pool/openssl-3
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: pool:factory
Branches Tags
pool:factory
pool:devel
..
compare: pool:devel
Branches Tags
pool:factory
pool:devel

No commits in common. "factory" and "devel" have entirely different histories.
factory ... devel

34 changed files with 8925 additions and 0 deletions
Show Stats Expand all files Collapse all files

28
openssl-3-FIPS-PCT_rsa_keygen.patch Normal file
View File

@ -0,0 +1,28 @@
Index: openssl-3.1.4/crypto/rsa/rsa_gen.c
===================================================================
--- openssl-3.1.4.orig/crypto/rsa/rsa_gen.c
+++ openssl-3.1.4/crypto/rsa/rsa_gen.c
@@ -428,7 +428,12 @@ static int rsa_keygen(OSSL_LIB_CTX *libc
#ifdef FIPS_MODULE
ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb);
- pairwise_test = 1; /* FIPS MODE needs to always run the pairwise test */
+ /* FIPS MODE needs to always run the pairwise test. But, the
+ * rsa_keygen_pairwise_test() PCT as self-test requirements will be
+ * covered by do_rsa_pct() for both RSA-OAEP and RSA signatures and
+ * this PCT can be skipped here. See bsc#1221760 for more info.
+ */
+ pairwise_test = 0;
#else
/*
* Only multi-prime keys or insecure keys with a small key length or a
@@ -463,6 +468,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libc
rsa->dmp1 = NULL;
rsa->dmq1 = NULL;
rsa->iqmp = NULL;
+#ifdef FIPS_MODULE
+ abort();
+#endif /* FIPS_MODULE */
}
}
return ok;

35
openssl-3-use-include-directive.patch Normal file
View File

@ -0,0 +1,35 @@
---
apps/openssl.cnf | 13 +++++++++++++
1 file changed, 13 insertions(+)
Index: openssl-3.1.4/apps/openssl.cnf
===================================================================
--- openssl-3.1.4.orig/apps/openssl.cnf
+++ openssl-3.1.4/apps/openssl.cnf
@@ -19,6 +19,7 @@ openssl_conf = openssl_init
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
+[ oid_section ]
# Extra OBJECT IDENTIFIER info:
# oid_file = $ENV::HOME/.oid
oid_section = new_oids
@@ -47,6 +48,18 @@ providers = provider_sect
# Load default TLS policy configuration
ssl_conf = ssl_module
+engines = engine_section
+
+[ engine_section ]
+
+# This include will look through the directory that will contain the
+# engine declarations for any engines provided by other packages.
+.include /etc/ssl/engines3.d
+
+# This include will look through the directory that will contain the
+# definitions of the engines declared in the engine section.
+.include /etc/ssl/engdef3.d
+
# Uncomment the sections that start with ## below to enable the legacy provider.
# Loading the legacy provider enables support for the following algorithms:
# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160

BIN
openssl-3.1.4.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
openssl-3.1.4.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmU3yaoACgkQ2JTizos9
efXt8BAAqcF9RBzduklMCXSfG4Rzs2KcWmR1+BB0izxG3KwPr+r54qBbSRCCImHA
U22An//xsDsQZ0K4rrkkkumpJCxLV/4F3TlEBdoCS4wzDXz/LfONzTuZ8Z3QP/Si
ElHTKdqPo2tp6LrDIUSGa9BmK1AsxkhOoC/uJlGpLP0mLJGI3PGo5ordyERAjL/C
hTumE16ErrXY3kHVPAeD6tJlxtV3M9UxsZAOK6LVfnhXLzz8hWMu2H5ZigXZWCDx
NG6ylV4xxfqO9eLxT2wUrJzg24w0VZzmbD+ZeZ24v9aAxGsbl3ZHLgMKkDehNNuP
0ADh3aGq9FkIg5n53UQu0pbOc6aBPgWwVuaNfxOheG2GqBCoca42ikW20QZyJAec
h3uLQ76vnWOjUIjeRCjpw0+OCUaWr0wx5WzzfdgYc813VwN6FaC9ZmB46oaLfIeD
MBAyuUxdTif/7SXmGgUIQDIf4Vxr2H7I0NyyDxD+y+C2gwn+zVvuVcBBc2cNq4QN
UINxZvm75CwaCsys+MDjSneDhpcSlAPqTJqM3DvKf/r3+27buz+sFw463fTHnv0F
FpyBPgvvusY4Z4h/jqLcfkl2MBOxlo+lpZJdPpQoEvGz751GsKmmtb0YgZ7BjrYs
5vFvo0EJ066J9bWLbp6VZd825B9P2Uy7u3sUz+E5nuavT4eHv7o=
=EH33
-----END PGP SIGNATURE-----

3
openssl-3.1.7.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:053a31fa80cf4aebe1068c987d2ef1e44ce418881427c4464751ae800c31d06c
size 15684836

16
openssl-3.1.7.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmbXB9UACgkQIWCU39DL
ge/wjg/+MwugS9yaSCXXeqfRDYphyyblQ915j30Zo4kOdxr/ZBkrrzExxQaAN9tC
NR+w33NPmiQQk8MPKKx3dcOZ3giHv7uGlBbo8fHihoUJ5cM9jDLd0UnqSUKU6C7h
mK0BcGBj+Y5Sj2wH0NLPbFgfqbk2rbFRyDDoszj/ZahdE/dr1m1W8vI+FFqqqLjO
hc4J26Dn/oTA1FWgXhIAPQDjG/sUy2waF1Q/nelVkeCwrL5modcW8CXGiwZa5Wan
93cAgk0VUVq20FGQLVVxhGJ9wMGv48nS/hJKugJci1CFqX1eLc5NrbDah3sejGpA
9ZgNoguolbxVe+pFDF+Qj5tLM34+ONI4m2wqtKNAA9UN/W2NuQxatDlHYU2u718C
YpiEodIuNz5ktGAtHAe0fI36rvMJGy/6nKuzMXNF+QmbFzWhtnQRXJuC6uY7dIOa
QHHYmKboVJCb9Ak2gSuTEJvov8HFnlCRzzXBEN2sP6Xd86flERRcMH41VtEu0u2c
wB54o5+9l/7PQ3TOSdNUD6JakjraE05KMHB0KwEUIvAEMceaIrp1q6BnVrEzRjdV
WMsagkvHiv4dUP8lT1DpCEhq7jHyzvHtFrrQq+SAHITgnYiENF6K89w2QLkqoK33
Co/eerwMazO3+qxASYz7pFODPyVAsTIWvuWAJ6CmtubJBinjVnM=
=Z8CX
-----END PGP SIGNATURE-----

743
openssl-Add_support_for_Windows_CA_certificate_store.patch Normal file
View File

@ -0,0 +1,743 @@
From 2a071544f7d2e963a1f68f266f4e375568909d38 Mon Sep 17 00:00:00 2001
From: Hugo Landau <hlandau@openssl.org>
Date: Fri, 8 Apr 2022 13:10:52 +0100
Subject: [PATCH 1/8] Fix URI handling in SSL_CERT_DIR/introduce SSL_CERT_URI
env
Fixes #18068.
---
CHANGES.md | 21
Configure | 7
crypto/x509/by_dir.c | 17
crypto/x509/by_store.c | 14
crypto/x509/x509_def.c | 15
doc/build.info | 6
doc/man3/X509_get_default_cert_file.pod | 113 +++++
include/internal/cryptlib.h | 11
include/internal/e_os.h | 2
include/openssl/x509.h.in | 3
providers/implementations/include/prov/implementations.h | 1
providers/implementations/storemgmt/build.info | 3
providers/implementations/storemgmt/winstore_store.c | 327 +++++++++++++++
providers/stores.inc | 3
util/libcrypto.num | 3
util/missingcrypto.txt | 4
16 files changed, 536 insertions(+), 14 deletions(-)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -24,6 +24,27 @@ OpenSSL 3.1
### Changes between 3.1.0 and 3.1.1 [30 May 2023]
+ * The `SSL_CERT_PATH` and `SSL_CERT_URI` environment variables are introduced.
+ `SSL_CERT_URI` can be used to specify a URI for a root certificate store. The
+ `SSL_CERT_PATH` environment variable specifies a delimiter-separated list of
+ paths which are searched for root certificates.
+
+ The existing `SSL_CERT_DIR` environment variable is deprecated.
+ `SSL_CERT_DIR` was previously used to specify either a delimiter-separated
+ list of paths or an URI, which is ambiguous. Setting `SSL_CERT_PATH` causes
+ `SSL_CERT_DIR` to be ignored for the purposes of determining root certificate
+ directories, and setting `SSL_CERT_URI` causes `SSL_CERT_DIR` to be ignored
+ for the purposes of determining root certificate stores.
+
+ *Hugo Landau*
+
+ * Support for loading root certificates from the Windows certificate store
+ has been added. The support is in the form of a store which recognises the
+ URI string of `org.openssl.winstore://`. This store is enabled by default and
+ can be disabled using the new compile-time option `no-winstore`.
+
+ *Hugo Landau*
+
* Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
--- a/Configure
+++ b/Configure
@@ -420,6 +420,7 @@ my @disablables = (
"cached-fetch",
"camellia",
"capieng",
+ "winstore",
"cast",
"chacha",
"cmac",
@@ -1726,6 +1727,12 @@ unless ($disabled{ktls}) {
}
}
+unless ($disabled{winstore}) {
+ unless ($target =~ /^(?:Cygwin|mingw|VC-|BC-)/) {
+ disable('not-windows', 'winstore');
+ }
+}
+
push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls});
# Get the extra flags used when building shared libraries and modules. We
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -88,13 +88,18 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
switch (cmd) {
case X509_L_ADD_DIR:
if (argl == X509_FILETYPE_DEFAULT) {
- const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
+ /* If SSL_CERT_PATH is provided and non-empty, use that. */
+ const char *dir = ossl_safe_getenv(X509_get_default_cert_path_env());
- if (dir)
- ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
- else
- ret = add_cert_dir(ld, X509_get_default_cert_dir(),
- X509_FILETYPE_PEM);
+ /* Fallback to SSL_CERT_DIR. */
+ if (dir == NULL)
+ dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
+
+ /* Fallback to built-in default. */
+ if (dir == NULL)
+ dir = X509_get_default_cert_dir();
+
+ ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
if (!ret) {
ERR_raise(ERR_LIB_X509, X509_R_LOADING_CERT_DIR);
}
--- a/crypto/x509/by_store.c
+++ b/crypto/x509/by_store.c
@@ -111,11 +111,21 @@ static int by_store_ctrl_ex(X509_LOOKUP
{
switch (cmd) {
case X509_L_ADD_STORE:
- /* If no URI is given, use the default cert dir as default URI */
+ /* First try the newer default cert URI envvar. */
+ if (argp == NULL)
+ argp = ossl_safe_getenv(X509_get_default_cert_uri_env());
+
+ /* If not set, see if we have a URI in the older cert dir envvar. */
if (argp == NULL)
argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
+
+ /* Fallback to default store URI. */
if (argp == NULL)
- argp = X509_get_default_cert_dir();
+ argp = X509_get_default_cert_uri();
+
+ /* No point adding an empty URI. */
+ if (!*argp)
+ return 1;
{
STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
--- a/crypto/x509/x509_def.c
+++ b/crypto/x509/x509_def.c
@@ -22,6 +22,11 @@ const char *X509_get_default_cert_area(v
return X509_CERT_AREA;
}
+const char *X509_get_default_cert_uri(void)
+{
+ return X509_CERT_URI;
+}
+
const char *X509_get_default_cert_dir(void)
{
return X509_CERT_DIR;
@@ -32,6 +37,16 @@ const char *X509_get_default_cert_file(v
return X509_CERT_FILE;
}
+const char *X509_get_default_cert_uri_env(void)
+{
+ return X509_CERT_URI_EVP;
+}
+
+const char *X509_get_default_cert_path_env(void)
+{
+ return X509_CERT_PATH_EVP;
+}
+
const char *X509_get_default_cert_dir_env(void)
{
return X509_CERT_DIR_EVP;
--- a/doc/build.info
+++ b/doc/build.info
@@ -2791,6 +2791,10 @@ DEPEND[html/man3/X509_get0_uids.html]=ma
GENERATE[html/man3/X509_get0_uids.html]=man3/X509_get0_uids.pod
DEPEND[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
GENERATE[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod
+DEPEND[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
+GENERATE[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod
+DEPEND[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
+GENERATE[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod
DEPEND[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
GENERATE[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod
DEPEND[man/man3/X509_get_extension_flags.3]=man3/X509_get_extension_flags.pod
@@ -3461,6 +3465,7 @@ html/man3/X509_get0_distinguishing_id.ht
html/man3/X509_get0_notBefore.html \
html/man3/X509_get0_signature.html \
html/man3/X509_get0_uids.html \
+html/man3/X509_get_default_cert_file.html \
html/man3/X509_get_extension_flags.html \
html/man3/X509_get_pubkey.html \
html/man3/X509_get_serialNumber.html \
@@ -4064,6 +4069,7 @@ man/man3/X509_get0_distinguishing_id.3 \
man/man3/X509_get0_notBefore.3 \
man/man3/X509_get0_signature.3 \
man/man3/X509_get0_uids.3 \
+man/man3/X509_get_default_cert_file.3 \
man/man3/X509_get_extension_flags.3 \
man/man3/X509_get_pubkey.3 \
man/man3/X509_get_serialNumber.3 \
--- /dev/null
+++ b/doc/man3/X509_get_default_cert_file.pod
@@ -0,0 +1,113 @@
+=pod
+
+=head1 NAME
+
+X509_get_default_cert_file, X509_get_default_cert_file_env,
+X509_get_default_cert_path_env,
+X509_get_default_cert_dir, X509_get_default_cert_dir_env,
+X509_get_default_cert_uri, X509_get_default_cert_uri_env -
+retrieve default locations for trusted CA certificates
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ const char *X509_get_default_cert_file(void);
+ const char *X509_get_default_cert_dir(void);
+ const char *X509_get_default_cert_uri(void);
+
+ const char *X509_get_default_cert_file_env(void);
+ const char *X509_get_default_cert_path_env(void);
+ const char *X509_get_default_cert_dir_env(void);
+ const char *X509_get_default_cert_uri_env(void);
+
+=head1 DESCRIPTION
+
+The X509_get_default_cert_file() function returns the default path
+to a file containing trusted CA certificates. OpenSSL will use this as
+the default path when it is asked to load trusted CA certificates
+from a file and no other path is specified. If the file exists, CA certificates
+are loaded from the file.
+
+The X509_get_default_cert_dir() function returns a default delimeter-separated
+list of paths to a directories containing trusted CA certificates named in the
+hashed format. OpenSSL will use this as the default list of paths when it is
+asked to load trusted CA certificates from a directory and no other path is
+specified. If a given directory in the list exists, OpenSSL attempts to lookup
+CA certificates in this directory by calculating a filename based on a hash of
+the certificate's subject name.
+
+The X509_get_default_cert_uri() function returns the default URI for a
+certificate store accessed programmatically via an OpenSSL provider. If there is
+no default store applicable to the system for which OpenSSL was compiled, this
+returns an empty string.
+
+X509_get_default_cert_file_env() and X509_get_default_cert_uri_env() return
+environment variable names which are recommended to specify nondefault values to
+be used instead of the values returned by X509_get_default_cert_file() and
+X509_get_default_cert_uri() respectively. The values returned by the latter
+functions are not affected by these environment variables; you must check for
+these environment variables yourself, using these functions to retrieve the
+correct environment variable names. If an environment variable is not set, the
+value returned by the corresponding function above should be used.
+
+X509_get_default_cert_path_env() returns the environment variable name which is
+recommended to specify a nondefault value to be used instead of the value
+returned by X509_get_default_cert_dir(). This environment variable supercedes
+the deprecated environment variable whose name is returned by
+X509_get_default_cert_dir_env(). This environment variable was deprecated as its
+contents can be interpreted ambiguously; see NOTES.
+
+By default, OpenSSL uses the path list specified in the environment variable
+whose name is returned by X509_get_default_cert_path_env() if it is set;
+otherwise, it uses the path list specified in the environment variable whose
+name is returned by X509_get_default_cert_dir_env() if it is set; otherwise, it
+uses the value returned by X509_get_default_cert_dir()).
+
+=head1 NOTES
+
+X509_get_default_cert_uri(), X509_get_default_cert_uri_env() and
+X509_get_default_cert_path_env() were introduced in OpenSSL 3.1. Prior to this
+release, store URIs were expressed via the environment variable returned by
+X509_get_default_cert_dir_env(); this environment variable could be used to
+specify either a list of directories or a store URI. This creates an ambiguity
+in which the environment variable returned by X509_get_default_cert_dir_env() is
+interpreted both as a list of directories and as a store URI.
+
+This usage and the environment variable returned by
+X509_get_default_cert_dir_env() are now deprecated; to specify a store URI, use
+the environment variable returned by X509_get_default_cert_uri_env(), and to
+specify a list of directories, use the environment variable returned by
+X509_get_default_cert_path_env().
+
+=head1 RETURN VALUES
+
+These functions return pointers to constant strings with static storage
+duration.
+
+=head1 SEE ALSO
+
+L<X509_LOOKUP(3)>,
+L<SSL_CTX_set_default_verify_file(3)>,
+L<SSL_CTX_set_default_verify_dir(3)>,
+L<SSL_CTX_set_default_verify_store(3)>,
+L<SSL_CTX_load_verify_file(3)>,
+L<SSL_CTX_load_verify_dir(3)>,
+L<SSL_CTX_load_verify_store(3)>,
+L<SSL_CTX_load_verify_locations(3)>
+
+=head1 HISTORY
+
+X509_get_default_cert_uri(), X509_get_default_cert_path_env() and
+X509_get_default_cert_uri_env() were introduced in OpenSSL 3.1.
+
+=head1 COPYRIGHT
+
+Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
--- a/include/internal/cryptlib.h
+++ b/include/internal/cryptlib.h
@@ -13,6 +13,8 @@
# include <stdlib.h>
# include <string.h>
+# include "openssl/configuration.h"
+# include "internal/e_os.h" /* ossl_inline in many files */
# ifdef OPENSSL_USE_APPLINK
# define BIO_FLAGS_UPLINK_INTERNAL 0x8000
@@ -77,6 +79,14 @@ DEFINE_LHASH_OF_EX(MEM);
# define CTLOG_FILE "OSSL$DATAROOT:[000000]ct_log_list.cnf"
# endif
+#ifndef OPENSSL_NO_WINSTORE
+# define X509_CERT_URI "org.openssl.winstore://"
+#else
+# define X509_CERT_URI ""
+#endif
+
+# define X509_CERT_URI_EVP "SSL_CERT_URI"
+# define X509_CERT_PATH_EVP "SSL_CERT_PATH"
# define X509_CERT_DIR_EVP "SSL_CERT_DIR"
# define X509_CERT_FILE_EVP "SSL_CERT_FILE"
# define CTLOG_FILE_EVP "CTLOG_FILE"
@@ -240,5 +250,4 @@ static ossl_inline int ossl_is_absolute_
# endif
return path[0] == '/';
}
-
#endif
--- a/include/internal/e_os.h
+++ b/include/internal/e_os.h
@@ -249,7 +249,7 @@ FILE *__iob_func();
/***********************************************/
# if defined(OPENSSL_SYS_WINDOWS)
-# if (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
+# if defined(_MSC_VER) && (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
# define open _open
# define fdopen _fdopen
# define close _close
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -491,8 +491,11 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj);
const char *X509_get_default_cert_area(void);
+const char *X509_get_default_cert_uri(void);
const char *X509_get_default_cert_dir(void);
const char *X509_get_default_cert_file(void);
+const char *X509_get_default_cert_uri_env(void);
+const char *X509_get_default_cert_path_env(void);
const char *X509_get_default_cert_dir_env(void);
const char *X509_get_default_cert_file_env(void);
const char *X509_get_default_private_dir(void);
--- a/providers/implementations/include/prov/implementations.h
+++ b/providers/implementations/include/prov/implementations.h
@@ -517,3 +517,4 @@ extern const OSSL_DISPATCH ossl_SubjectP
extern const OSSL_DISPATCH ossl_pem_to_der_decoder_functions[];
extern const OSSL_DISPATCH ossl_file_store_functions[];
+extern const OSSL_DISPATCH ossl_winstore_store_functions[];
--- a/providers/implementations/storemgmt/build.info
+++ b/providers/implementations/storemgmt/build.info
@@ -4,3 +4,6 @@
$STORE_GOAL=../../libdefault.a
SOURCE[$STORE_GOAL]=file_store.c file_store_any2obj.c
+IF[{- !$disabled{winstore} -}]
+ SOURCE[$STORE_GOAL]=winstore_store.c
+ENDIF
--- /dev/null
+++ b/providers/implementations/storemgmt/winstore_store.c
@@ -0,0 +1,327 @@
+/*
+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+#include <openssl/store.h>
+#include <openssl/core_dispatch.h>
+#include <openssl/core_names.h>
+#include <openssl/core_object.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/params.h>
+#include <openssl/decoder.h>
+#include <openssl/proverr.h>
+#include <openssl/store.h> /* The OSSL_STORE_INFO type numbers */
+#include "internal/cryptlib.h"
+#include "internal/o_dir.h"
+#include "crypto/decoder.h"
+#include "crypto/ctype.h" /* ossl_isdigit() */
+#include "prov/implementations.h"
+#include "prov/bio.h"
+#include "file_store_local.h"
+
+#include <wincrypt.h>
+
+enum {
+ STATE_IDLE,
+ STATE_READ,
+ STATE_EOF,
+};
+
+struct winstore_ctx_st {
+ void *provctx;
+ char *propq;
+ unsigned char *subject;
+ size_t subject_len;
+
+ HCERTSTORE win_store;
+ const CERT_CONTEXT *win_ctx;
+ int state;
+
+ OSSL_DECODER_CTX *dctx;
+};
+
+static void winstore_win_reset(struct winstore_ctx_st *ctx)
+{
+ if (ctx->win_ctx != NULL) {
+ CertFreeCertificateContext(ctx->win_ctx);
+ ctx->win_ctx = NULL;
+ }
+
+ ctx->state = STATE_IDLE;
+}
+
+static void winstore_win_advance(struct winstore_ctx_st *ctx)
+{
+ CERT_NAME_BLOB name = {0};
+
+ if (ctx->state == STATE_EOF)
+ return;
+
+ name.cbData = ctx->subject_len;
+ name.pbData = ctx->subject;
+
+ ctx->win_ctx = (name.cbData == 0 ? NULL :
+ CertFindCertificateInStore(ctx->win_store,
+ X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+ 0, CERT_FIND_SUBJECT_NAME,
+ &name, ctx->win_ctx));
+
+ ctx->state = (ctx->win_ctx == NULL) ? STATE_EOF : STATE_READ;
+}
+
+static void *winstore_open(void *provctx, const char *uri)
+{
+ struct winstore_ctx_st *ctx = NULL;
+
+ if (!HAS_CASE_PREFIX(uri, "org.openssl.winstore:"))
+ return NULL;
+
+ ctx = OPENSSL_zalloc(sizeof(*ctx));
+ if (ctx == NULL)
+ return NULL;
+
+ ctx->provctx = provctx;
+ ctx->win_store = CertOpenSystemStoreW(0, L"ROOT");
+ if (ctx->win_store == NULL) {
+ OPENSSL_free(ctx);
+ return NULL;
+ }
+
+ winstore_win_reset(ctx);
+ return ctx;
+}
+
+static void *winstore_attach(void *provctx, OSSL_CORE_BIO *cin)
+{
+ return NULL; /* not supported */
+}
+
+static const OSSL_PARAM *winstore_settable_ctx_params(void *loaderctx, const OSSL_PARAM params[])
+{
+ static const OSSL_PARAM known_settable_ctx_params[] = {
+ OSSL_PARAM_octet_string(OSSL_STORE_PARAM_SUBJECT, NULL, 0),
+ OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, NULL, 0),
+ OSSL_PARAM_END
+ };
+ return known_settable_ctx_params;
+}
+
+static int winstore_set_ctx_params(void *loaderctx, const OSSL_PARAM params[])
+{
+ struct winstore_ctx_st *ctx = loaderctx;
+ const OSSL_PARAM *p;
+ int do_reset = 0;
+
+ if (params == NULL)
+ return 1;
+
+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES);
+ if (p != NULL) {
+ do_reset = 1;
+ OPENSSL_free(ctx->propq);
+ ctx->propq = NULL;
+ if (!OSSL_PARAM_get_utf8_string(p, &ctx->propq, 0))
+ return 0;
+ }
+
+ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SUBJECT);
+ if (p != NULL) {
+ const unsigned char *der = NULL;
+ size_t der_len = 0;
+
+ if (!OSSL_PARAM_get_octet_string_ptr(p, (const void **)&der, &der_len))
+ return 0;
+
+ do_reset = 1;
+
+ OPENSSL_free(ctx->subject);
+
+ ctx->subject = OPENSSL_malloc(der_len);
+ if (ctx->subject == NULL) {
+ ctx->subject_len = 0;
+ return 0;
+ }
+
+ ctx->subject_len = der_len;
+ memcpy(ctx->subject, der, der_len);
+ }
+
+ if (do_reset) {
+ winstore_win_reset(ctx);
+ winstore_win_advance(ctx);
+ }
+
+ return 1;
+}
+
+struct load_data_st {
+ OSSL_CALLBACK *object_cb;
+ void *object_cbarg;
+};
+
+static int load_construct(OSSL_DECODER_INSTANCE *decoder_inst,
+ const OSSL_PARAM *params, void *construct_data)
+{
+ struct load_data_st *data = construct_data;
+ return data->object_cb(params, data->object_cbarg);
+}
+
+static void load_cleanup(void *construct_data)
+{
+ /* No-op. */
+}
+
+static int setup_decoder(struct winstore_ctx_st *ctx)
+{
+ OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(ctx->provctx);
+ const OSSL_ALGORITHM *to_algo = NULL;
+
+ if (ctx->dctx != NULL)
+ return 1;
+
+ ctx->dctx = OSSL_DECODER_CTX_new();
+ if (ctx->dctx == NULL) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ if (!OSSL_DECODER_CTX_set_input_type(ctx->dctx, "DER")) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ if (!OSSL_DECODER_CTX_set_input_structure(ctx->dctx, "Certificate")) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ for (to_algo = ossl_any_to_obj_algorithm;
+ to_algo->algorithm_names != NULL;
+ to_algo++) {
+ OSSL_DECODER *to_obj = NULL;
+ OSSL_DECODER_INSTANCE *to_obj_inst = NULL;
+
+ /*
+ * Create the internal last resort decoder implementation
+ * together with a "decoder instance".
+ * The decoder doesn't need any identification or to be
+ * attached to any provider, since it's only used locally.
+ */
+ to_obj = ossl_decoder_from_algorithm(0, to_algo, NULL);
+ if (to_obj != NULL)
+ to_obj_inst = ossl_decoder_instance_new(to_obj, ctx->provctx);
+
+ OSSL_DECODER_free(to_obj);
+ if (to_obj_inst == NULL)
+ goto err;
+
+ if (!ossl_decoder_ctx_add_decoder_inst(ctx->dctx,
+ to_obj_inst)) {
+ ossl_decoder_instance_free(to_obj_inst);
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+ }
+
+ if (!OSSL_DECODER_CTX_add_extra(ctx->dctx, libctx, ctx->propq)) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ if (!OSSL_DECODER_CTX_set_construct(ctx->dctx, load_construct)) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ if (!OSSL_DECODER_CTX_set_cleanup(ctx->dctx, load_cleanup)) {
+ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB);
+ goto err;
+ }
+
+ return 1;
+
+err:
+ OSSL_DECODER_CTX_free(ctx->dctx);
+ ctx->dctx = NULL;
+ return 0;
+}
+
+static int winstore_load_using(struct winstore_ctx_st *ctx,
+ OSSL_CALLBACK *object_cb, void *object_cbarg,
+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg,
+ const void *der, size_t der_len)
+{
+ struct load_data_st data;
+ const unsigned char *der_ = der;
+ size_t der_len_ = der_len;
+
+ if (setup_decoder(ctx) == 0)
+ return 0;
+
+ data.object_cb = object_cb;
+ data.object_cbarg = object_cbarg;
+
+ OSSL_DECODER_CTX_set_construct_data(ctx->dctx, &data);
+ OSSL_DECODER_CTX_set_passphrase_cb(ctx->dctx, pw_cb, pw_cbarg);
+
+ if (OSSL_DECODER_from_data(ctx->dctx, &der_, &der_len_) == 0)
+ return 0;
+
+ return 1;
+}
+
+static int winstore_load(void *loaderctx,
+ OSSL_CALLBACK *object_cb, void *object_cbarg,
+ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg)
+{
+ int ret = 0;
+ struct winstore_ctx_st *ctx = loaderctx;
+
+ if (ctx->state != STATE_READ)
+ return 0;
+
+ ret = winstore_load_using(ctx, object_cb, object_cbarg, pw_cb, pw_cbarg,
+ ctx->win_ctx->pbCertEncoded,
+ ctx->win_ctx->cbCertEncoded);
+
+ if (ret == 1)
+ winstore_win_advance(ctx);
+
+ return ret;
+}
+
+static int winstore_eof(void *loaderctx)
+{
+ struct winstore_ctx_st *ctx = loaderctx;
+
+ return ctx->state != STATE_READ;
+}
+
+static int winstore_close(void *loaderctx)
+{
+ struct winstore_ctx_st *ctx = loaderctx;
+
+ winstore_win_reset(ctx);
+ CertCloseStore(ctx->win_store, 0);
+ OSSL_DECODER_CTX_free(ctx->dctx);
+ OPENSSL_free(ctx->propq);
+ OPENSSL_free(ctx->subject);
+ OPENSSL_free(ctx);
+ return 1;
+}
+
+const OSSL_DISPATCH ossl_winstore_store_functions[] = {
+ { OSSL_FUNC_STORE_OPEN, (void (*)(void))winstore_open },
+ { OSSL_FUNC_STORE_ATTACH, (void (*)(void))winstore_attach },
+ { OSSL_FUNC_STORE_SETTABLE_CTX_PARAMS, (void (*)(void))winstore_settable_ctx_params },
+ { OSSL_FUNC_STORE_SET_CTX_PARAMS, (void (*)(void))winstore_set_ctx_params },
+ { OSSL_FUNC_STORE_LOAD, (void (*)(void))winstore_load },
+ { OSSL_FUNC_STORE_EOF, (void (*)(void))winstore_eof },
+ { OSSL_FUNC_STORE_CLOSE, (void (*)(void))winstore_close },
+ { 0, NULL },
+};
--- a/providers/stores.inc
+++ b/providers/stores.inc
@@ -12,3 +12,6 @@
#endif
STORE("file", "yes", ossl_file_store_functions)
+#ifndef OPENSSL_NO_WINSTORE
+STORE("org.openssl.winstore", "yes", ossl_winstore_store_functions)
+#endif
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5435,4 +5435,7 @@ EVP_MD_CTX_dup
EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION:
BN_are_coprime 5564 3_1_0 EXIST::FUNCTION:
OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP
+X509_get_default_cert_uri ? 3_1_0 EXIST::FUNCTION:
+X509_get_default_cert_uri_env ? 3_1_0 EXIST::FUNCTION:
+X509_get_default_cert_path_env ? 3_1_0 EXIST::FUNCTION:
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
--- a/util/missingcrypto.txt
+++ b/util/missingcrypto.txt
@@ -1273,10 +1273,6 @@ X509_get0_trust_objects(3)
X509_get1_email(3)
X509_get1_ocsp(3)
X509_get_default_cert_area(3)
-X509_get_default_cert_dir(3)
-X509_get_default_cert_dir_env(3)
-X509_get_default_cert_file(3)
-X509_get_default_cert_file_env(3)
X509_get_default_private_dir(3)
X509_get_pubkey_parameters(3)
X509_get_signature_type(3)

