ag/cpython-source-deps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Import OpenSSL 1.1.1f

Browse Source
This commit is contained in:
Steve Dower
2020-04-03 21:53:21 +01:00
parent 6f2f71e7ea
commit e531386a2f
993 changed files with 23821 additions and 3602 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
crypto/ec/asm/ecp_nistz256-armv4.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -1394,7 +1394,7 @@ my ($Z1sqr, $Z2sqr) = ($Hsqr, $Rsqr);
# 256-bit vectors on top. Then note that we push
# starting from r0, which means that we have copy of
# input arguments just below these temporary vectors.
# We use three of them for !in1infty, !in2intfy and
# We use three of them for ~in1infty, ~in2infty and
# result of check for zero.
$code.=<<___;
@@ -1424,7 +1424,7 @@ ecp_nistz256_point_add:
#endif
movne r12,#-1
stmia r3,{r4-r11}
str r12,[sp,#32*18+8] @ !in2infty
str r12,[sp,#32*18+8] @ ~in2infty
ldmia $a_ptr!,{r4-r11} @ copy in1_x
add r3,sp,#$in1_x
@@ -1445,7 +1445,7 @@ ecp_nistz256_point_add:
#endif
movne r12,#-1
stmia r3,{r4-r11}
str r12,[sp,#32*18+4] @ !in1infty
str r12,[sp,#32*18+4] @ ~in1infty
add $a_ptr,sp,#$in2_z
add $b_ptr,sp,#$in2_z
@@ -1510,33 +1510,20 @@ ecp_nistz256_point_add:
orr $a0,$a0,$a2
orr $a4,$a4,$a6
orr $a0,$a0,$a7
orrs $a0,$a0,$a4
orr $a0,$a0,$a4 @ ~is_equal(U1,U2)
bne .Ladd_proceed @ is_equal(U1,U2)?
ldr $t0,[sp,#32*18+4] @ ~in1infty
ldr $t1,[sp,#32*18+8] @ ~in2infty
ldr $t2,[sp,#32*18+12] @ ~is_equal(S1,S2)
mvn $t0,$t0 @ -1/0 -> 0/-1
mvn $t1,$t1 @ -1/0 -> 0/-1
orr $a0,$t0
orr $a0,$t1
orrs $a0,$t2 @ set flags
ldr $t0,[sp,#32*18+4]
ldr $t1,[sp,#32*18+8]
ldr $t2,[sp,#32*18+12]
tst $t0,$t1
beq .Ladd_proceed @ (in1infty || in2infty)?
tst $t2,$t2
beq .Ladd_double @ is_equal(S1,S2)?
@ if(~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2))
bne .Ladd_proceed
ldr $r_ptr,[sp,#32*18+16]
eor r4,r4,r4
eor r5,r5,r5
eor r6,r6,r6
eor r7,r7,r7
eor r8,r8,r8
eor r9,r9,r9
eor r10,r10,r10
eor r11,r11,r11
stmia $r_ptr!,{r4-r11}
stmia $r_ptr!,{r4-r11}
stmia $r_ptr!,{r4-r11}
b .Ladd_done
.align 4
.Ladd_double:
ldr $a_ptr,[sp,#32*18+20]
add sp,sp,#32*(18-5)+16 @ difference in frame sizes
@@ -1601,15 +1588,15 @@ ecp_nistz256_point_add:
add $b_ptr,sp,#$S2
bl __ecp_nistz256_sub_from @ p256_sub(res_y, res_y, S2);
ldr r11,[sp,#32*18+4] @ !in1intfy
ldr r12,[sp,#32*18+8] @ !in2intfy
ldr r11,[sp,#32*18+4] @ ~in1infty
ldr r12,[sp,#32*18+8] @ ~in2infty
add r1,sp,#$res_x
add r2,sp,#$in2_x
and r10,r11,r12
and r10,r11,r12 @ ~in1infty & ~in2infty
mvn r11,r11
add r3,sp,#$in1_x
and r11,r11,r12
mvn r12,r12
and r11,r11,r12 @ in1infty & ~in2infty
mvn r12,r12 @ in2infty
ldr $r_ptr,[sp,#32*18+16]
___
for($i=0;$i<96;$i+=8) { # conditional moves
@@ -1617,11 +1604,11 @@ $code.=<<___;
ldmia r1!,{r4-r5} @ res_x
ldmia r2!,{r6-r7} @ in2_x
ldmia r3!,{r8-r9} @ in1_x
and r4,r4,r10
and r4,r4,r10 @ ~in1infty & ~in2infty
and r5,r5,r10
and r6,r6,r11
and r6,r6,r11 @ in1infty & ~in2infty
and r7,r7,r11
and r8,r8,r12
and r8,r8,r12 @ in2infty
and r9,r9,r12
orr r4,r4,r6
orr r5,r5,r7
@@ -1656,7 +1643,7 @@ my $Z1sqr = $S2;
# 256-bit vectors on top. Then note that we push
# starting from r0, which means that we have copy of
# input arguments just below these temporary vectors.
# We use two of them for !in1infty, !in2intfy.
# We use two of them for ~in1infty, ~in2infty.
my @ONE_mont=(1,0,0,-1,-1,-1,-2,0);
@@ -1687,7 +1674,7 @@ ecp_nistz256_point_add_affine:
#endif
movne r12,#-1
stmia r3,{r4-r11}
str r12,[sp,#32*15+4] @ !in1infty
str r12,[sp,#32*15+4] @ ~in1infty
ldmia $b_ptr!,{r4-r11} @ copy in2_x
add r3,sp,#$in2_x
@@ -1714,7 +1701,7 @@ ecp_nistz256_point_add_affine:
it ne
#endif
movne r12,#-1
str r12,[sp,#32*15+8] @ !in2infty
str r12,[sp,#32*15+8] @ ~in2infty
add $a_ptr,sp,#$in1_z
add $b_ptr,sp,#$in1_z
@@ -1796,15 +1783,15 @@ ecp_nistz256_point_add_affine:
add $b_ptr,sp,#$S2
bl __ecp_nistz256_sub_from @ p256_sub(res_y, res_y, S2);
ldr r11,[sp,#32*15+4] @ !in1intfy
ldr r12,[sp,#32*15+8] @ !in2intfy
ldr r11,[sp,#32*15+4] @ ~in1infty
ldr r12,[sp,#32*15+8] @ ~in2infty
add r1,sp,#$res_x
add r2,sp,#$in2_x
and r10,r11,r12
and r10,r11,r12 @ ~in1infty & ~in2infty
mvn r11,r11
add r3,sp,#$in1_x
and r11,r11,r12
mvn r12,r12
and r11,r11,r12 @ in1infty & ~in2infty
mvn r12,r12 @ in2infty
ldr $r_ptr,[sp,#32*15]
___
for($i=0;$i<64;$i+=8) { # conditional moves
@@ -1812,11 +1799,11 @@ $code.=<<___;
ldmia r1!,{r4-r5} @ res_x
ldmia r2!,{r6-r7} @ in2_x
ldmia r3!,{r8-r9} @ in1_x
and r4,r4,r10
and r4,r4,r10 @ ~in1infty & ~in2infty
and r5,r5,r10
and r6,r6,r11
and r6,r6,r11 @ in1infty & ~in2infty
and r7,r7,r11
and r8,r8,r12
and r8,r8,r12 @ in2infty
and r9,r9,r12
orr r4,r4,r6
orr r5,r5,r7
@@ -1862,4 +1849,4 @@ foreach (split("\n",$code)) {
print $_,"\n";
}
close STDOUT; # enforce flush
close STDOUT or die "error closing STDOUT: $!"; # enforce flush

