SecBSD/src
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sync code with last fixes and improvements from OpenBSD

Browse source
This commit is contained in:
purplerain 2023-08-11 09:11:00 +00:00
parent 371ae113c6
commit 454dab66ed
Signed by: purplerain
GPG key ID: F42C07F07E2E35B7
95 changed files with 1784 additions and 2042 deletions
Download patch file Download diff file Expand all files Collapse all files

5
lib/libcrypto/Makefile
View file

@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.153 2023/07/29 06:46:20 tb Exp $
# $OpenBSD: Makefile,v 1.155 2023/08/09 09:32:22 tb Exp $
LIB= crypto
LIBREBUILD=y
@ -168,7 +168,6 @@ SRCS+= bss_sock.c
# bn/
SRCS+= bn_add.c
SRCS+= bn_blind.c
SRCS+= bn_bpsw.c
SRCS+= bn_const.c
SRCS+= bn_convert.c
@ -534,8 +533,8 @@ SRCS+= ripemd.c
# rsa/
SRCS+= rsa_ameth.c
SRCS+= rsa_asn1.c
SRCS+= rsa_blinding.c
SRCS+= rsa_chk.c
SRCS+= rsa_crpt.c
SRCS+= rsa_eay.c
SRCS+= rsa_err.c
SRCS+= rsa_gen.c

13
lib/libcrypto/bn/bn_local.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: bn_local.h,v 1.33 2023/08/03 18:53:55 tb Exp $ */
/* $OpenBSD: bn_local.h,v 1.38 2023/08/09 09:23:03 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -292,17 +292,6 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
BN_RECP_CTX *recp, BN_CTX *ctx);
void BN_BLINDING_free(BN_BLINDING *b);
int BN_BLINDING_convert(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *);
int BN_BLINDING_invert(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *);
CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *);
BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
BN_MONT_CTX *m_ctx);
/* Explicitly const time / non-const time versions for internal use */
int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx);

131
lib/libcrypto/dh/dh_ameth.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: dh_ameth.c,v 1.30 2023/07/08 15:29:03 beck Exp $ */
/* $OpenBSD: dh_ameth.c,v 1.33 2023/08/10 16:57:15 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@ -130,50 +130,53 @@ err:
static int
dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
{
DH *dh;
int ptype;
unsigned char *penc = NULL;
int penclen;
ASN1_STRING *str;
ASN1_INTEGER *pub_key = NULL;
const DH *dh = pkey->pkey.dh;
ASN1_STRING *params = NULL;
int ptype = V_ASN1_SEQUENCE;
ASN1_INTEGER *key = NULL;
ASN1_OBJECT *aobj;
unsigned char *params_der = NULL, *key_der = NULL;
int params_len = 0, key_len = 0;
int ret = 0;
dh=pkey->pkey.dh;
str = ASN1_STRING_new();
if (str == NULL) {
if ((params_len = i2d_DHparams(dh, &params_der)) <= 0) {
DHerror(ERR_R_MALLOC_FAILURE);
params_len = 0;
goto err;
}
if ((params = ASN1_STRING_new()) == NULL) {
DHerror(ERR_R_MALLOC_FAILURE);
goto err;
}
ASN1_STRING_set0(params, params_der, params_len);
params_der = NULL;
params_len = 0;
str->length = i2d_DHparams(dh, &str->data);
if (str->length <= 0) {
if ((key = BN_to_ASN1_INTEGER(dh->pub_key, NULL)) == NULL)
goto err;
if ((key_len = i2d_ASN1_INTEGER(key, &key_der)) <= 0) {
DHerror(ERR_R_MALLOC_FAILURE);
key_len = 0;
goto err;
}
ptype = V_ASN1_SEQUENCE;
pub_key = BN_to_ASN1_INTEGER(dh->pub_key, NULL);
if (!pub_key)
if ((aobj = OBJ_nid2obj(EVP_PKEY_DH)) == NULL)
goto err;
penclen = i2d_ASN1_INTEGER(pub_key, &penc);
ASN1_INTEGER_free(pub_key);
if (penclen <= 0) {
DHerror(ERR_R_MALLOC_FAILURE);
if (!X509_PUBKEY_set0_param(pk, aobj, ptype, params, key_der, key_len))
goto err;
}
params = NULL;
key_der = NULL;
key_len = 0;
if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_DH), ptype,
(void *)str, penc, penclen))
return 1;
ret = 1;
err:
free(penc);
ASN1_STRING_free(str);
err:
ASN1_STRING_free(params);
ASN1_INTEGER_free(key);
freezero(params_der, params_len);
freezero(key_der, key_len);
return 0;
return ret;
}
/*
@ -236,49 +239,55 @@ dherr:
static int
dh_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
{
const DH *dh = pkey->pkey.dh;
ASN1_STRING *params = NULL;
ASN1_INTEGER *prkey = NULL;
unsigned char *dp = NULL;
int dplen;
int ptype = V_ASN1_SEQUENCE;
ASN1_INTEGER *key = NULL;
ASN1_OBJECT *aobj;
unsigned char *params_der = NULL, *key_der = NULL;
int params_len = 0, key_len = 0;
int ret = 0;
params = ASN1_STRING_new();
if (!params) {
if ((params_len = i2d_DHparams(dh, &params_der)) <= 0) {
DHerror(ERR_R_MALLOC_FAILURE);
params_len = 0;
goto err;
}
if ((params = ASN1_STRING_type_new(V_ASN1_SEQUENCE)) == NULL) {
DHerror(ERR_R_MALLOC_FAILURE);
goto err;
}
ASN1_STRING_set0(params, params_der, params_len);
params_der = NULL;
params_len = 0;
params->length = i2d_DHparams(pkey->pkey.dh, &params->data);
if (params->length <= 0) {
DHerror(ERR_R_MALLOC_FAILURE);
goto err;
}
params->type = V_ASN1_SEQUENCE;
/* Get private key into integer */
prkey = BN_to_ASN1_INTEGER(pkey->pkey.dh->priv_key, NULL);
if (!prkey) {
if ((key = BN_to_ASN1_INTEGER(dh->priv_key, NULL)) == NULL) {
DHerror(DH_R_BN_ERROR);
goto err;
}
dplen = i2d_ASN1_INTEGER(prkey, &dp);
ASN1_INTEGER_free(prkey);
prkey = NULL;
if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_dhKeyAgreement), 0,
V_ASN1_SEQUENCE, params, dp, dplen))
if ((key_len = i2d_ASN1_INTEGER(key, &key_der)) <= 0) {
DHerror(ERR_R_MALLOC_FAILURE);
key_len = 0;
goto err;
}
return 1;
if ((aobj = OBJ_nid2obj(NID_dhKeyAgreement)) == NULL)
goto err;
if (!PKCS8_pkey_set0(p8, aobj, 0, ptype, params, key_der, key_len))
goto err;
params = NULL;
key_der = NULL;
key_len = 0;
err:
free(dp);
ret = 1;
err:
ASN1_STRING_free(params);
ASN1_INTEGER_free(prkey);
return 0;
ASN1_INTEGER_free(key);
freezero(params_der, params_len);
freezero(key_der, key_len);
return ret;
}
static int

123
lib/libcrypto/dsa/dsa_ameth.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: dsa_ameth.c,v 1.43 2023/07/07 06:59:18 tb Exp $ */
/* $OpenBSD: dsa_ameth.c,v 1.46 2023/08/10 16:57:15 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@ -138,49 +138,58 @@ err:
static int
dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
{
DSA *dsa;
ASN1_INTEGER *pubint = NULL;
ASN1_STRING *str = NULL;
const DSA *dsa = pkey->pkey.dsa;
ASN1_STRING *params = NULL;
int ptype = V_ASN1_UNDEF;
unsigned char *penc = NULL;
int penclen;
ASN1_INTEGER *key = NULL;
ASN1_OBJECT *aobj;
unsigned char *params_der = NULL, *key_der = NULL;
int params_len = 0, key_len = 0;
int ret = 0;
dsa = pkey->pkey.dsa;
if (pkey->save_parameters && dsa->p && dsa->q && dsa->g) {
if ((str = ASN1_STRING_new()) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
goto err;
}
str->length = i2d_DSAparams(dsa, &str->data);
if (str->length <= 0) {
if ((params_len = i2d_DSAparams(dsa, &params_der)) <= 0) {
DSAerror(ERR_R_MALLOC_FAILURE);
params_len = 0;
goto err;
}
if ((params = ASN1_STRING_new()) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
goto err;
}
ASN1_STRING_set0(params, params_der, params_len);
params_der = NULL;
params_len = 0;
ptype = V_ASN1_SEQUENCE;
}
if ((pubint = BN_to_ASN1_INTEGER(dsa->pub_key, NULL)) == NULL) {
if ((key = BN_to_ASN1_INTEGER(dsa->pub_key, NULL)) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
goto err;
}
penclen = i2d_ASN1_INTEGER(pubint, &penc);
ASN1_INTEGER_free(pubint);
if (penclen <= 0) {
if ((key_len = i2d_ASN1_INTEGER(key, &key_der)) <= 0) {
DSAerror(ERR_R_MALLOC_FAILURE);
key_len = 0;
goto err;
}
if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_DSA), ptype, str,
penc, penclen))
return 1;
if ((aobj = OBJ_nid2obj(EVP_PKEY_DSA)) == NULL)
goto err;
if (!X509_PUBKEY_set0_param(pk, aobj, ptype, params, key_der, key_len))
goto err;
params = NULL;
key_der = NULL;
key_len = 0;
ret = 1;
err:
free(penc);
ASN1_STRING_free(str);
ASN1_STRING_free(params);
ASN1_INTEGER_free(key);
freezero(params_der, params_len);
freezero(key_der, key_len);
return 0;
return ret;
}
/* In PKCS#8 DSA: you just get a private key integer and parameters in the
@ -265,47 +274,55 @@ done:
static int
dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
{
const DSA *dsa = pkey->pkey.dsa;
ASN1_STRING *params = NULL;
ASN1_INTEGER *prkey = NULL;
unsigned char *dp = NULL;
int dplen;
int ptype = V_ASN1_SEQUENCE;
ASN1_INTEGER *key = NULL;
ASN1_OBJECT *aobj;
unsigned char *params_der = NULL, *key_der = NULL;
int params_len = 0, key_len = 0;
int ret = 0;
params = ASN1_STRING_new();
if (!params) {
if ((params_len = i2d_DSAparams(dsa, &params_der)) <= 0) {
DSAerror(ERR_R_MALLOC_FAILURE);
params_len = 0;
goto err;
}
if ((params = ASN1_STRING_type_new(V_ASN1_SEQUENCE)) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
goto err;
}
ASN1_STRING_set0(params, params_der, params_len);
params_der = NULL;
params_len = 0;
params->length = i2d_DSAparams(pkey->pkey.dsa, &params->data);
if (params->length <= 0) {
DSAerror(ERR_R_MALLOC_FAILURE);
goto err;
}
params->type = V_ASN1_SEQUENCE;
/* Get private key into integer */
prkey = BN_to_ASN1_INTEGER(pkey->pkey.dsa->priv_key, NULL);
if (!prkey) {
if ((key = BN_to_ASN1_INTEGER(dsa->priv_key, NULL)) == NULL) {
DSAerror(DSA_R_BN_ERROR);
goto err;
}
dplen = i2d_ASN1_INTEGER(prkey, &dp);
ASN1_INTEGER_free(prkey);
prkey = NULL;
if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_dsa), 0, V_ASN1_SEQUENCE,
params, dp, dplen))
if ((key_len = i2d_ASN1_INTEGER(key, &key_der)) <= 0) {
DSAerror(ERR_R_MALLOC_FAILURE);
key_len = 0;
goto err;
}
return 1;
if ((aobj = OBJ_nid2obj(NID_dsa)) == NULL)
goto err;
if (!PKCS8_pkey_set0(p8, aobj, 0, ptype, params, key_der, key_len))
goto err;
params = NULL;
key_der = NULL;
key_len = 0;
err:
free(dp);
ret = 1;
err:
ASN1_STRING_free(params);
ASN1_INTEGER_free(prkey);
return 0;
ASN1_INTEGER_free(key);
freezero(params_der, params_len);
freezero(key_der, key_len);
return ret;
}
static int

5
lib/libcrypto/ec/ec.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ec.h,v 1.45 2023/07/28 09:28:37 tb Exp $ */
/* $OpenBSD: ec.h,v 1.46 2023/08/11 04:45:27 tb Exp $ */
/*
* Originally written by Bodo Moeller for the OpenSSL project.
*/
@ -262,9 +262,6 @@ int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off);
#endif
int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off);
typedef struct ec_key_st EC_KEY;
typedef struct ec_key_method_st EC_KEY_METHOD;
#define EC_PKEY_NO_PARAMETERS 0x001
#define EC_PKEY_NO_PUBKEY 0x002

23
lib/libcrypto/ecdsa/ecdsa.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ecdsa.c,v 1.17 2023/08/03 18:53:56 tb Exp $ */
/* $OpenBSD: ecdsa.c,v 1.18 2023/08/08 13:09:28 tb Exp $ */
/* ====================================================================
* Copyright (c) 2000-2002 The OpenSSL Project. All rights reserved.
*
@ -341,27 +341,6 @@ ecdsa_sign_setup(EC_KEY *key, BN_CTX *in_ctx, BIGNUM **out_kinv, BIGNUM **out_r)
if (!bn_rand_interval(k, 1, order))
goto err;
/*
* We do not want timing information to leak the length of k,
* so we compute G * k using an equivalent scalar of fixed
* bit-length.
*
* We unconditionally perform both of these additions to prevent
* a small timing information leakage. We then choose the sum
* that is one bit longer than the order. This guarantees the
* code path used in the constant time implementations
* elsewhere.
*
* TODO: revisit the bn_copy aiming for a memory access agnostic
* conditional copy.
*/
if (!BN_add(r, k, order) ||
!BN_add(x, r, order) ||
!bn_copy(k, BN_num_bits(r) > order_bits ? r : x))
goto err;
BN_set_flags(k, BN_FLG_CONSTTIME);
/* Step 5: P = k * G. */
if (!EC_POINT_mul(group, point, k, NULL, NULL, ctx)) {
ECerror(ERR_R_EC_LIB);

