Hi! On Tuesday 22 December 2009, Kurt Roeckx wrote: > On Tue, Dec 22, 2009 at 11:02:52AM +0100, Carsten Wolff wrote: > Does the resulting shared object actually have an bind_engine > symbol in it? Try using objdump -T libpadlock.so to see if it > has any. Looking at the sources, only the capi and gmp engine > seem to have that.
Nice hint. Attached is a text-file with some output showing that the symbol
table is a lot larger, when compiled on debian-i386 compared to when compiled
on debian-amd64. The VIA C3 and C7 where 32Bit CPUs, maybe the engine-
programmer did not expect a 64Bit VIA Nano?
> I believe that openssl should always use the padlock engine
> on such CPUs, but since I don't have any, I can't test this.
I would like that, too. Instead, openssl relies on the application to select a
specific engine.
I will also attach the (ugly) patch for the debian package I use to produce a
shared libpadlock.so (and to add SHA padlock support).
Regards,
Carsten
--
/\-ยด-/\
( @ @ )
________o0O___^___O0o________
diff -urpN openssl-0.9.8k/debian/changelog openssl-0.9.8k.via/debian/changelog --- openssl-0.9.8k/debian/changelog 2009-12-18 12:48:06.000000000 +0100 +++ openssl-0.9.8k.via/debian/changelog 2009-12-18 12:40:41.918621165 +0100 @@ -1,3 +1,9 @@ +openssl (0.9.8k-7+via1) unstable; urgency=low + + * add VIA padlock SHA support + + -- Carsten Wolff <[email protected]> Wed, 16 Dec 2009 12:41:49 +0100 + openssl (0.9.8k-7) unstable; urgency=low * Bump the shlibs to require 0.9.8k-1. The following symbols diff -urpN openssl-0.9.8k/debian/patches/padlock-sha.patch openssl-0.9.8k.via/debian/patches/padlock-sha.patch --- openssl-0.9.8k/debian/patches/padlock-sha.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssl-0.9.8k.via/debian/patches/padlock-sha.patch 2009-12-18 12:40:41.922620761 +0100 @@ -0,0 +1,626 @@ +# +# OpenSSL patch to support VIA C7 hash engine +# Author: Michal Ludvig <[email protected]> +# http://www.logix.cz/michal/devel/padlock +# +Index: openssl-padlock/crypto/engine/eng_padlock.c +=================================================================== +--- openssl-padlock.orig/crypto/engine/eng_padlock.c 2006-06-27 15:36:47.950924000 +1200 ++++ openssl-padlock/crypto/engine/eng_padlock.c 2006-06-27 17:28:57.247478750 +1200 +@@ -74,12 +74,23 @@ + #ifndef OPENSSL_NO_AES + #include <openssl/aes.h> + #endif ++#ifndef OPENSSL_NO_SHA ++#include <openssl/sha.h> ++#endif + #include <openssl/rand.h> + #include <openssl/err.h> + + #ifndef OPENSSL_NO_HW + #ifndef OPENSSL_NO_HW_PADLOCK + ++/* PadLock RNG is disabled by default */ ++#define PADLOCK_NO_RNG 1 ++ ++/* No ASM routines for SHA in MSC yet */ ++#ifdef _MSC_VER ++#define OPENSSL_NO_SHA ++#endif ++ + /* Attempt to have a single source for both 0.9.7 and 0.9.8 :-) */ + #if (OPENSSL_VERSION_NUMBER >= 0x00908000L) + # ifndef OPENSSL_NO_DYNAMIC_ENGINE +@@ -135,52 +146,89 @@ + static int padlock_init(ENGINE *e); + + /* RNG Stuff */ ++#ifndef PADLOCK_NO_RNG + static RAND_METHOD padlock_rand; ++#endif + + /* Cipher Stuff */ + #ifndef OPENSSL_NO_AES + static int padlock_ciphers(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid); + #endif + ++/* Digest Stuff */ ++#ifndef OPENSSL_NO_SHA ++static int padlock_digests(ENGINE *e, const EVP_MD **digest, const int **nids, int nid); ++#endif ++ + /* Engine names */ + static const char *padlock_id = "padlock"; + static char padlock_name[100]; + + /* Available features */ +-static int padlock_use_ace = 0; /* Advanced Cryptography Engine */ +-static int padlock_use_rng = 0; /* Random Number Generator */ ++enum padlock_flags { ++ PADLOCK_RNG = 0x01, ++ PADLOCK_ACE = 0x02, ++ PADLOCK_ACE2 = 0x04, ++ PADLOCK_PHE = 0x08, ++ PADLOCK_PMM = 0x10 ++}; ++enum padlock_flags padlock_flags; ++ ++#define PADLOCK_HAVE_RNG (padlock_flags & PADLOCK_RNG) ++#define PADLOCK_HAVE_ACE (padlock_flags & (PADLOCK_ACE|PADLOCK_ACE2)) ++#define PADLOCK_HAVE_ACE1 (padlock_flags & PADLOCK_ACE) ++#define PADLOCK_HAVE_ACE2 (padlock_flags & PADLOCK_ACE2) ++#define PADLOCK_HAVE_PHE (padlock_flags & PADLOCK_PHE) ++#define PADLOCK_HAVE_PMM (padlock_flags & PADLOCK_PMM) ++ + #ifndef OPENSSL_NO_AES + static int padlock_aes_align_required = 1; + #endif + ++/* Init / Max buffer sizes for SHA */ ++#define PADLOCK_SHA_INIT_ORD 13 /* = 8192 */ ++#define PADLOCK_SHA_MAX_ORD 13 /* = 8192 */ ++ + /* ===== Engine "management" functions ===== */ + + /* Prepare the ENGINE structure for registration */ + static int + padlock_bind_helper(ENGINE *e) + { ++ char phe_string[20]; ++ + /* Check available features */ + padlock_available(); + +-#if 1 /* disable RNG for now, see commentary in vicinity of RNG code */ +- padlock_use_rng=0; +-#endif ++ /* Build PHE info with buffer size argument */ ++ if (PADLOCK_HAVE_PHE) ++ BIO_snprintf(phe_string, sizeof(phe_string), ++ "PHE(%lu) ", 1UL << PADLOCK_SHA_MAX_ORD); + + /* Generate a nice engine name with available features */ + BIO_snprintf(padlock_name, sizeof(padlock_name), +- "VIA PadLock (%s, %s)", +- padlock_use_rng ? "RNG" : "no-RNG", +- padlock_use_ace ? "ACE" : "no-ACE"); ++ "VIA PadLock: %s%s%s%s%s", ++ padlock_flags ? "" : "not supported", ++ PADLOCK_HAVE_RNG ? "RNG " : "", ++ PADLOCK_HAVE_ACE ? (PADLOCK_HAVE_ACE2 ? "ACE2 " : "ACE ") : "", ++ PADLOCK_HAVE_PHE ? phe_string : "", ++ PADLOCK_HAVE_PMM ? "PMM " : ""); + + /* Register everything or return with an error */ + if (!ENGINE_set_id(e, padlock_id) || + !ENGINE_set_name(e, padlock_name) || + +- !ENGINE_set_init_function(e, padlock_init) || ++ !ENGINE_set_init_function(e, padlock_init) + #ifndef OPENSSL_NO_AES +- (padlock_use_ace && !ENGINE_set_ciphers (e, padlock_ciphers)) || ++ || (PADLOCK_HAVE_ACE && !ENGINE_set_ciphers (e, padlock_ciphers)) ++#endif ++#ifndef OPENSSL_NO_SHA ++ || (PADLOCK_HAVE_PHE && !ENGINE_set_digests (e, padlock_digests)) ++#endif ++#ifndef PADLOCK_NO_RNG ++ || (PADLOCK_HAVE_RNG && !ENGINE_set_RAND (e, &padlock_rand)) + #endif +- (padlock_use_rng && !ENGINE_set_RAND (e, &padlock_rand))) { ++ ) { + return 0; + } + +@@ -210,7 +258,7 @@ + static int + padlock_init(ENGINE *e) + { +- return (padlock_use_rng || padlock_use_ace); ++ return (padlock_flags); + } + + /* This stuff is needed if this ENGINE is being compiled into a self-contained +@@ -237,6 +285,17 @@ + + /* ===== Here comes the "real" engine ===== */ + ++#ifdef __GNUC__ ++#define likely(x) __builtin_expect(!!(x), 1) ++#define unlikely(x) __builtin_expect(!!(x), 0) ++#else ++#define likely(x) (x) ++#define unlikely(x) (x) ++#endif ++ ++/* How to test if we need to typedef uint32_t ??? */ ++typedef unsigned long uint32_t; ++ + #ifndef OPENSSL_NO_AES + /* Some AES-related constants */ + #define AES_BLOCK_SIZE 16 +@@ -362,10 +421,22 @@ + : "+a"(eax), "=d"(edx) : : "ecx"); + + /* Fill up some flags */ +- padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6)); +- padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2)); ++ padlock_flags |= ((edx & (0x3<<3)) ? PADLOCK_RNG : 0); ++ padlock_flags |= ((edx & (0x3<<7)) ? PADLOCK_ACE : 0); ++ padlock_flags |= ((edx & (0x3<<9)) ? PADLOCK_ACE2 : 0); ++ padlock_flags |= ((edx & (0x3<<11)) ? PADLOCK_PHE : 0); ++ padlock_flags |= ((edx & (0x3<<13)) ? PADLOCK_PMM : 0); + +- return padlock_use_ace + padlock_use_rng; ++ return padlock_flags; ++} ++ ++static