69
crypto/ec/asm/ecp_nistz256-armv8.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -722,7 +722,7 @@ $code.=<<___;
.align 5
ecp_nistz256_point_double:
.inst 0xd503233f // paciasp
stp x29,x30,[sp,#-80]!
stp x29,x30,[sp,#-96]!
add x29,sp,#0
stp x19,x20,[sp,#16]
stp x21,x22,[sp,#32]
@@ -855,7 +855,7 @@ ecp_nistz256_point_double:
add sp,x29,#0 // destroy frame
ldp x19,x20,[x29,#16]
ldp x21,x22,[x29,#32]
ldp x29,x30,[sp],#80
ldp x29,x30,[sp],#96
.inst 0xd50323bf // autiasp
ret
.size ecp_nistz256_point_double,.-ecp_nistz256_point_double
@@ -872,7 +872,7 @@ my ($res_x,$res_y,$res_z,
my ($Z1sqr, $Z2sqr) = ($Hsqr, $Rsqr);
# above map() describes stack layout with 12 temporary
# 256-bit vectors on top.
my ($rp_real,$ap_real,$bp_real,$in1infty,$in2infty,$temp)=map("x$_",(21..26));
my ($rp_real,$ap_real,$bp_real,$in1infty,$in2infty,$temp0,$temp1,$temp2)=map("x$_",(21..28));
$code.=<<___;
.globl ecp_nistz256_point_add
@@ -880,12 +880,13 @@ $code.=<<___;
.align 5
ecp_nistz256_point_add:
.inst 0xd503233f // paciasp
stp x29,x30,[sp,#-80]!
stp x29,x30,[sp,#-96]!
add x29,sp,#0
stp x19,x20,[sp,#16]
stp x21,x22,[sp,#32]
stp x23,x24,[sp,#48]
stp x25,x26,[sp,#64]
stp x27,x28,[sp,#80]
sub sp,sp,#32*12
ldp $a0,$a1,[$bp,#64] // in2_z
@@ -899,7 +900,7 @@ ecp_nistz256_point_add:
orr $t2,$a2,$a3
orr $in2infty,$t0,$t2
cmp $in2infty,#0
csetm $in2infty,ne // !in2infty
csetm $in2infty,ne // ~in2infty
add $rp,sp,#$Z2sqr
bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z2sqr, in2_z);
@@ -909,7 +910,7 @@ ecp_nistz256_point_add:
orr $t2,$a2,$a3
orr $in1infty,$t0,$t2
cmp $in1infty,#0
csetm $in1infty,ne // !in1infty
csetm $in1infty,ne // ~in1infty
add $rp,sp,#$Z1sqr
bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z);
@@ -950,7 +951,7 @@ ecp_nistz256_point_add:
orr $acc0,$acc0,$acc1 // see if result is zero
orr $acc2,$acc2,$acc3
orr $temp,$acc0,$acc2
orr $temp0,$acc0,$acc2 // ~is_equal(S1,S2)
add $bp,sp,#$Z2sqr
add $rp,sp,#$U1
@@ -971,32 +972,21 @@ ecp_nistz256_point_add:
orr $acc0,$acc0,$acc1 // see if result is zero
orr $acc2,$acc2,$acc3
orr $acc0,$acc0,$acc2
tst $acc0,$acc0
b.ne .Ladd_proceed // is_equal(U1,U2)?
orr $acc0,$acc0,$acc2 // ~is_equal(U1,U2)
tst $in1infty,$in2infty
b.eq .Ladd_proceed // (in1infty || in2infty)?
mvn $temp1,$in1infty // -1/0 -> 0/-1
mvn $temp2,$in2infty // -1/0 -> 0/-1
orr $acc0,$acc0,$temp1
orr $acc0,$acc0,$temp2
orr $acc0,$acc0,$temp0
cbnz $acc0,.Ladd_proceed // if(~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2))
tst $temp,$temp
b.eq .Ladd_double // is_equal(S1,S2)?
eor $a0,$a0,$a0
eor $a1,$a1,$a1
stp $a0,$a1,[$rp_real]
stp $a0,$a1,[$rp_real,#16]
stp $a0,$a1,[$rp_real,#32]
stp $a0,$a1,[$rp_real,#48]
stp $a0,$a1,[$rp_real,#64]
stp $a0,$a1,[$rp_real,#80]
b .Ladd_done
.align 4
.Ladd_double:
mov $ap,$ap_real
mov $rp,$rp_real
ldp x23,x24,[x29,#48]
ldp x25,x26,[x29,#64]
ldp x27,x28,[x29,#80]
add sp,sp,#32*(12-4) // difference in stack frames
b .Ldouble_shortcut
@@ -1081,14 +1071,14 @@ ___
for($i=0;$i<64;$i+=32) { # conditional moves
$code.=<<___;
ldp $acc0,$acc1,[$ap_real,#$i] // in1
cmp $in1infty,#0 // !$in1intfy, remember?
cmp $in1infty,#0 // ~$in1intfy, remember?
ldp $acc2,$acc3,[$ap_real,#$i+16]
csel $t0,$a0,$t0,ne
csel $t1,$a1,$t1,ne
ldp $a0,$a1,[sp,#$res_x+$i+32] // res
csel $t2,$a2,$t2,ne
csel $t3,$a3,$t3,ne
cmp $in2infty,#0 // !$in2intfy, remember?
cmp $in2infty,#0 // ~$in2intfy, remember?
ldp $a2,$a3,[sp,#$res_x+$i+48]
csel $acc0,$t0,$acc0,ne
csel $acc1,$t1,$acc1,ne
@@ -1102,13 +1092,13 @@ ___
}
$code.=<<___;
ldp $acc0,$acc1,[$ap_real,#$i] // in1
cmp $in1infty,#0 // !$in1intfy, remember?
cmp $in1infty,#0 // ~$in1intfy, remember?
ldp $acc2,$acc3,[$ap_real,#$i+16]
csel $t0,$a0,$t0,ne
csel $t1,$a1,$t1,ne
csel $t2,$a2,$t2,ne
csel $t3,$a3,$t3,ne
cmp $in2infty,#0 // !$in2intfy, remember?
cmp $in2infty,#0 // ~$in2intfy, remember?
csel $acc0,$t0,$acc0,ne
csel $acc1,$t1,$acc1,ne
csel $acc2,$t2,$acc2,ne
@@ -1122,7 +1112,8 @@ $code.=<<___;
ldp x21,x22,[x29,#32]
ldp x23,x24,[x29,#48]
ldp x25,x26,[x29,#64]
ldp x29,x30,[sp],#80
ldp x27,x28,[x29,#80]
ldp x29,x30,[sp],#96
.inst 0xd50323bf // autiasp
ret
.size ecp_nistz256_point_add,.-ecp_nistz256_point_add
@@ -1166,7 +1157,7 @@ ecp_nistz256_point_add_affine:
orr $t2,$a2,$a3
orr $in1infty,$t0,$t2
cmp $in1infty,#0
csetm $in1infty,ne // !in1infty
csetm $in1infty,ne // ~in1infty
ldp $acc0,$acc1,[$bp] // in2_x
ldp $acc2,$acc3,[$bp,#16]
@@ -1180,7 +1171,7 @@ ecp_nistz256_point_add_affine:
orr $t0,$t0,$t2
orr $in2infty,$acc0,$t0
cmp $in2infty,#0
csetm $in2infty,ne // !in2infty
csetm $in2infty,ne // ~in2infty
add $rp,sp,#$Z1sqr
bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z);
@@ -1290,14 +1281,14 @@ ___
for($i=0;$i<64;$i+=32) { # conditional moves
$code.=<<___;
ldp $acc0,$acc1,[$ap_real,#$i] // in1
cmp $in1infty,#0 // !$in1intfy, remember?
cmp $in1infty,#0 // ~$in1intfy, remember?
ldp $acc2,$acc3,[$ap_real,#$i+16]
csel $t0,$a0,$t0,ne
csel $t1,$a1,$t1,ne
ldp $a0,$a1,[sp,#$res_x+$i+32] // res
csel $t2,$a2,$t2,ne
csel $t3,$a3,$t3,ne
cmp $in2infty,#0 // !$in2intfy, remember?
cmp $in2infty,#0 // ~$in2intfy, remember?
ldp $a2,$a3,[sp,#$res_x+$i+48]
csel $acc0,$t0,$acc0,ne
csel $acc1,$t1,$acc1,ne
@@ -1314,13 +1305,13 @@ ___
}
$code.=<<___;
ldp $acc0,$acc1,[$ap_real,#$i] // in1
cmp $in1infty,#0 // !$in1intfy, remember?
cmp $in1infty,#0 // ~$in1intfy, remember?
ldp $acc2,$acc3,[$ap_real,#$i+16]
csel $t0,$a0,$t0,ne
csel $t1,$a1,$t1,ne
csel $t2,$a2,$t2,ne
csel $t3,$a3,$t3,ne
cmp $in2infty,#0 // !$in2intfy, remember?
cmp $in2infty,#0 // ~$in2intfy, remember?
csel $acc0,$t0,$acc0,ne
csel $acc1,$t1,$acc1,ne
csel $acc2,$t2,$acc2,ne
@@ -1880,4 +1871,4 @@ foreach (split("\n",$code)) {
print $_,"\n";
}
close STDOUT; # enforce flush
close STDOUT or die "error closing STDOUT: $!"; # enforce flush