217
openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch Normal file
View File

@ -0,0 +1,217 @@
From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001
From: Clemens Lang <cllang@redhat.com>
Date: Tue, 1 Mar 2022 15:44:18 +0100
Subject: Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures = yes
NOTE: This patch is ported from CentOS 9 / RHEL 9, where it allows SHA1
in seclevel 2 if rh-allow-sha1-signatures = yes. This was chosen because
on CentOS 9 and RHEL 9, the LEGACY crypto policy sets the security level
to 2.
On Fedora 35 (with OpenSSL 1.1) the legacy crypto policy uses security
level 1. Because Fedora 36 supports both OpenSSL 1.1 and OpenSSL 3, and
we want the legacy crypto policy to allow SHA-1 in TLS, the only option
to make this happen consistently in both OpenSSL 1.1 and OpenSSL 3 is
SECLEVEL=1 (which will allow SHA-1 in OpenSSL 1.1) and this change to
allow SHA-1 in SECLEVEL=1 with rh-allow-sha1-signatures = yes (which
will allow SHA-1 in OpenSSL 3).
The change from CentOS 9 / RHEL 9 cannot be applied unmodified, because
rh-allow-sha1-signatures will default to yes in Fedora (according to our
current plans including until F38), and the security level in the
DEFAULT crypto policy is 2, i.e., the unmodified change would weaken the
default configuration.
Related: rhbz#2055796
Related: rhbz#2070977
---
crypto/x509/x509_vfy.c | 20 ++++++++++-
doc/man5/config.pod | 7 ++++
ssl/t1_lib.c | 67 ++++++++++++++++++++++++++++-------
test/recipes/25-test_verify.t | 4 +--
4 files changed, 82 insertions(+), 16 deletions(-)
Index: openssl-3.1.4/crypto/x509/x509_vfy.c
===================================================================
--- openssl-3.1.4.orig/crypto/x509/x509_vfy.c
+++ openssl-3.1.4/crypto/x509/x509_vfy.c
@@ -25,6 +25,7 @@
#include <openssl/objects.h>
#include <openssl/core_names.h>
#include "internal/dane.h"
+#include "internal/sslconf.h"
#include "crypto/x509.h"
#include "x509_local.h"
@@ -3438,14 +3439,31 @@ static int check_sig_level(X509_STORE_CT
{
int secbits = -1;
int level = ctx->param->auth_level;
+ int nid;
+ OSSL_LIB_CTX *libctx = NULL;
if (level <= 0)
return 1;
if (level > NUM_AUTH_LEVELS)
level = NUM_AUTH_LEVELS;
- if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
+ if (ctx->libctx)
+ libctx = ctx->libctx;
+ else if (cert->libctx)
+ libctx = cert->libctx;
+ else
+ libctx = OSSL_LIB_CTX_get0_global_default();
+
+ if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL))
return 0;
+ if ((nid == NID_sha1 || nid == NID_md5_sha1)
+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
+ && ctx->param->auth_level < 2)
+ /* When rh-allow-sha1-signatures = yes and security level <= 1,
+ * explicitly allow SHA1 for backwards compatibility. Also allow
+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+ return 1;
+
return secbits >= minbits_table[level - 1];
}
Index: openssl-3.1.4/doc/man5/config.pod
===================================================================
--- openssl-3.1.4.orig/doc/man5/config.pod
+++ openssl-3.1.4/doc/man5/config.pod
@@ -317,6 +317,13 @@ this option is set to B<no>. Because TL
pseudorandom function (PRF) to derive key material, disabling
B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or newer.
+Note that enabling B<rh-allow-sha1-signatures> will allow TLS signature
+algorithms that use SHA1 in security level 1, despite the definition of
+security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet.
+This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on
+Fedora without requiring to set the security level to 0, which would include
+further insecure algorithms, and thus restores support for TLS 1.0 and 1.1.
+
This is a downstream specific option, and normally it should be set up via crypto-policies.
=item B<fips_mode> (deprecated)
Index: openssl-3.1.4/ssl/t1_lib.c
===================================================================
--- openssl-3.1.4.orig/ssl/t1_lib.c
+++ openssl-3.1.4/ssl/t1_lib.c
@@ -20,6 +20,7 @@
#include <openssl/bn.h>
#include <openssl/provider.h>
#include <openssl/param_build.h>
+#include "crypto/x509.h"
#include "internal/sslconf.h"
#include "internal/nelem.h"
#include "internal/sizes.h"
@@ -1588,19 +1589,28 @@ int tls12_check_peer_sigalg(SSL *s, uint
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST);
return 0;
}
- /*
- * Make sure security callback allows algorithm. For historical
- * reasons we have to pass the sigalg as a two byte char array.
- */
- sigalgstr[0] = (sig >> 8) & 0xff;
- sigalgstr[1] = sig & 0xff;
- secbits = sigalg_security_bits(s->ctx, lu);
- if (secbits == 0 ||
- !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
- md != NULL ? EVP_MD_get_type(md) : NID_undef,
- (void *)sigalgstr)) {
- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
- return 0;
+
+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
+ && SSL_get_security_level(s) < 2) {
+ /* When rh-allow-sha1-signatures = yes and security level <= 1,
+ * explicitly allow SHA1 for backwards compatibility. Also allow
+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+ } else {
+ /*
+ * Make sure security callback allows algorithm. For historical
+ * reasons we have to pass the sigalg as a two byte char array.
+ */
+ sigalgstr[0] = (sig >> 8) & 0xff;
+ sigalgstr[1] = sig & 0xff;
+ secbits = sigalg_security_bits(s->ctx, lu);
+ if (secbits == 0 ||
+ !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
+ md != NULL ? EVP_MD_get_type(md) : NID_undef,
+ (void *)sigalgstr)) {
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE);
+ return 0;
+ }
}
/* Store the sigalg the peer uses */
s->s3.tmp.peer_sigalg = lu;
@@ -2138,6 +2148,15 @@ static int tls12_sigalg_allowed(const SS
}
}
+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
+ && SSL_get_security_level(s) < 2) {
+ /* When rh-allow-sha1-signatures = yes and security level <= 1,
+ * explicitly allow SHA1 for backwards compatibility. Also allow
+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+ return 1;
+ }
+
/* Finally see if security callback allows it */
secbits = sigalg_security_bits(s->ctx, lu);
sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
@@ -3007,6 +3026,8 @@ static int ssl_security_cert_sig(SSL *s,
{
/* Lookup signature algorithm digest */
int secbits, nid, pknid;
+ OSSL_LIB_CTX *libctx = NULL;
+
/* Don't check signature if self signed */
if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0)
return 1;
@@ -3015,6 +3036,26 @@ static int ssl_security_cert_sig(SSL *s,
/* If digest NID not defined use signature NID */
if (nid == NID_undef)
nid = pknid;
+
+ if (x && x->libctx)
+ libctx = x->libctx;
+ else if (ctx && ctx->libctx)
+ libctx = ctx->libctx;
+ else if (s && s->ctx && s->ctx->libctx)
+ libctx = s->ctx->libctx;
+ else
+ libctx = OSSL_LIB_CTX_get0_global_default();
+
+ if ((nid == NID_sha1 || nid == NID_md5_sha1)
+ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0)
+ && ((s != NULL && SSL_get_security_level(s) < 2)
+ || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2)
+ ))
+ /* When rh-allow-sha1-signatures = yes and security level <= 1,
+ * explicitly allow SHA1 for backwards compatibility. Also allow
+ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */
+ return 1;
+
if (s)
return ssl_security(s, op, secbits, nid, x);
else
Index: openssl-3.1.4/test/recipes/25-test_verify.t
===================================================================
--- openssl-3.1.4.orig/test/recipes/25-test_verify.t
+++ openssl-3.1.4/test/recipes/25-test_verify.t
@@ -439,8 +439,8 @@ ok(verify("ee-pss-sha1-cert", "", ["root
ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ),
"CA with PSS signature using SHA256");
-ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"),
- "Reject PSS signature using SHA1 and auth level 1");
+ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
+ "Reject PSS signature using SHA1 and auth level 2");
ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
"PSS signature using SHA256 and auth level 2");

1354
openssl-CVE-2023-50782.patch Normal file
View File

File diff suppressed because it is too large Load Diff

172
openssl-CVE-2023-5678.patch Normal file
View File

@ -0,0 +1,172 @@
From ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6 Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Fri, 20 Oct 2023 09:18:19 +0200
Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
We already check for an excessively large P in DH_generate_key(), but not in
DH_check_pub_key(), and none of them check for an excessively large Q.
This change adds all the missing excessive size checks of P and Q.
It's to be noted that behaviours surrounding excessively sized P and Q
differ. DH_check() raises an error on the excessively sized P, but only
sets a flag for the excessively sized Q. This behaviour is mimicked in
DH_check_pub_key().
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22518)
---
crypto/dh/dh_check.c | 12 ++++++++++++
crypto/dh/dh_err.c | 3 ++-
crypto/dh/dh_key.c | 12 ++++++++++++
crypto/err/openssl.txt | 1 +
include/crypto/dherr.h | 2 +-
include/openssl/dh.h | 6 +++---
include/openssl/dherr.h | 3 ++-
7 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index 7ba2beae7fd6b..e20eb62081c5e 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
*/
int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
{
+ /* Don't do any checks at all with an excessively large modulus */
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
+ return 0;
+ }
+
+ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
+ return 1;
+ }
+
return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
}
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
index 4152397426cc9..f76ac0dd1463f 100644
--- a/crypto/dh/dh_err.c
+++ b/crypto/dh/dh_err.c
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
"parameter encoding error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
{ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
"unable to check generator"},
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index d84ea99241b9e..afc49f5cdc87d 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
goto err;
}
+ if (dh->params.q != NULL
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
+ goto err;
+ }
+
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
return 0;
@@ -267,6 +273,12 @@ static int generate_key(DH *dh)
return 0;
}
+ if (dh->params.q != NULL
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
+ return 0;
+ }
+
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
return 0;
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index a1e6bbb617fcb..69e4f61aa1801 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -513,6 +513,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
DH_R_NO_PRIVATE_VALUE:100:no private value
DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
DH_R_PEER_KEY_ERROR:111:peer key error
+DH_R_Q_TOO_LARGE:130:q too large
DH_R_SHARED_INFO_ERROR:113:shared info error
DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
index bb24d131eb887..519327f795742 100644
--- a/include/crypto/dherr.h
+++ b/include/crypto/dherr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index 8bc17448a0817..f1c0ed06b375a 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -144,7 +144,7 @@ DECLARE_ASN1_ITEM(DHparams)
# define DH_GENERATOR_3 3
# define DH_GENERATOR_5 5
-/* DH_check error codes */
+/* DH_check error codes, some of them shared with DH_check_pub_key */
/*
* NB: These values must align with the equivalently named macros in
* internal/ffc.h.
@@ -154,10 +154,10 @@ DECLARE_ASN1_ITEM(DHparams)
# define DH_UNABLE_TO_CHECK_GENERATOR 0x04
# define DH_NOT_SUITABLE_GENERATOR 0x08
# define DH_CHECK_Q_NOT_PRIME 0x10
-# define DH_CHECK_INVALID_Q_VALUE 0x20
+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
# define DH_CHECK_INVALID_J_VALUE 0x40
# define DH_MODULUS_TOO_SMALL 0x80
-# define DH_MODULUS_TOO_LARGE 0x100
+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */
/* DH_check_pub_key error codes */
# define DH_CHECK_PUBKEY_TOO_SMALL 0x01
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
index 5d2a762a96f8c..074a70145f9f5 100644
--- a/include/openssl/dherr.h
+++ b/include/openssl/dherr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -50,6 +50,7 @@
# define DH_R_NO_PRIVATE_VALUE 100
# define DH_R_PARAMETER_ENCODING_ERROR 105
# define DH_R_PEER_KEY_ERROR 111
+# define DH_R_Q_TOO_LARGE 130
# define DH_R_SHARED_INFO_ERROR 113
# define DH_R_UNABLE_TO_CHECK_GENERATOR 121

109
openssl-CVE-2023-6129.patch Normal file
View File

@ -0,0 +1,109 @@
From 050d26383d4e264966fb83428e72d5d48f402d35 Mon Sep 17 00:00:00 2001
From: Rohan McLure <rmclure@linux.ibm.com>
Date: Thu, 4 Jan 2024 10:25:50 +0100
Subject: [PATCH] poly1305-ppc.pl: Fix vector register clobbering
Fixes CVE-2023-6129
The POLY1305 MAC (message authentication code) implementation in OpenSSL for
PowerPC CPUs saves the the contents of vector registers in different order
than they are restored. Thus the contents of some of these vector registers
is corrupted when returning to the caller. The vulnerable code is used only
on newer PowerPC processors supporting the PowerISA 2.07 instructions.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23200)
(cherry picked from commit 8d847a3ffd4f0b17ee33962cf69c36224925b34f)
---
crypto/poly1305/asm/poly1305-ppc.pl | 42 ++++++++++++++---------------
1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl
index 9f86134d923fb..2e601bb9c24be 100755
--- a/crypto/poly1305/asm/poly1305-ppc.pl
+++ b/crypto/poly1305/asm/poly1305-ppc.pl
@@ -744,7 +744,7 @@
my $LOCALS= 6*$SIZE_T;
my $VSXFRAME = $LOCALS + 6*$SIZE_T;
$VSXFRAME += 128; # local variables
- $VSXFRAME += 13*16; # v20-v31 offload
+ $VSXFRAME += 12*16; # v20-v31 offload
my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0;
@@ -919,12 +919,12 @@
addi r11,r11,32
stvx v22,r10,$sp
addi r10,r10,32
- stvx v23,r10,$sp
- addi r10,r10,32
- stvx v24,r11,$sp
+ stvx v23,r11,$sp
addi r11,r11,32
- stvx v25,r10,$sp
+ stvx v24,r10,$sp
addi r10,r10,32
+ stvx v25,r11,$sp
+ addi r11,r11,32
stvx v26,r10,$sp
addi r10,r10,32
stvx v27,r11,$sp
@@ -1153,12 +1153,12 @@
addi r11,r11,32
stvx v22,r10,$sp
addi r10,r10,32
- stvx v23,r10,$sp
- addi r10,r10,32
- stvx v24,r11,$sp
+ stvx v23,r11,$sp
addi r11,r11,32
- stvx v25,r10,$sp
+ stvx v24,r10,$sp
addi r10,r10,32
+ stvx v25,r11,$sp
+ addi r11,r11,32
stvx v26,r10,$sp
addi r10,r10,32
stvx v27,r11,$sp
@@ -1899,26 +1899,26 @@
mtspr 256,r12 # restore vrsave
lvx v20,r10,$sp
addi r10,r10,32
- lvx v21,r10,$sp
- addi r10,r10,32
- lvx v22,r11,$sp
+ lvx v21,r11,$sp
addi r11,r11,32
- lvx v23,r10,$sp
+ lvx v22,r10,$sp
addi r10,r10,32
- lvx v24,r11,$sp
+ lvx v23,r11,$sp
addi r11,r11,32
- lvx v25,r10,$sp
+ lvx v24,r10,$sp
addi r10,r10,32
- lvx v26,r11,$sp
+ lvx v25,r11,$sp
addi r11,r11,32
- lvx v27,r10,$sp
+ lvx v26,r10,$sp
addi r10,r10,32
- lvx v28,r11,$sp
+ lvx v27,r11,$sp
addi r11,r11,32
- lvx v29,r10,$sp
+ lvx v28,r10,$sp
addi r10,r10,32
- lvx v30,r11,$sp
- lvx v31,r10,$sp
+ lvx v29,r11,$sp
+ addi r11,r11,32
+ lvx v30,r10,$sp
+ lvx v31,r11,$sp
$POP r27,`$VSXFRAME-$SIZE_T*5`($sp)
$POP r28,`$VSXFRAME-$SIZE_T*4`($sp)
$POP r29,`$VSXFRAME-$SIZE_T*3`($sp)