6
lib/libcrypto/evp/evp_local.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: evp_local.h,v 1.3 2023/03/01 11:16:06 tb Exp $ */
/* $OpenBSD: evp_local.h,v 1.4 2023/08/11 05:10:35 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2000.
*/
@ -115,7 +115,7 @@ struct evp_pkey_st {
STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
} /* EVP_PKEY */;
struct env_md_st {
struct evp_md_st {
int type;
int pkey_type;
int md_size;
@ -132,7 +132,7 @@ struct env_md_st {
int (*md_ctrl)(EVP_MD_CTX *ctx, int cmd, int p1, void *p2);
} /* EVP_MD */;
struct env_md_ctx_st {
struct evp_md_ctx_st {
const EVP_MD *digest;
ENGINE *engine; /* functional reference if 'digest' is ENGINE-provided */
unsigned long flags;

10
lib/libcrypto/hkdf/hkdf.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: hkdf.h,v 1.2 2018/04/03 13:33:53 tb Exp $ */
/* $OpenBSD: hkdf.h,v 1.3 2023/08/11 04:52:08 tb Exp $ */
/* Copyright (c) 2014, Google Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
@ -33,7 +33,7 @@ extern "C" {
* a key from a password.
*/
int HKDF(uint8_t *out_key, size_t out_len, const struct env_md_st *digest,
int HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest,
const uint8_t *secret, size_t secret_len, const uint8_t *salt,
size_t salt_len, const uint8_t *info, size_t info_len);
@ -43,9 +43,9 @@ int HKDF(uint8_t *out_key, size_t out_len, const struct env_md_st *digest,
* and outputs |out_len| bytes to |out_key|. The maximum output size
* is |EVP_MAX_MD_SIZE|. It returns one on success and zero on error.
*/
int HKDF_extract(uint8_t *out_key, size_t *out_len,
const struct env_md_st *digest, const uint8_t *secret,
size_t secret_len, const uint8_t *salt, size_t salt_len);
int HKDF_extract(uint8_t *out_key, size_t *out_len, const EVP_MD *digest,
const uint8_t *secret, size_t secret_len,
const uint8_t *salt, size_t salt_len);
/*
* HKDF_expand computes a HKDF OKM (as specified by RFC 5869) of

6
lib/libcrypto/man/X509_STORE_CTX_set_verify.3
View file

@ -1,6 +1,7 @@
.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.6 2023/03/18 08:20:20 jsg Exp $
.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.7 2023/08/10 16:15:42 schwarze Exp $
.\"
.\" Copyright (c) 2021, 2022 Ingo Schwarze <schwarze@openbsd.org>
.\" Copyright (c) 2023 Job Snijders <job@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -14,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: March 18 2023 $
.Dd $Mdocdate: August 10 2023 $
.Dt X509_STORE_CTX_SET_VERIFY 3
.Os
.Sh NAME
@ -24,6 +25,7 @@
.Nm X509_STORE_set_verify ,
.Nm X509_STORE_set_verify_func ,
.Nm X509_STORE_get_verify ,
.Nm X509_STORE_CTX_check_issued_fn ,
.Nm X509_STORE_set_check_issued ,
.Nm X509_STORE_get_check_issued ,
.Nm X509_STORE_CTX_get_check_issued

77
lib/libcrypto/man/X509_STORE_get_by_subject.3
View file

@ -1,6 +1,6 @@
.\" $OpenBSD: X509_STORE_get_by_subject.3,v 1.3 2021/11/12 14:05:28 schwarze Exp $
.\" $OpenBSD: X509_STORE_get_by_subject.3,v 1.4 2023/08/10 14:15:16 schwarze Exp $
.\"
.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
.\" Copyright (c) 2021, 2023 Ingo Schwarze <schwarze@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -14,16 +14,18 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: November 12 2021 $
.Dd $Mdocdate: August 10 2023 $
.Dt X509_STORE_GET_BY_SUBJECT 3
.Os
.Sh NAME
.Nm X509_STORE_CTX_get_by_subject ,
.Nm X509_STORE_CTX_get_obj_by_subject ,
.Nm X509_STORE_CTX_get1_certs ,
.Nm X509_STORE_CTX_get1_crls ,
.Nm X509_STORE_CTX_get1_issuer ,
.Nm X509_STORE_get_by_subject ,
.Nm X509_STORE_get1_certs ,
.Nm X509_STORE_get1_crls ,
.Nm X509_STORE_CTX_get1_issuer
.Nm X509_STORE_get1_crls
.Nd retrieve objects from a certificate store
.Sh SYNOPSIS
.In openssl/x509_vfy.h
@ -40,6 +42,22 @@
.Fa "X509_LOOKUP_TYPE type"
.Fa "X509_NAME *name"
.Fc
.Ft STACK_OF(X509) *
.Fo X509_STORE_CTX_get1_certs
.Fa "X509_STORE_CTX *ctx"
.Fa "X509_NAME *name"
.Fc
.Ft STACK_OF(X509_CRL) *
.Fo X509_STORE_CTX_get1_crls
.Fa "X509_STORE_CTX *ctx"
.Fa "X509_NAME *name"
.Fc
.Ft int
.Fo X509_STORE_CTX_get1_issuer
.Fa "X509 **issuer"
.Fa "X509_STORE_CTX *ctx"
.Fa "X509 *certificate"
.Fc
.Ft int
.Fo X509_STORE_get_by_subject
.Fa "X509_STORE_CTX *ctx"
@ -57,12 +75,6 @@
.Fa "X509_STORE_CTX *ctx"
.Fa "X509_NAME *name"
.Fc
.Ft int
.Fo X509_STORE_CTX_get1_issuer
.Fa "X509 **issuer"
.Fa "X509_STORE_CTX *ctx"
.Fa "X509 *certificate"
.Fc
.Sh DESCRIPTION
.Fn X509_STORE_CTX_get_by_subject
retrieves the first object having a matching
@ -101,11 +113,7 @@ is empty is the responsibility of the caller.
.Fn X509_STORE_CTX_get_obj_by_subject
is similar except that a new object is allocated and returned.
.Pp
.Fn X509_STORE_get_by_subject
is a deprecated alias for
.Fn X509_STORE_CTX_get_by_subject .
.Pp
.Fn X509_STORE_get1_certs
.Fn X509_STORE_CTX_get1_certs
retrieves all certificates matching the subject
.Vt name
from the
@ -113,15 +121,15 @@ from the
associated with
.Fa ctx .
If there are none yet,
.Fn X509_STORE_get_by_subject
.Fn X509_STORE_CTX_get_by_subject
is called to try and add some.
In case of success, the reference counts of all certificates
added to the returned array are incremented by 1.
.Pp
.Fn X509_STORE_get1_crls
.Fn X509_STORE_CTX_get1_crls
is similar except that it operates on certificate revocation lists
rather than on certificates and that it always calls
.Fn X509_STORE_get_by_subject ,
.Fn X509_STORE_CTX_get_by_subject ,
even if the
.Vt X509_STORE
already contains a matching revocation list.
@ -138,7 +146,7 @@ associated with
Internally, the issuer name is retrieved with
.Xr X509_get_issuer_name 3
and the candidate issuer CA certificate with
.Fn X509_STORE_get_by_subject
.Fn X509_STORE_X509_get_by_subject
using that issuer name.
.Xr X509_check_issued 3
or a user-supplied replacement function is used to check whether the
@ -151,6 +159,13 @@ If verification parameters associated with
encourage checking of validity times, CAs with a valid time are
preferred, but if no matching CA has a valid time, one with an
invalid time is accepted anyway.
.Pp
The following are deprecated aliases:
.Bl -column X509_STORE_get_by_subject F X509_STORE_CTX_get_by_subject
.It Fn X509_STORE_get_by_subject Ta for Ta Fn X509_STORE_CTX_get_by_subject
.It Fn X509_STORE_get1_certs Ta for Ta Fn X509_STORE_CTX_get1_certs
.It Fn X509_STORE_get1_crls Ta for Ta Fn X509_STORE_CTX_get1_crls
.El
.Sh RETURN VALUES
.Fn X509_STORE_CTX_get_by_subject
and
@ -167,20 +182,24 @@ returns the new object or
.Dv NULL
on failure, in particular if no match is found or memory allocation fails.
.Pp
.Fn X509_STORE_CTX_get1_certs
and
.Fn X509_STORE_get1_certs
returns a newly allocated and populated array of certificates or
return a newly allocated and populated array of certificates or
.Dv NULL
on failure.
It fails if no match is found, if
.Fn X509_STORE_get_by_subject
They fail if no match is found, if
.Fn X509_STORE_CTX_get_by_subject
fails, or if memory allocation fails.
.Pp
.Fn X509_STORE_CTX_get1_crls
and
.Fn X509_STORE_get1_crls
returns a newly allocated and populated array of CRLs or
return a newly allocated and populated array of CRLs or
.Dv NULL
on failure.
It fails if
.Fn X509_STORE_get_by_subject
They fail if
.Fn X509_STORE_CTX_get_by_subject
finds no new match, even if the associated
.Vt X509_STORE
already contains matching CRLs, or if memory allocation fails.
@ -222,3 +241,9 @@ and
.Fn X509_STORE_CTX_get_obj_by_subject
first appeared in OpenSSL 1.1.0 and have been available since
.Ox 7.1 .
.Pp
.Fn X509_STORE_CTX_get1_certs
and
.Fn X509_STORE_CTX_get1_crls
first appeared in OpenSSL 1.1.0 and have been available since
.Ox 7.4 .

7
lib/libcrypto/man/a2d_ASN1_OBJECT.3
View file

@ -1,4 +1,4 @@
.\" $OpenBSD: a2d_ASN1_OBJECT.3,v 1.2 2022/01/01 02:06:07 jsg Exp $
.\" $OpenBSD: a2d_ASN1_OBJECT.3,v 1.3 2023/08/09 17:34:39 schwarze Exp $
.\"
.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
.\"
@ -14,13 +14,14 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: January 1 2022 $
.Dd $Mdocdate: August 9 2023 $
.Dt A2D_ASN1_OBJECT 3
.Os
.Sh NAME
.Nm a2d_ASN1_OBJECT
.Nd DER content octets of an ASN.1 object identifier
.Sh SYNOPSIS
.In openssl/asn1.h
.Ft int
.Fo a2d_ASN1_OBJECT
.Fa "unsigned char *der_out"
@ -55,7 +56,7 @@ If
.Fa der_out
is a
.Dv NULL
pointer, writing the content objects is skipped
pointer, writing the content octets is skipped
and only the return value is calculated.
.Sh RETURN VALUES
.Fn a2d_ASN1_OBJECT

70
lib/libcrypto/man/d2i_ASN1_OBJECT.3
View file

@ -1,6 +1,6 @@
.\" $OpenBSD: d2i_ASN1_OBJECT.3,v 1.13 2022/09/12 14:33:47 tb Exp $
.\" $OpenBSD: d2i_ASN1_OBJECT.3,v 1.14 2023/08/09 17:27:26 schwarze Exp $
.\"
.\" Copyright (c) 2017, 2022 Ingo Schwarze <schwarze@openbsd.org>
.\" Copyright (c) 2017, 2022, 2023 Ingo Schwarze <schwarze@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -14,12 +14,14 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: September 12 2022 $
.Dd $Mdocdate: August 9 2023 $
.Dt D2I_ASN1_OBJECT 3
.Os
.Sh NAME
.Nm d2i_ASN1_OBJECT ,
.Nm i2d_ASN1_OBJECT
.Nm i2d_ASN1_OBJECT ,
.Nm OBJ_get0_data ,
.Nm OBJ_length
.Nd decode and encode ASN.1 object identifiers
.Sh SYNOPSIS
.In openssl/asn1.h
@ -34,6 +36,11 @@
.Fa "const ASN1_OBJECT *val_in"
.Fa "unsigned char **der_out"
.Fc
.In openssl/objects.h
.Ft const unsigned char *
.Fn OBJ_get0_data "const ASN1_OBJECT *val_in"
.Ft size_t
.Fn OBJ_length "const ASN1_OBJECT *val_in"
.Sh DESCRIPTION
These functions decode and encode ASN.1 object identifiers.
For details about the semantics, examples, caveats, and bugs, see
@ -60,6 +67,16 @@ and the data contained in them are always marked as dynamically
allocated, so when they are no longer needed,
.Xr ASN1_OBJECT_free 3
can be called on them.
.Pp
.Fn i2d_ASN1_OBJECT
encodes the object identifier pointed to by
.Fa val_in
into DER format.
.Fn OBJ_get0_data
and
.Fn OBJ_length
only deal with the content octets of that DER encoding,
without taking the identifier and length octets into account.
.Sh RETURN VALUES
.Fn d2i_ASN1_OBJECT
returns a pointer to the new
@ -71,12 +88,38 @@ With other implementations, it might return a pointer to the reused
.Vt ASN1_OBJECT .
.Pp
.Fn i2d_ASN1_OBJECT
returns the number of bytes successfully encoded
returns the number of octets successfully encoded
or a value <= 0 if an error occurs.
.Pp
.Fn OBJ_get0_data
returns an internal pointer to the first content octet of the DER
encoding of
.Fa val_in .
The other content octets follow the returned pointer contiguously.
.Fn OBJ_length
returns the number of content octets contained in the DER encoding of
.Fa val_in .
This number is always smaller than the total length of the encoding
returned by
.Xr ASN1_object_size 3 .
.Pp
If
.Fa val_in
is a
.Dv NULL
pointer or points to an empty object, for example one freshly created with
.Xr ASN1_OBJECT_new 3 ,
.Fn OBJ_get0_data
returns
.Dv NULL
and
.Fn OBJ_length
returns zero.
.Sh SEE ALSO
.Xr a2d_ASN1_OBJECT 3 ,
.Xr ASN1_item_d2i 3 ,
.Xr ASN1_OBJECT_new 3 ,
.Xr ASN1_put_object 3 ,
.Xr OBJ_nid2obj 3
.Sh STANDARDS
ITU-T Recommendation X.690, also known as ISO/IEC 8825-1:
@ -90,6 +133,12 @@ and
.Fn i2d_ASN1_OBJECT
first appeared in SSLeay 0.5.1 and have been available since
.Ox 2.4 .
.Pp
.Fn OBJ_get0_data
and
.Fn OBJ_length
first appeared in OpenSSL 1.1.0 and have been available since
.Ox 7.1 .
.Sh CAVEATS
.Fn d2i_ASN1_OBJECT
never sets the long and short names of the object, not even if the
@ -102,3 +151,14 @@ on the returned object, and then
and
.Xr OBJ_nid2ln 3
on the result.
.Pp
Calling
.Fn OBJ_get0_data
and then accessing memory in front of the returned pointer
results in undefined behaviour.
In particular, it is not possible to find the identifier or
length octets in that way; use
.Xr ASN1_put_object 3
or
.Fn i2d_ASN1_OBJECT
instead.