6
crypto/ec/asm/ecp_nistz256-avx2.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
# Copyright (c) 2014, Intel Corporation. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
@@ -47,7 +47,7 @@ if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
$addx = ($1>=12);
}
if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9])\.([0-9]+)/) {
if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([0-9]+)\.([0-9]+)/) {
my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
$avx = ($ver>=3.0) + ($ver>=3.01);
$addx = ($ver>=3.03);
@@ -2077,4 +2077,4 @@ foreach (split("\n",$code)) {
print $_,"\n";
}
close STDOUT;
close STDOUT or die "error closing STDOUT: $!";

4
crypto/ec/asm/ecp_nistz256-ppc64.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -2379,4 +2379,4 @@ foreach (split("\n",$code)) {
print $_,"\n";
}
close STDOUT; # enforce flush
close STDOUT or die "error closing STDOUT: $!"; # enforce flush

4
crypto/ec/asm/ecp_nistz256-sparcv9.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -3057,4 +3057,4 @@ foreach (split("\n",$code)) {
print $_,"\n";
}
close STDOUT;
close STDOUT or die "error closing STDOUT: $!";

80
crypto/ec/asm/ecp_nistz256-x86.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -1388,7 +1388,7 @@ for ($i=0;$i<7;$i++) {
# above map() describes stack layout with 18 temporary
# 256-bit vectors on top, then we take extra words for
# !in1infty, !in2infty, result of check for zero and
# ~in1infty, ~in2infty, result of check for zero and
# OPENSSL_ia32cap_P copy. [one unused word for padding]
&stack_push(8*18+5);
if ($sse2) {
@@ -1419,7 +1419,7 @@ for ($i=0;$i<7;$i++) {
&sub ("eax","ebp");
&or ("ebp","eax");
&sar ("ebp",31);
&mov (&DWP(32*18+4,"esp"),"ebp"); # !in2infty
&mov (&DWP(32*18+4,"esp"),"ebp"); # ~in2infty
&lea ("edi",&DWP($in1_x,"esp"));
for($i=0;$i<96;$i+=16) {
@@ -1441,7 +1441,7 @@ for ($i=0;$i<7;$i++) {
&sub ("eax","ebp");
&or ("ebp","eax");
&sar ("ebp",31);
&mov (&DWP(32*18+0,"esp"),"ebp"); # !in1infty
&mov (&DWP(32*18+0,"esp"),"ebp"); # ~in1infty
&mov ("eax",&DWP(32*18+12,"esp")); # OPENSSL_ia32cap_P copy
&lea ("esi",&DWP($in2_z,"esp"));
@@ -1516,23 +1516,19 @@ for ($i=0;$i<7;$i++) {
&or ("eax",&DWP(0,"edi"));
&or ("eax",&DWP(4,"edi"));
&or ("eax",&DWP(8,"edi"));
&or ("eax",&DWP(12,"edi"));
&or ("eax",&DWP(12,"edi")); # ~is_equal(U1,U2)
&mov ("ebx",&DWP(32*18+0,"esp")); # ~in1infty
&not ("ebx"); # -1/0 -> 0/-1
&or ("eax","ebx");
&mov ("ebx",&DWP(32*18+4,"esp")); # ~in2infty
&not ("ebx"); # -1/0 -> 0/-1
&or ("eax","ebx");
&or ("eax",&DWP(32*18+8,"esp")); # ~is_equal(S1,S2)
# if (~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2))
&data_byte(0x3e); # predict taken
&jnz (&label("add_proceed")); # is_equal(U1,U2)?
&mov ("eax",&DWP(32*18+0,"esp"));
&and ("eax",&DWP(32*18+4,"esp"));
&mov ("ebx",&DWP(32*18+8,"esp"));
&jz (&label("add_proceed")); # (in1infty || in2infty)?
&test ("ebx","ebx");
&jz (&label("add_double")); # is_equal(S1,S2)?
&mov ("edi",&wparam(0));
&xor ("eax","eax");
&mov ("ecx",96/4);
&data_byte(0xfc,0xf3,0xab); # cld; stosd
&jmp (&label("add_done"));
&jnz (&label("add_proceed"));
&set_label("add_double",16);
&mov ("esi",&wparam(1));
@@ -1614,34 +1610,34 @@ for ($i=0;$i<7;$i++) {
&lea ("edi",&DWP($res_y,"esp"));
&call ("_ecp_nistz256_sub"); # p256_sub(res_y, res_y, S2);
&mov ("ebp",&DWP(32*18+0,"esp")); # !in1infty
&mov ("esi",&DWP(32*18+4,"esp")); # !in2infty
&mov ("ebp",&DWP(32*18+0,"esp")); # ~in1infty
&mov ("esi",&DWP(32*18+4,"esp")); # ~in2infty
&mov ("edi",&wparam(0));
&mov ("edx","ebp");
&not ("ebp");
&and ("edx","esi");
&and ("ebp","esi");
&not ("esi");
&and ("edx","esi"); # ~in1infty & ~in2infty
&and ("ebp","esi"); # in1infty & ~in2infty
&not ("esi"); # in2infty
########################################
# conditional moves
for($i=64;$i<96;$i+=4) {
&mov ("eax","edx");
&mov ("eax","edx"); # ~in1infty & ~in2infty
&and ("eax",&DWP($res_x+$i,"esp"));
&mov ("ebx","ebp");
&mov ("ebx","ebp"); # in1infty & ~in2infty
&and ("ebx",&DWP($in2_x+$i,"esp"));
&mov ("ecx","esi");
&mov ("ecx","esi"); # in2infty
&and ("ecx",&DWP($in1_x+$i,"esp"));
&or ("eax","ebx");
&or ("eax","ecx");
&mov (&DWP($i,"edi"),"eax");
}
for($i=0;$i<64;$i+=4) {
&mov ("eax","edx");
&mov ("eax","edx"); # ~in1infty & ~in2infty
&and ("eax",&DWP($res_x+$i,"esp"));
&mov ("ebx","ebp");
&mov ("ebx","ebp"); # in1infty & ~in2infty
&and ("ebx",&DWP($in2_x+$i,"esp"));
&mov ("ecx","esi");
&mov ("ecx","esi"); # in2infty
&and ("ecx",&DWP($in1_x+$i,"esp"));
&or ("eax","ebx");
&or ("eax","ecx");
@@ -1668,7 +1664,7 @@ for ($i=0;$i<7;$i++) {
# above map() describes stack layout with 15 temporary
# 256-bit vectors on top, then we take extra words for
# !in1infty, !in2infty, and OPENSSL_ia32cap_P copy.
# ~in1infty, ~in2infty, and OPENSSL_ia32cap_P copy.
&stack_push(8*15+3);
if ($sse2) {
&call ("_picup_eax");
@@ -1698,7 +1694,7 @@ for ($i=0;$i<7;$i++) {
&sub ("eax","ebp");
&or ("ebp","eax");
&sar ("ebp",31);
&mov (&DWP(32*15+0,"esp"),"ebp"); # !in1infty
&mov (&DWP(32*15+0,"esp"),"ebp"); # ~in1infty
&lea ("edi",&DWP($in2_x,"esp"));
for($i=0;$i<64;$i+=16) {
@@ -1724,7 +1720,7 @@ for ($i=0;$i<7;$i++) {
&lea ("ebp",&DWP($in1_z,"esp"));
&sar ("ebx",31);
&lea ("edi",&DWP($Z1sqr,"esp"));
&mov (&DWP(32*15+4,"esp"),"ebx"); # !in2infty
&mov (&DWP(32*15+4,"esp"),"ebx"); # ~in2infty
&call ("_ecp_nistz256_mul_mont"); # p256_sqr_mont(Z1sqr, in1_z);
@@ -1823,14 +1819,14 @@ for ($i=0;$i<7;$i++) {
&lea ("edi",&DWP($res_y,"esp"));
&call ("_ecp_nistz256_sub"); # p256_sub(res_y, res_y, S2);
&mov ("ebp",&DWP(32*15+0,"esp")); # !in1infty
&mov ("esi",&DWP(32*15+4,"esp")); # !in2infty
&mov ("ebp",&DWP(32*15+0,"esp")); # ~in1infty
&mov ("esi",&DWP(32*15+4,"esp")); # ~in2infty
&mov ("edi",&wparam(0));
&mov ("edx","ebp");
&not ("ebp");
&and ("edx","esi");
&and ("ebp","esi");
&not ("esi");
&and ("edx","esi"); # ~in1infty & ~in2infty
&and ("ebp","esi"); # in1infty & ~in2infty
&not ("esi"); # in2infty
########################################
# conditional moves
@@ -1848,11 +1844,11 @@ for ($i=0;$i<7;$i++) {
&mov (&DWP($i,"edi"),"eax");
}
for($i=0;$i<64;$i+=4) {
&mov ("eax","edx");
&mov ("eax","edx"); # ~in1infty & ~in2infty
&and ("eax",&DWP($res_x+$i,"esp"));
&mov ("ebx","ebp");
&mov ("ebx","ebp"); # in1infty & ~in2infty
&and ("ebx",&DWP($in2_x+$i,"esp"));
&mov ("ecx","esi");
&mov ("ecx","esi"); # in2infty
&and ("ecx",&DWP($in1_x+$i,"esp"));
&or ("eax","ebx");
&or ("eax","ecx");
@@ -1863,4 +1859,4 @@ for ($i=0;$i<7;$i++) {
&asm_finish();
close STDOUT;
close STDOUT or die "error closing STDOUT: $!";