122
openssl-CVE-2023-6237.patch Normal file
View File

@ -0,0 +1,122 @@
From 18c02492138d1eb8b6548cb26e7b625fb2414a2a Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Fri, 22 Dec 2023 16:25:56 +0100
Subject: [PATCH] Limit the execution time of RSA public key check
Fixes CVE-2023-6237
If a large and incorrect RSA public key is checked with
EVP_PKEY_public_check() the computation could take very long time
due to no limit being applied to the RSA public key size and
unnecessarily high number of Miller-Rabin algorithm rounds
used for non-primality check of the modulus.
Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
Also the number of Miller-Rabin rounds was set to 5.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23243)
(cherry picked from commit e09fc1d746a4fd15bb5c3d7bbbab950aadd005db)
---
crypto/rsa/rsa_sp800_56b_check.c | 8 +++-
test/recipes/91-test_pkey_check.t | 2 +-
.../91-test_pkey_check_data/rsapub_17k.pem | 48 +++++++++++++++++++
3 files changed, 56 insertions(+), 2 deletions(-)
create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem
diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
index fc8f19b48770b..bcbdd24fb8199 100644
--- a/crypto/rsa/rsa_sp800_56b_check.c
+++ b/crypto/rsa/rsa_sp800_56b_check.c
@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
return 0;
nbits = BN_num_bits(rsa->n);
+ if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
+ return 0;
+ }
+
#ifdef FIPS_MODULE
/*
* (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1)
@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
goto err;
}
- ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status);
+ /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */
+ ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status);
#ifdef FIPS_MODULE
if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) {
#else
diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
index dc7cc64533af2..f8088df14d36c 100644
--- a/test/recipes/91-test_pkey_check.t
+++ b/test/recipes/91-test_pkey_check.t
@@ -70,7 +70,7 @@ push(@positive_tests, (
"dhpkey.pem"
)) unless disabled("dh");
-my @negative_pubtests = ();
+my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key
push(@negative_pubtests, (
"dsapub_noparam.der"
diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
new file mode 100644
index 0000000000000..9a2eaedaf1b22
--- /dev/null
+++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
@@ -0,0 +1,48 @@
+-----BEGIN PUBLIC KEY-----
+MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR
+B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph
+gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2
+GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/
+XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj
+b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2
+gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq
+TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1
+vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0
+V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j
+/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH
+SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa
+PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y
+Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu
+C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J
+xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo
+F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id
+aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB
+nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi
+R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7
+kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN
+mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux
+AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O
+f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi
+ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH
+UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx
+wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP
+fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4
+y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS
+Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL
+HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ
+eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ
+EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz
+chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq
+4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW
+gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC
+A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK
+FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys
+26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC
+xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J
+pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+
+k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa
+2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q
+Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb
+77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID
+AQAB
+-----END PUBLIC KEY-----

120
openssl-CVE-2024-0727.patch Normal file
View File

@ -0,0 +1,120 @@
From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 19 Jan 2024 11:28:58 +0000
Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL
PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
optional and can be NULL even if the "type" is a valid value. OpenSSL
was not properly accounting for this and a NULL dereference can occur
causing a crash.
CVE-2024-0727
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23362)
(cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)
---
crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++
crypto/pkcs12/p12_mutl.c | 5 +++++
crypto/pkcs12/p12_npas.c | 5 +++--
crypto/pkcs7/pk7_mime.c | 7 +++++--
4 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
index 6fd4184af5a52..80ce31b3bca66 100644
--- a/crypto/pkcs12/p12_add.c
+++ b/crypto/pkcs12/p12_add.c
@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
return NULL;
}
+
+ if (p7->d.data == NULL) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
+ return NULL;
+ }
+
return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
}
@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
{
if (!PKCS7_type_is_encrypted(p7))
return NULL;
+
+ if (p7->d.encrypted == NULL) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
+ return NULL;
+ }
+
return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm,
ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
pass, passlen,
@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12)
ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
return NULL;
}
+
+ if (p12->authsafes->d.data == NULL) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
+ return NULL;
+ }
+
p7s = ASN1_item_unpack(p12->authsafes->d.data,
ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
if (p7s != NULL) {
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index 67a885a45f89e..68ff54d0e90ee 100644
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
return 0;
}
+ if (p12->authsafes->d.data == NULL) {
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
+ return 0;
+ }
+
salt = p12->mac->salt->data;
saltlen = p12->mac->salt->length;
if (p12->mac->iter == NULL)
diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
index 62230bc6187ff..1e5b5495991a4 100644
--- a/crypto/pkcs12/p12_npas.c
+++ b/crypto/pkcs12/p12_npas.c
@@ -77,8 +77,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
bags = PKCS12_unpack_p7data(p7);
} else if (bagnid == NID_pkcs7_encrypted) {
bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
- if (!alg_get(p7->d.encrypted->enc_data->algorithm,
- &pbe_nid, &pbe_iter, &pbe_saltlen))
+ if (p7->d.encrypted == NULL
+ || !alg_get(p7->d.encrypted->enc_data->algorithm,
+ &pbe_nid, &pbe_iter, &pbe_saltlen))
goto err;
} else {
continue;
diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c
index 49a0da5f819c4..8228315eeaa3a 100644
--- a/crypto/pkcs7/pk7_mime.c
+++ b/crypto/pkcs7/pk7_mime.c
@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
int ctype_nid = OBJ_obj2nid(p7->type);
const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
- if (ctype_nid == NID_pkcs7_signed)
+ if (ctype_nid == NID_pkcs7_signed) {
+ if (p7->d.sign == NULL)
+ return 0;
mdalgs = p7->d.sign->md_algs;
- else
+ } else {
mdalgs = NULL;
+ }
flags ^= SMIME_OLDMIME;

116
openssl-CVE-2024-2511.patch Normal file
View File

@ -0,0 +1,116 @@
From 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 5 Mar 2024 15:43:53 +0000
Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
In TLSv1.3 we create a new session object for each ticket that we send.
We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
use then the new session will be added to the session cache. However, if
early data is not in use (and therefore anti-replay protection is being
used), then multiple threads could be resuming from the same session
simultaneously. If this happens and a problem occurs on one of the threads,
then the original session object could be marked as not_resumable. When we
duplicate the session object this not_resumable status gets copied into the
new session object. The new session object is then added to the session
cache even though it is not_resumable.
Subsequently, another bug means that the session_id_length is set to 0 for
sessions that are marked as not_resumable - even though that session is
still in the cache. Once this happens the session can never be removed from
the cache. When that object gets to be the session cache tail object the
cache never shrinks again and grows indefinitely.
CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24044)
---
ssl/ssl_lib.c | 5 +++--
ssl/ssl_sess.c | 28 ++++++++++++++++++++++------
ssl/statem/statem_srvr.c | 5 ++---
3 files changed, 27 insertions(+), 11 deletions(-)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b5cc4af2f0302..e747b7f90aa71 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3737,9 +3737,10 @@ void ssl_update_cache(SSL *s, int mode)
/*
* If the session_id_length is 0, we are not supposed to cache it, and it
- * would be rather hard to do anyway :-)
+ * would be rather hard to do anyway :-). Also if the session has already
+ * been marked as not_resumable we should not cache it for later reuse.
*/
- if (s->session->session_id_length == 0)
+ if (s->session->session_id_length == 0 || s->session->not_resumable)
return;
/*
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index bf84e792251b8..241cf43c46296 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -154,16 +154,11 @@ SSL_SESSION *SSL_SESSION_new(void)
return ss;
}
-SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
-{
- return ssl_session_dup(src, 1);
-}
-
/*
* Create a new SSL_SESSION and duplicate the contents of |src| into it. If
* ticket == 0 then no ticket information is duplicated, otherwise it is.
*/
-SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
{
SSL_SESSION *dest;
@@ -287,6 +282,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
return NULL;
}
+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
+{
+ return ssl_session_dup_intern(src, 1);
+}
+
+/*
+ * Used internally when duplicating a session which might be already shared.
+ * We will have resumed the original session. Subsequently we might have marked
+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
+ * resume from.
+ */
+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
+{
+ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
+
+ if (sess != NULL)
+ sess->not_resumable = 0;
+
+ return sess;
+}
+
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
{
if (len)
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 5d59d53563ed8..8e493176f658e 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
* so the following won't overwrite an ID that we're supposed
* to send back.
*/
- if (s->session->not_resumable ||
- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
- && !s->hit))
+ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
+ && !s->hit)
s->session->session_id_length = 0;
if (usetls13) {

41
openssl-CVE-2024-41996.patch Normal file
View File

@ -0,0 +1,41 @@
From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 5 Aug 2024 17:54:14 +0200
Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for known
safe-prime groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The partial validation is fully sufficient to check the key validity.
Thanks to Szilárd Pfeiffer for reporting the issue.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25088)
---
providers/implementations/keymgmt/dh_kmgmt.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index 82c3093b122c2..ebdce767102ee 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -388,9 +388,11 @@ static int dh_validate_public(const DH *dh, int checktype)
if (pub_key == NULL)
return 0;
- /* The partial test is only valid for named group's with q = (p - 1) / 2 */
- if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK
- && ossl_dh_is_named_safe_prime_group(dh))
+ /*
+ * The partial test is only valid for named group's with q = (p - 1) / 2
+ * but for that case it is also fully sufficient to check the key validity.
+ */
+ if (ossl_dh_is_named_safe_prime_group(dh))
return ossl_dh_check_pub_key_partial(dh, pub_key, &res);
return DH_check_pub_key_ex(dh, pub_key);

199
openssl-CVE-2024-4603.patch Normal file
View File

@ -0,0 +1,199 @@
From 9c39b3858091c152f52513c066ff2c5a47969f0d Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Wed, 8 May 2024 15:23:45 +0200
Subject: [PATCH] Check DSA parameters for excessive sizes before validating
This avoids overly long computation of various validation
checks.
Fixes CVE-2024-4603
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/24346)
(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)
---
CHANGES.md | 17 ++++++
crypto/dsa/dsa_check.c | 44 ++++++++++++--
.../invalid/p10240_q256_too_big.pem | 57 +++++++++++++++++++
3 files changed, 114 insertions(+), 4 deletions(-)
create mode 100644 test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
Index: openssl-3.1.4/crypto/dsa/dsa_check.c
===================================================================
--- openssl-3.1.4.orig/crypto/dsa/dsa_check.c
+++ openssl-3.1.4/crypto/dsa/dsa_check.c
@@ -19,8 +19,34 @@
#include "dsa_local.h"
#include "crypto/dsa.h"
+static int dsa_precheck_params(const DSA *dsa, int *ret)
+{
+ if (dsa->params.p == NULL || dsa->params.q == NULL) {
+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
+ *ret = FFC_CHECK_INVALID_PQ;
+ return 0;
+ }
+
+ if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
+ *ret = FFC_CHECK_INVALID_PQ;
+ return 0;
+ }
+
+ if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
+ *ret = FFC_CHECK_INVALID_PQ;
+ return 0;
+ }
+
+ return 1;
+}
+
int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
{
+ if (!dsa_precheck_params(dsa, ret))
+ return 0;
+
if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params,
FFC_PARAM_TYPE_DSA, ret);
@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa
*/
int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
{
+ if (!dsa_precheck_params(dsa, ret))
+ return 0;
+
return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret)
&& *ret == 0;
}
@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *ds
*/
int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret)
{
+ if (!dsa_precheck_params(dsa, ret))
+ return 0;
+
return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret)
&& *ret == 0;
}
@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *d
{
*ret = 0;
- return (dsa->params.q != NULL
- && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
+ if (!dsa_precheck_params(dsa, ret))
+ return 0;
+
+ return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
}
/*
@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *d
BN_CTX *ctx = NULL;
BIGNUM *pub_key = NULL;
- if (dsa->params.p == NULL
- || dsa->params.g == NULL
+ if (!dsa_precheck_params(dsa, &ret))
+ return 0;
+
+ if (dsa->params.g == NULL
|| dsa->priv_key == NULL
|| dsa->pub_key == NULL)
return 0;
Index: openssl-3.1.4/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
===================================================================
--- /dev/null
+++ openssl-3.1.4/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
@@ -0,0 +1,57 @@
+-----BEGIN DSA PARAMETERS-----
+MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja
+p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil
+XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF
+x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk
+oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW
+dAntpffy4LwOxfbuEhISvKjjQoBwIvYE4TBPqL0Q6bC6HgQ4+tqd9b44pQjdIQjb
+Xcjc6azheITSnPEex3OdKtKoQeRq01qCeLBpMXu1c+CTf4ApKArZvT3vZSg0hM1O
+pR71bRZrEEegDj0LH2HCgI5W6H3blOS9A0kUTddCoQXr2lsVdiPtRbPKH1gcd9FQ
+P8cGrvbakpTiC0dCczOMDaCteM1QNILlkM7ZoV6VghsKvDnFPxFsiIr5GgjasXP5
+hhbn3g7sDoq1LiTEo+IKQY28pBWx7etSOSRuXW/spnvCkivZla7lSEGljoy9QlQ2
+UZmsEQI9G3YyzgpxHvKZBK1CiZVTywdYKTZ4TYCxvqzhYhjv2bqbpjI12HRFLojB
+koyEmMSp53lldCzp158PrIanqSp2rksMR8SmmCL3FwfAp2OjqFMEglG9DT8x0WaN
+TLSkjGC6t2csMte7WyU1ekNoFDKfMjDSAz0+xIx21DEmZtYqFOg1DNPK1xYLS0pl
+RSMRRkJVN2mk/G7/1oxlB8Wb9wgi3GKUqqCYT11SnBjzq0NdoJ3E4GMedp5Lx3AZ
+4mFuRPUd4iV86tE0XDSHSFE7Y3ZkrOjD7Q/26/L53L/UH5z4HW6CHP5os7QERJjg
+c1S3x87wXWo9QXbB9b2xmf+c+aWwAAr1cviw38tru58jF3/IGyduj9H8claKQqBG
+cIOUF4aNe1hK2K3ArAOApUxr4KE+tCvrltRfiTmVFip0g9Jt1CPY3Zu7Bd4Z2ZkE
+DtSztpwa49HrWF5E9xpquvBL2U8jQ68E7Xd8Wp4orI/TIChriamBmdkgRz3H2LvN
+Ozb6+hsnEGrz3sp2RVAToSqA9ysa6nHZdfufPNtMEbQdO/k1ehmGRb0ljBRsO6b2
+rsG2eYuC8tg8eCrIkua0TGRI7g6a4K32AJdzaX6NsISaaIW+OYJuoDSscvD3oOg8
+PPEhU+zM7xJskTA+jxvPlikKx8V7MNHOCQECldJlUBwzJvqp40JvwfnDsF+8VYwd
+UaiieR3pzMzyTjpReXRmZbnRPusRcsVzxb2OhB79wmuy4UPjjQBX+7eD0rs8xxvW
+5a5q1Cjq4AvbwmmcA/wDrHDOjcbD/zodad2O1QtBWa/R4xyWea4zKsflgACE1zY9
+wW2br7+YQFekcrXkkkEzgxd6zxv8KVEDpXRZjmAM1cI5LvkoN64To4GedN8Qe/G7
+R9SZh9gnS17PTP64hK+aYqhFafMdu87q/+qLfxaSux727qE5hiW01u4nnWhACf9s
+xuOozowKqxZxkolMIyZv6Lddwy1Zv5qjCyd0DvM/1skpXWkb9kfabYC+OhjsjVhs
+0Ktfs6a5B3eixiw5x94hhIcTEcS4hmvhGUL72FiTca6ZeSERTKmNBy8CIQC9/ZUN
+uU/V5JTcnYyUGHzm7+XcZBjyGBagBj9rCmW3SQKCBQAJ/k9rb39f1cO+/3XDEMjy
+9bIEXSuS48g5RAc1UGd5nrrBQwuDxGWFyz0yvAY7LgyidZuJS21+MAp9EY7AOMmx
+TDttifNaBJYt4GZ8of166PcqTKkHQwq5uBpxeSDv/ZE8YbYfaCtLTcUC8KlO+l36
+gjJHSkdkflSsGy1yObSNDQDfVAAwQs//TjDMnuEtvlNXZllsTvFFBceXVETn10K2
+ZMmdSIJNfLnjReUKEN6PfeGqv7F4xoyGwUybEfRE4u5RmXrqCODaIjY3SNMrOq8B
+R3Ata/cCozsM1jIdIW2z+OybDJH+BYsYm2nkSZQjZS6javTYClLrntEKG/hAQwL8
+F16YLOQXpHhgiAaWnTZzANtLppB2+5qCVy5ElzKongOwT8JTjTFXOaRnqe/ngm9W
+SSbrxfDaoWUOyK9XD8Cydzpv3n4Y8nWNGayi7/yAFCU36Ri040ufgv/TZLuKacnl
++3ga3ZUpRlSigzx0kb1+KjTSWeQ8vE/psdWjvBukVEbzdUauMLyRLo/6znSVvvPX
+UGhviThE5uhrsUg+wEPFINriSHfF7JDKVhDcJnLBdaXvfN52pkF/naLBF5Rt3Gvq
+fjCxjx0Sy9Lag1hDN4dor7dzuO7wmwOS01DJW1PtNLuuH0Bbqh1kYSaQkmyXBZWX
+qo8K3nkoDM0niOtJJubOhTNrGmSaZpNXkK3Mcy9rBbdvEs5O0Jmqaax/eOdU0Yot
+B3lX+3ddOseT2ZEFjzObqTtkWuFBeBxuYNcRTsu3qMdIBsEb8URQdsTtjoIja2fK
+hreVgjK36GW70KXEl8V/vq5qjQulmqkBEjmilcDuiREKqQuyeagUOnhQaBplqVco
+4xznh5DMBMRbpGb5lHxKv4cPNi+uNAJ5i98zWUM1JRt6aXnRCuWcll1z8fRZ+5kD
+vK9FaZU3VRMK/eknEG49cGr8OuJ6ZRSaC+tKwV1y+amkSZpKPWnk2bUnQI3ApJv3
+k1e1EToeECpMUkLMDgNbpKBoz4nqMEvAAlYgw9xKNbLlQlahqTVEAmaJHh4yDMDy
+i7IZ9Wrn47IGoR7s3cvhDHUpRPeW4nsmgzj+tf5EAxemI61STZJTTWo0iaPGJxct
+9nhOOhw1I38Mvm4vkAbFH7YJ0B6QrjjYL2MbOTp5JiIh4vdOeWwNo9/y4ffyaN5+
+ADpxuuIAmcbdr6GPOhkOFFixRJa0B2eP1i032HESlLs8RB9oYtdTXdXQotnIgJGd
+Y8tSKOa1zjzeLHn3AVpRZTUW++/BxmApV3GKIeG8fsUjg/df0QRrBcdC/1uccdaG
+KKlAOwlywVn5jUlwHkTmDiTM9w5AqVVGHZ2b+4ZgQW8jnPKN0SrKf6U555D+zp7E
+x4uXoE8ojN9y8m8UKf0cTLnujH2XgZorjPfuMOt5VZEhQFMS2QaljSeni5CJJ8gk
+XtztNqfBlAtWR4V5iAHeQOfIB2YaOy8GESda89tyKraKeaez41VblpTVHTeq9IIF
+YB4cQA2PfuNaGVRGLMAgT3Dvl+mxxxeJyxnGAiUcETU/jJJt9QombiuszBlYGQ5d
+ELOSm/eQSRARV9zNSt5jaQlMSjMBqenIEM09BzYqa7jDwqoztFxNdO8bcuQPuKwa
+4z3bBZ1yYm63WFdNbQqqGEwc0OYmqg1raJ0zltgHyjFyw8IGu4g/wETs+nVQcH7D
+vKuje86bePD6kD/LH3wmkA==
+-----END DSA PARAMETERS-----
Index: openssl-3.1.4/CHANGES.md
===================================================================
--- openssl-3.1.4.orig/CHANGES.md
+++ openssl-3.1.4/CHANGES.md
@@ -22,6 +22,23 @@ OpenSSL Releases
OpenSSL 3.1
-----------
+ * Fixed an issue where checking excessively long DSA keys or parameters may
+ be very slow.
+
+ Applications that use the functions EVP_PKEY_param_check() or
+ EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
+ experience long delays. Where the key or parameters that are being checked
+ have been obtained from an untrusted source this may lead to a Denial of
+ Service.
+
+ To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
+ will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
+ reason.
+
+ ([CVE-2024-4603])
+
+ *Tomáš Mráz*
+
### Changes between 3.1.3 and 3.1.4 [24 Oct 2023]
* Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),

28
openssl-CVE-2024-4741.patch Normal file
View File

@ -0,0 +1,28 @@
@@ -, +, @@
---
ssl/record/methods/tls_common.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- openssl-3.0.8/ssl/record/ssl3_buffer.c
+++ openssl-3.0.8/ssl/record/ssl3_buffer.c
@@ -186,5 +186,7 @@ int ssl3_release_read_buffer(SSL *s)
OPENSSL_cleanse(b->buf, b->len);
OPENSSL_free(b->buf);
b->buf = NULL;
+ s->rlayer.packet = NULL;
+ s->rlayer.packet_length = 0;
return 1;
}
--- openssl-3.0.8/ssl/record/rec_layer_s3.c
+++ openssl-3.0.8/ssl/record/rec_layer_s3.c
@@ -238,6 +238,11 @@ int ssl3_read_n(SSL *s, size_t n, size_t
s->rlayer.packet_length = 0;
/* ... now we can act as if 'extend' was set */
}
+ if (!ossl_assert(s->rlayer.packet != NULL)) {
+ /* does not happen */
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return -1;
+ }
len = s->rlayer.packet_length;
pkt = rb->buf + align;