34
lib/libcrypto/md32_common.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: md32_common.h,v 1.25 2023/05/27 18:33:34 jsing Exp $ */
/* $OpenBSD: md32_common.h,v 1.26 2023/08/10 07:15:23 jsing Exp $ */
/* ====================================================================
* Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
*
@ -307,35 +307,3 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c)
return 1;
}
#endif
#ifndef MD32_REG_T
#if defined(__alpha) || defined(__sparcv9) || defined(__mips)
#define MD32_REG_T long
/*
* This comment was originally written for MD5, which is why it
* discusses A-D. But it basically applies to all 32-bit digests,
* which is why it was moved to common header file.
*
* In case you wonder why A-D are declared as long and not
* as MD5_LONG. Doing so results in slight performance
* boost on LP64 architectures. The catch is we don't
* really care if 32 MSBs of a 64-bit register get polluted
* with eventual overflows as we *save* only 32 LSBs in
* *either* case. Now declaring 'em long excuses the compiler
* from keeping 32 MSBs zeroed resulting in 13% performance
* improvement under SPARC Solaris7/64 and 5% under AlphaLinux.
* Well, to be honest it should say that this *prevents*
* performance degradation.
* <appro@fy.chalmers.se>
*/
#else
/*
* Above is not absolute and there are LP64 compilers that
* generate better code if MD32_REG_T is defined int. The above
* pre-processor condition reflects the circumstances under which
* the conclusion was made and is subject to further extension.
* <appro@fy.chalmers.se>
*/
#define MD32_REG_T int
#endif
#endif

10
lib/libcrypto/md4/md4.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: md4.c,v 1.5 2023/07/28 11:04:41 jsing Exp $ */
/* $OpenBSD: md4.c,v 1.7 2023/08/10 13:41:56 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -57,11 +57,9 @@
*/
#include <stdio.h>
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/opensslconf.h>
#include <openssl/md4.h>
@ -146,8 +144,8 @@ void
md4_block_data_order(MD4_CTX *c, const void *data_, size_t num)
{
const unsigned char *data = data_;
unsigned MD32_REG_T A, B, C, D, l;
unsigned MD32_REG_T X0, X1, X2, X3, X4, X5, X6, X7,
unsigned int A, B, C, D, l;
unsigned int X0, X1, X2, X3, X4, X5, X6, X7,
X8, X9, X10, X11, X12, X13, X14, X15;
A = c->A;

165
lib/libcrypto/md5/md5.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: md5.c,v 1.6 2023/07/28 11:06:28 jsing Exp $ */
/* $OpenBSD: md5.c,v 1.13 2023/08/10 14:04:54 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -57,9 +57,6 @@
*/
#include <stdio.h>
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
#include <stdlib.h>
#include <string.h>
@ -90,19 +87,13 @@ __END_HIDDEN_DECLS
#define HASH_UPDATE MD5_Update
#define HASH_TRANSFORM MD5_Transform
#define HASH_FINAL MD5_Final
#define HASH_MAKE_STRING(c,s) do { \
unsigned long ll; \
ll=(c)->A; HOST_l2c(ll,(s)); \
ll=(c)->B; HOST_l2c(ll,(s)); \
ll=(c)->C; HOST_l2c(ll,(s)); \
ll=(c)->D; HOST_l2c(ll,(s)); \
} while (0)
#define HASH_BLOCK_DATA_ORDER md5_block_data_order
#define HASH_NO_UPDATE
#define HASH_NO_TRANSFORM
#define HASH_NO_FINAL
#include "md32_common.h"
LCRYPTO_ALIAS(MD5_Update);
LCRYPTO_ALIAS(MD5_Transform);
LCRYPTO_ALIAS(MD5_Final);
/*
#define F(x,y,z) (((x) & (y)) | ((~(x)) & (z)))
@ -141,33 +132,13 @@ LCRYPTO_ALIAS(MD5_Final);
/* Implemented from RFC1321 The MD5 Message-Digest Algorithm
*/
#define INIT_DATA_A (unsigned long)0x67452301L
#define INIT_DATA_B (unsigned long)0xefcdab89L
#define INIT_DATA_C (unsigned long)0x98badcfeL
#define INIT_DATA_D (unsigned long)0x10325476L
int
MD5_Init(MD5_CTX *c)
{
memset (c, 0, sizeof(*c));
c->A = INIT_DATA_A;
c->B = INIT_DATA_B;
c->C = INIT_DATA_C;
c->D = INIT_DATA_D;
return 1;
}
LCRYPTO_ALIAS(MD5_Init);
#ifndef md5_block_data_order
#ifdef X
#undef X
#endif
void
md5_block_data_order(MD5_CTX *c, const void *data_, size_t num)
{
const unsigned char *data = data_;
unsigned MD32_REG_T A, B, C, D, l;
unsigned MD32_REG_T X0, X1, X2, X3, X4, X5, X6, X7,
unsigned int A, B, C, D, l;
unsigned int X0, X1, X2, X3, X4, X5, X6, X7,
X8, X9, X10, X11, X12, X13, X14, X15;
A = c->A;
@ -285,6 +256,128 @@ md5_block_data_order(MD5_CTX *c, const void *data_, size_t num)
}
#endif
#define INIT_DATA_A (unsigned long)0x67452301L
#define INIT_DATA_B (unsigned long)0xefcdab89L
#define INIT_DATA_C (unsigned long)0x98badcfeL
#define INIT_DATA_D (unsigned long)0x10325476L
int
MD5_Init(MD5_CTX *c)
{
memset (c, 0, sizeof(*c));
c->A = INIT_DATA_A;
c->B = INIT_DATA_B;
c->C = INIT_DATA_C;
c->D = INIT_DATA_D;
return 1;
}
LCRYPTO_ALIAS(MD5_Init);
int
MD5_Update(MD5_CTX *c, const void *data_, size_t len)
{
const unsigned char *data = data_;
unsigned char *p;
MD5_LONG l;
size_t n;
if (len == 0)
return 1;
l = (c->Nl + (((MD5_LONG)len) << 3))&0xffffffffUL;
/* 95-05-24 eay Fixed a bug with the overflow handling, thanks to
* Wei Dai <weidai@eskimo.com> for pointing it out. */
if (l < c->Nl) /* overflow */
c->Nh++;
c->Nh+=(MD5_LONG)(len>>29); /* might cause compiler warning on 16-bit */
c->Nl = l;
n = c->num;
if (n != 0) {
p = (unsigned char *)c->data;
if (len >= MD5_CBLOCK || len + n >= MD5_CBLOCK) {
memcpy(p + n, data, MD5_CBLOCK - n);
md5_block_data_order(c, p, 1);
n = MD5_CBLOCK - n;
data += n;
len -= n;
c->num = 0;
memset(p, 0, MD5_CBLOCK); /* keep it zeroed */
} else {
memcpy(p + n, data, len);
c->num += (unsigned int)len;
return 1;
}
}
n = len/MD5_CBLOCK;
if (n > 0) {
md5_block_data_order (c, data, n);
n *= MD5_CBLOCK;
data += n;
len -= n;
}
if (len != 0) {
p = (unsigned char *)c->data;
c->num = (unsigned int)len;
memcpy (p, data, len);
}
return 1;
}
LCRYPTO_ALIAS(MD5_Update);
void
MD5_Transform(MD5_CTX *c, const unsigned char *data)
{
md5_block_data_order(c, data, 1);
}
LCRYPTO_ALIAS(MD5_Transform);
int
MD5_Final(unsigned char *md, MD5_CTX *c)
{
unsigned char *p = (unsigned char *)c->data;
unsigned long ll;
size_t n = c->num;
p[n] = 0x80; /* there is always room for one */
n++;
if (n > (MD5_CBLOCK - 8)) {
memset(p + n, 0, MD5_CBLOCK - n);
n = 0;
md5_block_data_order(c, p, 1);
}
memset(p + n, 0, MD5_CBLOCK - 8 - n);
p += MD5_CBLOCK - 8;
#if defined(DATA_ORDER_IS_BIG_ENDIAN)
HOST_l2c(c->Nh, p);
HOST_l2c(c->Nl, p);
#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
HOST_l2c(c->Nl, p);
HOST_l2c(c->Nh, p);
#endif
p -= MD5_CBLOCK;
md5_block_data_order(c, p, 1);
c->num = 0;
memset(p, 0, MD5_CBLOCK);
ll = c->A;
HOST_l2c(ll, md);
ll = c->B;
HOST_l2c(ll, md);
ll = c->C;
HOST_l2c(ll, md);
ll = c->D;
HOST_l2c(ll, md);
return 1;
}
LCRYPTO_ALIAS(MD5_Final);
unsigned char *
MD5(const unsigned char *d, size_t n, unsigned char *md)
{