40
crypto/ec/asm/ecp_nistz256-x86_64.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2014-2019 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
# Copyright (c) 2014, Intel Corporation. All Rights Reserved.
# Copyright (c) 2015 CloudFlare, Inc.
#
@@ -72,7 +72,7 @@ if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
$addx = ($1>=12);
}
if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9])\.([0-9]+)/) {
if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+)\.([0-9]+)/) {
my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
$avx = ($ver>=3.0) + ($ver>=3.01);
$addx = ($ver>=3.03);
@@ -1579,6 +1579,7 @@ $code.=<<___;
.type ecp_nistz256_to_mont,\@function,2
.align 32
ecp_nistz256_to_mont:
.cfi_startproc
___
$code.=<<___ if ($addx);
mov \$0x80100, %ecx
@@ -1587,6 +1588,7 @@ ___
$code.=<<___;
lea .LRR(%rip), $b_org
jmp .Lmul_mont
.cfi_endproc
.size ecp_nistz256_to_mont,.-ecp_nistz256_to_mont
################################################################################
@@ -2562,6 +2564,7 @@ $code.=<<___;
.type ecp_nistz256_scatter_w5,\@abi-omnipotent
.align 32
ecp_nistz256_scatter_w5:
.cfi_startproc
lea -3($index,$index,2), $index
movdqa 0x00($in_t), %xmm0
shl \$5, $index
@@ -2578,6 +2581,7 @@ ecp_nistz256_scatter_w5:
movdqa %xmm5, 0x50($val,$index)
ret
.cfi_endproc
.size ecp_nistz256_scatter_w5,.-ecp_nistz256_scatter_w5
################################################################################
@@ -2685,6 +2689,7 @@ $code.=<<___;
.type ecp_nistz256_scatter_w7,\@abi-omnipotent
.align 32
ecp_nistz256_scatter_w7:
.cfi_startproc
movdqu 0x00($in_t), %xmm0
shl \$6, $index
movdqu 0x10($in_t), %xmm1
@@ -2696,6 +2701,7 @@ ecp_nistz256_scatter_w7:
movdqa %xmm3, 0x30($val,$index)
ret
.cfi_endproc
.size ecp_nistz256_scatter_w7,.-ecp_nistz256_scatter_w7
################################################################################
@@ -3020,8 +3026,10 @@ $code.=<<___;
.type ecp_nistz256_avx2_gather_w7,\@function,3
.align 32
ecp_nistz256_avx2_gather_w7:
.cfi_startproc
.byte 0x0f,0x0b # ud2
ret
.cfi_endproc
.size ecp_nistz256_avx2_gather_w7,.-ecp_nistz256_avx2_gather_w7
___
}
@@ -3617,29 +3625,19 @@ $code.=<<___;
call __ecp_nistz256_sub_from$x # p256_sub(H, U2, U1);
or $acc5, $acc4 # see if result is zero
or $acc0, $acc4
or $acc1, $acc4 # !is_equal(U1, U2)
movq %xmm2, $acc0 # in1infty | in2infty
movq %xmm3, $acc1 # !is_equal(S1, S2)
or $acc0, $acc4
or $acc1, $acc4
# if (!is_equal(U1, U2) | in1infty | in2infty | !is_equal(S1, S2))
.byte 0x3e # predict taken
jnz .Ladd_proceed$x # is_equal(U1,U2)?
movq %xmm2, $acc0
movq %xmm3, $acc1
test $acc0, $acc0
jnz .Ladd_proceed$x # (in1infty || in2infty)?
test $acc1, $acc1
jz .Ladd_double$x # is_equal(S1,S2)?
jnz .Ladd_proceed$x
movq %xmm0, $r_ptr # restore $r_ptr
pxor %xmm0, %xmm0
movdqu %xmm0, 0x00($r_ptr)
movdqu %xmm0, 0x10($r_ptr)
movdqu %xmm0, 0x20($r_ptr)
movdqu %xmm0, 0x30($r_ptr)
movdqu %xmm0, 0x40($r_ptr)
movdqu %xmm0, 0x50($r_ptr)
jmp .Ladd_done$x
.align 32
.Ladd_double$x:
movq %xmm1, $a_ptr # restore $a_ptr
movq %xmm0, $r_ptr # restore $r_ptr
@@ -4738,4 +4736,4 @@ ___
$code =~ s/\`([^\`]*)\`/eval $1/gem;
print $code;
close STDOUT;
close STDOUT or die "error closing STDOUT: $!";

4
crypto/ec/asm/x25519-ppc64.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -821,4 +821,4 @@ ___
$code =~ s/\`([^\`]*)\`/eval $1/gem;
print $code;
close STDOUT;
close STDOUT or die "error closing STDOUT: $!";