326
openssl-CVE-2024-5535.patch Normal file
View File

@ -0,0 +1,326 @@
From 4ada436a1946cbb24db5ab4ca082b69c1bc10f37 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 11:14:33 +0100
Subject: [PATCH] Fix SSL_select_next_proto
Ensure that the provided client list is non-NULL and starts with a valid
entry. When called from the ALPN callback the client list should already
have been validated by OpenSSL so this should not cause a problem. When
called from the NPN callback the client list is locally configured and
will not have already been validated. Therefore SSL_select_next_proto
should not assume that it is correctly formatted.
We implement stricter checking of the client protocol list. We also do the
same for the server list while we are about it.
CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24718)
---
ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
1 file changed, 40 insertions(+), 23 deletions(-)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 5493d9b9c7..f218dcf1db 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2953,37 +2953,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
unsigned int server_len,
const unsigned char *client, unsigned int client_len)
{
- unsigned int i, j;
- const unsigned char *result;
- int status = OPENSSL_NPN_UNSUPPORTED;
+ PACKET cpkt, csubpkt, spkt, ssubpkt;
+
+ if (!PACKET_buf_init(&cpkt, client, client_len)
+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
+ || PACKET_remaining(&csubpkt) == 0) {
+ *out = NULL;
+ *outlen = 0;
+ return OPENSSL_NPN_NO_OVERLAP;
+ }
+
+ /*
+ * Set the default opportunistic protocol. Will be overwritten if we find
+ * a match.
+ */
+ *out = (unsigned char *)PACKET_data(&csubpkt);
+ *outlen = (unsigned char)PACKET_remaining(&csubpkt);
/*
* For each protocol in server preference order, see if we support it.
*/
- for (i = 0; i < server_len;) {
- for (j = 0; j < client_len;) {
- if (server[i] == client[j] &&
- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
- /* We found a match */
- result = &server[i];
- status = OPENSSL_NPN_NEGOTIATED;
- goto found;
+ if (PACKET_buf_init(&spkt, server, server_len)) {
+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
+ if (PACKET_remaining(&ssubpkt) == 0)
+ continue; /* Invalid - ignore it */
+ if (PACKET_buf_init(&cpkt, client, client_len)) {
+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
+ PACKET_remaining(&ssubpkt))) {
+ /* We found a match */
+ *out = (unsigned char *)PACKET_data(&ssubpkt);
+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
+ return OPENSSL_NPN_NEGOTIATED;
+ }
+ }
+ /* Ignore spurious trailing bytes in the client list */
+ } else {
+ /* This should never happen */
+ return OPENSSL_NPN_NO_OVERLAP;
}
- j += client[j];
- j++;
}
- i += server[i];
- i++;
+ /* Ignore spurious trailing bytes in the server list */
}
- /* There's no overlap between our protocols and the server's list. */
- result = client;
- status = OPENSSL_NPN_NO_OVERLAP;
-
- found:
- *out = (unsigned char *)result + 1;
- *outlen = result[0];
- return status;
+ /*
+ * There's no overlap between our protocols and the server's list. We use
+ * the default opportunistic protocol selected earlier
+ */
+ return OPENSSL_NPN_NO_OVERLAP;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
--
2.45.2
From 4279c89a726025c758db3dafb263b17e52211304 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 11:18:27 +0100
Subject: [PATCH] More correctly handle a selected_len of 0 when
processing NPN
In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but
the selected_len is 0 we should fail. Previously this would fail with an
internal_error alert because calling OPENSSL_malloc(selected_len) will
return NULL when selected_len is 0. We make this error detection more
explicit and return a handshake failure alert.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24718)
---
ssl/statem/extensions_clnt.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 842be0722b..a07dc62e9a 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1536,7 +1536,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
PACKET_data(pkt),
PACKET_remaining(pkt),
s->ctx->ext.npn_select_cb_arg) !=
- SSL_TLSEXT_ERR_OK) {
+ SSL_TLSEXT_ERR_OK
+ || selected_len == 0) {
SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION);
return 0;
}
--
2.45.2
From 889ed19ba25abebd2690997acd6d4791cbe5c493 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 31 May 2024 11:46:38 +0100
Subject: [PATCH] Clarify the SSL_select_next_proto() documentation
We clarify the input preconditions and the expected behaviour in the event
of no overlap.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24718)
---
doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
index 102e657851..a29557dd91 100644
--- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
set the list of protocols available to be negotiated. The B<protos> must be in
protocol-list format, described below. The length of B<protos> is specified in
-B<protos_len>.
+B<protos_len>. Setting B<protos_len> to 0 clears any existing list of ALPN
+protocols and no ALPN extension will be sent to the server.
SSL_CTX_set_alpn_select_cb() sets the application callback B<cb> used by a
server to select which protocol to use for the incoming connection. When B<cb>
@@ -73,9 +74,16 @@ B<server_len> and B<client>, B<client_len> must be in the protocol-list format
described below. The first item in the B<server>, B<server_len> list that
matches an item in the B<client>, B<client_len> list is selected, and returned
in B<out>, B<outlen>. The B<out> value will point into either B<server> or
-B<client>, so it should be copied immediately. If no match is found, the first
-item in B<client>, B<client_len> is returned in B<out>, B<outlen>. This
-function can also be used in the NPN callback.
+B<client>, so it should be copied immediately. The client list must include at
+least one valid (nonempty) protocol entry in the list.
+
+The SSL_select_next_proto() helper function can be useful from either the ALPN
+callback or the NPN callback (described below). If no match is found, the first
+item in B<client>, B<client_len> is returned in B<out>, B<outlen> and
+B<OPENSSL_NPN_NO_OVERLAP> is returned. This can be useful when implementating
+the NPN callback. In the ALPN case, the value returned in B<out> and B<outlen>
+must be ignored if B<OPENSSL_NPN_NO_OVERLAP> has been returned from
+SSL_select_next_proto().
SSL_CTX_set_next_proto_select_cb() sets a callback B<cb> that is called when a
client needs to select a protocol from the server's provided list, and a
@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B<in>).
The length of the protocol name must be written into B<outlen>. The
server's advertised protocols are provided in B<in> and B<inlen>. The
callback can assume that B<in> is syntactically valid. The client must
-select a protocol. It is fatal to the connection if this callback returns
-a value other than B<SSL_TLSEXT_ERR_OK>. The B<arg> parameter is the pointer
-set via SSL_CTX_set_next_proto_select_cb().
+select a protocol (although it may be an empty, zero length protocol). It is
+fatal to the connection if this callback returns a value other than
+B<SSL_TLSEXT_ERR_OK> or if the zero length protocol is selected. The B<arg>
+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
SSL_CTX_set_next_protos_advertised_cb() sets a callback B<cb> that is called
when a TLS server needs a list of supported protocols for Next Protocol
@@ -149,7 +158,8 @@ A match was found and is returned in B<out>, B<outlen>.
=item OPENSSL_NPN_NO_OVERLAP
No match was found. The first item in B<client>, B<client_len> is returned in
-B<out>, B<outlen>.
+B<out>, B<outlen> (or B<NULL> and 0 in the case where the first entry in
+B<client> is invalid).
=back
--
2.45.2
From 087501b4f572825e27ca8cc2c5874fcf6fd47cf7 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 21 Jun 2024 10:41:55 +0100
Subject: [PATCH] Correct return values for
tls_construct_stoc_next_proto_neg
Return EXT_RETURN_NOT_SENT in the event that we don't send the extension,
rather than EXT_RETURN_SENT. This actually makes no difference at all to
the current control flow since this return value is ignored in this case
anyway. But lets make it correct anyway.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24718)
---
ssl/statem/extensions_srvr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 4ea085e1a1..2da880450f 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1476,9 +1476,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt,
return EXT_RETURN_FAIL;
}
s->s3.npn_seen = 1;
+ return EXT_RETURN_SENT;
}
- return EXT_RETURN_SENT;
+ return EXT_RETURN_NOT_SENT;
}
#endif
--
2.45.2
From 017e54183b95617825fb9316d618c154a34c634e Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 21 Jun 2024 11:51:54 +0100
Subject: [PATCH] Add ALPN validation in the client
The ALPN protocol selected by the server must be one that we originally
advertised. We should verify that it is.
Follow on from CVE-2024-5535
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24718)
---
ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index a07dc62e9a..b21ccf9273 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1566,6 +1566,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
size_t chainidx)
{
size_t len;
+ PACKET confpkt, protpkt;
+ int valid = 0;
/* We must have requested it. */
if (!s->s3.alpn_sent) {
@@ -1584,6 +1586,28 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
return 0;
}
+
+ /* It must be a protocol that we sent */
+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) {
+ if (PACKET_remaining(&protpkt) != len)
+ continue;
+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) {
+ /* Valid protocol found */
+ valid = 1;
+ break;
+ }
+ }
+
+ if (!valid) {
+ /* The protocol sent from the server does not match one we advertised */
+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
+ return 0;
+ }
+
OPENSSL_free(s->s3.alpn_selected);
s->s3.alpn_selected = OPENSSL_malloc(len);
if (s->s3.alpn_selected == NULL) {
--
2.45.2

255
openssl-CVE-2024-6119.patch Normal file
View File

@ -0,0 +1,255 @@
commit 97ebe37033e8884f4cca5544a74376633c665e11
Author: Viktor Dukhovni <viktor@openssl.org>
Date: Wed Jun 19 21:04:11 2024 +1000
Avoid type errors in EAI-related name check logic.
The incorrectly typed data is read only, used in a compare operation, so
neither remote code execution, nor memory content disclosure were possible.
However, applications performing certificate name checks were vulnerable to
denial of service.
The GENERAL_TYPE data type is a union, and we must take care to access the
correct member, based on `gen->type`, not all the member fields have the same
structure, and a segfault is possible if the wrong member field is read.
The code in question was lightly refactored with the intent to make it more
obviously correct.
CVE-2024-6119
(cherry picked from commit 1486960d6cdb052e4fc0109a56a0597b4e902ba1)
diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
index 1a18174995..a09414c972 100644
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@@ -916,36 +916,64 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
ASN1_STRING *cstr;
gen = sk_GENERAL_NAME_value(gens, i);
- if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) {
- if (OBJ_obj2nid(gen->d.otherName->type_id) ==
- NID_id_on_SmtpUTF8Mailbox) {
- san_present = 1;
-
- /*
- * If it is not a UTF8String then that is unexpected and we
- * treat it as no match
- */
- if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
- cstr = gen->d.otherName->value->value.utf8string;
-
- /* Positive on success, negative on error! */
- if ((rv = do_check_string(cstr, 0, equal, flags,
- chk, chklen, peername)) != 0)
- break;
- }
- } else
+ switch (gen->type) {
+ default:
+ continue;
+ case GEN_OTHERNAME:
+ switch (OBJ_obj2nid(gen->d.otherName->type_id)) {
+ default:
continue;
- } else {
- if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME))
+ case NID_id_on_SmtpUTF8Mailbox:
+ /*-
+ * https://datatracker.ietf.org/doc/html/rfc8398#section-3
+ *
+ * Due to name constraint compatibility reasons described
+ * in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT
+ * be used unless the local-part of the email address
+ * contains non-ASCII characters. When the local-part is
+ * ASCII, rfc822Name subjectAltName MUST be used instead
+ * of SmtpUTF8Mailbox. This is compatible with legacy
+ * software that supports only rfc822Name (and not
+ * SmtpUTF8Mailbox). [...]
+ *
+ * SmtpUTF8Mailbox is encoded as UTF8String.
+ *
+ * If it is not a UTF8String then that is unexpected, and
+ * we ignore the invalid SAN (neither set san_present nor
+ * consider it a candidate for equality). This does mean
+ * that the subject CN may be considered, as would be the
+ * case when the malformed SmtpUtf8Mailbox SAN is instead
+ * simply absent.
+ *
+ * When CN-ID matching is not desirable, applications can
+ * choose to turn it off, doing so is at this time a best
+ * practice.
+ */
+ if (check_type != GEN_EMAIL
+ || gen->d.otherName->value->type != V_ASN1_UTF8STRING)
+ continue;
+ alt_type = 0;
+ cstr = gen->d.otherName->value->value.utf8string;
+ break;
+ }
+ break;
+ case GEN_EMAIL:
+ if (check_type != GEN_EMAIL)
continue;
- }
- san_present = 1;
- if (check_type == GEN_EMAIL)
cstr = gen->d.rfc822Name;
- else if (check_type == GEN_DNS)
+ break;
+ case GEN_DNS:
+ if (check_type != GEN_DNS)
+ continue;
cstr = gen->d.dNSName;
- else
+ break;
+ case GEN_IPADD:
+ if (check_type != GEN_IPADD)
+ continue;
cstr = gen->d.iPAddress;
+ break;
+ }
+ san_present = 1;
/* Positive on success, negative on error! */
if ((rv = do_check_string(cstr, alt_type, equal, flags,
chk, chklen, peername)) != 0)
diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t
index 522982ddfb..e18735d89a 100644
--- a/test/recipes/25-test_eai_data.t
+++ b/test/recipes/25-test_eai_data.t
@@ -21,16 +21,18 @@ setup("test_eai_data");
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem
#./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem
-plan tests => 12;
+plan tests => 16;
require_ok(srctop_file('test','recipes','tconversion.pl'));
my $folder = "test/recipes/25-test_eai_data";
my $ascii_pem = srctop_file($folder, "ascii_leaf.pem");
my $utf8_pem = srctop_file($folder, "utf8_leaf.pem");
+my $kdc_pem = srctop_file($folder, "kdc-cert.pem");
my $ascii_chain_pem = srctop_file($folder, "ascii_chain.pem");
my $utf8_chain_pem = srctop_file($folder, "utf8_chain.pem");
+my $kdc_chain_pem = srctop_file($folder, "kdc-root-cert.pem");
my $out;
my $outcnt = 0;
@@ -56,10 +58,18 @@ SKIP: {
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem])));
ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem])));
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem])));
ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem])));
ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $ascii_pem])));
+# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated).
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
+# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated).
+ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'joe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
+# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String.
+ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'moe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem])));
+
#Check that we get the expected failure return code
with({ exit_checker => sub { return shift == 2; } },
sub {
diff --git a/test/recipes/25-test_eai_data/kdc-cert.pem b/test/recipes/25-test_eai_data/kdc-cert.pem
new file mode 100644
index 0000000000..e8a2c6f55d
--- /dev/null
+++ b/test/recipes/25-test_eai_data/kdc-cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbDCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
+MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAXMRUwEwYDVQQDDAxU
+RVNULkVYQU1QTEUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6wfP+
+6go79dkpo/dGLMlPZ7Gw/Q6gUYrCWZWUEgEeRVHCrqOlgUEyA+PcWas/XDPUxXry
+BQlJHLvlqamAQn8gs4QPBARFYWKNiTVGyaRkgNA1N5gqyZdrP9UE+ZJmdqxRAAe8
+vvpGZWSgevPhLUiSCFYDiD0Rtji2Hm3rGUrReQFBQDEw2pNGwz9zIaxUs08kQZcx
+Yzyiplz5Oau+R/6sAgUwDlrD9xOlUxx/tA/MSDIfkK8qioU11uUZtO5VjkNQy/bT
+7zQMmXxWgm2MIgOs1u4YN7YGOtgqHE9v9iPHHfgrkbQDtVDGQsa8AQEhkUDSCtW9
+3VFAKx6dGNXYzFwfAgMBAAGjgcgwgcUwHQYDVR0OBBYEFFR5tZycW19DmtbL4Zqj
+te1c2vZLMAkGA1UdIwQCMAAwCQYDVR0TBAIwADCBjQYDVR0RBIGFMIGCoD8GBisG
+AQUCAqA1MDOgDhsMVEVTVC5FWEFNUExFoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxU
+RVNULkVYQU1QTEWgHQYIKwYBBQUHCAmgERYPbW9lQGV4YW1wbGUuY29tgQ9qb2VA
+ZXhhbXBsZS5jb22CD214MS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
+T0xzVtVpRtaOzIhgzw7XQUdzWD5UEGSJJ1cBCOmKUWwDLTAouCYLFB4TbEE7MMUb
+iuMy60bjmVtvfJIXorGUgSadRe5RWJ5DamJWvPA0Q9x7blnEcXqEF+9Td+ypevgU
+UYHFmg83OYwxOsFXZ5cRuXMk3WCsDHQIBi6D1L6oDDZ2pfArs5mqm3thQKVlqyl1
+El3XRYEdqAz/5eCOFNfwxF0ALxjxVr/Z50StUZU8I7Zfev6+kHhyrR7dqzYJImv9
+0fTCOBEMjIETDsrA70OxAMu4V16nrWZdJdvzblS2qrt97Omkj+2kiPAJFB76RpwI
+oDQ9fKfUOAmUFth2/R/eGA==
+-----END CERTIFICATE-----
diff --git a/test/recipes/25-test_eai_data/kdc-root-cert.pem b/test/recipes/25-test_eai_data/kdc-root-cert.pem
new file mode 100644
index 0000000000..a74c96bf31
--- /dev/null
+++ b/test/recipes/25-test_eai_data/kdc-root-cert.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICnDCCAYQCCQCBswYcrlZSHjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARS
+b290MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAPMQ0wCwYDVQQD
+DARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRj8S4kBbIUj
+61kZfi6nE35Q38U140+qt4uAiwAhKumfVHlBM0zQ98WFt5zMHIBQwIb3yjc2zj+0
+qzUnQfwm1r/RfcMmBPEti9Ge+aEMSsds2gMXziOFM8wd2aAFPy7UVE0XpEWofsRK
+MGi61MKVdPSbGIxBwY9VW38/7D/wf1HtJe7y0xpuecR7GB2XAs+qST59NjuF+7wS
+dLM8Hb3TATgeYbXXWsRJgwz+SPzExg5WmLnU+7y4brZ32dHtdSmkRVSgSlaIf7Xj
+3Tc6Zi7I+W/JYk7hy1zUexVdWCak4PHcoWrXe0gNNN/t8VfLfMExt5z/HIylXnU7
+pGUyqZlTGQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAHpLF1UCRy7b6Hk0rLokxI
+lgwiH9BU9mktigAGASvkbllpt+YbUbWnuYAvpHBGiP1qZtfX2r96UrSJaGO9BEzT
+Gp9ThnSjoj4Srul0+s/NArU22irFLmDzbalgevAmm9gMGkdqkiIm/mXbwrPj0ncl
+KGicevXryVpvaP62eZ8cc3C4p97frMmXxRX8sTdQpD/gRI7prdEILRSKveqT+AEW
+7rFGM5AOevb4U8ddop8A3D/kX0wcCAIBF6jCNk3uEJ57jVcagL04kPnVfdRiedTS
+vfq1DRNcD29d1H/9u0fHdSn1/+8Ep3X+afQ3C6//5NvOEaXcIGO4QSwkprQydfv8
+-----END CERTIFICATE-----
diff --git a/test/recipes/25-test_eai_data/kdc.sh b/test/recipes/25-test_eai_data/kdc.sh
new file mode 100755
index 0000000000..7a8dbc719f
--- /dev/null
+++ b/test/recipes/25-test_eai_data/kdc.sh
@@ -0,0 +1,41 @@
+#! /usr/bin/env bash
+
+# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and
+# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS
+# name SAN. In the vulnerable EAI code, the KDC principal `otherName` should
+# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox`
+# should likewise lead to ASAN issues with email name checks.
+
+rm -f root-key.pem root-cert.pem
+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \
+ -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem
+
+exts=$(
+ printf "%s\n%s\n%s\n%s = " \
+ "subjectKeyIdentifier = hash" \
+ "authorityKeyIdentifier = keyid" \
+ "basicConstraints = CA:false" \
+ "subjectAltName"
+ printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name"
+ printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com"
+ printf "%s, " "email:joe@example.com"
+ printf "%s\n" "DNS:mx1.example.com"
+ printf "[kdc_princ_name]\n"
+ printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n"
+ printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n"
+ printf "[kdc_principal_seq]\n"
+ printf "name_type = EXP:0, INTEGER:1\n"
+ printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n"
+ printf "[kdc_principal_components]\n"
+ printf "princ1 = GeneralString:krbtgt\n"
+ printf "princ2 = GeneralString:TEST.EXAMPLE\n"
+ )
+
+printf "%s\n" "$exts"
+
+openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \
+ -subj "/CN=TEST.EXAMPLE" |
+ openssl x509 -req -out kdc-cert.pem \
+ -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \
+ -set_serial 2 -days 36524 \
+ -extfile <(printf "%s\n" "$exts")

198
openssl-CVE-2024-9143.patch Normal file
View File

@ -0,0 +1,198 @@
From fdf6723362ca51bd883295efe206cb5b1cfa5154 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni <viktor@openssl.org>
Date: Thu, 19 Sep 2024 01:02:40 +1000
Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
The BN_GF2m_poly2arr() function converts characteristic-2 field
(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
to a compact array with just the exponents of the non-zero terms.
These polynomials are then used in BN_GF2m_mod_arr() to perform modular
reduction. A precondition of calling BN_GF2m_mod_arr() is that the
polynomial must have a non-zero constant term (i.e. the array has `0` as
its final element).
Internally, callers of BN_GF2m_poly2arr() did not verify that
precondition, and binary EC curve parameters with an invalid polynomial
could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
The precondition is always true for polynomials that arise from the
standard form of EC parameters for characteristic-two fields (X9.62).
See the "Finite Field Identification" section of:
https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
basis X9.62 forms.
This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
Additionally, the return value is made unambiguous when there is not
enough space to also pad the array with a final `-1` sentinel value.
The return value is now always the number of elements (including the
final `-1`) that would be filled when the output array is sufficiently
large. Previously the same count was returned both when the array has
just enough room for the final `-1` and when it had only enough space
for non-sentinel values.
Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
CPU exhausition attacks via excessively large inputs.
The above issues do not arise in processing X.509 certificates. These
generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
disallows explicit EC parameters. The TLS code in OpenSSL enforces this
constraint only after the certificate is decoded, but, even if explicit
parameters are specified, they are in X9.62 form, which cannot represent
problem values as noted above.
Initially reported as oss-fuzz issue 71623.
A closely related issue was earlier reported in
<https://github.com/openssl/openssl/issues/19826>.
Severity: Low, CVE-2024-9143
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25639)
(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
---
crypto/bn/bn_gf2m.c | 28 +++++++++++++++-------
test/ec_internal_test.c | 51 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 71 insertions(+), 8 deletions(-)
diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
index c811ae82d6b15..bcc66613cc14d 100644
--- a/crypto/bn/bn_gf2m.c
+++ b/crypto/bn/bn_gf2m.c
@@ -15,6 +15,7 @@
#include "bn_local.h"
#ifndef OPENSSL_NO_EC2M
+# include <openssl/ec.h>
/*
* Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
/*
* Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
* x^i) into an array of integers corresponding to the bits with non-zero
- * coefficient. Array is terminated with -1. Up to max elements of the array
- * will be filled. Return value is total number of array elements that would
- * be filled if array was large enough.
+ * coefficient. The array is intended to be suitable for use with
+ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
+ * zero. This translates to a requirement that the input BIGNUM `a` is odd.
+ *
+ * Given sufficient room, the array is terminated with -1. Up to max elements
+ * of the array will be filled.
+ *
+ * The return value is total number of array elements that would be filled if
+ * array was large enough, including the terminating `-1`. It is `0` when `a`
+ * is not odd or the constant term is zero contrary to requirement.
+ *
+ * The return value is also `0` when the leading exponent exceeds
+ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
*/
int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
{
int i, j, k = 0;
BN_ULONG mask;
- if (BN_is_zero(a))
+ if (!BN_is_odd(a))
return 0;
for (i = a->top - 1; i >= 0; i--) {
@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
}
}
- if (k < max) {
+ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
+ return 0;
+
+ if (k < max)
p[k] = -1;
- k++;
- }
- return k;
+ return k + 1;
}
/*
diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
index 8c2cd05631696..02cfd4e9d8858 100644
--- a/test/ec_internal_test.c
+++ b/test/ec_internal_test.c
@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
}
#ifndef OPENSSL_NO_EC2M
+/* Test that decoding of invalid GF2m field parameters fails. */
+static int ec2m_field_sanity(void)
+{
+ int ret = 0;
+ BN_CTX *ctx = BN_CTX_new();
+ BIGNUM *p, *a, *b;
+ EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
+
+ TEST_info("Testing GF2m hardening\n");
+
+ BN_CTX_start(ctx);
+ p = BN_CTX_get(ctx);
+ a = BN_CTX_get(ctx);
+ if (!TEST_ptr(b = BN_CTX_get(ctx))
+ || !TEST_true(BN_one(a))
+ || !TEST_true(BN_one(b)))
+ goto out;
+
+ /* Even pentanomial value should be rejected */
+ if (!TEST_true(BN_set_word(p, 0xf2)))
+ goto out;
+ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+ TEST_error("Zero constant term accepted in GF2m polynomial");
+
+ /* Odd hexanomial should also be rejected */
+ if (!TEST_true(BN_set_word(p, 0xf3)))
+ goto out;
+ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+ TEST_error("Hexanomial accepted as GF2m polynomial");
+
+ /* Excessive polynomial degree should also be rejected */
+ if (!TEST_true(BN_set_word(p, 0x71))
+ || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
+ goto out;
+ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+ TEST_error("GF2m polynomial degree > %d accepted",
+ OPENSSL_ECC_MAX_FIELD_BITS);
+
+ ret = group1 == NULL && group2 == NULL && group3 == NULL;
+
+ out:
+ EC_GROUP_free(group1);
+ EC_GROUP_free(group2);
+ EC_GROUP_free(group3);
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+
+ return ret;
+}
+
/* test EC_GF2m_simple_method directly */
static int field_tests_ec2_simple(void)
{
@@ -443,6 +493,7 @@ int setup_tests(void)
ADD_TEST(field_tests_ecp_simple);
ADD_TEST(field_tests_ecp_mont);
#ifndef OPENSSL_NO_EC2M
+ ADD_TEST(ec2m_field_sanity);
ADD_TEST(field_tests_ec2_simple);
#endif
ADD_ALL_TESTS(field_tests_default, crv_len);