inline void ++padlock_htonl_block(uint32_t *data, size_t count) ++{ ++ while (count--) { ++ asm volatile ("bswapl %0" : "+r"(*data)); ++ data++; ++ } + } + + #ifndef OPENSSL_NO_AES +@@ -374,12 +445,9 @@ + padlock_bswapl(AES_KEY *ks) + { + size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]); +- unsigned int *key = ks->rd_key; ++ uint32_t *key = (uint32_t*) ks->rd_key; + +- while (i--) { +- asm volatile ("bswapl %0" : "+r"(*key)); +- key++; +- } ++ padlock_htonl_block(key, i); + } + #endif + +@@ -1154,6 +1222,415 @@ + + #endif /* OPENSSL_NO_AES */ + ++#ifndef OPENSSL_NO_SHA ++ ++// #define PADLOCK_SHA_STAT 1 ++ ++union sha_all_ctx { ++ SHA_CTX sha_ctx; ++ SHA256_CTX sha256_ctx; /* shared with SHA224 */ ++}; ++ ++typedef int (*f_sha_init)(void *c); ++typedef int (*f_sha_update)(void *c, const void *_data, size_t len); ++typedef int (*f_sha_final)(unsigned char *md, void *c); ++typedef void (*f_sha_padlock)(char *in, unsigned char *out, int count); ++ ++struct sha_digest_functions { ++ f_sha_init init; ++ f_sha_update update; ++ f_sha_final final; ++ f_sha_padlock padlock; ++}; ++ ++/* Don't forget to initialize all relevant ++ * fields in padlock_sha_init() or face the ++ * consequences!!! ++ * BTW We don't use bzero() on this structure ++ * because zeroing fallback_ctx is ++ * a waste of time. */ ++struct padlock_digest_data { ++ void *buf_start, *buf_alloc; ++ ssize_t used; ++ unsigned long order:8, bypass:1; ++ /* Fallback support */ ++ struct sha_digest_functions fallback_fcs; ++ union sha_all_ctx fallback_ctx; ++#ifdef PADLOCK_SHA_STAT ++ size_t stat_count, stat_total; ++#endif ++}; ++ ++#ifdef PADLOCK_SHA_STAT ++size_t all_count, all_total; ++#endif ++ ++#define DIGEST_DATA(ctx) ((struct padlock_digest_data *)(ctx->md_data)) ++#define DDATA_FREE(ddata) ((size_t)(1L << ddata->order) - ddata->used) ++ ++static void ++padlock_sha_bypass(struct padlock_digest_data *ddata) ++{ ++ if (ddata->bypass) ++ return; ++ ++ ddata->fallback_fcs.init(&ddata->fallback_ctx); ++ if (ddata->buf_start && ddata->used > 0) { ++ ddata->fallback_fcs.update(&ddata->fallback_ctx, ddata->buf_start, ddata->used); ++ if (ddata->buf_alloc) { ++ memset(ddata->buf_start, 0, ddata->used); ++ free(ddata->buf_alloc); ++ ddata->buf_alloc = 0; ++ } ++ } ++ ddata->buf_start = 0; ++ ddata->used = 0; ++ ddata->bypass = 1; ++ ++ return; ++} ++ ++static void ++padlock_do_sha1(char *in, char *out, int count) ++{ ++ /* We can't store directly to *out as it ++ * doesn't have to be aligned. But who cares, ++ * it's only a few bytes... */ ++ char buf[128+16]; ++ unsigned char *output = NEAREST_ALIGNED(buf); ++ ++ ((uint32_t*)output)[0] = 0x67452301; ++ ((uint32_t*)output)[1] = 0xEFCDAB89; ++ ((uint32_t*)output)[2] = 0x98BADCFE; ++ ((uint32_t*)output)[3] = 0x10325476; ++ ((uint32_t*)output)[4] = 0xC3D2E1F0; ++ ++ asm volatile (".byte 0xf3,0x0f,0xa6,0xc8" /* rep xsha1 */ ++ : "+S"(in), "+D"(output) ++ : "c"(count), "a"(0)); ++ ++ memcpy(out, output, 5 * sizeof(uint32_t)); ++ ++ padlock_htonl_block((uint32_t*)out, 5); ++} ++ ++static void ++padlock_do_sha224(char *in, char *out, int count) ++{ ++ /* We can't store directly to *out as it ++ * doesn't have to be aligned. But who cares, ++ * it's only a few bytes... */ ++ char buf[128+16]; ++ unsigned char *output = NEAREST_ALIGNED(buf); ++ ++ ((uint32_t*)output)[0] = 0xC1059ED8UL; ++ ((uint32_t*)output)[1] = 0x367CD507UL; ++ ((uint32_t*)output)[2] = 0x3070DD17UL; ++ ((uint32_t*)output)[3] = 0xF70E5939UL; ++ ((uint32_t*)output)[4] = 0xFFC00B31UL; ++ ((uint32_t*)output)[5] = 0x68581511UL; ++ ((uint32_t*)output)[6] = 0x64F98FA7UL; ++ ((uint32_t*)output)[7] = 