373
lib/libcrypto/modes/gcm128.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: gcm128.c,v 1.25 2023/07/08 14:56:54 beck Exp $ */
/* $OpenBSD: gcm128.c,v 1.26 2023/08/10 07:18:43 jsing Exp $ */
/* ====================================================================
* Copyright (c) 2010 The OpenSSL Project. All rights reserved.
*
@ -64,8 +64,6 @@
/* redefine, because alignment is ensured */
#undef GETU32
#define GETU32(p) BSWAP4(*(const u32 *)(p))
#undef PUTU32
#define PUTU32(p,v) *(u32 *)(p) = BSWAP4(v)
#endif
#define PACK(s) ((size_t)(s)<<(sizeof(size_t)*8-16))
@ -234,26 +232,8 @@ gcm_gmult_8bit(u64 Xi[2], const u128 Htable[256])
#endif
}
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP8
Xi[0] = BSWAP8(Z.hi);
Xi[1] = BSWAP8(Z.lo);
#else
u8 *p = (u8 *)Xi;
u32 v;
v = (u32)(Z.hi >> 32);
PUTU32(p, v);
v = (u32)(Z.hi);
PUTU32(p + 4, v);
v = (u32)(Z.lo >> 32);
PUTU32(p + 8, v);
v = (u32)(Z.lo);
PUTU32(p + 12, v);
#endif
#else /* BIG_ENDIAN */
Xi[0] = Z.hi;
Xi[1] = Z.lo;
#endif
Xi[0] = htobe64(Z.hi);
Xi[1] = htobe64(Z.lo);
}
#define GCM_MUL(ctx,Xi) gcm_gmult_8bit(ctx->Xi.u,ctx->Htable)
@ -389,26 +369,8 @@ gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16])
Z.lo ^= Htable[nlo].lo;
}
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP8
Xi[0] = BSWAP8(Z.hi);
Xi[1] = BSWAP8(Z.lo);
#else
u8 *p = (u8 *)Xi;
u32 v;
v = (u32)(Z.hi >> 32);
PUTU32(p, v);
v = (u32)(Z.hi);
PUTU32(p + 4, v);
v = (u32)(Z.lo >> 32);
PUTU32(p + 8, v);
v = (u32)(Z.lo);
PUTU32(p + 12, v);
#endif
#else /* BIG_ENDIAN */
Xi[0] = Z.hi;
Xi[1] = Z.lo;
#endif
Xi[0] = htobe64(Z.hi);
Xi[1] = htobe64(Z.lo);
}
#if !defined(OPENSSL_SMALL_FOOTPRINT)
@ -563,26 +525,8 @@ gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16],
Z.hi ^= ((u64)rem_8bit[rem << 4]) << 48;
#endif
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP8
Xi[0] = BSWAP8(Z.hi);
Xi[1] = BSWAP8(Z.lo);
#else
u8 *p = (u8 *)Xi;
u32 v;
v = (u32)(Z.hi >> 32);
PUTU32(p, v);
v = (u32)(Z.hi);
PUTU32(p + 4, v);
v = (u32)(Z.lo >> 32);
PUTU32(p + 8, v);
v = (u32)(Z.lo);
PUTU32(p + 12, v);
#endif
#else /* BIG_ENDIAN */
Xi[0] = Z.hi;
Xi[1] = Z.lo;
#endif
Xi[0] = htobe64(Z.hi);
Xi[1] = htobe64(Z.lo);
} while (inp += 16, len -= 16);
}
#endif
@ -640,26 +584,8 @@ gcm_gmult_1bit(u64 Xi[2], const u64 H[2])
}
}
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP8
Xi[0] = BSWAP8(Z.hi);
Xi[1] = BSWAP8(Z.lo);
#else
u8 *p = (u8 *)Xi;
u32 v;
v = (u32)(Z.hi >> 32);
PUTU32(p, v);
v = (u32)(Z.hi);
PUTU32(p + 4, v);
v = (u32)(Z.lo >> 32);
PUTU32(p + 8, v);
v = (u32)(Z.lo);
PUTU32(p + 12, v);
#endif
#else /* BIG_ENDIAN */
Xi[0] = Z.hi;
Xi[1] = Z.lo;
#endif
Xi[0] = htobe64(Z.hi);
Xi[1] = htobe64(Z.lo);
}
#define GCM_MUL(ctx,Xi) gcm_gmult_1bit(ctx->Xi.u,ctx->H.u)
@ -724,20 +650,9 @@ CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block)
(*block)(ctx->H.c, ctx->H.c, key);
#if BYTE_ORDER == LITTLE_ENDIAN
/* H is stored in host byte order */
#ifdef BSWAP8
ctx->H.u[0] = BSWAP8(ctx->H.u[0]);
ctx->H.u[1] = BSWAP8(ctx->H.u[1]);
#else
u8 *p = ctx->H.c;
u64 hi, lo;
hi = (u64)GETU32(p) << 32|GETU32(p + 4);
lo = (u64)GETU32(p + 8) << 32|GETU32(p + 12);
ctx->H.u[0] = hi;
ctx->H.u[1] = lo;
#endif
#endif
ctx->H.u[0] = be64toh(ctx->H.u[0]);
ctx->H.u[1] = be64toh(ctx->H.u[1]);
#if TABLE_BITS==8
gcm_init_8bit(ctx->Htable, ctx->H.u);
@ -824,47 +739,16 @@ CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const unsigned char *iv, size_t len)
GCM_MUL(ctx, Yi);
}
len0 <<= 3;
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP8
ctx->Yi.u[1] ^= BSWAP8(len0);
#else
ctx->Yi.c[8] ^= (u8)(len0 >> 56);
ctx->Yi.c[9] ^= (u8)(len0 >> 48);
ctx->Yi.c[10] ^= (u8)(len0 >> 40);
ctx->Yi.c[11] ^= (u8)(len0 >> 32);
ctx->Yi.c[12] ^= (u8)(len0 >> 24);
ctx->Yi.c[13] ^= (u8)(len0 >> 16);
ctx->Yi.c[14] ^= (u8)(len0 >> 8);
ctx->Yi.c[15] ^= (u8)(len0);
#endif
#else /* BIG_ENDIAN */
ctx->Yi.u[1] ^= len0;
#endif
ctx->Yi.u[1] ^= htobe64(len0);
GCM_MUL(ctx, Yi);
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctr = BSWAP4(ctx->Yi.d[3]);
#else
ctr = GETU32(ctx->Yi.c + 12);
#endif
#else /* BIG_ENDIAN */
ctr = ctx->Yi.d[3];
#endif
ctr = be32toh(ctx->Yi.d[3]);
}
(*ctx->block)(ctx->Yi.c, ctx->EK0.c, ctx->key);
++ctr;
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c + 12, ctr);
#endif
#else /* BIG_ENDIAN */
ctx->Yi.d[3] = ctr;
#endif
ctx->Yi.d[3] = htobe32(ctr);
}
LCRYPTO_ALIAS(CRYPTO_gcm128_setiv);
@ -960,15 +844,7 @@ CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
ctx->ares = 0;
}
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctr = BSWAP4(ctx->Yi.d[3]);
#else
ctr = GETU32(ctx->Yi.c + 12);
#endif
#else /* BIG_ENDIAN */
ctr = ctx->Yi.d[3];
#endif
ctr = be32toh(ctx->Yi.d[3]);
n = ctx->mres;
#if !defined(OPENSSL_SMALL_FOOTPRINT)
@ -1002,15 +878,8 @@ CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c + 12, ctr);
#endif
#else /* BIG_ENDIAN */
ctx->Yi.d[3] = ctr;
#endif
ctx->Yi.d[3] = htobe32(ctr);
for (i = 0; i < 16/sizeof(size_t); ++i)
out_t[i] = in_t[i] ^
ctx->EKi.t[i];
@ -1030,15 +899,8 @@ CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c + 12, ctr);
#endif
#else /* BIG_ENDIAN */
ctx->Yi.d[3] = ctr;
#endif
ctx->Yi.d[3] = htobe32(ctr);
for (i = 0; i < 16/sizeof(size_t); ++i)
out_t[i] = in_t[i] ^
ctx->EKi.t[i];
@ -1055,15 +917,8 @@ CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c + 12, ctr);
#endif
#else /* BIG_ENDIAN */
ctx->Yi.d[3] = ctr;
#endif
ctx->Yi.d[3] = htobe32(ctr);
for (i = 0; i < 16/sizeof(size_t); ++i)
ctx->Xi.t[i] ^=
out_t[i] = in_t[i] ^ ctx->EKi.t[i];
@ -1076,15 +931,8 @@ CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
if (len) {
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c + 12, ctr);
#endif
#else /* BIG_ENDIAN */
ctx->Yi.d[3] = ctr;
#endif
ctx->Yi.d[3] = htobe32(ctr);
while (len--) {
ctx->Xi.c[n] ^= out[n] = in[n] ^
ctx->EKi.c[n];
@ -1100,15 +948,7 @@ CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
if (n == 0) {
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c + 12, ctr);
#endif
#else /* BIG_ENDIAN */
ctx->Yi.d[3] = ctr;
#endif
ctx->Yi.d[3] = htobe32(ctr);
}
ctx->Xi.c[n] ^= out[i] = in[i] ^ ctx->EKi.c[n];
n = (n + 1) % 16;
@ -1150,15 +990,7 @@ CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
ctx->ares = 0;
}
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctr = BSWAP4(ctx->Yi.d[3]);
#else
ctr = GETU32(ctx->Yi.c + 12);
#endif
#else /* BIG_ENDIAN */
ctr = ctx->Yi.d[3];
#endif
ctr = be32toh(ctx->Yi.d[3]);
n = ctx->mres;
#if !defined(OPENSSL_SMALL_FOOTPRINT)
@ -1194,15 +1026,8 @@ CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c + 12, ctr);
#endif
#else /* BIG_ENDIAN */
ctx->Yi.d[3] = ctr;
#endif
ctx->Yi.d[3] = htobe32(ctr);
for (i = 0; i < 16/sizeof(size_t); ++i)
out_t[i] = in_t[i] ^
ctx->EKi.t[i];
@ -1220,15 +1045,8 @@ CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c + 12, ctr);
#endif
#else /* BIG_ENDIAN */
ctx->Yi.d[3] = ctr;
#endif
ctx->Yi.d[3] = htobe32(ctr);
for (i = 0; i < 16/sizeof(size_t); ++i)
out_t[i] = in_t[i] ^
ctx->EKi.t[i];
@ -1244,15 +1062,8 @@ CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c + 12, ctr);
#endif
#else /* BIG_ENDIAN */
ctx->Yi.d[3] = ctr;
#endif
ctx->Yi.d[3] = htobe32(ctr);
for (i = 0; i < 16/sizeof(size_t); ++i) {
size_t c = in[i];
out[i] = c ^ ctx->EKi.t[i];
@ -1267,15 +1078,8 @@ CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
if (len) {
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c + 12, ctr);
#endif
#else /* BIG_ENDIAN */
ctx->Yi.d[3] = ctr;
#endif
ctx->Yi.d[3] = htobe32(ctr);
while (len--) {
u8 c = in[n];
ctx->Xi.c[n] ^= c;
@ -1293,15 +1097,7 @@ CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
if (n == 0) {
(*block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c + 12, ctr);
#endif
#else /* BIG_ENDIAN */
ctx->Yi.d[3] = ctr;
#endif
ctx->Yi.d[3] = htobe32(ctr);
}
c = in[i];
out[i] = c ^ ctx->EKi.c[n];
@ -1344,15 +1140,7 @@ CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
ctx->ares = 0;
}
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctr = BSWAP4(ctx->Yi.d[3]);
#else
ctr = GETU32(ctx->Yi.c + 12);
#endif
#else /* BIG_ENDIAN */
ctr = ctx->Yi.d[3];
#endif
ctr = be32toh(ctx->Yi.d[3]);
n = ctx->mres;
if (n) {
@ -1372,15 +1160,7 @@ CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
while (len >= GHASH_CHUNK) {
(*stream)(in, out, GHASH_CHUNK/16, key, ctx->Yi.c);
ctr += GHASH_CHUNK/16;
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c + 12, ctr);
#endif
#else /* BIG_ENDIAN */
ctx->Yi.d[3] = ctr;
#endif
ctx->Yi.d[3] = htobe32(ctr);
GHASH(ctx, out, GHASH_CHUNK);
out += GHASH_CHUNK;
in += GHASH_CHUNK;
@ -1392,15 +1172,7 @@ CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
(*stream)(in, out, j, key, ctx->Yi.c);
ctr += (unsigned int)j;
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c + 12, ctr);
#endif
#else /* BIG_ENDIAN */
ctx->Yi.d[3] = ctr;
#endif
ctx->Yi.d[3] = htobe32(ctr);
in += i;
len -= i;
#if defined(GHASH)
@ -1418,15 +1190,7 @@ CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
if (len) {
(*ctx->block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c + 12, ctr);
#endif
#else /* BIG_ENDIAN */
ctx->Yi.d[3] = ctr;
#endif
ctx->Yi.d[3] = htobe32(ctr);
while (len--) {
ctx->Xi.c[n] ^= out[n] = in[n] ^ ctx->EKi.c[n];
++n;
@ -1466,15 +1230,7 @@ CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
ctx->ares = 0;
}
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctr = BSWAP4(ctx->Yi.d[3]);
#else
ctr = GETU32(ctx->Yi.c + 12);
#endif
#else /* BIG_ENDIAN */
ctr = ctx->Yi.d[3];
#endif
ctr = be32toh(ctx->Yi.d[3]);
n = ctx->mres;
if (n) {
@ -1497,15 +1253,7 @@ CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
GHASH(ctx, in, GHASH_CHUNK);
(*stream)(in, out, GHASH_CHUNK/16, key, ctx->Yi.c);
ctr += GHASH_CHUNK/16;
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c + 12, ctr);
#endif
#else /* BIG_ENDIAN */
ctx->Yi.d[3] = ctr;
#endif
ctx->Yi.d[3] = htobe32(ctr);
out += GHASH_CHUNK;
in += GHASH_CHUNK;
len -= GHASH_CHUNK;
@ -1529,15 +1277,7 @@ CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
#endif
(*stream)(in, out, j, key, ctx->Yi.c);
ctr += (unsigned int)j;
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c + 12, ctr);
#endif
#else /* BIG_ENDIAN */
ctx->Yi.d[3] = ctr;
#endif
ctx->Yi.d[3] = htobe32(ctr);
out += i;
in += i;
len -= i;
@ -1545,15 +1285,7 @@ CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
if (len) {
(*ctx->block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c + 12, ctr);
#endif
#else /* BIG_ENDIAN */
ctx->Yi.d[3] = ctr;
#endif
ctx->Yi.d[3] = htobe32(ctr);
while (len--) {
u8 c = in[n];
ctx->Xi.c[n] ^= c;
@ -1580,25 +1312,8 @@ CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const unsigned char *tag,
if (ctx->mres || ctx->ares)
GCM_MUL(ctx, Xi);
#if BYTE_ORDER == LITTLE_ENDIAN
#ifdef BSWAP8
alen = BSWAP8(alen);
clen = BSWAP8(clen);
#else
{
u8 *p = ctx->len.c;
ctx->len.u[0] = alen;
ctx->len.u[1] = clen;
alen = (u64)GETU32(p) << 32|GETU32(p + 4);
clen = (u64)GETU32(p + 8) << 32|GETU32(p + 12);
}
#endif
#endif
ctx->Xi.u[0] ^= alen;
ctx->Xi.u[1] ^= clen;
ctx->Xi.u[0] ^= htobe64(alen);
ctx->Xi.u[1] ^= htobe64(clen);
GCM_MUL(ctx, Xi);
ctx->Xi.u[0] ^= ctx->EK0.u[0];

9
lib/libcrypto/ossl_typ.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ossl_typ.h,v 1.28 2023/07/28 10:21:01 tb Exp $ */
/* $OpenBSD: ossl_typ.h,v 1.30 2023/08/11 05:10:35 tb Exp $ */
/* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
*
@ -99,8 +99,8 @@ typedef struct comp_method_st COMP_METHOD;
typedef struct evp_cipher_st EVP_CIPHER;
typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;
typedef struct env_md_st EVP_MD;
typedef struct env_md_ctx_st EVP_MD_CTX;
typedef struct evp_md_st EVP_MD;
typedef struct evp_md_ctx_st EVP_MD_CTX;
typedef struct evp_pkey_st EVP_PKEY;
typedef struct evp_pkey_asn1_method_st EVP_PKEY_ASN1_METHOD;
@ -118,6 +118,9 @@ typedef struct dh_method DH_METHOD;
typedef struct dsa_st DSA;
typedef struct dsa_method DSA_METHOD;
typedef struct ec_key_st EC_KEY;
typedef struct ec_key_method_st EC_KEY_METHOD;
typedef struct rsa_st RSA;
typedef struct rsa_meth_st RSA_METHOD;
typedef struct rsa_pss_params_st RSA_PSS_PARAMS;