64
openssl-DEFAULT_SUSE_cipher.patch Normal file
View File

@ -0,0 +1,64 @@
Index: openssl-3.0.0-alpha7/ssl/ssl_ciph.c
===================================================================
--- openssl-3.0.0-alpha7.orig/ssl/ssl_ciph.c
+++ openssl-3.0.0-alpha7/ssl/ssl_ciph.c
@@ -1592,7 +1592,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
*/
ok = 1;
rule_p = rule_str;
- if (strncmp(rule_str, "DEFAULT", 7) == 0) {
+ if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) {
+ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
+ &head, &tail, ca_list, c);
+ rule_p += 12;
+ if (*rule_p == ':')
+ rule_p++;
+ }
+ else if (strncmp(rule_str, "DEFAULT", 7) == 0) {
ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(),
&head, &tail, ca_list, c);
rule_p += 7;
Index: openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
===================================================================
--- /dev/null
+++ openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
@@ -0,0 +1,23 @@
+#! /usr/bin/env perl
+
+use strict;
+use warnings;
+
+use OpenSSL::Test qw/:DEFAULT/;
+use OpenSSL::Test::Utils;
+
+setup("test_default_ciphersuites");
+
+plan tests => 6;
+
+my @cipher_suites = ("DEFAULT_SUSE", "DEFAULT");
+
+foreach my $cipherlist (@cipher_suites) {
+ ok(run(app(["openssl", "ciphers", "-s", $cipherlist])),
+ "openssl ciphers works with ciphersuite $cipherlist");
+ ok(!grep(/(MD5|RC4|DES)/, run(app(["openssl", "ciphers", "-s", $cipherlist]), capture => 1)),
+ "$cipherlist shouldn't contain MD5, DES or RC4\n");
+ ok(grep(/(TLSv1.3)/, run(app(["openssl", "ciphers", "-tls1_3", "-s", "-v", $cipherlist]), capture => 1)),
+ "$cipherlist should contain TLSv1.3 ciphers\n");
+}
+
Index: openssl-3.0.0-alpha7/include/openssl/ssl.h.in
===================================================================
--- openssl-3.0.0-alpha7.orig/include/openssl/ssl.h.in
+++ openssl-3.0.0-alpha7/include/openssl/ssl.h.in
@@ -189,6 +189,11 @@ extern "C" {
*/
# ifndef OPENSSL_NO_DEPRECATED_3_0
# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\
+ "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\
+ "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
+ "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
+ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
/*
* This is the default set of TLSv1.3 ciphersuites
* DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()

19
openssl-Disable-default-provider-for-test-suite.patch Normal file
View File

@ -0,0 +1,19 @@
Index: openssl-3.1.4/apps/openssl.cnf
===================================================================
--- openssl-3.1.4.orig/apps/openssl.cnf
+++ openssl-3.1.4/apps/openssl.cnf
@@ -70,11 +70,11 @@ engines = engine_section
# to side-channel attacks and as such have been deprecated.
[provider_sect]
-default = default_sect
+##default = default_sect
##legacy = legacy_sect
-[default_sect]
-activate = 1
+##[default_sect]
+##activate = 1
##[legacy_sect]
##activate = 1

28
openssl-Enable-BTI-feature-for-md5-on-aarch64.patch Normal file
View File

@ -0,0 +1,28 @@
From d2bfec6e464aeb247a2d6853668d4e473f19e15f Mon Sep 17 00:00:00 2001
From: "fangming.fang" <fangming.fang@arm.com>
Date: Thu, 7 Dec 2023 06:17:51 +0000
Subject: [PATCH] Enable BTI feature for md5 on aarch64
Fixes: #22959
---
crypto/md5/asm/md5-aarch64.pl | 3 +++
1 file changed, 3 insertions(+)
diff --git a/crypto/md5/asm/md5-aarch64.pl b/crypto/md5/asm/md5-aarch64.pl
index 3200a0fa9bff0..5a8608069691d 100755
--- a/crypto/md5/asm/md5-aarch64.pl
+++ b/crypto/md5/asm/md5-aarch64.pl
@@ -28,10 +28,13 @@
*STDOUT=*OUT;
$code .= <<EOF;
+#include "arm_arch.h"
+
.text
.globl ossl_md5_block_asm_data_order
.type ossl_md5_block_asm_data_order,\@function
ossl_md5_block_asm_data_order:
+ AARCH64_VALID_CALL_TARGET
// Save all callee-saved registers
stp x19,x20,[sp,#-80]!
stp x21,x22,[sp,#16]

27
openssl-FIPS-release_num_in_version_string.patch Normal file
View File

@ -0,0 +1,27 @@
Index: openssl-3.1.4/providers/fips/fipsprov.c
===================================================================
--- openssl-3.1.4.orig/providers/fips/fipsprov.c
+++ openssl-3.1.4/providers/fips/fipsprov.c
@@ -194,18 +194,19 @@ static const OSSL_PARAM *fips_gettable_p
static int fips_get_params(void *provctx, OSSL_PARAM params[])
{
+#define SUSE_OPENSSL_VERSION_STR OPENSSL_VERSION_STR " SUSE release " SUSE_OPENSSL_RELEASE
OSSL_PARAM *p;
FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx),
OSSL_LIB_CTX_FIPS_PROV_INDEX);
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "SUSE Linux Enterprise - OpenSSL FIPS Provider"))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR))
return 0;
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))

309
openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch Normal file
View File

@ -0,0 +1,309 @@
From 4580c303fa88f77a98461fee5fe26b5db725967c Mon Sep 17 00:00:00 2001
From: Todd Short <todd.short@me.com>
Date: Thu, 1 Feb 2024 23:09:38 -0500
Subject: [PATCH 1/2] Fix EVP_PKEY_CTX_add1_hkdf_info() behavior
Fix #23448
`EVP_PKEY_CTX_add1_hkdf_info()` behaves like a `set1` function.
Fix the setting of the parameter in the params code.
Update the TLS_PRF code to also use the params code.
Add tests.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23456)
(cherry picked from commit 6b566687b58fde08b28e3331377f050768fad89b)
---
crypto/evp/pmeth_lib.c | 65 ++++++++++++++++++-
providers/implementations/exchange/kdf_exch.c | 42 ++++++++++++
providers/implementations/kdfs/hkdf.c | 8 +++
test/pkey_meth_kdf_test.c | 53 +++++++++++----
4 files changed, 156 insertions(+), 12 deletions(-)
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index ba1971c..d0eeaf7 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -1028,6 +1028,69 @@ static int evp_pkey_ctx_set1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
return EVP_PKEY_CTX_set_params(ctx, octet_string_params);
}
+static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
+ const char *param, int op, int ctrl,
+ const unsigned char *data,
+ int datalen)
+{
+ OSSL_PARAM os_params[2];
+ unsigned char *info = NULL;
+ size_t info_len = 0;
+ size_t info_alloc = 0;
+ int ret = 0;
+
+ if (ctx == NULL || (ctx->operation & op) == 0) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED);
+ /* Uses the same return values as EVP_PKEY_CTX_ctrl */
+ return -2;
+ }
+
+ /* Code below to be removed when legacy support is dropped. */
+ if (fallback)
+ return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, datalen, (void *)(data));
+ /* end of legacy support */
+
+ if (datalen < 0) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
+ return 0;
+ }
+
+ /* Get the original value length */
+ os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
+ os_params[1] = OSSL_PARAM_construct_end();
+
+ if (!EVP_PKEY_CTX_get_params(ctx, os_params))
+ return 0;
+
+ /* Older provider that doesn't support getting this parameter */
+ if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
+ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
+
+ info_alloc = os_params[0].return_size + datalen;
+ if (info_alloc == 0)
+ return 0;
+ info = OPENSSL_zalloc(info_alloc);
+ if (info == NULL)
+ return 0;
+ info_len = os_params[0].return_size;
+
+ os_params[0] = OSSL_PARAM_construct_octet_string(param, info, info_alloc);
+
+ /* if we have data, then go get it */
+ if (info_len > 0) {
+ if (!EVP_PKEY_CTX_get_params(ctx, os_params))
+ goto error;
+ }
+
+ /* Copy the input data */
+ memcpy(&info[info_len], data, datalen);
+ ret = EVP_PKEY_CTX_set_params(ctx, os_params);
+
+ error:
+ OPENSSL_clear_free(info, info_alloc);
+ return ret;
+}
+
int EVP_PKEY_CTX_set1_tls1_prf_secret(EVP_PKEY_CTX *ctx,
const unsigned char *sec, int seclen)
{
@@ -1078,7 +1141,7 @@ int EVP_PKEY_CTX_set1_hkdf_key(EVP_PKEY_CTX *ctx,
int EVP_PKEY_CTX_add1_hkdf_info(EVP_PKEY_CTX *ctx,
const unsigned char *info, int infolen)
{
- return evp_pkey_ctx_set1_octet_string(ctx, ctx->op.kex.algctx == NULL,
+ return evp_pkey_ctx_add1_octet_string(ctx, ctx->op.kex.algctx == NULL,
OSSL_KDF_PARAM_INFO,
EVP_PKEY_OP_DERIVE,
EVP_PKEY_CTRL_HKDF_INFO,
diff --git a/providers/implementations/exchange/kdf_exch.c b/providers/implementations/exchange/kdf_exch.c
index 527a866..4bc8102 100644
--- a/providers/implementations/exchange/kdf_exch.c
+++ b/providers/implementations/exchange/kdf_exch.c
@@ -28,9 +28,13 @@ static OSSL_FUNC_keyexch_derive_fn kdf_derive;
static OSSL_FUNC_keyexch_freectx_fn kdf_freectx;
static OSSL_FUNC_keyexch_dupctx_fn kdf_dupctx;
static OSSL_FUNC_keyexch_set_ctx_params_fn kdf_set_ctx_params;
+static OSSL_FUNC_keyexch_get_ctx_params_fn kdf_get_ctx_params;
static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_tls1_prf_settable_ctx_params;
static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_hkdf_settable_ctx_params;
static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_scrypt_settable_ctx_params;
+static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_tls1_prf_gettable_ctx_params;
+static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params;
+static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_scrypt_gettable_ctx_params;
typedef struct {
void *provctx;
@@ -169,6 +173,13 @@ static int kdf_set_ctx_params(void *vpkdfctx, const OSSL_PARAM params[])
return EVP_KDF_CTX_set_params(pkdfctx->kdfctx, params);
}
+static int kdf_get_ctx_params(void *vpkdfctx, OSSL_PARAM params[])
+{
+ PROV_KDF_CTX *pkdfctx = (PROV_KDF_CTX *)vpkdfctx;
+
+ return EVP_KDF_CTX_get_params(pkdfctx->kdfctx, params);
+}
+
static const OSSL_PARAM *kdf_settable_ctx_params(ossl_unused void *vpkdfctx,
void *provctx,
const char *kdfname)
@@ -197,6 +208,34 @@ KDF_SETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF")
KDF_SETTABLE_CTX_PARAMS(hkdf, "HKDF")
KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
+static const OSSL_PARAM *kdf_gettable_ctx_params(ossl_unused void *vpkdfctx,
+ void *provctx,
+ const char *kdfname)
+{
+ EVP_KDF *kdf = EVP_KDF_fetch(PROV_LIBCTX_OF(provctx), kdfname,
+ NULL);
+ const OSSL_PARAM *params;
+
+ if (kdf == NULL)
+ return NULL;
+
+ params = EVP_KDF_gettable_ctx_params(kdf);
+ EVP_KDF_free(kdf);
+
+ return params;
+}
+
+#define KDF_GETTABLE_CTX_PARAMS(funcname, kdfname) \
+ static const OSSL_PARAM *kdf_##funcname##_gettable_ctx_params(void *vpkdfctx, \
+ void *provctx) \
+ { \
+ return kdf_gettable_ctx_params(vpkdfctx, provctx, kdfname); \
+ }
+
+KDF_GETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF")
+KDF_GETTABLE_CTX_PARAMS(hkdf, "HKDF")
+KDF_GETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
+
#define KDF_KEYEXCH_FUNCTIONS(funcname) \
const OSSL_DISPATCH ossl_kdf_##funcname##_keyexch_functions[] = { \
{ OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))kdf_##funcname##_newctx }, \
@@ -205,8 +244,11 @@ KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT")
{ OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))kdf_freectx }, \
{ OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))kdf_dupctx }, \
{ OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))kdf_set_ctx_params }, \
+ { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))kdf_get_ctx_params }, \
{ OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS, \
(void (*)(void))kdf_##funcname##_settable_ctx_params }, \
+ { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS, \
+ (void (*)(void))kdf_##funcname##_gettable_ctx_params }, \
{ 0, NULL } \
};
diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
index daa619b..dd65a2a 100644
--- a/providers/implementations/kdfs/hkdf.c
+++ b/providers/implementations/kdfs/hkdf.c
@@ -371,6 +371,13 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[])
return 0;
return OSSL_PARAM_set_size_t(p, sz);
}
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) {
+ if (ctx->info == NULL || ctx->info_len == 0) {
+ p->return_size = 0;
+ return 1;
+ }
+ return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len);
+ }
return -2;
}
@@ -379,6 +386,7 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx,
{
static const OSSL_PARAM known_gettable_ctx_params[] = {
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
+ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0),
OSSL_PARAM_END
};
return known_gettable_ctx_params;
diff --git a/test/pkey_meth_kdf_test.c b/test/pkey_meth_kdf_test.c
index f816d24..c09e2f3 100644
--- a/test/pkey_meth_kdf_test.c
+++ b/test/pkey_meth_kdf_test.c
@@ -16,7 +16,7 @@
#include <openssl/kdf.h>
#include "testutil.h"
-static int test_kdf_tls1_prf(void)
+static int test_kdf_tls1_prf(int index)
{
int ret = 0;
EVP_PKEY_CTX *pctx;
@@ -40,10 +40,23 @@ static int test_kdf_tls1_prf(void)
TEST_error("EVP_PKEY_CTX_set1_tls1_prf_secret");
goto err;
}
- if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
- (unsigned char *)"seed", 4) <= 0) {
- TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
- goto err;
+ if (index == 0) {
+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
+ (unsigned char *)"seed", 4) <= 0) {
+ TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
+ goto err;
+ }
+ } else {
+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
+ (unsigned char *)"se", 2) <= 0) {
+ TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
+ goto err;
+ }
+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx,
+ (unsigned char *)"ed", 2) <= 0) {
+ TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
+ goto err;
+ }
}
if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
TEST_error("EVP_PKEY_derive");
@@ -65,7 +78,7 @@ err:
return ret;
}
-static int test_kdf_hkdf(void)
+static int test_kdf_hkdf(int index)
{
int ret = 0;
EVP_PKEY_CTX *pctx;
@@ -94,10 +107,23 @@ static int test_kdf_hkdf(void)
TEST_error("EVP_PKEY_CTX_set1_hkdf_key");
goto err;
}
- if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5)
+ if (index == 0) {
+ if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5)
<= 0) {
- TEST_error("EVP_PKEY_CTX_set1_hkdf_info");
- goto err;
+ TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
+ goto err;
+ }
+ } else {
+ if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"lab", 3)
+ <= 0) {
+ TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
+ goto err;
+ }
+ if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"el", 2)
+ <= 0) {
+ TEST_error("EVP_PKEY_CTX_add1_hkdf_info");
+ goto err;
+ }
}
if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
TEST_error("EVP_PKEY_derive");
@@ -195,8 +221,13 @@ err:
int setup_tests(void)
{
- ADD_TEST(test_kdf_tls1_prf);
- ADD_TEST(test_kdf_hkdf);
+ int tests = 1;
+
+ if (fips_provider_version_ge(NULL, 3, 3, 1))
+ tests = 2;
+
+ ADD_ALL_TESTS(test_kdf_tls1_prf, tests);
+ ADD_ALL_TESTS(test_kdf_hkdf, tests);
#ifndef OPENSSL_NO_SCRYPT
ADD_TEST(test_kdf_scrypt);
#endif
--
2.45.1

94
openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch Normal file
View File

@ -0,0 +1,94 @@
From d6a9c21302e01c33a9a919e7ba380ba3b0ed65b0 Mon Sep 17 00:00:00 2001
From: trinity-1686a <trinity@deuxfleurs.fr>
Date: Mon, 15 Apr 2024 11:13:14 +0200
Subject: [PATCH 2/2] Handle empty param in EVP_PKEY_CTX_add1_hkdf_info
Fixes #24130
The regression was introduced in PR #23456.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24141)
(cherry picked from commit 299996fb1fcd76eeadfd547958de2a1b822f37f5)
---
crypto/evp/pmeth_lib.c | 2 ++
test/evp_extra_test.c | 42 ++++++++++++++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index d0eeaf7..bce1ebc 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -1053,6 +1053,8 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
if (datalen < 0) {
ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
return 0;
+ } else if (datalen == 0) {
+ return 1;
}
/* Get the original value length */
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 9b3bee7..22121ce 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -2565,6 +2565,47 @@ static int test_emptyikm_HKDF(void)
return ret;
}
+static int test_empty_salt_info_HKDF(void)
+{
+ EVP_PKEY_CTX *pctx;
+ unsigned char out[20];
+ size_t outlen;
+ int ret = 0;
+ unsigned char salt[] = "";
+ unsigned char key[] = "012345678901234567890123456789";
+ unsigned char info[] = "";
+ const unsigned char expected[] = {
+ 0x67, 0x12, 0xf9, 0x27, 0x8a, 0x8a, 0x3a, 0x8f, 0x7d, 0x2c, 0xa3, 0x6a,
+ 0xaa, 0xe9, 0xb3, 0xb9, 0x52, 0x5f, 0xe0, 0x06,
+ };
+ size_t expectedlen = sizeof(expected);
+
+ if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "HKDF", testpropq)))
+ goto done;
+
+ outlen = sizeof(out);
+ memset(out, 0, outlen);
+
+ if (!TEST_int_gt(EVP_PKEY_derive_init(pctx), 0)
+ || !TEST_int_gt(EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()), 0)
+ || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt,
+ sizeof(salt) - 1), 0)
+ || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_key(pctx, key,
+ sizeof(key) - 1), 0)
+ || !TEST_int_gt(EVP_PKEY_CTX_add1_hkdf_info(pctx, info,
+ sizeof(info) - 1), 0)
+ || !TEST_int_gt(EVP_PKEY_derive(pctx, out, &outlen), 0)
+ || !TEST_mem_eq(out, outlen, expected, expectedlen))
+ goto done;
+
+ ret = 1;
+
+ done:
+ EVP_PKEY_CTX_free(pctx);
+
+ return ret;
+}
+
#ifndef OPENSSL_NO_EC
static int test_X509_PUBKEY_inplace(void)
{
@@ -5166,6 +5207,7 @@ int setup_tests(void)
#endif
ADD_TEST(test_HKDF);
ADD_TEST(test_emptyikm_HKDF);
+ ADD_TEST(test_empty_salt_info_HKDF);
#ifndef OPENSSL_NO_EC
ADD_TEST(test_X509_PUBKEY_inplace);
ADD_TEST(test_X509_PUBKEY_dup);
--
2.45.1

495
openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch Normal file
View File