0xBEFA4FA4UL; ++ ++ asm volatile (".byte 0xf3,0x0f,0xa6,0xd0" /* rep xsha256 */ ++ : "+S"(in), "+D"(output) ++ : "c"(count), "a"(0)); ++ ++ memcpy(out, output, 7 * sizeof(uint32_t)); ++ ++ padlock_htonl_block((uint32_t*)out, 7); ++} ++ ++static void ++padlock_do_sha256(char *in, char *out, int count) ++{ ++ /* We can't store directly to *out as it ++ * doesn't have to be aligned. But who cares, ++ * it's only a few bytes... */ ++ char buf[128+16]; ++ unsigned char *output = NEAREST_ALIGNED(buf); ++ ++ ((uint32_t*)output)[0] = 0x6A09E667; ++ ((uint32_t*)output)[1] = 0xBB67AE85; ++ ((uint32_t*)output)[2] = 0x3C6EF372; ++ ((uint32_t*)output)[3] = 0xA54FF53A; ++ ((uint32_t*)output)[4] = 0x510E527F; ++ ((uint32_t*)output)[5] = 0x9B05688C; ++ ((uint32_t*)output)[6] = 0x1F83D9AB; ++ ((uint32_t*)output)[7] = 0x5BE0CD19; ++ ++ asm volatile (".byte 0xf3,0x0f,0xa6,0xd0" /* rep xsha256 */ ++ : "+S"(in), "+D"(output) ++ : "c"(count), "a"(0)); ++ ++ memcpy(out, output, 8 * sizeof(uint32_t)); ++ ++ padlock_htonl_block((uint32_t*)out, 8); ++} ++ ++static int ++padlock_sha_init(EVP_MD_CTX *ctx) ++{ ++ struct padlock_digest_data *ddata = DIGEST_DATA(ctx); ++ ++ ddata->used = 0; ++ ddata->bypass = 0; ++ ++ ddata->order = PADLOCK_SHA_INIT_ORD; ++ ddata->buf_alloc = malloc((1L << ddata->order) + 16); ++ ddata->buf_start = NEAREST_ALIGNED(ddata->buf_alloc); ++ ++ return 1; ++} ++ ++static int ++padlock_sha1_init(EVP_MD_CTX *ctx) ++{ ++ struct padlock_digest_data *ddata = DIGEST_DATA(ctx); ++ ++ ddata->fallback_fcs.init = (f_sha_init)SHA1_Init; ++ ddata->fallback_fcs.update = (f_sha_update)SHA1_Update; ++ ddata->fallback_fcs.final = (f_sha_final)SHA1_Final; ++ ddata->fallback_fcs.padlock = (f_sha_padlock)padlock_do_sha1; ++ ++ return padlock_sha_init(ctx); ++} ++ ++static int ++padlock_sha224_init(EVP_MD_CTX *ctx) ++{ ++ struct padlock_digest_data *ddata = DIGEST_DATA(ctx); ++ ++ ddata->fallback_fcs.init = (f_sha_init)SHA224_Init; ++ ddata->fallback_fcs.update = (f_sha_update)SHA224_Update; ++ ddata->fallback_fcs.final = (f_sha_final)SHA224_Final; ++ ddata->fallback_fcs.padlock = (f_sha_padlock)padlock_do_sha224; ++ ++ return padlock_sha_init(ctx); ++} ++ ++static int ++padlock_sha256_init(EVP_MD_CTX *ctx) ++{ ++ struct padlock_digest_data *ddata = DIGEST_DATA(ctx); ++ ++ ddata->fallback_fcs.init = (f_sha_init)SHA256_Init; ++ ddata->fallback_fcs.update = (f_sha_update)SHA256_Update; ++ ddata->fallback_fcs.final = (f_sha_final)SHA256_Final; ++ ddata->fallback_fcs.padlock = (f_sha_padlock)padlock_do_sha256; ++ ++ return padlock_sha_init(ctx); ++} ++ ++static int ++padlock_sha_update(EVP_MD_CTX *ctx, const void *data, size_t length) ++{ ++ struct padlock_digest_data *ddata = DIGEST_DATA(ctx); ++ ++#ifdef PADLOCK_SHA_STAT ++ ddata->stat_count++; ++ ddata->stat_total += length; ++ all_count++; ++ all_total += length; ++#endif ++ if (unlikely(ddata->bypass)) { ++ ddata->fallback_fcs.update(&ddata->fallback_ctx, data, length); ++ return 1; ++ } ++ if (unlikely(DDATA_FREE(ddata) < length)) { ++ if (likely(ddata->used + length > (1 << PADLOCK_SHA_MAX_ORD))) { ++ /* Too much data to be stored -> bypass to SW SHA */ ++ padlock_sha_bypass(ddata); ++ ddata->fallback_fcs.update(&ddata->fallback_ctx, data, length); ++ return 1; ++ } else { ++ /* Resize the alocated buffer */ ++ char *new_buf; ++ size_t new_size; ++ ++ while ((1<<++ddata->order) < (ddata->used + length)); ++ new_size = (1<<ddata->order); ++ if(!