20
crypto/ec/asm/x25519-x86_64.pl
View File

@@ -1,5 +1,5 @@
#!/usr/bin/env perl
# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -90,7 +90,7 @@ if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
$addx = ($1>=12);
}
if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9])\.([0-9]+)/) {
if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+)\.([0-9]+)/) {
my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
$addx = ($ver>=3.03);
}
@@ -488,12 +488,14 @@ $code.=<<___;
.type x25519_fe64_eligible,\@abi-omnipotent
.align 32
x25519_fe64_eligible:
.cfi_startproc
mov OPENSSL_ia32cap_P+8(%rip),%ecx
xor %eax,%eax
and \$0x80100,%ecx
cmp \$0x80100,%ecx
cmove %ecx,%eax
ret
.cfi_endproc
.size x25519_fe64_eligible,.-x25519_fe64_eligible
.globl x25519_fe64_mul
@@ -722,6 +724,7 @@ x25519_fe64_sqr:
.align 32
x25519_fe64_mul121666:
.Lfe64_mul121666_body:
.cfi_startproc
mov \$121666,%edx
mulx 8*0(%rsi),$acc0,%rcx
mulx 8*1(%rsi),$acc1,%rax
@@ -750,6 +753,7 @@ x25519_fe64_mul121666:
.Lfe64_mul121666_epilogue:
ret
.cfi_endproc
.size x25519_fe64_mul121666,.-x25519_fe64_mul121666
.globl x25519_fe64_add
@@ -757,6 +761,7 @@ x25519_fe64_mul121666:
.align 32
x25519_fe64_add:
.Lfe64_add_body:
.cfi_startproc
mov 8*0(%rsi),$acc0
mov 8*1(%rsi),$acc1
mov 8*2(%rsi),$acc2
@@ -785,6 +790,7 @@ x25519_fe64_add:
.Lfe64_add_epilogue:
ret
.cfi_endproc
.size x25519_fe64_add,.-x25519_fe64_add
.globl x25519_fe64_sub
@@ -792,6 +798,7 @@ x25519_fe64_add:
.align 32
x25519_fe64_sub:
.Lfe64_sub_body:
.cfi_startproc
mov 8*0(%rsi),$acc0
mov 8*1(%rsi),$acc1
mov 8*2(%rsi),$acc2
@@ -820,6 +827,7 @@ x25519_fe64_sub:
.Lfe64_sub_epilogue:
ret
.cfi_endproc
.size x25519_fe64_sub,.-x25519_fe64_sub
.globl x25519_fe64_tobytes
@@ -827,6 +835,7 @@ x25519_fe64_sub:
.align 32
x25519_fe64_tobytes:
.Lfe64_to_body:
.cfi_startproc
mov 8*0(%rsi),$acc0
mov 8*1(%rsi),$acc1
mov 8*2(%rsi),$acc2
@@ -862,6 +871,7 @@ x25519_fe64_tobytes:
.Lfe64_to_epilogue:
ret
.cfi_endproc
.size x25519_fe64_tobytes,.-x25519_fe64_tobytes
___
} else {
@@ -870,8 +880,10 @@ $code.=<<___;
.type x25519_fe64_eligible,\@abi-omnipotent
.align 32
x25519_fe64_eligible:
.cfi_startproc
xor %eax,%eax
ret
.cfi_endproc
.size x25519_fe64_eligible,.-x25519_fe64_eligible
.globl x25519_fe64_mul
@@ -887,8 +899,10 @@ x25519_fe64_mul121666:
x25519_fe64_add:
x25519_fe64_sub:
x25519_fe64_tobytes:
.cfi_startproc
.byte 0x0f,0x0b # ud2
ret
.cfi_endproc
.size x25519_fe64_mul,.-x25519_fe64_mul
___
}
@@ -1114,4 +1128,4 @@ ___
$code =~ s/\`([^\`]*)\`/eval $1/gem;
print $code;
close STDOUT;
close STDOUT or die "error closing STDOUT: $!";

2
crypto/ec/curve25519.c
View File

@@ -8,7 +8,7 @@
*/
#include <string.h>
#include "ec_lcl.h"
#include "ec_local.h"
#include <openssl/sha.h>
#if defined(X25519_ASM) && (defined(__x86_64) || defined(__x86_64__) || \

8
crypto/ec/curve448/arch_32/arch_intrinsics.h
View File

@@ -10,10 +10,10 @@
* Originally written by Mike Hamburg
*/
#ifndef HEADER_ARCH_32_ARCH_INTRINSICS_H
# define HEADER_ARCH_32_ARCH_INTRINSICS_H
#ifndef OSSL_CRYPTO_EC_CURVE448_ARCH_32_INTRINSICS_H
# define OSSL_CRYPTO_EC_CURVE448_ARCH_32_INTRINSICS_H
#include "internal/constant_time_locl.h"
#include "internal/constant_time.h"
# define ARCH_WORD_BITS 32
@@ -24,4 +24,4 @@ static ossl_inline uint64_t widemul(uint32_t a, uint32_t b)
return ((uint64_t)a) * b;
}
#endif /* HEADER_ARCH_32_ARCH_INTRINSICS_H */
#endif /* OSSL_CRYPTO_EC_CURVE448_ARCH_32_INTRINSICS_H */

6
crypto/ec/curve448/arch_32/f_impl.h
View File

@@ -10,8 +10,8 @@
* Originally written by Mike Hamburg
*/
#ifndef HEADER_ARCH_32_F_IMPL_H
# define HEADER_ARCH_32_F_IMPL_H
#ifndef OSSL_CRYPTO_EC_CURVE448_ARCH_32_F_IMPL_H
# define OSSL_CRYPTO_EC_CURVE448_ARCH_32_F_IMPL_H
# define GF_HEADROOM 2
# define LIMB(x) ((x) & ((1 << 28) - 1)), ((x) >> 28)
@@ -57,4 +57,4 @@ void gf_weak_reduce(gf a)
a->limb[0] = (a->limb[0] & mask) + tmp;
}
#endif /* HEADER_ARCH_32_F_IMPL_H */
#endif /* OSSL_CRYPTO_EC_CURVE448_ARCH_32_F_IMPL_H */

2
crypto/ec/curve448/curve448.c
View File

@@ -15,7 +15,7 @@
#include "point_448.h"
#include "ed448.h"
#include "curve448_lcl.h"
#include "curve448_local.h"
#define COFACTOR 4

6
crypto/ec/curve448/curve448_lcl.h → crypto/ec/curve448/curve448_local.h
View File

@@ -6,8 +6,8 @@
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef HEADER_CURVE448_LCL_H
# define HEADER_CURVE448_LCL_H
#ifndef OSSL_CRYPTO_EC_CURVE448_LOCAL_H
# define OSSL_CRYPTO_EC_CURVE448_LOCAL_H
# include "curve448utils.h"
int X448(uint8_t out_shared_key[56], const uint8_t private_key[56],
@@ -35,4 +35,4 @@ int ED448ph_verify(const uint8_t hash[64], const uint8_t signature[114],
int ED448_public_from_private(uint8_t out_public_key[57],
const uint8_t private_key[57]);
#endif /* HEADER_CURVE448_LCL_H */
#endif /* OSSL_CRYPTO_EC_CURVE448_LOCAL_H */

4
crypto/ec/curve448/curve448utils.h
View File

@@ -10,8 +10,8 @@
* Originally written by Mike Hamburg
*/
#ifndef HEADER_CURVE448UTILS_H
# define HEADER_CURVE448UTILS_H
#ifndef OSSL_CRYPTO_EC_CURVE448UTILS_H
# define OSSL_CRYPTO_EC_CURVE448UTILS_H
# include <openssl/e_os2.h>

6
crypto/ec/curve448/ed448.h
View File

@@ -10,8 +10,8 @@
* Originally written by Mike Hamburg
*/
#ifndef HEADER_ED448_H
# define HEADER_ED448_H
#ifndef OSSL_CRYPTO_EC_CURVE448_ED448_H
# define OSSL_CRYPTO_EC_CURVE448_ED448_H
# include "point_448.h"
@@ -192,4 +192,4 @@ c448_error_t c448_ed448_convert_private_key_to_x448(
uint8_t x[X448_PRIVATE_BYTES],
const uint8_t ed[EDDSA_448_PRIVATE_BYTES]);
#endif /* HEADER_ED448_H */
#endif /* OSSL_CRYPTO_EC_CURVE448_ED448_H */