@ -0,0 +1,495 @@
From 3d3a7ecd1ae5ab08d22041f7b3b035c34f12fa02 Mon Sep 17 00:00:00 2001
From: Danny Tsen <dtsen@linux.ibm.com>
Date: Tue, 22 Aug 2023 15:58:53 -0400
Subject: [PATCH] Improve performance for 6x unrolling with vpermxor
instruction
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21812)
---
crypto/aes/asm/aesp8-ppc.pl | 145 +++++++++++++++++++++++-------------
1 file changed, 95 insertions(+), 50 deletions(-)
diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl
index 60cf86f52aed2..38b9405a283b7 100755
--- a/crypto/aes/asm/aesp8-ppc.pl
+++ b/crypto/aes/asm/aesp8-ppc.pl
@@ -99,11 +99,12 @@
.long 0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000 ?rev
.long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev
.long 0,0,0,0 ?asis
+.long 0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe
Lconsts:
mflr r0
bcl 20,31,\$+4
mflr $ptr #vvvvv "distance between . and rcon
- addi $ptr,$ptr,-0x48
+ addi $ptr,$ptr,-0x58
mtlr r0
blr
.long 0
@@ -2405,7 +2406,7 @@ ()
my $key_=$key2;
my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31));
$x00=0 if ($flavour =~ /osx/);
-my ($in0, $in1, $in2, $in3, $in4, $in5 )=map("v$_",(0..5));
+my ($in0, $in1, $in2, $in3, $in4, $in5)=map("v$_",(0..5));
my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16));
my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22));
my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
@@ -2460,6 +2461,18 @@ ()
li $x70,0x70
mtspr 256,r0
+ # Reverse eighty7 to 0x010101..87
+ xxlor 2, 32+$eighty7, 32+$eighty7
+ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87
+ xxlor 1, 32+$eighty7, 32+$eighty7
+
+ # Load XOR contents. 0xf102132435465768798a9bacbdcedfe
+ mr $x70, r6
+ bl Lconsts
+ lxvw4x 0, $x40, r6 # load XOR contents
+ mr r6, $x70
+ li $x70,0x70
+
subi $rounds,$rounds,3 # -4 in total
lvx $rndkey0,$x00,$key1 # load key schedule
@@ -2502,69 +2515,77 @@ ()
?vperm v31,v31,$twk5,$keyperm
lvx v25,$x10,$key_ # pre-load round[2]
+ # Switch to use the following codes with 0x010101..87 to generate tweak.
+ # eighty7 = 0x010101..87
+ # vsrab tmp, tweak, seven # next tweak value, right shift 7 bits
+ # vand tmp, tmp, eighty7 # last byte with carry
+ # vaddubm tweak, tweak, tweak # left shift 1 bit (x2)
+ # xxlor vsx, 0, 0
+ # vpermxor tweak, tweak, tmp, vsx
+
vperm $in0,$inout,$inptail,$inpperm
subi $inp,$inp,31 # undo "caller"
vxor $twk0,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vand $tmp,$tmp,$eighty7
vxor $out0,$in0,$twk0
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in1, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in1
lvx_u $in1,$x10,$inp
vxor $twk1,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in1,$in1,$in1,$leperm
vand $tmp,$tmp,$eighty7
vxor $out1,$in1,$twk1
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in2, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in2
lvx_u $in2,$x20,$inp
andi. $taillen,$len,15
vxor $twk2,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in2,$in2,$in2,$leperm
vand $tmp,$tmp,$eighty7
vxor $out2,$in2,$twk2
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in3, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in3
lvx_u $in3,$x30,$inp
sub $len,$len,$taillen
vxor $twk3,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in3,$in3,$in3,$leperm
vand $tmp,$tmp,$eighty7
vxor $out3,$in3,$twk3
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in4, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in4
lvx_u $in4,$x40,$inp
subi $len,$len,0x60
vxor $twk4,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in4,$in4,$in4,$leperm
vand $tmp,$tmp,$eighty7
vxor $out4,$in4,$twk4
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in5, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in5
lvx_u $in5,$x50,$inp
addi $inp,$inp,0x60
vxor $twk5,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in5,$in5,$in5,$leperm
vand $tmp,$tmp,$eighty7
vxor $out5,$in5,$twk5
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in0, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in0
vxor v31,v31,$rndkey0
mtctr $rounds
@@ -2590,6 +2611,8 @@ ()
lvx v25,$x10,$key_ # round[4]
bdnz Loop_xts_enc6x
+ xxlor 32+$eighty7, 1, 1 # 0x010101..87
+
subic $len,$len,96 # $len-=96
vxor $in0,$twk0,v31 # xor with last round key
vcipher $out0,$out0,v24
@@ -2599,7 +2622,6 @@ ()
vaddubm $tweak,$tweak,$tweak
vcipher $out2,$out2,v24
vcipher $out3,$out3,v24
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out4,$out4,v24
vcipher $out5,$out5,v24
@@ -2607,7 +2629,8 @@ ()
vand $tmp,$tmp,$eighty7
vcipher $out0,$out0,v25
vcipher $out1,$out1,v25
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in1, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in1
vcipher $out2,$out2,v25
vcipher $out3,$out3,v25
vxor $in1,$twk1,v31
@@ -2618,13 +2641,13 @@ ()
and r0,r0,$len
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out0,$out0,v26
vcipher $out1,$out1,v26
vand $tmp,$tmp,$eighty7
vcipher $out2,$out2,v26
vcipher $out3,$out3,v26
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in2, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in2
vcipher $out4,$out4,v26
vcipher $out5,$out5,v26
@@ -2638,7 +2661,6 @@ ()
vaddubm $tweak,$tweak,$tweak
vcipher $out0,$out0,v27
vcipher $out1,$out1,v27
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out2,$out2,v27
vcipher $out3,$out3,v27
vand $tmp,$tmp,$eighty7
@@ -2646,7 +2668,8 @@ ()
vcipher $out5,$out5,v27
addi $key_,$sp,$FRAME+15 # rewind $key_
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in3, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in3
vcipher $out0,$out0,v28
vcipher $out1,$out1,v28
vxor $in3,$twk3,v31
@@ -2655,7 +2678,6 @@ ()
vcipher $out2,$out2,v28
vcipher $out3,$out3,v28
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out4,$out4,v28
vcipher $out5,$out5,v28
lvx v24,$x00,$key_ # re-pre-load round[1]
@@ -2663,7 +2685,8 @@ ()
vcipher $out0,$out0,v29
vcipher $out1,$out1,v29
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in4, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in4
vcipher $out2,$out2,v29
vcipher $out3,$out3,v29
vxor $in4,$twk4,v31
@@ -2673,14 +2696,14 @@ ()
vcipher $out5,$out5,v29
lvx v25,$x10,$key_ # re-pre-load round[2]
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vcipher $out0,$out0,v30
vcipher $out1,$out1,v30
vand $tmp,$tmp,$eighty7
vcipher $out2,$out2,v30
vcipher $out3,$out3,v30
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in5, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in5
vcipher $out4,$out4,v30
vcipher $out5,$out5,v30
vxor $in5,$twk5,v31
@@ -2690,7 +2713,6 @@ ()
vcipherlast $out0,$out0,$in0
lvx_u $in0,$x00,$inp # load next input block
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vcipherlast $out1,$out1,$in1
lvx_u $in1,$x10,$inp
vcipherlast $out2,$out2,$in2
@@ -2703,7 +2725,10 @@ ()
vcipherlast $out4,$out4,$in4
le?vperm $in2,$in2,$in2,$leperm
lvx_u $in4,$x40,$inp
- vxor $tweak,$tweak,$tmp
+ xxlor 10, 32+$in0, 32+$in0
+ xxlor 32+$in0, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in0
+ xxlor 32+$in0, 10, 10
vcipherlast $tmp,$out5,$in5 # last block might be needed
# in stealing mode
le?vperm $in3,$in3,$in3,$leperm
@@ -2736,6 +2761,8 @@ ()
mtctr $rounds
beq Loop_xts_enc6x # did $len-=96 borrow?
+ xxlor 32+$eighty7, 2, 2 # 0x870101..01
+
addic. $len,$len,0x60
beq Lxts_enc6x_zero
cmpwi $len,0x20
@@ -3112,6 +3139,18 @@ ()
li $x70,0x70
mtspr 256,r0
+ # Reverse eighty7 to 0x010101..87
+ xxlor 2, 32+$eighty7, 32+$eighty7
+ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87
+ xxlor 1, 32+$eighty7, 32+$eighty7
+
+ # Load XOR contents. 0xf102132435465768798a9bacbdcedfe
+ mr $x70, r6
+ bl Lconsts
+ lxvw4x 0, $x40, r6 # load XOR contents
+ mr r6, $x70
+ li $x70,0x70
+
subi $rounds,$rounds,3 # -4 in total
lvx $rndkey0,$x00,$key1 # load key schedule
@@ -3159,64 +3198,64 @@ ()
vxor $twk0,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vand $tmp,$tmp,$eighty7
vxor $out0,$in0,$twk0
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in1, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in1
lvx_u $in1,$x10,$inp
vxor $twk1,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in1,$in1,$in1,$leperm
vand $tmp,$tmp,$eighty7
vxor $out1,$in1,$twk1
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in2, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in2
lvx_u $in2,$x20,$inp
andi. $taillen,$len,15
vxor $twk2,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in2,$in2,$in2,$leperm
vand $tmp,$tmp,$eighty7
vxor $out2,$in2,$twk2
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in3, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in3
lvx_u $in3,$x30,$inp
sub $len,$len,$taillen
vxor $twk3,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in3,$in3,$in3,$leperm
vand $tmp,$tmp,$eighty7
vxor $out3,$in3,$twk3
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in4, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in4
lvx_u $in4,$x40,$inp
subi $len,$len,0x60
vxor $twk4,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in4,$in4,$in4,$leperm
vand $tmp,$tmp,$eighty7
vxor $out4,$in4,$twk4
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in5, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in5
lvx_u $in5,$x50,$inp
addi $inp,$inp,0x60
vxor $twk5,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
le?vperm $in5,$in5,$in5,$leperm
vand $tmp,$tmp,$eighty7
vxor $out5,$in5,$twk5
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in0, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in0
vxor v31,v31,$rndkey0
mtctr $rounds
@@ -3242,6 +3281,8 @@ ()
lvx v25,$x10,$key_ # round[4]
bdnz Loop_xts_dec6x
+ xxlor 32+$eighty7, 1, 1
+
subic $len,$len,96 # $len-=96
vxor $in0,$twk0,v31 # xor with last round key
vncipher $out0,$out0,v24
@@ -3251,7 +3292,6 @@ ()
vaddubm $tweak,$tweak,$tweak
vncipher $out2,$out2,v24
vncipher $out3,$out3,v24
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out4,$out4,v24
vncipher $out5,$out5,v24
@@ -3259,7 +3299,8 @@ ()
vand $tmp,$tmp,$eighty7
vncipher $out0,$out0,v25
vncipher $out1,$out1,v25
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in1, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in1
vncipher $out2,$out2,v25
vncipher $out3,$out3,v25
vxor $in1,$twk1,v31
@@ -3270,13 +3311,13 @@ ()
and r0,r0,$len
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out0,$out0,v26
vncipher $out1,$out1,v26
vand $tmp,$tmp,$eighty7
vncipher $out2,$out2,v26
vncipher $out3,$out3,v26
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in2, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in2
vncipher $out4,$out4,v26
vncipher $out5,$out5,v26
@@ -3290,7 +3331,6 @@ ()
vaddubm $tweak,$tweak,$tweak
vncipher $out0,$out0,v27
vncipher $out1,$out1,v27
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out2,$out2,v27
vncipher $out3,$out3,v27
vand $tmp,$tmp,$eighty7
@@ -3298,7 +3338,8 @@ ()
vncipher $out5,$out5,v27
addi $key_,$sp,$FRAME+15 # rewind $key_
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in3, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in3
vncipher $out0,$out0,v28
vncipher $out1,$out1,v28
vxor $in3,$twk3,v31
@@ -3307,7 +3348,6 @@ ()
vncipher $out2,$out2,v28
vncipher $out3,$out3,v28
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out4,$out4,v28
vncipher $out5,$out5,v28
lvx v24,$x00,$key_ # re-pre-load round[1]
@@ -3315,7 +3355,8 @@ ()
vncipher $out0,$out0,v29
vncipher $out1,$out1,v29
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in4, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in4
vncipher $out2,$out2,v29
vncipher $out3,$out3,v29
vxor $in4,$twk4,v31
@@ -3325,14 +3366,14 @@ ()
vncipher $out5,$out5,v29
lvx v25,$x10,$key_ # re-pre-load round[2]
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vncipher $out0,$out0,v30
vncipher $out1,$out1,v30
vand $tmp,$tmp,$eighty7
vncipher $out2,$out2,v30
vncipher $out3,$out3,v30
- vxor $tweak,$tweak,$tmp
+ xxlor 32+$in5, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in5
vncipher $out4,$out4,v30
vncipher $out5,$out5,v30
vxor $in5,$twk5,v31
@@ -3342,7 +3383,6 @@ ()
vncipherlast $out0,$out0,$in0
lvx_u $in0,$x00,$inp # load next input block
vaddubm $tweak,$tweak,$tweak
- vsldoi $tmp,$tmp,$tmp,15
vncipherlast $out1,$out1,$in1
lvx_u $in1,$x10,$inp
vncipherlast $out2,$out2,$in2
@@ -3355,7 +3395,10 @@ ()
vncipherlast $out4,$out4,$in4
le?vperm $in2,$in2,$in2,$leperm
lvx_u $in4,$x40,$inp
- vxor $tweak,$tweak,$tmp
+ xxlor 10, 32+$in0, 32+$in0
+ xxlor 32+$in0, 0, 0
+ vpermxor $tweak, $tweak, $tmp, $in0
+ xxlor 32+$in0, 10, 10
vncipherlast $out5,$out5,$in5
le?vperm $in3,$in3,$in3,$leperm
lvx_u $in5,$x50,$inp
@@ -3386,6 +3429,8 @@ ()
mtctr $rounds
beq Loop_xts_dec6x # did $len-=96 borrow?
+ xxlor 32+$eighty7, 2, 2
+
addic. $len,$len,0x60
beq Lxts_dec6x_zero
cmpwi $len,0x20

35
openssl-crypto-policies-support.patch Normal file
View File

@ -0,0 +1,35 @@
Add default section to load crypto-policies configuration for TLS.
It needs to be reverted before running tests.
---
apps/openssl.cnf | 20 ++++++++++++++++++--
2 files changed, 19 insertions(+), 3 deletions(-)
Index: openssl-3.2.0/apps/openssl.cnf
===================================================================
--- openssl-3.2.0.orig/apps/openssl.cnf
+++ openssl-3.2.0/apps/openssl.cnf
@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
[openssl_init]
providers = provider_sect
+# Load default TLS policy configuration
+ssl_conf = ssl_module
# List of providers to load
[provider_sect]
@@ -71,6 +73,13 @@ default = default_sect
[default_sect]
# activate = 1
+[ ssl_module ]
+
+system_default = crypto_policy
+
+[ crypto_policy ]
+
+.include = /etc/crypto-policies/back-ends/opensslcnf.config
####################################################################
[ ca ]

2159
openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch Normal file
View File

File diff suppressed because it is too large Load Diff

65
openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch Normal file
View File

@ -0,0 +1,65 @@
From 3e47a286dc3274bda72a196c3a4030a1fc8302f1 Mon Sep 17 00:00:00 2001
From: Rohan McLure <rohanmclure@linux.ibm.com>
Date: Fri, 23 Jun 2023 16:41:48 +1000
Subject: [PATCH] ec: Use static linkage on nistp521 felem_{square,mul}
wrappers
Runtime selection of implementations for felem_{square,mul} depends on
felem_{square,mul}_wrapper functions, which overwrite function points in
a similar design to that of .plt.got sections used by program loaders
during dynamic linking.
There's no reason why these functions need to have external linkage.
Mark static.
Signed-off-by: Rohan McLure <rohanmclure@linux.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21471)
---
crypto/ec/ecp_nistp521.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
index 97815cac1f13..32a9268ecf17 100644
--- a/crypto/ec/ecp_nistp521.c
+++ b/crypto/ec/ecp_nistp521.c
@@ -676,8 +676,8 @@ static void felem_reduce(felem out, const largefelem in)
}
#if defined(ECP_NISTP521_ASM)
-void felem_square_wrapper(largefelem out, const felem in);
-void felem_mul_wrapper(largefelem out, const felem in1, const felem in2);
+static void felem_square_wrapper(largefelem out, const felem in);
+static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2);
static void (*felem_square_p)(largefelem out, const felem in) =
felem_square_wrapper;
@@ -691,7 +691,7 @@ void p521_felem_mul(largefelem out, const felem in1, const felem in2);
# include "crypto/ppc_arch.h"
# endif
-void felem_select(void)
+static void felem_select(void)
{
# if defined(_ARCH_PPC64)
if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
@@ -707,13 +707,13 @@ void felem_select(void)
felem_mul_p = felem_mul_ref;
}
-void felem_square_wrapper(largefelem out, const felem in)
+static void felem_square_wrapper(largefelem out, const felem in)
{
felem_select();
felem_square_p(out, in);
}
-void felem_mul_wrapper(largefelem out, const felem in1, const felem in2)
+static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2)
{
felem_select();
felem_mul_p(out, in1, in2);

428
openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch Normal file
View File

@ -0,0 +1,428 @@
From 966047ee13188e8634af25af348940acceb9316d Mon Sep 17 00:00:00 2001
From: Rohan McLure <rohanmclure@linux.ibm.com>
Date: Wed, 31 May 2023 14:32:26 +1000
Subject: [PATCH] ec: powerpc64le: Add asm implementation of felem_{square,mul}
Add an assembly implementation of felem_{square,mul}, which will be
implemented whenever Altivec support is present and the core implements
ISA 3.0 (Power 9) or greater.
Signed-off-by: Rohan McLure <rohanmclure@linux.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21471)
---
crypto/ec/asm/ecp_nistp384-ppc64.pl | 355 ++++++++++++++++++++++++++++
crypto/ec/build.info | 6 +-
crypto/ec/ecp_nistp384.c | 9 +
3 files changed, 368 insertions(+), 2 deletions(-)
create mode 100755 crypto/ec/asm/ecp_nistp384-ppc64.pl
diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl
new file mode 100755
index 000000000000..3f86b391af69
--- /dev/null
+++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl
@@ -0,0 +1,355 @@
+#! /usr/bin/env perl
+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+#
+# ====================================================================
+# Written by Rohan McLure <rmclure@linux.ibm.com> for the OpenSSL
+# project.
+# ====================================================================
+#
+# p384 lower-level primitives for PPC64 using vector instructions.
+#
+
+use strict;
+use warnings;
+
+my $flavour = shift;
+my $output = "";
+while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
+if (!$output) {
+ $output = "-";
+}
+
+my ($xlate, $dir);
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
+die "can't locate ppc-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
+
+my $code = "";
+
+my ($sp, $outp, $savelr, $savesp) = ("r1", "r3", "r10", "r12");
+
+my $vzero = "v32";
+
+sub startproc($)
+{
+ my ($name) = @_;
+
+ $code.=<<___;
+ .globl ${name}
+ .align 5
+${name}:
+
+___
+}
+
+sub endproc($)
+{
+ my ($name) = @_;
+
+ $code.=<<___;
+ blr
+ .size ${name},.-${name}
+
+___
+}
+
+
+sub push_vrs($$)
+{
+ my ($min, $max) = @_;
+
+ my $count = $max - $min + 1;
+
+ $code.=<<___;
+ mr $savesp,$sp
+ stdu $sp,-16*`$count+1`($sp)
+
+___
+ for (my $i = $min; $i <= $max; $i++) {
+ my $mult = $max - $i + 1;
+ $code.=<<___;
+ stxv $i,-16*$mult($savesp)
+___
+
+ }
+
+ $code.=<<___;
+
+___
+}
+
+sub pop_vrs($$)
+{
+ my ($min, $max) = @_;
+
+ $code.=<<___;
+ ld $savesp,0($sp)
+___
+ for (my $i = $min; $i <= $max; $i++) {
+ my $mult = $max - $i + 1;
+ $code.=<<___;
+ lxv $i,-16*$mult($savesp)
+___
+ }
+
+ $code.=<<___;
+ mr $sp,$savesp
+
+___
+}
+
+sub load_vrs($$)
+{
+ my ($pointer, $reg_list) = @_;
+
+ for (my $i = 0; $i <= 6; $i++) {
+ my $offset = $i * 8;
+ $code.=<<___;
+ lxsd $reg_list->[$i],$offset($pointer)
+___
+ }
+
+ $code.=<<___;
+
+___
+}
+
+sub store_vrs($$)
+{
+ my ($pointer, $reg_list) = @_;
+
+ for (my $i = 0; $i <= 12; $i++) {
+ my $offset = $i * 16;
+ $code.=<<___;
+ stxv $reg_list->[$i],$offset($pointer)
+___
+ }
+
+ $code.=<<___;
+
+___
+}
+
+$code.=<<___;
+.machine "any"
+.text
+
+___
+
+{
+ # mul/square common
+ my ($t1, $t2, $t3, $t4) = ("v33", "v34", "v42", "v43");
+ my ($zero, $one) = ("r8", "r9");
+ my $out = "v51";
+
+ {
+ #
+ # p384_felem_mul
+ #
+
+ my ($in1p, $in2p) = ("r4", "r5");
+ my @in1 = map("v$_",(44..50));
+ my @in2 = map("v$_",(35..41));
+
+ startproc("p384_felem_mul");
+
+ push_vrs(52, 63);
+
+ $code.=<<___;
+ vspltisw $vzero,0
+
+___
+
+ load_vrs($in1p, \@in1);
+ load_vrs($in2p, \@in2);
+
+ $code.=<<___;
+ vmsumudm $out,$in1[0],$in2[0],$vzero
+ stxv $out,0($outp)
+
+ xxpermdi $t1,$in1[0],$in1[1],0b00
+ xxpermdi $t2,$in2[1],$in2[0],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ stxv $out,16($outp)
+
+ xxpermdi $t2,$in2[2],$in2[1],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$in1[2],$in2[0],$out
+ stxv $out,32($outp)
+
+ xxpermdi $t2,$in2[1],$in2[0],0b00
+ xxpermdi $t3,$in1[2],$in1[3],0b00
+ xxpermdi $t4,$in2[3],$in2[2],0b00
+ vmsumudm $out,$t1,$t4,$vzero
+ vmsumudm $out,$t3,$t2,$out
+ stxv $out,48($outp)
+
+ xxpermdi $t2,$in2[4],$in2[3],0b00
+ xxpermdi $t4,$in2[2],$in2[1],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$t3,$t4,$out
+ vmsumudm $out,$in1[4],$in2[0],$out
+ stxv $out,64($outp)
+
+ xxpermdi $t2,$in2[5],$in2[4],0b00
+ xxpermdi $t4,$in2[3],$in2[2],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$t3,$t4,$out
+ xxpermdi $t4,$in2[1],$in2[0],0b00
+ xxpermdi $t1,$in1[4],$in1[5],0b00
+ vmsumudm $out,$t1,$t4,$out
+ stxv $out,80($outp)
+
+ xxpermdi $t1,$in1[0],$in1[1],0b00
+ xxpermdi $t2,$in2[6],$in2[5],0b00
+ xxpermdi $t4,$in2[4],$in2[3],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$t3,$t4,$out
+ xxpermdi $t2,$in2[2],$in2[1],0b00
+ xxpermdi $t1,$in1[4],$in1[5],0b00
+ vmsumudm $out,$t1,$t2,$out
+ vmsumudm $out,$in1[6],$in2[0],$out
+ stxv $out,96($outp)
+
+ xxpermdi $t1,$in1[1],$in1[2],0b00
+ xxpermdi $t2,$in2[6],$in2[5],0b00
+ xxpermdi $t3,$in1[3],$in1[4],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$t3,$t4,$out
+ xxpermdi $t3,$in2[2],$in2[1],0b00
+ xxpermdi $t1,$in1[5],$in1[6],0b00
+ vmsumudm $out,$t1,$t3,$out
+ stxv $out,112($outp)
+
+ xxpermdi $t1,$in1[2],$in1[3],0b00
+ xxpermdi $t3,$in1[4],$in1[5],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$t3,$t4,$out
+ vmsumudm $out,$in1[6],$in2[2],$out
+ stxv $out,128($outp)
+
+ xxpermdi $t1,$in1[3],$in1[4],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ xxpermdi $t1,$in1[5],$in1[6],0b00
+ vmsumudm $out,$t1,$t4,$out
+ stxv $out,144($outp)
+
+ vmsumudm $out,$t3,$t2,$vzero
+ vmsumudm $out,$in1[6],$in2[4],$out
+ stxv $out,160($outp)
+
+ vmsumudm $out,$t1,$t2,$vzero
+ stxv $out,176($outp)
+
+ vmsumudm $out,$in1[6],$in2[6],$vzero
+ stxv $out,192($outp)
+___
+
+ endproc("p384_felem_mul");
+ }
+
+ {
+ #
+ # p384_felem_square
+ #
+
+ my ($inp) = ("r4");
+ my @in = map("v$_",(44..50));
+ my @inx2 = map("v$_",(35..41));
+
+ startproc("p384_felem_square");
+
+ push_vrs(52, 63);
+
+ $code.=<<___;
+ vspltisw $vzero,0
+
+___
+
+ load_vrs($inp, \@in);
+
+ $code.=<<___;
+ li $zero,0
+ li $one,1
+ mtvsrdd $t1,$one,$zero
+___
+
+ for (my $i = 0; $i <= 6; $i++) {
+ $code.=<<___;
+ vsld $inx2[$i],$in[$i],$t1
+___
+ }
+
+ $code.=<<___;
+ vmsumudm $out,$in[0],$in[0],$vzero
+ stxv $out,0($outp)
+
+ vmsumudm $out,$in[0],$inx2[1],$vzero
+ stxv $out,16($outp)
+
+ vmsumudm $out,$in[0],$inx2[2],$vzero
+ vmsumudm $out,$in[1],$in[1],$out
+ stxv $out,32($outp)
+
+ xxpermdi $t1,$in[0],$in[1],0b00
+ xxpermdi $t2,$inx2[3],$inx2[2],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ stxv $out,48($outp)
+
+ xxpermdi $t4,$inx2[4],$inx2[3],0b00
+ vmsumudm $out,$t1,$t4,$vzero
+ vmsumudm $out,$in[2],$in[2],$out
+ stxv $out,64($outp)
+
+ xxpermdi $t2,$inx2[5],$inx2[4],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$in[2],$inx2[3],$out
+ stxv $out,80($outp)
+
+ xxpermdi $t2,$inx2[6],$inx2[5],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$in[2],$inx2[4],$out
+ vmsumudm $out,$in[3],$in[3],$out
+ stxv $out,96($outp)
+
+ xxpermdi $t3,$in[1],$in[2],0b00
+ vmsumudm $out,$t3,$t2,$vzero
+ vmsumudm $out,$in[3],$inx2[4],$out
+ stxv $out,112($outp)
+
+ xxpermdi $t1,$in[2],$in[3],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ vmsumudm $out,$in[4],$in[4],$out
+ stxv $out,128($outp)
+
+ xxpermdi $t1,$in[3],$in[4],0b00
+ vmsumudm $out,$t1,$t2,$vzero
+ stxv $out,144($outp)
+
+ vmsumudm $out,$in[4],$inx2[6],$vzero
+ vmsumudm $out,$in[5],$in[5],$out
+ stxv $out,160($outp)
+
+ vmsumudm $out,$in[5],$inx2[6],$vzero
+ stxv $out,176($outp)
+
+ vmsumudm $out,$in[6],$in[6],$vzero
+ stxv $out,192($outp)
+___
+
+ endproc("p384_felem_square");
+ }
+}
+
+$code =~ s/\`([^\`]*)\`/eval $1/gem;
+print $code;
+close STDOUT or die "error closing STDOUT: $!";
diff --git a/crypto/ec/build.info b/crypto/ec/build.info
index 1fa60a1deddd..4077bead7bdb 100644
--- a/crypto/ec/build.info
+++ b/crypto/ec/build.info
@@ -39,8 +39,9 @@ IF[{- !$disabled{asm} -}]
$ECASM_ppc64=ecp_nistz256.c ecp_ppc.c ecp_nistz256-ppc64.s x25519-ppc64.s
$ECDEF_ppc64=ECP_NISTZ256_ASM X25519_ASM
IF[{- !$disabled{'ec_nistp_64_gcc_128'} -}]
- $ECASM_ppc64=$ECASM_ppc64 ecp_nistp521-ppc64.s
- $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP521_ASM
+ $ECASM_ppc64=$ECASM_ppc64 ecp_nistp384-ppc64.s ecp_nistp521-ppc64.s
+ $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP384_ASM ECP_NISTP521_ASM
+ INCLUDE[ecp_nistp384.o]=..
INCLUDE[ecp_nistp521.o]=..
ENDIF
@@ -119,6 +120,7 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_nistz256-armv8.pl
INCLUDE[ecp_nistz256-armv8.o]=..
GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl
+GENERATE[ecp_nistp384-ppc64.s]=asm/ecp_nistp384-ppc64.pl
GENERATE[ecp_nistp521-ppc64.s]=asm/ecp_nistp521-ppc64.pl
GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl
diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c
index a0559487ed4e..14f9530d07c6 100644
--- a/crypto/ec/ecp_nistp384.c
+++ b/crypto/ec/ecp_nistp384.c
@@ -691,6 +691,15 @@ void p384_felem_mul(widefelem out, const felem in1, const felem in2);
static void felem_select(void)
{
+# if defined(_ARCH_PPC64)
+ if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
+ felem_square_p = p384_felem_square;
+ felem_mul_p = p384_felem_mul;
+
+ return;
+ }
+# endif
+
/* Default */
felem_square_p = felem_square_ref;
felem_mul_p = felem_mul_ref;