395
lib/libcrypto/ripemd/ripemd.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ripemd.c,v 1.1 2023/07/28 11:08:01 jsing Exp $ */
/* $OpenBSD: ripemd.c,v 1.7 2023/08/10 12:27:35 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -125,30 +125,40 @@ __END_HIDDEN_DECLS
#define RIPEMD160_D 0x10325476L
#define RIPEMD160_E 0xC3D2E1F0L
#include "rmdconst.h"
#define KL0 0x00000000L
#define KL1 0x5A827999L
#define KL2 0x6ED9EBA1L
#define KL3 0x8F1BBCDCL
#define KL4 0xA953FD4EL
#define KR0 0x50A28BE6L
#define KR1 0x5C4DD124L
#define KR2 0x6D703EF3L
#define KR3 0x7A6D76E9L
#define KR4 0x00000000L
#define RIP1(a,b,c,d,e,w,s) { \
a+=F1(b,c,d)+X(w); \
a+=F1(b,c,d)+w; \
a=ROTATE(a,s)+e; \
c=ROTATE(c,10); }
#define RIP2(a,b,c,d,e,w,s,K) { \
a+=F2(b,c,d)+X(w)+K; \
a+=F2(b,c,d)+w+K; \
a=ROTATE(a,s)+e; \
c=ROTATE(c,10); }
#define RIP3(a,b,c,d,e,w,s,K) { \
a+=F3(b,c,d)+X(w)+K; \
a+=F3(b,c,d)+w+K; \
a=ROTATE(a,s)+e; \
c=ROTATE(c,10); }
#define RIP4(a,b,c,d,e,w,s,K) { \
a+=F4(b,c,d)+X(w)+K; \
a+=F4(b,c,d)+w+K; \
a=ROTATE(a,s)+e; \
c=ROTATE(c,10); }
#define RIP5(a,b,c,d,e,w,s,K) { \
a+=F5(b,c,d)+X(w)+K; \
a+=F5(b,c,d)+w+K; \
a=ROTATE(a,s)+e; \
c=ROTATE(c,10); }
@ -172,24 +182,14 @@ RIPEMD160_Init(RIPEMD160_CTX *c)
}
#ifndef ripemd160_block_data_order
#ifdef X
#undef X
#endif
void
ripemd160_block_data_order(RIPEMD160_CTX *ctx, const void *p, size_t num)
{
const unsigned char *data = p;
unsigned MD32_REG_T A, B,C, D, E;
unsigned MD32_REG_T a, b,c, d,e, l;
#ifndef MD32_XARRAY
/* See comment in crypto/sha/sha_locl.h for details. */
unsigned MD32_REG_T XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
XX8, XX9, XX10, XX11, XX12, XX13, XX14, XX15;
# define X(i) XX##i
#else
RIPEMD160_LONG XX[16];
# define X(i) XX[i]
#endif
unsigned int A, B, C, D, E;
unsigned int a, b, c, d, e, l;
unsigned int X0, X1, X2, X3, X4, X5, X6, X7,
X8, X9, X10, X11, X12, X13, X14, X15;
for (; num--; ) {
@ -200,120 +200,121 @@ ripemd160_block_data_order(RIPEMD160_CTX *ctx, const void *p, size_t num)
E = ctx->E;
HOST_c2l(data, l);
X( 0) = l;HOST_c2l(data, l);
X( 1) = l;
RIP1(A, B,C, D,E, WL00, SL00);
X0 = l;
HOST_c2l(data, l);
X( 2) = l;
RIP1(E, A,B, C,D, WL01, SL01);
X1 = l;
RIP1(A, B, C, D, E, X0, 11);
HOST_c2l(data, l);
X( 3) = l;
RIP1(D, E,A, B,C, WL02, SL02);
X2 = l;
RIP1(E, A, B, C, D, X1, 14);
HOST_c2l(data, l);
X( 4) = l;
RIP1(C, D,E, A,B, WL03, SL03);
X3 = l;
RIP1(D, E, A, B, C, X2, 15);
HOST_c2l(data, l);
X( 5) = l;
RIP1(B, C,D, E,A, WL04, SL04);
X4 = l;
RIP1(C, D, E, A, B, X3, 12);
HOST_c2l(data, l);
X( 6) = l;
RIP1(A, B,C, D,E, WL05, SL05);
X5 = l;
RIP1(B, C, D, E, A, X4, 5);
HOST_c2l(data, l);
X( 7) = l;
RIP1(E, A,B, C,D, WL06, SL06);
X6 = l;
RIP1(A, B, C, D, E, X5, 8);
HOST_c2l(data, l);
X( 8) = l;
RIP1(D, E,A, B,C, WL07, SL07);
X7 = l;
RIP1(E, A, B, C, D, X6, 7);
HOST_c2l(data, l);
X( 9) = l;
RIP1(C, D,E, A,B, WL08, SL08);
X8 = l;
RIP1(D, E, A, B, C, X7, 9);
HOST_c2l(data, l);
X(10) = l;
RIP1(B, C,D, E,A, WL09, SL09);
X9 = l;
RIP1(C, D, E, A, B, X8, 11);
HOST_c2l(data, l);
X(11) = l;
RIP1(A, B,C, D,E, WL10, SL10);
X10 = l;
RIP1(B, C, D, E, A, X9, 13);
HOST_c2l(data, l);
X(12) = l;
RIP1(E, A,B, C,D, WL11, SL11);
X11 = l;
RIP1(A, B, C, D, E, X10, 14);
HOST_c2l(data, l);
X(13) = l;
RIP1(D, E,A, B,C, WL12, SL12);
X12 = l;
RIP1(E, A, B, C, D, X11, 15);
HOST_c2l(data, l);
X(14) = l;
RIP1(C, D,E, A,B, WL13, SL13);
X13 = l;
RIP1(D, E, A, B, C, X12, 6);
HOST_c2l(data, l);
X(15) = l;
RIP1(B, C,D, E,A, WL14, SL14);
RIP1(A, B,C, D,E, WL15, SL15);
X14 = l;
RIP1(C, D, E, A, B, X13, 7);
HOST_c2l(data, l);
X15 = l;
RIP1(B, C, D, E, A, X14, 9);
RIP1(A, B, C, D, E, X15, 8);
RIP2(E, A,B, C,D, WL16, SL16, KL1);
RIP2(D, E,A, B,C, WL17, SL17, KL1);
RIP2(C, D,E, A,B, WL18, SL18, KL1);
RIP2(B, C,D, E,A, WL19, SL19, KL1);
RIP2(A, B,C, D,E, WL20, SL20, KL1);
RIP2(E, A,B, C,D, WL21, SL21, KL1);
RIP2(D, E,A, B,C, WL22, SL22, KL1);
RIP2(C, D,E, A,B, WL23, SL23, KL1);
RIP2(B, C,D, E,A, WL24, SL24, KL1);
RIP2(A, B,C, D,E, WL25, SL25, KL1);
RIP2(E, A,B, C,D, WL26, SL26, KL1);
RIP2(D, E,A, B,C, WL27, SL27, KL1);
RIP2(C, D,E, A,B, WL28, SL28, KL1);
RIP2(B, C,D, E,A, WL29, SL29, KL1);
RIP2(A, B,C, D,E, WL30, SL30, KL1);
RIP2(E, A,B, C,D, WL31, SL31, KL1);
RIP2(E, A, B, C, D, X7, 7, KL1);
RIP2(D, E, A, B, C, X4, 6, KL1);
RIP2(C, D, E, A, B, X13, 8, KL1);
RIP2(B, C, D, E, A, X1, 13, KL1);
RIP2(A, B, C, D, E, X10, 11, KL1);
RIP2(E, A, B, C, D, X6, 9, KL1);
RIP2(D, E, A, B, C, X15, 7, KL1);
RIP2(C, D, E, A, B, X3, 15, KL1);
RIP2(B, C, D, E, A, X12, 7, KL1);
RIP2(A, B, C, D, E, X0, 12, KL1);
RIP2(E, A, B, C, D, X9, 15, KL1);
RIP2(D, E, A, B, C, X5, 9, KL1);
RIP2(C, D, E, A, B, X2, 11, KL1);
RIP2(B, C, D, E, A, X14, 7, KL1);
RIP2(A, B, C, D, E, X11, 13, KL1);
RIP2(E, A, B, C, D, X8, 12, KL1);
RIP3(D, E,A, B,C, WL32, SL32, KL2);
RIP3(C, D,E, A,B, WL33, SL33, KL2);
RIP3(B, C,D, E,A, WL34, SL34, KL2);
RIP3(A, B,C, D,E, WL35, SL35, KL2);
RIP3(E, A,B, C,D, WL36, SL36, KL2);
RIP3(D, E,A, B,C, WL37, SL37, KL2);
RIP3(C, D,E, A,B, WL38, SL38, KL2);
RIP3(B, C,D, E,A, WL39, SL39, KL2);
RIP3(A, B,C, D,E, WL40, SL40, KL2);
RIP3(E, A,B, C,D, WL41, SL41, KL2);
RIP3(D, E,A, B,C, WL42, SL42, KL2);
RIP3(C, D,E, A,B, WL43, SL43, KL2);
RIP3(B, C,D, E,A, WL44, SL44, KL2);
RIP3(A, B,C, D,E, WL45, SL45, KL2);
RIP3(E, A,B, C,D, WL46, SL46, KL2);
RIP3(D, E,A, B,C, WL47, SL47, KL2);
RIP3(D, E, A, B, C, X3, 11, KL2);
RIP3(C, D, E, A, B, X10, 13, KL2);
RIP3(B, C, D, E, A, X14, 6, KL2);
RIP3(A, B, C, D, E, X4, 7, KL2);
RIP3(E, A, B, C, D, X9, 14, KL2);
RIP3(D, E, A, B, C, X15, 9, KL2);
RIP3(C, D, E, A, B, X8, 13, KL2);
RIP3(B, C, D, E, A, X1, 15, KL2);
RIP3(A, B, C, D, E, X2, 14, KL2);
RIP3(E, A, B, C, D, X7, 8, KL2);
RIP3(D, E, A, B, C, X0, 13, KL2);
RIP3(C, D, E, A, B, X6, 6, KL2);
RIP3(B, C, D, E, A, X13, 5, KL2);
RIP3(A, B, C, D, E, X11, 12, KL2);
RIP3(E, A, B, C, D, X5, 7, KL2);
RIP3(D, E, A, B, C, X12, 5, KL2);
RIP4(C, D,E, A,B, WL48, SL48, KL3);
RIP4(B, C,D, E,A, WL49, SL49, KL3);
RIP4(A, B,C, D,E, WL50, SL50, KL3);
RIP4(E, A,B, C,D, WL51, SL51, KL3);
RIP4(D, E,A, B,C, WL52, SL52, KL3);
RIP4(C, D,E, A,B, WL53, SL53, KL3);
RIP4(B, C,D, E,A, WL54, SL54, KL3);
RIP4(A, B,C, D,E, WL55, SL55, KL3);
RIP4(E, A,B, C,D, WL56, SL56, KL3);
RIP4(D, E,A, B,C, WL57, SL57, KL3);
RIP4(C, D,E, A,B, WL58, SL58, KL3);
RIP4(B, C,D, E,A, WL59, SL59, KL3);
RIP4(A, B,C, D,E, WL60, SL60, KL3);
RIP4(E, A,B, C,D, WL61, SL61, KL3);
RIP4(D, E,A, B,C, WL62, SL62, KL3);
RIP4(C, D,E, A,B, WL63, SL63, KL3);
RIP4(C, D, E, A, B, X1, 11, KL3);
RIP4(B, C, D, E, A, X9, 12, KL3);
RIP4(A, B, C, D, E, X11, 14, KL3);
RIP4(E, A, B, C, D, X10, 15, KL3);
RIP4(D, E, A, B, C, X0, 14, KL3);
RIP4(C, D, E, A, B, X8, 15, KL3);
RIP4(B, C, D, E, A, X12, 9, KL3);
RIP4(A, B, C, D, E, X4, 8, KL3);
RIP4(E, A, B, C, D, X13, 9, KL3);
RIP4(D, E, A, B, C, X3, 14, KL3);
RIP4(C, D, E, A, B, X7, 5, KL3);
RIP4(B, C, D, E, A, X15, 6, KL3);
RIP4(A, B, C, D, E, X14, 8, KL3);