(new_buf = realloc(ddata->buf_alloc, new_size + 16))) { ++ /* fallback plan again */ ++ padlock_sha_bypass(ddata); ++ ddata->fallback_fcs.update(&ddata->fallback_ctx, data, length); ++ return 1; ++ } ++ ddata->buf_alloc = new_buf; ++ ddata->buf_start = NEAREST_ALIGNED(new_buf); ++ } ++ } ++ ++ memcpy(ddata->buf_start + ddata->used, data, length); ++ ddata->used += length; ++ ++ return 1; ++} ++ ++static int ++padlock_sha_final(EVP_MD_CTX *ctx, unsigned char *md) ++{ ++ struct padlock_digest_data *ddata = DIGEST_DATA(ctx); ++ ++#ifdef PADLOCK_SHA_STAT ++ fprintf(stderr, "PadLock CTX: cnt=%zu, tot=%zu, avg=%zu\n", ++ ddata->stat_count, ddata->stat_total, ++ ddata->stat_count ? (ddata->stat_total/ddata->stat_count) : 0); ++ fprintf(stderr, "PadLock ALL: cnt=%zu, tot=%zu, avg=%zu\n", ++ all_count, all_total, all_count ? (all_total/all_count) : 0); ++#endif ++ ++ if (ddata->bypass) { ++ ddata->fallback_fcs.final(md, &ddata->fallback_ctx); ++ return 1; ++ } ++ ++ /* Pass the input buffer to PadLock microcode... */ ++ ddata->fallback_fcs.padlock(ddata->buf_start, md, ddata->used); ++ memset(ddata->buf_start, 0, ddata->used); ++ free(ddata->buf_alloc); ++ ddata->buf_start = 0; ++ ddata->buf_alloc = 0; ++ ddata->used = 0; ++ ++ return 1; ++} ++ ++static int ++padlock_sha_copy(EVP_MD_CTX *to,const EVP_MD_CTX *from) ++{ ++ struct padlock_digest_data *ddata_from = DIGEST_DATA(from); ++ struct padlock_digest_data *ddata_to = DIGEST_DATA(to); ++ ++ memcpy(ddata_to, ddata_from, sizeof(struct padlock_digest_data)); ++ if (ddata_from->buf_alloc) { ++ ddata_to->buf_alloc = malloc(1L << ddata_to->order); ++ if (!ddata_to->buf_start) { ++ fprintf(stderr, "%s(): malloc() failed\n", __func__); ++ exit(1); ++ } ++ ddata_to->buf_start = NEAREST_ALIGNED(ddata_to->buf_alloc); ++ memcpy(ddata_to->buf_start, ddata_from->buf_start, ddata_from->used); ++ } ++ return 1; ++} ++ ++static int ++padlock_sha_cleanup(EVP_MD_CTX *ctx) ++{ ++ struct padlock_digest_data *ddata = DIGEST_DATA(ctx); ++ ++ if (ddata->buf_alloc) { ++ memset(ddata->buf_start, 0, ddata->used); ++ free(ddata->buf_alloc); ++ } ++ ++ memset(ddata, 0, sizeof(struct padlock_digest_data)); ++ ++ return 1; ++} ++ ++static const EVP_MD padlock_sha1_md = { ++ NID_sha1, ++ NID_sha1WithRSAEncryption, ++ SHA_DIGEST_LENGTH, ++ 0, ++ padlock_sha1_init, ++ padlock_sha_update, ++ padlock_sha_final, ++ padlock_sha_copy, ++ padlock_sha_cleanup, ++ EVP_PKEY_RSA_method, ++ SHA_CBLOCK, ++ sizeof(struct padlock_digest_data), ++}; ++ ++static const EVP_MD padlock_sha224_md = { ++ NID_sha224, ++ NID_sha224WithRSAEncryption, ++ SHA224_DIGEST_LENGTH, ++ 0, ++ padlock_sha224_init, ++ padlock_sha_update, ++ padlock_sha_final, ++ padlock_sha_copy, ++ padlock_sha_cleanup, ++ EVP_PKEY_RSA_method, ++ SHA_CBLOCK, ++ sizeof(struct padlock_digest_data), ++}; ++ ++static const EVP_MD padlock_sha256_md = { ++ NID_sha256, ++ NID_sha256WithRSAEncryption, ++ SHA256_DIGEST_LENGTH, ++ 0, ++ padlock_sha256_init, ++ padlock_sha_update, ++ padlock_sha_final, ++ padlock_sha_copy, ++ padlock_sha_cleanup, ++ EVP_PKEY_RSA_method, ++ SHA_CBLOCK, ++ sizeof(struct padlock_digest_data), ++}; ++ ++static int padlock_digest_nids[] = { ++#if !defined(OPENSSL_NO_SHA) ++ NID_sha1, ++#endif ++#if !defined(OPENSSL_NO_SHA256) ++#if !defined(OPENSSL_NO_SHA224) ++ NID_sha224, ++#endif ++ NID_sha256, ++#endif ++}; ++ ++static int padlock_digest_nids_num = sizeof(padlock_digest_nids)/sizeof(padlock_digest_nids[0]); ++ ++static int ++padlock_digests (ENGINE *e, const EVP_MD **digest, const int **nids, int nid) ++{ ++ /* No specific digest => return a list of supported nids ... */ ++ if (!digest) { ++ *nids = padlock_digest_nids; ++ return padlock_digest_nids_num; ++ } ++ ++ /* ... or the requested "digest" otherwise */ ++ switch (nid) { ++#if !defined(OPENSSL_NO_SHA) ++ case NID_sha1: ++ *digest = &padlock_sha1_md; ++ break; ++#endif ++ ++ ++#if !defined(OPENSSL_NO_SHA256) ++#if !defined(OPENSSL_NO_SHA224) ++ case NID_sha224: ++ *digest = &padlock_sha224_md; ++ break; ++#endif /* OPENSSL_NO_SHA224 */ ++ ++ case NID_sha256: ++ *digest = &padlock_sha256_md; ++ break; ++#endif /* OPENSSL_NO_SHA256 */ ++ ++ default: ++ /* Sorry, we don't support this NID */ ++ *digest = NULL; ++ return 0; ++ } ++ ++ return 1; ++} ++ ++#endif /* OPENSSL_NO_SHA */ ++ ++#ifndef PADLOCK_NO_RNG + /* ===== Random Number Generator ===== */ + /* + * This code is not engaged. The reason is that it does not comply +@@ -1209,6 +1686,7 @@ + padlock_rand_bytes, /* pseudorand */ + padlock_rand_status, /* rand status */ + }; ++#endif /* PADLOCK_NO_RNG */ + + #endif /* COMPILE_HW_PADLOCK */ + diff -urpN openssl-0.9.8k/debian/patches/padlock-shared-makefiles.patch openssl-0.9.8k.via/debian/patches/padlock-shared-makefiles.patch --- openssl-0.9.8k/debian/patches/padlock-shared-makefiles.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssl-0.9.8k.via/debian/patches/padlock-shared-makefiles.patch 2009-12-18 12:40:41.922620761 +0100 @@ -0,0 +1,50 @@ +diff -ur openssl-0.9.8k.orig/crypto/engine/Makefile openssl-0.9.8k/crypto/engine/Makefile +--- openssl-0.9.8k.orig/crypto/engine/Makefile 2008-09-17 19:10:59.000000000 +0200 ++++ openssl-0.9.8k/crypto/engine/Makefile 2009-12-18 10:19:02.118624815 +0100 +@@ -21,12 +21,12 @@ + eng_table.c eng_pkey.c eng_fat.c eng_all.c \ + tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \ + tb_cipher.c tb_digest.c \ +- eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c ++ eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c + LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \ + eng_table.o eng_pkey.o eng_fat.o eng_all.o \ + tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \ + tb_cipher.o tb_digest.o \ +- eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o ++ eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o + + SRC= $(LIBSRC) + +diff -ur openssl-0.9.8k.orig/engines/Makefile openssl-0.9.8k/engines/Makefile +--- openssl-0.9.8k.orig/engines/Makefile 2009-12-18 10:09:24.650619741 +0100 ++++ openssl-0.9.8k/engines/Makefile 2009-12-18 10:21:02.199384424 +0100 +@@ -20,7 +20,7 @@ + APPS= + + LIB=$(TOP)/libcrypto.a +-LIBNAMES= 4758cca aep atalla cswift gmp chil nuron sureware ubsec capi ++LIBNAMES= 4758cca aep atalla cswift gmp chil nuron sureware ubsec capi padlock + + LIBSRC= e_4758cca.c \ + e_aep.c \ +@@ -31,7 +31,8 @@ + e_nuron.c \ + e_sureware.c \ + e_ubsec.c \ +- e_capi.c ++ e_capi.c \ ++ e_padlock.c + LIBOBJ= e_4758cca.o \ + e_aep.o \ + e_atalla.o \ +@@ -41,7 +42,8 @@ + e_nuron.o \ + e_sureware.o \ + e_ubsec.o \ +- e_capi.o ++ e_capi.o \ ++ e_padlock.o + + SRC= $(LIBSRC) + diff -urpN openssl-0.9.8k/debian/patches/padlock-shared.patch openssl-0.9.8k.via/debian/patches/padlock-shared.patch --- openssl-0.9.8k/debian/patches/padlock-shared.patch 1970-01-01 01:00:00.000000000 +0100 +++ openssl-0.9.8k.via/debian/patches/padlock-shared.patch 2009-12-18 12:40:41.926620005 +0100 @@ -0,0 +1,53 @@ +# PadLock engine is never compiled as a shared object although +# OpenSSL sometimes thinks so. This patch fixes the +# initialization sequence so that it works with static PadLock +# again. +# Taken from Fedora Core 5 + +Index: openssl/crypto/engine/eng_all.c +=================================================================== +--- openssl.orig/crypto/engine/eng_all.c ++++ openssl/crypto/engine/eng_all.c +@@ -68,9 +68,6 @@ void ENGINE_load_builtin_engines(void) + #if 0 + ENGINE_load_openssl(); + #endif +-#if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK) +- ENGINE_load_padlock(); +-#endif + ENGINE_load_dynamic(); + #ifndef OPENSSL_NO_STATIC_ENGINE + #ifndef OPENSSL_NO_HW +@@ -95,6 +98,9 @@ void ENGINE_load_builtin_engines(void) + #ifndef OPENSSL_NO_HW_UBSEC + ENGINE_load_ubsec(); + #endif ++#ifndef OPENSSL_NO_HW_PADLOCK ++ ENGINE_load_padlock(); ++#endif + #endif + #if defined(__OpenBSD__) || defined(__FreeBSD__) + ENGINE_load_cryptodev(); +diff -ur openssl-0.9.8k.via.orig/crypto/engine/eng_padlock.c openssl-0.9.8k.via/crypto/engine/eng_padlock.c +--- openssl-0.9.8k.via.orig/crypto/engine/eng_padlock.c 2009-12-18 12:33:37.538619954 +0100 ++++ openssl-0.9.8k.via/crypto/engine/eng_padlock.c 2009-12-18 12:35:46.743860803 +0100 +@@ -91,17 +91,8 @@ + #define OPENSSL_NO_SHA + #endif + +-/* Attempt to have a single source for both 0.9.7 and 0.9.8 :-) */ +-#if (OPENSSL_VERSION_NUMBER >= 0x00908000L) +-# ifndef OPENSSL_NO_DYNAMIC_ENGINE +-# define DYNAMIC_ENGINE +-# endif +-#elif (OPENSSL_VERSION_NUMBER >= 0x00907000L) +-# ifdef ENGINE_DYNAMIC_SUPPORT +-# define DYNAMIC_ENGINE +-# endif +-#else +-# error "Only OpenSSL >= 0.9.7 is supported" ++#ifndef OPENSSL_NO_DYNAMIC_ENGINE ++# define DYNAMIC_ENGINE + #endif + + /* VIA PadLock AES is available *ONLY* on some x86 CPUs. diff -urpN openssl-0.9.8k/debian/patches/series openssl-0.9.8k.via/debian/patches/series --- openssl-0.9.8k/debian/patches/series 2009-12-18 12:48:06.000000000 +0100 +++ openssl-0.9.8k.via/debian/patches/series 2009-12-18 12:40:41.926620005 +0100 @@ -26,3 +26,6 @@ CVE-2009-1387.patch CVE-2009-2409.patch no_check_self_signed.patch CVE-2009-3555.patch +padlock-sha.patch +padlock-shared-makefiles.patch +padlock-shared.patch diff -urpN openssl-0.9.8k/debian/rules openssl-0.9.8k.via/debian/rules --- openssl-0.9.8k/debian/rules 2009-12-18 12:48:06.000000000 +0100 +++ openssl-0.9.8k.via/debian/rules 2009-12-18 12:40:41.926620005 +0100 @@ -29,9 +29,11 @@ WANTED_LIBC_VERSION = 2.3.1-10 patch: patch-stamp patch-stamp: QUILT_PATCHES=debian/patches quilt push -a || test $$? = 2 + mv crypto/engine/eng_padlock.c engines/e_padlock.c touch patch-stamp unpatch: + mv engines/e_padlock.c crypto/engine/eng_padlock.c QUILT_PATCHES=debian/patches quilt pop -a || test $$? = 2 rm -rf patch-stamp debian/patched
r...@debian-amd64:~/openssl-shared# dpkg-source -x openssl_0.9.8k-7.dsc r...@debian-amd64:~/openssl-shared# cd openssl-0.9.8k/ r...@debian-amd64:~/openssl-shared/openssl-0.9.8k# patch -p1 < ../package-openssl_0.9.8k-7_full-padlock-support.diff r...@debian-amd64:~/openssl-shared/openssl-0.9.8k# dpkg-buildpackage -uc -us r...@debian-amd64:~/openssl-shared/openssl-0.9.8k# objdump -T engines/libpadlock.so engines/libpadlock.so: file format elf64-x86-64 DYNAMIC SYMBOL TABLE: 0000000000000510 l d .init 0000000000000000 .init 0000000000000000 w D *UND* 0000000000000000 __gmon_start__ 0000000000000000 w D *UND* 0000000000000000 _Jv_RegisterClasses 0000000000000000 w DF *UND* 0000000000000000 GLIBC_2.2.5 __cxa_finalize 0000000000000630 g DF .text 0000000000000002 OPENSSL_0.9.8 ENGINE_load_padlock 0000000000000000 g DO *ABS* 0000000000000000 OPENSSL_0.9.8 OPENSSL_0.9.8 0000000000200940 g D *ABS* 0000000000000000 OPENSSL_0.9.8 _end 0000000000200930 g D *ABS* 0000000000000000 OPENSSL_0.9.8 _edata 0000000000200930 g D *ABS* 0000000000000000 OPENSSL_0.9.8 __bss_start 0000000000000510 g DF .init 0000000000000000 OPENSSL_0.9.8 _init 0000000000000678 g DF .fini 0000000000000000 OPENSSL_0.9.8 _fini r...@debian-i386:~/openssl-shared# dpkg-source -x openssl_0.9.8k-7.dsc r...@debian-i386:~/openssl-shared# cd openssl-0.9.8k/ r...