76
openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch Normal file
View File

@ -0,0 +1,76 @@
From 670e73d9084465384b11ef24802ca4a313e1d2f4 Mon Sep 17 00:00:00 2001
From: Rohan McLure <rohanmclure@linux.ibm.com>
Date: Tue, 15 Aug 2023 15:20:20 +1000
Subject: [PATCH] ecc: Remove extraneous parentheses in secp384r1
Substitutions in the felem_reduce() method feature unecessary
parentheses, remove them.
Signed-off-by: Rohan McLure <rohan.mclure@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21749)
---
crypto/ec/ecp_nistp384.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c
index 14f9530d07c6..ff68f9cc7ad0 100644
--- a/crypto/ec/ecp_nistp384.c
+++ b/crypto/ec/ecp_nistp384.c
@@ -540,7 +540,7 @@ static void felem_reduce(felem out, const widefelem in)
acc[7] += in[12] >> 8;
acc[6] += (in[12] & 0xff) << 48;
acc[6] -= in[12] >> 16;
- acc[5] -= ((in[12] & 0xffff) << 40);
+ acc[5] -= (in[12] & 0xffff) << 40;
acc[6] += in[12] >> 48;
acc[5] += (in[12] & 0xffffffffffff) << 8;
@@ -549,7 +549,7 @@ static void felem_reduce(felem out, const widefelem in)
acc[6] += in[11] >> 8;
acc[5] += (in[11] & 0xff) << 48;
acc[5] -= in[11] >> 16;
- acc[4] -= ((in[11] & 0xffff) << 40);
+ acc[4] -= (in[11] & 0xffff) << 40;
acc[5] += in[11] >> 48;
acc[4] += (in[11] & 0xffffffffffff) << 8;
@@ -558,7 +558,7 @@ static void felem_reduce(felem out, const widefelem in)
acc[5] += in[10] >> 8;
acc[4] += (in[10] & 0xff) << 48;
acc[4] -= in[10] >> 16;
- acc[3] -= ((in[10] & 0xffff) << 40);
+ acc[3] -= (in[10] & 0xffff) << 40;
acc[4] += in[10] >> 48;
acc[3] += (in[10] & 0xffffffffffff) << 8;
@@ -567,7 +567,7 @@ static void felem_reduce(felem out, const widefelem in)
acc[4] += in[9] >> 8;
acc[3] += (in[9] & 0xff) << 48;
acc[3] -= in[9] >> 16;
- acc[2] -= ((in[9] & 0xffff) << 40);
+ acc[2] -= (in[9] & 0xffff) << 40;
acc[3] += in[9] >> 48;
acc[2] += (in[9] & 0xffffffffffff) << 8;
@@ -582,7 +582,7 @@ static void felem_reduce(felem out, const widefelem in)
acc[3] += acc[8] >> 8;
acc[2] += (acc[8] & 0xff) << 48;
acc[2] -= acc[8] >> 16;
- acc[1] -= ((acc[8] & 0xffff) << 40);
+ acc[1] -= (acc[8] & 0xffff) << 40;
acc[2] += acc[8] >> 48;
acc[1] += (acc[8] & 0xffffffffffff) << 8;
@@ -591,7 +591,7 @@ static void felem_reduce(felem out, const widefelem in)
acc[2] += acc[7] >> 8;
acc[1] += (acc[7] & 0xff) << 48;
acc[1] -= acc[7] >> 16;
- acc[0] -= ((acc[7] & 0xffff) << 40);
+ acc[0] -= (acc[7] & 0xffff) << 40;
acc[1] += acc[7] >> 48;
acc[0] += (acc[7] & 0xffffffffffff) << 8;

96
openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch Normal file
View File

@ -0,0 +1,96 @@
From 50f8b936b00dc18ce1f622a7a6aa46daf03da48b Mon Sep 17 00:00:00 2001
From: Rohan McLure <rohanmclure@linux.ibm.com>
Date: Wed, 16 Aug 2023 16:52:47 +1000
Subject: [PATCH] powerpc: ecc: Fix stack allocation secp384r1 asm
Assembly acceleration secp384r1 opts to not use any callee-save VSRs, as
VSX enabled systems make extensive use of renaming, and so writebacks in
felem_{mul,square}() can be reordered for best cache effects.
Remove stack allocations. This in turn fixes unmatched push/pops in
felem_{mul,square}().
Signed-off-by: Rohan McLure <rohan.mclure@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21749)
---
crypto/ec/asm/ecp_nistp384-ppc64.pl | 49 -----------------------------
1 file changed, 49 deletions(-)
diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl
index 3f86b391af69..28f4168e5218 100755
--- a/crypto/ec/asm/ecp_nistp384-ppc64.pl
+++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl
@@ -62,51 +62,6 @@ ($)
___
}
-
-sub push_vrs($$)
-{
- my ($min, $max) = @_;
-
- my $count = $max - $min + 1;
-
- $code.=<<___;
- mr $savesp,$sp
- stdu $sp,-16*`$count+1`($sp)
-
-___
- for (my $i = $min; $i <= $max; $i++) {
- my $mult = $max - $i + 1;
- $code.=<<___;
- stxv $i,-16*$mult($savesp)
-___
-
- }
-
- $code.=<<___;
-
-___
-}
-
-sub pop_vrs($$)
-{
- my ($min, $max) = @_;
-
- $code.=<<___;
- ld $savesp,0($sp)
-___
- for (my $i = $min; $i <= $max; $i++) {
- my $mult = $max - $i + 1;
- $code.=<<___;
- lxv $i,-16*$mult($savesp)
-___
- }
-
- $code.=<<___;
- mr $sp,$savesp
-
-___
-}
-
sub load_vrs($$)
{
my ($pointer, $reg_list) = @_;
@@ -162,8 +117,6 @@ ($$)
startproc("p384_felem_mul");
- push_vrs(52, 63);
-
$code.=<<___;
vspltisw $vzero,0
@@ -268,8 +221,6 @@ ($$)
startproc("p384_felem_square");
- push_vrs(52, 63);
-
$code.=<<___;
vspltisw $vzero,0