RIP4(E, A, B, C, D, X5, 6, KL3);
RIP4(D, E, A, B, C, X6, 5, KL3);
RIP4(C, D, E, A, B, X2, 12, KL3);
RIP5(B, C,D, E,A, WL64, SL64, KL4);
RIP5(A, B,C, D,E, WL65, SL65, KL4);
RIP5(E, A,B, C,D, WL66, SL66, KL4);
RIP5(D, E,A, B,C, WL67, SL67, KL4);
RIP5(C, D,E, A,B, WL68, SL68, KL4);
RIP5(B, C,D, E,A, WL69, SL69, KL4);
RIP5(A, B,C, D,E, WL70, SL70, KL4);
RIP5(E, A,B, C,D, WL71, SL71, KL4);
RIP5(D, E,A, B,C, WL72, SL72, KL4);
RIP5(C, D,E, A,B, WL73, SL73, KL4);
RIP5(B, C,D, E,A, WL74, SL74, KL4);
RIP5(A, B,C, D,E, WL75, SL75, KL4);
RIP5(E, A,B, C,D, WL76, SL76, KL4);
RIP5(D, E,A, B,C, WL77, SL77, KL4);
RIP5(C, D,E, A,B, WL78, SL78, KL4);
RIP5(B, C,D, E,A, WL79, SL79, KL4);
RIP5(B, C, D, E, A, X4, 9, KL4);
RIP5(A, B, C, D, E, X0, 15, KL4);
RIP5(E, A, B, C, D, X5, 5, KL4);
RIP5(D, E, A, B, C, X9, 11, KL4);
RIP5(C, D, E, A, B, X7, 6, KL4);
RIP5(B, C, D, E, A, X12, 8, KL4);
RIP5(A, B, C, D, E, X2, 13, KL4);
RIP5(E, A, B, C, D, X10, 12, KL4);
RIP5(D, E, A, B, C, X14, 5, KL4);
RIP5(C, D, E, A, B, X1, 12, KL4);
RIP5(B, C, D, E, A, X3, 13, KL4);
RIP5(A, B, C, D, E, X8, 14, KL4);
RIP5(E, A, B, C, D, X11, 11, KL4);
RIP5(D, E, A, B, C, X6, 8, KL4);
RIP5(C, D, E, A, B, X15, 5, KL4);
RIP5(B, C, D, E, A, X13, 6, KL4);
a = A;
b = B;
@ -327,90 +328,90 @@ ripemd160_block_data_order(RIPEMD160_CTX *ctx, const void *p, size_t num)
D = ctx->D;
E = ctx->E;
RIP5(A, B,C, D,E, WR00, SR00, KR0);
RIP5(E, A,B, C,D, WR01, SR01, KR0);
RIP5(D, E,A, B,C, WR02, SR02, KR0);
RIP5(C, D,E, A,B, WR03, SR03, KR0);
RIP5(B, C,D, E,A, WR04, SR04, KR0);
RIP5(A, B,C, D,E, WR05, SR05, KR0);
RIP5(E, A,B, C,D, WR06, SR06, KR0);
RIP5(D, E,A, B,C, WR07, SR07, KR0);
RIP5(C, D,E, A,B, WR08, SR08, KR0);
RIP5(B, C,D, E,A, WR09, SR09, KR0);
RIP5(A, B,C, D,E, WR10, SR10, KR0);
RIP5(E, A,B, C,D, WR11, SR11, KR0);
RIP5(D, E,A, B,C, WR12, SR12, KR0);
RIP5(C, D,E, A,B, WR13, SR13, KR0);
RIP5(B, C,D, E,A, WR14, SR14, KR0);
RIP5(A, B,C, D,E, WR15, SR15, KR0);
RIP5(A, B, C, D, E, X5, 8, KR0);
RIP5(E, A, B, C, D, X14, 9, KR0);
RIP5(D, E, A, B, C, X7, 9, KR0);
RIP5(C, D, E, A, B, X0, 11, KR0);
RIP5(B, C, D, E, A, X9, 13, KR0);
RIP5(A, B, C, D, E, X2, 15, KR0);
RIP5(E, A, B, C, D, X11, 15, KR0);
RIP5(D, E, A, B, C, X4, 5, KR0);
RIP5(C, D, E, A, B, X13, 7, KR0);
RIP5(B, C, D, E, A, X6, 7, KR0);
RIP5(A, B, C, D, E, X15, 8, KR0);
RIP5(E, A, B, C, D, X8, 11, KR0);
RIP5(D, E, A, B, C, X1, 14, KR0);
RIP5(C, D, E, A, B, X10, 14, KR0);
RIP5(B, C, D, E, A, X3, 12, KR0);
RIP5(A, B, C, D, E, X12, 6, KR0);
RIP4(E, A,B, C,D, WR16, SR16, KR1);
RIP4(D, E,A, B,C, WR17, SR17, KR1);
RIP4(C, D,E, A,B, WR18, SR18, KR1);
RIP4(B, C,D, E,A, WR19, SR19, KR1);
RIP4(A, B,C, D,E, WR20, SR20, KR1);
RIP4(E, A,B, C,D, WR21, SR21, KR1);
RIP4(D, E,A, B,C, WR22, SR22, KR1);
RIP4(C, D,E, A,B, WR23, SR23, KR1);
RIP4(B, C,D, E,A, WR24, SR24, KR1);
RIP4(A, B,C, D,E, WR25, SR25, KR1);
RIP4(E, A,B, C,D, WR26, SR26, KR1);
RIP4(D, E,A, B,C, WR27, SR27, KR1);
RIP4(C, D,E, A,B, WR28, SR28, KR1);
RIP4(B, C,D, E,A, WR29, SR29, KR1);
RIP4(A, B,C, D,E, WR30, SR30, KR1);
RIP4(E, A,B, C,D, WR31, SR31, KR1);
RIP4(E, A, B, C, D, X6, 9, KR1);
RIP4(D, E, A, B, C, X11, 13, KR1);
RIP4(C, D, E, A, B, X3, 15, KR1);
RIP4(B, C, D, E, A, X7, 7, KR1);
RIP4(A, B, C, D, E, X0, 12, KR1);
RIP4(E, A, B, C, D, X13, 8, KR1);
RIP4(D, E, A, B, C, X5, 9, KR1);
RIP4(C, D, E, A, B, X10, 11, KR1);
RIP4(B, C, D, E, A, X14, 7, KR1);
RIP4(A, B, C, D, E, X15, 7, KR1);
RIP4(E, A, B, C, D, X8, 12, KR1);
RIP4(D, E, A, B, C, X12, 7, KR1);
RIP4(C, D, E, A, B, X4, 6, KR1);
RIP4(B, C, D, E, A, X9, 15, KR1);
RIP4(A, B, C, D, E, X1, 13, KR1);
RIP4(E, A, B, C, D, X2, 11, KR1);
RIP3(D, E,A, B,C, WR32, SR32, KR2);
RIP3(C, D,E, A,B, WR33, SR33, KR2);
RIP3(B, C,D, E,A, WR34, SR34, KR2);
RIP3(A, B,C, D,E, WR35, SR35, KR2);
RIP3(E, A,B, C,D, WR36, SR36, KR2);
RIP3(D, E,A, B,C, WR37, SR37, KR2);
RIP3(C, D,E, A,B, WR38, SR38, KR2);
RIP3(B, C,D, E,A, WR39, SR39, KR2);
RIP3(A, B,C, D,E, WR40, SR40, KR2);
RIP3(E, A,B, C,D, WR41, SR41, KR2);
RIP3(D, E,A, B,C, WR42, SR42, KR2);
RIP3(C, D,E, A,B, WR43, SR43, KR2);
RIP3(B, C,D, E,A, WR44, SR44, KR2);
RIP3(A, B,C, D,E, WR45, SR45, KR2);
RIP3(E, A,B, C,D, WR46, SR46, KR2);
RIP3(D, E,A, B,C, WR47, SR47, KR2);
RIP3(D, E, A, B, C, X15, 9, KR2);
RIP3(C, D, E, A, B, X5, 7, KR2);
RIP3(B, C, D, E, A, X1, 15, KR2);
RIP3(A, B, C, D, E, X3, 11, KR2);
RIP3(E, A, B, C, D, X7, 8, KR2);
RIP3(D, E, A, B, C, X14, 6, KR2);
RIP3(C, D, E, A, B, X6, 6, KR2);
RIP3(B, C, D, E, A, X9, 14, KR2);
RIP3(A, B, C, D, E, X11, 12, KR2);
RIP3(E, A, B, C, D, X8, 13, KR2);
RIP3(D, E, A, B, C, X12, 5, KR2);
RIP3(C, D, E, A, B, X2, 14, KR2);
RIP3(B, C, D, E, A, X10, 13, KR2);
RIP3(A, B, C, D, E, X0, 13, KR2);
RIP3(E, A, B, C, D, X4, 7, KR2);
RIP3(D, E, A, B, C, X13, 5, KR2);
RIP2(C, D,E, A,B, WR48, SR48, KR3);
RIP2(B, C,D, E,A, WR49, SR49, KR3);
RIP2(A, B,C, D,E, WR50, SR50, KR3);
RIP2(E, A,B, C,D, WR51, SR51, KR3);
RIP2(D, E,A, B,C, WR52, SR52, KR3);
RIP2(C, D,E, A,B, WR53, SR53, KR3);
RIP2(B, C,D, E,A, WR54, SR54, KR3);
RIP2(A, B,C, D,E, WR55, SR55, KR3);
RIP2(E, A,B, C,D, WR56, SR56, KR3);
RIP2(D, E,A, B,C, WR57, SR57, KR3);
RIP2(C, D,E, A,B, WR58, SR58, KR3);
RIP2(B, C,D, E,A, WR59, SR59, KR3);
RIP2(A, B,C, D,E, WR60, SR60, KR3);
RIP2(E, A,B, C,D, WR61, SR61, KR3);
RIP2(D, E,A, B,C, WR62, SR62, KR3);
RIP2(C, D,E, A,B, WR63, SR63, KR3);
RIP2(C, D, E, A, B, X8, 15, KR3);
RIP2(B, C, D, E, A, X6, 5, KR3);
RIP2(A, B, C, D, E, X4, 8, KR3);
RIP2(E, A, B, C, D, X1, 11, KR3);
RIP2(D, E, A, B, C, X3, 14, KR3);
RIP2(C, D, E, A, B, X11, 14, KR3);
RIP2(B, C, D, E, A, X15, 6, KR3);
RIP2(A, B, C, D, E, X0, 14, KR3);
RIP2(E, A, B, C, D, X5, 6, KR3);
RIP2(D, E, A, B, C, X12, 9, KR3);
RIP2(C, D, E, A, B, X2, 12, KR3);
RIP2(B, C, D, E, A, X13, 9, KR3);
RIP2(A, B, C, D, E, X9, 12, KR3);
RIP2(E, A, B, C, D, X7, 5, KR3);
RIP2(D, E, A, B, C, X10, 15, KR3);
RIP2(C, D, E, A, B, X14, 8, KR3);
RIP1(B, C,D, E,A, WR64, SR64);
RIP1(A, B,C, D,E, WR65, SR65);
RIP1(E, A,B, C,D, WR66, SR66);
RIP1(D, E,A, B,C, WR67, SR67);
RIP1(C, D,E, A,B, WR68, SR68);
RIP1(B, C,D, E,A, WR69, SR69);
RIP1(A, B,C, D,E, WR70, SR70);
RIP1(E, A,B, C,D, WR71, SR71);
RIP1(D, E,A, B,C, WR72, SR72);
RIP1(C, D,E, A,B, WR73, SR73);
RIP1(B, C,D, E,A, WR74, SR74);
RIP1(A, B,C, D,E, WR75, SR75);
RIP1(E, A,B, C,D, WR76, SR76);
RIP1(D, E,A, B,C, WR77, SR77);
RIP1(C, D,E, A,B, WR78, SR78);
RIP1(B, C,D, E,A, WR79, SR79);
RIP1(B, C, D, E, A, X12, 8);
RIP1(A, B, C, D, E, X15, 5);
RIP1(E, A, B, C, D, X10, 12);
RIP1(D, E, A, B, C, X4, 9);
RIP1(C, D, E, A, B, X1, 12);
RIP1(B, C, D, E, A, X5, 5);
RIP1(A, B, C, D, E, X8, 14);
RIP1(E, A, B, C, D, X7, 6);
RIP1(D, E, A, B, C, X6, 8);
RIP1(C, D, E, A, B, X2, 13);
RIP1(B, C, D, E, A, X13, 6);
RIP1(A, B, C, D, E, X14, 5);
RIP1(E, A, B, C, D, X0, 15);
RIP1(D, E, A, B, C, X3, 13);
RIP1(C, D, E, A, B, X9, 11);
RIP1(B, C, D, E, A, X11, 11);
D = ctx->B + c + D;
ctx->B = ctx->C + d + E;