@debian-i386:~/openssl-shared/openssl-0.9.8k# patch -p1 < ../package-openssl_0.9.8k-7_full-padlock-support.diff r...@debian-i386:~/openssl-shared/openssl-0.9.8k# dpkg-buildpackage -uc -us r...@debian-i386:~/openssl-shared/openssl-0.9.8k# objdump -T engines/libpadlock.so engines/libpadlock.so: file format elf32-i386 DYNAMIC SYMBOL TABLE: 00000000 DF *UND* 00000000 OPENSSL_0.9.8 CRYPTO_set_ex_data_implementation 00000000 DF *UND* 00000000 OPENSSL_0.9.8 SHA224_Update 00000000 DF *UND* 00000000 OPENSSL_0.9.8 BIO_snprintf 00000000 DF *UND* 00000000 OPENSSL_0.9.8 SHA1_Init 00000000 DF *UND* 00000000 OPENSSL_0.9.8 SHA1_Final 00000000 DF *UND* 00000000 OPENSSL_0.9.8 ENGINE_set_ciphers 00000000 w D *UND* 00000000 __gmon_start__ 00000000 w D *UND* 00000000 _Jv_RegisterClasses 00000000 DF *UND* 00000000 GLIBC_2.0 realloc 00000000 DF *UND* 00000000 OPENSSL_0.9.8 ERR_set_implementation 00000000 DF *UND* 00000000 OPENSSL_0.9.8 CRYPTO_set_mem_functions 00000000 DF *UND* 00000000 OPENSSL_0.9.8 SHA256_Init 00000000 DF *UND* 00000000 OPENSSL_0.9.8 EVP_CIPHER_CTX_flags 00000000 DF *UND* 00000000 GLIBC_2.0 memset 00000000 DF *UND* 00000000 GLIBC_2.0 free 00000000 DF *UND* 00000000 OPENSSL_0.9.8 CRYPTO_set_dynlock_destroy_callback 00000000 DF *UND* 00000000 OPENSSL_0.9.8 ENGINE_set_id 00000000 DO *UND* 00000000 GLIBC_2.0 stderr 00000000 DF *UND* 00000000 GLIBC_2.0 memcpy 00000000 DF *UND* 00000000 OPENSSL_0.9.8 CRYPTO_set_dynlock_lock_callback 00000000 DF *UND* 00000000 OPENSSL_0.9.8 RSA_verify 00000000 DF *UND* 00000000 OPENSSL_0.9.8 SHA256_Update 00000000 DF *UND* 00000000 OPENSSL_0.9.8 CRYPTO_set_locking_callback 00000000 DF *UND* 00000000 OPENSSL_0.9.8 ENGINE_get_static_state 00000000 DF *UND* 00000000 OPENSSL_0.9.8 ENGINE_set_digests 00000000 DF *UND* 00000000 OPENSSL_0.9.8 AES_set_decrypt_key 00000000 DF *UND* 00000000 GLIBC_2.0 fprintf 00000000 DF *UND* 00000000 OPENSSL_0.9.8 EVP_CIPHER_set_asn1_iv 00000000 DF *UND* 00000000 GLIBC_2.0 malloc 00000000 DF *UND* 00000000 OPENSSL_0.9.8 CRYPTO_set_dynlock_create_callback 00000000 DF *UND* 00000000 OPENSSL_0.9.8 ERR_clear_error 00000000 DF *UND* 00000000 OPENSSL_0.9.8 SHA224_Final 00000000 DF *UND* 00000000 OPENSSL_0.9.8 ENGINE_free 00000000 DF *UND* 00000000 OPENSSL_0.9.8 ENGINE_new 00000000 DF *UND* 00000000 OPENSSL_0.9.8 EVP_CIPHER_CTX_key_length 00000000 DF *UND* 00000000 OPENSSL_0.9.8 SHA224_Init 00000000 DF *UND* 00000000 OPENSSL_0.9.8 AES_set_encrypt_key 00000000 DF *UND* 00000000 OPENSSL_0.9.8 ENGINE_add 00000000 DF *UND* 00000000 OPENSSL_0.9.8 ENGINE_set_init_function 00000000 DF *UND* 00000000 OPENSSL_0.9.8 SHA256_Final 00000000 DF *UND* 00000000 GLIBC_2.0 strcmp 00000000 w DF *UND* 00000000 GLIBC_2.1.3 __cxa_finalize 00000000 DF *UND* 00000000 GLIBC_2.0 exit 00000000 DF *UND* 00000000 OPENSSL_0.9.8 ENGINE_set_name 00000000 DF *UND* 00000000 OPENSSL_0.9.8 CRYPTO_set_add_lock_callback 00000000 DF *UND* 00000000 OPENSSL_0.9.8 SHA1_Update 00000000 DF *UND* 00000000 OPENSSL_0.9.8 EVP_CIPHER_get_asn1_iv 00000000 DF *UND* 00000000 OPENSSL_0.9.8 RSA_sign 00002c00 g DF .text 00000062 OPENSSL_0.9.8 ENGINE_load_padlock 00003728 g DO .bss 00000004 OPENSSL_0.9.8 padlock_flags 00000000 g DO *ABS* 00000000 OPENSSL_0.9.8 OPENSSL_0.9.8 0000372c g D *ABS* 00000000 OPENSSL_0.9.8 _end 00003690 g D *ABS* 00000000 OPENSSL_0.9.8 _edata 00001240 g DF .text 00000015 OPENSSL_0.9.8 v_check 00003690 g D *ABS* 00000000 OPENSSL_0.9.8 __bss_start 00000f04 g DF .init 00000000 OPENSSL_0.9.8 _init 00002da8 g DF .fini 00000000 OPENSSL_0.9.8 _fini 000016b0 g DF .text 000000e3 OPENSSL_0.9.8 bind_engine
signature.asc
Description: This is a digitally signed message part.