11
crypto/ec/curve448/eddsa.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2015-2016 Cryptography Research, Inc.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -12,7 +12,7 @@
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include "curve448_lcl.h"
#include "curve448_local.h"
#include "word.h"
#include "ed448.h"
#include "internal/numbers.h"
@@ -50,7 +50,12 @@ static c448_error_t hash_init_with_dom(EVP_MD_CTX *hashctx, uint8_t prehashed,
const uint8_t *context,
size_t context_len)
{
const char *dom_s = "SigEd448";
#ifdef CHARSET_EBCDIC
const char dom_s[] = {0x53, 0x69, 0x67, 0x45,
0x64, 0x34, 0x34, 0x38, 0x00};
#else
const char dom_s[] = "SigEd448";
#endif
uint8_t dom[2];
if (context_len > UINT8_MAX)

8
crypto/ec/curve448/field.h
View File

@@ -10,10 +10,10 @@
* Originally written by Mike Hamburg
*/
#ifndef HEADER_FIELD_H
# define HEADER_FIELD_H
#ifndef OSSL_CRYPTO_EC_CURVE448_FIELD_H
# define OSSL_CRYPTO_EC_CURVE448_FIELD_H
# include "internal/constant_time_locl.h"
# include "internal/constant_time.h"
# include <string.h>
# include <assert.h>
# include "word.h"
@@ -165,4 +165,4 @@ static ossl_inline void gf_cond_swap(gf x, gf_s * RESTRICT y, mask_t swap)
}
}
#endif /* HEADER_FIELD_H */
#endif /* OSSL_CRYPTO_EC_CURVE448_FIELD_H */

6
crypto/ec/curve448/point_448.h
View File

@@ -10,8 +10,8 @@
* Originally written by Mike Hamburg
*/
#ifndef HEADER_POINT_448_H
# define HEADER_POINT_448_H
#ifndef OSSL_CRYPTO_EC_CURVE448_POINT_448_H
# define OSSL_CRYPTO_EC_CURVE448_POINT_448_H
# include "curve448utils.h"
# include "field.h"
@@ -298,4 +298,4 @@ void curve448_scalar_destroy(curve448_scalar_t scalar);
/* Overwrite point with zeros. */
void curve448_point_destroy(curve448_point_t point);
#endif /* HEADER_POINT_448_H */
#endif /* OSSL_CRYPTO_EC_CURVE448_POINT_448_H */

6
crypto/ec/curve448/word.h
View File

@@ -10,8 +10,8 @@
* Originally written by Mike Hamburg
*/
#ifndef HEADER_WORD_H
# define HEADER_WORD_H
#ifndef OSSL_CRYPTO_EC_CURVE448_WORD_H
# define OSSL_CRYPTO_EC_CURVE448_WORD_H
# include <string.h>
# include <assert.h>
@@ -78,4 +78,4 @@ static ossl_inline mask_t bool_to_mask(c448_bool_t m)
return ret;
}
#endif /* HEADER_WORD_H */
#endif /* OSSL_CRYPTO_EC_CURVE448_WORD_H */

2
crypto/ec/ec2_oct.c
View File

@@ -10,7 +10,7 @@
#include <openssl/err.h>
#include "ec_lcl.h"
#include "ec_local.h"
#ifndef OPENSSL_NO_EC2M

4
crypto/ec/ec2_smpl.c
View File

@@ -10,8 +10,8 @@
#include <openssl/err.h>
#include "internal/bn_int.h"
#include "ec_lcl.h"
#include "crypto/bn.h"
#include "ec_local.h"
#ifndef OPENSSL_NO_EC2M

6
crypto/ec/ec_ameth.c
View File

@@ -14,9 +14,9 @@
#include <openssl/bn.h>
#include <openssl/cms.h>
#include <openssl/asn1t.h>
#include "internal/asn1_int.h"
#include "internal/evp_int.h"
#include "ec_lcl.h"
#include "crypto/asn1.h"
#include "crypto/evp.h"
#include "ec_local.h"
#ifndef OPENSSL_NO_CMS
static int ecdh_cms_decrypt(CMS_RecipientInfo *ri);

23
crypto/ec/ec_asn1.c
View File

@@ -8,7 +8,7 @@
*/
#include <string.h>
#include "ec_lcl.h"
#include "ec_local.h"
#include <openssl/err.h>
#include <openssl/asn1t.h>
#include <openssl/objects.h>
@@ -446,6 +446,7 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
unsigned char *buffer = NULL;
const EC_POINT *point = NULL;
point_conversion_form_t form;
ASN1_INTEGER *orig;
if (params == NULL) {
if ((ret = ECPARAMETERS_new()) == NULL) {
@@ -496,8 +497,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_EC_LIB);
goto err;
}
ret->order = BN_to_ASN1_INTEGER(tmp, ret->order);
ret->order = BN_to_ASN1_INTEGER(tmp, orig = ret->order);
if (ret->order == NULL) {
ret->order = orig;
ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB);
goto err;
}
@@ -505,8 +507,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
/* set the cofactor (optional) */
tmp = EC_GROUP_get0_cofactor(group);
if (tmp != NULL) {
ret->cofactor = BN_to_ASN1_INTEGER(tmp, ret->cofactor);
ret->cofactor = BN_to_ASN1_INTEGER(tmp, orig = ret->cofactor);
if (ret->cofactor == NULL) {
ret->cofactor = orig;
ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB);
goto err;
}
@@ -846,6 +849,20 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
* serialized using explicit parameters by default.
*/
EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_EXPLICIT_CURVE);
/*
* If the input params do not contain the optional seed field we make
* sure it is not added to the returned group.
*
* The seed field is not really used inside libcrypto anyway, and
* adding it to parsed explicit parameter keys would alter their DER
* encoding output (because of the extra field) which could impact
* applications fingerprinting keys by their DER encoding.
*/
if (params->curve->seed == NULL) {
if (EC_GROUP_set_seed(ret, NULL, 0) != 1)
goto err;
}
}
ok = 1;

2
crypto/ec/ec_check.c
View File

@@ -7,7 +7,7 @@
* https://www.openssl.org/source/license.html
*/
#include "ec_lcl.h"
#include "ec_local.h"
#include <openssl/err.h>
int EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx)

2
crypto/ec/ec_curve.c
View File

@@ -9,7 +9,7 @@
*/
#include <string.h>
#include "ec_lcl.h"
#include "ec_local.h"
#include <openssl/err.h>
#include <openssl/obj_mac.h>
#include <openssl/opensslconf.h>

2
crypto/ec/ec_cvt.c
View File

@@ -9,7 +9,7 @@
*/
#include <openssl/err.h>
#include "ec_lcl.h"
#include "ec_local.h"
EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a,
const BIGNUM *b, BN_CTX *ctx)

2
crypto/ec/ec_key.c
View File

@@ -10,7 +10,7 @@
#include "internal/cryptlib.h"
#include <string.h>
#include "ec_lcl.h"
#include "ec_local.h"
#include "internal/refcount.h"
#include <openssl/err.h>
#include <openssl/engine.h>

2
crypto/ec/ec_kmeth.c
View File

@@ -11,7 +11,7 @@
#include <openssl/ec.h>
#include <openssl/engine.h>
#include <openssl/err.h>
#include "ec_lcl.h"
#include "ec_local.h"
static const EC_KEY_METHOD openssl_ec_key_method = {

2
crypto/ec/ec_lib.c
View File

@@ -13,7 +13,7 @@
#include <openssl/err.h>
#include <openssl/opensslv.h>
#include "ec_lcl.h"
#include "ec_local.h"
/* functions for EC_GROUP objects */