403
lib/libcrypto/ripemd/rmdconst.h
View file

@ -1,403 +0,0 @@
/* $OpenBSD: rmdconst.h,v 1.4 2023/07/08 06:52:56 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
__BEGIN_HIDDEN_DECLS
#define KL0 0x00000000L
#define KL1 0x5A827999L
#define KL2 0x6ED9EBA1L
#define KL3 0x8F1BBCDCL
#define KL4 0xA953FD4EL
#define KR0 0x50A28BE6L
#define KR1 0x5C4DD124L
#define KR2 0x6D703EF3L
#define KR3 0x7A6D76E9L
#define KR4 0x00000000L
#define WL00 0
#define SL00 11
#define WL01 1
#define SL01 14
#define WL02 2
#define SL02 15
#define WL03 3
#define SL03 12
#define WL04 4
#define SL04 5
#define WL05 5
#define SL05 8
#define WL06 6
#define SL06 7
#define WL07 7
#define SL07 9
#define WL08 8
#define SL08 11
#define WL09 9
#define SL09 13
#define WL10 10
#define SL10 14
#define WL11 11
#define SL11 15
#define WL12 12
#define SL12 6
#define WL13 13
#define SL13 7
#define WL14 14
#define SL14 9
#define WL15 15
#define SL15 8
#define WL16 7
#define SL16 7
#define WL17 4
#define SL17 6
#define WL18 13
#define SL18 8
#define WL19 1
#define SL19 13
#define WL20 10
#define SL20 11
#define WL21 6
#define SL21 9
#define WL22 15
#define SL22 7
#define WL23 3
#define SL23 15
#define WL24 12
#define SL24 7
#define WL25 0
#define SL25 12
#define WL26 9
#define SL26 15
#define WL27 5
#define SL27 9
#define WL28 2
#define SL28 11
#define WL29 14
#define SL29 7
#define WL30 11
#define SL30 13
#define WL31 8
#define SL31 12
#define WL32 3
#define SL32 11
#define WL33 10
#define SL33 13
#define WL34 14
#define SL34 6
#define WL35 4
#define SL35 7
#define WL36 9
#define SL36 14
#define WL37 15
#define SL37 9
#define WL38 8
#define SL38 13
#define WL39 1
#define SL39 15
#define WL40 2
#define SL40 14
#define WL41 7
#define SL41 8
#define WL42 0
#define SL42 13
#define WL43 6
#define SL43 6
#define WL44 13
#define SL44 5
#define WL45 11
#define SL45 12
#define WL46 5
#define SL46 7
#define WL47 12
#define SL47 5
#define WL48 1
#define SL48 11
#define WL49 9
#define SL49 12
#define WL50 11
#define SL50 14
#define WL51 10
#define SL51 15
#define WL52 0
#define SL52 14
#define WL53 8
#define SL53 15
#define WL54 12
#define SL54 9
#define WL55 4
#define SL55 8
#define WL56 13
#define SL56 9
#define WL57 3
#define SL57 14
#define WL58 7
#define SL58 5
#define WL59 15
#define SL59 6
#define WL60 14
#define SL60 8
#define WL61 5
#define SL61 6
#define WL62 6
#define SL62 5
#define WL63 2
#define SL63 12
#define WL64 4
#define SL64 9
#define WL65 0
#define SL65 15
#define WL66 5
#define SL66 5
#define WL67 9
#define SL67 11
#define WL68 7
#define SL68 6
#define WL69 12
#define SL69 8
#define WL70 2
#define SL70 13
#define WL71 10
#define SL71 12
#define WL72 14
#define SL72 5
#define WL73 1
#define SL73 12
#define WL74 3
#define SL74 13
#define WL75 8
#define SL75 14
#define WL76 11
#define SL76 11
#define WL77 6
#define SL77 8
#define WL78 15
#define SL78 5
#define WL79 13
#define SL79 6
#define WR00 5
#define SR00 8
#define WR01 14
#define SR01 9
#define WR02 7
#define SR02 9
#define WR03 0
#define SR03 11
#define WR04 9
#define SR04 13
#define WR05 2
#define SR05 15
#define WR06 11
#define SR06 15
#define WR07 4
#define SR07 5
#define WR08 13
#define SR08 7
#define WR09 6
#define SR09 7
#define WR10 15
#define SR10 8
#define WR11 8
#define SR11 11
#define WR12 1
#define SR12 14
#define WR13 10
#define SR13 14
#define WR14 3
#define SR14 12
#define WR15 12
#define SR15 6
#define WR16 6
#define SR16 9
#define WR17 11
#define SR17 13
#define WR18 3
#define SR18 15
#define WR19 7
#define SR19 7
#define WR20 0
#define SR20 12
#define WR21 13
#define SR21 8
#define WR22 5
#define SR22 9
#define WR23 10
#define SR23 11
#define WR24 14
#define SR24 7
#define WR25 15
#define SR25 7
#define WR26 8
#define SR26 12
#define WR27 12
#define SR27 7
#define WR28 4
#define SR28 6
#define WR29 9
#define SR29 15
#define WR30 1
#define SR30 13
#define WR31 2
#define SR31 11
#define WR32 15
#define SR32 9
#define WR33 5
#define SR33 7
#define WR34 1
#define SR34 15
#define WR35 3
#define SR35 11
#define WR36 7
#define SR36 8
#define WR37 14
#define SR37 6
#define WR38 6
#define SR38 6
#define WR39 9
#define SR39 14
#define WR40 11
#define SR40 12
#define WR41 8
#define SR41 13
#define WR42 12
#define SR42 5
#define WR43 2
#define SR43 14
#define WR44 10
#define SR44 13
#define WR45 0
#define SR45 13
#define WR46 4
#define SR46 7
#define WR47 13
#define SR47 5
#define WR48 8
#define SR48 15
#define WR49 6
#define SR49 5
#define WR50 4
#define SR50 8
#define WR51 1
#define SR51 11
#define WR52 3
#define SR52 14
#define WR53 11
#define SR53 14
#define WR54 15
#define SR54 6
#define WR55 0
#define SR55 14
#define WR56 5
#define SR56 6
#define WR57 12
#define SR57 9
#define WR58 2
#define SR58 12
#define WR59 13
#define SR59 9
#define WR60 9
#define SR60 12
#define WR61 7
#define SR61 5
#define WR62 10
#define SR62 15
#define WR63 14
#define SR63 8
#define WR64 12
#define SR64 8
#define WR65 15
#define SR65 5
#define WR66 10
#define SR66 12
#define WR67 4
#define SR67 9
#define WR68 1
#define SR68 12
#define WR69 5
#define SR69 5
#define WR70 8
#define SR70 14
#define WR71 7
#define SR71 6
#define WR72 6
#define SR72 8
#define WR73 2
#define SR73 13
#define WR74 13
#define SR74 6
#define WR75 14
#define SR75 5
#define WR76 0
#define SR76 15
#define WR77 3
#define SR77 13
#define WR78 9
#define SR78 11
#define WR79 11
#define SR79 11
__END_HIDDEN_DECLS

63
lib/libcrypto/rsa/rsa_ameth.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: rsa_ameth.c,v 1.30 2023/07/07 06:59:18 tb Exp $ */
/* $OpenBSD: rsa_ameth.c,v 1.32 2023/08/10 15:05:28 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@ -136,21 +136,28 @@ rsa_param_decode(RSA *rsa, const X509_ALGOR *alg)
static int
rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
{
unsigned char *penc = NULL;
int penclen;
ASN1_STRING *str;
ASN1_STRING *str = NULL;
int strtype;
unsigned char *penc = NULL;
int penclen = 0;
ASN1_OBJECT *aobj;
if (!rsa_param_encode(pkey, &str, &strtype))
return 0;
penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc);
if (penclen <= 0)
return 0;
if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
strtype, str, penc, penclen))
return 1;
goto err;
if ((penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc)) <= 0) {
penclen = 0;
goto err;
}
if ((aobj = OBJ_nid2obj(pkey->ameth->pkey_id)) == NULL)
goto err;
if (!X509_PUBKEY_set0_param(pk, aobj, strtype, str, penc, penclen))
goto err;
free(penc);
return 1;
err:
ASN1_STRING_free(str);
freezero(penc, penclen);
return 0;
}
@ -212,29 +219,33 @@ old_rsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
static int
rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
{
unsigned char *rk = NULL;
int rklen;
ASN1_STRING *str;
ASN1_STRING *str = NULL;
ASN1_OBJECT *aobj;
int strtype;
unsigned char *rk = NULL;
int rklen = 0;
if (!rsa_param_encode(pkey, &str, &strtype))
return 0;
rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk);
if (rklen <= 0) {
goto err;
if ((rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk)) <= 0) {
RSAerror(ERR_R_MALLOC_FAILURE);
ASN1_STRING_free(str);
return 0;
rklen = 0;
goto err;
}
if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(pkey->ameth->pkey_id), 0,
strtype, str, rk, rklen)) {
if ((aobj = OBJ_nid2obj(pkey->ameth->pkey_id)) == NULL)
goto err;
if (!PKCS8_pkey_set0(p8, aobj, 0, strtype, str, rk, rklen)) {
RSAerror(ERR_R_MALLOC_FAILURE);
ASN1_STRING_free(str);
return 0;
goto err;
}
return 1;
err:
ASN1_STRING_free(str);
freezero(rk, rklen);
return 0;
}
static int

281
lib/libcrypto/bn/bn_blind.c → lib/libcrypto/rsa/rsa_blinding.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: bn_blind.c,v 1.32 2023/08/02 09:25:36 tb Exp $ */
/* $OpenBSD: rsa_blinding.c,v 1.3 2023/08/09 12:09:06 tb Exp $ */
/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
@ -109,13 +109,16 @@
* [including the GNU Public Licence.]
*/
#include <pthread.h>
#include <stdio.h>
#include <openssl/opensslconf.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
#include "bn_local.h"
#include "rsa_local.h"
#define BN_BLINDING_COUNTER 32
@ -124,47 +127,48 @@ struct bn_blinding_st {
BIGNUM *Ai;
BIGNUM *e;
BIGNUM *mod;
CRYPTO_THREADID tid;
pthread_t tid;
int counter;
BN_MONT_CTX *m_ctx;
int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
};
static BN_BLINDING *
BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
BN_BLINDING *
BN_BLINDING_new(const BIGNUM *e, const BIGNUM *mod, BN_CTX *ctx,
int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), BN_MONT_CTX *m_ctx)
{
BN_BLINDING *ret = NULL;
if ((ret = calloc(1, sizeof(BN_BLINDING))) == NULL) {
BNerror(ERR_R_MALLOC_FAILURE);
return NULL;
goto err;
}
if (A != NULL) {
if ((ret->A = BN_dup(A)) == NULL)
goto err;
}
if (Ai != NULL) {
if ((ret->Ai = BN_dup(Ai)) == NULL)
goto err;
}
/* save a copy of mod in the BN_BLINDING structure */
if ((ret->A = BN_new()) == NULL)
goto err;
if ((ret->Ai = BN_new()) == NULL)
goto err;
if ((ret->e = BN_dup(e)) == NULL)
goto err;
if ((ret->mod = BN_dup(mod)) == NULL)
goto err;
if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
BN_set_flags(ret->mod, BN_FLG_CONSTTIME);
/* Set the counter to the special value -1
* to indicate that this is never-used fresh blinding
* that does not need updating before first use. */
ret->counter = -1;
CRYPTO_THREADID_current(&ret->tid);
return (ret);
/* Update on first use. */
ret->counter = BN_BLINDING_COUNTER - 1;
ret->tid = pthread_self();
if (bn_mod_exp != NULL)
ret->bn_mod_exp = bn_mod_exp;
if (m_ctx != NULL)
ret->m_ctx = m_ctx;
return ret;
err:
if (ret != NULL)
BN_BLINDING_free(ret);
BN_BLINDING_free(ret);
return NULL;
}
@ -182,157 +186,176 @@ BN_BLINDING_free(BN_BLINDING *r)
free(r);
}
static int
BN_BLINDING_setup(BN_BLINDING *b, BN_CTX *ctx)
{
if (!bn_rand_interval(b->A, 1, b->mod))
return 0;
if (BN_mod_inverse_ct(b->Ai, b->A, b->mod, ctx) == NULL)
return 0;
if (b->bn_mod_exp != NULL && b->m_ctx != NULL) {
if (!b->bn_mod_exp(b->A, b->A, b->e, b->mod, ctx, b->m_ctx))
return 0;
} else {
if (!BN_mod_exp_ct(b->A, b->A, b->e, b->mod, ctx))
return 0;
}
return 1;
}
static int
BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
{
int ret = 0;
if (b->A == NULL || b->Ai == NULL) {
BNerror(BN_R_NOT_INITIALIZED);
goto err;
}
if (b->counter == -1)
if (++b->counter >= BN_BLINDING_COUNTER) {
if (!BN_BLINDING_setup(b, ctx))
goto err;
b->counter = 0;
if (++b->counter == BN_BLINDING_COUNTER && b->e != NULL) {
/* re-create blinding parameters */
if (!BN_BLINDING_create_param(b, NULL, NULL, ctx, NULL, NULL))
goto err;
} else {
if (!BN_mod_mul(b->A, b->A, b->A, b->mod, ctx))
if (!BN_mod_sqr(b->A, b->A, b->mod, ctx))
goto err;
if (!BN_mod_mul(b->Ai, b->Ai, b->Ai, b->mod, ctx))
if (!BN_mod_sqr(b->Ai, b->Ai, b->mod, ctx))
goto err;
}
ret = 1;
err:
if (b->counter == BN_BLINDING_COUNTER)
b->counter = 0;
return ret;
}
int
BN_BLINDING_convert(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
BN_BLINDING_convert(BIGNUM *n, BIGNUM *inv, BN_BLINDING *b, BN_CTX *ctx)
{
int ret = 1;
int ret = 0;
if (b->A == NULL || b->Ai == NULL) {
BNerror(BN_R_NOT_INITIALIZED);
return 0;
if (!BN_BLINDING_update(b, ctx))
goto err;
if (inv != NULL) {
if (!bn_copy(inv, b->Ai))
goto err;
}
if (b->counter == -1)
/* Fresh blinding, doesn't need updating. */
b->counter = 0;
else if (!BN_BLINDING_update(b, ctx))
return 0;
if (r != NULL) {
if (!bn_copy(r, b->Ai))
ret = 0;
}
if (!BN_mod_mul(n, n, b->A, b->mod, ctx))
ret = 0;
ret = BN_mod_mul(n, n, b->A, b->mod, ctx);
err:
return ret;
}
int
BN_BLINDING_invert(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
BN_BLINDING_invert(BIGNUM *n, const BIGNUM *inv, BN_BLINDING *b, BN_CTX *ctx)
{
int ret;
if (inv == NULL)
inv = b->Ai;
if (r != NULL)
ret = BN_mod_mul(n, n, r, b->mod, ctx);
else {
if (b->Ai == NULL) {
BNerror(BN_R_NOT_INITIALIZED);
return (0);
}
ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
}
return ret;
return BN_mod_mul(n, n, inv, b->mod, ctx);
}
CRYPTO_THREADID *
BN_BLINDING_thread_id(BN_BLINDING *b)
int
BN_BLINDING_is_local(BN_BLINDING *b)
{
return &b->tid;
return pthread_equal(pthread_self(), b->tid) != 0;
}
static BIGNUM *
rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p, const BIGNUM *q,
BN_CTX *ctx)
{
BIGNUM *ret = NULL, *r0, *r1, *r2;
if (d == NULL || p == NULL || q == NULL)
return NULL;
BN_CTX_start(ctx);
if ((r0 = BN_CTX_get(ctx)) == NULL)
goto err;
if ((r1 = BN_CTX_get(ctx)) == NULL)
goto err;
if ((r2 = BN_CTX_get(ctx)) == NULL)
goto err;
if (!BN_sub(r1, p, BN_value_one()))
goto err;
if (!BN_sub(r2, q, BN_value_one()))
goto err;
if (!BN_mul(r0, r1, r2, ctx))
goto err;
ret = BN_mod_inverse_ct(NULL, d, r0, ctx);
err:
BN_CTX_end(ctx);
return ret;
}
BN_BLINDING *
BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), BN_MONT_CTX *m_ctx)
RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
{
BIGNUM *e = NULL;
BIGNUM n;
BN_CTX *ctx = NULL;
BN_BLINDING *ret = NULL;
int retry_counter = 32;
if (b == NULL)
ret = BN_BLINDING_new(NULL, NULL, m);
else
ret = b;
if (ret == NULL)
if ((ctx = in_ctx) == NULL)
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
if (ret->A == NULL && (ret->A = BN_new()) == NULL)
BN_CTX_start(ctx);
if ((e = rsa->e) == NULL)
e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
if (e == NULL) {
RSAerror(RSA_R_NO_PUBLIC_EXPONENT);
goto err;
if (ret->Ai == NULL && (ret->Ai = BN_new()) == NULL)
goto err;
if (e != NULL) {
BN_free(ret->e);
ret->e = BN_dup(e);
}
if (ret->e == NULL)
goto err;
if (bn_mod_exp != NULL)
ret->bn_mod_exp = bn_mod_exp;
if (m_ctx != NULL)
ret->m_ctx = m_ctx;
do {
if (!BN_rand_range(ret->A, ret->mod))
goto err;
if (BN_mod_inverse_ct(ret->Ai, ret->A, ret->mod, ctx) == NULL) {
/* this should almost never happen for good RSA keys */
unsigned long error = ERR_peek_last_error();
if (ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
if (retry_counter-- == 0) {
BNerror(BN_R_TOO_MANY_ITERATIONS);
goto err;
}
ERR_clear_error();
} else
goto err;
} else
break;
} while (1);
if (ret->bn_mod_exp != NULL && ret->m_ctx != NULL) {
if (!ret->bn_mod_exp(ret->A, ret->A, ret->e, ret->mod,
ctx, ret->m_ctx))
goto err;
} else {
if (!BN_mod_exp_ct(ret->A, ret->A, ret->e, ret->mod, ctx))
goto err;
}
return ret;
BN_init(&n);
BN_with_flags(&n, rsa->n, BN_FLG_CONSTTIME);
if ((ret = BN_BLINDING_new(e, &n, ctx, rsa->meth->bn_mod_exp,
rsa->_method_mod_n)) == NULL) {
RSAerror(ERR_R_BN_LIB);
goto err;
}
err:
if (b == NULL && ret != NULL) {
BN_BLINDING_free(ret);
ret = NULL;
}
BN_CTX_end(ctx);
if (ctx != in_ctx)
BN_CTX_free(ctx);
if (e != rsa->e)
BN_free(e);
return ret;
}
void
RSA_blinding_off(RSA *rsa)
{
BN_BLINDING_free(rsa->blinding);
rsa->blinding = NULL;
rsa->flags |= RSA_FLAG_NO_BLINDING;
}
LCRYPTO_ALIAS(RSA_blinding_off);
int
RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
{
int ret = 0;
if (rsa->blinding != NULL)
RSA_blinding_off(rsa);
rsa->blinding = RSA_setup_blinding(rsa, ctx);
if (rsa->blinding == NULL)
goto err;
rsa->flags &= ~RSA_FLAG_NO_BLINDING;
ret = 1;
err:
return (ret);
}
LCRYPTO_ALIAS(RSA_blinding_on);