929
reproducible.patch Normal file
View File

@ -0,0 +1,929 @@
commit 0fbc50ef0cb8894973d4739af62e95be825b7ccf
Author: trigpolynom <trigpolynom@gmail.com>
Date: Tue Oct 17 22:44:45 2023 -0400
aes-gcm-avx512.pl: fix non-reproducibility issue
Replace the random suffix with a counter, to make the
build reproducible.
Fixes #20954
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22415)
diff --git a/crypto/modes/asm/aes-gcm-avx512.pl b/crypto/modes/asm/aes-gcm-avx512.pl
index afd2af941a..9f9124373b 100644
--- a/crypto/modes/asm/aes-gcm-avx512.pl
+++ b/crypto/modes/asm/aes-gcm-avx512.pl
@@ -155,6 +155,9 @@ my $STACK_LOCAL_OFFSET = ($STACK_HKEYS_OFFSET + $HKEYS_STORAGE);
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
my ($arg1, $arg2, $arg3, $arg4, $arg5, $arg6, $arg7, $arg8, $arg9, $arg10, $arg11);
+# ; Counter used for assembly label generation
+my $label_count = 0;
+
# ; This implementation follows the convention: for non-leaf functions (they
# ; must call PROLOG) %rbp is used as a frame pointer, and has fixed offset from
# ; the function entry: $GP_STORAGE + [8 bytes alignment (Windows only)]. This
@@ -200,15 +203,6 @@ my $CTX_OFFSET_HTable = (16 * 6); # ; (Htable) Precomputed table (a
# ;;; Helper functions
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ; Generates "random" local labels
-sub random_string() {
- my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_');
- my $length = 15;
- my $str;
- map { $str .= $chars[rand(33)] } 1 .. $length;
- return $str;
-}
-
sub BYTE {
my ($reg) = @_;
if ($reg =~ /%r[abcd]x/i) {
@@ -417,7 +411,7 @@ ___
sub EPILOG {
my ($hkeys_storage_on_stack, $payload_len) = @_;
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
if ($hkeys_storage_on_stack && $CLEAR_HKEYS_STORAGE_ON_EXIT) {
@@ -425,13 +419,13 @@ sub EPILOG {
# ; were stored in the local frame storage
$code .= <<___;
cmpq \$`16*16`,$payload_len
- jbe .Lskip_hkeys_cleanup_${rndsuffix}
+ jbe .Lskip_hkeys_cleanup_${label_suffix}
vpxor %xmm0,%xmm0,%xmm0
___
for (my $i = 0; $i < int($HKEYS_STORAGE / 64); $i++) {
$code .= "vmovdqa64 %zmm0,`$STACK_HKEYS_OFFSET + 64*$i`(%rsp)\n";
}
- $code .= ".Lskip_hkeys_cleanup_${rndsuffix}:\n";
+ $code .= ".Lskip_hkeys_cleanup_${label_suffix}:\n";
}
if ($CLEAR_SCRATCH_REGISTERS) {
@@ -537,11 +531,11 @@ sub precompute_hkeys_on_stack {
&& $HKEYS_RANGE ne "first32"
&& $HKEYS_RANGE ne "last32");
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
test $HKEYS_READY,$HKEYS_READY
- jnz .L_skip_hkeys_precomputation_${rndsuffix}
+ jnz .L_skip_hkeys_precomputation_${label_suffix}
___
if ($HKEYS_RANGE eq "first16" || $HKEYS_RANGE eq "first32" || $HKEYS_RANGE eq "all") {
@@ -615,7 +609,7 @@ ___
}
}
- $code .= ".L_skip_hkeys_precomputation_${rndsuffix}:\n";
+ $code .= ".L_skip_hkeys_precomputation_${label_suffix}:\n";
}
# ;; =============================================================================
@@ -1418,20 +1412,20 @@ sub CALC_AAD_HASH {
my $SHFMSK = $ZT13;
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
mov $A_IN,$T1 # ; T1 = AAD
mov $A_LEN,$T2 # ; T2 = aadLen
or $T2,$T2
- jz .L_CALC_AAD_done_${rndsuffix}
+ jz .L_CALC_AAD_done_${label_suffix}
xor $HKEYS_READY,$HKEYS_READY
vmovdqa64 SHUF_MASK(%rip),$SHFMSK
-.L_get_AAD_loop48x16_${rndsuffix}:
+.L_get_AAD_loop48x16_${label_suffix}:
cmp \$`(48*16)`,$T2
- jl .L_exit_AAD_loop48x16_${rndsuffix}
+ jl .L_exit_AAD_loop48x16_${label_suffix}
___
$code .= <<___;
@@ -1499,15 +1493,15 @@ ___
$code .= <<___;
sub \$`(48*16)`,$T2
- je .L_CALC_AAD_done_${rndsuffix}
+ je .L_CALC_AAD_done_${label_suffix}
add \$`(48*16)`,$T1
- jmp .L_get_AAD_loop48x16_${rndsuffix}
+ jmp .L_get_AAD_loop48x16_${label_suffix}
-.L_exit_AAD_loop48x16_${rndsuffix}:
+.L_exit_AAD_loop48x16_${label_suffix}:
# ; Less than 48x16 bytes remaining
cmp \$`(32*16)`,$T2
- jl .L_less_than_32x16_${rndsuffix}
+ jl .L_less_than_32x16_${label_suffix}
___
$code .= <<___;
@@ -1556,14 +1550,14 @@ ___
$code .= <<___;
sub \$`(32*16)`,$T2
- je .L_CALC_AAD_done_${rndsuffix}
+ je .L_CALC_AAD_done_${label_suffix}
add \$`(32*16)`,$T1
- jmp .L_less_than_16x16_${rndsuffix}
+ jmp .L_less_than_16x16_${label_suffix}
-.L_less_than_32x16_${rndsuffix}:
+.L_less_than_32x16_${label_suffix}:
cmp \$`(16*16)`,$T2
- jl .L_less_than_16x16_${rndsuffix}
+ jl .L_less_than_16x16_${label_suffix}
# ; Get next 16 blocks
vmovdqu64 `64*0`($T1),$ZT1
vmovdqu64 `64*1`($T1),$ZT2
@@ -1588,11 +1582,11 @@ ___
$code .= <<___;
sub \$`(16*16)`,$T2
- je .L_CALC_AAD_done_${rndsuffix}
+ je .L_CALC_AAD_done_${label_suffix}
add \$`(16*16)`,$T1
# ; Less than 16x16 bytes remaining
-.L_less_than_16x16_${rndsuffix}:
+.L_less_than_16x16_${label_suffix}:
# ;; prep mask source address
lea byte64_len_to_mask_table(%rip),$T3
lea ($T3,$T2,8),$T3
@@ -1601,28 +1595,28 @@ ___
add \$15,@{[DWORD($T2)]}
shr \$4,@{[DWORD($T2)]}
cmp \$2,@{[DWORD($T2)]}
- jb .L_AAD_blocks_1_${rndsuffix}
- je .L_AAD_blocks_2_${rndsuffix}
+ jb .L_AAD_blocks_1_${label_suffix}
+ je .L_AAD_blocks_2_${label_suffix}
cmp \$4,@{[DWORD($T2)]}
- jb .L_AAD_blocks_3_${rndsuffix}
- je .L_AAD_blocks_4_${rndsuffix}
+ jb .L_AAD_blocks_3_${label_suffix}
+ je .L_AAD_blocks_4_${label_suffix}
cmp \$6,@{[DWORD($T2)]}
- jb .L_AAD_blocks_5_${rndsuffix}
- je .L_AAD_blocks_6_${rndsuffix}
+ jb .L_AAD_blocks_5_${label_suffix}
+ je .L_AAD_blocks_6_${label_suffix}
cmp \$8,@{[DWORD($T2)]}
- jb .L_AAD_blocks_7_${rndsuffix}
- je .L_AAD_blocks_8_${rndsuffix}
+ jb .L_AAD_blocks_7_${label_suffix}
+ je .L_AAD_blocks_8_${label_suffix}
cmp \$10,@{[DWORD($T2)]}
- jb .L_AAD_blocks_9_${rndsuffix}
- je .L_AAD_blocks_10_${rndsuffix}
+ jb .L_AAD_blocks_9_${label_suffix}
+ je .L_AAD_blocks_10_${label_suffix}
cmp \$12,@{[DWORD($T2)]}
- jb .L_AAD_blocks_11_${rndsuffix}
- je .L_AAD_blocks_12_${rndsuffix}
+ jb .L_AAD_blocks_11_${label_suffix}
+ je .L_AAD_blocks_12_${label_suffix}
cmp \$14,@{[DWORD($T2)]}
- jb .L_AAD_blocks_13_${rndsuffix}
- je .L_AAD_blocks_14_${rndsuffix}
+ jb .L_AAD_blocks_13_${label_suffix}
+ je .L_AAD_blocks_14_${label_suffix}
cmp \$15,@{[DWORD($T2)]}
- je .L_AAD_blocks_15_${rndsuffix}
+ je .L_AAD_blocks_15_${label_suffix}
___
# ;; fall through for 16 blocks
@@ -1635,7 +1629,7 @@ ___
# ;; - jump to reduction code
for (my $aad_blocks = 16; $aad_blocks > 0; $aad_blocks--) {
- $code .= ".L_AAD_blocks_${aad_blocks}_${rndsuffix}:\n";
+ $code .= ".L_AAD_blocks_${aad_blocks}_${label_suffix}:\n";
if ($aad_blocks > 12) {
$code .= "sub \$`12*16*8`, $T3\n";
} elsif ($aad_blocks > 8) {
@@ -1656,11 +1650,11 @@ ___
if ($aad_blocks > 1) {
# ;; fall through to CALC_AAD_done in 1 block case
- $code .= "jmp .L_CALC_AAD_done_${rndsuffix}\n";
+ $code .= "jmp .L_CALC_AAD_done_${label_suffix}\n";
}
}
- $code .= ".L_CALC_AAD_done_${rndsuffix}:\n";
+ $code .= ".L_CALC_AAD_done_${label_suffix}:\n";
# ;; result in AAD_HASH
}
@@ -1710,13 +1704,13 @@ sub PARTIAL_BLOCK {
my $IA1 = $GPTMP2;
my $IA2 = $GPTMP0;
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
# ;; if no partial block present then LENGTH/DATA_OFFSET will be set to zero
mov ($PBLOCK_LEN),$LENGTH
or $LENGTH,$LENGTH
- je .L_partial_block_done_${rndsuffix} # ;Leave Macro if no partial blocks
+ je .L_partial_block_done_${label_suffix} # ;Leave Macro if no partial blocks
___
&READ_SMALL_DATA_INPUT($XTMP0, $PLAIN_CIPH_IN, $PLAIN_CIPH_LEN, $IA0, $IA2, $MASKREG);
@@ -1755,9 +1749,9 @@ ___
}
$code .= <<___;
sub \$16,$IA1
- jge .L_no_extra_mask_${rndsuffix}
+ jge .L_no_extra_mask_${label_suffix}
sub $IA1,$IA0
-.L_no_extra_mask_${rndsuffix}:
+.L_no_extra_mask_${label_suffix}:
# ;; get the appropriate mask to mask out bottom $LENGTH bytes of $XTMP1
# ;; - mask out bottom $LENGTH bytes of $XTMP1
# ;; sizeof(SHIFT_MASK) == 16 bytes
@@ -1781,7 +1775,7 @@ ___
}
$code .= <<___;
cmp \$0,$IA1
- jl .L_partial_incomplete_${rndsuffix}
+ jl .L_partial_incomplete_${label_suffix}
___
# ;; GHASH computation for the last <16 Byte block
@@ -1793,9 +1787,9 @@ ___
mov $LENGTH,$IA0
mov \$16,$LENGTH
sub $IA0,$LENGTH
- jmp .L_enc_dec_done_${rndsuffix}
+ jmp .L_enc_dec_done_${label_suffix}
-.L_partial_incomplete_${rndsuffix}:
+.L_partial_incomplete_${label_suffix}:
___
if ($win64) {
$code .= <<___;
@@ -1808,7 +1802,7 @@ ___
$code .= <<___;
mov $PLAIN_CIPH_LEN,$LENGTH
-.L_enc_dec_done_${rndsuffix}:
+.L_enc_dec_done_${label_suffix}:
# ;; output encrypted Bytes
lea byte_len_to_mask_table(%rip),$IA0
@@ -1826,7 +1820,7 @@ ___
$code .= <<___;
mov $CIPH_PLAIN_OUT,$IA0
vmovdqu8 $XTMP1,($IA0){$MASKREG}
-.L_partial_block_done_${rndsuffix}:
+.L_partial_block_done_${label_suffix}:
___
}
@@ -2016,7 +2010,7 @@ sub INITIAL_BLOCKS_PARTIAL_GHASH {
my $GM = $_[23]; # [in] ZMM with mid prodcut part
my $GL = $_[24]; # [in] ZMM with lo product part
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
# ;;; - Hash all but the last partial block of data
@@ -2034,7 +2028,7 @@ sub INITIAL_BLOCKS_PARTIAL_GHASH {
# ;; NOTE: the 'jl' is always taken for num_initial_blocks = 16.
# ;; This is run in the context of GCM_ENC_DEC_SMALL for length < 256.
cmp \$16,$LENGTH
- jl .L_small_initial_partial_block_${rndsuffix}
+ jl .L_small_initial_partial_block_${label_suffix}
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
# ;;; Handle a full length final block - encrypt and hash all blocks
@@ -2056,11 +2050,11 @@ ___
&GHASH_1_TO_16($GCM128_CTX, $HASH_IN_OUT, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4,
$ZT5, $ZT6, $ZT7, $ZT8, &ZWORD($HASH_IN_OUT), $DAT0, $DAT1, $DAT2, $DAT3, $NUM_BLOCKS, $GH, $GM, $GL);
}
- $code .= "jmp .L_small_initial_compute_done_${rndsuffix}\n";
+ $code .= "jmp .L_small_initial_compute_done_${label_suffix}\n";
}
$code .= <<___;
-.L_small_initial_partial_block_${rndsuffix}:
+.L_small_initial_partial_block_${label_suffix}:
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
# ;;; Handle ghash for a <16B final block
@@ -2125,7 +2119,7 @@ ___
# ;; a partial block of data, so xor that into the hash.
vpxorq $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT
# ;; The result is in $HASH_IN_OUT
- jmp .L_after_reduction_${rndsuffix}
+ jmp .L_after_reduction_${label_suffix}
___
}
@@ -2133,7 +2127,7 @@ ___
# ;;; After GHASH reduction
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
- $code .= ".L_small_initial_compute_done_${rndsuffix}:\n";
+ $code .= ".L_small_initial_compute_done_${label_suffix}:\n";
# ;; If using init/update/finalize, we need to xor any partial block data
# ;; into the hash.
@@ -2144,13 +2138,13 @@ ___
$code .= <<___;
# ;; NOTE: for $NUM_BLOCKS = 16, $LENGTH, stored in [PBlockLen] is never zero
or $LENGTH,$LENGTH
- je .L_after_reduction_${rndsuffix}
+ je .L_after_reduction_${label_suffix}
___
}
$code .= "vpxorq $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT\n";
}
- $code .= ".L_after_reduction_${rndsuffix}:\n";
+ $code .= ".L_after_reduction_${label_suffix}:\n";
# ;; Final hash is now in HASH_IN_OUT
}
@@ -2266,7 +2260,7 @@ sub GHASH_16_ENCRYPT_N_GHASH_N {
die "GHASH_16_ENCRYPT_N_GHASH_N: num_blocks is out of bounds = $NUM_BLOCKS\n"
if ($NUM_BLOCKS > 16 || $NUM_BLOCKS < 0);
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
my $GH1H = $HASH_IN_OUT;
@@ -2326,16 +2320,16 @@ ___
$code .= <<___;
cmp \$`(256 - $NUM_BLOCKS)`,@{[DWORD($CTR_CHECK)]}
- jae .L_16_blocks_overflow_${rndsuffix}
+ jae .L_16_blocks_overflow_${label_suffix}
___
&ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
$NUM_BLOCKS, "vpaddd", $B00_03, $B04_07, $B08_11, $B12_15, $CTR_BE,
$B00_03, $B04_07, $B08_11, $ADDBE_1234, $ADDBE_4x4, $ADDBE_4x4, $ADDBE_4x4);
$code .= <<___;
- jmp .L_16_blocks_ok_${rndsuffix}
+ jmp .L_16_blocks_ok_${label_suffix}
-.L_16_blocks_overflow_${rndsuffix}:
+.L_16_blocks_overflow_${label_suffix}:
vpshufb $SHFMSK,$CTR_BE,$CTR_BE
vpaddd ddq_add_1234(%rip),$CTR_BE,$B00_03
___
@@ -2355,7 +2349,7 @@ ___
$NUM_BLOCKS, "vpshufb", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
$B04_07, $B08_11, $B12_15, $SHFMSK, $SHFMSK, $SHFMSK, $SHFMSK);
$code .= <<___;
-.L_16_blocks_ok_${rndsuffix}:
+.L_16_blocks_ok_${label_suffix}:
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
# ;; - pre-load constants
@@ -2805,53 +2799,53 @@ sub GCM_ENC_DEC_LAST {
my $MASKREG = $_[44]; # [clobbered] mask register
my $PBLOCK_LEN = $_[45]; # [in] partial block length
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
mov @{[DWORD($LENGTH)]},@{[DWORD($IA0)]}
add \$15,@{[DWORD($IA0)]}
shr \$4,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_0_${rndsuffix}
+ je .L_last_num_blocks_is_0_${label_suffix}
cmp \$8,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_8_${rndsuffix}
- jb .L_last_num_blocks_is_7_1_${rndsuffix}
+ je .L_last_num_blocks_is_8_${label_suffix}
+ jb .L_last_num_blocks_is_7_1_${label_suffix}
cmp \$12,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_12_${rndsuffix}
- jb .L_last_num_blocks_is_11_9_${rndsuffix}
+ je .L_last_num_blocks_is_12_${label_suffix}
+ jb .L_last_num_blocks_is_11_9_${label_suffix}
# ;; 16, 15, 14 or 13
cmp \$15,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_15_${rndsuffix}
- ja .L_last_num_blocks_is_16_${rndsuffix}
+ je .L_last_num_blocks_is_15_${label_suffix}
+ ja .L_last_num_blocks_is_16_${label_suffix}
cmp \$14,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_14_${rndsuffix}
- jmp .L_last_num_blocks_is_13_${rndsuffix}
+ je .L_last_num_blocks_is_14_${label_suffix}
+ jmp .L_last_num_blocks_is_13_${label_suffix}
-.L_last_num_blocks_is_11_9_${rndsuffix}:
+.L_last_num_blocks_is_11_9_${label_suffix}:
# ;; 11, 10 or 9
cmp \$10,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_10_${rndsuffix}
- ja .L_last_num_blocks_is_11_${rndsuffix}
- jmp .L_last_num_blocks_is_9_${rndsuffix}
+ je .L_last_num_blocks_is_10_${label_suffix}
+ ja .L_last_num_blocks_is_11_${label_suffix}
+ jmp .L_last_num_blocks_is_9_${label_suffix}
-.L_last_num_blocks_is_7_1_${rndsuffix}:
+.L_last_num_blocks_is_7_1_${label_suffix}:
cmp \$4,@{[DWORD($IA0)]}
- je .L_last_num_blocks_is_4_${rndsuffix}
- jb .L_last_num_blocks_is_3_1_${rndsuffix}
+ je .L_last_num_blocks_is_4_${label_suffix}
+ jb .L_last_num_blocks_is_3_1_${label_suffix}
# ;; 7, 6 or 5
cmp \$6,@{[DWORD($IA0)]}
- ja .L_last_num_blocks_is_7_${rndsuffix}
- je .L_last_num_blocks_is_6_${rndsuffix}
- jmp .L_last_num_blocks_is_5_${rndsuffix}
+ ja .L_last_num_blocks_is_7_${label_suffix}
+ je .L_last_num_blocks_is_6_${label_suffix}
+ jmp .L_last_num_blocks_is_5_${label_suffix}
-.L_last_num_blocks_is_3_1_${rndsuffix}:
+.L_last_num_blocks_is_3_1_${label_suffix}:
# ;; 3, 2 or 1
cmp \$2,@{[DWORD($IA0)]}
- ja .L_last_num_blocks_is_3_${rndsuffix}
- je .L_last_num_blocks_is_2_${rndsuffix}
+ ja .L_last_num_blocks_is_3_${label_suffix}
+ je .L_last_num_blocks_is_2_${label_suffix}
___
# ;; fall through for `jmp .L_last_num_blocks_is_1`
@@ -2859,7 +2853,7 @@ ___
# ;; Use rep to generate different block size variants
# ;; - one block size has to be the first one
for my $num_blocks (1 .. 16) {
- $code .= ".L_last_num_blocks_is_${num_blocks}_${rndsuffix}:\n";
+ $code .= ".L_last_num_blocks_is_${num_blocks}_${label_suffix}:\n";
&GHASH_16_ENCRYPT_N_GHASH_N(
$AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $DATA_OFFSET,
$LENGTH, $CTR_BE, $CTR_CHECK, $HASHKEY_OFFSET, $GHASHIN_BLK_OFFSET,
@@ -2872,10 +2866,10 @@ ___
$ENC_DEC, $HASH_IN_OUT, $IA0, $IA1, $MASKREG,
$num_blocks, $PBLOCK_LEN);
- $code .= "jmp .L_last_blocks_done_${rndsuffix}\n";
+ $code .= "jmp .L_last_blocks_done_${label_suffix}\n";
}
- $code .= ".L_last_num_blocks_is_0_${rndsuffix}:\n";
+ $code .= ".L_last_num_blocks_is_0_${label_suffix}:\n";
# ;; if there is 0 blocks to cipher then there are only 16 blocks for ghash and reduction
# ;; - convert mid into end_reduce
@@ -2891,7 +2885,7 @@ ___
$GHASHIN_BLK_OFFSET, 0, "%rsp", $HASHKEY_OFFSET, 0, $HASH_IN_OUT, $ZT00, $ZT01,
$ZT02, $ZT03, $ZT04, $ZT05, $ZT06, $ZT07, $ZT08, $ZT09);
- $code .= ".L_last_blocks_done_${rndsuffix}:\n";
+ $code .= ".L_last_blocks_done_${label_suffix}:\n";
}
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -2985,20 +2979,20 @@ sub GHASH_16_ENCRYPT_16_PARALLEL {
my $GHDAT1 = $ZT21;
my $GHDAT2 = $ZT22;
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
# ;; prepare counter blocks
$code .= <<___;
cmpb \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]}
- jae .L_16_blocks_overflow_${rndsuffix}
+ jae .L_16_blocks_overflow_${label_suffix}
vpaddd $ADDBE_1234,$CTR_BE,$B00_03
vpaddd $ADDBE_4x4,$B00_03,$B04_07
vpaddd $ADDBE_4x4,$B04_07,$B08_11
vpaddd $ADDBE_4x4,$B08_11,$B12_15
- jmp .L_16_blocks_ok_${rndsuffix}
-.L_16_blocks_overflow_${rndsuffix}:
+ jmp .L_16_blocks_ok_${label_suffix}
+.L_16_blocks_overflow_${label_suffix}:
vpshufb $SHFMSK,$CTR_BE,$CTR_BE
vmovdqa64 ddq_add_4444(%rip),$B12_15
vpaddd ddq_add_1234(%rip),$CTR_BE,$B00_03
@@ -3009,7 +3003,7 @@ sub GHASH_16_ENCRYPT_16_PARALLEL {
vpshufb $SHFMSK,$B04_07,$B04_07
vpshufb $SHFMSK,$B08_11,$B08_11
vpshufb $SHFMSK,$B12_15,$B12_15
-.L_16_blocks_ok_${rndsuffix}:
+.L_16_blocks_ok_${label_suffix}:
___
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -3338,25 +3332,25 @@ sub ENCRYPT_SINGLE_BLOCK {
my $XMM0 = $_[1]; # ; [in/out]
my $GPR1 = $_[2]; # ; [clobbered]
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
# ; load number of rounds from AES_KEY structure (offset in bytes is
# ; size of the |rd_key| buffer)
mov `4*15*4`($AES_KEY),@{[DWORD($GPR1)]}
cmp \$9,@{[DWORD($GPR1)]}
- je .Laes_128_${rndsuffix}
+ je .Laes_128_${label_suffix}
cmp \$11,@{[DWORD($GPR1)]}
- je .Laes_192_${rndsuffix}
+ je .Laes_192_${label_suffix}
cmp \$13,@{[DWORD($GPR1)]}
- je .Laes_256_${rndsuffix}
- jmp .Lexit_aes_${rndsuffix}
+ je .Laes_256_${label_suffix}
+ jmp .Lexit_aes_${label_suffix}
___
for my $keylen (sort keys %aes_rounds) {
my $nr = $aes_rounds{$keylen};
$code .= <<___;
.align 32
-.Laes_${keylen}_${rndsuffix}:
+.Laes_${keylen}_${label_suffix}:
___
$code .= "vpxorq `16*0`($AES_KEY),$XMM0, $XMM0\n\n";
for (my $i = 1; $i <= $nr; $i++) {
@@ -3364,10 +3358,10 @@ ___
}
$code .= <<___;
vaesenclast `16*($nr+1)`($AES_KEY),$XMM0,$XMM0
- jmp .Lexit_aes_${rndsuffix}
+ jmp .Lexit_aes_${label_suffix}
___
}
- $code .= ".Lexit_aes_${rndsuffix}:\n\n";
+ $code .= ".Lexit_aes_${label_suffix}:\n\n";
}
sub CALC_J0 {
@@ -3562,52 +3556,52 @@ sub GCM_ENC_DEC_SMALL {
my $SHUFMASK = $_[29]; # [in] ZMM with BE/LE shuffle mask
my $PBLOCK_LEN = $_[30]; # [in] partial block length
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
cmp \$8,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_8_${rndsuffix}
- jl .L_small_initial_num_blocks_is_7_1_${rndsuffix}
+ je .L_small_initial_num_blocks_is_8_${label_suffix}
+ jl .L_small_initial_num_blocks_is_7_1_${label_suffix}
cmp \$12,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_12_${rndsuffix}
- jl .L_small_initial_num_blocks_is_11_9_${rndsuffix}
+ je .L_small_initial_num_blocks_is_12_${label_suffix}
+ jl .L_small_initial_num_blocks_is_11_9_${label_suffix}
# ;; 16, 15, 14 or 13
cmp \$16,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_16_${rndsuffix}
+ je .L_small_initial_num_blocks_is_16_${label_suffix}
cmp \$15,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_15_${rndsuffix}
+ je .L_small_initial_num_blocks_is_15_${label_suffix}
cmp \$14,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_14_${rndsuffix}
- jmp .L_small_initial_num_blocks_is_13_${rndsuffix}
+ je .L_small_initial_num_blocks_is_14_${label_suffix}
+ jmp .L_small_initial_num_blocks_is_13_${label_suffix}
-.L_small_initial_num_blocks_is_11_9_${rndsuffix}:
+.L_small_initial_num_blocks_is_11_9_${label_suffix}:
# ;; 11, 10 or 9
cmp \$11,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_11_${rndsuffix}
+ je .L_small_initial_num_blocks_is_11_${label_suffix}
cmp \$10,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_10_${rndsuffix}
- jmp .L_small_initial_num_blocks_is_9_${rndsuffix}
+ je .L_small_initial_num_blocks_is_10_${label_suffix}
+ jmp .L_small_initial_num_blocks_is_9_${label_suffix}
-.L_small_initial_num_blocks_is_7_1_${rndsuffix}:
+.L_small_initial_num_blocks_is_7_1_${label_suffix}:
cmp \$4,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_4_${rndsuffix}
- jl .L_small_initial_num_blocks_is_3_1_${rndsuffix}
+ je .L_small_initial_num_blocks_is_4_${label_suffix}
+ jl .L_small_initial_num_blocks_is_3_1_${label_suffix}
# ;; 7, 6 or 5
cmp \$7,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_7_${rndsuffix}
+ je .L_small_initial_num_blocks_is_7_${label_suffix}
cmp \$6,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_6_${rndsuffix}
- jmp .L_small_initial_num_blocks_is_5_${rndsuffix}
+ je .L_small_initial_num_blocks_is_6_${label_suffix}
+ jmp .L_small_initial_num_blocks_is_5_${label_suffix}
-.L_small_initial_num_blocks_is_3_1_${rndsuffix}:
+.L_small_initial_num_blocks_is_3_1_${label_suffix}:
# ;; 3, 2 or 1
cmp \$3,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_3_${rndsuffix}
+ je .L_small_initial_num_blocks_is_3_${label_suffix}
cmp \$2,$NUM_BLOCKS
- je .L_small_initial_num_blocks_is_2_${rndsuffix}
+ je .L_small_initial_num_blocks_is_2_${label_suffix}
# ;; for $NUM_BLOCKS == 1, just fall through and no 'jmp' needed
@@ -3616,7 +3610,7 @@ sub GCM_ENC_DEC_SMALL {
___
for (my $num_blocks = 1; $num_blocks <= 16; $num_blocks++) {
- $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${rndsuffix}:\n";
+ $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${label_suffix}:\n";
&INITIAL_BLOCKS_PARTIAL(
$AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $LENGTH, $DATA_OFFSET,
$num_blocks, $CTR, $HASH_IN_OUT, $ENC_DEC, $ZTMP0, $ZTMP1,
@@ -3625,11 +3619,11 @@ ___
$ZTMP14, $IA0, $IA1, $MASKREG, $SHUFMASK, $PBLOCK_LEN);
if ($num_blocks != 16) {
- $code .= "jmp .L_small_initial_blocks_encrypted_${rndsuffix}\n";
+ $code .= "jmp .L_small_initial_blocks_encrypted_${label_suffix}\n";
}
}
- $code .= ".L_small_initial_blocks_encrypted_${rndsuffix}:\n";
+ $code .= ".L_small_initial_blocks_encrypted_${label_suffix}:\n";
}
# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -3710,7 +3704,7 @@ sub GCM_ENC_DEC {
my $MASKREG = "%k1";
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
# ;; reduction every 48 blocks, depth 32 blocks
# ;; @note 48 blocks is the maximum capacity of the stack frame
@@ -3751,7 +3745,7 @@ sub GCM_ENC_DEC {
} else {
$code .= "or $PLAIN_CIPH_LEN,$PLAIN_CIPH_LEN\n";
}
- $code .= "je .L_enc_dec_done_${rndsuffix}\n";
+ $code .= "je .L_enc_dec_done_${label_suffix}\n";
# Length value from context $CTX_OFFSET_InLen`($GCM128_CTX) is updated in
# 'providers/implementations/ciphers/cipher_aes_gcm_hw_vaes_avx512.inc'
@@ -3778,12 +3772,12 @@ sub GCM_ENC_DEC {
# ;; There may be no more data if it was consumed in the partial block.
$code .= <<___;
sub $DATA_OFFSET,$LENGTH
- je .L_enc_dec_done_${rndsuffix}
+ je .L_enc_dec_done_${label_suffix}
___
$code .= <<___;
cmp \$`(16 * 16)`,$LENGTH
- jbe .L_message_below_equal_16_blocks_${rndsuffix}
+ jbe .L_message_below_equal_16_blocks_${label_suffix}
vmovdqa64 SHUF_MASK(%rip),$SHUF_MASK
vmovdqa64 ddq_addbe_4444(%rip),$ADDBE_4x4
@@ -3815,7 +3809,7 @@ ___
$code .= <<___;
cmp \$`(32 * 16)`,$LENGTH
- jb .L_message_below_32_blocks_${rndsuffix}
+ jb .L_message_below_32_blocks_${label_suffix}
___
# ;; ==== AES-CTR - next 16 blocks
@@ -3836,13 +3830,13 @@ ___
sub \$`(32 * 16)`,$LENGTH
cmp \$`($big_loop_nblocks * 16)`,$LENGTH
- jb .L_no_more_big_nblocks_${rndsuffix}
+ jb .L_no_more_big_nblocks_${label_suffix}
___
# ;; ====
# ;; ==== AES-CTR + GHASH - 48 blocks loop
# ;; ====
- $code .= ".L_encrypt_big_nblocks_${rndsuffix}:\n";
+ $code .= ".L_encrypt_big_nblocks_${label_suffix}:\n";
# ;; ==== AES-CTR + GHASH - 16 blocks, start
$aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16));
@@ -3893,15 +3887,15 @@ ___
add \$`($big_loop_nblocks * 16)`,$DATA_OFFSET
sub \$`($big_loop_nblocks * 16)`,$LENGTH
cmp \$`($big_loop_nblocks * 16)`,$LENGTH
- jae .L_encrypt_big_nblocks_${rndsuffix}
+ jae .L_encrypt_big_nblocks_${label_suffix}
-.L_no_more_big_nblocks_${rndsuffix}:
+.L_no_more_big_nblocks_${label_suffix}:
cmp \$`(32 * 16)`,$LENGTH
- jae .L_encrypt_32_blocks_${rndsuffix}
+ jae .L_encrypt_32_blocks_${label_suffix}
cmp \$`(16 * 16)`,$LENGTH
- jae .L_encrypt_16_blocks_${rndsuffix}
+ jae .L_encrypt_16_blocks_${label_suffix}
___
# ;; =====================================================
@@ -3909,7 +3903,7 @@ ___
# ;; ==== GHASH 1 x 16 blocks
# ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
# ;; ==== then GHASH N blocks
- $code .= ".L_encrypt_0_blocks_ghash_32_${rndsuffix}:\n";
+ $code .= ".L_encrypt_0_blocks_ghash_32_${label_suffix}:\n";
# ;; calculate offset to the right hash key
$code .= <<___;
@@ -3937,7 +3931,7 @@ ___
$IA0, $IA5, $MASKREG, $PBLOCK_LEN);
$code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
- $code .= "jmp .L_ghash_done_${rndsuffix}\n";
+ $code .= "jmp .L_ghash_done_${label_suffix}\n";
# ;; =====================================================
# ;; =====================================================
@@ -3946,7 +3940,7 @@ ___
# ;; ==== GHASH 1 x 16 blocks (reduction)
# ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
# ;; ==== then GHASH N blocks
- $code .= ".L_encrypt_32_blocks_${rndsuffix}:\n";
+ $code .= ".L_encrypt_32_blocks_${label_suffix}:\n";
# ;; ==== AES-CTR + GHASH - 16 blocks, start
$aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16));
@@ -4007,7 +4001,7 @@ ___
$IA0, $IA5, $MASKREG, $PBLOCK_LEN);
$code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
- $code .= "jmp .L_ghash_done_${rndsuffix}\n";
+ $code .= "jmp .L_ghash_done_${label_suffix}\n";
# ;; =====================================================
# ;; =====================================================
@@ -4015,7 +4009,7 @@ ___
# ;; ==== GHASH 1 x 16 blocks
# ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
# ;; ==== then GHASH N blocks
- $code .= ".L_encrypt_16_blocks_${rndsuffix}:\n";
+ $code .= ".L_encrypt_16_blocks_${label_suffix}:\n";
# ;; ==== AES-CTR + GHASH - 16 blocks, start
$aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16));
@@ -4059,9 +4053,9 @@ ___
$code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
$code .= <<___;
- jmp .L_ghash_done_${rndsuffix}
+ jmp .L_ghash_done_${label_suffix}
-.L_message_below_32_blocks_${rndsuffix}:
+.L_message_below_32_blocks_${label_suffix}:
# ;; 32 > number of blocks > 16
sub \$`(16 * 16)`,$LENGTH
@@ -4094,9 +4088,9 @@ ___
$code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
$code .= <<___;
- jmp .L_ghash_done_${rndsuffix}
+ jmp .L_ghash_done_${label_suffix}
-.L_message_below_equal_16_blocks_${rndsuffix}:
+.L_message_below_equal_16_blocks_${label_suffix}:
# ;; Determine how many blocks to process
# ;; - process one additional block if there is a partial block
mov @{[DWORD($LENGTH)]},@{[DWORD($IA1)]}
@@ -4113,13 +4107,13 @@ ___
# ;; fall through to exit
- $code .= ".L_ghash_done_${rndsuffix}:\n";
+ $code .= ".L_ghash_done_${label_suffix}:\n";
# ;; save the last counter block
$code .= "vmovdqu64 $CTR_BLOCKx,`$CTX_OFFSET_CurCount`($GCM128_CTX)\n";
$code .= <<___;
vmovdqu64 $AAD_HASHx,`$CTX_OFFSET_AadHash`($GCM128_CTX)
-.L_enc_dec_done_${rndsuffix}:
+.L_enc_dec_done_${label_suffix}:
___
}
@@ -4155,7 +4149,7 @@ sub INITIAL_BLOCKS_16 {
my $B08_11 = $T7;
my $B12_15 = $T8;
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
my $stack_offset = $BLK_OFFSET;
$code .= <<___;
@@ -4163,13 +4157,13 @@ sub INITIAL_BLOCKS_16 {
# ;; prepare counter blocks
cmpb \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]}
- jae .L_next_16_overflow_${rndsuffix}
+ jae .L_next_16_overflow_${label_suffix}
vpaddd $ADDBE_1234,$CTR,$B00_03
vpaddd $ADDBE_4x4,$B00_03,$B04_07
vpaddd $ADDBE_4x4,$B04_07,$B08_11
vpaddd $ADDBE_4x4,$B08_11,$B12_15
- jmp .L_next_16_ok_${rndsuffix}
-.L_next_16_overflow_${rndsuffix}:
+ jmp .L_next_16_ok_${label_suffix}
+.L_next_16_overflow_${label_suffix}:
vpshufb $SHUF_MASK,$CTR,$CTR
vmovdqa64 ddq_add_4444(%rip),$B12_15
vpaddd ddq_add_1234(%rip),$CTR,$B00_03
@@ -4180,7 +4174,7 @@ sub INITIAL_BLOCKS_16 {
vpshufb $SHUF_MASK,$B04_07,$B04_07
vpshufb $SHUF_MASK,$B08_11,$B08_11
vpshufb $SHUF_MASK,$B12_15,$B12_15
-.L_next_16_ok_${rndsuffix}:
+.L_next_16_ok_${label_suffix}:
vshufi64x2 \$0b11111111,$B12_15,$B12_15,$CTR
addb \$16,@{[BYTE($CTR_CHECK)]}
# ;; === load 16 blocks of data
@@ -4264,7 +4258,7 @@ sub GCM_COMPLETE {
my $GCM128_CTX = $_[0];
my $PBLOCK_LEN = $_[1];
- my $rndsuffix = &random_string();
+ my $label_suffix = $label_count++;
$code .= <<___;
vmovdqu @{[HashKeyByIdx(1,$GCM128_CTX)]},%xmm2
@@ -4276,14 +4270,14 @@ ___
# ;; Process the final partial block.
cmp \$0,$PBLOCK_LEN
- je .L_partial_done_${rndsuffix}
+ je .L_partial_done_${label_suffix}
___
# ;GHASH computation for the last <16 Byte block
&GHASH_MUL("%xmm4", "%xmm2", "%xmm0", "%xmm16", "%xmm17");
$code .= <<___;
-.L_partial_done_${rndsuffix}:
+.L_partial_done_${label_suffix}:
vmovq `$CTX_OFFSET_InLen`($GCM128_CTX), %xmm5
vpinsrq \$1, `$CTX_OFFSET_AadLen`($GCM128_CTX), %xmm5, %xmm5 # ; xmm5 = len(A)||len(C)
vpsllq \$3, %xmm5, %xmm5 # ; convert bytes into bits
@@ -4297,7 +4291,7 @@ ___
vpshufb SHUF_MASK(%rip),%xmm4,%xmm4 # ; perform a 16Byte swap
vpxor %xmm4,%xmm3,%xmm3
-.L_return_T_${rndsuffix}:
+.L_return_T_${label_suffix}:
vmovdqu %xmm3,`$CTX_OFFSET_AadHash`($GCM128_CTX)
___
}