||
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
|
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
|
||||||
if (co_list == NULL) {
|
if (co_list == NULL)
|
||||||
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
|
|
||||||
- return NULL; /* Failure */
|
- return NULL; /* Failure */
|
||||||
+ goto err;
|
+ goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
|
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
|
||||||
@@ -1553,8 +1610,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
@@ -1565,8 +1622,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
* in force within each class
|
* in force within each class
|
||||||
*/
|
*/
|
||||||
if (!ssl_cipher_strength_sort(&head, &tail)) {
|
if (!ssl_cipher_strength_sort(&head, &tail)) {
|
||||||
@ -212,18 +222,17 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -1598,9 +1654,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
@@ -1610,8 +1666,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
||||||
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
||||||
if (ca_list == NULL) {
|
if (ca_list == NULL) {
|
||||||
- OPENSSL_free(co_list);
|
- OPENSSL_free(co_list);
|
||||||
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
|
|
||||||
- return NULL; /* Failure */
|
- return NULL; /* Failure */
|
||||||
+ goto err;
|
+ goto err;
|
||||||
}
|
}
|
||||||
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
||||||
disabled_mkey, disabled_auth, disabled_enc,
|
disabled_mkey, disabled_auth, disabled_enc,
|
||||||
@@ -1633,8 +1688,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
@@ -1644,8 +1699,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
OPENSSL_free(ca_list); /* Not needed anymore */
|
OPENSSL_free(ca_list); /* Not needed anymore */
|
||||||
|
|
||||||
if (!ok) { /* Rule processing failure */
|
if (!ok) { /* Rule processing failure */
|
||||||
@ -233,7 +242,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -1642,10 +1696,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
@@ -1653,10 +1707,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
* if we cannot get one.
|
* if we cannot get one.
|
||||||
*/
|
*/
|
||||||
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
|
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
|
||||||
@ -249,7 +258,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
|
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
|
||||||
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
|
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
|
||||||
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
|
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
|
||||||
@@ -1697,6 +1754,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
@@ -1708,6 +1765,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
*cipher_list = cipherstack;
|
*cipher_list = cipherstack;
|
||||||
|
|
||||||
return cipherstack;
|
return cipherstack;
|
||||||
@ -264,9 +273,11 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
}
|
}
|
||||||
|
|
||||||
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||||
--- a/ssl/ssl_lib.c
|
Index: openssl-3.2.0/ssl/ssl_lib.c
|
||||||
+++ b/ssl/ssl_lib.c
|
===================================================================
|
||||||
@@ -661,7 +661,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
|
--- openssl-3.2.0.orig/ssl/ssl_lib.c
|
||||||
|
+++ openssl-3.2.0/ssl/ssl_lib.c
|
||||||
|
@@ -689,7 +689,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
|
||||||
ctx->tls13_ciphersuites,
|
ctx->tls13_ciphersuites,
|
||||||
&(ctx->cipher_list),
|
&(ctx->cipher_list),
|
||||||
&(ctx->cipher_list_by_id),
|
&(ctx->cipher_list_by_id),
|
||||||
@ -275,7 +286,7 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
|
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
|
||||||
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
|
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
|
||||||
return 0;
|
return 0;
|
||||||
@@ -3286,7 +3286,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
|
@@ -3955,7 +3955,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
|
||||||
if (!ssl_create_cipher_list(ret,
|
if (!ssl_create_cipher_list(ret,
|
||||||
ret->tls13_ciphersuites,
|
ret->tls13_ciphersuites,
|
||||||
&ret->cipher_list, &ret->cipher_list_by_id,
|
&ret->cipher_list, &ret->cipher_list_by_id,
|
||||||
@ -283,10 +294,12 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
|
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
|
||||||
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
|
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
|
||||||
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
||||||
goto err2;
|
goto err;
|
||||||
--- a/test/cipherlist_test.c
|
Index: openssl-3.2.0/test/cipherlist_test.c
|
||||||
+++ b/test/cipherlist_test.c
|
===================================================================
|
||||||
@@ -246,7 +246,9 @@ end:
|
--- openssl-3.2.0.orig/test/cipherlist_test.c
|
||||||
|
+++ openssl-3.2.0/test/cipherlist_test.c
|
||||||
|
@@ -261,7 +261,9 @@ end:
|
||||||
|
|
||||||
int setup_tests(void)
|
int setup_tests(void)
|
||||||
{
|
{
|
||||||
@ -295,11 +308,13 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
|||||||
+#endif
|
+#endif
|
||||||
ADD_TEST(test_default_cipherlist_explicit);
|
ADD_TEST(test_default_cipherlist_explicit);
|
||||||
ADD_TEST(test_default_cipherlist_clear);
|
ADD_TEST(test_default_cipherlist_clear);
|
||||||
return 1;
|
ADD_TEST(test_stdname_cipherlist);
|
||||||
--- a/util/libcrypto.num
|
Index: openssl-3.2.0/util/libcrypto.num
|
||||||
+++ b/util/libcrypto.num
|
===================================================================
|
||||||
@@ -5435,3 +5435,4 @@ EVP_MD_CTX_dup
|
--- openssl-3.2.0.orig/util/libcrypto.num
|
||||||
EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:
|
+++ openssl-3.2.0/util/libcrypto.num
|
||||||
BN_are_coprime 5564 3_1_0 EXIST::FUNCTION:
|
@@ -5536,3 +5536,4 @@ X509_STORE_CTX_set_get_crl
|
||||||
OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP
|
X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION:
|
||||||
|
OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION:
|
||||||
|
BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK
|
||||||
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
||||||
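Review bot: the added `ossl_safe_getenv` line in util/libcrypto.num exports a function carrying the internal `ossl_` prefix, which turns an internal helper into part of libcrypto's exported symbol set. It is also tagged `3_0_0` while the neighbouring entries on the refreshed side are `3_2_0`. The patch description should say which caller outside libcrypto needs this export and why that version tag was chosen, so the next refresh does not have to rediscover it.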
|
@ -1,743 +0,0 @@
|
|||||||
From 2a071544f7d2e963a1f68f266f4e375568909d38 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Hugo Landau <hlandau@openssl.org>
|
|
||||||
Date: Fri, 8 Apr 2022 13:10:52 +0100
|
|
||||||
Subject: [PATCH 1/8] Fix URI handling in SSL_CERT_DIR/introduce SSL_CERT_URI
|
|
||||||
env
|
|
||||||
|
|
||||||
Fixes #18068.
|
|
||||||
---
|
|
||||||
CHANGES.md | 21
|
|
||||||
Configure | 7
|
|
||||||
crypto/x509/by_dir.c | 17
|
|
||||||
crypto/x509/by_store.c | 14
|
|
||||||
crypto/x509/x509_def.c | 15
|
|
||||||
doc/build.info | 6
|
|
||||||
doc/man3/X509_get_default_cert_file.pod | 113 +++++
|
|
||||||
include/internal/cryptlib.h | 11
|
|
||||||
include/internal/e_os.h | 2
|
|
||||||
include/openssl/x509.h.in | 3
|
|
||||||
providers/implementations/include/prov/implementations.h | 1
|
|
||||||
providers/implementations/storemgmt/build.info | 3
|
|
||||||
providers/implementations/storemgmt/winstore_store.c | 327 +++++++++++++++
|
|
||||||
providers/stores.inc | 3
|
|
||||||
util/libcrypto.num | 3
|
|
||||||
util/missingcrypto.txt | 4
|
|
||||||
16 files changed, 536 insertions(+), 14 deletions(-)
|
|
||||||
|
|
||||||
--- a/CHANGES.md
|
|
||||||
+++ b/CHANGES.md
|
|
||||||
@@ -24,6 +24,27 @@ OpenSSL 3.1
|
|
||||||
|
|
||||||
### Changes between 3.1.0 and 3.1.1 [30 May 2023]
|
|
||||||
|
|
||||||
+ * The `SSL_CERT_PATH` and `SSL_CERT_URI` environment variables are introduced.
|
|
||||||
+ `SSL_CERT_URI` can be used to specify a URI for a root certificate store. The
|
|
||||||
+ `SSL_CERT_PATH` environment variable specifies a delimiter-separated list of
|
|
||||||
+ paths which are searched for root certificates.
|
|
||||||
+
|
|
||||||
+ The existing `SSL_CERT_DIR` environment variable is deprecated.
|
|
||||||
+ `SSL_CERT_DIR` was previously used to specify either a delimiter-separated
|
|
||||||
+ list of paths or an URI, which is ambiguous. Setting `SSL_CERT_PATH` causes
|
|
||||||
+ `SSL_CERT_DIR` to be ignored for the purposes of determining root certificate
|
|
||||||
+ directories, and setting `SSL_CERT_URI` causes `SSL_CERT_DIR` to be ignored
|
|
||||||
+ for the purposes of determining root certificate stores.
|
|
||||||
+
|
|
||||||
+ *Hugo Landau*
|
|
||||||
+
|
|
||||||
+ * Support for loading root certificates from the Windows certificate store
|
|
||||||
+ has been added. The support is in the form of a store which recognises the
|
|
||||||
+ URI string of `org.openssl.winstore://`. This store is enabled by default and
|
|
||||||
+ can be disabled using the new compile-time option `no-winstore`.
|
|
||||||
+
|
|
||||||
+ *Hugo Landau*
|
|
||||||
+
|
|
||||||
* Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
|
|
||||||
OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
|
|
||||||
|
|
||||||
--- a/Configure
|
|
||||||
+++ b/Configure
|
|
||||||
@@ -420,6 +420,7 @@ my @disablables = (
|
|
||||||
"cached-fetch",
|
|
||||||
"camellia",
|
|
||||||
"capieng",
|
|
||||||
+ "winstore",
|
|
||||||
"cast",
|
|
||||||
"chacha",
|
|
||||||
"cmac",
|
|
||||||
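Review bot: `"winstore"` is inserted between `"capieng"` and `"cast"` in `@disablables`, but the visible neighbours (`"cached-fetch"`, `"camellia"`, `"capieng"`, `"cast"`, `"chacha"`, `"cmac"`) are in alphabetical order. Move the new entry to its sorted position so the list stays easy to scan and later merges do not conflict here.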
@@ -1726,6 +1727,12 @@ unless ($disabled{ktls}) {
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+unless ($disabled{winstore}) {
|
|
||||||
+ unless ($target =~ /^(?:Cygwin|mingw|VC-|BC-)/) {
|
|
||||||
+ disable('not-windows', 'winstore');
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls});
|
|
||||||
|
|
||||||
# Get the extra flags used when building shared libraries and modules. We
|
|
||||||
--- a/crypto/x509/by_dir.c
|
|
||||||
+++ b/crypto/x509/by_dir.c
|
|
||||||
@@ -88,13 +88,18 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
|
|
||||||
switch (cmd) {
|
|
||||||
case X509_L_ADD_DIR:
|
|
||||||
if (argl == X509_FILETYPE_DEFAULT) {
|
|
||||||
- const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
|
|
||||||
+ /* If SSL_CERT_PATH is provided and non-empty, use that. */
|
|
||||||
+ const char *dir = ossl_safe_getenv(X509_get_default_cert_path_env());
|
|
||||||
|
|
||||||
- if (dir)
|
|
||||||
- ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
|
|
||||||
- else
|
|
||||||
- ret = add_cert_dir(ld, X509_get_default_cert_dir(),
|
|
||||||
- X509_FILETYPE_PEM);
|
|
||||||
+ /* Fallback to SSL_CERT_DIR. */
|
|
||||||
+ if (dir == NULL)
|
|
||||||
+ dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
|
|
||||||
+
|
|
||||||
+ /* Fallback to built-in default. */
|
|
||||||
+ if (dir == NULL)
|
|
||||||
+ dir = X509_get_default_cert_dir();
|
|
||||||
+
|
|
||||||
+ ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
|
|
||||||
if (!ret) {
|
|
||||||
ERR_raise(ERR_LIB_X509, X509_R_LOADING_CERT_DIR);
|
|
||||||
}
|
|
||||||
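Review bot: the new comment in the `X509_L_ADD_DIR` case says SSL_CERT_PATH is used when "provided and non-empty", but the code only tests `dir == NULL`. A variable that is set to an empty string comes back as a non-NULL pointer, so it is handed to `add_cert_dir()` and neither SSL_CERT_DIR nor `X509_get_default_cert_dir()` is consulted. Either test `dir == NULL || *dir == '\0'` before each fallback, or drop "non-empty" from the comment so it matches what the code does.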
--- a/crypto/x509/by_store.c
|
|
||||||
+++ b/crypto/x509/by_store.c
|
|
||||||
@@ -111,11 +111,21 @@ static int by_store_ctrl_ex(X509_LOOKUP
|
|
||||||
{
|
|
||||||
switch (cmd) {
|
|
||||||
case X509_L_ADD_STORE:
|
|
||||||
- /* If no URI is given, use the default cert dir as default URI */
|
|
||||||
+ /* First try the newer default cert URI envvar. */
|
|
||||||
+ if (argp == NULL)
|
|
||||||
+ argp = ossl_safe_getenv(X509_get_default_cert_uri_env());
|
|
||||||
+
|
|
||||||
+ /* If not set, see if we have a URI in the older cert dir envvar. */
|
|
||||||
if (argp == NULL)
|
|
||||||
argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
|
|
||||||
+
|
|
||||||
+ /* Fallback to default store URI. */
|
|
||||||
if (argp == NULL)
|
|
||||||
- argp = X509_get_default_cert_dir();
|
|
||||||
+ argp = X509_get_default_cert_uri();
|
|
||||||
+
|
|
||||||
+ /* No point adding an empty URI. */
|
|
||||||
+ if (!*argp)
|
|
||||||
+ return 1;
|
|
||||||
|
|
||||||
{
|
|
||||||
STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
|
|
||||||
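Review bot: in the `X509_L_ADD_STORE` case, `if (!*argp) return 1;` reports success for an empty URI regardless of where it came from (the caller, SSL_CERT_URI, SSL_CERT_DIR or `X509_get_default_cert_uri()`), so the caller cannot tell that no store was added. An SSL_CERT_URI that is set but empty also ends the chain here without trying SSL_CERT_DIR or the built-in default, because each fallback only checks `argp == NULL`. If the silent success is intended for the "no default store on this platform" case, limit it to that case and say so in the comment; otherwise treat an empty environment value like an unset one.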
--- a/crypto/x509/x509_def.c
|
|
||||||
+++ b/crypto/x509/x509_def.c
|
|
||||||
@@ -22,6 +22,11 @@ const char *X509_get_default_cert_area(v
|
|
||||||
return X509_CERT_AREA;
|
|
||||||
}
|
|
||||||
|
|
||||||
+const char *X509_get_default_cert_uri(void)
|
|
||||||
+{
|
|
||||||
+ return X509_CERT_URI;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
const char *X509_get_default_cert_dir(void)
|
|
||||||
{
|
|
||||||
return X509_CERT_DIR;
|
|
||||||
@@ -32,6 +37,16 @@ const char *X509_get_default_cert_file(v
|
|
||||||
return X509_CERT_FILE;
|
|
||||||
}
|
|
||||||
|
|
||||||
+const char *X509_get_default_cert_uri_env(void)
|
|
||||||
+{
|
|
||||||
+ return X509_CERT_URI_EVP;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+const char *X509_get_default_cert_path_env(void)
|
|
||||||
+{
|
|
||||||
+ return X509_CERT_PATH_EVP;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
const char *X509_get_default_cert_dir_env(void)
|
|
||||||
{
|
|
||||||
return X509_CERT_DIR_EVP;
|
|
||||||
--- a/doc/build.info
|
|
||||||
+++ b/doc/build.info
|
|
||||||
@@ -2791,6 +2791,10 @@ DEPEND[html/man3/X509_get0_uids.html]=ma
|
|
||||||
GENERATE[html/man3/X509_get0_uids.html]=man3/X509_get0_uids.pod
|
|
||||||
DEPEND[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
|
|
||||||
GENERATE[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
|
|
||||||
+DEPEND[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
|
|
||||||
+GENERATE[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
|
|
||||||
+DEPEND[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
|
|
||||||
+GENERATE[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
|
|
||||||
DEPEND[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
|
|
||||||
GENERATE[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
|
|
||||||
DEPEND[man/man3/X509_get_extension_flags.3]=man3/X509_get_extension_flags.pod
|
|
||||||
@@ -3461,6 +3465,7 @@ html/man3/X509_get0_distinguishing_id.ht
|
|
||||||
html/man3/X509_get0_notBefore.html \
|
|
||||||
html/man3/X509_get0_signature.html \
|
|
||||||
html/man3/X509_get0_uids.html \
|
|
||||||
+html/man3/X509_get_default_cert_file.html \
|
|
||||||
html/man3/X509_get_extension_flags.html \
|
|
||||||
html/man3/X509_get_pubkey.html \
|
|
||||||
html/man3/X509_get_serialNumber.html \
|
|
||||||
@@ -4064,6 +4069,7 @@ man/man3/X509_get0_distinguishing_id.3 \
|
|
||||||
man/man3/X509_get0_notBefore.3 \
|
|
||||||
man/man3/X509_get0_signature.3 \
|
|
||||||
man/man3/X509_get0_uids.3 \
|
|
||||||
+man/man3/X509_get_default_cert_file.3 \
|
|
||||||
man/man3/X509_get_extension_flags.3 \
|
|
||||||
man/man3/X509_get_pubkey.3 \
|
|
||||||
man/man3/X509_get_serialNumber.3 \
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/doc/man3/X509_get_default_cert_file.pod
|
|
||||||
@@ -0,0 +1,113 @@
|
|
||||||
+=pod
|
|
||||||
+
|
|
||||||
+=head1 NAME
|
|
||||||
+
|
|
||||||
+X509_get_default_cert_file, X509_get_default_cert_file_env,
|
|
||||||
+X509_get_default_cert_path_env,
|
|
||||||
+X509_get_default_cert_dir, X509_get_default_cert_dir_env,
|
|
||||||
+X509_get_default_cert_uri, X509_get_default_cert_uri_env -
|
|
||||||
+retrieve default locations for trusted CA certificates
|
|
||||||
+
|
|
||||||
+=head1 SYNOPSIS
|
|
||||||
+
|
|
||||||
+ #include <openssl/x509.h>
|
|
||||||
+
|
|
||||||
+ const char *X509_get_default_cert_file(void);
|
|
||||||
+ const char *X509_get_default_cert_dir(void);
|
|
||||||
+ const char *X509_get_default_cert_uri(void);
|
|
||||||
+
|
|
||||||
+ const char *X509_get_default_cert_file_env(void);
|
|
||||||
+ const char *X509_get_default_cert_path_env(void);
|
|
||||||
+ const char *X509_get_default_cert_dir_env(void);
|
|
||||||
+ const char *X509_get_default_cert_uri_env(void);
|
|
||||||
+
|
|
||||||
+=head1 DESCRIPTION
|
|
||||||
+
|
|
||||||
+The X509_get_default_cert_file() function returns the default path
|
|
||||||
+to a file containing trusted CA certificates. OpenSSL will use this as
|
|
||||||
+the default path when it is asked to load trusted CA certificates
|
|
||||||
+from a file and no other path is specified. If the file exists, CA certificates
|
|
||||||
+are loaded from the file.
|
|
||||||
+
|
|
||||||
+The X509_get_default_cert_dir() function returns a default delimeter-separated
|
|
||||||
+list of paths to a directories containing trusted CA certificates named in the
|
|
||||||
+hashed format. OpenSSL will use this as the default list of paths when it is
|
|
||||||
+asked to load trusted CA certificates from a directory and no other path is
|
|
||||||
+specified. If a given directory in the list exists, OpenSSL attempts to lookup
|
|
||||||
+CA certificates in this directory by calculating a filename based on a hash of
|
|
||||||
+the certificate's subject name.
|
|
||||||
+
|
|
||||||
+The X509_get_default_cert_uri() function returns the default URI for a
|
|
||||||
+certificate store accessed programmatically via an OpenSSL provider. If there is
|
|
||||||
+no default store applicable to the system for which OpenSSL was compiled, this
|
|
||||||
+returns an empty string.
|
|
||||||
+
|
|
||||||
+X509_get_default_cert_file_env() and X509_get_default_cert_uri_env() return
|
|
||||||
+environment variable names which are recommended to specify nondefault values to
|
|
||||||
+be used instead of the values returned by X509_get_default_cert_file() and
|
|
||||||
+X509_get_default_cert_uri() respectively. The values returned by the latter
|
|
||||||
+functions are not affected by these environment variables; you must check for
|
|
||||||
+these environment variables yourself, using these functions to retrieve the
|
|
||||||
+correct environment variable names. If an environment variable is not set, the
|
|
||||||
+value returned by the corresponding function above should be used.
|
|
||||||
+
|
|
||||||
+X509_get_default_cert_path_env() returns the environment variable name which is
|
|
||||||
+recommended to specify a nondefault value to be used instead of the value
|
|
||||||
+returned by X509_get_default_cert_dir(). This environment variable supercedes
|
|
||||||
+the deprecated environment variable whose name is returned by
|
|
||||||
+X509_get_default_cert_dir_env(). This environment variable was deprecated as its
|
|
||||||
+contents can be interpreted ambiguously; see NOTES.
|
|
||||||
+
|
|
||||||
+By default, OpenSSL uses the path list specified in the environment variable
|
|
||||||
+whose name is returned by X509_get_default_cert_path_env() if it is set;
|
|
||||||
+otherwise, it uses the path list specified in the environment variable whose
|
|
||||||
+name is returned by X509_get_default_cert_dir_env() if it is set; otherwise, it
|
|
||||||
+uses the value returned by X509_get_default_cert_dir()).
|
|
||||||
+
|
|
||||||
+=head1 NOTES
|
|
||||||
+
|
|
||||||
+X509_get_default_cert_uri(), X509_get_default_cert_uri_env() and
|
|
||||||
+X509_get_default_cert_path_env() were introduced in OpenSSL 3.1. Prior to this
|
|
||||||
+release, store URIs were expressed via the environment variable returned by
|
|
||||||
+X509_get_default_cert_dir_env(); this environment variable could be used to
|
|
||||||
+specify either a list of directories or a store URI. This creates an ambiguity
|
|
||||||
+in which the environment variable returned by X509_get_default_cert_dir_env() is
|
|
||||||
+interpreted both as a list of directories and as a store URI.
|
|
||||||
+
|
|
||||||
+This usage and the environment variable returned by
|
|
||||||
+X509_get_default_cert_dir_env() are now deprecated; to specify a store URI, use
|
|
||||||
+the environment variable returned by X509_get_default_cert_uri_env(), and to
|
|
||||||
+specify a list of directories, use the environment variable returned by
|
|
||||||
+X509_get_default_cert_path_env().
|
|
||||||
+
|
|
||||||
+=head1 RETURN VALUES
|
|
||||||
+
|
|
||||||
+These functions return pointers to constant strings with static storage
|
|
||||||
+duration.
|
|
||||||
+
|
|
||||||
+=head1 SEE ALSO
|
|
||||||
+
|
|
||||||
+L<X509_LOOKUP(3)>,
|
|
||||||
+L<SSL_CTX_set_default_verify_file(3)>,
|
|
||||||
+L<SSL_CTX_set_default_verify_dir(3)>,
|
|
||||||
+L<SSL_CTX_set_default_verify_store(3)>,
|
|
||||||
+L<SSL_CTX_load_verify_file(3)>,
|
|
||||||
+L<SSL_CTX_load_verify_dir(3)>,
|
|
||||||
+L<SSL_CTX_load_verify_store(3)>,
|
|
||||||
+L<SSL_CTX_load_verify_locations(3)>
|
|
||||||
+
|
|
||||||
+=head1 HISTORY
|
|
||||||
+
|
|
||||||
+X509_get_default_cert_uri(), X509_get_default_cert_path_env() and
|
|
||||||
+X509_get_default_cert_uri_env() were introduced in OpenSSL 3.1.
|
|
||||||
+
|
|
||||||
+=head1 COPYRIGHT
|
|
||||||
+
|
|
||||||
+Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
+
|
|
||||||
+Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
+this file except in compliance with the License. You can obtain a copy
|
|
||||||
+in the file LICENSE in the source distribution or at
|
|
||||||
+L<https://www.openssl.org/source/license.html>.
|
|
||||||
+
|
|
||||||
+=cut
|
|
||||||
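Review bot: the new X509_get_default_cert_file.pod has several wording errors in DESCRIPTION that will end up in the rendered man page: "delimeter-separated" should be "delimiter-separated", "paths to a directories" should be "paths to directories", "supercedes" should be "supersedes", and the last sentence of DESCRIPTION ends with an unbalanced parenthesis in `X509_get_default_cert_dir()).`. The DESCRIPTION also never states which delimiter separates the path list, which a reader setting SSL_CERT_PATH needs to know.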
--- a/include/internal/cryptlib.h
|
|
||||||
+++ b/include/internal/cryptlib.h
|
|
||||||
@@ -13,6 +13,8 @@
|
|
||||||
|
|
||||||
# include <stdlib.h>
|
|
||||||
# include <string.h>
|
|
||||||
+# include "openssl/configuration.h"
|
|
||||||
+# include "internal/e_os.h" /* ossl_inline in many files */
|
|
||||||
|
|
||||||
# ifdef OPENSSL_USE_APPLINK
|
|
||||||
# define BIO_FLAGS_UPLINK_INTERNAL 0x8000
|
|
||||||
@@ -77,6 +79,14 @@ DEFINE_LHASH_OF_EX(MEM);
|
|
||||||
# define CTLOG_FILE "OSSL$DATAROOT:[000000]ct_log_list.cnf"
|
|
||||||
# endif
|
|
||||||
|
|
||||||
+#ifndef OPENSSL_NO_WINSTORE
|
|
||||||
+# define X509_CERT_URI "org.openssl.winstore://"
|
|
||||||
+#else
|
|
||||||
+# define X509_CERT_URI ""
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+# define X509_CERT_URI_EVP "SSL_CERT_URI"
|
|
||||||
+# define X509_CERT_PATH_EVP "SSL_CERT_PATH"
|
|
||||||
# define X509_CERT_DIR_EVP "SSL_CERT_DIR"
|
|
||||||
# define X509_CERT_FILE_EVP "SSL_CERT_FILE"
|
|
||||||
# define CTLOG_FILE_EVP "CTLOG_FILE"
|
|
||||||
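Review bot: X509_CERT_URI is defined as the empty string when OPENSSL_NO_WINSTORE is set, so every consumer of the default URI has to treat "" as "no default store" instead of handing it to a store open call; say so in a comment on the #else branch, or leave the macro undefined and test it with #ifdef. The new #ifndef/#else/#endif lines start in column 0 while the surrounding block uses the nested "# define" indentation. SSL_CERT_URI and SSL_CERT_PATH are two more environment variables that can redirect trust-anchor lookup, so they should be read through the same getter as SSL_CERT_DIR and SSL_CERT_FILE and be listed next to them in the documentation.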
@@ -240,5 +250,4 @@ static ossl_inline int ossl_is_absolute_
|
|
||||||
# endif
|
|
||||||
return path[0] == '/';
|
|
||||||
}
|
|
||||||
-
|
|
||||||
#endif
|
|
||||||
--- a/include/internal/e_os.h
|
|
||||||
+++ b/include/internal/e_os.h
|
|
||||||
@@ -249,7 +249,7 @@ FILE *__iob_func();
|
|
||||||
/***********************************************/
|
|
||||||
|
|
||||||
# if defined(OPENSSL_SYS_WINDOWS)
|
|
||||||
-# if (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
|
|
||||||
+# if defined(_MSC_VER) && (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
|
|
||||||
# define open _open
|
|
||||||
# define fdopen _fdopen
|
|
||||||
# define close _close
|
|
||||||
--- a/include/openssl/x509.h.in
|
|
||||||
+++ b/include/openssl/x509.h.in
|
|
||||||
@@ -491,8 +491,11 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s
|
|
||||||
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj);
|
|
||||||
|
|
||||||
const char *X509_get_default_cert_area(void);
|
|
||||||
+const char *X509_get_default_cert_uri(void);
|
|
||||||
const char *X509_get_default_cert_dir(void);
|
|
||||||
const char *X509_get_default_cert_file(void);
|
|
||||||
+const char *X509_get_default_cert_uri_env(void);
|
|
||||||
+const char *X509_get_default_cert_path_env(void);
|
|
||||||
const char *X509_get_default_cert_dir_env(void);
|
|
||||||
const char *X509_get_default_cert_file_env(void);
|
|
||||||
const char *X509_get_default_private_dir(void);
|
|
||||||
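Review bot: X509_get_default_cert_path_env() is declared without a matching X509_get_default_cert_path(), unlike the uri, dir and file getters, which each come as a value/env pair. The cryptlib.h hunk likewise defines X509_CERT_PATH_EVP but no X509_CERT_PATH, so the asymmetry looks intended; state that in the man page so callers do not go looking for the missing function.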
--- a/providers/implementations/include/prov/implementations.h
|
|
||||||
+++ b/providers/implementations/include/prov/implementations.h
|
|
||||||
@@ -517,3 +517,4 @@ extern const OSSL_DISPATCH ossl_SubjectP
|
|
||||||
extern const OSSL_DISPATCH ossl_pem_to_der_decoder_functions[];
|
|
||||||
|
|
||||||
extern const OSSL_DISPATCH ossl_file_store_functions[];
|
|
||||||
+extern const OSSL_DISPATCH ossl_winstore_store_functions[];
|
|
||||||
--- a/providers/implementations/storemgmt/build.info
|
|
||||||
+++ b/providers/implementations/storemgmt/build.info
|
|
||||||
@@ -4,3 +4,6 @@
|
|
||||||
$STORE_GOAL=../../libdefault.a
|
|
||||||
|
|
||||||
SOURCE[$STORE_GOAL]=file_store.c file_store_any2obj.c
|
|
||||||
+IF[{- !$disabled{winstore} -}]
|
|
||||||
+ SOURCE[$STORE_GOAL]=winstore_store.c
|
|
||||||
+ENDIF
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/providers/implementations/storemgmt/winstore_store.c
|
|
||||||
@@ -0,0 +1,327 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
+ *
|
|
||||||
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
+ * this file except in compliance with the License. You can obtain a copy
|
|
||||||
+ * in the file LICENSE in the source distribution or at
|
|
||||||
+ * https://www.openssl.org/source/license.html
|
|
||||||
+ */
|
|
||||||
+#include <openssl/store.h>
|
|
||||||
+#include <openssl/core_dispatch.h>
|
|
||||||
+#include <openssl/core_names.h>
|
|
||||||
+#include <openssl/core_object.h>
|
|
||||||
+#include <openssl/bio.h>
|
|
||||||
+#include <openssl/err.h>
|
|
||||||
+#include <openssl/params.h>
|
|
||||||
+#include <openssl/decoder.h>
|
|
||||||
+#include <openssl/proverr.h>
|
|
||||||
+#include <openssl/store.h> /* The OSSL_STORE_INFO type numbers */
|
|
||||||
+#include "internal/cryptlib.h"
|
|
||||||
+#include "internal/o_dir.h"
|
|
||||||
+#include "crypto/decoder.h"
|
|
||||||
+#include "crypto/ctype.h" /* ossl_isdigit() */
|
|
||||||
+#include "prov/implementations.h"
|
|
||||||
+#include "prov/bio.h"
|
|
||||||
+#include "file_store_local.h"
|
|
||||||
+
|
|
||||||
+#include <wincrypt.h>
|
|
||||||
+
|
|
||||||
+enum {
|
|
||||||
+ STATE_IDLE,
|
|
||||||
+ STATE_READ,
|
|
||||||
+ STATE_EOF,
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+struct winstore_ctx_st {
|
|
||||||
+ void *provctx;
|
|
||||||
+ char *propq;
|
|
||||||
+ unsigned char *subject;
|
|
||||||
+ size_t subject_len;
|
|
||||||
+
|
|
||||||
+ HCERTSTORE win_store;
|
|
||||||
+ const CERT_CONTEXT *win_ctx;
|
|
||||||
+ int state;
|
|
||||||
+
|
|
||||||
+ OSSL_DECODER_CTX *dctx;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static void winstore_win_reset(struct winstore_ctx_st *ctx)
|
|
||||||
+{
|
|
||||||
+ if (ctx->win_ctx != NULL) {
|
|
||||||
+ CertFreeCertificateContext(ctx->win_ctx);
|
|
||||||
+ ctx->win_ctx = NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ctx->state = STATE_IDLE;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void winstore_win_advance(struct winstore_ctx_st *ctx)
|
|
||||||
+{
|
|
||||||
+ CERT_NAME_BLOB name = {0};
|
|
||||||
+
|
|
||||||
+ if (ctx->state == STATE_EOF)
|
|
||||||
+ return;
|
|
||||||
+
|
|
||||||
+ name.cbData = ctx->subject_len;
|
|
||||||
+ name.pbData = ctx->subject;
|
|
||||||
+
|
|
||||||
+ ctx->win_ctx = (name.cbData == 0 ? NULL :
|
|
||||||
+ CertFindCertificateInStore(ctx->win_store,
|
|
||||||
+ X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
|
|
||||||
+ 0, CERT_FIND_SUBJECT_NAME,
|
|
||||||
+ &name, ctx->win_ctx));
|
|
||||||
+
|
|
||||||
+ ctx->state = (ctx->win_ctx == NULL) ? STATE_EOF : STATE_READ;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void *winstore_open(void *provctx, const char *uri)
|
|
||||||
+{
|
|
||||||
+ struct winstore_ctx_st *ctx = NULL;
|
|
||||||
+
|
|
||||||
+ if (!HAS_CASE_PREFIX(uri, "org.openssl.winstore:"))
|
|
||||||
+ return NULL;
|
|
||||||
+
|
|
||||||
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
|
|
||||||
+ if (ctx == NULL)
|
|
||||||
+ return NULL;
|
|
||||||
+
|
|
||||||
+ ctx->provctx = provctx;
|
|
||||||
+ ctx->win_store = CertOpenSystemStoreW(0, L"ROOT");
|
|
||||||
+ if (ctx->win_store == NULL) {
|
|
||||||
+ OPENSSL_free(ctx);
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ winstore_win_reset(ctx);
|
|
||||||
+ return ctx;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void *winstore_attach(void *provctx, OSSL_CORE_BIO *cin)
|
|
||||||
+{
|
|
||||||
+ return NULL; /* not supported */
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static const OSSL_PARAM *winstore_settable_ctx_params(void *loaderctx, const OSSL_PARAM params[])
|
|
||||||
+{
|
|
||||||
+ static const OSSL_PARAM known_settable_ctx_params[] = {
|
|
||||||
+ OSSL_PARAM_octet_string(OSSL_STORE_PARAM_SUBJECT, NULL, 0),
|
|
||||||
+ OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, NULL, 0),
|
|
||||||
+ OSSL_PARAM_END
|
|
||||||
+ };
|
|
||||||
+ return known_settable_ctx_params;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int winstore_set_ctx_params(void *loaderctx, const OSSL_PARAM params[])
|
|
||||||
+{
|
|
||||||
+ struct winstore_ctx_st *ctx = loaderctx;
|
|
||||||
+ const OSSL_PARAM *p;
|
|
||||||
+ int do_reset = 0;
|
|
||||||
+
|
|
||||||
+ if (params == NULL)
|
|
||||||
+ return 1;
|
|
||||||
+
|
|
||||||
+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES);
|
|
||||||
+ if (p != NULL) {
|
|
||||||
+ do_reset = 1;
|
|
||||||
+ OPENSSL_free(ctx->propq);
|
|
||||||
+ ctx->propq = NULL;
|
|
||||||
+ if (!OSSL_PARAM_get_utf8_string(p, &ctx->propq, 0))
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SUBJECT);
|
|
||||||
+ if (p != NULL) {
|
|
||||||
+ const unsigned char *der = NULL;
|
|
||||||
+ size_t der_len = 0;
|
|
||||||
+
|
|
||||||
+ if (!OSSL_PARAM_get_octet_string_ptr(p, (const void **)&der, &der_len))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ do_reset = 1;
|
|
||||||
+
|
|
||||||
+ OPENSSL_free(ctx->subject);
|
|
||||||
+
|
|
||||||
+ ctx->subject = OPENSSL_malloc(der_len);
|
|
||||||
+ if (ctx->subject == NULL) {
|
|
||||||
+ ctx->subject_len = 0;
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ctx->subject_len = der_len;
|
|
||||||
+ memcpy(ctx->subject, der, der_len);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (do_reset) {
|
|
||||||
+ winstore_win_reset(ctx);
|
|
||||||
+ winstore_win_advance(ctx);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+struct load_data_st {
|
|
||||||
+ OSSL_CALLBACK *object_cb;
|
|
||||||
+ void *object_cbarg;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static int load_construct(OSSL_DECODER_INSTANCE *decoder_inst,
|
|
||||||
+ const OSSL_PARAM *params, void *construct_data)
|
|
||||||
+{
|
|
||||||
+ struct load_data_st *data = construct_data;
|
|
||||||
+ return data->object_cb(params, data->object_cbarg);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void load_cleanup(void *construct_data)
|
|
||||||
+{
|
|
||||||
+ /* No-op. */
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int setup_decoder(struct winstore_ctx_st *ctx)
|
|
||||||
+{
|
|
||||||
+ OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(ctx->provctx);
|
|
||||||
+ const OSSL_ALGORITHM *to_algo = NULL;
|
|
||||||
+
|
|
||||||
+ if (ctx->dctx != NULL)
|
|
||||||
+ return 1;
|
|
||||||
+
|
|
||||||
+ ctx->dctx = OSSL_DECODER_CTX_new();
|
|
||||||
+ if (ctx->dctx == NULL) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!OSSL_DECODER_CTX_set_input_type(ctx->dctx, "DER")) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!OSSL_DECODER_CTX_set_input_structure(ctx->dctx, "Certificate")) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ for (to_algo = ossl_any_to_obj_algorithm;
|
|
||||||
+ to_algo->algorithm_names != NULL;
|
|
||||||
+ to_algo++) {
|
|
||||||
+ OSSL_DECODER *to_obj = NULL;
|
|
||||||
+ OSSL_DECODER_INSTANCE *to_obj_inst = NULL;
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * Create the internal last resort decoder implementation
|
|
||||||
+ * together with a "decoder instance".
|
|
||||||
+ * The decoder doesn't need any identification or to be
|
|
||||||
+ * attached to any provider, since it's only used locally.
|
|
||||||
+ */
|
|
||||||
+ to_obj = ossl_decoder_from_algorithm(0, to_algo, NULL);
|
|
||||||
+ if (to_obj != NULL)
|
|
||||||
+ to_obj_inst = ossl_decoder_instance_new(to_obj, ctx->provctx);
|
|
||||||
+
|
|
||||||
+ OSSL_DECODER_free(to_obj);
|
|
||||||
+ if (to_obj_inst == NULL)
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
+ if (!ossl_decoder_ctx_add_decoder_inst(ctx->dctx,
|
|
||||||
+ to_obj_inst)) {
|
|
||||||
+ ossl_decoder_instance_free(to_obj_inst);
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!OSSL_DECODER_CTX_add_extra(ctx->dctx, libctx, ctx->propq)) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!OSSL_DECODER_CTX_set_construct(ctx->dctx, load_construct)) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!OSSL_DECODER_CTX_set_cleanup(ctx->dctx, load_cleanup)) {
|
|
||||||
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
+
|
|
||||||
+err:
|
|
||||||
+ OSSL_DECODER_CTX_free(ctx->dctx);
|
|
||||||
+ ctx->dctx = NULL;
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int winstore_load_using(struct winstore_ctx_st *ctx,
|
|
||||||
+ OSSL_CALLBACK *object_cb, void *object_cbarg,
|
|
||||||
+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg,
|
|
||||||
+ const void *der, size_t der_len)
|
|
||||||
+{
|
|
||||||
+ struct load_data_st data;
|
|
||||||
+ const unsigned char *der_ = der;
|
|
||||||
+ size_t der_len_ = der_len;
|
|
||||||
+
|
|
||||||
+ if (setup_decoder(ctx) == 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ data.object_cb = object_cb;
|
|
||||||
+ data.object_cbarg = object_cbarg;
|
|
||||||
+
|
|
||||||
+ OSSL_DECODER_CTX_set_construct_data(ctx->dctx, &data);
|
|
||||||
+ OSSL_DECODER_CTX_set_passphrase_cb(ctx->dctx, pw_cb, pw_cbarg);
|
|
||||||
+
|
|
||||||
+ if (OSSL_DECODER_from_data(ctx->dctx, &der_, &der_len_) == 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int winstore_load(void *loaderctx,
|
|
||||||
+ OSSL_CALLBACK *object_cb, void *object_cbarg,
|
|
||||||
+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
|
|
||||||
+{
|
|
||||||
+ int ret = 0;
|
|
||||||
+ struct winstore_ctx_st *ctx = loaderctx;
|
|
||||||
+
|
|
||||||
+ if (ctx->state != STATE_READ)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ ret = winstore_load_using(ctx, object_cb, object_cbarg, pw_cb, pw_cbarg,
|
|
||||||
+ ctx->win_ctx->pbCertEncoded,
|
|
||||||
+ ctx->win_ctx->cbCertEncoded);
|
|
||||||
+
|
|
||||||
+ if (ret == 1)
|
|
||||||
+ winstore_win_advance(ctx);
|
|
||||||
+
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int winstore_eof(void *loaderctx)
|
|
||||||
+{
|
|
||||||
+ struct winstore_ctx_st *ctx = loaderctx;
|
|
||||||
+
|
|
||||||
+ return ctx->state != STATE_READ;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int winstore_close(void *loaderctx)
|
|
||||||
+{
|
|
||||||
+ struct winstore_ctx_st *ctx = loaderctx;
|
|
||||||
+
|
|
||||||
+ winstore_win_reset(ctx);
|
|
||||||
+ CertCloseStore(ctx->win_store, 0);
|
|
||||||
+ OSSL_DECODER_CTX_free(ctx->dctx);
|
|
||||||
+ OPENSSL_free(ctx->propq);
|
|
||||||
+ OPENSSL_free(ctx->subject);
|
|
||||||
+ OPENSSL_free(ctx);
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+const OSSL_DISPATCH ossl_winstore_store_functions[] = {
|
|
||||||
+ { OSSL_FUNC_STORE_OPEN, (void (*)(void))winstore_open },
|
|
||||||
+ { OSSL_FUNC_STORE_ATTACH, (void (*)(void))winstore_attach },
|
|
||||||
+ { OSSL_FUNC_STORE_SETTABLE_CTX_PARAMS, (void (*)(void))winstore_settable_ctx_params },
|
|
||||||
+ { OSSL_FUNC_STORE_SET_CTX_PARAMS, (void (*)(void))winstore_set_ctx_params },
|
|
||||||
+ { OSSL_FUNC_STORE_LOAD, (void (*)(void))winstore_load },
|
|
||||||
+ { OSSL_FUNC_STORE_EOF, (void (*)(void))winstore_eof },
|
|
||||||
+ { OSSL_FUNC_STORE_CLOSE, (void (*)(void))winstore_close },
|
|
||||||
+ { 0, NULL },
|
|
||||||
+};
|
|
||||||
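Review bot: winstore_open() only checks that the URI starts with "org.openssl.winstore:" and then ignores the rest, always opening the ROOT system store through CertOpenSystemStoreW(0, L"ROOT"); a non-empty remainder should be rejected, or the fact that it is ignored documented, so a caller cannot believe it selected a different store. In winstore_set_ctx_params() a zero-length OSSL_STORE_PARAM_SUBJECT reaches OPENSSL_malloc(der_len) with der_len == 0 and a NULL result there is treated as failure, and the size_t subject_len is later assigned to name.cbData in winstore_win_advance() without a range check; handle the empty case explicitly and reject lengths that do not fit. setup_decoder() returns early once ctx->dctx exists, so a PROPERTIES value set after the first load never reaches OSSL_DECODER_CTX_add_extra(); free dctx when propq changes. <openssl/store.h> is included twice.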
--- a/providers/stores.inc
|
|
||||||
+++ b/providers/stores.inc
|
|
||||||
@@ -12,3 +12,6 @@
|
|
||||||
#endif
|
|
||||||
|
|
||||||
STORE("file", "yes", ossl_file_store_functions)
|
|
||||||
+#ifndef OPENSSL_NO_WINSTORE
|
|
||||||
+STORE("org.openssl.winstore", "yes", ossl_winstore_store_functions)
|
|
||||||
+#endif
|
|
||||||
--- a/util/libcrypto.num
|
|
||||||
+++ b/util/libcrypto.num
|
|
||||||
@@ -5435,4 +5435,7 @@ EVP_MD_CTX_dup
|
|
||||||
EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:
|
|
||||||
BN_are_coprime 5564 3_1_0 EXIST::FUNCTION:
|
|
||||||
OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP
|
|
||||||
+X509_get_default_cert_uri ? 3_1_0 EXIST::FUNCTION:
|
|
||||||
+X509_get_default_cert_uri_env ? 3_1_0 EXIST::FUNCTION:
|
|
||||||
+X509_get_default_cert_path_env ? 3_1_0 EXIST::FUNCTION:
|
|
||||||
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
|
||||||
--- a/util/missingcrypto.txt
|
|
||||||
+++ b/util/missingcrypto.txt
|
|
||||||
@@ -1273,10 +1273,6 @@ X509_get0_trust_objects(3)
|
|
||||||
X509_get1_email(3)
|
|
||||||
X509_get1_ocsp(3)
|
|
||||||
X509_get_default_cert_area(3)
|
|
||||||
-X509_get_default_cert_dir(3)
|
|
||||||
-X509_get_default_cert_dir_env(3)
|
|
||||||
-X509_get_default_cert_file(3)
|
|
||||||
-X509_get_default_cert_file_env(3)
|
|
||||||
X509_get_default_private_dir(3)
|
|
||||||
X509_get_pubkey_parameters(3)
|
|
||||||
X509_get_signature_type(3)
|
|
@ -1,172 +0,0 @@
|
|||||||
From ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6 Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Fri, 20 Oct 2023 09:18:19 +0200
Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet

We already check for an excessively large P in DH_generate_key(), but not in
DH_check_pub_key(), and none of them check for an excessively large Q.

This change adds all the missing excessive size checks of P and Q.

It's to be noted that behaviours surrounding excessively sized P and Q
differ. DH_check() raises an error on the excessively sized P, but only
sets a flag for the excessively sized Q. This behaviour is mimicked in
DH_check_pub_key().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22518)
---
crypto/dh/dh_check.c | 12 ++++++++++++
crypto/dh/dh_err.c | 3 ++-
crypto/dh/dh_key.c | 12 ++++++++++++
crypto/err/openssl.txt | 1 +
include/crypto/dherr.h | 2 +-
include/openssl/dh.h | 6 +++---
include/openssl/dherr.h | 3 ++-
7 files changed, 33 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
|
|
||||||
index 7ba2beae7fd6b..e20eb62081c5e 100644
|
|
||||||
--- a/crypto/dh/dh_check.c
|
|
||||||
+++ b/crypto/dh/dh_check.c
|
|
||||||
@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
|
|
||||||
*/
|
|
||||||
int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
|
|
||||||
{
|
|
||||||
+ /* Don't do any checks at all with an excessively large modulus */
|
|
||||||
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
|
|
||||||
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
|
|
||||||
+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
|
|
||||||
+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
|
|
||||||
}
|
|
||||||
|
|
||||||
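Review bot: In the second added branch of DH_check_pub_key(), "*ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;" ORs into *ret before anything in this function has assigned it, so the result depends on what the caller left in the variable; use plain assignment as the first branch does, or set *ret = 0 at the top. The two branches also differ in return value (0 with an error raised for the oversized P, 1 with only flags for q greater than p); the commit message explains this, and a short comment at the second branch would keep it from reading as an oversight. The q test here is a comparison against p, not a bit-length bound, which is worth stating in that comment since the message speaks of excessive size checks.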
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
|
|
||||||
index 4152397426cc9..f76ac0dd1463f 100644
|
|
||||||
--- a/crypto/dh/dh_err.c
|
|
||||||
+++ b/crypto/dh/dh_err.c
|
|
||||||
@@ -1,6 +1,6 @@
|
|
||||||
/*
|
|
||||||
* Generated by util/mkerr.pl DO NOT EDIT
|
|
||||||
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
|
||||||
@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
|
|
||||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
|
|
||||||
"parameter encoding error"},
|
|
||||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
|
|
||||||
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
|
|
||||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
|
|
||||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
|
|
||||||
"unable to check generator"},
|
|
||||||
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
|
|
||||||
index d84ea99241b9e..afc49f5cdc87d 100644
|
|
||||||
--- a/crypto/dh/dh_key.c
|
|
||||||
+++ b/crypto/dh/dh_key.c
|
|
||||||
@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (dh->params.q != NULL
|
|
||||||
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
|
||||||
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
|
|
||||||
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
|
|
||||||
return 0;
|
|
||||||
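Review bot: The new q check in ossl_dh_compute_key() bounds q with OPENSSL_DH_MAX_MODULUS_BITS, while the dh_check.c hunk rejects q by comparing it with p (BN_ucmp(dh->params.p, dh->params.q) < 0), so a q that is larger than p but still under the bit limit passes here and in generate_key(). If that is intended because only the cost of the computation matters at this point, say so in a comment; otherwise use the same comparison in both places. The block leaves through "goto err" while the modulus-too-small check directly below it uses "return 0"; confirm the err label has nothing to release yet, or align the two.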
@@ -267,6 +273,12 @@ static int generate_key(DH *dh)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (dh->params.q != NULL
|
|
||||||
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
|
||||||
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
|
|
||||||
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
|
|
||||||
return 0;
|
|
||||||
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
|
|
||||||
index a1e6bbb617fcb..69e4f61aa1801 100644
|
|
||||||
--- a/crypto/err/openssl.txt
|
|
||||||
+++ b/crypto/err/openssl.txt
|
|
||||||
@@ -513,6 +513,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
|
|
||||||
DH_R_NO_PRIVATE_VALUE:100:no private value
|
|
||||||
DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
|
|
||||||
DH_R_PEER_KEY_ERROR:111:peer key error
|
|
||||||
+DH_R_Q_TOO_LARGE:130:q too large
|
|
||||||
DH_R_SHARED_INFO_ERROR:113:shared info error
|
|
||||||
DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
|
|
||||||
DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
|
|
||||||
diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
|
|
||||||
index bb24d131eb887..519327f795742 100644
|
|
||||||
--- a/include/crypto/dherr.h
|
|
||||||
+++ b/include/crypto/dherr.h
|
|
||||||
@@ -1,6 +1,6 @@
|
|
||||||
/*
|
|
||||||
* Generated by util/mkerr.pl DO NOT EDIT
|
|
||||||
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
|
||||||
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
|
|
||||||
index 8bc17448a0817..f1c0ed06b375a 100644
|
|
||||||
--- a/include/openssl/dh.h
|
|
||||||
+++ b/include/openssl/dh.h
|
|
||||||
@@ -144,7 +144,7 @@ DECLARE_ASN1_ITEM(DHparams)
|
|
||||||
# define DH_GENERATOR_3 3
|
|
||||||
# define DH_GENERATOR_5 5
|
|
||||||
|
|
||||||
-/* DH_check error codes */
|
|
||||||
+/* DH_check error codes, some of them shared with DH_check_pub_key */
|
|
||||||
/*
|
|
||||||
* NB: These values must align with the equivalently named macros in
|
|
||||||
* internal/ffc.h.
|
|
||||||
@@ -154,10 +154,10 @@ DECLARE_ASN1_ITEM(DHparams)
|
|
||||||
# define DH_UNABLE_TO_CHECK_GENERATOR 0x04
|
|
||||||
# define DH_NOT_SUITABLE_GENERATOR 0x08
|
|
||||||
# define DH_CHECK_Q_NOT_PRIME 0x10
|
|
||||||
-# define DH_CHECK_INVALID_Q_VALUE 0x20
|
|
||||||
+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
|
|
||||||
# define DH_CHECK_INVALID_J_VALUE 0x40
|
|
||||||
# define DH_MODULUS_TOO_SMALL 0x80
|
|
||||||
-# define DH_MODULUS_TOO_LARGE 0x100
|
|
||||||
+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */
|
|
||||||
|
|
||||||
/* DH_check_pub_key error codes */
|
|
||||||
# define DH_CHECK_PUBKEY_TOO_SMALL 0x01
|
|
||||||
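Review bot: DH_CHECK_INVALID_Q_VALUE (0x20) and DH_MODULUS_TOO_LARGE (0x100) are now reported through the same *ret as the DH_check_pub_key codes that begin at DH_CHECK_PUBKEY_TOO_SMALL 0x01, so the header should state that the two sets share one bit space and that no DH_CHECK_PUBKEY_* value may reuse 0x20 or 0x100. The trailing "/* +DH_check_pub_key */" markers are too terse for a public header; spell out "also returned by DH_check_pub_key()".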
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
|
|
||||||
index 5d2a762a96f8c..074a70145f9f5 100644
|
|
||||||
--- a/include/openssl/dherr.h
|
|
||||||
+++ b/include/openssl/dherr.h
|
|
||||||
@@ -1,6 +1,6 @@
|
|
||||||
/*
|
|
||||||
* Generated by util/mkerr.pl DO NOT EDIT
|
|
||||||
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
|
||||||
@@ -50,6 +50,7 @@
|
|
||||||
# define DH_R_NO_PRIVATE_VALUE 100
|
|
||||||
# define DH_R_PARAMETER_ENCODING_ERROR 105
|
|
||||||
# define DH_R_PEER_KEY_ERROR 111
|
|
||||||
+# define DH_R_Q_TOO_LARGE 130
|
|
||||||
# define DH_R_SHARED_INFO_ERROR 113
|
|
||||||
# define DH_R_UNABLE_TO_CHECK_GENERATOR 121
|
|
||||||
|
|
@ -1,27 +1,7 @@
|
|||||||
Index: openssl-3.0.0-alpha7/ssl/ssl_ciph.c
|
Index: openssl-3.2.0/test/recipes/99-test_suse_default_ciphers.t
|
||||||
===================================================================
|
|
||||||
--- openssl-3.0.0-alpha7.orig/ssl/ssl_ciph.c
|
|
||||||
+++ openssl-3.0.0-alpha7/ssl/ssl_ciph.c
|
|
||||||
@@ -1592,7 +1592,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
*/
|
|
||||||
ok = 1;
|
|
||||||
rule_p = rule_str;
|
|
||||||
- if (strncmp(rule_str, "DEFAULT", 7) == 0) {
|
|
||||||
+ if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) {
|
|
||||||
+ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
|
|
||||||
+ &head, &tail, ca_list, c);
|
|
||||||
+ rule_p += 12;
|
|
||||||
+ if (*rule_p == ':')
|
|
||||||
+ rule_p++;
|
|
||||||
+ }
|
|
||||||
+ else if (strncmp(rule_str, "DEFAULT", 7) == 0) {
|
|
||||||
ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(),
|
|
||||||
&head, &tail, ca_list, c);
|
|
||||||
rule_p += 7;
|
|
||||||
Index: openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
|
|
||||||
===================================================================
|
===================================================================
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
|
+++ openssl-3.2.0/test/recipes/99-test_suse_default_ciphers.t
|
||||||
@@ -0,0 +1,23 @@
|
@@ -0,0 +1,23 @@
|
||||||
+#! /usr/bin/env perl
|
+#! /usr/bin/env perl
|
||||||
+
|
+
|
||||||
@ -46,11 +26,11 @@ Index: openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
|
|||||||
+ "$cipherlist should contain TLSv1.3 ciphers\n");
|
+ "$cipherlist should contain TLSv1.3 ciphers\n");
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
Index: openssl-3.0.0-alpha7/include/openssl/ssl.h.in
|
Index: openssl-3.2.0/include/openssl/ssl.h.in
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssl-3.0.0-alpha7.orig/include/openssl/ssl.h.in
|
--- openssl-3.2.0.orig/include/openssl/ssl.h.in
|
||||||
+++ openssl-3.0.0-alpha7/include/openssl/ssl.h.in
|
+++ openssl-3.2.0/include/openssl/ssl.h.in
|
||||||
@@ -189,6 +189,11 @@ extern "C" {
|
@@ -194,6 +194,11 @@ extern "C" {
|
||||||
*/
|
*/
|
||||||
# ifndef OPENSSL_NO_DEPRECATED_3_0
|
# ifndef OPENSSL_NO_DEPRECATED_3_0
|
||||||
# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
|
# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
|
||||||
@ -62,3 +42,23 @@ Index: openssl-3.0.0-alpha7/include/openssl/ssl.h.in
|
|||||||
/*
|
/*
|
||||||
* This is the default set of TLSv1.3 ciphersuites
|
* This is the default set of TLSv1.3 ciphersuites
|
||||||
* DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()
|
* DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()
|
||||||
|
Index: openssl-3.2.0/ssl/ssl_ciph.c
|
||||||
|
===================================================================
|
||||||
|
--- openssl-3.2.0.orig/ssl/ssl_ciph.c
|
||||||
|
+++ openssl-3.2.0/ssl/ssl_ciph.c
|
||||||
|
@@ -1623,7 +1623,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
|
*/
|
||||||
|
ok = 1;
|
||||||
|
rule_p = rule_str;
|
||||||
|
- if (HAS_PREFIX(rule_str, "DEFAULT")) {
|
||||||
|
+ if (HAS_PREFIX(rule_str, "DEFAULT_SUSE")) {
|
||||||
|
+ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
|
||||||
|
+ &head, &tail, ca_list, c);
|
||||||
|
+ rule_p += 12;
|
||||||
|
+ if (*rule_p == ':')
|
||||||
|
+ rule_p++;
|
||||||
|
+ }
|
||||||
|
+ else if (HAS_PREFIX(rule_str, "DEFAULT")) {
|
||||||
|
ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(),
|
||||||
|
&head, &tail, ca_list, c);
|
||||||
|
rule_p += 7;
|
||||||
|
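Review bot: In the refreshed ssl_ciph.c hunk, "rule_p += 12;" hard-codes the length of "DEFAULT_SUSE" next to the HAS_PREFIX() test; derive it from the literal (sizeof("DEFAULT_SUSE") - 1) so the two cannot drift apart. The branch order matters, since "DEFAULT_SUSE" also has the prefix "DEFAULT", and a one-line comment saying the longer keyword must be tested first would protect against a later reordering. HAS_PREFIX() accepts any rule string that merely begins with DEFAULT_SUSE and only a following ':' is skipped, so the test recipe should also cover DEFAULT_SUSE followed by further rules.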
@ -1,495 +0,0 @@
|
|||||||
From 3d3a7ecd1ae5ab08d22041f7b3b035c34f12fa02 Mon Sep 17 00:00:00 2001
From: Danny Tsen <dtsen@linux.ibm.com>
Date: Tue, 22 Aug 2023 15:58:53 -0400
Subject: [PATCH] Improve performance for 6x unrolling with vpermxor
instruction

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21812)
---
crypto/aes/asm/aesp8-ppc.pl | 145 +++++++++++++++++++++++-------------
1 file changed, 95 insertions(+), 50 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl
|
|
||||||
index 60cf86f52aed2..38b9405a283b7 100755
|
|
||||||
--- a/crypto/aes/asm/aesp8-ppc.pl
|
|
||||||
+++ b/crypto/aes/asm/aesp8-ppc.pl
|
|
||||||
@@ -99,11 +99,12 @@
|
|
||||||
.long 0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000 ?rev
|
|
||||||
.long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev
|
|
||||||
.long 0,0,0,0 ?asis
|
|
||||||
+.long 0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe
|
|
||||||
Lconsts:
|
|
||||||
mflr r0
|
|
||||||
bcl 20,31,\$+4
|
|
||||||
mflr $ptr #vvvvv "distance between . and rcon
|
|
||||||
- addi $ptr,$ptr,-0x48
|
|
||||||
+ addi $ptr,$ptr,-0x58
|
|
||||||
mtlr r0
|
|
||||||
blr
|
|
||||||
.long 0
|
|
||||||
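Review bot: The added table row ".long 0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe" carries neither the ?rev nor the ?asis marker that every neighbouring row has, so the source does not show how it is meant to be laid out on little-endian builds; add the marker, or a comment stating that none is wanted. The row is also unlabelled: name it in a comment as the vpermxor control vector and note that the Lconsts offset moved from -0x48 to -0x58 because of it.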
@@ -2405,7 +2406,7 @@ ()
|
|
||||||
my $key_=$key2;
|
|
||||||
my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31));
|
|
||||||
$x00=0 if ($flavour =~ /osx/);
|
|
||||||
-my ($in0, $in1, $in2, $in3, $in4, $in5 )=map("v$_",(0..5));
|
|
||||||
+my ($in0, $in1, $in2, $in3, $in4, $in5)=map("v$_",(0..5));
|
|
||||||
my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16));
|
|
||||||
my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22));
|
|
||||||
my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
|
|
||||||
@@ -2460,6 +2461,18 @@ ()
|
|
||||||
li $x70,0x70
|
|
||||||
mtspr 256,r0
|
|
||||||
|
|
||||||
+ # Reverse eighty7 to 0x010101..87
|
|
||||||
+ xxlor 2, 32+$eighty7, 32+$eighty7
|
|
||||||
+ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87
|
|
||||||
+ xxlor 1, 32+$eighty7, 32+$eighty7
|
|
||||||
+
|
|
||||||
+ # Load XOR contents. 0xf102132435465768798a9bacbdcedfe
|
|
||||||
+ mr $x70, r6
|
|
||||||
+ bl Lconsts
|
|
||||||
+ lxvw4x 0, $x40, r6 # load XOR contents
|
|
||||||
+ mr r6, $x70
|
|
||||||
+ li $x70,0x70
|
|
||||||
+
|
|
||||||
subi $rounds,$rounds,3 # -4 in total
|
|
||||||
|
|
||||||
lvx $rndkey0,$x00,$key1 # load key schedule
|
|
||||||
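Review bot: The added block addresses the constant table through a literal r6 ("mr $x70, r6", "lxvw4x 0, $x40, r6", "mr r6, $x70") although Lconsts returns its pointer in $ptr, so it silently assumes that $ptr is r6 and that $x40 already holds 0x40; use the symbolic name and say in a comment that offset 0x40 selects the new table row. VSX registers 0, 1 and 2 are used as bare numbers for the permute vector and the two forms of eighty7; a short legend of what each holds would make the later "xxlor 32+$eighty7, 1, 1" readable. The constant in the comment, 0xf102132435465768798a9bacbdcedfe, drops the leading zero of the table value.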
@@ -2502,69 +2515,77 @@ ()
|
|
||||||
?vperm v31,v31,$twk5,$keyperm
|
|
||||||
lvx v25,$x10,$key_ # pre-load round[2]
|
|
||||||
|
|
||||||
+ # Switch to use the following codes with 0x010101..87 to generate tweak.
|
|
||||||
+ # eighty7 = 0x010101..87
|
|
||||||
+ # vsrab tmp, tweak, seven # next tweak value, right shift 7 bits
|
|
||||||
+ # vand tmp, tmp, eighty7 # last byte with carry
|
|
||||||
+ # vaddubm tweak, tweak, tweak # left shift 1 bit (x2)
|
|
||||||
+ # xxlor vsx, 0, 0
|
|
||||||
+ # vpermxor tweak, tweak, tmp, vsx
|
|
||||||
+
|
|
||||||
vperm $in0,$inout,$inptail,$inpperm
|
|
||||||
subi $inp,$inp,31 # undo "caller"
|
|
||||||
vxor $twk0,$tweak,$rndkey0
|
|
||||||
vsrab $tmp,$tweak,$seven # next tweak value
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
vxor $out0,$in0,$twk0
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in1, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in1
|
|
||||||
|
|
||||||
lvx_u $in1,$x10,$inp
|
|
||||||
vxor $twk1,$tweak,$rndkey0
|
|
||||||
vsrab $tmp,$tweak,$seven # next tweak value
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
le?vperm $in1,$in1,$in1,$leperm
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
vxor $out1,$in1,$twk1
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in2, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in2
|
|
||||||
|
|
||||||
lvx_u $in2,$x20,$inp
|
|
||||||
andi. $taillen,$len,15
|
|
||||||
vxor $twk2,$tweak,$rndkey0
|
|
||||||
vsrab $tmp,$tweak,$seven # next tweak value
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
le?vperm $in2,$in2,$in2,$leperm
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
vxor $out2,$in2,$twk2
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in3, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in3
|
|
||||||
|
|
||||||
lvx_u $in3,$x30,$inp
|
|
||||||
sub $len,$len,$taillen
|
|
||||||
vxor $twk3,$tweak,$rndkey0
|
|
||||||
vsrab $tmp,$tweak,$seven # next tweak value
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
le?vperm $in3,$in3,$in3,$leperm
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
vxor $out3,$in3,$twk3
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in4, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in4
|
|
||||||
|
|
||||||
lvx_u $in4,$x40,$inp
|
|
||||||
subi $len,$len,0x60
|
|
||||||
vxor $twk4,$tweak,$rndkey0
|
|
||||||
vsrab $tmp,$tweak,$seven # next tweak value
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
le?vperm $in4,$in4,$in4,$leperm
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
vxor $out4,$in4,$twk4
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in5, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in5
|
|
||||||
|
|
||||||
lvx_u $in5,$x50,$inp
|
|
||||||
addi $inp,$inp,0x60
|
|
||||||
vxor $twk5,$tweak,$rndkey0
|
|
||||||
vsrab $tmp,$tweak,$seven # next tweak value
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
le?vperm $in5,$in5,$in5,$leperm
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
vxor $out5,$in5,$twk5
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in0, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in0
|
|
||||||
|
|
||||||
vxor v31,v31,$rndkey0
|
|
||||||
mtctr $rounds
|
|
||||||
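Review bot: each `xxlor 32+$inN, 0, 0` / `vpermxor $tweak, $tweak, $tmp, $inN` pair depends on an ordering constraint that nothing in the hunk documents. The selector is copied into `$in1` to `$in5` just before the `lvx_u` that loads the same register, and into `$in0` only after `vxor $out0,$in0,$twk0` has consumed it, so reordering any of these loads or uses silently corrupts either the tweak or an input block. Either keep the selector in a dedicated vector register for the whole function, which also removes six copies of a loop-invariant value, or add a comment at the first pair stating that `$inN` is used as scratch and must be dead at that point.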
@@ -2590,6 +2611,8 @@ ()
|
|
||||||
lvx v25,$x10,$key_ # round[4]
|
|
||||||
bdnz Loop_xts_enc6x
|
|
||||||
|
|
||||||
+ xxlor 32+$eighty7, 1, 1 # 0x010101..87
|
|
||||||
+
|
|
||||||
subic $len,$len,96 # $len-=96
|
|
||||||
vxor $in0,$twk0,v31 # xor with last round key
|
|
||||||
vcipher $out0,$out0,v24
|
|
||||||
@@ -2599,7 +2622,6 @@ ()
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
vcipher $out2,$out2,v24
|
|
||||||
vcipher $out3,$out3,v24
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
vcipher $out4,$out4,v24
|
|
||||||
vcipher $out5,$out5,v24
|
|
||||||
|
|
||||||
@@ -2607,7 +2629,8 @@ ()
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
vcipher $out0,$out0,v25
|
|
||||||
vcipher $out1,$out1,v25
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in1, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in1
|
|
||||||
vcipher $out2,$out2,v25
|
|
||||||
vcipher $out3,$out3,v25
|
|
||||||
vxor $in1,$twk1,v31
|
|
||||||
@@ -2618,13 +2641,13 @@ ()
|
|
||||||
|
|
||||||
and r0,r0,$len
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
vcipher $out0,$out0,v26
|
|
||||||
vcipher $out1,$out1,v26
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
vcipher $out2,$out2,v26
|
|
||||||
vcipher $out3,$out3,v26
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in2, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in2
|
|
||||||
vcipher $out4,$out4,v26
|
|
||||||
vcipher $out5,$out5,v26
|
|
||||||
|
|
||||||
@@ -2638,7 +2661,6 @@ ()
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
vcipher $out0,$out0,v27
|
|
||||||
vcipher $out1,$out1,v27
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
vcipher $out2,$out2,v27
|
|
||||||
vcipher $out3,$out3,v27
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
@@ -2646,7 +2668,8 @@ ()
|
|
||||||
vcipher $out5,$out5,v27
|
|
||||||
|
|
||||||
addi $key_,$sp,$FRAME+15 # rewind $key_
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in3, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in3
|
|
||||||
vcipher $out0,$out0,v28
|
|
||||||
vcipher $out1,$out1,v28
|
|
||||||
vxor $in3,$twk3,v31
|
|
||||||
@@ -2655,7 +2678,6 @@ ()
|
|
||||||
vcipher $out2,$out2,v28
|
|
||||||
vcipher $out3,$out3,v28
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
vcipher $out4,$out4,v28
|
|
||||||
vcipher $out5,$out5,v28
|
|
||||||
lvx v24,$x00,$key_ # re-pre-load round[1]
|
|
||||||
@@ -2663,7 +2685,8 @@ ()
|
|
||||||
|
|
||||||
vcipher $out0,$out0,v29
|
|
||||||
vcipher $out1,$out1,v29
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in4, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in4
|
|
||||||
vcipher $out2,$out2,v29
|
|
||||||
vcipher $out3,$out3,v29
|
|
||||||
vxor $in4,$twk4,v31
|
|
||||||
@@ -2673,14 +2696,14 @@ ()
|
|
||||||
vcipher $out5,$out5,v29
|
|
||||||
lvx v25,$x10,$key_ # re-pre-load round[2]
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
|
|
||||||
vcipher $out0,$out0,v30
|
|
||||||
vcipher $out1,$out1,v30
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
vcipher $out2,$out2,v30
|
|
||||||
vcipher $out3,$out3,v30
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in5, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in5
|
|
||||||
vcipher $out4,$out4,v30
|
|
||||||
vcipher $out5,$out5,v30
|
|
||||||
vxor $in5,$twk5,v31
|
|
||||||
@@ -2690,7 +2713,6 @@ ()
|
|
||||||
vcipherlast $out0,$out0,$in0
|
|
||||||
lvx_u $in0,$x00,$inp # load next input block
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
vcipherlast $out1,$out1,$in1
|
|
||||||
lvx_u $in1,$x10,$inp
|
|
||||||
vcipherlast $out2,$out2,$in2
|
|
||||||
@@ -2703,7 +2725,10 @@ ()
|
|
||||||
vcipherlast $out4,$out4,$in4
|
|
||||||
le?vperm $in2,$in2,$in2,$leperm
|
|
||||||
lvx_u $in4,$x40,$inp
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 10, 32+$in0, 32+$in0
|
|
||||||
+ xxlor 32+$in0, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in0
|
|
||||||
+ xxlor 32+$in0, 10, 10
|
|
||||||
vcipherlast $tmp,$out5,$in5 # last block might be needed
|
|
||||||
# in stealing mode
|
|
||||||
le?vperm $in3,$in3,$in3,$leperm
|
|
||||||
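Review bot: `xxlor 10, 32+$in0, 32+$in0` and `xxlor 32+$in0, 10, 10` use VSR 10 as an unnamed spill slot with no comment explaining why this one tweak update needs a save and restore when the others do not. The reason appears to be that `$in0` already holds the next input block from `lvx_u $in0,$x00,$inp` in the preceding hunk; say so in a comment and document VSR 10 alongside VSR 0 to 2. If another vector register is dead at this point, using it as the `vpermxor` selector would remove the two extra moves from the loop.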
@@ -2736,6 +2761,8 @@ ()
|
|
||||||
mtctr $rounds
|
|
||||||
beq Loop_xts_enc6x # did $len-=96 borrow?
|
|
||||||
|
|
||||||
+ xxlor 32+$eighty7, 2, 2 # 0x870101..01
|
|
||||||
+
|
|
||||||
addic. $len,$len,0x60
|
|
||||||
beq Lxts_enc6x_zero
|
|
||||||
cmpwi $len,0x20
|
|
||||||
@@ -3112,6 +3139,18 @@ ()
|
|
||||||
li $x70,0x70
|
|
||||||
mtspr 256,r0
|
|
||||||
|
|
||||||
+ # Reverse eighty7 to 0x010101..87
|
|
||||||
+ xxlor 2, 32+$eighty7, 32+$eighty7
|
|
||||||
+ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87
|
|
||||||
+ xxlor 1, 32+$eighty7, 32+$eighty7
|
|
||||||
+
|
|
||||||
+ # Load XOR contents. 0xf102132435465768798a9bacbdcedfe
|
|
||||||
+ mr $x70, r6
|
|
||||||
+ bl Lconsts
|
|
||||||
+ lxvw4x 0, $x40, r6 # load XOR contents
|
|
||||||
+ mr r6, $x70
|
|
||||||
+ li $x70,0x70
|
|
||||||
+
|
|
||||||
subi $rounds,$rounds,3 # -4 in total
|
|
||||||
|
|
||||||
lvx $rndkey0,$x00,$key1 # load key schedule
|
|
||||||
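Review bot: `vsldoi $eighty7,$tmp,$eighty7,1` takes fifteen of its sixteen result bytes from `$tmp`, which is set outside this hunk, so the `# 0x010101..87` result holds only if `$tmp` still contains 0x01 in those bytes when execution reaches this line. Add a comment stating the value `$tmp` is expected to hold, or build the reversed constant from a fresh splat so the dependency is local. The `mr $x70, r6` ... `mr r6, $x70` ... `li $x70,0x70` sequence also deserves a one-line comment that `$x70` is temporarily holding r6 across `bl Lconsts`, and the hunk does not show whether LR has been saved before that call.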
@@ -3159,64 +3198,64 @@ ()
|
|
||||||
vxor $twk0,$tweak,$rndkey0
|
|
||||||
vsrab $tmp,$tweak,$seven # next tweak value
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
vxor $out0,$in0,$twk0
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in1, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in1
|
|
||||||
|
|
||||||
lvx_u $in1,$x10,$inp
|
|
||||||
vxor $twk1,$tweak,$rndkey0
|
|
||||||
vsrab $tmp,$tweak,$seven # next tweak value
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
le?vperm $in1,$in1,$in1,$leperm
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
vxor $out1,$in1,$twk1
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in2, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in2
|
|
||||||
|
|
||||||
lvx_u $in2,$x20,$inp
|
|
||||||
andi. $taillen,$len,15
|
|
||||||
vxor $twk2,$tweak,$rndkey0
|
|
||||||
vsrab $tmp,$tweak,$seven # next tweak value
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
le?vperm $in2,$in2,$in2,$leperm
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
vxor $out2,$in2,$twk2
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in3, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in3
|
|
||||||
|
|
||||||
lvx_u $in3,$x30,$inp
|
|
||||||
sub $len,$len,$taillen
|
|
||||||
vxor $twk3,$tweak,$rndkey0
|
|
||||||
vsrab $tmp,$tweak,$seven # next tweak value
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
le?vperm $in3,$in3,$in3,$leperm
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
vxor $out3,$in3,$twk3
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in4, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in4
|
|
||||||
|
|
||||||
lvx_u $in4,$x40,$inp
|
|
||||||
subi $len,$len,0x60
|
|
||||||
vxor $twk4,$tweak,$rndkey0
|
|
||||||
vsrab $tmp,$tweak,$seven # next tweak value
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
le?vperm $in4,$in4,$in4,$leperm
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
vxor $out4,$in4,$twk4
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in5, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in5
|
|
||||||
|
|
||||||
lvx_u $in5,$x50,$inp
|
|
||||||
addi $inp,$inp,0x60
|
|
||||||
vxor $twk5,$tweak,$rndkey0
|
|
||||||
vsrab $tmp,$tweak,$seven # next tweak value
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
le?vperm $in5,$in5,$in5,$leperm
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
vxor $out5,$in5,$twk5
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in0, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in0
|
|
||||||
|
|
||||||
vxor v31,v31,$rndkey0
|
|
||||||
mtctr $rounds
|
|
||||||
@@ -3242,6 +3281,8 @@ ()
|
|
||||||
lvx v25,$x10,$key_ # round[4]
|
|
||||||
bdnz Loop_xts_dec6x
|
|
||||||
|
|
||||||
+ xxlor 32+$eighty7, 1, 1
|
|
||||||
+
|
|
||||||
subic $len,$len,96 # $len-=96
|
|
||||||
vxor $in0,$twk0,v31 # xor with last round key
|
|
||||||
vncipher $out0,$out0,v24
|
|
||||||
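Review bot: `xxlor 32+$eighty7, 1, 1` after `bdnz Loop_xts_dec6x` lacks the `# 0x010101..87` comment that the same instruction carries in the encrypt path, and the matching `xxlor 32+$eighty7, 2, 2` later in the decrypt path lacks its `# 0x870101..01`. Since VSR 1 and VSR 2 are raw numbers with no symbolic name, the comments are the only indication of which byte order is being restored; add them here as well.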
@@ -3251,7 +3292,6 @@ ()
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
vncipher $out2,$out2,v24
|
|
||||||
vncipher $out3,$out3,v24
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
vncipher $out4,$out4,v24
|
|
||||||
vncipher $out5,$out5,v24
|
|
||||||
|
|
||||||
@@ -3259,7 +3299,8 @@ ()
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
vncipher $out0,$out0,v25
|
|
||||||
vncipher $out1,$out1,v25
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in1, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in1
|
|
||||||
vncipher $out2,$out2,v25
|
|
||||||
vncipher $out3,$out3,v25
|
|
||||||
vxor $in1,$twk1,v31
|
|
||||||
@@ -3270,13 +3311,13 @@ ()
|
|
||||||
|
|
||||||
and r0,r0,$len
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
vncipher $out0,$out0,v26
|
|
||||||
vncipher $out1,$out1,v26
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
vncipher $out2,$out2,v26
|
|
||||||
vncipher $out3,$out3,v26
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in2, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in2
|
|
||||||
vncipher $out4,$out4,v26
|
|
||||||
vncipher $out5,$out5,v26
|
|
||||||
|
|
||||||
@@ -3290,7 +3331,6 @@ ()
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
vncipher $out0,$out0,v27
|
|
||||||
vncipher $out1,$out1,v27
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
vncipher $out2,$out2,v27
|
|
||||||
vncipher $out3,$out3,v27
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
@@ -3298,7 +3338,8 @@ ()
|
|
||||||
vncipher $out5,$out5,v27
|
|
||||||
|
|
||||||
addi $key_,$sp,$FRAME+15 # rewind $key_
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in3, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in3
|
|
||||||
vncipher $out0,$out0,v28
|
|
||||||
vncipher $out1,$out1,v28
|
|
||||||
vxor $in3,$twk3,v31
|
|
||||||
@@ -3307,7 +3348,6 @@ ()
|
|
||||||
vncipher $out2,$out2,v28
|
|
||||||
vncipher $out3,$out3,v28
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
vncipher $out4,$out4,v28
|
|
||||||
vncipher $out5,$out5,v28
|
|
||||||
lvx v24,$x00,$key_ # re-pre-load round[1]
|
|
||||||
@@ -3315,7 +3355,8 @@ ()
|
|
||||||
|
|
||||||
vncipher $out0,$out0,v29
|
|
||||||
vncipher $out1,$out1,v29
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in4, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in4
|
|
||||||
vncipher $out2,$out2,v29
|
|
||||||
vncipher $out3,$out3,v29
|
|
||||||
vxor $in4,$twk4,v31
|
|
||||||
@@ -3325,14 +3366,14 @@ ()
|
|
||||||
vncipher $out5,$out5,v29
|
|
||||||
lvx v25,$x10,$key_ # re-pre-load round[2]
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
|
|
||||||
vncipher $out0,$out0,v30
|
|
||||||
vncipher $out1,$out1,v30
|
|
||||||
vand $tmp,$tmp,$eighty7
|
|
||||||
vncipher $out2,$out2,v30
|
|
||||||
vncipher $out3,$out3,v30
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 32+$in5, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in5
|
|
||||||
vncipher $out4,$out4,v30
|
|
||||||
vncipher $out5,$out5,v30
|
|
||||||
vxor $in5,$twk5,v31
|
|
||||||
@@ -3342,7 +3383,6 @@ ()
|
|
||||||
vncipherlast $out0,$out0,$in0
|
|
||||||
lvx_u $in0,$x00,$inp # load next input block
|
|
||||||
vaddubm $tweak,$tweak,$tweak
|
|
||||||
- vsldoi $tmp,$tmp,$tmp,15
|
|
||||||
vncipherlast $out1,$out1,$in1
|
|
||||||
lvx_u $in1,$x10,$inp
|
|
||||||
vncipherlast $out2,$out2,$in2
|
|
||||||
@@ -3355,7 +3395,10 @@ ()
|
|
||||||
vncipherlast $out4,$out4,$in4
|
|
||||||
le?vperm $in2,$in2,$in2,$leperm
|
|
||||||
lvx_u $in4,$x40,$inp
|
|
||||||
- vxor $tweak,$tweak,$tmp
|
|
||||||
+ xxlor 10, 32+$in0, 32+$in0
|
|
||||||
+ xxlor 32+$in0, 0, 0
|
|
||||||
+ vpermxor $tweak, $tweak, $tmp, $in0
|
|
||||||
+ xxlor 32+$in0, 10, 10
|
|
||||||
vncipherlast $out5,$out5,$in5
|
|
||||||
le?vperm $in3,$in3,$in3,$leperm
|
|
||||||
lvx_u $in5,$x50,$inp
|
|
||||||
@@ -3386,6 +3429,8 @@ ()
|
|
||||||
mtctr $rounds
|
|
||||||
beq Loop_xts_dec6x # did $len-=96 borrow?
|
|
||||||
|
|
||||||
+ xxlor 32+$eighty7, 2, 2
|
|
||||||
+
|
|
||||||
addic. $len,$len,0x60
|
|
||||||
beq Lxts_dec6x_zero
|
|
||||||
cmpwi $len,0x20
|
|
@ -13,10 +13,10 @@ It needs to be reverted before running tests.
|
|||||||
apps/openssl.cnf | 20 ++++++++++++++++++--
|
apps/openssl.cnf | 20 ++++++++++++++++++--
|
||||||
2 files changed, 19 insertions(+), 3 deletions(-)
|
2 files changed, 19 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
Index: openssl-3.0.1/apps/openssl.cnf
|
Index: openssl-3.2.0/apps/openssl.cnf
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssl-3.0.1.orig/apps/openssl.cnf
|
--- openssl-3.2.0.orig/apps/openssl.cnf
|
||||||
+++ openssl-3.0.1/apps/openssl.cnf
|
+++ openssl-3.2.0/apps/openssl.cnf
|
||||||
@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
|
@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
|
||||||
|
|
||||||
[openssl_init]
|
[openssl_init]
|
||||||
|
@ -0,0 +1,37 @@
|
|||||||
|
From 0e55c3ab8d702ffc897c9beb51d19b14b7896182 Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Dr. David von Oheimb" <David.von.Oheimb@siemens.com>
|
||||||
|
Date: Tue, 11 May 2021 12:59:03 +0200
|
||||||
|
Subject: [PATCH] Makefile: Call mknum.pl on 'make ordinals' only if needed
|
||||||
|
|
||||||
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
||||||
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||||
|
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
|
||||||
|
(Merged from https://github.com/openssl/openssl/pull/15224)
|
||||||
|
---
|
||||||
|
Configurations/unix-Makefile.tmpl | 5 ++++-
|
||||||
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
Index: openssl-3.2.0/Configurations/unix-Makefile.tmpl
|
||||||
|
===================================================================
|
||||||
|
--- openssl-3.2.0.orig/Configurations/unix-Makefile.tmpl
|
||||||
|
+++ openssl-3.2.0/Configurations/unix-Makefile.tmpl
|
||||||
|
@@ -1368,18 +1368,15 @@ renumber: build_generated
|
||||||
|
--renumber \
|
||||||
|
$(SSLHEADERS)
|
||||||
|
|
||||||
|
-$(SRCDIR)/util/libcrypto.num: $(CRYPTOHEADERS) $(SRCDIR)/include/openssl/symhacks.h
|
||||||
|
+ordinals: build_generated
|
||||||
|
$(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
|
||||||
|
--ordinals $(SRCDIR)/util/libcrypto.num \
|
||||||
|
--symhacks $(SRCDIR)/include/openssl/symhacks.h \
|
||||||
|
$(CRYPTOHEADERS)
|
||||||
|
-$(SRCDIR)/util/libssl.num: $(SSLHEADERS) $(SRCDIR)/include/openssl/symhacks.h
|
||||||
|
$(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
|
||||||
|
--ordinals $(SRCDIR)/util/libssl.num \
|
||||||
|
--symhacks $(SRCDIR)/include/openssl/symhacks.h \
|
||||||
|
$(SSLHEADERS)
|
||||||
|
-.PHONY: ordinals
|
||||||
|
-ordinals: build_generated $(SRCDIR)/util/libcrypto.num $(SRCDIR)/util/libssl.num
|
||||||
|
|
||||||
|
test_ordinals:
|
||||||
|
$(MAKE) run_tests TESTS=test_ordinals
|
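Review bot: the hunk body runs in the opposite direction to its header. The diffstat says 4 insertions and 1 deletion, while the hunk has one `+` line and four `-` lines, and it removes the per-file `libcrypto.num` and `libssl.num` rules that a change titled "Call mknum.pl on 'make ordinals' only if needed" would be expected to add. If this is carried as a revert, the subject and description should say so. The hunk also drops `.PHONY: ordinals` while turning `ordinals` into a plain recipe target, so a file named `ordinals` in the build directory would make the target look up to date; keep the `.PHONY` line.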
File diff suppressed because it is too large
@ -1,65 +0,0 @@
|
|||||||
From 3e47a286dc3274bda72a196c3a4030a1fc8302f1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rohan McLure <rohanmclure@linux.ibm.com>
|
|
||||||
Date: Fri, 23 Jun 2023 16:41:48 +1000
|
|
||||||
Subject: [PATCH] ec: Use static linkage on nistp521 felem_{square,mul}
|
|
||||||
wrappers
|
|
||||||
|
|
||||||
Runtime selection of implementations for felem_{square,mul} depends on
|
|
||||||
felem_{square,mul}_wrapper functions, which overwrite function points in
|
|
||||||
a similar design to that of .plt.got sections used by program loaders
|
|
||||||
during dynamic linking.
|
|
||||||
|
|
||||||
There's no reason why these functions need to have external linkage.
|
|
||||||
Mark static.
|
|
||||||
|
|
||||||
Signed-off-by: Rohan McLure <rohanmclure@linux.ibm.com>
|
|
||||||
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
|
|
||||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
|
||||||
Reviewed-by: Todd Short <todd.short@me.com>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/21471)
|
|
||||||
---
|
|
||||||
crypto/ec/ecp_nistp521.c | 10 +++++-----
|
|
||||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
|
|
||||||
index 97815cac1f13..32a9268ecf17 100644
|
|
||||||
--- a/crypto/ec/ecp_nistp521.c
|
|
||||||
+++ b/crypto/ec/ecp_nistp521.c
|
|
||||||
@@ -676,8 +676,8 @@ static void felem_reduce(felem out, const largefelem in)
|
|
||||||
}
|
|
||||||
|
|
||||||
#if defined(ECP_NISTP521_ASM)
|
|
||||||
-void felem_square_wrapper(largefelem out, const felem in);
|
|
||||||
-void felem_mul_wrapper(largefelem out, const felem in1, const felem in2);
|
|
||||||
+static void felem_square_wrapper(largefelem out, const felem in);
|
|
||||||
+static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2);
|
|
||||||
|
|
||||||
static void (*felem_square_p)(largefelem out, const felem in) =
|
|
||||||
felem_square_wrapper;
|
|
||||||
@@ -691,7 +691,7 @@ void p521_felem_mul(largefelem out, const felem in1, const felem in2);
|
|
||||||
# include "crypto/ppc_arch.h"
|
|
||||||
# endif
|
|
||||||
|
|
||||||
-void felem_select(void)
|
|
||||||
+static void felem_select(void)
|
|
||||||
{
|
|
||||||
# if defined(_ARCH_PPC64)
|
|
||||||
if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
|
|
||||||
@@ -707,13 +707,13 @@ void felem_select(void)
|
|
||||||
felem_mul_p = felem_mul_ref;
|
|
||||||
}
|
|
||||||
|
|
||||||
-void felem_square_wrapper(largefelem out, const felem in)
|
|
||||||
+static void felem_square_wrapper(largefelem out, const felem in)
|
|
||||||
{
|
|
||||||
felem_select();
|
|
||||||
felem_square_p(out, in);
|
|
||||||
}
|
|
||||||
|
|
||||||
-void felem_mul_wrapper(largefelem out, const felem in1, const felem in2)
|
|
||||||
+static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2)
|
|
||||||
{
|
|
||||||
felem_select();
|
|
||||||
felem_mul_p(out, in1, in2);
|
|
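Review bot: in `felem_square_wrapper` and `felem_mul_wrapper`, the call to `felem_select()` stores to both `felem_square_p` and `felem_mul_p` with no synchronisation, so two threads making their first call concurrently both write the pointers. The stores are idempotent, but now that these functions are `static` and reachable only through the pointers, a short comment stating that the unsynchronised first-call write is intentional (or a once-guard) would document the design the commit message describes.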
@ -1,428 +0,0 @@
|
|||||||
From 966047ee13188e8634af25af348940acceb9316d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rohan McLure <rohanmclure@linux.ibm.com>
|
|
||||||
Date: Wed, 31 May 2023 14:32:26 +1000
|
|
||||||
Subject: [PATCH] ec: powerpc64le: Add asm implementation of felem_{square,mul}
|
|
||||||
|
|
||||||
Add an assembly implementation of felem_{square,mul}, which will be
|
|
||||||
implemented whenever Altivec support is present and the core implements
|
|
||||||
ISA 3.0 (Power 9) or greater.
|
|
||||||
|
|
||||||
Signed-off-by: Rohan McLure <rohanmclure@linux.ibm.com>
|
|
||||||
|
|
||||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
||||||
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
|
|
||||||
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
|
|
||||||
Reviewed-by: Todd Short <todd.short@me.com>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/21471)
|
|
||||||
---
|
|
||||||
crypto/ec/asm/ecp_nistp384-ppc64.pl | 355 ++++++++++++++++++++++++++++
|
|
||||||
crypto/ec/build.info | 6 +-
|
|
||||||
crypto/ec/ecp_nistp384.c | 9 +
|
|
||||||
3 files changed, 368 insertions(+), 2 deletions(-)
|
|
||||||
create mode 100755 crypto/ec/asm/ecp_nistp384-ppc64.pl
|
|
||||||
|
|
||||||
diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl
|
|
||||||
new file mode 100755
|
|
||||||
index 000000000000..3f86b391af69
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl
|
|
||||||
@@ -0,0 +1,355 @@
|
|
||||||
+#! /usr/bin/env perl
|
|
||||||
+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
+#
|
|
||||||
+# Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
+# this file except in compliance with the License. You can obtain a copy
|
|
||||||
+# in the file LICENSE in the source distribution or at
|
|
||||||
+# https://www.openssl.org/source/license.html
|
|
||||||
+#
|
|
||||||
+# ====================================================================
|
|
||||||
+# Written by Rohan McLure <rmclure@linux.ibm.com> for the OpenSSL
|
|
||||||
+# project.
|
|
||||||
+# ====================================================================
|
|
||||||
+#
|
|
||||||
+# p384 lower-level primitives for PPC64 using vector instructions.
|
|
||||||
+#
|
|
||||||
+
|
|
||||||
+use strict;
|
|
||||||
+use warnings;
|
|
||||||
+
|
|
||||||
+my $flavour = shift;
|
|
||||||
+my $output = "";
|
|
||||||
+while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
|
|
||||||
+if (!$output) {
|
|
||||||
+ $output = "-";
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+my ($xlate, $dir);
|
|
||||||
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
|
|
||||||
+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
|
|
||||||
+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
|
|
||||||
+die "can't locate ppc-xlate.pl";
|
|
||||||
+
|
|
||||||
+open OUT,"| \"$^X\" $xlate $flavour $output";
|
|
||||||
+*STDOUT=*OUT;
|
|
||||||
+
|
|
||||||
+my $code = "";
|
|
||||||
+
|
|
||||||
+my ($sp, $outp, $savelr, $savesp) = ("r1", "r3", "r10", "r12");
|
|
||||||
+
|
|
||||||
+my $vzero = "v32";
|
|
||||||
+
|
|
||||||
+sub startproc($)
|
|
||||||
+{
|
|
||||||
+ my ($name) = @_;
|
|
||||||
+
|
|
||||||
+ $code.=<<___;
|
|
||||||
+ .globl ${name}
|
|
||||||
+ .align 5
|
|
||||||
+${name}:
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+sub endproc($)
|
|
||||||
+{
|
|
||||||
+ my ($name) = @_;
|
|
||||||
+
|
|
||||||
+ $code.=<<___;
|
|
||||||
+ blr
|
|
||||||
+ .size ${name},.-${name}
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+sub push_vrs($$)
|
|
||||||
+{
|
|
||||||
+ my ($min, $max) = @_;
|
|
||||||
+
|
|
||||||
+ my $count = $max - $min + 1;
|
|
||||||
+
|
|
||||||
+ $code.=<<___;
|
|
||||||
+ mr $savesp,$sp
|
|
||||||
+ stdu $sp,-16*`$count+1`($sp)
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+ for (my $i = $min; $i <= $max; $i++) {
|
|
||||||
+ my $mult = $max - $i + 1;
|
|
||||||
+ $code.=<<___;
|
|
||||||
+ stxv $i,-16*$mult($savesp)
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ $code.=<<___;
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+sub pop_vrs($$)
|
|
||||||
+{
|
|
||||||
+ my ($min, $max) = @_;
|
|
||||||
+
|
|
||||||
+ $code.=<<___;
|
|
||||||
+ ld $savesp,0($sp)
|
|
||||||
+___
|
|
||||||
+ for (my $i = $min; $i <= $max; $i++) {
|
|
||||||
+ my $mult = $max - $i + 1;
|
|
||||||
+ $code.=<<___;
|
|
||||||
+ lxv $i,-16*$mult($savesp)
|
|
||||||
+___
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ $code.=<<___;
|
|
||||||
+ mr $sp,$savesp
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+sub load_vrs($$)
|
|
||||||
+{
|
|
||||||
+ my ($pointer, $reg_list) = @_;
|
|
||||||
+
|
|
||||||
+ for (my $i = 0; $i <= 6; $i++) {
|
|
||||||
+ my $offset = $i * 8;
|
|
||||||
+ $code.=<<___;
|
|
||||||
+ lxsd $reg_list->[$i],$offset($pointer)
|
|
||||||
+___
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ $code.=<<___;
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+sub store_vrs($$)
|
|
||||||
+{
|
|
||||||
+ my ($pointer, $reg_list) = @_;
|
|
||||||
+
|
|
||||||
+ for (my $i = 0; $i <= 12; $i++) {
|
|
||||||
+ my $offset = $i * 16;
|
|
||||||
+ $code.=<<___;
|
|
||||||
+ stxv $reg_list->[$i],$offset($pointer)
|
|
||||||
+___
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ $code.=<<___;
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+$code.=<<___;
|
|
||||||
+.machine "any"
|
|
||||||
+.text
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+{
|
|
||||||
+ # mul/square common
|
|
||||||
+ my ($t1, $t2, $t3, $t4) = ("v33", "v34", "v42", "v43");
|
|
||||||
+ my ($zero, $one) = ("r8", "r9");
|
|
||||||
+ my $out = "v51";
|
|
||||||
+
|
|
||||||
+ {
|
|
||||||
+ #
|
|
||||||
+ # p384_felem_mul
|
|
||||||
+ #
|
|
||||||
+
|
|
||||||
+ my ($in1p, $in2p) = ("r4", "r5");
|
|
||||||
+ my @in1 = map("v$_",(44..50));
|
|
||||||
+ my @in2 = map("v$_",(35..41));
|
|
||||||
+
|
|
||||||
+ startproc("p384_felem_mul");
|
|
||||||
+
|
|
||||||
+ push_vrs(52, 63);
|
|
||||||
+
|
|
||||||
+ $code.=<<___;
|
|
||||||
+ vspltisw $vzero,0
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ load_vrs($in1p, \@in1);
|
|
||||||
+ load_vrs($in2p, \@in2);
|
|
||||||
+
|
|
||||||
+ $code.=<<___;
|
|
||||||
+ vmsumudm $out,$in1[0],$in2[0],$vzero
|
|
||||||
+ stxv $out,0($outp)
|
|
||||||
+
|
|
||||||
+ xxpermdi $t1,$in1[0],$in1[1],0b00
|
|
||||||
+ xxpermdi $t2,$in2[1],$in2[0],0b00
|
|
||||||
+ vmsumudm $out,$t1,$t2,$vzero
|
|
||||||
+ stxv $out,16($outp)
|
|
||||||
+
|
|
||||||
+ xxpermdi $t2,$in2[2],$in2[1],0b00
|
|
||||||
+ vmsumudm $out,$t1,$t2,$vzero
|
|
||||||
+ vmsumudm $out,$in1[2],$in2[0],$out
|
|
||||||
+ stxv $out,32($outp)
|
|
||||||
+
|
|
||||||
+ xxpermdi $t2,$in2[1],$in2[0],0b00
|
|
||||||
+ xxpermdi $t3,$in1[2],$in1[3],0b00
|
|
||||||
+ xxpermdi $t4,$in2[3],$in2[2],0b00
|
|
||||||
+ vmsumudm $out,$t1,$t4,$vzero
|
|
||||||
+ vmsumudm $out,$t3,$t2,$out
|
|
||||||
+ stxv $out,48($outp)
|
|
||||||
+
|
|
||||||
+ xxpermdi $t2,$in2[4],$in2[3],0b00
|
|
||||||
+ xxpermdi $t4,$in2[2],$in2[1],0b00
|
|
||||||
+ vmsumudm $out,$t1,$t2,$vzero
|
|
||||||
+ vmsumudm $out,$t3,$t4,$out
|
|
||||||
+ vmsumudm $out,$in1[4],$in2[0],$out
|
|
||||||
+ stxv $out,64($outp)
|
|
||||||
+
|
|
||||||
+ xxpermdi $t2,$in2[5],$in2[4],0b00
|
|
||||||
+ xxpermdi $t4,$in2[3],$in2[2],0b00
|
|
||||||
+ vmsumudm $out,$t1,$t2,$vzero
|
|
||||||
+ vmsumudm $out,$t3,$t4,$out
|
|
||||||
+ xxpermdi $t4,$in2[1],$in2[0],0b00
|
|
||||||
+ xxpermdi $t1,$in1[4],$in1[5],0b00
|
|
||||||
+ vmsumudm $out,$t1,$t4,$out
|
|
||||||
+ stxv $out,80($outp)
|
|
||||||
+
|
|
||||||
+ xxpermdi $t1,$in1[0],$in1[1],0b00
|
|
||||||
+ xxpermdi $t2,$in2[6],$in2[5],0b00
|
|
||||||
+ xxpermdi $t4,$in2[4],$in2[3],0b00
|
|
||||||
+ vmsumudm $out,$t1,$t2,$vzero
|
|
||||||
+ vmsumudm $out,$t3,$t4,$out
|
|
||||||
+ xxpermdi $t2,$in2[2],$in2[1],0b00
|
|
||||||
+ xxpermdi $t1,$in1[4],$in1[5],0b00
|
|
||||||
+ vmsumudm $out,$t1,$t2,$out
|
|
||||||
+ vmsumudm $out,$in1[6],$in2[0],$out
|
|
||||||
+ stxv $out,96($outp)
|
|
||||||
+
|
|
||||||
+ xxpermdi $t1,$in1[1],$in1[2],0b00
|
|
||||||
+ xxpermdi $t2,$in2[6],$in2[5],0b00
|
|
||||||
+ xxpermdi $t3,$in1[3],$in1[4],0b00
|
|
||||||
+ vmsumudm $out,$t1,$t2,$vzero
|
|
||||||
+ vmsumudm $out,$t3,$t4,$out
|
|
||||||
+ xxpermdi $t3,$in2[2],$in2[1],0b00
|
|
||||||
+ xxpermdi $t1,$in1[5],$in1[6],0b00
|
|
||||||
+ vmsumudm $out,$t1,$t3,$out
|
|
||||||
+ stxv $out,112($outp)
|
|
||||||
+
|
|
||||||
+ xxpermdi $t1,$in1[2],$in1[3],0b00
|
|
||||||
+ xxpermdi $t3,$in1[4],$in1[5],0b00
|
|
||||||
+ vmsumudm $out,$t1,$t2,$vzero
|
|
||||||
+ vmsumudm $out,$t3,$t4,$out
|
|
||||||
+ vmsumudm $out,$in1[6],$in2[2],$out
|
|
||||||
+ stxv $out,128($outp)
|
|
||||||
+
|
|
||||||
+ xxpermdi $t1,$in1[3],$in1[4],0b00
|
|
||||||
+ vmsumudm $out,$t1,$t2,$vzero
|
|
||||||
+ xxpermdi $t1,$in1[5],$in1[6],0b00
|
|
||||||
+ vmsumudm $out,$t1,$t4,$out
|
|
||||||
+ stxv $out,144($outp)
|
|
||||||
+
|
|
||||||
+ vmsumudm $out,$t3,$t2,$vzero
|
|
||||||
+ vmsumudm $out,$in1[6],$in2[4],$out
|
|
||||||
+ stxv $out,160($outp)
|
|
||||||
+
|
|
||||||
+ vmsumudm $out,$t1,$t2,$vzero
|
|
||||||
+ stxv $out,176($outp)
|
|
||||||
+
|
|
||||||
+ vmsumudm $out,$in1[6],$in2[6],$vzero
|
|
||||||
+ stxv $out,192($outp)
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ endproc("p384_felem_mul");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ {
|
|
||||||
+ #
|
|
||||||
+ # p384_felem_square
|
|
||||||
+ #
|
|
||||||
+
|
|
||||||
+ my ($inp) = ("r4");
|
|
||||||
+ my @in = map("v$_",(44..50));
|
|
||||||
+ my @inx2 = map("v$_",(35..41));
|
|
||||||
+
|
|
||||||
+ startproc("p384_felem_square");
|
|
||||||
+
|
|
||||||
+ push_vrs(52, 63);
|
|
||||||
+
|
|
||||||
+ $code.=<<___;
|
|
||||||
+ vspltisw $vzero,0
|
|
||||||
+
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ load_vrs($inp, \@in);
|
|
||||||
+
|
|
||||||
+ $code.=<<___;
|
|
||||||
+ li $zero,0
|
|
||||||
+ li $one,1
|
|
||||||
+ mtvsrdd $t1,$one,$zero
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ for (my $i = 0; $i <= 6; $i++) {
|
|
||||||
+ $code.=<<___;
|
|
||||||
+ vsld $inx2[$i],$in[$i],$t1
|
|
||||||
+___
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ $code.=<<___;
|
|
||||||
+ vmsumudm $out,$in[0],$in[0],$vzero
|
|
||||||
+ stxv $out,0($outp)
|
|
||||||
+
|
|
||||||
+ vmsumudm $out,$in[0],$inx2[1],$vzero
|
|
||||||
+ stxv $out,16($outp)
|
|
||||||
+
|
|
||||||
+ vmsumudm $out,$in[0],$inx2[2],$vzero
|
|
||||||
+ vmsumudm $out,$in[1],$in[1],$out
|
|
||||||
+ stxv $out,32($outp)
|
|
||||||
+
|
|
||||||
+ xxpermdi $t1,$in[0],$in[1],0b00
|
|
||||||
+ xxpermdi $t2,$inx2[3],$inx2[2],0b00
|
|
||||||
+ vmsumudm $out,$t1,$t2,$vzero
|
|
||||||
+ stxv $out,48($outp)
|
|
||||||
+
|
|
||||||
+ xxpermdi $t4,$inx2[4],$inx2[3],0b00
|
|
||||||
+ vmsumudm $out,$t1,$t4,$vzero
|
|
||||||
+ vmsumudm $out,$in[2],$in[2],$out
|
|
||||||
+ stxv $out,64($outp)
|
|
||||||
+
|
|
||||||
+ xxpermdi $t2,$inx2[5],$inx2[4],0b00
|
|
||||||
+ vmsumudm $out,$t1,$t2,$vzero
|
|
||||||
+ vmsumudm $out,$in[2],$inx2[3],$out
|
|
||||||
+ stxv $out,80($outp)
|
|
||||||
+
|
|
||||||
+ xxpermdi $t2,$inx2[6],$inx2[5],0b00
|
|
||||||
+ vmsumudm $out,$t1,$t2,$vzero
|
|
||||||
+ vmsumudm $out,$in[2],$inx2[4],$out
|
|
||||||
+ vmsumudm $out,$in[3],$in[3],$out
|
|
||||||
+ stxv $out,96($outp)
|
|
||||||
+
|
|
||||||
+ xxpermdi $t3,$in[1],$in[2],0b00
|
|
||||||
+ vmsumudm $out,$t3,$t2,$vzero
|
|
||||||
+ vmsumudm $out,$in[3],$inx2[4],$out
|
|
||||||
+ stxv $out,112($outp)
|
|
||||||
+
|
|
||||||
+ xxpermdi $t1,$in[2],$in[3],0b00
|
|
||||||
+ vmsumudm $out,$t1,$t2,$vzero
|
|
||||||
+ vmsumudm $out,$in[4],$in[4],$out
|
|
||||||
+ stxv $out,128($outp)
|
|
||||||
+
|
|
||||||
+ xxpermdi $t1,$in[3],$in[4],0b00
|
|
||||||
+ vmsumudm $out,$t1,$t2,$vzero
|
|
||||||
+ stxv $out,144($outp)
|
|
||||||
+
|
|
||||||
+ vmsumudm $out,$in[4],$inx2[6],$vzero
|
|
||||||
+ vmsumudm $out,$in[5],$in[5],$out
|
|
||||||
+ stxv $out,160($outp)
|
|
||||||
+
|
|
||||||
+ vmsumudm $out,$in[5],$inx2[6],$vzero
|
|
||||||
+ stxv $out,176($outp)
|
|
||||||
+
|
|
||||||
+ vmsumudm $out,$in[6],$in[6],$vzero
|
|
||||||
+ stxv $out,192($outp)
|
|
||||||
+___
|
|
||||||
+
|
|
||||||
+ endproc("p384_felem_square");
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+$code =~ s/\`([^\`]*)\`/eval $1/gem;
|
|
||||||
+print $code;
|
|
||||||
+close STDOUT or die "error closing STDOUT: $!";
|
|
||||||
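Review bot: the doubling loop `vsld $inx2[$i],$in[$i],$t1` in p384_felem_square states no bound on the input limbs, so a limb with its top bit set would lose that bit silently and the routine would return a wrong square for that input. State the precondition on limb size in a comment above the loop and say where the C caller guarantees it. Separately, `$t1` holds the shift vector here and is then overwritten by `xxpermdi $t1,$in[0],$in[1],0b00`, and the `$t2` built before the store at offset 96 is reused unchanged for offsets 112, 128 and 144; a one-line comment per output word naming the products it accumulates would make those reuses reviewable.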
diff --git a/crypto/ec/build.info b/crypto/ec/build.info
|
|
||||||
index 1fa60a1deddd..4077bead7bdb 100644
|
|
||||||
--- a/crypto/ec/build.info
|
|
||||||
+++ b/crypto/ec/build.info
|
|
||||||
@@ -39,8 +39,9 @@ IF[{- !$disabled{asm} -}]
|
|
||||||
$ECASM_ppc64=ecp_nistz256.c ecp_ppc.c ecp_nistz256-ppc64.s x25519-ppc64.s
|
|
||||||
$ECDEF_ppc64=ECP_NISTZ256_ASM X25519_ASM
|
|
||||||
IF[{- !$disabled{'ec_nistp_64_gcc_128'} -}]
|
|
||||||
- $ECASM_ppc64=$ECASM_ppc64 ecp_nistp521-ppc64.s
|
|
||||||
- $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP521_ASM
|
|
||||||
+ $ECASM_ppc64=$ECASM_ppc64 ecp_nistp384-ppc64.s ecp_nistp521-ppc64.s
|
|
||||||
+ $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP384_ASM ECP_NISTP521_ASM
|
|
||||||
+ INCLUDE[ecp_nistp384.o]=..
|
|
||||||
INCLUDE[ecp_nistp521.o]=..
|
|
||||||
ENDIF
|
|
||||||
|
|
||||||
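Review bot: `ecp_nistp384-ppc64.s` and `ECP_NISTP384_ASM` are added for every ppc64 build that has `ec_nistp_64_gcc_128` enabled, yet the generated code relies on instructions such as `vmsumudm`, `mtvsrdd` and `stxv`, so the only thing keeping it off CPUs without them is the runtime check in `felem_select()`. Add a comment here pointing at that check, and confirm which assembler versions can build the file, since it is now assembled unconditionally on this target.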
@@ -119,6 +120,7 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_nistz256-armv8.pl
|
|
||||||
INCLUDE[ecp_nistz256-armv8.o]=..
|
|
||||||
GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl
|
|
||||||
|
|
||||||
+GENERATE[ecp_nistp384-ppc64.s]=asm/ecp_nistp384-ppc64.pl
|
|
||||||
GENERATE[ecp_nistp521-ppc64.s]=asm/ecp_nistp521-ppc64.pl
|
|
||||||
|
|
||||||
GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl
|
|
||||||
diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c
|
|
||||||
index a0559487ed4e..14f9530d07c6 100644
|
|
||||||
--- a/crypto/ec/ecp_nistp384.c
|
|
||||||
+++ b/crypto/ec/ecp_nistp384.c
|
|
||||||
@@ -691,6 +691,15 @@ void p384_felem_mul(widefelem out, const felem in1, const felem in2);
|
|
||||||
|
|
||||||
static void felem_select(void)
|
|
||||||
{
|
|
||||||
+# if defined(_ARCH_PPC64)
|
|
||||||
+ if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
|
|
||||||
+ felem_square_p = p384_felem_square;
|
|
||||||
+ felem_mul_p = p384_felem_mul;
|
|
||||||
+
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+# endif
|
|
||||||
+
|
|
||||||
/* Default */
|
|
||||||
felem_square_p = felem_square_ref;
|
|
||||||
felem_mul_p = felem_mul_ref;
|
|
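Review bot: the guard in `felem_select()` tests `PPC_MADD300` and `PPC_ALTIVEC`, but the assembly it selects also uses VSX forms (`stxv`, `xxpermdi`, `mtvsrdd`), so the dispatch is only safe if `PPC_MADD300` implies those are available. Either test the matching capability bit or add a comment stating why these two bits are sufficient. The block is also keyed on `_ARCH_PPC64` while build.info introduces `ECP_NISTP384_ASM`; if this function is not already inside an `ECP_NISTP384_ASM` block, use the build define so the reference to `p384_felem_square` cannot survive in a build where the assembly file is not generated.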
@ -1,76 +0,0 @@
|
|||||||
From 670e73d9084465384b11ef24802ca4a313e1d2f4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rohan McLure <rohanmclure@linux.ibm.com>
|
|
||||||
Date: Tue, 15 Aug 2023 15:20:20 +1000
|
|
||||||
Subject: [PATCH] ecc: Remove extraneous parentheses in secp384r1
|
|
||||||
|
|
||||||
Substitutions in the felem_reduce() method feature unecessary
|
|
||||||
parentheses, remove them.
|
|
||||||
|
|
||||||
Signed-off-by: Rohan McLure <rohan.mclure@linux.ibm.com>
|
|
||||||
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
|
|
||||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/21749)
|
|
||||||
---
|
|
||||||
crypto/ec/ecp_nistp384.c | 12 ++++++------
|
|
||||||
1 file changed, 6 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c
|
|
||||||
index 14f9530d07c6..ff68f9cc7ad0 100644
|
|
||||||
--- a/crypto/ec/ecp_nistp384.c
|
|
||||||
+++ b/crypto/ec/ecp_nistp384.c
|
|
||||||
@@ -540,7 +540,7 @@ static void felem_reduce(felem out, const widefelem in)
|
|
||||||
acc[7] += in[12] >> 8;
|
|
||||||
acc[6] += (in[12] & 0xff) << 48;
|
|
||||||
acc[6] -= in[12] >> 16;
|
|
||||||
- acc[5] -= ((in[12] & 0xffff) << 40);
|
|
||||||
+ acc[5] -= (in[12] & 0xffff) << 40;
|
|
||||||
acc[6] += in[12] >> 48;
|
|
||||||
acc[5] += (in[12] & 0xffffffffffff) << 8;
|
|
||||||
|
|
||||||
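Review bot: on `acc[5] -= (in[12] & 0xffff) << 40;` the change is cosmetic and should compile to identical code, which is worth stating in the commit message so nobody re-audits `felem_reduce()` for a behaviour change. The remaining inner parentheses are required, since `<<` binds tighter than `&` in C; dropping them as well would mask with `0xffff << 40` instead. The same applies to the five hunks that follow.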
@@ -549,7 +549,7 @@ static void felem_reduce(felem out, const widefelem in)
|
|
||||||
acc[6] += in[11] >> 8;
|
|
||||||
acc[5] += (in[11] & 0xff) << 48;
|
|
||||||
acc[5] -= in[11] >> 16;
|
|
||||||
- acc[4] -= ((in[11] & 0xffff) << 40);
|
|
||||||
+ acc[4] -= (in[11] & 0xffff) << 40;
|
|
||||||
acc[5] += in[11] >> 48;
|
|
||||||
acc[4] += (in[11] & 0xffffffffffff) << 8;
|
|
||||||
|
|
||||||
@@ -558,7 +558,7 @@ static void felem_reduce(felem out, const widefelem in)
|
|
||||||
acc[5] += in[10] >> 8;
|
|
||||||
acc[4] += (in[10] & 0xff) << 48;
|
|
||||||
acc[4] -= in[10] >> 16;
|
|
||||||
- acc[3] -= ((in[10] & 0xffff) << 40);
|
|
||||||
+ acc[3] -= (in[10] & 0xffff) << 40;
|
|
||||||
acc[4] += in[10] >> 48;
|
|
||||||
acc[3] += (in[10] & 0xffffffffffff) << 8;
|
|
||||||
|
|
||||||
@@ -567,7 +567,7 @@ static void felem_reduce(felem out, const widefelem in)
|
|
||||||
acc[4] += in[9] >> 8;
|
|
||||||
acc[3] += (in[9] & 0xff) << 48;
|
|
||||||
acc[3] -= in[9] >> 16;
|
|
||||||
- acc[2] -= ((in[9] & 0xffff) << 40);
|
|
||||||
+ acc[2] -= (in[9] & 0xffff) << 40;
|
|
||||||
acc[3] += in[9] >> 48;
|
|
||||||
acc[2] += (in[9] & 0xffffffffffff) << 8;
|
|
||||||
|
|
||||||
@@ -582,7 +582,7 @@ static void felem_reduce(felem out, const widefelem in)
|
|
||||||
acc[3] += acc[8] >> 8;
|
|
||||||
acc[2] += (acc[8] & 0xff) << 48;
|
|
||||||
acc[2] -= acc[8] >> 16;
|
|
||||||
- acc[1] -= ((acc[8] & 0xffff) << 40);
|
|
||||||
+ acc[1] -= (acc[8] & 0xffff) << 40;
|
|
||||||
acc[2] += acc[8] >> 48;
|
|
||||||
acc[1] += (acc[8] & 0xffffffffffff) << 8;
|
|
||||||
|
|
||||||
@@ -591,7 +591,7 @@ static void felem_reduce(felem out, const widefelem in)
|
|
||||||
acc[2] += acc[7] >> 8;
|
|
||||||
acc[1] += (acc[7] & 0xff) << 48;
|
|
||||||
acc[1] -= acc[7] >> 16;
|
|
||||||
- acc[0] -= ((acc[7] & 0xffff) << 40);
|
|
||||||
+ acc[0] -= (acc[7] & 0xffff) << 40;
|
|
||||||
acc[1] += acc[7] >> 48;
|
|
||||||
acc[0] += (acc[7] & 0xffffffffffff) << 8;
|
|
||||||
|
|
@ -1,13 +0,0 @@
|
|||||||
Index: openssl-1.1.1-pre1/util/mkbuildinf.pl
|
|
||||||
===================================================================
|
|
||||||
--- openssl-1.1.1-pre1.orig/util/mkbuildinf.pl 2018-02-13 16:31:28.011389734 +0100
|
|
||||||
+++ openssl-1.1.1-pre1/util/mkbuildinf.pl 2018-02-13 16:31:51.539764582 +0100
|
|
||||||
@@ -28,7 +28,7 @@ print <<"END_OUTPUT";
|
|
||||||
*/
|
|
||||||
|
|
||||||
#define PLATFORM "platform: $platform"
|
|
||||||
-#define DATE "built on: $date"
|
|
||||||
+#define DATE ""
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Generate compiler_flags as an array of individual characters. This is a
|
|
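Review bot: `#define DATE ""` removes the build timestamp, but it also drops the `built on:` prefix, so anything that prints or parses DATE now gets an empty string. A fixed placeholder such as `"built on: reproducible build, date unspecified"` keeps the field's shape. The patch file also starts directly at the `Index:` line with no description; add a header line stating the reproducible-build motive.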
@ -1,13 +1,13 @@
|
|||||||
Index: openssl-3.1.4/Configurations/unix-Makefile.tmpl
|
Index: openssl-3.2.0/Configurations/unix-Makefile.tmpl
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssl-3.1.4.orig/Configurations/unix-Makefile.tmpl
|
--- openssl-3.2.0.orig/Configurations/unix-Makefile.tmpl
|
||||||
+++ openssl-3.1.4/Configurations/unix-Makefile.tmpl
|
+++ openssl-3.2.0/Configurations/unix-Makefile.tmpl
|
||||||
@@ -611,7 +611,7 @@ install_sw: install_dev install_engines
|
@@ -632,7 +632,7 @@ install_sw: install_dev install_engines
|
||||||
|
|
||||||
uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev
|
uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev ## Uninstall the software and libraries
|
||||||
|
|
||||||
-install_docs: install_man_docs install_html_docs
|
-install_docs: install_man_docs install_html_docs ## Install manpages and HTML documentation
|
||||||
+install_docs: install_man_docs
|
+install_docs: install_man_docs ## Install manpages and HTML documentation
|
||||||
|
|
||||||
uninstall_docs: uninstall_man_docs uninstall_html_docs
|
uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation
|
||||||
$(RM) -r "$(DESTDIR)$(DOCDIR)"
|
$(RM) -r "$(DESTDIR)$(DOCDIR)"
|
||||||
|
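Review bot: `install_docs` no longer depends on `install_html_docs`, but the refreshed line keeps the help text `## Install manpages and HTML documentation`, and `uninstall_docs` still depends on `uninstall_html_docs`. Change the help text to say manpages only, and note in the patch header why HTML docs are skipped so the asymmetry with the uninstall target is clearly intentional.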
@ -1,8 +1,8 @@
|
|||||||
Index: openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl
|
Index: openssl-3.2.0/Configurations/unix-Makefile.tmpl
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssl-1.1.1-pre3.orig/Configurations/unix-Makefile.tmpl 2018-03-20 15:20:03.037124698 +0100
|
--- openssl-3.2.0.orig/Configurations/unix-Makefile.tmpl
|
||||||
+++ openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl 2018-03-20 15:21:04.206084731 +0100
|
+++ openssl-3.2.0/Configurations/unix-Makefile.tmpl
|
||||||
@@ -843,7 +843,7 @@ libcrypto.pc:
|
@@ -1454,7 +1454,7 @@ libcrypto.pc:
|
||||||
echo 'Version: '$(VERSION); \
|
echo 'Version: '$(VERSION); \
|
||||||
echo 'Libs: -L$${libdir} -lcrypto'; \
|
echo 'Libs: -L$${libdir} -lcrypto'; \
|
||||||
echo 'Libs.private: $(LIB_EX_LIBS)'; \
|
echo 'Libs.private: $(LIB_EX_LIBS)'; \
|
||||||
@ -11,7 +11,7 @@ Index: openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl
|
|||||||
|
|
||||||
libssl.pc:
|
libssl.pc:
|
||||||
@ ( echo 'prefix=$(INSTALLTOP)'; \
|
@ ( echo 'prefix=$(INSTALLTOP)'; \
|
||||||
@@ -860,7 +860,7 @@ libssl.pc:
|
@@ -1471,7 +1471,7 @@ libssl.pc:
|
||||||
echo 'Version: '$(VERSION); \
|
echo 'Version: '$(VERSION); \
|
||||||
echo 'Requires.private: libcrypto'; \
|
echo 'Requires.private: libcrypto'; \
|
||||||
echo 'Libs: -L$${libdir} -lssl'; \
|
echo 'Libs: -L$${libdir} -lssl'; \
|
||||||
|
@ -1,96 +0,0 @@
|
|||||||
From 50f8b936b00dc18ce1f622a7a6aa46daf03da48b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rohan McLure <rohanmclure@linux.ibm.com>
|
|
||||||
Date: Wed, 16 Aug 2023 16:52:47 +1000
|
|
||||||
Subject: [PATCH] powerpc: ecc: Fix stack allocation secp384r1 asm
|
|
||||||
|
|
||||||
Assembly acceleration secp384r1 opts to not use any callee-save VSRs, as
|
|
||||||
VSX enabled systems make extensive use of renaming, and so writebacks in
|
|
||||||
felem_{mul,square}() can be reordered for best cache effects.
|
|
||||||
|
|
||||||
Remove stack allocations. This in turn fixes unmatched push/pops in
|
|
||||||
felem_{mul,square}().
|
|
||||||
|
|
||||||
Signed-off-by: Rohan McLure <rohan.mclure@linux.ibm.com>
|
|
||||||
|
|
||||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
||||||
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
|
|
||||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/21749)
|
|
||||||
---
|
|
||||||
crypto/ec/asm/ecp_nistp384-ppc64.pl | 49 -----------------------------
|
|
||||||
1 file changed, 49 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl
|
|
||||||
index 3f86b391af69..28f4168e5218 100755
|
|
||||||
--- a/crypto/ec/asm/ecp_nistp384-ppc64.pl
|
|
||||||
+++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl
|
|
||||||
@@ -62,51 +62,6 @@ ($)
|
|
||||||
___
|
|
||||||
}
|
|
||||||
|
|
||||||
-
|
|
||||||
-sub push_vrs($$)
|
|
||||||
-{
|
|
||||||
- my ($min, $max) = @_;
|
|
||||||
-
|
|
||||||
- my $count = $max - $min + 1;
|
|
||||||
-
|
|
||||||
- $code.=<<___;
|
|
||||||
- mr $savesp,$sp
|
|
||||||
- stdu $sp,-16*`$count+1`($sp)
|
|
||||||
-
|
|
||||||
-___
|
|
||||||
- for (my $i = $min; $i <= $max; $i++) {
|
|
||||||
- my $mult = $max - $i + 1;
|
|
||||||
- $code.=<<___;
|
|
||||||
- stxv $i,-16*$mult($savesp)
|
|
||||||
-___
|
|
||||||
-
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- $code.=<<___;
|
|
||||||
-
|
|
||||||
-___
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-sub pop_vrs($$)
|
|
||||||
-{
|
|
||||||
- my ($min, $max) = @_;
|
|
||||||
-
|
|
||||||
- $code.=<<___;
|
|
||||||
- ld $savesp,0($sp)
|
|
||||||
-___
|
|
||||||
- for (my $i = $min; $i <= $max; $i++) {
|
|
||||||
- my $mult = $max - $i + 1;
|
|
||||||
- $code.=<<___;
|
|
||||||
- lxv $i,-16*$mult($savesp)
|
|
||||||
-___
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- $code.=<<___;
|
|
||||||
- mr $sp,$savesp
|
|
||||||
-
|
|
||||||
-___
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
sub load_vrs($$)
|
|
||||||
{
|
|
||||||
my ($pointer, $reg_list) = @_;
|
|
||||||
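Review bot: the removed `push_vrs`/`pop_vrs` were the only code saving vector registers, and the callers passed 52 to 63, so after this hunk correctness rests on the routines never touching a register in that range. Nothing in the script enforces that: add a comment at the register declarations stating the allowed range, or a check that dies if a register from the previously saved range is allocated.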
@@ -162,8 +117,6 @@ ($$)
|
|
||||||
|
|
||||||
startproc("p384_felem_mul");
|
|
||||||
|
|
||||||
- push_vrs(52, 63);
|
|
||||||
-
|
|
||||||
$code.=<<___;
|
|
||||||
vspltisw $vzero,0
|
|
||||||
|
|
||||||
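Review bot: only the `push_vrs(52, 63);` call is removed from `p384_felem_mul`, and the 49 deleted lines in the diffstat are fully accounted for by the two sub definitions and the two push calls, so no `pop_vrs` call existed and the old code returned with the `stdu` frame still allocated. The patch adds no test; a regression test that calls the routine through the dispatch pointer and checks the caller's state afterwards would keep this from coming back.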
@@ -268,8 +221,6 @@ ($$)
|
|
||||||
|
|
||||||
startproc("p384_felem_square");
|
|
||||||
|
|
||||||
- push_vrs(52, 63);
|
|
||||||
-
|
|
||||||
$code.=<<___;
|
|
||||||
vspltisw $vzero,0
|
|
||||||
|
|
@ -1,8 +1,8 @@
|
|||||||
Index: openssl-3.0.0-alpha5/util/perl/OpenSSL/config.pm
|
Index: openssl-3.2.0/util/perl/OpenSSL/config.pm
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssl-3.0.0-alpha5.orig/util/perl/OpenSSL/config.pm
|
--- openssl-3.2.0.orig/util/perl/OpenSSL/config.pm
|
||||||
+++ openssl-3.0.0-alpha5/util/perl/OpenSSL/config.pm
|
+++ openssl-3.2.0/util/perl/OpenSSL/config.pm
|
||||||
@@ -525,14 +525,19 @@ EOF
|
@@ -584,14 +584,19 @@ EOF
|
||||||
return { target => "linux-ppc64" } if $KERNEL_BITS eq '64';
|
return { target => "linux-ppc64" } if $KERNEL_BITS eq '64';
|
||||||
|
|
||||||
my %config = ();
|
my %config = ();
|
||||||
|
@ -1,10 +1,10 @@
|
|||||||
Don't use the legacy /etc/ssl/certs directory anymore but rather the
|
Don't use the legacy /etc/ssl/certs directory anymore but rather the
|
||||||
p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991)
|
p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991)
|
||||||
Index: openssl-1.1.1-pre1/include/internal/cryptlib.h
|
Index: openssl-3.2.0/include/internal/common.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssl-1.1.1-pre1.orig/include/internal/cryptlib.h 2018-02-13 14:48:12.000000000 +0100
|
--- openssl-3.2.0.orig/include/internal/common.h
|
||||||
+++ openssl-1.1.1-pre1/include/internal/cryptlib.h 2018-02-13 16:30:11.738161984 +0100
|
+++ openssl-3.2.0/include/internal/common.h
|
||||||
@@ -59,8 +59,8 @@ DEFINE_LHASH_OF(MEM);
|
@@ -82,8 +82,8 @@ __owur static ossl_inline int ossl_asser
|
||||||
|
|
||||||
# ifndef OPENSSL_SYS_VMS
|
# ifndef OPENSSL_SYS_VMS
|
||||||
# define X509_CERT_AREA OPENSSLDIR
|
# define X509_CERT_AREA OPENSSLDIR
|
||||||
|