2
crypto/ec/ec_lcl.h → crypto/ec/ec_local.h
View File

@@ -14,7 +14,7 @@
#include <openssl/ec.h>
#include <openssl/bn.h>
#include "internal/refcount.h"
#include "internal/ec_int.h"
#include "crypto/ec.h"
#if defined(__SUNPRO_C)
# if __SUNPRO_C >= 0x520

4
crypto/ec/ec_mult.c
View File

@@ -12,8 +12,8 @@
#include <openssl/err.h>
#include "internal/cryptlib.h"
#include "internal/bn_int.h"
#include "ec_lcl.h"
#include "crypto/bn.h"
#include "ec_local.h"
#include "internal/refcount.h"
/*

2
crypto/ec/ec_oct.c
View File

@@ -13,7 +13,7 @@
#include <openssl/err.h>
#include <openssl/opensslv.h>
#include "ec_lcl.h"
#include "ec_local.h"
int EC_POINT_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point,
const BIGNUM *x, int y_bit, BN_CTX *ctx)

4
crypto/ec/ec_pmeth.c
View File

@@ -12,9 +12,9 @@
#include <openssl/asn1t.h>
#include <openssl/x509.h>
#include <openssl/ec.h>
#include "ec_lcl.h"
#include "ec_local.h"
#include <openssl/evp.h>
#include "internal/evp_int.h"
#include "crypto/evp.h"
/* EC pkey context structure */

6
crypto/ec/ec_print.c
View File

@@ -9,7 +9,7 @@
#include <openssl/crypto.h>
#include <openssl/err.h>
#include "ec_lcl.h"
#include "ec_local.h"
BIGNUM *EC_POINT_point2bn(const EC_GROUP *group,
const EC_POINT *point,
@@ -39,13 +39,13 @@ EC_POINT *EC_POINT_bn2point(const EC_GROUP *group,
EC_POINT *ret;
if ((buf_len = BN_num_bytes(bn)) == 0)
return NULL;
buf_len = 1;
if ((buf = OPENSSL_malloc(buf_len)) == NULL) {
ECerr(EC_F_EC_POINT_BN2POINT, ERR_R_MALLOC_FAILURE);
return NULL;
}
if (!BN_bn2bin(bn, buf)) {
if (!BN_bn2binpad(bn, buf, buf_len)) {
OPENSSL_free(buf);
return NULL;
}

2
crypto/ec/ecdh_kdf.c
View File

@@ -10,7 +10,7 @@
#include <string.h>
#include <openssl/ec.h>
#include <openssl/evp.h>
#include "ec_lcl.h"
#include "ec_local.h"
/* Key derivation function from X9.63/SECG */
/* Way more than we will ever need */

2
crypto/ec/ecdh_ossl.c
View File

@@ -17,7 +17,7 @@
#include <openssl/bn.h>
#include <openssl/objects.h>
#include <openssl/ec.h>
#include "ec_lcl.h"
#include "ec_local.h"
int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen,
const EC_POINT *pub_key, const EC_KEY *ecdh)

6
crypto/ec/ecdsa_ossl.c
View File

@@ -11,8 +11,8 @@
#include <openssl/err.h>
#include <openssl/obj_mac.h>
#include <openssl/rand.h>
#include "internal/bn_int.h"
#include "ec_lcl.h"
#include "crypto/bn.h"
#include "ec_local.h"
int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
unsigned char *sig, unsigned int *siglen,
@@ -309,7 +309,7 @@ int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len,
goto err;
ret = ECDSA_do_verify(dgst, dgst_len, s, eckey);
err:
OPENSSL_clear_free(der, derlen);
OPENSSL_free(der);
ECDSA_SIG_free(s);
return ret;
}

2
crypto/ec/ecdsa_sign.c
View File

@@ -8,7 +8,7 @@
*/
#include <openssl/ec.h>
#include "ec_lcl.h"
#include "ec_local.h"
#include <openssl/err.h>
ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey)

8
crypto/ec/ecdsa_vrf.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,7 +8,7 @@
*/
#include <openssl/ec.h>
#include "ec_lcl.h"
#include "ec_local.h"
#include <openssl/err.h>
/*-
@@ -23,7 +23,7 @@ int ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
if (eckey->meth->verify_sig != NULL)
return eckey->meth->verify_sig(dgst, dgst_len, sig, eckey);
ECerr(EC_F_ECDSA_DO_VERIFY, EC_R_OPERATION_NOT_SUPPORTED);
return 0;
return -1;
}
/*-
@@ -39,5 +39,5 @@ int ECDSA_verify(int type, const unsigned char *dgst, int dgst_len,
return eckey->meth->verify(type, dgst, dgst_len, sigbuf, sig_len,
eckey);
ECerr(EC_F_ECDSA_VERIFY, EC_R_OPERATION_NOT_SUPPORTED);
return 0;
return -1;
}

2
crypto/ec/ecp_mont.c
View File

@@ -10,7 +10,7 @@
#include <openssl/err.h>
#include "ec_lcl.h"
#include "ec_local.h"
const EC_METHOD *EC_GFp_mont_method(void)
{

2
crypto/ec/ecp_nist.c
View File

@@ -12,7 +12,7 @@
#include <openssl/err.h>
#include <openssl/obj_mac.h>
#include "ec_lcl.h"
#include "ec_local.h"
const EC_METHOD *EC_GFp_nist_method(void)
{

39
crypto/ec/ecp_nistp224.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2010-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -38,7 +38,7 @@ NON_EMPTY_TRANSLATION_UNIT
# include <stdint.h>
# include <string.h>
# include <openssl/err.h>
# include "ec_lcl.h"
# include "ec_local.h"
# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16
/* even with gcc, the typedef won't work for 32-bit platforms */
@@ -907,6 +907,7 @@ static void point_add(felem x3, felem y3, felem z3,
felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, x_out, y_out, z_out;
widefelem tmp, tmp2;
limb z1_is_zero, z2_is_zero, x_equal, y_equal;
limb points_equal;
if (!mixed) {
/* ftmp2 = z2^2 */
@@ -963,15 +964,41 @@ static void point_add(felem x3, felem y3, felem z3,
felem_reduce(ftmp, tmp);
/*
* the formulae are incorrect if the points are equal so we check for
* this and do doubling if this happens
* The formulae are incorrect if the points are equal, in affine coordinates
* (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this
* happens.
*
* We use bitwise operations to avoid potential side-channels introduced by
* the short-circuiting behaviour of boolean operators.
*/
x_equal = felem_is_zero(ftmp);
y_equal = felem_is_zero(ftmp3);
/*
* The special case of either point being the point at infinity (z1 and/or
* z2 are zero), is handled separately later on in this function, so we
* avoid jumping to point_double here in those special cases.
*/
z1_is_zero = felem_is_zero(z1);
z2_is_zero = felem_is_zero(z2);
/* In affine coordinates, (X_1, Y_1) == (X_2, Y_2) */
if (x_equal && y_equal && !z1_is_zero && !z2_is_zero) {
/*
* Compared to `ecp_nistp256.c` and `ecp_nistp521.c`, in this
* specific implementation `felem_is_zero()` returns truth as `0x1`
* (rather than `0xff..ff`).
*
* This implies that `~true` in this implementation becomes
* `0xff..fe` (rather than `0x0`): for this reason, to be used in
* the if expression, we mask out only the last bit in the next
* line.
*/
points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero)) & 1;
if (points_equal) {
/*
* This is obviously not constant-time but, as mentioned before, this
* case never happens during single point multiplication, so there is no
* timing leak for ECDH or ECDSA signing.
*/
point_double(x3, y3, z3, x1, y1, z1);
return;
}

