[openssl-commits] [openssl] master update
The branch master has been updated via 9986bfefa420f0db920768453bef0b40507db595 (commit) from 03ad7c009e16a233c733098db3169c560142ccd3 (commit) - Log - commit 9986bfefa420f0db920768453bef0b40507db595 Author: Andy Polyakov Date: Sat Sep 22 14:39:51 2018 +0200 sha/asm/keccak1600-armv8.pl: halve the size of hw-assisted subroutine. Yes, it's second halving, i.e. it's now 1/4 of original size, or more specifically inner loop. The challenge with Keccak is that you need more temporary registers than there are available. By reversing the order in which columns are assigned in Chi, it's possible to use three of A[][] registers as temporary prior their assigment. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7294) --- Summary of changes: crypto/sha/asm/keccak1600-armv8.pl | 146 ++--- 1 file changed, 69 insertions(+), 77 deletions(-) diff --git a/crypto/sha/asm/keccak1600-armv8.pl b/crypto/sha/asm/keccak1600-armv8.pl index 704ab4a..e4e94bc 100755 --- a/crypto/sha/asm/keccak1600-armv8.pl +++ b/crypto/sha/asm/keccak1600-armv8.pl 
@@ -533,30 +533,28 @@ my @A = map([ "v".$_.".16b", "v".($_+1).".16b", "v".($_+2).".16b", (0, 5, 10, 15, 20)); my @C = map("v$_.16b", (25..31)); +my @D = @C[4,5,6,2,3]; $code.=<<___; .type KeccakF1600_ce,%function .align 5 KeccakF1600_ce: - mov x9,#12 + mov x9,#24 adr x10,iotas b .Loop_ce .align 4 .Loop_ce: -___ -for($i=0; $i<2; $i++) { -$code.=<<___; // Theta - eor3$C[0],$A[0][0],$A[1][0],$A[2][0] - eor3$C[1],$A[0][1],$A[1][1],$A[2][1] - eor3$C[2],$A[0][2],$A[1][2],$A[2][2] - eor3$C[3],$A[0][3],$A[1][3],$A[2][3] - eor3$C[4],$A[0][4],$A[1][4],$A[2][4] - eor3$C[0],$C[0], $A[3][0],$A[4][0] - eor3$C[1],$C[1], $A[3][1],$A[4][1] - eor3$C[2],$C[2], $A[3][2],$A[4][2] - eor3$C[3],$C[3], $A[3][3],$A[4][3] - eor3$C[4],$C[4], $A[3][4],$A[4][4] + eor3$C[0],$A[4][0],$A[3][0],$A[2][0] + eor3$C[1],$A[4][1],$A[3][1],$A[2][1] + eor3$C[2],$A[4][2],$A[3][2],$A[2][2] + eor3$C[3],$A[4][3],$A[3][3],$A[2][3] + eor3$C[4],$A[4][4],$A[3][4],$A[2][4] + eor3$C[0],$C[0], $A[1][0],$A[0][0] + eor3$C[1],$C[1], $A[1][1],$A[0][1] + eor3$C[2],$C[2], $A[1][2],$A[0][2] + eor3$C[3],$C[3], $A[1][3],$A[0][3] + eor3$C[4],$C[4], $A[1][4],$A[0][4] rax1$C[5],$C[0],$C[2] // D[1] rax1$C[6],$C[1],$C[3] // D[2] 
@@ -565,81 +563,75 @@ $code.=<<___; rax1$C[4],$C[4],$C[1] // D[0] // Theta+Rho+Pi - xar $C[0], $A[1][1],$C[5],#64-$rhotates[1][1] // C[0]=A[0][1] - xar $A[1][1],$A[1][4],$C[3],#64-$rhotates[1][4] - xar $A[1][4],$A[4][2],$C[6],#64-$rhotates[4][2] - xar $A[4][2],$A[2][4],$C[3],#64-$rhotates[2][4] - xar $A[2][4],$A[4][0],$C[4],#64-$rhotates[4][0] + xar $C[0], $A[0][1],$D[1],#64-$rhotates[0][1] // C[0]=A[2][0] - xar $A[4][0],$A[0][2],$C[6],#64-$rhotates[0][2] + xar $A[0][1],$A[1][1],$D[1],#64-$rhotates[1][1] + xar $A[1][1],$A[1][4],$D[4],#64-$rhotates[1][4] + xar $A[1][4],$A[4][2],$D[2],#64-$rhotates[4][2] + xar $A[4][2],$A[2][4],$D[4],#64-$rhotates[2][4] + xar $A[2][4],$A[4][0],$D[0],#64-$rhotates[4][0] - xar $A[0][2],$A[2][2],$C[6],#64-$rhotates[2][2] - xar $A[2][2],$A[2][3],$C[2],#64-$rhotates[2][3] - xar $A[2][3],$A[3][4],$C[3],#64-$rhotates[3][4] - xar $A[3][4],$A[4][3],$C[2],#64-$rhotates[4][3] - xar $A[4][3],$A[3][0],$C[4],#64-$rhotates[3][0] + xar $C[1], $A[0][2],$D[2],#64-$rhotates[0][2] // C[1]=A[4][0] - xar $A[3][0],$A[0][4],$C[3],#64-$rhotates[0][4] + xar $A[0][2],$A[2][2],$D[2],#64-$rhotates[2][2] + xar $A[2][2],$A[2][3],$D[3],#64-$rhotates[2][3] + xar $A[2][3],$A[3][4],$D[4],#64-$rhotates[3][4] + xar $A[3][4],$A[4][3],$D[3],#64-$rhotates[4][3] + xar $A[4][3],$A[3][0],$D[0],#64-$rhotates[3][0] - eor $A[0][0],$A[0][0],$C[4] - ldr x11,[x10],#8 + xar $A[3][0],$A[0][4],$D[4],#64-$rhotates[0][4] - xar $C[1], $A[3][3],$C[2],#64-$rhotates[3][3] // C[1]=A[0][3] - xar $A[3][3],$A[3][2],$C[6],#64-$rhotates[3][2] - xar $A[3][2],$A[2][1],$C[5],#64-$rhotates[2][1
[openssl-commits] [openssl] master update
The branch master has been updated via 03ad7c009e16a233c733098db3169c560142ccd3 (commit) from 9d71a24ebf57e7157888af1ca587eafe914bf96f (commit) - Log - commit 03ad7c009e16a233c733098db3169c560142ccd3 Author: Andy Polyakov Date: Sun Oct 14 15:19:41 2018 +0200 Configurations/15-android.conf: add support for "standalone toolchain". Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7400) --- Summary of changes: Configurations/15-android.conf | 41 +++-- NOTES.ANDROID | 18 +- 2 files changed, 44 insertions(+), 15 deletions(-)
diff --git a/Configurations/15-android.conf b/Configurations/15-android.conf
index d3b428b..a6b0d7a 100644
--- a/Configurations/15-android.conf
+++ b/Configurations/15-android.conf
@@ -24,7 +24,12 @@
 my $ndk = $ENV{ANDROID_NDK};
 die "\$ANDROID_NDK is not defined" if (!$ndk);
-die "\$ANDROID_NDK=$ndk is invalid" if (!-d "$ndk/platforms");
+if (!-d "$ndk/platforms" && !-f "$ndk/AndroidVersion.txt") {
+# $ndk/platforms is traditional "all-inclusive" NDK, while
+# $ndk/AndroidVersion.txt is so-called standalone toolchain
+# tailored for specific target down to API level.
+die "\$ANDROID_NDK=$ndk is invalid";
+}
 $ndk = canonpath($ndk);
 my $ndkver = undef;
@@ -40,10 +45,18 @@
 close $fh;
 }
-my $sysroot;
+my ($sysroot, $api, $arch);
+
+$config{target} =~ m|[^-]+-([^-]+)$|; # split on dash
+$arch = $1;
-if (!($sysroot = $ENV{CROSS_SYSROOT})) {
-my $api = "*";
+if ($sysroot = $ENV{CROSS_SYSROOT}) {
+$sysroot =~ m|/android-([0-9]+)/arch-(\w+)/?$|;
+($api, $arch) = ($1, $2);
+} elsif (-f "$ndk/AndroidVersion.txt") {
+$sysroot = "$ndk/sysroot";
+} else {
+$api = "*";
 # see if user passed -D__ANDROID_API__=N
 foreach (@{$useradd{CPPDEFINES}}, @{$user{CPPFLAGS}}) {
@@ -59,19 +72,15 @@
 } glob("$ndk/platforms/android-$api");
 die "no $ndk/platforms/android-$api" if ($#platforms < 0);
-$config{target} =~ m|[^-]+-([^-]+)$|; # split on dash
-$sysroot = "@platforms[$#platforms]/arch-$1";
+$sysroot = "@platforms[$#platforms]/arch-$arch";
 }
 die "no sysroot=$sysroot" if (!-d $sysroot);
-$sysroot =~ m|/android-([0-9]+)/arch-(\w+)/?$|;
-my ($api, $arch) = ($1, $2);
-
 my $triarch = $triplet{$arch};
 my $cflags;
 my $cppflags;
-# see if there is NDK clang on $PATH
+# see if there is NDK clang on $PATH, "universal" or "standalone"
 if (which("clang") =~ m|^$ndk/.*/prebuilt/([^/]+)/|) {
 my $host=$1;
 # harmonize with gcc default
@@ -83,6 +92,18 @@
 . "/$tritools-4.9/prebuilt/$host";
 $user{CC} = "clang" if ($user{CC} !~ m|clang|);
 $user{CROSS_COMPILE} = undef;
+} elsif (-f "$ndk/AndroidVersion.txt") {#"standalone toolchain"
+my $cc = $user{CC} // "clang";
+# One can probably argue that both clang and gcc should be
+# probed, but support for "standalone toolchain" was added
+# *after* announcement that gcc is being phased out, so
+# favouring clang is considered adequate. Those who insist
+# have option to enforce test for gcc with CC=gcc.
+if (which("$triarch-$cc") !~ m|^$ndk|) {
+die "no NDK $triarch-$cc on \$PATH";
+}
+$user{CC} = $cc;
+$user{CROSS_COMPILE} = "$triarch-";
 } elsif ($user{CC} eq "clang") {
 die "no NDK clang on \$PATH";
 } else {
diff --git a/NOTES.ANDROID b/NOTES.ANDROID
index d13f47d..bbbd8e4 100644
--- a/NOTES.ANDROID
+++ b/NOTES.ANDROID
@@ -24,16 +24,18 @@
 in order to invoke $(CROSS_COMPILE)gcc and company. (Configure will fail and give you a hint if you get it wrong.) Apart from PATH adjustment you need to set ANDROID_NDK environment to point at N
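Review bot: `my $triarch = $triplet{$arch};` in the `@@ -59,19 +72,15 @@` hunk now trusts whatever the previous hunk left in `$arch`, and the `CROSS_SYSROOT` branch there assigns `($api, $arch) = ($1, $2)` right after an unchecked `m|/android-([0-9]+)/arch-(\w+)/?$|` — when that match fails, `$1` still holds the arch captured from `$config{target}` and `$2` is undef, so `$api` silently becomes the arch name and `$triarch` becomes undef, surfacing later as a confusing "no NDK -clang" style failure instead of a configuration error. A guard before the lookup, `die "unexpected CROSS_SYSROOT=$sysroot" if !defined $arch || !exists $triplet{$arch};`, would make the failure explicit. In the `@@ -83,6 +92,18 @@` hunk, `which("$triarch-$cc") !~ m|^$ndk|` interpolates the user-supplied NDK path as a regex, so a path containing `.`, `+` or `(` is mis-matched; `m|^\Q$ndk\E|` anchors on the literal path (the pre-existing `m|^$ndk/.*/prebuilt/...|` test has the same weakness). The `if`/`elsif` chain continues outside the hunk, and the 1.1.1-stable cherry-pick of this commit carries the identical lines.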
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via a66c361a773e697b5c6bb805ae37d2c4c8d32cb1 (commit) from fc762e7d5c21b534af967f4308b2b9597fe76d7f (commit) - Log - commit a66c361a773e697b5c6bb805ae37d2c4c8d32cb1 Author: Andy Polyakov Date: Sun Oct 14 15:19:41 2018 +0200 Configurations/15-android.conf: add support for "standalone toolchain". Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7400) (cherry picked from commit 03ad7c009e16a233c733098db3169c560142ccd3) --- Summary of changes: Configurations/15-android.conf | 41 +++-- NOTES.ANDROID | 18 +- 2 files changed, 44 insertions(+), 15 deletions(-)
diff --git a/Configurations/15-android.conf b/Configurations/15-android.conf
index d3b428b..a6b0d7a 100644
--- a/Configurations/15-android.conf
+++ b/Configurations/15-android.conf
@@ -24,7 +24,12 @@
 my $ndk = $ENV{ANDROID_NDK};
 die "\$ANDROID_NDK is not defined" if (!$ndk);
-die "\$ANDROID_NDK=$ndk is invalid" if (!-d "$ndk/platforms");
+if (!-d "$ndk/platforms" && !-f "$ndk/AndroidVersion.txt") {
+# $ndk/platforms is traditional "all-inclusive" NDK, while
+# $ndk/AndroidVersion.txt is so-called standalone toolchain
+# tailored for specific target down to API level.
+die "\$ANDROID_NDK=$ndk is invalid";
+}
 $ndk = canonpath($ndk);
 my $ndkver = undef;
@@ -40,10 +45,18 @@
 close $fh;
 }
-my $sysroot;
+my ($sysroot, $api, $arch);
+
+$config{target} =~ m|[^-]+-([^-]+)$|; # split on dash
+$arch = $1;
-if (!($sysroot = $ENV{CROSS_SYSROOT})) {
-my $api = "*";
+if ($sysroot = $ENV{CROSS_SYSROOT}) {
+$sysroot =~ m|/android-([0-9]+)/arch-(\w+)/?$|;
+($api, $arch) = ($1, $2);
+} elsif (-f "$ndk/AndroidVersion.txt") {
+$sysroot = "$ndk/sysroot";
+} else {
+$api = "*";
 # see if user passed -D__ANDROID_API__=N
 foreach (@{$useradd{CPPDEFINES}}, @{$user{CPPFLAGS}}) {
@@ -59,19 +72,15 @@
 } glob("$ndk/platforms/android-$api");
 die "no $ndk/platforms/android-$api" if ($#platforms < 0);
-$config{target} =~ m|[^-]+-([^-]+)$|; # split on dash
-$sysroot = "@platforms[$#platforms]/arch-$1";
+$sysroot = "@platforms[$#platforms]/arch-$arch";
 }
 die "no sysroot=$sysroot" if (!-d $sysroot);
-$sysroot =~ m|/android-([0-9]+)/arch-(\w+)/?$|;
-my ($api, $arch) = ($1, $2);
-
 my $triarch = $triplet{$arch};
 my $cflags;
 my $cppflags;
-# see if there is NDK clang on $PATH
+# see if there is NDK clang on $PATH, "universal" or "standalone"
 if (which("clang") =~ m|^$ndk/.*/prebuilt/([^/]+)/|) {
 my $host=$1;
 # harmonize with gcc default
@@ -83,6 +92,18 @@
 . "/$tritools-4.9/prebuilt/$host";
 $user{CC} = "clang" if ($user{CC} !~ m|clang|);
 $user{CROSS_COMPILE} = undef;
+} elsif (-f "$ndk/AndroidVersion.txt") {#"standalone toolchain"
+my $cc = $user{CC} // "clang";
+# One can probably argue that both clang and gcc should be
+# probed, but support for "standalone toolchain" was added
+# *after* announcement that gcc is being phased out, so
+# favouring clang is considered adequate. Those who insist
+# have option to enforce test for gcc with CC=gcc.
+if (which("$triarch-$cc") !~ m|^$ndk|) {
+die "no NDK $triarch-$cc on \$PATH";
+}
+$user{CC} = $cc;
+$user{CROSS_COMPILE} = "$triarch-";
 } elsif ($user{CC} eq "clang") {
 die "no NDK clang on \$PATH";
 } else {
diff --git a/NOTES.ANDROID b/NOTES.ANDROID
index d13f47d..bbbd8e4 100644
--- a/NOTES.ANDROID
+++ b/NOTES.ANDROID
@@ -24,16 +24,18 @@
 in order to invoke $(CROSS_COMPILE)gcc and company. (Configure will fail and give you a hint if you get it wro
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via f2828a14fbe2ce56b5090f45b2a9a6e749d33b22 (commit) from d46f9173bbd62ffa7ae0b20bf05c600e14722cc6 (commit) - Log - commit f2828a14fbe2ce56b5090f45b2a9a6e749d33b22 Author: Andy Polyakov Date: Wed Oct 17 10:09:33 2018 +0200 arch/async_posix.h: improve portability. {make|swap|get|set}context are removed in POSIX.1-2008, but glibc apparently keeps providing it. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7420) (cherry picked from commit 9d71a24ebf57e7157888af1ca587eafe914bf96f) --- Summary of changes: crypto/async/arch/async_posix.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/async/arch/async_posix.h b/crypto/async/arch/async_posix.h
index 76937a9..939b4ab 100644
--- a/crypto/async/arch/async_posix.h
+++ b/crypto/async/arch/async_posix.h
@@ -17,7 +17,8 @@
 # include
-# if _POSIX_VERSION >= 200112L
+# if _POSIX_VERSION >= 200112L \
+ && (_POSIX_VERSION < 200809L || defined(__GLIBC__))
 # include
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via fc762e7d5c21b534af967f4308b2b9597fe76d7f (commit) from aa519853be79ae92e6aa8ec34de5d1803d721b00 (commit) - Log - commit fc762e7d5c21b534af967f4308b2b9597fe76d7f Author: Andy Polyakov Date: Wed Oct 17 10:09:33 2018 +0200 arch/async_posix.h: improve portability. {make|swap|get|set}context are removed in POSIX.1-2008, but glibc apparently keeps providing it. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7420) (cherry picked from commit 9d71a24ebf57e7157888af1ca587eafe914bf96f) --- Summary of changes: crypto/async/arch/async_posix.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/async/arch/async_posix.h b/crypto/async/arch/async_posix.h
index b07c2cb..62449fe 100644
--- a/crypto/async/arch/async_posix.h
+++ b/crypto/async/arch/async_posix.h
@@ -17,7 +17,8 @@
 # include
-# if _POSIX_VERSION >= 200112L
+# if _POSIX_VERSION >= 200112L \
+ && (_POSIX_VERSION < 200809L || defined(__GLIBC__))
 # include
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 9d71a24ebf57e7157888af1ca587eafe914bf96f (commit) from cb8164b05e3bad5586c2a109bbdbab1ad65a1a6f (commit) - Log - commit 9d71a24ebf57e7157888af1ca587eafe914bf96f Author: Andy Polyakov Date: Wed Oct 17 10:09:33 2018 +0200 arch/async_posix.h: improve portability. {make|swap|get|set}context are removed in POSIX.1-2008, but glibc apparently keeps providing it. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7420) --- Summary of changes: crypto/async/arch/async_posix.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/async/arch/async_posix.h b/crypto/async/arch/async_posix.h
index b07c2cb..62449fe 100644
--- a/crypto/async/arch/async_posix.h
+++ b/crypto/async/arch/async_posix.h
@@ -17,7 +17,8 @@
 # include
-# if _POSIX_VERSION >= 200112L
+# if _POSIX_VERSION >= 200112L \
+ && (_POSIX_VERSION < 200809L || defined(__GLIBC__))
 # include
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via d68af00685c4a76e9545882e350717ae5e4071df (commit) via f39ad8dcaa75293968d2633d043de3f5fce4f37b (commit) from 9453b196343db579c590130adc63d35d2ff87188 (commit) - Log - commit d68af00685c4a76e9545882e350717ae5e4071df Author: Patrick Steuer Date: Tue Jan 31 12:43:35 2017 +0100 s390x assembly pack: add OPENSSL_s390xcap man page. Signed-off-by: Patrick Steuer Reviewed-by: Andy Polyakov Reviewed-by: Rich Salz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6813) commit f39ad8dcaa75293968d2633d043de3f5fce4f37b Author: Patrick Steuer Date: Mon Jan 30 17:37:54 2017 +0100 s390x assembly pack: add OPENSSL_s390xcap environment variable. The OPENSSL_s390xcap environment variable is used to set bits in the s390x capability vector to zero. This simplifies testing of different code paths. Signed-off-by: Patrick Steuer Reviewed-by: Andy Polyakov Reviewed-by: Rich Salz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6813) --- Summary of changes: crypto/s390x_arch.h | 23 +- crypto/s390xcap.c | 515 ++ crypto/s390xcpuid.pl | 31 ++- doc/man3/OPENSSL_s390xcap.pod | 173 ++ util/private.num | 1 + 5 files changed, 730 insertions(+), 13 deletions(-) create mode 100644 doc/man3/OPENSSL_s390xcap.pod diff --git a/crypto/s390x_arch.h b/crypto/s390x_arch.h index 4a775a9..3bed655 100644 --- a/crypto/s390x_arch.h +++ b/crypto/s390x_arch.h @@ -49,6 +49,9 @@ struct OPENSSL_s390xcap_st { extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; +/* Max number of 64-bit words currently returned by STFLE */ +# define S390X_STFLE_MAX 3 + /* convert facility bit number or function code to bit mask */ # define S390X_CAPBIT(i) (1ULL << (63 - (i) % 64)) 
@@ -68,9 +71,15 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; # define S390X_KMA 0xb0 /* Facility Bit Numbers */ -# define S390X_VX 129 -# define S390X_VXD 134 -# define S390X_VXE 135 +# define S390X_MSA 17 /* message-security-assist */ +# define S390X_STCKF 25 /* store-clock-fast */ +# define S390X_MSA557 /* message-security-assist-ext. 5 */ +# define S390X_MSA376 /* message-security-assist-ext. 3 */ +# define S390X_MSA477 /* message-security-assist-ext. 4 */ +# define S390X_VX 129 /* vector */ +# define S390X_VXD 134 /* vector packed decimal */ +# define S390X_VXE 135 /* vector enhancements 1 */ +# define S390X_MSA8146 /* message-security-assist-ext. 8 */ /* Function Codes */ @@ -78,6 +87,9 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; # define S390X_QUERY 0 /* kimd/klmd */ +# define S390X_SHA_1 1 +# define S390X_SHA_256 2 +# define S390X_SHA_512 3 # define S390X_SHA3_22432 # define S390X_SHA3_25633 # define S390X_SHA3_38434 @@ -91,7 +103,12 @@ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P; # define S390X_AES_192 19 # define S390X_AES_256 20 +/* km */ +# define S390X_XTS_AES_128 50 +# define S390X_XTS_AES_256 52 + /* prno */ +# define S390X_SHA_512_DRNG3 # define S390X_TRNG114 /* Register 0 Flags */ diff --git a/crypto/s390xcap.c b/crypto/s390xcap.c index e7c7f0a..881613a 100644 --- a/crypto/s390xcap.c +++ b/crypto/s390xcap.c @@ -13,15 +13,51 @@ #include #include #include "internal/cryptlib.h" +#include "internal/ctype.h" #include "s390x_arch.h" +#define LEN128 +#define STR_(S)#S +#define STR(S) STR_(S) + +#define TOK_FUNC(NAME) \ +(sscanf(tok_begin, \ +" " STR(NAME) " : %" STR(LEN) "[^:] : "\ +"%" STR(LEN) "s %" STR(LEN) "s ", \ +tok[0], tok[1], tok[2]) == 2) {\ + \ +off = (tok[0][0] == '~') ? 1 : 0; \ +if (sscanf(tok[0] + off, "%llx", >NAME[0]) != 1) \ +goto ret; \ +if (off) \ +cap->NAME[0] = ~cap->NAME[0]; \
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via a76a41655e57b72b30a373aae6e75afedf920076 (commit) from 77078e6bbfa686dba00cf379f0c96bd2833133a6 (commit) - Log - commit a76a41655e57b72b30a373aae6e75afedf920076 Author: Andy Polyakov Date: Fri Oct 12 22:17:51 2018 +0200 ssl/s3_enc.c: fix logical errors in ssl3_final_finish_mac. (back-port of commit 7d0effeacbb50b12bfc24df7614d7cf5c8686f51) Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/7392) --- Summary of changes: ssl/s3_enc.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index e08857d..89b7739 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -404,13 +404,14 @@ int ssl3_final_finish_mac(SSL *s, const char *sender, int len, unsigned char *p)
 }
 if (!EVP_MD_CTX_copy_ex(ctx, s->s3->handshake_dgst)) {
 SSLerr(SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_INTERNAL_ERROR);
-return 0;
+ret = 0;
+goto err;
 }
 ret = EVP_MD_CTX_size(ctx);
 if (ret < 0) {
-EVP_MD_CTX_reset(ctx);
-return 0;
+ret = 0;
+goto err;
 }
 if ((sender != NULL && EVP_DigestUpdate(ctx, sender, len) <= 0)
@@ -422,6 +423,7 @@ int ssl3_final_finish_mac(SSL *s, const char *sender, int len, unsigned char *p)
 ret = 0;
 }
+ err:
 EVP_MD_CTX_free(ctx);
 return ret;
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via b1016c96dbb7a8d9b724f34656e0b2aae9e54cfe (commit) from 6be3286fee187edb3c133910c6ec27d21a75976b (commit) - Log - commit b1016c96dbb7a8d9b724f34656e0b2aae9e54cfe Author: Andy Polyakov Date: Wed Sep 5 14:33:21 2018 +0200 rsa/rsa_ossl.c: fix and extend commentary [skip ci]. Reviewed-by: Richard Levitte Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/7123) (cherry picked from commit d1c008f66bad435b18aa45aa59f72bed7c682849) --- Summary of changes: crypto/rsa/rsa_eay.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index 1bb121f..be948a4 100644
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -783,10 +783,11 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 */
 || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p)
-/* r0 = r0 * iqmp mod p */
+/* r1 = r1 * iqmp mod p */
 || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
 || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p, ctx)
+/* r0 = r1 * q + m1 */
 || !bn_mul_fixed_top(r0, r1, rsa->q, ctx)
 || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n))
 goto err;
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via f7cbb8a4c222807be19994167890e66630a70101 (commit) from d39b27749f7402127a0be1e8dfffd710db52bde6 (commit) - Log - commit f7cbb8a4c222807be19994167890e66630a70101 Author: Andy Polyakov Date: Wed Sep 5 14:33:21 2018 +0200 rsa/rsa_ossl.c: fix and extend commentary [skip ci]. Reviewed-by: Richard Levitte Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/7123) (cherry picked from commit d1c008f66bad435b18aa45aa59f72bed7c682849) --- Summary of changes: crypto/rsa/rsa_ossl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
index 5703411..23f948f 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c
@@ -655,10 +655,11 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 */
 || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p)
-/* r0 = r0 * iqmp mod p */
+/* r1 = r1 * iqmp mod p */
 || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
 || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p, ctx)
+/* r0 = r1 * q + m1 */
 || !bn_mul_fixed_top(r0, r1, rsa->q, ctx)
 || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n))
 goto err;
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via a9e4192e711de0018664346ccd33a9bbb0637572 (commit) from 7055086185dba1c509887cdaacdc6cd59a8dd9ea (commit) - Log - commit a9e4192e711de0018664346ccd33a9bbb0637572 Author: Andy Polyakov Date: Wed Sep 5 14:33:21 2018 +0200 rsa/rsa_ossl.c: fix and extend commentary [skip ci]. Reviewed-by: Richard Levitte Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/7123) (cherry picked from commit d1c008f66bad435b18aa45aa59f72bed7c682849) --- Summary of changes: crypto/rsa/rsa_ossl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
index d581777..2b1b006 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c
@@ -680,10 +680,11 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 */
 || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p)
-/* r0 = r0 * iqmp mod p */
+/* r1 = r1 * iqmp mod p */
 || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
 || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p, ctx)
+/* r0 = r1 * q + m1 */
 || !bn_mul_fixed_top(r0, r1, rsa->q, ctx)
 || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n))
 goto err;
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via d1c008f66bad435b18aa45aa59f72bed7c682849 (commit) from 7d0effeacbb50b12bfc24df7614d7cf5c8686f51 (commit) - Log - commit d1c008f66bad435b18aa45aa59f72bed7c682849 Author: Andy Polyakov Date: Wed Sep 5 14:33:21 2018 +0200 rsa/rsa_ossl.c: fix and extend commentary [skip ci]. Reviewed-by: Richard Levitte Reviewed-by: Nicola Tuveri (Merged from https://github.com/openssl/openssl/pull/7123) --- Summary of changes: crypto/rsa/rsa_ossl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
index d581777..2b1b006 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c
@@ -680,10 +680,11 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 */
 || !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p)
-/* r0 = r0 * iqmp mod p */
+/* r1 = r1 * iqmp mod p */
 || !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
 || !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p, ctx)
+/* r0 = r1 * q + m1 */
 || !bn_mul_fixed_top(r0, r1, rsa->q, ctx)
 || !bn_mod_add_fixed_top(r0, r0, m1, rsa->n))
 goto err;
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 7d0effeacbb50b12bfc24df7614d7cf5c8686f51 (commit) from fc97c882f443060dffd8eb56a6b8784e52096c86 (commit) - Log - commit 7d0effeacbb50b12bfc24df7614d7cf5c8686f51 Author: Andy Polyakov Date: Sun Sep 2 13:07:58 2018 +0200 ssl/s3_enc.c: fix logical errors in ssl3_final_finish_mac. Reviewed-by: Tim Hudson Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/7085) --- Summary of changes: ssl/s3_enc.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 5f40381..fca84ef 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -442,15 +442,16 @@ size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t len,
 if (!EVP_MD_CTX_copy_ex(ctx, s->s3->handshake_dgst)) {
 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_INTERNAL_ERROR);
-return 0;
+ret = 0;
+goto err;
 }
 ret = EVP_MD_CTX_size(ctx);
 if (ret < 0) {
 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_INTERNAL_ERROR);
-EVP_MD_CTX_reset(ctx);
-return 0;
+ret = 0;
+goto err;
 }
 if ((sender != NULL && EVP_DigestUpdate(ctx, sender, len) <= 0)
@@ -463,6 +464,7 @@ size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t len,
 ret = 0;
 }
+ err:
 EVP_MD_CTX_free(ctx);
 return ret;
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
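Review bot: In the `@@ -442,15 +442,16 @@` hunk the new `ret = 0; goto err;` exits keep the surrounding `ret = EVP_MD_CTX_size(ctx); if (ret < 0)` check unchanged while the function itself returns `size_t`; `ret`'s declaration is above the hunk, so please confirm it is a signed `int` — if it were `size_t`, `ret < 0` would be dead and a negative size would wrap before reaching `EVP_DigestUpdate`. Since the fix is about unifying the cleanup path, a one-line comment at the label in the second hunk would record the intent, e.g. `/* err: every exit, including the two early failures above, frees ctx here */`, which also explains why the `EVP_MD_CTX_reset` call was dropped. The function's opening and its closing brace after `return ret;` lie outside the hunks shown.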
[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 7ed9ad1cc3fadcaac7815e588e23a3ad16379697 (commit) from ed5108a387d98fa75c0810c33a05fc9e3bf0355b (commit) - Log - commit 7ed9ad1cc3fadcaac7815e588e23a3ad16379697 Author: Andy Polyakov Date: Mon Sep 17 12:36:37 2018 +0200 sha/asm/keccak1600-s390x.pl: resolve -march=z900 portability issue. Negative displacement in memory references was not originally specified, so that for maximum coverage one should abstain from it, just like with any other extension. [Unless it's guarded by run-time switch, but there is no switch in keccak1600-s390x.] Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7239) (cherry picked from commit fc97c882f443060dffd8eb56a6b8784e52096c86) --- Summary of changes: crypto/sha/asm/keccak1600-s390x.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/sha/asm/keccak1600-s390x.pl b/crypto/sha/asm/keccak1600-s390x.pl
index 3bce19b..1184cf2 100755
--- a/crypto/sha/asm/keccak1600-s390x.pl
+++ b/crypto/sha/asm/keccak1600-s390x.pl
@@ -432,9 +432,9 @@ SHA3_absorb:
 lrvg%r0,0($inp)
 la $inp,8($inp)
 xg %r0,0(%r1)
- la %r1,8(%r1)
 a${g}hi $len,-8
- stg %r0,-8(%r1)
+ stg %r0,0(%r1)
+ la %r1,8(%r1)
 brct$bsz,.Lblock_absorb
 stm${g} $inp,$len,$frame+3*$SIZE_T($sp)
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via fc97c882f443060dffd8eb56a6b8784e52096c86 (commit) from 990fe909949a58398b3a0cbbdc52b9bbb9cefaa0 (commit) - Log - commit fc97c882f443060dffd8eb56a6b8784e52096c86 Author: Andy Polyakov Date: Mon Sep 17 12:36:37 2018 +0200 sha/asm/keccak1600-s390x.pl: resolve -march=z900 portability issue. Negative displacement in memory references was not originally specified, so that for maximum coverage one should abstain from it, just like with any other extension. [Unless it's guarded by run-time switch, but there is no switch in keccak1600-s390x.] Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7239) --- Summary of changes: crypto/sha/asm/keccak1600-s390x.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/sha/asm/keccak1600-s390x.pl b/crypto/sha/asm/keccak1600-s390x.pl
index 3bce19b..1184cf2 100755
--- a/crypto/sha/asm/keccak1600-s390x.pl
+++ b/crypto/sha/asm/keccak1600-s390x.pl
@@ -432,9 +432,9 @@ SHA3_absorb:
 lrvg%r0,0($inp)
 la $inp,8($inp)
 xg %r0,0(%r1)
- la %r1,8(%r1)
 a${g}hi $len,-8
- stg %r0,-8(%r1)
+ stg %r0,0(%r1)
+ la %r1,8(%r1)
 brct$bsz,.Lblock_absorb
 stm${g} $inp,$len,$frame+3*$SIZE_T($sp)
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 6be3286fee187edb3c133910c6ec27d21a75976b (commit) from fff1da43be2236995cdf5ef2f3e2a51be232ba85 (commit) - Log - commit 6be3286fee187edb3c133910c6ec27d21a75976b Author: Andy Polyakov Date: Sun Sep 23 16:38:11 2018 +0200 util/domd: omit superfluous shift in -MD handling. While reviewing last modification in GH#6261 Richard actually spotted the inconsistency, but withdrew the remark, correct one in aftermath... Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7298) --- Summary of changes: util/domd | 1 - 1 file changed, 1 deletion(-)
diff --git a/util/domd b/util/domd
index 6eb019e..849e271 100755
--- a/util/domd
+++ b/util/domd
@@ -11,7 +11,6 @@ if [ "$1" = "-MD" ]; then
 MAKEDEPEND="$MAKEDEPEND $1"
 shift
 done
-shift
 fi
 if [ "$MAKEDEPEND" = "" ]; then MAKEDEPEND=makedepend; fi
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 13da3ad00c80e1da816ca27f6c15b0ecee1bb0b8 (commit) from 67afcfd35b9b429493947594becf4e269bcd1a5b (commit) - Log - commit 13da3ad00c80e1da816ca27f6c15b0ecee1bb0b8 Author: Andy Polyakov Date: Tue Aug 28 22:06:26 2018 +0200 Revert ".travis.yml: omit linux-ppc64le target." IBM POWER Open Source Ecosystem division asserts commitment to providing more reliable service. GH#7016. This reverts commit 275bfc56a6c4efa7e80c8cbb11fda0c3f9be818d. Reviewed-by: Paul Dale Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte --- Summary of changes: .travis.yml | 8 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index d755d8f..764da28 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -32,10 +32,10 @@ env:
 matrix:
 include:
-#- os: linux-ppc64le
-# sudo: false
-# compiler: clang
-# env: CONFIG_OPTS="--strict-warnings -D__NO_STRING_INLINES"
+- os: linux-ppc64le
+ sudo: false
+ compiler: clang
+ env: CONFIG_OPTS="--strict-warnings -D__NO_STRING_INLINES"
 - os: linux
 addons:
 apt:
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via bc251459adc14a1a56d0cbe2d372f3d6ffd20cf8 (commit) via b6f773b8d6c41e86c107b57dabc637c91884150e (commit) via f9381fd323303316282331a8cced6e030e809794 (commit) via 387d170b32ceeac450bfa50b81db9db9179dc880 (commit) from 19096672b48b3282bb9f11c4adadbcdd545f54a3 (commit) - Log - commit bc251459adc14a1a56d0cbe2d372f3d6ffd20cf8 Author: Andy Polyakov Date: Wed Aug 15 15:46:35 2018 +0200 bn/bn_lib.c: conceal even memmory access pattern in bn2binpad. (cherry picked from commit 324b95605225410763fe63f7cff36eb46ca54ee9) Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6942) commit b6f773b8d6c41e86c107b57dabc637c91884150e Author: Andy Polyakov Date: Mon Aug 13 16:59:08 2018 +0200 bn/bn_blind.c: use Montgomery multiplication when possible. (cherry picked from commit e02c519cd32a55e6ad39a0cfbeeda775f9115f28) Resolved conflicts: crypto/bn/bn_blind.c Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6942) commit f9381fd323303316282331a8cced6e030e809794 Author: Andy Polyakov Date: Mon Aug 13 20:20:28 2018 +0200 rsa/rsa_eay.c: implement variant of "Smooth CRT-RSA." In [most common] case of p and q being of same width, it's possible to replace CRT modulo operations with Montgomery reductions. And those are even fixed-length Montgomery reductions... (cherry picked from commit 41bfd5e7c8ac3a0874a94e4d15c006ad5eb48e59) Resolved conflicts: crypto/rsa/rsa_eay.c Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6942) commit 387d170b32ceeac450bfa50b81db9db9179dc880 Author: Andy Polyakov Date: Fri Aug 10 19:31:22 2018 +0200 crypto/bn: add more fixed-top routines. Add bn_mul_fixed_top, bn_from_mont_fixed_top, bn_mod_sub_fixed_top. Switch to bn_{mul|sqr}_fixed_top in bn_mul_mont_fixed_top and remove memset in bn_from_montgomery_word. 
(cherry picked from commit fcc4ee09473cac511eca90faa003661c7786e4f9) Resolved conflicts: crypto/bn/bn_mod.c crypto/bn_int.h Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6942) --- Summary of changes: crypto/bn/bn_blind.c | 63 ++-- crypto/bn/bn_lib.c | 34 - crypto/bn/bn_mod.c | 67 +- crypto/bn/bn_mont.c | 29 ++- crypto/bn/bn_mul.c | 12 +- crypto/bn/bn_sqr.c | 12 +- crypto/bn_int.h | 6 +++ crypto/rsa/rsa_eay.c | 101 ++- 8 files changed, 264 insertions(+), 60 deletions(-)
diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c
index d448daa..40e1bb6 100644
--- a/crypto/bn/bn_blind.c
+++ b/crypto/bn/bn_blind.c
@@ -206,10 +206,15 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
 if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
 goto err;
 } else if (!(b->flags & BN_BLINDING_NO_UPDATE)) {
-if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx))
-goto err;
-if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx))
-goto err;
+if (b->m_ctx != NULL) {
+if (!bn_mul_mont_fixed_top(b->Ai, b->Ai, b->Ai, b->m_ctx, ctx)
+|| !bn_mul_mont_fixed_top(b->A, b->A, b->A, b->m_ctx, ctx))
+goto err;
+} else {
+if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx)
+|| !BN_mod_mul(b->A, b->A, b->A, b->mod, ctx))
+goto err;
+}
 }
 ret = 1;
@@ -241,13 +246,13 @@ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
 else if (!BN_BLINDING_update(b, ctx))
 return (0);
-if (r != NULL) {
-if (!BN_copy(r, b->Ai))
-ret = 0;
-}
+if (r != NULL && (BN_copy(r, b->Ai) == NULL))
+return 0;
-if (!BN_mod_mul(n, n, b->A, b->mod, ctx))
-ret = 0;
+if (b->m_ctx != NULL)
+ret = BN_mod_mul_montgomery(n, n, b->A, b->m_ctx, ctx);
+else
+ret = BN_mod_mul(n, n, b->A, b->mod, ctx);
 return ret;
 }
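Review bot: The new `b->m_ctx != NULL` branch in the `@@ -206,10 +206,15 @@` hunk squares `b->Ai` and `b->A` with `bn_mul_mont_fixed_top`, and `BN_BLINDING_convert_ex` in the next hunk multiplies `n` by `b->A` with `BN_mod_mul_montgomery`; both are equivalent to the old `BN_mod_mul` path only if `A` and `Ai` are held in Montgomery form whenever `m_ctx` is set, and nothing in these hunks states or checks that invariant (it would have to be established in `BN_BLINDING_create_param`, which is outside this view). Please record it at the branch, e.g. `/* with m_ctx, A and Ai are kept in Montgomery form (A*R mod mod); squaring via bn_mul_mont_fixed_top preserves that form */`, so a future reader does not reintroduce a plain `BN_mod_mul` on one side only. Separately, `BN_copy(r, b->Ai)` in the `@@ -241,13 +246,13 @@` hunk now hands the caller a value produced by a fixed-top routine; if `r` is later consumed by code that expects a normalised top, that needs confirming, and the corresponding handling in `BN_BLINDING_invert_ex` is in the hunk cut off below this one.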
@@ -264,14 +269,29 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, bn_check_top(n); -if (r != NULL) -ret = BN_mod_mul(n, n, r, b->mod, ctx); -else { -if (b->Ai == NULL) { -BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED); -return (0); +if (r == NULL && (r = b->Ai) == NULL) { +BNerr(BN_F_BN_BLINDIN
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 73bebc17a14da5278b01416b39e5c28a7d0c1861 (commit) via c5c6915fba3f1becfd78ed2be032caa38ecadef3 (commit) via db09fdc1a675bde167001a4f68e0f1e595e96dee (commit) via a6d8fe92a601728138e645302fa8bab7ca54fb58 (commit) from 5eee95a54de6854e60886c8e662a902184b12d04 (commit) - Log - commit 73bebc17a14da5278b01416b39e5c28a7d0c1861 Author: Andy Polyakov Date: Wed Aug 15 15:46:35 2018 +0200 bn/bn_lib.c: conceal even memmory access pattern in bn2binpad. (cherry picked from commit 324b95605225410763fe63f7cff36eb46ca54ee9) Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6940) commit c5c6915fba3f1becfd78ed2be032caa38ecadef3 Author: Andy Polyakov Date: Mon Aug 13 16:59:08 2018 +0200 bn/bn_blind.c: use Montgomery multiplication when possible. (cherry picked from commit e02c519cd32a55e6ad39a0cfbeeda775f9115f28) Resolved conflicts: crypto/bn/bn_blind.c Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6940) commit db09fdc1a675bde167001a4f68e0f1e595e96dee Author: Andy Polyakov Date: Fri Aug 10 19:46:03 2018 +0200 rsa/rsa_ossl.c: implement variant of "Smooth CRT-RSA." In [most common] case of p and q being of same width, it's possible to replace CRT modulo operations with Montgomery reductions. And those are even fixed-length Montgomery reductions... (cherry picked from commit 41bfd5e7c8ac3a0874a94e4d15c006ad5eb48e59) Resolved conflicts: crypto/rsa/rsa_ossl.c Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6940) commit a6d8fe92a601728138e645302fa8bab7ca54fb58 Author: Andy Polyakov Date: Fri Aug 10 19:31:22 2018 +0200 crypto/bn: add more fixed-top routines. Add bn_mul_fixed_top, bn_from_mont_fixed_top, bn_mod_sub_fixed_top. Switch to bn_{mul|sqr}_fixed_top in bn_mul_mont_fixed_top and remove memset in bn_from_montgomery_word. 
(cherry picked from commit fcc4ee09473cac511eca90faa003661c7786e4f9) Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6940) --- Summary of changes: crypto/bn/bn_blind.c | 88 -- crypto/bn/bn_lib.c | 34 +++--- crypto/bn/bn_mod.c | 67 +++- crypto/bn/bn_mont.c | 27 +--- crypto/bn/bn_mul.c | 12 +++- crypto/bn/bn_sqr.c | 12 +++- crypto/include/internal/bn_int.h | 6 ++ crypto/rsa/rsa_ossl.c| 130 --- 8 files changed, 287 insertions(+), 89 deletions(-) diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c index 24d1383..7a8237c 100644 --- a/crypto/bn/bn_blind.c +++ b/crypto/bn/bn_blind.c @@ -109,10 +109,15 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx) if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL)) goto err; } else if (!(b->flags & BN_BLINDING_NO_UPDATE)) { -if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx)) -goto err; -if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx)) -goto err; +if (b->m_ctx != NULL) { +if (!bn_mul_mont_fixed_top(b->Ai, b->Ai, b->Ai, b->m_ctx, ctx) +|| !bn_mul_mont_fixed_top(b->A, b->A, b->A, b->m_ctx, ctx)) +goto err; +} else { +if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx) +|| !BN_mod_mul(b->A, b->A, b->A, b->mod, ctx)) +goto err; +} } ret = 1; @@ -144,13 +149,13 @@ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx) else if (!BN_BLINDING_update(b, ctx)) return (0); -if (r != NULL) { -if (!BN_copy(r, b->Ai)) -ret = 0; -} +if (r != NULL && (BN_copy(r, b->Ai) == NULL)) +return 0; -if (!BN_mod_mul(n, n, b->A, b->mod, ctx)) -ret = 0; +if (b->m_ctx != NULL) +ret = BN_mod_mul_montgomery(n, n, b->A, b->m_ctx, ctx); +else +ret = BN_mod_mul(n, n, b->A, b->mod, ctx); return ret; } 
@@ -167,14 +172,29 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, bn_check_top(n); -if (r != NULL) -ret = BN_mod_mul(n, n, r, b->mod, ctx); -else { -if (b->Ai == NULL) { -BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED); -return (0); +if (r == NULL && (r = b->Ai) == NULL) { +BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED);
[openssl-commits] [openssl] master update
The branch master has been updated via 7d38ca3f8bca58bf7b69e78c1f1ab69e5f429dff (commit) via a88e328c3a098e7c64e94c6b426ff45e76eface1 (commit) from d573ff17939458f7b14d56770641c11a83b98d10 (commit) - Log - commit 7d38ca3f8bca58bf7b69e78c1f1ab69e5f429dff Author: Andy Polyakov Date: Fri Aug 17 12:30:36 2018 +0200 x509v3/v3_purp.c: refine lock-free check in x509v3_cache_extensions. Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6996) commit a88e328c3a098e7c64e94c6b426ff45e76eface1 Author: Andy Polyakov Date: Fri Aug 17 12:13:01 2018 +0200 internal/tsan_assist.h: add tsan_ld_acq and tsan_st_rel. Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6996) --- Summary of changes: crypto/x509v3/v3_purp.c| 16 + include/internal/tsan_assist.h | 78 +++--- 2 files changed, 76 insertions(+), 18 deletions(-) diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 5a535e2..70b0397 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -354,9 +354,11 @@ static void x509v3_cache_extensions(X509 *x) X509_EXTENSION *ex; int i; +#ifdef tsan_ld_acq /* fast lock-free check, see end of the function for details. */ -if (tsan_load((TSAN_QUALIFIER int *)>ex_cached)) +if (tsan_ld_acq((TSAN_QUALIFIER int *)>ex_cached)) return; +#endif CRYPTO_THREAD_write_lock(x->lock); if (x->ex_flags & EXFLAG_SET) { 
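Review bot: The lock-free read at the top of `x509v3_cache_extensions` is compiled only `#ifdef tsan_ld_acq`, while the matching `tsan_st_rel` store in the next hunk is guarded by `#ifdef tsan_st_rel`; the two macros presumably come from tsan_assist.h together, but if a platform ever defines only one of them the flag is either never set or never consulted and the function silently takes the write lock on every call. Guarding both sites on the same condition, e.g. `#if defined(tsan_ld_acq) && defined(tsan_st_rel)`, makes the pairing explicit. The acquire load here and the release store before `CRYPTO_THREAD_unlock` are what make skipping the lock safe, so a one-line comment at the `ex_cached` declaration pointing at both sites would help future readers; that declaration is outside this hunk.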
@@ -498,13 +500,15 @@ static void x509v3_cache_extensions(X509 *x) } x509_init_sig_info(x); x->ex_flags |= EXFLAG_SET; -CRYPTO_THREAD_unlock(x->lock); +#ifdef tsan_st_rel +tsan_st_rel((TSAN_QUALIFIER int *)>ex_cached, 1); /* - * It has to be placed after memory barrier, which is implied by unlock. - * Worst thing that can happen is that another thread proceeds to lock - * and checks x->ex_flags & EXFLAGS_SET. See beginning of the function. + * Above store triggers fast lock-free check in the beginning of the + * function. But one has to ensure that the structure is "stable", i.e. + * all stores are visible on all processors. Hence the release fence. */ -tsan_store((TSAN_QUALIFIER int *)>ex_cached, 1); +#endif +CRYPTO_THREAD_unlock(x->lock); } /*- diff --git a/include/internal/tsan_assist.h b/include/internal/tsan_assist.h index f6870a2..2c76383 100644 --- a/include/internal/tsan_assist.h +++ b/include/internal/tsan_assist.h @@ -8,8 +8,9 @@ */ /* - * Goal here is to facilitate writing "thread-opportunistic" code that - * withstands Thread Sanitizer's scrutiny. "Thread-opportunistic" is when + * Contemporary compilers implement lock-free atomic memory access + * primitives that facilitate writing "thread-opportunistic" or even real + * multi-threading low-overhead code. "Thread-opportunistic" is when * exact result is not required, e.g. some statistics, or execution flow * doesn't have to be unambiguous. Simplest example is lazy "constant" * initialization when one can synchronize on variable itself, e.g. 
@@ -28,12 +29,22 @@ * bother. Having Thread Sanitizer accept "thread-opportunistic" code * allows to move on trouble-shooting real bugs. * - * We utilize the fact that compilers that implement Thread Sanitizer - * implement even atomic operations. Then it's assumed that - * ATOMIC_{LONG|INT}_LOCK_FREE are assigned same value as - * ATOMIC_POINTER_LOCK_FREE. And check for >= 2 ensures that correspodning + * Resolving Thread Sanitizer nits was the initial purpose for this module, + * but it was later extended with more nuanced primitives that are useful + * even in "non-opportunistic" scenarios. Most notably verifying if a shared + * structure is fully initialized and bypassing the initialization lock. + * It's suggested to view macros defined in this module as "annotations" for + * thread-safe lock-free code, "Thread-Safe ANnotations"... + * + * It's assumed that ATOMIC_{LONG|INT}_LOCK_FREE are assigned same value as + * ATOMIC_POINTER_LOCK_FREE. And check for >= 2 ensures that corresponding * code is inlined. It should be noted that statistics counters become * accurate in such case. + * + * Special note about TSAN_QUALIFIER. It might be undesired to use it in + * a shared header. Because whether operation on specific variable or member + * is atomic or not might be irrelevant in other modules. In such case one + * can use TSAN_QUALIFIER in cast specifically when it has to count. */ #if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L \ @@ -46,6 +57,8 @@ # define tsan_load(ptr) atomic_load_e
[openssl-commits] [openssl] master update
The branch master has been updated via d573ff17939458f7b14d56770641c11a83b98d10 (commit) from 21ebd2fc3fc00d7871ad00f52daffde4039da665 (commit) - Log - commit d573ff17939458f7b14d56770641c11a83b98d10 Author: Andy Polyakov Date: Sat Aug 18 17:45:08 2018 +0200 Configurations/unix-Makefile.tmpl: address find portability issue. -path is non-portable extension, fortunately it's possible to express .git subdirectory exclusion with -prune. Reviewed-by: Matthias St. Pierre Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/7004) --- Summary of changes: Configurations/unix-Makefile.tmpl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index c492740..16af4d2 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -413,13 +413,13 @@ libclean: clean: libclean $(RM) $(PROGRAMS) $(TESTPROGS) $(ENGINES) $(SCRIPTS) $(RM) $(GENERATED_MANDATORY) $(GENERATED) - -$(RM) `find . -name '*{- $depext -}' -a \! -path "./.git/*"` - -$(RM) `find . -name '*{- $objext -}' -a \! -path "./.git/*"` + -$(RM) `find . -name .git -prune -o -name '*{- $depext -}' -print` + -$(RM) `find . -name .git -prune -o -name '*{- $objext -}' -print` $(RM) core $(RM) tags TAGS doc-nits $(RM) -r test/test-runs $(RM) openssl.pc libcrypto.pc libssl.pc - -$(RM) `find . -type l -a \! -path "./.git/*"` + -$(RM) `find . -name .git -prune -o -type l -print` $(RM) $(TARFILE) distclean: clean _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
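Review bot: `find . -name .git -prune -o -name '*{- $depext -}' -print` prunes a directory named `.git` at any depth, whereas the old `\! -path "./.git/*"` only excluded the top-level checkout's metadata, so the new form is (harmlessly) wider; a short comment above the three `find` lines saying that `.git` directories are skipped on purpose, and that `-print` must stay on the second branch or the pruned names are printed too, would stop the next editor from "simplifying" it. The results are still passed to `$(RM)` through unquoted backticks, so paths containing whitespace are split as before — not introduced here, but worth a word in the same comment.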
[openssl-commits] [openssl] master update
The branch master has been updated via 324b95605225410763fe63f7cff36eb46ca54ee9 (commit) via e02c519cd32a55e6ad39a0cfbeeda775f9115f28 (commit) via 41bfd5e7c8ac3a0874a94e4d15c006ad5eb48e59 (commit) via fcc4ee09473cac511eca90faa003661c7786e4f9 (commit) from 0b89db6b2acb6cca36f812ba51119927563b3cac (commit) - Log - commit 324b95605225410763fe63f7cff36eb46ca54ee9 Author: Andy Polyakov Date: Wed Aug 15 15:46:35 2018 +0200 bn/bn_lib.c: conceal even memmory access pattern in bn2binpad. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6915) commit e02c519cd32a55e6ad39a0cfbeeda775f9115f28 Author: Andy Polyakov Date: Mon Aug 13 16:59:08 2018 +0200 bn/bn_blind.c: use Montgomery multiplication when possible. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6915) commit 41bfd5e7c8ac3a0874a94e4d15c006ad5eb48e59 Author: Andy Polyakov Date: Fri Aug 10 19:46:03 2018 +0200 rsa/rsa_ossl.c: implement variant of "Smooth CRT-RSA." In [most common] case of p and q being of same width, it's possible to replace CRT modulo operations with Montgomery reductions. And those are even fixed-length Montgomery reductions... Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6915) commit fcc4ee09473cac511eca90faa003661c7786e4f9 Author: Andy Polyakov Date: Fri Aug 10 19:31:22 2018 +0200 crypto/bn: add more fixed-top routines. Add bn_{mul|sqr}_fixed_top, bn_from_mont_fixed_top, bn_mod_sub_fixed_top. Switch to bn_{mul|sqr}_fixed_top in bn_mul_mont_fixed_top and remove memset in bn_from_montgomery_word. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6915) --- Summary of changes: crypto/bn/bn_blind.c | 88 ++ crypto/bn/bn_lib.c | 34 ++--- crypto/bn/bn_mod.c | 67 - crypto/bn/bn_mont.c | 26 +-- crypto/bn/bn_mul.c | 12 ++- crypto/bn/bn_sqr.c | 12 ++- crypto/include/internal/bn_int.h | 6 ++ crypto/rsa/rsa_ossl.c| 155 +-- 8 files changed, 293 insertions(+), 107 deletions(-) 
diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c index 420c1ee..450cdfb 100644 --- a/crypto/bn/bn_blind.c +++ b/crypto/bn/bn_blind.c @@ -108,10 +108,15 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx) if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL)) goto err; } else if (!(b->flags & BN_BLINDING_NO_UPDATE)) { -if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx)) -goto err; -if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx)) -goto err; +if (b->m_ctx != NULL) { +if (!bn_mul_mont_fixed_top(b->Ai, b->Ai, b->Ai, b->m_ctx, ctx) +|| !bn_mul_mont_fixed_top(b->A, b->A, b->A, b->m_ctx, ctx)) +goto err; +} else { +if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx) +|| !BN_mod_mul(b->A, b->A, b->A, b->mod, ctx)) +goto err; +} } ret = 1; @@ -143,13 +148,13 @@ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx) else if (!BN_BLINDING_update(b, ctx)) return 0; -if (r != NULL) { -if (!BN_copy(r, b->Ai)) -ret = 0; -} +if (r != NULL && (BN_copy(r, b->Ai) == NULL)) +return 0; -if (!BN_mod_mul(n, n, b->A, b->mod, ctx)) -ret = 0; +if (b->m_ctx != NULL) +ret = BN_mod_mul_montgomery(n, n, b->A, b->m_ctx, ctx); +else +ret = BN_mod_mul(n, n, b->A, b->mod, ctx); return ret; } @@ -166,14 +171,29 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, bn_check_top(n); -if (r != NULL) -ret = BN_mod_mul(n, n, r, b->mod, ctx); -else { -if (b->Ai == NULL) { -BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED); -return 0; +if (r == NULL && (r = b->Ai) == NULL) { +BNerr(BN_F_BN_BLINDING_INVERT_EX, BN_R_NOT_INITIALIZED); +return 0; +} + +if (b->m_ctx != NULL) { +/* ensure that BN_mod_mul_montgomery takes pre-defined path */ +if (n->dmax >= r->top) { +size_t i, rtop = r->top, ntop = n->top; +BN_ULONG mask; + +for (i = 0; i < rtop; i++) { +mask = (BN_ULONG)0 - ((i - ntop) >> (8 * sizeof(i) - 1)); +n->d[i] &= mask; +
[openssl-commits] [openssl] master update
The branch master has been updated via ea5def1478cd9aef607acac0ce2288cfac53782b (commit) from 0b1319ba94c85af9e87308e0d573d1260a802f53 (commit) - Log - commit ea5def1478cd9aef607acac0ce2288cfac53782b Author: Matthias Kraft Date: Fri Jun 15 12:36:03 2018 +0200 Extend dladdr() for AIX, consequence from changes for openssl#6368. The shared libraries are now stored as members of archives, as it is usual on AIX. To correctly address this the custom dladdr()-implementation as well as the dlfcn_load() routine need to be able to cope with such a construct: libname.a(libname.so). Signed-off-by: Matthias Kraft Reviewed-by: Andy Polyakov Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/6872) --- Summary of changes: crypto/dso/dso_dlfcn.c | 39 +-- test/shlibloadtest.c | 7 ++- 2 files changed, 35 insertions(+), 11 deletions(-) diff --git a/crypto/dso/dso_dlfcn.c b/crypto/dso/dso_dlfcn.c index 21bfb3b..ad8899c 100644 --- a/crypto/dso/dso_dlfcn.c +++ b/crypto/dso/dso_dlfcn.c @@ -108,6 +108,10 @@ static int dlfcn_load(DSO *dso) if (dso->flags & DSO_FLAG_GLOBAL_SYMBOLS) flags |= RTLD_GLOBAL; # endif +# ifdef _AIX +if (filename[strlen(filename) - 1] == ')') +flags |= RTLD_MEMBER; +# endif ptr = dlopen(filename, flags); if (ptr == NULL) { DSOerr(DSO_F_DLFCN_LOAD, DSO_R_LOAD_FAILED); @@ -332,7 +336,7 @@ static int dladdr(void *ptr, Dl_info *dl) unsigned int found = 0; struct ld_info *ldinfos, *next_ldi, *this_ldi; -if ((ldinfos = (struct ld_info *)OPENSSL_malloc(DLFCN_LDINFO_SIZE)) == NULL) { +if ((ldinfos = OPENSSL_malloc(DLFCN_LDINFO_SIZE)) == NULL) { errno = ENOMEM; dl->dli_fname = NULL; return 0; 
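Review bot: `filename[strlen(filename) - 1]` performs an out-of-bounds read when `filename` is empty, because `strlen()` returns 0 and the index wraps; unless the caller is known to reject empty names before `dlfcn_load` (not visible here), guard it with `if (*filename != '\0' && filename[strlen(filename) - 1] == ')')`. The same expression is added to `shlib_load` in test/shlibloadtest.c in the last hunk of this message. Treating any trailing `)` as an archive-member reference is a heuristic, so a comment at the `RTLD_MEMBER` line naming the `libname.a(libname.so)` convention from the commit message would document why.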
@@ -359,18 +363,33 @@ static int dladdr(void *ptr, Dl_info *dl) || ((addr >= (uintptr_t)this_ldi->ldinfo_dataorg) && (addr < ((uintptr_t)this_ldi->ldinfo_dataorg + this_ldi->ldinfo_datasize { +char *buffer, *member; +size_t buffer_sz, member_len; + +buffer_sz = strlen(this_ldi->ldinfo_filename) + 1; +member = this_ldi->ldinfo_filename + buffer_sz; +if ((member_len = strlen(member)) > 0) +buffer_sz += 1 + member_len + 1; found = 1; -/* - * Ignoring the possibility of a member name and just returning - * the path name. See docs: sys/ldr.h, loadquery() and - * dlopen()/RTLD_MEMBER. - */ -if ((dl->dli_fname = - OPENSSL_strdup(this_ldi->ldinfo_filename)) == NULL) +if ((buffer = OPENSSL_malloc(buffer_sz)) != NULL) { +OPENSSL_strlcpy(buffer, this_ldi->ldinfo_filename, buffer_sz); +if (member_len > 0) { +/* + * Need to respect a possible member name and not just + * returning the path name in this case. See docs: + * sys/ldr.h, loadquery() and dlopen()/RTLD_MEMBER. + */ +OPENSSL_strlcat(buffer, "(", buffer_sz); +OPENSSL_strlcat(buffer, member, buffer_sz); +OPENSSL_strlcat(buffer, ")", buffer_sz); +} +dl->dli_fname = buffer; +} else { errno = ENOMEM; +} } else { -next_ldi = -(struct ld_info *)((uintptr_t)this_ldi + this_ldi->ldinfo_next); +next_ldi = (struct ld_info *)((uintptr_t)this_ldi + + this_ldi->ldinfo_next); } } while (this_ldi->ldinfo_next && !found); OPENSSL_free((void *)ldinfos); diff --git a/test/shlibloadtest.c b/test/shlibloadtest.c index aad90e6..53714aa 100644 --- a/test/shlibloadtest.c +++ b/test/shlibloadtest.c 
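Review bot: In the new allocation-failure branch (`buffer == NULL`) only `errno` is set — `dl->dli_fname` is never assigned, whereas the replaced `OPENSSL_strdup` call left it NULL on failure; since `found` is already 1 the caller gets back whatever was in `dli_fname` before, so add `dl->dli_fname = NULL;` in the `else` branch. The line `member = this_ldi->ldinfo_filename + buffer_sz;` relies on loadquery() placing the member name directly after the NUL of the path, which is worth a comment at that line rather than only in the block below, e.g. `/* loadquery(): member name follows the NUL-terminated path */`. The rest of `dladdr`, including its return value, is outside the hunk.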
@@ -48,7 +48,12 @@ typedef void *SHLIB_SYM; static int shlib_load(const char *filename, SHLIB *lib) { -*lib = dlopen(filename, RTLD_GLOBAL | RTLD_LAZY); +int dl_flags = (RTLD_GLOBAL|RTLD_LAZY); +#ifdef _AIX +if (filename[strlen(filename) - 1] == ')') +dl_flags |= RTLD_MEMBER; +#endif +*lib = dlopen(filename, dl_flags); return *lib == NULL ? 0 : 1; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 8255fd0f4f86fa4202962d4b27185c0d96f21d75 (commit) from b2a73156186ec436f584a565e6d4a98b75734286 (commit) - Log - commit 8255fd0f4f86fa4202962d4b27185c0d96f21d75 Author: Andy Polyakov Date: Thu Aug 16 09:26:12 2018 +0200 crypto/init.c: improve destructor_key's portability. It was assumed that CRYPTO_THREAD_LOCAL is universally scalar type, which doesn't appear to hold true. Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6976) (cherry picked from commit 0b1319ba94c85af9e87308e0d573d1260a802f53) --- Summary of changes: crypto/init.c | 19 +++ 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/crypto/init.c b/crypto/init.c index 00a9179..2ad946c 100644 --- a/crypto/init.c +++ b/crypto/init.c @@ -41,7 +41,10 @@ static int stopped = 0; * key value and pull NULL past initialization in the first thread that * intends to use libcrypto. */ -static CRYPTO_THREAD_LOCAL destructor_key = (CRYPTO_THREAD_LOCAL)-1; +static union { +long sane; +CRYPTO_THREAD_LOCAL value; +} destructor_key = { -1 }; static void ossl_init_thread_stop(struct thread_local_inits_st *locals); @@ -53,17 +56,17 @@ static void ossl_init_thread_destructor(void *local) static struct thread_local_inits_st *ossl_init_get_thread_local(int alloc) { struct thread_local_inits_st *local = -CRYPTO_THREAD_get_local(_key); +CRYPTO_THREAD_get_local(_key.value); if (alloc) { if (local == NULL && (local = OPENSSL_zalloc(sizeof(*local))) != NULL -&& !CRYPTO_THREAD_set_local(_key, local)) { +&& !CRYPTO_THREAD_set_local(_key.value, local)) { OPENSSL_free(local); return NULL; } } else { -CRYPTO_THREAD_set_local(_key, NULL); +CRYPTO_THREAD_set_local(_key.value, NULL); } return local; @@ -97,7 +100,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_base) #endif OPENSSL_cpuid_setup(); -destructor_key = key; +destructor_key.value = key; base_inited = 1; return 1; 
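Review bot: The union sentinel inspects only `sizeof(long)` bytes: `destructor_key.sane != -1` tests the leading bytes of `.value`, so the scheme assumes that no valid `CRYPTO_THREAD_LOCAL` key ever has its first `long` set to all ones and that a store to `.value` always covers those bytes; that is presumably true for the pthread and Windows key types but is not stated anywhere, so a comment at the union would help, e.g. `/* .sane aliases the first sizeof(long) bytes of .value; -1 means "no key" and must not be a prefix of any valid key */`. If `CRYPTO_THREAD_LOCAL` were narrower than `long` on some platform, `destructor_key.value = key` would leave the upper bytes of `.sane` at their old value, which is another reason to spell the assumption out. The same hunks appear in the master message below.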
@@ -396,7 +399,7 @@ static void ossl_init_thread_stop(struct thread_local_inits_st *locals) void OPENSSL_thread_stop(void) { -if (destructor_key != (CRYPTO_THREAD_LOCAL)-1) +if (destructor_key.sane != -1) ossl_init_thread_stop(ossl_init_get_thread_local(0)); } @@ -493,8 +496,8 @@ void OPENSSL_cleanup(void) err_free_strings_int(); } -key = destructor_key; -destructor_key = (CRYPTO_THREAD_LOCAL)-1; +key = destructor_key.value; +destructor_key.sane = -1; CRYPTO_THREAD_cleanup_local(); #ifdef OPENSSL_INIT_DEBUG _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 0b1319ba94c85af9e87308e0d573d1260a802f53 (commit) from 2d162ea93f6512909454ee10597b63206862a056 (commit) - Log - commit 0b1319ba94c85af9e87308e0d573d1260a802f53 Author: Andy Polyakov Date: Thu Aug 16 09:26:12 2018 +0200 crypto/init.c: improve destructor_key's portability. It was assumed that CRYPTO_THREAD_LOCAL is universally scalar type, which doesn't appear to hold true. Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6976) --- Summary of changes: crypto/init.c | 19 +++ 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/crypto/init.c b/crypto/init.c index 7b69927..209d1a4 100644 --- a/crypto/init.c +++ b/crypto/init.c @@ -44,7 +44,10 @@ static int stopped = 0; * key value and pull NULL past initialization in the first thread that * intends to use libcrypto. */ -static CRYPTO_THREAD_LOCAL destructor_key = (CRYPTO_THREAD_LOCAL)-1; +static union { +long sane; +CRYPTO_THREAD_LOCAL value; +} destructor_key = { -1 }; static void ossl_init_thread_stop(struct thread_local_inits_st *locals); @@ -56,17 +59,17 @@ static void ossl_init_thread_destructor(void *local) static struct thread_local_inits_st *ossl_init_get_thread_local(int alloc) { struct thread_local_inits_st *local = -CRYPTO_THREAD_get_local(_key); +CRYPTO_THREAD_get_local(_key.value); if (alloc) { if (local == NULL && (local = OPENSSL_zalloc(sizeof(*local))) != NULL -&& !CRYPTO_THREAD_set_local(_key, local)) { +&& !CRYPTO_THREAD_set_local(_key.value, local)) { OPENSSL_free(local); return NULL; } } else { -CRYPTO_THREAD_set_local(_key, NULL); +CRYPTO_THREAD_set_local(_key.value, NULL); } return local; @@ -103,7 +106,7 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_base) #endif OPENSSL_cpuid_setup(); -destructor_key = key; +destructor_key.value = key; base_inited = 1; return 1; 
@@ -409,7 +412,7 @@ static void ossl_init_thread_stop(struct thread_local_inits_st *locals) void OPENSSL_thread_stop(void) { -if (destructor_key != (CRYPTO_THREAD_LOCAL)-1) +if (destructor_key.sane != -1) ossl_init_thread_stop(ossl_init_get_thread_local(0)); } @@ -515,8 +518,8 @@ void OPENSSL_cleanup(void) err_free_strings_int(); } -key = destructor_key; -destructor_key = (CRYPTO_THREAD_LOCAL)-1; +key = destructor_key.value; +destructor_key.sane = -1; CRYPTO_THREAD_cleanup_local(); #ifdef OPENSSL_INIT_DEBUG _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 2d162ea93f6512909454ee10597b63206862a056 (commit) via 19934970ac8534cd19eb3f64299e5731d97a7a80 (commit) from f112dc82a44729d3f7c853c01047f6bfeb8f90ce (commit) - Log - commit 2d162ea93f6512909454ee10597b63206862a056 Author: Andy Polyakov Date: Mon Aug 20 09:38:36 2018 +0200 man3/OBJ_nid2obj.pod: mention failure code for OBJ_create. Reviewed-by: Kurt Roeckx Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6998) commit 19934970ac8534cd19eb3f64299e5731d97a7a80 Author: Andy Polyakov Date: Fri Aug 17 23:04:03 2018 +0200 asn1/asn_moid.c: overhaul do_create. Original could allocate nid and then bail out on malloc failure. Instead allocate first *then* attempt to create object. Reviewed-by: Kurt Roeckx Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6998) --- Summary of changes: crypto/asn1/asn_moid.c | 30 -- doc/man3/OBJ_nid2obj.pod | 3 ++- 2 files changed, 14 insertions(+), 19 deletions(-) diff --git a/crypto/asn1/asn_moid.c b/crypto/asn1/asn_moid.c index f0b4dab..68a01f3 100644 --- a/crypto/asn1/asn_moid.c +++ b/crypto/asn1/asn_moid.c @@ -60,29 +60,20 @@ void ASN1_add_oid_module(void) static int do_create(const char *value, const char *name) { int nid; -ASN1_OBJECT *oid; const char *ln, *ostr, *p; -char *lntmp; +char *lntmp = NULL; + p = strrchr(value, ','); -if (!p) { +if (p == NULL) { ln = name; ostr = value; } else { -ln = NULL; +ln = value; ostr = p + 1; -if (!*ostr) +if (*ostr == '\0') return 0; while (ossl_isspace(*ostr)) ostr++; -} - -nid = OBJ_create(ostr, name, ln); - -if (nid == NID_undef) -return 0; - -if (p) { -ln = value; while (ossl_isspace(*ln)) ln++; p--; 
@@ -97,10 +88,13 @@ static int do_create(const char *value, const char *name) return 0; } memcpy(lntmp, ln, p - ln); -lntmp[p - ln] = 0; -oid = OBJ_nid2obj(nid); -oid->ln = lntmp; +lntmp[p - ln] = '\0'; +ln = lntmp; } -return 1; +nid = OBJ_create(ostr, name, ln); + +OPENSSL_free(lntmp); + +return nid != NID_undef; } diff --git a/doc/man3/OBJ_nid2obj.pod b/doc/man3/OBJ_nid2obj.pod index df4e2e1..cbf889f 100644 --- a/doc/man3/OBJ_nid2obj.pod +++ b/doc/man3/OBJ_nid2obj.pod @@ -84,7 +84,8 @@ OBJ_dup() returns a copy of B. OBJ_create() adds a new object to the internal table. B is the numerical form of the object, B the short name and B the -long name. A new NID is returned for the created object. +long name. A new NID is returned for the created object in case of +success and NID_undef in case of failure. OBJ_length() returns the size of the content octets of B. _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
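Review bot: `OPENSSL_free(lntmp)` immediately after `OBJ_create(ostr, name, ln)` is only correct if `OBJ_create()` takes its own copy of `ln` rather than retaining the pointer (the old code kept `lntmp` alive through `oid->ln`, which this rewrite removes); `OBJ_create` is not on this page, so a comment at the free stating that assumption, e.g. `/* OBJ_create() duplicates ln; the trimmed copy is no longer needed */`, would make the ownership explicit. `return nid != NID_undef;` matches the failure code now documented in the pod hunk. The start of the whitespace trimming is in the previous hunk, and the `lntmp` allocation between the two hunks is not shown.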
[openssl-commits] [openssl] master update
The branch master has been updated via 8e5da579c131c493c91efeffe87b0a5cb398fee0 (commit) from 95c91cb3fc85a50969358e579793a73726f6e483 (commit) - Log - commit 8e5da579c131c493c91efeffe87b0a5cb398fee0 Author: Andy Polyakov Date: Fri Aug 17 14:29:59 2018 +0200 Configure: don't probe for --noexecstack assembler option on Darwin. The option has no meaning on Darwin, but it can bail out in combination with -fembed-bitcode or -no-integrated-as... Reviewed-by: Richard Levitte --- Summary of changes: Configure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Configure b/Configure index 2eb8533..3baa8ce 100755 --- a/Configure +++ b/Configure @@ -1441,7 +1441,7 @@ if (!$disabled{makedepend}) { } } -if (!$disabled{asm}) { +if (!$disabled{asm} && !$predefined{__MACH__} && $^O ne 'VMS') { # probe for -Wa,--noexecstack option... if ($predefined{__clang__}) { # clang has builtin assembler, which doesn't recognize --help, @@ -1449,7 +1449,7 @@ if (!$disabled{asm}) { # supported platforms even when it's meaningless. In other words # probe would fail, but probed option always accepted... push @{$config{cflags}}, "-Wa,--noexecstack", "-Qunused-arguments"; -} elsif ($^O ne 'VMS') { +} else { my $cc = $config{CROSS_COMPILE}.$config{CC}; open(PIPE, "$cc -Wa,--help -c -o null.$$.o -x assembler /dev/null 2>&1 |"); while() { _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
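Review bot: The comment `# probe for -Wa,--noexecstack option...` now sits under a condition that also excludes Darwin and VMS, but nothing in the block says why those platforms are skipped; the commit message has the reason, so carry it into the code, e.g. `# skipped on Darwin (__MACH__) and VMS: --noexecstack has no meaning there and can make the assembler bail out`. Moving the VMS test into the outer `if` also means the clang branch is no longer taken on VMS — probably irrelevant, but it is a behaviour change the message does not mention. The probe on the adjacent context line is a two-argument `open(PIPE, "$cc ... |")` that interpolates `$config{CROSS_COMPILE}.$config{CC}` into a shell command; not part of this change, but the list form `open(my $pipe, '-|', $cc, @args)` with a lexical handle would keep the compiler path out of shell parsing (the stderr redirect would then need separate handling).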
[openssl-commits] [openssl] master update
The branch master has been updated via d2b863643d94704abd9840519cfc54d22d0481fe (commit) from 2805ee1e095a78f596dc7adf778441e2edb9f15c (commit) - Log - commit d2b863643d94704abd9840519cfc54d22d0481fe Author: Andy Polyakov Date: Mon Aug 13 22:53:14 2018 +0200 crypto/threads_*: remove CRYPTO_atomic_{read|write}. CRYPTO_atomic_read was added with intention to read statistics counters, but readings are effectively indistinguishable from regular load (even in non-lock-free case). This is because you can get out-dated value in both cases. CRYPTO_atomic_write was added for symmetry and was never used. Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6883) --- Summary of changes: crypto/threads_none.c | 12 crypto/threads_pthread.c| 38 - crypto/threads_win.c| 12 doc/man3/CRYPTO_THREAD_run_once.pod | 17 ++--- include/openssl/crypto.h| 2 -- util/libcrypto.num | 2 -- 6 files changed, 2 insertions(+), 81 deletions(-) diff --git a/crypto/threads_none.c b/crypto/threads_none.c index ab6db8e..4b1940a 100644 --- a/crypto/threads_none.c +++ b/crypto/threads_none.c @@ -128,18 +128,6 @@ int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock) return 1; } -int CRYPTO_atomic_read(int *val, int *ret, CRYPTO_RWLOCK *lock) -{ -*ret = *val; -return 1; -} - -int CRYPTO_atomic_write(int *val, int n, CRYPTO_RWLOCK *lock) -{ -*val = n; -return 1; -} - int openssl_init_fork_handlers(void) { return 0; diff --git a/crypto/threads_pthread.c b/crypto/threads_pthread.c index 8d30e1c..5a59779 100644 --- a/crypto/threads_pthread.c +++ b/crypto/threads_pthread.c 
@@ -175,44 +175,6 @@ int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock) return 1; } -int CRYPTO_atomic_read(int *val, int *ret, CRYPTO_RWLOCK *lock) -{ -# if defined(__GNUC__) && defined(__ATOMIC_ACQUIRE) -if (__atomic_is_lock_free(sizeof(*val), val)) { -__atomic_load(val, ret, __ATOMIC_ACQUIRE); -return 1; -} -# endif -if (!CRYPTO_THREAD_read_lock(lock)) -return 0; - -*ret = *val; - -if (!CRYPTO_THREAD_unlock(lock)) -return 0; - -return 1; -} - -int CRYPTO_atomic_write(int *val, int n, CRYPTO_RWLOCK *lock) -{ -# if defined(__GNUC__) && defined(__ATOMIC_RELEASE) -if (__atomic_is_lock_free(sizeof(*val), val)) { -__atomic_store(val, , __ATOMIC_RELEASE); -return 1; -} -# endif -if (!CRYPTO_THREAD_write_lock(lock)) -return 0; - -*val = n; - -if (!CRYPTO_THREAD_unlock(lock)) -return 0; - -return 1; -} - # ifdef OPENSSL_SYS_UNIX static pthread_once_t fork_once_control = PTHREAD_ONCE_INIT; diff --git a/crypto/threads_win.c b/crypto/threads_win.c index 7fdbc1f..d8fdfb7 100644 --- a/crypto/threads_win.c +++ b/crypto/threads_win.c @@ -155,18 +155,6 @@ int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock) return 1; } -int CRYPTO_atomic_read(int *val, int *ret, CRYPTO_RWLOCK *lock) -{ -*ret = InterlockedCompareExchange(val, 0, 0); -return 1; -} - -int CRYPTO_atomic_write(int *val, int n, CRYPTO_RWLOCK *lock) -{ -InterlockedExchange(val, n); -return 1; -} - int openssl_init_fork_handlers(void) { return 0; diff --git a/doc/man3/CRYPTO_THREAD_run_once.pod b/doc/man3/CRYPTO_THREAD_run_once.pod index a290278..3277613 100644 --- a/doc/man3/CRYPTO_THREAD_run_once.pod +++ b/doc/man3/CRYPTO_THREAD_run_once.pod 
@@ -4,8 +4,8 @@ CRYPTO_THREAD_run_once, CRYPTO_THREAD_lock_new, CRYPTO_THREAD_read_lock, CRYPTO_THREAD_write_lock, -CRYPTO_THREAD_unlock, CRYPTO_THREAD_lock_free, CRYPTO_atomic_add, -CRYPTO_atomic_read, CRYPTO_atomic_write - OpenSSL thread support +CRYPTO_THREAD_unlock, CRYPTO_THREAD_lock_free, +CRYPTO_atomic_add - OpenSSL thread support =head1 SYNOPSIS @@ -21,8 +21,6 @@ CRYPTO_atomic_read, CRYPTO_atomic_write - OpenSSL thread support void CRYPTO_THREAD_lock_free(CRYPTO_RWLOCK *lock); int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock); - int CRYPTO_atomic_read(int *val, int *ret, CRYPTO_RWLOCK *lock); - int CRYPTO_atomic_write(int *val, int n, CRYPTO_RWLOCK *lock); =head1 DESCRIPTION @@ -77,17 +75,6 @@ operations are supported on the specific platform. Because of this, if a variable is modified by CRYPTO_atomic_add() then CRYPTO_atomic_add() must be the only way that the variable is modified. -=item * - -CRYPTO_atomic_read() atomically reads B and returns the result of -the operation in B. B will be locked, unless atomic operations -are supported on the specific platform. - -=item * - -CRYPTO_atomic_write() atomical
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 9804228a4313fcdff1cface0f87ce8b8ed180259 (commit) from 8297ab58008e01f4b86c1b168118aaa3bb882234 (commit) - Log - commit 9804228a4313fcdff1cface0f87ce8b8ed180259 Author: Andy Polyakov Date: Sun Jul 29 14:13:32 2018 +0200 x509v3/v3_purp.c: resolve Thread Sanitizer nit. Reviewed-by: Viktor Dukhovni (Merged from https://github.com/openssl/openssl/pull/6916) (cherry picked from commit 0da7358b0757fa35f2c3a8f51fa036466ae50fd7) Resolved conflicts: crypto/x509v3/v3_purp.c --- Summary of changes: crypto/x509v3/v3_purp.c | 4 1 file changed, 4 deletions(-) diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 7080a51..6d3aa8f 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -396,12 +396,8 @@ static void x509v3_cache_extensions(X509 *x) ASN1_BIT_STRING *ns; EXTENDED_KEY_USAGE *extusage; X509_EXTENSION *ex; - int i; -if (x->ex_flags & EXFLAG_SET) -return; - CRYPTO_w_lock(CRYPTO_LOCK_X509); if (x->ex_flags & EXFLAG_SET) { CRYPTO_w_unlock(CRYPTO_LOCK_X509); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 96d7852cbd0c7861cce155e1dc8c621648c0ba70 (commit) from 86ed2e1cb04158371385047e0e7832c34273022c (commit) - Log - commit 96d7852cbd0c7861cce155e1dc8c621648c0ba70 Author: Andy Polyakov Date: Wed Aug 8 11:10:11 2018 +0200 internal/refcount.h: overhaul fencing and add _MSC_VER section. Relax memory_order on counter decrement itself, because mutable members of the reference-counted structure should be visible on all processors independently on counter. [Even re-format and minimize dependency on other headers.] Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6900) --- Summary of changes: include/internal/refcount.h | 73 ++--- 1 file changed, 62 insertions(+), 11 deletions(-) diff --git a/include/internal/refcount.h b/include/internal/refcount.h index c1663a0..75d70a6 100644 --- a/include/internal/refcount.h +++ b/include/internal/refcount.h @@ -1,5 +1,5 @@ /* - * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -18,26 +18,36 @@ # if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L \ && !defined(__STDC_NO_ATOMICS__) -# include -# define HAVE_C11_ATOMICS +# include +# define HAVE_C11_ATOMICS # endif # if defined(HAVE_C11_ATOMICS) && defined(ATOMIC_INT_LOCK_FREE) \ && ATOMIC_INT_LOCK_FREE > 0 -# define HAVE_ATOMICS 1 +# define HAVE_ATOMICS 1 typedef _Atomic int CRYPTO_REF_COUNT; -static ossl_inline int CRYPTO_UP_REF(_Atomic int *val, int *ret, void *lock) +static inline int CRYPTO_UP_REF(_Atomic int *val, int *ret, void *lock) { *ret = atomic_fetch_add_explicit(val, 1, memory_order_relaxed) + 1; return 1; } -static ossl_inline int CRYPTO_DOWN_REF(_Atomic int *val, int *ret, void *lock) +/* + * Changes to shared structure other than reference counter have to be + * serialized. And any kind of serialization implies a release fence. This + * means that by the time reference counter is decremented all other + * changes are visible on all processors. Hence decrement itself can be + * relaxed. In case it hits zero, object will be destructed. Since it's + * last use of the object, destructor programmer might reason that access + * to mutable members doesn't have to be serialized anymore, which would + * otherwise imply an acquire fence. Hence conditional acquire fence... + */ +static inline int CRYPTO_DOWN_REF(_Atomic int *val, int *ret, void *lock) { -*ret = atomic_fetch_sub_explicit(val, 1, memory_order_release) - 1; +*ret = atomic_fetch_sub_explicit(val, 1, memory_order_relaxed) - 1; if (*ret == 0) atomic_thread_fence(memory_order_acquire); return 1; 
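Review bot: The relaxed decrement in both CRYPTO_DOWN_REF bodies rests on the new comment's argument that every mutation of the object is serialized by a lock whose release precedes the decrement; that argument does not cover plain unlocked reads of the object made by the releasing thread just before it drops its reference, and a relaxed RMW does not order such earlier loads before itself, so on a weakly ordered target the thread that sees zero can run the destructor while the other thread's loads are still in flight. Whether any caller actually reads members unlocked right before CRYPTO_DOWN_REF cannot be told from this hunk, so this may be fine in practice, but the assumption deserves one more sentence in the comment, e.g. ` * Callers must not rely on unlocked reads issued before CRYPTO_DOWN_REF being ordered against the decrement.`. The same reasoning applies to the _InterlockedExchangeAdd_nf variant in the following _MSC_VER hunk.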
@@ -45,24 +55,65 @@ static ossl_inline int CRYPTO_DOWN_REF(_Atomic int *val, int *ret, void *lock) # elif defined(__GNUC__) && defined(__ATOMIC_RELAXED) && __GCC_ATOMIC_INT_LOCK_FREE > 0 -# define HAVE_ATOMICS 1 +# define HAVE_ATOMICS 1 typedef int CRYPTO_REF_COUNT; -static ossl_inline int CRYPTO_UP_REF(int *val, int *ret, void *lock) +static __inline__ int CRYPTO_UP_REF(int *val, int *ret, void *lock) { *ret = __atomic_fetch_add(val, 1, __ATOMIC_RELAXED) + 1; return 1; } -static ossl_inline int CRYPTO_DOWN_REF(int *val, int *ret, void *lock) +static __inline__ int CRYPTO_DOWN_REF(int *val, int *ret, void *lock) { -*ret = __atomic_fetch_sub(val, 1, __ATOMIC_RELEASE) - 1; +*ret = __atomic_fetch_sub(val, 1, __ATOMIC_RELAXED) - 1; if (*ret == 0) __atomic_thread_fence(__ATOMIC_ACQUIRE); return 1; } +# elif defined(_MSC_VER) && _MSC_VER>=1200 + +# define HAVE_ATOMICS 1 + +typedef volatile int CRYPTO_REF_COUNT; + +# if (defined(_M_ARM) && _M_ARM>=7) || defined(_M_ARM64) +# include +# if defined(_M_ARM64) && !defined(_ARM_BARRIER_ISH) +#define _ARM_BARRIER_ISH _ARM64_BARRIER_ISH +# endif + +static __inline int CRYPTO_UP_REF(volatile int *val, int *ret, void *lock) +{ +*ret = _InterlockedExchangeAdd_nf(val, 1) + 1; +return 1; +} + +static __inline int CRYPTO_DOWN_REF(volatile int *val, int *ret, void *lock) +{ +*ret = _InterlockedExchangeAdd_nf(val, -1) - 1; +if (*ret == 0) +__dmb(_ARM_BARRIER_ISH); +return 1; +} +# else +# pragma intrinsic(_InterlockedExchangeAdd) + +static __inline int CRYPTO_UP_REF(volatile int *val, int *ret, void *lock) +{ +*ret = _InterlockedExchangeAdd(val, 1) + 1; +return 1; +} + +static __inline int CRYPTO_DOWN_REF(volatile i
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 9553d9691ca67d6cd31573c7f6e567b182800511 (commit) via 80158ae42fffe3354b160c5818f48b6a9b651538 (commit) from a0f443a05dd68b9949b39b3310a595babcae4624 (commit) - Log - commit 9553d9691ca67d6cd31573c7f6e567b182800511 Author: Andy Polyakov Date: Sun Jul 29 14:37:17 2018 +0200 x509v3/v3_purp.c: re-implement lock-free check for extensions cache validity. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6891) (back-ported from commit f21b5b64cbbc279ef31389e6ae312690575187da) commit 80158ae42fffe3354b160c5818f48b6a9b651538 Author: Andy Polyakov Date: Sun Jul 29 14:13:32 2018 +0200 x509v3/v3_purp.c: resolve Thread Sanitizer nit. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6891) (cherry picked from commit 0da7358b0757fa35f2c3a8f51fa036466ae50fd7) --- Summary of changes: crypto/include/internal/x509_int.h | 1 + crypto/x509v3/v3_purp.c| 10 -- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h index 2845026..9a6322c 100644 --- a/crypto/include/internal/x509_int.h +++ b/crypto/include/internal/x509_int.h @@ -166,6 +166,7 @@ struct x509_st { unsigned char sha1_hash[SHA_DIGEST_LENGTH]; X509_CERT_AUX *aux; CRYPTO_RWLOCK *lock; +volatile int ex_cached; } /* X509 */ ; /* diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 144de0c..7ac0672 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -350,10 +350,10 @@ static void x509v3_cache_extensions(X509 *x) ASN1_BIT_STRING *ns; EXTENDED_KEY_USAGE *extusage; X509_EXTENSION *ex; - int i; -if (x->ex_flags & EXFLAG_SET) +/* fast lock-free check, see end of the function for details. */ +if (x->ex_cached) return; CRYPTO_THREAD_write_lock(x->lock); 
@@ -496,6 +496,12 @@ static void x509v3_cache_extensions(X509 *x) } x->ex_flags |= EXFLAG_SET; CRYPTO_THREAD_unlock(x->lock); +/* + * It has to be placed after memory barrier, which is implied by unlock. + * Worst thing that can happen is that another thread proceeds to lock + * and checks x->ex_flags & EXFLAGS_SET. See beginning of the function. + */ +x->ex_cached = 1; } /*- _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
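Review bot: The new fast path in the first v3_purp.c hunk reads `x->ex_cached` with no acquire ordering, and `volatile` only keeps the compiler from caching the load; it does not order the reads of x->ex_flags and the cached extension fields after the store this hunk issues, so on a weakly ordered CPU a reader may observe ex_cached == 1 before the cached fields are visible. The comment documents only the writer side, and even there a release-only unlock orders the stores before it, not the store after it, so the claim depends on how CRYPTO_THREAD_unlock is implemented; stating the reader-side assumption explicitly, or using an acquire load where the platform has one, would make the contract visible. The comment also refers to `EXFLAGS_SET` while the flag tested in the code is `EXFLAG_SET`. x509v3_cache_extensions begins outside this hunk.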
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via ec3f996b3066ecaaec87ba5ad29c606aeac0740d (commit) via df6b67becc1f41c27e20ff10b5ec42ced58b (commit) via 6412738be390dd9bf680cef89f22e4c810ab065f (commit) from f72a7ce8bc0a5c0866c6a848a7f54854d67aeba2 (commit) - Log - commit ec3f996b3066ecaaec87ba5ad29c606aeac0740d Author: Andy Polyakov Date: Sun Feb 4 15:24:54 2018 +0100 rsa/*: switch to BN_bn2binpad. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6889) (cherry picked from commit 582ad5d4d9b7703eb089016935133e3a18ea8205) Resolved conflicts: crypto/rsa/rsa_ossl.c crypto/rsa/rsa_pk1.c commit df6b67becc1f41c27e20ff10b5ec42ced58b Author: Andy Polyakov Date: Mon Jul 16 18:17:44 2018 +0200 bn/bn_lib.c address Coverity nit in bn2binpad. It was false positive, but one can as well view it as readability issue. Switch even to unsigned indices because % BN_BYTES takes 4-6 instructions with signed dividend vs. 1 (one) with unsigned. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6889) (cherry picked from commit 83e034379fa3f6f0d308ec75fbcb137e26154aec) commit 6412738be390dd9bf680cef89f22e4c810ab065f Author: Andy Polyakov Date: Sun Feb 4 15:20:29 2018 +0100 bn/bn_lib.c: add computationally constant-time bn_bn2binpad. "Computationally constant-time" means that it might still leak information about input's length, but only in cases when input is missing complete BN_ULONG limbs. But even then leak is possible only if attacker can observe memory access pattern with limb granularity. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6889) (cherry picked from commit 89d8aade5f4011ddeea7827f08ec544c914f275a) Resolved conflicts: crypto/bn/bn_lib.c --- Summary of changes: crypto/bn/bn_lib.c| 35 + crypto/bn_int.h | 2 ++ crypto/rsa/rsa_eay.c | 39 +++- crypto/rsa/rsa_oaep.c | 39 +++- crypto/rsa/rsa_pk1.c | 62 +++ crypto/rsa/rsa_ssl.c | 8 +++ 6 files changed, 125 insertions(+), 60 deletions(-) 
diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index c6005bf..03bd8cd 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -614,6 +614,41 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) } /* ignore negative */ +static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) +{ +int n; +size_t i, inc, lasti, j; +BN_ULONG l; + +n = BN_num_bytes(a); +if (tolen == -1) +tolen = n; +else if (tolen < n) +return -1; + +if (n == 0) { +OPENSSL_cleanse(to, tolen); +return tolen; +} + +lasti = n - 1; +for (i = 0, inc = 1, j = tolen; j > 0;) { +l = a->d[i / BN_BYTES]; +to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & (0 - inc)); +inc = (i - lasti) >> (8 * sizeof(i) - 1); +i += inc; /* stay on top limb */ +} + +return tolen; +} + +int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) +{ +if (tolen < 0) +return -1; +return bn2binpad(a, to, tolen); +} + int BN_bn2bin(const BIGNUM *a, unsigned char *to) { int n, i; diff --git a/crypto/bn_int.h b/crypto/bn_int.h index 9683e5f..9c42d6f 100644 --- a/crypto/bn_int.h +++ b/crypto/bn_int.h @@ -11,3 +11,5 @@ int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx); int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m); + +int bn_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen); diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index b147fff..b9c6855 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -114,6 +114,7 @@ #include #include #include +#include "bn_int.h" #ifndef RSA_NULL @@ -156,7 +157,7 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { BIGNUM *f, *ret; -int i, j, k, num = 0, r = -1; +int i, num = 0, r = -1; unsigned char *buf = NULL; BN_CTX *ctx = NULL; 
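Review bot: The padding trick in bn2binpad's loop is the subtle part of the new code and carries only the `stay on top limb` comment: `inc` is 1 while i < lasti, drops to 0 at the top byte through the sign-bit shift of the wrapped subtraction, and `(0 - inc)` then becomes an all-zero mask so the remaining output bytes are zeros while the limb index never leaves the top limb. A comment above the loop stating that, e.g. `/* Fill 'to' from its last byte backwards; once i reaches the top byte inc drops to 0 and the mask zeroes the padding without a length-dependent branch. */`, would save the next reader from re-deriving it. It is also worth noting at `tolen == -1` that only the static helper accepts that value, since bn_bn2binpad rejects negative lengths before delegating.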
@@ -232,15 +233,10 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from, goto err; /* - * put in leading 0 bytes if the number is less than the length of the - * modulus + * BN_bn2binpad puts in leading 0 bytes if the number is less than + * the length of the modulus. */ -j = BN_num_
[openssl-commits] [openssl] master update
The branch master has been updated via 8f15498563658726a7c2bce7abcf01bea08515de (commit) via e519d6b563d95d630723784a5737ebe5ef74e4f3 (commit) via d1f8b74c584d55a3c7f8f88d997ad69b67076c77 (commit) via f21b5b64cbbc279ef31389e6ae312690575187da (commit) via 0da7358b0757fa35f2c3a8f51fa036466ae50fd7 (commit) via 9ef9088c1585e13b9727796f15f77da64dbbe623 (commit) via cab76c0f6482df5140efa2ca93c9e2d972fcd9b0 (commit) via ede3e6653c1127e852493655737327170567a453 (commit) from 8839324450b569a6253e0dd237ee3e417ef17771 (commit) - Log - commit 8f15498563658726a7c2bce7abcf01bea08515de Author: Andy Polyakov Date: Fri Aug 3 10:46:03 2018 +0200 crypto/mem.c: switch to tsan_assist.h in CRYPTO_MDEBUG. Rationale is that it wasn't providing accurate statistics anyway. For statistics to be accurate CRYPTO_get_alloc_counts should acquire a lock and lock-free additions should not be an option. Reviewed-by: Paul Dale Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6786) commit e519d6b563d95d630723784a5737ebe5ef74e4f3 Author: Andy Polyakov Date: Fri Aug 3 10:20:59 2018 +0200 engine/eng_lib.c: remove redundant #ifdef. Reviewed-by: Paul Dale Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6786) commit d1f8b74c584d55a3c7f8f88d997ad69b67076c77 Author: Andy Polyakov Date: Sun Jul 29 15:21:38 2018 +0200 man3/OPENSSL_LH_COMPFUNC.pod: clarifications and updates. Reviewed-by: Paul Dale Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6786) commit f21b5b64cbbc279ef31389e6ae312690575187da Author: Andy Polyakov Date: Sun Jul 29 14:37:17 2018 +0200 x509v3/v3_purp.c: re-implement lock-free check for extensions cache validity. Reviewed-by: Paul Dale Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6786) commit 0da7358b0757fa35f2c3a8f51fa036466ae50fd7 Author: Andy Polyakov Date: Sun Jul 29 14:13:32 2018 +0200 x509v3/v3_purp.c: resolve Thread Sanitizer nit. 
Reviewed-by: Paul Dale Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6786) commit 9ef9088c1585e13b9727796f15f77da64dbbe623 Author: Andy Polyakov Date: Sun Jul 29 14:12:53 2018 +0200 ssl/*: switch to switch to Thread-Sanitizer-friendly primitives. Reviewed-by: Paul Dale Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6786) commit cab76c0f6482df5140efa2ca93c9e2d972fcd9b0 Author: Andy Polyakov Date: Sun Jul 29 14:11:49 2018 +0200 lhash/lhash.c: switch to Thread-Sanitizer-friendly primitives. Reviewed-by: Paul Dale Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6786) commit ede3e6653c1127e852493655737327170567a453 Author: Andy Polyakov Date: Sun Jul 29 14:10:20 2018 +0200 Add internal/tsan_assist.h. Goal here is to facilitate writing "thread-opportunistic" code that withstands Thread Sanitizer's scrutiny. "Thread-opportunistic" is when exact result is not required, e.g. some statistics, or execution flow doesn't have to be unambiguous. Reviewed-by: Paul Dale Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6786) --- Summary of changes: crypto/engine/eng_lib.c| 6 +-- crypto/include/internal/x509_int.h | 1 + crypto/lhash/lhash.c | 14 --- crypto/lhash/lhash_lcl.h | 12 +++--- crypto/mem.c | 18 crypto/x509v3/v3_purp.c| 11 - doc/man3/OPENSSL_LH_COMPFUNC.pod | 25 include/internal/tsan_assist.h | 84 ++ ssl/ssl_lib.c | 41 ++- ssl/ssl_locl.h | 33 --- ssl/ssl_sess.c | 20 - ssl/statem/extensions.c| 8 ++-- ssl/statem/statem_clnt.c | 4 +- ssl/statem/statem_lib.c| 23 --- 14 files changed, 177 insertions(+), 123 deletions(-) create mode 100644 include/internal/tsan_assist.h diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c index 9028319..3ef3aae 100644 --- a/crypto/engine/eng_lib.c +++ b/crypto/engine/eng_lib.c 
@@ -75,14 +75,10 @@ int engine_free_util(ENGINE *e, int not_locked) if (e == NULL) return 1; -#ifdef HAVE_ATOMICS -CRYPTO_DOWN_REF(>struct_ref, , global_engine_lock); -#else if (not_locked) -CRYPTO_atomic_add(>struct_ref, -1, , global_engine_lock); +CRYPTO_DOWN_REF(>struct_ref, , global_engine_lock); else i = --e->struct_ref; -#endi
[openssl-commits] [openssl] master update
The branch master has been updated via 8839324450b569a6253e0dd237ee3e417ef17771 (commit) via 5b37fef04a2b765835361f0652aaa0c41ed1b842 (commit) via 28ad73181aeb3b0b027d53d3266159f4b2e15d5b (commit) via f44d7e8b472dfc0602f8d06ef72e808a5e8d410c (commit) from 38eca7fed09a57c1b7a05d651af2c667b3e87719 (commit) - Log - commit 8839324450b569a6253e0dd237ee3e417ef17771 Author: Andy Polyakov Date: Sun Aug 5 16:56:54 2018 +0200 stack/stack.c: omit redundant NULL checks. Checks are left in OPENSSL_sk_shift, OPENSSL_sk_pop and OPENSSL_sk_num. This is because these are used as "opportunistic" readers, pulling whatever datai, if any, set by somebody else. All calls that add data don't check for stack being NULL, because caller should have checked if stack was actually created. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6860) commit 5b37fef04a2b765835361f0652aaa0c41ed1b842 Author: Andy Polyakov Date: Sun Aug 5 16:50:41 2018 +0200 Harmonize use of sk_TYPE_find's return value. In some cases it's about redundant check for return value, in some cases it's about replacing check for -1 with comparison to 0. Otherwise compiler might generate redundant check for <-1. [Even formatting and readability fixes.] Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6860) commit 28ad73181aeb3b0b027d53d3266159f4b2e15d5b Author: Andy Polyakov Date: Sun Aug 5 11:51:37 2018 +0200 x509/x509name.c: fix potential crash in X509_NAME_get_text_by_OBJ. Documentation says "at most B bytes will be written", which formally doesn't prohibit zero. But if zero B was passed, the call to memcpy was bound to crash. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6860) commit f44d7e8b472dfc0602f8d06ef72e808a5e8d410c Author: Andy Polyakov Date: Mon Aug 6 09:43:39 2018 +0200 INSTALL,NOTES.ANDROID: minor updates. 
Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6866) --- Summary of changes: INSTALL | 10 ++ NOTES.ANDROID | 4 ++-- crypto/asn1/asn_mime.c| 4 crypto/evp/evp_pbe.c | 5 ++--- crypto/objects/obj_xref.c | 5 ++--- crypto/stack/stack.c | 21 - crypto/x509/by_dir.c | 10 +++--- crypto/x509/x509_lu.c | 11 ++- crypto/x509/x509_trs.c| 7 --- crypto/x509/x509_vpm.c| 9 - crypto/x509/x509name.c| 8 +--- crypto/x509/x_crl.c | 10 +++--- crypto/x509v3/pcy_cache.c | 10 -- crypto/x509v3/pcy_node.c | 3 --- crypto/x509v3/pcy_tree.c | 2 +- crypto/x509v3/v3_lib.c| 2 -- crypto/x509v3/v3_purp.c | 7 --- ssl/ssl_ciph.c| 5 + 18 files changed, 59 insertions(+), 74 deletions(-) diff --git a/INSTALL b/INSTALL index 98c34d6..34023dc 100644 --- a/INSTALL +++ b/INSTALL @@ -145,8 +145,8 @@ put together one-size-fits-all instructions. You might have to pass more flags or set up environment variables to actually make it work. Android and iOS cases are - discussed in corresponding Configurations/10-main.cf - sections. But there are cases when this option alone is + discussed in corresponding Configurations/15-*.conf + files. But there are cases when this option alone is sufficient. For example to build the mingw64 target on Linux "--cross-compile-prefix=x86_64-w64-mingw32-" works. Naturally provided that mingw packages are @@ -157,10 +157,12 @@ "--cross-compile-prefix=mipsel-linux-gnu-" suffices in such case. Needless to mention that you have to invoke ./Configure, not ./config, and pass your target - name explicitly. + name explicitly. Also, note that --openssldir refers + to target's file system, not one you are building on. --debug - Build OpenSSL with debugging symbols. + Build OpenSSL with debugging symbols and zero optimization + level. --libdir=DIR The name of the directory under the top of the installation diff --git a/NOTES.ANDROID b/NOTES.ANDROID index 103ed87..d13f47d 100644 --- a/NOTES.ANDROID +++ b/NOTES.ANDROID 
@@ -46,8 +46,8 @@ One can engage clang by adjusting PATH to cover NDK's clang. Just keep in mind that if you miss it, Configure will try to use gcc... Also, PATH would need even further adjustment to
[openssl-commits] [openssl] master update
The branch master has been updated via f38edcab594b4934bd9625ef889934b2dfb5d1f0 (commit) from 28c5b7d482dda8597bbf93890463d7eb0f9f2355 (commit) - Log - commit f38edcab594b4934bd9625ef889934b2dfb5d1f0 Author: Patrick Steuer Date: Tue Apr 3 18:24:18 2018 +0100 s390x assembly pack: add KIMD/KLMD code path for sha3/shake Signed-off-by: Patrick Steuer Reviewed-by: Andy Polyakov Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5935) --- Summary of changes: crypto/evp/build.info | 1 + crypto/evp/m_sha3.c | 235 -- crypto/s390x_arch.h | 4 + crypto/s390xcpuid.pl | 42 + 4 files changed, 275 insertions(+), 7 deletions(-) diff --git a/crypto/evp/build.info b/crypto/evp/build.info index 0305738..cc33ac3 100644 --- a/crypto/evp/build.info +++ b/crypto/evp/build.info @@ -22,3 +22,4 @@ INCLUDE[e_camellia.o]=.. ../modes INCLUDE[e_sm4.o]=.. ../modes INCLUDE[e_des.o]=.. INCLUDE[e_des3.o]=.. +INCLUDE[m_sha3.o]=.. diff --git a/crypto/evp/m_sha3.c b/crypto/evp/m_sha3.c index bfc65b2..729622b 100644 --- a/crypto/evp/m_sha3.c +++ b/crypto/evp/m_sha3.c 
@@ -137,7 +137,227 @@ static int shake_ctrl(EVP_MD_CTX *evp_ctx, int cmd, int p1, void *p2) } } -#define EVP_MD_SHA3(bitlen) \ +#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) && defined(KECCAK1600_ASM) +/* + * IBM S390X support + */ +# include "s390x_arch.h" + +# define S390X_SHA3_FC(ctx) ((ctx)->pad) + +# define S390X_sha3_224_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \ + S390X_CAPBIT(S390X_SHA3_224)) && \ + (OPENSSL_s390xcap_P.klmd[0] & \ + S390X_CAPBIT(S390X_SHA3_224))) +# define S390X_sha3_256_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \ + S390X_CAPBIT(S390X_SHA3_256)) && \ + (OPENSSL_s390xcap_P.klmd[0] & \ + S390X_CAPBIT(S390X_SHA3_256))) +# define S390X_sha3_384_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \ + S390X_CAPBIT(S390X_SHA3_384)) && \ + (OPENSSL_s390xcap_P.klmd[0] & \ + S390X_CAPBIT(S390X_SHA3_384))) +# define S390X_sha3_512_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \ + S390X_CAPBIT(S390X_SHA3_512)) && \ + (OPENSSL_s390xcap_P.klmd[0] & \ + S390X_CAPBIT(S390X_SHA3_512))) +# define S390X_shake128_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \ + S390X_CAPBIT(S390X_SHAKE_128)) && \ + (OPENSSL_s390xcap_P.klmd[0] & \ + S390X_CAPBIT(S390X_SHAKE_128))) +# define S390X_shake256_CAPABLE ((OPENSSL_s390xcap_P.kimd[0] & \ + S390X_CAPBIT(S390X_SHAKE_256)) && \ + (OPENSSL_s390xcap_P.klmd[0] & \ + S390X_CAPBIT(S390X_SHAKE_256))) + +/* Convert md-size to block-size. */ +# define S390X_KECCAK1600_BSZ(n) ((KECCAK1600_WIDTH - ((n) << 1)) >> 3) + +static int s390x_sha3_init(EVP_MD_CTX *evp_ctx) +{ +KECCAK1600_CTX *ctx = evp_ctx->md_data; +const size_t bsz = evp_ctx->digest->block_size; + +/*- + * KECCAK1600_CTX structure's pad field is used to store the KIMD/KLMD + * function code. 
+ */ +switch (bsz) { +case S390X_KECCAK1600_BSZ(224): +ctx->pad = S390X_SHA3_224; +break; +case S390X_KECCAK1600_BSZ(256): +ctx->pad = S390X_SHA3_256; +break; +case S390X_KECCAK1600_BSZ(384): +ctx->pad = S390X_SHA3_384; +break; +case S390X_KECCAK1600_BSZ(512): +ctx->pad = S390X_SHA3_512; +break; +default: +return 0; +} + +memset(ctx->A, 0, sizeof(ctx->A)); +ctx->num = 0; +ctx->block_size = bsz; +ctx->md_size = evp_ctx->digest->md_size; +return 1; +} + +static int s390x_shake_init(EVP_MD_CTX *evp_ctx) +{ +KECCAK1600_CTX *ctx = evp_ctx->md_data; +const size_t bsz = evp_ctx->digest->block_size; + +/*- + * KECCAK1600_CTX structure's pad field is used to store the KIMD/KLMD + * function code. + */ +switch (bsz) { +case S390X_KECCAK1600_BSZ(128): +ctx->pad = S390X_SHAKE_128; +break; +case S390X_KECCAK1600_BSZ(256): +ctx->pad = S390X_SHAKE_256; +break; +default: +return
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via c700d1fe090acf3661d3948c25f489803f50a98b (commit) via 4e7ade969944a9e6923a48471efb910dfb5f4a3a (commit) from 24233a0f3c491919ee3a38e2567271ccc041ee1d (commit) - Log - commit c700d1fe090acf3661d3948c25f489803f50a98b Author: Andy Polyakov Date: Thu Aug 2 09:02:47 2018 +0200 asn1/tasn_utl.c: fix logical error in asn1_do_lock. CRYPTO_atomic_add was assumed to return negative value on error, while it returns 0. Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6843) commit 4e7ade969944a9e6923a48471efb910dfb5f4a3a Author: Andy Polyakov Date: Thu Aug 2 08:59:48 2018 +0200 Revert "asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock." This reverts commit 24233a0f3c491919ee3a38e2567271ccc041ee1d. Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6843) --- Summary of changes: crypto/asn1/tasn_utl.c | 35 --- 1 file changed, 12 insertions(+), 23 deletions(-) diff --git a/crypto/asn1/tasn_utl.c b/crypto/asn1/tasn_utl.c index 22e853d..cad45a0 100644 --- a/crypto/asn1/tasn_utl.c +++ b/crypto/asn1/tasn_utl.c @@ -57,10 +57,8 @@ int asn1_set_choice_selector(ASN1_VALUE **pval, int value, int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it) { const ASN1_AUX *aux; -CRYPTO_REF_COUNT *lck; +int *lck, ret; CRYPTO_RWLOCK **lock; -int ret = -1; - if ((it->itype != ASN1_ITYPE_SEQUENCE) && (it->itype != ASN1_ITYPE_NDEF_SEQUENCE)) return 0; 
@@ -69,34 +67,25 @@ int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it) return 0; lck = offset2ptr(*pval, aux->ref_offset); lock = offset2ptr(*pval, aux->ref_lock); - -switch (op) { -case 0: -*lck = ret = 1; +if (op == 0) { +*lck = 1; *lock = CRYPTO_THREAD_lock_new(); if (*lock == NULL) { ASN1err(ASN1_F_ASN1_DO_LOCK, ERR_R_MALLOC_FAILURE); return -1; } -break; -case 1: -if (!CRYPTO_UP_REF(lck, , *lock)) -return -1; -break; -case -1: -if (!CRYPTO_DOWN_REF(lck, , *lock)) -return -1; /* failed */ +return 1; +} +if (!CRYPTO_atomic_add(lck, op, , *lock)) +return -1; /* failed */ #ifdef REF_PRINT -fprintf(stderr, "%p:%4d:%s\n", it, ret, it->sname); +fprintf(stderr, "%p:%4d:%s\n", it, *lck, it->sname); #endif -REF_ASSERT_ISNT(ret < 0); -if (ret == 0) { -CRYPTO_THREAD_lock_free(*lock); -*lock = NULL; -} -break; +REF_ASSERT_ISNT(ret < 0); +if (ret == 0) { +CRYPTO_THREAD_lock_free(*lock); +*lock = NULL; } - return ret; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 29d8bda90ce824263317eae5354388f79844dd51 (commit) via 983e1ad235caa45d710eaa5f0d2de504d782a348 (commit) via e3ab8cc460d1a43fe6310c8d9a92589db1d4f8a3 (commit) via 6a815969776e3329fdffcc12c77e047e3a15be78 (commit) via 83325a68ad5fdfc359ab9d82a0e0da8e5fe7ede1 (commit) via c9046a05ec0fc3377e1077b401652d76ee5ce908 (commit) via 327b2c011342280c7fd5e312a4fff2a01083d2d6 (commit) via c1c0e4f1a358072767860764cd43335fc7316176 (commit) via 7cca1f96bf82b22ab49f179bae7df1562d0a104b (commit) from d69f31fcc38878769c8c917f8724c5aef10fd847 (commit) - Log - commit 29d8bda90ce824263317eae5354388f79844dd51 Author: Andy Polyakov Date: Mon Jul 30 12:39:08 2018 +0200 CHANGES: mention blinding reverting in ECDSA. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6810) commit 983e1ad235caa45d710eaa5f0d2de504d782a348 Author: Andy Polyakov Date: Mon Jul 30 12:37:17 2018 +0200 ecdsa/ecs_ossl.c: switch to fixed-length Montgomery multiplication. (back-ported from commit 37132c9702328940a99b1307f742ab094ef754a7) Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6810) commit e3ab8cc460d1a43fe6310c8d9a92589db1d4f8a3 Author: Billy Brumley Date: Wed Jan 20 13:18:21 2016 +0200 Fix BN_gcd errors for some curves Those even order that do not play nicely with Montgomery arithmetic (back-ported from commit 3a6a4a93518fbb3d96632bfdcb538d340f29c56b) Reviewed-by: Andy Polyakov Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6810) commit 6a815969776e3329fdffcc12c77e047e3a15be78 Author: Andy Polyakov Date: Wed Jul 25 10:29:51 2018 +0200 bn/bn_mod.c: harmonize BN_mod_add_quick with original implementation. New implementation failed to correctly reset r->neg flag. Spotted by OSSFuzz. 
Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6810) (cherry picked from commit 70a579ae2f37437a1e02331eeaa84e1b68ba021e) commit 83325a68ad5fdfc359ab9d82a0e0da8e5fe7ede1 Author: Andy Polyakov Date: Fri Jul 6 15:55:34 2018 +0200 ecdsa/ecs_ossl.c: revert blinding in ECDSA signature. Originally suggested solution for "Return Of the Hidden Number Problem" is arguably too expensive. While it has marginal impact on slower curves, none to ~6%, optimized implementations suffer real penalties. Most notably sign with P-256 went more than 2 times[!] slower. Instead, just implement constant-time BN_mod_add_quick. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6810) (cherry picked from commit 3fc7a9b96cbed0c3da6f53c08e34d8d0c982745f) Resolved onflicts: crypto/ec/ecdsa_ossl.c crypto/include/internal/bn_int.h commit c9046a05ec0fc3377e1077b401652d76ee5ce908 Author: Andy Polyakov Date: Fri Jul 6 15:13:15 2018 +0200 bn/bn_{mont|exp}.c: switch to zero-padded intermediate vectors. Note that exported functions maintain original behaviour, so that external callers won't observe difference. While internally we can now perform Montogomery multiplication on fixed-length vectors, fixed at modulus size. The new functions, bn_to_mont_fixed_top and bn_mul_mont_fixed_top, are declared in bn_int.h, because one can use them even outside bn, e.g. in RSA, DSA, ECDSA... Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6810) (cherry picked from commit 71883868ea5b33416ae8283bcc38dd2d97e5006b) Resolved conflicts: crypto/bn/bn_exp.c crypto/bn/bn_lcl.h crypto/bn/bn_mont.c crypto/include/internal/bn_int.h commit 327b2c011342280c7fd5e312a4fff2a01083d2d6 Author: Andy Polyakov Date: Fri Jul 6 15:02:29 2018 +0200 bn/bn_lib.c: add BN_FLG_FIXED_TOP flag. The new flag marks vectors that were not treated with bn_correct_top, in other words such vectors are permitted to be zero padded. 
For now it's BN_DEBUG-only flag, as initial use case for zero-padded vectors would be controlled Montgomery multiplication/exponentiation, not general purpose. For general purpose use another type might be more appropriate. Advantage of this suggestion is that it's possible to back-port it... bn/bn_div.c: fix memory sanitizer problem. bn/bn_sqr.c: harmonize with BN_mul. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6810) (cherry picked from commit 305b68f1a2b6d4d0aa07a6ab47ac372f067a40bb) Resolved conflicts: crypto/bn/bn_lcl.h crypto/bn/bn_lib.c commit c1c0e4f1a358072767860764cd43335fc7316176 Author: Andy Polyakov Da
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 24233a0f3c491919ee3a38e2567271ccc041ee1d (commit) from c0cc23af26d0363dbd164ceae97ed044e3fd8861 (commit) - Log - commit 24233a0f3c491919ee3a38e2567271ccc041ee1d Author: Andy Polyakov Date: Tue Jul 31 14:59:14 2018 +0200 asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock. CRYPTO_atomic_add was assumed to return negative value on error, while it returns 0. Reviewed-by: Rich Salz (cherry picked from commit 680b9d45b005c2d0a48fd574db903bf4486b49ae) --- Summary of changes: crypto/asn1/tasn_utl.c | 35 +++ 1 file changed, 23 insertions(+), 12 deletions(-) diff --git a/crypto/asn1/tasn_utl.c b/crypto/asn1/tasn_utl.c index f79d7d6..22e853d 100644 --- a/crypto/asn1/tasn_utl.c +++ b/crypto/asn1/tasn_utl.c @@ -57,8 +57,10 @@ int asn1_set_choice_selector(ASN1_VALUE **pval, int value, int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it) { const ASN1_AUX *aux; -int *lck, ret; +CRYPTO_REF_COUNT *lck; CRYPTO_RWLOCK **lock; +int ret = -1; + if ((it->itype != ASN1_ITYPE_SEQUENCE) && (it->itype != ASN1_ITYPE_NDEF_SEQUENCE)) return 0; 
@@ -67,25 +69,34 @@ int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it) return 0; lck = offset2ptr(*pval, aux->ref_offset); lock = offset2ptr(*pval, aux->ref_lock); -if (op == 0) { -*lck = 1; + +switch (op) { +case 0: +*lck = ret = 1; *lock = CRYPTO_THREAD_lock_new(); if (*lock == NULL) { ASN1err(ASN1_F_ASN1_DO_LOCK, ERR_R_MALLOC_FAILURE); return -1; } -return 1; -} -if (CRYPTO_atomic_add(lck, op, , *lock) < 0) -return -1; /* failed */ +break; +case 1: +if (!CRYPTO_UP_REF(lck, , *lock)) +return -1; +break; +case -1: +if (!CRYPTO_DOWN_REF(lck, , *lock)) +return -1; /* failed */ #ifdef REF_PRINT -fprintf(stderr, "%p:%4d:%s\n", it, *lck, it->sname); +fprintf(stderr, "%p:%4d:%s\n", it, ret, it->sname); #endif -REF_ASSERT_ISNT(ret < 0); -if (ret == 0) { -CRYPTO_THREAD_lock_free(*lock); -*lock = NULL; +REF_ASSERT_ISNT(ret < 0); +if (ret == 0) { +CRYPTO_THREAD_lock_free(*lock); +*lock = NULL; +} +break; } + return ret; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
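Review bot: The switch on `op` has no `default:` branch, so an unexpected value falls out with the pre-initialised `ret` of -1 and is indistinguishable from a CRYPTO_UP_REF/CRYPTO_DOWN_REF failure; an explicit `default: return -1; /* unsupported op */` would make the contract visible. The REF_PRINT trace also moved inside `case -1:` only, so increments are no longer printed, which looks like an unintended change from the previous code that traced every CRYPTO_atomic_add; if intended, a comment saying so would help. The same applies to the identical hunk of master commit 680b9d45b005c2d0a48fd574db903bf4486b49ae further down this page.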
[openssl-commits] [openssl] master update
The branch master has been updated via 680b9d45b005c2d0a48fd574db903bf4486b49ae (commit) from f52292be10cb42c25ae83be969d3ad469ea7cb4e (commit) - Log - commit 680b9d45b005c2d0a48fd574db903bf4486b49ae Author: Andy Polyakov Date: Tue Jul 31 14:59:14 2018 +0200 asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock. CRYPTO_atomic_add was assumed to return negative value on error, while it returns 0. Reviewed-by: Rich Salz --- Summary of changes: crypto/asn1/tasn_utl.c | 35 +++ 1 file changed, 23 insertions(+), 12 deletions(-) diff --git a/crypto/asn1/tasn_utl.c b/crypto/asn1/tasn_utl.c index a93fd87..7ceecff 100644 --- a/crypto/asn1/tasn_utl.c +++ b/crypto/asn1/tasn_utl.c @@ -58,8 +58,10 @@ int asn1_set_choice_selector(ASN1_VALUE **pval, int value, int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it) { const ASN1_AUX *aux; -int *lck, ret; +CRYPTO_REF_COUNT *lck; CRYPTO_RWLOCK **lock; +int ret = -1; + if ((it->itype != ASN1_ITYPE_SEQUENCE) && (it->itype != ASN1_ITYPE_NDEF_SEQUENCE)) return 0; 
@@ -68,25 +70,34 @@ int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it) return 0; lck = offset2ptr(*pval, aux->ref_offset); lock = offset2ptr(*pval, aux->ref_lock); -if (op == 0) { -*lck = 1; + +switch (op) { +case 0: +*lck = ret = 1; *lock = CRYPTO_THREAD_lock_new(); if (*lock == NULL) { ASN1err(ASN1_F_ASN1_DO_LOCK, ERR_R_MALLOC_FAILURE); return -1; } -return 1; -} -if (CRYPTO_atomic_add(lck, op, , *lock) < 0) -return -1; /* failed */ +break; +case 1: +if (!CRYPTO_UP_REF(lck, , *lock)) +return -1; +break; +case -1: +if (!CRYPTO_DOWN_REF(lck, , *lock)) +return -1; /* failed */ #ifdef REF_PRINT -fprintf(stderr, "%p:%4d:%s\n", it, *lck, it->sname); +fprintf(stderr, "%p:%4d:%s\n", it, ret, it->sname); #endif -REF_ASSERT_ISNT(ret < 0); -if (ret == 0) { -CRYPTO_THREAD_lock_free(*lock); -*lock = NULL; +REF_ASSERT_ISNT(ret < 0); +if (ret == 0) { +CRYPTO_THREAD_lock_free(*lock); +*lock = NULL; +} +break; } + return ret; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 34515e8f88e57c13cdf2b1d4ec094ffd4e9f8d94 (commit) from 3c0addb71c66adf729f48050c3a75f68c44b23b6 (commit) - Log - commit 34515e8f88e57c13cdf2b1d4ec094ffd4e9f8d94 Author: Bryan Donlan Date: Tue Jul 17 13:38:17 2018 -0700 Remove DSA digest length checks when no digest is passed FIPS 186-4 does not specify a hard requirement on DSA digest lengths, and in any case the current check rejects the FIPS recommended digest lengths for key sizes != 1024 bits. Fixes: #6748 Reviewed-by: Rich Salz Reviewed-by: Andy Polyakov (Merged from https://github.com/openssl/openssl/pull/6749) (cherry picked from commit 665d9d1c0655d6f709c99e1211c1e11fcebfeecd) --- Summary of changes: crypto/dsa/dsa_pmeth.c | 18 -- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c index a1cbaad..a82c4c9 100644 --- a/crypto/dsa/dsa_pmeth.c +++ b/crypto/dsa/dsa_pmeth.c @@ -76,13 +76,8 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, DSA_PKEY_CTX *dctx = ctx->data; DSA *dsa = ctx->pkey->pkey.dsa; -if (dctx->md) { -if (tbslen != (size_t)EVP_MD_size(dctx->md)) -return 0; -} else { -if (tbslen != SHA_DIGEST_LENGTH) -return 0; -} +if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) +return 0; ret = DSA_sign(0, tbs, tbslen, sig, , dsa); @@ -100,13 +95,8 @@ static int pkey_dsa_verify(EVP_PKEY_CTX *ctx, DSA_PKEY_CTX *dctx = ctx->data; DSA *dsa = ctx->pkey->pkey.dsa; -if (dctx->md) { -if (tbslen != (size_t)EVP_MD_size(dctx->md)) -return 0; -} else { -if (tbslen != SHA_DIGEST_LENGTH) -return 0; -} +if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) +return 0; ret = DSA_verify(0, tbs, tbslen, sig, siglen, dsa); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
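Review bot: With the `else` branch gone, a NULL `dctx->md` now passes any `tbslen` — including 0 — through to DSA_sign, whereas the old code required exactly SHA_DIGEST_LENGTH bytes; the commit message justifies dropping the fixed length but not dropping the lower bound. If DSA_sign is being relied on to truncate over-long inputs (that handling is outside this hunk), state it and keep a minimal sanity check: `if (tbslen == 0 || (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md))) return 0;`. The same applies to pkey_dsa_verify in the second hunk and to the master commit of the same change below. Both enclosing functions continue outside the hunks.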
[openssl-commits] [openssl] master update
The branch master has been updated via cb809437d391176a1c2e76f6da77a790c9382c4b (commit) via 665d9d1c0655d6f709c99e1211c1e11fcebfeecd (commit) from bd93f1ac2750450033dbfa76b5f1597b0145b585 (commit) - Log - commit cb809437d391176a1c2e76f6da77a790c9382c4b Author: Bryan Donlan Date: Tue Jul 17 13:04:09 2018 -0700 Add test for DSA signatures of raw digests of various sizes Reviewed-by: Rich Salz Reviewed-by: Andy Polyakov (Merged from https://github.com/openssl/openssl/pull/6749) commit 665d9d1c0655d6f709c99e1211c1e11fcebfeecd Author: Bryan Donlan Date: Tue Jul 17 13:38:17 2018 -0700 Remove DSA digest length checks when no digest is passed FIPS 186-4 does not specify a hard requirement on DSA digest lengths, and in any case the current check rejects the FIPS recommended digest lengths for key sizes != 1024 bits. Fixes: #6748 Reviewed-by: Rich Salz Reviewed-by: Andy Polyakov (Merged from https://github.com/openssl/openssl/pull/6749) --- Summary of changes: crypto/dsa/dsa_pmeth.c | 18 +-- test/build.info| 6 +- test/dsa_no_digest_size_test.c | 245 + test/recipes/15-test_dsa.t | 3 +- 4 files changed, 256 insertions(+), 16 deletions(-) create mode 100644 test/dsa_no_digest_size_test.c diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c index f66317b..b4ee5a7 100644 --- a/crypto/dsa/dsa_pmeth.c +++ b/crypto/dsa/dsa_pmeth.c @@ -77,13 +77,8 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, DSA_PKEY_CTX *dctx = ctx->data; DSA *dsa = ctx->pkey->pkey.dsa; -if (dctx->md) { -if (tbslen != (size_t)EVP_MD_size(dctx->md)) -return 0; -} else { -if (tbslen != SHA_DIGEST_LENGTH) -return 0; -} +if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) +return 0; ret = DSA_sign(0, tbs, tbslen, sig, , dsa); 
@@ -101,13 +96,8 @@ static int pkey_dsa_verify(EVP_PKEY_CTX *ctx, DSA_PKEY_CTX *dctx = ctx->data; DSA *dsa = ctx->pkey->pkey.dsa; -if (dctx->md) { -if (tbslen != (size_t)EVP_MD_size(dctx->md)) -return 0; -} else { -if (tbslen != SHA_DIGEST_LENGTH) -return 0; -} +if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) +return 0; ret = DSA_verify(0, tbs, tbslen, sig, siglen, dsa); diff --git a/test/build.info b/test/build.info index 8dbe0c2..04014e7 100644 --- a/test/build.info +++ b/test/build.info @@ -33,7 +33,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN rc2test rc4test rc5test \ destest mdc2test \ dhtest enginetest casttest \ - bftest ssltest_old dsatest exptest rsa_test \ + bftest ssltest_old dsatest dsa_no_digest_size_test exptest rsa_test \ evp_test evp_extra_test igetest v3nametest v3ext \ crltest danetest bad_dtls_test lhash_test \ conf_include_test \ @@ -152,6 +152,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN INCLUDE[dsatest]=../include DEPEND[dsatest]=../libcrypto libtestutil.a + SOURCE[dsa_no_digest_size_test]=dsa_no_digest_size_test.c + INCLUDE[dsa_no_digest_size_test]=../include + DEPEND[dsa_no_digest_size_test]=../libcrypto libtestutil.a + SOURCE[exptest]=exptest.c INCLUDE[exptest]=../include DEPEND[exptest]=../libcrypto libtestutil.a diff --git a/test/dsa_no_digest_size_test.c b/test/dsa_no_digest_size_test.c new file mode 100644 index 000..88c6036 --- /dev/null +++ b/test/dsa_no_digest_size_test.c 
@@ -0,0 +1,245 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include + +#include "testutil.h" + +#include +#include +#include + +#ifndef OPENSSL_NO_DSA +#include + +static DSA *dsakey; + +/* + * These parameters are from test/recipes/04-test_pem_data/dsaparam.pem, + * converted using dsaparam -C + */ +static DSA *load_dsa_params(void) +{ +static unsigned char dsap_2048[] = { +0xAE, 0x35, 0x7D, 0x4E, 0x1D, 0x96, 0xE2, 0x9F, 0x00, 0x96, +0x60, 0x5A, 0x6E, 0x4D, 0x07, 0x8D, 0xA5, 0x7C, 0xBC, 0xF9, +0xAD, 0xD7, 0x9F, 0xD5, 0xE9, 0xEE, 0xA6, 0x33, 0x51, 0xDE, +0x7B, 0x72, 0xD2, 0x75, 0xAA, 0x71, 0x77, 0xF1, 0x63, 0xFB, +0xB6, 0xEC, 0x5A, 0xBA, 0x0D, 0x72, 0xA2, 0x1A, 0x1C, 0x64, +0xB8, 0xE5, 0x89, 0x09, 0x6D, 0xC9, 0x6F, 0x0B, 0
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 3c0addb71c66adf729f48050c3a75f68c44b23b6 (commit) via 811162832e875576c13139493d949b3157a1c8cf (commit) from 9da6f31c7e61b484dda6c0a59d46c76410981e13 (commit) - Log - commit 3c0addb71c66adf729f48050c3a75f68c44b23b6 Author: Andy Polyakov Date: Fri Jul 20 13:23:42 2018 +0200 crypto/init.c: use destructor_key even as guard in OPENSSL_thread_stop. Problem was that Windows threads that were terminating before libcrypto was initialized were referencing uninitialized or possibly even unrelated thread local storage index. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6799) (cherry picked from commit 80ae7285e1994d35c84519bf9e038b11d9942875) Resolved conflicts: crypto/init.c commit 811162832e875576c13139493d949b3157a1c8cf Author: Andy Polyakov Date: Fri Jul 20 13:15:48 2018 +0200 crypto/cryptlib.c: make OPENSS_cpuid_setup safe to use as constructor. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6799) (cherry picked from commit b86d57bb0b23253c720db38ab18ca97cb888f701) Resolved conflicts: crypto/cryptlib.c --- Summary of changes: crypto/cryptlib.c | 104 +- crypto/init.c | 54 ++-- 2 files changed, 122 insertions(+), 36 deletions(-) diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c index bf73244..3b878cd 100644 --- a/crypto/cryptlib.c +++ b/crypto/cryptlib.c 
@@ -23,29 +23,97 @@ extern unsigned int OPENSSL_ia32cap_P[4]; # if defined(OPENSSL_CPUID_OBJ) && !defined(OPENSSL_NO_ASM) && !defined(I386_ONLY) -#include + +/* + * Purpose of these minimalistic and character-type-agnostic subroutines + * is to break dependency on MSVCRT (on Windows) and locale. This makes + * OPENSSL_cpuid_setup safe to use as "constructor". "Character-type- + * agnostic" means that they work with either wide or 8-bit characters, + * exploiting the fact that first 127 characters can be simply casted + * between the sets, while the rest would be simply rejected by ossl_is* + * subroutines. + */ +# ifdef _WIN32 +typedef WCHAR variant_char; + +static variant_char *ossl_getenv(const char *name) +{ +/* + * Since we pull only one environment variable, it's simpler to + * to just ignore |name| and use equivalent wide-char L-literal. + * As well as to ignore excessively long values... + */ +static WCHAR value[48]; +DWORD len = GetEnvironmentVariableW(L"OPENSSL_ia32cap", value, 48); + +return (len > 0 && len < 48) ? 
value : NULL; +} +# else +typedef char variant_char; +# define ossl_getenv getenv +# endif + +static int todigit(variant_char c) +{ +if (c >= '0' && c <= '9') +return c - '0'; +else if (c >= 'A' && c <= 'F') +return c - 'A' + 10; +else if (c >= 'a' && c <= 'f') +return c - 'a' + 10; + +/* return largest base value to make caller terminate the loop */ +return 16; +} + +static uint64_t ossl_strtouint64(const variant_char *str) +{ +uint64_t ret = 0; +unsigned int digit, base = 10; + +if (*str == '0') { +base = 8, str++; +if (*str == 'x' || *str == 'X') +base = 16, str++; +} + +while((digit = todigit(*str++)) < base) +ret = ret * base + digit; + +return ret; +} + +static variant_char *ossl_strchr(const variant_char *str, char srch) +{ variant_char c; + +while((c = *str)) { +if (c == srch) + return (variant_char *)str; +str++; +} + +return NULL; +} + # define OPENSSL_CPUID_SETUP typedef uint64_t IA32CAP; + void OPENSSL_cpuid_setup(void) { static int trigger = 0; IA32CAP OPENSSL_ia32_cpuid(unsigned int *); IA32CAP vec; -char *env; +const variant_char *env; if (trigger) return; trigger = 1; -if ((env = getenv("OPENSSL_ia32cap"))) { +if ((env = ossl_getenv("OPENSSL_ia32cap")) != NULL) { int off = (env[0] == '~') ? 1 : 0; -# if defined(_WIN32) -if (!sscanf(env + off, "%I64i", )) -vec = strtoul(env + off, NULL, 0); -# else -if (!sscanf(env + off, "%lli", (long long *))) -vec = strtoul(env + off, NULL, 0); -# endif + +vec = ossl_strtouint64(env + off); + if (off) { IA32CAP mask = vec; vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P) & ~mask; @@ -64,15 +132,17 @@ void OPENSSL_cpuid_setup(void) vec = OPENSSL_ia32_cpuid(OPENSSL_ia32cap_P); } -if ((env = strchr(env, ':'))) { -
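Review bot: `ossl_strtouint64` reports nothing on bad input: `ret = ret * base + digit` wraps modulo 2^64 on an over-long OPENSSL_ia32cap value and parsing simply stops at the first non-digit, so unlike the `sscanf`/`strtoul` pair it replaces there is no failure signal at all. For a mask read from the process environment that is tolerable, but it should be written down above the function: `/* No overflow or syntax errors are reported: a malformed value yields a truncated or wrapped mask, never a failure. */`. Style-wise, `while((digit = ...` and `while((c = *str))` lack the space after `while` used elsewhere in the file, and the ossl_getenv comment reads "simpler to to just ignore". The second hunk of this file begins on the same line but is cut off here.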
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 9da6f31c7e61b484dda6c0a59d46c76410981e13 (commit) via ed04bcf67426888e8f8556b9eb37e9e2cf4eb04b (commit) via e1c495db1d48c4a8c467d4a5e692e991528d8618 (commit) via 63ad27165f9abd4f9e55d1a2e8c9bbdb01073a4f (commit) via 6040bd3f7109dcae508c3194232e7b8ee8654dc0 (commit) from 2f19065bd35dc84492c4c47ff5b706340300866f (commit) - Log - commit 9da6f31c7e61b484dda6c0a59d46c76410981e13 Author: Andy Polyakov Date: Thu Jul 26 14:38:53 2018 +0200 CHANGES: mention blinding reverting in ECDSA. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6796) commit ed04bcf67426888e8f8556b9eb37e9e2cf4eb04b Author: Andy Polyakov Date: Wed Jul 25 10:29:51 2018 +0200 bn/bn_mod.c: harmonize BN_mod_add_quick with original implementation. New implementation failed to correctly reset r->neg flag. Spotted by OSSFuzz. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6796) (cherry picked from commit 70a579ae2f37437a1e02331eeaa84e1b68ba021e) commit e1c495db1d48c4a8c467d4a5e692e991528d8618 Author: Andy Polyakov Date: Thu Jul 12 22:27:43 2018 +0200 ec/ecdsa_ossl.c: switch to fixed-length Montgomery multiplication. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6796) (cherry picked from commit 37132c9702328940a99b1307f742ab094ef754a7) commit 63ad27165f9abd4f9e55d1a2e8c9bbdb01073a4f Author: Andy Polyakov Date: Fri Jul 6 16:13:29 2018 +0200 ec/ecdsa_ossl.c: formatting and readability fixes. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6796) (cherry picked from commit fff7a0dcf6e3135c7f93e6cb5fb35e37dd0b384d) commit 6040bd3f7109dcae508c3194232e7b8ee8654dc0 Author: Andy Polyakov Date: Fri Jul 6 15:55:34 2018 +0200 ec/ecdsa_ossl.c: revert blinding in ECDSA signature. Originally suggested solution for "Return Of the Hidden Number Problem" is arguably too expensive. 
While it has marginal impact on slower curves, none to ~6%, optimized implementations suffer real penalties. Most notably sign with P-256 went more than 2 times[!] slower. Instead, just implement constant-time BN_mod_add_quick. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6796) (cherry picked from commit 3fc7a9b96cbed0c3da6f53c08e34d8d0c982745f) Resolved conflicts: crypto/ec/ecdsa_ossl.c --- Summary of changes: CHANGES | 4 ++ crypto/bn/bn_mod.c | 67 ++-- crypto/ec/ecdsa_ossl.c | 130 +++ crypto/include/internal/bn_int.h | 2 + 4 files changed, 104 insertions(+), 99 deletions(-) diff --git a/CHANGES b/CHANGES index 148960a..277654d 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,10 @@ Changes between 1.1.0h and 1.1.0i [xx XXX ] + *) Revert blinding in ECDSA sign and instead make problematic addition + length-invariant. Switch even to fixed-length Montgomery multiplication. + [Andy Polyakov] + *) Change generating and checking of primes so that the error rate of not being prime depends on the intended use based on the size of the input. For larger primes this will result in more rounds of Miller-Rabin. diff --git a/crypto/bn/bn_mod.c b/crypto/bn/bn_mod.c index 13b583f..e33e3f3 100644 --- a/crypto/bn/bn_mod.c +++ b/crypto/bn/bn_mod.c 
@@ -35,18 +35,73 @@ int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, /* * BN_mod_add variant that may be used if both a and b are non-negative and - * less than m + * less than m. The original algorithm was + * + *if (!BN_uadd(r, a, b)) + * return 0; + *if (BN_ucmp(r, m) >= 0) + * return BN_usub(r, r, m); + * + * which is replaced with addition, subtracting modulus, and conditional + * move depending on whether or not subtraction borrowed. */ -int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - const BIGNUM *m) +int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + const BIGNUM *m) { -if (!BN_uadd(r, a, b)) +size_t i, ai, bi, mtop = m->top; +BN_ULONG storage[1024 / BN_BITS2]; +BN_ULONG carry, temp, mask, *rp, *tp = storage; +const BN_ULONG *ap, *bp; + +if (bn_wexpand(r, mtop) == NULL) return 0; -if (BN_ucmp(r, m) >= 0) -return BN_usub(r, r, m); + +if (mtop > sizeof(storage) / sizeof(storage[0]) +&& (tp = OPENSSL_malloc(mtop * sizeof(BN_ULONG))) == NULL) + return 0; + +ap = a->d != NULL ? a->d : tp; +bp = b-&g
[openssl-commits] [openssl] master update
The branch master has been updated via 9d91530d2d7da1447b7be8631b269599023430e7 (commit) from 793f19e47c69558e39c702da75c27e0509baf379 (commit) - Log - commit 9d91530d2d7da1447b7be8631b269599023430e7 Author: Billy Brumley Date: Thu Jul 19 11:16:07 2018 +0300 EC GFp ladder This commit leverages the Montgomery ladder scaffold introduced in #6690 (alongside a specialized Lopez-Dahab ladder for binary curves) to provide a specialized differential addition-and-double implementation to speedup prime curves, while keeping all the features of `ec_scalar_mul_ladder` against SCA attacks. The arithmetic in ladder_pre, ladder_step and ladder_post is auto generated with tooling, from the following formulae: - `ladder_pre`: Formula 3 for doubling from Izu-Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", as described at https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2 - `ladder_step`: differential addition-and-doubling Eq. (8) and (10) from Izu-Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", as described at https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-3 - `ladder_post`: y-coordinate recovery using Eq. (8) from Brier-Joye "Weierstrass Elliptic Curves and Side-Channel Attacks", modified to work in projective coordinates. Co-authored-by: Nicola Tuveri Reviewed-by: Andy Polyakov Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6772) --- Summary of changes: CHANGES | 11 ++- crypto/ec/ec_lcl.h | 13 ++- crypto/ec/ecp_mont.c | 6 +- crypto/ec/ecp_nist.c | 6 +- crypto/ec/ecp_smpl.c | 228 +-- 5 files changed, 249 insertions(+), 15 deletions(-) diff --git a/CHANGES b/CHANGES index cab58c0..7805912 100644 --- a/CHANGES +++ b/CHANGES 
@@ -9,6 +9,15 @@ Changes between 1.1.0h and 1.1.1 [xx XXX ] + *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder + step for prime curves. The new implementation is based on formulae from + differential addition-and-doubling in homogeneous projective coordinates + from Izu-Takagi "A fast parallel elliptic curve multiplication resistant + against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves + and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified + to work in projective coordinates. + [Billy Bob Brumley, Nicola Tuveri] + *) Change generating and checking of primes so that the error rate of not being prime depends on the intended use based on the size of the input. For larger primes this will result in more rounds of Miller-Rabin. @@ -30,7 +39,7 @@ [Andy Polyakov] *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder - step for binary curves. The new implementation is based on formulas from + step for binary curves. The new implementation is based on formulae from differential addition-and-doubling in mixed Lopez-Dahab projective coordinates, modified to independently blind the operands. [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri] diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h index 217392e..c706a84 100644 --- a/crypto/ec/ec_lcl.h +++ b/crypto/ec/ec_lcl.h @@ -301,7 +301,6 @@ struct ec_point_st { * special case */ }; - static ossl_inline int ec_point_is_compat(const EC_POINT *point, const EC_GROUP *group) { @@ -314,7 +313,6 @@ static ossl_inline int ec_point_is_compat(const EC_POINT *point, return 1; } - NISTP224_PRE_COMP *EC_nistp224_pre_comp_dup(NISTP224_PRE_COMP *); NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *); 
@@ -394,7 +392,16 @@ int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, - BN_CTX *ctx); +BN_CTX *ctx); +int ec_GFp_simple_ladder_pre(const EC_GROUP *group, + EC_POINT *r, EC_POINT *s, + EC_POINT *p, BN_CTX *ctx); +int ec_GFp_simple_ladder_step(const EC_GROUP *group, + EC_POINT *r, EC_POINT *s, + EC_POINT *p, BN_CTX *ctx); +i
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 2f19065bd35dc84492c4c47ff5b706340300866f (commit) via b7862891fed4cfb5ec36a31d35e14b51bf26d01e (commit) from 616153f2f9c07f51212fb5e85170e89a4ebaadbb (commit) - Log - commit 2f19065bd35dc84492c4c47ff5b706340300866f Author: Andy Polyakov Date: Fri Jul 6 15:13:15 2018 +0200 bn/bn_{mont|exp}.c: switch to zero-padded intermediate vectors. Note that exported functions maintain original behaviour, so that external callers won't observe difference. While internally we can now perform Montogomery multiplication on fixed-length vectors, fixed at modulus size. The new functions, bn_to_mont_fixed_top and bn_mul_mont_fixed_top, are declared in bn_int.h, because one can use them even outside bn, e.g. in RSA, DSA, ECDSA... Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6707) (cherry picked from commit 71883868ea5b33416ae8283bcc38dd2d97e5006b) Resolved conflicts: crypto/bn/bn_exp.c crypto/bn/bn_mont.c crypto/include/internal/bn_int.h commit b7862891fed4cfb5ec36a31d35e14b51bf26d01e Author: Andy Polyakov Date: Fri Jul 6 15:02:29 2018 +0200 bn/bn_lib.c: add BN_FLG_FIXED_TOP flag. The new flag marks vectors that were not treated with bn_correct_top, in other words such vectors are permitted to be zero padded. For now it's BN_DEBUG-only flag, as initial use case for zero-padded vectors would be controlled Montgomery multiplication/exponentiation, not general purpose. For general purpose use another type might be more appropriate. Advantage of this suggestion is that it's possible to back-port it... bn/bn_div.c: fix memory sanitizer problem. bn/bn_sqr.c: harmonize with BN_mul. 
Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6707) (cherry picked from commit 305b68f1a2b6d4d0aa07a6ab47ac372f067a40bb) Resolved conflicts: crypto/bn/bn_lcl.h --- Summary of changes: crypto/bn/bn_div.c | 1 + crypto/bn/bn_exp.c | 47 ++-- crypto/bn/bn_lcl.h | 21 ++ crypto/bn/bn_lib.c | 15 + crypto/bn/bn_mont.c | 45 -- crypto/bn/bn_sqr.c | 10 ++--- crypto/include/internal/bn_int.h | 11 ++ 7 files changed, 102 insertions(+), 48 deletions(-) diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c index 5e620b2..aa13ce6 100644 --- a/crypto/bn/bn_div.c +++ b/crypto/bn/bn_div.c @@ -240,6 +240,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, wnum.neg = 0; wnum.d = &(snum->d[loop]); wnum.top = div_n; +wnum.flags = BN_FLG_STATIC_DATA; /* * only needed when BN_ucmp messes up the values between top and max */ diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c index dac3640..a6ad475 100644 --- a/crypto/bn/bn_exp.c +++ b/crypto/bn/bn_exp.c @@ -371,17 +371,17 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, ret = 1; goto err; } -if (!BN_to_montgomery(val[0], aa, mont, ctx)) +if (!bn_to_mont_fixed_top(val[0], aa, mont, ctx)) goto err; /* 1 */ window = BN_window_bits_for_exponent_size(bits); if (window > 1) { -if (!BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx)) +if (!bn_mul_mont_fixed_top(d, val[0], val[0], mont, ctx)) goto err; /* 2 */ j = 1 << (window - 1); for (i = 1; i < j; i++) { if (((val[i] = BN_CTX_get(ctx)) == NULL) || -!BN_mod_mul_montgomery(val[i], val[i - 1], d, mont, ctx)) +!bn_mul_mont_fixed_top(val[i], val[i - 1], d, mont, ctx)) goto err; } } 
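Review bot: The added `wnum.flags = BN_FLG_STATIC_DATA;` is the memory-sanitizer fix named in the commit message, but nothing at the site says why a stack BIGNUM that merely aliases `snum->d` needs it; presumably a later read of the previously uninitialized `flags` field — confirm. Suggest `wnum.flags = BN_FLG_STATIC_DATA; /* wnum borrows snum's words; initialize flags so no field of the stack BIGNUM is left undefined */`. BN_div continues outside the hunk.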
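Review bot: Moving `val[]` and `d` to `bn_to_mont_fixed_top`/`bn_mul_mont_fixed_top` makes every entry of the window table zero-padded to the modulus width, and the function's result now depends on the final value being normalized before it is returned; that step is outside this hunk, so a comment at the first call would help the next reader: `/* val[], d and r are kept fixed-top (zero-padded to the modulus width); the result is normalized on the way out */`. BN_mod_exp_mont continues outside the hunk.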
@@ -403,19 +403,15 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, for (i = 1; i < j; i++) r->d[i] = (~m->d[i]) & BN_MASK2; r->top = j; -/* - * Upper words will be zero if the corresponding words of 'm' were - * 0xfff[...], so decrement r->top accordingly. - */ -bn_correct_top(r); +r->flags |= BN_FLG_FIXED_TOP; } else #endif -if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) +if (!bn_to_mont_fixed_top(r, BN_value_one(), mont, ctx)) goto err; for (;;) { if (BN_is_bit_set(p, wstart) == 0) { if (!start) { -if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) +if (!bn_mul_mont_fixed_top(r, r, r, mont, ctx)) goto err; }
[openssl-commits] [openssl] master update
The branch master has been updated via 793f19e47c69558e39c702da75c27e0509baf379 (commit) via 8e8307231014bded6eb9562262ef09a76d4bfe87 (commit) from 70a579ae2f37437a1e02331eeaa84e1b68ba021e (commit) - Log - commit 793f19e47c69558e39c702da75c27e0509baf379 Author: Andy Polyakov Date: Wed Jul 25 10:24:42 2018 +0200 00-base-templates.conf: engage x25519-ppc64 module. Reviewed-by: Rich Salz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6782) commit 8e8307231014bded6eb9562262ef09a76d4bfe87 Author: Andy Polyakov Date: Wed Jul 25 10:24:09 2018 +0200 Add ec/asm/x25519-ppc64.pl module. Reviewed-by: Rich Salz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6782) --- Summary of changes: Configurations/00-base-templates.conf | 2 +- crypto/ec/asm/x25519-ppc64.pl | 824 ++ crypto/ec/build.info | 1 + 3 files changed, 826 insertions(+), 1 deletion(-) create mode 100755 crypto/ec/asm/x25519-ppc64.pl diff --git a/Configurations/00-base-templates.conf b/Configurations/00-base-templates.conf index 4a1645f..516e3cd 100644 --- a/Configurations/00-base-templates.conf +++ b/Configurations/00-base-templates.conf @@ -344,7 +344,7 @@ my %targets=( ppc64_asm => { inherit_from=> [ "ppc32_asm" ], template=> 1, - ec_asm_src => "ecp_nistz256.c ecp_nistz256-ppc64.s", + ec_asm_src => "ecp_nistz256.c ecp_nistz256-ppc64.s x25519-ppc64.s", keccak1600_asm_src => "keccak1600-ppc64.s", }, ); diff --git a/crypto/ec/asm/x25519-ppc64.pl b/crypto/ec/asm/x25519-ppc64.pl new file mode 100755 index 000..3773cb2 --- /dev/null +++ b/crypto/ec/asm/x25519-ppc64.pl 
@@ -0,0 +1,824 @@ +#! /usr/bin/env perl +# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html +# +# ==== +# Written by Andy Polyakov for the OpenSSL +# project. The module is, however, dual licensed under OpenSSL and +# CRYPTOGAMS licenses depending on where you obtain it. For further +# details see http://www.openssl.org/~appro/cryptogams/. +# +# +# X25519 lower-level primitives for PPC64. +# +# July 2018. +# +# Base 2^64 is faster than base 2^51 on pre-POWER8, most notably ~15% +# faster on PPC970/G5. POWER8 on the other hand seems to trip on own +# shoelaces when handling longer carry chains. As base 2^51 has just +# single-carry pairs, it's 25% faster than base 2^64. Since PPC970 is +# pretty old, base 2^64 implementation is not engaged. Comparison to +# compiler-generated code is complicated by the fact that not all +# compilers support 128-bit integers. When compiler doesn't, like xlc, +# this module delivers more than 2x improvement, and when it does, +# from 12% to 30% improvement was measured... 
+ +$flavour = shift; +while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or +( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or +die "can't locate ppc-xlate.pl"; + +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; + +my $sp = "r1"; +my ($rp,$ap,$bp) = map("r$_",3..5); + +### base 2^64 +if (0) { +my ($bi,$a0,$a1,$a2,$a3,$t0,$t1, $t2,$t3, +$acc0,$acc1,$acc2,$acc3,$acc4,$acc5,$acc6,$acc7) = +map("r$_",(6..12,22..31)); +my $zero = "r0"; +my $FRAME = 16*8; + +$code.=<<___; +.text + +.globl x25519_fe64_mul +.type x25519_fe64_mul,\@function +.align 5 +x25519_fe64_mul: + stdu$sp,-$FRAME($sp) + std r22,`$FRAME-8*10`($sp) + std r23,`$FRAME-8*9`($sp) + std r24,`$FRAME-8*8`($sp) + std r25,`$FRAME-8*7`($sp) + std r26,`$FRAME-8*6`($sp) + std r27,`$FRAME-8*5`($sp) + std r28,`$FRAME-8*4`($sp) + std r29,`$FRAME-8*3`($sp) + std r30,`$FRAME-8*2`($sp) + std r31,`$FRAME-8*1`($sp) + + ld $bi,0($bp) + ld $a0,0($ap) + xor $zero,$zero,$zero + ld $a1,8($ap) + ld $a2,16($ap) + ld $a3,24($ap) + + mulld $acc0,$a0,$bi # a[0]*b[0] + mulhdu $t0,$a0,$bi + mulld $
[openssl-commits] [openssl] master update
The branch master has been updated via 70a579ae2f37437a1e02331eeaa84e1b68ba021e (commit) from 06deb93286ac5f125fc81ddc9260b9de2311c7f3 (commit) - Log - commit 70a579ae2f37437a1e02331eeaa84e1b68ba021e Author: Andy Polyakov Date: Wed Jul 25 10:29:51 2018 +0200 bn/bn_mod.c: harmonize BN_mod_add_quick with original implementation. New implementation failed to correctly reset r->neg flag. Spotted by OSSFuzz. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6783) --- Summary of changes: crypto/bn/bn_mod.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/bn/bn_mod.c b/crypto/bn/bn_mod.c index 463d2d6..d8e2e12 100644 --- a/crypto/bn/bn_mod.c +++ b/crypto/bn/bn_mod.c @@ -83,6 +83,7 @@ int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, ((volatile BN_ULONG *)tp)[i] = 0; } r->top = mtop; +r->neg = 0; if (tp != storage) OPENSSL_free(tp); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
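Review bot: `r->neg = 0;` is the right fix but it is unexplained at the site: `r` may be reused from an earlier computation and carry a stale sign, while the function's contract (non-negative `a` and `b` below `m`) guarantees a non-negative result. Suggest `r->neg = 0; /* a, b >= 0 by contract, so is the result; clear any stale sign on a reused r */`. The rest of bn_mod_add_fixed_top is outside the hunk.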
[openssl-commits] [openssl] master update
The branch master has been updated via 06deb93286ac5f125fc81ddc9260b9de2311c7f3 (commit) from b9e54e98066c1ff8adab5d68b6c114b14d2f74e5 (commit) - Log - commit 06deb93286ac5f125fc81ddc9260b9de2311c7f3 Author: Andy Polyakov Date: Wed Jul 25 11:13:58 2018 +0200 apps/apps.c: harmonize print_bignum_var output with coding style. Reviewed-by: Rich Salz --- Summary of changes: apps/apps.c | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index 2740275..4090e60 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1188,16 +1188,15 @@ void print_bignum_var(BIO *out, const BIGNUM *in, const char *var, { BIO_printf(out, "static unsigned char %s_%d[] = {", var, len); if (BN_is_zero(in)) { -BIO_printf(out, "\n\t0x00"); +BIO_printf(out, "\n0x00"); } else { int i, l; l = BN_bn2bin(in, buffer); for (i = 0; i < l; i++) { -if ((i % 10) == 0) -BIO_printf(out, "\n\t"); +BIO_printf(out, (i % 10) == 0 ? "\n" : " "); if (i < l - 1) -BIO_printf(out, "0x%02X, ", buffer[i]); +BIO_printf(out, "0x%02X,", buffer[i]); else BIO_printf(out, "0x%02X", buffer[i]); } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
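Review bot: `BIO_printf(out, (i % 10) == 0 ? "\n" : " ");` picks a format string at run time to emit plain text, which is what format-string linters flag; `BIO_puts(out, (i % 10) == 0 ? "\n" : " ");` says what is meant, and the `"\n0x00"` branch could use `BIO_puts` for the same reason. print_bignum_var continues outside the hunk.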
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 1de6818a30fa11350460aa148e1ee30cad0a9b10 (commit) from 793e7eafd46a39f6345d7113a517c5ee5c2c6884 (commit) - Log - commit 1de6818a30fa11350460aa148e1ee30cad0a9b10 Author: Andy Polyakov Date: Fri Jul 20 13:19:11 2018 +0200 crypto/cryptlib.c: resolve possible race in OPENSSL_isservice. Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6752) (cherry picked from commit 9e4a1c3f65863b0175ddc534e232e63c4f82ea5c) --- Summary of changes: crypto/cryptlib.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c index d93bcd3..bf73244 100644 --- a/crypto/cryptlib.c +++ b/crypto/cryptlib.c @@ -128,10 +128,14 @@ int OPENSSL_isservice(void) if (_OPENSSL_isservice.p == NULL) { HANDLE mod = GetModuleHandle(NULL); +FARPROC f; + if (mod != NULL) -_OPENSSL_isservice.f = GetProcAddress(mod, "_OPENSSL_isservice"); -if (_OPENSSL_isservice.p == NULL) +f = GetProcAddress(mod, "_OPENSSL_isservice"); +if (f == NULL) _OPENSSL_isservice.p = (void *)-1; +else +_OPENSSL_isservice.f = f; } if (_OPENSSL_isservice.p != (void *)-1) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
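Review bot: `f` is assigned only inside `if (mod != NULL)`, so when GetModuleHandle(NULL) returns NULL — the very case that guard exists for — the following `if (f == NULL)` reads an uninitialized variable and may store garbage into `_OPENSSL_isservice.f`. Initialize it at the declaration: `FARPROC f = NULL;`. The rest of OPENSSL_isservice is outside the hunk.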
[openssl-commits] [openssl] master update
The branch master has been updated via f529b5cf05139c20f298f553446122123c012317 (commit) from 7b953da40d0dee56f360902f872dc8989f6a3e1f (commit) - Log - commit f529b5cf05139c20f298f553446122123c012317 Author: Andy Polyakov Date: Tue Jul 24 15:02:32 2018 +0200 INSTALL,NOTES.WIN: classify no-asm as non-production option. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6773) --- Summary of changes: INSTALL | 6 -- NOTES.WIN | 9 + 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/INSTALL b/INSTALL index 51141ef..98c34d6 100644 --- a/INSTALL +++ b/INSTALL @@ -256,8 +256,10 @@ no-shared option. no-asm - Do not use assembler code. On some platforms a small amount - of assembler code may still be used. + Do not use assembler code. This should be viewed as + debugging/trouble-shooting option rather than production. + On some platforms a small amount of assembler code may + still be used even with this option. no-async Do not build support for async operations. diff --git a/NOTES.WIN b/NOTES.WIN index 014036c..4d39d06 100644 --- a/NOTES.WIN +++ b/NOTES.WIN @@ -47,10 +47,11 @@ the other hand oldest one is known not to work. Everything between falls into best-effort category. - - Netwide Assembler, a.k.a. NASM, available from http://www.nasm.us, - is required if you intend to utilize assembler modules. Note that NASM - is the only supported assembler. The Microsoft provided assembler is NOT - supported. + - Netwide Assembler, a.k.a. NASM, available from https://www.nasm.us, + is required. Note that NASM is the only supported assembler. Even + though Microsoft provided assembler is NOT supported, contemporary + 64-bit version is exercised through continuous integration of + VC-WIN64A-masm target. Installation directories _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 7b953da40d0dee56f360902f872dc8989f6a3e1f (commit) from d6b50b6e2ebc0c198877b5c56ae0a54cb9036088 (commit) - Log - commit 7b953da40d0dee56f360902f872dc8989f6a3e1f Author: Andy Polyakov Date: Tue Jul 24 15:48:15 2018 +0200 ec/ecp_nistz256.c: fix Coverity nit. |ctx| recently became unconditionally non-NULL and is already dereferenced earlier. Reviewed-by: Rich Salz --- Summary of changes: crypto/ec/ecp_nistz256.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c
index 54c9ed2..b0564bd 100644
--- a/crypto/ec/ecp_nistz256.c
+++ b/crypto/ec/ecp_nistz256.c
@@ -1339,8 +1339,7 @@ __owur static int ecp_nistz256_points_mul(const EC_GROUP *group,
 ret = 1;
 err:
-if (ctx)
-BN_CTX_end(ctx);
+BN_CTX_end(ctx);
 OPENSSL_free(new_points);
 OPENSSL_free(new_scalars);
 return ret;
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 793e7eafd46a39f6345d7113a517c5ee5c2c6884 (commit) from 36e732b00c8a22d50f88ee59d8790d5667ff72e2 (commit) - Log - commit 793e7eafd46a39f6345d7113a517c5ee5c2c6884 Author: Andy Polyakov Date: Mon Jul 23 22:26:30 2018 +0200 apps/dsaparam.c: make dsaparam -C output strict-warnings-friendly. Reviewed-by: Rich Salz (cherry picked from commit d6b50b6e2ebc0c198877b5c56ae0a54cb9036088) --- Summary of changes: apps/dsaparam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index 46e3abc..20891cf 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -226,7 +226,7 @@ int dsaparam_main(int argc, char **argv)
 data = app_malloc(len + 20, "BN space");
-BIO_printf(bio_out, "DSA *get_dsa%d()\n{\n", bits_p);
+BIO_printf(bio_out, "static DSA *get_dsa%d(void)\n{\n", bits_p);
 print_bignum_var(bio_out, p, "dsap", bits_p, data);
 print_bignum_var(bio_out, q, "dsaq", bits_p, data);
 print_bignum_var(bio_out, g, "dsag", bits_p, data);
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via d6b50b6e2ebc0c198877b5c56ae0a54cb9036088 (commit) from eb807d5383fd228a5c4cf9afc2fec487e0d22cee (commit) - Log - commit d6b50b6e2ebc0c198877b5c56ae0a54cb9036088 Author: Andy Polyakov Date: Mon Jul 23 22:26:30 2018 +0200 apps/dsaparam.c: make dsaparam -C output strict-warnings-friendly. Reviewed-by: Rich Salz --- Summary of changes: apps/dsaparam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index ca072bb..9d8af9e 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -179,7 +179,7 @@ int dsaparam_main(int argc, char **argv)
 data = app_malloc(len + 20, "BN space");
-BIO_printf(bio_out, "DSA *get_dsa%d()\n{\n", bits_p);
+BIO_printf(bio_out, "static DSA *get_dsa%d(void)\n{\n", bits_p);
 print_bignum_var(bio_out, p, "dsap", bits_p, data);
 print_bignum_var(bio_out, q, "dsaq", bits_p, data);
 print_bignum_var(bio_out, g, "dsag", bits_p, data);
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via a8a9745257a5071b03d06b82d4b05cabb38d9718 (commit) from 7ccc506b56c3f20f08565b5aff268cb2f3bd046d (commit) - Log - commit a8a9745257a5071b03d06b82d4b05cabb38d9718 Author: Andy Polyakov Date: Sun Jul 22 16:28:20 2018 +0200 ec/ecp_nistz256.c: fix ecp_nistz256_set_from_affine. ecp_nistz256_set_from_affine is called when application attempts to use custom generator, i.e. rarely. Even though it was wrong, it didn't affect point operations, they were just not as fast as expected. Reviewed-by: Paul Dale Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6761) --- Summary of changes: crypto/ec/ecp_nistz256.c | 23 --- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index 9a53a39..0579cac 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c @@ -1118,23 +1118,32 @@ static int ecp_nistz256_set_from_affine(EC_POINT *out, const EC_GROUP *group, const P256_POINT_AFFINE *in, BN_CTX *ctx) { -BIGNUM x, y; -BN_ULONG d_x[P256_LIMBS], d_y[P256_LIMBS]; +BIGNUM x, y, z; int ret = 0; -memcpy(d_x, in->X, sizeof(d_x)); -x.d = d_x; +/* + * |const| qualifier omission is compensated by BN_FLG_STATIC_DATA + * flag, which effectively means "read-only data". + */ +x.d = (BN_ULONG *)in->X; x.dmax = x.top = P256_LIMBS; x.neg = 0; x.flags = BN_FLG_STATIC_DATA; -memcpy(d_y, in->Y, sizeof(d_y)); -y.d = d_y; +y.d = (BN_ULONG *)in->Y; y.dmax = y.top = P256_LIMBS; y.neg = 0; y.flags = BN_FLG_STATIC_DATA; -ret = EC_POINT_set_affine_coordinates_GFp(group, out, , , ctx); +z.d = (BN_ULONG *)ONE; +z.dmax = z.top = P256_LIMBS; +z.neg = 0; +z.flags = BN_FLG_STATIC_DATA; + +if ((ret = (BN_copy(>X, ) != NULL)) +&& (ret = (BN_copy(>Y, ) != NULL)) +&& (ret = (BN_copy(>Z, ) != NULL))) +out->Z_is_one = 1; return ret; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
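Review bot: The three `ret = (BN_copy(...) != NULL)` assignments chained inside a single `&&` condition bury the error handling in the condition; three plain guards, `if (BN_copy(&out->X, &x) == NULL) return 0;` and likewise for Y and Z, followed by `out->Z_is_one = 1; return 1;`, would read more clearly and make it obvious that a failure after the first copy leaves `out` partially updated (the `&` characters appear to have been dropped from this archive's rendering of the hunk). The stack BIGNUMs x, y and z never go through BN_init; every field used here (d, dmax, top, neg, flags) is assigned explicitly, which is only safe if the 1.0.2 BIGNUM has no other members — worth confirming against bn.h. The casts that strip `const` from in->X and in->Y mean any BN routine that writes in place through `x.d` would modify the caller's point, so x and y must only ever be used as read-only operands, which the added comment should say explicitly.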
[openssl-commits] [openssl] master update
The branch master has been updated via 275bfc56a6c4efa7e80c8cbb11fda0c3f9be818d (commit) from d8356e1b0f3635f6bd71814272c1d067fc9381bb (commit) - Log - commit 275bfc56a6c4efa7e80c8cbb11fda0c3f9be818d Author: Andy Polyakov Date: Sun Jul 22 11:51:38 2018 +0200 .travis.yml: omit linux-ppc64le target. Build jobs keep timing out initializing... Reviewed-by: Kurt Roeckx --- Summary of changes: .travis.yml | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index 51fd563..e9e5aa2 100644 --- a/.travis.yml +++ b/.travis.yml @@ -31,10 +31,10 @@ env: matrix: include: -- os: linux-ppc64le - sudo: false - compiler: clang - env: CONFIG_OPTS="--strict-warnings -D__NO_STRING_INLINES" +#- os: linux-ppc64le +# sudo: false +# compiler: clang +# env: CONFIG_OPTS="--strict-warnings -D__NO_STRING_INLINES" - os: linux addons: apt: _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via eff1c8a2d8c625b36e6ed33bd49ac09f37f1bf22 (commit) via 5c2bac9289e97b47dc1fd1603efe09d3e10ce9cb (commit) via 08a1d30e6051afc78780f92e80b9809ba1bdaac3 (commit) from 1ef7cb279ccb69f5c3adde8aa961b72c05094237 (commit) - Log - commit eff1c8a2d8c625b36e6ed33bd49ac09f37f1bf22 Author: Andy Polyakov Date: Wed Jul 18 15:22:07 2018 +0200 ec/ecp_nistz256.c: fix ecp_nistz256_set_from_affine. ecp_nistz256_set_from_affine is called when application attempts to use custom generator, i.e. rarely. Even though it was wrong, it didn't affect point operations, they were just not as fast as expected. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6738) (cherry picked from commit 8fc4aeb9521270ac74b29ce7f569939b0b39e685) commit 5c2bac9289e97b47dc1fd1603efe09d3e10ce9cb Author: Andy Polyakov Date: Wed Jul 18 15:14:44 2018 +0200 ec/asm/ecp_nistz256-{!x86_64}.pl: fix scatter_w7 function. The ecp_nistz256_scatter_w7 function is called when application attempts to use custom generator, i.e. rarely. Even though non-x86_64 versions were wrong, it didn't affect point operations, they were just not as fast as expected. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6738) (cherry picked from commit 87a75b3e5c04a1696208c279f32d1114b862cfed) commit 08a1d30e6051afc78780f92e80b9809ba1bdaac3 Author: Andy Polyakov Date: Wed Jul 18 15:13:27 2018 +0200 bn/bn_intern.c: const-ify bn_set_{static}_words. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6738) (cherry picked from commit f40e0a342cbca8bb71d0fe3f19e1b4bfd853aff1) --- Summary of changes: crypto/bn/bn_intern.c | 10 +++--- crypto/ec/asm/ecp_nistz256-armv4.pl | 8 crypto/ec/asm/ecp_nistz256-armv8.pl | 16 crypto/ec/asm/ecp_nistz256-sparcv9.pl | 8 crypto/ec/asm/ecp_nistz256-x86.pl | 2 +- crypto/ec/ecp_nistz256.c | 28 ++-- crypto/include/internal/bn_int.h | 4 ++-- 7 files changed, 32 insertions(+), 44 deletions(-) 
diff --git a/crypto/bn/bn_intern.c b/crypto/bn/bn_intern.c index 2c97064..92f1cb7 100644 --- a/crypto/bn/bn_intern.c +++ b/crypto/bn/bn_intern.c @@ -177,16 +177,20 @@ BN_ULONG *bn_get_words(const BIGNUM *a) return a->d; } -void bn_set_static_words(BIGNUM *a, BN_ULONG *words, int size) +void bn_set_static_words(BIGNUM *a, const BN_ULONG *words, int size) { -a->d = words; +/* + * |const| qualifier omission is compensated by BN_FLG_STATIC_DATA + * flag, which effectively means "read-only data". + */ +a->d = (BN_ULONG *)words; a->dmax = a->top = size; a->neg = 0; a->flags |= BN_FLG_STATIC_DATA; bn_correct_top(a); } -int bn_set_words(BIGNUM *a, BN_ULONG *words, int num_words) +int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words) { if (bn_wexpand(a, num_words) == NULL) { BNerr(BN_F_BN_SET_WORDS, ERR_R_MALLOC_FAILURE); diff --git a/crypto/ec/asm/ecp_nistz256-armv4.pl b/crypto/ec/asm/ecp_nistz256-armv4.pl index 39d4cb9..4b58135 100755 --- a/crypto/ec/asm/ecp_nistz256-armv4.pl +++ b/crypto/ec/asm/ecp_nistz256-armv4.pl @@ -894,13 +894,13 @@ ecp_nistz256_scatter_w7: .Loop_scatter_w7: ldr $mask,[$inp],#4 subs$index,$index,#1 - strb$mask,[$out,#64*0-1] + strb$mask,[$out,#64*0] mov $mask,$mask,lsr#8 - strb$mask,[$out,#64*1-1] + strb$mask,[$out,#64*1] mov $mask,$mask,lsr#8 - strb$mask,[$out,#64*2-1] + strb$mask,[$out,#64*2] mov $mask,$mask,lsr#8 - strb$mask,[$out,#64*3-1] + strb$mask,[$out,#64*3] add $out,$out,#64*4 bne .Loop_scatter_w7 diff --git a/crypto/ec/asm/ecp_nistz256-armv8.pl b/crypto/ec/asm/ecp_nistz256-armv8.pl index cdc9161..a726cc3 100644 --- a/crypto/ec/asm/ecp_nistz256-armv8.pl +++ b/crypto/ec/asm/ecp_nistz256-armv8.pl 
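Review bot: The new comment in bn_set_static_words says BN_FLG_STATIC_DATA `effectively means "read-only data"`, but as far as I recall the flag only makes bn_wexpand()/bn_expand2() refuse to reallocate `a->d`; it does not stop in-place writes (BN_zero, BN_set_bit, or a result BIGNUM aliasing `a`) through the now non-const pointer, and for genuinely const input such a write is undefined behaviour. Suggest tightening it to `/* BN_FLG_STATIC_DATA stops bn_wexpand() from reallocating |d| but not in-place writes; callers must use |a| only as a read-only operand. */`. The same wording is introduced in the master update below (bn_intern.c @@ -172,16) and in the ecp_nistz256.c hunks that copy it. bn_set_words continues outside the hunk.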
@@ -1477,21 +1477,21 @@ ecp_nistz256_scatter_w7: prfmpstl1strm,[$out,#4096+64*5] prfmpstl1strm,[$out,#4096+64*6] prfmpstl1strm,[$out,#4096+64*7] - strbw3,[$out,#64*0-1] + strbw3,[$out,#64*0] lsr x3,x3,#8 - strbw3,[$out,#64*1-1] + strbw3,[$out,#64*1] lsr x3,x3,#8 - strbw3,[$out,#64*2-1] + strbw3,[$out,#64*2] lsr x3,x3,#8 - strbw3,[$out,#64*3-1] + strbw3,[$out,#64*3] lsr x3,x3,#8 - strbw3,[$out,#64*4-1] + strbw3,[$out,#64*4] lsr x3,x3,#8 - strb
[openssl-commits] [openssl] master update
The branch master has been updated via 8fc4aeb9521270ac74b29ce7f569939b0b39e685 (commit) via 87a75b3e5c04a1696208c279f32d1114b862cfed (commit) via f40e0a342cbca8bb71d0fe3f19e1b4bfd853aff1 (commit) from 708c28f2f0598af6bccbeb60fb46086784aed7da (commit) - Log - commit 8fc4aeb9521270ac74b29ce7f569939b0b39e685 Author: Andy Polyakov Date: Wed Jul 18 15:22:07 2018 +0200 ec/ecp_nistz256.c: fix ecp_nistz256_set_from_affine. ecp_nistz256_set_from_affine is called when application attempts to use custom generator, i.e. rarely. Even though it was wrong, it didn't affect point operations, they were just not as fast as expected. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6738) commit 87a75b3e5c04a1696208c279f32d1114b862cfed Author: Andy Polyakov Date: Wed Jul 18 15:14:44 2018 +0200 ec/asm/ecp_nistz256-{!x86_64}.pl: fix scatter_w7 function. The ecp_nistz256_scatter_w7 function is called when application attempts to use custom generator, i.e. rarely. Even though non-x86_64 versions were wrong, it didn't affect point operations, they were just not as fast as expected. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6738) commit f40e0a342cbca8bb71d0fe3f19e1b4bfd853aff1 Author: Andy Polyakov Date: Wed Jul 18 15:13:27 2018 +0200 bn/bn_intern.c: const-ify bn_set_{static}_words. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6738) --- Summary of changes: crypto/bn/bn_intern.c | 10 +++--- crypto/ec/asm/ecp_nistz256-armv4.pl | 8 crypto/ec/asm/ecp_nistz256-armv8.pl | 16 crypto/ec/asm/ecp_nistz256-ppc64.pl | 16 crypto/ec/asm/ecp_nistz256-sparcv9.pl | 8 crypto/ec/asm/ecp_nistz256-x86.pl | 2 +- crypto/ec/ecp_nistz256.c | 28 ++-- crypto/include/internal/bn_int.h | 4 ++-- 8 files changed, 40 insertions(+), 52 deletions(-) diff --git a/crypto/bn/bn_intern.c b/crypto/bn/bn_intern.c index 2524eb2..faebdc8 100644 --- a/crypto/bn/bn_intern.c +++ b/crypto/bn/bn_intern.c 
@@ -172,16 +172,20 @@ BN_ULONG *bn_get_words(const BIGNUM *a) return a->d; } -void bn_set_static_words(BIGNUM *a, BN_ULONG *words, int size) +void bn_set_static_words(BIGNUM *a, const BN_ULONG *words, int size) { -a->d = words; +/* + * |const| qualifier omission is compensated by BN_FLG_STATIC_DATA + * flag, which effectively means "read-only data". + */ +a->d = (BN_ULONG *)words; a->dmax = a->top = size; a->neg = 0; a->flags |= BN_FLG_STATIC_DATA; bn_correct_top(a); } -int bn_set_words(BIGNUM *a, BN_ULONG *words, int num_words) +int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words) { if (bn_wexpand(a, num_words) == NULL) { BNerr(BN_F_BN_SET_WORDS, ERR_R_MALLOC_FAILURE); diff --git a/crypto/ec/asm/ecp_nistz256-armv4.pl b/crypto/ec/asm/ecp_nistz256-armv4.pl index 84dcb6e..83abbdd 100755 --- a/crypto/ec/asm/ecp_nistz256-armv4.pl +++ b/crypto/ec/asm/ecp_nistz256-armv4.pl @@ -894,13 +894,13 @@ ecp_nistz256_scatter_w7: .Loop_scatter_w7: ldr $mask,[$inp],#4 subs$index,$index,#1 - strb$mask,[$out,#64*0-1] + strb$mask,[$out,#64*0] mov $mask,$mask,lsr#8 - strb$mask,[$out,#64*1-1] + strb$mask,[$out,#64*1] mov $mask,$mask,lsr#8 - strb$mask,[$out,#64*2-1] + strb$mask,[$out,#64*2] mov $mask,$mask,lsr#8 - strb$mask,[$out,#64*3-1] + strb$mask,[$out,#64*3] add $out,$out,#64*4 bne .Loop_scatter_w7 diff --git a/crypto/ec/asm/ecp_nistz256-armv8.pl b/crypto/ec/asm/ecp_nistz256-armv8.pl index 2705d7c..1361cb3 100644 --- a/crypto/ec/asm/ecp_nistz256-armv8.pl +++ b/crypto/ec/asm/ecp_nistz256-armv8.pl 
@@ -1776,21 +1776,21 @@ ecp_nistz256_scatter_w7: prfmpstl1strm,[$out,#4096+64*5] prfmpstl1strm,[$out,#4096+64*6] prfmpstl1strm,[$out,#4096+64*7] - strbw3,[$out,#64*0-1] + strbw3,[$out,#64*0] lsr x3,x3,#8 - strbw3,[$out,#64*1-1] + strbw3,[$out,#64*1] lsr x3,x3,#8 - strbw3,[$out,#64*2-1] + strbw3,[$out,#64*2] lsr x3,x3,#8 - strbw3,[$out,#64*3-1] + strbw3,[$out,#64*3] lsr x3,x3,#8 - strbw3,[$out,#64*4-1] + strbw3,[$out,#64*4] lsr x3,x3,#8 - strbw3,[$out,#64*5-1] + strbw3,[$out,#64*5] lsr x3,x3,#8 - strbw3,[$out,#64*6-1] + strbw3,[$out,#64*6] lsr x3,x3,#8 - strbw3,[$
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 1ef7cb279ccb69f5c3adde8aa961b72c05094237 (commit) from a0d893f9b403e2e435b39b4adf14ebffadd4ea89 (commit) - Log - commit 1ef7cb279ccb69f5c3adde8aa961b72c05094237 Author: Andy Polyakov Date: Sat Jul 21 13:50:14 2018 +0200 apps/dsaparam.c: fix -C output. Reviewed-by: Matthias St. Pierre Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6758) (cherry picked from commit 708c28f2f0598af6bccbeb60fb46086784aed7da) --- Summary of changes: apps/dsaparam.c | 27 +++ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/apps/dsaparam.c b/apps/dsaparam.c index 5c3c8f8..46e3abc 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c 
@@ -227,24 +227,27 @@ int dsaparam_main(int argc, char **argv) data = app_malloc(len + 20, "BN space"); BIO_printf(bio_out, "DSA *get_dsa%d()\n{\n", bits_p); -print_bignum_var(bio_out, p, "dsap", len, data); -print_bignum_var(bio_out, q, "dsaq", len, data); -print_bignum_var(bio_out, g, "dsag", len, data); +print_bignum_var(bio_out, p, "dsap", bits_p, data); +print_bignum_var(bio_out, q, "dsaq", bits_p, data); +print_bignum_var(bio_out, g, "dsag", bits_p, data); BIO_printf(bio_out, "DSA *dsa = DSA_new();\n" +"BIGNUM *p, *q, *g;\n" "\n"); BIO_printf(bio_out, "if (dsa == NULL)\n" "return NULL;\n"); -BIO_printf(bio_out, "dsa->p = BN_bin2bn(dsap_%d, sizeof(dsap_%d), NULL);\n", - bits_p, bits_p); -BIO_printf(bio_out, "dsa->q = BN_bin2bn(dsaq_%d, sizeof(dsaq_%d), NULL);\n", - bits_p, bits_p); -BIO_printf(bio_out, "dsa->g = BN_bin2bn(dsag_%d, sizeof(dsag_%d), NULL);\n", - bits_p, bits_p); -BIO_printf(bio_out, "if (!dsa->p || !dsa->q || !dsa->g) {\n" -"DSA_free(dsa);\n" +BIO_printf(bio_out, "if (!DSA_set0_pqg(dsa, p = BN_bin2bn(dsap_%d, sizeof(dsap_%d), NULL),\n", + bits_p, bits_p); +BIO_printf(bio_out, " q = BN_bin2bn(dsaq_%d, sizeof(dsaq_%d), NULL),\n", + bits_p, bits_p); +BIO_printf(bio_out, " g = BN_bin2bn(dsag_%d, sizeof(dsag_%d), NULL))) {\n", + bits_p, bits_p); +BIO_printf(bio_out, "DSA_free(dsa);\n" +"BN_free(p);\n" +"BN_free(q);\n" +"BN_free(g);\n" "return NULL;\n" "}\n" -"return(dsa);\n}\n"); +"return dsa;\n}\n"); OPENSSL_free(data); } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
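Review bot: The emitted cleanup `DSA_free(dsa); BN_free(p); BN_free(q); BN_free(g);` after a failed DSA_set0_pqg is correct only if DSA_set0_pqg leaves ownership of p, q and g with the caller on failure, which I believe it does since it rejects NULL arguments before taking anything; a comment next to these BIO_printf calls stating that assumption would save the next reader the lookup. As a point of style, the generated C is now split across six BIO_printf calls with `%d` substitutions in the middle of expressions, which makes the output hard to read back; one format string per generated line, or a single block with the three `bits_p` substitutions, would keep it reviewable. The identical change is in the master update below (apps/dsaparam.c @@ -180,24). dsaparam_main continues outside the hunk.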
[openssl-commits] [openssl] master update
The branch master has been updated via 708c28f2f0598af6bccbeb60fb46086784aed7da (commit) from ddbe700e93e34694519d303e1b4e4525184c9dad (commit) - Log - commit 708c28f2f0598af6bccbeb60fb46086784aed7da Author: Andy Polyakov Date: Sat Jul 21 13:50:14 2018 +0200 apps/dsaparam.c: fix -C output. Reviewed-by: Matthias St. Pierre Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6758) --- Summary of changes: apps/dsaparam.c | 27 +++ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/apps/dsaparam.c b/apps/dsaparam.c index 8e33ffd..ca072bb 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c 
@@ -180,24 +180,27 @@ int dsaparam_main(int argc, char **argv) data = app_malloc(len + 20, "BN space"); BIO_printf(bio_out, "DSA *get_dsa%d()\n{\n", bits_p); -print_bignum_var(bio_out, p, "dsap", len, data); -print_bignum_var(bio_out, q, "dsaq", len, data); -print_bignum_var(bio_out, g, "dsag", len, data); +print_bignum_var(bio_out, p, "dsap", bits_p, data); +print_bignum_var(bio_out, q, "dsaq", bits_p, data); +print_bignum_var(bio_out, g, "dsag", bits_p, data); BIO_printf(bio_out, "DSA *dsa = DSA_new();\n" +"BIGNUM *p, *q, *g;\n" "\n"); BIO_printf(bio_out, "if (dsa == NULL)\n" "return NULL;\n"); -BIO_printf(bio_out, "dsa->p = BN_bin2bn(dsap_%d, sizeof(dsap_%d), NULL);\n", - bits_p, bits_p); -BIO_printf(bio_out, "dsa->q = BN_bin2bn(dsaq_%d, sizeof(dsaq_%d), NULL);\n", - bits_p, bits_p); -BIO_printf(bio_out, "dsa->g = BN_bin2bn(dsag_%d, sizeof(dsag_%d), NULL);\n", - bits_p, bits_p); -BIO_printf(bio_out, "if (!dsa->p || !dsa->q || !dsa->g) {\n" -"DSA_free(dsa);\n" +BIO_printf(bio_out, "if (!DSA_set0_pqg(dsa, p = BN_bin2bn(dsap_%d, sizeof(dsap_%d), NULL),\n", + bits_p, bits_p); +BIO_printf(bio_out, " q = BN_bin2bn(dsaq_%d, sizeof(dsaq_%d), NULL),\n", + bits_p, bits_p); +BIO_printf(bio_out, " g = BN_bin2bn(dsag_%d, sizeof(dsag_%d), NULL))) {\n", + bits_p, bits_p); +BIO_printf(bio_out, "DSA_free(dsa);\n" +"BN_free(p);\n" +"BN_free(q);\n" +"BN_free(g);\n" "return NULL;\n" "}\n" -"return(dsa);\n}\n"); +"return dsa;\n}\n"); OPENSSL_free(data); } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via f20aa69e33a7b418e052cf210374e2267cb93a5c (commit) via f36e9f1183b4c4947d3c71d4c31a541b96c6e3f8 (commit) via 89310b8b0f4dbe207ffd9056109fad9abab6e4d4 (commit) via 756c91b163e7d4b117590e2cb7632fbfd8cd0bda (commit) via d1e19404ceab92084eeab9e9f319009fbd9e1002 (commit) from d8434cf85691f32a17dcdfed6e81769a001074dd (commit) - Log - commit f20aa69e33a7b418e052cf210374e2267cb93a5c Author: Andy Polyakov Date: Thu Jul 19 15:28:34 2018 +0200 crypto/*: address standard-compilance nits. Reviewed-by: Rich Salz Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6745) commit f36e9f1183b4c4947d3c71d4c31a541b96c6e3f8 Author: Andy Polyakov Date: Thu Jul 19 15:27:24 2018 +0200 bio/bss_dgram.c: harmonize usage of OPENSSL_USE_IPV6 with the rest. Reviewed-by: Rich Salz Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6745) commit 89310b8b0f4dbe207ffd9056109fad9abab6e4d4 Author: Andy Polyakov Date: Thu Jul 19 15:16:38 2018 +0200 include/openssl/e_os2.h: define last-resort SSIZE_MAX. Reviewed-by: Rich Salz Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6745) commit 756c91b163e7d4b117590e2cb7632fbfd8cd0bda Author: Andy Polyakov Date: Thu Jul 19 14:45:06 2018 +0200 ec/ec_lcl.h: fix pre-C9x compilation problems. Reviewed-by: Rich Salz Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6745) commit d1e19404ceab92084eeab9e9f319009fbd9e1002 Author: Andy Polyakov Date: Thu Jul 19 12:30:26 2018 +0200 .travis.yml: exercise -std=c89 in order to catch corresponding problems. Reviewed-by: Rich Salz Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6745) --- Summary of changes: .travis.yml| 2 +- crypto/bio/bss_dgram.c | 2 +- crypto/conf/conf_def.c | 6 +- crypto/ec/ec_lcl.h | 18 +- crypto/store/loader_file.c | 6 +- crypto/ui/ui_openssl.c | 2 +- include/openssl/e_os2.h| 2 ++ 7 files changed, 24 insertions(+), 14 deletions(-) 
diff --git a/.travis.yml b/.travis.yml index 34ccf80..51fd563 100644 --- a/.travis.yml +++ b/.travis.yml @@ -27,7 +27,7 @@ compiler: env: - CONFIG_OPTS="" DESTDIR="_install" - CONFIG_OPTS="no-asm -Werror --debug no-afalgeng no-shared enable-crypto-mdebug enable-rc5 enable-md2" -- CONFIG_OPTS="no-asm no-makedepend --strict-warnings" BUILDONLY="yes" CHECKDOCS="yes" GENERATE="yes" +- CONFIG_OPTS="no-asm no-makedepend --strict-warnings -std=c89 -D_DEFAULT_SOURCE" BUILDONLY="yes" CHECKDOCS="yes" GENERATE="yes" matrix: include: diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c index 424109c..d5fe5bb 100644 --- a/crypto/bio/bss_dgram.c +++ b/crypto/bio/bss_dgram.c @@ -364,7 +364,7 @@ static long dgram_get_mtu_overhead(bio_dgram_data *data) */ ret = 28; break; -# ifdef AF_INET6 +# if OPENSSL_USE_IPV6 case AF_INET6: { # ifdef IN6_IS_ADDR_V4MAPPED diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c index 7340a91..676540c 100644 --- a/crypto/conf/conf_def.c +++ b/crypto/conf/conf_def.c @@ -27,6 +27,10 @@ # endif #endif +#ifndef S_ISDIR +# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR) +#endif + /* * The maximum length we can grow a value to after variable expansion. 64k * should be more than enough for all reasonable uses. @@ -656,7 +660,7 @@ static BIO *process_include(char *include, OPENSSL_DIR_CTX **dirctx, return NULL; } -if ((st.st_mode & S_IFDIR) == S_IFDIR) { +if (S_ISDIR(st.st_mode)) { if (*dirctx != NULL) { CONFerr(CONF_F_PROCESS_INCLUDE, CONF_R_RECURSIVE_DIRECTORY_INCLUDE); diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h index 8b16971..217392e 100644 --- a/crypto/ec/ec_lcl.h +++ b/crypto/ec/ec_lcl.h 
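Review bot: In bss_dgram.c, `# if OPENSSL_USE_IPV6` replaces `# ifdef AF_INET6`, so the AF_INET6 branch of dgram_get_mtu_overhead now silently drops out whenever OPENSSL_USE_IPV6 is not defined at all in this translation unit (an undefined identifier evaluates to 0 in `#if`), rather than following the platform's AF_INET6 availability. That is the intended harmonisation if e_os.h or bio_lcl.h always defines the macro to 0 or 1 before this point — worth confirming, since that header is outside the hunk, and `-Wundef` would catch the other case. The `S_ISDIR` fallback added to conf_def.c is the conventional definition and the process_include change is a straight substitution. dgram_get_mtu_overhead continues outside the hunk.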
@@ -681,9 +681,9 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r, int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx); -static inline int ec_point_ladder_pre(const EC_GROUP *group, - EC_POINT *r, EC_POINT *s, - EC_POINT *p, BN_CTX *ctx) +static ossl_inline int ec_point_ladder_pre(const EC_GROUP *group, + EC_POINT *r, EC_POINT *s, + EC_POINT *p, BN_CTX *ctx) { if (group->meth->ladder_pre != NULL) return group->meth->ladder_pre(group, r, s
[openssl-commits] [openssl] master update
The branch master has been updated via 1c073b9521ce7dbdd5689bdf7ae5fa87557c3529 (commit) via 37132c9702328940a99b1307f742ab094ef754a7 (commit) via fff7a0dcf6e3135c7f93e6cb5fb35e37dd0b384d (commit) via 3fc7a9b96cbed0c3da6f53c08e34d8d0c982745f (commit) from 83e034379fa3f6f0d308ec75fbcb137e26154aec (commit) - Log - commit 1c073b9521ce7dbdd5689bdf7ae5fa87557c3529 Author: Andy Polyakov Date: Sun Jul 15 17:59:59 2018 +0200 CHANGES: mention blinding reverting in ECDSA. [skip ci] Reviewed-by: Rich Salz Reviewed-by: David Benjamin (Merged from https://github.com/openssl/openssl/pull/6664) commit 37132c9702328940a99b1307f742ab094ef754a7 Author: Andy Polyakov Date: Thu Jul 12 22:27:43 2018 +0200 ec/ecdsa_ossl.c: switch to fixed-length Montgomery multiplication. Reviewed-by: Rich Salz Reviewed-by: David Benjamin (Merged from https://github.com/openssl/openssl/pull/6664) commit fff7a0dcf6e3135c7f93e6cb5fb35e37dd0b384d Author: Andy Polyakov Date: Fri Jul 6 16:13:29 2018 +0200 ec/ecdsa_ossl.c: formatting and readability fixes. Reviewed-by: Rich Salz Reviewed-by: David Benjamin (Merged from https://github.com/openssl/openssl/pull/6664) commit 3fc7a9b96cbed0c3da6f53c08e34d8d0c982745f Author: Andy Polyakov Date: Fri Jul 6 15:55:34 2018 +0200 ec/ecdsa_ossl.c: revert blinding in ECDSA signature. Originally suggested solution for "Return Of the Hidden Number Problem" is arguably too expensive. While it has marginal impact on slower curves, none to ~6%, optimized implementations suffer real penalties. Most notably sign with P-256 went more than 2 times[!] slower. Instead, just implement constant-time BN_mod_add_quick. Reviewed-by: Rich Salz Reviewed-by: David Benjamin (Merged from https://github.com/openssl/openssl/pull/6664) --- Summary of changes: CHANGES | 4 ++ crypto/bn/bn_mod.c | 66 ++-- crypto/ec/ecdsa_ossl.c | 131 +++ crypto/include/internal/bn_int.h | 2 + 4 files changed, 103 insertions(+), 100 deletions(-) diff --git a/CHANGES b/CHANGES index c1d4c2d..ae59f92 100644 
--- a/CHANGES +++ b/CHANGES @@ -9,6 +9,10 @@ Changes between 1.1.0h and 1.1.1 [xx XXX ] + *) Revert blinding in ECDSA sign and instead make problematic addition + length-invariant. Switch even to fixed-length Montgomery multiplication. + [Andy Polyakov] + *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder step for binary curves. The new implementation is based on formulas from differential addition-and-doubling in mixed Lopez-Dahab projective diff --git a/crypto/bn/bn_mod.c b/crypto/bn/bn_mod.c index 76adfb7..463d2d6 100644 --- a/crypto/bn/bn_mod.c +++ b/crypto/bn/bn_mod.c 
@@ -35,18 +35,72 @@ int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, /* * BN_mod_add variant that may be used if both a and b are non-negative and - * less than m + * less than m. The original algorithm was + * + *if (!BN_uadd(r, a, b)) + * return 0; + *if (BN_ucmp(r, m) >= 0) + * return BN_usub(r, r, m); + * + * which is replaced with addition, subtracting modulus, and conditional + * move depending on whether or not subtraction borrowed. */ -int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - const BIGNUM *m) +int bn_mod_add_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + const BIGNUM *m) { -if (!BN_uadd(r, a, b)) +size_t i, ai, bi, mtop = m->top; +BN_ULONG storage[1024 / BN_BITS2]; +BN_ULONG carry, temp, mask, *rp, *tp = storage; +const BN_ULONG *ap, *bp; + +if (bn_wexpand(r, mtop) == NULL) return 0; -if (BN_ucmp(r, m) >= 0) -return BN_usub(r, r, m); + +if (mtop > sizeof(storage) / sizeof(storage[0]) +&& (tp = OPENSSL_malloc(mtop * sizeof(BN_ULONG))) == NULL) + return 0; + +ap = a->d != NULL ? a->d : tp; +bp = b->d != NULL ? b->d : tp; + +for (i = 0, ai = 0, bi = 0, carry = 0; i < mtop;) { +mask = (BN_ULONG)0 - ((i - a->top) >> (8 * sizeof(i) - 1)); +temp = ((ap[ai] & mask) + carry) & BN_MASK2; +carry = (temp < carry); + +mask = (BN_ULONG)0 - ((i - b->top) >> (8 * sizeof(i) - 1)); +tp[i] = ((bp[bi] & mask) + temp) & BN_MASK2; +carry += (tp[i] < temp); + +i++; +ai += (i - a->dmax) >> (8 * sizeof(i) - 1); +bi += (i - b->dmax) >> (8 * sizeof(i) - 1); +} +rp = r->d; +carry -= bn_sub_words(rp, tp, m->d, mtop); +for (i =
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 821c3baa002fc874553cfacd65bd7bd6f6e9cb3f (commit) from 0b139e41b4ca03c1d36f4c93c6e9147e497029ca (commit) - Log - commit 821c3baa002fc874553cfacd65bd7bd6f6e9cb3f Author: Andy Polyakov Date: Mon Jul 16 18:17:44 2018 +0200 bn/bn_lib.c address Coverity nit in bn2binpad. It was false positive, but one can as well view it as readability issue. Switch even to unsigned indices because % BN_BYTES takes 4-6 instructions with signed dividend vs. 1 (one) with unsigned. Reviewed-by: Rich Salz (cherry picked from commit 83e034379fa3f6f0d308ec75fbcb137e26154aec) --- Summary of changes: crypto/bn/bn_lib.c | 23 +++ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index ebad255..6c57a53 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -498,28 +498,27 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) /* ignore negative */ static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) { -int i, j, top; +int n; +size_t i, inc, lasti, j; BN_ULONG l; -i = BN_num_bytes(a); +n = BN_num_bytes(a); if (tolen == -1) -tolen = i; -else if (tolen < i) +tolen = n; +else if (tolen < n) return -1; -if (i == 0) { +if (n == 0) { OPENSSL_cleanse(to, tolen); return tolen; } -top = a->top * BN_BYTES; -for (i = 0, j = tolen; j > 0; i++) { -unsigned int mask; - -mask = constant_time_lt(i, top); -i -= 1 & ~mask; /* stay on top limb */ +lasti = n - 1; +for (i = 0, inc = 1, j = tolen; j > 0;) { l = a->d[i / BN_BYTES]; -to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask); +to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & (0 - inc)); +inc = (i - lasti) >> (8 * sizeof(i) - 1); +i += inc; /* stay on top limb */ } return tolen; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
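Review bot: The index-stepping trick in the new loop is undocumented: `inc` stays 1 while `i < lasti` because `i - lasti` wraps to a size_t with its top bit set, and drops to 0 once `i == lasti`, so `i` sticks on the most significant byte and `(0 - inc)` zeroes the padding bytes without a data-dependent branch. Replace the terse `/* stay on top limb */` with a comment above the loop saying exactly that, otherwise the next cleanup pass is likely to "simplify" it back into a branch. Note that `lasti` now derives from BN_num_bytes(a), so the final shift amount tracks the exact byte length rather than the limb count; the old code also called BN_num_bytes(a), so this is not a new leak, but callers wanting length-invariant output should keep passing an explicit `tolen`. The identical hunk is in the master update below (bn_lib.c @@ -417,28).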
[openssl-commits] [openssl] master update
The branch master has been updated via 83e034379fa3f6f0d308ec75fbcb137e26154aec (commit) from 9e6a32025e6e69949ad3e53a29a0b85f61f30b85 (commit) - Log - commit 83e034379fa3f6f0d308ec75fbcb137e26154aec Author: Andy Polyakov Date: Mon Jul 16 18:17:44 2018 +0200 bn/bn_lib.c address Coverity nit in bn2binpad. It was false positive, but one can as well view it as readability issue. Switch even to unsigned indices because % BN_BYTES takes 4-6 instructions with signed dividend vs. 1 (one) with unsigned. Reviewed-by: Rich Salz --- Summary of changes: crypto/bn/bn_lib.c | 23 +++ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index a582ce5..df6ea69 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -417,28 +417,27 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) /* ignore negative */ static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) { -int i, j, top; +int n; +size_t i, inc, lasti, j; BN_ULONG l; -i = BN_num_bytes(a); +n = BN_num_bytes(a); if (tolen == -1) -tolen = i; -else if (tolen < i) +tolen = n; +else if (tolen < n) return -1; -if (i == 0) { +if (n == 0) { OPENSSL_cleanse(to, tolen); return tolen; } -top = a->top * BN_BYTES; -for (i = 0, j = tolen; j > 0; i++) { -unsigned int mask; - -mask = constant_time_lt(i, top); -i -= 1 & ~mask; /* stay on top limb */ +lasti = n - 1; +for (i = 0, inc = 1, j = tolen; j > 0;) { l = a->d[i / BN_BYTES]; -to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask); +to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & (0 - inc)); +inc = (i - lasti) >> (8 * sizeof(i) - 1); +i += inc; /* stay on top limb */ } return tolen; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 3c849bc901fa191fc517bc20d905783e6e428de5 (commit) via d3e3263072c91999afc256fa4666c40912dde410 (commit) via dfd5fb09500d5800b37b3aec05884fc7409032d7 (commit) via 2de607d8c952fef0cadf158b0a020037837911ac (commit) from 5d1c09de1f2736e1d4b1877206d08455ec75f558 (commit) - Log - commit 3c849bc901fa191fc517bc20d905783e6e428de5 Author: Andy Polyakov Date: Thu Jul 12 11:53:16 2018 +0200 ec/curve25519.c: reorganize for better accessibility. Move base 2^64 code to own #if section. It was nested in base 2^51 section, which arguably might have been tricky to follow. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6699) commit d3e3263072c91999afc256fa4666c40912dde410 Author: Andy Polyakov Date: Wed Jul 11 22:36:49 2018 +0200 ec/asm/x25519-x86_64.pl: add CFI directives and Windows SE handler. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6699) commit dfd5fb09500d5800b37b3aec05884fc7409032d7 Author: Andy Polyakov Date: Wed Jul 11 22:22:52 2018 +0200 test/.../evppkey.txt: X25519 regression test vectors. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6699) commit 2de607d8c952fef0cadf158b0a020037837911ac Author: Andy Polyakov Date: Wed Jul 11 22:08:02 2018 +0200 ec/asm/x25519-x86_64.pl: fix base 2^64 add/sub and final reduction. Base 2^64 addition/subtraction and final reduction failed to treat partially reduced values correctly. Thanks to Wycheproof Project for vectors and Paul Kehrer for report. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6699) --- Summary of changes: crypto/ec/asm/x25519-x86_64.pl| 318 +- crypto/ec/curve25519.c| 293 +-- test/recipes/30-test_evp_data/evppkey.txt | 38 3 files changed, 501 insertions(+), 148 deletions(-) diff --git a/crypto/ec/asm/x25519-x86_64.pl b/crypto/ec/asm/x25519-x86_64.pl index 930d7bd..da81e06 100755 --- a/crypto/ec/asm/x25519-x86_64.pl +++ b/crypto/ec/asm/x25519-x86_64.pl 
@@ -102,13 +102,22 @@ $code.=<<___; .type x25519_fe51_mul,\@function,3 .align 32 x25519_fe51_mul: +.cfi_startproc push%rbp +.cfi_push %rbp push%rbx +.cfi_push %rbx push%r12 +.cfi_push %r12 push%r13 +.cfi_push %r13 push%r14 +.cfi_push %r14 push%r15 +.cfi_push %r15 lea -8*5(%rsp),%rsp +.cfi_adjust_cfa_offset 40 +.Lfe51_mul_body: mov 8*0(%rsi),%rax # f[0] mov 8*0(%rdx),%r11 # load g[0-4] @@ -236,19 +245,30 @@ x25519_fe51_mul: mov 8*4(%rsp),%rdi # restore 1st argument jmp .Lreduce51 +.Lfe51_mul_epilogue: +.cfi_endproc .size x25519_fe51_mul,.-x25519_fe51_mul .globl x25519_fe51_sqr .type x25519_fe51_sqr,\@function,2 .align 32 x25519_fe51_sqr: +.cfi_startproc push%rbp +.cfi_push %rbp push%rbx +.cfi_push %rbx push%r12 +.cfi_push %r12 push%r13 +.cfi_push %r13 push%r14 +.cfi_push %r14 push%r15 +.cfi_push %r15 lea -8*5(%rsp),%rsp +.cfi_adjust_cfa_offset 40 +.Lfe51_sqr_body: mov 8*0(%rsi),%rax # g[0] mov 8*2(%rsi),%r15 # g[2] @@ -391,27 +411,45 @@ x25519_fe51_sqr: mov %r10,8*4(%rdi) mov 8*5(%rsp),%r15 +.cfi_restore %r15 mov 8*6(%rsp),%r14 +.cfi_restore %r14 mov 8*7(%rsp),%r13 +.cfi_restore %r13 mov 8*8(%rsp),%r12 +.cfi_restore %r12 mov 8*9(%rsp),%rbx +.cfi_restore %rbx mov 8*10(%rsp),%rbp +.cfi_restore %rbp lea 8*11(%rsp),%rsp +.cfi_adjust_cfa_offset 88 +.Lfe51_sqr_epilogue: ret +.cfi_endproc .size x25519_fe51_sqr,.-x25519_fe51_sqr .globl x25519_fe51_mul121666 .type x25519_fe51_mul121666,\@function,2 .align 32 x25519_fe51_mul121666: +.cfi_startproc push%rbp +.cfi_push %rbp push%rbx +.cfi_push %rbx push%r12 +.cfi_push %r12 push%r13 +.cfi_push %r13 push%r14 +.cfi_push %r14 push%r15 - mov \$121666,%eax +.cfi_push %r15 lea -8*5(%rsp),%rsp +.cfi_adjust_cfa_offset 40 +.Lfe51_mul121666_body: + mov \$121666,%eax mulq8*0(%rsi) mov %rax,%rbx # %rbx:%rcx = h0 @@ -434,6 +472,8 @@ x25519_fe51_mul121666: mov %rdx,%r15 jmp .Lreduce51 +.Lfe51_mul121666_epilogue: +.cfi_endproc .size x25519_fe51_mul
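Review bot: The epilogue CFI in the x25519_fe51_sqr hunk, `lea 8*11(%rsp),%rsp` followed by `.cfi_adjust_cfa_offset 88`, has the opposite sign to what the prologue establishes: `lea -8*5(%rsp),%rsp` is annotated `.cfi_adjust_cfa_offset 40`, and by the assembler's definition the directive adds its argument to the CFA offset, so releasing 88 bytes should be annotated `.cfi_adjust_cfa_offset -88`. As written the CFA is wrong for the single `ret` that follows, which only matters to an unwinder or profiler that samples exactly there, and only if x86_64-xlate.pl passes the directive through unchanged (that translator is outside this diff, so worth confirming before changing anything). The `.cfi_restore` lines interleaved with the register reloads look consistent. If the sign does need flipping it should be flipped in every function of this file that uses the same prologue/epilogue pairing, not just the one visible here.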
[openssl-commits] [openssl] master update
The branch master has been updated via 5d1c09de1f2736e1d4b1877206d08455ec75f558 (commit) from 582ad5d4d9b7703eb089016935133e3a18ea8205 (commit) - Log - commit 5d1c09de1f2736e1d4b1877206d08455ec75f558 Author: Andy Polyakov Date: Thu Jul 12 19:15:26 2018 +0200 bn/bn_lcl.h,bn_nist.c: addres strict warnings with -DBN_DEBUG. Reviewed-by: Rich Salz --- Summary of changes: crypto/bn/bn_lcl.h | 9 - crypto/bn/bn_nist.c | 2 +- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h index 0d3a8bf..d74b590 100644 --- a/crypto/bn/bn_lcl.h +++ b/crypto/bn/bn_lcl.h @@ -151,7 +151,6 @@ * all operations manipulating the bit in question in non-BN_DEBUG build. */ # define BN_FLG_FIXED_TOP 0x1 -# include # ifdef BN_DEBUG_RAND # define bn_pollute(a) \ do { \ @@ -175,10 +174,10 @@ do { \ const BIGNUM *_bnum2 = (a); \ if (_bnum2 != NULL) { \ -int top = _bnum2->top; \ -assert((top == 0 && !_bnum2->neg) || \ - (top && ((_bnum2->flags & BN_FLG_FIXED_TOP) \ -|| _bnum2->d[top - 1] != 0))); \ +int _top = _bnum2->top; \ +(void)ossl_assert((_top == 0 && !_bnum2->neg) || \ + (_top && ((_bnum2->flags & BN_FLG_FIXED_TOP) \ +|| _bnum2->d[_top - 1] != 0))); \ bn_pollute(_bnum2); \ } \ } while(0) diff --git a/crypto/bn/bn_nist.c b/crypto/bn/bn_nist.c index fcc2b77..4d71afd 100644 --- a/crypto/bn/bn_nist.c +++ b/crypto/bn/bn_nist.c @@ -254,7 +254,7 @@ static void nist_cp_bn_0(BN_ULONG *dst, const BN_ULONG *src, int top, int max) int i; #ifdef BN_DEBUG -assert(top <= max); +(void)ossl_assert(top <= max); #endif for (i = 0; i < top; i++) dst[i] = src[i]; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
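Review bot: The `(void)ossl_assert(...)` rewrite in the bn_lcl.h debug macro and in nist_cp_bn_0 changes what a BN_DEBUG build does on failure: the old `assert()` aborted, while `ossl_assert` returns an int whose value is now discarded, so the check remains fatal only if the build's definition of ossl_assert dies on a false argument (that definition lives in internal/cryptlib.h, outside this diff). If the non-dying form is in effect, both checks silently become no-ops under BN_DEBUG, which defeats the purpose of the flag. A comment next to the macro stating the expectation, e.g. `/* relies on ossl_assert() aborting in debug builds */`, or an explicit `if (!ossl_assert(...)) abort();` would make the intent checkable. The `top` to `_top` rename is a good change on its own, since it avoids clashing with a `top` in whatever scope the statement macro is expanded in.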
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 0b139e41b4ca03c1d36f4c93c6e9147e497029ca (commit) via 75a67a036a041d9fdac0fd7fd5a461f48709a3d3 (commit) from db9926ff007ad8cd999a4e7eff35b04505b744b8 (commit) - Log - commit 0b139e41b4ca03c1d36f4c93c6e9147e497029ca Author: Andy Polyakov Date: Sun Feb 4 15:24:54 2018 +0100 rsa/*: switch to BN_bn2binpad. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5254) (cherry picked from commit 582ad5d4d9b7703eb089016935133e3a18ea8205) commit 75a67a036a041d9fdac0fd7fd5a461f48709a3d3 Author: Andy Polyakov Date: Sun Feb 4 15:20:29 2018 +0100 bn/bn_lib.c: make BN_bn2binpad computationally constant-time. "Computationally constant-time" means that it might still leak information about input's length, but only in cases when input is missing complete BN_ULONG limbs. But even then leak is possible only if attacker can observe memory access pattern with limb granularity. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5254) (cherry picked from commit 89d8aade5f4011ddeea7827f08ec544c914f275a) --- Summary of changes: crypto/bn/bn_lib.c| 23 +++ crypto/rsa/rsa_oaep.c | 38 +++--- crypto/rsa/rsa_ossl.c | 38 -- crypto/rsa/rsa_pk1.c | 39 +-- crypto/rsa/rsa_ssl.c | 8 5 files changed, 79 insertions(+), 67 deletions(-) diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 8fa9f2f..ebad255 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -12,6 +12,7 @@ #include "internal/cryptlib.h" #include "bn_lcl.h" #include +#include "internal/constant_time_locl.h" /* This stuff appears to be completely unused, so is deprecated */ #if OPENSSL_API_COMPAT < 0x00908000L 
@@ -497,24 +498,30 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) /* ignore negative */ static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) { -int i; +int i, j, top; BN_ULONG l; -bn_check_top(a); i = BN_num_bytes(a); if (tolen == -1) tolen = i; else if (tolen < i) return -1; -/* Add leading zeroes if necessary */ -if (tolen > i) { -memset(to, 0, tolen - i); -to += tolen - i; + +if (i == 0) { +OPENSSL_cleanse(to, tolen); +return tolen; } -while (i--) { + +top = a->top * BN_BYTES; +for (i = 0, j = tolen; j > 0; i++) { +unsigned int mask; + +mask = constant_time_lt(i, top); +i -= 1 & ~mask; /* stay on top limb */ l = a->d[i / BN_BYTES]; -*(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff; +to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask); } + return tolen; } diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index 4878d49..fbe65c4 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c 
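Review bot: The constant-time loop in bn2binpad would benefit from a comment stating its invariant, since `i -= 1 & ~mask; /* stay on top limb */` is the only hint: the loop runs exactly `tolen` iterations regardless of the value's byte length, `mask` is all-ones while `i` is inside the `a->top` limbs and zero beyond, and once past the top `i` is pulled back so every extra iteration re-reads the same top limb and masks the byte to zero. Suggested header comment for the loop: `/* Emit exactly tolen bytes, MSB first; the access pattern depends on a->top and tolen only, never on the leading-zero count of a. */`. Reusing `i` as both the BN_num_bytes result and the byte index also makes the early `tolen < i` check harder to read; a separate `n` for the byte count would help. The identical bn2binpad hunk appears again in the master update further down this page and the same comment applies there.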
@@ -155,32 +155,40 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, dblen = num - mdlen - 1; db = OPENSSL_malloc(dblen); -em = OPENSSL_malloc(num); -if (db == NULL || em == NULL) { +if (db == NULL) { RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE); goto cleanup; } -/* - * Always do this zero-padding copy (even when num == flen) to avoid - * leaking that information. The copy still leaks some side-channel - * information, but it's impossible to have a fixed memory access - * pattern since we can't read out of the bounds of |from|. - * - * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL. - */ -memset(em, 0, num); -memcpy(em + num - flen, from, flen); +if (flen != num) { +em = OPENSSL_zalloc(num); +if (em == NULL) { +RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, + ERR_R_MALLOC_FAILURE); +goto cleanup; +} + +/* + * Caller is encouraged to pass zero-padded message created with + * BN_bn2binpad, but if it doesn't, we do this zero-padding copy + * to avoid leaking that information. The copy still leaks some + * side-channel information, but it's impossible to have a fixed + * memory access pattern since we can't read out of the bounds of + * |from|. + */ +memcpy(em + num - flen, from, flen); +from = em; +} /* * The first byte must be zero, however we must not leak if this is * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA
[openssl-commits] [openssl] master update
The branch master has been updated via 582ad5d4d9b7703eb089016935133e3a18ea8205 (commit) via 89d8aade5f4011ddeea7827f08ec544c914f275a (commit) from 1e839545803107b230a8177875de5994f85984de (commit) - Log - commit 582ad5d4d9b7703eb089016935133e3a18ea8205 Author: Andy Polyakov Date: Sun Feb 4 15:24:54 2018 +0100 rsa/*: switch to BN_bn2binpad. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5254) commit 89d8aade5f4011ddeea7827f08ec544c914f275a Author: Andy Polyakov Date: Sun Feb 4 15:20:29 2018 +0100 bn/bn_lib.c: make BN_bn2binpad computationally constant-time. "Computationally constant-time" means that it might still leak information about input's length, but only in cases when input is missing complete BN_ULONG limbs. But even then leak is possible only if attacker can observe memory access pattern with limb granularity. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5254) --- Summary of changes: crypto/bn/bn_lib.c| 23 +++ crypto/rsa/rsa_oaep.c | 38 +++--- crypto/rsa/rsa_ossl.c | 38 -- crypto/rsa/rsa_pk1.c | 39 +-- crypto/rsa/rsa_ssl.c | 8 5 files changed, 79 insertions(+), 67 deletions(-) diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index b42df82..a582ce5 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -12,6 +12,7 @@ #include "internal/cryptlib.h" #include "bn_lcl.h" #include +#include "internal/constant_time_locl.h" /* This stuff appears to be completely unused, so is deprecated */ #if OPENSSL_API_COMPAT < 0x00908000L 
@@ -416,24 +417,30 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) /* ignore negative */ static int bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) { -int i; +int i, j, top; BN_ULONG l; -bn_check_top(a); i = BN_num_bytes(a); if (tolen == -1) tolen = i; else if (tolen < i) return -1; -/* Add leading zeroes if necessary */ -if (tolen > i) { -memset(to, 0, tolen - i); -to += tolen - i; + +if (i == 0) { +OPENSSL_cleanse(to, tolen); +return tolen; } -while (i--) { + +top = a->top * BN_BYTES; +for (i = 0, j = tolen; j > 0; i++) { +unsigned int mask; + +mask = constant_time_lt(i, top); +i -= 1 & ~mask; /* stay on top limb */ l = a->d[i / BN_BYTES]; -*(to++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff; +to[--j] = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask); } + return tolen; } diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index d4de71d..dfea063 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c 
@@ -150,32 +150,40 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, dblen = num - mdlen - 1; db = OPENSSL_malloc(dblen); -em = OPENSSL_malloc(num); -if (db == NULL || em == NULL) { +if (db == NULL) { RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE); goto cleanup; } -/* - * Always do this zero-padding copy (even when num == flen) to avoid - * leaking that information. The copy still leaks some side-channel - * information, but it's impossible to have a fixed memory access - * pattern since we can't read out of the bounds of |from|. - * - * TODO(emilia): Consider porting BN_bn2bin_padded from BoringSSL. - */ -memset(em, 0, num); -memcpy(em + num - flen, from, flen); +if (flen != num) { +em = OPENSSL_zalloc(num); +if (em == NULL) { +RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, + ERR_R_MALLOC_FAILURE); +goto cleanup; +} + +/* + * Caller is encouraged to pass zero-padded message created with + * BN_bn2binpad, but if it doesn't, we do this zero-padding copy + * to avoid leaking that information. The copy still leaks some + * side-channel information, but it's impossible to have a fixed + * memory access pattern since we can't read out of the bounds of + * |from|. + */ +memcpy(em + num - flen, from, flen); +from = em; +} /* * The first byte must be zero, however we must not leak if this is * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001). */ -good = constant_time_is_zero(em[0]); +good = constant_time_is_zero(from
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 88af716e831fd7f76e2b2eab568905733b7c87eb (commit) via 308447e3bdacd9ed55d5f8c4dd266d6aa75aab2b (commit) via cc1fef6308ec6cb8ba6c00b20e4a8014d7847db2 (commit) from dcb8333087d56eef97c482aabb506b8be8299cde (commit) - Log - commit 88af716e831fd7f76e2b2eab568905733b7c87eb Author: Andy Polyakov Date: Fri Jul 6 14:54:34 2018 +0200 bn/bn_mont.c: improve readability of post-condition code. Reviewed-by: Rich Salz Reviewed-by: David Benjamin (Merged from https://github.com/openssl/openssl/pull/6662) (cherry picked from commit 6c90182a5f87af1a1e462536e7123ad2afb84c43) commit 308447e3bdacd9ed55d5f8c4dd266d6aa75aab2b Author: Andy Polyakov Date: Fri Jul 6 13:46:07 2018 +0200 bn/bn_mont.c: move boundary condition check closer to caller. Reviewed-by: Rich Salz Reviewed-by: David Benjamin (Merged from https://github.com/openssl/openssl/pull/6662) (cherry picked from commit 3c97e4121ecec20cfac433883cd4709580a05620) commit cc1fef6308ec6cb8ba6c00b20e4a8014d7847db2 Author: Andy Polyakov Date: Fri Jul 6 13:16:40 2018 +0200 bn/bn_lib.c: remove bn_check_top from bn_expand2. Trouble is that addition is postponing expansion till carry is calculated, and if addition carries, top word can be zero, which triggers assertion in bn_check_top. Reviewed-by: Rich Salz Reviewed-by: David Benjamin (Merged from https://github.com/openssl/openssl/pull/6662) (cherry picked from commit e42395e637c3507b80b25c7ed63236898822d2f1) --- Summary of changes: crypto/bn/bn_lib.c | 5 - crypto/bn/bn_mont.c | 18 +- 2 files changed, 9 insertions(+), 14 deletions(-) diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index c59bdb7..8fa9f2f 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -222,8 +222,6 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words) const BN_ULONG *B; int i; -bn_check_top(b); - if (words > (INT_MAX / (4 * BN_BITS2))) { BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_BIGNUM_TOO_LONG); return NULL; 
@@ -298,8 +296,6 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words) BIGNUM *bn_expand2(BIGNUM *b, int words) { -bn_check_top(b); - if (words > b->dmax) { BN_ULONG *a = bn_expand_internal(b, words); if (!a) @@ -312,7 +308,6 @@ BIGNUM *bn_expand2(BIGNUM *b, int words) b->dmax = words; } -bn_check_top(b); return b; } diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c index dad3d07..e1d2973 100644 --- a/crypto/bn/bn_mont.c +++ b/crypto/bn/bn_mont.c @@ -28,9 +28,9 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, { BIGNUM *tmp; int ret = 0; -#if defined(OPENSSL_BN_ASM_MONT) && defined(MONT_WORD) int num = mont->N.top; +#if defined(OPENSSL_BN_ASM_MONT) && defined(MONT_WORD) if (num > 1 && a->top == num && b->top == num) { if (bn_wexpand(r, num) == NULL) return (0); @@ -43,6 +43,9 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, } #endif +if ((a->top + b->top) > 2 * num) +return 0; + BN_CTX_start(ctx); tmp = BN_CTX_get(ctx); if (tmp == NULL) @@ -95,8 +98,6 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) /* clear the top words of T */ i = max - r->top; -if (i < 0) -return 0; if (i) memset([r->top], 0, sizeof(*rp) * i); 
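Review bot: The new guard in BN_mod_mul_montgomery, `if ((a->top + b->top) > 2 * num) return 0;`, rejects oversized operands without raising an error through BNerr, so a caller sees the same 0 as for an allocation failure and the error queue stays empty. Raising a distinct error, or at least documenting why the bound is `2 * num`, would help the next reader; from the removed `if (i < 0) return 0;` in BN_from_montgomery_word it looks like the product must fit the `2 * num`-word buffer the word-level reduction works on, but the hunk does not say so. Because the check sits after the `#endif`, the assembly fast path above it, which only fires when both tops equal `num`, is unaffected. If an error code is not warranted, a comment such as `/* operands wider than 2 * num words cannot be reduced in one pass */` would suffice.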
@@ -129,15 +130,14 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) */ ap = &(r->d[nl]); +carry -= bn_sub_words(rp, ap, np, nl); /* - * |v| is one if |ap| - |np| underflowed or zero if it did not. Note |v| - * cannot be -1. That would imply the subtraction did not fit in |nl| words, - * and we know at most one subtraction is needed. + * |carry| is -1 if |ap| - |np| underflowed or zero if it did not. Note + * |carry| cannot be 1. That would imply the subtraction did not fit in + * |nl| words, and we know at most one subtraction is needed. */ -v = bn_sub_words(rp, ap, np, nl) - carry; -v = 0 - v; for (i = 0; i < nl; i++) { -rp[i] = (v & ap[i]) | (~v & rp[i]); +rp[i] = (carry & ap[i]) | (~carry & rp[i]); ap[i] = 0; } bn_correct_top(r); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
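Review bot: The rewritten selection in BN_from_montgomery_word, `rp[i] = (carry & ap[i]) | (~carry & rp[i]);`, uses `carry` as a full-width mask, which is only correct if `carry` has the unsigned BN_ULONG type so that the -1 described in the comment is an all-ones word; its declaration and the value it holds before `carry -= bn_sub_words(...)` are outside the hunk, so worth confirming it is not a signed int. A one-line comment before the loop, `/* carry is 0 or ~0 here and acts as a constant-time select mask */`, would make the intent explicit and tie it to the updated comment above. The old `v = 0 - v;` negation is gone because the subtraction already yields the all-ones form, which the new comment explains well.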
[openssl-commits] [openssl] master update
The branch master has been updated via 71883868ea5b33416ae8283bcc38dd2d97e5006b (commit) via 305b68f1a2b6d4d0aa07a6ab47ac372f067a40bb (commit) via 6c90182a5f87af1a1e462536e7123ad2afb84c43 (commit) via 3c97e4121ecec20cfac433883cd4709580a05620 (commit) via e42395e637c3507b80b25c7ed63236898822d2f1 (commit) from 7da84e0f0088fc9d575039fb173f12af0ae25832 (commit) - Log - commit 71883868ea5b33416ae8283bcc38dd2d97e5006b Author: Andy Polyakov Date: Fri Jul 6 15:13:15 2018 +0200 bn/bn_{mont|exp}.c: switch to zero-padded intermediate vectors. Note that exported functions maintain original behaviour, so that external callers won't observe difference. While internally we can now perform Montogomery multiplication on fixed-length vectors, fixed at modulus size. The new functions, bn_to_mont_fixed_top and bn_mul_mont_fixed_top, are declared in bn_int.h, because one can use them even outside bn, e.g. in RSA, DSA, ECDSA... Reviewed-by: Rich Salz Reviewed-by: David Benjamin (Merged from https://github.com/openssl/openssl/pull/6662) commit 305b68f1a2b6d4d0aa07a6ab47ac372f067a40bb Author: Andy Polyakov Date: Fri Jul 6 15:02:29 2018 +0200 bn/bn_lib.c: add BN_FLG_FIXED_TOP flag. The new flag marks vectors that were not treated with bn_correct_top, in other words such vectors are permitted to be zero padded. For now it's BN_DEBUG-only flag, as initial use case for zero-padded vectors would be controlled Montgomery multiplication/exponentiation, not general purpose. For general purpose use another type might be more appropriate. Advantage of this suggestion is that it's possible to back-port it... bn/bn_div.c: fix memory sanitizer problem. bn/bn_sqr.c: harmonize with BN_mul. Reviewed-by: Rich Salz Reviewed-by: David Benjamin (Merged from https://github.com/openssl/openssl/pull/6662) commit 6c90182a5f87af1a1e462536e7123ad2afb84c43 Author: Andy Polyakov Date: Fri Jul 6 14:54:34 2018 +0200 bn/bn_mont.c: improve readability of post-condition code. 
Reviewed-by: Rich Salz Reviewed-by: David Benjamin (Merged from https://github.com/openssl/openssl/pull/6662) commit 3c97e4121ecec20cfac433883cd4709580a05620 Author: Andy Polyakov Date: Fri Jul 6 13:46:07 2018 +0200 bn/bn_mont.c: move boundary condition check closer to caller. Reviewed-by: Rich Salz Reviewed-by: David Benjamin (Merged from https://github.com/openssl/openssl/pull/6662) commit e42395e637c3507b80b25c7ed63236898822d2f1 Author: Andy Polyakov Date: Fri Jul 6 13:16:40 2018 +0200 bn/bn_lib.c: remove bn_check_top from bn_expand2. Trouble is that addition is postponing expansion till carry is calculated, and if addition carries, top word can be zero, which triggers assertion in bn_check_top. Reviewed-by: Rich Salz Reviewed-by: David Benjamin (Merged from https://github.com/openssl/openssl/pull/6662) --- Summary of changes: crypto/bn/bn_div.c | 1 + crypto/bn/bn_exp.c | 47 -- crypto/bn/bn_lcl.h | 20 +++-- crypto/bn/bn_lib.c | 20 +++-- crypto/bn/bn_mont.c | 63 +++- crypto/bn/bn_sqr.c | 10 ++- crypto/include/internal/bn_int.h | 12 7 files changed, 112 insertions(+), 61 deletions(-) diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c index b9b85fd..464a444 100644 --- a/crypto/bn/bn_div.c +++ b/crypto/bn/bn_div.c @@ -234,6 +234,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, wnum.neg = 0; wnum.d = &(snum->d[loop]); wnum.top = div_n; +wnum.flags = BN_FLG_STATIC_DATA; /* * only needed when BN_ucmp messes up the values between top and max */ diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c index 10d3912..4e24c94 100644 --- a/crypto/bn/bn_exp.c +++ b/crypto/bn/bn_exp.c 
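Review bot: The added `wnum.flags = BN_FLG_STATIC_DATA;` in BN_div deserves a why-comment, because nothing in the hunk says that `flags` was previously left uninitialised on this stack-built BIGNUM or why this particular flag is the right value. Since `wnum.d` aliases `snum->d` and must never be freed or expanded, BN_FLG_STATIC_DATA is the natural marker; suggested comment: `/* wnum borrows snum's storage and must never be freed or reallocated; also keeps flags initialised for the BN_DEBUG checks */`. The commit message mentions a memory-sanitizer fix, which presumably refers to debug-mode reads of `flags`, but the hunk itself does not say so.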
@@ -361,17 +361,17 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, ret = 1; goto err; } -if (!BN_to_montgomery(val[0], aa, mont, ctx)) +if (!bn_to_mont_fixed_top(val[0], aa, mont, ctx)) goto err; /* 1 */ window = BN_window_bits_for_exponent_size(bits); if (window > 1) { -if (!BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx)) +if (!bn_mul_mont_fixed_top(d, val[0], val[0], mont, ctx)) goto err; /* 2 */ j = 1 << (window - 1); for (i = 1; i < j; i++) { if (((val[i] = BN_CTX_get(ctx)) == NULL) || -!BN_mod_mul_montgomery(val[i], val[i - 1], d, mont, ctx)) +!bn
[openssl-commits] [openssl] master update
The branch master has been updated via 8977880603176bea3dda1f1accae1b774d2104ac (commit) from f99648638c8340cbc0cb7ddaa54309435bda9530 (commit) - Log - commit 8977880603176bea3dda1f1accae1b774d2104ac Author: Andy Polyakov Date: Mon Jul 9 11:11:37 2018 +0200 poly1305/asm/poly1305-x86_64.pl: fix solaris64-x86_64-cc build. Reviewed-by: Paul Dale Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6676) --- Summary of changes: crypto/poly1305/asm/poly1305-x86_64.pl | 77 +- 1 file changed, 38 insertions(+), 39 deletions(-) diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/poly1305-x86_64.pl index 0b4c56e..88394b0 100755 --- a/crypto/poly1305/asm/poly1305-x86_64.pl +++ b/crypto/poly1305/asm/poly1305-x86_64.pl @@ -3753,6 +3753,44 @@ poly1305_emit_base2_44: .size poly1305_emit_base2_44,.-poly1305_emit_base2_44 ___ } } } +$code.=<<___; +.align 64 +.Lconst: +.Lmask24: +.long 0x0ff,0,0x0ff,0,0x0ff,0,0x0ff,0 +.L129: +.long `1<<24`,0,`1<<24`,0,`1<<24`,0,`1<<24`,0 +.Lmask26: +.long 0x3ff,0,0x3ff,0,0x3ff,0,0x3ff,0 +.Lpermd_avx2: +.long 2,2,2,3,2,0,2,1 +.Lpermd_avx512: +.long 0,0,0,1, 0,2,0,3, 0,4,0,5, 0,6,0,7 + +.L2_44_inp_permd: +.long 0,1,1,2,2,3,7,7 +.L2_44_inp_shift: +.quad 0,12,24,64 +.L2_44_mask: +.quad 0xfff,0xfff,0x3ff,0x +.L2_44_shift_rgt: +.quad 44,44,42,64 +.L2_44_shift_lft: +.quad 8,8,10,64 + +.align 64 +.Lx_mask44: +.quad 0xfff,0xfff,0xfff,0xfff +.quad 0xfff,0xfff,0xfff,0xfff +.Lx_mask42: +.quad 0x3ff,0x3ff,0x3ff,0x3ff +.quad 0x3ff,0x3ff,0x3ff,0x3ff +___ +} +$code.=<<___; +.asciz "Poly1305 for x86_64, CRYPTOGAMS by " +.align 16 +___ { # chacha20-poly1305 helpers my ($out,$inp,$otp,$len)=$win64 ? ("%rcx","%rdx","%r8", "%r9") : # Win64 order 
@@ -3857,45 +3895,6 @@ xor128_decrypt_n_pad: .size xor128_decrypt_n_pad,.-xor128_decrypt_n_pad ___ } -$code.=<<___; -.align 64 -.Lconst: -.Lmask24: -.long 0x0ff,0,0x0ff,0,0x0ff,0,0x0ff,0 -.L129: -.long `1<<24`,0,`1<<24`,0,`1<<24`,0,`1<<24`,0 -.Lmask26: -.long 0x3ff,0,0x3ff,0,0x3ff,0,0x3ff,0 -.Lpermd_avx2: -.long 2,2,2,3,2,0,2,1 -.Lpermd_avx512: -.long 0,0,0,1, 0,2,0,3, 0,4,0,5, 0,6,0,7 - -.L2_44_inp_permd: -.long 0,1,1,2,2,3,7,7 -.L2_44_inp_shift: -.quad 0,12,24,64 -.L2_44_mask: -.quad 0xfff,0xfff,0x3ff,0x -.L2_44_shift_rgt: -.quad 44,44,42,64 -.L2_44_shift_lft: -.quad 8,8,10,64 - -.align 64 -.Lx_mask44: -.quad 0xfff,0xfff,0xfff,0xfff -.quad 0xfff,0xfff,0xfff,0xfff -.Lx_mask42: -.quad 0x3ff,0x3ff,0x3ff,0x3ff -.quad 0x3ff,0x3ff,0x3ff,0x3ff -___ -} - -$code.=<<___; -.asciz "Poly1305 for x86_64, CRYPTOGAMS by " -.align 16 -___ # EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame, # CONTEXT *context,DISPATCHER_CONTEXT *disp) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 750d5587d1d688df964cb37e86942da7e639d47b (commit) from 5d58e8f1710fbcf955bc949734aa8d594523276d (commit) - Log - commit 750d5587d1d688df964cb37e86942da7e639d47b Author: Andy Polyakov Date: Sun Jul 8 18:57:30 2018 +0200 apps/req.c: fix -addext option. Address even Coverity nit. Reviewed-by: Paul Dale Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6671) --- Summary of changes: apps/req.c | 25 +++-- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/apps/req.c b/apps/req.c index 3d89f20..066e7c6 100644 --- a/apps/req.c +++ b/apps/req.c @@ -24,7 +24,6 @@ #include #include #include -#include #include #ifndef OPENSSL_NO_RSA # include @@ -177,21 +176,22 @@ static void exts_cleanup(OPENSSL_STRING *x) static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv) { char *p; +size_t off; /* Check syntax. */ -if (strchr(kv, '=') == NULL) -return 1; - /* Skip leading whitespace, make a copy. */ while (*kv && isspace(*kv)) if (*++kv == '\0') return 1; +if ((p = strchr(kv, '=')) == NULL) +return 1; +off = p - kv; if ((kv = OPENSSL_strdup(kv)) == NULL) return -1; /* Skip trailing space before the equal sign. */ -for (p = strchr(kv, '='); p > kv; --p) -if (p[-1] != ' ' && p[-1] != '\t') +for (p = kv + off; p > kv; --p) +if (!isspace(p[-1])) break; if (p == kv) { OPENSSL_free(kv); 
@@ -199,16 +199,13 @@ static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv) } *p = '\0'; -/* Finally have a clean "key"; see if it's there. */ -if (lh_OPENSSL_STRING_retrieve(addexts, (OPENSSL_STRING*)kv) != NULL) { -BIO_printf(bio_err, "Extension \"%s\" repeated\n", kv); -OPENSSL_free(kv); -return 1; +/* Finally have a clean "key"; see if it's there [by attempt to add it]. */ +if ((p = (char *)lh_OPENSSL_STRING_insert(addexts, (OPENSSL_STRING*)kv)) +!= NULL || lh_OPENSSL_STRING_error(addexts)) { +OPENSSL_free(p != NULL ? p : kv); +return -1; } -/* Not found; add it. */ -if (lh_OPENSSL_STRING_insert(addexts, (OPENSSL_STRING*)kv) == NULL) -return -1; return 0; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
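Review bot: The duplicate-key path in duplicated() no longer prints the `Extension \"%s\" repeated` diagnostic and now returns -1 instead of 1, so a repeated -addext becomes indistinguishable from an out-of-memory failure for the caller; whether the caller reports anything useful for -1 is outside the hunk. When `lh_OPENSSL_STRING_insert` returns the previous entry, that old string is freed and the new copy stays in the table, which is sound, but it inverts the old retrieve-then-reject semantics and should be stated, e.g. `/* insert replaces and returns any existing entry; treat that as a duplicate */`. Related, in the preceding hunk `isspace(p[-1])` and `isspace(*kv)` pass a plain `char`; the ctype functions require an `unsigned char` value or EOF, so a high-bit byte in the option string is undefined behaviour and `isspace((unsigned char)p[-1])` avoids it.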
[openssl-commits] [openssl] master update
The branch master has been updated via 45197ad33ee77f3773eaefe2395072fbdd9d978c (commit) via c118fb92386cc6f81aadf2a64473e94bac938cee (commit) from 9e26532295c579afa91a3edf0864b380a5f0ec16 (commit) - Log - commit 45197ad33ee77f3773eaefe2395072fbdd9d978c Author: Andy Polyakov Date: Sun Jul 8 12:12:15 2018 +0200 modes/ocb128.c: readability and formatting improvements. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6669) commit c118fb92386cc6f81aadf2a64473e94bac938cee Author: DesWurstes Date: Sat Jul 7 12:10:53 2018 +0300 modes/ocb128.c: improve the calculation of double mask CLA: trivial Reviewed-by: Andy Polyakov Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6667) --- Summary of changes: crypto/modes/ocb128.c | 22 ++ 1 file changed, 6 insertions(+), 16 deletions(-) diff --git a/crypto/modes/ocb128.c b/crypto/modes/ocb128.c index 76591e6..713b9aa 100644 --- a/crypto/modes/ocb128.c +++ b/crypto/modes/ocb128.c @@ -42,22 +42,13 @@ static u32 ocb_ntz(u64 n) static void ocb_block_lshift(const unsigned char *in, size_t shift, unsigned char *out) { -unsigned char shift_mask; int i; -unsigned char mask[15]; +unsigned char carry = 0, carry_next; -shift_mask = 0xff; -shift_mask <<= (8 - shift); for (i = 15; i >= 0; i--) { -if (i > 0) { -mask[i - 1] = in[i] & shift_mask; -mask[i - 1] >>= 8 - shift; -} -out[i] = in[i] << shift; - -if (i != 15) { -out[i] ^= mask[i]; -} +carry_next = in[i] >> (8 - shift); +out[i] = (in[i] << shift) | carry; +carry = carry_next; } } @@ -74,7 +65,7 @@ static void ocb_double(OCB_BLOCK *in, OCB_BLOCK *out) */ mask = in->c[0] & 0x80; mask >>= 7; -mask *= 135; +mask = (0 - mask) & 0x87; ocb_block_lshift(in->c, 1, out->c); 
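Review bot: `mask = (0 - mask) & 0x87;` in ocb_double replaces the `mask *= 135` multiply with a branch-free select but gives no hint why 0x87 is the right constant; a comment such as `/* mask is 0 or 1; 0 - mask is 0 or all-ones, and 0x87 (= 135) is the GF(2^128) reduction polynomial x^7 + x^2 + x + 1 */` would preserve what the old literal conveyed. In ocb_block_lshift the carry rewrite reads `in[i]` before writing `out[i]` and carries only through locals, so it stays correct if a caller passes the same block as `in` and `out`; that property is worth a line, e.g. `/* safe for in == out: each in[i] is consumed before out[i] is written */`. Dropping the `i > 0` / `i != 15` branches also removes index-dependent control flow from the loop, which reads as a readability win rather than a behavioural change.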
@@ -119,8 +110,7 @@ static OCB_BLOCK *ocb_lookup_l(OCB128_CONTEXT *ctx, size_t idx) * the index. */ ctx->max_l_index += (idx - ctx->max_l_index + 4) & ~3; -tmp_ptr = -OPENSSL_realloc(ctx->l, ctx->max_l_index * sizeof(OCB_BLOCK)); +tmp_ptr = OPENSSL_realloc(ctx->l, ctx->max_l_index * sizeof(OCB_BLOCK)); if (tmp_ptr == NULL) /* prevent ctx->l from being clobbered */ return NULL; ctx->l = tmp_ptr; _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 0edb109f97c1bbbd5961326f93b2ccf385b26674 (commit) from 2ce71b60272325c4453914b501a2c2ff1b75c80d (commit) - Log - commit 0edb109f97c1bbbd5961326f93b2ccf385b26674 Author: Andy Polyakov Date: Tue Jul 3 21:34:08 2018 +0200 evp/e_chacha20_poly1305.c: further improve small-fragment TLS performance. Improvement coefficients vary with TLS fragment length and platform, on most Intel processors maximum improvement is ~50%, while on Ryzen - 80%. The "secret" is new dedicated ChaCha20_128 code path and vectorized xor helpers. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6638) --- Summary of changes: crypto/evp/e_chacha20_poly1305.c | 54 ++--- crypto/poly1305/asm/poly1305-x86_64.pl | 104 + 2 files changed, 150 insertions(+), 8 deletions(-) diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c index 47d5e50..6a9bccf 100644 --- a/crypto/evp/e_chacha20_poly1305.c +++ b/crypto/evp/e_chacha20_poly1305.c 
@@ -196,14 +196,23 @@ static int chacha20_poly1305_init_key(EVP_CIPHER_CTX *ctx, } # if !defined(OPENSSL_SMALL_FOOTPRINT) + +# if defined(POLY1305_ASM) && (defined(__x86_64) || defined(__x86_64__) || \ + defined(_M_AMD64) || defined(_M_X64)) +#define XOR128_HELPERS +void *xor128_encrypt_n_pad(void *out, const void *inp, void *otp, size_t len); +void *xor128_decrypt_n_pad(void *out, const void *inp, void *otp, size_t len); +static const unsigned char zero[4 * CHACHA_BLK_SIZE] = { 0 }; +# else static const unsigned char zero[2 * CHACHA_BLK_SIZE] = { 0 }; +# endif static int chacha20_poly1305_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t len) { EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx); -size_t i, tail, tohash_len, plen = actx->tls_payload_length; -unsigned char *buf, *tohash, *ctr, storage[2 * CHACHA_BLK_SIZE + 32]; +size_t tail, tohash_len, buf_len, plen = actx->tls_payload_length; +unsigned char *buf, *tohash, *ctr, storage[sizeof(zero) + 32]; if (len != plen + POLY1305_BLOCK_SIZE) return -1; @@ -212,9 +221,11 @@ static int chacha20_poly1305_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, ctr = buf + CHACHA_BLK_SIZE; tohash = buf + CHACHA_BLK_SIZE - POLY1305_BLOCK_SIZE; -if (plen <= CHACHA_BLK_SIZE) { +# ifdef XOR128_HELPERS +if (plen <= 3 * CHACHA_BLK_SIZE) { actx->key.counter[0] = 0; -ChaCha20_ctr32(buf, zero, 2 * CHACHA_BLK_SIZE, actx->key.key.d, +buf_len = (plen + 2 * CHACHA_BLK_SIZE - 1) & (0 - CHACHA_BLK_SIZE); +ChaCha20_ctr32(buf, zero, buf_len, actx->key.key.d, actx->key.counter); Poly1305_Init(POLY1305_ctx(actx), buf); actx->key.partial_len = 0; 
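Review bot: The new `XOR128_HELPERS` block declares the assembler entry points `xor128_encrypt_n_pad` / `xor128_decrypt_n_pad` as bare prototypes in the .c file with no statement of their contract, and the next hunk relies on that contract silently: `tohash_len = (size_t)(ctr - tohash)` only works if the helper zero-pads the hashed region up to the Poly1305 block size and returns the pointer just past that padding. A comment on the prototypes spelling this out, e.g. `/* XOR len bytes of inp with the keystream at otp into out, pad the hashed buffer to a POLY1305_BLOCK_SIZE boundary and return the pointer past the padding */`, would let a reader check the x86_64 implementation against it (that file is not in this hunk). The rounding `buf_len = (plen + 2 * CHACHA_BLK_SIZE - 1) & (0 - CHACHA_BLK_SIZE)` together with the `plen <= 3 * CHACHA_BLK_SIZE` guard keeps `buf_len` at most `4 * CHACHA_BLK_SIZE`, matching the enlarged `zero[]` and `storage[sizeof(zero) + 32]`; stating that bound next to the guard would make the buffer sizing auditable at a glance. The function body continues past this hunk.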
@@ -223,6 +234,31 @@ static int chacha20_poly1305_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, actx->len.aad = EVP_AEAD_TLS1_AAD_LEN; actx->len.text = plen; +if (plen) { +if (ctx->encrypt) +ctr = xor128_encrypt_n_pad(out, in, ctr, plen); +else +ctr = xor128_decrypt_n_pad(out, in, ctr, plen); + +in += plen; +out += plen; +tohash_len = (size_t)(ctr - tohash); +} +} +# else +if (plen <= CHACHA_BLK_SIZE) { +size_t i; + +actx->key.counter[0] = 0; +ChaCha20_ctr32(buf, zero, (buf_len = 2 * CHACHA_BLK_SIZE), + actx->key.key.d, actx->key.counter); +Poly1305_Init(POLY1305_ctx(actx), buf); +actx->key.partial_len = 0; +memcpy(tohash, actx->tls_aad, POLY1305_BLOCK_SIZE); +tohash_len = POLY1305_BLOCK_SIZE; +actx->len.aad = EVP_AEAD_TLS1_AAD_LEN; +actx->len.text = plen; + if (ctx->encrypt) { for (i = 0; i < plen; i++) { out[i] = ctr[i] ^= in[i]; @@ -242,10 +278,12 @@ static int chacha20_poly1305_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, memset(ctr + i, 0, tail); ctr += i + tail; tohash_len += i + tail; -} else { +} +# endif +else { actx->key.counter[0] = 0; -ChaCha20_ctr32(buf, zero, CHACHA_BLK_SIZE, actx->key.key.d, - actx->key.counter); +ChaCha20_ctr32(buf, zero, (buf_len = CHACHA_BLK_SIZE), + actx->key.key.d, actx->key.counter); Poly1305_Init(POLY1305_ctx(actx), buf); actx->key.counter[0] = 1; actx->key.partial_len = 0; @@ -300,7 +338,7 @@ st
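Review bot: The `# else` fallback in chacha20_poly1305_tls_cipher assigns `buf_len` inside the call arguments, `ChaCha20_ctr32(buf, zero, (buf_len = 2 * CHACHA_BLK_SIZE), ...)`, and the shared `else` branch in the following hunk does the same with `(buf_len = CHACHA_BLK_SIZE)`; putting `buf_len = ...;` on its own line before each call would make the value visible to a reader and to anyone auditing how much of `buf` is later cleared, which is outside these hunks. Splitting one `if ... else` chain across `# ifdef` / `# else` / `# endif` arms also leaves the `}` / `# endif` / `else {` sequence easy to misread; a short comment on that `else`, `/* plen larger than the short-input path handles: generic path */`, would help. The function body continues past this hunk.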
[openssl-commits] [openssl] master update
The branch master has been updated via d5487a454c485eb6f9aef7fb0cb1c0681a06fd25 (commit) via b068a9b914887af5cc99895754412582fbb0e10b (commit) from 4cb004573a28fe5f8f8d95dc9407e0fe9df6f14c (commit) - Log - commit d5487a454c485eb6f9aef7fb0cb1c0681a06fd25 Author: Andy Polyakov Date: Mon Jul 2 13:16:33 2018 +0200 chacha/asm/chacha-x86_64.pl: add dedicated path for 128-byte inputs. The 128-byte vectors are extensively used in chacha20_poly1305_tls_cipher and dedicated code path is ~30-50% faster on most platforms. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6626) commit b068a9b914887af5cc99895754412582fbb0e10b Author: Andy Polyakov Date: Mon Jul 2 13:12:49 2018 +0200 perlasm/x86_64-xlate.pl: refine symbol recognition in .xdata. Hexadecimals were erroneously recognized as symbols in .xdata. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6626) --- Summary of changes: crypto/chacha/asm/chacha-x86_64.pl | 295 +++-- crypto/perlasm/x86_64-xlate.pl | 2 +- 2 files changed, 222 insertions(+), 75 deletions(-) diff --git a/crypto/chacha/asm/chacha-x86_64.pl b/crypto/chacha/asm/chacha-x86_64.pl index 51bb6a9..b54f3b1 100755 --- a/crypto/chacha/asm/chacha-x86_64.pl +++ b/crypto/chacha/asm/chacha-x86_64.pl @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy 
@@ -28,33 +28,32 @@ # # Performance in cycles per byte out of large buffer. # -# IALU/gcc 4.8(i) 1xSSSE3/SSE24xSSSE3 NxAVX(v) +# IALU/gcc 4.8(i) 1x/2xSSSE3(ii) 4xSSSE3 NxAVX(v) # -# P4 9.48/+99% -/22.7(ii) - -# Core27.83/+55% 7.90/8.08 4.35 -# Westmere 7.19/+50% 5.60/6.70 3.00 -# Sandy Bridge 8.31/+42% 5.45/6.76 2.72 -# Ivy Bridge 6.71/+46% 5.40/6.49 2.41 -# Haswell 5.92/+43% 5.20/6.45 2.421.23 -# Skylake[-X] 5.87/+39% 4.70/- 2.311.19[0.80(vi)] -# Silvermont 12.0/+33% 7.75/7.40 7.03(iii) -# Knights L11.7/- - 9.60(iii) 0.80 -# Goldmont 10.6/+17% 5.10/- 3.28 -# Sledgehammer 7.28/+52% -/14.2(ii) - -# Bulldozer9.66/+28% 9.85/11.1 3.06(iv) -# Ryzen5.96/+50% 5.19/- 2.402.09 -# VIA Nano 10.5/+46% 6.72/8.60 6.05 +# P4 9.48/+99% - - +# Core27.83/+55% 7.90/5.76 4.35 +# Westmere 7.19/+50% 5.60/4.50 3.00 +# Sandy Bridge 8.31/+42% 5.45/4.00 2.72 +# Ivy Bridge 6.71/+46% 5.40/? 2.41 +# Haswell 5.92/+43% 5.20/3.45 2.421.23 +# Skylake[-X] 5.87/+39% 4.70/3.22 2.311.19[0.80(vi)] +# Silvermont 12.0/+33% 7.75/6.90 7.03(iii) +# Knights L11.7/- ? 
9.60(iii) 0.80 +# Goldmont 10.6/+17% 5.10/3.52 3.28 +# Sledgehammer 7.28/+52% - - +# Bulldozer9.66/+28% 9.85/5.35(iv) 3.06(iv) +# Ryzen5.96/+50% 5.19/3.00 2.402.09 +# VIA Nano 10.5/+46% 6.72/6.88 6.05 # # (i) compared to older gcc 3.x one can observe >2x improvement on # most platforms; -# (ii) as it can be seen, SSE2 performance is too low on legacy -# processors; NxSSE2 results are naturally better, but not -# impressively better than IALU ones, which is why you won't -# find SSE2 code below; +# (ii) 2xSSSE3 is code path optimized specifically for 128 bytes used +# by chacha20_poly1305_tls_cipher, results are EVP-free; # (iii)this is not optimal result for Atom because of MSROM # limitations, SSE2 can do better, but gain is considered too # low to justify the [maintenance] effort; -# (iv) Bulldozer actually executes 4xXOP code path that delivers 2.20; +# (iv) Bulldozer actually executes 4xXOP code path that delivers 2.20 +# and 4.85 for 128-byte inputs; # (v) 8xAVX2, 8xAVX512VL or 16xAVX512F, whichever best applicable; # (vi) even though Skylake-X can execute AVX512F code and deliver 0.57 # cpb in single thread, the corresponding capability is suppressed; @@ -489,6 +488,7 @@ $code.=<<___if ($avx); ___ $code.=<<___; cmp \$128,$len # we might throw away some data, + je .LChaCha20_128 ja .LChaCha20_4
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via e35e5941e0b2f7af1cd56f07ee8d4eaf2b445132 (commit) from a80f76aff4e0be3f5738cf9b292f940dc06a0e2a (commit) - Log - commit e35e5941e0b2f7af1cd56f07ee8d4eaf2b445132 Author: Andy Polyakov Date: Sat Jun 30 12:52:10 2018 +0200 test/evp_test.c: address sanitizer errors in pderive_test_run. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6614) --- Summary of changes: test/evp_test.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/evp_test.c b/test/evp_test.c index fb2ca27..c2434db 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -1592,19 +1592,19 @@ static int pderive_test_run(struct evp_test *t) struct pkey_data *kdata = t->data; unsigned char *out = NULL; size_t out_len; -const char *err = "INTERNAL_ERROR"; +const char *err = "DERIVE_ERROR"; -out_len = kdata->output_len; +if (EVP_PKEY_derive(kdata->ctx, NULL, _len) <= 0) +goto err; out = OPENSSL_malloc(out_len); if (!out) { fprintf(stderr, "Error allocating output buffer!\n"); exit(1); } -err = "DERIVE_ERROR"; if (EVP_PKEY_derive(kdata->ctx, out, _len) <= 0) goto err; err = "SHARED_SECRET_LENGTH_MISMATCH"; -if (out_len != kdata->output_len) +if (kdata->output == NULL || out_len != kdata->output_len) goto err; err = "SHARED_SECRET_MISMATCH"; if (check_output(t, kdata->output, out, out_len)) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
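Review bot: A test vector with no expected output is now reported as `SHARED_SECRET_LENGTH_MISMATCH`, because the added `kdata->output == NULL` test shares that label with the length comparison; the diagnostic then points at the derived length rather than at the missing expectation. Give the NULL case its own label before the length check, e.g. `err = "MISSING_OUTPUT"; if (kdata->output == NULL) goto err;` (label name is a suggestion), and keep `if (out_len != kdata->output_len) goto err;` under the existing label. The `_len` arguments in this rendering look like `&out_len` with the ampersand stripped by the mail-to-HTML conversion rather than a code change. pderive_test_run() continues past the end of the hunk.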
[openssl-commits] [openssl] master update
The branch master has been updated via a0e53000a8d2f464c5a49e93abaa606e67d7558e (commit) from ce5eb5e8149d8d03660575f4b8504c993851988a (commit) - Log - commit a0e53000a8d2f464c5a49e93abaa606e67d7558e Author: Andy Polyakov Date: Fri Jun 29 18:46:57 2018 +0200 rand/rand_unix.c: address macro redefinition warning. Occasionally, e.g. when compiling for elderly glibc, you end up passing -D_GNU_SOURCE on command line, and doing so triggered warning... Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6616) --- Summary of changes: crypto/rand/rand_unix.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c index b64cf27..f482de0 100644 --- a/crypto/rand/rand_unix.c +++ b/crypto/rand/rand_unix.c @@ -7,7 +7,9 @@ * https://www.openssl.org/source/license.html */ -#define _GNU_SOURCE +#ifndef _GNU_SOURCE +# define _GNU_SOURCE +#endif #include "e_os.h" #include #include "internal/cryptlib.h" _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
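Review bot: The new `#ifndef _GNU_SOURCE` guard carries no comment saying why the file needs the macro or that it must stay ahead of every system header, so a later maintainer who hoists an `#include` above it would silently lose the GNU prototypes. Suggest `/* _GNU_SOURCE may already come from CFLAGS; it must be defined before any system header */` on the line above the guard. Note the guard only avoids the redefinition warning; if the build defines `_GNU_SOURCE` to some other value, that value is now kept, which is presumably intended.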
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via a80f76aff4e0be3f5738cf9b292f940dc06a0e2a (commit) from c7b9e7be89c987fbf065852d846ac4982a32941b (commit) - Log - commit a80f76aff4e0be3f5738cf9b292f940dc06a0e2a Author: Andy Polyakov Date: Fri Jun 29 17:48:54 2018 +0200 modes/asm/ghash-armv4.pl: address "infixes are deprecated" warnings. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6615) (cherry picked from commit ce5eb5e8149d8d03660575f4b8504c993851988a) --- Summary of changes: crypto/modes/asm/ghash-armv4.pl | 7 ++- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/crypto/modes/asm/ghash-armv4.pl b/crypto/modes/asm/ghash-armv4.pl index 7d880c9..426ef30 100644 --- a/crypto/modes/asm/ghash-armv4.pl +++ b/crypto/modes/asm/ghash-armv4.pl @@ -145,6 +145,8 @@ $code=<<___; .text #if defined(__thumb2__) || defined(__clang__) .syntaxunified +#define ldrplb ldrbpl +#define ldrneb ldrbne #endif #if defined(__thumb2__) .thumb @@ -152,11 +154,6 @@ $code=<<___; .code 32 #endif -#ifdef __clang__ -#define ldrplb ldrbpl -#define ldrneb ldrbne -#endif - .type rem_4bit,%object .align 5 rem_4bit: _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via ce5eb5e8149d8d03660575f4b8504c993851988a (commit) from a091e212fc55244fe03a4c7db7d8978c5b5014cb (commit) - Log - commit ce5eb5e8149d8d03660575f4b8504c993851988a Author: Andy Polyakov Date: Fri Jun 29 17:48:54 2018 +0200 modes/asm/ghash-armv4.pl: address "infixes are deprecated" warnings. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6615) --- Summary of changes: crypto/modes/asm/ghash-armv4.pl | 7 ++- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/crypto/modes/asm/ghash-armv4.pl b/crypto/modes/asm/ghash-armv4.pl index 9cc072e..9d8c988 100644 --- a/crypto/modes/asm/ghash-armv4.pl +++ b/crypto/modes/asm/ghash-armv4.pl @@ -145,6 +145,8 @@ $code=<<___; .text #if defined(__thumb2__) || defined(__clang__) .syntaxunified +#define ldrplb ldrbpl +#define ldrneb ldrbne #endif #if defined(__thumb2__) .thumb @@ -152,11 +154,6 @@ $code=<<___; .code 32 #endif -#ifdef __clang__ -#define ldrplb ldrbpl -#define ldrneb ldrbne -#endif - .type rem_4bit,%object .align 5 rem_4bit: _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via a091e212fc55244fe03a4c7db7d8978c5b5014cb (commit) from 249330de0250bc598d20d383bab37d150cdad239 (commit) - Log - commit a091e212fc55244fe03a4c7db7d8978c5b5014cb Author: Andy Polyakov Date: Wed Jun 27 12:16:52 2018 +0200 evp/e_chacha20_poly1305.c: improve performance for short TLS records. Inputs not longer than 64 bytes are processed ~10% faster, longer lengths not divisble by 64, e.g. 255, up to ~20%. Unfortunately it's impossible to measure with apps/speed.c, -aead benchmarks TLS-like call sequence, but not exact. It took specially crafted code path... Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6597) --- Summary of changes: crypto/evp/e_chacha20_poly1305.c | 158 --- 1 file changed, 148 insertions(+), 10 deletions(-) diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c index 9bf98f1..47d5e50 100644 --- a/crypto/evp/e_chacha20_poly1305.c +++ b/crypto/evp/e_chacha20_poly1305.c @@ -150,6 +150,7 @@ typedef struct { EVP_CHACHA_KEY key; unsigned int nonce[12/4]; unsigned char tag[POLY1305_BLOCK_SIZE]; +unsigned char tls_aad[POLY1305_BLOCK_SIZE]; struct { uint64_t aad, text; } len; int aad, mac_inited, tag_len, nonce_len; size_t tls_payload_length; @@ -179,7 +180,8 @@ static int chacha20_poly1305_init_key(EVP_CIPHER_CTX *ctx, /* pad on the left */ if (actx->nonce_len <= CHACHA_CTR_SIZE) -memcpy(temp + CHACHA_CTR_SIZE - actx->nonce_len, iv, actx->nonce_len); +memcpy(temp + CHACHA_CTR_SIZE - actx->nonce_len, iv, + actx->nonce_len); chacha_init_key(ctx, inkey, temp, enc); 
@@ -193,23 +195,158 @@ static int chacha20_poly1305_init_key(EVP_CIPHER_CTX *ctx, return 1; } +# if !defined(OPENSSL_SMALL_FOOTPRINT) +static const unsigned char zero[2 * CHACHA_BLK_SIZE] = { 0 }; + +static int chacha20_poly1305_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, +const unsigned char *in, size_t len) +{ +EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx); +size_t i, tail, tohash_len, plen = actx->tls_payload_length; +unsigned char *buf, *tohash, *ctr, storage[2 * CHACHA_BLK_SIZE + 32]; + +if (len != plen + POLY1305_BLOCK_SIZE) +return -1; + +buf = storage + ((0 - (size_t)storage) & 15); /* align */ +ctr = buf + CHACHA_BLK_SIZE; +tohash = buf + CHACHA_BLK_SIZE - POLY1305_BLOCK_SIZE; + +if (plen <= CHACHA_BLK_SIZE) { +actx->key.counter[0] = 0; +ChaCha20_ctr32(buf, zero, 2 * CHACHA_BLK_SIZE, actx->key.key.d, + actx->key.counter); +Poly1305_Init(POLY1305_ctx(actx), buf); +actx->key.partial_len = 0; +memcpy(tohash, actx->tls_aad, POLY1305_BLOCK_SIZE); +tohash_len = POLY1305_BLOCK_SIZE; +actx->len.aad = EVP_AEAD_TLS1_AAD_LEN; +actx->len.text = plen; + +if (ctx->encrypt) { +for (i = 0; i < plen; i++) { +out[i] = ctr[i] ^= in[i]; +} +} else { +for (i = 0; i < plen; i++) { +unsigned char c = in[i]; +out[i] = ctr[i] ^ c; +ctr[i] = c; +} +} + +in += i; +out += i; + +tail = (0 - i) & (POLY1305_BLOCK_SIZE - 1); +memset(ctr + i, 0, tail); +ctr += i + tail; +tohash_len += i + tail; +} else { +actx->key.counter[0] = 0; +ChaCha20_ctr32(buf, zero, CHACHA_BLK_SIZE, actx->key.key.d, + actx->key.counter); +Poly1305_Init(POLY1305_ctx(actx), buf); +actx->key.counter[0] = 1; +actx->key.partial_len = 0; +Poly1305_Update(POLY1305_ctx(actx), actx->tls_aad, POLY1305_BLOCK_SIZE); +tohash = ctr; +tohash_len = 0; +actx->len.aad = EVP_AEAD_TLS1_AAD_LEN; +actx->len.text = plen; + +if (ctx->encrypt) { +ChaCha20_ctr32(out, in, plen, actx->key.key.d, actx->key.counter); +Poly1305_Update(POLY1305_ctx(actx), out, plen); +} else { +Poly1305_Update(POLY1305_ctx(actx), in, plen); 
+ChaCha20_ctr32(out, in, plen, actx->key.key.d, actx->key.counter); +} + +in += plen; +out += plen; +tail = (0 - plen) & (POLY1305_BLOCK_SIZE - 1); +Poly1305_Update(POLY1305_ctx(actx), zero, tail); +} + +{ +const union { +long one; +char little; +} is_endian = { 1 }; + +if (is_endian.little) { +memcpy(ctr, (unsigned char *)>len, POL
[openssl-commits] [openssl] master update
The branch master has been updated via 249330de0250bc598d20d383bab37d150cdad239 (commit) from 8eab767a718f44ccba9888eeb81a5328cff47bab (commit) - Log - commit 249330de0250bc598d20d383bab37d150cdad239 Author: Billy Brumley Date: Thu Jun 28 10:59:08 2018 +0300 More EVP ECC testing: positive and negative 1. For every named curve, two "golden" keypair positive tests. 2. Also two "golden" stock ECDH positive tests. 3. For named curves with non-trivial cofactors, additionally two "golden" ECC CDH positive tests. 4. For named curves with non-trivial cofactors, additionally two negative tests. There is some overlap with existing EVP tests, especially for the NIST curves (for example, positive testing ECC CDH KATs for NIST curves). "Golden" here means all the values are independent from OpenSSL's ECC code. I used sage to calculate them. What comes from OpenSSL is: 1. The OIDs (parsed by tooling) 2. The curve parameters (parsing ecparam output with tooling) The values inside the PEMs (private keys, public keys) and shared keys are from sage. The PEMs themselves are the output of asn1parse, with input taken from sage. Reviewed-by: Andy Polyakov Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6608) --- Summary of changes: test/recipes/30-test_evp.t|2 +- test/recipes/30-test_evp_data/evppkey_ecc.txt | 4366 + 2 files changed, 4367 insertions(+), 1 deletion(-) create mode 100644 test/recipes/30-test_evp_data/evppkey_ecc.txt diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t index b498244..4fca366 100644 --- a/test/recipes/30-test_evp.t +++ b/test/recipes/30-test_evp.t @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/; setup("test_evp"); my @files = ( "evpciph.txt", "evpdigest.txt", "evpencod.txt", "evpkdf.txt", -"evpmac.txt", "evppbe.txt", "evppkey.txt" ); +"evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt" ); plan tests => scalar(@files); 
diff --git a/test/recipes/30-test_evp_data/evppkey_ecc.txt b/test/recipes/30-test_evp_data/evppkey_ecc.txt new file mode 100644 index 000..685af17 --- /dev/null +++ b/test/recipes/30-test_evp_data/evppkey_ecc.txt 
@@ -0,0 +1,4366 @@ +Title=brainpoolP160r1 curve tests + +PrivateKey=ALICE_cf_brainpoolP160r1 +-BEGIN PRIVATE KEY- +MDYCAQAwFAYHKoZIzj0CAQYJKyQDAwIIAQEBBBswGQIBAQQUo0UiM85512uHsr2DkIOYgyxSQxk= +-END PRIVATE KEY- + +PublicKey=ALICE_cf_brainpoolP160r1_PUB +-BEGIN PUBLIC KEY- +MEIwFAYHKoZIzj0CAQYJKyQDAwIIAQEBAyoABI7OZhLqr+8c3D9Tn6++CqQtc9jG5a1COb1okeZb +wKJUkmWn6NvNCQQ= +-END PUBLIC KEY- + +PrivPubKeyPair=ALICE_cf_brainpoolP160r1:ALICE_cf_brainpoolP160r1_PUB + +PrivateKey=BOB_cf_brainpoolP160r1 +-BEGIN PRIVATE KEY- +MDYCAQAwFAYHKoZIzj0CAQYJKyQDAwIIAQEBBBswGQIBAQQUmr0Vq3Z/feXq9tg9s8dxJXne1dU= +-END PRIVATE KEY- + +PublicKey=BOB_cf_brainpoolP160r1_PUB +-BEGIN PUBLIC KEY- +MEIwFAYHKoZIzj0CAQYJKyQDAwIIAQEBAyoABAu+ovBXBFQuw3Rt9qeImT6mLh9rerLFnTRL0+LH +sptS1Mbd0R4+5HM= +-END PUBLIC KEY- + +PrivPubKeyPair=BOB_cf_brainpoolP160r1:BOB_cf_brainpoolP160r1_PUB + +# ECDH Alice with Bob peer +Derive=ALICE_cf_brainpoolP160r1 +PeerKey=BOB_cf_brainpoolP160r1_PUB +SharedSecret=2e75cb6a8f13951b437e04a0ed1d714a610036cc + +# ECDH Bob with Alice peer +Derive=BOB_cf_brainpoolP160r1 +PeerKey=ALICE_cf_brainpoolP160r1_PUB +SharedSecret=2e75cb6a8f13951b437e04a0ed1d714a610036cc + +Title=brainpoolP160t1 curve tests + +PrivateKey=ALICE_cf_brainpoolP160t1 +-BEGIN PRIVATE KEY- +MDYCAQAwFAYHKoZIzj0CAQYJKyQDAwIIAQECBBswGQIBAQQU1P/o5GQx5PA0kQoiwUtaXBUASUY= +-END PRIVATE KEY- + +PublicKey=ALICE_cf_brainpoolP160t1_PUB +-BEGIN PUBLIC KEY- +MEIwFAYHKoZIzj0CAQYJKyQDAwIIAQECAyoABANetsUNsxVmDo7X4LQ9yPYTcjN1HvLTo9GEEQtV +lG71NyzLPQwPDwM= +-END PUBLIC KEY- + +PrivPubKeyPair=ALICE_cf_brainpoolP160t1:ALICE_cf_brainpoolP160t1_PUB + +PrivateKey=BOB_cf_brainpoolP160t1 +-BEGIN PRIVATE KEY- +MDYCAQAwFAYHKoZIzj0CAQYJKyQDAwIIAQECBBswGQIBAQQUck4Sh9X3JjSUIRoxxKv8qLM6Ijc= +-END PRIVATE KEY- + +PublicKey=BOB_cf_brainpoolP160t1_PUB +-BEGIN PUBLIC KEY- +MEIwFAYHKoZIzj0CAQYJKyQDAwIIAQECAyoABEtd7DRUMYXeoxhxpWgPz/esQkXtoTAAune8CAAo +HqNNlR11VDctfkw= +-END PUBLIC KEY- + 
+PrivPubKeyPair=BOB_cf_brainpoolP160t1:BOB_cf_brainpoolP160t1_PUB + +# ECDH Alice with Bob peer +Derive=ALICE_cf_brainpoolP160t1 +PeerKey=BOB_cf_brainpoolP160t1_PUB +SharedSecret=6ea603a6a1a83812b967c83ef1867bd807be761e + +# ECDH Bob with Alice peer +Derive=BOB_cf_brainpoolP160t1 +Peer
[openssl-commits] [openssl] master update
The branch master has been updated via 2c879241baaf9115e8ebbe228e1a624564eea64c (commit) from 32f803d88ec3df7f95dfbf840c271f7438ce3357 (commit) - Log - commit 2c879241baaf9115e8ebbe228e1a624564eea64c Author: Andy Polyakov Date: Fri Jun 22 14:13:59 2018 +0200 NOTES.UNIX: add "Linking your application" paragraph ... and mention more runtime search path flags. Reviewed-by: Rich Salz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6587) --- Summary of changes: NOTES.UNIX | 44 +++- 1 file changed, 35 insertions(+), 9 deletions(-) diff --git a/NOTES.UNIX b/NOTES.UNIX index 284da10..6c291cb 100644 --- a/NOTES.UNIX +++ b/NOTES.UNIX @@ -24,12 +24,12 @@ Every Unix system has its own set of default locations for shared libraries, such as /lib, /usr/lib or possibly /usr/local/lib. If libraries are installed in non-default locations, dynamically linked - binaries will not find them and therefore fail to run unless they get a - bit of help from a defined runtime shared library search path. + binaries will not find them and therefore fail to run, unless they get + a bit of help from a defined runtime shared library search path. For OpenSSL's application (the 'openssl' command), our configuration scripts do NOT generally set the runtime shared library search path for - you. It's therefore advisable to set it explicitly when configuring + you. It's therefore advisable to set it explicitly when configuring, unless the libraries are to be installed in directories that you know to be in the default list. 
@@ -42,14 +42,15 @@ Possible options to set the runtime shared library search path include the following: --Wl,-rpath,/whatever/path --R /whatever/path --rpath /whatever/path +-Wl,-rpath,/whatever/path # Linux, *BSD, etc. +-R /whatever/path # Solaris +-Wl,-R,/whatever/path # AIX (-bsvr4 is passed internally) +-Wl,+b,/whatever/path # HP-UX +-rpath /whatever/path # Tru64, IRIX OpenSSL's configuration scripts recognise all these options and pass - them to the Makefile that they build. (In fact, it recognises anything - starting with '-Wl,' as a linker option, so for example, HP-UX' - '-Wl,+b,/whatever/path' would be used correctly) + them to the Makefile that they build. (In fact, all arguments starting + with '-Wl,' are recognised as linker options.) Please do not use verbatim directories in your runtime shared library search path! Some OpenSSL config targets add an extra directory level 
@@ -89,3 +90,28 @@ $ ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl \ '-Wl,--enable-new-dtags,-rpath,$(LIBRPATH)' + + It might be worth noting that some/most ELF systems implement support + for runtime search path relative to the directory containing current + executable, by interpreting $ORIGIN along with some other internal + variables. Consult your system documentation. + + Linking your application + + + Third-party applications dynamically linked with OpenSSL (or any other) + shared library face exactly the same problem with non-default locations. + The OpenSSL config options mentioned above might or might not have bearing + on linking of the target application. "Might" means that under some + circumstances it would be sufficient to link with OpenSSL shared library + "naturally", i.e. with -L/whatever/path -lssl -lcrypto. But there are + also cases when you'd have to explicitly specify runtime search path + when linking your application. Consult your system documentation and use + above section as inspiration... + + Shared OpenSSL builds also install static libraries. Linking with the + latter is likely to require special care, because linkers usually look + for shared libraries first and tend to remain "blind" to static OpenSSL + libraries. Referring to system documentation would suffice, if not for + a corner case. On AIX static libraries (in shared build) are named + differently, add _a suffix to link with them, e.g. -lcrypto_a. _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via fa339c69a6441ab79623c73f637e25018c735b49 (commit) from 1753d1237429bace72a944f7654ce4b1c4364f60 (commit) - Log - commit fa339c69a6441ab79623c73f637e25018c735b49 Author: Andy Polyakov Date: Sun Jun 24 16:43:21 2018 +0200 store/loader_file.c: fix char-subscripts warning. This happens on systems that perform is* character classifictions as array lookup, e.g. NetBSD. Reviewed-by: Rich Salz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/6584) --- Summary of changes: crypto/store/loader_file.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/store/loader_file.c b/crypto/store/loader_file.c index 1d36cd2..25ada81 100644 --- a/crypto/store/loader_file.c +++ b/crypto/store/loader_file.c @@ -1216,9 +1216,9 @@ static int file_name_check(OSSL_STORE_LOADER_CTX *ctx, const char *name) * Last, check that the rest of the extension is a decimal number, at * least one digit long. */ -if (!isdigit(*p)) +if (!ossl_isdigit(*p)) return 0; -while (isdigit(*p)) +while (ossl_isdigit(*p)) p++; # ifdef __VMS @@ -1227,7 +1227,7 @@ static int file_name_check(OSSL_STORE_LOADER_CTX *ctx, const char *name) */ if (*p == ';') for (p++; *p != '\0'; p++) -if (!isdigit(*p)) +if (!ossl_isdigit(*p)) break; # endif _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 95a3705745aee42c6a6ef991707664c644541283 (commit) from 469c2c4a455007ca3465b64e88a1dcfc864e3f0e (commit) - Log - commit 95a3705745aee42c6a6ef991707664c644541283 Author: Andy Polyakov Date: Fri Jun 22 15:37:26 2018 +0200 ec/ec_pmeth.c: minor cleanups and readability fixes. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6562) --- Summary of changes: crypto/ec/ec_pmeth.c | 53 +--- 1 file changed, 30 insertions(+), 23 deletions(-) diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c index f4ea8b5..5bee031 100644 --- a/crypto/ec/ec_pmeth.c +++ b/crypto/ec/ec_pmeth.c @@ -88,11 +88,12 @@ static int pkey_ec_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) static void pkey_ec_cleanup(EVP_PKEY_CTX *ctx) { EC_PKEY_CTX *dctx = ctx->data; -if (dctx) { +if (dctx != NULL) { EC_GROUP_free(dctx->gen_group); EC_KEY_free(dctx->co_key); OPENSSL_free(dctx->kdf_ukm); OPENSSL_free(dctx); +ctx->data = NULL; } } @@ -103,19 +104,23 @@ static int pkey_ec_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, unsigned int sltmp; EC_PKEY_CTX *dctx = ctx->data; EC_KEY *ec = ctx->pkey->pkey.ec; +const int sig_sz = ECDSA_size(ec); -if (!sig) { -*siglen = ECDSA_size(ec); +/* ensure cast to size_t is safe */ +if (!ossl_assert(sig_sz > 0)) +return 0; + +if (sig == NULL) { +*siglen = (size_t)sig_sz; return 1; -} else if (*siglen < (size_t)ECDSA_size(ec)) { +} + +if (*siglen < (size_t)sig_sz) { ECerr(EC_F_PKEY_EC_SIGN, EC_R_BUFFER_TOO_SMALL); return 0; } -if (dctx->md) -type = EVP_MD_type(dctx->md); -else -type = NID_sha1; +type = (dctx->md != NULL) ? EVP_MD_type(dctx->md) : NID_sha1; ret = ECDSA_sign(type, tbs, tbslen, sig, , ec); @@ -386,7 +391,8 @@ static int pkey_ec_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { EC_KEY *ec = NULL; EC_PKEY_CTX *dctx = ctx->data; -int ret = 0; +int ret; + if (dctx->gen_group == NULL) { ECerr(EC_F_PKEY_EC_PARAMGEN, EC_R_NO_PARAMETERS_SET); return 0; 
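Review bot: `if (!ossl_assert(sig_sz > 0)) return 0;` in pkey_ec_sign() fails without pushing anything onto the error queue, so an EVP_PKEY_sign() caller gets a bare 0 with no reason, while the other failure path in the same hunk calls ECerr(). Add `ECerr(EC_F_PKEY_EC_SIGN, ERR_R_INTERNAL_ERROR);` before that `return 0;` — as far as I can tell ossl_assert() only evaluates the condition in release builds and does not report. The remainder of pkey_ec_sign() after the ECDSA_sign() call is outside the hunk.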
@@ -394,10 +400,8 @@ static int pkey_ec_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) ec = EC_KEY_new(); if (ec == NULL) return 0; -ret = EC_KEY_set_group(ec, dctx->gen_group); -if (ret) -EVP_PKEY_assign_EC_KEY(pkey, ec); -else +if (!(ret = EC_KEY_set_group(ec, dctx->gen_group)) +|| !ossl_assert(ret = EVP_PKEY_assign_EC_KEY(pkey, ec))) EC_KEY_free(ec); return ret; } @@ -406,23 +410,26 @@ static int pkey_ec_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { EC_KEY *ec = NULL; EC_PKEY_CTX *dctx = ctx->data; +int ret; + if (ctx->pkey == NULL && dctx->gen_group == NULL) { ECerr(EC_F_PKEY_EC_KEYGEN, EC_R_NO_PARAMETERS_SET); return 0; } ec = EC_KEY_new(); -if (!ec) +if (ec == NULL) +return 0; +if (!ossl_assert(EVP_PKEY_assign_EC_KEY(pkey, ec))) { +EC_KEY_free(ec); return 0; -EVP_PKEY_assign_EC_KEY(pkey, ec); -if (ctx->pkey) { -/* Note: if error return, pkey is freed by parent routine */ -if (!EVP_PKEY_copy_parameters(pkey, ctx->pkey)) -return 0; -} else { -if (!EC_KEY_set_group(ec, dctx->gen_group)) -return 0; } -return EC_KEY_generate_key(pkey->pkey.ec); +/* Note: if error is returned, we count on caller to free pkey->pkey.ec */ +if (ctx->pkey != NULL) +ret = EVP_PKEY_copy_parameters(pkey, ctx->pkey); +else +ret = EC_KEY_set_group(ec, dctx->gen_group); + +return ret ? EC_KEY_generate_key(ec) : 0; } const EVP_PKEY_METHOD ec_pkey_meth = { _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
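Review bot: The new condition in pkey_ec_paramgen(), `if (!(ret = EC_KEY_set_group(ec, dctx->gen_group)) || !ossl_assert(ret = EVP_PKEY_assign_EC_KEY(pkey, ec)))`, packs two assignments into one expression, one of them inside the assertion macro's argument; the logic is correct but takes several readings, and the pkey_ec_keygen() hunk right below writes the same create/assign sequence as separate statements. Writing it the same way keeps the two functions consistent and keeps the ossl_assert() intact; the rewritten tail of the function is below.
```c
    ec = EC_KEY_new();
    if (ec == NULL)
        return 0;
    ret = EC_KEY_set_group(ec, dctx->gen_group);
    if (ret)
        ret = ossl_assert(EVP_PKEY_assign_EC_KEY(pkey, ec));
    if (!ret)
        EC_KEY_free(ec);    /* not yet owned by pkey on either failure */
    return ret;
```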
[openssl-commits] [openssl] master update
The branch master has been updated via 469c2c4a455007ca3465b64e88a1dcfc864e3f0e (commit) via 5a2124620cb2893b2d5c40be75579cd9c35c839c (commit) from c35e96691ff3415e68531076ff9f011703524c0a (commit) - Log - commit 469c2c4a455007ca3465b64e88a1dcfc864e3f0e Author: Nicola Tuveri Date: Thu Jun 21 19:15:50 2018 +0300 Use ec_group_do_inverse_ord() in SM2 Reviewed-by: Andy Polyakov Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/6521) commit 5a2124620cb2893b2d5c40be75579cd9c35c839c Author: Nicola Tuveri Date: Thu Jun 21 19:08:50 2018 +0300 Add inter-module private header for EC functions Internal submodules of libcrypto may require non-public functions from the EC submodule. In preparation to use `ec_group_do_inverse_ord()` (from #6116) inside the SM2 submodule to apply a SCA mitigation on the modular inversion, this commit moves the `ec_group_do_inverse_ord()` prototype declaration from the EC-local `crypto/ec/ec_lcl.h` header to the `crypto/include/internal/ec_int.h` inter-module private header. Reviewed-by: Andy Polyakov Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/6521) --- Summary of changes: crypto/ec/ec_lcl.h | 4 +--- crypto/include/internal/ec_int.h | 45 crypto/sm2/sm2_sign.c| 3 ++- 3 files changed, 48 insertions(+), 4 deletions(-) create mode 100644 crypto/include/internal/ec_int.h diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h index cf29c7c..ae38029 100644 --- a/crypto/ec/ec_lcl.h +++ b/crypto/ec/ec_lcl.h @@ -14,6 +14,7 @@ #include #include #include "internal/refcount.h" +#include "internal/ec_int.h" #include "curve448/curve448_lcl.h" #if defined(__SUNPRO_C) 
@@ -636,7 +637,4 @@ int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32], void X25519_public_from_private(uint8_t out_public_value[32], const uint8_t private_key[32]); -int ec_group_do_inverse_ord(const EC_GROUP *group, BIGNUM *res, -const BIGNUM *x, BN_CTX *ctx); - int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx); diff --git a/crypto/include/internal/ec_int.h b/crypto/include/internal/ec_int.h new file mode 100644 index 000..bb4b512 --- /dev/null +++ b/crypto/include/internal/ec_int.h 
@@ -0,0 +1,45 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* Internal EC functions for other submodules: not for application use */ + +#ifndef HEADER_OSSL_EC_INTERNAL_H +# define HEADER_OSSL_EC_INTERNAL_H +# include + +# ifndef OPENSSL_NO_EC + +# include + +/*- + * Computes the multiplicative inverse of x in the range + * [1,EC_GROUP::order), where EC_GROUP::order is the cardinality of the + * subgroup generated by the generator G: + * + * res := x^(-1) (mod EC_GROUP::order). + * + * This function expects the following two conditions to hold: + * - the EC_GROUP order is prime, and + * - x is included in the range [1, EC_GROUP::order). + * + * This function returns 1 on success, 0 on error. + * + * If the EC_GROUP order is even, this function explicitly returns 0 as + * an error. + * In case any of the two conditions stated above is not satisfied, + * the correctness of its output is not guaranteed, even if the return + * value could still be 1 (as primality testing and a conditional modular + * reduction round on the input can be omitted by the underlying + * implementations for better SCA properties on regular input values). + */ +__owur int ec_group_do_inverse_ord(const EC_GROUP *group, BIGNUM *res, + const BIGNUM *x, BN_CTX *ctx); + +# endif /* OPENSSL_NO_EC */ +#endif diff --git a/crypto/sm2/sm2_sign.c b/crypto/sm2/sm2_sign.c index 9d19054..14576ca 100644 --- a/crypto/sm2/sm2_sign.c +++ b/crypto/sm2/sm2_sign.c @@ -11,6 +11,7 @@ #include "internal/sm2.h" #include "internal/sm2err.h" +#include "internal/ec_int.h" /* ec_group_do_inverse_ord() */ #include #include #include 
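Review bot: The header comment says out-of-range x gives unspecified output while the call may still return 1, but it does not state who is responsible for reducing x; the SM2 caller in this same commit passes `dA + 1`, which is inside `[1, order)` only if the private key was previously validated to lie below `order - 1`, and I cannot see that validation from here. Add to the comment `* Callers must pass x already reduced into [1, order); no reduction is done here.` so the contract is explicit at the declaration. Minor: the closing `#endif` could carry `/* HEADER_OSSL_EC_INTERNAL_H */` to match the inner `# endif /* OPENSSL_NO_EC */`.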
@@ -133,7 +134,7 @@ static ECDSA_SIG *sm2_sig_gen(const EC_KEY *key, const BIGNUM *e) continue; if (!BN_add(s, dA, BN_value_one()) -|| !BN_mod_inverse(s, s, order, ctx) +|| !ec_group_do_inverse_ord(group, s, s, ctx) || !BN_mod_mul(tmp, dA, r, order, ctx) || !BN_
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 1f3f79e55a9c8257efb406a43d0a925f1fba25e6 (commit) from 2b451311ee5973907da650ed25393130310c3841 (commit) - Log - commit 1f3f79e55a9c8257efb406a43d0a925f1fba25e6 Author: Andy Polyakov Date: Thu Jun 21 13:52:04 2018 +0200 sha/asm/sha{256|512}-armv4.pl: harmonize thumb2 support with the rest. Reviewed-by: Richard Levitte (cherry picked from commit 2e51557bc93f90ca2274230b042acb53cc3a268d) --- Summary of changes: crypto/sha/asm/sha256-armv4.pl | 2 +- crypto/sha/asm/sha512-armv4.pl | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/sha/asm/sha256-armv4.pl b/crypto/sha/asm/sha256-armv4.pl index 55d30cb..509aa2c 100644 --- a/crypto/sha/asm/sha256-armv4.pl +++ b/crypto/sha/asm/sha256-armv4.pl @@ -254,7 +254,7 @@ for($i=0;$i<16;$i++){ _00_15($i,@V); unshift(@V,pop(@V)); } $code.=".Lrounds_16_xx:\n"; for (;$i<32;$i++) { _16_XX($i,@V); unshift(@V,pop(@V)); } $code.=<<___; -#if __ARM_ARCH__>=7 +#ifdef __thumb2__ ite eq @ Thumb2 thing, sanity check in ARM #endif ldreq $t3,[sp,#16*4] @ pull ctx diff --git a/crypto/sha/asm/sha512-armv4.pl b/crypto/sha/asm/sha512-armv4.pl index 22b5a9d..872c27f 100644 --- a/crypto/sha/asm/sha512-armv4.pl +++ b/crypto/sha/asm/sha512-armv4.pl @@ -157,7 +157,7 @@ $code.=<<___; teq $t0,#$magic ldr $t3,[sp,#$Coff+0] @ c.lo -#if __ARM_ARCH__>=7 +#ifdef __thumb2__ it eq @ Thumb2 thing, sanity check in ARM #endif orreq $Ktbl,$Ktbl,#1 @@ -411,7 +411,7 @@ $code.=<<___; ___ _00_15(0x17); $code.=<<___; -#if __ARM_ARCH__>=7 +#ifdef __thumb2__ ittteq @ Thumb2 thing, sanity check in ARM #endif ldreq $t0,[sp,#`$Xoff+8*(16-1)`+0] _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
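Review bot: The trailing comment `@ Thumb2 thing, sanity check in ARM` on the `ite eq`, `it eq` and `ittt eq` lines is now stale: under `#ifdef __thumb2__` those IT instructions are no longer assembled in ARM mode, so they no longer act as a sanity check there. Shorten it to `@ Thumb2 thing` in all three places; the identical hunks in the master commit 2e51557bc93f90ca2274230b042acb53cc3a268d below need the same edit. The affected text sits inside `$code.=<<___` heredocs whose boundaries lie outside the hunks.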
[openssl-commits] [openssl] master update
The branch master has been updated via 2e51557bc93f90ca2274230b042acb53cc3a268d (commit) from 3aab9c40118f6a9d92d3a9d9fa1724421515e09f (commit) - Log - commit 2e51557bc93f90ca2274230b042acb53cc3a268d Author: Andy Polyakov Date: Thu Jun 21 13:52:04 2018 +0200 sha/asm/sha{256|512}-armv4.pl: harmonize thumb2 support with the rest. Reviewed-by: Richard Levitte --- Summary of changes: crypto/sha/asm/sha256-armv4.pl | 2 +- crypto/sha/asm/sha512-armv4.pl | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/sha/asm/sha256-armv4.pl b/crypto/sha/asm/sha256-armv4.pl index 55d30cb..509aa2c 100644 --- a/crypto/sha/asm/sha256-armv4.pl +++ b/crypto/sha/asm/sha256-armv4.pl @@ -254,7 +254,7 @@ for($i=0;$i<16;$i++){ _00_15($i,@V); unshift(@V,pop(@V)); } $code.=".Lrounds_16_xx:\n"; for (;$i<32;$i++) { _16_XX($i,@V); unshift(@V,pop(@V)); } $code.=<<___; -#if __ARM_ARCH__>=7 +#ifdef __thumb2__ ite eq @ Thumb2 thing, sanity check in ARM #endif ldreq $t3,[sp,#16*4] @ pull ctx diff --git a/crypto/sha/asm/sha512-armv4.pl b/crypto/sha/asm/sha512-armv4.pl index 22b5a9d..872c27f 100644 --- a/crypto/sha/asm/sha512-armv4.pl +++ b/crypto/sha/asm/sha512-armv4.pl @@ -157,7 +157,7 @@ $code.=<<___; teq $t0,#$magic ldr $t3,[sp,#$Coff+0] @ c.lo -#if __ARM_ARCH__>=7 +#ifdef __thumb2__ it eq @ Thumb2 thing, sanity check in ARM #endif orreq $Ktbl,$Ktbl,#1 @@ -411,7 +411,7 @@ $code.=<<___; ___ _00_15(0x17); $code.=<<___; -#if __ARM_ARCH__>=7 +#ifdef __thumb2__ ittteq @ Thumb2 thing, sanity check in ARM #endif ldreq $t0,[sp,#`$Xoff+8*(16-1)`+0] _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 8b2f413e8f2f85e5bcc229e3b63c7f32c7c3c1fd (commit) via bd3d8c12606c48388be61db0681ac759804b6100 (commit) via 8f29569ef384d0f6f107bb8b1262e36d874a3cc7 (commit) via cff89b179c91c7c1f6f08b2c1f1697005c1804d2 (commit) via b48d4397b8ee4256f0b0a115eb99f27ae89995e0 (commit) from 3f5abab94104574c32991243668ac633a8d8e525 (commit) - Log - commit 8b2f413e8f2f85e5bcc229e3b63c7f32c7c3c1fd Author: Andy Polyakov Date: Tue Jun 19 18:25:19 2018 +0200 CHANGES: mention AIX shared library support overhaul. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6487) commit bd3d8c12606c48388be61db0681ac759804b6100 Author: Andy Polyakov Date: Fri Jun 15 15:41:07 2018 +0200 recipes/90-test_shlibload.t: disable tests on AIX till further notice. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6487) commit 8f29569ef384d0f6f107bb8b1262e36d874a3cc7 Author: Andy Polyakov Date: Fri Jun 15 15:24:14 2018 +0200 Configurations/10-main.conf: always pass -bsrv4 to AIX linker. This makes AIX build procedure behave more like e.g. Solaris. Most notably this makes it possible to pass -Wl,-R,'$(LIBRPATH)' at config time to embed installation destination as library search path into openssl binary. This doesn't imply that other applications have to be linked with -bsvr4, they are free to choose whatever appropriate for given circumstances. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6487) commit cff89b179c91c7c1f6f08b2c1f1697005c1804d2 Author: Andy Polyakov Date: Thu Jun 14 11:45:15 2018 +0200 Configurations/unix-Makefile.tmpl: switch to "natural" AIX shared libraries. AIX treats its shared libraries in unique manner, by placing multiple shared objects of different versions and bitnesses, into .a file. So far we have been naively linking with version-less libcrypto|ssl.so, which poses long-term maintenance problems. 
One could choose to link straight with libcrypto.so.X.Y [or libcrypto.X.Y.so], but it would be inconsistent with the way AIX [or Unix] does things. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6487) commit b48d4397b8ee4256f0b0a115eb99f27ae89995e0 Author: Andy Polyakov Date: Thu Jun 14 22:07:48 2018 +0200 Configure: allow some file extensions to be overridden by target config. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6487) --- Summary of changes: CHANGES | 9 Configurations/10-main.conf | 13 Configurations/unix-Makefile.tmpl | 44 ++- Configure | 5 +++-- test/recipes/90-test_shlibload.t | 1 + 5 files changed, 56 insertions(+), 16 deletions(-) diff --git a/CHANGES b/CHANGES index 8b4a8bb..c272e8d 100644 --- a/CHANGES +++ b/CHANGES @@ -8,6 +8,15 @@ release branch. Changes between 1.1.0h and 1.1.1 [xx XXX ] + + *) AIX shared library support overhaul. Switch to AIX "natural" way of + handling shared libraries, which means collecting shared objects of + different versions and bitnesses in one common archive. This allows to + mitigate conflict between 1.0 and 1.1 side-by-side installations. It + doesn't affect the way 3rd party applications are linked, only how + multi-version installation is managed. + [Andy Polyakov] + *) Make ec_group_do_inverse_ord() more robust and available to other EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA mitigations are applied to the fallback BN_mod_inverse(). diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index a62abe2..62b4c9d 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf 
@@ -1110,14 +1110,17 @@ my %targets = ( template => 1, sys_id => "AIX", lib_cppflags => "-DB_ENDIAN", +lflags => "-Wl,-bsvr4", thread_scheme=> "pthreads", dso_scheme => "dlfcn", shared_target=> "self", -shared_extension => ".so.\$(SHLIB_VERSION_NUMBER)", -bin_lflags => shared("-Wl,-bsvr4"), -module_ldflags => "-Wl,-G,-bsymbolic,-bexpall,-bnolibpath", -shared_ldflag=> "-Wl,-G,-bsymbolic,-bnolibpath", +module_ldflags => "-Wl,-G,-bsymbolic,-bexpall", +shared_ldflag=> "-Wl,-G,-bsymbolic",
[openssl-commits] [openssl] master update
The branch master has been updated via 991f0355fb782f499e226a732c0099847048c91a (commit) from 1b712f3fe4752ae1c770f06f957c0e5675b1801c (commit) - Log - commit 991f0355fb782f499e226a732c0099847048c91a Author: FdaSilvaYY Date: Tue May 8 09:47:26 2018 +0200 apps/ca: fix useless get before delete. Small simplification by skipping effectively redundant step and not resuming search from point past deletion. Reviewed-by: Andy Polyakov Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6195) --- Summary of changes: apps/ca.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index 4a8396e..558809e 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -1706,11 +1706,11 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, BIO_printf(bio_err, "Memory allocation failure\n"); goto end; } +i = -1; while ((i = X509_NAME_get_index_by_NID(dn_subject, NID_pkcs9_emailAddress, - -1)) >= 0) { -tmpne = X509_NAME_get_entry(dn_subject, i); -X509_NAME_delete_entry(dn_subject, i); + i)) >= 0) { +tmpne = X509_NAME_delete_entry(dn_subject, i--); X509_NAME_ENTRY_free(tmpne); } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
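Review bot: The `i--` inside `X509_NAME_delete_entry(dn_subject, i--)` carries the whole correctness argument of the loop and has no comment: deleting entry `i` shifts the following entries down by one, and because the last argument of `X509_NAME_get_index_by_NID` is an exclusive starting position, resuming from `i - 1` makes the next call re-examine the slot the deletion just refilled. I would put `/* entries after i shift down; resume from i-1 so the refilled slot is rechecked */` above the call, since a future "cleanup" that turns `i--` into a plain `i` would silently skip every second adjacent emailAddress. Passing the returned entry straight to `X509_NAME_ENTRY_free` matches what the old get/delete/free sequence already assumed about ownership. `do_body` starts and ends outside the hunk.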
[openssl-commits] [openssl] master update
The branch master has been updated via 1b712f3fe4752ae1c770f06f957c0e5675b1801c (commit) from 9be083ad36cd148bddaa11cee835e27b6f5e67df (commit) - Log - commit 1b712f3fe4752ae1c770f06f957c0e5675b1801c Author: Andy Polyakov Date: Wed Jun 20 14:14:11 2018 +0200 Configurations/10-main.conf: IRIX configs unification. Add irix-common template that covers even irix-shared from shared-info.pl. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6536) --- Summary of changes: Configurations/10-main.conf | 53 --- Configurations/shared-info.pl | 7 -- 2 files changed, 19 insertions(+), 41 deletions(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index 54f609d..a62abe2 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf 
@@ -356,75 +356,60 @@ my %targets = ( IRIX 6.x configs # Only N32 and N64 ABIs are supported. +"irix-common" => { +inherit_from => [ "BASE_unix" ], +template => 1, +cppflags => threads("-D_SGI_MP_SOURCE"), +lib_cppflags => "-DB_ENDIAN -DBN_DIV3W", +ex_libs => add(threads("-lpthread")), +thread_scheme=> "pthreads", +dso_scheme => "dlfcn", +shared_target=> "self", +shared_extension => ".so.\$(SHLIB_VERSION_NUMBER)", +shared_ldflag=> "-shared -Wl,-Bsymbolic", +shared_sonameflag=> "-Wl,-soname,", +}, "irix-mips3-gcc" => { -inherit_from => [ "BASE_unix", asm("mips64_asm") ], +inherit_from => [ "irix-common", asm("mips64_asm") ], CC => "gcc", CFLAGS => picker(debug => "-g -O0", release => "-O3"), +LDFLAGS => "-static-libgcc", cflags => "-mabi=n32", -cppflags => combine("-DB_ENDIAN -DBN_DIV3W", -threads("-D_SGI_MP_SOURCE")), -cppflags => threads("-D_SGI_MP_SOURCE"), -lib_cppflags => "-DB_ENDIAN -DBN_DIV3W", -ex_libs => add(threads("-lpthread")), bn_ops => "RC4_CHAR SIXTY_FOUR_BIT", -thread_scheme=> "pthreads", perlasm_scheme => "n32", -dso_scheme => "dlfcn", -shared_target=> "irix-shared", -shared_extension => ".so.\$(SHLIB_VERSION_NUMBER)", multilib => "32", }, "irix-mips3-cc" => { -inherit_from => [ "BASE_unix", asm("mips64_asm") ], +inherit_from => [ "irix-common", asm("mips64_asm") ], CC => "cc", CFLAGS => picker(debug => "-g -O0", release => "-O2"), cflags => "-n32 -mips3 -use_readonly_const -G0 -rdata_shared", -cppflags => threads("-D_SGI_MP_SOURCE"), -lib_cppflags => "-DB_ENDIAN -DBN_DIV3W", -ex_libs => add(threads("-lpthread")), bn_ops => "RC4_CHAR SIXTY_FOUR_BIT", -thread_scheme=> "pthreads", perlasm_scheme => "n32", -dso_scheme => "dlfcn", -shared_target=> "irix-shared", -shared_extension => ".so.\$(SHLIB_VERSION_NUMBER)", multilib => "32", }, # N64 ABI builds. 
"irix64-mips4-gcc" => { -inherit_from => [ "BASE_unix", asm("mips64_asm") ], +inherit_from => [ "irix-common", asm("mips64_asm") ], CC => "gcc", CFLAGS => picker(debug => "-g -O0", release => "-O3"), +LDFLAGS => "-static-libgcc", cflags => "-mabi=64 -mips4", -cppflags => threads("-D_SGI_MP_SOURCE"), -lib_cppflags => "-DB_ENDIAN -DBN_DIV3W", -ex_libs => add(threads("-lp
[openssl-commits] [openssl] master update
The branch master has been updated via 9be083ad36cd148bddaa11cee835e27b6f5e67df (commit) from a766aab93a282774e63ba918d0bb1c6680a5f292 (commit) - Log - commit 9be083ad36cd148bddaa11cee835e27b6f5e67df Author: Andy Polyakov Date: Mon Jun 18 12:50:53 2018 +0200 Remove some inline assembler and non-standard constructs. The goal is to minimize maintenance burden by eliminating somewhat obscure platform-specific tweaks that are not viewed as critical for contemporary applications. This affects Camellia and digest implementations that rely on md32_common.h, MD4, MD5, SHA1, SHA256. SHA256 is the only one that can be viewed as critical, but given the assembly coverage, the omission is considered appropriate. Reviewed-by: Rich Salz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6508) --- Summary of changes: crypto/camellia/camellia.c| 50 ++--- crypto/include/internal/md32_common.h | 128 ++ 2 files changed, 10 insertions(+), 168 deletions(-) diff --git a/crypto/camellia/camellia.c b/crypto/camellia/camellia.c index 6641a62..45f2325 100644 --- a/crypto/camellia/camellia.c +++ b/crypto/camellia/camellia.c 
@@ -44,51 +44,11 @@ #include #include -/* 32-bit rotations */ -#if !defined(PEDANTIC) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) -# if defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64)) -# define RightRotate(x, s) _lrotr(x, s) -# define LeftRotate(x, s) _lrotl(x, s) -# if _MSC_VER >= 1400 -# define SWAP(x) _byteswap_ulong(x) -# else -# define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00) -# endif -# define GETU32(p) SWAP(*((u32 *)(p))) -# define PUTU32(p,v) (*((u32 *)(p)) = SWAP((v))) -# elif defined(__GNUC__) && __GNUC__>=2 -# if defined(__i386) || defined(__x86_64) -# define RightRotate(x,s) ({u32 ret; asm ("rorl %1,%0":"=r"(ret):"I"(s),"0"(x):"cc"); ret; }) -# define LeftRotate(x,s) ({u32 ret; asm ("roll %1,%0":"=r"(ret):"I"(s),"0"(x):"cc"); ret; }) -# if defined(B_ENDIAN)/* stratus.com does it */ -#define GETU32(p) (*(u32 *)(p)) -#define PUTU32(p,v) (*(u32 *)(p)=(v)) -# else -#define GETU32(p) ({u32 r=*(const u32 *)(p); asm("bswapl %0":"=r"(r):"0"(r)); r; }) -#define PUTU32(p,v) ({u32 r=(v); asm("bswapl %0":"=r"(r):"0"(r)); *(u32 *)(p)=r; }) -# endif -# elif defined(_ARCH_PPC) || defined(_ARCH_PPC64) || \ -defined(__powerpc) || defined(__ppc__) || defined(__powerpc64__) -# define LeftRotate(x,s) ({u32 ret; asm ("rlwinm %0,%1,%2,0,31":"=r"(ret):"r"(x),"I"(s)); ret; }) -# define RightRotate(x,s) LeftRotate(x,(32-s)) -# elif defined(__s390x__) -# define LeftRotate(x,s) ({u32 ret; asm ("rll %0,%1,%2":"=r"(ret):"r"(x),"I"(s)); ret; }) -# define RightRotate(x,s) LeftRotate(x,(32-s)) -# define GETU32(p) (*(u32 *)(p)) -# define PUTU32(p,v) (*(u32 *)(p)=(v)) -# endif -# endif -#endif - -#if !defined(RightRotate) && !defined(LeftRotate) -# define RightRotate(x, s) ( ((x) >> (s)) + ((x) << (32 - s)) ) -# define LeftRotate(x, s) ( ((x) << (s)) + ((x) >> (32 - s)) ) -#endif - -#if !defined(GETU32) && !defined(PUTU32) -# define GETU32(p) (((u32)(p)[0] << 24) ^ ((u32)(p)[1] << 16) ^ ((u32)(p)[2] << 8) ^ 
((u32)(p)[3])) -# define PUTU32(p,v) ((p)[0] = (u8)((v) >> 24), (p)[1] = (u8)((v) >> 16), (p)[2] = (u8)((v) >> 8), (p)[3] = (u8)(v)) -#endif +#define RightRotate(x, s) ( ((x) >> (s)) + ((x) << (32 - s)) ) +#define LeftRotate(x, s) ( ((x) << (s)) + ((x) >> (32 - s)) ) + +#define GETU32(p) (((u32)(p)[0] << 24) ^ ((u32)(p)[1] << 16) ^ ((u32)(p)[2] << 8) ^ ((u32)(p)[3])) +#define PUTU32(p,v) ((p)[0] = (u8)((v) >> 24), (p)[1] = (u8)((v) >> 16), (p)[2] = (u8)((v) >> 8), (p)[3] = (u8)(v)) /* S-box data */ #define SBOX1_1110 Camellia_SBOX[0] diff --git a/crypto/include/internal/md32_common.h b/crypto/include/internal/md32_common.h index e498cf3..2e9f893 100644 --- a/crypto/include/internal/md32_common.h +++ b/crypto/include/internal/md32_common.h @@ -93,149 +93,31 @@ # error "HASH_BLOCK_DATA_ORDER must be defined!" #endif -/* - * Engage compiler specific rotate intrinsic function if available. - */ -#undef ROTATE -#ifndef PEDANTIC -# if defined(_MSC_VER) -# define ROTATE(a,n) _lrotl(a,n) -# elif defined(__ICC) -# define ROTATE(a
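Review bot: The replacement rotate macros leave `s` unparenthesised on the right-hand side, `((x) << (32 - s))`, so an argument like `a+b` would parse as `32 - a + b`; write `(32 - (s))` in both `RightRotate` and `LeftRotate`. Both macros also invoke undefined behaviour for `s == 0` or `s == 32` on a 32-bit `u32` (shift by the operand width); that is harmless if every call site in this file passes a constant strictly between 0 and 32, which the hunk does not show, so a one-line comment such as `/* 0 < s < 32 required; shift by 32 is UB */` would protect anyone who reuses them. The byte-wise `GETU32`/`PUTU32` are a sound replacement for the removed `*(u32 *)(p)` casts, which assumed alignment and broke strict aliasing. The md32_common.h hunk that follows is cut off here and is not reviewed.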
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 8b4e971f66779193281d6a3bf8ff7535e6ff13b4 (commit) via 7c17124650fead2effa32dc6c95c8c155c5615f9 (commit) from fc4b2bf9ff2c98bd9dde487e41e0eb26664c08ff (commit) - Log - commit 8b4e971f66779193281d6a3bf8ff7535e6ff13b4 Author: Andy Polyakov Date: Sat Jun 16 16:23:34 2018 +0200 sha/asm/sha{1|256}-586.pl: harmonize clang version detection. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6499) (cherry picked from commit b55e21b357902959ae8ec0255952402f5ccaa515) commit 7c17124650fead2effa32dc6c95c8c155c5615f9 Author: Andy Polyakov Date: Sat Jun 16 16:22:19 2018 +0200 bn/asm/rsaz-avx2.pl: harmonize clang version detection. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6499) (cherry picked from commit 9e97f61dec312084abe03226e5c962d818c9fc2b) --- Summary of changes: crypto/bn/asm/rsaz-avx2.pl | 2 +- crypto/sha/asm/sha1-586.pl | 2 +- crypto/sha/asm/sha256-586.pl | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/bn/asm/rsaz-avx2.pl b/crypto/bn/asm/rsaz-avx2.pl index 2b3f8b0..d4124a8 100755 --- a/crypto/bn/asm/rsaz-avx2.pl +++ b/crypto/bn/asm/rsaz-avx2.pl @@ -97,7 +97,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $addx = ($1>=11); } -if (!$avx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) { +if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9])\.([0-9]+)/) { my $ver = $2 + $3/100.0;# 3.1->3.01, 3.10->3.10 $avx = ($ver>=3.0) + ($ver>=3.01); $addx = ($ver>=3.03); diff --git a/crypto/sha/asm/sha1-586.pl b/crypto/sha/asm/sha1-586.pl index e0b5d83..e29c33a 100644 --- a/crypto/sha/asm/sha1-586.pl +++ b/crypto/sha/asm/sha1-586.pl 
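Review bot: The major-version class `([3-9])` in the new pattern `/((?:^clang|LLVM) version|based on LLVM) ([3-9])\.([0-9]+)/` cannot match a two-digit major, so a `clang version 10.0.0` banner leaves `$avx`/`$addx` at their defaults and silently drops to the slower non-AVX2/ADX paths with no diagnostic; `([0-9]+)` keeps the existing `$ver>=3.0` comparison working for any later release. The added `LLVM version` alternative also matches Apple's `Apple LLVM version X.Y` banner, whose X.Y is Apple's own numbering rather than the upstream LLVM release the `3.01`/`3.03` thresholds were calibrated against — if that is the intent, a comment like `# 'LLVM version' also catches Apple clang; its numbers differ from upstream` would save the next reader a detour. As a caveat, `$ENV{CC} -v` still goes through the shell via backticks, so shell metacharacters in `CC` are interpreted; acceptable for a build script but worth knowing.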
@@ -131,7 +131,7 @@ $ymm=1 if ($xmm && !$ymm && $ARGV[0] eq "win32" && `ml 2>&1` =~ /Version ([0-9]+)\./ && $1>=10);# first version supporting AVX -$ymm=1 if ($xmm && !$ymm && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9]\.[0-9]+)/ && +$ymm=1 if ($xmm && !$ymm && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/ && $2>=3.0); # first version supporting AVX $shaext=$xmm; ### set to zero if compiling for 1.0.1 diff --git a/crypto/sha/asm/sha256-586.pl b/crypto/sha/asm/sha256-586.pl index e907714..1c3fb00 100644 --- a/crypto/sha/asm/sha256-586.pl +++ b/crypto/sha/asm/sha256-586.pl @@ -83,7 +83,7 @@ if ($xmm && !$avx && $ARGV[0] eq "win32" && $avx = ($1>=10) + ($1>=11); } -if ($xmm && !$avx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9]\.[0-9]+)/) { +if ($xmm && !$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/) { $avx = ($2>=3.0) + ($2>3.0); } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
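Review bot: Both sha1-586.pl and sha256-586.pl capture the version as a single float `([3-9]\.[0-9]+)` and compare it with `$2>=3.0` / `$2>3.0`, so `3.10` is read as 3.1; rsaz-avx2.pl in the same series normalises the minor with `$2 + $3/100.0` precisely to avoid that ambiguity, and harmonising these two to the two-capture form would make the detectors agree on what `3.10` means. The `[3-9]` class likewise stops matching at clang 10, after which `$ymm`/`$avx` stay off without any message; `([0-9]+)\.([0-9]+)` would fix both points in one edit. If the single-float form is kept deliberately, a comment `# 3.10 compares as 3.1 here; only >=3.0 matters` would document that the imprecision is tolerated.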
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via c35608e5422d2718868d88439e22369d4aabb7c6 (commit) via 1d5e1085bdef69a360cb01f10fc03e5ffbc9feaf (commit) via 0e41c2a309509599478e5bdffd877e4d4f635308 (commit) via 3bce5b05cb31c25ac0a32eaa06f730e67ff32e13 (commit) from f0f0abe7a5c23a00999d69e42362b60e22449c36 (commit) - Log - commit c35608e5422d2718868d88439e22369d4aabb7c6 Author: Andy Polyakov Date: Sat Jun 16 16:25:40 2018 +0200 ec/asm/ecp_nistz256-avx2.pl: harmonize clang version detection. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6499) (cherry picked from commit 575045f59fc393abc9d49604d82ccd17c82925fa) commit 1d5e1085bdef69a360cb01f10fc03e5ffbc9feaf Author: Andy Polyakov Date: Sat Jun 16 16:24:55 2018 +0200 {chacha|poly1305}/asm/*-x64.pl: harmonize clang version detection. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6499) (cherry picked from commit 27635a4ecb1bc4852ccf456a9374a68931dc330f) commit 0e41c2a309509599478e5bdffd877e4d4f635308 Author: Andy Polyakov Date: Sat Jun 16 16:23:34 2018 +0200 sha/asm/sha{1|256}-586.pl: harmonize clang version detection. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6499) (cherry picked from commit b55e21b357902959ae8ec0255952402f5ccaa515) commit 3bce5b05cb31c25ac0a32eaa06f730e67ff32e13 Author: Andy Polyakov Date: Sat Jun 16 16:22:19 2018 +0200 bn/asm/rsaz-avx2.pl: harmonize clang version detection. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6499) (cherry picked from commit 9e97f61dec312084abe03226e5c962d818c9fc2b) --- Summary of changes: crypto/bn/asm/rsaz-avx2.pl | 2 +- crypto/chacha/asm/chacha-x86.pl | 2 +- crypto/ec/asm/ecp_nistz256-avx2.pl | 2 +- crypto/poly1305/asm/poly1305-x86.pl | 2 +- crypto/sha/asm/sha1-586.pl | 2 +- crypto/sha/asm/sha256-586.pl| 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) 
diff --git a/crypto/bn/asm/rsaz-avx2.pl b/crypto/bn/asm/rsaz-avx2.pl index 46d746b..c9450e7 100755 --- a/crypto/bn/asm/rsaz-avx2.pl +++ b/crypto/bn/asm/rsaz-avx2.pl @@ -104,7 +104,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $addx = ($1>=11); } -if (!$avx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) { +if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9])\.([0-9]+)/) { my $ver = $2 + $3/100.0;# 3.1->3.01, 3.10->3.10 $avx = ($ver>=3.0) + ($ver>=3.01); $addx = ($ver>=3.03); diff --git a/crypto/chacha/asm/chacha-x86.pl b/crypto/chacha/asm/chacha-x86.pl index 61b3286..db2b43b 100755 --- a/crypto/chacha/asm/chacha-x86.pl +++ b/crypto/chacha/asm/chacha-x86.pl @@ -61,7 +61,7 @@ $ymm=1 if ($xmm && !$ymm && $ARGV[0] eq "win32" && $1>=10);# first version supporting AVX $ymm=1 if ($xmm && !$ymm && - `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9]\.[0-9]+)/ && + `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/ && $2>=3.0); # first version supporting AVX $a="eax"; diff --git a/crypto/ec/asm/ecp_nistz256-avx2.pl b/crypto/ec/asm/ecp_nistz256-avx2.pl index 3bdd2cf..c5a1f0b 100755 --- a/crypto/ec/asm/ecp_nistz256-avx2.pl +++ b/crypto/ec/asm/ecp_nistz256-avx2.pl @@ -67,7 +67,7 @@ if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $addx = ($1>=12); } -if (!$addx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9])\.([0-9]+)/) { +if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9])\.([0-9]+)/) { my $ver = $2 + $3/100.0;# 3.1->3.01, 3.10->3.10 $avx = ($ver>=3.0) + ($ver>=3.01); $addx = ($ver>=3.03); diff --git a/crypto/poly1305/asm/poly1305-x86.pl b/crypto/poly1305/asm/poly1305-x86.pl index ab24dfc..8b30fda 100755 --- a/crypto/poly1305/asm/poly1305-x86.pl +++ b/crypto/poly1305/asm/poly1305-x86.pl 
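Review bot: In the ecp_nistz256-avx2.pl hunk the detector is guarded by `!$addx` yet assigns both `$avx` and `$addx`, while rsaz-avx2.pl guards the identical block with `!$avx`; that asymmetry predates this commit, but since the series touches both lines it is the natural moment to pick one guard (or `!$avx && !$addx`) and comment why, e.g. `# both flags come from the same version probe; guard on the one set last above`. All four hunks also inherit the `([3-9])` major-version class, which stops matching at clang 10 and silently disables the AVX/ADX paths; `([0-9]+)` keeps the numeric comparisons intact. The chacha-x86.pl and poly1305-x86.pl variants carry the same limitation.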
@@ -70,7 +70,7 @@ if ($sse2) { $avx = ($1>=2.09) + ($1>=2.10); } - if (!$avx && `$ENV{CC} -v 2>&1` =~ /(^clang version|based on LLVM) ([3-9]\.[0-9]+)/) { + if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/) { $avx = ($2>=3.0) + ($2>3.0); } } diff --git a/crypto/sha/asm/s
[openssl-commits] [openssl] master update
The branch master has been updated via 3f0c3d2263cd98dd3bcd366f199f0df7c9887d81 (commit) from 82b6b0848cea95de821a7f901bd8b0b5dab17fa4 (commit) - Log - commit 3f0c3d2263cd98dd3bcd366f199f0df7c9887d81 Author: Andy Polyakov Date: Wed Jun 13 14:00:04 2018 +0200 bn/bn_exp.c: harmonize all code paths with last commit. 848113a30b431c2fe21ae8de2a366b9b6146fb92 added mitigation for a side-channel attack. This commit extends approach to all code paths for consistency. [It also removes redundant white spaces introduced in last commit.] Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6480) --- Summary of changes: crypto/bn/bn_exp.c | 55 -- 1 file changed, 33 insertions(+), 22 deletions(-) diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c index 2dbf5b4..10d3912 100644 --- a/crypto/bn/bn_exp.c +++ b/crypto/bn/bn_exp.c @@ -850,20 +850,27 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, top /= 2; bn_flip_t4(np, mont->N.d, top); -bits--; -for (wvalue = 0, i = bits % 5; i >= 0; i--, bits--) -wvalue = (wvalue << 1) + BN_is_bit_set(p, bits); +/* + * The exponent may not have a whole number of fixed-size windows. + * To simplify the main loop, the initial window has between 1 and + * full-window-size bits such that what remains is always a whole + * number of windows + */ +window0 = (bits - 1) % 5 + 1; +wmask = (1 << window0) - 1; +bits -= window0; +wvalue = bn_get_bits(p, bits) & wmask; bn_gather5_t4(tmp.d, top, powerbuf, wvalue); /* * Scan the exponent one window at a time starting from the most * significant bits. */ -while (bits >= 0) { +while (bits > 0) { if (bits < stride) -stride = bits + 1; +stride = bits; bits -= stride; -wvalue = bn_get_bits(p, bits + 1); +wvalue = bn_get_bits(p, bits); if ((*pwr5_worker) (tmp.d, np, n0, powerbuf, wvalue, stride)) continue; 
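Review bot: `window0 = (bits - 1) % 5 + 1;` assumes `bits >= 1`; for `bits == 0` C's truncating `%` gives `-1 % 5 == -1`, so `window0` becomes 0, `wmask` 0 and the initial gather fetches `powerbuf[0]`, which only happens to be right if that slot holds 1 and the zero-exponent case is not already returned earlier in the function (its start is outside the hunk). I would make the precondition explicit next to the assignment, `/* bits >= 1 here: a zero exponent is handled before the window setup */`, or add a debug-build check, rather than lean on signed-modulo behaviour that a later refactor could change to an unsigned type. The new fixed-shape first window is what makes the gather count independent of the exponent's leading bits, which is the mitigation the commit is harmonising, so the comment is worth keeping close to the arithmetic.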
@@ -971,32 +978,36 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, bn_scatter5(tmp.d, top, powerbuf, i); } # endif -bits--; -for (wvalue = 0, i = bits % 5; i >= 0; i--, bits--) -wvalue = (wvalue << 1) + BN_is_bit_set(p, bits); +/* + * The exponent may not have a whole number of fixed-size windows. + * To simplify the main loop, the initial window has between 1 and + * full-window-size bits such that what remains is always a whole + * number of windows + */ +window0 = (bits - 1) % 5 + 1; +wmask = (1 << window0) - 1; +bits -= window0; +wvalue = bn_get_bits(p, bits) & wmask; bn_gather5(tmp.d, top, powerbuf, wvalue); /* * Scan the exponent one window at a time starting from the most * significant bits. */ -if (top & 7) -while (bits >= 0) { -for (wvalue = 0, i = 0; i < 5; i++, bits--) -wvalue = (wvalue << 1) + BN_is_bit_set(p, bits); - +if (top & 7) { +while (bits > 0) { bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top); bn_mul_mont_gather5(tmp.d, tmp.d, powerbuf, np, n0, top, -wvalue); +bn_get_bits5(p->d, bits -= 5)); +} } else { -while (bits >= 0) { -wvalue = bn_get_bits5(p->d, bits - 4); -bits -= 5; -bn_power5(tmp.d, tmp.d, powerbuf, np, n0, top, wvalue); +while (bits > 0) { +bn_power5(tmp.d, tmp.d, powerbuf, np, n0, top, + bn_get_bits5(p->d, bits -= 5)); } } @@ -1038,12 +1049,12 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, } } -/* +/* * The exponent may not have a whole number of fixed-size windows. * To simplify the main loop, the initial window has between 1 and * full-window-size bits such that what remains is always a whole * number of windows - */
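Review bot: The induction step of both loops is now hidden inside a call argument, `bn_get_bits5(p->d, bits -= 5)`, and the same `bits` is read by the `while (bits > 0)` condition on the next pass; it is well-defined, but the loop's only state change being an embedded assignment is easy to miss in a function this sensitive. I would write `bits -= 5;` on its own line before the `bn_mul_mont_gather5` / `bn_power5` call in each branch, with `/* consume the next 5-bit window, MSB first */`. The six-line "may not have a whole number of fixed-size windows" comment is now repeated verbatim for each code path (the third copy is in the hunk cut off at the end of this page); one explanation at the top of the function with a short `/* see window0 note above */` at the other sites would keep them from drifting apart.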
[openssl-commits] [openssl] master update
The branch master has been updated via 82b6b0848cea95de821a7f901bd8b0b5dab17fa4 (commit) via 0ef40b76e745731a28f7340071c051316b8a1bae (commit) from 17e822e9f85e4cd65eba1dd4ba710749aa71793f (commit) - Log - commit 82b6b0848cea95de821a7f901bd8b0b5dab17fa4 Author: Andy Polyakov Date: Wed Jun 13 11:10:27 2018 +0200 Configurations/10-main.conf: improve Makefile readability on AIX and Solaris. Reviewed-by: Rich Salz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6477) commit 0ef40b76e745731a28f7340071c051316b8a1bae Author: Andy Polyakov Date: Wed Jun 13 10:57:51 2018 +0200 Configurations/10-main.conf: move hpux-shared flags to hpux-common. Reviewed-by: Rich Salz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6477) --- Summary of changes: Configurations/10-main.conf | 35 +++ Configurations/shared-info.pl | 5 - 2 files changed, 19 insertions(+), 21 deletions(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index 63862e7..54f609d 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -232,7 +232,7 @@ my %targets = ( ex_libs => add(threads("-pthread")), bn_ops => "BN_LLONG", shared_cflag => "-fPIC", -shared_ldflag=> add("-shared -static-libgcc"), +shared_ldflag=> add_before("-shared -static-libgcc"), }, "solaris64-x86_64-gcc" => { # -shared -static-libgcc might appear controversial, but modules @@ -254,7 +254,7 @@ my %targets = ( bn_ops => "SIXTY_FOUR_BIT_LONG", perlasm_scheme => "elf", shared_cflag => "-fPIC", -shared_ldflag=> add("-shared -static-libgcc"), +shared_ldflag=> add_before("-shared -static-libgcc"), multilib => "/64", }, @@ -285,7 +285,7 @@ my %targets = ( bn_ops => "SIXTY_FOUR_BIT_LONG", perlasm_scheme => "elf", shared_cflag => "-KPIC", -shared_ldflag=> add("-G -dy -z text"), +shared_ldflag=> add_before("-G -dy -z text"), multilib => "/64", }, 
@@ -301,7 +301,7 @@ my %targets = ( ex_libs => add(threads("-pthread")), bn_ops => "BN_LLONG RC4_CHAR", shared_cflag => "-fPIC", -shared_ldflag=> add("-shared"), +shared_ldflag=> add_before("-shared"), }, "solaris-sparcv8-gcc" => { inherit_from => [ "solaris-sparcv7-gcc", asm("sparcv8_asm") ], @@ -336,7 +336,7 @@ my %targets = ( ex_libs => add(threads("-lpthread")), bn_ops => "BN_LLONG RC4_CHAR", shared_cflag => "-KPIC", -shared_ldflag=> add("-G -dy -z text"), +shared_ldflag=> add_before("-G -dy -z text"), }, "solaris-sparcv8-cc" => { @@ -463,7 +463,10 @@ my %targets = ( lib_cppflags => "-DB_ENDIAN", thread_scheme=> "pthreads", dso_scheme => "dlfcn",# overridden in 32-bit PA-RISC builds -shared_target=> "hpux-shared", +shared_target=> "self", +bin_lflags => "-Wl,+s,+cdp,../:,+cdp,./:", +shared_ldflag=> "-Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+cdp,../:,+cdp,./:", +shared_sonameflag=> "-Wl,+h,", }, "hpux-parisc-gcc" => { inherit_from => [ "hpux-common" ], @@ -476,7 +479,7 @@ my %targets = ( bn_ops => "BN_LLONG RC4_CHAR", dso_scheme => "dl", shared_cflag => "-fPIC", -shared_ldflag=> "-shared", +shared_ldflag=> add_before("-shared"), shared_extension => ".sl.\$(SHLIB_VERSION_NUMBER)", }, "hpux-parisc1_1-gcc" => { @@ -492,7 +495,7 @@ my %targets = ( ex_libs => add("-ldl", threads("-pthread")), bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR", shared_cflag => "-fpic", -shared_ldflag=> "-s
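Review bot: The flags now hard-coded into `hpux-common` — `-Wl,+s` in both `bin_lflags` and `shared_ldflag`, and `+cdp,../:,+cdp,./:` — carry runtime-security meaning that 10-main.conf does not explain: as I read the HP-UX linker options, `+s` makes the loader honour `SHLIB_PATH` for the resulting binary or library, and `+cdp` strips the `../` and `./` link-time prefixes out of the embedded library path so relative build-tree paths are not baked into installed objects. They appear to be moved from `shared-info.pl` rather than introduced, so no behaviour change is implied, but a two-line comment above `bin_lflags` stating those two facts (and that `+s` is wanted deliberately) would stop a later editor from "simplifying" `+cdp` away and shipping build-tree paths. The `hpux-parisc*-gcc` entries switching to `add_before("-shared")` match the Solaris entries earlier in this commit; the last hunk is cut off at the end of the page.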
[openssl-commits] [openssl] master update
The branch master has been updated via d3273ef6c549d1bf74d18c9056218c1d8b98a2b9 (commit) via 10aafed3ec8719442d0d3516a6a12a45d2a70a2f (commit) via 60aa6c1a590de47acdd290a60e25b87005a35b8f (commit) from dbb85890a85af25db35dbd710ac07b3c704a27f0 (commit) - Log - commit d3273ef6c549d1bf74d18c9056218c1d8b98a2b9 Author: Andy Polyakov Date: Mon Jun 11 12:50:25 2018 +0200 Configurations/10-main.conf: replace -bexpall with explicit list on AIX. [omit even -b:SRE, as it's implied by -G flag.] Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6453) commit 10aafed3ec8719442d0d3516a6a12a45d2a70a2f Author: Andy Polyakov Date: Mon Jun 11 12:43:50 2018 +0200 Configurations/10-main.conf: AIX configs unification. Add aix-common template that covers even aix-shared from shared-info.pl, add -bsymbolic to shared_ldflags. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6453) commit 60aa6c1a590de47acdd290a60e25b87005a35b8f Author: Andy Polyakov Date: Mon Jun 11 12:22:29 2018 +0200 Configure: add shared() to facilitate shared-specific flags. This allows to specify flags specific to shared build, e.g. 'bin_lflags => shared("-Wl,-bsvr4")'. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6453) --- Summary of changes: Configurations/10-main.conf | 59 ++- Configurations/shared-info.pl | 4 --- Configure | 5 +++- build.info| 8 ++ util/mkdef.pl | 16 5 files changed, 47 insertions(+), 45 deletions(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index b3fc488..63862e7 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf 
@@ -1117,85 +1117,74 @@ my %targets = ( # variable, then you should know that in OpenSSL case it's considered # only in ./config. Once configured, build procedure remains "deaf" to # current value of $OBJECT_MODE. +"aix-common" => { +inherit_from => [ "BASE_unix" ], +template => 1, +sys_id => "AIX", +lib_cppflags => "-DB_ENDIAN", +thread_scheme=> "pthreads", +dso_scheme => "dlfcn", +shared_target=> "self", +shared_extension => ".so.\$(SHLIB_VERSION_NUMBER)", +bin_lflags => shared("-Wl,-bsvr4"), +module_ldflags => "-Wl,-G,-bsymbolic,-bexpall,-bnolibpath", +shared_ldflag=> "-Wl,-G,-bsymbolic,-bnolibpath", +shared_defflag => "-Wl,-bE:", +}, "aix-gcc" => { -inherit_from => [ "BASE_unix", asm("ppc32_asm") ], +inherit_from => [ "aix-common", asm("ppc32_asm") ], CC => "gcc", CFLAGS => picker(debug => "-O0 -g", release => "-O"), cflags => add(threads("-pthread")), -lib_cppflags => "-DB_ENDIAN", -ex_libs => add(threads("-pthread")), -sys_id => "AIX", +ex_libs => threads("-pthread"), bn_ops => "BN_LLONG RC4_CHAR", -thread_scheme=> "pthreads", perlasm_scheme => "aix32", -dso_scheme => "dlfcn", -shared_target=> "aix-shared", -shared_ldflag=> "-shared -static-libgcc -Wl,-G", -shared_extension => ".so.\$(SHLIB_VERSION_NUMBER)", +shared_ldflag=> add("-shared -static-libgcc"), AR => add("-X32"), RANLIB => add("-X32"), }, "aix64-gcc" => { -inherit_from => [ "BASE_unix", asm("ppc64_asm") ], +inherit_from => [ "aix-common", asm("ppc64_asm") ], CC => "gcc", CFLAGS => picker(debug => "-O0 -g", release => "-O"), cflags => combine("-maix64", threads("-pthread")), -lib_cppflags => "-DB_ENDIAN", -ex_libs => add(threads("-pthread")), -sys_id
[openssl-commits] [openssl] master update
The branch master has been updated via dbb85890a85af25db35dbd710ac07b3c704a27f0 (commit) from 55c5c1b63a5f2497e26d734d597c40e4a36fe4af (commit) - Log - commit dbb85890a85af25db35dbd710ac07b3c704a27f0 Author: Andy Polyakov Date: Sun Jun 10 18:06:15 2018 +0200 Configurations/10-main.conf: reinstate soname on Solaris. The flag was apparently omitted in switch from Makefile.shared to shared-info.pl. Do put it back! And in the process move all solaris-shared flags from shared-info.pl to solaris-common. Reviewed-by: Rich Salz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/6446) --- Summary of changes: Configurations/10-main.conf | 15 +-- Configurations/shared-info.pl | 4 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index fed386b..b3fc488 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -211,8 +211,11 @@ my %targets = ( ex_libs => add("-lsocket -lnsl -ldl"), dso_scheme => "dlfcn", thread_scheme=> "pthreads", -shared_target=> "solaris-shared", +shared_target=> "self", shared_extension => ".so.\$(SHLIB_VERSION_NUMBER)", +shared_ldflag=> "-Wl,-Bsymbolic", +shared_defflag => "-Wl,-M,", +shared_sonameflag=> "-Wl,-h,", }, Solaris x86 with GNU C setups "solaris-x86-gcc" => { @@ -229,7 +232,7 @@ my %targets = ( ex_libs => add(threads("-pthread")), bn_ops => "BN_LLONG", shared_cflag => "-fPIC", -shared_ldflag=> "-shared -static-libgcc", +shared_ldflag=> add("-shared -static-libgcc"), }, "solaris64-x86_64-gcc" => { # -shared -static-libgcc might appear controversial, but modules @@ -251,7 +254,7 @@ my %targets = ( bn_ops => "SIXTY_FOUR_BIT_LONG", perlasm_scheme => "elf", shared_cflag => "-fPIC", -shared_ldflag=> "-shared -static-libgcc", +shared_ldflag=> add("-shared -static-libgcc"), multilib => "/64", }, 
@@ -282,7 +285,7 @@ my %targets = (
 bn_ops => "SIXTY_FOUR_BIT_LONG",
 perlasm_scheme => "elf",
 shared_cflag => "-KPIC",
-shared_ldflag=> "-G -dy -z text",
+shared_ldflag=> add("-G -dy -z text"),
 multilib => "/64",
 },
@@ -298,7 +301,7 @@ my %targets = (
 ex_libs => add(threads("-pthread")),
 bn_ops => "BN_LLONG RC4_CHAR",
 shared_cflag => "-fPIC",
-shared_ldflag=> "-shared",
+shared_ldflag=> add("-shared"),
 },
 "solaris-sparcv8-gcc" => {
 inherit_from => [ "solaris-sparcv7-gcc", asm("sparcv8_asm") ],
@@ -333,7 +336,7 @@ my %targets = (
 ex_libs => add(threads("-lpthread")),
 bn_ops => "BN_LLONG RC4_CHAR",
 shared_cflag => "-KPIC",
-shared_ldflag=> "-G -dy -z text",
+shared_ldflag=> add("-G -dy -z text"),
 },
 "solaris-sparcv8-cc" => {
diff --git a/Configurations/shared-info.pl b/Configurations/shared-info.pl
index f3c4cb6..eb919b1 100644
--- a/Configurations/shared-info.pl
+++ b/Configurations/shared-info.pl
@@ -65,10 +65,6 @@ my %shared_info;
 shared_ldflag => '-shared -Wl,-Bsymbolic -set_version $(SHLIB_VERSION_NUMBER)',
 };
 },
-'solaris-shared' => {
-shared_ldflag => '-Wl,-Bsymbolic',
-shared_defflag=> '-Wl,-M,',
-},
 'svr3-shared' => sub {
 return $shared_info{'gnu-shared'} if detect_gnu_ld();
 return {
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
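Review bot: In the `@@ -298` hunk `solaris-sparcv7-gcc` ends up with `add("-shared")` on top of the inherited `-Wl,-Bsymbolic`, while the cc targets in the `@@ -282` and `@@ -333` hunks additionally pass `-z text`, which makes the Solaris linker refuse a shared object that still contains text relocations. The gcc targets therefore accept a non-PIC perlasm module silently where cc would fail the link; if both toolchains are expected to produce a relocation-free libcrypto.so, `shared_ldflag=> add("-shared -Wl,-z,text"),` here (and the same `-Wl,-z,text` on the x86 gcc targets) would enforce it through gcc as well. I cannot see from here whether the gcc targets were deliberately left lenient, so treat this as a question rather than a defect. Separately, with `'solaris-shared'` now gone from %shared_info, any other target still naming it in `shared_target` would fail at configure time — worth a grep of Configurations/ before this lands.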
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via e13d8f7ba4681f904cba71558168965697b76a17 (commit) from 776ad43f9d5c50bd8f9d03c89b862d275835247a (commit) - Log - commit e13d8f7ba4681f904cba71558168965697b76a17 Author: Andy Polyakov Date: Fri Jun 8 15:02:39 2018 +0200 bn/asm/sparcv9-mont.pl: iron another glitch in squaring code path. This module is used only with odd input lengths, i.e. not used in normal PKI cases, on contemporary processors. The problem was "illuminated" by fuzzing tests. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6440) (cherry picked from commit f55ef97b5c0f8559f393b72ebd4b2de32ad6d231) --- Summary of changes: crypto/bn/asm/sparcv9-mont.pl | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/crypto/bn/asm/sparcv9-mont.pl b/crypto/bn/asm/sparcv9-mont.pl
index 55ceecb..ef434bc 100644
--- a/crypto/bn/asm/sparcv9-mont.pl
+++ b/crypto/bn/asm/sparcv9-mont.pl
@@ -493,6 +493,9 @@ $code.=<<___;
 mulx$npj,$mul1,$acc1
 add $tpj,$car1,$car1
 ld [$np+$j],$npj ! np[j]
+ srlx$car1,32,$tmp0
+ and $car1,$mask,$car1
+ add $tmp0,$sbit,$sbit
 add $acc0,$car1,$car1
 ld [$tp+8],$tpj! tp[j]
 add $acc1,$car1,$car1
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
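Review bot: The three added instructions after `ld [$np+$j],$npj ! np[j]` carry no comment, and in a hand-scheduled Montgomery loop the reason for splitting `$car1` at bit 32 is not obvious to the next reader; the file already annotates lines with `!`, so something like `! keep $car1 to 32 bits, fold the overflow into $sbit` on the `and` line would record what the fuzzer found (that wording is my reading of the srlx/and/add sequence — adjust if $sbit carries a different meaning here). The diffstat lists only crypto/bn/asm/sparcv9-mont.pl, so the odd-length input that exposed the carry glitch is not captured as a regression test; adding it to the bn test data would also exercise the other mont modules on the same input. The squaring loop this sits in begins and ends outside the hunk.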
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via bd45a8d1ef338027e6892a7c886a373a4fafbf7d (commit) from 278f65eeabb28279661927ecbcc23e95aad34948 (commit) - Log - commit bd45a8d1ef338027e6892a7c886a373a4fafbf7d Author: Andy Polyakov Date: Fri Jun 8 15:02:39 2018 +0200 bn/asm/sparcv9-mont.pl: iron another glitch in squaring code path. This module is used only with odd input lengths, i.e. not used in normal PKI cases, on contemporary processors. The problem was "illuminated" by fuzzing tests. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6440) (cherry picked from commit f55ef97b5c0f8559f393b72ebd4b2de32ad6d231) --- Summary of changes: crypto/bn/asm/sparcv9-mont.pl | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/crypto/bn/asm/sparcv9-mont.pl b/crypto/bn/asm/sparcv9-mont.pl
index 30db95e..2043ab0 100644
--- a/crypto/bn/asm/sparcv9-mont.pl
+++ b/crypto/bn/asm/sparcv9-mont.pl
@@ -483,6 +483,9 @@ $code.=<<___;
 mulx$npj,$mul1,$acc1
 add $tpj,$car1,$car1
 ld [$np+$j],$npj ! np[j]
+ srlx$car1,32,$tmp0
+ and $car1,$mask,$car1
+ add $tmp0,$sbit,$sbit
 add $acc0,$car1,$car1
 ld [$tp+8],$tpj! tp[j]
 add $acc1,$car1,$car1
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
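Review bot: The 1.0.2 backport lands the `srlx`/`and`/`add` triple after `ld [$np+$j],$npj ! np[j]` without any annotation, so a reader of this branch has only the commit message to explain why `$car1` is now truncated to 32 bits mid-iteration; a `!` comment on the `and` line, e.g. `! carry must stay within 32 bits; excess goes to $sbit`, would keep the fix self-describing (my reading of the sequence — confirm the role of $sbit before wording it). As on master, the diffstat shows no test change, so the odd-length squaring input that fuzzing surfaced is not pinned as a regression on this branch either, and 1.0.2 is the branch least likely to be fuzzed again. The enclosing squaring loop starts and ends outside the hunk.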
[openssl-commits] [openssl] master update
The branch master has been updated via f55ef97b5c0f8559f393b72ebd4b2de32ad6d231 (commit) from 913cebc8f44d50479704040c77d9ed20eea839bc (commit) - Log - commit f55ef97b5c0f8559f393b72ebd4b2de32ad6d231 Author: Andy Polyakov Date: Fri Jun 8 15:02:39 2018 +0200 bn/asm/sparcv9-mont.pl: iron another glitch in squaring code path. This module is used only with odd input lengths, i.e. not used in normal PKI cases, on contemporary processors. The problem was "illuminated" by fuzzing tests. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/6440) --- Summary of changes: crypto/bn/asm/sparcv9-mont.pl | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/crypto/bn/asm/sparcv9-mont.pl b/crypto/bn/asm/sparcv9-mont.pl
index c0407b1..b41903a 100644
--- a/crypto/bn/asm/sparcv9-mont.pl
+++ b/crypto/bn/asm/sparcv9-mont.pl
@@ -493,6 +493,9 @@ $code.=<<___;
 mulx$npj,$mul1,$acc1
 add $tpj,$car1,$car1
 ld [$np+$j],$npj ! np[j]
+ srlx$car1,32,$tmp0
+ and $car1,$mask,$car1
+ add $tmp0,$sbit,$sbit
 add $acc0,$car1,$car1
 ld [$tp+8],$tpj! tp[j]
 add $acc1,$car1,$car1
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
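Review bot: The carry normalisation added after `ld [$np+$j],$npj ! np[j]` is the whole fix, yet it is uncommented, and the commit message's "another glitch" suggests this loop has already been patched once without leaving a trail; a `!` annotation such as `! split carry: low 32 bits stay in $car1, high bits accumulate in $sbit` would make the invariant explicit for the next pass (this is my reading of srlx/and/add — verify $sbit's meaning in the surrounding loop, which starts and ends outside the hunk). The diffstat touches only the perlasm file, so the fuzzer-found odd-length squaring case is not recorded as a regression test; since the module is only selected for odd lengths, a deliberate odd-size vector in the bn tests is the only way CI will re-hit this path.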
[openssl-commits] [openssl] master update
The branch master has been updated via 913cebc8f44d50479704040c77d9ed20eea839bc (commit) via 46ceca3c91cc7b8e8f522009e7338a9a96952e6e (commit) from 55fc247a699be33153f27c06d304e6e60eeff980 (commit) - Log - commit 913cebc8f44d50479704040c77d9ed20eea839bc Author: Andy Polyakov Date: Fri Jun 8 11:38:22 2018 +0200 rand/rand_unix.c: bypass DSO_global_lookup on ELF systems. If built with no-dso, syscall_random remains "blind" to getentropy. Since it's possible to detect symbol availability on ELF-based systems without involving DSO module, bypass it. Reviewed-by: Rich Salz Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6436) commit 46ceca3c91cc7b8e8f522009e7338a9a96952e6e Author: Andy Polyakov Date: Fri Jun 8 11:03:32 2018 +0200 rand/rand_unix.c: omit error from DSO_global_lookup. If built with no-dso, DSO_global_lookup leaves "unsupported" message in error queue. Since there is a fall-back code, it's unnecessary distraction. Reviewed-by: Rich Salz Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/6436) --- Summary of changes: crypto/rand/rand_unix.c | 26 ++ 1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c
index 9f17494..7989081 100644
--- a/crypto/rand/rand_unix.c
+++ b/crypto/rand/rand_unix.c
@@ -229,17 +229,9 @@ static size_t sysctl_random(char *buf, size_t buflen)
 */
 int syscall_random(void *buf, size_t buflen)
 {
-union {
-void *p;
-int (*f)(void *buffer, size_t length);
-} p_getentropy;
-
 /*
 * Do runtime detection to find getentropy().
 *
- * We could cache the result of the lookup, but we normally don't
- * call this function often.
- *
 * Known OSs that should support this:
 * - Darwin since 16 (OSX 10.12, IOS 10.0).
 * - Solaris since 11.3
@@ -247,9 +239,27 @@ int syscall_random(void *buf, size_t buflen)
 * - Linux since 3.17 with glibc 2.25
 * - FreeBSD since 12.0 (1200061)
 */
+# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__)
+extern int getentropy(void *bufer, size_t length) __attribute__((weak));
+
+if (getentropy != NULL)
+return getentropy(buf, buflen) == 0 ? buflen : 0;
+# else
+union {
+void *p;
+int (*f)(void *buffer, size_t length);
+} p_getentropy;
+
+/*
+ * We could cache the result of the lookup, but we normally don't
+ * call this function often.
+ */
+ERR_set_mark();
 p_getentropy.p = DSO_global_lookup("getentropy");
+ERR_pop_to_mark();
 if (p_getentropy.p != NULL)
 return p_getentropy.f(buf, buflen) == 0 ? buflen : 0;
+# endif
 /* Linux supports this since version 3.17 */
 # if defined(__linux) && defined(SYS_getrandom)
_ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
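Review bot: In the new weak-symbol branch, `return getentropy(buf, buflen) == 0 ? buflen : 0;` abandons the function on any getentropy() failure instead of continuing to the getrandom() and other fallbacks below the hunk; on the platforms enumerated in the comment just above, getentropy() is, as far as I know, capped at 256 bytes per call, so a larger buflen would yield 0 here even though getrandom() could have served it. Since this branch is now the one taken on every ELF build with a GNU-compatible compiler, returning only on success keeps the fall-through intact: `if (getentropy != NULL && getentropy(buf, buflen) == 0) return buflen;` — the DSO branch under `# else` has the same shape and could get the same treatment. Minor: `bufer` in the extern declaration is a typo for `buffer`, and the narrowing of the size_t buflen to the int return value is pre-existing but worth an explicit cast now that the line is being rewritten. syscall_random() continues past the end of the hunk.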