231
lib/libcrypto/rsa/rsa_crpt.c
View file

@ -1,231 +0,0 @@
/* $OpenBSD: rsa_crpt.c,v 1.23 2023/07/28 10:05:16 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
#include <stdio.h>
#include <openssl/opensslconf.h>
#include <openssl/bn.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/lhash.h>
#include <openssl/rsa.h>
#include "bn_local.h"
#include "rsa_local.h"
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif
int
RSA_bits(const RSA *r)
{
return BN_num_bits(r->n);
}
LCRYPTO_ALIAS(RSA_bits);
int
RSA_size(const RSA *r)
{
return BN_num_bytes(r->n);
}
LCRYPTO_ALIAS(RSA_size);
int
RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
RSA *rsa, int padding)
{
return rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding);
}
LCRYPTO_ALIAS(RSA_public_encrypt);
int
RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
RSA *rsa, int padding)
{
return rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding);
}
LCRYPTO_ALIAS(RSA_private_encrypt);
int
RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
RSA *rsa, int padding)
{
return rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding);
}
LCRYPTO_ALIAS(RSA_private_decrypt);
int
RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
RSA *rsa, int padding)
{
return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding);
}
LCRYPTO_ALIAS(RSA_public_decrypt);
int
RSA_flags(const RSA *r)
{
return r == NULL ? 0 : r->meth->flags;
}
LCRYPTO_ALIAS(RSA_flags);
void
RSA_blinding_off(RSA *rsa)
{
BN_BLINDING_free(rsa->blinding);
rsa->blinding = NULL;
rsa->flags |= RSA_FLAG_NO_BLINDING;
}
LCRYPTO_ALIAS(RSA_blinding_off);
int
RSA_blinding_on(RSA *rsa, BN_CTX *ctx)
{
int ret = 0;
if (rsa->blinding != NULL)
RSA_blinding_off(rsa);
rsa->blinding = RSA_setup_blinding(rsa, ctx);
if (rsa->blinding == NULL)
goto err;
rsa->flags &= ~RSA_FLAG_NO_BLINDING;
ret = 1;
err:
return (ret);
}
LCRYPTO_ALIAS(RSA_blinding_on);
static BIGNUM *
rsa_get_public_exp(const BIGNUM *d, const BIGNUM *p, const BIGNUM *q,
BN_CTX *ctx)
{
BIGNUM *ret = NULL, *r0, *r1, *r2;
if (d == NULL || p == NULL || q == NULL)
return NULL;
BN_CTX_start(ctx);
if ((r0 = BN_CTX_get(ctx)) == NULL)
goto err;
if ((r1 = BN_CTX_get(ctx)) == NULL)
goto err;
if ((r2 = BN_CTX_get(ctx)) == NULL)
goto err;
if (!BN_sub(r1, p, BN_value_one()))
goto err;
if (!BN_sub(r2, q, BN_value_one()))
goto err;
if (!BN_mul(r0, r1, r2, ctx))
goto err;
ret = BN_mod_inverse_ct(NULL, d, r0, ctx);
err:
BN_CTX_end(ctx);
return ret;
}
BN_BLINDING *
RSA_setup_blinding(RSA *rsa, BN_CTX *in_ctx)
{
BIGNUM *e;
BIGNUM n;
BN_CTX *ctx;
BN_BLINDING *ret = NULL;
if (in_ctx == NULL) {
if ((ctx = BN_CTX_new()) == NULL)
return 0;
} else
ctx = in_ctx;
BN_CTX_start(ctx);
if (rsa->e == NULL) {
e = rsa_get_public_exp(rsa->d, rsa->p, rsa->q, ctx);
if (e == NULL) {
RSAerror(RSA_R_NO_PUBLIC_EXPONENT);
goto err;
}
} else
e = rsa->e;
BN_init(&n);
BN_with_flags(&n, rsa->n, BN_FLG_CONSTTIME);
ret = BN_BLINDING_create_param(NULL, e, &n, ctx, rsa->meth->bn_mod_exp,
rsa->_method_mod_n);
if (ret == NULL) {
RSAerror(ERR_R_BN_LIB);
goto err;
}
CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret));
err:
BN_CTX_end(ctx);
if (in_ctx == NULL)
BN_CTX_free(ctx);
if (rsa->e == NULL)
BN_free(e);
return ret;
}

81
lib/libcrypto/rsa/rsa_eay.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: rsa_eay.c,v 1.63 2023/08/02 08:44:38 tb Exp $ */
/* $OpenBSD: rsa_eay.c,v 1.65 2023/08/09 12:09:06 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -222,7 +222,6 @@ rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
{
BN_BLINDING *ret;
int got_write_lock = 0;
CRYPTO_THREADID cur;
CRYPTO_r_lock(CRYPTO_LOCK_RSA);
@ -235,24 +234,14 @@ rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
rsa->blinding = RSA_setup_blinding(rsa, ctx);
}
ret = rsa->blinding;
if (ret == NULL)
if ((ret = rsa->blinding) == NULL)
goto err;
CRYPTO_THREADID_current(&cur);
if (!CRYPTO_THREADID_cmp(&cur, BN_BLINDING_thread_id(ret))) {
/* rsa->blinding is ours! */
*local = 1;
} else {
/* resort to rsa->mt_blinding instead */
/*
* Instruct rsa_blinding_convert(), rsa_blinding_invert()
* that the BN_BLINDING is shared, meaning that accesses
* require locks, and that the blinding factor must be
* stored outside the BN_BLINDING
*/
*local = 0;
/*
* We need a shared blinding. Accesses require locks and a copy of the
* blinding factor needs to be retained on use.
*/
if ((*local = BN_BLINDING_is_local(ret)) == 0) {
if (rsa->mt_blinding == NULL) {
if (!got_write_lock) {
CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
@ -266,11 +255,12 @@ rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
ret = rsa->mt_blinding;
}
err:
err:
if (got_write_lock)
CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
else
CRYPTO_r_unlock(CRYPTO_LOCK_RSA);
return ret;
}
@ -857,3 +847,56 @@ RSA_PKCS1_SSLeay(void)
return RSA_PKCS1_OpenSSL();
}
LCRYPTO_ALIAS(RSA_PKCS1_SSLeay);
int
RSA_bits(const RSA *r)
{
return BN_num_bits(r->n);
}
LCRYPTO_ALIAS(RSA_bits);
int
RSA_size(const RSA *r)
{
return BN_num_bytes(r->n);
}
LCRYPTO_ALIAS(RSA_size);
int
RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
RSA *rsa, int padding)
{
return rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding);
}
LCRYPTO_ALIAS(RSA_public_encrypt);
int
RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
RSA *rsa, int padding)
{
return rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding);
}
LCRYPTO_ALIAS(RSA_private_encrypt);
int
RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
RSA *rsa, int padding)
{
return rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding);
}
LCRYPTO_ALIAS(RSA_private_decrypt);
int
RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
RSA *rsa, int padding)
{
return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding);
}
LCRYPTO_ALIAS(RSA_public_decrypt);
int
RSA_flags(const RSA *r)
{
return r == NULL ? 0 : r->meth->flags;
}
LCRYPTO_ALIAS(RSA_flags);

9
lib/libcrypto/rsa/rsa_local.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: rsa_local.h,v 1.4 2023/07/28 10:05:16 tb Exp $ */
/* $OpenBSD: rsa_local.h,v 1.6 2023/08/09 12:09:06 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -153,6 +153,13 @@ int RSA_padding_check_X931(unsigned char *to, int tlen,
const unsigned char *f, int fl, int rsa_len);
int RSA_X931_hash_id(int nid);
BN_BLINDING *BN_BLINDING_new(const BIGNUM *e, const BIGNUM *mod, BN_CTX *ctx,
int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), BN_MONT_CTX *m_ctx);
void BN_BLINDING_free(BN_BLINDING *b);
int BN_BLINDING_convert(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *);
int BN_BLINDING_invert(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *);
int BN_BLINDING_is_local(BN_BLINDING *b);
BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *ctx);
__END_HIDDEN_DECLS

6
lib/libcrypto/sha/sha1.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: sha1.c,v 1.11 2023/07/08 12:24:10 beck Exp $ */
/* $OpenBSD: sha1.c,v 1.12 2023/08/10 07:15:23 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -141,8 +141,8 @@ static void
sha1_block_data_order(SHA_CTX *c, const void *p, size_t num)
{
const unsigned char *data = p;
unsigned MD32_REG_T A, B, C, D, E, T, l;
unsigned MD32_REG_T X0, X1, X2, X3, X4, X5, X6, X7,
unsigned int A, B, C, D, E, T, l;
unsigned int X0, X1, X2, X3, X4, X5, X6, X7,
X8, X9, X10, X11, X12, X13, X14, X15;
A = c->h0;

4
lib/libcrypto/sha/sha256.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: sha256.c,v 1.27 2023/07/08 12:24:10 beck Exp $ */
/* $OpenBSD: sha256.c,v 1.28 2023/08/10 07:15:23 jsing Exp $ */
/* ====================================================================
* Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.
*
@ -135,7 +135,7 @@ sha256_block_data_order(SHA256_CTX *ctx, const void *_in, size_t num)
{
const uint8_t *in = _in;
const SHA_LONG *in32;
unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1;
unsigned int a, b, c, d, e, f, g, h, s0, s1, T1;
SHA_LONG X[16];
int i;