30
crypto/ec/ecp_nistp256.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -39,7 +39,7 @@ NON_EMPTY_TRANSLATION_UNIT
# include <stdint.h>
# include <string.h>
# include <openssl/err.h>
# include "ec_lcl.h"
# include "ec_local.h"
# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16
/* even with gcc, the typedef won't work for 32-bit platforms */
@@ -74,8 +74,8 @@ static const felem_bytearray nistp256_curve_params[5] = {
{0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, /* a = -3 */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfc}, /* b */
{0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfc},
{0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7, /* b */
0xb3, 0xeb, 0xbd, 0x55, 0x76, 0x98, 0x86, 0xbc,
0x65, 0x1d, 0x06, 0xb0, 0xcc, 0x53, 0xb0, 0xf6,
0x3b, 0xce, 0x3c, 0x3e, 0x27, 0xd2, 0x60, 0x4b},
@@ -1241,6 +1241,7 @@ static void point_add(felem x3, felem y3, felem z3,
longfelem tmp, tmp2;
smallfelem small1, small2, small3, small4, small5;
limb x_equal, y_equal, z1_is_zero, z2_is_zero;
limb points_equal;
felem_shrink(small3, z1);
@@ -1340,7 +1341,26 @@ static void point_add(felem x3, felem y3, felem z3,
felem_shrink(small1, ftmp5);
y_equal = smallfelem_is_zero(small1);
if (x_equal && y_equal && !z1_is_zero && !z2_is_zero) {
/*
* The formulae are incorrect if the points are equal, in affine coordinates
* (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this
* happens.
*
* We use bitwise operations to avoid potential side-channels introduced by
* the short-circuiting behaviour of boolean operators.
*
* The special case of either point being the point at infinity (z1 and/or
* z2 are zero), is handled separately later on in this function, so we
* avoid jumping to point_double here in those special cases.
*/
points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero));
if (points_equal) {
/*
* This is obviously not constant-time but, as mentioned before, this
* case never happens during single point multiplication, so there is no
* timing leak for ECDH or ECDSA signing.
*/
point_double(x3, y3, z3, x1, y1, z1);
return;
}

24
crypto/ec/ecp_nistp521.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -38,7 +38,7 @@ NON_EMPTY_TRANSLATION_UNIT
# include <string.h>
# include <openssl/err.h>
# include "ec_lcl.h"
# include "ec_local.h"
# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16
/* even with gcc, the typedef won't work for 32-bit platforms */
@@ -1158,6 +1158,7 @@ static void point_add(felem x3, felem y3, felem z3,
felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6, x_out, y_out, z_out;
largefelem tmp, tmp2;
limb x_equal, y_equal, z1_is_zero, z2_is_zero;
limb points_equal;
z1_is_zero = felem_is_zero(z1);
z2_is_zero = felem_is_zero(z2);
@@ -1242,7 +1243,24 @@ static void point_add(felem x3, felem y3, felem z3,
felem_scalar64(ftmp5, 2);
/* ftmp5[i] < 2^61 */
if (x_equal && y_equal && !z1_is_zero && !z2_is_zero) {
/*
* The formulae are incorrect if the points are equal, in affine coordinates
* (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this
* happens.
*
* We use bitwise operations to avoid potential side-channels introduced by
* the short-circuiting behaviour of boolean operators.
*
* The special case of either point being the point at infinity (z1 and/or
* z2 are zero), is handled separately later on in this function, so we
* avoid jumping to point_double here in those special cases.
*
* Notice the comment below on the implications of this branching for timing
* leaks and why it is considered practically irrelevant.
*/
points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero));
if (points_equal) {
/*
* This is obviously not constant-time but it will almost-never happen
* for ECDH / ECDSA. The case where it can happen is during scalar-mult

2
crypto/ec/ecp_nistputil.c
View File

@@ -33,7 +33,7 @@ NON_EMPTY_TRANSLATION_UNIT
*/
# include <stddef.h>
# include "ec_lcl.h"
# include "ec_local.h"
/*
* Convert an array of points into affine coordinates. (If the point at

55
crypto/ec/ecp_nistz256.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2014-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2014, Intel Corporation. All Rights Reserved.
* Copyright (c) 2015, CloudFlare, Inc.
*
@@ -21,8 +21,8 @@
#include <string.h>
#include "internal/cryptlib.h"
#include "internal/bn_int.h"
#include "ec_lcl.h"
#include "crypto/bn.h"
#include "ec_local.h"
#include "internal/refcount.h"
#if BN_BITS2 != 64
@@ -358,16 +358,47 @@ static void ecp_nistz256_point_add(P256_POINT *r,
ecp_nistz256_sub(H, U2, U1); /* H = U2 - U1 */
/*
* This should not happen during sign/ecdh, so no constant time violation
* The formulae are incorrect if the points are equal so we check for
* this and do doubling if this happens.
*
* Points here are in Jacobian projective coordinates (Xi, Yi, Zi)
* that are bound to the affine coordinates (xi, yi) by the following
* equations:
* - xi = Xi / (Zi)^2
* - y1 = Yi / (Zi)^3
*
* For the sake of optimization, the algorithm operates over
* intermediate variables U1, U2 and S1, S2 that are derived from
* the projective coordinates:
* - U1 = X1 * (Z2)^2 ; U2 = X2 * (Z1)^2
* - S1 = Y1 * (Z2)^3 ; S2 = Y2 * (Z1)^3
*
* It is easy to prove that is_equal(U1, U2) implies that the affine
* x-coordinates are equal, or either point is at infinity.
* Likewise is_equal(S1, S2) implies that the affine y-coordinates are
* equal, or either point is at infinity.
*
* The special case of either point being the point at infinity (Z1 or Z2
* is zero), is handled separately later on in this function, so we avoid
* jumping to point_double here in those special cases.
*
* When both points are inverse of each other, we know that the affine
* x-coordinates are equal, and the y-coordinates have different sign.
* Therefore since U1 = U2, we know H = 0, and therefore Z3 = H*Z1*Z2
* will equal 0, thus the result is infinity, if we simply let this
* function continue normally.
*
* We use bitwise operations to avoid potential side-channels introduced by
* the short-circuiting behaviour of boolean operators.
*/
if (is_equal(U1, U2) && !in1infty && !in2infty) {
if (is_equal(S1, S2)) {
ecp_nistz256_point_double(r, a);
return;
} else {
memset(r, 0, sizeof(*r));
return;
}
if (is_equal(U1, U2) & ~in1infty & ~in2infty & is_equal(S1, S2)) {
/*
* This is obviously not constant-time but it should never happen during
* single point multiplication, so there is no timing leak for ECDH or
* ECDSA signing.
*/
ecp_nistz256_point_double(r, a);
return;
}
ecp_nistz256_sqr_mont(Rsqr, R); /* R^2 */

2
crypto/ec/ecp_oct.c
View File

@@ -11,7 +11,7 @@
#include <openssl/err.h>
#include <openssl/symhacks.h>
#include "ec_lcl.h"
#include "ec_local.h"
int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group,
EC_POINT *point,

2
crypto/ec/ecp_smpl.c
View File

@@ -11,7 +11,7 @@
#include <openssl/err.h>
#include <openssl/symhacks.h>
#include "ec_lcl.h"
#include "ec_local.h"
const EC_METHOD *EC_GFp_simple_method(void)
{

10
crypto/ec/ecx_meth.c
View File

@@ -12,10 +12,10 @@
#include <openssl/x509.h>
#include <openssl/ec.h>
#include <openssl/rand.h>
#include "internal/asn1_int.h"
#include "internal/evp_int.h"
#include "ec_lcl.h"
#include "curve448/curve448_lcl.h"
#include "crypto/asn1.h"
#include "crypto/evp.h"
#include "ec_local.h"
#include "curve448/curve448_local.h"
#define X25519_BITS 253
#define X25519_SECURITY_BITS 128
@@ -191,7 +191,7 @@ static int ecx_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
}
rv = ecx_key_op(pkey, pkey->ameth->pkey_id, palg, p, plen, KEY_OP_PRIVATE);
ASN1_OCTET_STRING_free(oct);
ASN1_STRING_clear_free(oct);
return rv;
}